Chris Shiflett once again proves his poor character

Saturday, February 18. 2006

Saturday, February 18. 2006



It is widely known, that Chris Shiflett tries every dirty marketing trick to get attention to himself and his pseudo PHP security consortium. He tries hard to make everyone believe, that he is the non-plus-ultra PHP security guy.


Once again he has crossed a line, once again he proves his malicious attitude against the Hardened-PHP Project. A friend just pointed me to a modification of the Wikipedia article about PHP. In the changeset it is clearly visible that someone who mysteriously happens to have the same static IP, that Chris Shiflett uses, manipulates the entry describing the Hardened-PHP Project (removing information about our actions) and shamelessly adds his own site/book to the article.

Posted by Stefan Esser in Security, PHP at 13:13
Comments (26)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Gustavo Narea ()
This information seems to be true:

The IP address 69.112.168.234 was used to modify that wikipedia's article and It's also used by Shiflett when he posts to the PHP General user-list. You just have to review the headers of any email message sent by Shiflett.

These headers belong to an email message sent by Chris Shiflett on January 31st 2006 (2 days before edition of that wikipedia article):

Newsgroups: php.general
Path: news.php.net
Xref: news.php.net php.general:229602
Return-Path:
Mailing-List: contact php-general-help@lists.php.net; run by ezmlm
Delivered-To: mailing list php-general@lists.php.net
Received: (qmail 73658 invoked by uid 1010); 1 Feb 2006 03:19:41 -0000
Delivered-To: ezmlm-scan-php-general@lists.php.net
Delivered-To: ezmlm-php-general@lists.php.net
Received: (qmail 73643 invoked from network); 1 Feb 2006 03:19:41 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
by localhost with SMTP; 1 Feb 2006 03:19:41 -0000
X-Host-Fingerprint: 167.206.4.199 mta4.srv.hcvlny.cv.net NetCache Data OnTap 5.x
Received: from ([167.206.4.199:44090] helo=mta4.srv.hcvlny.cv.net)
by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP
id 33/65-23224-8C820E34 for ; Tue, 31 Jan 2006 22:19:36 -0500
Received: from [192.168.1.101]
(ool-4570a8ea.dyn.optonline.net [69.112.168.234]) by mta4.srv.hcvlny.cv.net
(Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
with ESMTP id for
php-general@lists.php.net; Tue, 31 Jan 2006 22:19:13 -0500 (EST)
Date: Tue, 31 Jan 2006 22:19:13 -0500
In-reply-to:
To: "Murray @ PlanetThoughtful"
Cc: "[php] PHP General List"
Message-ID:
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7BIT
X-Accept-Language: en-us, en
References:
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
Subject: Re: [PHP] CR \ LFs being represented as ascii characters in output of
mail()
From: shiflett@php.net (Chris Shiflett)

Cheers
posted on Saturday, February 18. 2006
#2 HawleyJR ()
So you have posted this to whine about someone else’s poor behavior??? I'm thinking that is pretty poor behavior. Time to be constructive. I've been doing PHP for over 6 years now and have NEVER heard of the Hardened-PHP-Project, on the other hand, I do hear Shiflett's name mentioned, quoted and discussed on a regular basis. Wikipedia is what it is get over it.
posted on Saturday, February 18. 2006
#2.1 Stefan Esser ()
HawleyJR get a clue about what you are talking, get a clue about who found all major security holes in PHP during the last 6 years and then come back. If you have never heard of the Hardened-PHP Project then it is simply your fault not our. And that you hear Shiflett's name on a regular basis is no wonder. He is very busy pasting his name all over the internet instead of improving the security of the PHP commuity.

