Yes you can use the code however you want but equally they are free to bar anyone they wish from accessing their servers. These are completely orthogonal issues in a legal sense.
They can bar people from accessing their servers if they do so by rewriting the entire slicer to be closed source and then implementing some actual security, instead of literally giving you the means of access AND the permission to use and modify it as you wish.
If I give you a template for a postcard, it doesn’t give you the right to send it with “signed, ricardobeat” at the end. These are orthogonal concerns.
They could very well enforce login for the entire app, that doesn’t require any closed source code and everyone would be worse off.
It does if you make the card self destruct if you don't write "signed, ricardobeat" on it. Courts have been over this in the 1990s with Nintendo. The Gameboy wouldn't boot any game that didn't start with "signed, Nintendo" so game companies just put that there and it wasn't illegal.
(Later, a trick was found to replace the signature and still boot, but it required extra chips in the game cartridge)
That is not the case, is it? You only need to spoof the BambuStudio client in order to use their cloud infrastructure. Sending prints over LAN is still possible without it.
- "It is more convenient" is not a strong enough argument there, that's kind of the point of a commercial venture.
- Yes, they could be nicer about it. They aren't. That doesn't make this any more legal or acceptable.
> it doesn’t give you the right to send it with “signed, ricardobeat” at the end.
Given this was "a developer using upstream code verbatim", in your analogy "ricardobeat" would've been printed on the blank postcard by you, then you gave me the postcard with permission to use/modify/redistribute it. Plus it'd be a machine-readable field interpreted as "this postcard supports the same envelopes as ricardobeat's template", not something read by a third-party.
Techies like us get caught up in mechanism all the time in discussions like this.
But, though there are some explicit laws where that’s how it works, that’s not generally how the legal system works. If I have a private server, and I don’t give you permission to access it - or, even better, tell you not to, it doesn’t really matter how I secure it. If you access it, you’re in the wrong.
To give a physical analogy, it doesn’t matter how I’ve secured my house. Even if the door is open, you’re not allowed to just waltz in (or, to take it a bit further, come in and start using my stuff).
In general, I agree with you. However, to extend your analogy a bit further, so that it applies to _this_ situation: suppose you buy said house. When the former owner hands over the keys, you copy them. Then, one day, you enter the house using the copied key. The former owner can't really be all that upset, can they?
1. You bought the house.
2. They gave you a key, which implies that you have permission to use it.
3. Is the problem really the _copy_ of the key?
That is how I (a non-lawyer) understand it as well, but I wonder if it's so simple when you combine it with the GPLness of it all. Like, releasing something under the (A)GPL is a license to use and modify the code how you see fit, and that goes "virally" through the forks. This fork is just using their own GPL-licensed code, and it seems unreasonable (for some definition of "unreasonable") to limit forks in this way. I think it's plausible you can make an argument that if you make this kind of restriction in your GPL codebase, you're violating the GPL license of the original ("upstream") authors.
With no authentication it's a "gates down" scenario and it's assumed that if you put your server on the open internet you intend people to connect to it.
With authentication it's "gates up" and then "without authorization" from CFAA kicks in. I think it's unlikely that a user agent string creates a "gates up" situation, especially not if it's from code granted under a permissive license.
If I build their slicer, not modifying any line of code, then accessed using that binary, would that be acceptable? If not, why not, considering it is identical to what is on their website?
If I made any changes prior to building, would it still be acceptable? And if not, where is the line? What is the legal basis, any precedent? How much of the code may I modify before I cross an invisible threshold and somehow "bypass" an "authentication" (neither fit UA anyways, either for law or other purposes unless one can provide any evidence that it ever has).
Even if that’s correct, Bambu has a right to then press charges on the users, but can’t really complain about the guy simply copying AGPL software to make it work. He’s not the one doing the illegal part.
Bambu clearly didn’t want to press charges on their users, though, so they weaponized the law to try and prevent this, and it’s causing them issues.
In any case, we’re not in some “only the laws matter” reality, we also have ethics and morals to consider, in which case Bambu is clearly in the wrong. If they want to secure their servers, they should do it properly rather than using legal threats.
"Press charges" - as if this were some Simple Assault. The CFAA isn't something one "chooses" to levy or not, these are crimes against the United States of America and it is solely up to the discretion of a US Attorney to prosecute.
