I bought a 3d printer off Ebay which got delivered not too long ago, and it came with 2 sd cards - one with a build video and some demo print files, but worryingly another card that has all the previous owner’s personal files on there.
Not sure whether to format it, or to contact the seller offering to send the card back (free of charge)… how would you prefer to be approached in a similar situation?
Edit: No gcode files are on the card, just 30gb of pictures, music and videos. Sent the seller a message offering to upload it to cloud or to send the card back
Firstly, never stick a storage drive into your personal machine that was previously owned by an individual. If you need to use the drive always open it on a machine disconnected from the Internet that contains no personal files. Better would be to boot up a live Linux machine and read the drive and format if needed.
That’s the type of security advice they give you when there’s an international team of hackers after your data, and it’s true… and on the level of “don’t open any emails from an address you don’t know”, “don’t click links to domains you don’t recognise”, and “leave secure boot and smart screen enabled, don’t install any browser extensions, and never ever add any exclusions to your antivirus”. Very important for business computers, but let’s be realistic about the realistic threat profile.
I don’t know what position OP is in but I doubt anyone is going to spend 50 dollars on a Rubber Ducky to attack OP. Even if they would, we’re talking about an SD card, so your risk comes down to “0day file system driver exploit” which I doubt anyone is going to send out over eBay.
Yes, OP could be targeted by FIN7 and maybe should consult the FBI about a suspicious extra SD card, but most likely the sender accidentally included the wrong SD card in his package.
It doesn’t have to be about someone stealing your data. I had a situation where a user got some malware on their USB drive that deleted other user files when plugged in and replaced them with porn or something. It’s just good practice to not plug unknown devices into your computer all willie nillie.
It’s important to be careful and to treat storage devices like their contents came off the internet. I wouldn’t be opposed to some kind of (non-identifying) machine marker on partitions so the OS can track whether or not the disk has been inserted before, to treat the files on those disks the same way it treats downloaded files (i.e. apply the Mark of the Web) unless the disk is marked as trusted.
That said, this “only insert storage devices into an offline Linux laptop that you light on fire afterwards” type of advice doesn’t apply to moet people most of the time.
Never insert an unknown storage device into a computer you don’t own (i.e. a work machine), probably because there’s some kind of contract with repercussions for that sort of thing, but you’re probably free to look around it you think before you click.
This only applies if you update your stuff and reboot your computer when asked, off course. Treat any file from any source like toxic waste if you can’t be bothered to install updates.
Windows doesn’t autorun by default these days iirc, I don’t think there’s any zero interaction remote code execution bugs that are unpatched either. The only way you would get compromised is by running something or if the usb device pretended to be a keyboard which I don’t think is commercially available in sd card format
Autorun doesn’t exist anymore.
As long as you don’t open any executables, you’ll be fine.
What’s the chance that the seller has a 0day (which would be veeery valuable) and is using it to steal data from someone random? Not worth it for sure on their side.
While autorun doesn’t exist anymore, there’s many many other methods of attack via usb.
Here’s a list with 10 seconds of searching:
https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
It’s entirely possible this drive was made maliciously to pass on data from whatever unsuspecting soul uses it. The seller op bought from could even be a victim themselves. You just never know.
We’re talking about an sd card here. The absolute majority of these attacks only work with USB drives.
And the rest either don’t make sense or make use of a 0day, which, as I’ve already said, is inconceivable
How do you read a SD card? I usually put it in my SD card reader which is USB.
The SD card is still speaking SD protocol, the card reader bridges between USB and SD.
This only works with USB sticks because they’re plugged on directly over USB and you don’t know whether it’ll present itself as a storage device or as a keyboard that immediately starts typing stuff and running a bunch of commands.
The risk is not the flash storage part, it’s the USB interface.
But I don’t think OP is saying the package came with an sd card reader as well that they used
Best security practices are pointless if you disregard them because they’re inconvenient and unlikely to be necessary. Most needles I find on the ground are clean too, but I’m not just gonna stick them in me because the odds are in my favor.
Might as well get rid of your internet connection then.
And your shoes while you’re at it. Good luck walking on all those pinecones!
Better to offer and they say no vs you just destroying data they can’t replace and didn’t realize they’d lost.
Just send a quick email/DM. Couldn’t hurt. Could even send the data through dropbox or similar instead of the whole card.
I know if I was the seller I would appreciate the gesture, even if I didn’t need the data.
First make sure it’s not CP 🤷🏻♀️
Reach out to them and ask. The card is now yours, but the data is theirs.
I am sure if needed they can give you an online folder to upload the contents if needed.
Yeah I don’t see the need to return the card. But asking if they want the data seems sensible.
Offer to send it back.
Upload the files to google drive or the like, send the seller a message with the link and an explanation. Give them 14 days to download it. Delete files.
Idk how big these files are. Too big and my idea won’t work
I wouldn’t upload my own files to the cloud, and in turn I wouldn’t upload someone else’s without their consent.
It might have passwords, personal financial data, corporate trade secrets, health data, child porn—any number of cans of worms.
Good on you for asking to upload the data before formating. It’s a nice gesture that I’d appreciate either way.
I’d just contact the seller, explain the situation, and offer to send it back. If they say they don’t care then just go ahead and format it, or dig through it for fun if you’re that kind of person.
I’m pretty sure he doesn’t care about random gcode files that won’t be usable on another 3D printer anyway.
It’s pictures, music and videos, sorry wasn’t clearer in the post - updated
then yes, you should tell them 😁
