Anyone tried XeroBank (formerly Torrify)

Re: XB and Tor

Yes, NoScript does not differentiate between Java, Javascript and Flash. However if you use a more advanced filter that does (a standalone one like Proxomitron or a firewall option like Outpost's Active Content plugin) you can permit Java or Flash on a site-by-site basis.

That's not even using Javascript, but an IE-specific flaw.

Returns the Tor-supplied IP address for me, even with all filtering bypassed.

Uses (and requres) Java.

YMMV then, but I only encounter problems due to Javascript-blocking on 20% of sites I visit. I have yet to encounter a problem blocking Java, and would certainly be very cautious of a site that required it.

If a site you "require" won't work without Java and Javascript enabled, then you indeed "have" to trust it, since not only can your real IP address be found (unless blocked with tight firewall rules), but you also the possibility of obfuscated/encrypted malware or webpage exploits. Giving sites such trust by default though, is highly risky and potential loss of anonymity is more a minor danger.

Not heard about Flash being used for CAPTCHAs before and it would seem a questionable decision on a webmaster's part. However, as I have said above, allowing Javascript alone has yet to provide a means of unmasking Tor/XB users.

I tested it with all filtering disabled (just disabling Java in Opera) and it failed, not even attempting a direct connection. On that basis, I can be certain that allowing Javascript alone would not allow your real address to be revealed in that case.

For the time being, the risks of public backlash would seem to far outweigh the benefits (finding the real address of a tiny minority of users). That may change in the future with a greater number of people using anonymity services, but for now this isn't a mainstream issue.

 

Re: XB and Tor

Outpost firewall, from what I checked here, is unable to covers Firefox browsers (or at least with xB browser?). The plugin section is only working with IE, which is sad. Unless this problem was somehow solved.

I haven't checked Proxomitron yet. But remember, we are assuming that most people don't even know the existence of such filters, and are assuming that Noscript by itself is capable of preventing such threats.

That's correct - the link posted below explains that IE have a flaw that FF doesn't:

http://sla.ckers.org/forum/read.php?3,4022

Since you allow everything on the Noscript whitelist, you're allowing Java to perform the test, and also Javascript. In my test here, using Noscript, FrostJedi returned my Tor IP and also my internal IP, however, instead of my "true IP" (a number like 300.900.200.8.1) it was 127.0.0.1 / localhost.

Until now, every single website like gemal.dk was returning the same result. So, if you're saying that this code uses and requires Java, we are perfectly safe, since this code is not bypassing any proxy browser rules. And they can't break anyone's anonymity. That's why I was telling you that this code is worthless. And if it's worthless, allowing all plugins from a privacy perspective, will not leak anything.

http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf16
http://stud1.tuwien.ac.at/~e9125168/javas/jhostip.html

That's exactly my point, we don't know what sites can be trusted. Even trusted sites these days can have any exploit, and perhaps a way to break anyone's anonymity, if everyone becomes interested on privacy (which is very unlikely, but not impossible). Speaking for myself, I don't trust anyone. Whenever I am forced to activate Java/Javascript/whatever, it's not my decision, it's something needed to use all important and required resources.

I will give you one example of site who works this way: Orkut.com. You don't have to activate anything to make a register there (from what I know). But if you're going to make new posts, delete scraps, change your settings, that sorf of things, you have to put them on your whitelist. In fact, you have to add 5 entries on Noscript whitelist.

img1.orkut.com
img2.orkut.com
img3.orkut.com
img4.orkut.com
www.orkut.com

You can't disable anything to perform this test, that's obvious. If you do that, you will not see what I was trying to show here.

You have to assume that most people are allowing that page http://ha.ckers.org/weird/tor.cgi on their Noscript whitelist, just like any trusted site.

Assuming that you're using XeroBank, Steve have already configured this plugin to not allow anything while you're visiting that page. Of course this protection is removed after you allowed them on the whitelist.

When you are exposed to that CGI code, he attempts to make a direct connection bypassing the browser rules. That's the first code I ever encountered that is really working.

The firewall is preventing that attempt, so your true IP is not revealed, and the page can't continue loading anything anymore. That kind of protection, from what I understand, it's only performed by your firewall. When I turn off Outpost, my true IP was imediatelly revealed.

My point is, we don't need to block this exactly exploit, we need to prevent him from working. And your firewall is the only one doing this job.

