They could very well enforce login for the entire app, that doesn’t require any closed source code and everyone would be worse off.
Given this was "a developer using upstream code verbatim", in your analogy "ricardobeat" would've been printed on the blank postcard by you, then you gave me the postcard with permission to use/modify/redistribute it. Plus it'd be a machine-readable field interpreted as "this postcard supports the same envelopes as ricardobeat's template", not something read by a third-party.
(Later, a trick was found to replace the signature and still boot, but it required extra chips in the game cartridge)
- "It is more convenient" is not a strong enough argument there, that's kind of the point of a commercial venture.
- Yes, they could be nicer about it. They aren't. That doesn't make this any more legal or acceptable.
But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to - it doesn’t really matter how I secure it. If you access it, you’re in the wrong.
To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).
1. You bought the house.
2. They gave you a key, which implies that you have permission to use it.
3. Is the problem really the _copy_ of the key?
With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.
My neighbor could in theory buy the key to my mailbox, but it would be illegal for him to actually open my mailbox and read my mail.
If I made any changes prior to building, would it still be acceptable? And if not, where is the line? What is the legal basis, any precedent? How much of the code may I modify before I cross an invisible threshold and somehow "bypass" an "authentication" (neither fit UA anyways, either for law or other purposes unless one can provide any evidence that it ever has).
Bambu clearly didn’t want to press charges on their users, though, so they weaponized the law to try and prevent this, and it’s causing them issues.
In any case, we’re not in some “only the laws matter” reality, we also have ethics and morals to consider, in which case Bambu is clearly in the wrong. If they want to secure their servers, they should do it properly rather than using legal threats.
A US Attorney prosecuting anyone on behalf of Chinese business interests isn't a good look politically, though, and that's often a factor.
The legal risk comes from why you are doing it and what protections you are bypassing.
If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.
The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's GitHub. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.
At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.
Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested in any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.
[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")
You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.
I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.
Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.
While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.
They are doing a lot of work to create implied consent under CFAA.
If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.
Unfortunately, the CFAA doesn't necessarily require that authorization is implemented through technical means, and it definitely doesn't require any authorization to be technically robust.
This is a direct quote from the Affero GPL:
> When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
The thing Bambu is doing is very much against the spirit of the AGPL, which is the license they chose for the Bambu printer software. And the AGPL has such broadly written language it's hard to believe what they are doing complies with the letter.
Elsewhere, the GNU explains why this is important[1]:
> With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.
> [...]
> Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.
Telling your users they can't run modified versions of your open source client goes against this principle.
Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.
[1]: https://www.gnu.org/philosophy/free-software-even-more-impor...