Above is a blog post that states the facts of and a how to on a Kaspersky SQL injection. No comment is made on the sophistication or lack thereof of the attack either way. If you don’t think it’s special (it is not a new or novel attack method) then you don’t have to read about it. Sometimes it is not the attack, but the target, that makes something worth looking at. Others, a portion of the audience we try to reach, are not all that familiar with the mechanisms of these attacks. It doesn’t mean they are not smart folks, just that they are specialists elsewhere who want a concise description of what happened, why, and from a technical perspective how. Still others fully understand web application attacks like SQL injection, but want a decent summary of exactly what happened in this particular case.

Frankly, listening to people on any side of the information security equation talking about their skillz or how elite they are is an irritant. We can assure you from enough years of experience that in any area of specialization there are those you are better than and those that are better than you. If more are worse than are better, you’re probably an interesting person to talk to.

We mention Litchfield twice, first in reference to the fact that he was hired to determine the scope of the database access when Kaspersky USA was hit earlier in the year. The second time we joke about him being on a plane to do the same thing again. At no time do we discuss whether he is uber or not (his books and contributions are pretty good though in our opinion, if you’re asking). We do know what Unu and others are driving at mentioned him in their posts, we didn’t miss the sarcasm, but choose to carry none of that forward in our post. Because at the end of the day David was hired to do an audit of a database, probably did it to a reasonable level of quality, and has no going forward responsibility for the web application security of Kaspersky web sites.

Full disclosure is a bitch? It can be, but that’s a well worn topic worthy of its own blog post and debate. Frankly much of what constitutes the responsible disclosure debate is nonsense in our opinion, but another time and another place.

And somewhere in there you seem to be irritated by the phenomenon of foreign hackers finding problems with the web sites of brand name companies, and with the editorializing done alongside it in the blog posts. That’s a fair point, an opinion others clearly share from the comments made on those other blogs, but would seem unrelated to how bright we are?

Unless you are making a point that we are inflating what’s happening by doing a blog post about it. To that we respond that’s it is our blog, we’re not paid to do it, and thus we’ll write about what interests us. We’re not the media (ostensibly media get paid for writing), so we do not owe anyone anything. It interests us in this case that a security company had a problem like this, dealt with it by basically saying it will never happen again, and then seeing how they react when it does happen again. This casts no dispersions on Kaspersky, a company of experts, because web vulnerabilities are very common. But it is commentary and observation on the handling of this specific situation.

Congratulations on your mastery of anonymous proxies.

I see you made a comment ’bout David Litchfield. Perhaps it is in direct relationship with “unu”’s comment ’bout David Litchfield… Let me translate it for you: “uber” from there means “dumb ass”. Source: http://www.hackersblog.org/2009/12/03/kaspersky-com-pt-hacked/

I made a comment on “unu’s” post regrading the hidden irony from its blog post. My comment never made it(I can post it here if you like), full disclosure is a bitch, I assume, when it comes to your own shit, especially when you’re full of it.

What do we have here ? It’s very simple, it’s called escalation of skilzz… A bunch of romanian script kiddies, inflated by dumb ass media, think now they “secure the web”… Weee…

Posted by anonymous, through anonymous proxies(see, anybody can do it), as your romanian script kiddies…

source: http://www.imdb.com/title/tt0465602/quotes

Mr. Smith: You know what I really hate? [Smith shoots Hertz in the the chest] Mr. Smith: What I really hate, is a pussy with a gun in his hand.