[HN Gopher] Palo Alto Networks sends cease-and-desist letter to ...
       ___________________________________________________________________
        
       Palo Alto Networks sends cease-and-desist letter to take down
       review videos
        
       Author : bonfire
       Score  : 313 points
       Date   : 2020-10-20 17:31 UTC (5 hours ago)
        
 (HTM) web link (orca.security)
 (TXT) w3m dump (orca.security)
        
       | neilv wrote:
       | Trustworthiness seems to be one of the most important properties
       | of a firewall company.
       | 
        | But this news of a reviewer getting a cease&desist nastygram from
        | PANW erodes some of the trust that PANW started with by default
        | in my mind.
       | 
       | They're not the only company to try to prevent independent
       | benchmarking and reviews, but I've never liked that from any
       | company.
       | 
       | Perhaps this could be a learning moment for PANW, and they decide
       | to change some policies?
       | 
       | (I actually have one of those big old Palo Alto Networks blue
       | rackmount firewalls right here, purchased with the intention of
       | playing with it, either for ideas for OpenWrt features, or to
       | decide whether to buy a new little one for interim use until I
       | have more time for open source. I'm not getting much warm-fuzzies
       | from the big blue metal box at the moment, but maybe that will
       | improve.)
        
       | RIMR wrote:
       | At this point in the game, how could anyone ever think that this
       | was a good idea? Palo Alto Networks is already on my blacklist
       | because of how badly their products perform in production. This
       | makes it hard for me to ever consider them again, since it's
       | clear that they are trying to purge negative information about
       | their product from my view.
        
       | hirundo wrote:
       | Dear Palo Alto Networks: There is no way I would have watched
       | that video if you hadn't demanded it be taken down. Now having
       | watched it I can see why you want to hide it.
        
         | mshook wrote:
         | Typical case of https://en.wikipedia.org/wiki/Streisand_effect
        
         | 3np wrote:
         | We were just in the process of surveying firewalls. PANW was
         | high on the list, given the user experience. They are no longer
         | on it since today.
        
           | unethical_ban wrote:
           | I'll say this again, I said it elsewhere. And to clarify, I
           | own no stock in PANW, I don't work for them, though I have
           | years of experience managing PAN firewalls in a large
           | deployment (and some experience with their competitors). My
           | coworkers don't know my HN name so I'm saying this from the
           | heart, not for kudos from meatspace.
           | 
           | As part of a team choosing a new technology for something,
           | you really need to take a lot of things into consideration.
           | This would be one thing your legal department would need to
           | consider, undoubtedly. However, if you are trying to choose
           | such a critical technology as your infosec stack, and you
           | completely remove a company from a bakeoff because of a
           | negative review (which this essentially is), then you are not
           | running your bakeoff properly.
           | 
           | PA firewalls and systems are pretty freaking good. I haven't
           | worked with Checkpoint for a long time, but hear they got
           | good a few years back when PA started eating their lunch.
           | FirePOWER is the devil, as is Cisco.
        
             | robertlagrant wrote:
             | Is your heart telling you that you should get people to buy
             | the product you've got professional experience with?
        
             | azernik wrote:
             | I suspect in this case it's not because of the single
             | review, but because of the shady business practices.
        
       | logicalmonster wrote:
       | A review seems like a textbook case of fair use to me. Not sure
       | where there's a justification for removing a review in this
       | situation.
        
         | kmeisthax wrote:
         | Because of a legal precedent and a general fact about contract
         | law:
         | 
         | 1. Installation and/or execution of software constitutes
         | copying (the "RAM Copy Doctrine") which is only lawful if the
         | person currently using the software has been licensed or sold
         | the software
         | 
         | 2. Licensing restrictions can restrict license holders from
         | exercising rights they otherwise would have as a matter of law
         | 
         | There is nothing prohibiting you from only licensing your
         | software out under terms that prohibit licensees from
         | exercising fair use or first sale rights. Indeed, this is one
         | of Oracle's main "innovations": ever since Larry Ellison failed
         | to get David DeWitt fired for daring to benchmark Oracle, they
         | just made everyone who buys Oracle promise not to benchmark it.
         | This is legally sound and the only way around it is to argue
         | that the software transaction was actually a sale and not a
         | license - as far as I'm aware, though, nobody has been able to
         | successfully articulate such a claim.
        
           | wolco2 wrote:
            | Doesn't a brief window exist where at 11:59pm you can run
            | Oracle but after midnight, when the license expires and the
            | results are back, you could report on those numbers?
        
           | shuaavi wrote:
           | Just google 'yelp law'. It isn't legal these days.
        
             | eternalban wrote:
             | You mean CRFA?
             | 
              | https://www.ftc.gov/tips-advice/business-center/guidance/con...
             | 
             | Did a court rule that CRFA trumps (npi) DeWitt's Clause?
             | 
             | https://dwheeler.com/essays/dewitt-clause.html
             | 
             | (IANAL)
        
               | otterley wrote:
               | IAAL, and that is a good question. (This is not legal
               | advice.)
               | 
               | CRFA appears to apply to contracts that bind an
               | "individual" and not a "person". This technical
               | difference is important in contracts: an individual is
               | also known in the art as a "natural person" (i.e., a
               | human being), while a "person" could be an individual, a
               | company, or other organization.
               | 
               | So it is possible that the law does not apply to Orca
               | Security because they are a "person" and not an
               | "individual". In other words, if it can be found that Mr.
               | Shua was acting as an officer or other representative of
               | Orca Security instead of in his personal capacity, then
               | CRFA may not apply to the license agreement.
               | 
               | Again, this is NOT legal advice, and anyone seeking a
               | legal opinion should engage a licensed attorney. This law
               | is pretty new and I don't know whether this specific
               | question has been tested by any court. But I would tread
               | with caution.
        
       | BrandoElFollito wrote:
       | I am grateful to Palo Alto for the C&D. I had them on my radar
       | screen for possible consideration next year on a large project.
       | 
       | Now I don't anymore. That's a bunch of money that will go to
       | someone else.
       | 
       | This is the price when you have to defend the technical aspects
       | of your solution with lawyers.
        
         | quadrifoliate wrote:
         | Yep, they just dropped out of consideration as a firewall
         | vendor for me in the near future. The money for this
          | superfluous legal stuff is coming from _somewhere_, probably
         | from the overinflated margins. Also no one wants to be sued by
         | a company whose products you paid good money for.
        
         | unethical_ban wrote:
         | This is such an absurd take that I clicked your account to
         | ensure you were not a troll.
         | 
         | PAN, for all their true issues, puts out some impressive
         | products. There is a reason they have eaten Checkpoint and
         | Cisco FirePOWER's lunch.
         | 
          | Hilariously, my company blocks the article because it is a
          | non-approved TLD. But I challenge you to defend the lawyers and
          | ethics of other large infosec players.
        
           | GartzenDeHaes wrote:
           | I agree. If you have a full time security analyst(s) to tune
           | and monitor it, PA's firewall is unbeatable for perimeter
           | security AFAIK. Unfortunately, their other offerings don't
           | measure up and tend to be a jumble of M&A.
        
       | orca-pp wrote:
        | With NSS Labs shutting down today, the need for objectivity and
        | visibility into testing has never been greater.
        
         | guardiangod wrote:
          | I know no one cares about NSS Labs but as an employee of an
          | NSS-tested company I'd like to say RIP. No one does testing as
          | rigorously as you, and thanks for all the headaches you've
          | caused my teams.
         | 
         | (Gartner is a joke. There, I said it.)
        
           | kazen44 wrote:
            | NSS Labs was one of the few labs which actually did rigorous
            | testing in regards to firewall performance. It helped me and
            | my company enormously with both recommending solutions to
            | customers as well as troubleshooting, mainly by providing a
            | truthful baseline compared to the datasheet of the vendor.
            | All firewall vendors seem to basically lie on their datasheet
            | in regards to real life performance. This becomes a real pain
            | in the arse when you start seeing performance issues or weird
            | behaviour because you actually run a firewall "to spec".
            | 
            | A good example of this was a Cisco ASA with FirePOWER (which
            | in itself is a terrible solution, but alas). Even at "just"
            | 50% of the specced load, we started seeing weird issues in
            | regards to IPsec tunnels (SAs randomly dropping, getting
            | abysmal performance at certain times, etc.).
        
