[Owasp-board] Let's stand together against DCMA and similar laws

Tiffany Long tiffany.long at owasp.org
Thu Aug 11 16:43:57 UTC 2016

Hey Kevin,

You are not the only person interested in this initiative (which I believe
we spoke about in Las Vegas?  If not, I have another person to put you in
contact with as well).  As OWASP is a volunteer-run organization, the best
way for you to move this process along is bottom up rather than top down. The
Committees 2.0 is a great way to address this situation on a larger scale.  For example, as
you form a committee you should ask a wider question--perhaps "What is the
role of security oriented organizations like OWASP and how do we fill that
role according to the OWASP core principles?"  This proposal is likely only
part of the answer to your question. As such, by forming a committee and
driving forward using that tool you can actually craft a sustainable and
flexible suite of actions to achieve your goal with the OWASP organization
and brand behind you.

Rallying the community around the cause before proposing these answers to
the board empowers the board to broadly support you rather than taking
slow, narrow action, and allows the community a strong and direct say in the
manner of response. This course also multiplies the number of individual
voices advocating for the cause, basically doing double duty.

If you are interested in this, we can discuss how I can support you moving
forward.  The support can be anything from strategy re forming the
committee to a suite of outreach tools to sounding board for recruitment or

Tiffany Long
Community Manager

On Thu, Aug 11, 2016 at 7:18 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

