Were-wolf.net
Political Issues:
  Remember Ed Curry!

Overview

In 1994, Microsoft received its first, and as of this date (08-23-2000), only United States governmentally approved security rating for Windows NT: an Orange Book C2 rating for Windows NT 3.5 with service pack 3 running on three very specific machines with no floppy drive and no network interface. The man behind this was a Mr. Ed Curry, NSA-certified and NCSC trusted security technician. He was contracted, through his company Lone Star Evaluation Laboratories (LSEL), by Microsoft to get NT its necessary certification for governmental use. He took the job. That was his mistake.

As part of this, LSEL needed to construct several diagnostics systems, and did so under the verbal promise by Microsoft that LSEL would sell "millions of copies" of this software (presumably it would be bundled with NT on any government purchase). In fact, within the written contracts, Microsoft agreed to help market and sell the product. No company would be foolish enough to turn down this kind of offer.

LSEL underwent necessary expansion to undertake such a massive contract, a contract awarded based on LSEL's "unique technical qualities required to work with Microsoft and computer hardware manufacturers in defending our products to the NCSC." (Ken Moss, Microsoft Government Evaluations Manager)

When NT 3.51 came out, Ed Curry was in a position to keep the certification current (he could get a system through the tests in under 45 days, a feat demonstrating how highly NCSC thought of him). But Microsoft was not willing to wait. At the NSA/NIST conference in 1995, Microsoft displayed a banner showing 3.51 as being C2 certified. NSA officials reportedly asked Microsoft to remove the banner. Things continued to go downhill, with Microsoft freely mixing literature describing NT 3.51 and NT 3.5 SP3. Deliberate or not, this mixing led many to believe NT 3.51 was C2 certified. And Ed called them on that.

Almost overnight, Microsoft's support of LSEL vanished. They ceased assisting LSEL with continuing certification and dropped all mention of LSEL's diagnostics software. It was not long before LSEL went bankrupt. Throughout this time, Microsoft continued implying versions of NT (now up to 4.0) were C2 certified. No one cared to look at the facts, and the U.S. government has purchased unknown numbers of NT boxes for use in secure locations under the premise that NT was C2 certified and, even worse, Red Book certified.

Later, with support from people at the then-existent Infoworld Electric forums, and direct support from Nick Petreley, Mr. Curry began trying to get the word out. He was not out to stomp all over Microsoft. He did not have a vendetta against them. He was just concerned about the way the government was doing its business, and how Microsoft was facilitating that. In his words, "I still believe in MS products, but am increasingly concerned over how they are running the business side of things."

Things began looking up, but they were incredibly stressful times for Ed, with his family on the verge of financial disaster, and until the story broke, he was nearly totally unable to get sufficient employment despite his enormous credentials. Unfortunately, just as things began to get better, Ed fell victim to a stroke and died on March 24, 1999. It was as if "one of the stars in an otherwise black corporate sky has gone out." (cslawson, Infoworld Forums)