Jan 27, 2018
Back in late 2017, we did a show about Expensify and how the organization was using a service called Amazon Mechanical Turk (MTurk) to process receipts and to help train their machine learning algorithms. You can download that show and listen to it here: 2017-040
#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included business receipts, medical invoices, travel receipts and the like.
One of our Slack members (@nxvl) reached out on our #Slack channel after the show and said that his company uses services like these. They use them to test applications, run unit tests, and create test cases for training and refining their own applications and algorithms.
We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.
Direct Show Download: http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3
ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at https://paypal.me/BDSPodcast
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit
#Spotify: https://brakesec.com/spotifyBDS
RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Email us at bds.podcast@gmail.com
or DM us on Twitter @brakesec
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Show Notes:
Mr. Boettcher gave a talk (discuss): http://DETSec.org
Brakeing Down Incident Response Podcast
Amanda’s class (starts 4 February, $100 for 4 sessions, $50 for early video access)
I need to mention HITB Amsterdam
David’s Resume Review -- Bsides Nash Resume Review
SANS SEC504 Mentor course
Guest: Nicolas Valcarcel
Twitter: @nxvl
Possible News to discuss:
https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/
Mechanical Turk
CircleCi 2.0
https://circleci.com/docs/2.0/
TaskRabbit
https://www.taskrabbit.com/
Historically: https://en.wikipedia.org/wiki/The_Turk
Expensify using Amazon Mechanical Turk
https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
FTA: “‘I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses,’ Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter.”
https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/
“About those tasks, they’re called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work.”
“Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings.”
Kind of like a Yelp for HIT workers?
Are companies like Expensify aware of the data that could be collected and analyzed by 3rd parties?
Is it an acceptable risk?
Privacy questions to ask companies that employ ML/AI tech:
Are they using MTurk or the like for training their algos?
Are they using Masters-qualified workers for processing?
Nxvl links:
Securely Relying on the Crowd (paper Draft):
https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf
How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/
How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/
The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/
How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/
AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/
Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/