<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    > What concerns me is that you would "implore the community to
    focus" on anything. <br>
    <br>
    I am imploring the community to work on projects and documents that
    help spread good, technical information about application security.
    That's our mission Jeff.<br>
    <br>
    Even though I am a Board member I am also a very active volunteer
    working on a number of projects and documentation efforts. My
    opinion matters. Just likes your opinions matter as does the opinion
    of every other member of the community.<br>
    <br>
    My job is to to help everyone who wants to help spread AppSec
    awareness but that is by no means my only job. By no means. If you
    would like to understand 501c3 board member fiduciary duty and
    responsibility, I encourage you to read
    <a class="moz-txt-link-freetext" href="https://www.councilofnonprofits.org/tools-resources/board-roles-and-responsibilities">https://www.councilofnonprofits.org/tools-resources/board-roles-and-responsibilities</a>
    and more.<br>
    <br>
    Aloha,<br>
    - Jim<br>
    <br>
    <div class="moz-cite-prefix">On 6/21/15 3:48 PM, Jeff Williams
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFHKaBpEoGmgnqUAT5PEiaGc0cQjJWC9Cqyk8aRttiEwceUE-g@mail.gmail.com"
      type="cite">
      <div dir="ltr">Jim, I'm not concerned about this particular action
        at all. What concerns me is that you would "implore the
        community to focus" on anything.  At a minimum, speaking out
        with authority on issues related to our mission certainly COULD
        work.  In fact, I think there's a pretty good case to be made
        that any real progress in our field won't be made by the kind of
        action you suggest.
        <div><br>
        </div>
        <div>The point is that the Board shouldn't implore anyone to
          change how they believe they can help. The Board wasn't set up
          to be an arbiter of what activities are good ideas.  Your only
          job is to support everyone and anyone who wants to help
          appsec.  If you want to have opinions, get off the Board.</div>
        <div><br>
        </div>
        <div>--Jeff</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sun, Jun 21, 2015 at 9:35 PM, Jim
          Manico <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> This is not about
              changing OWASP's charter. It's a warning that we are
              engaging in activity that is on the edge of trying to
              influence legislation and that we should proceed with
              caution.<br>
              <br>
              Also, I am concerned that we are losing focus here and
              implore the community to focus less on announcements like
              this and to focus more on application security in a more
              direct way via projects and technical documentation.<span
                class="HOEnZb"><font color="#888888"><br>
                  <br>
                  - Jim</font></span>
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 6/21/15 3:32 PM, Jerry Hoff wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div>Agreed - but I was under the strong impression
                      this entire discussion was on putting out a
                      statement similar to the IAB.  Apologies if I
                      misunderstood. I was voicing support on that
                      specific action.</div>
                    <div><br>
                    </div>
                    <div>I didn't see anywhere in the thread (though I
                      may have missed it) anyone advocating political
                      campaigning or to change the OWASP charter such
                      that influencing legislation would be a
                      substantial activity. <br>
                      <br>
                      --
                      <div>Jerry Hoff</div>
                      <div><a moz-do-not-send="true"
                          href="mailto:jerry@owasp.com" target="_blank">jerry@owasp.com</a></div>
                      <div>@jerryhoff</div>
                    </div>
                    <div><br>
                      On Jun 21, 2015, at 21:25, Jim Manico <<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>
                      wrote:<br>
                      <br>
                    </div>
                    <blockquote type="cite">
                      <div> Jerry,<br>
                        <br>
                        I'm a fan of OWASP taking technical stands such
                        as the IAB Statement on Internet Confidentiality
                        <a moz-do-not-send="true"
href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/"
                          target="_blank">https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/</a>
                        and similar. <br>
                        <br>
                        What our 501(c)(3) foundation needs to to steer
                        clear of from my understanding is...<br>
                        <br>
                        1) ... not to engage in political campaigning<br>
                        2) ... not to attempt to influence legislation
                        as a substantial part of our activities<br>
                        <br>
                        I am no fan of NACL's but this is a very
                        important topic.<br>
                        <br>
                        The exact quote from the IRS is (<a
                          moz-do-not-send="true"
href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501%28c%29%283%29-Organizations%29"
                          target="_blank"><a class="moz-txt-link-freetext" href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)">http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)</a></a><br>
                        <br>
                        <span
style="color:rgb(0,0,0);font-family:sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:16.0029983520508px;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none;background-color:rgb(255,255,255)">"...it
