[Owasp-board] [Owasp-leaders] [Owasp-community] IAB Statement on the Trade in Security Technologies

Jim Manico jim.manico at owasp.org
Mon Jun 22 01:05:19 UTC 2015

With respect, I disagree with your take on this Jeff. Official OWASP 
public statements should be done with care.

Also, this issue is not resolved yet and I am simply stating *my 
opinion* on the matter backed by research and references to IRS 
guidelines discussing this matter. And again I've stated that this is a 
nebulous area even by IRS regulation.

_*We are discussing this at the June 24 board meeting - a meeting in 
which I hope that you and the community attend.*_

Making a big statement like this as an official message of the OWASP 
foundation - especially since it's political in nature - does in my 
opinion require board discussion. I know you want us to "jump on this" 
immediately - and we are Jeff - in just a few days.

In fact, if the language is crafted in a way that keeps clear of 
specific legislation, I will likely vote to push this out. I agree with 
it 100%, I am only concerned if it's the right thing for OWASP to be 
making such a public statement.

It is critical for all of us in OWASP leadership to be aware of the 
limits of what a 501(c)(3) should be doing, and when I hear that the 
members of the foundation want OWASP to make a public and politically 
charged statement of intent, I think it's crucial for the board to be a 
part of it since the board holds legal responsibility for the operations 
of the foundation.

See you June 24th?



