Download: Episode 40
This week Audrey and I talk about WayMo vs Uber, the surprising ways Expensify, and probably a lot of other web services, are using Mechanical Turk, the recent macOS High Sierra vulnerability, and more. Enjoy!
WayMo vs Uber
- Waymo Trade Secret Trial Delayed After Uber Accused of Sneakily Withholding Evidence
- Uber Paid Hackers to Delete Stolen Data on 57 Million People – Bloomberg
Expensify and Mechanical Turk
- Expensify’s Use of Amazon Mechanical Turk Reveals Privacy Risks Behind AI | WIRED
- Introducing: Private SmartScan on Amazon Mechanical Turk « Expensify Blog
MacOS High Sierra root login vulnerability
- Apple MacOS High Sierra Security Flaw Lets Anyone Get Root Access, No Password Required | WIRED
- Daring Fireball: High Sierra Root Login Bug Was Mentioned on Apple’s Support Forums Two Weeks Ago
Contractor who disabled Trump’s Twitter account
- Meet the man who deactivated Trump’s Twitter account | TechCrunch
Things we like on the internet this week
- Christie: You can now copy text from your Kindle highlights and highlights are preserved from library eBooks even after the lending period has expired!
- Audrey: Evolution row ends as scientists declare sponges to be sister of all other animals | Science | The Guardian
Holiday Newsletter Now, Through December 16th
We’re now sharing daily gift ideas, educational resources, and favorite causes to support, through December 16th. Stay with us through the end to be included in a final gift drawing from The Recompiler and our friends. Further details and sign-up here.
Call for Contributors for Issue 10: Science!
For our second issue of 2018, we’ll be talking about science! From computers to data to social and natural sciences, it’s a way we explore the world and define our work.
Here’s a few ideas to get you started:
- Connecting computer science fundamentals with everyday programming
- How open source software tools power scientific exploration
- Ethical data collection and use
- Citizen science and ways of bringing non-specialists into our work
- When is computing an art, a science, a craft?
- Anything involving dinosaurs
We look for ideas that will be effective at an advanced beginner to intermediate level of technical knowledge, and that are grounded in the author’s personal experiences. We’re especially interested in work from people who are part of under-represented groups in technology. Contributors are paid.
Find the details and submit your ideas at https://recompilermag.com/participate/. Submissions are open through January 1.
Now Broadcasting LIVE Fridays at 10am PST
Taking what we learned from our first ever live telethon earlier this month, and equipped with a brand new mic for Audrey, we’ll now be broadcasting our episode recordings LIVE on most Fridays at 10am PST. Mark your calendars and visit recompilermag.live to tune in.
We love hearing from you! Feedback, comments, questions…
We’d love to hear from you, so get in touch!
You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to firstname.lastname@example.org. You can also leave us an audio comment by calling (503) 489-9083.
Christie K: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler. Episode 40, Travis Colonic? This week Audrey and I talk about Waymo vs Uber, the surprising ways Expensify and probably a lot of other web services are using Mechanical Turk, the recent macOS High Sierra vulnerability and more. Enjoy!
Christie, back with some quick announcements before we get to the main part of the show. It’s December, which means winter holidays, at least in North America, and that means we’re in the middle of our holiday newsletter that runs from December 5th through 16th. Don’t worry that it’s already past the 5th. You can still sign up and you’ll get daily gift ideas, educational resources and favorite causes to support. If you stick with us all the way through the end, you’ll be included in a final gift drawing from Recompiler and friends. Check out the show notes for the link. You can also go to recompilermag.com. The call for contributors for our issue 10, the second issue of 2018, Science, is now open.
From computers, to data, to social and natural sciences, it’s a way we explore the world and define our work. So, some ideas to get you started: connecting computer science fundamentals with everyday programming, how open source software tools power scientific exploration, ethical data collection and use, we talk a lot about that stuff on the podcast, citizen science and ways of bringing nonspecialists into our work, when is computing an art, a science, a craft, anything that involves dinosaurs.
So, we are looking for ideas that will be effective at an advanced beginner to intermediate level of technical knowledge and that are grounded in the author’s, that’s you, personal experiences. We’re especially interested in work from people who are part of under-represented groups in tech. Contributors are paid. Find all the details at recompilermag.com/participate. Submissions are open through January 1st to get these in.
We are now live broadcasting most Fridays at 10:00 a.m. Pacific. We’re still getting the hang of this, so, if you were listening last week, I deeply apologize for that weird echo you heard. But the more we do this, the more practice we’ll get and the better we’ll get. So, check that out, you can go to recompilermag.live on Fridays at 10:00 and hear Audrey and me record the podcast live. Thanks, enjoy the show.
Audrey: Should we start from the beginning for non-live purposes?
Christie K: Yes. Hi Audrey.
Audrey: Hi Christie.
Christie K: Happy recording day.
Christie K: What’s going on with you?
Audrey: Well, the Recompiler, we just had a big strategy meeting, I’m very excited about that.
Christie K: Oh, good stuff coming up for 2018?
Audrey: Yeah, we have a very ambitious plan but I think one that readers are going to be really excited about. We’re doing a lot more focus on some career related topics and have some special eBooks planned in addition to the next four issues. So, there’ll be some cool stuff to announce in the next few months.
Christie K: That’s exciting. So people should keep an eye on the Twitter and the Facebook and the blog and all kind of stuff that’s-
Audrey: Yeah — get on the mailing list, get on the mailing list because we’re doing a 12 day holiday guide as well. If you stay on the list for all 12 days, specifically on the holiday guide for 12 days, then we’re doing a drawing at the end from everybody who’s there and it’s going to include some special things from friends of the Recompiler but also subscription year two plus year three. So, some back issues as well.
Christie K: Yeah, cool, well I’m excited. So, the newsletter, what’s the best way to sign up for the newsletter? Go to recompilermag.com?
Audrey: Mm-hmm (affirmative), yeah and click on news and then there’s a dropdown for the newsletter sign up, or click the big button that says join us, something to that effect.
