Wednesday, April 30, 2003


Cryptograms are an interesting activity (hobby?) for some which involves (simple) cryptography at the character substitution level.



Tuesday, April 29, 2003

Anti-ptrace kernel mod

Using this might avoid the condition which allowed me to elevate priveleges in my end-of-semester lab . Compile/use at your own risk.

Proposed DDoS Attack & Defense Taxonomy has a pointer to a proposed taxonomy (a kind of RFC for a subset of the English language, think "a set of terms") to describe distributed denial of service attacks and defenses.

This sort of thing is needed. "To name something is to know it" is a bit old-hat, but has some truth to it. We do it for malicious code (though agreement has yet to be reached in some cases), biological viruses, and war. Why not directed virtual attacks?

Monday, April 28, 2003

Cybercrime cases

TaoSecurity pointed this out. Professor Orin Kerr uses a mailing list to write summaries of cybercrime cases. Even if you don't join the list, some of the cases in the archives are interesting.

Sunday, April 27, 2003

CDC has a blog? has a pointer to CDC's blog.

For anyone not knowing who the Cult of the Dead Cow is, they are the hacker group that brought the world Back Orifice, Camera/Shy, and Peekabooty.

The blog even has a RSS feed for those of us with aggregators.

Saturday, April 26, 2003

YANF (Yet Another New Format)

Here's yet another attempt at coming up with a pleasing format. This one breaks down the various templates into individual PHP chunks and heavily uses the "include" function.

Please let me know how it works/what you think.

Friday, April 25, 2003

Forensics disks

Here's a couple forensics disk distributions: one Linux and one FreeBSD-based:

- Snarl (update: this is a link to a description)
- Fire

Blog peeping

Sean McGrath has a pointer to something called Blogpeeping. Evidently someone has tied GeoURL to RSSAutodiscovery and has animated the output. What you get is an animated map of blog updates.

"Verrrry interrrestink! But schtuuupid." (Not really. How about weird but interesting.)

Don't tease the lion, please!

I don't condone either sides action so please don't construe this as support for either side. This one's prompted by the post over on Geek News Central.

Madonna decided to flog various (illegal) peer-to-peer filesharing networks with MP3's which downloaders thought were songs from her new album. What they actually got was a loop of Madonna saying, "What the fuck do you think you're doing" (or similar).

Remember the saying: "Those who don't learn from history are doomed to repeat it"? A little bit of research has shown that hackers respond to this sort of thing. Tell them they can't (or shouldn't) will usually provoke a response from one of them.

Obviously, that's all it takes as her web site was shortly hacked and actual copies of the songs were made available from her own URL. This one goes on the list, right after the group of major corporations that have claimed their product was completely secure or unhackable.

Madonna, what were you thinking? You made a childish gesture and expected an adult response?

Thursday, April 24, 2003

Wednesday, April 23, 2003

Ouch. Back to the drawing board

I got a good look at this site via an older version of IE this evening (from school). The text in the middle column folds under the left hand column, making it unreadable. I'll be removing the DHTML code from the templates over the next few days and minimizing the use of CSS instructions. Please bear with me.

Web Cache Filtering

Jim O'Halloran's Weblog: SquidGaurd and Dan's Guardian - Web Filtering Software is a post on Jim O'Halloran's blog about a couple filtering programs for the Squid web cache.

I wish him luck if he's going to do this sort of thing. Both are a slippery slope into constantly reconfiguring the filters to keep up with the new porn sites added every day.

I've tried keyword filters but that gets out of hand very quickly. Above a certain number of lines (256-character limit), the cache noticably slows.

We then tried various filtering plug-ins, like Squidguard, but they too slowed service once a certain number of sites were entered.

About the only way we were able to get above 5000 sites was to reconfigure Squid to use a private DNS server (only for the cache, but not on the cache) and set up a poison DNS zone for each porn site domain. We were up to well over 21,000 porn sites before we quit adding them (it was turning into a full time job).

The programs DO work, just not well under heavy loads. And there's always a new porn site that's not on the list. I'll post a howto here in the next few days for anyone that actually cares to read it.

