Bambu-zled
Geoff sounds the alarm on Bambu Lab's legal threats against an open-source OrcaSlicer developer, the crew unpacks the CopyFail and DirtyFrag Linux kernel CVEs and AI-accelerated vulnerability discovery, and Adam reports from an off-grid California compound to explore parallels between physical self-sufficiency and digital self-hosting.
What we cover
- Breaking down the recent controversy involving Bambu Lab and an OrcaSlicer fork, and the ramifications of Bambu’s actions.
- The CopyFail and DirtyFrag kernel vulnerabilities and the merits of responsible disclosure in an era when AI can discover vulnerabilities faster than they can be patched.
- Adam shares his experience at a fully off-grid compound in California and the crew draws parallels between off-grid living and self-hosting.
First up, a fired-up Geoff provides details on the recent kerfuffle between Bambu Lab and the open source community. We also go into some of the background of how this is not Bambu’s first such controversy. We discuss what exactly the developer of the open source fork of OrcaSlicer did, Bambu’s completely off-the-mark handling of the situation, and the open source world’s fierce backlash in response.
Next, we talk about the CopyFail (CVE-2026-31431) and DirtyFrag (CVE-2026-43284/43500) Linux kernel privilege escalation vulnerabilities that were recently discovered in part by AI. That discussion leads to a more general discussion about the responsible disclosure model in a world where vulnerabilities are being found and reverse-engineered faster than ever.
Finally, Adam chats with us about his experience at an off-grid, solar-powered compound in California. We discuss the parallels between off-grid living and self-hosting software and owning your own infrastructure, and whether HomeAssistant is up to the task of managing critical off-grid systems.
Topics: 3D printing, Bambu Lab, OrcaSlicer, open-source licensing, Linux kernel CVEs, AI security research, responsible disclosure, off-grid living, self-hosting, HomeAssistant.
Links
- Bambu/OrcaSlicer:
- https://github.com/jarczakpawel/OrcaSlicer-bambulab
- https://blog.bambulab.com/setting-the-record-straight-on-cloud-access-and-community/
- https://www.youtube.com/watch?v=jIbpQtoz6hs
- https://www.jeffgeerling.com/blog/2026/bambu-lab-abusing-open-source-social-contract/
- https://gamersnexus.net/fk-you-bambu-lab
- CopyFail/Dirty Frag:
- https://en.wikipedia.org/wiki/Copy_Fail
- https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
- https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
- https://arstechnica.com/security/2026/05/linux-bitten-by-second-severe-vulnerability-in-as-many-weeks/
- https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
- https://tailscale.com/events-webinars/toronto-tech-week-tailscale-meetup
Transcript
Geoff: All right, welcome back to the latest episode of the BitFlip Show podcast. Tonight we are going to be talking about all sorts of fun things, about OrcaSlicer and Bambu Lab, and we’re going to be talking about Copy Fail and Dirty Frag, all kinds of dirty things. And then Adam, as you can tell, is not in his house, and he’s going to talk to us about… living off the grid and all the fun that he’s had to, you know, deal with on that one. So I’m your host, Geoff, and I’m joined tonight by Adam and Stephen. Alex, as you can tell, is not here tonight. No, he did not jump into a rocket ship and, you know, take off into outer space. He had a personal commitment that he was unable to get out of tonight. So it is just the three of us. We’re going to have lots of fun. So how you gents doing? 00:00
Adam: Doing well. Doing well. 00:51
Stephen: Can I complain? 00:53
Geoff: All right. You guys want to talk about Bambu and OrcaSlicer? 00:54
Adam: Please. 00:58
Stephen: I think we should, yeah. Mm-hmm. 00:58
Adam: Please. 00:59
Geoff: Yeah, I will start off by saying on this one, these are my opinions. I think this is for everyone, but don’t, this is not my employer. These are my own personal thoughts, but let’s give a little background here, ’cause I think it’s important for everyone to kind of, who doesn’t know what’s going on. So Bambu Lab, we talked about in episode three with the printers that they have. Um, we all agree that we love the printers, but some of the ecosystem stuff they have done, maybe not so much. So going back about a year or so, in 2025, Bambu did some security upgrades where they locked out a lot of the existing third-party things like Panda Touch and a couple of the other companies out there that had created products. They were no longer able to connect to the printers via the cloud unless you kept your firmware on an older firmware. And if you upgraded, the software that they provided to do the interconnect had much less functionality, like you couldn’t control filament selection. You couldn’t do a whole bunch of things. And they were claiming that they were having security issues, that they were getting like 30 million requests per day from things like OrcaSlicer. And so they were saying that this is all about security. So OrcaSlicer, for again, those who don’t know, is a slicing software that you use for your 3D printer. And that’s basically what you need in order to convert the model to be able to print on your printer. And so OrcaSlicer is a fork of Bambu Studio, which is in turn a fork of PrusaSlicer, which is in turn a fork of Slic3r. All of this is open source code under the AGPLv3 license. And so there was some uproar back in 2025 when Bambu did this, but that kind of seemed to die down a little bit because people kind of adapted to the new reality. But just this week, Bambu kind of struck again.
