From one IT/OT person to another IT person, i have to respectfully disagree with your evaluation and for taking Bambu Labs words at face value.. There is nothing, if not minimal, security added by this new firmware, which by the way has already had its encryption key compromised and leaked 24hrs after its release to beta. MQTT is an extremely common OT communication protocol with moderate to good security depending on its implementation (opinion varies if you're an IT guy or an OT guy) but, FTP is as insecure as they come, which arguably, is fine on a SOHO LAN but not a corp. network. Just the fact that your print job has to go out the WAN to BBL servers and then come back down the WAN to your printer is a questionable practice along with allowing unfettered internet access to the printer in the first place. Just that practice alone was the first thing that made my cringe and move to LAN mode, i'd rather send my print data over my secure wireless (i'd prefer ethernet solution) then over the internet to BBL servers. LAN Mode is not hard to set up and use, and i agree using the cloud is definitely faster, easier and more convenient especially for new users. What i want to know is why can Bambu slicer send data to the cloud at line speed but can only send data over wireless at a paltry 2MB/s to a PS1, a little faster to the X1C using the SAME wireless. Now i am not the avg user and i don't use SOHO hardware for my network and i am well versed in wireless technologies pros and cons, especially cause the printers use wifi 4 1x1, 20yr old technology but at least they use WPA2. Again, I'd get it if they nerfed local wireless transfer to make sending data up the WAN faster and the preferred choice, no complaints there just curiosity. Additionally, Why does BBL need to see my data? Is it not enough that they know what i am printing but i have to send my files to them too?? I won't even touch on the tinfoil hat stuff about all the negative press about Chinese hacking US assets and them "Profiling" US citizen's, but anyone who is a gamer why companies region lock games. Printers are an OT device just like any other and IT (and OT) best practice is to secure OT Devices from the internet. I treat printers like IP cams and smart home devices, behind a firewall, on a seperate vlan and no access to internet or internal vlans except for me VPN'ing in if i want to view or access my OT/IOT network. Alexa is an OT product that requires internet work (which i will never use, sorry Jeff, my data is mine), just like these printers, and if you want all their capability and the Handy app, great, off it goes on an IOT network with no access to my internal networks, or in BBL printers case, i block them from internet access period, and use LAN mode. Way more secure than trusting BBL to protect me. I respect your view and i don't wear a tinfoil hat but, i would not, and do not, take BBL blog post statements as the truth and i guarantee there is an ulterior motive to this security upgrade. They claim their servers were attacked, well that is their IT problem not ours, our printers were not attacked because you have to authenticate your install of BBL Studio to your printer and LAN Mode requires punching in the unique and changeable Access Code into the slicer to use the printer. Plus, there are way better and less inconvenient ways they could approach security if they truly wanted to. I am not convinced. There is a lot a crazy talk about this topic and i give you a lot of respect for taking a stance and sharing your opinion. The internet is full of speculation but as and IT/OT security guy i am saying their upgrade doesn't effectively solve any problem (other than 3rd party's getting a piece of their pie) but, it does appear to be the first step in further closing off their ecosystem. Which is fine, for any future products, that's their choice and people will respect it, but don't do it to existing products and don't do it under the guise of security. That i believe is the stinger in the community, they feel lied to and a lack of transparency; which is why so many people flocked to open source products. Bambu caught the world by storm with an exceptional product and may be a victim of their own success but shitification of a product is the best way to watch revenue tank. Again, much respect for your opinion, i'd hope you'd respect mine. I also hope that you are correct and that they will refine their iteration of the beta firmware and they find a better way to achieve security without breaking 3rd party integration.
This is cool! Although in a different context and forum, you would find we don’t disagree on much of what you written and the way you feel. As this video’s intended audience most likely does not have the level of experience and insight as you and I, we made the decision to keep it at a higher level. As to whether a 3D printer and Alexa Echo is an OT might be debatable (maybe on another video comments thread) we do agree on network security and isolating devices that may be suspect. All of my IoT networks, both professionally and at home are segmented and secured. That’s just a reasonable practice for what we do. For most non IT oriented people, it’s a different landscape. While you and I see the benefit to justify the cost of advanced networking equipment to achieve the topologies to provide the best possible security, most of the general population do not have those resources nor the training necessary to utilize them. As to accepting Bambu Labs statement as the truth, that remains to be seen. Guarantees at this point are disingenuous at best. Years ago I would be in total agreement but old age and serious introspection has revealed certain truths about how wrong I could be in my hard line stance as well as the unintended impacts and consequences they could bring. I came to the realization I have to decide what is truly important and what is not. Given that our important personal information (PI) as well as health information is already out in the wild due to so many corporations and our own governments are giving it away to hackers, etc. Even Ford and GM have been selling our cars telemetry data to Insurance companies. These are of greater concern than whether a third party knows what I have been printing. I’m sure you watch the CISA announcements about vulnerabilities found and patched in control systems, the very ones that supply our critical utilities. As far as efforts in securing our printers, I do believe Bambu is trying. It may not be great but it is a step in the right direction. If they didn’t care they wouldn’t be bothering. The current lack of security would give them everything they needed to do something nefarious. So where does this all lead in my opinion of what’s going on? As pointed out in the video, Bambu Labs, at this point is still providing resources to users such as spare parts at reasonable cost and a hardware system that is simple enough that a novice can repair consumable parts. This is not the behavior of a company that wants to destroy itself. Could they change? Sure. But at the moment that does not look like the case. The nature of suspicion has been seeded in our society for decades and while sometimes necessary has reached a point where it is unhealthy. People should not be intimidated by unvalidated hype and “what if” scenarios to the point where they are missing out on the important moments in life. To be able to enjoy the new discoveries of life that bring real joy without being brow beaten into a singular mode of group think is the point of the video. As far as choosing what Is and what isn’t important enough to get worked up about? That’s up to each person and no one who is an adult of reasonable ability should let another person make that decision for them. (I qualify that because I have been the health care representative for close relatives who were incapable of making their own decisions. The things we learn as we live life.) For me, I’ve learned to relax and concentrate on what truly matters. I applaud your networking prowess and care in your application of your knowledge and skills. I am also deeply grateful for your respect.
if you've been in IT engineering for 30 years, surely you know about a number of better methods of secure communication than "bambu connect"? like the ones Google, Meta, Microsoft, Github and others use without requiring weird 3rd party proxy to be installed on your computer.