 

Since this question has been brought up, I have another one: why didn't you try to modify Firefox to not make direct connections, Steve? Is it possible to block (or even remove) the option to make these connections, only using the proxy manual settings?

I know there's a Tor button on XeroBank, however, I never used it to disable Tor network. I mean, why someone will bother to turn off this thing, if it's already having all the trouble to download the browser? If I ever need to make direct connections, I may use Firefox itself, not XeroBank.

Regarding the rules to prevent this link:
http://ha.ckers.org/weird/tor.cgi

From working, here they are:

Browser Block Direct Access

Where the Protocol is TCP
Where the Direction is Outbound
and Where the Remote port is HTTP, HTTPS
Block It

So, why didn't you just make an extension or modify Firefox to never connect to such ports (80, 443) in the first place? I don't get it.

Sorry if I am missing something here.

 

There are a couple of issues. If I edit the mozilla binaries, I then have to distributed the Mozilla Firefox source code, and then have to manage the code forever. Big big hassle. Although, we'll probably do that in the future when I can hire 3 guys to do that programming.

Until then, what I've decided to do is hardcode the settings into the profile, so the user can't change the proxy settings and save it between sessions. It will only use the proxy settings I tell it. This can be done without editing Firefox at all, and seems the smart way to go, to me.

We'll actually probably get rid of it. It is a vestigial organ from when we didn't have an ultra-fast alternative to Tor. However, some purists might object. Some people still want xB Browser for Tor use only, in which case they could keep it around as their only browser. Anyone else have any comments on that?

The suggestions for firewall rules don't really apply. What you are suggesting is to keep people from being able to browse the web via http and https. We don't want to stop that, we want to stop direct outbound connections from the host computer to the internet, and force them through the proxy. But the browser already handles that. So just forcing the user not to be able to change the settings seems to be enough. Thus the above suggestion.

 

Steve, what I was explaining on my last post was that Java trick is capable of bypassing proxy browser settings, which you have placed for XeroBank.

It doesn't matter if Tor is enabled and everything is fine on the browser, or even if all users can't change their settings. What matters is the fact that there's a flaw (or breach?) in security who is actually compromising the privacy of all users. And being pessimistic, everyone who doesn't have set the same rules on a firewall is not 100% anonymous while using XeroBank.

You may also consider the fact that, in the past, XB was crashing in a way that all settings were reseted (this doesn't happen anymore). So, if all configs were reseted in the past, you may be surfing without Tor enabled and don't even know it (if you didn't put the status on your sight). Another risk is the possiblity of by acident turn this thing off.

I can't speak for the others. But in my opinion, XB should not be a hibrid, only an anonymous (and safe in terms of privacy) browser. And that means removing all the possible breachs to compromise this in the first place.

Listen to this, that rule posted above which is blocking ports 80 and 443 (HTTP and HTTPS) from my firewall is currently the only tool who is preventing that Java code from disclosing our true IP. As I said before, we may be using Noscript to allow a "trusted" site who might be running that code and we don't even know it.

That rule (correct me if I am wrong) it's the same thing you said on your post:

We don't want to stop that, we want to stop direct outbound connections from the host computer to the internet, and force them through the proxy.

You can't stop these outbound connections if you let Firefox/XeroBank make connections to the ports 80 and 443 (the way that Java code works).

In my opinion, everything should be forced to go through the proxy manual settings. But, as you can see, this is not happening.

 

Re: XB and Tor

The plugin filters HTTP traffic so will work with any browser (though it cannot cope with HTTPS-encrypted sites) - there is a toolbar for IE but that's the only browser-specific feature.

Well, technically it can if set to block but in cases like this, more finer-grained control (the ability to filter Java or Flash only) would clearly be useful.

Given the information that social networking sites typically collect on members (see Snooping on users Facebook 'staff perk' - claim for one example), I would consider their real IP addresses to be the least of their concerns. And in Orkut's case, since it is owned by Google, they have the ability to link a profile with any search queries made using the same computer unless you are very specific with your cookie settings (and even then, that isn't a guarantee of privacy - the better choice would be to switch to Clusty or Scroogle for searches).

In fairness, most other personal firewalls should be able to do the same. However it would also seem a prudent step to modify the XB browser to either block outright or issue a warning prompt whenever a direct network connection is attempted.

