Forgot your password?
typodupeerror
Data Storage

SSDs Cause Crisis For Digital Forensics 491

Posted by CmdrTaco
from the yeah-so-sad dept.
rifles only writes "Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered. They found that SSDs start wiping themselves within minutes after a quick format (or a file delete or full format) and can even do so when disconnected from a PC and rigged up to a hardware blocker." So either SSDs are really hard to erase, or really hard to recover. I'm so confused.
This discussion has been archived. No new comments can be posted.

SSDs Cause Crisis For Digital Forensics

Comments Filter:
  • Good. (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 01, 2011 @02:04PM (#35349172)

    Deleted, should mean deleted.

    • Re:Good. (Score:4, Informative)

      by EyelessFade (618151) on Tuesday March 01, 2011 @02:46PM (#35349728) Homepage
      I'm not to sure. Ibas [wikimedia.org] says they are almost impossibly to wipe out. That even with secure delete, almost 90% is still intact. And I think I believe them.
      • Re:Good. (Score:5, Informative)

        by graeme_ssd (2006566) on Tuesday March 01, 2011 @03:17PM (#35350030) Homepage
        Hello, I'm one of the authors of the original article.

        The drive's firmware is responsible for remapping blocks, and so the OS can't really control what happens whenever the OS tries to permanently delete things by asking the drive nicely to do so. Consequently, if the drive decides it's best to remap the logical block silently while not deleting the cell contents, then the OS doesn't realise the data is still there. That's what the other SSD study noted.

        On the other hand, in this situation, the thing doing the purging is the drive's firmware itself, not the OS, and the firmware knows for sure where the data is in the cells, and furthermore it's on a mission - to purge cells that it knows the filesystem is no longer using for data.

        The purging that is being done here, is taking place with the specific intention of getting cells freshened up and ready to be written to in future without delay. Consequently we can reasonably expect that the drive firmware really *wants* to nuke cells that contain real data that is no longer needed according to the filesystem metadata since that's the only way to boost performance, and that's the GC's job.

        If you want to check for yourself, try carrying out reads at the sector level yourself after running the experiment with the experimental setup described in the paper. You won't get much.

        I guess what I'm saying is that both studies are right despite the apparent contradiction, since they're dealing with completely different circumstances and motivations for 'purging' - OS or drive GC controlled.

        Graeme.

        p.s. Does anyone know of a postdoc position in AI, robotics, or bioinformatics in Grenoble, France? I'm currently looking for a new job.

  • by Tomun (144651) on Tuesday March 01, 2011 @02:06PM (#35349206)

    At a guess this is caused by mounting with the discard option, or trim as its called in Windows. It tells the drive you don't need the data stored where a deleted file used to be.

    Maybe it's still there if you look with a microscope but who really does that?

    • Re:trim/discard (Score:4, Insightful)

      by Hatta (162192) on Tuesday March 01, 2011 @02:15PM (#35349328) Journal

      Deleting a file should tell the OS that I don't need that data. That's what deleting is.

      • Re:trim/discard (Score:5, Informative)

        by Artraze (600366) on Tuesday March 01, 2011 @02:34PM (#35349580)

        > Deleting a file should tell the OS that I don't need that data. That's what deleting is.

        It does, and that is, in fact, what it is. So Windows unlinks the file from the directory and removes the blocks from the in-use map.

        The drive, however, doesn't know any of this. It updates the requested sectors representing the directory and volume info, and that's about it. It has no idea that blocks somewhere else on the drive are no longer needed, so it will dutifully copy and maintain that data while rewriting blocks.

        The idea of the trim command is that it tells the drive that the data is deleted so the drive doesn't have to worry about maintaining it. This was never needed in old drives because the data was basically ignored after being written. In SSDs, the data needs to be continuously copied around to facilitate the erasing (which wipes several thousand blocks at once).

        • Re:trim/discard (Score:5, Informative)

          by graeme_ssd (2006566) on Tuesday March 01, 2011 @03:21PM (#35350070) Homepage
          Hello there,

          "The drive, however, doesn't know any of this. It updates the requested sectors representing the directory and volume info, and that's about it. It has no idea that blocks somewhere else on the drive are no longer needed, so it will dutifully copy and maintain that data while rewriting blocks."

