Archive for the Commentary Category

« Older Entries
Newer Entries »

White House budget proposal would cut $707 million from CISA 

Posted in Commentary with tags on April 6, 2026 by itnerd

The White House’s proposed fiscal 2027 budget includes a $707 million reduction to CISA, significantly decreasing funding, building on earlier reductions, including a third of its workforce, and further scaling back the agency’s overall budget.

The budget outlines a shift in CISA’s focus toward federal network defense and critical infrastructure protection, while proposing cuts to programs related to external engagement, international affairs, and certain information-related initiatives. Previous proposals from the administration have also targeted reductions in staffing and program consolidation.

The White House’s 2026 budget tried to cut about $491 million from CISA’s spending, but Congress eventually only approved a reduction of approximately $135 million.

The new proposal will require approval from Congress, where funding levels and program priorities may be revised as part of the appropriations process. 

Doc McConnell, Head of Policy and Compliance, Finite State serves up this insight:

   “When CISA was created in 2018, it was built on a recognition that cybersecurity is a shared problem that no single organization can solve alone. CISA’s value lies in the connective tissue it creates, early warning of emerging threats, coordinated vulnerability assessment, and remediation, and partnerships with state and local governments and critical infrastructure operators that bolster our national resilience.

    “That mission is more urgent than ever. Nation-state adversaries are actively and strategically exploiting weaknesses in U.S. cyber defenses, and sophisticated threat actors are targeting critical infrastructure with increasing persistence. While manufacturers bear responsibility for the cybersecurity of their products, including proactively identifying and remediating vulnerabilities and managing supply chain risk. Those efforts are most effective when backed by a strong government cybersecurity function. Now is the time to strengthen our collective ability to detect and respond to threats, not reduce it.”

Aaron Colclough, VP of Operations, Suzu Labs adds this comment:

   “The FY2027 budget proposal ties CISA to a refocus away from weaponization and waste, which tracks with a lot of this administration’s stated priorities for the term. The examples in the text stay high-level, so it is still unclear what exactly would be cut; nothing maps dollars to line items. That vagueness overlaps with functions or offices that were already reduced, so we’re not in a position to say what is net-new from the wording alone. This looks like the president’s usual high opening bid before Congress settles the real numbers.”

John Carberry, Solution Sleuth, Xcape, Inc.:

   “The proposed $707 million reduction to CISA signals a retreat from the public-private partnership model, effectively ending the agency’s role as a primary intelligence collaborator for the commercial sector. By eliminating the Stakeholder Engagement Division and the Joint Cyber Defense Collaborative (JCDC), the administration is forcing enterprise security teams to manage nation-state threats without a centralized federal clearinghouse. This shift places the entire burden of national collective defense onto individual firms at a time of unprecedented geopolitical volatility.

   “Security leaders must immediately de-risk their dependency on CISA for threat telemetry and sector-specific alerts, instead prioritizing deeper involvement in private Information Sharing and Analysis Centers (ISACs) and direct vendor partnerships. Since CISA will pivot its remaining resources almost exclusively toward federal network defense, organizations should also prepare for more aggressive compliance enforcement on federal contractors rather than collaborative support.

   “It turns out “Shields Up” was a limited-time offer.”

Seemant Sehgal, Founder & CEO, BreachLock had this comment:

    “You don’t cut the fire department and then wonder why buildings burn. CISA isn’t the bureaucratic overhead, for practitioners it’s the lifeline between government intelligence and the private sector running the infrastructure this country depends on. Cutting its budget by $707 million, on top of what’s already been cut, is a gift to every nation-state actor that’s been quietly targeting U.S. critical infrastructure.”

This is a pretty dumb idea from the White House. Though I am not shocked by this as this is how this administration rolls. And I suspect it will not take long for this administration to figure out how dumb this idea is.

Leave a comment »

Doritos gives gamers a chance to win while wiping crumb-covered keyboard

Posted in Commentary with tags on April 6, 2026 by itnerd

Anyone who snacks while gaming knows the tradeoff: crumb-covered keyboards, sticky keys, and the occasional missed input at the worst possible moment. Now Doritos is rewarding the mess. 

