MLABS Secure Phone (Sidco Endorsed!)

I believe, and may be mistaken, the website was prematurely published. Legal advice was to unpublish and wait on results of IP filings.

4 Likes

Thank you. That is a simple answer and one I can believe.

The company just needs to do what you did. Be transparent and stop disparaging its potential user base.

2 Likes

Well, this site (future) is asking me for my pic, and makes you use Java in order to log on, so that's shitty, pretty unsecure.
Calyx Institute has items that may be of interest to some who like security https://calyxinstitute.org/

@slurry nobody is asking for your pic, your operating system and device is what? You having the option to have an image of your choice vs your basic S for the first letter of your profile is your privilege.
The entire website is built on Discourse.org which you can find the source code for yourself.

Discourse is an open-source forum software distributed under the GNU General Public License (GPL 2). It is written in Ruby on Rails and backed by a Postgres database and Redis cache, with over 40,000 commits as of March 2022.

Also: your choice of CalyxOS is just another AOSP Rom. Hardly anything to throw your hands in the air about. Rather keep flashing my Beta Builds of Android 14 right from flash.Android.com

https://pyrephone.com/de-googled-phone-comparison-e-os-vs-lineage-vs-calyx-vs-graphene/

I’ve checked out Lineage and it’s more to my liking, Graphene comes with extra layers I don’t need but would be ideal for a security focused Gapps / separate from private apps model. Your share of the only other major AOSP rom doesn’t instill a Calyx>graphene vibe.
I’d rather crDroid lol. The options of ROMs are what GIVES us FREEDOM. You can make your own! This is why I take direct AOSP and if I need to modify something I can. Convenient upgrades like ROMs provide a quick do-it-all upgrade at once without the learning experience (other than learning to install).

No ROM provides you a better blanket than making your own. Compiling from source, modifying to your needs. That is why the Pixel is so special, because it’s built to be fucked with and by you! Unlike Galaxy Phones’ bootloaders/kernels/methods of locking. They’re focused on trying to be Apple competitors and gaining their own ecosystem of Galaxy users. The Pixel is built for you to modify it, and secure it to your liking.

To answer a few more questions heard here.

Our website is private for IP related concerns surrounding enterprise device SKUs with patentable features and will remain private for the time being. The password can be shared on a case-by-case basis for anyone seriously interested in purchasing a device.

This is NOT a “drug dealer phone” and it never will be. If anyone voices intent of illicit activity to us we will be unable to sell you a phone.

That being said, we value consumer privacy and maintain minimal records of each purchase. We do not track the IMEIs of devices sold and for direct purchases (bank wires, ACH) we do not store shipping / billing addresses or any identifying information other than the name of the purchaser and the zip code shipped to (for sales tax). If purchasing online, all information must be preserved by our payment processor to remain PCI compliant and all payments are handled via Shopify Payments. It’s our policy to not reveal customer data under any circumstance unless presented with a court order or subpoena.

If you are interested in seeing design docs or information about the OS on the phone, I would recommend reading the GrapheneOS documentation. We have not modified the OS in any way and are only providing configuration and usability enhancements that do not live in the OS layer of the device itself. For custom work, we will happily provide OS modifications, but that requires an MOQ of at least 1000 devices.

Ultra high security devices are NOT typically highly private. They are centrally managed by the organization(s) they operate in and while they may supply high degrees of privacy and security enhancing features, these features require customized hardware and firmware. These customizations are prohibitively expensive for the average consumer, not to mention the infrastructure required to even operate the majority of these devices.

The MLABS phone intends on making a security and privacy enhanced device readily available to any consumer. The actual impact of the device is still entirely dependent on usage, although we do take a “secure by default” approach meaning that the end user will need to actively turn security policies and device configurations OFF to make any major mistakes, but it’s still possible.

