"It pretended to be the official client" is not a security argument if the mechanism was client-supplied metadata.

That’s not impersonation. That’s Bambu discovering that user agents are not authentication.

And by using AGPL they grant you the license to use the code however you wish; they cannot say it's "unauthorized access".

Yes you can use the code however you want but equally they are free to bar anyone they wish from accessing their servers. These are completely orthogonal issues in a legal sense.

They can bar people from accessing their servers if they do so by rewriting the entire slicer to be closed source and then implementing some actual security, instead of literally giving you the means of access AND the permission to use and modify it as you wish.

If I give you a template for a postcard, it doesn’t give you the right to send it with “signed, ricardobeat” at the end. These are orthogonal concerns.

They could very well enforce login for the entire app, that doesn’t require any closed source code and everyone would be worse off.

> it doesn’t give you the right to send it with “signed, ricardobeat” at the end.

Given this was "a developer using upstream code verbatim", in your analogy "ricardobeat" would've been printed on the blank postcard by you, then you gave me the postcard with permission to use/modify/redistribute it. Plus it'd be a machine-readable field interpreted as "this postcard supports the same envelopes as ricardobeat's template", not something read by a third-party.

It does if you make the card self-destruct if you don't write "signed, ricardobeat" on it. Courts have been over this in the 1990s with Nintendo. The Gameboy wouldn't boot any game that didn't start with "signed, Nintendo", so game companies just put that there and it wasn't illegal.

(Later, a trick was found to replace the signature and still boot, but it required extra chips in the game cartridge)

That is not the case, is it? You only need to spoof the BambuStudio client in order to use their cloud infrastructure. Sending prints over LAN is still possible without it.

- "It is more convenient" is not a strong enough argument there, that's kind of the point of a commercial venture.

- Yes, they could be nicer about it. They aren't. That doesn't make this any more legal or acceptable.

The part of the slicer connecting to their cloud IS closed source.

Which is itself a violation of the AGPL license by Bambu - if anyone deserves to get sued, they do.


Any instance anywhere that a court has considered an UA sufficient for access control? Especially one published under a copyleft license?

Techies like us get caught up in mechanism all the time in discussions like this.

But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.

To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).

That is how I (a non-lawyer) understand it as well, but I wonder if it's so simple when you combine it with the GPLness of it all. Like, releasing something under the (A)GPL is a license to use and modify the code how you see fit, and that goes "virally" through the forks. This fork is just using their own GPL-licensed code, and it seems unreasonable (for some definition of "unreasonable") to limit forks in this way. I think it's plausible you can make an argument that if you make this kind of restriction in your GPL codebase, you're violating the GPL license of the original ("upstream") authors.

In general, I agree with you. However, to extend your analogy a bit further, so that it applies to _this_ situation: suppose you buy said house. When the former owner hands over the keys, you copy them. Then, one day, you enter the house using the copied key. The former owner can't really be all that upset, can they?

1. You bought the house.
2. They gave you a key, which implies that you have permission to use it.
3. Is the problem really the _copy_ of the key?

With no authentication it's a "gates down" scenario and it's assumed that if you put your server on the open internet you intend people to connect to it.

With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.

The law isn't some autistic computer system, "authentication" is a very broad and amorphous term.

If I build their slicer, not modifying any line of code, then accessed using that binary, would that be acceptable? If not, why not, considering it is identical to what is on their website?

If I made any changes prior to building, would it still be acceptable? And if not, where is the line? What is the legal basis, any precedent? How much of the code may I modify before I cross an invisible threshold and somehow "bypass" an "authentication" (neither fit UA anyways, either for law or other purposes unless one can provide any evidence that it ever has).

Even if that’s correct, Bambu has a right to then press charges on the users, but can’t really complain about the guy simply copying AGPL software to make it work. He’s not the one doing the illegal part.

Bambu clearly didn’t want to press charges on their users, though, so they weaponized the law to try and prevent this, and it’s causing them issues.

In any case, we’re not in some “only the laws matter” reality, we also have ethics and morals to consider, in which case Bambu is clearly in the wrong. If they want to secure their servers, they should do it properly rather than using legal threats.

"Press charges" - as if this were some Simple Assault. The CFAA isn't something one "chooses" to levy or not, these are crimes against the United States of America and it is solely up to the discretion of a US Attorney to prosecute.

A US Attorney prosecuting anyone on behalf of Chinese business interests isn't a good look politically, though, and that's often a factor.

I have a mailbox in a multi family home. The keys are numbered and standardized. There are identical mailboxes out there that have the same key as me. In fact, I had to buy a replacement key since the original key broke and I just had to tell the manufacturer which number my mailbox had.

My neighbor could in theory buy the key to my mailbox, but it would be illegal for him to actually open my mailbox and read my mail.

Spoofing a User-Agent by itself is not illegal. Browsers, curl, bots, monitoring tools, and privacy tools do this constantly for legitimate reasons.

The legal risk comes from why you are doing it and what protections you are bypassing.

If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.

I don't think courts basically ever settle narrow technical questions like that. Any court decision would carry with it particular baggage based on the rest of the specifics, so I don't think it would have established a clear precedent either way.

The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes... clicking 'Fork' on Bambu's GitHub. Since the moment he did that, his software was supposedly in breach of Bambu's... expectations.

Thanks, would have been surprised, was mainly asking because OP was mentioning legal concerns. This may be a case for their EULA, sure, but I would have been surprised if there was any legal precedent or grounding for such a statement.

weev got convicted for something pretty similar to this. His conviction was vacated, but he did spend time in prison for unauthorized access to an AT&T server that only required a specific user agent and a guessable numeric device ID number.

At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.

I checked and in that case [0] specifically, the court specifically doubted that such access was violating any applicable laws. Course, it got vacated before that could be properly addressed and this seems to be specific to NJ so if someone knows a broader case, happy to read up, but to me this makes the argument stronger that there is no reason to just presume such a "bypass" (if that counts, many of us have "bypassed" a lot via reading robots.txt, etc. in our youth) is inherently illegal. Again, happy to read if someone can provide a source saying something else. If Bambu want to argue EULA, go ahead, but let us not give these entities the ability to just wish something illegal because they simply dislike it, when there is no evidence it is.

Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested for any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.

[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")

There was more than one court involved. He was convicted. Then he appealed and the appeals court vacated the conviction. So from one perspective, "the law" as a whole decided that he wasn't guilty. From another perspective, he still got involuntary lodging courtesy of the state.

They're essentially saying "yes, the code is open source, but you're not allowed to modify it or we'll ban you and threaten you with legal action", which is completely antithetical to the whole idea behind open source (especially the GPL which literally says in the license text itself that it was created to protect your right to run modified software). "Violation of the open source social contract" is a good way to describe it.

You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.

You can run modified software per the GPL but that does not include the right to connect to Bambu's servers with your modified software. That is entirely reasonable (especially since this is not some social/messaging application). If I release a client as open source, that doesn't mean it's OK for modified clients to connect to my server. I expect you to use it offline or set up your own server to connect to.

I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.

Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.

You must put authorization on your server if you don't want others connecting to it.

While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.

They are doing a lot of work to create implied consent under CFAA.

If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.
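As an added illustration of the "threshold" point in this comment (not code from the thread, from Bambu, or from BambuStudio): a server-side gate that trusts only the client-supplied User-Agent, next to one that verifies a server-issued, HMAC-signed bearer token and ignores the client string entirely. The secret, the user-agent value, and the user id are all constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholders: a real deployment loads the secret from a secrets store
# and the "official" UA string is whatever the vendor's client sends.
SERVER_SECRET = b"example-server-secret-not-for-production"
OFFICIAL_UA = "ExampleSlicer/1.0"


def ua_only_policy(headers: dict) -> bool:
    """Weak gate: trusts a header the client chooses. Any fork or curl call can copy it."""
    return headers.get("User-Agent") == OFFICIAL_UA


def issue_token(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issued by the server after a real login: '<user>:<expiry>:<hmac-sha256 tag>'."""
    exp = (now if now is not None else int(time.time())) + ttl_seconds
    payload = f"{user_id}:{exp}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def token_policy(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Strong gate: returns the authenticated user id, or None to reject.

    The decision depends only on possession of a valid, unexpired token;
    which client software presented it is irrelevant.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].rsplit(":", 2)
    if len(parts) != 3:
        return None
    user_id, exp_str, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{exp_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag comparison
        return None
    current = now if now is not None else int(time.time())
    if not exp_str.isdigit() or int(exp_str) <= current:
        return None
    return user_id
```

A forked client presenting a valid token passes `token_policy`, while a request carrying only the copied User-Agent is rejected; `ua_only_policy` shows the inverse, which is why it provides no access control at all.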

> You must put authorization on your server if you don't want others connecting to it.

Unfortunately, the CFAA doesn't necessarily require that authorization is implemented through technical means, and it definitely doesn't require any authorization to be technically robust.

The point is that they distributed AGPL licensed software which legally speaking puts them on very thin ice if they say "actually you're not allowed to modify that software we gave you and explicitly told you you could modify to do whatever you want."

This is a direct quote from the Affero GPL:

> When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

The thing Bambu is doing is very much against the spirit of the AGPL, which is the license they chose for the Bambu printer software. And the AGPL has such broadly written language it's hard to believe what they are doing complies with the letter.

Again, legally that's correct. But it goes completely against the spirit of open source and especially the GPL which says in the license itself that "our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program". If you can't run a modified version of a program without getting sued, you practically speaking do not have the freedom to modify it.

Elsewhere, the GNU explains why this is important[1]:

> With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.

> [...]

> Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.

Telling your users they can't run modified versions of your open source client goes against this principle.

Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.

[1]: https://www.gnu.org/philosophy/free-software-even-more-impor...

Yes, but not bully the people sharing AGPL code. I would like to see how they do it.

And their freedom to bar people from connecting to their servers is orthogonal to their bullshit legal threats aimed at the developer.

And they report service disruptions as a result of this - so perhaps they are also learning what gateways are.

Blaming the CLIENT for this is absolutely crazy.

"You can't use any client you want because of security" is bullshit, as if hackers will care what client you'd like them to use or not when they're trying to hack your infrastructure.

This is just Bambu alienating their customer base, again.

“But I checked the evil bit and it was off!!!” (https://www.ietf.org/rfc/rfc3514.txt)

Or it's a really blatant security issue that should be reported https://github.com/bambulab/BambuStudio/issues/10681