People in the EU have been requesting to see what data bambu has taken and what they've done with it. And some users found that bambu has provided their data to 20+ different companies.
@@3DMusketeers It was actually a comment thread on a reddit post from 3dprinting last week how people were saying bambu was sending their data to unknown companies. Likely advertisement marketing or something. But yesterday during nero's live chat..someone in the chat had also mentioned it. It was at 1:07:33 in the live stream.
The new printers all support send data back to Prusa, not sure what data but they are pretty open that it part of what they are using to make printers “smarter”
@@joshuamiller7231 well, if Prusa sticks to open source, I should be able to check the source code and see what exactly they send and where. And as I understand it, the printer functions fine and you can even upgrade it without ever connecting it.
I wonder how this ToS complies with strict data laws like the EU's GDPR Edit: Here, as far as I know, companies must provide all the data to you that they collect from you if you ask for it. Wonder if Bambu does that
I get why you feel like you're shouting at the clouds a bit regarding data security, but I agree with you/think it needs to be talked about. Data security for consumers is death by a thousand cuts. Since the legal protections are often void or lessened with a EULA, its incumbent on users to raise awareness and encourage 'speaking with your wallet', because companies have no moral quandaries about slowly taking more and more from their 'customers/data-mines'.
We have four Bambu X1-C’s. Our Attorneys found stuff in the terms of service, and a work around, they wrote Bambu Labs a letter basically telling them to pound sand on their TOS. They signed the agreement with the demands from our attorneys. I’ll ask our attorney and see if they can legally release the letter and if so I will send you a copy. We are a Military contractor 3D printing firm in Alaska. A lot of what we print is very sensitive.
Yeah.... That doesn't mean they are not collecting your data and informing government with this information. I truly hope these are not connected to any sort of network.
You are dead on point about Privacy! Years ago a company I worked for a company that established an Ip connection for a manufacturing company in China. Months later we found the company trying to access our network facilities. We disconnected from the IP address and put up a new firewall. I have used DJI drones for years and very careful what DJI has access to my data.
Unfortunately most people buying their machine either don’t know about this or simply don’t care. Bambu should be more explicit about this when people register their accounts. I wonder how much of their income comes from selling user data, would be interesting to see statistics on this.
I'm (reasonably) sure that the Bambu engineers intended for the update before printing thing to be entirely related to "we really need to install firmware updates when the printer is not printing." I'm equally sure that the Bambu senior management, legal team, and PRC political officer are happy to have it written such that they reserve the right to brick your machine if they wish to do so, after stealing every bit of IP data they can get their hands on. And honestly, how much can we trust that any China-based company will follow their own TOS anyway? There's no legal recourse for the average person whose data has been compromised and even government-level complaints that get escalated to the WTO get largely ignored. I'm not so worried about Bambu Lab selling our data to random con men or even that worried about them having their own servers infiltrated by individual criminals, I'd be absolutely worried about models being collected via keyword search for Chinese national defense purposes. And yes, you are right - we have plenty of devices in our homes that listen to what we say and do, use that information for targeted ads plus unknown other sundry items, and we tend to also carry them in our pockets and take them everywhere we go. Not having one more device that does this is a good thing.
This is the main thing keeping me from gettin a Bambu printer. And we know that CCP does not holt a good record to be trusted. Especially if every single Chinese company is required by law to cooperate with the government and provide those sensitive data to CCP. Makes you wonder. Tinfoil hat off for a second. Is it possible that TikTok, Bambu, milions of home things from robot vacuum cleaners and cat cameras were designed to pretty much monitor the planet in real time? Tinfoil hat back on. No, they surely wouldn't do this.
These companies have enough data to almost predict the future using history, statistics and live information input. We know Google and Facebook and pre Elon Twitter had/has special relations with the US gov can’t see China not doing the same. The big difference is what the US gov admits to and what the communist Chinese gov openly does.
Yeah no chance the cameras and such we all have are there 100% for good, it is why we dont have cameras inside our house (other than ones we can control for things like filming), and any printers with them are immediately disabled.