 

Jim, even if you do get a crash where you lose all your settings, the default settings are to block java, javascript, flash, quicktime, pdf, and all other compromising plugins.

But you're right about it being a hybrid. It shouldn't. It should be all or nothing, and I'm going to change that.

 

Re: Xerobank from Saudi

• 
  
  But it doesn't seem that I need to worry about any of these things with xerobank. I tried the link that Jim posted that was able to reveal my IP with tor, but it was not able to reveal my IP with xerobank Pro VPN. Nothing so far has been able to. That is why I feel more secure with xerobank. Am I missing something?

 

What I meant by that was that every program like messenger or voip or anything that I use to connect to the internet is through xerobank and that is all that is ever seen. By the way, I was able to detect my real IP while using tor with one of those links that you posted, but it did NOT reveal my IP while connected to xerobank. It just just gave me xerobank's IP again.

 

Caspian, you're right on. Jim is probably just using Plus services, which if you mess up your profile from our default settings, can allow leakage.

Shortly that won't be the case, no matter what.

 

I could never settle for a Plus account. I want to enjoy my video players and music, messengers, Skype and everything without having to think about anything. Well, except maybe clearing cookies and private data and not giving out personal info. I don't have a lot of money, but I would go out and mow a lawn to get a pro account if I needed to. It would be well worth it to me. I am completely spoiled now. I especially like taking it with me when I travel. I just think it is amazing. I hope xerobank stays around for a while.

 

Re: XB and Tor

Steve, I am using the free browser, which is connected to the Tor network.

I suggest you see the previous page from this thread where I (and other members) have placed another questions regarding your services.

I have to disagree on this one. Considering the way this social network has become in the past years, leaking your true IP it's the only (or at least the most important) thing that will make you vulnerable. A recommended article: Google, Privacy and You

Perhaps I wasn't clear on my last messages. I don't want to be anonymous by only erasing all common traces like cookies, cache, authenticated sessions, referrers and that sort of things. Everyone can do that. It's the most logical course of action.

I am always cleaning all these things after I left each website. And not using Google search (and other services from them). Even my profile, like this board, has no personal info.

I want to be untraceable. That's how we really know we are anonymous. I know what you're going to say. There's no such thing, since you're lefting different IPs behind. We are not invisible on the internet. We all know that. But assuming that identifying people behind Tor (or even XeroBank) it's very difficult by ordinary reasons, our privacy is somehow guaranteed.

Assuming, of course, you're always hiding/masking your true IP.

More specifically your ISP gives you your IP address. Their Log file looks something like this (very general, not exact):

Leased IP address 204.200.156.255 to HWADDR 00:00:00:FF:FF:AB:BA

They take this, then they go to the billing department and they say "Hey who did we give cable modem 00:00:00:FF:FF:AB:BA to?" The billing guy types it in and says, "Looks like we gave that one to Jim Scheinheimer, he lives at 1456 oacrest terrace se. He downloaded 15 GB of data last month, and uploaded 20 GB."

And unless you are running some type of anonymous routing or proxy system, if you are successfully downloading data off of a P2P network right now, people can see your IP address.

Look at it sort of like a telephone. Feel free to publish a fake telephone number in the phone book or unplug your telephone from the wall, nobody can call you (aka you cannot download).

But if you want to be able to receive calls (aka download files) the sender MUST KNOW YOUR ACTUAL IP ADDRESS. The same goes with changing your telephone number. Feel free to change it every day, or even sooner. But if you want to receive an incoming call, you must let others know your current telephone number. Unfortunately this is how the internet works.

Being able to change your IP by not using Tor don't matter really (except for maybe hiding from a hacker) because there are still records associated with them to a certain time frame, a certain specific person was using. And with these data retention practices, these records may last for a long time.

Regarding modems, they are all unique, and all are Identified via tags that are specific to that individual modem (and also routers, and also NIC cards), so even without a specific time date stamp, a user can be Identified via their MAC address (ID tag for above items) over a wide time period (like the whole time they were in posession of said piece of hardware), knowledge of said MAC address also gives certain people the ability to track your actions all over the net.

So, in a nutshell, of course your dynamic IP address can be traced directly to you, and only to you given the fact a person has a time/date stamp to place you as the 'owner' of said IP address at a specific time.

