“High risk”: Document shows HHS launched ObamaCare website without end-to-end security testing

posted at 2:41 pm on October 30, 2013 by Allahpundit

Via the WFB, if you watched this morning and were wondering what Mike Rogers was looking at while he was grilling Sebelius on site security, here’s your answer.

The Sept. 27 memo to Medicare chief Marylin Tavenner said a website contractor wasn’t able to test all the security controls in one complete version of the system.

Insufficient testing “exposed a level of uncertainty that can be deemed as a high risk,” the memo said.

The memo recommended setting up a security team to address risks, conduct daily tests, and a full security test within two to three months of going live.

“High risk,” but they launched it anyway. The result: A flaw in the password-reset part of the site that would have made it unusually easy for hackers to fool the site into letting them log on as other users. “This seems really sloppy,” said the IT specialist who uncovered it. The flaw was fixed on Monday night, but it is indeed a bad omen about the rest of the site’s security that something as basic as this went uncorrected for nearly a month. And things might get worse before they get better: Rogers’s point in the clip below isn’t merely that they rushed this thing out without a comprehensive security check, it’s that the ongoing repairs to the site’s functionality could be creating new security holes that they’re not even aware of yet. Even if they ran an end-to-end check now and everything was okay, there could be new flaws a month from now as a result of “fixes” being performed daily by the “tech surge” team. Security experts are worried too:

“A secure software development effort takes time,” [IT-Harvest consultant Richard] Stiennon said, “I am very concerned that a rush job on the Healthcare.gov site will introduce new security vulnerabilities.”…

“In all the coverage (of the glitches) and [at] all the official press conferences, I have heard them talk about how they are going to fix the technical glitches,” [HackSurfer founder Jason] Polancich said. “But I have not heard anyone talk about what they are doing from a cyber defense standpoint or of identifying and fixing vulnerabilities. I have not heard them talk about how they are going to address persistent cyber threats.”…

“Coordinating complex application and infrastructure changes is challenging under the best of circumstances and it’s even worse during a mad scramble,” [TripWire CTO Dwayne] Melancon said. “Haste is the enemy of good security. Security is complex and requires a lot of forethought and planning to be effective, so I’m concerned that trying to scramble and fix things quickly — especially on a live system — will introduce unintended security issues.”

Just another in the endless cascade of problems from their fateful decision to launch on time on October 1. The worse things get, the more mysterious that decision becomes. As embarrassing as it would have been for them to delay the rollout until, say, November 1, it’s minuscule compared to the cumulative embarrassment they’re suffering from a notoriously defective website, a mountain of media coverage about disruptions to the insurance market if people become disaffected and stop trying to enroll, the PR disaster of some sort of major security breach by hackers, etc. The only explanation I can come up with, apart from pure spiteful pride in not handing Republicans an easy “I told you so” by delaying, is that they knew that some critical mass of people with illnesses would persevere and sign up despite all of the problems and that would make it much harder for Republicans to argue later that the entire law should be delayed. That’s the White House’s ultimate goal — not building a site that runs well on the day it’s supposed to debut, not ensuring that the site isn’t a beehive for hackers looking to steal identities, but simply making sure that O doesn’t need to cry “uncle” for six months or a year in his endless political death struggle over ObamaCare with the GOP.


Related Posts:

Breaking on Hot Air

Blowback

Note from Hot Air management: This section is for comments from Hot Air's community of registered readers. Please don't assume that Hot Air management agrees with or otherwise endorses any particular comment just because we let it stand. A reminder: Anyone who fails to comply with our terms of use may lose their posting privilege.

Trackbacks/Pings

Trackback URL

Comments

Not directed at HA.

Why is this not reported? It’s charlatanry pure!!!

They changed the program so the young, up to 24 years see rates for those up to 50, the older, up to 50 see rates of up to 65, and the others see the cheapest rates.

This is illegal, “truth in advertising”.

Sibelius was roasted today on it. NO one reports it in the news.

Schadenfreude on October 30, 2013 at 2:42 PM

What difference, at this point, does it make?

redguy on October 30, 2013 at 2:45 PM

“High risk,” but they launched it anyway.

Translation: We got ourselves some healthcare, good luck to you suckers! Hey, give us a holla at 1-800-F*CK-YOU!

ted c on October 30, 2013 at 2:46 PM

No need to worry about the lack of security.
After 0care takes you to the cleaners, you won’t have enough money or credit rating left to be a worthwhile target for hacker scammers.

dentarthurdent on October 30, 2013 at 2:47 PM

I am very concerned that a rush job

Old and busted: Shovel ready Jobs
New and Hotness: Rush Jobs on a clusterfarknado of software glitches

How ’bout some Victory Gin, proles!!?

ted c on October 30, 2013 at 2:48 PM

Feature not a bug. All of this admins cronies can have access to this information without any risk of the admin being implicated given the complete failure of any security in the process.

Skwor on October 30, 2013 at 2:48 PM

obama is in Mass, touting Romney’care’ today.

Mass. will go single payer, soon.

The nation will follow.

Putin laughs his azz off.

Schadenfreude on October 30, 2013 at 2:49 PM

She assured 3 Dimwits at the hearing today she was confident with the security piece. Therefore, it shall be. Carry on cake-eaters.

hillsoftx on October 30, 2013 at 2:49 PM

Hey! It’s all for the greater honor and glory of The Chosen One!

GarandFan on October 30, 2013 at 2:49 PM

But I have not heard anyone talk about what they are doing from a cyber defense standpoint or of identifying and fixing vulnerabilities.

Yo Jason….they got they some healthcare already….

/defense

ted c on October 30, 2013 at 2:50 PM

This is sorta like the joke about “someone stole my credit card, but the thief puts less on the card than my wife did, so I haven’t reported the theft”…. buh dum bum

I now seriously believe the government is going to do more damage to me than any hacker/scammer would.

dentarthurdent on October 30, 2013 at 2:50 PM

The result: A flaw in the password-reset part of the site that would have made it unusually easy for hackers to fool the site into letting them log on as other users.

Come on folks, this business of a ‘password’ to access a website is a pretty new concept on the internets. Obamacare is real cutting-edge stuff.

slickwillie2001 on October 30, 2013 at 2:53 PM

Obama had no idea.

Nobody did.

You can’t prove anybody did.

Wingnuts!

Good Lt on October 30, 2013 at 2:53 PM

I am going to make a prediction. Obama care is dead. Either the Dems will pull the plug or SCOTUS will rule it unconstitutional in one of the lawsuits that are winding their way through the Legal system.

The Dems have to do something about this mess before the 2014 election cycle or they will lose big time. This will play out in every close race in 2014 unless they get in front of it very soon.

Johnnyreb on October 30, 2013 at 2:54 PM

Schadenfreude on October 30, 2013 at 2:42 PM

Actually the site is showing the rates for a 27 year old for anyone who’s 49 or under, and the rates for a 50 year old for anyone who’s 50 or over. It’s still a bait and switch, of course, as it’s designed to show significantly lower rates for such broad categories of ages. Done on purpose of course.

TXUS on October 30, 2013 at 2:55 PM

My new favorite comment – from cnn comments section.

what difference does it make? whatever.

BoxHead1 on October 30, 2013 at 2:55 PM

Rogers was on CNN on Sunday:

Chairman of the House Intelligence Committee Mike Rogers (R., Mich.) said he is not convinced Obamacare is secure enough to protect private information Sunday on CNN…

MIKE ROGERS: Boy, I don’t — this worries me a lot, Candy. The fact that they have different segments of people controlling pieces of information and they say well we don’t store information but they have to store your application at some point. And that’s a lot of your very personal information. And it was very clear to me in the hearing that they do not have an overarching solid cyber security plan to prevent the loss of private information. I’m even more concerned today than I was even last week. I know that they’ve called in another private entity to try to help with the security of it. The problem is they may have to redesign the entire system. The way the system is designed, it is not secure. It is something called a boundary. Every time one agency goes to another agency with a piece of information, that is called a boundary. That’s the most — that’s the weakest, most vulnerable part of that conversation. It was clear to me they don’t have the boundaries concerned and that’s what I’m concerned about.

