Tuesday, 09 December 2008

DLP and DRM Mergers

Following on from my comment on Dom's blog, the DLP and DRM mergers are interesting and likely to cause a shakeup in the market place. Gartner have released a commentary on the merger and raise a few interesting points about the RSA / MS integration, but do have a bigger impact the space in general.

In order for DLP to really work and provide a real return for the organisation, you need user buy in, and how do you get user buy in? You need to make what they are buying into as seamless as possible and asking for as little input from them as possible. 95 % of the time it should just happen, but it must be transparent (so there is no fear of big brother) and they must be able to take control.

Data classification is a must for this to work, as far as possible the organisation needs to know what data exists and then who accesses that data and for what purpose. If you know the who and what, all you need to do is configure accordingly. It has been the configure accordingly that was the problem, but just reading the Gartner report and the RSA Sales Bulletin if you can have a product that understands AD Group in terms of access to data and that understands the value of the data, you have closed a number of gaps that existed previously with just a DLP or DRM tool.

Users now have the ability to tighten the controls on the unstructured data that they are working on, but the organisation still has the default safety net behind the scenes. Data classification still becomes the key to the solution though as there is a lot that the organisation's sytems will need to know about data and the people using that data.

The Liquid Machines / McAfee works along much the same principles as above, it is also built on Microsoft's RMS, except that the RSA product will more than likely be more tightly integrated (and hopefully more seamless) into the organisations infrastructure.

Anyways, these are initial observations and I will hopefully be constructing some labs to POC all this and see how close it is to the big picture painted above.

Wednesday, 03 December 2008

Christmas Dinner for 20 @ R30 / head

Last weekend my wife and I had some people around in our new house for supper. We were talking yesterday about we are going to doing for Christmas Eve as we will be hosting it and the wife's family is on the large side. All in all we will be serving about 20 people a 3 course meal.

Doing a roast of any sort starts being expensive, at an average of a 150g of meat person you are looking at at least 3kg. Chances are the roast will bones in it so you are actually looking at 4 or 4.5kgs @ about R100/kg. Plus veg, starters and pudding and you are looking at about R1000 or R50 a head.

We will be doing a starter of roasted beetroot, rocket and feta cheese with a olive oil and balsamic dressing (R5 a head). Mains will be Black Pepper gnocchi with a goats cheese sauce (R15 a head) and pudding will be an Apple Tart Fine (R5 a head). The other R5 a head will be going to chips and dip.

The gnocchi is a version from Mr Locatelli that I have tweaked a bit until the wife declared it the best pasta ever! The Apple Tart Fine is from also tweaked from Mr Ramsay but I have not got it quite right yet, I need to work out how to make the pastry crisper. I may yet, budget depending, upgrade the pudding to Mr Ramsay's Chocolate Fondants. I made them a while ago and got them spot on first time off, not seeing the great difficulty yet.

Sensepost Hacking by Numbers Extended Edition

Last week I attended Sensepost's Cadet and Bootcamp training courses. Cadet is the introductory course and Bootcamp takes it up one notch and really makes the smoke waft out of your ears.

The Sensepost mantra for the training is that is not about the technical ability, but rather the process that one follows to discover potential vulnerabilities in systems and networks. The process that one should follow is basically why, why, why and what next. Question why something is there and then how to exploit the current scenario to get to your next step.

The difficult part for me was knowing what I needed to do next in terms of finding a channel or a user name or password, but it was the actual doing, but that'll come in time and with experience.

I can highly recommend the course, and if fact try and take your manager with you. The instructors stories from assessments that Sensepost has done will get them to take your security budget a bit more seriously.

Also, go on the training because they provide the best food and having the good coffee machine in the training room also doesn't hurt.

Thursday, 20 November 2008

Securing an inherently insecure application?

How does one go about securing an application that is mission critical, continent wide, revenue earning and only designed with basic user access control in mind? That is the task that my team and I are now facing following on from the assessment mentioned in the previous post.

The application uses data files managed by Pervasive SQL for content, process and transaction mapping as well as configuration. The bulk of the users need access to all the files in order to get the functionality from the application in order to do their job and a good portion of those users require write access.

The main problem that we are facing is that the users have too much access, especially by today's standards to the nuts and bolts of the application, but they need that access to access the functionality in the system. Back in the day when a mapped network drive was magic and could be considered the "backend" it may have too much for inquisitive users to handle, but nowadays, even full on database queries are not too much for an inquisitive user to poke at, given access to the right tools.

