Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

silver.bullet at zoho.com silver.bullet at zoho.com
Sun Aug 9 11:20:11 UTC 2015


On Sun, 9 Aug 2015 12:03:45 +0100, Colin Law wrote:
>On 9 August 2015 at 11:53,  <silver.bullet at zoho.com> wrote:
>> Note, there are two things you need to trust.
>>
>> 1. Do you trust an ISO signed by Donald Duck?
>>
>> Assumed you do, you need the public key of Donald Duck.
>>
>> 2. You need to trust that the key is really owned by Donald Duck.
>>
>> You can trust the key of Donald Duck if you got the key from him,
>> instead of downloading it from a key server, or because you got a key
>> from Daisy Duck and you trust Daisy Duck, while her key confirms that
>> the key you own from Donald Duck, is really the key from Donald Duck
>> and not just a faked key owned by Gladstone Gander.
>
>Is that intended to be an answer to my question "So in practice how
>would I actually go about verifying an Ubuntu ISO in a country where
>all my web access may be intercepted and faked?"?

No, I received it after I sent my reply. But indeed, it does answer
this question.

>You did not quote anything so I don't know.  If it is then I believe
>you are saying that I cannot verify an Ubuntu ISO in such
>circumstances unless I can get the key from another source, such as
>physically smuggling it into the country, or from someone else that I
>trust who has obtained it by a trusted route.  Is that your meaning?

Yes, that's what I pointed out :).





More information about the ubuntu-users mailing list