
Federal privacy regulations usher in the age of tech lawmakers

Tech companies that have successfully lobbied against stricter privacy regulations are facing pushback from consumers on their latest campaign to curtail data privacy rights.

Big tech’s call for federal regulation comes amid a reactionary call for privacy rights, as data breach media coverage has exposed companies’ poor management of personal information and piqued consumers’ data protection concerns.  

“Consumers are seeing data breaches and privacy mistakes in the news every single day, and the breaches are getting larger in scope. And the number of individuals impacted seems to be larger for every single one,” said Nicholas Merker, partner and co-chair of the data security and privacy practice at Ice Miller, based in Indianapolis. “People understand that some companies are misusing their data or not protecting their data appropriately, and it’s creating a risk for these individuals.”

Shortly after GDPR — the European law that unified data privacy protection and specified consumer rights to their personal data — went into effect last spring, California passed the California Consumer Privacy Act (CCPA) of 2018. The new state law gives users the right to request details about individual data collected by the companies they do business with and to delete personal data without penalty to service.

Now, tech giants like Facebook, IBM and Microsoft are playing offense and proposing federal privacy regulations that override the California rules.

As the fight between state and federal laws plays out, CIOs and their data privacy experts may well find themselves advising their companies on where to come down on data privacy rights.

A company’s best course will likely depend, in large part, on where it does business, how it makes money and how much its customers value data privacy.

Why the push for federal law?

Tech companies with multistate operations are gunning for the federal law in order to avoid having to comply with up to 50 competing jurisdictions. Experts expect other states to begin following in California’s footsteps by amending or creating state privacy laws.

The CCPA has certainly set the bar for other like-minded states, said Erin Illman, co-chair of Bradley’s cybersecurity and privacy practice group and member of the North Carolina Bar Association’s Privacy and Data Security Committee.

“You’re going to see the states that have taken a forward stance in privacy start to really look at California and say, ‘Maybe we need to amend our laws that are already on the books, but maybe we also need to put forward a similar law or something that even goes farther than California,’” Illman said.

But big tech’s effort to get a federal law passed is not just about sparing itself the headache of state-specific compliance, experts said; it is also about preserving profits as companies grow concerned about whether their businesses can survive stricter rules.

And if we look to the GDPR as a model for U.S. legislation, we must also examine the immediate aftermath, Merker said.

“The GDPR is a great example of what [strict federal privacy legislation] would do to the behavioral advertising firm, targeted advertising firm, company index firm industry — it would destroy it,” Merker said.

“When GDPR was implemented for publicly traded companies, you saw massive drops in stock prices; you saw some companies that just no longer existed, because their practices are no longer legitimate under the GDPR.”

Data: The new dollar

Data privacy experts advise CIOs keep a close eye on the proposed legislation and its framework, including exactly whom it seeks to regulate.

For example, one of the proposals for the federal privacy regulations defines consumers as users who have purchased something from the company. Under this definition, social media businesses like Facebook and email businesses like Gmail that do not charge for their services or sell products would have far fewer reportable consumers than sites that sell a product or charge a nominal fee for service. Even a $1 yearly fee makes each individual a consumer whose privacy is protected instead of a user who remains exempt from privacy regulations.

Experts noted that this distinction shows the defining characteristic of online business: Data is money.

“Personal information is the currency of the internet — more so than bitcoin, more so than the dollar. [Data] is what is being bartered for services and then sold for revenue,” said Nader Henein, research director of data protection and privacy at Gartner.

“Like any other currency, it needs to be regulated. Otherwise, it loses its value, and it’s inconsistent.”

Love affair gone sour

In the face of big tech’s all-out lobbying effort for the federal law, data privacy interest groups have not hung back. Instead, they are taking advantage of growing consumer sentiment that the titans of Silicon Valley can delight customers and still not have their best interest at heart.

The inability of business to prevent massive data breaches that expose sensitive information has also fueled consumer interest in wanting more control over personal data. 


A major point on the tech companies’ list of wishes is self-regulation and the creation of industry guidelines with no legal or financial penalty for noncompliance. Trade groups such as the U.S. Chamber of Commerce, the Internet Association and the Information Technology Industry Council are all pushing for voluntary standards.

Tech companies’ C-suites claim they know exactly what data is being collected, how it’s used and, ultimately, how to protect it. They argue self-regulation allows for flexible compliance that protects privacy and the ability to remain profitable.

Privacy advocates, on the other hand, cite years of improper data management, privacy violations and data breaches as examples of the whittling of trust that’s occurred between the general public and tech businesses.

“There’s a lot of trust that’s been lost between the general public and between privacy advocates and business,” Illman said. “Because of that loss of trust, the concept of self-regulation is something that privacy advocates are pushing back against and saying, ‘You know, we don’t really trust you to regulate yourselves.’”

So, what’s the next battle move? The proposal and establishment of federal privacy regulations could be a positive change if companies develop strategies that are fair, transparent and create a more equal benefit for company and user.

“Internationally, America seems like we are now behind the times when it comes to privacy law,” Merker said. “All privacy advocates want America to catch up and be standing with the rest of the world.”

Physical security keys eliminate phishing at Google

Google claims it has completely eliminated successful phishing attacks against its employees through the use of physical security keys and Universal Second Factor.

Google began introducing and evaluating physical security keys in 2014 and by early 2017 all 85,000-plus Google employees were required to use them when accessing company accounts. In the time since, the company told Brian Krebs, no employee has been successfully phished.

A Google spokesperson said the decision to use the Universal Second Factor (U2F) physical security keys instead of software-based one-time-password (OTP) authentication was based on internal testing.

“We believe security keys offer the strongest protections against phishing,” a Google spokesperson wrote via email. “We did a two-year study that showed that OTP-based authentication had an average failure rate of 3%, and with U2F security keys, we experienced zero percent failure.”

Lane Thames, senior security researcher at Tripwire, based in Portland, Ore., said the main reason these software-based apps are less secure is “because attackers can potentially intercept these OTPs remotely.”

“Another issue is the bulk production of OTPs that users can store locally or even print. This is done in order to make the 2FA [two-factor authentication] process a little easier for end users or so end users can save OTPs for later use, if they don’t have access to their phones when the code is needed,” Thames wrote via email. “This is akin to a similar problem where users write passwords and leave them around their workspace.”

However, John Callahan, CTO at Veridium, an identity and access management software vendor based in Quincy, Mass., noted that there are also benefits to users opting for 2FA via smartphone.

“Some people who use a U2F key fear losing it or damaging it. This is where biometrics can play a key role. Methods using biometrics are helping to prevent attacks,” Callahan wrote via email. “Using biometrics with the Google Authenticator app is a secure solution, because a mobile phone is always nearby to authenticate a transaction.”

Moving companies to physical security keys

Physical security keys implementing U2F were the core part of Google’s Advanced Protection Program, which it rolled out as a way for high-risk users to protect their Google accounts. A physical security key, like a YubiKey, can authenticate a user simply by inserting the key into a computer, tapping it against an NFC-capable smartphone or connecting to an iOS device via Bluetooth.

Nadav Avital, threat research manager at Imperva, based in Redwood Shores, Calif., said, “in an ideal world,” more companies would require multifactor authentication (MFA).


“In general, physical keys offer better security, because software-based authentication relies on a shared secret between the client and the provider that can be discovered. Unfortunately, most people don’t use [2FA or MFA], neither physical nor software-based, because they don’t understand the implications or because they prefer simplicity over security,” Avital wrote via email. “Clients can suffer from fraud, data theft or identity theft, while the company can suffer from reputation damage, financial damage from potential lawsuits and more.”
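The two points above, that a relayed OTP is accepted because the server cannot tell where it was typed, while a security key's assertion is bound to the origin the browser saw, as an added example that is not Google's or any vendor's code. The OTP is real RFC 6238 TOTP; the origins are constructed, and the key's signature is a toy textbook-RSA pair with tiny hard-coded primes so the block runs on the standard library alone (real U2F tokens use ECDSA P-256).

```python
"""Model of OTP phishing relay vs. origin-bound U2F assertion (added example)."""
import hashlib
import hmac
import os
import struct

RP_ORIGIN = "https://accounts.example.com"           # constructed relying-party origin
PHISH_ORIGIN = "https://accounts-example.com.phish"  # constructed look-alike origin

# ---- OTP: ONE shared secret, held by the user's authenticator app AND the server ----
OTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, used as the constructed shared secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_relay_succeeds(unix_time: int) -> bool:
    """Victim types the code into the look-alike site; the attacker forwards it to the
    real server inside the 30 s window. The code carries no notion of WHERE it was
    typed, so the server cannot distinguish the relayed login from a genuine one."""
    code_typed_on_phish_site = totp(OTP_SECRET, unix_time)   # victim's authenticator output
    server_side_code = totp(OTP_SECRET, unix_time)           # server recomputes from the same secret
    return hmac.compare_digest(code_typed_on_phish_site, server_side_code)


# ---- U2F: private key never leaves the token; the server stores only the public key ----
_P, _Q, _E = 1000003, 1000033, 65537                   # toy primes: illustration only, NOT secure
_N = _P * _Q
_TOKEN_PRIVATE_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # lives inside the hardware key only
SERVER_PUBLIC_KEY = (_N, _E)                           # nothing here lets the server forge a response
_token_counter = 0


def _digest_int(data: bytes) -> int:
    """SHA-256 of the signed data, reduced into the toy RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


def token_sign(origin_seen_by_browser: str, challenge: bytes):
    """What the key signs: hash of the origin the BROWSER observed, a monotonic
    counter and the server's challenge. The web page cannot choose the origin."""
    global _token_counter
    _token_counter += 1
    signed = (hashlib.sha256(origin_seen_by_browser.encode()).digest()
              + struct.pack(">I", _token_counter) + challenge)
    sig = pow(_digest_int(signed), _TOKEN_PRIVATE_D, _N)
    return sig.to_bytes((_N.bit_length() + 7) // 8, "big"), _token_counter


def server_verify(challenge: bytes, counter: int, signature: bytes, last_counter: int) -> bool:
    """Relying party rebuilds the signed data with ITS OWN origin and checks the
    signature with the public key; a counter that did not advance suggests a cloned key."""
    n, e = SERVER_PUBLIC_KEY
    expected = (hashlib.sha256(RP_ORIGIN.encode()).digest()
                + struct.pack(">I", counter) + challenge)
    sig_ok = pow(int.from_bytes(signature, "big"), e, n) == _digest_int(expected)
    return sig_ok and counter > last_counter


def u2f_login(browser_origin: str) -> bool:
    """Full exchange. In the relay case the phishing page forwards the server's real
    challenge, but the victim's browser is on PHISH_ORIGIN, so the token signs that
    origin and the server's check against RP_ORIGIN fails."""
    challenge = os.urandom(32)                         # issued by the real server
    signature, counter = token_sign(browser_origin, challenge)
    return server_verify(challenge, counter, signature, last_counter=0)
```

Calling `otp_relay_succeeds(...)` returns True while `u2f_login(PHISH_ORIGIN)` returns False: the shared-secret scheme cannot see the relay, the origin-bound signature cannot survive it.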

Richard Ford, chief scientist at Forcepoint, a cybersecurity company based in Austin, Texas, said worrying about the best way to implement 2FA might be premature, as “we still have oodles of companies still using simple usernames and passwords.”

“Getting off that simple combo to something more secure provides an immediate plus up for security. Look at your risk profile, and try and peer a little into the future,” Ford said. “Remember, what you plan today won’t be reality for a while, so you want to skate to where the puck is going. With that said, please don’t let perfect be the enemy of good.”

Petitioning the board

Experts noted that not all IT teams will have as easy a time convincing the board to invest in making physical security keys or another form of multifactor authentication a requirement as Google would.

Matthew Gardiner, cybersecurity expert at Mimecast, a web and email security company based in Lexington, Mass., suggested framing the issue in terms of risk reduction.

“It is hard to quantify risk unless you have experienced a recent breach. Using MFA is not a theoretical idea; it is now a security best practice that is incredibly cheap and easy to use from a multitude of vendors and cloud service providers,” Gardiner wrote via email. “I can only assume that if organizations are still only using a single factor of authentication in support of B-to-B or B-to-E applications that they must think they have nothing of value to attackers.”

Ford said it was probably best not to spear phish the board for effect, “no matter how tempting that might be.”

“I would, however, suggest that the Google data itself can be of tremendous value. Boards understand risk in the scope of the business, and I think there’s plenty of data now out there to support the investment in more sophisticated authentication mechanisms,” Ford wrote. “Start with a discussion around Google and their recent successes in this space, and also have a reasoned — and money-based — discussion about the data you have at risk. If you arm the board with the right data points, they will very likely make the right decision.”

New Spectre variants earn $100,000 bounty from Intel

Researchers found new speculative execution attacks against Intel and ARM chips, and the findings earned them a $100,000 reward under Intel’s bug bounty.

The new methods are themselves variations on Spectre v1 — the bounds check bypass version of Spectre attacks — and are being tracked as Spectre variants 1.1 and 1.2.

The new Spectre 1.1 has also earned a new Common Vulnerabilities and Exposures (CVE) number, CVE-2018-3693, because it “leverages speculative stores to create speculative buffer overflows,” according to Vladimir Kiriansky, a doctoral candidate in electrical engineering and computer science at MIT, and Carl Waldspurger of Carl Waldspurger Consulting.

“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming gadgets that can be used to build alternative attack payloads,” Kiriansky and Waldspurger wrote in their research paper. “In a speculative data attack, an attacker can (temporarily) overwrite data used by a subsequent Spectre 1.0 gadget.”

Spectre 1.2 does not have a new CVE because it “relies on lazy enforcement” of read/write protections.

“Spectre 1.2 [is] a minor variant of Spectre v1, which depends on lazy PTE enforcement, similar to Spectre v3,” the researchers wrote. “In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers and code metadata, including v-tables [virtual tables], GOT/IAT [global offset table/import address table] and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.”

As the research paper from Kiriansky and Waldspurger went live, Intel paid them a $100,000 bug bounty for the new Spectre variants. After the initial announcement of the Spectre and Meltdown vulnerabilities in January 2018, Intel expanded its bug bounty program to include rewards of up to $250,000 for similar side-channel attacks.


Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, also noted that the research into these new Spectre variants was partially funded by Intel.

“When implemented properly, bug bounties help both businesses and the research community, as well as encourage more security specialists to participate in the audit and allow CISOs to optimize their security budgets for wider security coverage,” Bilogorskiy wrote via email. “These bugs are new minor variants of the original Spectre variant one vulnerability and have similar impact. They exploit speculative execution and allow speculative buffer overflows. I expect that more variants of Spectre and/or Meltdown will continue to be discovered in the future.”

ARM and Intel did not respond to requests for comment at the time of this post. ARM did update its FAQ about speculative processor vulnerabilities to reflect the new Spectre variants. And Intel published a white paper regarding bounds check bypass vulnerabilities at the same time as the disclosure of the new Spectre variants. In it, Intel did not mention plans for a new patch but gave guidance to developers to ensure bounds checks are implemented properly in software as a way to mitigate the new issues.

Advanced Micro Devices was not directly mentioned by the researchers in connection with the new Spectre variants, but Spectre v1 did affect AMD chips. AMD has not made a public statement about the new research.

Wanted – Cheap/free HDMI monitor for teaching with Raspberry Pis

Didn’t see anything against the rules for threads like this. Mods, please accept my apologies in advance and remove this thread if I’m breaking any rules.

I’m teaching some children some computer science basics in my neighbourhood. We have some Raspberry Pi Zeros (edited on 12/07/2018 to reflect we have Pi Zeros, not Pis!), but no dedicated display units. I’ve been using my TV for this, but the number of children has increased, so we need additional displays. The only requirement is that they be able to accept an HDMI input and work.

I’m looking for something as cheap as possible. I can make a small donation to charity or pay a small cost for anyone supplying a monitor.

I can collect from Berkshire or Bristol by arrangement.

Location: Bracknell, Berkshire

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.


RAMpage attack unlikely to pose real-world risk, says expert

A group of researchers developed a proof of concept for a variant of the Rowhammer exploit against Android devices and proved that Google’s protections aren’t enough, but one expert said the RAMpage attack is unlikely to pose a real-world threat.

A team of researchers from Vrije Universiteit Amsterdam, the University of California at Santa Barbara, Amrita University of Coimbatore, India and EURECOM — including many of the researchers behind the Drammer PoC attack upon which RAMpage was built — created both the RAMpage attack against ARM-based Android devices and a practical mitigation, called GuardION.

According to the researchers, the most likely method for attacking a Rowhammer vulnerability on a mobile device is through a direct memory access (DMA) based attack.

As such, they developed the RAMpage attack, “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses,” researchers wrote in their research paper. “To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks — the main attack vector on mobile devices — by isolating DMA buffers with guard rows.”

The researchers said a successful RAMpage attack could allow a malicious app to gain unauthorized access to the device and read secret data from other apps, potentially including “passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.” However, lead researcher Victor van der Veen was careful to note it is unclear how many devices are at risk because of differences in software.

“With RAMpage, we show that the software defenses that were deployed to stop Drammer attacks are not sufficient. This means that the only remaining requirement is having buggy hardware. Since we have seen bit flips on devices with LPDDR2, LPDDR3, and LPDDR4 memory, we state that all these devices may be affected, although it is uncertain how many,” van der Veen wrote via email. “Local access is required. This means that the attacker must find a way to run code (e.g., an app) on the victim’s device. A second requirement is that the device needs to be vulnerable for the Rowhammer bug: it is unclear what percentage of devices expose this issue.”

In a statement, Google downplayed the dangers of the RAMpage attack: “We have worked closely with the team from Vrije Universiteit and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

Google also asserted that newer devices include protections against Rowhammer attacks and “the researcher proof of concept for this issue does not work on any currently supported Google Android devices,” though Google did not specify what qualified as a “currently supported Google Android device.” 

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said this could mean “that ‘currently supported devices’ refers to Android builds to which Google still issues security patches, which means that Android Marshmallow (6.0) and above may not be susceptible” to the RAMpage attack. According to Google’s latest platform numbers, more than 62% of Android devices in the wild are above this threshold.

However, van der Veen thought Google might be referring to its own handsets.

“I believe they hint at the devices that fall under their Android Reward program, which is basically the Pixel and Pixel 2. We did manage to flip bits on a Pixel, and I think that it is likely that there are Pixel phones out there on which the attack will work,” van der Veen wrote. “I don’t see criminals exploiting the Rowhammer bug in a large-scale fashion. It is more likely to be used in a targeted attack. I do think that Google can do a bit more though.”

Arsene agreed that the RAMpage attack does appear “very difficult and unlikely to happen on a mass scale.”

“Attackers would have to know in advance the type of device the target owns, because some manufacturers and OS builds implement different row sizes (e.g. 32KB, 64KB, 128KB), making the attack significantly more complex and less reliable,” Arsene wrote via email. “Google may be right in saying the attack should not be of concern to average users, but it could be used in highly targeted attacks that involve stealthily compromising the device of a high priority individual. For mass exploitation of Android devices there are likely other, less sophisticated methods for compromise. Attackers will often go for the path of least resistance that involves maximum efficiency and minimum effort to develop and deploy.”

GuardION defense

Despite the relatively low likelihood of the RAMpage attack being used in the wild, researchers developed a mitigation based on protecting Google’s ION DMA buffer management APIs, which were originally added to Android 4.0.

“The main reason for which defenses fail in practice is because they aim to protect all sensitive information by making sure that they are not affected by Rowhammer bit flips. Hence, they are either impractical or they miss cases,” the researchers wrote in their paper. “Instead of trying to protect all physical memory, we focus on limiting the capabilities of an attacker’s uncached allocations. This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data.”


Van der Veen added via email, “I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts. I think there is also (scientific) value in our breakdown of other proposed mitigation techniques and how they apply to mobile devices, plus our proposed defense, GuardION.”

GuardION may not be real-world ready either though. The researchers noted that Google said the mitigation technique resulted in too much “performance overhead” in apps, but they continue to work with the Android security team “to figure out what a real-world benchmark looks like so that we can hopefully improve our implementation.”

Arsene said “the existence of security research that exploits hardware vulnerabilities does not necessarily mean that users will be more at risk than before.”

“Some of it is purely academic and the practical applications of weaponizing this type of research may never become a reality for the masses,” Arsene wrote. “However, users should realize that unpatched, outdated, and unsupported devices and operating systems will always involve significant security risks to their privacy and data.”

Suit alleging SAP HANA database built on stolen IP questioned

A lawsuit against SAP, in which Teradata alleged intellectual property theft led to the development of the SAP HANA database, raises more questions than it answers, according to consultant Joshua Greenbaum.

“The main issue that would be of concern to SAP, in my opinion, has to do with bulk data load — the ability to pump that much data into a system like HANA,” said Greenbaum, principal at Enterprise Applications Consulting. “That was a big issue when HANA was first developed and announced, and it’s obviously an important capability.”

However, what the columnar in-memory SAP HANA database does and what Teradata’s relational database products do are vastly different, making the idea of the lawsuit questionable (see sidebar).

“My initial reaction is that this is sour grapes. Here’s a company that’s being shut out of a data warehouse market that it helped create and feels that SAP has done this in an illegal or illicit way,” Greenbaum said. “The idea that companies like Teradata are being disadvantaged in the market because vendors like SAP — Oracle does this as well — have put transactional and data warehouse functionality into the same database, that’s absurd for Teradata to think that it’s an illegal use of market position or in any way an infringement on a purely technical standpoint, because that’s simply how the market has evolved.”

SAP may feel negative effects of suit


HANA is well-established enough that SAP probably doesn’t have to be too concerned, at least in the technical aspects of the case. But Greenbaum said SAP can’t dismiss any potential negative effects entirely. The allegation that SAP used the joint venture as a bait-and-switch to gain intellectual property (IP) illicitly could be problematic, particularly in light of a lawsuit brought by Oracle in 2008 that alleged SAP illegally downloaded Oracle software for its now-defunct TomorrowNow support unit.

The Oracle suit against SAP was settled in 2014.

“It’s concerning that the last time SAP got caught out in a big lawsuit with the TomorrowNow case, it turned out to be a genuine problem, as someone was misappropriating information in a clearly illegal way,” he said. “I don’t believe SAP does this culturally and that it’s a systemic issue, but it’s a little disconcerting to see an allegation like that resurface.”

SAP’s track record of developing the SAP HANA database on its own should support the technical issues in the lawsuit, Greenbaum said.

“But even if it were proven that there were some illicit acquisition of IP that contributed materially to the development of HANA, I don’t think that’s going to stall anything; that’s a licensing problem that SAP would have to settle,” he said. “From a purely technical standpoint, if I didn’t do those things and can prove it, I would tell them to take a hike.”

Borrowing ideas from previous technologies is common

Teradata is obviously displeased with some past actions taken by SAP, but its exact motives for bringing the lawsuit are unclear, said Curt Monash, president of Monash Research and a technology analyst who follows the database management industry.

HANA has a different approach than Teradata’s RDBMS products, but there are overlapping use cases between the two technologies, Monash said. And it’s conceivable that SAP could have obtained some ideas from Teradata’s technology that it could have implemented in the SAP HANA database. However, it seems unlikely that Teradata had much, if anything, to do with the original development of HANA.

“HANA’s origins are well-known, and they have little to do with Teradata, so this would only be a question of certain particular ideas,” Monash said. “I would not be at all surprised to discover that there were certain technical ideas first used by Teradata earlier than they were implemented in HANA, but I would not at all assume that that would mean there was a serious trade secret violation. In general, database management systems borrow all sorts of ideas from predecessor technologies, or improve upon them and then implement them, and nobody thinks this is wrongful.”