A Comment Unheard?

It’s interesting to me that the following, my comment to a post from Stefan Esser, was not approved/included in its comments:

So, are you angry because the entry was changed or because all the evidence points
to Chris S.? Because I can’t really tell.

Honestly, it really doesn’t reflect well on the Hardened-PHP project to have petty
issues like this brought up by one of its key members.

Are you upset about the content of the new item? If so, what part are they missing?
I go to the Hardened-PHP site and all I see are links to download the patch (as the
new version says) and some barely used forums. Where is the “dedication to promote
and teach secure PHP programming”?

Chris does well to have posts on his blog to help share security issues related to
both the bugs in PHP and just general common errors.

This post just seems a little inflammatory to me – of course that seems par for the
course for Stefan.

And yes, there were other comments posted after it, so it’s not a case of “just haven’t gotten to it yet”. Hmm…



  1. Liar. Your comment is the newest that was posted and it was not yet through moderation, because I have other things to do. And do you really expect me to give an answer to that comment? Our site contains several dozens of advisories. Every single one is a contribution to secure the PHP community. Every single one has taught the developers of the application what kind of errors they made. Members of the Hardened-PHP Project provide PHP Security courses and have written a German PHP Security book. There are even a few articles online in Services / Publications.


  2. Actually, I was talking with Aaron W. about the post and he noted that his comment was just posted – before mine. And is it just me or do I still not see the comment posted? (as of the time of this comment)

    I have no doubt that the advisories are helpful to people with issues on that software, but “taught the developers” is a bit of a reach. Providing information is “informing the developers” not “teaching” them.

    And I admit, the Hardened-PHP project name is around quite a bit in the PHP community. Fortunately, the other two of your group (Christopher and Peter, the ones who wrote the book) don’t share your seeming flair for the inflammatory. You don’t look before you jump and take everything as a personal attack towards you. You almost act as if the information on Wikipedia was changed to damage your project – as if there is no other method for people to find out information on it. Last I checked, that’s what Hardened-PHP.net is for – to promote the package and your involvement.

    PHPDeveloper.org doesn’t even have an entry in there and I could care less. I’m happy that people keep coming to the site because of the content I provide, not because someone has a summary of the site that I don’t like.

    And, honestly, on your previous comment, you could have started with just “Your newest comment…” and have been okay. By starting with an insult, I can imagine that over half of the people out there stopped reading right then. That cuts your “audience” down by half, and isn’t that what you really want? An audience?


  3. Hi enygma,
    I posted a follow-up comment two days ago. It still isn’t there. Mr Esser has the perfect right to refuse any comment (and I’m sure he does, especially in the case of spam), but he shouldn’t pretend that unposted “comments” are just ones he hasn’t moderated.

    Besides, so venomous is he on his blog posts that I’m surprised he just didn’t reply “Your comment is crap so I deleted it.” Instead it appears that there are fewer dissenting comments than is actually the case.

    But, hey, a blog isn’t a democracy!


  4. First of all, I respect both Chris and Stefan for what they have provided to the community. Chris helps a lot of people, not only with his book and company, but also helping out people like me on several forums and mailing lists. I cannot imagine another field in which I get personal answers from an obvious busy man to questions I post. Stefan obviously does a lot for the community as well with the hardened php project.
    I really don’t know the ins and outs of the specific situation so I won’t say anything about that. But I do think that being a professional and public figure means you have to be careful not only what you say but also how you say it.


  5. @David: I have not allowed your comment, because you actually admit in it that you never read the original blog entry by Shiflett but then start a rant against my tone. That you believe the new version of his blog entry has a good tone does not change the fact that he wrote a first one. And he still lets it sound as if I have not disclosed the bugs to them first. I have not contacted him, that is true, but I have contacted at least 6 members of that consortium before I posted my entry. It is not my problem if their internal communication is broken. He still insists in his blog entry that one of the bugs is not a security bug, which is a lie (or just proves how clueless he is). In a later disclosure I even mailed to their official consortium email address. Do you believe they have ever answered? No, in fact they cried again that I am unreasonable.

    Ohh btw… enygma why did you post your comment under the fake name ‘jarod’ anyway? Did you want to make it look like someone who is not an official buddy of Chris Shiflett speaks for him?


  6. Just another alias I use *shrug*.

    And it was more to make it seem impartial, as (I assume) it’s known that Chris and I are friends.

    I have no problem saying it was me, and I had nothing to hide when doing it. You seem to react so vehemently towards people you already know support him, that I figured maybe my comment would be read and understood more than treated with the same knee-jerk dismissive reaction you seem so good at.


  7. @Stefan: So what if I hadn’t read the original post? It’s not available for me to read. Has it occurred to you that Chris might have changed the content of that post because he regretted what he said? Lots of people do that. (I feel certain, though, that you’ll never be among them.)

    Your account of your communications with Chris and other members of the consortium is still available (starting with the second post on your blog), as are your claims about the “bugs” in his code. Readers can make up their own minds. In the meantime, your rudeness is probably losing you respect and customers. That he might be gaining from that should be your concern.

    He can continue to write about security, and so can you. Some people might prefer his views. Others might prefer yours. You ultimately have no control over that. Just because you’re right and have greater expertise doesn’t guarantee that your view will always prevail. Hell, why is George Bush the president (or John Howard the Australian prime minister)?

    In the comment you decided not to publish (no problems with that BTW … it’s your blog), I observed that you seem to be most upset that he gets more media attention. As said, that only proves he’s a better marketer. Get over it or get a publicist.

