12 September 1999
From: "kin nay" <firstname.lastname@example.org>
Subject: Who Hides The Truth About NT? And Why?
Date: Sun, 12 Sep 1999 18:16:01 +0400
Today someone is doing his best to make us forget this man.
Ed Curry is a former military man, an NSA-certified technical security analyst, and a former independent contractor for the Microsoft Corporation, who for several years has been saying that the Pentagon and other US government agencies have violated their own security rules by purchasing mass quantities of a non-secure computer operating system, Windows NT.
One can see some details at:
The peak of this story was about a year ago, when Curry had stepped up his campaign to alert the government and the public in general about "the government's procurement of millions of copies of non-evaluated versions of Windows NT that fail to meet the C2-level security requirements of the Department of Defense and other agencies." In September 1998 Curry sent a letter to Defense Secretary William Cohen, alerting him to potential security violations involving NT. In the letter, Curry says his C2 certification contract was discontinued by Microsoft because he refused to lie about Microsoft's violations of C2 guidelines. In response to the letter, Ed Curry had an October 13 meeting with the Secretary of Defense's staff.
"All computer security systems begin with the Intel processor itself," Curry said. "I helped Intel develop their processor, so I know how they work and how vulnerable they can be if left exposed." ... "In fact," he added, "Microsoft NT 4.0 is the least secure of all the NT versions... Processors on Windows NT Version 4.0 are insecure because they have been designed to automatically open the processor up to accept commands on start-up."
More about Curry's letter and the subsequent meeting:
"I have met with representatives of Defense Secretary William Cohen," Curry said after the meeting, "and have presented my evidence to them. They know I'm right, and they know what I've told them -- that they're violating their own security rules -- is right. But they basically said it didn't matter, that they would continue to use the 4.0 version." Dick Schaefer, an aide to Defense Secretary William Cohen, as well as representatives of the NSA, told Curry "their hands were tied" in the matter. "Basically it was money over security," Curry explained.
But the most interesting thing about this whole story is what happened after that.
Curry's "vendetta" wasn't broadly reflected in the mass media due to "the understandable delicacy" of the problem. If you try to find something new about this on the Internet, it won't be easy. More than that, somebody has been trying to hide past publications.
A clear example.
There is GOVERNMENT COMPUTER NEWS [http://www.gcn.com/] - a branch of The Washington Post company. In autumn 1998 there were several articles about this case, but if you go to their archive [http://www.gcn.com/search/index.html] now, what will you see? There are only issues from Jan to Aug 1998, and Dec 1998 right after them, without any explanation of why the Sep, Oct and Nov issues are omitted. Of course this isn't a problem if you know their direct addresses ;-). In particular, some GCN articles about Curry's case:
Do you think it's a random coincidence? Well, then try searching for something about Ed Curry across the whole GCN web site at http://www.gcn.com/search/index.html. The result is that you will get only one small blurb dated 1996 about Curry's MS contract. And nothing about the subsequent scandal.
So why do they do that?
Are they shy?
(In case some of the cited pages begin to "disappear", we've posted a zip file with them to John Young's Cryptome: http://cryptome.org/ed-curry.zip)