NEWS
GCN October 26, 1998
Former Microsoft contractor Ed Curry says that the company deliberately misled government buyers
By Gregory Slabodkin
GCN Staff
A Texas software engineer gave the Defense Department documents that he said prove that Microsoft Corp. is conducting a campaign to mislead the government about the security certification status of Microsoft Windows NT.
Ed Curry, whose now-defunct company worked with Microsoft to obtain the National Security Agency’s C2 certification for NT 3.5 during the mid-1990s, met earlier this month with Richard Schaeffer, director of information assurance in the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
A Microsoft spokesman in Washington said that poorly worded information on the company’s Web site may have led to misunderstandings about NT 4.0’s security rating. He also said Microsoft officials are talking with senior Defense officials about Curry’s allegations.
“We’re currently working with appropriate senior-level DOD officials on the issues that Curry has raised,” Keith Hodson, spokesman for Microsoft Federal Systems in Washington, said. “We’re not refuting Curry’s charges point-by-point with DOD but rather describing our position with regard to NT security.”
No DOD promises
Schaeffer did not promise that DOD would stop using Microsoft products and noted efforts by the department to use more commercial products generally.
“Mr. Curry provided a summary of his issues with Microsoft and repeated his concern about the government’s use of Microsoft products, in particular Windows NT,” DOD spokeswoman Susan Hansen said in a written statement.
“Mr. Schaeffer explained that the department is making more and more use of commercial security technology and that evaluated products, either in the context of the Orange Book or the Common Criteria, will become a greater part of the overall security solutions,” she said.
Schaeffer agreed to meet with Curry after the software engineer warned Defense Secretary William Cohen in an August letter that NT contained security flaws and claimed that Microsoft had tried to hide them [GCN, Oct. 12, Page 1].
DOD and civilian agencies have bought millions of copies of Windows NT 3.51 and 4.0 that do not meet NSA’s C2 level security requirements, Curry said.
Government users bought copies of NT 3.51 and 4.0 under the false belief, encouraged by Microsoft, that they were buying NSA-certified versions of NT, he said.
Curry gave Schaeffer documents to support his contention that Microsoft states that Windows NT 4.0 has C2 level certification from NSA. Curry cited the documents as proof that Microsoft is misleading DOD about the product’s certification.
“It’s always helpful to have stuff in Microsoft’s own words,” Curry said. “There was a really damning 1997 document on Microsoft’s Web site called ‘Securing Microsoft Windows NT Installation’ that talks about NT 4.0 exclusively.”
The document, dated April 10, 1997, and revised Aug. 11, 1997, appeared on the January 1998 Microsoft Developer Network Library. MSDN is an online subscription service that includes tools, technologies and information for software developers.
“Scattered throughout the document are statements about NT being C2-evaluated, yet this is an NT 4.0 document,” Curry said.
NT 4.0 is not certified at the C2 level by NSA. Microsoft, however, is in the process of getting C2 certification for NT 4.0 with Service Pack 4 in a closed network configuration.
Curry also gave Schaeffer an updated document pulled from Microsoft’s Web site posted at http://www.microsoft.com/ntserver/deployment/faq/security_faq.asp as further evidence of the company’s dishonesty.
Under a section of frequently asked questions on security, the site answered the question: “Is Windows NT a secure enough platform for enterprise applications?” by stating that the company recently enhanced the security of NT Server 4.0 through a service pack.
“Windows NT Server was designed from the ground up with a sound, integrated and extensible security model,” the Microsoft Web site said as late as last week. “It has been certified at the C2 level by the U.S. government and the E3 level by the U.K. government.”
Hodson said the passage claiming C2 certification cited by Curry refers to NT 3.5 with Service Pack 3, which is the only version of NT to meet the NSA’s C2 level requirements to date. But because the passage earlier mentions NT 4.0, Hodson said, the meaning could be misconstrued.
The passage was badly worded, Hodson acknowledged, and he said that the ambiguous references would be removed. The company subsequently removed the statement about the government’s C2-level certification from the site.
Curry said that the ambiguous language was purposely misleading.