Setting permissions at a folder level almost impossible, well it is impossible. It is only almost impossible if the users accept not being able to use some functionality. It means that permissions will need to be set a file level - management overhead deluxe!

The removal of tools that allow users to edit data files is a must, but some users require those tools to assist in the support of the application and troubleshooting in country. Did I already mention too much access? Well now we can add too much trust with no trust guaranteeing controls and too much access... A matter of time before there is an incident.

So at the moment the mitigation research is following along the lines of:
  • Kung Fu NTFS Permissions - I can feel the smoke coming out of my brain already
  • Application white listing
  • File version tampering monitoring
  • Support process review
  • Applicability of the application (business is not going to like this one - read the first sentence again)

Friday, 14 November 2008

People, Process and Technology!

I am currently working on a security assessment of one of the large applications in the bank due a series on incidents in the application and it is quite concerning from my side that the technical resources of the system are just looking at the people side of the solution. Different for a change, isn't it?

They are saying that if the users could be trusted, then we wouldn't need to do all this. I find this a change from the usual technical mindset, which is lets throw more technology at the problem. What is also concerning, is that fingers are being pointed to the platform from the business application and vica versa, but when asked for their implementation and configuration guidelines, none exist. Also when asked about the logical access control standards or the backup process, I get a blank stare.

The technology at the moment is not getting off the hook lightly, there are concerns in it. The concerns could have be signficantly reduced if the correct processes and supporting standards were in place.

Little wonder then that the people in the PPT (People Process and Technology) triangle can start manipulating the system? PPT is as important for a solution to be secure as Confidentiality, Integrity and Availability.

Solutions need to developed incorporating two triangles and whilst you can't merge them to make them the hexagon of holistic solution desgin, all the points do need to be taken into account.

Needless to say the Assessment's scope has increased significantly to a holistic review of the Information Security posture of the solution and its environment from a purely technical review.

I am looking forward to the result of the full audit of the environment as I think that it will be the first deliverable of a mature approach to the Information Risk Management approach (as opposed to an IT Security approach) that the department is trying to move towards.

Tuesday, 04 November 2008

NIST: Technical Guide to Information Security Testing and Assessment

NIST have released their Technical Guide to Information Security Testing and Assessment (SP 800-115). The document outlines at a high level what an assessment program should contain and the various facets thereof. It is extremely important for every assessment to include the classic powerpoint extension of any solution, People, Process and Technology (PPT).

The guide is not technical (for techies) but does present a good overview of what a Security Assessment program within an organisation should contain, its general approach and what skills are required by the people within the team. Don't expect job descriptions or list of applications that they must be proficient in...

A good read if you are setting up an Assessment unit within your organisation or if you want to put in place some structure around your existing Security Assessment programme. I will definately be using it to put a bit of structure into my teams assessment process, particularily around the business engagement, planning and the policy environment.

Monday, 27 October 2008

New job!

I have moved into the Information Security Department of my Bank as an Information Security Analyst. Hooray, I can feel my shoulders relaxing already!

Saturday, 13 September 2008

Kloof's proper spelling?


There is a suburb in Durban called Kloof. It is the Afrikaans word for cliff but it is pronounced cloof and not at all like the Afrikaans pronounciation.
In fact a few years ago I stayed with a good friend of mine at his inlaws in Kloof and on a supply run to the local Spar we were calling it by its Afrikaans name and the locals were starting to organise a lynching party.
The wine is quite nice, smooth and refreshing. I picked up some pepper on the nose and a good fruity flavour. Don't quote me on the flavours or the aromas, I usually get the opposite of the labels.

Wednesday, 10 September 2008

Godzilla, Goldy and Anon



Two are named, one pending naming and there is a strong possibility of another assisted de-shelling tonight.


Update (12/09/2008): Godzilla, Goldy, Pop and Le Petite are doing well.

Monday, 08 September 2008

Chiclets, incubators and brooders



Claire's Dad came back from the farm on Monday just in time to help me fire the builder that has destroyed the last 9 months of my life but this is a happy post and the sad post is here.