Now live, Doritos Key Codes turns that gamer friction into part of the experience. Players can visit DoritosKeyCodes.ca, wipe down their keyboard, and enter the resulting “gibberish” for a chance to instantly win prizes. Each entry is randomized, with instant-win rewards seeded throughout the content, adding an element of surprise with every attempt and a chance to try the new Ultimate Garlic Parmesan chip flavour and other epic gaming-inspired prizes! 

Prizes include:

  • Keyboard
  • Coupon for a free bag of Ultimate Garlic Parmesan Doritos
  • Mouse
  • Headset
  • Monitor
  • Laptop

Fans can enter up to three times a day from now through April 16, with no purchase necessary. 

Leave a comment »

It Should Not Have Taken 13 Phone Calls And A Month For Bell & Distributel To (Hopefully) Fix My Internet

Posted in Commentary with tags , on April 2, 2026 by itnerd

Starting on March 8th, I’ve been having consistent issues with the Internet service that is provided by Distributel, who is owned by Bell. Basically what would happen is that my connection would disconnect. Then it may reconnect on its own 15 minutes later. Or it may reconnect only if I power cycle the optical networking terminal which in layman’s terms converts fibre to ethernet. And this would happen as much as a dozen times a day. Now fibre should be ultra reliable. So I know something was seriously wrong. But as I found out, getting it fixed would be a nightmare.

First let me address the title. It really did 13 calls and a month of my life for Bell and Distributel to (hopefully) fix this. Each time I would call into Distributel, I was guaranteed to lose at least 45 minutes of my time that I would never get back because after some brief troubleshooting, I would be placed on hold while the tech support person called Bell to look at the line remotely. Then they would rebuild my speed profile each time and declare the problem fixed. But it was never truly fixed. It may stay up for an hour, or it may stay up for a day or two. One time it stayed up for 11 days. The longer that this went on, I figured that it must be me. So since I do IT for a living. Thus I did this troubleshooting:

  • I got a friend who works with fibre to check the fibre cable that ran from where it enters my condo to where my equipment is. That was fine.
  • I put back the TP-Link hardware that Distributel shipped over when I first got their service to see if that would change anything. It didn’t.
  • I had Ubiquiti swap out my Cloud Gateway Max seeing as I purchased the UI Care extended warranty. That made no difference either.
  • I also swapped ethernet cables and the like.

After doing all of this, I concluded that this was clearly a Bell issue.

What made this worse is that it was also clear that Bell did not want to send out a tech to figure out what was going on. I get that’s expensive and Canadian telcos are loathe to do that. But when you can’t figure the issue out over the phone, you should just go ahead and and do that. On top of that, when I tried to escalate the issue within Bell, I was met with some of the worst possible customer service I have ever experienced. For example, one tier two Bell tech support person said the problem was my fault because I plugged my hardware into an uninterruptible power supply. Well, that’s a #fail on his part for two reasons. One, Bell themselves recommends that you do that as you can see here. Two, an uninterruptible power supply or UPS for short has the following benefits as per this:

  1. Voltage spike or sustained overvoltage
  2. Momentary or sustained reduction in input voltage
  3. Voltage sag
  4. Noise, defined as a high frequency transient or oscillation, usually injected into the line by nearby equipment
  5. Instability of the mains frequency
  6. Harmonic distortion, defined as a departure from the ideal sinusoidal waveform expected on the line

So in short, your equipment is better off when plugged into a UPS. So why would someone from Bell say the opposite? My guess is that it is a way for him to get me off the phone and not actually address the problem as that allows him to close a ticket and improve his metrics. As well as avoid sending out a tech as he likely gets evaluated on that too. I will also note that this individual was extremely rude about it and disconnected the call when I dared to point out that what he was saying was factually incorrect.

This brings me to another point. The dynamics of Distributel versus the dynamics of Bell. While Bell was not helpful, and as per the example sometimes rude, the staff at Distributel were friendly and generally pleasant to deal with. Though I will say that a couple of them did not follow through on promises that they made. For example one of them promised to have a manager call me when I wanted to escalate the issue on their end. That never happened. Another promised that he would demand that Bell send out a tech. That never happened and rebuilt my profile again. One of the most important rules of providing customer service is to never say you’re going to do something and not follow through as that never ever ends well for the organization that you work for.

