Sentencing in Astro-Cardinals baseball hack offers lesson about passwords

Law punishing illegal computer access used in even seemingly minor transgressions


Baseball has long celebrated cheating, but electronic cheating just sent a former team front-office worker to prison for nearly four years.

Former St. Louis Cardinals scouting director Chris Correa, who earlier pleaded guilty to using old passwords to access a former team’s scouting database, was sentenced to 46 months in prison Monday. Correa broke into the Houston Astros’ computer systems repeatedly, stealing data. He previously had worked for the Astros.

Correa has been dubbed a hacker by sports media, but he simply made educated guesses to break into his old team’s computer database, mainly to download scouting intelligence that might help the Cardinals gain insight into players the Astros wanted to draft or trade for.

The long sentence was tied to the economic loss “suffered” by the Astros … and here things get confusing. According to, federal prosecutors essentially calculated how much money the Astros spent developing the data in their player database.

Sentence tied to financial loss

Assistant U.S. Attorney Michael Chu, who handled the hearing, listed the formula used to arrive at $1.7 million.

“But since much of the data that we looked at focused on the 2013 draft, what we did was we took the number of players that he looked at by 200 and we divided that by the number of players who were eligible to be drafted that year, and we multiplied that times the scouting budget of the Astros that year. That comes to $1.7 million,” he said.

That kind of loss meant a sentence of 36–48 months, according to federal guidelines.

That kind of jail time sounds like a lot for what some might consider the equivalent of stealing a third-base coach’s signs (particularly when you hear about rapists getting six-month sentences), but it is not out of line with many computer criminal punishments.

There has long been debate about fairness in hacker sentencing, a debate that reached fever pitch after Aaron Swartz was charged for “hacking” research and received a 30-year sentence and ultimately committed suicide.

No ‘typical’ hacker

Again, Correa is no hacker. When I talked to Morey Haber, vice president of technology at BeyondTrust, he sharply defended the sentence.

“Yes, there is a certain amount of cheating that goes on (in sports), but that’s during the game,” he said. “This is corporate espionage. It’s no different from hacking a bank. It’s no different than if you went from Lockheed Martin to Northrop Grumman (and hacked into your old employer). It’s not acceptable and courts are sending a strong message.”

Whatever you feel about Correa’s sentence (and the hanging questions about whether or not he could have been the only one who knew about all this), there are three really important lessons to learn from the Cardinals hack.

First, Correa actually told the judge during a hearing that he started breaking into the Astros computers because he was afraid they were doing the same thing to him. That may or may not be true. But “hacking back,” however tempting, is a crime. And it can steal several years from your life.

Make passwords more difficult

Second, using an old password to log into your old company (or slight variations of that) might seem like a fairly innocent thing to do. Maybe you forgot a contact phone number, or there’s a document you wrote that you’d like to see one more time. This kind of “hacking” can feel like no crime at all. It’s just a few keystrokes.

Doing that also can cost you years of your life.

Finally, to you Astros-like companies out there. Passwords can be easily guessed. And former employees who know the password tendencies of your current employees can guess them really easily. Look at this section of the court transcript that describes the “hack.”

“It was based on the name of a player who was scrawny and who would not have been thought of to succeed in the major leagues, but through effort and determination he succeeded anyway. So this user of the password just liked that name, so he just kept on using that name over the years. … Kind of like Magidson123… Or Magidson1/2,1/4,1/3.”

Have a smarter authentication system than that. At least change the indicator once in a while. (That’s a baseball joke.)
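The transcript describes a habit a password-change system could catch on its own: the same favourite word, re-used for years with only the trailing digits and punctuation swapped. The check below is an added example and is not code from the article or from any team’s systems; it flags a proposed password that is a minor variation of the user’s previous ones. The sample passwords are constructed, modelled on the “name plus digits” pattern quoted above, and the similarity threshold is an assumption a deployment would tune.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed sample history (not real credentials). It mirrors the habit the
# court transcript describes: one favourite word, different suffix each time.
SAMPLE_HISTORY = ["Magidson123", "magidson1/2", "Magidson!4"]


def core(password: str) -> str:
    """Lower-case the password and strip the leading/trailing digits and
    punctuation people bolt onto a favourite word to 'change' it."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1] (1.0 means identical)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def variation_of(old: str, new: str, threshold: float = 0.75) -> Optional[str]:
    """Return a human-readable reason if `new` is a trivial variation of `old`,
    or None if it is genuinely different. `threshold` is an assumed value."""
    if new.lower() == old.lower():
        return "identical (case aside)"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "same word, only digits/punctuation changed"
    if old_core and new_core and (old_core in new_core or new_core in old_core):
        return "old password's word is contained in the new one"
    ratio = similarity(old, new)
    if ratio >= threshold:
        return f"too similar to a previous password (ratio {ratio:.2f})"
    return None


def check_new_password(candidate: str, history: List[str]) -> List[Tuple[str, str]]:
    """Compare a proposed password against every previous one the user had.
    Returns a list of (previous_password, reason); an empty list means accept."""
    hits = []
    for old in history:
        reason = variation_of(old, candidate)
        if reason:
            hits.append((old, reason))
    return hits


if __name__ == "__main__":
    for proposed in ["Magidson456", "Magidson1/2,1/4,1/3", "wQ7#plover-frigate"]:
        problems = check_new_password(proposed, SAMPLE_HISTORY)
        verdict = "REJECT" if problems else "accept"
        print(f"{proposed!r}: {verdict}")
        for old, reason in problems:
            print(f"    vs {old!r}: {reason}")
```

A check like this has to run at change time, when the user has just typed the current password in the clear; stored password hashes cannot be compared for similarity. It is a backstop, not the fix: the accounts and credentials of people who have left should be disabled, and a second authentication factor means a guessed variation on its own gets no one in.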
