Oracle Sues SAP for Spidering Their Support Site

TodoInSATX writes "Oracle has filed a lawsuit against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy. From the actual complaint: 'SAP has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers. SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"

Using customer logins?

[Anonymous Coward]

That's slightly different than just spidering.

Re:Using customer logins?

[Jussi K. Kojootti]

You do know that there is an alternative explanation for that? The sites in question may well let googlebot in without registering...

Re:

[Stone316]

I'm on Oracle's Metalink many times a day.. I also do google searches pretty frequently for Oracle topics... I have never google cache Oracle support content.

Re:

[Anonymous Coward]

No they don't, many sites will allow googlebot into their site without registering. In fact on some sites that normally require logins you can change your browser's identity to googlebot and get into the site without registering. That's how google caches non public sites, they don't use usernames and passwords.

Re:

[aztracker1]

Isn't delivering different content to google, than a regular browser grounds for removal from google's engine?

Re:

[an.echte.trilingue]

In case anyone is wondering how to do this, the user agent switcher for Firefox is here:

https://addons.mozilla.org/en-US/firefox/addon/59/ [mozilla.org]

Encyclopedia Britannica is one of those sites that will (or at least used to) let you look at member-only info if you set your agent to googlebot.

Re:

[Rakshasa Taisab]

Are you sure they use accounts, instead of the website just explicitly allowing spiders from certain netblocks access?

Re:

[metlin]

Well, robots.txt [robotstxt.org] is your friend.

Re:

[Yvanhoe]

And here is a link to Oracle's : robots.txt [slashdot.org]. Only this line "Disallow: /support/metalink/index.html" forbids access to the support/ branch. I am not sure this is enough...

What

[Anonymous Coward]

the fuck is SAP?

Re:

[ScrewMaster]

I think means "Secondary Audio Program", implies that one is an idiot, or is a substance that leaks out of trees. Other than that, I'm not sure.

Re:What

[dedazo]

the fuck is SAP?

Site
Attacked &
Pwned.

Re:What

[l-ascorbic]

It's only the third-largest software company in the world.

Re:

[ring-eldest]

Which is kind of like having the fifth largest army in the world (Iraq). After the first couple, there's a big fucking drop-off. Okay, it sounded better coming from Bill Hicks, but it's still true. ;)

Re:What

[l-ascorbic]

It has a market cap of $57 billion [google.com]. That's larger than Yahoo, over twice the size of Sun and only around 25% smaller than Oracle. To put it in perspective, MSFT is three times the size of Oracle, the number 2. The numbers would be similar if you did it by revenue, but that's more annoying to look up. The fact you haven't heard of them doesn't prove that they're insignificant - just that you're ignorant.

Re:

[Lars T.]

US is #2 and they're getting their asses mopped by a couple ragheads? BAhaha. Iran would toaste them.

That's only because they deployed less than 25,000 troops there.

The rest is middle management.

Re:

[rjshields]

Don't forget the technical architects!

Re:What

[the_womble]

It's only the third-largest software company in the world.

Yes, but its hard to install their software on a PC in your parents' basement. Therefore, from the point of view of Slashdot, SAP does not exist.

Re:What

[asavage]

SAP is the largest software company in Europe.

Re:What

[ray-auch]

Well, typically only really big places use it since it costs millions and takes years (and more $$$) of consultancy and configuration to roll it out.

When you finally get it, the UI is an excercise in how many good UI design principles can we possibly break on one screen. Response to comments on the UI ? - "Vee are the third largest softvare company in zee vorld" (or in other words, they're so successful they must be right).

Be thankful you've never had to use it.

Re:

[xero314]

I normally don't just agree, but in this case I can't resist. You have summed up SAP perfectly (though there are certainly more complaints one could make). Heck you are so dead on I have to think we are co-workers.

Re:

[Richard W.M. Jones]

When you finally get it, the UI is an excercise in how many good UI design principles can we possibly break on one screen. Response to comments on the UI ? - "Vee are the third largest softvare company in zee vorld" (or in other words, they're so successful they must be right).