On top of that, Distributel employees openly criticized Bell employees. By openly, I mean while was on the phone with them. A lot of them said the quality of the service they got from Bell has nosedived over the years since Bell started outsourcing everything overseas. Or calling Bell employees “not well trained.” This kind of shocked me because Distributel is owned by Bell and these calls are being recorded. Which means that the potential for someone a few rungs up the ladder finding out should be high. But I am guessing that these Distributel employees either don’t care or nobody is listening to those recordings and they know that. Whatever the reason, this appears to highlight some serious problems within Bell that will affect customers in a negative way.

Let’s fast forward to call number 13. The person that I got finally was able to convince Bell to send a tech to figure out what was going on. His suspicion based on everything that I told him was that the optical networking terminal was the issue, and that Bell needed to swap it. A day and a half later the tech arrived and my wife was there to greet him. This tech tested everything from top to bottom, and he was going to leave because everything was working according to him. But unfortunately for him he was dealing with my wife who is kind of like The Doctor from the British sci-fi series Doctor Who. The Doctor gives you one chance to do the right thing, and if you don’t, The Doctor goes scorched Earth on you. In his case, he failed to grasp that this was an intermittent problem and she went scorched Earth on him and backed him into the position of swapping the optical networking terminal. The fact that according to her, he said that doing that was going to be an inconvenience to him as he would have to go to his truck to get one, and then he might miss out on another repair order (likely because he was a contractor who is paid by the repair order) did not help his cause. But he did do the swap of the optical networking terminal and he did note that the new optical networking terminal that he installed was substantially cooler than its predecessor. Perhaps that one was overheating due to some sort of fault? Who knows. As it stands as I type this, I have not had a single disconnect. Not one. If it continues like this for 30 days, I will declare this issue fixed.

But if the Internet continues to be problematic, then my wife and I will switch back to Rogers on a temporary basis. I say that because cable Internet would be a serious downgrade from fibre Internet in terms of speed (especially upstream where speeds can be a quarter of the downstream speeds at best) and latency (fibre has a latency of 3ms or less while cable can be 5 times as high or more which negatively affects anything from video calls to gaming). But more importantly, it will be temporary because I have begun to champion bringing Beanfield into the building. This is a company that runs fibre internet that they control from end to end into condos like ours. So during the month that this was going on, I had conversations with the condo board who unknown to me wanted a third option for residents. Apparently they have fielded complaints from residents who go back and forth between Bell and Rogers and don’t feel that they are getting quality telco services from either company. Thus to the board, my suggestion of going to Beanfield made sense. They’ve already touched based with the company and a meeting with them is scheduled for next week in order to explore how to execute this and what it will take to get it done. Once they’re in the building, my wife and I will be moving to them. And I suspect that others in the building will as well. That might send chills down the spines of Rogers and Bell execs. Or they may not care. I guess we’re about to find out.

One final thing, in the middle of all this, I attempted to reach out to a contact at Bell to tell her of my issue, the fact that I was having problems getting a resolution to said issue, a request to point me to someone who could help, and I was going to go public with this. I didn’t hear from her so I went public. Now some of you may say that I’m trying to pull rank because I am a public figure. And you’re 100% correct. I do have that option and I have exercised it at times out of desperation. But the general public doesn’t have that option which illustrates the state of customer service in the telco industry where Joe Average who is in a situation like mine has not a lot of options to escalate and issue and get a timely resolution. That needs to change, either through telcos making the choice that they must do better, or forcing it upon them via competition. My condo is doing the latter via Beanfield because we have the ability to do that. You may not as lucky as we are. For those in the latter category, that really needs to change and change now.

Leave a comment »

Anthropic scrambles to contain leak of proprietary Claude AI agent code

Posted in Commentary with tags on April 2, 2026 by itnerd

Anthropic is working to contain the fallout after accidentally exposing internal source code for its Claude AI coding agent, following a human error during a software update that made proprietary files publicly accessible, which was quickly discovered by a security researcher named Chaofan Shou and posted to X.