           | bonfire wrote:
           | :) Same here
        
       | cybert00th wrote:
       | Our firewall guy thinks Palo Alto firewalls are really good and I
       | don't dispute that they are. But I may just show him this
        | tomorrow morning, as another perspective never hurts.
        
         | RKearney wrote:
         | I've used Palo Alto, Fortinet, and Cisco firewalls.
         | 
         | Cisco is the worst by far, the Fortinet are not fun to use but
         | have an incredible $/performance ratio, and the Palo Alto ones
         | are by far the most expensive but also the most enjoyable to
         | use.
         | 
         | They're certainly not without their faults, and we've had
         | issues with them that took time to remedy, but I wouldn't trade
         | them for anything else I've seen so far from competitors.
        
           | canarypilot wrote:
           | Did you just publish the result of a benchmark or performance
           | comparison test you ran to establish the difference in
           | $/performance ratio between competitors?
           | 
           | If so, I have bad news for your license compliance...
        
             | RKearney wrote:
              | Nope, I read the manufacturers' published specifications for
              | their equipment and looked up the pricing on publicly
              | accessible websites.
             | 
             | https://www.paloaltonetworks.com/products/product-selection
             | 
             | https://www.fortinet.com/products/product-compare?cat=ngfw
             | 
              | And you can get pricing from any VAR's website such as
              | CDW.com
             | 
             | Good try though.
        
           | pmart123 wrote:
           | Have you ever worked with Check Point's firewall?
        
             | guardiangod wrote:
             | Check out https://www.reddit.com/r/networking/ and search
             | for the firewall/company names, sorted by Newest.
             | 
             | (I don't subscribe to the sub nor have I posted anything in
             | it. I do read it from time to time and find the comments
             | alright from an end-user (ie. sysadmin) point of view.)
        
       | paultopia wrote:
       | Palo Alto networks also makes bossware so intrusive that it's
       | basically malware. Their VPN software on MacOS, for example,
       | collects tons of system data and starts itself persistently on
        | reboot + cannot be quit unless the user happens to have
        | much-more-technical-than-most-users levels of knowledge about
        | things like sudo and how the various plist files work.
       | 
       | My own experience, in a couple Twitter threads:
       | 
       | https://mobile.twitter.com/PaulGowder/status/129693268470763...
       | 
       | https://mobile.twitter.com/PaulGowder/status/129686524552122...
       | 
       | Tl;dr: I installed their VPN software on my personal computer in
       | order to get remote library database access during COVID. It
       | turns out that it wanted to know everything about my system and I
       | had to rip holes into configuration files 99% of users couldn't
       | even find in order to stop it.
        
         | ecliptik wrote:
         | It also uses High-Performance graphics for whatever reason when
         | connected and can completely drain a full MacBook Pro battery
         | in under an hour. Disconnecting does not free the GPU.
         | 
          | On a positive note, I now have a reason to use the MacBook
          | touchbar. Set up an Automator action to kill the PIDs to release
          | the GPU when I no longer need to use VPN.
        
           | justinclift wrote:
           | Maybe their developers don't yet know that's fixable with a
           | plist entry? eg:
           | 
            | https://github.com/sqlitebrowser/sqlitebrowser/commit/72a452...
           | 
           | You can manually add that to applications that don't have it,
           | to see if it works. :)
        
         | Spivak wrote:
         | As much as I despise this kind of software as an end-user the
         | data collection can be for above-board purposes and is required
         | in certain regulatory domains. Zero excuse for being a shitty
         | application though.
         | 
         | In our case we were required to verify that any machine that
         | connected to our VPN was sufficiently updated, had a backup
         | taken, was running AV and was recently scanned for malware, and
         | had disk encryption enabled with our recovery key.
        
           | paultopia wrote:
            | Anyone who requires this level of security for regulatory
            | purposes should not have a BYOD policy at all. "Only
            | fully-managed, organization-owned devices get to touch this
            | data" is the only fair way to both maintain data security in
            | highly regulated environments and not effectively take
            | ownership over employees' (and, in a university context,
            | students') computers.
        
