Access control in real life.

March 12, 2010

Rimini Street offers third-party support for Siebel, PeopleSoft, SAP, and JD Edwards software.

Oracle is suing them because they claim that Rimini is gaining access to support materials surreptitiously through Rimini clients’ online support credentials.  They sued SAP’s subsidiary TomorrowNow for the same thing in 2007.  In both cases Oracle uses the same language — that the target of the suit is involved in “[c]orporate theft on a grand scale”.

Here’s the meat from page 3 of the Rimini Street Complaint (Case 2:10-cv-106, US District Court Nevada):

Rimini Street typically logs on to Oracle’s password protected Technical Support websites using a customer credential, then downloads Software and Support Materials in excess of the customer’s authorization under its license agreement.  Sometimes Rimini Street will download hundreds or even thousands of Software and Support Materials at a time, relating to entire families of software (e.g., PeopleSoft, JDE, or Siebel) that the customer does not license and for which it has no use.

The same claim was made against SAP (March, 2007) in a San Francisco district court:

Instead, SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual Software and Support Materials.  For a significant number of these mass downloads, the users lacked any contractual right even to access, let alone copy, the Software and Support Materials.  The downloads spanned every library in the Customer Connection support website.

Rimini and TomorrowNow were using their customer’s access to download support materials from Oracle.  This is a common practice across the IT industry when consultants or contractors are supporting technology on behalf of a customer who purchased the technology.  Rimini, in the complaint, appears to have leveraged that access to download everything that the customer’s ID can touch — and customer support IDs could touch everything.  In both cases, Oracle’s complaint hinges on the claim that the agent for the customer violated authorization that has no corresponding technological control in place.  The suit against SAP/TomorrowNow was settled, and TomorrowNow no longer exists.  Given Oracle’s previous victory, a similar end is possible for Rimini.

Oracle is either trying to solve an access control deficiency through litigation, or are leaving their access control open to enable litigation.  They are clearly placing the burden of determining what a customer is licensed to download on the customer themselves.

A competent sysadmin for their support site could at the very least lock down access to materials by product in a matter of weeks, even in a dysfunctional bureaucratic environment.  The fact that they are leaving a known access control deficiency open for over three years does not imply good faith in protecting support materials on the part of Oracle.

This raises an interesting question.  Should you use strong technological controls to enforce contractual authorization, making violations a criminal matter, or should you employ lax controls and pursue violations through civil litigation?

One comment

  1. It strikes me as odd that the Oracle site would even allow a person to access materials they are not licensed for. Sounds like a bug on Oracle’s part.

Comments are closed.

%d bloggers like this: