Well, that was “fun”. Last week, we wrote a newsletter post about the state of Hackaday’s comments. We get good ones and bad ones, and almost all the time, we leave you all up to your own devices. But every once in a while, it’s good to remind people to be nice to our fellow hackers who get featured here, because after all they are the people doing the work that gives us something to read and write about. The whole point of the comment section is for you all to help them, or other Hackaday readers who want to follow in their footsteps.
Someone decided to let loose a comment-reporting attack. It works like this: you hit the “report comment” button on a given comment multiple times from multiple different IP addresses, and our system sends the comments back to moderation until a human editor can re-approve them. Given the context of an article about moderation, most everyone whose comment disappeared thought that we were behind it. When more than 300 comments were suddenly sitting in the moderation queue, our weekend editors figured something was up and started un-flagging comments as fast as they could. Order was eventually restored, but it was ugly for a while.
We’ve had these attacks before, but probably only a handful of times over the last ten years, and there’s basically nothing we can do to prevent them that won’t also prevent you all from flagging honestly abusive or spammy comments. (For which, thanks! It helps keep Hackaday’s comments clean.) Why doesn’t it happen all the time? Most of you all are just good people. Thanks for that, too!
But despite the interruption, we got a good discussion started about how to make a comment section thrive. A valid critique of our current system that was particularly evident during the hack is that the reported comment mechanism is entirely opaque. A “your comment is being moderated” placeholder would be a lot nicer than simply having the comment disappear. We’ll have to look into that.
You were basically divided down the middle about whether an upvote/downvote system like on Reddit or Slashdot would serve us well. Those tend to push more constructive comments up to the top, but they also create a popularity contest that can become its own mini-game, and that’s not necessarily always a good thing. Everyone seemed pretty convinced that our continuing to allow anonymous comments is the right choice, and we think it is simply because it removes a registration burden when someone new wants to write something insightful.
What else? If you could re-design the Hackaday comment section from scratch, what would you do? Or better yet, do you have any examples of similar (tech) communities that are particularly well run? How do they do it?
We spend our time either writing and searching for cool hacks, or moderating, and you can guess which we’d rather. At the end of the day, our comments are made up of Hackaday readers. So thanks to all of you who have, over the last week, thought twice and kept it nice.
Certainly needs moar 2FA, moar AI and moar capchas!!1! Moar = betterer, amirite?
What? No ray tracing?
I’m here!
Every day!
I just don’t comment much.
Thanks, Ray, I feel better knowing you are here.
Microservices! Microservices!!! :P
Quantum blockchain verification powered by machine learning!!1
Agile dark mode ICO!
Needs more blast processing!
Throttle the report button to perhaps one per second or longer. Keep the anonymous option please
“Throttle the report button to perhaps one per second or longer.”
The post says that reports came in from multiple IPs. A bit more work to throttle that. Further, someone planning on doing this kind of attack could just slow down how often they hit the link.
A delay wouldn’t work at all as many VPN providers have 100 IPs. The attacker would hop from IP to IP and once his loop returns to the first IP, he’d be past all cooldowns already.
I’m not saying captchas for reports, but they would be effective.
Is something so bad that you would make the effort to solve a captcha for it? If the answer is yes, then it was probably report worthy and bad. Like a strong slur.
If it was just anger, I doubt someone has the air to solve 100 captchas for his evil pleasure.
VPNs make the IP address blocking workaround trivial. It’s not like when we were kids and having multiple IP addresses at your command was interesting. And having to access them uphill in the snow…
The captcha idea is interesting, but horrible. I hate captchas. And we’re almost getting to the point where image-recognition routines work as well as I do anyway. I don’t even know if the little bit of a motorcycle in that frame counts or not.
Thanks for your input Mr Williams, it is worth a shot though. If it wasn’t a VPN then I only know IPv6 mobile phone operators (with IPv4 NAT) having enough IPs for this kind of attack. The attacker would do it from both PC and phone (airplane mode on/off to cycle). Was it a commercial ISP for the average Joe in the attack?
Otherwise yes captchas can by bypassed, but I like some. Usually what is “6+3” type result below. They are easy to solve, both for humans and robots. But if it is an automated script, our adversary will need extra work over time.
In the end it boils down to what plugins this website can utilize with minimum effort.
Alternatively consider this: If an article has a long moderation queue maybe it is for the best to block all further reports as an investigation of the entire comment section may be required.
10% of comments are already flagged. The report button is now offline.
Worth a thought?
What if the captcha only appears when a threshold has been reached? If there’s suddenly an anomaly in reporting, then captcha gets turned on.
On this subject, the report button is very easy to hit while scrolling the page on a touchscreen device. A confirm dialog might help
That happened to me, too!
Yes and yes. Agreed.
+1 to this, confirm buttons should be way more common. If done with as little intrustion as possible, it could really help people who are prone to mistap or misclick due to jitters, poor eyesight, or inattention. For me its the latter, especially when browsing tired. I’ve found myself browsing 2 wikipedia articles away from where I last opened my eyes. And no, I have not landed on the Random Walk Down Wall Street article yet.
A confirm with a couple of second delay / countdown would help accidentally hitting report and slow down spammy report
And also the reply button. You don’t even have to “click” (touch and release, on mobile) on the reply link to get it to expand. Placing your finger anywhere near reply while starting a swiping scroll action expands the whole drawer, which is very annoying when trying to just quickly scroll the comments.
I wasn’t planning to reply to your comment, but my browser decided I was going to, while I was scrolling.
+1, please make this stop. Long time reader and I don’t remember it happening before a few months ago. it’s very annoying.
