There's a fundamental limit to what is blockable.
Even if all strong cryptography is prohibited and all that can legally be utilised is a backdoored version, a steganographic option can be incorporated in a way that is mathematically undetectable - albeit at rather low bit rates relative to the absolute rate of the stream.
The problem for censors is that there is no such thing as optimal compression for a given stream, since the optimality of a given compression codec is a probabilistic function of all data streams that could feasibly be compressed with the given codec.
What do I mean by this? Inoptimality is fundamentally immeasurable (even when a more optimal version is feasibly calculable, it may be inefficient to utilise it due to the increased complexity involved in encoding or decoding - and the possible reasons behind any given encoding choice are indistinguishable from each other), so a sliver of a data stream could potentially be utilised to package encrypted data in a manner that is fundamentally indistinguishable from encoding inoptimalities.
In a world where a huge amount of our data is ultra-high bandwidth multimedia content coupled with personal super-computers, cryptographically indistinguishable steganographic communication channels of a more than useful bandwidth are well within the realms of feasibility.
That's technically true but largely irrelevant because it ignores the hard problem: if you're a covert agent supported by a major power, sure, you may have the opsec training and resources needed for that to be relevant but in most cases the question is not crypto magic but how it handles discovery, trust, and individual compromises.
You can have perfect steganography but as soon as a government informant says they got contraband data from you people are going to jail or worse. Similarly, all of the plausible deniability in the world won't help if they compromise your system and record you accessing that data.
Among other things, this kills widespread underground media dissemination because as the number of people increases the odds approach certainty that state actors will learn how to access it, and the risk to users increases constantly – how well do you really know the person who hooked you up with an invite code? Is the P2P node you're connecting to anything other than a honeypot? The hottie you hooked up with last night – really into you or just installing malware on your computers and mapping out your social network?
(Lest you think that's a stretch, consider e.g. http://www.bbc.com/news/magazine-29743857 and ask whether the Chinese government is more or less concerned with activists)
Dissent against authoritarian governments will always be a game of cat and mouse - sometimes the cat will catch the mouse, there's no preventing that.
But I think that you're underestimating the power of the mathematics here in terms of the levels of achievable misdirection.
If the government gets into your unencrypted context you're pretty much fucked - I'll give you that - but it does not necessarily mean that anyone else is going down with you.
Let's say you have an unencrypted piece of data telling you that the XOR of the least significant bits of a multitude of data streams contains secret data and a descriptor for the next source node. Most of the data streams will be completely innocent. Even once I extract that data I'll have no idea where the contraband information came from.
This naturally further reduces your bandwidth, and you'll need the streams to contain content that non-dissidents have a decent chance of downloading together by pure chance to reduce suspicion.
There are huge difficulties - but that does not come close to meaning that nothing can be done.
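The XOR-of-least-significant-bits scheme described in the comment above, as an added sketch that is not part of the original thread: the function names, the choice to alter a single carrier stream, and the sample byte strings are assumptions made for illustration. It shows that every other stream stays byte-for-byte unmodified, that dropping any one stream no longer yields the payload, and that the payload costs one bit per byte position across all streams, which is the bandwidth reduction the comment mentions.

```python
def xor_lsbs(streams: list[bytes]) -> list[int]:
    """XOR the least significant bit of each byte position across all streams."""
    n = min(len(s) for s in streams)
    out = [0] * n
    for s in streams:
        for i in range(n):
            out[i] ^= s[i] & 1
    return out

def bytes_to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits: list[int]) -> bytes:
    return bytes(
        int("".join(map(str, bits[j:j + 8])), 2) for j in range(0, len(bits), 8)
    )

def embed(covers: list[bytes], payload: bytes, carrier: int) -> list[bytes]:
    """Make the LSB-XOR of all streams spell `payload`, altering only covers[carrier]."""
    if len(covers) < 2:
        raise ValueError("need at least two streams")
    bits = bytes_to_bits(payload)
    if len(bits) > min(len(c) for c in covers):
        raise ValueError("payload needs one byte position per bit in every stream")
    # XOR of the untouched streams' LSBs acts as a mask over the payload bits.
    mask = xor_lsbs([c for i, c in enumerate(covers) if i != carrier])
    altered = bytearray(covers[carrier])
    for i, bit in enumerate(bits):
        altered[i] = (altered[i] & 0xFE) | (bit ^ mask[i])
    return [bytes(altered) if i == carrier else c for i, c in enumerate(covers)]

def extract(streams: list[bytes], n_bytes: int) -> bytes:
    """Recover n_bytes of payload from the XOR of every stream's LSBs."""
    return bits_to_bytes(xor_lsbs(streams)[: n_bytes * 8])

if __name__ == "__main__":
    # Constructed stand-ins for four media streams (64 bytes each).
    covers = [bytes((i * 37 + j * 11 + 5) % 256 for j in range(64)) for i in range(4)]
    payload = b"node:7"  # constructed sample: data plus a next-node descriptor
    streams = embed(covers, payload, carrier=2)
    print(extract(streams, len(payload)))      # all four streams together
    print(extract(streams[:3], len(payload)))  # one stream missing
    print(sum(s == c for s, c in zip(streams, covers)), "streams unmodified")
```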
A nation state doing traffic analysis will have people working full time to subvert the initial weak link of getting the software (which nobody else uses so simply possessing it will be seen as a sign of criminal intent) and keying information, doing statistical analysis to find why people have unusual access patterns to that innocent content and correlating people not known to be connected who are showing those same atypical patterns around the same time, etc. It doesn't matter if your source data is entirely fluffy kitten videos if there's a set of users inexplicably accessing the same set of videos in temporal or geographic proximity without a known link.
The other problem is trust: you said you'd have no idea where the key came from. Ignoring the high possibility of the state recording enough history to answer that question, the bigger risk is active subversion: using that software is evidence that you're trying to evade surveillance, which is risky no matter how warranted, and making those requests is clear proof that you're doing so. The hardest problem here would be detecting moles and honeypots: secret police distribute software versions which leak your activity to them, distribute keys online and in person, etc. They're not going to arrest you as soon as you install it but will wait, possibly for years, seeing who else your activity links in.
Obtaining the software is hard, that is certain - but human beings have been successfully smuggling contraband for as long as there has been such a thing.
And when you download the dozen specific fluffy cat videos, you don't just download that set - that would be fundamentally stupid - the set exists to mask the source, not to protect the receiver.
The receiver would download a naively popular superset of the target set - you mask suspicion by hiding with the sheep.
Absolute trust is fundamentally impossible (the place where there is no darkness is a legitimate concern here). How do you even know that the public keys on your machines are true, that the hashes of your OS ISOs are not false, that every semblance of the assumption of security that you are working within is not simply a cleverly laid trap designed to lead you to naively reveal your hitherto hidden intentions?
Eventually, you just have to run with "fuck it, I'll do what I can to cover my arse - let the chips fall where they may".
The fact that it is fundamentally impossible to know the underlying intention of any foreign consciousness or computational context does not necessarily mean that none can ever be trusted, only that they can never be fully trusted - and that you should use whatever degree of caution you believe is justified for the given situation.
I think it's very risky to conflate different classes of threat. Yes, the state could suborn a CA but simply using SSL does not make you stand out. Using software which is designed to evade surveillance is by itself a bad thing to be caught possessing and unless it's perfect it will leave traces which will draw attention.
The problem I'm concerned with is the promise: tell people that something like this works and they are likely to trust it – at least until news spreads about other people getting caught by basic statistical traffic analysis. This is basically the Bitcoin anonymity trap: the marketing guys like to run around telling people it's anonymous and people often miss the distinction that any mistake will cause it to fail open with a full public history.