xoron

@ xoron @programming.dev

Posts

89
Comments

138
Joined

2 yr. ago

4w ago

We can't just call AI-generated code slop anymore
Jump
7

xoron @programming.dev 4w ago

perfect. you get it. you understand that generating an AI audit is wild!
https://www.reddit.com/r/CyberSecurityAdvice/comments/1su8lir/security_audit_feedback_from_radically_open
the AI audit comes after a long time of to-and-fro from the various communities that asked for an audit... of course they asked for a professional one... but those that ask, must know that they are all prohibitively expensive. especially for a solo vibecoding dev like myself.
i also understand that people would prefer a project with a team of experts... sorry to break it to you, a team of experts are not going to hire themselves on an unfunded project like this.
while the security audit, unit test, formal proofs and verification are not good enough when its done with AI, my hope was that it could serve as a starting point for anyone like ROS to perform an actual review. i cant offer more transparancy that open source, documented and discussions.

4w ago

We can't just call AI-generated code slop anymore

to call it slop just undermines the time and effort i put into the project. its not just code, i put efforts towards testing and documentation. but sure... if you want to believe you're poking holes on big-tech's practices here.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

in the recent post that got me banned it was a copy of this post here:

https://www.reddit.com/r/cybersecurityai/comments/1sxvrmu/browserbased_file_encryption_no_install_or/

i make a point in all my posts to be clear with the caveats. im not promoting this to replace anything. details to find out more is there along with advice to not use it for sensitive data.

for me messaging app, the caveats are similarly mentioned: https://positive-intentions.com/docs/technical/p2p-messaging-technical-breakdown

my projects are reasearch and development projects which i make sure to make clear when i post about them. im fairly consistent with advice around cautious use... knowing full well that it will deter people. im proactively seeking critisism in order to improve it.

It produces such vast quantities of code (and often unnecessarily) that it becomes infeasible for a human to review it, immediately requiring us to place trust in the machine to both generate it and review it, and to continue maintaining it while the human operator probably does not even have full understanding of what’s changing.

bingo!... youre framing as a negative understandable, but unless im mistaken, that the way its going to have to go. software development broadly speaking (for better or worse) is going to be AI generated. the tooling and methodologies have to keep up.

horrible impacts it has on our world

thats pretty vague, im sure it does some good too. AI is a tool. its easy to talk about how AI is impacting people badly. personally ive been unemployed for the past few months. its a horrible experience to go through countless interview thinking i aced it, but still come up with a rejection because the field has become so competative. but i dont blame AI on that. its a tool that i need to be learn how to use. perhaps others use it better than me.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

i used opencode (various models), cursor (claude, composer)

how these models are trained is arguably not ethical. the disregard of licences of code is not something i can influence.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

completely understandable and so the proactive attempt to get a professional security audit so i can avoid asking to "trust me".

its completely understandable that you want to use something established. i cant offer more than open source and transparency in the implementation. if "trust" is behind the "paywall" of a security audit, its simply not an option without support.

i used AI to generate an audit. it took several days of my time and effort to get it to where it is. i made a genuine attempt to be objective.

in SWE we already have things in place for this like unit tests. if we dive further into cryptography we have things like formal proofs and verification.

formal verification has tooling to help make sure things work and behave how it should. (without AI) it can take a look at the code and create abstractions that can be used for verification. if we question if AI can be used with such tooling, we start discussing if the tooling we use is good enough (its pretty widely used!).

if the conversation cant move past that i used AI, then we're not really having a discussion.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

AI involvement = slop

thats the part that seems disconnected from reality. im sure there are still people cranking out code manually, but lets be real; it isnt normal anymore.

in cybersec, there is scrutiny than most against the use of AI... i simply cant believe that the folks at Whatsapp, Signal or simpleX are not using AI in their daily workflow.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

https://github.com/positive-intentions/signal-protocol

that there is just the tip-of-the-iceberg in how im dealing with the cryptography.

https://www.reddit.com/r/CyberSecurityAdvice/comments/1su8lir/security_audit_feedback_from_radically_open

i cant get a proper audit, so i use these communities to share my ideas to determine any details im overlooking.

4w ago

We can't just call AI-generated code slop anymore

Jump

xoron @programming.dev 4w ago

AI-slop is easy to generate, but there needs to be a recognition that at some point ai-generated code is no longer slop. the failure to recognise that is the issue that seems to have got me banned.

2mo ago

What are my options for a securit audit for my FOSS project?

Jump

xoron @programming.dev 2mo ago

thanks for the tip. it seems nlnet seem to use radically open security. so i pinged them an email.

3mo ago

Signal Protocol for a Web-Based Messenger

Jump

xoron @programming.dev 3mo ago

I'm upfront about it. I'm sure you can imagine how ai can help in software development. I can't be more transparent than it being open source.