           | Jonnax wrote:
            | Sure but it has no business doing this crap on university
            | students' machines.
           | 
           | It's straight up malware that modifies things that can break
           | your computer.
           | 
           | And it's not like they're going to offer support for fixing
           | it.
        
             | warhorse10_9 wrote:
             | All of these things are actually configured by your
             | university. They are configuration options for the firewall
             | that enforces the portal. Blame your university IT, not
             | Palo Alto.
        
         | apostacy wrote:
         | That's really gross. But it is sadly not at all unusual. In
         | fact, Google's obscurely named "Keystone Agent" isn't much
         | better.
         | 
         | Apple should expose services in Control Center instead of
         | making you use the terminal.
        
         | warhorse10_9 wrote:
         | I posted this in a comment response below.
         | 
          | All of these things are actually configured by the
          | company/library you are connecting to. They are configuration
          | options for the firewall that are enforced by GlobalProtect.
          | Blame your library IT, not Palo Alto.
        
       | jlgaddis wrote:
       | Dear Palo Alto Networks,
       | 
        | In response to your "_Cease and Desist_" letter of 4 September
        | 2020 to Avi Shua of Orca Security, we refer you to the reply
        | given in the case of Arkell v. Pressdram [0].
       | 
       | Sincerely,
       | 
       | The Internet
       | 
       | --
       | 
       | [0]: https://lettersofnote.com/2013/08/07/arkell-v-pressdram/
        
       | orliesaurus wrote:
        | I applaud Orca Security for exposing the bs that Palo Alto
        | Networks is trying to feed the enterprise security industry - as
        | other comments have said, these are fairly standard, but you could
        | have just not said anything and moved on...instead you come out
        | and explain the situation. I love this transparency!
        
       | ghastmaster wrote:
       | > Palo Alto Networks appears oblivious to the fact that the New
       | York Attorney General's office sued and won an injunction against
       | McAfee from enforcing its contractual restrictions against
       | publishing reviews or comparisons of its products without its
       | consent more than 17 years ago. In enacting the Consumer Review
       | Fairness Act, Congress has also prohibited businesses from
       | including contract terms that prohibit consumers from reviewing
       | products or services they purchase.
       | 
        | New York only matters if either party has standing in that
        | jurisdiction. Palo Alto Networks (California) and Orca
        | Security (Israel) would not; however, a case could be made
        | that the video in question resides on servers (YouTube) in New
        | York.
        | 
        | The argument for the application of 15 U.S. Code § 45b appears
        | to only apply to "form contracts".
       | 
       | > means a contract with standardized terms-- (i) used by a person
       | in the course of selling or leasing the person's goods or
       | services; and (ii) imposed on an individual without a meaningful
       | opportunity for such individual to negotiate the standardized
       | terms.
       | 
        | It appears as though the EULA is a form contract and Orca indeed
        | falls under the protections of the Consumer Review Fairness Act.
       | 
       | EULA:
       | https://www.paloaltonetworks.com/content/dam/pan/en_US/asset...
        
         | otterley wrote:
          | Maybe, maybe not. See my analysis elsewhere about the
          | importance of the word "individual" as opposed to "person" in
          | the language of CRFA.
        
       | cycop wrote:
        | The letter is about using Palo Alto Networks' trademarks on their
        | website. I think Orca should just change their review to say
        | "Palo Crapo Networks" .... issue solved
        
         | yoavalon wrote:
         | Or a new diet, Paleo Alto
        
           | robertlagrant wrote:
           | Or the slightly deeper Palo Tenor.
        
         | zufallsheld wrote:
          | It says "orcas comparison and rating of prisma and its public
          | dissemination is a clear breach of...", so not just a trademark
          | issue.
        
       | fefe23 wrote:
       | The title is deceptive.
       | 
       | OP is not some independent site doing a neutral review. This is a
       | competitor pretending to be neutral (and doing a laughably bad
       | job at it; the "referee" is their evangelist).
       | 
        | So they basically make an untrustworthy video that (surprise,
        | surprise) comes to the conclusion that their product is better,
        | provoke Palo Alto into a hamfisted knee-jerk response, and now
        | try to drum up cheap publicity by posing as the victim.
       | 
       | I have always regarded Palo Alto's products as snake oil, so this
       | is not a fan defending their team.
       | 
       | That said: This behavior of Orca is reprehensible and you should
       | not reward them with your attention.
        
