Political Issues:
  Remember Ed Curry!

This column originally appeared in InfoWorld Electric. It is mirrored here because of the key information it contains. The column is the result of an open letter the author wrote in an attempt to find out the veracity of the allegations.

Back in 1994, Microsoft contracted with Ed Curry, president of Lone Star Evaluation Laboratories (LSEL) to do a job. Microsoft wanted LSEL to develop C2 processor diagnostics software and to defend the security of Windows NT to the National Computer Security Center (NCSC).

Curry was handpicked because of his qualifications. Microsoft Government Evaluations Manager Ken Moss even stated in his confirmation letter to LSEL, "We believe that LSEL has the unique technical qualities required to work with Microsoft and computer hardware manufacturers in defending our products to the NCSC."

As part of the contractual agreements, Microsoft agreed to help market the LSEL diagnostics, and Curry claims Microsoft verbally promised that LSEL would sell millions of copies. However, Microsoft decided not to promote the diagnostics, and Curry went bankrupt. I reviewed a number of contracts signed by Microsoft and Curry that support Curry's claim, although some of the promises are only implicit in the written agreements.

Among the various incidents that led to the falling out between Curry and Microsoft, Curry alleges that Microsoft misrepresented the status of C2 certification for Windows NT on various occasions and asked him to do the same.

This is an extremely serious charge of fraud. Yet Microsoft refused to answer any of my questions or even to deny the charges on advice of their attorneys. Because Microsoft won't give me answers, I encourage you to demand answers to the following questions before purchasing NT. But before I pose the questions, let me clarify a common misconception about C2 security.

One does not C2-certify an OS. One certifies a complete configuration, including the hardware. The National Security Agency (NSA) lists the following configurations as having been evaluated for U.S. C2 certification: Windows NT 3.5 with Service Pack 3 on the Compaq ProLiant 2000 and ProLiant 4000 Pentium systems, and on a DECpc AXP/150. The LSEL diagnostics software was used as part of the configuration. The systems were certified only in a stand-alone configuration (no network). No other version of Windows NT has received C2 certification on any hardware platform (Windows NT 3.51 was C2-certified in October 1996, but only in the United Kingdom). (Ed. note: the UK has some standards which are functionally equivalent to C2, and this is what NT 3.51 received, though the standards are not transferable.)

Now, to Microsoft: Is it true that the banner Microsoft used to announce NT's C2 certification at the October 1995 National Institute of Standards and Technology (NIST)/NSA conference displayed a picture of NT 3.51 instead of the version that was actually certified (NT 3.5 Service Pack 3)? Is it true that the NSA demanded that this banner be corrected or removed? Did Microsoft comply?

Microsoft allegedly demonstrated NT 3.51 on the floor at the 1995 NIST/NSA conference and Windows NT 4.0 at the 1996 conference. Why was it appropriate to demonstrate nonevaluated versions of Windows NT at a conference specifically designed to attract customers who want the certified version of this software?

Was NT 4.0 under the Rating Maintenance Phase (RAMP) program during the 1996 NIST/NSA conference? If not, were Microsoft representatives instructed to say it was? Did Microsoft instruct Ed Curry to say it was in RAMP? When did Windows NT 4.0 officially enter the RAMP program?

To government customers: If you attended the 1996 NIST/NSA conference, were you told that NT 4.0 was currently in the RAMP program for C2 certification? Were you ever told that any version of NT besides 3.5 with Service Pack 3 was C2-evaluated? Did you buy any version other than 3.5 with Service Pack 3 on the basis of that information?

Finally, is it true that Windows NT was the entry point for recent cracks into the Pentagon computer system? If so, can you explain how this would happen? Because no version of NT is certified as a secure OS when connected to a network, why would the Pentagon deem it appropriate to allow a Windows NT system to be a network entry point?

Do Microsoft and our government think security is just a game? If there is any truth to the allegations above, then it's not surprising that hackers consider it sport to find the security hole du jour in Windows NT. I have a news flash. It's not a game. And as American citizens, I think we deserve the answers to the above questions. Don't you?