Is Java safe?

Isn't it strange how computer "revolutions" are often well along before people realize they've begun? It happened with the PC, the Internet, and, now, with Java.
Written by Laura Smith, Contributor

Nearly every business is using Java. By 1999, 92 percent will be using it in mission-critical applications, according to Zona Research in Redwood Shores, Calif. Ninety percent of people are already using Java-enabled browsers, and practically every other page on the Internet hosts at least one Java applet.

But the Java revolution, like most others, doesn't come without risk. Downloading anything into a computer should be cause for alarm, and a handful of vendors are ringing this one loudly.

In the last few months, startups Security-7 and Digitivity have entered the nascent applet-security market, while CyberMedia and McAfee Associates have launched new products. Finjan, the 18-month-old forefather of Java security, is working on its next-generation products, due next year.

How safe is Java? Today, the controversial cross-platform language is mainly used for jazzing up advertising banners on the Web. But it can do much more than that. Mini-applications (or applets) written in Java can automatically and transparently download into a user's PC to take advantage of local processing power.

This means users can get the benefit of new software without actually having to install it. And software developers may be able to charge users only for downloaded applets. Taken to the extreme, Java will enable electronic commerce, allowing companies to transmit purchase and payment applets.

Sun: "Fear not"

For its part, Sun Microsystems's JavaSoft unit, which developed Java, maintains that Java's built-in security is more than adequate.

Java applets travel across a network in a format known as Java byte codes, and are executed by a Java Virtual Machine (JVM) inside Java-enabled browsers. The JVM scans incoming applet byte codes to make sure they correspond with a syntactically correct Java program. This usually means they were produced by a Java compiler.

Making sure the byte codes correspond to valid Java programs guarantees that the applet will be able to access only valid Java functions. Sun, however, has no proof or guarantees that hackers can't or won't create rogue Java code, admits Li Gong, chief security architect for the JavaSoft division at Sun in Mountain View, Calif.
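The verification step described above, as an added illustration that is not JavaSoft's code: a toy verifier in Python over a made-up stack-machine instruction set. It models the checks the passage alludes to, that control flow stays inside the program, that the operand stack never underflows or overflows and has the same depth wherever two paths meet, and that only functions in an allowed table can be invoked. The instruction set, the `ALLOWED_CALLS` table, the `MAX_STACK` limit and the sample programs are all constructed for this example; the real JVM verifier additionally tracks operand types and class-file structure.

```python
"""Toy bytecode verifier (illustration, not the JVM's own verifier).

A program is a list of (opcode, operand) tuples over a hypothetical stack
machine.  verify() abstractly interprets every reachable path and rejects
code whose stack behaviour or control flow is not provably well-formed,
which is the property that lets the host trust the applet to touch only
the functions it is allowed to touch.
"""
from collections import deque

# Hypothetical instruction set: opcode -> (values popped, values pushed).
STACK_EFFECT = {
    "PUSH": (0, 1),   # operand: constant
    "POP": (1, 0),
    "ADD": (2, 1),
    "DUP": (1, 2),
    "JMP": (0, 0),    # operand: absolute target index
    "JZ": (1, 0),     # operand: absolute target index, taken if popped value is 0
    "INVOKE": None,   # operand: function name; effect comes from ALLOWED_CALLS
    "RET": (0, 0),
}

# Constructed table standing in for "valid Java functions" the applet may call:
# name -> (argument count, returns a value?).  Anything else is rejected.
ALLOWED_CALLS = {
    "print": (1, False),
    "length": (1, True),
}

MAX_STACK = 8  # constructed limit on operand-stack depth


class VerifyError(Exception):
    """Raised when the program fails verification."""


def verify(program):
    """Return the stack depth on entry to each instruction, or raise VerifyError.

    Uses a worklist over (pc, depth) pairs so that every reachable path is
    checked and merge points must agree on stack depth.
    """
    n = len(program)
    depth_at = [None] * n            # None = not reached (dead code)
    work = deque([(0, 0)])           # execution starts at pc 0 with an empty stack
    while work:
        pc, depth = work.popleft()
        if not 0 <= pc < n:
            raise VerifyError(f"control reaches {pc}, outside the program")
        if depth_at[pc] is not None:
            if depth_at[pc] != depth:
                raise VerifyError(f"inconsistent stack depth at {pc}")
            continue                 # already verified with this depth
        depth_at[pc] = depth
        op, arg = program[pc]
        if op not in STACK_EFFECT:
            raise VerifyError(f"unknown opcode {op!r} at {pc}")
        if op == "INVOKE":
            if arg not in ALLOWED_CALLS:
                raise VerifyError(f"call to disallowed function {arg!r} at {pc}")
            argc, returns = ALLOWED_CALLS[arg]
            pops, pushes = argc, int(returns)
        else:
            pops, pushes = STACK_EFFECT[op]
        if depth < pops:
            raise VerifyError(f"stack underflow at {pc}")
        new_depth = depth - pops + pushes
        if new_depth > MAX_STACK:
            raise VerifyError(f"stack overflow at {pc}")
        if op == "RET":
            if new_depth != 0:       # toy rule: nothing may be left on the stack
                raise VerifyError(f"RET with {new_depth} values on the stack at {pc}")
            continue                 # no successor
        if op == "JMP":
            work.append((arg, new_depth))
        elif op == "JZ":
            work.append((arg, new_depth))
            work.append((pc + 1, new_depth))
        else:
            work.append((pc + 1, new_depth))
    return depth_at


def check(program):
    """Convenience wrapper: None if the program verifies, else the error text."""
    try:
        verify(program)
    except VerifyError as e:
        return str(e)
    return None


# Constructed sample programs.
GOOD = [("PUSH", 3), ("PUSH", 4), ("ADD", None), ("INVOKE", "print"), ("RET", None)]
UNDERFLOW = [("ADD", None), ("RET", None)]                       # ADD on an empty stack
BAD_JUMP = [("PUSH", 1), ("JZ", 99), ("RET", None)]              # target outside program
INCONSISTENT = [("PUSH", 1), ("JZ", 3), ("PUSH", 7), ("RET", None)]  # depths 0 and 1 meet at pc 3
DISALLOWED = [("PUSH", 1), ("INVOKE", "native_write"), ("RET", None)]

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("UNDERFLOW", UNDERFLOW), ("BAD_JUMP", BAD_JUMP),
                       ("INCONSISTENT", INCONSISTENT), ("DISALLOWED", DISALLOWED)]:
        print(f"{name:13} -> {check(prog) or 'verified'}")
```

The point of the worklist is that a verifier cannot simply scan instructions in order: a jump can bring a different stack shape to the same instruction, and the `INCONSISTENT` sample shows that case being rejected even though each instruction is individually well-formed.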

Even dismissing the hacker threat, a greater concern is the well-intentioned programmer who makes a mistake in code that might be downloaded, especially in an electronic commerce application, says Andrew Herbert, chief technical officer at Digitivity in Los Altos, Calif.

So while Sun doesn't see a theoretical need for third-party security solutions, there may be a psychological, or marketing, need for them.

Worst case scenarios

The security vendors are capitalizing on that need with tales of horror.

"We see the Java market as viruses were four years ago," says Sal Viveros, product marketing manager at McAfee Associates in Santa Clara, Calif. "Hackers like the technology. We expect to see a huge explosion in the number of hostile applets."

A so-called rogue or hostile applet could destroy or corrupt data, copy and leak confidential data, start bogus transactions, slow down a system, attach a time bomb, or steal privileges to set up a trapdoor for a subsequent attack.

And because applets do their work transparently and automatically, a user might not even know what caused the problem.

McAfee has already identified 200 rogue applets, ranging from the annoying "Noisy Bear," which causes a browser to growl incessantly, to the one created by a group called Chaos, which loads itself into a user's Quicken application and automatically transfers money from the user's account into its own.