For a moment I thought you were talking about Oracle Applications. But you couldn't be, because then you would have mentioned how not only is it totally unusable, but it also crashes all the time. Gotta love ERP ...

Rich.

Re:

[avdp]

Yes, I've heard the term "Consultantware" to define this category of products. To their credit (as a mitigating factor I guess), it is the case of ALL their competitors are well (Oracle, former PeopleSoft, anybody else in this field?). Companies that go into ERP projects expecting to get a shrinkwrap CD and install it like they would MS-Office and just run with it are out of their mind. There is no such thing as a one-size-fits-all ERP solution, and therefore expect lots and lots of time in consulting

Re:What

[afidel]

SAP has over 17K customers and 27K employees worldwide with over half of the Fortune 500 being customers. Oracle and SAP are now basically the only big players in the ERP arena. ERP stands for Enterprise Resource Planning, basically the software that runs medium to large businesses. If you've been programming for 15 years and have never heard of SAP you have either worked in small companies or have worked in Peoplesoft, JD Edwards (both now Oracle comapanies), Infor, or Sage shops.

Re:

[Nethead]

OMG! Sage! The last I used that was on a SWTPC 6809 running Uniflex! (to give the pups an idea, 1MHz, 8 bit, 256k RAM. And it still ran faster than some '386 SCO boxes!)

Re:

[avdp]

Certainly it's understandeable a programmer would never have used/customized/programmed-for one of these products (I haven't myself either), but I do find it pretty amazing that anyone in IT (in ANY IT field) would not at least have heard of the company. But maybe that's just me - I try to keep myself fairly informed about general IT subjects and companies...

Re:

[Ash Vince]

Where I work has just deployed one of these godawful nigthmares.

Count yourself luck you have never heard of any of them. They are all a nightmare to support from a technical standpoint.

Re:

[avdp]

SAP is probably the largest provider of ERP (and CRM?) software in the world (hard to say who's bigger than who after the recent buyouts). Maybe not as successful in the US because of local competitors like Oracle (and formerly PeopleSoft, now part of Oracle). But IT IS a huge worldwide software company, and there is very little excuse for someone in IT to not at least have heard of it...

Re:

[Anonymous Coward]

What the fuck is SAP?

Tell me, oh, all knowing moderators, how exactly this is offtopic?

The poster has asked what the acronym SAP means, which is not explained in the summary. Granted the poster could simply have googled it and obtained this:

Founded in 1972 as Systems Applications and Products in Data Processing, SAP is the recognized leader in providing collaborative business solutions for all types of industries and for every major market.

http://www.sap.com/company/index.epx

So how is this question offtopic

Re:

[Wellerite]

Well, there are certain things that Slashdot readers are assumed to know. The name of the third largest software company in the world is one of those things. Also, the rude, short post that could have been answered in a five second trip to google or wikipedia didn't help either. If I were moderating, I think I would have gone for Troll, though.

assumption is the f*ckup of mother nature ...

[freaker_TuC]

No offense intended,

You assume to know; although; I've got 2 IT people here with me; already for over 10 years active in the field and they've asked ME what SAP was; so don't assume others presume the same ; because such expectations only fail if you find out those assumptions (and presumptions) are flawed...

If you want to assume something; assume something people DO know for sure; but don't "assume" everyone is a walking dictionary/thesaurus/abbrevations guide; don't assume your standards upon another; it'

Re:assumption - solution in tags ??

[freaker_TuC]

My granddad always used to say "There are no silly questions, only silly answers" ...

Maybe this should be something to take account of in tags ? The name of the company/individual/website in a tag ?

This way your opinion would be auto policed and people would not need to ask "silly questions" ;) ...

Re:

[Lars T.]

The poster has asked what the acronym SAP means, which is not explained in the summary. Granted the poster could simply have googled it and obtained this:

Founded in 1972 as Systems Applications and Products in Data Processing, SAP is the recognized leader in providing collaborative business solutions for all types of industries and for every major market.

http://www.sap.com/company/index.epx

Nitpick: It actually was "Systemanalyse und Programmentwicklung" originally, but German confused Americans, so they changed it to something that would work in both languages. And now, like so many acronyms, it simply stopped being one.