I have given you some critique in the past but I love the fact that you are not anti-bamboo but not pro bamboo either. You take a rather objective stance and I really respect that. I would like to see more content for this updated with possible fixes and patches that do not connect to bamboo servers in any way. Orca slicer with third-party patches has been known to work
Erasure (Art. 17 GDPR) Right: You may request us to erase certain of your personal data. For example, you can ask us to erase the personal data: which is no longer needed by us in relation to the purpose for which they were collected or otherwise processed; (So... if they collected it for the purpose of "keeping it forever", they can keep it forever.) In certain situations, Bambu Lab is unable to delete your personal data in responding to your requests, including: when such personal data is still necessary to be processed to achieve the purpose we collected it for; (You mean like... keeping it forever?) Bambu Lab’s interest in using the data overrides your interest in having it deleted (e.g., when we need to process the personal data to protect our services from fraud); (Or... their interest in keeping it forever?) Bambu Lab has a legal obligation to keep relevant personal data; or (This may sound crazy, but this is a China-based company that is at the legal whims of China's policies. If their government told them to keep all data collected forever, they'd legally have to keep it... FOREVER.)
I am not saying they are or plan to do this, but this is how a 3D printer (another computer on your network) could have total access to everything unprotected. Hacking everything else might not be as hard as you think. This is done by making something called a "reverse shell." Your router is setup by default to reject any incoming data not asked for. Get that? If the data isn't asked for the router is setup by default to reject it. If it is asked for, then the incoming data requested will be accepted. This is where a reverse shell comes in. A good example of this is putting a Raspberry PI on your network polling a IP address of another computer. This computer accepts the polling, and makes a connection. Any command made inside this reverse shell on the connecting computer makes it look like the command is inside the network of the polling computer. If you paid attention, you would release that the router of the polling computer now thinks that any request or sent data came from inside your network, and bypassed security. To make this happen could take a update to your 3D printer, which really is another computer on your network. You're right about China. It's law that the Chinese government can and has demanded data from Chinese companies, which have to hand it over by law. To get around this you can buy a Wi-Fi router, and make a connection to the Wi-Fi part of it on your computer. Then connect the printer to it. Have an either net cable from this router to your net work with access to the WWW. Set up and update your printer with this cable in place. Disconnect the cable, and your computer still has access tot he printer. You printer doesn't. It is possible to go through your computer, but highly unlikely. To make it more secure make sure nothing is on your network on the WWW, when doing downloads. In the real world you are a drop in the ocean, but even drops have things happen to them.
Because we are ITAR controlled, we cant do that, however, the average user that wants some more security can :) We recently upgraded our router to one that can do full monitoring and have a fail over and WOW it has been nice!
This is a HUGE deal! I almost didn't purchase the X1 Carbon because of the security issues. But when I learned that it's capable of printing from LAN, I made the purchase. However..... It was impossible to activate the printer without connecting via phone. I went a whole week before ultimately activating it, then setting it for LAN. Still, we can't send models to the printer without logging on to the software... which must communicate with Bambu Lab's servers. Even if this is only intended to provide great service to the user, this comes off as truly shady. I turn off the machine and the VM (where I use the software) off after every use. At the very least, I get added peace of mind. Thank you for covering this 😎
As a contrasting video I'd love for you to cover an example of a privacy policy for another internet connected service that is pro-consumer and pro-privacy. These privacy concerns are not limited to Bambu or other Chinese companies -- these privacy policies almost look the same as every other software / Internet related privacy policy I've seen for all companies and countries. You brought up some great points that apply to all policies: what are users supposed to do if you disagree with a change in policy, what systems are in place to ensure you can remove your data if you no longer agree? How can a consumer protect their purchases -- is it legal for companies to change their privacy policies as a bait and switch tactic?
ooooh thats a good one. I think Peopoly is the best example I can think of.. Legal will depend on where you are, but how can consumers protect themselves? They first have to understand it and they fundamentally dont :/
If you need a video on those things, you need more than that video. If it doesn't apply to contracts you are fulfilling, just don't go down the rabbit hole, but the information is freely available in government docs.
honestly, I'd like to see a video or 2 on these too. It'd be nice to have like a mid-level view/understanding of them (i.e. some of the finer points and details but not having to read government documents and the definitions contained within them)
@@alanpreston1822 I fully understand them, since I'm subject to them (and GDPR for that matter). However, @grant is excellent at making videos about them, which would allow my senior IT laziness to manifest fully by just sending someone a link.
I am certainly no expert, and we only run a level 2 facility here. We were working towards level 3 but had a contract fall through a bit over 3 years ago... so that was put on pause due to expenses of going 3, 4, and 5.