And this blog entry just shows his dirty tricks. Removing information about those who actually bring forward the security of the PHP community.
posted on Saturday, February 18. 2006
#2.2 Helgi wrote (Link) ()
I think that just shows how little you have been following PHP if you haven't heard of the Hardening project but I'm not very suprised that you've heard about Chris, he's all talk and no action person IMHO ... Even people in that consortium question the validty of the whole consortium, for my part I think it was mostly some marketing boost for his own company and at best a poorly thought out effort (kinda like, hey lets do this nifty idea and later on figure that you don't have time nor the energy to do it)
posted on Saturday, February 18. 2006
#2.2.1 Derick wrote (Link) ()
Correct. I thought it was a good idea at the start, but since they were not doing anything useful (besides pissing off other people like Stefan) I got out.
posted on Saturday, February 18. 2006
#2.2.2 Gustavo Narea ()
I agree with you.

I am disappointed on the "PHP Security Consortium". They've done almost nothing for the PHP community: The "PHP Security Guide", 2 articles (the last one was released 1 year ago) and a link section (aka "Library")... Despite their main goal in phpsec.org/about/

But they *do* use that name to promote Shiflett's books and talks.

Cheers.
posted on Saturday, February 18. 2006
#2.2.3 Sledge wrote (Link) ()
If you developed PHP for 6 years and never looked for a hardening patch for the core then I'm sorry, but you're the reason why PHP has a bad rep when it comes to the quality of its developers. There are a lot of low skill people 'developing' in PHP such as yourself who don't bother themselves with gaining any deep understanding of the way PHP works.

Do you not read professional articles? have you never noticed the security advisories related to PHP? most of those get closed up pretty well with Hardened-PHP, which is why I've used it in multiple projects.

I guess you think that reading Shiflett's Duh articles about security will help you around.
posted on Monday, February 20. 2006
#3 Peter Pistorius wrote (Link) ()
I'm shocked, this is inexcusable behaviour on the part of Chris ... I'm disgusted at his actions. PHP is a community based project.

Response to HawleyJR:
Anything done to harm Hardened PHP is directly related to Stefan, it's his project. So he's allowed to bring it to our attention. Besides, you've been using PHP for 6 years? Well then ... Why don't you call phpinfo() and go look at the credits.
posted on Saturday, February 18. 2006
#4 HawleyJR ()
Good, now that I got everyone all rallied up here is the thing. Yes, I have heard of Hardened how else you think I found the blog...duh! My point was Chris is very well known. Both Chris and Hardened have common goals; security. Shiflett is there to educate Hardened is coming at it from the internal PHP side. Now, was it right *or ethical for him to change the links. I'd say no. Now ask yourself this...Is it right *or ethical for Hardened to attack someone’s (Anyone’s) character? Nope :-) As for the comments about him pushing his book? Of course why wouldn't he? Wouldn't you?
posted on Saturday, February 18. 2006
#4.1 Stefan Esser ()
HawleyJR: You are mistaken. In the beginning Hardened-PHP was just a patch... Internal patch but during the last year this was changed. Christopher and Peter have talked as members of the Hardened-PHP project at various conferences and/or user group meetings. Additionally they were teaching PHP security at f.e. the linuxhotel, released a PHP security book. We also did several commercial audits with the brand Hardened-PHP Project. We are not only the patch anymore and Shiflett removed the fact that we do more than the Patch from Wikipedia and also from phpsec.org because we are in direct competition with his company and the consortium. This behaviour is totally unprofessional. Something he always accuses me to be.
posted on Saturday, February 18. 2006
#4.1.1 HawleyJR ()
That's fine, I wasn't aware that Hardened-PHP is now doing learning events. Good for you guys. However, to get to the point of the pot calling the kettle black. Is attacking someone's character professional? See previous comment about being constructive...
posted on Saturday, February 18. 2006
#4.1.1.1 Peter Pistorius wrote (Link) ()
I do not agree with you HawleyJR. (I also do not believe that you're previous comments were written to "rally us up." I belive you're simply trying to save face, as they say).

If you're caught doing something malicious then it is a natural, and fair, response that this person must be brought to justice.