         | shuaavi wrote:
          | Fefe, we never said we're objective. Marketing is almost never
         | objective. We tried to make it objective, but naturally - we're
         | biased. But should the larger player be allowed to stop the
         | smaller one from publishing his materials?
        
       | AcerbicZero wrote:
        | That's a silly lawyer move, but I also kind of understand where PA
       | is coming from - the FW space is a crowded, reputation driven
       | world and a lot of classic late 00s companies are struggling to
       | adapt to a less hardware centric space.
       | 
       | That said, build better products, don't take down crappy reviews.
        | I've had terrific experiences with my PA FWs and Panorama isn't
       | too shabby as far as centralized mgmt solutions go - I'd hate to
       | see them throw away all the good will they've built up with
       | stupid choices like this.
        
         | RIMR wrote:
         | It's not just about the reviews. People make careers out of
          | reviewing products. Legal complaints can lead to people being
          | demonetized or deplatformed entirely.
         | 
         | For PA to risk ruining other people's careers (for being
         | honest!) just to artificially inflate the reputation of their
         | own crappy product isn't something I can forgive very easily.
        
       | codingdave wrote:
       | Lawyers sending letters to discourage actions they do not like
       | are fairly standard. I've had attorneys tell me that if you are
       | not getting letters like this, you aren't making enough of an
       | impact. And to be clear, this is just a letter - tossing one of
       | these out just to see if it works is an easy tactic because many
       | smaller organizations are terrified of litigation, and will cave
       | to demands even if there is no legal basis for them.
       | 
       | Do take the letters seriously... determine whether there are
       | valid legal claims presented. But if there are not, it is a scare
       | tactic, so don't stress over it.
        
         | RIMR wrote:
         | Legality isn't my concern. It's intent.
         | 
         | Their intent is to prevent their customers and potential
         | customers from hearing criticisms of their products.
         | 
         | That alone is enough to make me never do business with them
         | again. Legality means nothing, this was a breach of ethics and
         | honesty.
        
         | trentnix wrote:
         | This. Many lawyers threaten and posture for a living. Don't let
         | their empty threats bully you into submission if you've done
         | nothing wrong.
        
           | pavel_lishin wrote:
           | How do you tell whether you're doing something wrong or not
           | without spending money on your own lawyer?
        
             | wldcordeiro wrote:
             | Right? Just because it's normal for C&Ds to be sent doesn't
             | mean it should be because they're obviously weaponized by
             | large organizations.
        
             | trentnix wrote:
             | That presumes a lawyer will give you good legal advice.
             | I've been given poor legal advice before by a lawyer, and
             | been given even worse tactical advice. I've gone against a
             | lawyer's recommendations before when their explanation and
              | recommendation did not jibe with my reading and
             | understanding.
             | 
             | You should educate yourself and seek counsel if you believe
             | you need it. Because ultimately the situation is no
             | different than getting a physician's opinion or a
             | consultant's opinion or whatever else - you seek that
             | expertise because you feel you need it. And usually that
             | means you have to pay for it. But a lawyer's opinion, even
             | if it's a good opinion, doesn't inoculate you from being
             | sued or threatened or whatever else an antagonizing party
             | may do.
             | 
             | But don't freak out. Everyone is terrified when they get
             | their first lawyer letter. Everyone is outraged when they
             | get their second. And when they get their third (or fourth
             | or however long it takes to learn), they use it for toilet
             | paper.
        
               | ryandrake wrote:
               | Can you expand on how one would educate themselves on
               | this (besides getting a law degree), and how one would
               | determine that they need legal counsel, besides having
               | this vague feeling that they need it? Are there some
               | rules of thumb that a normal, non-lawyer can follow to
               | roughly gauge the seriousness of a written legal threat?
        
