“Do Not Call” Follow-Up

The Washington Post posted this story a few days ago regarding the FTC’s Do Not Call web site. The most amusing part of the article references a comment I made in a previous post about the lack of security in the process, as anyone could conceivably register or unregister a phone number, even if it wasn’t theirs.

The article contains the following quote:

After looking over the registration site online, Aswath Rao thought its verification and unregistration processes could pose problems. "It looks like one can verify the status of the registration of any telephone number," the Holmdel, N.J., resident wrote. "Worse, any telephone number can be maliciously unregistered."

David Torok, the Federal Trade Commission's director of the Do Not Call Registry, says Rao is right, but he doesn't anticipate a big problem.

"Technically, yes, that is possible. If someone wants to play a prank, he can register someone else or delete someone else," Torok says. But, for one thing, there's a limit on the number of times any e-mail address, the only identifier required, can use the online registration -- a limit Torok won't divulge.

Now, this seems to be the silliest thing I’ve ever heard of. A limit on the number of times one can use an e-mail address? What happens when I legitimately use my e-mail address too many times? Who corrects that? Even funnier is that Torok seems unaware of how spammers use millions of e-mail addresses to get past spam filters. Does he not believe that anyone can do exactly the same thing and create dozens of e-mail addresses on the fly?

It was suggested to me that an amusing experiment would be to unregister a particular exchange to prove the point. That’s a mere 10000 phone numbers and it would be almost trivial to do in Perl. The web site uses a simple URL scheme to post the phone numbers that you want on or off the list. In sendmail, it’s easy to redirect the email from a single domain (“@yourdomain.com”) to a single e-mail address, so generating 10000 e-mail addresses would be no problem. You’d get 10000 e-mails in, each with a URL to validate — easy to collect and process using a trivial piece of POP3 client software. The messages are in text, so processing the message would be similarly easy.
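To make the point about the control concrete from the defender's side, here is an added example (not code from the original post, and not the FTC's system) that simulates a tiny registry under two policies: the one the article describes, where the only check is a cap on uses per e-mail address, and an alternative where the throttle is keyed on the target phone number and a change takes effect only after a confirmation token delivered to that number is presented. The registry class, the phone number and the address used are all constructed for the example.

```python
import secrets
from collections import defaultdict


class Registry:
    """Simulated Do Not Call registry (constructed example, not the FTC's system)."""

    def __init__(self, per_email_limit=3, per_number_limit=3):
        self.registered = set()
        self.per_email_limit = per_email_limit
        self.per_number_limit = per_number_limit
        self.email_uses = defaultdict(int)        # policy A counter, keyed on e-mail address
        self.number_requests = defaultdict(int)   # policy B counter, keyed on phone number
        self.pending = {}                         # confirmation token -> (number, action)

    def register(self, number):
        self.registered.add(number)

    # Policy A (as described in the article): the requester's e-mail address is the only
    # identifier, and the only control is a cap on how often that address may be used.
    def request_email_only(self, email, number, action):
        if self.email_uses[email] >= self.per_email_limit:
            return False
        self.email_uses[email] += 1
        self._apply(number, action)   # takes effect immediately, no proof of ownership
        return True

    # Policy B (alternative): the limit is bound to the phone number being changed, and the
    # change is held until a token sent to that number (e.g. by automated call) is confirmed.
    def request_number_bound(self, number, action):
        if self.number_requests[number] >= self.per_number_limit:
            return None                # throttled no matter who (or which address) asks
        self.number_requests[number] += 1
        token = secrets.token_urlsafe(16)
        self.pending[token] = (number, action)
        return token                   # goes to the phone, not back to the requester

    def confirm(self, token):
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        self._apply(*entry)
        return True

    def _apply(self, number, action):
        if action == "unregister":
            self.registered.discard(number)
        else:
            self.registered.add(number)


def compare_policies():
    """Run the same unregistration request against both policies and report what happened."""
    victim = "732-555-0100"   # constructed sample number (555-01xx is reserved for fiction)

    # Policy A: a request from an unrelated address removes the number outright.
    a = Registry()
    a.register(victim)
    a.request_email_only("anyone@example.net", victim, "unregister")
    removed_under_a = victim not in a.registered

    # Policy B: the same request changes nothing until the token reaches the line's owner.
    b = Registry()
    b.register(victim)
    token = b.request_number_bound(victim, "unregister")
    still_present_under_b = victim in b.registered

    # Repeated attempts against this number are bounded by the per-number cap, so creating
    # more e-mail addresses buys nothing.
    for _ in range(10):
        b.request_number_bound(victim, "unregister")
    throttled = b.number_requests[victim] == b.per_number_limit

    # The subscriber who actually receives the token can complete the change.
    completed_by_owner = b.confirm(token) and victim not in b.registered

    return removed_under_a, still_present_under_b, throttled, completed_by_owner


if __name__ == "__main__":
    print(compare_policies())   # (True, True, True, True)
```

The difference the example isolates is where the counter and the confirmation are anchored: a counter keyed on a free, self-chosen identifier bounds nothing, while a counter keyed on the protected resource plus a confirmation that only its owner can receive bounds both the rate and the outcome.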

The fact is that this “feel good” service isn’t really going to be that useful. Given how easy it is, hackers outside the country will be hired to wreck this service. Since they will be off-shore, prosecuting them will be difficult at best. The FTC feels so good about this service that they plan to set up a similar registry for spam. Again, more silliness — spam is even easier to take outside the US. Just think — these are your tax dollars at work.