So the developer of a fork of OrcaSlicer, and I’m going to say his name and I’m going to butcher it and I apologize, Pavel Jarsak, I’m just going to call him, I’m just going to say he’s a developer. He developed OrcaSlicer-BambuLab that included the ability of OrcaSlicer to connect to the Bambu cloud and print via the cloud. So Bambu reached out to him and according to him, we don’t have the conversations because Bambu wouldn’t let him post them. But according to them, they accused him of… They threatened legal action. They said that he was impersonating Bambu Studio. He was bypassing authorization controls, violating the terms of use, reverse engineering, all sorts of things that, you know, bad developer, what are you doing? You’re going around all of our blocks. Do you guys know what he was doing? 01:00
Stephen: You know, I don’t, I’d love for you to tell me. 04:06
Geoff: He copied the user agent string from Bambu Studio open source software and put that in his code, and that was all he needed to do in order to prove that he was connecting from Bambu Studio. That was the extent of their security authorization. 04:09
Adam: So the… amazing. 04:26
Stephen: So he took down the, his app, right? Yeah. 04:33
Geoff: Yes, he, because he didn’t want to deal with it, he took down his app. So the GitHub repo, if you go there now, and we’ll have a link in the show notes, it basically has a summary of what I just kind of said to you guys. So obviously the open source community took note of this. Louis Rossmann, a well-known open source and right-to-repair advocate, quickly posted some videos talking about it, and he pledged $10,000 to defend the developer if Bambu came after him. He used some pretty profane language that’s not safe for work. Jeff Geerling also posted a video that we’ll have in the show notes that basically says that, you know, Bambu no longer, he doesn’t recommend Bambu printers. And then Gamers Nexus, you know, we recorded, we recorded this on Wednesday. They did this last night. They posted an expletive-filled post saying basically, Bambu printers, come at us. And they posted the code that the developer had taken down and basically said, we think this is open source. We think this is completely legitimate. You have no grounds to, you know, claim to take this down. Sue us. And that’s where we are right now. So, Steve, I’m going to throw it to you. I mean, you’ve got a 3D printer and a Bambu. What do you make of all this? 04:34
Stephen: I absolutely do. And, you know, I remember back when they stopped the ability to run your own custom firmware and allowing it to connect to their cloud and whatnot. 05:57
Geoff: Thank you. 06:06
Stephen: At the time, I mean, I didn’t care because I used it as a tool. I wasn’t really using it as a hobby. And so I didn’t really care about throwing other firmware on there. And as long as that was kind of the line that they drew in the sand, it wasn’t so bad because it didn’t affect me very much. But when they start going after a guy like this, that’s… really, from the way I’m looking at it, not really doing a whole lot wrong. He’s not impersonating them, and that’s being some of their grounds. I don’t know, it’s pretty shaky. 06:06
Geoff: Yeah, I mean, it’s just one of those things where back in 2025, when they first did this whole, you know, taking things away, I mean, they did the name of security and I was, I didn’t necessarily say I wanted to defend them, but I at least wanted to give them the benefit of the doubt that, okay, you’re taking things away because you’re going to enhance security. You don’t want people getting into my printer and doing all sorts of things. Fine. A user agent string is not security. 06:38
Stephen: No, for sure not. 07:08
Geoff: I mean, they’re like, you copy. He wasn’t like he, you know, broke it. You know, he wasn’t like he decrypted a private blob or, you know, reverse engineered. He literally copied the string from the open source software. I mean, that’s a whole other question, because I mean, there is questions about Bambu’s, you know, Connect software and the fact that it’s, you know, because it’s AGPLv3, you have to kind of commit that back. You really can’t then have proprietary software. It gets into a whole thing I don’t think we really have time to get into. But I mean, I don’t know. I mean, again, I have my P1S back there. I’m, I’m thinking about ditching it. 07:09
Stephen: Open source. 07:23
Adam: No, it is. 07:25
Adam: Okay. 07:30
Stephen: Well, yeah, you seem pretty up there about the situation. Like I said, I wasn’t too bothered by the last thing that they did. I kind of felt because it was a tool that I could really rely upon, if they wanted to lock it down to make sure that something wasn’t going to mess with that, you know, quote unquote tool, I was okay with it. But yeah, I don’t love the path that they’re going down right now. It just doesn’t seem right. 07:54
Adam: Can you guys tell me like why the cloud? I still haven’t seen anything that’s like convincing or otherwise that would say, why do they need these cloud connections for this service? 08:15
Stephen: So, so you want to know why the cloud connect exists. And so basically what they allow you to do, for all the listeners that are just listening and not looking at, off on a screen, holding a phone. And so they have an app and you can connect to your printer, but realistically, you’re not connecting to the printer. You’re connecting to a cloud service that also happens to be connected to your printer. And their whole theory is that you should be able to hit the go button on your computer. And if you went, I don’t know, outside to touch grass, you could pull your phone out and you could look at the little camera and see what’s happening at any given time with all of the devices that you own that say Bambu on them. Um, I think they did this because it allows you to take all the troubleshooting that might have to come from, you know, someone’s home network isn’t really set up correctly, there’s something blocking some port, that this and that doesn’t work. They just wanted all the devices that you log in with your account to be able to interfere, or interfere, interface with their devices and your devices, right? And so that kind of makes sense, right? But that’s why they cloud access this. Of course, there’s a lot of people that say, listen, I don’t want cloud at all. I just want to hit the go button and have that go through my network into the printer. And that seems reasonable, but this is the path they chose. 08:27
