Security is not an easy business, we all should know it quite well. Probably the main issue is that you have to implement security with a comprehensive approach (the term often used is “holistic”). In other words, you have to consider all possible sides of the issues at hand, both technical, procedural and human. And if you forget one side of your problem, then all the rest you did, could add up to nothing. Not easy at all.
And this is what an Harvad kid should be thinking right now (see here for example): he did use Tor and other anonimization tools to send an anonymous threat to his university in order to avoid taking a test, but he used his campus network and did not consider the fact that very few students did use such tools and that the fact of using them would attract attention to himself. So it was not so hard to find him after all.