I don’t run firewall or antivirus software on my personal computer. And the operating system there isn’t Mac OS. And I work logged on as the Administrator.
The reason is simple. I want to know if the intruders out there will outsmart me – by coming up with a new kind of remote exploit (I don’t run unnecessary services on the Internel interfaces); by making me double-click on an email attachment; or by making me go to a Web site that has a picture containing binary virus payload. Or maybe they will come up with a totally new technique (like I did with exploiting implicit trust using wireless access point)? I do my housekeeping: apply updates, disable unnecessary services and configure others securely, and only access trusted content. I think I’m up to the challenge.
I don’t suggest anyone to follow my example. In fact, I recommend using both firewall and antivirus/antispyware software. But I think that traditional network-based, remote exploit type of attacks will die off, and traditional virii soon after.