Death, Taxes and Botnets
By Davey Winder in Editorial
Posted in Blog, Spam, Security, email, Internet on
If Benjamin Franklin were alive today I’m pretty sure he would amend his famous “…in this world nothing is certain but death and taxes” line to include botnets. Every single day, some 150 billion spam messages are distributed by botnets and, like death and taxes, no matter how hard we try nothing seems to be able to prevent botnet growth. Well, almost nothing.
With botnets now being responsible for some 88% of all global spam by volume, and the computers of those unsuspecting folk which contribute to the botnet collectives being at risk of an assortment of auxiliary security and privacy compromises, something has to be done. That much is obvious. According to the latest Symantec MessageLabs Intelligence Report, that something has been the closure of hosting outfits that it describes as ‘rogue Internet Service Providers’ such as McColo, PriceWert and Real Host. These closures came after a four month investigation by the Washington Post which forced the suppliers of their connectivity to take action.
At the time of the McColo takedown, late in 2008, the impact was felt almost immediately. IT Pro reported how during the first 12 hours following the pulling of the plug, spam volumes dropped by as much as 70%, and how those spam volumes remained low for a few weeks. However, within a month security researchers were seeing a steady climb in spam activity as the botnets found new homes for their command and control centres. By the start of this year, Mega-D had come back from the dead and was responsible for around half of all the spam flowing through security honeypots. Other botnet brands, if you can call them that, such as Cutwail and Srizbi have also hit that 50% figure at their peak.
But, as the new Symantec MessageLabs report reveals, botnet trends come and go like the seasons. Srizbi has vanished from the spamming scene entirely it would appear, and Mega-D has been shrinking in size so rapidly that it is now only one tenth as big as it was in June in terms of compromised computers. That does not mean that Mega-D is no longer a player, of course; in fact it is putting the bots it does have left to work at a far harder pace and is churning out spam at a rate per minute that can only be beaten by a relative newcomer called Bobax. Depending on your point of view, Bobax either sounds like a cuddly teddy bear or a nasty disease. I favour the latter, especially when the spam output per compromised computer is claimed to be the highest that MessageLabs has ever seen. Currently, Bobax is responsible for some 15.7% of all global spam by volume. That still falls short of another new name, Grum, which is apparently churning out 23% of global spam right now, having ramped up the output per bot significantly since the summer.
The largest botnet if measured by the number of compromised computers under its direct control would have to be Rustock, claiming anything up to 1.9 such PCs. In sheer botnet size terms it has grown to double what it was at the start of the summer. Yet in terms of actual spam output it is struggling against the competition. Researchers insist that what sets Rustock apart from the rest is the ‘highly automated cycle of spamming activity’ it displays, with spam output accelerating from 8am (GMT) and peaking at noon. The newest of the major botnets to watch is Maazben, a casino only spammer at the moment but one which is growing at a rapid rate (up from 0.5% of global spam to 1.4% in just a few weeks) recently without increasing the spam output. This suggests it could be getting ready for a move into other spamming markets soon.
“Over the past year, we have seen a number of ISPs taken offline for hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”
Faster, British broadband pussycat, faster!
By Davey Winder in Editorial
Posted in broadband, Blog, Internet on
Is the news that some 7.5 million users of broadband in the UK are disappointed with the service provided by their ISP surprising? Yes, to be fair I thought more people would be right royally cheesed off, a lot more in fact.
The Broadbandchoices survey of more than 4000 users revealed that 47.3% felt the ISP they contracted with had simply not lived up to the promises made for the service they used. Working on the latest estimates of 63% of the 25,751,000 households in the UK which have broadband access gives us 16,223,130 households and 47.3% of that is 7,673,540. Perhaps the most surprising figure here is that this leaves 8,549,590 households which are, by implication, quite happy with their broadband service thank you very much. All I can say is that either they commute to South Korea or Japan and therefore have access to some truly fast broadband or, more realistically, their expectations are set far too low in the first place.
Look, I happen to be with one of the true good guys of the ISP business (Zen, take a bow, you deserve the blatant plug) and while I cannot, like 34% of folk in that survey, complain about the reliability of the service my ISP provides I sure as hell can join the 30% who are disappointed with the speed of connection. Sure, my rural working retreat has seen connectivity improved beyond recognition over the last few years. No longer am I stuck on the broadband hard shoulder where my download speed was slower than most people’s upload rate, and I am grateful that I can average anything between 3Mbps and 5Mbps on a good day, with a following wind and all fingers crossed. Grateful, but not satisfied. I want more, a lot more. I don’t even just want a 20Mbps connection, I want 60Mbps as a stop-gap until something really fast comes along - and I want it yesterday.
