In 2008 I was lucky to collaborate on DNS issues with Dan when he discovered a new form of DNS cache poisoning and spent years helping the Internet upgrade and defend against a serious and significant vulnerability. We all owe him a debt of gratitude for this and so much of his other work.
He was a hacker's hacker, and the guy you want in your corner. Very sad to hear this news.
A really good, and really detailed, overview of what Kaminsky found: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.htm... Kaminsky references this from the sidebar in his blog.
So very sad that he's gone so young.
A true inspiration in infosec.
Might post it myself if you'd prefer not to; I figured it might make sense for you to claim the credit/karma.
 - https://news.ycombinator.com/newsguidelines.html
We both went back to CCCamp in 2011. I excitedly told him about a reverse DNS scanning project (0.0.0.0/0 in 12 hours on AWS for like $50), and then we ended up talking about the Debian RNG bug and password security, walking around camp watching the lightning in the distance.
When I was doing my original brainwallet research back in 2013 and cracked the woodchuck wallet the first thing I did after showing my ex (then girlfriend) was call him. I told him I’d found something but didn’t feel comfortable discussing over the phone. He invited me over.
My ex and I hopped on BART headed into SF and met him at the loft he was living at above a motorcycle shop. We talked and carefully planned and then I accidentally made 250 BTC vanish.
Dan looked at me and said “[my ex] and I are going to go for a walk and return with burritos. You’re going to calm down and have this fixed by the time we get back. It’ll be okay.”
It was, and I did. I’d simply forgotten about change addresses for a brief moment of terror.
I think the first time he mentioned wanting to hire me was a few months later at a Bitcoin conference in San Jose. He believed in me. I went on to work alongside him at White Ops (now known as Human Security) in 2014. He brought me on stage with him at DEFCON that year.
He spent a lot of time helping me put together a CFP submission about my brainwallet research for DEFCON the following year and then helped me put together slides, rehearse, and had a professional help me refine everything. I couldn’t have done it without him.
My wedding was about six weeks before DEFCON - Dan showed up in an Uber, about an hour late. He explained that he’d confused Menlo Park for Morgan Hill when planning to leave. I was just thrilled to have him there.
Dan was a supportive friend, a great mentor, and a delightful colleague. I really can’t overstate what a positive impact he had on my life. It’s hard to believe he’s really gone. That I’ll never get to swap stories about our respective side projects with him again.
I miss him.
That's just terrific. Thank you for sharing.
I'm sorry for your loss.
A smart man and a nice man. RIP.
I was feeling a little isolated and lonely when I saw this guy in a black 2600 tshirt over by the “FooBar” bar and thought “finally someone I can talk to!” He was so welcoming and engaging it broke the ice and made the whole weekend worth it. We started talking about tunneling various protocols over DNS and ended up doing a midnight stroll with Fyodor all around Sevastopol looking for “interesting” things.
That’s the kind of guy Dan was. Everyone felt his warmth.
Dan was a rare mix of genius with an over-the-top personality. Seeing what crazy RFC-bending project Dan was doing was one of the best things about going out to Blackhat, DEFCON, or RSA. He is easily one of the best presenters I’ve ever seen: a perfect blend of compelling story, esoteric tech details, and those classic Dan mischievous grins.
I will miss you dearly Dan
There are so many things that existed because Dan sprinkled some magic here and there. He was incredibly charming, making electrons dance in ways I never thought possible. The man was a technomage, a grey-hatted magician.
Dan was far from perfect but I am thankful for every moment I spent with him. He was the first person to tell me that he believed in me when I was starting a hard technology company (I had never really managed any software project before).
I will miss Dan’s kind and generous soul until my dying breath. A true titan in all senses of the word.
Dan was always generous with his time and expertise. He was the kind of person who you could expect could easily become very rich, but was entirely unmotivated by money. Dan was fascinated to learn the inner workings of things we all take for granted - such as the DNS. A true hacker.
Thank you for sharing.
Interesting article here https://www.icann.org/en/blogs/details/the-problem-with-the-....
He always had a certain eccentricity to him. I never met him in person. He always was the prototypical nerd judging from his talks and mannerisms.
 - https://twitter.com/thedarktangent/status/138595909778312806...
He saved our company from extinction. I won't discuss the sequel to that, because it doesn't reflect well on some people who don't deserve that in this eulogy. But I will say that we retained our friendship through it all.
I'm absolutely gutted at this news. What a shining human being. A terrible loss.
