[ISN] Should Feds Trust Windows NT?

From: mea culpa (jerichoat_private)
Date: Fri May 08 1998 - 01:15:42 PDT

  • Next message: mea culpa: "[ISN] Alleged hacker goes to court (Colorado/University)"

    Forwarded From: Aleph One <aleph1at_private>
    
    [ Personally this article seems like a lot of FUD. Everyone knows C2
      certification is a joke. The government is not buying NT because it is C2
      certified. They are buying NT because it looks like Windows and runs off
      the self applications. Looks like wired has written an article based on
      statements by a clearly disgruntled contractor. It would have been
      better if they had focused it the charges that MS broke their agreement.
      - a1]
    
    http://www.wired.com/news/news/technology/story/12121.html
    
       Should Feds Trust Windows NT?
       by James Glave 
       
       5:03am  6.May.98.PDT
       As the Justice Department considers starting a widespread antitrust
       probe into Microsoft's business practices, one security expert says
       Microsoft is pulling the wool over the government's eyes with its NT
       operating system.
       
       Ed Curry, a technical security analyst who has tangled with Microsoft
       in the past, has launched a one-man campaign to encourage the US
       Senate Judiciary Committee and Justice Department to zero in on
       Microsoft's extensive Windows NT business with the federal government.
       Specifically, he is asking investigators to look into whether or not
       the company cut corners with government security requirements in order
       to sell potentially millions of operating system licenses to agencies
       such as the Defense Department.
       
       "I am formerly a military man, and when it comes to national security,
       we have risked our butts in the past," said Curry. "We are not going
       to let profits stand in the way of national security."
       
       Curry claims that Microsoft is stretching the truth of NT's security
       certification, and taking advantage of lax enforcement of
       government-security-rating requirements to sell non-certified versions
       of the product to federal markets. The scheme, he alleges, gives the
       company an unfair advantage over its competitors and opens the US
       government's computer networks up to needless risk.
       
       Microsoft denied the allegations, stating that the company is working
       closely with federal agencies to keep newer versions of Windows NT
       certified.
       
       Curry's concerns for national security go beyond patriotism. A former
       Microsoft contractor, and a National Security Agency-certified
       technical security analyst, he claims that Microsoft drove him to the
       brink of personal bankruptcy by breaking agreements to bundle and
       co-market his security-testing software with each licensed copy of NT.
       Further, he said the company threatened him with legal action when he
       asked for restitution.
       
       Ken Moss, the Microsoft representative familiar with Curry's charges,
       was not available for comment.
       
       At the heart of Curry's struggle is the security rating that the
       government first awarded to an early version of Windows NT in 1994 --
       a rating that opened doors for Microsoft to sell to the Defense
       Department (DOD). Curry said that the company estimated these markets
       could comprise three to four million Windows NT licenses, amounting to
       potentially more than a billion dollars.
       
       But a government security rating is not easy to come by.
       
       Software and hardware companies must apply to the National Computer
       Security Center (NCSC) to have their product run through a battery of
       tests and diagnostics to obtain a "level of trust" rating. For
       example, custom-built systems rated A1, appropriate for top-secret
       material, must be shipped and installed under armed guard. Meanwhile,
       an off-the-shelf product rated "C2" can handle sensitive, but not
       classified, information. It is the C2 rating that was awarded to
       Windows NT 3.5.
       
       A number of attacks on DOD systems, including the recent theft of
       network configuration software, have been attributed to poorly
       configured Windows NT machines. Kirby Kuehl, a Microsoft-certified
       product specialist for NT Server and founder of the security site
       Technotronic, said that while NT can be made secure, many of the
       default settings that ship with the system leave NT systems vulnerable
       to cracking.
       
       Despite such concerns about security, Windows NT has enjoyed rapid
       growth in the Defense Department market, largely on the credibility of
       the C2 rating, according to Curry and analysts with International Data
       Corp.
       
       "Getting the first, off-the-shelf commercial operating system through
       the evaluation allowed them to capture the government market," Curry
       said.
       
       "The C2 rating was a big factor for DOD embracing Windows NT,"
       said Mathew Mahoney, an analyst for IDC Government. "They have adopted
       aggressively at the desktop and the server; part of the reason was the
       security rating, but also increased robustness of the platform."
       
       Other sources familiar with government purchasing trends confirmed
       that Windows NT sales were booming.
       
       "We have seen a continual erosion of NT competitor Novell Netware in
       the federal government due to NT," said Steve Vito, publisher of
       Federal Computer Week magazine.
       
       Vito said that recent research among his readership shows that while
       14 percent plan to buy Netware, 33 percent intend to buy NT in the
       coming year. About 65,000 of Vito's 83,000 subscribers are government
       IT managers.
       
       Last month, Microsoft announced a major contract with the US Air Force
       to begin converting military command and control applications from
       UNIX operating system environments to Windows NT.
       
       But not all is what it seems, Curry claims.
       
       In their rush to embrace Windows NT, which is less expensive than
       similar UNIX-based systems, Curry suggested many government
       procurement officers may be either ignoring or misunderstanding the
       product's C2 rating. Microsoft may also be glossing over the fact that
       the C2 rating only applies to a now-obsolete version of Windows NT,
       version 3.5, running on a machine that is unplugged from a network.
       
