People like free stuff. Let's learn how to get free stuff with Twitter and Python. Let's
give, uh, let's give our next speaker a big hand. So have you guys ever had an idea, uh, that
you tried and it worked like a hundred times better than you possibly could have hoped? This
is one of those ideas. Um, if I had to summarize this talk in one slide it would be this.
Uh, this is from the movie Real Genius if you've never seen it. Val Kilmer, so good. Uh, so
my name is Hunter. I'm a computer engineer and I work for a startup in Silicon Valley that
you've never heard of. Um, so this started when I was on Twitter and saw that there was a bunch
of contests and all you have to do to enter them is retweet them. I was like, well, I can write
a script to do that. So I'm sure you guys have all seen this comic. It's the xkcd where he
writes a script to buy something on eBay every day for one dollar with free shipping. The idea is
that like you get all these packages showing up at your house and you don't know what's in them
and that's super fun. And it kind of backfires on him because at the end he gets put on an FBI
watch list because it buys all this really suspicious stuff. So this is kind of what I was
going for. Um, and it basically worked because it was actually a little better because I didn't
have to pay any money. Um, and as far as I know I didn't end up on any watch list because of
this particular project but I'm, you know, you can never be sure. Um, so I'm going to talk a little
bit about this. Um, so here's the Twitter account that I set up. Um, you'll see that I really
didn't try to be stealthy at all. Um, this is a default picture from Windows because I was too
lazy to Google for anything else. And, um, it turns out you don't have to be stealthy and this
seems to work anyway which is kind of interesting. So how hard could it possibly be? Um, you
look for contests and then you retweet them. Uh, and then you're done. So I started with the
terms you might expect, variants of retweet to win. And I was using the Twitter API, just Tweepy
in Python. Um, unfortunately the Twitter API has a bunch of rate limits in it. So this is kind of
lame because it means you have to add a bunch of delays, which means you can't enter as many as
you otherwise would be able to. So the first thing I did to get around this was, um, rather
than use the API to search I just scraped the Twitter search results page. And this works
because you don't have to be signed in to use the search page. All you got to do is, um, make
your request of whatever search term you want as fast as you want. And then, uh, you
use the beautiful soup to go through and pull out all of the tweets that looked like contests.
And then I stored their unique tweet ID so I didn't have to check later to see if I had already
retweeted that because there's a lot of, uh, overlap between search results. Uh, as you start
doing this you'll notice that there's a lot of contests that require you to be following the
person to win. So this is a pretty easy modification to make. You just, uh, reg X against it
and see if they ask you to follow. And if they do, then you follow them. The problem comes when,
uh, you start following about person number two thousand because two thousand is the number
Twitter has a limit that if you don't have any followers or you have an under a threshold number
that, uh, you have to, you can't follow more than two thousand people. So, okay, I need more
followers. So what's the easiest way to get more followers? Buy them. Um, this is, this is
Fiverr, um, and this here is actually a bad deal. Five hundred followers for five dollars. Um, I
paid five dollars and I got about four thousand followers. Um, also I can guarantee you that they
are not real Twitter followers. Um, this, like, so this works okay. Um, I mean,
they, four thousand people did actually show up, which is nice. Unfortunately, uh, it's pretty easy
to tell that they're not real people. Some of them still had, like, the egg as their, uh, profile
picture. And if you went into any of their profiles, it was clear they're not real people. And
I'm sure if you did any kind of network analysis, you would find that they were all highly
connected to each other. Um, so at this point, this is, uh, the output of the script. Basically,
I'm just, I've extended the number of search terms now, so I have quite a few. And by the end of
this, um, I'm fairly confident that I was covering almost every single contest that was launched on
Twitter. Um, so this was a pretty long list of search terms. You know, you just kind of guess and
check to see what people use when they're trying to launch a contest. So, uh, you go through the
search results, looping through each time and see, okay, is this a good contest? If it does, have
we already entered it? If not, then enter it. Uh, do we need to follow them? Are we already
following them? If we're not, then follow them. So to get around the follower problem, um, I just
built a FIFO, which is a pretty obvious solution. Um, it's two thousand people long, and so
whenever we need to follow someone new, we kick out the very last
person and pop on the new first person. And, um, this had a couple, well, I got lucky in a couple
ways here. First of all, um, it turns out that the length of a contest is shorter than how long it
takes one name to propagate all the way down to the bottom of the list. Which means I basically
was never unfollowing someone too early. Their contest had already ended. The other way I got
lucky was the total number of contests that were launched on Twitter was low enough that I was
able to enter every single one of them without hitting up, uh, any rate limits once I implemented
a few of these, uh, tricks here.
And there was a side effect here, which is that, I guess it's some people, when you follow them,
they automatically follow you back. There's a lot of bot activity on Twitter and scripts and
services and things. I didn't realize how much there was until I started interacting with, like,
thousands of these things. But, um, the way it works is, like, you'll follow them and they'll
say, oh, great, thanks, and they'll automatically follow you back, but then when you unfollow them
later, they don't unfollow you back. So my follower count started increasing with, like,
increasingly legitimate looking accounts, companies and people and stuff that were running these
things. Um, so I kind of got a bonus.