He'd enjoyed a few drinks by the point he spoke to everyone, and the resulting honesty (accompanied by what I sensed as trepidation from the audience, about seeing a respected speaker in a vulnerable state) left a mark on me.
He was right: software security nowadays is a swiss-cheese mess, and the industry isn't addressing it.
His speech instructed me and perhaps others in the audience to deal with that new reality and adjust to it. It's tough for the original hacker / cypherpunk / purist mentality to adjust to. But it's where we are now, and it's a mindset that'll never die even if all of us that subscribe to it do.
It can be difficult when it appears that we are building and deploying so much more software than we are maintaining and securing.
I don't know exactly what mindset will win out - either an assumption that information always leaks and that that's helpful to catch people when they might fall, and/or a mindset that believes it's necessary to be able to create private channels -- if perhaps not private spaces, for safety reasons (is there a digital distinction there? could there be?). Fragmentation and/or consensus are two possible paths forwards (that different communities are already exploring).
I couldn't name one class of software or hardware, nor one layer in the 'stack' that hasn't been compromised. The only conclusion is to admit failure (as an industry) and rebuild everything from the ground up.
It's inevitable that some things will leak. Defense in depth will help mitigate the risk and contain the fallout.
(extreme paranoia, perhaps bred of experience, doesn't hurt either!)
Much love to his family and friends.
When people say Dan Kaminsky was a hacker’s hacker, it’s with good cause. Not only did he defend the Internet from itself, but he changed the way people see the world. He put a noticeable dent in the universe.
For me, he was one of my earliest examples of what a hacker was and should be. I aspire to his level of curiosity, openness, and kindness, and he'll be missed.
He was so curious about everything that it caught my attention, and I’m not just saying that. He pointed out how good the GPT-Neo samples were, which I hadn’t seen before.
I didn’t know he was anything except an enthusiastic person interested in AI. He even tried to help me with my M1 build of tensorflow. https://twitter.com/search?q=from%3Adakami%20to%3Atheshawwn&...
I’ll miss him.
Perhaps appreciate the people around you, I suppose. Never know when they’ll be the last words you exchange with them.
Dan: streams a tv show over DNS
Crowd: goes wild
He was one of the ones who I aspire to be: to show others they can do .*
This is a lovely moment I captured of Dan having a good time. I like 0:29 in particular, and wanted to share it with you. https://www.youtube.com/watch?v=D4jRaetW7k0
Edit: plus watching him and tqbf argue on Twitter about stuff was always fun.
You can see many of his CCC talks here:
That's a great tribute.
The world is worse off without him.
It was an early inspiration for a lot of my L3-in-userspace work.
I'm not sure whether I got it directly from him or if I had a saved copy, but that's the most recent version.
Absolutely god damn heart breaking.
A wonderful reminder that true brilliance and humanity can coexist.
Thank you for everything
Condolences to those who knew him.
He was one of the good guys. I'll miss him.
This is just insanely sad. I'm really sick of hearing about my friends passing - especially when they're brilliant.
He was a good man. My condolences to his friends and family.
Rest in peace Dan.
(Context here: He publicized a big DNS security hole which my MaraDNS never had, because I read Daniel Bernstein’s writings)
So sorry for the loss.
I have known him for decades, and I have never seen him take advantage of another person. Not ever. Not even once.
If he said he forgot to bring money, then he probably did.
Let us raise a cup to his name. A kind soul and an inspiration to us all.
They didn’t expect him to pay and yet he paid them back fairly promptly and actually gave a few cents more than he technically owed - which he claimed was interest at the prevailing rate.
I certainly don’t see him “hacking” his way to a free dinner on a(n) (un)suspecting victim.
Very true. Either way, I didn't feel taken advantage of. He truly was special, and I'm incredibly happy I got to spend some time with him.
I don't know how many years ago this was, but he's been a man of independent means for longer ago than whenever this happened.
I think you intended this as a sharing of a cool moment you had with the recently deceased, but you thoroughly missed the mark.
I maybe forget my wallet once per year, but I'd like to think that my friends have forgiven me for it. (And I always Venmo my share of the bill anyway.)
He gave the best Defcon talks.
What else can we do?
@dang can we get a black bar please?
Or only some of his family know, and it may be best that for those that haven't heard yet the best people to tell them would be the other family members that do know.
THIS IS BAD FOR EVERYONE!
Yes, it's embarrassing for the family (though it shouldn't be) because they feel like they can do more.
But the prevalence needs to be made public so we treat these things like the crisis they are!
