But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.
To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).
1. You bought the house. 2. They gave you a key, which implies that you have permission to use it. 3. Is the problem really the _copy_ of the key?
With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.
If I made any changes prior to building, would it still be acceptable? And if not, where is the line? What is the legal basis, any precedent? How much of the code may I modify before I cross an invisible threshold and somehow "bypass" an "authentication" (neither fit UA anyways, either for law or other purposes unless one can provide any evidence that it ever has).
Bambu clearly didn’t want to press charges on their users, though, so they weaponized the law to try and prevent this, and it’s causing them issues.
In any case, we’re not in some “only the laws matter” reality, we’re also have ethics and morals to consider, in which case Bambu is clearly in the wrong. If they want to secure their servers, they should do it properly rather than using legal threats.
A US Attorney prosecuting anyone on behalf of Chinese business interests isn't a good look politically, though, and that's often a factor.
My neighbor could in theory buy the key to my mailbox, but it would be illegal for him to actually open my mailbox and read my mail.
The legal risk comes from why you are doing it and what protections you are bypassing.
If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.
The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's github. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.
At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.
Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested for any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.
[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")