Otherwise, awesome site – keep up the great work!
To solve both problems at once, here’s what some sites do:
Clicking the button starts some JavaScript which hashes a string. It’s hashed many times, much like passwords are. It takes 1-2 seconds for the browser to do this operation. Then the “confirm” button posts the result to the server.
This approach:
Stops accidental clicks from humans
Stops accidental “clicks” from poorly-written spiders
Slows down attacks so maybe it’s not worth their while
is this actually a thing, do web developers waste cpu cycles just for a delay? my daily driver laptops are ten year old ultra low power cpus. the only thing that makes them feel slow is browsing the web. i had assumed it was the ads. i guess you should never attribute to malice what could be attributed to laziness.
It’s not just a delay, but a cryptographically provable delay, which could have useful applications such as slowing down attacks. This is also my first time hearing about it, though.
Maybe move the report button to the left or middle… Most folks are right handed and scrolling puts the thumb right on the report button.
I’m right handed, but scroll with my left thumb! Using my right to drink a coffee while reading this right now!
What about adding a captcha to the report button to act as a confirmation dialogue?
I thought they’d added that already, at some point in the past few years, after previous requests for it.
I’m surprised a site called HackADay isn’t hacked more often, it’s almost an invitation!
Would it be better though?
They are just a little behind schedule. Happens to the best of us.
I think it’s the idea of don’t defecate where you lay your head that keeps it from happening most often. The people who might be inclined to hack it are probably the most prolific posters.
If they’ll go after archive.org, they’ll go after anyone.
Someone with a working proxy list wrote eight lines of python-selenium?
I’ll quote what someone said in that post’s comments: “I see where this is going”
The iron is there was recently a post about that Doctorow(?) guy complaining about the dumbing-down and censorship state of the modern internet, and a hand full of obvious old-heads talking about the barrier of entry being gone..
Not even that, it just was three lines of AutoHotkey and a single search-replace regex in Notepad++. Don’t ask me how I know (;
Yes, we know you did it and gloated about it through multiple comments.
It’s not something to be proud of.
Grow up.
Please, do not implement registration. It will not stop spammers, they will find a way to register multiple accounts. It will just be an annoyance to ordinary users. Current state is ok, there is just one issue, multiple people can use same name, ie I noticed at least one or two more Martins. But it is not big problem.
Some transparency on moderation, as noted in article, would be nice.
And Seth’s comment is also correct, it is too easy to accidentally click on report button.
btw Why don’t I get new comments on email anymore even when I toggle this option?
Maybe if you do register you can snag your name, but if you don’t you can’t use a registered name?
There are several Johns running around too, but if I don’t care, why should anyone else? I don’t get cranky all that often.
That could be mitigated by allowing avatars and providing, for people without a WordPress or Gravatar account with the same email address, one or another of those algorithmically generated avatar designs that are based on a hash of your email address or something like that. I assume WordPress has that built in or otherwise easily addable, because I see them all over the place in other blogs’ comment sections.
I’ve tried it a few times, though many years ago, and I remember it would send you a confirmation email every time, and you’d have to click on a link in that before the notifications would be sent, so make sure you’re doing that if it still works that way.
What doesn’t work currently in my experience is the other option, “Save my name, email, and website in this browser for the next time I comment.” I turn that on every single time I comment, and, every single next time I comment, I have to type in my details again. (I don’t see any cookies being blocked.)
Speaking as a guy who both coded and admin’d a slashdot fork for eight years, I wouldn’t advise something like that. It absolutely turns into a popularity contest immediately. Yes, in theory it has some benefits but human nature being what it is, the downsides far outweigh them.
Crowd wisdom is seldom wise.
I do think an upvote / downvote system would be useful, but NOT to sort by it. In other words, the comments stay in the same order as they do now, buthtey have a +/- counter beside them.
Fully agree with the “accidentally hit the ‘report’ button”. A captcha would be very useful for that.
This would be my proposal as well, adding voting but not sorting by it. If we had voting, I would have just upvoted your comment rather than replying just to say I agree. And I bet several other people would have also upvoted it rather than just scrolling past while thinking “yeah, that!” to themselves due to laziness and not wanting to clutter the comment section with “this!” comments. (Of course, if we already had voting, your comment, and agreeing with it in any way, would be unnecessary.)
I agree with this. I avoid all those sites for a very good reason. Not just that most people disagree with me on somehow everything, but that it basically turns everything into all the bad parts of highschool.
The comment section of hackaday is one of the greatest sources of wisdom I’ve found. It beats the pants off of those question sites, and I’d probably stop reading the comments if it went that route. Might even abandon the site.
An upvote-downvote system without a visible “score” next to the comment could be nice. Ideally a set of more meaningful metrics like “helpful” “thanks” “report harassment” “report spam”.
Might be too much to ask for, and would make the comments section a project in itself, but if theres a place to try something new, why not a community full of makers, tinkers, and hackers?
The moderator is both a strength, and a weakness when overwhelmed.
Edit button: as a hidden email address has to be provided in order to post a comment, couldn’t an edit button be provided which prompted for the same email address and only allowed an edit when they match? Possibly only for a limited time after posting?
Next you are going to ask for world peace, fusion cars, and accessible healthcare. We’ll probably see those before hackaday comment edits
(Chuckle!)
+1. Since most contributors are “good humans” how about empowering them to increase their comment quality even more with an edit button? Instead of putting effort into thwart the negative use it to enhance to positive!
I think everyone has been advocating for this for a while, I certainly have. But what if an email was sent to your email address allowing you to edit the comment?