                          may not attempt to influence legislation as a
                          substantial part of its activities and it may
                          not participate in any campaign activity for
                          or against political candidates..."</span><br>
                        <br>
                        So as long as our "official foundation
                        statement" on this matter steers clear of these
                        issues, I will support it.<br>
                        <br>
                        We will be discussing this at the June 24th
                        meeting, I hope you can make it.<br>
                        <br>
                        <a moz-do-not-send="true"
                          href="https://www.owasp.org/index.php/June_24,_2015"
                          target="_blank">https://www.owasp.org/index.php/June_24,_2015</a><br>
                        <br>
                        Aloha,<br>
                        Jim<br>
                        <br>
                        <div>On 6/21/15 3:16 PM, Jerry Hoff wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div>I believe this debate is based off wrong
                            assumptions - for example the EFF is
                            501(c)(3) and that does not prevent them
                            from taking a position on relevant issues as
                            an organization.<br>
                            <br>
                            --
                            <div>Jerry Hoff</div>
                            <div><a moz-do-not-send="true"
                                href="mailto:jerry@owasp.com"
                                target="_blank">jerry@owasp.com</a></div>
                            <div>@jerryhoff</div>
                          </div>
                          <div><br>
                            On Jun 21, 2015, at 21:05, Jim Manico <<a
                              moz-do-not-send="true"
                              href="mailto:jim.manico@owasp.org"
                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>


                            wrote:<br>
                            <br>
                          </div>
                          <blockquote type="cite">
                            <div> With respect, I disagree with your
                              take on this Jeff. Official OWASP public
                              statements should be done with care.<br>
                              <br>
                              Also, this issue is not resolved yet and I
                              am simply stating *my opinion* on the
                              matter backed by research and references
                              to IRS guidelines discussing this matter.
                              And again I've stated that this is a
                              nebulous area even by IRS regulation.<br>
                              <br>
                              <u><b>We are discussing this at the June
                                  24 board meeting</b></u><u><b> - a
                                  meeting in which I hope that you and
                                  the community attend.</b></u> <br>
                              <br>
                              Making a big statement like this as an
                              official message of the OWASP foundation -
                              especial since it's political in nature -
                              does in my opinion require board
                              discussion. I know you want us to "jump on
                              this" immediately - and we are Jeff - in
                              just a few days.<br>
                              <br>
                              In fact, if the language is crafted in a
                              way that keeps clear of specific
                              legislation, I will likely vote to push
                              this out. I agree with it 100%, I am only
                              concerned if it's the right thing for
                              OWASP to be making such a public
                              statement. <br>
                              <br>
                              It is critical for all of us in OWASP
                              leadership to be aware of the limits of
                              what a 501(c)(3) should be doing, and when
                              I hear that the members of foundation want
                              OWASP to make a public and politically
                              charged statement of intent, I think it's
                              crucial for the board to be a part of it
                              since the board holds legal responsibility
                              for the operations of the foundation.<br>
                              <br>
                              See you June 24th?<br>
                              <br>
                              <a moz-do-not-send="true"
                                href="https://www.owasp.org/index.php/June_24,_2015"
                                target="_blank">https://www.owasp.org/index.php/June_24,_2015</a><br>
                              <br>
                              Aloha,<br>
                              Jim<br>
                              <br>
                              <br>
                              <br>
                              <br>
                              <br>
                              <div>On 6/21/15 2:47 PM, Jeff Williams
                                wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div>This is a false dichotomy -- OWASP
                                  can and should do both. The Board
                                  should work to assist and support
                                  *any* idea consistent with our
                                  mission...even if...especially if...