A US Attorney prosecuting anyone on behalf of Chinese business interests isn't a good look politically, though, and that's often a factor.
I have a mailbox in a multi family home. The keys are numbered and standardized. There are identical mailboxes out there that have the same key as me. In fact, I had to buy a replacement key since the original key broke and I just had to tell the manufacturer which number my mailbox had.
My neighbor could in theory buy the key to my mailbox, but it would be illegal for him to actually open my mailbox and read my mail.
Spoofing a User-Agent by itself is not illegal. Browsers, curl, bots, monitoring tools, and privacy tools do this constantly for legitimate reasons.
The legal risk comes from why you are doing it and what protections you are bypassing.
If you are doing it specifically to bypass Bambu's authorized access, then it is very likely to fall afoul of the Computer Fraud and Abuse Act. The mechanism (spoofing the UA) is entirely incidental to the motivation (bypass authorized access), which is what the law cares about.
I don't think courts basically ever settle narrow technical questions like that. Any court decision would carry with it particular baggage based on the rest of the specifics, so I don't think it would have established a clear precedent either way.
The funny part here is it seems Bambu is more exposed to a libel suit than the developer is for... checks notes clicking 'Fork' on Bambu's github. Since the moment he did that, his software was supposedly in breach of Bambu's...expectations.
Thanks, would have been surprised, was mainly asking because OP was mentioning legal concerns. This may be a case for their EULA, sure, but I would have been surprised if there was any legal precedent or grounding for such a statement.
weev got convicted for something pretty similar to this. His conviction was vacated, but he did spend time in prison for unauthorized access to an AT&T server that only required a specific user agent and a guessable numeric device ID number.
At least in the US, the law against unauthorized access to a computer system has no requirements for how good the security has to be. If you should reasonably know you're not supposed to be using it, that's potentially enough to make it illegal.
I checked and in that case [0] specifically, the court specifically doubted that such access was violating any applicable laws. Course, it got vacated before that could be properly addressed and this seems to be specific to NJ so if someone knows a broader case, happy to read up, but to me this makes the argument stronger that there is no reason to just presume such a "bypass" (if that counts, many of us have "bypassed" a lot via reading robots.txt, etc. in our youth) is inherently illegal. Again, happy to read if someone can provide a source saying something else. If Bambu want to argue EULA, go ahead, but let us not give these entities the ability to just wish something illegal because they simply dislike it, when there is no evidence it is.
Am currently somewhat into the topic of UAs for a personal project (not connected to Bambu printers), so am honestly interested for any tangible information, I just dislike us assuming something illegal because a corporate entity views it in a negative light.
[0] https://www2.ca3.uscourts.gov/opinarch/131816p.pdf ("We also note that in order to be guilty of accessing “without authorization, or in excess of authorization” under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer’s conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.")
There was more than one court involved. He was convicted. Then he appealed and the appeals court vacated the conviction. So from one perspective, "the law" as a whole decided that he wasn't guilty. From another perspective, he still got involuntary lodging courtesy of the state.
They're essentially saying "yes, the code is open source, but you're not allowed to modify it or we'll ban you and threaten you with legal action", which is completely antithetical to the whole idea behind open source (especially the GPL which literally says in the license text itself that it was created to protect your right to run modified software). "Violation of the open source social contract" is a good way to describe it.
You're correct of course that this is an entirely distinct argument from what Bambu's legally allowed to do under existing law.
You can run modified software per the GPL but that does not include the right to connect to Bambu's servers with your modified software. That is entirely reasonable (especially since this is not some social/messaging application). If I release a client as open source, that doesn't mean it's OK for modified clients to connect to my server. I expect you to use it offline or set up your own server to connect to.
I don't know if that is what is happening here because the article is talking about a fork that is bypassing Bambu's servers entirely (which is permitted under the AGPL) and Bambu is not happy.
Edit: On re-reading, it seems to me the fork is still calling Bambu's servers. It's just bypassing some things.
You must put authorization on your server if you don't want others connecting to it.
While the right of access is not granted by AGPL - it is not reasonable to run a public service with an AGPL client and say you shouldn't be connecting to it.
They are doing a lot of work to create implied consent under CFAA.
If you want to control access you must do something to control access - it must reach a threshold, it cannot just be a public user agent string.