3 Likes

Wow, talk about a non-answer. I’m astonished you think that post answers anything regarding why anyone should believe this is a “secure” phone. Talk about security theater :roll_eyes:

It’s now painfully obvious you believe in “security through obscurity,” and you have no design docs nor do you plan to create them. Nor do you plan to have an independent 3rd party security audit. And, even though the site was open just a few weeks ago, now you’re concerned about IP - give me a break - and then show me any other security hardware or software that forces people to request a password to even read the freaking site (don’t worry, I’ll wait but I won’t hold my breath).

Tell us then, WHY should we trust you and your “secure” phone? What is your background and what training and education do you have that makes you suited to be the “Chief Architect”? Please tell me you have at least some training and education.

Also, don’t give me that shit about “reading the GrapheneOS documentation,” I want to read WHAT YOU’RE DOING TO THE PHONE. :eyes:

Your post screams snake oil and you can’t even answer simple security questions. Also, based on your post, you’re not doing much of anything to the phone, so why is your title “Chief Architect”? No way your company is large enough to need a “Chief Architect,” and based on your claims, it sounds like your title should be “Chief Repackager.”

Best thing for this company is to fire you and hire someone who knows what they’re doing.

NO ONE SHOULD CONSIDER THIS A “SECURE” PHONE OR TRUST THIS COMPANY TO CREATE A “SECURE” PHONE.

@sidco if you remove this post then it’s clear you’re in cahoots with MLabs and you lose all credibility.

2 Likes

We were introduced to this forum for a civil and respectful conversation about our product and any interest in it. If that isn’t possible, we’re happy to sell our product elsewhere. Despite this being a non-target market for us, we’ve been nothing but respectful towards @sidco and everyone on this forum.

If you’d like to have a professional and respectful conversation about our product, we’d be happy to host a call with you and anyone else on this forum to discuss.

We will not respond to any more unprofessional discourse or disparaging and disrespectful comments or demands made towards our business and its employees (myself included).

We’re happy to accept any comments or criticisms, as long as they’re civil.

2 Likes

Thanks, but it’s better to answer questions out in the open so everyone can learn. Right now we have no answers. It’s up to you if you choose to respond. Take care.

1 Like

Dude just schedule a demo or call if you care this much. Could have cleared all this up already with all the time you’ve spent acting like this is a honeytrap and probably would have had a very interesting conversation with another professional in the field.

5 Likes

What is your name? How about your background? Buying a piece of security hardware is not something to be done in the dark. Think about if I had to buy a Cisco switch from a blank-faced guy calling himself “MrCisco”; I doubt anyone would want that.

2 Likes

It looks to me like these guys do the same thing as MLABS. With an open website, third party security audit, lots of details about their product and team, and it seems a lot fewer $ attached to each unit.

4 Likes

Nice find. It’s almost as if they made that site to troll Mlabs wrt doing security right.

@Mlabsindustries you can learn a lot from Nitrokey (and some members on this site, like @Lincoln20XX ):

1. Independent 3rd party security audit (man, does that ring a bell…).

They used Cure53, which is a great company. That’s also who Mullvad VPN used for their infrastructure audit in 2020:

2. Does not rely on “security through obscurity” and is open source.

Which, sadly, and to the great detriment of its user base, is not the case with MLabs:

Alongside the jabs at you / your business, @Ralf is asking some good questions and making some good points. If you’d like to have a civil discussion, you can simply address those points and ignore the jabs. This response reads to me like you’re using the jabs as a vehicle to “reasonably” ignore these questions.

That being said, it’s very possible your phone is in fact secure, but when it comes to security, it’s only as strong as its weakest link. Now keep in mind I have to read most of this thread, but to me your weakest link seems to be a lack of documentation, 3rd party audits, and communication. This all forces the customer to trust you and your company, but security needs to be trustless.

In order for a company, or anybody, to effectively implement OPSEC countermeasures based on a risk assessment, they need an in-depth understanding of the tools they use to execute those countermeasures. Your job should be to make this process of understanding your phone (the tool) as easy and trustless as possible. You are failing at this.

Nobody who knows anything about security will blindly trust an organization’s claims when they directly benefit from making those claims.

3 Likes

You can’t access the site because of IP concerns, but anyone interested in buying it can ask for it and access the site fine while potentially imaging everything. Security expert move right there.

