JavaScript Capability & Compatibility Research Page

Gang...

So here's my and GRC's first-ever JavaScript-driven page:

https://www.grc.com/r&d/js.htm

It's not a big deal -- though I think you'll find it somewhat 
interesting.  But mostly it is intended to verify a bunch of 
foundation for the next page I'll create, which I plan to start 
working on immediately ... the "Passcode Designer" which WILL 
actually do something.  :)

What would be VERY INTERESTING to me would be to know whether 
anyone has a JavaScript capable web browser on which this page 
FAILS to function.  THAT will immediately grab my attention!!

And I had an idea for a logo treatment for Snoop Proof. Don't
worry, I am still going to have professional designers see
what they can come up with, but this was simple and fun ...

http://www.grc.com/sp/snoopproof.htm

Thanks ALL!

Follow-ups to:  grc.thinktank

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/18/2011 10:11:32 PM

93 Replies
3482 Views


On 3/18/2011 6:11 PM, Steve Gibson wrote:
> Gang...
>
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm
>
> It's not a big deal -- though I think you'll find it somewhat
> interesting.  But mostly it is intended to verify a bunch of
> foundation for the next page I'll create, which I plan to start
> working on immediately ... the "Passcode Designer" which WILL
> actually do something.  :)

On Win XP SP3. Both Firefox 3.6.15 and IE 8.0.6001.18702 work. I'll 
branch out later tonight.

>
> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!

NoScript and my security zone settings for IE successfully interfere 
with your code, until I explicitly trust GRC.

>
> And I had an idea for a logo treatment for Snoop Proof. Don't
> worry, I am still going to have professional designers see
> what they can come up with, but this was simple and fun ...
>
> http://www.grc.com/sp/snoopproof.htm
>

Try to blindfold the snoop.

--
Alex



0
Alex
3/18/2011 10:35:37 PM
In grc.news, on Fri, 18 Mar 2011 15:11:32, Steve Gibson wrote:

>So here's my and GRC's first-ever JavaScript-driven page:
>
>https://www.grc.com/r&d/js.htm

Works as apparently expected here (XPpro, IE8), just a couple of 
spelling nits:

------------
In the interest of using all of the entropy available (because, why 
not?), the page also monitors and collects every movement of the user's 
mouse. Some mouse movement is likely and perhaps even unavoidable. And 
every specific unpredictable motion pours additional “uncertainty” 
into our ever-growing bucked

Bucket?
------------
  At some point we must settle upon a final 256-bit key for use in 
encrypting our 128-bit counter. At the same time, we'd like to collect 
whatever mouse motion may occur until we absolutely must have that key. 
For this development page wee

We?
------------
>http://www.grc.com/sp/snoopproof.htm

Like. :)

-- 
Jim Crowther
0
Jim
3/18/2011 10:38:41 PM
[for the unabridged version, see Alex's post above]

> On Win XP SP3. Both Firefox 3.6.15 and IE 8.0.6001.18702 work.
> I'll branch out later tonight.

Cool.  Thanks Alex.  And no hurry.  I have separated things
into a sort of "GRC standard library" so that I can fix things 
modularly.


> NoScript and my security zone settings for IE successfully
> interfere with your code, until I explicitly trust GRC.

... and you received the nice notice on the page about scripting
apparently being disabled?  :)


> > http://www.grc.com/sp/snoopproof.htm
> 
> Try to blindfold the snoop.

That's a nice idea, if the "oo" could still come through 
somehow.

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/18/2011 10:40:54 PM
On 03/18/2011 04:11 PM, Steve Gibson wrote:
> What would be VERY INTERESTING to me would be to know whether 
> anyone has a JavaScript capable web browser on which this page 
> FAILS to function.  THAT will immediately grab my attention!!

It appears to work for me using Firefox, Chromium, and Midori all on
Ubuntu. However, I have problems when using noscript (but obviously with it
set to allow scripts from grc) so I'll have to look into that to see why it
isn't working in that situation.

Orson

Works in:
Firefox 3.6.15
Chromium 10.0.648.133 (77742) Ubuntu 10.10
Midori 0.2.4 (another webkit based browser)
0
Orson
3/18/2011 10:41:10 PM
[for the unabridged version, see Jim Crowther's post above]

Thanks Jim!!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/18/2011 10:41:46 PM
On 03/18/2011 04:40 PM, Steve Gibson wrote:
>>> http://www.grc.com/sp/snoopproof.htm
>>
>> Try to blindfold the snoop.
> 
> That's a nice idea, if the "oo" could still come through 
> somehow.

I'm sure that could happen, but I doubt my (lack of) graphical prowess is
up to that challenge.

Orson
0
Orson
3/18/2011 10:44:57 PM
On 3/18/2011 6:40 PM, Steve Gibson wrote:
> [for the unabridged version, see Alex's post above]
>
>> On Win XP SP3. Both Firefox 3.6.15 and IE 8.0.6001.18702 work.
>> I'll branch out later tonight.
>
> Cool.  Thanks Alex.  And no hurry.  I have separated things
> into a sort of "GRC standard library" so that I can fix things
> modularly.
>
>
>> NoScript and my security zone settings for IE successfully
>> interfere with your code, until I explicitly trust GRC.
>
> ... and you received the nice notice on the page about scripting
> apparently being disabled?  :)
>
>
>>> http://www.grc.com/sp/snoopproof.htm
>>
>> Try to blindfold the snoop.
>
> That's a nice idea, if the "oo" could still come through
> somehow.
>

You could use a dancing GIF, or use some more JavaScript.

--
Alex


0
Alex
3/18/2011 10:46:11 PM
[for the unabridged version, see Steve Gibson's post above]

Errata:

I just realized that I hadn't set the "secure" flag on the 
'prng' cookie.  Duh!

And I also think that I might be able to IMMEDIATELY delete
the 'prng' cookie from the browser after grabbing its value.  
THAT would be very cool!  :)

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/18/2011 10:49:08 PM
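The read-then-delete idea from the errata post above, sketched as an added example (not GRC's code and not part of any post). `takeCookie` and `FakeDocument` are hypothetical names, the cookie value is constructed, and the `Path=/` default is an assumption about how the cookie was set.

```javascript
// Added example: consume a one-time cookie and expire it immediately.
// A cookie that script must read cannot be HttpOnly, so the protections
// left are the Secure attribute and keeping its lifetime as short as possible.

// Minimal stand-in for the browser's document.cookie accessor so the
// example runs under Node. Reading yields "a=1; b=2"; assigning one
// "name=value; attr; ..." string sets that cookie, or removes it when
// the attributes include Max-Age=0.
class FakeDocument {
  constructor() {
    this.jar = new Map();
    this.writes = [];            // every string assigned, for inspection
  }
  get cookie() {
    return [...this.jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  set cookie(str) {
    this.writes.push(str);
    const [pair, ...attrs] = str.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const expired = attrs.some((a) => /^max-age=0$/i.test(a));
    if (expired) this.jar.delete(name);
    else this.jar.set(name, value);
  }
}

// Return the cookie's value and delete it in the same call.
// Returns null when the cookie is absent (blocked, or already consumed).
function takeCookie(doc, name, path = '/') {
  let value = null;
  for (const part of doc.cookie.split(';')) {
    const s = part.trim();
    const eq = s.indexOf('=');   // split on the FIRST '=': base64 padding also uses '='
    if (eq > 0 && s.slice(0, eq) === name) {
      value = s.slice(eq + 1);
      break;
    }
  }
  if (value === null) return null;
  // The deleting write must use the same Path (and Domain, if one was set)
  // as the original cookie, otherwise the browser keeps the original.
  doc.cookie = `${name}=; Max-Age=0; Path=${path}; Secure`;
  return value;
}

// Constructed sample: the server set an unrelated cookie and the 'prng' cookie.
function demo() {
  const doc = new FakeDocument();
  doc.cookie = 'other=1; Path=/';
  doc.cookie = 'prng=q0VFU0FNUExFdmFsdWU==; Path=/; Secure';
  const first = takeCookie(doc, 'prng');
  const second = takeCookie(doc, 'prng');   // already gone
  return { first, second, remaining: doc.cookie };
}
```

In a browser the same function would be called as `takeCookie(document, 'prng')`; a null result is the case several posters hit with cookies blocked.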
[for the unabridged version, see Orson Jones's post above]

> I'm sure that could happen, but I doubt my (lack of)
> graphical prowess is up to that challenge.

Nor mine!  :)

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/18/2011 10:54:58 PM
Steve Gibson wrote:
>
> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!
>

Parts of it work.


Box 1 is saying "Waiting for page to load"
Box 2 has "-" for all values except the last two - upper left = "(,)" and 
width/height = "w=,h="
Boxes 3, 4 and 5 have values.

Classic Rollover does nothing.



Browser Sea Monkey 2.0.12

AlanD
0
AlanD
3/18/2011 10:57:26 PM
On 3/18/2011 6:54 PM, Steve Gibson wrote:
> [for the unabridged version, see Orson Jones's post above]
>
>> I'm sure that could happen, but I doubt my (lack of)
>> graphical prowess is up to that challenge.
>
> Nor mine!  :)
>
I'll see if I can figure something out.
--
Alex
0
Alex
3/18/2011 11:07:07 PM
Steve Gibson <news07_@_grc.com> wrote in 
news:MPG.27ed81405899d12829fc@4.79.142.203:
> Errata:
> 
> I just realized that I hadn't set the "secure" flag on the 
> 'prng' cookie.  Duh!
> 
> And I also think that I might be able to IMMEDIATELY delete
> the 'prng' cookie from the browser after grabbing its value.  
> THAT would be very cool!  :)
> 
Yes, please do that.

Also, the "RollOver" *only* works if:
- JavaScript is allowed (Of course!)
- The 1st MouseDown is received (Counter-intuitive)
- The PRNG-cookie is accepted [the others may be refused]
  (Is that necessary for a roll-over?)

Have you changed the "JavaScript-Logo" in between?

[Tested on several platforms with several browsers]
-- 
(faded)
0
faded
3/18/2011 11:09:46 PM
AlanD <nospam@danburyonline.net> wrote in
news:im0o0h$1i79$1@news.grc.com: 
> Steve Gibson wrote:
>> What would be VERY INTERESTING to me would be to know whether
>> anyone has a JavaScript capable web browser on which this page
>> FAILS to function.  THAT will immediately grab my attention!!
> 
> Parts of it work.
> 
> Box 1 is saying "Waiting for page to load"
> Box 2 has "-" for all values except the last two - upper left = "(,)"
> and width/height = "w=,h="
> Boxes 3, 4 and 5 have values.
> 
> Classic Rollover does nothing.
> Browser Sea Monkey 2.0.12
> 
Check to see if you are accepting the PRNG-cookie (at least for this
session-only).

-- 
(faded)
0
faded
3/18/2011 11:12:29 PM
On 19-3-2011 0:07, Alex wrote:
> On 3/18/2011 6:54 PM, Steve Gibson wrote:
>> [for the unabridged version, see Orson Jones's post above]
>>
>>> I'm sure that could happen, but I doubt my (lack of)
>>> graphical prowess is up to that challenge.
>>
>> Nor mine!  :)
>>
> I'll see if I can figure something out.
> -- 
> Alex

Why not create something starting with a blindfold with the words snoop
proof on it? Offer it for sale, just for the fun of it too . . . Or add
it as a gift with the sale of a copy.
-- 
Dirk Engelage
to the house of a friend the road is never long
0
Dirk
3/18/2011 11:48:03 PM
On 19-3-2011 0:48, Dirk Engelage wrote:
> On 19-3-2011 0:07, Alex wrote:
>> On 3/18/2011 6:54 PM, Steve Gibson wrote:
>>> [for the unabridged version, see Orson Jones's post above]
>>>
>>>> I'm sure that could happen, but I doubt my (lack of)
>>>> graphical prowess is up to that challenge.
>>>
>>> Nor mine!  :)
>>>
>> I'll see if I can figure something out.
>> -- 
>> Alex
> 
> Why not create something starting with a blindfold with the words snoop
> proof on it? Offer it for sale, just for the fun of it too . . . Or add
> it as a gift with the sale of a copy.

Thinking about it; create a lady justice with the words on the blindfold
she's wearing. Just a gimmick, with the legislation considering
backdoors in VPN-like software in mind . . . <grin>

-- 
Dirk Engelage
to the house of a friend the road is never long
0
Dirk
3/18/2011 11:51:43 PM

Firefox 3.6.15.   The mouse capture stuff (group #3) stops working if I 
scroll the page via the vertical scrollbar.

-- 
Dale Beckett
SimplyMEPIS 8.5
0
Dale
3/19/2011 12:00:07 AM
(faded) wrote:
> AlanD<nospam@danburyonline.net>  wrote in
> news:im0o0h$1i79$1@news.grc.com:
>> Steve Gibson wrote:
>>> What would be VERY INTERESTING to me would be to know whether
>>> anyone has a JavaScript capable web browser on which this page
>>> FAILS to function.  THAT will immediately grab my attention!!
>>
>> Parts of it work.
>>
>> Box 1 is saying "Waiting for page to load"
>> Box 2 has "-" for all values except the last two - upper left = "(,)"
>> and width/height = "w=,h="
>> Boxes 3, 4 and 5 have values.
>>
>> Classic Rollover does nothing.
>> Browser Sea Monkey 2.0.12
>>
> Check to see if you are accepting the PRNG-cookie (at least for this
> session-only).
>

That's the answer - default settings of "block all cookies".

It now works as expected.

AlanD
0
AlanD
3/19/2011 12:27:54 AM
Steve Gibson wrote:

> Gang...
> 
> So here's my and GRC's first-ever JavaScript-driven page:
> 
> https://www.grc.com/r&d/js.htm
> 
> It's not a big deal -- though I think you'll find it somewhat 
> interesting.  But mostly it is intended to verify a bunch of 
> foundation for the next page I'll create, which I plan to start 
> working on immediately ... the "Passcode Designer" which WILL 
> actually do something.  :)
> 
> What would be VERY INTERESTING to me would be to know whether 
> anyone has a JavaScript capable web browser on which this page 
> FAILS to function.  THAT will immediately grab my attention!!
> 
> And I had an idea for a logo treatment for Snoop Proof. Don't
> worry, I am still going to have professional designers see
> what they can come up with, but this was simple and fun ...
> 
> http://www.grc.com/sp/snoopproof.htm
> 
> Thanks ALL!
> 
> Follow-ups to:  grc.thinktank

No, your "rollover" does not work for me.  Using Firefox 3.6.15.
0
Raven
3/19/2011 12:33:09 AM
On Sat, 19 Mar 2011 00:00:07 +0000 (UTC), Dale Beckett
<dale02@NOTsprynet.com> wrote:

> 
> 
> Firefox 3.6.15.   The mouse capture stuff (group #3) stops working if I 
> scroll the page via the vertical scrollbar.

By using the mouse?

-- 
tbl
0
tbl
3/19/2011 12:37:10 AM
Steve Gibson wrote:

> Gang...
> 
> So here's my and GRC's first-ever JavaScript-driven page:
> 
> https://www.grc.com/r&d/js.htm

> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!

Loaded the page and:

1.- General values:
1.1.- 256 bits of High-quality server-side entropy is empty.
      Shows {~ Waiting for page to load ~}
1.2.- Load-time client-side data....
      All cells are empty.
1.3.- Post-load client-side data...
      Mouse capture,Time,count ALL work correctly.
1.4.- Time of 1st key, time of 1st key release, elapsed ALL work correctly.
1.5.- SHA256 hash shown "jHLruEt....." from the first load (after a delay).


Issues:

1.- Javascript can't grab the value of the "prng" cookie
    (cookie blocker active --CookieSafe-- )
2.- There is a delay (up to mouse moves) to get the first SHA256 hash.
3.- The SHA hash is the same for the same key pressed on every reload,
    (provided the page has detected no mouse movements)
    It seems that the only variable working in:
    grc.serverEntropy + grc.jsRandom + grc.browserLeft +
    grc.browserTop + grc.documentWidth + grc.documentHeight +
    grc.startTime + grc.stopTime + grc.downTime + grc.upTime +
    grc.mouseHistory.join('') + grc.mouseHistory.length; 

    is grc.jsRandom. As the size or the time doesn't change the hash.

        Could you provide cells for each variable to check the inner
        working of this code on all browsers?

4.- The classic "rollover" does NOT work.


Seems that you've got work to do !!     Enjoy !!

-- 
Mark Cross @ 03/18/2011 8:58 p.m.
If Linux doesn't have the solution, you have the wrong problem.

0
Mark
3/19/2011 1:00:07 AM
Steve Gibson wrote:

> ... and you received the nice notice on the page about scripting
> apparently being disabled?  :)

Yes, the note for enabling JavaScript did appear here, it seems to be 
working.

-- 
Mark Cross @ 03/18/2011 9:01 p.m.
If Linux doesn't have the solution, you have the wrong problem.

0
Mark
3/19/2011 1:02:46 AM
Mark Cross wrote:

I forgot to mention:
Debian squeeze, 2.6.32-5-amd64 x86_64 GNU/Linux, Iceweasel 3.5.17

Allowing cookies from grc.com all boxes are getting filled and the SHA hash 
is different on each reload (on pressing the same key).

However that is probably due to the entropy from the server, I am still 
puzzled why the variables:

      grc.browser {Left Top Width Height } "-> several browser window sizes"
      grc.startTime + grc.stopTime  "-> several times"

don't change the hash.

These variables won't change on "no mouse history":
      grc.downTime + grc.upTime
      grc.mouseHistory.length


I wonder:
Why a cookie? Isn't there any other way to send data to the loaded page?


> Seems that you've got work to do !!     Enjoy !!
-----------------------^^^^ insert "more"  :)


-- 
Mark Cross @ 03/18/2011 9:07 p.m.
If Linux doesn't have the solution, you have the wrong problem.

0
Mark
3/19/2011 1:22:12 AM
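One way to run the per-variable check asked for in the two posts above, as an added example that is not GRC's code or any poster's. Field names are taken from the quoted expression; the values, their types (numbers for everything except `serverEntropy`), and the helper names `poolPlus`, `poolEncoded`, `deadFields` and `sameDigest` are assumptions.

```javascript
// Added example: which pool fields actually influence the SHA-256 digest?
// All sample values are constructed.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');   // ES-module fallback
const sha256 = (s) =>
  nodeCrypto.createHash('sha256').update(String(s), 'utf8').digest('hex');

const SCALARS = ['serverEntropy', 'jsRandom', 'browserLeft', 'browserTop',
  'documentWidth', 'documentHeight', 'startTime', 'stopTime',
  'downTime', 'upTime'];

// The pool exactly as quoted in the post: a left-to-right chain of "+".
// "+" concatenates once a string is involved, but adds while both operands
// are numbers, and undefined + number is NaN.
function poolPlus(grc) {
  return grc.serverEntropy + grc.jsRandom + grc.browserLeft +
    grc.browserTop + grc.documentWidth + grc.documentHeight +
    grc.startTime + grc.stopTime + grc.downTime + grc.upTime +
    grc.mouseHistory.join('') + grc.mouseHistory.length;
}

// Unambiguous alternative: every field becomes "name:length:value;" so a
// missing value is recorded as missing and field boundaries cannot shift.
function poolEncoded(grc) {
  const enc = (name, v) => {
    const s = v === undefined ? '' : String(v);
    return `${name}:${v === undefined ? '-' : s.length}:${s};`;
  };
  return SCALARS.map((f) => enc(f, grc[f])).join('') +
    enc('mouseHistory', grc.mouseHistory.join(','));
}

// Change one field at a time and report the fields whose change leaves
// the digest untouched (fields that contribute nothing to the hash).
function deadFields(buildPool, grc) {
  const base = sha256(buildPool(grc));
  const dead = [];
  for (const f of SCALARS) {
    const v = grc[f];
    if (v === undefined) continue;             // nothing to perturb
    const changed = { ...grc, [f]: typeof v === 'number' ? v + 1 : v + 'x' };
    if (sha256(buildPool(changed)) === base) dead.push(f);
  }
  return dead;
}

// True when two different pools hash to the same digest.
function sameDigest(buildPool, a, b) {
  return sha256(buildPool(a)) === sha256(buildPool(b));
}

// Constructed sample: cookie accepted, no key press, no mouse movement.
const withCookie = {
  serverEntropy: 'q0VFU0FNUExFc2VydmVyRW50cm9weQ',
  jsRandom: 0.4821, browserLeft: 22, browserTop: 31,
  documentWidth: 1280, documentHeight: 913,
  startTime: 1300496400123, stopTime: 1300496401819,
  downTime: 0, upTime: 0, mouseHistory: [],
};
// Same page load with the cookie refused, so the server value never arrives.
const cookieBlocked = { ...withCookie, serverEntropy: undefined };
```

With these assumed types, `poolPlus(cookieBlocked)` collapses to the string `NaN0` and `deadFields` lists all nine numeric fields, while `poolEncoded` keeps every field live. The thread does not establish whether the real page behaves this way; the check itself works on whatever values a given browser produces.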
On 3/18/2011 3:11 PM, Steve Gibson wrote:
> Gang...
>
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm
>
> It's not a big deal -- though I think you'll find it somewhat
> interesting.  But mostly it is intended to verify a bunch of
> foundation for the next page I'll create, which I plan to start
> working on immediately ... the "Passcode Designer" which WILL
> actually do something.  :)
>
> Thanks ALL!
>
> Follow-ups to:  grc.thinktank
>
So, off the bat, this SHA256 hash can be used instead of the World 
Famous 64 char random, pass-code.

BTW:  No problems here with JS.

-- 
<LWB>
0
LWBone
3/19/2011 1:32:27 AM
Mark Cross wrote:

> I wonder:
> Why a cookie? Isn't there any other way to send data to the loaded page?

Also the cookie acceptance makes the "RollOver" image work correctly.


-- 
Mark Cross @ 03/18/2011 9:43 p.m.
If Linux doesn't have the solution, you have the wrong problem.

0
Mark
3/19/2011 1:45:25 AM
On Firefox, with noscript, it caught that it had no javascript and asked 
me to enable it and then it worked fine. Then I tried it with Chrome 
with NotScripts enabled, and it did not catch that there was no 
javascript, and nothing worked, not even the rollover worked. Once I 
added grc.com to the allowed sites for NotScripts, everything worked 
perfectly.
0
msntechguy
3/19/2011 2:34:34 AM
Dale Beckett wrote:

>Firefox 3.6.15.   The mouse capture stuff (group #3) stops working if I 
>scroll the page via the vertical scrollbar.

Confirmed.  Even using the scrollbar trips the mousedown event.  Firefox
3.6.15 on XP SP3 here.

(Also confirmed the cookie issues previously mentioned, FWIW.)

0
CA
3/19/2011 4:58:51 AM

On 3/18/2011 7:07 PM, Alex wrote:
> On 3/18/2011 6:54 PM, Steve Gibson wrote:
>> [for the unabridged version, see Orson Jones's post above]
>>
>>> I'm sure that could happen, but I doubt my (lack of)
>>> graphical prowess is up to that challenge.
>>
>> Nor mine! :)
>>
> I'll see if I can figure something out.
> --
> Alex

This is what happens when a man who can't draw, patches a png of text, 
with a jpeg of a blindfold, in MS paint.

The jpeg is from 
<https://secure.wikimedia.org/wikipedia/en/wiki/File:Sleep_mask.jpg> it 
is apparently a free image.

--
Alex

0
Alex
3/19/2011 5:01:19 AM
On 3/18/2011 6:35 PM, I wrote:

> On Win XP SP3. Both Firefox 3.6.15 and IE 8.0.6001.18702 work. I'll
> branch out later tonight.

On Debian 2.6.32-5-686 Iceweasel 3.5.16 works

However in the gnome-www-browser (aka epiphany) I could not even connect 
to grc at all. Not even the home page. Anybody know what's going on with
that?

--
Alex.
0
Alex
3/19/2011 5:29:12 AM
Steve Gibson <news07_@_grc.com> wrote:
> What would be VERY INTERESTING to me would be to know whether 
> anyone has a JavaScript capable web browser on which this page 
> FAILS to function.  THAT will immediately grab my attention!!

Viewing on an iPad - *no mouse*.

Browser left and top coordinates are both zero.

Mouse coordinates section is devoid of any information. And I doubt you'll
be collecting much mouse entropy either!

The rollover changes when tapped on, but never changes back.
0
Fresher
3/19/2011 5:56:12 AM
Hi Steve;

Just found a minor 'nit' on your new js.htm page.

Towards the end of the paragraph marked with the number 1  is the text 
below.  I believe you meant 'even knowing' not 'evening knowing'.

<page quote>
evening knowledge of it would provide little value to an attacker. As stated 
above, it's purpose is to provide a high guaranteed lower level of entropy, 
which the user's browser then further increases.evening knowledge of it 
would provide little value to an attacker. As stated above, it's purpose is 
to provide a high guaranteed lower level of entropy, which the user's 
browser then further increases.
<page quote/>


BTW I'm so looking forward to playing with Snoop Proof during it's 
development.  :-)


-- 


BullBar


Steve Gibson wrote:
> Gang...
>
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm
>
> It's not a big deal -- though I think you'll find it somewhat
> interesting.  But mostly it is intended to verify a bunch of
> foundation for the next page I'll create, which I plan to start
> working on immediately ... the "Passcode Designer" which WILL
> actually do something.  :)
>
> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!
>
> And I had an idea for a logo treatment for Snoop Proof. Don't
> worry, I am still going to have professional designers see
> what they can come up with, but this was simple and fun ...
>
> http://www.grc.com/sp/snoopproof.htm
>
> Thanks ALL!
>
> Follow-ups to:  grc.thinktank


0
BullBar
3/19/2011 6:23:26 AM
This page, however, is NOT the Passcode Designer.

You might want to *BOLD* that or something, so folks will 
know not to use it as a password, hehe.

Torrance
0
Torrance
3/19/2011 6:45:41 AM
It works fine for me in my install of firefox.  It's not 
working in lynx though... <g>.


As a thought, one way to get random data from a user, aside 
from wiggling the mouse around;

have an area of the screen that's whitespace.  Have some 
kind of graphic pop up at a 'random' location and stay there 
until the user clicks on it.  Do this a few times.  Count 
the path the mouse takes, the length of time it takes to 
mouseover the graphic, and the length of time the user holds
the mouseclick on the graphic (which should disappear as 
soon as it's clicked).

Torrance
0
Torrance
3/19/2011 6:56:12 AM
The mouse wheel does not contribute to a mouse movement. Don't
know if it should. Anyway, never obsessed about mice movements.

0
Bazza
3/19/2011 7:01:46 AM
On Fri, 18 Mar 2011 15:11:32 -0700, Steve Gibson <news07_@_grc.com>
wrote:

>Gang...
>
>So here's my and GRC's first-ever JavaScript-driven page:
>
>https://www.grc.com/r&d/js.htm
>
>It's not a big deal -- though I think you'll find it somewhat 
>interesting.  But mostly it is intended to verify a bunch of 
>foundation for the next page I'll create, which I plan to start 
>working on immediately ... the "Passcode Designer" which WILL 
>actually do something.  :)
>
>What would be VERY INTERESTING to me would be to know whether 
>anyone has a JavaScript capable web browser on which this page 
>FAILS to function.  THAT will immediately grab my attention!!
>
>And I had an idea for a logo treatment for Snoop Proof. Don't
>worry, I am still going to have professional designers see
>what they can come up with, but this was simple and fun ...
>
>http://www.grc.com/sp/snoopproof.htm
>
>Thanks ALL!
>
>Follow-ups to:  grc.thinktank

"Security experts agree: It is much more secure for you to choose
passcodes that are so complex you cannot remember them easily, and
thus must write them down, than to use passcodes that are easily
remembered but also inherently easier for attackers to guess: "

Seems like the second "passcode" should be "password".
0
Bob
3/19/2011 9:15:27 AM
On 18/03/11 22:11, Steve Gibson wrote:
> Gang...
> 
> So here's my and GRC's first-ever JavaScript-driven page:
> 
> https://www.grc.com/r&d/js.htm
>...
A quick test of The Ubuntu supplied browsers

##
Test page  www.grc.com/r&d/js.htm
Conclusion:- There were no JavaScript problems with any of the
browsers tested but Epiphany seemed to have other issues, CSS?. :( .
Mozilla/Gecko based browsers report a much shorter "Elapsed time for
page load" than the other browsers.

## Ubuntu 9.10 [browsers that are included in the standard
distribution] in a VirtualBox VM

Arora	0.10.1
simple webkit based webbrowser using Qt toolkit. Originally based
on the Qt demo browser to show the possibilities of Qt Webkit.
Arora is a very basic browser that supports history and bookmarks.
* No problems
* Elapsed time for page load:	4121

Galeon  2.0.7
A standards compliant web browser, which integrates well with the
GNOME desktop environment. It does not include an email client, irc
bot, website designer etc., therefore has a moderate resource usage.
Internally the program uses Mozilla's Gecko rendering engine to
display the web pages so is fully feature complete and standards
compliant, as well as rendering pages quickly.
* No problems
* Elapsed time for page load:	1889

Kazehakase  0.5.8
Kazehakase is a web browser that can use either Gecko or WebKit as
its rendering engine. Kazehakase has a toolbar with rss/rdf menus,
rss/rdf viewer, normal bookmarks, search window for google.  These are
to be available as plugins.
* No problems
* Elapsed time for page load:	1926

Konqueror Version 4.3.2 (KDE 4.3.2)  Using KDE 4.3.2 (KDE 4.3.2)
KDE 4's advanced file manager, web browser and document viewer
Konqueror is the KDE web browser and advanced file manager.
Konqueror is a standards-compliant web browser, supporting HTML 4.01,
Java, JavaScript, CSS3, and Netscape plugins such as Flash.
* No problems
* Elapsed time for page load:  3606

Epiphany  2.28.0-4
* FAILED to load the GRC js page. Hangs at about 60% progress bar
display. See notes in the 10.04 VM below.

## Ubuntu 10.04 in a VirtualBox VM
Firefox 3.6.15
* No problems
* Elapsed time for page load:	1696

Opera 11.0
* No problems
* Elapsed time for page load:	4340

Epiphany  2.30.2-1
Epiphany is a simple yet powerful GNOME web browser targeted at
non-technical users. Its principles are simplicity and standards
compliance. Simplicity is achieved by a well designed user interface
and reliance on external applications for performing external tasks
(such as reading email). Simplicity should not mean less powerful.
Standards compliance is achieved on the HTML side by using the
WebKitGTK+ rendering engine; and on the user interface side by
closely following the GNOME Human Interface Guidelines (HIG) and by
close integration with the GNOME desktop.
* Project home page  http://projects.gnome.org/epiphany/
* No reported errors during Epiphany installation.
* FAILED to load the GRC js page. Hangs at about 60% progress bar display
* The area of the page appears blank but moving the mouse pointer
around in the upper left of the page brings up the url
 "https://www.grc.com/sr/spinrite.htm" in the status bar.
* This url is part of the GRC main menu system which is very heavily
into CSS.
* Tried to load GRC home page and got exactly the same result except
with a black background.
* The problem is not a JS issue so not relevant to this test
* Will not consider this browser in any further JS tests.


-- 
Dave_K

0
dave_k
3/19/2011 1:49:09 PM
In message <im1i55$25ko$1@news.grc.com>, BullBar <bullbar@dev.null> 
writing at 17:23:26 in his/her local time opines:-
>Hi Steve;
>
>Just found a minor 'nit' on your new js.htm page.
>
>Towards the end of the paragraph marked with the number 1  is the text
>below.  I believe you meant 'even knowing' not 'evening knowing'.
>
><page quote>
>evening knowledge of it would provide little value to an attacker. As stated
>above, it's purpose is to provide a high guaranteed lower level of entropy,
>which the user's browser then further increases.evening knowledge of it
>would provide little value to an attacker. As stated above, it's purpose is
>to provide a high guaranteed lower level of entropy, which the user's
>browser then further increases.
><page quote/>

A second nit:-

"it's" is short for "it is".

The possessive form - no apostrophe - should be used for "its purpose".

Confusing, I know, since the apostrophe is normally used in possessives; 
but not for 'it', which is an exception to the rule.

>BTW I'm so looking forward to playing with Snoop Proof during its
>development.  :-)

(quote tweaked - see above)

Roy
-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
3/19/2011 2:34:09 PM
Steve Gibson wrote:
> Gang...
>
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm
>
> It's not a big deal --...

and it's a one-liner, said Jay singularly.
0
rickmerrill
3/19/2011 2:38:18 PM
On 19/03/2011 01:22, Mark Cross wrote:
>
>
> I wonder:
> Why a cookie? Isn't there any other way to send data to the loaded page?
>

Yes, there is but Steve has said that he doesn't want to use AJAX. 
Cookies can be avoided though.  The random data could be written 
directly into the page by the server.  After all, the passwords page 
does just that so Steve has the technology.  Within the JS in the page 
you just put something like:

var randomData = "$$1";

and then a server side script just does a search and replace for $$1 
putting in the dynamic random data.  Of course any unique identifier 
between the quotes will do.  No need for a cookie at all.
0
sparky
3/19/2011 2:44:12 PM
On 3/19/2011 9:49 AM, dave_k wrote:
> Epiphany  2.28.0-4
> * FAILED to load the GRC js page. Hangs at about 60% progress bar
> display. See notes in the 10.04 VM below.

My setup Epiphany failed to load /any/ GRC page. Can you confirm?

--
Alex
0
Alex
3/19/2011 3:01:48 PM
sparky wrote:
> On 19/03/2011 01:22, Mark Cross wrote:
>>
>>
>> I wonder:
>> Why a cookie? Isn't there any other way to send data to the loaded page?
>>
>
> Yes, there is but Steve has said that he doesn't want to use AJAX.
> Cookies can be avoided though. The random data could be written directly
> into the page by the server.

mmm, not to be a party pooper, but can't the raw page code be seen via "View Source" 
on most browsers?
0
rickmerrill
3/19/2011 3:20:27 PM
Roy Brown wrote:
...
>
> A second nit:-
>
> "it's" is short for "it is".
>
> The possessive form - no apostrophe - should be used for "its purpose".
>
> Confusing, I know, since the apostrophe is normally used in possessives;
> but not for 'it', which is an exception to the rule.
>
>> BTW I'm so looking forward to playing with Snoop Proof during its
>> development. :-)
>
> (quote tweaked - see above)

Yup.

"My wife's as possessive as an apostrophe!" - anon
0
rickmerrill
3/19/2011 3:22:05 PM
On 03/19/2011 12:56 AM, Torrance Bell wrote:
> It works fine for me in my install of firefox.  It's not working in lynx
> though... <g>.
> 
> 
> As a thought, one way to get random data from a user, aside from
> wiggling the mouse around;
> 
> have an area of the screen that's whitespace.  Have some kind of graphic
> pop up at a 'random' location and stay there until the user clicks on
> it.  Do this a few times.  Count the path the mouse takes, the length of
> time it takes to mouseover the graphic, and the length of time the user
> holds the mouseclick on the graphic (which should disappear as soon as
> it's clicked).
> 
> Torrance

Or have a square that changes color at a random interval, that they are
supposed to click whenever it changes, to measure their reaction time :D

-- 
Don't judge a cipher by its name.

FireXware
    WWW:   http://ossbox.com
    Email: See PGP Public Key.
    GPG:   0xD46B8253685EE48F @ pgp.mit.edu
    Registered Linux User #518446
0
FireXware
3/19/2011 3:46:43 PM
On 03/18/2011 11:29 PM, Alex wrote:
> However in the gnome-www-browser (aka epiphany) I could not even connect
> to grc at all. Not even the home page. Anybody know what's going on with
> that?

I tried Epiphany 2.30.2 on Ubuntu 10.10 and the page worked for me.

Orson
0
Orson
3/19/2011 4:29:34 PM
On 03/18/2011 04:41 PM, Orson Jones wrote:
> It appears to work for me using Firefox, Chromium, and Midori all on
> Ubuntu. However, I have problems when using noscript (but obviously with it
> set to allow scripts from grc) so I'll have to look into that to see why it
> isn't working in that situation.

Apparently it wasn't noscript that was causing the problem. If I have
cookies disabled, sections 1, 2 and the rollover don't work.

Orson
0
Orson
3/19/2011 4:32:13 PM
On 03/19/2011 09:20 AM, rickmerrill wrote:
> mmm, not to be a party pooper, but can't the raw page code be seen via
> "View Source" on most browsers?

Yes, but you are seeing your own random number and the only problem
comes from other people knowing yours.

Also, you can view the contents of your cookies without much trouble
either. (You don't even need an addon, it can be found in firefox
preferences window.)

Orson
0
Orson
3/19/2011 4:38:14 PM
Steve Gibson wrote:

> Gang...
> 
> So here's my and GRC's first-ever JavaScript-driven page:
> 
> https://www.grc.com/r&d/js.htm
> 
> It's not a big deal -- though I think you'll find it somewhat
> interesting.  But mostly it is intended to verify a bunch of
> foundation for the next page I'll create, which I plan to start
> working on immediately ... the "Passcode Designer" which WILL
> actually do something.  :)

	Just tried out the page. Looks good. The mouse trick works 
great. Tried the "roll over" test, works.

	Using Mandriva - KDE 4.5.0 - FireFox Ver 3.6.15. It works 
great for me.

			DaR
> 
> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!
> 
0
DaR
3/19/2011 7:44:50 PM
On 3/18/2011 6:11 PM, Steve Gibson wrote:

> What would be VERY INTERESTING to me would be to know whether
> anyone has a JavaScript capable web browser on which this page
> FAILS to function.  THAT will immediately grab my attention!!

Works on the latest FireFox and Chrome and IE8.

I did notice that a couple of your "meta" tags at the top aren't 
properly closed, plus a few other HTML issues (unclosed "center" tag, 
unclosed "div" tag).

-- 
Robin
0
Robin
3/19/2011 8:49:51 PM
In message <MPG.27ed786be81d21929f6@4.79.142.203>, Steve Gibson 
<news07_@_grc.com> writing at 15:11:32 in his/her local time opines:-

>Gang...

Makes me feel like a Bowery Boy.. does that date me?

>So here's my and GRC's first-ever JavaScript-driven page:
>https://www.grc.com/r&d/js.htm

>It's not a big deal -- though I think you'll find it somewhat
>interesting.  But mostly it is intended to verify a bunch of
>foundation for the next page I'll create, which I plan to start
>working on immediately ... the "Passcode Designer" which WILL
>actually do something.  :)

>What would be VERY INTERESTING to me would be to know whether
>anyone has a JavaScript capable web browser on which this page
>FAILS to function.  THAT will immediately grab my attention!!

Tested in Firefox 4.0 (Updated, so I guess it's RC2, though it still 
just says 4.0) :-

(i) Works OK, except I see the previously reported 'freeze' of mouse 
position capture when mousing the RHS scroll bar (strictly, on releasing 
the left mouse button).

This seems to be the expected behaviour of a mouse click on the screen; 
maybe using the scroll bars is included in this, or maybe it should have 
been excluded?

(ii) But likewise, if you make the page very tall and narrow, so you get 
a bottom scroll bar, left-clicking and releasing here freezes those 
settings also.

(iii) The 'freeze' can also be provoked by selecting (left mouse button 
and drag) on the screen. Again, the left mouse down time is recorded, 
but the freeze does not take place until the left button release.

Indeed, all these things are driven by the common factor of left mouse 
button release.

(iv) I've seen reported, I think,  that someone's centre mouse wheel had 
no functionality; mine scrolled the page up and down as it does for 
other web pages. When scrolled in this fashion, the RHS scroll bar still 
moves, but mouse position capture continues OK.

(v) Also that 'View Source' did not work, though it worked fine for me 
here.

(vi) Rollover is the full Beethoven for me here....


Tested in IE9 9.0.8080.16413, which is the RC, I think :-

(i) Your certificate shows in yellow when the padlock in the address bar 
is clicked on, meaning its authenticity, or that of the authority that 
issues it, can't be verified. Which "might indicate a problem with the 
certification authority's website".

Steve, is that your expectation?

(ii) A box appears at the bottom saying that only secure content is 
displayed, with a selection box for 'Show all content'.

I can't see that anything changes when I click in this box (except that 
the box goes away, and the padlock on the address bar also goes away), 
but it is indicating that there is both secure and insecure content on 
this https page.

Again Steve, is that your expectation?

(iii) There is no loss of mouse position capture on using either the RHS 
or a bottom scroll bar in IE9. The page records a 1st mouse down when 
these are used, but not a 1st mouse release; and as it is the mouse 
release that triggers the freeze, it does not happen.

(See? Two wrongs *do* make a right. Sometimes. Maybe)

(iv) Click/release, with or without drag, centre scroll button, 
View/Source, and Rollover work as above for FF4.0, which is presumably 
correct.

NB: re (iii) for IE, IE8.0.6001/19019 does the same - no capture of the 
mouse release on scrolling, so the mouse position goes on updating.
Though incredibly sluggishly compared with FF, even FF3.6.15

Tested in Safari 5.0.4:-

(i) Using the scroll bars also gives no mouse release, and hence no 
freeze.

(ii) While the Rollover does work, it's very sluggish here. It's 
possible to cross it quite slowly, and yet not see it change; you have 
to hover on it to see it change. (Stop press: Same with IE8. But both 
FFs change like lightning).

Other than those, works like FF4.0 above.

Google Chrome 11.0.696.12:-

(i) Using the scroll bars also gives no mouse release, and hence no 
freeze.

Other than those, works like FF4.0 above, including fast and sensitive 
rollover.

Thoughts:

It looks as if FF is the odd man out wrt detecting/reporting mouse 
release in scroll bars.

Other info:-

All tests on Windows Vista Ultimate 32-bit on a 1.73GHz Core Duo in a 
Toshiba Equium A100 laptop
except IE9 on Windows 7 Home Premium 64-bit on a 1.6 - 2.4GHz i7 in a 
Dell Studio XPS 1645 laptop

FF4.0 and 3.6.15 tried on both, no observed difference in any of the 4 
combinations from the FF4 on Vista reported above.

Roy







-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
3/20/2011 1:49:04 AM
On Sat, 19 Mar 2011 in grc.thinktank, Fresher wrote
>Steve Gibson <news07_@_grc.com> wrote:
>> What would be VERY INTERESTING to me would be to know whether
>> anyone has a JavaScript capable web browser on which this page
>> FAILS to function.  THAT will immediately grab my attention!!
>
>Viewing on an iPad - *no mouse*.
>
>Browser left and top coordinates are both zero.
>
>Mouse coordinates section is devoid of any information. And I doubt you'll
>be collecting much mouse entropy either!
>
>The rollover changes when tapped on, but never changes back.

On my Blackberry using Opera Mini everything appears to work except the 
mouse over test at the bottom of the page.

In Opera and Firefox on XP everything works [once I allow javascript], 
but in both I get the freeze on release of the left mouse key.

This is also interesting. Many of the screenshots are from browsers with 
no javascript enabled, but you can also see some serious problems with a 
few browsers that might warrant further research. Certificate problems 
also seem to be pretty common.
http://browsershots.org/https://www.grc.com/r&d/js.htm
-- 
GRC Newsgroups/Guidelines/No Regrets:
http://www.imilly.com/noregrets.htm
 From invalid, Reply To works.
http://www.2kevin.net/munging.html
0
Kevin
3/20/2011 3:36:07 AM
On Sat, 19 Mar 2011 in grc.thinktank, Kevin A. wrote
>This is also interesting. Many of the screenshots are from browsers 
>with no javascript enabled, but you can also see some serious problems 
>with a few browsers that might warrant further research. Certificate 
>problems also seem to be pretty common.
>http://browsershots.org/https://www.grc.com/r&d/js.htm

<Sigh> Once more of the screenshots had loaded I looked closer, it 
appears that most [maybe all, I have a slow connection and didn't check 
them all] of what I thought were certificate issues were actually 
settings of the testers. Things like popups asking/providing information 
about viewing a secure site, or IE privacy settings. I don't know what's 
up with the blank and/or black pages though.
-- 
GRC Newsgroups/Guidelines/No Regrets:
http://www.imilly.com/noregrets.htm
 From invalid, Reply To works.
http://www.2kevin.net/munging.html
0
Kevin
3/20/2011 4:44:01 AM
On 03/18/2011 04:35 PM, Alex wrote:
> Try to blindfold the snoop.

Raccoon eyes!

-- 
Don't judge a cipher by its name.

FireXware
    WWW:   http://ossbox.com (fixed!)
    Email: See PGP Public Key.
    GPG:   0xD46B8253685EE48F @ pgp.mit.edu
    Registered Linux User #518446
0
FireXware
3/20/2011 5:58:08 AM
Bob R wrote:

>Seems like the second "passcode" should be "password".

That's deliberate.  Go to http://www.grc.com/sp/SnoopProof.htm and scroll
down about 2 pages worth to the big blueish box.

0
CA
3/20/2011 10:01:48 AM
On Sat, 19 Mar 2011 10:29:34 -0600, Orson Jones wrote:

> On 03/18/2011 11:29 PM, Alex wrote:
>> However in the gnome-www-browser (aka epiphany) I could not even
>> connect to grc at all. Not even the home page. Anybody know what's going
>> on with that?
> 
> I tried Epiphany 2.30.2 on Ubuntu 10.10 and the page worked for me.
> 
> Orson
Thanks for the confirmation that it works on some systems.

Well, as I said in my post it would not work for me, under Ubuntu 9.10 or 
10.04, on ANY of the GRC pages with the drop down menu, not just the js 
page.
Now both of those VM systems have been around for a while and have been 
personalised a lot, so maybe I have done something that upsets Epiphany 
but none of the other browsers.
Today I created a new Ubuntu 10.10 VM and let Synaptic bring it up to 
date. I then installed and tried Epiphany 2.30.2 and the page worked 
fine. :)
I would have said that it was probably a problem with my set-up but Alex 
seems to also have the same issue, so maybe it is something to do with 
older versions of Ubuntu. Since it does not appear to be an issue with 
Steve's js code I don't intend to spend any more time on it unless it 
becomes a major problem.

-- 
dave_k
0
dave_k
3/20/2011 11:44:39 AM
Raven wrote:

> No, your "rollover" does not work for me.  Using Firefox 3.6.15.

I'm running a cookie manager.  After giving grc.com permission to set
cookies, the rollover *does* work.
0
Raven
3/20/2011 4:48:51 PM
[for the unabridged version, see FireXware's post above]

> > Try to blindfold the snoop.
> 
> Raccoon eyes!

I gave the raccoon eyes a try.  I liked it, but it looked a bit 
too sinister.  I know that was the idea ... but it creeped me 
out!  <<grin>>

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 6:59:34 PM
[for the unabridged version, see Jim Crowther's post above]

> Works as apparently expected here (XPpro, IE8), just a couple of 
> spelling nits:

Good grabs Jim, thanks!!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:02:15 PM
[for the unabridged version, see Orson Jones's post above]

> Apparently it wasn't noscript that was causing the problem.
> If I have cookies disabled, sections 1, 2 and the rollover
> don't work.

Yep.  I have a LONG way to go to catch up here, but my first 
clear "takeaway" from Release 1 of this experimental page is 
that "cookies" cannot be relied upon for the operation of 
anything that needs to survive commercial-grade muster.

And BOY am I now more glad than ever that I designed a 100% 
cookie-free eCommerce system! (Or I'd likely be redesigning it 
now!)

I'll be removing the page's cookie dependence with the page's 
next release.

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:25:37 PM
[for the unabridged version, see Mark Cross's post above]

> Allowing cookies from grc.com all boxes are getting filled and
> the SHA hash is different on each reload (on pressing the same key).
> 
> However that is probably due to the entropy from the server, I am still 
> puzzled why the variables:
> 
>       grc.browser {Left Top Width Height } "-> several browser window sizes"
>       grc.startTime + grc.stopTime  "-> several times"
> 
> doesn't change the hash.

Great catch Mark.  ===>  Rookie mistake!

JavaScript places "virtual semicolons" at the end of each source 
line.  So breaking up the big summation onto multiple lines 
didn't ever work ... and, of course, being JavaScript, generated 
NO errors!  <<grumble>>


> these variables won't change on "no mouse history":
>       grc.downTime + grc.upTime
>       grc.mouseHistory.length

Yep.


> I wonder:
> Why a cookie? Isn't there any other way to send data to the
> loaded page?

There won't be one there soon.  I was never comfortable
with using one anyway, just due to "cookie reputation".

As 'sparky' mentions below, I have extremely mature (and really 
quite elegant) technology for doing server-side on-the-fly 
string replacement.  It's used all over the place.

But in this case, since this was a learning mode experiment for 
me, I wanted to play with and exercise JavaScript's cookie 
management.

 
> > Seems that you've got work to do !!     Enjoy !!
> -----------------------^^^^ insert "more"  :)

.... and loving every moment of it!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:40:58 PM
[for the unabridged version, see sparky's post above]

> Yes, there is but Steve has said that he doesn't want to use AJAX. 
> Cookies can be avoided though.  The random data could be written 
> directly into the page by the server.

Precisely.

> After all, the passwords page does just that so Steve has the
> technology.  Within the JS in the page you just put something like:
> 
> var randomData = "$$1";

Actually, I use "{1}" and have a very flexible and quite-elegant 
(and screamingly fast) on-the-fly string replacement system 
which is used all over the place.  :)


> and then a server side script...

I *know* you meant "a screamingly fast server-side assembly 
language pattern matching system that handles variable-length 
string replacements."


> ...just does a search and replace for $$1 putting in the
> dynamic random data.  Of course any unique identifier 
> between the quotes will do.  No need for a cookie at all.

And there won't be one in release #1!  Hell no!  <<grin>>

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:47:59 PM
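The placeholder substitution discussed in the post above, as an added example that is not GRC's server code (which the post describes as assembly language): the "{1}" placeholder and the `randomData` variable come from the thread, while the function names, the template and the sample values are assumptions. It contrasts a plain search-and-replace with one that only lets Base64 text into the inline script's string literal.

```javascript
// Added illustration, not the GRC implementation. Only the "{1}" placeholder
// style and the randomData variable name come from the thread.

// Constructed sample: 43 Base64 characters plus one '=' of padding,
// the shape of a Base64-encoded 256-bit value.
const SAMPLE_SEED = 'q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEjRWeJA=';

// Hypothetical page fragment the server would send after substitution.
const PAGE_TEMPLATE = [
  '<script type="text/javascript">',
  'var randomData = "{1}";',
  '</script>',
].join('\n');

// Weak form: whatever the value contains ends up inside the string literal,
// so a quote character in the value would end the literal early.
function fillNaive(template, value) {
  return template.split('{1}').join(value);
}

// Base64 text cannot contain a quote, a backslash, '<' or a newline, so a
// value that passes this check cannot terminate the literal or the script.
function isBase64(value) {
  return typeof value === 'string' && /^[A-Za-z0-9+\/]+={0,2}$/.test(value);
}

// Hardened form: every "{n}" is filled from values[n - 1] in a single pass,
// and a missing or non-Base64 value aborts the render instead of being sent.
// The replacer callback also keeps '$' sequences in a value from being
// interpreted as replacement patterns.
function fillPlaceholders(template, values) {
  return template.replace(/\{(\d+)\}/g, function (match, index) {
    const value = values[Number(index) - 1];
    if (value === undefined) {
      throw new Error('no value supplied for placeholder ' + match);
    }
    if (!isBase64(value)) {
      throw new Error('value for placeholder ' + match + ' is not Base64');
    }
    return value;
  });
}

// Constructed value that is not Base64, standing in for corrupted input.
const BAD_VALUE = 'x"; var injected = true; //';

// Returns true when the hardened function refuses the given values.
function isRejected(values) {
  try {
    fillPlaceholders(PAGE_TEMPLATE, values);
    return false;
  } catch (e) {
    return true;
  }
}
```
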
[for the unabridged version, see LWBone's post above]

> So, off the bat, this SHA256 hash can be used instead
> of the World Famous 64 char random, pass-code.

Yes it could. What comes from GRC (when it's able to get there!) 
is a guaranteed-to-be-unique maximum-entropy 256-bit pseudo-
random value.  The client-side code then just adds more entropy 
to it.

And, in that sense it's better than the "World Famous 64 char 
random pass-code" since GRC *does* know what those are (though 
we're taking NO notice of them, FWIW) ... whereas no one knows 
what the final SHA256 will be that's produced by this page.

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:51:39 PM
[for the unabridged version, see msntechguy's post above]

> On Firefox, with noscript, it caught that it had no javascript
> and asked me to enable it and then it worked fine. Then I tried
> it with Chrome with NotScripts enabled, and it did not catch
> that there was no javascript, and nothing worked, not even the
> rollover worked. Once I added grc.com to the allowed sites for
> NotScripts, everything worked perfectly.

Ah!  Interesting.  So NotScript on Chrome is not running the 
<noscript> </noscript> HTML block when scripting has been 
selectively disabled.  That's definitely a bug!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 7:59:10 PM
[for the unabridged version, see BullBar's post above]

> Just found a minor 'nit' on your new js.htm page.
> 
> Towards the end of the paragraph marked with the number 1  is the text 
> below.  I believe you meant 'even knowing' not 'evening knowing'.

Nice catch, thanks bullbar!


> BTW I'm so looking forward to playing with Snoop Proof
> during it's development.  :-)

I'm glad, me too!!  :)

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:03:11 PM
[for the unabridged version, see Roy Brown's post above]

> A second nit:-

Thanks!  Got it!  :)

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:04:32 PM
[for the unabridged version, see Torrance Bell's post above]

> This page, however, is NOT the Passcode Designer.
> 
> You might want to *BOLD* that or something, so folks will 
> know not to use it as a password, hehe.

Good idea, thanks Torrance.

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:06:23 PM
[for the unabridged version, see Bob R's post above]

> Seems like the second "passcode" should be "password".

Good thought Bob, thanks!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:08:54 PM
[for the unabridged version, see Robin Keir's post above]

> Works on the latest FireFox and Chrome and IE8.

Thanks Robin.


> I did notice that a couple of your "meta" tags at the top
> aren't properly closed, plus a few other HTML issues
> (unclosed "center" tag, unclosed "div" tag).

That's weird Robin, it's validating correctly for me.

What tool are you using?  Perhaps I can duplicate
your finding and see what's going on.  Thanks!!!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:20:55 PM
[for the unabridged version, see Roy Brown's post above]

> Tested in IE9 9.0.8080.16413, which is the RC, I think :-
> 
> (i) Your certificate shows in yellow when the padlock in
> the address bar is clicked on, meaning its authenticity,
> or that of the authority that issues it, can't be verified.
> Which "might indicate a problem with the certification
> authority's website".
> 
> Steve, is that your expectation?

Hmmmmm.  I assume that's a GRC-wide effect?

It's also odd, since we use Verisign as our CA, and you can't 
get much more solid and stable than that!


> (ii) A box appears at the bottom saying that only secure content
> is displayed, with a selection box for 'Show all content'.
> 
> I can't see that anything changes when I click in this box
> (except that the box goes away, and the padlock on the address
> bar also goes away), but it is indicating that there is both
> secure and insecure content on this https page.
> 
> Again Steve, is that your expectation?

That's weird.  The only place there's any "http:" is in the 
page's DOCTYPE.

Thanks for all the testing Roy!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:26:56 PM
On 20/03/2011 19:47, Steve Gibson wrote:
>
>> After all, the passwords page does just that so Steve has the
>> technology.  Within the JS in the page you just put something like:
>>
>> var randomData = "$$1";
>
> Actually, I use "{1}" and have a very flexible and quite-elegant
> (and screamingly fast) on-the-fly string replacement system
> which is used all over the place.  :)
>

I know, I've seen it "all over the place" in your page source

>
>> and then a server side script...
>
> I *know* you meant "a screamingly fast server-side assembly
> language pattern matching system that handles variable-length
> string replacements."
>

Yes, of course :D  Working mostly on the client side (ActionScript, 
JavaScript) I mostly do that sort of thing with regular expressions. 
They are incredibly powerful and as I work on the assumption that a 
single call to a RegEx function can be more efficiently coded at the 
native level than a series of "byte code" steps, I use them where I can. 
I may be mistaken in that belief though.  Who knows what's going on 
under the hood.

>
>> ...just does a search and replace for $$1 putting in the
>> dynamic random data.  Of course any unique identifier
>> between the quotes will do.  No need for a cookie at all.
>
> And there won't be one in release #1!  Hell no!<<grin>>
>

Looking forward to it.
0
sparky
3/20/2011 8:31:04 PM
[for the unabridged version, see "(faded)" <(faded)
@vowel.invalid>'s post above]

> > And I also think that I might be able to IMMEDIATELY delete
> > the 'prng' cookie from the browser after grabbing its value.  
> > THAT would be very cool!  :)
> 
> Yes, please do that.

Instead... I'm removing all use of cookies!  :)


> Also, the "RollOver" *only* works if:
> - JavaScript is allowed (Of course!)
> - The 1st MouseDown is received (Counter-intuitive)
> - The PRNG-cookie is accepted [the others may be refused]
>   (Is that necessary for a roll-over?)

Hmmmmm.  I concur on points 1 and 3.  But if JavaScript is 
enabled and cookies are accepted, then everything should
work as intended and the rollover should work without/before
any first mousedown.


> [Tested on several platforms with several browsers]

Thanks!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:32:17 PM
[for the unabridged version, see sparky's post above]

> I mostly do that sort of thing with regular expressions. They
> are incredibly powerful and as I work on the assumption that a 
> single call to a RegEx function can be more efficiently coded
> at the native level than a series of "byte code" steps, I use
> them where I can.
> I may be mistaken in that belief though.  Who knows what's
> going on under the hood.

As someone who has coded many gizmos in PERL I am also well 
versed in RegEx usage... and I marvel at them!  I also shudder 
to think what must be going on under the hood to make them go.  

Some SERIOUSLY amazing/horrifying technology!!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 8:40:28 PM
[for the unabridged version, see Steve Gibson's post above]

> > However that is probably due to the entropy from the
> > server, I am still puzzled why the variables:
> > 
> >       grc.browser {Left Top Width Height } "-> several browser window sizes"
> >       grc.startTime + grc.stopTime  "-> several times"
> > 
> > doesn't change the hash.
> 
> Great catch Mark.  ===>  Rookie mistake!
> 
> JavaScript places "virtual semicolons" at the end of each source 
> line.  So breaking up the big summation onto multiple lines 
> didn't ever work ... and, of course, being JavaScript, generated 
> NO errors!  <<grumble>>
> 
> 
> > these variables won't change on "no mouse history":
> >       grc.downTime + grc.upTime
> >       grc.mouseHistory.length


It turns out that I DIDN'T make a mistake here.  It was all a 
side effect of the expected 'prng=' cookie not being found.

My cookie extractor returned a 'null' (which is an actual 
testable value in JS).  But when my code then tried to take
a "slice" from it (to remove the trailing Base64 '=') it was 
trying to 'slice' a null, which silently crashed the JS.

After that, not much else worked!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 9:16:23 PM
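The failure described in the post above, sketched as an added example that is not the code from GRC's page: a cookie lookup that returns null, the unguarded slice that throws on it, and a guarded version. The 'prng' cookie name and the trailing Base64 '=' come from the thread; the function names, the step names and the sample cookie strings are assumptions.

```javascript
// Added illustration, not the code from the GRC page. The cookie string is
// passed in so this runs outside a browser; in a page it would be
// document.cookie.

// Constructed samples: one browser that accepted the cookie, one that did not.
const SAMPLE_WITH_COOKIE =
  'theme=dark; prng=q83vEjRWeJCrze8SNFZ4kKvN7xI0VniQq83vEjRWeJA=';
const SAMPLE_NO_COOKIE = 'theme=dark';

// Return the named cookie's value, or null when it is absent. Only the first
// '=' separates name from value, so Base64 padding in the value survives.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Unguarded: assumes the cookie is always present. When getCookie returns
// null, raw.slice throws a TypeError.
function seedUnguarded(cookieString) {
  const raw = getCookie(cookieString, 'prng');
  return raw.slice(0, -1); // drop the trailing Base64 '='
}

// Guarded: a missing or malformed cookie yields an empty seed instead of an
// exception, so the caller can carry on with client-side input only.
function seedGuarded(cookieString) {
  const raw = getCookie(cookieString, 'prng');
  if (raw === null) return '';
  const seed = raw.replace(/=+$/, '');
  return /^[A-Za-z0-9+\/]+$/.test(seed) ? seed : '';
}

// Stand-in for the page's start-up script: the steps run in order and an
// exception in the first one means the later ones never run. The try/catch
// here only records what a browser would do by abandoning the script.
function runPageInit(cookieString, seedFn) {
  const done = [];
  try {
    const seed = seedFn(cookieString);
    done.push(seed === '' ? 'seed: none from server' : 'seed: server value');
    done.push('mouse tracking');
    done.push('rollover');
  } catch (e) {
    done.push('aborted: ' + e.name);
  }
  return done;
}
```

With the cookie refused, the unguarded path stops at the first step, which matches the reports in this thread that the rollover stopped working when cookies were disabled.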
Steve Gibson wrote:
> [for the unabridged version, see Orson Jones's post above]
>
>> Apparently it wasn't noscript that was causing the problem.
>> If I have cookies disabled, sections 1, 2 and the rollover
>> don't work.
>
> Yep.  I have a LONG way to go to catch up here, but my first
> clear "takeaway" from Release 1 of this experimental page is
> that "cookies" cannot be relied upon for the operation of
> anything that needs to survive commercial-grade muster.
>

That's your fault for highlighting the problems with cookies! Before that, 
most of us did not care.


AlanD
0
AlanD
3/20/2011 9:35:11 PM
In message <MPG.27f002ef7dba29a72a0e@4.79.142.203>, Steve Gibson 
<news07_@_grc.com> writing at 13:26:56 in his/her local time opines:-
>[for the unabridged version, see Roy Brown's post above]

>> Tested in IE9 9.0.8080.16413, which is the RC, I think :-

>> (i) Your certificate shows in yellow when the padlock in
>> the address bar is clicked on, meaning its authenticity,
>> or that of the authority that issues it, can't be verified.
>> Which "might indicate a problem with the certification
>> authority's website".

>> Steve, is that your expectation?

>Hmmmmm.  I assume that's a GRC-wide effect?

>It's also odd, since we use Verisign as our CA, and you can't
>get much more solid and stable than that!

Well, duh, that was my fault. It's the colour that the *address bar* 
goes, not the colour that the *padlock* goes, that matters, and I was 
looking at the padlock, which goes yellow when you hover on it.

Wouldn't hurt Microsoft to show a little graphic there, would it? Ho 
hum....

But the address bar is white, so the certification (which shows up as 
Verisign when you click the padlock) is just fine.

>> (ii) A box appears at the bottom saying that only secure content
>> is displayed, with a selection box for 'Show all content'.

>> I can't see that anything changes when I click in this box
>> (except that the box goes away, and the padlock on the address
>> bar also goes away), but it is indicating that there is both
>> secure and insecure content on this https page.

>> Again Steve, is that your expectation?

>That's weird.  The only place there's any "http:" is in the
>page's DOCTYPE.

Same result on IE9 RTM, now that's out. I don't know if the DOCTYPE is 
enough to trigger the warning or not.

>Thanks for all the testing Roy!

You're welcome!

-- 
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris
0
Roy
3/20/2011 11:12:58 PM
Steve Gibson wrote:

> It turns out that I DIDN'T make a mistake here.  It was all a
> side effect of the expected 'prng=' cookie not being found.
> 
> My cookie extractor returned a 'null' (which is an actual
> testable value in JS).  But when my code then tried to take
> a "slice" from it (to remove the trailing Base64 '=') it was
> trying to 'slice' a null, which silently crashed the JS.

Yay, good debugging! Now that you know the reason the solution should be 
easy to code. Enjoy the challenge :)
 
> After that, not much else worked!

Indeed !

-- 
Mark Cross @ 03/20/2011 7:40 p.m.
If Linux doesn't have the solution, you have the wrong problem.

0
Mark
3/20/2011 11:43:33 PM
[for the unabridged version, see AlanD's post above]

> That's your fault for highlighting the problems with cookies!
> Before that, most of us did not care.

I'm not sure that I deserve the credit and blame for that <g> 
but I'm impressed (and a bit surprised obviously) by how
locked-down many people here are!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/20/2011 11:49:53 PM
On Sun, 20 Mar 2011 in grc.thinktank, Steve Gibson wrote
>[for the unabridged version, see Robin Keir's post above]
>
>> Works on the latest FireFox and Chrome and IE8.
>
>Thanks Robin.
>
>
>> I did notice that a couple of your "meta" tags at the top
>> aren't properly closed, plus a few other HTML issues
>> (unclosed "center" tag, unclosed "div" tag).
>
>That's weird Robin, it's validating correctly for me.
>
>What tool are you using?  Perhaps I can duplicate
>your finding and see what's going on.  Thanks!!!

I don't know what Robin is using, but I use HTML Tidy as an extension in 
Firefox. I see at least the same things as Robin, maybe a few more, most 
of which are not "significant", like the "alt" and "summary" attributes, 
although they're helpful for screen readers among other things. The 
"unescaped & or unknown entity "&d"" is due to the raw ampersand, which 
happens on a lot of sites. The way to eliminate that one is to use 
"&amp;" instead of "&" [no quotes on either], but I don't _think_ it 
causes any problems if you don't. The 1st, 2nd and 4th lines in the list 
below would probably be worth tracking down just to be sure they're OK.

I've also found that HTML Tidy is a great way to track down that line 
where I didn't close something properly that makes half the page 
disappear. <g>

http://users.skynet.be/mgueury/mozilla/

Result: 0 errors / 21 warnings

line 9 column 1 - Warning: <meta> element not empty or not closed
line 10 column 1 - Warning: <meta> element not empty or not closed
line 177 column 21 - Warning: unescaped & or unknown entity "&d"
line 350 column 764 - Warning: missing </div>
line 38 column 22 - Warning: <img> lacks "alt" attribute
line 39 column 22 - Warning: <img> lacks "alt" attribute
line 44 column 3 - Warning: <input> proprietary attribute "width"
line 44 column 3 - Warning: <input> proprietary attribute "height"
line 227 column 1 - Warning: <table> lacks "summary" attribute
line 229 column 1 - Warning: <table> lacks "summary" attribute
line 236 column 1 - Warning: <table> lacks "summary" attribute
line 238 column 1 - Warning: <table> lacks "summary" attribute
line 251 column 1 - Warning: <table> lacks "summary" attribute
line 253 column 1 - Warning: <table> lacks "summary" attribute
line 261 column 1 - Warning: <table> lacks "summary" attribute
line 263 column 1 - Warning: <table> lacks "summary" attribute
line 273 column 1 - Warning: <table> lacks "summary" attribute
line 275 column 1 - Warning: <table> lacks "summary" attribute
line 323 column 1 - Warning: <table> lacks "summary" attribute
line 350 column 7 - Warning: <table> lacks "summary" attribute
line 352 column 1 - Warning: <table> lacks "summary" attribute
Info: Doctype given is "-//W3C//DTD XHTML 1.0 Transitional//EN"
Info: Document content looks like HTML Proprietary


-- 
GRC Newsgroups/Guidelines/No Regrets:
http://www.imilly.com/noregrets.htm
 From invalid, Reply To works.
http://www.2kevin.net/munging.html
0
Kevin
3/21/2011 12:32:27 AM

On 3/20/2011 4:20 PM, Steve Gibson wrote:
> [for the unabridged version, see Robin Keir's post above]
>
>> Works on the latest FireFox and Chrome and IE8.
>
> Thanks Robin.
>
>
>> I did notice that a couple of your "meta" tags at the top
>> aren't properly closed, plus a few other HTML issues
>> (unclosed "center" tag, unclosed "div" tag).
>
> That's weird Robin, it's validating correctly for me.
>
> What tool are you using?  Perhaps I can duplicate
> your finding and see what's going on.  Thanks!!!

CSE HTML Validator 9.

See attached for the "meta" tag issue.  Should be a "/>" at the end, no?

-- 
Robin

0
Robin
3/21/2011 1:21:43 AM
[for the unabridged version, see Robin Keir's post above]

> See attached for the "meta" tag issue.  Should be a "/>" at the end, no?

Ah!  Yes!  Got it!  Thanks!!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/21/2011 1:56:51 AM
[for the unabridged version, see Kevin A.'s post above]

> I've also found that HTML Tidy is a great way to track down
> that line where I didn't close something properly that makes
> half the page disappear. <g>

Yeah, I hate that!  <g>

I'll check it out.  Thanks Kevin!

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/21/2011 2:02:31 AM
[for the unabridged version, see Kevin A.'s post above]

Very nice Kevin!

I cleaned up a few long-standing site-wide things, and the 
JavaScript R&D page now gets a "Green Checkmark" clean bill of 
health!  :)

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/21/2011 2:45:31 AM
While Steve Gibson dreams of electric sheep...:
> Gang...
> 
> So here's my and GRC's first-ever JavaScript-driven page:
> 
> https://www.grc.com/r&d/js.htm
> 
> It's not a big deal -- though I think you'll find it somewhat 
> interesting.  But mostly it is intended to verify a bunch of 
> foundation for the next page I'll create, which I plan to start 
> working on immediately ... the "Passcode Designer" which WILL 
> actually do something.  :)

2. This section gathers data that cannot be exactly known to anyone
outside of the browser

Two pieces of data collected "could be" predictable. Browser
position and size. It occurred to me that I was viewing the page
"maximized". This could create predictable values. Position could be
predicted at 0,0 (in my case in Gnome I have a top bar which if left
at default size could also be predictable) Most desktops (Windows
and KDE) have the menu at the bottom so this could be a predictable
value.

Once we assume that the browser is maximized we can guess the
browser document area (do you mean the client area [space below
toolbars] or DOM ?) Since DOM can access even the title bar and
toolbars then this value could be even more predictable. Otherwise
an attacker would have to guess how many toolbars you have.

Width would be easy to guess, you have only three to five screen
resolutions to iterate through. Height would be the hardest.
I must have a 15 pixel scroll bar.

Just had a thought for guessing number three. With the most popular
browsers being IE and Firefox, it wouldn't be too hard to write a
Javascript Interpreter that has two or three PRNG's (one to mimic
each popular browser). Firefox source is available so that shouldn't
be too hard to mimic.

> What would be VERY INTERESTING to me would be to know whether 
> anyone has a JavaScript capable web browser on which this page 
> FAILS to function.  THAT will immediately grab my attention!!

It was a little slow loading but odd that considering all you did
was set one var and collect the time.
108,000(ish) on first load, 34,000(ish) refreshed after that

Mouse rollover fails.
Firefox 3.6.15
Ubuntu 8.04 Hardy
Javascript enabled but turned off
	Move/Resize Windows
	Raise/Lower Windows
	Disable/Replace Context
	Hide Status
	Change Status text

Addons that "might" affect Java (or DOM)
BetterPrivacy
Dom Inspector
Firebug
Javascript Debugger
Web Developer

Other mouse weirdness.
Document height and mouse position don't match.
Width is okay that can agree with mouse.
On my system Document height is 4077 but mouse position is 700 max.
There aren't enough browser toolbars to account for 3300 pixels
that I don't even have. Screen resolution for height is not that large.
The 700px mouse position makes sense but where do you get that the
document is 4077px ?

Mouse measurement seems to end at status bar and browser tabs.
Is the "Document" the browser window or the page being viewed ?

Mouse measurement is *really* slow, a low sampling rate ?
If I move it too quickly readout stutters.

> And I had a idea for a logo treatment for Snoop Proof. Don't 
> worry, I am still going to have professional designers see what 
> they can come up with, but this was simple and fun ...
> 
> http://www.grc.com/sp/snoopproof.htm

Logo idea. A white box with a black question mark. There's a
magnifying glass overlooking it. Inside the magnifying glass we see
a black box with a white question mark.

Simple and the end user would get the idea that what you see inside the
box is the same as the outside.

(Yes I know it would be technically incorrect, magnifying glasses
don't see inside things. But it's a design for a common market)

> Follow-ups to:  grc.thinktank

Crap I thought it might be a grc.snoopproof follow-up

-- 
Where's there's smoke, There are mirrors.
Give me Free as in Freedom not Speech or Beer.
Thank You and Welcome to the Internet.
0
DarkWolf
3/21/2011 6:32:59 PM
On 03/20/2011 02:40 PM, Steve Gibson wrote:
> [for the unabridged version, see sparky's post above]
> 
>> I mostly do that sort of thing with regular expressions. They
>> are incredibly powerful and as I work on the assumption that a 
>> single call to a RegEx function can be more efficiently coded
>> at the native level than a series of "byte code" steps, I use
>> them where I can.
>>   I maybe mistaken in that belief though.  Who knows what's
>> going on under the hood.
> 
> As someone who has coded many gizmos in PERL I am also well 
> versed in RegEx usage... and I marvel at them!  I also shudder 
> to think what must be going on under the hood to make them go.  
> 
> Some SERIOUSLY amazing/horrifying technology!!
> 

RegEx stuff is pretty cool. In the few times I have bothered to test
differences in doing a comparison using a simple RegEx (implemented in C
presumably) and the same logic implemented using basic string
search/comparison functions and if/then logic in the high level language,
the overhead of the high level language has always outweighed the overhead
of using the RegEx engine. I don't know what they are doing with that RegEx
stuff, but they are doing it well.

Orson
0
Orson
3/21/2011 10:00:45 PM
Steve Gibson wrote:

>I'm not sure that I deserve the credit and blame for that <g> 
>but I'm impressed (and a bit surprised obviously) by how
>locked-down many people here are!

I'll use this opportunity to remind you that some time back we dubbed our
reactions to security vulnerabilities as a Gibsonian Response.

0
CA
3/22/2011 9:33:14 AM
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm
>
> It's not a big deal -- though I think you'll find it somewhat
> interesting.  But mostly it is intended to verify a bunch of
> foundation for the next page I'll create, which I plan to start
> working on immediately ... the "Passcode Designer" which
> WILL actually do something.  :)

I fetched js.js, sjcl.js and grc_std_lib.js and had a peek at those
and well... it sounds like you're having fun :D as for the mouse
position, notice that the script won't trigger if one uses the mouse
wheel to scroll while keeping the cursor "on the page" but I think
that it's expected (not sure if all browsers do that, my FF does)
as for entropy *and* keeping "secret stuff" outside of GRC
server... you already have (given I recall it correctly) a quite
good entropy generator, now... imagine setting things up so
that, when the "js.htm" page is called, some server side code
will request a block of data to the *server* entropy generator
such a block will then be sent to the client where, the client side
javascript will "shuffle" it and use it as an additional source of
entropy; I think that such an approach may help improving the
generator while leaving it "unlinked" from GRC which, in such
a case, would only be responsible for feeding a data block
but which won't have any idea about how it will be after it will
get reshuffled by the clientside javascript

> And I had a idea for a logo treatment for Snoop Proof. Don't
> worry, I am still going to have professional designers see
> what they can come up with, but this was simple and fun ...
>
> http://www.grc.com/sp/snoopproof.htm

Hmmm... what about adding a little bit of "js" there so that
the logo "eyes" will follow the mouse cursor :D ?


0
ObiWan
3/22/2011 12:08:44 PM
"ObiWan" <sgr.20.trashsink@spamgourmet.com> wrote:
> Hmmm... what about adding a little bit of "js" there so that
> the logo "eyes" will follow the mouse cursor :D ?

If the product were called "I'm Snooping On You" that would be a good idea,
but since the product will do the exact opposite of that, I don't like that
idea. The impression you want to give is that the snooper has *no idea*
what you're doing, not that it's watching everything you do..
0
Fresher
3/22/2011 12:46:48 PM
> If the product were called "I'm Snooping On You" that would be a good
> idea, but since the product will do the exact opposite of that, I
> don't like that idea. The impression you want to give is that the
> snooper has *no idea* what you're doing, not that it's watching
> everything you do..

so, just add a *delay* to eyes movement :D


0
ObiWan
3/22/2011 2:13:20 PM
> such a block will then be sent to the client where, the client side
> javascript will "shuffle" it and use it as an additional source of
> entropy; I think that such an approach may help improving the

Just in case; let's say the page loads with a 4096 bytes entropy
directly fed from the server generator; at that point you may
have something like (pseudocode)

for (i=0; i<loopcount; i++) {
    offset = rnd();
    size = rnd();
    outbuff += getblock(offset, size);
}

at that point the "getblock" should pick a "piece" of the entropy
data and treat that data block as a "loop" that is, given the size
of the block is 4096 and we have offset=4096, size=5, the getblock
function will pick one byte at position 4096 and the first four bytes
of the buffer (aka circular buffer) and return those; with such an
approach, the GRC server will *only* feed some entropy but the
entropy will then be "reused" in a way which keeps the server
totally outside the loop so, even if someone may ask about
the "entropy block" being handed out, that won't be of any use
since all the "shuffling" will take place on the CLIENT side :D

But... given that you reached this point, Steve (and I understand
the reasons)... why don't you just write some kind of "applet" ?


0
ObiWan
3/22/2011 2:20:36 PM
[for the unabridged version, see DarkWolf's post above]

Thanks DarkWolf!

As you probably know, in the case of "entropy collection" the 
exact values don't matter.  And even the "high bits" are not 
providing much entropy since they are much more guessable than 
all of the least significant bits.

So we just pour everything that we can get into one big entropy 
bucket and then keep adding more as it comes along.

I think that the Release #3 of the JS R&D page ought to solve 
those performance issues you were seeing.

More soon...

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/22/2011 4:51:42 PM
[for the unabridged version, see ObiWan's post above]

I think that I see your points Obi.  But I think that it's 
probably overkill.

Right now I am already receiving a "starter seed" of 256-bits of 
ultra high quality entropy from GRC's server with every instance 
of the JS.htm page.

Even the best of the PRNG's (like Fortuna) ultimately reduce 
everything down to a single 256-bit value which is used to key 
an AES-256 (or similar, but typically AES-256) symmetric cipher 
that's being driven by a counter.

Consequently, it's never *actually* possible to have more than 
256 bits of entropy.  You can condense many more bits down into 
256 bits, but then you still wind up with just 256 bits.

Now, admittedly, if you had 4096 bits of "not so great entropy" 
then hashing that down to 256 bits would essentially 
"concentrate" the entropy scattered around in the larger 4096 
bit pool into a really good smaller 256-bit pool.

But that's already what the JS.htm page is doing.

It STARTS OFF with 256 *really*good* bits of entropy, then 
continually adds more.  But it's not because we don't already 
have 256 really good bits, it's because we'd like to migrate the 
active PRNG seed *AWAY* from anything that GRC could know.

So we just continuously pour whatever else we can get into the 
entropy pot.

-- 
________________________________________________________________
Steve.   / Scarce as facts are, supply too often exceeds demand.
0
Steve
3/22/2011 5:10:05 PM
> I think that I see your points Obi.  But I think that it's
> probably overkill.

Hmm... well, maybe, although I think it may help a bit

> Right now I am already receiving a "starter seed" of 256-bits
> of ultra high quality entropy from GRC's server with every
> instance of the JS.htm page.
>
> Even the best of the PRNG's (like Fortuna) ultimately reduce
> everything down to a single 256-bit value which is used to key
> an AES-256 (or similar, but typically AES-256) symmetric cipher
> that's being driven by a counter.

Fine; my "4096" was just to feed a block of quite good entropy
which may then be used by the client as an "initial seed"; at this
point, to totally disjoint the really used entropy from what the
server handled out, the client may "shuffle" it or, in any case,
pick a portion of the block; in such a case, instead of a full
reshuffle, the client side code may just generate a random
offset and pick its initial 256 bits starting from that offset (and
wrapping around if needed); so the idea of using a "4096"
block is just meant to offer more "combinations" :) then, by
the way, the client code may also use some random bits
from the block to increase the randomness of the initial
values

> It STARTS OFF with 256 *really*good* bits of entropy

yes, but those are *exactly* the ones generated by GRC
server, while "shuffling" the block (as above) the value
handed over from the server will become "unlinked" from
the one really used by the client and this imHo may help
a bit to improve things


0
ObiWan
3/24/2011 7:47:16 AM
While Steve Gibson dreams of electric sheep...:

> So we just pour everything that we can get into one big entropy 
> bucket and then keep adding more as it comes along.

But should you add predictable values into a bit bucket ?
Yes there is going to be all this other collection to add to entropy
but several of the values are known or guessable.

Should you use guessable values in an algorithm for cryptography ?
Isn't it just a matter of principle not to use predictable values ?

> I think that the Release #3 of the JS R&D page ought to solve 
> those performance issues you were seeing.

The window height being reported was one of the strange things that
got my head scratching.

I know that my habit of enabling JS (but turning all the settings
off) has done strange things to websites before. I wished browsers
had more/better control over JS (like controls for allowing or
disallowing read/write to DOM )

-- 
Where's there's smoke, There are mirrors.
Give me Free as in Freedom not Speech or Beer.
Thank You and Welcome to the Internet.
0
DarkWolf
3/28/2011 6:36:08 PM
On 03/28/2011 12:36 PM, DarkWolf wrote:
> While Steve Gibson dreams of electric sheep...:
> 
>> So we just pour everything that we can get into one big entropy 
>> bucket and then keep adding more as it comes along.
> 
> But should you add predictable values into a bit bucket ?
> Yes there is going to be all this other collection to add to entropy
> but several of the values are known or guessable.

There is a property of hash functions called the "avalanche effect."
What it means is that if you change just ONE bit of the input, the
resulting hash will look COMPLETELY DIFFERENT. For example:

The SHA256 hash of "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is:

a27c896c4859204843166af66f0e902b9c3b3ed6d2fd13d435abc020065c526f

But the SHA256 of "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA" (one bit
difference) is:

cc6ae761baa460823da14c8e2cfd74f53eea66c71c812f2eaef1da80598a8ee6

Since hash functions have this property, when we use them to construct
random number generators, we're allowed to include as much information
as we want, no matter how predictable it is, even if we included 500GB
of zero bytes.

The unpredictability of the output is based on the unpredictability of
the input as a whole. So say we got the equivalent of 128 bits of
entropy from the mouse movements of the user. We could hash that data
with any amount of unpredictable data (500GB of zeroes if we were
crazy), and still the ONLY way someone would be able to figure out the
output of the hash would be to know (or brute force) those unpredictable
128 bits from the mouse movements.

Since we have that property of hash functions, we want to throw in as
much information related to the client as possible, even if it may be
predictable.

> 
> Should you use guessable values in an algorithm for cryptography ?
> Isn't it just a matter of principle not to use predictable values ?

There should be no predictability (or sufficient unpredictability) when
it comes to making encryption keys. Steve's page will get the
unpredictability from mouse movements etc. But unencrypted data is
ALWAYS predictable to some degree, it's cryptography's job to turn that
into seemingly random data.

> 
>> I think that the Release #3 of the JS R&D page ought to solve 
>> those performance issues you were seeing.
> 
> The window height being reported was one of the strange things that
> got my head scratching.
> 
> I know that my habit of enabling JS (but turning all the settings
> off) has done strange things to websites before. I wished browsers
> had more/better control over JS (like controls for allowing or
> disallowing read/write to DOM )
> 


-- 
Win32, get ready to be LEARNED... page 42 of 1233 of Programming Windows.
0
FireXware
3/28/2011 10:53:11 PM
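The pooling argument made in the posts above (start from a server-supplied seed, hash in everything the browser can observe, predictable or not), worked through as an added example. It is not code from any poster or from GRC's page. EntropyPool, clientSeed, guessesNeeded and all sample values are hypothetical, Node's built-in crypto stands in for whatever hash the real page uses, and the "unknown" input is held to 12 bits only so the search finishes instantly.

```javascript
const { createHash } = require('crypto');

// Hash-based entropy pool: each sample is folded into a 256-bit state.
class EntropyPool {
  constructor(serverSeed) {
    this.state = createHash('sha256').update(serverSeed).digest();
  }
  // Label and length-prefix every sample so ("ab","c") and ("a","bc")
  // cannot collide into the same input stream.
  add(label, value) {
    const data = Buffer.from(String(value), 'utf8');
    const head = Buffer.from(`${label}:${data.length}:`, 'utf8');
    this.state = createHash('sha256')
      .update(this.state).update(head).update(data).digest();
    return this;
  }
  seed() { return Buffer.from(this.state); }
}

// Constructed sample values, not captured from the real page.
const SERVER_SEED = Buffer.alloc(32, 0x5a);   // known to the server
const PREDICTABLE = [['winX', 0], ['winY', 0], ['docW', 1280], ['scrollbar', 15]];

// Seed the client ends up with; `unpredictable` is null or a number that
// only the browser knows (modelled here as a few low bits of mouse timing).
function clientSeed(unpredictable) {
  const pool = new EntropyPool(SERVER_SEED);
  for (const [label, value] of PREDICTABLE) pool.add(label, value);
  if (unpredictable !== null) pool.add('mouseTiming', unpredictable);
  return pool.seed();
}

// Seeds an observer who knows SERVER_SEED and PREDICTABLE must compute
// before matching the client's seed, assuming `unknownBits` of unknown input.
function guessesNeeded(target, unknownBits) {
  let tries = 1;
  if (clientSeed(null).equals(target)) return tries;
  for (let g = 0; g < 2 ** unknownBits; g++) {
    tries++;
    if (clientSeed(g).equals(target)) return tries;
  }
  return Infinity; // the pool holds more uncertainty than assumed
}

// Number of differing bits between two seeds (avalanche check).
function bitDistance(a, b) {
  let d = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x &= x - 1) d++;
  }
  return d;
}

console.log('predictable only :', guessesNeeded(clientSeed(null), 12));
console.log('plus 12 unknown  :', guessesNeeded(clientSeed(3000), 12));
console.log('bits changed     :', bitDistance(clientSeed(3000), clientSeed(3001)));
```

The predictable samples change the seed completely yet leave the observer's work at one guess; only the unknown sample raises it, and the cost doubles with each unknown bit.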
On 3/18/2011 6:11 PM, Steve Gibson wrote:
> Gang...
>
> So here's my and GRC's first-ever JavaScript-driven page:
>
> https://www.grc.com/r&d/js.htm

Nice! Very cool!
0
war59312
4/1/2011 7:38:37 PM