RISKS-LIST: Risks-Forum Digest Wednesday 18 June 2003 Volume 22 : Issue 77 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.77.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: Cyberterrorists in the U.S. Senate (Curt Sampson) Digital mobile phones can phreak pacemakers (George Michaelson) United Airlines to offer e-mail on domestic flights (NewsScan) $24-million spreadsheet "boo-boo" (Jonathan Levine) Crash loses names of Canadian firearms registrants (Derek K. Miller) Scotland Yard outage chaos (Dave Austin) eBay fraud (John Reinke) Tiny tracking chips surface in retail use (Monty Solomon) Smart cellphone would spend your money (Steve Holzworth) Virginia grievance system online - with a slight problem (Jeremy Epstein) Sign someone up to be an organ donor! (Giles Todd) Continental Airlines check-in computer foul-up (Steve Bellovin) Downloading data can turn your computer into a server (greep) Re: U of Calgary to teach virus writing (Crispin Cowan) Computer bugs and believing reliable sources (Mark Brader) Re: Slade's Review of Mission Critical Security Planner (Eric Greenberg) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 18 Jun 2003 14:56:12 +0900 (JST) From: Curt Sampson <cjsat_private> Subject: Cyberterrorists in the U.S. Senate The chairman of the Senate Judiciary Committee [Sen. Orrin Hatch, R-Utah] said Tuesday he favors developing new technology to remotely destroy the computers of people who illegally download music from the Internet. http://www.salon.com/tech/wire/2003/06/17/hatch_download/ I don't know that there's much more to be said. Curt Sampson <cjsat_private> +81 90 7737 2974 http://www.netbsd.org [There's lots more to be said. For example, some software vendors would like to do that to their competitors, not just to their customers. PGN] ------------------------------ Date: Thu, 12 Jun 2003 10:02:57 +1000 From: George Michaelson <ggmat_private> Subject: Digital mobile phones can phreak pacemakers http://www.newsfactor.com/perl/story/21695.html The new generation of digital mobile phones can interfere with many types of heart pacemakers, claims a new study in the Institute of Physics journal Physics in Medicine and Biology. Pacemakers can confuse mobile-phone signals with the heart's own electrical signals, causing a malfunction. George Michaelson, APNIC, PO Box 2131 Milton QLD 4064, Australia +61 7 3367 0490 http://www.apnic.net ggmat_private ------------------------------ Date: Wed, 18 Jun 2003 08:35:11 -0700 From: "NewsScan" <newsscanat_private> Subject: United Airlines to offer e-mail on domestic flights By the end of the year, United Airlines will become the first domestic airline to offer e-mail on all of its domestic flights. Industry analyst Jonathan Gaw of IDC says the service will be a good attraction for business users, who both need their e-mail and who can expense it." For $15.98 a flight, a passenger will be able to send and receive e-mail and attachments, by connecting a laptop computer to a jack on the Verizon Airfone handset available throughout the plane. [*Baltimore Sun*, 18 Jun 2003; NewsScan Daily, 18 June 2003] http://www.sunspot.net/technology/bal-bz.email18jun18,0,7414783.story ?coll=bal-technology-headlines [And I presume first-class passengers will be offered a plate of Spam as an appetizer, with Monterey Jack. (And why is Jack always female in this context?) What about people SENDING spam from the plane? What about spam filters for incoming e-mail? Nothing like sitting on a 6-hour flight and watching your spam pile up. PGN] ------------------------------ Date: Wed, 4 Jun 2003 17:08:10 -0600 From: Victor the Cleaner <jonathanat_private> Subject: $24-million spreadsheet "boo-boo" From *The Calgary Sun*, 4 Jun 2003: TransAlta Corp said yesterday a "clerical error" was a costly one for the power producer -- $24 million US to be exact. The Calgary-based company said a spreadsheet goof by an employee last April caused the company to pay higher than intended rates to ship power in New York. CEO Steve Snyder told a conference call yesterday a "cut-and-paste" foul-up in an Excel spreadsheet on a bid to New York's power grid operator led TransAlta to secure 15 times the capacity of power lines at 10 times the price. The costly human error couldn't be reversed by the grid operator and while TransAlta has since tried to recoup the mammoth losses, it was left with a $24-million US lesson. [...] The RISKS? Jeez, where do you start? This sort of thing is becoming so depressingly common that it barely makes print. Enormously complicated and powerful tools that are capable of simultaneously magnifying minor errors and burying from sight the megabuck consequences? The apparent "we're terribly sorry, but our computers aren't programmed to issue refunds" response of the "New York power grid operator"? Jonathan Levine, Middle Digital Inc. http://www.realweasel.com [Also noted by Morty Ovits. http://reddeeradvocate.com/editorials/radB948F.htm and George N. White III. PGN] ------------------------------ Date: Wed, 04 Jun 2003 15:29:19 -0700 From: "Derek K. Miller" <dkmillerat_private> Subject: Crash loses names of Canadian firearms registrants A database crash now threatens to turn people trying to comply with an unpopular law into lawbreakers instead. The Canadian government has been attempting to implement a nationwide firearms registry for several years now. What