In the rush to get to the house in time to meet with the ex-builder about 9 Bantam chicken eggs where dropped in Claire's hands and she was told to get the incubator working and put the eggs in as soon as possible as they were loosing temperature due to the effectiveness of the Discovery 3's aircon and a 4 hour drive from the farm.

Claire's panic and worry and general affection and love for all animals won the day and on Monday we got two chics out of their eggs (1 was a caesarian type affair, but it is breathing and alive and so it counts).

We knocked up a brooder (pic) to keep the little things warm and safe from the pride of savage domestic cats and they seem to be doing well.

And no we are not allowed to eat them. Claire is thinking of names for them...

Update (10/09/2008): We now have 3 chiclets. The first born is called Godzilla (my name for it as it rampaged over the other eggs when he hatched), but his real name is Churchill. Number 2 and 3 are as yet unchristened.

The Builder is fired!

Claire and I signed an offer to purchase our house in March last year, in May the owner finally got this tenants (squatters) out the house was transferred into our names. The house after a few years of abuse needed a renovation and Claire needed a studio for her business so we bought it as a fixer upper to get exactly what we wanted in a home. Market conditions as the time saw house prices increasing nearly daily and the entry level houses were getting more and more expensive and needing more and more work. We bought 167 with grand plans, which are still grand, just delayed.

Then we started looking for a builder. Most of the builders I interviewed never bothered to quote, obviously they had too much work and my project was not valuable enough. Of the few who did quote, most thumb sucked a number and said we can do it for that. When I asked for a breakdown of the costs (so I can prioritise) they never came back to me, I am guessing that they didn't really know what they were doing and that were sure that they could make a profit for the amount they wanted to charge.

George Schutte, of Massgro Construction cc, started off great. An itemised quote came in, breaking down all the work on all the parts of the house. It was in detail down to the number of hours needed to dig the foundation trench. Price wasn't bad, bit of quote adjusting and time to check references.

References where great, quality of work was good (not for me), completed on time (not for me) and he done a lot of well known brands (Primi, Newscafe) in SA through S&V Construction. Great stuff, things are looking good. We sign the contract.

Work was scheduled to take 3 months and to start late December just before shutdown. End of March was the date we could move in. Wrong! To cut this short and save my forearms from another breakout of RSI, the main points are bulleted below:
  • He never had materials on site.
  • He never supervised the labourers:
    • windows went in upside down
    • ceilings like a gentle rolling ocean
    • cornices like a roller coaster
    • plaster work like a hail damaged shed
    • poor structural work
    • etc.
  • He never had tools on site.
  • A big team was coming through tomorrow to finish and fix and sort it out x 34325748975 times.
  • He never kept promises.
  • Regularly would not return my calls, for weeks.
  • Hired contractors who where useless. My beautiful wooden doors are scared!
  • Lied about cash flow problems - sent me his suppliers bills to pay.
We eventually offered to help by getting the materials ourself and taking it off the contract price, we supported him through tough times of his mentor drowning, his dad dying and his kids being in involved in the Ashley Callie (Link2) accident.

We did everything on our side, including breaking the cardinal rule and giving him a bit extra cash in front of his progress payment (not to much lost, but enough to piss me off) but George kept breaking promises, his workers doing things wrong and generally setting us back and keeping us living with the Parents-in-Law.

Overall, DO NOT USE George Schutte at Massgro Construction. Sportsman's Warehouse - beware - you may not get your new store. Looking back, I should have seen it coming, but so sue me for trying to believe in the good in all people.

This has not dampened my renovation spirits, but next time I'll back myself to supervise and organise it all myself. Self-reliance and confidence in oneself is a great strength and asset, but man I would so like to say just once: "that if you want something done right, <insert name here> will do it".

Wednesday, 03 September 2008

Paraolympics C*ck up

It is days like today that I really hate (am embarrassed) our country. The South African Sport Confederation and Olympic Committee (SASCOC) have really screwed up. Our Athletes have no kit to train in, no water and no support.

