Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

silver.bullet at zoho.com silver.bullet at zoho.com
Sun Aug 9 11:29:34 UTC 2015 

On Sun, 9 Aug 2015 13:20:11 +0200, silver.bullet at zoho.com wrote:
>On Sun, 9 Aug 2015 12:03:45 +0100, Colin Law wrote:
>>On 9 August 2015 at 11:53,  <silver.bullet at zoho.com> wrote:
>>> Note, there are two things you need to trust.
>>>
>>> 1. Do you trust an ISO signed by Donald Duck?
>>>
>>> Assumed you do, you need the public key of Donald Duck.
>>>
>>> 2. You need to trust that the key is really owned by Donald Duck.
>>>
>>> You can trust the key of Donald Duck if you got the key from him,
>>> instead of downloading it from a key server, or because you got a
>>> key from Daisy Duck and you trust Daisy Duck, while her key
>>> confirms that the key you own from Donald Duck, is really the key
>>> from Donald Duck and not just a faked key owned by Gladstone Gander.
>>
>>Is that intended to be an answer to my question "So in practice how
>>would I actually go about verifying an Ubuntu ISO in a country where
>>all my web access may be intercepted and faked?"?
>
>No, I received it after I sent my reply. But indeed, it does answer
>this question.
>
>>You did not quote anything so I don't know.  If it is then I believe
>>you are saying that I cannot verify an Ubuntu ISO in such
>>circumstances unless I can get the key from another source, such as
>>physically smuggling it into the country, or from someone else that I
>>trust who has obtained it by a trusted route.  Is that your meaning?
>
>Yes, that's what I pointed out :).

You not necessarily need to physically smuggle all the keys you need,
you only need to physically smuggle one key that can validate all the
other keys you need. It not necessarily has to be done by "physically
smuggling", it also could be done by signed or encrypted emails, assumed
you at least have a key you trust for this purpose.

However, there must be at least one key that is safe and can be used to
validate other keys or to send encrypted or signed mails to share
verified keys.

More information about the ubuntu-users mailing list