Legislating the use of content filtering, while meaning well, is only going to expose various institutions to litigation. Anyone capable of using Google's extra features can get around filters very easily. Some soccer mom is going to sue a city library because her kid saw someone else's kid viewing porn in the back row of workstations at the library. I wish legislators would realize that a public library is an adult building, similar to a church or courthouse. In those areas, children are supposed to be supervised. A public library is no different.

Tuesday, April 22, 2003

chroot Theory

In December of last year, Linux Magazine published an article about chrooting your binaries. It's a decent howto for anyone concerned with running your binaries as something other than root.

Sunday, April 20, 2003

Upgrade broken!!

For anyone attempting to use my e-mail file server: it's broken. The latest upgrade broke the local input (due to a major change in how the mail server does things). I think it's time to jump to Postfix.

I'll let you know how things go.

3-column format

I've switched to the 3-column format. I had to add tables (for now) as the CSS layout was not setting the right-hand margin correctly when I changed font sizes. The text in the middle column was disappearing under the right-hand column.

Anyways.... Please let me know if there's any further display problems (it looks fine in Galeon, for me).

Saturday, April 19, 2003

OpenFuck / ptrace-kmod exploits

Please bear with me, I retyped this on the fly from memory (the original hardcopy is about 35 miles away) and Google.

Please consider this presentation notes rather than a paper and that this is my first time doing this sort of thing.

I chose the following for my end-of-semester presentation:


  • OpenSSL 0.9.6d and below
  • modprobe race condition in 2.2.x and 2.4.x kernels


  • OpenFuck
  • ptrace-kmod

My project started as an experiment with openssl-uzi, which was discussed in class a few weeks ago. It was only available (at the time) on (

Uzi is not a stack overflow. It's a heap overflow. Stack overflows involve fixed length buffers. Heap overflows involve overflowing dynamically allowcated regions of memory (allocated by a specific application or kernal mod). (See the bottom of this page for the location of a tutorial.)

I downloaded the tool at home and played with it. It comes with a vulnerability scanner which I used here in class. The scanner reported that classroom IP's and 251 are vulnerable.

To determine what versions of which software were being run on the boxes, I used wget with the -S switch (which includes the server header in the return data).


[root@localhost openssl-uzi]# wget -S
=> 'index.html.5'
Connecting to
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Date: Mon, 14 Apr 2003 22:58:23 GMT
3 Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

A slew of good info. Try it yourself.

In doing research for the buffer overflow and the exploit, I discovered an even better (easier) exploit called OpenFuck. Better in that the programmer has figured out the required offsets for you. See the source code for the listing (quite a few more included in OpenFuck than in Uzi). Rob even found OpenFuck V2.

OpenFuck is available at:

According to the source code (most of the way down, look for the banner), OpenFuck is based on openssl-uzi's openssl-too-open exploit code.

OpenFuck was really nice. If you read the source code (or running it with no options), you get a list of Linux Distributions and their associated buffer offsets. Note: not restricted to Linux, FreeBSD is also listed.

So, for, the indicated offset is 0x5f. The syntax for the command is:

./openfuck 0x5f

Example output from the above command:

[root@localhost x]# ./openfuck 0x5f

* OpenFuck v ripped from openssl-too-open *
* If U know more offset please contact us *
* *
* offset by SPABAM added LSD shellcode *
* #highsecure *
* TNX special 2 #uname and #hackarena #SilverLords #isotk #BloodBR *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

Establishing SSL connection
cipher: 0x4078ba2c ciphers: 0x81f4568
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.04$ unset HISTFILE; uname -a; id; echo SPABAM R0X; pwd; w;
Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)

7:18pm up 4 min, 0 users, load average: 0.00, 0.03, 0.00

(Side note: this may not work if the version of OpenSSL that you're using is older than the version you're trying to attack. A good point to research? We had problems running the exploit from various machines in the open lab.)

Note: Using this a lot against the same box tends to cause a DoS as the binary locks up and refuses to answer connection attempts.

Because chroots its Apache binary as the user apache, we get a shell account as that user.

Once, you're in, check who you are via "whoami". Most often, this will report "apache" or "nobody", depending on the configuration of the Apache server.

