A Handful of Security Tips

As much as we’d like to be comprehensive here, we won’t be. We can’t. Nobody can. The nature of security is that it’s always incomplete. As elusive as it is, 100% uptime is much easier to achieve than 100% security. The goal of this chapter, however, is to point you in some directions that will help you get as far above 99% secure as possible.

Having a secure site has a lot to do with not making any stupid little mistakes. A friend of ours once made the mistake of running an FTP session from a remote shell account provider to a local corporate site to get his .cshrc file, while under contract to a national ISP. Just that single occasion of grabbing a file turned into a situation where one of my accounts was compromised, using my password, and used to run an eggdrop[59] server. Those five seconds of indiscretion cost many hours of work by several people who had to pull the machine out of production, re-install the OS and all software, and put it back into production.

Assume all your unencrypted keystrokes are already in the hands of hackers. If that makes you feel uncomfortable, it ought to. Strong encryption hasn’t propagated to all common applications, let alone all uncommon applications, yet. The best you can do sometimes is assume that you will be periodically compromised and take effective, routine protective measures.

Tripwire

A good example of one of those measures would be to run Tripwire. Tripwire, a host filesystem monitoring utility originally ...
