CommentSystem


Page Created: 7/31/2014   Last Modified: 4/14/2018   Last Generated: 5/6/2024

The comment system is designed to allow reader feedback for particular pages. It is not intended to be a forum or track conversation threads. It was custom built by me since I didn't want to use a 3rd party service or set up a complicated dynamic server and database that I would have to manage. It is minimalistic on purpose.

It also has the ability to send private messages to me via the contact link found on the AboutThisSite page. Please note that all of your information is sent in clear text (unencrypted) over the Internet.

For the public comment pages, the comment system doesn't make you create accounts or require passwords. It doesn't want to know who you are and requests a first name or pseudonym only. It doesn't ask for or intentionally track any personally identifiable information other than IP addresses, which it uses for a short time for spam filtering. All of this makes it easy on me, easy on you, and computationally easy for the tiny Raspberry Pis on which it is running.

By leaving a public comment on one of the Comments pages, you agree that you are the original author of your comment and that you license it under the Creative Commons Attribution 4.0 International License. The comment will be attributed to you only under the first name or pseudonym that you enter and the ID that was generated (see below). Full names are not allowed, since I cannot verify who you are, and only letters and numbers are allowed in the name, with no spaces. Only basic punctuation (comma, period, question mark, exclamation mark, hyphen) is allowed in the comment itself and other symbols will be removed.

I do not want a copyright to your comment, as this information is your creation, but I just need to be free to share your comment with others (which is the only reason you should be leaving this public comment in the first place). I always retain the right to remove or delete your comment from my site at any time, and by licensing your Comment under that Creative Commons license, you cannot revoke your license (which also means that you cannot remove your comment once posted).

The private contact function on the AboutThisSite page is different: your message will not be made public, and the system records your IP address and User-Agent string and requires a real name and an optional e-mail address. If you don't want to provide this to me, then please don't send me a private message. Just post publicly on one of the Comments pages (if it isn't full). I rarely respond to messages, so please don't send me anything private unless there is something important. I am not a social networker.

Commenting systems are hard to build. The main web site is static and simple, but the commenting system is about 3 times larger underneath. By nature, it has to be dynamic. It has to receive input from you, and this puts an extra burden on the servers and opens it up to spam and security exploits. So most people don't build their own. But I knew of no way to run a commenting system that worked reliably on the Raspberry Pi unless I built one. See OswaldCluster for more details on this project.

To allow people to see the "signal in the noise", I run your comments through several filters before they finally become visible.

The CAPTCHA

The first is a knowledge captcha. The system will ask you a random question and expect the correct answer. These questions should be very simple for human beings but difficult for Internet robots. I write the questions and answers, so if you can't answer them, then blame me. If you don't see a captcha question when you enter your comments, then you may need to refresh the page using your browser. If you still don't see the captcha, then my caching server may be temporarily offline. Also, it may be a good idea to copy your comment to your clipboard before posting just in case the system errors out. That way you can just re-paste it for a second attempt and do not have to re-type it all over again.

No linking or weird characters

I strip out any special characters (to prevent exploitation of software bugs). Comments are limited to the English alphabet. This also prevents direct URLs from being entered (which are used by many spam bots).

SPAM filtering

For the public comments, I compare your text statistically with known spam and non-spam (Bayesian filtering). What is initially decided to be spam or non-spam is flagged by me, not by any algorithm, but it takes time for it to get more reliable.

I do lots of other things too, but in short, if you submit a comment and it doesn't appear right away, it was blocked by the system. If I later find out it was blocked in error, I will unblock it.

First name only

For the public comments, you are required to enter a first name or pseudonym, but you are not allowed to enter a last name. If the system detects a space in your name, it will prevent the comment from being entered. If I see that a last name has been entered, I will remove the comment. Any names that you see on this site are not verified with any real world names, so last names should not be used.
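The character rules described on this page (names made of letters and numbers only, comments limited to English letters, digits and basic punctuation), written as an allowlist filter. This is an added example, not the site's own code; the function names and the length limits are assumptions.

```python
import re

# Allowlists follow the rules stated on this page.
NAME_RE = re.compile(r"[A-Za-z0-9]+")
COMMENT_DROP_RE = re.compile(r"[^A-Za-z0-9 ,.?!\-]")

MAX_NAME_LEN = 20       # assumed limit, the page gives no number
MAX_COMMENT_LEN = 1000  # assumed limit, the page gives no number


def validate_name(name):
    """Accept a first name or pseudonym: letters and digits only, no spaces.

    fullmatch() is used instead of ^...$ because $ also matches just
    before a trailing newline, which would let "John\\n" through.
    """
    if not 0 < len(name) <= MAX_NAME_LEN:
        raise ValueError("name is empty or too long")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be letters and numbers only, no spaces")
    return name


def sanitize_comment(text):
    """Remove every character outside the allowlist and tidy the spacing.

    Removal (not escaping) means markup, URL syntax and non-ASCII letters
    never reach storage or the generated page.
    """
    text = re.sub(r"\s+", " ", text)        # tabs and newlines become spaces
    cleaned = COMMENT_DROP_RE.sub("", text)  # drop everything not allowed
    cleaned = re.sub(r" {2,}", " ", cleaned).strip()
    if not cleaned:
        raise ValueError("nothing left after filtering")
    if len(cleaned) > MAX_COMMENT_LEN:
        raise ValueError("comment too long")
    return cleaned


if __name__ == "__main__":
    # Constructed sample input.
    raw = "Nice post! See http://spam.example/x?a=1 <script>alert(1)</script>"
    print(validate_name("John42"))
    print(sanitize_comment(raw))
```
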

ID is optional

Now, being anonymous can be beneficial, and I feel that allowing anonymity is essential to free speech and a free society, but it is also a dual-edged sword. Anyone can masquerade as anyone else, so you don't know if the "John" that left comments yesterday is the same "John" today.

So I provided a 4-character cryptography-based passcode as an option. When you leave a comment, a passcode is randomly generated and you are flagged to others as "NEW", as in a new person. You don't have to worry about this at all unless you want people to know that you are not a new person, but are the same person that left a comment before. If you write this passcode down and, when you submit future comments, replace the randomly generated passcode with the one you wrote down and use the same name you used previously, the system will no longer mark you as NEW.

People will see a 5-character ID next to your name that will not change (unless you decide to no longer use your 4-character passcode again and become NEW again).

Just make sure you don't get the 4-character passcode confused with the 5-character ID, since they both have the same random-like appearance. The 4-character passcode is your private passcode, but the 5-character ID is your public ID that everyone sees next to your name.

Do not type over the passcode with a word or something you made up, or it will weaken the security. It is best to just write down the passcode that was randomly generated.

If your optional ID is ever compromised...

If in the future, someone else gets a hold of your 4-character passcode and masquerades as you in the public comments, you can click the checkbox on the Comment form to mark your passcode as compromised and it will mark all of your comments as "COMPROMISED". It doesn't know when it was actually compromised, so it just marks them all. It can't take your word for it, because you could be the person who compromised the passcode. Once they are marked as compromised, then just begin using a new random passcode. You will start as NEW again for your first post. Please note that this won't mark all pages and it won't stop future comments. But any past comments on that page that anyone left during that time frame will be marked as compromised, which is the primary purpose of this option--to tell others that someone got a hold of your passcode at some point.

Please note that if your passcode is marked as compromised, it calls into question the unique authorship of all of your previous comments, and nobody can tell which ones were from which person. Some comments were yours, some were not. But it couldn't really be verified anyway, since we are just taking your word for it. But that's kind of how the real world works. If you type something on a piece of paper and have it delivered to someone, someone else can always intercept that delivery and substitute your piece of paper with their own. And we can't tell if you gave your passcode to a friend. There really is no way around this unless human beings somehow used quantum encryption to interface with the DNA of each unique individual or put some kind of chip in everyone's brain...but let's hope that day never occurs...
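One way the private passcode, the public ID, the NEW flag and the COMPROMISED flag described above could fit together. This is an added example, not the site's own code: the page does not say how the ID is derived, so the HMAC derivation, the 32-symbol alphabet, the server key and all names here are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: 32 unambiguous symbols
SERVER_KEY = secrets.token_bytes(32)  # assumed server secret; persist it in real use


def new_passcode():
    """Private passcode: 4 symbols from a CSPRNG, 32**4 = 1,048,576 values."""
    return "".join(secrets.choice(ALPHABET) for _ in range(4))


def public_id(name, passcode, key=SERVER_KEY):
    """Public 5-character ID. Keyed (HMAC), so the ID shown next to a name
    cannot be checked against guessed passcodes without the server key."""
    msg = name.encode() + b"\x00" + passcode.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:5]


class CommentPage:
    """One Comments page. seen_ids stands in for the memory cache of known IDs."""

    def __init__(self, seen_ids):
        self.seen_ids = seen_ids
        self.comments = []

    def post(self, name, passcode, text):
        cid = public_id(name, passcode)
        flag = "" if cid in self.seen_ids else "NEW"
        self.seen_ids.add(cid)
        self.comments.append({"name": name, "id": cid, "flag": flag, "text": text})
        return self.comments[-1]

    def mark_compromised(self, name, passcode):
        """Flag every comment on this page made under this name and passcode.
        The system cannot tell when the leak happened, so it flags them all."""
        cid = public_id(name, passcode)
        hits = [c for c in self.comments if c["id"] == cid]
        for c in hits:
            c["flag"] = "COMPROMISED"
        return len(hits)


if __name__ == "__main__":
    page = CommentPage(seen_ids=set())
    code = new_passcode()
    print(page.post("John", code, "First comment"))
    print(page.post("John", code, "Second comment"))
    print(page.mark_compromised("John", code), "comments flagged")
```

Because the ID depends on both the name and the passcode, the same passcode under a different name produces a different ID, and an empty `seen_ids` (a lost cache) yields NEW again with the ID unchanged.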

So if the system is hacked, nothing of value is lost. The system didn't know who you were to begin with, so there isn't any data for anyone to steal. If the system is hacked and modified or replaced by a malicious system...well that is out of my control and another story entirely. There is no way that I know of to ensure this will never occur. Even if I used cryptographic authentication, such as TLS, there have been cases where Certificate Authority servers have been hacked, so there is really no point in complicating the technology. Any organization with enough resources can do just about anything, including tracking down IP addresses to individual people or analyzing other types of patterns to get a unique signature. True point-to-point anonymity is almost physically impossible and if possible, it is probably in the realm of quantum physics, not mathematics. The moral is, don't say anything on this site that you wouldn't say in a physical place. Electronic communication is no different in this respect than sending a postcard in the mail.

Any private comments to me are immediately sent off the server to another place where I can read them and delete them. I don't keep them on the main servers like I do with the public comments. Again, you shouldn't send me anything that you wouldn't put in a postcard. I don't have much time to read them, so please don't send me anything unless it is important.

By the way, the system stores your NEW status in a memory caching server, for speed. If that server goes down, it may mark you as NEW again. Your ID won't change, and subsequent comments will work normally, but this may happen from time to time.

Comment limits

One last thing: there is also a limit on the size of each comment and the number of comments per page before the system locks it and does not allow more comments. This is because I don't have time to manage huge numbers of comments, and the resources on the tiny Raspberry Pis are small.