Criticism re: Non-hardening of Brax operating system and no independent audits of security

I’m just wondering what those on the forum here - and in particular - Rob Braxman - think about the criticism that is being leveled against him and the Brax3 device and its operating system that he won’t allow an independent audit of its security, and that GrapheneOS on a de-Googled pixel phone is a better alternative to the Brax3 because they DO allow these things. I’m somewhat skeptical of the criticism because it is not specific, but I would like Rob to respond to it - just to set the record straight.

1 Like

Anyone can buy the phone and download the source code and audit as much as he wants.

2 Likes

Welcome to the forum.

Let me clear out some misconceptions:

  • Security audit - as a company that is involved in the design and production of the hardware, we are responsible for ensuring a security audit. After all, we’re not taking a phone from Best Buy, full of proprietary source we have no visibility over, and flashing a custom ROM. Projects that do custom ROM flashing on a device built by the most privacy-intruding company heavily rely on independent audits, as you can imagine. Nevertheless, we’ve opened the source code, so anyone is able to audit the product, as they are with other open-source products.

  • Hardening of software - our mission is often misunderstood. We are designing, manufacturing, and delivering devices that work well without intrusive big tech, providing privacy and ownership for the user. Our mission is not to harden big tech products so that law enforcement has a harder time cracking them. There are projects that specialize in that, and are doing it correctly with a proven track record and adoption in sensitive industries (military, government, etc.) with solutions including custom hardware, OS, MDM, communication suite, etc. The BraX3 is not a project like that. There is still an element of hardening, from the fact that a lot of bloat and big tech proprietary software is removed, thus the hardening.

The criticism always comes from the same source - always. The same source that claimed the phone is insecure 9 months before it got launched (and yet to hear of any security issues with the product 8 months from delivery). That obviously didn’t work out well for them - BraX3 became the most successful crowdfunding project in history.

Not sure what the obsession with our project is. Not sure if they are fans that cannot express themselves, or if they are jealous they can’t design their own hardware and have to use Google instead (and no, it’s not poetic that you use Google hardware to deGoogle. That’s like replacing your patty from McDonald’s with an organic one, and thinking you’re sticking it to them).

We’re still waiting on the criticism of the new project open_slate, which is outdoing the Pixel tablet in almost any aspect you can think of, especially security features. Waiting to hear how it’s insecure, the battery doesn’t last long and it blows up if exposed to full moon light.

p.s.

What does it say to you when party A (the critic) is blocking party B (the target of the criticism) from responding?

7 Likes

Just the usual mumbo-jumbo ‘new speak’ from a certain problematic individual.

1 Like

Anyone can buy a Brax3 but can’t audit it because Rob doesn’t allow it.

Conversely, anyone can buy a Pixel and audit it because Graphene allows it.

What exactly does it mean to “audit” a phone? And why would Rob have to allow it? I would think if you own the phone, you can do whatever you want with it. Tear it apart and analyze the circuits, etc. What am I missing?

1 Like

Hi Plamen. Another member here says that Rob won’t allow the Brax3 to be audited, while Graphene allows it. What exactly does this mean, and what significance does it have?

I mean, you opened a question by sharing criticism that we won’t allow people to audit our phone, and then followed up with a question about what it means to audit a phone.

Let me share who and what can or cannot be audited:

  • Open-sourced software: including iodeOS, Ubuntu Touch (both running on BraX3), GrapheneOS and other open-sourced custom ROMs - everybody can audit. Nobody can restrict people from auditing open-sourced software. So the OS running on BraX3 is as auditable as GrapheneOS.

  • Closed-sourced code (drivers, firmware, etc.): this is only audited by contractors and/or customers approved by the owner of the intellectual property. This is valid for BraX3 (where MediaTek owns the IP for most closed-sourced code), Pixel devices (where Google owns the IP for most closed-sourced code), and so on.
    While we were given access to that source code (as we requested for auditing purposes, to ensure there is no malicious code installed), we cannot share this source code, as it is closed-sourced by license. Basically, you are trusting our word (after we have inspected the code ourselves) that there is no malicious code in the closed-sourced parts. With Pixel devices, you are trusting Google’s word that there is no malicious code in the closed-sourced parts, since no one other than them gets to access it. Some people are comfortable promoting Pixel devices as privacy-respecting without having access to the closed-source code, and without sharing a clear disclaimer that they actually cannot guarantee it. For me, that is misleading. Form your own opinion and conclusion.

So basically, there is only one part that is auditable by the public - the open-sourced part. Not everything is open-sourced. In fact, a lot of critical parts that manage connectivity, location, encryption, etc. are closed-sourced.

We as a company are actively pushing for opening more source code to the public. There is a lot of pushback from the industry, as vendors are protecting their intellectual property to keep their advantage over competitors, or simply deciding not to disclose for other, maybe malicious, reasons.
We’re hoping that we can get more source code shared with the public. For now, we cannot share more because we simply can’t, for the reasons I explained earlier. Google doesn’t share more because they simply don’t want to.

4 Likes

Thank you, Plamen - that clarifies the issue for me. Just to be clear - I am not a techie and don’t understand all the details of hardware and firmware, etc. I also mentioned in my original question that I am very skeptical of the criticism I have read regarding Rob and the Brax3. Seems to me to be a lot of unsupported trash-talking without any evidence. Thank you again for clarifying.

2 Likes

This is the crux of the issue, and for me the hypocrisy (repeatedly bad-mouthing someone, often inaccurately, for the very same thing you are guilty of). There are different ways to approach this and mitigate it, and being open about it and endeavouring to open-source more is definitely the better way than how it’s handled differently elsewhere…

2 Likes