The short of it:
  • Administrators and SASCOC officials fly business class, athletes fly cattle - one or the other no one is more special, although I am pretty sure that the athletes take precedence (forgetting the disabled bit)?
  • The team has no kit - it is only been sent 2 days after the team left SA. The organisers say that the athletes can use their own kit for training, but if you are getting supplied kit why take your own, especially if you where told it would arrive on time.
  • The attitude - When asked for comment about the situation, SASCOC just said that Oscar "the blade runner" Pistorius should have been talking to the media because he signed a contract. What kind of a comment is that? What kind of an attitude is that?
SASCOC must support the athletes and listen to them and ensure that they get what they need to do us proud at the Olympics. I have deliberately said Olympics to cover both the Para and Standard(?) events as SASCOC is about politics and government interfering and providing a vehicle for people to inflate their egos, rack up frequent flyer miles and generally look after their new BMW M3 acquisition strategy as opposed to serving the people that got them employed in the first place.

Read the full article from The Star here.

This leads to another rant of mine: South Africans (less a few) do not know how to put a "customer" first. SA company's don't get it - well there are two that I have come across that get it right (outsurance and equinox). Generally we are all about my problems are your problems and your problems are your problems, but that is enough on this rant for now - otherwise I won't get any work done today.

Monday, 01 September 2008

Coachman's Inn Recycles (the wrong way)

Saturday we had the family around for a farewell lunch for Claire's youngest brother how is off to Switzerland to study something about epigenetics and RNA and a whole lot of other words that I am sure he made up on the spot to tease us.

One of the cousins attempted to work at the Coachman's Inn, a well known and (was) a very good restaurant, as a waiter. He was telling us about the way the restaurant was run and how whilst it looks calm and well run it is indeed like a duck on stormy water (furious paddling below the surface). The waiters are not paid, but only get their tips (which I can agree with), but the establishment takes 15% of their total takings per night (I don't agree with). The way that the waiters are led borders on abusive and apparently the average time a new staff member can endure is about 1 1/2 months.

The restaurant also does not have a head chef and whilst I suppose this is not a hindrance, it does explain why the menu and the specials (come to think about it)have been the same each time I have been there in the last year and a half.

The above, whilst concerning is not at all what really annoys me, or as I like to put it, grates my chicken. The Coachmans is a relative up market place and definitely a place that you take your to be parents-in-law or a potential new significant other to impress them and the last thing you want is to be eating recycled vegetables. The kitchen staff will apparently just move vegetables that have not been eaten from a plate coming back from the floor to a new plate that is going out to the floor. YUCK! I don't want someone else's leftovers. The cousin was saying that any left over spinach or roast potatoes or other veg would be scooped into an outgoing plate. I am paying a substantial amount for my meal and I want my own new cooked veggies!

I will not be going back to Coachmans again, ever.

Monday, 25 August 2008

Lamb Potjie - A winning recipe.

Friday last week my portfolio had a Potjie kos (pot food) competition. A potjie is basically just a stew done on an open fire, or gas when an open fire is not allowed. My potjie, the wife's, won the competition. I am sure that it was the red wine in the pot and the bread that I made on site.

I am note sure why people think that making bread is difficult? It takes a bit of practise to get a hang of the textures and what textures work for what type of bread, but after that bread making is as easy as pie. That said, I have yet to master a ciabatta - any takes to send me a recipe to try?

Ingredients: Potjie (for about 8 people)
  • 4 onions - two chopped and two quartered.
  • 3tbs mixed chopped herbs (fresh (thyme, rosemary, parsley, oregano), dried (Robertson's))
  • Olive oil for frying meat and onions
  • 3 large carrots, chopped
  • 1 large butternut (1/4 chopped into small blocks, about 1cm X 1cm, the rest chopped big).
  • 1/3 - 1/4 of a bottle of red wine (the better the wine the better the potjie)
  • 8pcs braai lamb chops, or 8pcs of lamb neck - I used a mixture of both - (In theory this should work really well for oxtail as well).
  • 2 heads of broccoli
  • 2 tins of tomato and onion mix
  • 2 handfuls of baby potatoes
  • Black pepper
  • Salt
Method: Potjie
  1. Heat up the pot - quite hot, as you need to fry the chopped onions and
  2. Brown the meat.
  3. Put in some olive oil, fry the chopped onions till they start going
  4. translucent.
  5. Put the meat it and brown, add some black pepper and salt.
  6. Put in the potatoes, carrots, small chopped butternut, cans of tomato and onion, mixed herbs and the wine.
  7. Turn down the heat to that the pot is simmering slowly.
  8. Cook for at least an hour, preferably two.
  9. Half an hour from eating time, add the big butternut.
  10. 10 min from eating time add the broccoli
Feel free to look whenever you want to give a few gentle nudges (aka: stirs). I prepared some cous cous to go with the potjie, follow the cooking directions on the packet, but use stock instead of water.

