From: Aleph One 

[ Personally this article seems like a lot of FUD. Everyone knows C2
  certification is a joke. The government is not buying NT because it is C2
  certified. They are buying NT because it looks like Windows and runs off
  the self applications. Looks like wired has written an article based on
  statements by a clearly disgruntled contractor. It would have been
  better if they had focused it the charges that MS broke their agreement.
  - a1]

Should Feds Trust Windows NT?

by James Glave

5:03am 6.May.98.PDT

http://www.wired.com/news/news/technology/story/12121.html

As the Justice Department considers starting a widespread antitrust probe into Microsoft's business practices, one security expert says Microsoft is pulling the wool over the government's eyes with its NT operating system.

Ed Curry, a technical security analyst who has tangled with Microsoft in the past, has launched a one-man campaign to encourage the US Senate Judiciary Committee and Justice Department to zero in on Microsoft's extensive Windows NT business with the federal government. Specifically, he is asking investigators to look into whether or not the company cut corners with government security requirements in order to sell potentially millions of operating system licenses to agencies such as the Defense Department.

"I am formerly a military man, and when it comes to national security, we have risked our butts in the past," said Curry. "We are not going to let profits stand in the way of national security."

Curry claims that Microsoft is stretching the truth of NT's security certification, and taking advantage of lax enforcement of government-security-rating requirements to sell non-certified versions of the product to federal markets. The scheme, he alleges, gives the company an unfair advantage over its competitors and opens the US government's computer networks up to needless risk.

Microsoft denied the allegations, stating that the company is working closely with federal agencies to keep newer versions of Windows NT certified.

Curry's concerns for national security go beyond patriotism. A former Microsoft contractor, and a National Security Agency-certified technical security analyst, he claims that Microsoft drove him to the brink of personal bankruptcy by breaking agreements to bundle and co-market his security-testing software with each licensed copy of NT. Further, he said the company threatened him with legal action when he asked for restitution.

Ken Moss, the Microsoft representative familiar with Curry's charges, was not available for comment.

At the heart of Curry's struggle is the security rating that the government first awarded to an early version of Windows NT in 1994 -- a rating that opened doors for Microsoft to sell to the Defense Department (DOD). Curry said that the company estimated these markets could comprise three to four million Windows NT licenses, amounting to potentially more than a billion dollars.

But a government security rating is not easy to come by.

Software and hardware companies must apply to the National Computer Security Center (NCSC) to have their product run through a battery of tests and diagnostics to obtain a "level of trust" rating. For example, custom-built systems rated A1, appropriate for top-secret material, must be shipped and installed under armed guard. Meanwhile, an off-the-shelf product rated "C2" can handle sensitive, but not classified, information. It is the C2 rating that was awarded to Windows NT 3.5.

A number of attacks on DOD systems, including the recent theft of network configuration software, have been attributed to poorly configured Windows NT machines. Kirby Kuehl, a Microsoft-certified product specialist for NT Server and founder of the security site Technotronic, said that while NT can be made secure, many of the default settings that ship with the system leave NT systems vulnerable to cracking.

Despite such concerns about security, Windows NT has enjoyed rapid growth in the Defense Department market, largely on the credibility of the C2 rating, according to Curry and analysts with International Data Corp.

"Getting the first, off-the-shelf commercial operating system through the evaluation allowed them to capture the government market," Curry said.

"The C2 rating was a big factor for DOD embracing Windows NT," said Mathew Mahoney, an analyst for IDC Government. "They have adopted aggressively at the desktop and the server; part of the reason was the security rating, but also increased robustness of the platform."

It is only C2 certified in a NON-networked environment. The certification only holds for NT 3.5, something Microsoft doesn't always remind their users of.

Other sources familiar with government purchasing trends confirmed that Windows NT sales were booming.

"We have seen a continual erosion of NT competitor Novell Netware in the federal government due to NT," said Steve Vito, publisher of Federal Computer Week magazine.

Vito said that recent research among his readership shows that while 14 percent plan to buy Netware, 33 percent intend to buy NT in the coming year. About 65,000 of Vito's 83,000 subscribers are government IT managers.

Last month, Microsoft announced a major contract with the US Air Force to begin converting military command and control applications from UNIX operating system environments to Windows NT.

But not all is what it seems, Curry claims.

In their rush to embrace Windows NT, which is less expensive than similar UNIX-based systems, Curry suggested many government procurement officers may be either ignoring or misunderstanding the product's C2 rating. Microsoft may also be glossing over the fact that the C2 rating only applies to a now-obsolete version of Windows NT, version 3.5, running on a machine that is unplugged from a network.

But that configuration isn't much use to anybody.

