 Hello and welcome to recon village. My name is Kayla Kaye and I will be walking you through a presentation on oscent for sex workers So for starters, you know 2020 was a strange year. I Have a lot of friends friends of friends who were looking for alternative ways to make money this year So obviously, you know bands took to twitch to try to do socially distance concerts We had people trying to start a podcast But overwhelmingly the way that people found to make money was through only fans or just for fans So as the person that people knew who does security a lot of people came to me and said, you know, how can I stay safe and Anonymous thought that made a good idea for a community project So I thought about it, you know, what are some of the limitations to and entertainers and in committee? So obviously there are some that are harder to change than others You have physical attributes such as physique tattoos birthmarks hair and eye color Additionally your location a big scam that popped up over the year was the Amazon wish list trap Again promotion was fairly difficult because there's a huge Conflict between promotion and privacy They're not mutually exclusive, which I'll discuss, but they're not it's not easy to achieve a balance either Additionally Payments there was the Venmo trap. So these payment platforms, which are also social media platforms and Again, you know stolen images. So finding leaked images and recordings can be very difficult And of course, you know, there's always data breaches. So there are lessons to be learned from things like Ashley Madison So my general answer was if you know how to use open source intelligence, you might stand a chance And I thought in order to explain this it would be good to create a sex worker's toolkit so in working with people throughout the year did a lot of work to help people understand there's a difference between Establishing an alias and just picking a stage name Establishing an alias is much more than just picking a stage name Also using best practices for privacy Doesn't mean that you can't promote but you do have to strike a balance and you can have a lot of fun with counterintelligence tactics and This becomes especially apparent once you learn how to cyber stock yourself your alias and any counterintel that you put into the world So when I say that an alias is more than a stage name When you want to be an entertainer and entertainer you should start by checking your real identity and the identity of your significant others friends and roommates I Usually recommend starting with that's them calm a lot of the services to do this within the OSINT framework Have turned into paid-for services But I wanted to make sure that Anything that I talked about within the sex workers toolkit was free and available to individuals at no cost so If you were to use that tool you'll probably be likely to you'll likely be dismayed to be honest You're going to be disappointed Because you're likely to find your home address Your phone number your email address and social media not just your own but of anyone who's been physically close to you So this is problematic because the process of cyber stocking in a media in a world with social media isn't just about you It's about everyone who's physically in your orbit or On in your orbit online as well so In order to break this out further When you're establishing an alias you want to get a dedicated business phone There can be no overlap in your phone contacts or your search history So when you are deciding to go into this any social media is immediately going to pick up on your contacts and start referring people to you That's very problematic if you're trying to have a hidden profile if you're trying to maintain some anonymity in the world Or at least keep some privacy from certain people who would normally be on your Facebook Instagram Twitter accounts Additionally when it comes to creating a new email You're going to want to create a new email and a backup email You're going to want to make sure that those have Multifactor authentication on them you want to make sure that they have a secure password and If you can use a system with N10 encryption something like proton mail That would be a big plus when it comes to delivering private messages Additionally You want to start by creating a virtual p.o. Box with your staging and you want to use that fake address for all of your new accounts You do not want to create any accounts on only fans just for fans cash app Or anywhere else until you have this step out of the way You want to make sure that your virtual p.o. Box is located in a different city that you live in This relates directly back to the Amazon wish list scam So the Amazon wish list scam is that a lot of people will say that they want to buy you gifts and many genuinely do But as an entertainer when someone buys you a gift off of your wish list, they're at least given your city and your state with and when you combine that with information from your pictures and The social media and promotions that you put out there you ended with a lot of identifiable data that could allow someone to figure out your geographic location in addition There was a scam out there that if you Allowed them to buy you something they could set themselves up as a third party and Amazon releases your actual address information to that third party So scammers would put up the item that you wanted Pretend that they were selling it purchase it from themselves and then they would be given your physical address and location Immediately from Amazon it would be released and they would know where you live This is a huge problem for anyone who's an online in the online entertainment industry Anyone who's working for only fans or just for fans the fine line between a Parasocial relationship and an actual relationship is often blurred. It does not help if Those people who don't understand the difference get your physical address So I can't understate the need for this if you're going to have an Amazon wish list You can't go back and do this step later. This has to be one of your first steps that you actually perform additionally When it comes to Your social media accounts, you're going to need them to promote you're gonna have to create an Instagram You're gonna have to create, you know, Facebook or Twitter, whatever Snapchats You know, TikTok, whatever it is that you would like to use For promotional purposes. This has to be absolutely separate from anything that