On 6/21/15 2:47 PM, Jeff Williams wrote:
> This is a false dichotomy -- OWASP can and should do both. The Board 
> should work to assist and support *any* idea consistent with our 
> mission...even if...especially if... you don't think it will work.
> You can't let *your* judgement influence the decision to support a 
> project. If you do, then all we will ever get is Board ideas.  And, 
> respectfully, I don't trust you or any other individual to think up 
> the next great AppSec idea.
> The Board shouldn't interfere at all unless somebody is doing 
> something harmful to the organization or the mission. And even then 
> should try to figure out a productive path for that energy.
> Again respectfully, you should get out of the way.
> --Jeff
> On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico" 
> <jim.manico at owasp.org> wrote:
>     Jeff,
>     My take on this is that "talk is cheap" and that "actions are more
>     powerful than words". I'd rather keep out of legislation and focus on
>     making important projects like ESAPI, ASVS, Security Shepherd and
>     others more powerful.
>     I am sorry you are disappointed in current board action, but there
>     is good reason behind the perspective I am stating. Also, this is
>     my opinion alone, not the entire board's.
>     Again, take a look at Whisper Systems. They are providing
>     incredibly well created and well assessed open source projects for
>     secure communications. These open source projects are now being
>     integrated into various Operating Systems and other projects.
>     If ESAPI was not abandoned, it could have been serving our
>     mission - planet level. I want to see it and other key projects
>     revived and well funded.
>     The power of a well built security project is worth more than a
>     thousand words. Talk is cheap. Actions that change the world take
>     sweat, blood and staying the course even when it's no longer
>     financially beneficial to do so.
>     Respectfully,
>     --
>     Jim Manico
>     Global Board Member
>     OWASP Foundation
>     https://www.owasp.org
>     Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
>     On Jun 21, 2015, at 2:12 PM, Jeff Williams
>     <jeff.williams at owasp.org> wrote:
>>     For the record, the IAB is part of the IETF, which *is* a 501c3.
>>      Even though 501c3 organizations *can* do some lobbying (as long
>>     as expenditures are not substantial), the IAB is careful not to
>>     talk about legislation or urge anyone to contact representatives
>>     about legislation.
>>     As the creator and longtime Chair of the OWASP Board, I'm
>>     frustrated that the current Board isn't falling over themselves
>>     to support efforts like this.  IMO the whole purpose of the Board
>>     is to create a great platform to support and amplify the efforts
>>     of anyone willing to contribute to our important cause. Doesn't
>>     matter the topic, but instead of saying no or criticizing ideas
>>     or projects, figure out a way to make it work or make them better.
>>     In this case, and a million other topics, it would be incredibly
>>     easy to stick to the technical realities and feasibility of any
>>     approaches being discussed in the news.  No need to mention
>>     legislation.
>>     --Jeff
>>     Jeff Williams | CTO
>>     Contrast Security
>>     410.707.1487 | @planetlevel @contrastsec
>>     _____________________________
>>     From: Jim Manico <jim.manico at owasp.org>
>>     Sent: Sunday, June 21, 2015 7:37 PM
>>     Subject: Re: [Owasp-leaders] [Owasp-community] [Owasp-board] IAB
>>     Statement on the Trade in Security Technologies
>>     To: McGovern, James <james.mcgovern at hp.com>
>>     Cc: <owasp-community at lists.owasp.org>, OWASP Board List
>>     <owasp-board at lists.owasp.org>, owasp-leaders
>>     <owasp-leaders at lists.owasp.org>
>>     I will - for sure - put this on the June 24th Board meeting
>>     agenda. My opinion (based on research over the years trying to
>>     understand my duty to the foundation) is to keep AWAY from any
>>     even slight attempt to influence legislation.
>>     In general I see projects, documentation efforts and  conferences
>>     doing much to unite us in our shared mission. But start
>>     discussing politics and it will go a long way to divide us as a
>>     community.
>>     I suggest that we focus on *doing something* vs *saying something*.
>>     Imagine funding open source projects similar to Whisper Systems
>>     or enhancing our documentation projects to be much more up to
>>     date and relevant or building professional open source training
>>     material? This is how I think the foundation can best face these
>>     issues while at the same time serve our mission while at the same
>>     time keep away from influencing legislation. :)
>>     And for what it's worth, I strongly dislike the fact that I'm
>>     bringing these things up. I'm not trying to ruin anyone's party
>>     here. But I do feel it's my duty as your elected board member to
>>     do so.
>>     Aloha,
>>     -- 
>>     Jim Manico
>>     Global Board Member
>>     OWASP Foundation
>>     https://www.owasp.org
>>     Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
>>     On Jun 21, 2015, at 1:23 PM, McGovern, James
>>     <james.mcgovern at hp.com> wrote:
>>         Jim, while you are going to the board for legal
>>         clarification, please inquire:
>>         1. 501c3 is a US thing. Can we influence non-US government
>>         and still comply?
>>         2. Understanding the US political issues sometimes will put
>>         us on a partisan path. For example, in CT I have commented in
>>         the past in a political context on why smart guns are just
>>         plain stupid. This particular issue leans more
>>         conservative/libertarian than it does Liberal. Therefore, we
>>         must attempt to understand the flow of politics on any given
>>         Sunday.
>>         3. Maybe we could somehow solve this by having a policy that
>>         encourages legislators of all parties to reach out to their
>>         local chapter leader for an informed opinion.
>>         -----Original Message-----
>>         From: owasp-community-bounces at lists.owasp.org On Behalf Of
>>         Jim Manico
>>         Sent: Saturday, June 20, 2015 4:37 PM
>>         To: Kevin W. Wall
>>         Cc: OWASP Board List; owasp-community at lists.owasp.org;
>>         owasp-leaders
>>         Subject: Re: [Owasp-community] [Owasp-board] IAB Statement on
>>         the Trade in Security Technologies
>>         I agree with you Kevin. Even the IRS is cagey about this topic.
>>         However, this is an organization risk that I feel we should
>>         be aware of before charging too far into policy. It would
>>         behoove us to get legal review before going too far. I'll
>>         bring this up at the next board meeting.
>>         Aloha,
>>         -- 
>>         Jim Manico
>>         @Manicode
>>         (808) 652-3805
>>             On Jun 20, 2015, at 9:47 AM, Kevin W. Wall
>>             <kevin.w.wall at gmail.com> wrote:
>>             Jim,
>>                 On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico
>>                 <jim.manico at owasp.org> wrote:
>>                 That is fair Michael.
>>                 But I do want to warn the community that this is a
>>                 slippery slope, we are being watched, and trying to
>>                 influence legislation is one of the few ways OWASP
>>                 can lose its charitable status. And if that happens,
>>                 the debate about what to do with our funds will
>>                 quickly change for the worse.
>>             I don't think that it is impossible for charitable
>>             organizations to comment on public policy without losing
>>             their 501(c)(3) status, but it just has to be done in the
>>             right way. (However, IANAL, so I don't even begin to know
>>             the details of what that "right way" would entail.)
>>             As a case in point, the ACM has a 501(c)(3)
>>             not-for-profit status, and yet their public policy
>>             arm--the USACM--has certainly tried to influence public
>>             policy. (Recall the crypto debate from the late 1990s?
>>             The USACM and IEEE wrote a letter to Sen. John McCain to
>>             try to influence the US legislation not to pass laws to
>>             mandate weak encryption. E.g., see
>>             <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
>>             So I'm guessing that the devil is in the details of how
>>             it is done.
>>             In fact, according to Spaf's blog at
>>             <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
>>             the USACM is going through this same thing again. Like I
>>             said, I am not a lawyer and maybe this attempt to
>>             influence public policy doesn't strictly qualify as
>>             "lobbying" in the eyes of the IRS. But it certainly
>>             doesn't seem impossible.
>>             Also, we can--and should--all speak out strongly against
>>             things that we believe are against the OWASP mission, but
>>             we don't have to do it in a manner as representing OWASP.
>>             Do that on your personal blogs or social media instead of
>>             OWASP mailing lists and there shouldn't be an issue,
>>             especially if you add a short disclaimer as to how your
>>             opinion does not necessarily affect the opinion of OWASP
>>             overall (in the cases when there might be some doubt).
>>             So perhaps if we decide that we officially want to speak
>>             out on certain public policy as an organization in order
>>             to influence public policy in accordance with our mission
>>             statements, then someone who understands the nuances of
>>             the 501(c)(3) IRS regulations could help OWASP navigate
>>             these waters.
>>             -kevin
>>             -- 
>>             Blog: http://off-the-wall-security.blogspot.com/
>>             NSA: All your crypto bit are belong to us.
