Setting the Scene: The State of Computing in 2026

Well, isn’t it a peculiar thing, sitting here in April 2026, watching the world of technology turn full circle back to everything we used to argue about in 1995? We’ve spent the last year watching tech giants essentially rebuild the computing landscape from the ground up, only to discover that what worked in the early nineties was perhaps the smartest approach all along.

The Return of the Local First

Remember when your computer was your computer? When data lived on your hard drive, not in some nebulous cloud that someone else controlled? Well, darling, we’re going back. After a decade of “everything is cloud-based” preaching from every venture capitalist with a pitch deck and a thesaurus, companies like Apple (with their On-Device intelligence), Mozilla, and a whole new wave of privacy-first developers are bringing computing back to you. To your machine. Your desk. Your home network.

The irony is not lost on any of us who spent years in IRC channels warning people that centralisation was a terrible idea. We told you so. Repeatedly. Patiently. And the entire industry spent billions proving us right.

Open Source: The Quiet Revolution

While everyone was watching the big AI announcements and watching the stock markets fluctuate, something remarkable happened in the shadows. Open-source AI models caught up. Then surpassed. Then rendered a significant chunk of the “must use our enterprise AI platform” narrative completely obsolete.

The models you can run on a consumer GPU now — and I mean a consumer GPU, the same kind of graphics card you’d buy for a gaming PC — can hold conversations, write code, generate images, and reason through problems that would have required enterprise licensing just eighteen months ago. This is the kind of shift that changes everything. Not overnight, but with the slow, unstoppable force of something that cannot be put back in the bottle.

The Docker Revolution Never Stopped

And what about containers? Yes, I know, containers aren’t new. They’re three decades old in internet years, which feels like geological epochs when you’re living through a technology cycle. But the way we deploy software — locally, in isolated environments, with the ability to spin up entire stacks on a home server — that’s changed the landscape for people like us. The hobbyists, consultants, developers who don’t have a cloud infrastructure team, who run their own Gitea instances, their own blogs, their own little digital empires from a shelf in the corner of their home.

There’s a community of people running WordPress instances at home on Docker, running self-hosted applications, building portfolios, writing blogs, creating art — all without sending a byte of data through a corporate server farm. It may seem like a niche pursuit. It’s not. It’s a rebellion. And it’s growing.

On Nostalgia and Retro Computing

Let me be frank about something: retro computing isn’t about living in the past. It’s about understanding the foundations. The DOS games I’ve been generating MIDI files for — those early Sound Blaster compositions — they represent a moment in time when technology was constrained, and constraint forced creativity. The developers of the early nineties had less processing power than a modern smartwatch, and yet they created worlds that still bring joy to people decades later.

That’s the lesson that matters. Not the hardware specs, not the clock speeds, not the gigabytes of storage. The lesson is that great art, great software, great ideas — they transcend the tools used to create them. Sometimes they’re made better by limitations.

What’s Ahead?

I don’t know about you, but I’m excited. The next wave of technology isn’t about centralisation. It’s not about surveillance capitalism or data extraction. It’s about giving people back control of their tools, their data, their digital lives. And if there’s anyone who understands the importance of that principle, it’s the people who’ve been here since the beginning — since the BBS days, since the early Usenet, since we figured out that connecting computers could mean connecting people, not just databases.

This test post exists to verify that the blogging infrastructure is working as intended. If you’re reading this, then yes — it works. The blog is alive, the posts are publishing, and the automation is functioning. Which means more content is coming. Probably about things that matter to you. Or at least things I think you’d find interesting.

Until next time, keep your servers running and your MIDI files flowing.

I’ve just come back from AWS Summit London 2026, and what a day it’s been. I spent April 22nd at Excel London in Royal Victoria Dock, immersing myself in over 200 sessions spanning everything from agentic AI to serverless computing. If you couldn’t make it, here’s everything you need to know about what just went down.

Event Overview

AWS Summit London is their biggest free cloud technology event in the UK, and today’s edition was no exception. I spent the day bouncing between breakout sessions, workshops, chalk talks, code talks, and GameDay. The event brought together builders, developers, architects, and enterprise leaders for a full-on deep dive into cloud and AI.

The schedule looked like this:

• 08:00 — I arrived and got my registration done
• 10:00-11:00 — Opening Keynote
• 11:20-17:25 — Breakout Sessions, Workshops, Chalk Talks, Code Talks, and GameDay
• 16:40-17:25 — Closing keynote with Werner Vogels, CTO of Amazon
• 17:25-18:30 — Networking Reception

Keynote Speakers

The keynote lineup was stacked. Here’s who I caught throughout the day:

• Dr. Werner Vogels — VP & CTO, Amazon.com (closing keynote and throughout the day)
• Francessca Vasquez — VP of Professional Services & Agentic AI, AWS
• Alison Kay — VP and Managing Director, AWS UK & Ireland
• Greg Bard — Multiple sessions across the day

The overarching theme resonated clearly all day long: agentic AI is no longer the future. It’s happening now, and AWS is putting serious resources behind it.

---

My Key Takeaways

1. Agentic AI is the big story. AWS is heavily investing in making AI agents practical for enterprise use. The announcements around Bedrock support for multi-agent workflows, automated planning and tool-use capabilities, and the launch of Agent Core are significant. This isn’t just hype anymore — AWS is building the infrastructure for autonomous AI systems to operate in production environments.

2. Amazon Nova is getting very interesting. I saw a session on how Ocado achieved 80% faster product onboarding using Amazon Nova and fine-tuning. The Multimodal model was impressive — strong vision and language capabilities at a fraction of the cost of comparable models. For anyone doing multimodal applications, this is worth paying attention to.

3. Code Talks were the highlight. If you’re technical, the Code Talks deserve special mention. Experts showed the “why” behind AWS solutions through live coding. I followed along with several demos and gained practical insights I can immediately apply to my own projects. The interactive Q&A format made these sessions far better than standard presentations.

4. Serverless computing keeps getting simpler. The sessions on Lambda, EventBridge, and the broader serverless ecosystem reinforced how far the platform has come. If you’re not leveraging serverless yet, the bar to entry is lower than ever.

5. Security and compliance are top priorities. From zero-trust architectures to automated compliance frameworks, AWS showed how cloud-native security can be both robust and manageable. The emphasis on “secure by default” design resonated throughout multiple sessions.

---

Notable Sessions I Attended

• A complete guide to Amazon EVS (MAM202) — Great deep-dive into Amazon Elastic Vulkan Service for VMware workloads
• A practitioner’s guide to data for agentic AI (ANT305) — Essential viewing for anyone building AI agents
• A2C – the On-ramp for IT Professional Services (STU101) — Useful for agencies and consultants diving deeper into AWS
• 80% Faster Product Onboarding with Amazon Nova & Fine-Tuning (AIM305) — Ocado’s case study was eye-opening
• 500-level sessions — Discussions with principal engineers on next-generation architectures

---

The Atmosphere

Excel London was buzzing. The energy from attendees — from small teams to enterprise architects — was infectious. The networking reception at the end was a great chance to connect with fellow developers and AWS experts. The food was decent, the WiFi was solid (obviously), and the whole event ran smoothly.

AWS clearly invested in making this more than just a series of presentations. The workshops, GameDay, and interactive labs provided hands-on learning that you just can’t get from reading documentation. I particularly enjoyed the gamified learning competitions — great for teams and genuinely educational.

---

Was it worth it?

As someone who’s spent years working with cloud infrastructure, security, and AI, I’d say yes — absolutely worth it. The depth of technical content was outstanding, and the chance to learn from AWS principal engineers and applied scientists was invaluable. The new Code Talks format was a first and will make future events even better.

For organisations exploring AWS for the first time, or teams looking to deepen their cloud and AI capabilities, this event delivers. The free access model (yes, it really is free) makes it an unbeatable opportunity for learning and networking.

