Schneier on Security
A blog covering security and security technology.
December 18, 2013
Tor User Identified by FBI
Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat.
This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess.
Tor didn't break; Kim did.
Posted on December 18, 2013 at 9:59 AM
The whole point of tools like TOR is that they shouldn't be rare. As soon as they become common enough, then the number of potential suspects becomes too large to check effectively.
(Which of course doesn't mean the checking won't be done but rather that the odds of a false or coerced confession are comparable to the odds of a true one, thus leaving the actual perp in the clear.)
Since all human rights and the constitution are suspended in "terrorist" cases... and they therefore just tortured all Tor users on campus until one confessed finally... did they even really get the right guy? or did one just falsely confess to make them stop?
Not that he doesn't deserve to be convicted (assuming he's actually guilty—I'm not about to assume that a confession means anything, given how many false confessions occur), but I'm surprised that someone who uses TOR doesn't know that you DON'T TALK TO THE POLICE.
@Matt - this is someone in what is (I hope and assume) an unusual intersection of sets - people savvy enough to use TOR, and people stupid enough to email a bomb threat to get out of a final.
Wait - you mean the FBI didn't have to violate the Constitution to get the culprit? They just used "old-fashioned" police work? Unpossible!
@paul: Yes, the whole point of tools like TOR is that they shouldn't be rare.
On the other hand, many tools like that scale very badly, so they are only useable until everyone and his dog wants to start using them.
For TOR it's probably the bandwidth needed that multiplies with each additional hop. No big deal if only a few use it. But if everyone wants to send his traffic zig-zag across 5 hops, the overall bandwidth needed on the net will multiply by 5.
Two words: Public WiFi.
If you are really, really, paranoid, public wifi -> tor -> compromised machine -> tor -> target.
Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.
That was probably his biggest mistake, should have used a coffee shop free wifi.
> That was probably his biggest mistake, should have used a coffee shop free wifi.
Yes, and he should have assigned his computer a random MAC address first.
I'm somewhat amazed and disappointed that the readers of a security list have more sympathy with the perpetrator than with hundreds or thousands of people affected by the threat and the people tasked with protecting them. Yes real bombs are more dangerous than threats, but threats are not benign. The public safety resources wasted in dealing with them, and the potential for injury as people respond to the threat make even threats terror weapons against the occupants of the threatened space. Just because the government has chosen unacceptable tactics to fight terrorism, it does not make the acts they are trying to prevent acceptable.
I don't think anyone's shown sympathy for them; we are just analyzing where they went wrong.
"Tor didn't break; Kim did."
That's the whole point in one sentence.
Exam skippers once again proven lazy.
Tor is great but it can't help you if you don’t use your head :)
--I agree but don't think people feel sorry, tragedy all around. Guy's life is ruined, all on campus are shaken up, police waste time.
Plus, TOR gets yet another bad reputation; it's a tool like a gun or a chainsaw, the operator makes it evil.
Bruce, or others on campus, I would like to know if the university had a system or plan in place, and did it work well? B/c my experiences w/ a system in a "gun-man on campus" situation, the system failed me horribly and there was chaos over nothing.
Exactly, just like CPU calculation.
By subtracting information, one by one from the total scope, we can find the logical value: the threat.
What I'd like to know is whether he used Tor with Pluggable Transports and a Bridge, features which were designed to address this kind of "small set" problem by obscuring the fact that Tor is even being used at all.
If not, it's his own fault for using Tor in ignorance. But if so, how did the FBI defeat these measures?
"But the mood on campus seemed to shift quickly from fear toward curiosity, annoyance, or indifference, long before the last of the four evacuated buildings was deemed bomb-free around 3 p.m. Almost from the start, officials called the evacuation a result of “an abundance of caution,” and many students speculated that the threat was an exam-period hoax."
My understanding, from reading other reports, is that this guy was the only one using TOR on Harvard's network that day, which made him absurdly easy to ID.
Oh, come on.....
His biggest mistake was that he should've used public Wi-Fi?
NO, people, just NO.
His biggest mistake was that he DIDN'T STUDY FOR HIS EXAM and therefore put himself in a position where he felt he needed to find a way to get out of it. This kid didn't engage in some Snowden-esque conscientious objection to bad laws, or poor treatment at Harvard .... his actions were both selfishly-driven and socially unacceptable.
And let's face it, the very reason the FBI exists at all is because people like that -- selfish people doing anti-social things -- exist in the world.
This is a security blog; people here are going to be less concerned with what he did, and more concerned with how he got caught.
If they're willing to strip-search and stick their hands up the v...a and a...s of an Indian Diplomat over minor financial paperwork
"minor financial paperwork"...LOL...and 99 other fantasies.
Just FYI, the Vienna convention does not shield criminals from the consequences of their actions.
For anyone else who may not be from India:
In India of course a criminal (one convicted by an Indian court) can set themselves up for election and quite a few such have been elected to public office there.
And then they have the power of the bribe. A friend of mine went to get a driving license for a motor cycle in Lucknow. The clerk told him that he could just write a license for an automobile without any additional testing. It would cost a bit of extra money to be given 'under the counter', but my friend thought it could be useful and agreed to it.
But that is there. And now Indians are making a big fuss because they believe their government's version of what has happened in the USA.
Had he not confessed, they would have had nothing. He would be free, although the obvious suspect.
My impression is that there are distinguishing features of wireless chipsets, so that you can tell for instance Atheros from Broadcom. The paranoid can conceive of open WiFi access points that would detect "improper" MACs - in this instance a MAC that should be coming from an Atheros chip, that had the "signature" of a Broadcom chip. At that point, "click" go the security cameras, and another shot when that particular MAC goes offline, identifying who just moved.
In other words simply randomizing your MAC may not be a good idea - you need some sort of smart randomization so that Atheros only impersonates Atheros, and Broadcom only impersonates Broadcom.
"My impression is that there are distinguishing features of wireless chipsets, so that you can tell for instance Atheros from Broadcom."
It's not completely implausible that this kind of fingerprinting might be possible... Have you got a reference on this?
"you need some sort of smart randomization so that Atheros only impersonates Atheros, and Broadcom only impersonates Broadcom."
Some MAC randomization tools already support this -- keeping the vendor prefix and randomizing the suffix -- e.g. macchanger.
Nobody here has any "sympathy" for actual bombers or fake bomb threat makers. We just have a healthy contempt for government overreaches and some degree of suspicion about what they say happened.
And this being a security blog, we all want to figure out how to keep us all safe from our totalitarian stasi-like government that treats us all like suspected terrorists that are guilty until proven innocent. If that makes it appear like we're trying to figure out how to keep the actually really guilty safe from the government too, I assure you that's only a coincidence since security isn't about guilt or innocence.
>we all want to figure out how to keep us all safe from our totalitarian stasi-like government that treats us all like suspected terrorists that are guilty until proven innocent.
I believe the US government funds an anonymous network proxy called Tor to allow people to do that
@DB: "security isn't about guilt or innocence".
Yeah, guilt or innocence are for lawyers, as all other legal activities are reactive after the fact of an attack/attempt, once the culprit is in custody. For security professionals: technical and other proactive deterrents before the attack - just an opinion.
If you apply a psychological association test: Harvard -> bomb -> ? (what is your next word?) Ted Kaczynski?!
If they're willing to strip-search and stick their hands up the vagina and anus of an Indian Diplomat over minor financial paperwork, what do you think they were doing to the kids at Harvard who used TOR?
Your comment is far from reality and unrealistic. Proper actions appear to have been taken against this person who failed to follow U.S. laws regarding the treatment (payment) of household help. She didn't follow the law, she didn't cooperate with the police, she expected to have special treatment but didn't receive it as she is not in India. India's special treatment of "special people" is total nonsense and the exact opposite of what the U.S.A. represents. Rather than riot, India should pause for a minute, listen, watch and learn.
MAC addresses are almost entirely derived from pools assigned to the device vendor (ie Apple, Samsung, Motorola), not the chipset vendor (ie Broadcom, Atheros, etc). Also, agreed that it is very trivial for a randomizer to select a new MAC using the same manufacturer identifier (the first 3 octets).
Even if he had used a public wifi, exhaustive detective work could have isolated Tor users at nearby coffeeshops or other public Wifi connections.
Using Tor through a vpn would have made a difference, especially if you are one of millions using vpn's.
After the Snowden revelations, my internet usage has changed. I use https: everywhere and I use a VPN nearly all the time.
@Martin what makes you think people are treated equally in the USA? If people were treated equally, why does James Clapper still have his job, let alone his freedom, after confessing to having committed felony perjury in front of Congress? No, he gets special treatment because he's the Director of National Intelligence. He can therefore break the law with no consequences at all. There are many other examples of this too; this is just a recent, obvious, high-profile one.
A quick search...
As Mike points out, MAC ranges are by system manufacturer, not chipset vendor. As you point out, macchanger can keep you within your system manufacturer's prefix. It would be nice if the space were expanded - if there were some way to know what manufacturers used your Atheros (or Broadcom) chipset and let macchanger pick from that bigger set of ranges. At that point it's probably gilding the lily, unless of course there are documented subranges that do identify the chipset.
Keep in mind, this is Harvard, a very populated area. A 10-20 minute drive, and you are talking hundreds of possible coffee shops. Whether you can even find if someone was using Tor at a given coffee shop depends on how much logging they have; in coffee shops it's probably limited or non-existent. If there are no logs, you really don't have much of anything.
Even then, identifying the specific person who was using the wifi is difficult. Maybe you have surveillance cam footage, but the quality will probably be too poor to identify them.
If you are really concerned, drive into a residential neighborhood and find an unsecured router.
"Proper actions appear to have been taken against this person"
I have difficulty seeing how someone accused of non-compliance with compensation laws needs to be subjected to strip/cavity searching.
There is of course a difference if your "crime" is something that the government wanted. Murder is normally illegal, but not always so if you do it as part of military duty.
That issue with that Indian diplomat sure seems to annoy some people. She was subjected to standard procedures, get over it.
Since when does the FBI have jurisdiction over bomb threats on non-federal property? The University of Delaware had two bomb threats this year, but the FBI was not involved in the investigations or arrests.
With Mordor-on-the-Potomac, the all seeing NSA eye captures all domestic internet traffic.
The questions then become: a) does the browser used to access Tor leak the MAC address or any identifiable cookies? b) if it does leak, is it observed?
torbrowser is supposed to stop this, but careless browsing may expose either the MAC address or identifiable cookies at the Tor exit node.
It's for this reason that Tails was created.
Nicholas Weaver - the article I linked to is by CSO Steve Ragan, and he cites this original report http://cryptome.org/2013/12/Full-Disclosure.pdf
I'm not sure if you're blasting the CSO article or the original report. Notice on page 2 of the cryptome.org report.
"The evidence provided by this Full-Disclosure is the first independent technical verifiable proof that Bruce Schneier's statements are indeed correct."
Did you read what Steve Ragan wrote? I did go to your "very good piece of intellectual garbage collection" but I'm not sure it even addressed the basis for the report above and left me confused. How in the world would I know what BT is doing? Someone is probably wondering if BS found out about all this crap and split, but can't say anything because of contracts, etc. How in the world would I know? I'm reading everything I can, but there is so much disinformation... who the hell is Nicholas Weaver anyway? And who is Robert Graham?
Oh... that guy.
Sure, you need to use Tor properly*, that's a given, but I was talking about public WiFi. NSA level technology isn't necessary if you can just figure it out from the University's network log.
*Some have said he wasn't using Tor properly because he didn't use tools to disguise that it was Tor traffic. This is arguable, but either way a public/unsecured access point is probably your best option for hiding your tracks.
"His biggest mistake was that he DIDN'T STUDY FOR HIS EXAM...."
Yes, although -- honestly -- forging a doctor's note is a way safer way to get out of an exam than calling in a bomb threat.
"I'm somewhat amazed and disappointed that the readers of a security list have more sympathy with the perpetrator than with hundreds or thousands of people affected by the threat and the people tasked with protecting them."
We're not showing sympathy. We're discussing tactics.
re Tor vs Wifi
I agree he should've used WiFi instead. My old recommendation was a long-range antenna, public wifi (corporate or residential), a LiveCD, and the use of proxies. I prefer a non-US SOCKS proxy over Tor as Tor stands out and the real privacy of my solution comes from not being ID'd. Disposable computers can also be used for this kind of stuff to enhance the capabilities in various ways.
re the guy who did it
I agree with other commenters that people focusing on tactics here makes sense: it's one of the purposes of this blog. I'll say, though, that the guy was a jerk who deserved to get caught. The bomb threat might not have scared people, but I'm all for punishing someone who uses a bomb threat. Trying to terrorize a school to dodge an exam is unacceptable from a variety of perspectives. Even black hats back in my day would have laughed at the guy as totally lame. They would have given props for cheating more along these lines.
(Note: The link is about the Kobayashi Maru scenario where they encouraged students to cheat. I posted it b/c long-time readers who knew about it might have missed this PDF that has pictures of the cheating tactics they used. Clever students.)
@ xXx, Martin, DB re Indian issue
I had less sympathy for their cause especially after reading this update on a certain issue. They have outrage because a scheming woman of a particular class was strip searched, yet the country has a pervasive problem of extremely brutal treatment of lower class women and little to no recourse for it.
In both corruption and humane treatment, Indian police are *far* behind American police. I say this as a critic rather than a fan of US LEO's. It's just that bad in India.
kumvipin said "That issue with that Indian diplomat sure seems to annoy some people. She was subjected to standard procedures, get over it."
Get over it yourself. The issues most people are concerned with are common decency, not shown in your reply, but expected among civilized people. India's national security has called her treatment by the US as “despicable and barbaric”, and it sure looks like it to average people.
The legal issues are 1) the suspect is a diplomat and immune from 'customary arrest', and 2) what she did (what she was accused of doing) is not a mala in se crime but hinges entirely on a civil violation.
The real issue is hubris. India is a large nation in a part of the world where US influence is waning. So the US arrests this diplomat and decides to treat her badly. Expect US diplomats to be arrested for felonies they are committing in India:
". . . we have issued visas to a number of US diplomats' companions. Companions means that they are of the same sex" senior member of India’s main opposition party said, ". . . after the Supreme Court ruling, it is completely illegal in our country. Just as paying less wages was illegal in the US. So, why doesn’t the government of India go ahead and arrest all of them?"
Already India has reopened a road by the US embassy in Delhi which India had blocked off at US request for security reasons.
There were 999 other ways to handle this, somebody chose the worst and most damaging, and kumvipin thinks it's great.
If you look at the actual report that @Martin says @Matt is misinterpreting, you find that there is no arch criminal who was cavity-searched and humiliated, but a woman accused of paying a worker less than the minimum wage. There is no hint that the worker was forced to remain on the job against her will.
@kumvipin - are you really advocating that crime is ok as long a the "government wants" you to do it? You really think the government should be above the law, and be able to do whatever it wants?
Given the disconnect between the media and the truth (eg. 60 Minutes), how do we know that this reported bomb hoax even took place?
It could be just a propaganda operation aimed at Tor usage and online anonymity in general.
So the US arrests this diplomat...
Keep in mind that she is a consul and not a diplomat. She has much more limited immunity and is probably not protected. She also wasn't arrested for underpayment of the help, she was arrested for lying on immigration forms.
re: "people stupid enough to email a bomb threat to get out of a final"
The stupid crooks will get caught easily as always, regardless of the latest cyber police trick.
In the olden days, bomb threats and pulling fire alarm handles were routine classic ways to get out of class.
These days it might get you 20 years in prison.
Then and now it was stupid, however.
Isn't an aspect of security assessing risk?
After a while, false alarms make the public less likely to pay attention to actual threats. Similarly, the reaction to a car alarm is not that a theft is in progress.
A few weeks ago a gunman threat was called into Yale University. They locked down the University, several nearby schools and downtown New Haven.
This was based on a 30-second phone call from someone claiming to be a student worried about his roommate. This call was reportedly from a Yalie in a phone booth in a poor section of town. He didn't use a cell phone or identify himself or the roommate. Instead we had a case of security theater.
While all the police were tied up for the day, the police forgot to release a report on a jail suicide from a few days earlier.
@paranoia destroys ya "While all the police were tied up for the day, the police forgot to release a report on a jail suicide from a few days earlier."
This seems to be a non sequitur. I fail to see the connection and/or importance of reporting a jail suicide.
By the way, the apparently inept 60 Minutes propaganda may hide a subliminal sucker punch.
To understand the technique of subliminal framing, read "Don't Think of an Elephant!: Know Your Values and Frame the Debate--The Essential Guide for Progressives" by George Lakoff, useful even if you are not a "Progressive".
@psy The police were scheduled to make the press release that day. Other duties were neglected due to all personnel looking for a gunman. There has been a big deal made of the circumstances and that the report was about a week later.
Instead of security theater, more focus should be put into establishing the credibility of a called-in threat. I can see a business owner disrupting a competitor's sales with a false alarm; criminals have used similar tactics to rob the other side of town.
But the government's use of unacceptable methods in its war on terrorism include covering up torture and setting up perjury traps for witnesses.
The FBI can ask you an innocent sounding question, and when you slip up telling them something that may be interpreted as false, they can get you for making false statements to the government.
This is no reason for having sympathy for actual terrorists, but it's a matter of fact that the government's interrogation of suspects and nonsuspects often employs trickery and deception -- making any confession very dubious.
It's legal for the government to lie to you -- the investigator may falsely tell you that your DNA and fingerprint was found at the murder scene, or more applicable here that there is forensic evidence connecting you to a computer crime.
There are really few limits short of torture on the government's interrogation of suspects.
"And let's face it, the very reason the FBI exists at all is because people like that -- selfish people doing anti-social things -- exist in the world. "
No, it isn't. The federal government has no general constitutional police power to prosecute people for anti-social behavior.
The federal government was never granted general criminal jurisdiction over murder, theft, rape or other local crimes.
Under any sane interpretation of the constitution, prosecuting violent or anti-social crimes should be a local matter for the state government.
The only reason why this case should be a federal matter is the use of an instrumentality of interstate commerce to transmit the threat.
If the suspect had just left anonymous leaflets, the feds would likely not be involved.
So the lesson 101 in addition to all the other security arguments is never do an act for which federal intervention is authorized by statute.
@MingoV • December 18, 2013 4:21 PM
"Since when does the FBI have jurisdiction over bomb threats on non-federal property? The University of Delaware had two bomb threats this year, but the FBI was not involved in the investigations or arrests."
The federal government lacks a general police power -- it therefore can't ban mere gun possession near schools (United States v. Lopez) or sexual assault (United States v. Morrison) but it can certainly prosecute people who use an instrumentality of interstate or foreign commerce to send true threats.
In this case, the jurisdictional hook for federal power is that the suspect used Tor to transmit the threat in interstate or foreign commerce.
Of course, that potentially brings all internet-related crimes within federal jurisdiction.
There are other such crimes not least the anti-obscenity statute.
It's a crime to knowingly transmit or receive obscene matter in interstate or foreign commerce, and it does not matter if all parties have consented to the transaction.
And if the government wants, it can set up a perjury trap -- Have you ever visited an adult website -- and if you falsely answer no, the government can get you for violation of 1001.
A lot of suspects have found out the hard way that speaking to the government is risky without a lawyer.
Martha Stewart was otherwise innocent, but she was convicted of making a false statement under 1001.
So the only advice is never talk to the police and always expressly invoke the Fifth Amendment as early as possible during a police encounter.
After Salinas v. Texas mere silence is not a valid invocation of the Fifth Amendment. Mere silence may be used to impeach your testimony, but express invocation of the Fifth Amendment can't be used to increase the guilt.
If the police asks if they can speak to you, you should always assume that they don't have your best interest at heart.
The police are there to get a conviction by any legal means, including confessions from suspects ignorant of the law.
When I am ever approached by law enforcement, I always start with the question -- Am I free to leave, and if the answer is no, I know I am in custody.
Custody changes everything, because Miranda rights only attach from the moment the individual is taken into custody and the interrogation starts.
The Tor Project should provide a legal guide on how to invoke your rights during a computer investigation.
"And let's face it, the very reason the FBI exists at all is because people like that -- selfish people doing anti-social things -- exist in the world."
J. Edgar Hoover springs to mind.
--Were you on campus or are you just stating the news report? I want individual accounts of what happened, not biased news reports.
J. Edgar Hoover springs to mind.
--Good one, I think all gov't employees need a good history lesson by a "controversial" historian that really seeks out the truth of history. The few I've been privileged to learn from, they really help to know what happened; still could be pure falsehoods but they have accounts from people you've never heard of and it's the average [wo]man's history that is the most relevant to most people.
Nick P: I agree with you there. Using a high gain antenna and one of the better ralink USB 802.11 adaptors you can get some impressive reception. Pick yourself a target a few miles away and go for it (remembering to change your wlan interface's MAC address of course).
That said, had this kid instead visited a friend's house, downloaded GNUPG, hopped onto the MIT key server and grabbed the keys for, say email@example.com|foto.nl1.torservers.net|privacy.at and saved them to his USB thumb drive, he could have then returned home, generated his own key and then assembled a block for each remailer in the chain. Good luck to the FBI breaching all those remailers. The risk of being identified as a remailer user is high, but the likelihood of them actually being able to link you to the content of the message is almost zero, particularly if you make judicious use of the Delay-Time: pseudoheader and use a random delay of ten minutes to two hours.
It is always a good idea to include a large amount of "chaff" at the end of the message to frustrate analysis. You can even include some bogus headers (e.g. X-Mailer / user agent headers so it looks like it came from Outlook) and even better use a real reply address of an adversary and enable return receipts. Fun!!
One of the major issues I have with tor is that it gives users a false sense of security. They appear to think that just because they activate tor they are somehow protected against even adversaries with nation state level capabilities. This simply isn't true - and if we are talking about hidden services then uh, forget about it. The HS functionality is just a honey trap for illegal site operators. Sooner or later the guard will change to one that is colluding with the NSA and you will be decloaked. It may take months or even years but it will happen.
Bob S.: Yup, bomb threats used to get out of class/exams weren't that uncommon from the stories my parents told. What's different now is that they (along with any serious crime) seem to become rare enough that busybodies from FBI and similar organizations can afford to latch onto them and use them to justify their jobs (because of, you know, TERRORISM!!1!).
Back then, there never was any serious investigation, and that was at the height of the activity of the "Red Army Faction" in Germany, so they definitely had an excuse to be paranoid - but they also had enough common sense not to waste important resources on student pranks.
Tor adds an address in your registry. Even after cleaning Tor, this registry address remains.
Clean it with CCleaner.
@DB: "You really think the government should be above the law, and be able to do whatever it wants?"
In a law-guided (not lawyer-guided) state, the Government is NOT above the law, but that is not the whole story. In Nazi Germany the government followed the Law, but the Law itself was draconian in nature.
Conclusion: In the country positioning as democratic and law-guided, Law is fair (protecting interest of overwhelming majority and openly available to everybody with clearly understandable content) and everybody including the Government is not above the Law following due process and implementing justice in non-selective (no double standard) fashion (not like "For friends everything, for others - Law").
The point about the rarity of the security tool applies to any rarity in the signature one leaves. In this case it may have been the use of Tor. In another case it may be any one, or a combination of, other things.
Can't help but respond to two other points in the comments:
India's national security has called her treatment by the US as “despicable and barbaric”, and it sure looks like it to average people.
The legal issues are 1) the suspect is a diplomat and immune from 'customary arrest', and 2) what she did (what she was accused of doing) is not a mala in se crime but hinges entirely on a civil violation.
The real issue is hubris.
She's a consular official who has limited immunity for acts committed as part of her official duties. Lying on the visa form in an effort to dodge US employment law, as far as I'm aware, isn't an official duty.
The crime charged obviously isn't a civil matter. In fact it's a felony.
Her deception wasn't an innocent mistake. She not only dramatically overstated the amount of her housekeeper's compensation, but she went to the trouble of creating two contracts: a false contract, submitted to the US Government, providing the housekeeper with a legal wage and acknowledging that the housekeeper is entitled to the protections of US law, and also a second, secret contract, in which the housekeeper was promised a wage far below the legal minimum and all references to the protections of US law were removed.
The official was not arrested in front of her children; she was not handcuffed; she was permitted to sit in the car for two hours while the US Marshals allowed her to make phone calls and brought her food and coffee. Upon arrival at jail, she was strip-searched, which is normal procedure to ensure that contraband is not being smuggled in. It's performed by a same-sex officer.
Meanwhile, the housekeeper's family has had to be evacuated from India, and the Indian government has removed security barricades protecting the US Embassy.
There is certainly hubris here, but not by the US; India puts it on display every time another nation has the gall to make an Indian celebrity go through a security line like everyone else.
Frank, re 18 USC 1001
It's a powerful tool for the government, but you may be unintentionally exaggerating it a bit, at least on my reading of your comments. Innocent mistakes aren't truly punishable under the statute.
The fact that they were even able to identify him as a tor user at all implies that Harvard are keeping quite detailed logs about which students access which sites at what times via their network, which is a little worrying from a privacy point of view.
Responding to these cases with "there isn't a weakness in Tor, it was the user who made a mistake" misses the point; any secure system needs to be designed with users and their human frailties in mind.
In fact, this case does highlight a weakness in low-latency anonymity systems like Tor: If you can watch both "ends" (i.e. the Harvard wifi network and the email logs/headers) you can correlate traffic. High latency systems like Mixmaster/Mixminion mitigate against these kinds of attacks (unfortunately, they have almost no users...).
That said, if he had simply denied everything and maintained that he was doing something else on Tor at the time, then law enforcement would have had a hard time proving anything.
So, is there any evidence against this kid other than (A) TOR was used for the bomb threat; (B) He was the only TOR user on campus that day; (C) He may have folded under interrogation; (D) Bomb threats are bad; (E) We have no other suspects?
I didn't bring up that Indian woman being strip searched to argue about whether it was justified.
I brought it up as an example of the generous powers of interrogation given to our police. If you don't cooperate, and by that I mean confess, falsify evidence against yourself, and accept your jail sentence for whatever they say you did, they can stick their hand up your ass, tearing tissues, and leading to life-threatening infections. Enjoy spending the rest of your life, however short it may be after sepsis sets in, in adult diapers dealing with anal leakage. And ignore the part where you're now covered in your own excrement. Remember, they're only following procedure.
We say don't talk to cops. Yet if we don't talk to them, they come back with a warrant and tear our house apart. Right down to tearing apart the walls to the point where after they've finished searching, and find nothing, they condemn your home, put you out on the street, and your bank calls your mortgage loan due to lack of collateral and seizes your remaining assets. And there's nothing legally you can do about it.
What about the difference between being guilty of a crime and committing the crime? If I steal the license plate off your car, and you drive it, you are guilty of a crime. I may have committed the crime, but I have next to no chance of getting caught. You on the other hand are easily convicted. And you can have someone with hands the size of basketballs sticking them up your ass. Remember, it's just procedure.
Color me jaded, but I find it hard to believe folks are confessing to crimes that will put them in jail for a very long time entirely of their own free will.
"re 18 USC 1001 It's a powerful tool for the government, but you may be unintentionally exaggerating it a bit, at least on my reading of your comments. Innocent mistakes aren't truly punishable under the statute."
Let me make it simple. It should not be the government's business to query me about anything unrelated to the crime which is under investigation.
1001 makes criminals out of everyone telling the government any lie -- which may include falsehood by omission according to caselaw.
I think I have often misremembered something I did in the past and if I am asked if I have visited a website, eaten at a certain restaurant, or met someone, there is a lot of potential for abuse, if the statement is untrue, and the government sets me up for perjury.
You should really read Ken White's blog Popehat.
He is an expert on 1001, and his advice to people is basically shut up when approached by the police.
The materiality requirement in the statute is thin.
In a lot of terrorism cases, people were convicted not of terrorism but merely of making false statements about their legal activities.
"What about the difference between being guilty of a crime and committing the crime? If I steal the license plate off your car, and you drive it, you are guilty of a crime. I may have committed the crime, but I have next to no chance of getting caught. You on the other hand are easily convicted."
A license plate number in itself is not sufficient to prove guilt beyond a reasonable doubt.
But the burden of proof is different if the act is not criminal but civil in nature.
Some speed camera laws operate on the presumption that the owner of the car is responsible for civil violations of the traffic law, but this is as far as I know only a rebuttable presumption.
It does not automatically make you guilty if someone else has stolen the car with the keys or has found another way around the lock system.
Regarding IP addresses, an internet account owner is not automatically responsible for crimes committed from the account, unless there is proof connecting the act to the owner itself.
And even in civil copyright cases, wherein the burden of proof is lower, copyright trolls have failed to convince the courts that the account owner ought to incur responsibility under a negligence theory.
--Here's some more disgusting violations. Mike the goat on here told of something cops did to him when he was 16(!), I really think there's many more horror stories out there where these bullies are getting away w/ it...Then the kicker is sending you a bill for that obscene invasion of your person.
I agree. However, I'd mention one warning: charged and convicted are different things. Many people want to avoid arrest or charges as much as conviction. What you say applies by the time a conviction is sought. Before that, it's enough reason to investigate you, arrest/hold you, get a warrant to search your place, seize your computer (FBI), and add you to the list of people that get more scrutiny.
So, I think as we talk about legal risks we should look not just at "go to prison for" but a set of potential negative outcomes. And then people can decide which risks in the set they want and which they don't. Thinking in these terms made me decide not to run a Tor relay as my budget is too tight to replace seized equipment and I'd rather the ISP not have me under a microscope.
Why do you accept such a legal system?
It is your country, so it is your civic duty to act against it. I know for sure that there are organizations waiting for your active contributions.
--B/c when it gets so bad, some people would rather hide for as long as possible. When it gets as bad as I see it heading, I'm toast for sure. They already send out the black bag teams for people speaking out; and also I think many people will see that sometimes it's pointless and won't change anything.
Why all this talk about MAC addresses? Where does any document mention MAC address? As a student he would have logged into the university's wi-fi and would have been located via that.
That is, the IT department simply would have checked who made connections to know Tor IP addresses and who was signed in with their student ID at the time.
Unfortunately for this guy, it looks like he was the only person using Tor from the uni at the time. In the end he was foolish in many ways, but perhaps the biggest mistake he made with regard to getting caught was not his use of the uni's wi-fi, but his admission.
xXx, no. Body cavity searches and strip searches are different things (legally and semantically). Being processed into a jail will likely entail a strip search, i.e. one disrobes, turns in a circle, lifts up anything that might be concealing contraband, touches one's toes, and that's it. There's no touching by any hands other than your own. It's not pleasant, but it's also not harmful or abusive. A body cavity search is not routine and would require additional justification. A body cavity search resulting in the injuries you describe would be treated as aggravated assault and torture, among other things. That kind of criminal act is, thankfully, rare (though I'd prefer non-existent).
Frank, I understand, and I'm not talking about what one should do prudentially if approached by law enforcement (though, following the rule "never say anything" at all times will make for some very, very lengthy traffic stops). The materiality requirement is thin, though still significant, but there's also the requirement of willfulness, i.e. that one knowingly violate the law by intentionally making a false statement. My reservation with regard to your initial comment had more to do with the implication that innocent mistakes, as such, are rendered criminal by the statute (Martha Stewart, by the way, not an example of an innocent mistake). I agree that lying, generally, on an official form or to a government official or employee, is a bad idea, regardless of whether a 1001 charge is likely to succeed.
How would Harvard be able to identify TOR traffic? Can Deep Packet Inspection yield this, or is it just much simpler case of the destination IP address being a known TOR entry node?
ron41 hit the important weakness in Tor - it's a low-latency system, so unless you're sure that you're using nodes that lots of other people are also using, and sure that nobody's watching you use Tor at your end and correlating that with the destination, you don't know that you're secure - and the lower the latency, the fewer fellow Tor users you have.
A high-latency remailer doesn't have as much risk, because it's much harder to correlate the sender with the receiver, but that's still only true if there are enough users (and of course, if you want to allow 24 hours of latency, that's not enough time to panic about having not studied and call in your bomb threat. At least he should have taken the time to head to a coffee shop...)
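The point made in the two comments above (low latency leaves few plausible senders, added delay and more users leave many) can be shown with a small simulation. This is an added illustration, not code from the blog or any commenter; the user names, timestamps and delay bounds are constructed, and the model is deliberately simple: the network is treated as adding some delay between 0 and a maximum, and a user is a plausible sender if any of their entry-side activity falls inside that window before the observed exit-side event.

```python
"""
Added example (not from the original post or its commenters): how the
delay bound of an anonymity network and the number of concurrent users
together determine the size of the set of plausible senders for one
observed message. All names and times below are constructed.
"""
import random


def candidate_senders(entry_times, exit_time, max_delay):
    """Return, sorted, the users who could have produced the event seen at
    exit_time. entry_times maps user -> list of entry-side timestamps
    (seconds); the network is assumed to add between 0 and max_delay
    seconds. A user qualifies if any entry event lies in that window."""
    return sorted(
        user
        for user, times in entry_times.items()
        if any(0 <= exit_time - t <= max_delay for t in times)
    )


def simulate(n_users, sessions_per_user, day_seconds, max_delay, seed=1):
    """Constructed scenario: n_users each start sessions_per_user sessions
    at random moments in a day; user0 is the real sender. Returns how many
    users an observer watching both ends cannot rule out."""
    rng = random.Random(seed)
    entry = {
        f"user{i}": sorted(rng.uniform(0, day_seconds)
                           for _ in range(sessions_per_user))
        for i in range(n_users)
    }
    send_t = entry["user0"][0]
    exit_t = send_t + rng.uniform(0, max_delay)   # observed at the far end
    cands = candidate_senders(entry, exit_t, max_delay)
    assert "user0" in cands                        # the true sender is never excluded
    return len(cands)


if __name__ == "__main__":
    day = 24 * 3600
    # Tor-like: seconds of delay. Remailer-like: hours of delay.
    for users in (1, 5, 50, 500):
        low = simulate(users, 3, day, max_delay=5)
        high = simulate(users, 3, day, max_delay=6 * 3600)
        print(f"{users:4d} users: low-latency candidates={low:3d}  "
              f"high-latency candidates={high:3d}")
```

With a handful of users and a delay bound of a few seconds the candidate set is almost always exactly one person, which is the Harvard situation; only when both the delay bound and the user population grow does the set become large enough to give anyone cover.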
huh?: I mentioned MAC address in my post when suggesting that an attacker use an open or loosely secured AP a few miles away from where he resides. If you read my post I did not indicate this was how this particular guy was found.
That said, assuming it is an enterprise WiFi network the kid would have been required to authenticate using 802.1x and there would have been a log entry made in the AAA database of their RADIUS solution documenting the Access-Accept.
Even back when I was in the game we had an apartment complex owner approach us in the construction phase and ask if we could take on a contract to provide Internet services to their guests. All of the rooms had a cat5e in their study nook area which went to a cupboard on each floor that contained a switch. The switch was configured to isolate each switch port from each other and tag them into a VLAN and then aggregate the traffic into a trunk which was a 1000baseSX miniGBIC that made its way to the basement. In the basement we had our WorldCom subleased fiber connection back to our Colo facility and a smart switch and a router. In addition to this we had APs - five on each floor - the building was in a cross style design and so we had a N,S,E,W and central AP on each floor. We used Cisco Aironets and they worked very well.
Anyway, using netflow coupled with the info from our radius db we were able to quite reliably demonstrate which users were doing what. Because we had a transparent cache we could even get a log of their http history.
So yeah - this kid stuffed up. And you're right - he could have likely claimed that he was using tor because he valued his privacy and the onus would be on them to prove otherwise. In theory anyway.
I have a very uneasy feeling about onion routing and fear that to adversaries like the NSA and friends it may amount to nothing more than a frustration. My feelings about tor are mixed. I think running a hidden service for any length of time (if it contains illegal content) is a suicide mission.
How did they get a list of Tor users on campus along with their names? Did they do "parallel construction" after having already identified the likely target using illegal means? These are questions we have to ask every time now.
What do you think is a legitimate procedure for figuring out who's responsible and gathering evidence in a situation like this, when is there no legal, justifiable way to identify a perp, but there are illegal ways to do so?
@Mark: My guess is they simply looked at the traffic logs of users on the network at the time period that the emails were sent, identified the Tor users (I can't imagine there would be that many on Harvard's network), and gave the list to law enforcement. There was no manipulation of Tor routing, or super secret NSA tools being deployed to crack the case. It was one idiot, who used the victim organization's own network, to send the threat.
This isn't an issue of privacy for Harvard students. I doubt Harvard records the content of internet use; more likely, they track the source, destination, and types of traffic in their day-to-day network management practices (Malware detection, resource abuse, etc.). As a network admin, you want to know what's burdening your network, where the problems are, etc. All of that can be done through traffic flow analysis without looking at content.
In this case, all they had to do was look at who was using Tor on their network. The police had every right to go knock on the doors of those suspects and say "Was it you?" Based on the affidavit, Kim rolled over before the cops were even saying hello.
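The procedure described in the comment above, and in the earlier comment about joining netflow with a RADIUS accounting database, amounts to a join between flow records (no payload, just addresses, ports and times) and authentication sessions. Here is an added example of that join, not code from the blog, from Harvard or from any commenter. The relay addresses, flow records, user names and lease times are all constructed (documentation address ranges); a real network team would take the relay list from the published Tor consensus and the sessions from its own RADIUS accounting log. The example also shows the one thing such a join must get right: the same campus IP is held by different users at different times, so attribution has to match on time as well as address.

```python
"""
Added example (not from the original post or its commenters): attributing
flows to a known Tor relay address back to the authenticated user who held
the source IP at that moment. All data below is constructed.
"""
from datetime import datetime

# Constructed stand-in for the Tor relay list (documentation ranges).
TOR_RELAYS = {"203.0.113.7", "203.0.113.9", "198.51.100.22"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# This is the shape of a NetFlow export: no content, only the 5-tuple.
FLOWS = [
    ("2013-12-16T08:31:05", "10.20.5.14", "93.184.216.34", 443),
    ("2013-12-16T08:32:40", "10.20.5.14", "203.0.113.7", 9001),
    ("2013-12-16T08:33:02", "10.20.5.14", "203.0.113.9", 443),
    ("2013-12-16T08:35:10", "10.20.7.200", "198.51.100.22", 9001),
    ("2013-12-16T08:40:00", "10.20.7.200", "93.184.216.34", 80),
    ("2013-12-16T14:05:00", "10.20.5.14", "198.51.100.22", 9001),
]

# Constructed RADIUS accounting sessions: (user, ip, start, stop).
# Note that 10.20.5.14 is leased to two different users during the day.
SESSIONS = [
    ("student_a", "10.20.5.14", "2013-12-16T08:00:00", "2013-12-16T09:30:00"),
    ("student_b", "10.20.7.200", "2013-12-16T08:20:00", "2013-12-16T11:00:00"),
    ("student_c", "10.20.5.14", "2013-12-16T13:00:00", "2013-12-16T17:00:00"),
]


def parse(ts):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(ts)


def tor_flows(flows, relays=TOR_RELAYS):
    """Keep only flows whose destination is a known relay address."""
    return [f for f in flows if f[2] in relays]


def user_for(ip, when, sessions=SESSIONS):
    """Which authenticated user held `ip` at time `when`, or None.
    Matching on time as well as IP is what prevents mis-attribution when
    a DHCP lease passes from one user to the next."""
    for user, sip, start, stop in sessions:
        if sip == ip and parse(start) <= when <= parse(stop):
            return user
    return None


def tor_users_in_window(start, end, flows=FLOWS, sessions=SESSIONS,
                        relays=TOR_RELAYS):
    """Map each user (or 'unknown:<ip>' when no session covers the flow)
    to the list of (time, relay) contacts they made inside the window."""
    lo, hi = parse(start), parse(end)
    result = {}
    for ts, src, dst, _port in tor_flows(flows, relays):
        when = parse(ts)
        if lo <= when <= hi:
            who = user_for(src, when, sessions) or f"unknown:{src}"
            result.setdefault(who, []).append((ts, dst))
    return result


if __name__ == "__main__":
    for who, contacts in tor_users_in_window("2013-12-16T08:30:00",
                                             "2013-12-16T09:00:00").items():
        print(who, contacts)
```

Nothing here needs deep packet inspection; the relay list alone separates Tor traffic from the rest, which is why the commenters are right that Harvard's ordinary flow records would have been enough.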
With respect to many on this board, much more than 'tactics' are discussed here, else we would be marveling with technical admiration how effective NSA has been in achieving network situational awareness. Not calling it "stasi-like" privacy invasion. So please be consistent with your moral outrage.
The NSA is targeting everyone on this board, the board, the entire Internet, all security standards, the country, and many foreign countries. They're doing this with secrecy, criminal immunity and partners (eg FBI, DEA) that can imprison/kill us based on NSA analysis. Supporting their activities are some of America's smartest engineers and a multi-billion dollar budget.
How again do you suppose FBI treatment of a jerk at Harvard would get a comparable reaction?
@Figureitout "--Good one, I think all gov't employees need a good history lesson by a "controversial" historian that really seeks out the truth of history."
Here's a good place to start, perhaps:
Peter Dale Scott is Professor Emeritus of English at UC-Berkeley and former Canadian diplomat, with his Ph.D in Political Science from McGill. A national treasure to two nations, and a light to the world. His website may be found here: http://www.peterdalescott.net/
From a review of his latest book, "American War Machine" by Gen. Bernard Norlain, Revue Defense Nationale, March 2011 [in French]: "Here is a book that is fascinating, revealing, one could say terrifying.... This work astonishes by its originality and its power of analysis. It should be a reference work for all the defenders of the legal state and for all those who concern themselves with the future of our democracies." [General Norlain is a retired five-star French general who also served as military adviser to French Prime Ministers Jacques Chirac and Michel Rocard.]
Positively essential reading. The technical and tactical discussions of security I've found here are second to none, but discussions of the political context are rarely on the same level. I can't think of a better corrective than Scott's work. Impossible to recommend highly enough.
Yes, body cavity searches are different from strip-searches. She claimed both had been done to her. Body cavity searches are commonly done when you go to jail. (Anyone remember the story of the fellow who got caught trying to smuggle an actual live hand-grenade into jail that way? Ouch!)
Perhaps you didn't hear about that fellow in Jersey who was arrested for failing to pay a parking ticket that he had already paid, and had a receipt for having paid in his car at the time of his arrest, and who subsequently spent a week in jail being subjected to multiple painful body cavity searches. His case went to the state supreme court who decided officers at the jail could do pretty much whatever they wanted to him in the name of safety.
Perhaps you didn't hear about those cases down in Texas where police officers were stopping folks, claiming they littered, specifically that they threw a cigarette butt out the window when nobody in the car smoked or had cigarettes, holding them roadside for an hour or more until other officers arrived, and then subjected them to body cavity searches. Part of the complaint, as I heard it, was that they were not changing gloves between searching the anus and vagina, or between searching different people in the car. (Nasty way to transmit STDs.) Afterwards the folks were released without even a ticket. Just a warning. A fair number of people complained about this treatment. Nobody believed them. Then a few folks had dash-cams that recorded their abuse...
What's scary is how those videos were shot so many hundreds of miles apart. This wasn't a renegade cop. It was systematic.
Just read the affidavit...
1. The description of TOR is wrong, isn't it? It doesn't give you an anonymous IP but hides the connection between where you join TOR and where you leave it.
2. It seems that Kim got caught because he used the Harvard network ... Tip: don't use TOR on a network that you uniquely authenticate yourself on.
3. I agree with Brian, forging a doctor's note would've been a better approach
I don't buy it. I doubt TOR was the problem; I'd suspect the user had at some point in time accessed the anonymous email account using a computer and/or identifiable IP account that he had also used for access to an identifiable email account.
The real take away is that Gmail, hotmail... never forgets any access to any account, so your opsec needs to be perfect. Fortunately for LEAs, perfect opsec is extremely rare; unfortunately for those that have perfected an effective opsec regime, it is their perfection that makes them singularly identifiable. This creates the need for deliberately seeding believable disinformation with any access to anonymous accounts (as part of your opsec procedures) and so the game escalates.
Thank goodness he didn't MitM re-route unencrypted bystanders' traffic through Tor and tunnel his own Mac re-branded same-Manufacturer traffic with their packets through VPN through Wifi to a compromised machine then over streaming audio using a 4096 bit key shared to another room through mutual tempest steganography key transfer attack again through the new room through Tor over VPN on Wifi cause then for sure he would have not been detected.
Sorry, there is no counter measure for stupid and it can't be patched and is 10x easier to detect stupid and 100x easier to confront stupid than it is to disuse it with genius.
Isn't it? :)
Your concern about the Cryptome report does raise serious questions. When carefully read the Cryptome report touches on the subject of fingerprinting TOR users via a BT backdoor.
The Cryptome report also speculates that major CAs instantly transmit copies of clients' SSL/TLS Certificates to the NSA and possibly GCHQ when purchased. This is quite troubling.
I will note that CSO acknowledges that:
'On the issue of the USDOD IP address referenced by the paper's authors, that block of addresses has been used by many firms over the years. It's a valuable piece of IPv4 real-estate that is often enabled internally by an ISP after they've gotten permission from the Defense Information Systems Agency (the part of the USDOD that manages networks and infrastructure).
Just last year, Sprint was using IPs internally from that block for their mobile network. So the fact that BT would be using it too isn't a shock to network engineers who have seen the paper.'
'In short, one security expert told CSO, the usage of 30.x.x.x /8 doesn't really imply NSA monitoring at all. In fact, he added, "If you want a non-routable IP that won't break when using it, [the] DOD is your best choice."'
But the Cryptome report goes much farther. It indicates that a simple ping test can detect the backdoor. Next you can telnet into the modem and see the actual configuration and un-hack the device (assuming altering the firmware doesn't violate the BT TOS agreement - causing your service to be terminated).
[Cryptome pdf page 39]
"Remove Power from the modem and disconnect the telephone line.
"On your PC (assumed Linux) add an IP address 192.168.1.100 i.e:
ifconfig eth0:1 192.168.1.100 up
"Start to ping 192.168.1.1 from your PC i.e:
"Connect a network cable to LAN1
"Plug-in the power cable to the modem and wait for about 30 seconds
"for the device to boot, you will then notice:
"64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
"64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
"64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms
"You may notice up to ten responses, then it will stop.
"What is happening is the internal Linux kernel boots [inside of the modem], the start up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall at which point the pings stop responding.
"In other words, there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in.
"You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section."
The second step, telnetting into the BT modem/router, is shown on pages 40 to 44. The “un-hack” is on page 45 forward.
Other notable Cryptome pages include:
“All SSL Certificates Compromised in Real-Time” page 22
“Theft of private keys” page 24
“Tor User/Content Discovery” page 26
@ ron41, see TOR discovery from the Cryptome link. There is a fingerprinting method to determine TOR users.
“Covert International Traffic Routing” page 27
“Secure your end-points” page 30
“I'm an American, does this apply to me” page 35
@ *others who care, the paper indicates that NSA is using the very same technique and can discover TOR users (if this is true it is troubling).
--Hey thanks, I have a feeling I'm going to know what his writings are about and cringe. :/
but discussions of the political context are rarely on the same level.
--Yeah it scared me off...morons start libtarding and teabagging each other and intelligent discussion is done.
--Did you mean collective? Asian? :) Herro der!
Why couldn't he just get a disposable smart phone, of course never using it near his cell?
What if it was an ISP subnet in the range of tens of millions or more?
Funny thing that someone computer literate and going to an elite school didn't know how easy it was to trace TOR usage on a LAN with at most hundreds of active users.. The local sheriff's office could have traced him with literally nothing but a text editor..
Using guerilla mail made it clear he was using Tor, and then they took it from there.
Tor uses many hops to connect to the target, but how?
1. TorUser uses the same browser (Firefox 20+Tor/Firefox 20), so HarvardServer can find the same UserAgent
2. Harvard using sslstrip to decrypt everything
should've used a vpn, stay pleb
Hey people, the guy flooded a mail server on the LAN he was on where he was at most one of tens of the users using TOR.. A car mechanic from the shop down the road could have caught him.. Even if he was using VPN or anything else you care to mention..
Sorry.. this is A+ or CS 10x stuff not quantum mechanics or astro physics stuff..
"This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect."
This is part of what's really worrying me in much of the discussion of tools for privacy and security. Is use of these tools actually counterproductive? Are users just identifying themselves to the authorities for special attention?
It's a basic principle of retail security that the only people you need to pay any attention to are the people who are trying to evade security -- and it's usually very obvious when they're doing that.
Tor is mentioned frequently in popular journalism about privacy, security, hacking, etc., and I believe I see it discussed much more often than OTR or OpenPGP. About the only sort of tool I see mentioned as often as Tor is VPN. And yet, at a large university, a Tor user was easily identified because only one person used Tor that day.
Given that, on the one hand, there's a significant opportunity cost to learning to use these tools, and on the other, they're so rarely used that actually using them immediately flags you as suspicious, it's pretty obvious why rates of adoption of these tools are so low.
I think we need to consider whether advocating the use of these tools is the wrong approach entirely, and we should focus on bringing the NSA, and similar entities, to heel.
The very thing that gives you plausible deniability also makes you the most likely suspect.
--I try to make this point w/ regards to OPSEC, in that, yeah there are basic precautions that protect you but too much and not only will you be on law enforcement radar, but random criminals who see that maybe you have something worth protecting...extremely frustrating problem to think about and *lol* solve.
One way around using university internet access is simple, I stated just how simple it was a little while ago; some freshman engineer dumbasses leave their accounts logged in, in publicly accessible computer labs. For the people that need to go print something for 1 minute, I watch and make sure they don't get f*cked by some rando, but I got so irritated one time when I go to login on a random computer and this guy leaves his login open to anyone willing to walk in the lab and compromise my university network (which has problems, I know it has major problems that it needs help with).
I understand security can be a bit of a pain, but that was an unacceptable risk to my university network and I deleted that dumbass's work (which could be made up in less than 15 min.); I should've left more of a message b/c this dumbass did it AGAIN near me; maybe make false bomb threats through his account to get the point thru to him that the world isn't a nice place and always look over you shoulder.
@Matt: "DON'T TALK TO THE POLICE. http://www.youtube.com/watch?v=6wXkI4t7nuc "
Thank you very much for that link, it is a must-see video of very good quality, but only accessible to fluent English speakers.
Here is an abstract:
What you say to the police will be partially reported by police and compared to reality as reconstructed by the police. In this process, there are plenty of ways for errors. References provided.
If you appear to have lied, it is bad for you, whatever the reality. It is better to only talk to the jury, not to the police.
The police, as well as the jury, have set up their opinion very fast on your innocence or guilt. Their job is to treat your case as economically as possible: do not confuse them with your lawyer.
More, police are experienced at making you confess (tell you your Miranda rights in the conditional when you are not attentive, demonstratively stop only one recording device, convince you it is good to write an apology letter or to minimize your violations, sympathize, ...).
Without even reading the criminal complaint I'm going to assume the following:
Feds looked at records to see which MACs accessed wireless that day using Tor.
Feds then went through the logs to see what else that MAC accessed, such as facebook, emails, student logins.
Feds interrogated student and he folded like a cheap suit instead of asking for a lawyer.
He broke several rules:
Never activate wifi until you have used macchanger (use the switch on your laptop to turn it off/on)
Never commit illegal activities anywhere near where you live work or study, so go off campus and stay out of camera range, don't park near cameras, make sure your laptop either has init scripts to change mac address upon boot before wifi broadcasts your address or keep it off with a switch.
Don't talk to feds without a lawyer, saying absolutely nothing is best policy they are trying to get you to hang yourself by providing a pathetic alibi that will be used against you
Not studying for your exam and thinking a bomb plot will save you when in reality you'll get prison, kicked out of school and probably fined. Take some Ipecac and puke all over your desk the moment you sit down to write it or forge a doctor's note. Or maybe actually study.
Some of the commenters wrote "TOR" instead of "Tor". The correct spelling should be "Tor": http://invisibler.com/tor-faq/...
Totally agree with the author, Tor didn't break but Kim did. By analyzing the traffic that enters and exits the Tor network from Harvard's campus network, the FBI can easily find out who was using Tor at a specific time to send the threat.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..