Directory authorities are the point of contact for clients to locate relays/exit nodes/guard nodes/etc. This is determined by a consensus document that goes through an elaborate process to ensure its integrity and to allow bad directory authorities to be identified, also via consensus.
However, Tor developers are not the quickest lot, and this is basically the only document they serve that has any integrity control on it. Most interestingly, the public keys for every other node in the network are served without any form of signature or other integrity control.
As such, a rogue directory authority, which anyone can become simply with a configuration option and an IP, can introduce path bias and other such tricks by serving the wrong keys for relays/guards/exits that it doesn't control. This can result in essentially directing clients through the network by causing decryption failures, thereby allowing determination of the source and end-point of a given Tor connection with little more than a couple of relays and some rogue directory authorities. Moreover, it can exploit the simple-minded metrics meant to identify rogue guard nodes and couple them with the behavior of public key cryptography to cause legitimate guard nodes to be flagged as having excessive extend cell failures, ultimately causing them to be marked as bad.
As such, this entirely defeats the half-witted fix that guard nodes were intended to be: rogue guards working in conjunction with rogue directory authorities, which serve bad public keys for all nodes except their own, gain the ability to cause clients to reconnect to guard nodes at their leisure.
These are design flaws in Tor. Don't outsource your security, especially if it's to people like Appelbaum and other incompetents. The fact is the US government doesn't need to backdoor Tor; they just get to let the dunces think they're competent.