NT critic gets audience with DOD chieftains

 

Connecting state and local government leaders

Not every software engineer gets a meeting with Defense Department brass. But a Texas man has made it his personal crusade to warn DOD that current versions of Microsoft Windows NT are not secure enough operating systems for the department—and DOD has decided to hear him out. Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown, Texas, will meet tomorrow with Richard Schaeffer, director of information assurance in the Office of the Assistant Secretary of

Not every software engineer gets a meeting with Defense Department brass.


But a Texas man has made it his personal crusade to warn DOD that current versions of
Microsoft Windows NT are not secure enough operating systems for the department—and
DOD has decided to hear him out.


Ed Curry, a contract engineer for Xplore Technologies Inc. of Georgetown, Texas, will
meet tomorrow with Richard Schaeffer, director of information assurance in the Office of
the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.


Schaeffer agreed to the meeting after Curry sent Defense Secretary William Cohen a
letter in August warning about the potential hazards of using NT.


“My concerns are that I believe Microsoft has operated a widespread campaign of
misinformation regarding the government security position of successive versions of
Windows NT,” Curry said in his letter to Cohen, “so much so, that the government
has procured possibly millions of copies of nonevaluated versions of NT, such as versions
3.51 and 4.0, that do not meet the mandatory C2 level security requirements of DOD and
other agencies.”


This is not a new view for Curry. He has long peppered DOD officials with his concerns
about Windows.


Microsoft officials emphatically deny Curry’s charges of fraud and
misrepresentation. Company officials acknowledged that NT 3.5 is the only version of NT to
meet the C2 level requirements set by the National Security Agency, but said NT 4.0 is
under evaluation by NSA.


NT 3.5 received a C2 rating in July 1995 as part of a standalone evaluation in which
networking was not evaluated, Microsoft officials said.


“The government absolutely has not been duped by Microsoft,” said Keith
Hodson, spokesman for Microsoft federal systems. “We stated very clearly where we are
with C2 certification, and it’s right there for all the world to see at http://www.microsoft.com/security


Curry once worked with Microsoft. His now-defunct company, Lone Star Evaluation
Laboratories, had a contract with Microsoft during the mid-1990s to obtain NSA C2
certification for Windows NT 3.5 with Service Pack 3, based on the Trusted Computer System
Evaluation Criteria. NSA’s National Computer Security Center uses the criteria,
commonly known as the Orange Book, to evaluate the security of products.


Microsoft selected Lone Star in 1994 to help it achieve C2 certification for NT 3.5 by
testing and evaluating hardware running the operating system for NCSC’s Rating
Maintenance Program (RAMP). As part of the contract, Curry’s company developed the
required security diagnostics software, which Microsoft promised to market to millions of
potential users, Curry said.


Curry contends that Microsoft canceled its C2 certification contract with Lone Star
because he refused to publicly misrepresent the status of NT’s C2 certification.
Microsoft denies this allegation.


“When I wrote the security diagnostics for NT 3.5 I came across flaws in the Intel
486 that disqualified it from C2 level security,” he said. “Microsoft
immediately came down on me and said to conceal the information because a lot of their
customers wanted to sell 486s to the government.”


He said that Microsoft tried to bribe and even threatened him to keep quiet about
NT’s security flaws.


“I won’t even dignify his charges of bribery and threats with a
response,” Hodson said. “What I will say is that Curry was a very limited-scope
contractor for Microsoft who was contracted to provide a hardware test tool as part of the
NT 3.5 C2 evaluation. But the tool was only a very small piece of what was needed during
the C2 evaluation process.”


Lone Star eventually went out of business in 1997 after vendors lost interest in
getting hardware certified for inclusion on NCSC’s Evaluated Products List.


Although the 1985 DOD Directive 5200.28 encourages the use of products on NSA’s
list, no formal NSA certification is required for DOD users to buy hardware and software
from vendors.


The Navy, for example, does not require its OSes be C2-certified.


But the service’s Information Technology Standards Guidance said it is desirable,
and OSes that do not have C2 level security features—including Windows 3.1, Windows
95 and Windows 98—should be avoided. The Navy’s ITSG document established NT 4.0
as the service’s standard OS.


“Microsoft has both knowingly and willfully misled government officials on the
security of their operating system products resulting in the government procuring insecure
versions of Windows NT under the belief they were obtaining the NCSC-evaluated
version,” Curry said in his letter to Cohen.


Microsoft, with the help of Science Applications International Corp., is in the process
of having NT 4.0 with Service Pack 4 certified, company officials said. SAIC, of San
Diego, is helping Microsoft with a broad range of items for the NT 4.0 evaluation,
including the preparation and analysis of documents. SAIC also acts as a liaison to NCSC.


Microsoft expects to complete the evaluation process by January, according to company
statements.


But it’s not enough to certify NT, Curry said. Microsoft must also certify the
hardware running NT as part of a complete configuration, he said.


The only C2-certified NT hardware platforms for NT 3.5 listed on NCSC’s Evaluated
Products List are Compaq ProLiant 2000 and ProLiant 4000, and Digital Equipment
Corp.’s DECpc AXP/150 workstation.


On the Microsoft Web site, the company states that in the current evaluation process
“both Windows NT Server 4.0 and Windows NT Workstation 4.0 are being evaluated in a
network configuration on current Compaq hardware, in both single-processor and
multiprocessor configurations.”


A DOD spokeswoman for Schaeffer declined to comment on the charges Curry is making
against Microsoft until after Schaeffer meets with Curry.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.