The St. Louis Cardinals hacking scandal continues to develop, with the most recent update coming from The New York times:
whoever hacked astros tried to cover tracks but failed miserably. fbi traced it directly to computer cards had access http://t.co/5qiHSUXYOz
— Michael S. Schmidt (@nytmike) June 22, 2015
According to the NY Times, the F.B.I. has been able to identify the exact computer used to hack into the Houston Astros’ network, during Spring Training 2014. The computer was located in a residence near the team’s spring training facility in Jupiter, Florida. Although the hacker(s) attempted to mask their location, the F.B.I. claims that whoever performed that hack was inexperienced and failed to cover their tracks successfully.
Now that the location of the computer is known, the F.B.I. has been able to narrow down their investigation to a smaller array of suspects. Specifically, Michael Schmidt of the NY Times claims that the investigation is focused on a small group of Cardinals employees that have a background in statistical analysis and computer programming, as well as access to the computer in the correct time frame. Four members of the Cardinals’ organization have hired criminal defense lawyers.
Even with a short list of suspects, the F.B.I. might not be able to properly identify who, precisely, is responsible for the hack. “If four or five men were working in the residence at one time,” Schmidt explains, “electronic forensics alone may not be able to establish whose fingers were on the keyboard.”
The F.B.I. is working to put together a time frame of when each individual was using the computer and for how long, in order to determine who specifically was responsible. So far, the process has been very difficult and may yet take some time. At this point, it appears that the F.B.I. has been able to identify the length of each users’ interaction with the computer, but not the actions taken therein.
In an exclusive interview with Houston Astros general manager Jeff Luhnow, Sports Illustrated staff writer Ben Reiter obtains three important, clarifying elements to the story. According to Luhnow:
- He did not use any of the passwords from his days in St. Louis, during his time in Houston
- He did not take any intellectual property from the Cardinals to Houston
- He has (had) no bad relationships with the St. Louis organization
On the first point, Reiter reminds us that Luhnow is a former technology executive that would clearly know better than to reuse old passwords at a new organization. Luhnow was firm in his stance, claiming that he is intimately familiar with password hygiene and best practices and that he holds himself and those he works with to a very high standard. Whether or not he changed his password, though, is unimportant. While it may make a hacker’s job easier, knowing someone else’s password does not give you permission to access their personal information. We have a tendency not to associate hacking with theft, but it is (rightly) treated that way in the eyes of the law. Breaking into someone’s house with their key is still breaking into someone’s house – especially if you stole their key.
On the second point, Reiter cites a possible motive put forth by Cardinals officials: Perhaps Luhnow performed an illegal knowledge transfer of his own, on his way out, leading to the act of revenge. Even if this turns out to be true, it is once again a separate issue. Unless you are Batman, you are not allowed to go on a vigilante justice mission to regain your stolen property. The right thing to do would be to alert the authorities and let them handle their job, like they are right now. Moreover, the motive doesn’t necessarily explain why the Astros’ proprietary information and data was stolen and leaked. If they were there to get evidence, they would have gotten it and left; if they were there to steal back their information, there would be no need to peek elsewhere.
The third point Reiter took from his interview with Luhnow is another piece to the puzzle. According to the Astros’ GM, there were no ill wishes or hurt feelings following his departure from the St. Louis organization. In fact, Luhnow invited the Cardinals’ owner, general manager and several other executives and scouts to his wedding a month after he left for Houston. But again, the motive is a separate issue from the crime. Even if there was some ill-will, an explanation for your actions does not excuse them.
Evan Drellich of the Houston Chronicle goes on to address the security issues surrounding professional sports’ first reported hacking scandal. Notably, he mentions that the Astro’s proprietary database, “Ground Control” didn’t have the industry standard level of security at the time of the breach. But continuing with the trend, that doesn’t matter. Unauthorized access, in any capacity, constitutes a “hack,” according to the legal definition of the term. To slide back into a metaphor, an easily breakable lock on the backdoor of my house does not give you permission to enter, nor does it lessen the fact that you illegally entered into my property.
Ultimately, the story continues to look bad for Cardinals. There is no number of explanations for the hack or reasons why it was easy, to excuse the actions of the accused. We’ll continue to wait for more details to come out before making any judgements, though, because for now we still know very little. Even if that very little appears to be fairly damming.