The witness list can be pulled from any hub; it's a centralization/convenience exactly if you as a user don't want to care but trust a hub owner to keep up to date and make the choices for you. If you do want power and control, you still have it though.
What if a malicious hub owner pushes its own list of witnesses? Isn't it a security threat?
The "witness mechanism" of the network is still not clear to me. Maybe I have to go seriously to the white paper... (RTFM)
A hub can do that, but if a unit (transaction) has more than 1 mutation, it's invalid. Only when 1 witness is replaced by others as well, when the new witness has posted enough stamps, the "stability point" can be moved forward, and then the next witness replaced. Exactly how this works is in the whitepaper, do RTFineManual.
There are some small rules which need to be followed. The worst that happens if someone doesn't follow the rules is that those transactions are invalid; it's like sending malformed data.