INC on October 30, 2013 at 2:56 PM

What difference, at this point, does it make?

redguy on October 30, 2013 at 2:45 PM

I think Sebelius put it more concisely than Billary with her now (in)famous ‘whatever’…Sebelius/Billary 2016 :) I’m all for a consistent ticket…

jimver on October 30, 2013 at 2:57 PM

Johnnyreb on October 30, 2013 at 2:54 PM

You have far more faith than I do that at least ONE of the Golgafrinchan refugees in charge is capable of making an intelligent decision – that is actually for the good of the people.

dentarthurdent on October 30, 2013 at 2:58 PM

I am going to make a prediction. Obama care is dead. Either the Dems will pull the plug or SCOTUS will rule it unconstitutional in one of the lawsuits that are winding their way through the Legal system.

The Dems have to do something about this mess before the 2014 election cycle or they will lose big time. This will play out in every close race in 2014 unless they get in front of it very soon.

Johnnyreb on October 30, 2013 at 2:54 PM

The problem is it can’t be fully repealed unless Obama signs off on it. I don’t see a veto-proof vote happening in Congress, even if the GOP cleans up in 2014. And Obama is more than willing to go down with the ship on this.

Doughboy on October 30, 2013 at 2:58 PM

What else can one say……
SMART Power!!!!!111!!!!elebinty

The worst and the dimmest have the controls of power.

jukin3 on October 30, 2013 at 2:58 PM

Why would the Obama administration care if the citizen’s personnel records were left unsecured and their identities stolen and lives ruined?

We are just to serfs to serve the Obama government.

I mean, gee, if they were concerned for the citizens’ well being they wouldn’t have passed Obamacare in the first place.

Axion on October 30, 2013 at 2:59 PM

“I didn’t do it. Nobody saw me. That’s my story and I’m sticking to it.” –Bart Simpson

Akzed on October 30, 2013 at 2:59 PM

kingsjester‏@kingsjester1

Sec. Sibelius, as a 50-something year old married couple, if we need Maternity Care, we won’t have to tell you. Just follow the 3 Wise Men

kingsjester on October 30, 2013 at 3:01 PM

Hilarious: Here are 7 amazing things that took less time to make than healthcare.gov

1. The Empire State Building

2. Defeating the Nazis

3. This Thing

4. The iPhone

5. The Rose Bowl

6. This Awesome Baby

7. Pretty Much Every Website Ever

INC on October 30, 2013 at 3:01 PM

Easier to ask for forgiveness after the failure, then delay up front and admit failure…

albill on October 30, 2013 at 3:03 PM

They couldn’t make copies of the memo, or email it, because of the sequester, Ted Cruz and GOP obstructionism or something.

mankai on October 30, 2013 at 3:05 PM

Rush mentioned this today. They launched on Oct.1 knowing the web site was not gonna work for 1 reason: SHUTDOWN WAS OCT. 1. When the web site didn’t work – it could be blamed on Republicans. Obama/Sebilius were too ignorant to comprehend the difference between a glitch & inoperable POS

drivingtheview on October 30, 2013 at 3:06 PM

“Men often need maternity care”

Schadenfreude on October 30, 2013 at 3:08 PM

Why isn’t some state AG pressing criminal charges for identity theft on HHS and Sebelious? What about false advertising, RICO, etc. You know a democrat AG would if under a republican president.

We. Have. To. Play. By. Their. Rules.

Or we will lose the country, if we have not already.

jukin3 on October 30, 2013 at 3:08 PM

“Men often need maternity care”

Schadenfreude on October 30, 2013 at 3:08 PM

1+1=POTATO now in blue.

jukin3 on October 30, 2013 at 3:09 PM

Actually the site is showing the rates for a 27 year old for anyone who’s 49 or under, and the rates for a 50 year old for anyone who’s 50 or over. It’s still a bait and switch, of course, as it’s designed to show significantly lower rates for such broad categories of ages. Done on purpose of course.

TXUS on October 30, 2013 at 2:55 PM

Thank you. It’s illegal “truth in advertising“.

How come the media ignore, even the so-called R media?

Schadenfreude on October 30, 2013 at 3:09 PM

ACA; it’s not just a website. It’s also a carburetor cleaner “and” a dessert topping.

AltTuning on October 30, 2013 at 3:09 PM

“…the IT specialist who uncovered it. The flaw was fixed on Monday night.”

So this is how we will proceed?

1. User finds bug.
2. User blogs bug.
3. Gov fixes bug.
4. Repeat until no bugs or no users.

Tsar of Earth on October 30, 2013 at 3:12 PM

Sebelius’s Abortion Dodge

Yeas and nays are not currently in style for the Obama administration. Obviously irritated when Shimkus persisted and altered his question, Sebelius told the committee that she thought her agency could certainly provide legislators with a list of the exchange plans and whether or not they cover elective abortion.

