
DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

  • by Zeinfeld ( 263942 ) on Sunday February 01, 2004 @07:25PM (#8154576) Homepage
    If there is a bug in the kernel and nobody notices it, can we still flame Microsoft?
  • Really? (Score:4, Funny)

    by Limburgher ( 523006 ) on Sunday February 01, 2004 @07:25PM (#8154578) Homepage Journal
    NOBODY showed up? I would think having a high Sardonix rating would be a nice piece of "hacker-street-cred", like a low /. ID number, or running Linux on a beowulf cluster of 286s.
    • Re:Really? (Score:5, Funny)

      by alexandre ( 53 ) on Sunday February 01, 2004 @07:34PM (#8154635) Journal
      So, next time I get an interview I should mention my /. ID? :-)
      • Re:Really? (Score:5, Funny)

        by Saeed al-Sahaf ( 665390 ) on Sunday February 01, 2004 @07:39PM (#8154677) Homepage
        Holy shit. 53? Your prospective boss should bow down! I assumed that most of the first 1000 were DEAD by now...
        • Heck, I'm in the 3k range and I thought the first 100 (or so) uids were test uids from when they made and tested the system before rolling it... I've NEVER seen one before.
        • I have a 9000's uid that I forgot the password for and no longer have the email. Any chance I can use it?

          I'd like to see Slashdot ID counter vs. time graph. I came to the party late.
        • by Venner ( 59051 )
          I didn't create an account on slashdot until almost a year after I'd first started visiting and I have this horribly high UID to show for it. Who could have known that, years later, a low UID would be such a symbol of power, fear, and respect!

          I'm glad I didn't have to say that in person; I couldn't possibly have kept a straight face :-)

        • No doubt resurrected by the ID# polling ritual we performed earlier.
        • Nah, they're all in hiding because they're being hunted by the United Nations Transitional Authority troops, aided by Subarashii.

          Wait, that's the First Hundred, not the first thousand. /redmars
        • Nay, the First Ones are alive still - they journeyed to the Uncharted Lands, to return once again when the land is in peril once again from the Shadow Realm...
      • Re:Really? (Score:2, Funny)

        by polymath69 ( 94161 )
        So, next time I get an interview I should mention my /. ID?

        Not with a UID that low, dude. That only tells your prospective employer, "I spend way too much time cruising the Internet instead of working."

      • Only 187 comments though, and 2 5s and a 3 in the last 24 :)
      • Re:Really? (Score:5, Funny)

        by wrmrxxx ( 696969 ) on Sunday February 01, 2004 @08:23PM (#8154931)
        I'm always sure to mention mine. Has got me some really interesting job offers...
        • I'm always sure to mention mine. Has got me some really interesting job offers...

          Any of them from NineNine or autopr0n by any chance? :)

    • Re:Really? (Score:4, Interesting)

      by Jason Earl ( 1894 ) on Sunday February 01, 2004 @07:35PM (#8154645) Homepage Journal

      The free market beat them to the punch. Why play for Sardonix "street-cred" when you can start your own security company? Most security companies do a fair share of the advertising on the existing security mailing lists.

      Besides which, the Linux Kernel Mailing Lists already purport to do the same thing. You think that the Linux kernel hackers don't think that they are already creating secure code? By the time a security bug gets through the LKML's brutal peer review the chances that some outsider gunning for "street cred" is going to find it is essentially nil. Why join Sardonix when you can pile right in to the LKML?

    • Re:Really? (Score:5, Funny)

      by rampant mac ( 561036 ) on Sunday February 01, 2004 @07:47PM (#8154722)
      "NOBODY showed up? I would think having a high Sardonix rating would be a nice piece of "hacker-street-cred""

      This isn't Compton.

      You're not going to go on an interview and throw up your Linux "signs."

      Slackware beeyotch. Represent.

      apt-get 4 life, thug.

      Werd.

    • Sigh, Too old to be new, too new to be OldSchool!

      I have a pretty low ICQ # too... wonder what it is??? I don't seem to remember.. must be old age.

