Some of you may find http://grc.com/dos/grcdos.htm very interesting. Sean.
On Sat, 23 Jun 2001, Sean M. Doran wrote:
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
This presses the issue of spoof filtering even harder. Question is, how do we solve all this. One measure could be something I have tried to press since 1996 or so, but I do not know how to implement it and nobody else seems to be interested in it: Unique identification of users. Let's say we can set some kind of nameserver record in the in-addr.arpa zone pointing to some kind of standardised ident server (or ident-equivalent) for a certain IP. This way ISPs could build systems that can provide some kind of unique identifier that could be used for logging accesses from an IP. In retrospect this identifier could be used when reporting issues to an ISP to speed up their work of identifying the physical connection the access was initiated from. Same thing could be used by a NAT or PAT device to provide some kind of tracking as to what internal (hidden) IP was actually doing the access thru the NAT/PAT device. ISPs could then presumably make some kind of system so you could email a certain adress with the unique identifier in the subject or TO: line and this email would be forwarded to the user in question (or to the admin of the site if it's a corporate site). Yes, spam would have to be dealt with, but I'm sure it's doable. This in combination with spoof filtering should make all our work a little easier, right? Any takers? Before I proposed that terminal servers could intercept the standard 113 identd requests sent to a certain IP and answer them itself (since the device presumably has login information about users on its ports) but I got no response to that either, a couple of years back. -- Mikael Abrahamsson email: swmike@swm.pp.se
On Sat, 23 Jun 2001, Mikael Abrahamsson wrote:
On Sat, 23 Jun 2001, Sean M. Doran wrote:
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
This presses the issue of spoof filtering even harder.
Question is, how do we solve all this. One measure could be something I have tried to press since 1996 or so, but I do not know how to implement it and nobody else seems to be interested in it:
Unique identification of users.
Although this is a nice idea, it will fail. The reason is very simple. If you(1) can track me when I hack your machine, you(2) can also track me when I look at your network banners. Users will flock to the ISP that won't let you(3). Cheers, Pi (1) The network operator (2) The doubleclick.net cockroach (3) Either, since nobody can tell in advance whether you're (1) or (2).
On Sat, 23 Jun 2001, Pim van Riezen wrote:
Although this is a nice idea, it will fail. The reason is very simple. If you(1) can track me when I hack your machine, you(2) can also track me when I look at your network banners. Users will flock to the ISP that won't let you(3).
Let's change the unique identifier once a week then. As long as the ISP can use it to identify you, it doesn't have to be the same for eternity. What I'm trying to accomplish here is the same thing as the ISP do by getting the IP and the time, and then looking thru their logs to see who was on. I already know several ISPs that mark port-switch-router.town.ispname.tld, for this same reason. Are you saying this is a better approach when it comes to privacy? I'm trying to solve the accountability issue without compromising privacy. There has got to be SOME way to figure this out, right? I am not the best man to do it, but I figure that the best people on the planet to do this should be on this list, or at least people on this list know the best people. -- Mikael Abrahamsson email: swmike@swm.pp.se
On Sat, 23 Jun 2001, Mikael Abrahamsson wrote:
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
This presses the issue of spoof filtering even harder.
Not really, the attack was unspoofed. It seems the area that needs more work (outside of Windows itself), is educating abuse departments on how to respond when a customer's box is attacking someone and the user is unaware of it. Charles
Question is, how do we solve all this. One measure could be something I have tried to press since 1996 or so, but I do not know how to implement it and nobody else seems to be interested in it:
Unique identification of users.
Let's say we can set some kind of nameserver record in the in-addr.arpa zone pointing to some kind of standardised ident server (or ident-equivalent) for a certain IP. This way ISPs could build systems that can provide some kind of unique identifier that could be used for logging accesses from an IP. In retrospect this identifier could be used when reporting issues to an ISP to speed up their work of identifying the physical connection the access was initiated from. Same thing could be used by a NAT or PAT device to provide some kind of tracking as to what internal (hidden) IP was actually doing the access thru the NAT/PAT device.