And worse, in this case, people are even drawing ties to the vaccine!?!? What an insane intellectual lottery to play. But that speculation WILL cause direct negative outcomes!
Ugh, just ranting b/c as mentioned I have first hand experience with "it wasn't alcohol/drugs/suicide, it was cardiac arrest."
Your reply talks about other families who lie and state a false cause of death, which would be morally wrong but in this case is completely irrelevant because that's not what's happened.
The one bit of your comment which is relevant, I think, is wrong: namely "the prevalence needs to be made public so we treat these things like the crisis they are". We have anonymised statistics on suicide and overdose deaths. That is not the same as demanding a specific person's cause of death - and the sense of generalised academic interest you're alluding to is plainly not the reason for which people are curious about how he died. I wish we would get a grip on ourselves here, because it must be upsetting for anyone who knew him and is reading these comments, as surely some of those people are.
Edit: I died of a heroin overdose, briefly, before I was resuscitated. If I'd died permanently, my family may well have wanted to keep that information off the record permanently (easier in my case of course because I'm not a public figure). It's easy to think in the age of Wikipedia that all information is in the public domain and belongs to everyone. It's not, and it doesn't.
That's a bit of an assumption. Working out how someone died can be tricky.
I had never heard of Dan Kaminsky because I’m a typical 9-5 app dev who knows as much about security as I need to but never watch black hat or defcon presentations. It’s really interesting to peek into this world and discover someone who seemed to be a hero to many and unwittingly to me as it sounds like he has helped make the internet more secure. I appreciate the work of people who bring the issues to our attention. I’m beginning to go down the privacy rabbit hole (Pi holes etc.) as a result.
I’m not sure how others feel, personally I am conflicted: respect the death of an icon and not pry (even if others are speaking on his behalf) or satisfy my curiosity.
I’m going to go with the former, for now.
I don't think the curiosity to know is just for curiosity alone. I think it serves a purpose for everyone to bear witness to the kinds of things that take us.
There are a lot of people here making very high-minded comments about how it’s deeply important to the sum total of human knowledge that we learn the cause of his death so that we can reflect on our mortality, and so on and so forth. I can’t help but feel those comments are a bit insincere. It’s morbid curiosity, let’s be honest, and it’s not enough to justify speculating when his family and friends are probably reading these comments and possibly haven’t found out.
I guess it's the caveman in all of us who really needs to know what happened to his buddy so that he can avoid it. And I guess those without this curiosity in their DNA died out rather soon...
So it might not be insincerity but genetics.
May you live until tomorrow and may your genes prosper to fight another day ;)
I'd like to know what happened to my friend, who was himself always in pursuit of the truth.
Speculation is precisely what I don't want, though. If you don't have the data, please hold your tongue.
Is Marc Rogers Dan's family, or close friend?
In the interim, obviously a great many additional people and sources have reported it that could be chosen instead.
I don't mind them not giving facts. I just think it's silly to not give facts and then tell people not to speculate.
"I don't mind them not giving facts."
I demanded nothing. I simply pointed out that lack of information will always produce curiosity. If they don't want people curious, they have it in their power to stop them from being curious. Or they can be silent and leave people curious.
Perhaps I've missed the actual point of their request. As I think about it further, I wonder if they are simply requesting that people not spread baseless rumors, which is certainly a legitimate reminder for anybody to give at any time. Still, speculation seems to me to be more along the lines of an educated guess, rather than a baseless rumor.
In that case, sorry about the misunderstanding. I agree with you in that descriptive sense, that people will speculate.
I also think they ought not to speculate or demand information, and that it's quite l̶u̶r̶i̶d̶ [edit: morbid, rather] of them to do so. I understand the psychology behind it, because generally information is transparent and accessible by default these days. And generally that's a good thing. But people may not want to share certain information when grieving a loved one's death - and when they may still need to tell people who were close to him, rather than letting them find out from a trending Twitter topic. They may even never want the manner of their loved one's death to be an open fact on Wikipedia, like for instance David Carradine's family might have wished. I'm sympathetic in either case. I think we internet people as a whole really ought to be sympathetic too. Some of the comments on this thread are appalling in their sense of entitlement to know this information.
How do you know they have facts? It takes some time for a coroner / medical examiner to produce a report. The death certificate will have minimal information.
And your claim that speculation is reduced by releasing details is incorrect. Imagine a person dies a self-inflicted death -- there will then be speculation about whether or not this is suicide or misadventure, and what the causes were.
The story of how he died could be a valuable cautionary tale for people, as much as his talent and work was inspirational.