
Comment by mytailorisrich

1 day ago

Yes you can use the code however you want but equally they are free to bar anyone they wish from accessing their servers. These are completely orthogonal issues in a legal sense.

They can bar people from accessing their servers if they do so by rewriting the entire slicer to be closed source and then implementing some actual security, instead of literally giving you the means of access AND the permission to use and modify it as you wish.

  • If I give you a template for a postcard, it doesn’t give you the right to send it with “signed, ricardobeat” at the end. These are orthogonal concerns.

    They could very well enforce login for the entire app; that doesn't require any closed-source code, and everyone would be worse off.

    • > it doesn’t give you the right to send it with “signed, ricardobeat” at the end.

      Given this was "a developer using upstream code verbatim", in your analogy "ricardobeat" would've been printed on the blank postcard by you, then you gave me the postcard with permission to use/modify/redistribute it. Plus it'd be a machine-readable field interpreted as "this postcard supports the same envelopes as ricardobeat's template", not something read by a third-party.

    • It does if you make the card self-destruct if you don't write "signed, ricardobeat" on it. Courts have been over this in the 1990s with Nintendo. The Gameboy wouldn't boot any game that didn't start with "signed, Nintendo", so game companies just put that there and it wasn't illegal.

      (Later, a trick was found to replace the signature and still boot, but it required extra chips in the game cartridge)

      1 reply →

Any instance anywhere that a court has considered a UA sufficient for access control? Especially one published under a copyleft license?

  • Techies like us get caught up in mechanism all the time in discussions like this.

    But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.

    To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).

    • In general, I agree with you. However, to extend your analogy a bit further, so that it applies to _this_ situation: suppose you buy said house. When the former owner hands over the keys, you copy them. Then, one day, you enter the house using the copied key. The former owner can't really be all that upset, can they?

      1. You bought the house. 2. They gave you a key, which implies that you have permission to use it. 3. Is the problem really the _copy_ of the key?

    • That is how I (a non-lawyer) understand it as well, but I wonder if it's so simple when you combine it with the GPLness of it all. Like, releasing something under the (A)GPL is a license to use and modify the code how you see fit, and that goes "virally" through the forks. This fork is just using their own GPL-licensed code, and it seems unreasonable (for some definition of "unreasonable") to limit forks in this way. I think it's plausible you can make an argument that if you make this kind of restriction in your GPL codebase, you're violating the GPL license of the original ("upstream") authors.

    • With no authentication it's a "gates down" scenario and it's assumed that if you put your server on the open internet you intend people to connect to it.

      With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.

      5 replies →

  • Spoofing a User-Agent by itself is not illegal. Browsers, curl, bots, monitoring tools, and privacy tools do this constantly for legitimate reasons.

    The legal risk comes from why you are doing it and what protections you are bypassing.

    If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.

  • I don't think courts basically ever settle narrow technical questions like that. Any court decision would carry with it particular baggage based on the rest of the specifics, so I don't think it would have established a clear precedent either way.

    The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's github. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.

    • Thanks, would have been surprised, was mainly asking because OP was mentioning legal concerns. This may be a case for their EULA, sure, but I would have been surprised if there was any legal precedent or grounding for such a statement.

  • weev got convicted for something pretty similar to this. His conviction was vacated, but he did spend time in prison for unauthorized access to an AT&T server that only required a specific user agent and a guessable numeric device ID.

    At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.

    • I checked, and in that case [0] specifically, the court doubted that such access was violating any applicable laws. Of course, it got vacated before that could be properly addressed, and this seems to be specific to NJ, so if someone knows a broader case, happy to read up. But to me this makes the argument stronger that there is no reason to just presume such a "bypass" (if that counts, many of us have "bypassed" a lot via reading robots.txt, etc. in our youth) is inherently illegal. Again, happy to read if someone can provide a source saying something else. If Bambu want to argue EULA, go ahead, but let us not give these entities the ability to just wish something illegal because they simply dislike it, when there is no evidence it is.

      Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested for any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.

      [0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")

      1 reply →

They're essentially saying "yes, the code is open source, but you're not allowed to modify it or we'll ban you and threaten you with legal action", which is completely antithetical to the whole idea behind open source (especially the GPL which literally says in the license text itself that it was created to protect your right to run modified software). "Violation of the open source social contract" is a good way to describe it.

You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.

  • You can run modified software per the GPL but that does not include the right to connect to Bambu's servers with your modified software. That is entirely reasonable (especially since this is not some social/messaging application). If I release a client as open source, that doesn't mean it's OK for modified clients to connect to my server. I expect you to use it offline or set up your own server to connect to.

    I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.

    Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.

    • You must put authorization on your server if you don't want others connecting to it.

      While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.

      They are doing a lot of work to create implied consent under CFAA.

      If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.

      4 replies →
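The comment above makes a point worth seeing in code: a User-Agent value that ships in an open-source client is public knowledge, so checking it on the server does not control access, it only inconveniences forks that happen to change the string. The following is an added example written for this page, not code from the thread, from Bambu, or from any slicer; the endpoint shape, the UA value `ExampleSlicer/1.0`, the `SERVER_KEY` and the account names are all invented for illustration. It contrasts a UA gate with a keyed bearer token: the UA gate passes any request that copies the published string and blocks a legitimately authenticated user whose fork changed it, while the token check ignores the UA and only passes requests carrying a token the server itself issued.

```python
"""Why a User-Agent check is not access control (added example, hypothetical values)."""
import hashlib
import hmac

# Hypothetical: the UA string an open-source client sends. Because it is in the
# published source, any fork or curl invocation can send exactly this value.
EXPECTED_UA = "ExampleSlicer/1.0"

# Hypothetical server-side key. Unlike the UA string, this never ships in any
# client, which is what makes tokens derived from it unforgeable by a fork.
SERVER_KEY = b"server-side-secret-that-never-ships-in-a-client"


def ua_gate(headers: dict) -> bool:
    """'Access control' by User-Agent: allows anything that claims the right UA."""
    return headers.get("User-Agent") == EXPECTED_UA


def issue_token(account_id: str) -> str:
    """Server side: mint a token bound to an account with an HMAC over the id.
    A client only gets this after authenticating; the fork cannot compute it."""
    mac = hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    return f"{account_id}.{mac}"


def token_gate(headers: dict) -> bool:
    """Real authorization: verify the keyed token and ignore the User-Agent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    account_id, sep, mac = auth[len("Bearer "):].rpartition(".")
    if not sep or not account_id:
        return False
    expected = hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so a malformed or non-ASCII MAC from the
    # client neither raises nor leaks how many leading bytes matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


def evaluate(headers: dict) -> dict:
    """Run both gates on one request and report what each would decide."""
    return {"ua_gate": ua_gate(headers), "token_gate": token_gate(headers)}


def sample_requests() -> dict:
    """Constructed request headers for four clients (not captured traffic)."""
    return {
        # Unmodified client: correct UA and a token issued after login.
        "official_client": {
            "User-Agent": EXPECTED_UA,
            "Authorization": "Bearer " + issue_token("alice"),
        },
        # A fork that changed the UA but whose user logged in normally.
        "fork_with_credentials": {
            "User-Agent": "ForkedSlicer/0.1",
            "Authorization": "Bearer " + issue_token("alice"),
        },
        # A fork (or curl) that copied the published UA but has no credential.
        "fork_spoofing_ua": {"User-Agent": EXPECTED_UA},
        # Copied UA plus a guessed token: right shape, wrong MAC.
        "forged_token": {
            "User-Agent": EXPECTED_UA,
            "Authorization": "Bearer alice." + "0" * 64,
        },
    }


if __name__ == "__main__":
    for name, headers in sample_requests().items():
        print(f"{name:22s} {evaluate(headers)}")
```

The UA gate gets both cases wrong: it admits `fork_spoofing_ua` and `forged_token` because the string they send is the one anyone can read out of the client source, and it rejects `fork_with_credentials` even though that user holds a valid token. The token gate reaches the opposite, correct, result in all four cases without ever looking at the User-Agent, which is the "threshold" the comment is talking about: a secret the server controls rather than a label the client chooses.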

    • Again, legally that's correct. But it goes completely against the spirit of open source and especially the GPL which says in the license itself that "our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program". If you can't run a modified version of a program without getting sued, you practically speaking do not have the freedom to modify it.

      Elsewhere, the GNU project explains why this is important[1]:

      > With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.

      > [...]

      > Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.

      Telling your users they can't run modified versions of your open source client goes against this principle.

      Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.

      [1]: https://www.gnu.org/philosophy/free-software-even-more-impor...

Yes, but not bully the people sharing AGPL code. I would like to see how they do it.

And their freedom to bar people from connecting to their servers is orthogonal to their bullshit legal threats aimed at the developer.