In any case, there is no way of assurance that encrypted mods are secure. So, even if you are to try to pin-point a bug or a hack bubble in a mod, you must go through the vendor. Honestly, I can't see a vendor acknowledging an exploit in their code. Sometimes the old ways are the best, write your code if you can and use whatever security measure you think would protect you.. the old tag stripping in php still works like magic. I'm afraid 777 in itself is the weakest link, there's noway it can be see more substituted, and I can tell you now, there is not one Social Network script that doesnt require changing permissions on files. The solution is not substituting permissions, rather, in defining and limiting interactivity between user/visitor and server. Example, a code that takes the crap out of the hackers' input and renders it useless.