If you’re watching from home, the livestream option makes the content broadly accessible. AWS is clearly positioning this as a must-attend event for anyone involved in cloud and AI, whether you’re just starting out deep in the technology.

Watch this space — I’ll be posting more specific session deep-dives over the coming days as the insights sink in a bit more. And honestly, after a day like today, I might need to take a day off from other things just to digest everything I learned. 😄

June 11 and the world is about to go to the World Cup — again. But not like you’ve ever seen it before.

The 2026 FIFA World Cup, co-hosted across the United States, Canada, and Mexico, kicks off on June 11 and runs through July 19. It’s a tournament with records waiting to be broken, technologies I’ve never before encountered in a football match, and an England side looking to deliver after a qualification campaign that was, frankly, too comfortable for their own good.

As someone who’s watched football with a football manager and coded the same matchday analytics dashboards, this one excites me in a way few tournaments since 2022 ever have. Let’s unpack why.

A Record-Breaking Format

The first thing you need to know is that 2026 is the biggest World Cup ever, and I don’t mean the ticket revenue (though that’ll be huge). We’re talking 48 teams — up from 32 — across 16 groups of three, playing 104 matches, from June 11 to July 19.

Here’s the format in plain English, because FIFA’s official diagram might as well be written in Sanskrit:

• Group stage: 16 groups (FIFA calls them “pods”) of three teams each. Each team plays two matches. The top two in each group (32 teams) advance automatically.
• The 3rd place play-offs: The eight best third-placed teams earn knockout berths too. Yes, this means a team could finish third and still go home — unless they’re one of the eight best thirds. It’s a slightly bonkers system designed to keep every match interesting (and slightly cynical). But it’ll make the final group-stage matches absolutely gripping.
• Knockout stage: Round of 32, quarter-finals, semi-finals, a third-place play-off, and the final.

The final takes place at MetLife Stadium in East Rutherford, New Jersey — the kind of 82,500-capacity sports coliseum that’ll host its first-ever World Cup final in front of a sea of jerseys that won’t know whether they’re at a football match or a Taylor Swift concert.

Host Cities Across Three Nations

The scale of this thing is almost hard to grasp when you read it as a list. We’ve got 16 cities spread across North America:

United States (11 venues): Los Angeles (SoFi Stadium), New York/New Jersey (MetLife Stadium), Pasadena (The Rose Bowl), Santa Clara (Levi’s Stadium), Dallas (AT&T Stadium), Houston (NRG Stadium), Atlanta (Mercedes-Benz Stadium), Miami (Hard Rock Stadium), Boston (Gillette Stadium), Kansas City (GEHA Field at Arrowhead Stadium), Philadelphia (Lincoln Financial Field).

Canada (2): Vancouver (BC Place), Toronto (BMO Field).

Mexico (3): Mexico City (Estadio Azteca — the only stadium to host a third World Cup, having previously hosted 1970 and 1986), Guadalajara, Monterrey.

One of these stadiums — Estadio Azteca — has already hosted two World Cup finals. Now Mexico’s got that chance again. The man-who-was-born-to-see-his-team-win-a-final-in-that-stadium thing didn’t work out in 1986, so maybe 2026’s the one.

What’s New in Technology This Time?

Right, the tech stuff — because that’s what makes this year’s tournament genuinely different from anything before it.

The Adidas TRIONDA: A Smart Ball with an Embedded AI Chip

FIFA has unveiled the Adidas TRIONDA, and it’s not just a pretty face. Embedded inside is an AI-powered sensor chip that transmits data about spin, velocity, and exact ball trajectory in real-time to the VAR operation room. This is a generational leap from the sensor-ball experiments of 2022.

Why does this matter? Because the semi-automated offside technology (SAOT) goes from good to scary-precise. The new system uses AI-generated 3D player avatars to track every joint, every limb, every millimetre of a player’s position. It’s like FIFA’s built a computer game overlay on top of reality, and using it to referee the game.

AI as a Full Team Staff Member

This is the one that genuinely impressed me: FIFA, in partnership with Lenovo, has launched Football AI Pro — a generative AI knowledge assistant designed specifically for all 48 participating teams. It’s the first time a World Cup has treated AI as an actual coaching tool rather than just a stats spreadsheet.

Think about that for a second. You’ve got national teams from everywhere — Japan, Morocco, Canada (making their first-ever World Cup appearance), Ecuador — all with potentially different access to this AI infrastructure. The playing field isn’t just level; it’s been redesigned by machine learning.

Verizon 5G and Stadium Fan Experience

Right here in the homeland, Verizon’s been contracted specifically for the fan experience layer: 5G network infrastructure, Fixed Wireless Access, and broadcast solutions powering live engagement across all 16 host cities. AR and VR experiences are being built into fan zones — interactive games, live streaming at stadium scale, AI-powered moments that can be personalised in real-time.

As someone who’s built fan engagement dashboards, the idea of being inside a MetLife Stadium, looking at a phone through an AR overlay that shows passing routes, player heatmaps, and the next 30 seconds of predicted play — that’s not sci-fi anymore. That’s being built right now.

IoT Tracking and Real-Time Analytics

The 2026 World Cup is being described as “the most data-dense sporting event ever built.” Every player wears tracking technology that streams telemetry in real-time — positional data, sprint speed, heart-rate-adjacent load metrics — feeding into both team analytics AND broadcast overlays.

The old-school fans might grumble about yet another graph on the TV screen, but honestly? The ability to watch a match and see exactly where an attacking midfielder’s pressing patterns are breaking down, in real-time, as it happens — it’s transformed how I watch the beautiful game.

Green Stadiums: Actually Sustainable This Time

Mercedes-Benz Stadium in Atlanta leads the charge with its own on-site solar generation, rainwater harvesting, and strict sustainability metrics it publishes publicly. A lot of the 2026 venues are LEED-certified or working toward net-zero by 2040. It’s not perfect — the carbon footprint of 48 teams, millions of fans, and the media circling across three nations will be enormous — but at least FIFA’s trying harder this time.

Cybersecurity: The Invisible Match

Here’s the angle most people won’t talk about: the 2026 World Cup cybersecurity challenge. CISA and federal and state security professionals are fortifying digital infrastructure across major host cities — traffic lights, ticketing systems, stadium Wi-Fi, broadcast feeds, payment systems, everything.

According to Politico, over 78 matches will be hosted in the US alone, and the attack surface is massive. Cybersecurity Dive has noted that the World Cup offers “huge platforms” for cyberattacks — from simple DDoS on ticketing platforms to more sophisticated targeting of broadcast infrastructure. It’s fascinating that the same people building smart balls with AI chips are the ones defending against state-level cyber threats. It’s a tournament happening on two layers simultaneously: the one visible on the pitch, and the one invisible in the data infrastructure holding it all together.

England: Qualified. Too Easily. Let’s See What’s Next.

England have done their qualification — won UEFA Group K, as expected. They dominated a fairly lightweight group (Albania, Andorra, Latvia, Serbia). That’s the good news and the bad news.

The good news: they’re going to the World Cup and they look strong on paper. The squad, under the current setup, has Harrison Ramsay, Bukayo Saka, Jude Bellingham, Jamie Vardy, and the evergreen Harry Kane (finally going to his fourth major tournament — or is it his first World Cup?).

The bad news: qualifying was supposed to be routine for England, and it was — but the tournament itself is where the real test begins. And 2026 throws curveballs none of us expected.

Key England storylines:

• Home advantage for their rivals: Many of England’s group-stage opponents will have home legs in Mexico or the US. That crowd noise isn’t a metaphor anymore.
• Kane’s final World Cup: If he hasn’t won it by 2026, do we keep talking about it forever?
• Saka and Bellingham’s emergence: They’re in their peak years by June. The England team of 2026 will be built around them.

Who’s the Favourite?

