Oracle Sues SAP for Spidering Their Support Site

TodoInSATX writes "Oracle has filed a lawsuit against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy. From the actual complaint: 'SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"

The actual suit..

[Cervantes]

I'm reading through the first bit of the actual suit, and here's what caught my eye:

These "customer users" supplied user information (such as user name, email address, and phone number) that did
not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of "xx" "ss" "User" and "NULL." Others used phony email addresses like "test@testyomama.com" and fake phone numbers such as "7777777777" and "123 456 7897."

Now, they do state that the IP doing the downloading was an SAP branch office in Texas... but still, if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?

I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.

Re:Using customer logins?

No they don't, many sites will allow googlebot into their site without registering. In fact on some sites that normally require logins you can change your browser's identity to googlebot and get into the site without registering. That's how google caches non public sites, they don't use usernames and passwords.

Re:What

[ray-auch]

Well, typically only really big places use it since it costs millions and takes years (and more $$$) of consultancy and configuration to roll it out.

When you finally get it, the UI is an excercise in how many good UI design principles can we possibly break on one screen. Response to comments on the UI ? - "Vee are the third largest softvare company in zee vorld" (or in other words, they're so successful they must be right).

Be thankful you've never had to use it.

Re:You're Missing Out

[TubeSteak]

right before the complaint talks about all that, it says this:

"SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials. For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials."

While that doesn't excuse SAP, you have to wonder at the kind of security Oracle has got on their support site. I mean, they don't revoke access to expired accounts & they give accounts more access than was paid for.

Seems pretty shoddy to me.

Re:What

[l-ascorbic]

It has a market cap of $57 billion. That's larger than Yahoo, over twice the size of Sun and only around 25% smaller than Oracle. To put it in perspective, MSFT is three times the size of Oracle, the number 2. The numbers would be similar if you did it by revenue, but that's more annoying to look up. The fact you haven't heard of them doesn't prove that they're insignificant - just that you're ignorant.