<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    With respect, I disagree with your take on this, Jeff. Official OWASP
    public statements should be done with care.<br>
    <br>
    Also, this issue is not resolved yet and I am simply stating *my
    opinion* on the matter backed by research and references to IRS
    guidelines discussing this matter. And again I've stated that this
    is a nebulous area even by IRS regulation.<br>
    <br>
    <u><b>We are discussing this at the June 24 board meeting</b></u><u><b>
        - a meeting in which I hope that you and the community attend.</b></u>
    <br>
    <br>
    Making a big statement like this as an official message of the OWASP
    foundation - especially since it's political in nature - does in my
    opinion require board discussion. I know you want us to "jump on
    this" immediately - and we are, Jeff - in just a few days.<br>
    <br>
    In fact, if the language is crafted in a way that keeps clear of
    specific legislation, I will likely vote to push this out. I agree
    with it 100%, I am only concerned if it's the right thing for OWASP
    to be making such a public statement. <br>
    <br>
    It is critical for all of us in OWASP leadership to be aware of the
    limits of what a 501(c)(3) should be doing, and when I hear that the
    members of the foundation want OWASP to make a public and politically
    charged statement of intent, I think it's crucial for the board to
    be a part of it since the board holds legal responsibility for the
    operations of the foundation.<br>
    <br>
    See you June 24th?<br>
    <br>
    <a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/21/15 2:47 PM, Jeff Williams
      wrote:<br>
    </div>
    <blockquote
cite="mid:815ED4954DD4EA87.AC9F30B4-B882-4DBD-8F06-A2CC09F2B771@mail.outlook.com"
      type="cite">
      <div>This is a false dichotomy -- OWASP can and should do both.
        The Board should work to assist and support *any* idea
        consistent with our mission...even if...especially if... you
        don't think it will work.</div>
      <div><br>
      </div>
      <div>You can't let *your* judgement influence the decision to
        support a project. If you do, then all we will ever get is Board
        ideas.  And, respectfully, I don't trust you or any other
        individual to think up the next great AppSec idea.</div>
      <div><br>
      </div>
      <div>The Board shouldn't interfere at all unless somebody is doing
        something harmful to the organization or the mission. And even
        then should try to figure out a productive path for that energy.</div>
      <div><br>
      </div>
      <div>Again respectfully, you should get out of the way.<br>
        <br>
        <div class="acompli_signature">--Jeff<br>
        </div>
      </div>
      <br>
      <br>
      <br>
      <div class="gmail_quote">On Sun, Jun 21, 2015 at 5:27 PM -0700,
        "Jim Manico" <span dir="ltr"><<a moz-do-not-send="true"
            href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
        wrote:<br>
        <br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr">
            <div>Jeff,</div>
            <div><br>
            </div>
            <div>My take on this is that "talk is cheap" and that
              "actions are more powerful than words". I'd rather keep out of
              legislation and focus on making important projects like
              ESAPI, ASVS, Security Shepherd and others more powerful.</div>
            <div><br>
            </div>
            <div>I am sorry you are disappointed in current board
              action, but there is good reason behind the perspective I
              am stating. Also, this is my opinion alone, not the entire
              board's.</div>
            <div><br>
            </div>
            <div>Again, take a look at Whisper Systems. They are
              providing incredibly well created and well assessed open
              source projects for secure communications. These open
              source projects are now being integrated into various
              Operating Systems and other projects.</div>
            <div><br>
            </div>
            <div>If ESAPI was not abandoned, it could have been
              serving our mission - planet level. I want to see it and
              other key projects revived and well funded.</div>
            <div><br>
            </div>
            <div>The power of a well built security project is worth
              more than a thousand words. Talk is cheap. Actions that
              change the world take sweat, blood and staying the course
              even when it's no longer financially beneficial to do so.</div>
            <div><br>
            </div>
            <div>Respectfully,<br>
              <div>--</div>
              <div>Jim Manico</div>
              <div>
                <div apple-content-edited="true" class="">
                  <div class="" style="word-wrap: break-word;
                    -webkit-nbsp-mode: space; -webkit-line-break:
                    after-white-space;">
                    <div class=""><span style="background-color:
                        rgba(255, 255, 255, 0);">Global Board Member</span></div>
                    <span style="background-color: rgba(255, 255, 255,
                      0);">OWASP Foundation</span>
                    <div class=""><a moz-do-not-send="true"
                        href="https://www.owasp.org/" class=""
                        style="background-color: rgba(255, 255, 255,
                        0);"><font color="#000000">https://www.owasp.org</font></a></div>
                  </div>
                </div>
                <div class=""><span style="background-color: rgba(255,
                    255, 255, 0);">Join me at <a moz-do-not-send="true"
                      href="http://appsecusa.org/" target="_blank"
                      class="">AppSecUSA</a> 2015 in San Francisco!</span></div>
              </div>
            </div>
            <div><br>
              On Jun 21, 2015, at 2:12 PM, Jeff Williams <<a
                moz-do-not-send="true"
                href="mailto:jeff.williams@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a></a>>
              wrote:<br>
              <br>
            </div>
            <blockquote type="cite">
              <div>
                <div>For the record, the IAB is part of the IETF, which
                  *is* a 501c3.  Even though 501c3 organizations *can*
                  do some lobbying (as long as expenditures are not
                  substantial), the IAB is careful not to talk about
                  legislation or urge anyone to contact representatives
                  about legislation.</div>
                <div>As the creator and longtime Chair of the OWASP
                  Board, I'm frustrated that the current Board isn't
                  falling over themselves to support efforts like this.
