Former Microsoft employee says NT not secure

Ed Curry, a former Microsoft employee, is attempting to warn the U.S. government that Windows NT is not secure; he will present his case before the staff of the U.S. Secretary of Defense next month. Meanwhile, his former employer is painting a different picture: Curry is on a personal vendetta to smear Microsoft's--and NT's--reputation, the company says.

So which is it?

A few years back, Curry was working to help Microsoft obtain the lofty C2 security certification for Windows NT 3.5 SP3. C2--or NCSC/NSA C2--is an award given by the National Security Agency (NSA) based on the so-called "orange book" criteria. Any computer system that is certified as C2 compliant is considered extremely secure, but only a complete system can be considered C2 compliant. Microsoft wants to sell Windows NT as part of C2-compliant systems to the government. Curry's job was to write a set of C2 hardware diagnostics for Microsoft.

In 1995, Microsoft ended Curry's contract, though it won't say why, citing recommendations by the company's lawyers. Two years after Curry was fired, Microsoft contracted Science Applications International Corp. (SAIC) to continue its NT C2 certification efforts. SAIC, at the time, said that NT 4.0 would get C2 certification "within weeks." Three years later, that still hasn't happened. Curry says that security flaws in Windows NT 4.0 are to blame, flaws that Microsoft has sought to cover up. He says that the company fired him because he became aware of problems in NT 4.0 and refused to lie about them.

So he's taking his case to the government, warning about "the government's procurement of millions of copies of non-evaluated versions of Windows NT [4.0] to meet the C2-level security requirements of the Department of Defense and other agencies."

"Microsoft has knowingly and willfully concealed information regarding security flaws in computer hardware from the NSA out of fear that revealing such flaws would reduce the number of copies of its products that would be purchased by the government," Curry wrote in a letter to U.S. Secretary of Defense William Cohen. "I have raised this issue internally with Microsoft, and in return have been the subject of both bribes and threats."

Meanwhile, Microsoft is denying the claims.

"Ed's making a mountain out of a molehill," said a Microsoft spokesperson.

We'll see: On October 13, Curry will have a chance to tell his side of the story to Will Cohen's staff.
