Internet security experts say they probably would have given the accused Harvard bomb hoaxer an "F" when it comes to hiding his identity.
Twenty-year-old Harvard student Eldo Kim was charged Tuesday with sending out a fake bomb threat, all so that he could get out of taking a final exam, according to an FBI affidavit. A federal judge released him on an $100,000 bond on Wednesday with instructions to stay away from the Ivy League university.
To disguise who he was, Kim allegedly used Tor, the software network that bounces signals around thousands of relays around the world with the aim of making a user's identity and location extremely difficult to pinpoint. In theory, it makes the computer user anonymous.
A message warning that "shrapnel bombs" had been placed in Harvard's Science Center, Emerson Hall, Sever Hall and Thayer Hall was sent to several university officials, the Harvard police and the Harvard Crimson, the campus newspaper, at 8:30 a.m. on Monday — just a half hour before Kim was scheduled to take a final exam in one of the buildings mentioned in the email, according to the FBI affidavit filed on Tuesday.
Students were evacuated from those locations, but no bombs were found. Afterward, according to the affidavit, the FBI determined that Kim had connected to Tor through the university's wireless network in the hours leading up to the threat.
Kim, according to the document, admitted to the FBI that he had sent the bomb threat to the email addresses, which he had found through Harvard's website, because he wanted to avoid taking the test.
"It's very hard to fail an exam at Harvard," Alan Dershowitz, the Felix Frankfurter Professor of Law at Harvard, told NBC News, citing grade inflation that he said is present not only at Harvard, but at universities across the country. Although few Harvard students actually fail their classes, Dershowitz said, they come into the university facing a lot of pressure from their parents and other sources.
So how did Kim, who also reportedly used an anonymous, temporary email address from a service called Guerilla Mail on his MacBook Pro Laptop, get caught?
While Tor might hide a user's IP address, there are other ways law enforcement officials can identify people who try to hide their identity online, said Chester Wisniewski, senior security advisor at Sophos.
"You can still, with a reasonable amount of certainty, identify someone by things like the version of Web browser they're using, along with the exact model of computer they are connecting with, combined with 10 or 12 things we leak all the time by just using the Internet," he said, pointing to factors like the version of Flash or Java that someone might have installed on their browser.
Most universities also require students to register their computers in order to use their wireless network. That could have helped narrow the field considerably. If, for example, only 10 students were connected to Tor through Harvard's Wi-Fi, said Wisniewsk, the FBI could identify those computers and their owners, and then knock on those 10 doors until they found their suspect.
Bruce Schneier, a security expert and fellow at the Berkman Center for Internet and Society at Harvard Law School, thinks that is probably what happened.
"Basically, if you're using a tool that gives you plausible deniability, it also makes you the most likely candidate," he wrote in an email to NBC News. "And while the FBI might not be able to prove you were the Tor user that made the bomb threat, they can revert to conventional investigation mechanisms to bridge that gap. Tor didn't break; Kim did."
There are precautions Kim could have taken, experts said. Reporters and political dissidents, using the Internet in conflict areas like Syria, are taught to boot up Tor from USB thumb drives or compact discs instead of their hard drives.
Kim could have used a computer other than his own MacBook Pro or logged onto another Wi-Fi network. Tor, said Wisniewski, does require some technical expertise to guarantee total anonymity. Under most circumstances, Wisniewski said, Kim's security precautions probably would have protected him.
"If you're buying an ounce of pot on the Silk Road, it's probably good enough," Wisniewski said, referring to the now defunct online drug marketplace. "But if you're going to call in bomb threats, it's not."
Keith Wagstaff writes about technology for NBC News. He previously covered technology for TIME's Techland and wrote about politics as a staff writer at TheWeek.com. You can follow him on Twitter at @kwagstaff and reach him by email at: Keith.Wagstaff@nbcuni.com