If there’s one thing several people are really, really good at, it’s ruining the web. The latest attempt is something quite insipid, something that had me scratching my head a few times before I realised what was going on. When copying and pasting text from certain websites, content would be added to your clipboard without you knowing about it – something like “Read more at”. John Gruber finds this just as insipid as I do, and investigated a little further – while also coming up with a way to block this nonsense. Seriously – this is right up there with those in-text underline ad things.
So, what exactly are we dealing with here? Well, as you’ll most certainly understand, this OSNews thing I do requires me to copy and paste quite a few times every day. Especially the short items in the right column mainly consist of copy/paste content, but on the front page you’ll see quite some copied content as well.
Recently, I’ve been confronted with some incredibly annoying JavaScript nonsense that inserts a few blank lines followed by “read more at ” to every piece of pasted text. I’ve seen it happen on TechCruch and several other sites, although I never kept track of which. For example, were we at OSNews to ever stoop this low, copying and then pasting some text from our site would look like this (that last bit in the link is a hash tracking code):
So, what exactly are we dealing with here? Well, as you’ll most certainly understand, this OSNews thing I do requires me to copy and paste quite a few times every day.Read more at http://www.osnews.com/story/23373/Title/#4734hgbt
There’s some rule that governs this behaviour, as Gruber found out. “On the New Yorker web site, copying up to seven words from an article works normally – no attribution URL is appended. Copy eight or more words, however, and you get the attribution appendage,” he details, “On TechCrunch, the attribution appendage again only kicks in for selections of eight or more words.”
TechCrunch, however, takes the insipidity to a whole new level by adding an additional “feature” to the copy and paste routine: if you select one to three words and then invoke the copy command (menu or keyboard), a search pop-up will appear that covers the actual content of the article. Gruber has a screenshot showing how it looks.
The technology comes courtesy of a company called Tynt, and one quick glance at Tynt’s homepage will tell you what kind of a company this is. “Drive traffic”, “Improve search rank”, “SEO benefits”… Basically, what these guys hope is that you leave the inserted link and hash code in place so that websites can track where the copied text ends up. Since most people will probably delete the inserted bit anyway, the tracking stuff won’t work. Gruber believes that the eventual goal will be to add advertisements to the copied text.
“Whatever their justification for using Tynt is, I’ll bet it involves repeated use of the phrase ‘biz dev’,” Gruber concludes, “All they’re really doing is annoying their readers. Their websites are theirs, but our clipboards are ours. Tynt is intrusive, obnoxious, and disrespectful. I can’t believe some websites need to be told this.”
This is what we call user-hostile behaviour, and it must be nipped in the bud right away before it becomes as widespread as those in-text advertisement things (remember, for every single one of those ads, a unicorn gets shot). Luckily, there are two ways to end this stuff – you can install a browser plugin for Chrome, but in its current incarnation, it will display a warning (once) for each website with Tynt enabled.
A more permanent solution is to use your hosts file to block Tynt. Just append this at the end of the file:
127.0.0.1 tcr.tynt.com
Depending on your operating system, the hosts file can be found in different locations; on UNIX-like systems such as Linux and Mac OS X, it’s /etc/hosts, and on Windows NT it’s in %SystemRoot%\system32\drivers\etc. From the top of my head, I know the BeOS one (and thus, Haiku?) resides at /boot/beos/etc/hosts, but that’s about all I can recall without diving into Google.
After adding the line, this Tynt nonsense will no longer work. A more preferable option would be better browser plugins, and as such, I hope some Awesome Developer takes up the challenge. You will be rewarded a thousand Tinkerbell kisses. And yes, I realise how incredibly wrong that sounds.
You know what else is annoying?
Ctrl+z not working in text edit boxes.
Also annoying is when cut & paste functionality is disabled on a site. Grrr!
That, at least, seems to work for me here..
You mean ctrl+z does not work within the textboxes on Osnews?
Works fine here, Firefox 3.6.3 / Fedora 13
Fails here on Chrome. Tried on Linux and Windows.
Then get rid of your browser…
…or write a feature request
If your text counter breaks with the best browser out there (if you go by quantifiable figures like benchmark results), you fix the text counter.
Insert something about Mohammed & mountain here.
Could you please explain what’s this mountain story ? ^^’
http://answers.yahoo.com/question/index?qid=20061121123121AAGFPxI
It seems americans generally understand the saying to have opposite meaning:
http://wiki.answers.com/Q/Where_is_if_mohammad_wont_go_to_the_mount…
some random mountain made fun of mohammed by putting him in a cartoon.
that angered his followers and they ordered the mountain to come to their country so that they could vent out their religious anger on it in the name of their prophet.
but the mountain did not come. and now the muslims are coming. (for the mountain).
No. If the text counter is compliant code, then you ask the browser vendor to fix the browser.
Your thinking is the same sort of idiocy that got us a web full of sites “‘optimized’ for Internet Explorer.”
Edited 2010-05-29 14:57 UTC
And who should chech whether the counter is compliant code? Google developers?
I would think it would go something like this:
1. Customer complains to Google/files a bug report that the OSNews widget doesn’t work in Chrome, but works in other browsers
2. Google devs visit OSNews, check the code of the widget, test it against all the major browsers on all the major platforms, and see that it is indeed a Chrome issue
3. Devs find the problem in the Chromium code, patch it and include in the next scheduled update
Of course, that’s in a perfect world where Google’s devs have time for every little bug that one out of 100,000 users might notice. Here in the real world, it may never get fixed because it’s one of those things that is simply not a big deal.
For me personally, if a website doesn’t work well in my favorite browser, I try my second favorite. If it still doesn’t work, that website obviously isn’t worth visiting as the maintainer doesn’t care about web standards (my two favorite browsers being Firefox and Chrome, respectively). If it works in Chrome but not FF, well that’s bearable.
I won’t mention Mohammed but I will say this is the same attitude that made IE6 the less standards-compliant browser on this planet.
Edited 2010-05-29 18:10 UTC
Works on Firefox for me here too, both Linux and Windows. Also works on IE8, and Safari in OS X (though in OS X all text fields support undo regardless of app, the os handles that, so that might not count). Sounds like a bug in Chrome to me.
Ran into a site with copy blocking the other day. Try “view source” through your applicable browser.
One handy workaround for this crap, is to use the lesser known antiquated versions of cut + paste:
CTRL + Insert (copy)
SHIFT + Delete (cut)
SHIFT + Insert (paste)
Most web dev’s forget to disable these old shortcuts so you can use them in most HTML forms that have the usual cut/paste shortcuts disabled.
Edited 2010-05-31 03:43 UTC
I just had this happen the other day. I copied and pasted like 3 times trying to figure out what the heck was going on. I just turned NoScipt back on for that website and the behavior is gone again.
I only noticed it too a few days ago because it never happened to me. But I also have the habit of pasting text first to Notepad then copying then and pasting it to its final destination so reduce everything to plain ASCII.
Whoa, creepy. I have to wonder if a technique like this could be used to create a buffer overflow and execute malicious code. If so, that makes it even more disturbing…
Unless I’m mistaken, the word insipid means bland and doesn’t really have anything to do with what you’re describing, at least as far as I can see. Do you mean insidious?
Also, I was pleased to notice that tcr.tynt.com is already blocked by the useful hosts file provided at http://someonewhocares.org/hosts/ by an awesome guy called Dan Pollock. Use a cron job to keep it updated and you’ll avoid all kinds of nasty crap, no matter which browser or other software you’re using.
i think he is implying more like its done in poor taste.
Insipid means flavourless, not tasteless. I thought it was a pretty stand out error but if I’m being finicky I guess I’ll shut up.
Don’t be so insipid…
Not to be a vocabulary nazi, but…
http://www.merriam-webster.com/dictionary/insipid
“1 : lacking taste or savor : tasteless <insipid food>”
http://www.merriam-webster.com/dictionary/tasteless
“2 : not having or exhibiting good taste <a tasteless joke>” (em added)
It fits quite well.
Pfft, well if you’ll take an American’s word for it…
I’d guess he actually meant “Insidious”.
How would you go about setting up such a cron job? I’ve never done that before, and while there are enough explanations out there on cron in general, I’m wondering what the most optimal solution would be in this specific case. I’d imagine you run a wget command, followed by a cp? Or just wget it straight to /etc/hosts?
Can anyone help out on that one? I’ll put it up as a separate article for other users to reference when Googling this stuff.
While we’re at it, we may want to gather solutions for other operating systems as well, like Windows and Mac OS X.
Edited 2010-05-29 11:18 UTC
http://fraglimit.net/st/update-hosts-blocklist
A tiny shell script, using wget as you suggested. Backs up your existing hosts file to hosts.local so nothing will be lost and reverting is easy.
You can drop it in /etc/cron.daily/ and chmod a+x it, or you can put it anywhere and add a crontab line like:
0 0 * * * root /path/to/update-hosts-blocklist
You first have to edit the crontab file, using ‘crontab -e’
Each job’s format is ‘Minute Hour DayOfMonth Month DayOfWeek Command’, where each field can be either a value, a * meaning everything or a comma separated list of values. There is also a shorthand where */2 means every two minutes/hours/etc, */10 every ten, etc.
A job that runs everyday would be ‘0 0 * * * /path/to/script’.
A job that runs twice a year would be ‘0 0 1 */6 * /path/to/script’
A job that runs every Sunday and Friday would be ‘0 0 * * 0,5 /path/to/script’.
etc.
The script could be
Of course this isn’t as simple as it sounds, since it would overwrite your hosts file and you would lose anything that it contains and isn’t already on that list. Perhaps you could write a more complete program that would compare the downloaded list with the existing hosts file and update the file accordignly.
OS X comes already with cron installed, but without wget. You can download it and install it manually or, if you have macports intalled, use ‘sudo port install wget’. For Windows I don’t know a way to do the same thing, but I imagine it would also involve a scheduler and a script to download and replace the hosts file.
I haven’t actually encountered this in a while, but the first time I saw it I seriously thought I’d gone nuts… well, more nuts than I already am anyway. Given that this is javascript though, I suspect the reason I haven’t seen it in a while is Noscript (mandatory add-on whenever I browse the web) and I don’t enable javascript on any web page unless I either use the site frequently or a feature requires it (then the temporary permissions in Noscript come in handy).
I, like the poster above, am also concerned about what this could do if someone manages to exploit it. The clipboard is something common to all GUI oses and all browsers are able to utilize it, and Javascript is the same for this across all platforms. If someone finds a browser-specific exploit with this stuff, it could be very nasty indeed. This is why I use Noscript in the first place, I’m all too aware of what rogue js can do (and not using a certain os is no guarantee of protection), but I understand that a casual user might get annoyed with Noscript.
As for the /etc/hosts bit, I wonder how long that’ll be effective? If enough people start doing it, they’ll just move the domain name and force everyone to edit /etc/hosts again. If it gets bad enough, they’ll probably implement a round-robin approach and keep adding more domains into the list. Best to block this at the browser level, if possible.
And one last centiment: To hell with all these tracking cookies and js tracking, and I hope the companies that implement this die a firey death! Had to get that out of my system.
Try out Ghostery .. extension for IE, FF, and Chrome — though Chrome does not have the blocking feature yet.
I’ve killed 5 trackers since being on OSNews to read this story
Thanks for the tip on Ghostery.
Ah, nice. Added it to my ff installations, thanks. Seems to be doing its job.
Noscript certainly works in stopping this stuff. Marking “tynt” as “untrusted” basically gets rid of the problem.
If you go the hosts file route, you need to update it periodically. If you do, you will likely keep blocking “tynt,” even if it switches domains. I think you will find domain switching rather uncommon, however. Remember, if “tynt” changes, then the Web sites that use the service must make changes, too. I use the following hosts file: http://mvps.org/winhelp2002/hosts.txt. It blocks “tynt.”
Another way to block is to use Adblock Plus. Tynt is blocked by the Easy Privacy list.
heh heh, I use both no script and adblock+, one of the reasons that I abandoned Chrome as it has zero capabilities to offer similar functionality at present. And the latest ff builds “feel” just as fast to me, on the sites that I normally browse, as Chrome does.
(Actually ff’s even faster because I was trying the various adblockers for Chrome and found that they all first download the crap, then just hide it instead of blocking in the first place…)
Even though Chrome is my preferred browser right now, crap like this always makes me glad for noscript and greesemonkey on firefox, between the two you can usually stop or fix whatever crazy shit websites try to pull on you.
I’ve never seen this problem – not even on TechCrunch.
So I can only assume that Opera automatically disables this crap.
Can any other Opera users confirm the same?
[edit]
Upon further investigation, it appears it’s an option in Opera that’s disabled by default:
“allow scripts to detect context menu events” in the ‘JavaScript options’ (located on the ‘advanced’ tab of ‘preferences’)
Edited 2010-05-28 20:48 UTC
I haven’t encountered this URL adding problem with Opera 10.53 on Vista either. On my side, the “allow scripts to detect context menu events” is ticked. So it’s probably not (only?) this option that keeps us, Opera users, from that annoying thing. What OS are you using? I’ve been on both sites (the new yorker and techcrunch) and nothing has been added: ClipDiary shows no url and the clipboard content, when pasted, contains only what I’ve selected… go figure.
Ahhh. Maybe it’s not that specific option then.
