Slashdot Mirror
Harvard Bomb Hoax Perpetrator Caught Despite Tor Use
Meshach writes "The FBI has caught the student who called in a bomb threat at Harvard University on December 16. The student used a temporary anonymous email account routed through Tor, but the FBI was able to trace it (PDF) because it originated from the Harvard wireless network. He could face as long as five years in prison, three years of supervised release and a $250,000 fine if convicted. He made the threat to get out of an exam."
Whenever you peel back the layers of an onion, someone is bound to cry.
Science advances one funeral at a time- Max Planck
We can either live in a future where little jackwagons can effect a denial-of-service attack on society, or
we can spank the crap out of the idiots so that this kind of noise is minimized. Same goes for rape/hate crime hoaxes.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
And therefore they'll put him in rehab rather than prison.
Unless he's not affluent enough for his affluenza to be strong enough to cover this crime, after all, he called in a bomb threat, rather than killed four people in a drunk-driving incident.
Not neccessarily. His access to Tor via the campus wifi matched the timing of the emails enough to get him in a room, and then he confessed. Without the confession there'd be a lot less certainty of conviction, as the presumption of innocence would probably compel a jury, in the absence of any other compelling evidence, to find him not guilty.
Moral of the story: Don't talk to cops.
(also, don't make false bomb threats. They're stupid)
...but because he was the only one on the whole campus wifi that used Tor that day.
Lesson to learn: Keep your endpoint traffic able to be lost in the noise, or ya' stick out like a sunflower in a coal mine.
I.E. SSH somewhere *THEN* Tor.
Really?! Smart man.
Avoid exam?
Bomb threat!
Police arrive?
Immediately confess!
The evidence itself was completely circumstantial. Without a confession they surely had nothing.
They had no way to prove anything other than:
1. Guerilla Mail was accessed by Tor to send the e-mails.
2. Kim is a Harvard student that recently accessed Tor.
I read the PDF (shock).
It sounds suspiciously like they just checked the logs to see who had visited Tor related websites and then went and interviewed the handful of people who happened to visit these sites within a few days. Maybe interview those who had exams in the 4 listed buildings at the designated time?
Or, possibly, they just checked who had used Tor in the last few days on their network - can you ID a Tor packet by looking at it?
It doesn't sound like they needed to crack Tor.
In our next lesson we will learn delayed email deliver functionality. Stay tuned!
Love many, trust a few, do harm to none.
" as the presumption of innocence would probably compel a jury, in the absence of any other compelling evidence, to find him not guilty."
LOL, you believe too much what the tv tells you.
also, don't make false bomb threats. They're stupid
Don't make real ones either. They're even stupider.
... to use TOR, but then gave a full confession during an "interview", throwing his right to remain silent (and to have a lawyer present during questioning) out the window?
From the pdf
"Harvard University was able to determine that, in the several hours leading up to the
receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvardâ(TM)s
wireless network."
So Harvard keeps track of your connections. Still circumstancial but he confessed.
"KIM then stated that he authored the bomb threat e-mails described above."
It doesn't much help his case that circumstantial evidence pointed everyone more or less immediately at the Harvard campus, and thus at the first layer of the 'onion'. Tor is only minimally better (if at all) then straight SSL/TLS if the operator of hop #1 has strong reasons to be suspicious of Tor traffic within a set time period.
He made the threat to get out of an exam.
he won't have to worry about that any more
I expected more from a Harvard student.
A couple of hours of online research should have taught him to, at least, connect through a cracked wifi far from his neighborhood. Or, if he was computer illiterate, to convince someone from another country to send the mails for him.
Also, once he decided to avoid the exam in a way that could land him in prison, why use a method he didn't understand, instead of burning down the building or paying someone to send the teacher to the hospital?
However, the first question I would ask him would be if he had considered that simply approaching the teacher and explaining him that he and all his family would be killed unless the exam was postponed, carried a shorter jail time than a terrorist threat.
In conclusion, clearly in Harvard they are not teaching how to deal with real world problems pragmatically.
The wonderful thing about shows like CSI is that it convinces criminals to implement absurd technical defences when their crimes will almost certainly be dealt with by old-fashioned police work.
No kidding!!! What do you say at this point?
Was the guy ever catched ? Nope.
Did this happen during an English class?
It doesn't sound like they needed to crack Tor.
Of course, if the NSA has easy and simple ways of cracking Tor . . . they're not going to brag about it anyway:
"Go ahead, keep using Tor . . . it's safe and we can't crack it . . ."