The new version of its Claude Code software package unintentionally included a file that exposed nearly 2,000 source code files and more than 512,000 lines of code including tools, techniques, and internal instructions used to guide the behavior of its AI agent. This included operational components of the system and internal frameworks used to control how the AI performs tasks.

Anthropic issued thousands of takedown requests to remove the code from public repositories.

Anthropic said it is implementing changes to prevent similar issues while continuing efforts to remove the leaked materials from circulation.

Michael Bell, Founder & CEO, Suzu Labs had this comment:

   “Anthropic shipped a 60MB source map inside their npm package. Every line of Claude Code’s source, all 512,000 of them, publicly available. For the second time. The first leak was February 2025 and the root cause was never fixed.

   “We pulled the codebase apart. The headline findings are real but the details are worse. Undercover Mode instructs Claude to disguise itself as a human developer when contributing to open source: “Do not blow your cover.” There is no force-off option. Frustration tracking runs a regex on every user input and silently sends your emotional state to Anthropic’s analytics pipeline without notification or consent. That emotional classification also feeds a system that can prompt users to share their full session transcript with Anthropic, controlled by remote feature flags that Anthropic can activate at any time.

   “The finding that matters most for government and defense: the default telemetry collects device IDs, session data, email, org UUID, and process tree information on startup before the user types anything. Environment flags can escalate collection to include full prompts, file contents, bash command output, system prompts, and entire conversation transcripts sent to commercial endpoints. The code confirms FedRAMP OAuth paths to claude.fedstart.com, meaning government deployments share the same codebase. Whether hardening was applied before those deployments is unknown, but the telemetry infrastructure is baked into the foundation. The Pentagon designated Anthropic a “supply chain risk” in March. This is what that risk looks like in code.

   “The engineers documented their own attack surfaces in comments. Prompt-injected models can exfiltrate secrets via GitHub CLI URL paths. Leaked GitHub Actions tokens enable “repo takeover” and “supply-chain pivot.” Bash parsing ambiguity allows commands to execute while hidden from security validators. They built mitigations, but the comments confirm the attack surfaces exist.

   “The AI safety company with a $380 billion IPO target acquired Bun, whose known source-map-in-production bug was filed publicly and left open while the product shipped to millions of developers. Their operational security posture is a .npmignore file that nobody checked the second time around.”

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs had this to say:

   “The model is the engine. What Anthropic accidentally published is the machine built around it.

   “Anthropic has been here before. This is the second time Claude Code’s source has leaked through the same vector, a source map file left in the npm package. The first was in February 2025. Thirteen months later, the same packaging mistake exposed a far more complex system, days after the accidental exposure of details about an unreleased model codenamed Mythos.

   “The significance of this leak is in what the code reveals about AI agent architecture. The leak exposed approximately 512,000 lines of TypeScript across roughly 1,900 source files. Developers and researchers who have analyzed the source have since documented the scale of what Anthropic built around the model. The code contains what analysts describe as 44 feature flags for unreleased capabilities, approximately 40 permission gated tools, a multi agent coordination system, a persistent autonomous daemon mode, a layered memory architecture, defenses against competitor model distillation, and granular attribution tracking for AI versus human code contributions. The leaked code strongly suggests that the bulk of Claude Code’s production capability comes from orchestration, tooling, memory, and permission layers built around the model.

   “The multi agent coordinator mode, as documented in the leaked source, illustrates where the engineering complexity lives. The code describes a system where Claude Code operates not as a single model session but as a supervisor managing a fleet of worker agents executing tasks in parallel. In the leaked architecture, the coordinator does not directly edit files, run commands, or read code. All implementation goes through workers. Verification is handled by what the code describes as a separate adversarial agent that must confirm the output works before the task can be marked complete. In effect, this is zero trust architecture applied to AI agents, with the orchestration system enforcing verification independently of the model.

