00:00:00.000,00:00:06.073 >>How many people like free stuff? [cheering] Let's learn how to get free stuff with 00:00:06.073,00:00:11.078 Twitter and Python let's give uh let's give our next speaker a big hand [applause] >>So have 00:00:16.817,00:00:21.521 you guys ever had an idea uh that you tried and it worked like a hundred times better than 00:00:21.521,00:00:28.028 you possibly could have hoped? This is one of those ideas um if I had to summarize this talk in 00:00:28.028,00:00:33.100 one slide it would be this uh this is from the movie [laughter] Real Genius if you've 00:00:33.100,00:00:38.105 never seen it, Val Kilmer, so good. Uh so my name is Hunter I'm a computer engineer and I 00:00:40.641,00:00:45.045 work for a startup in Silicon Valley that you've never heard of. Um so this started when I 00:00:45.045,00:00:50.517 was on Twitter and saw that there's a bunch of contests and and all you have to do to enter 00:00:50.517,00:00:55.722 them is retweet them I was like well I can write a script to do that. So I'm sure you guys have 00:00:55.722,00:01:01.595 all seen this comic it's the XKCD where he writes a script to buy something on Ebay every day 00:01:01.595,00:01:05.232 for one dollar with free shipping the idea is that like you get all these packages 00:01:05.232,00:01:08.368 showing up at your house and you don't know what's in them and that's super fun and it kind of 00:01:08.368,00:01:12.472 backfires on him because at the end he gets put on an FBI watch list because it buys all this 00:01:12.472,00:01:19.079 really suspicious stuff. So this is kind of what I was going for um and it basically worked 00:01:19.079,00:01:23.717 because it was actually better because I didn't have to pay any money um and as far as I know I 00:01:23.717,00:01:27.454 didn't end up on any watch lists because of this particular project but I'm you know you can 00:01:27.454,00:01:32.459 never be sure. Um so here's the Twitter account that I set up um you'll see that [laughter] I 00:01:35.429,00:01:40.934 really didn't try to be stealthy at all um this is a default picture from WIndows because I 00:01:40.934,00:01:45.405 was too lazy to google for anything else and um it turns out you don't have to be 00:01:45.405,00:01:50.444 stealthy and this seems to work anyway which is kind of interesting so how hard could it 00:01:50.444,00:01:55.449 possibly be? Um you look for contests and then you retweet them uh and then you're done so 00:01:57.751,00:02:01.822 I started with the terms you might expect variance of retweet2win and I was using the 00:02:01.822,00:02:06.960 Twitter API just twypi in Python um unfortunately the Twitter API has a bunch of rate limits in it 00:02:06.960,00:02:10.430 so this is kind of lame because it means you have to add a bunch of delays which means you can't 00:02:10.430,00:02:14.101 enter as many as you otherwise would be able to. So the first thing I did to get around this 00:02:14.101,00:02:19.673 was um rather than use the API to search I just scraped the Twitter search results page and 00:02:19.673,00:02:23.510 this works because you don't have to be signed into use the search page all you gotta do is 00:02:23.510,00:02:28.815 um make your request of whatever search term you want as fast as you want and then um use 00:02:28.815,00:02:33.420 Beautiful Soup to go through and pull out all of the tweets that look like contests and then I 00:02:33.420,00:02:37.958 stored their unique tweet ID so I didn't have to check later to see if I retweeted that 'cause 00:02:37.958,00:02:44.231 there's a lot of uh overlap between search results. Uh as you start doing this you'll 00:02:44.231,00:02:47.601 notice that there's a lot of contests that require you to be following the person to win so 00:02:47.601,00:02:51.772 this is a pretty easy modification to make you just uh rayex against it and see if they 00:02:51.772,00:02:56.109 ask you to follow and if they do then you follow them. The problem comes when uh you start 00:02:56.109,00:03:00.380 following about person number two thousand because Twitter has a limit that if you don't have 00:03:00.380,00:03:05.152 any followers or you have an- under a threshold number that uh you have to- you can't follow 00:03:05.152,00:03:09.256 more than two thousand people so okay I need more followers so what's the easiest way to get 00:03:09.256,00:03:14.261 more followers? Buy them. Um this is [laughter] this is Fiverr um and this here is 00:03:16.663,00:03:21.001 actually a bad deal, five hundred followers for five dollars um I paid five dollars 00:03:21.001,00:03:24.738 and I got about four thousand followers um also I can guarantee you that they are not 00:03:24.738,00:03:29.676 real Twitter followers um this like- so this works okay um I mean they- four thousand people 00:03:29.676,00:03:33.480 did actually show up which is nice, unfortunately uh it's pretty easy to tell that they 00:03:33.480,00:03:39.186 aren't real people, some of them still had like the egg as their profile picture and if you went 00:03:39.186,00:03:42.189 into any of their profiles it was clear they aren't real people and I'm sure if you did 00:03:42.189,00:03:45.325 any kind of network analysis you would find that they were all highly connected to each other. 00:03:45.325,00:03:51.098 Um so at this point, this is uh the output of the script, basically I'm just- I've 00:03:51.098,00:03:54.835 extended the number of search terms now so I have quite a few and by the end of this um I'm 00:03:54.835,00:03:58.438 fairly confident that I was covering almost every single contest that was launched on 00:03:58.438,00:04:02.976 Twitter um so this was a pretty long list of search terms you know you just kind of guess and 00:04:02.976,00:04:06.780 check to see what people use when they're trying to launch a contest so uh you go through the 00:04:06.780,00:04:10.984 search results e- looping through each time and see okay does this look like a contest? 00:04:10.984,00:04:14.654 If it does have we already entered it? If not, then enter it? Uh do we need to follow 00:04:14.654,00:04:18.458 them? Ha- are we already following them, if we're not then follow them. So to get 00:04:18.458,00:04:24.831 around the follower problem um I just built a FIFO which is a pretty obvious solution um it's 00:04:24.831,00:04:28.034 two thousand people long and so whenever we need to follow someone new we kick out the very 00:04:28.034,00:04:34.441 last person and pop on the new first person and um this had a couple I- well I got lucky in a 00:04:34.441,00:04:40.080 couple ways here, first of all um it turns out that the length of a contest is shorter than how 00:04:40.080,00:04:43.884 long it takes one name to propagate all the way to the bottom of the list which means I 00:04:43.884,00:04:47.721 basically was never unfollowing someone too early, their contest had already ended, the other way 00:04:47.721,00:04:51.858 I got lucky was the total number of contests that were launched on Twitter was low enough that I 00:04:51.858,00:04:55.829 was able to enter every single one of them without hitting a- uh any rate limits once I 00:04:55.829,00:05:00.901 implemented a few of these uh tricks here and there was a side effect here which is that I 00:05:00.901,00:05:05.305 guess it's some people when you follow them they automatically follow you back there's a lot of 00:05:05.305,00:05:08.542 bot activity on Twitter and scripts and services and things. I didn't realize how much there 00:05:08.542,00:05:12.946 was until I started interacting with like thousands of these things. But um the way it works 00:05:12.946,00:05:15.649 is like you'll follow them and they'll say oh great thanks and they'll automatically follow you 00:05:15.649,00:05:19.886 back, but then when you unfollow them later, they don't unfollow you back. So my follower count 00:05:19.886,00:05:24.391 started increasing with like increasingly legitimate looking accounts, companies, and people 00:05:24.391,00:05:29.496 and stuff that were running these things um so I kinda got a bonus there that I was- the 00:05:29.496,00:05:34.201 total number of people that I- uh I was able to follow kept going up as I did this. So then 00:05:34.201,00:05:37.504 I tried to figure out uh how I could parallelize this and run multiple accounts at the same 00:05:37.504,00:05:41.508 time um I should say that the majority of the time that I was running this I was actually only 00:05:41.508,00:05:47.714 using a single account but um if you want to make multiple this is what I tried to do so to use 00:05:47.714,00:05:51.384 the Twitter API you need a developer account which means you need a phone number and so I 00:05:51.384,00:05:54.654 need to get another phone number okay I can use Google voice well to activate Google Voice you 00:05:54.654,00:05:58.191 need a phone number okay so I can use Tulio to make a phone number to activate Google Voice 00:05:58.191,00:06:02.128 account to activate Twitter, you can't use Tulio to activate Twitter because Twitter somehow 00:06:02.128,00:06:05.632 knows you're using a Tulio number and now i think even google voice knows if you're 00:06:05.632,00:06:08.835 using a Tulio number, I don't know how that works so if you know how they're able to tell 00:06:08.835,00:06:13.506 that, let me know, 'cause it really curious how that works. Uh over the course of doing this 00:06:13.506,00:06:20.480 of course I had a lot of interesting interactions with the great Twitter public um 00:06:20.480,00:06:25.719 [laughter]. This was one uh that I got busted on because this was when I was running two bots and 00:06:25.719,00:06:31.057 um I had different