this post was submitted on 29 Dec 2023
78 points (98.8% liked)

Asklemmy

43989 readers
1255 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

I bought a 3d printer off Ebay which got delivered not too long ago, and it came with 2 sd cards - one with a build video and some demo print files, but worryingly another card that has all the previous owner's personal files on there.

Not sure whether to format it, or to contact the seller offering to send the card back (free of charge)... how would you prefer to be approached in a similar situation?

Edit: No gcode files are on the card, just 30gb of pictures, music and videos. Sent the seller a message offering to upload it to cloud or to send the card back

all 25 comments
sorted by: hot top controversial new old
[–] ThePantser 78 points 11 months ago (2 children)

Firstly, never stick a storage drive into your personal machine that was previously owned by an individual. If you need to use the drive always open it on a machine disconnected from the Internet that contains no personal files. Better would be to boot up a live Linux machine and read the drive and format if needed.

[–] LufyCZ -4 points 11 months ago (2 children)

Autorun doesn't exist anymore.

As long as you don't open any executables, you'll be fine.

What's the chance that the seller has a 0day (which would be veeery valuable) and is using it to steal data from someone random? Not worth it for sure on their side.

[–] [email protected] 34 points 11 months ago* (last edited 11 months ago) (2 children)

While autorun doesn't exist anymore, there's many many other methods of attack via usb.

Here's a list with 10 seconds of searching:

https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/

It's entirely possible this drive was made maliciously to pass on data from whatever unsuspecting soul uses it. The seller op bought from could even be a victim themselves. You just never know.

[–] LufyCZ 5 points 11 months ago (1 children)

We're talking about an sd card here. The absolute majority of these attacks only work with USB drives.

And the rest either don't make sense or make use of a 0day, which, as I've already said, is inconceivable

[–] ThePantser 0 points 11 months ago (2 children)

How do you read a SD card? I usually put it in my SD card reader which is USB.

[–] [email protected] 10 points 11 months ago

The SD card is still speaking SD protocol, the card reader bridges between USB and SD.

This only works with USB sticks because they're plugged on directly over USB and you don't know whether it'll present itself as a storage device or as a keyboard that immediately starts typing stuff and running a bunch of commands.

The risk is not the flash storage part, it's the USB interface.

[–] [email protected] 1 points 11 months ago

But I don't think OP is saying the package came with an sd card reader as well that they used

[–] MiltownClowns 15 points 11 months ago (1 children)

Best security practices are pointless if you disregard them because they're inconvenient and unlikely to be necessary. Most needles I find on the ground are clean too, but I'm not just gonna stick them in me because the odds are in my favor.

[–] [email protected] 54 points 11 months ago* (last edited 11 months ago) (1 children)

Better to offer and they say no vs you just destroying data they can't replace and didn't realize they'd lost.

Just send a quick email/DM. Couldn't hurt. Could even send the data through dropbox or similar instead of the whole card.

[–] MissJinx 2 points 11 months ago

First make sure it's not CP 🤷🏻‍♀️

[–] [email protected] 18 points 11 months ago (1 children)

Reach out to them and ask. The card is now yours, but the data is theirs.

I am sure if needed they can give you an online folder to upload the contents if needed.

[–] [email protected] 5 points 11 months ago

Yeah I don't see the need to return the card. But asking if they want the data seems sensible.

[–] AncientFutureNow 11 points 11 months ago* (last edited 11 months ago) (1 children)

Upload the files to google drive or the like, send the seller a message with the link and an explanation. Give them 14 days to download it. Delete files.

Idk how big these files are. Too big and my idea won't work

[–] [email protected] 14 points 11 months ago* (last edited 11 months ago)

I wouldn’t upload my own files to the cloud, and in turn I wouldn’t upload someone else’s without their consent.

It might have passwords, personal financial data, corporate trade secrets, health data, child porn—any number of cans of worms.

[–] andrewta 9 points 11 months ago

Offer to send it back.