          Actually, this is no longer correct. SSDs (such as the one in this study) are quite capable of examining the filesystem stored on the drive, independently, and the concept of 'dutifully' and ignorantly maintaining deleted data goes out of the window as a result.

          The main point of the paper is not that this 'analyse-and-purge' drive GC behaviour happens (which is well known among SSD enthusiasts), but that it fouls up long-accepted court and forensics assumptions about what computer drives are. It can result in loss of evidence (of guilt or innocence) very easily in court cases in a manner which might be incorrectly attributed to malicious human intention.

          Graeme.

      • by afidel (530433)
        For most of modern computing it's meant unlink the inode or remove the FAT entry which makes the blocks available. This was done because it was too expensive to actually cleanse the data in 99+% of situations. Now with SSD's there is a performance gain to be had by pre-wiping the block in the background so deletes eventually mean actually cleansing the data. The flip side is with most current SSD's there's no way to force a particular physical address to be wiped because of sector to block mapping (though t
      • by sjames (1099)

        That is, of course, true.

        The new part is that in ages past, the OS would just mark the blocks free and that was that. The data tended to remain there until the space was needed for another file, then it would be overwritten.

        Because flash has to be erased before it is written (directly overwriting doesn't work), erase can take some time, and the drive is not just a dumb device, it is now necessary to actually let the drive know that the data is no longer needed as well rather than just making a note somewher

    • by Firehed (942385)

      Maybe it's still there if you look with a microscope but who really does that?

      The forensics team mentioned in TFS?

    • Re:trim/discard (Score:5, Informative)

      by graeme_ssd (2006566) on Tuesday March 01, 2011 @02:39PM (#35349642) Homepage

      At a guess this is caused by mounting with the discard option, or trim as its called in Windows. It tells the drive you don't need the data stored where a deleted file used to be.

      Maybe it's still there if you look with a microscope but who really does that?

      Hello there, I'm one of the authors of the paper (Graeme).

      This finding isn't related to TRIM in any way, though TRIM poses another nightmare for forensic investigators and may make the idea of examining deleted data/metadata redundant in a few years.

      What's happening here is that the drive itself has some code, a garbage collector, that reads the NTFS filesystem metadata and wipes any cells it thinks aren't needed any more, so that the next set of writes over those cells can take place more quickly.

      Normally this GC has seemed to take a while to kick in (various benchmarking sites suggest e.g. 30-60 minutes and unpredictable behaviour, e.g. not always kicking in when expected); here, we found that after a quick format has taken place, it reliably can be seen to kick in within minutes and also purges the drive within minutes. This is just one example of a case when the GC can kick in, of course.

      Current court-accepted forensics practice is to stick a write blocker between the drive and computer, under the assumption that the drive only modifies data when a PC tells it to: but that doesn't help you when the drive itself nukes all it's data cells within minutes of being powered on.

      I can imagine a situation where someone connects up the drive to power, (and possibly a write blocker), but not to the PC and makes a cup of coffee for a few minutes - by the time they connect it up for data transfer, it's too late, and they wouldn't even realise it had happened - the drive doesn't exactly make any whirrs or clicks as it wipes itself.

      Alternatively, the circumstances we found: in less than the time that would be taken to read an entire image off the disk for forensic study, the GC is racing ahead of you and purging the disk! Yikes. So you can imagine... a forensic investigator takes an image, examines it, presents it to the court, and when the court verifies the original disk that the copy was taken from, nothing is there any more, and the forensic investigator seems to be making it all up....

      So this feature has the potential to make it look like the police or forensic investigator themselves tampered with the original disk, as well as potentially destroying evidence that could help establish guilt or help establish innocence. We've put a number of 'interesting legal grey areas' at the back of the paper that we hammered out with reviewers, which are worth being aware of.

      Graeme.

      • Re:trim/discard (Score:5, Insightful)

        by Lorien_the_first_one (1178397) on Tuesday March 01, 2011 @04:01PM (#35350478)
        Wow. Thanks for dropping by. That's one thing I really enjoy about slashdot - seeing an author come by to post a clarification. Indeed, that really helps me to understand the process better.
  • by Anonymous Coward

    You need to disassemble the drive and read the memory chips independently of the controller. I believe I read this is how one of the major drive recovery companies is handling SSDs.