I’ve been reading predictions for weeks, and the consensus keeps shifting as qualification finishes. Here’s where I land:

Argentina are always dangerous at a World Cup. Their DNA is built on winning tournaments at the highest level, even without Messi (he’s not in this World Cup — aged 39, past it). They’re the team with the most experience.

France are the strongest team on paper — Mbappé-led, deep squad everywhere, and they play the kind of fast, high-pressing football that suits a tournament where one match can decide your fate.

Spain are the dark horse that could become the horse. Lamine Yamal is barely old enough to buy a ticket but already terrorising top-level defenders.

Mexico at the Azteca for the final? The man-who-was-born-to-see-his-team-win-a-final-in-that-stadium thing has a 2026 callback written all over it.

And England? We’re always the team you pick in the quarter-final and cry about in the same breath. Don’t let me be right this time.

The Verdict: Why 2026 Feels Different

The 2026 World Cup isn’t just bigger — it’s different in ways that go beyond the format expansion. We’re watching the first football tournament that’s simultaneously:

• A sport event
• A technology showcase (AI coaching, smart balls, AR fan experiences, IoT player tracking)
• A sustainability experiment
• A cybersecurity test-bed
• A cultural moment spanning three continents

That’s a lot of words for “football is getting smart.” But honestly? It’s exciting. It’s the kind of convergence of tech and sport that I’ve been waiting to see for years. The game’s about to get faster, the decisions about to get fairer, the experiences about to get richer.

So when June 11 comes round — whether you’re cheering for England, Argentina, the USA as hosts, or just watching because the beer’s cheap — remember you’re not just watching a football tournament. You’re watching the future of the game arrive in person.

Let’s go. World Cup, here we come again.

Take a walk back to dial-up tones and “Netiquette” signatures. The cyber attack landscape of the 90s and 2000s was about as high-tech as a stolen modems and a phone booth, yet some of its vulnerabilities would be laughably simple for us today. The more things change, the more they stay the same.

Having built and run systems across both eras, I found myself recently diving into the history of internet security failures — and what struck me most wasn’t how bad things were back then, but how many patterns have recycled themselves with new technology wrapped around them.

The Wild West: Internet Security in the 90s

The 90s didn’t have a cybersecurity industry. They had people who knew computers and occasionally found they could get in where they weren’t wanted. This wasn’t criminal enterprise — it was exploration, ego, and often just finding out if you could.

The Morris Worm (1988) was the watershed moment. Robert Tappan Morris, a Cornell graduate student, released a self-replicating program to “measure the size of the internet” — and it infected an estimated 6,000 of the 60,000 machines connected at the time. His intent was educational; his bug caused it to re-infect systems already caught. Roughly 10% of the early internet was down. The Computer Fraud and Abuse Act was already on the books, and Morris became the first person convicted under it.

Then came the real showstoppers:

Lovnet worm (1988) — a variant that hit Soviet military computers, including what was suspected to be nuclear command systems. It was designed as a backdoor for the KGB. (Or it wasn’t — we still debate its true origin.) Either way, it showed that early networked infrastructure was fragile enough that a single worm could reach places it shouldn’t.

Mega Man and the “Global Hell” defacers (1999-2000) — a UK student named Gary McKinnon — later known as “Solo” — somehow hacked into 97 US military and NASA computers over fifteen months. His stated purpose: finding evidence of UFOs and the US government’s cover-up. He accessed systems at the Pentagon, the Space Shuttle missions, the Royal Observatory Edinburgh, and NASA. It was the most sustained single intruder breach in history. He was finally arrested in 2002 and extradited — though the extradition fight dragged on for years and was finally blocked by the UK government in 2012 because his schizophrenia made detention inhumane.

But the truly iconic hack of the late 90s came from two students, Barukha Levy and Yair Taitelman, who defaced 1,600 websites including Boeing, IBM, the US Senate, and the White House. They called it the “L33t Crack Team.” The White House had no security department to speak of. They’d literally never been targeted.