      Damn kids... always going on about how "OLD SCHOOL" they are. How many of them walked 10 miles to a university lab to have access to a VT-100 terminal... oh well was for mudding ... not like I was addicted to IRC or some stupid shit like that. : )

  • DARPA "funded" !? (Score:5, Insightful)

    by gtrubetskoy ( 734033 ) * on Sunday February 01, 2004 @07:25PM (#8154581)

    Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    I'm sorry, appreciation does not pay bills.

    • I'm sorry, appreciation does not pay bills.

      True, but also true of most work being done for Free & Open Source software.

      Just look at how many people got seriously enthusiastic about their SETI @ Home rankings. That doesn't pay the bills either, and it uses real electricity.

      If they could just find a way to tap into _that_ enthusiasm. Maybe all they need to do is put up a brightly-colored blinking screensaver whenever someone found a bug . . .

      • by gtrubetskoy ( 734033 ) * on Sunday February 01, 2004 @07:59PM (#8154802)
        If they could just find a way to tap into _that_ enthusiasm.

        Ah give me a break!

        As someone who has written [modpython.org] open source software, I can tell you that there is no enthusiasm that you "tap into".

        When you are an agency that is part of a department of the government whose budget is in the billions (or is it trillions?), no sane "enthusiast" is going to do jack for you for "appreciation", especially when you are a military organization...

        But even if this wasn't DOD we were talking about, I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.

        When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!

        • by Dark Bard ( 627623 ) on Sunday February 01, 2004 @10:33PM (#8155578)
          Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was copyright laws favor the artists too much and they should do it out of love and there's nothing wrong with downloading music and movies for free even if it robs the artist. I was given the pious example of people writing open source code for free. I was never given an example of how they were supposed to feed themselves while they worked for free. Now I hear code writers should always be paid for their work even if it's for the benefit of all. Feels different when the shoe's on the other foot. If all intellectual property should be free why aren't code writers working for free and working at the local 7 eleven to pay their bills? I realize no one wants to hear this and I'm sure this post will get a low mod because it's tradition to kill the messenger but you can't have it both ways. Everyone has a right to earn a living and working for free or giving away your work ain't going to pay the bills. I'm thrilled people write open source code for free. Artists often work for free and work a disturbing number of unpaid hours. The hardest thing for an artist is generally getting someone to pay for their work in the first place. Free market basically works, in spite of a few bumps. Change the law and allow people to go into a farmer's field and pick the crops without paying and see how quick people give up on farming. Sorry there's no difference.
          • Well, in regards to your Music Artists analogies, I believe the general consensus on Slashdot is not that they do not deserve money for their work, just that downloading the music on P2P is not hurting artists. Firstly, there's the old argument of those who wouldn't buy it anyway, and are thus not hurting anybody. However, consider this: For those who really like a certain band who happens to be signed under the RIAA, which option is more attractive?

            #1. Buy CD from the store. Cost, $20. The artist w
            • The trouble with choice 2 is that even with good intentions, you probably won't do it.
              It's just too easy to procrastinate after you have what you wanted.

              That said, I think you overestimate what the RIAA pays the average artist. (Not what they claim to pay them, but they do funny things with accounting. And they won't let anyone check their books. Well, not without a lawsuit, and getting plenty of time to make things look right.)
            • Music is the easier subject now but film will be getting hit harder and harder as downloading speeds become less of an issue. The artists have always gotten the short end of the stick in both industries, worse in music than film. Unfortunately the falling revenues have forced groups to look to touring as potentially their primary source of income. A lot of artists prefer not to tour due to it making it virtually impossible to have a life. They are having to look seriously at touring now as an option. It's changi
    • Multi-billion dollar budget and this is for the "bragging rights". Please!!!! If they let go a few crumbs as a prize for .... say, $100k at the end of the year for the best ranked.... you could not beat the takers off with a stick.

      Just my two cents...since Darpa won't give me $100k...or 2 dollars. I want my two dollars.
  • never heard of it! (Score:5, Interesting)

    by Anonymous Coward on Sunday February 01, 2004 @07:28PM (#8154599)
    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!