Christie K: Okay, great. For our first topic, and kind of listen up, so we’ve talked about Sarah Jeong’s profile of Judge Alsup, who has been presiding over Oracle v. Google, and it is in there that the same judge would be presiding over Waymo versus Uber. Waymo is the autonomous driving startup that spun out of Google, right?
Audrey: Mm-hmm (affirmative), yeah the self-driving car project.
Christie K: I think I know this stuff and then I find myself saying it and just it’s like all the Waymo and Uber and these complicated things, I’m always like, “Wait a minute, do I have it right?”
Audrey: It feels like they keep, every spinoff, they rename something and so, yeah I don’t know, it helps me to remember that it’s those self-driving vans that Google was testing five years ago or whatever, that they’ve spun it into a separate company.
Christie K: Then, there was Otto and I can’t remember who bought Otto. Was it Uber that bought Otto?
Audrey: Oh, we covered this last spring, yeah. That sounds about right.
Christie K: Well, you know how short my memory is. Last spring might have been like last decade in like psychic years I think. So basically, Waymo is alleging that Uber stole intellectual property. I’m afraid to open this tab. Okay, I’m going to open it and-
Audrey: Hope that our news tab does not start playing video luckily.
Christie K: Right, and I’m only going to open one at a time so I know which tab is doing it.
Audrey: All right.
Christie K: So, Waymo trade secret trial delayed after Uber accused of sneakily withholding evidence. Here’s a video, pause, mute, oh I unmuted it. I’m bad at the internet, oh stop.
Audrey: We could really have like an entire podcast that’s just, we could have an entire podcast that’s just opening news tabs and trying to find out what the source of the noise is. It’s such a common problem.
Christie K: Right. You know what’s funny, is I, for the telethon, I went out of my way to ensure that the audio engineering was configured such that you and the podcast could hear things playing in the browser. Now, I’m thinking that’s not such a feature.
Audrey: We want to use it very selectively.
Christie K: Right.
Christie K: Okay. So basically, Waymo, the self-driving car company spun out of Google’s Moonshot unit, has accused Uber of recruiting its former employees and stealing its trade secrets in order to advance its development of autonomous vehicles. That’s why, we talked about how this Levandowski guy left Waymo to go head up Uber’s thing, allegedly stole a bunch of documents and they were going through svn logs and stuff like that. That’s the part we talked about right?
Audrey: Yeah, yeah and how any time an employee with a lot of control over a project leaves and goes to the competitor, there are these kinds of concerns about an intellectual property theft. I think the officially correct way to do it is that the person needs to remember as much as they can, right, no documents, no direct materials transfer and that they’re allowed to re-implement but …
Christie K: Yeah but if you do a whole big svn checkout or git-clone, or download an entire document repository right before you leave, it’s a little suspect.
Audrey: Mm-hmm (affirmative). It does imply that you are taking that to your new company.
Christie K: So Uber I guess has been maintaining that hey, we never got those documents, like no.
Audrey: He walked in the door with a folder but we never saw it.
Christie K: So, a former member of Uber’s global intelligence team, this guy named Richard Jacobs, wrote a letter and I’m not sure who he wrote it to but it was obtained by the US attorney’s office to make criminal investigations separate from Waymo’s lawsuit, says that Uber’s Marketplace Analytics Team worked on secret servers and devices that couldn’t be traced to Uber, in order to dig up information, private code and trade secrets from competitors.
Audrey: Mm-hmm (affirmative), like some proper corporate espionage.
Christie K: Right, right.
Audrey: It sounds so old school to me.
Christie K: Well, some tactics are ageless but they get new flavors I guess. It says, “Jacobs testified that the Marketplace Analytics Team scoured competitors’ GitHub accounts to find private code but balked at the letter suggesting that the team stole trade secrets.”
Audrey: That makes it sound like they weren’t very good at their jobs. If their goal was to get in there and find something useful, wouldn’t trade secrets be the key to that?
Christie K: Yeah, that’s a weird, I don’t really understand that comment.
Audrey: I think you have clipped in our notes about how they tried to avoid leaving a, not a paper trail but like a digital trail about these conversations. It’s pretty interesting to me. I think that in terms of internal corporate communications and how people talk to each other inside a company, there’s always that tension between what can be preserved and what maybe shouldn’t be.
Christie K: Right.
Audrey: It goes like on a lot of different layers but when there’s actual legal implications, the fact that you’re trying not to have things stay in record is also pretty suspicious.
Christie K: Right, and I have been advised by internal counsel to be mindful about what records I create. Particularly, like if you have legal questions, I don’t necessarily think it’s uncommon for inside counsel to be like, “Call me on the phone,” or I think with digital voice over IP, we can’t necessarily count that as not being recorded. But if you ask questions over email or a bug tracker, whatever, like that creates records that are potentially subject to retention orders and retention laws. I think Sarbanes-Oxley actually affects this.
Audrey: Oh, in terms of the retention of financial records, yeah.
Christie K: Right, I don’t know how it pertains to other kinds of records but I definitely know that, I’ve been on the end of receiving one of those letters that says there’s potential legal action pending a decision that is to retain records. Then at that point, if you do not, even by accident, you can get in trouble for that. I think it’s also a different story if you’re knowingly engaging in like shady activity and trying to cover that up, right?
Audrey: Right, yeah, the liability becomes a lot stronger.
Christie K: It’s interesting too where the, I think there’s a portion of the hacker techno [inaudible 00:13:00] community that does encryption and ephemeral communication to protect people and then here’s another example of how it enables bad behavior. I also thought this is interesting because this guy Craig Clark was recently dismissed from Uber for his role in covering up that big data breach that they had. I don’t think we talked about that because that was also, yeah that was just nine days ago or something.
Audrey: Oh yeah, yeah.
Christie K: I don’t know how the news got out that like 15 million people’s data was exposed.
Audrey: Uber customers specifically?
Christie K: Uber customers yeah. I’m going to click on a Bloomberg article. Do not play video. Customers and drivers, a massive breach at the company concealed for more than a year, part of what this Craig, what was his last name, Craig-
Christie K: … Clark did was pay hackers. We’ll get, oh, stupid, stop.
