Yesterday's story about Ed Curry and his claims about NT security--or the lack thereof--generated a ton of email from various places, most of which wished to remain anonymous. I was, however, able to verify numerous details of the story and got a couple of corrections from Waggener Edstrom, the Microsoft PR firm. Most importantly, Curry was not a Microsoft employee but was rather contracted by Microsoft to develop C2 diagnostics software and to present Windows NT, as part of a hardware configuration, to the National Computer Security Center (NCSC) for C2 certification. The funny thing is, I actually knew that Curry wasn't a Microsoft employee and yet the title of yesterday's story obviously identifies him as such: My mistake.
Curry's claims, of course, will be verified or refuted in the future. That will be up to the U.S. Department of Defense, which will review them when it interviews him on October 13th.
So what do we know about this story? Well, Curry is the president of Lone Star Evaluation Laboratories (LSEL), and he was picked to defend Windows NT as an appropriate candidate for C2 because "LSEL has the unique technical qualities required to work with Microsoft and computer hardware manufacturers in defending our products to the NCSC," according to a letter written by Microsoft Government Evaluations Manager Ken Moss.
Curry says that Microsoft promised it would sell millions of copies of the diagnostic software he wrote but then failed to market it. As a result, LSEL went bankrupt, he says. That history casts some doubt on his claims, because he has an obvious reason to attack Microsoft. Still, the charges are serious enough to investigate: Curry says that Microsoft asked him to misrepresent the status of NT's C2 certification while he was under contract to do this work.
Microsoft, for its part, says that the work it has done with SAIC is unrelated to anything it did with Curry and that Curry's role in NT's C2 certification was "limited." According to Microsoft, certain hardware systems that were being tested exhibited problems that would have affected any operating system, not just NT. Furthermore, Curry's work wasn't exactly NT-specific: his hardware diagnostic tool was OS-independent because the hardware test itself is OS-independent.
Again, one has to wonder what the truth of the situation is. The entire issue of "C2 certification" is itself a complex one. For example, an operating system such as Windows NT cannot by itself be "C2 certified"; rather, a specific computer system (hardware plus software) is rated, and NT can be part of that system. Furthermore, a "C2-certified" system requires a separate evaluation if it is connected to a network, and the NT systems that were certified were evaluated standalone, not networked. Systems with Windows NT 3.5 and 3.51 were successfully certified, but Service Pack releases were not (as far as I could find out), and NT 4.0 has never been C2 certified, despite the fact that it's been commercially available for over two years. One has to wonder.
I'm hoping to talk with someone from Microsoft next week to clarify this sticky situation. If I find out more, I will, of course, pass it along. One thing that amazes me is the scope of these charges and how little press they have gotten so far (perhaps because of the other major problems Microsoft is facing right now): IDG's Nick Petreley reported on it back in July and ZDNet's Mary Jo Foley published a story yesterday. But that's about it. I'd been looking for corroboration on this for a few weeks now, and it's starting to take shape. Expect more news as the October 13 meeting draws closer.
Here are some links for more information on C2:
Achieving Class C2 Security in a Network Environment (Novell)
Windows NT "C2" Security Evaluations (Microsoft)