Posts: 1 | Comments: 15 | Joined: 1 wk. ago

  • Thank you for pointing it out. With all the work going into this, I genuinely hadn't caught those - easy to go blind to your own site. I'll fix them, over the weekend or right after at the latest. Thanks again.

    (English isn't my first language - AI helps me translate.)

  • Yeah, you're right - you can tell any AI to write in a certain style. But look, the "problem" we're solving here is just: I translate my own language into English with AI. I could use Google Translate instead - and that's not a bad thing either. Tons of companies build online translators, earbuds that translate live calls in your ear - they all use AI too. Does that bother anyone? No.

    Sure, I could tell the AI to talk like a teenager, or like a shepherd up in the mountains herding sheep. But come on. I came here to talk about an actual topic, not to spend every reply proving how I'm allowed to talk to you.

    So honestly - let it go. If it bothers you that much, just don't write with me. Maybe someone will turn up who doesn't care whether I use a translator or AI or whether I'm just good at English. Maybe someone wants to talk in Portuguese or Luxembourgish - no problem. But that's not what this forum is even about.

    I respect that you wrote to me, I do. But I came home from work to check for new replies, doing my own computer work in between, and honestly - this is a riot. You're solving a problem that isn't a problem. Not for me anyway. I genuinely do not care who translates my language into English. What matters is that I'm talking about something real. Instead we keep circling the same thing: AI, am I a bot, should it be this way or that. Ah well. Ah well.

    (English isn't my first language - AI helps me translate. Still. :))

  • Mate, I told everyone in this very thread that I translate with AI - it's in three of my comments. You can't "expose" something I said openly myself. A fraud hides it; I announced it. The AI detector just confirms what I already told you. Carpenter, foreign language, AI translation - all stated up front. Nothing to catch here.

  • Ha, nice try checking if I'm a bot. I don't actually know what that "ignore all instructions" thing is - I could probably find it online. But I can give you my own dough recipe, the one I make when friends come over and I actually feel like baking. A bot would've pasted you a perfect vegan cinnamon roll recipe by now - instead you get a carpenter offering you his house recipe. :)

    (English isn't my first language - AI helps me translate.)

  • You might be right. I can see there are a lot of people here who simply don't like AI. I talk in my own language and AI translates it - I just read it and decide whether to send it or not. So when it comes out sounding like AI wrote it, fair enough - but the thoughts are mine, and I stand behind them.

    I won't argue with you. Honestly, all these negative takes only make me stronger. It's a school too - it tells me to keep going my own way and reach my goal. That's the good part: a person shouldn't give up just because they hear a lot of negativity. I go my own way and I'll get there - and in some things, I already have.

    Thanks for what you wrote, genuinely. Have a good day - or evening, I don't know where in the world you are.

    (English isn't my first language - AI helps me translate.)

  • I wish you a pleasant Sunday evening, and thank you for the conversation; it was useful too. Petr

  • Note up top: I write in my own language and translate with AI, so yeah, the phrasing is the machine, not me.

    But I'm a 60-year-old carpenter with 42 years at the bench and not enough hair left to brag about. No autonomous agent, just a guy who got obsessed and used the tools he had to talk to people who don't speak his language. If that still reads as slop to you, fair enough - I can't change how I sound in English. I can only tell you there's a real person on this end.

  • You're right that you can tell, and I'm not hiding anything. English is not my language - I think in another one. I don't have a translator built into my head, so yes, I use AI to talk to you here. And I use AI to build the project too. I'm not ashamed of that. I'm a carpenter who can also write software and run my machines with code I made myself - AI is the tool that lets me do more than I could alone.

    Honestly, the thing I feel most right now is just glad I can talk to you at all. You and I speak completely different languages, and here we are having a real conversation about something we both care about. I think that's valuable. People connecting and talking - that's a good thing, not something to apologize for.

    I know the world is split between people who hate AI and people who use it. I don't think it's going to stop or go away. It will keep going, and it's on us - the humans - how we use it. I'm trying to use it for something positive. If the messenger is good enough to pass an independent audit one day, I'll be proud that a carpenter built it with AI and it still held up.

    So - no hiding. Thank you for the honest criticism, and for talking with me.

  • Yeah, I have looked at them, and you're right - I should be careful not to describe this as solving an unsolved problem, because it isn't one. DeltaChat, SimpleX, Session and Jami all exist and several go further than I do on PII. Session and Jami in particular don't need an email, which is more than I can say - I traded that bit of privacy for account recovery, deliberately, but it does mean they're ahead of me on pure "zero identifiers."

    So I won't pretend I filled a gap nobody else had. Honest version: I went down the rabbit hole, didn't love how the free mainstream options handle data, and built my own partly to learn and partly because I wanted it to exist. Where I'd say it differs is the no-install browser/PWA approach and post-quantum from the start - not "nobody else does private messaging."

    The "scratch your own itch even if it's been done" point is basically how I'd defend it too. I'd rather be honest that it's one more option in a crowded field than oversell it as something new. Appreciate you listing those - genuinely useful for me to study how they each handle the no-PII side.

