Former Microsoft contractor Ed Curry says that the company deliberately misledgovernment buyers

A Texas software engineer gave the Defense Department documents that he said prove that
Microsoft Corp. is conducting a campaign to mislead the government about the security
certification status of Microsoft Windows NT.

Ed Curry, whose now-defunct company worked with Microsoft to obtain the National
Security Agency’s C2 certification for NT 3.5 during the mid-1990s, met earlier this
month with Richard Schaeffer, director of information assurance in the Office of the
Assistant Secretary of Defense for Command, Control, Communications and Intelligence.

A Microsoft spokesman in Washington said that poorly worded information on the
company’s Web site may have led to misunderstandings about NT 4.0’s security
rating. He also said Microsoft officials are talking with senior Defense officials about
Curry’s allegations.

“We’re currently working with appropriate senior-level DOD officials on the
issues that Curry has raised,” Keith Hodson, spokesman for Microsoft Federal Systems
in Washington, said. “We’re not refuting Curry’s charges point-by-point
with DOD but rather describing our position with regard to NT security.”

Schaeffer did not promise that DOD would stop using Microsoft products and noted
efforts by the department to use more commercial products generally.

“Mr. Curry provided a summary of his issues with Microsoft and repeated his
concern about the government’s use of Microsoft products, in particular Windows
NT,” DOD spokeswoman Susan Hansen said in a written statement.

“Mr. Schaeffer explained that the department is making more and more use of
commercial security technology and that evaluated products, either in the context of the
Orange Book or the Common Criteria, will become a greater part of the overall security
solutions,” she said.

Schaeffer agreed to meet with Curry after the software engineer warned Defense
Secretary William Cohen in an August letter that NT contained security flaws and claimed
that Microsoft had tried to hide them [GCN, Oct. 12, Page 1].

DOD and civilian agencies have bought millions of copies of Windows NT 3.51 and 4.0
that do not meet NSA’s C2 level security requirements, Curry said.

Government users bought copies of NT 3.51 and 4.0 under the false belief, encouraged by
Microsoft, that they were buying NSA-certified versions of NT, he said.

Curry gave Schaeffer documents to support his contention that Microsoft states that
Windows NT 4.0 has C2 level certification from NSA. Curry cited the documents as proof
that Microsoft is misleading DOD about the product’s certification.

“It’s always helpful to have stuff in Microsoft’s own words,” Curry
said. “There was a really damning 1997 document on Microsoft’s Web site called
‘Securing Microsoft Windows NT Installation’ that talks about NT 4.0

The document, dated April 10, 1997, and revised Aug. 11, 1997, appeared on the January
1998 Microsoft Developer Network Library. MSDN is an online subscription service that
includes tools, technologies and information for software developers.

“Scattered throughout the document are statements about NT being C2-evaluated, yet
this is an NT 4.0 document,” Curry said.

NT 4.0 is not certified at the C2 level by NSA. Microsoft, however, is in the process
of getting C2 certification for NT 4.0 with Service Pack 4 in a closed network

Curry also gave Schaeffer an updated document pulled from Microsoft’s Web site
posted at
  as further evidence of the company’s dishonesty.

Under a section of frequently asked questions on security, the site answered the
question: “Is Windows NT a secure enough platform for enterprise applications?”
by stating that the company recently enhanced the security of NT Server 4.0 through a
service pack.

“Windows NT Server was designed from the ground up with a sound, integrated and
extensible security model,” the Microsoft Web site said as late as last week.
“It has been certified at the C2 level by the U.S. government and the E3 level by the
U.K. government.”

Hodson said the passage claiming C2 certification cited by Curry refers to NT 3.5 with
Service Pack 3, which is the only version of NT to meet the NSA’s C2 level
requirements to date. But because the passage earlier mentions NT 4.0, Hodson said, the
meaning could be misconstrued.

The passage was badly worded, Hodson acknowledged, and he said that the ambiguous
references would be removed. The company subsequently removed the statement about the
government’s C2-level certification from the site.

Curry said that the ambiguous language was purposely misleading.   

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.