Slashdot Mirror


User: anthony_dipierro

anthony_dipierro's activity in the archive.

Stories: 0 · Comments: 6,976

Comments · 6,976

  1. Re:A major point here seems to be.... on Wardriver Charged with Theft of Communications · · Score: 2, Interesting

    Then you've just admitted breaking the law in an open public forum. I'd be wary of doing that.

    Why? There's no other evidence. There's plenty of reasonable doubt. I could be lying.

    You used a resource that didn't belong to you just because you could.

    My reason wasn't because I could. My reason was that I wanted internet access.

    Saying you didn't do anything wrong because "It didn't cost them anything" is bullshit. Does that mean I can borrow your car without permission as long as I put gas in the tank and leave you money (31 cents a mile?) for wear and tear?

    No. That's different. We can't both use the car at the same time. I would say that you can use it whenever I don't need it, but since I'm a volunteer firefighter I could potentially need it at any time. So no, you can't borrow my car.

    You wouldn't go to jail for 10 years for what you did (unless you pissed off the DA or Judge). You would (in all likelihood) be prosecuted though.

    The law shouldn't allow me to go to jail at all for what I did. Certainly not for 10 years.

    Umm, because you DON'T HAVE PERMISSION. I'm sorry, but you don't go using something that belongs to somebody else without permission, unless it's some sort of life or death emergency.

    I'm sorry, I just don't follow that rule. If I can use something that "belongs" to someone else, and they aren't going to be harmed by my use of it, then I'm going to. If you need a pen, and you see one lying in front of you, do you go around looking for the owner of the pen, or do you just use it?

    Breaking into your neighbor's house to use his phone to report a gas leak in your house or a medical emergency is ok. Breaking into his house because (for whatever reason) your phone doesn't work and you want to make calls (local or not) is unacceptable.

    Sure, because it's breaking into someone's house. Even if you don't actually break anything, you could scare the shit out of the person if they're home or they come home and see you. It's completely different.

    I can take your lawn mower and mow my lawn without your permission -- that doesn't harm you as long as I put gas in it when I'm done. For some reason however I think any sane person would have a problem with me doing this.

    I guess I'm insane. You can borrow my lawn mower any time you want.

  2. Re:It's too late on California to Require Paper Voter Receipt · · Score: 1

    How do the voters know that the md5sum source code...?

    Look at it. The source to md5sum isn't that complicated. Then check it against a bunch of known test cases.

  3. Re:A major point here seems to be.... on Wardriver Charged with Theft of Communications · · Score: 2, Interesting

    If it was unintentional then you didn't break any laws.

    It was intentional. I wanted internet access, I found an open AP, and I used it.

    "My Internet connection went down so I used this one" that you did break the law.

    Yeah. I did. At least, the Canadian one. I don't know what the exact wording of the law is in the US.

    Saying "I didn't harm anyone" is a piss poor excuse.

    It's not really an excuse. To call it an excuse implies that I did something wrong in the first place.

    How do you know that the connection in question isn't billed on a per-use basis?

    I don't. If it was, then I did something wrong. I still shouldn't go to jail for 10 years, though.

    If your phone line stops working is it ok to start using your neighbor's just because your cordless phones happen to be the same model and your receiver will work with his base station?

    Sure, why not? As long as you're making a local call, and they have call waiting, and they aren't trying to use the phone, anyway.

    I don't see why it should be any different for Internet connections.

    The difference is that I can use other people's internet connection without harming anybody.

  4. Re:It's too late on California to Require Paper Voter Receipt · · Score: 1

    ok, so the voters are going to offload the code installed on the voting machines and assume that they're not only being given the code that's actually running, but that every machine is the same?

    You could just install md5sum on the voting machine itself.

    I can just see the election judge stopping everyone from voting because some guy with a laptop wants to personally verify each voting machine.

    No need to stop people from voting. These checks can take place before the voting begins.

    If not, then who does the verification? Who watches the watchers?

    Anyone who is listed on the ballot or registered as a write-in candidate certainly should be allowed to appoint someone. Really, I'd say anyone registered to vote in that district should be allowed to.

  5. Re:Don't journalists ever proofread this stuff? on Wardriver Charged with Theft of Communications · · Score: 1

    Linking war driving strongly to the child porn aspect and never mentioning that most people who do this aren't doing anything illegal with the information or access they're using.

    Wardriving doesn't even necessarily involve using the access, does it? I thought wardriving was simply looking for open access points, not necessarily using them.

  6. Re:Should the owner of the Wireless AP be blamed? on Wardriver Charged with Theft of Communications · · Score: 1

    Is the person who ran the unsecured AP in any way liable for what was done from his connection?

    Civilly, he could probably be found guilty of negligence, if someone is damaged through his connection. But in this case there's no one who was harmed by his negligence, so no.

    Criminally, there generally needs to be gross negligence involved (the mens rea), which there isn't, and there would need to be some kind of serious crime committed (the actus reus), which is basically impossible over the internet.

  7. Re:A major point here seems to be.... on Wardriver Charged with Theft of Communications · · Score: 4, Insightful

    And that's a bad thing?

    Absolutely. I read that law, and it's something that I've broken before myself. I was at work. Our internet connection went down. I happened to pick up an 802.11 signal from the place next door, so I used it.

    I didn't harm anyone. I certainly don't deserve to go to jail for 10 years for doing it.

  8. Re:It's too late on California to Require Paper Voter Receipt · · Score: 1

    How do the voters know that the source code they've seen is what's in the machine?

    md5sum?

  9. Re:and it's not enough on California to Require Paper Voter Receipt · · Score: 1

    I have a hard time accepting this often used stance against the choice of closed vs. open source in voting.

    I have a better reason. It's a waste of money for the government not to insist on an open source solution. Voting systems are going to be around for a long time. We shouldn't tie ourselves to a single company. Doing so is wasting the taxpayer's money.

  10. Re:And it needs to be ... on California to Require Paper Voter Receipt · · Score: 1

    Unfortunately, election rules, including voting machine standards, are governed by the state, not the federal government.

    The national government can and does regulate voting standards. In fact, the 14th, 15th, 19th, and 26th amendments, as well as article IV, Section 4, require it to.

  11. Re:What's so bad about this? on Man Arrested for 'Spam Rage' · · Score: 1

    Actually, it doesn't say anywhere in the article that the company did any of that. The emails may have come from third parties, and most likely the company did not create or install the adware.

  12. Re:Before anyone panics on Man Arrested for 'Spam Rage' · · Score: 1

    We're not talking about Slashdotters needing to worry about life in prison because they threatened to sue, or demand other ISPs cut off some spammer.

    Of course not. Just don't mention anthrax. Oh, shit, I said it...

  13. Re:Asking for a Presidential Pardon on Man Arrested for 'Spam Rage' · · Score: 1

    If that doesn't work maybe he could use the "Twinkie Defense".

    Claim that he was "suffering from a long-standing and untreated depression that diminished his capacity to distinguish right from wrong?"

  14. Re:Finally! on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    As quoted in many of the news articles, the house and senate members claim that there isn't a town hall meeting where they aren't asked to fix the SPAM problem.

    Too bad they don't have the power to fix the spam problem.

    The thing I find disturbing is that the bill only allows 'ISP's' to sue under the law and not individuals.

    Ick. That's kind of dumb. Of course, what individual is going to have the time, patience, and money to track down a spammer? Then again, what ISP is going to be able to do it? It's not going to be a very useful law. No law will be.

    I would have preferred an opt-in.

    No way. Opt-in is unconstitutional.

  15. Re:Wow, slashdot is ugly... on Retooling Slashdot with Web Standards · · Score: 1

    I see no reason to stick with the current look or layout, despite history.

    And laziness. Can't forget laziness.

  16. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    Five minutes per domain. The fact you have fifty million domains makes the problem five orders of magnitude harder.

    Not really, most people are bunched up on a small number of domains. Another huge number of domains don't run mail servers. You're usually targeting one country at a time, so you can ignore domains resolving in different countries. The work can be cut down to a quite manageable size.

    If you are going to search in a given domain there are much easier ways to do that.

    Such as? Obviously this is faster than sending out messages and waiting for a bounce, since you get an answer immediately, not an hour later (or sometimes not at all). It's also much less bandwidth intensive. And you don't have to give away your IP address and risk getting blocked.

    The objective here is to make harvesting addresses from the list harder than other harvesting techniques.

    And I don't think this will accomplish that.

    You do not need a huge level of security to achieve that, harvesting is so easy.

    You can get a large chunk scraping the web. But at some point you reach a limit, and continuing to harvest becomes counterproductive, as most new addresses are spamtraps anyway. Established spammers have already reached that limit. If your email address has appeared online it's probably already on many lists. As a nice bonus, this hashed list allows spammers to confirm the address.

    What we are doing here is avoiding a lengthy detour through the law courts with spammers attacking the spam law on first amendment grounds.

    Hey, I agree with the do-not-email list. I believe that that is the only way to make a constitutional law against spam. I've been saying that for months now. I'm just saying that one-way-hashing the list isn't going to accomplish much. And I've offered an alternative solution. Allow the ability to add full domains.

  17. Re:Finally.. on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    You don't read do you?

    Clearly I didn't read the law. That's why I prefaced my statement with the word "if."

    The California law is not unconstitutional.

    Yes it is.

    SCOTUS already declined to hear spammer appeals that any state laws were a burden on interstate commerce.

    Sure, they're waiting to see what Congress is going to do first. It's called judicial restraint.

  18. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    Who has the right to put, say, earthlink.net on the do-not-spam list?

    The owner of earthlink.net, who sets up the MX records and controls the mail servers.

    What if some of Earthlink's customers want to get spam?

    Well, it would be best done like a firewall list, where you can override the defaults. So *@earthlink.net is on the DNE list, but idiot@earthlink.net can get an override. Alternatively, if you want spam, find a service provider that's going to let you get spam.

    Unilaterally deciding that a customer isn't going to get a certain type of e-mail makes the lawyers nervous, and rightly so.

    Rightly so? No way. It's their servers, they can do whatever they want with them.

    Now let's go a step further - after all, you won't find the word "fred" in a dictionary.

    Depends on the dictionary. Obviously it wouldn't make sense to use a normal dictionary.

    So we'll have to add a list of common first names (maybe English-only, maybe not).

    Something the spammers already have.

    Maybe we'd better generate all possible addresses.

    Nope, that would be dumb. Take the list of email addresses you already have. Separate out the domain names. Run sort. Run uniq. Now run that through the list of domain names. You'll get 80, 90% right there.

    Now you're up to 8,975,162 days.

    That's why it's stupid to try to generate all possible addresses. Take a look at the source code for crack. Last time I ran that, on a company server, after telling everyone that I was going to do it, and that they better pick better passwords, I still got something like a 60% hit rate. And that's passwords, which people are supposed to try to make hard to guess. Once again, look at the source for that program. It doesn't try all combinations. That's idiotic. It runs through a dictionary (which includes names), it adds numbers, it truncates, it combines words. Still way fewer combinations, and completely doable.

    Don't forget to multiply that by the number of domains you're trying.

    And divide by the number of spamming machines that are available to do the work.

    And while you're considering whether it's worth the effort, keep in mind that you can buy a CD of "millions of e-mail addresses!" from countless other spammers.

    Sure. And once you create this list, you can be the one selling the CD of millions of e-mail addresses.

    And don't forget what I said earlier - a brute-force decrypted FTC list will give you a list of the least desirable people to market to.

    And I've agreed with that. I just think one-way hashing the list is pretty much useless.

  19. Wow, slashdot is ugly... on Retooling Slashdot with Web Standards · · Score: 5, Funny

    So I looked at the final example and I was just about to complain about how messed up it was. The words in the boxes on the right were all scrunched against the left edge. There were these stupid little dots in front of the links. It was just plain ugly. Then I went to the real site and realized it had always been that way, I just haven't paid attention to it.

  20. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    Of course this is not evenly populated, but the odd thing is that the usernames turn out to be more random than the average password.

    Of course the average password can be cracked in about 5 minutes if you have /etc/shadow and a copy of crack (that's what it's called, right, it's been so long since I've actually used it).

    Many usernames are surnames, many are compounds of initial plus surname, only a relative handful are commonly used names and those tend to get grabbed fast. So you have a pretty big search space, millions of possibilities and that for each one of fifty million domains.

    Well you don't have to get them all for this to be effective. Surnames will be easy. Initial plus surname will be easy. And what about those of us who are fortunate enough to have one of those commonly used names? Sure, you're not going to get every name at every domain, but in the first day you'll get plenty of addresses to get your spamming machines working until you find some more. Spammers already have the software to guess email addresses. With this list they can save a ton of time and bandwidth compared to sending to all these addresses and waiting for a bounce.

    I'm sorry, I have to say that one-way hashing the addresses is pretty much useless. Allowing people to add entire domains would be much more effective.

  21. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    Oh yeah, and I meant for the entire list of domain names, not just the 10 popular ones.

  22. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    Once I've done that, all I need to do is compare each of those 450,000 addresses to the FTC's 1,000,000 addresses and look for a match. That's 450,000,000,000 different combinations that I'm going to have to try.

    Sure, you can do some other things to optimize it (maybe take your encrypted list and the FTC's list and do some diff(1) tricks with it)...

    Wow. I can't believe I even let this slip through. It's nowhere near that hard. You sort both lists, and we're talking about an O(1,000,000) job, not an O(450,000,000,000) job.

    The hard part is generating the list, not matching things up. I could probably have the whole thing cracked (for the dictionary words) in a day using just my laptop.
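
Added example, not part of the original comments: the procedure described in comments 18 and 22 (guess addresses from a name dictionary and a domain list, hash each guess, sort both lists, match them in one pass), run against a constructed list to show which entries an unsalted hash fails to hide. SHA-256, the wordlists and every address below are assumptions; the thread does not name a hash function.

```python
import hashlib
from itertools import product


def digest(address: str) -> str:
    """Unsalted one-way hash of a normalised address (SHA-256 is assumed)."""
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


def local_parts(first, last, suffixes=("", "1", "42")):
    """crack-style guesses: names, surnames, initial+surname, plus a number."""
    bases = list(first) + list(last)
    bases += [f[0] + l for f, l in product(first, last)]
    return sorted({base + s for base, s in product(bases, suffixes)})


def candidates(first, last, domains):
    """Sorted (hash, address) pairs for every guess at every domain."""
    guesses = (f"{lp}@{d}" for lp, d in product(local_parts(first, last), domains))
    return sorted((digest(a), a) for a in guesses)


def merge_match(published, cands):
    """Walk two hash-sorted lists once: O(n + m) comparisons, not n * m."""
    found, steps, i, j = [], 0, 0, 0
    while i < len(published) and j < len(cands):
        steps += 1
        cand_hash, address = cands[j]
        if published[i] == cand_hash:
            found.append(address)
            i += 1
            j += 1
        elif published[i] < cand_hash:
            i += 1
        else:
            j += 1
    return sorted(found), steps


# Constructed sample data; only the hashes in PUBLISHED would be distributed.
REGISTERED = ["jsmith@example.com", "mary@example.net",
              "fred42@example.com", "x9q-tk27vz@example.org"]
PUBLISHED = sorted(digest(a) for a in REGISTERED)
FIRST, LAST = ["fred", "mary", "john"], ["smith", "jones"]
DOMAINS = ["example.com", "example.net", "example.org"]


def audit():
    """Return which constructed entries the hashed list exposes and which it hides."""
    cands = candidates(FIRST, LAST, DOMAINS)
    recovered, steps = merge_match(PUBLISHED, cands)
    survivors = sorted(set(REGISTERED) - set(recovered))
    return recovered, survivors, steps, len(cands)


if __name__ == "__main__":
    recovered, survivors, steps, n = audit()
    print(f"{n} guesses, {steps} comparisons")
    print("recovered:", recovered)
    print("not recovered:", survivors)
```

Only the entry with a random local part stays hidden; the hash adds no protection for addresses that can be guessed from names and known domains.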

  23. Re:Nonsense on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    I agree that this line probably is a totally unnecessary addition, but I don't see any evidence that it was put there by the RIAA or MPAA or any other such AA

    Really? Who do you think put it there? I think it's kind of obvious that it was an AA.

    even though this isn't even ABOUT copyright, it's about spam, so it's stupid that it's even mentioned IMO

    I agree. Like I said, I don't have a problem with this clause. But I think it shows who really has the power in this country. If you want to close your eyes and say no, it was probably a senator looking out for free software authors, go ahead.

  24. Re:Not going to sign up for Don't-email-list on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    That's 450,000,000,000 different combinations that I'm going to have to try.

    Is that supposed to be a lot? My laptop can try 123,640,000 RC-5 keys in a minute. I handle 450,000,000,000 combinations in less than 3 days. And that's RC-5 cracking. This is much simpler, probably thousands of times simpler. And once it's cracked you can sell the list to others, so we're really talking about a distributed effort. And sending spam isn't all that CPU intensive, it's pretty much bandwidth limited. Just in the spare CPU cycles of the spammers this could be cracked in seconds.

    Sure, you can do some other things to optimize it (maybe take your encrypted list and the FTC's list and do some diff(1) tricks with it)... but the bottom line is, it's gonna be a whole lot harder for spammers to get any usable info from an encrypted FTC Do-Not-Spam list than it will be to either just 1) buy a list from another spammer or 2) just make stuff up and fire e-mail messages to your list scatter-shot fashion, ignoring any bounced messages.

    I'm not going to argue on the first one, but on the second it's obviously easier to do a local check against a hashed value than it is to send an email and wait for a bounce (which might not even come if the server is set up not to bounce incorrect addresses).

    Add to that the further disincentive that spending countless hours decrypting the FTC list would give you a list of people least likely to buy your product... and you can see why I still don't think spammers will gain any advantage from having an encrypted Do-Not-Spam list.

    I think I've shown that an encrypted Do-Not-Spam list is just as useful as an unencrypted one. Whether or not you consider an unencrypted one as useful is up to you.

    If they're going to do it right, they should allow entire domains to be added to the list.

  25. Re:how long before... on US House, Senate Agree on Anti-Spam Bill · · Score: 1

    It forces me to hit delete.

    First of all, no it doesn't.

    Secondly, doesn't a protester on the street force you to cover your ears?

    Free speech is a legitimate concern. However, I think a properly implemented DO-NOT-EMAIL list is a legitimate answer to that concern.

    Of course, I'm still against the law, because I'm against all US Government regulation of the internet. I think the internet community needs to regulate itself. ICANN is not doing its job. Let's replace it with something that will.