Audrey: More video?
Christie K: Yeah, sorry, pay the hackers $100,000 to I guess keep it under wraps.
Audrey: To not brag about it? That’s decent money.
Christie K: “Data from the October 2016 attack includes names, email addresses and phone numbers of 50 million Uber riders in the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers.” It says, “No Social Security numbers, credit card information, trip location details or other data were taken.” So, I think different states are starting to look into this. I’m pretty sure I saw that Washington State is suing over the negligence and I think maybe New York might be.
Audrey: Under consumer protection laws or something like that?
Christie K: That I’m not sure of. This is a, it says, “Here’s how the hack went down, two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an AWS account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.”
Audrey: So, they wanted ransom.
Christie K: Yeah, not of the, this is reminding me of another thing I saw that said, because we had a whole spate of worms and things that encrypt the data and yet they paid Bitcoin to un-encrypt it.
Audrey: Yeah, we’ve talked about ransomware a few times.
Christie K: Right. I was seeing, there’s a Twitter thread, and I apologize, I don’t remember who it was, saying that this is just the beginning. That people will pay just as much or more to keep their data from being exposed.
Audrey: Mm-hmm (affirmative).
Christie K: So, I think this is a good example of that.
Audrey: It’s like a really sideways expensive bug bounty.
Christie K: Right. What struck me about this is that login credentials should not be in source code repository, even if it’s a private repo or on a GitHub enterprise instance because that’s, obviously that can be compromised.
Audrey: Maybe there’s only one layer of security to get that far and there are ways to create a lot more layers that would keep people out of your AWS account. Sometimes code gets shared in ways that people aren’t thinking about. You can have a lot of different people have access to that code base.
Christie K: It also means you’re using shared credentials. Then, I feel like we’ve also, this keeps coming too where there’s like a database backup of information like off another route somewhere.
Audrey: That it also isn’t secured, yeah. There’s lots of tools and techniques for dealing with this now. It’s a pretty common ops problem that you have a lot of API keys and login credentials and things like that that you’re managing. Depending on what set of tools or platform you’re using, it’s worth looking into. There’s a lot of ways that you can handle this.
Christie K: So, back to the original or the place we started, which was delaying the trial was that, Alsup delayed the trial because the revelation of this letter from Jacobs indicates that Uber might be withholding evidence and other materials from the discovery process. So, they’re going to work through that.
Audrey: Mm-hmm (affirmative) and that means that they have to continue discovery and deal with that problem.
Christie K: Right. So, it says, “Alsup instructed Uber to create a list of all its employees who had downloaded Wickr on a personal or work device since December 2015.” I don’t even know how you go about that.
Audrey: It might be hard to get a complete list. Then I wonder, what do they do? Do they depose every single person who had downloaded Wickr and make them talk about it under oath how they might have used it? How do they-?
Christie K: I don’t know.
Audrey: Like how do they retrieve the information that might have been hidden?
Christie K: Right. And Waymo also asked the court for additional depositions with Travis Colonic. I still can’t say his name.
Audrey: The CEO of-
Christie K: The former CEO.
Audrey: Yes right of Uber. So, we think the alleged problem is that somebody who worked for Waymo went to Uber, took private things, Uber also had a department that was trying to steal intellectual property from Waymo. This is all what? Waymo supposes what?
Christie K: Not just Waymo, like anybody, any potential competitor.
Audrey: Yeah anybody, any potential competitor, yeah. So Uber has all those things going on internally and then because they know that they’re going to be sued, there is an employee who is in charge of secure communications apparently and then they fired him because he covered up the data breach. Is that right?
Christie K: Someone’s got to take the fall, yeah.
Audrey: So, there’s this whole chain of things that’ll go together to basically make Uber look really, really shady.
Christie K: How surprised are we?
Audrey: Not very surprised.
Christie K: Yeah.
Audrey: Yeah, unfortunately.
Christie K: This is reminding me, I listened to a podcast episode and I can’t remember which podcast it was, but I’ll figure it out. It might have been Note to Self. So the United States is one of the, I think the last industrialized countries that does not have any real data protection laws. So, this episode was about, it piqued my interest because it was about Cambridge Analytica. Cambridge Analytica was supposedly spun off from a British company called something I can’t remember right now. But there’s questions about whether or not it has really spun off and if much of the operations are still in the UK, which would mean that a lot of the data, including data about Americans, is in the UK.
Audrey: Oh got it, so then, their protection laws.
Christie K: Yes.
Audrey: Privacy laws may actually apply.
Christie K: Yes. So, there’s this one group that’s been trying to find an American who will go through that process of requesting their data, like exercising some of that authority or agency. I don’t know, it was really interesting to me because there was just this, we don’t really have that concept here of, “Hey you’re collecting data about me, what is the data?” So, he actually requested his file from Cambridge Analytica.
Audrey: Oh interesting.
Christie K: That was the test. That was the test for if the company was based in the UK or if it was based in the States. If they ignored the response, that would mean it was based in the States. If they fulfilled it, it means that they were based in the UK and subject to these laws.
Christie K: It’s that way I think.
Audrey: That’s assuming that they acted legally in this circumstance.
Christie K: Right and they did. He actually got a file. So, I’ll dig that up and link to it.
Audrey: Yeah Cambridge Analytica is one of those companies that I probably wouldn’t know about if you hadn’t brought it up for the podcast because they caught your attention at some point like two years ago, right?
Christie K: Yeah and then I kept, it’s one of those things which you notice that you see it everywhere.
Audrey: I think it’s super interesting because we talk a lot about the internet and data and security and all of these things that there are these big players in terms of data brokerage and like assimilation and analysis of personal data. There are these companies that I think are well known in their industry and people would say, “Oh yeah, go hire them.” But, for the rest of us, we really, we’re not aware of it. It’s too insider even though it has a lot of impact on us.
Christie K: I think this is one of those things where to find out more, you figure out where these people are advertising, like what are their trade shows.
