I learned today that Dan Kaminsky died on Friday 23 April of complications arising from his diabetes. (I would probably have learned earlier if I followed twitter, but I don’t.) He was only 42. I met Kaminsky at an MSRC Bluehat Forum in 2009. He was only 30 at the time, but already widely respected, and not just for his work on DNS.
Kaminsky is probably most famous for his 2008 discovery (and subsequent handling) of the serious flaw in DNS which would permit an attacker to poison DNS caches. Kaminsky successfully managed to get multiple vendors of DNS server products to take the issue seriously, patch their products and co-ordinate the release of said patches, before he announced the vulnerability. Such responsible disclosure is completely antithetical to the kind of viewpoint which leads “bad guys” (of all kinds) to withhold vulnerability details so that they can be exploited in so-called 0-day attacks. We need more Kaminskys.
In his own blog post on the flaw, Kaminsky said:
So there’s a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes…somewhere. Not where it was supposed to. You may have heard about this — the Wall Street Journal, the BBC, and some particularly important people are reporting on what’s been going on. Specifically:
1) It’s a bug in many platforms
2) It’s the exact same bug in many platforms (design bugs, they are a pain)
3) After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day.
4) This has not happened before. Everything is genuinely under control.
I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.
It was a good day.
A good day indeed.
A couple of weeks after the first announcement, Kaminsky wrote a “guide for management” summarising the technicalities in a way by which sysadmins could present the flaw to their management to get them to take the issue (and the necessary overtime) seriously.
All of us who use the ‘net owe Kaminsky a debt of gratitude.