Slashdot got this one wrong. As usual, Schneier got it right, which merely highlights the importance of trusting in individuals rather than organizations for due diligence and competence:
Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It’s just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat.
This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn’t have to break Tor; they just used conventional police mechanisms to get Kim to confess.
Tor didn’t break; Kim did.
Tor User Identified by FBI
(Okay, that last line was a little stupid. He’s saying that PEBCAK. Even that isn’t really true here.)