ISPs could then presumably make some kind of system so you could email a certain adress with the unique identifier in the subject or TO: line and this email would be forwarded to the user in question (or to the admin of the site if it's a corporate site). Yes, spam would have to be dealt with, but I'm sure it's doable.
This in combination with spoof filtering should make all our work a little easier, right? Any takers?
Before I proposed that terminal servers could intercept the standard 113 identd requests sent to a certain IP and answer them itself (since the device presumably has login information about users on its ports) but I got no response to that either, a couple of years back.
-- Mikael Abrahamsson email: swmike@swm.pp.se
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean M. Doran Sent: June 23, 2001 11:31 AM To: nanog@merit.edu Subject: DDOS anecdotes
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
The rest of NANOG may, as we do, wonder why Mr. Gibson, after almost naming us in that page (he didn't name _us_ directly, but left enough not-so-subtle hints that both us and our users noticed us being mentioned), chose to brush off our offers to help, claiming instead that he just wanted to move on and forget about the whole thing. (I ought to mention that it took at least a week to get a reply from Mr. Gibson) We ended up concluding that Mr. Gibson's main goal is the distribution of large quantities of FUD. It seems, I might add, that Mr. Gibson is particularly successful at this remarkably valuable art. Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
On Sat, 23 Jun 2001, Vivien M. wrote:
We ended up concluding that Mr. Gibson's main goal is the distribution of large quantities of FUD. It seems, I might add, that Mr. Gibson is
That might be so. I got this link approx 8 hours before I saw it on NANOG-l when I was investigating just this kind of thing he's talking about. I got in thru the irc-admin perspective though, saw a couple of clients that seemed to have things in common, sniffed some traffic, found a channel on IRCnet that was dedicated to whatever purpose these 100 or so clients/machines were up to. Talked to the "grand master" who approached me when I and a fellow IRC admin started throwing off his "bots" (he actually called them bots and then changed his mind that they were clients). This is a real problem. It's not FUD. Microsofts choice to include full IP stack capabilities will make the problem worse, but I do not blame their IP stack for this like Mr Gibson does though. So what do we do about it? There are 10th of thousands of "0wned" machines out there. 10.000 machines sending one SYN per second to somewhere constitutes a 6mbit SYN flood that'll make almost any web server get into trouble. 10 SYNs per second and we're really talking traffic here. From spoofed sources because ISPs do not source address filter? Gah. Basically untraceable. I know a few people have been put in jail for these kind of activies. I'd say it's not enough though. We might blame parents, society, whatever, but the question remains: What do we do about it? I saw figures that there are over 9 million homes in the US with "broadband internet access". This is going to 10fold in the next few years, worldwide we might have a couple of 100 million computers "always-on" in a few years. 95% (or more) of them running Microsoft OS, by people who have no idea how to secure it etc. What should we do? -- Mikael Abrahamsson email: swmike@swm.pp.se
This is a real problem. It's not FUD. Microsofts choice to include full IP stack capabilities will make the problem worse, but I do not blame their IP stack for this like Mr Gibson does though.
Oh, it's most certainly a real problem, but I don't agree that the changes in Win XP will really make any difference whatsoever. With some very trivial driver additions, raw sockets can be accessed under any previous version of Windows, just like in XP. That's where the FUD comes in - Gibson, it seems, is just trying to drum up support for whatever his next big project is to magically make your computer safe.
What should we do?
Well, like has already been mentioned, somehow getting people to filter properly could help - we got hit by a (unrelated, we think) spoofed SYN flood a few days back. If that ISP had simply egress filtered their traffic, that person using a single machine (only guessing here) couldn't have sent their 200k/sec of spoofed SYN at us. I'm sure they could have found another way, but it would have made them work a little harder, and this type of person often doesn't want to bother with that extra little bit of work, and would just give up. Tim -- Tim Wilde twilde@dyndns.org Systems Administrator Dynamic DNS Network Services http://www.dyndns.org/
[ On Saturday, June 23, 2001 at 20:04:06 (+0200), Mikael Abrahamsson wrote: ]
Subject: RE: DDOS anecdotes
This is a real problem. It's not FUD. Microsofts choice to include full IP stack capabilities will make the problem worse, but I do not blame their IP stack for this like Mr Gibson does though.