So as far as the update before printing, I have had it stop me from printing once until I updated. I wish I had taken pitures at the time, but I was in a rush to get something done, so agreed.
Thinking back on it, I think this was about the time the security vulnerability was fixed. It's possible that the reason it was foreced was due to the level of the vulnerability. I have seen other devices do similar (looking at you samsung). I have not seen this again since then, and I am constantly ignoring the updates.
I keep mine on its own vlan, and the Wifi network it is on is for IoT devices, and it's the only one I have currently. So isolated in the event of a breach. Thats not something everyone has the hardware and knowledge to do. Still wish it were more open.
Having some experience with dji, your issues with bambu remind me a lot of my dealings with them. Unfortunately the drone industry doesn't have the plethora of alternatives that 3d printing does. I hope you all can keep them a little more honest than what's happened with dji.
What you really should do with the Bambu printers BEFORE you do anything else: 1.) Pull the internet connection cabel from your router. (so your network does not have internet) 2.) Set the printer to LAN only mode. 3.) Connect it to your WiFi. (we are however not really believing this and will make sure it is really lan only in the next step) 4.) Go to your router or firewall and block any connection from or to the internet for the printer. (for Fritzbox users it is called Device Blocking) 5.) Now you can reattach your router to the internet. > This will block it from the internet and not rely on their promisses but on the promise of your Firewall / Router manufacture you already trust anyway ;). Important: After that you will loose a couple of features, but I would say those are pretty much not that important for most people. (should be the same as with LAN only mode described by Bambuu) If you still want to see what is going on with your printer from outside your network, you can use a VPN connection to your network.
@@3DMusketeers That is exactly how the Bambu subreddit is. You get dogpiled and accused of nonsense if you raise any concerns about privacy or data security. The old "If you have nothing to hide, then you have nothing to fear" fallacy.
@@rDigital2A 1000% agree. "my requirements are a printer I can keep up to date without connecting to a network" BambuBois: "why would you need that, or it even be a concern?"
The Qidi’s seem to be fixed, just saw what I think is the first new update review to the xplus3 and seems everything is fixed and really good. We need to get the Xmax3 in your hands for review. These might be a great the bambu replacement.
@@3DMusketeers yeah the xplus3 was the model they used mostly for reviewers before so not surprised that’s what you got, but that’s great news! Now with the lower pricing and improvements I’m really hoping that these can be a cheaper option that’s on par with (maybe better?) bambu. Looking forward to the video/stream.
I would like to correct one thing. Bambu does not need a SSID and password to use a client as a botnet. All it needs is an internet connection for that, and that would be easily identified and found with wireshark. Network analysis has been done on bambu printers, and this is not something that was found long term.
@@3DMusketeers As someone who does network engineering, spreading assumed but not correct information annoys me. That is not how that works. Not only would a update for all printers need done to enable them to send remote commands to act against a target IP as a bot, but it would not give them access to your network. Just because a device in on your router's network does not imply devices on it will care about what another sends to them. Having access to one's LAN in a client-only device context is not very powerful, hence why in actual hacking, none make use of it. Instead they make use of hosts, via spoof networks. Any nefarious network activity can easily be observed, and majority modern routers also automatically detect bot activity and lock the device from the internet in detection of it, such as with ASUS routers. The only things we cannot analyze is encrypted data, but in bambu's case, this is not entirely the case, as the logs seem to be basically just the MQTT data from what we have seen, which we CAN read. You can access it via username bblp on port 8883 without SSL and TLS. The password is the LAN Only access code on your printer's screen. I have a video I did where I went over such info and explained it in simpler context.
@@3DMusketeers Sure, but always remember local files != networked files. From looking at the length of networked data, it only looks like MQTT gets networked in terms of large data amounts. The rest seem too small to be that relevant. While local files are interesting; I agree, it is not conclusive of privacy. It's like me FTP'ing to my android phone and seeing the mass in there to conclude danger.
