Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

Colin Law clanlaw at gmail.com
Sun Aug 9 10:53:54 UTC 2015


On 9 August 2015 at 11:38,  <silver.bullet at zoho.com> wrote:
> On Sun, 9 Aug 2015 11:09:05 +0100, Colin Law wrote:
>>On 9 August 2015 at 10:43,  <silver.bullet at zoho.com> wrote:
>>> On Sun, 09 Aug 2015 11:22:37 +0200, Oliver Grawert wrote:
>>>>* do not use third party repositories like PPAs (unless you can and
>>>>want to inspect the source code in there before using the binaries)
>>>
>>> This depends on the trustworthiness. You might trust the Ubuntu
>>> maintainers and you might trust a PPA maintainer. Assuming you trust
>>> those people, then you still need trusted keys.
>>>
>>> I already posted it two times:
>>>
>>> https://help.ubuntu.com/community/VerifyIsoHowto
>>
>>Does this guarantee the iso is good if you live in a country where the
>>government may intercept your web access?  For example would it not be
>>possible to intercept access to the ubuntu keyserver and provide
>>fraudulent keys, matching those in the fraudulent iso file?
>>
>>I am not suggesting that this is the case here, just asking the
>>question.
>
> That's why you need a chain of trust, that you trust.
>
> You download the ISO, the signed checksum for the ISO and the public
> key that belongs to the signing of the checksum from some obscure
> locations that you can't trust. The ISO could be a fake, signed with a
> faked key.
>
> How do you know if a key is good or a fake?
>
> Searching for "open gpg owner trust" leads to
> https://www.gnupg.org/gph/en/manual/x334.html

So in practice how would I actually go about verifying an Ubuntu ISO
in a country where all my web access may be intercepted and faked?

Colin
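As an added example (not from this thread, and not the Ubuntu project's own script), here is one answer to the question above: do what VerifyIsoHowto describes, but pin the signing key's fingerprint to a value obtained out of band (printed on paper, read over the phone, or copied from a machine on another network), so that a key substituted on the way from the keyserver is rejected even though gpg would still report a good signature for it. It assumes gpg and sha256sum are installed, the key has already been imported, and PINNED_FPR is a placeholder, not Ubuntu's real fingerprint.

```shell
#!/bin/sh
# Added example (not from this thread or from the Ubuntu how-to).
# Verifies SHA256SUMS + SHA256SUMS.gpg the way VerifyIsoHowto does, but
# refuses the signature unless the signing key's fingerprint equals one
# obtained out of band, so a key swapped in by an interceptor is rejected.
# Assumptions: gpg and sha256sum are installed; the key has already been
# imported; PINNED_FPR below is a placeholder, not Ubuntu's real fingerprint.

PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# Read gpg --status-fd lines on stdin; succeed only if a VALIDSIG line names
# the pinned fingerprint. GOODSIG alone is not enough: gpg prints it for any
# key in the keyring, including a bogus one imported from a faked keyserver.
validsig_matches() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s' "$line" | awk '{ print $3 }')
                [ "$fpr" = "$pinned" ] && return 0
                ;;
        esac
    done
    return 1
}

# verify_ubuntu_iso SHA256SUMS SHA256SUMS.gpg <iso file>
verify_ubuntu_iso() {
    sums="$1"; sig="$2"; iso="$3"
    # --status-fd 1 puts the machine-readable status lines on stdout
    if ! gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        validsig_matches "$PINNED_FPR"; then
        echo "$sums: signature is not from the pinned key, do not trust it" >&2
        return 1
    fi
    # check only our image's line; the other images listed are not on disk
    grep -F " *$iso" "$sums" | sha256sum -c --strict -
}

if [ "$#" -eq 3 ]; then
    verify_ubuntu_iso "$@"
fi
```

The fingerprint comparison is the whole point: a keyserver reached through an intercepting network can hand you any key it likes, but it cannot make that key's fingerprint match the one you wrote down elsewhere.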
