
BrakeSec Education Podcast

Latest episodes

Mar 27, 2018 • 38min

2018-010 - The ransoming of Atlanta, Facebook slurping PII, Dridex variants

Matt Miller's #Assembly and #Reverse #Engineering class: $150 USD for each class, $250 USD for both classes.
Syllabus: https://docs.google.com/document/d/1alsTUhGwAAnR6BA27gGo3OdjEHFnq2wtQsynPfeWzd0/edit?usp=sharing
Please state which class you'd like to take when ordering, in the "Notes" field in PayPal: https://paypal.me/BDSPodcast/150usd
To sign up for both classes: https://paypal.me/BDSPodcast/250usd

Stories:
https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/
TLS 1.3 - https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/
https://slate.com/technology/2018/03/facebook-acknowledges-it-kept-records-of-calls-and-texts-from-android-users.html
https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html
https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13

Sign up for Jay Beale's class at Black Hat 2018: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html

#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
Join our #Slack Channel! Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Mar 19, 2018 • 1h 12min

2018-009- Retooling for new infosec jobs, sno0ose, Jay Beale, and mentorship

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-009-internships-mentorships-retooling-finding-that-unicorn-pentester.mp3

Topics discussed:
- How Jay Beale (@jaybeale @inguardians) and Brad A. (@sno0ose) do mentorship and apprenticeship in their respective orgs.
- Best methods to retool yourself if you are trying to move to a new industry.
- Why 'hitting the ground running' isn't the sign of an immature organization...

Tickets are already on sale for "Hack in the Box" in Amsterdam, 9-13 April 2018; using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https://conference.hitb.org/hitbsecconf2018ams/register/

SHOW NOTES:

Guests: Mr. Jay Beale; Mr. Brad Ammerman @?????????

Announcements:
- RE/ASM class (Matt Miller)
- SeaSec East Meetup at Black Lodge
- Jay's class at Black Hat: https://www.blackhat.com/us-18/training/aikido-on-the-command-line-linux-lockdown-and-proactive-security.html
- Slack channel "M3atshield"

What jobs are good segues into either blue or red teams/pentesting?
- SOC Analyst (network security, pcap, IR)
- SysAdmin (obviously)
- Code devs (audits, binary analysis, they know the code internals)
- System architects (they know the nuts and bolts)
- Security architects (segue to red team; they know how to defend, threat analysis)
- Project management / management (client/customer facing, can understand the business side)

Journeyman pipelines vs. intern pipelines
- Different than interns: already highly skilled in 'something'
- Code devs
- Physical security audit/compliance
- Project/program management
- System admin
- Management "generalist"

Retooling can be difficult
- May be a pay cut
- Fear of failure
- How do we alleviate that? (mentorship model?)

Companies looking for skilled people can't look for what they want; think in the bigger picture.

Is not being able to see the value in a non-infosec person coming to the team a sign of immaturity in a company?
The phrase "must be able to hit the ground running" is a turn-off for those wanting to make that change; they feel they must already know the job.

People should be considered like a block of clay, not an immutable stone. People can change if they want to...
Two-party comfort zone: both the person changing role/title, and the company understanding where the person sits in the position.

Mentorship/menteeship in an org

Mar 12, 2018 • 1h 36min

BDIR-001: Credential stealing emails, How do you protect against it?

BDIR Episode 001
Our guest will be: Martin Brough - Manager of the Security Solutions Engineering team in the #email #phishing industry
Topic of the Day: "CREDENTIAL STEALING EMAILS: WHAT CAN YOU DO"

Show Notes:
Introductions
Introduce our guest Martin Brough
Twitter: @HackerNinja
Blog: InfoSec512.com

More show notes at https://www.imfsecurity.com/podcasts/2018/2/28/bdir-podcast-episode-001

Mar 12, 2018 • 58min

2018-008- ransomware rubes, Defender does not like Kali, proper backups

https://www.auditscripts.com/free-resources/critical-security-controls/
Thanks to Slacker Ben Chung, who heard about this from John Strand...

BSidesIndy report - Amanda
BSides Austin - Brian

Log-MD 2.0 - www.log-md.com

https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/
https://itsfoss.com/kali-linux-debian-wsl/
https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-packages-as-threats/

Mar 5, 2018 • 46min

2018-007- Memcached DDoS, Secure Framework Documentation, and chromebook hacking

Topics:
- Secure Framework documents
- Modifying Chromebooks so you can use Debian/Ubuntu
- Memcached is the new DDoS hotness
- Announcement of the next BrakeSec Training Class (see Show Notes below for more info)

Link to secure framework document: https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d

--Show Notes--

Announcements:
Matt Miller's class on Assembly and Reverse Engineering
- Starts 2 April - 6 sessions
- 2nd class - 6 sessions, beginning 21 May
- Beginner course on Assembly
- Advanced course, dealing with more advanced topics
- $150 for each class, or a $250 deal if you sign up for both classes
- paypal.me/BDSPodcast/150USD - specify in the NOTES if you want the "Beginner" or "Advanced" course
- paypal.me/BDSPodcast/250USD - if you want both courses
- We need a minimum of 10 students per class

Projects:
Chromebook with Debian
- Bit of a pain, if I could be honest... Needed a USB hub with eth0, and a USB sound card.
- USB 3 low-profile thumb drives would be better: https://www.amazon.com/gp/product/B01K5EBCES/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

https://www.securecontrolsframework.com/ <-- well, well worth the signup
https://drive.google.com/open?id=1xLfY4uI88K2AiA1mosWJ7jFyP100Jv5d - 'secure.xlsx'
http://www.dummies.com/programming/certification/security-control-frameworks/

Numerous security frameworks already exist:
- Cisco
- NIST
- COBIT
- ITIL (can be utilized)
- SWIFT: https://www.accesspay.com/wp-content/uploads/2017/09/SWIFT_Customer_Security_Controls_Framework.pdf

"My weird path to #infosec" on Twitter
https://en.wikipedia.org/wiki/Hydrocolloid_dressing

Feb 26, 2018 • 46min

2018-006- NPM is whacking boxes, code signing, and stability of code

Topics on today's show:
- NPM (Node Package Manager): a bug was introduced that changed permissions on /etc, /boot, and /usr, breaking many systems and requiring full re-installs. Why was it allowed to pass, and worse, why did so many run that version on production systems?
- Code signing: a well-known content management system does not sign its code. What are the risks involved in not signing the code? And we talk about why you should verify the code before you use it.
- Using code without testing: NPM released a 'not ready for primetime' version of its package manager. We discuss the issues in running 'alpha' and 'beta' software.

SHOW NOTES:

Previous podcast referenced: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

NPM:
https://www.techrepublic.com/article/series-of-critical-bugs-in-npm-are-destroying-server-configurations/
https://www.bleepingcomputer.com/news/linux/botched-npm-update-crashes-linux-systems-forces-users-to-reinstall/
- Using 'pre-production' software without testing is not advisable
- Unfortunately, many assume all software is stable
- A product of 'devops': failing forward, "we'll just fix it in post"

Talked last podcast about 'supply chain security'
https://givan.se/do-not-sudo-npm/
https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/
- Developers can leave a project, leaving code (or dependencies) unmaintained...

Also, a modicum of trust is required... verifying the code before you use it.
- Verification that the code came from where it was supposed to
- Many important code bases aren't signed or lack any verification
- WordPress does not appear to publish file hashes
- Can you always trust the download? Sure, they use TLS... but that gives no integrity check on the files themselves, and no non-repudiation

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf
BSides NASH: https://bsidesnash.org/2018/02/20/interview-and-resume-workshop/

Feb 14, 2018 • 48min

2018-005-Securing_your_mobile_devices_and_CMS_against_plugin_attacks

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3

Topics:
- Discussion of Ms. Berlin's course
- CAPEC discussion
- RTF malware, MS Office
- A phishing story...
- Mobile supply chain security
- CMS supply chain security

Ms. Berlin's course - recap of 2nd session

Brakeing Down IR - date?

