The ISP knows that your IP is connecting to the IP of a TOR relay. (EDIT: the ISP is technically renting the IP address to you, so they obviously know it.)
And the admin of your network knows it too, which is exactly why the guy got caught.
I'm at reasonably large (~15000 students on-campus), and a friend using TOR to do ... something ... got caught not because he was the only one using TOR at the time, but because he was the only one using TOR, ever -- it was just too obvious.
I can understand they can the attack was done through Tor, what I don't understand is how they understood the attack originated on their own network through Tor.
It depends on how many Tor users there are on the Harvard wireless network. If he was the only person using Tor that year, or one of only a few dozen that could all be questioned, maybe not.
Also keep in mind that, from my understanding, he was confronted with this information and then admitted that it was him. This just reinforces the rule... never talk to the police.
And we wonder why TOR and other privacy tools are stereotyped as being for criminals. The better - and more immediately applicable - rule is "don't break the law".
Now I have the scene from "Liar, Liar" stuck in my head.
Well if that was the only concern that the police ever had, then I would say go ahead and talk to the police.
Don't break the law is fine advice, and really I don't think it needs to be stated here. Even so, even if you think you are following that advice, you should not talk to the police unless being in a jail cell is preferable to the situation you are currently in.
In which case, I'd argue a moral person should throw the generally sound rule against talking to police out the window, despite the fact that it'll probably make you the prime suspect.
You'd have to be pretty stupid to not know this was illegal.
The things people are actually going to track you down for you can be pretty damn sure are easily identifiable as illegal. Sure, you may not be aware your Halloween costume of a priest is illegal (illegal to impersonate clergy) but no one's going to arrest you for it. They could, but arresting officers probably have only a slight degree better understanding than the average person. Now, if you're shooting someone, raping someone, bombing something, those things are obviously illegal and it doesn't take a Harvard student to know this...or maybe it does.
I'm not really sure how crime works in US but in my country there's sort of minor offence kind of thing when you just get the ticket or are being told by the policemen not to do that again. You may refuse to take the ticket and defend yourself in court. And there's a crime, where you can get arrested.
If you ignore "do not step on the grass" sign can you get arrested in US as well?
Depends on the grass. It would be unusual to be arrested just for stepping on the grass, but if the police ask you to get off the grass and you pull your pants down and take a dump, there's going to be trouble.
I suppose he could have claimed somebody else was using the computer he was signed into because he left it unlocked while going to the bathroom or whatever... but in this case, (assuming he is indeed guilty) then I'm fine with it.
It's a dick move, and I'm fine with him being caught and punished.
Or he could have simply said he was browsing Silk Road or something. There's a whole world of Tor users out there, and many Harvard students use the Internet other than through their wireless.
Fail a test, no big deal. Send a bomb hoax, ruin your life. Interesting choice. I thought Harvard students were supposed to be smart not just arrogant.
It produces smart and not-so-smart graduates just like any other school. There are benefits of attending Harvard other than intelligence and education.
It's worth remembering that security (here including the information security involved in hiding identity) is not boolean. The value of the prize matters. A penny (or a diary) hidden under a mattress can be considered "secure" - three million dollars can't, especially when people know you have those three million somewhere.
The first mistake this guy made was doing something that made the authorities want to know who he was, and have a good excuse for expending enormous resources (if necessary) to do that. Had he used TOR correctly, it would have been harder for them, but it's very likely they would still have succeeded.
Plenty of people here are making comments that sound suspiciously like advice for breaking the law. I realize that that's not actually the case -- lessons taken from somebody who did something illegal and got caught can be perfectly applicable to someone trying to do something legal, privately. We all should be aware, though, that TOR and other privacy tools (and other non-privacy tools, like bittorrent) have a reputation for being designed for criminals, and it's not a good idea to seem to sympathize too strongly with people who use TOR to send in bomb threats.
Certainly - the real question should be 'secure against whom?'.
Any security can be broken given sufficient resources and motivation (e.g. if you can't brute-force the crypto, you can brute-force the keyholder, etc.).
Amusingly, the original FBI affidavit was posted yesterday with a similar title, but it was changed to "FBI Affidavit in Harvard Bomb Hoax [pdf]".
