Nothing within that suggests Tor has been cracked but highlights that enforcement agencies do not need to crack Tor if other elements of the infrastructure (Flash, Firefox) have vulnerabilities.
There are of course simple ways around that sort of issue. You can create a 2 VM system:
- proxy VM - 2 NICs, one public, one internal to VMs only, runs Tor, exposes only Tor SOCKS5 port to internal network, firewalls everything else
- main VM - 1 NIC, internal only, connects only to other VM on Tor SOCKS5 port. Preventing any application from being able to connect. This VM needs to be somewhat locked down from the host at minimum though, no VM file sharing, probably best to avoid other VM services too.
The only way to break this scheme would be to exploit the Tor proxy port itself to break into the proxy VM from the main VM or to break out of the VM itself. Likely harder than a large codebase like Firefox/Java/Flash. Of course, remember to snapshot and restore once you're configured to avoid any risk of persistent malware.
