Slashdot Mirror
Techie Story On TCP Stacks
a9db0 writes: "Ars Technica is running an article on TCP stack research done by Stefan Savage at the University of Washington. Stefan presented one interesting tool and a couple of ingenious hacks. The tool measures response time more accurately between nodes without additional software on the server. The hacks are TCP modifications, one of which could help defeat DDoS attacks.
"
Did you even read the article? and if you did? have you any clue about TCP/IP? This guy just pulled a neat trick with TCP, no need for ICMP, do you know how many sites are blocking their a lot of ICMP traffics these days? Your statement above makes no sense. If you don't have something useful to say, don't talk.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
What about privacy?
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
I did like the graph of how a flood of TCP packets shows up at the same time, essentally dumping all 60Mb of IE across a fat pipe all at once. That works when you are only a few hops away from the server (UoW to Redmond, line of sight), but it falls apart if you have 18-20 routers inbetween with widly fluctuating available bandwidth.
The problem is this can be turned into a very effective DoS tool. By using OptAck you can get the server to flood the outgoing pipe.
The Economics of Website Security
Yes, sorry. I found a powerpoint file from one of Kung's lectures on the web, and he uses this as an example. It is not stated whether or not this is congruent with reality - so I took it for truth without further evidence.
Sorry.
actually, no. DSL is the same price as cable out here, it's just that the phone company can't (won't) deploy to my neighborhood. As a result, I'm left with no choice but oversubscribed cable. It costs the same, but I'm getting less for my money. I'm NOT happy.
Heh. Anyone here noticed the feedback loop we've all fallen into? People dislike things that Slashdot is doing, so they begin trashing it with 'trolls' and the like. This causes Slashdot to being implementing rather fascist techniques to attempt to cut down on the trolls. This causes more people to get fed up with things that Slashdot is doing, causing more people to behave in an immature manner. This causes Slashdot and the high-karma gang to implement MORE draconian measures to try to prevent the "growing spread of corruption". This causes MORE people to become offended, some rightfully so [any legal system will eventually hit someone innocent], causing MORE fed-up people to start behaving childishly. And noone's going to stop, because after all, "Hey, I didn't start it!" What are we to do?
-Hentai [in vita non pacem est]
I'm a moderator for the third time in a month. This sucks!
... well, what can one do ...
Well, you could always moderate another thread you don't care about to burn your points up, and so your posting doesn't take away your moderations.
That's what I do, I look for a Katz article and moderate it. And since I'm so unbiased about Jon
Will in Seattle
Well, duh.
Because this researcher is telling you exactly what he is doing, so you can implement it in a compatible way, while MS is not telling how to build a modified Kerberos that is compatible with their scheme.
You could just add detectors for stuff like this to your network, and start deprioritizing packets from offenders. It's not exactly trivial, but it's possible.
TCP certainly isn't perfect, but it's pretty good job at using bandwidth efficiently and fairly
even when the link gets congested.
If everyone starts breaking the rules it won't really work for anyone.
Taking the highway system example, people can get away with driving 160km/h, and if there's not much traffic it's reasonably safe too. But everyone doing it at the same time and you start getting _BIG_ problems.
it's in the article? whoops. I had heard about the guy before hence why i posted the links. I didn't check which links the article supplied, sorry.
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Basically roughly every 20,000 packets, a router chooses a packet at random and sends an ICMP traceback message to the packet's destination listing the router's address and the previous and next hop that the data packet took. At the receiver, if you're being seriously flooded, you start monitoring the traceback packets and when you get enough you can piece together the paths back to the attackers.
It won't stop the attack itself, but will at least help in discovering the cracked hosts being used to launch the attack.
-Fzz
Let's not forget that Microsoft BROKE Kerberos. This guy is proposing a change that allows existing TCP to continue working, unaffected.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
outgoing packets: it did not depend upon seeing the ack packets. This
kind of traffic analysis of this kind was made necessary by the MBONE
multicast protocol, which was built on top of UDP (which does not do
the same kind of binary backoff that TCP does): if there are widely
deployed protocols that do not respect binary backoff, then the
network really would grind to a halt, and so some external method of
`niceness checking' is required.
