Not What It's Cracked Up to Be: Understanding the Microsoft Break-in is Probably Closer Than Most People Think
bob@cringely.com
Last week, it hit the fan that Microsoft's internal corporate computer network had been cracked. Probably because of the name "Microsoft," this was big news. It made the front page of my local rag, the Santa Rosa Press-Democrat, which is owned by the New York Times, so I'll bet it got good play in Manhattan, too. The gist of the story was that mighty Microsoft, home to the smartest and the nerdiest, had somehow been cracked, and that this was both amazing and appalling. What nobody seems to have figured out, however, is that it was probably an inside job.
The stories in the general press were most entertaining in their assessment of the possible damage to Microsoft and the western world, which came down to theft of source code and/or tampering. Theft of source code might be damaging, I suppose, but not in the way that the stories tended to posit. They pretended like Company X might steal the source to PowerPoint and use it to come out with an identical competing product. Microsoft would like nothing more than that. They'd get an immediate injunction against Company X and leverage that into a blanket right to examine the source code of nearly every other PC operating system or application just in case those, too, were powered by Microsoft gray matter. Stealing Microsoft source code to put it in a competing product is crazy.
Then there is the idea that the source code could be stolen, modified, then replaced with some digital time bomb. While this might be an interesting challenge for some computer cracker, it is at best a low percentage bet. For if the time bomb isn't exposed by all the usability testing, alpha and beta testing that takes place in the months before a product finally ships to paying customers, it is still likely to be lost in the inevitable storm of Microsoft-created bugs that accompany every release. Unless it wipes your hard drive clean, such a planted bug would be no news at all.
In fact the only good reason a person would have for stealing Microsoft source code is because it would allow him to see aspects of programs that Microsoft deliberately keeps secret. All those undocumented calls, for example, that allow Microsoft applications to work better with Windows than might the applications from some Microsoft competitor — those would be worth a look. But in such a case, the looking is more powerful for not being noticed, yet the Microsoft cracker apparently wandered around the company network for 12 days before the FBI was called in. Twelve days is hardly a commando raid.
So my guess, given the lack of real reasons for cracking the network in the first place and the flagrant manner in which it was done, is that this break-in was like most others — done primarily because it could be done and by somebody who watched "The Matrix" one time too many.
Microsoft says the attack came using QAZ, a backdoor Trojan that appeared in tainted e-mails starting last summer. It allows crackers to access and control an infected system. TROJ_QAZ was initially distributed as "Notepad.exe," a file attached to seemingly innocent e-mail messages, but sometimes appears with different filenames. Once it tricks you into launching notepad.exe, TROJ_QAZ modifies the Windows registry so that it launches every time Windows is started. TROJ_QAZ also renames the original "notepad.exe" file to "note.com" and then copies itself as "notepad.exe" to the Windows folder. This way, the Trojan is also launched every time a user runs Notepad. The program then listens at a specific TCP port, waiting for orders from its devilish master. TROJ_QAZ also attempts to spread itself to other shared drives on local networks. But it does not mass e-mail itself out to lists in the user's address book.
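The behaviours just described (the renamed original Notepad, the startup entry, the listening control port) are all things a defender can check for on a host. The following is an added example, not code from the column: it maps each described behaviour to a check and runs the checks over constructed snapshots of a Windows folder listing, Run-key values and `netstat -an` output, so it works offline. The control port 7597 is taken from later in the column; the Windows folder path, the registry key path and the Run value name are assumptions, since the column only says the Trojan "modifies the Windows registry so that it launches every time Windows is started".

```python
import re
from dataclasses import dataclass

CONTROL_PORT = 7597           # QAZ's original control port, as stated in the column
WINDOWS_DIR = r"C:\WINDOWS"   # assumed location of the Windows folder
# Assumption: the startup entry lives in the usual per-machine Run key.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches a LISTENING line of Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def parse_netstat_listeners(netstat_text: str) -> set:
    """Return {(proto, port)} for every socket shown as LISTENING."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners.add((m.group(1).upper(), int(m.group(2))))
    return listeners


@dataclass
class HostSnapshot:
    files: set        # lower-case full paths present on disk
    run_values: dict  # value name -> command, read from RUN_KEY
    netstat: str      # raw `netstat -an` output


def check_qaz_indicators(snap: HostSnapshot) -> list:
    """Return a description of each QAZ behaviour found in the snapshot."""
    findings = []
    win = WINDOWS_DIR.lower()

    # 1. The original notepad.exe was renamed to note.com and the Trojan took its name.
    if f"{win}\\note.com" in snap.files and f"{win}\\notepad.exe" in snap.files:
        findings.append("renamed original: note.com sits beside notepad.exe in the Windows folder")

    # 2. Persistence: Notepad is not normally auto-started, so a Run value pointing at it is suspect.
    for name, cmd in snap.run_values.items():
        if cmd.strip().strip('"').lower() == f"{win}\\notepad.exe":
            findings.append(f"startup persistence: {RUN_KEY}\\{name} launches notepad.exe")

    # 3. The backdoor waits for orders on a fixed TCP port.
    if ("TCP", CONTROL_PORT) in parse_netstat_listeners(snap.netstat):
        findings.append(f"control channel: TCP port {CONTROL_PORT} is listening")

    return findings


# Constructed snapshots: one infected host, one clean host.
INFECTED = HostSnapshot(
    files={r"c:\windows\notepad.exe", r"c:\windows\note.com", r"c:\windows\win.ini"},
    run_values={"noteloader": r"C:\WINDOWS\notepad.exe"},  # value name is constructed
    netstat="\n".join([
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
        "  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING",
        "  TCP    10.0.0.5:139           10.0.0.9:1043          ESTABLISHED",
    ]),
)
CLEAN = HostSnapshot(
    files={r"c:\windows\notepad.exe", r"c:\windows\win.ini"},
    run_values={},
    netstat="  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_qaz_indicators(snap))
```

Each check corresponds to one sentence of the description, which is the point: none of them needs a signature database, only knowledge of what the Trojan changes on the host. On a real machine the three inputs would come from a directory listing, a registry export and `netstat -an`, and the server- and gateway-side antivirus mentioned later in the column would be the first line rather than this host check.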
Some break-ins will always happen, of course. Give 30,000 employees a computer or two each and some slip-ups are bound to happen. Nearly every company has been cracked at one time or another. And it is unrealistic to expect that any outfit — even Microsoft — would be immune. It's not surprising, either, that Microsoft, for all its technical arrogance, was caught flat-footed and then embarrassed over and over again. Sometimes the most sophisticated organizations have the poorest checks and balances.
Still, Microsoft should have known better. The means of access was known and obvious. The means of fighting infestation were well known, too. This is not rocket science. Microsoft, for all its technology, blew it. This break-in should never have happened. And calling in the FBI, well, that's a synonym for calling in the Seattle Times, since its major function is typically to create a news event, not to catch a criminal. So Microsoft has the FBI scouring cyberspace for the usual suspects, who are supposed to be either European anarchists or poorly socialized teenagers who happen to prefer cracking computers to taking guns to school. But what if there are no teenagers?
There is something wrong with this picture. Why couldn't Microsoft catch the perp after 12 days of trying? Why did they call the FBI? Why were they so poorly protected in the first place? Of course, I have a theory.
Microsoft doesn't need the resources of the FBI to catch a computer cracker. Microsoft has (or can afford to hire) data security resources far beyond anything the FBI has to offer. The FBI was brought in for only one reason — because the whole thing was an inside job. That would explain the FBI, there to arrest an employee gone awry or — better still — to put the Fear of Bill in every Microsoft employee so it doesn't ever happen again.
This is more than just guessing on my part. Many oddities in the case can almost only be explained if it was an inside attack.
The original QAZ used port 7597 for control. If the Microsoft Web site allows unrestricted inward access to port 7597, I would be surprised, though again I do not know how their firewall (and I assume they have one) is configured.
What I have heard indicates that the original infection was to a developer's home machine. The developer had inward access to the Microsoft internal network. The developer's machine did not have anti-virus software running and there was no check of the machine prior to allowing the login.
This is all possible, but it would indicate incredibly sloppy security.
Next, the infected machine surveyed the internal network and then e-mailed data to an outside site. This indicates either that there is no internal control over which machines are allowed direct SMTP outward access or the machine was dual-homed — that is, it had connection simultaneously to the Microsoft internal network and to an outside ISP.
The probability that the machine was dual-homed is reinforced by the fact that the outsiders were able to reach at least one machine and access the network simultaneously. It is the simplest answer that fits what is known; however, dual-homing is not a part of any shipping Microsoft product that I know of.
Now one story said Microsoft discovered the break-in through an intercepted e-mail. That implies they do allow outward SMTP from nodes. Possibly all QAZ did then was to export passwords and accounts, which the hackers were able to use over known access points. That would make more sense than inward 7597.
As you can see, it is possible to do the job without inside help, but it takes a lot of work.
Here's how the same problem is avoided at another big company — this one with more robust data security (though with lower market share) than Microsoft. Such an attack would have had to penetrate a number of well-known defensive layers:
- Antivirus software is available to all users and can be updated at login.
- Only single-homed connections are permitted and those are VPNs.
- Firewalls do not permit nodes to send e-mail via SMTP, only designated servers may do that.
- All 7000 series ports are blocked at the firewalls (in fact NO inward connections to desktops are permitted, and only seven specific outbound protocols are allowed, and those are through proxies).
- While anti-virus mechanisms are provided for all desktops, the real lines of defense are on the servers and gateways. Both can detect QAZ.
Given that none of these techniques appears to have been used at Microsoft, it was more a question of "when" rather than "if" such an attack would happen.
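To show how the firewall layers above would have handled the traffic the column reconstructs (an inward connection to a desktop on the QAZ control port, and a desktop mailing data straight out over SMTP), here is an added example, not the column's or either company's configuration: a small first-match policy evaluator with rules for "no inward connections to desktops", "7000 series ports blocked", "only designated servers send SMTP" and "outbound only through proxies". The address ranges, the relay and proxy addresses and the set of permitted outbound ports are all constructed; the column names seven permitted outbound protocols but does not list them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network layout for the example.
CAMPUS = ip_network("10.0.0.0/8")             # every internal node, desktops included
MAIL_RELAYS = {ip_address("10.1.1.25")}       # the only designated outbound SMTP server
PROXIES = {ip_address("10.1.1.80")}           # desktops reach the Internet only via these
# Constructed stand-in for "only seven specific outbound protocols"; the column does not list them.
PROXY_OUTBOUND_PORTS = {21, 22, 53, 80, 443, 119, 563}
BLOCKED_INBOUND_RANGE = range(7000, 8000)     # "all 7000 series ports"
SMTP = 25


@dataclass(frozen=True)
class Flow:
    direction: str   # "inbound" (Internet -> campus) or "outbound" (campus -> Internet)
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    return ip_address(addr) in CAMPUS


def is_desktop(addr: str) -> bool:
    """Anything on campus that is not a designated relay or proxy is treated as a desktop."""
    a = ip_address(addr)
    return a in CAMPUS and a not in MAIL_RELAYS and a not in PROXIES


def evaluate(flow: Flow) -> tuple:
    """Apply the layered policy first-match; return (decision, reason)."""
    if flow.direction == "inbound":
        if flow.dport in BLOCKED_INBOUND_RANGE:
            return ("deny", f"inbound port {flow.dport} is in the blocked 7000 series")
        if is_desktop(flow.dst):
            return ("deny", "no inward connections to desktops")
        return ("deny", "inbound traffic is not permitted to any node in this example")

    if flow.direction == "outbound":
        src = ip_address(flow.src)
        if flow.dport == SMTP:
            if src in MAIL_RELAYS:
                return ("allow", "designated mail relay may send SMTP")
            return ("deny", "only designated servers may send e-mail via SMTP")
        if src in PROXIES and flow.dport in PROXY_OUTBOUND_PORTS:
            return ("allow", "permitted outbound protocol from a proxy")
        if is_desktop(flow.src):
            return ("deny", "desktops must go through a proxy for outbound traffic")
        return ("deny", "outbound protocol not on the permitted list")

    return ("deny", f"unknown direction {flow.direction!r}")


# The flows the column's reconstruction implies, plus the legitimate paths for comparison.
SCENARIO = [
    Flow("inbound", "198.51.100.7", "10.0.5.7", 7597),   # outsider to a desktop's QAZ control port
    Flow("outbound", "10.0.5.7", "198.51.100.7", 25),    # infected desktop mailing data out directly
    Flow("outbound", "10.1.1.25", "198.51.100.7", 25),   # the designated relay doing the same
    Flow("outbound", "10.0.5.7", "198.51.100.7", 443),   # desktop bypassing the proxy
    Flow("outbound", "10.1.1.80", "198.51.100.7", 443),  # proxy on a permitted port
]


def decisions() -> list:
    return [evaluate(f)[0] for f in SCENARIO]


if __name__ == "__main__":
    for f in SCENARIO:
        print(f.direction, f.src, "->", f.dst, f.dport, evaluate(f))
```

The two flows that the column's timeline depends on, inward 7597 to a desktop and outward SMTP from a desktop, are both denied before any antivirus layer is consulted, which is why the piece treats the server and gateway controls, not desktop antivirus, as the real line of defence.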
But why would someone from the inside even want to do something like this? There is more smart-but-stupid computing energy at Microsoft than probably anywhere else. If somebody is going to be dipping into other people's files, why do we immediately assume the dipper is from outside the building? Morbid curiosity, professional jealousy, romantic fantasy, or just plain technical cockiness could easily explain such an inside job. True, Microsoft found that passwords used to transfer source code were being sent from the company's computer network to an e-mail account in St. Petersburg, Russia, but is that a clue or a clever diversion? I think it was a diversion.
And there is plenty of precedent for such crazy activities from times when the potential cost was far steeper. Remember Richard Feynman's hobby when he was a young physicist helping to build in secret the first atomic bomb at Los Alamos, New Mexico, during the Second World War?
Feynman liked to crack safes.