The "How does Passbox work?" isn't clear to me. Is it encrypted at rest? Who has the password (or passwords), and is it just one secret key to unlock everything? Do my Trusted friends have to remember how to access Passbox, and a Passbox password? Am I notified if they do? How many of them do I need to select, and what if they die before I do, or move out of my life, or otherwise cease to be Trusted?
This all feels like it's trying to apply the web-SAAS model to a domain where it really doesn't fit.
I'd rather have a simple system where I could take any data, easily encrypt it on the client-side, and put it somewhere that's going to stay around for a long time (S3? thumb drive?). Then I give my lawyer the password and instructions on how to use it, on a sheet of paper. At any point, I can upload new data, replacing the old data. Digital security isn't as important because it's always encrypted before it leaves my desk. I don't need to maintain Trusted Friends because the only person with the password is my lawyer, who keeps it with my will.
Dealing with my possessions after my death is a solved problem. It's possible to simplify parts of it, but we shouldn't try to replace it entirely with another model that discards the good parts of what we have.
Here's a similar service with a straightforward description (I have no connection, I think I saw this on HN): https://www.deadmansswitch.net/
Personally, I know a handful of people I would trust to execute a non-legally-binding will who are also competent enough to combine a key and some encrypted data if they have both.
That's mine, by the way, so I'm available to answer questions if anyone wants.
I'm actually planning to rewrite it and move it to a new stack soon. It also accepts cryptocurrencies if you are so inclined (you have to email me to arrange that, but I'll add a payment processor with the rewrite).
I plan to add some more features with the rewrite, mainly file hosting for a monthly fee (many people have requested it).
If you don't already have it, the ability to specify multiple check-in email addresses would probably be good. Too many ways to lose access to email accounts for that to cause distribution of "if you're reading this then I'm probably dead" messages.
I'm not a native speaker, so maybe there is some nuance I am missing... Why not a "dead person's switch"? Is legacy control a male only thing? Nevertheless, great service indeed!
At one point I was considering a Shamir's Secret Sharing based idea with the thought of especially targeting lawyers as a key part of "digital estate planning". The trouble happened that the more I talked off hand with various lawyers about the idea, the more it sounded like what I really needed to make was a political lobby first (and that's not something I'd enjoy).
We have a lot of estate laws for arranging physical goods. We have almost no digital asset rights that survive our passing. Most of our accounts are explicitly locked to our lifetimes in Terms of Services agreements (generally, they are between me and only me and the service).
There's likely going to be some big political battles over the next decade or two as folks with big Steam collections or Movies Anywhere accounts or Dropbox file stores pass on and try to pass those digital "assets" to surviving family members.
So my "simple" idea of "I want to build a tool for lawyers to securely write down and file people's passwords in their wills/trusts" became a giant rabbit hole of "securing the will/trust may not be the hard part, making sure those passwords are useful to survivors is a very hard problem that currently everyone is kicking the can on".
In most cases, like Steam and Dropbox, those services don't seem to check or particularly care that you are the original account owner. They do two factor authentication, security questions, etc, but that's just trying to make sure you haven't been hacked, and preparing for it would be part of giving someone secure passwords in your will.
The point is that lax enforcement doesn't matter to lawyers when questioning the legal basis for something. If you are going to start encouraging every lawyer to start contemplating adding passwords to wills and trusts, they start to ask a lot of questions if that is something that can even legally be put in a will or entrusted to an estate.
We don't have good legal protections for that at all. Consider that in some Terms of Service agreements, sharing a password at all, no matter the reason, is itself a breach of Terms of Service. That most services may not enforce such ToS clauses today doesn't imply that they won't start enforcing them tomorrow.
(Multi-factor is another land mine mess in digital asset rights. We barely understand how biometric locks should affect things like privacy laws, let alone has anyone really started talking about how you deal with a dead relative's thumbprint or "face ID" in their absence. Passwords are at least physically transferable, a lot of MFA, especially biometrics, is not.)
They told me that they wouldn't pay for a service to securely provide passwords to heirs without the legal issues addressed first. There's a difference between "my client intended to include this bit of secret information to their heir and what the heir chooses to do with it is their responsibility" and "I'm going to encourage my client to work with me to sign up and pay for this service in order to entrust their passwords to future heirs" in terms of good old fashioned CYA [Cover Your Rear].