       But that configuration isn't much use to anybody.
       
       "The C2 rating is worthless," said Russ Cooper, moderator of the
       NTBugtraq mailing list, which tracks vulnerabilities with Windows NT.
       "It doesn't mean anything. If you change one thing, such as add a
       modem, or change the network adapter, the certification becomes
       worthless."
       
       Curry alleges that Microsoft is taking improper liberties with its C2
       rating by selling the government more recent, but non-certified,
       versions of the OS, including Windows NT 3.5.1 and the current
       release, 4.0.
       
       "The story they tell the government is 'This product has the same
       level of security or better as 3.5. It's OK to buy this version, we
       are putting it through the certification review process." This is
       all most agencies need to hear from my experience," said Curry.
       
       Curry alleges that Microsoft, in selling the government other versions
       of Windows NT than the C2-certified version, was pursuing another
       agenda. He said that Microsoft was selling later versions of NT
       bundled with its Office 97, which is not supported by the C2-certified
       NT 3.5.
       
       "The bundling effectively eliminates the opportunity for other
       vendors to bid like products (word processors, spreadsheets, etc.)
       since it reduces the price of the bid," Curry said in a letter he sent
       to the Senate Judiciary Committee and the Department of Justice.
       
       A Microsoft spokesperson confirmed that Office 97 is not supported by
       Windows NT 3.5, but is supported by subsequent versions of the OS.
       
       However, in a recent IDC Government report on Windows NT adoption
       within government, the leading reason government purchasers plan to
       buy the OS was the availability of commercial software. Security was
       not offered as a survey option to survey participants.
       
       Curry has a strong personal interest in seeing a new investigation of
       Microsoft's actions. He said that the company agreed to bundle his
       software -- the C2 Processor Diagnostics Program -- with certified
       copies of Windows NT, but later backed out, leaving his company
       heavily invested in a broken deal. The government requires such a
       diagnostics program to be shipped with each certified copy of NT 3.5
       -- basically, it serves to verify that a given installation is up to
       the rating.
       
       But Microsoft didn't ship Curry's program. Now he is working as a
       security contractor for a Fortune 500 company. He said that Microsoft
       told him that including the diagnostic would give federal buyers
       reason to question NT's security.
       
       A Microsoft security manager denied Curry's allegations that the
       government is misrepresenting NT's security certification status.
       
       "I do not believe we have ever made claims that NT 4.0 is C2
       certified," said Jason Garms, Microsoft Windows NT security manager.
       
       Garms said that Microsoft hosted a federal security summit in Redmond
       in December 1997. "There were 350 people here, representing every
       single agency and constituency, to talk about security for two and a
       half days. It was made very clear what our C2 rating was, and where we
       were with it," Garms said.
       
       Garms added that Windows NT 4.0 was entering the C2 certification
       program, and that the OS has already been certified with a European
       government security standard that is accepted, within the US
       government, as the equivalent of the domestic C2 rating.
       
       Besides, said another Microsoft engineer, the DOD can never buy a
       certified system, because by the time the C2 rating is awarded, the
       required hardware is long obsolete.
       
       "We have never sold a federal agency a networked C2 system," said
       Sean Murphy, senior systems engineer with the Microsoft Federal Group.
       "There are agencies that have gotten exceptions because they are aware
       that we are in the certification process for NT 4.0."
       
       Garms said that the C2 certification is only required by government
       agencies in purchasing products on a case-by-case basis, and that
       there is no broad government mandate requiring the purchase of
       C2-evaluated products.
       
       However, the National Security Agency (NSA) told Wired News in a
       statement that two directives, DOD Directive 5200.28 and DCI Directive
       1/16, "require the use of an evaluated product for many systems used
       within DOD."
       
       "Both Directives, however, contain provisions for waivers and
       exceptions to this requirement," the NSA statement added.
       
       A Wired News request to the NSA to determine the current status of
       Microsoft's C2 application for Windows NT 4.0 was denied at the
       request of Microsoft, according to NSA public affairs. But Murphy said
       that the company expects to have a networked version of Windows NT 4.0
       approved as C2 by October.
       
       Meanwhile, Curry says he has personally witnessed Microsoft
       representatives at government trade shows passing off newer versions
       of NT as being C2 certified.
       
       "Microsoft's direct and indirect inference that the government
       evaluation applies equally to NT 3.5.1 and NT 4.0, when it does not,
       wrongfully prevents vendors of other operating systems from being able
       to bid their products," said Curry in his letter to the Senate
       committee and Justice Department.
       
       Curry said he asked Microsoft why they would sell the government a
       non-evaluated version of the product different than the one they
       sought approval for. "Their response was, 'A sold NT is a sold NT, we
       don't care which version it is," he said.
       
       NTBugtraq's Cooper said that due to the long delays in the
       certification process, few in the government follow the rating system
       for unclassified applications.
       
       "NT 3.5 with a service pack is the only implementation of Windows NT
       that is certified. If government departments are buying today and
       not buying that version, then they are not C2 certified," Cooper said.
       
       "Personally, I think the NCSC is running a stupid certification
       process," Cooper said.
       
       Copyright © 1993-97 Wired Ventures Inc. and affiliated companies.
       All rights reserved.
       
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:44 PDT