C+ in Online Anonymity

How Harvard tracked down the student who allegedly made bomb threats to get out of an exam.

Firefighters check a locked gate on Quincy Street at Harvard University during the bomb scare
Firefighters check a locked gate on Quincy Street at Harvard University during the bomb scare on Dec. 16, 2013.

Photo by Darren McCollester/Getty Images

On Monday afternoon, while four buildings on the Harvard University campus were still being searched for explosives, I met my younger brother for lunch in Harvard Square. “I just want you to remember,” I told him, half-joking, “no matter how much you don’t want to take your Life Sciences 1a final—this is not the answer.”

We agreed that a student looking to get out of a 9 a.m. final had probably issued the anonymous bomb threats that had postponed exams and emptied several buildings on campus. But as someone who researches cybersecurity, I worried that the guilty party was unlikely to be caught (though I was absolutely rooting for the investigators to succeed). There are two ways I thought the emails had probably been sent without creating (much of) a trail.

The first way would be to go to a public computer in a library or cluster that doesn’t require a login and create a new email address on it, then send the emails from that address and leave. (Not coincidentally, this was the exact method used to send anonymous death threats via email as part of an elaborate hoax that occurred when I was in college.) Harvard could then identify people who had logged in to university accounts on that computer—or nearby machines—in the same time window and question them about whom they had seen using the public computers. But it seems unlikely that this would ultimately lead them back to the perpetrator, unless surveillance cameras were in place. This would be the email equivalent of the person who called in a shooter on Yale’s campus last month from a pay phone. The communications could be traced back to a specific machine—but not an individual.

The other scenario that seemed likely was one in which the threats were emailed from an off-campus location using public Wi-Fi. If the sender were sitting in the Harvard Square Starbucks, say, or the nearby Dado Tea, or any number of other Wi-Fi-equipped cafes within walking distance of Harvard Yard, I doubt that he would be found. If a Harvard student were not, in fact, responsible for the threats, and instead, they had been made by someone totally outside the university community, it seems even less likely that the perpetrator would be successfully identified.

Basically, I assumed that—at a university where users have to register the MAC addresses of their devices with a university ID and password in order to access the Internet—whoever had sent the bomb threats had either not used his own computer or not used the Harvard network. But according to the affidavit filed yesterday, I was wrong on both counts.

Harvard sophomore Eldo Kim has been charged in connection with the threats and confessed that he sent them in order to avoid taking an exam. Contrary to my expectations, he seems to have sent the emails from his own personal computer on the Harvard network, making use of a pair of technical tools to try to protect his anonymity. But while his understanding of online anonymity was sophisticated enough for him to try to mask his tracks, it was ultimately incomplete.

The affidavit says that on Monday morning around 8:30, the Harvard University Police Department, two university officials, and the president of the Harvard Crimson received identical email messages with the subject line “bombs placed around campus” and the following in the message body:

shrapnel bombs placed in:

science center
sever hall
emerson hall
thayer hall

2/4. guess correctly.

be quick for they will go off soon

The messages were sent from a Guerrilla Mail account. That service, which bills itself as providing “disposable, temporary e-mail addresses,” instantly generates new email addresses that can be used without any registration and that are then deleted an hour after their creation. This is, obviously, more anonymous than sending messages from an authenticated Harvard email account—but it’s not clear that it provides any greater anonymity than other email addresses that could be easily created using any number of free email providers. If anything, the emphasis of Guerrilla Mail seems to be on preventing replies (after the account has expired) rather than protecting identities, since the company’s terms of service explicitly state that outgoing email headers contain the originating Internet protocol address.

Kim seems to have understood this, because he used the popular anonymity service Tor to mask his IP address before connecting to Guerrilla Mail. Tor allows users to send their Internet traffic through multiple online relays located all over the world, making it extremely difficult to identify the actual originating machine (unless you happen to be the National Security Agency). A valuable tool for political activists living under oppressive regimes, Tor can also be used to shield users, like Kim, with more malicious aims. So, if Kim knew he needed an anonymous email account, and he knew he needed to mask his IP address, what was his mistake (besides sending bomb threats in the first place)?

Presumably, the originating IP addresses in the email headers pointed to known Tor exit nodes—servers that are publicly listed as being part of the Tor network. The crucial sentence of the affidavit states: “Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.” Just as the exit nodes are common knowledge, many of the entry, or access, nodes used to connect to Tor are also listed in the service’s directory (some aren’t, to allow access to users in places that have blocked all known Tor servers). So while it’s easy to hide what you’re doing online when you’re using Tor, it’s harder to hide the fact that you’re using it. It sounds as if Harvard was able to consult its network activity logs and simply identify a device on its network that connected to one of these known Tor nodes around the same time the emails were sent. That device, presumably, was registered to Kim.

All that proves, of course, is that he (or someone on his computer) was using Tor when the bomb threats were being sent—not that he sent them. Tor is a fairly popular service used by lots of people for all sorts of reasons. (On a college campus, one might expect to see it employed by students downloading copyright-infringing files.) On a network where enough people were using Tor, in fact, the Harvard police might not even have been able to narrow down the suspect list to a manageable size. And even if Kim had been the only person on the Harvard network using Tor at that time, there’s still the possibility that the threats were sent by someone else—not on the Harvard network—using the service.

The digital clues provide, at best, circumstantial evidence, and whoever did this could have made those clues more difficult to collect—by connecting to Tor from a public Wi-Fi network, or a public computer, or even using a bridge relay that is not listed in the service’s directory.

But at a certain point, it might have been easier to study for the exam.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and SlateFuture Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.