diff --git a/doc/ideas.txt b/doc/ideas.txt
index 0bf82e9..52954ed 100644
--- a/doc/ideas.txt
+++ b/doc/ideas.txt
@@ -1,6 +1,5 @@
 Ideas for puzzles
 =================
-* Hide something in a .docx zip file
 * Bootable image with FreeDOS, Linux, Inferno? HURD?
 * Bury puzzles in various weird locations within each OS
 * Maybe put some in the boot loader, too
@@ -9,7 +8,17 @@ Ideas for puzzles
 * DHCP option
 * Single TCP RST with token in payload
 * Multiple TCP RST with different payloads
+ * http://10.0.0.2/token
 * PXE boot some sort of points-gathering client
 * Init asks for a team hash, and starts awarding points
 * Broken startup scripts, when fixed award more points
 * Lots of remote exploits
+* "qemu -net socket" vpn thingy and then...
+* sfxrar packed with upx. Change an instruction so it won't actually execute.
+
+
+Capture the Packet
+------------------
+
+* Jim Meilander could teach a class about Bro
+* Use qemu -net socket,connect=10.0.0.2:5399 for capture the packet
diff --git a/doc/openwrt/README b/doc/openwrt/README
new file mode 100644
index 0000000..cedb2f9
--- /dev/null
+++ b/doc/openwrt/README
@@ -0,0 +1,57 @@ +This directory contains the files used to set up an OpenWRT router. + + +Bear in mind that the cheap consumer routers have relatively slow CPUs +and won't stand up to high volume. This same configuration applies to +OpenWRT running on an x86 PC, or any other target of OpenWRT. For +larger contests, it would be a good idea to use a faster machine for the +router. I don't have any specific recommendations at this time (Oct +2010). + +The router comes up as 10.0.0.1/16 on eth0. + +If the router has a built-in switch, it is brought up without VLAN +support, since these switches typically only support 16 VLANs, and do +not support QinQ (double VLAN tags). All 5 ports work like an unmanaged +switch, which ends up being handy for the contest table. + +Plugging a managed switch into the router enables access to 48 VLANs, +each configured to a /16 network. The router on VLAN number v comes up +as 10.v.0.1/16. + +If the router has the ability to come up as a wireless access point, it +will do so with SSID "CTF" and IP 10.254.0.1/16. + +All subnets can route to all other subnets, through the router. +10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a +VLAN (I haven't checked). Keep in mind that anything connected directly +to the router (ie. not through the managed switch) can do its own VLAN +tagging. This would be the way to hop on another team's subnet to do +something like check service availability in such a way as to prevent +teams from firewalling each other out. + + + SSID "CTF" + 10.254.0.1/16 + ((Y)) + | + ------------- + | OpenWRT | + -0-1-2-3-4--- + /| | | | | + / | | | | | + / | | | | | + / 10.0.0.1/16 + / + -------------------t--- + | Managed Switch | + -1-2-3-4-5-...-47-48--- + / | | \ + / | | \ + / | | \ + / | | \ + 10.1.0.1/16 | | 10.48.0.1/16 + | | + 10.3.0.1/16 | + | + 10.47.0.1/16 diff --git a/doc/openwrt/dhcp b/doc/openwrt/dhcp new file mode 100644 index 0000000..91a9742 --- /dev/null +++ b/doc/openwrt/dhcp 
@@ -0,0 +1,2 @@
+config dnsmasq
+ option leasefile '/tmp/dhcp.leases'
diff --git a/doc/openwrt/dnsmasq.conf b/doc/openwrt/dnsmasq.conf
new file mode 100644
index 0000000..eefc1a1
--- /dev/null
+++ b/doc/openwrt/dnsmasq.conf
@@ -0,0 +1,55 @@
+no-resolv
+local=/ctf/
+no-hosts
+domain=ctf
+dhcp-authoritative
+dhcp-range=10.0.1.10,10.0.1.254
+dhcp-range=10.1.1.10,10.1.1.254
+dhcp-range=10.2.1.10,10.2.1.254
+dhcp-range=10.3.1.10,10.3.1.254
+dhcp-range=10.4.1.10,10.4.1.254
+dhcp-range=10.5.1.10,10.5.1.254
+dhcp-range=10.6.1.10,10.6.1.254
+dhcp-range=10.7.1.10,10.7.1.254
+dhcp-range=10.8.1.10,10.8.1.254
+dhcp-range=10.9.1.10,10.9.1.254
+dhcp-range=10.10.1.10,10.10.1.254
+dhcp-range=10.11.1.10,10.11.1.254
+dhcp-range=10.12.1.10,10.12.1.254
+dhcp-range=10.13.1.10,10.13.1.254
+dhcp-range=10.14.1.10,10.14.1.254
+dhcp-range=10.15.1.10,10.15.1.254
+dhcp-range=10.16.1.10,10.16.1.254
+dhcp-range=10.17.1.10,10.17.1.254
+dhcp-range=10.18.1.10,10.18.1.254
+dhcp-range=10.19.1.10,10.19.1.254
+dhcp-range=10.20.1.10,10.20.1.254
+dhcp-range=10.21.1.10,10.21.1.254
+dhcp-range=10.22.1.10,10.22.1.254
+dhcp-range=10.23.1.10,10.23.1.254
+dhcp-range=10.24.1.10,10.24.1.254
+dhcp-range=10.25.1.10,10.25.1.254
+dhcp-range=10.26.1.10,10.26.1.254
+dhcp-range=10.27.1.10,10.27.1.254
+dhcp-range=10.28.1.10,10.28.1.254
+dhcp-range=10.29.1.10,10.29.1.254
+dhcp-range=10.30.1.10,10.30.1.254
+dhcp-range=10.31.1.10,10.31.1.254
+dhcp-range=10.32.1.10,10.32.1.254
+dhcp-range=10.33.1.10,10.33.1.254
+dhcp-range=10.34.1.10,10.34.1.254
+dhcp-range=10.35.1.10,10.35.1.254
+dhcp-range=10.36.1.10,10.36.1.254
+dhcp-range=10.37.1.10,10.37.1.254
+dhcp-range=10.38.1.10,10.38.1.254
+dhcp-range=10.39.1.10,10.39.1.254
+dhcp-range=10.40.1.10,10.40.1.254
+dhcp-range=10.41.1.10,10.41.1.254
+dhcp-range=10.42.1.10,10.42.1.254
+dhcp-range=10.43.1.10,10.43.1.254
+dhcp-range=10.44.1.10,10.44.1.254
+dhcp-range=10.45.1.10,10.45.1.254
+dhcp-range=10.46.1.10,10.46.1.254
+dhcp-range=10.47.1.10,10.47.1.254
+dhcp-range=10.48.1.10,10.48.1.254
+dhcp-range=10.254.1.10,10.254.1.254
diff --git a/doc/openwrt/iptables b/doc/openwrt/iptables
new file mode 100755
index 0000000..8671c22
--- /dev/null
+++ b/doc/openwrt/iptables
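Review bot: The `dhcp-range` lines hand out addresses on every team VLAN and the wifi subnet, but no `dhcp-option=6,...` is set, and dnsmasq then advertises its own address on that interface as the DNS server; the sibling doc/openwrt/iptables script only accepts UDP 67, echo-request and 10.0.0.0/16 on INPUT, so DHCP clients on VLANs 1-48 and 10.254.0.0/16 are told to use a resolver whose port 53 the router rejects. Either accept DNS from those subnets in the firewall script (`iptables -A INPUT -p udp --dport 53 -j ACCEPT` and the `-p tcp` equivalent ahead of the REJECT) or, if team subnets are meant to have no DNS, say so here with a comment such as `# DNS is only reachable from 10.0.0.0/16; see doc/openwrt/iptables`. The 48 per-VLAN ranges also duplicate `VLANS=48` from doc/openwrt/vlan, so a header comment naming that coupling would help whoever changes the VLAN count next.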
@@ -0,0 +1,27 @@
+#! /bin/sh /etc/rc.common
+
+START=45
+STOP=89
+
+VLANS=48
+
+start () {
+ stop
+
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+
+ iptables -A INPUT -p udp --dport 67 -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
+ iptables -A INPUT -j REJECT
+}
+
+stop () {
+ iptables -F INPUT
+ iptables -F OUTPUT
+ iptables -F FORWARD
+}
+
+
diff --git a/doc/openwrt/network b/doc/openwrt/network
new file mode 100644
index 0000000..d2b22cb
--- /dev/null
+++ b/doc/openwrt/network
@@ -0,0 +1,27 @@
+#### Switch configuration
+config switch eth0
+ option enable 1
+ option enable_vlan 0
+
+#### Loopback configuration
+config interface loopback
+ option ifname "lo"
+ option proto static
+ option ipaddr 127.0.0.1
+ option netmask 255.0.0.0
+
+#### Administrative network
+config interface admin
+ option ifname "eth0"
+ option proto static
+ option ipaddr 10.0.0.1
+ option netmask 255.255.0.0
+
+#### Wireless
+config interface wifi
+ option proto static
+ option ipaddr 10.254.0.1
+ option netmask 255.255.0.0
+
+# OpenWRT's "ifup/ifdown" are horribly slow, so the 48
+# vlans are set up in an init script :)
diff --git a/doc/openwrt/vlan b/doc/openwrt/vlan
new file mode 100755
index 0000000..49bbdbd
--- /dev/null
+++ b/doc/openwrt/vlan
@@ -0,0 +1,20 @@
+#! /bin/sh /etc/rc.common
+
+START=41
+STOP=89
+
+VLANS=48
+
+start () {
+ for i in $(seq 1 $VLANS); do
+ vconfig add eth0 $i
+ ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
+ done
+}
+
+stop () {
+ for i in $(seq 1 $VLANS); do
+ vconfig rem eth0.$i
+ done
+}
+
diff --git a/doc/openwrt/wifi b/doc/openwrt/wifi
new file mode 100644
index 0000000..eefe021
--- /dev/null
+++ b/doc/openwrt/wifi
@@ -0,0 +1,9 @@
+config wifi-device wl0
+ option type broadcom
+ option channel 1
+
+config wifi-iface
+ option device wl0
+ option network wifi
+ option mode ap
+ option ssid CTF
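Review bot: The INPUT chain in `start` has no rule for loopback and none for replies to connections the router itself opens, so the trailing `iptables -A INPUT -j REJECT` refuses traffic on `lo` and every reply arriving from a team subnet (echo-reply included, since only echo-request is accepted); inserting `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` before the REJECT fixes both. The admin exception `iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT` trusts the source address alone, which a frame on any eth0.N can carry; binding it to the untagged port as `iptables -A INPUT -i eth0 -s 10.0.0.0/16 -j ACCEPT` matches the README's description of 10.0.0.0/16 as the directly attached admin network. `VLANS=48` is never used in this script and reads as a copy from doc/openwrt/vlan. Because the policies stay ACCEPT, the window between `stop` flushing INPUT and the rules being re-added is fully open; that is the stated design, but a one-line comment above `stop` saying so would keep a later editor from reading the REJECT as the policy.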
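Review bot: `start` in doc/openwrt/vlan is not idempotent: if eth0.$i already exists, each `vconfig add eth0 $i` fails and the loop carries on, so a second `start` prints 48 errors and leaves the state ambiguous. The sibling doc/openwrt/iptables script calls `stop` as its first line for exactly this reason; doing the same here makes re-running the script safe, at the cost of harmless `vconfig rem` noise on a clean boot. A header comment, `# Creates eth0.1..eth0.$VLANS as 10.v.0.1/16; dnsmasq.conf ranges and the README diagram assume this numbering`, would also record the coupling that the number 48 carries across three files.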
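Review bot: The `wifi-iface` section in doc/openwrt/wifi sets `option mode ap` and `option ssid CTF` but no `encryption` option, so the access point comes up open; that is consistent with the README's description of the CTF SSID, but the decision is only visible by omission. Writing it out as `option encryption none` with a comment `# open network by design; every wifi client lands on 10.254.0.0/16 unauthenticated` records the choice so a later editor neither "fixes" it nor assumes the network was secured.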
diff --git a/doc/problems.txt b/doc/problems.txt new file mode 100644 index 0000000..6b1c955 --- /dev/null +++ b/doc/problems.txt @@ -0,0 +1,14 @@ +* "net-re" dash tripping up category validation in puzzler +* scores not preserved in /var/lib/ctf, wtf? +* bletchley 150 no key +* claim.cgi not exiting +* someone managed to get a point in no category. that broke the scoreboard. +* ha ha, guess what this does if points.log already exists: + install -o root -m 0644 /dev/null /var/lib/ctf/points.log +* scoreboard: teams aren't properly filling columns (make td have size) +* sequence 700 no key +* steg 20 not m4ing key +* no "pointscli" binary +* steg 200 totally screwed up +* get LAUR for contest + diff --git a/doc/todo.txt b/doc/todo.txt index aa2836e..79483aa 100644 --- a/doc/todo.txt +++ b/doc/todo.txt @@ -2,5 +2,4 @@ Things That Need Fixin' ======================= * puzzles.cgi really needs to cross out points your team has claimed. -* I really hate C. Is it possible to use some other language (like - Haskell)? +* Make an OpenWRT router image for a FitPC diff --git a/pwnables/service/sshd.pwn/log/run b/pwnables/service/sshd.pwn/log/run new file mode 100755 index 0000000..4794c8e --- /dev/null +++ b/pwnables/service/sshd.pwn/log/run @@ -0,0 +1,3 @@ +#! /bin/sh + +exec logger -t sshd diff --git a/pwnables/service/sshd.pwn/rsa.key b/pwnables/service/sshd.pwn/rsa.key new file mode 100644 index 0000000..f530471 Binary files /dev/null and b/pwnables/service/sshd.pwn/rsa.key differ diff --git a/pwnables/service/sshd.pwn/run b/pwnables/service/sshd.pwn/run new file mode 100755 index 0000000..491adf6 --- /dev/null +++ b/pwnables/service/sshd.pwn/run @@ -0,0 +1,8 @@ +#! /bin/sh + +exec 2>&1 +if [ -d /opt/mcp ]; then + sv d . + exit +fi +exec dropbear -r ./rsa.key -E -F
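Review bot: `exec dropbear -r ./rsa.key -E -F` in pwnables/service/sshd.pwn/run loads a host key that this same commit adds to the repository as a binary (pwnables/service/sshd.pwn/rsa.key), so every deployment of the service presents the same version-controlled private key and it cannot be rotated without a commit. Generating it on first start instead, `[ -f ./rsa.key ] || dropbearkey -t rsa -f ./rsa.key` placed before the exec, keeps the key out of git and unique per host, after which the committed file can be dropped. The `/opt/mcp` branch would also benefit from a comment such as `# do not run the pwnable sshd where the MCP is installed` — assuming that is what the directory check means, which the script does not state.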