3mo ago

Signal Protocol for a P2P PWA

Jump

xoron @programming.dev 3mo ago

That's why it's kinda the first thing I mention on the post. How do you think I could make this more clear? It's also on the readme and terms and conditions in the app.

In my open source version, it's at the top of every page. It isn't a good look and I don't want to slap people on the face with words of caution.

3mo ago

Signal Protocol for a P2P PWA

Jump

xoron @programming.dev 3mo ago

Thanks for taking an interest.

I think the most stable version on my app is here: https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story

I would suggest clearing all site-data before creating a new connection. I hope the UI is intuitive for which link needs to be copied and where it should be pasted on the peer side.

(If that doesn't work, try locally with different browsers or incognito)

Can you tell me the features you are interested in? They are all "coming soon" and a matter of more time and effort. I could spend all my time on a nice UI, but that takes away from working on the cryptography and documentation. It's important to be clear that it's testable, but far from finished.

3mo ago

Signal Protocol for a P2P PWA

Jump

xoron @programming.dev 3mo ago

i hope the latter. its provided as a testable demo. it isnt finished, but i see its working as i expect. i post about it to encourage feedback.

if you're interested, theres technical documentation here: https://positive-intentions.com/docs/technical . feel free to reach out for clarity on any details.

its provided as a demo and i try to be clear about it NOT being ready for your trust (there could be breaking changes, bugs)... but i hope its clear that gaining user trust is the general aim when i share open-source code and documentation.

having prefessionals review would be great... i think im being realistic that it isnt going to be an option anytime soon.

3mo ago

Signal Protocol for a P2P PWA

Jump

xoron @programming.dev 3mo ago

i have applied to some grants (some specific for security sudits for open source projects). so far, all rejections.

if youre asking for one, you must know a professional security audit is pretty expensive. best i can offer is open source transparency.

its important maintain the wording around "work-in-progress" because there may be breaking changes. ultimately, making it so its far from ready for an audit.

3mo ago

Signal Protocol in Rust for Frontend Javascript

Jump

xoron @programming.dev 3mo ago

i think use it an appropriate amount. im not sure how to quantify that. i use different AI models on different tasks in the code as well as the documentation.

its worth repeating its far from finished and i hope with feedback i can make it better. i have put efforts towards directing it towards unit-tests, an audit and formal-proofs. none of that is good-enough, but i hope it can act as a starting point for verifying the implementation is correct.

i get the whole semantic versioning rhetoric and branching strategies, etc. this project is a while from being promoted as "perfect". this is still a work-in-progress.

im sure people have better things to do with their time than review unstable and unfinished code. as a solo dev on this, there isnt anyone reviewing my code. if i dont share it like this, no one with come across it. i hope you can understand i get pushback when i promote my messaging app is "secure", so this transparency is nessesary.

3mo ago

Signal Protocol in Javascript for Browsers

Jump

xoron @programming.dev 3mo ago

im not sure how easy it is to get LLM's to output near-verbatim. different models have understandably different results. i dont know if youre asking me to justify using AI?

considering how well documented and discussed the signal protocol might be, its understandable that the LLM would have a decent grasp of the concept from the onset and may well be able to get near-verbatim results. i dont want "using AI" to be used to undermine my efforts. what you see is the result of the typical software development process when i planned and iterated for improvements. im sure you can imagine how AI can help in the process.

im not an expert on licences. i chose that licence after a fairly brief consideration... you're the first to give any pushback on it. we can discuss further if you can share any insights on licences. i created the project. its not cloned and refactored from some other existing implementation. i cant be more transparent than it being on github with a commit history.

we then start leaning towards the questions of: if anyone authors any code they produce with AI?

3mo ago

Signal Protocol in Javascript for Browsers

Jump

xoron @programming.dev 3mo ago

my bad. i wrote the post, but im no shakespeare. the confusing messaging was meant to convey along the lines that im aware that people have better things to do than review my project, id like to put it out there if youre interested.

im mainly working on a messaging app as linked. several secure messaging apps exist and like anyone else working on a messaging app, i want mine to be secure. in the cybersec community there is emphesis on open source. the project is linked in the post to share (because otherwise people arent going to come across it).

ive done a good amount of testing and reviewing myself, but im sure i can spend more time. i try to make it clear in this post and the readme that its still a work in progress.

3mo ago

WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

Jump

xoron @programming.dev 3mo ago

i agree. those (and many more) are better choices for a number of reasons. i work on this because its interesting. its open source for transparency.

4mo ago

WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

Jump

xoron @programming.dev 4mo ago

What’s your motivation? Why are you doing this? Do you hope to make money out of it, or do you have more altruistic intentions?

i mentioned it in the post. 'Im aiming to create the “theoretically” most secure messaging app'... that is the goal. im not aiming for "more secure that whatsapp/signal"... but something fundamentally different in how it works. while things like webrtc and interest decentralized technology has been around for a long time, there wasnt something as general-purpose like what im aiming for.

it started as a sideproject and i kept building on it. i hope to make money out of it and have something that can support me (because ya know... bills to pay). i started off open source; naively thinking i would get open-source funding support if i demonstrated the concept to develop it further. i did several exhausting rounds of grant applications. it was an horrible experience on something outside my competence and towards the end i was dreading applying for grants knowing that they were going to reject my project. i also set up github sponsors, but nobody has donated... completely understandable for something that looks like a weekend project, but its clear that it isnt going to pay any bills.