No, their stack's not the root of the problem -- all the rest of their OS is (and of course in particular the security model, or lack thereof). -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
On Sat, Jun 23, 2001 at 01:49:57PM -0400, Vivien M. wrote:
The rest of NANOG may, as we do, wonder why Mr. Gibson, after almost naming us in that page (he didn't name _us_ directly, but left enough not-so-subtle hints that both us and our users noticed us being mentioned), chose to brush off our offers to help, claiming instead that he just wanted to move on and forget about the whole thing. (I ought to mention that it took at least a week to get a reply from Mr. Gibson)
Personally, I found this pretty amusing: "As you can see from the schematic diagram above, the Verio (our ISP) router that supplies our T1 trunks enjoys two massive 100 megabit connections to the Internet. But from there all of the traffic bound for us must be funnelled through our two T1 trunks." But it's not as good as: "were all originated from the same small IP address rane corresponding to the small ISP Genuity, BBN Planet, in Kenosha, Wisconsin - an Earthlink reseller." Clearly, someone has been missing out on the black rocket. --msa
I admit I only made it through half of this guy's page. And barring some of the reactionary speech, I was able to pull some technical content. My question, is this news to anyone? The capabilities of machines will continue to improve, the capabilities of networks will continue to improve [Moore's Law]. (Per my own rule of internet problem solving..) IFF the problem becomes a crisis, massive action will take place (similar to the spam problems in '97) to bring the abuse to a manageable level. This might be egress filtering at aggregation routers. I know most large networks use automated configuration management for their gear, and setting ingress filters from their PPPoE, PPPoA, and dial-up pools that only accept addresses from the likely pool of DHCP addresses wouldn't be too hard and probably a huge first step. I think most attacks (currently) are manageable either in their frequency or their ability to be filtered. IRC servers are an exception, and why many providers will not waste resources hosting small IRC servers. If the problem becomes severe, end-user address filtering will be the biggest single difference. One can draw examples from dialup providers (like MSN) filtering all attempts to connect to port 25 outbound from their dialup pool(s). And the corresponding drop in abuse, not just from them, but as a percentage of the whole. Spamming/attacking will then be left to the world of corporate internet connections and university dorms the way god intended. :) Deepak Jain -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean M. Doran Sent: Saturday, June 23, 2001 11:31 AM To: nanog@merit.edu Subject: DDOS anecdotes Some of you may find http://grc.com/dos/grcdos.htm very interesting. Sean.
What I fear the "easy solution" for the cable modem and ILEC DSL providers (i.e. the only ones who will be left selling DSL after Tauzin and Dingell have their way with Covad and company) is severe suppression of outbound bandwidth. For those who run personal servers on ADSL and cable lines, and who either (a) can't afford SDSL or (b) aren't in DSL range at all, life will be just a little bit harder. -C On Sat, Jun 23, 2001 at 02:49:34PM -0400, Deepak Jain wrote:
I admit I only made it through half of this guy's page. And barring some of the reactionary speech, I was able to pull some technical content.
My question, is this news to anyone?
The capabilities of machines will continue to improve, the capabilities of networks will continue to improve [Moore's Law]. (Per my own rule of internet problem solving..) IFF the problem becomes a crisis, massive action will take place (similar to the spam problems in '97) to bring the abuse to a manageable level. This might be egress filtering at aggregation routers. I know most large networks use automated configuration management for their gear, and setting ingress filters from their PPPoE, PPPoA, and dial-up pools that only accept addresses from the likely pool of DHCP addresses wouldn't be too hard and probably a huge first step.
I think most attacks (currently) are manageable either in their frequency or their ability to be filtered. IRC servers are an exception, and why many providers will not waste resources hosting small IRC servers.
