Are Pentagon computers compromised?

By Jon Dougherty

A National Security Agency-trained computer vendor and security
analyst says the Pentagon and other government agencies have violated
their own security rules by purchasing mass quantities of a non-secure
computer operating system.

Ed Curry, a former independent contractor for the Microsoft
Corporation, developed one such secure processor program for one version
of the computer giant’s Windows NT program. He said since it was
destined for government computer systems, the program had to pass the
scrutiny of the National Computer Security Center (NCSC), which ran the
program through a battery of tests and diagnostics to obtain a “level of
trust” rating.

But Curry told WorldNetDaily the current version of Windows NT being
purchased “in mass quantities” by the federal government is insecure and
subject to alteration. The version he tested and knows to be secure is
Windows NT 3.5, whereas the government — even the Department of Defense
— has been buying version 4.0.

According to Curry, the most susceptible component of the computer is
the processor. With no security program in place, the processor can be
altered, and therefore so too can the processor commands and functions.
When these systems are used to operate or monitor defense
systems, guided missiles, or any number of other applications,
vulnerability means they can be changed in any number of ways — perhaps
without the operator knowing until it’s too late.

Curry said that processors on Windows NT Version 4.0 are insecure
because they have been designed to automatically “open the processor up
to accept commands” on start-up, whereas the 3.5 version does not do
that. That alone, he said, “makes the processor insecure and hence, the
entire system as well.”

Curry’s program is not compatible with the 4.0 version. But because
government buyers wanted other “bundled” Windows applications that were
incompatible with the 3.5 version, they decided to buy 4.0 instead,
despite being notified of the security problems.

“Basically it was money over security,” Curry explained. “They had
already bought thousands of the 4.0 systems, and didn’t want to have to
replace them.”

In the meantime, Curry says he has met with a number of government
and defense representatives but has been unable to change their minds.

“I have met with representatives of Defense Secretary William Cohen,”
Curry told WorldNetDaily, “and have presented my evidence to them. They
know I’m right, and they know what I’ve told them — that they’re
violating their own security rules — is right. But they basically said
it didn’t matter, that they would continue to use the 4.0 version.”

Dick Schaefer, an aide to Defense Secretary William Cohen, as well as
representatives of the NSA, told Curry “their hands were tied” in the
matter.

To continue getting the government contracts, Curry said, Microsoft
“misled” the government about the 4.0 version. “Microsoft said that
version was security tested by the government (NSA), which was patently
untrue.” He said that the huge computer corporation is taking advantage
of poor enforcement of government-security-rating requirements to sell
non-certified versions of the same product in the lucrative federal
market.

“In fact,” he added, “Microsoft NT 4.0 is the least secure of all the
NT versions.” Version 3.5 is the only one that is secure, Curry said,
but other reports quoted some officials as saying that version is now
out of date.

Ironically, when the NSA was evaluating NT in 1994, the government
told Curry “they needed a program to make sure the processor was secure.
It was sort of a rush job, but I got to work and got a program written
to their specifications.” Normally, he said, the process takes “several
months” or longer, “but they wanted this one in a hurry.”

Curry told WorldNetDaily that initially, Microsoft promised to bundle
and co-market his security-testing software with each licensed copy of
NT. But later the company broke that agreement, thereby leaving his
company holding a serious amount of research and development debt over
the project. When he requested that Microsoft compensate him for his
loss after they broke their contract with him, the company threatened
legal action, he said.

Microsoft would not return phone calls to WorldNetDaily, but in other
published reports the company has denied Curry’s charges, saying they
are “working closely with the federal government to ensure all versions
of NT are secure.”

Curry said a government security rating is not easy to obtain, but
once he received it, the potential sales of his software could have
comprised some 3 to 4 million units, totaling about a billion dollars in
sales.

Curry also explained that it was critical to make sure the processor
of every system is protected, particularly government computers in any
setting that can be exposed to hacking attacks or other methods of
alteration.

“All computer security systems begin with the Intel processor
itself,” Curry said. “I helped Intel develop their processor, so I know
how they work and how vulnerable they can be if left exposed.”

Curry added that beginning with the Pentium Pro processor, people
using the Internet could download programs that would fix certain
glitches and bugs in existing software and systems. Many of those fixes
were geared toward the processors, which means, “you can also download a
program that could shut off the security,” he said. Consequently, “those
programs which alter the processors (and are being used in DoD systems)
can also make weapons fire certain ways, or not at all. My program was
designed not only to make sure all processors are secure, but to make
sure they stay secure.”

Curry repeatedly emphasized that his continued attempts to make the
government aware of the shortcomings in unsecured Windows NT operating
systems “is because of what it is doing to our national security,
nothing more.” He said his consulting and software design business is
gone, “and there isn’t much I can do about that right now.”

“But I can continue to try to let these people know what kind of
product Microsoft is actually selling them,” he added. “It’s been hard,
partially because I don’t think the government agencies really
understand the nature of PCs.”

Other government sources confirmed that Windows NT sales are booming,
and are steadily replacing competitor Novell Netware in federal systems.
And, it’s likely to get worse.

In May 1998, Microsoft announced a major contract with the U.S. Air
Force to begin changing military command and control applications from
the UNIX operating system to Windows NT. And Curry said the U.S. Navy is
extensively using the unsecured NT versions aboard its warships.

Jon E. Dougherty is a Missouri-based political science major, author, writer and columnist.