                   IMO the whole purpose of the Board is to create a
                  great platform to support and amplify the efforts of
                  anyone willing to contribute to our important cause.
                  Doesn't matter the topic, but instead of saying no or
                  criticizing ideas or projects, figure out a way to
                  make it work or make them better.</div>
                <div>In this case, and a million other topics, it would
                  be incredibly easy to stick to the technical realities
                  and feasibility of any approaches being discussed in
                  the news.  No need to mention legislation.</div>
                <div>
                  <div class="acompli_signature">--Jeff<br>
                    <br>
                    Jeff Williams | CTO<br>
                    Contrast Security<br>
                    <a moz-do-not-send="true" href="tel:410.707.1487"
                      x-apple-data-detectors="true"
                      x-apple-data-detectors-type="telephone"
                      x-apple-data-detectors-result="0/1">410.707.1487</a>
                    | @planetlevel @contrastsec<br>
                    <br>
                  </div>
                  <br>
                </div>
                <div class="gmail_quote">_____________________________<br>
                  From: Jim Manico <<a moz-do-not-send="true"
                    href="mailto:jim.manico@owasp.org"
                    x-apple-data-detectors="true"
                    x-apple-data-detectors-type="link"
                    x-apple-data-detectors-result="2">jim.manico@owasp.org</a>><br>
                  Sent: Sunday, June 21, 2015 7:37 PM<br>
                  Subject: Re: [Owasp-leaders] [Owasp-community]
                  [Owasp-board] IAB Statement on the Trade in Security
                  Technologies<br>
                  To: McGovern, James <<a moz-do-not-send="true"
                    href="mailto:james.mcgovern@hp.com"
                    x-apple-data-detectors="true"
                    x-apple-data-detectors-type="link"
                    x-apple-data-detectors-result="4">james.mcgovern@hp.com</a>><br>
                  Cc: <<a moz-do-not-send="true"
                    href="mailto:owasp-community@lists.owasp.org"
                    x-apple-data-detectors="true"
                    x-apple-data-detectors-type="link"
                    x-apple-data-detectors-result="5">owasp-community@lists.owasp.org</a>>,
                  OWASP Board List <<a moz-do-not-send="true"
                    href="mailto:owasp-board@lists.owasp.org"
                    x-apple-data-detectors="true"
                    x-apple-data-detectors-type="link"
                    x-apple-data-detectors-result="6">owasp-board@lists.owasp.org</a>>,
                  owasp-leaders <<a moz-do-not-send="true"
                    href="mailto:owasp-leaders@lists.owasp.org"
                    x-apple-data-detectors="true"
                    x-apple-data-detectors-type="link"
                    x-apple-data-detectors-result="7">owasp-leaders@lists.owasp.org</a>><br>
                  <br>
                  <br>
                  <div> I will - for sure - put this on the June 24th
                    Board meeting agenda. My opinion (based on research
                    over the years trying to understand my duty to the
                    foundation) is to keep AWAY from any even slight
                    attempt to influence legislation. </div>
                  <div> <br>
                  </div>
                  <div> In general I see projects, documentation efforts
                    and  conferences doing much to unite us in our
                    shared mission. But start discussing politics and it
                    will go a long way to divide us as a community. </div>
                  <div> <br>
                  </div>
                  <div> I suggest that we focus on •doing something• vs
                    •saying something•.  </div>
                  <div> <br>
                  </div>
                  <div> Imagine funding open source projects similar to
                    Whisper Systems or enhancing our documentation
                    projects to be much more up to date and relevant or
                    building professional open source training material?
