
Harvard Bomb Hoax Perpetrator Caught Despite Tor Use

Posted by Soulskill
from the do-not-pass-go dept.
Meshach writes "The FBI has caught the student who called in a bomb threat at Harvard University on December 16. The student used a temporary anonymous email account routed through Tor, but the FBI was able to trace it (PDF) because it originated from the Harvard wireless network. He could face as long as five years in prison, three years of supervised release and a $250,000 fine if convicted. He made the threat to get out of an exam."

  • by Cryacin (657549) on Wednesday December 18, 2013 @06:14AM (#45724109)
    Whenever you peel back the layers of an onion, someone is bound to cry.
  • by Anonymous Coward on Wednesday December 18, 2013 @06:24AM (#45724141)

    And therefore they'll put him in rehab rather than prison.

    Unless he's not affluent enough for his affluenza to be strong enough to cover this crime, after all, he called in a bomb threat, rather than killed four people in a drunk-driving incident.

  • by Anonymous Coward on Wednesday December 18, 2013 @06:27AM (#45724155)

    ...but because he was the only one on the whole campus wifi that used Tor that day.

    Lesson to learn: Keep your endpoint traffic able to be lost in the noise, or ya' stick out like a sunflower in a coal mine.

    I.E. SSH somewhere *THEN* Tor.

  • What an idiot. (Score:3, Insightful)

    by Anonymous Coward on Wednesday December 18, 2013 @06:28AM (#45724159)

    Really?! Smart man.

    Avoid exam?
    Bomb threat!

    Police arrive?
    Immediately confess!

    The evidence itself was completely circumstantial. Without a confession they surely had nothing.
    They had no way to prove anything other than:
    1. Guerilla Mail was accessed by Tor to send the e-mails.
    2. Kim is a Harvard student that recently accessed Tor.

    • Re: (Score:3, Insightful)

      by gnasher719 (869701)

      The evidence itself was completely circumstantial. Without a confession they surely had nothing.
      They had no way to prove anything other than:
      1. Guerilla Mail was accessed by Tor to send the e-mails.
      2. Kim is a Harvard student that recently accessed Tor.

      Enough to get a search warrant. So what do you think would a search warrant have shown? Fact is: If you did it, then there is evidence. And if the police thinks you did it, and the case is important enough to search very, very hard, they will find the evidence.

  • by WoTG (610710) on Wednesday December 18, 2013 @06:29AM (#45724169) Homepage Journal

    I read the PDF (shock).

    It sounds suspiciously like they just checked the logs to see who had visited Tor related websites and then went and interviewed the handful of people who happened to visit these sites within a few days. Maybe interview those who had exams in the 4 listed buildings at the designated time?

    Or, possibly, they just checked who had used Tor in the last few days on their network - can you ID a Tor packet by looking at it?

    It doesn't sound like they needed to crack Tor.

    • It doesn't sound like they needed to crack Tor.

      Of course, if the NSA has easy and simple ways of cracking Tor . . . they're not going to brag about it anyway:

      "Go ahead, keep using Tor . . . it's safe and we can't crack it . . ."

    • by Actually, I do RTFA (1058596) on Wednesday December 18, 2013 @07:57AM (#45724521)

      Or, possibly, they just checked who had used Tor in the last few days on their network - can you ID a Tor packet by looking at it?

      Depends on who the "you" is. The list of entry nodes is public knowledge. Telecoms/Government agencies probably keep historic lists of entry nodes. So it should be trivial to show a connection to the Tor network. The PDF implied (to me) that the FBI just cross-referenced Harvard's log with their list of entry nodes.

      To technically answer your question: Tor packets don't have a unique signature, but they all are of a known size.

      It doesn't sound like they needed to crack Tor.

      This is one of the best-known ways to deanonymize people using Tor: timestamping entering traffic and exiting traffic. Tor itself explains they have no theoretical way to fix that issue and still maintain a system that is low-latency (there may have been a third feature as well, where they got to pick-2-of-3).
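The cross-reference described in the comment above (a campus flow log checked against a list of Tor entry nodes, restricted to the hours before the e-mails arrived, which is how the affidavit quoted elsewhere in this thread words it) written out as an added example. This is illustrative code for this discussion, not the FBI's procedure and not any Harvard tooling; the relay IPs, the NetFlow-style records, the campus address range and the incident time are all constructed, and the small guard set stands in for the historical consensus snapshot a real investigation would need.

```python
# Added example for this thread (not the FBI's procedure or any Harvard tool):
# cross-reference campus flow records against a Tor guard-relay list and report
# which internal hosts reached a guard in the hours before an incident.
# Every IP, timestamp and flow record below is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for a Tor consensus snapshot (guard relay IPs). Assumption: a real
# investigation needs the consensus for the day in question, since the relay
# set churns daily; these addresses are fake (documentation ranges).
TOR_GUARDS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed NetFlow-style export: start time, src, dst, dst port, bytes.
# 10.20.0.0/16 stands in for the campus wireless range.
FLOW_LOG = """\
2013-12-16T05:10:12Z 10.20.4.15  203.0.113.10  443  184320
2013-12-16T05:41:03Z 10.20.4.15  203.0.113.10  443  72960
2013-12-16T06:02:55Z 10.20.9.201 93.184.216.34 443  5120
2013-12-16T07:15:40Z 10.20.4.15  198.51.100.7  9001 12800
2013-12-16T08:30:00Z 10.20.7.88  203.0.113.11  443  2560
2013-12-15T21:00:00Z 10.20.7.88  203.0.113.11  443  409600
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({
            "start": datetime.strptime(ts, TS_FMT),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def tor_guard_flows(flows, guards=TOR_GUARDS):
    """Keep only flows whose destination address is a known Tor guard relay."""
    return [f for f in flows if f["dst"] in guards]


def hosts_using_tor_before(flows, incident, window, guards=TOR_GUARDS):
    """Map src IP -> (flow count, total bytes) for hosts that reached a guard
    inside [incident - window, incident). A match shows only that the host
    used Tor in that window, not what it sent or who was at the keyboard."""
    lo = incident - window
    stats = defaultdict(lambda: [0, 0])
    for f in tor_guard_flows(flows, guards):
        if lo <= f["start"] < incident:
            stats[f["src"]][0] += 1
            stats[f["src"]][1] += f["bytes"]
    return {src: tuple(v) for src, v in stats.items()}


def rank_hosts(stats):
    """Order candidates by flow count, then bytes, most active first."""
    return sorted(stats.items(), key=lambda kv: (kv[1][0], kv[1][1]), reverse=True)


def suspects_for(flow_text, incident_iso, hours, guards=TOR_GUARDS):
    """Convenience wrapper: parse, filter, rank. Returns [(src, count, bytes), ...]."""
    incident = datetime.strptime(incident_iso, TS_FMT)
    stats = hosts_using_tor_before(parse_flows(flow_text), incident,
                                   timedelta(hours=hours), guards)
    return [(src, c, b) for src, (c, b) in rank_hosts(stats)]


if __name__ == "__main__":
    # Constructed incident time; the window is "the several hours leading up to" it.
    for src, count, nbytes in suspects_for(FLOW_LOG, "2013-12-16T08:30:00Z", 6):
        print(f"{src}: {count} flows to Tor guards, {nbytes} bytes")
```

Note what the output does and does not establish: a host that reached a guard relay inside the window used Tor then, and nothing more. The destination address alone is enough for this match, so the fixed cell size mentioned above is only needed when the relay list is incomplete or the traffic goes through a bridge. Widen the window and the candidate list grows, which is why the time bound and a consensus snapshot from the right day matter.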

  • by Ihlosi (895663) on Wednesday December 18, 2013 @06:34AM (#45724193)
    ... to use TOR, but then gave a full confession during an "interview", throwing his right to remain silent (and to have a lawyer present during questioning) out the window?
    • by SB9876 (723368) on Wednesday December 18, 2013 @06:45AM (#45724247)

      He called in a bomb threat to delay taking a final. This is a dude that has already shown that he has poor decision making skills.

      • by tlambert (566799) on Wednesday December 18, 2013 @08:43AM (#45724759)

        The linked article is confused... but Emerson Hall houses the philosophy department, so it was a philosophy final.

        Which is incredibly ironic, since those are generally a matter of opinion or history, which means he could likely have passed it in any case, given that he was a psychology major with a minor in Japanese, so it was kind of a pass/fail class for him anyway. I wonder if any of the news organizations have talked to Professor Gary King (Kim was his research assistant).

    • by gnasher719 (869701) on Wednesday December 18, 2013 @07:02AM (#45724311)

      ... to use TOR, but then gave a full confession during an "interview", throwing his right to remain silent (and to have a lawyer present during questioning) out the window?

      We can assume that someone who needs to avoid a test isn't the brightest spark. We can assume that someone who sends a bomb threat to avoid a test is reckless and stupid. We can assume that if someone who is reckless and stupid mails in a bomb threat, and his identity is discovered, then there _will_ be evidence. For example, they had easily enough to get a search warrant for his computer. What are the odds that there is evidence, like a draft of the email, on his computer? Remember: This is not an evil genius trying to disrupt US universities, it is a reckless idiot trying to get out of an exam.

      • We can assume that someone who needs to avoid a test isn't the brightest spark. We can assume that someone who sends a bomb threat to avoid a test is reckless and stupid. We can assume that if someone who is reckless and stupid mails in a bomb threat, and his identity is discovered, then there _will_ be evidence. For example, they had easily enough to get a search warrant for his computer. What are the odds that there is evidence, like a draft of the email, on his computer? Remember: This is not an evil genius trying to disrupt US universities, it is a reckless idiot trying to get out of an exam.

        Did you read a different warrant than I did? I saw *nothing* in the declaration that would count as probable cause for a search warrant, until it got to the part of "he admitted it to me". So most likely they did NOT have enough to get a warrant for his computer (the fact that he accessed TOR on that day wouldn't, by itself, be enough - he could have been using TOR for any number of reasons).

        You were dead on about him not being the sharpest knife in the drawer, though. What probably happened is that the

    • by Kijori (897770)

      I'm not sure that it's really that surprising that he confessed - most people who are convicted of crimes plead guilty.

      And that's not a ridiculous notion; if you did it and have been caught, pleading guilty can get you a pretty hefty discount on your sentence when compared to being convicted at trial. In particular, where, like here, the range of sentences is very wide, it might mean the certainty that you will not go to prison.

      • by Ihlosi (895663) on Wednesday December 18, 2013 @07:10AM (#45724357)
        I'm not sure that it's really that surprising that he confessed - most people who are convicted of crimes plead guilty.

        You plead guilty right before the trial would start, if anything.

        pleading guilty can get you a pretty hefty discount on your sentence

        And you waive that discount by confessing to a law enforcement officer during an "interview". Because in that case, the court has sufficient evidence to convict you regardless of your plea.

    • ... to use TOR, but then gave a full confession during an "interview", throwing his right to remain silent (and to have a lawyer present during questioning) out the window?

      Outside of pessimists, paranoiacs, and people whose job description involves the word 'uptime', it's normal for someone engaged in 'problem solving' to stop thinking as soon as they find a solution.

      In his case, he started thinking, came up with a multi-layer anonymity plan, and then apparently stopped. When it failed, he suddenly had FBI agents and no additional plan. (Also, basic script-kiddie attempts at hiding online and lying to experienced interrogators in person are two very, very, different skill

  • How did they do it? (Score:5, Informative)

    by it0 (567968) on Wednesday December 18, 2013 @06:34AM (#45724197)

    From the pdf

    "Harvard University was able to determine that, in the several hours leading up to the
    receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard's
    wireless network."

    So Harvard keeps track of your connections. Still circumstantial but he confessed.
    "KIM then stated that he authored the bomb threat e-mails described above."

    • by fuzzyfuzzyfungus (1223518) on Wednesday December 18, 2013 @07:02AM (#45724313) Journal
      All the campus networks I've seen remotely recently do some sort of access control, if only to avoid being a free wifi provider for every porn-torrent enthusiast in the neighborhood. Sometimes 802.11x, sometimes that bloody awful Cisco VPN monstrosity.

      What's more notable is that they apparently keep traffic logs for some amount of time, at least long enough to catch this guy, who knows how much longer?

      If you have a network of any nontrivial size, and want to keep it from falling in a screaming heap (especially with the lousiness of wireless links in the mix), taking steps to ensure that most of the users are the ones you are supposed to be providing service to, and doing some QoS to keep them from stepping on each others' toes is basically necessary. Keeping traffic logs, though, is an additional chunk of effort and expense, and all so that people will be motivated to come bug you for access to them. I wonder when they started keeping logs, and why.
      • by thoromyr (673646)

        logs are kept because you need them. I wouldn't expect it to be apparent to someone who has never had to manage a real network, but logs and a reasonable retention are essential. There is a basic tension at work, though. You need logs from a management perspective, the more the better, but the more you have the greater your liability.

        For something basic like netflow (which any sane network administrator is going to have) you might have months of data. Places will vary, and some insist they need years, other

  • by Chrisq (894406) on Wednesday December 18, 2013 @06:39AM (#45724219)

    He made the threat to get out of an exam.

    he won't have to worry about that any more

  • Harvard (Score:5, Insightful)

    by Thanshin (1188877) on Wednesday December 18, 2013 @06:42AM (#45724229)

    I expected more from a Harvard student.

    A couple of hours of online research should have taught him to, at least, connect through a cracked wifi far from his neighborhood. Or, if he was computer illiterate, to convince someone from another country to send the mails for him.

    Also, once he decided to avoid the exam in a way that could land him in prison, why use a method he didn't understand, instead of burning down the building or paying someone to send the teacher to the hospital?

    However, the first question I would ask him would be if he had considered that simply approaching the teacher and explaining to him that he and all his family would be killed unless the exam was postponed, carried a shorter jail time than a terrorist threat.

    In conclusion, clearly in Harvard they are not teaching how to deal with real world problems pragmatically.

    • Re:Harvard (Score:5, Insightful)

      by fuzzyfuzzyfungus (1223518) on Wednesday December 18, 2013 @06:54AM (#45724289) Journal
      The best Harvard students learn that you have no need to conceal your crimes if you can commit them from a position of enough influence to simply make them legal. That's where kiddo slipped up.
  • Kids these days... (Score:5, Insightful)

    by jcr (53032) <jcr@mac. c o m> on Wednesday December 18, 2013 @08:30AM (#45724689) Journal

    If he'd just called it in from a pay phone, they'd never have found him.

    -jcr

    • by ysth (1368415)

      What is this "pay phone" you mention?

    • by ArsenneLupin (766289) on Wednesday December 18, 2013 @09:04AM (#45724869)

      If he'd just called it in from a pay phone, they'd never have found him.

      In Luxembourg, a couple of students at the European School did exactly that a few years ago. They were caught pretty quickly, because, you know, payphones have cameras... ("officially" to catch vandalism, but these cams sure did come in handy in this case as well). So, cops just walked with the pix from classroom to classroom until they found the perps.

  • by goodmanj (234846) on Wednesday December 18, 2013 @08:49AM (#45724805)

    Remember the days when this story wouldn't even have made the local paper? Seriously, 25 years ago your average school saw one of these every few years. It headlined the school paper, the local cops investigated, but the FBI? National news? Heck no.

    Who needs terrorists when we now pay large corporations and government agencies to spread panic? Quit terrorizing the nation to protect your job security and let me know when something actually blows up.