> You must put authorization on your server if you don't want others connecting to it.
Unfortunately, the CFAA doesn't necessarily require that authorization is implemented through technical means, and it definitely doesn't require any authorization to be technically robust.
The point is that they distributed AGPL licensed software which legally speaking puts them on very thin ice if they say "actually you're not allowed to modify that software we gave you and explicitly told you you could modify to do whatever you want."
This is a direct quote from the Affero GPL:
> When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
The thing Bambu is doing is very much against the spirit of the AGPL, which is the license they chose for the Bambu printer software. And the AGPL has such broadly written language it's hard to believe what they are doing complies with the letter.
You're certainly allowed to modify the software, but that doesn't necessarily give you the right to connect it to hardware owned by other people. And AGPL does not provide for any right to services -- only a right to use and modify the covered work.
For example, AGPL doesn't prevent you from being banned from a Mastodon server.
The key part of the sentence you quoted is "... to the extent such circumvention is effected by exercising rights under this License with respect to the covered work" -- meaning, you can't use anti-circumvention to prevent people from using or modifying the copyrighted code.
Again, legally that's correct. But it goes completely against the spirit of open source and especially the GPL which says in the license itself that "our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program". If you can't run a modified version of a program without getting sued, you practically speaking do not have the freedom to modify it.
Elsewhere, the GNU explains why this is important[1]:
> With proprietary software, the program controls the users, and some other entity (the developer or “owner”) controls the program. So the proprietary program gives its developer power over its users. That is unjust in itself; moreover, it tempts the developer to mistreat the users in other ways.
> [...]
> Freedom means having control over your own life. If you use a program to carry out activities in your life, your freedom depends on your having control over the program. You deserve to have control over the programs you use, and all the more so when you use them for something important in your life.
Telling your users they can't run modified versions of your open source client goes against this principle.
Again, I'm not necessarily saying Bambu isn't within their legal rights to do this, I'm just saying it's a jerk move.
> For a fee of around 30 euros per month, any user can also view the list of visitors to their own profile. However, if LinkedIn is supposed to provide the same information as part of a GDPR data subject access request, it allegedly cannot
A GDPR data request access forces a company to disclose what personal data they hold about you.
It is very unclear how a list of visitors to your profile is your personal data. Seems more like personal data of the visitor. Possibly you may argue that the number of visits is your personal data but it seems a stretch to argue that the details of the visitors (what is a paid for service) is.
That being said, when it comes to interpretation of the GDPR anything is possible...
> You can’t legalize your way to cultural assimilation
And that's why we are unlikely to see mass immigration allowed in China. They know that and can see what has happened and is happening in Europe and are thus likely to protect themselves. That's not my opinion but what Chinese think if you can discuss openly with people there.
This is a puzzling badly-received point of view here, but I think Europe and its official narrative are actually the odd ones out globally.
China is investing a lot in automation and they already have state of the art automated factories. I think this will be the way forward for them and everyone (birth rates are dropping everywhere).
I doubt it because the Chinese are very protective of their homogeneity and see what has happened in Europe as a massive cautionary tale. So my guess is that they will be very picky and control both quality and numbers tightly.
>>and see what has happened in Europe as a massive cautionary tale
As a European - what has happened to us, exactly? I'm curious what kind of thing you think is happening to Europe that is such disaster that even China should be afraid of it.
European GDP per capita has not grown since the crash in 2008. Ever since we have heard that immigrants are being imported for jobs, yet the economy only gets worse, house prices increase due to supply and demand and crime rate is not equal among groups. Yes some people are just white supremacists but also, immigration hasn't solved anything in Europe in recent times. It is not like the US where you have a massive startup scene and get an Elon Musk from South Africa to create jobs and add meaningful value.
>>Ever since we have heard that immigrants are being imported for jobs
You do realize that most of European migration is internal, right? Polish workers going to Germany, that kind of thing? It would be like complaining that American migration is crazy because of all the people moving from Kansas to take jobs in California.
>> house prices increase due to supply and demand and crime rate is not equal among groups
As compared to....?
>>It is not like the US where you have a massive startup scene and get an Elon Musk from South Africa to create jobs and add meaningful value.
