DOJ briefs managers about Web-based 'malicious' code

Top Justice Department information managers last week briefed technical personnel within the department on plans to curb the use of World Wide Web-based software that the agency fears may harbor "malicious" computer code.

The software, known as "mobile code," includes Sun Microsystems Inc.'s Java and Microsoft Corp.'s ActiveX controls. The programs run small applications called "applets," which might take the form of animation when a user connects to certain Web pages.

"We have concerns about mobile code, and there are some legitimate problems associated with mobile code," said Linda Burek, acting deputy chief information officer for DOJ.

Members of the computer security industry have reported that mobile code could be manipulated to carry malicious computer code that could steal information from a computer's files or disable the system. But Sun and Microsoft officials downplayed the concern.

Regardless, Burek said agency officials are instructing computer specialists within DOJ to make sure their computers do not run Java. She said the department is upgrading to the latest version of the Netscape Communications Corp.'s Navigator Web browser, which allows users to disable Java, and the department will set the browsers to a default setting that will disable Java. If a computer user at DOJ accesses a trusted Web site where Java is needed to navigate the site, the user can then enable Java, she said. DOJ employees need to "make a conscious effort to access a specific site," Burek said.

However, DOJ essentially has prohibited the use of ActiveX, Burek said. "We feel very uncomfortable with [ActiveX's security safeguards], and we have basically banned ActiveX," she said. Responsibility for tackling ActiveX has largely been passed on to DOJ's bureaus, Burek said.

S.D. "Chaz" Chastain, federal sales manager for Sun's criminal justice operation, hailed DOJ's decision to allow its employees access to Java but said Java has a built-in security mechanism.

DOJ officials "thought a malicious applet could be brought down unintentionally," Chastain said. However, Java works in a confined area on a computer - in something Sun calls a "sandbox," which prevents the Java code from seeping into sensitive areas of computer systems, according to Chastain. "It can't get to your files," he said.

Microsoft spokesman Keith Hodson also said ActiveX has built-in security features. He said ActiveX code includes a digital security signature that lets users know if code has been tampered with. "Fundamentally, we give an administrator the ability to choose what code they want to trust," he said.

Hodson said the digital signature serves much like shrink-wrap plastic on store-bought software: Users can view the signature to tell if the software has been tampered with before they use it.