    • by Zerth (26112) on Tuesday March 01, 2011 @02:20PM (#35349404)

      You need to disassemble the drive and read the memory chips independently of the controller.

      Bingo. Forensic tech are used to being able to just plug in a write-blocker and assume the disk will remain intact and unchanged, which is the "legally safe" part they are complaining about. Since SSDs do lots more under the hood than spinning rust drives, they can't guarantee the device is unchanged unless they disassemble it, which might be considered tampering and leaves room for the other side's lawyers to ask "and then you took a soldering iron to a delicate IC?".

      It also requires a lot more know-how than "Use this magic cable when copying drives for investigation".

      • by rwa2 (4391) *

        Yep, I bet this has a lot to do with money as well. With that write-blocker attached to the drive, you can just use software to clone the disk bits and reconstruct the filesystem and recent deletes.

        Sure it's possible (and more expensive) to do a complete magnetic scan of a disk platter and reconstruct that past few layers of content written (and rewritten) to the drive... the kind of thing that the secure wipe utilities are supposed to defeat with multiple layers of white noise. But I doubt law enforcemen

    • Re: (Score:3, Informative)

      by graeme_ssd (2006566)
      Repeating a comment I made elsewhere on this board:

      -----

      Hey there

      Yep, it's the answer that immediately springs to mind when you approach the problem as a techie, and we touched on in the paper (see point 16, page 13).

      Keep in mind though that this is extremely non-trivial - e.g. not many court officers will know how to do it - and that a court may have real trouble with a forensics guy telling them that for 'this particular case', they need to not use the standard procedure to preserve the data unmod

  • Encrypt your data (Score:5, Insightful)

    by rcb1974 (654474) <richardballantyne@@@gmail...com> on Tuesday March 01, 2011 @02:07PM (#35349224) Homepage
    Problem solved. People need control over their own privacy. Tough luck Digital Forensic folks.
    • Yeah, but you can still go to jail for that in the UK, unlike TRIM.
    • by Jonner (189691)

      This property of modern SSDs is neither positive nor negative by itself. It's a property you'd be thankful for if you were organizing protests in Iran and stored contacts on an SSD. You'd curse it if it were exploited to destroy incriminating photos by someone who'd stalked you or a loved one.

  • ..destroyed overnight, go with the SSDs. The melting point of a surface mount IC is a lot less than that of a spinning platter.

  • Well... (Score:5, Insightful)

    by Minwee (522556) <dcr@neverwhen.org> on Tuesday March 01, 2011 @02:08PM (#35349238) Homepage

    So either SSDs are really hard to erase, or really hard to recover. I'm so confused.

    All I know is that if SSDs were really hard to erase, and I was in the business of recovering data that other people didn't want recovered, this is exactly the kind of story that I would tell them so that they would continue using SSDs.

    Not that I'm paranoid or anything.

    • Re:Well... (Score:4, Insightful)

      by EasyTarget (43516) on Tuesday March 01, 2011 @02:27PM (#35349488) Journal

      What wear levelling gives with one hand (performance and life) at the expense of the OS never knowing in which memory cell the data has -actually- been stored; making targeted deletion runreliable..

      ..it takes back with the other; deleted files will begin to be overwritten very rapidly when new data arrives; whatever the OS thinks about it, data recovery, even using specialist tooling, will struggle to get complete files or metadata from the media if the drive has seen some real use after the data was deleted.

      and, most importantly:

      $ cat /dev/urandom >> /dev/ssdX

      Just needs to be run once to -really- bollox an investigation..

      • Re:Well... (Score:4, Funny)

        by The Wild Norseman (1404891) <tw.norseman@gmai l . c om> on Tuesday March 01, 2011 @02:37PM (#35349608)

        What wear levelling gives with one hand (performance and life) at the expense of the OS never knowing in which memory cell the data has -actually- been stored; making targeted deletion runreliable..

        Ruh-roh, Raggy! It's runreliable!

    • Re:Well... (Score:5, Interesting)

      by graeme_ssd (2006566) on Tuesday March 01, 2011 @02:45PM (#35349720) Homepage
      Hi, I'm one of the authors of the research (Graeme).

