

Mechanical Turk is Insecure - ukd1
https://medium.com/what-i-learned-building/fa943c70b853

======
mkr-hn
Mechanical Turk is Amazon's Google Reader. I had to write a whole guide[1] on
not getting screwed over by scam requesters because all the tools for it don't
exist as part of Mechanical Turk. I don't think Amazon has touched the service
since they launched it.

[1] [http://mkronline.com/2013/09/17/how-to-make-money-with-mecha...](http://mkronline.com/2013/09/17/how-to-make-money-with-mechanical-turk-without-being-scammed/)

------
sashaeslami
This is absurd.

What is the work-around/alternative? Well written post.

~~~
ukd1
The only one I've thought of since writing this is to have a separate AWS
account and link it as a sub account for billing. Solves someone shutting down
your main servers, but still means they can spin stuff up / use lots of cash.
This would be a massive pain for us as we'd lose our worker pool. I could do
it the other way, move our infrastructure to a new account...but that sounds
equally painful.

~~~
tillk
I would like to see IAM as well, but I would say that the solution right now
is using a separate account and using AWS MFA:

[http://aws.amazon.com/mfa/](http://aws.amazon.com/mfa/)

A new account doesn't have all AWS services enabled by default, so the impact
seems minimal to start with. Not sure if you can lock this down further as I
haven't looked into it.

All in all this is not perfect, but "securer".

------
anandkulkarni
Worse yet, the tasks are public on the web, and anyone can see what's being
posted: there's not even a minimal level of privacy.

~~~
ukd1
Well, this is the same for most services I've seen - including MobileWorks? If
you register as a worker, you can accept tasks if you meet the
requirements.

It's avoided to some extent by us due to the way we issue training / challenge
work before any actual work is given to new workers.

~~~
anandkulkarni
Not quite: in MobileWorks, work is assigned to private workers, so nothing is
public. The same goes for CloudFactory, TaskUs, and the other non-marketplace
crowd platforms.

You're right that challenge work does a reasonable job of screening tasks from
search engines, though!

------
dnsco
Hopefully this draws enough attention for Amazon to want to fix the problem.

