Why We Decided Not to Say the Astros Were ‘Hacked’
The word “hack” is being used like the Drudge siren.
Image: Dilip Vishwanat/Getty Images
On Tuesday, the St. Louis Cardinals were accused by federal investigators of accessing proprietary information on a database owned by the Houston Astros. The Cards allegedly got into the Astros' data because a former employee didn't change his password. Immediately, the Motherboard team began debating: Was this a hack?
To be clear, there is no question that this act, if it took place as described in news reports, is a crime under current law. The Computer Fraud and Abuse Act (CFAA), enacted in 1986, is concerned with obtaining electronic information without permission. Although many activists would like it to be otherwise, it does not make exceptions for non-criminal intent or unforced access. Using someone else's password, no matter how you got it, to access a protected* computer counts as unauthorized entry under the CFAA.
What the CFAA does not say, however, is whether this activity constitutes "hacking."
The word "hack" does not appear in the statute at all. In fact, the word and its permutations appear only 13 times in the US Code, according to a search on a site owned by Cornell University Law School. The word "hack" and its relatives appear more frequently in non-computer contexts, such as landscaping and falconry, than they do in reference to computer security.
"Hacking should imply a degree of expertise"
Still, the New York Times decided this unauthorized password use was a hack. "Cardinals Investigated for Hacking Into Astros' Database" read the headline used online (the one in the paper hedged much more, even allowing for the possibility that readers had not heard of either team: "Baseball Team Is Said to Breach Rival's Database").
The story opens:
Front-office personnel for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, are under investigation by the F.B.I. and Justice Department prosecutors, accused of hacking into an internal network of the Houston Astros to steal closely guarded information about players.
Reading through the piece, I wondered how the Cards did it. Is someone in the front office a crack coder? Did the team buy a zero-day? Did it hire a black hat on the dark web?
The attack would represent the first known case of corporate espionage in which a professional sports team hacked the network of another team. Illegal intrusions into companies' networks have become commonplace, but they are generally conducted by hackers operating in foreign countries, like Russia and China, who steal large amounts of data or trade secrets for military equipment and electronics.
Wow, that's some elite company. Perhaps the Cards executed a phishing attack, sending malware disguised as Google Drive files, as Chinese government hackers are suspected of doing to Tibetan activists. Or maybe someone from the team discovered a vulnerability that allowed the Cards to inject code through a forward-facing part of an Astros website, as one Russian hacker group did last year when its members stole 1.2 billion usernames and passwords.
It's not until the 13th paragraph that the Times starts to hint at how the "hack" actually happened.
The intrusion did not appear to be sophisticated, the law enforcement officials said.
Investigators believe that Cardinals personnel, concerned that [Astros general manager Jeff Luhnow] had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros' network, law enforcement officials said.
In other words, according to investigators speaking through the press, the Cards knew Luhnow's password because he worked for them. Once he went to the Astros in 2011, it occurred to his old bosses that maybe their turncoat employee was still using the same password at his new job, and whoops, he was.
I'm honestly not sure what goes through the average person's mind when they hear the word "hack," but I'm pretty sure it's not this. (It shouldn't be what Hugh Jackman is doing up there, either, but hacking in movies is another issue.)
The Times wasn't alone in deemphasizing the fact that the "hack" was accomplished with a legitimate password; the Washington Post doesn't explain it until the second to last paragraph.
When it came time for the Motherboard team to write a headline, we were divided.
We started analogizing. Is this like your ex knowing your password, and using it to check your email? Is that a hack? Is it like your ex having a key and using it to enter the apartment you used to share? Is that a break-in?
While we dithered, other outlets were going up with their stories. It was hacking all the way down. Even from Wired.
Ultimately, we went with, "If You Run a Sports Team, Change Your Goddamn Password" and tried to use the work "hack" as judiciously as possible.
I understand the impulse to call any compromise of a computer system a hack, especially when unauthorized entry into a computer system is treated the same under the CFAA, regardless of methods. It's also a fun Drudge siren for your story that signals immediately that computers and data stealing were involved, which can be very helpful when distilling a complicated story into a headline.
However, Cornell defines hacking as criminal activity in which "a perpetrator uses sophisticated technological tools to remotely access a secure computer or internet location." In the end, we agreed. As senior editor Brian Merchant put it, "hacking should imply a degree of expertise."
Calling every instance of unauthorized computer access a hack does a disservice to the public. It creates the impression that digital safecracking is a lot more rampant than it is—not that it's something you should ignore—and squanders the opportunity to hammer on the everyday vulnerabilities we face around passwords (change them!) and social engineering (trust no one, even if they say they're calling from Amazon).
That doesn't mean every computer crime has to involve sophisticated man-in-the-middle attacks or handcrafted viruses in order to be called a hack. But reusing an old password is pretty far from what Chinese and Russian state hackers do, and much closer to looking over someone's shoulder at their computer screen.
*If the computer is owned by the government or, in this case, involved in interstate commerce, it's considered protected and is covered by the law; it's been argued that any computer connected to the internet is covered as well.