Which is a big part of why it needs to be a political lobby or working group: lawyers don't think anything about the ad hoc cases ("give this password to my heirs") because it isn't their responsibility at that point other than storage and it isn't distinct from the rest of wills/trust documents. Then there is the problem that it isn't yet common enough for them to abstract it into a "class" and/or yet think to ask every client of theirs for passwords for continuity of digital estates/digital asset planning. As soon as they do start to consider the repercussions of the latter is when they do start to get antsy about their responsibilities (is it legal for every service, the answer to which is currently "no" [the discussion above], and then increasingly complicated follow ups such as can you "split an account among multiple heirs" and "what's the retail value if it needs to be auctioned" and so on and so forth). Lawyers at that point want the comfort of laws to back them up in any such responsibilities, at which time it looks necessary to start a political lobby to build digital assets rights into laws.
Thanks for checking it out! Apologies for not striking the right balance of brevity while also being informative for you. I'm trying to improve there.
All the sensitive data is encrypted at rest using a key/passphrase determined by the user. Passbox doesn't store it and can't assist if it's lost/forgotten.
That key would need to be shared with your trusted users and they would need to create their own Passbox accounts. Only folks you assign to your account (via email) can request access to view your data. No one else.
On the standard plan you can assign as many trusted contacts as you'd like. This is potentially useful for segmenting who gets what collections of data.
Both you and the requested user are notified of access requests to your account and also of any approved requests. A group without assignees is shared with all the trusted users you've linked to your account if they're approved access.
Any trusted user you assign can be easily removed or replaced.
---
Again thanks for your perspective! This is one way I'm thinking about tackling it and appreciate other ideas.
Have you thought about secret sharing cryptographic schemes? Nobody gets access to your data until most everyone that has a share of the key agrees that something bad has happened to you.
I’ve given a lot of thought to this problem lately after becoming a parent. However, I just can’t picture trusting this to a third party. Ideally I’d store my master password to my password manager and give instructions on what accounts exist and what to do with them. By storing this on someone else’s server I’m at risk of that data being leaked which is effectively the ‘keys to the kingdom’. You can talk about encryption all you want but without knowing what’s actually happening with that extremely sensitive data behind the scenes I cannot trust your product. Perhaps a Bitwarden style model where the source is provided could be a solution? Because Bitwarden is open source, self-hostable, and audited I can have some degree of comfort that my data is actually encrypted client side and stored safely.
Speaking of the problem space, what non-tech techniques do people use for this scenario? The best I’ve been able to come up with is storing the information in two safes and leaving instructions on how to open the safe in a will or with trusted persons. Other thoughts?
Although I haven't personally set this up, my plan has been to at some point:
* Put important documents and passwords in an encrypted archive or true/veracrypt container.
* Distribute the archive to relevant parties via physical media (e.g. USB stick), possibly put a public version online on somewhat reliable free hosting.
* Store the password to the archive (without any indication as to the purpose of the password) on a service such as the one in the article or an alternative, e.g. Dead Man's Switch
Because of the physical distribution of the archive, it makes it hard to change the secrets in the archive - but other than that it seems solid enough...
I created https://www.deadmantracker.com and am implementing the reverse of this but your solution is a good alternative that I might support too.
The way I saw it working was:
* Encrypt docs into a compressed archive
* Upload encrypted docs to service
* Distribute password for unencryption using something not built into the service (tell them via Signal, or Protonmail, or a piece of paper, or word of mouth)
* Link for encrypted archive only becomes available once the dead man's switch is triggered
In the same way a password could be uploaded and only released when the switch is triggered. A service just can't hold both parts.
You could in theory have a digital safe that you yourself can open with one key, and a quorum set of 2 keys that require both. You distribute 1/2 combination keys to your kids and keep one yourself. When you die your 1/2 key is passed to the kids who can now open the data. The keys themselves are useless without the other keys so anyone in the chain of custody of the key until it reaches your kids wouldn't be able to open the data. No one would have to have your singular key.
