Forwarded From: William Knowles <erehwonat_private>

http://www.worldnetdaily.com/bluesky_dougherty/19990223_xex_are_pentagon.shtml

(WorldNetDaily) [2.23.99] A National Security Agency-trained computer vendor and security analyst says the Pentagon and other government agencies have violated their own security rules by purchasing mass quantities of a non-secure computer operating system.

Ed Curry, a former independent contractor for the Microsoft Corporation, developed one such secure processor program for one version of the computer giant's Windows NT program. He said since it was destined for government computer systems, the program had to pass the scrutiny of the National Computer Security Center (NCSC), which ran the program through a battery of tests and diagnostics to obtain a "level of trust" rating.

But Curry told WorldNetDaily the current version of Windows NT being purchased "in mass quantities" by the federal government is insecure and subject to alteration. The version he tested and knows to be secure is Windows NT 3.5, whereas the government -- even the Department of Defense -- has been buying version 4.0.

According to Curry, the most susceptible component of the computer is the processor. With no security program in place, the processor can be altered, and therefore so too can the processor commands and functions. When these systems are used to operate or monitor defensive systems, guided missiles, or any number of other applications, vulnerability means they can be changed in any number of ways -- perhaps without the operator knowing until it's too late.

Curry said that processors on Windows NT Version 4.0 are insecure because they have been designed to automatically "open the processor up to accept commands" on start-up, whereas the 3.5 version does not do that. That alone, he said, "makes the processor insecure and hence, the entire system as well."

Curry's program is not compatible with the 4.0 version.
But because government buyers wanted other "bundled" Windows applications that were incompatible with the 3.5 version, they decided to buy 4.0 instead, despite being notified of the security problems.

"Basically it was money over security," Curry explained. "They had already bought thousands of the 4.0 systems, and didn't want to have to replace them."

In the meantime, Curry says he has met with a number of government and defense representatives but has been unable to change their minds.

"I have met with representatives of Defense Secretary William Cohen," Curry told WorldNetDaily, "and have presented my evidence to them. They know I'm right, and they know what I've told them -- that they're violating their own security rules -- is right. But they basically said it didn't matter, that they would continue to use the 4.0 version."

Dick Schaefer, an aide to Defense Secretary William Cohen, as well as representatives of the NSA, told Curry "their hands were tied" in the matter.

To continue getting the government contracts, Curry said, Microsoft "misled" the government about the 4.0 version. "Microsoft said that version was security tested by the government (NSA), which was patently untrue."

He said that the huge computer corporation is taking advantage of poor enforcement of government-security-rating requirements to sell non-certified versions of the same product in the lucrative federal market.

"In fact," he added, "Microsoft NT 4.0 is the least secure of all the NT versions."

Version 3.5 is the only one that is secure, Curry said, but other reports quoted some officials as saying that version is now out of date.

Ironically, when the NSA was evaluating NT in 1994, the government told Curry "they needed a program to make sure the processor was secure. It was sort of a rush job, but I got to work and got a program written to their specifications." Normally, he said, the process takes "several months" or longer, "but they wanted this one in a hurry."
Curry told WorldNetDaily that initially, Microsoft promised to bundle and co-market his security-testing software with each licensed copy of NT. But later the company broke that agreement, thereby leaving his company holding a serious amount of research and development debt over the project.

When he requested that Microsoft compensate him for his loss after they broke their contract with him, the company threatened legal action, he said.

Microsoft would not return phone calls to WorldNetDaily, but in other published reports the company has denied Curry's charges, saying they are "working closely with the federal government to ensure all versions of NT are secure."

Curry said a government security rating is not easy to obtain, but once he received it, the potential sales of his software could have comprised some 3 to 4 million units, totaling about a billion dollars in sales.

Curry also explained that it was critical to make sure the processor of every system is protected, particularly government computers in any setting that can be exposed to hacking attacks or other methods of alteration.

"All computer security systems begin with the Intel processor itself," Curry said. "I helped Intel develop their processor, so I know how they work and how vulnerable they can be if left exposed."

Curry added that beginning with the Pentium Pro processor, people using the Internet could download programs that would fix certain glitches and bugs in existing software and systems. Many of those fixes were geared toward the processors, which means, "you can also download a program that could shut off the security," he said.

Consequently, "those programs which alter the processors (and are being used in DoD systems) can also make weapons fire certain ways, or not at all. My program was designed not only to make sure all processors are secure, but to make sure they stay secure."
Curry repeatedly emphasized that his continued attempts to make the government aware of the shortcomings in unsecured Windows NT operating systems "is because of what it is doing to our national security, nothing more." He said his consulting and software design business is gone, "and there isn't much I can do about that right now."

"But I can continue to try to let these people know what kind of product Microsoft is actually selling them," he added. "It's been hard, partially because I don't think the government agencies really understand the nation of PCs."

Other government sources confirmed that Windows NT sales are booming, and are steadily replacing competitor Novell Netware in federal systems.

And, it's likely to get worse. In May 1998, Microsoft announced a major contract with the U.S. Air Force to begin changing military command and control applications from the UNIX operating system to Windows NT. And Curry said the U.S. Navy is extensively using the unsecured NT versions aboard its warships.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]