Next message: mea culpa: "[ISN] Re: Will Rodger's "Cyberwars: Proper vigilance or paranoia?""
http://www.gcn.com/gcn/1998/October12/1c.htm
GCN October 12, 1998
NT critic gets audience with DOD chieftains
By Gregory Slabodkin
GCN Staff
Not every software engineer gets a meeting with Defense Department brass.
But a Texas man has made it his personal crusade to warn DOD that current
versions of Microsoft Windows NT are not secure enough operating systems
for the department, and DOD has decided to hear him out.
Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown,
Texas, will meet tomorrow with Richard Schaeffer, director of information
assurance in the Office of the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence.
Schaeffer agreed to the meeting after Curry sent Defense Secretary William
Cohen a letter in August warning about the potential hazards of using NT.
"My concerns are that I believe Microsoft has operated a widespread
campaign of misinformation regarding the government security position of
successive versions of Windows NT," Curry said in his letter to Cohen, "so
much so, that the government has procured possibly millions of copies of
nonevaluated versions of NT, such as versions 3.51 and 4.0, that do not
meet the mandatory C2 level security requirements of DOD and other
agencies."
This is not a new view for Curry. He has long peppered DOD officials with
his concerns about Windows.
Microsoft officials emphatically deny Curry's charges of fraud and
misrepresentation. Company officials acknowledged that NT 3.5 is the only
version of NT to meet the C2 level requirements set by the National
Security Agency, but said NT 4.0 is under evaluation by NSA.
NT 3.5 received a C2 rating in July 1995 as part of a standalone
evaluation in which networking was not evaluated, Microsoft officials
said.
"The government absolutely has not been duped by Microsoft," said Keith
Hodson, spokesman for Microsoft federal systems. "We stated very clearly
where we are with C2 certification, and it's right there for all the world
to see at http://www.microsoft.com/security."
Curry once worked with Microsoft. His now-defunct company, Lone Star
Evaluation Laboratories, had a contract with Microsoft during the
mid-1990s to obtain NSA C2 certification for Windows NT 3.5 with Service
Pack 3, based on the Trusted Computer System Evaluation Criteria. NSA's
National Computer Security Center uses the criteria, commonly known as the
Orange Book, to evaluate the security of products.
Microsoft selected Lone Star in 1994 to help it achieve C2 certification
for NT 3.5 by testing and evaluating hardware running the operating system
for NCSC's Rating Maintenance Program (RAMP). As part of the contract,
Curry's company developed the required security diagnostics software,
which Microsoft promised to market to millions of potential users, Curry
said.
Curry contends that Microsoft canceled its C2 certification contract with
Lone Star because he refused to publicly misrepresent the status of NT's
C2 certification. Microsoft denies this allegation.
"When I wrote the security diagnostics for NT 3.5 I came across flaws in
the Intel 486 that disqualified it from C2 level security," he said.
"Microsoft immediately came down on me and said to conceal the information
because a lot of their customers wanted to sell 486s to the government."
He said that Microsoft tried to bribe and even threatened him to keep
quiet about NT's security flaws.
"I won't even dignify his charges of bribery and threats with a response,"
Hodson said. "What I will say is that Curry was a very limited-scope
contractor for Microsoft who was contracted to provide a hardware test
tool as part of the NT 3.5 C2 evaluation. But the tool was only a very
small piece of what was needed during the C2 evaluation process."
Closing the door
Lone Star eventually went out of business in 1997 after vendors lost
interest in getting hardware certified for inclusion on NCSC's Evaluated
Products List.
Although the 1985 DOD Directive 5200.28 encourages the use of products on
NSA's list, no formal NSA certification is required for DOD users to buy
hardware and software from vendors.
The Navy, for example, does not require its OSes be C2-certified.
But the service's Information Technology Standards Guidance said it is
desirable, and OSes that do not have C2 level security features including
Windows 3.1, Windows 95 and Windows 98 should be avoided. The Navy's ITSG
document established NT 4.0 as the service's standard OS.
"Microsoft has both knowingly and willfully misled government officials on
the security of their operating system products resulting in the
government procuring insecure versions of Windows NT under the belief they
were obtaining the NCSC-evaluated version," Curry said in his letter to
Cohen.
Microsoft, with the help of Science Applications International Corp., is
in the process of having NT 4.0 with Service Pack 4 certified, company
officials said. SAIC, of San Diego, is helping Microsoft with a broad
range of items for the NT 4.0 evaluation, including the preparation and
analysis of documents. SAIC also acts as a liaison to NCSC.
Microsoft expects to complete the evaluation process by January, according
to company statements.
But it's not enough to certify NT, Curry said. Microsoft must also certify
the hardware running NT as part of a complete configuration, he said.
The only C2-certified NT hardware platforms for NT 3.5 listed on NCSC's
Evaluated Products List are Compaq ProLiant 2000 and ProLiant 4000, and
Digital Equipment Corp.'s DECpc AXP/150 workstation.
On the Microsoft Web site, the company states that in the current
evaluation process "both Windows NT Server 4.0 and Windows NT Workstation
4.0 are being evaluated in a network configuration on current Compaq
hardware, in both single-processor and multiprocessor configurations."
A DOD spokeswoman for Schaeffer declined to comment on the charges Curry
is making against Microsoft until after Schaeffer meets with Curry.
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:07:12 PDT