Ingredients: Bread (makes about 8 pieces)
  • 3 cups of cake flour
  • 1 packet dried yeast
  • 3 tbs sugar
  • 1 tsp salt
  • Olive oil
  • About a cup and a half of water - just enough to bring the dough together, make it soft, but not sticky.
  • Mixed herbs and spices (Woolworths make a good mix with coriander, pepper, salt, chilli etc)
Method: Bread
  1. Mix the sugar and the yeast in about 100ml of water.
  2. Put all the flour and salt in a bowl, make a hole in the middle and add the yeasted water.
  3. Get your hands dirty and mix, adding water to get a soft non-sticky consistency. Add more water or flour as required.
  4. When you have the right texture (dough should be soft, but not sticking to the bowl) take it out the bowl and start kneading it for about 10 minutes. You have kneaded it enough when you shape into a ball and poke it with your finger and the dough bounces back.
  5. Drizzle with olive oil, put it back in the bowl, cover and let stand till it doubles (depending on temp, anything from 1/2 hour in hotter temp to an hour and a half in colder).
  6. Turn the bread onto a well oiled baking tray, shape the bread to over the tray. Cover in olive oil. Leave to rise for 1/2 hour.
  7. Cut the bread gently into squares. Sprinkle liberally with spice mix (the salt lover, can add extra salt here) and put onto the braai (BBQ) grid (or hot griddle pan on your gas cooker or hob).
  8. Turn over once a good crust has formed.
  9. The bread is done when you tap it and it sounds hollow.
  10. Serve with butter

Tuesday, 19 August 2008

Beijing Rocks!

I got back from Beijing last yesterday morning from an experience of a lifetime! The trip was just marvellous, everything was just so different that it boggles the brain to even just try and comprehend it all.

China did a really fantastic job, everything works, everything looks great, everyone has such pride about the Games and hosting tourists, it actually makes me a bit embarrassed about our ability to host the 2010 Soccer world cup.

Sportsworld hosted us in Beijing. Clive and his team were awesome hosts and we never knew if there was a panic or not behind the scenes and everything was just great. I took a few photos and I am busy sorting through them all and will start posting them online shortly and will go into more detail of everything that we did.

Thursday, 31 July 2008

Architects - why are there so many and why are we reverse engineering a solution?

IT has a horrendous reputation in the Bank and I don't blame them. We are delivering solutions that do not meet the Bank's needs - cool (best of breed) technology is not a need, but a want. There are 3 teams of architects in the Bank: Enterprise, Solution and Infrastructure.

The Bank wants to make sure that it is the Infrastructure Architects that get to draw up the evaluation criteria. Shouldn't the process start at the Enterprise level and filter down through the project lifecycle?

The process as I see it should be:
a) Identify business need
b) Evaluate and document requirements
c) Engage with the Solution Architects
d) Business, Enterprise and Solution Architecture develop conceptual solution
e) Conceptual solution implementation tender created
f) Choose aligned Technology that meets needs, not infrastructure wants.
g) Build solution

Now, I am not saying that the Infrastructure Architects are not needed, but just that it is funny that they are driving a solution that we will need to do again in a few years and Business will shout again and reduce our performance appraisal score because we are not delivering the right solutions?

Infrastructure and a specialist skill and it is very important, but following a good enterprise architecture and ensuring that Solutions align with that architecture will mean that the job of the Infrastructure team will be made easier.

Wednesday, 30 July 2008

Performance Appraisals lead to mediocrity!

Performance appraisals are a pain. They encourage people to do just what is required of them as it is easy to get the 3 out of 5, but as soon as you reckon that you have done more than the norm and really excelled:
a) the organisation doesn't have an exact definition for the level you are trying to motivate that you are operating at and then it all becomes subjective.
b) no one gets a 5, ever, only the people who really shoot the lights out and that doesn't happen and no we can't tell you what shooting the lights out mean.
c) as the ratee you need to fight for your score, present a body of evidence (I don't really know what that means - should you present a body of your damager's enemy?) and fight in front of a board for what you have been doing and they liked and "encourage" in their employees.