Yes, there are a variety of ways to secure communication from simple challenge/response schemes to crypto card type authorization to MFA like DUO, MS and Google Auth apps. But these are not at the device level, but at the user level of access for email, storage, general web apps., etc. And many of the higher level user level apps (Office 365 for example) are offering and starting to require MFA (Multi Factor Authentication). There are other behind the scenes means of securing communications at the device level. As far as how Bambu Labs decides to implement these is up to them and their engineers. I’m not really here to do the job for them nor was that the intent of the video. But, I’m really glad you asked the question. I can respond with a method that might help explain the route Bambu Labs has taken based on certain assumptions. Again, this is based on assumptions without having intimate knowledge of the inner workings of Bambu Labs systems and is somewhat theoretical in nature. In the past I’ve use reverse proxies via NGINX to help secure data paths from Kafka ingest processes. I apologize if this seems super technical. Basically, the reverse proxy sits in front of the http (web based) service and routes the traffic according to the IP address of the sender or the URL the sender is trying to access. This is very basic security and not the whole of the system but it’s at the root of how the data is processed from the sender computer to the host. This is good if the sender you want to allow knows the URL, port, keys, etc. of the destination. Bambu Labs cannot allow every IP on the planet to pass through a system like this (if that’s what they’re doing). As Bambu Labs is the software and hardware developer, they can implement this relatively seamlessly on their software and hardware. But what about other software they do not develop but want to allow to access their system? The option is to have another process on the local machine, similar to a vpn client, that can translate general requests and add the appropriate keys to the door in the cloud. Orca Slicer, for example is meant to be a general slicer compatible at the hardware level with a variety of 3D printers. A general rule of thumb in security is the more general a program is, the more bugs, flaw, and security risks it MAY have and also limited functionality. BTW, I use Orca Slicer for some operations and trust it. A proxy app between Orca and the cloud makes sense for those who want to use Orca Slicer and still want to benefit from some of the cloud operations offered by Bambu. Again, this is somewhat theoretical and maybe a bit simplistic for some and too technical for others, but this is my perspective on what’s going on from a technical point of view. This will make a great video for another channel I'm starting.
I wouldn't call that MFA. It's more of a device registration linking the device to your account. It's similar to having a license plate that shows that you own the car with local authorities but does nothing to prevent your car from being stolen.
3rd party slicers Will not be allowed to "become compatible", please see the post from SoftFever themselves. They were told in simple terms to "pound sand".
Actually, SoftFever, for now, has rejected the Bambu Connect offering from Bambu Labs. Which is not Bambu Labs telling him to "pound sand". This current stance is SoftFever's choice. This is how negotiations work. Essentially, SoftFever is throwing the ball back into Bambu Labs court. To definitively say "will not be allowed" is a fallacy, especially in light of his sincere request that Bambu Labs reconsider. This is a wait and see situation. Not really the point of the video, either. Disagreements between publishers and developers is nothing new. Disappointing, yes. Startling, no. Are we hopeful for a happy conclusion? Absolutely. Your tone and wording add nothing but noise.
@@wolftraxlife "rejecting the offer" is "whitewashing" it. Would you be ok having to launch an HP application to print a Word document on your HP Printer? (Those are Jeff Geerlings words, not mine.)
As a maker for almost 30 years I can assure you that you’re missing the point. This is not about security regardless of what BL says. If you don’t believe me, ask XYZ Inc. why they went out of business. It’s the definition of insanity. Does BL think they’re going to get a different result for the EXACT same thing that put XYZ and many other companies before them out of business? I sure hope they’re not that stupid. We as makers don’t want restrictions on anything. We want to modify and tinker every last nut and bolt we can get our hands on. Taking that ability away from us in the name of security is an economic death sentence even if your security concern is genuine. For us, full control of what we paid for outweighs the negligible risk of someone hijacking my machine to print themselves a benchy.
I think you missed the point of the video. It's meant for the new Bambu Labs Printer owner and how to navigate through the FUD. I've been a businessman longer than I have been in IT and have owned more than a couple of successful companies. Clairvoyance is not within anyone's realm to accurately predict the future so neither you nor anyone else can assure me of anything. What XYZ did is completely different from what Bambu Labs is doing right now. Bambu Labs printers and eco system was not designed for you to take apart and remake in your own image, nor was that claim ever made. There are plenty of other systems that let you do that. Choose one of those if you desire. To claim Bambu Lab's printers as part of the Tinker realm is a fallacy. You are also confusing Makers with Tinkerers believing they can only be one and the same. You may be doing both in combination since they are not mutually exclusive nor entirely dependent on each other. I salute your dedication to the Tinkerer side of 3d Printing as indicated at the beginning of the video. I believe I referred to you and your fellow Tinkerers as giants. Bambu Labs has brought a new dimension to the 3d printing world with ease of use in every aspect and it has changed the world. You may not like the change. I get that. I have seen this argument so many times over and over again when a small community believes they have exclusivity to a certain idea, or process, or whatever. When someone comes along and brings innovation that opens opportunities for everyone to participate, rage ensues as if the original community has been insulted. All of your efforts in 3D printing have not been in vain. People like you are largely responsible for helping to make 3D printing accessible for so many others who would be driven away by the cost in time and lack of expertise. As I mentioned in the video, you have my gratitude and thanks.
