
Nov 30, 2017

With Mr. Boettcher out this week due to family illness, Ms. Berlin and I discussed a little bit of what is going on in the world.

Expensify unveiled a new 'feature' in which random people help train its AI to better analyze receipts. The problem is that those random people could see medical receipts, hotel bills, and other PII. We discuss how Expensify allowed this and the press surrounding it. We also discuss why issues like this are prime reasons to do periodic vendor reviews.

Our second story was Apple's "passwordless root" account in macOS High Sierra. We talk about the steps to mitigate it, why it was allowed to happen, and why the most straightforward way of dealing with something like this may not always be the best way.



#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

---Show Notes---


Trip report from Amanda to New Zealand

Did we talk about Amanda’s appearance on PSW?


Discuss last week’s show about custom training

Comments? Suggestions for custom training solutions?

Expensify -


How is this different than like a medical transcriptionist?

Don’t you go in and modify the receipts yourself? Or is that a feature you can force?


It’s a privacy issue.

Hotel receipts, boarding passes, even medical receipts


Turn off ‘SmartScan’?

Many companies like using it, and some will only accept SmartScanned receipts

Fat fingering receipts isn’t ‘cool’

Snap a photo, move along


Expensify is global, and could have wide reaching effects for this new ‘feature’...

Expensify used Amazon Mechanical Turk, a marketplace for ‘human intelligence tasks’ (HITs)

Micropayments to do menial tasks


Example of why periodic review of your 3rd parties is necessary

New ‘features’ = new nightmares

Privacy requirements change

Functionality not in alignment with your business goals

Apple ‘passwordless root’


macOS High Sierra before today (29 November 2017) allowed login as root with no password…

That is a problem… Original Tweet:


It also works on remote services, like ARD (Apple Remote Desktop) and file shares…

Rolling IR

Was it necessary?

Serious, yes

Was discovered two weeks prior

Dev (chethan177) on the forum “didn’t realize it was a security issue”


Easy enough fix (Bryan IR story)

Open Terminal

sudo passwd root

Enter the new root password when prompted


Do you trust users to do that? Not across a large enterprise
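As an added example (not from the podcast, and not Apple's published fix), this is the shape of the script an admin would push through MDM or configuration management instead of asking every user to open Terminal. `sudo passwd root` prompts interactively, so it does not work from an agent; the non-interactive call `dscl . -passwd /Users/root` used here, and the choice to treat 10.13.0 and 10.13.1 as the in-scope releases, are my assumptions. Setting a strong random password is harmless on a host that already has the update installed, so the version gate only exists to skip releases that were never affected.

```shell
#!/bin/sh
# Added example: non-interactive version of the "sudo passwd root" fix, meant
# to be pushed by MDM/config management rather than typed by each user.
# Assumptions (mine, not the podcast's or Apple's): the affected releases are
# 10.13.0 and 10.13.1, and `dscl . -passwd /Users/root` sets the root
# password directly (which also leaves the root account enabled).

# Return 0 if the reported macOS version is a High Sierra release that
# shipped with the empty-root-password bug (10.13.0 or 10.13.1).
is_high_sierra_prepatch() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "10.13" has no patch component
    if [ "$major" -eq 10 ] && [ "$minor" -eq 13 ] && [ "$patch" -lt 2 ]; then
        return 0
    fi
    return 1
}

# Generate a 32-character random password that is never stored or displayed:
# the point is only that root no longer has an empty password.
generate_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Set a random root password on an in-scope macOS host. Needs to run as root
# (MDM agents run scripts as root); on other platforms or releases it is a no-op.
remediate_root_password() {
    [ "$(uname -s)" = Darwin ] || { echo "not macOS, nothing to do"; return 0; }
    ver=$(sw_vers -productVersion)
    if ! is_high_sierra_prepatch "$ver"; then
        echo "macOS $ver not in scope, nothing to do"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    pw=$(generate_root_password)
    # Assumption: dscl's -passwd verb sets the root password non-interactively.
    dscl . -passwd /Users/root "$pw" || return 1
    unset pw
    echo "root password set on macOS $ver"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    remediate_root_password
fi
```

Run it as `sudo sh fix-root.sh --apply` (or let the MDM agent run it as root). Nobody knows the resulting password, which is the intent: an enabled root account with an unknown 32-character password closes the blank-password login, including over ARD and file sharing. Once Apple's update is installed, root can be disabled again with `dsenableroot -d` if the organization prefers it off.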