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
They didn't know it originated from the wireless network. They knew it came from Tor. I could have sent it, for all they know. What they did know was the time it arrived. They played a hunch that it came locally (someone who planted/discovered the bomb on campus) and checked to see who had used Tor on their network at around that time, it's plain old fashioned detective work.
Put the suspect in a room with an interrogator and extract a confession ("We have you on the Tor network the exact same time the email for the bomb hoax came through", "You were the only person using it at the time (whether that is true or not) so we know you did it", "This will go a lot easier on you if you confess now"). Will the confession stand? Did they read Miranda rights? Was he offered legal council?
This reminds me of the news the other day - there have had a few bombs going off recently in Northern Ireland - with warnings. Anyhow, on Monday the news said that a man was being treated for burns in Belfast, which was thought to be linked to sectarian violence, my first thought was "FFS, now they're setting each other on fire", quickly followed by laughter when it turned out the incendiary device he was carrying detonated - serves the stupid fucker right.
... and they are not going to use it for this kind of case.
Why do you want the best for this dipshit?
If you're *innocent*, don't talk to cops.
If you're guilty, spill the beans immediately.
You seem to want to encourage criminals to waste the whole legal system's time? (Which, like everything in the end, is paid for by honest tax-payers.)
Also FatPhil on SoylentNews, id 863
Depends on who the "you" is. The list of entry nodes is public knowledge. Telecoms/Government agencies probably keep historic lists of entry nodes. So it should be trivial to show a connection to the Tor network. The PDF implied (to me) that the FBI just crossreferenced Harvard's log with their list of entry nodes.
To technically answer your question: Tor packets don't have a unique signature, but they all are of a known size.
This is one of the best-known ways to deanonymize people using Tor: timestamping entering traffic and exiting traffic. Tor itself explains they have no theoretical way to fix that issue and still maintain a system that is low-latency (there may have been a third feature as well, where they got to pick-2-of-3).
Your ad here. Ask me how!
Every time you join their wireless network, there is a click-through stating you agree that your traffic will be stored, should you do something stupid. Not in those same words, but close enough (at least in a series of two sentences... of which any Harvard student should be able to understand..
Most of their traffic capturing was put in because of a mandate from the MPAA and RIAA back quite a few years ago. They were either going to be sued for aiding and abetting or they had to keep logs of which students were downloading which Metallica songs. They don't keep the traffic just the IP headers (actually trends, not every IP header). This was very well publicized a few years ago and shouldn't be a surprise to anybody.
Additionally, the upstream provider is required to conform to CALEA laws anyway, which would have been able to provide the same types of reports. It would have required Harvard's assistance to translate an IP to a person (I'm more than assuming they would have been willing to do this as well). CALEA does not require ISPs to notify that their traffic is being recorded, but guess what -- anything that leaves your network is out there in the open and may be open for inspection.
Precisely this. Harvard keeps flow type logs, they found someone using tor. Pigs barfed on him, he cracked and confessed. The kid's a fucking retard, mostly for cranking people.
Please, don't use Tor to harass and be an asshole.
Real freedom fighters need Tor, not you and your lulz.
See who else really needs Tor: https://www.torproject.org/
And quit being assholes.
legal council? probably not. he's a terrorism suspect after all!!
world was created 5 seconds before this post as it is.
The only thing criminal about this is what he's being charged with from a federal law perspective; his actions were just that: stupid. He was going to gain perhaps 24 more hours of study time to get out of a final exam. Using tor was a good idea until you originate it on a campus network --- someone who knew just enough to be microscopically dangerous on the internet. If articles are being written to use tor to make my personal activities on the internet harder for the NSA to correlate, it's gotta be the one-and-only tool right?
Leave your smart phone at the dorm, give your student ID to a conspirator and have them badge you in at the library, use a laptop you temporarily bought at Walmart 2 weeks ago (which has an excellent return policy within 15 days opened or not), then take a taxi (or walk) down to a local area with free wifi (outside a budget hotel, coffee house or there are still dinks who have open APs), use a fake mac address, and do what you need to do. Kid criminals these days.
I'm sure some slashdotter will bullet-hole that remark, but for making a digital bomb thread 'these days' I'd say you have to at least do that if you were on such a mission to do so. What happened to the "my immediate family member is suddenly ill? I must go see them for a day" excuse? I've never used that personally, but surely you start small and don't play the final ace right away.
Rule #9 of the American Justice System: To a jury, any doubt is reasonable; the better the case, the worse the jury; a good man is hard to find, but 12 of them, gathered together in one place, is a miracle.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
If he'd just called it in from a pay phone, they'd never have found him.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
The PDF says he signed a waiver of Miranda rights.
The linked article is confused... but Emerson Hall houses the philosophy department, so it was a philosophy final.