Audrey: Sure yeah.
Christie K: I can’t remember if it’s in that same episode or a different one but they were also talking about how good are they, is Cambridge Analytica actually what they say they’re good at and there’s conjecture about that.
Audrey: What if they’re just making a mess of everything?
Christie K: Right.
Audrey: Like negatively impacting our privacy without actually whatever result they were aiming for?
Christie K: Right, right, especially as we learn more about Russian interference and bots and fake news and things like that. I think it may turn out that it wasn’t any one thing, it was like the combinations of these things, like everything nudged everybody along. So, last week, was last week Thanksgiving? Whenever Thanksgiving week was, yeah last week.
Audrey: Yeah, it was last week.
Christie K: This, I saw this in tweets about Expensify and Mechanical Turk.
Audrey: Kind of an intriguing statement.
Christie K: Yeah and I actually think, I feel like, I started to see this right when we recorded the last episode, certainly I’ve mentioned it to you but it was still unfolding. Then, someone, I don’t [inaudible 00:25:34] the original tweet in here but it’s in one of these articles, about something like, “I wonder if Expensify’s smart scan customers know that Mechanical Turkers can see all their receipts and they’re basically like their personal …” oh, here we go. This is Rochelle Laplante, who’s a Mechanical Turk worker, “I wonder if Expensify smart scan users know M-Turk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up and drop off addresses.” So Expensify, which is a software as a service that allows you to submit receipts and submit them to your boss or your company for reimbursement. They have global apps, mobile apps and you can take a photo of your receipt. If smart scan is enabled, it, well, it “OCRs”, I’m making big air quotes, it-
Audrey: It theoretically OCRs the information on the receipt.
Christie K: Right.
Audrey: So that it can be searched.
Christie K: Also, the form about your expense can be automatically filled, yeah. If you’ve ever had to do expense reports, they’re really, this is actually something I did on one of my first jobs, I did the expense reports for a director. This was quite a long time ago, almost 15 years ago, and I wrote them out in a form, these are forms from UC Davis. Anyway, it’s very time consuming and it’s kind of time consuming really no matter the system and you have to categorize them.
Audrey: It’s repetitive and most people do not find this to be their favorite work.
Christie K: Right. If you’re like me and you have bad habits like you crumple up receipts and stick them in your pocket and then spend hours searching for them later on and uncrumpling them and trying to read them, so like, the value proposition is, just whip out your phone, take a photo right when you get the receipt. It’s in the cloud, most of the data entry is done, it’s like pretty compelling. We used Expensify at Mozilla, we switched to it from Shoeboxed I think, I don’t know if they’re still using it. So, I saw this and I was a little surprised, which I’m not sure I should have been.
Audrey: Well okay, so, in terms of will a tech company do a thing that we’re like, “Oh God, no!” Yeah, we’re never truly surprised but I do think that it wasn’t handled very well. I understand what they were trying to do in terms of, “Hey, these receipts are highly varied and if people did the data entry, then that would help a lot.” But there’s just a lot about it. Like the idea that anybody could have access to these jobs, I think that’s what you’re getting into because the Mechanical Turk worker pointed this out like, “Hey, all of us can go find these things and find these receipt jobs.” Then, that means that everybody who’s signed on to Mechanical Turk has access to that.
Christie K: Right. Travel receipts can have personal information. Companies can be using these for all kinds of expenses, medical expenses, stuff like that. So, there’s definitely sensitive data. It’s another one of these cases of where is the accountability when you’re outsourcing work?
Audrey: Also, that sometimes what’s a good technical solution is not a good personal solution.
Christie K: Mm-hmm (affirmative).
Audrey: They picked an effective way to do it from a lot of perspectives but in terms of handling people’s personal information, that’s a really bad choice.
Christie K: It’s one of those things where, again, this is an issue and endemic to the cloud is that, you’re not buying an app that you install in your computer that you have a certain amount of control over and you could argue aspects of that but when it’s in the cloud, you don’t tie yourself to one version of the software. It just, like you don’t have control over that. You’re using whatever they’ve pushed out. So, part of what I think got people is surprise that this was happening. So, I was glad that we actually didn’t talk about it right away because I was hoping someone would do some more investigating and provide some more details and Wired did. They’ve got a good overview here.
It says, “From the time Expensify launched in 2009 up until 2012, it used third party Mechanical Turk workers to help process the receipts, reimbursement forms and benefit claims. Since this fall, the company returned to a limited capacity to Turk,” a limited capacity, then I think they go into a summary of the blog post that Expensify put out over the long weekend. Not only did they put out over the long weekend but I saw it because it was a promoted tweet.
Audrey: So for people who happen to be looking at Twitter over Thanksgiving, that’s a limited crowd.
Christie K: So, you know that they were getting some flack from this, that they were concerned about, because the CEO worked with his PR people to write this up and push it out and promote it over the long weekend. He tried, not tried but their take on it, was that it’s a feature that they’ve gone back to Mechanical Turk because it will allow their enterprise customers to set up their own team of Mechanical Turkers and that will afford them more privacy. So, this is what they were testing. So, that the receipts that people were seeing were just test receipts, they were like from Expensify workers themselves, they tried to say I think.
Audrey: I sure hope that the workers knew that that’s what was going on.
Christie K: So, they’re saying that if you want more privacy, and this is only available at the enterprise level of course, that you can then have your own workers that you vet apply to be Mechanical Turkers.
Audrey: Then it’ll be a private pool of work going to those people.
Christie K: Right. I’ve never done Mechanical Turk, so I don’t know how to verify that but that part of it made a certain kind of sense.
Audrey: They’re sort of claiming that they were just testing out the interface to make sure that the system sends the receipt correctly into the Mechanical Turk pool and so on and so forth. But I don’t know, it’s so interesting that this one little thing reveals a whole historical truth about the software that nobody knew or maybe very few people were actually aware of. That their way of sneaking back into this feature was just to try it, not to tell their, I don’t know, there’s just like a lot of ways to communicate with your customers about this, like, “Hey, we’ve found it really efficient to do this thing. We’d love to opt you into a program to try that. Here’s what’s actually going to happen.” I found the official statement to be really, really weird and confusing in terms of like what he was promoting there. Things like the workers looking at these receipts won’t be in the US. I just, I don’t know, there’s a lot of things about that as a supposed security measure.