Geoff: Bye. 08:32
Adam: Ha! 09:25
Geoff: Yeah. I mean, there’s also the, I’m going to put my tinfoil hat on theory here, and that they kind of did this as a way to, again, it’s one of those classic enshittification, you know, plays where you, you know, get everyone hooked on your stuff and slowly but surely you kind of start bringing things in and you start, you know, making it so that way you can’t, you love the product so much you don’t want to go away. And so if they start, you know, doing things you don’t like, well, you don’t only want to give it up. So the cloud is certainly convenient, but I mean, you can do pretty much all this stuff locally. There is no reason you should not be able to push print. Like, you know, Bambu saying, oh, we’re getting overwhelmed by 30 million requests. You know what the solution is then, Bambu? Have a damn local, you know, API that can hit. So therefore I’m not going through your cloud. 09:45
Stephen: Yeah. 10:35
Geoff: I mean, that’s the answer. 10:35
Adam: Absolutely. 10:36
Adam: That’s, that’s what I was going to say, is that I agree with you 100%. And what I was going to say to, you know, the description that, that Stephen provided is, I don’t find that compelling. Here’s the compelling factor: remote access. Okay, I want to access the camera. Cool, then I have a check box that I can use to say I want to do this function through your cloud service. But everything else, there is no tangible benefit that I’ve been able to suss out to using their cloud services other than to protect their own little fiefdom. So 10:38
Geoff: Nope. Now I. 10:58
Stephen: I think they also get to figure out exactly what you’re printing, right? They know what things are popular. They know stats. And, you know, I haven’t dug through the settings to figure out if there’s like a do not use my stats to, you know, with your cloud service. But I’m sure I’m, you know, adding to all their stats. 11:09
Adam: Yep 11:12
Adam: Even then you can still pull stats off of access of assets. 11:26
Stephen: Sure. 11:32
Adam: It doesn’t have to be cloud connected for that. 11:32
Stephen: Yeah, for sure. 11:35
Adam: So I just think it appears to be very classic, like again, protecting their little fiefdom, and enshittification is the word that everybody throws around these days, but I think it fits here from what I can see. 11:35
Geoff: Do you want to hear what… So Bambu posted a response on their blog post about, you know, why they took these steps. Do you want to… Let’s go through what they say. Because I, again, as you can tell, I’m a little worked up about this because I just find it… It’s just so insulting almost. 11:52
Stephen: Yeah, there’s no stopping you. Please tell us. 12:06
Geoff: No. So they go, it was all in the name of stability of our cloud infrastructure. I think we’ve already talked about that one. Like, if you don’t want your cloud to go down, make local access. Because therefore, I don’t need your damn cloud. 12:08
Adam: Yep. 12:23
Stephen: Yep. 12:24
Geoff: And then in this one, they go when this particular OrcaSlicer fork communicates with our cloud services, it quietly introduces itself as our official Bambu Studio with a hard coded version number and all our servers see what looks like a legitimate client. They have no reason to question it. And that’s why they blocked it again. User agent string is not security. I don’t know how many times I’m going to say that this episode, but it’s ridiculous. 12:24
Stephen: That’s true. 12:54
Adam: Yeah, it would be… It’s kind of… I mean, it is funny in a way that they’re trying to have this ecosystem lock-in, and at the same time, they have the most ridiculous security requirement that’s not even a security requirement that’s out in the open, and that’s what they’re leaning into. It’s just… It’s pretty bad. I have a question for you guys. So… What do the competitors have to do? This seems like an opportunity, a point in time where there’s a pretty clear gap in opening. What do the competitors have to do to make, you know, kind of fill that void that Bambu is kind of opened at this point? 12:55
Geoff: you 12:59
Stephen: I don’t know. Pretty simple. I would imagine if they just take everything that is a negative about this situation and then just reverse it and say, listen, hey, we, we have local connect. It’s not a problem. We make a promise to never remove that. That’s actually going to be baked into the core of our software. I don’t know. That’s a pretty big win. 13:37
Geoff: you 13:40
Geoff: I mean, I think that, and I mean, the other kind of thing that was a selling point of Bambu was, you know, it just works. And I talked about in episode two, I’ve been keeping an eye on the Snapmaker U1 and I’ve been, you know, in the subreddit, seeing posts about it. And it really looks like they have managed to succeed in that “it just works” bit with local only. You know, it runs, I think it runs Klipper. And so therefore, again, it is entirely local. You do not need to use Snapmaker’s cloud in order to print from it. And I think they have an app too, so you can print from your phone. I’m not a hundred percent sure on that one. You know, you go ahead and can write us and let me know if I’m wrong. But yeah, I just, I really think that, you know, it’s basically, it’s getting a good printer out there, like a core XY, dual head, you know, dual multi head printer that can just print, you know, it’s not a hobby. You don’t have to sit there fiddling with it, and local. I think that’s doable for a lot of companies these days. I don’t think it’s that, you know, when Bambu came on, they were, you know, it was huge that they were made the printing so easy. I think that that ship has sailed a little bit. And I think that other companies can do the same thing now. 13:55