Which is incredibly ironic, since those are generally a matter of opinion or history, which means he could likely have passed it in any case, given that he was a psychology major with a minor in Japanese, so it was kind of a pass/fail class for him anyway. I wonder if any of the news organizations have talked to Professor Gary King (Kim was his research assistant).
that would be a big red flag because, you know...Silk Road is shut down.
never bring a twinkie to a food fight.
Remember the days when this story wouldn't even have made the local paper? Seriously, 25 years ago your average school saw one of these every few years. It headlined the school paper, the local cops investigated, but the FBI? National news? Heck no.
Who needs terrorists when we now pay large corporations and government agencies to spread panic? Quit terrorizing the nation to protect your job security and let me know when something actually blows up.
And in lesson three, we'll learn the age old trick of going down to the local busy Starbucks with a fresh install of *OS and then use the Tor. This might extend the time it takes the feds to knock on your door to over 24 hours!
What other people think of me is none of my business
(also, don't make false bomb threats. They're stupid)
I work at a University. You can always tell when the exam periods have started by the fact that you are constantly seeing fire engines on campus.
Students do the most stupid things to get out of doing an exam they have not prepared for.
I have also seen fake student IDs so someone else can sit the exam and other dodgey dealings. It sucks for the staff (I have lost count of the amount of times I have had to evacuate the data centre/office due to a fire alarm) and also screws over the other students since they often need to resit the exam. It also costs the university money since they get charged for every fire department response.
You missed the part where he didn't want to take an exam.
He didn't want to take an exam that day (probably because he had started studying way too late). He wouldn't probably object taking it 1 week later (or whatever date it would have been postponed too).
If he hadn't confessed, he would have had to take it. So he really didn't have a choice.
Even that is no guarantee. Maybe the cops will "allow" him to take the exam from prison?
Just study, it's easier.
Moron. I don't care how innocent or guilty you are.
Don't talk
Demand a lawyer (only time you can talk)
Don't sign anything
Don't fucking talk!
Did I mention not talking?
By the time your lawyer arrives you should need a glass of water because your lips will be stuck together from all the not talking you were doing.
Or, and I'm just spitballing here, don't do any of that. Instead, use persuasive arguments to convince people to follow your will instead of trying to impose it via violence or threat of violence. Or even, if what you want people do do is legal to pay people to do, try that.
Can you be Even More Awesome?!
... and they are not going to use it for this kind of case.
Bomb threat from unknown source? Boston? Possible foreign connections? The NSA is allegedly supposed to be involved in investigation of terror threats. It's the other stuff they're doing that's got people upset.
I'm surprised he did it from his dorm (if, indeed, he actually did it). I thought the sensible thing was to go down to the local public library and/or coffee shop (without cameras) and do your shit from there.
Well, assuming that there aren't cameras in the local public library or coffee ship, the challenge is in getting there without showing up on any intermediary cameras.
That, after all, was one of the first things they scoured after the Marathon bombing.
Is that more or less work than actually studying for the exam?
It's better than it used to be but it's still not going to win any speed awards. Does allow access to sites my arsehole government have blocked though.
Will only get worse now the great firewall is active (with auto opt-in for new customers), which btw doesn't just censor porn but also 'extreme political speech', I'd like to know who the fuck gets to determine what's extreme politics I can't view or not, personally I think it should be me, the government think otherwise.
Seven was good enough for Serenity. Oh, and Voldemort.
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
No normal person calls in a bomb threat to get out of a final that will at most just end being delayed.
That YOU were (and are) an idiot doesn't mean everyone is. If your moronic logic was true, then the phone at your average school would never stop ringing. This guy (and since you clearly identify with him, you) is an asshole who thought nothing of creating a major nuisance for teachers and students because he wanted to get out of an exam. Ten to one you and him are the type who then later grow up... grow older and at the slightest provocation threaten to sue anyone and everyone for any delay or inconvenience.
It is the eternal excuse of the asshole: Everyone does it.
Nope.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Please, don't use Tor to harass and be an asshole. Real freedom fighters need Tor, not you and your lulz.
Almost everyone needs anonymity, at least some of the time. The more people use Tor (without cheating), the more robust is the network, so your uppity attitude is completely out of place. Tor is for lulz as much as it is for freedom fighting.
College students are allergic to studying. It gives them hives and agida.
Common mistake for people speaking English as a second language. I doubt the AC can speak more than one language, because if he did, he would probably know this ;)
Except he didn't actually send the bomb threat! He only confessed to that lesser crime because what he was REALLY doing was seeding a pirated release of Gravity, and he knew if the police continued their investigation they might find out and he'd end up in jail for 10 years and have to pay $3 million in fines.
