[Owasp-board] Let's stand together against DCMA and similar laws

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 11 17:37:11 UTC 2016

Hi Tiffany

The committee has been setup here:

Like I explained on another email on this same email chain, we do comply
with the requirements for this committee, so this is done ;-)

The next step involves requesting the board to approve officially the
committee .

Also, staff can be part of the committee, so please join us ;-) if you want
, feel free to add you name.



On Thu, Aug 11, 2016 at 12:43 PM, Tiffany Long <tiffany.long at owasp.org>

> Hey Kevin,
> You are not the only person interested in this initiative (Which I believe
> we spoke about in Las Vegas?  If not, I have another person to put you in
> contact with as well).  As OWASP is a volunteer run organization  the best
> way for you to move this process along is bottom up rather than top down. The
> Committees 2.0
> <https://tracking.cirrusinsight.com/c6621019-08d4-469b-a783-f3ab54583653/owasp-org-index-php-governance-owasp-committees> is
> a great way to address this situation on a larger scale.  For example, as
> you form a committee you should ask a wider question--perhaps "What is the
> role of security oriented organizations like OWASP and how do we fill that
> role according to the OWASP core principles?"  This proposal is likely only
> part of the answer to your question. As such, by forming a committee and
> driving forward using that tool you can actually craft a sustainable and
> flexible suite of actions to achieve your goal with the OWASP organization
> and brand behind you.
> Rallying the community around the cause before proposing these answers to
> the board empowers the board to broadly support you rather than taking
> slow, narrow action  and allows the community strong and direct say in the
> manner of response. This course also multiplies the number of individual
> voices advocating for the cause basically doing double duty.
> If you are interested in this, we can discuss how I can support you moving
> forward.  The support can be anything from strategy re forming the
> committee to a suite of outreach tools to sounding board for recruitment or
> ideas.
> Tiffany Long
> Community Manager
> On Thu, Aug 11, 2016 at 7:18 AM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>> I would second the motion to start the process.
>> Andrew with AppSecUSA coming up perfect opportunity to get people into a
>> room together and TALK about it life.
>> Cory, can intrested in coming out to www.appsecusa.org in Washington DC
>> to discuss this in a face-to-face, open-forum with OWASP experts from
>> around the world?
>> Tom Brennan
>> GPG ID: DC6AA149
>> https://www.linkedin.com/in/tombrennan
>> On Thu, Aug 11, 2016 at 10:13 AM, Andrew van der Stock <
>> vanderaj at owasp.org> wrote:
>>> Hi Kevin
>>> As I mentioned, I am interested. Not getting a response from the Board
>>> in 13 hours is not ideal, but at least give us 24 hours to respond.
>>> Is anyone else on the Board interested in helping?
>>> thanks
>>> Andrew
>>> On Thu, Aug 11, 2016 at 11:57 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> wrote:
>>>> Johanna,
>>>> I'm fine with considering proposing a committee to address this, but if
>>>> Cory or myself can't can't get people to take the relatively low effort of
>>>> responding to a mailing list, I'm not sure how much more OWASP members will
>>>> respond to / assist with any committee work that needs to be done.
>>>> If there is anyone besides Johanna who might be willing to help with
>>>> such a committee, please let me know.
>>>> -kevin
>>>> --
>>>> Blog: http://off-the-wall-security.blogspot.com/.   | Twitter:
>>>> @KevinWWall
>>>> NSA: All your crypto bit are belong to us.
>>>> On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <
>>>> johanna.curiel at owasp.org> wrote:
>>>>> Hi Kevin,
>>>>> I think we need a team of organized volunteers that can take care of
>>>>> these initiatives and take the task of responding or take actions.As you
>>>>> can see, sending things to mailing list have almost no feedback and that's
>>>>> a shame.
>>>>> If you want to see an action from OWASP as an organization, within
>>>>> OWASP bylaws we can form a Committee in order to propose a specific action
>>>>> that we submit to the board with regards these laws.
>>>>> https://owasp.org/index.php/Governance/OWASP_Committees
>>>>> If you want to lead this committee,I'll support you as being part of
>>>>> it.
>>>>> Let me know, we just need to form the committee with other Owasp
>>>>> community members that support this action and we submit this proposal
>>>>> officially as a committee to 'protect security researchers reporting
>>>>> on vulnerabilities'. We need to define the details in this proposal and we
>>>>> submit it to be approved by the board once is ready.
>>>>> They can vote to approve or deny our motion during a next OWASP Board
>>>>> meeting.
>>>>> Regards
>>>>> Johanna
>>>>> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com
>>>>> > wrote:
>>>>>> OWASP Board members,
>>>>>> One day ago, I cross-posted to the OWASP Leader's mailing list (see
>>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/0
>>>>>> 17095.html)
>>>>>> an earlier post that Cory Doctorow had originally posted to the OWASP
>>>>>> Community list back on June 2nd. I did so because Cory said that NO
>>>>>> ONE
>>>>>> had responded to his original post. After having the privilege of
>>>>>> talking
>>>>>> about the current state of DRM and DCMA affairs and hearing W3C's
>>>>>> venturing
>>>>>> into dangerous waters with their DRM-like technology known as
>>>>>> Encrypted
>>>>>> Media Extension (EME), it seemed to me that as a community, this is
>>>>>> something
>>>>>> that affects many off us, potentially in some very bad ways.
>>>>>> I've contacted Cory to have my name added to EFF's list of people
