Former Microsoft employee says NT not secure

Ed Curry, a former Microsoft employee, is attempting to warn the U.S.government that Windows NT is not secure; he will present his case beforethe staff of the U.S. Secretary of Defense next month. Meanwhile, hisformer employer is painting a different picture: Curry is on a personalvendetta to smear Microsoft's--and NT's--reputation, they say.

So which is it?

A few years back, Curry was working to help Microsoft obtain the lofty C2security certification for Windows NT 3.5 SP3. C2--or NCSC/NSA C2--is anaward given by the National Security Agency (NSA) based on the so-called"orange book" criteria. Any computer system that is certified to be C2compliant is considered extremely secure, basically: Only a complete systemcan be considered C2 compliant. Microsoft wants to sell Windows NT as partof C2-compliant systems to the government. Curry's job was to write a set of C2 hardware diagnostics for Microsoft.

In 1995, Microsoft ended Curry's contract, though it won't say why, citingrecommendations by the company's lawyers. Two years after Curry was fired,Microsoft contracted Science Applications International Corp. (SAIC) to continue its NT C2 certification efforts. SAIC, at the time, said that NT4.0 would get C2 certification "within weeks." Three years later, thatstill hasn't happened. Curry says that security flaws in Windows NT 4.0 areto blame, flaws that Microsoft has sought to cover up. He says that thecompany fired him because he became aware of problems in NT 4.0 and refusedto lie about them.

So he's taking his case to the government, warning that "the government's procurement of millions of copies of non-evaluated versions of Windows NT [4.0]...fail to meet the C2-level security requirements of the Department of Defense and other agencies."

"Microsoft has knowingly and willfully concealed information regarding security flaws in computer hardware from the NSA out of fear that revealingsuch flaws would reduce the number of copies of its products that would bepurchased by the government," Curry wrote in a letter to U.S. Secretary of Defense William Cohen. "I have raised this issue internally with Microsoft,and in return have been the subject of both bribes and threats."

Meanwhile, Microsoft is denying the claims.

"Ed's making a mountain out of a molehill," said a Microsoft spokesperson.

We'll see: On October 13, Curry will have a chance to tell his side of thestory to Will Cohen's staff