Archive for February, 2005

A picture of the next president?

Thursday, February 24th, 2005

via Instapundit.com.

I wonder how Democrats would react if the Republicans did nominate a black female for president in 2008. Barring any unknown skeletons in the closet, I for one would definitely like to see Condi run.

Sunday, February 20th, 2005

Brightest Galactic Flash Ever Detected Hits Earth: “Had this happened within 10 light-years of us, it would have severely damaged our atmosphere and possibly have triggered a mass extinction,” said Bryan Gaensler of the Harvard-Smithsonian Center for Astrophysics (CfA).

You know, you just gotta wonder… IF there is life on other planets, how much of it WAS affected by this? It’s kind of mind boggling to think about.

Canon Digital Rebel XT

Thursday, February 17th, 2005

via Instapundit - Rob Galbraith DPI: Canon unveils Digital Rebel XT

This looks like a very nice camera. The price range is very appealing.

Trackback and Comment Spam

Tuesday, February 8th, 2005

Last week my blog got hit with a bunch of trackbacks and comment spam. This week, I see that other folks are starting to gripe more about it. Since setting up TypeKey on my blog, comment spam has been rare for my blog, but trackback, which continues to be unauthenticated, continues to be a problem. Shelley over at Burningbird has a solution that involves simply turning trackback off and not dealing with it anymore. That’s one solution, but I think it gives in to the problem rather than working to actually deal with it.

Now, I am under no illusion that the spam problem can actually ever be eliminated, but I do think there are ways we can mitigate the problem so that more accountability is added to the system. Here’s one potential idea.

Rather than having a blog receive trackbacks/comments directly, allow them to use a third party “trackback service”. The trackback endpoint and resulting content would be hosted by the third party rather than on an individual’s blog. The trackback content would be spliced into the blog using JavaScript. The “trackback service” would require anyone sending trackbacks / comments to be authenticated. There could still be an option for having comments appear as anonymous, but at the trackback server, there would still be a traceable link between every trackback and comment to a specific user account that could be blacklisted if abused.

So what’s so new about this? MT, Blogger, etc all already have comment authentication and spammers get by it easily. Also, this just sounds like yet another pie-in-the-sky centralized authentication service idea. Several points:

It does not have to be centralized by any means. A federated trust model could be used to allow for distributed authentication. For instance, suppose a user is running a Movable Type blog. Their site uses TypeKey for authentication. Someone with a Blogger account comes and wants to leave a comment, or send a trackback from their blog. They would authenticate with their Blogger service, then send the comment/trackback to the MT user’s off-blog third-party trackback service along with an identity assertion from their Blogger service. The trackback service determines whether or not it trusts the Blogger identity service, uses some form of backchannel interaction to verify the token, then determines based on some set of policies whether or not to accept the comment/trackback.

The decision to allow comments/trackbacks can be based on a number of things. Throttling is an option. Payment is another. For instance, receiving trackbacks/comments could be done for free. Sending x number of trackbacks/comments per month could be done for free. Going above that limit could have various costs associated with it. A trackback service *could* require anyone wishing to send trackbacks/comments to provide a credit card / paypal / etc upon registration. Should a spammer set up an account, then start to spam, their accounts would be automatically throttled / blocked until payment is received. Of course, it is highly unlikely that they would ever pay, but that is not the point. The idea is to associate a cost with sending trackbacks/comments. Legitimate users would never/rarely bump up against those limits.

So why an off-blog service? Several reasons: first, it removes the extra processing burden that is placed on a blog that is dealing with a large amount of spam. Second, it physically removes the content of the trackback/comment from the blog it is associated with. The content would be spliced into the blog on the client side using JavaScript. The third party service could aggregate efforts to track and control known spammers (e.g. by blacklisting accounts, IP addresses, etc.) and deal with such things in a more efficient way than individual bloggers can.

Now, there are some folks who don’t like the idea of using some centralized service they have no control over. With a federated trust model and some form of standardized service interface that third party trackback services could implement, folks could deploy their own trackback services. They set up the service, establish the trust links with the authentication providers they want, establish their own throttling and control policies, etc. They can have as much control over the process as they want. For folks who don’t wish to go through the effort involved in such things, a third party service could make it easier for them.

Ok, so what about spammers that set up legitimate user accounts with various blog services (e.g. this one http://information.typepad.com)? They have access to an authentication service that my trackback service may trust, so how do I defend against them spamming my site? Again, it goes back to associating a cost with sending trackbacks/comments. This idea will not eliminate spam, but it could reduce it by associating costs. Because comments/trackbacks would be traceable to accounts rather than IP addresses, etc., they can more effectively be tracked and blacklisted as necessary. If a given authentication service fails to deal with problem users effectively, the trust relationship with them can be voided and users of that service blocked. Legitimate users of that service who find that they are no longer able to leave comments/trackbacks at other sites would either find new service providers or force the provider they’re using to deal with the problem.
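The acceptance policy described in the paragraphs above (trusted provider, backchannel check of the assertion, per-account throttling, account blacklisting, revoking a provider) as an added example that is not part of the original post. The class and method names, the 30-day window, the quota of 3 and the token table standing in for the backchannel call are all assumptions.

```python
import time
from collections import defaultdict, deque

MONTH = 30 * 24 * 3600  # throttling window in seconds (assumed value)

class TrackbackService:
    """Hypothetical off-blog trackback endpoint; all names here are illustrative."""

    def __init__(self, trusted_idps, free_per_month=3):
        # trusted_idps maps provider name -> verify(token) returning an account
        # id or None. The callable stands in for the backchannel token check.
        self.trusted_idps = dict(trusted_idps)
        self.free_per_month = free_per_month
        self.blacklist = set()          # (provider, account) pairs
        self.sent = defaultdict(deque)  # (provider, account) -> send times
        self.audit = []                 # every accepted ping, tied to an account

    def revoke_idp(self, idp):
        """Void the trust relationship with a provider that ignores abuse."""
        self.trusted_idps.pop(idp, None)

    def submit(self, idp, token, target, excerpt, anonymous=False, now=None):
        now = time.time() if now is None else now
        verify = self.trusted_idps.get(idp)
        if verify is None:
            return "rejected: untrusted identity provider"
        account = verify(token)
        if account is None:
            return "rejected: assertion failed verification"
        key = (idp, account)
        if key in self.blacklist:
            return "rejected: account blacklisted"
        window = self.sent[key]
        while window and now - window[0] >= MONTH:
            window.popleft()            # forget sends older than the window
        if len(window) >= self.free_per_month:
            return "throttled: free quota used, payment required"
        window.append(now)
        # Readers may see "anonymous", but the service keeps the real account.
        self.audit.append({"account": key, "target": target, "excerpt": excerpt,
                           "shown_as": "anonymous" if anonymous else account})
        return "accepted"

# Constructed sample provider: a token table in place of a real backchannel call.
BLOGGER_TOKENS = {"tok-alice": "alice", "tok-bulk": "bulk-sender"}

def demo():
    svc = TrackbackService({"blogger": BLOGGER_TOKENS.get}, free_per_month=3)
    url = "https://blog.example/post/1"
    return [svc.submit("blogger", "tok-bulk", url, "hi", now=t) for t in range(5)]
```

Because the quota and blacklist are keyed on the (provider, account) pair rather than an IP address, a sender who rotates addresses still hits the same limit.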

So what would be needed to make this happen?

1. The various blog authentication providers would need to get together and figure out how to federate their systems
2. A standardized spec for the “trackback service” would need to be developed
3. Policies that enforce sender accountability while not punishing legitimate users would need to be developed
4. Blog software and service providers would need to work together on this.

Goofy Woo-woo

Monday, February 7th, 2005

Someday I’m going to have to make up my own pseudo-science goofy woo-woo theory and see how many folks I can get to actually buy into it.