Well said.. im one of those who would not be in this hobby if I had to spend the time "tinkering" with my 3d printer... unfortunately due to my life I only have a small amount of time available for hobbies... and bambu has opened up 3d printing to be one of those hobbies. I have fallen in love and addiction and am already planning my 2nd printer after 4 weeks of owning my first... A user like me doesn't care if im locked into bambu products, but I do understand why certain use cases are getting upset... on that end, just keep using the company it's you have used for 20 years, they are innovating at a rapid pace because of the change bambu has brought to the community, and my next printer may not be a bambu printer.. but it will certainly be a printer that I can "just use" and not constantly work on..
@ we can agree to disagree. Twenty years in law enforcement has made me skeptical of a lot of things and I’m certainly calling BS on BL. I sincerely hope I’m wrong and you’re right but I just can’t believe the decisions of a Chinese company operating under the CCP are genuinely for the benefit of the consumer.
@ I certainly understand most people want a plug and play worry free device but that’s not realistic. The inherent nature of 3D printing is going to require a fair amount of tinkering and maintenance to keep them running well. Many parts are wear and tear regardless of brand and BL doesn’t seem to want to play nice with neither their hardware or software. Welcome to the amazing world of 3D printing but buyer beware.
We certainly can disagree. And it's great! Your experience in law enforcement is the bias on which you make decisions and I gather that it has served you well. Skepticism is healthy unless that is all you use, though. Available evidence as fact is also a factor in decision making. Proper investigation and research are required to make a quality conclusion. I'm guessing many Fisker owners are wishing they had all the facts about the company founder before buying one. Thanks for the comment!
@@wolftraxlife See as you may have guessed i'm not all that comfortable taking carefully worded Bambu Lab statements at face value when what they're doing is replacing a flawed security concept, by a security concept which has all the same flaws and then some, but now with artificial limitations, it just doesn't quite vibe as a genuine security proposal to me. And it's sort of difficult to suggest that they don't know what they're doing, i mean you have seen their engineering, it's top notch, it's not some uncle and a couple college friends, they've got resources behind them. Guaranteed, top security experts are at the distance of a phonecall for them. And given the wide userbase including early adopter type cohort, there's some of this same top level expertise found in the halo user group as well. Which is exactly why community is eyeing the changes with suspicion. And as an IT professional, you're bound to be seeing the fundamental issue as well, right? That you cannot securely hide encryption keys in a client application, that no client on the Internet can ever be trusted. And i'm sure you could come up with a better concept, for example, you can assume you trust the company's own infrastructure, and that you can lend a temporary limited token of trust from the machine itself pertaining to things that happen on this machine, in the sense that if an enduser modified the machine to do something it's not supposed to do, well the outcome is their own problem. But you can't just trust a PC application no matter if it's called Bambu Studio or Bambu Connect or something else, because you can assume up front that an impostor exists. You say you're not there to do the company's work for them which is fair, and yet you are happy enough to reproduce and amplify their PR. I also think the use of term "FUD" is completely misplaced since that implies a targeted campaign, and while i'm sure several competitors are eyeing what's happening with a hint of glee, this is entirely Bambu's own doing. And as a business person, you're also likely to have a scope of how larger VC backed startups operate, right? I'd be half surprised if you were never pushed out of business by one, or didn't have that happen to one of your mates. I actually think security is going to be vital for this market sector, and that people shouldn't be expected to handle their own security on a mass market machine like this, and that an actual security architecture is needed, not security theatre. And i also have a suspicion that other companies are going to stay oblivious to this as well.
@SianaGearz It’s awesome that you engaged. As I’ve opened the door to traverse this Rabbit Hole, might at well see where it goes. Thank you. First let’s look at where we agree. I can understand why Bambu Labs is taking this approach in a beta release. But also agree that it is not great approach in its implementation. We also agree that this market segment is in dire need of better security as in my view, it’s not going to slow down. At least in terms of cloud integration. More manufacturers are seeing the benefit of expanding their customer base beyond the DIY and Tinker space. You are also correct in the assessment of using the X1C as the test platform for this beta release. Also, application trust is crucial no matter what the application is or who the developed it. Where we disagree Am I happy with my Bambu Lab experience. Yes. It opened the door for me to easily access 3d printing. Am I happy to share my experience about it. Absolutely. Being happy about a purchase and telling other people about it isn’t PR. People talk positively about their cars, their experience at restaurants, clothes, just about other aspect of life. But talk positively about something somebody disagrees with and suddenly you’re labeled a company shill (which I don’t believe was your intent but comes danger close). As a business man, happy customers are the cornerstone of growing a business. I would greatly caution against confusing FUD with valid skepticism such as yours. FUD is not based on facts but a series of “what if” and “they could” without any solid evidence or validation. After seeing comment after comment and video after video parroting the same terms as a few individuals who kicked off this ridiculousness it is easy to see that this is not a coordinated attack against Bambu Labs but a fashionable posture to gain acceptance or worse yet, clicks. There are valid concerns and skepticism that can only be proofed out by waiting and seeing what happens. Taking a posture of promoting yourself (not you specifically) while stealing someone else’s joy is not the good play. As I mentioned in the video, this is a beta release. Having been a participant in more beta release than I can count (or at my age possibly remember), it is a rare occurrence that the final release is exactly like the beta, especially early beta. I anticipate Bambu Labs will correct and possibly expand in positive ways this release. All the evidence I have come across shows they truly care about their customer base and their experience with Bambu Labs systems. As far as larger VC backed startups, I actually worked for one. Swore I’d never work for another startup again. But probably not for reasons you would think. I have worked for businesses that were pushed out by suppliers who saw an opportunity to compete. I have also worked for two businesses that ran themselves out of business with unethical business practices and poor partnership decisions. (I left both before they went bankrupt when I saw what was going on). I’ve also seen and been professionally affected when companies I worked with were bought out by holding companies, etc. I’ve also worked for and owned extremely successful businesses and organizations. Lessons learned from all these experiences shape all my opinions and decisions. Thank you agin for your engaging post. I really enjoyed it and you gave me some take aways.
hmm, my cheapish Creality LAN printing is superfast even with 30M+ prints. Not sure why I would need cloud for that at all. And I am a new to 3d printing user, worked out of the box, without any call to Creality cloud, or needing Internet access at all. No issues with camera either.
Thanks for the video, good perspective. New 3D printer user here, received my P1S mid Jan. I have been around IT pros for years, but do not consider myself a IT professional. I followed most of what you said and appreciate your feedback on this issue. I am not an engineer and have no concerns with Bambu "seeing" what I'm printing or "stealing" my print ideas. I do have a question that I don't see addressed much with Bambu. Do you have any concerns or do you think there are other "holes" or "backdoor" in the software that could allow Bambu to access other areas of a computer or network? For example would you have any concern with being logged into Markers World and Bambu Studio and having them open and printing models from a computer that you are actively using for your bill paying or banking?
Thanks for asking. This a concern for pretty much every computer owner and operator with any program they run. I apologize in advance for the lengthy reply…. Just about every commercial software vendor adheres to certain rules governed by the intended Operating System publisher. In the case of Apple and even Windows to a certain extent, the application must be signed in order to run. Up until recently with maOS, the end user could bypass the warning and run the software. Why is this important? To demonstrate, open up a web browser like Chrome and look at Activity Monitor (macOS) or Task Manager (Windows), sort by name and look at the Chrome tasks. Each tab open in Chrome is a child to the main (Chrome) task. This demonstrates that each tab is operating in its own memory space and cannot interact with other tabs except through the main Chrome task. Even then, it’s limited by what the OS will allow. Bambu Studio operates in its own memory space as required by the OS. Breaking out of that memory space to access other non-related process is not allowed. This is the reason apps are signed by the OS publisher. Casually browsing MakerWorld or downloading a model into Bambu Studio will not give the app rights to other processes or data on the computer. Granted, these memory protection schemes are not fool proof, but it is a good first line of defense implemented by the OS publishers. Some even encrypt the data stored in memory so that if a process can break out into another apps memory space, only encrypted data is accessed. I believe various flavors of Linux have that as an option. But much depends on the hardware, bios, firmware, and other capabilities outside the control of the OS publisher. Which is why newer versions of Windows can require newer hardware to run securely. Another recommendation is to not log into your computer and run applications (especially those you suspect of malfeasance) with an account that has admin right (root). Keep that account separate from day to day operations and use it only to authenticate trusted processes (like signed application installs). Thanks for hanging in this far, but for me, I do not have a concern that Bambu Studio will attempt to steal my data or other login information. But, this gives me an idea for another video on another channel I’m starting. Thanks!
@@wolftraxlife Thanks for the detailed response. I appreciate it. Now I have to bone up on whether or not I'm logged into anything that as admin rights. LoL
Universities are buying the X1E because it can run completely offline and has hardware switches for the ethernet and WIFI connections so you can completely disconnect them. Plus it has several other upgrades over the X1C and lower printers.
I have been in envy of those who could afford an X1E or a Prusa XL with 5 print heads. The ethernet connection is something sorely missing from 3d printers these days. That would be one of my top wish list items. I would love to not have to keep creating subnets and SSIDs to segment traffic on my home network. Well.. mostly more SSIDs. It's getting crowded.
No IT professional spends any time in their work-a-day life looking for excellent man-in-the-middle software to install in their intranet. Good IT pros do all they can to prevent uncommanded connections between their internal assets and external processes. Your complete acceptance of BL's "...Truth..." statement means you have given over your security processes to an external entity that is under fire for deceptive practices, post-sale TOS changes, and who wish to install MITM software inside your network. I can only surmize your claim of being an IT profession is this is not the first time you've comprised your network and need to have your work audited. In lore this is equivalent to hiring "Foxes R Us" to guard your hen house. As for fear, uncertainty, and doubt you've added absurdity.
Wow!! A personal attack. Sooooo unexpected. Actually, statistically you're probably right on time. Predictable and unoriginal. This should make for an interesting TH-cam metric.
@ nothing personal at all. Seems like the new norm has been everyone is compromised and I respect the hustle. Bambu success has gotten to their heads in my opinion. There customer service went from top notch to worst then creality in my opinion through my experiences with them. The fact that they can brick your unit until you update is not cool. I recently had an issue with doing an update that made my unit inoperable and when I reached out I had to change a board inside. Not covered by warranty I know I’m not alone in this. However the left a bad taste in my mouth between that and the tape they use on the end of their filament spools damaged my ams. I used to think very highly of them until these issues happened. It’s ok tho my side hustle has been growing and growing and more printers are needed. Instead of buying more of there units I went elsewhere. They put the last nail in the coffin for me.
As mentioned in the video, efforts to improve security are a good thing. This is a beta attempt. I do expect better results in the future. This could also be an utter failure and Bambu Labs abandons the efforts all together. Again, a beta effort. Much remains to be seen. The emphasis of this video is not the quality of the what Bambu Labs is doing but the effect FUD and exaggeration have on people just beginning to explore this wonderful hobby.
@wolftraxlife I just don't know how you can't read between the lines. Its not like other printing companies haven't headed down a more walled garden approach in the past. Profit. Thing is the community punishes them, and they go way down in market share.
From one IT/OT person to another IT person, i have to respectfully disagree with your evaluation and for taking Bambu Labs words at face value.. There is nothing, if not minimal, security added by this new firmware, which by the way has already had its encryption key compromised and leaked 24hrs after its release to beta. MQTT is an extremely common OT communication protocol with moderate to good security depending on its implementation (opinion varies if you're an IT guy or an OT guy) but, FTP is as insecure as they come, which arguably, is fine on a SOHO LAN but not a corp. network. Just the fact that your print job has to go out the WAN to BBL servers and then come back down the WAN to your printer is a questionable practice along with allowing unfettered internet access to the printer in the first place. Just that practice alone was the first thing that made my cringe and move to LAN mode, i'd rather send my print data over my secure wireless (i'd prefer ethernet solution) then over the internet to BBL servers.
LAN Mode is not hard to set up and use, and i agree using the cloud is definitely faster, easier and more convenient especially for new users. What i want to know is why can Bambu slicer send data to the cloud at line speed but can only send data over wireless at a paltry 2MB/s to a PS1, a little faster to the X1C using the SAME wireless. Now i am not the avg user and i don't use SOHO hardware for my network and i am well versed in wireless technologies pros and cons, especially cause the printers use wifi 4 1x1, 20yr old technology but at least they use WPA2. Again, I'd get it if they nerfed local wireless transfer to make sending data up the WAN faster and the preferred choice, no complaints there just curiosity.
Additionally, Why does BBL need to see my data? Is it not enough that they know what i am printing but i have to send my files to them too?? I won't even touch on the tinfoil hat stuff about all the negative press about Chinese hacking US assets and them "Profiling" US citizen's, but anyone who is a gamer why companies region lock games.
Printers are an OT device just like any other and IT (and OT) best practice is to secure OT Devices from the internet. I treat printers like IP cams and smart home devices, behind a firewall, on a seperate vlan and no access to internet or internal vlans except for me VPN'ing in if i want to view or access my OT/IOT network. Alexa is an OT product that requires internet work (which i will never use, sorry Jeff, my data is mine), just like these printers, and if you want all their capability and the Handy app, great, off it goes on an IOT network with no access to my internal networks, or in BBL printers case, i block them from internet access period, and use LAN mode. Way more secure than trusting BBL to protect me.
I respect your view and i don't wear a tinfoil hat but, i would not, and do not, take BBL blog post statements as the truth and i guarantee there is an ulterior motive to this security upgrade. They claim their servers were attacked, well that is their IT problem not ours, our printers were not attacked because you have to authenticate your install of BBL Studio to your printer and LAN Mode requires punching in the unique and changeable Access Code into the slicer to use the printer. Plus, there are way better and less inconvenient ways they could approach security if they truly wanted to. I am not convinced.
There is a lot a crazy talk about this topic and i give you a lot of respect for taking a stance and sharing your opinion. The internet is full of speculation but as and IT/OT security guy i am saying their upgrade doesn't effectively solve any problem (other than 3rd party's getting a piece of their pie) but, it does appear to be the first step in further closing off their ecosystem. Which is fine, for any future products, that's their choice and people will respect it, but don't do it to existing products and don't do it under the guise of security. That i believe is the stinger in the community, they feel lied to and a lack of transparency; which is why so many people flocked to open source products. Bambu caught the world by storm with an exceptional product and may be a victim of their own success but shitification of a product is the best way to watch revenue tank. Again, much respect for your opinion, i'd hope you'd respect mine. I also hope that you are correct and that they will refine their iteration of the beta firmware and they find a better way to achieve security without breaking 3rd party integration.
The kicker is that it's running 800mb of ram running Chromium... Electron is not the framework to run, to make something more secure.
This is cool! Although in a different context and forum, you would find we don’t disagree on much of what you written and the way you feel. As this video’s intended audience most likely does not have the level of experience and insight as you and I, we made the decision to keep it at a higher level. As to whether a 3D printer and Alexa Echo is an OT might be debatable (maybe on another video comments thread) we do agree on network security and isolating devices that may be suspect. All of my IoT networks, both professionally and at home are segmented and secured. That’s just a reasonable practice for what we do. For most non IT oriented people, it’s a different landscape. While you and I see the benefit to justify the cost of advanced networking equipment to achieve the topologies to provide the best possible security, most of the general population do not have those resources nor the training necessary to utilize them.
As to accepting Bambu Labs statement as the truth, that remains to be seen. Guarantees at this point are disingenuous at best. Years ago I would be in total agreement but old age and serious introspection has revealed certain truths about how wrong I could be in my hard line stance as well as the unintended impacts and consequences they could bring. I came to the realization I have to decide what is truly important and what is not. Given that our important personal information (PI) as well as health information is already out in the wild due to so many corporations and our own governments are giving it away to hackers, etc. Even Ford and GM have been selling our cars telemetry data to Insurance companies. These are of greater concern than whether a third party knows what I have been printing. I’m sure you watch the CISA announcements about vulnerabilities found and patched in control systems, the very ones that supply our critical utilities.
As far as efforts in securing our printers, I do believe Bambu is trying. It may not be great but it is a step in the right direction. If they didn’t care they wouldn’t be bothering. The current lack of security would give them everything they needed to do something nefarious.
So where does this all lead in my opinion of what’s going on? As pointed out in the video, Bambu Labs, at this point is still providing resources to users such as spare parts at reasonable cost and a hardware system that is simple enough that a novice can repair consumable parts. This is not the behavior of a company that wants to destroy itself. Could they change? Sure. But at the moment that does not look like the case.
The nature of suspicion has been seeded in our society for decades and while sometimes necessary has reached a point where it is unhealthy. People should not be intimidated by unvalidated hype and “what if” scenarios to the point where they are missing out on the important moments in life. To be able to enjoy the new discoveries of life that bring real joy without being brow beaten into a singular mode of group think is the point of the video.
As far as choosing what Is and what isn’t important enough to get worked up about? That’s up to each person and no one who is an adult of reasonable ability should let another person make that decision for them. (I qualify that because I have been the health care representative for close relatives who were incapable of making their own decisions. The things we learn as we live life.) For me, I’ve learned to relax and concentrate on what truly matters.
I applaud your networking prowess and care in your application of your knowledge and skills. I am also deeply grateful for your respect.
if you've been in IT engineering for 30 years, surely you know about a number of better methods of secure communication than "bambu connect"? like the ones Google, Meta, Microsoft, Github and others use without requiring weird 3rd party proxy to be installed on your computer.