you've done previously And the extent to which it needs to be separate cannot be understated So I'll go into some of the issues around photo posting and Some of the stuff that you need to do in order to protect yourself when I talk about privacy But when it comes to establishing an alias, there cannot be any overlap. You cannot friend any of your friends. You cannot share What you're doing with anyone who's in your social circle if you hope to maintain anonymity from everyone Else who's in their social circle All right so moving on Obviously when you're establishing an alias you want to use a VPN you should never reveal your real IP address Your real IP address can be geolocated using open source intelligence tools This means that someone could figure out your exact street address or at least down to a couple of blocks for most services Just using your actual IP address Additionally When it comes to payment platforms a lot of people do private videos Outside of only fans are just for fans. They get to keep more of the money that way This is problematic for reasons I'll talk about later whether it's legal protection or Privacy or ability to take legal action However It is one of the best ways to make money. So when you're establishing an alias You need to set up a cash app if Venmo is linked to your contacts and social group Then you should use cash up and vice versa if Venmo is not your primary one And you're using cash up and you need to switch to Venmo for your business account You should never Share the information between them. You never want to share the social networks on those two platforms Additionally when you're creating a Alias you want to create a fake real you this is for plausible deniability purposes You can go on LinkedIn. Give them a real sounding job you can use the same Photoshop filters that you use on your Content for your only fans are just for fans This gives you plausible deniability and you can track the people who are tracking that I'm like a honeypot in order to figure out what your risks are so it's a interesting Way to build up your cyber skills because you know this person isn't real any traffic that's driven to this fake real You is going to be driven by people who are trying to cyber stock you so it'll give you a chance to cyber stock them back and prove your skillset and Also to see how much interest there is in you in this, you know, not so wholesome or Maybe wanted way All right, the last item on establishing an alias is you're gonna have fun You should use a mask wig eye contacts Use concealer to cover tattoos moles and birthmarks. This is all part of the counterintelligence and You can have a lot of fun with that so Counterintelligence will be any challenges around your physical attributes. You can actually address with those counterintelligence tactics You can use Photoshop to slightly change your features. You can get Tattoos and put them where you don't have tattoos. You can cover up the tattoos you do have You can change your hair color You can change your eye color and you can wear a mask. So there are multiple ways to layer these kind of counterintelligence techniques in the real world as well as online So when it comes to using best practices for privacy, this is a multi-part issue So privacy and promotion are at odds with each other In concepts so conceptually There's some real problems there, but in practice some privacy practices are essential to your safety as an entertainer So if you want to stay anonymous, you may be less successful Then if you weren't trying to stay anonymous, that's At this point being quantified It's kind of a known fact of the industry There are phenomena of phenomenal exceptions, but for the most parts The more private you are the less promotion the less promoted you are and therefore Less accessible and you may not get as big of a following But if you're interested in striking a balance between privacy and promotion, there are things that you can do So removing the permissions from your social media apps on your phone on your business phone And making sure to never share your location is extremely important. So I have an example here of geocreepy.com You can go and view all of the locations ever associated with someone's uh social media accounts and in pulling that up Obviously that gives an attacker an entire list of places to meet you naturally, which is um Could be unwanted So obviously it's really creepy. Uh, there are a lot of tools like this, but this one's very visual I recommend you go to geocreepy.com and give it a try I think when it comes to using uh practices for privacy Your past social media can be compared to your promotional media So to put that in perspective if you've taken a photo at a location that you love for your original social media Um changing the permissions on your original account is not enough to protect you So you can use facebook graph to go through any picture Whether it's been whether your privacy settings have been set or not So just by using facebook's own tools you're able to see Uh past items that are in their history and using those past items they may be able to See that it was you Putting a similar post at a spot that you love on your real social media accounts as well as your obviously promoted Social media accounts So this is problematic. You should really take into account the physical location. Uh, there are a lot of efforts to do geolocation Not just through metadata. You should always remove your metadata, but even more, uh, you know complicated ways have been used So as an example, you can go to sun calc dot net Or like a more look at more of the tools on the oscent framework If you go to sun calc dot net it helps to geolocate someone according to The sun's positioning and a photo So just time of day when posted Uh the way that the sun is reflected in the post may be enough to help someone Figure out where you are at least to a relative degree And with additional features that can help them stalk you which is not something that you want. Um When it comes to keeping your social networks You should also keep your social events separate. So similarly if you go to a special invite only event You should not be taking a picture with your private cell phone and your business cell phone to promote uh where you are At the same time just by putting those two things up at the same time that obviously Uh gives positive correlation to anybody who might be using a tool like facebook graph to go through your historical