Cardinals allegedly hacked the Astros—but is it really hacking?

Baseball Rocked by Hacking Scandal—if by “Hacking” You Mean Using an Old Password

Baseball Rocked by Hacking Scandal—if by “Hacking” You Mean Using an Old Password

The citizen’s guide to the future.
June 17 2015 5:31 PM
FROM SLATE, NEW AMERICA, AND ASU

Hack and Field

The Cardinals allegedly hacked the Astros. But is it really hacking if you have a password?

Houston Astros general manager Jeff Luhnow.
Astros general manager Jeff Luhnow answers questions on June 12, 2015 in Houston.

Photo by Bob Levey/Getty Images

The FBI’s investigation of the St. Louis Cardinals for stealing information about baseball players from the Houston Astros’ computers has all the makings of a good movie—sports, rivalry between a team with 11 World Series championships and a team with none, revenge, computer programs with ridiculous code names, and the disgrace of a team previously lauded for playing baseball “the right way.” The one thing it’s missing? Technical drama.

The New York Times reports that law enforcement officials found the breach “did not appear to be sophisticated.” That’s rather an understatement here. In cybersecurity, “sophisticated” is something of a catch-all adjective, used to imply that a threat was carefully tailored to its targets, that it required a great deal of advanced engineering and technical expertise, that thousands of lines of new code and many hours of careful planning went into its creation. Sophisticated suggests that an attack couldn’t have been anticipated or prevented. Many, perhaps most, computer security incidents are decidedly unsophisticated—they make use of common, freely available malware or vulnerabilities, requiring little technical skill or planning on the part of the user and giving rise to the phenomenon of “script kiddies.”

But the Cardinals weren’t even using ready-made software to steal data. The employees who allegedly accessed the Astros’ “Ground Control” program—Ground Control, by the way, should be the name of the movie dramatization—apparently did so by trying out passwords that Astros’ general manager Jeff Luhnow had used back when he worked for the Cardinals. There are some good lessons here for the aspiring sports executive. First of all, don’t make a “master list” of all your passwords and give it to your co-workers. And if you insist upon keeping a master list, maybe change the passwords when one of your colleagues goes to work for a competitor.

Advertisement

But is this really a “hacking” story? Let’s say there’s a spectrum of computer security incidents that ranges from using a fake name on Facebook to Stuxnet. Even setting aside the debate around how hacking and hackers came to be synonymous with something criminal, using your former boss’s old passwords to access a database at his new job falls pretty deep on the nontechnical side of that spectrum. Of course, how technical a breach is does not necessarily determine how harmful it is—you can do a lot of damage with a password in certain situations. It’s still not clear how harmful breaching the Astros’ system really was, or how much the Cardinals could have benefited from the private data they accessed. (What’s been released seems to be mostly internal records about potential trades.)

In terms of consequences, the baseball breach, at first glance at least, appears to have more in common with the 2002 story about Princeton’s admissions office accessing Yale’s admissions database by entering student social security numbers and birth dates than it does the stories of large-scale, international cyber espionage that have also been in the headlines this week. The FBI was involved in both cases, but when two Ivy League colleges or two Major League Baseball teams are stealing information about admissions or potential player trades, it’s hard to feel that anything too serious is at stake beyond who gets the kid with the perfect SAT scores, or the kid with the promising knuckleball.

The consequences of computer security breaches matter more than the technical (or nontechnical, as the case may be) means by which they’re perpetrated. But it’s still sometimes worth drawing distinctions between incidents that require more or less technical expertise and maneuvering. That degree of technical difficulty has implications not just for how future incidents should be defended against, but also for what kind of laws the perpetrators may have violated, and whether the victims could or should have been reasonably expected to prevent the breach.

For years, lawyers and judges in the United States have been arguing about how technical a security breach needs to be to qualify as a violation of the Computer Fraud and Abuse Act (also known as the anti-hacking law). The CFAA makes it illegal to access a computer without authorization or “exceeding authorized access,” but there’s a lot of disagreement about whether that includes (or should include) nontechnical activity. What if someone posts messages on a social media site under a fake name in violation of a Terms of Service agreement? Should the CFAA be limited to only more technical breaches, in which someone explicitly circumvents a code-based control?

Advertisement

Clearly, if the allegations are true, the Cardinals went beyond violating a Terms of Service agreement when they stole information from the Astros. They apparently circumvented a technical control—namely, the Ground Control authentication system that demanded a password. In that regard, the involvement of the FBI makes some sense (though surely, in retrospect, everyone would have preferred to handle this under the auspices of the MLB, just as the NFL took charge of investigating and meting out punishment for the Patriot’s deflated footballs).

But even if there’s not a legal distinction between using passwords off a master list and engineering a tailored, technical attack on a computer system, there’s an important difference between the breaches that we could—and should—have been able to easily prevent and those that we could never have anticipated.

The baseball breach was both low-stakes (I doubt it will influence who wins the World Series) and low-technology, but the outcome and the sophistication of the attack may not always align. You can sometimes use incredibly clever technological know-how to get information that is merely mischievous; other times you can use really basic things (say, an old password) to get information that could put people or economies in peril.

The low-tech incidents are interesting in their own way, not least because they raise several important questions about who is responsible for breaches and how we decide when victims are unfairly targeted versus just downright negligent. If the Cardinals really did access the Astros’ Ground Control program, of course they shouldn’t have done it—but it shouldn’t have been so easy for them, either.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.