To get root, we'll need to employ a local exploit. It took a bit of searching around, but for this system, I found ptrace-kmod.c, which exploits a race condition in this version of the kernel. The source code for this portion of the kernel (kmod.c) is written so that it creates threads in an insecure manner. The exploit causes ptrace to fail while tracking cloned processes which allows the exploit to take control over the provileged modprobe binary. Supposedly it works against all unpatched 2.2.x and 2.4.x kernels.

When the binary fails, shellcode is inserted, and a shell is opened. Viola! You don't get a shell prompt, but it still works. (Show "whoami" and "ls").

Source at:


  • Update your patches!
  • OpenSSL is currently at version 0.9.6j for the production code and 0.9.7b for the cutting edge development stuff.
  • There's also an update for the kernel.


  • Update your patches.
  • Check for updates on a daily basis.
  • Chroot your binaries! It won't stop hackers, but it will slow most moderately talented ones and frustrate the script kiddies. Remember, the script kiddies are after the low-hanging fruit (and if I can do this, it's script-kiddie-level).
  • Log everything! Preferably at a remote, inaccessable log server (use a one-way cable, a sniffing log server, hardcode the actual server to be located other than what's listed in /etc/syslog.conf, all of the above?, etc.)
  • Use ipfw, iptables, or similar. This will prevent access to unauthorized ports if you're box does get hacked. Again, it will slow down moderately talented hackers and frustrate the script kiddies.

A good explanation of the OpenSSL heap vulnerability (with colored pictures) is available at:

The heap overflow tutorial available at:

Beware of strangers bearing opinions

Yeah, that applies to me, too. Take what you read with a grain of salt. A lot of it can be opinion.

In an article entitled " Intruder Alerts: Detection or Protection", a "panel of analysts" said that "Intrusion detection systems are dead". Can this be the same panel of experts that said Linux/Windows/Disco balls/roller skating is dead?

I think the quote from Vic Wheatman of the Gartner Group gives a good hint: "People bought it, installed it and turned it down when they had too many alerts."

What can you get from reading between the lines? People bought what they'd thought was a black box cure-all, plugged it in, turned it on and refused to face the fact that IDS requires reconfiguring every time your network config changes.

Intrusion detection systems have their place and funtion in any network. You just have to remember that they have their own shortcomings (and configure around those):

  1. You should install them to watch for attacks on known services on specific boxes. They are of little value in front of high-traffic firewalls as they tend to drop packets when extremely loaded. Also, you can get most of that logging at the firewall.
  2. Commercial IDS's normally come with a ruleset with around 200 entries. When choosing an IDS, be sure you can add your own rules!
  3. They have blind spots. (i.e., they watch for attacks on known services.) They don't watch for the non-standard ports/protocols. Again, make sure you can add your own rules.
  4. Fragmented packets often pass an IDS undetected. To prevent this, have the upstream and downstream routers reassemble or block fragmented packets.
  5. For them to function properly, you need a trained operator. Either train one in-house or hire one.

IDS are intended to be part of Defense in depth. Hackneyed as that buzz-phrase has become, there's still truth in it. Use multiple layers of protections (filtering routers, firewalls, DMZ's, etc.). Use differing operating systems and vendors in multiple layers (only the more talented hackers will be able to get through multiple layers)(and the majority of your problems are the script kiddies after low-hanging fruit).

In addition to all that, remember: "It's not if but when."

Oh! And there's still a market for disco balls (Ask Saddam. It's said that his love nest was straight out of the 70's.) and roller skates (visit Europe or the People Republic of California!).

Friday, April 18, 2003

Hack for watching logs

When I first saw the headline on Meerkat, I thought it was about Microsoft Messenger, which we've seen here recently. It turned out to be a way to print to the bottom of a terminal. Haven't got it to work yet but:

Supposedly you can tail your logs at the bottom of a terminal.

Thursday, April 17, 2003

IRC XDCC paper

Here's a paper on how your compromised box is being used as a file server to host up illegal copies of movies, music, etc.


Sorry about the lack of blog yesterday. Ended up shopping for dinner for the rest of the week and got home late and tired.

Monday, April 14, 2003

IP Spoofing

SecurityFocus has an article explaining the basic theory behind IP Spoofing. It's more of a general overview but does contain some good-to-know definitions.

NO OP (3-Column Layout)

No entry for today other than I'm playing with a 3-column layout. Please let me know if it's any better/worse than the 2-column layout. If all goes well, I'll swap the 3-column into the regular site.