If the problem becomes severe, end-user address filtering will be the biggest single difference. One can draw examples from dialup providers (like MSN) filtering all attempts to connect to port 25 outbound from their dialup pool(s). And the corresponding drop in abuse, not just from them, but as a percentage of the whole.
Spamming/attacking will then be left to the world of corporate internet connections and university dorms the way god intended. :)
Deepak Jain
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean M. Doran Sent: Saturday, June 23, 2001 11:31 AM To: nanog@merit.edu Subject: DDOS anecdotes
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
Sean.
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
It's nice story, but nothing new except XT/2000 options allowing to generate SRC address. But when (at last) it happen: - use WFQ over all custiomer's links (if you have WFQ no such brute attack succeed, it only slow you down but does not block you); - Cisco force all IP fragments to be queued into the single WFQ query and allow filtering of the FRAGMENTS - any big ISP have skilled security person available. When I worked in Russia, it took 10 - 15 minutes to contact your ISP and install such filters; for EUnet, it took 20 minutes; for TELIA, it was the same. For any amertican ISP, it took a week (UUnet was an exception)... - all cable providers will have src address filters, so preventing src address frauding. It was discussed 5 years ago; it was discussed 2 years ago; it's discussed today. When something change? Alexei Roudnev ----- Original Message ----- From: "Sean M. Doran" <smd@clock.org> To: <nanog@merit.edu> Sent: Saturday, June 23, 2001 8:30 AM Subject: DDOS anecdotes
Some of you may find http://grc.com/dos/grcdos.htm very interesting.
Sean.
At a conference in late 1999, UUNet announced that they had anti-spoof filters in place on their dialup ports. Not that that amount to much in contrast to teh amount of spoofed DDOS traffic from cable providers, mind you...IIRC, it's the cable providers that need to put up the anti-spoofing filters the most. -C
- any big ISP have skilled security person available. When I worked in Russia, it took 10 - 15 minutes to contact your ISP and install such filters; for EUnet, it took 20 minutes; for TELIA, it was the same. For any amertican ISP, it took a week (UUnet was an exception)... - all cable providers will have src address filters, so preventing src address frauding.
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
On Sat, 23 Jun 2001, Christopher A. Woodfield wrote:
At a conference in late 1999, UUNet announced that they had anti-spoof filters in place on their dialup ports. Not that that amount to much in contrast to teh amount of spoofed DDOS traffic from cable providers, mind you...IIRC, it's the cable providers that need to put up the anti-spoofing filters the most.
The many ways in which cable providers fail to care about security is mindboggling. One local outfit here dumps customers by the dozens in a broadcast domain on what boils down to a non-switched network, allowing customers to sniff traffic from most of their neighborhood. Few people actually realize that they are sending plaintext passwords to ftp servers and pop3 servers, even those of the cable provider itself. I also have yet to see the first cable ISP that hands out instructions to its customers on how to close down unwanted network services of their Windows machines. People don't see the danger of remaining connected to the same ip-address for days at a stretch on a high bandwidth connection with a Windows machine that has hardly been configured. When they did dialin, this never was a problem; Chances of being hit by a malicious scan _and_ getting compromised by a scriptkiddy during the one hour a day they were actually online were much lower and so was the payoff for the scriptkiddies, since a shitty 28k8 dialup didn't really make much of a diference. Cheers, Pi
On Sun, 24 Jun 2001, Pim van Riezen wrote:
The many ways in which cable providers fail to care about security is mindboggling.
Actually doing something about security would cut into the bottom line, so they don't do it. Incidentally, the idea of handing out instructions on locking down 'puters connected to broadband lines is an excellent idea. Can't speak for anyone else, but I'm going to implement it. -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO - sjsobol@JustThe.net Donate a portion of your monthly ISP bill to your favorite charity or non-profit organization! E-mail me for details.