                                  you don't think it will work.</div>
                                <div><br>
                                </div>
                                <div>You can't let *your* judgement
                                  influence the decision to support a
                                  project. If you do, then all we will
                                  ever get is Board ideas.  And,
                                  respectfully, I don't trust you or any
                                  other individual to think up the next
                                  great AppSec idea.</div>
                                <div><br>
                                </div>
                                <div>The Board shouldn't interfere at
                                  all unless somebody is doing something
                                  harmful to the organization or the
                                  mission. And even then should try to
                                  figure out a productive path for that
                                  energy.</div>
                                <div><br>
                                </div>
                                <div>Again respectfully, you should get
                                  out of the way.<br>
                                  <br>
                                  <div>--Jeff<br>
                                  </div>
                                </div>
                                <br>
                                <br>
                                <br>
                                <div class="gmail_quote">On Sun, Jun 21,
                                  2015 at 5:27 PM -0700, "Jim Manico" <span
                                    dir="ltr"><<a
                                      moz-do-not-send="true"
                                      href="mailto:jim.manico@owasp.org"
                                      target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>></span>
                                  wrote:<br>
                                  <br>
                                  <blockquote class="gmail_quote"
                                    style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex">
                                    <div dir="3D"ltr"">
                                      <div>Jeff,</div>
                                      <div><br>
                                      </div>
                                      <div>My take on this is that "talk
                                        is cheap" and that "actions are
                                        more powerful words". I'd rather
                                        keep out of legislation and
                                        focus on making important
                                        projects like ESAPI, ASVS,
                                        Security Shepard and others more
                                        powerful.</div>
                                      <div><br>
                                      </div>
                                      <div>I am sorry you are
                                        disappointed in current board
                                        action, but there is good reason
                                        behind the perspective I am
                                        stating. Also, this is my
                                        opinion alone, not the entire
                                        boards.</div>
                                      <div><br>
                                      </div>
                                      <div>Again, take a look at Whisper
                                        Systems. They are providing
                                        incredibly well created and well
                                        assessed open source projects
                                        for secure communications. These
                                        open source projects are now
                                        being integrated into various
                                        Operating Systems and other
                                        projects.</div>
                                      <div><br>
                                      </div>
                                      <div>If ESAPI was not a abandoned,
                                        it could have been serving our
                                        mission - planet level. I want
                                        to see it and other key projects
                                        revived and well funded.</div>
                                      <div><br>
                                      </div>
                                      <div>The power of a well built
                                        security project is worth more
                                        than a thousand words. Talk is
                                        cheap. Actions that change the
                                        world take sweat, blood and
                                        staying the course even when
                                        it's no longer financially
                                        beneficial to do so.</div>
                                      <div><br>
                                      </div>
                                      <div>Respectfully,<br>
                                        <div>--</div>
                                        <div>Jim Manico</div>
                                        <div>
                                          <div>
                                            <div
                                              style="word-wrap:break-word">
                                              <div><span
                                                  style="background-color:rgba(255,255,255,0)">Global
                                                  Board Member</span></div>
                                              <span
                                                style="background-color:rgba(255,255,255,0)">OWASP
                                                Foundation</span>
                                              <div><a
                                                  moz-do-not-send="true"
href="https://www.owasp.org/"
                                                  style="background-color:rgba(255,255,255,0)"
                                                  target="_blank"><font
                                                    color="#000000"><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font></a></div>
                                            </div>
                                          </div>
                                          <div><span
                                              style="background-color:rgba(255,255,255,0)">Join
                                              me at <a
                                                moz-do-not-send="true"
                                                href="http://appsecusa.org/"
                                                target="_blank">AppSecUSA</a> 2015

                                              in San Francisco!</span></div>
                                        </div>
                                      </div>
                                      <div><br>
                                        On Jun 21, 2015, at 2:12 PM,
                                        Jeff Williams <<a
                                          moz-do-not-send="true"
                                          href="mailto:jeff.williams@owasp.org"
                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a></a>>



                                        wrote:<br>
                                        <br>
                                      </div>
                                      <blockquote type="cite">
                                        <div>
                                          <div>For the record, the IAB
                                            is part of the IETF, which
                                            *is* a 501c3.  Even though
                                            501c3 organizations *can* do
                                            some lobbying (as long as
                                            expenditures are not
                                            substantial), the IAB is
                                            careful not to talk about
                                            legislation or urge anyone
                                            to contact representatives
                                            about legislation.</div>
                                          <div>As the creator and
                                            longtime Chair of the OWASP
                                            Board, I'm frustrated that
                                            the current Board isn't
                                            falling over themselves to
                                            support efforts like this.