Re:

[Anonymous Coward]

I thought MySap was a pr0n site? :-D

At least I wouldn't go around telling people I like my sap.

What's the bet...

[OriginalHunchy]

... that Oracle acquires SAP, just like they bought every other ERP and CRM company with a mid-large business customer base. Vultures.

WTFIWATGDA???

[dave1g]

WTFIWATGDA??? (what the fuck is with all the god dammed acronyms ????)

Re:

[OriginalHunchy]

hehehe wouldn't be /. if there weren't any TLAs. CRM - customer relationahip management (RIAA and Microsoft do this real well). ERP - enterprise resource planning (makes consultants rich). Oracle went on a buying spree & bought up their comptitors, SAP is the last pne standing. BTW, SAP is the name of a GBE, HQ'd in Germany.

Re:

[Tim C]

SAP is a name, not an acronym. As for CRM and ERP, it's because take it from me, pitch documents and functional and requirements specs are already quite long enough without spelling absolutely everything out in full the whole time. (The response document for the pitch I was part of earlier today was 95 pages long; a report I helped produce a couple of weeks ago was 60 pages long, and so on)

Re:

[Clandestine_Blaze]

SAP is a name, not an acronym.

For those who don't know what the name stands for, the full name is Systeme, Anwendungen und Produkte in der Datenverarbeitung ("Systems, Applications And Products in Data Processing") Taken from this Wikipedia [wikipedia.org] document, they changed their name to just plain SAP AG in 2005.

Re:

[ScrewMaster]

Not vultures, because the companies Oracle has taken over weren't necessarily carrion. I'd say "bloodsucking leeches" might be more appropriate.

Re:

[shawb]

I'll take your bet. SAP is the world's third largest software company, only behind Microsoft and IBM in terms of market cap. If anything, SAP would acquire Oracle to silence the lawsuit.

Re:

[afidel]

Huh? SAP has a market cap of $56B [yahoo.com] and Oracle has a market cap of $95.8B [yahoo.com], so Oracle is almost twice as large as SAP.

Re:

[ezberry]

FYI, the difference between your quote and mine is that you cited to the American Depository Receipts of SAP, not their actual stock. This is a depository receipt for the stock, not an actual share - but the price is generally a very close proxy to it. (See Wikipedia ADR entry [wikipedia.org])

Re:

[ezberry]

Do some research before you say things like that. SAP's market cap is 57.09B, ORCL is 95.82B.

Re:

[shawb]

Grr... I did a minimum of research. I suppose I should stop believing Wikipedia. Well, at least I didn't put a number on that wager...

Re:

[nelsonal]

In your defense, SAP about the same size as Oracle in terms of sales until Oracle acquired both Peoplesoft and Siebel, now Oracle sells more than SAP. Oracle does make more money per dollar of sales (by roughly a factor of 2) and since shareholders care mostly about earnings, Oracle as a company is substantially more valuable to investors. Oracle's stock has rallied pretty substantially in the past year while SAP has declined, so comparing on market value requires very frequent updates to remain correct.

Re:

[dimeglio]

Someone's vulture is another's capitalist. SAP has acquired a number of relatively small companies themselves but nothing like Oracle vs PeopleSoft but keep watching...

Re:

[Lars T.]

... that Oracle acquires SAP, just like they bought every other ERP and CRM company with a mid-large business customer base. Vultures.

Somewhat unlikely since SAP has 60% the market cap of Oracle.

Thousands?

[ScrewMaster]

Does Oracle actually make "thousands of products"?

Re:

[yupie]

No, but they bought some thousands last years, though.

Re:

[Clandestine_Blaze]

Companies like Oracle and SAP pretty much take on large corporations, military, and local / federal government projects. You'll never see Jack & Jane's diner using Oracle 10g to store their customer information. Oracle would be overkill and they would never even be able to afford an enterprise license, let alone the hardware and training to support it.