But it’s fun I finally got mine hack featured at hackaday.
Hack a day is the Facebook of diy/tech news. Something gets posted and either ppl attack the article writer for not knowing anything and putting up a word salad to ppl attacking each other. What I am saying is this site is just a bunch of salty ppl. If I ran this site I wouldn’t have a comment section. Maybe at most a thumbs up and down rating on the article. Just have articles and call it good. If you want ppl to have a penny for their thought then open up a old school billboard forum.
The comments are often where the really useful information is. Have you see who comments here? Dave Haynie, Bil Herd, Even Upton, the guy from Expressif, some real tech royalty. Don’t even think of getting rid of the comments
I think a best of both worlds is that reported commments are “collapsed” and need a click to open that thread with a highbar to deletion.
Similarly longer reply chains would be collapsed by default.
There’s not much downside if you like the thread you can open it up, people will see a wider variety of comments (since they will see the start of more threads).
Upsides, it will discharage long response chains. Finally it feels more transparent. And it might reduce bandwidth usage if unwieldy long chains are not loaded (?maybe…).
If nothing else a simple “collapse this chain of comments” button would be great!
I would also support this to collapse the chain of arguments between insightful comments.
That’s a good one. Thanks. Will scour around for plugins.
This still doesn’t really solve the report spam abuse issue.
Hiding reported comments is still effectively allowing people to censor stuff from others by spamming the report button. It’s just a softer version where you can still read the controversial comments, but only if you’re curious enough or you already don’t agree. This is a propaganda tactic where you suppress dissenting opinion without completely denying it by simply forcing more attention to the side of the discussion you want.
Do you see the problem? Commenter A posts “I think this common but discredited opinion is correct”, then others chime in to say “No it’s not, you’re wrong…” and commenter A or their buddies come back and spam the report button to collapse all the nay-saying replies. This has the effect that when new people come in, they will see A’s comment and not the replies – sustaining the common but discredited opinion. If they don’t see a reason to disagree, they’re more likely to just scroll by without looking at the replies.
Also, the report feature on HaD has been abused since day one. People go around old articles clicking report and sending messages they don’t like away for review, not only disrupting conversation as it’s going but attempting to erase past conversations in the hopes that the moderators are lazy. It works surprisingly well: I’ve commented on this before that HaD comment sections seem to be “scrubbed clean” after about two weeks. All the controversy goes away as if by magic. Maybe there are insiders…
The whole process shapes how the moderators behave on a subconscious level – because allowing what keeps getting reported just means more work for you as it keeps coming back. However, what seems to be the “community spirit” is more than likely just one or two determined individuals who have taken on the task of reporting everything they don’t like and “astroturfing” the whole thing.
I haven’t seen that “scrubbing clean”, though I don’t expect I would’ve, so I’ll have to try to watch for it. A solution to that could be to set it up somehow so that once a moderator has approved a comment (once, or maybe twice?) that comment is no longer reportable, or further reports on it have no effect.
I write quite a lot of comments on the KiCad forum and I like the way the Discourse forum software works. You do have to create an account before you can post, and the forum software gradually releases more functionality (such as uploading files, or the number of allowed links) when users are active and gain some “trust”. It also adds different “weights” to reporting posts. When an “experienced” user reports a post, it gets flagged immediately, but when a beginner flags a post, it might make take two or more (probably adjustable) flags before a post is hidden. When a post gets flagged, discourse also sends an email alert to the person who got flagged. This gives them an opportunity to edit their post, after which it is made visible again. When a post gets flagged for a 2nd time, it stays flagged pending human review.
In the past I’ve seen several people complaining in the comments about disappearing posts. There is no feedback at all to whoever created the post.
Having read through the comments, this seems like the most reasonable system. Rewards long-standing contributors, incentivises new-users to contribute more, all while not penalizing those who prefer to stay anonymous
You really do, and I appreciate your effort. Thank you.
This “feature” is the main reason I’ve disliked and distrusted Discourse since I first learned about it (from its own website, when it was new), despite by now having used it on multiple websites* ** where found it generally pleasant and liked many of its other innovative features. This “feature” (with the same developer(s) responsible for it, IIRC) is also the main reason I’ve never joined Stack Exchange.** I just refuse to subject myself to that kind of infantilization. New users can have legitimate need for “advanced” features, and can understand how to use them, just as much as established users can.
I had another paragraph in the middle here, but I don’t remember what it said. (I had to reconstruct this comment from memory after it failed to post—or maybe after it got sent for moderation due to nothing other than length, despite my successful posting of a few other comments here earlier, but there’s no way for me to know if that’s why it’s not showing up, because it doesn’t say. I have no form recovery extension in this browser and forgot to select all and copy before submitting.)
Sure, crowd-moderation features (if the site owners even want to have that) could be abused using new accounts created for that purpose, but I think that risk is a lot smaller than a lot of people seem to, and it’s easy to mitigate by requiring approval by an established user for any moderation action desired to be taken by a new user (so, e.g., established users can take moderation actions with immediate effect, while new users can put bad posts into a queue for quicker attention by established users) and/or requiring users to post at least once, without that post getting removed, before getting access to moderation functionality (which would slow down a censorship attack, as well as ensure any account with moderation ability is not effectively invisible to other users***), and you didn’t include crowd-moderation features in the examples you listed.
*I think I haven’t actually used a Discourse forum that didn’t disable or at least restrict this “progressive disclosure” (I think it’s called) functionality, which probably contributed to my finding the experience generally pleasant.