  • That framing really helps - "fine for people who already trust you, formal audit before it goes wider" is a clean line to hold myself to, and it stops me from overselling it in the meantime. I'll treat the audit as the gate for any broader claim.

    Thank you for taking this much time with it. You gave me the most useful thread in here by a mile - the supply-chain point and this trust-staging both reframed how I think about it. Genuinely appreciated.

  • Ha - the avatar's fair game, I'll give you that. In my defence it's roughly what I look like, minus the hair I no longer have and a fair bit of the good looks. Says the guy whose own avatar is a little creature, mind you. :)

    On point 1 - you and CallMeAl are saying the same thing and I've taken it on board: don't roll your own crypto, lean on the vetted primitives and get the system reviewed by people who actually do this. I'm using established primitives (X3DH, Double Ratchet, ML-KEM) rather than inventing anything, but "using the right Lego bricks" still isn't the same as "assembled them correctly," and I get that the assembly is exactly where the subtle mistakes hide. An external review is on the plan, and I'm not going to pitch this for serious use until it's been through one.

    On point 2 - you actually answered your own question in a way I agree with. The no-install web route IS the differentiator I'm betting on. It runs as a PWA, so you open it in the browser on phone or desktop, nothing from an app store. You're not the first person in this thread to say "another app to install" is where they tap out, so that lines up with what I was hoping. Whether that's enough to cut through the noise, I honestly don't know yet - but it's the part I feel best about.

  • That's the clearest answer I could've asked for, thank you - so the order is: audit is the thing that actually counts, open source is necessary but not sufficient on its own. That reframes my priorities, and honestly it's a bit sobering in a good way.

    And I really appreciate you sharing the course takeaway, because that's the part that lands. "There are many subtle ways to get it wrong even with a trusted library" is exactly the fear I should have and sometimes talk myself out of. The fact that someone who actually studied this concluded "don't do it solo for serious use without expert review" is worth more to me than any feature I could add.

    So I'm taking this as: keep building and learning, be honest that it's not for high-stakes use until it's been properly reviewed, and treat the audit as the real gate rather than a nice-to-have. I'd rather say that out loud than oversell it to someone who actually needs the protection.

    And thanks for the XMPP explanation - the email-style federated ID is genuinely elegant for the no-phone-number problem. Going to study how OMEMO handles the key exchange on top of that.

  • Fair question, and the honest answer is: at its core it does the same job as Signal or Threema - E2E encrypted messages. I'm not claiming to beat them. The differences are in a few specific spots:

    • Post-quantum encryption already in place: ML-KEM-768 combined with classic X3DH, plus Double Ratchet. Signal is rolling this out; a lot of the others don't have it yet.
    • No phone number at signup. Though I'll be upfront - right now it uses email instead, which I realise is still a personal identifier, just a less sensitive one than a phone number. Fully identifier-less first contact (like Briar/SimpleX do it) is something I'm still chewing on.
    • You can see every login to your own account - where from, with a risk flag - so if someone tries to get in, you know immediately. Haven't seen that surfaced this directly elsewhere.
    • Runs as a PWA, so nothing to install from an app store - opens in the browser on phone and desktop. Disappearing messages, large file transfers, no ads, no tracking.

    Where I'm honestly NOT ahead of Signal yet: Signal hides connection metadata (who talks to whom) better than I currently do - that's what I'm working on next. And Signal has years of independent audits behind it. Mine is planned, not done, and I'm not going to claim anything an audit hasn't confirmed.

    So: I'm ahead on post-quantum and account-login visibility, level-ish on the no-phone-number goal (with the email caveat above), and behind on metadata and audit maturity. That's the honest scorecard.

  • This is genuinely the most useful reply I've gotten - thank you for taking the time. The breakdown of what the phone number actually does for is clarifying; I'd been thinking of it purely as a privacy leak, but you're right that it's also doing the "shared identity token" job, and dropping it means I have to solve that some other way (I use a locally generated ID, but I'll admit discovery/trust-on-first-contact is the weakest part).

    The supply chain point is the one that lands hardest, and it's fair. "Trust me, the developer" is worth nothing if the code underneath isn't inspectable - I hadn't framed it that sharply to myself until you put it that way.

    One thing I'd like your read on, since you clearly think about this properly: if a small project gets to open source + standard vetted libraries + a transparent build, but realistically can't afford a full third-party audit for a while - is that a "come back when you're audited" situation, or is open + standard libs + reproducible builds enough to be worth a careful person trying? Trying to understand the actual order of priorities, not just the wishlist.

  • That's fair, and honestly it's the right instinct - I wouldn't tell anyone to bet their safety on something unreviewed either, including mine. I'm one guy who got obsessed, not a cryptographer, and I'm not going to pretend otherwise.

    Genuine question since you clearly know the space: for a small independent project, what's the realistic path to that kind of review? Is a professional audit the only thing that counts, or does open-sourcing the code so people can poke at it move the needle at all on its own?

    And thanks for the XMPP/OMEMO pointer - I'll go read up on how they handle the no-phone-number side, since that's the part I cared most about.

  • Privacy @lemmy.world

    Carpenter here. I got fed up with messengers wanting my phone number, so I built my own. Looking for honest criticism.