Today’s TechScan: Open‑source rockets, watchdogs, and surprising tooling wins

The most consequential theme cutting across today’s stories is a quiet one: trust is being re-negotiated. Not the big, cinematic kind of trust—no single password dump, no dramatic “AGI” proclamation—but the everyday trust that lets modern tech function. Trust that your authentication logs tell the truth. Trust that a compliance report means what it says. Trust that a headline reflects what a publisher wrote. And, in a more uplifting register, trust that the tools you rely on—whether for designing circuit boards or launching a classroom model rocket—are getting better in ways that make your work less fragile.

Start with identity, because identity is where we tend to discover that our “observability” was really just a comforting story. Security researcher Nyxgeek disclosed two additional Azure Entra ID sign-in log bypasses in 2026, bringing the tally to the third and fourth distinct bypasses they’ve found since 2023 (following earlier issues dubbed GraphNinja and GraphGhost). The core problem is brutally simple in its impact: an attacker could obtain valid OAuth tokens without generating sign-in log entries, meaning defenders lose a primary source of detection and post-incident investigation data. Microsoft has fixed the newly disclosed issues, but what lingers is not one bug—it’s the pattern that critical authentication flows can be made to “work” while telemetry fails to record them.

The disclosed technique centers on crafted ROPC (resource owner password credentials) POSTs to login.microsoftonline.com with particular parameters that validate credentials or return tokens while avoiding the expected sign-in telemetry. If you’re a security leader, the scariest part isn’t even exploitation; it’s the epistemology. Your security team may be doing everything “right”—watching sign-in logs, building alert rules, writing KQL detections—yet key events can be absent by design flaw. Nyxgeek’s write-up includes KQL-based detection guidance, but the broader takeaway is architectural: logging must be futureproofed as a security property, not treated as a side-effect of successful authentication. When authentication can happen without an audit trail, incident response becomes archaeology with missing layers.

That same trust gap shows up—arguably even more uncomfortably—in the compliance supply chain. A DeepDelver investigation alleges that YC W24 startup Delve sold “fake compliance,” fabricating audit evidence and issuing auditor-like reports that led hundreds of customers to believe they met standards such as SOC 2, HIPAA, and GDPR. The report claims Delve produced identical audit documents, used shell US auditors operated by Indian certification mills, and pressured clients to accept fake artifacts rather than perform real controls. Leaked spreadsheets and reports are cited, and the allegations include affected clients ranging from enterprises to a NASDAQ-listed company. Delve is accused of denying and deflecting when confronted.

If those allegations are accurate, the damage isn’t confined to one startup’s customers. SOC 2 and similar attestations are a kind of institutional shortcut that lets procurement move at SaaS speed: a standardized artifact standing in for bespoke verification. The HN discussion around the story (and the parallel write-up summarizing the uproar) underscores how fragile this trust can be when the market is incentivized to optimize for “SOC 2 in days.” Even the idea of “automation” in compliance becomes suspect when it slides from streamlining evidence collection into fabricating it. The systemic risk is that buyers think they’re outsourcing diligence, when in practice they may be importing regulatory, contractual, and reputational liability. The lesson for security and procurement teams is not merely “vet vendors better,” but to treat compliance artifacts as something that can be adversarially produced—because, as alleged here, they can.

Now pivot to a more hopeful corner of the ecosystem: open tooling that earns trust the hard way, with visible work and reproducible results. KiCad 10.0.0 is a reminder that open-source infrastructure can advance not via hype cycles, but via sheer accumulation of craft. This release landed after 7,609 commits with hundreds of contributors, and it’s packed with changes that matter in daily electronics design: performance fixes, usability upgrades, and substantial library updates. The release standardizes on STEP 3D models, which reduces install size and improves geometric accuracy—exactly the kind of unglamorous improvement that saves designers time when mechanical fit suddenly matters.

The library work is similarly concrete: 952 symbols, 1,216 footprints, and 386 3D models added, and over 78% of footprints moved to generated data-driven production—a phrase that sounds bureaucratic until you realize it’s about consistency, maintainability, and fewer “why is this footprint slightly different” surprises. Usability improvements include Windows dark mode, customizable toolbars, undo/redo in dialogs, and lasso selection, plus new importers for Allegro, PADS, and gEDA/Lepton PCB. Even governance shows up as a performance metric: merge request processing sped up (median from three days to 18 hours) amid increased contributions. That’s not just community feel-goodery; it’s throughput, and it’s how niche workflows become accessible to more people without collapsing under their own complexity.

If KiCad is about electrons, OpenRocket is about air and gravity—and about reducing the amount of learning you have to do by breaking things. The project’s GitHub description positions it as software for simulating model-rocket aerodynamics and flight trajectories, helping users model designs and predict performance—stability and expected flight path—before launch. The source material doesn’t give us recent release specifics, version numbers, or new features, so what stands out is its role: a go-to simulator that shifts rocketry from trial-and-error into validation. In hobbyist launches and education contexts, that’s not just convenience. It’s risk reduction—the practical kind, where simulation turns “I hope this works” into “I have a reason to think this will work.”

Developer experience, meanwhile, continues to be shaped by tools that are aggressively small yet oddly transformative. A new “Show HN” project called Sonar is a tiny CLI that shows what’s running on localhost and can kill it—processes and containers alike—with Docker/Compose awareness. It lists ports alongside process and container details (including image and container port) and even provides clickable URLs, while exposing resource and health stats. This is one of those tools that sounds trivial until you’ve lost 45 minutes to a port conflict caused by “something” you started two days ago. Sonar’s verbs—list, info, kill, kill-all, logs, attach, watch, graph—read like a developer’s wish list after one too many “why won’t this bind to 8080” mornings. It can also target remote hosts over SSH, which quietly broadens it from local convenience to team debugging utility.

The other tooling story is less about a new command and more about a hard-won performance intuition: sometimes you go faster by doing “less clever” things. The team behind openui-lang rewrote their Rust parser compiled to WASM into TypeScript, and it got roughly 3x faster. The culprit wasn’t Rust being slow; it was the JS⇄WASM boundary—copying input into WASM, serializing results back to JavaScript, and the per-call latency that dominates when you care about responsiveness. They tried serde-wasm-bindgen to return JsValue objects, but that was slower due to fine-grained cross-runtime materialization. The winning move was to port the entire pipeline—autocloser, lexer, splitter, parser, resolver, mapper—into TypeScript so parsing stays inside V8 and the boundary cost disappears. In the era of streaming LLM-to-UI pipelines, where per-chunk latency is everything, this is a useful corrective: the fastest stack can be the one with fewer crossings, not the one with the fanciest compilation story.

On the AI systems front, today’s advances are about making familiar primitives run like they belong in 2026. Flash-KMeans is a GPU-focused, IO-aware reimplementation of exact k-means that targets two bottlenecks: materializing the huge N×K distance matrix and the atomic-write contention during centroid updates. Its FlashAssign fuses distance computation with an online argmin to avoid intermediate memory, and its sort-inverse update turns scatter-heavy atomic writes into localized segment reductions. With chunked-stream overlap and cache-aware heuristics, evaluations on NVIDIA H200 show up to 17.9× end-to-end speedup versus best baselines, with large gains over cuML and FAISS. The subtext here is operational: k-means stops being a batch chore and becomes an online primitive, which matters for real-time clustering and embedding-heavy workflows.

At the architecture level, Attention Residuals (AttnRes) proposes replacing fixed additive residuals in Transformers with learned attention over previous layer outputs, letting each layer selectively aggregate earlier representations. Full AttnRes attends over all prior layers but is memory-heavy; Block AttnRes groups layers into about eight blocks and uses attention on block summaries to capture most of the benefit with modest overhead. The reported experiments show improvements in scaling and downstream benchmarks (including +7.5 GPQA-Diamond and +3.1 HumanEval), matching a baseline trained with about 1.25× more compute. It also frames the motivation in terms of depth pathologies—PreNorm dilution and unbounded hidden-state growth—suggesting a pragmatic, “drop-in” route to better depth-aware representation without brute-force scaling.

Finally, the media ecosystem is getting another stress test in who controls the user’s first impression. The Verge reports that Google has begun a small experimental program using AI to rewrite publisher headlines in Search results, sometimes changing tone or meaning. In multiple instances, The Verge’s headlines were shortened or reframed without attribution; Google calls the test “small” and “narrow” but didn’t specify scope. Vox Media has seen similar behavior in Google Discover, and Vox has an ongoing lawsuit against Google over ad tech practices. Headline rewriting is not a cosmetic tweak: headlines are editorial decisions, legal risk management, and reader navigation all at once. When a platform silently swaps them, it’s not just repackaging—it’s re-authoring the frame.

That framing battle connects neatly to public-sector attempts to reclaim control through standards rather than lawsuits. Germany has mandated ODF and PDF/UA as official document formats for public administration under its Deutschland-Stack sovereign digital infrastructure framework. The framework enforces open standards, local data storage, and open source development to reduce vendor lock-in and ensure interoperability across federal and state systems through 2028, excluding proprietary formats from official use. The Document Foundation’s Florian Effenberger praised the decision as essential for democratic, interoperable public administrations, and the move aligns with broader EU digital sovereignty efforts. It’s a reminder that while platforms experiment with rewriting the surface layer of information, governments are trying—slowly, bureaucratically, but meaningfully—to lock in interoperable ground truth underneath.

Put together, today reads like a referendum on where we anchor reality: in logs, in audits, in open file formats, in reproducible design tools, in performance claims that can be measured. The forward-looking question is whether the next year brings more “trust me” automation—or more systems designed so trust is earned by default: logged when it matters, standardized where it counts, and transparent enough that communities (and customers) can actually verify what they’re being sold.