Darknetlive

Simple OPSEC Failure: Harvard Bomb Hoax

In 2013, a Harvard University student sent a bomb threat to university faculty members. Although the student had used the Tor Browser and an anonymous email address, law enforcement identified him within hours of his sending the threats.

I remembered this case after seeing a post by a user on Dread who asked about the “best way to safely hide tor usage.” Most people will probably remember this case.

A good question to ask.

The Bomb Threat

On December 16, 2013, “Eldo Kim, 20, of Cambridge, emailed several bomb threats to offices associated with Harvard University, including the Harvard University Police Department and the Harvard Crimson, the student-run daily newspaper.”

The emails had the subject line “bombs placed around campus” and contained the following message:

shrapnel bombs placed in:
science center
sever hall
emerson hall
thayer hall
2/4. guess correctly.
be quick for they will go off soon

A Harvard alert concerning the bomb hoax.

The Harvard University Police Department notified the Federal Bureau of Investigation (FBI) in response to the emails. The FBI immediately began an investigation on the campus, in coordination with the Bureau of Alcohol, Tobacco, Firearms, and Explosives (BATFE), the United States Secret Service (USSS), the Harvard University Police Department, the Cambridge Police Department, the Boston Police Department, and the Massachusetts State Police. Officers evacuated the buildings specified in the emails and searched them for explosives.

Police evacuated the listed buildings and searched for bombs

X-Originating-IP

The FBI investigated the origin of the emails. They learned that someone had used Guerrilla Mail, a disposable email service, to send the threats. Guerrilla Mail attaches the header “X-Originating-IP: [the user’s IP address]” to every outgoing email. The FBI saw that the person responsible for sending the emails had accessed Guerrilla Mail through Tor. The criminal complaint does not explain how the FBI learned that the suspect had used Tor. However, the simplest explanation is that the IP address Guerrilla Mail embedded in the header was that of the Tor exit node Kim had used. As The Privacy Blog pointed out, “even if they had not embedded the IP, GuerrillaMail keep logs which would have been available to the FBI with a warrant.”

Screenshot of Guerrilla Mail’s terms of service: Guerrilla Mail is an anti-spam service.

When investigating the IP address, the FBI saw that it matched the IP address of a Tor exit node.

Investigators and Harvard University employees analyzed the logs for the University’s wireless network. The logs revealed that Kim had been using Tor in the hours leading up to the receipt of the emails. The rest is history.
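The two correlation steps described above (read the originating address out of the message and check it against the Tor exit list, then look in campus network logs for clients that talked to Tor relays in the window before the message arrived) are small enough to show in code. The following Python script is an added example written for this page; it is not code from Darknetlive, Guerrilla Mail, Harvard or the FBI. The message, the exit-node and relay lists, the usernames and every log line are constructed, using documentation-range addresses, and the real investigation would have used the public exit list plus NetFlow and captive-portal authentication records rather than the toy formats here.

```python
import email
from email import policy
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed raw message shaped like a Guerrilla Mail delivery. The originating
# address is a documentation-range placeholder, not an address from the case.
SAMPLE_EMAIL = """\
From: anon@guerrillamail.com
To: recipient@example.edu
Subject: bombs placed around campus
Date: Mon, 16 Dec 2013 08:30:00 -0500
X-Originating-IP: [198.51.100.23]

(body omitted)
"""

# Constructed stand-ins for the public Tor exit list and for relay addresses a
# Tor client contacts when it bootstraps (guards, directory mirrors).
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}
TOR_RELAYS = {"192.0.2.10", "192.0.2.11"}

# Constructed campus flow log: "timestamp client_ip username dst_ip dst_port".
# Timestamps are local time, the same zone as the message's Date header.
FLOW_LOG = """\
2013-12-16T07:55:12 10.20.0.15 user_a 93.184.216.34 443
2013-12-16T08:02:41 10.20.0.42 user_b 192.0.2.10 9001
2013-12-16T08:10:03 10.20.0.42 user_b 192.0.2.11 443
2013-12-16T08:12:30 10.20.0.15 user_a 93.184.216.34 443
2013-12-16T08:26:55 10.20.0.42 user_b 192.0.2.10 9001
2013-12-16T11:40:00 10.20.0.77 user_c 192.0.2.11 443
"""


def originating_ip(raw_message):
    """Return the address from X-Originating-IP, or None if absent or malformed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    candidate = str(value).strip().strip("[]")  # header carries the address in brackets
    try:
        return str(ip_address(candidate))
    except ValueError:
        return None


def is_tor_exit(ip, exit_nodes=TOR_EXIT_NODES):
    """True if the address appears in the exit-node list."""
    return ip is not None and ip in exit_nodes


def parse_flow_log(text):
    """Parse the space-separated flow log into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, dst, port = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "client": client,
                     "user": user, "dst": dst, "port": int(port)})
    return rows


def tor_clients_before(rows, deadline, window, relays=TOR_RELAYS):
    """Count, per user, connections to known Tor relays within `window` before `deadline`."""
    start = deadline - window
    counts = {}
    for row in rows:
        if row["dst"] in relays and start <= row["time"] <= deadline:
            counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts


def investigate(raw_message, log_text, window=timedelta(hours=2)):
    """Run both steps: (originating ip, whether it is a Tor exit, candidate users)."""
    ip = originating_ip(raw_message)
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Drop the zone so the comparison matches the naive local timestamps in the log.
    received = msg["Date"].datetime.replace(tzinfo=None)
    candidates = {}
    if is_tor_exit(ip):
        candidates = tor_clients_before(parse_flow_log(log_text), received, window)
    return ip, is_tor_exit(ip), candidates


if __name__ == "__main__":
    print(investigate(SAMPLE_EMAIL, FLOW_LOG))
```

On the constructed data the script reports that the originating address is an exit node and that exactly one campus user contacted Tor relays in the two hours before the message was dated, which is the shape of the conclusion the article describes: not a break in Tor, but a very short list of local Tor users at the relevant time.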

Confession

The FBI and an officer of the Harvard University Police Department questioned Kim. They advised Kim of his rights under Miranda. Then Kim confessed to sending the emails in an attempt to avoid taking an exam.

Kim then stated that he authored the bomb threat emails described above. Kim stated that he acted alone. He further stated that he sent the emails to “five or six Harvard University email addresses” that he picked randomly from the University’s web page. According to Kim, he was motivated by a desire to avoid a final exam scheduled to be held on December 16, 2013.

Kim further stated that he sent all of the threatening emails at about 8:30 a.m. and that he used TOR to create a “guerrillamail.com” email address for each of the emails. Kim explained that he sent all the bomb-threat emails from his MacBook Pro Laptop. Kim stated he chose the word “shrapnel” because it sounded more dangerous and wrote, “2/4. guess correctly,” so that it would take more time for the Harvard Police Department to clear the area.

Kim was scheduled to take a final exam in Emerson Hall, a building on the Harvard campus, at 9:00 a.m. on December 16, 2013. Kim stated that he was in Emerson Hall at 9:00 a.m. when the fire alarm sounded and the building was evacuated. According to Kim, upon hearing the alarm, he knew that his plan had worked.

To be clear, Tor did not fail. Kim was one of very few university students, if not the only one, using Tor on the campus network in the hours before the bomb threats were received.

Also, Kim’s plan was a success, I think.

Affidavit pdf

archive.org (DOJ Announcement)

17 Comments
b0ef10b8
42c19b00 Mon, Mar 14, 2022

Would have easily been mitigated by a VPN, a bridge, or using a cracked wireless network – ideally, all three. You can bet that glowies query ISPs for Tor users and map them out; you’re easy to link to Tor activity if you’re in an area or country with a low density of other Tor users.

213faa61
baa60540 Mon, Mar 14, 2022

would still need to spoof MAC at least for using cracked wifi

74c0ee10
fc8a50b0 Tue, Mar 15, 2022

as dumb as you can get. what punishment did he get?
it doesn’t matter, he could’ve easily avoided all of this with little extra security steps.

d976723f
1b524050 Tue, Mar 15, 2022

He got into a diversion program where he avoided criminal charges in exchange for serving 4 months house arrest, 750 hours of community service and restitution for the costs of the emergency response. It pays to be rich I guess, no way a plebeian would get a bargain like that.

04a185fc
12811050 Tue, Mar 15, 2022

It’s quite interesting that the university had that level of logging on their network. Presumably they historically logged all ports and IPs accessed and were able to tie that IP to a particular user. I don’t think most ISPs will even have that much logging. Certainly the one I work at does not 🧐 only the source IP of each customer at any given time.

c3c81632
2dffda80 Tue, Mar 15, 2022

Country of the ISP you work for please

9bb9caec
c4473ec0 Tue, Mar 15, 2022

Since 2005, most universities in the USA had the equipment. Started with Cisco, then later Avaya. To have an AS-node slice of the direct ICANN internet the size that universities get, those universities have to agree to extensive management. Agreements which force latest technology (reminder: we’re talking 2005 here). All of this was fallout from the Microsoft WinNT/Win2k endless security breaches, warez ftp, p2p explosions, and phreak wars of the late 90s and early 00s. Thus by the time 2005/6 rolled around, most networks had intrinsic captive portal and logging tied directly into VLAN configurations on Cisco/Avaya switch and management frameworks. Full network hardware layer integration campus wide. Sweet dollars and tax breaks for all the companies involved – If you had access to it, you didn’t –not– do it. Thus, any latecomers past 2007 had no idea the entire network fabric of any University had become instant kill-zones. The guy was 10yrs too late for...

398666c5
61d1dd40 Tue, Mar 15, 2022

TBH the comments above as well as the general conclusion of the article are a bit off…

Using a VPN would not change this story at all. Changing his MAC would’ve been nice but wouldn’t have helped much as he was using his university account to access the university WiFi anyway. The IP address shared by GM played no role; if it had not been included then the GM server logs would have had it as well as the third parties with content displayed on GM, etc, etc.

His traffic was stained. Tor frequently, and especially in those days, has vulnerabilities that get reported and patched after the IC has been using them to hack browsers. IC operate about half the major tor nodes out there to eliminate the 1 little hop that Tor provides users by default. In short, he had no chance before he even downloaded Tor.

On top of all that they would’ve immediately put university students at the top of their suspect list in this situation anyway, because that’s who stands to gain...

3d717a0c
6b1cdd10 Tue, Mar 15, 2022

imagine how pissed his mum was upon finding out what little Eldo has done! Korean folks don’t like when the kids do stupid shit like this, Real hoogan ish

d2672568
c3be17f0 Tue, Mar 15, 2022

This would have been prevented if the user simply used the “meek-azure” bridge that TOR provides, right? That obfuscates your traffic and makes it appear that you are using a Microsoft website.

c81cfc9b
f8807f30 Wed, Mar 16, 2022

His OPSEC was enough to keep him out of jail by a far shot, how about, “fuck you university rent-a-cops, I’m not saying anything without a lawyer, that my rich parents will foot the bill for, by the time the bank opens tomorrow…”

-
His mouth was the real OPSEC failure.

9aa7e9c4
a2a9af30 Fri, Mar 18, 2022

Really though, this should not be sufficient proof, right? Right? Gotta ask twice these days, especially when it comes to the US.

3425dce0
f6c76b30 Sun, Mar 20, 2022

about:config
network.http.sendRefererHeader Set to 0 to avoid emails sending headers that can help deanonymize sender.

ea846573
0c190600 Mon, Mar 21, 2022

complete asshole. not only did he ruin many people’s day and waste resources and time, he couldn’t even do it right

12ca7063
38d7ca40 Thu, Mar 24, 2022

That’s why you either attack unrelated target or lots of targets at the same time. And you don’t confess, obviously.

45e28aa7
59206530 Sun, Apr 10, 2022

This guy really needed an extension for that term paper or his Asian parents would disown him