I wrote https://bs.parity.io/#/ exactly for this; it also tries to avoid the most obvious opsec mistakes, like trusting your printer too much =)
BananaSplit is of very experimental quality, it hasn't been battle-tested and independently reviewed yet.
But at least it's there, it's FOSS, and I encourage you to inspect the code, contribute to it, or re-host the HTML.
I hope you’re kidding about the two safes thing. Either hire an attorney for this purpose or accept that your family will have little to no recourse for challenging claims from individuals, businesses and family members who claim rightful ownership of parts of your estate. You can buy all the safes you want but they won’t hold up in court.
Even if you want your spouse to be your executor you need an attorney to receive your power of attorney immediately so that they can make him/her the executor. Without an attorney and notarized documents, if someone shows up with a piece of paper that says they get everything and it has your signature then their claim is just as valid as your spouse’s.
The idea behind the safes is to store instructions for accessing a password database so loved ones would have access to the various online accounts. Think utility bills, banking, email, etc.
If the system for providing a third party (spouse, children, etc) access to online accounts is broken then surely you can see all the ways that one’s life could be turned upside down.
I’m well aware that I also need an attorney and necessary legal documents for establishing power of attorney and executor of the estate. Would an attorney be an appropriate person to share the information about unlocking my online life with? I know they’re bound by various ethical and legal frameworks but it still doesn’t stop people from doing crazy things.
I like 1Password's auth for this. There's a long key you need once (this stays in a lockbox), and a master password you need every sign in (safety deposit box with no information about what it is).
>I hope you’re kidding about the two safes thing. Either hire an attorney for this purpose or accept that your family will have little to no recourse for challenging claims
Silicon Valley: who needs accountants or lawyers?
Also Silicon Valley: how many safes do I need to ensure my spouse can access my KeePass database?
Interesting! This was kind of my software engineering II project back in college a decade ago. I wrote it in PHP. You configured all sorts of different actions that would occur if you failed to check in every once in a while (there were lots of ways to kick the deadman switch down the road. A simple phone app, you could text message a number with anything, you could send an email..)
The idea was that you could configure "I loved you and never told you!" emails to go out, cancel your electricity / gas, ask people to return your videotapes, send your top secret dossier to journalists, and give access to sekret treasure maps if you get eaten by a bear while on a hike.
I never had the moxie to make it public, but I always liked the idea. I wish you the best of luck!
- I think the pricing structure is way too high. $60/year is quite a bit for what you are offering. At that price, I would rather rent a safety deposit box with a bank and just tell my friends and family about it. That way, I can store passwords as well as physical valuables there.
- This seems a lot less useful than LastPass's Emergency Access feature. Once I'm trusting a third party with my secrets, I might as well keep it to just one third party. Again, if the service was cheap enough, then maybe I wouldn't care, but $60/year is a lot.
- It also seems like a hassle to update my passwords in passbox every time I change them. I'm going to forget. I need it to sync automatically.
I’m not tied to pricing at all and had to start somewhere. There’s been pretty good discussion on it throughout this post. I’ll consider everything while also taking into account this being the HN crowd. I personally don’t think an actual safety deposit box compares both in terms of ease of updating its contents for digital-related items (which you also mention about Passbox in your last point) and for modifying access to it - physical key distribution and revocation.
How is it less useful than emergency access (assuming it’s not just the price which is a work in progress)? Also, I’ve built it to allow for you to segment who can get what so there’s the idea that you can have multiple trusted parties getting access to varying groups of data (or all of them equally).
I’m with you in the updating aspect. Currently one could update with csv exports but it’s not the most ideal scenario. I’ve got thoughts on this but nothing ready for public discussion as yet.
Thank you again for checking it out and commenting!
I agree this is too high, but a better question is, will this service even be solvent in 50+ years? I don't even expect my Gmail account to last to my death. Maybe at that point, maintenance and support engineers will be entirely automated.
While I agree that your pricing makes more sense to the customer, consider that $99 is only 17 months.
Someone who signs up with this service and sort of forgets about it or thinks about it like life insurance (just another small monthly bill), could be a paying customer for 20 years and ultimately be worth $1,200 to the company.
Couple that with the monthly fee model being much easier to pair with a "3 months free" offer, and the current pricing may be optimal for the company even if it results in significantly less signups or a less common sense pricing strategy.
