I bought a 3d printer off Ebay which got delivered not too long ago, and it came with 2 sd cards - one with a build video and some demo print files, but worryingly another card that has all the previous owner’s personal files on there.
Not sure whether to format it, or to contact the seller offering to send the card back (free of charge)… how would you prefer to be approached in a similar situation?
Edit: No gcode files are on the card, just 30gb of pictures, music and videos. Sent the seller a message offering to upload it to cloud or to send the card back
That’s the type of security advice they give you when there’s an international team of hackers after your data, and it’s true… and on the level of “don’t open any emails from an address you don’t know”, “don’t click links to domains you don’t recognise”, and “leave secure boot and smart screen enabled, don’t install any browser extensions, and never ever add any exclusions to your antivirus”. Very important for business computers, but let’s be realistic about the realistic threat profile.
I don’t know what position OP is in but I doubt anyone is going to spend 50 dollars on a Rubber Ducky to attack OP. Even if they would, we’re talking about an SD card, so your risk comes down to “0day file system driver exploit” which I doubt anyone is going to send out over eBay.
Yes, OP could be targeted by FIN7 and maybe should consult the FBI about a suspicious extra SD card, but most likely the sender accidentally included the wrong SD card in his package.
It doesn’t have to be about someone stealing your data. I had a situation where a user got some malware on their USB drive that deleted other user files when plugged in and replaced them with porn or something. It’s just good practice to not plug unknown devices into your computer all willie nillie.
It’s important to be careful and to treat storage devices like their contents came off the internet. I wouldn’t be opposed to some kind of (non-identifying) machine marker on partitions so the OS can track whether or not the disk has been inserted before, to treat the files on those disks the same way it treats downloaded files (i.e. apply the Mark of the Web) unless the disk is marked as trusted.
That said, this “only insert storage devices into an offline Linux laptop that you light on fire afterwards” type of advice doesn’t apply to moet people most of the time.
Never insert an unknown storage device into a computer you don’t own (i.e. a work machine), probably because there’s some kind of contract with repercussions for that sort of thing, but you’re probably free to look around it you think before you click.
This only applies if you update your stuff and reboot your computer when asked, off course. Treat any file from any source like toxic waste if you can’t be bothered to install updates.
Windows doesn’t autorun by default these days iirc, I don’t think there’s any zero interaction remote code execution bugs that are unpatched either. The only way you would get compromised is by running something or if the usb device pretended to be a keyboard which I don’t think is commercially available in sd card format