"We're hackers: we're not afraid to get into how things work. Let's use that knowledge and fearlessness and make things work better." —Dan Kaminsky, 2015
The security industry is reeling over news of the death of an iconic industry leader and innovator who shaped a generation of ethical hacking and security technologies, Dan Kaminsky.
Kaminsky, 42, passed away suddenly on April 23 due to complications from diabetes, and word of his death spread online Saturday as friends, colleagues, and industry admirers shared tributes on Twitter about his groundbreaking and prolific security research, the personal touch he applied to all of the work he did and shared — and his signature generosity and enthusiastic passion for the work and industry he so loved.
His work spanned nearly every aspect of cybersecurity: network security, Web security, cryptography, clickjacking defense, online ad-fraud prevention with the co-founding of HUMAN (formerly White Ops), and more. He even wrote a mobile app called DanKam that uses a form of augmented reality for helping with color blindness. But his best-known research was the discovery of the massive DNS cache poisoning flaw in 2008 that could be exploited to redirect victims to a malicious website without their knowing. Kaminsky helped engineer a then-unprecedented emergency patching effort among vendors and service providers to protect domain servers worldwide, including internal email systems, from the attack.
Kaminsky stumbled onto the bug while working with his friend Artur Bergman — who later founded Fast.ly — on brainstorming ways to speed up content delivery networks by getting the Domain Name System to use faster servers. A neat trick he found to speed up the Internet led to his discovery of the dangerous design flaw in DNS.
For years, he hosted the famous "Black Ops" series of talks at Black Hat, where he shared his latest research and insights, including the impact of the DNS cache poisoning bug. His very first one in 2001, "The Black Ops of TCP/IP," came together while he was studying for his business computing degree at Santa Clara University and was on "some random things I was working on instead of doing homework," he once recalled. "My family was not happy with me."
Family was always a part of Kaminsky's professional life. His grandma famously attended his Black Hat talks, bringing along her homemade cookies in a Tupperware container to share with attendees after the presentations, and other family members also regularly attended his talks. He produced a DNS security "PSA" video for "non-geeks" in 2008 with his young niece, Sarah, on the importance of DNS security. "Kids, talk to your parents about DNS. They'll be glad you did," Kaminsky quipped at the end of the video.
Katie Moussouris, founder and CEO of Luta Security, says Kaminsky looked at security problems differently — and with optimism, often a rare sentiment in security. "He was not transactional in his approach of security. He was a long-game thinker," she says. "We really don't have too many folks in our industry who have a long track record as he had, and with as much impact — and [also] as much hope for the future" as Kaminsky had, she says. "That was something precious."
Security researcher David Maynor says he was always inspired by Kaminsky's enthusiastic embrace of security challenges and research, and to life: Kaminsky remained true to his pure love of his work throughout his accomplished career. He was eager to share his knowledge and excitement about his work. "He made it okay to be passionate about what you do every day," Maynor says of his longtime friend. "I do a bunch of stuff, such as CTFs [capture the flag] that's not work-related, that I don't think I would be doing if not for Dan."
Security expert Robert Graham described Kaminsky as "a nerd's nerd."
"Most conference talks have five minutes of content surrounded by 40 minutes of background material. So a couple times, Dan would rent a suite in a hotel and invite techies who already understood the background material to give the five-minute version of the talk. Everyone invited was expected to present," Graham recalls. "This then included questions and answers from techies who thoroughly understood the material."
Labor of Love
Kaminsky landed at his first Black Hat conference in 2000 at age 20 after winning a free ticket in a security treasure-hunt competition. He recalled that he had raised his hand to answer — correctly — a security question famed L0pht member Mudge (aka Pieter Zatko) posed to the audience during a panel presentation. Mudge gave him some advice that Kaminsky said he took to heart: "He said, 'never tell anyone your age. That way you will always be old enough for them to believe what you are saying.'"
After working as an intern at Cisco and co-writing the book Hack Proofing Your Network, he decided to go back to school to finish his college degree.
"I took business classes, because you don't naturally know how money works. I think finance should be a mandatory class for everyone," he said. If you build an expensive but great security system that no one actually uses, he said, that's worse than doing nothing at all.
He didn't consider his security work as labor: It was fun for him and he embraced being a self-professed "nerd." Kaminsky wrote his first code at the age of five, when he programmed the Tandy 80 computer he had back then. "I could tell the turtle to walk around, and make it do spirograph patterns," he said.
Editor's Note: Dan was always so very generous with his time for us, and we are the better for it. We will always remember his excitement — and pure joy — when he shared his groundbreaking work with us. We will miss him terribly.