Stephen: 100%. 15:12
Adam: There’s no other limiting factors that you’ve seen from the competition in regards to enclosures, the niceties around the way that they manage the filaments, all of that, you feel there’s parity in the ecosystem already? 15:13
Stephen: I think there is, like you’ve got like Prusa, obviously, they’ve been doing this longer than Bambu was. Their stuff is phenomenal. And they’re basically building their own machines right from scratch on everything. I mean, Bambu starts to do that. But you have to think that Bambu probably grabbed some of the early Prusa stuff and pretty much copied out, you know, how this works. But they’ve been there for a long time. They have really nice machines. And I think they’re expensive, obviously, but I think you get what you pay for, for a certain extent. I don’t know. There’s a lot of other companies, like Geoff was looking at that one. There’s a lot of companies that the technology has come so far that the kind of the baseline is just leaps and bounds ahead of what used to be just kind of, it kind of works, right? 15:26
Geoff: Thank you. 15:29
Geoff: I mean, you just said kind of what I find the most ironic part about Bambu’s whole position. They’re literally built off open source software. Like they basically took what Prusa did. We talked about this in episode three. They took what Prusa built and took it and made what they did. And they were very successful on that. You can’t have it both ways, Bambu. You can’t build yourself on open source and then claim open source is now the devil. I know they can, but they really should. That does not work. It does not fly, it does not compute in my mind. Yeah, I think that’s… Write in and let us know if you guys think… I don’t think I’m off base for most of the audience out there. I think most people are going to agree, but I just found this whole thing just… absolutely, I don’t know, wild and insane, the whole thing. 16:14
Stephen: Yeah, for sure. 16:22
Stephen: Yeah, so let us know if you’re passionate like Geoff, are you going to get rid of your printer? Are you going to switch to something else? Please comment. We’ll maybe bring it up next time if we see an overwhelming amount of you saying that the thing’s going in the trash. Mind you, I’d like to know which trash bin you’re throwing them in, but please let us know. 17:09
Geoff: and what you’re switching to maybe 17:26
Adam: And suddenly I’m happy that I was researching them and haven’t purchased yet. So there’s that too. 17:28
Stephen: There you go. 17:32
Stephen: All right, guys. So up next, I think we could probably talk about these CVEs that have been coming out. The CopyFail, the DirtyFrag. So 17:34
Geoff: What a name. Just before we get, what a name. 17:42
Stephen: What a name. Yeah, it’s pretty bad, for sure. So full disclosure, this was two weeks ago because we record on Wednesdays today. Right. So we record on Wednesday. So this was two weeks ago. We didn’t really get a chance to discuss this, but that’s really not so bad because more information’s kind of come out about all this. So CopyFail, which is for all you very nerdy people, CVE-2026-31431. It’s the unauthorized privilege escalation vulnerability. I have a feeling you guys dove way more into this versus me. I just quietly sat there and patched all my servers really quickly. But how about, I don’t know, Geoff, do you want to throw something in there? 17:43
Geoff: Yes, this was a bad one. So it’s been in the kernel since 2017. It was like a performance patch that was introduced to kind of speed things up. And again, I don’t pretend to understand the technical nitty gritty behind the scenes. You know, see some of the other fine podcasts out there that will do a more deep dive. But basically, my understanding is there’s a subsystem that lets regular user space programs work across hardware accelerated stuff. And so there was a bug in 2017 that allowed some data to be left kind of in the buffer. So that way someone could then write to that and then can slowly kind of get privilege escalation into other things. And so… you know, AppArmor and SELinux, you know, everyone’s favorite, you know, security things on, you know, Ubuntu and Fedora, you know, they were somewhat effective if you had it configured properly, but even that, the default configuration really wasn’t enough to protect you against this one. Um, so this was disclosed to the Linux security, or Linux kernel security, team about five weeks before it was disclosed. Um, and so basically when it was finally disclosed there was a patch ready to go. And then I think a couple weeks later there was DirtyFrag, which was, again for those nerdy people out there, it’s CVE-2026-43284 and CVE-2026-43500 18:28
Stephen: Oh yeah, it’s my favorite. 20:04
Geoff: and, oh, I know, it just rolls off the tongue. Um, and so this one’s kind of a similar thing but attacked a different part of the kernel. Uh, it was in the network stack. And so, but the, I’m gonna say the thing about this, the difference about this one was when it basically got released and there was no patch for this one initially. And so it’s been a bit of a catch up game for the, you know, the operating systems to provide patches and to provide, because yet the other thing is you have to reboot your system in order for the kernel patch to work. So you can’t just upgrade and, you know, sudo apt update and you’re good. You got to do the upgrade and then you got to reboot, and that can, you know, be costly for some companies out there. And so you only want to only reboot when you have to. And so I think that was another interesting part of this one. Um, so I guess, you know, question for you guys. These vulnerabilities were discovered by AI. Do you think that, you know, there’s always that classic debate in security practices of do we responsibly disclose and allow there to be a patch in place before we release it? Or is it better to have, you know, all the information out there as soon as possible so everyone knows what’s going on? Where do you guys fall on that one? 20:04
