Two-Thirds of Second-Hand Memory Cards Contain Data From Previous Owners (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A recent study conducted by academics from the University of Hertfordshire in the UK has revealed that almost two-thirds of second-hand memory cards still contain remnants of personal data from previous owners. For their study, researchers analyzed 100 second-hand SD and micro SD memory cards purchased from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. All in all, researchers say the memory cards they recovered were previously used in smartphones and tablets, but some cards were also used in cameras, SatNav systems, and even drones. The research team says the analysis process consisted of creating a bit-by-bit image of the card and then using freely available software to see if they could recover any data from the card. Their efforts were successful and worrisome at the same time, as the team says it managed to recover data from the memory cards, including intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.
  • Just Surprised... (Score:4, Interesting)

    by rally2xs ( 1093023 ) on Friday July 06, 2018 @09:49AM (#56901836)

    ...that it's ONLY 2/3rds. Who remembers / bothers to erase that data, anyway? For my cameras and GPSs, I doubt that I'd bother. Info available is immensely non-useful to anyone else. A PC memory I would erase, and spend time writing 1's, 0's, and then random #'s to it, but the other hardware I really wouldn't care about.

    And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them. Everybody knows that.

    • by Anonymous Coward

      That's the first damn thing on my mind whenever such a device is leaving my control.

      WTF is wrong with you people? Bell curve, that's what.

      • That's the first damn thing on my mind whenever such a device is leaving my control.

        WTF is wrong with you people? Bell curve, that's what.

        I wouldn't even SELL or give away any SD card/HDD, etc., even if I had wiped it. Not worth potential privacy and identity loss, even if I have wiped it with special software... I just would never take that risk. Who even sells their used SD cards? What do you get, $2? Not worth it.

        • I have never bothered selling a used memory card. If it is leaving my possession, it gets the "dd if=/dev/urandom of=/dev/sdwhatever" treatment, at least once or twice.

    • by KiloByte ( 825081 ) on Friday July 06, 2018 @10:13AM (#56901968)

      And who is SELLING these memory cards, anyway? That's not how you get rid of 'em. You get rid of 'em by losing them.

      That kind person who made you lose the card is selling; he can't drink, smoke nor inject that card in its present form. And you did not get an opportunity to clean the data.

      Thus, we'd need some way to encrypt the cards yet still be able to comfortably share them between diverse systems, as unless the card is sitting in the dust behind your couch, the data is likely to be used. Not by the direct "finder", but as soon as anyone pays for the copy, those nudes and bank statements will be out there. Oh, by the way: if you're evil enough, here's a business opportunity. Don't take it.

    • A PC memory I would erase, and spend time writing 1's, 0's, and then random #'s to it, but the other hardware I really wouldn't care about.

      Also, given that flash cards have a limited number of erase/write cycles, doing a proper erase would reduce the lifespan of the card significantly (at least compared to a hard drive).

    • When I saw the headline, I assumed that was the number of people who didn't even bother to delete everything.
    • by Anonymous Coward

      That's nothing! A few years ago some folks bought 100 used copy machines. In every case, the hard drives in those machines had not only records of copier usage, but the actual documents that had been copied. Wait...you didn't know that copiers had hard drives and kept copies of documents? Some of the used copiers had come from police stations, and had copies of case documents on them.

      Be careful what you copy and where!!!

      • What blows my mind is that it isn't hard to create an encryption system to guarantee that temporary files stored there are zapped. It can be as simple as deleting the old cruft, creating a LUKS volume or eCryptFS directory on bootup, keeping the key in RAM, and storing files there. If the copier gets power cycled, the keys are forgotten, and the documents are never accessible. Next bootup, the files are cleared out, and a new volume is made.

        If the copier uses Windows, a partition that is formatted and a

    • Info available is immensely non-useful to anyone else.

      Last time I found a memory card the contents were useful enough to directly identify the owner even though it contained nothing but camera snaps. Hell the last 2 times that was true and the second time I found the camera in the bottom of the ocean.

      Don't discount what is on your memory card. It's like those people who don't realise that posting a selfie with your plane ticket barcode visible is about all that is needed for someone to come in and cancel your flight on you.

  • by fph il quozientatore ( 971015 ) on Friday July 06, 2018 @09:56AM (#56901878)
    Who the heck sells a memory card? They are as cheap as a McDonald's burger, and by the time you exit the store there are already larger ones on sale.
    • Stupid people that's who!

      The sort of people that do not know how to properly delete files (really a once over zeroing is fine, or choose your favourite number!).

      I am more worried about the sort of people that buy these second hand cards to trust their data to!

      I have many old cards. I should bin them but I like to hoard! They are all far too small anyway (16gb is the minimum these days, 64gb is usual, your view may differ!) I tend to buy above the burger price but below the point where the price gets silly.

      • by OzPeter ( 195038 )

        I have many old cards. I should bin them

        Which raises the question of what is the environmentally way of disposing of them?

        That's one reason I also have a hoard of memory cards - I have no idea of the best way to dispose of them and the amount of money I'd make on selling them isn't worth my time*

        ---

        *Anyone want to bid on a SanDisk EC-8CF 8MB CompactFlash card? It's Nikon branded!

        • You can break them in half to be safe. But there isn't really an environmentally sound way to dispose of them.
          • But there isn't really an environmentally sound way to dispose of them.

            Throw them into an active caldera. They get instantly melted down and form part of the earth's magma. The only downside is you have to walk to the volcano- not drive because driving pollutes. Some people have a longer walk/swim than others.

        • by PPH ( 736903 )

          Which raises the question of what is the environmentally way of disposing of them?

          What about an SD card is hazardous?

          • Neckbeard tears are highly toxic, you'd never decontaminate their hoard.

            I'd just take them to the local tech recycling nonprofit in an unmarked bag, and just don't even mention where they came from. They probably have neckbeards that attempt to volunteer in exchange for free computers, especially before they learn that the volunteering needed is all manual labor. So they have to already have some precautions; they'll be able to contain any outbreaks. So don't worry. Just don't tell them, they don't want to

    • Re: (Score:2, Funny)

      I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.
      • I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.

        Where are you getting 400 used memory cards a month?

      • by OzPeter ( 195038 )

        I do. I typically make about $5 per memory card, and I sell about 400 per month. It supplements my $50,000 a year salary I get in IT in Silicon Valley.

        So you are buying them for $6 and selling them for $5 with the intention of making up for the losses with volume?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Thieves. That's also why they don't bother erasing the card.

    • Thefts come to mind, be it cell phones, cameras, or whatnot. A cell phone, even if it will never work for a provider, is still worth a lot, due to the screen and other parts, and a SD card, especially a larger one, is just icing on the cake.

      Some Android phones do a great job at full volume encryption, so the SD card's loss means data isn't lost. Other phones don't do that, which can be a security risk.

  • by necro81 ( 917438 ) on Friday July 06, 2018 @09:57AM (#56901888) Journal
    My secret pastime is buying up old memory cards, finding the goodies, and then blackmailing the former owners, committing industrial espionage, and generally being amused. Now you all have gone and ruined it by warning everyone!

    Oh, wait, people are still lazy? Don't care about security? Wouldn't know how to wipe a card even if they did care? Well, then, I guess I'm all set.

    disclaimer: this post is in jest
    • by cshark ( 673578 )

      Quite the racket you've got going on. But what do you do with the cards after you get the data off of them and blackmail the owners? That's a lot of media. I was thinking, you know, cost per gigabyte on memory cards is so low, it's almost negative. I bet you could do something fun with drive clustering if you had the hardware to do it.

      • by necro81 ( 917438 )

        But what do you do with the cards after you get the data off of them and blackmail the owners?

        Load them with malware, then sell them back on eBay! Or sprinkle them at various political gatherings to see who's gullible enough to pick them up and plug them in.

      • Most memory cards can be used directly by microcontrollers with built-in SPI communication. Even just an Arduino can give the access. Not to make it fast, but when you're hunting for a "fun" use case, that won't matter; you can still over-build it.

  • by Anonymous Coward on Friday July 06, 2018 @10:14AM (#56901972)

    I could not find the link to the actual report in the summary or the linked article (unless I missed it). But some googling located it.

    https://cdn.comparitech.com/static/docs/survey-data-remaining-second-hand-memory-cards-uk.pdf

    It is linked in the story of the company that commissioned the research in the first place: https://www.comparitech.com/blog/vpn-privacy/secondhand-memory-card-study/

  • Contain genetic material from previous owners.

  • by Anonymous Coward

    You are all cows. Cows say moo. MOOOOOOO! MOOOOOOO! Moo cows MOOOOOO! Moo say the cows. YOU DBAN-NEEDING COWS!!

    • I doubt they'd manage dban, if you want these cows to make progress that easy you'd have to somehow teach them to follow a shepherd.

      No, you're going to have to team up with app guy for this one. Make it easier.

  • but alas SD cards don't seem to support it.

  • Why is this so "surprising" - most people don't understand how a FAT file system works when you delete something, fuck, most PROGRAMMERS don't understand how FAT works, so why is it surprising most people think that simply deleting files is the same as erasing the card? Some might go the extra mile and format it, but all that does is reset the FAT table.

    P.S. The only reason I know so much about FAT is I tried to write a boot sector virus in assembler in school. Yeah, it didn't work as expected and I en
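
Added example, not part of the comment above or of the study: a toy FAT16-style image showing what a delete and a quick format actually change on the card, and why only an overwrite of the data area removes the content. The geometry, payload and function names are constructed for illustration.

```python
import struct

SECTOR = 512                      # constructed toy geometry: 1 sector per cluster
FAT_OFF, DIR_OFF, DATA_OFF = 0, SECTOR, 2 * SECTOR
CLUSTERS = 8

def make_image(name83: bytes, payload: bytes) -> bytearray:
    """Build a toy image holding one file that starts at cluster 2."""
    img = bytearray(DATA_OFF + CLUSTERS * SECTOR)
    n = -(-len(payload) // SECTOR)                    # clusters needed
    for i in range(n):                                # FAT chain 2 -> 3 -> ... -> EOF
        nxt = 0xFFFF if i == n - 1 else 3 + i
        struct.pack_into("<H", img, FAT_OFF + 2 * (2 + i), nxt)
    # 32-byte directory entry: name, attribute, start cluster at 26, size at 28
    entry = name83.ljust(11) + b"\x20" + bytes(14) + struct.pack("<HI", 2, len(payload))
    img[DIR_OFF:DIR_OFF + 32] = entry
    img[DATA_OFF:DATA_OFF + len(payload)] = payload
    return img

def delete_file(img: bytearray) -> None:
    """What an OS delete does: mark the entry 0xE5 and free the FAT chain."""
    img[DIR_OFF] = 0xE5
    img[FAT_OFF + 4:FAT_OFF + 2 * (2 + CLUSTERS)] = bytes(2 * CLUSTERS)

def quick_format(img: bytearray) -> None:
    """Quick format: rewrite FAT and root directory, leave data clusters alone."""
    img[FAT_OFF:DATA_OFF] = bytes(DATA_OFF - FAT_OFF)

def overwrite(img: bytearray) -> None:
    """Zero the whole data area, the equivalent of overwriting the device."""
    img[DATA_OFF:] = bytes(len(img) - DATA_OFF)

def undelete(img: bytearray):
    """Read back a deleted entry, assuming its clusters were contiguous."""
    entry = img[DIR_OFF:DIR_OFF + 32]
    if entry[0] != 0xE5:
        return None
    start, size = struct.unpack_from("<HI", entry, 26)
    off = DATA_OFF + (start - 2) * SECTOR
    return bytes(img[off:off + size])

def residue(img: bytearray, marker: bytes) -> bool:
    """True if the marker bytes are still present anywhere on the image."""
    return marker in img
```

After `delete_file` the directory entry still names the start cluster and size, and after `quick_format` the metadata is gone but `residue` still finds the payload; only `overwrite` clears it.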
  • Why is it shocking that you can recover unsecured data from a used memory card again? Especially when you're using recovery software to do the job? This one falls into the "no duh," category.

    • Exactly. That was my point. How is this considered "academic study"? Of course I get crucified by the dullards on here who think this is novel research.
  • This is nothing new. Several years ago, a local electronics junk store got in a bunch of Blackberries of various models (probably a company going out of business) and were selling them for something like $5 apiece. Daughter was a major texter at the time, and liked the retro look and superior keyboard, so we bought several different models so she could switch between them as her mood took her.

    We discovered that all but one of them had not been wiped. Appointments, phone numbers, baby pictures, still inta

  • It would cost a bit more but maybe it's time for camera-cards, USB sticks, and the like to routinely use strong encryption with a non-secret-by-default key stored on the medium itself.

    To the end user, it would "just work" except there would be a "quick erase" mode that would scramble the key then either do a normal operating-system-level "long" or "quick" format using the new key.

    Even a "quick format" by the OS would be good enough since the left-over data would be encrypted with a now-deleted key.

    Now, th