                                             IMO the whole purpose of
                                            the Board is to create a
                                            great platform to support
                                            and amplify the efforts of
                                            anyone willing to contribute
                                            to our important cause.
                                            Does't matter the topic, but
                                            instead of saying no or
                                            criticizing ideas or
                                            projects, figure out a way
                                            to make it work or make them
                                            better.</div>
                                          <div>In this case, and a
                                            million other topics, it
                                            would be incredibly easy to
                                            stick to the technical
                                            realities and feasibility of
                                            any approaches being
                                            discussed in the news.  No
                                            need to mention legislation.</div>
                                          <div>
                                            <div>--Jeff<br>
                                              <br>
                                              Jeff Williams | CTO<br>
                                              Contrast Security<br>
                                              <a moz-do-not-send="true"
                                                href="tel:410.707.1487"
                                                target="_blank">410.707.1487</a>
                                              | @planetlevel
                                              @contrastsec<br>
                                              <br>
                                            </div>
                                            <br>
                                          </div>
                                          <div class="gmail_quote">_____________________________<br>
                                            From: Jim Manico <<a
                                              moz-do-not-send="true"
                                              href="mailto:jim.manico@owasp.org"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>><br>
                                            Sent: Sunday, June 21, 2015
                                            7:37 PM<br>
                                            Subject: Re: [Owasp-leaders]
                                            [Owasp-community]
                                            [Owasp-board] IAB Statement
                                            on the Trade in Security
                                            Technologies<br>
                                            To: McGovern, James <<a
                                              moz-do-not-send="true"
                                              href="mailto:james.mcgovern@hp.com"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a></a>><br>
                                            Cc: <<a
                                              moz-do-not-send="true"
                                              href="mailto:owasp-community@lists.owasp.org"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a></a>>,



                                            OWASP Board List <<a
                                              moz-do-not-send="true"
                                              href="mailto:owasp-board@lists.owasp.org"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:owasp-board@lists.owasp.org">owasp-board@lists.owasp.org</a></a>>,



                                            owasp-leaders <<a
                                              moz-do-not-send="true"
                                              href="mailto:owasp-leaders@lists.owasp.org"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a></a>><br>
                                            <br>
                                            <br>
                                            <div> I will - for sure -
                                              put this on the June 24th
                                              Board meeting agenda. My
                                              opinion (based on research
                                              over the years trying to
                                              understand my duty to the
                                              foundation) is to keep
                                              AWAY from any even slight
                                              attempt to influence
                                              legislation. </div>
                                            <div> <br>
                                            </div>
                                            <div> In general I see
                                              projects, documentation
                                              efforts and  conferences
                                              doing much to unite us in
                                              our shared mission. But
                                              start discussing politics
                                              and it will go a long way
                                              to divide us as a
                                              community. </div>
                                            <div> <br>
                                            </div>
                                            <div> I suggest that we
                                              focus on •doing something•
                                              vs •saying something•.  </div>
                                            <div> <br>
                                            </div>
                                            <div> Imagine funding open
                                              source projects similar to
                                              Whisper Systems or
                                              enhancing our
                                              documentation projects to
                                              be much more up to date
                                              and relevant our building
                                              professional open source
                                              training material? This is
                                              how I think the foundation
                                              can best face these issues
                                              while at the same time
                                              serve our mission while at
                                              the same time keep away
                                              from influencing
                                              legislation. :) </div>
                                            <div> <br>
                                            </div>
                                            <div> And for what it's
                                              worth, I strongly dislike
                                              the fact that I'm bringing
                                              these things up. I'm not
                                              trying to ruin anyones
                                              party here. But I do feel
                                              it's my duty as your
                                              elected board member to do
