demesa-jump
Cat's Tech Blog
17 posts
Everything OSINT, Threat Intelligence/Hunting, and DFIR!
demesa-jump · 7 days ago
Honeypot Kittens privacy project
It's been a bit since I've written here, and the reason why is I have been working on a few things.
#1 - my Honeypot Kittens Project which is an art zine coupled with an educational website. Check it out: https://honeypotkittens.ju.mp/
I realized that while most of my experience surrounds moderation, privacy, and trust & safety, I need my own standalone side project. My aim with this is to further showcase my passion for these sectors.
#2 - I got to volunteer with Moxies.xyz lately to help boost their COPPA Compliance! They were released into beta last year and I am so fortunate to work with them. I will work with them for a few weeks while looking for a job, and I think I need further real-world experience with COPPA. While I am keenly aware of this important piece of legislation and have been for a while, real-world concrete experience is best.
demesa-jump · 1 month ago
Mental Health Crisis Response Flow - What to Avoid and What to Keep in Mind
One of my close friends passed recently, and I was thinking about how social media can play a significant role in crisis responses. Two of my former employers had an internal process for crisis responses, including a preferred resources page setup for those in need of it most.
Blue Fever - Crisis Resources
With many platforms - and Blue Fever is definitely not unique with this issue - lack of personal information given can delay a more personal crisis response, spin false narratives, and even delay information given to law enforcement. Treading the line between being resourceful, following internal legal guidance, and stifling narratives is an extremely difficult job without internal processes in place. Here are some tips I would recommend:
Have multiple canned responses in place, and amend on-the-fly when necessary
Hearing a generic response can feel annoying, but this is necessary so as not to “stir the pot” legally and morally. We don’t know the exact circumstances of any one person, and as a company it is important to respect the person’s privacy. Additionally, having slight amendments to your responses can create a more realistic and human-centered response flow. Toeing the line between realistic, human-centered responses and following legal requirements is very difficult. However, focusing on evolving your responses can also create a dynamic environment where all parties (legal, customers, investors, internal staff) can understand situations better.
Consult your company’s legal team regularly – and mental health experts semi-regularly – to continually improve processes and wording
This not only helps create rapport with experts and your own legal team, but also ensures that your responses are closer to industry standard. (Or perhaps better!) Continually discussing these important issues and streamlining processes also makes your job easier. Also, this ties in with #1 so your responses don’t come off as insensitive or uninformed.
Consult your database manager for a general login location for people in crisis 
Most “anonymous apps” simply have just an email or phone number for login. However, they often utilize general location for internal metrics. Many countries, provinces and states worldwide have crisis forms online and numbers to call if someone is in a state of distress. (As an example, Texas State HHS has a page for this.)
Most apps, even ‘anonymous’ apps generally collect these metrics:
Email and/or phone number
IP Address (You can look these up – if it’s VPN, probably ignore.)
Device model and basic information
Length of time spent engaging in the app itself
App version (which can also, in a way, hint at device model because of app versioning)
Country/Region - sometimes datacenters can give out a general location
It’s very important not to overreach and begin ‘stalking’ clients or customers if they are in distress. Not only is this extremely unethical, but it often makes the situation worse.
Lock the Account until further notice while in crisis response mode
While this might seem demeaning and perhaps might make the person feel as though they’re not being heard, there might be potential for copycats on the platform. Additionally, this ensures that the account data can be safely secured in the case of a legal warrant.
Certain keywords should be flagged for auto-moderation
This should already be in play if you have an ML tool to flag harmful content; however, consider tagging alternate spellings of words in your model (such as ‘sewerslide’ or ‘sooside’ for suicide), and track sentiment over time to see if there are any trends. If your app is at scale (more than a few hundred thousand or millions of users), consider having staff in place to carefully monitor trending terms and events. For example, X (formerly Twitter) is currently hiring Crisis Escalation specialists as of writing this, and these folks’ specialty is closely monitoring trending crisis terms and mental health issues.
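One way to implement the variant-aware keyword flagging and trend tracking described above, as an added example that is not from the original post: it normalizes leetspeak and stretched spellings before matching, counts flagged posts per day, and marks days whose count spikes against the mean. The term lists and sample posts are constructed for illustration, and the trend here is flagged-term frequency rather than a sentiment score.

```python
import re
from collections import Counter, defaultdict

# Canonical categories mapped to the spelling variants we want to catch.
# The two misspellings are the ones the post names; the lists are
# illustrative, not a complete lexicon, and should follow your own policy.
CRISIS_TERMS = {
    "suicide": ["suicide", "sewerslide", "sooside"],
    "self-harm": ["self harm", "selfharm"],
}

# Common leetspeak substitutions, undone before matching (s00side -> sooside).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lowercase, undo leetspeak, drop punctuation, collapse 3+ repeated letters."""
    t = text.lower().translate(LEET)
    t = re.sub(r"[^a-z\s]", " ", t)        # punctuation and leftover digits -> space
    t = re.sub(r"(.)\1{2,}", r"\1", t)     # suuuicide -> suicide (2-letter runs kept)
    return re.sub(r"\s+", " ", t).strip()


def flag_terms(text):
    """Return the sorted list of canonical categories whose variants appear in text."""
    n = normalize(text)
    hits = set()
    for canonical, variants in CRISIS_TERMS.items():
        for v in variants:
            if re.search(r"\b" + re.escape(normalize(v)) + r"\b", n):
                hits.add(canonical)
                break
    return sorted(hits)


def daily_trend(events):
    """events: iterable of (YYYY-MM-DD, text). Returns {day: Counter(category -> flagged posts)}."""
    per_day = defaultdict(Counter)
    for day, text in events:
        bucket = per_day[day]              # create the day even when nothing is flagged
        for term in flag_terms(text):
            bucket[term] += 1
    return dict(per_day)


def spike_days(trend, term, factor=2.0):
    """Days whose count for term is at least factor times the mean daily count."""
    days = sorted(trend)
    counts = [trend[d].get(term, 0) for d in days]
    if len(days) < 2:
        return []
    mean = sum(counts) / len(counts)
    return [d for d, c in zip(days, counts) if mean > 0 and c >= factor * mean]


# Constructed sample posts (not real user data).
SAMPLE_EVENTS = [
    ("2025-03-01", "feeling ok today, just tired"),
    ("2025-03-01", "thinking about sewerslide again"),
    ("2025-03-02", "anyone else dealing with s00side thoughts"),
    ("2025-03-03", "sewerslide jokes aren't funny"),
    ("2025-03-03", "I keep self-harm thoughts to myself"),
    ("2025-03-03", "su1cide hotline saved me"),
    ("2025-03-04", "great weather, going hiking!!!"),
]

if __name__ == "__main__":
    trend = daily_trend(SAMPLE_EVENTS)
    for day in sorted(trend):
        print(day, dict(trend[day]))
    print("spike days for 'suicide':", spike_days(trend, "suicide"))
```

Flagged posts still need human review; the spike check is only a prompt for the staff monitoring the post recommends.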
demesa-jump · 2 months ago
How police can backtrack Tor Nodes to unmask identity
The Tor Project was co-founded in 2006 by 7 researchers and has had many sponsors throughout the years, including the Electronic Frontier Foundation (EFF). Here’s how it works:
When you click ‘Connect’ on Tor, you have 3 ‘firewalls’ of connections that shield your connection and obfuscate it. However, as some might say, “...The internet is forever!” and your connections are definitely logged somewhere. This might include the exit node volunteer’s logs, Tor themselves (even if indirectly or unintentionally), or otherwise.
As of 23rd February 2025, there are around 8000 exit nodes – that sounds pretty small, but is actually quite a lot of connections, especially if you are doing investigative forensics!
Now you might ask yourself a few questions, such as, “How (and CAN) the police track my usage?” (Yes, they can, and have done so with some people before!) I will get to this question and others in a bit! (In my mind, Tor Project and similar projects are essentially glorified VPNs with a few extra features.)
If you studied IT at all in bootcamps or college, you might remember our bestie the OSI Model. This basically explains how you connect to the internet at all in 7 steps. Let’s look!
[Image: the OSI model]
As you can see, the main concern we have here is with the Network, Transport and Session layers. These 3 steps essentially bridge and keep your connection alive on any website. Tor actually recommends that you don’t have your Tor Browser fullscreen, and I personally recommend this as well! 
Most websites - even the onion routed websites - tend to track these metrics:
How long you’ve been on the website
Whether you came from an ad, marketing link, search engine
Device OS
Local time / Timezone
Region (Or within 50 miles radius)
Account signup email
Hints at past usernames (if you sign-in a username you often use)
ISP (Such as Cox, AT&T, Comcast)
….and more
These metrics and stats can be sold to other companies, threat actors, or given to police for investigating.
If police can’t determine your identity from the information mentioned above, they will just look through Tor Browser’s Exit Node List and compare your IP with past IPs you’ve utilized.
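The exit-list comparison described above is something a platform can run over its own login logs from the defensive side, so that an exit-node address is recorded as the relay’s and not mistaken for the user’s own address or location. This is an added example, not code from the post or from the Tor Project; the exit list and login events are constructed placeholders, and the freshness check reflects that published exit lists change often.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for a downloaded exit-node list. The Tor Project publishes
# the real one; the addresses here are documentation-range placeholders, not relays.
EXIT_LIST_TEXT = """\
# exit addresses, one per line
198.51.100.7
203.0.113.42
203.0.113.43
not-an-ip
"""

# Constructed login events for one platform (user, timestamp, source IP).
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2025-02-23T10:00:00Z", "src_ip": "203.0.113.42"},
    {"user": "alice", "ts": "2025-02-23T11:30:00Z", "src_ip": "192.0.2.55"},
    {"user": "bob",   "ts": "2025-02-23T12:00:00Z", "src_ip": "198.51.100.7"},
    {"user": "carol", "ts": "2025-02-23T12:05:00Z", "src_ip": "192.0.2.77"},
]


def parse_exit_list(text):
    """Parse a one-address-per-line exit list; skip comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue                      # a bad line should not fail the whole load
    return exits


def _parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def list_is_fresh(fetched_at_iso, now_iso, max_age=timedelta(hours=1)):
    """Exit lists churn constantly; refuse to rely on a stale copy."""
    return _parse_ts(now_iso) - _parse_ts(fetched_at_iso) <= max_age


def enrich_logins(logins, exits):
    """Tag each login with via_tor_exit; an exit IP identifies the relay, not the user."""
    out = []
    for ev in logins:
        try:
            ip = ipaddress.ip_address(ev["src_ip"])
        except ValueError:
            ip = None
        out.append({**ev, "via_tor_exit": ip is not None and ip in exits})
    return out


def ip_history(enriched, user):
    """Split a user's past source IPs into direct vs. Tor-exit for analyst review."""
    mine = [e for e in enriched if e["user"] == user]
    return {
        "direct": sorted({e["src_ip"] for e in mine if not e["via_tor_exit"]}),
        "via_tor_exit": sorted({e["src_ip"] for e in mine if e["via_tor_exit"]}),
    }


if __name__ == "__main__":
    exits = parse_exit_list(EXIT_LIST_TEXT)
    enriched = enrich_logins(SAMPLE_LOGINS, exits)
    for e in enriched:
        print(e)
    print(ip_history(enriched, "alice"))
```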
“Wait… where can they get your IP?!”
They can ask bigger companies (Google, Meta, etc) to provide information. 
File a Freedom of Information Act (FOIA) request on you, which anyone can do.
Obtain a warrant to ask your Internet Service Provider (ISP)
If you are asked in-person via warrant to have your home searched, they can also collect the IP here.
So going back to the beginning… “Can the police track my identity and connections on Tor?” Yes, and it’s relatively easy. That’s why I mentioned earlier that Tor and many onion routers are essentially glorified VPNs: because they are.
In my opinion, though; they’re really stellar and show some unique websites that aren’t available on the clear net!
demesa-jump · 2 months ago
Risks and Benefits of buying AI Training Datasets
In today’s world, it can feel rather confusing and overwhelming to train LLMs, AI Chatbots, and AI Tools for ethical AI uses. While I don’t have direct experience building AI Chatbots myself, I do have experience building policy for both LLM Moderation and AI Chatbot/LLM Jailbreaking. These experiences are adjacent to, and directly amplified, my past responsibilities in Trust and Safety.
There are some places you can buy LLM Training Datasets, such as AWS Data Marketplace, CelestAI Marketplace, and a few others. Most provide unlabeled, uncategorized data, but luckily these two provide labelled options. Below I will list some benefits and downsides of training datasets for your models.
Pros
You automatically get data to feed into your model
Data used isn’t directly from your app, but from a 3rd-party 
Costs less to utilize a pre-trained Open-Source LLM
Having your own model increases queue speeds during peak usage hours 
Cons
Most times, data is unlabeled
Potential difficulties fine-tuning models with 3rd-party training data
High potential for Personally Identifiable Information (PII) exposure
Oftentimes, high prices by default
Many brokers with tons of training data are individuals, and not bigger companies
Option to depend on a pre-built AI (API from GPT, LLaMa) or Open-Source
This can lead to issues if the company shuts down or the model stops having key updates
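The PII exposure risk listed above is worth checking before any purchased dataset reaches a fine-tuning run. This added example (not from the post or from any marketplace) scans a JSONL sample for emails, phone numbers and IPv4 addresses, redacts them, and gates the dataset on the fraction of affected records; the regexes and the sample records are constructed for illustration.

```python
import json
import re

# Regexes for the PII classes this check covers; tune to your data (illustrative, not exhaustive).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed JSONL sample standing in for a purchased dataset (not real records).
SAMPLE_JSONL = """\
{"id": 1, "text": "Contact me at jane.doe@example.com for the report."}
{"id": 2, "text": "The meeting is at 3pm, bring snacks."}
{"id": 3, "text": "Call (555) 123-4567 or ping 192.0.2.10 if the host is down."}
{"id": 4, "text": "hello world"}
"""


def find_pii(text):
    """Return {pii_type: [matches]} for every type with at least one hit."""
    hits = {}
    for name, pat in PII_PATTERNS.items():
        found = pat.findall(text)
        if found:
            hits[name] = found
    return hits


def redact_text(text):
    """Replace each match with a typed placeholder so the record stays usable for training."""
    for name, pat in PII_PATTERNS.items():
        text = pat.sub("[%s]" % name.upper(), text)
    return text


def scan_dataset(jsonl_text, text_field="text"):
    """Scan every record; report per-type counts, affected records and a redacted copy."""
    report = {
        "records_scanned": 0,
        "records_with_pii": 0,
        "counts": {k: 0 for k in PII_PATTERNS},
        "redacted": [],
    }
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue                        # tolerate blank lines in the file
        rec = json.loads(line)
        report["records_scanned"] += 1
        body = rec.get(text_field, "")
        hits = find_pii(body)
        if hits:
            report["records_with_pii"] += 1
            for name, found in hits.items():
                report["counts"][name] += len(found)
        report["redacted"].append({**rec, text_field: redact_text(body)})
    return report


def should_reject(report, max_fraction=0.01):
    """Gate: refuse to fine-tune on a dataset where more than max_fraction of records carry PII."""
    if report["records_scanned"] == 0:
        return True                         # an empty dataset is not worth buying either
    return report["records_with_pii"] / report["records_scanned"] > max_fraction


if __name__ == "__main__":
    rep = scan_dataset(SAMPLE_JSONL)
    print({k: v for k, v in rep.items() if k != "redacted"})
    print("reject:", should_reject(rep))
```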
Lastly, consider the audience you are making your AI Chatbot and LLM Models for. Something to consider is to think ‘Like the customer’, and not as a developer when making these fine-tuned updates. For example, at one of my last jobs, I greatly impacted AI Policy when we built the AI Chatbot for our stakeholders. A few qualities we considered include:
Having the chatbot type shorter responses, in lowercase
Using some vernacular younger folks might use, yet not excessively
Additionally, researching how younger generations interact online and in real life makes for a more realistic model (TikTok, YouTube and Snapchat ‘research’ were great to use)
Excessive use of vernacular seems cringey, off-putting and unrealistic
Research and see in different online groups what people think about AI, their assumptions, etc., and work around that
Make sure the models and UI of the Chatbots feel familiar and integrative, not different.
Doing your due diligence instead of "Just building a model" makes a significant difference in the quality of it. This not only applies to your AI Chatbot, but the LLM Models as well in terms of moderation. Avoiding false positives with automated moderation will help considerably.
demesa-jump · 3 months ago
One example of GDPR Violations and its Consequences
In 2021, Amazon was hit with a hefty fine of €746 MM because it was accused of ad targeting and overuse of data harvesting. This came after a French digital rights group, ‘La Quadrature du Net’, made a complaint in 2018, and Luxembourg’s CNPD (National Commission for Data Protection) decided to take action on their behalf the same year.
However, Amazon has stressed that no data breach or data exposure has ever happened; it seems they imply everything is customer-side-only in terms of data and ad targeting. Amazon has since appealed and is currently in the process of trying to overturn the decision.
(Side note: 3 hours prior to my initial writing of this post, Amazon was also accused of hosting sensitive information and CSAM via its image and ad hosting partner imgbb – linked in references below! Very interesting…)
In this blog article I will explore how Amazon’s specific ad and ad trackers work. 
Method 1 - Advertising your Products and Tracking
If you are a seller on Amazon you can advertise your products one of two ways:
Affiliate links & Email / Social Media Campaigns
With this method, you already have to have a following. Also, you essentially blast your products’ links or affiliate links of other products to people to gain commission. With this method, you can track basic metrics, such as location, how many times your links and emails were opened, how long people stayed on a page, and how many people bought stuff, but not much else.
Ads and native Ads within Amazon
Paying for ads to get to people’s eyes can really help push your products further! Native Ad pages can also help make your products seem more attractive. This can really help you build an original audience, and if you use Amazon Ads, this could potentially advertise via an Amazon campaign Ad off of Amazon, onto other websites. So basically, Amazon does all the footwork for you and pushes it to other websites too. You just have to have free cash available!
Method 2 - Tracking data off-Amazon for product recommendations
Now, this method is sort of like #2 in the last explanation. Amazon advertises all sorts of products on its own website AND on others as well based off of your activity. I personally got really accurate recommendations just by scrolling on Pinterest every day. It’s actually really interesting to see how Amazon can recommend stuff to me based on activity that seems trivial and ‘meaningless’. Guess it’s not so meaningless after all!
You’re probably asking yourself, “What stuff does this ad system track?!” Here is a list.
Clicks and views, length of time
Is it in your cart? How many carts is this item in?
IP, Cookies, Device Info
What you viewed on other websites (aggregated data to recommend you items)
Possibly your name, age, country, email to attach to this data
Unique link you clicked in the ad itself to get to the item
Other item ads you interacted with
Past purchases
Historical activity patterns on certain websites you frequent (data aggregate is sometimes sold or given to advertising partners)
This data is not just used for ads, but also used for data tracking all across Amazon itself. From what I can see, any sort of data aggregation given to sellers is just consolidated, anonymized data given to them so they can make informed business decisions. Personal information is only given during a sale, which is (usually) given to a 3rd-party or dropship warehouse to make and deliver the product.
I think that the issue is massively overblown, and a case of playing it too safe. While I do understand the potential concern, there would likely have to be a really large-scale breach of imgbb, the Amazon Ads SDK and similar tooling. Additionally, these threat actors – in this theoretical breach – would have to essentially go out of their way to doxx everyone… which is too much effort unless these folks had a personal grudge against someone.
demesa-jump · 3 months ago
COPPA and the fight to restrict Data Access on Minors
The other morning, I asked myself, “Huh, I wonder why children’s and teens’ private data isn’t on the clearnet or in the hands of data brokers, compared to adults’?!” One big answer to this is COPPA, or “the Children’s Online Privacy Protection Act.” This Act not only gives directives for website developers on what to show to minors, but also helps to protect their data. This makes it increasingly difficult for places like ROBLOX and Fortnite (Epic Games) to have metrics on in-game activity from certain age groups.
Two more policies, CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Act), give directives that restrict what data is given out. That is, unless parents explicitly consent and give permission. Many countries, entities, and companies worldwide are bound by these rules (I will discuss how enforceable these are later!)
However, back in 2019, a New Jersey data broker “…told regulators that it did not knowingly possess data on minors, even as it advertised a mailing list of more than a million high school students for sale on its website.” In addition, they did not follow their legal obligations to tell state regulators what they were even doing. This can be scary considering how easily some servers and ports can be entered by threat actors; who knows what they could do with this data?
One question raised earlier was, “Is COPPA even enforced?!” In 2019, after a massive COPPA violation, Google/Alphabet and YouTube were ordered to pay around $170MM to the FTC. While historically COPPA, GDPR and CCPA have been rather rocky in terms of actual compliance, I have seen more and more websites comply with these regulations, or give consumers options. ROBLOX, for example, has had a rocky relationship with regulations since the beginning (references below relate to child gambling allegations, grooming and much more!) but in 2022 introduced ID-based verification to beta Voice Chat. Initial verification efforts were interesting to follow, as many users used fake IDs to get access, but this eventually got fixed. The platform went a step further to allow experiences ‘for users 17 and older’ around the same time. Epic Games (creator of Fortnite) settled for $275MM with the FTC over violations of COPPA for collecting children’s data for market research and data analytics purposes. There are many more examples out there, but these types of cases pique my interest in terms of enforceability and accountability.
The main question posed here in my blog post is, “Can COPPA (and other privacy-focused legislation) be enforceable even if trends DON’T show it’s been enforced?” Simple answer: yes!
Though I do think that the Federal Trade Commission has been late to the game - namely due to the Pandemic - there is accountability being held, and accountability is definitely possible. The COVID-19 Pandemic has definitely given many things attention that were otherwise dismissed, and I feel as though these lawsuits are signs that maybe these companies will start following some rules.
We definitely have a long way to go in the fight to restrict data collection on minors, but so far things are starting to look positive. I would recommend reporting violations to the FTC while also contacting platforms themselves to restrict data collection on your children. Practicing your right to privacy is definitely needed these days, and I highly recommend it.
COPPA + Epic Games
https://www.malwarebytes.com/blog/news/2024/03/data-brokers-admit-theyre-selling-information-on-precise-location-kids-and-reproductive-healthcare
https://news.law.fordham.edu/blog/2019/03/19/n-j-data-broker-tried-to-sell-personal-info-on-a-million-kids-but-didnt-tell-state-officials/
https://techpolicy.sanford.duke.edu/data-brokers-and-the-sale-of-students-data/
https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312
https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
https://gdpr-info.eu/art-8-gdpr/
https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations
ROBLOX links
https://forums.thecookie.dev/t/massive-security-risk-roblox-voice-without-id/4258
https://www.pcgamesn.com/roblox/voice-chat-phone-verification
https://corp.roblox.com/newsroom/2023/06/introducing-experiences-for-people-17-and-older
https://www.theverge.com/2024/4/3/24120358/roblox-robux-illegal-gambling-online-casinos-lawsuit-section-230
https://www.bloomberg.com/features/2024-roblox-pedophile-problem/
https://www.theguardian.com/technology/2024/oct/15/roblox-allegations-ofcom-online-safety-act
https://fortune.com/2024/10/09/roblox-hindenburg-research-report-pedophile-hellscape/
demesa-jump · 3 months ago
FREE Privacy Checklist
Sooo... I was bored and decided to write something interesting. It can be hard to forget all the wonderful things that give us peace of mind in terms of privacy. I was like, "Hey, why not make a checklist for everyone to use?!" Check it out :).
Just make sure to go to "File > Make a Copy" when you go. Let me know if you want me to add anything.
demesa-jump · 3 months ago
Tone Miscommunication and what to avoid
In one of my previous blog articles I explored connections between lack of access to healthcare and how that shapes communication online. Now, I want to explore a long-standing issue many folks online seem to face: misinterpreting tone and text online. 
On platforms such as TikTok and Instagram’s Reels, there is a seemingly intrinsic default tone utilized which indicates sarcasm to some extent, while Instagram overall seems to be a place to showcase happier moments in one’s life. On platforms such as Reddit or Quora, an overall tone that can be seen is that of a mostly ‘serious’ nature save for a few ironic/sarcastic subreddits, such as /r/StarterPacks for example. 
Still, even here, unless you have emojis - which are socially frowned upon or even banned in most contexts - the majority of people are likely going to have a hard time unless you deep dive into people’s specific profiles and have detailed cultural education on every culture possible. …Which is a lot, and I wouldn’t expect everyone to have the time to give themselves deep history lessons on that. Additionally, Reddit - casual nature as it is compared to Quora - is meant to have a semblance of anonymity to the site in respect to people’s privacy-by-default unless they reveal themselves. (I support this model.) 
Aside from cultural mismatch and lack of knowledge, it is proven that being online/on your phone for too long is linked directly to heightened anger and frustration. This is due to blue light exposure and sensitivity. The longer you expose yourself to technology lights given off by monitors, your brain will act a bit differently.
Some people - especially on Instagram and TikTok - have resorted to tone indicators to alleviate potential friction and to aid in replacing emojis. Even though Gen-Z and younger Millennials have historically used emojis, excessive usage is seen as cringe and juvenile, even to adults in both categories.
Honestly since we have all of this explained… what are we supposed to do to communicate?! What’s the game plan?! I actually have a few tips to give out 100% free for you all!
Do not engage with trolls (Know the signs)
Usually, trolls will pick fights and always have something to say about you. Doesn’t matter how correct or kind you try to be, trolls will always know how to peeve you. Ignore + Block liberally.
Be VERY careful with giving out personal information + be vigilant
If you, like teenage me, are prone to accidentally being involved with ‘drama-filled’ or unsafe folks, do not give out your personal information. If possible, ignore and block, or even ask a trusted friend to help you out in a suspicious situation.
“Act your age” and be around those your age!
This applies to adults too! Unless it’s professional stuff, try to not talk to people 5+ years older or 5-10+ years younger. Act mature/your age and also try to associate with people your age. It’s not just avoiding liabilities, it’s literally keeping you safe from potential power imbalances.
Learn the tone you should use on every website you encounter.
For example, LinkedIn is more professional and a place to pat yourself on the back. Instagram is for positive glimmers in you and your friends’ lives. Facebook is (usually) meant for family and some long-standing friends that you post updates to occasionally. (Also, using tone indicators should help.)
Limit screentime
This isn’t just for your kids! Limit your screentime and interact with people in real life. This will help immensely and ground you.
demesa-jump · 3 months ago
In the USA alone, most companies (66% according to Forbes!) offshore at least ONE department completely, and of course, with the rise of Artificial Intelligence/LLMs, fewer jobs will be available at home as a result. I wanted to explore the benefits and downsides of offshoring vs. having your Trust & Safety staff in-house, perhaps with the addition of AI tooling.
Offshoring
Pros!
Reduced cost ($10s or $100s of thousands per year)
Eliminate hire/train-up/management time and money 
Less $$$ spent on staff means more scalability
Cons!
Cultural nuances + differences can be interpreted differently
Moderation guidelines might need a facelift prior to outsourcing to account for T&S team cultural shifts, language barriers, etc
Long working hours for the moderation team and low pay, might create a morality issue
Near-Shore and InHouse
Pros!
Usually in-person/hybrid approach, allows you to put name-to-face
Allows for regular and deeper collaboration, opportunities to regularly amend policies
Can also consider gig economy work or contract work
Cons!
Higher pay and benefits cost means you lose more $$ as a business, not as scalable
Your contractors or workers stay with you for way longer, can’t just fire like you can a whole firm 
Potential for less $$$ and time spent on AI tooling unless the T&S team is specialized to program AI/LLM models 
I'd personally recommend trying out all options if your company can afford it, and especially early on before rapidly scaling. Make sure your team is aware and has (some) background tech knowledge such as Python and SQL experience as well.
demesa-jump · 4 months ago
Correlation between lack of self-care, barriers to healthcare and toxic online environments
Today, a thought popped into my brain. “Is there a correlation between toxic online environments and a lack of self-care?” I remember back in 2021 and 2022, many folks on certain platforms started to become increasingly angry, communities were full of friction, and it seemed more dangerous to be online than ever. Now obviously the pandemic was a significant factor, but I also remember the Adderall shortages were an enormous problem as well.
I don’t want to dwell on possibilities for too long, but I want to see if problems like long COVID, lack of medication and lack of wellness resources contribute to toxic environments online.
You can build the best apps, the best UI/UX and have the best policies in the industry, but sometimes you can only go so far, especially in an increasingly online era. Let’s dive in and see where this takes us.
Upon initial canvassing and Googling, some sources say that Adderall can actually adversely cause irritability and anger in people but I am quite skeptical about this considering they are from newer sources with potentially little verifiable research. Though multiple sources actually state that a LACK of Adderall/VyVanse medications (if a patient regularly takes them!) can cause social issues, irritability, lack of following directions, etc. 
Obviously, supply chain issues caused mass anger and panic as manufacturers were drawing near their ingredient usage capacities for Adderall and VyVanse. This in turn caused compounded irritability in addition to irritability within other parts of people’s lives.
Multiple sources also state that ADHD/ADD can cause folks diagnosed with this condition to maintain toxic relationships in their daily lives, even if they might not want to. Some folks with ADHD might also “Love Bomb” those around them if left untreated. 
There are a few similar symptoms in people with other conditions as well, although this particular post is focused on the Adderall shortage and COVID-19 effects.
Are these people narcissists? No, not most of them. Are some folks bad people? Potentially. Are ALL folks with ADHD bad? No. It is a diagnosable disorder just like the rest out there, with research-backed treatments. There is hope out there for sure. Also, just because anyone has a certain diagnosis does not mean they’re doomed, hopeless, etc. A diagnosis is actually one step closer to becoming better as a person!
Now how does this equate to toxic communities online? Words and conversations can be misconstrued, for example. People can take things out of context or make extremely rash decisions. Additionally, as stated earlier, toxic relationships and friendships are here to stay unless people get treated and get the help they need. This is often very tough to deal with as much of this is personal responsibility. Lastly, therapy can often be expensive and time-consuming, and many do not have the emotional or financial means to open up to this option.
Regarding Long COVID, as of 2023 about 65 million people worldwide have symptoms of this debilitating long-term illness, and Long COVID can cause irritability, brain fog, and can make it difficult to make responsible decisions. 
Obviously, some folks can’t really help it (just by the statements alone.) Whether it be Long COVID, drug shortages, or cost of quality healthcare, there are many barriers to proper healthcare and self-care as well. One small element can affect everything else, much like a domino effect, and it can be very messy and confusing on where to start and where/when to continue with the self-care journey.
That being said, how do trust and safety practitioners navigate this environment without causing chaos or panic? Much like introducing features, have soft launches or ample time between announcing policy features and implementation. Give chances, but also recognize that some repeat offenders definitely don’t deserve more than 2-4 opportunities of improvement before a permanent ban.
You can truly only handle what happens on your platform, and it is expected that users will most likely use multiple platforms to communicate. That being said, you and your teams might want to consider taking into account the off-platform behavior patterns of the offender in question so you can make informed decisions about moderation policies.
What can YOU do to have peace of mind and take care of yourself?
Goal setting: make sure you have goals for both your professional life and your hobbies. This can help you look forward towards the future
Stay hydrated and EAT!!! Doesn’t matter if you have body image issues, whether you’re big or small, please just do it. It’ll help you.
Time Management is your best friend. Seriously! Pomodoro method, alarm clocks, calendars, Calendly… whatever you use, use it. Also, reminders help.
Invest in therapy, counseling, or invest time in learning how to help yourself. I wouldn’t recommend self-help books or anything pop psychology. But I also would be extremely careful about Dr Google too, find a healthy balance between consulting experts and the Dr Google method. 
Limit Social Media. In today’s climate, not everything is moderated perfectly. Not everyone has your back! Make smart decisions on who you affiliate with.
References
https://www.nytimes.com/2023/08/15/well/mind/adhd-adderall-shortage-children.html
https://add.org/adhd-love-bombing/#:~:text=Essentially%2C%20the%20partner%20with%20ADHD,reciprocated%20at%20the%20same%20level.
demesa-jump · 5 months ago
How Bloons Tower Defense 6 relates to Product Management
Recently, I have been revisiting one of my most beloved games of all time: Bloons Tower Defense 6, which was made in 2018 by game studio Ninja Kiwi. While previous iterations were Java Applets and Flash games, this one is a full-fledged Windows PC game released on Steam.
Essentially, there is a track or a path that balloons and blimps go on, and you place monkeys on the sides to pop the balloons; you lose health points if the balloons reach the exit. It’s extremely colorful and whimsical as a game. Seems rather childish and easy until you realize that further levels require you to literally look up tutorials and play with others to win the final rounds. (Still very fun regardless!)
Levels range from the easiest of the easy to multiple extremely hard modes on over 30 maps. Some more difficult modes on these maps include having half cash, double health on the blimps, and 1 Health Max, to name a few. All of these really make you think about how you spend your money, which qualities in the monkeys you pick out, etc.
You’re probably wondering why I like it in the first place, and how this even relates to Product Management and Strategy. Let's get the obvious out of the way: I don’t like First-Person Shooters like many other folks do, and I really do like the bright colors Bloons TD 6 provides. The bright colors really are deceiving with how challenging the game can be. Additionally, it’s stress relieving and makes me forget frustrating stuff in life. 
Now, on to the PM side… how does a Tower Defense game relate to PM strategy and Business Intelligence?
You have to thoughtfully craft and strategize your next moves until each map fully ends
Budgeting is an extremely important component between dying and winning within the Bloons TD series. One wrong purchase can literally mean you’re dead, especially in the harder modes.
Top-down, you have to know every skill tree the monkeys offer in order to maximize gains and strategize your budget.
Yes, you can look these features up while playing, but it often wastes time and it’s better to just memorize the skill trees.
Big picture: you not only have to take into account all of the above for every level you play. In addition, you also have Knowledge Points skill trees so you can buff up your defaults for every level. Strategizing this can set you up for even greater success.
While yes, you can purchase some of these with real-life currency, working hard for them is much more rewarding. One particular level I am struggling with right now is Half Cash mode on the first map, Monkey Meadows. Once I figure out the solution I’ll definitely come back here with some stellar advice! But for now, I have been trying to slowly figure out the perfect solution.
Actually, in a way, this issue is comparable to a dilemma that some companies share: how can you create a value-add for the customer that's cost-effective and revenue-gaining, without cutting corners down the line? Something I have noticed from other levels in Bloons TD 6:
Be consistent with your service offerings and prices
You need to be generally consistent with your pricing model and service offerings or you might see high customer churn.
If there is a significant change, have an off-boarding scheme and notify customers with ample time to consider their options.
You can always add perks later, but don't add them too late in the process.
This indirectly might cause churn, as customers might think, “I can get/should have gotten these features for a similar price elsewhere!”
If you have a service installation, conduct regular meetings/satisfaction check-ins and health checks on the service offered.
You can determine a meeting cadence that's appropriate with the customer if needed, but it's not recommended to have random or surprise meetings unless there is an emergency. (Also, “should have been an email” is definitely a consideration depending on the situation.)
Additionally, make sure you regularly check in with customer care and marketing teams to make sure canned responses and response funnels are up to speed.
Team preparations - make sure your team is skilled enough and ready for the project
See how I worded that? I didn't say omnipotent, super-expert people need to be on your team. Just make sure they know what they're talking about, have the experience needed, AND know how to talk about it in different contexts and to different audiences. Keep explanations simple when needed!
Many teams over-hired during the pandemic and took a bet on many people who underperformed. I have also actually seen folks be promoted to senior and staff roles right out of college (Eek!). While we all need income, you should be reasonable when hiring and bringing folks into projects.
While this is definitely a video game and not real professional experience, it does very closely echo some of the real-world experiences I have had. I had an interview a few months ago for a PM position and they heavily emphasized budgetary measures. (The solutions they offered to customers included cost-effective cloud products and architecture.) This really has had me thinking since: "Is it even possible to be cost-effective AND have quality service offerings?" Yes, it's definitely possible, and Bloons has taught me this. Obviously you can't have everything in life. In Bloons, I always anticipate and can't WAIT to have the final skill in the skill trees when I'm beating a map. But looking at the bigger picture and my current budget the whole time, while doing budget forecasting, has really helped my long-term vision of what is possible.
demesa-jump · 5 months ago
Deepfakes, AI, and crime
Although the modern form of the technology was created in 2017 - by amateurs and professionals alike - deepfake technology was truly first developed in the 1990’s and refined in the 2010’s. Many politicians and academics alike have raised serious concerns about the negative potential that Artificial Intelligence, deepfakes, and LLMs can have on people worldwide. One such concern raised includes deepfake nudes, especially those of children.
In 2017, many of the first modern versions of deepfakes were created and posted via 4chan and Reddit, and the modern term as we know it today was coined by the Reddit user /u/deepfakes themselves. Many took it upon themselves to post their own deepfakes of celebrities, politicians such as Barack Obama, and much more. Although many early variations of such content were trivial and unrealistic at best, the technology has quickly evolved towards a more realistic view.
In the USA, states such as Utah, California, Pennsylvania and New York have all brought forth legislation banning or restricting the use of deepfakes. Many folks who are caught making deepfakes - or even in possession of CSAM (Child Sexual Abuse Material), fake or not - will receive serious jail time. In addition, up to 40 states have strict nonconsensual revenge porn laws as well. Although some might argue that charging folks with deepfake felonies might be difficult, many counties and states can charge offenders with similar charges and throw the book at them.
For example, Montgomery County, TX police often do sex offender stings online using a variety of platforms. Obviously, much of their “Pedo Pouncing” might involve talking directly to offenders to meet up in real life. However, this could also include convicting those in possession of deepfakes, CSAM and other content. Although I am positive there are other counties doing this regularly, Montgomery County is the ONLY county I have seen do sex stings regularly and not on a one-off whim.
According to the IWF, over 20,000 deepfake images were created and shared on a dark web deepfake/CSAM forum in Fall 2023 within a 1-month period. Additionally, the IWF states that, “Perpetrators can legally download everything they need to generate these images, then can produce as many images as they want – offline, with no opportunity for detection. Various tools exist for improving and editing generated images until they look exactly like the perpetrator wants.” It is definitely tricky to see someone with their own internal LLM/AI image tool, ostensibly just for creative purposes, and wonder if they are using it “for more”.
According to Dutch researchers Henry Ajder, Giorgio Patrini, Francesco Cavalli & Laurence Cullen, in Fall 2019, 96% of all deepfakes were pornographic and can perhaps be assumed to be nonconsensual as well.
Although there is much legislation in the United States criminalizing deepfake creation and possession, the United Kingdom and most of Asia hardly have policies criminalizing these heinous actions. There is also not much research into deepfake conviction rates; however, some websites highly recommend verifying your identity to help against bots, spam accounts, and of course deepfake pages themselves.
RECOMMENDATIONS
Recognize the parts of AI/deepfakes:
Is the voice robotic or cutting out? Is what the person is saying realistic compared to how they usually act?
How pixelated is it, and are the movements weird / too stiff?
Are people and items in the background unrealistic? Are words not pixel-perfect? Look into the fine details.
Educate your friends, family and children on safe internet habits
Proceed with caution on every website (and every internet interaction!). Just because someone has a lot of engagement or follows, or is a big name, doesn’t mean they are trustworthy, unfortunately.
Learn to recognize patterns in behavior. How would you expect your loved ones and trustworthy folks to act? You know the saying “treat people how you would want to be treated!”, but not everyone online is there as a friend. Some are manipulators, some are ‘friends’ only as an intermediary spy. Some folks are just bad actors.
Limit the amount of information you share online and block liberally; check websites to make sure they are the legitimate website you intend to be on!
Be careful with who you are friends with as well! (“Trust, but Verify”)
For both real life and online, be VERY cautious about who you are friends with. Simply because, unfortunately, there will always be “that one person” you might have a rift with and drift away from, and they will mess around and play dirty. Fortunately most folks do not make deepfakes of their ‘friends’. However, it doesn’t hurt to be aware and at least a bit careful!
demesa-jump · 5 months ago
Gabb Phone -- Is it worth it?
Gabb Phones definitely aren't too new; they were made and released in 2018 as an alternative to smartphones. Enabled with GPS tracking, parental approval mechanisms, logging on basically every app, etc., this is a comprehensive tracking phone so parents can have peace of mind and help keep their kids safer.
As of October 2024, iPhones hold the majority of the market with around 54-55% market share, and Gabb Phones (according to CanvasBusinessModel) are estimated to have peaked at an 11% share of the market. So they have quite a long way to go to gain any sort of significant margins and favoritism with parents. Some folks might posit that it could be unaffordable (pretty petty to me, considering it's only around $49.99 for the basic Pro model...); some might argue it might be "dipping too much into stalker mode; teens need their privacy!" It's definitely tricky to balance parenting mode and being too helicopter-ey.
Pinwheel phones are a bit more expensive, with the most expensive being around $500. However, their features are more comprehensive and thought out, and they have way more apps offered. Lastly, I couldn't find a market share %, but as of 2023 they are currently sitting at #212 / 5000 in market/company standings. So, not too shabby as an alternative!
Another alternative to the Gabb Phone is the Bark Phone. It's basically in between the Pinwheel Phones and the Gabb Phones in terms of apps offered and parental monitoring (and the phone automatically takes screenshots too!), but they also have apps for iOS and Android, so buying a phone separately is not really necessary.
If I were a parent and saw this chart of qualities being compared, I would likely choose Bark or Pinwheel. Many parents are super busy and many are dual-income households constantly in the workplace. So while I cannot personally recommend for you, look into and research the best options for your family! Some teens have opened up online and have stated they feel phones like this are way too invasive (I have to agree!). If possible, try talking with your kid; be a partner in their care and have extremely open communication with them. It’s definitely tricky to get teenagers to open up, but having a welcoming, trusting and open environment where they can come to you is one of the biggest things you can do to build trust with your child! Practicing genuine kindness with your teen, especially where it seems our world often lacks kindness, can also make a huge difference. I would recommend being consistent and building trust before you consider getting these phones.
demesa-jump · 5 months ago
Bluetooth and Headphone Safety
Although there are two main types of device-to-device communication vulnerabilities associated with Bluetooth tech, there are also some health risks you need to be aware of. I wanted to talk about these issues not to fearmonger or cause panic but simply to educate. Let’s dive in!
One big method is called Bluejacking. Essentially, attackers send unsolicited and unwanted messages via Bluetooth from device to device. One of the first such messages was sent by a Malaysian man in or around 2001. One other individual claims to have been the first at an earlier date; however, both are Nokia-phone-related incidents with poor Bluetooth security, especially at a time when Bluetooth was still very early on.
Most victims of Bluejacking are completely unaware of what has happened to their devices when they’re Bluejacked, and just think their phones have glitched out or perhaps have age-related issues.
Bluesnarfing happens when an attacker gains unauthorized access to your devices via an active Bluetooth connection. When used as the threat actors intend, they then have access to calendars, contact lists, emails and text messages, and on some phones they can copy pictures and private videos. Fortunately, the attacker sort of needs to be within extremely close range, as the vast majority of attacks have happened within the maximum range of 10 meters.
Tech-related advice
Keep Bluetooth off when you aren’t using it
Toggling it off within the iOS quick-functionality squares WON’T work. You have to go all the way into Settings to toggle it off fully.
Make sure you know what your devices are named, and don’t accept Bluetooth connections from people you don’t know.
Health/Physical Security advice
Our ears are very sensitive to high decibel ranges, so try to find quality, cost-effective earphones/headphones without compromising your hearing range.
Noise-canceling headphones and earbuds, especially at lower volumes, can really help ease the damage or even protect your ears from future damage.
"What does this have to do with trust and safety?!" Well, not only is protecting your devices extremely important to your personal data, but your physical health is also at risk if you misuse headphones or are uninformed.
First of all, some people think that it's totally OK to have high volume on your headphones. If you practice this bad habit over time it will cause tinnitus and hearing loss, and you could perhaps even go deaf. Secondly, some folks out there believe that Bluetooth is some cancer-causing technology or something of that nature. However, due to how low the signal power and frequencies are, the impact on your health in this respect is very low.
Trust & Safety mainly encompasses fraud, information assurance, and moderation in most day-to-day duties. But fighting disinformation is also a massive part of the duties that many don't discuss, and I want to do my best with what I know to combat this issue :)
demesa-jump · 6 months ago
How you can manage and implement moderation into your GCP/Firebase apps
In this day and age, many moderation tools are AI-powered, automated or even outsourced internationally. Especially if you’re a smaller firm or a startup, saving on $$$ and manual labor can really make a difference.
GCP Natural Language Processing API
The biggest concern I have seen is that this can very easily run through the free initial $300 you are given in credits if you aren't careful.
Through this Natural Language Processing API, you can use custom JSON files and strings to request specific entity sentiment analyses and syntactic analyses that break up a phrase. By using methods such as analyzeSentiment or analyzeEntity you can really dive deep into the details and specify certain settings within these methods.
GCP’s Translation API can auto-translate strings of text within conversational settings and chat rooms. This can work seamlessly with your other APIs and can provide feature-rich experiences for international users. This is especially important if you plan on moving past the anglosphere and your home country, adding a net positive to your app’s reach and value. This is also super neat for video games - ROBLOX actually implemented similar tooling during the pandemic - so users can have automated translation while they enjoy their games.
From a moderation perspective, this is great if your keyword catching is strictly in one or two languages and you want to moderate in those primary languages themselves.
These two APIs I have listed above are really stellar at processing language and help you get a great start on your moderation journey. I would highly recommend having a linguist or copywriter on board as well if necessary.
Lastly, let's talk about Firebase! Firebase is a suite of back-end services for your app that provides hierarchical setup, scripts, Crashlytics, and A/B testing. This is a cheap and effective option if you do not wish to go the AWS or Azure route.
With Firebase you can access a desktop / web suite of moderation tools so you can manually moderate usernames and posts that users input. I personally used this feature extensively when I was at Blue Fever, and although it is a very effective tool, we did have to add AI-based tooling based on a list of words and sentiment / past posts as well.
Some words we input for the AI (not an extensive list, obviously….) were cuss words and sexually charged words, and any alternate spellings.
For example, stupid could also be spelled stewpid, stup1d, stüüpid, etc. There are many more examples, but this is a short and sweet one that we potentially put into our list. A lot of younger folks especially will try their best to circumvent rules, so as a custodian of moderation you need to find the fine line between keeping your user-base stickiness and moderating with high quality standards.
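As an added example (not the blog's or Blue Fever's code), here is a small Node.js moderation helper of the kind a Cloud Functions for Firebase project could run on each new post, tying together the two pieces described above: a normalizing keyword filter that catches alternate spellings like stewpid, stup1d and stüüpid, plus a decision helper that reads the documented response shape of the Natural Language API's analyzeSentiment method. The blocklist, the thresholds and the sample posts are constructed for illustration.

```javascript
// Added example (not the blog's own code): a moderation helper for a
// Node.js / Cloud Functions for Firebase project. (1) a normalizing keyword
// filter that catches alternate spellings such as "stewpid", "stup1d" and
// "stüüpid"; (2) a decision helper that reads the documented response shape
// of the Natural Language API's analyzeSentiment method. The blocklist,
// thresholds and sample posts below are constructed for illustration.

// Characters users swap in for letters (leetspeak); extend from your own logs.
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's' };
// Phonetic respellings seen in evasion attempts ("stewpid" -> "stupid").
const PHONETIC = [[/ew/g, 'u'], [/ph/g, 'f'], [/ck/g, 'k']];

// Canonical form of a word: strip accents, lowercase, undo leet, undo
// phonetic respellings, collapse repeated letters. Applied identically to the
// blocklist and to the input, so "stüüpid" and "stupid" meet in the middle.
function normalizeWord(word) {
  let w = word.normalize('NFKD').replace(/[\u0300-\u036f]/g, '').toLowerCase();
  w = [...w].map((c) => LEET[c] ?? c).join('');
  for (const [pattern, repl] of PHONETIC) w = w.replace(pattern, repl);
  return w.replace(/(.)\1+/g, '$1');
}

// Split a post into candidate words. Spaced-out letters ("s t u p i d") are
// re-joined so that trick is caught too; everything else splits on non-letters.
function tokenize(text) {
  const raw = text.split(/[^\p{L}\p{M}\p{N}@$]+/u).filter(Boolean);
  const tokens = [];
  let run = [];
  for (const t of raw) {
    if (t.length === 1) { run.push(t); continue; }
    if (run.length > 1) tokens.push(run.join(''));
    run = [];
    tokens.push(t);
  }
  if (run.length > 1) tokens.push(run.join(''));
  return tokens;
}

// Keyword pass: the blocklist terms present in the text, after normalizing
// both sides. Matching whole tokens (not substrings) keeps "class" from
// tripping a filter for "ass", which keyword lists are notorious for.
function findBlockedTerms(text, blocklist) {
  const terms = new Set(blocklist.map(normalizeWord));
  const hits = new Set();
  for (const tok of tokenize(text)) {
    const n = normalizeWord(tok);
    if (terms.has(n)) hits.add(n);
  }
  return [...hits];
}

// Request body for POST https://language.googleapis.com/v1/documents:analyzeSentiment
// (the API's documented shape; sending it with your credentials is up to the caller).
function buildAnalyzeSentimentRequest(text) {
  return { document: { type: 'PLAIN_TEXT', content: text }, encodingType: 'UTF8' };
}

// Combine keyword hits with an analyzeSentiment response: score runs from -1
// (negative) to 1 (positive), magnitude is the overall emotional strength.
// Thresholds are constructed; tune them against posts your team has reviewed.
function decide(text, blocklist, sentimentResponse) {
  const hits = findBlockedTerms(text, blocklist);
  if (hits.length > 0) return { action: 'block', hits };
  const { score = 0, magnitude = 0 } = sentimentResponse?.documentSentiment ?? {};
  if (score <= -0.6 && magnitude >= 1.0) return { action: 'review', hits };
  return { action: 'allow', hits };
}

// Constructed blocklist, posts and API responses (stand-ins for real data).
const BLOCKLIST = ['stupid', 'idiot'];
const SAMPLE_POSTS = ['ur so stewpid lol', 'you are STUP1D', 'stüüpid game', 'you s t u p i d', 'this level is hard but fun'];
const NEGATIVE = { documentSentiment: { score: -0.8, magnitude: 1.9 } };
const NEUTRAL = { documentSentiment: { score: 0.1, magnitude: 0.3 } };

for (const post of SAMPLE_POSTS) {
  console.log(JSON.stringify(post), '->', decide(post, BLOCKLIST, NEUTRAL).action);
}
console.log('hostile, no keyword ->', decide('I hate everything about this', BLOCKLIST, NEGATIVE).action);
```

The first four sample posts come back as block, the fifth as allow, and a hostile post with no listed word lands in review for a human to look at rather than being auto-removed.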
Now…. how does this all factor into Privacy Laws, Child Safety etc.?
Apple’s strict requirements force most app developers to keep users 12 years old and up. Under that age you should ban or restrict these underage users almost entirely.
Additionally, with many privacy and data laws such as CCPA, GDPR, COPPA and TRUSTe guidelines, it is going to be considerably difficult to collect data on children to determine if they are actually children (meaning, they themselves or their parents would likely have to tell you). Also, you can't catch everything on an app or website, and that is why so many policies and app platforms have strict requirements regarding age boundaries.
Aside from the features app developers can use and import into their developer toolkit, adding the ability for parents to make Parental Accounts and Parent Settings is very important. This is especially important if you want parents of kids under 12 to keep a close eye on their kids' internet activity.
Some companies have recommended that forced ID be put in place to circumvent these issues; however, ROBLOX (one such company, which implemented this for voice chats during the pandemic) noticed that many users were being auto-approved with a fake SpongeBob ID. This begs the question, "How good are ID checkers, and how far is too far??"
Some teenagers circumvent laws by doing the SpongeBob ID move; some just get their parents' IDs because most don't have a full-on Real ID or driver's license. So this begs another question: "How far is too far with enforced app rules/age requirements before shutting down these features?" I would recommend some version of ID checking, just not so hardcore that teens feel the need to do this regularly (and it has to not be sloppily implemented).
Some places such as China banned gaming for more than 3 hours a week a few years ago, and recently Australia banned social media usage for teens under 16. (Sweden is planning something similar...)
demesa-jump · 6 months ago
Open Source / Google Dork like a pro! (repost)
“Oh no! I LOST the link to an old website/file/xyz I had and was dumb enough to NOT save it!” Yeah, I’m sure we’ve all been there at some point, and we’re even more worried that it’s been - gasp - deleted! Anyway, I actually have this problem, so let’s go on an adventure!
“What’s OSINT? Nobody uses your weird tech terms, ya nerd.” Basically it means Open-Source Intelligence, or gathering publicly available data. There are other terms related to it such as SIGINT and GEOINT.
PROBLEM: Someone on Reddit, pre-pandemic, posted a link to the full discography of an artist I listen to, including never-before-released remixes. Thing is, this artist is in Japan and only sells their content in person at Comiket (Comic Market).
GOAL: Find the link!
ARTIST: Kokyo Active NEETs from Tokyo, JP
Firstly, I headed over to Kokyo Active NEETs’ official YouTube page to get a hint of what some of the cover art looks like.
Sidenote: Looking through my browser history actually didn’t work! So for those asking… here you have it.
I also listened to some of their music as a refresher to jog my memory and attempted to remember some of it.
I then went directly to Reddit with the search terms “Kokyo Active NEETs full discography”, “Kokyo Active NEETs OneDrive” (since it was uploaded to OneDrive) and similar terms, only to be met with YouTube links. Suddenly, in the middle of these whole shenanigans, I got the idea to just Google “Kokyo Active NEETs All Albums”, and after scrolling down a little, I found a website that seemingly gave them away for free.
All links led to MEGA/MediaFire file links that matched up with them. I was slightly suspicious, so I looked into it more. According to /r/Touhou on Reddit over a decade ago, DoujinStyle apparently hosts pirated files.
Although it does seem like that is the only person saying such things. In any case, I downloaded Malwarebytes since I know they have a file scanner.
I also added their free browser guard as an added bonus :)
Since I already had a subscription I just signed in and continued back with the files from before.
Since I am on Windows 11, I had to right-click > More Options > Scan with Malwarebytes. On my first ZIP file, nothing suspicious was shown. Of course, Malwarebytes is not the only solution.
I went to VirusTotal: nothing detected out of 100+ scanners.
I also went to FileScan.io: it showed “100% suspicious” with only one MITRE technique, which was “Exfiltration by an attacker to Cloud Storage”. I personally take MITRE with a grain of salt if it’s the only one listed. I think it’s safe to say that they are generally safe files, but obviously I am going to scan every single one and practice safe security anyway…
demesa-jump · 6 months ago
Introduction Post
Hi there! I'm not new to blogging at all, but decided to make a Tumblr for the sole reason of putting my tech content out there. I will be migrating all of my tech stuff off of GDrive and onto here pretty soon.
In the meantime, more about me! I graduated last year with a Bachelor's in Cybersecurity, literally just ended a research externship with Extern/ParagonOne, and am currently a technical writer for UserSearch. I am currently on the market for OSINT/Threat Hunting and Research/Documentation Writer roles. I am also open to a potential gig in Digital Forensics long term.
So... why Tumblr?! Why not Medium, Twitter, Notion...? I'm used to this platform and I believe this integrates seamlessly with carrd, my website's main platform. I know how to use the other platforms, I know how to code... there are several reasons!
I don't want to deal with AWS, GCP/Firebase and the stress of the microtransaction-y nature these platforms both have. I'm still looking for a job, you know!
Since most products eventually become paid, I am looking for cost-effective means (basically #1...)
Tumblr allows for more text than Twitter does, and many folks are leaving Twitter or just going semi-AWOL from the platform. I also want to limit how much I post to LinkedIn.
Tumblr's custom blog features and visuals enable me to basically code too. I could definitely use some sort of combo of GitHub/Vercel/Heroku + Namecheap, but this is what I choose to do :) Tumblr and Carrd are tools out there just like Squarespace, WordPress, etc., and these are just the tools I choose to use even though I have experience with the latter.
Anyway, this has gotten to be a bit long, so I will see you when I see you!