Anonymous Threats

Our local community has recently had threats where the user has a
FaceBook profile and is threatening the schools, and several surrounding
schools, saying he is going to shoot everyone and blow them up... This
is an investigation, but it is getting out of hand. Several police/FBI
raids, but yielded no results, and/or did not catch the right person.
He/she is taunting them, local and federal.

I would ASSUME he is using some sort of proxy/anonymizer such as TOR or
something similar. Is there any way to sniff for that type of traffic
on my network? I want to make sure that they are not using us as the

Any thoughts on how to catch this person? Even if it isn't us, and it
is somewhere else I would like to put a stop to it. Preferably off-list
if you do respond...

Thanks in advance.

Eric Rogers

(317) 831-3000 x200

Even if you find somebody running TOR, you can't see inside it. They also
could simply be running an exit node, or $reason.

I'll keep a look out

I’m pretty sure that is what TOR was designed to prevent. While your intent may be altruistic, technologically speaking, there is no difference between that and say Iran or China sniffing out traffic.

I think if the FBI wants your help, they'll let you know.

In the meantime, I would probably avoid anything that looked like you are
spying on your customers, especially if you are explicitly targeting
customers who are attempting to anonymize their traffic (for whatever
reason). No matter how well intentioned. I can see a number of downsides...

But in simple terms, if its Facebook, its HTTPS, and seems you are
basically done there. Regardless what anonymous transport they use, you
wouldn't be able to see what they are up to...

Report it to the authorities and trust that they can handle it, matter
how difficult that is. Remember your place that you are just the
admin/operator and not the hero. If they need your help, law enforcement
will ask for it.

Sucks but what would you do if you found his IP address? Go to his house?
No matter what, law enforcement needs to own the problem.


Thank you for all that have responded, and this response has been the majority, to leave well enough alone. I guess I was hoping that maybe I could offer a new way to help narrow this search down. It has been extremely frustrating to see someone so blatantly cocky in how he is taunting the authorities, yet threaten people's lives...this person is taking pictures of "intended targets" and their young children saying "maybe they won't make it home tonight" and much, much worse...I have reached out to local authorities to offer any help, and I haven't had any response, so at this point I am not going to do anything to slow or interfere with any investigation... this person needs caught.

As a secondary, I was thinking that by looking at the type of traffic, by using a sniffer/IDS or some mechanism to generate a list of possible users so if authorities came knocking I could help them ask for the correct information for a warrant.

My personal guess is that they are not from this area, possibly overseas from the US and using proxies that are nearby the target community. That means any looking into my network won't do any good except find any "exit nodes" in the TOR world, but there are several other ways to do the same thing, and too many to keep up.

Eric Rogers
PDS Connect
(317) 831-3000 x200

The only thing that's more likely to get you into trouble that acting "under
color of law" (meaning doing it at the express request of law enforcement) is
taking the same actions *not* under color of law (at which point it's your
problem, not law enforcement's, if you break any laws).

I have an idea. Indianapolis Cybercrime should stop playing politics and
treat people like me who are willing to help, and were hugely successful
with respect, and not like a mob informant.
That said, post Snowden, I doubt I would go back... even with Brian Kils

Andrew D Kirch.

Was this intended for the list? It's a bit confusing.