I admit, I’m not sure what I would actually do with it. Indeed, most of the things that superfast broadband promises to deliver I have already. Movies I get via my Sky HD box or LoveFilm or the big shelf of Blu-ray discs over by the telly. Television programmes I get, funnily enough, on the television set which is quite good at that kind of thing. I avoid video-conferencing as much as possible and have done for years, so I don’t want anything that makes the experience easier or better as it reduces the excuses not to talk to people. Occasionally I do need to squirt a big file around, and it would be nice to speed that process up a tad but still not exactly a life changing moment dontcha know.
Yet I still want faster broadband and I’m still disappointed I do not yet have it.
Michael Phillips, product director at Broadbandchoices, does not think I am alone, commenting “the main reason for dissatisfaction is overwhelmingly because of broadband speed, demonstrating that ISPs are still falling short when it comes to meeting their customers’ expectations after advertising unattainable headline speeds in the media.”
Happy Birthday Google, or is it?
By Davey Winder in Editorial
Posted in Search, Blog, Google, Internet on
Is Google really 11 years old? Is it really that long ago that we all used AltaVista and couldn’t imagine anyone doing search better than that? The answer to both questions is yes, possibly.
Happy 11th birthday Google. Well at least I think that’s right. Maybe.
To celebrate, Google has a special logo of course. No UFO inspired nonsense to get the conspiracy theorists conspiring, just a rather clever use of a double ‘l’ to represent the number 11 instead. Nice. I actually prefer this one to the 10th birthday effort which seemed a bit forced, although the cupcake for the first o was inspired, replacing the e with an 0 just didn’t work on anything but a surrealist level.
The odd thing is, of course, that the 10th birthday logo did not appear on the 27th September 2008, but instead celebrations started on the 2nd. I’m a little confused as to why that might be, especially as the Google domain name was registered on the 15th September while company incorporation papers were submitted on the 4th. If anyone has a clue as to how Google picks a birthday date, please do let me know.
Actual date aside, Google was definitely launched upon the world in 1998 and this got me to remembering what I was doing PG: pre-Google. Well, I was doing the same as everyone else who was online at the time, and that was thinking that AltaVista was the dogs doo-dahs. Nobody expected the Google upstart, despite the wonderfully minimalist interface, to be anything other than a minor distraction in the world of search back in 1998. If you were not using AltaVista, and I’d have to ask why not as it really did rock back then, you were probably searching courtesy of some other long forgotten by most engine with names like Magellan, Excite, Infoseek, Lycos, HotBot or even Yahoo! OK, the latter has not been forgotten although it did go through a period when most of us would have been happy to forget it, truth be told. Oddly, back in 1997, Microsoft wasn’t really considered a search player although the launch of MSN Search around the same time as Google if my memory serves me well did start to change all that.
Now, and I’ll admit it, I cannot imagine using anything other than Google as my primary search weapon. It’s always primed and ready to fire, generally hits the target without too much collateral damage, and I don’t need to read an instruction manual before I pull the trigger. Happy Birthday Google - I wonder if you will still be king of search in another 11 years, or whether you will just be remembered as the new AltaVista?
Inflated expectations in the security cloud
By Davey Winder in Editorial
Posted in Cloud, Business, Data Protection, Blog, Security on
I don’t think that anyone with an eye on the future could seriously dismiss ‘the cloud’ as not being right up there as far as game-changing business technologies go. However, that doesn’t mean that the services are not suffering at the hands of over-exposure and hype right now.
IT powerhouses have, it would seem, been happy to jump aboard the cloud hype bandwagon in what some have described as being an all puff and no trousers move.
While I would not dream of suggesting for one moment that cloud-based security services do not have the potential to be really important players as far as the next few years are concerned, I would have to agree with the Gartner overview that they have yet to deliver on customer expectation. I’m thinking in terms of delivering managed firewalls to the enterprise, distributed denial of service protection services and antivirus for example.
