@mala
Created March 8, 2011 04:48
>>
Hi,
We apologize, but the only way we will be able to verify ownership of this account is if you reply to this email with an attached color image of your government-issued photo identification confirming your full name and date of birth. Rest assured that we will permanently delete your ID from our servers once we have used it to verify the authenticity of your account.
Please note that we will not be able to process your request unless you send in proper identification. We apologize for any inconvenience this may cause.
Thanks,
<<
I am a programmer working in Japan; I do UI design and security research, among other things.
Regarding the issue of my account suspension: talking to you gets nowhere, so would you hand this over to someone in charge of security?
"Rest assured"? The moment you tell me to send it by email, it's nonsense.
"Ma La" is the name I use in real life, but apparently you are asking for my legal name.
I have no objection to sending my government-issued photo ID so that "someone" on the user operations team can verify that I exist.
But if you are telling me to register on Facebook under my legal name, then there must be a privacy setting that reliably hides it.
I am aware of a flaw in Facebook's site design.
Registering a legal name on Facebook means that when I visit a malicious site while logged in to Facebook, someone could learn my legal name.
I cannot accept that. Perhaps you will call it "by design", but I would describe it as a "flaw" or a "vulnerability".
I know the details of the vulnerability, and because of the inappropriate privacy defaults and a design that gives no consideration to security, I do not trust your site.
So until I can feel safe, I do not want to register on Facebook under "the name printed on my government-issued photo ID".
The rules inside Facebook are a matter of your policy.
But do you really think that always using "the name printed on your government-issued photo ID" on sites outside Facebook,
and having site operators carelessly learn it, is no problem?
You may not read this without an attachment, so I am attaching a photo. Of course it is not a government-issued one.
I repeat: do not judge this yourself; forward it to someone in charge of security.
road3x commented Mar 8, 2011

I'm a Japanese programmer designing UI and researching security.
I would like to talk about stopping my account.
Would you change to a security official? Because you don't understand this problem.

You mentioned "Don't worry", didn't you?
In the first place, it's silly talk that you say "please send by email".

You seem to want my legal name, though the name "Ma La" is the name that I use in real life.

I don't hesitate to send my ID with my photograph, which is certified by the government, so that someone in the user operation team can inspect my existence.
You need privacy settings not to indicate the legal name, if you require me to register with my legal name to Facebook.

I've found a vulnerability of the site design on Facebook.
If you register your legal name to Facebook, it means that there is a possibility that the name can be known by others when you visit a malicious site while logged in to Facebook.
I can't admit it.

Possibly you may insist it is the specification, but I'll express it as a flaw or vulnerability.
I've grasped the details of the vulnerability and have not trusted your site because the default settings about our privacy are not appropriate and the design is not considered for security.
Therefore, I don't want to register to Facebook with my legal name on my ID with my photograph, which is certified by the government, until I can feel relieved.

The rules in Facebook are a problem of your policy, aren't they?
Do you think there is no matter, even though you use your legal name on sites outside Facebook and the name is known by a site operator carelessly?

I'm attaching a photograph because you may not see this without an attached file.
Of course, it is not certified by the government.

I say again, don't judge it yourself, and please transfer this to a security official.

The text got long and I lost track partway through, so a review is recommended...

mala commented Mar 9, 2011

I tried fixing various things.

I'm a Japanese programmer designing UI and researching security.

I would like to talk about stopping my account, but first, would you change to a security team?
I apologize, but you don't understand this problem.
This is a serious problem.

  1. email

    Rest assured that we will permanently delete your ID from our servers

You mentioned "Don't worry", didn't you?
In the first place, it's silly talk that you say "please send by email".
SMTP is Simple Mail Transfer Protocol, not Secure Mail Transfer Protocol.
Please stop saying "It's secure", "It's safety", "Please trust me", "You can control your privacy everything always", etc.

  2. vulnerability

The name "Ma La" is the "real name" that I use in real life. But you seem to want my "legal name".
I don't hesitate to send my legal name and my government-issued photo ID as proof of my existence to someone in the user operation team.
(Facebook is not a government, so I think you should use a credit card.)

But I don't want to use my legal name on Facebook, because I've found a vulnerability of the site design on Facebook.

If I register my legal name to Facebook, it means that
there is a possibility that my legal name can be known by others when I visit a malicious site.
I can't admit it, so I need privacy settings to hide my legal name.

Possibly you may insist "it is spec", but I'll express it as a "bug" or "vulnerability".
I've grasped the details of the vulnerability and have not trusted your site
because the default settings about our privacy are not appropriate and the design is not considered for security.
Therefore, I don't want to register to Facebook with my legal name on government-issued photo ID until I can feel relieved.