The new layout is based on some CSS resources that Simon Willison had pointed to.

Sunday, April 13, 2003

Pop Quiz Answers

Answers to yesterday's quiz:
  1. Wasn't really a question. Rather, it's more of a suggestion that you familiarize yourself with the people that run your community or place of employment.
  2. Something you are (biometrics), something you have (tokens), something you know (passwords)
  3. Confidentiality, Integrity, Availability
  4. 1) he did not have his ID, was aware of this and did not go get it, 2) he repeatedly attempted to gain entry without it, and 3) he made a public statement when he was refused.

Craig from basically nailed this on (the question about your Vice Mayor didn't really count).

Historically, security managers have always had problems with those people who feel that rank gives them the privelege to be the exception to the rule. These exceptions should not exist. The "priveleged life" is a self-made/self-perpetuating fantasy (actually it's a petty display of power, as in "I'm senior enough that the rules don't apply to me"), and the source of +50% of a security managers problems (insider abuse).

If an organization is set up correctly, the security manager answers only to the #1 person (the person whose signature is at the bottom of the policy statements) in the organization. Once you start allowing exceptions to any policy, it corrupts the overall impression of that policy, and often leads to large scale contempt of that policy.

Mr. Ibarra stated that City Hall was a public building. That's incorrect. City Hall is the building where elected officials and public employees work and expect a secure environment to perform that work in. It may be a common belief that a building is public property but that does not give anyone the automatic "right" of access. The same rules that apply to the person pushing the mop (who actually needs more access to do their job) should apply to the person weilding the pen or gavel (who usually needs access to only 2-4 rooms in the building).

Saturday, April 12, 2003

Ignorable Computing?

Kenneth Hunt has a piece about one of Cringely's articles, talking about how Google ignores failed nodes in their clusters. Seems it's cheaper to ignore them than to repair them.

Cringely's article (at least this one) is entertaining (if you can consider massive waste a form of entertainment). I've seen similar things and can attest that you can make a marginal living collecting/buying, repairing and reselling those throwaway technologies. (You've seen the used bicycle repair shop downtown right?) Google should consider allowing volunteer techs from a local charity to cart them out and Frankenstein them. Heck, it'd probably make a decent tax write-off.

Nowadays, my wife looks at me cross-eyed when I object to her suggestion of getting rid of her old computer when we upgrade. During my teenage years, we kept out POS cars running by scavenging off of same model junkers in the local junk yard. I just know that computer will make a good mail/file server.

Generic Firewall Tips

SearchSecurity runs a weekly piece in which the editors pick five tips of the week (not sure if that URL floats). This week includes "Firewall Best Practices" which lists best practices for configuration and use of a firewall(s).

Another fun part of their site is the daily trivia page.


killHUP has a pointer to a Security Focus article about steganography which contains good basic theory. Nice to see an article that recognizes the difference between steganography (hidden writing) and cryptography (secret writing).

Security Blog Listing at BlogAttic

The new phonebook's here! The new phonebook's here! I'm a real person now! - Steve Martin

BlogAttic has compiled a list of security blogs. Contact 'em if you know of any sites that should be added.

HTML to Postscript or PDF

Could anyone point me in the right direction? I'm looking for a utility to dump modified HTML to paper in a 2 or 3-column format, either via TeX, Postscript, or PDF.

I've got about three years worth of news articles (mostly text) in MySQL tables which I've formatted into a single table (mostly HTML) and have inserted into the submissions queue in PHP-Nuke. I still have the original tables if it helps.

I've found html2ps but appears to be overkill. Anyone know of something better?


My favorite online comics:

No longer in pub: Exploitation Now

Friday, April 11, 2003

Politics vs. Security

This article is not directly related to Information Security but is a classic example of why security often has holes poked in it because it was inconvenient to those who have seniority over the security managers.

The short version is that the former Vice Mayor of Tuscon was stopped from entering the city building (twice, same day, different doors) because of his lack of ID. The guards were just doing their job: "no ID, no entrance". Councilman Ibarra was then critical of them while talking to the local newspaper.

