Palo Alto networks also makes bossware so intrusive that it's basically malware. Their VPN software on MacOS, for example, collects tons of system data and starts itself persistently on reboot + cannot be quit unless the user happens to have much-more-technical-than-most-users levels of knowledge about things like sudo and the various plist files work.
Tl;dr: I installed their VPN software on my personal computer in order to get remote library database access during COVID. It turns out that it wanted to know everything about my system and I had to rip holes into configuration files 99% of users couldn't even find in order to stop it.
If anyone is required to use Palo Alto or any other closed source VPN, try using Openconnect [1]. It is an open source client for Palo Alto, Cisco, Juniper, etc. VPNs which typically are just cruft on top of IPSEC tunnels. While some of the features these VPNs offer sound cool but at the end of the day they use client side validation in the from of a 'trojan' binary that is downloaded and collects a bunch of metadata about your system. Obviously this can be spoofed pretty easily if you have full control of the machine. I know it works on Linux and it should work on Mac, and Windows.
With some tweaking you can also use it to configure a split tunnel (at least on Linux) VPN so that your employer can't spy on all of your web activity. (Really for any VPN you just need to update the routing table after the VPN software is running).
Oh, how interesting! Thanks for linking this. I'd love to hear if anyone has experience with it---slightly anxious about using unknown software for sensitive tasks like VPN, but it does look like a pretty robust project...
I’ve been using it for years now. I have a Debian vm that is configured as a NATing router so I can flexibly send traffic wherever I want. Also use unbound to use the company dns for company internal queries only.
With the particular Palo Alto config the company uses I need to peel a cert off of a windows domain member as well as my creds, but that’s not hard to manage
It also uses High-Performance graphics for whatever reason when connected and can completely drain a full MacBook Pro battery in under an hour. Disconnecting does not free the GPU.
On a positive note, I now have a reason to use to MacBook touchbar. Setup an Automator action to kill the PIDs to release the GPU when I no longer need to use VPN.
> It also uses High-Performance graphics for whatever reason when connected and can completely drain a full MacBook Pro battery in under an hour. Disconnecting does not free the GPU.
Which is ultimately a bug, or a missing feature, in MacOS -- it shouldn't be possible for a random broken app to make your 10h battery only last 1h -- change my mind.
Coincidentally, even though MacBook Pro 16" has a much larger battery than MacBook Air -- ~100Wh vs. ~50Wh -- MBP is also capable of consuming said battery at a much faster rate -- 100W vs. 30W. So, if you need an average web-browsing machine with the best battery runtime in the presence of silly apps that consume all available resources, it's actually a much better choice to get MBA vs. MBP.
Why Apple doesn't introduce a setting to optimise the runtime for battery, or a lap-use mode, is beyond me. I had to install Turbo Boost Switcher to make my 2020 MBP16" usable as a laptop -- it runs out of battery, and is too hot to use on a lap, otherwise. Sadly, there's not even any tool to reliable turn off the graphics card, either -- I had to find a setting to switch it off in Firefox manually.
I've determined based on trial and error that the High-Performance graphics usage only happens after the animation during the Okta Verify window in their embedded browser. Unfortunately, there's no way for me to disable that and still authenticate into the VPN.
Hmm. I don't know about Windows, but when I've used Linux in the last few years, my impression of systemd is that somebody looked over at Apple's launchd and inexplicably said "yes, that's a great idea, let's do that," then did it just a little bit worse.
I mean, the general design is fine, the UX kind of sucks though. systemctl stop/start/restart/reload/enable/disable is a lot easier to grok than launchctl.
All of these things are actually configured by the company/library you are connecting to. They are configuration options for the firewall that are enforced by global protect. Blame your library IT, not Palo Alto.
It isn’t. You will have to speak with the IT staff to understand how they have it configured. If you have an issue with this use a third party open source client.
The point is, any enterprise client is expected to have these features. Don’t install them on your personal laptop if you have a problem with what is expected behavior.
Let's lay this out. Let's say you are a government IT shop (it doesn't matter what level, state, nation whatever), or a bank, or a hospital, you are required by law to control how data is processed on your network. Therefore you must monitor compliance for devices connecting to your network. This is what GlobalProtect was designed for. It can be used in less restrictive environments, but the IT shop should make sure to audit the rules and policies of the client to not be overly burdensome on users. Palo Alto has numerous courses to train IT professionals to configure their products. It is on the IT professionals to configure the services correctly.
