Russia will fork Sailfish OS to shut out pesky Western spooks

Russia's Minister of Communications and Mass Media, Nikolai Nikiforov, has taken part in talks to form a consortium that will aid Russia in developing a custom mobile OS, reportedly a forked version of Jolla's Sailfish OS, to lessen its dependence on Western technology. Nikiforov held a working meeting last week with the …

  1. NoneSuch
    Devil

    Dear Russia,

    Get out of Ukraine and then we'll talk.

    Hugs and kisses

    The World.

    1. Ledswinger Silver badge

      "Get out of Ukraine and then we'll talk."

      But all the US-led regime change in Kiev, Iraq, Syria, Libya, that's just dandy?

      1. Anonymous Coward

        @ Ledswinger

        Boy are you stretching the truth. Kiev, really? That was all about the past and present battling oligarchs, the US had nothing to do with the Ukraine revolution. You must be watching RTV and smoking their Putin propaganda.

        I'll give you Iraq was regime change; but we had so little presence in Syria, Ukraine and Libya that it was bordering on negligence. Do you want to back up and try the UN to blame? They had more to do with the lack of continuity in Syria and Libya than anyone. Don't make the mistake of thinking that the UN is a US puppet as they are more in tune with Russia.

        And in answer to your question, yes! Regime change of dictators is ALWAYS good. Gaddafi was always a bad apple and was on the road to being deposed, Assad is more two faced than Janus and should be deposed, Saddam stepped over the line a long time ago and is old news.

        The only fault I find is the fact that we either left the area and did not keep forces in play or we did not have the troop presence (to begin with) we should have because Obama is a huge wimp and is more interested in his "legacy" than actually winning any military option. He hates our military people and disdains our veterans.

        1. Graham Marsden
          Facepalm

          @AC - Regime change of dictators is ALWAYS good.

          Sure, because it never leads to civil war, ethnic battles, religious wars, the rise of local "warlords" and huge numbers of innocent people being slaughtered or forced out of their homes because those who undertake said "Regime Change" have no idea of the underlying tensions or don't give a damn about them because they're more interested in trying to force their own ideology on the people (or just grab the mineral rights) and have no strategy other than "well, it's got to be better than what's before"...

        2. gbru2606

          Re: @ Ledswinger

          "He hates our military people and disdains our veterans"

          Only the many Generals and troops that believe they've been doing God's work for the past two decades I'm sure, and who can blame him?

        3. Queasy Rider

          Re: @ Ledswinger

          Yup, Obama is to blame. What for? Everything. Regime change, regime no change, the economy, the weather, that pimple on your face and that boil on your ass.

          Give us here a break and save your politics for other websites or a bar where somebody can actually reach out and touch you, forcefully.

          1. Dan Paul

            Re: @Queasy Rider

            You are absolutely right. He IS to blame for most of the political BS we have today because of his apologist views and wimpy responses to multiple crises. The Ukraine situation is only one such example. Obviously Putin is not afraid of Obama, but he sure stayed out of the way of every Republican President we ever had.

            Go find another place to spout the communist rhetoric and leftwing crap perhaps someplace in Texas where I hope someone can treat you like you seem to think I should be treated.

    2. WalterAlter
      Stop

      Eat BRICS You Swine

      >>Nikiforov talked of further developing an international consortium amongst the emerging BRICS economies, which would collaborate towards the industrial development of "alternative software products",

      This is the real reason why "NATO" is squeezing Ukraine, Poland, the Baltic republics, etc. to install ABM missile capability and host troops. Your banker dollars at work. BRICS is seriously upsetting the globalist oligarch honey bucket. Them fascistico-monopolist basterds would welcome WWIII and a subsequent new feudal empire where they will eat the livers of sentient humanity with fava beans and a nice Chianti.

  2. Anonymous Coward

    Dear Russia,

    Not even Russians would trust a Russian OS. Maybe you need to first pass a law requiring all Russians use it.

    Hugs and kisses

    The World.

  3. martinusher Silver badge

    Makes Business Sense

    The US government has a long standing history of interfering with technology and technology exports. Like a lot of things that have passed their sell-by date -- the embargo on Cuba being a good example -- the bureaucracies created to enforce these restrictions carry on way past their useful lives causing inconvenience to all that come up against them. Having alternatives makes a lot of sense.

  4. Eddy Ito Silver badge

    Paranoia over NSA tampering spurs de-Westernisation drive

    Just because they're paranoid it doesn't mean the NSA isn't out to get them.

    1. elDog Silver badge

      Re: Paranoia over NSA tampering spurs de-Westernisation drive

      That's childish. The NSA is just a "security" organization. It only exists to promote security by rooting around in everyone's pants - but only if those pants are outside of the US.

      The CIA is where the "operatives" live. They are just an "intelligence" organization and therefore are given free rein to interfere in everyone's lives (and pants). They deny any such involvement and if you ask you disappear. This is where all the nasty people from our prior democracy-building exercises go for post-retirement jollies and more taxpayer-funded salaries.

      The FBI is just an investigatory agency that has no power to enforce laws. And if they did, they would never be seen outside of the US. And if they trump all other policing forces within the US there is always the undercover SWAT teams to clean up the messes.

      This was actually fun to start writing and then I realized that there's no end of people with badges, guns, authority (self given or otherwise.) Local, state forces; vigilantes, biker gangs. Your neighbor who hates neighborhood kids on his/her lawn.

      1. Eddy Ito Silver badge

        Re: Paranoia over NSA tampering spurs de-Westernisation drive

        Obligatory Clint Eastwood.

      2. ST Silver badge

        Re: Paranoia over NSA tampering spurs de-Westernisation drive

        > The NSA is just a "security" organization.

        Wrong. It is a full-fledged spy agency, and everything that comes with it.

        > The FBI is just an investigatory agency that has no power to enforce laws.

        Wrong. It is a full-fledged law enforcement agency. It enforces laws. It is the US equivalent of a Federal Police. It has the power to enforce laws, as well as powers of arrest, interrogation and detention.

        Where do you get your information?

        1. Doctor Syntax Silver badge

          Re: Paranoia over NSA tampering spurs de-Westernisation drive

          @ST

          Did you hear a whoosh sound?

        2. elDog Silver badge

          Re: Paranoia over NSA tampering spurs de-Westernisation drive

          I guess my <sarcasm> tag was missing. So solly...

      3. This post has been deleted by its author

    2. Anonymous Coward

      "Paranoia"?

      Really? Paranoia? What paranoia? Are we REALLY expected to go on calling common sense "paranoia" even now that what was always OBVIOUS is now PROVEN?

      Seriously?

      "Concern over NSA tampering... "

  5. Mongo

    Same old hokey-cokey

    You put the NSA in

    You take the NSA out

    You put the FSB in

    And you're back under the knout

    You do the "*we're* the good guys"

    And start the secret courts

    That's what the new state's about

    Poor old Sailfish - started as Nokia's great hope, now bedrock for Finland's historic foe.

    1. gerryg
      Pirate

      Re: Same old hokey-cokey

      Yup, history repeating itself

    2. MacroRodent Silver badge
      Linux

      Re: Same old hokey-cokey

      Poor old Sailfish - started as Nokia's great hope, now bedrock for Finland's historic foe.

      Aren't you exaggerating a bit the historical significance of smartphone operating systems?

      Anyway, too bad Sailfish hasn't exactly made it even here in Finland. The only Jolla:s I have seen have been in the hands of certified Linux fanatics. Lumia:s are far more common. (I have one, so the NSA probably knows -or could easily find out- all my movements).

  6. Primus Secundus Tertius Silver badge

    What about the toolchain?

    It's not enough to have source code that you trust. You also need compilers, linkers, assemblers, library editors, etc that you trust.

    Maybe Russia has spent money on these things. I doubt that the UK has.

    1. ST Silver badge

      Re: What about the toolchain?

      > You also need compilers, linkers, assemblers, library editors, etc that you trust.

      GCC + GNU Binutils + GDB. I very much doubt they're infected.

      1. elDog Silver badge

        Re: What about the toolchain?

        And so easy to infect.

        Do you rely on the MD5 checksum? Lots of people don't even bother checking and it is subvertible.

        Do you recompile all of the libraries going into GCC/etc. from source? Do you recompile all the compilers from source? Do you trust the underlying OS?

        Do you trust your hardware layers all the way out to the NICs, the routers, the disk firmware?

        1. MacroRodent Silver badge
          Boffin

          Re: What about the toolchain?

          Do you recompile all of the libraries going into GCC/etc. from source? Do you recompile all the compilers from source? Do you trust the underlying OS?

          When the source is available, there is a verification method for the toolchain: Diverse double compiling, described by David A. Wheeler here: http://www.dwheeler.com/trusting-trust/

          The general idea is to use multiple independently developed compilers as a cross-check. It is not plausible that they are all subverted the same way.

          Note that this verification is possible only if the source is available, giving open source an edge in trustworthiness.

        2. ST Silver badge

          Re: What about the toolchain?

          > Do you rely on the MD5 checksum?

          No, I rely on the SHA256 checksum specifically because MD5 is subvertible.

          > Do you recompile all of the libraries going into GCC/etc. from source?

          Yes.

          > Do you recompile all the compilers from source?

          Yes.

          > Do you trust the underlying OS?

          Yes.

          Everything you mention thus far is open source. Free and Open Source if it's GPL. Compiler or assembler verification against this type of infection or attack is really not that difficult. It's very tedious and time-consuming to do, but not very difficult. You could, for example, take a Standard C or C++ Compliance test harness and compile it to assembler only with two different compilers, and then compare the results.

          This type of infection, if it exists, could maybe fool - read: sneak in undetected - for a very very small number of test programs. It's impossible to fool 50,000+ different very small test programs, each one of them exercising a very specific feature of the language.

          There's more sophisticated methods of testing as well: you take two different compilers - GCC and some other one - and you create two different builds: one build bootstraps each compiler with itself, the other build bootstraps each one with the other one. And then you compare the resulting assembler from both builds. Again you need a very large set of small test programs.

          > Do you trust your hardware layers all the way out to the NICs, the routers, the disk firmware?

          If it's a closed-source binary-only blob, such as hardware firmware or drivers, then all bets are off.
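The diverse double compiling check that MacroRodent links to, and the cross-bootstrap comparison ST describes, sketched as a toy model. This is an added example, not part of any commenter's post: compilers are reduced to a hash of (code-generation style, source text, hidden payload), and the names `Source`, `Binary`, `cc-A`, `cc-T`, `styleA` and `styleT` are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass


def digest(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


@dataclass(frozen=True)
class Source:
    name: str     # which compiler this source builds
    codegen: str  # code-generation style a compiler built from it applies

    @property
    def text(self) -> str:
        return f"program={self.name};codegen={self.codegen}"


@dataclass(frozen=True)
class Binary:
    bits: str             # what a checksum of the executable sees
    codegen: str          # how this executable emits code
    trojan_for: str = ""  # hidden payload: compiler source it re-infects

    def compile(self, src: Source) -> "Binary":
        # A subverted compiler recognises its target's source and re-inserts
        # the payload, although the source text itself is clean.
        infect = bool(self.trojan_for) and self.trojan_for == src.name
        payload = f"TROJAN:{self.trojan_for}" if infect else ""
        bits = digest(self.codegen, src.text, payload)
        return Binary(bits, src.codegen, self.trojan_for if infect else "")


def honest_binary(src: Source) -> Binary:
    """Self-hosted build of clean source by a clean compiler."""
    return Binary(digest(src.codegen, src.text, ""), src.codegen)


def trojaned_binary(src: Source, target: str) -> Binary:
    """Build of the same clean source that carries a payload aimed at `target`."""
    return Binary(digest(src.codegen, src.text, f"TROJAN:{target}"),
                  src.codegen, target)


def self_rebuild_matches(c_a: Binary, s_a: Source) -> bool:
    """Naive check: rebuild the compiler with itself and compare bits."""
    return c_a.compile(s_a).bits == c_a.bits


def ddc_matches(c_a: Binary, s_a: Source, c_t: Binary) -> bool:
    """Diverse double compiling with an independent compiler c_t."""
    stage1 = c_t.compile(s_a)     # A's logic, emitted in T's style
    stage2 = stage1.compile(s_a)  # A's logic, emitted in A's style
    return stage2.bits == c_a.bits


S_A = Source("cc-A", "styleA")  # audited source of the compiler under test
S_T = Source("cc-T", "styleT")  # source of the independent second compiler

if __name__ == "__main__":
    clean_a, bad_a = honest_binary(S_A), trojaned_binary(S_A, "cc-A")
    clean_t, bad_t = honest_binary(S_T), trojaned_binary(S_T, "cc-A")
    for label, c_a, c_t in [("clean A, clean T", clean_a, clean_t),
                            ("trojaned A, clean T", bad_a, clean_t),
                            ("trojaned A, T subverted alike", bad_a, bad_t)]:
        print(f"{label}: self-rebuild={self_rebuild_matches(c_a, S_A)} "
              f"ddc={ddc_matches(c_a, S_A, c_t)}")
```

The self-rebuild check passes for the trojaned binary, which is why a second, independently developed compiler is needed. The third case shows the limit of the method: if both compilers are subverted the same way, the comparison matches again.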

          1. Robert Helpmann?? Silver badge
            Childcatcher

            Re: What about the toolchain?

            > Do you rely on the MD5 checksum?

            No, I rely on the SHA256 checksum specifically because MD5 is subvertible.

            > Do you recompile all of the libraries going into GCC/etc. from source?

            All of which arguably misses the point. If you have to go through this much trouble to mod a piece of consumer electronics before you are comfortable using it, the situation is FUBARed. You can perhaps make your stuff secure. You still have not addressed the communications channels you will have to use for your phone and you definitely have not addressed issues with the phones of everyone else you contact with yours (or for sites you visit online, for that matter). While I think more secure tech is worth pursuing for a number of reasons, there is no tech solution to this.

            1. ST Silver badge

              Re: What about the toolchain?

              > If you have to go through this much trouble to mod a piece of consumer electronics before you are comfortable using it, the situation is FUBARed.

              No, it's not FUBAR-ed at all. It's called software engineering. You want a secure system? You have to build it that way. That starts with the compilers.

              Any Linux distro that you download and install goes through the same exact process: they verify the SHA256 checksums, they build everything from source, and they run the corresponding test harnesses.

              It does get dicier with hardware.

              What I understood from reading the article is that the Russians are investing in building their own hardware - an ARM64-compatible chip and the associated boards and chipsets. They've already built an Intel EM64T and a SPARC64 emulator on the Elbrus-4S, and the design of that chip is fundamentally different from the designs of either Xeons/Pentiums or the SPARC64 chips. From what I read in Wikipedia about the Elbrus-4S, they have successfully booted the SPARC64 Linux kernel and glibc 2.7 on it. So, they seem quite adept at designing and baking very advanced chippery, and at writing compilers for it.

              You should give SELinux a try. It comes with Fedora. It's the closest to a hardened system one can get in the US. Yes, SELinux was written by NSA.

              Android and iOS are not good examples of hardened systems. They are full of security holes and exploits, intentionally and by design: Android is not SELinux, and iOS is the consumer-insecure version.

              Cyanogen's Android distros are based on SELinux. YMMV as to how well it works on any given particular device.

              I can't think of any reason why this Russian Jolla clone wouldn't run on a hardened SELinux-like implementation, with a hardened JVM - if they choose to go the Java VM clone route for the applications layer.

    2. Anonymous Coward

      Re: What about the toolchain?

      SHAnnn is not the hash "family" you are looking for.

      They're all just RR/NSA's beloved (systemically b0rked) Merkle-Damgård contrivance - just rehashed* a bit by the very same NSA after the wheels finally fell off their original MD5 ruse.

      If you want an NSA-free MD5 hash it's called Whirlpool... and it'll have to do for the next 10-20 years until the SHA3 contenders have all had a THOROUGH going over.

      *please forgive the little jokie

  7. x 7 Silver badge

    Russia

    Let's just nuke it. Nothing to worry about then. And maybe China while we're at it, get rid of the debt problem.

    1. Anonymous Coward

      @x7

      I assume this is meant ironically, but if not I suggest you use Google to find the likely effects of even a limited nuclear war in the Northern Hemisphere. Good news: We can stop worrying about climate change. Bad news: we can also stop worrying about what to have for dinner, and the collapse of the NHS.

      1. x 7 Silver badge

        Re: @x7

        Ironic? Absolutely not.

        If that belief was good enough for Ronnie Reagan, it's good enough for me.

        1. Afernie

          Re: @x7

          Except Ronnie was joking. I think.

  8. All names Taken
    Alien

    A good start but ...

    ... does it really matter (apart from scada type intrusions?) what hardware and OS a computer has?

    All of that is compromised as soon as it connects to a network of any sort; nonetheless, a step in the right direction and maybe (just like Google & Android) another way to diversify ITcoms gene pool and ecosystem?

  9. Marketing Hack Silver badge

    If you don't want to get backdoored, just go back to old rotary analog phones!

    But then, I've always wanted to pick up the phone and say "Hello Central!? Get me Klondike 5427!"

    (Dear Reg--can we please get some kind of "Joy of archaic technology" icon?)

  10. Graham Marsden
    Big Brother

    Reminds me of...

    ... an old joke about Russians using dial up.

    "We have a three line modem, one for me, one for you and one for the KGB."

  11. tempemeaty
    Big Brother

    Dear Putin; Please make your OS have an English option. Thank you.

    It would be nice to have a smartphone with no back doors. As it is, anytime American authorities desire they, supposedly, can shut most of them down over wide areas during a police state action against protesters. It would be nice to have the one Russian made phone that is up and working so I can still contact loved ones.

    1. Captain Hogwash

      Re: It would be nice to have...

      Surely there would need to be another Russian made phone that is up and working in order for your loved ones to be able to take your call?

    2. cambsukguy

      Re: Dear Putin; Please make your OS have an English option. Thank you.

      I think the authorities use control of the cell towers and switch them to emergency-only personnel if the circumstances arise.

      What you would need is a cellphone that is allowed to use the system when it goes into civil defence mode.

      And that is controlled externally to the phone (probably via SIM/IMEI/IMSI) - possibly doable via cloning but difficult - no phone OS is getting around that block.

    3. Anonymous Coward

      Re: Dear Putin; Please make your OS have an English option. Thank you.

      You have no idea what "Stingray" is or how it works, do you? You also need a "Cell" to have a "Cellphone" no matter what the phone operating system is. That cell tower can be snooped on completely independent of the phone. Who's to say that they use end to end encryption in the phone system? "Stingray" creates a fake cell tower and I'll guarantee it doesn't have end to end encryption.

      If you do, I have a bridge property you may be interested in buying.

  12. Dinsdale247

    Get Real

    First, this is nothing but a "me too" grab at people's data. Like the Russians and the Chinese are somehow above putting in their own back doors?

    Second, as someone who has worked through the porters Hardware Adaption Toolkit for Sailfish I can tell you there are lots of places to hide nefarious code. Sailfish relies on binary Android drivers and the entire "phone" part of the OS is a proprietary blob. If they had said "we are using mer and QT/lipstick" then perhaps they would have a point.

    Either way IT'S JUST LINUX PEOPLE! Forget the compiler, as Heartbleed has painfully pointed out, no code is perfect, no matter how many eyes are supposed to be on it. Slipping a little buffer overrun into millions of lines of code is easy. Also, once you install a third party app, all bets are off.

    Anyway, if you want real security then start with OpenBSD. Everything else is vulnerable.

  13. cambsukguy

    A state should be able to produce an OS

    An utterly new one, from the ground up, suited to the purpose they require, with no source code outside their purview whatsoever.

    Then they can mandate its use (we are talking authoritarian states here) wherever they wish. They could even port their OS to other hardware such as Android tablets and not allow the sale of foreign hardware without it. Obviously, owning such hardware without their OS would be treasonous.

    The state can perform cell tower intercepts of all conversations by merely mandating that they supply all SIMs to anyone connecting to a network in their country. Satellite phones or extra in-phone encryption are the only way to avoid it, and the latter would be detectable and thus risky in any case.

    I am sure North Korea does some of this now.

    Ultimately, it doesn't matter. The US/Israel managed to corrupt equipment inside nuclear installations in an enemy country for years, causing major harm before detection.

    Whatever system you run, someone may corrupt your design, your engineers, reverse engineer it and find weaknesses or hack into the system in some way regardless.

    The only reason the NSA/GCHQ doesn't read your information now (if it isn't) is because it doesn't need to, you are not a Person of Interest. Best to keep it that way.

    Oh, and you may think it is cool to try to subvert their position by never telling them anything but information about the movements and actions of innocents (you and me) can often be useful in gaining information about the people they do want information on - at the very least allowing them to discount us from searches.

    Imagine the UK authorities are trying to track a 7/7-style terrorist through London. The simple fact is that every single device that doesn't tell them anything about the owner (a burner, no internet history, call logs only to other burners etc.) means they can't discount it and have to spend resources cross-checking that device.

    You may think it is cool to encrypt every email that says you are going to a show next Friday but imagine just for a moment that the only emails that were encrypted were emails that were trying to hide something that actually mattered. At the very least, it would allow resources to be targeted more easily.

    And this is from an authority sceptic. It is just that I am not an anarchist and I accept that security comes at a cost.

    1. Kye Macdonald

      Re: A state should be able to produce an OS

      This is absolutely fine as long as you can guarantee two things. The first is that every person with access to the data is neither corrupt nor corruptible. The data must never ever be used by anyone for any reason other than the specific enforcement of the codified laws. So your mate who works at police dispatch can NEVER look up the number plate of the creepy car you saw cruising around.

      The second is that laws never change and/or that data that was collected prior to the law change is never ever accessed for the purposes of those laws. For example in Queensland, Australia it became illegal to own a tattoo parlour and be a member of an "outlaw motorcycle gang". But being a member is not illegal and owning a tattoo parlour is also not illegal. Something tells me they used the data they had collected on who was in the gangs from before the law was enacted as proof of membership because many many people declared they had left the gangs in order to keep operating their businesses.

      Final point. All my business emails are encrypted because the information contained in them is sensitive. I deal in big money contracts that would impact share prices should the information become public prior to announcement. I have a duty of care to ensure that information remains private so it is encrypted. Not all encrypted traffic is bad guys talking.

  14. jelabarre59 Silver badge

    ROS

    I thought Russia was going to put some backing into ReactOS some years back. Had they done that ROS might actually be 5 years away from full-WinXP compatibility, rather than the 10-12 years it is right now.

  15. JLV Silver badge

    regardless of NSA crimes and misbehavior

    Is anyone, especially people living in Russia, going to benefit from using a Putin-sanctioned OS?

    This doesn't condone NSA & Five Eyes spying in the least, but let's be real, this is like putting the big bad wolf in charge of the little lambs' nursery.

    A pox on all their houses, NSA, FSB, Great FireWall of China. And I really would not think much of any OSS organization that in any way collaborated with this lot. Theo de Raadt had the right attitude when he told the US authorities to take a long walk off a short pier in piranha country some years back.

    Now, as to a collaboration with more accountable and less aligned governments, such as India or Brazil, for example, yes, I think it would be a good idea not to put all our eggs in the US basket.

  16. x 7 Silver badge

    So why does Russia need to fork Sailfish?

    Either the product is known to be secure and so doesn't need forking......or it's not known to be secure and is therefore the wrong starting point for a secure product