These entities bounce thousands and thousands of transactions daily - most of which occurs concurrently - and have hundreds of users behind the controls

Re:

[Asgard]

Jack & Jane could run Oracle 10g Express Edition [oracle.com] for free on their windows or Linux server, assuming they could shoehorn themselves into 4GB of data and a limited number of concurrent connections, and live without some of the advanced features. If they then went to a franchise model, J&J could upgrade to the non-free versions without having a lot of pain changing database backends.

But Oracle is "Unbreakable"

[gc8005]

How could Oracle's server have been compromised? I thought Oracle was "unbreakable"

Re:But Oracle is "Unbreakable"

[Adambomb]

By making use of soon to expire passwords. They didnt exploit a flaw, they used credentials they were not authorized to use.

Re:

[shelterpaw]

It's not broken, just violated like Tiny Tim locked up in side a cell with Bubba.

Re:

[arodland]

How could Oracle's server have been compromised? I thought Oracle was "unbreakable"

That wasn't Oracle, that was Bruce Willis.

A copy of the article

[Cervantes]

Here's a copy of the article in case it gets slashdotted:

Oracle Sues SAP
On March 22, 2007, Oracle filed a lawsuit in U.S. Federal District Court in the Northern District of California against SAP. Among the claims made against SAP are violations of the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.

Yeah, that's the entire thing (except for the 44 page PDF of the actual suit). Glad I could make sure that everyone got that clear and concise summarization, and can now fairly and properly comment on it.

Cheers!

You're Missing Out

[Adambomb]

That little link to read the complaint actually includes rather shocking detail concerning how blatant SAP's misuse of the logins they used was. Not to mention the fact that they HAD to know they were leaving fingerprints left right and center, for example with one login they had downloaded 1800 distinct packages over 4 days, where the original user of the login was logging usage around 20 downloads per month.

Re:You're Missing Out

[TubeSteak]

right before the complaint talks about all that, it says this:

"SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials. For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials."

While that doesn't excuse SAP, you have to wonder at the kind of security Oracle has got on their support site. I mean, they don't revoke access to expired accounts & they give accounts more access than was paid for.

Seems pretty shoddy to me.

Re:

[MyDixieWrecked]

I see you read the first page. ;)

also, from the SAME SAP IP, they logged in as several different former, or soon to be former customers of Oracle and provided fake information (fake names, emails and phone numbers) and then proceeded to downloaded entire libraries of documentation and other softwares.

the summary doesn't really make the slashdot crowd quite aware of the wrongs that SAP committed. To me, it seems that they gave competitive upgrades to Oracle customers, requiring their Oracle login credentials

Re:

[MyDixieWrecked]

SAP is one of Oracle's biggest competitors.

If SAP can offer as much support as possible to people on their current Oracle software, that's less worry to the customer. They don't have to pay for SAP software/support and Oracle support during the transition phase, so that's just another thing helping them lure Oracle's customer base away.

Why would you think that?

[WindBourne]

The average programmer out there really has no clue about security or how systems really operate. They know their stuff but do not really think about how others operate. In fact, I would guess that it was generally support ppl that were doing all this and I suspect that only a few would really get this.

capitalization overload

[Anonymous Coward]

the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy.

Could someone translate that to English, please? I can't read German.

Re:capitalization overload

[joe_bruin]

the Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act, Unfair Competition, Intentional and Negligent Interference with Prospective Economic Advantage and Civil Conspiracy

Could someone translate that to English, please? I can't read German.

You should have seen the original:

Der Federalkomputerfraudundabußeact und Kaliforniakomputerdataacceßundfraudact, Unfairkompetition, Intenzionalnegligentunterference wit Prozpectiveeconomikadvantage und Civilkonspiracy.

Re:

[BiggerBadderBen]

I have no idea if that's real German, but you just made me pee my pants!

Re:capitalization overload

[quigonn]

It isn't. In proper German, it translates to something like "das Bundesgesetz zu Computermissbrauch und -betrug und das kalifornische Computerdatenzugriffs- und -betrugsgesetz, unlauterer Wettbewerb, vorsätzliche und fahrlässige Beeinflussung von voraussichtlichem wirtschaftlichen Gewinn und zivile Verschwörung". Even with umlauts!

