 How many people like free stuff? Let's learn how to get free stuff with Twitter and Python. Let's give our next speaker a big hand. So if you guys ever had an idea that you tried, and it worked like 100 times better than you possibly could have hoped, this is one of those ideas. If I had to summarize this talk in one slide, it would be this. This is from the movie Real Genius, if you've never seen it. Val Kilmer, so good. So my name is Hunter. I'm a computer engineer, and I work for a startup in Silicon Valley that you've never heard of. So this started when I was on Twitter and saw that there was a bunch of contests. And all you have to do to enter them is retweet them. I was like, well, I can write a script to do that. So I'm sure you guys have all seen this comic. It's the XKCD, where he writes a script to buy something on eBay every day for $1 with free shipping. The idea is that you get all these packages showing up at your house, and you don't know what's in them. And that's super fun. And it kind of backfires on him, because at the end, he gets put on an FBI watch list because it buys all this really suspicious stuff. So this is kind of what I was going for. And it basically worked, because it was actually a little better, because I didn't have to pay any money. And as far as I know, I didn't end up on any watch list because of this particular project. But you can never be sure. So here's the Twitter account that I set up. You'll see that I really didn't try to be selfie at all. This is a default picture from Windows, because I was too lazy to Google for anything else. And it turns out you don't have to be selfie. And this seems to work anyway, which is kind of interesting. So how hard could it possibly be? You look for contests, and then you retweet them, and then you're done. So I started with the terms you might expect, variants of retweet to win. And I was using the Twitter API, just Tweepy in Python. Unfortunately, the Twitter API has a bunch of rate limits in it. So this is kind of lame, because it means you have to add a bunch of delays, which means you can't enter as many as you otherwise would be able to. So the first thing I did to get around this was, rather than use the API to search, I just scraped the Twitter search results page. And this works because you don't have to be signed in to use the search page. All you got to do is make your request of whatever search time you want as fast as you want. And then I used beautiful soup to go through and pull out all of the tweets that looked like contests. And then I stored their unique tweet ID, so I didn't have to check later to see if I had already retweeted that, because there's a lot of overlap between search results. As you start doing this, you'll notice that there's a lot of contests that require you to be following the person to win. So this is a pretty easy modification to make. You just regex against it and see if they ask you to follow, and if they do, then you follow them. The problem comes when you start following about person number 2,000, because Twitter has a limit that if you don't have any followers, or you have an under a threshold number that you can't follow more than 2,000 people. So OK, I need more followers. So what's the easiest way to get more followers? Buy them. This is Fiverr. And this here is actually a bad deal. 500 followers for $5. I paid $5, and I got about 4,000 followers. Also, I can guarantee you that they are not real Twitter followers. So this works OK. I mean, 4,000 people did actually show up, which was nice. Unfortunately, it's pretty easy to tell that they're not real people. Some of them still had the egg as their profile picture. And if you went into any of their profiles, it was clear they're not real people. And I'm sure if you did any kind of network analysis, you would find that they were all highly connected to each other. So at this point, this is the output of the script. Basically, I've extended the number of search terms now, so I have quite a few. And by the end of this, I'm fairly confident that I was covering almost every single contest that was launched on Twitter. So this was a pretty long list of search terms. You just kind of guess and check to see what people use when they're trying to launch a contest. So you go through the search results, looping through each time, and see, OK, is this a good contest? If it does, have we already entered it? If not, then enter it. Do we need to follow them? Are we all to be following them? If we're not, then follow them. So to get around the follower problem, I just built a FIFO, which is a pretty obvious solution. It's 2,000 people long. And so whenever we need to follow someone new, we kick out the very last person and pop on the new first person. And this had a couple. Well, I got lucky in a couple ways here. First of all, it turns out that the length of a contest is shorter than how long it takes one name to propagate all the way down to the bottom of the list, which means I basically was never unfollowing someone too early. Their contest had already ended. The other way I got lucky was the total number of contests that were launched on Twitter was low enough that I was able to enter every single one of them without hitting up any rate limits. Once I implemented a few of these tricks here. And there was a side effect here, which is that I guess it's some people, when you follow them, they automatically follow you back. There's a lot of bot activity on Twitter and scripts and services and things. I didn't realize how much there was until I started interacting with thousands of these things. But the way it works is you'll follow them and they'll say, oh, great, thanks. They'll automatically follow you