[Owasp-board] Fwd: Funding and Iran follow up
bev.corwin at owasp.org
Wed Aug 24 21:05:08 UTC 2016
Just wondering if anyone remembers - Didn't OWASP have a similar situation
in one of the African chapters where there were limited sanctions? Didn't
Paul have a lawyer review it? Are there any records available from that?
Does anyone know who that lawyer was?
On Wed, Aug 24, 2016 at 12:04 PM, Matt Tesauro <matt.tesauro at owasp.org>
> ---------- Forwarded message ----------
>> From: Ali Razmjoo <ali.razmjoo at owasp.org>
>> Date: Wed, Aug 24, 2016 at 11:32 AM
>> Subject: Re: [Owasp-board] Funding and Iran follow up
>> To: Matt Tesauro <matt.tesauro at owasp.org>
>> Cc: johanna curiel curiel <johanna.curiel at owasp.org>, OWASP Board List <
>> owasp-board at lists.owasp.org>, Reza Espargham <reza.espargham at owasp.org>
>> Hello All,
>> @Johanna Thank you for this great subject,
>> After the Iran nuclear deal many of the sanctions were lifted, and BTW I personally
>> didn't get any support from OWASP yet (Just once I used the google cloud
>> service for a few minutes/hours), and just like you said, Projects are
>> opensource and mostly hosted on github, there are more contributors from
>> India and ..., so it shouldn't be any trouble here!
>> Iranian members are just helping the application security so I don't
>> think any big consequences are coming for OWASP. Abbas also is living in
>> Virginia and BTW he isn't present in the Iran community anymore.
>> Currently OWASP has two active projects which have Iranian leaders (VBScan
>> and ZSC) and both are growing very fast. I think OWASP Board members should
>> try to find a way to support these projects, in this case by supporting
>> Iranians or projects or the projects that Iranians are working on, we can have
>> an appsec conference in Iran soon ...
>> I understand that right now OWASP can't fund us directly but it could
>> support and invest in other ways. Sanctions are not stable anymore and I
>> hope they will be all lifted soon, and OWASP could be the first foreign
>> community/org to be present here after the political deals.
>> BTW I don't know what kind of risk you are talking about if there isn't
>> any economic exchange?!!
> I don't know of the specific risk and that's the point - these are
> _potential_ risks. I've not read the current statutes/laws on the US Iran
> sanctions. Even if I had, I am not a lawyer nor is anyone on this list to
> my knowledge.
> I do know that there are some sort of sanctions placed on Iran by the US
> government and the OWASP Foundation is a charity under US law. I do know
> that in some cases, the specific language of sanctions in the past has
> included phrases like "material support" which is more than just
> financial/funds exchange. I have no clue if that's part of the current
> Iran sanctions.
> Since none of us know or have the specific legal background to make
> reasonable recommendations, the Foundation is going to talk to those that
> Based on the advice provided by those with legal backgrounds in US law
> hired by the Foundation, I see one of two things happening:
> (1) Nothing changes. What we have done in the past is acceptable under US
> (2) Something changes so that the Foundation complies with the current US
> laws around Iran sanctions.
> So, please be patient while we gather the information the Board needs to
> make one of those choices above.
> Here's a non-authoritative resource on what 'material support' means
> to get an idea of what _may_ potentially be in scope:
> -- Matt Tesauro
>> Sincerely yours,
>> Ali Razmjoo <https://twitter.com/Ali_Razmjo0>
>> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
>> OWASP ZSC Project Leader
>> On Wed, Aug 24, 2016 at 7:43 PM, Matt Tesauro <matt.tesauro at owasp.org>
>>> Answering inline for sake of efficiency...
>>> TLDR: The Foundation noticed a potential problem, realized that
>>> understanding the problem will require expertise it doesn't have and the
>>> Foundation is getting the advice from those that do have expertise in that
>>> On Wed, Aug 24, 2016 at 9:04 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Board members,
>>>> The following issue was mentioned during the board meeting yesterday:
>>>> "Projects, Funding and Iran - Matt Tesauro & Claudia Casanovas
>>>> We have several projects with leaders or co-leaders located in Iran.
>>>> This makes funding those projects problematic due to the OWASP Foundation
>>>> being a US charity and the economic sanctions imposed by the US. For
>>>> background, see the US Dept of State Iran Sanction site
>>>> <http://www.state.gov/e/eb/tfs/spi/iran/index.htm>. Details of the
>>>> projects in question are in the Projects Report for this month, slide 5
>>>> *Since any funding of activities in Iran represents a risk to the
>>>> Foundation, the staff is asking for the board to determine how the
>>>> Foundation will interact with any community members or project leaders
>>>> which are located in Iran*"
>>>> Now that this issue has been raised after so many years having a
>>>> Project Leader from Iran (Abbas Naderi) and even a project leader that was
>>>> considered to be part of the board and was a board candidate, I'm
>>>> requesting a clarification and solution, meaning that once you have raised
>>>> this subject, the situation should be clarified asap.
>>> The existence of a risk and the knowledge of that risk being a factor
>>> for an entity are two separate things. Let me use an analogy to make this
>>> If I drive on a road at 45 miles per hour (mph) without knowing the
>>> posted / legal speed limit and that limit is 35 mph, I am at risk of
>>> getting a speeding ticket. I could drive for an arbitrary amount of time
>>> not realizing the speed limit of that road and therefore not realizing the
>>> risk I was taking. If a passenger in the car suggested to me that the
>>> speed limit may be lower than 45 mph, I would then be aware of a potential
>>> risk and, should I not want a speeding ticket, I would do the work to
>>> determine what the speed limit is on that road - and maybe even drive a bit
>>> slower until I knew for sure.
>>> That is the essence of what has happened here. Timing or the parties
>>> involved had nothing to do with the realization that there _may_ be legal
>>> problems when the Foundation interacts with parties in Iran. You were on
>>> the email thread where this issue was raised - I don't recall who raised
>>> the issue but that is, to be honest, irrelevant.
>>>> I did consult a lawyer but he mentioned that in this case, being OWASP
>>>> a US non-profit foundation, to consult a lawyer knowledgeable in these
>>>> matters, not just any lawyer.
>>> I am not sure who the 'he' is in the above sentence but the Board, as a
>>> whole, took the action to have Kate engage with the law firm the Foundation
>>> has retained to look into this matter and determine both what the current
>>> laws of the US say about interaction with Iran and what, if any, exposure
>>> to legal risk/sanction the Foundation. I agree with the Board's decision
>>> that, since none of us in the Board meeting had any expertise in these
>>> matters, utilizing the services of the Foundation's law firm was a valid
>>> method to determine our risk and make an informed decision on how best to
>>> interact with the OWASP community in Iran.
>>> I find it very regrettable that because of actions of various government
>>> bodies, we need to take this extra step with the OWASP community in Iran
>>> but as much as the Internet has removed borders for communication and
>>> information sharing, we all live in one or another country and are subject
>>> to that country's laws.
>>> I'd also like to note that the fact that the Foundation wants to
>>> understand any legal risks that may exist in this case DOES NOT lessen the
>>> value the OWASP community places on the contributions from those
>>> community members in Iran.
>>>> So far, none of the Iranian leaders have received any goods or
>>>> financial support from OWASP. There is no commercial exchange between
>>>> Iranian leaders and OWASP, however, the restrictions go so far as including
>>>> exchange of services or goods, or any kind of financial support, such as
>>>> sponsoring. In this case, many of the support/services provided by OWASP,
>>>> could be seen as an exchange of services.
>>>> I'm not a lawyer and since we are talking about a very specific
>>>> situation, OWASP needs to define this situation asap because the
>>>> consequences for OWASP can be quite big.
>>> Nor was anyone on the Board call yesterday, hence the action to reach
>>> out to the Foundation's retained law firm. I do not know if US law
>>> only covers funding or 'material support', nor is speculating particularly
>>> useful; hence the use of a lawyer.
>>>> *One of the projects that I co-lead, is technically nor can be
>>>> considered an 'Iranian' project, so please let's not call it that way. The
>>>> Projects are not from Iran, the projects are open source, anyone can reach
>>>> them and they are co-led/led by someone from Iran. So please, correct
>>>> this naming that brings confusion and the wrong tone to this issue.*
>>> I appreciate that, in your opinion the project you co-lead isn't subject
>>> to the Iran sanctions, but I'd much prefer to get an opinion from a legal
>>> expert - which is what the Foundation is doing.
>>>> Given this situation, it is clear that OWASP requires the advice of a
>>>> knowledgeable lawyer specialised in these cases, considering also that some
>>>> of the sanctions have been lifted and what that means for OWASP if it provides
>>>> support of goods or services.
>>> Yup. That's exactly what the Board said it was going to do on the call
>>> you attended yesterday. The call was recorded and should be posted in the
>>> next day or two.
>>>> Please let us know asap, the next steps. I hope there are some actions
>>>> after this issue has been raised, so Ali and Reza, including me, know what
>>>> to expect.
>>> Once the Foundation has received advice from their legal firm and
>>> understands what, if any, changes need to happen with community members in
>>> Iran, we'll not only let those involved know but will document it
>>> publicly. O is for Open after all.
>>> -- Matt Tesauro
>>>> Johanna Curiel
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>> Johanna Curiel
>> OWASP Volunteer