Is it enshitification or is it a knee-jerk reaction to former incompetence?
Okay, so hear me out on this one:
I'm super new to the Bambu game. I set up my printer literally three days ago and finally replaced my Anycubic Vyper. So I've not built any fanboii-ism towards Bambu, although I'm blown away by the fact that I have been printing for three days without a failure (yet) and without ever needing to use my feeler gauges, calipers, micrometers and whatever else I needed for the Vyper to produce decent prints.
I was really annoyed by their announcement to lock down their APIs. At first, I thought I was boarding a sinking ship. But then, the fact that they provide their Bambu Connect thingamajig irritated me from the start. Like... why go out of your way to provide some access to their API at all when you want competition out? Politics, PR? Nah, they could lock down their API and just leave some calls like they are now if that was the case. Their Connect application is just more maintenance than doing the same thing via the servers. That is what previous lock-out attempts, like the one Reddit pulled, have done: "We need to lock it down for security", but some calls are just left open. So... what if this IS about security?
It's not a good look for Bambu either, but it paints a different picture. So, let's look at this.
I've taken a look at the changes they describe that will be happening to their APIs and even with my hobbyist skills in networking and IT security, they baffled me. The way they describe the new API auth system means that until then, there is almost no verification of anything once you're in. If the servers do not require any form of authentication for single calls, we can deduce that the servers save some sort of session auth. Provide a legit auth key, and you are on the guest list for that account on that machine. Like... you can grab a session token from somewhere and just access people's printers from then on, the data that runs through their cloud, heck, even potentially brick printers and hold them for ransom. And you can do that from anywhere in the world, with huge server farms or botnets.
That should never have been possible in the first place, of course. Yet, it could explain why they provide the Bambu Connect software. What they are doing is moving all external access to the edge of their cloud. That's where the external access should always have been, of course. Yet, juggling around with OAuth and verified API calls and the like (which again: they should have done in the first place) can of course break things severely.
Now, I didn't really believe that this was the case at first, because if they wanted to secure stuff, why not transition to a secure way of doing things gradually so OrcaSlicer and such could keep up?
That is when I came upon an article in the Bambu Wiki:
https://wiki.bambulab.com/en/security-incidents-cloud-traffic
Given that companies usually don't lie about these things, this is bad. So there have been spikes in weird traffic on specific dates, culminating in a ridiculous spike in January. Everything always happened on one date and one date only. This probably means that someone is testing some way of accessing their cloud for not-so-legit purposes. The huge spike in January looks awfully like they succeeded and are now trying to scale up their approach.
So what if what they are doing isn't about locking out competition, but a frantic attempt to fix an API implementation that was just incompetent from the start? The network activity they shared in that article is insanely alarming!