The submitter of yesterday's post joked,
> I guess I should have written a paragraph's worth of inane blog spam to get my submission title used? I was trying to make this exact point in my original title. The title my submission was assigned is not the real title of the PDF either... seems very arbitrary.[0]
I completely understand the desire not to editorialize discussions. That said, this is an interesting case study of how the title of the submission very strongly affects the actual discussion that unfolds. After the title was changed, more of the comments revolved around the actual bomb threat itself, rather than the security benefits (and caveats) of Tor.
That was my first submission to HN and I was really surprised to see my submission title changed, and you're correct that the title change directed the conversation away from what I intended. I'm probably not going to start a blog so that I can control the titles of my posts to HN, so I will probably be dissuaded from submitting content in the future.
He would have had better luck cutting letters out of a newspaper, sticking them to a page and popping it in the post.
However that is not without its hazards. He would need to evade CCTV and make sure he did not take his cell phone with him to the post box. The stationary he used would also have to be untraceable, so a stack of identical envelopes at home would not be ideal. He would also need an alibi lest any neighbours end up why he was posting letters at 4 a.m.
I'm sure the legal ramifications for him will be much greater than the moronic "pranksters" who pulled stunts like this at my high school in the late '90s.
Yes, the medic and fire first responders that were mobilized inefficiently could have had serious negative externalities, but apart from that I don't see this as particularly immoral:
He elucidated the disparity between the facade of harvard student esteem and the puerile, cowardice reality.
He disrupted the lives of thousands of self-entitled ivy league students, potentially even delaying some of them from further concentrating wealth.
He made the police experience a once-in-a-month type of excitement that might keep them from getting bored and harassing an unwitting minority for as long as a week.
They caught him because he was signed into the wifi network using his personal credentials. Had he went to a Starbucks or McDonalds we'd be having a different discussion.
However, his use of Tor would mean the authorities wouldn't know which surveillance video to look at.
He was caught because they probably assumed the threat was an internal hoax, checked the logs and found only one or a few internal users on Tor at the right time, then got a police officer to ask each of them if they had done anything wrong [1]. One confessed, and there you go.
Morale of the story: don't do illegal things, and if you do want to do illegal things, have a cover story and don't admit things based on inferences from investigators.
[1] In fact, they probably overrepresented the evidence and then left him to talk himself into being convicted.
Back when the whole Snowden/NSA thing blew up, people talked about switch to TOR all the time to keep safe. The problem is, you kind of have to be disciplined and commit to it...and even if that's the case, you might be exposed by uncontrollable environmental variables. The apparent problem in this case was that the student was using Tor at the time of the incident...and I'm assuming he was one of the very few to have been using Tor at that time, and he didn't use it all the time...which makes his Tor usage at the time of the email stick out.
Obviously, he should've just not done it from Harvard's network (and obviously, he shouldn't have done it at all)...but I think it's a good lesson when teaching others about security...know the conceptual limits of the black box you choose to use.
There's always an official good reason why some Tor user gets busted by the Feds, and it's never that Tor itself is pwned. It reminds me of Brits trying not to show that they pwned Enigma during WWII.
If I needed to be shielded from the Feds, and I depended on Tor for this, I'd feel increasingly nervous.
It's been a while since I was in the network security and monitoring world so I'm wondering what this monitoring software looks like. It sounds like it has the capability to keep a historical log of the type of traffic associated with each wifi-authenticated user. How detailed is the traffic analysis? How is the data recorded and for how long?
It sounds like they merely looked for who had accessed a Tor network, not that they could tell anything about the communication. Kind of like, "We know the perpetrator entered the grounds through the east gate prior to 9:00am. Security footage shows only 1 person doing that so go talk to him".
72 comments
[ 3.0 ms ] story [ 177 ms ] thread[1] https://www.eff.org/pages/tor-and-https
The ISP knows that your IP is connecting to the IP of a TOR relay. (EDIT: the ISP is technically renting the IP address to you, so they obviously know it.)
And the admin of your network knows it too, which is exactly why the guy got caught.
I'm at reasonably large (~15000 students on-campus), and a friend using TOR to do ... something ... got caught not because he was the only one using TOR at the time, but because he was the only one using TOR, ever -- it was just too obvious.
Now I have the scene from "Liar, Liar" stuck in my head.