Cisco make routers that do the necessary tests to spot abuse. It's
worth noting that the consequence of being blacklisted is not having
your service blocked altogether, only that intermediate routers will
have to route around the routers that drop your packets: it will spoil
your performance but not interrupt it. Rememeber that IP makes no
assumptions about packets actually arriving. Yes it can be abused:
but we knew that anyway, and it's much harder to do that than the DDoS
attacks.
Proof? You could ask Cisco I suppose. If you're willing to put up
with less than proof look at all the IETF discussions about the MBONE
protocol. I'll have a look around and see if I find any online articles about testing for backoff.
At least on my system, the maximum TCP window size can be controlled on a per-route basis. You could probably dynamically determine an appropriate max window size from RTT information. The idea is that an optimistic-ACKing client operates on the assumption that the window can grow without limit, so one imposes a relatively large but finite limit on the server side. At some point the client will then ACK data that hasn't been sent, because it's assuming the server has increased the window when it fact it has hit it's limit. That should create a permanent hole in the TCP data stream, causing interesting times for the client machine.
Assumption: any link has a capacity determined by transfer speed and latency. Rough estimate is that the window will naturally settle at about 2x capacity, give or take. Correct or not?
--
OptAck has been around for a while, but any commercial IP stack isn't going to implement it. It can and does break TCP transfers, and lusers will just complain the network is broken.
:-) :-)
I did like the graph of how a flood of TCP packets shows up at the same time, essentally dumping all 60Mb of IE across a fat pipe all at once. That works when you are only a few hops away from the server (UoW to Redmond, line of sight), but it falls apart if you have 18-20 routers inbetween with widly fluctuating available bandwidth.
Time to hack this into the linux net3 stack as a switch during compile time. ENABLE_OPTIM_TCPACK_FLOOD=true and then get some hacked utilities taking advantage of it. Could be good for cable/dsl/OC3 people, but won't do much for poor modem users. A carefully controlled predictive TCP ACK can increase modem connections as well for big transfers. Another fun research project to take up my precious time AAAAUUUUGGGGGHHHHH!!!!
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
#1: Red Herring. We're talking about protocol-level enhancements that make attacks like TCP-based DDoS fundamentally difficult to perform. This is a totally different subject from "making sure all programs on my workstation are free of buffer overflows." It is also true that the types of solutions needed to correctly protect systems are usually fairly intrusive and systemic. As the article says (you did read the whole thing before posting, didn't you?),
#2: University IT departments treat researchers pretty uniformly as "clueless", and assume that their own employees are clueful. The result? Clueful hacker-researchers with well-maintained machines are all locked up behind firewalls and active monitoring unnecessarily, while wide-open boxen sit on the public subnets waiting for j0e h4x0r to set up a DDoS outpost.
Very simple. It's not their job.
...
Researchers are paid to do research. Not system administration.
System administrators are paid to sysadmin. Not to do research.
I am a PhD student at a leading university, and know enough about networking to make some of our systems more secure than they are at present. However, sysadmins are a strange bunch -- they jealously protect their turf; they are NOT going to give root access to a mere 'researcher' like me, so that I can secure their systems for them. (Yeah, since their systems are so insecure, I probably could crack 'em and get root, and then fix it, but why bother? They'd never appreciate the 'help' -- they'd probably kill my user account for 'unauthorized activities' once I told them about it.) Besides, it's just not worth my time to do their job for them.
It's worse than that, though. Public universities just cannot keep up with the IT salaries. When you're paying a history prof with a PhD $40k, it's really hard to convince the regents/deans to fork over > $100k for a truly qualified sysadmin. So universities only pay rock-bottom salaries. This leads to two types of university sysadmins: (1) rock-bottom talent (2) 'temporary' -- they work in academia for reasons OTHER than salary; maybe they like the hours, or NOT being on call on the weekends, or they're working on a degree and want reduced tuition,
In case (1), it's easy to see why university computer systems are so unprotected. In case (2), the sysadmin job is NOT the person's primary focus in life, so some things (like keeping current on bugs/security fixes/best practices) fall through the cracks, no matter how talented the person is.