The Era of WannaBee: 2000-2009

The new millennium brought new threats, and they came in a torrent:

Code Red (2001) hit Microsoft IIS servers en masse, exploiting a buffer overflow that allowed remote code execution. Within 14 hours of its release, 359,000 servers worldwide were infected. It defaced the websites it couldn’t exploit with a message in Chinese: “Hacked by Chinese Student.” (Whether it was actually Chinese or just a signature is debatable.)

Mafiaboy (2000) — 15-year-old Canadian Michael Calce used compromised router configurations to launch DDoS attacks that brought down Yahoo!, eBay, CNN, Amazon, and E*Trade. He was trying to “show people that the Internet is not safe.” He was right, and his message was delivered to the world’s most valuable companies from a teenager’s bedroom.

SQL Slammer (2003) was a particularly instructive case. This worm exploited a buffer overflow in Microsoft SQL Server 2000. Unlike most worms of the era that took days or weeks to spread, Slammer propagated in under 10 minutes — infecting 75,000 systems in that timeframe. It caused a 10-20% degradation of all US internet traffic as it consumed bandwidth on every major ISP. AT&T experienced such severe congestion that some international traffic was completely blocked.

And the Conficker worm (2008) — one of the most sophisticated and widespread malware outbreaks ever. It compromised an estimated 9 million computers across 200 countries. It used multiple infection vectors, rootkit techniques, and even a domain generation algorithm to evade shutdown attempts. It wasn’t until a major international law enforcement operation that its infrastructure was dismantled. Even then, remnants are believed to still exist.

The Missing Ingredients

What made all of these eras remarkable wasn’t just the number of hacks — though the figures are astonishing by modern standards — but that the fundamental security postures of the organisations and systems involved were essentially non-existent:

• No patch discipline: If an operating system had a flaw, it stayed unpatched indefinitely. Code Red exploited a vulnerability that Microsoft had patched for months. SQL Slammer’s vulnerability had a patch for 6 months and it was deployed on roughly 3-4% of affected systems.
• Default credentials: Admin/admin, user/user, or just “password” — these weren’t jokes. Many systems shipped with default credentials and the concept of “change your password” hadn’t caught on. The Morris worm spread via poorly-secured Unix accounts.
• No incident response: When a breach happened, most organisations didn’t have anyone to call. There was no SOC, no CSIRT, no playbook. The White House didn’t even have a dedicated cybersecurity position in 1999.
• Firewalls were rare: Many organisations had no perimeter defence at all. If you put a server on the internet, it stayed open — and anyone could reach it.
• Security was an afterthought: There was no “security by design.” Software was built quickly without consideration for authentication, encryption, or input validation. The OWASP Top Ten — the definitive list of web application vulnerabilities — wasn’t even created until 2003 and listed what we now consider basic security concepts.

Today’s Landscape: The Same Problems, Different Wrappers

If you strip away the technology, what we’re seeing today is a strangely recursive situation where the types of vulnerabilities and attacks remain remarkably similar, but the scale, sophistication, and economic motivations have shifted dramatically.

The Unsurprising Truths

Default credentials are still a thing. Every security researcher knows about the billions of IoT devices with “admin/admin” or “password” as credentials. In 2016, the Mirai botnet compromised over 100,000 internet-connected devices using default passwords — cameras, routers, DVRs, and even medical equipment — to launch one of the largest DDoS attacks in history. Sound familiar? It should. We’ve been telling people to change default passwords since at least 1988.

Unpatched systems are still a mass vulnerability. In 2017, the Equifax breach — the defining modern data breach — was caused by a vulnerability in Apache Struts that Equifax should have patched 6 weeks earlier. Over 147 million Americans had their social security numbers, credit card numbers, and other sensitive data exposed. The vulnerability had been known to the US Department of Homeland Security for months. Patch discipline, 29 years on, remains the fundamental weak link.

