[Owasp-board] [Owasp-leaders] [Owasp-community] IAB Statement on the Trade in Security Technologies
Jim Manico
jim.manico at owasp.org
Mon Jun 22 01:05:19 UTC 2015
With respect, I disagree with your take on this Jeff. Official OWASP
public statements should be done with care.
Also, this issue is not resolved yet and I am simply stating *my
opinion* on the matter backed by research and references to IRS
guidelines discussing this matter. And again I've stated that this is a
nebulous area even by IRS regulation.
*We are discussing this at the June 24 board meeting - a meeting in
which I hope that you and the community attend.*
Making a big statement like this as an official message of the OWASP
foundation - especially since it's political in nature - does in my
opinion require board discussion. I know you want us to "jump on this"
immediately - and we are Jeff - in just a few days.
In fact, if the language is crafted in a way that keeps clear of
specific legislation, I will likely vote to push this out. I agree with
it 100%, I am only concerned if it's the right thing for OWASP to be
making such a public statement.
It is critical for all of us in OWASP leadership to be aware of the
limits of what a 501(c)(3) should be doing, and when I hear that the
members of the foundation want OWASP to make a public and politically
charged statement of intent, I think it's crucial for the board to be a
part of it since the board holds legal responsibility for the operations
of the foundation.
See you June 24th?
https://www.owasp.org/index.php/June_24,_2015
Aloha,
Jim
On 6/21/15 2:47 PM, Jeff Williams wrote:
> This is a false dichotomy -- OWASP can and should do both. The Board
> should work to assist and support *any* idea consistent with our
> mission...even if...especially if... you don't think it will work.
>
> You can't let *your* judgement influence the decision to support a
> project. If you do, then all we will ever get is Board ideas. And,
> respectfully, I don't trust you or any other individual to think up
> the next great AppSec idea.
>
> The Board shouldn't interfere at all unless somebody is doing
> something harmful to the organization or the mission. And even then
> should try to figure out a productive path for that energy.
>
> Again respectfully, you should get out of the way.
>
> --Jeff
>
>
>
> On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico"
> <jim.manico at owasp.org> wrote:
>
> Jeff,
>
> My take on this is that "talk is cheap" and that "actions are more
> powerful than words". I'd rather keep out of legislation and focus on
> making important projects like ESAPI, ASVS, Security Shepherd and
> others more powerful.
>
> I am sorry you are disappointed in current board action, but there
> is good reason behind the perspective I am stating. Also, this is
> my opinion alone, not the entire board's.
>
> Again, take a look at Whisper Systems. They are providing
> incredibly well created and well assessed open source projects for
> secure communications. These open source projects are now being
> integrated into various Operating Systems and other projects.
>
> If ESAPI was not abandoned, it could have been serving our
> mission - planet level. I want to see it and other key projects
> revived and well funded.
>
> The power of a well built security project is worth more than a
> thousand words. Talk is cheap. Actions that change the world take
> sweat, blood and staying the course even when it's no longer
> financially beneficial to do so.
>
> Respectfully,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
>
> On Jun 21, 2015, at 2:12 PM, Jeff Williams
> <jeff.williams at owasp.org> wrote:
>
>> For the record, the IAB is part of the IETF, which *is* a 501c3.
>> Even though 501c3 organizations *can* do some lobbying (as long
>> as expenditures are not substantial), the IAB is careful not to
>> talk about legislation or urge anyone to contact representatives
>> about legislation.
>> As the creator and longtime Chair of the OWASP Board, I'm
>> frustrated that the current Board isn't falling over themselves
>> to support efforts like this. IMO the whole purpose of the Board
>> is to create a great platform to support and amplify the efforts
>> of anyone willing to contribute to our important cause. Doesn't
>> matter the topic, but instead of saying no or criticizing ideas
>> or projects, figure out a way to make it work or make them better.
>> In this case, and a million other topics, it would be incredibly
>> easy to stick to the technical realities and feasibility of any
>> approaches being discussed in the news. No need to mention
>> legislation.
>> --Jeff
>>
>> Jeff Williams | CTO
>> Contrast Security
>> 410.707.1487 | @planetlevel @contrastsec
>>
>>
>> _____________________________
>> From: Jim Manico <jim.manico at owasp.org>
>> Sent: Sunday, June 21, 2015 7:37 PM
>> Subject: Re: [Owasp-leaders] [Owasp-community] [Owasp-board] IAB
>> Statement on the Trade in Security Technologies
>> To: McGovern, James <james.mcgovern at hp.com>
>> Cc: <owasp-community at lists.owasp.org>, OWASP Board List
>> <owasp-board at lists.owasp.org>, owasp-leaders
>> <owasp-leaders at lists.owasp.org>
>>
>>
>> I will - for sure - put this on the June 24th Board meeting
>> agenda. My opinion (based on research over the years trying to
>> understand my duty to the foundation) is to keep AWAY from any
>> even slight attempt to influence legislation.
>>
>> In general I see projects, documentation efforts and conferences
>> doing much to unite us in our shared mission. But start
>> discussing politics and it will go a long way to divide us as a
>> community.
>>
>> I suggest that we focus on *doing something* vs *saying something*.
>>
>> Imagine funding open source projects similar to Whisper Systems
>> or enhancing our documentation projects to be much more up to
>> date and relevant or building professional open source training
>> material? This is how I think the foundation can best face these
>> issues while at the same time serve our mission while at the same
>> time keep away from influencing legislation. :)
>>
>> And for what it's worth, I strongly dislike the fact that I'm
>> bringing these things up. I'm not trying to ruin anyone's party
>> here. But I do feel it's my duty as your elected board member to
>> do so.
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San Francisco!
>>
>> On Jun 21, 2015, at 1:23 PM, McGovern, James
>> <james.mcgovern at hp.com> wrote:
>>
>> Jim, while you are going to the board for legal
>> clarification, please inquire:
>>
>> 1. 501c3 is a US thing. Can we influence non-US government
>> and still comply?
>> 2. Understanding the US political issues sometimes will put
>> us on a partisan path. For example, in CT I have commented in
>> the past in a political context on why smart guns are just
>> plain stupid. This particular issue leans more
>> conservative/libertarian than it does Liberal. Therefore, we
>> must attempt to understand the flow of politics on any given
>> Sunday.
>> 3. Maybe we could somehow solve this by having a policy that
>> encourages legislators of all parties to reach out to their
>> local chapter leader for an informed opinion.
>>
>> -----Original Message-----
>> From: owasp-community-bounces at lists.owasp.org
>> [mailto:owasp-community-bounces at lists.owasp.org] On Behalf Of
>> Jim Manico
>> Sent: Saturday, June 20, 2015 4:37 PM
>> To: Kevin W. Wall
>> Cc: OWASP Board List; owasp-community at lists.owasp.org;
>> owasp-leaders
>> Subject: Re: [Owasp-community] [Owasp-board] IAB Statement on
>> the Trade in Security Technologies
>>
>> I agree with you Kevin. Even the IRS is cagey about this topic.
>>
>> However, this is an organization risk that I feel we should
>> be aware of before charging too far into policy. It would
>> behoove us to get legal review before going too far. I'll
>> bring this up at the next board meeting.
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Jun 20, 2015, at 9:47 AM, Kevin W. Wall
>> <kevin.w.wall at gmail.com> wrote:
>>
>> Jim,
>>
>> On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico
>> <jim.manico at owasp.org> wrote:
>>
>> That is fair Michael.
>>
>> But I do want to warn the community that this is a slippery slope, we
>> are being watched, and trying to influence legislation is one of the
>> few ways OWASP can lose its charitable status. And if that happens,
>> the debate about what to do with our funds will quickly change for
>> the worse.
>>
>> I don't think that it is impossible for charitable organizations to
>> comment on public policy without losing their 501(c)(3) status, but
>> it just has to be done in the right way. (However, IANAL, so I don't
>> even begin to know the details of what that "right way" would entail.)
>>
>> As a case in point, the ACM has a 501(c)(3) not-for-profit status, and
>> yet their public policy arm--the USACM--has certainly tried to
>> influence public policy. (Recall the crypto debate from the late
>> 1990s? The USACM and IEEE wrote a letter to Sen. John McCain to try to
>> influence the US legislation not to pass laws to mandate weak
>> encryption. E.g., see
>> <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
>>
>> So I'm guessing that the devil is in the details of how it is done.
>> In fact, according to Spaf's blog at
>> <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
>> the USACM is going through this same thing again. Like I said, I am
>> not a lawyer and maybe this attempt to influence public policy doesn't
>> strictly qualify as "lobbying" in the eyes of the IRS. But it
>> certainly doesn't seem impossible.
>>
>> Also, we can--and should--all speak out strongly against things that
>> we believe are against the OWASP mission, but we don't have to do it
>> in a manner as representing OWASP. Do that on your personal blogs or
>> social media instead of OWASP mailing lists and there shouldn't be an
>> issue, especially if you add a short disclaimer as to how your opinion
>> does not necessarily affect the opinion of OWASP overall (in the cases
>> when there might be some doubt).
>>
>> So perhaps if we decide that we officially want to speak out on
>> certain public policy as an organization in order to influence public
>> policy in accordance with our mission statements, then someone who
>> understands the nuances of the 501(c)(3) IRS regulations could help
>> OWASP navigate these waters.
>>
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/
>> NSA: All your crypto bit are belong to us.