[kmlymi]

I think it's because he was the only one accessing TOR on a monitored network during the specific time.

[srl]

Almost certainly.

I'm at reasonably large (~15000 students on-campus), and a friend using TOR to do ... something ... got caught not because he was the only one using TOR at the time, but because he was the only one using TOR, ever -- it was just too obvious.

[mseebach]

Reminds me of this XKCD: http://xkcd.com/1105/

[talmand]

How did they know the something was done by someone using TOR on their network?

[rickyc091]

There's a list of IPs that TOR networks run on, so they could just cross reference that.

[dijit]

tor exit nodes are easy to identify, if they had the co-operation of site.com then they'd not see the location, but they'd see the exit node.

[talmand]

I can understand they can the attack was done through Tor, what I don't understand is how they understood the attack originated on their own network through Tor.

[srl]

It came from a TOR ip.

[epsylon]

Good old Signal Intelligence.