
The bomb-hoaxing Harvard student was using Tor, but they caught him anyway - jpbutler
http://www.onthemedia.org/story/harvard-bomb-threat/
======
chimeracoder
Amusingly, the original FBI affidavit was posted yesterday with a similar
title, but it was changed to "FBI Affidavit in Harvard Bomb Hoax [pdf]".

The submitter of yesterday's post joked,

> I guess I should have written a paragraph's worth of inane blog spam to get
> my submission title used? I was trying to make this exact point in my
> original title. The title my submission was assigned is not the real title
> of the PDF either... seems very arbitrary.[0]

I completely understand the desire not to editorialize discussions. That said,
this is an interesting case study of how the title of the submission very
strongly affects the actual discussion that unfolds. After the title was
changed, more of the comments revolved around the actual bomb threat itself,
rather than the security benefits (and caveats) of Tor.

[0]
[https://news.ycombinator.com/item?id=6925289](https://news.ycombinator.com/item?id=6925289)

~~~
daughart
Thank you for pointing this out.

That was my first submission to HN and I was really surprised to see my
submission title changed, and you're correct that the title change directed
the conversation away from what I intended. I'm probably not going to start a
blog so that I can control the titles of my posts to HN, so I will probably be
dissuaded from submitting content in the future.

------
srl
It's worth remembering that security (here including the information security
involved in hiding identity) is not boolean. The value of the prize matters. A
penny (or a diary) hidden under a mattress can be considered "secure" - three
million dollars can't, especially when people know you have those three
million somewhere.

The first mistake this guy made was doing something that made the authorities
want to know who he was, and have a good excuse for expending enormous
resources (if necessary) to do that. Had he used TOR correctly, it would have
been harder for them, but it's very likely they would still have succeeded.

Plenty of people here are making comments that sound suspiciously like advice
for breaking the law. I realize that that's not actually the case -- lessons
taken from somebody who did something illegal and got caught can be perfectly
applicable to someone trying to do something legal, privately. We all should
be aware, though, that TOR and other privacy tools (and other non-privacy
tools, like bittorrent) have a reputation for being designed for criminals,
and it's not a good idea to seem to sympathize too strongly with people who
use TOR to send in bomb threats.

~~~
thatthatis
So what you're saying is "whether a particular method is secure or not depends
on the size of the penny"

~~~
danparsonson
Certainly - the real question should be 'secure against whom?'.

Any security can be broken given sufficient resources and motivation (e.g. if
you can't brute-force the crypto, you can brute-force the keyholder, etc.).

------
theboss
The very BEST slideshow about using Tor to stay anonymous. You'll see his
mistake in it.

[http://www.slideshare.net/grugq/opsec-for-hackers](http://www.slideshare.net/grugq/opsec-for-hackers)

~~~
majika
Non-SlideShare link:
[http://conference.hitb.org/hitbsecconf2012kul/materials/D1T3...](http://conference.hitb.org/hitbsecconf2012kul/materials/D1T3%20-%20The%20Grugq%20-%20OPSEC%20-%20Because%20jail%20is%20for%20wuftpd.pdf)

Video:
[https://www.youtube.com/watch?v=9XaYdCdwiWU](https://www.youtube.com/watch?v=9XaYdCdwiWU)

------
thoughtsimple
Fail a test, no big deal. Send a bomb hoax, ruin your life. Interesting
choice. I thought Harvard students were supposed to be smart not just
arrogant.

~~~
talmand
It produces smart and not-so-smart graduates just like any other school. There
are benefits of attending Harvard other than intelligence and education.

------
jstalin
Also keep in mind that, from my understanding, he was confronted with this
information and then admitted that it was him. This just reinforces the
rule... never talk to the police.

~~~
TheCraiggers
I suppose he could have claimed somebody else was using the computer he was
signed into because he left it unlocked while going to the bathroom or
whatever... but in this case, (assuming he is indeed guilty) then I'm fine
with it.

It's a dick move, and I'm fine with him being caught and punished.

~~~
smokeyj
Talking to cops is never good for you.

[http://www.youtube.com/watch?v=6wXkI4t7nuc](http://www.youtube.com/watch?v=6wXkI4t7nuc)

~~~
TheCraiggers
Yes, I've seen the video. My point wasn't that it was good for that guy, but
that it was good for _society_.

------
nmc
To be sure about _who knows what_ when you use TOR, there is this excellent
EFF article [1].

[1] [https://www.eff.org/pages/tor-and-https](https://www.eff.org/pages/tor-and-https)

~~~
telecuda
So then is LOCATION visible to the ISP before it hits the first Tor Relay
because the ISP knows the real IP Address of the user making the request?

~~~
nmc
TL;DR Yes.

The ISP knows that your IP is connecting to the IP of a TOR relay. (EDIT: the
ISP is technically renting the IP address to you, so they obviously know it.)

And the admin of your network knows it too, which is exactly why the guy got
caught.

------
gaoshan
It sounds like they merely looked for who had accessed a Tor network, not that
they could tell anything about the communication. Kind of like, "We know the
perpetrator entered the grounds through the east gate prior to 9:00am.
Security footage shows only 1 person doing that so go talk to him".

~~~
bwilliams18
That's exactly what happened–he then confessed under interrogation.

------
ck2
So basically idiotic "pranks" that would have been done in high school have
now moved to colleges costing tens of thousands a year?

You really have to have a shallow life experience to think a bomb threat to
get out of an exam is even remotely an okay idea.

~~~
jaynos
I'm sure the legal ramifications for him will be much greater than the moronic
"pranksters" who pulled stunts like this at my high school in the late '90s.

~~~
talmand
These days those legal ramifications can be quite severe even on the high
school level.

------
kmlymi
I think it's because he was the only one accessing TOR on a monitored network
during the specific time.

~~~
srl
Almost certainly.

I'm at a reasonably large (~15000 students on-campus), and a friend using TOR to
do ... something ... got caught not because he was the only one using TOR at
the time, but because he was the only one using TOR, ever -- it was just too
obvious.

~~~
talmand
How did they know the something was done by someone using TOR on their
network?

~~~
dijit
tor exit nodes are easy to identify, if they had the co-operation of site.com
then they'd not see the location, but they'd see the exit node.

~~~
talmand
I can understand that they can tell the attack was done through Tor; what I
don't understand is how they understood the attack originated on their own
network through Tor.

------
millzlane
They caught him because he was signed into the wifi network using his personal
credentials. Had he gone to a Starbucks or McDonalds we'd be having a
different discussion.

~~~
peter303
He would have been on surveillance video in both of those places

~~~
Robin_Message
However, his use of Tor would mean the authorities wouldn't know which
surveillance video to look at.

He was caught because they probably assumed the threat was an internal hoax,
checked the logs and found only one or a few internal users on Tor at the
right time, then got a police officer to ask each of them if they had done
anything wrong [1]. One confessed, and there you go.

Moral of the story: don't do illegal things, and if you do want to do illegal
things, have a cover story and don't admit things based on inferences from
investigators.

[1] In fact, they probably overrepresented the evidence and then left him to
talk himself into being convicted.
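The procedure these comments describe (nmc: the campus network sees your address connect to a relay; gaoshan and Robin_Message: narrow that to the users on Tor at the right time) in working form. This is an added example, not code from the thread and not Harvard's or the FBI's method; the relay list, the wifi authentication log, the flow records and their field names are all constructed for illustration, and a real investigation would use the published relay consensus for the date in question rather than a hand-written set.

```python
"""
Added example (constructed data): correlate a wifi authentication log with
flow records to find which users contacted known Tor relays around the time
an anonymous message was sent.
"""
from datetime import datetime, timedelta

# Constructed stand-in for a relay consensus snapshot (documentation-range IPs).
TOR_RELAYS = {
    "198.51.100.7",
    "203.0.113.42",
    "192.0.2.200",
}

# Constructed wifi auth log: which username held which address, and when.
# Field names (user=, ip=, event=) are an assumption, not a real product's format.
AUTH_LOG = """\
2013-12-16T07:55:10 user=alice ip=10.20.31.5 event=assoc
2013-12-16T08:02:44 user=bob ip=10.20.31.9 event=assoc
2013-12-16T08:10:03 user=carol ip=10.20.31.12 event=assoc
2013-12-16T09:30:00 user=bob ip=10.20.31.9 event=disassoc
"""

# Constructed NetFlow-style records: start time, source, destination:port.
FLOWS = """\
2013-12-16T08:05:11 10.20.31.5 -> 93.184.216.34:443
2013-12-16T08:31:20 10.20.31.9 -> 198.51.100.7:9001
2013-12-16T08:31:55 10.20.31.9 -> 203.0.113.42:443
2013-12-16T08:40:00 10.20.31.12 -> 93.184.216.34:443
2013-12-16T11:15:02 10.20.31.5 -> 192.0.2.200:9001
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def sessions(auth_log):
    """Turn assoc/disassoc events into (user, ip, start, end) sessions.

    A session with no disassoc event is still open and ends at datetime.max.
    """
    open_sessions = {}  # ip -> (user, start)
    result = []
    for line in auth_log.splitlines():
        ts, user, ip, event = (field.split("=", 1)[-1] for field in line.split())
        when = parse_time(ts)
        if event == "assoc":
            open_sessions[ip] = (user, when)
        elif event == "disassoc" and ip in open_sessions:
            owner, start = open_sessions.pop(ip)
            result.append((owner, ip, start, when))
    for ip, (owner, start) in open_sessions.items():
        result.append((owner, ip, start, datetime.max))
    return result


def flows(flow_log):
    """Yield (time, src_ip, dst_ip, dst_port) from the constructed flow lines."""
    for line in flow_log.splitlines():
        ts, src, _arrow, dst = line.split()
        dst_ip, dport = dst.rsplit(":", 1)
        yield parse_time(ts), src, dst_ip, int(dport)


def owner_of(ip, when, sess):
    """Which user held this address at this moment, per the auth log."""
    for user, sip, start, end in sess:
        if sip == ip and start <= when <= end:
            return user
    return None


def tor_users(auth_log, flow_log, relays, sent_at, window):
    """Users whose device contacted a known relay within +/- window of sent_at.

    Matching is on destination address only: the network never sees what went
    through the circuit, just that a circuit to a relay was opened.
    """
    sess = sessions(auth_log)
    lo, hi = sent_at - window, sent_at + window
    hits = set()
    for when, src, dst, _dport in flows(flow_log):
        if dst in relays and lo <= when <= hi:
            user = owner_of(src, when, sess)
            if user:
                hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    sent = parse_time("2013-12-16T08:30:00")  # constructed send time
    print("within 15 minutes:", tor_users(AUTH_LOG, FLOWS, TOR_RELAYS, sent, timedelta(minutes=15)))
    print("within 12 hours:  ", tor_users(AUTH_LOG, FLOWS, TOR_RELAYS, sent, timedelta(hours=12)))
```

With a fifteen-minute window the constructed data yields a single candidate; widening the window to the whole day pulls in everyone who touched a relay that day, which is the trade-off raised later in the thread about delaying the message: a delay makes the window larger, but on a network with only a handful of Tor users the candidate list stays short enough to question each of them.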

------
danso
Back when the whole Snowden/NSA thing blew up, people talked about switching to
TOR all the time to keep safe. The problem is, you kind of have to be
disciplined and commit to it...and _even if that's the case_, you might be
exposed by uncontrollable environmental variables. The apparent problem in
this case was that the student was using Tor at the time of the incident...and
I'm assuming he was one of the very few to have been using Tor at that time,
and he didn't use it _all_ the time...which makes his Tor usage at the time of
the email stick out.

Obviously, he should've just not done it from Harvard's network (and
obviously, he shouldn't have done it at all)...but I think it's a good lesson
when teaching others about security...know the conceptual limits of the black
box you choose to use.

------
guelo
It's been a while since I was in the network security and monitoring world so
I'm wondering what this monitoring software looks like. It sounds like it has
the capability to keep a historical log of the type of traffic associated with
each wifi-authenticated user. How detailed is the traffic analysis? How is the
data recorded and for how long?

------
crb002
So if Guerilla Mail had a cron option to buffer mail and avoid temporal
correlation he would have walked?

~~~
guan
It depends on how many Tor users there are on the Harvard wireless network. If
he was the only person using Tor that year, or one of only a few dozen that
could all be questioned, maybe not.

~~~
Kequc
So if you use Tor there is a certain expectation to be questioned sooner or
later.

------
njharman
Easy to forget "Anonymous" strongly does not equal "Untraceable".

------
Theodores
He would have had better luck cutting letters out of a newspaper, sticking
them to a page and popping it in the post.

However that is not without its hazards. He would need to evade CCTV and make
sure he did not take his cell phone with him to the post box. The stationery
he used would also have to be untraceable, so a stack of identical envelopes
at home would not be ideal. He would also need an alibi lest any neighbours
end up wondering why he was posting letters at 4 a.m.

~~~
massysett
> He would have had better luck cutting letters out of a newspaper, sticking
> them to a page and popping it in the post.

That would have required advance planning; seems he did this on impulse or, at
least, not far enough ahead of time to use the mail.

------
sp332
I think I just decided to use TOR as often as possible.

~~~
RankingMember
Get ready to experience the internet at 56kbps again.

~~~
badman_ting
Also, every Tor/onionweb/darknet/whatever site is around for approximately 53
minutes, and all the link pages were written at least 54 minutes ago.

------
fab13n
There's always an official good reason why some Tor user gets busted by the
Feds, and it's never that Tor itself is pwned. It reminds me of Brits trying
not to show that they pwned Enigma during WWII.

If I needed to be shielded from the Feds, and I depended on Tor for this, I'd
feel increasingly nervous.

------
RankingMember
"Kim told the FBI he trying to avoid taking a final exam."

~~~
herbig
you found a typo

------
methodin
As an aside, do we think that as online courses become ever more prevalent
that we will see an equivalent of this in the form of DOS attacks?

------
joshguthrie
The weakest link is always the end-user.