pictures and try to figure out if that version of you on facebook matches the version of you and your uh promotional materials again, um You know facebook's not the only one this can be done with instagram This can be done with tiktok or snapchat or any of the social media platforms You want to be really careful to keep your social networks and social events separate Just even seeing someone in the background of your picture if that person actually keeps the a very public social media profile They'll be able to find you through stalking them to a relative degree as well Additionally uh removing metadata from photos before you store or share them is important to ensuring that your location is not discovered Um, this is a basic thing, but not everyone is aware. They're varying degrees of You know technical skill sets. There are a lot of tools for removing your metadata I will say the one thing that seemed to be the most common mistake in sharing metadata Was not removing the metadata before it was stored. So if your iCloud account was breached Then they could get all of your pictures, which included metadata So you want to go ahead and make sure to restore your metadata. You want to remove the metadata before you even store it You want to keep a copy of the picture that has no metadata on it Additionally, you know a lot of services remove it, but wherever you store it it can be stolen from that location Um, so you want to make sure that you are scrubbing it as soon as the photo is taken all right, so using best practices for promotion so Not just talking about privacy here. Um, we have to strike a balance So there's good news in the oscent world kind of so let me explain what I mean by that Um, you might be grateful to find there's so many social media management monitoring tools. So you have wiki.kenberberry.com As an example, we'll have all of these social media and management monitoring tools Many are paid for but there's still a lot that are free And you can use uh oscent on your competition. So you can create a private list of your competitors on twitter No one will know who you are following. So that allows you to know when they're online know when they're offline um Know when the right time to blast out a tweet knowing how to pick up their followers You can get a lot of um intelligence off of what your competitors are doing without them even knowing Additionally, you can use facebook watch to notify When they're promoting or going online similar for ig You have the same thing for tiktok so That's another way that you can use oscent to track your competition And of course you can set up google alerts to see anything that pops up about a specific competitor online The reason why I say this is good news is you can do it to your competition But they could also do it to you and of course an attacker can use this But this is the level to which even if you're using good privacy practices You are still going to have this amount of information out there So use it to your advantage. Um And hopefully it'll help you with promoting your account And when it comes to using best practices for safety Um, you want to use the platform security if you're on only fans or just for fans There are security options there Never start streaming without at least taking a peek at those security options Um, probably the most important thing you can do is use multi factor authentication on your email and all of your accounts You want to make sure that you never click on links or open files that were sent to you whether it's in chat or email You should never open those files. There's no need Um and avoid clicking on any links just because they can Um compromise the machine that you're on whether that's your cell phone or a laptop So you want to be very careful when you're doing that Um, additionally platforms like only fans are just for fans tie your real identity to your alias And there's nothing you can do other than contact them and ask that they increase their security efforts So unfortunately, this is the part where I said if you know oscent then maybe you stand a chance Even if you were to do everything right and be very Good at what you're doing. Um, you're still at the mercy of your payment platform and you're at the mercy of These platforms that host your content to ensure that they're actually taking steps to protect your privacy and your safety So what's next for me over the next year? So two interesting problems relating to oscent popped up over the last year Um, number one banning an account is not the same as banning a user making moderation 10 times as hard as it should be I think there's room to create an oscent tool and I've been uh working on that with another woman that I invited to help me with the project And The second thing is that most money is made off of private recordings Which lack licensing and tracking to prevent piracy If you have someone who uses fraps to record without your consent Only fans and then upload it to another adult site. You can use the only fan lawyers to send them a Notice that to send the platform that they uploaded it to a notice that it must be removed But your only ramifications are legal ramifications through the only fans platform. You have no other way to Get these recordings off if you privately provide them to someone So there's definitely some work to be done there The biggest challenge is finding out where your image has been uploaded If they didn't specifically use your alias or your stage name. It's going to be very difficult to find um, and even if you do find it Obviously you'd have to reach out to a lawyer or work with someone to get it taken down um, this leads to a lot of entertainers using Uh watermarks on their videos and watermarks do lead to a lot of complaints. So Well, there are image recognition tools Like roboten Out there. They're not very good at this point There's definitely a lot of work being done in the space and a lot more That can be done So I hope to come back with some interesting tools next year And in order to help me build those tools, I invited Jay Lynn Denise. Um, she's going to be running the twitter account She's a developer. Uh, she's got experience in the industry and she'll be able to Help me with all of the cyber security questions that everyone has been sending So you can go to the modestyproject.com or you can tweet directly at her Let her know if you've uncovered any other scams or have any other questions And uh, we hope to speak to you soon. Thank you