If you weren't ready to make that post, you could've called in a bomb threat.
#DeleteChrome
I think it is also worth noting that this is coming from Harvard. Not to say that other schools don't have similar issues but my point is that this is a very high end, private, and expensive university. And that that most of the people there are expected, and that is probably putting it lightly, to excel.
My point is that the higher the stakes the more people tend to be willing to do. Whatever those stakes may be. Be it some personal drive, parental urgings, or whatever. (And I'm talking about people that would otherwise be rational.)
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
Not sure if this should be troll or insightful. I mean in all seriousness, people who make bomb threats tend to not be the ones capable of carrying out the crime. If you are going to commit a crime, you just do it, you dont go around bragging about it or making threats.
have you seen my sig? there are many others like it but none that are the same
TOR is not an entity and even if they managed to get hold of the exit node there is no logs left there to point back to the previous node and so on.
Say what? Why not just buy a cheap USB wireless stick (paying cash, of course) and send the message from a car parked outside of Panera Bread (or any other unsecured wireless network) and then throw the stick into the nearest storm drain? The only thing you have to do is use a MAC address not already registered in Harvard's DHCP tables to the student. While a proper geek would then edit the internal logs of the laptop -- a REAL geek on their LINUX (or possibly Mac) laptop where the logs are in straight ASCII and bone simple to edit -- to remove all trace of the DHCP connection and the MAC address of the stick. But even if they didn't do this, the trail ends at Panera, assuming that the student didn't go inside and get his face captured on the store video or the like. They would have to examine the logs of every laptop on campus to find the perp otherwise, and of course they'd never get a judge to agree to that.
I'm tempted to joke around about how multiply stupid this Harvard kid was compared to Duke kids -- not only failing a course but too stupid to even send in an anonymized bomb threat by email in an untraceable way -- but sadly to my direct experience there are Duke students who are (or have been in the past) just as criminally dumb and this is a real tragedy and not really something to joke over. The poor kid is probably sitting around in a daze trying to figure out how what happened, how he went from being a struggling (but probably really pretty bright) student at one of the best universities in the world to being a plea-bargained felon working off a hundred-thousand dollar fine selling coffee and cleaning toilets at Starbucks with no hope of ever attending anything better than a community college for the rest of his or her life.
Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
I stand corrected.
Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
Except he sent the email 30 minutes before the exam, because he was desperate at the last minute.
Also, news at 10pm: Desperation makes teenager do stupid stuff.
I'd be very surprised if you could access the wireless network without logging on, WPA Radius would be my suspicion. I guess you could claim someone had stolen your password but still doesn't sound too 1337 to me.
If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
Duke doesn't require you to authenticate your wireless device every time you connect, and I doubt most other Universities do either. It does require you to register your device MAC address (in an authenticated session). In fact, at this point Duke might require you to register wired addresses as well. Unregistered devices get kicked onto an anonymous network outside of a firewall, so visitors can get internet access without getting a "Duke" IP number. Duke controls its own outgoing PoP, of course, so it effectively logs all connections into and out of the Duke domain. As was pointed out above, this was more than likely the method used to identify the student at Harvard -- simply look for a Harvard IP that connected to a TOR server (and obviously, the toplevel TOR servers HAVE to be publicly known or nobody could connect to them) at the right time. That time AFAICT could not be delayed as some have suggested by TOR itself because TOR doesn't know what you are connecting to and has to treat all connections as though they might be real-time keystrokes. You'd need an anonymous, non-logging mail server with a delay on it on the far side to put any sort of substantial desynchronization between the connection and the mail message -- TOR itself cannot do it unless I'm still in error after reading about its architecture for a while.
Regardless, anyone even slightly 1337 would have at the very least gone to starbucks or an internet cafe and THEN used Tor, or bought a disposable USB wireless interface and used the anonymous network or (best) both. No possible way the FBI could have backtracked a cash purchased USB stick from a store with no video surveillance used from an alley next to (but not inside) a Panera Bread while wearing a wig and makeup one dons in the restroom of a giant mall connected to TOR, even if the NSA actually "volunteers" most of the toplevel TOR servers and half of the nodes and/or maintains a running map of all of the nodes (which I'm pretty sure they do regardless of how many they actually provide). I mean what's ten or twenty million dollars in hardware to the NSA, if it gives them a chance to monitor most of the traffic through a supposedly secure onion network? In the end, the Internet does not allow one anything like non-subvertable security of connections, only the data content sent over those connections. I doubt that even the NSA is likely to be able to decrypt e.g. 4096-bit key-secured traffic EXCEPT by obtaining the keys.
