CarVac 8 hours ago

And by using AGPL they grant you the license to use the code however you wish, they cannot say it's "unauthorized access".

mytailorisrich 8 hours ago | parent [-]

Yes you can use the code however you want but equally they are free to bar anyone they wish from accessing their servers. These are completely orthogonal issues in a legal sense.

CarVac 8 hours ago | parent | next [-]

They can bar people from accessing their servers if they do so by rewriting the entire slicer to be closed source and then implementing some actual security, instead of literally giving you the means of access AND the permission to use and modify it as you wish.

ricardobeat 2 hours ago | parent | next [-]

If I give you a template for a postcard, it doesn’t give you the right to send it with “signed, ricardobeat” at the end. These are orthogonal concerns.

They could very well enforce login for the entire app, that doesn’t require any closed source code and everyone would be worse off.

shrx 2 hours ago | parent | prev [-]

The part of the slicer connecting to their cloud IS closed source.

dns_snek an hour ago | parent [-]

Which is itself a violation of the AGPL license by Bambu - if anyone deserves to get sued, they do.

Topfi 8 hours ago | parent | prev | next [-]

Any instance anywhere that a court has considered an UA sufficient for access control? Especially one published under a copyleft license?

jrmg 7 hours ago | parent | next [-]

Techies like us get caught up in mechanism all the time in discussions like this.

But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.

To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).

raddan 6 hours ago | parent | next [-]

In general, I agree with you. However, to extend your analogy a bit further, so that it applies to _this_ situation: suppose you buy said house. When the former owner hands over the keys, you copy them. Then, one day, you enter the house using the copied key. The former owner can't really be all that upset, can they?

1. You bought the house.
2. They gave you a key, which implies that you have permission to use it.
3. Is the problem really the _copy_ of the key?

abigail95 6 hours ago | parent | prev [-]

With no authentication it's a "gates down" scenario and it's assumed that if you put your server on the open internet you intend people to connect to it.

With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.

15155 an hour ago | parent [-]

The law isn't some autistic computer system, "authentication" is a very broad and amorphous term.

ok_dad 26 minutes ago | parent [-]

Even if that’s correct, Bambu has a right to then press charges on the users, but can’t really complain about the guy simply copying AGPL software to make it work. He’s not the one doing the illegal part.

Bambu clearly didn’t want to press charges on their users, though, so they weaponized the law to try and prevent this, and it’s causing them issues.

In any case, we’re not in some “only the laws matter” reality, we also have ethics and morals to consider, in which case Bambu is clearly in the wrong. If they want to secure their servers, they should do it properly rather than using legal threats.

petcat 7 hours ago | parent | prev | next [-]

Spoofing a User-Agent by itself is not illegal. Browsers, curl, bots, monitoring tools, and privacy tools do this constantly for legitimate reasons.

The legal risk comes from why you are doing it and what protections you are bypassing.

If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.

xp84 7 hours ago | parent | prev | next [-]

I don't think courts basically ever settle narrow technical questions like that. Any court decision would carry with it particular baggage based on the rest of the specifics, so I don't think it would have established a clear precedent either way.

The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's GitHub. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.

Topfi 6 hours ago | parent [-]

Thanks, would have been surprised, was mainly asking because OP was mentioning legal concerns. This may be a case for their EULA, sure, but I would have been surprised if there was any legal precedent or grounding for such a statement.

wat10000 7 hours ago | parent | prev [-]

weev got convicted for something pretty similar to this. His conviction was vacated, but he did spend time in prison for unauthorized access to an AT&T server that only required a specific user agent and a guessable numeric device ID number.

At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.

Topfi 6 hours ago | parent [-]

I checked and in that case [0] specifically, the court specifically doubted that such access was violating any applicable laws. Course, it got vacated before that could be properly addressed and this seems to be specific to NJ so if someone knows a broader case, happy to read up, but to me this makes the argument stronger that there is no reason to just presume such a "bypass" (if that counts, many of us have "bypassed" a lot via reading robots.txt, etc. in our youth) is inherently illegal. Again, happy to read if someone can provide a source saying something else. If Bambu want to argue EULA, go ahead, but let us not give these entities the ability to just wish something illegal because they simply dislike it, when there is no evidence it is.

Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested in any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.

[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")

wat10000 6 hours ago | parent [-]

There was more than one court involved. He was convicted. Then he appealed and the appeals court vacated the conviction. So from one perspective, "the law" as a whole decided that he wasn't guilty. From another perspective, he still got involuntary lodging courtesy of the state.

Ajedi32 7 hours ago | parent | prev | next [-]

They're essentially saying "yes, the code is open source, but you're not allowed to modify it or we'll ban you and threaten you with legal action", which is completely antithetical to the whole idea behind open source (especially the GPL which literally says in the license text itself that it was created to protect your right to run modified software). "Violation of the open source social contract" is a good way to describe it.

You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.

joshuaissac 6 hours ago | parent [-]

You can run modified software per the GPL but that does not include the right to connect to Bambu's servers with your modified software. That is entirely reasonable (especially since this is not some social/messaging application). If I release a client as open source, that doesn't mean it's OK for modified clients to connect to my server. I expect you to use it offline or set up your own server to connect to.

I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.

Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.

abigail95 6 hours ago | parent | next [-]

You must put authorization on your server if you don't want others connecting to it.

While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.

They are doing a lot of work to create implied consent under CFAA.

If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.

kube-system 5 hours ago | parent [-]

> You must put authorization on your server if you don't want others connecting to it.

Unfortunately, the CFAA doesn't necessarily require that authorization is implemented through technical means, and it definitely doesn't require any authorization to be technically robust.

Ajedi32 6 hours ago | parent | prev [-]

Again, legally that's correct. But it goes completely against the spirit of open source and especially the GPL which says in the license itself that "our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program". If you can't run a modified version of a program without getting sued, you practically speaking do not have the freedom to modify it.

Elsewhere, the GNU explains why this is important[1]:

> With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.

> [...]

> Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.

Telling your users they can't run modified versions of your open source client goes against this principle.

Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.

[1]: https://www.gnu.org/philosophy/free-software-even-more-impor...

f1shy 7 hours ago | parent | prev | next [-]

Yes, but not bully the people sharing AGPL code. I would like to see how they do it.

dns_snek 7 hours ago | parent | prev [-]

And their freedom to bar people from connecting to their servers is orthogonal to their bullshit legal threats aimed at the developer.