On Sat, 23 Jun 2001, Steven J. Sobol wrote:
On Sun, 24 Jun 2001, Pim van Riezen wrote:
The many ways in which cable providers fail to care about security is mindboggling.
Actually doing something about security would cut into the bottom line, so they don't do it.
That doesn't look right to me. I should say "actually doing something to educate people about security." It's unlikely that there are no security measures at all in place at the cable providers... -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO - sjsobol@JustThe.net Donate a portion of your monthly ISP bill to your favorite charity or non-profit organization! E-mail me for details.
On Sat, 23 Jun 2001, Steven J. Sobol wrote:
That doesn't look right to me. I should say "actually doing something to educate people about security." It's unlikely that there are no security measures at all in place at the cable providers...
Er, sure they do, I get scanned constantly by @home looking for rogue NNTP servers, I'm just happy they have their priorities straight. todd
That's because they came >< close to being slapped with the UDP last year. And you probably won't see them scan their network for open SMTP relays until Vixie drops all of their blocks into the RBL. @home seems unwilling to do jack and sh*t about customer security unless the alternative is a whacking on the tail with a really big cluebyfour, and only if the aforementioned piece of clue has a nail sticking out the end. -C On Sat, Jun 23, 2001 at 07:34:58PM -0700, Todd Suiter wrote:
On Sat, 23 Jun 2001, Steven J. Sobol wrote:
That doesn't look right to me. I should say "actually doing something to educate people about security." It's unlikely that there are no security measures at all in place at the cable providers...
Er, sure they do, I get scanned constantly by @home looking for rogue NNTP servers, I'm just happy they have their priorities straight.
todd
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
(OT post, but what else is new?)
Date: Sun, 24 Jun 2001 10:05:12 -0400 From: Christopher A. Woodfield <rekoil@semihuman.com>
That's because they came >< close to being slapped with the UDP last year.
And you probably won't see them scan their network for open SMTP relays until Vixie drops all of their blocks into the RBL.
Hmmmm.... would this be the same @Home where a customer spammed us, I reported to @Home, and their abuse address bounced? Not only that, but the "try this address" postmaster box referenced in the bounce _also_ bounced? Yup. Same @Home.
@home seems unwilling to do jack and sh*t about customer security unless the alternative is a whacking on the tail with a really big cluebyfour, and only if the aforementioned piece of clue has a nail sticking out the end.
Eddy --------------------------------------------------------------------------- Brotsman & Dreger, Inc. EverQuick Internet Division Phone: +1 (316) 794-8922 Wichita/(Inter)national Phone: +1 (785) 865-5885 Lawrence --------------------------------------------------------------------------- Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <blacklist@brics.com> To: blacklist@brics.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
On Sun, 24 Jun 2001, E.B. Dreger wrote:
Hmmmm.... would this be the same @Home where a customer spammed us, I reported to @Home, and their abuse address bounced? Not only that, but the "try this address" postmaster box referenced in the bounce _also_ bounced? Yup. Same @Home.
I think it this @Home we're all referring to: The original message was received at Sat, 23 Jun 2001 04:23:20 -0700 (PDT) from mx10-sfba.mail.home.com [24.0.95.241] ----- The following addresses had transient non-fatal errors ----- sysadm@pita.svr.home.net (expanded from: <postmaster@home.com>) ----- Transcript of session follows ----- ... while talking to junk.mail.home.com.:
RCPT To:<sysadm@pita.svr.home.net> <<< 451 4.0.0 Can't create transcript file ./xff5O03gw27036: No space left on device sysadm@pita.svr.home.net... Deferred: 451 4.0.0 Can't create transcript file ./xff5O03gw27036: No space left on device Warning: message still undelivered after 12 hours Will keep trying until message is 5 days old
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Sun, 24 Jun 2001, E.B. Dreger wrote:
And you probably won't see them scan their network for open SMTP relays until Vixie drops all of their blocks into the RBL.
Hmmmm.... would this be the same @Home where a customer spammed us, I reported to @Home, and their abuse address bounced? Not only that, but the "try this address" postmaster box referenced in the bounce _also_ bounced? Yup. Same @Home.
Don't get me started. I found out the hard way why it's damned near impossible to get in touch with the @Home NOC to report security issues... They have had so many people reporting spam as DoS that they just automatically assume the reporter doesn't know what he's talking about and the caller gets shunted to support. Of course, if they'd deal with spam issues, they might actually not have that problem. -- JustThe.net LLC - Steve "Web Dude" Sobol, CTO - sjsobol@JustThe.net Donate a portion of your monthly ISP bill to your favorite charity or non-profit organization! E-mail me for details.
Yes. But 99% of the cable/provbider customers are residential ones, and so are not multy-home, so simple _SRC filtering by default_ implemented by the hw vendor can help. And notice, thet this _cable residential users_ are most affected to the hackers because they areusially non-skilled and non-professionals, and so it's very important to prevent hackers from abusing them at least as a source for the DDOS attacks. (and for me the weakness of this customers looks like a great danger - they really are very affected to be broken and abused, and (on the other hand) they make a bridge to the more serious hacking because they have some passwords/logins on their home sites). ----- Original Message ----- From: "Christopher A. Woodfield" <rekoil@semihuman.com> To: "Alexei Roudnev" <alex@relcom.EU.net> Cc: <nanog@merit.edu>; "Sean M. Doran" <smd@clock.org> Sent: Saturday, June 23, 2001 5:56 PM Subject: Re: Few questions to the american ISPs [Re: DDOS anecdotes]
At a conference in late 1999, UUNet announced that they had anti-spoof filters in place on their dialup ports. Not that that amount to much in contrast to teh amount of spoofed DDOS traffic from cable providers, mind you...IIRC, it's the cable providers that need to put up the anti-spoofing filters the most.
-C
- any big ISP have skilled security person available. When I worked in Russia, it took 10 - 15 minutes to contact your ISP and install such filters; for EUnet, it took 20 minutes; for TELIA, it was the same. For any amertican ISP, it took a week (UUnet was an exception)... - all cable providers will have src address filters, so preventing src address frauding.
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
At 21:39 23/06/01, Alexei Roudnev wrote:
Yes.
But 99% of the cable/provbider customers are residential ones, and so are not multy-home, so simple _SRC filtering by default_ implemented by the hw vendor can help.
It doesn't prevent DDOS attacks that use legitimate source IP addresses, such as the GRC case outlines. I'll note that the cisco uBR-72xx is by far the most commonly deployed DOCSIS cable router these days. It has an RPF check that works just fine. That check is enabled in deployed systems, by at least the leading cable ISP, or so I'm told reliably.
And notice, thet this _cable residential users_ are most affected to the hackers because they areusially non-skilled and non-professionals, and so it's very important to prevent hackers from abusing them at least as a source for the DDOS attacks.
When a cable ISP tries to filter out common attacks, folks verbally and in print flame the cable ISP for putting in such filters. Watched that one several times now. Ran
At 20:56 23/06/01, Christopher A. Woodfield wrote:
At a conference in late 1999, UUNet announced that they had anti-spoof filters in place on their dialup ports. Not that that amount to much in contrast to teh amount of spoofed DDOS traffic from cable providers, mind you...IIRC, it's the cable providers that need to put up the anti-spoofing filters the most.
Mistakes happen in any network, because people are human. That noted, the two major Cable ISPs *do* regularly put in anti-spoofing filters on their access routers. Anti-spoofing filters wouldn't have helped with the GRC DDOS situation though, since the addresses used by the attacking systems were *valid* in that case -- according to the GRC web site. Ran
participants (15)
-
Alexei Roudnev -
Charles Sprickman -
Christopher A. Woodfield -
Deepak Jain -
E.B. Dreger -
Majdi S. Abbas -
Mikael Abrahamsson -
Pim van Riezen -
RJ Atkinson -
smd@clock.org -
Steven J. Sobol -
Tim Wilde -
Todd Suiter -
Vivien M. -
woods@weird.com