[Owasp-board] Let's stand together against DCMA and similar laws

Tiffany Long tiffany.long at owasp.org
Thu Aug 11 18:26:08 UTC 2016

Hey Johanna,

That is a link to how committees can be set up. I don't see
acknowledgement of this committee on the page. Has the committee gone
through board approval and simply not been set up with a wiki page, or is
this the wrong link?


Tiffany Long
Community Manager

On Thu, Aug 11, 2016 at 10:37 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Tiffany
> The committee has been set up here:
> https://owasp.org/index.php/Governance/OWASP_Committees
> Like I explained in another email on this same email chain, we do comply
> with the requirements for this committee, so this is done ;-)
> The next step involves requesting the board to officially approve the
> committee.
> Also, staff can be part of the committee, so please join us ;-) If you
> want, feel free to add your name.
> Cheers
> Johanna
> On Thu, Aug 11, 2016 at 12:43 PM, Tiffany Long <tiffany.long at owasp.org>
> wrote:
>> Hey Kevin,
>> You are not the only person interested in this initiative (which I
>> believe we spoke about in Las Vegas? If not, I have another person to put
>> you in contact with as well). As OWASP is a volunteer-run organization,
>> the best way for you to move this process along is bottom-up rather than
>> top-down. The Committees 2.0
>> <https://tracking.cirrusinsight.com/c6621019-08d4-469b-a783-f3ab54583653/owasp-org-index-php-governance-owasp-committees> is
>> a great way to address this situation on a larger scale. For example, as
>> you form a committee you should ask a wider question, perhaps "What is the
>> role of security-oriented organizations like OWASP, and how do we fill that
>> role according to the OWASP core principles?" This proposal is likely only
>> part of the answer to your question. As such, by forming a committee and
>> driving forward using that tool, you can actually craft a sustainable and
>> flexible suite of actions to achieve your goal with the OWASP organization
>> and brand behind you.
>> Rallying the community around the cause before proposing these answers to
>> the board empowers the board to broadly support you rather than taking
>> slow, narrow action, and allows the community a strong and direct say in the
>> manner of response. This course also multiplies the number of individual
>> voices advocating for the cause, basically doing double duty.
>> If you are interested in this, we can discuss how I can support you
>> moving forward. The support can be anything from strategy re: forming the
>> committee, to a suite of outreach tools, to a sounding board for recruitment or
>> ideas.
>> Tiffany Long
>> Community Manager
>> On Thu, Aug 11, 2016 at 7:18 AM, Tom Brennan - OWASP <tomb at owasp.org>
>> wrote:
>>> I would second the motion to start the process.
>>> Andrew, with AppSecUSA coming up, it's a perfect opportunity to get people into a
>>> room together and TALK about it live.
>>> Cory, are you interested in coming out to www.appsecusa.org in Washington DC
>>> to discuss this in a face-to-face, open forum with OWASP experts from
>>> around the world?
>>> Tom Brennan
>>> GPG ID: DC6AA149
>>> https://www.linkedin.com/in/tombrennan
>>> On Thu, Aug 11, 2016 at 10:13 AM, Andrew van der Stock <
>>> vanderaj at owasp.org> wrote:
>>>> Hi Kevin
>>>> As I mentioned, I am interested. Not getting a response from the Board
>>>> in 13 hours is not ideal, but at least give us 24 hours to respond.
>>>> Is anyone else on the Board interested in helping?
>>>> thanks
>>>> Andrew
>>>> On Thu, Aug 11, 2016 at 11:57 PM, Kevin W. Wall <kevin.w.wall at gmail.com
>>>> > wrote:
>>>>> Johanna,
>>>>> I'm fine with considering proposing a committee to address this, but
>>>>> if Cory or I can't get people to take the relatively low effort
>>>>> of responding to a mailing list, I'm not sure how much more OWASP members
>>>>> will respond to / assist with any committee work that needs to be done.
>>>>> If there is anyone besides Johanna who might be willing to help with
>>>>> such a committee, please let me know.
>>>>> -kevin
>>>>> --
>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>> @KevinWWall
>>>>> NSA: All your crypto bit are belong to us.
>>>>> On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>> Hi Kevin,
>>>>>> I think we need a team of organized volunteers that can take care of
>>>>>> these initiatives and take on the task of responding or taking action. As you
>>>>>> can see, sending things to the mailing list gets almost no feedback, and that's
>>>>>> a shame.
>>>>>> If you want to see action from OWASP as an organization, within the
>>>>>> OWASP bylaws we can form a Committee in order to propose a specific action
>>>>>> that we submit to the board with regard to these laws.
>>>>>> https://owasp.org/index.php/Governance/OWASP_Committees
>>>>>> If you want to lead this committee, I'll support you by being part of
>>>>>> it.
>>>>>> Let me know; we just need to form the committee with other OWASP
>>>>>> community members that support this action, and we submit this proposal
>>>>>> officially as a committee to 'protect security researchers reporting
>>>>>> on vulnerabilities'. We need to define the details in this proposal, and we
>>>>>> submit it to be approved by the board once it is ready.
>>>>>> They can vote to approve or deny our motion during the next OWASP
>>>>>> Board meeting.
>>>>>> Regards
>>>>>> Johanna
>>>>>> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <
>>>>>> kevin.w.wall at gmail.com> wrote:
>>>>>>> OWASP Board members,
>>>>>>> One day ago, I cross-posted to the OWASP Leaders mailing list (see
>>>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
>>>>>>> an earlier post that Cory Doctorow had originally posted to the OWASP
>>>>>>> Community list back on June 2nd. I did so because Cory said that NO ONE
>>>>>>> had responded to his original post. After having the privilege of talking
>>>>>>> about the current state of DRM and DMCA affairs and hearing of W3C's venturing
>>>>>>> into dangerous waters with their DRM-like technology known as Encrypted
>>>>>>> Media Extensions (EME), it seemed to me that as a community, this is something
>>>>>>> that affects many of us, potentially in some very bad ways.
>>>>>>> I've contacted Cory to have my name added to EFF's list of people protesting
>>>>>>> the W3C's EME technology without providing an exclusion for security
>>>>>>> researchers reporting on browser vulnerabilities. I know that other OWASP
>>>>>>> members have as well, and I'm happy for that. But realistically, as individuals,
>>>>>>> our voices do not carry as much weight as they would if we spoke with a
>>>>>>> collective voice.
>>>>>>> So myself and a few other OWASP members have questioned what we could
>>>>>>> do as a _community_ to come against DMCA and similar laws. Whatever your
>>>>>>> feelings are about DRM, I think that most of you feel that it is wrong for
>>>>>>> a company to hide behind DRM and DMCA in an attempt to prevent product
>>>>>>> vulnerabilities from being publicly revealed after providing reasonable
>>>>>>> time for a company to issue patches, etc. (That is, I am talking about what
>>>>>>> happens after responsible disclosure fails and security researchers find
>>>>>>> themselves facing a choice between being sued or divulging the necessary
>>>>>>> details of the vulnerability for the public good and safety in order to
>>>>>>> force a company's hand at taking corrective action or making the public
>>>>>>> aware so they can avoid purchasing said product.)
>>>>>>> To me, this goes beyond mere copyright evasion and DRM. Toward that end, I
>>>>>>> think that DRM is understandable, although an ill-conceived, if not totally
>>>>>>> futile, endeavor to protect copyrights. However, my understanding of DMCA
>>>>>>> (and Cory, please correct me if I'm wrong here) is that DMCA criminalizes
>>>>>>> production and dissemination of technology or knowledge of ANYTHING intended
>>>>>>> to circumvent access control of copyrighted works. So for instance (and,
>>>>>>> this is just a hypothetical here), if a company made a pacemaker that used
>>>>>>> Bluetooth for remote access by doctors and the authentication / access control
>>>>>>> of those devices relied on obfuscation rather than (say) a secure encrypted
>>>>>>> communication channel, a security researcher who revealed this could
>>>>>>> potentially face a lawsuit by the pacemaker manufacturer because revealing
>>>>>>> details of any authentication bypass could infringe on that company's
>>>>>>> copyrighted IP. Has that happened yet? Well, not to my knowledge, but
>>>>>>> with the explosion of IoT devices, it's bound to sooner or later. (Cory, if
>>>>>>> you know of any real case law that you can discuss here, that might go a
>>>>>>> long way towards convincing folks.)
>>>>>>> So, what am I proposing? I would like an OWASP board member to
>>>>>>> propose a couple of different motions to be considered by and voted
>>>>>>> on by the OWASP board:
>>>>>>> 1) I would like to see a motion for OWASP, as an organizational whole,
>>>>>>>    to consider support for and officially "signing" (whatever that means
>>>>>>>    in a legal sense) EFF's notice to W3C to protect security researchers
>>>>>>>    reporting on vulnerabilities in their proposed EME standard,
>>>>>>>    implementations thereof, or other W3C browser-related technologies. That
>>>>>>>    is, I would like to see the "OWASP Foundation" named as a party to
>>>>>>>    <https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investigate-browsers>
>>>>>>> 2) I would like to see a motion for OWASP to at least analyze the pros and
>>>>>>>    cons of filing a "friend of the court" (i.e., amicus curiae) brief to stand
>>>>>>>    with EFF, Matthew Green, et al. in the section 1201 DMCA lawsuit that they
>>>>>>>    recently filed against the USG (for details see
>>>>>>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate>)
>>>>>>>    and, if the perceived pros outweigh the cons, to actually proceed with
>>>>>>>    filing an amicus brief.
>>>>>>> It is my understanding that someone presently on the OWASP Board has to
>>>>>>> bring forth these as motions before the board. (Note: If I am mistaken
>>>>>>> about that, I will gladly do it myself.) So who on the board will
>>>>>>> stand up against DMCA and similar legislation in other countries that
>>>>>>> Cory outlined in a follow-up post to the OWASP leaders list? I personally
>>>>>>> do not believe that either of these proposals for motions is partisan
>>>>>>> from a political perspective, and I think that both support our stated
>>>>>>> core purpose of being "the thriving global community that drives visibility
>>>>>>> and evolution in the safety and security of the world’s software".
>>>>>>> So, let us do what we can as individuals, but let us remember that our
>>>>>>> community voice together is much louder than it is speaking alone.
>>>>>>> Thank you all for listening and considering my thoughts in earnest.
>>>>>>> -kevin
>>>>>>> --
>>>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>>>> @KevinWWall
>>>>>>> NSA: All your crypto bit are belong to us.
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
> --
> Johanna Curiel
> OWASP Volunteer