I've been on the road for much of the last week and had little Internet access (hence not blogging).

I came across a case of pure security theatre at a conference whereby their access control was meant to restrict access to those who knew the username and password - unfortunately they'd only implemented the access control for http and therefore https worked quite happily without the need to authenticate!