Right, Global Protect is great in regulated environments. You can turn on its always on functionality and devices can then be used while connected to VPN or not at all. If that setting is configured in an environment where users are connecting their personal devices, it's misconfigured, pure and simple.
As much as I despise this kind of software as an end-user the data collection can be for above-board purposes and is required in certain regulatory domains. Zero excuse for being a shitty application though.
In our case we were required to verify that any machine that connected to our VPN was sufficiently updated, had a backup taken, was running AV and was recently scanned for malware, and had disk encryption enabled with our recovery key.
Anyone who requires this level of security for regulatory purposes should not have a BYOD policy at all. "Only fully-managed, organization-owned devices get to touch this data" is the only fair way to both maintain data security in highly regulated environments and not effectively take ownership over employees (and, in a university context, student) computers).
All of these things are actually configured by your university. They are configuration options for the firewall that enforces the portal. Blame your university IT, not Palo Alto.
The policies are really not excessive, Palo Alto is designing for enterprises which would want many of these restrictions on their assets. It just so happens the software is flexible enough to be used in BYOD settings. The IT professionals in those settings need to do their due diligence and apply appropriate policies. This is a PICNIC/PEBKAC.
Regulations (I'm familiar with HIPAA/SOX/PCI) do not require specific technical implementations like this. These are just things that have been negotiated between IT and their auditor. Saying shitty IT policies are due to "regulation" is almost always a cop-out.
Lawyers sending letters to discourage actions they do not like are fairly standard. I've had attorneys tell me that if you are not getting letters like this, you aren't making enough of an impact. And to be clear, this is just a letter - tossing one of these out just to see if it works is an easy tactic because many smaller organizations are terrified of litigation, and will cave to demands even if there is no legal basis for them.
Do take the letters seriously... determine whether there are valid legal claims presented. But if there are not, it is a scare tactic, so don't stress over it.
Why/how would they cause you to put that much into legal fees? You don't need to hire an attorney, and probably you can hire anyone (with a legal bar license), right? Just hire the cheapest one. Sure that might not be the brightest tactic, but claiming that they can "cause" this is very strange. (You might even get someone to file motions for you pro bono.)
Do you know what they call the person who graduated at the bottom of their law school class? "Counselor."
Do not hire the cheapest lawyer you can find. The amount of work required to analyze this situation is a few hours at most; and the hourly-rate difference between a good lawyer and a bad lawyer is going to be far less than what it will cost you if you get bad advice.
> You might even get someone to file motions for you pro bono
No attorney worth a damn is going to provide a commercial entity pro bono representation.
That presumes a lawyer will give you good legal advice. I've been given poor legal advice before by a lawyer, and been given even worse tactical advice. I've gone against a lawyer's recommendations before when their explanation and recommendation did not jive with my reading and understanding.
You should educate yourself and seek counsel if you believe you need it. Because ultimately the situation is no different than getting a physician's opinion or a consultant's opinion or whatever else - you seek that expertise because you feel you need it. And usually that means you have to pay for it. But a lawyer's opinion, even if it's a good opinion, doesn't inoculate you from being sued or threatened or whatever else an antagonizing party may do.
But don't freak out. Everyone is terrified when they get their first lawyer letter. Everyone is outraged when they get their second. And when they get their third (or fourth or however long it takes to learn), they use it for toilet paper.
> But a lawyer's opinion, even if it's a good opinion, doesn't inoculate you from being sued or threatened or whatever else an antagonizing party may do.
Actually, "reliance on advice of counsel" is a valid legal defense. It's an interesting legal privilege lawyers have given themselves.
Reliance on advice of counsel is not a blanket defense against any arbitrary crime you could be charged with or civil liability you might face. It is only a defense in a certain limited set of circumstances; and it also requires you to waive attorney-client privilege.
Can you expand on how one would educate themselves on this (besides getting a law degree), and how one would determine that they need legal counsel, besides having this vague feeling that they need it? Are there some rules of thumb that a normal, non-lawyer can follow to roughly gauge the seriousness of a written legal threat?
Hopefully someone more educated than me will chime in, but inevitably a C&D or some other lawyer letter will reference law (for me, it was trademark law) or will reference a contract. I've gotten both kinds, and found that it was easier to educate myself regarding the threats made in reference to the contract than in reference to the law.