If the Mayor of Tuscon has a head on his shoulders, he'll take the Honorable Mr. Ibarra to task (privately this time) for his actions and publicly commend the City Clerk (in charge), the four security officers and the city maintenance worker.

Pop Quiz:

  1. Anyone else know what your Vice Mayors look like?(1 point)
  2. What are the three things you can choose from to authenticate someone? (1 point each)
  3. What are the three tenets of security? (1 point per answer)
  4. What were Mr. Ibarra's three mistakes (two technical, one policitical)? (1 point each)

Answers tomorrow!

Honeypots & Botnets

Not that I like a lot of the articles out of ZDNetAU (I don't), but this one discusses a subject that admin and security mailing lists have touched on a lot recently. The short version is that the article is a brief explanation of honeypots and botnets.

Thanks to for pointing it out.


In Googling/Feedstering for info for one of the projects, ran across "Layer 3 Switching - Introducing the Router" and "Understanding Routing Protocols" by Michael Norton, part of O'Reilly's Networking as a Second Language column.

No in-depth explanations or theory, but a good starting point if you're just beginning admin or security.

Thursday, April 10, 2003

Opinion: I signed away which child?!?

From the "I-like-MS-as-software-but-MS-marketing/security-really-pisses-me-off" Dept.:

File this one under "How to Profit from a Declining Economy". Seems that Microsoft has discovered a way to profit from the downsizing or divesting of other companies. InfoWorld has an article here. Wanna bet this also applies to the purchase programs where employees are allowed to buy the systems the company has decided to replace? How long before the BSA starts visiting your local yard sale to see if anyone selling their old systems in the driveway?

Read your licensing agreements people!!

Rootkits Paper

iDEFENSE has a paper entitled "An Overview of Unix Rootkits. Might be worth a read (requires registration and a PDF viewer).

Thanks to SecuriTeam for pointing it out.

Wednesday, April 9, 2003

Student's Web Site Hacked by al-Qaida has an article about a college student's website being hacked and terrorist web pages hidden in the normal content.

I disagree with Mr. Flintz's position that it would be near impossible to check all of its customers' web sites. They can either: 1) use a tripwire like program to alert for changes, 2) read their server log files, 3) Parse existing websites for relationship trees (more than one tree means a hidden site!), or 4) make usage logs available to each customer and prompt them to monitor their own traffic.

Upgrade your OpenSSL!

It's time to, once again, upgrade your code. The KEY_ARG overflow in OpenSSL versions 0.9.6d and prior now has a nasty exploit that anyone can use (hey, if I can use it, it's easy). We looked at OpenSSL-Uzi during Tuesday night's security class and all agree that it's something that shouldn't be in script kiddie hands. (What legitimate reason can you have for opening a clear-text shell on a remote machine?)

On the plus side: included in the tar ball is a scanner to determine if (a|your) web server is vulnerable. You should, at least, compile that one and test your servers.

Initial impressions:

  • The exploit is targeted at various OpenSSL versions hosted on various Linux distributions
  • The exploit comes with 22 precalculated offsets for those versions
  • The README file has a basic explanation of how the exploit works.
  • The shell obtained works nicely though it takes some getting "used to" as there are no environment variables attached to the shell. (more doesn't work, vi doesn't work, etc.)
  • The entire session is clear-text so it might be detected/hijacked with the proper tools (something to look at?). (How about a Snort sig?)

Note: Since I wrote this last weekend, I've found a derivative of OpenSSL-Uzi called OpenFuck and a second version of it. Each are based on Uzi's code but include the offsets for a lot more distributions (and not only Linux!)

Anyone have anything to add?

Turning off Windows Messenger

No, not the Instant Messenger, the systems messenger. You know, the one that you UPS uses to notify everyone on the network that there's been a power outage. Or that a spammer has used to offer college diplomas to anyone logging in. Thanks to Flangy News for pointing out this howto.

Tuesday, April 8, 2003

Jim O'Halloran

Jim O'Halloran has an article about the recent hacking activity at his site. It's similar to what has happened at customer and school systems nearby.

Sunday, April 6, 2003

Hold on to your seats, kids!

Well, they've done it. A marketing type has said, "We do view Google more and more as a competitor. We believe that we can provide consumers with a better product and a better user experience."

Note: The rest of this piece is speculative conjecture.