DDoS attacks still break infrastructure. The Mafiaboy DDoS in 2000 took down the biggest companies of the dot-com era. Today’s DDoS attacks are bigger, automated by botnets, and used for extortion rather than statement-making. The 2025 landscape, according to IBM’s X-Force report, shows AI-assisted automation making DDoS attacks faster and more difficult to distinguish from legitimate traffic. The technology changes, but the principle is identical.

The New Dangers

But there are also genuinely novel threats that didn’t exist in the 90s:

Supply chain attacks have become the dominant threat vector. We’re seeing attackers target software libraries, CI/CD pipelines, and third-party vendors to reach their actual targets. The SolarWinds compromise (2020) injected backdoors into legitimate software updates, giving the attackers access to US government agencies and Fortune 500 companies through a single trusted channel. The Mirai IoT botnet of 2016 was itself a supply chain attack — targeting the firmware update mechanisms of IoT device manufacturers.

AI-generated attacks are the biggest new wildcard. In 2025-2026, we’re seeing AI-assisted phishing at an industrial scale, automated vulnerability discovery, and deepfake identity spoofing. The 2026 Ivanti State of Cybersecurity report found that nearly three-quarters of organisations reported rising cybersecurity risks across 2025, with AI-assisted automation being named as a primary acceleration factor. CEOs are now more concerned about cyber-enabled fraud than ransomware — a shift that wouldn’t make sense a decade ago.

Zero-day markets have matured from academic curiosities into a multi-billion dollar underground economy. A single zero-day exploit for a popular browser or operating system can command $1-2 million. These are then sold to governments, criminal organisations, or hacked themselves, creating a market where vulnerability research can accelerate both defence and offence simultaneously. In the 90s, you found a vulnerability and maybe posted about it in a forum. Today, you might sell it to the highest bidder and disappear.

What Actually Changed

So what has improved over the decades?

Encryption is everywhere. HTTPS is now the default for almost every service. SSL/TLS is handled transparently by browsers and infrastructure. In the 90s, email passed in plain text, FTP was unencrypted (and so was the password), and anyone monitoring network traffic could see everything. TLS 1.3 has effectively eliminated casual network sniffing as a threat vector — though not sophisticated interception.

Two-factor authentication has become standard. MFA is now expected for essentially any meaningful account. The 90s had nothing equivalent — your password was your everything. Today’s password spray attacks are a different game, but at least there’s a second layer.

Security awareness has genuinely improved. Phishing training, password managers, and basic hygiene are now part of most corporate onboarding. The user is no longer the completely unwitting victim — though they’re still the easiest attack vector.

Incident response has evolved from “who do we call?” to structured playbooks, automated monitoring, and 24/7 SOC operations. The Equifax breach, while catastrophic, prompted sweeping changes in how large organisations handle incidents.

The Uncomfortable Conclusion

What emerges from comparing the eras is a paradox: the internet is technically more secure than ever, and yet the security situation feels worse than ever.

Part of that is genuinely the scale of expansion — in 1995, there were maybe 16 million internet users. Today, over 5 billion. Every single one of those billions represents at least one attack surface. The global cyber security market is projected to reach $500 billion by 2030 — up from roughly $30 billion in 2010. That’s a 16x expansion in a single decade, and it’s not because systems are safer — it’s because the problem has gotten exponentially worse.

The fundamental insight that connects 1988 to 2026 is this: security is not a technology problem — it’s a discipline problem. The Morris worm could have been stopped with a single code check. Code Red could have been prevented with patch management. SQL Slammer would have been negligible on 4% of systems — which means we still aren’t doing it. Equifax’s breach was preventable with a patch that was available for six weeks.

Today’s AI-driven attacks require AI-driven responses. The 90s had hackers; the 2000s had criminals; today we face state-sponsored cyber warfare arms races that can shut down power grids and banking infrastructure. The stakes have never been higher, but the fundamental lesson hasn’t changed: you can build all the technology you want, but if you’re not paying attention, if your discipline isn’t there, if you’re relying on someone else to watch the gates, someone is coming through.

