Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
06:10 PM
Connect Directly

In Appreciation: Dan Kaminsky

Beloved security industry leader and researcher passes away unexpectedly at the age of 42.

"We're hackers: we're not afraid to get into how things work. Let's use that knowledge and fearlessness and make things work better."  —Dan Kaminsky, 2015

The security industry is reeling over news of the death of an iconic industry leader and innovator who shaped a generation of ethical hacking and security technologies, Dan Kaminsky.

Kaminsky, 42, passed away suddenly on April 23 due to complications from diabetes, and word of his death spread online Saturday as friends, colleagues, and industry admirers shared tributes on Twitter about his groundbreaking and prolific security research, the personal touch he applied to all of the work he did and shared — and his signature generosity and enthusiastic passion for the work and industry he so loved.

His work spanned nearly every aspect of cybersecurity: network security, Web security, cryptography, clickjacking defense, online ad-fraud prevention with the co-founding of HUMAN (formerly White Ops), and more. He even wrote a mobile app called DanKam that uses a form of augmented reality for helping with color blindness. But his best-known research was the discovery of the massive DNS cache poisoning flaw in 2008 that could be exploited to redirect victims to a malicious website without their knowing. Kaminsky helped engineer a then-unprecedented emergency patching effort among vendors and service providers to protect domain servers worldwide, including internal email systems, from the attack.

Kaminsky stumbled onto the bug while working with his friend Artur Bergman — who later founded Fast.ly — on brainstorming ways to speed up content delivery networks by getting the Domain Name System to use faster servers. A neat trick he found to speed up the Internet led to his discovery of the dangerous design flaw in DNS.

Credit: Dan Kaminsky
Credit: Dan Kaminsky

For years, he hosted the famous "Black Ops" series of talks at Black Hat, where he shared his latest research and insights, including the impact of the DNS cache poisoning bug. His very first one in 2001, "The Black Ops of TCP/IP," came together while he was studying for his business computing degree at Santa Clara University and was on "some random things I was working on instead of doing homework," he once recalled. "My family was not happy with me."

Family was always a part of Kaminsky's professional life. His grandma famously attended his Black Hat talks, bringing along her homemade cookies in a Tupperware container to share with attendees after the presentations, and other family members also regularly attended his talks. He produced a DNS security "PSA" video for "non-geeks" in 2008 with his young niece, Sarah, on the importance of DNS security. "Kids, talk to your parents about DNS. They'll be glad you did," Kaminsky quipped at the end of the video.

Katie Moussouris, founder and CEO of Luta Security, says Kaminsky looked at security problems differently — and with optimism, often a rare sentiment in security. "He was not transactional in his approach of security. He was a long-game thinker," she says. "We really don't have too many folks in our industry who have a long track record as he had, and with as much impact — and [also] as much hope for the future" as Kaminsky had, she says. "That was something precious."

Security researcher David Maynor says he was always inspired by Kaminsky's enthusiastic embrace of security challenges and research, and to life: Kaminsky remained true to his pure love of his work throughout his accomplished career. He was eager to share his knowledge and excitement about his work. "He made it okay to be passionate about what you do every day," Maynor says of his longtime friend. "I do a bunch of stuff, such as CTFs [capture the flag] that's not work-related, that I don't think I would be doing if not for Dan."

Security expert Robert Graham described Kaminsky as "a nerd's nerd."

"Most conference talks have five minutes of content surrounded by 40 minutes of background material. So a couple times, Dan would rent a suite in a hotel and invite techies who already understood the background material to give the five-minute version of the talk. Everyone invited was expected to present," Graham recalls. "This then included questions and answers from techies who thoroughly understood the material."

Labor of Love
Kaminsky landed at his first Black Hat conference in 2000 at age 20 after winning a free ticket in a security treasure-hunt competition. He recalled that he had raised his hand to answer — correctly — a security question famed L0pht member Mudge (aka Pieter Zatko) posed to the audience during a panel presentation. Mudge gave him some advice that Kaminsky said he took to heart: "He said, 'never tell anyone your age. That way you will always be old enough for them to believe what you are saying.'"

After working as an intern at Cisco and co-writing the book Hack Proofing Your Network, he decided to go back to school to finish his college degree.

"I took business classes, because you don't naturally know how money works. I think finance should be a mandatory class for everyone," he said. If you build an expensive but great security system that no one actually uses, he said, that's worse than doing nothing at all.

He didn't consider his security work as labor: It was fun for him and he embraced being a self-professed "nerd." Kaminsky wrote his first code at the age of five, when he programmed the Tandy 80 computer he had back then. "I could tell the turtle to walk around, and make it do spirograph patterns," he said.

Editor's Note: Dan was always so very generous with his time for us, and we are the better for it. We will always remember his excitement  and pure joy  when he shared his groundbreaking work with us. We will miss him terribly.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.