According to the latest Security Related Hype Cycles report, in the cloud security services have hit an inflated expectations peak this year. Ray Wagner, a Managing VP at Gartner, explains that in the cloud security services made the top of the list courtesy of a combination of limited successful implementations coupled with unrealistic expectations. “Cloud security providers must deliver on customer expectations for the effectiveness, scalability and cost savings of performing security filtering in the cloud or as a service” Wagner says, concluding that “the small or midsize business is an appealing initial market for these delivery models at lower price points, and we expect that the technology will become mainstream within two to five years”.
Why should anyone care about whether cloud security is on this list? Well, looking back it would appear that those technologies that do rise to a ‘peak of inflated expectations’ level on the hype cycle list tend to pretty soon end up reaching a tipping point whereby they are left on the wrong side of that hype peak, and users are left disillusioned with the technology.
In other words, maybe it is time to stop with all the ‘next big thing’ hyperbole from the cloud service providers and instead time to start giving the technology a chance to talk for itself. Do that and corporate users might just discover that there actually is something to be said for consolidating premises-based security into a cloud-based delivery model after all. Surely the cloud has, by now, gone past the ‘too early in the development cycle to be worth evaluating’ stage even if it has not, at least when we are talking security services, reached a stage of maturity where it can be said to be capable of delivering competitive advantage.
As my late father used to say “don’t jump in with both feet unless you’ve measured the water depth first” and, as usual, he wasn’t wrong.
The £2.61 billion online robbery
By Davey Winder in Editorial
Posted in Blog, phishing, Spyware, Spam, Security, Internet on
With some 12% of the UK population falling victim to online fraud within the last 12 months alone, I guess it should come as no surprise that as far as the online version goes crime does pay. The extent to which it pays, of course, is another thing altogether. New research from YouGov and VeriSign (commissioned to launch the VeriSign UK Fraud Index) suggests that the average cost per victim of online ID fraud is £463. If you are one of those who have been mugged in this manner, I feel for you - unless you have acted like some greedy village idiot in which case consider it an expensive but effective lesson in trust.
Truth be told, less than £500 per person on average doesn’t sound too frightening. I imagine that, like the three people I randomly asked about the survey this morning, you thought that victims of Nigerian 419 and Canadian Lottery scams got fleeced for thousands at a pop. But remember these are averages we are talking about, and quite apart from the highs and lows of such math, you also need to take into account the huge numbers of people concerned. Multiply the average by millions, because that’s what we are talking about here, and the figures start to get very worrying indeed.
The survey shows that in the last 12 months some £2.61 billion was stolen online from UK consumers. This despite 82% of them claiming to only buy from sites with enhanced security settings. Obviously they are not doing enough checking, and not applying enough common sense to avoid being defrauded though.
It also reveals that only 5% of 18-24 year olds have been defrauded, suggesting that younger folk are not only more street-wise but also more web-wise. People aged 45-54, however, are defrauded the most with some 14% claiming to have fallen victim to online ID fraud.
Looked at from a geographical perspective, it is Londoners who are most careless when it comes to buying stuff online with 18% of them saying they just don’t bother checking site security settings before purchasing. That compares to just 9% in Northern Ireland, for example, which ranks as the safest. Welsh folk are the biggest victims of online fraud, however, with some 20% stating that they had experienced ID fraud in the last year, while only 8% of Scots said the same.
“Research reveals that there isn’t a relationship between the number of people who check a website’s security and those who have been scammed” Martin Mackay, VeriSign’s vice president of EMEA reckons. “There are still too many out there who simply don’t know the danger signs to look for when buying online. We’re committed to measuring fraud in the UK to raise awareness of this issue, and promise to educate the public with regular campaigns on what they should be looking for before buying online.”
Bouncing spam rises by 2000 percent
By Davey Winder in Editorial
Posted in Blog, Spam, email on
When you send an email to an address that doesn’t exist or to a server that is having trouble delivering it, you get a Non-Delivery Report back. Spammers have been exploiting these bounce messages for a while now, as a way to get around spam-filtering measures. However, last month saw NDR spam hit an all time high with 20% of all spam messages using the trick. That’s a rise, according to security specialists PandaLabs, of no less than 2000% when compared to the number of different NDR spam samples seen between January and June this year.
It is a clever technique, and obviously one that works or the spammers wouldn’t waste their time and money exploiting it. The point being that the bounce messages themselves are more often than not genuine, with the server function being exploited to distribute the spam (sent as an attachment to the bounce notice) using the sender’s real name.
