
Tor and LE
cineaste 8 Reviews 680 reads
posted
1 / 8

Fascinating stuff. Reading between the lines of the article, it sounds like the Feds set up a bait site with malicious code that sent them information about the requester's PC. That is, TOR wasn't hacked, but some sort of script or cookie was used to circumvent TOR's game of anonymous server ping-pong.  

Posted By: breadmaker
It appears that the feds have figured out how to breach the anonymity of the TOR browser which is used to mask IP identities through a series of relays.  TOR has been recommended on this board earlier.  
 In this case, they did it on behalf of a commendable effort to shut down a child porn network.    
 It strikes me as unlikely that local LE would have this kind of electronics expertise but with regard to interstate or international internet use, this could be an issue, probably against large enterprises.  
 I cannot post the zdnet article on this because it gives names.

MsDynamite See my TER Reviews 574 reads
posted
2 / 8

As a geek. If I can do it,  anyone else can.  
Can't really hide the true source in the US  
that's why I find those proxy server and IP masking programs useless if anything.
If LE really wants you and whatever's on your computer or mobile device they'll get it, I don't doubt our local LE agencies' expertise at all.
The point is to have good back up & a strong defense in case anything goes awry.  

Posted By: cineaste
Fascinating stuff. Reading between the lines of the article, it sounds like the Feds set up a bait site with malicious code that sent them information about the requester's PC. That is, TOR wasn't hacked, but some sort of script or cookie was used to circumvent TOR's game of anonymous server ping-pong.  
   
Posted By: breadmaker
It appears that the feds have figured out how to breach the anonymity of the TOR browser which is used to mask IP identities through a series of relays.  TOR has been recommended on this board earlier.  
  In this case, they did it on behalf of a commendable effort to shut down a child porn network.    
  It strikes me as unlikely that local LE would have this kind of electronics expertise but with regard to interstate or international internet use, this could be an issue, probably against large enterprises.  
  I cannot post the zdnet article on this because it gives names.

cineaste 8 Reviews 407 reads
posted
3 / 8

TOR is pretty robust, using layers of encryption and a series of middleman servers to prevent any given server from knowing anything other than the previous server and next server in the connection chain. It's been successfully used by political dissidents to the extent that authoritarian regimes have tried to block access to the server network.

But what this shows is that if the destination website is out to get you, and gets you to run some malware, TOR can't do much about it. The lesson I glean from this is that TOR works for what it does, but isn't a magic force field that can protect you from being compromised in other ways.  

I don't think this has much bearing on this industry, as this would be a very resource intensive method of getting information that isn't itself enough to make a bust (it isn't illegal to look at an escort site), for a very small share of users. (TOR is a pain to use - slow, and a lot of things don't work on TOR browsers.)

MsDynamite See my TER Reviews 437 reads
posted
4 / 8

They get people on just agreeing to meet up these days.  
Jeez, even a text gets someone in a load of trouble, another reason to have a strong defense. I noticed they like to put words in our mouths for the sake of a bust as well.
Like I said it's pretty useless, the lag is one of the reasons and no it's definitely not illegal to look at or post on an escort geared forum like this one however they do make cases out of virtually nothing.  
I do agree with going after people involved in crimes such as underage trafficking (it's not just for sex work) & child pornography.
 For everything created to hide identity the Feds have a way to break it. That's just a given.

cineaste 8 Reviews 314 reads
posted
5 / 8

We might not even be disagreeing, but while risk can't be avoided, services like TOR (if you can tolerate the inconveniences) can still help. Frankly, I use TOR more to protect myself from prying eyes at my ISP. LE avoidance requires a completely different set of precautions.

MsDynamite See my TER Reviews 349 reads
posted
6 / 8

Exactly! :)

Posted By: cineaste
We might not even be disagreeing, but while risk can't be avoided, services like TOR (if you can tolerate the inconveniences) can still help. Frankly, I use TOR more to protect myself from prying eyes at my ISP. LE avoidance requires a completely different set of precautions.

notfinnish 307 reads
posted
7 / 8

As the parallel thread rightly points out, this "breach" isn't really a Tor breach at all, but surfing to a set of compromised web sites that run as "hidden services" on the Tor network. Tor wasn't breached; rather, websites that some folks visit with Tor were hacked. Without diving into the technical details of the exploit, I think there are a couple of reminders that folks on this board that care about such matters should take away:

1) Always be wary of allowing javascript to run, and only allow it to run if it comes from a trusted source. If you are a Firefox user, learn to use the excellent 'NoScript' plugin (see noscript.net). As a rule you should be very wary of any "third-party javascript" (i.e. javascript that is coming from some site other than the one you are visiting). Probably the most common purpose of third-party javascript these days is for tracking you.

2) Pay attention to cookies being set --- only allow cookies from sites you have a trusted relationship with. If a cookie is being set for a site that you aren't (intentionally) visiting, that should be a red flag. Many browsers have the ability to disable third-party cookies altogether and to *ask* you before allowing first-party cookies to be set ... learn to use this. If your browser doesn't allow this level of control, then find a plugin or a different browser. Third-party cookies are almost always associated with tracking.

3) Use SSL (https) whenever possible. Without SSL, the web page can be manipulated (i.e. a "man in the middle" can inject malicious code) while in flight to your browser.

This particular exploit seems to have been packaged as third-party javascript and also utilized cookies. An alert user paying attention to javascript and cookies would probably not have been compromised.

 

And some thoughts to those of you that have websites of your own: carefully vet the javascript that you use; be extra wary of third-party javascript use (i.e. your domain name should be the source of all javascript, etc. that you use); support SSL connections; and consider adopting the practice of "progressive enhancement" (wikipedia.org/wiki/Progressive_enhancement). Can your site achieve its goal if javascript and cookies, etc., are all disabled?
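
Added example, not part of the original post: one way a site owner could check a page against the advice above that all javascript should come from the site's own domain and be served over SSL. The page URL `https://example.org/`, the host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for a hypothetical site served at https://example.org/
SAMPLE_PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.tracker.example/t.js"></script>
<script src="http://example.org/js/legacy.js"></script>
<script src="//ads.example.net/banner.js"></script>
<script>document.title = "inline, first-party by definition";</script>
</head><body><img src="/logo.png"></body></html>
"""

class ScriptAudit(HTMLParser):
    """Flag <script src=...> tags that are third-party or not fetched over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # list of (issue, resolved URL)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: no external source to check
        # Resolve relative and protocol-relative URLs the way a browser would.
        url = urljoin(self.page_url, src.strip())
        parts = urlsplit(url)
        if parts.hostname != self.page_host:
            self.findings.append(("third-party", url))
        if parts.scheme != "https":
            self.findings.append(("not-https", url))

def audit(html, page_url):
    """Return the findings for one HTML document served at page_url."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for issue, url in audit(SAMPLE_PAGE, "https://example.org/"):
        print(f"{issue:12} {url}")
```
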

crushedflowers 7 Reviews 283 reads
posted
8 / 8

...don't email anything that you wouldn't be happy to have written on the back of a postcard and sent to the recipient.  

It makes communication with people in this industry a challenge, I grant you, but a little imagination will always get you around that.