      It's a good joke, but with a grain of truth in it. If you're concerned, you can buy the drive we used, flash it to the firmware we used, (optionally) buy a write blocker if you like, and run the programs I placed at the back of the paper and see what happens. We carefully documented as many of the experimental setup parameters as we could so it should be possible to reproduce the results exactly.

      Skepticism is a good thing - so I hope you'll reproduce the experiment at home and tell the world afterwards if you still think we're running PsyOps for the forensics community :-)

      Graeme. p.s. I'm currently looking for a postdoctoral/research engineer/research scientist position in Grenoble.

  • On magnetic storage I can change controller boards, even swap out the
    platters in a clean environment into another drive with working heads.
    For a few hundred to some thousands, your poor choice of having no backup media
    can be resolved.

    On SSD I can desolder the chips, dump them and then tell you there's nothing recoverable.
    For a few hundred to some thousands, your poor choice of having no backup media
    can be resolved.
  • Ultimately since the Flash Translation Layer goes and does things under-the-hood that are not externally visible, it is hard to be sure your data were erased, and it's also hard to be sure they were not erased... Essentially since there is an opaque interface at the logical-block level and the device is internally free to behave as it chooses so long as that interface is maintained, it makes it tricky to guess how the internal implementation will behave.
    Plain old magnetic disks used a fairly predictable im

  • by flaming error (1041742) on Tuesday March 01, 2011 @02:11PM (#35349280) Journal

    Why the confusion, dear editor? This should be well understood.

    If you want to recover, you can't. If you want to erase, you can't. It's Murphy's Law of Data Storage.

  • Forgive my ignorance, but how is this possible? Does this mean that the drives understand NTFS and are actually zeroing out data on the drive when the OS simply deletes the entry from the FAT table? How can the SSD second guess what the OS is doing? I thought that SSD's use the same interface as regular HD's and should behave the same.

    • Re:Huh? (Score:5, Informative)

      by Pathwalker (103) * <hotgrits@yourpants.net> on Tuesday March 01, 2011 @02:22PM (#35349424) Homepage Journal

      There is an ATA command called "TRIM [wikipedia.org]". If a device supports it, the OS can tell it that a group of sectors is no longer needed, and should be wiped.

      • by Rich0 (548339)

        I would think that the command would also be useful for wear-leveling.

        The more space that the device can understand as "free" the more opportunity it has to avoid writing to places that are wearing. if the whole drive is 100% free the best it can do is try to move data back and forth if it notices one spot getting written to more. That wastes writes and time. If it knows that a spot is now free, the drive can take the opportunity to optimize more.

    • by Osgeld (1900440)

      they use the same interface tween the computer and the device but tween that device controller and the actual raw memory is a whole different story

  • ...we better ban them, then.
  • The whole point of the referenced article is that it is somehow a "problem" that data deleted (and intended to be deleted) by the owner of the SSD cannot be later recovered. Why should deleted data be recoverable? Will "police state" now require SSDs to stop this seemingly desirable behavior to ensure evidence be recoverable from an impounded device? I for one applaud the behavior of these new storage devices.
    • by DrgnDancer (137700) on Tuesday March 01, 2011 @02:43PM (#35349694) Homepage

      Well to be fair, that's only part of the problem. Say you're a stupid criminal. You store all your records of your criminal acts on your computer which happens to have an SSD drive. You've never deleted your records of your criminal acts, but just before the police busted through the door you were deleting some old pictures of your cat, Fluffy. So in order to maintain evidence chain of custody, the police immediately turn off you computer and turn it over to a tech. The tech's first two actions should always be the same. He should plug your drive into a a special read only device that will first do an MD5sum or other fingerprint of the whole contents of the drive, and then do a bit for bit copy of the drive.

      The idea here is that the police can prove that nothing was done to alter the data present at the time of seizure. Power was removed from the system and the drive was immediately fingerprinted and copied. Assuming the fingerprints match, there should be no question that the copy on which the actual analysis is done is identical to the original drive. The problem is that you were deleting pictures of Fluffy when the Police came in. It's highly likely that as the drive does its self cleaning routine the fingerprint of the data will change. They fingerprint, get a value, but while they're copying the drive self cleans the bits associated with your cat pics. Bam, the copy has a different fingerprint. Now there's reasonable doubt about the usefulness of the evidence you stupidly left unencrypted in your desktop folder.