Now I know I have upset readers in the past by calling them morons for clicking on spam links in email, but this time I will let you off as it’s a rather different kind of spam trickery being employed. Go on, admit it, curiosity often gets the better of you when you get a bounce message and you open the thing to see who it was you sent mail to that has not arrived. Right? Even if you have not sent that mail in the first place, and don’t recognise the email address. Indeed, the fact that you don’t recognise the address plays in the spammer’s favour making the recipient even more likely to take a sneaky peek.
According to Luis Corrons, technical director of PandaLabs, “there is presently no consensus on whether NDRs are a technique to evade anti-spam filters or a collateral effect of dictionary attacks; either way, this technique is now among the most widely used. These waves of spam are usually generated through botnets (infected PCs controlled by attackers to launch spam, etc.). Since most NDRs are legitimate emails and part of the mail server functionality, many traditional anti-spam techniques did not detect or block them up until now”.
Battle of the Apps: Android v Apple
By Davey Winder in Editorial
Posted in Blog, Mobile Phones, Google, Apple on
When it comes to smartphone technology, fans of both the Apple iPhone and Google’s Android-based handsets are pretty vocal to say the least. I am on dodgy ground to even contemplate suggesting that one is better than the other, so I thought I might let the applications do the talking. Well, the respective App Store and Android Market numbers at any rate.
There’s no doubting that Android is growing fast when it comes to the applications side of things, with figures from Android app experts Androlib suggesting that the Android Market (the equivalent of the iPhone App Store) has grown by something in the region of 440% in just four months. Indeed, sources suggest that there are now between 9,000 and 10,000 applications available for download from the Android Market.
Pretty impressive stuff. Until you look at the iPhone App Store numbers that is. A couple of months ago Apple announced it had hit the 1.5 billion downloaded apps target, with some half a billion of them happening in the preceding quarter alone. Indeed, Apple reckons that only 2% of iPhone users have NOT downloaded an application from the App Store. On average, we are told, iPhone users will spend USD $80 on applications. In terms of choice, well the iPhone really is short circuiting the Android right now, with a staggering 65,000 plus applications available to download from the App Store. A number which would be even more impressive were it not for the strange Apple habit of rejecting perfectly acceptable applications on somewhat dodgy grounds. My particular favourite being putting the blame squarely on the shoulders of Adolf Hitler.
Can the Android catch up? Or perhaps the question should be does it want to? Some industry commentators are suggesting that it cannot because “Android is just a hobby for the company, and it will never be able to match Apple’s marketing prowess” and you know what, I think they may just have a point.
The Top 10 Enterprise Architecture Mistakes
By Davey Winder in Editorial
Posted in Business on
Want to know what the top ten pitfalls facing business when trying to establish an enterprise architecture programme are? Good, in that case you’ve come to the right place because with a little help from Gartner we’ve got the answers for you.
Ahead of the Gartner Enterprise Architecture Summit 2009 which takes place in London in a week’s time, where analysts will be discussing various enterprise architecture topics, Scott Bittler, a research vice president at Gartner, says that “The key for enterprise architects is to create not the perfect or most elegant architecture for the moment, but the most adaptable architecture for the future. EA is a challenging discipline and careful attention to the basics can mean the difference between failure and success. Avoiding the pitfalls in the first place is much easier than climbing out of a hole you’ve inadvertently tumbled into. Applying the ways to avoid these pitfalls results in achieving EA benefits faster and reduced risk of programme failure. It will also improve the credibility of IT among business leaders”.
So, here they are, the top 10 EA mistakes:
1. The Wrong Lead Architect: Gartner identified the single biggest EA problem as a chief architect who is an ineffective leader. He or she may understand EA well but has ineffective leadership skills that even a good organisational structure and staffing levels cannot overcome. Gartner recommends that such a lead architect be replaced by someone with strong ‘soft’ skills such as enthusiasm, communication and passion, as well as being well respected and strategically minded.
2. Insufficient Stakeholder Understanding and Support: This happens when employees outside the EA team don’t participate in the EA programme, EA content is not used in projects and management questions its value. Gartner’s solution is to make EA education and communication a top priority to secure executive-team sponsorship. “The key is to ‘sell’ first and architect later,” said Mr Bittler.
3. Not Engaging the Business People: When IT and business goals are not aligned, resultant problems include non-technical people trying to make technical decisions while enterprise architects become too reactionary and tactical in response to projects. To overcome this, Gartner recommends that enterprise architects get involved in the development of the business context and engage jointly with other employees in the business architecture.