> I would second the motion to start the process.
> Andrew, with AppSecUSA coming up, it's a perfect opportunity to get people into a
> room together and TALK about it live.
> Cory, are you interested in coming out to www.appsecusa.org in Washington DC
> to discuss this in a face-to-face, open-forum with OWASP experts from
> around the world?
> Tom Brennan
> GPG ID: DC6AA149
> https://www.linkedin.com/in/tombrennan
> On Thu, Aug 11, 2016 at 10:13 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>> Hi Kevin
>> As I mentioned, I am interested. Not getting a response from the Board in
>> 13 hours is not ideal, but at least give us 24 hours to respond.
>> Is anyone else on the Board interested in helping?
>> thanks
>> Andrew
>> On Thu, Aug 11, 2016 at 11:57 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>> wrote:
>>> Johanna,
>>> I'm fine with considering proposing a committee to address this, but if
>>> Cory or myself can't get people to take the relatively low effort of
>>> responding to a mailing list, I'm not sure how much more OWASP members will
>>> respond to / assist with any committee work that needs to be done.
>>> If there is anyone besides Johanna who might be willing to help with
>>> such a committee, please let me know.
>>> -kevin
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>> On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <
>>> johanna.curiel at owasp.org> wrote:
>>>> Hi Kevin,
>>>> I think we need a team of organized volunteers that can take care of
>>>> these initiatives and take the task of responding or taking action. As you
>>>> can see, sending things to the mailing list gets almost no feedback and that's
>>>> a shame.
>>>> If you want to see an action from OWASP as an organization, within the
>>>> OWASP bylaws we can form a Committee in order to propose a specific action
>>>> that we submit to the board with regard to these laws.
>>>> https://owasp.org/index.php/Governance/OWASP_Committees
>>>> If you want to lead this committee, I'll support you as being part of
>>>> it.
>>>> Let me know, we just need to form the committee with other OWASP
>>>> community members that support this action and we submit this proposal
>>>> officially as a committee to 'protect security researchers reporting
>>>> on vulnerabilities'. We need to define the details in this proposal and we
>>>> submit it to be approved by the board once it is ready.
>>>> They can vote to approve or deny our motion during a next OWASP Board
>>>> meeting.
>>>> Regards
>>>> Johanna
>>>> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>> wrote:
>>>>> OWASP Board members,
>>>>> One day ago, I cross-posted to the OWASP Leader's mailing list (see
>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
>>>>> an earlier post that Cory Doctorow had originally posted to the OWASP
>>>>> Community list back on June 2nd. I did so because Cory said that NO ONE
>>>>> had responded to his original post. After having the privilege of talking
>>>>> about the current state of DRM and DMCA affairs and hearing of W3C's venturing
>>>>> into dangerous waters with their DRM-like technology known as Encrypted
>>>>> Media Extensions (EME), it seemed to me that as a community, this is something
>>>>> that affects many of us, potentially in some very bad ways.
>>>>> I've contacted Cory to have my name added to EFF's list of people protesting
>>>>> the W3C's EME technology without providing an exclusion for security
>>>>> researchers reporting on browser vulnerabilities. I know that other OWASP
>>>>> members have as well, and I'm happy for that. But realistically, as individuals,
>>>>> our voices do not carry as much weight as they would if we spoke with a
>>>>> collective voice.
>>>>> So myself and a few other OWASP members have questioned what we could
>>>>> do as a _community_ to come out against DMCA and similar laws.  Whatever your
>>>>> feelings are about DRM, I think that most of you feel that it is wrong for
>>>>> a company to hide behind DRM and DMCA in an attempt to prevent product
>>>>> vulnerabilities from being publicly revealed after providing reasonable
>>>>> time for a company to issue patches, etc. (That is, I am talking about what
>>>>> happens after responsible disclosure fails and security researchers find
>>>>> themselves facing a choice between being sued or divulging the necessary
>>>>> details of the vulnerability for the public good and safety in order to
>>>>> force a company's hand at taking corrective action or making the public
>>>>> aware so they can avoid purchasing said product.)
>>>>> To me, this goes beyond mere copyright evasion and DRM. Toward that end, I
>>>>> think that DRM is understandable, although an ill-conceived, if not totally
>>>>> futile, endeavor to protect copyrights. However, my understanding of DMCA
>>>>> (and Cory, please correct me if I'm wrong here) is that DMCA criminalizes
>>>>> production and dissemination of technology or knowledge of ANYTHING intended
>>>>> to circumvent access to control of copyrighted works. So for instance (and,
>>>>> this is just a hypothetical here), if a company made a pacemaker that used
>>>>> Bluetooth for remote access by doctors and the authentication / access control
>>>>> of those devices relied on obfuscation rather than (say) a secure encrypted
>>>>> communication channel, a security researcher who revealed this could
>>>>> potentially face a lawsuit by the pacemaker manufacturer because revealing
>>>>> details of any authentication bypass could infringe on that company's
>>>>> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
>>>>> with the explosion of IoT devices, it's bound to sooner or later. (Cory, if
>>>>> you know of any real case law that you can discuss here, that might go a
>>>>> long way towards convincing folks.)
>>>>> So, what am I proposing? I would like an OWASP board member to
>>>>> propose a couple of different motions to be considered by and voted
>>>>> on by the OWASP board:
>>>>> 1) I would like to see a motion for OWASP as an organizational whole,
>>>>>    to consider support for and officially "signing" (whatever that means
>>>>>    in a legal sense) EFF's notice to W3C to protect security researchers
>>>>>    reporting on vulnerabilities in their proposed EME standard,
>>>>>    implementations thereof, or other W3C browser related technologies. That
>>>>>    is, I would like to see the "OWASP Foundation" named as a party to
>>>>>    <https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investigate-browsers>
>>>>> 2) I would like to see a motion for OWASP to at least analyze the pros and
>>>>>    cons of filing a "friend of the court" (i.e., amicus curiae) brief to stand
>>>>>    with EFF, Matthew Green, et al. in the section 1201 DMCA lawsuit that they
>>>>>    recently filed against the USG (for details see
>>>>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate>)
>>>>>    and if the perceived pros outweigh the cons, to actually proceed with
>>>>>    filing an amicus brief.
>>>>> It is my understanding that someone presently on the OWASP Board has to
>>>>> bring forth these as motions before the board. (Note: If I am mistaken
>>>>> about that, I will gladly do it myself.)  So who on the board will
>>>>> stand up against DMCA and similar legislation in other countries that
>>>>> Cory outlined in a follow-up post to the OWASP leaders list?  I personally
>>>>> do not believe that either of these proposals for motions is partisan
>>>>> from a political perspective and I think that both support our stated
>>>>> core purpose of being "the thriving global community that drives visibility
>>>>> and evolution in the safety and security of the world’s software".
>>>>> So, let us do what we can as individuals, but let us remember that our
>>>>> community voice together is much louder than it is speaking alone.
>>>>> Thank you all for listening and considering my thoughts in earnest.
>>>>> -kevin
>>>>> --
>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>> @KevinWWall
>>>>> NSA: All your crypto bit are belong to us.
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer