Dark Reading is part of the Informa Tech Division of Informa PLC

4/26/2021
06:10 PM

In Appreciation: Dan Kaminsky

Beloved security industry leader and researcher passes away unexpectedly at the age of 42.

"We're hackers: we're not afraid to get into how things work. Let's use that knowledge and fearlessness and make things work better." —Dan Kaminsky, 2015

The security industry is reeling over news of the death of an iconic industry leader and innovator who shaped a generation of ethical hacking and security technologies, Dan Kaminsky.

Kaminsky, 42, passed away suddenly on April 23 due to complications from diabetes, and word of his death spread online Saturday as friends, colleagues, and industry admirers shared tributes on Twitter about his groundbreaking and prolific security research, the personal touch he applied to all of the work he did and shared — and his signature generosity and enthusiastic passion for the work and industry he so loved.

His work spanned nearly every aspect of cybersecurity: network security, Web security, cryptography, clickjacking defense, online ad-fraud prevention with the co-founding of HUMAN (formerly White Ops), and more. He even wrote a mobile app called DanKam that uses a form of augmented reality for helping with color blindness. But his best-known research was the discovery of the massive DNS cache poisoning flaw in 2008 that could be exploited to redirect victims to a malicious website without their knowing. Kaminsky helped engineer a then-unprecedented emergency patching effort among vendors and service providers to protect domain servers worldwide, including internal email systems, from the attack.

Kaminsky stumbled onto the bug while working with his friend Artur Bergman — who later founded Fast.ly — on brainstorming ways to speed up content delivery networks by getting the Domain Name System to use faster servers. A neat trick he found to speed up the Internet led to his discovery of the dangerous design flaw in DNS.

Credit: Dan Kaminsky

For years, he hosted the famous "Black Ops" series of talks at Black Hat, where he shared his latest research and insights, including the impact of the DNS cache poisoning bug. His very first one in 2001, "The Black Ops of TCP/IP," came together while he was studying for his business computing degree at Santa Clara University and was on "some random things I was working on instead of doing homework," he once recalled. "My family was not happy with me."

Family was always a part of Kaminsky's professional life. His grandma famously attended his Black Hat talks, bringing along her homemade cookies in a Tupperware container to share with attendees after the presentations, and other family members also regularly attended his talks. He produced a DNS security "PSA" video for "non-geeks" in 2008 with his young niece, Sarah, on the importance of DNS security. "Kids, talk to your parents about DNS. They'll be glad you did," Kaminsky quipped at the end of the video.

Katie Moussouris, founder and CEO of Luta Security, says Kaminsky looked at security problems differently — and with optimism, often a rare sentiment in security. "He was not transactional in his approach of security. He was a long-game thinker," she says. "We really don't have too many folks in our industry who have a long track record as he had, and with as much impact — and [also] as much hope for the future" as Kaminsky had, she says. "That was something precious."

Security researcher David Maynor says he was always inspired by Kaminsky's enthusiastic embrace of security challenges and research, and of life: Kaminsky remained true to his pure love of his work throughout his accomplished career. He was eager to share his knowledge and excitement about his work. "He made it okay to be passionate about what you do every day," Maynor says of his longtime friend. "I do a bunch of stuff, such as CTFs [capture the flag] that's not work-related, that I don't think I would be doing if not for Dan."

Security expert Robert Graham described Kaminsky as "a nerd's nerd."

"Most conference talks have five minutes of content surrounded by 40 minutes of background material. So a couple times, Dan would rent a suite in a hotel and invite techies who already understood the background material to give the five-minute version of the talk. Everyone invited was expected to present," Graham recalls. "This then included questions and answers from techies who thoroughly understood the material."

Labor of Love
Kaminsky landed at his first Black Hat conference in 2000 at age 20 after winning a free ticket in a security treasure-hunt competition. He recalled that he had raised his hand to answer — correctly — a security question famed L0pht member Mudge (aka Peiter Zatko) posed to the audience during a panel presentation. Mudge gave him some advice that Kaminsky said he took to heart: "He said, 'never tell anyone your age. That way you will always be old enough for them to believe what you are saying.'"

After working as an intern at Cisco and co-writing the book Hack Proofing Your Network, he decided to go back to school to finish his college degree.

"I took business classes, because you don't naturally know how money works. I think finance should be a mandatory class for everyone," he said. If you build an expensive but great security system that no one actually uses, he said, that's worse than doing nothing at all.

He didn't consider his security work as labor: It was fun for him and he embraced being a self-professed "nerd." Kaminsky wrote his first code at the age of five, when he programmed the Tandy 80 computer he had back then. "I could tell the turtle to walk around, and make it do spirograph patterns," he said.

Editor's Note: Dan was always so very generous with his time for us, and we are the better for it. We will always remember his excitement, and pure joy, when he shared his groundbreaking work with us. We will miss him terribly.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
