[Owasp-leaders] [Owasp-community] [Owasp-board] IAB Statement on the Trade in Security Technologies

Jeff Williams jeff.williams at owasp.org
Mon Jun 22 00:47:31 UTC 2015


This is a false dichotomy -- OWASP can and should do both. The Board should work to assist and support *any* idea consistent with our mission...even if...especially if... you don't think it will work.
You can't let *your* judgement influence the decision to support a project. If you do, then all we will ever get is Board ideas.  And, respectfully, I don't trust you or any other individual to think up the next great AppSec idea.
The Board shouldn't interfere at all unless somebody is doing something harmful to the organization or the mission. And even then it should try to figure out a productive path for that energy.
Again respectfully, you should get out of the way.

--Jeff




On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico" <jim.manico at owasp.org> wrote:










Jeff,
My take on this is that "talk is cheap" and that "actions are more powerful than words". I'd rather keep out of legislation and focus on making important projects like ESAPI, ASVS, Security Shepherd and others more powerful.
I am sorry you are disappointed in current board action, but there is good reason behind the perspective I am stating. Also, this is my opinion alone, not the entire board's.
Again, take a look at Whisper Systems. They are providing incredibly well created and well assessed open source projects for secure communications. These open source projects are now being integrated into various Operating Systems and other projects.
If ESAPI was not abandoned, it could have been serving our mission - planet level. I want to see it and other key projects revived and well funded.
The power of a well built security project is worth more than a thousand words. Talk is cheap. Actions that change the world take sweat, blood and staying the course even when it's no longer financially beneficial to do so.
Respectfully,
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015 in San Francisco!

On Jun 21, 2015, at 2:12 PM, Jeff Williams <jeff.williams at owasp.org> wrote:


    For the record, the IAB is part of the IETF, which *is* a 501c3.  Even though 501c3 organizations *can* do some lobbying (as long as expenditures are not substantial), the IAB is careful not to talk about legislation or urge anyone to contact representatives about legislation.

    As the creator and longtime Chair of the OWASP Board, I'm frustrated that the current Board isn't falling over themselves to support efforts like this.  IMO the whole purpose of the Board is to create a great platform to support and amplify the efforts of anyone willing to contribute to our important cause. Doesn't matter the topic, but instead of saying no or criticizing ideas or projects, figure out a way to make it work or make them better.

    In this case, and a million other topics, it would be incredibly easy to stick to the technical realities and feasibility of any approaches being discussed in the news.  No need to mention legislation.

    --Jeff

Jeff Williams  | CTO
Contrast Security
410.707.1487 | @planetlevel @contrastsec



    _____________________________
From: Jim Manico <jim.manico at owasp.org>
Sent: Sunday, June 21, 2015 7:37 PM
Subject: Re: [Owasp-leaders] [Owasp-community] [Owasp-board] IAB Statement on the Trade in Security Technologies
To: McGovern, James <james.mcgovern at hp.com>
Cc:  <owasp-community at lists.owasp.org>, OWASP Board List <owasp-board at lists.owasp.org>, owasp-leaders <owasp-leaders at lists.owasp.org>


I will - for sure - put this on the June 24th Board meeting agenda. My opinion (based on research over the years trying to understand my duty to the foundation) is to keep AWAY from any even slight attempt to influence legislation.

In general I see projects, documentation efforts and conferences doing much to unite us in our shared mission. But start discussing politics and it will go a long way to divide us as a community.

I suggest that we focus on *doing something* vs *saying something*.

Imagine funding open source projects similar to Whisper Systems or enhancing our documentation projects to be much more up to date and relevant or building professional open source training material? This is how I think the foundation can best face these issues while at the same time serve our mission while at the same time keep away from influencing legislation. :)

And for what it's worth, I strongly dislike the fact that I'm bringing these things up. I'm not trying to ruin anyone's party here. But I do feel it's my duty as your elected board member to do so.

Aloha,
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015 in San Francisco!

On Jun 21, 2015, at 1:23 PM, McGovern, James <james.mcgovern at hp.com> wrote:
   
           Jim, while you are going to the board for legal clarification, please inquire:    
        
    1. 501c3 is a US thing. Can we influence non-US government and still comply?    
    2. Understanding the US political issues sometimes will put us on a partisan path. For example, in CT I have commented in the past in a political context on why smart guns are just plain stupid. This particular issue leans more conservative/libertarian than it does Liberal. Therefore, we must attempt to understand the flow of politics on any given Sunday.    
    3. Maybe we could somehow solve this by having a policy that encourages legislators of all parties to reach out to their local chapter leader for an informed opinion.    
        
    -----Original Message-----    
    From: owasp-community-bounces at lists.owasp.org [mailto:owasp-community-bounces at lists.owasp.org] On Behalf Of Jim Manico    
    Sent: Saturday, June 20, 2015 4:37 PM    
    To: Kevin W. Wall    
    Cc: OWASP Board List; owasp-community at lists.owasp.org; owasp-leaders    
    Subject: Re: [Owasp-community] [Owasp-board] IAB Statement on the Trade in Security Technologies    
        
    I agree with you Kevin. Even the IRS is cagey about this topic.     
        
    However, this is an organization risk that I feel we should be aware of before charging too far into policy. It would behoove us to get legal review before going too far. I'll bring this up at the next board meeting.
        
    Aloha,    
    --    
    Jim Manico    
    @Manicode    
    (808) 652-3805    
        
         On Jun 20, 2015, at 9:47 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:     
                  
             Jim,     
                  
                   On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico <jim.manico at owasp.org> wrote:      
                        That is fair Michael.      
                              
                        But I do want to warn the community that this is a slippery slope, we       
                        are being watched, and trying to influence legislation is one of the       
                        few ways OWASP can lose its charitable status. And if that happens,
                        the debate about what to do with our funds will quickly change for the worse.      
                       
             I don't think that it is impossible for charitable organizations to      
             comment on public policy without losing their 501(c)(3) status, but
             it just has to be done in the right way. (However, IANAL, so I don't      
             even begin to know the details of what that "right way" would entail.)     
                  
             As a case in point, the ACM has a 501(c)(3) not-for-profit status, and      
             yet their public policy arm--the USACM--has certainly tried to      
             influence public policy. (Recall the crypto debate from the late      
             1990s? The USACM and IEEE wrote a letter to Sen. John McCain to try to      
             influence the US legislation not to pass laws to mandate weak      
             encryption. E.g., see     
             <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
                  
             So I'm guessing that the devil is in the details of how it is done.       
             In fact, according to Spaf's blog at      
             <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
             the USACM is going through this same thing again. Like I said, I am
             not a lawyer and maybe this attempt to
             influence public policy doesn't strictly qualify as "lobbying" in the      
             eyes of the IRS. But it certainly doesn't seem impossible.     
                  
             Also, we can--and should--all speak out strongly against things that      
             we believe are against the OWASP mission, but we don't have to do it      
             in a manner as representing OWASP. Do that on your personal blogs or      
             social media instead of OWASP mailing lists and there shouldn't be an      
             issue, especially if you add a short disclaimer as to how your opinion      
             does not necessarily affect the opinion of OWASP overall (in the cases when there might be some doubt).     
                  
             So perhaps if we decide that we officially want to speak out on      
             certain public policy as an organization in order to influence public      
             policy in accordance with our mission statements, then someone who      
             understands the nuances of the 501(c)(3) IRS regulations could help      
             OWASP navigate these waters.     
                  
             -kevin     
             --     
             Blog: http://off-the-wall-security.blogspot.com/     
             NSA: All your crypto bit are belong to us.     