In 2008, Kaminsky discovered a fundamental flaw in the Internet’s DNS — Domain Name System — which is needed to route requests for an Internet domain (such as HonoraryUnsubscribe.com) to its actual host server at an Internet Protocol address. The flaw: DNS was designed with only 65,536 possible transaction IDs. Using a technique called “cache poisoning,” an attacker could fool DNS (and, thus, anyone depending on it, which is everyone) into, for instance, putting a fake web site at a real address to collect, say, banking login information. Such fake sites could also collect other people’s emails, enabling the attacker to (for instance) intercept “Lost my Password” emails. It was a disaster in the making, so Kaminsky contacted Internet pioneer Paul Vixie, who designed the DNS protocol. As Kaminsky described the flaw, Vixie started to panic. “I realized we were looking down the gun barrel of history,” he said later. “It meant everything in the digital universe was going to have to get patched.” Kaminsky then alerted the Department of Homeland Security, as well as executives at Cisco and Microsoft, and gathered researchers together at a secret meeting in Seattle to work on a fix. The quick fix made it 65,536 times more difficult for the flaw to be exploited, but a full fix has never been implemented, despite Kaminsky pushing for a solution. When he later described the flaw — and the fix — at an Internet security conference, a man came up to thank him for his work: it was the same government security administrator who discovered Kaminsky’s hacking when he was 11.
In 2009, Kaminsky and other researchers discovered a flaw in the Public Key Infrastructure, which meant web sites’ SSL security certificates could be hacked. That was also fixed by moving away from the “MD2” hashing algorithm. “The Internet was never designed to be secure,” Kaminsky explained about the fundamental flaws in the Internet’s infrastructure. It “was designed to move pictures of cats. We are very good at moving pictures of cats.” But the Internet’s designers “didn’t think you’d be moving trillions of dollars [online]. What are we going to do? And here’s the answer: Some of us got to go out and fix it.” Security researchers must continue their work, he said. “Everybody looks busy, but the house still burns.” While there are always security flaws in any complex system, Kaminsky is largely responsible for your not losing money from your online bank accounts from such flaws.
Kaminsky suffered a number of times from diabetic ketoacidosis — a bodily shortage of insulin, which causes the body to switch to burning fatty acids, which can lead to death if not treated in time. On April 23 he suffered another attack, and died in his San Francisco home. He was 42.