There is no doubt about the hidden service deanonymization attacks; they have been carried out on the live network and they work. Hidden services have crap anonymity: they are traced to entry guards in no time at all, and then it is a single court order (at most) from that point on to get the service's real IP address. And it isn't even that good, because in reality the hidden service has THREE entry guards, each of which can be quickly located and each of which can be used to obtain the hidden service's real IP address.
For all we know it took the FBI 5 years to even figure out that this attack is possible, and I wouldn't be at all surprised if they traced his hidden service with this attack, then put him under passive surveillance and used a timing correlation attack to ID him as FH admin after he made the Tor Bank post. Then, two weeks of paperwork later, they raided him. That is one of my top theories. Then they could have deanonymized anyone who accessed FH whose Tor entry guard they owned. They did not need to do only application layer attacks; that is only what we know about. They were positioned for 1/2 of a timing attack against anyone accessing the FH server; anyone who used a bad entry guard to connect to FH during that time would be deanonymized just as much as anyone who was pwnt by the JavaScript. There is a good chance they used traffic analysis as well as application layer attacks, and pwnt those who used their entry guards as well as those who had a vulnerable browser and OS targeted by the payload.
Application layer attacks are a big worry, but direct attacks on Tor are also a big worry. At least with application layer attacks we can use things like isolation to protect from them; direct attacks on Tor are even more worrying because there isn't a whole lot we can do short of hacking the Tor source code, and even if we make Tor as ideal as possible it is still limited by its fundamental design.
Doesn't matter where the relays are; if you are in the US, your traffic always enters through networks the NSA monitors. None of them would be better off with Tails in regards to anything other than possibly forensic analysis, if they don't boot Tails with a persistent volume. Qubes and Whonix are superior when it comes to protection from essentially all other forms of attack. And I do really understand the nuances of computer security; I studied it for many years and continue to do so.