    Oh well! Try try again...
    • It's been a story on Slashdot (2002) [slashdot.org] at least once. And I remember it being mentioned in a thread in another story last year--mind you, that's only because Crispin's name jumped out at me. (Like the time Tanya Huff did something nasty to him in one of her books. ;)
  • Let's be honest (Score:5, Insightful)

    by Anonymous Coward on Sunday February 01, 2004 @07:28PM (#8154600)
    Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.
    • Re:Let's be honest (Score:3, Interesting)

      by bluGill ( 862 )

      Not necessarily. I know a number of programmers who read code to learn how it works. They aren't auditing directly, just looking to see how/if they can use something in their own code. Programmers are lazy, if they can use someone else's debugged work they will.

      There is far too much code to write, without wasting time re-inventing the wheel.

    • by Mr2cents ( 323101 ) on Sunday February 01, 2004 @11:26PM (#8155870)
      Auditing is boring.

      Don't forget we live in a world where people collect stamps..
  • Still A Good Idea (Score:5, Insightful)

    by Naked Chef ( 626614 ) on Sunday February 01, 2004 @07:28PM (#8154602)
    Whose time may eventually come. Part of the problem is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)
    • Yeah...

      Too bad that the real work to be done here was largely undertaken previously by the "Kernel Janitors" [kerneljanitors.org]. This is a genuinely community-based effort, designed EXACTLY to remediate the less-than-glorious issues within existing kernel trees.

      And, Hey!

      They are training aspiring kernel developers, who can hone their skills and become intimately familiar with kernel internals by contributing in a meaningful way! Even if it's just repairing bad use of whitespace...

    • "...under this Sardonix name..."

      Well, there's your problem. Nobody is particularly interested in making a name for Crispin-whoever through working their arse off on unglamorous bugs. People are quite happy to work under their own names and on the existing projects.
  • by Mysteray ( 713473 ) on Sunday February 01, 2004 @07:30PM (#8154612)
    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD [openbsd.org] project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

    • by Anonymous Coward
      Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else.

      • <offtopic>Your comments are discussion-worthy! Why post as an AC? I've been reading /. since at least 1998, but never got around to signing up and commenting properly. I'm glad I finally did, but I could have had bragging rights with one of those low UIDs if I had registered earlier.</offtopic>

        Anyway, I see these comments often enough so I suppose they merit some response. I'm not sure I'm the one to do it, but anyway . . .

        Interestingly, OpenBSD also don't have any documentation as to what it

  • by Saeed al-Sahaf ( 665390 ) on Sunday February 01, 2004 @07:31PM (#8154615) Homepage
    As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up.

    Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.

  • by RedLeg ( 22564 ) on Sunday February 01, 2004 @07:31PM (#8154620) Journal
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?

    • Marketing! The magic word:

      Sardonix web site [sardonix.org] (Why isn't this on the front page?)
      List of vulnerabilities [sardonix.org]
      Subscribe to the Mailing list [sardonix.org]
      Become an auditor [sardonix.org]
      Audited programs [sardonix.org]
      Unaudited programs [sardonix.org]

      (Yes, I just linked the left menu in wwww.sardonix.org [sardonix.org]. Isn't that what marketing is all about after all?)

      Guys, this is important. This needs to be promoted everywhere. I'm thinking of translating their website - some Spanish people can help?

      It's NOT that bored. It CAN'T be that bored. Hell, there're d
      • The project is not dead. You can still go there and submit an audit. We have no intention of turning it off, and if people want to contribute, we welcome that.

        All the conspiracy theory noise on this topic is just a load of crap. DARPA didn't cut us off for any spooky reason, the contract just ended on schedule. I did my best to market the project to suitable audiences, but it never caught on. I'm still all for making it work, but I no longer have Federal money to pay for it, so it's now all-volunteer.

        Crisp

  • by AndroidCat ( 229562 ) on Sunday February 01, 2004 @07:32PM (#8154627) Homepage
    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

  • by mikeophile ( 647318 ) on Sunday February 01, 2004 @07:44PM (#8154707)
    Sardonic

    sardonic (sar-dnk) adj.