Adam: I personally feel like the responsible disclosure and giving time to actually put the remediations in place is something that’s worked for a long time. I think it protects the actual end user and individuals more so than just getting it out there as quickly as possible. You know, some people would look at that as like, oh, you’re giving these companies a lot of leeway to put these fixes in place, but it’s kind of a myopic perspective. It is a singular aspect to this, but it’s also like, you got to, you know, millions and plus of end users who are actually affected by these things as well. And do you really want to expose them while these companies are scrambling to put fixes in place because you didn’t want to be, you know, give some grace to the companies for the fact that code is fallible? I mean, that’s kind of where I come at it from. Admittedly, I work for a company that actually put these remediations in place last week. And, um, so I’m living through this firsthand, and absolutely, at Lime Technology and Unraid, we are very, very concerned about this and protecting our end users. And we’re evolving with the rest of the world with this new AI discovery aspect that’s coming into play. And the velocity of these CVEs as they’re coming in now is something that everybody’s gonna have to adjust to. It’s kind of an interesting catch-22 because there’s 21:27
Geoff: Thank you. 22:59
Adam: the, I want to do responsible disclosure, but also the democratization of people’s ability to reverse engineer and for multiple parties to find these sorts of vulnerabilities is a new aspect that just hasn’t been in play to the same extent. So it’s kind of a hard spot. And then, you know, as the end user and caring about security and caring about even my own devices and whatnot, what does that mean also? Like, what is the new reasonable as far as timetable for organizations to put these fixes into their products that are downstream as well? Yeah. You know, I’ll tell you, I was getting messages within four hours of this going live for DirtyFrag saying, is this in the next patch? I’m like, yes, but it’s, you know, it’s gonna be a minute before we get that in there. And so that’s a whole nother aspect of it too. Like, what is the public’s tolerance of these? And like, I think the tolerance is very low. Is that going to have to adjust so that businesses are able to actually fulfill these things within a reasonable amount of time and maintain stability of their products also, right? Like, yes, you’re getting things out quickly, but you also have to make sure that you’re not bringing down the house with that and making sure that your product is still stable and functional. And I think about that from, again, maybe my perspective of a NAS product, where you want this thing to be rock solid. So that’s my two cents. 23:00
Geoff: No, I mean, again, real quick, I mean, I agree with that because to me, it doesn’t make sense to disclose a vulnerability if there’s not a patch, because then you’re just giving the bad actors the playbook how to, you know, get into things. There has to be, it, even if the patch is not fully, you know, released and out there completely, there at least needs to be a solution to the problem. Or if there’s not a solution to the problem, there needs to be a mitigation. There needs to be something that I can do to protect myself from whatever the vulnerability is. So I mean, Stephen, you’re in it, you know, you own an MSP. How did this one hit you guys? 24:38
Stephen: No, no. So I completely agree with that. Like the reality is, yes, I want to know about the thing, but I want the companies to look at how to fix it first, have that patch ready, then talk about it. Because the reality is, especially with AI now, there’s a whole lot more people able to just jump on a bandwagon saying, hey, wait, how can I, how can I use this vulnerability? Because not everything’s patched yet. So how do I go about that? So if they just said, hey, there’s a big problem, you can totally get hacked. then there’s going to be a whole bunch of people trying to use that hack. Whereas if you release the patch and you say, okay, we know about this. Here’s how to fix it. Put your stuff out there. I think there’s a lot less time that the majority of the people that want to do terrible things have to actually implement the terrible thing, right? So for me, this kind of also works in the Windows world, right? We have patching that happens all the time. There’s really critical patches that happen that you want to get pushed right away and there’s less. And so you just have to look at what you’re hosting and you have to look at how things could be going poorly for you with these vulnerabilities that come out. And you have to understand what those things are doing. In this case, Even though I had to patch all my servers, I didn’t really have anything that’s out in the world that would allow people to get into using this, right? Yeah, so from an MSP perspective, you have to really just have everything documented and understand if certain bad things that happen actually affect you or not. 25:13
Adam: So, one, I agree with everything you just said, and I also find it very relatable, the fact that you’re like, I’m affected by this, but I also don’t really have the same sort of threat vectors that others do because I don’t put these things out in the world. That is another challenge that’s going to come into play here. And it already is in play, frankly, with just public perception and perception equaling reality and how we all have to adjust to that as well, right? Like either the learning and the messaging has to change or… expectations have to change. Something has to give in this whole equation, right? Or else it really, I think, is going to be painful and stall progress for companies that weren’t even necessarily at risk for this. So that’s, that’s another downside I would say from the whole conversation. 26:50