The rules in Facebook are a problem of your site policy, aren't they?
But I'm not talking about Facebook's policy.

What do you think about security, privacy and vulnerability?
A malicious site can get your legal name by Facebook's vulnerability; is there no matter?

I'm attaching a photograph because you may not see this without an attached file.
Of course, it is not certified by the government.

I say again, don't judge it yourself.
Please forward this mail to a security team.
Thanks.

akky commented Mar 9, 2011

I am a Japanese programmer, UI designer and security researcher.

I would like to discuss my account suspension with your security team. Please escalate this to people who are knowledgeable about web security. This IS a serious problem.

  • email
    I don't quite understand this part
    Rest assured that we will permanently delete your ID from our servers

Just writing "Don't worry" does not guarantee any security. First of all, requesting "please send it by email" does not make sense. SMTP is Simple Mail Transfer Protocol, not Secure Mail Transfer Protocol. Please stop saying "It's secure", "It's safety", "Please trust me", "You can control your privacy everything always", etc.

  • vulnerability

The name "Ma La" is the "real name" that I use in real life. But you seem to want my "legal name". I don't hesitate to send my legal name and my government-issued photo ID as proof of my existence to someone in the user operation team. (Facebook is not a government, so I think you should use a credit card though.) However, I have found a vulnerability in the Facebook site design, and so I do not want to hand over my legal name to it until there is a privacy setting to hide it in a secure way.

If I register my legal name to Facebook, as of now it means that there are possibilities that my legal name can be known by others when I visit malicious third-party sites, which I cannot put up with. I need a privacy setting to hide my legal name.

Possibly you may insist "It is by specification.", but I have to call it a "bug" or "vulnerability".

I have grasped the details of the vulnerability and have not trusted your site
because the default settings about our privacy are not appropriate and the design is not considered for security. Therefore, I do not want to register on Facebook with my legal name on government-issued photo ID until I am convinced that it is protected.

The rules in Facebook are a problem of your site policy. I am not talking about Facebook's policy.

Please tell me what you think about security, privacy and vulnerability. Malicious sites can get anyone's legal name by exploiting Facebook's vulnerability. Is any site being able to fetch everyone's legal name (checked by Facebook) and reuse it not a security issue?

I am attaching a photograph because you may not see this without an attached file, which is, of course, not a certification by the government.

I say again, you should forward this mail to a person who understands security issues. Please do not size it up by yourselves; forward this mail to a security team.
Thanks.

edvakf commented Mar 9, 2011

Something like this, maybe.

Dear Sir,

I'm a programmer working on UI design and security in Japan.

Before talking about the account deletion,
I would like you to pass me on to someone from the security team
because this is a serious security problem and
I don't think you understand the seriousness of the problem.

I have found a vulnerability of the site design on Facebook.
This is not a bluff or FUD. I am ready to show you a proof-of-concept video.

The name "Ma La" is a "real name" that I use in real life. But you seem to want my "legal name".
I don't hesitate to send my legal name and my government-issued photo ID as proof of my existence to someone in the user operation team.
(Facebook is not a government so I think you should not require a government-issued ID, but accept a credit card.)

However, I don't want to use my legal name on Facebook because of the said problem.

If I register my legal name to Facebook, it means that any malicious site that exploits the vulnerability
can know my legal name just by me visiting their site.
Since I can't accept that, I want you to create privacy settings to hide my legal name.

You may insist "it is spec", but I consider it a "bug" or "vulnerability".
I've grasped the details of the vulnerability and have not trusted your site
because the default settings about privacy are not appropriate, and because of the design that is not considered for security.
Therefore, I don't want to register to Facebook with my legal name on government-issued photo ID until I can feel secure.

I'm not only talking about Facebook's policy.
What do you think about security, privacy and vulnerability?
A malicious site can get your legal name by Facebook's vulnerability; is there no matter?
Would you consider that it is not a problem that any site can get your legal name by abusing Facebook's vulnerability?

    Rest assured that we will permanently delete your ID from our servers

Even if you delete my personal ID from your server, sending it by email itself is insecure.
SMTP is Simple Mail Transfer Protocol, not Secure Mail Transfer Protocol.
Please stop saying "It's secure", "It's safety", "Please trust me", "You can control your privacy everything always", etc.

I'm attaching a photograph because you may not see this without an attachment.
Of course, it is not certified by the government.

Again, please DO NOT judge it by yourself.
Please forward this mail to the security team.
Thanks.