The price doesn't matter. In fact, $99 is very likely too little. I shouldn't have thrown out a token number.
I mean, it would cost ~$0.11 to store 1KB of data for 100,000 years [1]. I don't plan on living that long.
$99 would be more than enough to store 1KB, 10KB, 1MB for 100 years. Business-wise, death is big business, charge $1,000, $1,500, whatever as long as you can convince people it is worth it.
Emotionally it feels much better to pay a lump sum and now it is taken care of rather than having to swallow and maintain a monthly payment regardless of its size.
I don't want to look or think about my will every month. I want it to be done and filed.
Thanks for your thoughts and the clarification to your original point.
I understand your set and forget mentality with respect to paying a single fee, setting Passbox up and then leaving it be. Does that change for you at all given the fact that digital items/accounts/etc get updated on occasion? You may also fall into and out of favor with trusted folks and may need to adjust who is allowed to access your account or even assign the data differently.
Other than this I like how you explained not wanting to think about the price on a recurring basis.
Free alternative: use one of several tools that implement Shamir's Secret Sharing Scheme to split your master password into chunks. You can create a bunch of chunks and require that at least a certain subset of them be used to recover the password.
For example, you could encode your password into 10 chunks and require that at least 5 chunks be presented together to recover the secret. Any 5 chunks of the 10 (in this example) could be used, but it is mathematically impossible to recover the secret with just 4 or fewer of the chunks (in this example). Thus, you could spread those 10 chunks among 10 trusted friends, the idea being that they would recombine the chunks only in the event of your death. Moreover, if you are not yet dead, at least five of your trusted friends (again, in this example) would need to betray you for your secret to be stolen.
I'm with you. That's one of the big challenges I (and anyone in the space, I presume) would have from outset. On the bright side Passbox would only be random until it's not. The right news article, partnership or some other form of validation would inspire trust. It's not there yet but any company has to start somewhere and build up.
Maybe. "random" wasn't intended to be the focus of my comment. But even if, I can't see how something like this is feasible. Even with the best of intentions, services get hacked and they break. A tiny mistake (maybe some extra logging, now or down the line) could expose users' data. All services dealing with personal data claim being secure, until users receive that dreaded "we're sorry" email.
Maybe if you allow uploading files (that would be gpg encrypted by users, locally) with some mechanism to have their keys physically sent to their relatives in a way that you don't store it or even have access to it, it'd be something worth paying for. But at this point, one can just get a safety deposit box, and they can give their loved ones the encrypted file(s) even before death.
Serious question. Why wouldn't I just use a safety deposit box? Outside of the convenience of being electronic what benefit does this add over a physical storage space? The deposit box can store non-electronic stuff as well. When I die, I can pass the key over to the executor and that person can go through the contents etc.
To me I think that'd definitely work with static content/data and of course physical items. Things like passwords, accounts, devices and any special notes you may want to leave can change pretty often and presumably could become a chore to replace in the box and get neglected.
It could also be a hassle handling physical keys and also re-assigning who gets what. The barrier to having multiple and also changing accessors goes down.
Overall I'm not knocking the deposit box approach but it could be a little more work to maintain.
I created Passbox after buying my first motorcycle and thinking that if anything happened to me on it I'd like for my devices/accounts/photos and such to not be walled off forever.
I'd love to hear your thoughts on the app, approach and any feedback in general! Thanks!
I've thought about this. Not a final decision per se (and I haven't coded anything for the scenario) but I imagine I'd maybe have the third party accessing the data pay (up to a cap) to reconcile the account to make it "current" before giving them access - something like that.
It avoids folks signing up, canceling the card and then riding for free.
My 2 cents, ditch the monthly plan, price it yearly instead. Monthly plans are for things you will actually use day to day like Netflix, yearly are more like "insurance" products which is what this is, I think displaying the yearly option will be a better value proposition for people looking at it.
Second, I don't know what payment you're using, but seriously consider PayPal if you're not already, because I'm pretty sure you can set up yearly recurring "subscriptions" on PayPal and people are much more likely to keep their PayPal funding sources up to date. So you're not going to have to nag them to update credit card info every couple years and they're less likely to have occasion to think "do I really want to pay for this", it'll just be paid automatically.
That's an idea for sure. What could be interesting is cases of some credentials/data/whatever being shared among multiple folks. So do you wait until each person has viewed/downloaded then close? Do I (Passbox) notify everyone else if one person gets access then allow them all access? To be continued...
I would suggest a mix of both. The issue with lifetime fees is eventually someone will start to cost you money. I had a friend who sold some lifetime subscriptions to a VPN service, it's just not entirely feasible.
On the other hand, this is what I use Bitwarden for, so my wife has access to important accounts and vice-versa. Bitwarden does provide free shared passwords for 2 users.
And with lifetime pricing I don't like the idea of just keeping that money if someone churns. Maybe I'm just not enough of a hardened business person haha.
In your case with Bitwarden you're sharing access to your credentials and such with your wife right now, today, right?
With Passbox I'm looking to defer that access for data that makes sense. In my case I'm currently single and no one else has access to my iPhone but if I passed then maybe my mom or best friend should have that - as a hypothetical.
If you're sticking with recurring, you'll still need to keep the data for some time after the payments stop. The PR will be disastrous for you if someone passed away, and therefore the payments stop, and then all of their data is lost (worse: now imagine consequential financial loss from the loss of their data). I don't know whether you could be held liable for that or not.
That is correct, and yeah I see what you're saying. For example if both me and my wife were to pass away I don't know who would be able to access our things.
> On the other hand, this is what I use Bitwarden for, so my wife has access to important accounts and vice-versa. Bitwarden does provide free shared passwords for 2 users.
I just set my wife's email as the recovery address for my Gmail, figuring she can reset most of the important stuff from there.
But that's only a solution for "get into my accounts when I'm dead", not "share access to these things right now", and doesn't have the added benefit of a relatively secure password manager. And it ties you to Google, which may not be the wisest decision (but of course you could do something similar with a different service).
One potential benefit of something like a Passbox is that the important accounts would be ideally listed out vs having to guess what they are then reset the password via your gmail etc.
I don't think that's a fair comparison. VPN services have significant ongoing technical costs: bandwidth, servers, labour (upgrades, support, security, incident resolution) etc which you must pay monthly but are never recovered when charging a one-off price.
If you're finding that the users you're sharing your passbox with are requesting your passwords every day, that's probably signal enough to remove them so they automatically use the service less. I'd expect the lifetime marginal cost of an additional user here to be a very small percentage of the revenue for that client.
> If you're finding that the users you're sharing your passbox with are requesting your passwords every day
This is an interesting scenario I've thought about. Thanks for sharing!
It could be the case that once the "death trigger" happens there's a countdown for the requesting user to download the data and then I (Passbox) lock everything down or delete the original data or something. To be determined...
Given cloud pricing structures and some basic actuarial tables, it shouldn't be too hard to put a reasonable limit on your resource costs. The real question is whether the cloud will last, or if you'll need to migrate everything off of AWS and onto something incompatible some time in the next 40 years.
Thank you for checking it out and for your feedback!
An initial thought I had was to look at it as being akin to an insurance policy of sorts and that's what sort of led me down the recurring revenue path. Definitely will consider one-time fees for the future! Thanks again!
Those types of insurance policies pay out on an event, so a monthly premium makes sense as nobody can afford to pay it upfront.
I'd say your service is the internet version of someone creating their will, and leaving it with a friend or family member, which are all one-off costs.
While I like the general idea, I do have mixed feelings storing so much valuable data online, on servers of a company I don't know, that operates in the US.
Do your feelings change at all with knowing that the data is completely encrypted at rest and inaccessible by me/the company even though I have access to the database?
> 1 - Even with access to the trusted contact's account a passphrase/access key (specific to the main account and not stored by the service) is required
I understand that your service is encrypting the data before saving it (vs that happening completely on the client and only encrypted data being sent to you), so there's nothing stopping you from logging it to a plain text file (even accidentally). Given that these passwords will likely hold the keys to that person's identity, that's a huge amount of trust that they need to have in you, your technical abilities and future decisions.
100% agreed with you here - no denying it - and no different from any service that we use where it's up to our trust that they will do the right thing. That said, I can for sure revisit my encryption strategy.
