Computer underground Digest Sun July 21 1993 Volume 5 : Issue 55 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cpyp Editor: Etaoin Shrdlu, Senior CONTENTS, #5.55 (July 21 1993) File 1--"What is CPSR and how can we Join?" File 2--Incident Response Workshop info File 3--"Science & Tech Through Science Fiction" Conference File 4--New hearing set for E-Fingerprinting in SF Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020 CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493 ANONYMOUS FTP SITES: UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud halcyon.com( 202.135.191.2) in /pub/mirror/cud aql.gatech.edu (128.61.10.53) in /pub/eff/cud AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. EUROPE: nic.funet.fi in pub/doc/cud. (Finland) ftp.warwick.ac.uk in pub/cud (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Mon, 19 Jul 93 13:04:39 PDT From: Nikki Draper Subject: File 1--"What is CPSR and how can we Join?" ((MODERATORS' NOTE: CPSR, like EFF, is dedicated to improving cyberspace. CPSR has been relatively low-key in expanding its membership, and we asked them to provide some information on what they do and how people can join. In our view, it's a dynamic and productive organization, and one well worth supporting by joining. CPSR has been instrumental in filing a number of FOIA suits related to Operation Sun Devil and other law enforcement abuses, in lobbying efforts, and most recently, in filing FOIA requests and suits to peruse the U.S. Secret Service's role in the surveillance of the 2600 meeting in Washington, D.C., last fall. As the following summary indicates, CPSR is interested in a wide range of activities, and their track record over the years has been rather impressive)). ************************************************************************ COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY ************************************************************************ CPSR empowers computer professionals and computer users to advocate for the responsible use of information technology and empowers all who use computer technology to participate in the public debate. As technical experts, CPSR members provide the public and policymakers with realistic assessments of the power, promise, and limitations of computer technology. As an organization of concerned citizens, CPSR directs public attention to critical choices concerning the applications of computing and how those choices affect society. Every project we undertake is based on five principles: * We foster and support public discussion of and public responsibility for decisions involving the use of computers in systems critical to society. * We work to dispel popular myths about the infallibility of technological systems. * We challenge the assumption that technology alone can solve political and social problems. * We critically examine social and technical issues within the computer profession, nationally and internationally. * We encourage the use of computer technology to improve the quality of life. Founded in 1981 by a small group of computer scientists concerned about the use of computers in nuclear weapons systems, CPSR has grown into a national public-interest alliance of computer industry professionals dedicated to examining the impact of technology on society. ************************************************************************ CPSR PROJECTS ************************************************************************ As computer technology becomes increasingly pervasive, the issues facing us become more complex. CPSR provides a forum where we can examine technology's impact on our lives, the lives of our fellow citizens, and on society as a whole. By sponsoring both national and local projects, CPSR serves as a catalyst for in-depth discussion and effective action in key areas: Civil Liberties and Privacy The National Information Infrastructure Workplace Issues and Participatory Design Reliability and Risk In addition, CPSR's chapter-based projects and national working groups tackle issues ranging from the development of nanotechnology and virtual reality to computing and ethics to community computing to computers and education. ************************************************************************ HOW TO BECOME A MEMBER ************************************************************************ CPSR is a democratically organized grass roots alliance. Our accomplishments are the result of the member activism. Many CPSR members serve as national organizers Just fill out the membership form, enclose a check and mail it to CPSR, P.O. Box 717, Palo Alto, CA 94301. CPSR's cost to provide members with services is covered by the $75 dues. To keep CPSR membership open to a wide range of people, we offer dues levels of $20 and $50. ************************************************************************ MEMBERSHIP BENEFITS ************************************************************************ When you become a member of CPSR, you are joining a nationwide network of computer professionals who are committed to bringing social responsibility to all aspects of computer technology. CPSR sponsors, supports, and participates in conferences, roundtables and meetings on advanced issues in computing, local civic networks, cryptography, participatory design, and computers and social change. Every fall the CPSR Annual Meeting brings together the foremost representatives of the technology industry to explore current topics in seminars and panel discussions. Our conferences and chapter meetings provide important opportunities to meet other members and share ideas and expertise. ************************************************************************ OTHER MEMBERSHIP BENEFITS INCLUDE: ************************************************************************ * a quarterly newsletter which provides in-depth analysis of key issues in computing as well as updates on CPSR activities and action alerts, * an organized voice for socially responsible computing in Washington, * well-researched public testimony and public policy development, * invitations and discounts to CPSR events, * discounts on research papers, books.and educational videotapes, * on-line information and discussion of key issues in computing, * membership in a local CPSR chapter (where available) and notices of chapter meetings and activities, * participation in local and national working groups which allow you to have effective impact on the issues you care about, * information and referral about crucial issues in computing. ORGANIZATIONAL INFORMATION CPSR National Office P.O. Box 717 Palo Alto, CA 94301 415-322-3778 415-322-3798 (FAX) E-mail: cpsr@csli.stanford.edu CPSR Washington Office 666 Pennsylvania Ave SE, Suite 303 Washington, D.C. 20003 202-544-9240 202-547-5481 FAX rotenberg@washofc.cpsr.org ************************************************************************ PRIVACY NOTICE ************************************************************************ The CPSR membership database is never sold, rented, lent, exchanged, or used for anything other than official CPSR activity. CPSR may elect to send members mailings with information from other groups, but the mailings will always originate with CPSR. ============================ clip and mail =========================== CPSR MEMBERSHIP FORM Name ___________________________________________________________ Address ___________________________________________________________ ___________________________________________________________ City/State/Zip _____________________________________________________ Home phone _____________________ Work phone ______________________ Company ___________________________________________________________ Type of work ______________________________________________________ E-mail address _____________________________________________________ CPSR Chapter __ Acadiana __ Austin __ Berkeley __ Boston __ Chicago __ Denver/Boulder __ Los Angeles __ Madison __ Maine __ Milwaukee __ Minnesota __ New Haven __ New York __ Palo Alto __ Philadelphia __ Pittsburgh __ Portland __ San Diego __ Santa Cruz __ Seattle __ Washington, DC __ No chapter in my area CPSR Membership Categories __ $ 75 REGULAR MEMBER __ $ 50 Basic member __ $ 200 Supporting member __ $ 500 Sponsoring member __ $1000 Lifetime member __ $ 20 Student/low income member __ $ 50 Foreign subscriber __ $ 50 Library/institutional subscriber Additional tax-deductible contribution to support CPSR projects: __ $50 __ $75 __ $100 __ $250 __ $500 __ $1000 __ Other Total Enclosed: $ ________ Make check out to CPSR and mail to: CPSR P.O. Box 717 Palo Alto, CA 94301 ************************************************************************ CPSR has several different electronic resources available at no cost. We established a list server to archive CPSR related materials and make them available on request, and to quickly disseminate official, short, CPSR announcements (e.g., press releases, conference announcements, and project updates). Mail traffic will be light P only the CPSR Board and staff can post to it. We encourage you to subscribe to the list server and publicize it widely to anyone else interested in CPSRUs areas of work. To subscribe, send mail to: listserv@gwuvm.gwu.edu (Internet) OR listserv@gwuvm (Bitnet) Your message needs to contain only one line: subscribe cpsr You will get a message that confirms your subscription. The message also explains how to use the list server to request archived materials (including an index of everything in CPSRUs archive) If you have a problem with the list server, please contact Paul Hyland (phyland@gwuvm.gwu.edu or phyland@gwuvm). There is a second list server at cpsr.org. This list server also has an extensive archive and houses several different lists on more specialized subjects relating to computing. For more detailed information on the listserv and other services, send email to listserv@cpsr.org with the message: GET CPSR/CPSR.ORG SOURCES or, GET CPSR/CPSR.ORG QUICK_REF If you have a problem using cpsr.org, contact ftp-admin@cpsr.org. ************************************************************************ We hope you enjoy this new service. ************************************************************************ ------------------------------ Date: 8 Jul 1993 20:14:44 -0500 From: spaf@CS.PURDUE.EDU(Gene Spafford) Subject: File 2--Incident Response Workshop info ** NOTE: July 10 is the deadline for discounted registration!! ** PRELIMINARY AGENDA 5th Computer Security Incident Handling Workshop Sponsored by the Forum of Incident Response and Security Teams (FIRST) August 10-13, 1993 St. Louis, MO TUESDAY, August 10, 1993 Full-day Tutorials 1. Creating a Security Policy presented by Charles Cresson Wood: [no abstract available at time of posting] 2. Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan Horses, and Things That Go Bump In The Night presented by A. Padgett Peterson: An intensive look into the architecture of the IBM-PC and MS/PC-DOS -- What it is and why it was designed that way. An understanding of assembly language and the interrupt structure of the Intel 80x86 processor is helpful. The day will begin with the BIOS and what makes the PC a fully functional computer before any higher operating system is introduced. Next will be a discussion of the various operating systems, what they add and what is masked. Finally, the role and effects of the PC and various LAN configurations (peer-peer and client server) will be examined with emphasis on the potential protection afforded by login scripting and RIGHTS. At each step, vulnerabilities will be examined and demonstrations made of how malicious software exploits them. Demonstrations may include STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG viruses depending on time and equipment available. On completion attendees will understand the vulnerabilities and how to detect attempted exploitation using simple tools included with DOS such as DEBUG and MEM. 3. Unix Security presented by Matt Bishop: Unix can be a secure operating system if the appropriate controls and tools are used. However, it is difficult for even experienced system administrators to know all the appropriate controls to use. This tutorial covers the most important aspects of Unix security administration, including internal and external controls, useful tools, and administration techniques to develop better security. Upon completion, Unix system administrators will have a better understanding of vulnerabilities in Unix, and of methods to protect their systems. WEDNESDAY, August 11, 1993 8:30 - 8:45 Opening Remarks - Rich Pethia (CERT/CC) 8:45 - 9:30 Keynote Speaker - Dr. Vinton Cerf (XXXX) 9:30 - 10:00 Break 10:00 - 12:00 International Issues - Computer networks and communication lines span national borders. This session will focus on how computer incidents may be handled in an international context, and on some ways investigators can coordinate their efforts. SPEAKERS: Harry Onderwater (Dutch Federal Police) John Austien (New Scotland Yard) other speakers pending 12:00 - 1:30 Lunch with Presentations by various Response Teams 1:30 - 3:00 Professional Certification & Qualification - how do you know if the people you hire for security work are qualified for the job? How can we even know what the appropriate qualifications are? The speakers in this session will discuss some approaches to the problem for some segments of industry and government. SPEAKERS: Sally Meglathery ((ISC)2) Lynn McNulty (NIST) Genevieve Burns (ISSA) 3:00 - 3:30 Break 3:30 - 6:00 Incident Aftermath and Press Relations - What happens after an incident has been discovered? What are some of the consequences of dealing with law enforcement and the press? This session will feature presentations on these issues, and include a panel to answer audience questions. SPEAKERS: Laurie Sefton (Apple Computer) Jeffrey Sebring (MITRE) Terry McGillen (Software Engineering Institute) John Markoff (NY Times) Mike Alexander (InfoSecurity News) 7:00 - 9:00 Reception THURSDAY August 12 8:30 - 10:00 Preserving Rights During an Investigation - During an investigation, sometimes more damage is done by the investigators than from the original incident. This session reinforces the importance of respecting the rights of victims, bystanders, and suspects while also gathering evidence that may be used in legal or administrative actions. SPEAKERS: Mike Godwin (Electronic Frontiers Foundation) Scott Charney (Department of Justice) other speaker pending 10:00 - 10:30 Break 10:30 - 12:00 Coordinating an Investigation - What are the steps in an investigation? When should law enforcement be called in? How