When using any Internet program, PC users must be careful about their own Internet security. This page suggests some methods related to software connecting you to online go servers.
A Java program can be written either as an applet or an application. Java applets are designed for browsers, and by default they are sandboxed for security reasons. In other words, they have no or limited access to other parts of the computer system, such as file reading and writing and execution of other programs. On the other hand, Java applications are not sandboxed, and can perform whatever actions are allowed by the effective permissions of the user account, just like other native applications. Note that the Java Web Start technology allows applications to be started from the browser, but users will need to explicitly accept the installation of such applications via a dialog box.
Native applications have access to much of the computer. Their access is limited, if at all, by the measures taken by the programmer of the application, the designers of the operating system, as well as the permissions set by the user. Threats include, but are not limited to, trojans, spyware, spambots and other forms of malware.
Unless one is a security expert and knows how to do better, using a personal firewall for one's PC should be considered mandatory. There is no general advice because every PC, environment, and user demands a different solution. The simplest (but comparatively weak) solution would be using the operating system's default inbound firewall. An intermediate solution on the application level configures the specific program's paths for local IP addresses, remote IP addresses, and ports. Alternatively or additionally, one can configure firewall rules at the packet level. Good personal firewall software furthermore allows the setting of rules for (mostly prohibited) communications (indirect access and process talk) between different programs so that malware may not abuse the go client related processes.
Do not connect to the Internet when logged in to your PC as an administrator! Under Windows, log in as a standard user. If necessary, create such a standard user account.
More sophisticated is the creation of yet another standard user, call it "InternetUser", that is always and only used when going online. Protect your private folders by changing their access rights. Right click a folder, say "Private", and choose "Security". Edit the users and their rights (and let subfolders inherit the rights): e.g., for that folder, delete the user "InternetUser" and delete all generic entries for standard users (this might be something like "Authenticated Users" and "Domain\Users"). Be careful to leave some user(s) with access to and ownership of the folder, e.g., SYSTEM, all "Administrators", and the specific user standing for your administrator account, say, "Domain\AdminName". Now the effect will be: log in as "InternetUser", open some program, and it may not access "Private"! (You should also know how to revert changed rights if the easier and obvious methods fail: in the folder's context menu, under Vista choose "Security | Advanced | Permissions | Edit | (enter UAC password, if necessary) | Add | Advanced | Find Now" and you get to see any user handle you might otherwise be missing. Under earlier Windows versions, it may be slightly different.) With the command line tool icacls, you can also inspect the currently assigned rights and valid users of every particular folder or file.
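The following check is an added example, not part of the original page: it parses the text printed by `icacls` for the "Private" folder and reports whether "InternetUser" or a generic group still holds an allow entry and whether SYSTEM and Administrators keep full control. The folder path, the sample output and the helper names are constructed for illustration, and the handling of a `(DENY)` marker is an assumption about the icacls listing format.

```python
import re

# Constructed sample of `icacls "C:\Users\AdminName\Private"` output (not from the page).
PATH = r"C:\Users\AdminName\Private"
SAMPLE = r"""C:\Users\AdminName\Private NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           PC\InternetUser:(OI)(CI)(RX)
                           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""
# Principals the page says to delete from the folder, and ones it says to keep.
UNTRUSTED = {"internetuser", "authenticated users", "users"}
REQUIRED = {"system", "administrators"}

FLAGS = {"OI", "CI", "IO", "NP", "I"}   # inheritance markers, not rights
ACE = re.compile(r"^(?P<who>.+?):(?P<parens>(?:\([^()]*\))+)$")

def parse_icacls(output, path):
    """Return [(principal, rights, is_deny)] for one path's icacls listing."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):        # the first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:                        # blank line or the "Successfully processed" summary
            continue
        tokens = re.findall(r"\(([^()]*)\)", m["parens"])
        rights = {r for t in tokens if t not in FLAGS | {"DENY"} for r in t.split(",")}
        aces.append((m["who"], rights, "DENY" in tokens))
    return aces

def short(who):
    """Compare on the account name only, ignoring the domain or machine prefix."""
    return who.split("\\")[-1].lower()

def audit(output, path, untrusted=UNTRUSTED, required=REQUIRED):
    """Report untrusted principals with an allow ACE and required ones lacking F."""
    aces = parse_icacls(output, path)
    findings = [f"REMOVE {who}: still granted {','.join(sorted(rights))}"
                for who, rights, deny in aces
                if not deny and rights - {"N"} and short(who) in untrusted]
    holders = {short(who) for who, rights, deny in aces if not deny and "F" in rights}
    findings += [f"MISSING full control for {r}" for r in sorted(required - holders)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, PATH)) or "ACL matches the intended setup")
```

An entry marked `(I)` is inherited from the parent folder, so it stays in the listing until inheritance is disabled on the folder itself.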
There are VM-ware solutions or sandbox software, but security experts have doubts about them because malware can break out of or even abuse such software. In principle, Windows Vista allows the PC user to specify Integrity Levels; Internet software should get the level Low and thereby be prohibited from accessing one's private folders and data, which are stored at Medium level.
There are tools for logging file actions. E.g., for Windows there is the tool Process Explorer. With it, you can select a process and view details in the lower pane. Inspect the type File: there, the directories to which a particular process has had access are listed. Besides the program directories, you may find the directory to which an SGF is stored or from which an SGF is read. However, if you should see other private directories in the list, you should wonder whether the program might be spyware. Such behaviour has not been reported so far, but simply trusting each game client is somewhat unreasonable in the long run. We all want secure software; so if everybody occasionally watches a little, we are protecting ourselves against bugs, intentional spying, or malware attacks on supposedly harmless software like a go client and its interaction with Java.
(Please provide specific contents for MacOS X, FreeBSD, Linux, or other operating systems!)