You should be operating - at ALL times - as though the entire system is compromised. I'm not saying that it is, of course, but if you don't act like it is then you are likely to let your guard down at some stage. When you get comfortable you get lazy, and when you get lazy you get caught! A great example of this is the use of PGP, or rather the lack thereof. A small number of vendor accounts were compromised today as a result of the vendors logging in to a phishing site that requested their username and passphrase; as a result of this, the person that runs the phishing site can see the addresses of any buyer that did NOT encrypt their address via PGP. That is a very, very scary thought. Libertas