The bomb-hoaxing Harvard student was using Tor, but they caught him anyway (opens in new tab)

Also keep in mind that, from my understanding, he was confronted with this information and then admitted that it was him. This just reinforces the rule... never talk to the police.

I think it's because he was the only one accessing TOR on a monitored network during the specific time.

They caught him because he was signed into the wifi network using his personal credentials. Had he went to a Starbucks or McDonalds we'd be having a different discussion.

Fail a test, no big deal. Send a bomb hoax, ruin your life. Interesting choice. I thought Harvard students were supposed to be smart not just arrogant.

So basically idiotic "pranks" that would have been done in high school have now moved to colleges costing tens of thousands a year?

You really have to have a shallow life experience to think a bomb threat to get out of an exam is even remotely an okay idea.

So if Guerilla Mail had a chron option to buffer mail and avoid temporal correlation he would have walked?

I think I just decided to use TOR as often as possible.

Amusingly, the original FBI affidavit was posted yesterday with a similar title, but it was changed to "FBI Affidavit in Harvard Bomb Hoax [pdf]".

The submitter of yesterday's post joked,

> I guess I should have written a paragraph's worth of inane blog spam to get my submission title used? I was trying to make this exact point in my original title. The title my submission was assigned is not the real title of the PDF either... seems very arbitrary.[0]

I completely understand the desire not to editorialize discussions. That said, this is an interesting case study of how the title of the submission very strongly affects the actual discussion that unfolds. After the title was changed, more of the comments revolved around the actual bomb threat itself, rather than the security benefits (and caveats) of Tor.

[0] https://news.ycombinator.com/item?id=6925289

It's worth remembering that security (here including the information security involved in hiding identity) is not boolean. The value of the prize matters. A penny (or a diary) hidden under a mattress can be considered "secure" - three million dollars can't, especially when people know you have those three million somewhere.

The first mistake this guy made was doing something that made the authorities want to know who he was, and have a good excuse for expending enormous resources (if necessary) to do that. Had he used TOR correctly, it would have been harder for them, but it's very likely they would still have succeeded.

Plenty of people here are making comments that sound suspiciously like advice for breaking the law. I realize that that's not actually the case -- lessons taken from somebody who did something illegal and got caught can be perfectly applicable to someone trying to do something legal, privately. We all should be aware, though, that TOR and other privacy tools (and other non-privacy tools, like bittorrent) have a reputation for being designed for criminals, and it's not a good idea to seem to sympathize too strongly with people who use TOR to send in bomb threats.

To be sure about who knows what when you use TOR, there is this excellent EFF article [1].

[1] https://www.eff.org/pages/tor-and-https

The very BEST slideshow about using Tor to stay anonymous. You'll see his mistake in it.

http://www.slideshare.net/grugq/opsec-for-hackers

It sounds like they merely looked for who had accessed a Tor network, not that they could tell anything about the communication. Kind of like, "We know the perpetrator entered the grounds through the east gate prior to 9:00am. Security footage shows only 1 person doing that so go talk to him".

He would have had better luck cutting letters out of a newspaper, sticking them to a page and popping it in the post.

However that is not without its hazards. He would need to evade CCTV and make sure he did not take his cell phone with him to the post box. The stationary he used would also have to be untraceable, so a stack of identical envelopes at home would not be ideal. He would also need an alibi lest any neighbours end up why he was posting letters at 4 a.m.

"Kim told the FBI he trying to avoid taking a final exam."

Back when the whole Snowden/NSA thing blew up, people talked about switch to TOR all the time to keep safe. The problem is, you kind of have to be disciplined and commit to it...and even if that's the case, you might be exposed by uncontrollable environmental variables. The apparent problem in this case was that the student was using Tor at the time of the incident...and I'm assuming he was one of the very few to have been using Tor at that time, and he didn't use it all the time...which makes his Tor usage at the time of the email stick out.

Obviously, he should've just not done it from Harvard's network (and obviously, he shouldn't have done it at all)...but I think it's a good lesson when teaching others about security...know the conceptual limits of the black box you choose to use.

It's been a while since I was in the network security and monitoring world so I'm wondering what this monitoring software looks like. It sounds like it has the capability to keep a historical log of the type of traffic associated with each wifi-authenticated user. How detailed is the traffic analysis? How is the data recorded and for how long?

Easy to forget "Anonymous" strongly does not equal "Untraceable".

There's always an official good reason why some Tor user gets busted by the Feds, and it's never that Tor itself is pwned. It reminds me of Brits trying not to show that they pwned Enigma during WWII.

If I needed to be shielded from the Feds, and I depended on Tor for this, I'd feel increasingly nervous.

As an aside, do we think that as online courses become every more prevalent that we will see an equivalent of this in the form of DOS attacks?

The weakest link is always the end-user.