Oracle Sues SAP for Spidering Their Support Site
TodoInSATX writes "Oracle has filed a lawsuit against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy. From the actual complaint:
'SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"
That's slightly different than just spidering.
the fuck is SAP?
... that Oracle acquires SAP, just like they bought every other ERP and CRM company with a mid-large business customer base. Vultures.
Does Oracle actually make "thousands of products"?
The higher the technology, the sharper that two-edged sword.
WTFIWATGDA??? (what the fuck is with all the goddamned acronyms ????)
How could Oracle's server have been compromised? I thought Oracle was "unbreakable"
Here's a copy of the article in case it gets slashdotted:
Oracle Sues SAP
On March 22, 2007, Oracle filed a lawsuit in U.S. Federal District Court in the Northern District of California against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.
Yeah, that's the entire thing (except for the 44-page PDF of the actual suit). Glad I could make sure that everyone got that clear and concise summarization, and can now fairly and properly comment on it.
Cheers!
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
Appears it wouldn't have made too much of a difference here, but perhaps something useful to know.
Hulk SMASH Celiac Disease
That little link to read the complaint actually includes rather shocking detail concerning how blatant SAP's misuse of the logins they used was. Not to mention the fact that they HAD to know they were leaving fingerprints left right and center, for example with one login they had downloaded 1800 distinct packages over 4 days, where the original user of the login was logging usage around 20 downloads per month.
Ice Cream has no bones.
I'm reading through the first bit of the actual suit, and here's what caught my eye:
These "customer users" supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of "xx" "ss" "User" and "NULL." Others used phony email addresses like "test@testyomama.com" and fake phone numbers such as "7777777777" and "123 456 7897."
Now, they do state that the IP doing the downloading was an SAP branch office in Texas... but still, if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?
I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
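The two signals these posts describe, a login pulling 1800 packages in four days against a baseline of about 20 a month, and registrations with placeholder names, test-style emails and pattern phone numbers, are both easy to check for on the portal side. The following is an added example, not code from the thread or from Oracle's support site; the account records and download log are constructed, and the baseline rate, window and multiplier are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the complaint quotes as obviously fake, plus one common placeholder
PLACEHOLDER_NAMES = {"xx", "ss", "user", "null", "test"}

# Constructed account records; only the fake-looking values echo the complaint
SAMPLE_ACCOUNTS = {
    "acct-1001": {"username": "jsmith", "email": "j.smith@example.com", "phone": "+1 415 555 0100"},
    "acct-2002": {"username": "xx", "email": "test@testyomama.com", "phone": "7777777777"},
    "acct-3003": {"username": "NULL", "email": "ops@example.com", "phone": "123 456 7897"},
}

def make_sample_events():
    """Constructed download log as (timestamp, account, object) tuples:
    one ordinary account and one login pulling 1800 packages in under 4 days."""
    base = datetime(2007, 1, 3, 9, 0)
    events = [(base + timedelta(days=i), "acct-1001", f"patch-{i}") for i in range(3)]
    events += [(base + timedelta(minutes=3 * i), "acct-2002", f"patch-{i}") for i in range(1800)]
    return events

def download_rate_alerts(events, baseline_per_month, window_days=4, factor=10):
    """Return {account: peak downloads} for accounts whose count inside any
    window_days span exceeds factor * the count their monthly rate predicts."""
    per_account = defaultdict(list)
    for ts, acct, _ in events:
        per_account[acct].append(ts)
    window = timedelta(days=window_days)
    alerts = {}
    for acct, times in per_account.items():
        times.sort()
        # Expected downloads in the window, scaled from the historical monthly rate
        threshold = factor * baseline_per_month.get(acct, 20) * window_days / 30.0
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[acct] = max(alerts.get(acct, 0), count)
    return alerts

def profile_alerts(accounts):
    """Return {account: reasons} for registrations whose contact fields look made up."""
    flagged = {}
    for acct, info in accounts.items():
        reasons = []
        if info["username"].strip().lower() in PLACEHOLDER_NAMES:
            reasons.append("placeholder username")
        local, _, domain = info["email"].lower().partition("@")
        if "test" in local or "test" in domain:
            reasons.append("test-style email")
        digits = "".join(ch for ch in info["phone"] if ch.isdigit())
        if len(set(digits)) <= 1 or digits.startswith("123456"):
            reasons.append("pattern phone number")
        if reasons:
            flagged[acct] = reasons
    return flagged
```

Neither check proves abuse on its own; the point is that an account hitting both is worth a look before, not after, it has pulled a few thousand files.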
One has to wonder if there was a discount if you passed along your Oracle support credentials. That would be an interesting marketing strategy.
One problem is that these customers downloaded files which weren't supposed to be made available to them under the terms of their support contracts. Why were their accounts able to get to these files then? I'm not sure that Oracle would want to admit they can't control the security of their own website, even if it boosts the credibility of the rest of their complaint.
Skip the press release and go right to the Complaint. (IT IS A PDF!! You've been warned.)
.. paranoid crackpot leftover from the days of Amiga.
I don't blame SAP for using whatever backchannel means necessary to access Oracle's knowledge base. I'm sure it was completely out of necessity to support their customers. It has always baffled me how completely locked down Oracle is when it comes to their support. If you are not paying on a support contract and have a login with sufficient rights, there is basically nothing to see of any use on their website. As a developer trying to evaluate a demo copy of the DBMS, I found it completely useless and ultimately was not able to get the demo to work because I couldn't get any support on it. The "big evil corporation" Microsoft doesn't have any problem putting their knowledgebase and troubleshooting guides out for public consumption, why does Oracle need to keep theirs a closely guarded company secret?
Oh, and I think what they were referring to with the phrase "Thousands of proprietary software products" was all the patches for their DBMS.
This file listing shows several directories and archive files. One of these files contains the server-side code used to collect the data. The other file contains server-side code for an administrator interface and a "customer" interface for data mining.
They are CGI applications written entirely in perl...There are perl modules, written as plug-ins for the server-side framework, for parsing out and storing the information collected by each of these and code for sending options data. There is code for loading the flat files produced by the collection code into MySQL...The front-end code provides a nice login page, generates views into indexed data, and provides account management.
This interface is designed so that an administrator adds customer accounts to the database. Customers can also log in and get results from queries based on certain fields (URL, form parameters, and so on). Each of these customer-generated queries has an associated price.
There are also other files that set default parameters, a default MySQL username and password for example. None of these default values worked on this server.
The stolen data is held in directories whose names can be guessed. Using the base directory from the perl code (translated according to the web server's DocumentRoot), combine these with version_id and user_id (generated ID for each infection) for subdirectories, and one can brute force directory names....one can script the wget utility and fetch all of the data residing on the server. There is no need to query the MySQL database.
the results added up to more than $2 million. And that, your honor, is exactly how SAP went about stealing Oracle's trojan, errr, proprietary customer management code.
From the summary: in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'" Did the customer support website look like this, or this?
....of corporate espionage. You know, like dumpster diving and such harmless but more dignified ways.
Anyways, pot calling kettle spy and all that.
"They got a customer account with us and copied down all of our support information. They could use it for nefarious things like supporting our customers! Oh noes!!!11!!eleven!"
Seriously, this reminds me of when SCO accused IBM of "hacking" for logging into its anonymous FTP server and discovering that SCO was still violating the GPL (in spite of its statements to the contrary).
So, I really feel bad blaming SAP for what some douchebag did at some subsidiary they just bought. I really doubt there was management knowledge outside of SAP TN of these events occurring, until now of course. It's really a bummer for SAP AG.
It's a fine line there -
We have several login accounts with several oil companies to place orders for fuel cards and collect transactions via a number of (very convoluted) websites, on behalf of fleets in the thousands.
Like any sensible organisation, we sit around having coffee and cakes and BBQ's all day, whilst cron jobs kick off CURL scripts to do all the hard work and earn all the money.
By Oracle's definition, we may be treading some fine line of DMCA violation. Fuck, I hope not - I love my friday arvo BBQ and beer parties at work.
actually like using SAP? I have yet to come across anyone who does. Sure it works and has lots of neat features but seriously, those of us "in the trenches" who must use it regularly... well I for one would rather pull my hair out than use SAP...
Yeah it's OT but I'm curious. If Oracle DID somehow manage to snap it up, would/could they make it any better?
There is simply too much glass..
Uh, this is nothing like that.
I'm kind of glad SAP is getting sued.... I don't like Oracle any better, but seeing SAP die means I'll have one less mega spaghetti app to maintain on my résumé. Now if only they could sue the shit out of Cognos my life would be complete.
:P
It's bad enough having to support multiple operating systems; supporting multiple "business intelligence" suites is about as fun as trying to shove a grizzly bear up your own ass. These projects are so "large" they seem to be written by a thousand different coders, each with a different set of design specs.
-Billco, Fnarg.com
Oracle is a company that appears to be driven by talented technical folks with blinders on. I'm only a techie, so I could be completely wrong here, but how many times has Oracle tried to reinvent the wheel rather than buy companies with the capabilities they were looking for? There are too many to list here, but after browsing their site (over the course of several years, which you'll have to do if you ever want to use their database product), they have invested a lot into things that they should have acquired.
They targeted the Java development crowd, but failed to do anything that appealed to a typical Java development shop. For instance, they have some kind of ORM tool, but JBoss bought Hibernate, which has now become nearly standard, as much of it is backed by/included with EJB 3. Adobe bought JRun from Alaire which, at the time, Oracle had the cash to purchase. Instead, as far as I know, Oracle chooses not to provide their own Servlet container. Furthermore, they probably could've bought BEA at some point, but chose not to. Arguably this could have made them be what it appears they're trying to become - an end to end solution for application development.
Couple that with the fact that they are getting hit hard by MySQL, PostgreSQL, and SQL Server, and you have a solid case as to why Oracle is on their way down. A friend and I were talking about this just the other day. The conclusion we came to was that sure, Oracle was great and innovative back when we were still using 486 processors, but now they are irrelevant for 90% of the market, if not more, due to increased availability of fast hardware. Oh, and their database is in large part a huge pain in the ass that cannot be uninstalled. As mentioned before, much of it is unnecessary for 90% of applications out there. Actually, the only people I see using/advocating it are people with the same mentality of "People never got fired for choosing Microsoft", or people that are a "DBA" in Oracle, which is equally absurd.
Companies like Oracle and SAP pretty much take on large corporations, military, and local / federal government projects. You'll never see Jack & Jane's diner using Oracle 10g to store their customer information. Oracle would be overkill and they would never even be able to afford an enterprise license, let alone the hardware and training to support it.
These entities bounce thousands and thousands of transactions daily - most of which occur concurrently - and have hundreds of users behind the controls, each with their own roles and credentials. MS Access and MS Excel would never handle that. Even SQL Server would lag behind the performance of companies like Oracle and SAP just on the database side, and without the applications, CRM, ERP, or supply-chain support. Furthermore, a lot of the business solutions that they provide take accounting, financial, and government business rules and laws into account. Again, a spreadsheet would never do this.
The design of the GUI, however, does leave much to be desired...
Best "String" Ever!
Sure, censor the views you don't like to hear Mr. moderator. Eat shit and die asshole.
The fact remains that SAP is fucking retarded. MBAs can't use spreadsheets and databases, so they need this crap; it's amazing how stupidity is rewarded in this economy built for self destruction.
The average programmer out there really has no clue about security or how systems really operate. They know their stuff but do not really think about how others operate. In fact, I would guess that it was generally support ppl that were doing all this and I suspect that only a few would really get this.
I prefer the "u" in honour as it seems to be missing these days.
Not that I'm an SAP fan either, but based on my experiences trying to get good answers out of Oracle's support materials in the past, I'm baffled as to why anyone would even want a copy of it.
Don't get me wrong, there are projects where I'd still use Oracle even so, but if I need Oracle support documents I'm probably going to Google and ignoring any of the responses that go to oracle.com. Generally, some random yahoo on the internet has done a better job of explaining Oracle's products/bugs/problems.
Oracle's site is so bad the phone support guys are quick to point it out *to you*. I find it hard to believe SAP would want anything from their site. Oracle has one good product - their RDBMS. It's a diamond in a bowl of mush. I wish they would stop goofing off with other crap and just polish that nut to a high gloss. Remember when they introduced their Java installer? Ha ha.
But why would SAP spider Oracle's support site? What could they do with support information?
All SAP products based on WebAS support Oracle DBMS. Other choices are the following: DB2 LUW, DB2/390, DB2/400, MAXDB (partially made by SAP) and MS SQL Server. SAP and Oracle have some kind of cooperation despite the competing products. Probably this cooperation is worse than SAP-IBM.
No offense intended,
.. heh ...
/. reader so I won't need to go through all those hula hoops to find out which that one acronym means ...
You assume to know; although I've got 2 IT people here with me, already for over 10 years active in the field, and they've asked ME what SAP was; so don't assume others presume the same, because such expectations only fail if you find out those assumptions (and presumptions) are flawed...
If you want to assume something, assume something people DO know for sure; but don't "assume" everyone is a walking dictionary/thesaurus/abbreviations guide; don't assume your standards upon another; it's what makes this world rotten: overexpectations of others without thinking about any other factors; maybe "presume" would be a better word in this context since its meaning is less aggressive towards its expectations.
Tolerance is another something which doesn't get thrown in enough when such expectations are not met; which makes people often striving against each other instead of working together to still meet the expectations of another; some of these people call this healthy competition.
In my opinion this question was a very valid question which will educate the other slashdotters who DO NOT know what SAP means; by all means, it's a question which is fully on-topic and should not require further research (leaving the Slashdot realm) before studying its acronyms or content; I'd presume the needed links will be made for me as
I will always keep remembering the quote "Assumption is the f*ckup of mother nature"
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Only the nine circles of Oracle Hell. . .
And yes, I've visited them all.
What?
At least they have more of a case to stand on than the crazy lady with the insanely expensive website from last week.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Could this lawsuit be nothing more than Larry being Larry?
There's an interesting quote from The Globe And Mail article on this:
"This isn't really about protecting intellectual property," said Forrester Research analyst Ray Wang. "This is all about the art of war."
It is not our abilities that show what we truly are... it is our choices.
I see a couple of Oracle employees sitting in a parking lot across the street from the Houston SAP branch office using a cantenna and a LINKSYS wireless SSID to create all the clumsy incriminating access attempts.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
One
Raging
Asshole
Called
Larry
Ellison
If any of you have ever had to deal with him or his company, you would know where I am coming from.
Jack & Jane could run Oracle 10g Express Edition for free on their windows or Linux server, assuming they could shoehorn themselves into 4GB of data and a limited number of concurrent connections, and live without some of the advanced features. If they then went to a franchise model, J&J could upgrade to the non-free versions without having a lot of pain changing database backends.
This is nothing new here. How many times have we used pseudonyms to gain access to resources on the net but didn't want the corresponding junk mail or other means of contact that accompanies "registered" users.
This is semi-public material that Oracle put on their support website and this data is useless to most people that don't use Oracle applications and/or databases. I know that SAP customers are using a mix of applications and/or databases from many companies so I assume that SAP support needed to get some data legitimately as a proxy for the customer because they have an Oracle application and/or database that SAP has some issue with, since SAP does have applications and/or databases that work with Oracle. Oracle support occasionally needs to go to SAP support to solve an SAP application and/or database issue they are experiencing because they are supporting a similar mixed environment.
Oracle is crying "unfair" because SAP has been gathering data from Oracle support servers but if Oracle has been gathering data from SAP support servers then it is okay.
In a world of mixed environments of applications, databases and/or operating systems Oracle needs to get off its high horse. Oracle just wants to be a monopoly in this market.
My granddad always used to say "There are no silly questions, only silly answers" ...
;) ...
Maybe this should be something to take account of in tags ? The name of the company/individual/website in a tag ?
This way your opinion would be auto policed and people would not need to ask "silly questions"
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
One has to consider motive. Honeytrap? Could Larry Ellison be behind the whole thing? What does Oracle have that SAP could rationally want? Oracle ERPware is allegedly inferior to SAP, but Ellison by reputation must rank as one of the shrewdest operators in the industry. Remember his poster campaign in Foster City against IBM's DB2. If you can't beat them, trash them, and some of the mud may stick, and make their management lose focus at the same time. If his own Oracle ERP software was so good, he would already be the industry dominant force, and he isn't. Funny, that. All sounds pretty fishy to me.