I'm like, honestly not sure what to say to that. I could maybe start listing successful businesses started and/or ran by immigrants in the EU if that helps? Or is the fact that none of them are as famous as Elon Musk a dealbreaker?
There is no need to go that high in salary (a lucky very small minority). The higher income tax band (40%) kicks in at 50k. Salary sacrifice schemes offer huge savings to many people.
What I mean is that if salary sacrifice schemes on EV were only used, and very good deals, for people over 100k then it would be extremely niche as we're talking about the top 4% of earners whereas about 16% are higher band taxpayers...
People on higher salaries are disproportionately likely to be the ones doing it though - much much more likely to work for companies that implement the schemes for a start.
Yes, "higher salaries" as in higher tax band (median salary is 39k, higher tax band starts at 50k), which impacts 16% of people. That's why it has a notable impact on sales and also on the used cars market (salary sacrifice schemes are usually PCP/leasing over 3-4 years).
Perhaps it is the "London bubble" on HN as I feel that no-one is registering that 100k+ is a really, really small minority...
It is unavoidable that, at some point, China will have its own matching or better machine because they obviously know how incredibly strategically important it is.
“Retaining the best workers is especially crucial in an area like photolithography, where a huge amount of tacit knowledge is used to assemble its machines. An ASML engineer once told He Rongming, the founder of Shanghai Micro Electronics Equipment, one of China’s top ASML competitors, that the company wouldn’t be able to replicate ASML’s products even if it had the blueprints. He suggested that ASML’s products reflected ‘decades, if not centuries’ of knowledge and experience. ASML’s Chinese competitors have systematically attempted to hire former ASML engineers, and there is at least one documented case of a former ASML employee unlawfully handing over proprietary information. But none of this appears to have narrowed the gap.”
Non-zero chances - yes. Unavoidable - I wouldn't be so sure. I can't imagine how many top human-hours and cutting-edge inventions involved to construct this machine. And much of this simply cannot be stolen or bought, no matter how much money you have.
It has never happened in the history of the world that a company or country could maintain its technological advance indefinitely.
Either China will catch up on this or that particular technology will become obsolete. But it is certain that they won't stay behind forever (measured in a small number of decades at most).
There is no doubt that less than 10 years will be needed for China to be able to do something equivalent to what the ASML machines can do now.
What is far less certain is what ASML will be able to do at that time, i.e. if they will be able to progress significantly over the state-of-the-art of today, or they will reach a plateau.
Besides China, there is a renewed effort in Japan to become competitive again, so ASML may face in the future both Chinese and Japanese competitors.
This is kind of like saying you can prove everyone dies based on the evidence that everyone who is not currently alive has died.
You might place an upper limit using history but in this case I'd guess that limit would end up being much larger than the present semiconductor industry itself might last.
I'd say it is more likely that within 20 years the domestic Chinese semiconductor industry will be state-of-the-art across the full vertical and horizontal range.
There is a level of arrogance in the West that China does cheap but simple/low quality whereas this is only a stepping stone along the way. German car manufacturers went into China during the 90s with that mindset, and expecting it was forever, well they don't think that anymore...
I mean you’ve definitely just had technology disappear though, usually because of war. Damascus Steel was a lost military tech. We could certainly end up just accidentally (or worse, intentionally) bombing this stuff out of existence so nobody has it.
One can ballpark it, during EUV commercialization, ASML had 15k employees, Zeiss 3k, Cymer 1k. 20 years of non priority commercial development, lots of setbacks. Final integration ~5k suppliers. For reference commercial aviation Boeing/Airbus with 100k employees, 50k suppliers. And we don't even know it's correct technical roadmap. Initially they thought synchrotron better than plasma/LPP but went with latter because synchrotron too expensive, now EUV machine prices ballooned to multiple synchrotron price. Don't be surprised if we find it dead end non competitive tech in 5-10 years if PRC or JP figures out SSMB/FEL etc, LPP may become economically uncompetitive and all ASML EUV becomes stranded assets. This is a real possibility because while ASML LPP works, it works at far higher cost than original projections, i.e. it's overbudget techstack with lethal scaling costs.