Re:

[Kjella]

I see your comment was modded 50-50 funny and informative, but I still had a good laugh from seeing a joke translation at +5, Funny and then your proper translation also ranked at +5, Funny. Guess they can't tell the difference :D

How to exclude Search Engine Spiders

[xmas2003]

Tangential to the story, but if you want to exclude a search engine spider, you can use the robots exclusion protocol. [robotstxt.org]

Appears it wouldn't have made too much of a difference here, but perhaps something useful to know.

The actual suit..

[Cervantes]

I'm reading through the first bit of the actual suit, and here's what caught my eye:

These "customer users" supplied user information (such as user name, email address, and phone number) that did
not match the customer at all. In some cases, this user information did not match anything: it was fake. For example, some users logged in with the user names of "xx" "ss" "User" and "NULL." Others used phony email addresses like "test@testyomama.com" and fake phone numbers such as "7777777777" and "123 456 7897."

Now, they do state that the IP doing the downloading was an SAP branch office in Texas... but still, if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?

I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.

Re:

[RpiMatty]

Its not a fake phone number, you just posted mine on /. you insensitive clod!

Re:

[jrockway]

That's the same e-mail and phone (almost) that I gave Oracle, too. Do people actually give their real information to Oracle, just to download docs for products they've paid hundreds of thousands of dollars for?

No, they don't.

Re:

[mpapet]

I tend to believe this is a kind of abuse of the courts.

*All* big companies and political campaigns beyond water commissioner appointments do exactly this kind of opposition research.

What's illegal about me giving a gmail address while I work for an Oracle competitor and buy some oracle products/services for research?

SAP vs. some tiny subsidiary of SAP

[Crackez]

I think I just became a little less likely to buy either SAP or Oracle software, if this is their idea of ethics and security, respectively.

It doesn't take very much to own a company, any company, except for the right amount of money... Thats all. SAP TN is a wholly owned subsidiary of SAP, so SAP is responsible. That sucks. My company just bot some tiny 10 person shop and they are a bunch of idiots, ignorant of the very technology they claim to be capable of developing... Dealing with them is like execut

Re:The actual suit..

[espressojim]

if your supposedly secure support site accepts "xx" and "ss" and "User" as valid logins to access support documents and what appears to be actual product downloads... well, what the hell?

Please let me know what your algorithm is for a valid user name. As far as I know, they are free text (which seems perfectly valid.) As for the other information, it would pass your typical regex for validation. If oracle gets a phone number, should they call it to validate that the person has the same information as the login gave. Do you run a website that does something similar, and has the same number of hits the Oracle website does?

I appreciate a holy-than-thou attitude, but please tell me what site YOU are in charge of the security for (and if I can then pass in crap like the above, then you're in for a nice big plate of humble pie, slashdot style.) Alternatively, you're talking out your ass.

Re:The actual suit..

[ivan256]

Please let me know what your algorithm is for a valid user name.

I don't know what you do where you work, but here's the algorithm we use:

• Collect money from the customer in exchange for a copy of our product.
• Declare the user name chosen by the customer to be 'valid'.

Any site that doesn't do a manual validity check should be considered to contain public content.

Re:

[ivan256]

Ok Wait so AFTER all this has happened, and your customer then gives thier login to SAP,

and guess what SAP logs in?

Yeah, but then the associated breach of contract provides solid ground for a lawsuit.

You'd have thought of that if you weren't so eager to call me names.

Re:

[Cervantes]

Please let me know what your algorithm is for a valid user name. As far as I know, they are free text (which seems perfectly valid.) As for the other information, it would pass your typical regex for validation. If oracle gets a phone number, should they call it to validate that the person has the same information as the login gave. Do you run a website that does something similar, and has the same number of hits the Oracle website does?

I appreciate a holy-than-thou attitude, but please tell me what site YOU are in charge of the security for (and if I can then pass in crap like the above, then you're in for a nice big plate of humble pie, slashdot style.) Alternatively, you're talking out your ass.

I have this funny thing, when I issue a username, I actually make sure it is valid and usable. Similarly, when a website of mine asks for a username, it tends to check and see if that username is actually valid before allowing the user to proceed. The way these logins are presented in the suit, it certainly seems like SAP just made up some random usernames, and Oracle just let them in.

Also, I like to do other, holier-than-thou things, like requiring passwords, and expiring users passwords when their contra

Re:

[EonBlueTooL]

My name is Üser you insensitive clod!

The complaint seems to be rather convincing

[whitehatlurker]

A bunch of soon-to-be-ex customers of Oracle (who are in the process of moving to SAP) log in from SAP computers and download all kinds of support information. It might be a bit more than coincidence.

One has to wonder if there was a discount if you passed along your Oracle support credentials. That would be an interesting marketing strategy.

One problem is that these customers downloaded files which weren't supposed to be made available to them under the terms of their support contracts. Why were their accounts able to get to these files then? I'm not sure that Oracle would want to admit they can't control the security of their own website, even if it boosts the credibility of the rest of their complaint.

Skip the press release and go right to the Complaint [oracle.com]. (IT IS A PDF!! You've been warned.)

Re:

[KnuthKonrad]

A bunch of soon-to-be-ex customers of Oracle (who are in the process of moving to SAP) log in from SAP computers and download all kinds of support information. It might be a bit more than coincidence.

Than again, suppose you're a Oracle customer who's to switch over to SAP. You won't do that on a friday's night within 2 hours. You're more likely to contact SAP and set up a migration project. SAP might ask you for documentation of your current software/environment and tools that might help with the migrati

Personnally...

[bobcat7677]

I don't blame SAP for using whatever backchannel means nessasary to access Oracle's knowledge base. I'm sure it was completely out of nessesity to support their customers. It has always baffled me how completely locked down Oracle is when it comes to their support. If you are not paying on a support contract and have a login with sufficient rights, there is basically nothing to see of any use on their website. As a deveoper trying to evalute a demo copy of the DBMS, I found it comepletely useless and ultimately was not able to get the demo to work because I couldn't get any support on it. The "big evil corporation" Microsoft doesn't have any problem putting their knowledgebase and troubleshooting guides out for public consumption, why does Oracle need to keep their's a closely guarded company secret?

Oh, and I think what they were referring to with the phrase "Thousands of proprietary software products" was all the patches for their DBMS.

Re:Personnally...

[Anonymous Coward]

Ever heard of OTN?

http://otn.oracle.com/ [oracle.com] hosts the entire documentation library of every oracle product.

There's also http://forums.oracle.com/ [oracle.com]

All it takes is just a little looking around and you can find help...no need to blame Oracle for keeping everything under lock and key...because they certainly don't.

Re:

[bobcat7677]

I got all excited there for a minute that maybe I had missed something or something had changed in the Oracle camp. So I actually tried to access some content at otn.oracle.com. It teased me a little as if I was going to get some love. But then I was presented with the framilliar "please log in to access this content" box.

OTOH, I was able to view stuff in the forums mentioned and they actually seemed helpful. So that is an improvement over what I saw a couple years ago.

Re:

[cmdrbuzz]

For OTN you just need to have an Oracle ID which is free to register. Just follow the links.
Metalink (Oracle Support site) on the otherhand, is not freely accessible and in my opinion should be.

Re:

[mandelbr0t]

I love not being able to access Metalink. It was great in school when I had to wait 2 extra days to track down a DBA with a Metalink password just so I could install on Linux, and it's great that Database 10g EM won't work until after Sunday. (</sarcasm>)

Seriously though, some of the patches on Metalink are critical to developers. No, we don't have an Oracle support contract, but Oracle wouldn't get very far without developers. Patches for the free downloads should be available, even if you have to re

Oracle and SAP are competing h4><0r teams

[HomelessInLaJolla]

This is way too similar [slashdot.org] to be coincidence. Reread the summary [slashdot.org] and then quote [secureworks.com]:

Several other hosted web sites...were located with a script designed to "spider" some IP address ranges for hosted servers that are commonly...used for this purpose. Since it is almost always hosted on the main page, only that page was searched. ...there are two other variants of the client-side executable.