    Scornfully or cynically mocking.

    See Synonyms at sarcastic.

  • by realmolo ( 574068 ) on Sunday February 01, 2004 @07:46PM (#8154720)
    Here's what they were asking for: WANTED- Extremely experienced Linux coders, familiar with all aspects of security, to verify others' undocumented code, so that the federal government doesn't have to do it themselves. Salary starts at 0 dollars per year. Benefits include- No health care No 401k
    • In all seriousness, if this was a funded grant, why couldn't they afford to pay per-bug? Yes, that makes it more complicated, but much more enticing.

      I wonder if there are any legal implications to this? Funding an OSS project in an indirect manner?
    • Not only that, they don't understand one of the core motivations of an open source developer: self determination.

      You know what I do all day at "work"? I write python code. Python happens to be my favorite language but I HATE GOD DAMNED DATABASE PROGRAMMING. Guess what though? It pays the bills :)

      When I work on open source software, I want to do something I believe in or something I'm good at or something that I want to see done. Not something the NSA wants to see done, that's a lot like "work" and a lot

  • geek.paranoia++; (Score:5, Insightful)

    by RalphBNumbers ( 655475 ) on Sunday February 01, 2004 @07:47PM (#8154726)
    So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're surprised they didn't get a flood of volunteers?

    Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.

    code.insecure = true;
    while(code.insecure) {
    geek.paranoia++;
    geek.review(code);
    }
  • by qtp ( 461286 ) on Sunday February 01, 2004 @08:00PM (#8154807) Journal
    And with a name like "Sardonix" who could blame them:

    ~$ dict -d wn sardonic

    1 definition found

    From WordNet (r) 2.0 (August 2003) [wn]:

    sardonic
    adj : disdainfully or ironically humorous; scornful and mocking;"his rebellion is the bitter, sardonic laughter of all great satirists"- Frank Schoenberner; "a wry pleasure to be...reminded of all that one is missing"- Irwin Edman [syn: {wry}]
  • Too low profile (Score:4, Informative)

    by adamsc ( 985 ) on Sunday February 01, 2004 @08:14PM (#8154883) Homepage
    I follow the security community pretty closely, monitor a fair number of techie news sites and otherwise try to stay aware of this sort of thing. The first I heard of the project was this story - I must have missed it the last time it was mentioned two years ago. Not many sites linked to sardonix.org [google.com] after the initial news stories, either.
  • by Lucius Sour ( 636091 ) on Sunday February 01, 2004 @08:17PM (#8154891) Journal
    A lot of government and military projects have the sole purpose of attracting money to, or showing deference to whatever fashionable political/buzzword compliant initiative that has sway that week. This isn't news to slashdotters, I know, but I wonder what real hopes the project had, or was it one of those "impress the boss and get a cheque to swell the department" projects. It seems that's the way things work in the government service and industry these days. Whatever happened to doing the bloody job?
  • by Anonymous Coward
    it's really boring shit work, so let's spice it up by making it competitive. Tommy, Jane, how fast can you clean your rooms?
  • and yet no one shows. I guess we have to wait until someone finds something with negative intent before a bug is fixed.

    Mod me down -50....I don't care anymore, my faith is lost.
    • Why do you assume that no bug fixing or code auditing was being done outside of this apparently obscure government-funded project no one heard of?

      "OSS's strongest argument", as you put it, is that people who use the code will find the bugs, fix the bugs, and share the fixes. I fix a bug that may affect you, you fix a bug that may affect me, we both benefit; so does the guy that hasn't run into either bug yet.

      But Crispin Cowan scratches his head because the few people who heard of his project thought comin
  • It's true, people would rather write code than fix people's broken shit.

    Rather than fixing borken code, why don't we teach some people how to write decent programs? Maybe put up some documentation of some common security flaws and how people could have avoided coming near them by structuring their code differently.

    I know some code needs to be fixed, but let's face it, most people aren't willing to do it. There are a few unappreciated people out there who do this, and their job would be easier if people kne
    • No one writes perfect, bug free, unexploitable code. Exploits are found in code previously thought to be perfect.