 

Jim, was there a question in there?

Btw, xB Pro changes your mac address too, not that it matters because we don't log it anyway.

 

About my previous question, please see the following link:
Post 246

Torrify, I just found that one directory was created on the UserData with the following file:

oXMLStore[1].xml

I don't know where it came from, but is not being deleted from XeroBank.

I know that you have taken care of the file "YL[*].xml" which is a hidden cookie (and a way of identify users, no matter what they do) while using Yahoo services (Yahoo Groups for example).

I think XB is better than CCleaner because CCleaner apparently uses Yahoo toolbar (you may install or not), and that might explain why they haven't modify CCleaner to erase this file from Yahoo.

Any idea where this oXMLStore[1].xml came from?

 

Ah ha. Okay here we go:

1. That button should be there. This is a symptom of me not having the profile issues fully fixed.

2. Yes, Pro covers the entire machine. It installs a virtual network driver that routes on top of your hardware, replacing with a virtual NIC that connects to XeroBank. Your OS is then virtually incapable of leaking your data because all of the outbound connections, regardless of proxy settings, are routed through the NIC connected to xB.

3. See Above

4. oXMLStore[1].xml... this is a MSN output I *think*. If you send it to me, I'll dig around in it.

 

Re: Xerobank from Saudi

A good point that I missed - VPNs set up to cover all network traffic shouldn't be subject to "direct connection" type leaks so XB Pro users shouldn't need to worry about them.

 

Re: Xerobank from Saudi

And that makes everything simple for an oaf like me. I don't even understand half of what you guys are talking about, but I am picking up a little at a time.

 

Having looked at a number of "VPN-provider" solutions with reasonable bandwidth, it seems to me that Xerobank offers by far the safest and most sophisticated solution from the technical, legal and practical perspectives. It also feels credible that the venture is driven by a true committment to privacy issues.

Still, a potential issue with this and all similar solutions is that whilst the content of my traffic is reasonably secure, the fact that I am using the service is easily detected (one must assume that most possibly concerned parties will be aware of and able to monitor these services at the entry nodes, right? On the ISP side, traffic analysis will show VPN to an offshore location.).Thus one goes from relative obscurity to membership of a comparatively small and select population of potential terrorists, child molesters, copyright violators and tax evaders. The consequences could be anything, from nothing to registration on watchlists, wiretaps, personal surveillance, etc.

Any thoughts on this? Any solutions to combine privacy with obscurity?

Cheers

 

Adam, that is always going to be a problem. Or maybe it's not, depending on how you look at it. It is a given. I read a quote recently, regarding Tor, where a poster stated, "Tor does not turn you into an invisible light being of energy."

Tongue in cheek, but a point well taken. Thus we conduct ourselves accordingly, if that makes sense. Your ISP can see that you are connected to the Tor network, your ISP can see that you are connected to the XB network. But from that point, you have stepped behind the curtain. I've heard Tor referred to as the "Tor Cloud." You can see the cloud, but you can't see what's inside the cloud.

But it simply isn't physically possible for one to simply step into an unknown black hole, as it were. Connections will always be identifiable no matter what you use.

You wrote: "Still, a potential issue with this and all similar solutions is that whilst the content of my traffic is reasonably secure, the fact that I am using the service is easily detected (one must assume that most possibly concerned parties will be aware of and able to monitor these services at the entry nodes, right?"

Remember, all an entity sees is your connection. Nothing more. With XB your data is encrypted. Monitor all they like.. Nothing to see.


Consider this, though, if an entity has gone to the trouble of monitoring your personal connections, you probably have much bigger problems than Tor or Xerobank. Make sense? I do see your point that the fact that if one has an anonymized connection, that can arouse suspicion.

And the recent rumblings out of Washington, combined with the new German Data Retention Law and legislation in the UK compelling users to submit encryptions keys invloving their data in criminal investigations do not bode well at all.

"Intel Official: Say Goodbye to Privacy."

"WASHINGTON (AP) - A top intelligence official says it is time people in the United States changed their definition of privacy.

Privacy no longer can mean anonymity, says Donald Kerr, the principal Deputy Director of National Intelligence. Instead, it should mean that government and businesses properly safeguards people's private communications and financial information."

Clearly, the ante' has been upped. Anonymity is no longer a "right." And if people claim it as a "right" it will be something people will have to fight for. An ongoing battle. Not only a matter of good software, but how people use it.


Tor does not anonymize YOU, Tor merely anonymizes your TCP traffic. It seperates your TCP/IP streams from your data, thus making the originator of the data nearly impossible to identify.

Anonymity is achievable and here today. Invisibility, is not and never will be.

But with Tor and XB, these are the cream of the crop.

Best,

B

 

Cool, does that mean i can sign up for a plus account, connect it to the xBmachine and do a bit of FTP now and then? Or are the ports restricted on the plus account. I rather have a xBmachine since I want my credit card payments, onlinebanking and IM running over my real IP.

And does the xB machine offer stronger protection while surfing against snooping javascripts, flash and similar?

Right now I sometimes run Tor and janusVM when I want to browse with javascript enabled, maybe thats false security? Thought there was no other way out for the java then through the VPN...

---

This thread is great reading and the main reason I go for Xerobank, but as honestly stated: "the bad guys will be thrown to the wolfs"

Now who is the bad guy? With the latest hushmail issue in mind, are steroid-minded people bad guys? The sure are in USA since the last couple of years, but probably legal in many offshore location where you keep your servers.

What is your view on this, I'm sure the over 1 million steroids users and dealers are looking forward to your reply.

Already looking forward to my plus account, your slogan should be:

"Life is to short for TOR"

All the best,

Thór

 

Ballzo,

I think we are pretty much in agreement and on the same page on this.

You write "..if an entity goes through the trouble of monitoring your personal connections..." However, our personal connections are, typically, already being passively monitored (and with data retention will remain available for retrospective monitoring, potentially in perpetuity). As I see it, it is therefore rather a matter of being "paid attention to" than "monitored".

This is the core issue of my post. If you end up in focus, you might be in trouble, and it cannot be excluded that the very measures you undertake to protect your privacy might provoke precisely that focus. ..

Our elected masters see it fit to abolish fundamental individual rights to privacy, and give themselves the necessary legal tools to unleash whatever human and technical resources they might have at their disposal to violate our newly abolished civil rights. Clearly the willingness to apply these new toys is there and will only be contained by limited resources. In the context of blanket surveillance of enormous amounts of information, some automated pruning and grafting must be employed in order to sift out the most likely offenders to subject to more comprehensive measures. A combination of IP blacklists, traffic analysis, behavioural analysis and content analysis is likely to be employed. (Several ISP's already use Traffic Analysis/Deep Packet Inspection etc. to detect "abuse" and throttle peer-to-peer connections for instance.)

To quote John Adams:

Apologies for the melodramatic background rant and back to topic:

Xerobank, and similar solutions, offers good protection of traffic content but has a possible flip side of drawing unwanted and potentially harmful attention to the user. (Note: I am making the assumption that Xerobank maintains a finite and relatively small number of offshore entry nodes that are either known or easily identifiable, and/or that a VPN to an offshore location in itself could flag attention.)

Is this inextricably inherent in the problem, or might there be solutions to add a layer of reasonable obscurity?

I don't have the technical proficiency to have any meaningful thoughts on this, so please regard the following as nothing more than a brainstorming dump of approaches that may well be technically unfeasible, economically unviable, generally pointless or just plain stupid:

First, remember that this deals with the very subjective issue of obscurity, i.e. improving the odds against detection.

1. A, prefferrably large, number of alternative onshore/inconspicuous entry nodes with significant "normal" traffic volume from various web services in addition to the VPN routing functionality. Possibly a second onshore layer before hitting the offshore exit layers. This could produce an amount of obscurity with regard to ISP level monitoring, with the user connecting to a number of onshore locations instead of constantly tunneling offshore.

2. A private entry node, exclusive to the user, in the form of a VPS configured as a VPN Router. Does not require much hardware and is relatively simple to clone and administrate. Could offer some obscurity by not being public and thus less likely to be "blacklisted".

3. If downloading sensitive material is a concern, and with higher bandwitdh requirements it probably is, a SeedBox-like solution might be worth considering. The traffic volume for controlling the SeedBox can be very modest and might thus be routed inconspicously at low cost. With the SeedBox encrypting and re-naming downloaded material and subsequently placing it on various public and/or private inconspicuous onshore servers for ultimate downloading, an element of obscurity should be possible since the bulk traffic is unencrypted (although the files are encrypted) and with inconspicuous onshore servers. Also source based tracking through traffic analysis or tagging would be quite complicated.

4. Steganography of traffic. For the sake of completeness, though I understand that, even if theoretically possible, the overhead would be prohibitive.

I don't know if any of the above makes much sense, but a good VPN provider, like Xerobank, with a plausible obscurity solution would definitely get my money.

Cheers

 

Thinking about getting an account for quite a while now and getting near to a decision I would like to know what are the things that are coming up - as Steve has stated for quite some time now already.

What is actually in the pipeline and might be released within the next weeks?

 

And therein lays the problem, if you are coming from a USA or UK ISP. Massive encrypted traffic, heading to parts unknown is going to get flagged in a heart beat. Doing traffic analysis on everyone who is on a VPN to non business links, as opposed to a SSLVPN or SSL for prolonged periods is going to be flagged/logged by ISP's. Yes they don't know what your traffic contains, but they do know it is encrypted and will take the position of where there is smoke there is fire approach until proven otherwise. Your freedoms and right to privacy are gone in America the UK and elsewhere. Once an account is flagged for analysis, that is it. Will it lead to anything? Who knows? But there could be a knock on the door and computers seized. The only way around it is war-driving. A lot of public access systems, universities and such already block most if not all VPN access ports so option are limited.

This isn't to knock XeroBank. They appear to have a good offering. But if you are connecting out of your home on an account registered to you. You are playing the odds and they are not in your favour if all is not on the up-and-up.

Good luck

 

Adam you said: "..if an entity goes through the trouble of monitoring your personal connections..." However, our personal connections are, typically, already being passively monitored (and with data retention will remain available for retrospective monitoring, potentially in perpetuity). As I see it, it is therefore rather a matter of being "paid attention to" than "monitored".

Wholly agreed. My own personal definition of "monitoring" is more an active process of surveillance. They are specifically looking at YOUR connections. Passive monitoring in my world view, falls more under the aegis of "logging." They're not driving down the street looking for suspicious activity, they're looking at YOUR house.

And to recap my feelings, if an individual's Internet connections are under active scrutiny, then that entity has a suspicion whether well-founded or not, that their anonymized or private Internet traffic is concealing some illegal activity that the authorities have an interest in finding out about. And if they have gone that far with it, it would be logical to assume they probably know far more about your activities then simple anomymized traffic. Or at least they think they do.

With all due respect, you seem stuck on the point of, "Xerobank, and similar solutions, offers good protection of traffic content but has a possible flip side of drawing unwanted and potentially harmful attention to the user."

I acknowlege that, but see no way around it, but I'm not sure that this is even a problem. Again, this is the obscurity/anonymity vs: invisibilty arguement. You can be anonymous, but you can't be invisible. Even with Tor, Adam, your traffic can be seen.... From the exit node it is in cleartext. But it CANNOT be associated with the originator. Thus.. One's traffic is anonymous. But it is not invisible. But for me , I see little or no problem. To reiterate, Your ISP can see that you are connected either to Tor or XB. Beyond that, one might say it's a dead-end. Tor traffic may be nearly impossible to trace, same with XB and please understand that it's not possible for XB to connect a specific user with traffic. XB will divulge no traffic information unless appropriate subpoenas are executed in every jurisdiction that the data passes through, if indeed, it can be traced at all. Steve has stated elsewhere, that XB is served with approximately 50 subpoenas a month. Not one has been successfully executed. Tor exit nodes are also subject to harassment. A recent discussion on or-talk references a criminal case in Germany. The exit node operator is being blamed for fraudulent activity passed through his node. The node operator had the Hercualen task of trying to explain to a Magistrate that this was not his traffic. Point being with Tor or XB, darned well nigh impossible to associate specific traffic with a specific user.

B

 

Yep, hacking into WLANs, mobile access through identity theft/cloning or stolen cell phones, is clearly how any REAL criminal or terrorist with a fraction of a brain communicates. All well known and understood in intelligence and law enforcement circles, which makes the abolishment and violation of our fundamental rights to privacy even more questionable. It's got nothing to do with fighting terrorism or even serious crime, and everything to do with pursuing copyright infringement and tax evasion. Go figure what's ahead.

Good night, and good luck - indeed...