Tor itself may still be technically secure. However, it can’t protect against stupid mistakes or concerted attacks. The FBI used traditional police methods as well as cyberwar techniques to bust a sickening child porn site hosted on Tor where members talked about torturing and killing infants. Tor sites can only be accessed using the Tor browser and are generally considered secure. Except when users make dumb errors, that is.
Timothy DeFoggi was just convicted of three federal child porn charges. Astonishingly he had been cybersecurity director of the U.S. Department of Health and Human Services. He probably should have know better than to use a screen name on the child porn site that he used on AOL or to not know that authorities can tell when you are using Tor, even if they don’t know what sites you are accessing.
The crucial break for the FBI came when the site operator accidentally left his admin account unprotected by a password. That gave them access. They then installed drive-by software on the site that infected anyone who accessed it, presumably allowing authorities to track users. And, of course, some of the users were FBI.
The malware that investigators installed remotely on the machines of visitors to PedoBook and McGrath’s other sites was designed to identify the computer’s IP address as well as its MAC address and other identifiers. The results were coordinated raids in April 2013 that swept up more than a dozen suspects.