4. Doing Only Technical Domain-Level Architecture: This dated EA approach is still in use in some organisations and is even narrower in scope than technical architecture. Holistic EA best-practice is much broader as it includes business, information and solutions architecture.
5. Doing Current-State EA First: Successful EA provides prescriptive guidance but current-state EA does not, so it delays delivery of EA value and hinders the creation of good future-state EA. “The temptation is often to do the easy – current-state – EA first,” said Mr Bittler. “Instead, establish the business context and then focus first on future-state EA.”
6. The EA Group Does Most of the Architecting: This is a pitfall because the EA content is typically off the mark as it was not informed by those on the business side. There is also consequently no buy-in for the EA. The primary job of architects is to lead the EA process rather than impose EA content on the organisation. They should form virtual teams to create content and seek consensus on the content.
7. Not Measuring and Not Communicating the Impact: The value of EA is often indirect, so it may not be obvious to everyone in the organisation. This then exposes the EA programme to risk of failure. Gartner recommends that enterprise architects create a slide to demonstrate each success story of EA applied to a project. They should include measurement and documentation of EA in the programme plan.
8. Architecting the ‘Boxes’ Only: Enabling better business agility and integration is key but architecting standards for the ‘boxes’ (business units) in process, information, technical and solutions models doesn’t address this. Integration and interoperability standards are high EA priorities and must account for more than just technical architecture. Architects should focus more on the links between the boxes.
9. Not Establishing Effective EA Governance Early: Enterprise architects must resist the temptation to wait for more architecture content before setting governance processes and instead develop content and governance in parallel.
10. Not Spending Enough Time on Communications: Key messages about EA are not intuitively obvious, so enterprise architects must work to educate the business. It is critical that organisations develop and execute an EA communications plan with messages tailored to each audience.
Your stupid life online
By Davey Winder in Editorial
Posted in Twitter, Blog, Facebook, Internet on
I am a heavily tattooed man, as in seriously heavily tattooed: full sleeves on both arms, full back piece, chest… Some of my earliest tattoos are no longer visible as they have been ‘covered up’ with better, and more appropriate, artwork. If needs be, I can cover them all up with a suit and shirt (well, one might peep over the top of my shirt collar but never mind) - getting rid of any errors in judgement in terms of online posts you may have made a few years back when drunk or just caught up in the stupidity of youth is not so easy.
I once ‘invaded’ an online forum for Morris Dance fans, along with a couple of mates, and started dancing by typing such things as ‘jingle jangle’ and ‘clackety-clack’ into messages. Very silly indeed, and it annoyed a lot of men with far too much facial hair who were harming nobody. That was probably one of the nicer things I did when drunk in charge of an Internet connection twenty years ago. Deleting my ‘digital tattoos’ is not just difficult, for the most part it is impossible.
The Internet has matured a lot during the last decade or so, and thankfully so have I. Which means I am not in the habit of leaving status updates on social networking sites which a potential client or employer might find, er, interesting enough not to become a real client or employer. I am honest and open online, but as in real life I adopt a ‘take me as is or leave me alone’ policy. Some people are not so fortunate.
Take the lads who were suspended from Wimbledon College School after a YouTube video of them mucking about on a bus came to the attention of the headmaster. Or the employee who made it clear how she felt about her boss and her job on Facebook and the boss quickly reciprocated by firing her. Then there was that chap who took a sickie after a night on the booze, and his Facebook status revealed just that to everyone, including his boss.
Now a survey by Symantec has shown that 35% of folk really don’t worry about what they are posting online, 62% of those under the age of 25 have ‘personal’ photos on the web, and 32% would like to delete parts of these digital tattoos if only they could.
“As a recruiter I cannot stress enough how important your online profile is. Whether it’s blogging, tweeting, facebooking or uploading videos, a fantastic CV can be dismissed in moments if the online story doesn’t match what I’m reading” commented Steve Mallison-Jones, Managing Director, Indigo Red. “When interviewing candidates I find it unbelievable that they don’t realise that all their online activity is indexed and normally traceable. That picture put up from the lads’ night out makes me ask some extra questions and I want to probe and prove I am getting the best candidates for my clients.”
Symantec recommends that people frequently check and increase their privacy settings on social networking sites to prevent unwanted visitors from seeing anything they shouldn’t.
I recommend people think about what they are Tweeting, posting to Facebook or plastering over the web. If you don’t want your work colleagues to know you are a Take That fan, then don’t start ‘singing’ their lyrics on Facebook. Simples.