      There are some obvious things you can do, but on a sufficiently complex project, it's impossible to think of every possible use or misuse of the resulting code. Hell, some exploitable stuff is injected by the compiler.

  • by 0x1337 ( 659448 ) on Sunday February 01, 2004 @09:06PM (#8155166)
    Who can blame the project for having failed, when it was named for the famous "stone of all bad" Sardonyx, i.e. Chtrag Sardius, the opposite of the Orb, or Chtrag Yaska?

    Who 'led' the project, Ctuchik The Grolim High Priest?

    ------>

    Ok, ok... I'm a dork. Read David Eddings' "Belgariad" and "Malloreon" though - they make for a great read.
  • by El Volio ( 40489 ) on Sunday February 01, 2004 @09:15PM (#8155209) Homepage

    Sardonix got me interested in source code auditing, but I didn't like the reputation model [xwell.org]. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.

    If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?

  • by bluGill ( 862 ) on Sunday February 01, 2004 @09:33PM (#8155293)

    I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.

    I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have experience reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programmer (better than most really, but that isn't saying much considering the typical programmer I've seen), and I need to learn how to do this. How do expert code reviewers think?

    I just got back from wineconf, Alexander personally reads every single line that is committed to Wine. I know it can be done, but I need experience before I could possibly do that, and no one bootstraps me to get the experience.

    I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.

  • 1. Read some router code
    2. Document all critical security vulnerabilities
    3. Do not report any bugs
    4. ???
    5. Profit!
  • by Crispin Cowan ( 20238 ) <crispin@crispinc[ ]n.com ['owa' in gap]> on Sunday February 01, 2004 @11:01PM (#8155734) Homepage
    The /. story says that Sardonix [sardonix.org] "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article [securityfocus.com]. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general [sardonix.org], and not the Linux kernel in particular [sourceforge.net].

    Crispin
    ----
    Crispin Cowan, Ph.D.
    CTO, Immunix Inc. [immunix.com]

  • by slamb ( 119285 ) on Monday February 02, 2004 @01:45AM (#8156495) Homepage
    There are a few reasons why this project never took off:

    First, they widely advertised it and then took forever to get the site going. I think most people had forgotten about it or given up on it by that point. And then they never publicized it again. (Specifically, it was initially slashdotted on 6 Feb 2002 [slashdot.org]. On 13 Oct 2002, a message on the Sardonix mailing list mentioned that it had been mostly live for a couple weeks, and that the point system still wasn't online. No wider announcement.)

    Second, all the packages listed there for review were fairly well-respected blocks of code written by skilled coders. Consequently, most of the reviews were of the form "yup, this code essentially looks good". They were also extremely large projects, so people said "I didn't do a full review; I just tried this automated tool". It doesn't really mesh up with what he said in the article:

    Cowen believes Sardonix was a casualty of security community culture, which he says rewards researchers who find clever or splashy holes in a program, but not for making software more secure. "The Bugtraq model is: find a bug, win a prize -- a modest amount of fame," says Cowen. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    "It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

    There was no "making software more secure [...] eventually finding no bugs"; I don't think anyone ever really found a significant bug through this project.

    If they had targeted lots of small projects on freshmeat (like web stuff - PHP, mod_perl, JSP/servlet, etc.), it would have been much more interesting. Those projects have all kinds of security bugs. They could have taught the people in question some good security practices and actually accomplished what they set out to do. Maybe they would have eventually branched out into certifying these infrastructure projects, but it wasn't a good initial goal.

    Lastly, who knows what they did with that DARPA funding. Plenty of open source projects with no funding do much more impressive works than that website, and in much less time, too.

  • code audits (Score:4, Insightful)

    by Tom ( 822 ) on Monday February 02, 2004 @04:07AM (#8156853) Homepage Journal
    This is then the 3rd or 4th Linux code audit project to fail. (I was a participant in 2 others)

    Why? Because auditing code is

    * difficult and tricky
    * unrewarding
    * lots of hard work

    It simply isn't something you want to do unless you are as passionate and fanatic about your project as the OpenBSD guys are.