should evidence be preserved? Veteran investigators discuss these questions. A panel will answer questions, time permitting. SPEAKER: Jim Settle (FBI) other speakers pending 12:00 - 1:30 Special Interest Lunch 1:30 - 3:00 Liabilities and Insurance - You organize security measures but a loss occurs. Can you somehow recover the cost of damages? You investigate an incident, only to cause some incidental damage. Can you be sued? This session examines these and related questions. SPEAKERS: Mark Rasch (Arent Fox) Bill Cook (Willian, Brinks, Olds, Hoffer, & Gibson) Marr Haack (USF&G Insurance Companies) 3:00 - 3:15 Break 3:15 - 5:30 Incident Role Playing -- An exercise by the attendees to develop new insights into the process of investigating a computer security incident. Organized by Dr. Tom Longstaff of the CERT/CC. 7:30 - ? Birds of a Feather and Poster Sessions FRIDAY August 13 8:30 - 10:00 Virus Incidents - How do you organize a successful virus analysis and response group? The speakers in this session have considerable experience ans success in doing exactly this. In their talks, and subsequent panel, they will explain how to organize computer virus response. SPEAKERS: Werner Uhrig (Macintosh Anti-virus Expert) David Grisham (University of New Mexico) Christoph Fischer (CARO) Karen Picharczyk (LLNL/DoE CIAC) Ken van Wyk (DISA/Virus-L) 10:00 - 10:15 Break 10:15 - 11:15 Databases - How do you store incident, suspect, and vulnerability information safely, but still allow the information to be used effectively? The speakers in this session will share some of their insights and methods on this topic. SPEAKERS: John Carr (CCTA) Michael Higgins (DISA) speaker pending 11:15 - 12:15 Threats - Part of incidence response is to anticipate riska and threats. This session will focus on some likely trends and possible new problems to be faced in computer security. SPEAKERS: Karl A. Seeger speakers pending 12:15 - 12:30 Closing Remarks - Dennis Steinauer (NIST/FIRST) 12:30 - 2:00 Lunch 2:00 - 3:00 FIRST General Meeting and the Steering Committee Elections 3:00 - 4:00 FIRST Steering Committee Meeting ^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^ INQUIRES: Direct questions concerning registration and payment to: Events at 412-268-6531 Direct general questions concerning the workshop to: Mary Alice "Sam" Toocheck at 214-268-6933 Return to: Helen E. Joyce Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Facsimile: 412-268-7401 TERMS: Please make checks or purchase orders payable to SEI/CMU. Credit cards are not accepted. No refunds will be issued, substitutions are encouraged. The registrations fee includes materials, continental breakfast, lunches (not included on August 13), morning and afternoon breaks and an evening reception on August 11. Completed registration materials must be received by the SEI no later than July 10, 1993. A minimum of 7 attendees are needed for each tutorial and there will be limit of 50 attendees. You MUST indicate which tutorial you would like to attend and an alternate if your first choice is full. GOVERNMENT TERMS: If your organization has not made prior arrangements for reimbursement of workshop expenses, please provide authorization (1556) from your agency at the time of registration. GENERAL REGISTRATION INFORMATION: Workshop................................. ..............$300.00 All registrations received after July 10, 1993..........$350.00 Tutorials (Must be registered by July, 10, 1993)........$190.00 NAME: TITLE: COMPANY: DIVISION: ADDRESS: CITY: STATE: ZIP: BUSINESS PHONE: EMERGENCY PHONE: FACSIMILE NUMBER: E-MAIL ADDRESS: DIETARY/ACCESS REQUIREMENTS: CITIZENSHIP: Are you a U.S. Citizen? YES/NO Identify country where citizenship is held if not the U.S.: (Note: there will be no classified information disclosed at this workshop. There is no attendance restriction based on citizenship or other criteria.) GENERAL HOTEL INFORMATION: RATES: A block of rooms has been reserved at the Hyatt Regency at Union Station, One St. Louis Union Station, St. Louis, Missouri 63103. The hotel will hold these rooms until July 10, 1993. Hotel arrangements should be made directly with the Hyatt, 314-231-1234. To receive the special rate of $65.00 per night, please mention the Fifth Computer Security Incident Handling Workshop when making your hotel arrangements. ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20 suites. All rooms have individual climate control, direct-dial telephone with message alert, color TV with cable and optional pay movies. Suites available with wet bar. Hotel offers three floors of Regency accommodations, along with a Hyatt Good Passport floor, and a special floor for women travelers. LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union Station one mile from Cervantes Convention Center and St. Louis Convention Center and St. Louis Arch. Fifteen miles (30 minutes) from St. Louis Zoo. DINING/ENTERTAINMENT: Italian Cuisine is features at Aldo's, the hotel's full-service restaurant. Enjoy afternoon cocktails in the Grand Hall, an open-air, six-story area featuring filigree work, fresco and stained glass windows. The station Grille offers a chop house and seafood menu. RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool. Full health club; suana in both men's and women's locker rooms. Jogging maps are available at the hotel front desk. SERVICES/FACILITIES/SHOPS: Over 100 specialty shops throughout the hotel, including men's and women's boutiques, children's toy shops and train stores. -- Gene Spafford, COAST Project Director Software Engineering Research Center & Dept. of Computer Sciences Purdue University, W. Lafayette IN 47907-1398 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Thu, 15 Jul 1993 14:24:18 UTC+0100 From: Miquel Barcelo Subject: File 3--"Science & Tech Through Science Fiction" Conference Friends, You will find here the CALL OF PAPERS of a new Workshop on SCIENCE AND TECHNOLOGY THROUGH SCIENCE FICTION to be held next summer in Barcelona, Spain (22nd and 23rd, June 1994). This will be the first edition of such a Workshop so, if you know more people that could be interested, please help in making this information available just forwarding this message. If you need more information, please feel free to ask to: blo@lsi.upc.es Yours, Dr. Miquel Barcel Software Department - UPC Pau Gargallo, 5 E 08028 BARCELONA (Spain) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ First Announcement and CALL FOR PAPERS STSF '94 An International Workshop on SCIENCE and TECHNOLOGY through SCIENCE FICTION 22nd-23rd June 1994 - BARCELONA (Spain) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Organized by: CONSELL SOCIAL (Board of Trustees) of Universitat PolitKcnica de Catalunya (UPC) in cooperation with: Software Department (UPC) Physics and Nuclear Engineering Department (UPC) WORLD SF (Hispanic Chapter) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ THE WORKSHOP A good working definition of science fiction is "speculative ex- trapolation about the effect of science and technology on society". The aim of this International Workshop is to provide a forum for iden- tifying, encouraging and discussing research about science and tech- nology, or their consequences, as portrayed in science fiction. The Workshop will bring together researchers, scientists, and other aca- demics with science fiction professionals to share information and ex- plore new ideas about the relationship between science fiction, science and technology. TOPICS OF INTEREST The topics of interest include but are not limited to: - Biotechnology, genetic engineering - Computer science, robotics, artificial intelligence - Macroengineering - Nanotechnology - Physics, astronomy, cosmology - Professional activity of scientists and engineers - Social impact of science and technology - Teaching science and technology with science fiction +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PROGRAM COMMITTEE * Miquel Barcel (Software Dept., UPC, SPAIN) * Joe Haldeman (SFWA president, M.I.T. Associate Professor, USA) * Elizabeth A. Hull (SFRA past-president, USA) * Frederik Pohl (SFWA and WSF past-president, USA) * Vernor Vinge (Dept. of Math Sciences, SDSU, USA) ORGANIZING COMMITTEE * Miquel Barcel (Software Dept., UPC) * Laura Cabarrocas (Board of Trustees (secr.), UPC) * Gay Haldeman (Writing Program, M.I.T.,USA) * Pedro Jorge (Hispanic Chapter of WORLD SF) * Jordi JosJ (Physics and Nuclear Engineering Dept., UPC) * Louis Lemkow (Sociology Dept., UAB) * Manel Moreno (Physics and Nuclear Engineering Dept., UPC) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ INSTRUCTIONS TO AUTHORS Paper submissions must be in English and no more than 6000 words long. The Proceedings of the Workshop will be published by the organi- zing institution. Authors are requested to submit a "Letter of Intention" with the title of the paper and a short abstract (less than one page) be- fore November 30, 1993. Authors must submit five copies of each paper, before January 31, 1994, to the: Program Chairperson: Miquel Barcel Facultat d'Inform Subject: File 4--New hearing set for E-Fingerprinting in SF NEW HEARING SET FOR JULY 27 on ELECTRONIC FINGERPRINTING for WELFARE RECIPIENTS IN SAN FRANCISCO Once again electronic fingerprinting for San Francisco welfare recipients is on the Board of Supervisors agenda. A formal request has been made by the SF Department of Social Services (DSS) to change the ordinance governing General Assistance (GA) to begin requiring electronic fingerprints as a condition for receiving GA benefits. Prints are matched ostensibly to prevent people from obtaining aid more than once. A hearing on the ordinance has been set for TUESDAY, JULY 27 at 2:00 p.m. in Room 228 of City Hall, San Francisco. The Automated Fingerprint Image Reporting