Given that:

  • banner ads have been done (and ended up as not a very profitable measure)
  • pop-overs/unders have been done (and ticked off quite a few)
  • competing search engines have been done (Google was a late-comer but had a better product [and wasn't driven by its marketing department])
  • competing news services have been done (and MSNBC has turned into more of a political vehicle than a better news source)
  • competing game consoles have been done (and XBox reported a loss last year)(Yes, it's a better product. But development is stifled because marketing wants their cut before you're even allowed to code for the darn thing.)
  • Competing content providers has been done (AOL is still #1).
  • Competing Instant Messengers have been done. (All of them tend to be my #1 headache security-wise.)

At the risk of driving my coworkers into seizures by my restating this, MS Office is a very nice product. Ignoring the security problems, there is very little to compare with it. But remember, they were in at the start of that race. Everything else since then (including networking) has failed supplant competitors.

Since Microsoft's marketing practices, of late, appears to view everything as an "income stream" (including Joe Sixpack users)(Can you say "license subscriptions"?), stand by for a LOT of hype following the release of, at best, a fair product.

To compete with Google and it's half-doze or so cousins, MS is going to have to come up with a better product (without infringing on Google's code). About the only way I think they can improve on Google is to use all of those idle processing cycles on the user's desktop. All it would take would be a slight modification of the EULA and MS would have the "right" to use them. That or some really nasty marketing/legal/political actions.

I wonder what they're up to. And how much of a security nightmare it's going to be.

Saturday, April 5, 2003

Friday, April 4, 2003

FreeBSD 4.8 released has released version 4.8 of the operating system. New features include:
  • rudimentary hyperthreading in the kernel
  • a new in-kernel cryptographic framework
  • an IPFilter upgrade
  • and various software and driver (firewire, USB, etc.) upgrades.

I think I'll try installing it on the SRX-77 again since it now supports ACPI (needed for the wireless).

Evil, The Sequel

In Evil I, we witness blog comment spam from a marketing company in Malaysia. (That one was easy as the CMS software logged the offending IP's and it's not like we read each others blogs now is it?).

In this sequel, we witness this. Seems that some spammers are no longer content with forging headers and hijacking mail servers, some are now rerouting traffic across the Internet to disguise themselves. Think of it as something like turning on the tube to watch Fox News and getting Faux News.

Thursday, April 3, 2003

Comment hijacking

Another new problem with blogging that I just learned of:

Comment page hijacking. Seems that if you leave "Allow HTML" turned on, comment authors can add which will drag the browsing user to the new URL.

Source: MT User Forums.

Shell coding

Mostly for my own benefit (I have two end-of-semester projects coming up) but...

Blackbox eZine has an article about shell coding for buffer overflow exploits.

Wednesday, April 2, 2003

Securing MySQL

From, an article about things you should be/shouldn't be doing if you're running MySQL.

Tuesday, April 1, 2003

Responsible Reporting Gone Bad?

The politics involved with Information Security is heating up again. Since Symantec bought SecurityFocus, the SecFocus mailing lists' content has changed. Some say that it's not for the good, accusing Symantec/SecFocus of improper censorship. Bugtraq, being one of SecFocus's lists, is involved in the argument. eWeek has an article about it here.

FBI used to enforce AUP

Here's an article from the Toledo Babble in which the local police AND the FBI were employed to seize PC's and cable modems from individuals who had modified the cap on their cable modems.

Doing the math, the estamated "loss" was a cool 1/4 mil., generated by 13 cable connections. That comes to approximately $20K per household. Given the maximum speed of an uncapped modem, I doubt the local cable company let things go so long that each generated an upstream bill for the cable company amounting to $20K.

Somehow I think the cable company futzed the numbers so that they were high enough to get the FBI involved (you've got to convince the judge). Wanna bet the majority of the Toledo 13 are teenagers? Is this a case of the "victim" wasting the FBI's time and resources?

Would someone who agrees with the cable company's loss please explain it to me? (But keep in mind that I have a ready rant about bandwidth not being a conservable resource.) Yes, I can see the cable companies side of the argument. I just can't figure out the numbers or why the FBI got involved. This probably should have been just an issue for local law enforcement.

There's got to be more to the story.