Anyone you convince to use this will have their data and privacy at risk

you are fear-mongering again... its important for anyone reading this, the app works differently with user data. its all client-side. you dont need to add any personal info for it to work. ive linked how the data can be encrypted at rest. there are irresponsible ways to use any app, your data is not inherently at risk because of this implementation. if you are going to make such claims, you should make it against the code examples i've provided... or at least an example of what could go wrong.

i work hard on this project, so of course i promote the project on reddit and the fediverse, but you failed to mention that i also advise caution in all of my posts (including this). i hope its clear that such wording like "work-in-progress" works against marketing/promoting... i include it because its responsible to do on a project like this at its current stage.

acting as a middle man to ChatGPT

its 2026 and AI is very prominent. people are indeed vibcoding some serious stuff. there is clearly a new wave of "developers" that dont have a concept of unit-testing, let alone the appriciation for them. ive been a developer for 10+ years and know how to do this "old-school", but using AI is clearly a huge enhacement so it understandably looks very vibecoded. its important to study, test and review what is produced. when people get hung up on "OmG YoU'rE UsInG AI", that seems to be an indicator for me that im not really having a real discussion. especially when i have code examples and unit tests... that doesnt mean my approach is without issues, but the code is right there. your concerns are well placed so i have some questions for you.

why arent you using an AI to review what ive created?
what academic/professional hoops do i need to jump through for credability?
perhaps you can identify something i overlooked?

while you have no obligation to do anything for me, my point is that the code has been openly discussed for a while and other people have reached out about issues and i addressed them to get the project to where it is now. i have a lot more to do on the project before i can remove wording like "work-in-progress" in my communication about the project. the project is working as expected and i expect it will continue to improve.

4mo ago

WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

Jump

xoron @programming.dev 4mo ago

it seems clear that i dont have enough on the project to convince/inspire confidence in you, which is understandable and respectable. i dont want you to "trust me bro"... its why i keep the open-source versions separate, its useful to be able to point to open source examples when discussing details online as i refine the implementation. you should use what you are comfortable with and you clearly know your way around cybersecurity, so i expect your judgement in how you securely communicate is better than most.

So is it about convenience, or security?

it isnt about convenience or security. while security is clearly important, the "convienience" is important for helping users to get started. from experience, pointing to a github repo is simply not enough. it has to be easy for users to get started. convinience and security both need a great deal of attention. the quality of either is dependent how much time i put into them.

expect users to audit...

i dont expect users to audit the code. at this stage in the project when im still putting it together, i can confirm this code isnt good enough to audit... third-party audits are important to have, but they are prohibitively expensive so dont expect one any time soon.

There’s nothing the browser can do to protect its data if the OS falls into the hands of an attacker

thats just wrong. its possible to combine the filesystem api and the crypto api. a previous post on the matter: https://programming.dev/post/33435342 ... in this app i have a working version of passkey-encryption-at-rest. so a user has to register a passkey on their device and all the data is then encrypted at rest in indexedDB... users didnt like that every time they reload the page, the webapp was asking for a fingerprint to unlock... so that feature is disabled for now untill i make it so it can be disabled if the user wants. there is much more to think about there and that could be a whole separate discussion as we consider things like devices supporting passkeys PRF and how "recovery" could work.

censor your app

the frontend (this project), the backend (peerjs-server) and stun/turn servers can be selfhosted. but that moves away from what i can offer. id also like to investigate options for onion-style routing which the stray further from "minimal infrastructure" of p2p commmunication. https://programming.dev/post/41521230

low latency/high bandwidth the protocol was designed for

ive been working on this project for a while. it started off as a p2p messaging framework. i created a simple video calling app and the functionality naturally started leaning towards file transfer and messaging. the logical progression of the framework was to wrap it in a messaging app where you would want low latency/high bandwidth video calls and file transfer. these functionalities are in contrast to tasks like moving files between computers using some cloud service.

people need to stay fae away when security is involved

ive had this kind of fear-mongering/gatekeeping a lot in the cyber security community. its understandable to have high standard and expectation for things like security. but if kerhof's principles are worth anything, they would apply to this project. in the open source version the concept is resonably demonstrated and there is documentation about how it works on the website. spicier things like "how the crytography works" are actively discussed online (like this). its clear that the code is too complicated for anyone to use their spare time review, buts its at least an option. i have recieved good feedback and iterated over what you see.

For anyone reading this thread looking for a secure chat app, just use Delta Chat, or even Signal (which has some issues, but it’s better than nothing).