Christie K: Yeah. I think I just sent the link to you and I was like, “This is astounding.” I couldn’t really describe, there was … Other things in this Wired article that I thought were interesting was that, the researchers have found, “Other techniques that limit, segment and systematically control the data individual workers can see during a task are more effective safeguards than the confidentiality clauses that [inaudible 00:34:55] service agreements,” that shouldn’t really be surprising.
Audrey: So to split up the receipts into a series of parts that don’t necessarily, it can’t necessarily be reassembled by any one worker.
Christie K: Yeah, I think that’s one way. Let’s see. It says here, “In one [inaudible 00:35:15] example, a team from Microsoft Research posted tasks on Mechanical Turk that involved fake user data. They then set up another task offering to pay Turkers to do the first tasks, record data from them and then report it into the second task. Essentially, the researchers showed that they could pay Turkers to steal data if it was presented as a legitimate task.”
Audrey: Interesting. They would know it was coming from Microsoft though wouldn’t they?
Christie K: Presumably, I don’t know the vetting process that you have to go through to submit jobs.
Audrey: To be a company that does that?
Christie K: Yeah.
Audrey: I guess they could have always set up some side organization for that. It seems so self-contained though to use Mechanical Turk to assess Mechanical Turk.
Christie K: Right. Then they’re just, they’re kind of like, [inaudible 00:36:12] moment for me was just this, I knew this to a certain extent but I don’t know, this one got to me that, “Every product that uses AI also uses people,” says Jeffrey Bigham, a researcher at Carnegie Mellon who studies crowdsourced workforces, “having even said that the buck stop so much as a core part of the process. People definitely believe their technology is powered only by AI when it seems intelligent and there’s every incentive for the companies to perpetuate that myth.”
So, we keep getting more and more magical tech like your phone can recognize your face and your phone with cloud technology behind it can organize your photos so you can pull up all the photos of your kids in one batch or whatever. So, we keep getting this magical technology and the AI powering it has problems but then also, there’s aspects where we might say, “Okay, well then the machines aren’t different or the machines aren’t interested in stealing your data or whatever.” But we can’t. It’s not just limited to the problems of the machines, people are also involved.
Audrey: Mm-hmm (affirmative), yeah.
Christie K: Not just as architects of the system.
Audrey: But as core components, parts of machinery.
Christie K: Again, we started off talking about Uber and that user data was able to be compromised because they got into a GitHub repository, which had credentials in it. There’s a similar aspect here. It’s not like, I’ve been on one side of this conversation, I’m sure you have, Audrey, where you point out, “Oh well, we shouldn’t do it this way because it doesn’t make sense for someone to have access.” Then someone else says, “Well, they’re good people, they’re not going to do anything with that access, or we have a contract in place,” right?
Audrey: Yeah or it’s just, “It’s our team, it’s a known thing and instead, we’re not controlling for the unknown, unexpected possibilities.” It’s what separates us, those of us who do work, “what could possibly go wrong?”, from the ones who have an itemized list. I think the two of us are on the itemized list side of this instead of the no, what could …
Christie K: Definitely. What’s funny to me is I’m kind of also laughing at myself because the name Mechanical Turk, it tells you everything about this, right?
Audrey: Mm-hmm (affirmative).
Christie K: Like, it was a machine that was made to look like the machine was playing chess but it was really a guy inside.
Audrey: Mm-hmm (affirmative), yeah. Amazon quite proudly chose that name.
Christie K: It’s a great name for what the service does, you couldn’t pick a better name and that’s kind of what’s funny is like, I don’t know, it’s always a little amusing to me when people tell you exactly what something is and you forget.
Audrey: Yeah and maybe it gets missed that they’re actually being quite clear.
Christie K: Mm-hmm (affirmative).
Audrey: I don’t think this is necessarily a bad service. I do have a lot of questions about the labor aspects of it and whether it’s really compensating people for the value that they provide. But I see why it would be a very appealing and a very useful component of something that much like some of the stuff that I’ve read about CAPTCHAs where it’s not that you necessarily need computers to solve CAPTCHAs. It’s like you need to create a reason for people to go solve the CAPTCHAs for you.
Christie K: What do you mean?
Audrey: Like, there’s systems that I’ve read about that basically swap CAPTCHAs. So, it’s like, “Hey, you can access a thing or you can do a puzzle if you solve this CAPTCHA.” But what they’re actually doing is, taking ones off of other sites and so they’re creating an archive of solutions.
Christie K: So that it can be spammed or hacked later?
Audrey: Yeah, yeah.
Christie K: Okay, okay.
Audrey: No, so you create a reason for people to go do the thing that the computer would.
Christie K: So, it’s turning people that just want to play a game or something into inadvertent Mechanical Turkers?
Audrey: Mm-hmm (affirmative). I think that there are probably a lot of examples of that. We know that when we do reCAPTCHA that what we’re doing is helping train, at least I hope that people know, when reCAPTCHA says, “Hey, click on all the things that are a business address,” what it’s actually asking you to do is to verify the data, the image processing.
Christie K: Oh, okay. It also reminds me, well, that’s a little different but those quizzes you can take of like, “Which Game of Thrones character are you,” or whatever, that’s all part of the Cambridge Analytica and other groups that are doing this socio-metrics or whatever they’re called.
Audrey: Yeah, it makes a lot of things look like a fun activity or cute, being asked to identify portions of a photo to get to post a blog comment or something, it’s sort of key, that’s more entertaining than trying to look at those weird distorted letters. But yeah, you’re helping train image processing or you’re helping train systems for breaking CAPTCHAs depending on whether you’re on a shady or more reputable site to begin with. So, it’s just an interesting way that we all participate in this.
