[ISN] NT critic gets audience with DOD chieftains

From: mea culpa (jerichot_private)
Date: Mon Oct 12 1998 - 02:05:09 PDT


    http://www.gcn.com/gcn/1998/October12/1c.htm
    GCN October 12, 1998
    NT critic gets audience with DOD chieftains
    By Gregory Slabodkin
    GCN Staff
     
    Not every software engineer gets a meeting with Defense Department brass. 
    
    But a Texas man has made it his personal crusade to warn DOD that current
    versions of Microsoft Windows NT are not secure enough operating systems
    for the department, and DOD has decided to hear him out. 
    
    Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown,
    Texas, will meet tomorrow with Richard Schaeffer, director of information
    assurance in the Office of the Assistant Secretary of Defense for Command,
    Control, Communications and Intelligence. 
    
    Schaeffer agreed to the meeting after Curry sent Defense Secretary William
    Cohen a letter in August warning about the potential hazards of using NT. 
    
    "My concerns are that I believe Microsoft has operated a widespread
    campaign of misinformation regarding the government security position of
    successive versions of Windows NT," Curry said in his letter to Cohen, "so
    much so, that the government has procured possibly millions of copies of
    nonevaluated versions of NT, such as versions 3.51 and 4.0, that do not
    meet the mandatory C2 level security requirements of DOD and other
    agencies." 
    
    This is not a new view for Curry. He has long peppered DOD officials with
    his concerns about Windows. 
    
    Microsoft officials emphatically deny Curry's charges of fraud and
    misrepresentation. Company officials acknowledged that NT 3.5 is the only
    version of NT to meet the C2 level requirements set by the National
    Security Agency, but said NT 4.0 is under evaluation by NSA. 
    
    NT 3.5 received a C2 rating in July 1995 as part of a standalone
    evaluation in which networking was not evaluated, Microsoft officials
    said. 
    
    "The government absolutely has not been duped by Microsoft,"  said Keith
    Hodson, spokesman for Microsoft federal systems. "We stated very clearly
    where we are with C2 certification, and it's right there for all the world
    to see at http://www.microsoft.com/security." 
    
    Curry once worked with Microsoft. His now-defunct company, Lone Star
    Evaluation Laboratories, had a contract with Microsoft during the
    mid-1990s to obtain NSA C2 certification for Windows NT 3.5 with Service
    Pack 3, based on the Trusted Computer System Evaluation Criteria. NSA's
    National Computer Security Center uses the criteria, commonly known as the
    Orange Book, to evaluate the security of products. 
    
    Microsoft selected Lone Star in 1994 to help it achieve C2 certification
    for NT 3.5 by testing and evaluating hardware running the operating system
    for NCSC's Rating Maintenance Program (RAMP). As part of the contract,
    Curry's company developed the required security diagnostics software,
    which Microsoft promised to market to millions of potential users, Curry
    said. 
    
    Curry contends that Microsoft canceled its C2 certification contract with
    Lone Star because he refused to publicly misrepresent the status of NT's
    C2 certification. Microsoft denies this allegation. 
    
    "When I wrote the security diagnostics for NT 3.5 I came across flaws in
    the Intel 486 that disqualified it from C2 level security," he said.
    "Microsoft immediately came down on me and said to conceal the information
    because a lot of their customers wanted to sell 486s to the government." 
    
    He said that Microsoft tried to bribe and even threatened him to keep
    quiet about NT's security flaws. 
    
    "I won't even dignify his charges of bribery and threats with a response,"
    Hodson said. "What I will say is that Curry was a very limited-scope
    contractor for Microsoft who was contracted to provide a hardware test
    tool as part of the NT 3.5 C2 evaluation. But the tool was only a very
    small piece of what was needed during the C2 evaluation process." 
    
    Closing the door
    
    Lone Star eventually went out of business in 1997 after vendors lost
    interest in getting hardware certified for inclusion on NCSC's Evaluated
    Products List. 
    
    Although the 1985 DOD Directive 5200.28 encourages the use of products on
    NSA's list, no formal NSA certification is required for DOD users to buy
    hardware and software from vendors.
    
    The Navy, for example, does not require that its OSes be C2-certified. 
    
    But the service's Information Technology Standards Guidance said C2
    certification is desirable, and that OSes lacking C2 level security
    features, including Windows 3.1, Windows 95 and Windows 98, should be
    avoided. The Navy's ITSG document established NT 4.0 as the service's
    standard OS. 
    
    "Microsoft has both knowingly and willfully misled government officials on
    the security of their operating system products resulting in the
    government procuring insecure versions of Windows NT under the belief they
    were obtaining the NCSC-evaluated version," Curry said in his letter to
    Cohen. 
    
    Microsoft, with the help of Science Applications International Corp., is
    in the process of having NT 4.0 with Service Pack 4 certified, company
    officials said. SAIC, of San Diego, is helping Microsoft with a broad
    range of items for the NT 4.0 evaluation, including the preparation and
    analysis of documents. SAIC also acts as a liaison to NCSC. 
    
    Microsoft expects to complete the evaluation process by January, according
    to company statements. 
    
    But it's not enough to certify NT, Curry said. Microsoft must also certify
    the hardware running NT as part of a complete configuration, he said. 
    
    The only hardware platforms listed on NCSC's Evaluated Products List for
    the C2-certified NT 3.5 are Compaq's ProLiant 2000 and ProLiant 4000, and
    Digital Equipment Corp.'s DECpc AXP/150 workstation. 
    
    On the Microsoft Web site, the company states that in the current
    evaluation process "both Windows NT Server 4.0 and Windows NT Workstation
    4.0 are being evaluated in a network configuration on current Compaq
    hardware, in both single-processor and multiprocessor configurations." 
    
    A DOD spokeswoman for Schaeffer declined to comment on the charges Curry
    is making against Microsoft until after Schaeffer meets with Curry. 
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:12 PDT