was originally supposed to cost at most a few million dollars to document every previously undocumented rifle or shotgun in the country has now ballooned into a $1 billion-plus megaproject that appears not to work. http://www.cbc.ca/news/features/firearms_act.html Even those, like me, who are firmly for Canada's strong gun-control laws find the way this project has been put together to be laughable (and that's a charitable assessment). In many rural parts of Canada, a long gun is a necessity, at least to hunt for food or as protection against potentially dangerous wildlife (everything from polar bears to moose and wolverines, depending on where you are) for people living or working in the bush, from native communities to petroleum exploration teams. The latest registry mishap to come to light is that the database software, overloaded before the registration deadline was extended several months from its original 1 January 2003 date, crashed, and apparently took some registrants' names with it. No one seems to know how many, and I haven't been able to track down any details of the kinds of software or platforms that were in use. http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1054726691584_31/ To add to the federal government's trouble, a number of provinces have now said they will refuse to prosecute people who flout the act by not registering their guns -- and there are many such scofflaws. >From the CTV article above: > The federal Firearms Act and the Criminal Code state that anyone possessing a > firearm as defined in Section 2 of the Code must hold a valid firearms > registration certificate. The new legislation requires that owners of > long-guns such as rifles and shotguns, register their weapons by July 1 or > face legal action. > > Critics of the gun registry have argued that the legislation is nothing more > than a costly waste of time. > > The auditor general has projected it could end up costing more than $1 > billion by 2005 rather than the net $2 million over 10 years projected > when it was established in 1995. And many say people who would use their > firearms for violent offences aren't likely to register their guns anyway. Aside from the direct risks of setting up a database without the bandwidth or computational headroom for large increases of traffic before a deadline, lacking proper file journaling, and insufficiently backed up, there is the additional risk that the predictable failure of such a system will cast further bad light on a project already suffering from a reputation for inefficiency and poor planning. Derek K. Miller - dkmillerat_private [Also noted by Dan Haggarty. PGN] ------------------------------ Date: Fri, 6 Jun 2003 11:01:37 +0100 From: "Dave Austin" <dave.austinat_private> Subject: Scotland Yard outage chaos I thought that this was of interest, an old risk but surprising to find such a high profile building vulnerable: Yard crisis as power fails , 4 Jun 2003 Scotland Yard was plunged into crisis today by a massive power and communications failure. All phones in the building were cut off as all lines to the Yard were down, while the central system for handling 999 calls also failed and had to be switched to local police stations. Computers which log emergency and other calls to police in London - known as the CAD system - failed, along with a second system to Hendon which was supposed to provide an emergency back-up. Emergency generators restored power to the building, but officers had to resort to using mobile phones. A group of senior officers was called together to handle the crisis. One police source said the meeting had examined the possibility that the power failure was a terrorist or a criminal act, though this had been ruled out. The failure showed the vulnerability of the Yard's communications network at a time when London is on alert for a possible terrorist outrage. The phones and electricity crashed at about 9.30am and were still out of action two hours later. A Yard spokesman said the crisis was caused by a single workman cutting through an electricity cable in the Victoria area, and that the company's chief executive had personally apologised to senior officers. As engineers from the Yard and outside companies were working flat-out to solve the problem, the police spokesman emphasised that officers were still responding to 999 calls which had been routed through the main London police stations. "We have contingency plans in place which are working well," added the spokesman. "We are still able to provide emergency cover for London. "This is a serious matter and we are seeking to bring the building back on-line as quickly as possible." One employee at the building said: "We're in the hands of the engineers." Asked if it was causing huge problems, he said: "You could say that." Visitors to the Yard's reception who had fixed appointments were told they couldn't be seen today because of "internal communication problems". Staff at reception were unable to make internal phone calls and unless visitors had the mobile phone numbers of staff they were due to meet, they were told they would not be able to see them. Other buildings in the area were also affected by the blackout. London Ambulance said its 999 service was still operational but calls were being handled on paper for about an hour and a half while the power was disrupted. Scotland