Houston Astros 'hack' row: St Louis Cardinals fire their chief scout

The St Louis Cardinals baseball team has sacked its director of scouting over the alleged unauthorized access of a rival team's computer database. The Major League Baseball team said on Thursday that Chris Correa was booted out of the team after he apparently admitted to logging into systems owned by the Houston Astros. The …

  1. John Tserkezis

    Sooner or later, those who use insecure passwords, along with lax handling of said passwords, are the ones who should be held accountable.

    The fact they were "hacked" was entirely due to their incompetence.

  2. David Roberts
    FAIL

    So the same developers built the same software for two different teams.

    Using the same user IDs and passwords.

    Not much of a hack then.

    Also a hint that they may have "reused" data as well as code and passwords.

    Available via the Internet as well?

    If not, how did he get access?

    Not surprised the FBI aren't chasing him as a terrorist hacker!

  3. jake Silver badge

    Typical of today's lax kiddie "sysadmins".

    Hint: If you change ALL passwords (and hopefully also login names!) after an employee or employees with access to same leave the company, you won't have this kind of issue. But that would be hard.

    On the bright side, I make a lot of money cleaning up after this kind of mess.

    1. disgruntled yank

      Re: Typical of today's lax kiddie "sysadmins".

      Well, it is quite possible that the St. Louis sysadmins did just what you said, disabled their logins and changed privileged passwords that the departing users might have known. The problem isn't that Joe Smith's old login jsmith@cardinals.com was left active, but that Joe Smith reused his password "i-hate-the-yankees" for jsmith@astros.com.

      While the BOFH is probably authorized to use enhanced interrogation methods to prevent such password reuse, I doubt that MLB sysadmins are.

      1. jake Silver badge

        @disgruntled yank (was: Re: Typical of today's lax kiddie "sysadmins".)

        "reused his password"

        Possible with lax security. My systems? Not so much.

        The so-called "BOFH" was old, tired & derivative of itself before it left Usenet. Kindly stop citing it as authoritative, you are just making yourself look silly.

        1. Frank Marsh
          Thumb Down

          Re: @disgruntled yank (was: Typical of today's lax kiddie "sysadmins".)

          Jake: "Possible with lax security. My systems? Not so much."

          Right, because your systems know the passwords a user used at a previous job, and add those to a magical blacklist.

          I'd say that ill-deserved smugness is more old, tired, & derivative than the BOFH could ever become.

          1. jake Silver badge

            @ Frank Marsh (was:Re: @disgruntled yank (was: Typical of today's lax kiddie "sysadmins".))

            "because your systems know the passwords a user used at a previous job"

            The previous job-site (the idiots who were broken into) was not admined by a clueful sysadmin. When the (l)user changes employment, all access info/code should be changed, thus not allowing this kind of stupidity. Try to remember, the system that was broken into was at a previous job AND the idiots at the previous job didn't change the password(s).

            My systems generate a new fairly-random password for new employees ... in fact, no user is allowed to choose their own password.

            "I'd say that ill-deserved smugness is more old, tired, & derivative than the BOFH could ever become."

            I'd say that you don't really understand system security.

  4. Peter Clarke 1

    Standard National IT Practice

    The Astros have several ex-OPM employees and used their security protocols. I mean, it's not as if a government department would be lax about security. Oh, wait ....

  5. Alistair
    Coat

    and I'll bet the devs are off doing it all over again

    For some other MLB team, using the same userids and same passwords. I have to wonder if *any* of them have been FIRED for this crap yet.

  6. hidaraf
    Facepalm

    Not a hack/unauthorized access

    It looks worse.

    Bet they just plugged in a <cleaned< backup of the database and the application. And forgot about the DBA's identity.

    And it was too much bother to change everything, including scripts, scheduling, housekeeping, etc.

    So I suppose there is still a long way till the lawyers finish.