Any malware of note? Upgrade your Office! Just double-clicked; used RTF, and the document never opened, just the script ran.

Supply chain isn't just hardware... software stacks abound and are not followed.

WordPress plugins, CMS plugins/themes... not monitored, weakly secured
- Keeping track is as important as asset management
- Do you know what your CMS is running, plugin-wise?
- And if plugins aren't bad enough, you have PHP to deal with

Suggestions:
- Buy plugins - you get what you pay for
- Check what support you get (always a good idea)
- Require reviews for new plugins, and old ones, esp. if they haven't updated in a while
- Are they still maintained? (abandonware bad)
- New owners? (many plugins and apps get bought and then start changing permissions, or worse, serving malware)

Joomla - Vulnerable Extensions list: https://vel.joomla.org/live-vel
WordPress - WPScan: https://wpvulndb.com/plugins
https://capec.mitre.org/
https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485
PyPI: https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
CCleaner: https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

News:
https://hotforsecurity.bitdefender.com/blog/uh-oh-how-just-inserting-a-usb-drive-can-pwn-a-linux-box-19586.html

Adversary generation systems:
- Red Baron: https://www.coalfire.com/Solutions/Coalfire-Labs/The-Coalfire-LABS-Blog/february-2018/introducing-red-baron
- https://github.com/uber-common/metta
- https://github.com/NextronSystems/
- https://www.kitploit.com/2018/02/venom-1015-metasploit-shellcode.html
Quickly building red team infrastructure: https://rastamouse.me/2017/08/automated-red-team-infrastructure-deployment-with-terraform---part-1/

Feb 5, 2018 • 39min

2018-004 - Discussing Bsides Seattle, and Does Autosploit matter?

Show Notes: https://docs.google.com/document/d/1CSjskf-3vrguoyIyg8yOK2KLqg7srxYlee4RD6jzgNc/edit?usp=sharing

Topics Discussed:
- New tool: AutoSploit - does it lower the bar?
- How should blue teamers be using Shodan?
- Discuss WPAD attacks, what WPAD is, and why it's a thing blue teams should worry about.

ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 5th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at https://paypal.me/BDSPodcast, sent as a 'gift'.
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

Jan 29, 2018 • 1h 5min

BDIR-000 ; The Beginning

Here is the inaugural episode of "Brakeing Down Incident Response". Please check it out!

BDIR Episode 000
Our guests will be:
- Dave Cowen - Forensic Lunch Podcast and G-C Partners
- Tyler Hudak - Trainer in Malware Analysis and Reverse Engineering
Topic of the Day: WHAT IS THIS NEW PODCAST ALL ABOUT, WHAT WILL IT COVER?
"Incident Response, Malware Discovery, and Basic Malware Analysis, Detection and Response, Active Defense, Threat Hunting, and where does it fit within DFIR"

SHOW NOTES: https://www.imfsecurity.com/podcast/2018/1/18/bdir-podcast-episode-000

Jan 27, 2018 • 1h 7min

2018-003 - Privacy Issues using Crowdsourced services

Back in late 2017, we did a show about Expensify and how the organization was using a service called 'Amazon Mechanical Turk' (MTurk) to process receipts and to help train their machine learning algorithms. You can download that show and listen to it here: 2017-040

#infosec people on Twitter and elsewhere were worried about #privacy issues, as examples of receipts on MTurk included things like business receipts, medical invoices, travel receipts and the like.

One of our Slack members (@nxvl) came on our #Slack channel after the show, reached out, and said that his company uses services like these. They use them to test applications, for unit testing, and for the creation of test cases for training and refinement of their own applications and algorithms. We discuss the privacy implications of employing these services, how to reduce the chances of data loss, the technology behind how they make the testing work, and what other companies should do if they want to employ MTurk or other 3rd parties.

