The recent TF-CSIRT meeting in Zurich included a talk by the Swiss telecoms regulator (like ours, called Ofcom, though their 'F' stands for Federal!) on the law covering websites in the .ch domain that distribute malware, normally as the result of a compromise.

Nominet have published an interesting analysis of the legal issues around any possible process for suspending domains associated with criminal activity. This raises the rather worrying issue that the legal position is not clear if a registry is informed of unlawful conduct somewhere in their domain and decides that the evidence is not strong enough to justify them acting.

Questions about my last posting on Nominet's DNS domain suspension discussions, have got me thinking a bit more about my idea of "domains registered for a criminal purpose". My suggestion is that these should be the only domains that a top-level registry can remove on its own, rather than asking for the decision to be taken by an independent authority.

An interesting paper from ENISA and the NATO Cyberdefence Centre illustrates the narrow space that the law allows for incident response, and the importance of ensuring that new laws don’t prevent incident response teams from protecting networks, systems, their users and information against attack.

Earlier in the year I wrote about the German ISP Association's scheme to remove the economic disincentive for ISPs to inform their customers of botnet infections on their PCs by providing a centrally-funded helpdesk. In Latvia a different approach has been taken: providing a "responsible ISP" mark that consumer networks can use on their websites and other promotional materials. To be entitled to use the mark an ISP must satisfy three conditions: