Fuck fuck fuck. Apparently TOR has some vulnerabilities that can be exploited.
This is a feature of Tor which allows servers to be run without giving away the identity of the operator. These can be attacked by repeatedly connecting to the hidden service, causing its CPU load, hence temperature, to increase and so change the clockskew. Then the attacker requests timestamps from all candidate servers and finds the one demonstrating the expected clockskew pattern. I tested this with a private Tor network and it works surprisingly well.
You have to go to the link to read the whole deally at Light Blue Touchpaper. Good on them for giving us all the heads up.
Anyone got something better than TOR?