Douglas Crawford

Douglas Crawford

December 19, 2013

Perhaps it’s wrong of us, but we found the story of Eldo Kim, a Harvard University student who made bomb threats in order to get out of an taking a final exam rather amusing (although the potential five year jail sentence certainly isn’t.)

More interesting, however, and a pertinent lesson for those who want to protect their anonymity, is how he got caught. Kim sent the bomb threats by email, using an anonymous disposable email service called Guerrilla Mail, and further protecting his identity using the Tor anonymity network.

These might sound like great precautions to prevent getting caught, but Kim made the mistake of using the Harvard campus WiFi network when making the threats. All Harvard security had to do was check their logs to see who was using Tor at the time the emails were sent, and the police could then bring them in for questioning (and it is very possible that Kim was the only person using Tor at 8:30 that day). This incidentally is known as ‘end to end timing attack’, and is known vulnerability with Tor.

Apparently it didn’t take much pressure from the police before Kim gave a full confession.

Although this mistake was undoubtedly very stupid on Kim’s part, it is, to be honest, a fairly easy one to make, and demonstrates how those serious about security need to carefully think through the implications of their setup. Remember that Kim was a student at one of the world’s top universities. He is not dumb.

In Kim’s case, he should instead have gone somewhere with open WiFi (such as public library or café), which would have made it very difficult to catch him. Using VPN instead of Tor may have helped a little as it is a little less obvious to spot, but would still have been vulnerable to an end to end timing attack.

Of course, we do not in any condone Kim’s actions, but anonymity tools are just that: tools. They have many extremely good uses, and to use them well people need to learn from the mistakes of others.