72 comments

[ 3.0 ms ] story [ 177 ms ] thread
To be sure about who knows what when you use TOR, there is this excellent EFF article [1].

[1] https://www.eff.org/pages/tor-and-https

So then is LOCATION visible to the ISP before it hits the first Tor Relay because the ISP knows the real IP Address of the user making the request?
TL;DR Yes.

The ISP knows that your IP is connecting to the IP of a TOR relay. (EDIT: the ISP is technically renting the IP address to you, so they obviously know it.)

And the admin of your network knows it too, which is exactly why the guy got caught.

I think I just decided to use TOR as often as possible.
Get ready to experience the internet at 56kbps again.
That's...yes...that's a boob!
Also, every Tor/onionweb/darknet/whatever site is around for approximately 53 minutes, and all the link pages were written at least 54 minutes ago.
I think it's because he was the only one accessing TOR on a monitored network during the specific time.
Almost certainly.

I'm at reasonably large (~15000 students on-campus), and a friend using TOR to do ... something ... got caught not because he was the only one using TOR at the time, but because he was the only one using TOR, ever -- it was just too obvious.

How did they know the something was done by someone using TOR on their network?
It came from a TOR ip.
There's a list of IPs that TOR networks run on, so they could just cross reference that.
tor exit nodes are easy to identify, if they had the co-operation of site.com then they'd not see the location, but they'd see the exit node.
I can understand they can the attack was done through Tor, what I don't understand is how they understood the attack originated on their own network through Tor.
Good old Signal Intelligence.
So if Guerilla Mail had a chron option to buffer mail and avoid temporal correlation he would have walked?
It depends on how many Tor users there are on the Harvard wireless network. If he was the only person using Tor that year, or one of only a few dozen that could all be questioned, maybe not.
So if you use Tor there is a certain expectation to be questioned sooner or later.
No, because Guerilla Mail would just have told the investigators the time the mail was queued up to send.
Easy to forget "Anonymous" strongly does not equal "Untraceable".
Also keep in mind that, from my understanding, he was confronted with this information and then admitted that it was him. This just reinforces the rule... never talk to the police.
And we wonder why TOR and other privacy tools are stereotyped as being for criminals. The better - and more immediately applicable - rule is "don't break the law".

Now I have the scene from "Liar, Liar" stuck in my head.

Do you know law enough not to break it?
I know not to make fake bomb threats.
Well if that was the only concern that the police ever had, then I would say go ahead and talk to the police.

Don't break the law is fine advice, and really I don't think it needs to be stated here. Even so, even if you think you are following that advice, you should not talk to the police unless being in a jail cell is preferable to the situation you are currently in.

yes, better to have a real bomb threat
In which case, I'd argue a moral person should throw the generally sound rule against talking to police out the window, despite the fact that it'll probably make you the prime suspect.
You'd have to be pretty stupid to not know this was illegal.

The things people are actually going to track you down for you can be pretty damn sure are easily identifiable as illegal. Sure, you may not be aware your Halloween costume of a priest is illegal (illegal to impersonate clergy) but no one's going to arrest you for it. They could, but arresting officers probably have only a slight degree better understanding than the average person. Now, if you're shooting someone, raping someone, bombing something, those things are obviously illegal and it doesn't take a Harvard student to know this...or maybe it does.

How about switching cars in NYC subway? One black man in a suit got arrested for this crime.
Maybe that's why they put "do not move between cars" signs on the doors.
I'm not really sure how crime works in US but in my country there's sort of minor offence kind of thing when you just get the ticket or are being told by the policemen not to do that again. You may refuse to take the ticket and defend yourself in court. And there's a crime, where you can get arrested.

If you ignore "do not step on the grass" sign can you get arrested in US as well?

Depends on the grass. It would be unusual to be arrested just for stepping on the grass, but if the police ask you to get off the grass and you pull your pants down and take a dump, there's going to be trouble.
I suppose he could have claimed somebody else was using the computer he was signed into because he left it unlocked while going to the bathroom or whatever... but in this case, (assuming he is indeed guilty) then I'm fine with it.

It's a dick move, and I'm fine with him being caught and punished.

Or he could have simply said he was browsing Silk Road or something. There's a whole world of Tor users out there, and many Harvard students use the Internet other than through their wireless.
"Kim told the FBI he trying to avoid taking a final exam."
Fail a test, no big deal. Send a bomb hoax, ruin your life. Interesting choice. I thought Harvard students were supposed to be smart not just arrogant.
It produces smart and not-so-smart graduates just like any other school. There are benefits of attending Harvard other than intelligence and education.
Your judgment is based on a sample size of 1.
It's worth remembering that security (here including the information security involved in hiding identity) is not boolean. The value of the prize matters. A penny (or a diary) hidden under a mattress can be considered "secure" - three million dollars can't, especially when people know you have those three million somewhere.

The first mistake this guy made was doing something that made the authorities want to know who he was, and have a good excuse for expending enormous resources (if necessary) to do that. Had he used TOR correctly, it would have been harder for them, but it's very likely they would still have succeeded.

Plenty of people here are making comments that sound suspiciously like advice for breaking the law. I realize that that's not actually the case -- lessons taken from somebody who did something illegal and got caught can be perfectly applicable to someone trying to do something legal, privately. We all should be aware, though, that TOR and other privacy tools (and other non-privacy tools, like bittorrent) have a reputation for being designed for criminals, and it's not a good idea to seem to sympathize too strongly with people who use TOR to send in bomb threats.

So what you're saying is "whether a particular method is secure or not depends on the size of the penny"
Certainly - the real question should be 'secure against whom?'.

Any security can be broken given sufficient resources and motivation (e.g. if you can't brute-force the crypto, you can brute-force the keyholder, etc.).

(comment deleted)
Amusingly, the original FBI affidavit was posted yesterday with a similar title, but it was changed to "FBI Affidavit in Harvard Bomb Hoax [pdf]".

The submitter of yesterday's post joked,

> I guess I should have written a paragraph's worth of inane blog spam to get my submission title used? I was trying to make this exact point in my original title. The title my submission was assigned is not the real title of the PDF either... seems very arbitrary.[0]

I completely understand the desire not to editorialize discussions. That said, this is an interesting case study of how the title of the submission very strongly affects the actual discussion that unfolds. After the title was changed, more of the comments revolved around the actual bomb threat itself, rather than the security benefits (and caveats) of Tor.

[0] https://news.ycombinator.com/item?id=6925289

Thank you for pointing this out.

That was my first submission to HN and I was really surprised to see my submission title changed, and you're correct that the title change directed the conversation away from what I intended. I'm probably not going to start a blog so that I can control the titles of my posts to HN, so I will probably be dissuaded from submitting content in the future.

> I guess I should have written a paragraph's worth of inane blog spam to get my submission title used?

Oddly, the Guidelines suggest exactly that:

If you want to add initial commentary on the link, write a blog post about it and submit that instead.

He would have had better luck cutting letters out of a newspaper, sticking them to a page and popping it in the post.

However that is not without its hazards. He would need to evade CCTV and make sure he did not take his cell phone with him to the post box. The stationary he used would also have to be untraceable, so a stack of identical envelopes at home would not be ideal. He would also need an alibi lest any neighbours end up why he was posting letters at 4 a.m.

> He would have had better luck cutting letters out of a newspaper, sticking them to a page and popping it in the post.

That would have required advance planning; seems he did this on impulse or, at least, not far enough ahead of time to use the mail.

So basically idiotic "pranks" that would have been done in high school have now moved to colleges costing tens of thousands a year?

You really have to have a shallow life experience to think a bomb threat to get out of an exam is even remotely an okay idea.

I'm sure the legal ramifications for him will be much greater than the moronic "pranksters" who pulled stunts like this at my high school in the late '90s.
These days those legal ramifications can be quite severe even on the high school level.
Yes, the medic and fire first responders that were mobilized inefficiently could have had serious negative externalities, but apart from that I don't see this as particularly immoral:

He elucidated the disparity between the facade of harvard student esteem and the puerile, cowardice reality.

He disrupted the lives of thousands of self-entitled ivy league students, potentially even delaying some of them from further concentrating wealth.

He made the police experience a once-in-a-month type of excitement that might keep them from getting bored and harassing an unwitting minority for as long as a week.

</snark>

They caught him because he was signed into the wifi network using his personal credentials. Had he went to a Starbucks or McDonalds we'd be having a different discussion.
He would have been on survellience video in both of those places
Sit in your car/on a bench outside mcdonalds/starbucks in a security camera blindspot?

edit: Or how about a prepaid cell phone 3g connection?

However, his use of Tor would mean the authorities wouldn't know which surveillance video to look at.

He was caught because they probably assumed the threat was an internal hoax, checked the logs and found only one or a few internal users on Tor at the right time, then got a police officer to ask each of them if they had done anything wrong [1]. One confessed, and there you go.

Morale of the story: don't do illegal things, and if you do want to do illegal things, have a cover story and don't admit things based on inferences from investigators.

[1] In fact, they probably overrepresented the evidence and then left him to talk himself into being convicted.

Back when the whole Snowden/NSA thing blew up, people talked about switch to TOR all the time to keep safe. The problem is, you kind of have to be disciplined and commit to it...and even if that's the case, you might be exposed by uncontrollable environmental variables. The apparent problem in this case was that the student was using Tor at the time of the incident...and I'm assuming he was one of the very few to have been using Tor at that time, and he didn't use it all the time...which makes his Tor usage at the time of the email stick out.

Obviously, he should've just not done it from Harvard's network (and obviously, he shouldn't have done it at all)...but I think it's a good lesson when teaching others about security...know the conceptual limits of the black box you choose to use.

There's always an official good reason why some Tor user gets busted by the Feds, and it's never that Tor itself is pwned. It reminds me of Brits trying not to show that they pwned Enigma during WWII.

If I needed to be shielded from the Feds, and I depended on Tor for this, I'd feel increasingly nervous.

As an aside, do we think that as online courses become every more prevalent that we will see an equivalent of this in the form of DOS attacks?
It's been a while since I was in the network security and monitoring world so I'm wondering what this monitoring software looks like. It sounds like it has the capability to keep a historical log of the type of traffic associated with each wifi-authenticated user. How detailed is the traffic analysis? How is the data recorded and for how long?
It sounds like they merely looked for who had accessed a Tor network, not that they could tell anything about the communication. Kind of like, "We know the perpetrator entered the grounds through the east gate prior to 9:00am. Security footage shows only 1 person doing that so go talk to him".
Thats exactly what happened–he then confessed under interrogation.
The weakest link is always the end-user.