On paper EUV relatively modest undertaking vs commercial aviation, EUV deeper integration vs commercial aviation breadth, but in terms of scale of effort for nation state coordination, EUV probably all things considered, easier to replicate because it has no regulatory slowdown, it's purely host country physics problem. Having enough talent and throwing it at problem x espionage x poaching talent x time will likely solve precision physics problem sooner than later. Vs commercial aviation which has complicated geopolitical/regulatory hurdles and magnitude more suppliers and scale. TLDR EUV has smaller organizational surface area for determined state to pursue through concentrating $$$, talent and effort. You can buy a ex ASML to bootstrap EUV development, much harder to get globe to buy COMAC without decades of airworthiness. There's a reason western analysts predict PRC EUV in 2030s (meanwhile PRC already beat prototype estimate timeline), but probably not realistic for global COMAC in same timeframe, and PRC been hammering at commercial aviation seriously long before EUV.
That's the key - if it was done once, it can be done again, and likely it's going to be significantly cheaper/easier because it's known it can be done. We see this from olympic records (e.g., the 4 minute mile was a "barrier" until one day it was passed and suddenly a bunch of people passed it).
Of course, doing it "legally" is another question - someone in the US trying to replicate would likely run into patent and other issues.
But a top-secret Manhattan-style project done by the US or China? definitely doable, and if you add spy-shit in, perhaps even faster.
i find it hard to believe that there is no equivalent anywhere else in the world. there is so much talent out there and the stakes are so high that it seems like an inevitability.
whatever many secrets are involved, information wants to be free and it's hard to believe that others won't figure it out.
by the time they do catch up we better be steps ahead. what's after EUV?
I worked on part of it in 2006-8. I noticed that our office waste wasn't being shredded, and asked my boss why not...
"With all the problems we have getting this to work? We ought to ship our drawings to our competitors to slow them down!"
Very tongue-in-cheek, but... yeah. The entire machine underwent a massive overhaul when it was discovered that bare, unoxidized titanium in the presence of elemental hydrogen would absorb so much it became brittle. Who knew? Maybe some few chemists, but none worked in ASML design, as it happened.
- ASML's High-NA EUV machines ready for high-volume production
- Machines have processed 500,000 wafers, showing technical readiness
- Full integration into manufacturing expected in 2-3 years, ASML's CTO says
After that, it may be X-rays.
A disruptive step would be to move to 3D printing, but that (among other issues) is too slow at the moment. Maybe, ideas from nano robotics (https://en.wikipedia.org/wiki/Nanorobotics) can help there.
> A disruptive step would be to move to 3D printing
The lithography equivalents of that are laser direct write lithography and e-beam lithography. They've been used for decades in research labs, but they're impossibly slow for any mass production.
Atomic Semi are trying to make some derivative of these processes happen at a commercial scale.
> i find it hard to believe that there is no equivalent anywhere else in the world. there is so much talent out there and the stakes are so high that it seems like an inevitability.
Well, even jet engine manufacturing is something that China is behind in (relatively speaking), and it (seems?) is simpler than some of the stuff in EUV machines.
Honestly I thought the same, but after watching a couple of videos on how EUV actually works, and what ASML (and the 1,200 other specialized companies that feed into its supply chain) built..
I can understand why you can't just take one apart and copy it.
There's (apparently) 4 decades of accumulated cutting edge scientific research that has gone into these machines.
I suspect the machinery, process and human expertise required to simply produce the parts required for these machines is the real moat (oh and I guess the US-led export controls too).
The build tolerances for components are incredible. There are 11 primary mirrors in an EUV machine, each one has something like 100 coats of ultra-pure materials that are precisely deposited in picometer-thick layers with tolerances in the nanometers, across a 1-meter wide curved surface.
Then you have to position the mirrors perfectly inside the machine, again with tolerances in the nanometers.
So even if you know what you need to do, having the equipment and expertise to do it is a different thing.
And that's just one part of the 100,000+ parts that make up an EUV machine.
That's the edge of what's possible, it's quite common even for researchers to have problems replicating results at the edge.
There's sometimes implicit knowledge in a technique that either doesn't get written down, or someone is so good at something you don't think certain details will matter.
In my old lab (biochemistry) some people just have good hands and are really good at making something repeatable, others not so much.
The strategic importance is vastly overhyped. Maybe by people who want to sell chips. Actual physical feature size shrinkage rate has dramatically slowed from maybe a decade ago. Making more efficient algorithms or architectures will beat out trying to fight physics.