The news: By now we’ve all heard the story of Eldo Kim, the sophomore at Harvard who emailed out a bomb threat just so he could get out of taking a 9 a.m. final exam. It is a true testament to just how reluctant college students are to actually studying – they’d rather face five years in prison.
But what’s interesting about Kim’s bomb threat isn't necessarily why he did it, but rather how he did it. This was no half-assed, last minute panicky bomb threat. Kim really committed to the cause.
How he did it: Kim went to fairly extensive lengths to disguise his identity when he sent the email claiming he’d put “shrapnel bombs” inside four Harvard buildings. Because, I guess, if you’re going to pull off a bomb threat, you might as well try to cover your tracks as best as possible – though obviously, Kim’s plan didn’t work.
Kim used a temporary email generator called Guerilla Mail to obtain an anonymous email. And he sent the email using a Tor browser to conceal his identity online. Tor is no joke – it’s used to create anonymous IP addresses and has even been targeted by the NSA, which called it “the king of high-secure, low-latency internet anonymity.”
So Kim really went all out. He just forgot one little thing: he accessed the Tor browser using Harvard’s own wireless network. Law enforcement was easily able to figure out which users on the Harvard network went to Tor around the time Kim emailed out the bomb threat. And with that, the jig was up.
The federal complaint against Kim reads: “Harvard University was able to determine that, in the hours leading up to the receipt of the e-mail [sic] messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.”
It’s no wonder Kim confessed to police by nightfall – there really wasn’t any way to get out of it. Because why would he be accessing Tor if he didn’t email out the bomb threat? That’s the thing – using Tor helps you hide your identity online, but if you do get caught using it, it only makes you look guiltier.
So remember kids, next time you want to call in a bomb threat because you’re scared of a test, be sure to do it from a remote location, and not on your school’s wifi network. Classic rookie mistake.