Been banned for AI-Slop on a few subs here on Lemmy as well as on Reddit.

I always provide a good amount of technical detail in my posts and i try to be as transparent and communicative about the details. My projects are very complicated and I try to document them well.

my project is pretty cryptography-heavy… the act of me sharing my efforts in an attempt to show transparency… but it is used against my project by calling it AI-slop (undermining Kerckhoffs' principles).

It’s 2026 and most developers are using AI. I have used it to create things like formal proof and verification.

my project is aimed to be a secure messaging app. i have all the bells-and-whistles there along with documentation… but if the conversation can't move past “it's AI-generated”… then it seems the cryptography/cybersecurity/privacy community isn't aligned with the fact that using AI is now common practice for developers of all levels.

AI is a tool. you can't (and shouldn't) “trust” AI to do anything without oversight. AI does not replace the due-diligence that has always been needed. i don't “trust” my hammer to bash in a nail… i “use” the hammer. AI is not different in how you need to be responsible for how it's used.

i’ve busted my ass on my project for it to be called AI slop. i think it's completely fine when it comes from folks in the community. cryptography is a serious subject and my ideas and implementation SHOULD/MUST be scrutinised… but it's simply ignorant if mods are banning me for the quality of my work considering the level of transparency and my engagement on discussions about it.

It’s a bit reductive to call it slop. I think i try harder than most in providing links, code and documentation. Of course I used AI… and it’s clearer for it. (you can find more detail on my profile)

i am of course sour from being banned, but am i wrong to think my code isn't AI slop? Some parts of my project are clearly lazy-ui… but i'm not sharing on some UI/UX/design sub. the cryptography module has unit tests and formal verification. if that is AI-slop and can result in me being banned, i simply don't have faith in that community to be objective on the reality of where AI can contribute.

while it's understandable people don't want to review AI-slop… i think the cryptography/cybersecurity community needs to get on board with the idea of using AI to help in reviewing such code. am i wrong? is the future of cryptography still people performing manual review of the breathtaking volumes of AI code?

  • hendrik@palaver.p3x.de · 7 upvotes · edited · 7 days ago

    Uh, sorry your code is a bit difficult to read. There seems to be one implementation in the ‘src’ directory, which is referenced in your ProVerif pi code. But then there’s another one(?) in the ‘signal-protocol-core’ directory which seems to be the one that’s actually built?

    And how did you arrive at those proverif files? Do they come from your Rust code? How? And how do you make sure they relate to your code? I mean for all I know they could contain some correct design, while your code does something else… I’m not really an expert at this, but they seem (to me) just to appear in some commit but I don’t really get how it relates to the Rust code. Or how it came to be.

    And then it’s a bit difficult to tell for me whether your Chat uses the cryptography code from the ‘cryptography’ repository. Or the one from the ‘signal-protocol’ repository. It seems to load both?! But your own AI security audit flagged a lot of issues with your ‘cryptography’ repository. I can’t tell if that’s still up-to-date information but there was some report with mostly exclamation marks and red crosses in it. And a recommendation not to do it this way.

    While at it, I had a look at the browser’s developer console, and you have a lot of JavaScript warnings and errors there. Which I guess isn’t good?! And another sidenote: If I were you and developing a secure and private messenger, I’d skip all the requests to Google fonts, AWS, JSdelivr, third party JS CDN, analytics… It directly connects to Youtube and another analytics service which gets broad permissions. The infrastructure isn’t entirely controlled by you, for example the signalling server is the default free one. All of that isn’t great for privacy. Plus your content security policy has way too many asterisks in it with external domains and domains you control but there’s debugging stuff on there. And I don’t think you even put further restrictions on what JavaScript can be loaded or injected, other than the CSP?!

    And the hax just translates code and is supposed to do a bit of type-checking and see if your code generates things with the correct length. It doesn’t currently do any theorems or verification regarding cryptography, does it? I’m not sure where to look.

    Sorry I’m not exactly a security researcher… Maybe my layman’s audit is shit… But I think there’s quite some stuff going on which pretty much renders any verification of a component irrelevant. I could be wrong though. But I’d still be interested to hear how the code relates to the ProVerif files, and what kind of assurance there is that they’re the same.

    • xoron@programming.dev (OP) · 2 upvotes · 2 days ago

      hi. thanks for taking a look. sorry for the delay in responding, i wanted the heat on this post to settle down a bit.

      i originally started with src, but then when it came to formal verification and proofs, i came to the conclusion that you can't simply point it to a single folder, as various functions are better separated to make it easier to document.

      unlike the formal verification with tools like hax, formal proofs are loosely related to the code. there isn't a direct relation to the proverif files and the code itself. if i change the code, i should also adjust the proverif. i documented it on the website to help me keep track of the functionality.

      https://positive-intentions.com/docs/technical/signal-protocol-formal-verification/proverif https://www.reddit.com/r/cryptography/comments/1evdby4/comment/liwyn3o/

      regarding how the cryptography is loaded, i'm using module federation. the signal protocol is imported into the cryptography module (so the app doesn't need to load the signal protocol project explicitly). that cryptography module is itself loaded into the p2p-framework repository so that i can automate the handling of p2p authentication.

      that AI audit, as critical as it is of my implementation, is the best source of truth for my project. there is simply not going to be a third-party audit and so it is intended to be objective, but i think i signpost enough that it's AI-generated. i need to clean up the exclamation marks and emojis, but the information there should all be correct.

      there are indeed a lot of debug messages logged. it's worth repeating the project is still a work in progress and far from finished; i'm sharing it now at this point because it seems like a reasonable state. i understand people can have high expectations around perfection… this is not that kind of project. perfection would be a waste of my time at this stage in the project.

      the CSP headers there are all deliberate to support things like gifs and simpleanalytics. they could do with a bit of a clean up and taking ownership of things like fonts… it's been on the todo-list for a while but i didn't prioritise it. thanks for raising it… i’ll see about cleaning it up.

      the hax extraction is doing the abstraction to axioms and you're right that the axioms aren't proven… this is something i'm actively investigating.

      thanks for your time and attention on the project. sorry if i've misled you to believe the project is more mature than it is… it is however a genuine attempt to create something safe and secure.

      • hendrik@palaver.p3x.de · 1 upvote · edited · 19 hours ago

        Thanks. Sadly I can’t even get the latest version to work. It does find the other peer and loads the chat interface, but doesn’t open a data channel, so it’ll say “not connected” and do an error popup every time I try to send a message. And I’ve spent enough time debugging it for now.

        Just some general words of my wisdom: I think software projects are first and foremost about focus. I don’t really know what you’re trying to do here. If that’s writing a cryptography library, I think focus is about right. You first need to lay down the design properly. Make sure you factor in advanced tech like formal proofs from the start. After that you need to write the actual code. And then also make sure it aligns with your testing. I mean it’s fairly common to make mistakes while writing computer code, or have bugs… And any of those could render your more formal methods useless. For example like that one time when some Debian package always sent the same random number as a seed… That meant the algorithms were 100% correct. Just used in a wrong way so most of the encryption was futile. Things like that require an equal amount of focus. If not more, since we already know how Double ratchet works, the important part is to implement it correctly and use it correctly. That deserves a massive amount of focus (and effort). It’s also the major part of a security audit of a software project as a whole.

        We also have things like side-channel attacks, which aren’t covered. But I think that’s a minor thing with what we’re looking at.

        And if you’re trying to develop a chat app, your focus probably needs to be somewhere aimed to make it work, first. Make it connect reliably and across a multitude of devices. Cryptography is pretty much dispensable at that step. Then focus on the UX. Make sure it’s not vulnerable to just bypass any subsequent encryption because for example you don’t have script nonces and everyone in the chat can inject JavaScript and just bypass your entire encryption.
        Think about metadata and if your software product wants to address that. You could be doing encrypted messages but all kinds of third parties know who is talking to whom… Make sure you do what your users expect!

        And I think that’s also the reason for some of the downvotes here. You have a narrow focus on the formal proof of your encryption algorithm. While your audience probably expects a working Chat app. For all they care it could be entirely unencrypted in the alpha version, and encryption comes in a later version. We as users need something that works in the first place. We want to know what happens to our metadata. If there’s security vulnerabilities in the software. And once all of that is in place, then we start to worry about the specifics of the end-to-end-encryption.

        Probably also related to the AI-slop argument. I don’t really know what shaped your focus. But it must look to your audience like you’re deep in some singular rabbit hole, because you write about formal proofs a lot. But then there’s this huge disparity with what your audience assumes you’re doing, or what you have to show off. Just my opinion. But it’s kinda like that for me. You write about how great AI assisted coding is, and where it led you. But then I try to use your software. And it doesn’t even connect. And that really shapes my first impression of it all, in a very negative way. I mean… If we hadn’t talked, I would have just assumed your cryptography is on the same level as your code to do the peer connections. And that wasn’t a good first impression.
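A check for the two CSP points raised in these replies (the wildcard hosts in the earlier comment and the missing script nonces above), as an added example that is not code from the thread or from the project being discussed: a small audit that parses a Content-Security-Policy header and reports wildcard sources, 'unsafe-inline' scripts with no nonce or hash, and a policy that relies only on a host allow-list. The two policies at the bottom are constructed samples, not the project's real headers.

```javascript
// Parse a CSP header into a directive -> sources map. As in browsers, the
// first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return human-readable findings for the weaknesses discussed in the thread.
// Quoted tokens ('self', 'nonce-...') are keywords; unquoted ones are hosts.
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const scriptSrc = d.get("script-src") ?? d.get("default-src");
  if (!scriptSrc) {
    findings.push("no script-src or default-src: any script may load");
    return findings;
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  for (const [name, sources] of d) {
    if (!["script-src", "default-src", "connect-src"].includes(name)) continue;
    for (const s of sources) {
      if (!s.startsWith("'") && s.includes("*")) {
        findings.push(`${name}: wildcard source ${s}`);
      }
    }
  }
  // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src: 'unsafe-inline' without a nonce or hash lets injected inline scripts run");
  }
  if (!hasNonceOrHash) {
    findings.push("script-src: no nonce or hash, so script loading is controlled only by the host allow-list");
  }
  return findings;
}

// Constructed sample policies (hypothetical, not the project's headers).
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example https://*; connect-src *";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self' wss://signalling.example; object-src 'none'";
```

Running `auditCsp(WEAK_CSP)` yields five findings, while `auditCsp(STRICT_CSP)` yields none; the nonce value must be freshly generated per response for the strict policy to mean anything.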

    • hendrik@palaver.p3x.de · 3 upvotes · edited · 7 days ago

      @[email protected] Does the currently deployed version on chat.positive-intentions.com work? I tried to connect and try some more. But somehow it doesn’t ever connect. I’m following the procedure in the Youtube video. It reloads something on the page intermittently but never connects to the other browser.

      And already after opening the page, it says: “My peer ID is: xy”
      But then immediately “peer disconnected” and “peer closed: undefined”. Even before I do anything. Is it supposed to say that?

      I tried several combinations of Chromium 147 and LibreWolf 150. And whatever Vanadium is on my phone. I tried phone-computer and two different browsers on the same computer. Is that an issue? Other PeerJS applications work just fine.

      And does the QR scanner work? It opens the camera and scans the QR code just fine, but then reloads and doesn’t put any ID into the field?! So I guess that’s broken and I need to copy-paste it?

      Edit: Your file demo seems to work better. It at least gets to the point where it tries to open a connection. For some reason it also fails (ICE failed, your TURN server appears to be broken, see about:webrtc for more details). But at least that demo gets far enough to listen to connections and try to initialize them.