Internet security researcher Daniel Kaminsky


Born in San Francisco, Calif., Kaminsky was given a computer by his father …at age 4. By the time he was 5, Kaminsky had taught himself how to program it. When he was 11, his mother received a call from a government security administrator who told her that Daniel had used “penetration testing” to intrude into military computers, and that the family’s Internet would be cut off. His mother seems just as smart as he was: she said if their Internet access was cut, she would take out an advertisement in the San Francisco Chronicle to publicize the fact that military computer security was so weak, an 11-year-old could break it. Instead, they settled on a three-day “timeout” from the Internet. Not surprisingly, Kaminsky became a security researcher, and was the co-founder and chief scientist of White Ops (now called HUMAN), a security firm specializing in detecting malware activity via JavaScript. He worked for Cisco, Avaya, and IOActive, where he was the director of penetration testing.

In 2008, Kaminsky discovered a fundamental flaw in the Internet’s DNS — Domain Name System — which is needed to route requests for an Internet domain (such as HonoraryUnsubscribe.com) to its actual host server at an Internet Protocol address. The flaw: DNS was designed with only 65,536 possible transaction IDs. Using a technique called “cache poisoning,” an attacker could fool DNS (and, thus, anyone depending on it, which is everyone) into, for instance, putting a fake web site at a real address to collect, say, banking login information. Such fake sites could also collect other people’s emails, enabling the attacker to (for instance) intercept “Lost my Password” emails. It was a disaster in the making, so Kaminsky contacted Internet pioneer Paul Vixie, who designed the DNS protocol. As Kaminsky described the flaw, Vixie started to panic. “I realized we were looking down the gun barrel of history,” he said later. “It meant everything in the digital universe was going to have to get patched.” Kaminsky then alerted the Department of Homeland Security, as well as executives at Cisco and Microsoft, and gathered researchers together at a secret meeting in Seattle to work on a fix. The quick fix made it 65,536 times more difficult for the flaw to be exploited, but a full fix has never been implemented, despite Kaminsky pushing for a solution. When he later described the flaw — and the fix — at an Internet security conference, a man came up to thank him for his work: it was the same government security administrator who discovered Kaminsky’s hacking when he was 11.

Kaminsky in 2012. (Photo: CC2.0 by technology historian Jason Scott, from DEFCON: A Documentary About the World’s Largest Hacking Conference.) His T-shirt reads, “I ♥ Color” in the style of an Ishihara test. Kaminsky developed an app helping people with color blindness, inspired by a friend who is color blind.

In 2009, Kaminsky and other researchers discovered a flaw in the Public Key Infrastructure, which meant web sites’ SSL security certificates could be hacked. That was also fixed by moving away from the “MD2” hashing algorithm. “The Internet was never designed to be secure,” Kaminsky explained about the fundamental flaws in the Internet’s infrastructure. It “was designed to move pictures of cats. We are very good at moving pictures of cats.” But because the Internet’s designers “didn’t think you’d be moving trillions of dollars [online]. What are we going to do? And here’s the answer: Some of us got to go out and fix it.” Security researchers must continue their work, he said. “Everybody looks busy, but the house still burns.” While there are always security flaws in any complex system, Kaminsky is largely responsible for your not losing money from your online bank accounts from such flaws. Kaminsky suffered a number of times from diabetic ketoacidosis — a bodily shortage of insulin, which causes the body to switch to burning fatty acids, which can lead to death if not treated in time. On April 23 he suffered another attack, and died in his San Francisco home. He was 42.

From This is True for 25 April 2021