Yes, there are a variety of ways to secure communication from simple challenge/response schemes to crypto card type authorization to MFA like DUO, MS and Google Auth apps. But these are not at the device level, but at the user level of access for email, storage, general web apps., etc. And many of the higher level user level apps (Office 365 for example) are offering and starting to require MFA (Multi Factor Authentication).
There are other behind the scenes means of securing communications at the device level. As far as how Bambu Labs decides to implement these is up to them and their engineers. I’m not really here to do the job for them nor was that the intent of the video.
But, I’m really glad you asked the question. I can respond with a method that might help explain the route Bambu Labs has taken based on certain assumptions. Again, this is based on assumptions without having intimate knowledge of the inner workings of Bambu Labs systems and is somewhat theoretical in nature.
In the past I’ve use reverse proxies via NGINX to help secure data paths from Kafka ingest processes. I apologize if this seems super technical. Basically, the reverse proxy sits in front of the http (web based) service and routes the traffic according to the IP address of the sender or the URL the sender is trying to access. This is very basic security and not the whole of the system but it’s at the root of how the data is processed from the sender computer to the host. This is good if the sender you want to allow knows the URL, port, keys, etc. of the destination. Bambu Labs cannot allow every IP on the planet to pass through a system like this (if that’s what they’re doing).
As Bambu Labs is the software and hardware developer, they can implement this relatively seamlessly on their software and hardware.
But what about other software they do not develop but want to allow to access their system?
The option is to have another process on the local machine, similar to a vpn client, that can translate general requests and add the appropriate keys to the door in the cloud. Orca Slicer, for example is meant to be a general slicer compatible at the hardware level with a variety of 3D printers. A general rule of thumb in security is the more general a program is, the more bugs, flaw, and security risks it MAY have and also limited functionality. BTW, I use Orca Slicer for some operations and trust it. A proxy app between Orca and the cloud makes sense for those who want to use Orca Slicer and still want to benefit from some of the cloud operations offered by Bambu.
Again, this is somewhat theoretical and maybe a bit simplistic for some and too technical for others, but this is my perspective on what’s going on from a technical point of view.
This will make a great video for another channel I'm starting.
@@wolftraxlife Bambu's existing "old" mechanism already does MFA (you need the 2nd factor of the access code from the device itself)
I wouldn't call that MFA. It's more of a device registration linking the device to your account. It's similar to having a license plate that shows that you own the car with local authorities but does nothing to prevent your car from being stolen.
@ It's literally the definition of 2FA, something you know and something you have...
3rd party slicers Will not be allowed to "become compatible", please see the post from SoftFever themselves. They were told in simple terms to "pound sand".
Actually, SoftFever, for now, has rejected the Bambu Connect offering from Bambu Labs. Which is not Bambu Labs telling him to "pound sand". This current stance is SoftFever's choice. This is how negotiations work. Essentially, SoftFever is throwing the ball back into Bambu Labs court. To definitively say "will not be allowed" is a fallacy, especially in light of his sincere request that Bambu Labs reconsider. This is a wait and see situation. Not really the point of the video, either. Disagreements between publishers and developers is nothing new. Disappointing, yes. Startling, no. Are we hopeful for a happy conclusion? Absolutely. Your tone and wording add nothing but noise.
@@wolftraxlife "rejecting the offer" is "whitewashing" it. Would you be ok having to launch an HP application to print a Word document on your HP Printer? (Those are Jeff Geerlings words, not mine.)
As a maker for almost 30 years I can assure you that you’re missing the point. This is not about security regardless of what BL says. If you don’t believe me, ask XYZ Inc. why they went out of business. It’s the definition of insanity. Does BL think they’re going to get a different result for the EXACT same thing that put XYZ and many other companies before them out of business? I sure hope they’re not that stupid. We as makers don’t want restrictions on anything. We want to modify and tinker every last nut and bolt we can get our hands on. Taking that ability away from us in the name of security is an economic death sentence even if your security concern is genuine. For us, full control of what we paid for outweighs the negligible risk of someone hijacking my machine to print themselves a benchy.
I think you missed the point of the video. It's meant for the new Bambu Labs Printer owner and how to navigate through the FUD. I've been a businessman longer than I have been in IT and have owned more than a couple of successful companies. Clairvoyance is not within anyone's realm to accurately predict the future so neither you nor anyone else can assure me of anything.
What XYZ did is completely different from what Bambu Labs is doing right now. Bambu Labs printers and eco system was not designed for you to take apart and remake in your own image, nor was that claim ever made. There are plenty of other systems that let you do that. Choose one of those if you desire. To claim Bambu Lab's printers as part of the Tinker realm is a fallacy.
You are also confusing Makers with Tinkerers believing they can only be one and the same. You may be doing both in combination since they are not mutually exclusive nor entirely dependent on each other. I salute your dedication to the Tinkerer side of 3d Printing as indicated at the beginning of the video. I believe I referred to you and your fellow Tinkerers as giants.
Bambu Labs has brought a new dimension to the 3d printing world with ease of use in every aspect and it has changed the world. You may not like the change. I get that. I have seen this argument so many times over and over again when a small community believes they have exclusivity to a certain idea, or process, or whatever. When someone comes along and brings innovation that opens opportunities for everyone to participate, rage ensues as if the original community has been insulted. All of your efforts in 3D printing have not been in vain. People like you are largely responsible for helping to make 3D printing accessible for so many others who would be driven away by the cost in time and lack of expertise. As I mentioned in the video, you have my gratitude and thanks.
Well said.. im one of those who would not be in this hobby if I had to spend the time "tinkering" with my 3d printer... unfortunately due to my life I only have a small amount of time available for hobbies... and bambu has opened up 3d printing to be one of those hobbies. I have fallen in love and addiction and am already planning my 2nd printer after 4 weeks of owning my first...
A user like me doesn't care if im locked into bambu products, but I do understand why certain use cases are getting upset... on that end, just keep using the company it's you have used for 20 years, they are innovating at a rapid pace because of the change bambu has brought to the community, and my next printer may not be a bambu printer.. but it will certainly be a printer that I can "just use" and not constantly work on..
@ we can agree to disagree. Twenty years in law enforcement has made me skeptical of a lot of things and I’m certainly calling BS on BL. I sincerely hope I’m wrong and you’re right but I just can’t believe the decisions of a Chinese company operating under the CCP are genuinely for the benefit of the consumer.
@ I certainly understand most people want a plug and play worry free device but that’s not realistic. The inherent nature of 3D printing is going to require a fair amount of tinkering and maintenance to keep them running well. Many parts are wear and tear regardless of brand and BL doesn’t seem to want to play nice with neither their hardware or software. Welcome to the amazing world of 3D printing but buyer beware.
We certainly can disagree. And it's great! Your experience in law enforcement is the bias on which you make decisions and I gather that it has served you well. Skepticism is healthy unless that is all you use, though. Available evidence as fact is also a factor in decision making. Proper investigation and research are required to make a quality conclusion. I'm guessing many Fisker owners are wishing they had all the facts about the company founder before buying one. Thanks for the comment!
How much is bambulab paying you?
uhhhh if you're being held hostage by a bambu and forced to make this vid, blink twice... or just continue not blinking... one of those i guess...
(in my best Obi Wan impression). This is not the video you are looking for.
@@wolftraxlife See as you may have guessed i'm not all that comfortable taking carefully worded Bambu Lab statements at face value when what they're doing is replacing a flawed security concept, by a security concept which has all the same flaws and then some, but now with artificial limitations, it just doesn't quite vibe as a genuine security proposal to me. And it's sort of difficult to suggest that they don't know what they're doing, i mean you have seen their engineering, it's top notch, it's not some uncle and a couple college friends, they've got resources behind them. Guaranteed, top security experts are at the distance of a phonecall for them. And given the wide userbase including early adopter type cohort, there's some of this same top level expertise found in the halo user group as well. Which is exactly why community is eyeing the changes with suspicion.
And as an IT professional, you're bound to be seeing the fundamental issue as well, right? That you cannot securely hide encryption keys in a client application, that no client on the Internet can ever be trusted. And i'm sure you could come up with a better concept, for example, you can assume you trust the company's own infrastructure, and that you can lend a temporary limited token of trust from the machine itself pertaining to things that happen on this machine, in the sense that if an enduser modified the machine to do something it's not supposed to do, well the outcome is their own problem. But you can't just trust a PC application no matter if it's called Bambu Studio or Bambu Connect or something else, because you can assume up front that an impostor exists.
You say you're not there to do the company's work for them which is fair, and yet you are happy enough to reproduce and amplify their PR.
I also think the use of term "FUD" is completely misplaced since that implies a targeted campaign, and while i'm sure several competitors are eyeing what's happening with a hint of glee, this is entirely Bambu's own doing.
And as a business person, you're also likely to have a scope of how larger VC backed startups operate, right? I'd be half surprised if you were never pushed out of business by one, or didn't have that happen to one of your mates.
I actually think security is going to be vital for this market sector, and that people shouldn't be expected to handle their own security on a mass market machine like this, and that an actual security architecture is needed, not security theatre. And i also have a suspicion that other companies are going to stay oblivious to this as well.
@SianaGearz It’s awesome that you engaged. As I’ve opened the door to traverse this Rabbit Hole, might at well see where it goes. Thank you. First let’s look at where we agree. I can understand why Bambu Labs is taking this approach in a beta release. But also agree that it is not great approach in its implementation. We also agree that this market segment is in dire need of better security as in my view, it’s not going to slow down. At least in terms of cloud integration. More manufacturers are seeing the benefit of expanding their customer base beyond the DIY and Tinker space. You are also correct in the assessment of using the X1C as the test platform for this beta release. Also, application trust is crucial no matter what the application is or who the developed it.
Where we disagree
Am I happy with my Bambu Lab experience. Yes. It opened the door for me to easily access 3d printing. Am I happy to share my experience about it. Absolutely. Being happy about a purchase and telling other people about it isn’t PR. People talk positively about their cars, their experience at restaurants, clothes, just about other aspect of life. But talk positively about something somebody disagrees with and suddenly you’re labeled a company shill (which I don’t believe was your intent but comes danger close). As a business man, happy customers are the cornerstone of growing a business.
I would greatly caution against confusing FUD with valid skepticism such as yours. FUD is not based on facts but a series of “what if” and “they could” without any solid evidence or validation. After seeing comment after comment and video after video parroting the same terms as a few individuals who kicked off this ridiculousness it is easy to see that this is not a coordinated attack against Bambu Labs but a fashionable posture to gain acceptance or worse yet, clicks. There are valid concerns and skepticism that can only be proofed out by waiting and seeing what happens. Taking a posture of promoting yourself (not you specifically) while stealing someone else’s joy is not the good play.
As I mentioned in the video, this is a beta release. Having been a participant in more beta release than I can count (or at my age possibly remember), it is a rare occurrence that the final release is exactly like the beta, especially early beta. I anticipate Bambu Labs will correct and possibly expand in positive ways this release. All the evidence I have come across shows they truly care about their customer base and their experience with Bambu Labs systems.
As far as larger VC backed startups, I actually worked for one. Swore I’d never work for another startup again. But probably not for reasons you would think. I have worked for businesses that were pushed out by suppliers who saw an opportunity to compete. I have also worked for two businesses that ran themselves out of business with unethical business practices and poor partnership decisions. (I left both before they went bankrupt when I saw what was going on). I’ve also seen and been professionally affected when companies I worked with were bought out by holding companies, etc. I’ve also worked for and owned extremely successful businesses and organizations. Lessons learned from all these experiences shape all my opinions and decisions.
