[Owasp-leaders] [Owasp-community] [Owasp-board] IAB Statement on the Trade in Security Technologies

Jim Manico jim.manico at owasp.org
Mon Jun 22 01:35:39 UTC 2015


This is not about changing OWASP's charter. It's a warning that we are 
engaging in activity that is on the edge of trying to influence 
legislation and that we should proceed with caution.

Also, I am concerned that we are losing focus here and implore the 
community to focus less on announcements like this and to focus more on 
application security in a more direct way via projects and technical 
documentation.

- Jim

On 6/21/15 3:32 PM, Jerry Hoff wrote:
> Agreed - but I was under the strong impression this entire discussion 
> was on putting out a statement similar to the IAB.  Apologies if I 
> misunderstood. I was voicing support on that specific action.
>
> I didn't see anywhere in the thread (though I may have missed it) 
> anyone advocating political campaigning or to change the OWASP charter 
> such that influencing legislation would be a substantial activity.
>
> -- 
> Jerry Hoff
> jerry at owasp.com <mailto:jerry at owasp.com>
> @jerryhoff
>
> On Jun 21, 2015, at 21:25, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>> Jerry,
>>
>> I'm a fan of OWASP taking technical stands such as the IAB Statement 
>> on Internet Confidentiality 
>> https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/ 
>> and similar.
>>
>> What our 501(c)(3) foundation needs to steer clear of, from my 
>> understanding, is...
>>
>> 1) ... not to engage in political campaigning
>> 2) ... not to attempt to influence legislation as a substantial part 
>> of our activities
>>
>> I am no fan of NACL's but this is a very important topic.
>>
>> The exact quote from the IRS is 
>> (http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)
>>
>> "...it may not attempt to influence legislation as a substantial part 
>> of its activities and it may not participate in any campaign activity 
>> for or against political candidates..."
>>
>> So as long as our "official foundation statement" on this matter 
>> steers clear of these issues, I will support it.
>>
>> We will be discussing this at the June 24th meeting, I hope you can 
>> make it.
>>
>> https://www.owasp.org/index.php/June_24,_2015
>>
>> Aloha,
>> Jim
>>
>> On 6/21/15 3:16 PM, Jerry Hoff wrote:
>>> I believe this debate is based off wrong assumptions - for example 
>>> the EFF is 501(c)(3) and that does not prevent them from taking a 
>>> position on relevant issues as an organization.
>>>
>>> -- 
>>> Jerry Hoff
>>> jerry at owasp.com <mailto:jerry at owasp.com>
>>> @jerryhoff
>>>
>>> On Jun 21, 2015, at 21:05, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> With respect, I disagree with your take on this Jeff. Official 
>>>> OWASP public statements should be done with care.
>>>>
>>>> Also, this issue is not resolved yet and I am simply stating *my 
>>>> opinion* on the matter backed by research and references to IRS 
>>>> guidelines discussing this matter. And again I've stated that this 
>>>> is a nebulous area even by IRS regulation.
>>>>
>>>> We are discussing this at the June 24 board meeting - a 
>>>> meeting in which I hope that you and the community attend.
>>>>
>>>> Making a big statement like this as an official message of the 
>>>> OWASP foundation - especially since it's political in nature - does 
>>>> in my opinion require board discussion. I know you want us to "jump 
>>>> on this" immediately - and we are Jeff - in just a few days.
>>>>
>>>> In fact, if the language is crafted in a way that keeps clear of 
>>>> specific legislation, I will likely vote to push this out. I agree 
>>>> with it 100%, I am only concerned if it's the right thing for OWASP 
>>>> to be making such a public statement.
>>>>
>>>> It is critical for all of us in OWASP leadership to be aware of the 
>>>> limits of what a 501(c)(3) should be doing, and when I hear that 
>>>> the members of foundation want OWASP to make a public and 
>>>> politically charged statement of intent, I think it's crucial for 
>>>> the board to be a part of it since the board holds legal 
>>>> responsibility for the operations of the foundation.
>>>>
>>>> See you June 24th?
>>>>
>>>> https://www.owasp.org/index.php/June_24,_2015
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>> On 6/21/15 2:47 PM, Jeff Williams wrote:
>>>>> This is a false dichotomy -- OWASP can and should do both. The 
>>>>> Board should work to assist and support *any* idea consistent with 
>>>>> our mission...even if...especially if... you don't think it will work.
>>>>>
>>>>> You can't let *your* judgement influence the decision to support a 
>>>>> project. If you do, then all we will ever get is Board ideas. 
>>>>> And, respectfully, I don't trust you or any other individual to 
>>>>> think up the next great AppSec idea.
>>>>>
>>>>> The Board shouldn't interfere at all unless somebody is doing 
>>>>> something harmful to the organization or the mission. And even 
>>>>> then should try to figure out a productive path for that energy.
>>>>>
>>>>> Again respectfully, you should get out of the way.
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico" 
>>>>> <jim.manico at owasp.org> wrote:
>>>>>
>>>>>     Jeff,
>>>>>
>>>>>     My take on this is that "talk is cheap" and that "actions are
>>>>>     more powerful than words". I'd rather keep out of legislation and
>>>>>     focus on making important projects like ESAPI, ASVS, Security
>>>>>     Shepherd and others more powerful.
>>>>>
>>>>>     I am sorry you are disappointed in current board action, but
>>>>>     there is good reason behind the perspective I am stating.
>>>>>     Also, this is my opinion alone, not the entire board's.
>>>>>
>>>>>     Again, take a look at Whisper Systems. They are providing
>>>>>     incredibly well created and well assessed open source projects
>>>>>     for secure communications. These open source projects are now
>>>>>     being integrated into various Operating Systems and other
>>>>>     projects.
>>>>>
>>>>>     If ESAPI was not abandoned, it could have been serving our
>>>>>     mission - planet level. I want to see it and other key
>>>>>     projects revived and well funded.
>>>>>
>>>>>     The power of a well built security project is worth more than
>>>>>     a thousand words. Talk is cheap. Actions that change the world
>>>>>     take sweat, blood and staying the course even when it's no
>>>>>     longer financially beneficial to do so.
>>>>>
>>>>>     Respectfully,
>>>>>     --
>>>>>     Jim Manico
>>>>>     Global Board Member
>>>>>     OWASP Foundation
>>>>>     https://www.owasp.org <https://www.owasp.org/>
>>>>>     Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>>     Francisco!
>>>>>
>>>>>     On Jun 21, 2015, at 2:12 PM, Jeff Williams
>>>>>     <jeff.williams at owasp.org> wrote:
>>>>>
>>>>>>     For the record, the IAB is part of the IETF, which *is* a
>>>>>>     501c3.  Even though 501c3 organizations *can* do some
>>>>>>     lobbying (as long as expenditures are not substantial), the
>>>>>>     IAB is careful not to talk about legislation or urge anyone
>>>>>>     to contact representatives about legislation.
>>>>>>     As the creator and longtime Chair of the OWASP Board, I'm
>>>>>>     frustrated that the current Board isn't falling over
>>>>>>     themselves to support efforts like this.  IMO the whole
>>>>>>     purpose of the Board is to create a great platform to support
>>>>>>     and amplify the efforts of anyone willing to contribute to
>>>>>>     our important cause. Doesn't matter the topic, but instead of
>>>>>>     saying no or criticizing ideas or projects, figure out a way
>>>>>>     to make it work or make them better.
>>>>>>     In this case, and a million other topics, it would be
>>>>>>     incredibly easy to stick to the technical realities and
>>>>>>     feasibility of any approaches being discussed in the news.
>>>>>>     No need to mention legislation.
