Questions about what methods investigators can legitimately use aside, the practical implications are clear. You cannot count on Tor alone for real anonymity.
So what might these NITs be doing? In the simplest case, they'd be dropping malware that reports ISP-assigned IP address, local IP address, network hardware MAC, and whatever to FBI servers. And it's probably Windows malware.
To protect against that, you isolate userland and the Tor process in separate machines, or at least VMs. So adversaries that compromise browsers etc. can't discover ISP-assigned IP addresses, and can't reach the Internet except through Tor. Also, you don't use Windows or OS X. Whonix does this, and you can run it in Qubes.
It's possible that these NITs are exploiting a bug in Tor itself. Even if that were so, however, isolating the Tor process from userland would mitigate that risk.
Perhaps the FBI has access to substantial numbers of malicious Tor relays, operated by the NSA etc. To mitigate that risk, you can hit Tor through nested chains of VPN services. Even if they identify the final VPN exit in your chain, they will probably need to track back through the chain to identify you. And by including unfriendly jurisdictions in your chain, you can make that harder.
Finally, it's possible that the NSA has sufficient global intercepts and logs to deanonymize any network connection, no matter how complicated and indirect. It's impossible to say.
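As an added example (not code from the comment above, and not Whonix's or Qubes' own tooling): a small Python audit that checks, from inside a workstation VM, the properties the comment describes. It parses constructed `ip addr show` and `ip route` output and flags anything that a compromised browser or Tor process could leak: a non-hypervisor MAC, an address outside RFC1918, or a default route that does not point at the Tor gateway's internal address. The gateway address 10.152.152.10 and both sample outputs are assumptions made up for illustration. Note the caveat in the comments: this only checks the workstation's own view of the network; whether the gateway actually forces everything through Tor has to be verified on the gateway's firewall, not here.

```python
import ipaddress
import re

# OUI prefixes handed out by common hypervisors. A workstation VM should only
# ever see one of these, never the physical NIC's hardware address.
VIRTUAL_OUIS = {
    "00:16:3e": "Xen/Qubes",
    "52:54:00": "QEMU/KVM",
    "08:00:27": "VirtualBox",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ip_addr(text):
    """Parse multi-line `ip addr show` output into {iface: {"mac": str|None, "addrs": [...]}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\d+: ([^:@\s]+)", line)
        if header:
            current = ifaces.setdefault(header.group(1), {"mac": None, "addrs": []})
            continue
        parts = line.split()
        if not parts or current is None:
            continue
        if parts[0].startswith("link/") and parts[0] != "link/loopback" and len(parts) > 1:
            current["mac"] = parts[1].lower()
        elif parts[0] in ("inet", "inet6"):
            current["addrs"].append(ipaddress.ip_interface(parts[1]).ip)
    return ifaces


def parse_default_routes(text):
    """Return the next-hop addresses of every `default via ...` line in `ip route` output."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "default" and "via" in parts:
            hops.append(ipaddress.ip_address(parts[parts.index("via") + 1]))
    return hops


def is_acceptable(addr):
    # IPv4 must be RFC1918; IPv6 is only tolerated as loopback or link-local,
    # since a global IPv6 address would identify the machine just as well as an IPv4 one.
    if addr.version == 4:
        return any(addr in net for net in RFC1918)
    return addr.is_loopback or addr.is_link_local


def audit_workstation(ip_addr_out, ip_route_out, gateway_ip):
    """Return a list of findings; an empty list means the workstation looks properly isolated.

    This checks only what the VM itself can see. It cannot prove that the gateway
    drops non-Tor traffic; that is the gateway firewall's job.
    """
    findings = []
    gateway = ipaddress.ip_address(gateway_ip)
    for name, info in parse_ip_addr(ip_addr_out).items():
        if name == "lo":
            continue
        mac = info["mac"]
        if mac and mac[:8] not in VIRTUAL_OUIS:
            findings.append(f"{name}: MAC {mac} is not a known virtual OUI; the hardware address may be visible")
        for addr in info["addrs"]:
            if not is_acceptable(addr):
                findings.append(f"{name}: non-RFC1918 address {addr} present; a routable IP is exposed to userland")
    for hop in parse_default_routes(ip_route_out):
        if hop != gateway:
            findings.append(f"default route via {hop}, expected the Tor gateway {gateway}")
    return findings


# Constructed sample: a Whonix-style workstation (gateway at 10.152.152.10, assumed).
GOOD_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
    inet 10.152.152.11/24 brd 10.152.152.255 scope global eth0
       valid_lft forever preferred_lft forever
"""
GOOD_IP_ROUTE = """\
default via 10.152.152.10 dev eth0
10.152.152.0/24 dev eth0 proto kernel scope link src 10.152.152.11
"""

# Constructed sample: a bare-metal box running the browser next to Tor, which is what a NIT hopes for.
BAD_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8c:16:45:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.5/24 brd 203.0.113.255 scope global dynamic enp3s0
       valid_lft 86399sec preferred_lft 86399sec
    inet6 2001:db8::1/64 scope global
       valid_lft forever preferred_lft forever
"""
BAD_IP_ROUTE = """\
default via 203.0.113.1 dev enp3s0 proto dhcp metric 100
203.0.113.0/24 dev enp3s0 proto kernel scope link src 203.0.113.5
"""

if __name__ == "__main__":
    for label, addr_out, route_out in (("isolated VM", GOOD_IP_ADDR, GOOD_IP_ROUTE),
                                       ("bare metal", BAD_IP_ADDR, BAD_IP_ROUTE)):
        print(label, audit_workstation(addr_out, route_out, "10.152.152.10") or ["OK"])
```

Run it on a real workstation by feeding in the live output of `ip addr show` and `ip route`; anything it reports is information a compromised process could hand to whoever is on the other end of the NIT.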
> To protect against that, you isolate userland and the Tor process in separate machines, or at least VMs.
This applies as well to people who run Tor hidden services that are doorkicker bait (like drug cryptomarkets).
It should be impossible for a compromised browser or hidden service server or Tor process to know anything about your hardware or MAC address, your internal IP address (the RFC1918 one), or your globally routable IP address.
Also, yeah, the Feeb loves to exploit browsers (especially Firefox :^) and make them execute the NIT (which just sends unencrypted/unauthenticated data, such as the MAC address, the Ethernet interface's IP addresses, the username, and stuff like that, to a computer run by the FBI).