But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.
To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).
1. You bought the house. 2. They gave you a key, which implies that you have permission to use it. 3. Is the problem really the _copy_ of the key?
With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.
The legal risk comes from why you are doing it and what protections you are bypassing.
If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.
At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.
Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested for any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.
[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")
The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's github. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.
They could very well enforce login for the entire app, that doesn’t require any closed source code and everyone would be worse off.
(Later, a trick was found to replace the signature and still boot, but it required extra chips in the game cartridge)
Given this was "a developer using upstream code verbatim", in your analogy "ricardobeat" would've been printed on the blank postcard by you, then you gave me the postcard with permission to use/modify/redistribute it. Plus it'd be a machine-readable field interpreted as "this postcard supports the same envelopes as ricardobeat's template", not something read by a third-party.
You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.
I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.
Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.
While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.
They are doing a lot of work to create implied consent under CFAA.
If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.
Elsewhere, the GNU explains why this is important[1]:
> With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.
> [...]
> Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.
Telling your users they can't run modified versions of your open source client goes against this principle.
Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.
[1]: https://www.gnu.org/philosophy/free-software-even-more-impor...
