Simple OPSEC Failure: Harvard Bomb Hoax
I remembered this case after seeing a post by a user on Dread who asked about the “best way to safely hide tor usage.” Most people will probably remember this case.
A good question to ask.
The Bomb Threat
On December 16, 2013, “Eldo Kim, 20, of Cambridge, emailed several bomb threats to offices associated with Harvard University, including the Harvard University Police Department and the Harvard Crimson, the student-run daily newspaper.”
The emails had the subject line “bombs placed around campus” and contained the following message:
shrapnel bombs placed in:
science center
sever hall
emerson hall
thayer hall
2/4. guess correctly.
be quick for they will go off soon
[Image: a Harvard alert concerning the bomb hoax.]
The Harvard University Police Department notified the Federal Bureau of Investigation (FBI) in response to the emails. The FBI immediately began an investigation on the campus, in coordination with the Bureau of Alcohol, Tobacco, Firearms, and Explosives (BATFE), the United States Secret Service (USSS), the Harvard University Police Department, the Cambridge Police Department, the Boston Police Department, and the Massachusetts State Police. Officers evacuated the buildings specified in the emails and searched them for explosives.
The FBI investigated the origin of the emails. They learned that someone had used Guerrilla Mail, a disposable email service, to send the threats. Guerrilla Mail attaches the header X-Originating-IP: [the user’s IP address] to every outgoing email. The FBI saw that the person responsible for sending the emails had accessed Guerrilla Mail through Tor. The criminal complaint does not explain how the FBI learned that the suspect had used Tor. However, the simplest explanation is that Guerrilla Mail embedded the IP address of the Tor exit node Kim had used. As The Privacy Blog pointed out, “even if they had not embedded the IP, GuerrillaMail keep logs which would have been available to the FBI with a warrant.”
[Image: Guerrilla Mail is an anti-spam service.]
When investigating the IP address, the FBI saw that it matched the address of a Tor exit node.
Investigators and Harvard University employees analyzed the logs for the University’s wireless network. The logs revealed that Kim had been using Tor in the hours leading up to receipt of the emails. The rest is history.
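As an added example (not code from the original post), here is how a campus incident-response team could automate the two investigative steps described above: pull the sender's address from Guerrilla Mail's X-Originating-IP header, check it against a Tor exit list, and, if it is an exit, search the wireless-gateway logs for users who connected to known Tor relays in the window before the message was sent. The header name follows the post; the bracketed value, the log line format, the addresses, user names and Tor lists are all constructed assumptions for the example.

```python
import email
import email.utils
from datetime import datetime, timedelta

# Constructed sample inputs (all addresses, names and times are made up):
# a raw Guerrilla Mail message carrying the X-Originating-IP header,
# a Tor exit list, a Tor relay list and campus wireless-gateway log lines.
RAW_EMAIL = (
    "Date: Mon, 16 Dec 2013 08:30:12 -0500\r\n"
    "From: sender@guerrillamail.com\r\n"
    "To: someone@example.edu\r\n"
    "Subject: bombs placed around campus\r\n"
    "X-Originating-IP: [203.0.113.45]\r\n"
    "\r\nbody omitted\r\n"
)
TOR_EXITS = {"203.0.113.45", "198.51.100.7"}
TOR_RELAYS = TOR_EXITS | {"192.0.2.10", "192.0.2.11"}
# Constructed log line format: "<ISO 8601 time> user=<id> dst=<ip>:<port>"
WIFI_LOG = """\
2013-12-16T07:55:03-05:00 user=alice dst=192.0.2.10:9001
2013-12-16T08:02:41-05:00 user=bob dst=93.184.216.34:443
2013-12-16T08:20:19-05:00 user=alice dst=192.0.2.11:443
2013-12-16T09:10:00-05:00 user=carol dst=192.0.2.10:9001
"""

def originating_ip(raw):
    """Bare IP from X-Originating-IP; tolerates a bracketed or bare value."""
    msg = email.message_from_string(raw)
    value = msg.get("X-Originating-IP", "")
    return value.strip().strip("[]") or None

def sent_time(raw):
    """Timezone-aware datetime parsed from the message's Date header."""
    return email.utils.parsedate_to_datetime(email.message_from_string(raw)["Date"])

def tor_users_before(log, sent_at, relays, window=timedelta(hours=2)):
    """Users whose gateway records show Tor relay connections in the window before sent_at."""
    users = set()
    for line in log.splitlines():
        ts, user, dst = line.split()
        when = datetime.fromisoformat(ts)
        ip = dst.split("=", 1)[1].rsplit(":", 1)[0]
        if ip in relays and sent_at - window <= when <= sent_at:
            users.add(user.split("=", 1)[1])
    return sorted(users)

def correlate(raw=RAW_EMAIL, log=WIFI_LOG):
    """Return (originating IP, is_tor_exit, candidate users) for the investigation."""
    ip = originating_ip(raw)
    if ip not in TOR_EXITS:
        return ip, False, []  # a non-Tor IP points at the sender's network directly
    return ip, True, tor_users_before(log, sent_time(raw), TOR_RELAYS)

if __name__ == "__main__":
    print(correlate())  # ('203.0.113.45', True, ['alice'])
```

The candidate list only narrows the suspect pool to users who reached Tor relays before the send time; as in the case above, it is the interview that turns a candidate into a confession.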
The FBI and an officer of the Harvard University Police Department questioned Kim. They advised Kim of his rights under Miranda. Then Kim confessed to sending the emails in an attempt to avoid taking an exam.
Kim then stated that he authored the bomb threat emails described above. Kim stated that he acted alone. He further stated that he sent the emails to “five or six Harvard University email addresses” that he picked randomly from the University’s web page. According to Kim, he was motivated by a desire to avoid a final exam scheduled to be held on December 16, 2013.
Kim further stated that he sent all of the threatening emails at about 8:30 a.m. and that he used TOR to create a “guerrillamail.com” email address for each of the emails. Kim explained that he sent all the bomb-threat emails from his MacBook Pro Laptop. Kim stated he chose the word “shrapnel” because it sounded more dangerous and wrote, “2/4. guess correctly,” so that it would take more time for the Harvard Police Department to clear the area.
Kim was scheduled to take a final exam in Emerson Hall, a building on the Harvard campus, at 9:00 a.m. on December 16, 2013. Kim stated that he was in Emerson Hall at 9:00 a.m. when the fire alarm sounded and the building was evacuated. According to Kim, upon hearing the alarm, he knew that his plan had worked.
To be clear, Tor did not fail. Kim was one of very few, if any, university students using Tor in the time before the bomb threats were received.
Also, Kim’s plan was a success, I think.
archive.org (DOJ Announcement)
He got into a diversion program where he avoided criminal charges in exchange for serving 4 months of house arrest, 750 hours of community service and restitution for the costs of the emergency response. It pays to be rich, I guess; no way a plebeian would get a bargain like that.
It's quite interesting that the university had that level of logging on their network. Presumably they historically logged all ports and IPs accessed and were able to tie that IP to a particular user. I don't think most ISPs will even have that much logging. Certainly the one I work at does not 🧐 only the source IP of each customer at any given time.
Country of the ISP you work for please
Since 2005, most universities in the USA had the equipment. Started with Cisco, then later Avaya. To have an AS-node slice of the direct ICANN internet the size that universities get, those universities have to agree to extensive management. Agreements which force latest technology (reminder: we're talking 2005 here). All of this was fallout from the Microsoft winNT/Win2k endless security breaches, warez ftp, p2p explosions, and phreak wars of the late 90s and early 00s. Thus by the time 2005/6 rolled around, most networks had intrinsic captive portal and logging tied directly into VLAN configurations on Cisco/Avaya switch and management frameworks. Full network hardware layer integration campus wide. Sweet dollars and tax breaks for all the companies involved -- If you had access to it, you didn't --not-- do it. Thus, any latecomers past 2007 had no idea the entire network fabric of any University had become instant kill-zones. The guy was 10yrs too late for his trick to work.
TBH the comments above as well as the general conclusion of the article are a bit off... Using a VPN would not change this story at all. Changing his MAC would've been nice but wouldn't have helped much as he was using his university account to access the university WiFi anyway. The IP address shared by GM played no role; if it had not been included then the GM server logs would have had it as well as the third parties with content displayed on GM, etc, etc. His traffic was stained. Tor frequently, and especially in those days, has vulnerabilities that get reported and patched after the IC has been using them to hack browsers. IC operate about half the major tor nodes out there to eliminate the 1 little hop that Tor provides users by default. In short, he had no chance before he even downloaded Tor. On top of all that they would've immediately put university students at the top of their suspect list in this situation anyway, because that's who stands to gain and who always does this.
imagine how pissed his mum was upon finding out what little Eldo had done! Korean folks don't like when the kids do stupid shit like this, Real hoogan ish
This would have been prevented if the user simply used the "meek-azure" bridge that TOR provides, right? That obfuscates your traffic and makes it appear that you are using a Microsoft website.
His OPSEC was enough to keep him out of jail by a far shot, how about, “fuck you university rent-a-cops, I’m not saying anything without a lawyer, that my rich parents will foot the bill for, by the time the bank opens tomorrow…”
His mouth was the real OPSEC failure.
So you’re really going to use school campus Wi-Fi for something like this instead of buying a cup of coffee up the street in cash and using Starbucks wifi instead?
Tor will not protect you from correlation attacks… they are incredibly unlikely unless you are a market man but ya they work great if you’ve got a meaty supercomputer at your disposal $$$
This kid should have focused on his studies, an opportunity to graduate from Ivy League and be legitimately stinking successful for this bullshit? Some sexy blonde hottie is sobbing in the future for this… What a fucking dumbass.
Really though, this should not be sufficient proof, right? Right? Gotta ask twice these days, especially when it comes to the US.
about:config network.http.sendRefererHeader Set to 0 to avoid emails sending headers that can help deanonymize sender.
complete asshole. not only did he ruin many people's day and waste resources and time, he couldn't even do it right
That's why you either attack an unrelated target or lots of targets at the same time. And you don't confess, obviously.
This guy really needed an extension for that term paper or his Asian parents would disown him
would still need to spoof MAC at least for using cracked wifi
as dumb as you can get. what punishment did he get? it doesn't matter, he could've easily avoided all of this with little extra security steps.