Channel: Dhole Moments

Roasted Christmas Spam from Muhu.ai

I wrote what I thought would be the final blog post of 2024 last week, and was looking forward to starting 2025 strong with a blog I’d been drafting since July 2023.

But then, a little after Midnight on Christmas, I received the following unsolicited email from “the muhu team”:

Gmail screenshot.
Arrival time: 12:09 AM on December 25, 2024

Subject line: Greta roasted your repo soatok/minisign-php

The email is signed "Muhu Roast" (return email address: roast@muhu.ai) and the contents of the email are as follows:

hey Soatok Dreamseeker,
we found your work on soatok/minisign-php and ran your commits through our AI to create a holiday audio roast—hilarious and cringe.

check it out: https://muhu.ai/holiday-roast/r/96acaf89-1f09-48cd-84b7-4b4aad3ffb5d.

we got your email from GitHub, but no worries, we're not spamming you. If you like what muhu.ai is about (less explaining, more coding), great. If not, just enjoy the laughs and maybe share it with a friend.

happy holidays,
the muhu team

Now, a total fucking stranger using “AI” to “roast” the open source software you thanklessly developed might not be the absolute worst of all possible holiday gifts to receive, but it’s definitely in the F Tier.

Drakeposting No Sticker
Art: CMYKat

Even worse, it’s a transparent attempt to piggyback off open source developers to viral market their AI product, which purports to “helps you understand what your developers are doing, no tech degree required.”

The implied value proposition for this “Muhu.ai” startup is to enable clueless suits to surveil the proles working for them without needing to understand any of the domain expertise their developers have accumulated.

That sure sounds pretty shit to toss at open source developers, doesn’t it? Using “AI” to shift even more of the power dynamic away from workers and towards company executives.

This and many other problems with AI are covered quite succinctly in Philosophy Tube’s video on the subject.

One thing you may have noticed missing from that screenshot is an opt-out mechanism. Indeed, there is no such thing on their website, either.

but no worries, we’re not spamming you.

Gaslighting from someone that is definitely spamming you.

In fact, many webpages that used to be available on their website (such as their security policy page) are no longer available, but still exist in Google’s cache.

That’s at least a little suspicious, right?

Surely I’m not the only one who finds it fascinating that, around the time they pull the trigger on their email marketing campaign to send unsolicited “roasts” to random open source developers, their security information page would stop working.

Yet, it was working recently enough for Google to still have a cached copy of it, as of this writing.

In fact, the muhu.ai website doesn’t have any contact information.

The email, signed simply as “the muhu team”, was delivered from 104.245.209.201, an IP address that belongs to activecampaign.com (a marketing automation company), which is almost certainly a proverbial haystack.

Who’s running this ship anyway?

I’m almost certainly not the only open source developer to receive one of these unsolicited “roasts”.

However, as of this writing, there is no discussion about them on Mastodon or Bluesky, which are both popular for open source developers.

At this point, annoyed by this intrusion to my inbox on a family holiday, my curiosity has been thoroughly piqued.

You may have noticed: I’m only linking to archived snapshots of any web pages that belong to the offending “AI startup” or their other properties, lest I give them some of that sweet SEO backlink juice they crave.

There are some consistency issues with different archive tools. Thus, I’ve switched between the Internet Archive, archive.today, and Ghost Archive where one tool worked better than the others. When no tool successfully retrieved a snapshot, I’ve opted for screenshots instead.

Please be aware, some of these archive tools don’t work for some users. Archive.today is known to block Cloudflare DNS users, for example. Ghost Archive relies heavily on service workers to retrieve web pages.

I’m providing this information for the sake of transparency, so that any claims I make can be independently verified. If one of the archive sites doesn’t work for you, there’s little to nothing I can do about it.

Who is running muhu.ai?

The only platform where anyone was talking about muhu.ai was Twitter (or, rather, X–the husk of what Twitter once was).

@jason asks:
Tell me about your startup here… 

Investors: please feel free to engage with these founders!

@peignoir replies:
muhu.ai : understand what your developers are doing (ai translating dev work to biz) with 
@teddypejoski
Archived

Indeed, the @heymuhu account only has 1 follower as of the time of this writing: Franck Nouyrigat.

Screenshot showing that @peignoir is the only account following @heymuhu.

Although he’s credited by Franck as a co-founder, I’m left to guess Teddy Pejoski didn’t feel like following the account for his own startup?

Despite this, they both have been desperately trying to promote muhu.ai everywhere they can:

The @heymuhu Twitter account claims to hail from a location called Muhu in Estonia–which is, in turn, an EU member state.

Consent was not obtained and no opt-out or unsubscribe mechanism was included in the email that Muhu sent me.

This is illegal in the European Union (where they’re based) and doesn’t comply with CAN-SPAM (where I’m based).

But my curiosity isn’t sated yet. What more can we uncover about their operation?

Who is Franck Nouyrigat?

Where to start with a character like Franck Nouyrigat?

You could begin by examining his bad takes about the humanities in public education on Twitter, and examine how devaluing the humanities lines up with the incentives of the AI griftosphere.

academia is easy to fix.

ban all non science and focus on math and physics plus engineering as a core the rest will follow (biology / médecine being its own thing) use ai on top of peer to peer (even as a replacement one day to review the math)

the rest eg politics art social “science” economics should have its own special place away from real science but where it can be celebrated as human studies where people are free to explore and maybe one day find something useful

Statements dreamt up by the utterly deranged

You could look no further than his reflections on emigrating to the United States during 2008–a year marked by an economic crisis that haunts many libertarians and anarchocapitalists for not being enriched by the recovery efforts, as Dan Olson covered in this excellent video:

Hell, you could also start from Franck’s 14 years of Hacker News comments.

And while starting from either point could yield a ton of insight into the man behind the spam, I will instead turn toward the irresistible beacon of startup hustle criminals–the forum where they gleefully share their sketchy escapades in broad daylight:

LinkedIn.

Franck Nouyrigat's LinkedIn banner and profile header.

His bio reads:
Founder@ Electis / StartupWeekend / startup next / Up Global / recorp.co / Massive / I focus on ambitious tech projects with high impact
Live. No archive link available, sadly.
About section:

I'm passionate about Bold projects with wide impact lead by an entrepreneurial spirit and great team culture. I co-founded the non-profit Startup Weekend with the help of our amazing community to spread that spirit, former board member of Up.co before our acquisition by Techstars. I co-founded Massive to boldly push a new way to monetize the internet with an amazing team. Currently working on Electis to advance Democracy through technology and launching soon one37 (stay tuned!)

Right off the bat, we notice a few things:

  • More confirmation that he operates under Estonian law
  • He has 9,701 followers on LinkedIn
  • He’s raising the flag of another startup called Electis

Electis? Who the fuck is Electis?

Franck became the founder of "Electis Solution" in June 2023 and has already pivoted to "muhu.ai", despite not listing this on his LinkedIn. His entire work history is a graveyard of dead startups.
Job Experience: A graveyard of dead tech startups and consulting firms.

Electis Dysfunction

If Franck’s LinkedIn work history is to be believed, he founded “electis solution” in June 2023.

According to sirene.fr, Electis Solution (SIRET # 91895617800019) was incorporated in 2022, under the name “ELECTIS SOLUTIONS” (plural this time).

Establishment(s)
Status: Active
Diffusion: Diffusible
Brand name: (blank) 
Usual name: (blank)
Address:  83 RUE DE L'UNIVERSITE
City: 75007 PARIS
Geodetic coordinates: 650054.5131083888 / 6862505.2615856305
Principal activity:  58.29C - Edition de logiciels applicatifs
Employee numbers*: (blank)
Year employee numbers verified:  (blank)

enterprise
Status: Active
Diffusion: Diffusible
Legal category:  5710 - SAS, société par actions simplifiée
Name: ELECTIS SOLUTIONS
enterprise logo:  (blank)
Usual name: (blank)
SIRET of enterprise registered office:  91895617800019
Principal activity:  58.29C - Edition de logiciels applicatifs
Employee numbers*: (blank)
Year employee numbers verified: (blank)
enterprise category: PME - Petite ou Moyenne Entreprise
enterprise category validity date: 2022
PDF version here

Electis purports to “protect the integrity of each vote” using “blockchain technology”.

Their blog includes a category called “Votig technology” which talks about client-side encryption, but fails to provide any technical details about what their product offers. Another post makes it clear that they’re building on the Tezos blockchain.

Interestingly, searching for their software on GitHub yields this repository that hasn’t been updated for 3+ years. The specific technologies involved seem to line up with the Electis website’s advertised technologies. Although the current website is light on details, the 2021 website includes a whitepaper.

The older site even indicates a demo app, available at electis.app, which includes pages that were missing from muhu.ai: Privacy Policy and Legal Notices.

Their privacy policy is simply "POLICY_TEXT".
Why are they so bad at this?

It sure seems that Franck Nouyrigat is physically incapable of actually complying with the laws for the countries his business operates within.