>>>>>>     --Jeff
>>>>>>
>>>>>>     Jeff Williams | CTO
>>>>>>     Contrast Security
>>>>>>     410.707.1487 <tel:410.707.1487> | @planetlevel @contrastsec
>>>>>>
>>>>>>
>>>>>>     _____________________________
>>>>>>     From: Jim Manico <jim.manico at owasp.org
>>>>>>     <mailto:jim.manico at owasp.org>>
>>>>>>     Sent: Sunday, June 21, 2015 7:37 PM
>>>>>>     Subject: Re: [Owasp-leaders] [Owasp-community] [Owasp-board]
>>>>>>     IAB Statement on the Trade in Security Technologies
>>>>>>     To: McGovern, James <james.mcgovern at hp.com>
>>>>>>     Cc: <owasp-community at lists.owasp.org
>>>>>>     <mailto:owasp-community at lists.owasp.org>>, OWASP Board List
>>>>>>     <owasp-board at lists.owasp.org
>>>>>>     <mailto:owasp-board at lists.owasp.org>>, owasp-leaders
>>>>>>     <owasp-leaders at lists.owasp.org
>>>>>>     <mailto:owasp-leaders at lists.owasp.org>>
>>>>>>
>>>>>>
>>>>>>     I will - for sure - put this on the June 24th Board meeting
>>>>>>     agenda. My opinion (based on research over the years trying
>>>>>>     to understand my duty to the foundation) is to keep AWAY from
>>>>>>     any even slight attempt to influence legislation.
>>>>>>
>>>>>>     In general I see projects, documentation efforts and
>>>>>>     conferences doing much to unite us in our shared mission.
>>>>>>     But start discussing politics and it will go a long way to
>>>>>>     divide us as a community.
>>>>>>
>>>>>>     I suggest that we focus on *doing something* vs *saying
>>>>>>     something*.
>>>>>>
>>>>>>     Imagine funding open source projects similar to Whisper
>>>>>>     Systems or enhancing our documentation projects to be much
>>>>>>     more up to date and relevant, or building professional open
>>>>>>     source training material? This is how I think the foundation
>>>>>>     can best face these issues while at the same time serving our
>>>>>>     mission and keeping away from influencing legislation. :)
>>>>>>
>>>>>>     And for what it's worth, I strongly dislike the fact that I'm
>>>>>>     bringing these things up. I'm not trying to ruin anyone's
>>>>>>     party here. But I do feel it's my duty as your elected board
>>>>>>     member to do so.
>>>>>>
>>>>>>     Aloha,
>>>>>>     -- 
>>>>>>     Jim Manico
>>>>>>     Global Board Member
>>>>>>     OWASP Foundation
>>>>>>     https://www.owasp.org
>>>>>>     Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>>>     Francisco!
>>>>>>
>>>>>>     On Jun 21, 2015, at 1:23 PM, McGovern, James <
>>>>>>     james.mcgovern at hp.com> wrote:
>>>>>>
>>>>>>         Jim, while you are going to the board for legal
>>>>>>         clarification, please inquire:
>>>>>>
>>>>>>         1. 501c3 is a US thing. Can we influence non-US
>>>>>>         government and still comply?
>>>>>>         2. Understanding the US political issues sometimes will
>>>>>>         put us on a partisan path. For example, in CT I have
>>>>>>         commented in the past in a political context on why smart
>>>>>>         guns are just plain stupid. This particular issue leans
>>>>>>         more conservative/libertarian than it does Liberal.
>>>>>>         Therefore, we must attempt to understand the flow of
>>>>>>         politics on any given Sunday.
>>>>>>         3. Maybe we could somehow solve this by having a policy
>>>>>>         that encourages legislators of all parties to reach out
>>>>>>         to their local chapter leader for an informed opinion.
>>>>>>
>>>>>>         -----Original Message-----
>>>>>>         From: owasp-community-bounces at lists.owasp.org
>>>>>>         <mailto:owasp-community-bounces at lists.owasp.org>
>>>>>>         [mailto:owasp-community-bounces at lists.owasp.org] On
>>>>>>         Behalf Of Jim Manico
>>>>>>         Sent: Saturday, June 20, 2015 4:37 PM
>>>>>>         To: Kevin W. Wall
>>>>>>         Cc: OWASP Board List; owasp-community at lists.owasp.org;
>>>>>>         owasp-leaders
>>>>>>         Subject: Re: [Owasp-community] [Owasp-board] IAB
>>>>>>         Statement on the Trade in Security Technologies
>>>>>>
>>>>>>         I agree with you Kevin. Even the IRS is cagey about this
>>>>>>         topic.