Direct Show Download: http://traffic.libsyn.com/brakeingsecurity/2018-003-MTurk-NXVL-privacy_issues_using_crowdsourced_applications.mp3

ANNOUNCEMENTS:
Ms. Amanda Berlin is running 4 sessions of her workshop "Disrupting the Killchain" starting on the 4th of February at 6:30pm Pacific Time (9:30 Eastern Time). If you would like to sign up, the fee is $100 and you can send that to our PayPal account at https://paypal.me/BDSPodcast
Course Syllabus: https://docs.google.com/document/d/12glnkY0nxKU9nAvekypL4N910nd-Nd6PPvGdYYJOyR4/edit

Show Notes:

Mr. Boettcher gave a talk (discuss): http://DETSec.org
Brakeing Down Incident Response Podcast
Amanda's class (starts 4 February, $100 for 4 sessions, $50 for early video access)
I need to mention HITB Amsterdam
David's Resume Review -- BSides Nash Resume Review
SANS SEC504 Mentor course

Guest: Nicolas Valcarcel, Twitter: @nxvl

Possible News to discuss: https://www.reddit.com/r/sysadmin/comments/7sn23c/oh_security_team_how_i_loathe_you_meltdown/

Mechanical Turk: https://www.mturk.com/
CircleCI 2.0: https://circleci.com/docs/2.0/
TaskRabbit: https://www.taskrabbit.com/
Historically: https://en.wikipedia.org/wiki/The_Turk

Expensify using Amazon Mechanical Turk: https://www.theverge.com/2017/11/28/16703962/expensify-receipts-amazon-turk-privacy-controversy
https://www.wired.com/story/not-always-ai-that-sifts-through-sensitive-info-crowdsourced-labor/
FTA: "'I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I'm looking at someone's Uber receipt with their full name, pick up, and drop off addresses,' Rochelle LaPlante, a Mechanical Turk worker who is also a co-administrator of the MTurk Crowd forum, wrote on Twitter."

https://www.dailydot.com/debug/what-is-amazon-mechanical-turk-tips/
"About those tasks, they're called HITs, which is short for Human Intelligence Tasks. A single HIT can be paid as low as a penny but may take only a couple seconds to complete. Requesters often list how long a task is supposed to take, along with the nature of the work and the requirements for completing the work."
"Since mTurk has been around for over a decade, Amazon has created a special class of workers called Masters Qualification. Turkers with masters have usually completed over 1,000 HITs and have high approval ratings."
Kind of like a Yelp for HIT reviewers?

Are companies like Expensify aware of the data that could be collected and analyzed by 3rd parties? Is it an acceptable risk?

Privacy questions to ask of companies that employ ML/AI tech:
- Are they using MTurk or the like for training their algorithms?
- Are they using Master-level doers for processing?

Nxvl links:
- Securely Relying on the Crowd (paper draft): https://github.com/nxvl/crowd-security/blob/master/Securely%20relying%20on%20the%20Crowd.pdf
- How to Make the Most of Mechanical Turk: https://www.rainforestqa.com/blog/2017-10-12-how-to-make-the-most-of-mechanical-turk/
- How We Maintain a Trustworthy Rainforest Tester Network: https://www.rainforestqa.com/blog/2017-08-02-how-we-maintain-a-trustworthy-rainforest-tester-network/
- The Pros and Cons of Using Crowdsourced Work: https://www.rainforestqa.com/blog/2017-06-06-the-pros-and-cons-of-using-crowdsourced-work/
- How We Train Rainforest Testers: https://www.rainforestqa.com/blog/2016-04-21-how-we-train-rainforest-testers/
- AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk: https://www.rainforestqa.com/blog/2017-01-06-aws-re-invent-crowdsourced-testing-work-with-amazon-mturk/
- Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure: https://www.rainforestqa.com/blog/2017-05-02-virtual-machine-security-the-key-steps-we-take-to-keep-rainforest-vms/
