Information Security News mailing list archives

DOD weighs JavaScript ban


From: William Knowles <erehwon () KIZMIAZ DIS ORG>
Date: Tue, 23 Nov 1999 21:24:51 -0800

http://www.zdnet.com/zdnn/stories/news/0,4586,2398182,00.html?chkpt=zdnntop

(ZDNet News) [11.22.99] The Department of Defense is considering
banning all JavaScript and other mobile code from military Web sites
because the tools could pose a security risk to its computer systems.

JavaScript and Microsoft's (Nasdaq:MSFT) ActiveX have been flagged
because hackers are increasingly breaking into DOD systems, and
department officials fear that mobile code is serving as an easy
gateway for them to enter military networks, sources said. The tools
are widely used by Web site developers to add animation and
interactivity to Web pages.

DOD spokeswoman Susan Hanson confirmed there have been discussions
within the DOD about the future use of mobile code. She would not
confirm that the department is talking about banning mobile code, but
a high-level government source said it is common knowledge that the
department's deputy chief information officer, Marvin Langston, is
considering eliminating the use of the code within department Web
pages.

Langston was traveling and unavailable for comment.

Stealthy programs

The security threat posed by the codes has been discussed within both
the DOD and the Department of Justice since early this year. Many are
concerned that the codes can carry malicious programs that
surreptitiously launch from a user's browser.

"I think it's wise to be worried about mobile code security issues,"
said Edward Felten, director of the Secure Internet Programming Lab at
Princeton University. "Right now, there is no mobile code [safe]
enough for high-security uses."

The Sun-Netscape Alliance, which markets JavaScript, and Microsoft,
which developed ActiveX, were not immediately available for comment.

But without the popular code, Web sites become largely passive and
unable to deliver the most basic interactivity. Dave Plummer, a vice
president for Internet and Java at the GartnerGroup consulting firm,
noted that without any mobile code capabilities, DOD Web sites would
become much more static than standard corporate Web sites.

"Your sites will end up being less competitive overnight," Plummer
said, adding that a complete ban on all mobile script capabilities
could lead to a Web presence that does not permit online chats or the
filling out and sending of online forms.

According to a high-level DOD official, the department has more than
2,500 primary Web sites, including one for the U.S. Army and another
for the Defense Contract Audit Agency, and hundreds of servers to host
the Web sites. It hosts the largest network of Web pages in the
federal government.

In April alone, according to statistics, the DOD's primary Web sites
were accessed 5.4 million times by 422,000 unique visitors, who
received 365,000 megabytes of data.

Security headaches

Security has long been a headache for the DOD as it has inched its way
into the online world. The department houses and protects extremely
classified and potentially volatile information on its computer
networks. Keeping hackers away from classified information has been a
prominent concern within the department.

"These guys [in the DOD] are extremely nervous about allowing ActiveX
and JavaScript," said Ron Moritz, chief technology officer at Finjan
Software, a security software firm. "They are getting hit
consistently."

Many companies, he said, do have policies of some sort toward mobile
code. Some companies, for example, will order employees not to open
e-mail attachments.

Moritz said that in 1998, 20 percent to 30 percent of companies banned
ActiveX and JavaScript. But that percentage is dropping because so
many of the functions offered on Web pages now depend upon mobile
code.

"Take a Wall Street firm," Moritz said. "There are undoubtedly a
number of folks who need to use the EDGAR database, and that uses
JavaScript, so it's mobile code that drives the service. One year ago,
you would find many corporations with their finger in the dike, but
now companies are finding they have to allow JavaScript and ActiveX.
JavaScript is on 80 percent of sites. You can't deliver to the desktop
browsers that have these services disabled because there are just too
many sites that use this."

News of Langston's proposal caused immediate ire on an internal DOD
listserv. One poster called the idea a perfect case of "throwing out
the baby with the bathwater." Another asked: "So now we're not going
to use the Web?"


==
Some day, on the corporate balance sheet, there will be
an entry which reads, "Information"; for in most cases
the information is more valuable than the hardware which
processes it. -- Adm. Grace Murray Hopper, USN Ret.
==
http://www.dis.org/erehwon/

ISN is sponsored by Security-Focus.COM
