Cardinal sin: Ex St Louis baseball exec cops to 'hacking' rival team's db The former scouting director of the St Louis Cardinals baseball club has admitted he illegally poked around in the player database of a Major League Baseball rival. Chris Correa pleaded guilty on Friday at a Houston federal court to five counts of unauthorized access to a computer stemming from a 2013 infiltration of the email …
"Whether it's preserving the sanctity of America's pastime or protecting trade secrets, those that unlawfully gain proprietary information by accessing computers without authorization must be held accountable for their illegal actions."
I suggest that the gaping hole created by the practice of not enforcing effective password related policies (or any at all) should also be punished in some way or at least highlighted. If America (how can a US Attorney escalate this local fuck up countrywide) wants to preserve the sanctity of their pastime or protect their trade secrets, then they do so and not leave the door off the latch. Note that you can't throw assault rifles at this task, unfortunately you have to use common sense instead.
Ideally, every company would issue a password manager on each computer. This would stop a lot of this type of intrusion. Plus, it would stop employees from using their Facebook password as an example as their login password at work. But.. dollars and profit and all that.
> I suggest that the gaping hole created by the practice of not enforcing effective password related policies (or any at all) should also be punished in some way or at least highlighted.
Absolutely! Who on earth down voted you?
It's like those German girls in the crowds berating the government for not looking after them the way Hitler would for wearing revealing clothes and arm tattoos in the presence of morons from unknown cultures. (I am not blaming anybody I actually think that if you want to walk around totally naked you should be perfectly safe to do so.)
But it shouldn't require a Nazi state mentality to keep anyone safe. If you leave your car door unlocked and the keys in it then your insurance should refuse to pay. Ever since the moneyball era the practice of hiring computer engineers has become widespread in sport generally. If the powers that be never learned to be careful they shoulder most of the blame.
"Exclusion clauses are found in almost all motor insurance policies, although the precise wording and scope of the clause can vary. Insurers include these clauses because they do not intend to cover loss or damage caused by theft when the consumer deliberately or inadvertently leaves the ignition keys in or on the car."
http://www.financial-ombudsman.org.uk/publications/technical_notes/motor-insurance-keys-in-car.html
Either hire an insurance techies next time, or learn the meaning of the term "great game".
I would sentence all parties to watching Money Ball and The Blind Side every day for a couple of years. That should be enough. Maybe make the Cardinals trade a quarter of their fans to a team less stooooopiiiid?
The real issues is how he obtained the former employee password. Does the Cardinals store the password in a reversible way? Does they share passwords, or have user communicate them?
Of course the Astros have issues if they don't force password changes, and anyway important data should be protected by better methods than a single password. They spend millions on people hitting balls with a piece of wood, could spend a little more on authentication devices...
I have worked with companies that had common passwords for some accounts and with others that mandate periodic password changes with no sharing. First the Cardinals have some serious policy issues about sharing passwords and Astros have equally idiotic policies. However that does not excuse moron's actions.
Of course the Astros have issues if they don't force password changes,
Not only that, when they suspected the intrusion they apparently had some but not all users change passwords. Or the guy who came from the Cardinals changed his password back because he was used to using that one (which he probably also used for facetwitcetera).
As I recall it was on a post-it note on the former scout's PC. For the Astros to force a PW change means nothing if he re-uses the one from the previous employer. There's no way a new employer can guarantee that all passwords have never been used before by an employee. Except with a password manager than randomly generates the password and such that the employee never sees any passwords except the one to use the manager. Convoluted, isn't it?
" Even when unauthorized access to the database was detected by the Astros and user passwords were changed, Correa simply logged into the staffer's email account and lifted the new credentials."
Seems to imply that when the employee left the Cardinals they did not suspend / delete his email account (assuming it was a corporate account) or remove it from all distribution lists (if it was a personal account)
...Or it was a shared account.
Worked for a large company that had open, internet-facing test accounts for tech support to use. Passwords weren't changed (ever) on then, one account that everyone used for everything (same name/pass on multiple systems, too).
A pity, really, that I ethically chose to forget the account when I left as nothing would prevent me from using it now, years later, unless something major has changed.
There is no evidence, none at all, that the intruder's intent or subsequent actions, had -anything- to do with "stealing" data. There is no evidence that he shared any data he accessed with anyone in his organization, or even made -any- use of it. There is no evidence that anyone else in his organization approved or even knew of his intrusion. His stated purpose (and I choose to believe him) was to determine if former Cardinals employees stole proprietary data or proprietary software or proprietary methods and tools from the Cardinals upon moving to another company (team.)
The above is not a defense of his stupid actions, but, IMHO, casts them in a completely different light, No?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