**This is part of the reason (though not a necessary one for me to hold my position, but it might sway others): When you’ve used Discourse on one website and learned how to use it, the next Discourse forum you join treats you as someone who’s never used Discourse before and therefore must have no idea how to responsibly use a forum. I think it works the same way between Stack Exchange sites, except the software there is connected between all of the sites and can see that you’re not new to the software or to abiding by the network-wide rules and etiquette.
***In the first version of my comment, this had the weakness that an attacker could use their multiple accounts to remove each other’s first posts and become invisible again in terms of posted content, but in this reconstructed version I added “without that post getting removed” to mitigate that. That should also help by automatically denying moderation features to, e.g., spammers whose first posts are removed by legitimate users.
Well, this one went through immediately, and the earlier one is still not here, so I guess it just failed. Too bad: I was going to post a link to a diff if both ended up showing up.
Also, I learned horizontal rules don’t seem to work in comments here. I tried to put one above the footnotes, but I don’t see anything there.
U wot m8?
Are you the real Dave Jones or the fake one?
I think the fake one. The real one would have known “u wot m8” must be followed by “I’ll ‘ave you, I swear on mi mam!”
Nah, u wot m8 is Britishish. Dave is Aussieish.
Certainly a fake though.
And still no edit button…
Sorry, you have to buy premium for that!
I suppose you could put a captcha type thing in the comment-reporting function. That’d at least slow them down a little.
Difficult, thanks for sharing the work you do. Could perhaps follow the report comment with a “not a robot” style verification, that makes it slower to report and help ensure only serious things are reported? That likely has been thought of already though…
Yes, including in the comment you replied to…
Have some point/role system where eligible users can step up and become moderators. Then the admins only have to regulate these community workers.
Oh god, not Reddit style…. That site has been ruined by too many moderators with god complexes. HAD a isn’t that bad (yet), kimplement points and it will be!
I did something similar to this in the late 2000s when i was a kid, used to be this chat site called Meebo. The entire site was flash based and stored data using the SOL(Shared Object Language, i think) file format. I made a small C# WinForms application that replaced every byte in the SOL file with 0 and locked the file by keeping the stream open. It opened several instances of the room I targeted in new browser objects and simulated clicks on each of them to “warn/report” every user. Since it couldn’t save your guest information in an SOL file it would trick the site into thinking every instance you opened was a new user. Eventually every user would be warned enough that it got everyone banned.
Looking back it’s not as funny as i thought it was.
We’ve all done something like this in our youth. Mine was targeting people I didn’t like at LANs by filling their writable shares with 0 byte files so they would run out of inodes. Windows would tell them the hard drive is full with hundreds of GB left.
Good to hear you’ve matured from it, unlike the person who performed this attack
Article reported for giving hope
Requests
1. Ability to edit
2. If a comment is deleted, the non-offensive replies DO NOT get deleted
3. It’s funny that when a comment or comment tree is deleted the total number of comments doesn’t change so you can easily tell when like half the comments got wiped out – keep that.
Perhaps a placeholder could be put up in place of the deleted comment, such as something saying “Comment Deleted”, or something like that. It would make such instances easier to follow for anyone who came along too late to see the original comment.
This would be a useful contextual clue
i think the ability to edit with anonymous comments can get out of hand. what keeps you from editing someone else’s post?
Indeed, and even if you can find a way to ‘avoid’ that which assuming everyone is OK with a functional Cookie and using the same browser for everything is plausible enough it really doesn’t the comments any good IMO. What do we all gain by correcting a bum spelling, or having the person who was factually incorrect etc amend the original comment without acknowledging the mistake and thus making the whole comment chain afterwards rather hard to parse.
As sure I’ve made a few grammar and spelling errors that bug me immensely, and made comments where my intended meaning was far less than clear and no doubt a few other types of screwups I don’t recall. But for that there is that nice freindly reply button to add a NB or PS clarification to your original idea if you need to – only downside to the ‘anonymous’ nature is anybody could appear to be anybody else with these corrections. But as this community really isn’t that toxic and the moderation team do a good job clearing out the bovine excrement….
If When you put an email into the comments section it sent you a link with like let’s say a 5 day expiry to edit your comment. That would be great.
As someone else commented, you have to leave an email address to comment so just make that email address required for the edit.
last thing I remember, we looked extensively into a plugin for that, and the only option we really had, didn’t pass the security audit.
this would leave a ton of replies out-of-context – I’ve seen it happen accidentally, it’s a mess. IMHO if you write a seriously asocial comment, prepare it to be gone.
That’s not even true in the slightest. Only the non-reported child comments missing its parent are shown in the count.
I’m not sure it was wise to leave attack instructions on a maker-oriented site…
What about requiring a captcha when a comment is reported?
I’ve accidentally hit Report comment a few times when I wanted to reply. By the time the “wrong color” cue popped up in my brain, the click command was already sent to my fingers.
Sorry!
Happens to me too. My brain sees the “R” and interprets it as “reply”.
Moving the report link (maybe to the top?) might fix this.
Also, telling it to save my info for next time doesn’t work. Don’t know if this is some interaction with my GDPR selection that I vaguely recall making, or a browser setting (iOS/Safari), or what, but it makes me comment less and I’m too lazy to chase it down.
Might help to put a “really? y/n” popup on the report button, perhaps with a “why?” field.
Some time ago the comment function worked on my laptop for a short time*), I didn’t change anything, not even restarted the browser. That was great, since the laptop has a real keyboard, and the auxiliary tablet I have to use now doesn’t. I don’t know if there was an update on the server side or a hiccup on the user side, though, but this seems the right place to mention it.