Yard has contingency plans to relocate its emergency systems and senior officers in the event of a massive crisis such as a terrorist attack. However, this did not happen this morning. Another police source said: "This could come from the plot of a film. "One wonders whether there is a massive criminal heist going on somewhere in London. "The fact that someone can bring the building to a halt by cutting a single cable is a little alarming. "I am sure there will be a few internal inquiries about this." Police chiefs told to explain blackout 5 June 2003 Police chiefs have been ordered to provide a full report into the power failure which led to computers and telephones at Scotland Yard crashing for more than seven hours. Toby Harris, chair of the Metropolitan Police Authority, said there were "grave concerns" after an engineer blacked out the HQ yesterday by accidentally cutting a single cable in the street. He added it called into question the Met's ability to cope in a crisis. Source: (London) Evening Standard - also covered in The Times et al. Dave Austin <dave.austinat_private> www.insight.co.uk ------------------------------ Date: Fri, 13 Jun 2003 09:14:12 -0400 From: "John Reinke" <reinkeat_private> Subject: eBay fraud Police in South Salt Lake, Utah, are working with eBay to determine just how many people were victimized by what authorities say was one of the biggest frauds in the auction site's history. Police arrested 31-year-old Russell Dana Smith last weekend after hundreds of auction winners complained that they sent $1,000 or more to a company named Liquidation Universe for laptop computers they never received. Police say the firm appears to have raked in $1 million from about 1,000 victims in just a few weeks. [...] [Source: Bob Sullivan, MSNBC, Man arrested in huge eBay fraud; Buyers criticize auction site's seller verification service] http://www.msnbc.com/news/925433.asp?0dm=C12LT [FJR: Guarantees are only as good as the guarantor. There ain't no free lunch. When will people take security seriously?] [This one is a long and ugly story. PGN] ------------------------------ Date: Tue, 10 Jun 2003 01:34:38 -0400 From: Monty Solomon <montyat_private> Subject: Tiny tracking chips surface in retail use Tom Pounds waved his overflowing grocery basket at the wall and offered a glimpse of our shopping future. The coffee cans, razor blades, and other items in his basket each carried a stowaway -- a tiny chip, the size of a fleck of black pepper, coupled with an antenna. Each emitted a short burst of identifying data that streamed via radio waves to a sensor on the wall. [...] Within fractions of a second, a computer translated those received signals onto a monitor as images of each product in the basket. [...] In 15 or 20 years, futurists predict, the pervasive RFID tags will link to massive computer networks, enabling speedy checkout from the grocery store, medicine cabinets that tell you when to take pills, and milk cartons that inform your fridge when to add another gallon to the grocery list. [...] [Source: Chris Gaither, Radio Frequency Identification Tiny tracking chips surface in retail use Retail uses for ID chips surfacing, *The Boston Globe*, 9 Jun 2003] http://www.boston.com/dailyglobe2/160/business/ Tiny_tracking_chips_surface_in_retail_use+.shtml ------------------------------ Date: Tue, 17 Jun 2003 11:32:52 -0400 From: Steve Holzworth <schat_private> Subject: Smart cellphone would spend your money "A consortium of the world's top consumer electronics firms, mobile networks and broadcasters are funding the development of cellphones that will spend money on your behalf. The consortium, called Mobile VCE, includes Nokia, Sony, Vodafone and the BBC. It might sound like a bankruptcy waiting to happen, but software engineer Nick Jennings is supremely confident the phones will not mess up anybody's life. [...] The cellphone agents only offer help if triggered by a diary event or if a definite pattern of behaviour, such as going to the movies every Friday, has been established." [Source: New Scientist] http://www.newscientist.com/news/news.jsp?id=ns99993818 [SCH - how many "supremely confident" software engineers have watched as their rocket booster exploded, their online store got hacked, etc.?] What mechanisms will be in place to dispute or refuse purchases that your cellphone agent makes on your behalf? Be *sure* that you always want to go to the movies every Friday... I own a DirecTivo video recorder, which has a similar agent-like process that automatically records "suggested" programs for you, based on analyzing your previous viewing habits. I'm still often amused by some of the "suggestions" it makes, which have no obvious relevance whatsoever to my typical viewing habits. I suppose that if your life runs on a rigid schedule, this might be useful. My life certainly doesn't... Steve Holzworth Senior Systems Developer SAS Institute - Open Systems R&D VMS/MAC/UNIX, Cary, N.C. schat_private ------------------------------ Date: Fri, 6 Jun 2003 11:10:44 -0400 From: Jeremy Epstein <jeremy.epsteinat_private> Subject: Virginia grievance system online - with a slight problem Virginia put its workplace grievance system online as a way of improving responsiveness (the old system typically took a year to process), according to *The Washington Post* Expected savings are $100,000/year, possibly more. As