Oracle Sues SAP for Spidering Their Support Site
TodoInSATX writes "Oracle has filed a lawsuit against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy. From the actual complaint:
'SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"
That's slightly different than just spidering.
How could Oracle's server have been compromised? I thought Oracle was "unbreakable"
Here's a copy of the article in case it gets slashdotted:
Oracle Sues SAP
On March 22, 2007, Oracle filed a lawsuit in U.S. Federal District Court in the Northern District of California against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.
Yeah, that's the entire thing (except for the 44 page PDF of the actual suit). Glad I could make sure that everyone got that clear and concise summarization, and can now fairly and properly comment on it.
Cheers!
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
Site
Attacked &
Pwned.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
That little link to read the complaint actually includes rather shocking detail concerning how blatant SAP's misuse of the logins they used was. Not to mention the fact that they HAD to know they were leaving fingerprints left right and center, for example with one login they had downloaded 1800 distinct packages over 4 days, where the original user of the login was logging usage around 20 downloads per month.
Ice Cream has no bones.
I'm reading through the first bit of the actual suit, and here's what caught my eye:
These "customer users" supplied user information (such as user name, email address, and phone number) that did not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of "xx" "ss" "User" and "NULL." Others used phony email addresses like "test@testyomama.com" and fake phone numbers such as "7777777777" and "123 456 7897."
Now, they do state that the IP doing the downloading was an SAP branch office in Texas... but still, if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?
I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moment's pause.
It's only the third-largest software company in the world.
One has to wonder if there was a discount if you passed along your Oracle support credentials. That would be an interesting marketing strategy.
One problem is that these customers downloaded files which weren't supposed to be made available to them under the terms of their support contracts. Why were their accounts able to get to these files then? I'm not sure that Oracle would want to admit they can't control the security of their own website, even if it boosts the credibility of the rest of their complaint.
Skip the press release and go right to the Complaint. (IT IS A PDF!! You've been warned.)
.. paranoid crackpot leftover from the days of Amiga.
SAP is the largest software company in Europe.
Well, typically only really big places use it since it costs millions and takes years (and more $$$) of consultancy and configuration to roll it out.
When you finally get it, the UI is an exercise in how many good UI design principles can we possibly break on one screen. Response to comments on the UI? "Vee are the third largest softvare company in zee vorld" (or in other words, they're so successful they must be right).
Be thankful you've never had to use it.
SAP has over 17K customers and 27K employees worldwide with over half of the Fortune 500 being customers. Oracle and SAP are now basically the only big players in the ERP arena. ERP stands for Enterprise Resource Planning, basically the software that runs medium to large businesses. If you've been programming for 15 years and have never heard of SAP you have either worked in small companies or have worked in PeopleSoft, JD Edwards (both now Oracle companies), Infor, or Sage shops.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Ever heard of OTN?
http://otn.oracle.com/ hosts the entire documentation library of every oracle product.
There's also http://forums.oracle.com/
All it takes is just a little looking around and you can find help...no need to blame Oracle for keeping everything under lock and key...because they certainly don't.
It has a market cap of $57 billion. That's larger than Yahoo, over twice the size of Sun and only around 25% smaller than Oracle. To put it in perspective, MSFT is three times the size of Oracle, the number 2. The numbers would be similar if you did it by revenue, but that's more annoying to look up. The fact you haven't heard of them doesn't prove that they're insignificant - just that you're ignorant.
Not that I'm an SAP fan either, but based on my experiences trying to get good answers out of Oracle's support materials in the past, I'm baffled as to why anyone would even want a copy of it.
Don't get me wrong, there are projects where I'd still use Oracle even so, but if I need Oracle support documents I'm probably going to Google and ignoring any of the responses that go to oracle.com. Generally, some random yahoo on the internet has done a better job of explaining Oracle's products/bugs/problems.
>For instance, they have some kind of ORM tool, but JBoss bought Hibernate, which has now become nearly standard, as much of it is backed by/included with EJB 3. Adobe bought JRun from Allaire which, at the time, Oracle had the cash to purchase. Instead, as far as I know, Oracle chooses not to provide their own Servlet container. Furthermore, they probably could've bought BEA at some point, but chose not to. Arguably this could have made them be what it appears they're trying to become - an end to end solution for application development.
Oracle has a lot of technology revolving around Java. For example, the ORM you are talking about is TOPLINK (which they bought a while back). Several of their engineers worked on the JPA (Java Persistence API) JSR, along with some of the Hibernate guys. The result, we now have JPA (which Toplink and Hibernate support) instead of the POS EJB2 specs. Oracle is open sourcing Toplink and you can use it as your JPA provider if you wish (along with Hibernate, or OpenJPA from Apache). I personally would use either TopLink or Hibernate for JPA as both those products are well supported and are stable (they've been around for a while). In regards to the J2EE server, Oracle does have a J2EE container (which also includes a servlet engine), it's called OC4J (Oracle Container for J2EE). They've had that for a *REALLY* long time, it used to be called Orion (which is as old as the JBoss J2EE server).
Java is doing well in enterprise development. The big boys are all gearing their future towards it. Look at Oracle's Fusion which leverages their J2EE stack, SAP is also doing the Java/J2EE thing with their Netweaver platform. And let's not forget IBM's WebSphere Java Portfolio. Then there's the other lesser 3-lettered companies like SUN, BEA, etc.