Microsoft

Former Microsoft Developer Would Like To See MS-DOS Open Sourced (youtube.com) 113

For over an hour on Saturday, retired Microsoft OS developer David Plummer answered questions from his viewers on YouTube.

Long-time Slashdot reader destinyland writes: He began with an update on a project to test the performance of the same algorithm using 30 different programming languages, and soon tells the story of how he was inspired to apply for his first job at Microsoft after reading Hard Drive: Bill Gates and the Making of the Microsoft Empire.

I decided that this is where I wanted to work, because these guys sound like me, they act like me, they are what I want to be when I grow up. And holy cow, they pay them well, apparently. So I wrote to everybody that I could find that had a Microsoft email address, which was about four people, because I had a software product people had been registering on the Amiga. And one guy, Alistair Banks... responded and he hooked me up with a hiring manager directly in Windows that had an open slot that was hiring... And a couple of interview slots later, I wound up as an intern at MS-DOS working for Ben Slivka.

So you would think, "Oh, an intern on MS-DOS. What'd you do? Format disks?" No — it's amazing to me, actually. They give you as much work as they believe that you are capable of, and — they get you for all that you're worth, basically. They had me write a bunch of major features, like the Smart Drive cache for CD-ROMs was the first thing I wrote. Then I wrote DISKCOPY, making it work, single pass, bunch of features in MS-DOS. I re-wrote Setup to work on a single floppy disk by using deltas and patching in place, DOS 5 to turn it into DOS 6, something like, or maybe it was DOS 6 into 6.2... A whole bunch of features, within the span of, like, three months, which to me was fairly impressive at the time, I thought. And that only got me an interview...


Later he says that he'd like to see most of 16-bit Windows and all of MS-DOS open sourced, along with some select application code from that era.

I don't think there's any reason to hold back any of MS-DOS at this point. They have absolutely no reason to open source any of it, really — other than PR, because all it brings them is potential liability, complaints and angst, and probably nothing positive for putting the code out there and exposing it to ridicule. Because it's ancient code at this point. It's like, "Ha! Look what Microsoft did!" Well, yeah, I know Linux is cool now, but go look at Linux code from 1991 — and I worked on some of that code. Well, '93 I did. It's not the same as what you see today.

So yeah, MS-DOS probably looks archaic — although it's super tight, it doesn't have many bugs. It's just written differently than you would write code today, because you're targeting something that is a very different CPU and memory system and PC as a whole, and it's so much more limited that every byte's sacred, every cycle matters. That kind of thing that you don't worry about now. But I'd still like to see all the code from back then that's not embarrassing released.


And when asked what he misses most about being a Microsoft developer, he answers:

I miss going for lunch with the people that I went for lunch with, and talking to the people that I worked with. Because they were a lot like me, they had similar interests, they had similar abilities, they were people like me. We went for lunch, we ate food, it was awesome, and then we talked about cool things. And we did that every day. And now I don't get to do that any more. I get to do it rarely, because I take guys out for lunch and stuff, but it's not the same. So that's really what I miss.

And I miss somebody always feeding me something interesting to do. Because now I have to go out and find something that's interesting to do on my own. And I can't make everything be monetarily remunerative...

Education

Some Colleges Are Offering Credit for Playing Videogames (msn.com) 82

CalMatters writes: At least six Cal State campuses and nearly all of the University of California campuses have created esports programs since 2015, in which students host and compete in live tournaments, sometimes funded by corporate sponsors. Both Cal State Dominguez Hills and UC Irvine offer certificates in esports, which means students can earn credit for, yes, playing video games.

Educators who support the trend point to the jobs available in gaming and other forms of digital media, while students say esports clubs and classes have given them another way to connect virtually during the pandemic. "Higher ed needs to evolve or die," said Dina Ibrahim, the academic advisor of the SF State esports athletic club and a professor of broadcast journalism. "We need to be teaching students relevant skills, that's going to get them jobs in a rapidly changing landscape...." Ibrahim shared the syllabus for her live stream broadcasting class, which she created after she noticed the effects esports and gaming were having on the field of digital media. In the course, students learn how to market a brand, monetize it, and develop live streamed events using Twitch — an entertainment site mainly aimed at gamers — and other platforms. For their final project, they help organize and market a live-streamed tournament featuring games like Overwatch, Valorant and League of Legends. "What I wanted to do was just provide a venue for students who are doing it anyway, to get credit," said Ibrahim. "And also not just focusing on the gaming community; it's really gaming, plus content creation."

Those skills could help students land their first media jobs, said Mark "Garvey" Candella, director of student and education programs for Twitch... "All the skills that you're learning and using while you participate in gaming and esports are highly transferable and valuable skills in emerging new and digital media," said Candella, who has helped universities establish esports curriculum that uses gaming as a vehicle to teach branding, management and hardware and software knowledge. At Cal State Dominguez Hills, esports academic advisor Ruben Caputo says he's seen 37 students obtain internships based on their work in the program this past year alone... Like other collegiate esports programs, the one at Dominguez Hills started as an informal student club and is now a thriving organization that has obtained sponsorships with companies such as Microsoft and Level Up Esports Apparel. The university is building a new $750,000 esports lab in the campus library, according to the student-run newspaper, The Bulletin. It will be divided into three sections: a classroom, an incubator and a competition area with rows of PCs...

More than 170 schools across the country have varsity esports teams, according to the National Association of Collegiate Esports, but the number with academic programs is much smaller — and students and professors involved in them say they still encounter skepticism from colleagues who see gaming as just a mind-numbing hobby. At UC Irvine, the first California college to pioneer an esports program, students can earn a continuing education certificate but there are no plans to develop a major in the field, said assistant director Kathy Chiang.

"We don't think that there's enough content for that," she said...

Ibrahim argues that gaming "is a huge, profit-churning component of the entertainment industry that can no longer be ignored," adding that gaming students "are getting skills that are going to prime you to work in a very significant industry that's only growing post pandemic."
Python

How Spam Flooded the Official Python Software Package Repository PyPI (bleepingcomputer.com) 41

"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web page for these bogus packages contains spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

In February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation, had told ZDNet that the PyPI admins were working on addressing the spam attack; however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.
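The naming pattern the report quotes (watch-(movie-name)-2021-full-online-movie-free-hd-...) is easy to flag before a maintainer ever looks at the package page. The following is an added example, not code from BleepingComputer or from PyPI, of a small name-only triage heuristic a registry or a security team could run over a feed of newly published package names. The package names and the token list are constructed for this example; as the article notes, the spammers also lift functional code and author metadata from legitimate packages, so a name score is a first filter, not proof.

```python
import re

# Constructed sample of new-package names in the style the report describes
# (not real PyPI data). Real libraries sit next to warez-style spam names.
SAMPLE_NAMES = [
    "requests",
    "watch-army-of-the-dead-2021-full-online-movie-free-hd",
    "numpy-utils",
    "watch-godzilla-vs-kong-2021-full-movie-online-free-hd-4k",
    "discord-nitro-generator-free-keygen",  # constructed, mirrors the February keygen wave
]

# Tokens that mean nothing for a software library but are typical of
# streaming/warez spam. Constructed list; extend from what you actually see.
SPAM_TOKENS = {
    "watch", "full", "online", "movie", "free", "hd", "4k",
    "stream", "streaming", "keygen", "generator", "download",
}
YEAR_RE = re.compile(r"^(19|20)\d{2}$")


def spam_score(name: str) -> int:
    """Score a package name: one point per spam token, one for a bare year,
    one for an unusually long hyphenated name. Higher means more suspicious."""
    tokens = [t for t in re.split(r"[-_.]+", name.lower()) if t]
    score = sum(1 for t in tokens if t in SPAM_TOKENS)
    # A release year embedded in the name ("...-2021-...") is a movie/warez habit.
    if any(YEAR_RE.match(t) for t in tokens):
        score += 1
    # Genuine libraries rarely have six or more hyphen-separated words.
    if len(tokens) >= 6:
        score += 1
    return score


def is_spam_name(name: str, threshold: int = 3) -> bool:
    """Threshold of 3 keeps single incidental words ("free", "download") out."""
    return spam_score(name) >= threshold


def triage(names):
    """Return the subset of names that should go to a human or an auto-quarantine queue."""
    return [n for n in names if is_spam_name(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{spam_score(name):2d}  {name}")
    print("flagged:", triage(SAMPLE_NAMES))
```

In practice this would run on the registry's new-release feed and feed a review queue rather than delete anything automatically; a second signal, such as comparing the uploaded files' author fields against the packages they were copied from, is needed to catch the lifted-code variants the article mentions.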

Bitcoin

Papa John's Celebrates 'Bitcoin Pizza Day' - as Price of Bitcoin Drops to $38,240 (msn.com) 119

Business Insider revisits the story of why May 22nd is celebrated as "Bitcoin Pizza Day." Exactly 11 years ago today, a software programmer from Florida, Laszlo Hanyecz, became well known in the crypto world after trading 10,000 bitcoins for two Papa John's pizzas. In honor of that purchase, the date is now celebrated in the crypto calendar as "Bitcoin Pizza Day."

"It wasn't like bitcoins had any value back then, so the idea of trading them for a pizza was incredibly cool," Hanyecz said in an interview with the New York Times in 2013... In 2018, he gave an interview to Cointelegraph. He said: "You know, I don't regret it. I think that it's great that I got to be part of the early history of bitcoin in that way, and people know about the pizza and it's an interesting story because everybody can kind of relate to that and be [like] - "Oh my God, you spent all of that money!"

So today Papa John's is giving away 10,000 slices of pizza to commemorate their place in history, another Business Insider article reports. Justin Falciola, SVP, chief insights & technology officer, tells them that "Celebrating National Bitcoin Pizza Day felt like a natural extension of Papa John's historical tie to the bitcoin story... It's great for consumer brands to show that they're aware of trends and emerging technologies. The benefit to this is meeting consumers where they are and continuing to build a meaningful connection."

The link between pizza and bitcoin was further observed earlier in the week when crypto investor Anthony Pompliano launched a bitcoin-themed pizza service in the US that won't accept the digital asset as payment. As Insider's Shalini Nagarajan reported, the service will partner with independent pizzerias in 10 cities across the US, but won't accept bitcoin payments. All proceeds will go towards supporting research and development of bitcoin, Pompliano said.
The article also points out that "Earlier this week, the crypto market lost 47% of its value in just seven days," and by Friday one bitcoin was worth $37,340.

But another article notes that the 10,000 bitcoins traded for two Papa John's pizzas would, at one point this year, have been worth $648,950,000.
Businesses

Do You Own a Motorcycle Airbag if You Have to Pay Extra to Inflate It? (hackaday.com) 166

"Pardon me while I feed the meter on my critical safety device," quips a Hackaday article (shared by long-time Slashdot reader AmiMoJo): If you ride a motorcycle, you may have noticed that the cost of airbag vests has dropped. In one case, something very different is going on here. As reported by Motherboard, you can pick up a KLIM Ai-1 for $400 but the airbag built into it will not function until unlocked with an additional purchase, and a big one at that. So do you really own the vest for $400...?

The Klim airbag vest has two components that make it work. The vest itself is from Klim and costs $400 and arrives along with the airbag unit. But if you want it to actually detect an accident and inflate, you need to load up a smartphone app and activate a small black box made by a different company: In&Motion. That requires your choice of another $400 payment, or you can subscribe at $12 a month or $120 a year.

If you fail to renew, the vest is essentially worthless.

Hackaday notes it raises the question of what it means to own a piece of technology.

"Do you own your cable modem or cell phone if you aren't allowed to open it up? Do you own a piece of software that wants to call home periodically and won't let you stop it?"
Encryption

Unprecedented - Cyber Attackers Release Secret Key To Save Irish Health System (bbc.com) 57

Lanodonal shares a report from the BBC: Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover. The Conti ransomware group was reportedly asking the Irish health service for $20 million to restore services after the "catastrophic hack." But now the criminals have handed over the software tool for free. The Irish government says it is testing the tool and insists it did not, and would not, be paying the hackers. Taoiseach (Irish prime minister) Micheál Martin said on Friday evening that getting the software tool was good, but that enormous work is still required to rebuild the system overall.

Conti is still threatening to publish or sell data it has stolen unless a ransom is paid. On its darknet website, it told the Health Service Executive (HSE), which runs Ireland's healthcare system, that "we are providing the decryption tool for your network for free." "But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation." It was unclear why the hackers gave the tool -- known as a decryption key -- for free, said Health Minister Stephen Donnelly.
In an alert made public Thursday by the American Hospital Association, the FBI said the Conti group has also hit at least 16 U.S. medical and first response networks in the past year.
Government

FBI Says Conti Ransomware Gang Has Hit 16 US Health and Emergency Networks (reuters.com) 30

The Federal Bureau of Investigation said that the same group of online extortionists blamed for striking the Irish health system last week have also hit at least 16 U.S. medical and first response networks in the past year. From a report: In an alert made public Thursday by the American Hospital Association, the FBI said the cybercriminals using the malicious software dubbed 'Conti' have targeted law enforcement, emergency medical services, dispatch centers, and municipalities. The alert did not name the victims or go into detail about the nature or severity of the breaches, saying only that they were among more than 400 organizations worldwide targeted by "Conti actors."
IOS

Apple Wants Users To Trust iOS, But It Doesn't Trust iOS Users (theverge.com) 105

Apple's software engineering head Craig Federighi had a tricky task in the Epic v. Apple trial: explaining why the Mac's security wasn't good enough for the iPhone. From a report: Mac computers have an official Apple App Store, but they also allow downloading software from the internet or a third-party store. Apple has never opened up iOS this way, but it's long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is good enough for macOS, Apple's claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices -- and in the process, threw macOS under the bus.

The second difference is data sensitivity. "iPhones are very attractive targets. They are very personal devices that are with you all the time. They have some of your most personal information -- of course your contacts, your photos, but also other things," he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. "All of these things make access or control of these devices potentially incredibly valuable to an attacker." That may undersell private interactions with Macs; Epic's counsel Yonatan Even noted that many telemedicine calls and other virtual interactions happen on desktop. Still, it's fair to say phones have become many people's all-purpose digital lockboxes. The third difference is more conceptual. Federighi basically says iOS users need to be more protected because the Mac is a specialist tool for people who know how to navigate the complexities of a powerful system, while the iPhone and iPad are -- literally -- for babies.

Technology

Snap's New Spectacles Let You See the World in Augmented Reality (theverge.com) 34

Snap's new Spectacles glasses are its most ambitious yet. But there's a big catch: you can't buy them. From a report: On Thursday, Snap CEO Evan Spiegel unveiled the company's first true augmented reality glasses, technology that he and rivals like Facebook think will one day be as ubiquitous as mobile phones. A demo showed virtual butterflies fluttering over colorful plants and landing in Spiegel's extended hand. The new Spectacles have dual waveguide displays capable of superimposing AR effects made with Snapchat's software tools. The frame features four built-in microphones, two stereo speakers, and a built-in touchpad. Front-facing cameras help the glasses detect objects and surfaces you're looking at so that graphics more naturally interact with the world around you.

[...] The idea is to encourage a small portion of the 200,000 people who already make AR effects in Snapchat to experiment with creating experiences for the new Spectacles, according to Spiegel. Like the bright yellow vending machines Snap used to sell the first version of Spectacles several years ago, the approach could end up being a clever way to build buzz for the glasses ahead of their wide release. Spiegel has said that AR glasses will take roughly a decade to reach mainstream adoption. "I don't believe the phone is going away," he told The Verge in an interview this week. "I just think that the next generation of Spectacles can help unlock a new way to use AR hands-free, and the ability to really roam around with your eyes looking up at the horizon, out at the world."

Microsoft

Microsoft Releases SimuLand, a Lab Environment To Simulate Attacker Tradecraft (therecord.media) 10

Microsoft has open-sourced today a tool that can be used to build lab environments where security teams can simulate attacks and verify the detection effectiveness of Microsoft security products. The Record reports: Named SimuLand, the tool was specifically built to help security/IT teams that use Microsoft products such as Microsoft 365 Defender, Azure Defender, and Azure Sentinel. Currently, SimuLand comes with only one lab environment, specialized in detecting Golden SAML attacks. However, Microsoft said it's working on adding new ones. Community contributions are also welcomed, and the reason the project has been open-sourced on GitHub, with Microsoft hoping to get a helping hand from the tens of thousands of security teams that run its software.

"If you would like to share a new end-to-end attacker path, let us know by opening an issue in our GitHub repository, and we would be happy to collaborate and provide some resources to make it happen," Microsoft said today in a blog post. But Microsoft doesn't want only lab environments specialized in executing well-known techniques or adversary tradecraft. The OS maker is also encouraging the community to contribute improved detection rules for the attacks they're sharing, so everyone can benefit from the shared knowledge.

Desktops (Apple)

Craig Federighi Says the Mac Has An 'Unacceptable' Malware Problem (9to5mac.com) 99

Craig Federighi is currently testifying during the Apple vs. Epic lawsuit. While facing questioning from Apple's lawyers, Federighi made some interesting comments about security, particularly noting that the Mac currently has a level of malware that Apple "does not find acceptable." 9to5Mac reports: One of Federighi's goals is to paint the iPhone ecosystem, including the App Store and lack of side-loading support, as a secure and trusted environment for users. To do this, it appears that part of Federighi's strategy is to throw the Mac under the bus. Judge Yvonne Gonzalez Rogers, who is presiding over the Epic vs. Apple case, asked Federighi about why the Mac can have multiple app stores, but not the iPhone. "It is regularly exploited on the Mac," Federighi explained. "iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today." "Today, we have a level of malware on the Mac that we don't find acceptable," Federighi added.

The Apple executive also pointed to Android as another example of a platform with multiple app stores that suffers from security problems. "It's well understood in the security community that Android has a malware problem," he explained. "iOS has succeeded so far in staying ahead of the malware problem." Federighi added that Apple is essentially playing "an endless game of whack-a-mole" with malware on the Mac and has to block "many instances" of infections that can affect "hundreds of thousands of people" every week. Since last May, Federighi testified, there have been 130 types of Mac malware, and one of them infected 300,000 systems. When asked whether side-loading would affect security on iOS, Federighi said things would change "dramatically. No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy," he said.

The Internet

Freenode IRC Staff Quit After New Owner 'Seizes' Control of Network (boingboing.net) 145

Staff at the world's largest FOSS IRC network, Freenode, have resigned following a "hostile takeover." "Seeking to take control of the Freenode IRC network after acquiring Freenode Limited as their live conference organization is reported to be Andrew Lee, the founder of VPN service Private Internet Access (PIA)," reports Phoronix. Aaron Jones, a member of the staff since March 2019, details the sequence of events. Another staff member has provided additional details. Slashdot reader rastos1 writes: As it is now known, the Freenode IRC network has been taken over by a "narcissistic Trumpian wannabe korean royalty bitcoins millionaire," [writes (former) staff member Marco d'Itri]. "To make a long story short, the former freenode head of staff secretly 'sold' the network to this person even if it was not hers to sell, and our lawyers have advised us that there is not much that we can do about it without some of us risking financial ruin."

Fuck you Christel, lilo's life work did not deserve this. What you knew as Freenode after 12:00 UTC of May 19 will be managed by different people.
Freenode Limited has responded to the backlash, writing: "Given the millions I have injected into freenode thus far, the fact I own it and the fact that I protected the freenode staff with professional legal work and funding when they needed help and they could still lie and slander like this... says a lot about who they are. It saddens me that christel was forced out, and I wish she'd feel safe returning. I'm frustrated that tomaw's hostile takeover seems likely to succeed, in spite of all. I simply want freenode to keep on being a great IRC network, and to support it financially and legally as I have for a long time now."
AI

Amazon Extends Moratorium On Police Use of Facial Recognition Software (reuters.com) 56

Amazon said on Tuesday it is extending a moratorium on police use of its facial recognition software. The company imposed the ban last year after the murder of George Floyd by law enforcement in June 2020. Reuters reports: Civil liberties advocates have long warned that inaccurate face matches by law enforcement could lead to unjust arrests, as well as to a loss of privacy and chilled freedom of expression. Amazon's extension, which Reuters was first to report, underscores how facial recognition remains a sensitive issue for big companies. The world's largest online retailer did not comment on the reason for its decision. Last year, it said it hoped Congress would put in place rules to ensure ethical use of the technology, though no such law has materialized. Amazon also faced calls this month from activists who wanted its software ban to be permanent.
Operating Systems

Google and Samsung Are Merging Wear OS and Tizen (theverge.com) 44

Today, Google and Samsung announced that they are merging Wear OS and Tizen in an effort to better compete against Apple's watchOS. "The resulting platform is currently being referred to simply as 'Wear,' though that might not be the final name," notes The Verge. From the report: Benefits of the joint effort include significant improvements to battery life, 30 percent faster loading times for apps, and smoother animations. It also simplifies life for developers and will create one central smartwatch OS for the Android platform. Google is also promising a greater selection of apps and watch faces than ever before. "All device makers will be able to add a customized user experience on top of the platform, and developers will be able to use the Android tools they already know and love to build for one platform and ecosystem," Google's Bjorn Kilburn wrote in a blog post.

Wired has more details on what's to come, including the tidbit that Samsung will stick with its popular rotating bezel on future devices -- but it's finished making Tizen-only smartwatches. There will also be a version of Google Maps that works standalone (meaning without your phone nearby) and a YouTube Music app that supports offline downloads. Oh, and Spotify will support offline downloads on Wear smartwatches, as well. Samsung confirmed that its next Galaxy Watch will run on this unified platform. And future "premium" Fitbit devices will also run the software.

Security

Eufycam Wi-Fi Security Cameras Streamed Video Feeds From Other People's Homes (theregister.com) 7

A software bug that's now been fixed allowed some Eufycam owners to stream video from strangers' homes instead of their own. The Register reports: These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and are viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people's homes -- even those in other countries -- and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker's support forum.

A spokesperson for Anker told us just a small number of customers were affected: "Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users' cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST." We're told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected though not GDPR-armed Europe. "We realize that as a security company we didn't do good enough," the spokesperson added. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again."
Eufy recommends users unplug and then reconnect their devices, log out of the Eufy security app, and log in again to fix the issue.
Google

Google Adds Feature To Zap Recent Search History in Privacy Push (bloomberg.com) 32

Ever wish you could delete the last thing you searched for on Google? Now Google will let you. From a report: Google announced the new feature Tuesday during its I/O software conference, part of a package of privacy controls the Alphabet company is pushing out to appease consumers and regulators. Users now can tap on a tab inside their Google accounts to remove the last fifteen minutes of search history. The company has offered a feature to clear search histories, but people have found that data useful for tools like Maps or been unaware of the ability to delete it. The new ways to give people more privacy controls come after years of scrutiny on the search giant's behavior. "We never sell your personal information to anyone," Jen Fitzpatrick, a Google senior vice president, said at the virtual event. "It's simply off limits."
Security

Try This One Weird Trick Russian Hackers Hate (krebsonsecurity.com) 78

Brian Krebs: In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed -- such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick. The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities. In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country's borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies. [...] Here's the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

Microsoft

Apple and Microsoft's Rivalry Had Cooled. Now It's Back and Getting Testier (bloomberg.com) 43

After collaborating on various projects for several years, the relationship between Microsoft and Apple is getting testier again. From a report: [...] Around the time the PC character reappeared, Microsoft began bad-mouthing Apple to regulators, saying the company's App Store was anti-competitive. The Redmond, Washington, software giant had thrown in its lot with Epic Games, which was suing Apple for booting its Fortnite title from the App Store and accusing the iPhone maker of monopolistic behavior. A Microsoft executive has since testified against Apple at the trial, now in its second week, telling the court that Apple's tight control of its App Store had hurt Microsoft's own gaming efforts. The tensions are unlikely to ease once a verdict comes down because Apple and Microsoft are both looking to dominate the next big things in tech -- from artificial intelligence and cloud computing to gaming, tablets, custom processors and mixed-reality headsets.

The renewed antipathy between Apple and Microsoft started about a year ago. Microsoft had developed a cloud gaming service for iPhones and iPads called xCloud. One app would let users pay a monthly fee to Microsoft and stream dozens of different gaming titles from the cloud. The service was supposed to do for gaming what Netflix did for video, appease gamers and turn Apple devices into a more powerful gaming platform backed by Xbox, one of the hottest names in the industry. But Microsoft never launched the service in its intended form, having failed to persuade Apple to loosen App Store rules forbidding all-in-one gaming services. Originally, Microsoft was barred from launching any cloud-based games at all. But a few months after concerns over the ban on streaming apps went public, Apple tweaked the rules.

Microsoft can now launch a cloud gaming service, but each game must be downloaded separately, defeating the purpose of an all-in-one solution. Now Microsoft is rolling out the service on Apple devices via the web, a much less optimal experience than a real app. Around the same time, Microsoft President Brad Smith began urging U.S. and European antitrust regulators to examine Apple's practices.

United States

How America Will Improve Its Cybersecurity (politico.com) 119

Politico writes: President Joe Biden on Wednesday ordered a sweeping overhaul of the federal government's approach to cybersecurity, from the software that agencies buy to the security measures that they use to block hackers, as his administration continues grappling with vulnerabilities exposed by a massive digital espionage campaign carried out by the Russian government... Biden's order requires agencies to encrypt their data, update plans for securely using cloud hosting services and enable multi-factor authentication...

It also creates a cyber incident review group, modeled on the National Transportation Safety Board that investigates aviation, railroad and vehicle crashes, to improve the government's response to cyberattacks. And it sets the stage for requiring federal contractors to report data breaches and meet new software security standards.

The directive, which sets deadlines for more than 50 different actions and reports, represents a wide-ranging attempt by the new Biden administration to close glaring cybersecurity gaps that it discovered upon taking office and prevent a repeat of Moscow's SolarWinds espionage operation, which breached nine federal agencies and roughly 100 companies... In addition to requiring agencies to deploy multi-factor authentication, the order requires them to install endpoint detection and response software, which generates warnings when it detects possible hacks. It also calls for agencies to redesign their networks using a philosophy known as zero-trust architecture, which assumes that hackers are inside a network and focuses on preventing them from jumping from one computer to another... Officials say current federal monitoring programs are outdated — they can only spot previously identified malware, and they can't protect increasingly pervasive cloud platforms...

Biden's executive order attempts to prevent another SolarWinds by requiring information technology service providers to meet new security requirements in order to do business with the federal government. These contractors will need to alert the government if they are hacked and share information about the intrusion.

The order "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," one senior administration official told reporters. The order notes "persistent and increasingly sophisticated malicious cyber campaigns" that "threaten the public sector, the private sector, and ultimately the American people's security and privacy," calling for "bold changes and significant investments."

But the order also argues that "In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is..." warning that "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." To that end, the order also requires guidelines for a "Software Bill of Materials" or "SBOM," a "formal record containing the details and supply chain relationships of various components used in building software... analogous to a list of ingredients on food packaging." [A]n SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
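The order's description of an SBOM as a machine-readable "list of ingredients" that buyers and operators query for vulnerabilities and licences is concrete enough to show in code. The block below is an added example, not part of the order or of any SBOM tool: it flattens a small SBOM written in the CycloneDX JSON layout (CycloneDX is a real SBOM format; the document itself is constructed by hand), keeps each component's parent so the supply-chain relationship survives, and runs it against a constructed vulnerability feed and a licence allow-list. Every component name, version, licence choice and "EXAMPLE-000x" advisory id is made up for the illustration.

```python
"""Added example: querying a CycloneDX-style SBOM for vulnerable components and
licence policy violations. The SBOM, the vulnerability feed and the advisory
ids are all constructed for this illustration, not real advisories."""
import json
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed SBOM in CycloneDX JSON layout. The application component nests
# the libraries it ships, which is how CycloneDX expresses "X contains Y".
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "agency-portal", "version": "3.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "components": [
       {"type": "library", "name": "libfoo", "version": "1.4.0",
        "licenses": [{"license": {"id": "MIT"}}]},
       {"type": "library", "name": "barlib", "version": "2.3.1",
        "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
     ]},
    {"type": "library", "name": "bazcore", "version": "0.9.7",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]}
  ]
}"""

# Constructed vulnerability feed (placeholder ids, not CVEs). A component is
# affected when introduced <= version < fixed.
VULN_FEED = [
    {"advisory": "EXAMPLE-0001", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"advisory": "EXAMPLE-0002", "name": "barlib", "introduced": "2.0.0", "fixed": "2.3.0"},
    {"advisory": "EXAMPLE-0003", "name": "bazcore", "introduced": "0.9.0", "fixed": "1.0.0"},
]

Component = Dict[str, object]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4' -> (1, 4, 0). Non-numeric suffixes such as '-beta' are dropped,
    which is adequate for the dotted numeric versions used here."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def walk_components(components: Iterable[Component], parent: Optional[str] = None) -> List[Component]:
    """Flatten the component tree, recording each component's parent."""
    flat: List[Component] = []
    for comp in components:
        licenses = [entry["license"].get("id", entry["license"].get("name", "unknown"))
                    for entry in comp.get("licenses", [])]
        flat.append({"name": comp["name"], "version": comp.get("version", ""),
                     "licenses": licenses, "parent": parent})
        flat.extend(walk_components(comp.get("components", []), parent=comp["name"]))
    return flat


def load_components(sbom_text: str) -> List[Component]:
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return walk_components(bom.get("components", []))


def find_vulnerable(components: List[Component], feed: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Match every component against the feed by name and version range."""
    hits = []
    for comp in components:
        version = parse_version(str(comp["version"]))
        for adv in feed:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append({"name": comp["name"], "version": comp["version"],
                             "advisory": adv["advisory"], "parent": comp["parent"]})
    return hits


def license_violations(components: List[Component], allowed: Set[str]) -> List[Dict[str, str]]:
    """Report any component whose licence is not on the allow-list."""
    return [{"name": str(c["name"]), "license": lic}
            for c in components for lic in c["licenses"] if lic not in allowed]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for hit in find_vulnerable(comps, VULN_FEED):
        where = f" (shipped inside {hit['parent']})" if hit["parent"] else ""
        print(f"{hit['advisory']}: {hit['name']} {hit['version']}{where}")
    for bad in license_violations(comps, {"MIT", "Apache-2.0", "BSD-3-Clause"}):
        print(f"licence policy: {bad['name']} is {bad['license']}")
```

The parent field is what makes the result actionable: when the feed flags a library, the operator learns which deliverable actually ships it. The version logic is deliberately simple; a production tool would use the ecosystem's own version semantics and a package URL rather than a bare name, since the same name can exist in several ecosystems.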

ZDNet reports that "the Linux and open-source community are already well on their way to meeting the demands of this new security order," citing security projects in both its Core Infrastructure Initiative (CII) and from the Open Source Security Foundation (OpenSSF).