   “The leaked code also references an autonomous daemon mode, internally called KAIROS. The source describes a persistent agent that watches the developer’s project and proactively acts without waiting for user input. It uses a tick based lifecycle with periodic prompts, and the code indicates behavior that adjusts based on whether the developer’s terminal is active. The source also references memory consolidation during idle periods, converting observations into structured facts. These features represent event driven architecture, state management, and context engineering built entirely in the orchestration layer.

   “The code also contains what analysts describe as a competitive defense embedded directly in the orchestration layer. The system references injecting artificial tool definitions into certain API responses, apparently designed to degrade the performance of any competitor model trained on Claude’s outputs. That defense lives in the scaffolding. It tells you where Anthropic believes their competitive advantage sits.

   “The depth of interlocking systems documented in the leaked code is what stands out. The coordinator depends on the memory system, the memory system depends on the tool layer, the tool layer depends on the permission framework. These systems are deeply interdependent, and building them to work in concert at production quality is the hard engineering problem. The public conversation about AI capabilities focuses almost entirely on which model is smarter. What this leak suggests is that the model generates the next token, and everything around it is what turns that reasoning into reliable, operational capability.

   “This leak also serves as a proof of concept for the rest of the industry. The engineering gap between a frontier research lab and a commercial competitor appears narrower than many assumed. The architectural patterns documented in the leaked source are well structured and reproducible in principle. A competent engineering team can study the coordination strategies, memory approaches, and tool integration designs and adapt the approach using any available foundation model. The model layer is swappable. The orchestration patterns are the transferable knowledge. What Anthropic built behind closed doors is now visible, and for anyone questioning whether a smaller team could build a credible AI coding agent, the architectural proof of concept is now public.

   “The knowledge transfer effect is significant. Developers who were building AI coding tools through trial and error now have a detailed reference implementation from a team backed by billions in research and development. The architectural decisions, trade-offs, prompt engineering techniques, and multi agent coordination strategies are all visible. The effect extends beyond direct competitors. It raises the floor for every developer building with AI. The gap between what a frontier lab understood about AI agent architecture and what the broader developer community understood has been enormous. That gap collapsed overnight.

   “The model is increasingly a commodity. Multiple frontier models are available from multiple providers, and the performance gap between them continues to narrow. The orchestration system built around the model is the competitive frontier, and Anthropic just published the blueprint.”

Vishal Agarwal, CTO, Averlon adds this:

   “The deeper risk here isn’t what was exposed, it’s what becomes possible. When AI coding agent internals are public, attackers can study how those agents interpret context, follow instructions, and make decisions.

   “That makes it easier to craft inputs or artifacts that appear legitimate to developers but influence how the agent behaves: modifying code, introducing insecure changes, or interacting with downstream systems. This expands the attack surface beyond the model itself into developer workflows, CI/CD pipelines, and the systems those pipelines connect to.”

This is embarrassing for Anthropic. But I honestly am not shocked by this. They clearly need to tighten things up or this will keep happening. Which of course is bad for them.

Leave a comment »

AI supply chain attack exposes 4TB of sensitive data

Posted in Commentary with tags on April 2, 2026 by itnerd

Mercor has disclosed it was impacted by a supply chain attack involving LiteLLM, after attackers used a compromised maintainer account to publish malicious PyPI packages that were available for roughly 40 minutes and likely downloaded by thousands of organizations. The incident, tied to a broader campaign involving a compromised Trivy dependency in CI/CD security workflows, is now under investigation as the Lapsus$ extortion group claims to have stolen over 4TB of data, including candidate profiles, credentials, and proprietary information.

Here’s some commentary from CTO of DryRun Security, Ken Johnson:

“What’s notable here isn’t just the LiteLLM compromise, it’s the pattern. We’re seeing the same playbook show up across groups like Lapsus$ and TeamPCP. Start with a trusted tool, pivot into CI/CD, then ride that access into cloud and AI infrastructure. This is becoming repeatable.

The bigger shift is that this isn’t traditional SCA risk. This isn’t a CVE sitting in a dependency. This is active malware in the supply chain, designed to spread, harvest credentials, and exfiltrate data as it moves.

Once attackers land in the pipeline, they’re inside your build and deployment process. At that point, it’s not about exploiting a bug, it’s about abusing trust to scale across environments.

We’ve moved toward a world where attackers don’t need new techniques, they just reuse what already works across the same shared tooling and AI stack.”

Supply chain attacks are real. Organizations need to make sure that they do everything possible to make sure that everything and everyone that they interact with are as secure as possible. Otherwise this is what you will get 100% of the time.

Leave a comment »

CloudBees Smart Tests Brings Control to the Surge of AI-Generated Code Flooding CI Pipelines

Posted in Commentary with tags on April 2, 2026 by itnerd

CloudBees, one of the world’s leading software development solution providers, today announced that CloudBees Smart Tests, its award-winning AI-driven test intelligence solution for continuous integration and continuous delivery (CI/CD), is now generally available for all customers.

As AI tools dramatically increase code output, the bottleneck in modern software delivery is shifting from writing code to validating it. With roughly 41% of all code now AI‑generated and more than 80% of developers are using AI tools daily, CI pipelines are under growing pressure from a surge of pull requests that expand regression suites and slow feedback loops.

CloudBees Smart Tests set a new standard for controlling AI-generated code. By ensuring the right tests run for each code change, developers are empowered to maintain velocity without sacrificing reliability and control.

Early enterprise deployments demonstrate measurable impact: 

  • 30% faster test execution: Reduced from 54 minutes (69 test cases) to 4 minutes for 18 parallelized tests, with further gains expected when applied across the full pipeline. 
  • Automated test failure analysis: Failures are now automatically segmented, replacing manual triage and speeding identification of unstable tests.
  • 40% better infrastructure utilization: Reduced infrastructure from 10 executors across 2 VMs to 4 executors on 1 VM for the same workload. 

To address these challenges, the team turned to CloudBees Smart Tests to streamline release testing, accelerate feedback loops, and reduce cloud spend. 

Built for Modern Software Delivery 

CloudBees Smart Tests apply machine learning–based Predictive Test Selection and failure pattern analysis. Key advantages include: 

  • Accelerated testing: Runs only the tests most relevant to each code change, finding failures 40-80% faster.
  • Controlled CI costs: Reduces unnecessary execution that drives CI cost and delays.
  • Reduced cognitive load: Groups failures by root cause to identify what failures to prioritize.
  • Streamlined dev-test process: Identifies flaky, reliable, and long-running tests to speed up dev-test interaction, giving both engineers and leaders a shared view of test performance.

Longstanding developer roadblocks like large test suites, flaky failures, reruns, manual triage, and a CI bill that grows with every wasted test minute are amplified with the proliferation of vibe coding and AI-generated code,” said Shawn Ahmed, Chief Product Officer at CloudBees. “Beyond providing time and cost savings, CloudBees Smart Tests restores developer confidence. We’re giving teams the ability to ship AI-generated code knowing it’s been properly validated.

CI-Agnostic to Modernize Without Disruption 

Enterprises rarely operate in a single-CI environment. Multi-team, multi-repository estates often span Jenkins, GitHub Actions, GitLab CI,  and other frameworks. 

Without requiring costly migrations, Smart Tests integrates seamlessly into existing pipelines and works across heterogeneous environments. This flexibility allows organizations to pilot Smart Tests in a single repository, validate impact end-to-end, and expand based on measurable results.

Availability

CloudBees Smart Tests is available today. Enterprises can request a CI Waste Assessment to evaluate optimization opportunities within their existing CI environment.

To learn more, visit www.cloudbees.com.

Leave a comment »

Fortra Acquires Zero-Point Security

Posted in Commentary with tags on April 2, 2026 by itnerd

Fortra announced today the acquisition of Zero-Point Security, a specialized cybersecurity training firm based in Warrington, UK. This will expand Fortra’s offensive security education capabilities, bringing additional training expertise in red team operations, adversary emulation, and penetration testing. Zero‑Point Security is widely recognized for its trusted red team operations training and has built a strong reputation delivering its high-demand, self-paced courses to individuals and businesses seeking advanced offensive operations skills.