Once you do some searching you'll get a better idea of whether you need legal counsel. And just because you receive a letter doesn't mean you need to respond no matter what absurd timeline the demanding letter might have suggested.
Eventually they'll have to put up (and file a lawsuit) or shut up.
A good rule of thumb is that when an attorney sends you a cease and desist letter, you should hire an attorney to read it and give you advice on what to do and/or how to respond -- especially if you are inclined not to assent to the demands made.
I know this, not only as an attorney today, but as someone who (before I got my law degree) did not do this and paid a very high price for my immaturity. Hiring an attorney could have saved me many thousands of dollars.
My wife went to law school. I know lots of lawyers. The spread between Justin (first in his class by a fat margin), and the bottom, oh, say, quarter of the class, is brutal.
Justin relishes a fight; he's confident. He's creative in his thinking. Many lawyers are paper pushers. They file the right documents, fill out the right forms, but they can't think tactically to save their lives. They're never going to change the outcome of a case.
Most likely than not, they have legal basis for what they are asking for. Check with your lawyers and if they agree, you should just accept and move on. The distraction (and cost) of having to fight a legal battle to have a comparison page on your website is just not worth it for most startups.
We are a tiny company building an open-source alternative to an existing SaaS app and we have received two such letters in the last 6 months. First time I just replied in an email, second time I had the lawyers respond to create a legal trail.
I don't think we were at fault in both the cases but it is still not worth it.
We checked VERY thoroughly.
They don't have legal basis. Federal law specifically prohibit clauses that prevent open reviews. It is dubbed the 'yelp law'
I would double check that legal advice (assuming you actually consulted a competent attorney who specializes in this law). See my analysis elsewhere in this discussion.
> Most likely than not, they have legal basis for what they are asking for... you should just accept and move on... The distraction (and cost) of having to fight a legal battle
This is not reasonable advice. 95% of lawyer's letters that we receive are without legal merit and do not lead to any legal action if ignored. You can generally tell which ones have merit. If you're not certain, sure you can ask a lawyer - but even asking a lawyer costs money, so don't bother for letters that are obviously attempts at intimidation.
As a serial entrepreneur that is the brains in building the entire hardware and software of several acquired systems I have been the recipient of multiple such certified delivery cease and desists. While my case does not match that of this topics point mine was threating to inform me to stay out of the industry which clearly I did not, just a scare tactic without grounds because they knew of my talents. My most recent exit I secured a legally binding document with the new owner that states I cannot be pursued for anything by either the parent company or any future subsidiary. It has been crickets.
As others say your best option is to read and understand your situation since you lived it as no one will care more about it than you, not even a lawyer you are paying but they will gladly take your money, again from experience.
> Do take the letters seriously... determine whether there are valid legal claims presented. But if there are not, it is a scare tactic, so don't stress over it.
Is the validity of the legal claim that relevant? If deep pockets co. wants to sue you into oblivion can't they just drag the trial forever and make sure you go bankrupt from legal fees before reaching a judgement?
Depends on the jurisdiction and tort. America is notably hostile to attorney fee shifting, to the point where we literally call it the French Rule. If you're sued for something baseless you're expected to have the money to defend yourself. Copyright is unique in that fee shifting is regularly granted in the US, but even then it's limited to specific amounts of hours billed at a reasonable rate as determined by a court. You don't get to just hire the most expensive attorney with the expectation that they can make the nuisance suit go away and then collect from the plaintiff rather than the defendant.
Depends how invalid the legal claim is. There are multiple points a judge can say "this is such obvious BS I'm cutting it off now" ("summary judgment").
OP is not some independent site doing a neutral review. This is a competitor pretending to be neutral (and doing a laughably bad job at it; the "referee" is their evangelist).
So they basically make a untrustworthy video that (surprise, surprise) comes to the conclusion that their product is better, provoke Palo Alto into a hamfisted knee-jerk response, and now try to drum up cheap publicity by posing as the victim.
I have always regarded Palo Alto's products as snake oil, so this is not a fan defending their team.
That said: This behavior of Orca is reprehensible and you should not reward them with your attention.
Fefe,
We never said we're objective.
Marketing is almost never objective. We tried to make it objective, but naturally - we're biased.
But should the larger player be allowed to stop the smaller one from publishing his materials?