The answer? Fire some profs and use the money to hire a GOOD sysadmin at a salary that'll keep him around (e.g. near $100k), instead of jumping ship in six months when he gets an offer that doubles or triples his measly current salary of $30k.
And if you think there's a university out there willing to do that, I've got a bridge in Brooklyn for ya.
Have you read the IPv6 spec at all? It has allowances for tracebacks. Now I don't know if they're any good, but they exist.
"Widget choice makes me horny." -
The Web100 Project is working on putting automatic TCP tuning into the stack. This will allow a TCP connection to use all of the available bandwidth, without breaking any of the internal algorithms or stomping on other connections. It is already possible to tune most TCP implementations by measuring the bandwidth*delay product and tweaking the socket buffer size; the NLANR TCP Tuning page has instructions.
This turns out to be one of several new attacks made possible by by really knowing how to hack your TCP setup
"It is a greater offense to steal men's labor, than their clothes"
I really like the fact that research is publicized
on such a popular site as Slashdot. I think Slashdot is definitely the place where people should be able to consistently find out about new developments in science.
Perhaps Slashdot could run some sort of a sweep/review of the latest hot papers in particular research areas or published on recent conferences and post the summaries, impressions and links.
This is already being done for books and all kinds of miscellanous topics (think Quickies).
Occasional discoveries in CS, Physics and Chemistry are also sometimes publicized. How does the selection process work? Why does some research find its way to Slashdot and tons of other, no less exciting, research does not?
What have YOU done for advancement of humanity?
I think the individual user is still anonymous under this scheme, but I ain't no expert.
Stop by my site where I write about ERP systems & more
Lovely how the "Lameness Filter" (COPYRIGHT 2000 Slashdot Thought Police. All rights reserved.) didn't catch this but refuses to let me post the following:
"If I Ever Meet The Inventor Of RSH I Will KICK HIS ASS!"
Moderation is a failure.
Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
You are making all of this up.
Colleges and universities are never going to be convinced to pay what is necessary for a good sysadmin. This is the way my the CS department at my college (a fairly major engineering/science school) dealt with this problem for their network and unix shop.
The CS department would hire a clueful sysadmin who was just out of college and did not have an impressive enough resume to get a full sysadmin job elsewhere, but had personal experience. They would place the SA underneath the professor who was a cluefull researcher in the area of networking and operating systems. My college also maintained a staff of part time student sysadmins who performed tasks for the lead sysadmin, and could help a new lead grow accustomed to the environment. Some of these students stayed over the summer to research and to do admin tasks that couldn't be done during the school year, and this is when the new lead was trained.
After a couple years, the lead would get a new job for twice what he was making for my college, and we would start looking for a new lead. This worked quite well for everyone involved, and the college didn't need to be convinced to pay real money.
Yes, but it would also cause aborted connections if the client happened to have two ACKs on the net at once, and they arrived out of order.
If you can find most of the intermediary machines used as launch points, of which the assumption is there will be a lot, you can hope that at least one of them will have logs and/or tracks which the cracker forgot to wipe or missed wiping. Sure, most of 'em may be duds, but it may only take one good, unaltered log out of a couple of hundred machines to trace the attack back much closer to the source.
- #3 - Insiders vs. Firewalls - Attacks by students. Firewalls are usually designed to keep unauthorised outsiders out. But universities have lots of bright kids with time and computer resources on their hands, who know a lot more about computers than they did in junior high school, know a lot more people who know a lot more about computers, and have a lot more computing resources than when they were using their Mom's AOL account and 486 Win3.1 box. One of the standard computer security problems is "How do you know you're talking to the server you think you're talking to and not to some grad student at Berkeley?" Well, if you're the sysadmin at Berkeley, that's a tough question
:-) It's harder than the corporate "disgruntled employee" situation, except that most of your security problem students aren't malicious - they're just more creative than you are....
