Anonymity can be maintained even if the pattern of communication is not "normal". What you need for anonymity is for the parts of the system(s) you interact with to not identify you. This certainly should apply to the nodes you interact with directly, so they should be under your control (e.g. the user-agent software, the computer you use, the facility the computer is located in, etc.) Further out, the system components have to not have a centralized ID of the endpoints. Cellphone networks DO have a centralized hub, namely the cellphone company. The key to anonymity is to make sure that none of the parts of the system can identify you, either because they don't require a centralized ID, or because the ID provider / facility / computer you used to access the system is unwilling or unable to identify you.
The way that governments and other organizations combat anonymity is by requiring various systems to identify other parts of the system (e.g. cellphones) with unique identifiers before letting them use that system. There are only two ways to defeat this:
1) Create a fake user-agent, to impersonate existing identifier(s), or
2) Circumvent the requirement to identify oneself.
The first one will put individuals you impersonate at risk, but it is likely they'll be let go and not subjected to "rubberhose cryptanalysis". The second one will eventually attract the attention of the governments. If they can set things up in such a way that systems (e.g. Lavabit) that refuse to identify individuals are somehow punished, their license to operate revoked, etc. then this should prove a deterrent to anonymity.
In the real world there are plenty of systems in the world that do not care about who is sending the data through the wires (net neutrality is related). Some of them are tunneled over other systems. Tor is an example, Freenet is another. They use primarily legitimate, identified accounts (e.g. someone in their home using an ISP) to transmit this tunneled information, sometimes over a protocol that is indistinguishable from TLS. As long as things like SSL and TLS are allowed, this will be possible.
As long as such a system is distributed enough that it doesn't have a central way to shut it down, it will be infeasible for governments to intimidate enough operators of the system into shutting it down. These are the ways to have true anonymity. PerfectDark and Freenet are used in countries with oppressive governments.
Note that you can have a consistent identity and still be anonymous! This can be great for reputations, e.g. of app developers, app stores, antivirus companies and reviewers of software. I have written a lot more on the subject here:
http://magarshak.com/blog/?p=114
What the article describes is that steganography is hard. Acting in the real world while avoiding suspicion of a government with access to many systems (telephone systems, etc.) is hard. Which is probably a good thing. Terrorism is a problem of technology. 300 years ago it was nearly impossible for a few guys to kill thousands -- they'd be apprehended and stopped first. Today, there is more and more technology that empowers individuals to kill many people. This goes back to the machine-gun debate, but basically as capabilities grow (3D printers printing guns, for instance) so does the surveillance. Sadly the surveillance isn't going away, because the technology for both is only increasing.
Actually the problem goes beyond this. The adversary (Hezbollah in this case) correlated anomalous data (the weird mobile phone behavior) with information about people inside their organisation who had access to sensitive information. They could say "this apartment complex has a static mobile phone" and also "this same apartment complex is where the regional director of operations lives". This correlation is what allowed them to then place surveillance on the suspect and eventually they were able to unravel the whole spy ring (due to other tradecraft errors).
Here is why you are probably wrong about your techniques for avoiding detection. Essentially, we don't know what the capabilities of the adversary are, and therefore we can't develop effective countermeasures. We can postulate, and guess, but we can't know if our countermeasures are successful until they fail catastrophically. http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...
Here is how one can begin to unlink and operate anonymously, however it is not a viable long term proposition and few people can maintain the discipline to do this for extended periods of time. http://grugq.github.io/blog/2013/06/13/ignorance-is-strength...
The article does not talk about steganography. It talks about how in the real world real adversaries use real data to find real people who made real mistakes and really kill them. The problem was that the CIA case officer was lazy (or incompetent) and reused the same meeting places; the agents inside Hezbollah were contacted in a way that attracted attention, although it likely seemed very low profile at the time it was adopted; and Hezbollah was able to use this signal "something weird is happening at this location" to narrow the list of suspects that they had to surveil for counterespionage.
That could have been a coded message using a one-time pad. The encryption doesn't have to be super complex. If I didn't link to it, how would you know who posted it?
You'd have to track down pastie.org, or its ISP and see who posted this message around the time it was posted. Then you'd have to track down the IP that originated the message, and then talk to my ISP about who owns that IP. Even assuming everyone cooperated with you, I could have gone to a library and sent it from there. If they took some form of ID I could have faked the ID. Then you'd have to obtain video footage from the library of who used the computer.
But you'd get stuck at the first stage - it's unlikely pastie.org keeps track of who's posting. It's a case of #2.
Tor is much less resilient than Freenet because it's A) susceptible to traffic pattern analysis, and B) because each resource has a single point of failure - its host.
The thing about anonymity is that it is not about someone taking a single anonymous action. It is hiding the identity of a whole person, a person with many habits and many attributes.
All the information a person produces tells a certain amount about their habits and attributes. The more information one produces under a single handle or for a single purpose, the more information you "leak" about the person who is acting and the more a determined adversary can use to find less protected, less anonymous outputs that have the same signature.
So it is hard to be anonymous anywhere. Maybe you have shown how a determined person can take anonymous actions online. But the problem is people skimp somewhere. You can say X got caught because they didn't take Y precaution. But what may be going on is that with X's resources, he/she can only take some lesser level of precautions elsewhere. Given that she/he wouldn't/couldn't do the rest of the protections, he/she figured there wasn't a good reason to do Y - X could have been right in that X's life remained a bit happier till the inevitable day he/she was caught.
tl;dr: It's not the door but the building you gotta secure, and buildings are expensive.
You're missing the "nation state level adversary" component. I, personally, do not know your mobile phone number or the last cell tower that it associated with. But I am not your adversary. A nation state level adversary ipso facto has access to that information.
I suggest that you read the links I have posted and the articles I've written, both on http://grugq.tumblr.com and http://grugq.github.io ... there is a lot of information there about how to operate clandestinely.
I took a look at the links you provided. There's some interesting stuff in there. I note, however, that the downfall of guys like Ulbricht involved things like:
1) Single point of failure. This is also related to increased susceptibility to network analysis. Even if the CIA "can't deanonymize everyone all the time" they can deanonymize a given host of a given network, by analyzing traffic patterns, placing proxies in the way or backdooring the nodes in the network, etc.
2) Recording. As you say, he got serious about his security "too late". In an age where tons of stuff you do online can be recorded and found when needed, you have to protect your anonymity from day 1.
What I am claiming is that it's possible to BEGIN an alternate identity by leveraging techniques #1 and #2. #1 is what you can do with Freenet or PerfectDark - basically, distributed DHTs which DO NOT record the originator of a file. While it's true that a given freenode network can be compromised by backdooring enough nodes, that is much harder to do than with Tor. And #2 is what you can do with services like pastie and others who simply DO NOT have the capability in place to record who posted a message. As governments go after people, they will attempt to intimidate #2 type services.
Either way there can be databases listing the confidence that a given system does NOT record a particular identifier such as an IP address. The ones that score high can be used directly. The ones that score low must unfortunately be used via commandeered accounts and the steganography would proceed that way.
If there were truly no networks that the agents could trust, the agents could have aggressively employed steganography - they should have basically commandeered some email addresses in the country (http://xkcd.com/792/) and then tunneled messages through a number of different channels, including the text, the timing of the messages, the order of the messages, etc.
There are tons of ways to do this without falling prey to being doxed. However, once even the smallest bit is revealed (e.g. your literary writing style is identified) the whole thing can unravel IN THEORY.