There are two things about that. 1) NIST and CMRR recommend a random write, not a zero write. 2) They also recommend using an offline program, meaning the host OS isn't running. DBAN is a program that you reboot the computer into, for example. If the host OS is running, then depending on the program, it may not write over the unallocated space (for example, running the command "secure-delete C:" won't write over the unallocated space). The article doesn't mention whether it was an online or offline program, but one interpretation is that he used a program running on the host OS, which only wrote over the allocated partitions/space, leaving the unallocated space untouched, even though he didn't cancel the job. In fact, he may have done a zero fill of the empty space, which would be the least secure.