Christie K: Right and especially since the election, there’s been so much talk among the technology workers of like, “If your boss asks you to do something shady, it’s your job to say no.” To me, the question is increasingly, are you going to even know that your boss is asking you to do something shady or are you going to be asked to address such a small part of the elephant that you’re not even going to know what part you’re playing in the bigger picture.
Audrey: I think when we hear about this, we’re hearing about the least successful companies are doing this. We hear Uber just kind of screws up a lot, so we hear a lot about what Uber’s done, or Expensify makes one giant mistake and it becomes very visible. But I think when companies are successful at this, it’s invisible to us. We’re not going to see it or hear about it.
Christie K: Right, right. If you just think about like how things are normally distributed, most companies are not going to be as bluntly evil and obvious about it as Uber is.
Audrey: Sure and sometimes we’re seeing very common problems that just have a huge impact because of the company where it’s happening.
Christie K: So, this whole thing got me thinking about Mechanical Turk and I feel like there was a lot of conversation about it a handful of years ago and especially the labor aspect of it because it seems, it’s one of those things where people who submit the jobs are much more favored over people that do the work. Like, I think you get paid based on whether the work is satisfactory or something, not just completed. So, people can get shafted. Again, it’s part of the gig economy and stuff but I feel like we just got used to it.
Audrey: Yeah, I think that was the big thing that I heard about.
Christie K: I feel like we just got used to it.
Audrey: Mm-hmm (affirmative), I think that’s true, yeah. We forget about things as they just become part of the routine.
Christie K: It also made me wonder, and I feel this way about AWS, just all of AWS, I don’t know whether Mechanical Turk is technically under that or not, but how much, we know how much Amazon has encroached into books, retail and groceries but I think the ways that they’ve encroached into other areas of commerce might be quite obscured. So, like how many services are running on Mechanical Turk? How many things are hosted on AWS?
Audrey: Mm-hmm (affirmative), yeah, it’s extensive. I think something we’ve gotten into a couple of times previously is how, well even last week, how companies like Amazon just eat up more and more and more of these markets. Sometimes by creating a service like Mechanical Turk, there wasn’t really an initial competitor to that but sometimes just by eating pieces of it, by using their size to out-compete everybody else and just sit on that aspect of commerce or communication or whatever.
Christie K: You pointed out that AWS makes so much money for Amazon and that really, it’s one of its only divisions that makes a substantial amount of profit that it subsidizes all the other ones and it allows Amazon to just keep expanding its monopoly by undercutting pricing because it’s being subsidized by AWS.
Audrey: Yeah, well and if it wasn’t, Amazon’s an old enough company that it needs something internally to provide that but there are so, so many companies. Again, Uber is one of them but for all I know, Lyft is too, companies that subsidize what they’re doing at the price that they’re doing it for consumers with their VC money. The way that they’re doing it is never going to be profitable on its own but the VC money is there to keep it going long enough for them to get a big enough market share that they can eventually turn a profit.
Christie K: Right, right. I feel like that’s another thing that’s really obvious but yet I’m not sure it’s talked about a lot.
Audrey: I would just love to have an index of that. I’m not an expert on the financials of this. I don’t actually even know where to start looking for the financial reports but I think a lot of this is really just out there as data. I think that you can go and find a lot of information, I’m sorry, I just hit my microphone. I think you can go out and find a lot of information about how companies are doing this with their investment. I just, I’ve never seen like a score card or an index that shows to what extent are companies distorting their markets. That would be really interesting for me to see.
Christie K: Right. Someone argued that this is a feature of markets and capitalism.
Audrey: If you’re a capitalist.
Christie K: Okay, I looked at the time and we’re, we should move on.
Christie K: So, have you upgraded to High Sierra yet?
Christie K: Neither have I.
Audrey: I was afraid that my computer had tried to and then hopefully it hadn’t.
Christie K: We were validated this week.
Audrey: Yeah. I just never, every time I’ve upgraded software before I’ve really thought about it, I have regretted that so much, especially for something major like my operating system.
Christie K: And a major release too.
Audrey: Yeah, yeah, I’ll be the person who updates six months later. For a lot of people, it really does make sense to go like as soon as the first patch releases out but I try to wait three or six months on these just to be sure.
Christie K: So, when did High Sierra come out? I don’t know.
Audrey: I think I read September.
Christie K: Oh, okay, so it wasn’t that long.
Christie K: Okay, I don’t feel so bad.
Audrey: You’re worried about being behind the curve on this?
Christie K: Well, I don’t have the best sense of time so in my mind I’m like, “Has it been a year or has it just been a couple of months?” Because you don’t want to get too far behind when, at least I don’t.
Audrey: No, no, as long as, but I feel like as long as they’re releasing security patches for the previous version, then it’s fairly safe. But I wait for all of the software I use to have updates for multiple patch releases for any big bugs like this to potentially have been resolved.
Christie K: So, in a bug, and a lot of people have probably heard a lot about it but we’ll say, you could basically log in as root with no credentials.
Audrey: Mm-hmm (affirmative), with no password. You would just type root and then enter on password and yeah.
Christie K: It was one of those things of like previously, I think if I remember correctly, like previously, the root account was not enabled by default and so it has an empty password and then I think this enabled it. I don’t know. It’s one of those, you could see how it happened even though it’s pretty egregious. But the thing that you’re interested about it was how it was disclosed.
Audrey: Mm-hmm (affirmative). It’s a fairly major vulnerability because if the computer’s already unlocked and you have physical access to it, then you can walk up, and this happens all the time in coffee shops where there are laptops that are sitting open, you could walk up, open the user dialog, go ahead and find the root password, the root account, change it and then you’d have access. It would be that simple. So, it’s a big deal. With bigger security vulnerabilities especially, there’s supposed to be a process for reporting them. I think it’s novel that the first people really heard about this and saw the scope of it was on Twitter, a very public post on Twitter.