*) now there is a placeholder with a link to jetpack.wordpress.com, as was before, instead of the text fields
A few years back, we greyed it out and made the font smaller, so it’s a smaller target.
A confirmation popup might be a good idea.
Sounds like you might be using uMatrix (or maybe another content-blocking extension, but I know that one at least puts a placeholder with the URL in place of blocked frames). I just fixed this recently in a new browser (which I’m commenting from now), so here’s what I did, in case it helps you. First, I allowed everything from wordpress.com. I didn’t try to figure out if only jetpack.wordpress.com is enough or if you actually need public-api.wordpress.com too, because the latter sounds innocuous and likely to be needed. I also didn’t test which types of request to those domains are needed—I’m just allowing everything but cookie, of which there are none there anyway. Then it still wasn’t working, so I had to allow s0.wp.com too—for that domain, I did find it needed both script and XHR, with css already being allowed (default for all domains) and nothing beyond those being requested. Then, because you’ve allowed new frames, you might need to force-reload (i.e., shift-click the reload button either in uMatrix or in the browser toolbar) to get them to actually load.
However, while I’m pretty sure it was working normally for me the other day, today submitting a comment never appears to complete, but reloading the page shows the comment published. I’m guessing that’s probably unrelated, because I didn’t change anything.
I’ve had the same problem with saving my info for many years in both Chrome and Firefox, on multiple computers. Very occasionally it does work, but probably for no more than a day or two out of a few years. I just checked and I’m allowing cookies for hackaday.com and not seeing any cookies at all for any other domains involved, so I guess that’s not the problem.
Perhaps an “Are you certain?” dialog box could be helpful for reporting comments.
especially problematic when you have a resident desk cat.
good news, it’s pretty harmless to hit a “Report” button as a stray, so don’t even worry – no need to leave an “oops accident” comments, either!
Oops just trying…
This. It is supper annoying without further confirmation.
I love the commitment to anonymous comments. Not having to keep track of a password or key and/or worrying that it will be leaked is wonderful peaceofmind.
Editing would be nice. Tho, I occasionally appreciate the finality of the “Comment” button since it promotes careful rereading and proofreading.
Perhaps a bit of lite markdown for formatting? With an option to read in plaintext for console browsing.
I very much appreciate the commitment to human moderation. Without AGI, programmable moderation will never understand the nuance of language well enough to distinguish when someone is being malicious or mistaken or just misunderstood, (let alone being jailbroken and wreaking havok across the site). By all means hang on to the spam filters and the tools you’re using to make the job easier, but by Crom, please keep those jobs in the capable hands of us ape-cousins for now.
All the formatting available here I know of is:
Let’s try and see what else works:
code?
bold?
italic?
italic (with double underscore)?
After I comment this we will know what works on HaD and what doesn’t
So HaD does have Markdown like formatting:
An arrow > is a quote
Code is formatted just like in Markdown
Bold is with a double underscore, italic with either an * or an _
With that information, I might become dangerous!
B^)
Do links work like markdown?
Hackaday
They do!
Images?
Heading 1
Heading 2
Heading 3
Images don’t work :(
Hmmm…
Heading 1?
Lists?
– 1
– 2
– 3
Lists???
+ first
+ second
+ third
I too would like to see an upvote/downvote, but not necessarily rearrange or prioritize comments depending on that. Along with that I’d like to see a “Ha Ha” button for all the hilarious and clever replies.
I like the up/downvote also, but the fear is that the top coments will always be jokes. Few monts go by and hackaday turns into another facebook.
Basically wouldn’t change anything.
Editing requires authentication, leads to other things, and really: who cares? You screw up, say something wrong, whatever. I’m human, I eff up all the time.
Upvote/downvote just leads to the mini game like you said.
Only thing is maybe add a confirmation to report. That’s it.
I agree. Sometimes I realize I’ve made a spelling error or wanted to add something where editing would be nice… But at the cost of adding authentication to the comments sections, I’d stick to the way it is… We’ll get by :) .
No up/down vote for me. No need.
Leave the way it is.
One site I belong to gives you a 3 minute window in which to edit. This works pretty good. Another option is a forced preview: your first submit goes to a preview window, with a back button for editing, and another to post.
And yes there should be a confirm step in reporting comments, and maybe a field to enter a reason.
Don’t use WordPress. Force a cookie along with a fingerprinting script. Block cloud providers.Geofence IPs allowing trusted countries and territories. Block useragents and inspect Chrome’s for useragent randomization. Allowlist previous good IPs after approval. Use regex to block content. Consider captchas. Use hidden form inputs. Hire more professionals. The list goes on, but I don’t like fighting WordPress’ editor.
The “web version of the newsletter” link this 2024 article is a part of goes to an undated page whose content appears to have been last updated in 2020, including all of the links off of said page? Either the link is the wrong one or something isn’t updating like you think on that newsletter sight. I didn’t see any controls for going to latest, etc., either.
“Geofence IPs allowing trusted countries and territories.”
And consider how stylish brown shirts would look? Shirley you’re not Sirius.
Don’t worry about going down a rabbit hole, worry about going down a snakehole. There’s one NY paper, not the Times, that trashes one-word comments like “flower” and “love” from one of my personas. I probably brought it on by overusing sexual innuendo, yah braa, I said it.
As long as the overuse goes in-you-endo, and not mine, fine!
B^)
Are you trying for a record for most bad ideas in a single comment? In case you’re actually not trolling, or in case somebody else sees this and thinks these are good ideas, here’s what I think.
“Don’t use WordPress”: I bet it would be a lot of work to find a good alternative and then switch to it, and WordPress looks like it’s working pretty well for them (from my point of view on the outside). What’s wrong with it?
“Force a cookie along with a fingerprinting script”: I think (and hope) that Hackaday would be against doing such things.
“Block cloud providers”: Then you’ll block most/all VPN, Tor, etc., users—and I expect Hackaday has more of those than most sites.
“Geofence IPs allowing trusted countries and territories”: Already responded to, but I’ll add that a not-insignificant number of the projects I’ve seen here over the years have come from Russia and other countries you might list as “untrustworthy”. Ukraine has also been known as a country from which many cyberattacks have come; when the war is over, I bet we’ll see a lot of content from there, as people get to do the projects they’ve had to put off, and get time and safety to document any war-related ones they did.
“Block useragents and inspect Chrome’s for useragent randomization”: You know you can trivially set your user-agent string to anything you want? And I don’t know what you mean about Chrome and randomization. I thought Chrome’s string was now frozen for all time (not even incrementing the version number anymore) as part of Google’s push to deprecate the whole technology.
“Allowlist previous good IPs after approval”: I don’t see what harm this would cause in the absence of any other changes, but I also don’t see what good it’s supposed to do. If it’s supposed to allow exceptions to the above general blocks, how are the exceptional IP addresses discovered before anything good is allowed to come from them?
“Use regex to block content”: Maybe you should visit Scunthorpe and ask the people there if they support that idea.
“Consider captchas”: Been considered, apparently. [Elliot] spoke against implementing them somewhere above.
“Use hidden form inputs”: To what end?
“Hire more professionals”: And turn Hackaday into another professional industry news site with a white background while reducing the budget for in-depth content?
“I don’t like fighting WordPress’s editor”: Assuming you mean the comment editor, what do you mean? It’s just a plain text box with none of those formatting buttons that often have bugs.
I think in honor of the Hack in Hackaday, we should be able to attach arbitrary JavaScript to our posts.
A bit like what cloudflare expects to do with us?
Anonymous commenting is good. I have, very occasionally, posted comments that I thought would be helpful here, and on basically no other sites in many many years. It’s not entirely about the registration burden, though that is a big part of it. Another part is that it soothes my social anxiety.
Making personal attacks harder is definitely a positive aspect of anonymous posting. I don’t even post all that anonymously. I use my real name and email address, but no one can track it except the folks at hackaday, and John is such a ridiculously common name it might as well be a psuedonym. I should probably log in and use my account which is more anonymous or even make a new one that’s completely original in all contact methods, but meh. I like not logging in.
Sorry for clicking report on a comment here that didn’t need it just now – had to see if there was a captcha or any sort of automation slowdown mechanism in place, confirmation, and nope! (Figured I couldn’t do it on my own comment? Maybe it doesn’t matter). On mobile especially, that could get really easy to accidentally tap just in general, but for bots, some sort of challenge can be a hindrance to those attacks (even if modern AI and determined people can bypass it).
Don’t leave a door unlocked even if it takes 20sec to pick it type mindset.
Not sure how feasible it would be to do a system where it requires some user input to report – maybe it’s already there for known “spam” IPs?
I don’t think the system has any way of knowing that a comment is your own, because you’re not logged in even if you use the “save my info” option (and even if it actually works for you).
One should never need to “mass report” comments. If you do, you’re either the worst kind of person or performing an attacker, therefore, it seems to me that a good solution to your problem is a captcha solution. They are relatively cheap and greatly increase the difficulty of attack. On top of this, the “Report comment” link is right where my thumb goes if I’m scrolling on my phone. A confirmation is an oft requested feature anyway. This will make accidental reporting nearly impossible.
If you guys feel like you need to moderate (read delete) a comment, then you should “Say it with your chest”. None of this stealth delete a comment and a whole thread thing. The comment that got deleted should show up as deleted and a generic explanation for why it was deleted should replace the comment. That way we don’t lose entire threads of often insightful comments. Also it will help prevent abusive moderation by overly sensitive Hackaday writers. If we see every other comment on a story deleted, it will be telling. By it being obvious what was deleted and why, people will be able to trust the moderation more, and it will keep the moderators honest. I would also like an option to “Show moderated messages”. Again, I’m a big boy, I can handle the big mean internet, and I want to know sometimes what Hackaday thinks is “inappropriate”. This again, will lead to transparency. You can still stop run-away troll threads by disabling replying to moderated messages. Sure, people might “quote-reply”, but I don’t think that will be a big problem, and assuming the original moderation was reasonable, moderating these follow-ups would also be “reasonable”.
If you implement voting (which I think has more pros than cons), I would recommend not allowing down voting. People should be able to vote for things they think are insightful which might elevate those messages, but downvoting tends to be utilized more and against people you disagree with and not bad comments. Bad / Abusive things can be handled via reporting and not down voting.
For the love of all that is holy, please also add an edit capability. This could be accomplished via magic cookies that you get when you post that last for like an hour and have a guid that allows you to edit a comment you posted (the GUID being the secret key that for an hour allows editing of that post). This could be done without requiring full accounts or even severely impacting anonimity
I like your idea.
Show me the plugin!
We’ve been looking for a WordPress comment plugin that allows a) anonymnity b) editing and comes with c) security. So far, we have not found something that’s more than pick-two, and that’s not gonna cut it.
But surely someone out there knows more than we do. We’re mostly hardware folks.
Only robots are patient enough for captcha :( And personally it offends me that websites force me to work for Google in training their AI’s which in the end only want to become my overlords.
I would say there was no “hack” involved, just a fault in your website’s logic. If Alice, Bob, and Clark each want to report a comment, there’s a thing in computer science called “a unique record” and you only need to accept the first report. Otherwise what you have now is a stealth voting system. “Il faut cultiver notre jardin.”
I’ve read since the days of the b/w taped pictures, occasionally commenting. I very much like the anonymous contents since I don’t have to keep track of yet another login.
I don’t think a ranking system would add enough value to be worth it; it’s easy enough to read all 25-30 comments get on a good day. The occasional ginormous comment section would benefit from a “latest first / highlight new” function, though.
The report button could be in the middle. I keep hitting it by mistake since I read a fair bit on mobile, and it’s right where I scroll with my thumb.
Overall, this is one of the best comment sections on the internets. It’s very much quality over quantity. It’s not the 800+ answers to a reddit thread, but you do get three useful answers rather than 750 useless, 49 misleading and the actual answer down voted to oblivion.
my hack for new comments is [Strg]+[f] for the date … would be more efficient if the am/pm was between the date and the hour, but that is as it is
I’d love to see comments with insightful or informative points tagged onto it. I usually read the comments looking for the occasional gems that substantially add to the article. Having an option to sorry those to the top (slashdot style) would be great. Slashdot does a decent job of voting and moderating, not a bad place to refer to.
….. celebrity list should include William Shakespeare, Charles Dickens, Leonard Cohen, Taylor Swift, Brian Benchoff and the notably infantile style of one of the front runners for a certain election in November.
Agree bigly.
It’s not like voldemort. You can say his or her name and it won’t cause your keyboard to break. You do sound really silly when you act so afraid to say the name though. Grow up.
Not being silly. I’ve tried writing ‘The Name’ in the past and it always gets my comment auto thrown in some kind of bin. Word press must have an editable black list where this name has been added. I’m just glad that Benchoff isn’t in it (yet).
Or maybe just avoid politics on what one would assume is a non-political site…
Nuf said…
Never forget that hacking as a subject (hopefully) attracts people who know something about something, so the audience/stakeholders is a bunch that is rarely found elsewhere and should on the average be more dependable than those hanging out on other sites. (I’m conciously avoiding words like “clever” or “stupid” ;)). Flagging inappropriate comments, I think, should be enough to keep things clean… But: I love how silly comments quickly get corrected with facts, that’s something that should IMO be promoted (or at least not broken). So maybe introduce some kind of corrections instead of downvoting – yeah, why not hack the design as well? Instead of a thumbs down button, maybe give as a “you’re wrong” button (or a more polite “I think you’re wrong”), and force anyone who presses it to explain him/herself… Just an idea.
On the other hand, I kind of maybe possibly could find use for some sort of Hackaday Forum to ask these knowledgeable people something. (I need to find a glue to fix a broken polycarbonate part for my kettle, for example). Or maybe introduce an “open mic day” equivalent where people can get their questions answered. But I’m aware that that’s a whole other can of worms, so not insisting.
“I kind of maybe possibly could find use for some sort of Hackaday Forum to ask these knowledgeable people something.”
I so much agree!
There is a UK site that has such a forum, even subdivided into various categories e.g. microprocessors, repairs, homework questions, that I visit occasionally. But I do miss the Hackaday Forum of yor, it was nice to read k-wws (?) answers to various questions, but I seldom see their comments on the blog now.
You can ask questions here: https://hackaday.io/stack. I think that’s the official successor to the forum, though it functions more like a subreddit. It doesn’t seem to get a huge amount of traffic, though the forum never got much traffic from me, so I don’t know if it got much from others either.
Voting fosters formation of a hivemind, and the winning mindset is a lottery: will it be in favor of jokes, cynicism, or insight?
But please, do implement editable comments, even if limited to a few minutes after posting.
Changing the way comments are shown from newest first instead of oldest first. If a nasty/negative/troll comment gets in early then it enjoys front billing and lots of replies. Sorting by newest first also improves churn and gives all comments a spot to be seen.
I don’t agree with sorting messages “oldest first”: the replies to a message then always remain in chronological order and reading such comments becomes a real mess…
Maybe just top-level comments get sorted in reverse, then.
I think being able to sort the comments yourself would be very helpful.
A registered account and karma score does loads to gamify people to write reasonable comments.
I think we have different ideas of what reasonable means, and if you have to be tricked into being reasonable, that’s not very reasonable.
Where did my earlier comments go? Have the hackers hacked HackADay’s Hacked article?
I’ve reported this comment for being irreverent.
I’ve reported yours for being irrelevant!
B^)
I’ve reported yours for copying my idea.
I pressed “Report comment” by mistake.
And now my earlier comments are back this comment makes no sense, but I can’t delete it. Should I report myself?
The reply button is missing from Andrew’s comment, is there a limit to the number of nested replies or something?
Yes, that is the limit!
To continue, just use the last comment with the Reply button, and indicate who you are replying to.
I just reported my own comment cos I’m a hater :) jk
+1
One technique to consider is to monitor the average number of reports per comment on posts. If that metric goes crazy, say 4 or 5 times normal, then system can automatically switch that post to an “suspected attack mode” with a banner telling people what is going on and maybe a captcha or other step for reporting posts to make it tougher on bots.
Normalizing the metric as # reports/ #comments ensures popular articles don’t trip the metric just on volume. We are se similar metrics in factories for SPC or statistical process control to automatically detect if she mething goes wonky in the line
Elliot?
So have the 3 IPs that bombed the Report Comment queue been locked out?
