I gave a presentation entitled "Adventures in Domain Takedowns" recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent - plenty of good technical material and lots of useful contacts - and the location, of course, couldn't have been better. The most interesting part in my mind, though, was the lessons I learned in the process of putting my talk together.

First and foremost among those is the increased respect I now have for people who work at active malware takedowns on a regular basis. Getting anything substantial done in that arena requires a massive amount of work; I spent more time preparing this presentation than I have all the other talks I've done in the last two years combined.

Beyond that, I found that geography is a much less reliable indicator of whether you'll get a useful response than most people may think - I got help from China and Russia, but had plenty of places in the US and Europe ignore me. WHOIS is broken, at least in terms of getting reliable information about registrars; standard practices in security, meanwhile, are adhered to loosely at best in many places (I had 9 different registrars whose abuse@ email addresses bounced).

But most important of all was confirmation of the theory I had going in: it's all about who you know, not what you know. Having contacts in the right places is what gets business done on the Internet. The good news, for those who may not have those contacts, is that national CERT organizations do a good job of putting security researchers in touch with the right people; I would strongly urge anyone working on domain takedowns or other Internet cleanup projects to reach out to the relevant CERTs for assistance.