
Friction does matter. Yes, criminals will create fake accounts with stolen IDs and stolen credit cards. But creating 1,000s of these is hard. Creating polymorphic banking trojans is simple.

I don't know if this trade-off is worth it, but the idea that it won't affect this abuse at all is false.


If you can convince someone over the phone to install malware through a million "don't do this" screens, you can convince them to just give you their login credentials. Which is easier, cheaper, and, I imagine, more effective.

And yet, criminals create banking trojans at scale. They wouldn't do this if it was more effective to always do traditional phishing.

Codes arrive via SMS, which is available to all apps with the READ_SMS permission. This isn't an OS vuln. It is a property of the fact that SMS messages are delivered to a phone number and not an app.

On the Play store there is a bunch of annoying checking for apps that request READ_SMS to prevent this very thing. Off Play such defense is impossible.
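The check described above (looking at which apps ask for READ_SMS and similar permissions) can be done off-store too, at least by whoever is triaging an APK. The following is an added example, not code from the commenter or from Google; it assumes the manifest has already been decoded to plain XML (apktool or aapt can do that; an APK's manifest is binary XML) and uses a hypothetical shortlist of permissions commonly seen in banking trojans, since the comment says "about a half dozen" without naming them. Because these permissions also back legitimate features, the result is a list of things to review, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical shortlist (an assumption, not a list from the thread). Each entry
# is a permission that gives an app a capability banking malware relies on.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "can read OTP codes delivered by SMS",
    "android.permission.RECEIVE_SMS": "sees incoming SMS as it arrives",
    "android.permission.SEND_SMS": "can send SMS from the victim's number",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: reads screen, injects input",
}

# Constructed sample manifests (decoded to text XML).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permissions an app declares in its manifest.

    Regular permissions are <uses-permission android:name=...>. Service-binding
    permissions such as BIND_ACCESSIBILITY_SERVICE are not requested that way;
    they appear as android:permission on the <service> element, so both are read.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            names.add(perm)
    return names


def flag_high_risk(manifest_xml):
    """Map each declared high-risk permission to the reason it matters."""
    declared = declared_permissions(manifest_xml)
    return {p: HIGH_RISK_PERMISSIONS[p] for p in sorted(declared) if p in HIGH_RISK_PERMISSIONS}


def can_read_sms_codes(manifest_xml):
    """True if the app could see SMS-delivered OTP codes (READ_SMS or RECEIVE_SMS)."""
    declared = declared_permissions(manifest_xml)
    return bool(declared & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})


if __name__ == "__main__":
    for label, manifest in (("flashlight", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        flags = flag_high_risk(manifest)
        print(f"{label}: sms_codes={can_read_sms_codes(manifest)} review={list(flags)}")
```

A flashlight app that declares READ_SMS plus an accessibility service is the kind of mismatch between stated purpose and requested capability that a store review catches; the point of the comment is that nothing performs this check for an app installed from an arbitrary APK, so the same triage has to be done by the installer or an enterprise MDM.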


Only require Developer Registration for apps with READ_SMS then.

There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions, the community would still be upset.


If they restricted sideloaded apps from sniffing SMS then I wouldn't mind all that much.

There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

I am pretty confident that if Google had enabled this policy only for apps which use these permissions, the community would still be upset.


So no access to SMS for apps distributed on F-Droid?

Fine by me, what are people using SMS for in 2026 except for spam and sending 2FA codes insecurely?

(I'm being facetious here but this is massively preferable to disabling sideloading altogether)


It really is amazing how billionaires have managed to convince so many people that wealth held in equities does not really count.

Bragging about abusing subreddits with spam is not my idea of an endorsement.



I believe that this is horrible for the world.

You can disagree. But I think that this is anti-life poison.


In my opinion your account should be banned from HN permanently. We do not need robot comments.

I reported their comments. What he's doing is crazy, but even more crazy is bragging about it.

I'd wager a lot of money that the huge majority of software engineers are not aware of almost any transformations that an optimizing compiler does. Especially after decades of growth in languages where most of the optimization is done in JIT rather than a traditional compilation process.

The big thing here is that the transformations maintain the clearly and rigorously defined semantics such that even if an engineer can't say precisely what code is being emitted, they can say with total confidence what the output of that code will be.


> the huge majority of software engineers are not aware of almost any transformations that an optimizing compiler does

They may not, but they can be. Buy a book like "Engineering a Compiler", familiarize yourself with the Optimization chapters, study some papers and the compiler source code (most are OSS). Optimization techniques are not spells locked in a cave under a mountain waiting for the chosen one.

We can always verify the compiler that way, but it's costly. Instead, we trust the developers just like we trust that the restaurant's chefs are not poisoning our food.


They can't! They can fairly safely assume that the binary corresponds correctly to the C++ they've written, but they can't actually claim anything about the output other than "it compiles".

Wait until they actually pay.

Almost all of these eye-watering fines get reduced in further legal action. This has even happened to Tesla before with their news-making hostile workplace suit.


Does it actually require an OTP or is this just hoping that the agent follows the instructions every single time?

Rice's theorem just says that you can't have a sound and complete static analysis. You can happily have one or the other.

Today it includes "under God" in the text.

There are really two values expressed in the pledge. "Liberty and justice for all" and "the nation is below God." I'm happy saying that the former is a national value, though it is rarely achieved in practice. The latter... oof.

It is definitely propagandistic. Even if we ignore the religious component, it more expresses an idea that "liberty and justice for all" is already achieved rather than being a goal to strive for.


I think "liberty and justice for all" is actually the norm in the US, at least within fairly ordinary bounds. We can only have liberty up to a point being under a government. A human living in the wilderness, in anarchy, would also have liberty limited by other humans.

You can say "oof" to "under God" but most of the founders believed in the divine and cited it as a reason for granting "god-given" rights to the people. I am an atheist and I kinda don't like the religious aspect of the pledge, but I'm not so upset about it either. Most people believe in a deity, even in 2026, and on the whole I've been treated better by those people than by fellow atheists. Regardless of whether God exists, Christian moral standards are mostly beneficial and too often abandoned when people give up religion. It represents hard-won cultural knowledge and survival strategies for civilization.


"Justice for all" is demystified by spending any amount of time looking at the criminal justice system, which regularly abuses people in about a thousand different ways. The fact that the courts depend on the bulk of defendants taking plea deals to function at all is sick.
