Health Care Systems Oncology, Imaging and Pharmacology, particularly for Prostate Cancer.
Technology that interests me: Sensors (Radar, Sonar, EO/IR, Fusion), Communications, Satellites, Unmanned Vehicles (UAV), Information Technology, Intelligent Transportation
GM Javokhir Sindarov grabbed the sole lead at the 2026 FIDE Candidates Tournament, reaching a remarkable plus-three score by beating co-leader GM Fabiano Caruana (Chess.com). To understand how stunning this is, one must appreciate who these players are and what was at stake.
Javokhir Sindarov, born December 8, 2005, is an Uzbek chess grandmaster who became a grandmaster at the age of 12 years, 10 months, and 8 days (Wikipedia). His path to Cyprus was paved with historic milestones. Sindarov capped a remarkable campaign in Goa by winning the 2025 FIDE World Cup, defeating Wei Yi in a tense rapid-play tiebreak — the 19-year-old Uzbek grandmaster kept his composure in a dramatic set of rapid encounters, capitalizing on late chances as his opponent faltered in time pressure (Chess News). By winning the 2025 FIDE World Cup, he made history by becoming the youngest World Cup winner ever at 19 years, 11 months, and 18 days (Kingdomofchess).
His opponent in Round 4, Fabiano Caruana, needs little introduction to the chess world. An American grandmaster of Italian heritage, Caruana has been one of the world's top two or three players for over a decade and was a World Championship challenger against Magnus Carlsen in 2018. The next round paired the two co-leaders at 2.5 points each, with Sindarov having White against Caruana (Chess.com).
He's only 20 years old and is playing his first Candidates Tournament, but that hasn't stopped Sindarov from having the best-ever start in any Candidates in this format: 3.5/4 (Chess.com).
The Game: A Queen's Gambit Accepted Gone Wrong
The opening was a Queen's Gambit Accepted — 1.d4 d5 2.c4 e6 3.Nf3 dxc4 — one of the most classical and deeply analyzed structures in all of chess. Caruana, as Black, chose a well-known approach: playing ...c5 to immediately challenge White's central control, aiming either to liquidate White's central pawn advantage or saddle him with an isolated d-pawn. After castling, Black followed with ...Nc6, ...a6, and ...b5, a thematic setup that plants the bishop on b7 and controls the long light-square diagonal.
Where Things Began to Go Wrong for Caruana
The game appeared balanced through the early middlegame. White played ambitiously — Sindarov advanced a4 to challenge Black's queenside pawn chain, then maneuvered his queen's knight to e4, targeting Black's defensive knight on f6. This is a recognized strategic motif: eliminating the king's knight often clears the way for a kingside attack.
The critical moment came when Sindarov exchanged on f6. Instead of recapturing with the queen — which would have been the natural, centralizing move — Caruana chose to recapture with the g-pawn. This decision, designed to activate the rook and bishop battery toward g2, was the fateful turn. As the commentary makes clear, taking with the queen would have allowed e4 with strong effect; after 1...Qxf6 2.e4, White gains dangerous space. And if Black got greedy and captured on d4, the bishop sacrifice to g5 would have created havoc, threatening mate ideas via bishop to b5-check combined with queen pressure.
So Caruana accepted a compromised pawn structure — the open g-file — in exchange for dynamic counterplay with his rook and bishop targeting g2. This is a double-edged, high-risk decision. In principle, it is not wrong; in practice, it placed tremendous demands on precision that Caruana was unable to meet.
Still, there was some confusion over Black's decisive mistake. Caruana thought it was 16...Rg8, and Sindarov agreed with him, but engine analysis shows that it was Caruana's 17th move that was the real issue (Chess.com).
The Strategic Drift: The d5 Blockade Collapses
Sindarov responded to the dynamic imbalance with superb strategic clarity. He played c6 — a deeply calculated deflection move, pulling the Black bishop off the defense of the a6 pawn, which was under double attack by White's queen and bishop. Caruana had no real choice but to capture, and White immediately exploited the moment with knight to d4, centralizing powerfully and threatening to unravel Black's position entirely.
From here, the game became a relentless squeeze. Black attempted to establish a blockade on d5, parking his bishop on that square to cork White's central passed pawn ambitions. For several moves, both sides maneuvered with precision — Sindarov probing with rook to c1, bishop to c6, and ultimately the rook lift to c5 — while Caruana fought to keep the d5 square occupied and neutralize the dangerous a-pawn.
The blockade, however, was always a temporary solution, not a cure. When Sindarov finally broke through with d5, the position opened catastrophically for Black. As the commentary describes: every single Black pawn became weak simultaneously, and the Black king — never fully safe after the g-pawn recapture — was now genuinely endangered. The fact that Caruana got low on time early — going under 10 minutes while pondering his 20th move — didn't help either (Chess.com).
The Killing Blow: Rook to c5
The game's decisive combination came with elegant simplicity. After a series of pawn advances on the kingside — h4, h5 — and bishop maneuvers to exploit the dark-square weaknesses, Sindarov delivered the coup de grâce: Rook to c5. The threat of Rook to c8, pinning the Black queen against the king, was immediately decisive. The queen could not move — rook to c8 would lead to mate — and Black could not defend against both the pin and the loss of his bishop. Caruana resigned.
Caruana's Own Assessment
Caruana's matter-of-fact summary of his loss: "I kind of got caught in the opening." (Chess.com) This candid admission reveals the depth of Sindarov's preparation. The young Uzbek had clearly studied this exact structure with his seconds and came armed with a precise roadmap.
Sindarov agreed that a large part of his win was based on preparation: "Of course I never imagined I would go into the rest day with plus three but today I played a really [good] game and the prep was also fantastic, thanks to my seconds." (Chess.com)
The Bigger Picture: A Star Is Born
The Candidates Tournament is the gateway to the World Championship. The FIDE Candidates Tournament is the most important FIDE tournament of the year. In the Open and Women's events, eight players play each other twice for the right to challenge the FIDE World Champions Gukesh Dommaraju and Ju Wenjun to a match for the title (Chess.com).
Sindarov's victory over Caruana was not just a win — it was a statement. His great start of three wins and one draw took the young Uzbek to world number six in the live ratings (Chess.com). On the same list, Sindarov jumped up two spots to world number eight (Chess.com) after the previous round, and now sits even higher. The chess world is beginning to ask a question that would have seemed far-fetched just six months ago: could the youngest World Cup champion in history also become the youngest Candidates winner?
The tournament is far from over — Round five is on Friday, April 3, starting at 8:45 a.m. ET / 14:45 CEST (Chess.com), with Sindarov facing Nakamura next. But after four rounds, the narrative belongs entirely to a 20-year-old from Tashkent who earned the grandmaster title before he was a teenager, won the World Cup before he was old enough to drink in most countries, and is now dismantling the world's elite one game at a time.
The Unwritten Rules of IT — Starting With What Nobody Tells You
BLUF: The Unwritten Rules of IT
You don't need to know everything. You need to keep learning, stay humble, and understand that technology rarely fails on its own — humans fail it, consistently, creatively, and at the worst possible time.
The rules break down into three unavoidable truths:
On entering the field: Start before you're ready. Experience beats preparation every time, "I don't know" is a legitimate answer, and the only skill with guaranteed shelf life is the ability to learn new ones.
On the humans: Almost every outage has a human at the root of it — one who changed something, skipped the test, refused to document, or scheduled the Friday deployment with misplaced confidence. The systems are largely fine. The people are the variable.
On AI: It's a fast, tireless, extremely confident tool that doesn't know what it doesn't know, will fabricate solutions that look exactly like real ones, and is already being handed credentials it shouldn't have by someone in your organization who was just trying to be helpful. Supervise it accordingly.
The through-line: IT is not a technology problem with occasional human interference. It is a human problem that happens to run on technology. Every rule in this document — from "never deploy on a Friday" to "it's always DNS" — is ultimately a rule about people: how they communicate, cut corners, assume, avoid, and occasionally, heroically, hold everything together with a 2am fix that nobody will ever fully understand.
0a. You don't need to know everything to get started.
The single biggest reason talented people never enter IT is that they're
waiting until they feel ready. That feeling never comes. Not on day
one, not after your A+, not after your CCNA, not after twenty years. The
people who look like they know everything have simply had more
opportunities to figure things out under pressure — which is just
experience wearing a confident expression.
0b. Experience is the certification that actually matters.
You can memorize every answer on a practice exam and still freeze when a
real problem lands in front of you. You can also fumble through your
first year, break things, fix things, and emerge knowing more than any
exam ever tested. The field rewards people who kept showing up. It is
far less impressed by people who studied perfectly and then waited.
0c. "I don't know — let me find out" is a complete and professional answer.
Users will assume you know everything. Managers will assume you know
everything. The new hire shadowing you will assume you know everything.
None of them know everything either. The most dangerous IT professional
isn't the one who admits ignorance — it's the one who can't. Confidently
incorrect is how outages happen.
0d. An inch thick and a mile long is the job.
IT is not about mastering one thing completely. It's about knowing
enough about everything to ask the right questions, recognize the right
patterns, and know which expert to call. Your value isn't depth in
isolation — it's the ability to connect dots across an impossibly wide
landscape. Nobody hired you to know everything. They hired you to figure
things out.
0e. The ability to learn is the only skill that doesn't expire.
Every specific technology you know today will eventually be legacy,
deprecated, or replaced by something a 24-year-old built last Tuesday.
The sysadmin who thrives for thirty years isn't the one who mastered
Windows NT — it's the one who was curious enough to keep learning when
everything changed. Comfort with not-yet-knowing is the most durable
skill in the field.
And Then You Meet the Humans
1. Never deploy on a Friday.
Technically this is about timing, but really it's about humans.
Specifically, the human who schedules a Friday deployment because "it'll
only take five minutes" — the same human who has never, in recorded
history, completed anything in five minutes. The deployment takes four
hours. You know this. They know this. Nobody says it out loud.
2. "I didn't change anything." They changed something.
The full archaeology of this statement is remarkable. Stage one: "I
didn't change anything." Stage two: "Well, I updated one thing, but that
shouldn't matter." Stage three: "Okay, I may have also restarted the
service." Stage four: "...and installed some software." Stage five:
quiet, prolonged eye contact as the full picture emerges. You will reach
stage five every single time. Budget for it.
3. The 2am fix makes zero sense on Monday morning.
The human who wrote the 2am fix was you, technically, but they were
operating under conditions — panic, caffeine, a user screaming on Slack —
that no longer exist. The real problem is the other human: the
one who created the crisis at 2am because they "just needed to make one
quick change before a big presentation" and didn't mention this to
anyone until something exploded. That human went to bed at 9pm. They
slept great.
4. Never say the Q word ("It's quiet").
The Q word is never said in isolation. It's always said in response to a human.
Usually a manager wandering through asking how things are going,
clearly hoping for reassurance. You, desperate to provide it, say
"pretty quiet actually." The manager nods, satisfied, and leaves. Three
things break simultaneously. The manager will not return to witness
this. They are at lunch.
5. If it's working and nobody knows why — don't touch it.
The dangerous human here is the enthusiastic new hire who wants to
"clean things up" and "apply best practices." They are not wrong that
it's messy. They are catastrophically wrong that this matters. The mess is
the solution. The mess accumulated organically around an original
problem like scar tissue. Disturbing it doesn't clean things up — it
just moves the chaos somewhere less predictable.
6. The backup you never tested is the one you'll need.
There are two humans in this story. The first said "we should test the
backups regularly" and was told "we don't have time for that right now."
The second is the executive calling at midnight asking why the data is
gone. These two humans have never been in the same meeting about backup
testing. They will, however, be in the same meeting about the incident
report. It will be a long meeting.
7. Document it now or hate yourself in six months.
Documentation fails because of humans at every stage. The human who
built it didn't document because they were too busy. The human who
inherited it didn't document because they were trying to understand it.
The human who needs it now is opening a ticket marked URGENT while
simultaneously asking a question that is answered nowhere. Somewhere,
the original human has left the company and is living their best life,
completely unreachable, on a beach.
8. Restarting fixes 80% of problems. Admitting it fixes 0% of credibility.
The real issue is the human on the other end of the ticket who will, if
told "we restarted it," immediately ask "why did it need restarting?" — a
question with a real answer that will take forty-five minutes to
explain and will not satisfy them. So instead you say "we identified and
resolved an instability in the service layer," which is both
technically accurate and completely unanswerable as a follow-up. Humans
respond well to words that sound like effort. This is not cynicism. This
is professional communication.
9. DNS. It's always DNS.
The human problem with DNS is that explaining why it's DNS
takes longer than just fixing it. So you fix it. The human asks what was
wrong. You say "DNS issue." They nod as though this means something to
them. It does not mean something to them. Next month they will make a
change that breaks DNS again and tell you, with complete sincerity, that
they didn't change anything.
10. The person who never raises a ticket has the biggest problem.
This human has a workaround. The workaround involves copy-pasting
something into Notepad, waiting 30 seconds, and then copying it back.
They do this seventeen times a day. They have never mentioned it to
anyone because "it's fine, I've got a system." The system took them four
minutes to develop eighteen months ago and has since consumed
approximately 140 hours of their life. They are fiercely protective of
it. When you fix the underlying problem, they will be briefly annoyed
that their system no longer works.
And Then AI Showed Up
11. AI is confidently wrong the way only a very fast, very agreeable intern can be.
The danger isn't that AI doesn't know something — it's that it doesn't know that it doesn't know something, and will explain its wrongness to you in beautifully structured paragraphs with appropriate technical terminology. A human who doesn't know something will usually hesitate. AI will not hesitate. It will cite the hesitation in APA format if you ask nicely.
12. "The AI said so" is not a root cause.
You will get tickets caused by someone copy-pasting AI-generated code directly into production without reading it. The code will be almost correct. "Almost" is doing a lot of work in that sentence. When you ask why they didn't test it first, they will explain that the AI seemed very sure. The AI is always very sure. That is not the same thing as being right.
13. Prompt garbage in, prompt garbage out.
AI does not rescue bad requirements — it accelerates them. If you ask a vague question, you will receive a confident, thorough, beautifully formatted answer to a slightly different question than the one you meant to ask. This is not the AI's fault. This is Rule 2 in a new costume: the user didn't change anything. They just asked the wrong thing.
14. AI will hallucinate a library, a function, and three Stack Overflow posts that don't exist.
It will do this calmly, with working-looking syntax and plausible version numbers. You will spend forty minutes trying to install a package that has never existed before you realize what happened. The AI, when informed of this, will apologize sincerely and suggest a different package that also doesn't exist. This is not malice. This is a very sophisticated form of making things up, which somehow makes it worse.
15. Someone has already given the AI admin credentials. You just don't know who yet.
There is a human in your organization who, trying to be helpful, fed a system prompt containing environment variables, API keys, or database connection strings into a third-party AI tool. They did this because the tool asked for "context" and they wanted to be thorough. This happened. It may be happening right now. Check your logs. Check your logs again. Consider crying.
16. AI doesn't replace the need to understand the thing — it replaces the excuse not to.
For twenty years the defense was "this is too complicated to document properly." AI can now draft your runbooks, summarize your architecture, and explain your legacy codebase in plain English in about four minutes. The humans who refused to document will now have to explain why they also refuse to have AI document it. This conversation will be awkward. Enjoy it.
17. The AI audit trail is "we asked it and it said yes."
Traditional systems fail with logs, error codes, stack traces, and timestamps. AI fails with vibes. Something went wrong and the AI was involved, but reconstructing exactly what was asked, what was returned, and what the human did with that information is an exercise in archaeology with no artifacts. If you're deploying AI in any serious workflow, logging the inputs and outputs isn't optional. It's the only thing standing between you and an incident report that says "the AI told us to."
18. AI is the new junior developer who works at superhuman speed and has read every Stack Overflow post ever written but has never actually run anything in production.
This is not an insult — junior developers are valuable, and so is AI. But you wouldn't give a junior developer unsupervised access to the production database on their first day, hand them the deployment keys, and go to lunch. The same logic applies here, just with higher throughput and more confident typing.
19. "We'll just use AI for that" is the new "we'll fix it in post."
It sounds like a solution. It has the shape of a solution. It is a placeholder wearing a solution's clothes. Slotting AI into a broken workflow doesn't fix the workflow — it automates the broken parts at scale, adds a layer of opacity to the failures, and ensures that when something goes wrong, nobody is entirely sure which part of the system decided to do the thing that caused the problem.
20. AI changes every six months. The humans using it do not.
New model, new capabilities, new limitations, new hallucination patterns, new things it's surprisingly good at, new things it confidently ruins. You will just have finished training your team on how to use the current version responsibly when a new one arrives that behaves differently in ways nobody has fully mapped yet. The humans will continue to use it exactly as they used the previous version, applying lessons that no longer apply, missing capabilities that now exist, and filing tickets about behavior that changed four months ago.
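Rules 15 and 17 in practice, as an added example that is not part of the original post: a wrapper that masks environment-style secrets and connection-string credentials before a prompt is sent to a third-party model, then records every prompt and response in a hash-chained log so later edits are detectable. The regex patterns, the record fields and the `fake_model` stand-in are assumptions of this example, not any vendor's API, and the sample prompt is constructed.

```python
import hashlib
import json
import re

# Assumed patterns for the three things rule 15 names: API keys,
# environment variables and database connection strings.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_password": re.compile(r"(?<=://)[^/\s:@]+:[^/\s@]+(?=@)"),
    "secret_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PWD)[A-Z0-9_]*\s*=\s*[^\s;]+"
    ),
}
GENESIS = "0" * 64  # "previous hash" of the first record

# Constructed sample: the kind of "context" a helpful user pastes in.
SAMPLE_PROMPT = (
    "Why does the app fail to connect? Here is my .env for context:\n"
    "DATABASE_URL=postgres://app:constructed-pw@db.example.internal:5432/prod\n"
    "API_KEY=constructed-not-a-real-key\n"
)


def redact(text):
    """Return (text with secrets masked, {pattern name: hit count})."""
    findings = {}
    for kind, pattern in PATTERNS.items():
        text, hits = pattern.subn(f"[REDACTED:{kind}]", text)
        if hits:
            findings[kind] = hits
    return text, findings


def digest(record):
    """SHA-256 over a canonical JSON encoding of one record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """In-memory log in which each record commits to the one before it."""

    def __init__(self):
        self.records = []

    def append(self, **fields):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = dict(fields, prev=prev)
        record["hash"] = digest(record)
        self.records.append(record)
        return record

    def first_bad_record(self):
        """Index of the first altered or re-ordered record, or None."""
        prev = GENESIS
        for index, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "hash"}
            if record["prev"] != prev or digest(body) != record["hash"]:
                return index
            prev = record["hash"]
        return None


def audited_call(log, user, model, prompt, call_model, ts):
    """Redact, call the model, redact its reply, and log both sides."""
    safe_prompt, found_in = redact(prompt)
    response, found_out = redact(call_model(safe_prompt))
    log.append(ts=ts, user=user, model=model, prompt=safe_prompt,
               response=response, redactions_in=found_in,
               redactions_out=found_out)
    return response


def fake_model(prompt):
    """Hypothetical stand-in for a third-party model call."""
    return f"Received {len(prompt)} characters; check the connection string."


def demo():
    log = AuditLog()
    audited_call(log, "alice", "example-model", SAMPLE_PROMPT, fake_model, ts=1)
    audited_call(log, "bob", "example-model", "Summarise the runbook.", fake_model, ts=2)
    return log


if __name__ == "__main__":
    for entry in demo().records:
        print(json.dumps(entry, indent=2))
```

A non-empty `redactions_in` field is also the signal rule 15 asks you to look for: it names who tried to send a secret, and when, without storing the secret itself.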
The uncomfortable truth no one will print:
The infrastructure almost never fails on its own. Servers don't get bored
and decide to misbehave. Networks don't harbor resentment. Code doesn't
act out of spite — though it occasionally feels that way at 2am.
Almost every outage, every mystery, every "how did this even happen"
post-mortem traces back to a human decision. A skipped test. An
undocumented change. A timeline someone invented and then treated as a
physical law. A meeting where the words "do we have time to do this
properly?" were asked and answered incorrectly.
What the 2026 Certificate Expiration Means for Every Windows PC
A 15-year-old trust anchor is expiring this June,
and Windows is racing to push replacement certificates to millions of
devices before the clock runs out—leaving Windows 10 users, older PCs,
and unmanaged endpoints exposed if the rollout stalls.
By PC Magazine Security Staff
Updated: March 10, 2026
Related: Windows 11 | Cybersecurity | Enterprise IT
Bottom Line Up Front
Microsoft's original Secure Boot certificates—issued in 2011 and
embedded in the firmware of virtually every Windows PC sold over the
past 14 years—begin expiring in June 2026. Your computer will not stop
booting, but it will lose the ability to receive new security
protections for the pre-OS boot environment, including mitigations for
active threats like the BlackLotus UEFI bootkit (CVE-2023-24932).
Microsoft is pushing replacement 2023 certificates via Windows Update in
a phased rollout that accelerated with the March 2026 Patch Tuesday
cycle. Most Windows 11 users on supported hardware who allow
Microsoft-managed updates need to do nothing. The at-risk groups are
large and real: Windows 10 users who did not enroll in Extended Security
Updates (ESU) before the October 2025 end-of-support date, owners of
older PCs whose OEMs are not providing firmware updates, and enterprise
environments managing IT-controlled or air-gapped systems. Action is
required now, not in June.
If you opened Windows Update recently and found a pending item
labeled "Secure Boot Allowed Key Exchange Key (KEK) Update," you have
just received a front-row seat to one of the most consequential
under-the-hood security overhauls in Windows history. The update is
small—it downloads in under two minutes and installs with a single
reboot—but it represents the tip of an enormous iceberg: the scheduled
retirement of the cryptographic trust anchors that have protected the
Windows boot process since the era of Windows 8.
The certificates in question are not obscure. They are baked into
the UEFI firmware of nearly every PC manufactured between 2012 and
2023. Three of them are on the clock: the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011, both expiring in June 2026, followed by the Microsoft Windows Production PCA 2011—which signs Windows' own bootloader—expiring in October 2026.
What Secure Boot Actually Does, and Why Certificates Matter
Secure Boot is a feature of UEFI firmware that validates every
piece of software that runs during system startup. Before the Windows
kernel ever loads, your PC's firmware checks digital signatures on the
bootloader, boot manager, and key drivers against a database of trusted
certificate authorities (CAs) stored in the chip itself. Trusted
signatures run; untrusted signatures are blocked. It is the closest
thing a modern PC has to a cryptographic gatekeeper standing at the door
before the operating system is even conscious.
Like a website's TLS certificate, Secure Boot certificates carry
expiration dates by design. Periodic renewal is a standard cryptographic
hygiene practice—a way to ensure that aging algorithms and key material
do not become a liability. The 2011 certificates have served their
purpose across more than a decade of continuous operation, but their
time is now ending on a hard deadline that does not care about
deployment complexity.
When these CAs expire, firmware can no longer use them to
validate new updates. Devices that have not received replacement
certificates will enter what Microsoft officially describes as a
"degraded security state." They will still boot. Standard Windows
cumulative updates will still install. But they will be unable to
receive new security protections for the early boot process—including
updates to the Secure Boot revocation databases, new Boot Manager
versions, or mitigations for newly discovered bootkit vulnerabilities.
"After more than 15 years of continuous service, the
original Secure Boot certificates are reaching the end of their planned
lifecycle and begin expiring in late June 2026. This represents one of
the largest coordinated security maintenance efforts across the Windows
ecosystem."
— Nuno Costa, Windows Servicing and Delivery Partner Director, Microsoft (February 2026)
The BlackLotus Connection: Why This Is Not Just a Compliance Checkbox
To understand why this update matters beyond abstract certificate
hygiene, you need to understand BlackLotus. Discovered in early 2023 by
ESET researchers and confirmed in the wild, BlackLotus was the first
UEFI bootkit publicly shown to bypass Secure Boot on fully updated
Windows 11 systems. It exploited CVE-2022-21894 (nicknamed "Baton
Drop"), a vulnerability patched by Microsoft in January 2022—but whose
affected signed binaries were never added to the UEFI revocation list,
leaving a window for exploitation long after the patch shipped.
Once installed, BlackLotus achieved persistence at the firmware
level and could disable BitLocker, Hypervisor-Protected Code Integrity
(HVCI), and Microsoft Defender Antivirus—all before Windows loaded. A
follow-on vulnerability, CVE-2023-24932, was disclosed in May 2023 as
part of Microsoft's remediation effort. The U.S. National Security
Agency issued its own BlackLotus Mitigation Guide (U/OO/167397-23, June
2023), explicitly calling on DoD network administrators to take action,
and the Cybersecurity and Infrastructure Security Agency (CISA) issued
parallel advisories.
Microsoft has stated directly that the new 2023 Secure Boot
certificates are the definitive security measure to address the class of
vulnerability that BlackLotus exploited. Without the certificate update
and associated revocations now being pushed via Windows Update, a
device retains no mechanism to block downgrade attacks that swap modern,
secure boot managers for older, vulnerable versions that Secure Boot
still trusts. Every day after June 2026 without updated certificates is a
day with a narrowing ability to close those gaps.
⚠ Security Context: Active Exploitation
BlackLotus (CVE-2022-21894 / CVE-2023-24932) is a real-world,
commercially available UEFI bootkit sold on criminal forums. It requires
either administrator privileges or physical access—it is not a drive-by
exploit—but once deployed it can survive OS reinstallation and is
invisible to traditional antivirus tools. The Secure Boot certificate
update and accompanying revocations are the primary mechanism to block
downgrade attacks that enable it.
What the 2023 Certificates Change—and Why the Restructuring Matters
The replacement is not a simple one-for-one swap. Microsoft has
taken the opportunity to restructure the certificate architecture
itself, separating responsibilities that were previously bundled under a
single CA. The original Microsoft Corporation UEFI CA 2011
signed everything: third-party bootloaders, option ROMs for graphics and
network cards, and various firmware components. The new structure
divides this into three distinct certificates:
The Microsoft Corporation KEK 2K CA 2023 replaces the Key Exchange Key, which authorizes updates to the DB (allowed signatures) and DBX (revocation list). The Windows UEFI CA 2023 handles Windows boot loader components specifically. A separate Microsoft Option ROM UEFI CA 2023
handles third-party option ROMs and add-in card firmware. This
separation allows for finer-grained trust control—a system that does not
need to trust option ROMs can add the Windows CA without broadening
trust to all third-party hardware firmware.
The restructuring has practical implications for dual-boot
systems and Linux users. Linux distributions that rely on
Microsoft-signed shim binaries may need updated shims rebuilt for the
new CA. Microsoft has noted that Windows will update certificates that
dual-boot Linux systems rely on, but the timing and compatibility of
specific Linux distribution shims are the responsibility of those
projects.
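An added example (not from the article or from Microsoft): Python code that parses the EFI_SIGNATURE_LIST layout used by the KEK and db variables and reports which of the 2011 and 2023 certificates named above a machine carries. The variable contents here are constructed placeholders rather than real certificates, and matching a certificate by its name as ASCII bytes inside the entry is an assumption of this example.

```python
import struct
import uuid

# EFI_CERT_X509_GUID, the SignatureType for X.509 entries (UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize.
HEADER = struct.Struct("<16sIII")

# Certificate names as the article gives them, grouped by the Secure Boot
# variable each one belongs in.
EXPIRING_2011 = {
    "KEK": ["Microsoft Corporation KEK CA 2011"],
    "db": ["Microsoft Corporation UEFI CA 2011",
           "Microsoft Windows Production PCA 2011"],
}
REPLACEMENT_2023 = {
    "KEK": ["Microsoft Corporation KEK 2K CA 2023"],
    "db": ["Windows UEFI CA 2023", "Microsoft Option ROM UEFI CA 2023"],
}


def parse_signature_lists(blob):
    """Return [(type GUID, owner GUID, data)] for every EFI_SIGNATURE_DATA."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, header_size, sig_size = HEADER.unpack_from(blob, offset)
        body = list_size - HEADER.size - header_size
        if body < 0 or offset + list_size > len(blob):
            raise ValueError("ListSize does not fit the variable data")
        if sig_size <= 16 or body % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are mixed-endian
        start = offset + HEADER.size + header_size
        for pos in range(start, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def names_present(blob, names):
    """Names from `names` found in any X.509 entry (ASCII substring match)."""
    certs = [data for sig_type, _, data in parse_signature_lists(blob)
             if sig_type == EFI_CERT_X509_GUID]
    return [n for n in names if any(n.encode("ascii") in c for c in certs)]


def audit(variables):
    """variables maps "KEK" and "db" to raw signature-list bytes."""
    report = {"missing_2023": [], "expiring_2011": []}
    for var, blob in variables.items():
        have_new = names_present(blob, REPLACEMENT_2023[var])
        report["missing_2023"] += [n for n in REPLACEMENT_2023[var]
                                   if n not in have_new]
        report["expiring_2011"] += names_present(blob, EXPIRING_2011[var])
    return report


def constructed_list(names, owner=uuid.UUID(int=0)):
    """Build test data: one single-entry list per name, placeholder payloads."""
    out = b""
    for name in names:
        payload = b"\x30\x82" + name.encode("ascii")  # not a real DER certificate
        sig_size = 16 + len(payload)
        out += HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                           HEADER.size + sig_size, 0, sig_size)
        out += owner.bytes_le + payload
    return out


# Constructed sample: a device that has the new KEK and Windows CA but has
# not yet received the option ROM CA.
SAMPLE = {
    "KEK": constructed_list(["Microsoft Corporation KEK CA 2011",
                             "Microsoft Corporation KEK 2K CA 2023"]),
    "db": constructed_list(["Microsoft Corporation UEFI CA 2011",
                            "Microsoft Windows Production PCA 2011",
                            "Windows UEFI CA 2023"]),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On Linux the same bytes can be read from efivarfs, where each variable file starts with a 4-byte attribute field that has to be stripped before parsing.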
The Rollout: Who Gets What, When
Microsoft is using a Controlled Feature Rollout (CFR) approach,
the same phased delivery mechanism used for major Windows feature
updates. Devices on Microsoft-managed updates that meet readiness
criteria—including having the correct OEM firmware in place and
returning diagnostic telemetry—receive the update as part of monthly
cumulative updates. The March 2026 Patch Tuesday cycle notably expanded
the rollout to more devices.
For IT-managed environments, enterprises can accelerate the process using Group Policy (navigating to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and enabling the "Secure Boot certificate deployment" policy), registry keys (setting the AvailableUpdates DWORD to 0x5944),
Microsoft Intune, or the new Windows Configuration System (WinCS)
command-line tools available on Windows 11 versions 23H2, 24H2, and
25H2.
A critical prerequisite that administrators must not overlook:
OEM firmware updates must be applied before the Windows certificate
update lands. The firmware layer is the foundation. Without it,
certificate update attempts on some devices can fail or, in edge cases,
cause boot problems. Microsoft has been coordinating closely with major
OEMs including Dell, HP, and Lenovo, and all three have published
platform-specific guidance and firmware updates for supported hardware
lines.
Windows Server is a distinct case. Unlike Windows PCs, Server
instances do not receive the 2023 certificates through the automatic CFR
pathway. IT administrators managing Windows Server 2022, 2019, 2016,
and 2012/R2 must manually initiate the update. Windows Server 2025,
certified server platforms, and most hardware built in 2024 and 2025
already include the 2023 certificates in firmware. Microsoft hosted
Secure Boot Ask Microsoft Anything (AMA) sessions in December 2025 and
February 2026 for enterprise administrators, with another session on
March 12, 2026.
"HP is working closely with Microsoft to ensure
firmware updates are available so that all supported HP PCs running
Windows 11 can adopt the new Secure Boot certificates before legacy
certificates expire."
— HP Statement, Microsoft Windows Experience Blog, February 2026
The High-Risk Groups: Who Is Most Exposed
User Group | Risk Level | Primary Issue | Recommended Action
Windows 11 (managed updates, modern hardware) | Low | None expected; update arrives automatically | Verify via PowerShell (see below)
Windows 10 with ESU enrollment | Low–Med | Certificates delivered via Windows Update through Oct 2026 |
 | | Shim binaries may require distribution-level updates | Check distribution guidance; test in non-production before June 2026
Virtual machines (Hyper-V, cloud) | Medium | Both host and guest VMs may need separate certificate updates | Update both layers; consult Azure 2603 release guidance for cloud VMs
The Windows 10 Problem Is Large and Real
Microsoft's Windows 10 mainstream support ended on October 14,
2025. Devices running Windows 10 without Extended Security Update (ESU)
enrollment receive no further Windows Updates of any kind—which means
they receive no automatic Secure Boot certificate delivery. The problem
is structural: Windows 10 powered an estimated majority of the Windows
installed base at end-of-life, and many of those machines cannot run
Windows 11 due to the TPM 2.0 hardware requirement.
A commercial ESU license for Windows 10 version 22H2 costs $30
per device and covers security updates through October 13, 2026.
Consumer ESU is also available for free to Microsoft account holders via
Windows Backup enrollment, or through redemption of Microsoft Rewards
points. European Economic Area customers qualify for free consumer ESU
automatically. For devices that can run Windows 11, upgrading is the
cleanest path. For devices that cannot—a population running into the
tens of millions globally—the combination of expired OS support and
expiring Secure Boot certificates represents a compounding security
liability.
There is an additional problem that no Microsoft update can fully
solve: hardware abandonment. Major OEMs including HP, Dell, and Lenovo
have committed to providing firmware updates for currently supported
hardware lines, but enterprise IT managers have already reported cases
where OEMs are refusing to provide BIOS updates for devices outside
their support lifecycle—even hardware that is otherwise fully
functional. Without an OEM firmware update that prepares the UEFI
environment, Windows cannot safely apply the new certificates. As one IT
manager noted in the Microsoft Tech Community forums: "Many OEMs are
not covering BIOS updates for devices fully compatible with Windows 11
older than five to six years old for this change."
How to Verify Your Status Right Now
You do not need to wait for an update notification to check
whether your PC has already received the new certificates. Microsoft
provides two verification methods.
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
A result of True confirms the Windows UEFI CA 2023 certificate is present in the Secure Boot DB. A result of False means it has not yet been applied to your system.
Note: Presence of the
certificate in the DB does not necessarily mean the full rollout is
complete. The KEK and boot manager must also be updated.
Open Event Viewer and navigate to Windows Logs > System. Use "Filter Current Log" and select source TPM-WMI (or Microsoft-Windows-TPM-WMI). Look for:
Event ID 1808 — "This
device has updated Secure Boot CA/keys." This confirms that all needed
certificates have been applied to firmware and the boot manager has been
updated.
Event ID 1043 — "Secure Boot KEK update applied successfully." Confirms the KEK specifically.
Event ID 1801 — Indicates that some or all updated certificates and the 2023-signed boot manager have not yet been applied.
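The two checks above can be combined into a single function that is easier to run across a fleet. This is an added example, not a Microsoft script or part of the original article; the function name Get-SecureBoot2023Status and its verdict strings are assumptions of this example, while the certificate name, event source and event IDs are the ones listed above.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param(
        # The article gives both spellings of the event source; try each.
        [string[]]$ProviderName = @('Microsoft-Windows-TPM-WMI', 'TPM-WMI')
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $null
        DbHasCa2023  = $null
        Event1808    = $null   # all certificates applied, boot manager updated
        Event1043    = $null   # KEK update applied
        Event1801    = $null   # some or all updates still pending
        Verdict      = 'Unknown'
    }

    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.DbHasCa2023 = $text -match 'Windows UEFI CA 2023'
    }
    catch {
        # Raised on legacy BIOS systems or when the session is not elevated.
        $result.Verdict = "Cannot read Secure Boot variables: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    foreach ($id in 1808, 1043, 1801) {
        $found = foreach ($provider in $ProviderName) {
            try {
                Get-WinEvent -FilterHashtable @{
                    LogName      = 'System'
                    ProviderName = $provider
                    Id           = $id
                } -MaxEvents 1 -ErrorAction Stop
            }
            catch {
                # No matching event, or the provider is not registered under this name.
            }
        }
        $latest = $found | Sort-Object TimeCreated -Descending | Select-Object -First 1
        if ($latest) { $result["Event$id"] = $latest.TimeCreated }
    }

    # Event 1808 only counts if it is newer than the last "still pending" event 1801.
    $done = $result.Event1808 -and
            ((-not $result.Event1801) -or ($result.Event1808 -gt $result.Event1801))

    if ($done -and $result.DbHasCa2023) {
        $result.Verdict = 'Complete: event 1808 logged and CA 2023 present in DB'
    }
    elseif ($result.DbHasCa2023) {
        $result.Verdict = 'Partial: CA 2023 in DB, KEK or boot manager not yet confirmed'
    }
    else {
        $result.Verdict = 'Not applied: CA 2023 absent from DB'
    }

    [pscustomobject]$result
}

Get-SecureBoot2023Status | Format-List
```

A "Partial" verdict corresponds to the note above: the certificate can be in the DB while the KEK and boot manager updates are still outstanding.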
What Happens After June 2026 if You Miss the Update
Microsoft has been clear and consistent on one point: missing
this deadline does not brick your machine. It will still boot. Standard
monthly Windows security updates will still install. But the inability
to update boot-level protections becomes a compounding problem over
time. Newly discovered bootkit vulnerabilities will have no available
mitigation path. New signed software using only the 2023 certificates
will be untrusted by firmware that still only carries the 2011
certificates—potentially affecting third-party bootloaders and option
ROMs as vendors begin signing exclusively with the new CA. And the
revocation mechanisms that allow Microsoft to block compromised binary
signatures from running during boot will cease to function.
Security researchers and Microsoft alike describe this as
entering an increasingly degraded security posture, not an immediate
catastrophe. But the analogy to an unpatched system is apt: every day
without the fix is a day the attack surface is larger than it needs to
be, against adversaries who are aware of the gap.
The Bottom Line for PC Magazine Readers
For most home Windows 11 users who allow Microsoft to manage
their updates: this is already being handled on your behalf. Install the
"Secure Boot Allowed Key Exchange Key (KEK) Update" when it appears in
Windows Update—or verify it has already been applied using the
PowerShell command above. A single reboot is all that is required; no
BIOS changes, no visible performance impact.
For Windows 10 users: check your ESU enrollment status today. The
$30 per-device commercial option or free consumer ESU through your
Microsoft account is worth every cent to maintain both OS security
patches and Secure Boot certificate delivery through October 2026. After
that, hardware replacement or Windows 11 upgrade is the only supported
path.
For IT administrators: do not assume Windows Update alone is
moving fast enough in your environment. Audit your fleet's Secure Boot
status using the registry key UEFICA2023Status, apply OEM
firmware updates before the Windows certificate update arrives, manually
address all Windows Server instances, and treat June 27, 2026 as a hard
deadline, not a suggestion. Microsoft is hosting a dedicated Secure
Boot Technical Takeoff session for IT professionals—attendance is
worthwhile if you are managing a significant device fleet.
The certificate expiration is not the new Y2K—there is no
midnight cliff where machines stop working. But it is a genuine,
deadline-driven security maintenance event with real consequences for
devices left behind. The rollout infrastructure is in place. The tools
exist. The window to act before the deadline is open right now.
Parmar, Mayank. Windows 11 gets Secure Boot Allowed Key Exchange Key (KEK) update on more PCs, requires a reboot to install. Windows Latest, March 2026. https://www.windowslatest.com
From a verified FDA warning letter and live
class-action litigation to a state glyphosate study that alarmed
consumers—yet left federal safety limits untouched—we separate
documented fact from viral exaggeration in the American bread industry.
Bottom Line Up Front
Several serious, documented concerns exist in the commercial bread industry: Bimbo Bakeries USA—the
world's largest baker and owner of Sara Lee, Wonder Bread, Arnold,
Brownberry, Ball Park, and many other household names—received an FDA warning letter in June 2024 for falsely listing allergens on product labels, and faces a federal class-action lawsuit filed November 2025
alleging "no artificial preservatives" claims are contradicted by the
presence of citric acid. Wonder Bread's predecessor was fined by the FTC
in 2002 for unsubstantiated children's health claims. The Florida
Department of Health detected glyphosate in six of eight tested bread
products in February 2026—but all results fell within federal safety limits,
a critical context omitted by viral social media videos. The dough
conditioner azodicarbonamide (ADA) remains legal in the U.S. at up to 45
ppm but is banned in the EU and Australia. The dominant story behind
American bread labeling is the extraordinary market concentration produced by Grupo Bimbo's decades of acquisitions,
which placed dozens of seemingly independent brands under a single
corporate parent. Shoppers seeking cleaner options have documented
alternatives, but claims that every commercial loaf is acutely dangerous
are not supported by current regulatory science.
Consumer Advocate Report
At my supermarket (Vons) there's a "bread" aisle on one side of the store, and a totally separate "baked goods" aisle on the other side. I think they're trying to tell me something. It's partly deliberate and partly just the weird logic of how supermarkets evolved.
The "bread" aisle is ambient shelf-stable product: highly processed, loaded with preservatives (calcium propionate, cultured wheat starch, vinegar) specifically engineered to sit unrefrigerated for weeks without molding. The long shelf life is the product. That's why it can live in a center aisle next to crackers and cereal.
The "bakery" side is either actually baked in-store or delivered fresh daily with a 2–3 day sell-by. No or minimal preservatives, which is why it needs to be near the perimeter where staff can rotate and pull product. Vons/Albertsons bakeries typically produce their own rolls, sourdough rounds, and sandwich loaves in-store every morning.
The quiet implication you're picking up on is real: the bakery side is closer to what humans have eaten for 10,000 years, and the bread aisle is a mid-20th century industrial invention. They can't really share shelf space because their supply chains, spoilage timelines, and ingredient philosophies are completely different.
The darkly funny version: one aisle sells a food product that contains bread. The other aisle sells bread.
Vons' parent company (Albertsons) is also one of Bimbo's private-label manufacturing customers, so there's a decent chance a meaningful portion of that center aisle — across multiple brand names at different price points — came out of the same facility.
Estimated Price per Ounce & Quality Summary for All Evaluated Bread Brands
Retail prices are approximate, drawn from Walmart,
Kroger, and regional grocery data as of early 2026. Price per ounce
allows apples-to-apples comparison across loaf sizes. Quality ratings
reflect ingredient transparency, additive load, nutritional density, and
documented regulatory issues—not taste preference.
Master Price & Quality Reference Table
ⓘ Prices reflect standard shelf price at major
retailers (Walmart used as primary benchmark for consistency). Sale
prices can be 15–40% lower. "Quality" ratings use a 5-point scale
combining: ingredient list length/complexity, presence of dough
conditioners, added sugars, sodium per slice, fiber content, and any
documented regulatory issues. Higher = cleaner/more nutritious profile.
Corporate parent noted for transparency.
| Brand | Typical Size | Est. Price | Est. ¢/oz | Tier | Quality Rating | Corporate Parent | Key Concerns / Notes |
|---|---|---|---|---|---|---|---|
| Wonder Bread Classic White | 20 oz | $2.29–$3.49 | 11–17¢ | Budget | POOR (2/5) | Flowers Foods | FTC 2002 settlement; glyphosate detected; enriched flour; high sugar; long additive list |
| Great Value (Walmart) Wheat | 20 oz | $1.98–$2.48 | 10–12¢ | Budget | POOR (2/5) | Bimbo (mfr.) | Made by Bimbo for Walmart; 2015 glass-fragment recall; classified ultraprocessed; HFCS |
| Sunbeam White / Texas Toast | 20 oz | $2.49–$3.29 | 12–16¢ | Budget | POOR (2/5) | Flowers Foods | ~190–200 mg sodium/slice; azodicarbonamide (ADA) documented in formulations; enriched flour |
| Market Pantry (Target) | 20 oz | $1.99–$2.49 | 10–12¢ | Budget | POOR (2/5) | Third-party (likely Bimbo) | Longest additive lists; most aggressive preservation; lowest cost = most ingredient compromises |
| Bimbo Soft White | 24 oz | $2.49–$3.49 | 10–15¢ | Budget | POOR (2/5) | Bimbo Bakeries | High sodium, very low fiber; calcium propionate; DATEM/monoglycerides; FDA allergen warning applies to parent company |
| Nature's Own Butterbread | 20 oz | $3.49–$4.49 | 17–22¢ | Mid | POOR (2/5) | Flowers Foods | Highest glyphosate in FL study (190 ppb); artificial butter flavoring; enriched flour; misleading "natural" branding |
| Nature's Own 100% Whole Wheat | 20 oz | $3.64–$4.49 | 18–22¢ | Mid | FAIR (3/5) | Flowers Foods | Better nutritional profile: 2g fiber, 4g protein, 1g added sugar per slice; but calcium propionate; moderate additive load |
| Sara Lee Honey Wheat | 20 oz | $3.28–$4.49 | 16–22¢ | Mid | POOR (2/5) | Bimbo Bakeries | Glyphosate detected (FL study); crumbling texture complaints; thin slices; poor freshness reviews; FDA allergen letter applies |
| Sara Lee Artesano Original | 20 oz | $4.49–$5.49 | 22–27¢ | Mid | FAIR (3/5) | Bimbo Bakeries | No detectable glyphosate (FL study); thick slices well-reviewed; BUT active class-action over "no artificial preservatives" claim (citric acid); FDA allergen letter applies to parent |
| Good & Gather (Target) | 20 oz | $2.99–$3.99 | 15–20¢ | Mid | POOR (2/5) | Third-party (likely Bimbo) | Same additive profile as national brands; sodium comparable or higher; enriched flour primary ingredient; limited transparency on manufacturer |
| | | | | | | | No detectable glyphosate (FL study); decent texture; BUT 230 mg sodium/slice is among the highest tested; enriched flour primary; 4g added sugar/slice |
| Arnold / Brownberry / Oroweat Whole Grain | 20–24 oz | $4.29–$5.49 | 18–27¢ | Mid–Premium | FAIR (3/5) | Bimbo Bakeries | Same product, three names (see below); whole grain lines reformulated to remove ADA, DATEM, HFCS (2019); FDA allergen warning applies to parent company; tree nut mislabeling issue on 12 Grains variety |
| Ball Park Buns | 15 oz (8 ct) | $3.49–$4.49 | 23–30¢ | Mid | POOR (2/5) | Bimbo Bakeries | Refined enriched flour; HFCS; multiple dough conditioners; included in FDA allergen warning letter scope; high sodium per serving combined with typical hot dog fillings |
| Mrs. Baird's White | 20 oz | $2.99–$3.99 | 15–20¢ | Budget–Mid | POOR (2/5) | Bimbo Bakeries | Regional (TX/South); standard commercial formula; enriched flour; HFCS; calcium propionate; heritage brand image vs. industrial reality |
| King's Hawaiian Rolls | 12 oz (12 ct) | $4.49–$5.99 | 37–50¢ | Mid–Premium | POOR (2/5) | King's Hawaiian (independent) | 5g added sugar/roll; near-zero fiber; saturated fat ~50% of total fat; indulgent product openly marketed as such; concern is frequency of use, not occasional enjoyment |
| Dave's Killer Bread 21 Whole Grains | 27 oz | $5.99–$6.98 | 22–26¢ | Premium | GOOD (4/5) | Flowers Foods (since 2015) | Organic; lowest glyphosate in FL study (10.38 ppb); 5g fiber + 5g protein/slice; No HFCS, no artificial preservatives; 2g added sugar/slice is only notable concern; widely available |
| Ezekiel 4:9 Sprouted Grain (Food for Life) | 24 oz (frozen) | $6.39–$7.53 | 27–31¢ | Premium | BEST (5/5) | Food for Life (independent) | Flourless sprouted grains; zero added sugar; no preservatives; complete plant protein (all 9 essential amino acids); low glycemic index (36); requires freezer section; dense texture not for everyone; found at Trader Joe's as low as ~15¢/oz |
| Silver Hills Sprouted Bakery | 24 oz | $5.99–$7.99 | 25–33¢ | Premium | BEST (5/5) | Silver Hills (independent) | Organic sprouted grains; no added sugar; no preservatives; no artificial anything; transparent sourcing; clean enough that you can pronounce every ingredient |
| Angelic Bakehouse Sprouted Whole Grain | 20.5 oz | $5.49–$6.99 | 27–34¢ | Premium | GOOD (4/5) | Angelic Bakehouse (independent) | Sprouted whole grains; no HFCS; no artificial preservatives; no dough conditioners; available at Walmart, Target, Kroger; good accessibility for a clean-label brand |
ⓘ Price note: Prices vary
significantly by region, retailer, and promotion. Figures reflect
approximate mid-2025 to early-2026 standard shelf prices at major
chains. Organic sprouted breads are often 30–50% cheaper at Trader Joe's
or Costco than at standard grocery chains. Quality ratings reflect a
nutritional/regulatory assessment, not a taste ranking.
Are All Bimbo Brands Basically the Same?
The short answer: it depends on which brands you're comparing.
Bimbo owns dozens of brands, but they fall into three distinct
categories with genuinely different formulas, price points, and quality
profiles.
The clearest case of identical products under different names:
Arnold (East Coast), Brownberry (Midwest), and Oroweat (West Coast) are
confirmed by Bimbo Bakeries itself to be the same products sold under
regional names. The breads feature the same label, same recipes, and
same formulations—packaged differently only to preserve regional brand
loyalty. Choosing between them is purely a geography artifact, not a
quality or value decision.
↔ Identical Products
Arnold / Brownberry / Oroweat
East / Midwest / West Coast — same recipes
Confirmed by Bimbo and industry reporting to be
the same products under regional brand names. All three have been
reformulated since 2019 under the "No Added Nonsense" initiative,
removing ADA, DATEM, HFCS, and artificial preservatives from the whole
grain lines. Premium price tier (~20–27¢/oz). Among the better Bimbo
offerings nutritionally, though the Brownberry 12 Grains variety was
specifically named in the FDA allergen warning letter for listing tree
nuts that weren't present.
≠ Distinct Products
Sara Lee
Acquired 2011 — National brand, multiple sub-lines
Not the same as Arnold/Brownberry/Oroweat. Sara
Lee has its own distinct formulas across sub-brands. The Artesano line
uses thick-sliced enriched flour and is positioned as artisan-style. The
Delightful line is thin-sliced and low-calorie. The 100% Whole Wheat is
a budget staple. Sara Lee Honey Wheat and Artesano specifically
appeared in the Florida glyphosate testing and the 2024 FDA allergen
warning letter, respectively. Price range: 16–27¢/oz depending on line.
≠ Distinct Products
Thomas' / Entenmann's
Acquired 2002 — English muffins, sweet goods
Not bread in the traditional sense—Thomas'
produces English muffins, bagels, and sandwich thins; Entenmann's is in
the sweet baked goods category entirely. Different formulas and
positioned differently from the sliced bread portfolio. Both fall under
the FDA allergen warning letter's umbrella of "Bimbo Bakeries USA," but
their specific products were not named in the June 2024 letter.
≠ Distinct Products
Mrs. Baird's
Acquired 1998 — Regional (Texas/South)
Distinct regional formulas but the same
industrial ingredient philosophy as Bimbo's budget tier: enriched flour,
HFCS, calcium propionate. Different from Arnold/Brownberry in that it's
not a premium-positioned whole grain brand—it's a budget-to-mid white
bread staple with strong Southern regional loyalty. The "homestyle"
heritage narrative is marketing; ingredients are standard commercial
fare at ~15–20¢/oz.
≠ Distinct Products
Ball Park Buns
Acquired with Sara Lee 2011 — Rolls/buns category
A buns-and-rolls product specifically
engineered for cookout use—different format and formulation from loaf
bread. High-refinement, HFCS, multiple conditioners. Included in the FDA
allergen warning letter scope under Bimbo's operations. Nutritionally
among the weakest Bimbo offerings.
↔ Similar Formula
Great Value / Store Brands (Walmart, Kroger)
Manufactured by Bimbo under private-label agreements
While not identical to Sara Lee loaf-for-loaf,
store-brand breads manufactured by Bimbo for retailers use the same
industrial template: enriched flour, preservatives, emulsifiers, dough
conditioners. The formulas may differ in minor ways by retailer
specification, but the ingredient philosophy is essentially the same.
You're paying for the name-brand label premium with Sara Lee; not for a
meaningfully different product.
Value Assessment: What Are You Actually Paying For?
The price-per-ounce data reveals a counterintuitive picture. The
cheapest breads (~10–12¢/oz) and some mid-tier name brands (~18–22¢/oz)
deliver essentially the same industrial ingredient formula—enriched
flour, preservatives, dough conditioners. The price difference in that
range is almost entirely about marketing and brand recognition, not
ingredient quality.
Genuinely cleaner ingredients only appear at the premium tier (~25–34¢/oz), with one important exception: Dave's Killer Bread at 22–26¢/oz
delivers an organic, high-fiber, high-protein loaf at a price that
overlaps with name-brand mid-tier breads like Pepperidge Farm. That
makes it the strongest value proposition among the cleaner options for
consumers who shop at mainstream grocery chains.
Ezekiel bread at Trader Joe's (~15¢/oz) breaks the premium rule
entirely—it's the cleanest formulation tested and among the least
expensive per ounce when purchased at the right retailer. The practical
barrier is that it requires freezer storage and its dense texture is not
for every palate.
For consumers managing sodium intake specifically, the findings are striking: Pepperidge Farm Farmhouse White charges a premium price but delivers 230 mg sodium per single slice—higher
than some budget breads. Price does not predict sodium content, and
health-motivated shoppers cannot rely on price tier as a proxy for
sodium management.
The Florida Glyphosate Study: What the Data Actually Shows
The highest reading—191 ppb—is more than 150
times below the federal tolerance for wheat. Detection is not the same
as a safety violation.
The Florida Department of Health, as part of Governor DeSantis's
"Healthy Florida First" initiative, tested eight bread products across
five national brands. Glyphosate was detected in six of the eight
products tested.
Triple-digit glyphosate levels were found in Nature's Own
Butterbread, Nature's Own Perfectly Crafted White, Wonder Bread Classic
White, and Sara Lee Honey Wheat. No detectable glyphosate was found in
Sara Lee Artesano White and Pepperidge Farm Farmhouse White.
| Brand & Product | Glyphosate (ppb) | Within Federal Limits? |
|---|---|---|
| Nature's Own Butterbread | 190.23 | Yes — EPA wheat tolerance: ~30,000 ppb |
| Nature's Own Perfectly Crafted White | 132.34 | Yes |
| Wonder Bread Classic White | ~100+ (reported) | Yes |
| Sara Lee Honey Wheat | elevated | Yes |
| Dave's Killer Bread White Done Right | 11.85 | Yes |
| Dave's Killer Bread 21 Whole Grain | 10.38 | Yes |
| Sara Lee Artesano White | None detected | N/A |
| Pepperidge Farm Farmhouse Hearty White | None detected | N/A |
All of the results published by the Florida Department of Health
fell within federally permitted limits. A joint statement from the
National Association of Wheat Growers, North American Millers'
Association, and American Bakers Association stated: "Food safety is the
top priority for the grain we grow, the flour we mill and the bread we
bake for all Americans," adding that the report "needlessly scares
consumers about trace levels of glyphosate that do not present genuine
risks."
Florida-based toxicologist Alex LeBeau, Ph.D., told Food Safety
Magazine that without important scientific context—including sampling
parameters, analytical methods, laboratory detection limits, and
referenced health thresholds—the results "do not convey any
interpretable meaning" and create "unnecessary alarmist reporting."
The scientific controversy over glyphosate itself is genuine: the
International Agency for Research on Cancer classifies glyphosate as
"probably carcinogenic to humans," while the U.S. Environmental
Protection Agency concludes it is "not likely" to cause cancer when used
as directed. A journal article asserting the safety of glyphosate that
for decades served as a cornerstone piece of regulatory evidence was
recently retracted due to revelations of the authors' previously
undisclosed conflicts of interest. The debate is active; but the Florida
bread data, on its own, did not identify any product in violation of
U.S. law.
ⓘ Notable: Dave's Killer Bread, marketed as organic and certified
non-GMO, still showed low but detectable glyphosate levels. This is
consistent with studies showing that glyphosate residues can persist in
organic grain crops through atmospheric drift and soil carryover, not
intentional application.
How Did Bimbo End Up Owning So Many Brands?
Shoppers who assume they are choosing between competing companies
when they select Sara Lee over Arnold, or Brownberry over Ball Park, may
be surprised to learn they are often buying from the same corporation.
Understanding why requires a brief history of deliberate, aggressive
acquisition.
Bimbo Bakeries USA, Inc. is the American corporate arm of the
Mexican multinational Grupo Bimbo, headquartered in Mexico City and
listed on the Mexican Stock Exchange. Its U.S. story began in 1994,
growing to become the largest bakery company in the United States
through a series of landmark acquisitions.
In 2002, BBU acquired the Western U.S. baking business of George
Weston Ltd., adding Oroweat, Entenmann's, Thomas', and Boboli. In 2008,
Grupo Bimbo purchased the remaining U.S. fresh baked goods business of
George Weston Ltd., adding Arnold, Brownberry, Freihofer's, and
Stroehmann. In 2011, BBU completed its largest acquisition to date: Sara
Lee's North American fresh bakery business, which doubled BBU in size.
The strategy is deliberate. Rather than converting acquired brands
into "Bimbo" products, the company preserves regional loyalties and
consumer trust built up over generations. Arnold is a Northeast
institution. Brownberry resonates in the Midwest. Sara Lee has national
recognition. Ball Park is the default hot dog bun at summer cookouts.
Each of these identities was purchased and maintained intact as a
separate consumer-facing entity. Bimbo Bakeries USA operates more than
60 bakeries, delivering fresh bread, buns, rolls, tortillas, and other
baked goods to millions of consumers across the country.
▶ Major Bimbo Bakeries USA Brands
Sara Lee · Wonder Bread · Arnold · Brownberry · Oroweat · Ball
Park · Thomas' · Entenmann's · Boboli · Freihofer's · Stroehmann ·
Lender's Bagels · Mrs. Baird's · Bays English Muffins · Levy's · Colombo
Source: Bimbo Bakeries USA corporate history; Wikipedia; FDA warning letter (June 2024).
The DOJ Antitrust Division required Bimbo to divest certain Sara
Lee assets when that acquisition closed—Earthgrains facilities in
California and Oklahoma were sold to Flowers Foods, which is now the
other dominant force in American commercial baking, owning Nature's Own,
Wonder Bread, and Dave's Killer Bread. The result is a bread aisle
where two corporate families—Bimbo and Flowers Foods—account for the
majority of national branded loaves.
The FDA Warning Letter: A Documented Regulatory Failure
Of all the claims in circulation about commercial bread, the
allergen-labeling situation at Bimbo Bakeries is the most
straightforwardly documented and the most consequential for public
safety.
On June 17, 2024, the FDA issued a warning letter to Bimbo Bakeries
USA, Inc. because, during two inspections in late 2023, FDA found that
some of the company's bakery products included ingredients that are or
contain major food allergens on their labels, but those ingredients were
not included in the product formulations. Specifically, during a late
2023 inspection in Phoenix, Arizona, the FDA found that certain
ready-to-eat bread products, including Sara Lee brand Artesano Brioche,
Delightful Multigrain, Artesano Golden Wheat, and Artesano Smooth
Multigrain, listed sesame as an ingredient and in their "Contains"
statements even though there was no sesame in the product formulations.
CSPI obtained Bimbo Bakeries' July 2024 response letter through a
Freedom of Information Act request. In that letter, the company explains
that it produces the bread products at multiple facilities—some of
which do use sesame—and argues that uniformly labeling such products for
sesame "protects sesame-allergic consumers" from reaction risks.
Sarah Sorscher, CSPI's Director of Regulatory Affairs, called it "a
perverse response to food safety rules." She added: "You add an
ingredient that could trigger a harmful food allergy reaction, slap a
label on it, and say you've solved the problem. Then you label even
those versions that contain no sesame as containing it."
The broader context matters: the sesame labeling controversy is not
unique to Bimbo. Concerns over labels at Bimbo and other companies
followed a law that took effect in 2022, which added sesame to the list
of major allergens that must be listed on packaging. Because it can be
difficult and expensive to keep sesame in one part of a baking plant out
of another, some companies began adding small amounts of sesame to
products that didn't previously contain the ingredient to avoid
liability and cost. The FDA found this practice unacceptable and said so
explicitly.
The "No Artificial Preservatives" Class Action
A second front of legal accountability opened in November 2025.
Plaintiffs Jessica Pardo and Sthorm Pyrane filed a class-action
complaint against Bimbo Bakeries on November 17 in New York federal
court, alleging violations of state and federal consumer laws. The
plaintiffs claim that the company prominently displays the phrase
"Always baked without artificial colors, flavors & preservatives" on
the packaging of its Artesano bread products, while the ingredient list
contains citric acid.
According to the filing, citric acid functions as a preservative in
bread by slowing spoilage and maintaining freshness. The plaintiffs
assert that commercially used citric acid is almost always produced
through industrial fermentation using Aspergillus niger, a type
of mold, and because that manufacturing method is synthetic, the
ingredient qualifies as artificial under federal food labeling
regulations.
This is not an isolated lawsuit. Similar suits have been filed
against Kraft Heinz over its "no preservatives" macaroni and cheese
marketing, and against Panera Bread over its "No Artificial
Preservatives" dressing labeling. Whether industrially fermented citric
acid constitutes an "artificial preservative" under FDA standards is an
unsettled legal and regulatory question. No judgment has been entered in
the Sara Lee case.
Azodicarbonamide: The Yoga Mat Chemical
ADA is not approved for use as a food additive in either Australia
or the European Union because of safety concerns. The FDA approved ADA
as a food additive in 1962 under the "generally recognized as safe"
(GRAS) standard. In the early 1990s, ADA became the preferred dough
conditioner of many American commercial bakers.
ADA breaks down during breadmaking, and two of its breakdown
products—semicarbazide and urethane—have raised concerns. Semicarbazide
has been shown to cause cancer in mice. Urethane is known to cause
cancer and damage to the reproductive system. WHO's cancer research arm,
IARC, has said urethane probably causes cancer in humans.
The countervailing view deserves equal space: the European Food
Safety Authority has concluded that the level of semicarbazide found in
food products is not a concern to human health, and the current
scientific and regulatory consensus is that ADA is safe to consume at
current permitted levels. The key distinction is between occupational
exposure—where workers handle raw ADA in quantity—and the trace amounts
in baked goods. Use of ADA in products intended for human consumption is
in decline under pressure of public opinion. Subway, McDonald's, and
several other major chains removed it following consumer advocacy
campaigns beginning in 2014.
The core scientific concern
ADA itself breaks down during baking into two byproducts: semicarbazide and urethane. Semicarbazide has been shown to cause cancer in mice, and urethane is a known human carcinogen (Consumer Reports). A 1999 WHO report also linked occupational exposure to ADA in raw form to respiratory issues, allergies, and asthma (Wikipedia) — though that's factory workers handling it in bulk, not consumers eating bread.
The human cancer risk at food-level doses remains genuinely scientifically disputed. The data from animal studies is real, but extrapolating mouse tumor data to human bread consumption is contested territory.
Why other countries banned it: the Precautionary Principle
The EU, Australia, and most other developed nations operate under what's called the precautionary principle: if there's credible evidence of potential harm and the substance isn't essential, ban it until proven safe. The EU banned ADA in food products citing insufficient safety data and the precautionary principle (OnSite Health).
The logic is: bread has been made without ADA for millennia. It's a convenience additive for industrial bakers, not a necessity. So the risk/benefit calculation tips toward banning it.
Why the US hasn't banned it: the GRAS system
The US operates under the opposite framework — substances are permitted unless proven unsafe. The mechanism is the GRAS designation (Generally Recognized as Safe). In the US, ADA is classified as GRAS and permitted in flour at up to 45 ppm (Wikipedia).
Here's where it gets structurally problematic: under current rules, industry can self-affirm that an ingredient is GRAS without notifying the FDA at all (HHS.gov). Nearly 99% of food chemicals introduced since 2000 were approved by the food and chemical industry, not the FDA (EWG). This is the so-called "GRAS loophole" — companies essentially regulate themselves on ingredient safety.
What's actually changing right now
The situation is moving fast on multiple fronts:
Industry is phasing ADA out voluntarily. The American Bakers Association announced that 95% of member companies already do not use ADA, with full industry phase-out expected by December 31, 2026 (Supermarket Perimeter). Consumer pressure — amplified by the "yoga mat chemical" branding — did what regulation didn't.
The FDA announced it's revisiting ADA's approval. In May 2025, the FDA announced plans to revisit its approval of ADA, citing longstanding questions about safety that had caused international health authorities to raise concerns (CBS News).
States are moving ahead of the federal government. New York has proposed banning ADA alongside other additives including BVO, potassium bromate, propylparaben, and titanium dioxide (National Agricultural Law Center). Because large states like California and New York effectively set national standards (manufacturers can't easily make separate formulations for each state), state-level bans function as de facto national bans.
The GRAS system itself is under reform pressure. In March 2025, HHS Secretary Kennedy directed the FDA to explore rulemaking to eliminate the self-affirmed GRAS pathway entirely, which would require companies to submit safety data to the FDA before bringing new food ingredients to market (HHS.gov). However, meaningful GRAS reform would likely overwhelm FDA's review resources — a concern compounded by the fact that thousands of FDA scientists were laid off in April 2025 (Skadden).
The bottom line
The US didn't ban ADA because of a structural regulatory philosophy — permit unless proven unsafe, with industry doing much of the safety self-certification — combined with significant lobbying resistance from the baking industry. The EU banned it because their framework defaults to caution when safety data is incomplete. Neither system is purely scientific; both reflect political and economic choices about who bears the burden of proof.
The practical outcome, somewhat ironically, is that the US is arriving at the same place as the EU — just through market pressure and voluntary pledges rather than law, and about 20 years later. Meanwhile, for 20 years consumers may have been harmed.
Wonder Bread and the FTC: What Actually Happened
The marketers of Wonder Bread agreed to settle Federal Trade
Commission charges that ads claiming that Wonder Bread containing added
calcium could improve children's brain function and memory were
unsubstantiated and violated federal law. The FTC found that Wonder
Bread's then-manufacturer, Interstate Bakeries Corp., aired an ad
featuring a fictional spokesperson called "Professor Wonder," who made
claims that Wonder Bread helps children's minds work better and helps
their memory. The Commission alleged that Interstate Bakeries and its ad
agency did not have adequate substantiation to make such health benefit
claims.
The settlement was a consent order, not a monetary fine—the
companies agreed to cease making such claims without scientific backing.
Future violations of the order would carry an $11,000 per-violation
penalty. Wonder Bread is today owned by Flowers Foods, a different
company, though the FTC order applies to the brand's conduct.
What Consumers Can Do: Evidence-Based Guidance
The underlying issues—industrial concentration,
aggressive marketing claims, and documented regulatory violations—are
real. Here is what current evidence supports:
Read the ingredient list, not the front panel.
Front-of-pack claims like "no artificial preservatives," "natural,"
"whole grain," and "artisan" are marketing language. They are not
legally defined with the precision consumers assume. The ingredient list
on the back is the authoritative source.
Allergen labeling matters acutely. The Bimbo FDA
warning letter is a reminder that even the largest, most sophisticated
manufacturers can list allergens inaccurately. Consumers with sesame or
tree nut allergies should pay close attention and contact manufacturers
directly if a product's labeling is ambiguous.
The glyphosate question is unresolved science, not an active emergency.
The Florida data confirmed that residues exist in conventionally grown
wheat-based products. The levels detected did not exceed federal limits.
If residue minimization is a priority, certified-organic sprouted grain
breads (such as Ezekiel / Food for Life, Silver Hills Bakery, or
Angelic Bakehouse) represent documented lower-exposure alternatives.
ADA is avoidable. If you prefer to avoid
azodicarbonamide, it must be labeled when present. USDA-certified
organic bread cannot legally contain ADA. The EWG Food Scores database
lists products that contain it.
Sodium is the most consistently documented nutritional concern.
Many commercial bread products contain 150–240 mg of sodium per
slice—up to 10% of the daily recommended value in a single slice. For
consumers managing hypertension or heart disease, this cumulative load
is a legitimate dietary concern supported by extensive cardiovascular
research, quite apart from any pesticide or additive controversy.
✓ Brands with Documented Cleaner Profiles
Food for Life Ezekiel 4:9 Bread — Sprouted organic grains, no flour, no added sugar, no preservatives. Found in grocery freezer sections.
Dave's Killer Bread — Organic whole grains; tested among the lowest for glyphosate in the Florida study. Available at most major chains.
Silver Hills Bakery — Organic sprouted grains, no added sugar, no preservatives, transparent sourcing.
Angelic Bakehouse — Sprouted whole grains, no artificial preservatives, no HFCS, no dough conditioners. Available at Walmart, Target, and Kroger.
Local and artisan bakeries using traditional fermentation (true
sourdough: flour, water, salt, wild yeast culture only) remain among the
cleanest options. If commercial yeast appears alongside "sourdough" in
the ingredient list, the bread was not traditionally fermented.
Bhagan, S., Doell, D., et al. Exposure Estimate for Semicarbazide from the Use of Azodicarbonamide in Bread. U.S. FDA, College Park, MD. Presented research document.
Noonan, G.O., Warner, C.R., et al. "Ethyl Carbamate Levels Resulting from Azodicarbonamide Use in Bread." Journal of Agricultural and Food Chemistry, 2005; 53:4680. https://pubmed.ncbi.nlm.nih.gov/9059587/