"The C2 rating is worthless," said Russ Cooper, moderator of the NTBugtraq mailing list, which tracks vulnerabilities with Windows NT. "It doesn't mean anything. If you change one thing, such as add a modem, or change the network adapter, the certification becomes worthless."

Curry alleges that Microsoft is taking improper liberties with its C2 rating by selling the government more recent, but non-certified, versions of the OS, including Windows NT 3.5.1 and the current release, 4.0.

"The story they tell the government is 'This product has the same level of security or better as 3.5. It's OK to buy this version, we are putting it through the certification review process." This is all most agencies need to hear from my experience," said Curry.

Curry alleges that Microsoft, in selling the government other versions of Windows NT than the C2-certified version, was pursuing another agenda. He said that Microsoft was selling later versions of NT bundled with its Office 97, which is not supported by the C2-certified NT 3.5.

"The bundling effectively eliminates the opportunity for other vendors to bid like products (word processors, spreadsheets, etc.) since it reduces the price of the bid," Curry said in a letter he sent to the Senate Judiciary Committee and the Department of Justice.

A Microsoft spokesperson confirmed that Office 97 is not supported by Windows NT 3.5, but is supported by subsequent versions of the OS.

However, in a recent IDC Government report on Windows NT adoption within government, the leading reason government purchasers plan to buy the OS was the availability of commercial software. Security was not offered as a survey option to survey participants.

Curry has a strong personal interest in seeing a new investigation of Microsoft's actions. He said that the company agreed to bundle his software -- the C2 Processor Diagnostics Program -- with certified copies of Windows NT, but later backed out, leaving his company heavily invested in a broken deal. The government requires such a diagnostics program to be shipped with each certified copy of NT 3.5 -- basically, it serves to verify that a given installation is up to the rating.

But Microsoft didn't ship Curry's program. Now he is working as a security contractor for a Fortune 500 company. He said that Microsoft told him that including the diagnostic would give federal buyers reason to question NT's security.

A Microsoft security manager denied Curry's allegations that the government is misrepresenting NT's security certification status.

"I do not believe we have ever made claims that NT 4.0 is C2 certified," said Jason Garms, Microsoft Windows NT security manager.

But they don't volunteer that it isn't. Microsoft relies on people dropping the version numbers when talking about certification.

Garms said that Microsoft hosted a federal security summit in Redmond in December 1997. "There were 350 people here, representing every single agency and constituency, to talk about security for two and a half days. It was made very clear what our C2 rating was, and where we were with it," Garms said.

Garms added that Windows NT 4.0 was entering the C2 certification program, and that the OS has already been certified with a European government security standard that is accepted, within the US government, as the equivalent of the domestic C2 rating.

Besides, said another Microsoft engineer, the DOD can never buy a certified system, because by the time the C2 rating is awarded, the required hardware is long obsolete.

"We have never sold a federal agency a networked C2 system," said Sean Murphy, senior systems engineer with the Microsoft Federal Group. "There are agencies that have gotten exceptions because they are aware that we are in the certification process for NT 4.0."

Garms said that the C2 certification is only required by government agencies in purchasing products on a case-by-case basis, and that there is no broad government mandate requiring the purchase of C2-evaluated products.

However, the National Security Agency (NSA) told Wired News in a statement that two directives, DOD Directive 5200.28 and DCI Directive 1/16, "require the use of an evaluated product for many systems used within DOD."

"Both Directives, however, contain provisions for waivers and exceptions to this requirement," the NSA statement added.

A Wired News request to the NSA to determine the current status of Microsoft's C2 application for Windows NT 4.0 was denied at the request of Microsoft, according to NSA public affairs. But Murphy said that the company expects to have a networked version of Windows NT 4.0 approved as C2 by October.

Meanwhile, Curry says he has personally witnessed Microsoft representatives at government trade shows passing off newer versions of NT as being C2 certified.

"Microsoft's direct and indirect inference that the government evaluation applies equally to NT 3.5.1 and NT 4.0, when it does not, wrongfully prevents vendors of other operating systems from being able to bid their products," said Curry in his letter to the Senate committee and Justice Department.

Curry said he asked Microsoft why they would sell the government a non-evaluated version of the product different than the one they sought approval for. "Their response was, 'A sold NT is a sold NT, we don't care which version it is," he said.

NTBugtraq's Cooper said that due to the long delays in the certification process, few in the government follow the rating system for unclassified applications.

"NT 3.5 with a service pack is the only implementation of Windows NT that is certified. If government departments are buying today and not buying that version, then they are not C2 certified," Cooper said.

"Personally, I think the NCSC is running a stupid certification process," Cooper said.