Alco Blom has released version 5 of his venerable Web Confidential password manager (which TidBITS has been covering for more than two decades; see 'Web Confidential: Securing Information of All Sorts,' 3 August 1998), which was rewritten from scratch to meet the 64-bit requirements in the upcoming macOS 10.15 Catalina. Additionally, the update adds support for Touch ID and the Touch Bar on MacBook Pro models, incorporates support for AppleScript, enables you to import passwords from tab-delimited text files, and adds support for large text sizes. Web Confidential 5 costs $25, and you can upgrade from previous versions for $20. ($25 new from the Web Confidential Web site or the Mac App Store, $20 upgrade, 6.2 MB, release notes, macOS 10.13+)
Web Confidential 5.0 has some AppleScript support. It should be handy to import password files from other sources. Please check it out and let me know, and perhaps send me your scripts. By the way, there is also the command Import from Text in the File menu too.
This information is provided by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein or John Stewart directly.
Q1: What types of access restrictions are available?
There are three types of access restriction available:

- Restriction by IP address, subnet, or domain: Individual documents or whole directories are protected in such a way that only browsers connecting from certain IP (Internet) addresses, IP subnets, or domains can access them.
- Restriction by user name and password: Documents or directories are protected so that the remote user has to provide a name and password in order to get access.
- Encryption using public key cryptography: Both the request for the document and the document itself are encrypted in such a way that the text cannot be read by anyone but the intended recipient. Public key cryptography can also be used for reliable user verification. See below.
Q2: How safe is restriction by IP address or domain name?
Restriction by IP address is secure against casual nosiness but not against a determined hacker. There are several ways around IP address restrictions. With the proper equipment and software, a hacker can 'spoof' his IP address, making it seem as if he's connecting from a location different from his real one. Nor is there any guarantee that the person contacting your server from an authorized host is in fact the person you think he is. The remote host may have been broken into and is being used as a front. To be safe, IP address restriction must be combined with something that checks the identity of the user, such as a check for user name and password.

IP address restriction can be made much safer by running your server behind a firewall machine that is capable of detecting and rejecting attempts at spoofing IP addresses. Such detection works best for intercepting packets from the outside world that claim to be from trusted machines on your internal network.
One thing to be aware of is that if a browser is set to use a proxy server to fetch documents, then your server will only know about the IP address of the proxy, not the real user's. This means that if the proxy is in a trusted domain, anyone can use that proxy to access your site. Unless you know that you can trust a particular proxy to do its own restriction, don't add the IP address of a proxy (or a domain containing a proxy server) to the list of authorized addresses.
Restriction by host or domain name has the same risks as restriction by IP address, but also suffers from the risk of 'DNS spoofing', an attack in which your server is temporarily fooled into thinking that a trusted host name belongs to an alien IP address. To lessen that risk, some servers can be configured to do an extra DNS lookup for each client. After translating the IP address of the incoming request to a host name, the server uses the DNS to translate from the host name back to the IP address. If the two addresses don't match, the access is forbidden. See below for instructions on enabling this feature in NCSA's httpd.
Q3: How safe is restriction by user name and password?
Restriction by user name and password also has its problems. A password is only good if it's chosen carefully. Too often users choose obvious passwords like middle names, their birthday, their office phone number, or the name of a favorite pet goldfish. These passwords can be guessed at, and WWW servers, unlike Unix login programs, don't complain after repeated unsuccessful guesses. A determined hacker can employ a password guessing program to break in by brute force. You also should be alert to the possibility of remote users sharing their user names and passwords. It is more secure to use a combination of IP address restriction and password than to use either of them alone.

Another problem is that the password is vulnerable to interception as it is transmitted from browser to server. It is not encrypted in any meaningful way, so a hacker with the right hardware and software can pull it off the Internet as it passes through. Furthermore, unlike a login session, in which the password is passed over the Internet just once, a browser sends the password each and every time it fetches a protected document. This makes it easier for a hacker to intercept the transmitted data as it flows across the Internet. To avoid this, you have to encrypt the data. See below.
If you need to protect documents against _local_ users on the server's host system, you'll need to run the server as something other than 'nobody' and to set the permissions of both the restricted documents and server scripts so that they're not world readable. See Q9.
Q4: What is user authentication?
User verification is any system for determining and verifying the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable electronic signature.

Q5: How do I restrict access to documents by the IP address or domain name of the remote browser?
The details are different for each server. See your server's documentation for details. For servers based on NCSA httpd, you'll need to add a directory control section to access.conf that looks something like this:

This will deny access to everybody but the indicated hosts (18.157.0.5 and stoat.outback.au), subnets (192.198.2) and domains (.zoo.org). Although you can use either numeric IP addresses or host names, it's safer to use the numeric form because this form of identification is less easily subverted (Q1).

One way to increase the security of restriction by domain name is to make sure that your server double-checks the results of its DNS lookups. You can enable this feature in NCSA's httpd (and the related Apache server) by making sure that the -DMAXIMUM_DNS flag is set in the Makefile.
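The following is an added example, not code from the FAQ or from NCSA httpd: it shows the matching that such an access.conf section performs against host, subnet and domain rules, and the extra forward lookup that -DMAXIMUM_DNS turns on. The DNS is a constructed in-memory table so the script runs offline; the allow rules are the FAQ's own sample values, while 10.1.2.3 and its forged PTR record are made up for illustration.

```python
"""Allow-list matching in the style of NCSA httpd's 'allow from' rules, with
the double DNS lookup (IP -> name -> IP) that -DMAXIMUM_DNS enables."""

# Constructed stand-in for the DNS (not real records): reverse (PTR) and forward (A).
FAKE_PTR = {
    "18.157.0.5": "fox.example.edu",
    "10.1.2.3": "stoat.outback.au",   # forged PTR: the forward lookup below disagrees
    "192.198.2.17": "wombat.zoo.org",
}
FAKE_A = {
    "fox.example.edu": ["18.157.0.5"],
    "stoat.outback.au": ["203.0.113.9"],
    "wombat.zoo.org": ["192.198.2.17"],
}

# The FAQ's rule set: full address, host name, partial (class C) address, domain.
ALLOW_FROM = ["18.157.0.5", "stoat.outback.au", "192.198.2", ".zoo.org"]


def confirmed_hostname(ip):
    """Double DNS lookup: translate IP to a name, then the name back to addresses.
    The name is trusted only if the original IP is among those addresses."""
    name = FAKE_PTR.get(ip)
    if name is None:
        return None
    if ip not in FAKE_A.get(name, []):
        return None  # PTR claims a trusted name but the forward lookup does not agree
    return name


def rule_matches(rule, ip, hostname):
    """One 'allow from' entry, interpreted the way the FAQ describes."""
    if rule.startswith("."):                 # domain rule, e.g. ".zoo.org"
        return hostname is not None and hostname.endswith(rule)
    if rule.replace(".", "").isdigit():      # numeric rule: full or partial address
        return ip == rule or ip.startswith(rule + ".")
    return hostname == rule                  # host name rule


def is_allowed(ip, double_dns=True):
    """'order deny,allow / deny from all / allow from ...': True if any rule matches.
    With double_dns=False the server believes the PTR record unconditionally."""
    hostname = confirmed_hostname(ip) if double_dns else FAKE_PTR.get(ip)
    return any(rule_matches(rule, ip, hostname) for rule in ALLOW_FROM)


if __name__ == "__main__":
    for client in ["18.157.0.5", "192.198.2.17", "192.198.20.1", "10.1.2.3"]:
        print(client, "double-DNS:", is_allowed(client), "plain:", is_allowed(client, False))
```

The last address is the interesting one: its forged reverse record names a trusted host, so a server that skips the second lookup admits it, while the double-checked server refuses it.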
For the CERN server, you'll need to declare a protection scheme with the Protection directive, and associate it with a local URL using the Protect directive. An entry in httpd.conf that limits access to certain domains might look like this:
Q6: How do I add new users and passwords?
Unix-based servers use password and group files similar to the like-named Unix files. Although the format of these files is similar enough to allow you to use the Unix versions for the Web server, this isn't a good idea. You don't want to give a hacker who's guessed a Web password carte blanche to log into the Unix host.

Check your server documentation for the precise details of how to add new users. For NCSA httpd, you can add a new user to the password file using the htpasswd program that comes with the server software:

htpasswd will then prompt you for the password to use. The first time you invoke htpasswd you must provide a -c flag to create the password file from scratch.
The CERN server comes with a slightly different program called htadm:

htadm will then prompt you for the new password.
After you add all the authorized users, you can attach password protection to the directories of your choice. In NCSA httpd and its derivatives, add something like this to access.conf:

You'll need to replace AuthUserFile with the full path to the password file. This type of protection can be combined with IP address restriction as described in the previous section. See NCSA's online documentation (http://hoohoo.ncsa.uiuc.edu/) or the author's book (How to Set Up and Maintain a Web Site) for more details.
For the CERN server, the corresponding entry in httpd.conf looks like this:

Again, see the documentation or the author's book for details.
Q7: Is there a CGI script to allow users to change their passwords online?
There are several floating around. The one I use is a Perl script that I wrote myself, user_manage. It works with the password and group files used by the Apache, NCSA httpd, CERN and Netscape Unix servers, and probably other Unix-based servers. Users can use it to safely change their own passwords, and Web administrators can use it to add new users, manipulate groups, and edit the privileges of existing users. You can find this script at http://stein.cshl.org/~lstein/user_manage/

Bill Jones has written a multi-purpose script called WebPass. In addition to allowing users to change their Web passwords, they can also change their POP, log-in and news passwords, if they have them. It uses a combination of Perl and Expect to do its magic. You can find it at: http://web.fccj.org/~wcjones/WebPass.html

Several vendors of commercial Web servers also offer remote user administration scripts. See your server documentation for details.
Q8: Using per-directory access control files to control access to directories is so convenient, why should I use access.conf?
Instead of placing directory access restriction directives in centralized configuration files, most servers give you the ability to control access by putting a 'hidden' file in the directory you want to restrict access to (this file is called '.htaccess' in NCSA-derived servers and '.www_acl' in the CERN server). It is very convenient to use these files since you can adjust the restrictions on a directory without having to edit the central access control file. There are several problems with relying on .htaccess files too heavily. One is that with access control files scattered all over the document hierarchy, there is no central place where the access policy for the site is clearly set out. Another problem is that it is easy for these files to get modified or overwritten inadvertently, opening up a section of the document tree to the public. Finally, there is a bug in many servers (including the NCSA server) that allows the access control files to be fetched just like any other file using a URL such as:

This is clearly an undesirable feature since it gives out important information about your system, including the location of the server password file. Another problem with the per-directory access files is that if you ever need to change the server software, it's a lot easier to update a single central access control file than to search and fix a hundred small files.
Q9: How does encryption work?
Encryption works by encoding the text of a message with a key. In traditional encryption systems, the same key was used for both encoding and decoding. In the new public key or asymmetric encryption systems, keys come in pairs: one key is used for encoding and another for decoding. In this system everyone owns a unique pair of keys. One of the keys, called the public key, is widely distributed and used for encoding messages. The other key, called the private key, is a closely held secret used to decrypt incoming messages. Under this system, a person who needs to send a message to a second person can encrypt the message with that person's public key. The message can only be decrypted by the owner of the secret private key, making it safe from interception. This system can also be used to create unforgeable digital signatures.

Most practical implementations of secure Internet encryption actually combine the traditional symmetric and the new asymmetric schemes. Public key encryption is used to negotiate a secret symmetric key that is then used to encrypt the actual data.
Since commercial ventures have a critical need for secure transmission on the Web, there is very active interest in developing schemes for encrypting the data that passes between browser and server.
More information on public key cryptography can be found in the book 'Applied Cryptography', by Bruce Schneier.
Q10: What are: SSL, SHTTP, Shen?
These are all proposed encryption and user authentication standards for the Web. Each requires the right combination of compatible browser and server to operate, so none is yet the universal solution to the secure data transmission problem.

SSL (Secure Socket Layer) is the scheme proposed by Netscape Communications Corporation. It is a low level encryption scheme used to encrypt transactions in higher-level protocols such as HTTP, NNTP and FTP. The SSL protocol includes provisions for server authentication (verifying the server's identity to the client), encryption of data in transit, and optional client authentication (verifying the client's identity to the server). SSL is currently implemented commercially on several different browsers, including Netscape Navigator, Secure Mosaic, and Microsoft Internet Explorer, and many different servers, including ones from Netscape, Microsoft, IBM, Quarterdeck, OpenMarket and O'Reilly and Associates. Details on SSL can be found at:
SHTTP (Secure HTTP) is the scheme proposed by CommerceNet, a coalition of businesses interested in developing the Internet for commercial uses. It is a higher level protocol that only works with the HTTP protocol, but is potentially more extensible than SSL. Currently SHTTP is implemented for the Open Marketplace Server marketed by Open Market, Inc on the server side, and Secure HTTP Mosaic by Enterprise Integration Technologies on the client side. See here for details:
Shen is a scheme proposed by Phillip Hallam-Baker of CERN. Like SHTTP it is a high level replacement for the existing HTTP protocol. Although it has existed as a proposal for nearly two years, no browser or server vendor has implemented it. Further, the URL that described it is no longer available, so for all intents and purposes it can be considered moribund.
Q11: Are there any 'freeware' secure servers?
There is a freeware implementation of SSL, known as SSLeay. This implementation comes as C source code that can be linked into such applications as Telnet and FTP. Among the supported applications are the freely redistributable Unix Web servers Apache and NCSA httpd, and several Unix-based Web browsers, including Mosaic. Outside United States borders this package can be used free of charge in both commercial and non-commercial applications. Within the United States, however, you will need to pay a licensing fee to RSA Data Security in order to use SSL for commercial applications (it might be easier to obtain one of the commercial versions of Apache-SSL, which provide the license as part of the purchase price).

There are several components to this software. You will need to obtain and install them all in order to have a working SSL-based Web server:
- The SSLeay FAQ: http://www.psy.uq.oz.au/~ftp/Crypto/. You'll need to read this carefully.
- SSLeay: This is the SSL library itself. It can be obtained via FTP at ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
- Patches to various Internet applications: These are source code patches to telnet, ftp, Mosaic, and the like to take advantage of SSL. They can be found via FTP at ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/.
- Patches for the Apache server: Currently there are patches for the Apache 0.8.14h and 1.0.1a servers. The patches may work with other versions as well, but are not guaranteed. ftp://ftp.ox.ac.uk/pub/crypto/SSL/
- The Apache server source code: http://www.apache.org
After installing an SSL-enabled server you will need to obtain a server certificate from a certifying authority. Server certificates are available from a number of different companies, each with a slightly different application procedure and fee schedule. In the United States, the VeriSign Corporation was the first and still most widely used certifying authority. Because of a recent fee increase ($495 for a commercial server certificate), however, VeriSign is currently one of the more expensive agencies. A good alternative to VeriSign is Thawte Consulting; its fees are significantly lower and its application procedure for non-American organizations is far less of a hassle. Other certifying authorities include:
- Entrust: http://www.entrust.com/
- GTE CyberTrust: http://www.cybertrust.gte.com/
- EuroSign: http://eurosign.com
- COST: http://www.cost.se
- BiNARY SuRGEONS: http://www.surgeons.co.za/certificate.html
- Keywitness: http://www.keywitness.ca
- SoftForum: http://www.softforum.co.kr/
- CompuSource: http://www.compusource.co.za/
The process of obtaining a server certificate is slightly different from CA to CA, but follows the same basic outline. After choosing a certifying authority, connect to its Web site and find the server certificate application section. From here locate the appropriate application form for your server software, and fill it out. You'll be asked to provide your Web site's domain name, company name, and contact information. You'll also be asked to provide documentation, such as a Dun and Bradstreet number, articles of incorporation, or a notarized letter from the bursar of your college to prove the identity of your organization. You'll also be asked to provide payment information, such as a credit card number.
The application form is only half of the process. You'll also need to generate an electronic certificate request. After submitting the application form to the CA, you'll use a program provided with your server software to generate a public/private key pair. In the Apache-SSL distributions, the program is called genkey.
After generating the key pair, the key generation software will create a file containing the key request. In some cases it will automatically mail the file to the CA. In other cases, it will ask you to manually mail the file to the CA. In either case there will now be a wait of days to weeks while the CA confirms the validity of your request. Eventually you will receive a signed certificate by return e-mail. You then complete the process by installing the signed certificate on your server. The details again vary from server to server. For Apache-SSL you'll use a program called getca.
At this point users will be able to retrieve documents from your server and to submit forms without fear of interception. Your server's certificate provides remote users with proof of your server's identity.
Q12: Can I use Personal Certificates to Control Server Access?
SSL can also be used to verify the users' identity to the server, providing more reliable authentication than the common password-based authentication schemes. To take advantage of this system each user will have to obtain a 'personal certificate' from a CA.

Users can obtain inexpensive personal certificates from VeriSign. VeriSign offers two classes of certificate. Class 1 certificates cost a mere $9.95 yearly, but provide no assurance that the user is who he or she claims to be because VeriSign performs no validation of the information submitted by the user on the application form. At most, class 1 certificates certify that the user can receive e-mail at the address provided in the application. Class 2 certificates, available for $19.95 yearly, provide a greater level of assurance. In order to obtain such a certificate, the user must provide personal identifying information that is validated by a credit bureau.
If you are running an intranet, you may wish to issue personal certificates yourself, in order to provide fine-grained access control to employees of your organization. To do this, you will need to obtain and install a certificate server. Such systems are available from Microsoft, Netscape, XCert, Entrust and GTE.
To use personal certificates for access control, your server will need to be specially configured. The mechanics of setting this up are beyond the scope of this document, but detailed directions can be found in the author's book, Web Security: A Step-by-Step Reference Guide.
Q13: How do I accept credit card orders over the Web?
You can always instruct users to call your 800 number :-). Seriously, though, you _shouldn't_ ask remote users to submit their credit card number in a fill-out form field unless you are using an encrypting server/browser combination. Your alternative is to use one of the credit card proxy systems described in the next section.

Even with an encrypting server, you should be careful about what happens to the credit card number after it's received by the server. For example, if the number is received by a server script, make sure not to write it out to a world-readable log file or send it via e-mail to a remote site.
Q14: What are: CyberCash, SET, OpenMarket?
These are all schemes that have been developed to process commercial transactions over the Web without compromising credit card numbers or other confidential information.

CyberCash
CyberCash, a product of the CyberCash Corporation, uses specialized software on the merchant and customer's sides of the connection to provide for secure payments across the Internet. CyberCash supports both credit cards and electronic checks. The credit card service enables online stores and Internet billers to accept credit card payments for goods or services, and the 'PayNow' service enables Internet billers to accept electronic check payments for bills presented on the Internet. For a consumer or business to make CyberCash payments, they submit credit card or checking account information via an SSL-enabled form provided by the merchant. Alternatively, the consumer may use an InstaBuy Wallet to simplify the purchasing process. InstaBuy saves user credit card information (electronic checks are not yet supported), in 128-bit encrypted form, on the InstaBuy servers.

When a user goes to purchase an item from a CyberCash enrolled merchant, the user fills out a traditional payment form to be submitted via SSL, or, if the merchant also supports InstaBuy, clicks on the InstaBuy icon to set up or use a Wallet. CyberCash merchants may choose whether or not to implement InstaBuy, which is a new service owned by CyberCash. Payment information is then sent to the merchant's web server which packages the transaction for forwarding to the CyberCash Gateway servers, which are linked to financial institutions. CyberCash, in contrast to the associations created by its name, is really a back-end payment system, transparent to the user, which merchants use for payment processing.
An advantage of CyberCash is its use of triple-DES encryption when transmitting payment information. Also, because payments are processed entirely by CyberCash, there is really no need for merchants to record credit card or checking account information in a database or other static memory location. This lessens the merchant's risk that financial information can be stolen by individuals who have broken into the merchant's computer system. The onus is on CyberCash to handle all security concerns.
For merchants to accept CyberCash payments they must first establish a credit card merchant account with an acquiring financial institution. More than 95 percent of the acquiring financial institutions in the United States are CyberCash-enabled. Fees to open merchant accounts vary, as they are set by the regional banks themselves. A typical scenario would include: a one-time fee of approximately $100 to create the account, a monthly fee of approximately $15 to keep the account open, and a transaction fee of 2-3% of the purchase price of each transaction. In addition to fees charged by the acquiring financial institution, CyberCash says that merchants should expect to pay (to CyberCash) a one-time service setup fee ($500 to $1,000), and monthly service fees typically comprised of a service access fee (usually $40 - $80) and transaction charges based on volume (usually $0.20 to $0.60 per transaction).
After setting up a merchant bank account, the merchant must install software called the 'Merchant Connection Kit' (MCK) on their Web server. This software is launched when the user presses the 'pay' button in a shopping cart script (or equivalent), and forwards the transaction to the 'CashRegister' service running on the CyberCash servers. The MCK is downloadable free of charge and available for many platforms, including Windows NT and Unix. It requires only 100k of hard disk space, and consists of encryption and communication libraries, HTML templates, and CGI scripts for handling payments at your online store.
The MCK's job is to transmit all payment information to the CyberCash Gateway servers, which are responsible for executing the transaction. These are payment servers which communicate with financial institutions in such a way that, to the financial institution, the transactions look like standard point of sale events, not Internet transactions.
CyberCash also offers an 'Administrative Interface', which is a web site that enables you to perform administrative tasks such as querying for transactions, getting daily transaction totals, or refunding money for returned items.
The main advantage of CyberCash is that it provides the merchant with a fully functional, externally managed payment processing system. The merchant need only set up a merchant account and configure the MCK to get started. Disadvantages include the risk of centralizing so much financial information on one server system (CyberCash), and the accompanying dependence on the CyberCash servers' performance and throughput characteristics. In addition, the fees charged to merchants for processing credit card transactions make CyberCash impractical for small purchases, such as 'pay per play' on-line video games.
More information on CyberCash is available at: http://www.cybercash.com
SET
SET, or Secure Electronic Transaction protocol, is an open standard for processing of credit card transactions over the Internet created jointly by Netscape, Microsoft, Visa and Mastercard. The main justification for SET is interoperability. By adhering to the standard, one vendor's software will be interoperable with any other vendor's software.
To address the high potential for fraud on the Internet, the SET standard uses a complex system of certifying authorities to vouch for the identity of every party in the transaction: customer, merchant, card-issuer and merchant's bank are all identified by signed, unforgeable certificates. To address privacy concerns, the transaction is separated in such a way that the merchant has access to information about what is being purchased, how much it costs, and whether the payment is approved, but no information on what payment method the customer is using. Similarly, the card-issuer has access to the purchase price, but no information on the type of merchandise involved. Despite these precautions, however, SET does not provide complete anonymity to the consumer.
SET requires specialized software on both the customer's and merchant's side of the connection. Cardholders shopping on SET-compliant sites who want to take advantage of secure SET processing must have a SET compliant wallet, available from SET merchants or financial institutions. Some merchants may also require that the cardholder have a SET Certificate. The main advantages of SET to the consumer are security guaranteed by digital certificates, and the ability to utilize the same wallet, theoretically, on any SET-compliant site.
Merchants who wish to become a SET online merchant site need to build or purchase a SET-compliant merchant server product. The SET website provides a Vendor Status Matrix with information about purchasing and installing merchant server applications. Merchants then need to contact their financial institution to obtain a digital certificate.
Microsoft offers Site Server Commerce Edition, a superset of the Microsoft Site Server product, which is itself a superset of Internet Information Server. Site Server Commerce Edition supports real-time credit authorization with SET. It also includes all of Site Server's features for dynamically publishing content, searching content and the delivery of content in multiple formats. For more information on Site Server Commerce, go to http://www.microsoft.com/siteserver/commerce/default.htm.
For its part, the iPlanet.com collaboration of Netscape Corporation and Sun Microsystems offers MerchantXPert, which provides catalog management, order management, membership services, and payment services. While Netscape's earlier e-commerce merchant server product, LivePayment, was moving in the direction of full SET compliance, the new offering from the Alliance is not SET-compliant and does not appear to be headed in that direction.
For more information on SET, see the Secure Electronic Transaction LLC website. They are responsible for the ongoing management of the SET specification.
Open Market Web Commerce System
Open Market, Inc., also offers an online commerce system. In the Open Market scheme, a back-end transaction system and a front-end catalog interface combine to create an end-to-end e-commerce solution. The back-end system, known as Transact, provides core business functions such as order fulfillment, billing and connections to payment services. LiveCommerce, the front-end system, provides the storage, manipulation and presentation of the product catalog. Open Market's prices reflect the fact that the products are geared mainly to large corporations, banks, and service providers who wish to present large catalogs or set up multiple independent e-commerce storefronts. More information is available from Open Market at http://www.openmarket.com.
$Id: wwwsf5.html,v 1.10 2005/03/24 10:39:20 ot Exp $