This is progress of a sort. But Sebelius did not say when Congress might obtain such a list, she did not commit to making that list available to visitors to the exchange website, and she certainly made no commitment that whatever level of transparency HHS would offer would actually be complete — that is, clear, complete, and accessible prior to the applicant’s entrusting government with personal data and enrolling in a particular plan.

INC on October 30, 2013 at 3:13 PM

“High risk,” but they launched it anyway.

because you see, who knows more about risky websites–an experienced computer nerd or an affirmitive action community organizer ?

burrata on October 30, 2013 at 3:15 PM

She is as dumb as a rock. Rogers is leaps and bounds ahead of her, and that’s a shame because the insecurity of data entered into the website is going to be a huge and ongoing crisis. Neither data at rest or going over the wire is secure, and this system is going to be the source of a lot of identity theft.

MTF on October 30, 2013 at 3:16 PM

Has there been any evidence of identity theft?

If there is, then I will believe that Obamacare is done.

At first it seemed the liberals were shocked at the truth.

Now they seem just fine with it, again.

But if people got their identity stolen, just for going on the site, then I think we can really be done with the whole mess.

I think everyone would be finished with big government.

petunia on October 30, 2013 at 3:17 PM

High Risk website…needs a condom…is that covered???…

PatriotRider on October 30, 2013 at 3:18 PM

So , no trolls I’m guessing ?

burrata on October 30, 2013 at 3:20 PM

“High risk,” but they launched it anyway.

‘Cause carin’ about stuff and having good intentions was s’posed to make it work.

mankai on October 30, 2013 at 3:21 PM

So , no trolls I’m guessing ?

burrata on October 30, 2013 at 3:20 PM

They’re busy trying to get their stolen IDs back.

mankai on October 30, 2013 at 3:22 PM

Fun fact: If a private entity were this sloppy with ePHI security, it would be subject at a minimum to civil HIPAA fines of up to $50,000 per affected user; for egregious cases, the DOJ could bring criminal charges carrying 5-year prison sentences.

Fabozz on October 30, 2013 at 3:22 PM

So did anybody ask Syphilius about Mooch’s GF ?

burrata on October 30, 2013 at 3:22 PM

but simply making sure that O doesn’t need to cry “uncle” for six months

You mean the uncle that is an illegal and faces deportation…not.

WashJeff on October 30, 2013 at 3:23 PM

NEWS ITEM : “John McAfee On Obamacare: web sites ‘What Idiot Set This Up?’ ‘This Is A Hacker’s Wet Dream!’”

FROM: All Hackers and Identity Thieves Throughout the World
TO: Everyone Who Manages to Sign Up for OBOZOCARE on a Government Web Site

Thank you, thank you, thank you !!!!

The information you placed on these UNSECURED, BADLY MANAGED JOKE SITES is appreciated. We promise to use this information to our maximum advantage in creating new accounts under your name and personal identifying information with every credit card and financial institution in the universe.

Please check your mailbox in the next couple of weeks for all the bills from our purchases.
Please be sure to pay on time and in full – DON’T BE A DEADBEAT !!!

Again, thanks for your generous support !!!!!

—Anonymous

PS – and if we don’t steal your identity, you can bet those criminals called OBOZCARE “navigators” hired by the OBOZO regime (with NO BACKGROUND CHECKS) will do it !

FYI: OBOZOCARE websites projected cost: $93 million. Actual cost: $634 million. These are people who are going to reduce your health care costs?

TeaPartyNation on October 30, 2013 at 3:24 PM

Here’s my question. I have employer-based insurance. Is my personal info going into the health care exchange databases?

hawksruleva on October 30, 2013 at 3:27 PM

Here’s my question. I have employer-based insurance. Is my personal info going into the health care exchange databases?

hawksruleva on October 30, 2013 at 3:27 PM

Absolutely

burrata on October 30, 2013 at 3:31 PM

Wow, who could have seen this coming?

