Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:10 PM
Connect Directly

In Appreciation: Dan Kaminsky

Beloved security industry leader and researcher passes away unexpectedly at the age of 42.

"We're hackers: we're not afraid to get into how things work. Let's use that knowledge and fearlessness and make things work better."  —Dan Kaminsky, 2015

The security industry is reeling over news of the death of an iconic industry leader and innovator who shaped a generation of ethical hacking and security technologies, Dan Kaminsky.

Kaminsky, 42, passed away suddenly on April 23 due to complications from diabetes, and word of his death spread online Saturday as friends, colleagues, and industry admirers shared tributes on Twitter about his groundbreaking and prolific security research, the personal touch he applied to all of the work he did and shared — and his signature generosity and enthusiastic passion for the work and industry he so loved.

His work spanned nearly every aspect of cybersecurity: network security, Web security, cryptography, clickjacking defense, online ad-fraud prevention with the co-founding of HUMAN (formerly White Ops), and more. He even wrote a mobile app called DanKam that uses a form of augmented reality for helping with color blindness. But his best-known research was the discovery of the massive DNS cache poisoning flaw in 2008 that could be exploited to redirect victims to a malicious website without their knowing. Kaminsky helped engineer a then-unprecedented emergency patching effort among vendors and service providers to protect domain servers worldwide, including internal email systems, from the attack.

Kaminsky stumbled onto the bug while working with his friend Artur Bergman — who later founded Fast.ly — on brainstorming ways to speed up content delivery networks by getting the Domain Name System to use faster servers. A neat trick he found to speed up the Internet led to his discovery of the dangerous design flaw in DNS.

Credit: Dan Kaminsky
Credit: Dan Kaminsky

For years, he hosted the famous "Black Ops" series of talks at Black Hat, where he shared his latest research and insights, including the impact of the DNS cache poisoning bug. His very first one in 2001, "The Black Ops of TCP/IP," came together while he was studying for his business computing degree at Santa Clara University and was on "some random things I was working on instead of doing homework," he once recalled. "My family was not happy with me."

Family was always a part of Kaminsky's professional life. His grandma famously attended his Black Hat talks, bringing along her homemade cookies in a Tupperware container to share with attendees after the presentations, and other family members also regularly attended his talks. He produced a DNS security "PSA" video for "non-geeks" in 2008 with his young niece, Sarah, on the importance of DNS security. "Kids, talk to your parents about DNS. They'll be glad you did," Kaminsky quipped at the end of the video.

Katie Moussouris, founder and CEO of Luta Security, says Kaminsky looked at security problems differently — and with optimism, often a rare sentiment in security. "He was not transactional in his approach of security. He was a long-game thinker," she says. "We really don't have too many folks in our industry who have a long track record as he had, and with as much impact — and [also] as much hope for the future" as Kaminsky had, she says. "That was something precious."

Security researcher David Maynor says he was always inspired by Kaminsky's enthusiastic embrace of security challenges and research, and to life: Kaminsky remained true to his pure love of his work throughout his accomplished career. He was eager to share his knowledge and excitement about his work. "He made it okay to be passionate about what you do every day," Maynor says of his longtime friend. "I do a bunch of stuff, such as CTFs [capture the flag] that's not work-related, that I don't think I would be doing if not for Dan."

Security expert Robert Graham described Kaminsky as "a nerd's nerd."

"Most conference talks have five minutes of content surrounded by 40 minutes of background material. So a couple times, Dan would rent a suite in a hotel and invite techies who already understood the background material to give the five-minute version of the talk. Everyone invited was expected to present," Graham recalls. "This then included questions and answers from techies who thoroughly understood the material."

Labor of Love
Kaminsky landed at his first Black Hat conference in 2000 at age 20 after winning a free ticket in a security treasure-hunt competition. He recalled that he had raised his hand to answer — correctly — a security question famed L0pht member Mudge (aka Pieter Zatko) posed to the audience during a panel presentation. Mudge gave him some advice that Kaminsky said he took to heart: "He said, 'never tell anyone your age. That way you will always be old enough for them to believe what you are saying.'"

After working as an intern at Cisco and co-writing the book Hack Proofing Your Network, he decided to go back to school to finish his college degree.

"I took business classes, because you don't naturally know how money works. I think finance should be a mandatory class for everyone," he said. If you build an expensive but great security system that no one actually uses, he said, that's worse than doing nothing at all.

He didn't consider his security work as labor: It was fun for him and he embraced being a self-professed "nerd." Kaminsky wrote his first code at the age of five, when he programmed the Tandy 80 computer he had back then. "I could tell the turtle to walk around, and make it do spirograph patterns," he said.

Editor's Note: Dan was always so very generous with his time for us, and we are the better for it. We will always remember his excitement  and pure joy  when he shared his groundbreaking work with us. We will miss him terribly.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
PUBLISHED: 2021-10-15
Yealink Device Management (DM) allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
PUBLISHED: 2021-10-15
IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.
PUBLISHED: 2021-10-15
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.