rgb
Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
It's really hard to know how universally safe tor is. Maybe it protects you against Chile but not the NSA. Obviously, the Feds have a lot of money and can deploy a lot of tor systems. Shifting the discussion a little bit, from anonymity to privacy, I'm basically skeptical of all technological means at maintaining privacy, for several reasons: 1) it's super easy to screw up and leak information (this bomb hoax being a prime example). 2) Encryption acts more as temporary barrier because inevitably, it is cracked or technology makes brute force trivial (and before someone says "one time pad," figure out how that's going to work for everyday stuff). 3) It leads to rampant paranoia, for example, the people behind tor are probably good privacy minded people and not some NSA pricks -- but I don't know. Not knowing whether a system is safe or not has a chilling effect on free expression. Of course, Greenwald and Snowden suggest tor, but I'm sure that's just one stage of a multilevel system.
I'm not advocating abandoning encryption etc., but I think that without strong legal protections which make privacy violations a serious crime, even if done by the Feds, we will never really have privacy (which is a necessary component of freedom). Instead, we'll have technological systems that people trust for a time until someone gets burned and then we'll shift to other systems. But that's not a real solution and it will suck mightily for those sacrificial lambs who get roasted.
What changed under Obama? Nothing Good
I completely agree. I tend to trust high end encryption because I know something about how difficult the problem of cracking a serious cipher with a large key is -- even brute force attacks simply aren't tenable for the good ones. 4096 bits is 2^4096 approx 10^400 permutations and 100 billion years with every atom in the visible Universe a computer still aren't enough. Of course this time can be substantially reduced if one discovers mathematical weaknesses in the encryption or if people do stupid things, but I think e.g. GPG and SSH are pretty reliable when implemented with large keys provided that you can trust your source for the software. SSL is also probably fine if you can trust your key servers and software. However, what NSA does have in abundance is talented crackers and lots of resources and access to federal warrants and even the freedom to proceed without warrants. The easy way to crack my ssh encrypted channel isn't to do a brute force attack on the data stream, it is to crack any of the systems on which I store public and private keypairs. The easy way to decrypt my gpg encrypted documents no matter how large a key I specify is to crack my system and do any of a dozen things -- monitor my keystrokes and steal my keys, issue a warrant forcing me to give up my keys (so I go to jail on contempt of court to rot forever without a trial if I fail to comply). The latter is what the FBI actually told me that they do in cases where there is probable cause, e.g. kiddy porn cases where somebody has a large encrypted file suspected of containing snuff films involving small children or the like (I've attended security conferences and chatted extensively with FBI'ers attending the same sessions in the past, although I don't mess with security at this level much any more).
But the only solution to the issue of privacy is to move BACK to this state of affairs. People have to have a real right to presume that their affairs and activities are private with the narrow exception of a search warrant granted on the basis of actual evidence and probable cause, sort of like it says in the constitution and its amendments.
Of course, we have to be willing to pay the price for this. That means that yeah, criminals and terrorists will succeed in concealing their affairs a lot more often. More of the innocent will die or be hurt in other ways. We cannot insist on having our privacy preserved and then bitch when the outcome of it is that a terrorist succeeds in nuking a city in a case where ignoring the privacy laws might have prevented it.
An alternative that might almost be more palatable would be to alter the laws to completely eliminate victimless crime and almost all moral crime, and indeed provide citizens with broad rights to completely freely choose their lifestyle and activities without their ability to seek employment or education being threatened. People conceal things that might be damaging, and one of the dangers of a police state is that so many things are illegal that "everybody" commits certain crimes, such as driving over the speed limit, driving with a blood alcohol that is just over the limit, bending things a bit on tax returns, engaging in sexual acts between consenting adults that are still technically against the laws of the state in which they live, smokes pot. This makes everybody vulnerable, and hence controllable. If we could actually trust the police not to abuse their power by eliminating most of the ways they COULD abuse their power, it would be a lot simpler to think about exceptions for exceptional risks.
Best of all, do both. Strong privacy laws, eliminate moral/victimless non-crimes and indeed establish legal protections for acting as one wishes to act outside of things that directly impact their employment or damage others, and sure, a tight system of well-regulated courts to handle the edge cases expeditiously and with the ability to seal the record of all discovery outside of a narrow window. Sort of like one imagines the framers of the constitution possibly intended. But then, they were all terrorists themselves.
rgb
Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
You may not want to cause injury or death, which may turn people against you. If you can scare them and make them pressure their leaders to cease the action you disagree with, you might be able to achieve your aims more easily, particularly if your cause is somewhat sympathetic.