back. But then when you unfollow them later, they don't unfollow you back. So my follower accounts started increasing with increasingly legitimate-looking accounts, companies and people and stuff that were running these things. So I kind of got a bonus there that the total number of people I was able to follow kept going up as I did this. So then I tried to figure out how I could parallelize this and run multiple accounts at the same time. I should say that the majority of the time that I was running this, I was actually only using a single account. But if you want to make multiple, this is what I try to do. So to use the Twitter API, you need a developer account, which means you need a phone number. And so I need to get another phone number. OK, I can use Google Voice. Well, to activate Google Voice, you need a phone number. OK, so I can use Twilio to make a phone number to activate Google Voice account to activate Twitter. You can't use Twilio to activate Twitter because Twitter somehow knows you're using a Twilio number. And now I think even Google Voice knows if you're using a Twilio number. I don't know how that works. So if you know how they're able to tell that, let me know, because I'm really curious how that works. Over the course of doing this, of course, I had a lot of interesting interactions with the great Twitter public. So this was one that I got busted on because this was when I was running two bots. And I had different Twitter user names, but I forgot to change the display name. So the person was running an account, running a contest, and they were picking multiple winners. And I won multiple of the wins. So yeah, I got busted here and ditched to this one. Another really great thing that I liked about this was some of the false positives I got. Some things look like contests, but they're not. So this guy says retweet for a chance to win these Tupperware lids that have been warped in the dishwasher. Must be following. So dutifully, my script followed them and retweeted them. And it actually won. The guy DMed me. He was like, hey, man, you won those warped Tupperware lids. I was like, yes. It was really disappointing, though, because you never actually mailed them to me. I was really hoping he would mail them to me, but I never did. You get a lot of weird interaction between other bots when you do this kind of stuff. So this is an example where someone is running some kind of service that at the end of the week on Friday, they tweet out the top five people who retweeted you. So when you don't have that many people who retweet you, but you do have a bot following you that's retweeting everything that you tweet about your contest, and your script is not checking to see if those people are the same, then you get all five slots. So my best retweets came from me, and me, and me, and me. You also get asked for really weird stuff. So the top one was someone, I don't know if this was a script or if it was a person copying and pasting. But it was some teenage girl who was trying to get people to retweet to get the attention of some pop star she wanted to ask on a date or something. So the fact that I was sent this makes me think that, I don't know, maybe she, I like to think that it's some 14-year-old girl slinging code somewhere trying to get a date with this guy, but I don't know. The middle one, like, super weird. I don't understand what this is. Can you make it to my party? April 27th, 7 p.m. Wear snowforts comma sleet. Like, I don't know if this is, they seem like there may be some kind of spam or social engineering. I don't know what these are, but they're almost certainly all not real people. Another, in the bottom one there, is someone who is promoting my account. I have no clue why anyone would be motivated to do that. This is a DM I got that I thought initially, oh, someone sent me some Rot13 or something, but no. This is just how the kids are talking now. And this was a really good one. This is someone whose contest the prize was an autographed by me. What? So I don't understand, first of all, how they expected to pull us off. I have no clue who this person is. And I don't understand why anyone would be motivated to win an autographed by what is very clearly a account that is only sending out contests. So I couldn't figure out what the motivation behind this one is either. But it was surprising to run across. Sometimes my bot was accidentally a jerk. Like in this case, this is because of the FIFO. This person doesn't have a lot of followers. And they ran a contest. So I entered because I found it. And then I didn't win. So they got pushed off the bottom. Later they ran another one. So I followed them again. And if you're a big company, you don't notice this kind of stuff. But if you're just like a person, they're like, oh, man, I can't believe this person is only in it for the contest. So sorry, man. I don't know who you are. This is another one of my favorites. It looks exactly like a contest, except for you win absolutely nothing. So yeah, I entered that one, too. Only entry. Here's one more false positive. I couldn't figure out why my bot entered this. It's a list of people's favorite cereals, you know what? And I figured out, I think it's because of this word lucky here, even though I wasn't actually looking for just the word lucky. For some reason, I picked it up. The reason I was showing you these false positives is I was not trying to hone in on any particular contest or any particular prize or anything, because I was able to enter everything that I could find, like, why not? You don't make your filter wide open. You can't lose a contest that doesn't exist, but you can lose a contest that you don't find. So here is the list of stuff that