                    This is how I think the foundation can best face
                    these issues while at the same time serve our
                    mission while at the same time keep away from
                    influencing legislation. :) </div>
                  <div> <br>
                  </div>
                  <div> And for what it's worth, I strongly dislike the
                    fact that I'm bringing these things up. I'm not
                    trying to ruin anyone's party here. But I do feel
                    it's my duty as your elected board member to do so.
                  </div>
                  <div> <br>
                  </div>
                  <div> Aloha, </div>
                  <div> -- <br>
                    <div> Jim Manico </div>
                    <div>
                      <div class="">
                        <div class="" style="word-wrap: break-word;
                          -webkit-nbsp-mode: space; -webkit-line-break:
                          after-white-space;">
                          <div class=""> <span style="background-color:
                              rgba(255, 255, 255, 0);">Global Board
                              Member</span> </div>
                          <span style="background-color: rgba(255, 255,
                            255, 0);">OWASP Foundation</span>
                          <div class=""> <a moz-do-not-send="true"
                              href="https://www.owasp.org/" class=""
                              style="background-color: rgba(255, 255,
                              255, 0);"><font color="#000000">https://www.owasp.org</font></a>
                          </div>
                        </div>
                      </div>
                      <div class=""> <span style="background-color:
                          rgba(255, 255, 255, 0);">Join me at <a
                            moz-do-not-send="true"
                            href="http://appsecusa.org/" class="">AppSecUSA</a> 2015
                          in San Francisco!</span> </div>
                    </div>
                  </div>
                  <div> <br>
                    On Jun 21, 2015, at 1:23 PM, McGovern, James < <a
                      moz-do-not-send="true"
                      href="mailto:james.mcgovern@hp.com"><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a></a>>
                    wrote: <br>
                    <br>
                  </div>
                  <blockquote>
                    <div> <span>Jim, while you are going to the board
                        for legal clarification, please inquire:</span>
                      <br>
                      <span></span> <br>
                      <span>1. 501c3 is a US thing. Can we influence
                        non-US government and still comply?</span> <br>
                      <span>2. Understanding the US political issues
                        sometimes will put us on a partisan path. For
                        example, in CT I have commented in the past in a
                        political context on why smart guns are just
                        plain stupid. This particular issue leans more
                        conservative/libertarian than it does Liberal.
                        Therefore, we must attempt to understand the
                        flow of politics on any given Sunday.</span> <br>
                      <span>3. Maybe we could somehow solve this by
                        having a policy that encourages legislators of
                        all parties to reach out to their local chapter
                        leader for an informed opinion.</span> <br>
                      <span></span> <br>
                      <span>-----Original Message-----</span> <br>
                      <span>From: <a moz-do-not-send="true"
                          href="mailto:owasp-community-bounces@lists.owasp.org">owasp-community-bounces@lists.owasp.org</a>
                        [<a moz-do-not-send="true"
                          href="mailto:owasp-community-bounces@lists.owasp.org">mailto:owasp-community-bounces@lists.owasp.org</a>]
                        On Behalf Of Jim Manico</span> <br>
                      <span>Sent: Saturday, June 20, 2015 4:37 PM</span>
                      <br>
                      <span>To: Kevin W. Wall</span> <br>
                      <span>Cc: OWASP Board List; <a
                          moz-do-not-send="true"
                          href="mailto:owasp-community@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a></a>;
                        owasp-leaders</span> <br>
                      <span>Subject: Re: [Owasp-community] [Owasp-board]
                        IAB Statement on the Trade in Security
                        Technologies</span> <br>
                      <span></span> <br>
                      <span>I agree with you Kevin. Even the IRS is
                        cagey about this topic. </span> <br>
                      <span></span> <br>
                      <span>However, this is an organization risk that I
                        feel we should be aware of before charging too
                        far into policy. It would behoove us to get
                        legal review before going too far. I'll bring
                        this up at the next board meeting.</span> <br>
                      <span></span> <br>
                      <span>Aloha,</span> <br>
                      <span>--</span> <br>
                      <span>Jim Manico</span> <br>
                      <span>@Manicode</span> <br>
                      <span><a moz-do-not-send="true"
                          href="tel:%28808%29%20652-3805"
                          x-apple-data-detectors="true"
                          x-apple-data-detectors-type="telephone"
                          x-apple-data-detectors-result="18/1">(808)
                          652-3805</a></span> <br>
                      <span></span> <br>
                      <blockquote> <span>On Jun 20, 2015, at 9:47 AM,
                          Kevin W. Wall <<a moz-do-not-send="true"
                            href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a>>
                          wrote:</span> <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>Jim,</span> <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>On Sat, Jun 20, 2015 at 2:55
                            PM, Jim Manico <<a moz-do-not-send="true"
                              href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
                            wrote:</span> <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>That is fair Michael.</span>
                          <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span></span> <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>But I do want to warn the
                            community that this is a slippery slope, we
