DIA cools on Java; DISA keeps perking

Two key Defense agencies last week took opposite stands on the security threat posed by the use of the Java operating system developed by Sun Microsystems Inc. The Defense Intelligence Agency called for a temporary halt to its use, while the Defense Information Systems Agency plans for Java to play a substantial role in the agency's future.

DIA issued a "moratorium" on the use of "Java applets and applications of any kind" in the Department of Defense Intelligence Information System (DODIIS), which serves thousands of users worldwide. However, DIA "approved the use of Java scripts and scripting tools for commands sites and program management offices," according to a copy of a message obtained by Federal Computer Week that DIA sent to commands worldwide last month.

The moratorium will remain in effect until delivery of a report on Java's features and a review of that report by the DIA Engineering Review Board, which will then "recommend a further course of action to the DMB [DODIIS Management Board.]"

Meanwhile, DISA embraced Java warmly even though it has not made an extensive review of the security of the Internet-oriented operating system. Rear Adm. John Gauss, director of DISA's Joint Interoperability Engineering Organization (JIEO), said that while "there have been security issues raised with Java, I have not delved into them to determine if they are 'fatal' flaws. My initial assessment is that Java will play a substantial role in our future, and whatever security problems exist can be dealt with."

Gauss added that he believed the "future of networked computing solutions and 'thin clients' for DOD computing will depend on the use of Java and/or JavaScript.... I believe Java will be a significant tool in achieving heterogeneous computing."

On the security front, Gauss said DISA recently agreed to purchase 180,000 copies of Netscape client software (see story, page 48) that can run Java with Fortezza security cards developed by the National Security Agency.

"Given that the applications are designed to use Fortezza between the client and the server so that you can have encrypted identification, authentication and content, I believe we can adequately secure the process," Gauss said.

Java supports a new form of software called an applet: an application that Internet users can run from a World Wide Web page but never download to their own computers. With Java, developers can create portable applications that require little in the way of end-user resources. Government agencies are using Java primarily to create interactive Web pages.

Bug Cited

Sources familiar with the DIA moratorium on Java said it stemmed from some widely publicized security problems that surfaced this spring. Researchers at Princeton University discovered a bug in the Java "Verifier" code. Netscape issued a bulletin on the bug that said, "A malicious programmer could potentially write a malicious applet that might exploit this bug and cause a file to be deleted or cause other damage on a user's machine."

David Spenhoff, director of product marketing for Sun's JavaSoft subsidiary, viewed the DIA moratorium "as the kind of standard review any kind of [chief information officer] would do when looking at a new operating system." John Leahy, group manager for Sun Federal, said that while he understood the concerns of the DIA - one of Sun's largest customers - "we do not know of any unsolved security problems with Java."

Spenhoff asserted that any holes or flaws in Java security resulted from the company putting its source code out on the Net and inviting users to make attacks. "Any flaws that have been found result from the work of very skilled people who have our code available to them," he said. "We have put our crown jewels on public display and inspection so we can find the bugs and fix it."

DIA is holding a DODIIS user and developer meeting this week, where sources said the Java security issue will be a hot topic.

A DIA spokeswoman did not provide any information about the DIA Java applet moratorium in response to questions from FCW.

In a related matter, Telstra, Australia's largest telecommunications company, has forbidden its 1,000 employees hooked up to the World Wide Web from using Java applets because of security concerns.