>>>>>> protesting
>>>>>> the W3C's EME technology without providing an exclusion for security
>>>>>> researchers reporting on browser vulnerabilities. I know that other
>>>>>> OWASP
>>>>>> members have as well, and I'm happy for that. But realistically, as
>>>>>> individuals,
>>>>>> our voices do not carry much weight is it would if we spoke with a
>>>>>> collective
>>>>>> voice.
>>>>>> So myself and a few other OWASP members have said questioned what
>>>>>> could we
>>>>>> do as a _community_ to come against DCMA and similar laws.  Whatever
>>>>>> your
>>>>>> feelings are about DRM, I think that most of you feel that it is
>>>>>> wrong for
>>>>>> a company to hide behind DRM and DMCA in an attempt to prevent product
>>>>>> vulnerabilities from being publicly revealed after providing
>>>>>> reasonable
>>>>>> time for a company to issue patches, etc. (That is, I am talking
>>>>>> about what
>>>>>> happens after responsible disclosure fails and security researchers
>>>>>> finds
>>>>>> themselves facing a choice between being sued or divulging the
>>>>>> necessary
>>>>>> details of the vulnerability for the public good and safety in order
>>>>>> to
>>>>>> force a company's hand at taking corrective action or making the
>>>>>> public
>>>>>> aware so they can avoid purchasing said product.)
>>>>>> To me, this goes beyond mere copyright evasion and DRM. Toward that
>>>>>> end, I
>>>>>> think that DRM is understandable, although an ill-conceived, if not
>>>>>> totally
>>>>>> futile endeavor to protect copyrights. However, my understanding of
>>>>>> DMCA
>>>>>> (and Cory, please correct me if I'm wrong here) is that DMCA
>>>>>> criminalizes
>>>>>> production and dissemination of technogly or knowledge of ANYTHING
>>>>>> intended
>>>>>> to circumvent access to control of copyrighted works. So for instance
>>>>>> (and,
>>>>>> this is just a hypothetical here), if a company made a pacemaker that
>>>>>> used
>>>>>> Bluetooth for remote access by doctors and the authentication /
>>>>>> access control
>>>>>> of those devices relied on obfuscation rather than (say) a secure
>>>>>> encrypted
>>>>>> communication channel, a security researcher who revealed this could
>>>>>> potentially face a lawsuit by the pacemaker manufacturer because
>>>>>> revealing
>>>>>> details of any authentication bypass could infringe on that company's
>>>>>> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
>>>>>> with the explosion of IoT devices, it's bound to sooner or later.
>>>>>> (Cory, if
>>>>>> you know of any real case law that you can discuss here, that might
>>>>>> go a
>>>>>> long way towards convincing folks.)
>>>>>> So, what am I proposing? I would like an OWASP board member to
>>>>>> propose a couple of different motions to be considered by and voted
>>>>>> on by the OWASP board:
>>>>>> 1) I would like to see a motion for OWASP as an organizational whole,
>>>>>>    consider support for and officially "signing" (whatever that means
>>>>>>    in a legal sense) EFF's notice to W3C to protect security
>>>>>> researchers
>>>>>>    reporting on vulnerabilities in their proposed EME standard,
>>>>>>    implementations thereof, or other W3C browser related
>>>>>> technologies. That
>>>>>>    is, I would like to see the "OWASP Foundation" named as a party to
>>>>>> <https://www.eff.org/deeplinks/2016/03/security-researchers-
>>>>>> tell-w3c-protect-researchers-who-investigate-browsers>
>>>>>> 2) I would like to see a motion for OWASP to at least analyze the
>>>>>> pros and
>>>>>>    cons of filing a "friend of the court" (i.e, amicus curiae) brief
>>>>>> to stand
>>>>>>    with EFF, Matthew Green, et al in the section 1210 DMCA lawsuit
>>>>>> that they
>>>>>>    recently filed against the USG (for details see
>>>>>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-
>>>>>> section-1201-research-and-technology-restrictions-violate>)
>>>>>>    and if the perceived pros outweigh the cons, to actually proceed
>>>>>> with
>>>>>>    filing an amicus brief.
>>>>>> It is my understanding that someone presently on the OWASP Board has
>>>>>> to
>>>>>> bring forth these as motions before the board. (Note: If I am mistaken
>>>>>> about that, I will gladly do it myself.)  So who on the board will
>>>>>> stand up against DCMA and similar legislation in other countries that
>>>>>> Cory outlined in a follow-up post to the OWASP leaders list?  I
>>>>>> personally
>>>>>> do not believe that either of these proposals for motions are partisan
>>>>>> from a political perspective and I think that both support our stated
>>>>>> core purpose of being "the thriving global community that drives
>>>>>> visibility
>>>>>> and evolution in the safety and security of the world’s software".
>>>>>> So, let us do what we can as individuals, but let us remember that our
>>>>>> community voice together is much louder than it is speaking alone.
>>>>>> Thanks you all for listening and considering my thoughts in earnest.
>>>>>> -kevin
>>>>>> --
>>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>>> @KevinWWall
>>>>>> NSA: All your crypto bit are belong to us.
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> The information contained in this message and any attachments may be
>> privileged, confidential, proprietary or otherwise protected from
>> disclosure. If you, the reader of this message, are not the intended
>> recipient, you are hereby notified that any dissemination, distribution,
>> copying or use of this message and any attachment is strictly prohibited.
>> If you have received this message in error, please notify the sender
>> immediately by replying to the message, permanently delete it from your
>> computer and destroy any printout.
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160811/e5c9c90f/attachment-0001.html>

More information about the Owasp-board mailing list