This file listing shows several directories and archive files. One of these files contains the server-side code used to collect the data. The other file contains server-side code for an administrator interface and a "customer" interface for data mining.

They are CGI applications written entirely in perl...There are perl modules, written as plug-ins for the server-side framework, for parsing out and storing the information collected by each of these and code for sending options data. There is code for loading the flat files produced by the collection code into MySQL...The front-end code provides a nice login page, generates views into indexed data, and provides account management.

This interface is designed so that an administrator adds customer accounts to the database. Customers can also log in and get results from queries based on certain fields (URL, form parameters, and so on). Each of these customer-generated queries has an associated price.

There are also other files that set default parameters, a default MySQL username and password for example. None of these default values worked on this server.

The stolen data is held in directories whose names can be guessed. Using the base directory from the perl code (translated according to the web server's DocumentRoot), combine these with version_id and user_id (generated ID for each infection) for subdirectories, and one can brute force directory names....one can script the wget utility and fetch of all the data residing on the server. There is no need to query the MySQL database.

the results added up to more than $2 million.

And that, your honor, is exactly how SAP went about stealing Oracle's trojan, errr, proprietary customer management code.

From the summary:

in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'"

Did the customer support website look like [secureworks.com] this [76service.com], or this [undernet.org]?

Thats nasty - i hope oracle loses

[steveoc]

Its a fine line there -

We have several login accounts with several oil companies to place orders for fuel cards and collect transactions via a number of (very convoluted) websites, on behalf of fleets in the thousands.

Like any sensible organisation, we sit around having coffee and cakes and BBQ's all day, whilst cron jobs kick off CURL scripts to do all the hard work and earn all the money.

By Oracle's definition, we may be treading some fine line of DMCA violation. Fuck, I hope not - I love my friday arvo B

Does anybody here

[xx01dk]

actual like using SAP? I have yet to come across anyone who does. Sure it works and has lots of neat features but seriously, those of us "in the trenches" who must use it regularly... well I for one would rather pull my hair out than use SAP...

Yeah it's OT but I'm curious. If Oracle DID somehow manage to snap it up, would/could they make it any better?

Re:

[Anonymous Coward]

No. SAP's programs might be useful, but their interfaces were concieved the moment Xerox Parc said the words "Mouse" and "Window" and never improved. Using their software is like stepping back in time 20 plus years.

I can't understand why management puts up with roadblocks like a horrible interface, which makes things more time consuming to do, after all of our complaining.

And, Oracle drivers corrupted one of our queries to a 9i DB so badly that our app could not function, and eventually SQL Server ran out

See the good in all this

[billcopc]

I'm kind of glad SAP is getting sued.... I don't like Oracle any better, but seeing SAP die means I'll have one less mega spaghetti app to maintain on my résumé. Now if only they could sue the shit out of Cognos my life would be complete.

It's bad enough having two support multiple operating systems, supporting multiple "business intelligence" suites is about as fun as trying to shove a grizzly bear up your own ass. These projects are so "large" they seem to be written by a thousand different cod

Oracle is the Next SCO

[tjasond]

Oracle is a company that appears to be driven by talented technical folks with blinders on. I'm only a techie, so I could be completely wrong here, but how many times has Oracle tried to reinvent the wheel rather than buy companies with the capabilities they were looking for? There are too many to list here, but after browsing their site (over the course of several years, which you'll have to do if you ever want to use their database product), they have invested a lot into things that they should have acq

Re:Oracle is the Next SCO

[Funks]

>For instance, they have some kind of ORM tool, but JBoss bought Hibernate, which has now become nearly standard, as much of it is backed by/included with EJB 3. Adobe bought JRun from Alaire which, at the time, Oracle had the cash to purchase. Instead, as far as I know, Oracle chooses not to provide their own Servlet container. Furthermore, they probably could've bought BEA at some point, but chose not to. Arguably this could have made them be what it appears they're trying to become - an end to end solution for application development.