Twitter usernames but I forgot to change the display name so person was 00:06:31.057,00:06:34.828 running an account- uh running a contest and they were picking multiple winners and I won 00:06:34.828,00:06:39.833 multiple of the wins [laughter] um so uh yeah I I got busted here and ditched this one um 00:06:43.937,00:06:47.941 another really great thing that I liked about this was some of the false positives I got some 00:06:47.941,00:06:53.146 things look like contests but they're not. Um so this guy says uh retweet for a chance to win 00:06:53.146,00:06:58.151 these Tupperware lids that have been warped in the dishwasher [laughter] must be following 00:07:01.655,00:07:07.427 [laugh] so dutifully my script followed them and retweeted them and uh it actually won the guy 00:07:07.427,00:07:12.432 DM'd me was like hey man you won those warped tupperware lids I was like yes! [laughter] It was 00:07:14.968,00:07:17.837 really disappointing though because he never actually mailed them to me, I was really hoping 00:07:17.837,00:07:23.643 he would mail them to me but he never did. Um you get a lot of weird interaction between other 00:07:23.643,00:07:27.447 bots when you do this kinda stuff so this is an example where someone is running some 00:07:27.447,00:07:31.818 kind of service that at the end of the week on Friday they tweet out the top five people who 00:07:31.818,00:07:35.789 retweeted you. So when you don't have that many people that retweet you but you do have a 00:07:35.789,00:07:40.560 bot following you that's retweeting everything you tweet about your contest and your 00:07:40.560,00:07:44.631 script is not checking to see if those people are the same, then you get all five slots, so. 00:07:44.631,00:07:46.633 [laughter] my best retweets came from me and me and me and me and me [laughter]. Uh you also get 00:07:46.633,00:07:51.638 asked for really weird stuff um so the top one was someone- I don't know if this was an- a 00:07:58.378,00:08:03.550 script or if it was like a person copy and pasting but it was some like teenage girl who 00:08:03.550,00:08:08.021 was trying to get people to retweet to get the attention of some like pop star she wanted to 00:08:08.021,00:08:13.226 ask on a date or something um so the fact that I was sent this makes me think that I don't know 00:08:13.226,00:08:16.663 maybe she- I'd like to think that it's some like fourteen year old girl slinging code 00:08:16.663,00:08:21.701 somewhere like trying to get a date with this guy but I don't know um the middle one like 00:08:21.701,00:08:28.041 super weird I don't understand what this is um can you make it to my party? April 27th seven pm 00:08:28.041,00:08:33.880 wear snow forts comma sleet like I don't know if this is- they seem like there may be some kind 00:08:33.880,00:08:38.885 of spam or a social engineering- I don't know what these are but uh they're almost certainly all 00:08:38.885,00:08:44.057 not real people um another in the bottom one there is someone who is promoting my account, I 00:08:44.057,00:08:50.764 have no clue why anyone would be motivated to do that [laughter]. Uh this is a DM I got that I 00:08:50.764,00:08:56.102 thought initially it was someone sent me like some ROT13 or something [laughter] but uh no 00:08:56.102,00:09:01.041 this is just how the kids are talking now so um and this was a really good one this is uh 00:09:03.810,00:09:08.815 someone who's contest the prize wasn't autographed by me [laughter] what? So I don't 00:09:11.484,00:09:14.821 understand first of all how they expected to pull this off, I have no clue who this person is, 00:09:14.821,00:09:18.224 and I don't understand why anyone would be motivated to win an autograph by what is very 00:09:18.224,00:09:23.496 clearly a like account that is only sending out contests um so I couldn't figure out what the 00:09:23.496,00:09:28.868 motivation behind this one is either but it was surprising to run across. Sometimes my bot was 00:09:28.868,00:09:33.373 accidentally a jerk um like in this case this is because of the FIFO this person doesn't have a 00:09:33.373,00:09:38.778 lot of followers and they ran a contest so I entered 'cause I found it and then I didn't win 00:09:38.778,00:09:42.882 so they got pushed off the bottom later they ran another one so I followed them again and 00:09:42.882,00:09:45.618 like if you're a big company you don't notice this kind of stuff but if you're just like a person 00:09:45.618,00:09:50.490 they're like oh man can't believe this person is only in it for the contests [laughter] 00:09:50.490,00:09:55.495 so sorry man I don't know who you are but. This is another one of my favorites um it looks 00:09:58.098,00:10:03.103 exactly like a contest except for you win absolutely nothing um so I entered that one too 00:10:06.206,00:10:11.211 [laughter] only