hgezim

Last year, I started working on a children's book generation product using AI for illustrations. In the process, I discovered Midjourney and I was blown away by the quality.

I then tried to find their API so I could use it in my product. Google showed no results. I thought I was Googling wrong.

It turns out, Midjourney didn't have an API

<insert pivot gif from Friends>

Of course, I set out to build it. I created a POC and posted it on the Midjourney subreddit[1]. That's when I discovered that Midjourney's ToS specified that user's aren't allowed automated access

Too late, I had already built it and had a lot of email signups from people wanting it.

The initial idea was to have a bunch of Midjourney accounts and let people generate images using my accounts. Now that was a no go since I'd be in violation of their ToS. To sidestep the issue, I decide to let the end users take the risk. You want API access, you provide your Midjourney account and we'll do the rest.

At first I launched a self-hosted version that people would pay once and then use it on their on hardware. This proved too cumbersome to setup, so I launched the cloud version. Mind you, it took me months to learn this lesson.

To say it's been going great is an understatement.

I've been building side projects since 2014, starting with HNdigest (which I exited for a whopping $2k ). The farthest I got was $3,000 MRR in 2019 which was a huge success. Now, ImagineAPI.dev is doing $16k MRR

Fast forward to a few days ago. I check my email and see that Midjourney sent me a cease and desist. They had two issues: ToS Violation[2] and Trademark Infringement[3].

I want to be clear, I've never intended to harm Midjourney. Every image generating with ImagineAPI.dev has been paid for — we don't allow users to generate free images using Midjourney's relaxed mode. There are alternative API products that do that and we get people asking all the time. However, I wanted Midjourney to benefit from us being around; not to be harmed.

However, I certainly don't intend to roll over and kill my product.

We're not in violation of the ToS as we don't have any Midjourney accounts. I've updated marketing assets to specify that we're an "(unofficial) Midjourney API". What else should I do?

What should I respond to their legal counsel with?

Anyone have experience with this type of threat in the past? How did you handle it?

P.S.: My legal entity is based in Canada. FWIW.

[1] https://www.reddit.com/r/midjourney/comments/11betr7/i_created_an_unofficial_api_for_midjourney/ [2] https://share.cleanshot.com/NPXjkk3c [3] https://share.cleanshot.com/94ZvY4q4 https://share.cleanshot.com/j47jnx6N

I accidentally found this vulnerability that when you remote login into a Mac using Screen Sharing (included in all recent MacOS versions), someone with physical access can take over your session and lock you out of it and then have full, complete, total, absolute control over your machine.

Someone crafty can watch your screen and wait until you type in a sensitive password (like root or 1Password) and decide to take over at that point.

The best part? The person with physical presence can lock the remote user out (you): https://www.youtube.com/watch?v=wbLYKEQk_mM

I reported this to Apple more than 90 days ago. They said it was intended behaviour.

I cannot remote into my machines safely since I discovered this.

Without exaggeration, my wife one day messaged me and said, "your computer is moving," because she could see I was logged into my iMac at home from the office and using it.

Another day a colleague was working late at the office and I had logged into my office machine from home. He messaged me saying, "Did you leave your computer on on purpose?" He knows I always lock my computer because I give him heck for not locking his.

What did Apple Security Research recommend when they closed out the issue? They said I should use Apple Remote Desktop. That app is on the Mac App Store and averages 2.1/5. It retails for $99.99.

Maybe I'm off here. Did you expect someone next to your machine to see everything you do and be able to take control when you remote into it?

On the 3rd of March, I happened on a severe security vulnerability on an Apple product. Immediately, I reported it to them via the Apple Security Research program.

In the initial report, I didn't know I could upload videos and I asked them if I can upload my video proof to YouTube (unlisted). They told me not to — presumably because they didn't want this to be public.

It took them until another 9 days (March 14th) to decide that this wasn't an issue. At that point the ticket got marked as "This is expected behavior."

I'm convinced that if this vulnerability is made public, Apple would change their mind about it's severity.

I'm not sure if I can share it, though, as they might use it as an excuse not to pay me a bounty. Thoughts on how to approach this?

PS: I asked them if I could post it publicity after they closed the ticket but haven't heard anything from them.