Oracle has a lot of technology revolving around Java. For example, the ORM you are talking about is TOPLINK (which they bought a while back). Several of their engineers worked on the JPA (Java Persistence API) JSR, along with some of the hibernate guys. The result, we now have JPA (which Toplink and Hibernate support) instead of the POS EJB2 specs. Oracle is open sourcing Toplink and you can use as your JPA provider if you wish (along with Hibernate, or OpenJPA from Apache). I personally would use either TopLink or Hibernate for JPA as both those products are well supported and are stable (they've been around for a while). In regards to the J2EE server, Oracle does have a J2EE container (which also includes a servlet engine), it's called OC4J (Oracle Container for J2EE). They've had that for a *REALLY* long time, it used to be called Orion (which is as old as the Jboss J2EE server).

Java is doing well in enterprise development. The big boys are all gearing their future towards it. Look at Oracle's Fusion which leverages their J2EE stack, SAP is also doing the Java/J2EE thing with their Netweaver platform. And let's not forget IBM's WebShere Java Portfolio. Then there's the other lesser 3-lettered company's like SUN, BEA and etc..

Who would *steal* Oracle support?

[Mongoose Disciple]

Not that I'm an SAP fan either, but based on my experiences trying to get good answers out of Oracle's support materials in the past, I'm baffled as to why anyone would even want a copy of it.

Don't get me wrong, there are projects where I'd still use Oracle even so, but if I need Oracle support documents I'm probably going to Google and ignoring any of the responses that go to oracle.com. Generally, some random yahoo on the internet has done a better job of explaining Oracle's products/bugs/problems.

Re:

[Rone]

if I need Oracle support documents I'm probably going to Google and ignoring any of the responses that go to oracle.com. Generally, some random yahoo on the internet has done a better job of explaining Oracle's products/bugs/problems.

Judging from the first few pages of the complaint (the PDF linked in TFA), the "theft" included software patches and updates, not just documentation.

That said, I can't say that Oracle's documentation is that bad. It's usually pretty useful, once you invest the hours it ta

Re:

[Stone316]

I call your bluff. If you work with Oracle, Metalink is irreplacable. I would say 90% of the time I get an answer from their knowledge base. 5% from google searches and the last 5% from Oracle Support.

Hard to Believe

[KidSock]

Oracle's site is so bad the phone support guys are quick to point it out *to you*. I find it hard to believe SAP would want anything from their site. Oracle has one good product - their RDBMS. It's a diamond in a bowl of mush. I wish they would stop goofing off with other crap and just polish that nut to a high gloss. Remember when they introduced their Java installer? Ha ha.

I don't understand

[icepick72]

But why would SAP spider Oracle's support site? What could they do with support information?

Why Would They Do This?

[canfirman]

I don't get it. If SAP *did* steal Oracle's code, why would the *want* to do this? SAP is the number 1 application suite in use in the *world*. It doesn't make sense for them to steal code.

Could this lawsuit be nothing more than Larry being Larry?

There's an interesting quote from The Globe And Mail article on this: [theglobeandmail.com]

"This isn't really about protecting intellectual property," said Forrester Research analyst Ray Wang. "This is all about the art of war."

Re:

[Joncbeall]

Quote: "don't get it. If SAP *did* steal Oracle's code, why would the *want* to do this? SAP is the number 1 application suite in use in the *world*. It doesn't make sense for them to steal code.
Could this lawsuit be nothing more than Larry being Larry?"

Because it wasn't just SAP AG (the packaged apps side of the house), but rather the TomorrowNow division of SAP, who *sells* 3rd party support for Oracle applications (JDE, PSoft, and Siebel). That why the support doc's, patches, and other info form

You know what Oracle stands for right????

[MrJerryNormandinSir]

One
Raging
Asshole
Called
Larry
Ellison

If any of you have ever had to deal with him or his company, you would know where I am comming from.