[HN Gopher] Palo Alto Networks sends cease-and-desist letter to ...
___________________________________________________________________
Palo Alto Networks sends cease-and-desist letter to take down review videos

Author : bonfire
Score  : 313 points
Date   : 2020-10-20 17:31 UTC (5 hours ago)

web link (orca.security)

| neilv wrote:
| Trustworthiness seems to be one of the most important properties
| of a firewall company.
|
| But this news of a reviewer getting a cease-and-desist nastygram
| from PANW erodes some of the trust that PANW started with by
| default in my mind.
|
| They're not the only company to try to prevent independent
| benchmarking and reviews, but I've never liked that from any
| company.
|
| Perhaps this could be a learning moment for PANW, and they decide
| to change some policies?
|
| (I actually have one of those big old Palo Alto Networks blue
| rackmount firewalls right here, purchased with the intention of
| playing with it, either for ideas for OpenWrt features, or to
| decide whether to buy a new little one for interim use until I
| have more time for open source. I'm not getting many warm fuzzies
| from the big blue metal box at the moment, but maybe that will
| improve.)

| RIMR wrote:
| At this point in the game, how could anyone ever think that this
| was a good idea? Palo Alto Networks is already on my blacklist
| because of how badly their products perform in production. This
| makes it hard for me to ever consider them again, since it's
| clear that they are trying to purge negative information about
| their product from my view.

| hirundo wrote:
| Dear Palo Alto Networks: There is no way I would have watched
| that video if you hadn't demanded it be taken down. Now, having
| watched it, I can see why you want to hide it.

| mshook wrote:
| Typical case of https://en.wikipedia.org/wiki/Streisand_effect

| 3np wrote:
| We were just in the process of surveying firewalls.
| PANW was high on the list, given the user experience. They are
| no longer on it since today.

| unethical_ban wrote:
| I'll say this again; I said it elsewhere. And to clarify, I own
| no stock in PANW, I don't work for them, though I have years of
| experience managing PAN firewalls in a large deployment (and some
| experience with their competitors). My coworkers don't know my HN
| name, so I'm saying this from the heart, not for kudos from
| meatspace.
|
| As part of a team choosing a new technology for something, you
| really need to take a lot of things into consideration. This
| would be one thing your legal department would need to consider,
| undoubtedly. However, if you are trying to choose such a critical
| technology as your infosec stack, and you completely remove a
| company from a bakeoff because of a negative review (which this
| essentially is), then you are not running your bakeoff properly.
|
| PA firewalls and systems are pretty freaking good. I haven't
| worked with Checkpoint for a long time, but hear they got good a
| few years back when PA started eating their lunch. FirePOWER is
| the devil, as is Cisco.

| robertlagrant wrote:
| Is your heart telling you that you should get people to buy the
| product you've got professional experience with?

| azernik wrote:
| I suspect in this case it's not because of the single review, but
| because of the shady business practices.

| logicalmonster wrote:
| A review seems like a textbook case of fair use to me. Not sure
| where there's a justification for removing a review in this
| situation.

| kmeisthax wrote:
| Because of a legal precedent and a general fact about contract
| law:
|
| 1. Installation and/or execution of software constitutes copying
|    (the "RAM Copy Doctrine"), which is only lawful if the person
|    currently using the software has been licensed or sold the
|    software.
|
| 2. Licensing restrictions can restrict license holders from
|    exercising rights they otherwise would have as a matter of law.
|
| There is nothing prohibiting you from only licensing your
| software out under terms that prohibit licensees from exercising
| fair use or first sale rights. Indeed, this is one of Oracle's
| main "innovations": ever since Larry Ellison failed to get David
| DeWitt fired for daring to benchmark Oracle, they just made
| everyone who buys Oracle promise not to benchmark it. This is
| legally sound, and the only way around it is to argue that the
| software transaction was actually a sale and not a license - as
| far as I'm aware, though, nobody has been able to successfully
| articulate such a claim.

| wolco2 wrote:
| Doesn't a brief window exist where at 11:59pm you can run Oracle,
| but after midnight when the license expires and the results are
| back you could report on those numbers?

| shuaavi wrote:
| Just google 'yelp law'. It isn't legal these days.