> Palo Alto Networks appears oblivious to the fact that the New York Attorney General’s office sued and won an injunction against McAfee from enforcing its contractual restrictions against publishing reviews or comparisons of its products without its consent more than 17 years ago. In enacting the Consumer Review Fairness Act, Congress has also prohibited businesses from including contract terms that prohibit consumers from reviewing products or services they purchase.
New York only matters if either party has standing in that jurisdiction. Palo Alto Networks(California) and Orca Security(Israel) would not, however there could be made a case that the video in question resides on servers(youtube) in New York.
The argument for the application of 15 U.S. Code § 45b appears to only apply to "form contracts".
> means a contract with standardized terms— (i) used by a person in the course of selling or leasing the person’s goods or services; and (ii) imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized terms.
It appears as though the EULA is a form contract and Orca indeed falls under the protections of the Consumer Reviews Fairness Act.
Good catch! It looks like the New York case does indeed have some relevance as well considering the code explicitly allows state's attorneys general to file suit using this statute. Because it did not proceed to the higher courts(that I know of) it is not of great significance, but still noteworthy.
I don't think People v. Network Associates (the McAfee case, 758 N.Y.S.2d 466 (2003)) is on point. That case involved a number of complex facts, like a difference between the license agreement (which did not contain the restrictive terms and contained an "entire agreement" clause) and the warning printed on the media; and whether consumers could be misled by the warning on the media.
The court did not hold that restrictions in license agreements were void due to public policy. Rather, it held that Network Associates could not bind customers to the language on the disks because the language deceived the customer.
Our firewall guy thinks Palo Alto firewalls are really good and I don't dispute that they are. But I may just show him this tomorrow morning as, another perspective never hurts.
I've used Palo Alto, Fortinet, and Cisco firewalls.
Cisco is the worst by far, the Fortinet are not fun to use but have an incredible $/performance ratio, and the Palo Alto ones are by far the most expensive but also the most enjoyable to use.
They're certainly not without their faults, and we've had issues with them that took time to remedy, but I wouldn't trade them for anything else I've seen so far from competitors.
Did you just publish the result of a benchmark or performance comparison test you ran to establish the difference in $/performance ratio between competitors?
If so, I have bad news for your license compliance...
That's a good thing to warn people of, but feels like a complete red flag in a license. If a company isn't willing to stand by their product in reviews, then that should be a reason to disqualify their product from consideration.
(I don't subscribe to the sub nor have I posted anything in it. I do read it from time to time and find the comments alright from an end-user (ie. sysadmin) point of view.)
FWIW, I know a Checkpoint guy and he swears they’re the best. I haven’t had a chance to do a comparison with him yet but the impression I get is that Checkpoint gets overlooked more than anything so they don’t do great on r/networking.
There is another guy in this thread who gives a good review saying Checkpoint got good in response to competition. Forti is the value option. And, FTD is looked down upon while ASA has some niches.
So, PAN, Checkpoint, and Fortinet appears to be the leaders.
Dear Palo Alto Networks: There is no way I would have watched that video if you hadn't demanded it be taken down. Now having watched it I can see why you want to hide it.
I'll say this again, I said it elsewhere. And to clarify, I own no stock in PANW, I don't work for them, though I have years of experience managing PAN firewalls in a large deployment (and some experience with their competitors). My coworkers don't know my HN name so I'm saying this from the heart, not for kudos from meatspace.
As part of a team choosing a new technology for something, you really need to take a lot of things into consideration. This would be one thing your legal department would need to consider, undoubtedly. However, if you are trying to choose such a critical technology as your infosec stack, and you completely remove a company from a bakeoff because of a negative review (which this essentially is), then you are not running your bakeoff properly.
PA firewalls and systems are pretty freaking good. I haven't worked with Checkpoint for a long time, but hear they got good a few years back when PA started eating their lunch. FirePOWER is the devil, as is Cisco.
I must agree, and I have been a PAN evangelist for a couple years. That said, my only other NGFW experience is with Firepower and I always feel gross after working with those. The only good thing I can say about Firepower is that my billable time gets padded to the stratosphere due to how long it takes to do anything in there.
If I burned a vendor every time they sent someone a mean letter, I would probably have nobody left to do business with.
The CTO and I agreed we value honesty and integrity in the companies we work with. On top of that, this is not behavior we want go support. If they pull BS on others, they may pull BS on us one day. It does not give good expectations for how they would handle disclosure surrounding some embarrassing security incident, for one thing.
"Business is business" may have different connotation for different people.
Business is business. I don't like PA's behavior here either, but you aren't going to get better behavior from Cisco or others. Good luck spinning up some OpenBSD servers for your security stack, if ideological purity is a higher priority than your network's security.
The question isn't "how likely is it that PA is going to sue us", but "how bad do your products have to be that you resort to legal threats to prevent people from doing benchmarks"?
Yep, they just dropped out of consideration as a firewall vendor for me in the near future. The money for this superfluous legal stuff is coming from somewhere, probably from the overinflated margins. Also no one wants to be sued by a company whose products you paid good money for.
My first thought was I saw this thread was the Barbara Streisand effect. My employer uses GP, but at least I learned about mitigation from this thread, such as OpenConnect.
This is such an absurd take that I clicked your account to ensure you were not a troll.
PAN, for all their true issues, puts out some impressive products. There is a reason they have eaten Checkpoint and Cisco FirePOWER's lunch.
Hilariously, my company blocks the article because it is a non-approved TLD. But I challenge you to defend the lawyers and ethics of other large infosec players.
I agree. If you have a full time security analyst(s) to tune and monitor it, PA's firewall is unbeatable for perimeter security AFAIK. Unfortunately, their other offerings don't measure up and tend to be a jumble of M&A.
Trustworthiness seems to be one of the most important properties of a firewall company.
But this news of a reviewer getting cease&desist nastygram from PANW erodes some of the trust that PANW started with by default in my mind.
They're not the only company to try to prevent independent benchmarking and reviews, but I've never liked that from any company.
Perhaps this could be a learning moment for PANW, and they decide to change some policies?
(I actually have one of those big old Palo Alto Networks blue rackmount firewalls right here, purchased with the intention of playing with it, either for ideas for OpenWrt features, or to decide whether to buy a new little one for interim use until I have more time for open source. I'm not getting much warm-fuzzies from the big blue metal box at the moment, but maybe that will improve.)
In response to your "Cease and Desist" letter of 4 September 2020 to Avi Shua of Orca Security, we refer you to the reply given in the case of Arkell v. Pressdram [0].
Bear with me here, but what if this entire thing was engineered from the beginning to be a marketing technique? The videos themselves? Marketing. The "we got a cease and desist from a big company" blog? Marketing. The follow-up letter about transparency? Marketing. And it all falls right into the David vs. Goliath story that the tech community loves.
No, not fabricated at all. I'm suggesting that they had to know that what they were doing would provoke a response from PAN. And as soon as it did, a nice "underdog" blog post was ready to go.
I applaud Orca security to expose the bs that Palo Alto Networks is trying to feed the enterprise security industry - as other comments have said, these are fairly standard, but you could have just not said anything and moved on...instead you come out and explain the situation. I love this transparency!
>In enacting the Consumer Review Fairness Act, Congress has also prohibited businesses from including contract terms that prohibit consumers from reviewing products or services they purchase.
[IANAL] if that is true i wonder whether PA Networks exposes itself to counter suit as i think i know at least one similar (in my layman view) case where inclusion and enforcement of a contract provision violating a specific consumer law protection provision was a ground for successful class action. In such a case one doesn't even need to actually fight the legal battle themselves, just show it to lawyers with time to spare, and even just mentioning such possibility may be enough on its own.
Thats a silly lawyer move, but I also kind of understand where PA is coming from - the FW space is a crowded, reputation driven world and a lot of classic late 00s companies are struggling to adapt to a less hardware centric space.
That said, build better products, don't take down crappy reviews. I've had terrific experiences with my PA FW's and Panorama isn't too shabby as far as centralized mgmt solutions go - I'd hate to see them throw away all the good will they've built up with stupid choices like this.
It's not just about the reviews. People make careers out of reviewing products. Legal complaints can lead to people be demonetized or deplatformed entirely.
For PA to risk ruining other people's careers (for being honest!) just to artificially inflate the reputation of their own crappy product isn't something I can forgive very easily.
The letter is about using Palo Alto Networks trademarks on their website. I think Orca should just change their review to say "Palo Crapo Networks" .... issue solved
At this point in the game, how could anyone ever think that this was a good idea? Palo Alto Networks is already on my blacklist because of how badly their products perform in production. This makes it hard for me to ever consider them again, since it's clear that they are trying to purge negative information about their product from my view.
Prisma cloud (the cloud monitoring part) is not a great product. It lags pretty far behind cloud provider capabilities.
