Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network - QUFB
http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

======
timboslice
TL;DR: a member of the Cardinals' staff left for the Astros a few years ago.
Both teams had an internal system to track recruiting efforts etc. He used the
SAME password in the new org, the Astros. Someone from the Cardinals org
checked his master password list and was able to enter the Astros system with
his old creds.

~~~
Fuxy
Wait, does that mean they kept unhashed passwords? That's a big security no-no
and there's absolutely no reason they should have it like that.

~~~
coleca
It's more likely that the Cards had an Excel file "Master_Passwords.xls" (or
similar) with all his department's passwords listed in it on a shared
department folder. No encryption, hashing, etc. Maybe they used Excel password
protection on the file.

Just a hunch, but I've seen it many times at past employers.

~~~
atwebb
Or something like KeePass or similar; it can be nice to know people's
information in case they leave (I'm not advocating insecure practices), though
an Excel sheet or Post-it seems as likely.
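
An added example for the exchange above (my own code, not anything from the
article or from the posters in this thread): it replays the scenario with a
constructed, hypothetical plaintext "master list" export and shows two things
the thread argues about. First, a hashed credential store can still verify a
login without the stored record containing the password. Second, the new org
can refuse a password at enrolment when it appears in a known-compromised
corpus, which is the standard check (NIST 800-63B) for catching reuse; the
corpus here is a constructed stand-in, and all usernames, systems and passwords
are made up.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of departmental "master password list" the thread
# describes: a plaintext spreadsheet export. Hypothetical users and passwords, not
# anything from the article.
OLD_ORG_MASTER_LIST_CSV = """user,system,password
scout1,scouting-db,Spr1ngTraining!
analyst2,scouting-db,Draft2012#
"""

# Constructed stand-in for a corpus of known-compromised passwords (in practice a
# breach list, which is what NIST 800-63B says to check new passwords against).
COMPROMISED_CORPUS = {"Spr1ngTraining!", "password1", "letmein"}

PBKDF2_ITERATIONS = 200_000


def parse_master_list(csv_text):
    """Read the plaintext list: whoever can open the file gets every password."""
    creds = {}
    for line in csv_text.strip().splitlines()[1:]:
        user, _system, password = line.split(",")
        creds[user] = password
    return creds


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string does not contain the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute the derived key from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


class PasswordStore:
    """Credential store for the new org: hashed at rest, deny-listed at enrolment."""

    def __init__(self, compromised=frozenset()):
        self.users = {}
        self.compromised = set(compromised)

    def set_password(self, user, password):
        if password in self.compromised:
            raise ValueError("password appears in a known-compromised list")
        self.users[user] = hash_password(password)

    def login(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            hash_password(password)  # burn the same cost for unknown users (timing)
            return False
        return verify_password(stored, password)


def simulate_reuse():
    """Replay the thread's scenario and report what each configuration allows."""
    leaked = parse_master_list(OLD_ORG_MASTER_LIST_CSV)
    old_pw = leaked["scout1"]

    # New org with no check: the user reuses the old password, so anyone holding
    # the old org's plaintext list walks straight in.
    naive = PasswordStore()
    naive.set_password("scout1", old_pw)
    attacker_in = naive.login("scout1", old_pw)

    # New org that refuses passwords found in the compromised corpus: reuse is
    # rejected at enrolment, so the leaked list no longer works here.
    hardened = PasswordStore(COMPROMISED_CORPUS)
    try:
        hardened.set_password("scout1", old_pw)
        refused = False
    except ValueError:
        refused = True
    hardened.set_password("scout1", "three-doubles-and-a-wildcard-9")
    return {
        "naive_reuse_lets_attacker_in": attacker_in,
        "hardened_refused_reused_password": refused,
        "leaked_password_works_on_hardened": hardened.login("scout1", old_pw),
        "stored_record_contains_password": old_pw in naive.users["scout1"],
    }


if __name__ == "__main__":
    for key, value in simulate_reuse().items():
        print(f"{key}: {value}")
```

Caveat: the deny-list only catches passwords that have already surfaced in a
public corpus. A password shared privately between two employers will not be
in one, so the check is a backstop, not a substitute for per-site passwords
(a password manager, as suggested further down the thread) and a second factor
on anything reachable from the internet.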

------
Kevin_S
This is shocking, I followed this closely last year as I am a die-hard Astros
fan but never thought it would be another team. I definitely doubt the
Cardinals endorsed this, it was just some dudes that had access. These guys
will be fired (if they haven't already) and there will be fines. Nothing too
crazy will happen.

Though if the FBI finds that the GM/high level execs knew about the
activity... this will be unprecedented. The penalties would be staggering as
MLB would want to crack down extremely hard to deter future bad behavior.

~~~
remarkEon
Really interested to see how Bud Selig responds to this. Looks like this is
the same guy (Luhnow) who SI did a pretty good thing about last year,
referencing how the Astros were doing a Ctrl+Alt+Del [1].

The cynical side of me says that Selig and MLB will try to maybe milk this for
some rating or something, considering the meme going around that baseball is
dying.

(full disclosure, Twins fan here, so I'm gonna be cynical about anything that
Selig does)

[1] [http://www.si.com/longform/astros/](http://www.si.com/longform/astros/)

Edit: Guess I missed that Selig retired in January. Damn you, work!

~~~
gtCameron
Selig retired in January. Rob Manfred is the commissioner now.

~~~
remarkEon
Good to know. Guess I missed the press release and party.

~~~
Kevin_S
Yeah haha, no one really liked Selig. Manfred has been solid so far though. I
personally am a fan.

------
s0uthPaw88
Here's how they did it:

"Investigators believe Cardinals officials, concerned that Mr. Luhnow had
taken their idea and proprietary baseball information to the Astros, examined
a master list of passwords used by Mr. Luhnow and the other officials who had
joined the Astros when they worked for the Cardinals. The Cardinals officials
are believed to have used those passwords to gain access to the Astros’
network, law enforcement officials said."

~~~
carsonreinke
Where does one get a master list?

~~~
timboslice
Lots of companies keep passwords in an unprotected Excel sheet :/

~~~
carsonreinke
Please no

------
bradleyankrom
It'll be very interesting to see how the Commissioner's Office responds to the
FBI's findings. While I don't believe espionage is new to MLB, this is the
first case of it reaching the public (and federal government) that I can think
of.

~~~
jessaustin
It's lucky for them that Bill DeWitt Jr. chaired the search committee that
hired the new commissioner. (Shades of Goldman Sachs' perennial association
with the Treasury Department...)

However, if the Cardinals are as smart (and perhaps as ethical?) as they
previously seemed, they'll get out in front of this, and _voluntarily_ give up
their 2013 pennant, as well as fire whoever was involved in this harebrained
scheme.

~~~
dionidium
_voluntarily give up their 2013 pennant_

I'm a Cardinals fan, I admit it, but that's basically an insane suggestion.
It's not going to happen and it's _not_ smart. Why in the world do you think
that would be _smart_?

~~~
jessaustin
For one thing, they've got a better team this year, and it's possible they'll
be forced to skip the playoffs _this_ year. Then they don't get to sell those
tickets, they don't get that chance at a World Series, etc.

------
alan_cx
"The attack represents the first known case of corporate espionage in which a
professional sports team has hacked the network of another team."

I'm pretty sure that in F1 one team hacked another for design details. That
said, I can't find a source. IIRC, it was Renault hacking Ferrari, but I'm not
sure.

~~~
josefresco
"hacked the network"

Hardly. I'm sure there are countless examples of employees improperly using
access given to them by their previous employer.

~~~
ghughes
That distinction seems somewhat dubious. The end result is the same.

------
paulsutter
Let's see if the penalties are as severe when a major sports team is caught
hacking as opposed when a nerdy computer guy is caught hacking.

------
zekevermillion
Could someone please get the NYT to drop the paywall on Hacker News links?

~~~
pcl
That's a really good idea. Are there any NYT folks here? Is there a procedure
in place for doing this sort of thing? I imagine that news.ycombinator.com is
a more common Referer than news.google.com in the development community; it'd
be nice to have the same treatment from media organizations.

~~~
smeyer
>I imagine that news.ycombinator.com is a more common Referer than
news.google.com in the development community

Really? I'd suspect it to be the other way around. For reference, here are
some HN stats:
[https://news.ycombinator.com/item?id=9219581](https://news.ycombinator.com/item?id=9219581).

------
netik
This really sounds like more of an "Astros suck at employee off-boarding"
problem. They failed to lock out users of the previous system long after they
left the company.

Regardless of their weak password storage scheme (which must be fixed), a
simple set of changes (like disabling public access to their system, disabling
VPN for terminated users, and changing passwords) would have stopped this from
ever occurring.

~~~
jessaustin
No, this was _on_-boarded employees using the same passwords at their new job
that they had used at the old job. I bet the Cardinals were at least savvy
enough to disable Luhnow's old accounts.

------
jessaustin
Dude should have used a password manager. Or maybe just a new password.

Also, the Cards staff probably shouldn't have logged in from home.

Also, how on Earth is this a valid use of the FBI's resources? Fix your broken
crap yourselves, Astros.

~~~
mdm_
One multi-million dollar business franchise gained illegal access to the
computer network and private data of another multi-million dollar business
franchise. Sounds right up the FBI's alley to me.

~~~
themartorana
I'm not sure where the legal line gets drawn. There was no hacking. There was
an attempt to use a password that worked.

Right now, "unauthorized access" is any after-the-fact declaration that
someone didn't want someone else looking at something.

If there had been broken encryption, 0-day exploits, SQL injection attacks,
etc... THAT is hacking. Not accessing a public endpoint that lets you in.

~~~
RogerL
So by your lights I could make a copy of a key on your key ring, enter your
house, take stuff, and that is fine because your locked door is a public
endpoint?

Or if the fact that the key is physical gives you pause, let's say you have a
numeric keypad lock, and at work one day you commented that you had it set to
the same setting as the lock at work to make it easy for you to remember. Do I
get to take your stuff?

~~~
themartorana
It's funny, these arguments weren't top of mind with regards to the hacking
charges against weev or Aaron Swartz. In that case, HN was clear that fault
lay with AT&T or MIT and the abuse of the word "hacking" was a horrible
miscarriage of justice.

------
kolbe
We don't know the details, but I think it's safe to say that if the
allegations are true, the Cardinals engaged in a form of cheating. It could be
that their cheating had very deep and nefarious implications, but I doubt it.
If anything, they may have stolen some secrets that gave the Cards an
advantage over the Astros in player acquisition strategy.

What I cannot get over is how absurd it is that the Federal Government has
been able to insert itself so deeply into a problem that doesn't warrant FBI
involvement in the slightest. Athletic teams have been cheating for centuries.
Sometimes that cheating involves ruined careers for both the cheater and the
cheated, and sometimes it involves teams losing money. But what it rarely
involves is the FBI. And the only times I can think of when it has involved
law enforcement have been narcotics or gang related.

To me, this sounds no worse than various other advantages that teams
unethically gain for themselves. That our legal system allows for this
particular type of cheating to potentially be a federal crime is frightening.
Let MLB handle this internally, and play ball.

[edit: holy shit. I get it. The FBI is acting within its legal right (and
duty). This is a moral statement about the law that they are tasked with
enforcing.]

~~~
lern_too_spel
Interstate computer fraud and abuse is a federal crime. That the business
affected plays some boring game doesn't make it any less of a crime than if
they sold sugar water or provided computer services.

~~~
kolbe
I'm not saying it's not a crime. I'm saying that it's fucked up that it is a
crime.

~~~
lern_too_spel
One business accessed another's computers without authorization and profited
from it, to the other business's detriment (which is now conducting business
with paper and pencil). Why does it matter that the businesses are in the
entertainment industry like Sony Pictures Entertainment, which also had a
recent high profile network security incident?

~~~
kolbe
In all major athletic leagues, this behavior is never treated like a crime.
Players have their careers ruined by intentional assaults. Players take
illegal substances to enhance performance relative to others. High profile
games are won and lost based on violating league rules. These are all forms of
cheating that cause material impact on other members of the league. They are
never settled by Federal Prosecution. What makes this "hacking" case
materially different from those others? Only the fact that the federal
government has the right to get involved if a computer is accessed without
authorization.

A guy was completely careless with his password, and a competitor used it to
steal information. The analogy to "stealing signs" in baseball is almost
perfect. In one case, we laugh. In another, the guy goes to federal prison.

~~~
lern_too_spel
You're still saying that a crime shouldn't be a crime just because it happens
to be committed in order to cheat at sports. Should I be able to get away with
theft if I'm just stealing some other team's sticks and balls to make them
play worse?

~~~
bdcravens
That's the typical attitude on communities like HN re sports. Even though the
computers may contain trade secrets worth millions (for instance, trade
discussions), it's worthless because it's a game. However, if their Github was
hacked and someone stole the source for their Rails/Bootstrap startup that's
an AirBnB for Umbrellas, it'd be the crime of the century.

