Jan 27, 2018

Back in late 2017, we did a show about Expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their machine learning algorithms. You can download that show and listen to it here:  2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.

After the show, one of our Slack members (@nxvl) reached out on our #Slack channel and said that his company uses services like these. They use these services to test applications, for unit testing, and to create test cases for training and refining their own applications and algorithms.

We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.

Direct Show Download:



Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at 

Course Syllabus:


If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box #HITB Amsterdam conference, which will take place between 9 and 13 April 2018. Tickets are already on sale, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at





#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:


Join our #Slack Channel! Email us at

or DM us on Twitter @brakesec

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:




Show Notes:  


Mr. Boettcher gave a talk (discuss) 

Brakeing Down Incident Response Podcast


Amanda’s class (starts 4 February, $100 for 4 sessions, $50 for early video access)


I need to mention HITB Amsterdam

David’s Resume Review -- Bsides Nash Resume Review 

SANS SEC504 Mentor course

Guest: Nicolas Valcarcel

Twitter: @nxvl


Possible News to discuss:


Mechanical Turk



CircleCi 2.0






Expensify using Amazon Mechanical Turk

FTA: “"I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses," Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.”

“About those tasks, they’re called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work.”


“Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings.”

Kind of like a Yelp for HIT reviewers?


Are companies like Expensify aware of the data that could be collected and analyzed by 3rd parties?

Is it an acceptable risk?


Privacy questions to ask companies that employ ML/AI tech?

Are they using MTurk or the like for training their algos?

Are they using Master level doers for processing?


Nxvl links:

Securely Relying on the Crowd (paper Draft):

How to Make the Most of Mechanical Turk:

How We Maintain a Trustworthy Rainforest Tester Network:

The Pros and Cons of Using Crowdsourced Work:

How We Train Rainforest Testers:

AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk:

Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: