6. SNOOP DOGG DOES HIS LAUNDRY

On Sunday morning, February 20, 2005, hackers posted the data from Paris Hilton’s cell phone on GenMay.com (short for General Mayhem), a rowdy online forum that served as an internet meme incubator, much as 4chan continues to operate. In addition to the phone numbers of Paris’s friends, and her humiliating personal notes, the cache contained intimate photos of her topless.

Within hours, the stolen data migrated to illmob.org, a website started by the hacker Will Genovese (known as illwill), notorious for having stolen proprietary code for Microsoft Windows 2000 and Windows NT a year earlier. The next morning, hundreds of blogs picked up the story, either linking to illmob.org or copy-pasting the pictures directly. The U.S. Secret Service—the agency that protects high federal officials like the president, but also investigates cybercrime—shut these websites down as fast as they sprang up.

T-Mobile acknowledged that Paris Hilton was a customer and that the data posted came from her Sidekick II mobile phone. “Her information is on the internet,” said Bryan Zidar, head of media relations for T-Mobile, stating the obvious. Speculation ran rampant on who did it and how.

One possibility discussed was an “evil maid” attack. In an evil maid attack, someone who has physical access to a digital device compromises data manually. An evil maid (or a bald butler) could have taken Paris Hilton’s Sidekick and either entered her pass code or exploited one of the phone’s numerous security vulnerabilities (many of which were discussed in great detail on internet chat boards). While conceivable, there was no evidence that her cell phone had been out of her possession, or that a disgruntled employee or friend had compromised it.

The New York Times floated another theory: Paris Hilton’s phone was hacked via its Bluetooth connection, an attack called Bluesnarfing. Bluetooth is a wireless technology that allows communication between nearby devices using radio waves. Hackers could have intercepted the Bluetooth signal sent from Paris’s Sidekick II to hoover up her data.

To bolster its theory, the Times reported on the security firm Flexilis, which sent employees to Grauman’s Chinese Theatre on Oscar night. Using a laptop hidden in a backpack and running scanning software with a powerful antenna, they detected that “50 to 100 of the attendees had smart cellphones whose contents—like those of Ms. Hilton’s T-Mobile phone—could be electronically siphoned from their service providers’ central computers.” Paris Hilton was not present that night, but Flexilis employees were trying to make a point: hackers could have been at some other gathering where she was present and used similar equipment to steal her data.

The Bluesnarfing hypothesis was farfetched. Bluetooth is a relatively secure technology that is difficult to hack because its communications are encrypted. Even if someone did pick up her phone’s Bluetooth signal, the person would have captured information they could not decipher. The Times’s theory also had a bigger problem: the Sidekick II did not have Bluetooth technology.

Bryan Zidar suggested another possibility: the Sidekick II was part of a new generation of cell phones that stored data on remote servers—what we now call the cloud. Hackers could have infiltrated these servers through the very web that allowed legitimate users to access their data.

The simplest way to infiltrate these web portals would be by guessing passwords. Famous people have been known to choose extremely weak passwords. Barack Obama admitted that his password used to be password; until he was hacked in 2012, Mark Zuckerberg’s Twitter and Pinterest password was dadada; Kanye West’s pass code for his iPhone was 000000, which cameras picked up when he opened his iPhone in the Oval Office chatting with Donald Trump. On his blog Good Morning Silicon Valley, the journalist John Paczkowski wrote, “$5 and a Swarovski-encrusted dunce cap says [Paris’s] password was Tinkerbell,” the name of her favorite pet Chihuahua, whom she constantly carried around with her.

Even if Tinkerbell was not Paris Hilton’s password, hackers could have reset her password using that information. T-Mobile allowed users to reset their passwords using a security question. One of those questions was “What is your favorite pet?” If Hilton chose this question, then hackers could have guessed Tinkerbell and then reset her password. To reset the password, hackers would also have to know her phone number. Since Paris Hilton had many friends, hackers could easily have learned of her personal phone number from some mutual contact.

SQL Injection

Still, the leading theory in the security community was not that hackers had exploited information about Paris Hilton’s Chihuahua. T-Mobile’s entire customer base had been compromised the previous year by a twenty-one-year-old hacker named Nicholas Jacobsen. Using a so-called SQL injection, Jacobsen compromised the accounts of 16 million T-Mobile customers. One of those customers was Peter Cavicchia, a Secret Service cybercrime agent in New York who used a Sidekick. By capturing Cavicchia’s username and password, Jacobsen had access to a treasure trove of highly sensitive communications of the Secret Service and its ongoing criminal investigations.

To understand how an SQL injection works, and how it could have been used to hack Hilton’s data, let’s first talk about SQL. SQL stands for Structured Query Language. It is the main language used for database searches on the web. When you enter your username and password into a log-in page or search for a book on a website, you are most likely using SQL. SQL enables a web application to search through a database potentially housed on a remote server for an inputted term and deliver information associated with the term back to the client. Thus, if I input “Fancy Bear Goes Phishing” in the search bar on a book website, the web application using SQL will find the book’s web page and deliver its file to my browser.

To take a simple example, suppose Tom wants to retrieve his account information from www.example.com. He goes to example.com’s log-in page and enters his username. When Tom presses Enter, the browser sets the variable name to “Tom” and sends the variable to the example.com web server.

When the web server gets this data, it runs the following code:

$name = $_GET['name'];

$query = "SELECT * FROM users WHERE name = '$name'";

sql_query($query);

The first line of code assigns variable $name to “Tom.” The second line uses SQL to create the query it will send to its database. The query selects (SELECT) all of the information (*) from the user database (FROM users) associated with $name (WHERE name = ‘$name’)—in this case, “Tom.” The third line queries the database. The code inspects each record in the database to find Tom’s record. If it locates Tom’s record, it retrieves all of the information the record contains.

Instead of inputting his name, imagine Tom inputs Tom' OR 1='1. This statement looks like nonsense, but it has been specially crafted for SQL to cough up the entire contents of the database. Here’s how: When Tom enters his weird input, the following URL will be sent to the server: www.example.com?name=Tom' OR 1='1. The code will then assign the input to name. When the second line of code is executed, it will formulate the following query:

SELECT * FROM users WHERE name = 'Tom' OR 1='1';

When the third line uses this statement to query the database, it will inspect each record to see whether (a) the name is Tom or (b) 1 is 1. If either condition is true, the database will return all information in that record. Notice, however, that condition (b) is always true, because 1 is always equal to 1. Therefore, the database will return every record, and all of the associated information, in the entire database.

A hacker can retrieve all the information in a database by using an SQL injection. Instead of submitting data, the hacker injects code. In our example, Tom doesn’t submit his username: Tom (data); he injects a partial SQL query: Tom' OR 1='1 (code). The new snippet interacts with the original code to produce a result that the original coder had not intended.

SQL injections can be devastating. Jacobsen had used an SQL injection to gain access to the entire database of T-Mobile customers. But while dangerous and quite common, SQL injections are easy to prevent. Web application developers should “sanitize” inputs. Instead of accepting every input and plugging it into an SQL query, applications should check to see if the input looks like code. Any SQL code symbols (such as quotation marks, or logical operators like OR) should be rejected. A user cannot inject code if the application won’t accept code.

Unfortunately, T-Mobile’s website did not sanitize inputs. And because the application did not check for code, hackers could easily inject it. According to the security researcher Jack Koziol, there were “literally hundreds of injection vulnerabilities littered throughout the T-Mobile website.”
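The concatenated query from the log-in example, set beside a parameterized query, which keeps input as data no matter what characters it contains. This is an added example, not code from the book or from T-Mobile; it assumes Python's sqlite3 module, a constructed users table, and a variant of Tom's input with both sides of the comparison quoted.

```python
import sqlite3

# Constructed sample data; the table mirrors the page's "users" example.
SAMPLE_USERS = [
    ("Tom", "tom@example.com"),
    ("Alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),  # a legitimate name containing a quote
]

# Variant of the page's input with both sides quoted, so the comparison is
# true however the database compares a number with a string.
INJECTION = "Tom' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_concatenated(db, name):
    """Same shape as the page's code: the input is pasted into the SQL text."""
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """The SQL text is fixed; the input travels separately as a bound value."""
    return db.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both lookups and report row counts (None = query failed to parse)."""
    db = make_db()
    try:
        concatenated = len(lookup_concatenated(db, name))
    except sqlite3.OperationalError:
        concatenated = None
    return {
        "concatenated": concatenated,
        "parameterized": len(lookup_parameterized(db, name)),
    }


if __name__ == "__main__":
    for value in ("Tom", INJECTION, "O'Brien"):
        print(repr(value), compare(value))
```

The O'Brien row shows the cost of rejecting every quotation mark: a real customer's name breaks the concatenated query, while the parameterized one finds it.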

As the media was speculating about the wizards who had compromised Paris Hilton’s cell phone, the cybersecurity reporter for The Washington Post, Brian Krebs, received a series of texts from an unknown number. The sender claimed to be a sixteen-year-old boy, Cameron LaCroix. He also claimed responsibility for hacking Paris Hilton’s cell phone and described to Krebs how he did it. To verify his boasts, he sent Krebs screenshots of internal T-Mobile web pages normally inaccessible to the general public.

Cameron LaCroix had not hacked Paris Hilton’s cell phone. He had attacked the cloud. He compromised T-Mobile’s remote servers through a combination of social engineering—tricking employees to release private information—and exploiting vulnerabilities in the company’s website. It didn’t require anything fancy like an SQL injection. It wasn’t black magic. As we will see, it was child’s play.

The Invisible Code

Paris Whitney Hilton was born on February 17, 1981, to Kathy Hilton, a former actress, and Richard “Rick” Hilton, a businessman and grandson of Conrad Hilton, who founded the Hilton hotel chain. As a child, Paris moved frequently, living in Beverly Hills, the luxury resort community of the Hamptons on Long Island, New York, and a suite at the Waldorf Astoria hotel in New York City. She was friends with other well-heeled children, including Ivanka Trump, Kim Kardashian, and Paris’s costar in The Simple Life, Nicole Richie, daughter of the pop superstar Lionel Richie.

Though, growing up, Paris dreamed of becoming a veterinarian, she dropped out of high school and spent much of her time clubbing and partying. Her fashion style and sex appeal landed her frequently on Page Six, the gossip column of the New York Post tabloid. At age nineteen, she signed with T Management, Donald Trump’s modeling agency. In January 2000, she and her sister, Nicky, were profiled in Vanity Fair in an article entitled “Hip Hop Debs.” In the photo splash, Paris is shown standing with her sister outside a cheap motel in silver short shorts and a vest with only her long blond hair covering her bare chest. She is wearing a choker that spells rich. The breathless article announced Nicky and Paris’s coming out as the fourth generation of Hiltons, an all-American celebrity family. Like great-grandfather Conrad Hilton, who was routinely photographed with showgirls on his arm and was married to Zsa Zsa Gabor, and grandfather Nicky, who was married to and quickly divorced Elizabeth Taylor, Paris was rumored to be in a secret relationship with the actor Leonardo DiCaprio. The Hilton sisters were the new generation of “hip hop debutantes,” with an “insatiable desire for the spotlight.”

After Paris was anointed the new “it girl,” her career took off. The businessman George Maloof Jr. paid her to appear at the opening of the Palms Casino in Las Vegas wearing a dress made of $1 million in poker chips. She appeared in music videos, graced magazine covers, and even did a cameo in the 2001 comedy Zoolander as herself. Reflecting on her early career, the comedian Dave Chappelle noted, “Paris had a charisma back then that you couldn’t take your eyes off. She would giggle and laugh and be effervescent and take up a room.”

Paris’s big breakthrough came in 2003 with The Simple Life, a huge ratings triumph. Some attributed its success to the timing of the One Night in Paris sex tape, which dropped a few weeks before the show’s premiere. In truth, the show was just really good television. Both Paris and Nicole convincingly played out-of-touch ditzy blondes who have no idea how normal people live. “Walmart? What’s Walmart?” Paris asks a befuddled Arkansas family. “What do they sell, walls?” The Simple Life ran for three seasons but was canceled over a fight between the two stars, apparently because Nicole had shown Paris’s sex tape to a group of friends. The Simple Life was picked up two years later for another season but stopped in 2007, right before Paris Hilton went to jail for violating parole on the drunk-driving conviction she’d gotten speeding down Sunset Boulevard in her Bentley without a valid license.

Determined to conquer every form of media, she put out an album in 2006, entitled Paris, which hit no. 15 on the Billboard charts. She published a memoir, Confessions of an Heiress, which was a New York Times bestseller. She starred in several forgettable films, including House of Wax, for which she won a Teen Choice Award for best scream, but the Golden Raspberry for the Worst Supporting Actress. She licensed her name to the video game Paris Hilton’s Diamond Quest. Soon thereafter, she introduced new lines of hair extensions, footwear, dresses, coats, and perfume.

Paris was adamant that she achieved success on her own merits. “Everything I’ve done, I’ve bought this house on my own. I bought all my cars on my own. My parents haven’t given me any of this. I’ve done this all by myself.” This claim of rugged self-reliance and independence from an affluent socialite who grew up in the Waldorf Astoria highlights a notable feature of social upcode: it seems so natural that it is essentially invisible. The power of social upcode is that it doesn’t seem to be a form of code at all. Unlike downcode, which is explicitly written and executed by machines, upcode is usually not formulated or written down anywhere. Nevertheless, it affects what we believe, what we value, and how we act. It is hidden to us because we have internalized its demands. Its value system becomes our value system. The invisibility of social upcode is the source of its great power. If I don’t know that something is influencing my behavior, I won’t resist or even question it.

Yet, the inconspicuousness of social upcode is insidious because it misleads us about the agency we do or do not have over our lives. The privileged rarely reflect on how the invisible code entrenches their privilege—their education, health, relationships, language, and general outlook on life. Nor do they consider how social upcode compounds the disadvantages of the underprivileged.

Few are as lucky as Paris Hilton. And few are as unlucky as Cameron LaCroix.

Cameron LaCroix

Cameron was born in 1989 in New Bedford, Massachusetts. His parents separated when he was very young. His mother began dating drug-addicted men and became addicted herself. She died of an opioid overdose when he was five. Cameron grew up envying those with living mothers.

Cameron’s father took custody but had to work two jobs to support his family. Cameron was therefore responsible for taking care of his younger brother. He did all the cooking and cleaning, too. The pressure took its toll. When Cameron was in elementary school, he received treatment for depression, but it did not abate. Despite being smart, he had poor grades.

Cameron began hacking when he was ten. His first hacks were innocent enough. On AOL, a username could not be more than ten letters. Cameron figured out how to make his username sixteen letters. He also managed to make his username one letter: “A.” These mini-hacks increased his clout on the platform.

Cameron began to break into computer accounts when he was thirteen. He specialized in “mumble attacks,” which he learned from his AOL friend “egod.” In a mumble attack, the hacker calls a customer service representative asking for someone’s account information. When the representative asks a security question to authenticate the caller—such as a PIN—the hacker mumbles the response. Either the employee is satisfied with the gibberish and processes the hacker’s request or repeats the security question. The hacker then mutters the answer again. After several rounds, the employee gives up in frustration and processes the request anyway. In his version of the attack, Cameron would call up AOL customer service and ask representatives, who often worked from a call center in India or Mexico and had less training than their American counterparts, for a password reset. When asked for the last four numbers of his credit card number, Cameron would mumble them. The representatives usually reset the password.

Cameron also catfished an AOL employee. He pretended to be a teenage girl and engaged in flirtatious conversation. He also sent the representative phony photographs. The smitten employee provided him with confidential information that he used to compromise AOL accounts.

In March 2004, when he was fifteen, the FBI raided Cameron’s house and took his computer. “I always had the feeling that with the AOL [thing] I was eventually going to go to court,” he told Wired magazine. But the FBI did not press charges, presumably because he was a minor. Cameron simply bought another computer and, in his words, “kept going.” He took care to hack away from home to hide it from his family.

Cameron’s behavior soon became more dangerous. An internet friend from Florida challenged him to have the friend’s school closed down. In response, Cameron sent an email to the friend’s school with the subject line “this is URGENT!!!” The email read:

your all going to perish and flourish … you will all die

Tuesday, 12:00 p.m.

we’re going to have a “blast”

hahahahahaha wonder where I’ll be? youll all be destroyed. im sick of your [expletive deleted]

school and piece of [expletive deleted] staff, your all gonna [expletive deleted] die you pieces of crap!!!!

DIE MOTHER [expletive deleted] IM GONA BLOW ALL YOU UP AND MYSELF

ALL YOU NAZI LOVING MEXICAN FAGGOT BITCHES ARE DEAD

Closing for two days, the school called in the bomb squad, a canine team, the fire department, and emergency medical services. Cameron’s friend was impressed and delighted.

Cameron’s hacking became more daring as well. He teamed up with a group calling themselves the Defonic Team Screen Name Club, or DFNCTSC. These young men had cut their hacking teeth on AOL. “If there was a security breach [at AOL], we were all a part of [it] … That’s how we all started,” Cameron reported. “We all met up on AOL [while] breaking into their crap.” DFNCTSC hung out on digitalgangster.com, where they traded tips and war stories, much like the Bulgarian virus writers on Todorov’s vX.

Cameron described AOL as a “gateway drug” that emboldened him and his friends to engage in larger-scale intrusions. These hacks made them “feel invincible,” according to a DFNCTSC member, and they “weren’t worried about getting caught.” Their biggest attack was on LexisNexis, the giant legal and news database. DFNCTSC blasted out hundreds of email messages claiming to have images of child pornography attached. The attachments, however, were not images, but rather “keyloggers,” programs that record and transmit anything typed on the victim’s computer keyboard.

A police officer in Florida infected his computer with the keylogger by clicking on the attachment. Not long thereafter, the officer logged on to Accurint, a service provided by LexisNexis that compiles consumer data. The keylogger transmitted the officer’s log-in credentials back to DFNCTSC. Using these credentials, the group created a number of Accurint accounts under the name of the police department with its billing information. They then looked up thousands of names, including those of their friends, and actors such as Matt Damon and Ben Affleck (both celebrities who hailed from Cambridge, Massachusetts, but portrayed characters from South Boston). The group also stole the personal data—including the Social Security number, birth date, home address, and driver’s license number—of 310,000 people from Accurint’s database. “We didn’t use the info for bad reasons,” Cameron claimed. “It was to have the info and get kicks out of it.” However, it appears that some members of the group did sell the information to a ring of identity thieves in California.

Cameron, however, did not get Paris Hilton’s personal information from the LexisNexis database. He got it from television.

She’s Got Nudes

Snoop Dogg is standing by a laundry machine in his robe. Snapping open his Sidekick II, the rapper texts, “Hey Molly, when do I add the fabric softener?” Molly Shannon reads the text to her bowling partner, Jeffrey Tambor, who answers, “It depends on whether it’s a front- or side-loading machine.” Snoop texts the same question to Paris Hilton, who is waiting at the DMV. “Snoop does his own laundry,” she says to the old man next to her. “That’s hot.”

Hackers are information junkies. What may seem like an irrelevant factoid to us can be an invaluable tip-off to someone determined to compromise a computer account. For Cameron LaCroix, this Sidekick ad wasn’t just a goofy commercial—it was a clue.

Cameron, posing as a supervisor from corporate, called a T-Mobile store in a small Southern California coastal town: “This is [invented name] from T-Mobile headquarters in Washington. We heard that you’ve been having problems with your customer account tools.” The employee replied that everything appeared to be fine, though the system could sometimes be a bit slow. Cameron anticipated this response and said, “Yes, that’s what is described here in the report. We’re going to have to look into this for a quick second.”

“All right, what do you need?”

Cameron asked for the IP address of the website T-Mobile used to manage customer accounts and the manager’s username and password. The employee gave Cameron the security information over the phone.

Now that he had the password to T-Mobile’s main customer database, Cameron confirmed his hunch that Paris Hilton had an account with this cellular provider. And, bingo, he found Hilton’s personal number.

Unfortunately, Cameron has never publicly explained how he used Paris Hilton’s phone number to access her T-Mobile account. But a very likely explanation goes as follows:

Normally, when we request access to websites that contain confidential information, the web server requires that we establish our identity. This process is called authentication. On the web, users normally authenticate with passwords and have to do it only once. We remain authenticated because web pages provide browsers with “session tokens”: little electronic tickets that tell the web server to trust the user. These tokens are stored by our browsers after authentication and remain valid until the tokens expire (usually after an hour) or are renewed before then.

The DFNCTSC discovered that T-Mobile’s website was overly generous with session tokens. When a user claimed to have forgotten his or her password, the server asked for the username and phone number. But the user did not actually have to enter the username. As long as a valid phone number was entered and the username left blank, the T-Mobile server delivered a token authenticating the user for the account associated with that phone number.

Sometime in January 2005, Cameron logged on to T-Mobile and tried to reset Hilton’s password. He left the username blank, entered her correct phone number, and hit Enter. The website replied with an error message but still served up a session token, which he found in the web page source code (in most browsers, page source code can be found by hitting CTRL-U). Cameron copied the token and pasted it in the password reset page. Believing that the sixteen-year-old hacker from South Boston was a twenty-four-year-old socialite from Beverly Hills, the T-Mobile website allowed him to reset Paris’s password. With the new password, he had access to her personal information. That information—contacts, emails, photos, notes—was not on her phone. It was in the cloud, on T-Mobile’s web server, to which Cameron now had total access. “As soon as I went into her camera and saw nudes, my head went, ‘Jackpot,’” he told Brian Krebs. “I was like, ‘Holy **** dude … she’s got nudes. This ****’s gonna hit the press so ******* quick.’”
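The reset flow described above, modeled next to a corrected one, as an added example that is not T-Mobile's code or code from the book. The class, method names, phone number and account are hypothetical; the flawed handler reproduces only the behavior the text describes (a session token issued on a valid phone number, even alongside an error).

```python
import hmac
import secrets


class ResetPortal:
    """Toy model of a 'forgot password' flow; every name here is hypothetical."""

    def __init__(self, accounts):
        self.accounts = accounts  # phone number -> username
        self.sessions = {}        # session token -> username
        self.pending = {}         # phone number -> one-time code not yet proven
        self.outbox = []          # (phone, code) pairs "sent" to the phone on file

    def whoami(self, token):
        """Return the account a session token is trusted for, or None."""
        return self.sessions.get(token)

    def forgot_flawed(self, username, phone):
        """Flaw from the text: a session exists before the caller proves anything."""
        owner = self.accounts.get(phone)
        if owner is None:
            return {"error": "unknown number", "token": None}
        token = secrets.token_hex(16)
        self.sessions[token] = owner  # authenticated on the phone number alone
        if username != owner:
            # The page reports an error, yet the live token is still in it.
            return {"error": "username required", "token": token}
        return {"error": None, "token": token}

    def forgot_fixed(self, username, phone):
        """Username and phone only identify the account; no session is created."""
        owner = self.accounts.get(phone)
        matches = owner is not None and hmac.compare_digest(
            owner.encode(), username.encode())
        if matches:
            code = secrets.token_hex(4)
            self.pending[phone] = code
            self.outbox.append((phone, code))  # delivered out of band
        # Identical reply either way, so the page does not confirm valid numbers.
        return {"error": None, "token": None}

    def confirm_fixed(self, phone, code):
        """Issue a session only after the one-time code is presented."""
        expected = self.pending.pop(phone, None)  # single use, even on a miss
        if expected is None or not hmac.compare_digest(
                expected.encode(), code.encode()):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = self.accounts[phone]
        return token


if __name__ == "__main__":
    portal = ResetPortal({"5550100": "alice"})  # constructed account
    print("flawed:", portal.forgot_flawed("", "5550100"))
    print("fixed: ", portal.forgot_fixed("", "5550100"))
```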

Authentication

Like any good guard, an operating system requires users to identify themselves. The username prompt on a log-in page is the operating system’s way of saying, “Halt! Who goes there?” Once users identify themselves, the operating system will issue a “challenge”—a request for information that only the user should be able to provide. This additional information is known as a credential. Credentials are data used to prove that you are the person you claim to be. Providing credentials successfully meets the challenge and achieves authentication.

Passwords are the most common form of credential, but they are not the only kind. It is traditional to classify credentials according to three groups, called factors: (1) things you know; (2) things you own; and (3) things you are. Credentials that are things you know are answers to security questions such as “What’s the name of your favorite pet?” A cell phone running an app providing a code or a security key is something you own. Biometrics, such as fingerprints, facial recognition, or retinal scans, fall into the third group of factors, namely, things you are. “Multifactor authentication” requires credentials from more than one group, e.g., a password and a thumbprint.

A system’s security policies determine how many and what types of factors a user must provide to gain access to the system. Operating systems and applications enforce security policies: downcode implements upcode. But if the authentication downcode is buggy, it does not matter how many factors the user has to provide. The security policy will not be implemented.

In the Paris Hilton hack, the authentication downcode was broken. Indeed, it is hard to imagine downcode being more broken. Even if a person entered the wrong password, it still provided a session token. Which raises the question, Why was T-Mobile authentication downcode so buggy?

In Sync

When Paris Hilton’s Sidekick was hacked, T-Mobile was worried about the fallout. The company had spent an enormous sum of money marketing the phone not simply as a productivity device, but as a cool lifestyle gadget—one that could be used to store all of the user’s personal information. The Sidekick was the iPhone before the iPhone. T-Mobile had even produced television commercials starring Paris Hilton to appeal to the younger demographic. Now the compromise of her Sidekick II was threatening it all.

But the opposite happened. Gawker reported that sales of the Sidekick II skyrocketed. Many stores sold out. A British journalist drolly summed it up: “It’s a bit like hearing about the sinking of the Titanic, and then announcing that you’re buying a ticket on an ocean liner.”

One theory for the sudden popularity is the power of celebrity. People wanted a piece of Paris Hilton, even if that piece was broken. But there was another, more charitable interpretation: the hack publicized the Sidekick II’s bugs, but also many of its features. T-Mobile’s new device heralded the arrival of the mobile internet and the idea that consumers could access their data—contacts, emails, notes, pictures, and videos—24-7.

Though it may be hard for many of us to remember, there was a time when cell phones were just phones. If you couldn’t reach someone on their landline, you rang them on their Nokia or Motorola flip Razr. People could use their cell phones for texting, but only with the number pad, which was cumbersome (to text hi you had to hit “33” for h, wait, and then “333” for i). Corporate types used Motorola two-way pagers, which had a keyboard for fast communication, or the more expensive BlackBerry, which also had a keyboard and could send and receive emails. Personal data, such as calendars and notes, were stored in PDAs (personal digital assistants), such as the PalmPilot. The PalmPilot did not have a keyboard, so users had to learn a new way of writing with a stylus (known as Graffiti).

Danger, the company that developed the Sidekick, set out to change how people used their cell phones. The first model—which they called the Hiptop, because it was chunky and surprisingly heavy, and therefore designed to be worn on the hip—not only had a QWERTY keyboard, but also a large screen that slid out to reveal a keyboard that could pivot 180 degrees. The keyboard also contained a “D-pad,” a thumb-operated four-way directional control now found on all video game controllers, with a dedicated numbers row and jump button to switch between apps. The Hiptop came with a free email account, but you could use several email accounts at the same time. The email client was so sophisticated that it could display images and download attachments. It even supported a limited set of emojis, including the smiley face (the full set, unfortunately, was under copyright to Japan’s SoftBank). As for apps, the Hiptop came with a notepad, to-do list, address book, and calendar. It came loaded with a web browser, instant messaging for multiple platforms (AOL, Yahoo, and Microsoft), and, of course, texting.

The most revolutionary aspect of the Hiptop was that it was always connected. As soon as data was entered into the phone, it was backed up to the cloud. PalmPilots, by contrast, had to be manually synced to desktop computers (first using cables, later an infrared transmitter). Conversely, when new data hit a remote server, it was pushed down to the phone. New emails would arrive on the Sidekick as soon as the email server received them. If you had multiple devices, all of them would sync up as well.

The idea of one’s phone constantly in sync with one’s desktop was a huge leap. During a demonstration at the 2004 Consumer Electronics Show in Las Vegas, the Danger presenter asked someone in the audience to shout out a quote. He typed the quote into the Notes app. The presenter then put the phone on the ground and dropped a bowling ball on it. The presenter then took the SIM card out of the destroyed Hiptop and put it into a new one. After the presenter signed in, the quote appeared in the Notes app, fully restored. The audience erupted in applause.

To implement this data syncing, Danger first looked to FM radio to transmit and receive the information. But there weren’t enough FM radio stations to cover the necessary area. Danger found Sound Stream, a telecom company based in the northwestern United States that was using a new technology known as GPRS, short for “general packet radio service.” GPRS does for radio signals what TCP/IP does for internet communication: it chops up radio signals into packets, slaps addresses on them, directs them through various routers, and reassembles them at the destination. Danger contracted with Sound Stream to use their general packet radio service for the always-connected Hiptop. Soon after, Danger changed the name of their phone to Navi and then to Sidekick. Sound Stream changed its name to T-Mobile.

The Sidekick was a commercial success even before the Paris Hilton hack. It was extremely popular among young people and hip celebrities. Cell phones had gone from corporate to cool, as they appeared at award shows, in music videos, and on reality TV. Those able to afford the Sidekick personalized them with faux gems and sports stickers. They became high-tech jewelry and identity statements.

Cameron desperately wanted a Sidekick, so, despite its expense, his father bought him one for Christmas. The Sidekick was a lifeline. With its full keyboard and access to the internet, Cameron compensated for his loneliness at school with online connections. But when the FBI raided his house in March 2004, they confiscated the phone. He felt alone without it. To replace his Christmas present, Cameron bought himself, and four of his friends, new Sidekick IIs using stolen credit card information.

Cameron called the T-Mobile store in California after watching the Snoop Dogg commercial. T-Mobile promoted and sold the Sidekick to get customers onto its network. Cellular networks are Winner Take All systems, so the more subscribers that join, the more valuable a network becomes. But T-Mobile was not merely interested in getting subscribers for its network. Customers who used the Sidekick also used T-Mobile’s app store, awkwardly designated by a Download Fun icon on the screen. The Sidekick not only pushed data but provided code to download as well. Since T-Mobile kept customers’ credit card information, the Sidekick allowed one-click purchasing. The more code it pushed, the more valuable the platform became. Apps written for Sidekick worked only on the Sidekick’s operating system, known as Danger OS. The more apps written for Danger OS, the more valuable Danger OS became. Danger wanted to win the mobile operating system market.

T-Mobile’s websites were filled with buggy code because they were thrown together. The company was so desperate for customers that it didn’t fret over the security of its customers’ data. “It’s pretty amazing how poorly secured their Web properties are,” said Jack Koziol, who examined T-Mobile’s web code. “Most of these flaws are simple Web Security 101, stuff you’d learn about in the first few chapters of a basic book on how to secure Web applications.”

Like Microsoft before it, T-Mobile went overboard on the new-new thing. Cloud-based technology was proving extremely popular, and T-Mobile tried to get in on the action. The mad scramble to provide customers 24-7 access to their data in the cloud through websites led to shoddy code that even a teenager could exploit. T-Mobile could compete furiously without fear of liability for its recklessness. Like Microsoft, T-Mobile prioritized sales over security. And Paris Hilton paid the price.

The explanation of how Paris Hilton’s phone was hacked is, therefore, complex. Cameron LaCroix was able to breach T-Mobile’s web application not simply because the authentication downcode was glitchy. T-Mobile’s corporate upcode was glitchy as well. Because T-Mobile did not give adequate training to its store managers, a sixteen-year-old boy was able to get the password to its internal systems. And because the company was in such a rush to push out web applications for the Sidekick, testing was inadequate.

But T-Mobile’s corporate upcode was buggy because the legal upcode was buggy as well. By immunizing software companies from liability, the law gave companies like T-Mobile no incentive to fix their corporate policies. And by allowing an economy where the winner not only takes all, but can also use its market power to keep it, the law encouraged T-Mobile to gather as many subscribers as possible.

Cybersecurity failures are never just technical failures. They are always the result of systemic failures through the upcode stack. Organizational vulnerabilities beget technical vulnerabilities.

The sad story of Cameron LaCroix and Paris Hilton reveals another truth: cybersecurity is a human problem. It does not matter how secure your web application is if your customer service department falls for mumble attacks, or your branch manager hands over credentials to any caller claiming to be from corporate headquarters. And even the best downcode will be vulnerable if the attacker is dedicated and wily and has nothing left to lose.

“Paris, I’m Sorry”

In August 2005, Cameron was arrested and pled guilty to numerous crimes, including the Paris Hilton hack, the LexisNexis breach, and the fake bomb threats. He was sentenced to eleven months; since he was a minor, he served his sentence in juvenile detention at the Long Creek Youth Development Center in South Portland, Maine. Cameron was put on parole for two more years under the condition that he could not possess a computer during that time.

Unfortunately, Cameron’s parole was revoked shortly after his release for possession of a flash drive and the evidence of hacking that it contained. In January 2007, he was sent back to juvenile detention to serve the remainder of his sentence. The next year, he was arrested when police pulled over the car he and his cousin Corey were driving and discovered blank credit cards, a credit card machine, and several video game consoles. In the back seat, the police also found a vial of OxyContin, a razor, and a straw, presumably for snorting the opioid. Cameron pled guilty again to theft and credit card fraud and was sentenced to two years in prison.

Jail, however, did not have the desired effect. After he served his time, Cameron enrolled in Bristol Community College but hacked the computer accounts of three professors, changing his grades and those of two friends. In addition, he broke into the email account of New Bedford’s police chief and its police department to see whether he was under investigation. Last but not least, he stole the credit card information of fourteen thousand people.

Cameron also made several high-profile attacks. He hacked Burger King’s Twitter account and posted a tweet claiming that Burger King had sold itself to its rival, McDonald’s. He also changed the account’s name to McDonald’s, its logo to the Golden Arches, and bio to “Just got sold to McDonald’s because the whopper flopped =[FREDOM IS FAILURE.” Cameron also tweeted several raunchy messages, including “This is why we were sold to @McDonalds! All of our employees crush and sniff percocets =[@DFNCTSC” and “Try our new BK Bath Salt! Pure MDPV! Buy a Big Mac get a gram free!” Twitter suspended the account within minutes and restored control to Burger King. The next day, Cameron hacked Jeep’s Twitter account and claimed that it had been sold to Cadillac.

Cameron was arrested again and charged with numerous violations of the CFAA. He pled guilty to all of them. At his sentencing, Cameron expressed remorse: “My actions let a lot of people down.” Reading from a prepared statement, with his hands flailing, he told federal judge Mark Wolf, “I grew up as a person, I know in my head I shouldn’t be doing this.” The federal prosecutor, however, argued for a stiff sentence. Assistant U.S. Attorney Adam Bookbinder pointed out the indisputable truth: Cameron LaCroix had failed “to get the message … This is a person committing serious crimes.”

Cameron’s lawyer, Behzad Mirhashem, asked Judge Wolf for mercy. Mirhashem pointed out that Cameron had a difficult childhood, his mother died of a drug overdose when he was young, and he had a fragile relationship with his father. Mirhashem noted that Cameron had dropped out of high school and was suffering from depression and opioid addiction. Cameron was also cooperating with the FBI to help them catch hackers. Mirhashem also tried to explain why Cameron committed these crimes. “He was getting the rush from the discovery that he was capable of doing these things, but he is capable of so much more.”

Judge Wolf agreed that Cameron had great potential: “It took talent to commit the crime you committed; very few could do it.” Yet, the judge did not go easy on Cameron. “You obviously have a lot of talent, [but] you’ve misused it, you’ve abused it. Life is not a video game.” Judge Wolf observed that this was the third time Cameron had pled guilty to a federal judge. Cameron had clearly not learned his lesson. The judge sentenced Cameron to four years in federal prison and three years of supervised release without use of a computer or internet. Nevertheless, this was a shorter sentence than the Federal Sentencing Guidelines recommended, which was five years’ imprisonment. As a condition of this “downward departure,” Cameron agreed that if he violated his parole, he would accept the higher penalty suggested by the guidelines.

Cameron also went on the Today show. In a segment billed as a real-life Catch Me If You Can, Matt Lauer described the twenty-five-year-old Cameron LaCroix, from New Bedford, Massachusetts, as a “computer superhacker sharing his secrets in an exclusive interview.” The interviewer claimed that authorities regarded Cameron LaCroix as “one of the most sophisticated hackers they have ever seen,” which was either morning-news puffery or law-enforcement puffery. Cameron was skilled at compromising computer accounts, but his techniques were rather mundane—mumble attacks, phishing, catfishing, and session-token stealing. The reporter listed Cameron’s long rap sheet. “It was easy, too easy,” he tells the camera. And he did it all with just “a three-hundred-dollar Toshiba laptop from Best Buy.”

For the first time, the world got to see what Cameron LaCroix looked like. He was pretty much the opposite of Paris Hilton: not attractive or flashy, but plain looking and nondescript; not tall and skinny, but medium height and slightly stocky. His dirty-blond hair was worn in a buzz cut, and his square-framed glasses made him look like a typical nerd. On camera, he wore sneakers and jeans with a tan, untucked button-down shirt.

The interviewer asked Cameron how he hacked Paris Hilton’s phone. He responded, “It all started because I wanted a T-Mobile phone. Once I got in there, I realized that I had access to everyone’s stuff.” After Cameron said that he looked and found Paris Hilton’s information, the interviewer asked, “Why did you post it online?”

“Because I wanted to be known. I wanted to be famous.”

“Ever apologized to her?”

“No, but I would.”

The interviewer then gave him an opportunity to do so.

Cameron looked into the camera. “Paris, I’m sorry I put your information online. I shouldn’t have done it. I wouldn’t want it to have been done to me.”

At the end of the interview, the interviewer mentioned how Cameron wanted to turn his life around after prison and help large companies protect themselves from hackers. The Today show anchor Savannah Guthrie commented on how Cameron was the “guy in the bathrobe at the computer, I always wondered.” Matt Lauer concluded the segment by saying, “He might have to work on a more sincere apology. It didn’t exactly move me.” Everyone laughed.

Matt Lauer has since left the Today show after multiple allegations of sexual harassment. “To the people I have hurt, I am truly sorry,” he wrote in a public letter.


In 2018, I discovered that Cameron LaCroix had finished his sentence at the Federal Medical Center, Lexington, Kentucky. A quick web search indicated that he had been working for U-Haul in the Boston neighborhood of Roxbury since August. When I tried to contact him, however, it was too late: Cameron had been reincarcerated after U-Haul accused him of hacking its system, using stolen credentials to load funds onto prepaid credit cards, and withdrawing cash from ATMs. In September 2019, Judge Wolf revoked his parole and held Cameron to the promise made in the 2014 plea agreement. He would accept the highest sentence suggested by the Sentencing Guidelines—five years. Since he had already served three years, he had two more to go. He was sent back to federal prison.

When the COVID-19 pandemic hit the U.S. in March 2020, Attorney General Bill Barr announced a program to release prisoners who posed a minimal risk to the community. Cameron, however, was not eligible. Since he had phoned in a bomb threat to the Florida high school when he was fifteen, he was deemed violent and kept in a low-security prison (a higher level of security than a minimum-security one). He would remain incarcerated at the Federal Medical Center in Devens, Massachusetts, for another year.

After Cameron’s release on April 5, 2021, I managed to contact him on LinkedIn. He responded and we had two two-hour phone conversations. I found Cameron to be smart and charming. He was also very open about his past. He did not deny any of the crimes to which he’d pled guilty, and he also expressed remorse for his actions. (Cameron strongly denied the accusation that he violated the terms of his probation in 2018.) He now has a full-time job, a spouse, and a family, and he is enrolled in school. At age thirty-three, he struck me as someone who has matured and “aged out” of cybercrime.

Besides confirming many of the details of his life, I had two main questions. First, how did he hack Paris Hilton? Second, why did he repeatedly commit cybercrimes? His answers surprised me.

Cameron confirmed that he and his friends used the session token exploit described earlier to break into T-Mobile accounts. But he did not use that exploit on Paris Hilton. The hack was easier: When Cameron first tried to register his own Sidekick phone with T-Mobile, he noticed that T-Mobile did not send him a text code to the phone. Since he was using a Sidekick, T-Mobile trusted that he was a T-Mobile customer and opened an account for him without further authentication. The next step was Hacking 101: Cameron reconfigured the browser on his laptop to impersonate the Sidekick. Thinking that it was dealing directly with a Sidekick owner, T-Mobile’s web server did not require confirmation of the owner’s identity. When Cameron entered Paris Hilton’s phone number, T-Mobile let him into her account. He was shocked to discover that he had access to her private data.
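The flaw described above, shown beside its fix in an added sketch that is not from the book or from T-Mobile's code: a server that treats a client-declared device type as proof of identity, next to one that demands the text code sent to the phone. That the device was recognized by a `User-Agent` header is an assumption, and the function names, phone numbers, and account contents are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: the phone number and account contents are made up.
ACCOUNTS = {"555-0100": "notes and contacts for 555-0100"}
PENDING_CODES = {}  # phone number -> one-time code awaiting confirmation


def vulnerable_login(headers, phone_number):
    """Flawed pattern: a client-declared device type is treated as proof of identity."""
    # Assumption: the device is recognized by a request header. Every header is
    # chosen by the client, so this check says nothing about who is asking.
    if "Sidekick" in headers.get("User-Agent", ""):
        return ACCOUNTS.get(phone_number)
    return None


def send_code(phone_number, deliver):
    """Issue a one-time code and push it to the handset itself."""
    if phone_number not in ACCOUNTS:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone_number] = code
    deliver(phone_number, code)  # out of band: never returned in the web response
    return True


def hardened_login(headers, phone_number, submitted_code):
    """Grant access only to a caller who can read the code sent to that phone."""
    # The headers play no part in the access decision.
    expected = PENDING_CODES.pop(phone_number, None)  # single use, even on failure
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), str(submitted_code).encode()):
        return None
    return ACCOUNTS.get(phone_number)
```

Discarding the code after one wrong guess keeps a six-digit secret from being brute-forced; a real service would also limit how often new codes can be requested.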

As for the second question, Cameron did not try to justify his actions. He wished he had acted differently. But he explained to me how difficult it was to abide by the terms of his probation. When he was released from prison the first two times, he was forbidden from using a computer of any kind. The probation rules meant, for example, that he could not be a cashier because cash registers are computers. He could not own a cell phone. He could not use email at the local library. Cameron worked for two years as a dishwasher.

Being a young man without access to digital devices was nearly impossible. Cameron’s shyness and preference to socialize online compounded the problem. So he continued to use computers to contact his friends. One thing predictably led to another.

In August 2017, Cameron asked the court to grant him access to the internet at home. His motion cited the recent Supreme Court case of Packingham v. North Carolina, which struck down as unconstitutional the restrictions on sex offenders from accessing social media sites. In October, Cameron’s request was granted.

Cameron has been in the criminal justice system for half of his life. He will be done with parole in July 2023.