| eternalban wrote:
| You mean CRFA?
|
| https://www.ftc.gov/tips-advice/business-center/guidance/con...
|
| Did a court rule that CRFA trumps (npi) DeWitt's Clause?
|
| https://dwheeler.com/essays/dewitt-clause.html
|
| (IANAL)

| otterley wrote:
| IAAL, and that is a good question. (This is not legal advice.)
|
| CRFA appears to apply to contracts that bind an "individual" and
| not a "person". This technical difference is important in
| contracts: an individual is also known in the art as a "natural
| person" (i.e., a human being), while a "person" could be an
| individual, a company, or other organization.
|
| So it is possible that the law does not apply to Orca Security
| because they are a "person" and not an "individual". In other
| words, if it can be found that Mr. Shua was acting as an officer
| or other representative of Orca Security instead of in his
| personal capacity, then CRFA may not apply to the license
| agreement.
|
| Again, this is NOT legal advice, and anyone seeking a legal
| opinion should engage a licensed attorney. This law is pretty new
| and I don't know whether this specific question has been tested
| by any court. But I would tread with caution.

| BrandoElFollito wrote:
| I am grateful to Palo Alto for the C&D. I had them on my radar
| screen for possible consideration next year on a large project.
|
| Now I don't anymore. That's a bunch of money that will go to
| someone else.
|
| This is the price when you have to defend the technical aspects
| of your solution with lawyers.

| quadrifoliate wrote:
| Yep, they just dropped out of consideration as a firewall vendor
| for me in the near future. The money for this superfluous legal
| stuff is coming from _somewhere_, probably from the overinflated
| margins. Also, no one wants to be sued by a company whose
| products you paid good money for.

| unethical_ban wrote:
| This is such an absurd take that I clicked your account to ensure
| you were not a troll.
|
| PAN, for all their true issues, puts out some impressive
| products. There is a reason they have eaten Checkpoint's and
| Cisco FirePOWER's lunch.
|
| Hilariously, my company blocks the article because it is a
| non-approved TLD. But I challenge you to defend the lawyers and
| ethics of other large infosec players.

| GartzenDeHaes wrote:
| I agree. If you have full-time security analyst(s) to tune and
| monitor it, PA's firewall is unbeatable for perimeter security
| AFAIK. Unfortunately, their other offerings don't measure up and
| tend to be a jumble of M&A.

| orca-pp wrote:
| With NSS Labs shutting down today, the need for objectivity and
| visibility into testing has never been greater.

| guardiangod wrote:
| I know no one cares about NSS Labs, but as an employee of an
| NSS-tested company I'd like to say RIP. No one does testing as
| rigorously as you, and thanks for all the headaches you've caused
| my teams.
|
| (Gartner is a joke. There, I said it.)
| kazen44 wrote:
| NSS Labs was one of the few labs which actually did rigorous
| testing in regards to firewall performance. It helped me and my
| company enormously, both with recommending solutions to customers
| as well as with troubleshooting, mainly by providing a truthful
| baseline compared to the datasheet of the vendor. All firewall
| vendors seem to basically lie on their datasheet in regards to
| real-life performance. This becomes a real pain in the arse when
| you start seeing performance issues or weird behaviour because
| you actually run a firewall "to spec".
|
| A good example of this was a Cisco ASA with FirePOWER (which in
| itself is a terrible solution, but alas). Even at "just" 50% of
| the specced load, we started seeing weird issues in regards to
| IPsec tunnels (SAs randomly dropping, getting abysmal performance
| at certain times, etc.).

| bonfire wrote:
| :) Same here

| cybert00th wrote:
| Our firewall guy thinks Palo Alto firewalls are really good and I
| don't dispute that they are. But I may just show him this
| tomorrow morning, as another perspective never hurts.

| RKearney wrote:
| I've used Palo Alto, Fortinet, and Cisco firewalls.
|
| Cisco is the worst by far, the Fortinet ones are not fun to use
| but have an incredible $/performance ratio, and the Palo Alto
| ones are by far the most expensive but also the most enjoyable to
| use.
|
| They're certainly not without their faults, and we've had issues
| with them that took time to remedy, but I wouldn't trade them for
| anything else I've seen so far from competitors.

| canarypilot wrote:
| Did you just publish the result of a benchmark or performance
| comparison test you ran to establish the difference in
| $/performance ratio between competitors?
|
| If so, I have bad news for your license compliance...

| RKearney wrote:
| Nope, I read the manufacturers' published specifications for
| their equipment and looked up the pricing on publicly accessible
| websites.
|
| https://www.paloaltonetworks.com/products/product-selection
|
| https://www.fortinet.com/products/product-compare?cat=ngfw
|
| And you can get pricing from any VAR's website such as CDW.com.
|
| Good try though.

| pmart123 wrote:
| Have you ever worked with Check Point's firewall?

| guardiangod wrote:
| Check out https://www.reddit.com/r/networking/ and search for the
| firewall/company names, sorted by Newest.
|
| (I don't subscribe to the sub nor have I posted anything in it. I
| do read it from time to time and find the comments alright from
| an end-user (i.e. sysadmin) point of view.)

| paultopia wrote:
| Palo Alto Networks also makes bossware so intrusive that it's
| basically malware. Their VPN software on MacOS, for example,
| collects tons of system data and starts itself persistently on
| reboot + cannot be quit unless the user happens to have
| much-more-technical-than-most-users levels of knowledge about
| things like sudo and how the various plist files work.
|
| My own experience, in a couple of Twitter threads:
|
| https://mobile.twitter.com/PaulGowder/status/129693268470763...
|
| https://mobile.twitter.com/PaulGowder/status/129686524552122...
|
| Tl;dr: I installed their VPN software on my personal computer in
| order to get remote library database access during COVID. It
| turns out that it wanted to know everything about my system and I
| had to rip holes into configuration files 99% of users couldn't
| even find in order to stop it.

| ecliptik wrote:
| It also uses High-Performance graphics for whatever reason when
| connected and can completely drain a full MacBook Pro battery in
| under an hour. Disconnecting does not free the GPU.
|
| On a positive note, I now have a reason to use the MacBook
| touchbar. Set up an Automator action to kill the PIDs to release
| the GPU when I no longer need to use VPN.

| justinclift wrote:
| Maybe their developers don't yet know that's fixable with a plist
| entry?
| e.g.:
|
| https://github.com/sqlitebrowser/sqlitebrowser/commit/72a452...
|
| You can manually add that to applications that don't have it, to
| see if it works. :)

| Spivak wrote:
| As much as I despise this kind of software as an end-user, the
| data collection can be for above-board purposes and is required
| in certain regulatory domains. Zero excuse for being a shitty
| application though.
|
| In our case we were required to verify that any machine that
| connected to our VPN was sufficiently updated, had a backup
| taken, was running AV and was recently scanned for malware, and
| had disk encryption enabled with our recovery key.

| paultopia wrote:
| Anyone who requires this level of security for regulatory
| purposes should not have a BYOD policy at all. "Only
| fully-managed, organization-owned devices get to touch this data"
| is the only fair way to both maintain data security in highly
| regulated environments and not effectively take ownership over
| employees' (and, in a university context, students') computers.

| Jonnax wrote:
| Sure, but it has no business doing this crap on university
| students' machines.
|
| It's straight up malware that modifies things that can break your
| computer.
|
| And it's not like they're going to offer support for fixing it.

| warhorse10_9 wrote:
| All of these things are actually configured by your university.
| They are configuration options for the firewall that enforces the
| portal. Blame your university IT, not Palo Alto.

| apostacy wrote:
| That's really gross. But it is sadly not at all unusual. In fact,
| Google's obscurely named "Keystone Agent" isn't much better.
|
| Apple should expose services in Control Center instead of making
| you use the terminal.

| warhorse10_9 wrote:
| I posted this in a comment response below.
|
| All of these things are actually configured by the
| company/library you are connecting to. They are configuration
| options for the firewall that are enforced by GlobalProtect.
| Blame your library IT, not Palo Alto.

| jlgaddis wrote:
| Dear Palo Alto Networks,
|
| In response to your "_Cease and Desist_" letter of 4 September
| 2020 to Avi Shua of Orca Security, we refer you to the reply
| given in the case of Arkell v. Pressdram [0].
|
| Sincerely,
|
| The Internet
|
| --
|
| [0]: https://lettersofnote.com/2013/08/07/arkell-v-pressdram/

| orliesaurus wrote:
| I applaud Orca Security for exposing the bs that Palo Alto
| Networks is trying to feed the enterprise security industry - as
| other comments have said, these are fairly standard, but you
| could have just not said anything and moved on... instead you
| come out and explain the situation. I love this transparency!

| ghastmaster wrote:
| > Palo Alto Networks appears oblivious to the fact that the New
| > York Attorney General's office sued and won an injunction
| > against McAfee from enforcing its contractual restrictions
| > against publishing reviews or comparisons of its products
| > without its consent more than 17 years ago. In enacting the
| > Consumer Review Fairness Act, Congress has also prohibited
| > businesses from including contract terms that prohibit
| > consumers from reviewing products or services they purchase.
|
| New York only matters if either party has standing in that
| jurisdiction. Palo Alto Networks (California) and Orca Security
| (Israel) would not; however, a case could be made that the video
| in question resides on servers (YouTube) in New York.
|
| The argument for the application of 15 U.S. Code § 45b appears
| to only apply to "form contracts".
|
| > means a contract with standardized terms-- (i) used by a person
| > in the course of selling or leasing the person's goods or
| > services; and (ii) imposed on an individual without a
| > meaningful opportunity for such individual to negotiate the
| > standardized terms.
|
| It appears as though the EULA is a form contract and Orca indeed
| falls under the protections of the Consumer Review Fairness Act.
|
| EULA:
| https://www.paloaltonetworks.com/content/dam/pan/en_US/asset...