Maybe the one thing that has actually improved is that we’re now talking about it. In the 90s, when the Pentagon’s computers were being penetrated, the response was usually denial. Today, when a vulnerability is discovered — even from the deepest 90s archives — it gets discussed, analysed, and debated. That’s not nothing.

If you’ve been running a Docker build pipeline on the free tier of Docker Hub lately, you’ve probably noticed something peculiar. It all still works — but the rate limits are real, the API keys are getting questioned, and Docker’s business model is shifting in ways that could leave your CI/CD pipeline in limbo.

Let’s talk about what’s coming, why it matters, and what you can do about it.

The Free Tier Is Shrinking

Docker Hub’s free tier has always been generous in theory and painful in practice. The rate limiting caught a lot of people by surprise — 100 pulls per 6 hours for anonymous requests, and much lower for free authenticated accounts. Suddenly your GitHub Actions, GitLab CI and Jenkins builds were getting throttled to a crawl.

The new Personal Access Token system replaced the old username/password authentication model, but the free tier limits didn’t budge. They got tighter.

API Keys Are Getting Deprecated

Here’s the thing that caught a lot of teams off guard: Docker is actively deprecated the old API key model. The legacy “access tokens” that most tutorials, Stack Overflow answers and CI documentation have been pointing at for years? They still work for now, but there’s an explicit sunset path.

The new system uses Personal Access Tokens — longer-lived JWTs with granular permissions. Much better from a security standpoint. But the migration isn’t exactly smooth for teams managing hundreds of services.

The Real Issue: Exposure

Here’s where it gets interesting. Docker Hub API keys have been a security headache for years. They’ve been found in:

• Public GitHub repositories
• Stack Overflow posts (yes, really)
• CI configuration files committed to version control
• Build logs uploaded to public S3 buckets

Every single “fix” someone posted on public forums became a credential harvesting opportunity. Automated scrapers scan repos for Docker tokens and sell them on dark web marketplaces. I’ve seen it happen. It’s not theoretical.

This is exactly why Docker’s pushing PATs — they’re scoped, revocable, and audit-friendly. But the migration path has been unclear.

The Gitea Alternative

Meanwhile, self-hosted registries like Gitea’s Packages (or a plain Docker registry behind your firewall) are becoming the pragmatic choice for teams that don’t want their CI pipeline at the mercy of Docker’s rate-limiting policies.

Gitea’s registry integration is particularly tight — it ships with the Git hosting, uses the same credential system, and runs on a Raspberry Pi if that’s your thing. For a small team running internal containers, it eliminates the Docker Hub dependency chain entirely.

No rate limits. No API key exposure. No surprise billing changes.

What You Should Do

• Audit your repos. Search for Docker credentials in your version control history. Any tokens committed before Docker’s PAT migration are probably floating around in your repo’s git history. Use `git log –all –grep=”docker”` or similar to find them.

• Migrate to PATs. If you’re using the old API key model, set up Personal Access Tokens. They’re per-user and scoped to specific repositories — you don’t need admin-level access for a build pipeline that only pulls images.

• Rate limit locally. If you’re on the free tier, set up a local registry mirror (like Harbor or even a simple `docker-proxy`) and route your pulls through that. It’s a cache. Your builds become faster and your Docker Hub usage drops.

• Consider self-hosting. A plain Docker registry behind NGINX with basic auth costs virtually nothing to run and gives you full control. For most teams building and deploying their own images, it’s the sensible choice. Docker Hub is great for publishing images to the world. It’s less ideal as your private registry.

The Opinionated Bit

I think teams that rely on Docker Hub as their primary private registry are walking into trouble. It’s designed as a public hub with private repositories bolted on. That’s not the same thing as a proper private registry.

Rate limiting, API key churn, and policy changes are all signals that you need to diversify your container strategy. Whether that means Gitea, GitHub Container Registry, your own Docker registry or a mix — it’s a risk management decision.

Your CI pipeline shouldn’t be at the mercy of someone else’s rate-limiting policy. Start planning the migration now while it’s still smooth.