Off the Kuff

hacking

An update on election security

Nothing to see here.

Russian hackers probed election systems in all 50 states, a new Senate report confirmed Thursday.

The report comes one day after former special counsel Robert Mueller told Congress that the Russian government is working to meddle in U.S. elections “as we sit here.”

“It wasn’t a single attempt,” Mueller said Wednesday of Russia’s 2016 election interference. “They’re doing it as we sit here. And they expect to do it during the next campaign.”

The bipartisan report by the Senate Intelligence Committee released Thursday confirmed previous comments by the Department of Homeland Security (DHS) that Russian hackers scanned election systems in all 50 states ahead of the 2016 presidential election. DHS initially acknowledged Russian attempts to hack into election systems in just 21 states.

[…]

Democrats used Mueller’s testimony Wednesday as the backdrop to bring a trio of election security bills to the Senate floor, but Sen. Cindy Hyde-Smith (R-MS) blocked each one in succession.

Two of the measures, one by Warner and the other by Sen. Richard Blumenthal (D-CT), would require campaigns to report offers of foreign support. The third, by Sen. Ron Wyden (D-OR), would have allowed the Senate Sergeant-at-Arms to help secure personal electronic devices belonging to senators and their staff.

Hyde-Smith has not said why she blocked the measures, but Senate Majority Leader Mitch McConnell (R-KY), has long opposed bringing election-security measures up for vote. Last year, for example, Senate Rules and Administration Committee Chair Roy Blunt (R-MO) accused McConnell of blocking another election security bill, explaining that McConnell believed the issue “reaches no conclusion.”

“[McConnell] has a long history of opposing election reform,” Wyden told ThinkProgress earlier this year. “And he’s got people in his caucus who’ll do a lot of the heavy lifting for him.”

Remain calm, all is well.

Senate Intel Committee Chairman Richard Burr (R-NC), and Vice Chair Mark Warner (D-Va.) each issued statements with the report’s release. Burr said that in 2016, the United States was “unprepared at all levels of government” for attacks on election infrastructure, and has improved in the time since. Burr noted that the Department of Homeland Security and state election officials have a much better working relationship than before, but that “still much work remains to be done.”

It’s unclear whether Burr considers federal elections security legislation as part of the work that remains to be done. Mitch McConnell, Burr’s Republican colleague and the Senate majority leader, has prevented most of this type of legislation from coming to the Senate floor, arguing that Congress has done enough and that pending election security legislation is merely the Democrats’ effort to usurp states’ rights and bolster their chances at the polls.

Warner, who a day ago was part of a group of Congressional Democrats that blasted McConnell for holding up election security legislation, alluded to the need to get past the partisan gridlock. “I hope the bipartisan findings and recommendations outlined in this report will underscore to the White House and all of our colleagues, regardless of political party, that this threat remains urgent, and we have a responsibility to defend our democracy against it,” he said in a statement.

The report notes that the Russian operation dates back to “at least 2014.” It reveals that state and local officials, who are mostly in charge of running elections, “were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor,” and that officials at all levels of the government debated whether to publicly acknowledge what was happening, with some concerned that disclosing it “might promote the very impression they were trying to dispel—that the voting systems were insecure.” At the time, McConnell took an active role in preventing further public disclosure of the Russian operation, the Washington Post reported in December 2016.

Go about your business.

Hacking individual voting machines would be an inefficient way to throw an election. But J. Alex Halderman, a computer scientist who has tested vulnerabilities for more than a decade, testified to the Senate committee that he and his team “created attacks that can spread from machine to machine, like a computer virus, and silently change election outcomes.” They studied touch-screen and optical-scan systems, and “in every single case,” he said, “we found ways for attackers to sabotage machines and steal votes.”

Another way to throw an election might be to attack systems that manage voter-registration lists, which the hackers also did in some states. Remove people from the lists—focusing on areas dominated by members of the party that the hacker wants to lose—and they won’t be able to vote.

One former senior intelligence official told me, “If I was going to hack such a system, I’d leave the records alone and corrupt the tally software”—the programs that count the votes and transmit results to a central headquarters. The transmission is done through a network, which is vulnerable to hackers. Some data are transmitted from the voting machines via USB ports, which are also easy to hack.

In the past decade, many states have installed voting machines with paper backups. (One of the measures blocked in the Senate this week would have required them.) But the Senate report notes that 19 states do not conduct complete postelection audits to compare these ballots to the electronic results; five of them do not audit at all. Paper backups mean little if nobody looks at them.

Computerized voting might be inherently vulnerable. Matt Blaze, who holds the McDevitt Chair of Computer Science at Georgetown Law, said at a hacking conference in Washington earlier this year, “Voting security is by far the hardest problem I have ever encountered.”

That last link does have a proposed solution, if you’re not too depressed to read it. But as with most things in this life, if we want to make progress on fixing the problem, we have to first solve the Mitch McConnell problem.
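The quoted piece says paper backups mean little if nobody looks at them, but leaves “looking” undefined. The modern form of that look is a risk-limiting audit: hand-inspect randomly drawn paper ballots until the evidence that the reported winner really won reaches a chosen risk limit, or until it is clear a full hand count is needed. Below is an added example, not code from the Senate report or from any source quoted on this page: the pairwise BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) in Python, run on a constructed two-candidate contest. The candidate names, the tallies and the seed are made up.

```python
import math
import random
from typing import Dict, Iterable, List, Tuple

# Constructed reported tally for a two-candidate contest (made-up numbers,
# not from any real election).
REPORTED: Dict[str, int] = {"Alpha": 6_000, "Beta": 4_000}


def min_sample_if_clean(s_w: float, alpha: float) -> int:
    """Ballots needed to confirm the result if every draw is for the reported winner.

    Each winner ballot multiplies the test statistic by s_w / 0.5 = 2 * s_w, so
    the audit can stop after ceil(log(1/alpha) / log(2 * s_w)) such ballots.
    """
    return math.ceil(math.log(1.0 / alpha) / math.log(2.0 * s_w))


def bravo_audit(reported: Dict[str, int], sample: Iterable[str],
                alpha: float = 0.05) -> Tuple[str, int]:
    """Pairwise BRAVO ballot-polling audit for the top two candidates.

    `sample` yields the choice found on each hand-inspected paper ballot, in
    the order drawn.  The test statistic t starts at 1; a ballot for the
    reported winner multiplies it by s_w/0.5, a ballot for the reported loser
    by (1-s_w)/0.5, and anything else (blank, third candidate) leaves it alone.
    Returns ("confirmed", n) once t >= 1/alpha, or ("full_hand_count", n) if
    the sample runs out first; n is the number of ballots inspected.
    """
    ranked = sorted(reported.items(), key=lambda kv: -kv[1])
    (winner, w_votes), (loser, l_votes) = ranked[0], ranked[1]
    s_w = w_votes / (w_votes + l_votes)   # reported share of the winner within the pair
    if s_w <= 0.5:
        raise ValueError("reported result is a tie; there is no winner to confirm")
    threshold = 1.0 / alpha
    t = 1.0
    n = 0
    for choice in sample:
        n += 1
        if choice == winner:
            t *= s_w / 0.5
        elif choice == loser:
            t *= (1.0 - s_w) / 0.5
        if t >= threshold:
            return "confirmed", n
    # Risk limit never reached: the only way to settle the contest is to count every ballot.
    return "full_hand_count", n


def draw_ballots(paper_ballots: List[str], seed: int) -> Iterable[str]:
    """Yield ballots in a random order fixed by `seed`.

    In a real audit the seed comes from a public ceremony (dice rolls, say)
    held after the results are published, so that nobody can choose it.
    """
    order = list(range(len(paper_ballots)))
    random.Random(seed).shuffle(order)
    for i in order:
        yield paper_ballots[i]


if __name__ == "__main__":
    # Constructed stack of paper ballots that happens to match the reported tally.
    ballots = ["Alpha"] * REPORTED["Alpha"] + ["Beta"] * REPORTED["Beta"]
    print("draws needed if every ballot is for Alpha:", min_sample_if_clean(0.6, 0.05))
    print(bravo_audit(REPORTED, draw_ballots(ballots, seed=20190725)))
```

With a 60/40 reported margin and a 5% risk limit, seventeen straight ballots for the reported winner are enough to stop; every ballot for the loser pushes the stopping point out, and a sample that keeps splitting evenly never confirms anything, which is the point: the paper, not the reported number, decides.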

Yeah, we’re still talking about the risk to our elections

And when we talk about these things, we talk to Dan Wallach.

When we think about those who defend the territorial integrity of our nation and state, we tend to imagine well-equipped members of the U.S. armed forces, or perhaps a square-jawed detachment of Texas Rangers. Increasingly, however, the twenty-first century battle for control of the American homeland is being fought in the computerized elections systems overseen by our humble county clerks.

Here in Texas, votes in federal and state elections are tallied independently by 254 local officials, one in each county seat, from big cities like Houston and Dallas to tiny courthouse towns like Tahoka and Floydada. If a hostile country decides to hack an election in Texas, that means pitting Russia’s (or Iran’s or North Korea’s or China’s) most skilled hackers against a group of officials and volunteers who may not even know their way around an iPhone.

“We’re asking county clerks, and for that matter local poll workers, to defend against a nation-state adversary,” says Dan Wallach, computer science professor at Rice and expert on election security issues. “That’s not a fair fight.”

Wallach, a graduate of J.J. Pearce High School in Richardson as well as U.C. Berkeley and Princeton, has made it his mission to assist local election administrators by helping to develop and advocate for the adoption of foolproof, verifiable election systems and policies in Texas. From 2011 to 2015, Wallach served on the U.S. Air Force Scientific Advisory Board; before that he led the National Science Foundation–funded ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections). Most recently, he’s been seen testifying before the Texas Senate on issues related to election security.

“From a security perspective, the systems that we use, these electronic voting systems, were never engineered with the threat model of foreign nation-state actors,” Wallach says of the status quo in Texas. “I have no idea if anybody’s planning to exploit them, but there’s no question that the vulnerabilities are present.”

That’s the bad news. The good news is that remedies are within reach, if Texas is willing to invest money and other state-level resources to improve election security. Experts like Wallach have identified best practices that can make elections reliably secure for the current threat horizon. Wallach proposes what amounts to a three-step plan for improved election security: better machines, better oversight, and better contingency planning.

The rest of the story delves into those three steps; it begins of course with auditable voting machines that include printed ballots. Speaking from my perspective in the IT security field, I can confirm that every big company that wants to stay in business past tomorrow zealously captures, indexes, and monitors its systems’ log files, both to look for real-time anomalies and to provide a written record of what happened in the event of a breach or other failure. It’s just standard practice in the real world. Why our state government is so resistant to it for our election systems is a question for which they really need to be held accountable. I would also note that the $350 million price tag to replace every obsolete voting machine in the state, which apparently we can’t do unless the feds pick up the tab, is something we could easily afford if we wanted to do it. For now, assuming we don’t get a state government that’s willing to do this, our best bet is to work towards a federal government that will do it, presumably after 2020. And hope like hell in the meantime that nothing goes horribly wrong.

Cyber insurance

Seems like a good idea.

Houston City Council on Wednesday unanimously agreed to spend $471,000 on cyber insurance, becoming the latest Texas municipality trying to bolster its response to growing technological risks.

The insurance can cover up to $30 million in expenses related to security breaches in the city’s network, including crisis response, recovery of losses and answers to legal claims stemming from cyberattacks.

While some data breaches are preventable, the prevalence of cybersecurity threats against city governments nationwide prompted Houston to take steps to insure itself, said At-large Councilman David Robinson, chairman of council’s Transportation, Technology and Infrastructure committee.

“There are those things that are just beyond the reach or scope of expected due diligence and preparation,” Robinson said. “You need to be prepared for the unknown.”

In the event of a cyberattack, such as hacking or phishing, in which people pose as trustworthy sources to obtain money or information, the insurance coverage could pay for crisis management resources, computer forensics, credit monitoring and call center services.

After a security threat is detected, the new policy could cover any loss of income or expense from the interruption of computer systems, according to council background materials outlining the insurance. It could be used to pay the cost of restoring or recollecting data affected by a cyberattack, as well as the cost of investigating threats. The insurance policy also can be used for liability claims made against the city for failing to protect data or prevent access to confidential information.

This makes sense. Of course, as an organization you want to do everything you can to prevent an incident, but as we say in the business, it’s not a matter of if you’ll get hacked, it’s a matter of when. Like what happened to Harris County earlier this year. All of your vendors and suppliers and business partners are potential avenues for compromise, too. While I hope we’ll never need to use it, this is a smart investment.

Who wants to protect our voting systems from hackers?

You would hope the answer to that question would be “everyone”, but that’s not the world we currently live in.

A bipartisan group of 21 state attorneys general are demanding Congress’ assistance in protecting the 2018 election. Writing to Rep. Michael McCaul, chairman of the House Homeland Security Committee and Sen. Roy Blunt, Senate Rules and Administration Committee Chairman, the AGs ask for “assistance in shoring up our systems so that we may protect our elections from foreign attacks and interference.”

“As the latest investigations and indictments make clear,” they write “during the 2016 election, hackers within Russia’s military intelligence service not only targeted state and local election boards, but also successfully invaded a state election website to steal the sensitive information of approximately 500,000 American voters and infiltrated a company that supplies voting software across the United States.” Combatting that incursion and giving the electorate “confidence in our democratic voting process” is “imperative,” they write. “The integrity of the nation’s voting infrastructure is a bipartisan issue, and one that affects not only the national political landscape, but elections at the state, county, municipal, and local levels.”

Their direct demands: “Prioritizing and acting on election-security legislation” in the form of the Secure Elections Act (S.2261), a bipartisan bill that would provide additional grants and assistance to states to shore up systems; “Increasing funding for the Election Assistance Commission to support election security improvements at the state level and to protect the personal data of the voters of our states”; and, “Supporting the development of cybersecurity standards for voting systems to prevent potential future foreign attacks.”

You can see the very reasonable letter here. Seems simple and straightforward, no? You can also see that none of those AGs are Ken Paxton. Maybe that’s why he doesn’t want to debate – he doesn’t want to get asked pesky questions about that sort of thing.

LWV to look at Harris County election security

I look forward to seeing their results.

The League of Women Voters of the Houston Area plans to study the cybersecurity of Harris County’s election system, but the non-partisan group may not be able to gather all the information it wants.

The League, working with the non-profit civic-tech activist group Sketch City, hopes to finish the study and release recommendations by May 2018.

During an organizational meeting [last] Tuesday night at the Leonel Castillo Community Center, Sketch City founder Jeff Reichman said the group had received early cooperation from both the Harris County Clerk’s office, which administers elections, and the Harris County Tax Assessor-Collector, which handles voter registration.

Reichman said the group wants to study all aspects of the election process, which uses Hart InterCivic eSlate voting machines that are about 15 years old. He said they want to look into the documented vulnerabilities of the machines; how easily computers involved in the election can be physically accessed both in storage and while in use in elections; and what the procurement process is for buying new machines.

“We want to look into the best practices that anyone with access to sensitive information should follow,” Reichman said during Tuesday’s meeting.

There’s been a lot of debate about the security of our election systems, locally and nationally. Less discussed is the fact that our voting system is just old, at least in technological terms. The eSlate made its debut in Texas in the 2000 election and has been in use in Harris County since 2002, which is five years before the debut of the iPhone. One would think there have been some advances in the engineering since then. As such, even without this particular elephant in the room, we have needed to be thinking about what comes next for some time. If this is even a small step in that direction, I’m glad to see it. I’m not sure what it would take otherwise.

So were we targeted by Russian hackers or not?

Depends who you ask, I guess.

A top state official is pushing back against the federal government’s claim that Texas was among states whose election systems were targeted by Russian hackers ahead of the 2016 presidential election.

“At no point were any election-related systems, software, or information compromised by malicious cyber actors,” Texas Secretary of State Rolando Pablos wrote in a letter to the U.S. Department of Homeland Security on Thursday.

Last week, the Department of Homeland Security said the election infrastructure of 21 states, including Texas, was targeted by Russian hackers. Being targeted does not mean that votes were changed but that a system was scanned.

Shortly after the announcement, officials in California and Wisconsin said they’d received contradictory information from the department that suggested they’d been incorrectly included on that list.

Pablos, in his letter, made a similar claim and asked the department to “correct its erroneous notification” that the state agency’s website had been the target of malicious hackers. Pablos argued that federal officials had based their assessment on “incorrect information” and that an investigation by his office with the state’s Department of Information Resources had found no such targeting.

“In order to restore public confidence in the integrity of our elections systems, it is imperative for DHS to further clarify the information provided,” the letter says. “Our office understands that you have provided similar clarification to election officials in Wisconsin and California. We respectfully request you provide the same clarification to the State of Texas.”

A Department of Homeland Security spokesman told Reuters Thursday that “additional information and clarity” had been provided to several states, and that the department stood by its assessment “that Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure.”

See here for the background. I’d need to see the specifics before I can make a judgment here. Saying the SOS systems weren’t “compromised” isn’t a contradiction of what was said by Homeland Security, which merely said the SOS website had been “scanned and probed”. That’s basically background noise on the Internet, though depending on the source of the probe it can be of interest. It would be nice for everyone to get their story straight so we know for sure who is claiming what.

Texas was a hacking target in 2016

We’re just finding out about this now?

Hackers targeted Texas and 20 other states prior to the 2016 presidential election, the United States Department of Homeland Security has formally informed the states.

But the hackers who tried to mess with Texas didn’t get far, officials with the Texas Secretary of State’s office said Monday.

The federal agents said instead of targeting the state’s voter registration database during the 2016 elections, hackers searched for a vulnerability on the Secretary of State’s public-facing website, according to Sam Taylor, an agency spokesman.

“If anyone was trying to get into the elections system, they were apparently targeting the wrong website,” Taylor said.

The website, http://www.sos.state.tx.us, is devoid of voter information, he said, and hackers never found a way to crack into it.

[…]

According to testimony before the U.S. Senate Intelligence Committee, the Department of Homeland Security began finding incidents of scanning and probing of state and local election systems in August 2016. A declassified report from national intelligence officials released in January stated that “Russian intelligence obtained and maintained access to elements of multiple U.S. state or local electoral boards.”

“There is no complacency in Texas when it comes to protecting the security of our elections system,” Secretary Rolando Pablos said. “We take our responsibility to guard against any and all threats to the integrity of elections extremely seriously and will continue to do so moving forward.”

Here’s what bothers me about this. It’s not that our Secretary of State websites may have been attacked – that’s a matter of when, not if – and it’s not even that they might not have known about it until the feds informed them of it – it may have been a new vulnerability being exploited. What bothers me is the assertion that because there was nothing of value on the server that was hacked, there was nothing to worry about. Low-value servers, ones that are public facing and have no proprietary or confidential information on them, are often targets for hackers. The reason for this is that once you have access to such a machine, you have the opportunity to look for vulnerabilities inside the network, to do things like try to crack passwords on higher-privilege accounts so that you can gain access to more valuable resources. A spokesperson like Sam Taylor may not understand this, but I sure hope someone at the SOS office does.

Also, too: It’s not possible to stop every attack – any IT professional worth their salt will tell you this – but what is possible and very necessary is to detect abnormal system activity as quickly as you can, so you can tell when you’ve been breached and take steps to stop it. As I said, the SOS may not have known about these particular attacks at the time. Some of this is cutting edge stuff, and the majority of us only find out about them in retrospect. But now that they do know, I sure hope they’re reviewing all their logs and their various monitoring tools to see what they might have missed and how they can detect this sort of attack going forward. I also hope they’re sharing this information with every elections administrator to ensure they are aware of this and can perform the same reviews. That is something I’d expect a spokesperson to address.

Hacking voting machines

I’m just going to leave this here.

Google and Apple invite hackers to find flaws in their code and offer hefty rewards to those who find them. It’s a common practice in the industry. The government’s done it too, with programs like “Hack the Pentagon.”

But opportunities to test how secure our voting machines are from hackers have been rare. Manufacturers like to keep the details of voting machines secret. And they don’t often provide machines for people to test.

That’s why hackers swarmed to the Voter Hacking Village at Defcon in Las Vegas. The massive hacker convention is split into “villages” based on themes such as lock picking, encryption, social engineering and, for the first time, voter machine hacking.

Defcon received more than 30 voting machines to play with, providing a rare opportunity for hackers to find the flaws in our democracy’s technology. (The organizers didn’t specify how many models the 30 units represented.) Voting technology was elevated into the political spotlight in 2016 as lawmakers raised concerns about Russian hacking and President Donald Trump’s road to the White House.

To be clear, there’s no evidence any votes were hacked during the 2016 presidential election. But there hasn’t been much research on the voting machines to see if it’s possible.

“The exposure of those devices to the people who do bug bounties or actually look at these kind of devices has been fairly limited,” said Brian Knopf, an internet of things security researcher for Neustar, a security analysis company. “And so Defcon is a great opportunity for those of us who hack hardware and firmware to look to these kind of devices and really answer that question, ‘Are they hackable?'”

After just about an hour and a half, the answer was an emphatic “yes.”

I don’t want to be alarmist. The one specific voting machine mentioned in the story is one that has been out of use since 2015, so it’s hard to say how real-world and prevalent some of this is. The problem is that there’s a lot of secrecy around voting machine technology, so while there are no known examples of systems being compromised, we mostly just have the assurances of the people in charge that there’s nothing to see here. There’s a lot of room to improve standards and transparency, in the name of promoting faith in the security of the system.

Stanart pushes back on election security claims

Our County Clerk is not happy with recent stories about the potential for vulnerability in our election systems.

Despite reports from federal intelligence agencies and media outlets of Russia’s widespread targeting of state and local elections around the country and in Texas, election administrators in the nation’s third-largest county say Vladimir Putin’s government does not pose a unique or heightened cybersecurity threat.

Harris County Clerk Stan Stanart said his office, which runs local elections, has a slew of checks in place to prevent hackers from tampering with the vote, including multiple backed-up voter registration databases that are kept offline. He said reports produced by voting machines before every election ensure the machines do not come pre-loaded with votes and after the election allow the county to cross-check against final tallies to make sure the vote is not manipulated.

While most observers and experts agree Russia exemplifies a new threat to election infrastructure nationwide, Stanart said the county faces no greater risk from Russia today than threats going back to the 1980s. He also challenged the veracity of reports that the Kremlin had attempted to coordinate widespread attacks on state and local election systems in 2016.

“Where’s the evidence?” Stanart said. “I would really question that.”

[…]

Bloomberg reported in June that Russian hackers “hit” voter databases and software systems in 39 states, in some cases penetrating campaign finance databases and software used by poll workers, and attempted to alter or delete voter data in Illinois.

Also last month, the Dallas Morning News published a story that election officials there had found attempts to hack their election system ahead of the November election. The newspaper reported that election officials there cross-referenced hundreds of suspicious or possibly Russian-linked IP addresses provided to them by the U.S. Department of Homeland Security against those that had attempted to access Dallas County servers in early October and found 17 matches.

Stanart said his office has not seen that list of IP addresses. Dallas County election officials did not respond to a request for comment.

[…]

Harris County officials refuse to answer whether they saw any attempts to penetrate the county’s systems. While Stanart himself said he has not found that Russian-linked hackers targeted the local election system, he acknowledged that other county security officials could have found and stopped such attempts before they reached his office.

Those officials repeatedly have not answered questions about whether they saw such a threat.

Bruce High, the chief information officer and executive director of the county’s Central Technology Services, has acknowledged a recent “spike” in attempts to hack Harris County servers from outside of America’s borders, but has declined to explain when the spike began, what is being targeted and where the hack attempts are coming from.

See here for the background. I received some feedback from the County Clerk’s office following the publication of that piece, including a fuller response from Stan Stanart that I believe is intended to be an op-ed in the Chronicle that specifically disputed several of the claims made by Dan Wallach. I’m printing it here beneath the fold for your perusal. Beyond that, I don’t understand why the County Clerk says it has not seen the aforementioned list of Russian IP addresses, nor do I understand the reluctance by Harris County to discuss their cybersecurity measures in any depth. I don’t expect them to lay out their defense plans in detail, but some reassurance beyond “trust me” that they’re on the job would be nice. Maybe trot someone out who can at least speak the lingo or something like that, I don’t know. This is a legitimate thing for voters to be concerned about, and we have a right to expect those concerns to be addressed in a more responsive fashion than what we are getting.
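Two of the practical points raised in these posts come down to the same piece of work: reviewing a public-facing site’s logs for the kind of probing the SOS website saw, and cross-referencing a list of suspect addresses against the servers’ access attempts, which is what Dallas County did with the DHS list to find its 17 matches. The following is an added example, not code from any of the quoted sources or from any county. It is Python over a constructed Apache/nginx-style access log and a constructed indicator list made of RFC 5737 documentation addresses; the probe paths, the 60-second window and the threshold of four are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed indicator list standing in for the addresses DHS shared with
# Dallas County.  These are documentation ranges (RFC 5737), not real indicators.
INDICATORS = ["203.0.113.0/24", "198.51.100.77"]

# Constructed access-log lines in Apache/nginx "combined" format.  The first
# client walks through paths nothing on the site should ever serve; the second
# is an ordinary visitor; the third makes one innocuous request, but from an
# address on the indicator list.
LOG_LINES = """\
203.0.113.45 - - [03/Oct/2016:02:14:07 -0500] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Oct/2016:02:14:08 -0500] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Oct/2016:02:14:09 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Oct/2016:02:14:10 -0500] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Oct/2016:02:14:11 -0500] "GET /elections/voter.php?id=1'%20OR%20'1'='1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Oct/2016:02:15:00 -0500] "GET /elections/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Oct/2016:02:15:03 -0500] "GET /elections/results.html HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.77 - - [03/Oct/2016:02:16:30 -0500] "GET /elections/ HTTP/1.1" 200 5120 "-" "curl/7.47.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths a scanner tries and a legitimate visitor of this site would not (assumed list).
PROBE_RE = re.compile(r"(?i)(wp-login|\.git/|phpmyadmin|/admin/|'|%27|\.\./)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything that does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def load_records(text: str) -> List[dict]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def match_indicators(records: List[dict], indicators: List[str]) -> Dict[str, List[dict]]:
    """Requests whose source address falls inside any indicator (single IP or CIDR)."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if any(addr in net for net in nets):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def detect_probing(records: List[dict], window: timedelta = timedelta(seconds=60),
                   threshold: int = 4) -> Set[str]:
    """Source addresses making >= threshold probe-like requests inside any window.

    A request counts as a probe if it returned 404 or asked for a path matching
    PROBE_RE.  This is behavioural, so it also catches scanners that are not on
    any indicator list yet.
    """
    times: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec["status"] == 404 or PROBE_RE.search(rec["path"]):
            times[rec["ip"]].append(rec["ts"])
    flagged: Set[str] = set()
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            # number of probes from this address in [ts[i], ts[i] + window]
            if sum(1 for t in ts[i:] if t - ts[i] <= window) >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    recs = load_records(LOG_LINES)
    for ip, hits in match_indicators(recs, INDICATORS).items():
        print(f"indicator match: {ip} ({len(hits)} requests)")
    for ip in detect_probing(recs):
        print(f"probing behaviour: {ip}")
```

The two checks deliberately disagree on the sample: the scanner is caught by its behaviour whether or not anyone sent you a list, while the single `curl` request from 198.51.100.77 looks harmless in isolation and is only interesting because the address is on the list. Running both, and keeping the raw logs long enough to re-run them when a list arrives months later, is what “reviewing all their logs” should mean in practice.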


Was the Harris County election system hacked?

Wouldn’t you like to know?

Despite widespread alarm over the breadth of Russian cyber attacks on state and local election systems last year, including revelations of Dallas County being targeted, Harris County officials are refusing to say whether hackers similarly took aim at the nation’s third-largest county.

Releasing information on whether Harris County election systems saw attacks from Russian hackers would threaten the county’s cyber security by emboldening hackers to further target local systems, county officials said this week.

The county’s argument was dismissed by experts, who said the secrecy is unnecessary, and could actually downplay the seriousness of the threat and the resources needed to combat it.

“There’s this concept in security called ‘security through obscurity,’ sort of, if they don’t know about it they won’t come after it,” said Pamela Smith, a consultant at Verified Voting, a San Francisco-based nonprofit that promotes voting integrity. “But to really have robust security, you want people to be able to know that it’s there … I think what the public wants to know is that you’re aware of the threat and you’re taking steps to mitigate.”

Bruce High, the chief information officer and executive director of the county’s Central Technology Services, said Harris County overall sees on average more than a million hack attempts every day. He even acknowledged a recent “spike” in attempts to hack Harris County servers from outside of America’s borders.

[…]

Dan Wallach, a Rice University computer science professor and scholar at the Baker Institute for Public Policy, who has testified before Congress about the cyber security threat to elections, said that to an advanced threat like Russia, there likely are no secrets about Harris County elections.

Asked if Harris County had been targeted in a similar manner as Dallas County, High said the county had not received a list of IP addresses from the Department of Homeland Security. He added that both the FBI and the Homeland Security department will flag Harris County when they have concerns about specific IP addresses.

High did not respond to questions seeking details on how often such concerns are brought up, how big of a “spike” in hacking attempts the county was experiencing and over what period of time, whether that spike was election-related or which systems had been targeted.

Wallach said he was concerned about the ability of many local jurisdictions, including Harris County, to protect against a targeted threat from an advanced adversary like Russia. He said he believed it was probable that Russia had at least targeted Harris County servers, but also that in many cases, attackers are so sophisticated that local officials would not even know that their systems had been breached.

“The category of adversary we’re facing now is not something that Harris County government is equipped to deal with,” Wallach said.

I work in IT security and had a few thoughts about this, but then I saw that Dan wrote this piece with a much deeper analysis than I had done, and I figured it was better to outsource this to him.

Computer security experts who deal with nation-state activities use the term “advanced persistent threats” (APT) as a shorthand to indicate that our adversaries have significant capabilities, including both engineering resources and spycraft, to quietly break into our computers, spread out across our networks, and avoid detection. It’s common for APT attacks to last for months to years prior to detection.

Given these threats, we need to conduct a serious analysis of where our elections stand. Harris County’s Hart InterCivic eSlate voting machines, for example, haven’t had any major security updates following studies conducted a decade ago by the states of California and Ohio. (I was part of the California effort.) In short, an attacker need only tamper with a single voting machine. After that, the infection can spread “virally” to every machine in the county.

Compounding the problem, all of our vote-tabulating systems are running Windows 2000, for which Microsoft dropped all software support, including security patches, seven years ago.

In the lead-up to the 2018 election, it may be financially infeasible for a complete replacement of our voting machines. We only just recently purchased our voting machines after a 2010 warehouse fire destroyed our original fleet of eSlate machines, so the funds aren’t likely to be available so soon for replacements.

What’s clearly necessary, since we know the Russians targeted voter registration systems, is a major upgrade to the way our voter registration systems are managed. A redesigned system would still, by necessity, require Internet connections so voters can verify their correct polling places, see sample ballots, and so forth. Most notably, during our early voting period, we need an online database to track which voters have cast ballots.

A modern design, intended to operate even if the entire Internet failed while the election was ongoing, would involve making local copies of the database at every voting center. Unsurprisingly, the needs of Harris County are essentially the same as the needs for every other county in our state, suggesting that a state-level procurement could be an efficient way to improve the voter registration security for every county’s voters.

Another short-term recommendation will be for Harris County to upgrade its systems to the latest versions of Microsoft’s operating systems, even though this will require a waiver from Texas’s election certification requirements. Even though our vote tabulation systems are hopefully never connected to the Internet, they are nonetheless unacceptably weak in the present threat environment.

Likewise, Harris County needs to hire a professional security “penetration testing” firm to identify other soft points in its infrastructure and prioritize repairs; such consultants need to be brought in on a regular basis for check-up exams. We also need forensic security auditors to do a deep dive into our county’s existing systems to make sure they’re as clean as we hope them to be. This isn’t just a matter of running some anti-virus scanner, since APT adversaries use tricks that automated scanners won’t detect.

There’s more, so go read the whole thing. At the very least, I hope we can all agree that any system that is still using Windows 2000 (!!!) needs to be upgraded or replaced. Dan (who as you know is a friend of mine) puts in a plug for the STAR-Vote system that he helped design, and it’s definitely something the county and the state should consider. I just hope we take this seriously before something bad happens.

UPDATE: Hector DeLeon, the Director of Communications and Voter Outreach for the County Clerk, has emailed me to say that the county tabulation system is running on Windows 7, not Windows 2000 as stated in Wallach’s op-ed. He says they have made this same correction to the Chronicle as well. My apologies for the confusion.

Maybe we should be a little more concerned about election security?

Just a thought.

Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

The scope and sophistication so concerned Obama administration officials that they took an unprecedented step — complaining directly to Moscow over a modern-day “red phone.” In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia’s role in election meddling and to warn that the attacks risked setting off a broader conflict.

The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts. But they also paint a worrisome picture for future elections: The newest portrayal of potentially deep vulnerabilities in the U.S.’s patchwork of voting technologies comes less than a week after former FBI Director James Comey warned Congress that Moscow isn’t done meddling.

“They’re coming after America,” Comey told the Senate Intelligence Committee investigating Russian interference in the election. “They will be back.”

[…]

One of the mysteries about the 2016 presidential election is why Russian intelligence, after gaining access to state and local systems, didn’t try to disrupt the vote. One possibility is that the American warning was effective. Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.

Such operations need not change votes to be effective. In fact, the Obama administration believed that the Russians were possibly preparing to delete voter registration information or slow vote tallying in order to undermine confidence in the election. That effort went far beyond the carefully timed release of private communications by individuals and parties.

One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks.

To put this another way, you don’t have to hack voting machines to wreak havoc on our elections. Simply undermining confidence in the process is enough. And unfortunately, Republicans like Mitch McConnell were not at all interested in any of this last year, so don’t hold out hope that they will want to take action about it for next time. There’s a lot of work to be done to fix this mess. Daily Kos and Charlie Pierce have more.

More about the hack of the Astros

Fascinating stuff.

A federal judge has unsealed details about former St. Louis Cardinals executive Chris Correa’s hacking of the Astros’ email and player evaluation databases, clearing the way for Major League Baseball to impose sanctions against the Cardinals as soon as this week.

Three documents entered into court records but made public by U.S. District Judge Lynn Hughes on Thursday reveal new information regarding Correa’s intrusions, for which the former Cardinals scouting director is serving a 46-month sentence in federal prison after pleading guilty in January 2016 to five counts of unauthorized access to a protected computer.

[…]

According to the documents, portions of which remained redacted, Correa intruded into the Astros’ “Ground Control” database 48 times and accessed the accounts of five Astros employees. For 2½ years, beginning in January 2012, Correa had unfettered access to the e-mail account of Sig Mejdal, the Astros’ director of decision sciences and a former Cardinals employee. Correa worked in St. Louis as an analyst under Mejdal, who came to Houston after the 2011 season with Astros general manager Jeff Luhnow, also a former Cardinals executive.

“(Correa) knew what projects the Astros’ analytics department was researching, what concepts were promising and what ideas to avoid,” said one of the documents, signed by Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. “He had access to everything that Sig Mejdal … read and wrote.”

Correa also attempted to gain access to the accounts of Bo Porter, the Astros’ manager in 2013-14, and pitching coach Brent Strom, and he used passwords belonging to Luhnow, Astros analyst Colin Wyers, and three Astros minor league players to gain access to the Astros system, the documents show.

A third document includes a subpoena from Correa’s attorney to obtain documents from the Astros, based on Correa’s statement that he was combing the files looking for information taken from the Cardinals. Hughes denied the request, which sought access to emails from Mejdal, Luhnow and former Astros assistant GM David Stearns and analyst Mike Fast regarding a variety of topics, including Cardinals minor league pitching coach Tim Leveque, Cardinals assistant general manager Mike Girsch and the Cardinals’ player information database, known as RedBirdDog.

See here and here for some background. The sanctions have since been imposed – the Cardinals will give their top two draft choices and two million bucks to the Astros as redress – but it’s the details of what Correa did that are so riveting. Deadspin, which was a key player in this as well, elaborates:

The sentencing document also points to a motive beyond the obviously useful scouting data: Correa was furious and envious of Mejdal’s acclaim in a June 25, 2014 Sports Illustrated cover story about the Astros’ embrace of analytics, with the cover predicting them as the winners of the 2017 World Series.

The account the feds lay out reads like a downright sinister revenge plot by Correa: On June 27, two days after the SI cover story, Correa attempted, unsuccessfully, to log into Mejdal’s, Luhnow’s, and Wyers’s Ground Control accounts. He then tried to log in via the accounts of Astros pitching coach Brent Strom and Astros manager Bo Porter. Thwarted but not deterred, he tried another tactic.

[…]

The same day, June 28, Deadspin was emailed a tip from a burner email service that linked “to a document on AnonBin, a now-dead service for anonymously uploading and hosting text files.” On June 30, Deadspin published the contents of the document, which detailed the Astros’ trade discussions between June 2013 and March 2014.

A year later, Deadspin deputy editor Barry Petchesky laid out the information we received, and why he believed we were the intended recipients. We had and have no additional information that indicates who the leaker was, and would not reveal the leaker’s identity if we knew it—as Petchesky later explained to an FBI investigator.

Regardless, the feds speculate that Correa himself emailed us the information.

Damn. I will watch the hell out of the eventual 30 for 30 documentary on this. The Press, Craig Calcaterra, and Jeff Sullivan, who thinks the Cardinals got off too lightly, have more.

Stan Stanart talks election security

I have a few thoughts as well.


Over the course of the presidential race, concern has grown about digitally safeguarding election results.

New cyber security threats seem to emerge monthly. Republican Donald Trump has repeatedly contended the presidential election will be “rigged.” And suspected Russian hackers have broken into computer systems of the Democratic Party.

“With so much news out there, people are concerned,” acknowledged Harris County’s top election official, Stan Stanart, at a news conference Thursday.

However, Stanart sought to reassure the public that all necessary defenses are up and there is no way Harris County’s election will be hacked or rigged, because it is not connected to the internet.

[…]

“Our elections are too important to leave them open to attack,” said Dan Wallach, a Rice University computer science professor who testified in September to Congress on election cyber security. “We need to do better.”

The most attractive part of an election system for a malicious attack, he said, is the voter database – in Harris County, it’s a list of nearly 2.2 million registered voters. If hackers successfully deleted it, chaos would ensue.

But the county database is kept offline, invulnerable from the outside. Even so, Stanart, the county clerk, said his office, the county tax assessor’s office, and the Texas secretary of state save a backup copy every day.

“There are many eyes and there are many triggers in the whole system that would notify us, and we would observe if there were any issues with any registrations being changed,” Stanart said. “I assure you there’s no problem there.”

Wallach agreed that the daily database backups provided excellent protection.

The fact that the voting machines are not connected to the Internet is a good thing. Dan Wallach (who is a friend of mine) has some criticism of the “secure network” setup for transferring the voting data from the individual memory cards to the central network, but I agree with him that this is an unlikely target for attack. The main vulnerability here is what it has always been, with the cards themselves and their handling. If a card becomes corrupted or lost before its contents can be uploaded, there’s no backup. This is why people like Wallach have been calling for paper receipts to be included. That problem, and the accompanying risk, cannot be solved with the current voting machines. I don’t know how big that risk is – in over a decade of using the eSlate machines, we have not had this problem, but the downside if it happens even once is enormous, and these machines are at the end of their lifecycle with no obvious path forward. But hey, maybe we’ll make it through another election.

As for the voter registration data, it’s really a question of the county’s network security overall. There are a lot of pieces to this, so I’ll just focus on the question of monitoring. As long as they monitor all changes to the voter registration file – what, when, by whom – and they have someone keeping an eye on that, then they’re probably OK.
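To make the what/when/by-whom monitoring concrete, here is an added example written for this post (not code from Harris County, the Secretary of State, or Wallach): every change to the registration file is appended to a hash-chained audit log, and a detector flags the patterns the articles above worry about, namely bulk deletions, edits by accounts that should not be editing, and edits outside working hours. The authorized-account list, the maintenance window, the thresholds, and the sample events are all constructed assumptions.

```python
"""Change monitoring for a voter-registration file (illustrative, constructed).

Each edit is recorded with what/when/by-whom, the log is hash-chained so
later tampering with the log itself is evident, and find_anomalies() returns
the items a human reviewer should look at."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of accounts permitted to edit registrations (constructed).
AUTHORIZED_EDITORS = {"clerk01", "clerk02", "tax_office_sync"}
# Assumed maintenance window: edits expected between 07:00 and 19:00 local time.
WINDOW_START, WINDOW_END = 7, 19
# More than this many deletions by one actor inside BURST_SPAN counts as a burst.
DELETE_BURST = 5
BURST_SPAN = timedelta(minutes=10)


def append_event(log, actor, action, voter_id, when):
    """Append one change, linking it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"actor": actor, "action": action, "voter_id": voter_id,
             "when": when.isoformat(), "prev": prev}
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(payload).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """True iff every entry hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def find_anomalies(log):
    """Return (kind, actor, detail) tuples for who/what/when patterns worth a look."""
    findings = []
    recent_deletes = defaultdict(list)   # actor -> timestamps of recent deletions
    burst_flagged = set()                # actors already reported for a burst
    for e in log:
        when = datetime.fromisoformat(e["when"])
        if e["actor"] not in AUTHORIZED_EDITORS:
            findings.append(("unauthorized_actor", e["actor"], e["voter_id"]))
        if not (WINDOW_START <= when.hour < WINDOW_END):
            findings.append(("outside_window", e["actor"], e["voter_id"]))
        if e["action"] == "delete":
            # Keep only deletions by this actor within the sliding window.
            times = [t for t in recent_deletes[e["actor"]] if when - t <= BURST_SPAN]
            times.append(when)
            recent_deletes[e["actor"]] = times
            if len(times) > DELETE_BURST and e["actor"] not in burst_flagged:
                burst_flagged.add(e["actor"])
                findings.append(("delete_burst", e["actor"], len(times)))
    return findings


def build_sample_log():
    """Constructed sample: routine daytime address updates by a clerk, then a
    night-time run of deletions by an account that is not an authorized editor."""
    log = []
    day = datetime(2016, 10, 20, 9, 0)
    for i in range(3):
        append_event(log, "clerk01", "update_address", f"V{1000 + i}", day + timedelta(minutes=i))
    night = datetime(2016, 10, 21, 2, 30)
    for i in range(8):
        append_event(log, "svc_backup", "delete", f"V{2000 + i}", night + timedelta(seconds=30 * i))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    for finding in find_anomalies(sample):
        print(finding)
```

The burst finding fires once per actor, on the deletion that first crosses the threshold, so a reviewer gets one alert rather than one per deleted record.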

So I tend to agree that at the very least there’s nothing new or unusual to worry about this year, and I appreciate Stanart making the effort to address that. We should always be vigilant, but let’s not lose perspective, and let’s not worry about things that aren’t worth worrying about. If only Stanart took that same approach to the far smaller risk of in-person vote fraud.

Astros hacker sentenced to 46 months

Away he goes.

Former St. Louis Cardinals executive Christopher Correa was sentenced Monday to 46 months in prison for illegal incursions into the Astros’ computer database, wrapping up a case of sports-related cybercrime that a federal judge and prosecutors summed up as plain, old-fashioned theft.

Correa, 35, will report within two to six weeks to begin his sentence imposed by U.S. District Judge Lynn Hughes, who accepted the government’s recommended sentence in the wake of Correa’s guilty plea in January to five counts of illegal access to a protected computer.

Now the case moves into the hands of Major League Baseball, where commissioner Rob Manfred will decide if the Cardinals will face sanctions because of Correa’s actions in 2013 and 2014.

Manfred also may be asked to consider a heretofore undisclosed element: that Correa intruded into the Astros’ system 60 times on 35 days, far more than the five reported cases to which he pleaded guilty, according to an Astros official.

[…]

U.S. Attorney Kenneth Magidson said he was pleased with the length of the sentence. Correa could have been sentenced to a maximum of five years in prison on each count, although prosecutors agreed in return for his guilty plea that sentences would be served concurrently.

“This is a serious federal crime,” Magidson said. “It involves computer crime, cybercrime. We in the U.S. Attorney’s office look to all crimes that are being committed by computers to gain an unfair advantage. … This is a very serious offense, and obviously the court saw it as well.”

Astros general counsel Giles Kibbe, who also attended the hearing, described Monday as a “sad day for baseball” and emphasized that the Astros were the victims of Correa’s unauthorized access into a computer database that included scouting reports and other information.

Referring to Correa’s statements in January, he added, “I don’t know what Mr. Correa saw in our system or what he thinks he saw in our system, but what I can tell you is that the Astros were not using Cardinals’ proprietary information.”

Kibbe, for the first time, also acknowledged that Correa’s intrusions into the Astros computer system were more frequent than the instances set out in the information to which he pleaded guilty – 60 intrusions over 35 days, he said, from March 2013 through June 2014.

He also said the Astros would rely on Major League Baseball to complete its investigation of the Cardinals, with the possibility of sanctions against the team.

“We have full faith in his actions,” he said, referring to MLB commissioner Manfred.

See here for the background. Correa had previously claimed to have found Cardinal information on the Astros’ system while he was hacking around. There could be some effect from that if there’s anything to it when MLB wraps up its investigation and imposes any sanctions on the Cards. In the meantime, I’d say this will serve as a pretty strong deterrent to any other baseball front office folks who may have been tempted to take an unsanctioned peek at what their rivals are doing. No one can say they haven’t been warned at this point.

Are driverless cars ready or not?

GM and Lyft think theirs are pretty close.


General Motors Co. and Lyft Inc. within a year will begin testing a fleet of self-driving Chevrolet Bolt electric taxis on public roads, a move central to the companies’ joint efforts to challenge Silicon Valley giants in the battle to reshape the auto industry.

The plan is being hatched a few months after GM invested $500 million in Lyft, a ride-hailing company whose services rival Uber Technologies Inc. The program will rely on technology being acquired as part of GM’s separate $1 billion planned purchase of San Francisco-based Cruise Automation Inc., a developer of autonomous-driving technology.

Details of the autonomous-taxi testing program are still being worked out, according to a Lyft executive, but it will include customers in a yet-to-be disclosed city. Customers will have the opportunity to opt in or out of the pilot when hailing a Lyft car from the company’s mobile app.

[…]

The new effort is directed mostly at challenging Alphabet and Uber. The Google self-driving car program has gained a sizable lead over conventional auto makers via testing in California and other states, and it received an additional boost this week through a minivan-supply agreement with Fiat Chrysler Automobiles NV. Uber, much bigger than Lyft, has its own self-driving research center in Pittsburgh and is preparing to usher autonomous vehicles in to its fleet by 2020.

I alluded to this yesterday. My reaction remains: Next year? Really? That’s pretty darned aggressive. It’s also pretty interesting considering that the people who are making driverless cars have been suggesting that we should maybe slow our roll a little.

Engineers, safety advocates and even automakers have a safety message for federal regulators eager to get self-driving cars on the road: slow down.

Fully self-driving cars may be the future of the automotive industry, but they aren’t yet up to the demands of real-world driving, several people told the National Highway Traffic Safety Administration during a public meeting Friday.

A slower, more deliberative approach may be needed instead of the agency’s rapid timetable for producing guidance for deploying the vehicles, according to an auto industry trade association.

[…]

A General Motors official recently told a Senate committee that the automaker expects to deploy self-driving cars within a few years through a partnership with the ride-sharing service Lyft. Google, a pioneer in the development of self-driving cars, is pushing Congress to give the NHTSA new powers to grant it special, expedited permission to sell cars without steering wheels or pedals.

But many of those who addressed the meeting, the first of two the agency has scheduled as it works on the guidelines, described a host of situations that self-driving cars still can’t handle:

—Poorly marked pavement, including parking lots and driveways, could foil the technology, which relies on clear lane markings.

—Bad weather can interfere with vehicle sensors.

—Self-driving cars can’t take directions from a policeman.

—Inconsistent traffic-control devices such as horizontal versus lateral traffic lights.

Until the technology has advanced beyond the point where ordinary conditions are problematic, “it is dangerous, impractical and a major threat to the public health, safety and welfare to deploy them,” said Mark Golden, executive director of the National Society of Professional Engineers.

There have been thousands of “disengagements” reported in road tests of self-driving cars in which the vehicles automatically turned control over to a human being, said John Simpson, privacy project director of Consumer Watchdog.

“Self-driving cars simply aren’t ready to safely manage too many routine traffic situations without human intervention,” he said.

There’s also the concern that driverless cars, which by definition will be connected to the Internet, will be vulnerable to malware. We’re not at a point where today’s cars can be successfully hijacked, as dramatized on a recent episode of Elementary, but it is something the industry is gaming out now. The larger point here is that our driverless car future may be farther off than we think. Or maybe it’s closer than we think. We’ll see how that taxi pilot goes.

One more thing:

Executives at Lyft and Uber have said one of the top hurdles to their success is navigating a patchwork of regulations that govern the use of autonomous vehicles and liabilities. In an effort to ease regulatory concerns, Lyft will start with autonomous cars that have drivers in the cockpit ready to intervene—but the driver is expected to eventually be obsolete.

“We will want to vet the autonomous tech between Cruise, GM and ourselves and slowly introduce this into markets,” Taggart Matthiesen, Lyft’s product director, said in an interview. That will “ensure that cities would have full understanding of what we are trying to do here.”

Well, at least we won’t be fighting about fingerprints any more. I shudder to think how much money will be dumped into those lobbying – and possibly electioneering – efforts.

Astros-hacker pleads out

One chapter closes in one of the stranger sagas I’ve seen in sports.

The former scouting director of the St. Louis Cardinals pleaded guilty in federal court Friday to hacking into the player database and email system of the Houston Astros in an unusual case of high-tech cheating involving two Major League Baseball clubs.

Chris Correa pleaded guilty to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. Correa, 35, was fired last summer and faces up to five years in prison on each charge when he is sentenced April 11.

“I accept responsibility in this case,” Correa told U.S. District Judge Lynn Hughes. “I trespassed repeatedly.”

“So you broke in their house?” Hughes asked Correa, referring to the Astros.

“It was stupid,” replied Correa, who is free on $20,000 bond.

U.S. Attorney Kenneth Magidson said the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros’ data to draft players.

“It has to do with the talent that was on the record that they were able to have access to, that they wouldn’t have otherwise had access to,” he told reporters. “They were watching what the Astros were doing.”

MLB could discipline the Cardinals, possibly with a fine or a loss of draft picks, but said only that it looked forward to getting details on the case from federal authorities. The Cardinals, whose chairman, Bill DeWitt Jr., had blamed the incident on “roguish behavior,” declined comment.

See here, here, and here for the background. Given that he pleaded out, I don’t expect Correa to get jail time, though perhaps a suspended sentence might be in the works. He’ll never work in baseball again, that’s for sure.

There’s still a lot more to this, however. As Craig Calcaterra notes, Correa claimed to have found Cards information on the Astros’ system when he was traipsing around in there.

That may not rise to a criminal level — there is no allegation Astros people hacked into the Cardinals’ system — but it could be relevant to Major League Baseball in a larger team-to-team information security matter. All of that depends on what Correa is saying he saw, which we do not know yet.

That aside, the level and the amount of information Correa got from the Astros is extraordinary. The defense some have offered — that he was merely checking to see if the Astros stole something — seems like a tiny part of this compared to what he accessed. And the argument I have heard from some people that, “hey, Correa was just walking in an unlocked door, so it’s not a big deal,” is not really true. He walked in, the Astros locked it, so then he broke into Jeff Luhnow’s office, as it were, and stole the keys so he could walk back in again. That is not just idle perusing. That is a concerted effort to carry out corporate espionage.

All of which is to say that this is far from over, especially from a baseball perspective. Correa performed his duties as Cardinals scouting director for over two years while in possession of extensive amounts of Astros’ confidential information. That benefitted him personally and, by extension, benefitted the Cardinals via the acts he took on their behalf with that information in his head. And that’s the case even if he was the sole person involved. If anyone else accessed Ground Control or was made privy to the information Correa obtained, it makes the Cardinals’ collective informational advantage all the greater.

Major League Baseball needs to find out what, if anything, the Astros have of the Cardinals, as Correa claims. They need to learn — as they may still learn given that the investigation and the case is not over — what law enforcement knows about anyone else’s involvement. There is still a long way to go. However, based on what is known at the moment, the data breach here was extensive and extraordinary and the Cardinals will likely be facing some stiff, stiff penalties as a result. Maybe financial penalties. Maybe draft pick penalties. Maybe some combination.

Either way, this case is way bigger than people thought it to be yesterday.

We’ll see what MLB does once they have all the information that the prosecutors gathered. Hair Balls and the Chron have more.

Cardinals identify a fall guy

The latest Hacked-Stros news.

The St. Louis Cardinals have terminated the contract of their scouting director, Chris Correa, as investigations continue into alleged hacking of a Houston Astros database.

A Cardinals’ lawyer, James G. Martin, confirmed the move Thursday, saying Correa already had been on an “imposed leave of absence.” Martin declined to comment on the reason. And he would not say whether any employee has admitted hacking the Astros, citing ongoing investigations by the club, Major League Baseball and the FBI.

Correa declined to comment.

In a prepared statement, Correa’s lawyer, Nicholas Williams, wrote: “Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefited from that roguish behavior?”

Giles Kibbe, the attorney for the Astros, reaffirmed an earlier denial that neither the Houston organization nor any previous Cardinals employees now with the Astros had taken anything proprietary from the Cardinals.

Astros general manager Jeff Luhnow, who as head of the Cardinals’ analytics department had helped build the database used here to evaluate players, has said that everything he and others did in Houston was accomplished “from scratch.”

“We stand by all of our previous comments,” Kibbe said. “We’re looking forward to the conclusion of the FBI’s investigation. I stand by all that Jeff has said on this matter.”

Correa has admitted hacking into a Houston database but only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation.

Correa did not leak any Astros data and is not responsible for additional hacks that the FBI has alleged occurred, said the source.

[…]

The source said that Correa’s involvement in the hacking began in 2013, in an attempt to determine whether Luhnow or any other former Cardinals employees took proprietary data to the Astros.

Correa’s suspicions were aroused in part by a résumé in which a job seeker claimed expertise that Correa believed could have come only from working with Cardinals data, the source said.

He used an old password from a former Cardinals employee working for the Astros to access the Houston database “a few” times but did not download data, the source said. The source claims Correa located some data on the website, but did not report it to his bosses because the information was outdated and unreliable without being redone.

The source said that others must have accessed Houston’s database if federal investigators’ claims about the number of hacking attempts are correct.

See here and here for the background. The counter-charges are interesting and I suppose could be a potential line of defense in the event this ever goes to a courtroom in some fashion. Whether it might mitigate any future punishment by MLB is another matter. The Chron story adds a bit more detail.

Giles Kibbe, the Astros’ general counsel, said in an e-mail, “We stand by all of our previous comments. We look forward to the FBI concluding their investigation.”

Major League Baseball, similarly, plans to await the conclusion of the FBI’s investigation, a person familiar with the league’s thinking said. A league spokesperson did not return a request for comment.

The FBI has not commented on details of its investigation but repeated a previously issued statement: “The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace.”

[…]

Washington D.C.-based attorney Peter Toren, who handles cases involving intellectual property and commercial litigation, said that were a civil case to be filed, the Cardinals might be able to allege as a counterclaim against the Astros that Astros personnel improperly used information obtained in their time as employees for the Cardinals that could be classified as a trade secret.

Major League Baseball forbids clubs from suing each other, instead directing disputes to the commissioner as arbitrator. He can then award the Astros damages.

Luhnow and director of decision sciences Sig Mejdal worked with the Cardinals before joining the Astros, for whom they launched a database called “Ground Control.” The Cardinals had their own database, called “Red Bird Dog.”

“Ground Control” includes statistics, player evaluations and, at least up until last spring, logs of trade negotiations. Those logs were posted online and widely viewed at the website Deadspin last June, prompting an FBI investigation.

As first reported by The New York Times and confirmed by the Chronicle, the Cardinals had a master list of passwords, and at least one of the Astros’ departed executives did not alter his password well enough upon departure.

While Astros amateur scouting director Mike Elias also worked with the Cardinals in St. Louis and came over to the Astros with Luhnow, a person familiar with the investigation said Elias’ log-in credentials were not at issue. It’s unclear whether the log-in information of both Luhnow and Mejdal, or just one of the two, was in some way utilized in accessing Astros information.

Luhnow told Sports Illustrated he knows “about password hygiene and best practices” but did not directly address whether both he and his employees followed those practices to the necessary extent. Luhnow has turned down repeated requests for comment.

“I’m very aware of intellectual property and the agreements I signed,” Luhnow told Sports Illustrated. “I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had.”

Regarding the use of information obtained while working for another employer, Toren said, “That scenario is probably the most common type of trade secret case. One employee moves jobs and takes information with him to a new job for his use. The question then is: Is the employee generally allowed to take with him general knowledge?”

Toren said courts have ruled that employees can use general knowledge and skills gained on one job when they move to their next employer. However, he said lines can become blurry over “the type of information that really belongs to the employer that goes beyond … and really is specific knowledge.”

I still say having a master list of passwords is a terrible idea, whether Luhnow and the others who jumped from the Cards to the Stros practiced good password hygiene or not. I can’t wait to see the FBI report. Craig Calcaterra, who is not impressed by Correa’s attorney’s claims, has more.

“Roguish behavior”

The Saint Louis Cardinals admit they hacked the Astros’ proprietary database.

Thursday’s tacit admission by St. Louis Cardinals owner Bill DeWitt Jr. that someone in his organization was involved in hacking the Astros continued a saga that holds the potential for more tawdriness once the FBI has completed its investigation and all the details are released.

The Chronicle on Thursday learned that the Cardinals had unauthorized access to Astros information as early as 2012, a year earlier than was previously known. DeWitt, meanwhile, acknowledged for the first time that his organization played a role in accessing proprietary information belonging to the Astros, blaming “roguish behavior.”

Meeting with reporters in St. Louis on Thursday along with Cardinals general manager John Mozeliak, DeWitt said his organization’s own investigation was still ongoing. He did not specify which employees were responsible, but he told club workers “we’ve all been tainted.”

“Those responsible will be held accountable,” DeWitt said, “and we will continue what we feel is a great franchise.”

The extent of the Cardinals’ reach inside the Astros’ organization isn’t fully known. But it was not limited to one or two occasions, a person familiar with the details of the investigation said. The source asked for anonymity because of the sensitive nature of the case. The Chronicle has previously confirmed two breaches into the Astros’ system – one in 2013 and one in March 2014. The FBI began its investigation after the 2014 breach.

[…]

DeWitt expressed confusion over the intrusions, which he said were limited to a handful of people. The Chronicle learned this week the list of suspects was down to four or five.

“We’re committed to getting this resolved, we hope sooner rather than later,” DeWitt said. “We’re a little bit at the government’s pace. We’re not in a position of pushing them, as you might imagine.”

DeWitt said he was shocked to learn of the scandal.

“I still don’t know the reason for it,” he said of the hacking. “I can’t come up with a reason for it. It goes against everything we stand for. We don’t know who did what here.”

See here for the background. The story suggests that the Astros could have a claim for compensation for their data loss. Let’s see how the FBI investigation goes first, and what if any action Commissioner Rob Manfred takes. I suspect we’re a long way from any resolution just yet.

In the meantime, I love the use of the word “roguish” to describe the actions by whoever did this. It reminds me of a song.

I hereby declare it the official theme song of this scandal, for its use of the word “roguish”. Hair Balls has more.

The Hacked-Stros

WTF?

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.

The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team. Illegal intrusions into companies’ networks have become commonplace, but they are generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics.

Major League Baseball “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database,” a spokesman for baseball’s commissioner, Rob Manfred, said in a written statement.

[…]

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

[…]

The intrusion did not appear to be sophisticated, the law enforcement officials said. When Mr. Luhnow was with the Cardinals, the organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.

Ground Control contained the Astros’ “collective baseball knowledge,” according to a Bloomberg Business article published last year. The program took a series of variables and “weights them according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches,” the article said.

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Emphasis mine. Allow me to put my IT security hat on for a moment: There should never be a “master list of passwords”, because a plaintext list of everyone’s credentials is one leak, one stolen laptop or one disgruntled coworker away from exposing every account on it. A system should store only salted hashes, which is exactly what a password-keeper app does for your own accounts; keep passwords in your head or in one of those, not in a spreadsheet. Two-factor authentication is a fine idea, too, since a password that somebody else knows is then not enough on its own. And for goodness’ sake, don’t reuse old passwords, especially if you know that someone else, such as a former employer, has a record of what those old passwords are. The weakest link in an enterprise system is very often an end user with bad security habits. Thus endeth the lesson. I can’t wait to see what Commissioner Manfred makes of this “Spygate” allegation. Hair Balls and ThinkProgress, from whom I got the embedded image, have more.
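To put the lesson in working form, here is an added example; it is not code from the original post and has nothing to do with either club’s actual systems. It shows what a credential store looks like when there is no plaintext “master list” to steal (only salted PBKDF2 hashes), how such a store can refuse a password the user has already used and disable an account at offboarding, and how a second factor (an RFC 6238 TOTP code) stops a password that a former employer happens to know from being sufficient by itself. The user name, passwords and TOTP secret are constructed for the illustration. One caveat the example makes visible: the new employer’s system cannot know what password you used at the old one, so reuse across employers is something only the user can avoid, and the second factor is what limits the damage when they don’t.

```python
"""Added example (not from the original post or from either ball club).

Demonstrates: salted password hashes instead of a plaintext list, rejection
of a reused password, account disablement at offboarding, and a TOTP second
factor. User names, passwords and the TOTP secret are constructed values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: raise to your own hardware budget in production


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per stored password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the RFC's reference variant)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CredentialStore:
    """Per-user current hash, a bounded history of old hashes, a TOTP secret
    and a disabled flag. No password is kept in recoverable form anywhere."""

    def __init__(self, history_depth: int = 5):
        self.current: dict[str, tuple[bytes, bytes]] = {}
        self.history: dict[str, list[tuple[bytes, bytes]]] = {}
        self.totp_secret: dict[str, bytes] = {}
        self.disabled: set[str] = set()
        self.depth = history_depth

    def enroll(self, user: str, password: str) -> bytes:
        secret = os.urandom(20)
        self.totp_secret[user] = secret
        self.set_password(user, password)
        return secret  # handed to the user's authenticator app once

    def set_password(self, user: str, new_password: str) -> bool:
        """Refuse a password equal to the current one or any in the history."""
        previous = [self.current[user]] if user in self.current else []
        previous += self.history.get(user, [])
        if any(password_matches(new_password, s, d) for s, d in previous):
            return False
        if user in self.current:
            self.history.setdefault(user, []).append(self.current[user])
            self.history[user] = self.history[user][-self.depth:]
        self.current[user] = hash_password(new_password)
        return True

    def offboard(self, user: str) -> None:
        """Revoke at departure: what the user still remembers no longer matters."""
        self.disabled.add(user)

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        if user in self.disabled or user not in self.current:
            return False
        salt, digest = self.current[user]
        ok_pw = password_matches(password, salt, digest)
        ok_code = hmac.compare_digest(code, totp(self.totp_secret[user], now))
        return ok_pw and ok_code


def demo() -> dict[str, bool]:
    """Walk the post's scenario with constructed values and return each outcome."""
    store = CredentialStore()
    old_employer_list = {"jdoe": "Redbird2011!"}   # the kind of list that should not exist
    secret = store.enroll("jdoe", "Redbird2011!")  # the user reuses that same password
    now = int(time.time())
    results: dict[str, bool] = {}
    # Anyone holding the plaintext list can satisfy the password check...
    results["reused_password_accepted"] = password_matches(
        old_employer_list["jdoe"], *store.current["jdoe"])
    # ...but cannot log in, because they do not hold the second factor.
    results["login_without_2fa"] = store.login("jdoe", "Redbird2011!", "", now)
    results["login_with_2fa"] = store.login("jdoe", "Redbird2011!", totp(secret, now), now)
    # Rotating to a new password is fine; rotating back to the old one is refused.
    results["rotate_ok"] = store.set_password("jdoe", "GroundControl2014#")
    results["reuse_rejected"] = not store.set_password("jdoe", "Redbird2011!")
    # Offboarding closes the account even with the right password and code.
    store.offboard("jdoe")
    results["login_after_offboard"] = store.login(
        "jdoe", "GroundControl2014#", totp(secret, now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The history check compares the candidate against stored hashes rather than against any stored plaintext, so even an administrator with full read access to the store cannot produce a list of passwords to try elsewhere; the history depth is bounded so old hashes are eventually discarded rather than accumulating forever.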

Hacking cars

You can add this to the list of things you didn’t know you needed to worry about.

Computer hackers can force some cars to unlock their doors and start their engines without a key by sending specially crafted messages to a car’s anti-theft system. They can also snoop at where you’ve been by tapping the car’s GPS system.

That is possible because car alarms, GPS systems and other devices are increasingly connected to cellular telephone networks and thus can receive commands through text messaging. That capability allows owners to change settings on devices remotely, but it also gives hackers a way in.

Researchers from iSEC Partners recently demonstrated such an attack on a Subaru Outback equipped with a vulnerable alarm system, which wasn’t identified. With a laptop perched on the hood, they sent the Subaru’s alarm system commands to unlock the doors and start the engine.

Sounds scary! But PC World puts it into context.

As the AP article goes on to explain, hackers need a specific phone number to break into an in-car security system. To get that number, they must run a certain kind of network administration program, which can probe for vulnerable security devices by make and model. Then, the thief must get close to the target vehicle and run a hacking tool to see if that car is using a vulnerable security system.

After all that effort, the car’s steering wheel may still be mechanically locked, preventing the hacker from driving away after breaking in. If someone really wants to steal a car, there are plenty of other methods that sound a lot easier. Besides, Bailey and Solnik are already working with the maker of the security system they hacked to plug the holes.

Keep in mind that this high-tech car hack is just a proof of concept, and it’s not the first. In March, researchers described using a Trojan horse on an audio CD to break a car’s defenses. To my knowledge, no car theft epidemic has resulted from either of these methods.

So don’t sweat it too much for now. Two things to add. One, not to get all tinfoil hatty on you, but if this capability exists, it’s the government that’s most likely to figure out how best to capitalize on it. Not because they want to steal your car, but because your car’s GPS can be hacked in similar fashion, and that information could be of interest to them. And two, since the story also mentioned the possibility of hackers messing with a car’s computer-controlled systems, such as the brakes, it’s just a matter of time before this becomes a key plot element in a mystery or thriller novel. As a fan of that genre, I like to keep abreast of the coming attractions.