[Owasp-board] Let's stand together against DCMA and similar laws

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 11 01:51:07 UTC 2016


Hi Kevin,

I think we need a team of organized volunteers that can take care of these
initiatives and take the task of responding or take actions.As you can see,
sending things to mailing list have almost no feedback and that's a shame.

If you want to see an action from OWASP as an organization, within OWASP
bylaws we can form a Committee in order to propose a specific action that
we submit to the board with regards these laws.

https://owasp.org/index.php/Governance/OWASP_Committees

If you want to lead this committee,I'll support you as being part of it.

Let me know, we just need to form the committee with other Owasp community
members that support this action and we submit this proposal officially as
a committee to 'protect security researchers reporting on vulnerabilities'.
We need to define the details in this proposal and we submit it to be
approved by the board once is ready.

They can vote to approve or deny our motion during a next OWASP Board
meeting.

Regards

Johanna

On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> OWASP Board members,
>
> One day ago, I cross-posted to the OWASP Leader's mailing list (see
> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
> an earlier post that Cory Doctorow had originally posted to the OWASP
> Community list back on June 2nd. I did so because Cory said that NO ONE
> had responded to his original post. After having the privilege of talking
> about the current state of DRM and DCMA affairs and hearing W3C's venturing
> into dangerous waters with their DRM-like technology known as Encrypted
> Media Extension (EME), it seemed to me that as a community, this is
> something
> that affects many off us, potentially in some very bad ways.
>
> I've contacted Cory to have my name added to EFF's list of people
> protesting
> the W3C's EME technology without providing an exclusion for security
> researchers reporting on browser vulnerabilities. I know that other OWASP
> members have as well, and I'm happy for that. But realistically, as
> individuals,
> our voices do not carry much weight is it would if we spoke with a
> collective
> voice.
>
> So myself and a few other OWASP members have said questioned what could we
> do as a _community_ to come against DCMA and similar laws.  Whatever your
> feelings are about DRM, I think that most of you feel that it is wrong for
> a company to hide behind DRM and DMCA in an attempt to prevent product
> vulnerabilities from being publicly revealed after providing reasonable
> time for a company to issue patches, etc. (That is, I am talking about what
> happens after responsible disclosure fails and security researchers finds
> themselves facing a choice between being sued or divulging the necessary
> details of the vulnerability for the public good and safety in order to
> force a company's hand at taking corrective action or making the public
> aware so they can avoid purchasing said product.)
>
> To me, this goes beyond mere copyright evasion and DRM. Toward that end, I
> think that DRM is understandable, although an ill-conceived, if not totally
> futile endeavor to protect copyrights. However, my understanding of DMCA
> (and Cory, please correct me if I'm wrong here) is that DMCA criminalizes
> production and dissemination of technogly or knowledge of ANYTHING intended
> to circumvent access to control of copyrighted works. So for instance (and,
> this is just a hypothetical here), if a company made a pacemaker that used
> Bluetooth for remote access by doctors and the authentication / access
> control
> of those devices relied on obfuscation rather than (say) a secure encrypted
> communication channel, a security researcher who revealed this could
> potentially face a lawsuit by the pacemaker manufacturer because revealing
> details of any authentication bypass could infringe on that company's
> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
> with the explosion of IoT devices, it's bound to sooner or later. (Cory, if
> you know of any real case law that you can discuss here, that might go a
> long way towards convincing folks.)
>
> So, what am I proposing? I would like an OWASP board member to
> propose a couple of different motions to be considered by and voted
> on by the OWASP board:
>
> 1) I would like to see a motion for OWASP as an organizational whole,
>    consider support for and officially "signing" (whatever that means
>    in a legal sense) EFF's notice to W3C to protect security researchers
>    reporting on vulnerabilities in their proposed EME standard,
>    implementations thereof, or other W3C browser related technologies. That
>    is, I would like to see the "OWASP Foundation" named as a party to
> <https://www.eff.org/deeplinks/2016/03/security-
> researchers-tell-w3c-protect-researchers-who-investigate-browsers>
>
> 2) I would like to see a motion for OWASP to at least analyze the pros and
>    cons of filing a "friend of the court" (i.e, amicus curiae) brief to
> stand
>    with EFF, Matthew Green, et al in the section 1210 DMCA lawsuit that
> they
>    recently filed against the USG (for details see
>    <https://www.eff.org/press/releases/eff-lawsuit-takes-
> dmca-section-1201-research-and-technology-restrictions-violate>)
>    and if the perceived pros outweigh the cons, to actually proceed with
>    filing an amicus brief.
>
> It is my understanding that someone presently on the OWASP Board has to
> bring forth these as motions before the board. (Note: If I am mistaken
> about that, I will gladly do it myself.)  So who on the board will
> stand up against DCMA and similar legislation in other countries that
> Cory outlined in a follow-up post to the OWASP leaders list?  I personally
> do not believe that either of these proposals for motions are partisan
> from a political perspective and I think that both support our stated
> core purpose of being "the thriving global community that drives visibility
> and evolution in the safety and security of the world’s software".
>
> So, let us do what we can as individuals, but let us remember that our
> community voice together is much louder than it is speaking alone.
>
> Thanks you all for listening and considering my thoughts in earnest.
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>



-- 
Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160810/cc5b64da/attachment.html>


More information about the Owasp-board mailing list