entry. Uh here's one more false positive I couldn't figure out why my bot 00:10:16.049,00:10:20.186 entered this, it's a list of people's like favorite cereals what? And I figured out I think 00:10:20.186,00:10:22.789 it's because of this word lucky here, even though I wasn't actually looking for just the 00:10:22.789,00:10:27.060 word lucky um for some reason it picked it up the reason I was showing you these false 00:10:27.060,00:10:31.498 positives is because I was not trying to like hone in on any particular contest or any 00:10:31.498,00:10:34.968 particular prize or anything because I was able to enter everything that I could find 00:10:34.968,00:10:40.740 like why not you know make your filter wide open um you can't lose a contest that doesn't 00:10:40.740,00:10:46.045 exist but you can lose a contest that you don't find so here is a list of stuff that actually got 00:10:46.045,00:10:51.050 shipped to my house and I should point out that this is the stuff that managed to ship which means 00:10:51.050,00:10:55.255 it's not the huge list of stuff that wasn't physical and it's not the list of stuff that uh 00:10:55.255,00:10:59.959 they wouldn't ship because I lived in the United States and I had won the prize in some other 00:10:59.959,00:11:06.599 country um so some of the uh some items to point out here the top thing there is a uh an 00:11:06.599,00:11:12.405 album, it's a vinyl, Papa Roach um pretty great, bunch of books and CDs most of which were 00:11:12.405,00:11:16.910 signed which is cool uh t-shirts, a lot a like stuff you would kinda get at like a career 00:11:16.910,00:11:22.949 fair you know glasses and pens and stuff like that uh twelve bottles of Cherry juice 00:11:22.949,00:11:29.055 [laughter] a uh calendar of 365 cats [laughter] and my favorite physical thing that I got was 00:11:29.055,00:11:33.326 that cowboy hat over there, because that is a cowboy hat that is signed by the stars of a 00:11:33.326,00:11:35.628 Mexican soap opera that I have never heard of before [laughter][applause] The reason 00:11:43.970,00:11:49.375 I love it is because it's like the perfect example of the totally random stuff that showed 00:11:49.375,00:11:54.113 up at my door that I would never have expected to get. Some people like when I uh wrote 00:11:54.113,00:11:57.650 about this were saying hey you know that's kind of lame because maybe there was someone who like 00:11:57.650,00:12:01.854 was a huge fan of that Mexican soap opera and like they didn't get that thing and you did and 00:12:01.854,00:12:05.525 that's wasted on you and like I understand where they're coming from to some extent they're 00:12:05.525,00:12:08.761 right but I would say that I have exactly the same amount of appreciation if not more for 00:12:08.761,00:12:13.199 that thing than they do but for a totally different reason [laughter] so I think that's 00:12:13.199,00:12:18.171 okay. There's a lot of weird uh intangible stuff I got too, Um there was some restaurant in 00:12:18.171,00:12:22.342 England that I won reservations to like thirty times in a row couldn't figure out why they 00:12:22.342,00:12:28.281 weren't getting on to me um I also won a uh there was some like cam girl who had a contest 00:12:28.281,00:12:31.384 to win- she would write whatever you wanted on her body in chocolate sauce and take a 00:12:31.384,00:12:34.420 picture of it and send it to you. So I won and so I'm trying to think alright what can I have 00:12:34.420,00:12:39.959 her write so I try to get her to write the Maxwell's equations but [laughter] she didn't do it 00:12:39.959,00:12:45.632 it's kinda lame. Uh if you wanna see the full list of stuff, this is it, um there's a ton of stuff 00:12:45.632,00:12:49.168 on here that I didn't cover because it's way too long but it's fun to dig through there 00:12:49.168,00:12:55.942 there's uh some really random stuff. Uh so towards the end I uh tried to repurpose my bot for 00:12:55.942,00:13:01.881 good 'cause I noticed that there were some tweets uh where you would retweet to uh donate to 00:13:01.881,00:13:05.118 stuff people would say retweet and I'll donate a dollar to some charity I was like well I can 00:13:05.118,00:13:10.123 add that to the end of the list, why not? So some people like actually appreciated it and they 00:13:10.123,00:13:12.125 were like hey this is great because I had real followers at this point who were seeing it 00:13:12.125,00:13:17.130 but uh even this backfired at the end unfortunately [laughter]. Yep, retweeted that 00:13:25.338,00:13:32.278 one. [laughter] alright so the the stats at the end here uh I entered about a hundred and 00:13:32.278,00:13:38.017 sixty five thousand contests and uh on average I won four contests per day every day for 00:13:38.017,00:13:43.022 nine months straight [laughter] um so this