Godzilla vs. Megalon?

How else to describe a court battle between the two titans of enterprise software, Oracle and SAP? Heavyweights, both.

On March 22, 2007, Oracle filed suit against SAP alleging corporate theft. Per Oracle's filing:

"This case is about corporate theft on a grand scale, committed by the largest German software company—a conglomerate known as SAP," the lawsuit says. "From that Web site, SAP has copied and swept thousands of Oracle software products and other proprietary and confidential material onto its own servers."

My initial reaction to the news was "Whoa. SAP just made a big mistake". In the fullness of the news cycle, however, further details arrived, via a story in one of last week's issues of the WSJ (subscription req'd) entitled "SAP Unit Denies Oracle's Claims":

According to the complaint, TomorrowNow in some cases accessed information using log-in information for Oracle customers with expired support contracts. In other cases, TomorrowNow accessed information beyond what customers were entitled to access, according to the suit.

My reaction after reading this bit of news, in a story focused on SAP's proclamation of innocence, was that Oracle's position isn't quite as iron-clad as it had first appeared to be. 

I'm not the only one who thinks so. Wired Magazine, in an interesting article, also from last week, entitled "Is Oracle Using Computer Crime Law to Squelch Competition?" questions how different the case would be had the Oracle customers simply provided written manuals in their possession to the SAP subsidiary. Further, Jennifer Granick, the author of the Wired article, doesn't pick a likely winner in the case, but seems dismayed at the prospect of Oracle succeeding in its suit simply because the access was electronic rather than physical.

There's a larger issue that occurred to me in this matter, however. I'm no Oracle maven, but I remember quite vividly the marketing campaign Oracle ran earlier this decade touting "Unbreakable: Oracle's Commitment to Security". Ever since the 2002 debut of that campaign, naysayers have been a dime a dozen. In fact, Oracle itself, by its actions if not its advertising rhetoric, has admitted as much. No less a luminary than Bruce Schneier, founder & CTO of BT Counterpane, was quoted thusly:

When they say their software is unbreakable, they're lying.

Ouch. That could have left a mark, directed anywhere other than at Oracle's marketing department, I'd guess.

But unless Oracle has dispensed with the fiction that they, alone in the technology world, are capable of providing a secure database, application, or portal, it would seem as though they're begging for further ridicule when complaining that SAP (via its TomorrowNow subsidiary) was able not only to get into Oracle's systems with expired passwords, but that SAP was also able, as if by magic, to access areas to which those same customer passwords were not authorized.

Friends of mine with cooler heads have pointed out that, if Oracle were attempting to get a customer to sign a new maintenance agreement, they might well have avoided disabling access for those expired accounts. My rejoinder? That still doesn't explain or excuse the fact that their security over this information must be marginal, at best, if they allowed access to items for which the customers weren't authorized.

And one logical conclusion a court could, but wouldn't be forced to, draw, is that Oracle didn't think highly enough of the supposed "corporate secrets" to even put a lock on the door.

Advantage, SAP?

(also posted at issuesblog.com)

Posted by Patton Patton