                                              so. </div>
                                            <div> <br>
                                            </div>
                                            <div> Aloha, </div>
                                            <div> -- <br>
                                              <div> Jim Manico </div>
                                              <div>
                                                <div>
                                                  <div
                                                    style="word-wrap:break-word">
                                                    <div> <span
                                                        style="background-color:rgba(255,255,255,0)">Global

                                                        Board Member</span>
                                                    </div>
                                                    <span
                                                      style="background-color:rgba(255,255,255,0)">OWASP

                                                      Foundation</span>
                                                    <div> <font
                                                        color="#000000"><a
moz-do-not-send="true" href="https://www.owasp.org" target="_blank"><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></a></font>
                                                    </div>
                                                  </div>
                                                </div>
                                                <div> <span
                                                    style="background-color:rgba(255,255,255,0)">Join
                                                    me at <a
                                                      moz-do-not-send="true"
href="http://appsecusa.org/" target="_blank">AppSecUSA</a> 2015 in San
                                                    Francisco!</span> </div>
                                              </div>
                                            </div>
                                            <div> <br>
                                              On Jun 21, 2015, at 1:23
                                              PM, McGovern, James < <a
                                                moz-do-not-send="true"
                                                href="mailto:james.mcgovern@hp.com"
                                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a></a>>



                                              wrote: <br>
                                              <br>
                                            </div>
                                            <blockquote>
                                              <div> <span>Jim, while
                                                  you are going to the
                                                  board for legal
                                                  clarification, please
                                                  inquire:</span> <br>
                                                <span></span> <br>
                                                <span>1. 501c3 is a US
                                                  thing. Can we
                                                  influence non-US
                                                  government and still
                                                  comply?</span> <br>
                                                <span>2. Understanding
                                                  the US political
                                                  issues sometimes will
                                                  put us on a partisan
                                                  path. For example, in
                                                  CT I have commented in
                                                  the past in a
                                                  political context on
                                                  why smart guns are
                                                  just plain stupid.
                                                  This particular issue
                                                  leans more
                                                  conservative/libertarian
                                                  than it does Liberal.
                                                  Therefore, we must
                                                  attempt to understand
                                                  the flow of politics
                                                  on any given Sunday.</span>
                                                <br>
                                                <span>3. Maybe we could
                                                  somehow solve this by
                                                  having a policy that
                                                  encourages legislators
                                                  of all parties to
                                                  reach out to their
                                                  local chapter leader
                                                  for an informed
                                                  opinion.</span> <br>
                                                <span></span> <br>
                                                <span>-----Original
                                                  Message-----</span> <br>
                                                <span>From: <a
                                                    moz-do-not-send="true"
href="mailto:owasp-community-bounces@lists.owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community-bounces@lists.owasp.org">owasp-community-bounces@lists.owasp.org</a></a>
                                                  [<a
                                                    moz-do-not-send="true"
href="mailto:owasp-community-bounces@lists.owasp.org" target="_blank"><a class="moz-txt-link-freetext" href="mailto:owasp-community-bounces@lists.owasp.org">mailto:owasp-community-bounces@lists.owasp.org</a></a>]
                                                  On Behalf Of Jim
                                                  Manico</span> <br>
                                                <span>Sent: Saturday,
                                                  June 20, 2015 4:37 PM</span>
                                                <br>
                                                <span>To: Kevin W. Wall</span>
                                                <br>
                                                <span>Cc: OWASP Board
                                                  List; <a
                                                    moz-do-not-send="true"
href="mailto:owasp-community@lists.owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a></a>;
                                                  owasp-leaders</span> <br>
                                                <span>Subject: Re:
                                                  [Owasp-community]
                                                  [Owasp-board] IAB
                                                  Statement on the Trade
                                                  in Security
                                                  Technologies</span> <br>
                                                <span></span> <br>
                                                <span>I agree with you
                                                  Kevin. Even the IRS is
                                                  cagey about this
                                                  topic. </span> <br>