works [applause]. Uh the most uh valuable thing that 00:13:52.231,00:13:57.070 I won was a four thousand dollar trip to fashion week in New York City uh I did not actually 00:13:57.070,00:14:00.573 redeem this prize because first of all they didn't pay for travel and I didn't live in New 00:14:00.573,00:14:03.876 York, second of all I wasn't that interested in going to fashion week anyway, and third 00:14:03.876,00:14:07.747 of all you have to pay taxes on four thousand dollar prize which I was not psyched about um if 00:14:07.747,00:14:11.417 you're not from the US you may be surprised to learn that you have to pay taxes on contest 00:14:11.417,00:14:16.122 winnings in the United States uh and speaking of that, yes I paid the taxes on the things that I 00:14:16.122,00:14:22.428 won. Uh I never released the code for this in what may have been a futile attempt to try to 00:14:22.428,00:14:28.801 stem the flow of Twitter contest spam um but I wrote about it and people made their own version 00:14:28.801,00:14:33.005 anyway so there's a whole bunch on Github if you wanna look at some um most of them are fairly 00:14:33.005,00:14:36.476 naive I still get emails sometimes of people being like hey man I tried to make a 00:14:36.476,00:14:42.415 version of that Python script and I got banned immediately. It's like yeah well so 00:14:42.415,00:14:45.918 [laughter] if you- if you look through some of these there there are some things that uh in 00:14:45.918,00:14:48.988 this talk that I don't think a lot of them implement that you can probably improve if you 00:14:48.988,00:14:53.993 wanted to. Um so if you want to keep me from winning a contest it's really simple um obviously 00:14:58.564,00:15:03.703 I was not trying to do this stealthily and it turns out that that didn't really matter so if 00:15:03.703,00:15:08.808 you're trying to prevent this kind of people from winning then all you gotta do is check to see 00:15:08.808,00:15:13.479 if the person looks very obviously like a spam bot if you would've gone to my page you 00:15:13.479,00:15:17.483 would've seen that it's tweeting contests every thirty seconds without sleeping ever it's 00:15:17.483,00:15:21.821 probably not a person um weirdly there were versions of this that I found I was looking before I 00:15:21.821,00:15:25.992 started to see if anyone had tried this before and um I know there was at least one or two 00:15:25.992,00:15:29.829 people who were doing an extremely stealthy version of this um and 'cause the only 00:15:29.829,00:15:36.402 reason I know is because he emailed me and said like hey I tried this too um and those it's 00:15:36.402,00:15:42.108 unlikely uh you would ever be able to actually catch but um I also saw some examples of what 00:15:42.108,00:15:46.579 looked like I don't know people who were kind of doing this manually they would sit at their 00:15:46.579,00:15:50.516 computer for like four or five hour stretches and just like literally do the exact same 00:15:50.516,00:15:56.122 thing and go through the search results and just retweet retweet retweet um so I guess it depends 00:15:56.122,00:16:01.460 how much you want uh how insane you want your entrance to be able to be to to be able to tell 00:16:01.460,00:16:05.364 the difference between a person who spends four hours versus a script um you could also try to 00:16:05.364,00:16:11.571 make it harder uh to programmatically enter and you can do this by adding a second 00:16:11.571,00:16:15.842 step like you know asking a question or something this works okay but it's not great because 00:16:15.842,00:16:20.680 um all you have to do because everything on Twitter is public is look to see what everyone 00:16:20.680,00:16:24.817 else is responding to this question about and then just repeat it um so this may stem 00:16:24.817,00:16:30.356 like some really innate attempts and you could also try running it on another platform um it 00:16:30.356,00:16:34.994 seems like it's more difficult to make a legitimate looking fake facebook account than it is 00:16:34.994,00:16:40.366 a fake Twitter account um and it can also be tied to a real identity which a Twitter account 00:16:40.366,00:16:46.038 obviously isn't um and finally you just have to accept the fact that if you're running a contest 00:16:46.038,00:16:49.308 people are going to try to game it ever since people have been running contests people have 00:16:49.308,00:16:54.113 been trying to game them and that's kinda the way it's always gonna be so that's just part of 00:16:54.113,00:17:00.786 doing it um so again here's the list of stuff uh if you want to look over it um and if you want 00:17:00.786,00:17:04.423 to follow me on Twitter I guarantee it's one hundred percent human generated content 00:17:04.423,00:17:09.428 um then that's my Twitter username, thanks! [applause]