Letter to the Editor of the Indian Express about the SQL Slammer worm

Your editorial “When the worm turns”, on 28th January, brings to the fore a worrying aspect of computing that seems to have escaped the notice of most of us.

The SQL Slammer worm, as you mentioned, exploited a gaping vulnerability (a buffer overflow in the resolution service of SQL Server 2000 and MSDE 2000) in the Microsoft database program SQL Server, used by a great many businesses around the world on their mission-critical systems. You have described the enormous damage it caused around the world, particularly in “wired” countries.

Now, at the end of your editorial you have written “Now, if only Microsoft would hurry up and plug that glitch in their software.” This is a crucial point to make and is the crux of my whole argument: should the world rely on just one company to keep its systems, worth billions and billions of dollars, up and running? By this I do not mean that Microsoft is to blame per se. It is perfectly natural on its part to provide software that businesses need. The fatal mistake that businesses are making is going in for software that is closed source, like all of Microsoft’s.

Closed source software is the kind that does not allow the end user to see or modify the source code (the files written in various programming languages that make up the end product). This means that Microsoft, and Microsoft only, can control SQL Server (and indeed all its other products). Any vulnerability in the program can be fixed only through patches issued by Microsoft, which may choose when to do so and to whom to distribute these patches. True, major anti-virus companies have issued fixes to guard against this worm and others, but as usual this is a reaction: these are steps taken only after the damage has occurred. The question we need to ask ourselves is “Why should there have been such a vulnerability in the first place?” This vulnerability remained because no one was able to review SQL Server’s source code in order to notice the problem. If the source code had been released to the public along with the product (or even as the product was being developed), many of the known and (God forbid!) as yet unknown bugs might have been revealed long ago.

There is a software movement called Open Source Software. This movement believes in free access to the source code of products, and in cooperative development of software. Through this model of software development, excellent products have emerged, such as the Linux operating system and the Apache web server (a web server is the software that drives a website). Open Source Software gives complete control of the software to the end user, with the freedom to use, modify and redistribute the software as he wishes (with some restrictions to maintain the free nature of the software). This is the kind of software we ought to be using, simply because of the control that it grants us. No longer does an organisation have to depend upon a handful of companies to maintain its software, and thus its data.

This last point is important. Most commercial software, especially database products, stores the customer’s data in a proprietary format, which is readable only by that vendor’s software. The details of the format will never be made public. This renders the customer totally dependent on the software vendor to guarantee access to the data. As we all know, data is the cornerstone of any organisation. Should businesses, whether small or colossal, leave control of their data in the hands of a single company?

As far as the question of security goes, Open Source Software undergoes intense testing and review by developers around the world. Most bugs in the software are reported immediately, and fixes are released in a matter of hours, rather than the days or weeks typical of commercial software.

Will the businesses which lost money due to this worm, or the countless users who were unable to access their email, hold Microsoft accountable for the devastation that this worm has caused? No. It will be the insurance companies who will have to dole out any compensation. Time and money lost are lost forever. And after all this, we have no guarantee (and it is unreasonable to expect one) from Microsoft that its products will no longer contain such vulnerabilities.

Microsoft will continue making buggy products, which will become an ever bigger menace to businesses worldwide as computing technology makes further inroads into our lives. It is up to us to decide whether to risk our fortunes upon a single, unaccountable entity, or upon Open Source products, which are freely modifiable, and thus more secure.