[Owasp-board] Let's stand together against DCMA and similar laws

Kevin W. Wall kevin.w.wall at gmail.com
Thu Aug 11 13:57:02 UTC 2016


I'm fine with considering proposing a committee to address this, but if
Cory or I can't get people to take the relatively low effort of
responding to a mailing list, I'm not sure how much more OWASP members will
respond to / assist with any committee work that needs to be done.

If there is anyone besides Johanna who might be willing to help with such a
committee, please let me know.

Blog: http://off-the-wall-security.blogspot.com/.   | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <johanna.curiel at owasp.org>

> Hi Kevin,
> I think we need a team of organized volunteers that can take care of these
> initiatives and take the task of responding or taking actions. As you can see,
> sending things to the mailing list gets almost no feedback and that's a shame.
> If you want to see an action from OWASP as an organization, within OWASP
> bylaws we can form a Committee in order to propose a specific action that
> we submit to the board with regard to these laws.
> https://owasp.org/index.php/Governance/OWASP_Committees
> If you want to lead this committee, I'll support you as being part of it.
> Let me know, we just need to form the committee with other OWASP community
> members that support this action and we submit this proposal officially as
> a committee to 'protect security researchers reporting on
> vulnerabilities'. We need to define the details in this proposal and we
> submit it to be approved by the board once it is ready.
> They can vote to approve or deny our motion during the next OWASP Board
> meeting.
> Regards
> Johanna
> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>> OWASP Board members,
>> One day ago, I cross-posted to the OWASP Leaders mailing list (see
>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
>> an earlier post that Cory Doctorow had originally posted to the OWASP
>> Community list back on June 2nd. I did so because Cory said that NO ONE
>> had responded to his original post. After having the privilege of talking
>> about the current state of DRM and DMCA affairs and hearing of W3C's venturing
>> into dangerous waters with their DRM-like technology known as Encrypted
>> Media Extensions (EME), it seemed to me that as a community, this is something
>> that affects many of us, potentially in some very bad ways.
>> I've contacted Cory to have my name added to EFF's list of people protesting
>> the W3C's EME technology without providing an exclusion for security
>> researchers reporting on browser vulnerabilities. I know that other OWASP
>> members have as well, and I'm happy for that. But realistically, as individuals,
>> our voices do not carry as much weight as they would if we spoke with a
>> collective voice.
>> So I and a few other OWASP members have questioned what we could
>> do as a _community_ to come out against DMCA and similar laws. Whatever your
>> feelings are about DRM, I think that most of you feel that it is wrong for
>> a company to hide behind DRM and DMCA in an attempt to prevent product
>> vulnerabilities from being publicly revealed after providing reasonable
>> time for a company to issue patches, etc. (That is, I am talking about what
>> happens after responsible disclosure fails and security researchers find
>> themselves facing a choice between being sued or divulging the necessary
>> details of the vulnerability for the public good and safety in order to
>> force a company's hand at taking corrective action or making the public
>> aware so they can avoid purchasing said product.)
>> To me, this goes beyond mere copyright evasion and DRM. Toward that end, I
>> think that DRM is understandable, although an ill-conceived, if not totally
>> futile, endeavor to protect copyrights. However, my understanding of DMCA
>> (and Cory, please correct me if I'm wrong here) is that DMCA criminalizes
>> production and dissemination of technology or knowledge of ANYTHING intended
>> to circumvent access control of copyrighted works. So for instance (and,
>> this is just a hypothetical here), if a company made a pacemaker that used
>> Bluetooth for remote access by doctors and the authentication / access control
>> of those devices relied on obfuscation rather than (say) a secure encrypted
>> communication channel, a security researcher who revealed this could
>> potentially face a lawsuit by the pacemaker manufacturer because revealing
>> details of any authentication bypass could infringe on that company's
>> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
>> with the explosion of IoT devices, it's bound to sooner or later. (Cory, if
>> you know of any real case law that you can discuss here, that might go a
>> long way towards convincing folks.)
>> So, what am I proposing? I would like an OWASP board member to
>> propose a couple of different motions to be considered by and voted
>> on by the OWASP board:
>> 1) I would like to see a motion for OWASP, as an organizational whole,
>>    to consider support for and officially "signing" (whatever that means
>>    in a legal sense) EFF's notice to W3C to protect security researchers
>>    reporting on vulnerabilities in their proposed EME standard,
>>    implementations thereof, or other W3C browser related technologies. That
>>    is, I would like to see the "OWASP Foundation" named as a party to
>>    <https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investigate-browsers>
>> 2) I would like to see a motion for OWASP to at least analyze the pros and
>>    cons of filing a "friend of the court" (i.e., amicus curiae) brief to stand
>>    with EFF, Matthew Green, et al. in the section 1210 DMCA lawsuit that they
>>    recently filed against the USG (for details see
>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate>)
>>    and if the perceived pros outweigh the cons, to actually proceed with
>>    filing an amicus brief.
>> It is my understanding that someone presently on the OWASP Board has to
>> bring these forth as motions before the board. (Note: If I am mistaken
>> about that, I will gladly do it myself.) So who on the board will
>> stand up against DMCA and similar legislation in other countries that
>> Cory outlined in a follow-up post to the OWASP leaders list? I personally
>> do not believe that either of these proposals for motions is partisan
>> from a political perspective and I think that both support our stated
>> core purpose of being "the thriving global community that drives visibility
>> and evolution in the safety and security of the world’s software".
>> So, let us do what we can as individuals, but let us remember that our
>> community voice together is much louder than it is speaking alone.
>> Thank you all for listening and considering my thoughts in earnest.
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
>> NSA: All your crypto bit are belong to us.
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> --
> Johanna Curiel
> OWASP Volunteer