Christie K: So someone basically tweeted @applesupport, “Hey, we’ve got this huge vulnerability.” Usually the way this goes is that you contact the company privately and give them a certain amount of time to respond and fix their stuff. Typically, you give them time to fix their stuff and release a patch before you disclose the vulnerability.
Audrey: Yeah and generally, if there’s like multiple aspects to it or multiple systems that need to be addressed, you wait for everybody to have a chance to coordinate it. There is, hopefully for any major product, there is a route for this. I’ve certainly seen stories from security people saying, “I tried really hard to contact them. I tried very hard to contact them and they just wouldn’t respond to this so now I’m finally going public.” But the tweet gave no indication that that’s what had happened.
Christie K: [inaudible 00:52:06], so, do you think, this person’s a software developer, they do not work in security but they were loaded to this by their security staff at their company. Does this show like a gap in developer education about security hygiene or security norms or I’m not sure what to call it?
Audrey: Yeah quite possibly. I don’t think that I learned about security reporting processes as a web developer. I think that I learned about it from watching security specialists on Twitter and on their blogs talk about this.
Christie K: I get all my quality education from Twitter so …
Audrey: So, I think that I had seen a lot of examples of this, so it’s kind of been for me about how it would be handled. I could see how somebody might not think about the scope or the impact of what they were saying and just wants to call attention to it. But, that’s the reason that there should be a process here.
Christie K: It sounds like Apple does have some culpability in it and it has a bug bounty program but only for iOS, not macOS, which is interesting. That also reminds me that I’ve seen a lot of, there are people who are theorizing that macOS is eventually going to go away and there’ll just be iOS. I don’t know if this is a harbinger of that or not. I think the patch is out now, right?
Audrey: I haven’t looked since yesterday. So, if there’s a patch out, that would be great, yeah.
Christie K: Then the other fix is just to set a root password.
Audrey: Mm-hmm (affirmative), yeah to go in and take care of it yourself before somebody else can.
Christie K: This whole thing, I feel like knowing whatever operating system you use, knowing if there’s a root account, by default enabled or not and passwords there, it’s just a good thing to know in general. I ran into this a couple of times when I was still using Ubuntu regularly, where if you didn’t set that, I can’t remember if it was setting a password for root or even enabling it. If you’d locked out your one user account, you were kind of screwed and I did that to myself one time. So, it’s sort of interesting.
Audrey: Yeah, at the same time, how many non-developer, non-technology worker users would think about this?
Christie K: Very few. I think only if there are family members that have harassed them about this stuff.
Audrey: Yeah. Have you ever tried to explain like what a root account is or what an admin super user account is to somebody who just uses their computer as them? I think the idea that they are accounts at all, at best it sounds like social media accounts or personal profiles or something, not that it would be an access control system.
Christie K: Right. I already know that account sharing is like-
Audrey: Super common.
Christie K: Right, right. I get itchy when I’m in a public place and someone walks away from their laptop and it’s unlocked. That just, I want to run over and lock the computer for the person. I don’t, because that feels-
Audrey: That would also be weird.
Christie K: But I sit there and-
Audrey: Yeah people don’t think about it.
Christie K: … yeah and squirm.
Audrey: I’m glad that they’re fixing it. I do think that it would be beneficial for Apple to do education around this and to have a really visible bug bounty program where they offer to pay people for reporting things under a certain process when they’re, when it’s a useful bug to be aware of. I think there’s a lot of benefits to that.
Christie K: Definitely.
Audrey: It makes us feel better. That’s a part of us trusting those systems and believing in their security is seeing that there’s a system that works.
Christie K: Right.
Audrey: So, we don’t need to deep dive too much into this but Tech Crunch found the person who deactivated Trump’s Twitter and did a little interview with him.
Christie K: The customer service employee that was on their way out?
Christie K: What I thought was interesting was that they didn’t think it would actually work, and it’s unclear to me why they didn’t think it would work. So, they got a report so it wasn’t just a haha I’m going to do this on my own and then leave. They got, someone reported Trump’s account and so they said, “Okay,” went and tweaked the action to deactivate it and then left.
Audrey: Thinking that it probably won’t work but hey, it’s reasonable action given that we’ve received this abuse report.
Christie K: Right. It sounded like it wasn’t supposed to work and that maybe some aspect of their system didn’t hold up.
Audrey: Oh, interesting. Like multiple people should have had to sign off on it?
Christie K: Yeah. It made it sound like there are certain accounts that have extra steps to be deactivated because there’s that exception to the terms of service if the accounts are newsworthy, right?
Audrey: Yeah, they’ve decided that if you are a major public figure, that you can post anything that you want, which is pretty horrifying from my perspective.
Christie K: So, the young guy with the Turkish background who was born and raised in Germany, he’s working as a contractor, it sounds like with a company called Pro Unlimited, and he had other assignments including monetization at Google and YouTube, he had another contract with Varco, which this got me thinking about that whole groupie YouTube video thing, which we haven’t talked about yet.
Audrey: We did kind of in passing last week.
Christie K: Okay. But another one of these cases where a lot of this work is being done by contractors. So, there’s another layer between the people that ought to be accountable and people that are actually doing the work. I think there’s a lot to explore there.
Audrey: Yeah and I feel like that’s rough from the contractor’s point of view. When you are probably going to be fired for anything you speak out on and you don’t have a lot of job security, you don’t have a lot of protection, there’s every reason for you to just keep doing what they tell you to.
Christie K: It also makes me want to go find these contractors because I thought they know a lot because they move from company to company and I imagine they know a lot of stuff.
Audrey: Probably yes.
Christie K: He’s also wearing a grayscale American flag sweater, which I don’t think that was intentional but it adds something to the profile that I found amusing.
Audrey: Well, we’ll all have to read that then.
Christie K: So well into that. We can talk about this other thing I think in another episode.
Christie K: So, this is my favorite part of the show where we share what we like on the internet this week, what’s made us happy.
Audrey: Mm-hmm (affirmative), which is a necessary component to all of this, now that we’ve talked about how terrible Uber is and hey, it was Uber’s turn it wasn’t Facebook this week.
