
Harvard Student Charged In Bomb Hoax - physicsistic
http://boston.cbslocal.com/2013/12/17/harvard-student-charged-in-bomb-hoax/
======
Torgo
[http://www.scribd.com/doc/192157170/Eldo-Kim-Complaint](http://www.scribd.com/doc/192157170/Eldo-Kim-Complaint)

It sounds like they determined from the email provider that the message came
from a Tor exit node, then from there they looked for who had made a
connection on Harvard campus to known Tor relays. He had, so they interviewed
him and he confessed to everything. I don't see any strong indication of a
weakness in Tor from this, but it's a bit concerning that you could be
interviewed for having used Tor at the same time as something like this. I run
a relay full-time, I don't know if this is better or worse for me.
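
The correlation described in the comment above, as an added example that is not part of the original thread or the complaint: campus flow records are matched against a list of known relay addresses in a window before the e-mail arrived. All records, user names, addresses and times are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed stand-ins for a public relay list (RFC 5737 documentation
# addresses, not real Tor relays).
KNOWN_RELAYS = {"198.51.100.7", "203.0.113.45"}

# Constructed campus flow records: (start time, authenticated user, dest IP).
FLOWS = [
    ("2024-01-15 03:02:00", "user_d", "203.0.113.45"),
    ("2024-01-15 08:05:12", "user_a", "192.0.2.10"),
    ("2024-01-15 08:21:40", "user_b", "198.51.100.7"),
    ("2024-01-15 08:27:10", "user_b", "203.0.113.45"),
    ("2024-01-15 08:29:03", "user_c", "192.0.2.55"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def shortlist(flows, relays, event_time, window):
    """Map each user to their flows to a known relay within `window`
    before `event_time` (the time the provider logged the message)."""
    earliest = event_time - window
    hits = {}
    for ts, user, dst in flows:
        t = parse(ts)
        if dst in relays and earliest <= t <= event_time:
            hits.setdefault(user, []).append((t, dst))
    return hits


def relay_users(flows, relays):
    """Everyone seen talking to a known relay at any time: the pool the
    shortlist is drawn from. The larger it is, the weaker the lead."""
    return {user for _, user, dst in flows if dst in relays}


if __name__ == "__main__":
    event = parse("2024-01-15 08:30:00")
    for user, seen in shortlist(FLOWS, KNOWN_RELAYS, event,
                                timedelta(minutes=30)).items():
        print(user, [(t.isoformat(), dst) for t, dst in seen])
    print("all relay users:", sorted(relay_users(FLOWS, KNOWN_RELAYS)))
```

The match shows only that a user's machine contacted a relay near the time of the message; it says nothing about what was sent through the circuit.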

~~~
throwaway_yy2Di
Serious question: why do people talk so highly of a security protocol which
even _Harvard students_ fail hard at actually using in real life? If people
who are the global 99.999th percentile of tech literacy lose their lives and
careers relying on this stuff, in what way is it a meaningful solution to
third-world victims of repressive governments?

I'm assuming at this point that thousands of Syrian, Egyptian, Iranian,
Chinese, etc. dissidents are dead from misplaced trust in Tor and other crypto
magic, and no one's the wiser.

~~~
toki5
The "failure" you mention here is his confession.

If all they had to go on was what's in the article -- that "the person who
used Guerilla Mail used Tor to access it" and "[Kim] used Tor around the same
time the e-mails were sent" -- that's not enough to charge him with a crime.

It's enough to go and talk to him about it, but if he had wanted to, he could
have protected his identity (but possibly prolonged the investigation,
depending on what other resources the agent had) by simply denying that he had
anything to do with it.

~~~
throwaway_yy2Di
Obviously the point at which a hostile government thinks you're a top suspect
and interrogates you is the _weakest_ link in the security chain. This guy had
it comparatively easy: his interrogators weren't torturing him to death.

~~~
anigbrowl
That's ridiculous. If police find a print of XYZ-brand shoes near a crime
scene and start keeping their eyes open for people who have XYZ shoes, they're
not trying to oppress people with a certain taste in footwear. There seems to
be a misconception that police need probable cause before they even ask
questions, which is nonsensical.

Edit for clarity: I don't think that following up obvious leads is evidence of
government hostility. After all, if Harvard called up law enforcement to
advise of a bomb threat and were told not to bother unless an explosion had
taken place, most people would consider that pretty remiss (especially given
Harvard's proximity to Boston).

~~~
mindslight
It's "hostile government" when analyzing the failure of Tor, because the tool
should have kept this kid off of the suspect list.

I'm guessing you don't even believe this to be a laudable goal, and that's
precisely why we need anonymity tools.

~~~
jbooth
Oh, for god's sake.

First off, don't put words in anigbrowl's mouth.

Second off, it's not government hostility to investigate a bomb hoax that
costs a lot of people money and inconveniences a ton of people. This guy
wasn't engaging in civil disobedience.

Third off, the dude could have just walked to any of the dozen coffee shops in
Harvard Square with free wifi and done this all in the clear, and been fine.
Tor cannot and will never prevent traffic analysis if you're dumb enough to
plug into the organization you're hoaxing's network. Tor created reasonable
doubt, that's all it could do in this case, as a matter of physical
limitations.

~~~
mindslight
What specific words did I put in his figurative mouth? anigbrowl took a
technical point about anonymity opsec and responded to it as if it were a
political plea about the police, and you're doing the same. So I'm guessing
that both you and him don't consider this a failure of Tor because you
consider the "right thing" to have happened in the larger situation.

As I had said, it's a "hostile government" _in the context_ of security
analysis. Sorry, there just isn't a technical distinction between this kid and
a dissident. To take a principled stand of saying dissidents should have the
means to communicate freely, you also have to assert that you'd like for this
kid to not get caught. Understandably this is a hard thing to do, given the
chaos it would cause (is causing) in the short term.

~~~
jbooth
Well, sorry, I read it like you were the one injecting politics about
'government hostility' into it, regardless of Tor or SSL, ssh keys or whatever
methods are involved. You seemed to be attributing motives to the previous
poster with comments about "maybe you prefer it that way" which seem to place
him on the side of surveilling fascists, and I thought that was unjustified
but maybe I misread it. If you're not getting political about it, then neither
am I, and sorry.

On a technical level... I don't see how Tor could have performed better here.
It's physically impossible for them to mask the fact that this guy connected,
through the Harvard network, to the Tor network. The rest of it is between the
police and the guy. If they had gotten proof that it was his specific machine
that sent the emails through some weakness in Tor, then I'd lay some blame
with Tor.

I disagree that I have to root for this kid not to get caught. Tor didn't fall
down, and I'm not rooting for Tor to fall down. He could have stonewalled the
cops, or he could have taken the most basic precaution on earth of not doing
it from his frickin dorm room, Tor or no

EDIT: Actually, maybe they'd be able to correlate his MAC address if they
subpoenaed whatever coffee shop the email came from. That's a much bigger
fishing expedition for "any coffee shop that connected to a Tor node that
day", though. But anyways, my point is that Tor can't be held responsible for
things it will physically never be able to mask.

~~~
mindslight
I'd just gotten done typing why it's impossible to convince most people this
stuff matters, and was responding to a comment that seems to be written with
the assumption that man-made laws are the ultimate authority. So I'll admit to
being a bit presumptuous, but I really do believe it to be a fact that most
people will never see the need for technically-granted anonymity, and that
these opinions simply aren't relevant when discussing such software.

Back to the technical, isn't this the point of Tor "bridges"? Of course these
don't work out of the box - they require finding out the address of one
out-of-band and manually configuring it. Wider casual adoption of Tor would have
also fixed the problem in this case (if the resulting Tor user list was too
long to question everybody).

The whole point is that ending up on a shortlist means you are essentially
caught. This kid may have gotten off by playing it cool. But translated into
the dissident scenario, it's still a loss.

Given the proliferation of surveillance cameras, the coffee shop scenario
becomes much harder. Assuming after-the-fact facial recognition is standard
these days, it would only work if there were enough other Harvard students
also on tape. Low latency is the mortal enemy of mix networks.

~~~
anigbrowl
I do appreciate the arguments about why anonymity matters. You might find it
interesting to consider the similarities of debates about services like the
penet remailer
([http://www.textfiles.com/hacking/INTERNET/na.txt](http://www.textfiles.com/hacking/INTERNET/na.txt)
and
[http://en.wikipedia.org/wiki/Penet_remailer](http://en.wikipedia.org/wiki/Penet_remailer)).

With time, I've come to the conclusion that the ability to (re-)create such
tools is more important than any individual instance of such a tool.

~~~
mindslight
I've come to the opposite conclusion. Adopted systems in continual use are
what is important. I could set up any number of service 'anonymizers' within a
day, but if an individual operator can even be short-term trusted, they
certainly can't be relied on. Only by getting an overwhelming number of
not-heavily-invested node operators can one bootstrap reliable trust.

I want to live in a world where the _routine_ use is anonymous, with nyms only
connected voluntarily. Of course people have to be smart enough to not post
'my name is XXX' in-band, but they shouldn't have to go to a distant coffee
shop. If privacy takes work, that means it's only accessible to the few
willing to put in that work, and will be viewed as an aberration by everyone
else. It's only by making it easily accessible to everyone that it can become
societally accepted.

------
rjbwork
Firstly, this dude made an incredibly stupid decision to even go through with
his plan to get some extra time on a test. Secondly, the way he actually went
about doing it was completely asinine. He did it from his own machine on the
school's network.

No matter the nature of your activity, if you're trying to obfuscate your
identity using systems like TOR and GuerillaMail, you probably shouldn't do it
on the network of the people you're attempting to hide your identity from...

------
jpwright
Why bother risking expulsion/FBI charges/a tainted professional reputation for
the rest of your life for more time on a test? Even if he succeeded, I doubt
anyone could pull something like that off and then focus on schoolwork for the
next day or two. Plus, <insert snarky comment about Harvard grade inflation
here>.

~~~
Crito
Stress can make people pretty irrational I guess.

I wonder if there is any sort of correlation between the prestige of a school
and how often someone calls in a threat or pulls a fire alarm. I had a fire
alarm go off while I was taking a final twice when I was in university. Seems
like it is probably a semi-frequent occurrence.

------
Aqueous
Looks like he succeeded in delaying his final exam, potentially for many years

------
Techskeptic
Did anyone really think this was anything other than a kid not wanting to take
a final? Seriously, this was happening at my high school. Ffs.

------
belluchan
Seems like all he had to do was say nothing and all they would have had on him
is access to Tor.

------
koenigdavidmj
Seems similar to how Jeremy Hammond was caught: they suspected that he was a
particular IRC user, and correlated his login/logout times with actual comings
and goings from his residence.