>>>>>>
>>>>>>         However, this is an organization risk that I feel we
>>>>>>         should be aware of before charging too far into policy. It
>>>>>>         would behoove us to get legal review before going too far.
>>>>>>         I'll bring this up at the next board meeting.
>>>>>>
>>>>>>         Aloha,
>>>>>>         -- 
>>>>>>         Jim Manico
>>>>>>         @Manicode
>>>>>>         (808) 652-3805 <tel:%28808%29%20652-3805>
>>>>>>
>>>>>>             On Jun 20, 2015, at 9:47 AM, Kevin W. Wall
>>>>>>             <kevin.w.wall at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>             Jim,
>>>>>>
>>>>>>                 On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico
>>>>>>                 <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>                 That is fair Michael.
>>>>>>
>>>>>>                 But I do want to warn the community that this is
>>>>>>                 a slippery slope, we are being watched, and trying
>>>>>>                 to influence legislation is one of the few ways
>>>>>>                 OWASP can lose its charitable status. And if that
>>>>>>                 happens, the debate about what to do with our funds
>>>>>>                 will quickly change for the worse.
>>>>>>
>>>>>>
>>>>>>             I don't think that it is impossible for charitable
>>>>>>             organizations to comment on public policy without
>>>>>>             losing their 501(c)(3) status, but it just has to be
>>>>>>             done in the right way. (However, IANAL, so I don't
>>>>>>             even begin to know the details of what that "right
>>>>>>             way" would entail.)
>>>>>>
>>>>>>
>>>>>>             As a case in point, the ACM has a 501(c)(3)
>>>>>>             not-for-profit status, and yet their public policy
>>>>>>             arm--the USACM--has certainly tried to influence
>>>>>>             public policy. (Recall the crypto debate from the
>>>>>>             late 1990s? The USACM and IEEE wrote a letter to
>>>>>>             Sen. John McCain to try to influence the US
>>>>>>             legislation not to pass laws to mandate weak
>>>>>>             encryption. E.g., see
>>>>>>             <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
>>>>>>
>>>>>>
>>>>>>             So I'm guessing that the devil is in the details of
>>>>>>             how it is done. In fact, according to Spaf's blog at
>>>>>>             <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
>>>>>>             the USACM is going through this same thing again.
>>>>>>             Like I said, I am not a lawyer and maybe this attempt
>>>>>>             to influence public policy doesn't strictly qualify
>>>>>>             as "lobbying" in the eyes of the IRS. But it certainly
>>>>>>             doesn't seem impossible.
>>>>>>
>>>>>>
>>>>>>             Also, we can--and should--all speak out strongly
>>>>>>             against things that we believe are against the OWASP
>>>>>>             mission, but we don't have to do it in a manner as
>>>>>>             representing OWASP. Do that on your personal blogs or
>>>>>>             social media instead of OWASP mailing lists and there
>>>>>>             shouldn't be an issue, especially if you add a short
>>>>>>             disclaimer as to how your opinion does not necessarily
>>>>>>             affect the opinion of OWASP overall (in the cases when
>>>>>>             there might be some doubt).
>>>>>>
>>>>>>
>>>>>>             So perhaps if we decide that we officially want to
>>>>>>             speak out on certain public policy as an organization
>>>>>>             in order to influence public policy in accordance with
>>>>>>             our mission statements, then someone who understands
>>>>>>             the nuances of the 501(c)(3) IRS regulations could
>>>>>>             help OWASP navigate these waters.
>>>>>>
>>>>>>             -kevin
>>>>>>
>>>>>>             -- 
>>>>>>             Blog: http://off-the-wall-security.blogspot.com/
>>>>>>             NSA: All your crypto bit are belong to us.
>>>>>>
>>>>>>         _______________________________________________
>>>>>>         Owasp-community mailing list
>>>>>>         Owasp-community at lists.owasp.org
>>>>>>         <mailto:Owasp-community at lists.owasp.org>
>>>>>>         https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