- #4 - Newbies with lots of bandwidth - Most college students aren't experienced computer security experts - they're English Majors, and Chemical Engineers, and MBA-seekers, and pre-law or pre-meds, and Freshman CS Students who aren't all experienced yet, and most of them are running Windows versions that are fundamentally insecure even when administered well. And all these attractive targets are in one place with lots more bandwidth than dialup users and relatively stable IP addresses - so if you crack one of them, you can use it to search for more targets, and it's a lot easier on a campus LAN than in a dialup network. Once you've got your suckers, they can output a lot more bandwidth than AOL newbies you've suckered with a new game program like "Attack On Troy", though networked games are a fun attack at colleges as well - especially high-pressure high-tech schools where students do their recreation intensely as well.
- #5 - Not every school is MIT. Podunk Community College may not have quite the same resources to abuse, but it doesn't have the same level of defenses, either, and it may have more resources than half the small ISPs on the market.
- #6 - Early Adopters of Networked applications - Universities are great places to distribute things like napster://horse_with_no_name.mp3 and IRCfreefone and Quake 6.2: Mass Destruction and CryptoStealthGnuTella and UsenetPornHider and that eXcellent rave-support tool XFinder. Bad Guys don't need to infect everybody - just enough people to reach critical mass.
It's a target-rich environment out there. We've been lucky so far.Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Oh really? What makes you say that, I wonder?
Well Well.. I wonder if IPv6 wouldn't be a better (or alternate) solution. With tools like PING, any kid can just flood a modem with his massive T1. Yet tools like PING and TRACEROUTE are the finest troubleshooting tools there are!
Sting is set apart from other such tools by two characteristics. First, you should note that existing tools, like ping and traceroute rely on ICMP packets, which are increasingly deprioritized or filtered. (Just try pinging www.yahoo.com or www.aol.com if you don't believe this is happening).
enichols [~] oxygen >ping www.yahoo.com
PING www9.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from www9.yahoo.com (204.71.200.74): seq=0 ttl=243 time=82.7 ms.
64 bytes from www9.yahoo.com (204.71.200.74): seq=1 ttl=243 time=82.4 ms.
64 bytes from www9.yahoo.com (204.71.200.74): seq=2 ttl=243 time=77.7 ms.
64 bytes from www9.yahoo.com (204.71.200.74): seq=3 ttl=243 time=76.6 ms.
64 bytes from www9.yahoo.com (204.71.200.74): seq=4 ttl=243 time=77.6 ms.
64 bytes from www9.yahoo.com (204.71.200.74): seq=5 ttl=243 time=80.6 ms.
^C
---- www9.yahoo.com (204.71.200.74) PING Statistics ----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms) min/avg/max = 76.6/79.6/82.7 (std = 2.42)
//Phizzy
"Most European technology just isn't worth our stealing," -- Former CIA chief James Woolsey, referring to Echelon
tcd004
Here's my Microsoft parody , where's yours?
This leads me to the conclusion that the lameness filter is either designed only to let the non-lame (i.e the 31337) through, or it is a spelling mistake (which should have said "Lameass Filter"). Either way Taco, your "lameness" heuristic is pretty poor and I suggest you remove it from Slashcode.
The lameness filter is just supressing free speech, and will drive more people to using 1337speak when they want to troll. Is improving the signal to noise ratio really a fair price to pay for the recent spate of censorship that has taken place on Slashdot (e.g. Taco's "Bitchslapping" technique (the thing responsible for the abolition of Slashdot-Terminal, but which has also caught some innocent users in the crossfire, such as people who dared to moderate Signal 11 down) and the lameness filter.)
Don't get me wrong, I still love Slashdot, but it just isn't the same as it used to be.
Please note: I am only posting AC because I don't want to get on the wrong side of a "bitchslapping". It is now too dangerous to express one's opinion on this site as a logged-in user.
If I was running a large site and I were concerned about people running 'predictive acknowledgers', could I not modify my stack to send packets of varied size? I could just modify the last bit or two of the packet size semi-randomly. The bogus ACK would be ignored, the luser using such a technique wouldn't get his download and would eventually play fair.
Also, if I tell the server to dump my 2Meg download into 1 packet, what happens when my wife picks up the phone and interrupts transmission? Will the whole 2Meg need to be resent? IOW, is this technique only useful on extremely reliable connections (which are VERY rare)?
