Look, the answers are excruciatingly simple:

1. Your email should not execute.
2. Your web browser should not be able to run script that can access anything other than content that came from that server, or at the least that domain, and especially not your hard drive. Things like ActiveX are a security nightmare.
3. Your machine should not serve any services to the outside world that it doesn't need to.

It doesn't matter what OS you run; the above are all still true. Do that, and 90% of insecurity goes away. Add buffer overflow protections, and another 5% goes away. Add parameter checking to libraries, good security permissions on file systems and other objects, and things like per-process capability limitations, and another 4% goes away.

If you run a network of unhardened Macs, Linux boxes, FreeBSD or even OpenBSD boxes, you may as well hang up a sign that says "break in please." All of this has been previously dealt with elsewhere, and it isn't that hard to grok. The only reason to criticize the Redmond beast that should not be is points 1-3. The paragraph following it hasn't been implemented anywhere that's widely in use. Things like SELinux and OBSD have attempted some of them and succeeded, but they're not as widely used as they should be.

Worrying about what percentage of machines are hetero vs. homogeneous is a waste of time. Do you run Linux or MacOS X? Did you bother to upgrade OpenSSH last week? No? Is ssh open for anyone on the internet to access? Well then, you're fucked, and you're not even running Windows!

If someone breaks into a Windows 95 machine on your network whose owner has access to files vital to your company's existence, the potential to break into the server is already there. Don't just harden SOME machines and your firewall, harden them all. A simple ActiveX component off some rogue web page is enough to take over a lame little Win9x machine. Example: ever seen WebX? It's like PCAnywhere, or VNC, or TimbukTu, only it works over the web. A user just goes to a web page, and a user at the other end can take over their machine because IE allows such software to run! OK, at least WebX is a commercial product designed to provide tech support, and asks if it's OK to allow it, but if it's technically possible to do it for legitimate reasons, it's technically feasible to do it for rogue reasons too. Worms aren't the only problems out there.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of      /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular    /\|/\
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.    \/|\/
  /|\  :Found to date: 0. Cost of war: $800,000,000,000 USD.           \|/
 + v + : The look on Sadam's face - priceless!
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
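Point 3 of the post above (don't serve anything to the outside world you don't need to) and its "is ssh open for anyone on the internet?" question are the part that is easy to check mechanically on every box, not just the firewall. The following is an added example, not code from the original post: a small POSIX shell audit that reads `ss -lntu`-style output (Linux iproute2) and flags every socket bound to all interfaces, dropping only the ports the operator says are deliberately exposed. The socket table below is constructed for offline use, and the function names `exposed_listeners` and `unexpected_exposure` are my own.

```shell
#!/bin/sh
# Added example: find listening sockets reachable from outside the host.
# A service bound to 127.0.0.1 or ::1 is only reachable locally; one bound to
# 0.0.0.0, [::] or * answers to anyone who can route to the machine.

# Constructed sample in the column layout of `ss -lntu`; not from a real host.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0                0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128              0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128            127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      4096                [::]:3306         [::]:*
tcp   LISTEN 0      100            127.0.0.1:25        0.0.0.0:*'

# exposed_listeners: read ss output on stdin, print "proto port" for every
# socket whose local address is a wildcard (bound to all interfaces).
exposed_listeners() {
    awk 'NR > 1 {
        proto = $1
        laddr = $5
        # The port is everything after the last ":"; the address is the rest.
        # Splitting on ":" keeps IPv6 literals such as [::]:3306 intact.
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*" || addr == "::")
            print proto, port
    }'
}

# unexpected_exposure PORT...: read "proto port" lines on stdin and drop the
# ports given as arguments (the ones you mean to expose). Prints the rest and
# returns 1 if anything was left, so it can gate a hardening script.
unexpected_exposure() {
    allowed=" $* "
    found=0
    while read -r proto port; do
        case "$allowed" in
            *" $port "*) ;;   # intentionally exposed, e.g. sshd on a bastion
            *) echo "UNEXPECTED $proto/$port bound to all interfaces"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone demonstration on the constructed sample, allowing only sshd.
# On a live Linux host the equivalent is:  ss -lntu | exposed_listeners | unexpected_exposure 22
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners | unexpected_exposure 22 \
    || echo "fix: bind the service to loopback, disable it, or firewall it"
```

The check deliberately keys on the bind address rather than on a list of "dangerous" ports: the post's point is that any service you did not mean to offer is exposure, whatever it is. Run it on every machine, including the ones you think don't matter, and feed the allow list from what the box is actually for.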