| otterley wrote:
| Maybe, maybe not. See my analysis elsewhere about the importance
| of the word "individual" as opposed to "person" in the language
| of CRFA.

| cycop wrote:
| The letter is about using Palo Alto Networks trademarks on their
| website. I think Orca should just change their review to say
| "Palo Crapo Networks" .... issue solved

| yoavalon wrote:
| Or a new diet, Paleo Alto

| robertlagrant wrote:
| Or the slightly deeper Palo Tenor.

| zufallsheld wrote:
| It says "orcas comparison and rating of prisma and its public
| dissemination is a clear breach of...", so not just a trademark
| issue.

| fefe23 wrote:
| The title is deceptive.
|
| OP is not some independent site doing a neutral review. This is a
| competitor pretending to be neutral (and doing a laughably bad
| job at it; the "referee" is their evangelist).
|
| So they basically make an untrustworthy video that (surprise,
| surprise) comes to the conclusion that their product is better,
| provoke Palo Alto into a hamfisted knee-jerk response, and now
| try to drum up cheap publicity by posing as the victim.
|
| I have always regarded Palo Alto's products as snake oil, so this
| is not a fan defending their team.
|
| That said: this behavior of Orca is reprehensible and you should
| not reward them with your attention.

| shuaavi wrote:
| Fefe, we never said we're objective. Marketing is almost never
| objective. We tried to make it objective, but naturally - we're
| biased. But should the larger player be allowed to stop the
| smaller one from publishing his materials?

| AcerbicZero wrote:
| That's a silly lawyer move, but I also kind of understand where
| PA is coming from - the FW space is a crowded, reputation-driven
| world and a lot of classic late-00s companies are struggling to
| adapt to a less hardware-centric space.
|
| That said, build better products, don't take down crappy reviews.
| I've had terrific experiences with my PA FWs, and Panorama isn't
| too shabby as far as centralized mgmt solutions go - I'd hate to
| see them throw away all the goodwill they've built up with stupid
| choices like this.

| RIMR wrote:
| It's not just about the reviews. People make careers out of
| reviewing products. Legal complaints can lead to people being
| demonetized or deplatformed entirely.
|
| For PA to risk ruining other people's careers (for being honest!)
| just to artificially inflate the reputation of their own crappy
| product isn't something I can forgive very easily.

| codingdave wrote:
| Lawyers sending letters to discourage actions they do not like
| are fairly standard. I've had attorneys tell me that if you are
| not getting letters like this, you aren't making enough of an
| impact. And to be clear, this is just a letter - tossing one of
| these out just to see if it works is an easy tactic because many
| smaller organizations are terrified of litigation, and will cave
| to demands even if there is no legal basis for them.
|
| Do take the letters seriously... determine whether there are
| valid legal claims presented. But if there are not, it is a scare
| tactic, so don't stress over it.

| RIMR wrote:
| Legality isn't my concern. It's intent.
|
| Their intent is to prevent their customers and potential
| customers from hearing criticisms of their products.
|
| That alone is enough to make me never do business with them
| again. Legality means nothing; this was a breach of ethics and
| honesty.

| trentnix wrote:
| This. Many lawyers threaten and posture for a living. Don't let
| their empty threats bully you into submission if you've done
| nothing wrong.

| pavel_lishin wrote:
| How do you tell whether you're doing something wrong or not
| without spending money on your own lawyer?

| wldcordeiro wrote:
| Right? Just because it's normal for C&Ds to be sent doesn't mean
| it should be, because they're obviously weaponized by large
| organizations.
| trentnix wrote:
| That presumes a lawyer will give you good legal advice. I've been
| given poor legal advice before by a lawyer, and been given even
| worse tactical advice. I've gone against a lawyer's
| recommendations before when their explanation and recommendation
| did not jive with my reading and understanding.
|
| You should educate yourself and seek counsel if you believe you
| need it. Because ultimately the situation is no different than
| getting a physician's opinion or a consultant's opinion or
| whatever else - you seek that expertise because you feel you need
| it. And usually that means you have to pay for it. But a lawyer's
| opinion, even if it's a good opinion, doesn't inoculate you from
| being sued or threatened or whatever else an antagonizing party
| may do.
|
| But don't freak out. Everyone is terrified when they get their
| first lawyer letter. Everyone is outraged when they get their
| second. And when they get their third (or fourth or however long
| it takes to learn), they use it for toilet paper.