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
A user connects. Server uses sting to determine network characteristics. If the user is ACKing faster than what is reasonably possible start decreasing the window size. That'll teach them to try to cheat!! Bwhahaha...
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Why is this a nifty solution, but when Microsoft hacked the Kerberos thingee a little to make it work with Active Directory, everyone freaked out?
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu
[o]_O
ok, so when are these hacks going to be incorporated into download accellerator? :)
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
It is this set of victim machines which launches the final attack.
:)
I personally doubt that there is any defence against a propperly executed DDOS attack.
Stefan is not proposing a way to catch the perpetrator, but to locate the computers that are performing the DDoS attack.
As in the article simply put...
The basic idea behind the approach Stefan outlined is for each router that forwards a packet to mark it with information that will allow the recipient of the packet to trace it to it's source.
This is over simplified but in the article he explains a way to mark packets, in a kinda random way, in such a manner as to be able to trace the source and then taking the proper action. Temporarly shutting down the deliquent computer's internet connection.
This would not prevent the DDoS attack but it would speed up the process of shutting it down by removing the human factor in tracing the attacks.
Because there is no difference between a propper DDOS and "The SlashDot Effect."
Yes there is! A DDoS attack is a larg number of computers sending/requesting Massive amounts of information. The "Slashdot Effect" is Massive amounts of computers sending/requesiting moderate amounts of information. Except for large downloads then they are requesting Massive amounts of information, i.e. when netscape pre-6 was announced
If at first you don't succeed, skydiving is not for you.
Ok several questions about the method for identifying the DDOS user.
First the method employed is to XOR the addresses of the first and second routers on an edge. Now it is clear that you can trace back IF you are sure what the IP of the secondary router is. However given that the data can follow multiple paths how are you ever certain what this IP is. Secondly as it is a probablisitic process the second IP of the router may be one of many. Is this solved because the IP's of routers along the path are very sparse?
Secondly what prevents a DDos attack from faking this field. Make it look like the attack came through another nearby router.
Thirdly as most DDOS bounce pings off of remote boxes this doesn't let you catch the perpratrtor only identify what boxes are pinging you (these boxes most likely not being aware they are used in a DDOS attack won't be using these methods) thus as this method doesn't allow you to block the DOS attack (most of the packets will be encoded only with routers close to the destination and you don't want to cut off all trafic) what good is it?
If you liked this thought maybe you would find my blog nice too:
the `niceness' constraints in TCP: actually the strategy suggested
will get you blacklisted on quite a few routers, which means it will
simply drop all packets originating from your IP address. The routers
use standard traffic profiling tools to spot just the kind of tricks
Janotti describes.
To plug some work done in my department, Azer Bestavros has done
some nice work on network
profiling : the idea I liked most was a way to make the TCP binary
backoff work better by grouping together similar packets: this can be
done entirely end-to-end, and really gets big improvements in overall
performance. See in particular the paper `QoS Controllers for the Internet'.
Congestion control was developed in response to a congestion *crisis* in the late 1980s. Proper congestion control is a requirement for the Internet to function. The LACK of congestion control is common streaming and multicast protocols is a commonly cited major hurdle for the deployment of multicast applications on the Internet.
It's been a nightmare scenario for awhile now that Microsoft (they of the "transient failure" RST packet) would unscrupulously try to gain a competitive advantage by manipulating congestion control. By "breaking the rules" they could make a faster stack. Another scary thought is that silly "Internet Accelerator" products could actually sell REAL accelerators, that provide horsepower boosts at the expense of the entire network.
What you DON'T want to see happen is for Linux to gain "turbocharging" via congestion-ignorance. What that does is set up an arms race between Linux and every other stack vendor, and particularly Microsoft. That arms race could easily lead to congestion collapse and yet another Internet scaleability crisis.
What Stefan Savage is describing are VULNERABILITIES in common TCP/IP stacks. They need to be fixed, and programs that take advantage of them need to be considered in the same light as programs that get rid of pesky security measures on remote computers --- as exploits.