Stephen: So I’m not going to downplay this. It’s a, it’s a pretty bad thing to have just not have been patched a long time ago. But do you guys think that perhaps this got a whole lot of news coverage because it was AI found? Because that’s a hot topic, right? 27:43
Geoff: Yeah. 28:04
Stephen: Everyone’s like, AI, AI, AI. It’s the big thing right now. And it’s pretty easy to think, well, if something’s going poorly in the world of humans, AI is very popular. If I talk about this and say, hey, AI found this and it’s going to be the end of the world because AI is going to find more terrible things. 28:04
Geoff: I mean, I will say, I don’t know if you guys saw, but like Mozilla had, you know, they’ve gotten access to Claude Mythos, which is their, you know, top of the line security thing. And apparently they patched 250 vulnerabilities, like legitimate vulnerabilities that the AI found in Firefox. I mean, that’s kind of impressive, but also terrifying of if we were, you know, if AI is able to start looking at all the other software run out there, what else is it going to find? What else is not going to get patched? Like, it’s an interesting new world. And I don’t know how that’s going to change the disclosure model. I mean, is that going to make, you know, if AI can find things in 10 seconds, is the patch going to take 10 seconds to do? I don’t know. 28:24
Stephen: Yeah, it’s serious for sure. A hundred percent. 28:42
Adam: The other, I think, interesting angle that I’ve been hearing a lot out there, well, not a lot, but from some people who I consider to be educated sources is that the reason that these have been out there for so long and unpatched is intentional and that there’s likelihood of either governmental or other nation states or some other influences in some of the things that are being surfaced now. I found that pretty interesting as an angle also. Yeah. 29:11
Geoff: Feels a little tin-hattie to me, but I can’t necessarily say they’re completely wrong there. 29:38
Stephen: Which, you know, I’m just going to say, just because not everyone that is listening right now can see where Adam is sitting, but this will be talked about later. Full disclosure, we should all understand that right now he is in a building that is completely off the grid and has no connection to any hydro company whatsoever. So his arguments are, you know, maybe tainted slightly. 29:44
Adam: Fair. I’m not going to argue that point. I cannot argue that point. 30:06
Stephen: Mm-hmm. 30:11
Adam: So. 30:11
Stephen: All right, guys, patch your servers. 30:13
Geoff: And reboot. 30:16
Stephen: Don’t let yourself… 30:16
Geoff: Reboot. 30:17
Adam: Reboot. 30:18
Stephen: Reboot. Yeah, definitely reboot. Yeah. But don’t get caught out from this because at this point you should have patched it. 30:18
Geoff: So as Stephen kind of alluded to, Adam, you know, you look like you’ve got a lovely background. Is that on a green screen, is it? You’ve been traveling. 30:25
Adam: For those of you who are not watching the video version of this, there’s a giant backhoe behind me, and I am in fact in a shop. So I’m in California this week, and my girlfriend has a beautiful property up in the mountains of Willits. I wanted to raise this topic because I was so surprised with the experience of being out here this time versus the last time I was here. It is a completely off-grid type of situation here. There’s like a security gate way the heck down the hill where it meets the road and that’s kind of like… the entrance into this, what would we call this, like a compound of sorts. So all of the electricity for this location, so multiple buildings, so this is a shop that I’m in, and then again, there’s like the main house up the hill and such, all on solar power. A lot of that has to do with the fact that her brother is partial owner of a solar company, and therefore, I think the understanding of said equipment and access and such has been ideal, so that’s fair. Both buildings have separate solar arrays, have separate battery systems that are installed. All of the niceties around different converters, et cetera, are in place here. The water for this place is actually fed from two different wells. So there’s like a level of redundancy on that too, which is interesting. And then again, the solar powers the pumps that push the water up to multiple water tower type situations for storage at the top of the mountain. And then it’s gravity fed down to the different locations. So kind of freaking amazing. And the game changer has been Starlink though. So right, all of these other functions have existed for quite a long time. But Starlink being ubiquitous now has really kind of changed the game. I can be, we have, there’s multiple Starlink satellites for each of these buildings. Wi-Fi primarily. It’s not all wired connections, unfortunately, but for now, wired Wi-Fi throughout. And it’s been rock solid, guys. It’s been like just eye-opening to me to say… Me as somebody who works for a software company, has worked in tech for the majority of my life at this point, can go anywhere and do this job completely effectively without sacrifice. That’s the thing, like what are you giving up in a scenario like this? So we’ve had great internet connections, power, water, everything you could ask for from a normal living situation, but off-grid and completely, you know, self-modulated, you are the one who’s fulfilling all of these needs with these different systems that we have in place. And I thought that there was like an interesting parallel to self-hosting that I wanted to talk about and just get your guys’ opinion on that. All of this just feels like that next level of sovereignty over things that we either love or rely on. And I’m wondering, what do you think, Geoff? Does that resonate or does that seem like a stretch? 30:33
Geoff: Well, I guess I have a question of my own to you first. Like, is there a reason why this compound is completely off the grid? Is it because it’s kind of in a remote area or was it by like a conscious choice of they didn’t want to be on the grid? 33:51