If Mr. Shiflett didn't want to have his name disgraced then he shouldn't have been so careless with his reputation... Maybe not attending in his anti-competitive behavior would be a start?

Also, you're stating that Shiflett and Hardened have common goals, but why does Shiflett work against this common goal?
posted on Saturday, February 18. 2006
#4.1.1.1.1 HawleyJR ()
Save Face from what? The fact that I called them out for being a hypocrite? By attacking a persons character, calling him unprofessional and unethical. When in turn that's what he is doing by posting a blog with such a malignly subject: "Chris Shiflett once again proves his poor character"

Disagree with that's fine. But ask yourself this. Regardless of what happened. Is it ethical, professional or in good character to talk about another person in a slanderous manor?
posted on Saturday, February 18. 2006
#4.1.1.1.1.1 Curious George ()
It's only slanderous if it's false, which clearly does not apply in this case.
posted on Saturday, February 18. 2006
#4.1.2 Richard Davey wrote (Link) ()
Do you know if there is ever likely to be an English release of PHP-Sicherheit?
posted on Saturday, February 18. 2006
#5 Sebs ()
- quote -
Disagree with that's fine. But ask yourself this. Regardless of what happened. Is it ethical, professional or in good character to talk about another person in a slanderous manor?
- quote -
Good question to ask. Regardless the topic, missing the right tone in the criticism. Wikipedia is a official medium, everyone has the right to edit it.
posted on Saturday, February 18. 2006
#5.1 Stefan Esser ()
Yeah and everyone has the right to demonstrate how Shiflett misuses Wikipedia, to alter facts to boost his own company.
posted on Sunday, February 19. 2006
#6 Robert Brown ()
So weird. I just read the Wikipedia article, found Planet PHP from there, then from there found this entry complaining about the author who added the link to Planet PHP. What a small world...

The evidence you point to doesn't support your statements. Someone added a PHP book to a list of PHP books. Doesn't seem like it matters who added it, it doesn't violate any standards of which I am aware.

I bet the people involved in the Hardened-PHP project wouldn't actually mind the modification to their description, because it's an improvement. The original description focuses on the people and says they're developing a modification to PHP. It sounds like they're not done, so it doesn't sound very important or interesting. It also sounds like they wrote it themselves, because they focus on themselves and not the project.

The new description focuses on the project and makes it sound complete, and useful. It's a patchset that adds security hardening features to PHP. I just looked at this project, and that's actually how they describe their own project, so I'm sure they would not mind. I suspect that their project will receive more attention now that it sounds complete. Whoever the author is should be thanked, not attacked.

So it seems that no harm has been done here by anyone. Forgive me, but I don't see why you feel it necessary to attack someone.
posted on Saturday, February 18. 2006
#6.1 Stefan Esser ()
Oh my god Robert. What a nice *FAKE* story.

I am the founder of the Hardened-PHP Project, which is not only the patchset, but kinda another security consortium, with the little difference that we actually perfom action and are more than a dead website.

Shiflett's wikipedia manipulation tries to hide this fact by reducing us to being the creators of a patchset. This manipulation is malicious and proves his bad character.
posted on Sunday, February 19. 2006
#7 Rickard Andersson ()
It might not be "the ethical thing to do", but I for one applaude these kinds of announcements. When one has the ability to bring to light these kinds of dodgy actions, one should. Could it have been dealt with more professionally by Stefan? Well, Chris Shiflett threw professional out the window when he tampered with the Wikipedia entry, so I really couldn't care less.
posted on Sunday, February 19. 2006
#8 David Rodger ()
Hey Esser,

Once would expect that, in a competitive environment, you would seek to show where Shiflett has gone wrong and you have done so on a number of occasions. It is also not so surprising that he has not always admitted his errors. However, you never leave it there. You speak about the man in a sneering tone which makes you sound like a petty schoolyard bully. He, on the other hand, has never made ad hominem attacks against you. So, while it would appear the Shiflett has engaged in anti-competitive behaviour (as Peter Pistorius said), this is not an example of his "once again" being malicious toward Hardened-PHP.