I also got the email that orca probably sent to everyone in their CRM about this, and while I didn’t need any reason to think less of prisma, I now associate Orca as a competitor and probably an earlier call than palo alto for cloud.
We are considering prisma cloud to monitor an on premise kubernetes deployment. Is there anything I should be concerned about or better options to consider?
The Kubernetes protection is derived from their Twistlock acquisition which is really good (just wish they’d get some SAST stuff in there). Not tied to RQL (but can be queried with it for some information)
I actually have never seen it's kubernetes security platform.
If it's using RQL for that I would take that as a redflag that it won't support much customization or logic that would allow you to tailor it to your organization.
I know no one cares about NSS Labs but as an employee of a NSS-tested company I'd like to say RIP. No one does testing as rigorously as you, and thanks for all the headaches you've caused my teams.
NSS labs was one of the few labs which actually did rigorous testing in regards to firewall performance. It helped me and my company enourmously with both recommending solutions to customers aswell as troubleshooting. Mainly by providing a truthfull baseline compared to the datasheet of the vendor. all firewall vendors seem to basically lie on their datasheet in regards to real life performance. This becomes a real pain in the arse when you start seeing performance issues or weird behaviour because you actually run a firewall "to spec".
a good example of this was a cisco asa with firepower (which in itself ia a terrible solution, but alas).
even at "just" 50% of the specced load, we started seeing weird issues in regards to IPsec tunnels. (SA's randomly dropping, getting abysmal performance at certain times etc).
I'm curious as to what Palo Alto is concerned about with these videos. If they feel they are mis-represented, they can easily post their own videos in response. But no doubt, transparency is a necessity and cease-and-desist letters does no one any good.
Huh? If it causes the video giving bad reviews of their product to be taken down, the C&D letter does a lot of good for Palo Alto. Even if the review is accurate, if Palo Alto can force the review to go away it is a good day's work for that lawyer.
While the Streisand Effect might be valid, I am curious if lawyers give a crap about it. If more people start posting the same content and/or similar but equally aggravating content, then that's just more work for the lawyers to do. More billable hours. They'll just have an intern or do it.
Because of a legal precedent and a general fact about contract law:
1. Installation and/or execution of software constitutes copying (the "RAM Copy Doctrine") which is only lawful if the person currently using the software has been licensed or sold the software
2. Licensing restrictions can restrict license holders from exercising rights they otherwise would have as a matter of law
There is nothing prohibiting you from only licensing your software out under terms that prohibit licensees from exercising fair use or first sale rights. Indeed, this is one of Oracle's main "innovations": ever since Larry Ellison failed to get David DeWitt fired for daring to benchmark Oracle, they just made everyone who buys Oracle promise not to benchmark it. This is legally sound and the only way around it is to argue that the software transaction was actually a sale and not a license - as far as I'm aware, though, nobody has been able to successfully articulate such a claim.
IAAL, and that is a good question. (This is not legal advice.)
CRFA appears to apply to contracts that bind an "individual" and not a "person". This technical difference is important in contracts: an individual is also known in the art as a "natural person" (i.e., a human being), while a "person" could be an individual, a company, or other organization.
So it is possible that the law does not apply to Orca Security because they are a "person" and not an "individual". In other words, if it can be found that Mr. Shua was acting as an officer or other representative of Orca Security instead of in his personal capacity, then CRFA may not apply to the license agreement.
Again, this is NOT legal advice, and anyone seeking a legal opinion should engage a licensed attorney. This law is pretty new and I don't know whether this specific question has been tested by any court. But I would tread with caution.
I would be extremely surprised if the CRFA applied to competitors (or generally to corporations). The first word is "consumer", and competitors are generally not consumers of each other's products.
If you are correct though, doesn't that make Oracle et al's "no benchmarks" stipulation non-enforceable as well? That would be kind of nice.
Doesn't a brief window exists where at 11:59pm you can run Oracle but after midnight when lic expires and the results are back you could report on those numbers.
My own experience, in a couple Twitter threads:
https://mobile.twitter.com/PaulGowder/status/129693268470763...
https://mobile.twitter.com/PaulGowder/status/129686524552122...
Tl;dr: I installed their VPN software on my personal computer in order to get remote library database access during COVID. It turns out that it wanted to know everything about my system and I had to rip holes into configuration files 99% of users couldn't even find in order to stop it.