It is non-obviously difficult.
It just has that feel of "secret society" to it, which tended just to reflect the informal power structures of the wider world anyway.
So it is a "collection" of secret societies, each with their own quirks. As a collection is constitutes a 'web' and perhaps the only commonality is the desire to not be part of the "public" web.
Posting anon, well that's obvious.
Then, use the early victims to catch the rest -- hopefully they're admin assistants, HR people, etc. Targeted attacks on the rest.
Black bag jobs on the remainder, using legal or extralegal means, based on value of the target. It's not worth bothering to black bag someone who you only want to get the big boss if the big boss is otherwise exploitable.
The key is you don't need to have a single exploit which works on 100% of your targets; you can do multiple things.
I wasn't arguing against encryption tools, just that serious attackers are plausible threats.
This entire parent+thread argument back and forth is completely absurd.
It doesn't matter whether he has sources. It doesn't matter whether that firm does or does not exist. It doesn't matter what you think of their tech or his explanation or who is who or what is what.
Your phone has two completely independent, full-featured computers inside of it, totally distinct from the actual computer that is your phone (that you use) that are completely out of your control, and depending on the model, have up to DMA control over your device.
Whisper systems does not solve this. SecurePhoneBlahBlah does not solve this. Moxie Marlinspike does not solve this. If you have a smartphone, you are owned at a deeper level than you've ever been owned before and there is nothing you can do about it other than removing your SIM card. Game over.
 The baseband processor and the SIM chip itself.
I can't buy some mathematically proven secure software, install it on a Chinese tablet and claim it is secure and expect it to get approved.
This is a funny market as some domestic analog components are hard to find today. Micron, I think, makes some but heck most are sourced from China.
This makes 'secure' hardware ridiculously expensive. As in $50k+ for switches and routers and there is a whole market specializing in it.
Now, one can look at it another way -- some security is better than no security. I can see the argument on both sides. At least if NSA can record my phone calls maybe the local cops can't and so on...
Only encrypted traffic goes through the mobile device, e.g. cheap Firefox phone. Decryption takes place on wifi-only "media player" device in the form factor of a phone.
This is still exposed to DMA attacks from wifi device, but it's a smaller attack surface. Next level of protection is a hardware IOMMU on Cortex-A15 or x86 VT-d, plus a Type-1 hypervisor to isolate the wifi device.
1. The SIM chip generally is not a full featured computer and I'm unsure that it would have DMA access. But yes the baseband processor is indeed an issue.
2. Products like this prevent the kind of passive data-slurping that has been popular so far - i.e. install a box at the telco and record everything. That's a good start.
So yes, it does matter and it's a good start, and it pushes up costs for pervasive surveillance.
And that's the point ... right now the stingrays and such simply act as IMSI catchers, etc., but if they can impersonate the carrier they can upload arbitrary java applets to the SIM card which can undermine the call-encryption app you are using. It's an obvious next step which you aren't protected against.
I don't know if any SIM cards get DMA access the way some baseband processors (not all) do ...
 You could get one of those little sim wrapper foils and enable encryption-only for your SIM (which it almost certainly does not have now) which I think would defeat a lot of the carrier-impersonation attacks ...
Pardon me for saying so, but your original comment and your responses to various requests for substantiation don't pass the bullshit test.
I'm not saying you are wrong, but I am saying you haven't remotely proven your claims to this audience.
This is an important point. We waste a lot of breath accusing people of having deliberately planted backdoors, and moving to alternatives that we think are too trustworthy to have backdoors in them.
Whether or not the programmers behave ethically, they're still going to make mistakes and write vulnerable code like everyone else, and you'd better believe the security services (and their contractors) are looking for them.
Everyone is being passively watched at some level, even if it is just for billing purposes.
Defense is always about defense in depth. Always.
Hijacking a smartphone by only knowing its number on the other hand does not seem realistic too me. So a source for this claim would be great …