I’m running ArchLinux 64bit
Good!
I just tried the given sites, of course I am running opera. No harmful text added to the copy&paste mechanism.
Another plus for Opera!
Chaning copy&paste is always irritating. Skype does it too, by adding tags to qutoe the text, I hate it.
I actually kind of like this, I cite the works of others I use in my work, this actually saves me a step.
As a user side plugin it would be of use. I’m surprise there is not already plugins for citation work.
The problem here is that it’s implemented on the foreign side of the connection manipulating the local machine. This is also happening without the explicit permission of the user in most cases. Technically, this is a malware attack already even if the payload is currently harmless.
Since when does a browser allow a website to control something as basic as copy+paste ?
Such things should be hardwired in the operating system’s GUI toolkit and not be left as the mercy of user software… Isn’t it ? And even if it’s made so, which is bad coding practices, it should not be made tweakable by untrusted javascript code.
Edited 2010-05-28 21:13 UTC
Agreed. But the problem with Javascript is that you don’t say “this is trusted” or “this is not trusted”.
It’s not a big problem. It just means that from a security point of view, ALL Javascript code is untrusted and should not be allowed to take over basic controls of the browser and the operating system like right click and copy n paste ^^
I’m using Ubuntu 9.10 and Firefox 3.6 here at home, and no such links or searches get added. So I guess you guys are just using crappy OSes and software. Switch to Linux and be free! 😉
On my girlfriends computer with the same OS and Browser, the crap does get inserted into the clipboard.
Maybe you should consider sending a bug-report.
I have not been aware of this copy/pasting tracking. it is very interesting. What is problematic is that tracking is done by single company, instead of by each website on which i’m. They have pretty good privacy police, but still I would more like if site owners will use own servers for this than some external company (with unknown reputation).
On http://www.tynt.com/support/opt-inout/ you can opt-out. It is probably based on cookies.
Acording to FAQ and Tynt’s site, not every website which uses Tynt’s services adds link at the bottom of the copied text. I think adding “From TechCrunch: ” prefix without new lines will be less invading.
As of tracking what is copied by user I understand it can be usefull information, but still if this is done by single external company isn’t good. (OK it is good, becuase then it is easier to block all trafic to tynt.com, and they have nice dashboard and statistics panel, and they are free
).
And there are much more annoying things on some pages, like this trying to disable ctrl-c at all.
BTW. I think in Opera by default JS can’t detect or modify usage of contect menu after right-click. (This can be changed in settings).
Edited 2010-05-28 22:01 UTC
Since it blocks most of that crap in the first place.
It is amazing though how badly many people want to screw their own websites in terms of desirability. Every extra bit of ‘gee ain’t it neat’ crap – from javascript for goofy animations to flash based navigations – from auto-playing music to those annoying “site preview” popups on links… it’s just unnecessary bloat that gets between the user and what they actually went to the site for – the CONTENT.
Yeah, and what’s worse are those damn CSS windows that pop up right in your face – ‘We are conducting a survey’ or ‘Join our community!’ I mean, do these website operators not browse the web and understand how ANNOYING this is? The sure stupidity of these people blows my mind. It’s like, “Hey, people thought popup windows were annoying and started installing popup blockers, so let’s do it with CSS!!!!”
I weep for humanity.
I deeply second that. When I see those (almost) unblockable windows, it looks to me like web people will never learn unless we totally remove the ability for them to show any kind of pop-up alert, which is equally stupid because they prove to be pretty useful on e.g e-shopping sites…
Well ok, it does indeed put that crap in the clipboard, I’m using Firefox 3.6.3 on Arch Linux.
But I almost always just highlight the text I want, and then middle mouse click to paste it. Javascript can’t screw with something that has been part of X11 since as long as I can remember.
I must say, I’ve never run into that problem. Then again, the DNS server’s I use are very good at blocking this type of “bad technology”. For anyone interested:
67.21.4.100
71.249.184.157
205.232.175.67
They even block ads from Hulu (and bypass their ad block detection too!).
I have to point out that if these sites are coming up with original content then it’s fair enough for them to do this. While I don’t agree with the tracking side of it, I don’t see a problem limiting what you copy. If you want to link to their content then do so, but if you can’t be bothered to even write your own precis then why shouldn’t they block you?
I’ve been a reader of OSNews for many years now, and I like that the news is collected for me and presented well. Perhaps this is a good thing though, and will encourage more obvious links to the content creator’s site. It may even mean that we get a synopsis of a story rather than a random snippet of the story. I must admit I always assumed this site was driven by XML feeds until now!