The NSA certainly does not control every Tor node. It controls some, but that
is not enough: see slides 21 and 22 (a list of six questions) of
http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
for what they consider(ed?) to try with their nodes.
I am not sure it is that easy to protect his system from being directly
attacked. Using a live system certainly is the best way.
As for taking advantage of user stupidity, it is indeed one of the NSA's
programs, named EPICFAIL. See slide 9 of
http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document