and Match (AFIRM) system is essentially a _political_ plan, using vague and unsubstantiated claims of welfare fraud as a justification for installing the computer system. That is, it is NOT a real fiscal savings plan and is incapable of introducing "accountability" into the welfare system, because no data exists to support its use (see below for details). As such the only way that the AFIRM system will be stopped is by raising as much noise about it as possible. If you think that electronic fingerprinting is a bad idea, please let the following supervisors know, and/or come to the hearing: Supervisor Willie Kennedy (415) 554-5734 (voice) (415) 554-7034 (fax) Supervisor Barbara Kaufman (415) 554-4880 (voice) (415) 554-4885 (fax) Supervisor Annemarie Conroy (415) 554-7788 (voice) (415) 554-5163 (fax) Mail address for all supervisors: Room 235 City Hall San Francisco, CA 94102 ******* Here are some abbreviated details on the situation. I have a longer question/answer analysis type background piece which I'm happy to send to you, you can also FTP it from cpsr.org (/ftp/cpsr/fingerprints/sffinger.analysis) Key points are: -- IT'S NOT CLEAR THAT THERE IS A NEED FOR THE SYSTEM, OR THAT THE SYSTEM WILL SAVE ANY MONEY The Department of Social Services (DSS) has presented NO DATA to substantiate how extensive the problem of "double-dipping" is, and data from Los Angeles County (which has been using the same system for two years) and Alameda County (using it since February) shows that the problem may be quite minuscule. Wild claims of cost-savings by Los Angeles and Alameda Counties do not stand up to careful scrutiny. During a changeover period, cases are closed for "non-compliance" if people fail to show up for their fingerprint appointment. I.e., no evidence of "fraud deterred" exists. It appears that cases counted as being closed because of the fingerprint program include cases that would already have been closed because of the normal 15 - 20% monthly turnover in GA cases (i.e., they would have been closed anyway, but are assigned as savings to AFIRM). "Non-compliance" could be the result of lost mail, lack of bus fare, paperwork screw-up, mental disability, or confusion about the rule change. Actual fraud that does occur may be caught by existing DSS security measures, including their ID process, social security number matching with other counties, the Fraud Early Detection Program, etc, so are unfairly assigned to the AFIRM system. And the cost of the system is probably understated. After an accurate cost-benefit accounting is made (none has been done yet), it could very well show that the system does NOT save _any_ money. -- THERE ARE PROFOUND PRIVACY CONCERNS. EDS, the computer services giant, will store and process the data. The data will be shared with other counties. The police, legally, under specific conditions, may get information from DSS on recipients. Conceivably this will include some kind of access to, or search capability of, the fingerprint data. And laws governing access to confidential welfare data may change. Historically, breaches in privacy protection have started with welfare programs (e.g., computer matching of data in 1977), and from their extend to other programs after the precedent has been established. -- IT PUSHES SOCIAL SERVICES TOWARDS BEING A LAW ENFORCEMENT ACTIVITY. Regardless of its extension into many areas, fingerprinting is still commonly perceived as a law enforcement technology. While fingerprinting in some professions has a rationale because public safety is involved, or for personal security reasons, these do not apply to its use in welfare, where people must rely on the government for their survival. Being poor is technically not a crime, but the fingerprinting scheme reinforces this too common perception. -- THE AFIRM SYSTEM IS DESIGNED FOR EXPANSION. After GA, fingerprinting will extend to AFDC (mostly welfare mothers & kids). LA County is planning to extend AFIRM to AFDC recipients, as a pilot program this summer. This will quadruple the records on their system to 400,000. Will they fingerprint the kids? After that, food stamps is a likely candidate. Then we are well on the way to establishing a national poverty database. As the system extends to more government programs, it becomes a threat to everyone. In short, the electronic fingerprinting scheme is a bad idea. It is an expensive solution to a problem of unknown (but most likely overstated) dimensions, which will have undetermined results, with potentially serious negative side-effects. The proposed AFIRM system is not focused, cheap, or safe enough to merit its social and financial cost. The system is simply a poor use of taxpayer money. Again letters, faxes, and phone calls are important! Jim Davis Western Region Director CPSR Please repost where appropriate! ------------------------------ End of Computer Underground Digest #5.55