Furthermore, he regularly writes about PHP security and I don't see you attacking absolutely everything he says. Why? presumably because some of the general points about security are valid ones. Maybe that's why people listen to him. If you don't like that, get out there and distribute your own writings. On the other hand, if you said you don't have time, maybe it's because you're too busy providing your services. I guess Hardened-PHP isn't doing too badly after all!

If you were smart about this, you'd point out his errors (and in this case, his apparent actions) and leave the personal attacks out of it. Don't you think that the market (the rest of us, that is) can make up our own minds about him?

Anyone else see the irony of having a textarea element for comments whose background says "Please consider what you post" when the owner of the blog so often lacks consideration?
posted on Sunday, February 19. 2006
#8.1 Stefan Esser ()
Get your facts straight. It is Shiflett who attacked me first. When I disclosed a few holes in his guide he attacked me within his blog, saying that it is not a bug in his guide, but all my fault of understanding, that he has to explain it better so that even I do understand it.

Later he rewrote the blog entry a bit, but that doesn't change the fact that he started it and I am only finishing it.

And if you don't like my tone, then you are free to not read my blog.
posted on Sunday, February 19. 2006
#9 Peter Pistorius wrote (Link) ()
I completely agree with Mr. Esser in this matter, I have never had anything against Shiflett... But as far as that goes I don't respect the man one once and will share this story with the community I'm involved in.

Shiflett did attack Esser first, and it is for the reasons Essar stated. Shiflett might be suffering from a bruised ego? I don't understand his motivation for any of this besides trying to decredit Mr. Essar.

Why is it, with all this "noise" about this entry, that Mr. Shiflett has not joined this discussion and given us some answers for his actions...
posted on Sunday, February 19. 2006
#10 Jacques Marneweck wrote (Link) ()
Speaking about Chris's PHP Security booklet, I was highly disappointed in the lack of content in his book :-( Ilia's book provided a much better guide to writing secure PHP applications.

What is quite amusing is the fact that Chris and Stefan keep having little tiffs all the time as the one provokes the other one and then we have our soap opera episodes of the one attacking the other one.

It's quite obvious that Chris is just interested in making money rather than improving security for end users in the PHP community :-( I don't feel that brainbulb is 'the PHP consultancy' just 'a PHP consultancy' if you ask me, but that's sort of like Zend who claim that they are 'the PHP company'.
posted on Sunday, February 19. 2006
#10.1 Aaron wrote (Link) ()
I enjoyed shiflett's book, it was a "Consumers Guide" to PHP Security, short and easy to read focused at people who are most likely to make security mistakes, it could have focused a little more on some issues, but it would certainly put a "seeker" well on the way to enlightenment. I liked Ilia's book because of the real-world developer feel it had to it. The code samples were great and I enjoyed the writing style.

I think that the general tone of these blog posts (and the ensuing discussions) are a bit harsh, but at the same time I'm happy to see that we have elements in the security community who speak out when something is not right, or when they see what they think is snake oil. That's healthy, and an essential part of PHP security.

As far as the PHP Security Consortium, I would be very happy to see it opened up. Create public mailing lists, CVS repositories for their projects. Just a little bit of transparancy will put an end to a lot of these issues. At least you'll be able to use the "submit a patch" line ;-)
As far ast he

As


As
posted on Monday, February 20. 2006
#11 Patrick Smallwood wrote (Link) ()
I just wanted to mention that the changes in question, redefining the patch project narrowly, as just a patch, have been subsequently fixed.

The wikipedia page now shows the more indepth definition, hopefully ending the whole reason for concern here.
posted on Wednesday, March 1. 2006

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back August '08 Forward
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
Archives
August 2008
July 2008
June 2008
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP