i’m guessing Mudita’s support is a bit overloaded at the moment because i haven’t received a reply to questions asked through email … so i thought i’d give it a shot here and see if the community can help
privacy is very important to me and, in that vein, i have questions…
with the hardware power switch on, how well is the modem/baseband OS isolated from user-space (OS and RAM)? is there a properly implimented IOMMU?
what modem are you using?
it’s great that the hardware switch kills networking, but it also disables non-networking functions such as the camera - given that it does this via software, is it possible to not disable the camera when the hardware switch is off?
yep, looks like Mudita is using the MediaTek MT6761 - here’s some of the history of known CVEs (7 this year alone) - all appear to be patched and many appear to require physical access, but the track record for MediaTek looks absolutely awful and there’s a question as to how soon security patches are applied and pushed to vendors and, finally, users
Not just security, quality of IEEE 802.11 pieces implementation is sub-par for both consumer-grade as well as enterprise-grade equipment.
The whole IC industry seems to be skewed with something. IMHO for big players it’s frankly wrong priorities, as (since Ford v Dodge) they are shareholders-first, not quality-first or do-what’s-right-first.
@hiItsMe Hi. Thank you for the feedback. I think you posted a similar post/question in another thread & I took the liberty to answer it there. Let me know if you need any more info.
hi @urszula - thanks for your answers - i’m quoting here from your other post…
i had hoped that Mudita held a stronger position regarding privacy and security given the company is marketing a de-googled device - the decision to use the MediaTek MT6761 modem and apparent lack of modem isolation from user-space in combination with the forced telemetry is off-putting enough that i believe i’ll pass on this phone
“[…] as long as users don’t control what code runs on the baseband, they do not in fact have ownership of the device.”
unfortunately all cellular devices having a baseband/modem are forced to run bug-riddled, insecure, proprietary code and this is why proper isolation of the modem and baseband OS is crucial
i’m aware of the hardware switch - i was referring to a software option to disable telemetry when i mentioned a ‘switch’
regarding Sentry, i understand no PII is collected, however users must be made aware during setup of what data is collected and why and they must have the option to disable collection (most people, including myself, will be happy to send telemetry as long as they know no PII is sent)
not offering the option to disable telemetry in combination with not informing users at setup of Sentry is a decision that could come back to bite Mudita - i’m just telling you this based on what i’ve seen with other companies
@hiItsMe Thank you for the feedback. Good luck in your search. I hope you find what you’re looking for when it comes to privacy & security. Thank you for considering Kompakt.
While your concerns in general are absolutely valid IMHO you completely misunderstood the purpose of this device which is all about digital detox and mindfulness instead of your obvious expectations of a open source and 100% secure device (nothing is 100% secure btw) just because it is de-googled. I, too, wish you good luck in finding what you’re looking for even though I think there is currently nothing available on the market which fulfills your expectations.
My take is that - I rely on Signal when it comes to confidentiality (although the EU plans to mandate some magical pre-sending scanning of messages all across a smartphone lmao), I assume all else can be accessed this way or another (SMS for instance, is practically not encrypted, and I tend to paranoically believe that although Meta claims WhatsApp as having E2EE, it doesn’t have to mean they don’t have access to the messages while they sit on the phone).
So I go Offline+ and face to face for full security, like in the old days where people were unmounting batteries from their cell phones before having serious conversations.
No offense, but I think you should try reconsidering your relationship to your devices, because if it is somewhat paranoid that is not a healthy way nor especially a mindful way like Mudita describes in its manifesto.
Unless you’re working for a secret government department or something else highly confidential (for which in both cases any regular phone would be the wrong choice anyways) then I think it is basically pointless to go that deep down the security/privacy route.
Don’t get me wrong tho since I’m a EU citizen, too, and a IT system administrator. As both I’m very much aware about privacy and security in general whether it concerns business or private matters. For both the current marketleaders are a bad choice unless you heavily modify the device (which works much better with an Android device btw). I think for this matter there is no better choice than a de-googled device like the Mudita Kompakt, a Pixel with GrapheneOS or a Fairphone with /e/OS for instance.
In any case those privacy concerns shouldn’t dictate your thinking or how secure you feel in general. Take care and try not to jump to deep into this rabbit hole.
I’m a rabbit hole digger on a daily basis so I can’t help myself. ;p Not a VIP but same as with plastics around food and clothing fabrics, I’m just trying to improve as much as I can without making more important things suffer. Just for the hell of it, because I believe this is the right thing to do.
Agreed, MK, Pixel+GrapheneOS or Fairphone is fair enough. Librem might be too much.
Yet still, I’m not going to call an outdated Android a dealbreaker because in my risk assessment it’s not much compared to what the EU wants to impose, and to me governments are now a more serious threat since most of digital crime targeted at individuals is based on phishing. Not much trojans or viruses, and random people with just a couple photos are not a worthy prize to spend effort on APT.
EU aims and EU/Polish penal law changes from time to time make me disregard a popular rule “if you don’t do anything bad, you shouldn’t worry about surveillance” because one day what I do or say might become illegal. I could spit many fun facts about things that used to be normal or at least legal a decade ago and now are not (first example, selling your own plant seeds is illegal in Poland without some license - people overcome this by selling offline or as collectibles, but still).
That all being said, I’m fine with MK, plus Signal for more edgy conversations, plus remembering about face to face as the ultimate digital privacy option (as in the joke, the most secure computer is the one that’s offline and powered down).
And I’m getting another one for my wife next month because I see constant social media, FOMO and Pavlovian response to dozens of pings a day a bigger threat to mind, body and soul that impacts whole family in a much worse way long term than a considerable data leak (in my own use case scenario).