      Now I'm not saying this is a problem, and that they need to modify the design of SSDs. I didn't get the impression that article said that either. What they are saying is "Hey, we need to come up with another way to do this, becasue what we've been doing will no longer stand up in court."

  • by RichMan (8097) on Tuesday March 01, 2011 @02:18PM (#35349370)

    The drives have internal overprovisioning and perform internal garbage collection. This means that marked for deletion data has an unknown lifetime and may disappear at any point without interaction from a controller.

    The hard to erase bit means that you really can't be sure something is totally erased without a full specific erase command to all flash blocks. Without that a page marked unused but not erased may be nestled in with a bunch of valid pages. As all pages in a block are erased together that marked unused page can hang around for a wile.

    On the other side the firmware does garbage collection it actively looks for blocks with many erased pages and then tries to consolidate things so it can create more free blocks. This means if the drive is powered but not connected to a host machine it can still be doing data moves for consilidation and erasing marked for deletion pages.

    There are thresholds for the garbage collection so it won't overwork and try for 100% consolidation. Thus you get both the presence of some really sticky stale marked unused pages and some active erasing of others.

  • I'm on the fence about this, and it's possible neither pasture is green. On the one hand, I might be the victim of a genuine crime, evidence of which happens to be hiding in an SSD drive. On the other hand, these techniques are just as routinely abused now to go after people for political noncriminal reasons that don't serve the Common Good at all, people and organizations like Julian Assange, Wikileaks, Bradley Manning, the U.S. Chamber of Commerce opponents... you name it.

    These techniques are like nuclear physics: just as easily applied for Bad Things as Good. If we can't selectively prevent the abuses, maybe we should err on the side of caution and ban the techniques altogether. They aren't being universally applied to serve justice.

  • by joeyblades (785896) on Tuesday March 01, 2011 @02:19PM (#35349386)

    I thought that this was particularly telling. In the article it said:

    ... the state of the drive cannot be taken to indicate that its owner did or did not interact with it in ways that allow prosecutors to infer guilt or innocence. The fact that data has been purged does not mean a human knowingly did it (e.g. accidental guilt)...

    So in other words, until SSDs came along, evidence of purged data was evidence of guilt... at least in Austrailia.

    • Destroying evidence is a crime in the US, too.

      • by H0p313ss (811249)

        Destroying evidence is a crime in the US, too.

        Yes, but destroying data is not. The point is that evidence that something was destroyed is not itself evidence of crime.

  • "Firmware built into many solid state drives (SSDs) to improve their storage efficiency could be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, Australian researchers have discovered..."

    So expect some government intervention on matters concerning which firmware should be built into the devices we use.

    I cannot see any government worth its credibility endorse a product which if employed in crime and confiscated (by police), it is almost impossible to use it to prosecute the perpetrators by government agencies and the FBI in the case of these United States.

    You might wonder how a government might endorse a product:

    By allowing its importation or production and subsequent collection of taxes fro

  • Wasn't this... (Score:5, Interesting)

    by MrNemesis (587188) on Tuesday March 01, 2011 @02:28PM (#35349490) Homepage Journal

    ...a foregone conclusion ever since ATA Secure Erase and TRIM were introduced?

    Secure Erase basically tells the SSD that all of its cells are now blank (AFAIK implementations actually zero the drive as well but I'm happy to be corrected on that); therefore as soon as anything is written to the disc, it will be written here, there and everywhere. It took about 30s to run on my first vertex and I couldn't find any trace of

    TRIM support in the ATA spec, along with kernel/filesystem support, tells the disc that when file A is deleted, cells X, Y, and ABQ are now officially "empty" and that if the controller feels like it, it can zero them out, shunt other data in there, or have a mardi gras for all it cares. The same happens when a drive is formatted; OS tells drive controller "I've just formatted you" and for the sake of preserving performance the controller goes "Brilliant! I can chuck out all this shit I've been saddled with."

    As soon as hard drives start intelligently erasing/shuffling bits of themselves about so that cells are utilised to their utmost efficiency this was bound to happen. Unlike spinning platters where bad blocks were reallocated only if a) the hard disc knew about it and b) the data could actually be read/recovered, it becomes terribly obvious that data on SSD's is going to be read and written and deleted completely and utterly all over the place, without sequential series of sector found in slackspace like you would on a magnetic drive.

    Magnetic drives have no performance penalties for not actually erasing the data, so if you work your way around that double negative you'll see that one of the staples of digital forensics (e.g. recovering files from slack) is a by-product of people trying to make magnetic platters as fast as possible by not actually erasing stuff, because as long as the controller knows that sector is blank then it'll just be overwritten as needed. Technology has now changed sufficiently that the performance gains from new solid state tech are helped by a drive controller that erases stuff as soon as possible, since writing over an occupied cell is slower than writing over a blank one.

    I'm sure there'll be new methods to mitigate the change in tech, we're just somewhat on the cusp of a completely new tech. They'll probably come to an agreement that TRIM doesn't actually delete stuff until the amount of free space in the cells reaches a certain threshold or something like that.

    Disclaimer: I'm not a digital forensic scientist, but am friends with one and we discussed this problem over some exquisite cocktails a few months back. And I don't think TRIM instructions follow the exact specifications I laid out above (e.g. using Brilliant! as an ACK).

    • by ledow (319597)

      To be honest, most data recovery from a hard drive is foiled by a simple zero anyway. All this "must wipe several times with certain patterns" thing is cobblers. Yes, if I was the military, I'd be doing it too, just to make sure, but no-one has yet provided convincing proof that "magnetic history" from drives can actually be recovered in anywhere near a cost-effective or reliable way.

      Digital forensics consists of taking an image of the drive and seeing what you can get from that. Any half-decent implemen

  • by Ossifer (703813) on Tuesday March 01, 2011 @02:34PM (#35349588)

    Why does the government have this expectation that technology should be built in order to make it easy to spy on citizens?

    • by dave562 (969951)

      Why does it always come down to the "government spying on citizens". There are plenty of uses for digital forensics that do not involve tin-foil hats. The only time the government is going to doing forensics on a drive is during a criminal investigation. Those investigations are well documented.

      Look at it from the other side of the coin. "Well your honor, we know that those bastards at Enron cooked the books, and we have the data... but the MD5 fingerprint does not match, so all of that evidence is inad

  • by graeme_ssd (2006566) on Tuesday March 01, 2011 @04:16PM (#35350646) Homepage
    "So either SSDs are really hard to erase, or really hard to recover. I'm so confused."

    Hello, I'm one of the authors of the paper. To explain the apparent paradox in rough terms:

    Drive data was traditionally purged manually, by having the computer tell the drive to write something else over the top of the old data. In the absence of such an overwrite, magnetically stored data persists. However, if you try that trick on an SSD, it may not work. The logical address you try to overwrite may be remapped on the fly, so that your 'overwrite' goes to some other physical cell rather than the one which stored the data. From a logical viewpoint, it looks like the overwrite worked - you can't access the data any more through your computer's OS. But from the drives point of view, the data is still there, lurking in some physical cell that is presently out of use as far as the logical sector list is concerned. A cunning firmware or a hacker with a soldering iron might still get at it.

    However, separately to this, modern SSD drives use tricks to try and automatically improve their performance, and one of these tricks is to pre-empetively wipe data cells that contain data no longer referenced by the filesystem. Here, the drive is actively attempting to permanently purge everything it can from the drive, all of it's own accord, in the interests of accelerating future writes by having a pool of completely unused cells available.

    Summary:

    - If you're a computer telling a drive to zero over some data, the drive may lie to you a bit, and not bother to zero it.

    - If you're a drive, you do whatever the heck you like, and you see the physical layer directly (unlike the computer). That means the drive can open up the NTFS metadata, looking for data cells which could be preemptively reset, and nuking that data out of existence (when it might traditionally have been recoverable to an expert).

    In summary. If your drive wants to nuke something, (and we've shown, they really DO want to nuke everything they can at a few minutes notice), it gets nuked. If your PC wants to nuke something, it may or may not get nuked by attempting an overwrite.

    Finally, separate to this is TRIM, which is a hybrid of the two situations - an ATA command by which the OS can signal to the drive that it would like the corresponding physical cell for a particular logical sector address to be nuked, thank you very much.

    Hope that clears things up.

    Graeme.

Stupidity, like virtue, is its own reward.

Working...