UPDATE: MLB says there are safeguards in place for All-Star vote shenanigans

51 Comments

An update, via ESPN:

MLB makes a concerted effort to investigate votes that: 1. come from accounts created using email addresses that appear to have been tweaked in some way that too closely resemble another address; 2. multiple voting accounts that come from the same IP address; and 3. troubling patterns in voting that emerge during the reviews by a third-party company employed to chart All-Star Game balloting trends.

[Bob] Bowman [MLB President of Business and Media] said that process alone leads to about 20 percent of the votes that are cast online being eliminated every year. With that in mind, all the votes MLB has reported so far have been sanitized.

And then there’s this from Jeff Passan of Yahoo Sports:

More than 300 million votes have been accepted, according to the league, and the record of 390 million should fall sometime this week. Almost certainly a half-billion votes will be cast by the time balloting ends at 11:59 p.m. ET on July 2. And that doesn’t include the massive amounts of votes Bob Bowman, the CEO of MLB Advanced Media, said the league disallowed because of concerns over fake or improper voting.

“I’m not saying we bat 1.000,” Bowman said. “But it’s between 60 and 65 million votes that have been canceled. We don’t really trumpet it because if someone thinks they’re getting away with it, they’ll try to again.”

Thirty-five of those votes belonged to the email address of Yahoo Sports blogger Mike Osegueda, who received a verification email for ballots he didn’t cast. Alerted to his tweet about it, the league said the votes were taken away. Presumably, MLBAM tries the same with similar such ballots – Bowman said the 20 percent rate of killing ballots is consistent with previous seasons – keenly aware that in addition to civic pride, Kansas City packs a nice wallop of humor.

2:54 p.m. ET: In terms of importance the All-Star vote isn’t exactly Fort Knox of the CIA mainframe or the president’s nuclear launch codes. Indeed, in the grand scheme of things it’s somewhat less important than the Astros’ Ground Control system and somewhat more important than the survey Pizza Hut wants you to do after filling out an online order.

But boy oh boy, you think they’d have at least some sort of security on the thing. Nope. They don’t. From HookSlide at SB Nation’s Bless You Boys blog, who explains how he hacked the All-Star voting page to give him far, far more than the 35 votes Major League Baseball allows each email address:

To be fair, “hacked” really isn’t the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of Javascript, and a few minutes to play around, I was able to exploit MLB’s All-Star voting system quite easily.

The key to exploiting the system was realizing that—are you ready for this?—there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There’s no confirmation email sent with a “click here to verify” or “use this five-digit verification code” message, some way of ensuring that the email address you supplied in the voting process is actually yours.

As he notes, it’s highly doubtful Major League Baseball gives a flying frick about this because they’re getting what they want out of the system: lots of pageviews and user engagement on their voting page which has a corporate sponsor. Lots of people talking about the All-Star Game. Lots of votes — in sheer numbers — which allows them to talk about how excited everyone is about the Midsummer Classic. The All-Star Game is, from its sponsored votes to its sponsored events to its sponsored musical acts, is just a big circus to the league anymore, so there’s no sense in worrying about the voting process being a circus too.

Sure, there will be a ballgame in the middle of all of this and it’ll decide home field advantage in the World Series, but that Esurance doesn’t sell itself.

Ron Roenicke fired by Red Sox after one season

Mary Holt-USA TODAY Sports
Leave a comment

BOSTON — Red Sox manager Ron Roenicke will not return in 2021, the team said before its final game on Sunday, ending his tenure as a one-year, shotgun stopgap for a pandemic-shortened season with a last-place finish in the AL East.

Hired on the eve of spring training after Alex Cora was caught cheating during his time in Houston, Roenicke took over a roster that would soon shed 2018 AL MVP Mookie Betts and 2012 AL Cy Young winner David Price, who were traded to the Los Angeles Dodgers. Ace Chris Sale (Tommy John surgery) and Eduardo Rodriguez (COVID-19) never threw a pitch for the team this year.

Chief Baseball Officer Chaim Bloom also commended Roenicke for navigating the coronavirus shutdown and for holding the team together when racial protests interrupted the season.

“He did a tremendous job under really challenging and basically unprecedented circumstances,” said Bloom, who met with Roenicke in Atlanta on Sunday morning to give him the news.

“As you would expect, he handled it really well. Probably better than I did,” Bloom said on a Zoom call. “I think he is just an incredible human being.”

Sure to get attention as a possible successor: Cora, who led the Red Sox to a World Series championship in 2018, his first season as a major league manager. The team split with him less than a month before spring training after he was identified as the ringleader in the Houston sign-stealing scandal; Cora’s one-year suspension for that scandal ends after the World Series.

With Cora gone, the Red Sox promoted Roenicke from bench coach to interim manager. They removed the temporary tag in April, during the coronavirus shutdown, when Roenicke was cleared in the commissioner’s investigation into sign-stealing by the Red Sox during their championship season.

He was not given an extension on the one year he had remaining on the contract he had signed as a bench coach — fueling speculation that Cora could be welcomed back after serving his penalty.

The Red Sox dismissed such suggestions dismissed such suggestions at the time, but on Sunday Bloom refused to rule a return either in or out.

“I thought Ron deserved to be evaluated without anyone looking over his shoulder,” Bloom said, declining to comment further because “I don’t want to say anything about Alex that I haven’t said to Alex.”

Roenicke, 64, spent five years as the Brewers manager from 2010-15, winning 96 games and the NL Central title in his first season and finishing as runner-up for NL manager of the year. In all, he led Milwaukee to a 342-331 record in five seasons.

He was 23-36 with the Red Sox entering Sunday’s games. Bloom said he wanted to break the news to Roenicke before the end of the season.

“If Ron wanted the chance to look his players in the eye before we part ways … I didn’t want to take that from him,” Bloom said.

An infielder on Boston’s 2007 champions, Cora was mentioned 11 times in Commissioner Rob Manfred’s decision on the Astros, which said Cora developed the cheating system. Cora left Houston to become Boston’s manager after the 2017 season and led the Red Sox to a franchise-record 108 regular-season wins and the World Series title.

But fallout from the Astros investigation caused Cora and newly hired New York Mets manager Carlos Beltran to lose their jobs.