Oh yeah, I agree. I was talking more about the cool stuff you'll find. As for security, we know what is packaged up and I'm not very comfortable with it. Mind you, I'm a business that deals with NDAs and ITAR. The average consumer won't likely care and that's a different chat for a different day
First off, what a great and comprehensive take on the data privacy concerns. It's almost March 2024 and I have similar concerns wondering if Bambu addressed them as I consider Prusa XL, K1, and/or Arco. I don't want my network to be a botnet nor do I want my printer accessible from outside my network. Is it possible to access all features in LAN Mode yet? Is it possible to update Bambu firmware without being connected to the internet? If not, I need to consider VLANs/DMZ + WIFI password update prior to connecting/disconnecting. Any other updates to consider? Thank you & well-done, subscribed!
We recently showed exactly what is in the logs, I recommend you watch that video too :) It is not possible to access all features with LAN mode. It is NOT possible to update a Bambu offline officially. A firmware called X1Plus is on the horizon, which we also did a video on, but it is not publicly available yet
@@3DMusketeers Thank you for your response and being a champion in this area or concern. I may consider P1S if my concerns are addressed otherwise I'm a hard no. I'll check out your other videos now thank you!
Bambu EULA=You ARE the product! We will make money off of you by selling all the data we collect from the product you bought but technically we still own and can dictate how you use.
I have a bambu X1C and since i am aware of all those data they retrieve, i only use orca slicer with sd card. Edit : im in the EU , printers are shipped from germany and if im right, bambu servers in EU are in germany too.
This is why you need to add them to a separate ssid on your router with no connection to your network. Gaming routers do this and I have two 3d printers on their own ssid's with internet access but no network access. I can turn them off via smart plugs via tuya.
@@3DMusketeers Its something that goes for all IOT devices. they should all be on a dedicated IOT lan segment on its own SSID and nothing on that lan segment should be able to talk to other lan segments or other devices in its own IOT lan segment. It should be 100% isolated and all it should be able to do is get out to the internet, you can then also implement a dns sinkhole to log and stop it resolving any url's addresses you don't want it talking to. That si probably the least extreme approach to Trust is good CONTROL IS BETTER! I wonder if we can identify and block the talk home server addresses but still let it access the update servers to get new firmware. it is concerning that they encrypt the payload back to their servers and wont disclose the content of what they are collecting, but at the same time we would all be screaming at them if they was sending data back unencrypted. I think what is needed is an independent review permitted by Bambu, by trusted industry security experts. A brute force hacking the aes encryption and releasing the method would then be a security vulnerability they would have to patch, so i can see whey they are not keen to divulge on that front and it could be seen as them actually caring about protecting privacy of customers from another perspective. regardless if the vendor cannot provide the necessary guarantees one would expect for commercial use then that's just a market they will not be able to compete in. For average joe in his basement that doesn't care about a dude in china seeing him in his underpants they can have a very nice printer and do some pretty cool little projects.
It's too good to be true. Besides, there was a semi-recent fiasco with Bambu printers randly printing. Mark my words, there will be a major uproar once people do find out what really happens. But then again, people are very stupid; Microsoft has been doing it for decades with Windows...
As an innovator, I find the model data to be the most troubling. If I make a new toy that I intend to place copyright on, its pre-leaked to a country that consistently pirates people's work. Even more troubling is this looks like a case of industrial espionage. People who want to create new things will be the first to buy a rapid prototyping machine. Do you want sketchy people to see what you're making?
We designed and have been selling a product on etsy that didn't exist before we created it; we have now found it being sold on Amazon by 24+ different Chinese companies and to top it off they are using our product images and videos for their advertisement and also customer review images. Our product is not public so they most likely stole our file. Amazon claims they'll investigate and block those sellers 😂
In the medical space, and for HIPAA compliance, we have to de-identify when sharing. Our health is just part of us and it's protected. Why not the remainder of our being? I believe companies like this should have something in their terms for similar occasions. Only use specific identifiers when interacting with the individual and de-identify when used for other purposes. The specific instances should also be limited and called out.
I love this idea. Capitalism, in its purest form, would not allow for this though.. I am glad we have it for medical records, but all these people doing the 23&me things are just sharing their geneology with insurance providers who can use it for reasons not to cover treatments because there is an existing risk.. I hate it.
The P1S cant really see much with the camera other than a small sliver of my wall. You could run a packet sniffer and see how the network is being used and utilize a dual NIC PC as a "pass through."