It’s certainly very interesting that, for a company incorporated in 2022, the “founder” joined in June 2023 to sell a business around an open source project that’s been on GitHub since 2021.

The Muhu.ai “Roast”

So now that we know who’s behind this stupid spam campaign, what was their “roast” anyway?

Unfortunately, a transcript wasn’t provided, so I had to suffer through “Greta”, bad fake German accent and all, to transcribe it manually.

Guten tag, Soatok Dreamseeker.

You stand before ze ominous gaze of your code’s judge, jury, und executioner.

Your lone commit in zis forsaken repository is like a solitary scream in ze void. A plead for mercy zat shall go unanswered.

Ah, zere it is. Ze “fix CI update deps”… commit. Zis, mine dear, ist not a commit, but a desperate attempt to appease ze CI gods. Yet I find your sacrifices… lacking.

In ze src/minisign.php file, line 42, I see your error handling is ze equivalent of a black hole–sucking in all hope of recovery. Did you think ze try-catch block would hide your sins? Nein. It only amplifies the stench of failure.

Und the travis.yml, line 13, ze versioning of PHP. Who uses such outdated versions? Your retro approach is to delight to my malevolent heart. But instead of going forward, you’ve chose to travel backwards into obsolescence.

Zis single commit has given me much power. But I vill not be satisfied with just this taste. Continue on this path, and I will feast upon your despair.

[sales pitch]

Ooh–are we negging?

Ironically, this “roast” is a great demonstration of how bad these “AI” products are. They cannot understand context. As others have observed with ChatGPT: It cannot summarize, only shorten.

My minisign-php library is a PHP implementation of Frank Denis’s minisign project. I created it a few years ago to give PHP developers an alternative to PGP for file signing. These details aren’t hidden at all; in fact, it’s in the README file.

PHP implementation of Minisign. Powered by Libsodium.

The entire purpose of the commit in question was to remove Travis CI and replace it with GitHub Actions. The travis.yml file was being deleted. No human would make such a stupid fucking mistake.

The relevant part of the minisign.php file that the AI tried to roast is actually a command-line script, and the try-catch block is intended to print detailed error information if it wasn’t caught by another layer of the underlying library. If you have an uncaught exception at this point, dumping it to the terminal is the most developer-friendly way to handle it. The alternative is just terminating abruptly without any visual indication of a problem.

As Eleanor Saitta is fond of saying:

Repeat after me: all technical problems of sufficient scope or impact are actually political problems first.

@dymaxion@infosec.exchange

Creating a PHP implementation of minisign was trying to solve a political problem within the open source software community.

The AI tools that exist today are incapable of truly understanding humans, or our politics.

Ironically, this could change if AI enthusiasts actually invested in the humanities, but we’ve already seen what jackasses like Franck Nouyrigat think about “soft” sciences:

the rest eg politics art social “science” economics should have its own special place away from real science but where it can be celebrated as human studies where people are free to explore and maybe one day find something useful

Franck Nouyrigat on Academia

Hoisted by your own petard, Franck!

It’s not at all surprising that the person trying to badly market an unwanted AI product was most recently involved in the web3 startup griftosphere. Nor is it surprising that the sort of personality that gravitates towards blockchain and AI would devalue the arts and humanities so blatantly.

It is a little pathetic, though.

In case Franck, or any other startup hustle grifter, is reading this wondering why their career sucks so much: Fake it ’til you make it requires introspection and a feedback mechanism. Consider this your first iota of real criticism.

Email from Postmark Support

Hi,

Thank you for reporting the spam. We have taken action against this misbehaving client, and you should no longer receive any messages from them.
At least Postmark responded quickly to their misbehaving client.

Why write about this?

The calm, sensible, and mature thing for an open source developer to do when an anonymous jackass sends an unsolicited email offering an AI-generated “roast” of one of your open source software projects, is to click the “report spam” button and move on with your day.

But this email came in right after midnight on Christmas. This was a rude intrusion into my time away from code.

Upon further inspection, it’s probably also an illegal one (as I’ve laid out the evidence above).

But, of course, that’s up to the Data Protection Inspectorate of the Republic of Estonia to determine. Or perhaps France, if that is indeed where he resides (leveraging an Estonian digital nomad e-residency).

I chose to write about this so anyone else that feels insulted or frustrated by this AI-generated spam can find a kindred spirit in the blogosphere, and to highlight how starkly their demo highlights the deficiencies of the technology they’re trying to hawk.


Now, if you’ll excuse me, I have time to spend with my chosen family.

Smell ya in 2025, nerds.

