NT critic gets audience with DOD chieftains
Not every software engineer gets a meeting with Defense Department brass. But a Texas man has made it his personal crusade to warn DOD that current versions of Microsoft Windows NT are not secure enough operating systems for the department, and DOD has decided to hear him out.
Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown, Texas, will meet tomorrow with Richard Schaeffer, director of information assurance in the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
Schaeffer agreed to the meeting after Curry sent Defense Secretary William Cohen a letter in August warning about the potential hazards of using NT.
"My concerns are that I believe Microsoft has operated a widespread campaign of misinformation regarding the government security position of successive versions of Windows NT," Curry said in his letter to Cohen, "so much so, that the government has procured possibly millions of copies of nonevaluated versions of NT, such as versions 3.51 and 4.0, that do not meet the mandatory C2 level security requirements of DOD and other agencies."
This is not a new view for Curry. He has long peppered DOD officials with his concerns about Windows.
Microsoft officials emphatically deny Curry's charges of fraud and misrepresentation. Company officials acknowledged that NT 3.5 is the only version of NT to meet the C2 level requirements set by the National Security Agency, but said NT 4.0 is under evaluation by NSA.
NT 3.5 received a C2 rating in July 1995 as part of a standalone evaluation in which networking was not evaluated, Microsoft officials said.
"The government absolutely has not been duped by Microsoft," said Keith Hodson, spokesman for Microsoft federal systems. "We stated very clearly where we are with C2 certification, and it's right there for all the world to see at http://www.microsoft.com/security."
Curry once worked with Microsoft. His now-defunct company, Lone Star Evaluation Laboratories, had a contract with Microsoft during the mid-1990s to obtain NSA C2 certification for Windows NT 3.5 with Service Pack 3, based on the Trusted Computer System Evaluation Criteria. NSA's National Computer Security Center uses the criteria, commonly known as the Orange Book, to evaluate the security of products.
Microsoft selected Lone Star in 1994 to help it achieve C2 certification for NT 3.5 by testing and evaluating hardware running the operating system for NCSC's Rating Maintenance Program (RAMP). As part of the contract, Curry's company developed the required security diagnostics software, which Microsoft promised to market to millions of potential users, Curry said.
Curry contends that Microsoft canceled its C2 certification contract with Lone Star because he refused to publicly misrepresent the status of NT's C2 certification. Microsoft denies this allegation.
"When I wrote the security diagnostics for NT 3.5 I came across flaws in the Intel 486 that disqualified it from C2 level security," he said. "Microsoft immediately came down on me and said to conceal the information because a lot of their customers wanted to sell 486s to the government."
He said that Microsoft tried to bribe and even threatened him to keep quiet about NT's security flaws.
"I won't even dignify his charges of bribery and threats with a response," Hodson said. "What I will say is that Curry was a very limited-scope contractor for Microsoft who was contracted to provide a hardware test tool as part of the NT 3.5 C2 evaluation. But the tool was only a very small piece of what was needed during the C2 evaluation process."
Lone Star eventually went out of business in 1997 after vendors lost interest in getting hardware certified for inclusion on NCSC's Evaluated Products List.
Although the 1985 DOD Directive 5200.28 encourages the use of products on NSA's list, no formal NSA certification is required for DOD users to buy hardware and software from vendors.
The Navy, for example, does not require its OSes be C2-certified.
But the service's Information Technology Standards Guidance said it is desirable, and OSes that do not have C2 level security features, including Windows 3.1, Windows 95 and Windows 98, should be avoided. The Navy's ITSG document established NT 4.0 as the service's standard OS.
"Microsoft has both knowingly and willfully misled government officials on the security of their operating system products resulting in the government procuring insecure versions of Windows NT under the belief they were obtaining the NCSC-evaluated version," Curry said in his letter to Cohen.
Microsoft, with the help of Science Applications International Corp., is in the process of having NT 4.0 with Service Pack 4 certified, company officials said. SAIC, of San Diego, is helping Microsoft with a broad range of items for the NT 4.0 evaluation, including the preparation and analysis of documents. SAIC also acts as a liaison to NCSC. Microsoft expects to complete the evaluation process by January, according to company statements.
"But it's not enough to certify NT," Curry said. "Microsoft must also certify the hardware running NT as part of a complete configuration," he said.
The only C2-certified NT hardware platforms for NT 3.5 listed on NCSC's Evaluated Products List are Compaq ProLiant 2000 and ProLiant 4000, and Digital Equipment Corp.'s DECpc AXP/150 workstation.
On the Microsoft Web site, the company states that in the current evaluation process both Windows NT Server 4.0 and Windows NT Workstation 4.0 are being evaluated in a network configuration on current Compaq hardware, in both single-processor and multiprocessor configurations.
A DOD spokeswoman for Schaeffer declined to comment on the charges Curry is making against Microsoft until after Schaeffer meets with Curry.