                                                <span></span> <br>
                                                <span>However, this is
                                                  an organization risk
                                                  that I feel we should
                                                  be aware of before
                                                  charging to far into
                                                  policy. It would
                                                  behoove is to get
                                                  legal review before
                                                  going to far. I'll
                                                  bring this up at the
                                                  next board meeting.</span>
                                                <br>
                                                <span></span> <br>
                                                <span>Aloha,</span> <br>
                                                <span>--</span> <br>
                                                <span>Jim Manico</span>
                                                <br>
                                                <span>@Manicode</span> <br>
                                                <span><a
                                                    moz-do-not-send="true"
href="tel:%28808%29%20652-3805" target="_blank">(808) 652-3805</a></span>
                                                <br>
                                                <span></span> <br>
                                                <blockquote> <span>On
                                                    Jun 20, 2015, at
                                                    9:47 AM, Kevin W.
                                                    Wall <<a
                                                      moz-do-not-send="true"
href="mailto:kevin.w.wall@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a></a>>

                                                    wrote:</span> <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>Jim,</span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>On
                                                      Sat, Jun 20, 2015
                                                      at 2:55 PM, Jim
                                                      Manico <<a
                                                        moz-do-not-send="true"
href="mailto:jim.manico@owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>
                                                      wrote:</span> <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>That
                                                      is fair Michael.</span>
                                                    <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span></span>
                                                    <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>But
                                                      I do want to warn
                                                      the community that
                                                      this is a slippery
                                                      slope, we </span>
                                                    <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>are
                                                      being watched, and
                                                      trying to
                                                      influence
                                                      legislation is one
                                                      of the </span> <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>few
                                                      ways OWASP can
                                                      lose it's
                                                      charitable status.
                                                      And if that
                                                      happens, </span>
                                                    <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote>
                                                  <blockquote> <span>the
                                                      debate about what
                                                      to do with our
                                                      funds will quickly
                                                      change for the
                                                      worse.</span> <br>
                                                  </blockquote>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>I
                                                    don't think that it
                                                    is impossible for
                                                    charitable
                                                    organizations to </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>comment
                                                    on public possible
                                                    without loosing
                                                    their 501(c)(3)
                                                    status, but </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>it
                                                    just has to be done
                                                    in the right way.
                                                    (However, IANAL, so
                                                    I don't </span> <br>
                                                </blockquote>
                                                <blockquote> <span>even
                                                    begin to know the
                                                    details of what that
                                                    "right way" would
                                                    entail.)</span> <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>As a
                                                    case in point, the
                                                    ACM has a 501(c)(3)
                                                    not-for-profit
                                                    status, and </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>yet
                                                    their public policy
                                                    arm--the USACM--has
                                                    certainly tried to </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>influence
                                                    public policy.
                                                    (Recall the crypto
                                                    debate from the late
                                                  </span> <br>
                                                </blockquote>
                                                <blockquote> <span>1990s?
                                                    The USACM and IEEE
                                                    wrote a letter to
                                                    Sen. John McCain to
                                                    try to </span> <br>
                                                </blockquote>
                                                <blockquote> <span>influence
                                                    the US legislation
                                                    not to pass laws to
                                                    mandate weak </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>encryption.