Christie K: Right, even I get tired of, complaining about Facebook. I’m tired about complaining about Uber too. I feel it’s an I told you so moment, so, I kind of want to stretch it out a little bit to be honest.
Audrey: That they’re terrible and let’s find even more layers of how terrible they are.
Christie K: Something that is not terrible are sponges.
Audrey: Yeah, I like sponges.
Christie K: So, these are the animal sponges. Are they animals?
Audrey: Yes, yeah. I feel like I have to go back a little bit and explain why this is very exciting for me.
Christie K: Okay.
Audrey: So, in fifth grade and in general, I was a kid that was really into like whales and marine biology. So, in fifth grade, we had this science assignment to write like a short paper on an animal. I have no idea how this came to my attention but I discovered that sea sponges were animals, at least in the area and that there had been some past debate about this. So, I thought that I would annoy my teacher by writing my animal profile about the thing that was very marginally an animal. So that’s my [crosstalk 01:01:58].
Christie K: Always looking for those edge cases.
Audrey: That’s why sea sponges are personally very interesting. But this morning, I was looking at the news and I saw this report that said that scientists had done a lot of analysis of previous data. There’s apparently two species or sets of species that are potentially like the first animals to branch off from the collective tree. So, sponges were one of the two contenders. This latest research that was released, they said, “Okay, based on all the data that we have, the sponge best fits that data for the thing that we are all related to.” I thought that was just delightful because, as animals go, sponges do nothing, they sit there. They filter nutrients but they don’t move, they don’t act, they don’t respond. They are just, they’re nearly inanimate.
Christie K: But they’re still animals.
Audrey: But they’re still animals.
Christie K: They’re really old it sounds like.
Audrey: Yeah, yeah.
Christie K: If they’re that common of an ancestor, then they’re like among the oldest animals right?
Audrey: Mm-hmm (affirmative).
Christie K: How cool, that was exciting.
Christie K: I’m linking to the Guardian article that talks about this, they’re calling it, Sponges the sister of all other animals.
Audrey: I don’t know, there’s something very calming to me to think that the thing that we’re all collectively related to just sits there and just exists.
Christie K: It takes some of the pressure off to always be doing something.
Christie K: My favorite thing on the internet is related to Amazon, which I feel so weird about because we criticize Amazon a lot but also unlike Facebook, Uber and things, Amazon’s really integral. So, out of my daily life and I-
Audrey: I think you own more Amazon things than anybody I know, technology devices.
Christie K: Yeah, I think that’s true. So among them are Kindles. I take a lot of notes and I make a lot of highlights when I’m reading. From the last time, I was really frustrated because I could see the highlight but not copy text out of it, so what if I wanted to put that in my citation manager or just share it on a blog post or whatever, I had to retype it. I had explored some workarounds like you could tweet the quote and I was like, “Oh, then can I copy it or tweet or Facebook it?” I think I never quite finished what [inaudible 01:04:50]. Anyway, I just stumbled across the fact that you can now copy text out of the Kindle highlights from the Kindle app. They also show up in Goodreads, which is pretty cool.
Audrey: Oh yeah, they just started a lot of this integration, I noticed.
Christie K: So, I was a little nervous when Amazon bought Goodreads but the stuff that they’ve [inaudible 01:05:12] recently has been really nice and I think they’ve done a good job of, like all their links to books, you can still link to all the different stores and libraries and I think they’ve walked a good line between integrating that with the Amazon ecosystem and still making it not neutral but somewhat open of a platform. So, yeah you can get the notes from Goodreads, from the Kindle app, you can set a highlight to share it on Goodreads, which is cool.
The other thing I noticed is that we are a library at the [inaudible 01:05:53] library, you can check out eBooks, which is also, if you didn’t know this, if you have a Kindle or even just a computer, go see if your library supports this because you don’t even have to go to the library, you don’t return things late because they just automatically get returned when the due date comes up. For someone like me who hasn’t been fancy to rack up fines, that’s a great bonus.
Audrey: There’s a lot of things especially for fiction. At least our library collection has quite a few eBooks. It’s pretty cool.
Christie K: There’s tons of stuff, there’s tons of stuff. You can have it delivered directly to your Kindle just like you’ve bought it. The highlights stick around after the book has been returned, which is like super cool. I think that’s super cool.
Audrey: Yeah, I’d seen part of that and I thought, like for a recipe clipping, this would be perfect. There’s a lot of cookbooks I check out from the library because I don’t know if I want to buy the whole thing and then I discover there’s only two recipes I care about anyhow. So, what I had been doing was, like with the paper book, just photographing those pages with my phone. But I like the idea that I can just highlight and clip the information.
Christie K: For nonfiction, I just don’t remember stuff that I haven’t taken notes. It’s really laborious to write stuff out of a print book. Yeah, I’ve done the thing where I take photos, which is also a little tedious. So, I was really happy I discovered this and I want to make sure people know about it.
Audrey: That’s cool.
Christie K: All right, we’re only a little bit late and hopefully we’ll keep working out the bugs with this live podcast thing.
Audrey: Pure news videos, blasting at people when we don’t intend them.
Christie K: Right, right. If you tuned into the feed on time, that’s what happened. Thanks everyone for listening, we’re going to sign off of the live feed now. Talk to you or talk at you, I don’t know, see you next week.
Audrey: All right, thank you.
Christie K: That’s a wrap. You’ve been listening to the Recompiler podcast. You can find this and our previous episodes at recompilermag.com/podcast. There, you’ll find links to individual episodes as well as their show notes. You’ll also find links to subscribe to the Recompiler podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review, it really helps us out. Speaking of which, we love your feedback, what do you like, what do you not like, what do you want to hear more of? Let us know. You can send email feedback to email@example.com or send feedback via Twitter to @recompilermag or directly to me Christi with an i, 3k. You can also leave an audio comment by calling 503-489-9083 and leaving a message. The Recompiler podcast is a project of Recompiler Media founded and led by Audrey Eschright and is hosted and produced by yours truly Christi Koehler. Thanks for listening.