You couldn’t pay me to use this phone. Would get thrown in a river so fast.

The only people who tell you to give it a chance are biased; everyone else will tell you to stay the fuck away.

1 Like

MLABS appears to be the worst thing to ever come to F42k.

Out of all the drama. All the nonsensical arguments. All the accusations. The scams. The cart peddlers. The disty trash.

This is the meta of all dumpster fires.

This MLABS endeavor has become a cesspool that has seeped into a majority of threads… all of which are referencing it as a joke.

I hope discrediting yourself was worth the commission of the sales you got @sidco… if any lol.

I will point out a few concerns I have with Nitrokey, just to show @Mlabsindustries that I am an equal opportunity nitpicker :wink:

1. It’s made in Germany, which is a huge strike against the company IMO.

That’s because Germany has a very poor record with security and anonymity companies going back to the days of Java Anon Proxy (JAP), when the JAP team allowed the German Feds to backdoor the software 20 years ago.

I vividly recall those days (I’m old), using JAP for testing purposes and comparing it to ZKS (Zero Knowledge Systems) and Tor, just before JAP was backdoored. When ZKS was still in business it was (and still is) one of the best pseudonymity systems ever made, second only to Tor. Both ZKS and JAP were popular before and for a few years after the public release of Tor in 2002 (when I started working with and voluntarily programming for Tor). Long before someone created the first version of TorBrowser, we had to use Privoxy and later Polipo as our HTTP > SOCKS 5 proxy (and fingerprinting defense) to route our browsers through the Tor network (oh, the old days of manually editing the .torrc file lol). And just to dispel a common myth, Tor is not spelled “TOR,” and it doesn’t stand for “The Onion Router.”

2. They claim Plausible Deniability (from VeraCrypt, I assume).

That is unfortunate because plausible deniability is pretty well proven to be bunk (it’s hard/impossible to do it right) and won’t help in a criminal case.

3. They seem to suggest they load TrueCrypt (TC) into their hardware.

But maybe they’re just trying to inform those who don’t know that VeraCrypt is essentially TrueCrypt v2.0 after the anonymous TC authors dropped the project and went into hiding. TC was later found to have serious security issues during a 3rd party security audit commissioned by VeraCrypt, when, IIRC, one of the biggest issues found was cryptographically insecure random number generation on Windows systems when users didn’t manually increase randomness during key generation, along with a lack of salting and other critical security flaws.

1 Like

Use italics please. Some people have had hotdogs edited into their posts here before. It was traumatic, and comparing this minor controversy in such a way minimizes their struggles.

5 Likes

I love it when hotdogs are responsible for recording/leaking my personal, private information.

@Mlabsindustries the absolute BEST things you can do right now are to increase your transparency, create design docs (including threat models, etc.), and get independent 3rd party security audits of your hardware and software (and then share the reports after you fix the bugs and flaws they WILL find in your phones).

I like Cure53 for security audits because they are used by the best companies in this space, as well as Assured AB.

For example, Mullvad VPN, which is the only VPN I will use, uses Cure53 and Assured AB for its security audits (as does the Tor Project). Mullvad has worked with the Tor Project for years (e.g., just this month the Tor Project and Mullvad released the Mullvad Browser, which is TorBrowser for VPNs), is a Shallot Tor Member, and is enthusiastically recommended by a few top Tor devs.

Mullvad used Assured AB for the security audit of their account and payment services and their public (free to all), open-source DNS (DoH/DoT) service. Plus, as I noted above, Mullvad used Cure53 for their infrastructure security audit.

(I could go on and on about why Mullvad is so great and so secure, so transparent, how I configure it to use WireGuard for three-hop proxy chains all outside of the Five, Nine, and Fourteen Eyes countries on servers owned by Mullvad running quantum-computing-resistant tunnels, SOCKS 5, DoT, Bridge entry proxy, and so on, but I won’t.)

1 Like

I’m gonna trust my security to this joker. :rofl:

1 Like