a Virginia taxpayer, that's good.... every little bit helps. [http://www.washingtonpost.com/wp-dyn/articles/A10481-2003Jun3.html] "The system is secure from prying eyes, yet those who need to know a case history can view an entire file by using the employee's Social Security number." So... yet another new system that uses the employee's SSN as the key. That's bad. [And we won't even get into how they know that "the system is secure from prying eyes".] ------------------------------ Date: Fri, 13 Jun 2003 22:22:23 +0200 From: Giles Todd <gat_private> Subject: Sign someone up to be an organ donor! Add anyone you like to the UK's NHS Organ Donor Register at: https://www.uktransplant.org.uk/odronline/servlet/mydetailsservlet Apart from trivial address validity checks, the sole attempt to ensure that the person being signed up is really who he or she says he or she is is an e-mail message sent to the e-mail address supplied. Date: Fri, 13 Jun 2003 21:11:12 +0100 (BST) From: odrat_private Subject: I want to be a donor Thank you for joining the NHS Organ Donor Register. Your new record will now be downloaded directly to the register. If you wish to amend the personal information held on the register at any time you can do so through this website, or by contacting: The Organ Donor Line (0845 60 60 400) between 7am and 11pm seven days a week for a form, or by writing to: The NHS Organ Donor Register, UK Transplant, PO Box 14, FREEPOST Patchway, BRISTOL BS34 8ZZ UK ------------------------------ Date: Sat, 14 Jun 2003 13:35:54 -0400 From: Steve Bellovin <smbat_private> Subject: Continental Airlines check-in computer foul-up This morning, I tried to check in for a Continental flight from Newark to Seattle. But all of the self-service check-in kiosks and all of the domestic check-in computers were down. It seems that they'd done a software upgrade at 0200, and when things got busy the system died. One of the customer service managers was muttering that they should have installed the upgrade on a Sunday morning instead. They told people to go upstairs to the International check-in area, which hadn't been "upgraded". But they didn't allocate enough desks -- or enough people from the non-functional domestic check-in -- to handle the crowd. Nor, despite assurances from Customer Service, did they hold any flights. The system wouldn't let me check in 10 minutes prior to flight time, of course, which is reasonable under normal circumstances but not when their own software has fouled things up. They also didn't have any priority procedure for folks on earlier flights. But it turns out that they did hold the flight, or so it seems -- checking the Continental Web site when I got home, I found that my flight took off 25 minutes late. In possibly-unrelated computer confusion, one of the arrival status monitors at EWR was displaying the Internet Explorer "this page is not available" screen, while one of the departure monitors was showing a typical Windows desktop. Hmm -- looking at the pictures I took, I see that it has Winzip installed.... Steve Bellovin, http://www.research.att.com/~smb ------------------------------ Date: Fri, 6 Jun 2003 12:49:02 -0700 From: greep <greepat_private> Subject: Downloading data can turn your computer into a server The Register reports (<http://www.theregister.co.uk/content/6/31080.html>) that Joltid is using "content distribution technology that utilises users' own PCs to disseminate content for publishers." According to the article, when someone loads content (such as software) using the Joltid system, the computer loading the data then becomes a server for that same data. There seem to be a number of potential risks to users of such a system: They could held liable for "publishing" information over which they have no control. This liability could include copyright and patent infringement. If the content is found to contain viruses or material which is illegal, the liability could be even more severe. Bugs in the Joltid software could expose their personal files to the outside world, even if their computers run no other server software. Their own network throughput, or other computer resources, might be affected by having their computers act as servers. They may be subject to additional ISP charges for excessive outbound traffic. People who retrieve data from another customer's computer (not from the original publisher) need to consider the possibility that the data has been altered. The article does say: "All files are digitally signed to prevent tampering, the company claims", but no details are provided. ------------------------------ Date: Sat, 14 Jun 2003 14:53:10 -0700 From: Crispin Cowan <crispinat_private> Subject: Re: U of Calgary to teach virus writing (Weaver, RISKS-22.76) How is it that worms specifically, or malicious code in general, is a legitimate area of research, but not a legitimate study topic for students in a class? How are we to obtain more defensive experts such as Weaver if we do not train young people in the area. Techniques to write viruses and worms are evidently already very well known in the black hat community, as evidenced by the proliferation of such worms. It is only in the defensive community where ignorance is relatively common, as evidenced by the naive defenses that are proposed over and over again. In light of that, how is the suppression of malicious coding techniques in the education system any different from the suppression of how to sharpen a pointed stick with which to murder one's neighbor? I'm sorry, but the cat is clearly out of the bag, and there is little benefit in attempting to suppress knowledge of how to write a worm. IMHO, all the hand-wringing over this course is badly misplaced. Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/ ------------------------------ Date: Fri, 13 Jun 2003 17:13:52 -0400 (EDT) From: msbat_private (Mark Brader) Subject: Computer bugs and believing reliable sources Back in comp.risks 22.73, Monty Solomon quoted <http://finance.lycos.com/home/news/story.asp?story=34131541>: | Computer bugs have been around since malfunctions in a 1945 | [Harvard] Mark II were blamed (facetiously) on a moth trapped | in a relay. In fact, the malfunction in question *was* caused by the moth trapped in a relay -- the facetious part was the association of this event with the existing slang term for a problem, i.e. "bug". As <http://americanhistory.si.edu/csr/comphist/objects/bug.htm> shows, the moth was preserved along with the annotation, "First actual case of bug being found". (Note the word "actual".) Now that's not Risks-worthy, but I think the other error in the quoted sentence is: the Lycos writer gave the date of the incident as 1945. As the web page I just cited shows, the logbook with the moth now belongs to the Smithsonian Institution's National Museum of American History, and *they* say that the correct date is 1947. Since the illustrated page does not show the year, I e-mailed infoat_private to query the point. They replied to say that 1947 is correct and that "The year does not appear on the page, but it does appear elsewhere in the logbook." Now try a google search for the phrase "first computer bug" and each of the years 1945 and 1947. Go ahead, I'll wait... But here are the counts I get when I do it. "first computer bug" 1945 388 "first computer bug" 1947 140 Of course, some of these will be false hits -- the year being mentioned in another context on the same web page -- but it's easy to see from the google synopses that many of the 388 hits do give the wrong date. Among these are: http://www.history.navy.mil/photos/images/h96000/h96566kc.htm http://www.computer.org/history/development/1945.htm and a *large* number of university sites. Obviously sources that you would expect things to be right, aren't they? I even found one page (but I lost it again, so no cite) that seems to show Grace Murray Hopper, who was part of the group working on the computer, herself saying that the incident was in 1945. And it's actually even worse than the above numbers suggest. Of the 140 hits in the second (1947) search, many *are* false. If you search for the phrase together with *both* years, there are 103 hits, and many of these are pages that date the incident to 1945 and then mention 1947 in another context. Everyone learns quickly enough that you can't believe everything you read on the Web. But in this case there are enough pages at enough reliable-seeming sites that it's hard to believe that they're all wrong -- and yet (unless my correspondent at the Smithsonian, where the actual logbook is, was lying or mistaken) they are. The difference between a 1945 and 1947 date for a minor piece of etymological history is a trivial error to practically everyone. But the next time you believe what you read, it might not be trivial. (Of course this sort of problem can happen with non-Internet research too. The Risks relevance is that Web searching makes it so much easier to become very sure very fast...) Mark Brader | "I'm a little worried about the bug-eater", she said. Toronto | "We're embedded in bugs, have you noticed?" msbat_private | -- Niven, "The Integral Trees" ------------------------------ Date: Mon, 16 Jun 2003 09:14:49 -0400 From: "Eric Greenberg" <ericat_private> Subject: Re: Slade's Review of Mission Critical Security Planner My book titled Mission Critical Security Planner (Wiley, 2003), which Slade has critiqued here, survived full scrutiny and review on slashdot.org, a tough group of folks http://books.slashdot.org/article.pl?sid=03/02/13/1515257 and has been reviewed by many reviewers, all of which have offered nothing but praise. I encourage you to see the other reviews on Amazon.com and elsewhere on the Internet. http://www.amazon.com/exec/obidos/ASIN/0471211656 You might also visit the Mission Critical Security Planner companion Web site, where you can download a free electronic copy of the Chapter 1 and the free worksheets used in the book, at http://www.CriticalSecurity.com Judge my commitment to this book, supporting the readers, and security planning in general, by that material and the Web site. Eric Greenberg http://www.CriticalSecurity.com http://www.amazon.com/exec/obidos/ASIN/0471211656 ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-requestat_private Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to <risks-requestat_private> with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomoat_private . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address <x@y>" ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact <Lindsay.Marshallat_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.77 ************************
This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 11:24:17 PDT