Chris of Rights on October 30, 2013 at 3:34 PM

‘Cause carin’ about stuff and having good intentions was s’posed to make it work.

mankai on October 30, 2013 at 3:21 PM

“My superpower is to pretend I give a dam about your trivial little problems – and that’s 24/7 buddy…”

dentarthurdent on October 30, 2013 at 3:42 PM

So did anybody ask Syphilius about Mooch’s GF ?

burrata on October 30, 2013 at 3:22 PM

Weel, we know the Dems sure as he11 wouldn’t.
Are there ANY Republicans with enough balls (or any at all) to ask about that?

dentarthurdent on October 30, 2013 at 3:44 PM

Wow, who could have seen this coming?

Chris of Rights on October 30, 2013 at 3:34 PM

Shirley not any Dem voters…
And stop calling me Shirley….

dentarthurdent on October 30, 2013 at 3:45 PM

Has there been any evidence of identity theft?

petunia on October 30, 2013 at 3:17 PM

I went on the site two days ago and was able to enter a false name on the Forgot My Password page and they said they would send the info to change the persons password to the email address I provided (not the one on the account). So if I had the name of a person who was registered I could have basically stolen their account. Then yesterday they had that disabled.

kcewa on October 30, 2013 at 3:46 PM

I went on the site two days ago and was able to enter a false name on the Forgot My Password page and they said they would send the info to change the persons password to the email address I provided (not the one on the account). So if I had the name of a person who was registered I could have basically stolen their account. Then yesterday they had that disabled.

kcewa on October 30, 2013 at 3:46 PM

Oh. I had no idea that could even happen.

But has anyone had information stolen? SS numbers used for social services that kind of thing?

Is it too soon to know?

I think if there is any of that, the plug will just be pulled.

petunia on October 30, 2013 at 3:51 PM

Has there been any evidence of identity theft?

petunia on October 30, 2013 at 3:17 PM

If there has been, the media is desperately trying to hide it.

But then the likely Dem voter victims probably just haven’t figured out yet that a certain member of the Nigerian royal family isn’t actually going to pay their premiums.

dentarthurdent on October 30, 2013 at 3:53 PM

Has there been any evidence of identity theft?

petunia on October 30, 2013 at 3:17 PM

Hawaii, August 1961… just sayin’

;)

mankai on October 30, 2013 at 3:53 PM

Hawaii, August 1961… just sayin’

;)

mankai on October 30, 2013 at 3:53 PM

ROFL!!!

dentarthurdent on October 30, 2013 at 3:54 PM

I’d think internet security would be important to the young and healthies Obamacare’s trying to attract.

In the meantime, summing up Sebelius today: “I don’t know nuthin’ about nuthin’.”

BuckeyeSam on October 30, 2013 at 3:56 PM

This administration is absolutely incompetent. If they weren’t so dangerous they’d be a knee slapping joke.

rplat on October 30, 2013 at 3:56 PM

Clearly, the only goal of the Administration was to launch this EpicClusterFark on time – simply because of the political optics.

They knew it wouldn’t work. They knew not only was the technology flawed and not working, but that the fundamental architecture of Obamacare had no resemblance to what was promised to the American people.

They figured, with the complicity of the bankrupt media, they would do the same thing they always do – lie, obfuscate, deny, stonewall, and spin while not taking a hit for their incompetence, mendacity, and malfeasance.

The fact that the site / program doesn’t work, doesn’t do what it was promised to do, and in fact, makes things significantly worse, are all features, not bugs in the long run. It’s not their information that is at risk. It’s not their premiums that are increasing. They aren’t the one’s that can’t keep the plan or the doctor they like. It’s all about the ‘greater good’.

Athos on October 30, 2013 at 3:57 PM

The only explanation I can come up with, apart from pure spiteful pride in not handing Republicans an easy “I told you so” by delaying, is that they knew that some critical mass of people with illnesses would persevere and sign up despite all of the problems and that would make it much harder for Republicans to argue later that the entire law should be delayed.

About half of it is spite, yes. The other half is them just not caring very much about whether the site works or not. They also could not care less if identity thieves get their hands on the personal information of every single person in the USA. Realistically, what are those people whose identities have been stolen going to do? Short of the people actually going into the streets and rioting, nothing concrete will happen to anyone.

Doomberg on October 30, 2013 at 3:57 PM

Security was important but not considered critically important enough to delay the rollout because, in politics, a failure to meet the launch date, regardless of the other flaws, would be considered disasterous.

The LAW says customers have to come to the site and buy from whatever is offered, so something like security flaws that could compromise personal information are not overwhelmingly important, especially if those in charge won’t have to use the site.

Russ808 on October 30, 2013 at 4:00 PM

In the meantime, summing up Sebelius today: “I don’t know nuthin’ about nuthin’.”

BuckeyeSam on October 30, 2013 at 3:56 PM

This is quickly turning into the Sgt Schultz regime – all of them.
“I know nothingk, I see nothingk,…”

The buck stops, somewhere else….

It’s like the Joe’s Crab Shack slogan on the side of the building – “Free crab, tomorrow”.

dentarthurdent on October 30, 2013 at 4:01 PM

And Obama just runs around the country glad handing his buddies and smiling like Cheshire cat eating crap, completely oblivious to the disasters in his wake. God help us.

rplat on October 30, 2013 at 4:02 PM

dentarthurdent on October 30, 2013 at 4:01 PM

I’m repeating myself, but I’m also finding the blame game–blaming the contractors, the insurance companies, and Republicans–reminiscent of an old Flip Wilson routine: “The Devil made me do it.”

Enjoy.

http://www.youtube.com/watch?v=a0qYaZYE4QM

BuckeyeSam on October 30, 2013 at 4:07 PM

I’m repeating myself, but I’m also finding the blame game–blaming the contractors, the insurance companies, and Republicans–reminiscent of an old Flip Wilson routine: “The Devil made me do it.”

Enjoy.

http://www.youtube.com/watch?v=a0qYaZYE4QM

BuckeyeSam on October 30, 2013 at 4:07 PM

Can’t access youtube where I am right now – but I do know the routine.

Madame Syphilitius is bordering on that. On the one hand she says she’s responsible, but then proceeds to blame everyone else for it.

dentarthurdent on October 30, 2013 at 4:12 PM

Madame Syphilitius is bordering on that. On the one hand she says she’s responsible, but then proceeds to blame everyone else for it.

dentarthurdent on October 30, 2013 at 4:12 PM

Analogous to the non-apology apology.

“I’m accountable…but there are no consequences for me except from people who do pay my salary.”

BuckeyeSam on October 30, 2013 at 4:22 PM

“whatever….” the way sullen teenagers mean this word with its particular intonation, the way anyone uses it, translates to “you are an stupid a-hole, and f-you and the horse you rode in on.” Think about it.

This is why I would never allow anyone I am in authority over to get away unchallenged with using ” whatever..” toward me.

It is a sullen, sarcastic, know-it-all, nastily pejorative phrase…as is Sebelius. Using it the way she did mirrored her boss perfectly, and makes her just as small and vindictive as he is.

marybel on October 30, 2013 at 4:58 PM

They designed it to fail, knew it would fail and it failed right on schedule. Big Biz and the Unions got a carve out, congress got theirs and other favorites got a subsidy. We got left holding the bag when a lot of prezzy’s followers believed his lie. It’s the path to single payer which is already being touted by libs. The Won was in Boston claiming he didn’t lie it’s just that some people had bad apples or something and the crowd behind him went wild. Meanwhile, back at the ranch, Boner and the boys want to delay so this mess can be fixed and McLame is ready to pass amnesty after the primaries. Everybody in that town is nuts.

Kissmygrits on October 31, 2013 at 8:56 AM

A FEW SMALL MATTERS WHICH HAVE BEEN IGNORED:

When Healthcare.gov spills a citizen’s Social Security number, health information, etc. to the Identity Theft industry, who compensates the victim and helps him recover???

If HHS, or anyone else makes a mistake in a citizen’s Healthcare.gov record, who corrects the mistake? Who authorizes the correction? How long does correction take? Is the citizen victim unable to obtain appropriate health care during the time it takes to correct mistakes?

What if Healthcare.gov erroneously declares me “dead”? Does the government then proceed to kill me? Do I get to object?

What if HHS orders my doctor to administer a harmful treatment? What if HHS fails to allow my doctor to administer a helpful, life-saving treatment?

Can a citizen sue to get relief from harm done by HHS? Who pays for the suit and how long does it take to get a hearing in court?

In short, none of the principles in the ACA battle seem to be concerned in the slightest about the real, life-threatening consequences of what the ACA does to real people.

landlines on October 31, 2013 at 11:36 AM