                          </span> <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>are being watched, and
                            trying to influence legislation is one of
                            the </span> <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>few ways OWASP can lose its
                            charitable status. And if that happens, </span>
                          <br>
                        </blockquote>
                      </blockquote>
                      <blockquote>
                        <blockquote> <span>the debate about what to do
                            with our funds will quickly change for the
                            worse.</span> <br>
                        </blockquote>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>I don't think that it is
                          impossible for charitable organizations to </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>comment on public possible
                          without losing their 501(c)(3) status, but </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>it just has to be done in the
                          right way. (However, IANAL, so I don't </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>even begin to know the details
                          of what that "right way" would entail.)</span>
                        <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>As a case in point, the ACM
                          has a 501(c)(3) not-for-profit status, and </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>yet their public policy
                          arm--the USACM--has certainly tried to </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>influence public policy.
                          (Recall the crypto debate from the late </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>1990s? The USACM and IEEE
                          wrote a letter to Sen. John McCain to try to </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>influence the US legislation
                          not to pass laws to mandate weak </span> <br>
                      </blockquote>
                      <blockquote> <span>encryption. E.g., see</span> <br>
                      </blockquote>
                      <blockquote> <span><<a moz-do-not-send="true"
href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri">http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri</a></span>
                        <br>
                      </blockquote>
                      <blockquote> <span>vacy%20and%20Security>.)</span>
                        <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>So I'm guessing that the devil
                          is in the details of how it is done.  </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>In fact, according to Spaf's
                          blog at </span> <br>
                      </blockquote>
                      <blockquote> <span><<a moz-do-not-send="true"
href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t">https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t</a></span>
                        <br>
                      </blockquote>
                      <blockquote> <span>he_attack_on_encryption/>
                          the USACM is going through this same thing </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>again. Like I said, I am
                          not a lawyer and maybe this attempt to </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>influence public policy
                          doesn't strictly qualify as "lobbying" in the
                        </span> <br>
                      </blockquote>
                      <blockquote> <span>eyes of the IRS. But it
                          certainly doesn't seem impossible.</span> <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>Also, we can--and should--all
                          speak out strongly against things that </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>we believe are against the
                          OWASP mission, but we don't have to do it </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>in a manner as representing
                          OWASP. Do that on your personal blogs or </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>social media instead of OWASP
                          mailing lists and there shouldn't be an </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>issue, especially if you add a
                          short disclaimer as to how your opinion </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>does not necessarily affect
                          the opinion of OWASP overall (in the cases
                          when there might be some doubt).</span> <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>So perhaps if we decide that
                          we officially want to speak out on </span> <br>
                      </blockquote>
                      <blockquote> <span>certain public policy as an
                          organization in order to influence public </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>policy in accordance with our
                          mission statements, then someone who </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>understands the nuances of the
                          501(c)(3) IRS regulations could help </span>
                        <br>
                      </blockquote>
                      <blockquote> <span>OWASP navigate these waters.</span>
                        <br>
                      </blockquote>
                      <blockquote> <span></span> <br>
                      </blockquote>
                      <blockquote> <span>-kevin</span> <br>
                      </blockquote>
                      <blockquote> <span>--</span> <br>
                      </blockquote>
                      <blockquote> <span>Blog: <a
                            moz-do-not-send="true"
                            href="http://off-the-wall-security.blogspot.com/"><a class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/">http://off-the-wall-security.blogspot.com/</a></a></span>
                        <br>
                      </blockquote>
                      <blockquote> <span>NSA: All your crypto bit are
                          belong to us.</span> <br>
                      </blockquote>
                      <span>_______________________________________________</span>
                      <br>
                      <span>Owasp-community mailing list</span> <br>
                      <span><a moz-do-not-send="true"
                          href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></span>
                      <br>
                      <span><a moz-do-not-send="true"
                          href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></span>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>