Thank you for this. I have only been at the 3D printing since the beginning of this year (2023). I have and E3V2 and looking to upgrade to a faster printer P1S was in my view, but I've heard too much about possible data collection, and now I'm starting to looking elsewhere for a printer. I love what I've read about the P1S, but I can't dive in knowing there may be a DJI type of thing going on. I started using Octoprint not too long ago but it keeps disconnecting from my printer so I just pulled the plug on it for now. It's a hobby for me so the network connection I could care less about. Maybe I'll look at Sovol, I've read some decent things about them. I thought I saw that a core XY would be coming out. I've got the E3V2 dialed in but man is it slow.
Computers and software have totally redefined what an "agreement" or "contract" is. In what other situation is it acceptable that ONE part just redefines the legal contract? You buy a car and the company redefines the terms of use to require a monthly fee or "the car will be permantly disabled if you exceed speed limits more than twice" or whatever. HOW can we consumers or the courts and judges play this game with these "consent" of "terms of use" to be able to use what you actually have bought...?
So I guess the real question is, why don’t other manufacturers develop, produce and release a product that meets or exceeds the specifications of the Bambu labs printers who are “more” trustworthy? There is a reason the Bambu labs printers are popular, they meet a want customers have been asking for for years, ease of use, quality and speed. Instead manufacturers cling to more of the same as what came before. Not only that but many printers require quite a bit of tuning that you have to do periodically and continuously, to work and in many cases should be upgraded out of the box to perform better though they do “work” out of the box….. usually. It also seems like a lot of the issues involve the use of the cloud printing feature, which due to my personal preference I don’t use, I load files directly onto my sd card. I’ve also found that the camera feature mostly useless unless I want a Timelapse video, which I generally don’t.
@@3DMusketeers I think that the benchmark was always what prusa set, all the other manufacturers concentrated on clones that were close to what has been considered the standard. And no one can argue that prusa doesn’t make a very good machine. As a matter of fact I still recommend a prusa to people that ask, but I also recommend the p1p, because even the security issues aside it’s a very capable printer at a good price point that’s simple to use. I’d sure like to see more innovation in fdm printers, and there is clearly room for improvement. Seems like I’m seeing more improvements in resin printers then I am fdm. Prusa has something going for it with the XL but price and availability are an issue. I’d like to get one but I’ll hold off for a while and if I can get one second hand for a decent price I might but it’s doubtful I’ll buy one retail. I just can’t justify it. I might also look into a rat rig or a voron as I’d like to have something with both speed and build volume. But that’s a project for another time as I don’t “need” it. Maybe we will see better things in the future but it’s clear to me that Bambu and prusa are going at each other and people are picking sides.
No hate here. After watching NBR's vid, I was TOTALLY against purchasing a Bambu machine. I did opt for a Creality K1max. I just hope they don't have the same stuff.
There is a term for 'believing' what you read to be truth: *Blind Faith* - These people have *no* reason to be truthful in their 'disclosure' - none whatsoever. Not only that, there is *no* recourse if it proves to be false, and finally - and most importantly - there is *no* way to verify anything they say.
I had initially intended to buy one before watching your video, but now I've decided against it. I think I'll wait and see what the XL version from Prusa has to offer, and if not, then I'll consider the MK4 as an alternative. 🤔
Yall should be saving copies of the log files, because they may decide at some point (particularly if the encryption is defeated) to cover their ass and stop collecting something they arent supposed to.
So can you use it offline, third party slicer and SD card, without creating an account or ever having to update the firmware? Presumably the current firmware works well enough as long as it doesn't have a timer in it saying it needs to be updated at some point. What's the best alternative to the P1S without the same concerns with China?
Not updating the firmware will get you into all manners of BS if you need support and if you make videos about it, fanboys will tell you are a moron, so there is that lol.. To be clear though, NOW there is a 3rd party slicer, previously there was not, and we dont know what orca collects.
I'm working for one well known telecom company based in Europe (not Huawei 🤣).We have a lot of mandatory trainings and accientaly the one today was about personal informations and GDPR. And as I can see,Bambu lab doesn't comply with GDRP at all :( ...and my new X1 is on it's way to me....
The situation is made worse by this release, the A1 an entry level printer aimed at younger customers, I foresee many A1 printers ending up in childrens bedrooms, the A1 will collect images, ether directly or via mirrored images may well include indecent images of your children. Collecting such images is illegal in many countries and Bambu labs need to ammend privacy policy or risk being guilty of creating indecent images of children in many countries!
@@3DMusketeers hshshshshs If I may.... In terms of data security I could care less after interning over DJI in the past. I get their point of getting this data and they only use significant flight log information, statistics and whatnot "BLACKBOX with the intent to sell other data for socmed and ads" for external cash flow, DJI alone back then even during the DIY era production was extremely expensive they could not just rely on tradional means. I was already done with my internship when they started profitting from these data selling to manufacture cheaper drones while paying employees generously. I think the same goes for Bambu. Anyways thats just my opinion from experience it could be different now but until we haven't seen bad stuff happening from the millions of DJI drones sold and thousands of bambu printers sold everything thats to be worried about is pretty much meh.
We have seen bad things from DJI, you dont end up on the banned list for the US Govt for NOT doing something wrong.. What exactly, I know it involves selling the data to bad actors, but specifically I am not aware.
@@3DMusketeers I'm in the drone industry as well so I know the reason why its banned its an appropriate move for the US gov. You dont want DJI getting into high position government emplyees assuming some of the said data is sold to bad actors as per rumors other than that you wont see any other DJI user Pro/Com/Private complaining and just to add since US gov service cannot own and use DJI products they just outsource these drone shots or topo scanning for gov use pretty much nonsense but at least people are given high paying work while still using DJI products. Hope you get the drone side but yeah everything else is superstition in my opinion based on my take and experience of how some of these data is used to improve the product, manufacturing, material, software and user experience.
Personally, I think any privacy policy, terms of service, end user agreement, etc. are all worthless. Cause at the end of the day you don't know what happens what a business does behind closed doors. Also, with how invasive governments are with businesses and individuals, I just work on the premise everything is compromised. I apply this mindset with "open source" software and hardware. Cause historically speaking, there have been lots of open source systems that were purposefully compromised. The upside of open source is good for inspection purposes, and for business continuity purposes. Once I made shift with my mindset, it allowed me to plan and position myself accordingly.
So I'm going to have to add firewall rules to blacklist every connection to the printer outside of my LAN and leave it on its own VLAN with a VM that is also separated from my network. lovely.
Its defo sus. What is the functionality limitations when you don't connect it to the internet aka air gapped. Can you still just use SD card and print while air gapped
you can use the SD card but you cannot update, no camera (other than like timelapses) no ai detection, no alerts, etc. No nothing that would need the internet obviously.
Maybe someone can try to use it a way PRC don’t like and see if something odd happen. I would really like to see what they are sending and the data amount, I can understand a crash log and the setting when it happening can be interesting, but why use encryption for this.?
About to buy a X1-C. I will lock it down hard and only allow updates thru a dedicated path. My biggest concern is them disabling the printer. I'm not sure they can include timebombs legally. I will ALWAYS be in LAN mode and divorced from their cloud just like all my IoT.
do you think there will ever be a "crack" or something (specialy x1c) to be full featured free of Bambu? and Du you know if the X1E has the legal abillity to be complete free?
Bambulab can take whatever info they want as long as they dont share it with my government. Its our government who is more of a threat than any other one.
one idea on firmware updating while using the machines offline: Can´t you just reset the printer before getting it online and updating the firmware while using a "fake" account?
We dont know if a factory reset actually deletes anything, since we cannot read the logs. It is not about the account, it is about what the printer can do on an open network, what it downloads, and how it installs it all.
We got it specifically to see if they would be useful for this and have now gone down such a deep hole of trying to understand it's both frightening, frustrating, and incredibly interesting.
@3DMusketeers you'd think for itar sensative stuff a more vetted and professional fdm manufacturer would be required. I'd assume some sort of external clearance would be required before it was even to be set into the contractors facility. Then again whos to say these comments arnt all from bots on the bamboo side anyways. This is china we are dealing with
There isn't actually a vetting process yet, but I think that's to let people make their own decisions. There's a vetting process for the businesses, like ours, but for people we buy from, no, not really :/ there are recommendations but it's not realistic often for startups like ours.
Any free cloud service, VPN, online storage etc. should be used with caution. It may seem free on the surface, but you are really paying in different ways.
@@3DMusketeers Oh, I almost forgot to tell you this: I checked the logs in my router for the the Bambu Lab machine, and the printer is connecting to several different servers. 1 is in Germany, 1 is in Netherlands or somewhere near there, and a 3rd is connecting to some US based server. None of which are registered to Bambu Labs. I also looked up the ratings for some of them, and some users reported them as dangerous for several reasons.
@@3DMusketeers Yep. USA, I'm and not using VPN. I screenshot each IP address, so its on my computer at home. I can post on discord or somewhere if you have a place for that.
@@3DMusketeers If they have collected data, they must make it readable for me upon request, otherwise I can sue them under European law. In addition, upon request, they must delete all of the data they have from me. If this is not done, there will be severe penalties and high demands for compensation. This is perhaps also a reason why the collection of model data in the EU only relates to MakerWorld and not to the use of the printer. I don't mean to say that there isn't any possibility that they could still collect things that they aren't allowed to. But I think the hurdle is significantly greater.
@@3DMusketeers My P1s is coming now and I'll try it out a month after I use it to request my data. They actually have to give them out otherwise they will be threatened with a sales ban in Europe
well you have lot of great point but if i may give some feedback : the main issu in those maters is they can make a 1min video addressing all those point and trying to convince people all those are not much issues. Your video is almost half an hour. So who's message do you think the mass will get ? Been using linux and FOSS for about 25years and that's something i see time and time again. A big company make 1min spot with a cool well dressed dude telling you "it's fine" in a confident stance. And on the other side a guy that sit all curved wearing a goofy tshirt or sweeter too large for him that takes pages and pages to explain in lot's of unnecessary details why "it is not ok". And off course one is lying and the last one is the good guy in the story. But that doesn't mater because nobody will listen to him except those who are already convinced. It's like trying to fight a fully armored knight that run at you with a huge sharp spike, by sitting and making lots and lots of move with a butter knife. That is not chevaleresque. Seen that time and time again against IBM, Microsoft, Google, NVIDIA, Apple, Amazon, ... you name it. 25years and still the same story.
Rather pay Prusa for the premium for privacy and security. I guess if something is too good to be true it usually is. Gotta wonder why Bambu are able to make printers so cheaply.
This is certainly a legitimate issue and while I do not want to minimize it, people need to be aware that Bambu's products are but one of the numerous products in most people's homes that cannot be trusted. ANY web related product - from pc motherboards to modems and routers to home security cameras and even your smartphone that are made in China or consist of Chinese IC chips has the potential to spy on the user. And since there are very few US made alternatives (especially at competitive cost), there is little most people can do to mitigate the concern. Who is to say that your router is not capturing every purchase you make and associating that with other data to personally identify your bank records? Or that your router isn't sharing your Intellectual Property data before you even upload it to the Bambu cloud service? The point is YES - this is a concern. But I don't think it's fair to necessarily jump on the Bambu bandwagon while everything else in your home is potentially doing the same.
My home is secured, but we are ITAR controlled, so there's that. We run a custom built router which is amazing! But yes, for the average user, it's one of many. Given their investors though (dji) I have good reason to be worried lol
Great video. Thank you. Couldn't the 3D printer be put on its own network by using a 2nd WiFi router at home? Is this a good way to isolate that printer from the main home wifi network?
Depending on your setup, your wifi access point may be able to create multiple vlans (virtual lans) and you could place the device on there. Or, depending on your router, you could block the outbound packets from the printer, and prevent it from connecting to the internet at all.
Cracking AES is not a trivial matter and the serial number doesn't need to be part of the key and the key can and should change with every handshake. Your best bet is to intercept the data before it is encrypted but again that may also not be a trivial hack.
It's encrypted on the spintrol MCU. I'm guessing it's a non changing hardware key or it would be a pain in the ass to read them at the factory. I'll have to check to see if the MCU does support spinning keys.
Damn, I was about to buy the X1C, but since I am designing my own models foe business, they can keep their crap. Having the ability to siphon off my work is unacceptable. Time to reconsider a Prusa, but now I need to look into their privacy policy.
The software section will also apply to the mobile app, for which their terms are completely sensible and fair since it is proprietary. Playing devil's advocate, you could read that as applying to that software, rather than the open source desktop software.
I'd like to hear bambulab's justification for not allowing offline firmware updates. You know... like basically every other 3d printer on the market can. If they'd allow that, I'd buy one. It is literally the only thing holding me back from ordering one right now. That they seem unwilling to do that is a big red flag, in my eyes. I can't think of any good non-nefarious reasons for why they'd want to force you to connect your printer to the internet at some point.
