Perhaps one of the most fascinating aspects of any developing tech scandal is the way that the target company handles criticism and feedback from the community. After announcing a new authentication scheme for cloud & LAN-based operations a few days ago, Bambu Lab today posted an update that’s supposed to address said criticism and feedback. This follows the original announcement which had the 3D printer community up in arms, and quickly saw the new tool that’s supposed to provide safe and secure communications with Bambu Lab printers ripped apart to extract the security certificate and private key.
In the new blog post, the Bambu Lab spokesperson takes a few paragraphs to get to the point the community is most concerned about: interoperability between tools like OrcaSlicer and Bambu Lab printers. The above graphic is what they envision it will look like, with OrcaSlicer purportedly getting a network plugin that should provide direct access, but for now the Bambu Connect app remains required. It’s also noted that this new firmware is ‘just Beta firmware’.
As the flaming wreck that’s Bambu Lab’s PR efforts keeps hurtling down the highway of public opinion, we’d be remiss to not point out that with the security certificate and private key being easily obtainable from the Bambu Connect Electron app, there is absolutely no point to any of what Bambu Lab is doing.
“with the security certificate and private key being easily obtainable from the Bambu Connect Electron app, there is absolutely no point to any of what Bambu Lab is doing”
Unless what they’re doing is only under the guise of security, and is actually a move to restrict / control interoperability outside of their walled garden.
Regardless of the motive, if anyone can extract the required credentials from the client software they won’t be able to control anything.
Until they start rotating the certificate every month and requiring updates, at which point extracting the certificate every month becomes too much hassle for most people.
There is no way it needs to be designed like this. Secure pairing has been done a dozen times (for example Bluetooth) and is better for security and not dependent on online infrastructure or second apps.
What do you mean? Software will just get its own centralised update system and it won’t be a manual process.
Solution for not depending on a central authority is to create a central authority?
A local central authority, under the user’s control, is fine.
Only need one person to do it, then publish it.
They have a US business presence. They could attempt to use the legal system to enforce punishments against anyone working around their system. That can be seen as a form of control, even if a poor form of it.
Look at how well Nintendo utilizes the legal system to control what they want. Their legal department fully admits the people they sue are breaking no laws, they just limit their lawsuits to people that can’t afford to defend their rights, so they win by default.
In the case of extracting keys, sadly that is illegal since the DMCA added it as a crime.
Not saying Bambu will go that route, but they certainly could, and as shown there are ways they can do it that will work and give them the control they are seeking…
Yup! It’s the height of naivety to believe a corporation’s benign explanations in cases like this. Maybe this will end up being a rare example of an honest miscalculation… but smart money would bet on it being yet more corporate greed.
The United States is an absolute mecca for corporations – the government will make laws to restrict the public’s rights and options, and the public is too fractured to ever support or sustain an effective boycott of greedy, anti-consumer corporate business practices. The truly sad part is that the fracturing of public solidarity is largely instigated by the very same corporate interest that benefits from it, and we fall for it… every… damn… time.
Only for people in the US.
Dunno if it’s illegal for people in the US to use a key extracted elsewhere. Probably is, though.
Or unless what they mean by “beta” is “this is not how it will ultimately function.”
Clearly the current situation doesn’t even accomplish that. On the other hand, if they are feeling regulatory pressure to show some security posture for these printers, a completely broken implementation could be enough to demonstrate an effort to comply. That’s where my gut is going with this.
Yeah, Bambu gets absolutely zero benefit of the doubt here. This is the beginning of them tying and locking the hardware people bought and own to their cloud platform.
As long as good hearted people like Rossmann document it inside their wiki, about anti-consumer changes, the world will know. Rossmann said he will lawyer up, to defend and keep all the information online.
Easy to say. But we all know the person in the courtroom with the biggest wallet usually wins.
Better question is does he have the financial backing to take on a massive company?
As (a fictional version of) Einstein said in the Red Alert intro:
“Time will tell. Sooner or Later. Time will tell.”
If nobody tries to fight companies with their own methods, we won’t even know. Remind me, how is sci-hub still online, if people are so powerless?
It seems completely obvious that they are trying to attack the Panda Touch in an attempt to protect margins on their higher-margin printers, and that they are “security washing” the attempt.
Absolutely. Notice the wording in their PR release, that they mandate that they determine who are ‘legitimate’ developers (which likely means NDAs, and paying them).
Yes and frigging whyyy. I knew the P1S could be modded and still got the X1C as I didn’t want a new hobby of modding a 3D printer. Pretty sure lots of others did the same.
I’m not familiar with their features, how does the Panda Touch undermine the X1C?
The Panda Touch is a product that provides a touch screen for the P1 series of printers – that is the printers that don’t have the full-color touch screen, but have a less expensive dot-matrix display with a 4-way pad.
So basically, people might be buying the P1S and a Panda-Touch instead of an X1 Carbon.
You blew it, Bambu, my next 100 printers will NOT be Bambu brand.
Yeah – I was a pretty ardent defender of BambuLab. I recommended them. I am really happy with my printer – but the way this has gone down, and their doubling down on how the community has “misunderstood” it, and “misinformation is being spread” has pushed me over the edge. I can’t recommend these any more because I don’t feel confident that the printer I recommend can be used the same way I’m using it right now. I’m not even sure that I’ll be able to keep using my printer that I bought the way I’m using it right now.
So no. I’ll have to find a different manufacturer to recommend. But I don’t know who. Prusa is not the shining beacon it once was. The Open source projects like RatRig and Voron are amazing, but certainly not plug-and-play.
Prusa has lost a little luster, but I wouldn’t put them in the same ballpark as this nonsense.
I get the feeling with the Prusa situation that it’s more about long term survival than global dominance. They watched the Chinese firms copy their homework and then try to undercut them with it.
I think Prusa is the way with their new printers but Sovol claims to be supporting Voron with some of their Voron designs.
Sovol did the same thing with the Prusa MK3, they built the SV06 based on it, but they never contributed to it. It’ll be the same with the SV08, they’re just selling a cheaper version but keeping it open source so they don’t have to pay a license.
I hate the “It’s a beta!” excuse being trotted out in response to criticisms of the desired behavior or architecture of something.
Bugs are to be expected; but if it’s a beta, it’s release-level in terms of expressing what you are planning to do and how you are planning to do it.
I’m not part of the 3d printer community.
I personally never wanted (I have lusted for) a Bambu printer cause I have always felt the leather glove around my throat.
They have been hyper aggressive in advertising and it seems like they are taking over YouTube makers, then the “praying they don’t change the deal” nonsense.
Ya know, I got an Ender like 4 years ago for birthday money; it prints, it does ok, I don’t need apps and mandatory updates.
It’s nothing fancy but the 4 projects a year I need it, it’s there.
Guess I just might be building that Voron after all.
This. I avoid the “3D community” that seems fascinated by spending money producing figurines and the like since I’m printing the odd doohickey, thingamajig, and occasionally a whatchamacallit for some project I’m building (and the occasional home repair part).
I curse at Fusion (my lack of regular practice with it), am happy with Cura (or Ender’s slicer derived from it), try not to lose the micro-SD card that I carry eight feet to the printer, and I get it all done. I believe I’m not alone in this by a lot, particularly in the global market.
Ender knows its market, Bambu seems to be drinking the Flavor Aid of some consultancy when they should be considering the lesson of Juicero:
https://www.cnet.com/culture/juicero-is-still-the-greatest-example-of-silicon-valley-stupidity/
You don’t print and paint effigies of Blammo, the Ur-Demon of Highly Corrosive Flatulence? You use it for practical and utilitarian purposes? Shocking!
Me too…
The authz graph is ridiculous. If they only wanted authorization, just generate certs on the printer, show one as a QR code or something on the printer screen or app setup flow and 3rd party integrations and apps must then provide that cert in connection requests. It’s laughable to need any locally running broker software for any of that and the cloud routing just needs to connect the two websockets. But then they can’t intercept your traffic because it’s actually secure.
Wondering if this has to do with their ongoing lawsuit from Stratasys?
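The local pairing design sketched in the comment above (a certificate generated on the printer, its fingerprint shown as a QR code, and clients pinning that fingerprint instead of trusting any vendor-issued key), which is also the "secure pairing like Bluetooth" idea raised earlier in the thread, as an added Go example that is not code from any commenter, from Bambu Lab or from OrcaSlicer. The function names, the constructed serial number and the choice of a hex SHA-256 certificate fingerprint as the QR payload are my assumptions; the client side replaces CA/hostname validation with a fingerprint comparison in `VerifyPeerCertificate`, which is standard Go TLS pinning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// NewPrinterIdentity (hypothetical name) generates, on the printer itself, a fresh P-256
// key and self-signed cert; returns the cert and its fingerprint (the pairing QR payload).
func NewPrinterIdentity(serial string) (tls.Certificate, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, Fingerprint(der), nil
}

// Fingerprint returns hex(SHA-256(DER)); the user scans it once and the client pins it.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedClientConfig trusts exactly one printer: CA/hostname validation is replaced
// (self-signed cert, bare LAN IP) by a comparison against the pinned fingerprint.
func PinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain check off; the pin check below is mandatory
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || Fingerprint(raw[0]) != pin {
				return fmt.Errorf("printer certificate does not match pinned fingerprint")
			}
			return nil
		},
	}
}

func main() {
	cert, pin, err := NewPrinterIdentity("printer-0001") // constructed serial number
	if err != nil {
		panic(err)
	}
	fmt.Println("pairing QR payload:", pin)
	err = PinnedClientConfig(pin).VerifyPeerCertificate(cert.Certificate, nil)
	fmt.Println("pinned client accepts printer:", err == nil)
}
```

Because the private key never leaves the printer, there is nothing in a desktop app to extract; a second printer, or an empty chain, is rejected by the same pin check.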
CFW when?
Beta version meaning the next one will have properly secured certs and keys?
Bambu Lab is like Tesla, Tesla does not make cars to be cars, they make computers with wheels for data scraping at large scale.
Bambu Lab does the same: a computer that prints and scrapes data.
They are data companies that steal your privacy in order to grow.
They could have released an update saying something like:
“We heard the voices from the community about ideas laid out in our beta software and we have decided that this isn’t what our customers want and we will make sure to not implement this”.
They could have gotten more customers if they did that. I was planning on buying a Bambulab.
Was.
That would imply that they have any intention of giving the users what they want. They’re still going to put the fences up around their garden, they just don’t want to spook the customers before they’ve got them trapped.
Was, yeah me too…
I was also looking at a Bambulab printer and I’m now sticking with Creality because of this.
The trust is gone, farewell. May Sonos be with you.
I once bought a squeezebox. Not this one:
https://en.wikipedia.org/wiki/Squeezebox
But:
https://en.wikipedia.org/wiki/Squeezebox_%28network_music_player%29
After I discovered it was not possible to play my own music on it without registering an account, I brought it back for a refund one or two days later. It was one of the many things that pushed me closer to Linux. Later I bought a small SBC with a SATA interface and made an audio box out of it. I guess I’m running Linux exclusively for 12+ years now.
The LMS server (now named something else) was always open source and written in Perl and supported Linux pretty much out of the box. The hardware is just a dumb device.
I suspect part of this is the 3D community likes to eat its own tail every 6 months. For whatever reason, 3D printing attracted that kind of person. You can still print in “LAN” mode, right? And SD card?
That’s the issue. Even a direct LAN connection would now need to go through their authentication server/cloud.
The only way to be ‘off grid’ is with an SD card, like it’s 1999. Which is possible, but less feasible for printer farms with 50+ machines, which is what this change affects the most.
The only reason I was willing to buy Bambu was because of LAN mode. I don’t like cloud-connecting things that are critical to my workflow, and I don’t want my IP (however worthless) flowing through anyone else’s servers when there’s no reason it should need to. I stuck my X1C in a no-internet VLAN and went on with my life. It’s been an excellent printer so far.
As originally proposed, the update would have taken my preferred setup away from me, because LAN mode now required authentication with their servers (WTF?!). As much as they are harping on “security”, it would have made it more vulnerable due to the required path to the internet. And as I said, I don’t want them even seeing my data, so there’s no reason I should have to log in with them to use my printer locally anyway.
This change would have occurred long after I plunked over a grand down on the printer.
I never would have bought it if it didn’t serve my use case, and changing it so that it no longer does after the fact, is flat out unacceptable. Their response has also been very unfortunate IMHO, though part of that could be culturally driven for all I know.
A simple apology and complete rollback and rethink would have been much better from an American cultural perspective, though, IMHO.
I’m not ready to grab a pitchfork yet, but they have put a significant dent in my confidence. The next printer I buy, I will be carefully examining my options. Honestly, the only reason they are still in the running is because I’m using this for business purposes, not as a 3D printing hobby, and I’m not convinced yet that anyone else has a system as reliable and easy to use.
If it was just a hobby, they would be toast for a move like this.
Well, unless the firmware updates bring along some new capability that is one of those “want it, need it, my preciousssss … “, we can just skip updating the firmware, and keep running the machines the way they are now. Basically, just remove the gateway ip from the configurations.
That really doesn’t work for me. I bought it expecting to receive updates for bug fixes and the like; that was part of the deal. Their original proposal would have instead orphaned my printer, leaving it unsupported unless I give up what I bought it for. Newer replacement part requires newer firmware, you say? Sucks to be you.
Having a “workaround” like that one doesn’t make it any more acceptable.
Yeah yeah, no longer ago than yesterday I was attempting this “SD card” workflow; while the printer is not the issue, I had Murphy on my side: SDHCI controller not working, adapter blocked in read-only…
Why not just a freaking ethernet port and a SMB share ? why?!
I was in the process of connecting my new 3D printer (Bambu Lab A1) to the wifi when this happened. Not anymore. I am now reduced to SD card and I cannot use the network and camera feature of the printer.
I am not happy.
This is the third time it happens to me. I was lucky with the whole WD Cloud NAS that I wanted to use on the local network only. I found out it only works online, even for local connections. So I simply hacked the whole thing and blocked internet access. I was one of the lucky few that still had their data when that cloud was hacked and everybody lost the content of their LOCAL disk.
We need to have a database of products that you actually own the stuff when you buy. This way we avoid wasting time in-depth investigating several products before buying.
I seriously considered a Bambu because “they just work” for my next printer but in the end chose a different brand because I wanted to use Klipper firmware. But I was still recommending Bambu to others. Now in addition to the poo-storm mentioned above, I’m seeing accusations that they are making heavy use of AI and that many of their fanboys raving about how great they are and how they “just work” on the forums/groups/sites/pages are actually just bots. I haven’t seen any real evidence yet but my gut instinct says it’s true. And lots of people complaining that they got banned from forums/groups/sites for criticizing Bambu. Plenty of evidence of that, they are posting their ban notices. Needless to say I won’t be recommending Bambu any more.
After looking at many brands, I settled on a Creality K1C. Yes, I know Creality does not have a stellar reputation either. But they make it super simple to install the full mainline release of Klipper, seem to encourage it actually, and do not void your warranty for doing so. It has nearly identical specs to the X1C and is considerably cheaper. And it too “just works” and I have been extremely pleased at just how fast and how well it does. FlashForge and Qidi have potential as well but not easy to put full Klipper on them.
Yeah, as often as I see the “it just works comment” I also see so many pictures of hotends entombed in plastic.
I wonder how long until someone implements their own logic board, firmware and interface, and only re-use the mechanics of the printer.
Already has been done; reference Rossmann’s blog.
Tbh it was more of a surprise that it wasn’t locked down from the start. The whole “it’s easy to use” is generally marketing speak for “you have to bow to your corporate overlords if you want it to work”.
This current thing is probably their strategy to get that sweet vendor lock-in. They made an intentionally hackable app “required”. This way after a small outcry ppl realize it still works the same and shut up. A few months down the line they patch their app to actually be locked down and when ppl complain they tell them to gtfo because their software never claimed to be hackable in that way. Spreads the shitstorm and makes it easier to ignore customers rights.
Bambu products do look better designed, “professional” work. With those design teams comes marketing, with marketing comes “engagement” and KPIs beyond simple device sales. “How is my fancy product doing? Do you have usage data? How are the value added services coming along? Why am I still paying you guys?”
Companies really prefer (insist?) that you rent their services rather than own a products.
Next, they’ll be adding authentication to their filament or filament “partners” spools and only those will be the ones allowed to run on Bambu Lab printers..
People here are raging pissed (and I would be too if I bought one), but has anybody considered the attack vectors of an insecure 3D printer? The camera could be accessed to get a look at the room it’s in, the wifi key leaked to allow discovery of other vulnerable devices, the printer could be turned into a literal oven (through bypassing the max temp of the nozzle and bed) which has been shown to cause fires, harassing the occupants by sending commands to move at high speed and crash the nozzle or gantry, sending large prints that waste plastic, and probably more vectors I’m not considering. Most of us here would say “that’s why I use Klipper and a VPN tunnel,” but forget that these machines are not targeted to people like you and I. They were sold as worry-free, easy out-of-the-box solutions for professionals looking for a no hassle solution to rapid prototyping in a business use case. They grabbed some of us along the way because we wanted that sweet multicolor.
I talked to some friends who run businesses and they use Bambu machines. They are all for the security. They don’t want hackers screwing with their revenue source. The rest of us should stay in our lane and buy Creality machines or build our Vorons.
Let’s just say you’ve been suspected of copyright infringement; they may issue you 3 warnings to stop. After you’ve been warned, if you continue, they could disable your printer and stop you from uploading on their platform as a punishment.
This update screams future gun control. If they suspect you print guns or even make parts for them, they could easily block you from using your machines.
The government is trying to crack down on TikTok; no doubt they’re going to crack down on the 3D printing community.
The government has been attempting to crack down on the 3D printing community for years now.
And I don’t think it’s a coincidence that this update is being shown to the public right after the TikTok ban.
I believe the TikTok ban was a scare tactic used by the government.
Think about it: how many people thought they could access TikTok with a VPN.
There are other people out there who probably tried other means to gain access, people like program developers, and all attempts failed.
Even though TikTok was only down for 1 day, it showed how powerful the government is to all the developers who thought they might be able to fight.
I believe this message was heard loud and clear by Bambu Lab; this is why they released the beta even though it’s not fully ready for release.
Bambu Lab isn’t dumb; they know when the government starts going after the 3D printing community again they’re going to be the first ones to take the punch, because they’re the most popular 3D printing company out there right now.
In fact Bambu Lab is an example that other companies are trying to follow; for example, we make an AMS, everyone else wants to make an AMS.
Even though multicolor printing isn’t a new thing, companies want to make their AMS the same way Bambu does.
Bambu Lab likes being an example, but they don’t want to be made an example of like TikTok, so they’re taking precautions.
Sounds like they did roll-your-own security instead of hiring someone who knew what they were doing. That alone is a good reason to avoid the company; if they think that’s a good idea, what else do they think is a good idea?
Nice to see an article that tries to take an objective look at the situation. Of course the comment section is filled with conspiracy theories and “but, but, open sores” comments. It’s like people using these things would rather throw themselves on their swords for some imaginary principle than have something that just works.
I wonder how many use Apple products.