| ryandrake wrote:
| Can you expand on how one would educate themselves on this
| (besides getting a law degree), and how one would determine that
| they need legal counsel, besides having this vague feeling that
| they need it? Are there some rules of thumb that a normal,
| non-lawyer can follow to roughly gauge the seriousness of a
| written legal threat?

| trentnix wrote:
| Hopefully someone more educated than me will chime in, but
| inevitably a C&D or some other lawyer letter will reference law
| (for me, it was trademark law) or will reference a contract. I've
| gotten both kinds, and found that it was easier to educate myself
| regarding the threats made in reference to the contract than in
| reference to the law.
|
| Once you do some searching you'll get a better idea of whether
| you need legal counsel.
| And just because you receive a letter doesn't mean you need to
| respond, no matter what absurd timeline the demanding letter
| might have suggested.
|
| Eventually they'll have to put up (and file a lawsuit) or shut
| up.

| CapitalistCartr wrote:
| My wife went to law school. I know _lots_ of lawyers. The spread
| between Justin (first in his class by a fat margin) and the
| bottom, oh, say, quarter of the class is brutal.

| shuaavi wrote:
| Palo Alto can easily cause us to put 500K USD into legal fees,
| and I guess they thought that we'd bail out due to this empty
| threat. We chose not to.

| kobalsky wrote:
| > Do take the letters seriously... determine whether there are
| > valid legal claims presented. But if there are not, it is a
| > scare tactic, so don't stress over it.
|
| Is the validity of the legal claim that relevant? If deep pockets
| co. wants to sue you into oblivion, can't they just drag the
| trial on forever and make sure you go bankrupt from legal fees
| before reaching a judgement?

| kmeisthax wrote:
| Depends on the jurisdiction and tort. America is notably hostile
| to attorney fee shifting, to the point where we literally call it
| the French Rule. If you're sued for something baseless you're
| expected to have the money to defend yourself. Copyright is
| unique in that fee shifting is regularly granted in the US, but
| even then it's limited to specific amounts of hours billed at a
| reasonable rate as determined by a court. You don't get to just
| hire the most expensive attorney with the expectation that they
| can make the nuisance suit go away and then collect from the
| plaintiff rather than the defendant.

| azernik wrote:
| Depends _how_ invalid the legal claim is. There are multiple
| points at which a judge can say "this is such obvious BS I'm
| cutting it off now" ("summary judgment").

| soumyadeb wrote:
| More likely than not, they have a legal basis for what they are
| asking for.
| Check with your lawyers and, if they agree, you should just
| accept and move on. The distraction (and cost) of having to fight
| a legal battle to have a comparison page on your website is just
| not worth it for most startups.
|
| We are a tiny company building an open-source alternative to an
| existing SaaS app and we have received two such letters in the
| last 6 months. The first time I just replied in an email; the
| second time I had the lawyers respond to create a legal trail. I
| don't think we were at fault in either case, but it is still not
| worth it.

| shuaavi wrote:
| We checked VERY thoroughly. They don't have a legal basis.
| Federal law specifically prohibits clauses that prevent open
| reviews. It is dubbed the 'yelp law'.

| trhway wrote:
| > In enacting the Consumer Review Fairness Act, Congress has also
| > prohibited businesses from including contract terms that
| > prohibit consumers from reviewing products or services they
| > purchase.
|
| [IANAL] If that is true, I wonder whether PA Networks exposes
| itself to a counter suit, as I think I know at least one similar
| (in my layman view) case where inclusion and enforcement of a
| contract provision violating a specific consumer law protection
| provision was a ground for a successful class action. In such a
| case one doesn't even need to actually fight the legal battle
| themselves, just show it to lawyers with time to spare, and even
| just mentioning such a possibility may be enough on its own.

| [deleted]

| robertab wrote:
| I'm curious as to what Palo Alto is concerned about with these
| videos. If they feel they are misrepresented, they can easily
| post their own videos in response. But no doubt, transparency is
| a necessity and cease-and-desist letters do no one any good.

| dylan604 wrote:
| Huh? If it causes the video giving bad reviews of their product
| to be taken down, the C&D letter does a lot of good for Palo
| Alto.
| Even if the review is accurate, if Palo Alto can force the review
| to go away it is a good day's work for that lawyer.

| hinkley wrote:
| Unless you trigger the Streisand Effect.
|
| But it looks like more people have upvoted this post than
| actually watched the video, so maybe that isn't going to happen.
___________________________________________________________________
(page generated 2020-10-20 23:00 UTC)