Google Analytics And Secret Messages

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 07:35 AM
Some assistance is required. I need to confirm my findings by one that is familiar with bitshifting within JavaScript.

I was able to decode the message, but I am a power user, not a C programmer or engineer--my method of discovery was indirect--me and my lateral thinking.

It appears to me that there is a STRONG......and I mean STRONG possibility that google-analytics is embedding a message within the browser computer memory of all people visiting any website that pulls the common urchin javascript include.

The code to be analyzed:
http://www.google-analytics.com/urchin.js

Now, please don't get me wrong. I do know and will post the most obvious features this tracker is performing.

I will give you the scenario:

Some web marketer named Ken McCarthy (he first gave an internet seminar in 1994 along with Netscape founder up in San Francisco) posted a message to his list, of which I am a member.......

For whatever reason, he had run that code thru his email filter, and it detected Porn. So, he asked if anybody knew what the code was. I rushed off an answer, but when I got to the bitshift section, I was a little concerned--but this was google, I thought, so I thought it must be some internal security feature (weak if it was)........

So I initially sent him the details below........

But I couldn't stop thinking about that bit shifting--something that is not uncommon to me......that is how I entered search optimization back in 1999, when the infamous Black and White Knights were my mentors in the WebPosition forums......oh, and hello Kim.....it has been a long time.


So I began to run all the cool programs I have........I wasn't having any results.

But then I came across a solution........and I was revealed this secret message that was being written into the computer's browser memory via java script:

Real housewives write extensions.

So this is why Ken's email filter detected porn. It appears that the google-analytics.com urchin.js file has bitshifted that text message and it is being written to MILLIONS of computers' memories across the world every single day--something I find offensive from a public company.

So, if there are any programmers in here that are familiar with bit shifts, if they could please decode that file and confirm my findings, please.


thanks,
Steven

here is what i originally sent to the guy:

re:
P.S. Does anybody know what this is in the source code?

http://www.google-analytics.com/urchin.js

Google Analytics tracking after they bought out Urchin
http://www.google.com/analytics/index.html

I am not sure I follow the question. That is a javascript tracker--you know, to track browsers that support javascript. It is a lot of code, but basically it:

1. sets cookies--this is why there is so much date stuff and string parsing--if it can't set a cookie, it will get you by the image request as it is all appended to that image request---and of course the image doesn't even exist, as a web application just collects the data.
2. tracks referrers
3. tries to tie the referrer to known traffic sources for you (google, yahoo, aol, lycos, etc)
4. tries to get the title of the document
5. detects screen size and color depth
6. detects support for flash
7. tracks campaigns--for people that like to do ad testing for ROI. http://www.google.com/analytics/feature_kcc.html
8. it ignores the phrase "urchin" to prevent anomalies with itself.
9. tries to detect browser agent
10. tries to detect Java support
11. tries to detect ShockWave support
12. does some bit shifting
13. encodes the URL so it is returned to them correctly (ie encodes for spaces, etc)

Hall of Famer

Group: Hall Of Fame
Joined: 3-November 05
Posts: 3,461
From: CHeeseland
post Sep 26 2006, 08:04 AM
Hi Steven

Are you talking about the function __utmVisitorCode()? or where do you mean specifically? Do you mean the _utma or _utmz cookie?

John

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 08:20 AM
I believe the offending code is within the HASH functions and indeed, the __utmVisitorCode()

However, let it be known that this particular code eludes my understanding, and that I used a tool that was able to capture the rendered result within the browser itself. It was not written to the document, but instead resided within memory.......when you render the code, the rendered message is ONE message on your machine.......the rest of the code, of course, is relayed to google-analytics.

so, make a blank page, call that single line of code, view the rendered result within the memory of the browser, and you will see your hidden message.

quite offensive.

But for definitive proof we need somebody who doesn't use the browser to render the result, but instead can take apart that code and show PRECISELY where the bit shifting is taking place that is producing the message.......

And, in my opinion, Google needs to do a cease and desist--while the webmaster has a choice to put that code on a page or not, by God, the millions of people visiting these websites are not expecting a public company to be writing such "housewives" messages into their computer's memory.




Star Member

Group: 1000 Post Club
Joined: 22-May 06
Posts: 1,632
post Sep 26 2006, 09:49 AM
Bit shifting the resulting function call came up with some strange results. In Opera it brought up the offending word but in Firefox it had a number listed. I am sure it was coded but I could not decode as it was bit-shifted as well. But the resulting memory in Amaya was AIC/IBF; could this be CIA and FBI misspelled? In IE (it seemed it hit an internal bug and the browser kept blinking and shifted all the content to the right) switched to text mode. I tried to explore more but the machine re-booted. I think by this time the message got through that I was trying to decrypt it.

See now even if this was not true........ this has been going on longer than any one person can think of... honestly everyone here has probably seen The Matrix.... and there's a good chance that everyone in the USA is in that state of limbo where you are just "funding the machine"..

The true way to stop this is not to sit back and say .. oh they are not doing anything wrong, and if they are someone else will save us.... no one is saving you... companies on the government...

So next time you are working in your job.. just think how google is censoring the world. If they want to censor an item they just make sure that they serve the site with a ban and all the webmasters delink... They are using User Agents to crawl the web. Think about it! They even have a minister of disinformation.. his name is Matt Cutts.


Yannis

This post has been edited by yannis: Sep 26 2006, 09:50 AM

Quarter Grand Poster

Group: Members
Joined: 9-June 05
Posts: 365
From: Vulcan, MI
post Sep 26 2006, 09:56 AM
I really have no input on this and the coding is above my head, but would like to subscribe to the topic. I wonder if Google is extracting information for its algorithm?

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 10:12 AM
I think I am going to go ahead and post a demonstration on the power user method I deployed to reveal the hidden message.

Everybody please go update their Macromedia Flash ocx. The demo will be an embedded .swf file. And I am telling you to update because about 10 days ago there was a vulnerability that allowed complete admin control over your computer if you visited a bad site--specializing in security, amongst other things, the demo inspired me to provide this info--it isn't auto updates like windows (and if you want to disable WGA let me know).

http://www.adobe.com/shockwave/download/do...=ShockwaveFlash

UNCHECK the freakin' yahoo toolbar option.


I don't really *want* to do the demo, but if you all really want to see the message for yourselves, I will show you.

Let me know--it is just that i hate uploading stuff for scrutiny. If you all post a positive for the demo, I will do it.





Hall of Famer

Group: Hall Of Fame
Joined: 3-November 05
Posts: 3,461
From: CHeeseland
post Sep 26 2006, 10:30 AM
Go ahead, please :)

PS Who else here hides "easter eggs" in their html code?

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 12:38 PM
Sorry, it took me awhile. It has been a long time since I have made a tutorial.

Now, before we continue.......I am not saying any of this is true. I do not know how to decode bit shifted stuff in Javascript. It took me awhile to figure out how to find an appropriate power tool.

I have done this demo so YOU can repeat the results for yourself and come to your own conclusions. I would like somebody to VERIFY my findings by tearing apart the code and finding the exact functions and bit shifting that is producing the secret message.

The website is a slow one......so be patient as it is a 1.8mb flash file, swf. You will need to click twice to continue......click twice on the button. And you'll need to have the macromedia flash plugin installed as in the previous post.

As all of you know, google-analytics.com IS under the control and authority of google.com;

So, now just look at what they are putting into our computer memories (bull _ _ _ _ if you ask me, if this is indeed true--I need corroboration):


http://www.horseracingfirm.com/bad.html


Let me know what you all think.

Somebody let Kim know I said Hi, along with Mr. Ammon Johns.

SM

Hall of Famer

Group: Hall Of Fame
Joined: 3-November 05
Posts: 3,461
From: CHeeseland
post Sep 26 2006, 12:57 PM
Nice demo, SM. I'll cross-check and check the code and let you know what I find :)

Check line 390 in vrsOverlay.js from the "View Source Chart" extension:
CODE
var realH = "<span style=\"color:#ffffff;\">Real housewives write extensions.</span>";

Copyright © 2006 Jennifer Madden

:D

You have to go after that girl, not Google ;)

John

PS what you're actually doing in the demo is a 'view source chart' of the 'view source chart' output - you can also spot the inserted hidden text by doing a Ctrl-A in the first window of 'view source chart'. To get the generated output, I prefer using the Web-Developer toolbar (toolbar 'view source' -> 'view generated source').

This post has been edited by softplus: Sep 26 2006, 01:07 PM
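
An added example, not part of the original thread and not the extension's code: one way to check where a hidden string in rendered markup came from, by collecting white-text inline-styled spans and testing each against the content the site actually served. The capture and the served files below are constructed samples (only the first span's text is taken from the post), and the function names are hypothetical.

```javascript
// Constructed "generated source" capture: page content plus spans added at view time.
const generated = [
  '<div class="page"><script src="http://www.google-analytics.com/urchin.js"></script></div>',
  '<span style="color:#ffffff;">Real housewives write extensions.</span>',
  '<span style="color: rgb(255, 255, 255)">second hidden note</span>',
  '<span style="color:#333333;">visible text</span>',
].join("\n");

// Constructed stand-ins for what the server delivered (not real urchin.js content).
const served = {
  "page.html": '<html><body><script src="http://www.google-analytics.com/urchin.js"></script></body></html>',
  "tracker.js": 'function track(){ var note = "second hidden note"; return note; }',
};

const WHITE = /^(#fff|#ffffff|white|rgb\(255,255,255\))$/;

// True when the inline style sets the text colour (not background-color) to white.
function isWhite(style) {
  const m = /(?:^|;)\s*color\s*:\s*([^;]+)/i.exec(style);
  return m !== null && WHITE.test(m[1].toLowerCase().replace(/\s+/g, ""));
}

// Text of every <span> whose inline style renders it white-on-white.
function hiddenSpans(html) {
  const re = /<span\b[^>]*\bstyle\s*=\s*"([^"]*)"[^>]*>([^<]*)<\/span>/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    if (isWhite(m[1])) out.push(m[2].trim());
  }
  return out;
}

// For each hidden string, list the served files that contain it.
// An empty list means the string was not delivered by the site.
function attribute(html, sources) {
  return hiddenSpans(html).map(text => {
    const servedBy = Object.keys(sources).filter(name => sources[name].includes(text));
    return { text, servedBy, verdict: servedBy.length ? "served" : "not-served" };
  });
}

console.log(attribute(generated, served));
```

A "not-served" verdict points the investigation at whatever ran on the viewing machine (an extension, a proxy, the inspection tool itself) rather than at the site's script.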

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 01:15 PM
Yes, because of the color coding.....hidden message......I figured I wouldn't confuse anybody and MAKE SURE they saw ONLY the generated code of the script itself, which is why I preferred the latter method........

I wasn't sure if everybody would pick up on the rgb 255.


Hall of Famer

Group: Hall Of Fame
Joined: 3-November 05
Posts: 3,461
From: CHeeseland
post Sep 26 2006, 01:18 PM
Those extension writers are sometimes creative - I forgot which other extension it was, but there's one where a whole story is hidden in the source code (which nobody ever bothers to look at, except perhaps me :D). Maybe we can get Jennifer to comment on that sentence... :)

John

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 01:28 PM
It may be funny on the surface.......

but when you become a public company, you should be careful about what you force into browser memory, in my opinion.

I am sure a lot of people wouldn't like this joke of putting millions of housewives messages into the memories of visitors' computers......I think they would expect more from google.

for instance, i did. When Ken brought this to my attention.....that it set off his email filter, at first I immediately dismissed it.

I was disappointed with the finding.

How about the readers here? They have no objection for google doing this with its analytics program?

What could be next?


Hall of Famer

Group: Hall Of Fame
Joined: 3-November 05
Posts: 3,461
From: CHeeseland
post Sep 26 2006, 01:41 PM
SM, no wait -- it's NOT Google, it's in the Firefox Extension written by Jennifer Madden (who as far as I know doesn't work for Google, nor for Mozilla / Firefox). You can see the same on *any* page which you look at with the 'view source chart' extension, it doesn't need the Analytics / Urchin code on it, you can even see it on an empty page (or try this forum).

Jennifer Madden must have added it as a private joke to her extension; perhaps she is also a "housewife" (whatever she means with that - there are so many possible meanings) and is glad to get out and write some extensions :).

You can send her a mail if you want or take a look at her homepage at http://jennifermadden.com/ - I'm sure she can explain her reasoning behind it (or perhaps it's just an inside joke that you happened to stumble upon).

John

PS slightly off topic, but her last menu item on the left hand side is a unique one, I like how she slid that one in :D

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 02:13 PM
Now you know why I never make assumptions.

So it was all coincidental.

Had Ken not asked about the porn filter, I wouldn't have used that extension......and then that extension generated that phrase.

wow, very coincidental.

thank you for all your insight on the matter.


Founder & Administrator

Group: Admin - Top Level
Joined: 29-August 02
Posts: 11,644
From: Bucks County, PA
post Sep 26 2006, 03:11 PM
QUOTE
Somebody let Kim know I said Hi, along with Mr. Ammon Johns.


I'm here! Been reading (haunting) this thread, marveling at how amazing you guys are and then trying to pretend I actually understand half of what you're describing

Added: I just ran the Demo. I think John is right, about Jennifer slipping in something she felt was funny.
Feisty women and all that...

Still, is there something to be learned from this? I'm not a whiz bang programmer, but this looks like OPPORTUNITY to me.

Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 04:46 PM
No, nothing to learn.

Luckily for me, I do not make assumptions.

Basically Ken McCarthy had sent out a request to his list, asking for an interpretation of the google analytics code, because he ran the file thru his email filter, and it tagged it as porn.

I dismissed his fear, by first sending off a quick reply based on the most common features I could see that the Javascript was doing.

But the hash and the bit shifting--it is used to conceal stuff, usually. So I decided to run the javascript thru an interpreter that would show me what was rendered in the browser.

You saw the results......so then I made an "assumption" that perhaps the word "housewives" REALLY was in the javascript code on the google server--luckily for me, I asked for verification from a programmer who was familiar with bit shifting.

My assumption was incorrect. It was NOT the google code who put in the message. It was the darned FireFox extension that I used to see if THERE WAS any porn words in the file........

and darned.

I then suspected that the "housewives" was put in from the google code, when in fact the programmer that wrote the firefox extension was the culprit......SHE wrote that code!!!!!!

What a bad coincidence.

I was trying to verify the validity of a porn word in google code, and the creator of the tool I used to do it just happened to put in the darned housewives word.

How embarrassing.

Thank God I asked for verification on the matter.

I must thank John for his help--thank you John. I saved myself some embarrassment....not completely, as I just made this public blunder here..........

it may be wise to delete these posts actually.


Kim--I hope it is more clear now? Don't feel bad.....if you think that I understand bit shifts and hashes within Javascript, you are mistaken. I don't. I know basic javascript, and it doesn't include bit shifting.


thanks,

steven

Founder & Administrator

Group: Admin - Top Level
Joined: 29-August 02
Posts: 11,644
From: Bucks County, PA
post Sep 26 2006, 04:50 PM
I love this thread because it:

a. shows we shouldn't jump to conclusions, but we can if they allow a chance to really dig into something to find proof of said conclusion

b. probably shouldn't blame Google for everything, even if they deserve it

c. John got to show off how smart he is.

d. Kim got to show off how she's not.

heh


Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 05:01 PM
Well, I truly DID believe google was innocent.

But, you see, I have a problem with being thorough.

Ammon knows how thorough I am if he wants to recall my questionings back in 1999.

But, in this case, it was my thoroughness that *almost* made me come to the wrong conclusion. I still have to be even more thorough......and John helped me, putting the problem straight.

Having said that, I would STILL like to know precisely what that bit shifting is doing.

:)

You see, that is my thoroughness again. And if anybody wants to do a javascript tutorial demonstrating the bit shifting of the following phrase:

Kim Krause

Please let me watch the video.


thanks,
steven

Founder & Administrator

Group: Admin - Top Level
Joined: 29-August 02
Posts: 11,644
From: Bucks County, PA
post Sep 26 2006, 05:07 PM
QUOTE
bit shifting


Steven, I never heard of this term before today, although in my previous life as an equestrian, I met a few horses who were quite clever at grabbing ahold of the bit and shocking the heck out of their frightened rider.

Aren't you glad you stopped by?


Member

Group: Members
Joined: 26-September 06
Posts: 33
post Sep 26 2006, 05:28 PM
I will briefly tell you what it is about.

A byte is composed of 8 bits. Here is the code for zero:

00000000

Logically, here is for one:

00000001

If I 'shift the last bit' to the right, like this >>

then that 1 gets dropped off, and the value is

10000000

when you right bit shift 1, it becomes 128.

Now, they "seed" their bit shift with a logical sequence, but that sequence they use, that seed, isn't always so obvious--in other words, they don't just shift it once to the right or it would be very easy to decode.


So, each of the characters on a keyboard.......in america.......for instance......has a numerical value.

They range from 0 to 255 for each and every character on an English keyboard. They call this an ASCII chart, and it is mapped to a value of 0 to 255.

The ascii value for K is 75.

Now, 75 in binary, which is like that 00000000 stuff, is:

01001011

if we bit shift and knock that last one off, it moves over.....the 1 moves from the far right, to the far left, and gives a totally different value:

10100101

That was shifted to the right once, and now the value is 165

The ascii value for 165 is u.

So that K became a u when we bit shifted once to the right.

By putting that into a loop and adding a hash seed, you can semi-encrypt or should I say "obfuscate" text.


So, to simplify, in this case, bit shifting is:

1. take an 8 bit number mapped to an ascii chart
2. shift the 8 bits to the left or right and get a new number
3. replace the value in 1 with the new value in 2.

Now we "encoded" the K if we know what to seed it with to unlock the pattern.


that is my rough understanding of it.


but i aint no programmer.


Yes, I suppose it was nice to stop by. I usually am not very welcomed in places due to my harshness, as you know.


Horses-- I trained several. It was my duty to take them into the bull ring and green break them. Then my sister would do the nice stuff. I just had to break their spirits. Horses are very tough. I have had a couple beat the crap out of me......studs, of course......just try turning your back on one when you are a small boy trying to clean their stall.

Of course, I always had the last word.

This post has been edited by uhNigMuh: Sep 26 2006, 05:46 PM
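
An added example, not part of the original thread and not code from urchin.js: it runs the 8-bit walk-through from the post above on K (75) and on "Kim Krause", setting JavaScript's own `>>` beside an 8-bit rotate, the operation that wraps the low bit around and yields 10100101 (165). All function names, including the small `shiftHash`, are constructed for illustration.

```javascript
// JavaScript's >> on a byte: the low bit falls off and nothing wraps around.
function shiftRight8(b) {
  return (b & 0xff) >> 1;
}

// Rotate right by one: the low bit wraps around to bit 7.
function rotr8(b) {
  b &= 0xff;
  return ((b >> 1) | (b << 7)) & 0xff;
}

// Rotate left by one: the exact inverse of rotr8.
function rotl8(b) {
  b &= 0xff;
  return ((b << 1) | (b >> 7)) & 0xff;
}

// Byte as an 8-character binary string, e.g. 75 -> "01001011".
function bits(b) {
  return (b & 0xff).toString(2).padStart(8, "0");
}

// Apply a per-byte function to each character code of an ASCII string.
function mapBytes(text, fn) {
  return Array.from(text, ch => fn(ch.charCodeAt(0)));
}

function bytesToText(bytes, fn) {
  return bytes.map(b => String.fromCharCode(fn(b))).join("");
}

// Constructed shift-and-mix hash: always a 32-bit number, whatever the input
// length, so it is a fingerprint of the input rather than a container for text.
function shiftHash(text) {
  let h = 0;
  for (const ch of text) {
    h = ((h << 5) ^ (h >>> 27) ^ ch.charCodeAt(0)) >>> 0;
  }
  return h;
}

function demo() {
  const k = "K".charCodeAt(0); // 75
  const rotated = mapBytes("Kim Krause", rotr8);
  const shifted = mapBytes("Kim Krause", shiftRight8);
  return {
    kBits: bits(k),
    shiftedBits: bits(shiftRight8(k)),
    rotatedBits: bits(rotr8(k)),
    // Rotation loses nothing, so rotating back recovers the text.
    rotateRoundTrip: bytesToText(rotated, rotl8),
    // A plain shift discards the low bit of every byte; shifting back cannot restore it.
    shiftRoundTrip: bytesToText(shifted, b => (b << 1) & 0xff),
    hash: shiftHash("Kim Krause"),
  };
}

console.log(demo());
```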