Eldo Kim arrested over the Harvard bomb threat. Is Tor safe?

Eldo Kim is accused of threatening Harvard University with a bomb attack in e-mail messages aimed at delaying final exams. He used the Tor network for anonymity, without success.
According to the indictment filed with the Massachusetts attorney general's office, the messages were sent around 8:30 a.m. on Monday morning to the University offices and the Police Department. They came from a service called GuerillaMail, which provides temporary email addresses.

According to the affidavit of FBI agent Thomas M. Dalton, "Mr showed that the person who sent the e-mails connected to Guerrilla Mail using Tor" and that "Harvard University was able to determine that Eldo Kim at the time was accessing Tor using the Harvard wireless network." (source: Daily Dot)

We've heard a lot about the Tor service lately. Many people refer to it as top software that offers anonymity. Of course, we have seen in previous publications that the NSA was able to "break" the anonymity offered by the network. (Read here and here)

If we believe that the Tor service is safe, then there are many questions about how Eldo Kim was finally identified. One possible scenario is the following.

A Tor circuit is defined by the nodes a message passes through, from the node where it enters the network to the node where it exits, using a concept called onion routing. The list of Tor exit and entry nodes is available to the public. The IP address of the exit node used by the suspect is recorded in the "X-Originating-IP" header, which the GuerillaMail service adds to outgoing messages by default. The IP address also appears in the logs of the service. On the other hand, the address of the entry node, and the suspect's connection to it, could be discovered by Harvard by analyzing metadata from the traffic logs of its network for the period under consideration. So it seems simple to associate an IP address that uses Tor at both ends of the connection.

But for this to have happened, Harvard University must keep logs of recent network activity. It is known that users of its Wi-Fi network must authenticate with the registered ID assigned to them by the University. So network administrators just looked at who was using the Tor protocol at the time the messages left.
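The correlation described in the two paragraphs above, as an added example (not code from the article or from Harvard): flows to known Tor relays are filtered to the window before the message was sent and attributed to the Wi-Fi session that held the client address at that moment. The log layouts, IP addresses, user IDs, dates and the function name `tor_users_in_window` are all constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# All data below is constructed: documentation-range IPs, made-up user IDs and dates.
TOR_RELAYS = {"192.0.2.10", "198.51.100.7"}  # stand-in for the public relay list
FLOWS = [  # (time, campus client IP, destination IP) from network flow logs
    ("2000-01-03 03:02:11", "10.1.4.57", "192.0.2.10"),    # Tor, hours earlier
    ("2000-01-03 08:12:40", "10.1.4.22", "192.0.2.10"),
    ("2000-01-03 08:20:05", "10.1.4.31", "203.0.113.80"),  # not a Tor relay
    ("2000-01-03 08:25:00", "10.1.4.57", "203.0.113.80"),  # not a Tor relay
    ("2000-01-03 08:29:50", "10.1.4.22", "198.51.100.7"),
]
SESSIONS = [  # (authenticated user ID, client IP, session start, session end)
    ("user_a", "10.1.4.22", "2000-01-03 07:55:00", "2000-01-03 09:10:00"),
    ("user_b", "10.1.4.31", "2000-01-03 08:00:00", "2000-01-03 10:00:00"),
    ("user_c", "10.1.4.57", "2000-01-03 02:30:00", "2000-01-03 04:00:00"),
    ("user_d", "10.1.4.57", "2000-01-03 08:10:00", "2000-01-03 09:00:00"),  # IP reused
]

def ts(text):
    return datetime.strptime(text, FMT)

def tor_users_in_window(flows, sessions, relays, sent_at, window_min=30):
    """Map each authenticated user to the times their device contacted a known
    Tor relay in the window_min minutes before the message was sent."""
    end = ts(sent_at)
    start = end - timedelta(minutes=window_min)
    hits = {}
    for when, src, dst in flows:
        t = ts(when)
        if dst not in relays or not (start <= t <= end):
            continue
        # Attribute by the session active at flow time; an IP alone is not a
        # user, because addresses are reassigned between sessions.
        for user, ip, s_start, s_end in sessions:
            if ip == src and ts(s_start) <= t <= ts(s_end):
                hits.setdefault(user, []).append(when)
    return hits

if __name__ == "__main__":
    for user, times in tor_users_in_window(
            FLOWS, SESSIONS, TOR_RELAYS, "2000-01-03 08:30:00").items():
        print(user, "contacted a Tor relay at", ", ".join(times))
```

The output is a candidate list built from connection metadata only: it shows who was on Tor in the window, not what they sent.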

If Eldo Kim had used another network, one that did not require a University login, the source of the bomb threat would perhaps still be undetected, thanks to the encryption (SSL/HTTPS) applied to the data. GuerillaMail would have little to offer the FBI other than the fact that the message came from the Tor network and the time the message was sent. However, after receiving the e-mail and determining that it came from a Tor user, the authorities were able to associate the Tor activity with the University, without being certain of its content. The charge was then supported by Eldo Kim's confession. Without his confession, his actions would be impossible to prove, because quite simply no one knew what he was doing while connected to Tor.

This raises important questions about the extent of Harvard's data recording and monitoring. It naturally leaves open whether things were done as described above. If they were not, we should consider the Tor network totally unreliable, since the authorities were able to know exactly what Eldo Kim did.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