Thank you agin for your engaging post. I really enjoyed it and you gave me some take aways.
Keep calm and bambu on... brother ive seen so much bs about this bambu stuff and.. your advice is the most real ive seen. Thank you so much.
You're welcome!
hmm, my cheapish Creality LAN printing is superfast even with 30M+ prints. Not sure why I would need cloud for that at all. And I am a new to 3d printing user, worked out of the box, without any call to Creality cloud, or needing Internet access at all. No issues with camera either.
Congratulations! I'm glad you're enjoying your experience. Happy printing!
Thanks for the video, good perspective. New 3D printer user here, received my P1S mid Jan.
I have been around IT pros for years, but do not consider myself a IT professional. I followed most of what you said and appreciate your feedback on this issue. I am not an engineer and have no concerns with Bambu "seeing" what I'm printing or "stealing" my print ideas. I do have a question that I don't see addressed much with Bambu.
Do you have any concerns or do you think there are other "holes" or "backdoor" in the software that could allow Bambu to access other areas of a computer or network? For example would you have any concern with being logged into Markers World and Bambu Studio and having them open and printing models from a computer that you are actively using for your bill paying or banking?
Thanks for asking. This a concern for pretty much every computer owner and operator with any program they run. I apologize in advance for the lengthy reply….
Just about every commercial software vendor adheres to certain rules governed by the intended Operating System publisher. In the case of Apple and even Windows to a certain extent, the application must be signed in order to run. Up until recently with maOS, the end user could bypass the warning and run the software. Why is this important? To demonstrate, open up a web browser like Chrome and look at Activity Monitor (macOS) or Task Manager (Windows), sort by name and look at the Chrome tasks. Each tab open in Chrome is a child to the main (Chrome) task. This demonstrates that each tab is operating in its own memory space and cannot interact with other tabs except through the main Chrome task. Even then, it’s limited by what the OS will allow.
Bambu Studio operates in its own memory space as required by the OS. Breaking out of that memory space to access other non-related process is not allowed. This is the reason apps are signed by the OS publisher. Casually browsing MakerWorld or downloading a model into Bambu Studio will not give the app rights to other processes or data on the computer.
Granted, these memory protection schemes are not fool proof, but it is a good first line of defense implemented by the OS publishers. Some even encrypt the data stored in memory so that if a process can break out into another apps memory space, only encrypted data is accessed. I believe various flavors of Linux have that as an option. But much depends on the hardware, bios, firmware, and other capabilities outside the control of the OS publisher. Which is why newer versions of Windows can require newer hardware to run securely.
Another recommendation is to not log into your computer and run applications (especially those you suspect of malfeasance) with an account that has admin right (root). Keep that account separate from day to day operations and use it only to authenticate trusted processes (like signed application installs).
Thanks for hanging in this far, but for me, I do not have a concern that Bambu Studio will attempt to steal my data or other login information. But, this gives me an idea for another video on another channel I’m starting. Thanks!
@@wolftraxlife Thanks for the detailed response. I appreciate it. Now I have to bone up on whether or not I'm logged into anything that as admin rights. LoL
Universities are buying the X1E because it can run completely offline and has hardware switches for the ethernet and WIFI connections so you can completely disconnect them. Plus it has several other upgrades over the X1C and lower printers.
I have been in envy of those who could afford an X1E or a Prusa XL with 5 print heads.
The ethernet connection is something sorely missing from 3d printers these days. That would be one of my top wish list items. I would love to not have to keep creating subnets and SSIDs to segment traffic on my home network. Well.. mostly more SSIDs. It's getting crowded.
I have both, not worth the extra cost imo.
Thanks for the insight. Something for me to consider.
No IT professional spends any time in their work-a-day life looking for excellent man-in-the-middle software to install in their intranet. Good IT pros do all they can to prevent uncommanded connections between their internal assets and external processes. Your complete acceptance of BL's "...Truth..." statement means you have given over your security processes to an external entity that is under fire for deceptive practices, post-sale TOS changes, and who wish to install MITM software inside your network. I can only surmize your claim of being an IT profession is this is not the first time you've comprised your network and need to have your work audited. In lore this is equivalent to hiring "Foxes R Us" to guard your hen house. As for fear, uncertainty, and doubt you've added absurdity.
Change the tos after I buy anything, and I don't like it. Making it seem ok is pure glaze. This was shady by bambu 100%.
Must Be sponsored I mean gifted by Bambu . Screw them. Best option with Bambu is never update slicer less issues.
Wow!! A personal attack. Sooooo unexpected. Actually, statistically you're probably right on time. Predictable and unoriginal. This should make for an interesting TH-cam metric.
@ nothing personal at all. Seems like the new norm has been everyone is compromised and I respect the hustle. Bambu success has gotten to their heads in my opinion. There customer service went from top notch to worst then creality in my opinion through my experiences with them. The fact that they can brick your unit until you update is not cool. I recently had an issue with doing an update that made my unit inoperable and when I reached out I had to change a board inside. Not covered by warranty I know I’m not alone in this. However the left a bad taste in my mouth between that and the tape they use on the end of their filament spools damaged my ams. I used to think very highly of them until these issues happened. It’s ok tho my side hustle has been growing and growing and more printers are needed. Instead of buying more of there units I went elsewhere. They put the last nail in the coffin for me.
Is it more secure didn't someone hack it in a day
As mentioned in the video, efforts to improve security are a good thing. This is a beta attempt. I do expect better results in the future. This could also be an utter failure and Bambu Labs abandons the efforts all together. Again, a beta effort. Much remains to be seen. The emphasis of this video is not the quality of the what Bambu Labs is doing but the effect FUD and exaggeration have on people just beginning to explore this wonderful hobby.
@wolftraxlife I just don't know how you can't read between the lines. Its not like other printing companies haven't headed down a more walled garden approach in the past. Profit. Thing is the community punishes them, and they go way down in market share.