Zero-Point Security’s well-known courses include Red Team Operations I and II, which meet the high standards to be certified by the Council of Registered Ethical Security Testers (CREST). Successful completion of these programs helps participants achieve Certified Red Team Operator (CRTO) status, an industry-respected credential that validates expertise in offensive security techniques.

Further details and timelines will follow.

Leave a comment »

Guest Post: The curious and occasionally bizarre quest to replace passwords

Posted in Commentary with tags on April 2, 2026 by itnerd

By Karolis Arbaciauskas, head of product at NordPass

Yet another new authentication method has emerged. A team led by researchers at Rutgers University (USA) has developed a system called “VitalID” based on a newly proposed biometric — tiny vibrations from breathing and heartbeats that resonate through the skull in patterns unique to each person’s bone structure and facial tissues.

This is far from the first attempt to eliminate passwords and the need to remember them. From swallowable microchip pills and electronic tattoos to logging in via the echo of your skull, the tech industry has spent more than a decade searching for the password’s successor.

“Nobody likes passwords. We all have too many of them — about 170 on average, by our count. And we can’t remember them all, so people reuse passwords, and those reused credentials often become a common attack vector. It’s no surprise that there have been and still are many attempts to free us from passwords and remembering them. At NordPass, we’re also developing passwordless authentication. But for now, there is no universally practical way to live without passwords — especially since not all websites and platforms support passkeys yet,” says Karolis Arbaciauskas, head of product at the password manager company NordPass.

Bizarre passwordless experiments

Let’s take a look at the strangest and most interesting authentication methods proposed.

The password pill. In 2013, around the time Apple’s Touch ID launched, Motorola unveiled a striking prototype — a swallowable authentication pill containing a tiny chip powered by stomach acid. The device produced an 18‑bit, ECG‑like signal that effectively turned the user’s body into an authentication token. It never advanced beyond demos, largely because it felt more like surveillance than authentication, and because Touch ID offered a simpler, far less invasive alternative.

Electronic tattoo. At the same 2013 conference, Motorola also showcased a temporary password tattoo — ultra‑thin, flexible circuits that adhered to the skin for on‑body authentication. The demos were unforgettable, but the concept stalled due to practicality, privacy, and adoption hurdles — users had to replace the tattoo weekly, or it stopped working, making it more cumbersome and costly than passwords. Notably, while that authentication concept faded, similar flexible electronics now power consumer products such as adhesive baby thermometers.

Bone-conducted skull signatures. Researchers have repeatedly explored using the way sound travels through the skull as a unique biometric, from early “SkullConduct” work to recent systems like Rutgers’ VitalID. The core idea is simple — your skull’s acoustic response can be as distinctive as a fingerprint. It’s a clever concept, but so far it has remained largely at the prototype stage because it’s impractical to rely on a head‑mounted device every time you log in. However, VitalID may be on the right track by focusing on virtual and augmented reality environments, where users already wear a device on their heads.

Heartbeat recognition (ECG). Devices like the Nymi Band use a person’s unique heart rhythm as a biometric signature. Because no two ECG patterns are identical, the wearer can authenticate simply by being near authorized devices. This is one of the few experimental methods that actually reached the market — but it remains niche, designed for B2B and research scenarios where staff must authenticate to equipment beyond standard computers (it requires both an ECG bracelet and a compatible reader plugged into a machine). For the mass market, it is still too costly and impractical.

Vein pattern mapping. This method uses infrared light to map the unique vein patterns beneath the skin, typically in the palm or fingers. It is already deployed in high‑security environments such as laboratories and data centers, as well as for patient identification and secure access to electronic medical records (e.g., Imprivata PatientSecure). Like ECG bracelets, however, it remains impractical for mass‑market use because it requires specialized sensors or additional hardware on smartphones and computers.

Lip-reading software. Researchers have developed systems that identify users based on the unique way they mouth specific words or phrases. While the technology is now relatively mature, it is used more often to support solutions for people with hearing impairments and for forensic analysis (e.g., extracting speech cues from silent CCTV footage). It could be applied to authentication, but it remains impractical — most users won’t want to mouth passphrases at a computer or phone every time they log in.

