I've lost count of the number of popular, popularly-used, and high-visibility web sites and web-based network facilities that have been successfully hacked since, say, 9-11. There must be tens of thousands. You have targets of opportunity - e.g., credit card processors and banks, high value targets to terrorists and political nemeses - e.g., military and defense contractors, business targets - e.g., a competitor's trade secrets, and targets that offend somebody's sensibilities or social obsessions - e.g., ASPD or, some of you will recall, Ogrish, which carried beheading videos and Abu Ghraib photos a few years ago. It's so common that Congress and most of the states have passed "computer fraud and abuse" laws with stiff prison time, fines, forfeitures, and civil damages to vindicate and compensate proprietors of information technology harmed by a perp's unauthorized access. The economic costs have grown exponentially, to the point that insurance companies don't want to cover them in, say, your general business property damage policy. It's a wonder, a miracle, that all the largest global financial institutions, the IRS and the Social Security Administration haven't been totally plundered by hackers. Governments and the largest corporations can spend whatever it takes to keep their web-based networks relatively secure. But everybody else is whistling past the graveyard. Hackers who want in badly enough will get in. Someone among them already knows what you did to secure your web site and your server before you did it. It's just a matter of underworld networking + trial-and-error. If the users of a facility like ASPD wanted it walled off like it were, say, Exxon, sure, it's do-able. But would anybody come? Therein, I think, lies the dilemma.