Euro Security Watch with Mathew J. Schwartz

Forensics , Fraud Management & Cybercrime , Fraud Risk Management

Cybersecurity Community Remembers Researcher Dan Kaminsky

Banisher of 'The Kaminsky Bug' Lauded for His Drive to 'Make Things Better'
Cybersecurity Community Remembers Researcher Dan Kaminsky
Dan Kaminsky in an interview conducted at the 2016 RSA Conference in San Francisco (Photo: ISMG)

The information security community is mourning the loss of Dan Kaminsky, the renowned security researcher who died last week at age 42.

See Also: New Priorities for IT Operations: Be Ready for Whatever Comes Next

Tributes to Kaminsky have been flooding social media, praising not just his keen intellect and passion for technology and security, but also his generous nature, approachability and dedication to teaching. He's remembered for how pivotal he was in helping to protect the internet and leading by example when coordinating vulnerability reporting and mitigation.

The cause of Kaminsky's death was diabetic ketoacidosis, Kaminsky's niece said in a statement issued Sunday. "While his passing was sudden and unexpected for us, Dan struggled for years with diabetes and was even recently hospitalized because of it."

The Kaminsky Bug

In 2008, Kaminsky earned plaudits for discovering how to exploit an "extremely serious" cache poisoning vulnerability in the Domain Name System - essentially, the internet's phone directory - and alerting key DNS researchers. Together, they helped marshal an industry response to "the Kaminsky bug, as people annoyingly call it," he told me in a 2016 interview.

At the time, many said the effort represented the largest collective patching effort to fix a critical security flaw, Wired reported.

Among other efforts, Kaminsky also helped to identify the full impact of the rootkit installed by Sony on its CDs under the guise of copy-protection software, which came to light in 2005 and left affected systems vulnerable to being exploited. Using DNS cache snooping techniques, he estimated that more than 568,000 systems had been infected with the malware, and Wired reported at the time that infected systems were present in military and government networks.

'We Can Fix That'

Kaminsky was hyperpassionate and articulate, knowledgeable and entertaining.

One interview stands out, from the RSA Conference in San Francisco in 2016. At the time, the FBI was seeking to force Apple, in court, to design a version of its operating system that could be used to give the agency access to an iPhone of one of the San Bernardino shooters.

Enter Kaminsky, in a black T-shirt with a version of the famous "American Gothic" painting on it, only swapping the farmers for "Star Wars" storm troopers.

After getting his insights into a serious GNU C Library - aka glibc - flaw then circulating, I asked Kaminsky if had any thoughts on the then-unfolding Apple-FBI fight (see: Treat Data Security Like Firefighting).

"Quite a few, actually," he responded, launching into a critique of the FBI's anti-encryption rhetoric by saying the bureau was missing the forest for the trees.

"We're living in a world where everything can be hacked, and is being hacked," he said. But Apple had managed to build a device - the iPhone - which wasn't being hacked. "These guys should be getting medals" rather than being vilified as the court case was doing, he told me.

"We have got to protect the people who are putting out the fires, OK? If American cities were burning regularly, we would be fixing that problem. Firefighters would be within minutes of every site to stop them from spreading. Law enforcement has an absolute role to play; they will hunt down the arsonists. Engineers would be figuring out how to make buildings that didn't burn.

"This is not a theoretical thing; this is what we did. American cities used to burn regularly: Manhattan, San Francisco, Seattle, Chicago all suffered enormous fires, and now it doesn't happen. We need to get that degree of predictability for cyber because, I tell you, all those cities are going to be cyberattacked tomorrow. And we can fix that. It's going to take some work, it's going to take some time and it's going to take not threatening the people who are putting out the fires."

Cybersecurity Community Pays Tribute

The community he was a part of and helped nurture - including through his presentations at DEF CON and Black Hat, where he first described "the Kaminsky bug" in 2008 - has been sharing remembrances of Kaminsky.

Bug bounty pioneer Katie Moussouris, who founded Microsoft's first bug bounty program, said Kaminsky's "DNS multiparty vulnerability coordination and embargoed disclosure he championed" in 2008 had been "the catalyst for the formal creation of Microsoft Vulnerability Research."

"He had such a kind gentle soul," says security researcher Marc Rogers. "He was always looking to help. Always looking to make things better."

Kaminsky was literally a DNS security - aka DNSSEC - keymaster, having been designated a recovery key share holder for the Internet Corporation for Assigned Names and Numbers, better known as ICANN, in 2010. In that role, Kaminsky served as one of seven individuals trusted with holding the credentials for a backup key for DNSSEC to be used if ever required for disaster recovery purposes.

Kaminsky was renowned not only for his research acumen but also his ability to communicate complex ideas.

He was also a regular presence on Twitter, discoursing on technical topics with passion and insight.

Now, moves are afoot to honor Kaminsky's legacy.

Black Hat and DEF CON founder Jeff Moss says he's working on some type of award "for cyber/hackers" that would "try to honor the core ideals of Dan."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.