[Owasp-board] Let's stand together against DCMA and similar laws

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 11 18:29:12 UTC 2016

Thanks for pointing that out

This is the page of the committee that needs to be approved by the board:

The next step is to submit this info to a board meeting and wait for the approval.

If you can assist us with this process to make it faster and more
effective, please let us know


On Thu, Aug 11, 2016 at 2:26 PM, Tiffany Long <tiffany.long at owasp.org>

> Hey Johanna,
> That is a link to how committees can be set up. I don't see
> acknowledgement of this committee on the page. Has the committee gone
> through board approval and simply not been set up with a wiki page or is
> this the wrong link?
> -Tiffany
> Tiffany Long
> Community Manager
> On Thu, Aug 11, 2016 at 10:37 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Hi Tiffany
>> The committee has been set up here:
>> https://owasp.org/index.php/Governance/OWASP_Committees
>> As I explained in another email in this same email chain, we do comply
>> with the requirements for this committee, so this is done ;-)
>> The next step involves requesting the board to officially approve the
>> committee.
>> Also, staff can be part of the committee, so please join us ;-) if you
>> want, feel free to add your name.
>> Cheers
>> Johanna
>> On Thu, Aug 11, 2016 at 12:43 PM, Tiffany Long <tiffany.long at owasp.org>
>> wrote:
>>> Hey Kevin,
>>> You are not the only person interested in this initiative (which I
>>> believe we spoke about in Las Vegas? If not, I have another person to put
>>> you in contact with as well). As OWASP is a volunteer-run organization,
>>> the best way for you to move this process along is bottom up rather than
>>> top down. The Committees 2.0
>>> <https://tracking.cirrusinsight.com/c6621019-08d4-469b-a783-f3ab54583653/owasp-org-index-php-governance-owasp-committees> is
>>> a great way to address this situation on a larger scale. For example, as
>>> you form a committee you should ask a wider question--perhaps "What is the
>>> role of security-oriented organizations like OWASP and how do we fill that
>>> role according to the OWASP core principles?" This proposal is likely only
>>> part of the answer to your question. As such, by forming a committee and
>>> driving forward using that tool you can actually craft a sustainable and
>>> flexible suite of actions to achieve your goal with the OWASP organization
>>> and brand behind you.
>>> Rallying the community around the cause before proposing these answers
>>> to the board empowers the board to broadly support you rather than taking
>>> slow, narrow action, and allows the community a strong and direct say in
>>> the manner of response. This course also multiplies the number of
>>> individual voices advocating for the cause, basically doing double duty.
>>> If you are interested in this, we can discuss how I can support you
>>> moving forward. The support can be anything from strategy re: forming the
>>> committee to a suite of outreach tools to a sounding board for recruitment
>>> or ideas.
>>> Tiffany Long
>>> Community Manager
>>> On Thu, Aug 11, 2016 at 7:18 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>> I would second the motion to start the process.
>>>> Andrew, with AppSecUSA coming up, it's a perfect opportunity to get
>>>> people into a room together and TALK about it live.
>>>> Cory, are you interested in coming out to www.appsecusa.org in Washington
>>>> DC to discuss this in a face-to-face, open forum with OWASP experts from
>>>> around the world?
>>>> Tom Brennan
>>>> GPG ID: DC6AA149
>>>> https://www.linkedin.com/in/tombrennan
>>>> On Thu, Aug 11, 2016 at 10:13 AM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>> Hi Kevin
>>>>> As I mentioned, I am interested. Not getting a response from the Board
>>>>> in 13 hours is not ideal, but at least give us 24 hours to respond.
>>>>> Is anyone else on the Board interested in helping?
>>>>> thanks
>>>>> Andrew
