item 24840119

Palo Alto Networks sends cease-and-desist letter to take down review videos

457 points | bonfire | 5 years ago | orca.security

132 comments


paultopia|5 years ago

Palo Alto Networks also makes bossware so intrusive that it's basically malware. Their VPN software on macOS, for example, collects tons of system data and starts itself persistently on reboot + cannot be quit unless the user happens to have much-more-technical-than-most-users levels of knowledge about things like sudo and how the various plist files work.

My own experience, in a couple Twitter threads:

https://mobile.twitter.com/PaulGowder/status/129693268470763...

https://mobile.twitter.com/PaulGowder/status/129686524552122...

Tl;dr: I installed their VPN software on my personal computer in order to get remote library database access during COVID. It turns out that it wanted to know everything about my system and I had to rip holes into configuration files 99% of users couldn't even find in order to stop it.

KingMachiavelli|5 years ago

If anyone is required to use Palo Alto or any other closed source VPN, try using OpenConnect [1]. It is an open source client for Palo Alto, Cisco, Juniper, etc. VPNs, which typically are just cruft on top of IPsec tunnels. While some of the features these VPNs offer sound cool, at the end of the day they use client side validation in the form of a 'trojan' binary that is downloaded and collects a bunch of metadata about your system. Obviously this can be spoofed pretty easily if you have full control of the machine. I know it works on Linux and it should work on Mac and Windows.

With some tweaking you can also use it to configure a split tunnel (at least on Linux) VPN so that your employer can't spy on all of your web activity. (Really for any VPN you just need to update the routing table after the VPN software is running).

[1] https://gitlab.com/openconnect/openconnect
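The routing-table trick the comment above describes, written out as an added example (this is not OpenConnect's code, not anything from the thread, and not specific to any vendor's client). It assumes a Linux host with iproute2, a tunnel interface called tun0, a LAN default gateway of 192.168.1.1 on eth0, and two corporate subnets that should stay inside the tunnel; all of those names and addresses are placeholders. It emits the `ip route` commands rather than hard-coding them so you can inspect them first, and it deletes the split halves (0.0.0.0/1 and 128.0.0.0/1) that many clients install instead of a plain default route.

```shell
#!/bin/sh
# Added example, not from the original thread: after a VPN client has
# brought its tunnel up, replace its catch-all route with routes for only
# the subnets that must traverse the tunnel. Interface names, gateway and
# subnets are assumptions; pass your own.

# Emit the iproute2 commands for a split tunnel.
# Usage: split_tunnel_cmds TUN_IFACE LAN_GATEWAY LAN_IFACE SUBNET...
split_tunnel_cmds() {
    tun="$1"; gw="$2"; lan="$3"; shift 3
    # Drop the VPN's catch-all route(s). Clients that use the "two halves"
    # trick install 0.0.0.0/1 and 128.0.0.0/1 instead of a plain default,
    # so remove those too; deleting a route that does not exist just fails.
    echo "ip route del default dev $tun"
    echo "ip route del 0.0.0.0/1 dev $tun"
    echo "ip route del 128.0.0.0/1 dev $tun"
    # Put the LAN default route back so ordinary traffic bypasses the tunnel.
    echo "ip route replace default via $gw dev $lan"
    # Route only the corporate subnets through the tunnel.
    for net in "$@"; do
        echo "ip route replace $net dev $tun"
    done
}

# Run the commands, or only print them when DRY_RUN is set.
# Same arguments as split_tunnel_cmds.
apply_split_tunnel() {
    split_tunnel_cmds "$@" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            printf '%s\n' "$cmd"
        else
            # Word-splitting on $cmd is intentional: it is a simple
            # whitespace-separated command built above.
            $cmd || echo "warning: '$cmd' failed" >&2
        fi
    done
}

# Report which interface the kernel would now use for an address, so you
# can confirm that corporate hosts go via the tunnel and everything else
# via the LAN. Requires root-free read access to the routing table.
route_iface_for() {
    ip -o route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Example run (needs root to actually change routes):
#   DRY_RUN=1 apply_split_tunnel tun0 192.168.1.1 eth0 10.0.0.0/8 172.16.0.0/12
#   sudo sh -c '. ./split.sh; apply_split_tunnel tun0 192.168.1.1 eth0 10.0.0.0/8'
#   route_iface_for 10.1.2.3      # expect tun0
#   route_iface_for 1.1.1.1       # expect eth0
```

Some clients re-install their routes on reconnect or on a timer, so re-run this after every reconnect, and note that DNS for internal names still needs to resolve through the tunnel (point only the corporate domains at the VPN resolver rather than all queries).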

ecliptik|5 years ago

It also uses high-performance graphics for whatever reason when connected and can completely drain a full MacBook Pro battery in under an hour. Disconnecting does not free the GPU.

On a positive note, I now have a reason to use the MacBook Touch Bar. I set up an Automator action to kill the PIDs to release the GPU when I no longer need to use the VPN.

apostacy|5 years ago

That's really gross. But it is sadly not at all unusual. In fact, Google's obscurely named "Keystone Agent" isn't much better.

Apple should expose services in Control Center instead of making you use the terminal.

warhorse10_9|5 years ago

I posted this in a comment response below.

All of these things are actually configured by the company/library you are connecting to. They are configuration options for the firewall that are enforced by GlobalProtect. Blame your library IT, not Palo Alto.

Spivak|5 years ago

As much as I despise this kind of software as an end-user the data collection can be for above-board purposes and is required in certain regulatory domains. Zero excuse for being a shitty application though.

In our case we were required to verify that any machine that connected to our VPN was sufficiently updated, had a backup taken, was running AV and was recently scanned for malware, and had disk encryption enabled with our recovery key.

codingdave|5 years ago

Lawyers sending letters to discourage actions they do not like are fairly standard. I've had attorneys tell me that if you are not getting letters like this, you aren't making enough of an impact. And to be clear, this is just a letter - tossing one of these out just to see if it works is an easy tactic because many smaller organizations are terrified of litigation, and will cave to demands even if there is no legal basis for them.

Do take the letters seriously... determine whether there are valid legal claims presented. But if there are not, it is a scare tactic, so don't stress over it.

trentnix|5 years ago

This. Many lawyers threaten and posture for a living. Don't let their empty threats bully you into submission if you've done nothing wrong.

RIMR|5 years ago

Legality isn't my concern. It's intent.

Their intent is to prevent their customers and potential customers from hearing criticisms of their products.

That alone is enough to make me never do business with them again. Legality means nothing, this was a breach of ethics and honesty.

soumyadeb|5 years ago

More likely than not, they have a legal basis for what they are asking for. Check with your lawyers and if they agree, you should just accept and move on. The distraction (and cost) of having to fight a legal battle to have a comparison page on your website is just not worth it for most startups.

We are a tiny company building an open-source alternative to an existing SaaS app and we have received two such letters in the last 6 months. The first time I just replied in an email; the second time I had the lawyers respond to create a legal trail. I don't think we were at fault in either case but it is still not worth it.

bokohut|5 years ago

This too.

As a serial entrepreneur who was the brains behind building the entire hardware and software of several acquired systems, I have been the recipient of multiple such certified-delivery cease-and-desists. While my case does not match that of this topic's point, mine was a threat telling me to stay out of the industry, which clearly I did not, just a scare tactic without grounds because they knew of my talents. On my most recent exit I secured a legally binding document with the new owner that states I cannot be pursued for anything by either the parent company or any future subsidiary. It has been crickets.

As others say, your best option is to read and understand your situation, since you lived it, as no one will care more about it than you, not even a lawyer you are paying, but they will gladly take your money, again from experience.

kobalsky|5 years ago

> Do take the letters seriously... determine whether there are valid legal claims presented. But if there are not, it is a scare tactic, so don't stress over it.

Is the validity of the legal claim that relevant? If deep pockets co. wants to sue you into oblivion can't they just drag the trial forever and make sure you go bankrupt from legal fees before reaching a judgement?

fefe23|5 years ago

The title is deceptive.

OP is not some independent site doing a neutral review. This is a competitor pretending to be neutral (and doing a laughably bad job at it; the "referee" is their evangelist).

So they basically make an untrustworthy video that (surprise, surprise) comes to the conclusion that their product is better, provoke Palo Alto into a hamfisted knee-jerk response, and now try to drum up cheap publicity by posing as the victim.

I have always regarded Palo Alto's products as snake oil, so this is not a fan defending their team.

That said: This behavior of Orca is reprehensible and you should not reward them with your attention.

shuaavi|5 years ago

Fefe, we never said we're objective. Marketing is almost never objective. We tried to make it objective, but naturally, we're biased. But should the larger player be allowed to stop the smaller one from publishing his materials?

ghastmaster|5 years ago

> Palo Alto Networks appears oblivious to the fact that the New York Attorney General’s office sued and won an injunction against McAfee from enforcing its contractual restrictions against publishing reviews or comparisons of its products without its consent more than 17 years ago. In enacting the Consumer Review Fairness Act, Congress has also prohibited businesses from including contract terms that prohibit consumers from reviewing products or services they purchase.

New York only matters if either party has standing in that jurisdiction. Palo Alto Networks (California) and Orca Security (Israel) would not; however, a case could be made that the video in question resides on servers (YouTube) in New York.

The argument for the application of 15 U.S. Code § 45b appears to only apply to "form contracts".

> means a contract with standardized terms— (i) used by a person in the course of selling or leasing the person’s goods or services; and (ii) imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized terms.

It appears as though the EULA is a form contract and Orca indeed falls under the protections of the Consumer Review Fairness Act.

EULA: https://www.paloaltonetworks.com/content/dam/pan/en_US/asset...

otterley|5 years ago

Maybe, maybe not. See my analysis elsewhere about the importance of the word "individual" as opposed to "person" in the language of the CRFA.

cybert00th|5 years ago

Our firewall guy thinks Palo Alto firewalls are really good and I don't dispute that they are. But I may just show him this tomorrow morning, as another perspective never hurts.

RKearney|5 years ago

I've used Palo Alto, Fortinet, and Cisco firewalls.

Cisco is the worst by far, the Fortinet ones are not fun to use but have an incredible $/performance ratio, and the Palo Alto ones are by far the most expensive but also the most enjoyable to use.

They're certainly not without their faults, and we've had issues with them that took time to remedy, but I wouldn't trade them for anything else I've seen so far from competitors.

hirundo|5 years ago

Dear Palo Alto Networks: There is no way I would have watched that video if you hadn't demanded it be taken down. Now having watched it I can see why you want to hide it.

3np|5 years ago

We were just in the process of surveying firewalls. PANW was high on the list, given the user experience. They are no longer on it since today.

BrandoElFollito|5 years ago

I am grateful to Palo Alto for the C&D. I had them on my radar screen for possible consideration next year on a large project.

Now I don't anymore. That's a bunch of money that will go to someone else.

This is the price when you have to defend the technical aspects of your solution with lawyers.

quadrifoliate|5 years ago

Yep, they just dropped out of consideration as a firewall vendor for me in the near future. The money for this superfluous legal stuff is coming from somewhere, probably from the overinflated margins. Also no one wants to be sued by a company whose products you paid good money for.

FullyFunctional|5 years ago

My first thought when I saw this thread was the Barbra Streisand effect. My employer uses GP, but at least I learned about mitigations from this thread, such as OpenConnect.

unethical_ban|5 years ago

This is such an absurd take that I clicked your account to ensure you were not a troll.

PAN, for all their true issues, puts out some impressive products. There is a reason they have eaten Checkpoint and Cisco FirePOWER's lunch.

Hilariously, my company blocks the article because it is a non-approved TLD. But I challenge you to defend the lawyers and ethics of other large infosec players.

neilv|5 years ago

Trustworthiness seems to be one of the most important properties of a firewall company.

But this news of a reviewer getting a cease-and-desist nastygram from PANW erodes some of the trust that PANW started with by default in my mind.

They're not the only company to try to prevent independent benchmarking and reviews, but I've never liked that from any company.

Perhaps this could be a learning moment for PANW, and they decide to change some policies?

(I actually have one of those big old Palo Alto Networks blue rackmount firewalls right here, purchased with the intention of playing with it, either for ideas for OpenWrt features, or to decide whether to buy a new little one for interim use until I have more time for open source. I'm not getting much warm-fuzzies from the big blue metal box at the moment, but maybe that will improve.)

cddotdotslash|5 years ago

Bear with me here, but what if this entire thing was engineered from the beginning to be a marketing technique? The videos themselves? Marketing. The "we got a cease and desist from a big company" blog? Marketing. The follow-up letter about transparency? Marketing. And it all falls right into the David vs. Goliath story that the tech community loves.

drakenot|5 years ago

Are you saying the cease and desist is potentially fabricated?

That seems unlikely, given that if it were true, we would expect a public response from Palo Alto to that effect.

That isn’t a ploy that would work very long and the backlash and damaged reputation would be significant if that occurred.

orliesaurus|5 years ago

I applaud Orca Security for exposing the bs that Palo Alto Networks is trying to feed the enterprise security industry. As other comments have said, these letters are fairly standard, but you could have just not said anything and moved on... instead you come out and explain the situation. I love this transparency!

trhway|5 years ago

>In enacting the Consumer Review Fairness Act, Congress has also prohibited businesses from including contract terms that prohibit consumers from reviewing products or services they purchase.

[IANAL] If that is true, I wonder whether PA Networks exposes itself to a countersuit, as I think I know at least one similar (in my layman's view) case where inclusion and enforcement of a contract provision violating a specific consumer law protection provision was grounds for a successful class action. In such a case one doesn't even need to actually fight the legal battle themselves, just show it to lawyers with time to spare, and even just mentioning such a possibility may be enough on its own.

AcerbicZero|5 years ago

That's a silly lawyer move, but I also kind of understand where PA is coming from: the FW space is a crowded, reputation-driven world and a lot of classic late-00s companies are struggling to adapt to a less hardware-centric space.

That said, build better products, don't take down crappy reviews. I've had terrific experiences with my PA FW's and Panorama isn't too shabby as far as centralized mgmt solutions go - I'd hate to see them throw away all the good will they've built up with stupid choices like this.

RIMR|5 years ago

It's not just about the reviews. People make careers out of reviewing products. Legal complaints can lead to people being demonetized or deplatformed entirely.

For PA to risk ruining other people's careers (for being honest!) just to artificially inflate the reputation of their own crappy product isn't something I can forgive very easily.

cddotdotslash|5 years ago

This entire saga literally has nothing to do with firewalls.

cycop|5 years ago

The letter is about using Palo Alto Networks trademarks on their website. I think Orca should just change their review to say "Palo Crapo Networks" .... issue solved

zufallsheld|5 years ago

It says "Orca's comparison and rating of Prisma and its public dissemination is a clear breach of...", so not just a trademark issue.

yoavalon|5 years ago

Or a new diet, Paleo Alto

RIMR|5 years ago

At this point in the game, how could anyone ever think that this was a good idea? Palo Alto Networks is already on my blacklist because of how badly their products perform in production. This makes it hard for me to ever consider them again, since it's clear that they are trying to purge negative information about their product from my view.

different_sort|5 years ago

Prisma cloud (the cloud monitoring part) is not a great product. It lags pretty far behind cloud provider capabilities.

I also got the email that orca probably sent to everyone in their CRM about this, and while I didn’t need any reason to think less of prisma, I now associate Orca as a competitor and probably an earlier call than palo alto for cloud.

CameronNemo|5 years ago

We are considering prisma cloud to monitor an on premise kubernetes deployment. Is there anything I should be concerned about or better options to consider?

orca-pp|5 years ago

With NSS Labs shutting down today the need for objectivity and visibility into testing has never been greater.

guardiangod|5 years ago

I know no one cares about NSS Labs, but as an employee of an NSS-tested company I'd like to say RIP. No one does testing as rigorously as you, and thanks for all the headaches you've caused my teams.

(Gartner is a joke. There, I said it.)

robertab|5 years ago

I'm curious as to what Palo Alto is concerned about with these videos. If they feel they are misrepresented, they can easily post their own videos in response. But no doubt, transparency is a necessity and cease-and-desist letters do no one any good.

dylan604|5 years ago

Huh? If it causes the video giving bad reviews of their product to be taken down, the C&D letter does a lot of good for Palo Alto. Even if the review is accurate, if Palo Alto can force the review to go away it is a good day's work for that lawyer.

rasz|5 years ago

>Enter your email once and get access to all videos on our site

Are you trying to sell me access to a comparison trying to sell me on your product? I'm confused and amused.

logicalmonster|5 years ago

A review seems like a textbook case of fair use to me. Not sure where there’s a justification for removing a review in this situation.

kmeisthax|5 years ago

Because of a legal precedent and a general fact about contract law:

1. Installation and/or execution of software constitutes copying (the "RAM Copy Doctrine") which is only lawful if the person currently using the software has been licensed or sold the software

2. Licensing restrictions can restrict license holders from exercising rights they otherwise would have as a matter of law

There is nothing prohibiting you from only licensing your software out under terms that prohibit licensees from exercising fair use or first sale rights. Indeed, this is one of Oracle's main "innovations": ever since Larry Ellison failed to get David DeWitt fired for daring to benchmark Oracle, they just made everyone who buys Oracle promise not to benchmark it. This is legally sound and the only way around it is to argue that the software transaction was actually a sale and not a license - as far as I'm aware, though, nobody has been able to successfully articulate such a claim.

mtnGoat|5 years ago

Gee, big tech using high paid legal staff to attack and silence others unjustly.

Seems like the usual situation to me. :(