At about 1:04 in this talk by Thomas Ptacek he says:
“Zed Shaw will kill your company before security kills your company.”
I heard the above quote and laughed it off. “Ah, I can take a joke.” But, no, this is a little more serious I’m afraid. This is actually classic libel and I hate to say it, but I gotta ask Thomas to apologize for it and say the statement was false.
He spends several minutes talking about how my attempt at implementing Utu and my crypto choices would somehow destroy a company. The lead-in to these statements also mentioned John McCain as President being another thing that will kill your company, bad product managers, and poor design, so the statement is rather strong and associates me with negative events in the life of a company.
Now, I’m all for ripping into my software. I can take it as good as I give it. Point out security vulnerabilities until the cows come home. That’s why I release my software, especially anything with crypto. I believe that nobody’s perfect and half the enjoyment of open source is getting other people to look at my code.
You can even call me names, like dickhead, prick, and arrogant fuck. Say “Zed’s Dead” all day long. I can easily take it as much as I give it out. Rip into my writing style. Say I’m lousy at public speaking. Say I suck at playing guitar. Don’t I know it.
However, the above quote is libel. You may not take this too seriously, but it’s statements like this that made it hard for me to find work in the past.
False rumors spread and perpetuated by my peers are a death sentence on my ability to find work as a software developer. They undermine my chosen profession and reputation, especially when they’re spoken by a trusted security expert to a large audience and then placed online for many people to see.
For some companies, that statement alone is enough to not even consider hiring someone.
Just to make it clear, here’s the definition of libel and slander off Wikipedia:
Slander and libel are false or malicious claims that may harm someone’s reputation. If false, malicious statements are published in mainstream media (i.e. on the internet, in a magazine, etc.) then it is classified as “libel”. If the defamatory statements are only spoken, then it is called “slander”.
I’ve never killed a company. Especially not one I’ve worked for. I’ve never even had the power to kill a company. The above statement is entirely false, and in the context of the talk, really does work to harm my ability to find work in my field.
However, I hope that Thomas Ptacek is a good man who realizes that his comment may have been too much. I’m hoping that Thomas can post an audio or video recanting his statement. I personally feel a blog post isn’t enough to undo the above, and only a verbal, equally available statement would correct it.
I’m not the kind of guy to throw lawyers at someone. Hell, I don’t even have the money for one. So I’ll just ask for the apology and take it from there. I also wouldn’t want this to get out of control, since it easily could, so hopefully Thomas can contact me and resolve this quickly.
So please Thomas, I’d appreciate it if you’d apologize publicly.
P.S. I decided to post this here as an open letter since the statement is already in the open. It will at least potentially serve as a rebuttal to the statement in the event Thomas doesn’t apologize.