Adam: Fair question, and it’s totally because of the location, the area. This place was purchased like 40 years ago and there literally was nothing but a mountain. And her father and her brother cleared the road, cleared the land, built the house from scratch themselves. So it wasn’t like intentional from the perspective of being like a prepper or anything along those lines. It was really location based where it’s out here, but yeah. 34:04
Geoff: So, I mean, to answer your question though, I mean, I do think there is some, a bit of a parallel between, you know, the autonomy of self-hosting and the autonomy of being off the grid. Um, and there also is that practicality aspect to it of, you know, I’m not paying for a cloud subscription. You know, I’m not paying for an electricity bill. I’m, you know, getting it for free. But you know, like me personally, it’s not something I can necessarily do. Like I unfortunately live in an HOA and they have strict rules about solar panels, for example. Like I can’t have them in the front of my house. And unfortunately my house is south facing, so I really can’t do solar at my house, unfortunately. I would love to. But I mean, I will admit I’ve always been intrigued by the idea of it, and more from, less the autonomy and the, you know, being free of things, and more just the practicality of why should I be paying for electricity when I can easily have my own generated for me? What about you, Stephen, up in the cold north? I mean, do you guys, is that kind of something that you guys do or? 34:34
Stephen: OK, so I want to point one thing out is that 35:39
Adam: Thank you. 35:42
Stephen: If you’re self-hosting, you don’t like clouds. And if you are doing solar, you don’t like clouds. I’m just going to make that… I just thought about that while you were talking. But I love the idea of solar and especially of having the battery banks. They’re pulling in the power up here with the snow and whatnot. You don’t generate the same amount of power during the winter up where I am. I’m sure if you’re further south in Canada, less snow, it’s not as big a deal. But the other part that you have going on there with those battery systems, that is super appealing for us up here, is that we can buy the power to recharge those battery packs when it’s really, really cheap, then we can use the power during the day and whatnot. And so that allows you to bring your actual hydro bill down considerably. Of course it’s even better if you do have a solar array of some sort. But my house also doesn’t face in a preferable way to get the kind of exposure you would need. I’d have to put like an actual array in a backyard and whatnot, and at a certain point, because I don’t have huge acreage, that would just be kind of terrible and I’m sure my neighbors would hate it. We don’t really have the HOA thing, but yeah, we have to be neighborly. But I really like the idea, and I really, really like the idea that that power is super clean. So if you have electronics and whatnot, you’re not going to have the same brownouts. Well, I guess you could if you had issues, but in theory you’re not going to have the same dirty power and whatnot because it’s actually all been filtered. It’s nicely stored in your own battery pack. I do have a question about that lovely situation because, you know, you shared a video earlier. We saw the sweet gear. Do you guys up there have like a generator system in case you’ve had absolutely terrible weather? Things weren’t really charged, you know, past 50% or whatever. And I don’t know, bad weather and you need power. Do you have the option to generate your own in another way? 35:43
Adam: Yes, so there’s diesel generators as well as a backup. And it wasn’t necessarily purchased as a backup. It was more of an evolution of the setup here. So initially, the solar setup was not sufficient to actually completely… fulfill the needs. 37:47
Stephen: Okay. 38:05
Adam: So there was usage of the diesel generators at night and such. But it’s evolved since then to the point where that’s not the case and now it really is just fully a backup. He was actually, her brother was telling me an interesting thing about hydrogen cells and hydrogen converters and whatnot that are starting to come on the market as well, where excess power can now be diverted into the creation and storage of hydrogen, which then can, when needed, can be converted back through a hydrogen cell into electricity. So it’s like another layer of abstraction and storage of this energy, which I found really intriguing. I hadn’t heard of that before either. 38:05
Stephen: Mm-hmm. 38:49
Geoff: No, I hadn’t either. That is interesting. 38:51
Adam: So it’s, it’s kind of fascinating. I will tell you like the feeling is hard to impart, like how it feels to be out here and to have all of these things just work magically. And, um, I find it really appealing personally. And I didn’t know that I would, honestly. I like my niceties. I like my conveniences. And I don’t like a whole lot of some of what I would have considered to be risk factors. But in being out here, it’s not felt that way. It’s actually felt like a limiting factor in a similar way that I’ve felt from data sovereignty and self-hosting from the perspective of limiting the inputs and outputs of your life and the things that can affect you. And having that like level or at least feeling of control on those things is really a wonderful feeling to have. I don’t care if the power goes down in town. I don’t care. What happens with… I mean, I do care about people around us, obviously, but I don’t care if the water system has an issue down there or whatever. It’s like this level of comfort and being in this little bubble where you still have all of the things that you love, but you’re not necessarily at the whim of forces outside of said bubble, right? 38:53
Stephen: Mm-hmm. 40:13
Adam: So… It’s pretty cool. The one thing I wanted to ask you guys about also is, like, do you guys think that one of the things that I’ve seen as a gap here is some of the self-hosting setups for Home Assistant and such? I’ve seen the systems that he has in place, and I’m like, oh, man, you could automate X, Y, and Z, and it could, you know, turn on your solar system… not solar, you could turn on the pump for water at optimal times, fill the tank, check the levels, adjust dynamically in a lot of different machinations that could be automated. And then I started to think, well, is Home Assistant like, is it really up to the task of being something that is that relied on? We’re talking about like, the things that your family needs to get water and whatnot. And I wanted to get your guys’ like feeling about that. Do you think that it’s fit for purpose for that? Or is there still a hole in that realm that’s yet to be filled? 40:13
Stephen: I think this is kind of an easy one, right? Because all you’re doing is you’re taking everything that we think about when we think about using Home Assistant, you’re taking all of that, but you’re just adding more importance to the situation. And so one might argue, well, I want a product that has been put out by the company that makes all of this equipment, that I can quote unquote rely upon to make sure that pump one kicks on when it’s supposed to do blah, blah, blah. And so that I have water, et cetera, et cetera, family happy. But I think there’s a lot of, maybe unfounded security that you might have if you actually looked at that situation, because the reality is that that company may not have the best programmers in the world and they might have software bugs, and maybe that pump doesn’t kick in when it’s supposed to because you need some sort of software patch, and then you’re waiting for that one company to deal with those things. And so if I look at Home Assistant, and I would hope that it exists in the world that you’re talking, that they have, you know, some companies that can work with Home Assistant. And I’m sure that there are, and I’m sure you could work things out manually, but I would hope that you would be able to rely upon that in pretty much the same way that we rely upon it for our lights to turn on. It’s just that there’s slightly more importance to it. Now, you do have to worry that you’re not going to be running the thing on a Raspberry Pi. I’m not picking on the Pi because it’s a Pi. But my point is, is that you want to make sure that you have some infrastructure to support the very important software running your entire property and life and electricity. But at the same time, I would almost lay money that if there was a product that a company in that realm released out like a little server, you might find that it’s literally just a little PCB board thing running their software. And you might actually just be able to make that way more redundant than they ever will, unless you’re just going to keep another one of their boards sitting there on the shelf in case the thing fails. But just because it’s made by a company, I don’t think means that it’s automatically better than the world of open source and the world of Home Assistant has been able to build out. There’s my two cents. 41:12
Geoff: I completely agree. I mean, I think the key is not necessarily what software you’re running. The key is redundancy and making sure it’s reliable. So. 43:39
Geoff: Well, 43:49
Adam: Yeah, agreed. And I think this kind of tacks onto our previous conversations around what is a critical system and what makes sense for Home Assistant and automations and such. And I’m like, trust, but have the backup. So for me, it would just be more reflective of what I said before, which is just make it additive. You got to have the backup systems. Worst case scenario, I got to run down somewhere and flip a switch. And if you have that in place, I think that it makes sense. 43:50
Stephen: Yeah, you have production and you have dev and you make your production thing that runs your life and you don’t fiddle with it. You test things out in another room in another network and then if things work well, push it forward. 44:21
Adam: Also, I’ll leave you guys with this. It’s hard to argue with riding a quad down a dirt road to get to your office for the week I’m doing air quotes. 44:35
Stephen: No doubt. 44:45
Adam: That has been fantastic and probably completely put rose colored glasses on me for this whole scenario. 44:46
Geoff: Well, with that note, if you guys have any thoughts out there in the audience on anything we’ve talked about in this episode, you can write us an email at contact at bitflip.show. We did actually have one person email us and said that they were interested in the piece that Adam talked about where we’ll, you know, talking about our, how we have everything set up and how we use Tailscale and, you know, offered to come on the show. So we’re definitely going to keep that in mind. And, you know, please, more people reach out to us. Let us know what you think. If you have thoughts on Bambu or on AI or anything we talked about, again, contact at bitflip.show. You could also reach out to us on Mastodon. We are BitFlipShow. Or you can see our wonderful website, bitflip.show. And from there, you can find our Patreon. We actually had a couple people back us. Thank you very much to those who did. If you would like to support the show, you can find us at patreon.com slash bitflip, or you can just go to bitflip.show slash support. So next episode, I think you guys are going to be in the land of Canada. You’re going to be in Stephen land, right? 44:52
Adam: Snowy north. Yes, indeed. 45:55
Stephen: Snowy north. There’s no snow. It’s gone. I know 45:57
Adam: I always pick… 45:59
Stephen: I rag on the snow a lot. I get it. But like, it’s gone now. And things are starting to turn green. So it’s a good time to be coming up here. 45:59
Geoff: All right. So I think there’s a Tailscale event that Alex is going up for. We’ll have a link in the show notes about that one. You guys can go up and you can meet Stephen. You can meet Adam. You can meet Alex. I unfortunately will not be there because I have parenting duties that I cannot get out of. But that’s been the episode. Thank you very much, gentlemen. I hope we’ll talk to you guys next time. I’ve been Geoff. 46:06
Adam: I’ve been Adam. 46:32
Stephen: And I’ve been Stephen. 46:33
Geoff: That was BitFlip episode number six. 46:35