It was a lot more than three IP addresses. But with VPNs, that’s really no barrier for anyone who’s sufficiently motivated.
Thanks!
Can you move the Reply link over a bit?
Currently it’s placed exactly where my left thumb touches for scrolling (I read HaD exclusively in my phone) which means I’m always hitting reply by mistake.
Love the comments otherwise. Often helpful or insightful and lead down interesting paths.
Looks like we’ve got a left-hander here.
Between this and the report button comments, it would seem both buttons should move to aid usability on mobile.
The annoying thing is the “Email me new comments”-option doesn’t work – at least not for newer articles. I recently (sept 27) got a reply notification on https://hackaday.com/2019/08/21/automatic-rewinder-makes-kite-retrieval-a-breeze/ and got some other notifications on articles from 2019 or earlier. So it seems there is something different in the e-mailing between older and newer articles. This means that when I comment and expect useful discussion, I just keep an article open for a few days and regularly check…
Thanks! I’ll put that on the figure-it-out list!
Thanks!
ArsTechnica has a great system where upvotes/downvotes do not influence the order of comments (they are ordered by time posted), rather they automatically hide a message behind a warning if it gets a significant amount of downvotes and put the top voted ones in a little “featured comments” box towards the top.
I think that is a good idea to help minimize spam comments if that ever becomes a problem.
No, no, no… This would suck big time…
Instead of the box one could link to “best comment in thread” when there are more than, say, 20 comments. With this link under the “thoughts” in the comment header it wouldn’t take any additional space, if that’s the problem.
(just brainstorming)
Yeah, I quit reading Ars Technica thanks to their comment system. The like-minded all gang up any anyone with differing points of view and it sucks. If you disagree with someone, you should be able to debate the topic and explain why you’re right or they’re wrong. In the ars system, if you can’t defend your pov, just downvote and forget it. The hive mind will back you up if you have high karma. That’s not a system to emulate.
Just leave comments up until a moderator takes them down manually. Problem solved. I’d rather deal with spam than have my posts disappear.
I read Hackaday via RSS, so I don’t see any comments.
I grew up on Usenet and never really liked comments on articles on websites.
I’m more comfortable with editorial choices made by a knowledgeable team across articles than comments from strangers.
You’re missing out on a lot of wonderful wisdom. This isn’t YouTube. These are highly intelligent people for the most part. I’ve learned a ton from these comments over the years.
As well as some good laughs. Ren is a lot of fun to read.
Even YouTube “isn’t YouTube”. You must be watching the wrong channels. Every technical channel I watch has amazing comments filled with insights from SMEs you’ll never find anywhere else, and I rarely see anything offensive or argumentative.
The comments section would certainly work better if it wasn’t managed by WordPress.
I am the owner of a site (bilingual, worldwide distribution) that I created twenty years ago. At the beginning I knew a little PHP, but not HTML/Javascript.
.
When I added a comments section, it was therefore made with an html form and a standard submit: it was immediately overwhelmed by spam.
I then tried to control this by analyzing the writing time of the message on the server side to avoid submission by robots, without success.
Finally I used Javascript (I know it’s bad, but I’m ashamed, so it’s less serious) and JQuery / AJAX with JS dialog boxes: no more spam!
As the solution was encouraging I also implemented the possibility to edit a comment, provided that it has not yet received a response.
I do the moderation, despite about 2000 comments / year, but since it’s a technical site, there are few poorly educated people.
Regardless of the comments, I also used htaccess to filter the main IP addresses of abuse, mainly VPN anonymizers and all the other internet thugs I’ve encountered:
– Amazon Data Service
– Amazonaw
– DataCamp
– MS Data Center/Web Hosting/Transit
– googleusercontent.com
– filtering against IP addresses from China (obviously).
etc.
By examining the NGINX connection logs, I also noticed that half of the traffic concerned requests to hack WordPress. This is logical since most website creators don’t want to bother mastering a real website development language.
It’s a bit like car theft: if you just use the stock “anti-theft security”, you’ll get your car stolen since all the bad guys can know the technology of the car manufacturers. But if you design your own anti-theft system, you have a better chance.
I should mention that website creation is not my job, I do it for fun and to take a break from embedded real-time C++ and mainframe database management.
So making a more powerful comments section on HaD shouldn’t be that hard ! ;-)
I’d have thought Eliot + crew would be able to edit .htaccess for this site? Basic stuff really.
But this does rely on “security by obscurity”, which we know is not really security at all.
Refer: hardcoded credentials, cisco type 7 passwords, etc
Have the HaD team ever considered running a community driven pentest, vulnerable and surface mapping exercise. Happy to help organise and/or participate.
Love you content and share with every cyber security cohort I teach. 🙏🤓
It seems to me that anyone who complains about the commenting on HaD must not have spent much time in the comment sections of many other sites on the nastywebs. The unpleasantness here is so mild—and often humorous—compared to most sites that I, at least, am not the slightest bit bothered by it. The only change I would like to see would be the addition of an edit function (because I hate seeing my errors cast in stone). I understand the issues with anonymous editing that have been described above, but surely there is a workaround. One option might be to allow only registered users to edit their comments (and only for a certain amount of time—say, five minutes after posting), with anonymous comments locked. Maybe not entirely “fair”, but I think it would be a reasonable compromise.
Comcast unable to remove from personal page.
Comcast removed all personal pages.;
https://prosefights2.org/irp2023/p101924/haxrootrap/haxrootrap.mp3
Besides editing, a nice-to-have might be the ability to collapse reply-threads. Sometimes a discussion about one tangent can get rather long, and it can be hard to scroll past it to find the next topic.