Just chiming in here, because I think it's odd that people here are paying more attention to the clever backtracking hack Savage came up with and less attention to the important, new security vulnerabilities he has documented.
I'm actually on CS staff, and a great thing it is. And yes, the sysadmin turnover is still what it was (I assume you're a graduate).
Small world, I guess.
--Nate Eldredge, nate@cs.hmc.edu
There is one other method of encoding data, which would allow for more data throughput. The one I am thinking of is to make a subtle modification to a TCP/IP stack, so that it must send all IP packets twice for which it wishes to encapsulate data within. The first packet sent would have a sequence number which is made to look wrong, and the second packet would have the correct sequence number. The receiving host could have a similar modification made so that it recognizes when there is data to be found buried in the payload of the (seemingly) error ridden packet.
With this method, you could potentially encode a larger percentage of covert data per byte of legitimate data sent.
Just so you know, if everybody turned off the TCP bandwidth control mechanisms today, the Internet would go into meltdown. That's right: it would not work. Tragedy of the Commons.
Thank you for your time.
Most cable modems have QOS/traffic shaping built-in, so I don't think this will do much for you. It might help with ping rates, but not bandwidth. (Stomp all over me if I'm wrong!)
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
No. You are way wrong on number two. Our central systems where I work are much, much more secure than most people think. There is a full time person who does nothing but work on security things.
And, we dont packet filter here. We run nfr, yeah.. but the only time we packet filter is when a research group asks for full control of a machine, or in other words, they want us to lose responsibilty of that machines actions.
Then we firewall their machines.
It isn't 'clueless', its about where the 'blame' goes when one gets cracked and sits for weeks unnoticed. If it was to happen to the paid sysadmins, I would fire them on the spot if it were obvious there was a crack.
Hrm.
-- dieman - Scott Dier
In summary, in a noisy or bandwidth limited environment, playing games with the ACKs probably won't buy you much, and if you congest the pipe to the point where the routers start discarding packets, you're arbitrarily large download is likely to take more, not less, time.
"Freedom means freedom for everybody" -- Dick Cheney
Would the slashdot of old prefix the story with "techie"? I guess most people who read slashdot are not longer techies.
I ask this question in all seriousness. oh well.
Phillip
Now I know what my next nonprofit time-wasting project will be! The prospect of even greater download speeds with a cable modem is just too great to pass up.
Yeah. Damn those jerks for actually believing they'll get the high bandwidth they payed the cable company for. :P
How is it that downloading something is "abuse"? I'm paying for 1.5Mbit DSL, if I'm paying for it, I'm gonna max it.
I know cable users are on one big segment, and that's why I'm paying a bit more for DSL, I'm more likely to get the bandwidth I'm rated for.
You get what you pay for.
WWJD? JWRTFM!!!
The place where he's addressing the DDOS attacks is at the end of the article. He's not actually stopping the attacks, he's just allowing the victim to analyze the flooding packets and find out where they're coming from. I guess that by analyzing the traffic more quickly (encoding route information in the TCP header) the good guys should be able to black hole the bad guys sooner, thus shutting down the attack.
Oh, go on, check out my job.
A DDOS attack involves two layers of victims. The obvious victim is the recipient of the attack. But before the attack can be launched several (hundred) intermediate systems must be penetrated and exploited. It is this set of victim machines which launches the final attack.
The procedure proposed by Stephen is quite clever and could be used to trace the attack back to the first layer of victims. But that is where it would end. The procedure requires hundreds of packets to make its trace. But the attacking machine is only listening for a single packet - whose IP can be spoofed - for the command to launch the attack. So the perpetrator remains safe behind his proxy army until he starts bragging on irc.
I personally doubt that there is any defence against a propperly executed DDOS attack. Why? Because there is no difference between a propper DDOS and "The SlashDot Effect."
Forget the ICMP packets. Want to take down a web site? Flood it with web page requests. You now have nothing to filter on and the legitimate users are crowded out.
He's looking for an academic job, and some of his papers (Especially the project team that created the SPIN kernel stuff) are quite impressive.
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty