http://www.gcn.com/gcn/1998/October12/1c.htm
GCN, October 12, 1998

NT critic gets audience with DOD chieftains
By Gregory Slabodkin, GCN Staff

Not every software engineer gets a meeting with Defense Department brass. But a Texas man has made it his personal crusade to warn DOD that current versions of Microsoft Windows NT are not secure enough operating systems for the department, and DOD has decided to hear him out.

Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown, Texas, will meet tomorrow with Richard Schaeffer, director of information assurance in the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. Schaeffer agreed to the meeting after Curry sent Defense Secretary William Cohen a letter in August warning about the potential hazards of using NT.

"My concerns are that I believe Microsoft has operated a widespread campaign of misinformation regarding the government security position of successive versions of Windows NT," Curry said in his letter to Cohen, "so much so, that the government has procured possibly millions of copies of nonevaluated versions of NT, such as versions 3.51 and 4.0, that do not meet the mandatory C2 level security requirements of DOD and other agencies."

This is not a new view for Curry. He has long peppered DOD officials with his concerns about Windows.

Microsoft officials emphatically deny Curry's charges of fraud and misrepresentation. Company officials acknowledged that NT 3.5 is the only version of NT to meet the C2 level requirements set by the National Security Agency, but said NT 4.0 is under evaluation by NSA. NT 3.5 received a C2 rating in July 1995 as part of a standalone evaluation in which networking was not evaluated, Microsoft officials said.

"The government absolutely has not been duped by Microsoft," said Keith Hodson, spokesman for Microsoft federal systems. "We stated very clearly where we are with C2 certification, and it's right there for all the world to see at http://www.microsoft.com/security."

Curry once worked with Microsoft. His now-defunct company, Lone Star Evaluation Laboratories, had a contract with Microsoft during the mid-1990s to obtain NSA C2 certification for Windows NT 3.5 with Service Pack 3, based on the Trusted Computer System Evaluation Criteria. NSA's National Computer Security Center uses the criteria, commonly known as the Orange Book, to evaluate the security of products.

Microsoft selected Lone Star in 1994 to help it achieve C2 certification for NT 3.5 by testing and evaluating hardware running the operating system for NCSC's Rating Maintenance Program (RAMP). As part of the contract, Curry's company developed the required security diagnostics software, which Microsoft promised to market to millions of potential users, Curry said.

Curry contends that Microsoft canceled its C2 certification contract with Lone Star because he refused to publicly misrepresent the status of NT's C2 certification. Microsoft denies this allegation.

"When I wrote the security diagnostics for NT 3.5 I came across flaws in the Intel 486 that disqualified it from C2 level security," he said. "Microsoft immediately came down on me and said to conceal the information because a lot of their customers wanted to sell 486s to the government."

He said that Microsoft tried to bribe and even threatened him to keep quiet about NT's security flaws.

"I won't even dignify his charges of bribery and threats with a response," Hodson said. "What I will say is that Curry was a very limited-scope contractor for Microsoft who was contracted to provide a hardware test tool as part of the NT 3.5 C2 evaluation. But the tool was only a very small piece of what was needed during the C2 evaluation process."
Closing the door

Lone Star eventually went out of business in 1997 after vendors lost interest in getting hardware certified for inclusion on NCSC's Evaluated Products List. Although the 1985 DOD Directive 5200.28 encourages the use of products on NSA's list, no formal NSA certification is required for DOD users to buy hardware and software from vendors.

The Navy, for example, does not require that its OSes be C2-certified. But the service's Information Technology Standards Guidance says it is desirable, and that OSes lacking C2 level security features, including Windows 3.1, Windows 95 and Windows 98, should be avoided. The Navy's ITSG document established NT 4.0 as the service's standard OS.

"Microsoft has both knowingly and willfully misled government officials on the security of their operating system products resulting in the government procuring insecure versions of Windows NT under the belief they were obtaining the NCSC-evaluated version," Curry said in his letter to Cohen.

Microsoft, with the help of Science Applications International Corp., is in the process of having NT 4.0 with Service Pack 4 certified, company officials said. SAIC, of San Diego, is helping Microsoft with a broad range of items for the NT 4.0 evaluation, including the preparation and analysis of documents. SAIC also acts as a liaison to NCSC. Microsoft expects to complete the evaluation process by January, according to company statements.

But it's not enough to certify NT, Curry said. Microsoft must also certify the hardware running NT as part of a complete configuration, he said. The only NT 3.5 hardware platforms listed as C2-certified on NCSC's Evaluated Products List are Compaq's ProLiant 2000 and ProLiant 4000, and Digital Equipment Corp.'s DECpc AXP/150 workstation.
On the Microsoft Web site, the company states that in the current evaluation process "both Windows NT Server 4.0 and Windows NT Workstation 4.0 are being evaluated in a network configuration on current Compaq hardware, in both single-processor and multiprocessor configurations."

A DOD spokeswoman for Schaeffer declined to comment on the charges Curry is making against Microsoft until after Schaeffer meets with Curry.