Firmware 01.08.05.00 - Authorization Control is here

The surest way to kill a troll is the ignore button. You cannot reason someone out of a stance they did not reason themselves into to begin with.

This firmware is cancer, I keep hoping that they reverse course before it hits the A1. Don’t publicly distribute an unencrypted key, tell me to use it, and then pat me on the back for the whole affair being more secure. Total clown show of software developers’ cyber security knowledge.

7 Likes

He’s still fighting the corner :rofl:

How big was that pay cheque?

3 Likes

Because it realistically doesn’t. How many normie owners of Bambu printers do you think are going to know or care about the Windows Server lifecycle when it doesn’t actually affect or impact them?

Like, I get it: point out that it’s factually not explaining the entire nitty gritty of it, but given the target demographic there is literally no point in you trying to argue that it matters to them. We both know it doesn’t, but if it makes you feel better, take the W. Doesn’t bother me, much like how the server extended support program details don’t bother at least a solid 80% of Bambu’s install base.

Who out there is writing a whole new app from scratch that targets Server 2019 today? Sure, they will continue to maintain and update anything they have that was already released there, but there really isn’t much point building from scratch now for 2019. It working there incidentally is a different matter, but chances are brand new software is more likely to target 2022 as its minimum supported OS.

No, it’s just a statement of fact. I mean, you are free to call it whatever makes you feel better; what you think doesn’t really bother me at the end of the day, and I’ll have forgotten about even writing this reply about 3 minutes after writing it, but you do you.

And like I said, “for the most part”. I mean, I can go start throwing things at my 2022 server if you want, but most of the issues I’ll have will be down to a lack of supported hardware or needing to install missing runtimes. Games won’t currently run on here because I don’t have a dedicated GPU, and some stuff doesn’t run because I haven’t installed the required .NET runtimes.

While there are no doubt some things that won’t want to run on a Server 2022 install, the list of things that do is likely to be far larger, which is why it’s a case of “for the most part” rather than a blanket statement saying all W10 software will run.

1 Like

I’m not updating, there’s nothing in this release that screams “download me”. BL needs to reprioritize their direction of customer service, given the lack of cohesiveness with open-source parts, upgrades, and firmware. X1+ showed a lot of promise on how Bambu would “work” with third parties; now I think that was smoke and mirrors, or a complete reversal of that decision to work with X1+. They can have their closed ecosystem, but third-party slicing will be my choice. The sad thing is I primarily use BL Studio, but I won’t be told what I “must” use after I purchase based upon a set of terms and then they do a 180-degree change on policy. H2D will be a flop; Prusa XL and soon-to-be others that compare to the multi-tool design will remain open-source and cooperative, and BL will go under unless they change their focus and beliefs.

1 Like

There is a standard already - it’s called mTLS + MQTT (and can be further fine-tuned with ACLs or any other standard message authorization & authentication protocol). It’s been used for decade(s) in far more critical systems than 3D printing (chances are that a lot of your utility providers are using it to orchestrate / control their subsystems), so there is zero reason not to use it in this case as well - BL is already 80% there, they just lack the competence to implement it properly (if security is indeed the reason they’re doing this), which they augment with a demonstrably less secure system that only adds more hoops to jump through with zero benefit to the user.

2 Likes

I think it’s not the competence (or not only that) they are missing, rather the will to do it.

1 Like

Just something from another printer company… HP

1 Like

Color me surprised, but this story seems awful familiar to me… Where did I hear about another company doing the very same thing? Ah, I think I remember about a Chinese company, with a similar security firmware patch and exactly the same consequences… What was it called?.. Oh, yeah. It was Bambulab… What were they claiming?

This step is a significant security enhancement to ensure only authorized access and operations are permitted.

This change is mitigating any risk of remote hacks or printer exposure issues that have happened in the past and also lowers the risk of abnormal traffic or attacks.

Very familiar indeed. Actually, one could say both companies used the same “user security” argument… only that, from the article, it follows that the invoked justification wouldn’t hold in court, and consequently it didn’t work out that well for HP…

4 Likes

Thank you, I did not know this.

Maybe, just maybe, Bambu software developers didn’t know about it either. Hopefully they might be enlightened with this information.

1 Like

Based on the Verge article with the Q&A with Bambu’s spokesperson

I’d wager “nope”. But I hope they do reconsider…

1 Like

They already use MQTT for intra-LAN comms (not sure what they use to talk with the cloud, all my printers operate in a strict local-only mode), they’re already doing message authorization, so the chances that they haven’t heard of (m)TLS+MQTT and ACLs are virtually zero - the only thing missing from their system is certificate/PKI handling. Whether they invested the time to properly grasp and implement the topic (no pun intended) is a different story - they obviously didn’t, given the hilariously amateurish way they’re attempting to do it using the Bambu Connect middleware.

The real problem here, security-wise, is not preventing some rogue process or threat actor from gaining control over your printer - even with their half-implemented message auth solution, without the auth code (which you can only obtain with physical access to their printers) you can’t send any commands to it. The status messages are on an open topic, but there’s nothing really stopping them from applying basic ACLs to that as well if it’s considered ‘sensitive’.

No, the problem is not local security at all - it’s good enough as it is and, paradoxically, it’s actually getting worse with the way they’re attempting to do it. The real problem is how to tie in their cloud/MakerWorld operation in the mix as this is the integral part of their business strategy.

How do you guarantee that people are not skirting the system to earn points by creating a model, and then pretending to print it (i.e., tell your cloud they’re printing it but they block the commands to the printer locally)? But of course, by ensuring that everything their printers print goes through their cloud so it’s counted only after it’s sent to the printer and proper status callbacks are observed (the benefit of being able to spy on your users and what they’re printing is a bonus). But that means that BL needs to pay for bandwidth and at least some temporary storage for every single print on their printers + status back-logging + other comms, which means recurring cloud costs for a finite sale. That would be all fine and dandy if there were subscription fees to cover that, but there aren’t so, unless you involve yourself in some shady planned obsolescence, sooner or later you’re running out of business.

So - how do you ensure that you have your cake and eat it too? But of course, local authorization - the cloud implicitly trusts a local agent to act on its behalf which can then (not yet, but maybe in the next step) utilize fully local comms to save the cloud bandwidth, saving BL money without compromising their MakerWorld strategy or product feature offering (mainly, the Handy app). But how do you trust the local agent - of course, by providing the local agent and ensuring that the only way to talk with the cloud (and printers) goes through it. The added benefit of gaining a full control over the ecosystem goes without saying (and that’s where the conspiracy theories start).

This is where things fall apart a bit, as their implementation of all of this is comically bad, but I’d bet you that was the idea behind it. Could they have done it using widely used standards without introducing a BL-controlled funnel as the only means of using their printers? Absolutely. Why didn’t they? Well, their representative wasn’t clear on the details when talking to the Verge - the charitable explanation is that they simply lacked the competence and estimated that it would take too much effort. There are many, many far less charitable takes as to why they did it the way they did… But one thing I’m certain of: there is no way their team didn’t know of standardized ways of securing IoT comms via MQTT.

3 Likes
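The mTLS + MQTT post earlier in the thread and the reply above both describe the same standard setup: each client authenticates with its own certificate, the broker uses that certificate’s identity as the MQTT username, and a topic ACL decides what each identity may publish or subscribe to (so the status topic does not have to stay open). The following is an added example, not Bambu Lab’s code and not from either poster, that models exactly that authorization step in Python. It uses the syntax of a Mosquitto acl_file as the rule format and assumes the broker options quoted in the docstring (these are real Mosquitto settings; the file paths are hypothetical). The client names (printer-A, slicer-laptop, dashboard) and the device/<cn>/request and device/<cn>/report topic layout are made up for the example.

```python
"""Topic authorization for an MQTT broker fronting 3D printers, modelled on
what Mosquitto enforces once mTLS has pinned each client's identity.

Added example, not Bambu Lab's code and not from the forum post. It assumes
a Mosquitto broker configured roughly as (real option names, hypothetical paths):

    listener 8883
    cafile   /etc/mosquitto/ca.crt
    certfile /etc/mosquitto/broker.crt
    keyfile  /etc/mosquitto/broker.key
    require_certificate true        # client must present a cert chained to cafile
    use_identity_as_username true   # the cert's subject CN becomes the MQTT username
    allow_anonymous false
    acl_file /etc/mosquitto/acl

so "username" below is a certificate CN, not a shared access code.
Client names and the device/<cn>/... topic layout are made up for the example.
"""
from dataclasses import dataclass, field

# Constructed ACL in Mosquitto acl_file syntax. Anything not granted is denied.
ACL_TEXT = """\
# Every printer publishes its own status and reads commands addressed to it.
# %u is replaced by the client's username (its certificate CN).
pattern read  device/%u/request
pattern write device/%u/report

# The slicer on the workshop laptop may command printer-A and watch it.
user slicer-laptop
topic write device/printer-A/request
topic read  device/printer-A/report

# A dashboard gets read-only status for every printer, nothing else.
user dashboard
topic read device/+/report
"""

ACCESS_KINDS = ("read", "write", "readwrite")


@dataclass
class Acl:
    rules: dict = field(default_factory=dict)      # username -> [(access, topic filter)]
    patterns: list = field(default_factory=list)   # (access, filter with %u) applied to everyone


def parse_acl(text: str) -> Acl:
    """Parse the acl_file subset used above: whole-line comments, 'user <name>',
    'topic [access] <filter>' and 'pattern [access] <filter>'."""
    acl = Acl()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' inside a filter is a wildcard, not a comment
            continue
        kind, *rest = line.split()
        if kind == "user":
            current = rest[0]
            continue
        if kind not in ("topic", "pattern"):
            raise ValueError(f"unsupported ACL directive: {line!r}")
        access, filt = rest if len(rest) == 2 else ("readwrite", rest[0])
        if access not in ACCESS_KINDS:
            raise ValueError(f"bad access type in: {line!r}")
        if kind == "pattern":
            acl.patterns.append((access, filt))
        elif current is None:   # anonymous clients are disabled, so this is a config mistake
            raise ValueError(f"'topic' before any 'user' line: {line!r}")
        else:
            acl.rules.setdefault(current, []).append((access, filt))
    return acl


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' (assumed to be
    the last level) matches the remainder, and wildcards never match a leading '$'."""
    if topic.startswith("$") and filt[:1] in ("+", "#"):
        return False
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def is_allowed(acl: Acl, username: str, action: str, topic: str) -> bool:
    """Deny by default: an identity may publish ('write') or subscribe ('read')
    only where one of its own rules, or a pattern, grants that access."""
    if action not in ("read", "write"):
        raise ValueError(action)
    candidates = list(acl.rules.get(username, []))
    candidates += [(a, f.replace("%u", username)) for a, f in acl.patterns]
    return any(a in (action, "readwrite") and topic_matches(f, topic) for a, f in candidates)


def demo() -> dict:
    """Decisions worth checking first; keys are (username, action, topic)."""
    acl = parse_acl(ACL_TEXT)
    checks = [
        ("slicer-laptop", "write", "device/printer-A/request"),  # allowed: its own rule
        ("slicer-laptop", "write", "device/printer-B/request"),  # denied: no rule for printer-B
        ("printer-A", "write", "device/printer-A/report"),       # allowed: pattern with %u
        ("printer-A", "write", "device/printer-B/report"),       # denied: cannot spoof another printer
        ("printer-A", "read", "device/printer-A/request"),       # allowed: its own command topic
        ("dashboard", "read", "device/printer-A/report"),        # allowed: '+' wildcard
        ("dashboard", "write", "device/printer-A/request"),      # denied: read-only identity
        ("stranger", "read", "device/printer-A/report"),         # denied: unknown CN, no rules
    ]
    return {c: is_allowed(acl, *c) for c in checks}


if __name__ == "__main__":
    for (who, action, topic), ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {who:14} {action:5} {topic}")
```

The point of the model is the combination: require_certificate plus use_identity_as_username means the username cannot be chosen by the client (it comes from a certificate the CA signed), and the pattern lines then scope every printer to its own request/report topics without a per-device rule. A client that reaches the broker with a valid certificate but an unlisted CN gets nothing, and a printer cannot publish status under another printer’s name.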

I find the fact that BL does not know industry standards a little hard to swallow. 90% of the execs came from a very high quality drone company. Those drones are frontline drones for the military and first responders. I know this because I use them, as a first responder. Drones define industry standard, with the added hurdle of industry regulations. BL is only looking at controlling the access to their “sandbox”.

Yes, Dr. Tao came from DJI along with a gaggle of robotics engineers, but that doesn’t mean they were the chief architects. In Silicon Valley, it’s common for small groups of like-minded engineers to break away from larger companies, either to pursue a vision or escape a stifling environment. However, brilliance in engineering doesn’t equate to market knowledge. Experience matters, and even the most talented robotics engineers may lack business insight.

I’ve often seen exceptionally skilled engineers who have no idea who their competitors are. Those who do develop market awareness often rise to roles like technology architects, tech leads, marketers, or CTOs, while others are content simply solving assigned problems. As a professional marketer, I’ve wrestled with this for decades when working with design teams, quickly assessing who “gets it” and who can execute market goals vs. who can solve “[fill in the blank]”. It’s rare to have someone with both, which is why a good team needs both personalities.

You can easily see the differences in the market approach of DJI vs Bambu. DJI appears to understand their market forces while Dr Tao ignores them. Only time will tell if Tao is Steve Jobs or Steve Wozniak.

If the last few years have taught me anything, it’s that I don’t owe trolls any attention. The ignore button works quite well.

I decided a while back that the simplest form of “be the change you want to see in the world”, is realizing that I don’t have to hear people I’m not interested in hearing from.

They won’t; you’re not part of their target demographic. They are focusing on bringing printing to the masses, and the masses aren’t going to be that bothered.

1 Like

“The masses”, that is the target here. I’m a hobbyist, I don’t mind the “walled garden” approach, I like a nice ecosystem in which things “just work”. This is not the case with Bambu Lab.

I bought the X1C because it was said that “it just works”. It turned out that this only applies to the hardware. It’s marvelous: the print quality out of the box is great regardless of the material, and the AMS is working just fine, simple and effective (especially compared to Prusa’s awful solution).

But… the software is atrocious. The software is full of bugs; my flow (Fusion->3MF/STEP/STL->Bambu Studio->Slice->Print) is riddled with errors like the notorious FTP 4020, etc. And instead of improving quality and developing a nice API to boost adoption of their closed ecosystem, they’re proposing some crapware which has nothing in common with “industry standards” and looks like software written in 1h during some online IT bootcamp.

I wanted to buy the next AMS unit(s) and 1 or 2 A1s, but I won’t. I’ll just use my X1C till it falls apart, and when it comes to buying a new printer Bambu Lab will be the last I look at. With their latest decisions they’ve given their competitors a lot of space. Whether they take advantage of it or not is up to them. Fingers crossed they will.

4 Likes

Can’t say I’ve had any issues. Not sure why you would be getting an FTP error though, as that sounds more connection related. Are you using LAN or cloud mode?

1 Like

I currently use cloud mode because LAN mode doesn’t work, or rather doesn’t work seamlessly.

Take the aforementioned FTP 4020 error as an example (one of many). This is not a problem with connectivity, but with handling .3MF files, including those created by Bambu Studio. The only thing that helps is exporting to .STL, opening a new, empty project, importing and printing again (without saving the project before clicking Print). Funny thing, the most frequently recommended solution was to click Send instead of Print and start printing from the printer panel. To my surprise, people were happy with this solution, because “it’s not a big deal, you’re whining”. To me it sounded like Stockholm syndrome, but anyway, I checked it once and it worked, but going to the printer to start printing is not very LAN-like.

If we assume that Bambu Studio is essentially a customized fork of Prusa Slicer with a proprietary network module added to it, then it turns out that this module is the main software developed by Bambu Lab, and it is of terrible quality.

This whole “authorization control” drama showed two things to current and potential users. One: Bambu Lab is consistently moving towards a closed ecosystem, which doesn’t bother me as long as it’s good and complete. Two: Bambu Lab seriously lacks knowledge in the area of software development, which makes it hard to believe that it will deliver high-quality software to implement such an ecosystem. Seriously, if this Connect ■■■■ is the pinnacle of Bambu Lab’s software development skills then we’re fucked. :smiley:

As I wrote in a previous post, I’ll continue using the X1C because the printer itself and the AMS are great. Probably I will stick with the half-baked LAN Mode; I’ll just accept that “it is what it is”. But I will stop investing in the ecosystem, because of the software. If it doesn’t improve and I’m looking for a new printer, I’ll choose a different brand. It’s that simple.

Maybe even Prusa will finally get their MMS working, in version 12.5 or similar. We’ll see. :slight_smile:

5 Likes

I’ve been using OrcaSlicer with my X1C in LAN-only mode since this authorization mess popped up mid-January. Internet blocked at the router. I had an issue with the printer being “remembered” and had to reconnect in the Device tab before Print/Send would work. Late January, NoisyFox made a change in the nightly beta that fixed the problem.

Since then, no error messages, no prompts to keep entering access codes, the printer is never forgotten. It just works.

You might want to give it a try.

OrcaSlicer V2.3.0 Official Release

4 Likes

Thanks, I will, for sure.

The plan is to switch to LAN Mode + OrcaSlicer, and buy a different brand instead of A1s, just for a test (and fun). I’ll probably pull the trigger on a Qidi Q1 Pro with their AMS, and later on an Elegoo Centauri Carbon, also with their AMS when it becomes available, just because of the price.

What a great hobby. :slight_smile: