
How did Eldo Kim get caught for the Harvard bomb hoax if he used Guerrilla Mail through Tor?

  • "Kim took several steps to hide his identity, but in the end, it was the WiFi that got him, the FBI said. Kim said he sent his messages using a temporary, anonymous email account routed through the worldwide anonymizing network Tor, according to the affidavit. So far, so good. But to get to Tor, he had to go through Harvard's wireless network — and university technicians were able to detect that it was Kim who was trying to get to Tor, according to the affidavit."[1] How did Wi-Fi get him? How was it found out that Tor was used to access Guerrilla Mail? How did university technicians figure out he was the one using Tor? Wouldn't a lot of students theoretically be using it at any given time; how did they single him out?

    [1] http://usnews.nbcnews.com/_news/2013/12/17/21943608-harvard-student-tried-to-dodge-exam-with-bomb-hoax-fbi-says?lite

  • Answer:

    The threat model which Tor protects against is inherently very weak. An attacker who can tell when traffic happened on either end of a connection can use that to determine who's who. In this case the admins probably had logs of when connections were made where, and correlated against the list of Tor entry nodes, and used that to determine a short list of possible suspects. Most likely the one guilty party stood out as someone who didn't normally use Tor but did when the mails were sent. Even with a list of several suspects, it would have been easy to interrogate all of them, and most people buckle and admit everything when questioned.

Bram Cohen at Quora
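The correlation the answer above describes, worked through as an added example (this is not code from the answer or from anyone involved in the case). It takes edge flow records and DHCP/registration records, keeps only flows to addresses on a guard list, maps each source address to the user registered for it at that moment, and ranks the users seen in the window before the mail arrived by how often they had touched Tor before. All log lines, addresses (TEST-NET and RFC 1918), MACs and user names are constructed; `TOR_GUARDS` stands in for a real relay list and `correlate`, `lease_owner` and `parse` are names chosen here.

```python
"""Correlate campus network logs with a Tor guard list around the time an
e-mail was received.  Added example, not code from the answer above.  Every
log line, address and user name below is constructed for illustration
(TEST-NET and RFC 1918 ranges, fake MACs, placeholder users)."""
from datetime import datetime, timedelta
import re

# Constructed stand-in for a published Tor relay list.  An investigator would
# pull the real guard set from the Tor directory; these addresses are fake.
TOR_GUARDS = {"198.51.100.9", "198.51.100.44", "203.0.113.7"}

# Constructed flow records exported at the campus edge:
# timestamp, internal source address, external destination, destination port.
FLOW_LOGS = """\
2013-12-14T21:02:10 src=10.20.5.40 dst=203.0.113.7 dport=443
2013-12-15T19:30:55 src=10.20.5.40 dst=198.51.100.44 dport=9001
2013-12-16T08:11:03 src=10.20.5.17 dst=198.51.100.9 dport=9001
2013-12-16T08:15:00 src=10.20.5.99 dst=203.0.113.7 dport=443
2013-12-16T08:24:37 src=10.20.5.40 dst=203.0.113.7 dport=443
2013-12-16T08:26:12 src=10.20.5.88 dst=192.0.2.25 dport=443
2013-12-16T08:29:50 src=10.20.5.17 dst=198.51.100.9 dport=9001
"""

# Constructed DHCP/registration records: which registered user held which
# address from which time (the MAC-to-ID mapping the answers describe).
LEASE_LOGS = """\
2013-12-14T20:58:00 ip=10.20.5.40 mac=02:00:00:00:00:a1 user=student_a
2013-12-15T19:25:00 ip=10.20.5.40 mac=02:00:00:00:00:a1 user=student_a
2013-12-16T07:55:02 ip=10.20.5.17 mac=02:00:00:00:00:b2 user=student_b
2013-12-16T08:00:00 ip=10.20.5.40 mac=02:00:00:00:00:a1 user=student_a
2013-12-16T08:20:00 ip=10.20.5.88 mac=02:00:00:00:00:c3 user=student_c
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn 'TIMESTAMP k=v k=v ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def lease_owner(leases, ip, at):
    """Most recent lease for `ip` issued at or before `at`, or None when the
    address was never registered (then there is no name to attach yet)."""
    best = None
    for rec in leases:
        if rec["ip"] == ip and rec["ts"] <= at and (best is None or rec["ts"] > best["ts"]):
            best = rec
    return best


def correlate(flow_text, lease_text, guards, received_at, window_hours=3):
    """Who reached a Tor guard in the `window_hours` before `received_at`, and
    how often had each of them done so before?  Users with no prior Tor use
    but a hit in the window sort first: they are the ones who stand out."""
    flows, leases = parse(flow_text), parse(lease_text)
    end = datetime.fromisoformat(received_at)
    start = end - timedelta(hours=window_hours)
    tor_flows = [f for f in flows if f["dst"] in guards]

    def owner_name(flow):
        lease = lease_owner(leases, flow["src"], flow["ts"])
        return lease["user"] if lease else "unregistered:" + flow["src"]

    in_window, prior = {}, {}
    for f in tor_flows:
        name = owner_name(f)
        if start <= f["ts"] <= end:
            in_window[name] = in_window.get(name, 0) + 1
        elif f["ts"] < start:
            prior[name] = prior.get(name, 0) + 1

    rows = [{"user": u, "hits_in_window": n, "prior_tor_flows": prior.get(u, 0)}
            for u, n in in_window.items()]
    rows.sort(key=lambda r: (r["prior_tor_flows"], -r["hits_in_window"], r["user"]))
    return rows


if __name__ == "__main__":
    for row in correlate(FLOW_LOGS, LEASE_LOGS, TOR_GUARDS, "2013-12-16T08:30:00"):
        print(row)
```

Two things the sample is built to show: a source address with no registration record is kept as a separate "unregistered" row rather than dropped, since that gap is exactly what an investigator would go back to the DHCP server for; and the ranking only narrows the list, because a regular Tor user who happened to be online in the window (student_a here) is still a candidate, just a weaker one. Nothing in this correlation needs the content of the Tor traffic.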


Other answers

There was very likely no need for big brother NSA-style hacking or anything. Far more likely, it was just a simple game of connecting the dots and one major mistake from mister smartass, who thinks a bomb threat is an adequate way to delay their final.

Harvard's wireless network works as a semi-open system with a MAC address-based authorization system. To get on the network, you have to log in to a page with your Harvard ID to register the MAC address of the device you want to connect. This way it is quite easy to monitor network activity on a user level. The bomb threat genius was clever enough to connect through the Tor network, yet did so while connected through the Harvard network.

The first course of action at Harvard after receiving the threat was to check the headers of the email. The IP address pointed at a masked transmission through Tor. A check of their IP logs cross-matched with the moment the message was sent likely led to only one user on the network, or few enough to question them all. From there on it was just a matter of cross-checking IP logs with MAC addresses and checking who registered the device.

Ramzi Amri
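The header check this answer opens with, as an added example (not code from the answer, from Guerrilla Mail or from anyone in the case). It walks the Received chain of a message from the earliest hop up, splits it at the trust boundary, and tests the claimed originating address against an exit list. The message, hostnames and addresses are constructed (TEST-NET ranges); `TOR_EXITS` stands in for a real exit list, `OUR_HOSTS` for the receiving site's own mail servers, and `received_hops` and `trace` are names chosen here.

```python
"""Walk an e-mail's Received chain to find where it entered our network and
whether the claimed origin was a Tor exit.  Added example, not from the
answers above; the message, hostnames and addresses are constructed."""
import email
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANY_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

# Constructed stand-in for a Tor exit list (the Tor Project publishes the real
# exit addresses; these TEST-NET addresses are not real relays).
TOR_EXITS = {"203.0.113.77", "203.0.113.78"}

# Mail servers we operate.  Only the Received lines *they* stamped are
# authoritative; everything below them in the chain was written by others.
OUR_HOSTS = {"mail.example.edu", "mx.example.edu"}

# Constructed sample: a webmail provider records the client's address, then
# hands the message to our MX, which relays it to our internal mail host.
SAMPLE = """\
Received: from mx.example.edu ([192.0.2.10])
\tby mail.example.edu with ESMTP; Mon, 16 Dec 2013 08:31:02 -0500
Received: from webmail.example.net ([192.0.2.25])
\tby mx.example.edu with ESMTPS; Mon, 16 Dec 2013 08:31:01 -0500
Received: from [203.0.113.77] (helo=client)
\tby webmail.example.net with HTTP; Mon, 16 Dec 2013 08:30:55 -0500
From: someone@example.net
To: security@example.edu
Subject: constructed sample message

(constructed body)
"""


def received_hops(raw):
    """Return (from_ip, by_host) per hop in transit order, earliest first.
    Each server prepends its Received line, so the header list is newest
    first and has to be reversed; folded continuation lines are unfolded."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        hops.append((ip.group(1) if ip else None, by.group(1).lower() if by else None))
    return hops


def trace(raw, exits=TOR_EXITS, our_hosts=OUR_HOSTS):
    """Split the chain at our trust boundary and classify the claimed origin."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    trusted = [h for h in hops if h[1] in our_hosts]
    claimed = [h for h in hops if h[1] not in our_hosts]
    # The address our first server saw: the one fact we can vouch for.
    handoff_ip = trusted[0][0] if trusted else None
    # Some webmail providers also set X-Originating-IP; prefer it when present,
    # otherwise take the earliest Received line.  Either way it is a claim
    # made by the provider until they confirm it from their own logs.
    xoip = msg.get("X-Originating-IP")
    if xoip and ANY_IP_RE.search(xoip):
        origin = ANY_IP_RE.search(xoip).group(0)
    elif claimed:
        origin = claimed[0][0]
    else:
        origin = handoff_ip
    return {
        "handoff_ip": handoff_ip,
        "claimed_origin": origin,
        "origin_is_tor_exit": origin in exits,
        "origin_needs_confirmation": bool(claimed) or xoip is not None,
    }


if __name__ == "__main__":
    print(trace(SAMPLE))
```

The split matters for the case described above: the receiving site's own servers only ever saw the webmail provider's address, so the Tor exit address is the provider's claim about its client, which is why the affidavit quoted in the other answers has investigators obtaining that information rather than reading it off the message. A forged lower Received line would show up here as a "claimed" hop too, which is the reason not to act on it before the operator who stamped it confirms it.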

My calculated guesses based on the publicly available information. Basically you should not underestimate law enforcement agencies. They have lots of authority. :) And of course there are always limitations in a lot of technologies. Nothing is truly anonymous. Tor has a documentation page that most people do not care to read. I assume we have a basic idea of how Tor works and some basic networking.

Entry and Exit

If you read something about Tor and onion routing, there is an entry point and an exit point in a Tor network. Both are usually vulnerable as far as anonymity is concerned, because that's the point where you are not a part of the Tor network.

Does my ISP know?

So your ISP can always tell you, "we know you are connecting to a Tor network." However, they may not know why you are connecting to a Tor network. Whoever is routing your data to the Tor entry (all the devices and routers involved) obviously knows that you are connecting to the Tor network (like your ISP's routers, or in this case the Harvard network). Similarly, whoever is receiving the data knows that the data is coming from a Tor network (see reference).

Clues from the affidavit

I just read a copy of the affidavit (see reference) and it says a few notable points. This one confirms that the exit point was using Tor; the Guerrilla Mail service must have provided the source IP, which must have belonged to a Tor network:

8. Further investigation yielded information that the person who sent the e-mail messages accessed Guerrilla Mail by using a product called TOR.

I am the Dark Knight, the silent guardian and a watchful protector

If I were an officer with law and authority at my side, I would check with the ISP whether anyone has been using Tor from the network, and I would round him/her up to find out why they have been using Tor. I would suspect that an insider with a grudge might have done it (chances are usually high). The Harvard ISP provides me the logs of suspected IPs that have accessed the Tor network, based on the Guerrilla Mail timestamps. These IPs belonged to the wireless nodes on the campus. I would trace back the logs on the wireless nodes to see who accessed the service.

9. Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.

Subsequent interrogation of the suspects and behavioral analysis would have nailed them.

Affidavit: http://www.bostonmagazine.com/news/blog/2013/12/17/harvard-bomb-hoax-arrest-eldo-kim/
Are you coming through Tor: http://torstatus.blutmagie.de

Ravi Bhonsle

By being thoroughly stupid.

  • Access TOR via attacked network? Check.
  • Access attacked network while at school? Check.
  • Access attacked network while under video surveillance? Check.
  • Access attacked network with personal ID? Check.
  • Didn't ask for your lawyer? Check.
  • Talked to the police? Check.
  • Confessed to the police? Check.

There really is no wonder why he had to figure out a way to get out of his finals. He's that stupid. His utter incompetence truly is a wonder to behold. For anyone else stupid enough to do this in the future: just fail your finals. You'll actually look less stupid failing all of your exams than pulling this stunt, and that truly is saying something.

Anirudh Joshi

http://cbsboston.files.wordpress.com/2013/12/kimeldoharvard.pdf

9. Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.

They only needed to know who entered a TOR network; they didn't need to know what was being sent. Since he used Harvard's network, which requires login to use, they knew who he was. Then there is probably a public database of which IP addresses are the TOR entry nodes, which they can compare to.

Question: Would he have been more successful if he had used a Starbucks network instead? Why or why not?

11. KIM further stated that he sent all of the threatening e-mails at about 8:30 a.m. and that he used TOR to create a “http://guerrillamail.com” e-mail address for each of the e-mails. KIM explained that he sent all of the bomb-threat e-mails from his MacBook Pro Laptop. KIM stated he chose the word “shrapnel” because it sounded more dangerous and wrote, “2/4. guess correctly,” so that it would take more time for the Harvard Police Department to clear the area.

They got a confession.

Max Loh
