Newsletter

04.26.2021 | 5'' read

Remembering Dan Kaminsky (1979-2021)

by Ryan Naraine

[ On Thursday, May 6 at 12p EST, I’ll be moderating a live discussion with head of Uptycs threat research Amit Malik on the recent MITRE FIN7/Carbanak evaluation. Register here and come with your questions ] 


Hello friend,
Was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open).

Monday blues. Remembering Dan Kaminsky (1979-2021)

I don’t handle news of death well, especially the sudden passing of folks younger than me. Dan Kaminsky’s sudden death over the weekend, at the age of 42, hit me particularly hard. My body shook uncontrollably in spurts and I could not leave the couch for hours.

I knew Dan only from work-related interactions but I felt like we were friends. I first met him in the early 2000s, at the height of his annual Black Ops presentations at Black Hat and DEFCON.  Back then, he used the “Effugas” handle and scored Black Hat talks without having to submit CFP proposals.

Dan was extremely generous with his time, especially with journalists covering his complicated research work. He proactively reached out to correct, clarify, or add context to stories I wrote over the years (even on things unrelated to his work). He wasn’t just focused on his work, but was passionate about making things better in other areas, whether that was clarifying complicated security concepts for other people or working on side projects.

We had some interesting fights over the years, but the most tense was the time I accused him of selling out to Microsoft during the infamous Windows Vista pen-test. At the time, Microsoft had essentially leased the security research community for the “largest ever penetration test” of a Redmond OS, and because of strict NDAs, the once-noisy hackers were no longer taking my calls to talk about Microsoft’s security problems.

The ensuing debate with Dan was professional and friendly, but he wasn’t happy with my insinuation and he let me know it. In Dan’s mind, Microsoft’s decision to embrace the hacker community was noble, genuine and would positively impact security for billions of users around the world. He stood by those convictions and taught me an important lesson about zooming out and understanding the long-game impact of the work we do.

The same theme would reemerge in 2008 when he found himself embroiled in a “partial disclosure” controversy that rankled his security peers who felt he was over-hyping an issue to promote a Black Hat presentation. The result was a long, detailed explanation, directly from Dan, that emphasized making the end users the priority.  An example of his empathy for the user is perfectly illustrated at 21:35 of this testy discussion with some of his most vocal peers.

While he will most be celebrated for the great DNS vulnerability or the Vista pen-test that killed Clippy, Dan’s legacy includes work on the “Paketto Keiretsu” tools to manipulate TCP/IP networks, authorship of spoofing and tunneling chapters in seminal books on network security, and the integration of VPN-style functionality into OpenSSH.

Dan was the original rock-star hacker, a media-savvy presenter who issued important security warnings with humor and candor.  He was in heavy demand but, somehow, always had time to help a friend.

He was beyond generous to me, at times when it would have been easy for him to decline my nonstop requests.  When I asked him to keynote the SAS conference in 2015, he took a ridiculous number of connecting flights to show up on time and deliver a kickass presentation. When he couldn’t help, he would call and offer alternatives and make sure I was properly connected to the right people.

Daniel Michael Kaminsky was a real one.  I will miss him dearly.  We all will.

On to the newsletter.  

New podcast episodes.

🎧  On the show this week, Crossbeam CISO Chris Castaldo explains why he enjoys briefings and demos with security vendors.  Also catch my conversation with Assetnote CEO Shubs Shah on how he found riches (and lessons) from participating in global bug bounty programs.

Sponsor message: Going on the ATT&CK versus FIN7 and Carbanak

The 2020 MITRE ATT&CK vendor evaluation results have been released! This is the first time the evaluation has focused on financially motivated criminal groups, in this case Carbanak and FIN7, which heavily target retail and financial services industries. Uptycs was among 30 vendor participants in this round and this blog looks at the significance of these threat groups and breaks down the fascinating simulation and evaluation process.


Supply chain pain.

Privacy engineering.

Tangentially.

Have a great week and reach out with things I should be doing better.

_ryan

PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon).  As the kids say, like and subscribe, like and subscribe.