My BL X1C was hacked by someone last night. Started trying to rub the nozzle on the plate for over 2 hours before I noticed. I have contacted BL but no response yet..😢
We know what encryption it is?! That's huge, and reduces my search space by several orders of magnitude. Will DM you later. This might be possible in our lifetime...
The simple fact that it's a cloud driven machine made by a Chinese company is enough to make me suspicious. having encrypted log files and closed ecosystem isn't helping their case either! GDPR (EU/UK) works for us within the EU/UK but if the cloud server is in China GDPR does not apply. Also ( I think I'm right in saying) The Chinese government can seize any data stored on a pubic or private server in China if they feel like it. This is why I got rid of my Huawei phone.
Also What about COPPA I know many kids that want 3d printers parents are likely to buy something like an A1 or A1 mini over the more expensive printers. And those printers have exposed cameras that can see everything and they will most likely have it in their rooms and lots of the time people forget to cover the camera or just forget. What will happen if they accidentally catch a vid of a CHILD changing. What if that data gets Leaked or they got hacked. I would certainly have zero trust in a company if they’re printer got my privates exposed.
That is not something I have considered. I think Bambu would say "well you have a way to block the camera" but yeah.. that is a whole new avenue there..
@3DMusketeers A DMZ allows you to isolate a device on your network from your local network. It sounds like when you send jobs to it from the phone app or slicer, it goes to the cloud and gets pushed down to the printer from the cloud. Or I could be misunderstanding it.
@3DMusketeers That'd work. I don't think I'd care if it reached the internet as long as it was segmented. I guess you could connect, update, and then disconnect. My firewall does region blocking, so it probably wouldn't be able to update, haha.
I totally agree with you. Thanks for this video. Would you like to do a video with me about the GDPR part? I live in Europe and would like to do a video about this on my channel and of course i want to give you credits.
FINALLY THIS VIDEO. YESSSS!!!! And Yes, the reason i dont get Bambu are because of this and they dont ship here. While prusa ship to a lot of country. And yes, please do prusa and creality please.
Yeah I put my x1c in my IOT subnet where each device is able to talk to the internet but not any other device on that subnet. All those devices have access to the internet but no access to any other device on my main network, still allows firmware updates but prevents the CCP from getting access to any of the data that's on my main network. I love the bambu printers because they are stupid fast, produce good quality prints and "It Just Works™" but there's no way in hell that I would connect them on my main network.
@@3DMusketeers absolutely agree.... Where commercial in confidence, trade secrets, NDA's, Patents and other business specific principles apply there are a number of considerations that aren't relevant in the home or Soho environments. The relatively recent release of the Bambu X1E is supposedly designed to address most of those considerations.
But it's not.. you still can't update it locally.. have to be internet connected. And while, yes, it has physical kill switches for the internet, it's not helpful if you can't flash the firmware anymore lol
@@3DMusketeers that's a shame. I had hoped that they would address that. Yes I agree. Given that ALL bambu printers keep MASSIVE fairly heavily encrypted logs, even though you can physically kill the X1E's internet connection. If you have to connect it to the cloud at some stage to do a firmware update, it's a fair bet that it would then take that opportunity to upload a tonne of logs to their servers which given that we cannot see what those logs contain, there's an unacceptably high risk that a business may end up breaching NDA's inadvertently during that process even if it is not given an internet connection on a day to day basis.... Such a shame... They are great printers, but that will absolutely limit their utility for a lot of situations.
If you know, you know, if you don't it is fine to keep it that way lol. There is a bad actor in this community that calls people sock puppets, he inspired the shirt by Sam Prentice: b.link/PuppetResearch
Oh, no, not here. We have a business in this industry, printing firearms for others would be a federal crime. We know our laws. And we work strictly within ITAR and CMMC guidelines
Ive beem considerong buy a printer again. Been about 2 years sense i last printed. Was eying the Bambu Carbon X1. Then i ran across videos like this and now im not so sure. Also considering Prusa Mk4 also. But the bambu looks so nice.
With the X1+ f/w, BLs own blog, seems like a lot of data was collected way more than necessary🤔. No need to decrypt the log file anymore, the logging routines are wide open and visible under linux. We will know the extent of "DEBUG" log data soon.😂
