Been banned for AI-Slop on a few subs here on Lemmy as well as on Reddit.
I always provide a good amount of technical detail in my posts and i try to be as transparant and communicative about the details. My projects are very complicated and I try to document them well.
my project is pretty cryptography-heavy... the act of me sharing my efforts in an attempt to show transparency... but it is used against my project by calling it AI-slop (undermining Kerkhoff's principles).
It's 2026 and most developers are using AI. I have used it to create things like formal proof and verification.
my project is aimed to be a secure messaging app. i have all the bells-and-whistles there along with documentation.... but if the conversation cant move past "its AI-generated"... then it seems the cryptography/cybersecurity/privacy community isnt aligned with the fact that using AI is now common practice for developers of all levels.
AI is a tool. you cant (and shouldnt) "trust" AI to do anything without oversight. AI does not replace the due-diligence that has always been needed. i dont "trust" my hammer to bash in a nail... i "use" the hammer. AI is not different in how you need to be responsible for how its used.
i've busted my ass on my project for it to be called AI slop. i think its completely fine when it comes from folks in the community. cryptography is a serious subject and my ideas and implementation SHOULD/MUST be scrutinised... but its simply ignorant if mods are banning me for the quality of my work considering the the level of transparency and my engagement on discussions about it.
It's a bit reductive to call it slop. I think i try harder than most in providing links, code and documentation. Of course I used AI... and it's clearer for it. (you can find more detail on my profile)
i am of course sour from being banned, but am i wrong to think my code isnt AI slop? Some parts of my project are clearly lazy-ui... but im not sharing on some UI/UX/design sub. the cryptography module has unit tests and formal verification. if that is AI-slop and can result in me being banned, i simply dont have faith in that community to be objective on the reality of where AI can contribute.
while its understandable people dont want to review AI-slop... i think the cryptography/cybersecurity community needs to get on board with the idea of using AI to help in reviewing such code. am i wrong? is the future of cryptography is still people performing manual review of the breathtaking volumes of AI code?
https://github.com/positive-intentions/signal-protocol
https://positive-intentions.com/docs/technical/signal-protocol-formal-verification
There are still bugs there I'm actively working on it you look at the pull-requests where I'm trying to setup verification on the ci.
Uh, sorry your code is a bit difficult to read. There seems to be one implementation in the 'src' directory, which is referenced in your ProVerif pi code. But then there's another one(?) in the 'signal-protocol-core' directory which seems to be the one that's actually built?
And how did you arrive at those proverif files? Do they come from your Rust code? How? And how do you make sure they relate to your code? I mean for all I know they could contain some correct design, while your code does something else... I'm not really an expert at this, but they seem (to me) just to appear in some commit but I don't really get how it relates to the Rust code. Or how it came to be.
And then it's a bit difficult to tell for me whether your Chat uses the cryptography code from the 'cryptography' repository. Or the one from the 'signal-protocol' repository. It seems to load both?! But your own AI security audit flagged a lot of issues with your 'cryptography' repository. I can't tell if that's still up-to-date information but there was some report with mostly exclamation marks and red crosses in it. And a recommendation not to do it this way.
While at it, I had a look at the browser's developer console, and you have a lot of JavaScript warnings and errors there. Which I guess isn't good?! And another sidenote: If I were you and developing a secure and private messenger, I'd skip all the requests to Google fonts, AWS, JSdelivr, third party JS CDN, analytics... It directly connects to Youtube and another analytics service which gets broad permissions. The infrastructure isn't entirely controlled by you, for example the signalling server is the default free one. All of that isn't great for privacy. Plus your content security policy has way too many asterisks in it with external domains and domains you control but there's debugging stuff on there. And I don't think you even put further restrictions on what JavaScript can be loaded or injected, other than the CSP?!
And the hax just traslates code and is supposed to do a bit of type-checking and see if your code generates things with the correct length. It doesn't currently do any theorems or verification regarding cryptography, does it? I'm not sure where to look.
Sorry I'm not exactly a security researcher... Maybe my layman's audit is shit... But I think there's quite some stuff going on which pretty much renders any verification of a component irrelevant. I could be wrong though. But I'd still be interested to hear how the code relates to the ProVerif files, and what kind of assurance there is, they're the same.
@xoron@programming.dev Does the currently deployed version on chat.positive-intentions.com work? I tried to connect and try some more. But somehow it doesn't ever connect. I'm following the procedure in the Youtube video. It reloads something on the page intermittently but never connects to the other browser.
And already after opening the page, it says: "My peer ID is: xy"
But then immediately "peer disconnected" and "peer closed: undefined". Even before I do anything. Is it supposed to say that?
I tried several combinations of Chromium 147 and LibreWolf 150. And whatever Vanadium is on my phone. I tried phone-computer and two different browsers on the same computer. Is that an issue? Other PeerJS applications work just fine.
And does the QR scanner work? It opens the camera and scans the QR code just fine, but then reloads and doesn't put any ID into the field?! So I guess that's broken and I need to copy-paste it?
Edit: Your file demo seems to work better. It at least gets to the point where it tries to open a connection. For some reason it also fails (ICE failed, your TURN server appears to be broken, see about:webrtc for more details). But at least that demo gets far enough to listen to connections and try to initialize them.
https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story
That's the most stable version of the project. It's still a work in progress and can't promise stability.
For the best experience trying from 2 fresh incognito instances or clear site-date befor testing it out.