I believe I have stumbled upon two of Microsoft's most-startling and best-kept secrets, the ramifications of which for Linux and open source are profound.

The revelation began when I realized that I had been mistaken in thinking that the lack of a well-funded marketing department could prevent open source and free software from displacing the commercial variety. The events of the past few months demonstrate that free software is being promoted by the richest and most-talented marketing organization on the planet: Microsoft.

Consider for a moment what a well-orchestrated promotional stunt the Microsoft SQL Server Slammer worm proved to be. Does anyone honestly think it was a coincidence that Slammer brought the Internet to its knees before the echoes of Bill Gates' state of the union on trustworthy computing address could fade? The timing was as impeccable as food to a beakless chicken.

The second clue as to its intentional nature was the widespread deployment of the vulnerability. Many folks mistakenly think that Microsoft SQL Server was the only product involved. Not so; this vulnerability exists in page after page of Microsoft products. Here is a partial list of the products containing the weakness:

SQL Server 2000 (Enterprise Edition, Developer Edition, and Personal Edition)
.NET Framework
ASP.NET Web Matrix
Visio Enterprise Network Tools
Visual FoxPro
Visual Studio .NET
Visual Basic .NET
Visual C++ .NET
Visual C# .NET
Office XP Premium, Professional and Developer editions
Project Server 2002
Windows Enterprise Server
Windows Server 2003
... and many, many more.

If the above isn't enough to tip one off to the promotional nature of Slammer, the intelligent design that went into the bug should remove all doubt. If you think buffer overflow was the weakness exploited by Slammer, you would be only partly correct. As dangerous as buffer overflows may be, they are relatively benign unless one can exploit them via the network. Unless you are willing to embed a buffer overflow into a core public network service such as a Web site, FTP server or e-mail, it takes a concerted effort to make it available to crackers. Database servers are particularly hard to crack, because no sane software company would make one listen to the Internet by default.

Here's why: if you are using a database for a Web site, and the Web server is on the same machine as the database, one doesn't need to use networking at all to make the Web server communicate with the database. Assuming it is desirable to use a network port for communications between Web server and database, one only has to configure the database to listen to the local host (the same machine) and no outside requests. Even if the server and database reside on separate machines, it is a simple matter to tell the database to listen only to specified IP addresses (i.e., the Web server machine) or all machines on the internal network.

Under normal circumstances, one would have to deliberately configure a database server to be vulnerable to outside attack. Microsoft circumvented this limitation by opening up the port to the world. Then it embedded the engine in so many of its applications that hardly a Windows machine on the Internet lacked the vulnerability!