Top Stories

Codex Is Now in the ChatGPT Mobile App

433 points · openai.com

OpenAI has folded Codex directly into the ChatGPT mobile app, letting users kick off coding tasks, review PRs, and chat with running agents from their phones. The pitch is “work with Codex from anywhere” — a continuation of OpenAI’s strategy to make coding agents ambient rather than IDE-bound.

The HN reaction is split between developers excited about reviewing agent output on the train and those skeptical that meaningful code work happens on a 6-inch screen. Either way, it’s another sign that the agent-as-default workflow is hardening, and that the ChatGPT app is the surface OpenAI most cares about defending.

OpenAI Is Connecting ChatGPT to Bank Accounts via Plaid

44 points · firethering.com

OpenAI is wiring ChatGPT into Plaid, the bank-account aggregation layer used by Venmo, Robinhood, and most US fintechs. The integration would let ChatGPT pull transaction history and account balances to answer personal finance questions — and, in theory, take action on the user’s behalf.

The 50+ comment thread is a study in mixed feelings: this is the kind of feature people clearly want (a competent financial assistant that knows your real numbers), but handing checking-account read access to an LLM provider feels like a different magnitude of trust than letting it summarize your inbox. Expect a regulatory eyebrow or two.

We Are Retiring Our Bug Bounty Program

310 points · turso.tech

Turso, the SQLite-derived edge database company, is killing its bug bounty program. The reason: the inbox has been overrun with AI-generated “vulnerability reports” that are syntactically plausible, technically wrong, and expensive to triage. The post reads as exhausted rather than triumphant.

This is part of a broader trend — curl’s Daniel Stenberg has made the same complaint — but Turso putting it in writing and pulling the plug is notable. The economics of a bug bounty depend on signal-to-noise; LLMs have inverted that ratio for small teams, and the comments are full of other maintainers nodding along.

A Few Words on DS4

391 points · antirez.com

Salvatore Sanfilippo (antirez), the creator of Redis, weighs in on DS4 — the latest iteration of his work since returning to Redis from his sabbatical. The post is classic antirez: opinionated, technically detailed, and unsentimental about which trade-offs he’s made.

Whenever antirez publishes, HN reads it. The thread covers his thinking on data structure design, what he’s learned from years away from the project, and the tension between making Redis “more” versus keeping it the small, comprehensible thing developers loved in the first place.

Removing the Modem and GPS from My 2024 RAV4 Hybrid

1004 points · arkadiyt.com

The single biggest story on HN today (by a wide margin) is a teardown of how to physically excise the cellular modem and GPS unit from a recent Toyota RAV4 to stop it phoning home. The writeup walks through the connector pinouts, what breaks (some convenience features), and what doesn’t (the car still drives fine).

A thousand upvotes is the audience speaking clearly: people are angry that mid-priced cars now ship as always-connected data collection devices, and a meaningful chunk of the HN crowd would rather pull a wire than accept it. Expect this to get cited the next time someone argues “consumers don’t care about car telemetry.”

Amazon Workers Under Pressure to Up Their AI Usage Are Making Up Tasks

182 points · fastcompany.com

Fast Company reports that Amazon employees, facing internal pressure to demonstrate AI tool adoption, are inventing busywork to feed to the assistants — generating reports nobody reads, asking for summaries of meetings they didn’t attend, and otherwise gaming the usage metric.

This is the Goodhart’s Law version of the AI productivity story: when “AI usage” becomes a KPI, it stops being a measure of productivity. The thread is full of people from other large companies reporting variations on the same theme, plus the predictable counter from people insisting their teams use AI for real.

A 0-Click Exploit Chain for the Pixel 10

191 points · projectzero.google

Google’s own Project Zero publishes a 0-click exploit chain against the Pixel 10 — meaning a victim doesn’t have to tap anything, just receive the malicious packet. The writeup chains multiple bugs in the modem and IPC layers to land kernel-level code execution.

The interesting wrinkle is who’s publishing: Google researchers, on a Google flagship, presumably already patched. The community appreciates Project Zero applying the same disclosure rules to its own employer that it does to Microsoft and Apple — though a few commenters note the asymmetry of access that makes such a chain possible in the first place.

First Public macOS Kernel Memory Corruption Exploit on Apple M5

421 points · blog.calif.io

A detailed writeup of what the author claims is the first public kernel memory corruption exploit against Apple’s M5 chip. The post walks through the bug discovery, the constraints imposed by the M-series memory protections, and the eventual primitive that yields arbitrary kernel read/write.

For the security-minded HN crowd this is required reading: Apple’s hardware mitigations were supposed to make this class of exploit dramatically harder, and the post is essentially a stress test of how well that’s held up. The 23-comment thread is split between admiration for the technical work and arguments about how realistic the threat model is in practice.

Trade Dollars with Other Startups — Book It as Revenue

145 points · revswap.ai

RevSwap is a, uh, marketplace that lets startups swap equal dollar amounts of “services” with each other and book the gross numbers as revenue. The site is presented unironically. The HN thread is not.

Most of the comments are dunking — this is essentially a service for inflating top-line metrics ahead of fundraising — but a few people are taking the question seriously: where exactly is the line between barter, channel partnership, and revenue laundering? Either way, it’s a fascinating artifact of a fundraising market where “ARR” has become a moving definition.

O(x)Caml in Space

188 points · gazagnaire.org

A writeup of “Borealis” — using OCaml in a real space-bound system, with discussion of the type-safety properties that make functional languages attractive for high-reliability environments where bugs cost satellites.

OCaml-in-production stories are catnip for the HN programming-languages crowd, and one running on actual orbital hardware is the apex form. The thread digs into the runtime trade-offs, how garbage collection plays with real-time constraints, and why Jane Street’s OCaml investment keeps paying dividends in unexpected places.