Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.worldnetdaily.com/bluesky_dougherty/19990223_xex_are_pentagon.shtml
(WorldNetDaily) [2.23.99] A National Security Agency-trained computer
vendor and security analyst says the Pentagon and other government
agencies have violated their own security rules by purchasing mass
quantities of a non-secure computer operating system.
Ed Curry, a former independent contractor for the Microsoft Corporation,
developed one such secure processor program for one version of the
computer giant's Windows NT program. He said since it was destined for
government computer systems, the program had to pass the scrutiny of the
National Computer Security Center (NCSC), which ran the program through a
battery of tests and diagnostics to obtain a "level of trust" rating.
But Curry told WorldNetDaily the current version of Windows NT being
purchased "in mass quantities" by the federal government is insecure and
subject to alteration. The version he tested and knows to be secure is
Windows NT 3.5, whereas the government -- even the Department of Defense
-- has been buying version 4.0.
According to Curry, the most susceptible component of the computer is the
processor. With no security program in place, the processor can be
altered, and therefore so too can the processor commands and functions.
When these systems are used to operate or monitor defensive
systems, guided missiles, or any number of other applications,
vulnerability means they can be changed in any number of ways -- perhaps
without the operator knowing until it's too late.
Curry said that processors on Windows NT Version 4.0 are insecure because
they have been designed to automatically "open the processor up to accept
commands" on start-up, whereas the 3.5 version does not do that. That
alone, he said, "makes the processor insecure and hence, the entire system
as well."
Curry's program is not compatible with the 4.0 version. But because
government buyers wanted other "bundled" Windows applications that were
incompatible with the 3.5 version, they decided to buy 4.0 instead,
despite being notified of the security problems.
"Basically it was money over security," Curry explained. "They had
already bought thousands of the 4.0 systems, and didn't want to have to
replace them."
In the meantime, Curry says he has met with a number of government and
defense representatives but has been unable to change their minds.
"I have met with representatives of Defense Secretary William Cohen,"
Curry told WorldNetDaily, "and have presented my evidence to them. They
know I'm right, and they know what I've told them -- that they're
violating their own security rules -- is right. But they basically said it
didn't matter, that they would continue to use the 4.0 version."
Dick Schaefer, an aide to Defense Secretary William Cohen, as well as
representatives of the NSA, told Curry "their hands were tied" in the
matter.
To continue getting the government contracts, Curry said, Microsoft
"misled" the government about the 4.0 version. "Microsoft said that
version was security tested by the government (NSA), which was patently
untrue." He said that the huge computer corporation is taking advantage of
poor enforcement of government-security-rating requirements to sell
non-certified versions of the same product in the lucrative federal
market.
"In fact," he added, "Microsoft NT 4.0 is the least secure of all the NT
versions." Version 3.5 is the only one that is secure, Curry said, but
other reports quoted some officials as saying that version is now out of
date.
Ironically, when the NSA was evaluating NT in 1994, the government told
Curry "they needed a program to make sure the processor was secure. It was
sort of a rush job, but I got to work and got a program written to their
specifications." Normally, he said, the process takes "several months" or
longer, "but they wanted this one in a hurry."
Curry told WorldNetDaily that initially, Microsoft promised to bundle and
co-market his security-testing software with each licensed copy of NT. But
later the company broke that agreement, thereby leaving his company
holding a serious amount of research and development debt over the
project. When he requested that Microsoft compensate him for his loss
after they broke their contract with him, the company threatened legal
action, he said.
Microsoft would not return phone calls to WorldNetDaily, but in other
published reports the company has denied Curry's charges, saying they are
"working closely with the federal government to ensure all versions of NT
are secure."
Curry said a government security rating is not easy to obtain, but once he
received it, the potential sales of his software could have comprised some
3 to 4 million units, totaling about a billion dollars in sales.
Curry also explained that it was critical to make sure the processor of
every system is protected, particularly government computers in any
setting that can be exposed to hacking attacks or other methods of
alteration.
"All computer security systems begin with the Intel processor itself,"
Curry said. "I helped Intel develop their processor, so I know how they
work and how vulnerable they can be if left exposed."
Curry added that beginning with the Pentium Pro processor, people using
the Internet could download programs that would fix certain glitches and
bugs in existing software and systems. Many of those fixes were geared
toward the processors, which means, "you can also download a program that
could shut off the security," he said. Consequently, "those programs
which alter the processors (and are being used in DoD systems) can also
make weapons fire certain ways, or not at all. My program was designed not
only to make sure all processors are secure, but to make sure they stay
secure."
Curry repeatedly emphasized that his continued attempts to make the
government aware of the shortcomings in unsecured Windows NT operating
systems "is because of what it is doing to our national security, nothing
more." He said his consulting and software design business is gone, "and
there isn't much I can do about that right now."
"But I can continue to try to let these people know what kind of product
Microsoft is actually selling them," he added. "It's been hard, partially
because I don't think the government agencies really understand the nation
of PCs."
Other government sources confirmed that Windows NT sales are booming, and
are steadily replacing competitor Novell Netware in federal systems. And,
it's likely to get worse.
In May 1998, Microsoft announced a major contract with the U.S. Air Force
to begin changing military command and control applications from the UNIX
operating system to Windows NT. And Curry said the U.S. Navy is
extensively using the unsecured NT versions aboard its warships.
Received on Thu Mar 11 17:28:04 1999