Is the page KGS Issue - Security really appropriate. The title itself insinuates that there is a genuine and real and possibly dangerous security threat within the KGS software.
There is such a threat in any software! Rather than questioning the page about KGS, there should be similar pages for all the other servers and softwares, too. In particular, closed source software violating an operating system's security standards is suspicious. Go-unrelated security experts consistently and strongly recommend never to use any such software, which does not meet the users' needs for security, at all. Dismissing such as paranoia encourages programmers to continue pursuing their instead of the users' needs for security.
Robert Jasiek is correct. Nonetheless, we use closed source software daily. Perhaps we should change the name of the page from KGS Issue - Security to Software Security.
Anyway, have a look at my already old draft of a revision and split into several pages: KGSIssueSecurityTEMP?. Since I cannot do WMEs on SL (they are all torn to pieces because I tend to be one of the original writers), I have hoped for someone else to consider a WME along roughly my proposal. It would put the general aspects on a general page and leave only the KGS-specific aspects on a KGS-specific page.
I think the issues are appropriate. Anyway, I have copied Robert's articles over.
His writings are largely okay, but I don't think the following is accurate.
Java applications run inside an virtual machine, a sandbox specifically designed to control and limit access to the computer. Details are available in the Java Security Architecture documents published by Sun Microsystems.
Java programs can be divided into two main categories: applets and applications. Java programs are compiled to Java bytecode for portability reasons, and hence all compiled Java programs run in a virtual machine that interprets the Java bytecode. Applets are meant to be run in browsers and hence the sandboxing is applied for security reasons. On the other hand, applications are just any ordinary program and can read, modify, and write files, run other programs, open network ports, and so on, as long as these actions are allowed by the permissions in the user account the applications are running in.
Interestingly, a Java .jar file can contain both an applet and an application using the exact same user interface. For KGS, it uses Java Web Start, which is a means of pushing the most updated Java applications to users. Therefore, I don't think the KGS client is sandboxed. In particular, it has a SGF editor, which requires file read and write permissions to work.
Thx for copying! - Those Java comments were written by somebody else; I just did not delete it; I am not a Java expert. Please correct whatever might be wrong! - Unkx80, I guess you embed the new page also by linking from other pages? You should have a better overview than me about where to find the best places for links.
Sure, no problem. I will redo that paragraph later.
By the way, you can created bulleted lists on SL using the '*' character rather than the '-' character. Example:
* one * two * three
Note that the line should start with '*' - no space should precede the '*'.