Slashdot Mirror


MIT Warns of Critical Vulnerabilities in Kerberos 5

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."

100 comments

  1. What? by Saturn+SL1-WNY · · Score: 5, Funny

    What doesn't cause a DoS attack nowadays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.

    1. Re:What? by rjelks · · Score: 1

      I read the headline and the X-men came to mind. Wasn't Kerberos the machine that Dr. Xavier used in that big, round room? /nevermind

    2. Re:What? by bigman8 · · Score: 1

      So . . . I guess that you couldn't DoS DOS? Interesting thesis . . . I think I'll write a research paper on the subject. Could you DDoS DOS? DoS DDOOSS? DDoS DDOS? So, how much wood could a woodchuck chuck . . .

    3. Re:What? by Anonymous Coward · · Score: 0
      I read the headline and the X-men came to mind. Wasn't Kerberos the machine that Dr. Xavier used in that big, round room? /nevermind


      Kerberos is the three-headed dog from Greek Mythology. Cerebro is the machine used by the X-men mentor.
    4. Re:What? by FuzzyBad-Mofo · · Score: 1

      What about the Department of State? Could you DOS DOS if they ran DOS?

    5. Re:What? by DarkOx · · Score: 1

      You could not DOS DOS right out of the box. You could only DOS DOS if someone had installed add-on software. Where there is no network support there is no DOS attack.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. This is old news. by Anonymous Coward · · Score: 3, Informative
    Mandrake already has security updates for the vulnerabilities. That article is from Aug 31st... It's now September 4th.

    Oh well, guess we had a lot of news going on the past few days...

    1. Re:This is old news. by dr_dank · · Score: 3, Funny

      Oh well, guess we had a lot of news going on the past few days...

      Slashdot is still in an uproar over the revelation of the Ewok movies coming to DVD. What did you expect?

      --
      Where does the school board find them and why do they keep sending them to ME?
    2. Re:This is old news. by Anonymous Coward · · Score: 0

      Yep, it's old. But it's amazing how long it took for Slashdot to carry this story. If this had been a Windows flaw it would've been on Slashdot immediately and the intro to the story would've been filled with anti-MS snide remarks followed by a thread with much anti-MS chortling.

  3. vulnerability in the implementation by BigHungryJoe · · Score: 5, Informative

    These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.

    1. Re:vulnerability in the implementation by Anonymous Coward · · Score: 2, Interesting

      For example, the Microsoft implementation is not affected. (MS was maligned by certain Open Sourcers for rolling their own rather than reusing MIT -- apart from the issue of Windows using different network credentials than UNIX.)

    2. Re:vulnerability in the implementation by k98sven · · Score: 3, Informative

      Yes. Although MIT kerberos is the most used one. (on *ix platforms.)

      Another one is Heimdal.

      And of course, the Microsoft-tweaked Windows 2000 Kerberos.

    3. Re:vulnerability in the implementation by dpilot · · Score: 2, Interesting

      Does anyone know if Heimdal is affected?

      I've been fooling with the whole Kerberos/SASL/LDAP thing, and for the moment that means using Heimdal, because MIT isn't thread-safe. I guess newer SASL can have thread-safe locks wrapped around the Kerberos calls, but I've already got Heimdal installed.

      Heimdal can also store its keys in LDAP, kind of a Worm Ouroboros. In ways it seems a little frightening, because another program has the keys to your keys, but I've seen others state that this opens up good capabilities. I need to read more. I need more time.

      --
      The living have better things to do than to continue hating the dead.
    4. Re:vulnerability in the implementation by jrockway · · Score: 1

      I wonder if Bluestem is affected. It uses Kerberos as the backend.

      It is internal to the UofI, so maybe nobody has really looked for vulnerabilities.

      --
      My other car is first.
    5. Re:vulnerability in the implementation by killjoe · · Score: 1

      Chances are the MS team found the bug and fixed it. Of course they never contributed their code back but then again the MIT license does not force them to.

      --
      evil is as evil does
  4. Can anyone explain how ez this exploit really is by Anonymous Coward · · Score: 1, Insightful

    "...it is trivial to construct a corrupt encoding
    which will trigger the infinite loop...

  5. How about in 2K and XP by newandyh-r · · Score: 3, Interesting

    Microsoft's directory service has "embraced and extended" Kerberos ... does it also have this vulnerability?

    1. Re:How about in 2K and XP by DaHat · · Score: 2, Funny

      Nay, the windows version is a clean room implementation from the original standard instead of duplicated code.

    2. Re:How about in 2K and XP by Anonymous Coward · · Score: 2, Informative

      Microsoft made a point of only hiring engineers who had not "tainted" themselves by looking at the MIT reference implementation.

      Same with their TCP/IP code.

    3. Re:How about in 2K and XP by Anonymous Coward · · Score: 0
      Same with their TCP/IP code.

      Then why are the APIs nearly identical to Berkeley sockets? Quote from their docs:

      "It uses the sockets paradigm that was first popularized by Berkeley Software Distribution (BSD) UNIX."
    4. Re:How about in 2K and XP by Anonymous Coward · · Score: 0

      Copying the interface does not mean they copied the implementation.

    5. Re:How about in 2K and XP by Anonymous Coward · · Score: 0
      I guess we'll never know. Unless you claim to be one of the developers?

      One way to find out is to check the leaked Windows 2000 source. Not that I would do that, though.

  6. Link for those who run mandrake by Anonymous Coward · · Score: 4, Informative
    Here's a link to the security bulletin by mandrake:

    http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088

  7. It's a double free, not easy to exploit by Beryllium+Sphere(tm) · · Score: 4, Insightful

    Has anyone seen exploit code in the wild yet?

    1. Re:It's a double free, not easy to exploit by BetterThanCaesar · · Score: 2, Insightful

      Honest question: Has there ever been an exploit of a double free (or similar) bug? I see how it is a problem (I've segfaulted more than once because of it), but how does one inject and run code using it?

      --
      "Stop failing the Turing test!" -- Dilbert
    2. Re:It's a double free, not easy to exploit by AaronMB · · Score: 5, Informative

      It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit (against CVS).
      -Aaron

    3. Re:It's a double free, not easy to exploit by BetterThanCaesar · · Score: 1

      Interesting read. Thank you for the link.

      --
      "Stop failing the Turing test!" -- Dilbert
    4. Re:It's a double free, not easy to exploit by ca1v1n · · Score: 4, Informative

      OpenSSH's privilege escalation vulnerability was due to a double free bug. Thus, the only root exploit in the default install to ever have been found in OpenBSD was due to a double free. The zlib vulnerability, which affects a whole bunch of programs that link with zlib, was also a double free bug. It's not something that typically gets taught in undergrad CS courses, like buffer overrun, but it's not unheard of for it to be exploited.

    5. Re:It's a double free, not easy to exploit by Anonymous Coward · · Score: 2, Funny

      please check out http://252.angelcities.com
      for a tutorial about doug lea's malloc
      and exploiting the heap.

      later

    6. Re:It's a double free, not easy to exploit by PReDiToR · · Score: 1

      Nice that when I load the page you linked to I get an Alert Box saying the document contains no data, and a firewall alert telling me that an intrusion attempt has been made consisting of

      A computer with the IP address 127.0.0.1 sent information that is characteristic of the HTTP_ActivePerl_Overflow attack.

      I wonder what happens if you're running IE or IIS?

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
  8. VPN 3000 boxes not vulnerable by caluml · · Score: 4, Informative
    The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators.

    Only if they're configured to authenticate against a KDC. From the Cisco advisory:
    Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

    1. Re:VPN 3000 boxes not vulnerable by Anonymous Coward · · Score: 0

      I wish people wouldn't use "impact" as a verb. It just sounds like slang for constipation. (or is it just me?)

  9. Wonder if Windows Kerberos will be affected? by caluml · · Score: 4, Interesting

    It would be interesting if the Windows implementation of Kerberos used in AD was vulnerable too. Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

    1. Re:Wonder if Windows Kerberos will be affected? by GregChant · · Score: 1

      Mac OS X, although disabled by default in the clients, uses Kerberos4 for authentication. Supposedly in OS X.4 it will be more prevalent.

    2. Re:Wonder if Windows Kerberos will be affected? by BetterThanCaesar · · Score: 1

      Microsoft's implementation is supposedly not affected.

      --
      "Stop failing the Turing test!" -- Dilbert
    3. Re:Wonder if Windows Kerberos will be affected? by xacting · · Score: 1

      OS X Panther Server (10.3) ships with the ability to be a KDC, using Krb5 for authentication to a variety of services including OpenDirectory.

    4. Re:Wonder if Windows Kerberos will be affected? by oddityfds · · Score: 4, Informative
      Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
      No. You still need another infrastructure to get single sign on while avoiding having to passwords to remote hosts and to be able to detect MITM attacks. A PKI will get you some of that, but you'd still need to deal with storing private keys somewhere and figure out how to forward credentials.

      Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.

    5. Re:Wonder if Windows Kerberos will be affected? by narmer65 · · Score: 1

      No. SSH provides you with a secure method to log into a particular machine. However, if you have several services (applications, machines, etc) that require authentication it is desirable to have a secure method of not only having one username/password combo but allowing services to authenticate off of that username/password combo. That is where Kerberos comes in.

      In the case of SSH it is quite common that its pam configuration is using Kerberos for authentication.

      Check it out, truly interesting stuff.

    6. Re:Wonder if Windows Kerberos will be affected? by Whip · · Score: 2, Informative

      SSH doesn't do the same thing Kerberos does. Kerberos provides for centralized authentication (ssh doesn't)... just having an authorized_keys file set up on every system you access is NOT the same as centralized authentication. It also provides for a number of other useful features that ssh just can't provide.

      The difference, I suppose, is that they're equivalent in a small/home environment, but much different in an enterprise environment with many users and many hosts. On an enterprise scale, ssh alone just doesn't cut it.

    7. Re:Wonder if Windows Kerberos will be affected? by N7DR · · Score: 2, Insightful
      Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

      PacketCable security (VoIP over cable) is based on Kerberos. (www.packetcable.com). Interestingly, it's version of Kerberos that uses public-key authentication (PKINIT).

      FWIW, the most common KDC used in PacketCable networks (www.ipfonix.com) is not vulnerable, since it uses no MIT code.

      I do wish that the original headline had been more accurate, since it's not a bug in Kerberos that has been found, but a bug in a particular implementation.

    8. Re:Wonder if Windows Kerberos will be affected? by ravenspear · · Score: 2, Informative

      Apart from MIT, and Windows, who uses Kerberos nowadays?

      Quite a few scientific, governmental, and higher education institutions use Kerberos for authentication across thousands of machines.

    9. Re:Wonder if Windows Kerberos will be affected? by dpilot · · Score: 2, Interesting

      Windows Kerberos is a different implementation, so it shouldn't be affected.

      OTOH, as far as I can tell, MIT Kerberos is NOT under the GPL. A little quick searching and I can't really tell what license it is under, except perhaps MIT's own license. In that same look, I didn't see redistribution/modification provisions, so I have no way to know if it's more like GPL or BSD.

      So perhaps Windows Kerberos really IS based on MIT. I just don't know, and don't know how to find out. As for the implementation-dependent security of Windows Kerberos, we just don't know about that, either. Furthermore, without signing some sort of potentially-restrictive NDA, or reverse-engineering the code, it may well be unknowable. So maybe it's more secure, maybe it isn't.

      That's the point about Open Source. We know there's a flaw in the MIT implementation. We also know that there are fixes out, already.

      --
      The living have better things to do than to continue hating the dead.
    10. Re:Wonder if Windows Kerberos will be affected? by julesh · · Score: 2, Informative

      MIT Kerberos is under the MIT license, which is largely similar to the BSD license.

      I believe Windows' implementation was originally based on the MIT code, but I'm not sure.

    11. Re:Wonder if Windows Kerberos will be affected? by killjoe · · Score: 1

      If you are right then MS found the problem and fixed it but didn't give the bugfix back to the community.

      The GPL would have prohibited that.

      --
      evil is as evil does
    12. Re:Wonder if Windows Kerberos will be affected? by Anonymous Coward · · Score: 0

      I doubt that Microsoft "found the problem", they just don't have the problem because they used their own code.

    13. Re:Wonder if Windows Kerberos will be affected? by dpilot · · Score: 1

      You appear to have missed julesh's statement. He has reason to believe that Microsoft started from the MIT code. That leaves 4 possibilities:

      1: Julesh is wrong, and MS did their own Kerberos from the ground-up, in which case the rest is as you say.
      2: MS began with the MIT Kerberos code, but tossed the part where the double-free was, because they had their own tweaks, anyway. Net result, largely the same as (1) above.
      3: MS began with the MIT Kerberos code, but didn't touch the part where the double-free is. In this case, they have the same security exposure.
      4: MS began with the MIT Kerberos code, found and fixed the double-free, but told nobody. This is what killjoe is talking about.

      It's all moot, because most of us will never know. For that matter, I'm not competent to audit code for security, but I'm awfully glad that others are, and publish their results, appropriately.

      --
      The living have better things to do than to continue hating the dead.
    14. Re:Wonder if Windows Kerberos will be affected? by killjoe · · Score: 0, Flamebait

      1) I said "if you are correct". If he was not correct then it goes without saying that my statement is moot.

      2,3,4) The GPL would have prevented that.

      "It's all moot, because most of us will never know"

      The GPL would have prevented that.

      --
      evil is as evil does
    15. Re:Wonder if Windows Kerberos will be affected? by dpilot · · Score: 1

      I wasn't arguing with you. Actually, I was sharing/defending your point.

      --
      The living have better things to do than to continue hating the dead.
  10. 'clean room' by MarcQuadra · · Score: 2, Funny

    Judging by how well Microsoft's kerberos plays with others, I'd say it's less of a 'clean room' implementation and more of a 'bachelor pad' or 'dorm suite' implementation.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    1. Re:'clean room' by SpaceLifeForm · · Score: 1

      Well, MS does have coding standards that they have to follow.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:'clean room' by Anonymous Coward · · Score: 2, Informative

      Have you ever actually worked with MS kerberos? It interoperates with every other implementation that I have tested. Unix realms using a trust or Unix machines in the w2k3 realm can't understand some group authorization data, but that data is in an optional field...it doesn't break them. You can actually map a trusted realm's spn's into windows groups that can then be used for authorization and acl'ing. I never know what you guys are talking about when you slam MS on this one. Kerberos and the CA are two of the coolest things they have done. AND every server product they have is kerberized. When was the last time you saw a Unix distro that came with only kerberized daemons?

      get a clue, loser.

    3. Re:'clean room' by MarcQuadra · · Score: 1

      I just saw an opportunity for a joke.

      But really, at work we had to use some third-party KDC because some of our other third-party boxes wouldn't tie-in with the KDC included with the AD. That's what the admin said, and he was die-hard Microsoft.

      I heard the MS implementation is little-endian, which is not the standard for network communications, too.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  11. Affects Redhat, mandrake, mac OS X sun by goombah99 · · Score: 2, Interesting
    According to cnet, this affects Redhat, mandrake, mac OS X and sun but not Microsoft (who wrote their own implementation). The problem is a Double-free which is when the same memory block is freed twice. Not quite sure how that happens or how it leads to insecurity. But apparently done properly this allows arbitrary user access but is hard to exploit.

    would some one explain what kerberos does and how it works? and how one exploits a double-free?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Affects Redhat, mandrake, mac OS X sun by Dop · · Score: 5, Informative

      The Kerberos Dialogue should help explain a little bit about what Kerberos is. I like it because it shows why certain design decisions were made.

      I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.

    2. Re:Affects Redhat, mandrake, mac OS X sun by camcorder · · Score: 1

      How cnet or anyone else than ms developers know vulnerability does not affect windows OS anyways?

    3. Re:Affects Redhat, mandrake, mac OS X sun by the_proton · · Score: 1

      It'll probably be impossible to exploit on Mac OS X, as the Mac OS X free() calls detect double frees and handle them gracefully.

      That's why you get messages like this in your console log:
      *** malloc[7358]: error for object 0x38b730: Double free
      or this:
      *** malloc[7722]: Deallocation of a pointer not malloced: 0x55a020; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

      - proton

    4. Re:Affects Redhat, mandrake, mac OS X sun by Anonymous Coward · · Score: 0

      How do you know that detecting a double-free (which any modern OS does) prevents the exploit? All of the major Unix based OSes are vulnerable to this flaw. Get over it.
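
How the same block can end up released twice, and how an allocator-side check of the kind mentioned in this thread can notice it, as an added example (constructed code, not from MIT Kerberos and not posted by anyone in this thread). The length-prefixed record, the function names and the tracking allocator are assumptions made for illustration.

```c
/* Added illustration: constructed code, not taken from MIT Kerberos. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16

/* Hypothetical tracking allocator. Released blocks are quarantined (the real
 * free() is deferred to tracker_reset), so a second release of the same
 * pointer can be recognised without ever touching freed memory. */
enum slot_state { UNUSED, LIVE, RELEASED };
struct slot { void *ptr; enum slot_state st; };
static struct slot slots[MAX_TRACKED];
static int double_frees;

static void *tracked_malloc(size_t n) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].st == UNUSED) {
            void *p = malloc(n);
            if (p == NULL) return NULL;
            slots[i].ptr = p;
            slots[i].st = LIVE;
            return p;
        }
    }
    return NULL;                        /* table full */
}

static void tracked_free(void *p) {
    if (p == NULL) return;              /* like free(NULL): a defined no-op */
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].st != UNUSED && slots[i].ptr == p) {
            if (slots[i].st == RELEASED) double_frees++;  /* second release */
            else slots[i].st = RELEASED;
            return;
        }
    }
}

static void tracker_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].st != UNUSED) free(slots[i].ptr);
        slots[i].ptr = NULL;
        slots[i].st = UNUSED;
    }
    double_frees = 0;
}

/* Copies a length-prefixed value (1 length byte, then the data) out of `in`.
 * On a truncated record the helper releases its own buffer. With
 * clear_on_error == 0 it leaves *out pointing at the released block. */
static int read_value(const unsigned char *in, size_t inlen,
                      unsigned char **out, int clear_on_error) {
    if (inlen < 1) return -1;
    size_t want = in[0];
    *out = tracked_malloc(want + 1);
    if (*out == NULL) return -1;
    if (want > inlen - 1) {             /* declared length exceeds the data */
        tracked_free(*out);
        if (clear_on_error) *out = NULL; /* the fix: no stale pointer survives */
        return -1;
    }
    memcpy(*out, in + 1, want);
    (*out)[want] = 0;
    return 0;
}

/* Caller with the usual "release everything on the way out" cleanup. */
static int decode(const unsigned char *in, size_t inlen, int hardened) {
    unsigned char *val = NULL;
    int rc = read_value(in, inlen, &val, hardened);
    /* a real decoder would use val here when rc == 0 */
    tracked_free(val);   /* releases the block again if val is stale */
    return rc;
}

/* Runs one decode and returns how many double frees the tracker saw. */
static int double_frees_for(const unsigned char *in, size_t inlen, int hardened) {
    tracker_reset();
    decode(in, inlen, hardened);
    int n = double_frees;
    tracker_reset();
    return n;
}

/* Constructed sample records. */
static const unsigned char GOOD[] = { 3, 'a', 'b', 'c' };  /* length matches */
static const unsigned char BAD[]  = { 5, 'a', 'b' };       /* claims 5, has 2 */

int main(void) {
    printf("well-formed, original cleanup: %d double free(s)\n",
           double_frees_for(GOOD, sizeof GOOD, 0));
    printf("truncated,   original cleanup: %d double free(s)\n",
           double_frees_for(BAD, sizeof BAD, 0));
    printf("truncated,   pointer cleared:  %d double free(s)\n",
           double_frees_for(BAD, sizeof BAD, 1));
    return 0;
}
```

Only the malformed record reaches the second release, which is why this class of bug tends to survive ordinary testing; clearing the pointer at the point of release makes the caller's cleanup harmless.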

  12. Debian security advisory (Aug 31) by Anonymous Coward · · Score: 1, Informative
  13. Probably the oldest known security hole by hey! · · Score: 2, Funny

    It's long been known that to get around Kerberos, all you have to do is throw him a sop.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Probably the oldest known security hole by kfg · · Score: 1

      Or even simply brute force it, although this approach still requires speed and wisdom to pull it off.

      KFG

  14. Re:Maybe they should..... by inburito · · Score: 3, Insightful

    Umm.. most of the .mit.edu computers are students' own dorm room computers. Mit doesn't care what people do with them unless they start disrupting the network operations.

    It is a pretty good deal with a fixed ip address, your own mit-domain name and a direct hookup without any extra firewalls or nats. I know I like mine. However, smarter than average kids do not necessarily good sys admins make. A hack on an "mit"-computer seems to enjoy questionable prestige especially in asia even though nobody ever hacks the university's computers.. just random people's personal ones. What's so great about defacing some bio-major's laptop..

  15. Other Schools by trip11 · · Score: 1

    Iowa State University also uses kerberos for their entire system and I think several other universities do too if I remember from my searches on how to set up my linux e-mail to work correctly with it. On a related note, does anyone know of a linux e-mail client that actually will use kerberos_v5 authentication well? I've tried setting up fetchmail to do it, but kerberos_v5 isn't compiled in by default and there seems to be some bugs in the code that prevent the compile from working now that MIT has changed a few pieces of the code. Oh and I'm running Mandrake btw. I'd really love to stop using webmail so any suggestions would be great. Thanks

    1. Re:Other Schools by oddityfds · · Score: 1
      On a related note, does anyone know of a linux e-mail client that actually will use kerberos_v5 authentication well?
      When I grew tired of Gnus I switched to Evolution because it was (and still is, AFAIK) the only graphical mailer for X with GSSAPI/Krb5 support and because it's a nice GNOME app. Works well with the Cyrus-IMAPd server.

      The Mail app that comes with MacOS X also has Krb5 support.

  16. Yah, it'll get modded down by Anonymous Coward · · Score: 0

    Because it's wrong. This vulnerability is very hard to exploit and there isn't an exploit in the wild. So what you're saying really isn't relevant to this discussion.

  17. same goes for the XP SP2 writeup by MOMOCROME · · Score: 0, Flamebait

    read the comments, even the +5 buggers make it clear that the writeup and the source article were complete rancid crap, even perhaps outright fabrications!

    the story got posted the way it did simply because it was sensational and slammed microsoft in a super-snotty manner. so hey, my point still stands, whaddya know.

  18. Can you trust the word of a convict? by burnin1965 · · Score: 1

    I suppose it is pointless to argue about whether or not Microsoft borrowed code unless you are prepared to file a law suit that will force Microsoft to show everyone their code. But I would not put much faith into the word of a corporation which has been found guilty of corporate misconduct when it comes to dealing with competitors and customers.

    What I can say though is that after doing some TCP and UDP IP socket programming in Windows and in linux the API, header files, and what not sure seem to be earily similar for Microsofts TCP/IP stack to be a "clean room" implementation from non "tainted" programmers.

    burnin

    1. Re:Can you trust the word of a convict? by PygmySurfer · · Score: 1

      What I can say though is that after doing some TCP and UDP IP socket programming in Windows and in linux the API, header files, and what not sure seem to be earily similar for Microsofts TCP/IP stack to be a "clean room" implementation from non "tainted" programmers.

      The Windows TCP/IP stack has large amounts of BSD code in it. I wouldn't be surprised if the Linux stack had a fair amount as well. Regardless, MS can hardly be found at fault here.

    2. Re:Can you trust the word of a convict? by Anonymous Coward · · Score: 0

      Eerily similar.

    3. Re:Can you trust the word of a convict? by burnin1965 · · Score: 1

      I know the linux TCP/IP stack has a fair amount of BSD code and hence I would also agree that Microsofts implementation has a fair amount of BSD code. This would explain the similarities you may notice when using both implementations. We are in agreement. Perhaps I should have been more blunt, so here it is.

      I doubt that Microsofts TCP/IP implementation is a clean room implementation from non tainted programmers. And I suspect there is a fair amount of BSD code in the Microsoft implementation. This is not to say there is anything wrong with this, however, if anyone tries to tell you how good Microsoft is at ensuring no open source code makes it into their proprietary products you can tell them its likely they are full of something.

      And thus I take the comments concerning whether Microsofts implementation of Kerberos is clean room, non tainted, and free of any open source code which may have security holes as a statement that I would not put much faith in even if it was a statement directly from the halls of Redmond.

      better?

      burnin

    4. Re:Can you trust the word of a convict? by mikefe · · Score: 1

      I read that the Linux people asked the BSD people if they could copy the BSD TCP/IP stack, but the BSD people declined.

      So, the Linux network stack should be different code.

      --
      There: Something at a specific location.
      Their: Owned by someone.
      Please make sure your english compiles.
    5. Re:Can you trust the word of a convict? by Anonymous Coward · · Score: 0

      Why would they have to ask, when the code is freely available without any licensing restrictions?

    6. Re:Can you trust the word of a convict? by mikefe · · Score: 1

      Out of courtesy.

      Even though the letters of the BSD license allows you to use the code without asking, the Linux developers asked to use the BSD networking code (remember, they'd have to relicense it as GPL). The BSD guys said no. There was already network code in linux at the time, so that was improved instead.

      I'm no expert on this, and am only recalling threads I read of others recalling events so I'm probably a bit off on the details.

      Mike

      --
      There: Something at a specific location.
      Their: Owned by someone.
      Please make sure your english compiles.
  19. Did MS steal from MIT? by blackhedd · · Score: 2, Informative

    Having looked at the source code (our product incorporates a KDC and we had to patch it the other day when this story broke), the double-free problem is essentially a regression that crept in a few versions ago.

    Someone at MS commented a few days ago (it was picked up by cnet i think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they did with BSD's TCP stack.

    Has anyone bothered to do behavioral scanning of MS's "Kerberos" to see if it matches up with MIT's?

    1. Re:Did MS steal from MIT? by jrcamp · · Score: 1

      I have seen a Microsoft developer post on the MIT Kerberos dev list before, asking a question about code. Was probably 4 months or so ago. Didn't check the headers, though, just saw the FROM field. Seemed legit to me.

      MIT chose to license it under their license. There's no reason anybody should be pissy at Microsoft if they used free code. Obviously this is what the MIT Kerberos developers wanted, so nobody has a right to bash Microsoft if they did use the code. There are plenty of other reasons to bash them that they deserve.

    2. Re:Did MS steal from MIT? by blackhedd · · Score: 1

      The question being addressed is: "does MS's implementation suffer from the double-free problem?"

      "bashing" - are you referring to my use of the word "stealing"? The MIT license does not require open-sourcing of derivative works but it does require proper attribution.

    3. Re:Did MS steal from MIT? by killjoe · · Score: 1

      Yes but you'd think that they would have at least told the MIT guys about the problem they found and fixed.

      --
      evil is as evil does
    4. Re:Did MS steal from MIT? by Anonymous Coward · · Score: 0

      I doubt that Microsoft "found the problem", they just don't have it because they used their own implementation.

  20. Active Directory? by nurb432 · · Score: 1

    No, I've not read the real articles yet ( they don't seem to load from here ) .. but does this also affect Microsoft's Active Directory?

    --
    ---- Booth was a patriot ----
    1. Re:Active Directory? by Anonymous Coward · · Score: 2, Informative

      Nope. Sorry to disappoint you.

      http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html#yourtake

      "Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said. However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Sun and Red Hat, have announced patches for the problem, but not all have."

  21. Redhat Fedora fixed also by hey · · Score: 1

    go to:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/
    and grab krb*

    Or use yum, up2date, etc.

  22. Re:Maybe they should..... by attam · · Score: 1

    actually MIT cares A LOT what students do with their machines. i can't tell you how many times they threatened to shut down our house network because someone's windows box didn't have all the necessary security updates.

    they are continually monitoring for vulnerable hosts on the MIT (18.*) network. my guess is that you won't see the above-mentioned vulnerabilities persist for long.

  23. Re:Maybe they should..... by inburito · · Score: 1

    Like I said.. "unless they start disrupting the network operations." Windows worms fall under this category.

    In my experience, unless you're running kazaa with a high volume of uploads (some people still don't disable the uploads) or are spreading worms from your computer, they do not care. In either of these cases they generally tend to disable the network drop in your room (works for I/S ran places like most of the dorms, but not fraternities).

    Generic worm patterns are relatively easy to detect but anything more complicated will go unnoticed for sure.. If somebody roots your linux box nothing is going to happen unless that particular box begins to misbehave in disruptive ways.

  24. I guess the Open Source crowd argument... by Anonymous Coward · · Score: 1, Insightful

    ...about "many-eyes" on the source always being more secure is deflated somewhat by this, if, in fact, the MS implementation does NOT have this flaw because they developed their implementation from spec.

    I guess "sharper eyes" are better than "many eyes"...

  25. He's from RIAA/MPAA! by johu · · Score: 1

    What you think would happen if everyone disabled upload and be leech like you? Exactly, there would be no more Kazaa or any other P2P network left. Therefore I'm confident that Inburito is actually RIAA/MPAA employee. Beware!

    1. Re:He's from RIAA/MPAA! by Anonymous Coward · · Score: 0

      The trick is to only upload to places you trust. Kazaa users should generally not be trusted due the sheer number of MPAA/RIAA bots there.

  26. Kerberos 4 by dpilot · · Score: 1

    ISTR that Kerberos 4 is flawed at the protocol level, not just implementation. Does anyone else know about this one?

    --
    The living have better things to do than to continue hating the dead.
  27. Open SSHD issues by mabu · · Score: 0

    About two weeks ago, we had an issue with our SSHD server. I didn't have Kerberos enabled but someone sent a malformed handshake that crashed the ssh server. It turns out the version of OpenSSH we had installed by default had Kerberos enabled. The later versions do not, so if you're using OpenSSH, make sure you're using the latest version.

  28. EVERYBODY has Updates... VERY old news indeed! by rickst29 · · Score: 1
    SUSE, Debian, Fedora, etc. have ALL released updates to fix the two vulnerabilities. And most of the Updates were released more than two days ago.

    In this case, /. missed the train.

  29. Sorry, NOT disappointed by nurb432 · · Score: 1

    Since I have to help support 10,000+ windows machines, I would not look forward to having to patch for such a fundamental flaw...

    --
    ---- Booth was a patriot ----
  30. MIT? Pfft by supmylO · · Score: 1

    Who are these MIT guys anyways and what do they know about anything? Ha!