Cybersecurity Community Remembers Researcher Dan Kaminsky
Forensics
,
Fraud Management & Cybercrime
,
Fraud Risk Management
Banisher of ‘The Kaminsky Bug’ Lauded for His Drive to ‘Make Things Better’
The information security community is mourning the loss of Dan Kaminsky, the renowned security researcher who died last week at age 42.
See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive
Tributes to Kaminsky have been flooding social media, praising not just his keen intellect and passion for technology and security, but also his generous nature, approachability and dedication to teaching. He’s remembered for how pivotal he was in helping to protect the internet and leading by example when coordinating vulnerability reporting and mitigation.
Dan Kaminsky’s @dakami passion, creativity, desire to learn and teach really help influence both #defcon and @BlackHatEvents in the early years. He became an icon in all the positive ways and we look up to him. RIP Hacker.
— DEF CON (@defcon) April 24, 2021
The cause of Kaminsky’s death was diabetic ketoacidosis, Kaminsky’s niece said in a statement issued Sunday. “While his passing was sudden and unexpected for us, Dan struggled for years with diabetes and was even recently hospitalized because of it.”
Rest In Peace, Dan Kaminsky. Our world will never be the same. pic.twitter.com/DCxjwDoBie
— sarah b (@sarahbrie) April 25, 2021
The Kaminsky Bug
In 2008, Kaminsky earned plaudits for discovering how to exploit an “extremely serious” cache poising vulnerability in the Domain Name System – essentially, the internet’s phone directory – and alerting key DNS researchers. Together, they helped marshal an industry response to “the Kaminsky bug, as people annoyingly call it,” he told me in a 2016 interview.
At the time, many said the effort represented the largest collective patching effort to fix a critical security flaw, Wired reported.
Among other efforts, Kaminsky also helped to identify the full impact of the rootkit installed by Sony on its CDs under the guise of copy-protection software, which came to light in 2005 and left affected systems vulnerable to being exploited. Using DNS cache snooping techniques, he estimated that more than 568,000 systems had been infected with the malware, and Wired reported at the time that infected systems were present in military and government networks.
‘We Can Fix That’
Kaminsky was hyperpassionate and articulate, knowledgeable and entertaining.
One interview stands out, from the RSA Conference in San Francisco in 2016. At the time, the FBI was seeking to force Apple, in court, to design a version of its operating system that could be used to give the agency access to an iPhone of one of the San Bernardino shooters.
Enter Kaminsky, in a black T-shirt with a version of the famous “American Gothic” painting on it, only swapping the farmers for “Star Wars” storm troopers.
After getting his insights into a serious GNU C Library – aka glibc – flaw then circulating, I asked Kaminsky if had any thoughts on the then-unfolding Apple-FBI fight (see: Treat Data Security Like Firefighting).
“Quite a few, actually,” he responded, launching into a critique of the FBI’s anti-encryption rhetoric by saying the bureau was missing the forest for the trees.
“We’re living in a world where everything can be hacked, and is being hacked,” he said. But Apple had managed to build a device – the iPhone – which wasn’t being hacked. “These guys should be getting medals” rather than being vilified as the court case was doing, he told me.
“We have got to protect the people who are putting out the fires, OK? If American cities were burning regularly, we would be fixing that problem. Firefighters would be within minutes of every site to stop them from spreading. Law enforcement has an absolute role to play; they will hunt down the arsonists. Engineers would be figuring out how to make buildings that didn’t burn.
“This is not a theoretical thing; this is what we did. American cities used to burn regularly: Manhattan, San Francisco, Seattle, Chicago all suffered enormous fires, and now it doesn’t happen. We need to get that degree of predictability for cyber because, I tell you, all those cities are going to be cyberattacked tomorrow. And we can fix that. It’s going to take some work, it’s going to take some time and it’s going to take not threatening the people who are putting out the fires.”
Cybersecurity Community Pays Tribute
The community he was a part of and helped nurture – including through his presentations at DEF CON and Black Hat, where he first described “the Kaminsky bug” in 2008 – has been sharing remembrances of Kaminsky.
Bug bounty pioneer Katie Moussouris, who founded Microsoft’s first bug bounty program, said Kaminsky’s “DNS multiparty vulnerability coordination and embargoed disclosure he championed” in 2008 had been “the catalyst for the formal creation of Microsoft Vulnerability Research.”
Aw Dan. The year we met, you showed me a camera that fit in an Altoid box the night HD told me he was building metasploit.
Your DNS bug catalyzed the creation of Microsoft Vulnerability Research. But your kindness is what we’ll miss. Rest easy old friendhttps://t.co/cbeta7uRGe— Katie Moussouris (she/her) is 1/2 vaccinated (@k8em0) April 24, 2021
“He had such a kind gentle soul,” says security researcher Marc Rogers. “He was always looking to help. Always looking to make things better.”
Dan was a force of nature. A hacker who saw not just 1 or 2 moves ahead but so many you sometimes wondered if he was playing the same game: I asked him for a demo. He brought a record turntable he used to move a VM forwards & backwards in time like a DJ scratching.
— Marc Rogers (@marcwrogers) April 24, 2021
Kaminsky was literally a DNS security – aka DNSSEC – keymaster, having been designated a recovery key share holder for the Internet Corporation for Assigned Names and Numbers, better known as ICANN, in 2010. In that role, Kaminsky served as one of seven individuals trusted with holding the credentials for a backup key for DNSSEC to be used if ever required for disaster recovery purposes.
Kaminsky was renowned not only for his research acumen but also his ability to communicate complex ideas.
Close. AI has plenty of doubt (most models can return probabilities for any prediction, if you configure them to).
The problem is humans, not doubting the AI enough to notice when it doubts itself.
It’s a tool, and it matters how you use it. https://t.co/LgtQ041dcb
— Dan Kaminsky (@dakami) April 18, 2021
He was also a regular presence on Twitter, discoursing on technical topics with passion and insight.
Now, moves are afoot to honor Kaminsky’s legacy.
My idea would not award it every year, have a group of diverse hackers & experts on the selection committee, and try to honor the core ideals of Dan.
Generous people have offered to help with a financial contribution or endowment to help the awardee. I’ll start in that direction— Jeff Moss (@thedarktangent) April 25, 2021
Black Hat and DEF CON founder Jeff Moss says he’s working on some type of award “for cyber/hackers” that would “try to honor the core ideals of Dan.”