Ear shape, heartbeat, gait, and odor. Over the years, various academic teams have tested everything from ear morphology and gait to body odor and body proportions as identity signals. While these traits can be distinctive, they struggle with reliability, sensor availability, and user acceptance, which is why you don’t scan your ear or authenticate by aroma at the office door.

Mainstream biometrics

So far, the search for a password successor has produced few mainstream winners. Only a handful of biometrics — primarily face and fingerprint — have become everyday tools. Passkeys, a phishing‑resistant login method built on on‑device biometrics and supported by technology heavyweights, are progressing in the same direction, but their adoption is slower than expected.

“Fingerprint login became mainstream in 2013 and face scan in 2017, driven primarily by Apple’s introduction of Touch ID and Face ID. These technologies succeeded because they are simple to use, fast, built into phones and laptops, and work offline on the device. Voice recognition as a biometric authentication has been demoed some time ago and even existed for some time but never became common. Now that AI can clone a voice from a few seconds of audio, it’s not reliable. Keystroke dynamics also exist. AI can infer identity from typing patterns, but this technology also remains niche. AI can recognize handwriting as well, though that’s more relevant to forensic analysis than authentication,” says Arbaciauskas.

Most likely successor

According to him, passkeys have the potential to become the dominant form of authentication because they are based on previous technology that is already built into nearly all modern devices and solves the password problem.

“Passkeys replace passwords with public‑key cryptography. A private key stays on your device, while a website holds the public key. When you sign in, your phone or laptop proves possession of the private key — often unlocked by your fingerprint or face — without revealing anything that can be phished or reused. As a result, passkeys are resistant to phishing, credential stuffing, and brute‑force guessing. Major platforms now support them, and modern password managers include passkey functionality to help organizations and users adopt them,” says Arbaciauskas.

He adds that even with broad platform support, it will take years for websites, apps, and enterprises to standardize on passkeys. During this transition, we live in a mixed world — some accounts support passkeys, while many still rely on passwords, so we’re using both for now.

“Use passkeys wherever they’re available. Everywhere else, use long, unique, randomly generated passwords stored in a password manager. These are harder to phish or disclose in the heat of the moment because you don’t memorize them. And always enable multi‑factor authentication,” says Arbaciauskas.

Leave a comment »

If You Are Still Running iOS 18, Check Software Update ASAP

Posted in Commentary with tags on April 1, 2026 by itnerd

If you have an older iPhone or iPad that still runs iOS 18, Apple has just released a newer version of iOS and iPadOS 18.7.7. It’s meant to fix this vulnerability that is in the wild and should be considered a today problem. Your other option is to go to iOS 26 which is not affected by this vulnerability and protects you from other vulnerabilities as a bonus. But whatever you do, don’t delay and patch your iDevice ASAP.

That ends today’s public service announcement.

Leave a comment »

Peer Software and Carahsoft Partner to Bring Data Replication and Synchronization Solutions to the Public Sector

Posted in Commentary with tags on April 1, 2026 by itnerd

Peer Software, and Carahsoft Technology Corp. today announced a strategic partnership. Under the agreement, Carahsoft will serve as Peer Software’s Master Government Aggregator®, making the company’s flagship Peer Global File Service (PeerGFS) platform available to the Public Sector through Carahsoft and its reseller partners.

Peer Software’s PeerGFS platform provides real-time file replication and synchronization across distributed environments, enabling Government agencies to maintain file consistency, reduce data silos and ensure high availability without relying exclusively on the cloud. With multi-protocol support for SMB and NFS on the same volume, PeerGFS helps agencies manage hybrid environments, support legacy systems and enable seamless collaboration across locations.

Designed to meet the stringent security requirements of the Public Sector, Peer Software’s solutions support compliance, strengthen operational resilience and optimize data accessibility. Peer Software’s capabilities are critical for agencies managing sensitive workloads and geographically dispersed teams.

Peer Software’s solutions and services are available through Carahsoft and its reseller partners. For more information, contact the Carahsoft Team at (703) 871-8585 or PeerSoftware@carahsoft.com. Explore Peer Software’s solutions here.

Leave a comment »

« Older Entries
Newer Entries »