               | trentnix wrote:
               | Hopefully someone more educated than me will chime in,
               | but inevitably a C&D or some other lawyer letter will
               | reference law (for me, it was trademark law) or will
               | reference a contract. I've gotten both kinds, and found
               | that it was easier to educate myself regarding the
               | threats made in reference to the contract than in
               | reference to the law.
               | 
               | Once you do some searching you'll get a better idea of
               | whether you need legal counsel. And just because you
               | receive a letter doesn't mean you need to respond no
               | matter what absurd timeline the demanding letter might
               | have suggested.
               | 
               | Eventually they'll have to put up (and file a lawsuit) or
               | shut up.
        
             | CapitalistCartr wrote:
             | My wife went to law school. I know _lots_ of lawyers. The
             | spread between Justin (first in his class by a fat margin),
             | and the bottom, oh, say, quarter of the class, is brutal.
        
           | shuaavi wrote:
           | Palo Alto can easily cause us to put 500K USD into legal
           | fees, and I guess they thought that we'll bail out due to
           | this empty threat. We chose not to.
        
         | kobalsky wrote:
         | > Do take the letters seriously... determine whether there are
         | valid legal claims presented. But if there are not, it is a
         | scare tactic, so don't stress over it.
         | 
         | Is the validity of the legal claim that relevant? If deep
         | pockets co. wants to sue you into oblivion can't they just drag
         | the trial forever and make sure you go bankrupt from legal fees
         | before reaching a judgement?
        
           | kmeisthax wrote:
           | Depends on the jurisdiction and tort. America is notably
           | hostile to attorney fee shifting, to the point where we
           | literally call it the French Rule. If you're sued for
           | something baseless you're expected to have the money to
           | defend yourself. Copyright is unique in that fee shifting is
           | regularly granted in the US, but even then it's limited to
           | specific amounts of hours billed at a reasonable rate as
           | determined by a court. You don't get to just hire the most
           | expensive attorney with the expectation that they can make
           | the nuisance suit go away and then collect from the plaintiff
           | rather than the defendant.
        
           | azernik wrote:
           | Depends _how_ invalid the legal claim is. There are multiple
            | points a judge can say "this is such obvious BS I'm cutting
            | it off now" ("summary judgment").
        
         | soumyadeb wrote:
          | More likely than not, they have legal basis for what they are
         | asking for. Check with your lawyers and if they agree, you
         | should just accept and move on. The distraction (and cost) of
         | having to fight a legal battle to have a comparison page on
         | your website is just not worth it for most startups.
         | 
         | We are a tiny company building an open-source alternative to an
         | existing SaaS app and we have received two such letters in the
         | last 6 months. First time I just replied in an email, second
         | time I had the lawyers respond to create a legal trail. I don't
         | think we were at fault in both the cases but it is still not
         | worth it.
        
           | shuaavi wrote:
            | We checked VERY thoroughly. They don't have legal basis.
            | Federal law specifically prohibits clauses that prevent open
            | reviews. It is dubbed the 'yelp law'.
        
       | trhway wrote:
       | >In enacting the Consumer Review Fairness Act, Congress has also
       | prohibited businesses from including contract terms that prohibit
       | consumers from reviewing products or services they purchase.
       | 
        | [IANAL] If that is true I wonder whether PA Networks exposes
        | itself to a counter suit, as I think I know at least one similar
        | (in my layman view) case where inclusion and enforcement of a
        | contract provision violating a specific consumer law protection
        | provision was a ground for a successful class action. In such a
        | case one doesn't even need to actually fight the legal battle
        | themselves, just show it to lawyers with time to spare, and even
        | just mentioning such a possibility may be enough on its own.
        
       | robertab wrote:
          | I'm curious as to what Palo Alto is concerned about with these
          | videos. If they feel they are misrepresented, they can easily
          | post their own videos in response. But no doubt, transparency is
          | a necessity and cease-and-desist letters do no one any good.
        
         | dylan604 wrote:
         | Huh? If it causes the video giving bad reviews of their product
         | to be taken down, the C&D letter does a lot of good for Palo
         | Alto. Even if the review is accurate, if Palo Alto can force
         | the review to go away it is a good day's work for that lawyer.
        
           | hinkley wrote:
           | Unless you trigger the Streisand Effect.
           | 
           | But it looks like more people have upvoted this post than
           | actually watched the video, so maybe that isn't going to
           | happen.
        
       ___________________________________________________________________
       (page generated 2020-10-20 23:00 UTC)