For those who don’t spend their free time watching PLA spools slowly unwind, The Spaghetti Detective (TSD) is an open source project that uses computer vision and machine learning to identify when a 3D print has failed and left a pile of plastic “spaghetti” on the build plate. Once users install the OctoPrint plugin, they point it either at a self-hosted server running on a reasonably powerful machine, or at TSD’s paid cloud service, which handles all of the AI heavy lifting for a monthly fee.
Unfortunately, 73 of those cloud customers ended up with more than they had bargained for when a configuration flaw allowed strangers to take control of their printers. In a frank blog post, TSD founder Kenneth Jiang owns up to the August 19th mistake, explaining exactly what happened, who was affected, and how changes to the server-side code should prevent similar problems in the future.
Going by the logs, no permanent damage appears to have been done, and everyone who may have been affected by the issue has been notified. For one thing, the window in which anyone could have stumbled onto the problem was quite narrow, so a bad actor would have had to cook up a scheme at the keyboard very quickly to do any damage to printers connected to TSD. That said, one user did show off a physical warning from their printer on Reddit, clearly the handiwork of a fellow customer who had found the flaw.
According to Jiang, the problem stems from how TSD associates printers with users. When the server sees multiple connections from the same public IP address, it assumes they are physically on the same local network, which lets it link the OctoPrint plugin running on a Raspberry Pi to the user’s phone or computer. But that night, a misconfigured load balancer stopped passing the source IP address on to the server. For the duration of the outage, this convinced TSD that all connected printers and users were on the same LAN, allowing anyone to connect to any machine they wanted.
The confusion lasted only about six hours, and so far only one user has actually reported having their printer remotely controlled by an outside party. After fixing the load balancer configuration, the team also pushed an update to the TSD code that limits the number of printers the server will associate with a given IP address. That seems a reasonable enough precaution, although it is not immediately clear how the change will affect users who wish to add several printers to their account at the same time (in the case of a print farm, for example).
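To make the failure mode and the fix concrete, here is a small added model of IP-based pairing behind a load balancer. It is not The Spaghetti Detective’s code: the request fields, the balancer address, the household IPs and the per-IP cap are all constructed assumptions. It contrasts the lax pattern (fall back to the socket peer when the forwarded address is missing) with a fail-closed one, and shows what a per-IP cap does and does not buy.

```python
"""Toy model of IP-based printer/user pairing behind a load balancer.

Constructed example, not The Spaghetti Detective's code: the request fields,
the balancer address, the household IPs and the per-IP cap are all assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LB = "10.0.0.1"                  # assumed: the load balancer's address as the app server sees it
TRUSTED_PROXIES = {LB}
HOMES = [f"203.0.113.{n}" for n in range(1, 6)]  # constructed public IPs, one per household


@dataclass
class Request:
    remote_addr: str                     # peer IP on the socket (the balancer, in this deployment)
    forwarded_for: Optional[str] = None  # X-Forwarded-For as set by the balancer, if it set one


def client_ip_lax(req: Request) -> Optional[str]:
    """Vulnerable pattern: use the forwarded header if present, else the socket peer.

    When the balancer stops forwarding the source address, every request
    collapses onto the balancer's own IP and the pairing logic treats all
    printers and all users as one household.
    """
    if req.forwarded_for:
        return req.forwarded_for.split(",")[0].strip()
    return req.remote_addr


def client_ip_strict(req: Request) -> Optional[str]:
    """Hardened pattern: a request arriving via a trusted proxy must carry the client IP.

    If the header is missing, return None so callers fail closed instead of
    pairing on the proxy's address. Direct requests keep the socket peer IP.
    """
    if req.remote_addr in TRUSTED_PROXIES:
        if not req.forwarded_for:
            return None
        return req.forwarded_for.split(",")[0].strip()
    return req.remote_addr


class Pairing:
    """Associates printers with whoever later shows up from the same public IP."""

    def __init__(self, ip_fn, cap: Optional[int] = None):
        self.ip_fn = ip_fn
        self.cap = cap                      # max printers linked to one IP (None = unlimited)
        self.printers_by_ip: dict = {}

    def register_printer(self, printer_id: str, req: Request) -> bool:
        ip = self.ip_fn(req)
        if ip is None:                      # no trustworthy source IP: refuse to pair
            return False
        bucket = self.printers_by_ip.setdefault(ip, [])
        if self.cap is not None and len(bucket) >= self.cap:
            return False                    # cap reached: limits blast radius, also blocks big farms
        bucket.append(printer_id)
        return True

    def linkable_printers(self, req: Request) -> list:
        ip = self.ip_fn(req)
        return [] if ip is None else list(self.printers_by_ip.get(ip, []))


def simulate(ip_fn, header_forwarded: bool, cap: Optional[int] = None) -> dict:
    """Each household registers one printer, then a phone from each household asks
    which printers it may link. Returns {household_ip: [printer ids]}."""
    pairing = Pairing(ip_fn, cap)

    def req_from(home: str) -> Request:
        return Request(LB, home if header_forwarded else None)

    for i, home in enumerate(HOMES):
        pairing.register_printer(f"printer-{i}", req_from(home))
    return {home: pairing.linkable_printers(req_from(home)) for home in HOMES}


def farm_registered(n_printers: int, cap: int) -> int:
    """How many printers one household (a print farm) can register under the cap."""
    pairing = Pairing(client_ip_strict, cap)
    req = Request(LB, HOMES[0])
    return sum(pairing.register_printer(f"farm-{i}", req) for i in range(n_printers))


if __name__ == "__main__":
    print("normal day:   ", simulate(client_ip_lax, True))
    print("header lost:  ", {h: len(p) for h, p in simulate(client_ip_lax, False).items()})
    print("strict, lost: ", simulate(client_ip_strict, False))
    print("capped, lost: ", {h: len(p) for h, p in simulate(client_ip_lax, False, cap=3).items()})
    print("farm of 5, cap 3 ->", farm_registered(5, cap=3), "registered")
```

With the header forwarded, both variants pair each phone with only its own household’s printer. With the header lost, the lax variant pairs every phone with every printer, which is the incident as described; the strict variant pairs nothing, since an absent source address is treated as an error rather than as a shared LAN. The per-IP cap shrinks the blast radius when the header is lost but does not remove the root cause, and the `farm_registered` call shows the trade-off the article raises: a single household with more printers than the cap cannot register all of them.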
While it is undoubtedly an embarrassing mistake for the team at The Spaghetti Detective, we can at least appreciate how quickly they handled the problem and how transparently they disclosed the flaw. It is also a good example of how open source lets the community independently evaluate the fixes developers apply to discovered bugs. Jiang says the team will also be initiating a full security audit of their own, so expect more changes to be pushed to the repository in the near future.
We were quite impressed with TSD when we first covered it back in 2019, and it is great to see the project booming since our last check-in. Trust is hard to gain and easy to lose, but we hope the team’s handling of this issue shows that they are committed to the project and willing to do right by their community, even if it means getting some egg on their face from time to time.