Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts

silver.bullet at zoho.com
Sun Aug 9 13:19:27 UTC 2015


On Sun, 9 Aug 2015 13:20:14 +0100, Colin Law wrote:
>On 9 August 2015 at 12:57,  <silver.bullet at zoho.com> wrote:
>> On Sun, 9 Aug 2015 12:20:32 +0100, Colin Law wrote:
>>>I begin to think you are a politician as I cannot get a simple yes/no
>>>answer :) I asked
>>
>> It's because we reply to the mail of the other at the same time. We
>> reply to older mails.
>
>Yes, you are right.  Sorry.
>
>>
>> The problem is the nature of "trust".
>>
>> In the end it's a philosophical question, that can't be answered by a
>> simple yes or no.
>>
>> From a technical point of view, it's already harder for a
>> government to redirect to faked ISO and checksum download sites and
>> at the same time to redirect every possibility to share a valid
>> public key.
>>
>> They need to redirect all key servers, they even need to redirect to
>> a faked, edited mailing list archive without too much delay.
>>
>> With this mail to the list, I could post a good public key, somebody
>> else could provide a good public key to validate other public keys
>> in a different way somewhere else. The government needs to get
>> control over the whole Internet. This is impossible!
>>
>> No government has absolute control over the Internet!
>> OTOH while you most likely could find a way to validate ownership of
>> public keys, there's most likely no way to trust everything
>> provided by Ubuntu, even if you should trust the Canonical owner and
>> all package maintainers. They can't verify the complete source code
>> they use to provide their packages.
>>
>> In the end you need to trust the community, other humans, yourself.
>
>Understood.  Thanks.


Most likely the OP can trust the public key downloaded from a key
server. Governments usually pay coders to add backdoors into security
relevant code. Sure, it's all hearsay, e.g. 
http://slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack ,
but this is more effective and more likely happens, than trying to
redirect official web pages of major Linux distributions and trying to
spread bad public keys. It would cause too much attention as soon as a
bad key attracts attention and sooner or later several bad keys would fail
validation by other public keys.