I end up thinking is this worth the effort? If put in the extra effort, work the extra time and take on the additional responsibility and they make me fight like this to be acknowledged formally for it then what the f***! Why bother and then in the next cycle am I going to go to the extra effort?

Or worse, you do really well and are (by a slim chance) recognised and acknowledged but you didn't submit your time sheets in time and we needed to score you down for that. Why bother and then in the next cycle am I going to go to the extra effort?

Hmm, I wonder what Nikon kit I can buy on a mediocre increase and bonus?

Tuesday, 22 July 2008

Weekend of good food

This last weekend I had an awesome time in the kitchen. I have a hankering for making up recipes and experimenting with recipes. The weekend yielded preserved oranges, awesome custard tarts, the worst sushi I have made so far and the best gnocchi that I have made so far.

On Friday afternoon I preserved oranges using a recipe from the book "Preserved". The recipe itself is really simple, but I found that I needed more syrup to properly cover the oranges in my containers. Next time I'll make more and worst comes to worst use it to flavour a pudding at a later date.

I also made a fantastic baked custard tart from scratch. I really must start keeping a proper food journal instead of winging with recipes all the time, when I find something that works, I must write it down!

Thursday, 17 July 2008

I am going to the OLYMPICS!

I am going to Beijing to see the Olympics! I entered a local radio competition for an all expenses trip to see various events and some tourist stuff too!

Claire and I will be watching some rowing, athletics (incl: men's 100m final), beach volleyball and going to the forbidden city, great wall and some markets! I am so happy I almost can't believe it!

Long live Highveld and Coco-Cola!

Friday, 11 July 2008

PIX prize arrives

I got my Canon Ixus 80 IS today from the PIX competition that I won. It is a great looking little device, I got the chocolate colour, but it is so limiting compared to the D80!

It takes really good pictures, but I can't take command like on the D80 and I end up feeling frustated. I know that it is not a "pro" camera and I guess that I am used to the Nikon. I will concede that it does take some macro pics. I am lacking a macro lens for the D80 and the Canon will be my macro tool for a while.

Monday, 07 July 2008

PIX Magazine Competition Winner = Forrester


I won! I entered a photo competition run by PIX Magazine with the above photo and I have won a Canon Ixus 80 IS. The theme of the competition was Abstract. I took this photo just a few days after I got my Nikon D80 and I was fiddling with the settings and in this photo's case, the manual focus.

I am most chuffed, am off to go buy a copy of the magazine and see my name in print. In fact two copies, my Gran is going to love seeing my name in print.

Popcorn Flavoured Jelly Beans

On Friday night Claire and I went to go watch Hancock at the Monte Casino and this provided several interesting things...
  1. Numetro's online ticketing system doubled book the same set of seats about 6 times and this has proved the small indian mom protecting her kids is in deed stronger and more dangerous than the 7ft body builder trying to impress this mates.
  2. Hancock was a great movie. We really enjoyed it.
  3. Popcorn flavoured jelly beans (buttered popcorn on top of it) are disgusting! Full stop. End of argument.

Thursday, 03 July 2008

ISG Africa July meeting

I attended a very good get together of the ISG Africa Security forum today, the topics were around PCI DSS, PPI (Protection of Private Information) Bill, XSS and Client side web application security.

The PPI was the most interesting for me as it has MAMMOTH implications for anyone storing and using any information on anyone (natural or juristic). "Use" is defined in much the same way as the iron as can be said to have a high iron content, ie: is all pervasive by design.

I'll type up my notes and post them tomorrow, in the mean time think about this scenario post enactment: An organisation (irrespective of size) must be able to tell a customer where they got the customer's information, what they have used it for and who had access to it and when they are finished using it for its intended purpose, it must be destroyed.

Wednesday, 02 July 2008

Biometrics ISO Standard released for use in the Financial Industry

The International Organization for Standardization (ISO) has established a standard security framework, ISO 19092:2008, for the use of biometric authentication of individuals in the financial services industry.

This will be interesting to keep an eye on, especially the adoption of the standard by Banks on customer facing systems.

FNB used to offer a digitag with its internet banking, but stopped the issuing the device as the take up was so poor. I personally though it was a great implementation of a second factor authentication. SA Banks seem to have settle on a one time pin delivered via SMS to your cellphone for that added layer of security, but sim swaps and the like for me only make it a half an extra factor.

People just don't seem that keen for the hassle of keeping themselves secure.

More info here.