Today we're going to be talking about hype bots. If you're acquainted, you already know what this is, but if you don't, you might see these online as sneaker bots, Supreme bots, Adidas bots, Yeezy bots. They're everywhere and they're a big deal, and they're a big reason why I look so good today. So we're going to talk about hype bots.

So who am I? This is a good question. My name is FinalPhoenix. I live in Shanghai, China. I'm basically the Jane Goodall of bots: I came to live among them and learn about them, because China, as we all know as security professionals, is where bots live.

So I started in 2012, and I wanted to buy a dress. This all started with a dress. It wasn't easy or anything like that. It was one dress, and it was something I could never buy, because it was me and like a hundred other Chinese girls, and we were all fighting in one minute to get this Japanese dress, and I said there's got to be a better way. So I decided, because I was working in a marketing agency at the time, where I had to write unit tests and I had to optimize all my code, that there had to be some way I could get this dress faster than everyone else. And since I was writing code for bots to crawl, what if I became a bot? So I got that dress, and then I became a little mad with power, and I got sneakers and streetwear and everything else. And now I use it for Korean pop concerts and things shaped like teddy bears.

And why did I start this? Because competition sucks. You want to look good. You want to be adored by all on Instagram, and you're fighting and you're fighting and you're fighting, and you can't get anything. And I said I will become the Google. I will become a bot.

Why bots? Why now? We built the internet for bots. To be fair, I think we have been writing bots a lot longer than we remember. When I was very young I would write fortune bots on IRC, because I thought the UNIX fortune command was the most hilarious thing ever at 12 years old.
And so I liked to spam all the channels on my IRC server with fortune commands. And of course that evolved into the ubiquitous now-playing bots that everyone hated me for, because no one wants to know that you're listening to the Dance Dance Revolution soundtrack for the 30th time. And then these IRC bots moved to HTTP with the release of AOL's WebCrawler. This was in 1994, so that was a very long time ago. And at the time WebCrawler was released, the internet was not written for robots. WebCrawler only did one thing: it scraped other web directories to make sure that AOL had the most listings. Our bots on IRC grew up into bigger bots and then botnets. And then in 2007 we saw botnets move to the World Wide Web. And now, in 2019, 50% of the traffic on our internet is automated, and 25% of that traffic is the bots we're talking about today. They don't just purchase shoes, of course. They don't just purchase Supreme Super Soakers, which I lost. They purchase stocks and everything else. This is a large attack landscape.

So this isn't about our IRC fortune bots. This is about WebCrawler and how we turned it into a monster. WebCrawler at the time was a good little bot. And then Google said, I have an idea. Instead of writing websites like directories and just crawling those other directories, you write your website for robots. You tag your HTML, you add metadata, no double div IDs, all sorts of things that we do now as web developers to make sure that Google can crawl our site as fast as humanly possible. And of course, as our websites grew up from GeoCities into large-scale web applications, we needed them to be reliable. Not only because we didn't know when Googlebot was going to do a health check, but because we wanted reliable, predictable processes to support our ecosystems. So we got into APIs. And then finally, we needed a reliable, stable, SEO-to-the-max website that allows you to purchase and spend money as easily and fast as humanly possible.
As one-click as possible, as Amazon would say. This is the internet of today. It's not written for us. It's written for robots.

So a lot of you know what test-driven development is. And as full disclosure, I hate writing tests, therefore I hate test-driven development. But if you're writing tests right now, you're writing bots before you even have a product to bot. You're writing a bot-able website, and you're writing the blueprints for this bot-able website. And you're one evil-genius moment away from getting a closet full of sneakers and Supreme like your speaker.

So why do we write tests? A lot of people have like super-ethical Medium blog posts about them. You know, I want to get 100% pass or 100% coverage, or I want to make sure my junior devs know what they're writing and not breaking. So these are all ethical reasons. But of course, we all know one thing: capitalism encourages bad behavior. When you add money into the mix, if I told you you could make your monthly paycheck writing a unit test, would you do it? Of course you would. It would be a lot easier to make your monthly paycheck on a Saturday listing some Supreme on Instagram than it is to solve complex problems. And this is where purchasing bots really shine, because now we have an ecosystem of people encouraged by capitalism to act badly.

So I'm going to put this in an us-versus-them dichotomy, because no one in this room or on this stage is a malicious corporate money-making reselling machine that just turns out, you know, tons and tons of Supreme. We are just victims of the free market. We just want likes and adoration and clout, the most important thing, and to brag to our friends that we have the latest and greatest from any one of these companies, Balenciaga, et cetera. Why do we bot? Because resellers bot. We are competing against people who are trying to make a profit, and we are just trying to wear nice clothes. So the only way that we can do this is to optimize our checkout process.
Buy as fast as humanly possible. Well, that's not working anymore. Now we need to buy as fast as programmatically possible. So now we have computers using computers.

This, of course, is not why they bot. Now, I have friends that are resellers, and as much as I want to think of them as these fashionable demons living in penthouses in San Francisco with hot tubs full of Cristal and the latest kicks, I can't really hate them that much. So I still love you, resellers, even if you make my life a little bit difficult. These people buy up all the inventory of any given product, and then they control the price of that product. When a hypebeast like me loses a drop or a purchasing window, which is now only one minute or less on very high-demand items, we will do anything. We will pay any money right after to say that we won, so that we can be like, oh yeah, I got that shirt. I got that Akira jacket from Supreme. So resellers will mark up two, three, even seven times the price right after they have purchased all the inventory, and hypebeasts are willing to pay seven to ten to even a hundred times the retail price for a pair of shoes, for a shirt, for a lighter that says Supreme on it. We encourage this behavior, because we will pay anything to win. And so they know that they have a market, a captive market of people looking for clout. So they scale this up to thousands, millions, so that they can make money off of us. And they make my salary in a month, not just my paycheck.

So everyone's probably here not to hear about the ethics of botting, but about how bots work. Bots are simple answers to complex systems. Now, bots that you buy online will be like, we have some secret sauce, you know, we had like the most brilliant MIT-graduate coder bot, but really they all have the same core principles. There are two types of bots in the wild. There's the low-level bot. These are the most stable bots.
All they do is go behind the UX layer and use the APIs that are built to support our site, and go from call to call to call. This is much faster than using the website as a human being, and it's much faster than using a browser-based bot. But it also takes a lot of time. You have to reverse engineer all the calls, all the headers, all the form data, anything else. But it's also easily scalable and very cheap. So you will see these bots on scales of thousands to millions of calls per minute.

On the other end, there's browser-based bots. We'll take a look at how to code these today, because they're very easy to get started with and give you kind of the feeling of how you should be coding these bots. It's just a Puppeteer test. And it mimics the user by loading the browser and walking through a checkout flow. This is very easy to do, and if you've ever written a Puppeteer test, you know how easy it is. It's harder to catch, because in Puppeteer you can mimic a human being by mouse clicks or typing slower or adding waits or scrolling around, which you cannot do with a low-level bot. A low-level bot is programmatic no matter how you hide it with waits or with different user agents. And even though browser-based bots are easier to write, they're more expensive to scale due to the computing power that's required to run Chromium or Firefox or what have you.

No bot on the internet today is one or the other. Most bots, and I will show you, are both of them combined, because companies are not interested in making everything easy for us. So we must find new ways to solve the solutions. So, no bot is just one script. They're usually a team of guys. No one 10x bot here. They all work together to get us what we need, and what we need fast. So the first of our crew is the monitor bot. The monitor bot is our scout. He runs constantly, never tires out.
He scans websites all the time looking for the link or the drop time, to make sure that you get off the line at exactly the right time. Because if you're too late, or even too early, you're out of the running.

Next is the account bot. The account bot is something that generates user accounts. And you might say, well, why do I need user accounts to purchase something? Because a lot of sites, for high-heat items or for very desired items, don't let non-users purchase. And you need to access an API ecosystem most of the time, and those are only for authorized users. And of course, you're trying to make a little bit of a profit, so they might have coupons or discounts for logged-in users, which may make your profit margins a little bit higher.

Buy bot is the sexiest of the bots. He's got the secret sauce. He's what everybody wants to see. He's also the most expensive. His only goal is to run through checkout by any means necessary.

So we'll look at all of these guys today except for sell bot. You may remember a few years ago that these bots on Amazon were getting into bidding wars with each other to resell books. And they would bid up one cent more than the other bot, and it got up into like three to thirteen million for some used college textbooks. Which, fair, that's how much I felt college textbooks cost when I was in college. But this is what sell bots do. They list on StockX or GOAT or Grailed automatically and run through the selling process as well. Because the scale of what we're talking about is in the thousands, and you're not going to be able to sell thousands of shirts or thousands of lighters or thousands of K-pop tickets all on your own. So we won't be looking at sell bots today, but they're basically buy bots in reverse.

So here is our first bot. It's a very easy bot to write, and if you've written a test before, you know what this looks like. This is a Puppeteer test that goes to a website and looks for a div and expects it to be truthy.
In fact, my very first bot that I wrote was a bastardized version of a Jest test that went through and even did like expects true, expects false the entire time it was running through the purchase, which wasn't necessary, but made me feel better to see all that black and green scrolling down. And I was like, ugh, I finally have hacked my way into fashion.

Okay, so this doesn't really purchase anything, it just looks for a div. Let's make it work. So if you look at this, this is the actual purchasing bot. We're going to a target site. We're looking for a specific product. And then I used the keyboard to make it look like a user was typing in and going through the website, to make it more credible that a user was coming to buy as a legitimate user instead of a robot. And then we go through the checkout, and you can see at the bottom we have the checkout form being filled out. So I'm going to show you this in action. My goodness, I haven't used Windows in a long time. There was a full-screen button right there.

So here's the test. It's 50 lines of code, you can see there. And all we're doing is we're running to a website and trying to purchase, happy-path mode. I use Bodega store, which is a streetwear store hosted by Shopify. I'm sorry, Bodega store. And you can see it's kind of slow. This is because I'm running it in headful mode, which opens the browser and goes through and shows you what the bot is actually doing. And you can see it's just running through the checkout as fast as it can. When you run it in headless mode, it's obviously quite a bit faster. So you go ahead and auto-fill all of the shipping. A lot of bots like to use PayPal, because PayPal cookies can be stored in the script, and you can just run through PayPal with a cookie for their One Touch. As we said, as one-click as possible. And go ahead and purchase. So you can see it's going to PayPal. And that was all automated. So that is your first bot.
And that was actually my first bot too. Back in 2012, it was like Beautiful Soup at the time and not fancy Puppeteer. But yeah, so it was an easy first bot. I think that everyone here could write that. It took me about 20 minutes. The problem with these bots is they're not very stable, because they depend on the UI. So between submitting my CFP for DEF CON and today, I've had to rewrite this bot twice, because they changed the div for the search and they changed the div for the actual checkout.

Okay. Let's talk about more bots. When do we run this simple bot? Well, there's one rule of botting: always be checking. And not just one site, either. All sites, you know, will have the item that you're looking for in stock. So how do we check? Well, that's the job of our monitor bot. So let's look at the code for a simple monitor. You might be like, oh my goodness, this is just an XML parser, and you're correct. Remember when we talked about Google coming in and saying, hey, all sites, code your web one way for my bot. Well, we're going to piggyback off of that. All sites, for that bot, Googlebot, have to have a sitemap. And that sitemap usually now is automatically generated by the content management system. And generally, when you're looking at these big e-commerce stores, they have the drop ready to go, just not published or visible from the front end. Well, it's still in the sitemap. So all we have to do is look at that sitemap and grab it, and then query the page until it goes live. So this is what we're doing here. We're just going into the sitemap and searching for what we are looking for. We're going to look at a simple monitor. So you can see this one is only 54 lines of code. And that's it. It just looks up the sitemap, and the sitemap is always updated when Shopify updates the store. So now you have the link, the go-live link that's given to Google before it's given to the consumer. I'm sorry, Shopify. So how can we make this monitor bot better?
Well, because we will be querying this XML a lot, we need to run these through a proxy, because we don't want to show people that we're just one guy at one IP running the same request over and over. That's a good way to get blocked. So let's run through a rotating proxy. Then let's make it a little better, and let's also change our user agent each time we query. And we need to make some money, because we're obviously going to be spending a lot of money. So within the hypebeast community and the people who run these bots, there are these groups of people called cook groups. They run in Discord chats, and you have to pay $15 to $30 to be friends with these people. I used to pay money for ops on IRC, and now I have to pay money for fashionable friends. So we need to make this bot post to Discord so that I can be cool and get money. You can also create an API endpoint for these bots and have people subscribe to that, but that's not as pretty.

So let's look at a fancier bot. You can see that this just runs through a public proxy API, grabs the closest public proxy, and then goes ahead and posts to Discord. And if it fails, try it and try it again, because you should always be checking. So you can see this bot is a little bit longer, because we have the user-agent randomizer and also the proxy. So one thing I want to say after seeing this: I used the node package that just grabs a random user agent. Please restrict your user agent to something believable. This one is running Links, which is not very believable and probably will make you stand out like a sore thumb when you're trying to request some sitemaps. So this one went ahead and found the item, which was a sock, and then posted it to Discord, and now people can pay me money to subscribe to my bot. This is very often, or a common behavior, for people who are new to the entire scene: they will subscribe to a monitor bot that's already been configured, so they have to do less work.
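The monitor described above, as an added example that is not the speaker's code and not from the talk: a sitemap poller in plain Node with no npm packages, with the parsing, matching and rotation logic split into pure functions so it runs offline. The sitemap, the proxy list, the user-agent list and the webhook URL are all constructed for illustration, and the "/products/" path convention is Shopify's; `fetchText` and `post` are injected so the actual network calls (and proxy wiring) stay outside the testable part.

```javascript
// Added example, not the speaker's code. Minimal Shopify-style sitemap
// monitor: parse <loc> entries, match product keywords, rotate a believable
// user agent and a proxy per request, announce each new hit once on Discord.

// Believable desktop/mobile user agents (constructed list; pick your own).
const USER_AGENTS = [
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15',
  'Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1',
];

function pickUserAgent(rand = Math.random) {
  return USER_AGENTS[Math.floor(rand() * USER_AGENTS.length)];
}

// Round-robin over a constructed proxy list (host:port strings).
function makeProxyRotator(proxies) {
  let i = 0;
  return () => proxies[i++ % proxies.length];
}

// Every <loc> in a sitemap index or urlset. Sitemaps are flat and
// machine-generated, so a regex is enough; no XML library needed.
function parseSitemapLocs(xml) {
  const locs = [];
  const re = /<loc>\s*([^<\s]+)\s*<\/loc>/g;
  let m;
  while ((m = re.exec(xml)) !== null) locs.push(m[1]);
  return locs;
}

// Keep product URLs whose path contains any keyword (case-insensitive).
// The "/products/" path prefix is Shopify's convention (assumed); adjust per store.
function matchProducts(locs, keywords) {
  const kws = keywords.map((k) => k.toLowerCase());
  return locs.filter((loc) => {
    const path = new URL(loc).pathname.toLowerCase();
    return path.includes('/products/') && kws.some((k) => path.includes(k));
  });
}

// Pure part of one polling pass: hits not seen before. `seen` is a Set
// carried across passes so a link is announced exactly once.
function scanSitemap(xml, keywords, seen) {
  const hits = matchProducts(parseSitemapLocs(xml), keywords).filter((h) => !seen.has(h));
  hits.forEach((h) => seen.add(h));
  return hits;
}

// Per-request variation: fresh user agent and next proxy every time.
function buildRequest(sitemapUrl, nextProxy, rand = Math.random) {
  return { url: sitemapUrl, proxy: nextProxy(), headers: { 'User-Agent': pickUserAgent(rand) } };
}

// Discord webhook body; `content` is the webhook API's plain-text message field.
function discordPayload(loc) {
  return { content: `Drop found: ${loc}` };
}

// "Always be checking." fetchText(req) and post(url, body) are injected, so this
// file has no network code of its own; a failed fetch is simply retried next pass.
async function runMonitor({ sitemapUrl, keywords, proxies, webhookUrl, fetchText, post, intervalMs = 2000, maxPasses = Infinity }) {
  const seen = new Set();
  const nextProxy = makeProxyRotator(proxies);
  for (let pass = 0; pass < maxPasses; pass++) {
    try {
      const xml = await fetchText(buildRequest(sitemapUrl, nextProxy));
      for (const hit of scanSitemap(xml, keywords, seen)) await post(webhookUrl, discordPayload(hit));
    } catch (err) {
      // one dead proxy or a 429 must not stop the scout; try again next tick
    }
    await new Promise((r) => setTimeout(r, intervalMs));
  }
  return seen;
}

// Constructed sitemap standing in for a store's sitemap_products_1.xml.
const SAMPLE_SITEMAP = `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/products/box-logo-socks-red</loc><lastmod>2019-08-01</lastmod></url>
  <url><loc>https://shop.example/products/akira-jacket</loc></url>
  <url><loc>https://shop.example/collections/all</loc></url>
</urlset>`;
```

To run it for real, pass `runMonitor` a `fetchText` that honours `req.proxy` and `req.headers` (any HTTP client with proxy support) and a `post` that JSON-POSTs to the webhook URL; the scan and dedupe logic does not change.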
But we'll talk about that a little bit later. Okay, so now it's time for the pièce de résistance, the most realistic bot we have today, which I call the complicated bot. This bot waits for the monitor bot to return an okay and the link, and then runs through an API-based purchasing flow. So you can see this is a very long bot, because we have basically promise-chain hell, but it works. The other thing to know is that Shopify does have an anti-bot measure. So this is what would be considered a hybrid bot, because each time in the checkout process you must download the DOM and then pull out the secret key that is embedded in the form field and then pass it along for the next request. This slows my bot down by like 0.2 seconds each time. So it's not a very effective way, but this is a very common way for websites to have an anti-bot measure. They say bots are only using APIs; they will never query the DOM, so they will never see this secret key. But when you're reverse engineering, you see that secret key. You're like, where is the security key coming from? It's coming from the DOM. And another popular e-commerce site that uses this secret key is WooCommerce. They hide it in CDATA at the top. They generate the secret key and the nonce in JavaScript, so you can just pull it out. We'll talk about why that's important in a little bit. I don't know if it's an ode or just sad.

How could we make this better? It's got to be something complicated, because these bots cost a lot of money online. So there's got to be something more that has to happen to make this bot worth like $15 to $2,000. So one thing you should be doing is monitoring multiple outlets. There are many e-commerce retailers that will have the drop of the same item. Try everything. It increases your odds. Another thing that you would do is purchase verified accounts in bulk off of AliExpress, and we'll talk about how those happen in a second. If it can be a variable, it should be.
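The hybrid step described above, as an added example (not the speaker's bot): pull the per-step hidden token out of the checkout DOM and carry it into the next request, and lift a WooCommerce-style nonce out of an inline script block. The HTML below is constructed; `authenticity_token` is the hidden-field name assumed here, and the `wc_checkout_params` object inside the CDATA comment stands in for the JavaScript-generated nonce the speaker mentions. On a real store the field and variable names have to come from your own reverse engineering.

```javascript
// Added example, not the speaker's bot. Hybrid-bot step: fetch the DOM for a
// checkout step, lift every hidden field (including the anti-bot token) and
// replay it, plus the bot's own answers, in the next POST.

// Parse `name="value"` / `name='value'` / bare attributes from one tag body.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// name -> value for every <input type="hidden"> in the page.
function extractHiddenInputs(html) {
  const fields = {};
  const re = /<input\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    if ((a.type || '').toLowerCase() === 'hidden' && a.name) fields[a.name] = a.value;
  }
  return fields;
}

// WooCommerce-style: an object literal assigned to a JS variable in an inline
// script (often wrapped in CDATA). Returns the parsed object or null.
function extractScriptVar(html, varName) {
  const re = new RegExp(`\\b${varName}\\s*=\\s*(\\{[\\s\\S]*?\\})\\s*;`);
  const m = re.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Body for the next step: the server's hidden fields first, the bot's answers
// on top. Throws when the token is missing, which is the usual "they changed
// the page" signal that means it is time to rewrite the bot again.
function buildNextStepBody(html, answers, tokenField = 'authenticity_token') {
  const hidden = extractHiddenInputs(html);
  if (!hidden[tokenField]) throw new Error(`no ${tokenField} in DOM; page layout changed?`);
  return new URLSearchParams({ ...hidden, ...answers }).toString();
}

// Constructed checkout page: a hidden per-step token plus a WooCommerce-style
// nonce in a CDATA block. Field and variable names are assumptions.
const SAMPLE_CHECKOUT_HTML = `<!doctype html>
<form method="post" action="/checkout/step2">
  <input type="hidden" name="authenticity_token" value="tok_abc123">
  <input type='hidden' name='step' value='contact_information'/>
  <input type="email" name="checkout[email]" placeholder="Email">
  <button type="submit">Continue</button>
</form>
<script type="text/javascript">
/* <![CDATA[ */
var wc_checkout_params = {"ajax_url":"/?wc-ajax=%%endpoint%%","update_order_review_nonce":"9f1e2d3c4b"};
/* ]]> */
</script>`;
```

The flow per step is then: GET the step page, `buildNextStepBody(html, answers)`, POST it with the same cookie jar, repeat. Every step costs a DOM round-trip, which is the roughly 0.2 s per step the speaker measured; it raises the cost of the bot, it does not stop it.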
Right now you're creating thousands, if not millions, of requests to one website. That's really hard to get lost in a crowd, unless you are the crowd. So change your user agent, change your proxy, change a little bit of each thing each time, and become the crowd, because it's really embarrassing if you try a million requests against Adidas and you notice that all of your requests have the same user agent string. And of course, cluster-deploy to increase chances. You need to be scaling this. And scaling this is incredibly cheap, so there's no excuse not to. I wrote all of these bots in JavaScript because JavaScript is a bit of a joke in infosec, and so I wanted to show you that these bots are so simple that you can write them in JavaScript. A lot of the bots that you buy online are in Java. And you can look at the source code online of all of these Java bots, and they're the exact same thing in a language I don't care for.

So this is all about money. It never was not about money. So let's talk about the economy, because this isn't just about shoes or about shirts or about Supreme Super Soakers. There's an economy based around these scripts themselves. If there's a market, there's a profit. And there's not just a market for sneakers. There's a market for these bots themselves. And so we're going to see that you can purchase every part of the team that we introduced earlier for a pretty penny. So let's talk about what you need to purchase to make this enterprise an enterprise.

So first you're going to need to buy accounts. A lot of sites need you to have verified accounts, via like multi-factor authentication or something else. So there are literally sweatshops in China, I'm not even making this up. There are tables and tables full of iPhones and Androids and SIM cards that run through account-creation scripts for these websites. They cost about five to ten dollars for five hundred to even ten thousand accounts at a time.
You use one and then you're done with it, because you cannot continue to bot with the same accounts. You are creating suspicious behavior, and you do not want to be tracked, because you don't want to rewrite all of your code, and you have a signature each time that you bot.

Secondly, we need to buy a cook group. These are friends that always know what's up and can help you configure your bots, help you write your own bot, give you a monitor bot. They're like a private Stack Overflow community. And so these are fifteen to thirty dollars, and a lot of the time it's just a bunch of fashionable dudes on Discord, and some of them have God complexes, and you're like, okay, I get it, but it's important, if you're starting, to join a cook group.

And finally, the most expensive thing is the purchasing scripts. These are just the scripts we saw earlier that managed to hire somebody to do UX, and they often wrap everything up into a single console that you run repeatedly. If you can find a way to automate any part of these, there will be plenty of people lining up to pay you money for your scripts also.

Let's see where we can invest our time. We have the buy bot. These, like AIO Bot or Project Destroyer, range anywhere from three hundred dollars to fifteen hundred dollars. And there is a resell market for these bots, because these bots are only released in small batches, just like what we're trying to buy, of one hundred to five hundred each season. And they sell out almost immediately, so you can always resell these for profit. These expensive buy bots, especially like Project Destroyer, have everything in the one console.
They have the account creation, the monitor bot, they often come bundled with like a support group, and it's important if you're new. Also, if you invest in a buy bot you will get dedicated support, because companies will often be trying to work against these bots, and you want an active purchasing bot with an active development core, because you're going to want somebody who's always trying to sidestep new protections that are put in.

On the other hand, the monitor bots, which I call the Adobe Creative Cloud subscription model, start at fifteen dollars per month and go up to thirty. You can also buy these. They're rather cheap, but it's really hard to configure them. You're just buying basically an XML parser, or just something pinging a site, and you're hoping that you configured the right site or the right SKU. This is why more often than not people will join or subscribe to a monitor bot that's already running. Since these come mostly with cook groups, they come with three real friends, as real as Discord friends can get, and they usually integrate with your purchasing script, so they will have a little API endpoint that you can plug in to your fancy buy bot, and the buy bot will know what to do from there.

So we saw the prices, and what I love about these prices is that these are for resellers, and there's one thing that resellers know how to do: resell. So I thought, what do coders know how to do best? And I said, I know how to code best. So I wrote a bot that buys other bots and then resells these bots. So I went to AIO Bot, which is one of the cheaper bots that we have here, and I went through. This is it. This is the script to buy a bot. On a side note, Project Destroyer, AIO Bot, and many of the other high-end bots are all running on WooCommerce, and we talked earlier about how if you just download the DOM you can get all the secret tokens.
So if you really are interested in the bots that buy bots and resell bots, the resell rate is probably a thousand to fifteen hundred over what you invest. So if anyone's looking for a job. So let's look at this guy in action. So it's another Puppeteer test. You can see how expensive these bots are. If you add Twitter Bootstrap to any script, you can add an extra hundred and fifty dollars to the price. The logical end of this script is to add a Twitter bot or a Reddit posting bot that posts the for-sale, and there's lots of markets on Twitter where you just buy and sell bots. That's all they do. So if you take this to the end and create the sell bot at the other end of the buy bot, now you have an entire bot ecosystem for other bots. I'm going to learn this once.

So finally we come to the future. I have a lot of questions. Mostly, will I have to become a robot to wear more Supreme? Am I a robot for even wanting to wear Supreme in the first place? These questions and more we won't answer in this session. So when the web started with bots, with WebCrawler, it was not written for WebCrawler. WebCrawler was written for the web. Nowadays, when we write the web, we write the web for Googlebot. So this creates a problem. But a lot of you in the audience may be saying, is this a problem? Because companies are getting paid. People are getting product, eventually. So why do we think this is a problem? If the money is flowing freely, everybody looks good on Instagram, it doesn't matter.

Because companies care about money. This is the truth of it. And resellers suck from a company's perspective. When you create a $50 box-logo t-shirt and you see somebody reselling that $50 t-shirt for 500, and you spent the money designing the red box with Supreme in it, tilting the Futura font a little bit to the left, making it so that every rapper wears your new shirt, that's a lot of money. So you want to make a lot of profit from these shirts.
And then some guy who happens to know a bit of Java managed to make four to five to ten times your profit on the same thing. Well, that really grinds my gears. I don't actually make Supreme, by the way. Another thing is that resellers crowd real consumers out. If you know a site is only for resellers, you're not going to go to it. And so now you, as a company, are sending all your products to some random guy with a penthouse in SF and a hot tub full of Cristal. And he decides the price for your product, and he decides how much it will cost. And then finally, it's about fairness. This is the most obvious reason, in my opinion, why bots are bad. Because it's not fair. Robots can't even wear t-shirts. Only me. So why should I be competing with robots to buy clothes? When we were little, we said, you know, if this isn't fair, I'm taking my ball and I'm going home. This is what companies are really worried about, and why this is a problem. Because one day, instead of waiting in line with a bunch of robots that look like Pepper, you're going to take your ball and you're going to go to a brand that actually has some stock for you, so that you can wear whatever brand that is, and it will make it more popular. So bots aren't fair, resellers aren't fair. So what can we do about it?

I know, there's accounts, we can just blacklist them. It's a universal truth that every company who cannot hire a security engineer is in possession of a useless blacklist. Most of the time, you'll be blocking real consumers. Or these purchased accounts are what you're going to block. Or the proxy IPs are what you're going to block. You're trying to win a whack-a-mole game. Everything is changing. We made everything random so that we would not get caught. And as companies try to whack the mole to get you to stop running your bot against their website, their blacklist gets longer and longer and more and more useless.
Blacklisting doesn't work, and I'm at DEF CON, so we all know that blacklisting doesn't work. So what else can we do besides blacklisting? There's got to be a better way, right? Well, companies are doing a lot of superficial things to make it worse.

I'm going to tell you a story about my friend. He trains every night before a drop, or a purchase drop, to click through a website as fast as possible. He has an Excel sheet of times, and he memorizes where the mouse should go, and he trains like an Olympian to purchase shoes. He's very proud of this for some reason. I do not know. He thinks he's more ethical, or holier than thou, because he has not resorted to scripts. And he does make a fair bit of money. But a sneaker website, which I won't mention, created a fake page. The first button, in the usual spot, said if you click this button you will pay $10,000 for a $100 sneaker. And people bought that $10,000 sneaker. Because, this is what the company thought, if a human reads the text on the page, he will see that it says clearly this is not the purchase button; if you click this button you will be charged $10,000. This worked somewhat. But then I remember my friend, who for some reason trains every night before a shoe drop to purchase through clicking. I also do this. I click as fast as possible. I'm trying to charge my card as fast as possible. And so false listings are going to confuse me. I most likely will click the wrong button, because I have less than 30 seconds to click through a UI to charge my card.

I live in Shanghai. Shanghai has so many hypebeasts. It's not really hype anymore. It's just the norm. We have many sneaker shops near where I live, and you will see a line around the block of middle-aged women. These women are not wearing the latest kicks. They're not wearing Supreme. They were paid 20 RMB, or about $3, to wait in line for the resellers for shoes.
So now you have this kind of economy based on paying middle-aged ladies to wait in line so that you can charge $200, $300 more for those shoes. In-person sales mean in-person resellers. It's distributed reselling.

And finally, this is the one that I hate the most, because it doesn't make much sense to me. They have lottery systems in a lot of the latest releases. Bots can buy anything. We just talked about it. They buy teddy bears. They buy K-pop concert tickets. They buy stocks. What makes you think they cannot buy lottery tickets? And so now you'll see a lottery, and you as a human being get one lottery ticket, and a bot gets 5 million. The odds aren't in your favor, even if it's supposed to be statistically random.

So all of these suck. They're very superficial, and it's easy to poke holes through all of these solutions. So we need to find a way around this. And it's very easy. We need to go back to an unpredictable web. We need to go back to a web before WebCrawler. We need to go back to a random, human-curated web. Adding entropy to your system does not mean breaking your system. When we wrote code earlier, we wrote code to be as random as humanly possible. It still worked. It was a little bit of extra effort. It didn't break anything. If you add just a little bit of unpredictability, bots cannot handle it. Encrypt your process. Encrypt little bits and pieces of everything you do. Do not make it clear, one-click, easy as humanly possible. The easier you make a process, the more you code your website for SEO, the easier it is for bots to get on your website. And in the great words of a mid-2000s emo band that everyone forgot but me, Fall Out Boy: this ain't a scene, it's an arms race. There's not going to be one answer or one nuclear weapon against bots, because there's a profit to be made. What I get paid for writing websites, others get paid to write bots against those websites. They get paid probably more than I do.
Which is kind of sad, because they're probably better dressed than I am too. The only way forward is to deal with bots in the only way that a human can. And humans are very good at one thing, and that's dealing with the unfamiliar. Bots cannot handle the unfamiliar. And if we start to make the web unfamiliar to bots and more familiar to humans, I think we have a way forward. This ain't a scene, and it's not just about sneakers, it's not just about Supreme, it's about everything. And it's an arms race for all of us to be able to be the best dressed at DEF CON this year and every year forward. Thank you.