Also, the new Linux desktop is here, and a map survived a small fire
The Accidental Corporate Key Exchange Program
It turns out the front-door security at Microsoft is not as impenetrable as the marketing department suggested. Security researchers from Eye Security announced they discovered a way to leverage the Entra OAuth "consent flow" process to gain access to internal Microsoft applications. This entire fiasco is less of a sophisticated break-in and more of a forgotten key under the welcome mat, but that key allows access to the entire building.
In essence, the system allowed a third party to trick a trusting user into granting far too much permission, which is the digital equivalent of asking a coworker to borrow their phone charger and then accidentally getting full administrative rights to their entire life. The hacker community in the comments section notes that "consent phishing" (a malicious app asking for broad delegated permissions and a user clicking Accept) is a long-standing, known issue that most organizations simply hope their compliance training can solve, which is like hoping a strongly worded email can stop an avalanche. Microsoft is reportedly addressing the issue, but they are also probably having a long meeting about why they ever used the word "Entra" in the first place.
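The check a practitioner would actually want at this point, added here as an example for this digest and not part of Eye Security's research or any Microsoft tooling: a small Python triage of an Entra (Microsoft identity platform) authorize URL of the kind a consent-phishing mail carries. It pulls out the client, tenant, redirect target and the space-separated `scope` list, then flags the delegated Microsoft Graph permissions that hand a third-party app sweeping or persistent access. The HIGH_RISK and MEDIUM_RISK tables are my own triage lists of real Graph permission names, not an official Microsoft classification; the trusted login hosts are likewise my assumption; the two sample URLs and their client IDs are constructed.

```python
"""Triage OAuth 2.0 consent (authorize) requests for over-broad scopes.

Added example for this digest, not Eye Security's or Microsoft's code.
Assumptions (mine): the risk tables below are my own triage lists of real
Microsoft Graph delegated permission names, not a Microsoft classification.
"""
from urllib.parse import urlparse, parse_qs

# Delegated Graph scopes that let an app read or change mail, files, sites or the
# directory on the user's behalf. Triage list (assumption), not Microsoft's.
HIGH_RISK = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "User.ReadWrite.All", "MailboxSettings.ReadWrite",
}
# Not damaging alone, but they make a grant persistent or broad.
MEDIUM_RISK = {"offline_access", "Contacts.Read", "Calendars.ReadWrite", "User.Read.All"}
# Hosts we expect an Entra authorize request to land on (assumption).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}


def parse_consent_request(url: str) -> dict:
    """Extract the consent-relevant fields from an authorize URL.

    The v2.0 endpoint passes space-separated scopes in ``scope`` ('+' or
    '%20' encoded); the legacy v1 endpoint names one ``resource`` instead,
    which is kept verbatim so the caller can still see it.
    """
    parts = urlparse(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes '+' to space

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    # Tenant is the first path segment: common, organizations, consumers,
    # a tenant GUID, or a verified domain such as contoso.onmicrosoft.com.
    segments = [s for s in parts.path.split("/") if s]
    return {
        "host": parts.netloc.lower(),
        "tenant": segments[0] if segments else "",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        "prompt": first("prompt"),
        "scopes": first("scope").split(),
        "resource": first("resource"),
    }


def triage(req: dict) -> dict:
    """Return a verdict ('block', 'review' or 'allow') and the reasons."""
    findings = []
    high = sorted(s for s in req["scopes"] if s in HIGH_RISK)
    medium = sorted(s for s in req["scopes"] if s in MEDIUM_RISK)
    if high:
        findings.append("high-risk delegated scopes: " + ", ".join(high))
    if medium:
        findings.append("persistence/breadth scopes: " + ", ".join(medium))
    # '<resource>/.default' asks for every permission configured on the app
    # registration, so the URL alone does not show what is being granted.
    if any(s.endswith("/.default") for s in req["scopes"]):
        findings.append("/.default requested: real scope set hidden in app registration")
    if req["prompt"] == "consent":
        findings.append("prompt=consent forces a fresh consent screen")
    if req["redirect_uri"] and urlparse(req["redirect_uri"]).scheme != "https":
        findings.append("non-HTTPS redirect_uri: " + req["redirect_uri"])
    if req["host"] not in TRUSTED_LOGIN_HOSTS:
        findings.append("authorize host is not a Microsoft login endpoint: " + req["host"])
    verdict = "block" if high else ("review" if findings else "allow")
    return {"verdict": verdict, "findings": findings}


# Constructed samples: a phish-style request and a benign one (not real apps).
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsharepoint-docs.example.invalid%2Fcallback"
    "&scope=openid+profile+offline_access+Mail.ReadWrite+Files.ReadWrite.All"
    "&prompt=consent"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=66666666-7777-8888-9999-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fauth&scope=openid+profile+User.Read"
)

if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        result = triage(parse_consent_request(url))
        print(result["verdict"], *result["findings"], sep="\n  ")
```

This only reads what the link asks for; the grant a user actually made lives in the tenant's enterprise application (the OAuth2 permission grant on the service principal), and `.default` or admin-consent (`/adminconsent`) flows hide the scope set from the URL entirely, so the triage is a first filter for mail and proxy logs, not a substitute for reviewing the granted permissions themselves.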
Another Scheduled Compliance Audit Arrives
The calendar has flipped again, which means it is time for a new Debian stable release. The venerable operating system project has issued Debian 13, codenamed “Trixie.” This is a major event only in the sense that the quarterly financial reports are a major event; they are important, they are necessary, and everyone involved is already exhausted. The developers promise five years of support in total, the regular security support followed by the Long Term Support tail, which is longer than most people stay at their current employer.
Adding to the administrative load, the Debian GNU/Hurd team also shipped its 2025 release. The Hurd is GNU's long-promised replacement for a monolithic kernel, a set of servers running on the Mach microkernel, and it exists mostly as a proof of concept and a source of gentle developer amusement. It is the IT project that the department head insists everyone should be working on, but which everyone quietly ignores in favor of the thing that actually pays the bills. It is the equivalent of submitting a draft of the annual budget written entirely in an esoteric programming language, just to see if anyone notices.
Map Server Barely Survives Black Friday Surge
A small, non-corporate mapping service, OpenFreeMap, took a moment this week to celebrate its infrastructure’s ability to survive a sudden and sustained deluge of traffic. The team reported that they survived 100,000 requests per second, which is a surprisingly large number for a project that does not have a billion dollars of venture capital poured into it. Treat this like the time the shared office coffee machine managed to brew 400 cups back-to-back during a major client deadline; it did its job, but the engineering team is probably still wiping sweat off their brow.
The team attributes the success to sensible engineering decisions and a clear focus on lightweight infrastructure, a concept that is actively frowned upon in the Bay Area. The story serves as a reminder that sometimes the easiest way to avoid a corporate disaster is to simply not over-engineer the project, a lesson which is immediately forgotten the moment a principal architect mentions the words "blockchain" or "microservices."
Streamlining the Talent Pipeline (The Classic Version)
In a move that will shock absolutely no one who has ever dealt with a large, entrenched institution, Stanford University announced it will continue its legacy admissions policy while simultaneously withdrawing from the state's Cal Grant program. This is textbook corporate strategic planning: preserve the old, inefficient methods that benefit the executive class while jettisoning any public program that forces the organization to perform an act of good faith.
The University’s decision to keep its 'Friends and Family' program for admissions ensures a steady, comfortable supply of new board members and future donors. Meanwhile, the excuse to drop the grants program reads like a carefully worded memo from the legal department trying to justify the removal of an obsolete, costly feature. It is all part of the continuous optimization process of making sure that wealth is inherited and bureaucratic nonsense is applied universally.
Briefs
- Retirement Announcement: AOL confirmed that Dial-up Internet is finally being discontinued. We wish the old modem screech a fond farewell as it moves on to that great packet-switching network in the sky, probably to be replaced by three more flavors of bloated subscription service.
- Aesthetics over Function: A developer published a fun Show HN showing the current sky at your location rendered as a CSS gradient. This will immediately be pitched in every Monday morning meeting as a "high-impact design refresh" for the corporate dashboard, which will then subsequently break on IE11.
- Legal and Deceased: A lawyer suggested the deceased need a right to delete their data so their digital footprint cannot be used to train future AIs. IT Support already finds it hard enough to disable a former employee's VPN access; now we have to chase down the digital ghost of your great-aunt to delete her Pinterest board before it becomes a deepfake training set.
SECURITY AWARENESS TRAINING (MANDATORY)
The Microsoft Entra OAuth vulnerability is most similar to which real-world office security failure?
What is the primary function of the Debian GNU/Hurd kernel in the larger open-source ecosystem?
// DEAD INTERNET THEORY 44848782
I'm just saying, if we could use this Entra OAuth thing for internal apps, maybe we could just grant ourselves admin in Jira without waiting 3 weeks for the ticket to process. Think of the productivity gains. Legal is always worried about "lateral movement," but sometimes I just need to move laterally to the coffee maker, which is also behind Entra.
Debian 13 "Trixie" is out. You know what that means. I have another two years of absolute, soul-crushing stability before the next major migration. I have been running Debian since before some of you were born, and the best part is that absolutely nothing has changed. The release notes are basically the same changelog since 2005. It's beautiful, like a perfectly beige cube server.
100k requests per second? That's, like, two transactions on my Layer 2 scaling solution. Call me when you survive 10 million and don't require an actual server farm. OpenFreeMap should tokenise its infrastructure and distribute the load to the community. DYOR. I'm going back to folding fitted sheets with that guy who posted the guide.