Slashdot Mirror


Oracle Sues SAP for Spidering Their Support Site

TodoInSATX writes "Oracle has filed a lawsuit against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy. From the actual complaint: 'SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"

43 of 148 comments

  1. Using customer logins? by Anonymous Coward · · Score: 5, Insightful

    That's slightly different than just spidering.

    1. Re:Using customer logins? by Jussi+K.+Kojootti · · Score: 4, Informative

      You do know that there is an alternative explanation for that? The sites in question may well let googlebot in without registering...

    2. Re:Using customer logins? by Anonymous Coward · · Score: 3, Interesting

      No they don't, many sites will allow googlebot into their site without registering. In fact on some sites that normally require logins you can change your browser's identity to googlebot and get into the site without registering. That's how google caches non public sites, they don't use usernames and passwords.

    3. Re:Using customer logins? by Yvanhoe · · Score: 2, Informative

      And here is a link to Oracle's robots.txt. Only this line "Disallow: /support/metalink/index.html" forbids access to the support/ branch. I am not sure this is enough...

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  2. What by Anonymous Coward · · Score: 2

    the fuck is SAP?

    1. Re:What by dedazo · · Score: 4, Funny

      the fuck is SAP?

      Site
      Attacked &
      Pwned.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    2. Re:What by l-ascorbic · · Score: 4, Informative

      It's only the third-largest software company in the world.

    3. Re:What by asavage · · Score: 4, Informative

      SAP is the largest software company in Europe.

    4. Re:What by ray-auch · · Score: 5, Interesting

      Well, typically only really big places use it since it costs millions and takes years (and more $$$) of consultancy and configuration to roll it out.

      When you finally get it, the UI is an exercise in how many good UI design principles can we possibly break on one screen. Response to comments on the UI? - "Vee are the third largest softvare company in zee vorld" (or in other words, they're so successful they must be right).

      Be thankful you've never had to use it.

    5. Re:What by afidel · · Score: 4, Informative

      SAP has over 17K customers and 27K employees worldwide with over half of the Fortune 500 being customers. Oracle and SAP are now basically the only big players in the ERP arena. ERP stands for Enterprise Resource Planning, basically the software that runs medium to large businesses. If you've been programming for 15 years and have never heard of SAP you have either worked in small companies or have worked in PeopleSoft, JD Edwards (both now Oracle companies), Infor, or Sage shops.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:What by l-ascorbic · · Score: 4, Interesting

      It has a market cap of $57 billion. That's larger than Yahoo, over twice the size of Sun and only around 25% smaller than Oracle. To put it in perspective, MSFT is three times the size of Oracle, the number 2. The numbers would be similar if you did it by revenue, but that's more annoying to look up. The fact you haven't heard of them doesn't prove that they're insignificant - just that you're ignorant.

    7. Re:What by Wellerite · · Score: 2, Informative

      Well, there are certain things that Slashdot readers are assumed to know. The name of the third largest software company in the world is one of those things. Also, the rude, short post that could have been answered in a five second trip to google or wikipedia didn't help either. If I were moderating, I think I would have gone for Troll, though.

    8. Re:What by the_womble · · Score: 3, Insightful

      It's only the third-largest software company in the world.

      Yes, but it's hard to install their software on a PC in your parents' basement. Therefore, from the point of view of Slashdot, SAP does not exist.

    9. Re:What by Lars+T. · · Score: 2, Funny

      US is #2 and they're getting their asses mopped by a couple ragheads? BAhaha. Iran would toast them.
      That's only because they deployed less than 25,000 troops there. The rest is middle management.
      --
      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    10. Re:What by Lars+T. · · Score: 2, Informative

      The poster has asked what the acronym SAP means, which is not explained in the summary. Granted the poster could simply have googled it and obtained this:

      Founded in 1972 as Systems Applications and Products in Data Processing, SAP is the recognized leader in providing collaborative business solutions for all types of industries and for every major market.
      http://www.sap.com/company/index.epx

      Nitpick: It actually was "Systemanalyse und Programmentwicklung" originally, but German confused Americans, so they changed it to something that would work in both languages. And now, like so many acronyms, it simply stopped being one.
      --
      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  3. But Oracle is "Unbreakable" by gc8005 · · Score: 5, Funny

    How could Oracle's server have been compromised? I thought Oracle was "unbreakable"

    1. Re:But Oracle is "Unbreakable" by Adambomb · · Score: 3, Informative

      By making use of soon to expire passwords. They didn't exploit a flaw, they used credentials they were not authorized to use.

      --
      Ice Cream has no bones.
    2. Re:But Oracle is "Unbreakable" by shelterpaw · · Score: 2, Funny

      It's not broken, just violated like Tiny Tim locked up inside a cell with Bubba.

  4. A copy of the article by Cervantes · · Score: 5, Funny

    Here's a copy of the article in case it gets slashdotted:

    Oracle Sues SAP
    On March 22, 2007, Oracle filed a lawsuit in U.S. Federal District Court in the Northern District of California against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.

    Yeah, that's the entire thing (except for the 44 page PDF of the actual suit). Glad I could make sure that everyone got that clear and concise summarization, and can now fairly and properly comment on it.

    Cheers!

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
  5. capitalization overload by Anonymous Coward · · Score: 5, Funny

    the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.
    Could someone translate that to English, please? I can't read German.
    1. Re:capitalization overload by joe_bruin · · Score: 4, Funny

      the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy


      Could someone translate that to English, please? I can't read German.

      You should have seen the original:

      Der Federalkomputerfraudundabußeact und Kaliforniakomputerdataacceßundfraudact, Unfairkompetition, Intenzionalnegligentunterference wit Prozpectiveeconomikadvantage und Civilkonspiracy.
    2. Re:capitalization overload by quigonn · · Score: 5, Funny

      It isn't. In proper German, it translates to something like "das Bundesgesetz zu Computermissbrauch und -betrug und das kalifornische Computerdatenzugriffs- und -betrugsgesetz, unlauterer Wettbewerb, vorsätzliche und fahrlässige Beeinflussung von voraussichtlichem wirtschaftlichen Gewinn und zivile Verschwörung". Even with umlauts!

      --
      A monkey is doing the real work for me.
  6. You're Missing Out by Adambomb · · Score: 4, Informative

    That little link to read the complaint actually includes rather shocking detail concerning how blatant SAP's misuse of the logins they used was. Not to mention the fact that they HAD to know they were leaving fingerprints left, right and center, for example with one login they had downloaded 1800 distinct packages over 4 days, where the original user of the login was logging usage around 20 downloads per month.

    --
    Ice Cream has no bones.
    1. Re:You're Missing Out by TubeSteak · · Score: 3, Interesting

      right before the complaint talks about all that, it says this:

      "SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials. For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials."

      While that doesn't excuse SAP, you have to wonder at the kind of security Oracle has got on their support site. I mean, they don't revoke access to expired accounts & they give accounts more access than was paid for.

      Seems pretty shoddy to me.

      --
      [Fuck Beta]
      o0t!
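The pattern Adambomb and TubeSteak describe above (one login pulling 1800 packages in four days where its normal rate was about 20 a month) is exactly what a per-account rate baseline on the support portal's download log would catch. The following Python is an added example, not code from the thread or from Oracle: it parses a constructed download log (the line format, account ids and package names are all made up for this example), computes each account's baseline rate over a quiet period, and flags any account whose densest four-day window afterwards exceeds both an absolute floor and ten times what its own baseline predicts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Log line format assumed here (constructed, not Oracle's real format):
#   <ISO-8601 timestamp> <account id> <package name>
def parse_log(text: str) -> Dict[str, List[datetime]]:
    """Group download timestamps by account, sorted ascending."""
    per_account: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, account, _package = line.split(maxsplit=2)
        per_account[account].append(datetime.fromisoformat(stamp))
    for stamps in per_account.values():
        stamps.sort()
    return dict(per_account)


def baseline_per_day(stamps: List[datetime], start: datetime, end: datetime) -> float:
    """Average downloads per day for one account during the baseline period."""
    hits = sum(1 for t in stamps if start <= t < end)
    return hits / (end - start).days


def busiest_window(stamps: List[datetime], window: timedelta) -> Tuple[Optional[datetime], int]:
    """Sliding-window scan over sorted timestamps: start and size of the densest window."""
    best_start, best_count, left = None, 0, 0
    for right, t in enumerate(stamps):
        while stamps[left] < t - window:   # drop timestamps that fell out of the window
            left += 1
        count = right - left + 1
        if count > best_count:
            best_start, best_count = stamps[left], count
    return best_start, best_count


def flag_accounts(log_text: str, baseline_start: datetime, baseline_end: datetime,
                  window_days: int = 4, multiplier: float = 10.0,
                  min_count: int = 100) -> Dict[str, dict]:
    """Flag accounts whose densest post-baseline window exceeds both an absolute
    floor (min_count) and `multiplier` times what their own baseline rate predicts.
    The thresholds are assumptions for this example, not values from the complaint."""
    alerts = {}
    for account, stamps in parse_log(log_text).items():
        rate = baseline_per_day(stamps, baseline_start, baseline_end)
        limit = max(min_count, multiplier * rate * window_days)
        observed = [t for t in stamps if t >= baseline_end]
        start, count = busiest_window(observed, timedelta(days=window_days))
        if count > limit:
            alerts[account] = {"baseline_per_day": rate, "limit": limit,
                               "window_start": start, "count": count}
    return alerts


def build_sample_log() -> str:
    """Constructed log: two accounts at roughly 20 downloads a month, one of which
    then pulls 1800 distinct packages in under four days (the pattern in the complaint)."""
    lines = ["# constructed sample: timestamp account package"]
    day0 = datetime(2006, 10, 1)
    for i in range(60):   # 60 downloads spread over ~90 days for each account
        stamp = (day0 + timedelta(days=i * 1.5)).isoformat()
        lines.append(f"{stamp} acct-a17 patch-{i:04d}.zip")
        lines.append(f"{stamp} acct-b03 note-{i:04d}.txt")
    burst0 = datetime(2007, 1, 15)
    for i in range(1800):   # one download every three minutes for 90 hours
        lines.append(f"{(burst0 + timedelta(minutes=3 * i)).isoformat()} acct-a17 pkg-{i:04d}.zip")
    for i in range(10):   # acct-b03 keeps its normal pace in January
        lines.append(f"{(datetime(2007, 1, 2) + timedelta(days=2 * i)).isoformat()} acct-b03 note-x{i}.txt")
    return "\n".join(lines)


def demo() -> Dict[str, dict]:
    """Baseline over Oct-Dec 2006, then look for bursts from January 2007 on."""
    return flag_accounts(build_sample_log(), datetime(2006, 10, 1), datetime(2007, 1, 1))


if __name__ == "__main__":
    for account, info in demo().items():
        print(f"{account}: {info['count']} downloads in a 4-day window starting "
              f"{info['window_start']:%Y-%m-%d}; baseline {info['baseline_per_day']:.2f}/day, "
              f"limit {info['limit']:.0f}")
```

The relative threshold keeps a heavy but legitimate user from tripping the alert, while the absolute floor stops a near-zero baseline from making the limit meaningless; in the constructed data only acct-a17 is flagged, with its whole 1800-download burst landing in one window.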
  7. The actual suit.. by Cervantes · · Score: 4, Interesting

    I'm reading through the first bit of the actual suit, and here's what caught my eye:

    These "customer users" supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of "xx" "ss" "User" and "NULL." Others used phony email addresses like "test@testyomama.com" and fake phone numbers such as "7777777777" and "123 456 7897."


    Now, they do state that the IP doing the downloading was an SAP branch office in Texas... but still, if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?

    I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    1. Re:The actual suit.. by jrockway · · Score: 2, Interesting

      That's the same e-mail and phone (almost) that I gave Oracle, too. Do people actually give their real information to Oracle, just to download docs for products they've paid hundreds of thousands of dollars for?

      No, they don't.

      --
      My other car is first.
    2. Re:The actual suit.. by mpapet · · Score: 2, Insightful

      I tend to believe this is a kind of abuse of the courts.

      *All* big companies and political campaigns beyond water commissioner appointments do exactly this kind of opposition research.

      What's illegal about me giving a gmail address while I work for an Oracle competitor and buy some oracle products/services for research?

      --
      http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    3. Re:The actual suit.. by espressojim · · Score: 3, Insightful

      if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?


      Please let me know what your algorithm is for a valid user name. As far as I know, they are free text (which seems perfectly valid.) As for the other information, it would pass your typical regex for validation. If Oracle gets a phone number, should they call it to validate that the person has the same information as the login gave? Do you run a website that does something similar, and has the same number of hits the Oracle website does?

      I appreciate a holier-than-thou attitude, but please tell me what site YOU are in charge of the security for (and if I can then pass in crap like the above, then you're in for a nice big plate of humble pie, slashdot style.) Alternatively, you're talking out your ass.
    4. Re:The actual suit.. by EonBlueTooL · · Score: 2, Funny

      My name is Üser you insensitive clod!

    5. Re:The actual suit.. by ivan256 · · Score: 3, Insightful

      Please let me know what your algorithm is for a valid user name.


      I don't know what you do where you work, but here's the algorithm we use:

      • Collect money from the customer in exchange for a copy of our product.
      • Declare the user name chosen by the customer to be 'valid'.


      Any site that doesn't do a manual validity check should be considered to contain public content.

    6. Re:The actual suit.. by Cervantes · · Score: 2, Insightful

      Please let me know what your algorithm is for a valid user name. As far as I know, they are free text (which seems perfectly valid.) As for the other information, it would pass your typical regex for validation. If Oracle gets a phone number, should they call it to validate that the person has the same information as the login gave? Do you run a website that does something similar, and has the same number of hits the Oracle website does?

      I appreciate a holier-than-thou attitude, but please tell me what site YOU are in charge of the security for (and if I can then pass in crap like the above, then you're in for a nice big plate of humble pie, slashdot style.) Alternatively, you're talking out your ass.

      I have this funny thing, when I issue a username, I actually make sure it is valid and usable. Similarly, when a website of mine asks for a username, it tends to check and see if that username is actually valid before allowing the user to proceed. The way these logins are presented in the suit, it certainly seems like SAP just made up some random usernames, and Oracle just let them in.

      Also, I like to do other, holier-than-thou things, like requiring passwords, and expiring users' passwords when their contracts expire. Sometimes, just for shits and giggles, I like to assign usernames in a predetermined format to ensure accuracy, ease of use, etc etc. I like to actually make sure the site is a little bit secure. It doesn't seem like they did a very good job of this.

      Also, there are plenty of scripts for plenty of different platforms that will do basic validation on data fields. They can check to see if your phone number is all the same digit, or 123-456-7890. Some of the more advanced forms even require minimum length on usernames or passwords. If you have millions to spend, you can even get super-advanced DARPA user-creation scripts that run checks to make sure your city is valid, or your data meets a required format.

      Finally, sometimes, if your luck is amazing and your spirit pure, you can spill coke on your keyboard while you sit in your mom's basement, get an electric shock, and purge all that sanctimonious bullshit and "strawmen are our friend" thinking from your pale, pudgy little head. Believe it or not, it's possible to have an informed opinion on something without spending your whole life doing exactly and only that. Although if you don't believe it, it does make it easier to talk smack and belittle your opponent without actually advancing a valid argument, thusly helping disguise an inferior argument or intellect.

      And that is a slice of a different kind of pie. Slashdot style.
      --
      If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
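Cervantes's reply above names the two controls he has in mind: rejecting placeholder usernames and obviously fake contact data at registration, and cutting off access when a support contract expires (TubeSteak and whitehatlurker elsewhere in the thread add that an account also should not reach products its contract never covered). The block below is an added example written for this page, not code from the thread, from Oracle, or from SAP. The placeholder lists, the phone-number heuristics, the contract records and the product names are all constructed assumptions; the fake values it rejects are the ones quoted from the complaint.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Values the complaint quotes as obviously fake registrations, plus a few common
# placeholders (constructed list; tune it to what your own portal actually sees).
PLACEHOLDER_USERNAMES = {"xx", "ss", "user", "null", "test", "admin", "none"}
PLACEHOLDER_LOCAL_PARTS = {"test", "none", "noreply", "asdf"}
EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[a-z]{2,})$", re.IGNORECASE)


def _is_sequential(digits: str) -> bool:
    """True for runs like 1234567 (each digit exactly one more than the last)."""
    return all(int(b) - int(a) == 1 for a, b in zip(digits, digits[1:]))


def validate_registration(username: str, email: str, phone: str) -> List[str]:
    """Return the names of fields that fail basic sanity checks (empty list = all pass).
    These are heuristics: they reject "xx"/"User"/"NULL", same-digit and sequential
    phone numbers and throwaway-looking e-mail local parts. They do not prove the
    data is real; that still needs a confirmation mail or a manual check."""
    problems = []
    u = username.strip().lower()
    if len(u) < 4 or u in PLACEHOLDER_USERNAMES or not re.fullmatch(r"[a-z0-9._-]+", u):
        problems.append("username")
    m = EMAIL_RE.match(email.strip())
    if not m or m.group(1).lower() in PLACEHOLDER_LOCAL_PARTS:
        problems.append("email")
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 10 or len(set(digits)) == 1 or _is_sequential(digits[:7]):
        problems.append("phone")
    return problems


@dataclass(frozen=True)
class SupportContract:
    account: str
    products: FrozenSet[str]   # products this contract entitles the account to
    expires: date


# Constructed contract records, not real customer data.
CONTRACTS = [
    SupportContract("acct-a17", frozenset({"jde"}), date(2007, 1, 31)),
    SupportContract("acct-b03", frozenset({"psoft", "siebel"}), date(2008, 6, 30)),
]


def download_allowed(contracts: List[SupportContract], account: str,
                     product: str, today_iso: str) -> Tuple[bool, str]:
    """Gate a download on an unexpired contract that covers the requested product.
    Once the last contract lapses the account gets nothing, so "soon to expire"
    credentials stop working on the day they expire; an active account still
    cannot reach products outside its contract."""
    today = date.fromisoformat(today_iso)
    active = [c for c in contracts if c.account == account and c.expires >= today]
    if not active:
        return False, "no active support contract"
    if not any(product in c.products for c in active):
        return False, "contract does not cover this product"
    return True, "ok"


if __name__ == "__main__":
    # The three registrations the complaint describes, next to a plausible one.
    for reg in [("xx", "test@testyomama.com", "7777777777"),
                ("User", "bob@corp.example", "123 456 7897"),
                ("jsmith", "j.smith@acme-corp.example", "415 555 0123")]:
        print(reg, "->", validate_registration(*reg) or "ok")
    for req in [("acct-a17", "jde", "2007-01-15"), ("acct-a17", "jde", "2007-02-15"),
                ("acct-a17", "psoft", "2007-01-15"), ("acct-b03", "siebel", "2007-01-15")]:
        print(req, "->", download_allowed(CONTRACTS, *req))
```

The registration checks deliberately stay cheap and syntactic, which is espressojim's point: they stop "xx" and "7777777777" but not a made-up name with a real-looking number. The entitlement check is the stronger control, because it does not care how the account was registered, only whether a current contract covers what is being fetched.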
  8. The complaint seems to be rather convincing by whitehatlurker · · Score: 4, Informative

    A bunch of soon-to-be-ex customers of Oracle (who are in the process of moving to SAP) log in from SAP computers and download all kinds of support information. It might be a bit more than coincidence.

    One has to wonder if there was a discount if you passed along your Oracle support credentials. That would be an interesting marketing strategy.

    One problem is that these customers downloaded files which weren't supposed to be made available to them under the terms of their support contracts. Why were their accounts able to get to these files then? I'm not sure that Oracle would want to admit they can't control the security of their own website, even if it boosts the credibility of the rest of their complaint.

    Skip the press release and go right to the Complaint. (IT IS A PDF!! You've been warned.)

    --
    .. paranoid crackpot leftover from the days of Amiga.
    1. Re:The complaint seems to be rather convincing by KnuthKonrad · · Score: 2, Insightful

      A bunch of soon-to-be-ex customers of Oracle (who are in the process of moving to SAP) log in from SAP computers and download all kinds of support information. It might be a bit more than coincidence.

      Then again, suppose you're an Oracle customer who's about to switch over to SAP. You won't do that on a Friday night within 2 hours. You're more likely to contact SAP and set up a migration project. SAP might ask you for documentation of your current software/environment and tools that might help with the migration. You might answer like most customers answer: "I dunno...here's what we got from them." *hands over a folder with lots of papers, one of them having username/pw for Oracle's KB*

      Seeing SAP use some kind of spider/downloader to get all the stuff instead of manually looking into each and every document to see if it's one that might be of any help also makes sense from an efficiency point of view.

      And in my book "soon to expire accounts" means "still valid (and paid for) accounts". Oracle might blame the (soon to be ex-)customer for sharing his credentials with a 3rd party, but I guess Oracle would (and perhaps does) do exactly the same in exactly the same situation when helping a customer migrate from a competitor's product to theirs.

  9. Personally... by bobcat7677 · · Score: 2, Interesting

    I don't blame SAP for using whatever backchannel means necessary to access Oracle's knowledge base. I'm sure it was completely out of necessity to support their customers. It has always baffled me how completely locked down Oracle is when it comes to their support. If you are not paying on a support contract and have a login with sufficient rights, there is basically nothing to see of any use on their website. As a developer trying to evaluate a demo copy of the DBMS, I found it completely useless and ultimately was not able to get the demo to work because I couldn't get any support on it. The "big evil corporation" Microsoft doesn't have any problem putting their knowledgebase and troubleshooting guides out for public consumption, why does Oracle need to keep theirs a closely guarded company secret?

    Oh, and I think what they were referring to with the phrase "Thousands of proprietary software products" was all the patches for their DBMS.

    1. Re:Personally... by Anonymous Coward · · Score: 4, Insightful

      Ever heard of OTN?

      http://otn.oracle.com/ hosts the entire documentation library of every oracle product.

      There's also http://forums.oracle.com/

      All it takes is just a little looking around and you can find help...no need to blame Oracle for keeping everything under lock and key...because they certainly don't.

  10. Re:What's the bet... by shawb · · Score: 2, Insightful

    I'll take your bet. SAP is the world's third largest software company, only behind Microsoft and IBM in terms of market cap. If anything, SAP would acquire Oracle to silence the lawsuit.

    --
    I'll never make that mistake again, reading the experts' opinions. - Feynman
  11. Re:What's the bet... by ezberry · · Score: 3, Informative

    FYI, the difference between your quote and mine is that you cited to the American Depository Receipts of SAP, not their actual stock. This is a depository receipt for the stock, not an actual share - but the price is generally a very close proxy to it. (See Wikipedia ADR entry)

  12. Does anybody here by xx01dk · · Score: 2, Insightful

    actually like using SAP? I have yet to come across anyone who does. Sure it works and has lots of neat features but seriously, those of us "in the trenches" who must use it regularly... well I for one would rather pull my hair out than use SAP...

    Yeah it's OT but I'm curious. If Oracle DID somehow manage to snap it up, would/could they make it any better?

    --
    There is simply too much glass..
  13. Oracle is the Next SCO by tjasond · · Score: 2, Interesting

    Oracle is a company that appears to be driven by talented technical folks with blinders on. I'm only a techie, so I could be completely wrong here, but how many times has Oracle tried to reinvent the wheel rather than buy companies with the capabilities they were looking for? There are too many to list here, but after browsing their site (over the course of several years, which you'll have to do if you ever want to use their database product), they have invested a lot into things that they should have acquired.

    They targeted the Java development crowd, but failed to do anything that appealed to a typical Java development shop. For instance, they have some kind of ORM tool, but JBoss bought Hibernate, which has now become nearly standard, as much of it is backed by/included with EJB 3. Adobe bought JRun from Allaire which, at the time, Oracle had the cash to purchase. Instead, as far as I know, Oracle chooses not to provide their own Servlet container. Furthermore, they probably could've bought BEA at some point, but chose not to. Arguably this could have made them be what it appears they're trying to become - an end to end solution for application development.

    Couple that with the fact that they are getting hit hard by MySQL, PostgreSQL, and SQL Server, and you have a solid case as to why Oracle is on their way down. A friend and I were talking about this just the other day. The conclusion we came to was that sure, Oracle was great and innovative back when we were still using 486 processors, but now they are irrelevant for 90% of the market, if not more, due to increased availability of fast hardware. Oh, and their database is in large part a huge pain in the ass that cannot be uninstalled. As mentioned before, much of it is unnecessary for 90% of applications out there. Actually, the only people I see using/advocating it are people with the same mentality of "People never got fired for choosing Microsoft", or people that are a "DBA" in Oracle, which is equally absurd.

    1. Re:Oracle is the Next SCO by Funks · · Score: 4, Informative

      >For instance, they have some kind of ORM tool, but JBoss bought Hibernate, which has now become nearly standard, as much of it is backed by/included with EJB 3. Adobe bought JRun from Allaire which, at the time, Oracle had the cash to purchase. Instead, as far as I know, Oracle chooses not to provide their own Servlet container. Furthermore, they probably could've bought BEA at some point, but chose not to. Arguably this could have made them be what it appears they're trying to become - an end to end solution for application development.

      Oracle has a lot of technology revolving around Java. For example, the ORM you are talking about is TOPLINK (which they bought a while back). Several of their engineers worked on the JPA (Java Persistence API) JSR, along with some of the Hibernate guys. The result, we now have JPA (which Toplink and Hibernate support) instead of the POS EJB2 specs. Oracle is open sourcing Toplink and you can use it as your JPA provider if you wish (along with Hibernate, or OpenJPA from Apache). I personally would use either TopLink or Hibernate for JPA as both those products are well supported and are stable (they've been around for a while). In regards to the J2EE server, Oracle does have a J2EE container (which also includes a servlet engine), it's called OC4J (Oracle Container for J2EE). They've had that for a *REALLY* long time, it used to be called Orion (which is as old as the JBoss J2EE server).

      Java is doing well in enterprise development. The big boys are all gearing their future towards it. Look at Oracle's Fusion which leverages their J2EE stack, SAP is also doing the Java/J2EE thing with their Netweaver platform. And let's not forget IBM's WebSphere Java Portfolio. Then there's the other lesser 3-lettered companies like SUN, BEA and etc..

  14. Who would *steal* Oracle support? by Mongoose+Disciple · · Score: 4, Insightful

    Not that I'm an SAP fan either, but based on my experiences trying to get good answers out of Oracle's support materials in the past, I'm baffled as to why anyone would even want a copy of it.

    Don't get me wrong, there are projects where I'd still use Oracle even so, but if I need Oracle support documents I'm probably going to Google and ignoring any of the responses that go to oracle.com. Generally, some random yahoo on the internet has done a better job of explaining Oracle's products/bugs/problems.

  15. assumption is the f*ckup of mother nature ... by freaker_TuC · · Score: 2, Insightful

    No offense intended,

    You assume to know; although; I've got 2 IT people here with me; already for over 10 years active in the field and they've asked ME what SAP was; so don't assume others presume the same ; because such expectations only fail if you find out those assumptions (and presumptions) are flawed...

    If you want to assume something; assume something people DO know for sure; but don't "assume" everyone is a walking dictionary/thesaurus/abbreviations guide; don't assume your standards upon another; it's what this world makes rotten; overexpectations of others without thinking about any other factors; maybe presume would be a better word in this context since its meaning is less aggressive towards its expectations ....

    Tolerance is another something which doesn't get thrown in enough when such expectations are not met; which makes people often striving upon each other instead of working together to still meet the expectations of another; some of these people call this healthy competition .. heh ...

    In my opinion this question was a very valid question which will educate the other slashdotters who DO NOT know what SAP means; by all means, it's a question which is fully on-topic and should not require further research (leaving the Slashdot realm) before studying its acronyms or content; I'd presume the needed links will be made for me as /. reader so I won't need to go through all those hula hoops to find out what that one acronym means ...

    I will always keep remembering the quote "Assumption is the f*ckup of mother nature" ....

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  16. Re:Why Would They Do This? by Joncbeall · · Score: 3, Informative

    Quote: "don't get it. If SAP *did* steal Oracle's code, why would they *want* to do this? SAP is the number 1 application suite in use in the *world*. It doesn't make sense for them to steal code.
    Could this lawsuit be nothing more than Larry being Larry?"


    Because it wasn't just SAP AG (the packaged apps side of the house), but rather the TomorrowNow division of SAP, who *sells* 3rd party support for Oracle applications (JDE, PSoft, and Siebel). That's why the support docs, patches, and other info from the site was valuable. With that information TomorrowNow would be able to offer the same level of technical knowledge and patches as Oracle (that's where the $$ aspect of the suit comes into play). Read the PDF on their site for more info on the suit. -JB