Overall that's one uphill challenge I've seen emerge as I've chatted with folks about the product: inspiring trust.
Bring on the questions! I don’t mind one bit. Feel free to tweet or email me if needed too (email at the bottom of the landing page)!
What’s funny is earlier versions of the landing page had way more detail for what you’re asking about and I got chided for it during user testing reviews haha.
Every user generates their own key (which can make it more friendly) and would need to provide it to their contacts on their own. It’s required to be set before you add any data.
Modifying users doesn’t change anything for me. Any new contact would need to be sent the same key or you can change it! Old users wouldn’t be able to request access regardless of knowing your (maybe old) key.
Hey! One of my best friends died in a motorcycle accident -- he was a developer as well (got me in the field!).
After his passing, no one knew how to get on his server and/or his domain registrar's account so as a result, someone else snatched up his personal site as soon as it expired, and pretended to be him for several years.
I really love hearing about projects like yours cause I'd definitely want to avoid stuff like that!
If this actually goes anywhere I personally wouldn't shut the company down silently. I'd have contact information for everyone involved to help them prep for its sunsetting.
Saved a PGP encrypted message to some friends.
One time fee of $20, but the free tier is more than enough.
Super simple UX.
I click a link in an email once a month.
My solution is to doubly encrypt a 7zip file with 2 separate passwords and send each password to a different individual so that they need to cooperate in order to access the information.
I’m surprised there wasn’t a lifetime plan for $5.99. The cost to store that amount of minimal data is moot. I would never pay monthly for something like this - but would likely jump in a second for my aforementioned plan.
Good idea thinking out of the box with your SaaS. Good luck!
As you can imagine I had to pick an approach and run with it. Nothing’s set in stone and I’m considering the exceptional feedback throughout to see what changes I should make that are mutually beneficial.
Taking pricing off the table would you be game to give the app a test drive and email me your feedback/thoughts?
LP is cheaper depending on how many users you have. My current model allows for unlimited trusted users (people who can request access to your account) for the same price. LP charges per user.
I haven’t coded anything for that yet but my thinking is to possibly have the third party user pay the balance of what’s owed (probably up to a cap) to access the account owner’s data. Reason being that without that anyone could ride for free by using a card that is then canceled.
Another solution is to share the data with friends and family while you are living. Most services and passwords can go with you to the grave no dramas. Bank accounts etc. would be covered by a will. Access to domains etc.: Personal blog, who cares (just author in GitHub then someone can grab the source if they want) anything valuable domain wise should be owned by a company. That company should have procedures if you die and probably will share passwords between trusted owners or employees.
I don't disagree with you here. I just aim to offer a one-stop shop to get that access.
The ideal scenario too is for credentials, data, etc that's not currently shared between people when alive. So I, for example, as a single dude don't have anyone else with access to my iPhone, email, or Facebook. That's not something I'd just hand over to anyone just in case. In a Passbox scenario though then by all means!
I know what they're trying to do, but "bank level" doesn't inspire confidence. Financial institutions have regularly clunky rules like max password sizes, and I've gotten a plain text password emailed to me by a bank before. I also feel like they're overrepresented in the Troy Hunt security shaming (https://twitter.com/troyhunt).
My trusted friend decides to try to access all my online accounts, and requests access to my Passbox. Passbox sends me an email informing me of the request.
Oops. The email from Passbox ends up in my junk email folder by mistake. I never see it.
After the waiting period, my trusted friend gets the information from Passbox and proceeds to wreak havoc with all my online accounts.
Email is the current approach I decided to _start_ with but isn't the only way to go about it. Voice calls, text messages and maybe even push notifications (if a mobile app materializes) are feasible approaches too.
I’m with you on number 1. It’s going to be an interesting challenge to overcome but I’m mindful that even the biggest of names today started from scratch.
Understood on your second point but should it be wound down it’s easy to contact everyone, provide a suitable sunset notice and allow off-boarding.
You should line up the free and paid features, perhaps in a table. I can't glance at a list of 8 items and a list of 10 items and distinguish what changed between them, so I'm not sure what I'd be paying for.
You'd really be giving the company garbled (read: encrypted) data and allowing folks you care about access to your actual data/passwords/notes/whatever.