I got a bonus there that I was, the total number of people that I, uh, I was able to follow kept
going up as I did this. So then I tried to figure out, uh, how I could parallelize this and run
multiple accounts at the same time. Um, I should say that the majority of the time that I was
running this, I was actually only using a single account. But, um, if you want to make multiple,
this is what I tried to do. So to use the Twitter API, you need a developer account, which means you
need a phone number. And so I need to get another phone number. Okay, I can use Google Voice.
Well, to activate Google Voice, you need a phone number. Okay, so I can use Twilio to make a phone
number. To activate Google Voice, I need a phone number. And so I need to get another phone number.
And so I need to get another phone number. And so I need to get another phone number. Um, and
I'm using Twilio to activate Twitter. You can't use Twilio to activate Twitter, because Twitter
somehow knows you're using a Twilio number. And now I think even Google Voice knows if you're
using a Twilio number. I don't know how that works. So if you know how they're able to tell
that, let me know, because I'm really curious how that works. Uh, over the course of doing this,
of course, I had a lot of interesting interactions with the great Twitter public. Um, this was
one, uh, that I got busted on because this was when I was running two bots and, um, I had
different Twitter user names. Um, and I got busted on, because this was when I was running two
names but I forgot to change the display name. So, person was running an account, uh, running
a contest and they were picking multiple winners and I won multiple of the wins. Um, so, uh,
yeah, I got busted here and ditched this one. Um, another really great thing that I liked
about this was some of the false positives I got. Some things look like contests but they're
not. Um, so this guy says, uh, retweet for a chance to win these Tupperware lids that have
been warped in the dishwasher. Must be following. So, dutifully, my script followed them and
retweeted them and, uh, it actually won. The guy DM'd me and was like, hey man, you won those
warped Tupperware lids. I was like, yes. It was really disappointing though cause he never
actually mailed them to me. I was really hoping he would mail them to me but he never did. Um,
you get a lot of weird interaction between other bots when you do this kind of stuff.
So, this is an example where someone is running some kind of service that at the end of the
week on Friday they tweet out the top five people who retweeted you. So, when you don't
have that many people who retweet you but you do have a bot following you that's retweeting
everything that you tweet about your contest and your script is not checking to see if
those people are the same, then you get all five slots. So, my best retweets came from
me and me and me and me and me. Uh, you also get asked for really weird stuff. Uh, I'm
not sure if this was a script or if it was like a person copying and pasting. Um, but it was
some like teenage girl who was trying to get people to retweet to get the attention of some
like pop star she wanted to ask on a date or something. Um, so the fact that I was sent
this makes me think that, I don't know, maybe she, I like to think that it's some like 14-year-old
girl slinging code somewhere like trying to get a date with this guy but I don't know. Um, the
middle one, like super weird. I don't understand what this is. Um, can you tell me what this is? Um,
can you make it to my party? April 27th, 7pm. Where? Snowforts, Sleet. Like, I don't know if
this is, these seem like there may be some kind of spam or social engineering. I don't know what
these are but, uh, they're almost certainly all not real people. Um, another in the bottom one
there is someone who is promoting my account. I have no clue why anyone would be motivated to do
that. Uh, this is a DM I got that I thought initially, oh, someone sent me like some rot 13 or
something but, uh, no.
This is just how the kids are talking now, so, um. And this was a really good one. This is, uh,
someone whose contest, the prize was an autograph by me. What? So I don't understand, first of all,
how they expected to pull this off. I have no clue who this person is. And I don't understand
why anyone would be motivated to win an autograph by what is very clearly a, like, account that is
only sending out contests. Um, so I couldn't figure out what the motivation behind this one is
either.
But it was surprising to run across. Sometimes my bot was accidentally a jerk. Um, like in this
case, this is because of the FIFO. This person doesn't have a lot of followers and they ran a
contest. So I entered because I found it. And then I didn't win. So they got pushed off the
bottom. Later they ran another one. So I followed them again. And, like, if you're a big company,
you don't notice this kind of stuff. But if you're just, like, a person, they're like, oh,
man. I can't believe this person is only in it for the contest. So, sorry, man. I don't know who
you are, but.
This is another one of my favorites. Um, it looks exactly like a contest, except for you win
absolutely nothing. Um, so, yeah, I entered that one, too.
Only entry. Uh, here's one more false positive. I couldn't figure out why my bot entered this.
It's a list of people's, like, favorite cereals. Like, what? And I figured out, I think it's
because of this word lucky here. Even though I wasn't actually looking for just the word lucky, um,
for some reason it picked it up. The reason I was showing you these false positives is
because I was not trying to, like, hone in on any particular contest or any particular prize or
anything. Because I was able to enter anything I could find, like, why not? You know, make your
filter wide open. Um, you can't lose a contest that doesn't exist. But you can lose a contest
that you don't find. So, here is, uh, a list of stuff that actually got shipped to my house. I
should point out that this is the stuff that managed to ship, which means it's not the huge list of
stuff that wasn't physical. And it's not the list of stuff that works where I've typically looked.
that they wouldn't ship because I lived in the United States
and I'd won the prize in some other country.
So some items to point out here.
The top thing there is an album.
It's a vinyl Papa Roach.
Pretty great.
A bunch of books and CDs, most of which were signed, which was cool.
T-shirts, a lot of stuff you would kind of get at a career fair,
you know, glasses and pens and stuff like that.
Twelve bottles of cherry juice.
A calendar of 365 cats.
And my favorite physical thing that I got was that cowboy hat over there
because that is a cowboy hat that is signed by the stars of a Mexican soap opera
that I have never heard of before.
The reason I love it is because it's like the perfect example
of the totally random stuff that showed up at my door
that I would never have expected to get.
Some people don't like it.
Some people like when I wrote about this were saying,
hey, you know, that's kind of lame because maybe there was someone who like was a huge fan
of that Mexican soap opera and like they didn't get that thing and you did and it's wasted on you.
And like I understand where they're coming from.
To some extent they're right.
But I would say that I have exactly the same amount of appreciation, if not more,
for that thing than they do, but for a totally different reason.
So I think that's okay.
There's a lot of weird intangible stuff I got too.
There was some restaurant in England that I won reservation suit like 30 times in a row.
Couldn't figure out why I didn't get it.
Why they weren't getting on to me.
I also won a, there was some like cam girl who had a contest to win.
She would write whatever you wanted on her body in chocolate sauce
and take a picture of it and send it to you.
So I won.
And so I'm trying to think, all right, what can I have her write?
So I tried to get her to write the Maxwell's equations, but she didn't do it.
It's kind of lame.
If you want to see the full list of stuff, this is it.
There's a ton of stuff on here that I didn't cover because it's way too long.
But it's fun to dig through there.
There's some really random stuff.
So towards the end, I tried to repurpose my bot for good because I noticed that there
were some tweets where you would retweet to donate to stuff.
People would say, retweet and I'll donate a dollar to some charity.
I was like, well, I can add that to the end of the list.
Why not?
So some people like actually appreciate it and they were like, hey, this is great because
I had real followers at this point who were seeing it.
But even this backfired at the end, unfortunately.
Okay.
All right.
So the stats at the end here.
I entered about 165,000 contests and on average I won four contests per day every day for
nine months straight.
So this works.
.
.
.
With some of thekry ads down here which
The most valuable thing that I won was a $4,000 trip to fashion week in New York City.
.
.
.
I did not actually redeem this prize because first of all, they didn't pay for travel
and I didn't live in New York.
Second of all, I wasn't that interested in go ng to fashion week anyway and third of
all, you have to pay taxes on $4,000 prize which I was not psyched about.
If you're not from the U.S., you may be surprised to learn that you have to pay taxes on contest
winnings in the United States.
And speaking of that, yes I paid the taxes on the things that I won.
.
.
never released the code for this in what may have been a futile attempt to try to stem
the flow of Twitter contest spam. But I wrote about it and people made their own version
anyway. So there's a whole bunch on GitHub if you want to look at some. Most of them
are fairly naive. I still get emails sometimes of people being like, hey, man, I tried to
make a version of that Python script and I got banned immediately. It's like, well, yeah.
So if you look through some of these, there are some things in this talk that I don't
think a lot of them implement that you could probably improve if you wanted to.
So if you want to keep me from winning contests, it's really simple. Obviously I was not trying
to do this stealthily and it turns out that that didn't really matter. So if you're trying
to prevent this kind of people from winning, then all you've got to do is check to see
if the person looks very obviously like a spam bot. If you would have gone to my page,
you would have seen that it's tweeting contests every 30 seconds.
It's probably not a person. Weirdly, there were versions of this that I found. I was
looking before I started to see if anyone had tried this before. And I know there was
at least one or two people who were doing an extremely stealthy version of this. And
the only reason I know is because he emailed me and said, like, hey, I tried this too.
And those it's unlikely you would ever be able to actually catch.
But I also saw some examples of what looked like, I don't know, people who were kind of
doing this manually.
You would sit at their computer for, like, four or five hour stretches and just, like,
literally do the exact same thing. Go through the search results and just retweet, retweet.
So I guess it depends how much you want, how insane you want your entrance to be able
to be, to be able to tell the difference between a person who spends four hours versus
a script. You can also try to make it harder to programmatically enter. And you can do
this by adding a second step, like, you know, asking a question or something. This works
okay, but it's not great because
all you have to do, because everything on Twitter is public, is look to see what everyone
else is responding to this question about and then just repeat it. So this may stem,
like, some really naive attempts. And you can also try running it on another platform.
It seems like it's more difficult to make a legitimate-looking fake Facebook account
than it is a fake Twitter account. And it can also be tied to a real identity, which
Twitter account obviously isn't. And finally, you just have to accept the fact that if you're
running a contest, people are going to try to game it. Ever since people have been running
contests, people have been trying to game them, and that's kind of the way it's always going
to be. So that's just part of doing it.
So again, here's the list of stuff if you want to look over it. And if you want to follow
me on Twitter, I guarantee it's 100% human-generated content, then that's my per-user name. Thanks.
Thank you.