[Owasp-board] [Owasp-leaders] [Owasp-community] IAB Statement on the Trade in Security Technologies

Jim Manico jim.manico at owasp.org
Mon Jun 22 01:55:43 UTC 2015

> What concerns me is that you would "implore the community to focus"
> on anything.

I am imploring the community to work on projects and documents that help 
spread good, technical information about application security. That's 
our mission, Jeff.

Even though I am a Board member I am also a very active volunteer 
working on a number of projects and documentation efforts. My opinion 
matters. Just like your opinions matter, as does the opinion of every 
other member of the community.

My job is to help everyone who wants to help spread AppSec awareness, 
but that is by no means my only job. By no means. If you would like to 
understand 501c3 board member fiduciary duty and responsibility, I 
encourage you to read 
and more.

- Jim

On 6/21/15 3:48 PM, Jeff Williams wrote:
> Jim, I'm not concerned about this particular action at all. What 
> concerns me is that you would "implore the community to focus" on 
> anything.  At a minimum, speaking out with authority on issues related 
> to our mission certainly COULD work.  In fact, I think there's a 
> pretty good case to be made that any real progress in our field won't 
> be made by the kind of action you suggest.
> The point is that the Board shouldn't implore anyone to change how 
> they believe they can help. The Board wasn't set up to be an arbiter 
> of what activities are good ideas.  Your only job is to support 
> everyone and anyone who wants to help appsec.  If you want to have 
> opinions, get off the Board.
> --Jeff
> On Sun, Jun 21, 2015 at 9:35 PM, Jim Manico <jim.manico at owasp.org> wrote:
>     This is not about changing OWASP's charter. It's a warning that we
>     are engaging in activity that is on the edge of trying to
>     influence legislation and that we should proceed with caution.
>     Also, I am concerned that we are losing focus here and implore the
>     community to focus less on announcements like this and to focus
>     more on application security in a more direct way via projects and
>     technical documentation.
>     - Jim
>     On 6/21/15 3:32 PM, Jerry Hoff wrote:
>>     Agreed - but I was under the strong impression this entire
>>     discussion was on putting out a statement similar to the IAB.
>>     Apologies if I misunderstood. I was voicing support on that
>>     specific action.
>>     I didn't see anywhere in the thread (though I may have missed it)
>>     anyone advocating political campaigning or to change the OWASP
>>     charter such that influencing legislation would be a substantial
>>     activity.
>>     -- 
>>     Jerry Hoff
>>     jerry at owasp.com
>>     @jerryhoff
>>     On Jun 21, 2015, at 21:25, Jim Manico <jim.manico at owasp.org> wrote:
>>>     Jerry,
>>>     I'm a fan of OWASP taking technical stands such as the IAB
>>>     Statement on Internet Confidentiality
>>>     https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
>>>     and similar.
>>>     What our 501(c)(3) foundation needs to steer clear of, from my
>>>     understanding, is...
>>>     1) ... not to engage in political campaigning
>>>     2) ... not to attempt to influence legislation as a substantial
>>>     part of our activities
>>>     I am no fan of NACL's but this is a very important topic.
>>>     The exact quote from the IRS is
>>>     (http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)
>>>     "...it may not attempt to influence legislation as a substantial
>>>     part of its activities and it may not participate in any
>>>     campaign activity for or against political candidates..."
>>>     So as long as our "official foundation statement" on this matter
>>>     steers clear of these issues, I will support it.
>>>     We will be discussing this at the June 24th meeting, I hope you
>>>     can make it.
>>>     https://www.owasp.org/index.php/June_24,_2015
>>>     Aloha,
>>>     Jim
>>>     On 6/21/15 3:16 PM, Jerry Hoff wrote:
>>>>     I believe this debate is based off wrong assumptions - for
>>>>     example the EFF is 501(c)(3) and that does not prevent them
>>>>     from taking a position on relevant issues as an organization.
>>>>     -- 
>>>>     Jerry Hoff
>>>>     jerry at owasp.com
>>>>     @jerryhoff
>>>>     On Jun 21, 2015, at 21:05, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>     With respect, I disagree with your take on this Jeff. Official
>>>>>     OWASP public statements should be done with care.
>>>>>     Also, this issue is not resolved yet and I am simply stating
>>>>>     *my opinion* on the matter backed by research and references
>>>>>     to IRS guidelines discussing this matter. And again I've
>>>>>     stated that this is a nebulous area even by IRS regulation.
>>>>>     We are discussing this at the June 24 board meeting - a
>>>>>     meeting in which I hope that you and the community attend.
>>>>>     Making a big statement like this as an official message of the
>>>>>     OWASP foundation - especially since it's political in nature -
>>>>>     does in my opinion require board discussion. I know you want
>>>>>     us to "jump on this" immediately - and we are Jeff - in just a
>>>>>     few days.
>>>>>     In fact, if the language is crafted in a way that keeps clear
>>>>>     of specific legislation, I will likely vote to push this out.
>>>>>     I agree with it 100%, I am only concerned if it's the right
>>>>>     thing for OWASP to be making such a public statement.
>>>>>     It is critical for all of us in OWASP leadership to be aware
>>>>>     of the limits of what a 501(c)(3) should be doing, and when I
>>>>>     hear that the members of the foundation want OWASP to make a
>>>>>     public and politically charged statement of intent, I think
>>>>>     it's crucial for the board to be a part of it since the board
>>>>>     holds legal responsibility for the operations of the foundation.
>>>>>     See you June 24th?
>>>>>     https://www.owasp.org/index.php/June_24,_2015
>>>>>     Aloha,
>>>>>     Jim
>>>>>     On 6/21/15 2:47 PM, Jeff Williams wrote:
>>>>>>     This is a false dichotomy -- OWASP can and should do both.
>>>>>>     The Board should work to assist and support *any* idea
>>>>>>     consistent with our mission...even if...especially if... you
>>>>>>     don't think it will work.
>>>>>>     You can't let *your* judgement influence the decision to
>>>>>>     support a project. If you do, then all we will ever get is
>>>>>>     Board ideas.  And, respectfully, I don't trust you or any
>>>>>>     other individual to think up the next great AppSec idea.
>>>>>>     The Board shouldn't interfere at all unless somebody is doing
>>>>>>     something harmful to the organization or the mission. And
>>>>>>     even then should try to figure out a productive path for that
>>>>>>     energy.
>>>>>>     Again respectfully, you should get out of the way.
>>>>>>     --Jeff
>>>>>>     On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico"
>>>>>>     <jim.manico at owasp.org> wrote:
>>>>>>         Jeff,
>>>>>>         My take on this is that "talk is cheap" and that "actions
>>>>>>         are more powerful than words". I'd rather keep out of
>>>>>>         legislation and focus on making important projects like
>>>>>>         ESAPI, ASVS, Security Shepherd and others more powerful.
>>>>>>         I am sorry you are disappointed in current board action,
>>>>>>         but there is good reason behind the perspective I am
>>>>>>         stating. Also, this is my opinion alone, not the entire
>>>>>>         board's.
>>>>>>         Again, take a look at Whisper Systems. They are providing
>>>>>>         incredibly well created and well assessed open source
>>>>>>         projects for secure communications. These open source
>>>>>>         projects are now being integrated into various Operating
>>>>>>         Systems and other projects.
>>>>>>         If ESAPI was not abandoned, it could have been serving
>>>>>>         our mission - planet level. I want to see it and other
>>>>>>         key projects revived and well funded.
>>>>>>         The power of a well built security project is worth more
>>>>>>         than a thousand words. Talk is cheap. Actions that change
>>>>>>         the world take sweat, blood and staying the course even
>>>>>>         when it's no longer financially beneficial to do so.
>>>>>>         Respectfully,
>>>>>>         --
>>>>>>         Jim Manico
>>>>>>         Global Board Member
>>>>>>         OWASP Foundation
>>>>>>         https://www.owasp.org
>>>>>>         Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>>>         Francisco!
>>>>>>         On Jun 21, 2015, at 2:12 PM, Jeff Williams
>>>>>>         <jeff.williams at owasp.org> wrote:
>>>>>>>         For the record, the IAB is part of the IETF, which *is*
>>>>>>>         a 501c3.  Even though 501c3 organizations *can* do some
>>>>>>>         lobbying (as long as expenditures are not substantial),
>>>>>>>         the IAB is careful not to talk about legislation or urge
>>>>>>>         anyone to contact representatives about legislation.
>>>>>>>         As the creator and longtime Chair of the OWASP Board,
>>>>>>>         I'm frustrated that the current Board isn't falling over
>>>>>>>         themselves to support efforts like this.  IMO the whole
>>>>>>>         purpose of the Board is to create a great platform to
>>>>>>>         support and amplify the efforts of anyone willing to
>>>>>>>         contribute to our important cause. Doesn't matter the
>>>>>>>         topic, but instead of saying no or criticizing ideas or
>>>>>>>         projects, figure out a way to make it work or make them
>>>>>>>         better.
>>>>>>>         In this case, and a million other topics, it would be
>>>>>>>         incredibly easy to stick to the technical realities and
>>>>>>>         feasibility of any approaches being discussed in the
>>>>>>>         news.  No need to mention legislation.
>>>>>>>         --Jeff
>>>>>>>         Jeff Williams | CTO
>>>>>>>         Contrast Security
>>>>>>>         410.707.1487 | @planetlevel @contrastsec
>>>>>>>         _____________________________
>>>>>>>         From: Jim Manico <jim.manico at owasp.org>
>>>>>>>         Sent: Sunday, June 21, 2015 7:37 PM
>>>>>>>         Subject: Re: [Owasp-leaders] [Owasp-community]
>>>>>>>         [Owasp-board] IAB Statement on the Trade in Security
>>>>>>>         Technologies
>>>>>>>         To: McGovern, James <james.mcgovern at hp.com>
>>>>>>>         Cc: <owasp-community at lists.owasp.org>, OWASP Board
>>>>>>>         List <owasp-board at lists.owasp.org>, owasp-leaders
>>>>>>>         <owasp-leaders at lists.owasp.org>
>>>>>>>         I will - for sure - put this on the June 24th Board
>>>>>>>         meeting agenda. My opinion (based on research over the
>>>>>>>         years trying to understand my duty to the foundation) is
>>>>>>>         to keep AWAY from any even slight attempt to influence
>>>>>>>         legislation.
>>>>>>>         In general I see projects, documentation efforts and
>>>>>>>         conferences doing much to unite us in our shared
>>>>>>>         mission. But start discussing politics and it will go a
>>>>>>>         long way to divide us as a community.
>>>>>>>         I suggest that we focus on •doing something• vs •saying
>>>>>>>         something•.
>>>>>>>         Imagine funding open source projects similar to Whisper
>>>>>>>         Systems or enhancing our documentation projects to be
>>>>>>>         much more up to date and relevant, or building
>>>>>>>         professional open source training material? This is how
>>>>>>>         I think the foundation can best face these issues while
>>>>>>>         at the same time serve our mission while at the same
>>>>>>>         time keep away from influencing legislation. :)
>>>>>>>         And for what it's worth, I strongly dislike the fact
>>>>>>>         that I'm bringing these things up. I'm not trying to
>>>>>>>         ruin anyone's party here. But I do feel it's my duty as
>>>>>>>         your elected board member to do so.
>>>>>>>         Aloha,
>>>>>>>         -- 
>>>>>>>         Jim Manico
>>>>>>>         Global Board Member
>>>>>>>         OWASP Foundation
>>>>>>>         https://www.owasp.org
>>>>>>>         Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>>>>         Francisco!
>>>>>>>         On Jun 21, 2015, at 1:23 PM, McGovern, James
>>>>>>>         <james.mcgovern at hp.com> wrote:
>>>>>>>             Jim, while you are going to the board for legal
>>>>>>>             clarification, please inquire:
>>>>>>>             1. 501c3 is a US thing. Can we influence non-US
>>>>>>>             government and still comply?
>>>>>>>             2. Understanding the US political issues sometimes
>>>>>>>             will put us on a partisan path. For example, in CT I
>>>>>>>             have commented in the past in a political context on
>>>>>>>             why smart guns are just plain stupid. This
>>>>>>>             particular issue leans more conservative/libertarian
>>>>>>>             than it does Liberal. Therefore, we must attempt to
>>>>>>>             understand the flow of politics on any given Sunday.
>>>>>>>             3. Maybe we could somehow solve this by having a
>>>>>>>             policy that encourages legislators of all parties to
>>>>>>>             reach out to their local chapter leader for an
>>>>>>>             informed opinion.
>>>>>>>             -----Original Message-----
>>>>>>>             From: owasp-community-bounces at lists.owasp.org On
>>>>>>>             Behalf Of Jim Manico
>>>>>>>             Sent: Saturday, June 20, 2015 4:37 PM
>>>>>>>             To: Kevin W. Wall
>>>>>>>             Cc: OWASP Board List;
>>>>>>>             owasp-community at lists.owasp.org; owasp-leaders
>>>>>>>             Subject: Re: [Owasp-community] [Owasp-board] IAB
>>>>>>>             Statement on the Trade in Security Technologies