                                                    E.g., see</span> <br>
                                                </blockquote>
                                                <blockquote> <span><<a
moz-do-not-send="true"
href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri"
                                                      target="_blank"><a class="moz-txt-link-freetext" href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri">http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri</a></a></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>vacy%20and%20Security>.)</span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>So
                                                    I'm guessing that
                                                    the devil is in the
                                                    details of how it is
                                                    done.  </span> <br>
                                                </blockquote>
                                                <blockquote> <span>In
                                                    fact, according to
                                                    Spaf's blog at </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span><<a
moz-do-not-send="true"
href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t"
                                                      target="_blank"><a class="moz-txt-link-freetext" href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t">https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t</a></a></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>he_attack_on_encryption/>



                                                    the USACM is going
                                                    through this same
                                                    this </span> <br>
                                                </blockquote>
                                                <blockquote> <span>this
                                                    again. Like I said,
                                                    I am not a lawyer
                                                    and maybe this
                                                    attempt to </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>influence
                                                    public policy
                                                    doesn't strictly
                                                    qualify as
                                                    "lobbying" in the </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>eyes
                                                    of the IRS. But it
                                                    certainly doesn't
                                                    seem impossible.</span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>Also,
                                                    we can--and
                                                    should--all speak
                                                    out strongly against
                                                    things that </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>we
                                                    believe are against
                                                    the OWASP mission,
                                                    but we don't have to
                                                    do it </span> <br>
                                                </blockquote>
                                                <blockquote> <span>in a
                                                    manner as
                                                    representing OWASP.
                                                    Do that on your
                                                    personal blogs or </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>social
                                                    media instead of
                                                    OWASP mailing lists
                                                    and there shouldn't
                                                    be an </span> <br>
                                                </blockquote>
                                                <blockquote> <span>issue,
                                                    especially if you
                                                    add a short
                                                    disclaimer as to how
                                                    your opinion </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>does
                                                    not necessarily
                                                    affect the opinion
                                                    of OWASP overall (in
                                                    the cases when there
                                                    might be some
                                                    doubt).</span> <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>So
                                                    perhaps if we decide
                                                    that we officially
                                                    want to speak out on
                                                  </span> <br>
                                                </blockquote>
                                                <blockquote> <span>certain
                                                    public policy as an
                                                    organization in
                                                    order to influence
                                                    public </span> <br>
                                                </blockquote>
                                                <blockquote> <span>policy
                                                    in accordance with
                                                    our mission
                                                    statements, then
                                                    someone who </span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>understands
                                                    the nuances of the
                                                    501(c)(3) IRS
                                                    regulations could
                                                    help </span> <br>
                                                </blockquote>
                                                <blockquote> <span>OWASP
                                                    navigate these
                                                    waters.</span> <br>
                                                </blockquote>
                                                <blockquote> <span></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>-kevin</span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>--</span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>Blog:
                                                    <a
                                                      moz-do-not-send="true"
href="http://off-the-wall-security.blogspot.com/" target="_blank"><a class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/">http://off-the-wall-security.blogspot.com/</a></a></span>
                                                  <br>
                                                </blockquote>
                                                <blockquote> <span>NSA:
                                                    All your crypto bit
                                                    are belong to us.</span>
                                                  <br>
                                                </blockquote>
                                                <span>_______________________________________________</span>
                                                <br>
                                                <span>Owasp-community
                                                  mailing list</span> <br>
                                                <span><a
                                                    moz-do-not-send="true"
href="mailto:Owasp-community@lists.owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></a></span>
                                                <br>
                                                <span><a
                                                    moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-community"
                                                    target="_blank"><a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></a></span>
                                                <br>
                                              </div>
                                            </blockquote>
                                            <br>
                                            <br>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                  </blockquote>
                                </div>
                              </blockquote>
                              <br>
                            </div>
                          </blockquote>
                          <blockquote type="cite">
                            <div><span>_______________________________________________</span><br>
                              <span>OWASP-Leaders mailing list</span><br>
                              <span><a moz-do-not-send="true"
                                  href="mailto:OWASP-Leaders@lists.owasp.org"
                                  target="_blank">OWASP-Leaders@lists.owasp.org</a></span><br>
                              <span><a moz-do-not-send="true"
                                  href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                  target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></span><br>
                            </div>
                          </blockquote>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>