Don't break the law is fine advice, and really I don't think it needs to be stated here. Even so, even if you think you are following that advice, you should not talk to the police unless being in a jail cell is preferable to the situation you are currently in.
The things people are actually going to track you down for you can be pretty damn sure are easily identifiable as illegal. Sure, you may not be aware your Halloween costume of a priest is illegal (illegal to impersonate clergy) but no one's going to arrest you for it. They could, but arresting officers probably have only a slight degree better understanding than the average person. Now, if you're shooting someone, raping someone, bombing something, those things are obviously illegal and it doesn't take a Harvard student to know this...or maybe it does.
If you ignore "do not step on the grass" sign can you get arrested in US as well?
It's a dick move, and I'm fine with him being caught and punished.
http://www.youtube.com/watch?v=6wXkI4t7nuc
https://www.youtube.com/watch?v=6wXkI4t7nuc
http://www.slideshare.net/grugq/opsec-for-hackers
Video: https://www.youtube.com/watch?v=9XaYdCdwiWU
The first mistake this guy made was doing something that made the authorities want to know who he was, and have a good excuse for expending enormous resources (if necessary) to do that. Had he used TOR correctly, it would have been harder for them, but it's very likely they would still have succeeded.
Plenty of people here are making comments that sound suspiciously like advice for breaking the law. I realize that that's not actually the case -- lessons taken from somebody who did something illegal and got caught can be perfectly applicable to someone trying to do something legal, privately. We all should be aware, though, that TOR and other privacy tools (and other non-privacy tools, like bittorrent) have a reputation for being designed for criminals, and it's not a good idea to seem to sympathize too strongly with people who use TOR to send in bomb threats.
Any security can be broken given sufficient resources and motivation (e.g. if you can't brute-force the crypto, you can brute-force the keyholder, etc.).
The submitter of yesterday's post joked,
> I guess I should have written a paragraph's worth of inane blog spam to get my submission title used? I was trying to make this exact point in my original title. The title my submission was assigned is not the real title of the PDF either... seems very arbitrary.[0]
I completely understand the desire not to editorialize discussions. That said, this is an interesting case study of how the title of the submission very strongly affects the actual discussion that unfolds. After the title was changed, more of the comments revolved around the actual bomb threat itself, rather than the security benefits (and caveats) of Tor.
[0] https://news.ycombinator.com/item?id=6925289
That was my first submission to HN and I was really surprised to see my submission title changed, and you're correct that the title change directed the conversation away from what I intended. I'm probably not going to start a blog so that I can control the titles of my posts to HN, so I will probably be dissuaded from submitting content in the future.
Oddly, the Guidelines suggest exactly that:
If you want to add initial commentary on the link, write a blog post about it and submit that instead.
However that is not without its hazards. He would need to evade CCTV and make sure he did not take his cell phone with him to the post box. The stationary he used would also have to be untraceable, so a stack of identical envelopes at home would not be ideal. He would also need an alibi lest any neighbours end up why he was posting letters at 4 a.m.
That would have required advance planning; seems he did this on impulse or, at least, not far enough ahead of time to use the mail.
You really have to have a shallow life experience to think a bomb threat to get out of an exam is even remotely an okay idea.
He elucidated the disparity between the facade of harvard student esteem and the puerile, cowardice reality.
He disrupted the lives of thousands of self-entitled ivy league students, potentially even delaying some of them from further concentrating wealth.
He made the police experience a once-in-a-month type of excitement that might keep them from getting bored and harassing an unwitting minority for as long as a week.
</snark>
edit: Or how about a prepaid cell phone 3g connection?
He was caught because they probably assumed the threat was an internal hoax, checked the logs and found only one or a few internal users on Tor at the right time, then got a police officer to ask each of them if they had done anything wrong [1]. One confessed, and there you go.
Morale of the story: don't do illegal things, and if you do want to do illegal things, have a cover story and don't admit things based on inferences from investigators.
[1] In fact, they probably overrepresented the evidence and then left him to talk himself into being convicted.
Obviously, he should've just not done it from Harvard's network (and obviously, he shouldn't have done it at all)...but I think it's a good lesson when teaching others about security...know the conceptual limits of the black box you choose to use.
If I needed to be shielded from the Feds, and I depended on Tor for this, I'd feel increasingly nervous.