>>>>>>>             I agree with you Kevin. Even the IRS is cagey about
>>>>>>>             this topic.
>>>>>>>             However, this is an organization risk that I feel we
>>>>>>>             should be aware of before charging too far into
>>>>>>>             policy. It would behoove us to get legal review
>>>>>>>             before going too far. I'll bring this up at the next
>>>>>>>             board meeting.
>>>>>>>             Aloha,
>>>>>>>             -- 
>>>>>>>             Jim Manico
>>>>>>>             @Manicode
>>>>>>>             (808) 652-3805
>>>>>>>                 On Jun 20, 2015, at 9:47 AM, Kevin W. Wall
>>>>>>>                 <kevin.w.wall at gmail.com> wrote:
>>>>>>>                 Jim,
>>>>>>>                     On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico
>>>>>>>                     <jim.manico at owasp.org> wrote:
>>>>>>>                     That is fair Michael.
>>>>>>>                     But I do want to warn the community that
>>>>>>>                     this is a slippery slope, we
>>>>>>>                     are being watched, and trying to influence
>>>>>>>                     legislation is one of the
>>>>>>>                     few ways OWASP can lose its charitable
>>>>>>>                     status. And if that happens,
>>>>>>>                     the debate about what to do with our funds
>>>>>>>                     will quickly change for the worse.
>>>>>>>                 I don't think that it is impossible for
>>>>>>>                 charitable organizations to
>>>>>>>                 comment on public possible without losing their
>>>>>>>                 501(c)(3) status, but
>>>>>>>                 it just has to be done in the right way.
>>>>>>>                 (However, IANAL, so I don't
>>>>>>>                 even begin to know the details of what that
>>>>>>>                 "right way" would entail.)
>>>>>>>                 As a case in point, the ACM has a 501(c)(3)
>>>>>>>                 not-for-profit status, and
>>>>>>>                 yet their public policy arm--the USACM--has
>>>>>>>                 certainly tried to
>>>>>>>                 influence public policy. (Recall the crypto
>>>>>>>                 debate from the late
>>>>>>>                 1990s? The USACM and IEEE wrote a letter to Sen.
>>>>>>>                 John McCain to try to
>>>>>>>                 influence the US legislation not to pass laws to
>>>>>>>                 mandate weak
>>>>>>>                 encryption. E.g., see
>>>>>>>                 <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
>>>>>>>                 So I'm guessing that the devil is in the details
>>>>>>>                 of how it is done.
>>>>>>>                 In fact, according to Spaf's blog at
>>>>>>>                 <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
>>>>>>>                 the USACM is going through this same thing
>>>>>>>                 again. Like I said, I am not a lawyer and
>>>>>>>                 maybe this attempt to
>>>>>>>                 influence public policy doesn't strictly qualify
>>>>>>>                 as "lobbying" in the
>>>>>>>                 eyes of the IRS. But it certainly doesn't seem
>>>>>>>                 impossible.
>>>>>>>                 Also, we can--and should--all speak out strongly
>>>>>>>                 against things that
>>>>>>>                 we believe are against the OWASP mission, but we
>>>>>>>                 don't have to do it
>>>>>>>                 in a manner as representing OWASP. Do that on
>>>>>>>                 your personal blogs or
>>>>>>>                 social media instead of OWASP mailing lists and
>>>>>>>                 there shouldn't be an
>>>>>>>                 issue, especially if you add a short disclaimer
>>>>>>>                 as to how your opinion
>>>>>>>                 does not necessarily affect the opinion of OWASP
>>>>>>>                 overall (in the cases when there might be some
>>>>>>>                 doubt).
>>>>>>>                 So perhaps if we decide that we officially want
>>>>>>>                 to speak out on
>>>>>>>                 certain public policy as an organization in
>>>>>>>                 order to influence public
>>>>>>>                 policy in accordance with our mission
>>>>>>>                 statements, then someone who
>>>>>>>                 understands the nuances of the 501(c)(3) IRS
>>>>>>>                 regulations could help
>>>>>>>                 OWASP navigate these waters.
>>>>>>>                 -kevin
>>>>>>>                 -- 
>>>>>>>                 Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>                 NSA: All your crypto bit are belong to us.
