marahmarie: my initials (MM) (Default)

ETA, 5-31-16: Support request, filed.

I've been reading about News Genius* with increasing alarm. It's a web annotation service** you don't need to join, download or install anything to use: you simply add "genius.it" without quotes to the front of any website URL and begin annotating. Annotated text shows up as highlighted fields. Clicking on a highlight shows discussions by others about your page in the right hand column, in an overlay that's added using a combination of JavaScript and CSS.

Anything can be highlighted and annotated: a website's name, the name of a post, the sentence I'm typing up right now, the next paragraph, all the paragraphs, All The Words, any tags attached to the post - in short, any words or links seen on any page.

I started off reading what's bad about it (in short: the code overrides built-in browser protection against cross-site scripting attacks; longer story: it overrides fucking everything via proxy and turns any webpage into an endless series of rewritten URLs prefaced with https://genius.it/; the makers claim they block form entry but that can be overridden quite trivially, and it works exactly as expected on private and friends-locked pages such as we have here on Dreamwidth, LiveJournal, Facebook, et al).

Then I read how one blogger was attacked - right on her page, where she can't see it - by employees of News Genius (the article about that, of course, has also been attacked by injecting her page to egg it on, which has got to be both irony and cruelty at its height) and finally what might be done to block News Genius from running on your webpage. Here's some more on that.

The answer to the last question - how to block News Genius if you're on Facebook, Twitter, Instagram, Dreamwidth, LiveJournal, InsaneJournal, Wordpress.com, or any website where you can make posts or run your own journal or blogspace but can't run scripts or add backend code - is not too much.

Facebook, Twitter, Instagram, and Wordpress.com users currently have no way to block News Genius.

LiveJournal, Dreamwidth, InsaneJournal and other LJ clone sites can use a custom theme layer to add CSS to the head portion of their webpages (which I'll explain below).

Caveats

Using CSS as a script hider is far from ideal, perhaps the worst hack there is. Genius's scripts will run even if you can't see them (if you want to test this, add the CSS below, compile your code, then hover any link on your pages after appending genius.it/ to the front of your page URL. Genius will still rewrite your pages to allow annotation and rewrite every link to use their proxy. You just can't see the annotations nor find the ability on the page to make the annotations with anymore).

If your page has *not* yet been annotated to your knowledge, then you might want to use CSS as a simple preventative.

The one thing hiding Genius via local CSS *will* do - until some yahoo finds a workaround or Genius devs rewrite to defeat it...and believe me, I spent a year or two fighting Google over similar turf but for different reasons so I know what I might be up against - is to deny others the ability to use Genius on your page, without your knowledge. While there might be some cursory workaround for those determined enough, until I hear of it I'll run with using CSS, as it's better than doing nothing.

I *do* plan on filing a Dreamwidth support request when I finish this pre-publishing edit: soon, because it's getting way too late asking if they'll look into blocking Genius, as it works on private and friends-only posts, which denies authors of the latter any idea what people are saying on what should be pages they have complete control over, and gives all authors of any private material a serious security vulnerability (that News Genius can possibly read, transmit and store non-public works, images, and so on, back to their own servers or where ever else).

To be clear, this annotation service is a serious security vulnerability and presents a privacy violation for every writer who uses the Internet. Annotations can be made without your knowledge; News Genius is proxying and transmitting data from every URL; non-public posts on any website, be it Wordpress.com, Dreamwidth, or LJ are at risk of being read, stored and annotated without your knowledge by anyone who has access to them. If this doesn't worry you, perhaps it should.

How

On websites that support editing the head section of your webpages, add the following CSS to block News Genius from visibly showing up:

The CSS is not minified, prettified nor compact. It can be modified however you like, but I'm not responsible for any weirdness or breakage should you choose to do so, nor will I troubleshoot if it stops working as it should.

You can see how I'm using it in my theme layer, with apologies for ranting a little and for DW stripping the ability to use comments, which forces me to do so via CSS.

ETA, 6-2-16: Dreamwidth strips HTML comments from custom code but upon testing I see it does not strip CSS comments, a possibility I hadn't initially considered, so this code might see more commenting added in the near future to explain what it does, minus the rant, which has already been removed.

If you know CSS, you can get away with less than I used, which is a future-proofed, admittedly paranoid idea of what it should block. It's my first pass with no edits to streamline or smooth it out, so change whatever you like. It actually works fine with just the CSS that sets display:none or just the CSS that MIAs URLs and edits backgrounds back into blessed transparency. It shouldn't affect web page display negatively (unless you have background colors set in areas touched by Genius's code, in which case, you should edit the CSS accordingly) no matter how much or little of it you use. Edit, post-publishing: But I'll be updating it soon with a better cursor replacement than uh, "none". Edit 2: done.

Also, News Genius has truly awful CSS. Check it out for yourself. Please. It repeats endlessly and quite needlessly (someone literally copy/pasted themselves senseless, giving it far from a professional look and feel!) so parsing what to hide was super-painful, and don't even get me started on the HTML[there's way too much of <---THIS CRAP---> going on, among other things that make me flail, like "100%" used as an actual psuedo-class. Seriously.].

I am - as always - taking questions, comments and criticisms in the comments section below - where I feel such things, you know, generally belong.

*News Genius was borne of Rap Genius being penalized by Google for black-hat SEO, in which they contacted high-profile bloggers with offers of online publicity in exchange for adding high-traffic Rap Genius links to their posts. Never mind the blogger who outed this scheme did not even normally write about Justin Bieber; that's the artist that the long list of links he was to add to his posts pointed to. The outing and subsequent penalization led Genius owners to learn how to permalink their site to every page on the planet, bypassing the need for Google altogether. I can't fathom how hungry for comeuppance they had to be to dream this up. Even my greatest "get Google" fantasies - and I've had some - don't stoop as low as to think to attach any website of mine - like a parasite - to every other page out there, especially not in response to the sort of penalization they so richly deserved.

**Bonus points if you've been here before and can remember me complaining about - and blocking, via similar use of CSS - at least one (comparatively primitive) web annotating service that appeared in the mid-aughts. We sure did have them back then and yes, I sure did. I'm singling News Genius out because it's currently the most talked about, popular and flat-out dangerous, but yes, I'll pre-empt any objections by saying I'm aware there are other services like it, but in their favor - at the very least - they don't seem to present the same cross-site scripting vulnerabilities that News Genius does.