Oracle Corporation et al v. SAP AG et al

Filing 772

Declaration of John A. Polito in Support of 771 MOTION No. 5: To Exclude Testimony of Defendants' Expert Stephen Gray filed by Oracle EMEA Limited, Oracle International Corporation, Oracle USA Inc., Siebel Systems, Inc. (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H)(Related document(s) 771 ) (Polito, John) (Filed on 8/19/2010)

Doc. 772 Att. 3

EXHIBIT C

Analysis of SAP TN's Collection and Use of Oracle Software and Related Materials
November 16, 2009, supplemented February 12, 2010
Proprietary and Highly Confidential

I. INTRODUCTION AND SUMMARY OF CONCLUSIONS

A. INITIAL REPORT

1. I, Kevin Mandia, submit the following expert report in the case Oracle USA, Inc., et al., v. SAP AG, et al., Civil Action Number 07-CV-1658, in the U.S. District Court for the Northern District of California, Oakland Division. This report has been supplemented to account for additional fact discovery received on or after November 1, 2009. I have been advised that pertinent fact discovery in this case is still outstanding, pursuant to a motion to compel. Furthermore, I understand that the expert discovery period extends until June 18, 2010, and that Defendants may be serving rebuttal reports on or before March 26, 2010. Accordingly, I reserve the right to modify or supplement this disclosure, or simply consider new information, if and when more information is made available to me, including both factual discovery and information provided by the experts for Defendants SAP AG, SAP America, Inc., (together, "SAP") and TomorrowNow, Inc. ("SAP TN," and together with SAP, "Defendants").

2. I have been asked by Plaintiffs Oracle USA, Inc., et al. ("Oracle") to render my opinions regarding the means and methods by which SAP TN accessed and downloaded from Oracle's customer support websites, as well as the nature and extent of SAP TN's copying, modification, distribution, and use of Oracle intellectual property to support SAP TN's customers.

3. As a result of extensive analysis and investigation by Mandiant, I have reached five overall opinions. Below I provide a detailed summary of my findings, based on analysis and corroborated by testimony.1

4. First, SAP TN's service model relied on mass downloading from and improper access to Oracle systems. A review of Oracle log files revealed SAP TN connected to Oracle servers and downloaded at least 992,420 files from September 1, 2006 through May 8, 2008. A review of SAP TN systems revealed additional downloads totaling over 9 million files related to Oracle Software and related support materials (SSMs). On several occasions, SAP TN connected to Oracle support websites over 600,000 times in a single day. In fact, SAP TN created specialized software, called Titan, to ensure the most expeditious collection of Oracle SSMs. SAP TN used this tool for data collection without regard for customer credentials or customer licenses.2

5. SAP TN used improper credentials and false pretexts to access Oracle support websites. SAP TN accessed Oracle support websites using a pool of credentials provided by third parties, and downloaded Oracle materials without regard to licensing. For example, a limited review of Oracle's log files and Data Warehouse for five SAP TN customers identified over 20,000 files downloaded for these customers for which they had no license. In other words, SAP TN used virtually any working credentials to download files indiscriminately.

6. SAP TN then copied, distributed, modified and used these downloaded Oracle Software and related support materials in numerous ways, including to support customers beyond

1 Mandiant has considered numerous evidentiary sources and other materials in performing the analysis and reaching the conclusions described in this report. A list of all such materials is provided in the attached Appendix and electronic appendices. To the extent such materials have not already been produced by or to Defendants in this matter, Mandiant is producing these materials in electronic form with this report. Many of the materials being produced are explicitly referenced in this report, in which case the report cites to a Bates-number assigned to a folder in the directory structure of the media being produced and which contains the referenced information.

2 Certain capitalized terms in these Conclusions are defined below in Section IV.

Page 1

SAP TN's Fixes were maintained on its computers and were delivered to their customers. The Environments containing these Fixes were also maintained by SAP TN.

15. Mandiant searched the SAP TN infrastructure and identified significant copies of Objects and SSMs that Oracle asserts are protected by its copyrights. It is Mandiant's understanding that these Objects are Protected Expressions subject to copyright. It is also Mandiant's understanding that Environments updated with Fixes constitute Derivative Works. Therefore, I conclude that SAP TN downloaded, modified, distributed and used a significant amount of material protected by the copyrights Oracle asserts in this action.

16. In summary, I have concluded that SAP TN's support of Oracle's products relied on the access to and copying of Oracle materials through:

• Mass downloading of and improper access to Oracle SSMs from Oracle's customer support websites
• Creation of copies of Oracle SSMs
• Creation of thousands of copies of Oracle Enterprise Application and Database Software
• Cross-Use of Oracle Enterprise Application Software and/or SSMs to develop and deliver virtually every Fix SAP TN provided to customers
• Continuing access, downloading, copying, modification, and distribution of Oracle Enterprise Application Software, SSMs, and support websites for over a year and a half after Oracle sued in this Action
• Oracle's copyrights asserted in this Action protect the Oracle Enterprise Application and Database Software and SSMs that SAP TN copied, downloaded, modified, distributed, and used to create Fixes and for other commercial purposes to support its business model.

B. SUPPLEMENTAL REPORT

17. Mandiant continues to receive new and additional data productions as part of the ongoing discovery process. The supplemental material in this report addresses the emerging information Mandiant has considered since its initial report dated November 16, 2009. Specifically, Mandiant has considered the Data Warehouse materials, depositions, written responses and other materials listed in Tables A through D below. Mandiant understands that all of these materials were first produced by Defendants on or after November 1, 2009.

Images Produced | Drives Produced | Date of Production
TN-DCPSDB01 | TN-HD112-a | 11/12/2009
PSDEV02_D01, PSDEV02_D02, PSDEV02_D03, HOMER | Disc 319 (HOMER), TN-HD116 (3 Partitions of PSDEV02) | 12/1/2009
PSNT01_C, PSNT01_F, 24 Siebel virtual machines recollected from TN-FS01_F | TN-HD119 | 1/8/2010

Table A: Data Warehouse Images First Addressed in Supplemental Report

Date of Deposition | Deponent
November 18, 2009 | Wanda Jones
November 20, 2009 | Jeff Buehrle
December 1, 2009 | Jerry Jin

Page 3

IV. ASSUMPTIONS AND DEFINITIONS

A. ASSUMPTIONS

1. Derivative Works

35. The following represent my assumptions for Derivative Works:

• File-based Objects and Online Objects incorporate a substantial amount of Protected Expression.
• Modification of a File-based Object substantially transforms the File-based Object.
• A File-based Object applied to an Environment substantially transforms that Environment.
• A DAT file applied to an Environment substantially transforms that Environment.
• The Database Schema incorporates a substantial amount of Protected Expression.
• Modification to the Database Schema substantially transforms that Database.

2. Distribution

36. Any Fix found on Delivered Updates and Fixes associated with a customer's three-letter acronym was delivered to that customer.

3. Environments

37. Environments include any installation of Oracle Enterprise Application Software. Where an Environment comprises multiple components, such as a PS_HOME in the case of PeopleSoft Enterprise Application Software, the presence of some or all components constitutes an Environment.

4. Improper Activity

38. Use of existing Oracle Enterprise Application Software, Oracle Database Software, or Oracle SSMs provided by one customer to create instructions by which another customer can implement its own Fix to Oracle Enterprise Application Software or Oracle Database Software is improper.

39. Fixes developed and delivered to a customer should only be developed, tested, and produced using that customer's licensed Oracle software.

40. Even if an Environment assigned to a specific customer was used for all stages of Fix-delivery for that customer's Fix, the Fix is Contaminated if that Environment was also used to support other customers as part of the Fix-delivery process for that same Fix ID.

5. Install Media

41. Every successful installation of Oracle Enterprise Application Software or Database Software from Install Media3 listed creates a copy of the associated Oracle Enterprise Application Software or Database Software, and the Protectable Expression contained in the Oracle Enterprise Application Software or Database Software.

3 A complete list of Oracle software that embodies the Registered Works, by Bates number, can be found in the appendices to Plaintiffs' Responses to Defendants' Interrogatory 13, including amended and supplemental responses.

Page 9

42. Every copy of Install Media for Oracle Enterprise Application Software or Oracle Database Software is a copy of the associated Oracle Enterprise Application Software or Oracle Database Software, and the Protectable Expression contained in the Oracle Enterprise Application Software or Oracle Database Software.

6. PeopleSoft Environments

43. A PeopleSoft Environment typically consists of one or more of a PeopleSoft base application (such as HRMS), PeopleTools, and a PeopleSoft Database.

7. Protected Expression

44. Oracle Enterprise Application Software, Oracle Database Software, and certain SSMs contain a substantial amount of Protected Expression. In particular, File-based Objects and schema contain a substantial amount of Protected Expression and DAT files may contain a substantial amount of Protected Expression.

45. Any materials described by tables 35 or 36 in Section X embody one or more Registered Works identified in paragraph 158 of the Fourth Amended Complaint.

8. Terms of Use

46. Oracle's customer support website terms of use generally do not allow a customer, including a third party using that customer's log-in credential, to (1) download customer support materials after the customer's maintenance end date; (2) download customer support materials for a different customer; (3) subsequently use downloaded customer support materials for a different customer; or (4) use a customer login credential other than to download licensed customer support materials solely for the use of the customer whose login credentials were used for the download(s).

47. Oracle's customer support website terms of use incorporate the terms of the relevant license agreements and also restrict access to only customers and/or agents acting on behalf of a customer.

B. DEFINITIONS

48. "Additional-Customer Contamination" means that a Fix intended for or delivered to one customer is generated using Oracle Enterprise Application Software, Oracle Database Software, or SSMs that are licensed to that customer but were Cross-Used to support an additional customer.

49. "Associated Files" means any file that is a component of a specific Fix.

50. "BakTrak" is one of SAP TN's tracking systems for the creation, backup, restore, checkin, and checkout of Local Environments for the PeopleSoft product family.

51. "Bundle" is a collection of files corresponding to more than one Fix.

52. "CD Binders" refers to Defendants' binders containing the CDs and/or DVDs copied from the original Oracle Enterprise Application Software Install Media provided by (and generally organized by) SAP TN's customers during the On-boarding process, as testified

Page 10

time.58 Furthermore, SAP TN employees have testified that they performed and then deleted downloads on a regular basis, including an estimated 1 million downloads obtained in the course of developing Titan, alone.59 It is likely that millions of additional SSMs were downloaded and either deleted or never produced in this matter.

171. The methodology employed by Mandiant to obtain this data is described in Appendix D. When not minimizing by file type, and by decompressing the archive files found on the DCITBU01 system, Mandiant identified over 9 million files on the DCITBU01 system alone (see ORCLX-MAN-000148):

DCITBU01 | Size (GB) | Number of Files
DCITBU01 - Total Files not reduced by file type | 4624.82 | 4,880,270
DCITBU01 Additional Files after Decompression | 266.97 | 4,718,840
Total: | 4891.79 | 9,599,110

Table 13: Total Number of Files on DCITBU01 After Decompression

C. SAP TN IMPROPERLY ACCESSED THE ORACLE WEBSITES

172. SAP TN accessed Oracle's password-protected support websites using automated downloading tools, inappropriate customer credentials and pre-textual customer information to take Oracle SSMs and download them to SAP TN's local systems.

1. The Oracle Websites Were Password-Protected

173. Certain of Oracle's support websites, including Customer Connection, and certain Oracle tools on those websites, were password-protected. The password protection and Terms of Use restricted access to a customer (or agent) with an active maintenance contract with Oracle. To log onto Customer Connection, SAP TN accessed the log-in page, shown in a screenshot below.

58 Mandiant understands that SSMs on the computers of SAP TN employees not named as custodians in this matter would not have been produced. Mandiant similarly understands that, for the majority of employees, date-filtering and search-term filtering were used to exclude SSMs on employees' machines from production. See E-mail from Joshua L. Fuchs to John A. Polito, January 24, 2010, produced as ORCLX-MAN-000381 (admitting that ESUs on employees' computers would have been produced only "where identified through the use of Defendants' custodian production and review protocol, including the use of the extensive search terms agreed to by the parties.").

59 See Deposition of John Ritchie, December 2, 2009 at 75:4-79:2.

Page 38

Figure 11: Customer Connection Log-In Page

Similarly, below is a screenshot of the log-in screen SAP TN accessed to use Oracle's Update Center:

Figure 12: JD Edwards Change Assistant Tool Log-In

Page 39

2. SAP TN's Use of Automated Downloading Tools

174. SAP TN used its knowledge of Oracle's websites to develop and test automated downloading tools.60 Over time, SAP TN developed a tool known as Titan. SAP TN programmed Titan to allow automated, mass downloading from Oracle without regard to any license restrictions a customer may have.61 SAP TN employed Titan to "crawl" Customer Connection, and to locate and retrieve materials that not even paying customers would ordinarily reach through standard searching. The nature of Titan and the evidence of its use, including as reflected in Oracle's logs, indicates to me an intentional, knowing effort to bypass any access or use restrictions and perform mass downloading from Customer Connection.

175. SAP TN also developed and used Titan and other automated tools to download Siebel SSMs from SupportWeb.62 As with SAP TN's other downloading tools, the tools for downloading Siebel SSMs "crawled" SupportWeb, collecting the broadest possible range of materials.63 The nature of these tools and the evidence of their use indicate to me an intentional, knowing effort to bypass any access or use restrictions and perform mass downloading from SupportWeb.64

176. SAP TN developed and tested these automated downloading tools by accessing Oracle's customer support websites using certain customers' credentials. As an example, if Oracle changed the layout of Customer Connection, then SAP TN would use one customer's credentials to access the site and modify Titan to function with the changed layout.65

177. For JD Edwards downloads, SAP TN also used Oracle's "Change Assistant" application, which allowed automated downloading.66 These automated tools allowed SAP TN to conduct multiple downloading sessions using multiple sets of credentials on multiple machines simultaneously.67

60 See, e.g., Defendants' Responses to Plaintiffs' Second Set of Requests for Admission, Nos. 225-234 ("Defendants reasonably believe that at least one or more TomorrowNow employees likely accessed Customer Connection for the purpose of testing the "Titan" automated downloading program.").

61 Deposition of John Ritchie, December 2, 2009 at 79:15-82:8.

62 See, e.g., Deposition of Jerry Jin, December 1, 2009 at 109:5-112:21 (discussing eServiceWalker and URL Tracker); id. at 122:11-123:19 (discussing eServiceWalker, URL Tracker and an "unnamed script . . . used to download public SR's"); id. at 133:17-142:12 (same); Plaintiffs' Deposition Exhibit 1800 (discussing the "Mass Downloader utility"); Deposition of John Ritchie, December 2, 2009 at 70:3-71:20 (discussing Titan for Siebel).

63 See Deposition of Jerry Jin, December 1, 2009 at 136:10-19 (establishing that eServiceWalker incremented URLs); id. at 169:17-171:20 ("[B]y the using of newly developed eServiceWalker tool we now have the full set of MKS's customer facing SR's."); Deposition of John Ritchie, December 2, 2009 at 76:7-19 (discussing "Incrementing through the different downloads from the Oracle site").

64 See, e.g., Deposition of John Ritchie, December 2, 2009 at 72:18-74:11 (establishing that Ritchie "was never told" whose credentials he had been given for use in Titan, including with respect to Titan for Siebel); Plaintiffs' Deposition Exhibit 1800 ("The Mass Downloader utility can control bandwidth utilization. So during the day, we can set it to . . . a mere trickle . . . . [t]hen . . . drop the bandwidth limitation . . . overnight.").

65 Deposition of Josh Testone, June 3, 2009 at 109:23-118:24, 98:4-103:23; Plaintiffs' Deposition Exhibits 1410, 1411, 1412; Deposition of Desmond Harris, October 9, 2009 at 119:10-123:25; Plaintiffs' Deposition Exhibit 1566; Deposition of Peggy Lanford, September 22, 2009 at 51:23-58:3; Plaintiffs' Deposition Exhibit 1637.

66 Deposition of Pete Surette, June 19, 2009 at 34:24-37:24.

67 Deposition of Josh Testone, June 3, 2009 at 83:20-94:9, 136:22-140:2; Deposition of Desmond Harris, October 9, 2009 at 106:24-108:13 ("It was - from what I remember, it was basically just made to speed the process up and simplify it. That's about it. It's click, click, click, go."); Defendants' Answer to Oracle's Fourth Amended Complaint, August 26, 2009 at ¶ 108 ("Defendants admit that some downloads were performed in rapid succession without real time human review of the materials being downloaded.").

Page 40

Figure 14: An "html" File Within Global Santa Fe's Folder that Was Downloaded Using StarHub Pte Ltd's Credentials

215. In summary, 97,871 files could be attributed to a company name, and of those files, 27% were downloaded for other customers than the customers in whose folders they appeared.94 The following table provides a summary of HTML files that could be identified with a customer-specific credential in the inappropriate customer folder:

Customer Credential Used | Number of Other Customers With Files From This Customer | Size of Files Downloaded | Number of Files Downloaded
Bear, Stearns | 3 | 468.13 MB | 15,352
Trenwick Group | 4 | 70.01 MB | 1,120
Vanderbilt University | 2 | 24.85 MB | 6,211
Baxter International | 6 | 20.06 MB | 743
JB Hunt Transport | 2 | 19.70 MB | 538
Wendy's International | 13 | 7.57 MB | 294
Parkview Health System | 8 | 6.62 MB | 246
Kent County | 16 | 6.00 MB | 232
AO Smith Corporation | 2 | 5.36 MB | 153
Richmond Power & Light | 2 | 5.35 MB | 140
Cerebos Pacific Limited | 1 | 5.28 MB | 160
Hitachi Global | 1 | 4.78 MB | 127
Ariba, Inc. | 1 | 3.22 MB | 48
StarHub Pte Ltd | 1 | 3.06 MB | 80
Wellbridge Club Management | 2 | 2.88 MB | 105
Allianz Global | 3 | 2.69 MB | 100
Interpublic Global Information | 1 | 2.18 MB | 52
Alterra Healthcare | 1 | 2.14 MB | 484
Wakefern Food Corporation | 1 | 1.99 MB | 64
Energy Northwest | 1 | 1.67 MB | 46
High Industries | 13 | 983.79 KB | 39
American Council on Education | 7 | 939.57 KB | 35
American Family Life Assurance | 2 | 933.31 KB | 20
Simon Property Group | 44 | 899.04 KB | 44
Engelhard Corporation | 1 | 644.20 KB | 24
Federated Investors | 2 | 614.11 KB | 22
CSK Auto Incorporated | 1 | 345.02 KB | 8
Ross Dress for Less | 2 | 325.07 KB | 8
Markel Corporation | 1 | 264.72 KB | 8
GKN Driveline | 1 | 189.75 KB | 6
University of Massachusetts | 1 | 152.17 KB | 73
Epiphanygen Inc | 1 | 136.74 KB | 5
Newport Corporation | 1 | 134.23 KB | 2
Mieco Incorporated | 2 | 82.63 KB | 4
Diamond Cluster International | 3 | 60.70 KB | 3
Pepsi Cola | 1 | 38.25 KB | 1
DataDirect Technologies Corp | 1 | 29.97 KB | 1
Toshiba American | 1 | 23.49 KB | 1
American Media Inc | 1 | 20.41 KB | 1
Tropical Shipping USA | 1 | 17.14 KB | 4
Robert Half International | 1 | 14.54 KB | 4
Norstan Incorporated | 1 | 4.60 KB | 1
Total: | 160 | 670.22 MB | 26,609

Table 19: Number of Downloads Using Inappropriate Customer Credentials

94 See ORCLX-MAN-000384.

Page 54

5. SAP TN Downloaded and Copied SSMs for Non-Customers

216. SAP TN downloaded SSMs from Oracle's support websites on behalf of potential customers that never signed a contract with SAP TN. It also kept materials it had downloaded even after the customers that had provided the credentials terminated their SAP TN contracts. SAP TN downloaded materials for potential customers Apria Health

Page 55

VIII. CONCLUSION 3: ANALYSIS OF SAP TN FIX DEVELOPMENT AND DELIVERY CONFIRMED SIGNIFICANT CROSS-USE AND CONTAMINATION

292. Mandiant performed an extensive analysis of the evidence relating to how SAP TN used Oracle Enterprise Application and Database Software and downloaded SSMs to prepare and deliver the support materials for its customers. Mandiant was instructed to assume that all Fixes developed and delivered to a customer should only be developed, tested and produced using that customer's licensed Oracle Enterprise Application Software, as reflected in SAP TN's own Compliance Guidelines, prepared after this litigation began. I have also been instructed to assume that, even if an Environment assigned to a specific customer was used for all stages of Fix-delivery for that customer's Fix, that the Fix is Contaminated if that Environment was also used to support other customers as part of the Fix-delivery process for that same Fix ID.

293. Because it constituted most of SAP TN's support deliverables, Mandiant focused on SAP TN's support of the PeopleSoft HRMS product line. More than 90% of SAP TN Fixes were PeopleSoft HRMS Fixes and more than 79% of SAP TN's Oracle Enterprise Software Application Environments were for PeopleSoft HRMS. Specifically, of the approximately 1,928 Fix IDs recorded in SAS, 1,761 were for PeopleSoft HRMS Fixes and Bundles. Approximately 2,942 of SAP TN's approximately 3,742 Environments were PeopleSoft HRMS Environments.151 These percentages led Mandiant to believe that analysis of SAP TN's HRMS Fixes would provide the most insight into SAP TN's development process.

294. Mandiant examined the available data in Delivered Updates and Fixes, SAS, BakTrak, and the Data Warehouse, and identified measures relevant to analyzing SAP TN's Fix-delivery process. These measures captured information concerning the PeopleSoft HRMS Objects that SAP TN copied, modified, and distributed to its customers, the number of customers who received Fixes, the number of Fix Objects that were delivered to customers, and the occasions where the Oracle Enterprise Application Software of one customer was used to create Fixes to support other customers.

295. A summary of Mandiant's PeopleSoft HRMS Fix analysis can be found in Appendix K. This analysis revealed that most Fixes delivered by SAP TN to customers were affected by the Cross-Use of Oracle Enterprise Application Software and/or SSM downloads originally obtained on behalf of another customer. In reaching these opinions, and as explained below, Mandiant relied on, and worked with, statistical expert Dr. Daniel Levy to extrapolate the initial factual findings developed by Mandiant to better assess the actual extent of SAP TN's activities.

A. SUMMARY OF OPINIONS

1. SAP TN Improperly Used Environments to Generate Both Retrofit Support Model Fixes and Critical Support Model Fixes

296. It is my opinion that SAP TN's support models both resulted in Fixes being Contaminated (in one or more ways) by improper Environment use. Specifically, Mandiant identified (via the DAT Contamination and Hash Contamination measures):

1. 94% of the CSM Fixes were generated from improperly used Environments.
2. 90% of the RSM Fixes were generated from improperly used Environments.

Adding Source Group Contamination as well as Cross-Use Contamination and Additional-Customer Contamination calculated for a sample of Fixes152 yielded:

3. Between 98.73% and 99.57% of the CSM Fixes were generated with improperly used Environments.
4. Between 74.64% and 99.74% of the RSM Fixes were generated with improperly used Environments.

151 2615 of 3162 PeopleSoft Environment backups and 327 of 549 "live environments" were copies of PeopleSoft HRMS environments. There were an additional 25 complete or partial installations of Siebel, 4 of JD Edwards EnterpriseOne, and 2 of JD Edwards World observed. See Section VII and eAppendix - "ORCLX-MAN-000160."

Page 80

2. 97.5% of DAT files in Fixes Were Developed Using Generic Environments or Incorrect Client-Labeled Environments

297. Many Fixes to PeopleSoft HRMS include a data change, meaning that application of the Fix to an Environment modifies the contents or the structure of the database in that Environment. For PeopleSoft HRMS, data changes commonly update an Environment to account for new or modified legislation or regulation. A Fix almost always effects a data change using a DAT File. A DAT File contains database modifications created in and exported from a PeopleSoft Environment using PeopleTools.

298. Mandiant was able to identify 6,508 data changes delivered to approximately 123 unique SAP TN clients. Out of the 123 SAP TN clients, approximately 120 clients received at least one data change from a Generic Environment. Additionally, 39 clients received at least one data change from the wrong client-labeled Environment. Overall, 121 clients received data changes from either a Generic or incorrect client-labeled Environment.

• At least 98% of the clients receiving a data change received at least one change created from a Generic or incorrect client labeled Environment.

299. The following represents the volume of data changes.

• 96.1% of all data changes were created from a Generic Environment. Overall, 6,256 DAT Files were identified as created on Generic Environments. An example would be the Environment "D831DATM" used to support 44 different clients.
• 1.4% of all data changes were created from incorrect client-labeled Environments. Overall, 92 DAT Files were identified as mismatches. An example would be the Environment H881COHM, created by SAP TN on the behalf of City of Huntsville. The H881COHM Environment was used to support 13 additional clients153 besides City of Huntsville:
    o Baker Botts LLP ("BKB")
    o CompuCom ("CCO")
    o Children's Health System of Alabama ("CHS")
    o CSK Auto ("CSK")
    o Delta Dental Plan of Michigan ("DDM")
    o East Bay Municipal Utility District ("EBM")
    o GKN Driveline North America Inc. ("GKN")
    o Kent County Michigan ("KCM")
    o Mutual of Omaha ("MOH")
    o Oxford Global Resources, Inc. ("OXF")
    o Philadelphia Corporation of Aging ("PCA")
    o Remy International, Inc. ("RII")
    o Waste Management Resources, LLP ("WMI")

152 The sample of Fixes was selected by Dr. Levy. The statistics were provided to Mandiant by Dr. Levy based on sample data provided by Mandiant.

153 For a sample listing of customers and contract dates, see Appendix J.

Page 81

300. A full discussion of Mandiant's analysis of data changes can be found in Appendix K.

301. It is my opinion that a Fix containing a DAT file is Contaminated unless the DAT file was generated in the recipient's customer-labeled Environment.

302. It is also my opinion that the use of an Environment created from one customer's Install Media to create a DAT File for another customer constitutes Cross-use of that Environment.

3. The Majority of Fixes Were Contaminated Because One or More Component Fix Objects Were Delivered to Multiple Customers

303. For every file that can appear on a computer, an MD5 Hash that uniquely identifies the file's contents can be calculated. This hash ignores the file's name, date of creation and other metadata, and is calculated solely from the file's contents. Files with the same MD5 Hash are exact duplicates of each other. In my opinion, it is extraordinarily unlikely that two File-based Objects that were developed or modified independently would have the same MD5 Hash. Inside every DAT File, PeopleTools records the name of the Environment used to generate the DAT File and the time of generation of the DAT File down to the second. In my opinion, it is extraordinarily unlikely that two DAT Files would have the same MD5 Hash because it would require that the files were generated from identically named Environments at exactly the same second.

304. It is my opinion that whenever two or more customers receive a File-based Object or DAT file with the same MD5 Hash, the customers have received an Object that was generated once by SAP TN. Such customers have not received a Fix independently developed for each of them, using only their own software.

4. The Majority of Fixes Were Contaminated Because SAP TN's Development and Testing Documentation Revealed that the Fixes Were Generated or Tested Through Cross-Use of Environments

305. SAP TN's documentation sometimes alludes to the planned Cross-Use of Environments with respect to a given Fix, and lists the source groups for which development and/or testing would occur in the documentation related to each Fix.154 The excerpt below from the test plan for the CSS-TN-1116067702 Fix is an example showing the customers SAP TN assigned to each source group for common development.

154 See, e.g., Plaintiffs' Deposition Exhibit 291.

Page 82

378. SAP TN created thousands of Fixes in order to modify or add new features or functionality to Oracle Enterprise Application Software. Mandiant has compared these Fixes to Oracle Enterprise Application Software and SSMs in various ways, including (1) review of file name and path; (2) inspection or comparison of code and file contents; and (3) comparison of MD5 Hash. See Appendix G. Mandiant has also reviewed documentation of SAP TN's Fix-delivery process, including SAS and other sources of documentation, and has observed that the stated purpose of SAP TN's Fixes was primarily to modify existing features or functionality or add new features or functionality to Oracle Enterprise Application Software. See Section V.

Report Submitted By:
________________________________________
Kevin Mandia
November 16, 2009

Supplemental Report Submitted By:
________________________________________
Kevin Mandia
February 12, 2010

Kevin Mandia
President
675 North Washington Street, Suite 210
Alexandria, VA 22314
Phone 703.683.3141
Fax 703.683.2891
Email kevin.mandia@mandiant.com

Page 102
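The duplicate test described in paragraphs 303 and 304 of the report, as an added example that is not code from the report, from Mandiant, or from either party: it hashes every file under a delivery tree by content only and reports content that appears under two or more customers. The one-folder-per-customer layout, the labels AAA/BBB/CCC, the file names and the file bodies are all constructed assumptions; SHA-256 is computed alongside MD5 as a cross-check because MD5 collisions can be constructed deliberately.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample content; not taken from the report or from any real Fix.
SHARED_BODY = b"-- constructed object body, version 1\nSELECT 1;\n"
VARIANT_BODY = b"-- constructed object body, version 2\nSELECT 1;\n"
UNIQUE_BODY = b"constructed data file for one customer only\n"


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests computed from the file contents only.

    File name, timestamps and other metadata never enter the digest.
    """
    md5 = hashlib.md5(usedforsecurity=False)
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def index_deliveries(root):
    """Map md5 -> [(customer, relative path, sha256)] for root/<customer>/**."""
    index = defaultdict(list)
    for customer_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for path in sorted(p for p in customer_dir.rglob("*") if p.is_file()):
            md5, sha256 = hash_file(path)
            rel = path.relative_to(customer_dir).as_posix()
            index[md5].append((customer_dir.name, rel, sha256))
    return index


def shared_objects(index):
    """Return {md5: sorted customer labels} for content held by 2+ customers.

    Copies inside a single customer's folder do not count. If files grouped
    under one MD5 disagree on SHA-256, the MD5 match is not a true duplicate
    and the function raises instead of reporting it.
    """
    shared = {}
    for md5, hits in index.items():
        if len({sha for _, _, sha in hits}) != 1:
            raise ValueError(f"MD5 {md5} groups files with different SHA-256")
        customers = sorted({customer for customer, _, _ in hits})
        if len(customers) >= 2:
            shared[md5] = customers
    return shared


def build_sample_tree(root):
    """Write the constructed delivery tree used by the demo; return file count."""
    files = {
        "AAA/fix_0001/object.txt": SHARED_BODY,
        "AAA/fix_0001/backup/object_copy.txt": SHARED_BODY,  # same customer
        "BBB/fix_0001/renamed_object.txt": SHARED_BODY,      # same bytes, new name
        "CCC/fix_0001/object.txt": VARIANT_BODY,             # same name, new bytes
        "AAA/fix_0002/update.dat": UNIQUE_BODY,
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return len(files)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        index = index_deliveries(tmp)
        for md5, customers in shared_objects(index).items():
            print(md5, "delivered to", ", ".join(customers))
            for customer, rel, _ in index[md5]:
                print("   ", customer, rel)
```

The renamed copy under BBB is flagged and the same-named file under CCC is not, which is the property the report relies on: the digest follows the bytes, not the file name.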
