[Owasp-board] Let's stand together against DCMA and similar laws

Tom Brennan - OWASP tomb at owasp.org
Thu Aug 11 14:18:18 UTC 2016


I would second the motion to start the process.

Andrew with AppSecUSA coming up perfect opportunity to get people into a
room together and TALK about it life.

Cory, can intrested in coming out to www.appsecusa.org in Washington DC to
discuss this in a face-to-face, open-forum with OWASP experts from around
the world?

Tom Brennan
GPG ID: DC6AA149
https://www.linkedin.com/in/tombrennan

On Thu, Aug 11, 2016 at 10:13 AM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> Hi Kevin
>
> As I mentioned, I am interested. Not getting a response from the Board in
> 13 hours is not ideal, but at least give us 24 hours to respond.
>
> Is anyone else on the Board interested in helping?
>
> thanks
> Andrew
>
> On Thu, Aug 11, 2016 at 11:57 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>
>> Johanna,
>>
>> I'm fine with considering proposing a committee to address this, but if
>> Cory or myself can't can't get people to take the relatively low effort of
>> responding to a mailing list, I'm not sure how much more OWASP members will
>> respond to / assist with any committee work that needs to be done.
>>
>> If there is anyone besides Johanna who might be willing to help with such
>> a committee, please let me know.
>>
>> -kevin
>> --
>> Blog: http://off-the-wall-security.blogspot.com/.   | Twitter:
>> @KevinWWall
>> NSA: All your crypto bit are belong to us.
>>
>> On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Kevin,
>>>
>>> I think we need a team of organized volunteers that can take care of
>>> these initiatives and take the task of responding or take actions.As you
>>> can see, sending things to mailing list have almost no feedback and that's
>>> a shame.
>>>
>>> If you want to see an action from OWASP as an organization, within OWASP
>>> bylaws we can form a Committee in order to propose a specific action that
>>> we submit to the board with regards these laws.
>>>
>>> https://owasp.org/index.php/Governance/OWASP_Committees
>>>
>>> If you want to lead this committee,I'll support you as being part of it.
>>>
>>> Let me know, we just need to form the committee with other Owasp
>>> community members that support this action and we submit this proposal
>>> officially as a committee to 'protect security researchers reporting on
>>> vulnerabilities'. We need to define the details in this proposal and we
>>> submit it to be approved by the board once is ready.
>>>
>>> They can vote to approve or deny our motion during a next OWASP Board
>>> meeting.
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> wrote:
>>>
>>>> OWASP Board members,
>>>>
>>>> One day ago, I cross-posted to the OWASP Leader's mailing list (see
>>>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
>>>> an earlier post that Cory Doctorow had originally posted to the OWASP
>>>> Community list back on June 2nd. I did so because Cory said that NO ONE
>>>> had responded to his original post. After having the privilege of
>>>> talking
>>>> about the current state of DRM and DCMA affairs and hearing W3C's
>>>> venturing
>>>> into dangerous waters with their DRM-like technology known as Encrypted
>>>> Media Extension (EME), it seemed to me that as a community, this is
>>>> something
>>>> that affects many off us, potentially in some very bad ways.
>>>>
>>>> I've contacted Cory to have my name added to EFF's list of people
>>>> protesting
>>>> the W3C's EME technology without providing an exclusion for security
>>>> researchers reporting on browser vulnerabilities. I know that other
>>>> OWASP
>>>> members have as well, and I'm happy for that. But realistically, as
>>>> individuals,
>>>> our voices do not carry much weight is it would if we spoke with a
>>>> collective
>>>> voice.
>>>>
>>>> So myself and a few other OWASP members have said questioned what could
>>>> we
>>>> do as a _community_ to come against DCMA and similar laws.  Whatever
>>>> your
>>>> feelings are about DRM, I think that most of you feel that it is wrong
>>>> for
>>>> a company to hide behind DRM and DMCA in an attempt to prevent product
>>>> vulnerabilities from being publicly revealed after providing reasonable
>>>> time for a company to issue patches, etc. (That is, I am talking about
>>>> what
>>>> happens after responsible disclosure fails and security researchers
>>>> finds
>>>> themselves facing a choice between being sued or divulging the necessary
>>>> details of the vulnerability for the public good and safety in order to
>>>> force a company's hand at taking corrective action or making the public
>>>> aware so they can avoid purchasing said product.)
>>>>
>>>> To me, this goes beyond mere copyright evasion and DRM. Toward that
>>>> end, I
>>>> think that DRM is understandable, although an ill-conceived, if not
>>>> totally
>>>> futile endeavor to protect copyrights. However, my understanding of DMCA
>>>> (and Cory, please correct me if I'm wrong here) is that DMCA
>>>> criminalizes
>>>> production and dissemination of technogly or knowledge of ANYTHING
>>>> intended
>>>> to circumvent access to control of copyrighted works. So for instance
>>>> (and,
>>>> this is just a hypothetical here), if a company made a pacemaker that
>>>> used
>>>> Bluetooth for remote access by doctors and the authentication / access
>>>> control
>>>> of those devices relied on obfuscation rather than (say) a secure
>>>> encrypted
>>>> communication channel, a security researcher who revealed this could
>>>> potentially face a lawsuit by the pacemaker manufacturer because
>>>> revealing
>>>> details of any authentication bypass could infringe on that company's
>>>> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
>>>> with the explosion of IoT devices, it's bound to sooner or later.
>>>> (Cory, if
>>>> you know of any real case law that you can discuss here, that might go a
>>>> long way towards convincing folks.)
>>>>
>>>> So, what am I proposing? I would like an OWASP board member to
>>>> propose a couple of different motions to be considered by and voted
>>>> on by the OWASP board:
>>>>
>>>> 1) I would like to see a motion for OWASP as an organizational whole,
>>>>    consider support for and officially "signing" (whatever that means
>>>>    in a legal sense) EFF's notice to W3C to protect security researchers
>>>>    reporting on vulnerabilities in their proposed EME standard,
>>>>    implementations thereof, or other W3C browser related technologies.
>>>> That
>>>>    is, I would like to see the "OWASP Foundation" named as a party to
>>>> <https://www.eff.org/deeplinks/2016/03/security-researchers-
>>>> tell-w3c-protect-researchers-who-investigate-browsers>
>>>>
>>>> 2) I would like to see a motion for OWASP to at least analyze the pros
>>>> and
>>>>    cons of filing a "friend of the court" (i.e, amicus curiae) brief to
>>>> stand
>>>>    with EFF, Matthew Green, et al in the section 1210 DMCA lawsuit that
>>>> they
>>>>    recently filed against the USG (for details see
>>>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-
>>>> section-1201-research-and-technology-restrictions-violate>)
>>>>    and if the perceived pros outweigh the cons, to actually proceed with
>>>>    filing an amicus brief.
>>>>
>>>> It is my understanding that someone presently on the OWASP Board has to
>>>> bring forth these as motions before the board. (Note: If I am mistaken
>>>> about that, I will gladly do it myself.)  So who on the board will
>>>> stand up against DCMA and similar legislation in other countries that
>>>> Cory outlined in a follow-up post to the OWASP leaders list?  I
>>>> personally
>>>> do not believe that either of these proposals for motions are partisan
>>>> from a political perspective and I think that both support our stated
>>>> core purpose of being "the thriving global community that drives
>>>> visibility
>>>> and evolution in the safety and security of the world’s software".
>>>>
>>>> So, let us do what we can as individuals, but let us remember that our
>>>> community voice together is much louder than it is speaking alone.
>>>>
>>>> Thanks you all for listening and considering my thoughts in earnest.
>>>> -kevin
>>>> --
>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>> @KevinWWall
>>>> NSA: All your crypto bit are belong to us.
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>

-- 
The information contained in this message and any attachments may be 
privileged, confidential, proprietary or otherwise protected from 
disclosure. If you, the reader of this message, are not the intended 
recipient, you are hereby notified that any dissemination, distribution, 
copying or use of this message and any attachment is strictly prohibited. 
If you have received this message in error, please notify the sender 
immediately by replying to the message, permanently delete it from your 
computer and destroy any printout.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160811/04f1217f/attachment.html>


More information about the Owasp-board mailing list