>>>>> On Thu, Aug 11, 2016 at 11:57 PM, Kevin W. Wall <
>>>>> kevin.w.wall at gmail.com> wrote:
>>>>>> Johanna,
>>>>>> I'm fine with considering proposing a committee to address this, but
>>>>>> if Cory or I can't get people to take the relatively low effort
>>>>>> of responding to a mailing list, I'm not sure how much more OWASP members
>>>>>> will respond to / assist with any committee work that needs to be done.
>>>>>> If there is anyone besides Johanna who might be willing to help with
>>>>>> such a committee, please let me know.
>>>>>> -kevin
>>>>>> --
>>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>>> @KevinWWall
>>>>>> NSA: All your crypto bit are belong to us.
>>>>>> On Aug 10, 2016 9:51 PM, "johanna curiel curiel" <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>> Hi Kevin,
>>>>>>> I think we need a team of organized volunteers that can take care of
>>>>>>> these initiatives and take on the task of responding or taking action.
>>>>>>> As you can see, sending things to the mailing list gets almost no
>>>>>>> feedback and that's a shame.
>>>>>>> If you want to see action from OWASP as an organization, within the
>>>>>>> OWASP bylaws we can form a Committee in order to propose a specific
>>>>>>> action that we submit to the board with regard to these laws.
>>>>>>> https://owasp.org/index.php/Governance/OWASP_Committees
>>>>>>> If you want to lead this committee, I'll support you by being part of
>>>>>>> it.
>>>>>>> Let me know; we just need to form the committee with other OWASP
>>>>>>> community members that support this action and we submit this proposal
>>>>>>> officially as a committee to 'protect security researchers reporting
>>>>>>> on vulnerabilities'. We need to define the details in this proposal and
>>>>>>> submit it to be approved by the board once it is ready.
>>>>>>> They can vote to approve or deny our motion during the next OWASP
>>>>>>> Board meeting.
>>>>>>> Regards
>>>>>>> Johanna
>>>>>>> On Wed, Aug 10, 2016 at 8:25 PM, Kevin W. Wall <
>>>>>>> kevin.w.wall at gmail.com> wrote:
>>>>>>>> OWASP Board members,
>>>>>>>>
>>>>>>>> One day ago, I cross-posted to the OWASP Leader's mailing list (see
>>>>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2016-August/017095.html)
>>>>>>>> an earlier post that Cory Doctorow had originally posted to the OWASP
>>>>>>>> Community list back on June 2nd. I did so because Cory said that NO ONE
>>>>>>>> had responded to his original post. After having the privilege of
>>>>>>>> talking about the current state of DRM and DMCA affairs and hearing
>>>>>>>> W3C's venturing into dangerous waters with their DRM-like technology
>>>>>>>> known as Encrypted Media Extension (EME), it seemed to me that as a
>>>>>>>> community, this is something that affects many of us, potentially in
>>>>>>>> some very bad ways.
>>>>>>>>
>>>>>>>> I've contacted Cory to have my name added to EFF's list of people
>>>>>>>> protesting the W3C's EME technology without providing an exclusion for
>>>>>>>> security researchers reporting on browser vulnerabilities. I know that
>>>>>>>> other OWASP members have as well, and I'm happy for that. But
>>>>>>>> realistically, as individuals, our voices do not carry as much weight
>>>>>>>> as they would if we spoke with a collective voice.
>>>>>>>>
>>>>>>>> So myself and a few other OWASP members have questioned what we could
>>>>>>>> do as a _community_ to come out against DMCA and similar laws. Whatever
>>>>>>>> your feelings are about DRM, I think that most of you feel that it is
>>>>>>>> wrong for a company to hide behind DRM and DMCA in an attempt to
>>>>>>>> prevent product vulnerabilities from being publicly revealed after
>>>>>>>> providing reasonable time for a company to issue patches, etc. (That
>>>>>>>> is, I am talking about what happens after responsible disclosure fails
>>>>>>>> and security researchers find themselves facing a choice between being
>>>>>>>> sued or divulging the necessary details of the vulnerability for the
>>>>>>>> public good and safety in order to force a company's hand at taking
>>>>>>>> corrective action or making the public aware so they can avoid
>>>>>>>> purchasing said product.)
>>>>>>>>
>>>>>>>> To me, this goes beyond mere copyright evasion and DRM. Toward that
>>>>>>>> end, I think that DRM is understandable, although an ill-conceived, if
>>>>>>>> not totally futile, endeavor to protect copyrights. However, my
>>>>>>>> understanding of DMCA (and Cory, please correct me if I'm wrong here)
>>>>>>>> is that DMCA criminalizes production and dissemination of technology
>>>>>>>> or knowledge of ANYTHING intended to circumvent access controls on
>>>>>>>> copyrighted works. So for instance (and this is just a hypothetical
>>>>>>>> here), if a company made a pacemaker that used Bluetooth for remote
>>>>>>>> access by doctors and the authentication / access control of those
>>>>>>>> devices relied on obfuscation rather than (say) a secure encrypted
>>>>>>>> communication channel, a security researcher who revealed this could
>>>>>>>> potentially face a lawsuit by the pacemaker manufacturer because
>>>>>>>> revealing details of any authentication bypass could infringe on that
>>>>>>>> company's copyrighted IP. Has that happened yet? Well, not to my
>>>>>>>> knowledge, but with the explosion of IoT devices, it's bound to sooner
>>>>>>>> or later. (Cory, if you know of any real case law that you can discuss
>>>>>>>> here, that might go a long way towards convincing folks.)
>>>>>>>>
>>>>>>>> So, what am I proposing? I would like an OWASP board member to
>>>>>>>> propose a couple of different motions to be considered by and voted
>>>>>>>> on by the OWASP board:
>>>>>>>>
>>>>>>>> 1) I would like to see a motion for OWASP, as an organizational whole,
>>>>>>>>    to consider support for and officially "signing" (whatever that
>>>>>>>>    means in a legal sense) EFF's notice to W3C to protect security
>>>>>>>>    researchers reporting on vulnerabilities in their proposed EME
>>>>>>>>    standard, implementations thereof, or other W3C browser-related
>>>>>>>>    technologies. That is, I would like to see the "OWASP Foundation"
>>>>>>>>    named as a party to
>>>>>>>>    <https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investigate-browsers>
>>>>>>>>
>>>>>>>> 2) I would like to see a motion for OWASP to at least analyze the pros
>>>>>>>>    and cons of filing a "friend of the court" (i.e., amicus curiae)
>>>>>>>>    brief to stand with EFF, Matthew Green, et al. in the section 1201
>>>>>>>>    DMCA lawsuit that they recently filed against the USG (for details
>>>>>>>>    see
>>>>>>>>    <https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate>)
>>>>>>>>    and, if the perceived pros outweigh the cons, to actually proceed
>>>>>>>>    with filing an amicus brief.
>>>>>>>>
>>>>>>>> It is my understanding that someone presently on the OWASP Board has
>>>>>>>> to bring forth these as motions before the board. (Note: If I am
>>>>>>>> mistaken about that, I will gladly do it myself.) So who on the board
>>>>>>>> will stand up against DMCA and similar legislation in other countries
>>>>>>>> that Cory outlined in a follow-up post to the OWASP leaders list? I
>>>>>>>> personally do not believe that either of these proposals for motions
>>>>>>>> is partisan from a political perspective and I think that both support
>>>>>>>> our stated core purpose of being "the thriving global community that
>>>>>>>> drives visibility and evolution in the safety and security of the
>>>>>>>> world's software".
>>>>>>>>
>>>>>>>> So, let us do what we can as individuals, but let us remember that our
>>>>>>>> community voice together is much louder than it is speaking alone.
>>>>>>>>
>>>>>>>> Thank you all for listening and considering my thoughts in earnest.
>>>>>>>>
>>>>>>>> -kevin
>>>>>>>> --
>>>>>>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>>>>>>> @KevinWWall
>>>>>>>> NSA: All your crypto bit are belong to us.
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>> OWASP Volunteer
>> --
>> Johanna Curiel
>> OWASP Volunteer

Johanna Curiel
OWASP Volunteer
