Forwarded From: Aleph One <aleph1@nationwide.net>
[ Personally this article seems like a lot of FUD. Everyone knows C2
certification is a joke. The government is not buying NT because it is C2
certified. They are buying NT because it looks like Windows and runs
off-the-shelf applications. Looks like Wired has written an article based on
statements by a clearly disgruntled contractor. It would have been
better if they had focused on the charges that MS broke their agreement.
- a1]
http://www.wired.com/news/news/technology/story/12121.html
Should Feds Trust Windows NT?
by James Glave
5:03am 6.May.98.PDT
As the Justice Department considers starting a widespread antitrust
probe into Microsoft's business practices, one security expert says
Microsoft is pulling the wool over the government's eyes with its NT
operating system.
Ed Curry, a technical security analyst who has tangled with Microsoft
in the past, has launched a one-man campaign to encourage the US
Senate Judiciary Committee and Justice Department to zero in on
Microsoft's extensive Windows NT business with the federal government.
Specifically, he is asking investigators to look into whether or not
the company cut corners with government security requirements in order
to sell potentially millions of operating system licenses to agencies
such as the Defense Department.
"I am formerly a military man, and when it comes to national security,
we have risked our butts in the past," said Curry. "We are not going
to let profits stand in the way of national security."
Curry claims that Microsoft is stretching the truth of NT's security
certification, and taking advantage of lax enforcement of
government-security-rating requirements to sell non-certified versions
of the product to federal markets. The scheme, he alleges, gives the
company an unfair advantage over its competitors and opens the US
government's computer networks up to needless risk.
Microsoft denied the allegations, stating that the company is working
closely with federal agencies to keep newer versions of Windows NT
certified.
Curry's concerns for national security go beyond patriotism. A former
Microsoft contractor, and a National Security Agency-certified
technical security analyst, he claims that Microsoft drove him to the
brink of personal bankruptcy by breaking agreements to bundle and
co-market his security-testing software with each licensed copy of NT.
Further, he said the company threatened him with legal action when he
asked for restitution.
Ken Moss, the Microsoft representative familiar with Curry's charges,
was not available for comment.
At the heart of Curry's struggle is the security rating that the
government first awarded to an early version of Windows NT in 1994 --
a rating that opened doors for Microsoft to sell to the Defense
Department (DOD). Curry said that the company estimated these markets
could comprise three to four million Windows NT licenses, amounting to
potentially more than a billion dollars.
But a government security rating is not easy to come by.
Software and hardware companies must apply to the National Computer
Security Center (NCSC) to have their product run through a battery of
tests and diagnostics to obtain a "level of trust" rating. For
example, custom-built systems rated A1, appropriate for top-secret
material, must be shipped and installed under armed guard. Meanwhile,
an off-the-shelf product rated "C2" can handle sensitive, but not
classified, information. It is the C2 rating that was awarded to
Windows NT 3.5.
A number of attacks on DOD systems, including the recent theft of
network configuration software, have been attributed to poorly
configured Windows NT machines. Kirby Kuehl, a Microsoft-certified
product specialist for NT Server and founder of the security site
Technotronic, said that while NT can be made secure, many of the
default settings that ship with the system leave NT systems vulnerable
to cracking.
Despite such concerns about security, Windows NT has enjoyed rapid
growth in the Defense Department market, largely on the credibility of
the C2 rating, according to Curry and analysts with International Data
Corp.
"Getting the first, off-the-shelf commercial operating system through
the evaluation allowed them to capture the government market," Curry
said.
"The C2 rating was a big factor for DOD embracing Windows NT,"
said Mathew Mahoney, an analyst for IDC Government. "They have adopted
aggressively at the desktop and the server; part of the reason was the
security rating, but also increased robustness of the platform."
Other sources familiar with government purchasing trends confirmed
that Windows NT sales were booming.
"We have seen a continual erosion of NT competitor Novell Netware in
the federal government due to NT," said Steve Vito, publisher of
Federal Computer Week magazine.
Vito said that recent research among his readership shows that while
14 percent plan to buy Netware, 33 percent intend to buy NT in the
coming year. About 65,000 of Vito's 83,000 subscribers are government
IT managers.
Last month, Microsoft announced a major contract with the US Air Force
to begin converting military command and control applications from
UNIX operating system environments to Windows NT.
But not all is what it seems, Curry claims.
In their rush to embrace Windows NT, which is less expensive than
similar UNIX-based systems, Curry suggested many government
procurement officers may be either ignoring or misunderstanding the
product's C2 rating. Microsoft may also be glossing over the fact that
the C2 rating only applies to a now-obsolete version of Windows NT,
version 3.5, running on a machine that is unplugged from a network.
But that configuration isn't much use to anybody.
"The C2 rating is worthless," said Russ Cooper, moderator of the
NTBugtraq mailing list, which tracks vulnerabilities with Windows NT.
"It doesn't mean anything. If you change one thing, such as add a
modem, or change the network adapter, the certification becomes
worthless."
Curry alleges that Microsoft is taking improper liberties with its C2
rating by selling the government more recent, but non-certified,
versions of the OS, including Windows NT 3.51 and the current
release, 4.0.
"The story they tell the government is 'This product has the same
level of security or better as 3.5. It's OK to buy this version, we
are putting it through the certification review process.' This is
all most agencies need to hear, from my experience," said Curry.
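The practical point behind Cooper's and Curry's complaints is that an evaluation covers one exact configuration: the version and service pack named in the rating, the hardware it was evaluated on, and (for NT 3.5) a stand-alone machine with no network connection. A "newer, same level of security or better" release is simply outside that configuration. The following is an added example, not code from the Wired article, from Microsoft, or from Curry's diagnostic program: a small drift check that compares a host inventory against an evaluated-configuration manifest and lists every deviation. The field names, the service-pack number "SP3", the hardware models and the three sample hosts are assumptions constructed for the example; only the rules (exact version match, exact hardware list, no modem or network adapter on a stand-alone evaluation) come from what the article states.

```python
"""Evaluated-configuration drift check (added example; not from the
Wired article, from Microsoft, or from any real C2 diagnostic tool).

Rules taken from the article: the rating names one version plus one
service pack, it covers one hardware platform, and it was done on a
stand-alone machine, so a modem or a changed network adapter leaves
the evaluated configuration. Field names, "SP3", the hardware models
and the sample hosts below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Component = Tuple[str, str]          # (device class, model), assumed shape
COMMS_CLASSES = {"nic", "modem"}     # devices that connect the box to a network


@dataclass(frozen=True)
class EvaluatedConfig:
    """The exact target of evaluation: one version, one SP, one hardware list."""
    product: str
    version: str
    service_pack: str
    networked: bool
    hardware: FrozenSet[Component]


@dataclass(frozen=True)
class HostInventory:
    hostname: str
    product: str
    version: str
    service_pack: str
    hardware: FrozenSet[Component]


def drift(cfg: EvaluatedConfig, host: HostInventory) -> List[str]:
    """Return every way `host` differs from the evaluated configuration.

    An empty list means the host is inside the evaluated configuration.
    Version checks are exact-match on purpose: a newer release is drift
    even if the vendor calls it "the same level of security or better",
    because the evaluation covered only the version it named.
    """
    findings: List[str] = []
    if (host.product, host.version) != (cfg.product, cfg.version):
        findings.append(f"product/version {host.product} {host.version} "
                        f"is not the evaluated {cfg.product} {cfg.version}")
    if host.service_pack != cfg.service_pack:
        findings.append(f"service pack {host.service_pack} is not the "
                        f"evaluated {cfg.service_pack}")
    added = host.hardware - cfg.hardware
    removed = cfg.hardware - host.hardware
    for cls, model in sorted(added):
        # comms devices on a stand-alone evaluation get the specific message below
        if not cfg.networked and cls in COMMS_CLASSES:
            continue
        findings.append(f"hardware not in evaluated platform: {cls} {model}")
    for cls, model in sorted(removed):
        findings.append(f"evaluated hardware missing: {cls} {model}")
    if not cfg.networked:
        for cls, model in sorted(host.hardware):
            if cls in COMMS_CLASSES:
                findings.append(f"stand-alone evaluation but host has {cls} {model}")
    return findings


def in_evaluated_configuration(cfg: EvaluatedConfig, host: HostInventory) -> bool:
    return not drift(cfg, host)


def report(cfg: EvaluatedConfig, hosts: List[HostInventory]) -> Dict[str, List[str]]:
    """Map hostname -> drift findings for every host in the inventory."""
    return {h.hostname: drift(cfg, h) for h in hosts}


# Constructed sample manifest and inventory (assumed values throughout).
BASE_HW = frozenset({("cpu", "i486"), ("disk", "SCSI-ID0"), ("video", "VGA")})
NT35_C2 = EvaluatedConfig("Windows NT", "3.5", "SP3", networked=False, hardware=BASE_HW)

HOSTS = [
    HostInventory("ws-01", "Windows NT", "3.5", "SP3", BASE_HW),
    HostInventory("ws-02", "Windows NT", "3.5", "SP3",
                  BASE_HW | {("modem", "US Robotics 28.8")}),
    HostInventory("srv-01", "Windows NT", "4.0", "SP3",
                  frozenset({("cpu", "Pentium"), ("disk", "SCSI-ID0"),
                             ("video", "VGA"), ("nic", "3C509")})),
]

if __name__ == "__main__":
    for name, findings in report(NT35_C2, HOSTS).items():
        print(f"{name}: {'inside' if not findings else 'OUTSIDE'} evaluated configuration")
        for f in findings:
            print(f"  - {f}")
```

Running it shows ws-01 inside the configuration, ws-02 outside because of the added modem, and srv-01 outside on four counts (version, CPU added, CPU missing, network adapter). The same manifest-versus-inventory comparison is what a buyer would need before treating any vendor's "it is the same or better" claim as equivalent to the rating.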
Curry alleges that Microsoft, in selling the government other versions
of Windows NT than the C2-certified version, was pursuing another
agenda. He said that Microsoft was selling later versions of NT
bundled with its Office 97, which is not supported by the C2-certified
NT 3.5.
"The bundling effectively eliminates the opportunity for other
vendors to bid like products (word processors, spreadsheets, etc.)
since it reduces the price of the bid," Curry said in a letter he sent
to the Senate Judiciary Committee and the Department of Justice.
A Microsoft spokesperson confirmed that Office 97 is not supported by
Windows NT 3.5, but is supported by subsequent versions of the OS.
However, in a recent IDC Government report on Windows NT adoption
within government, the leading reason government purchasers plan to
buy the OS was the availability of commercial software. Security was
not offered as an option to survey participants.
Curry has a strong personal interest in seeing a new investigation of
Microsoft's actions. He said that the company agreed to bundle his
software -- the C2 Processor Diagnostics Program -- with certified
copies of Windows NT, but later backed out, leaving his company
heavily invested in a broken deal. The government requires such a
diagnostics program to be shipped with each certified copy of NT 3.5
-- basically, it serves to verify that a given installation is up to
the rating.
But Microsoft didn't ship Curry's program. Now he is working as a
security contractor for a Fortune 500 company. He said that Microsoft
told him that including the diagnostic would give federal buyers
reason to question NT's security.
A Microsoft security manager denied Curry's allegations that the
company is misrepresenting NT's security certification status.
"I do not believe we have ever made claims that NT 4.0 is C2
certified," said Jason Garms, Microsoft Windows NT security manager.
Garms said that Microsoft hosted a federal security summit in Redmond
in December 1997. "There were 350 people here, representing every
single agency and constituency, to talk about security for two and a
half days. It was made very clear what our C2 rating was, and where we
were with it," Garms said.
Garms added that Windows NT 4.0 was entering the C2 certification
program, and that the OS has already been certified with a European
government security standard that is accepted, within the US
government, as the equivalent of the domestic C2 rating.
Besides, said another Microsoft engineer, the DOD can never buy a
certified system, because by the time the C2 rating is awarded, the
required hardware is long obsolete.
"We have never sold a federal agency a networked C2 system," said
Sean Murphy, senior systems engineer with the Microsoft Federal Group.
"There are agencies that have gotten exceptions because they are aware
that we are in the certification process for NT 4.0."
Garms said that the C2 certification is only required by government
agencies in purchasing products on a case-by-case basis, and that
there is no broad government mandate requiring the purchase of
C2-evaluated products.
However, the National Security Agency (NSA) told Wired News in a
statement that two directives, DOD Directive 5200.28 and DCI Directive
1/16, "require the use of an evaluated product for many systems used
within DOD."
"Both Directives, however, contain provisions for waivers and
exceptions to this requirement," the NSA statement added.
A Wired News request to the NSA to determine the current status of
Microsoft's C2 application for Windows NT 4.0 was denied at the
request of Microsoft, according to NSA public affairs. But Murphy said
that the company expects to have a networked version of Windows NT 4.0
approved as C2 by October.
Meanwhile, Curry says he has personally witnessed Microsoft
representatives at government trade shows passing off newer versions
of NT as being C2 certified.
"Microsoft's direct and indirect inference that the government
evaluation applies equally to NT 3.51 and NT 4.0, when it does not,
wrongfully prevents vendors of other operating systems from being able
to bid their products," said Curry in his letter to the Senate
committee and Justice Department.
Curry said he asked Microsoft why they would sell the government a
non-evaluated version of the product different than the one they
sought approval for. "Their response was, 'A sold NT is a sold NT, we
don't care which version it is,'" he said.
NTBugtraq's Cooper said that due to the long delays in the
certification process, few in the government follow the rating system
for unclassified applications.
"NT 3.5 with a service pack is the only implementation of Windows NT
that is certified. If government departments are buying today and
not buying that version, then they are not C2 certified," Cooper said.
"Personally, I think the NCSC is running a stupid certification
process," Cooper said.
Copyright © 1993-97 Wired Ventures Inc. and affiliated companies.
All rights reserved.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri May 8 09:00:05 1998