Sam Roberts wrote:

> Quoting jamesUNDERBARb / neurogami.com, on Mon, Nov 15, 2004 at 02:15:51AM +0900:

>>Quick summary: Much spam.  Much from bots. Quick hack to stop bot spam 
>>by requiring urls to use uppercase HTTP.  Still spam from humans; at 
>>least make them work for it.
> 
> 
> Understood. I'm starting to like the login/passwd idea, though. At least
> internet users understand the mechanism. The capitalize all HTTP thing
> is more like a secret handshake!

Yes, very much so.

Thinking out loud:

The choice seems to depend on where best to shift the burden or cost of 
maintenance and compliance.  Using a login system, code must be added to 
manage it, which is a one-time cost, but there is also a recurring cost 
of checking that users are not abusing privileges.  Users may also 
forget their passwords, so one can either write code to manage that 
part, or carry the admin burden of manually providing the password.  For 
users, though, the system is familiar and easy, and password management 
is often built into the Web browser, so there is little to do once a 
login is obtained.

With the secret handshake approach, there is also a one-time code cost, 
but it is arguably much lower than the cost of a password system.  The 
burden of compliance is carried more by the user, who must go figure out 
the handshake.  There is a recurring admin cost of monitoring for spam, 
but that may always be the case no matter what.  And users tend to be 
the ones reporting spam, not a site admin.  Users also carry a recurring 
cost, having to employ the handshake for any post that includes a URL.

If the handshake needs to change, the overall cost is going to be much 
lower for the administrator than for users.

In general, what are the criteria when deciding how to assign such 
costs?  Partly it has to do with barriers to entry, so another question 
might be, what sort of barriers to participation produce the most useful 
or interesting results?


James