actually got shipped to my house. And I should point out that this is the stuff that managed to ship, which means it's not the huge list of stuff that wasn't physical, and it's not the list of stuff that they wouldn't ship because I lived in the United States and I had won the prize in some other country. So some items to point out here. The top thing there is an album. It's a vinyl, Papa Roach. Pretty great. Bunch of books and CDs, most of which were signed, which was cool. T-shirts, a lot of stuff you would kind of get at a career fair, glasses and pens and stuff like that. 12 bottles of cherry juice, a calendar of 365 cats. And my favorite physical thing that I got was that cowboy hat over there, because that is a cowboy hat that is signed by the stars of a Mexican soap opera that I have never heard of before. The reason I love it is because it's like the perfect example of the totally random stuff that showed up at my door that I would never have expected to get. Some people, like when I wrote about this, were saying, hey, you know, that's kind of lame because maybe there was someone who was a huge fan of that Mexican soap opera and they didn't get that thing and you did and let's waste it on you. And I understand where they're coming from, to some extent they're right, but I would say that I have exactly the same amount of appreciation, if not more for that thing than they do, but for a totally different reason. So I think that's okay. There's a lot of weird intangible stuff I got, too. There was some restaurant in England that I won reservations to 30 times in a row. Couldn't figure out why they weren't getting onto me. I also won a, there was some like Camgirl who had a contest to win. She would write whatever you wanted on her body in chocolate sauce and take a picture of it and send it to you. So I won and so I'm trying to think, all right, what can I have her write? So I tried to get her to write the Maxwell's equations, but she didn't do it, that's kind of lame. If you wanna see the fullest of stuff, this is it. There's a ton of stuff on here that I didn't cover because it's way too long, but it's fun to dig through there. There's some really random stuff. So towards the end, I tried to repurpose my bot for good because I noticed that there were some tweets where you would retweet to donate to stuff. People would say retweet and I'll donate a dollar to some charity. I was like, well, I can add that to the end of the list. Why not? So some people actually appreciated it and they were like, hey, this is great because I had real followers at this point who were seeing it. But even this backfired at the end, unfortunately. Yeah, retweeted that one. All right, so the stats at the end here. I entered about 165,000 contests and on average I won four contests per day, every day for nine months straight. So this works. The most valuable thing that I won was a $4,000 trip to Fashion Week in New York City. I did not actually redeem this prize because first of all, they didn't pay for travel and I didn't live in New York. Second of all, I wasn't that interested in going to Fashion Week anyway. And third of all, you have to pay taxes on $4,000 prize, which I was not psyched about. If you're not from the US, you may be surprised to learn that you have to pay taxes on contest winnings in the United States. And speaking of that, yes, I paid the taxes on the things that I won. I never released the code for this in what may have been a futile attempt to try to stem the flow of Twitter contest spam. But I wrote about it and people made their own version anyway. So there's a whole bunch on GitHub if you wanna look at some. Most of them are fairly naive. I still get emails sometimes of people being like, hey man, I tried to make a version of that Python script and I got banned immediately. It's like, well, yeah. So if you look through some of these, there are some things that in this talk that I don't think a lot of them implement that you could probably improve if you wanted to. So if you want to keep me from winning contests, it's really simple. Obviously I was not trying to do this stealthily and it turns out that that didn't really matter. So if you're trying to prevent this kind of people from winning, then all you gotta do is check to see if the person looks very obviously like a spam bot. If you would have gone to my page, you would have seen that it's tweeting contest every 30 seconds without sleeping ever. It's probably not a person. Weirdly, there were versions of this that I found. I was looking before I started to see if anyone had tried this before. And I know there was at least one or two people who were doing an extremely stealthy version of this. And the only reason I know is because he emailed me and said like, hey, I tried this too. And those that's unlikely, you would ever be able to actually catch. But I also saw some examples of what looked like, I don't know, people who were kind of doing this manually. They would sit at their computer for like four or five hour stretches and just like, literally do the exact same thing. Go through the search results and just retweet, retweet, retweet. So I guess it depends how much you want, how insane you want your entrance to be able to tell the person who spends four hours versus a script. You can also try to make it harder to programmatically enter. And you can do this by adding a second step like asking a question or something. This works okay, but it's not great because all you have to do because everything on Twitter is public is look to see what everyone else is responding to this question about and then just repeat it. So this may stem like some really naive attempts. And you can also try running it on another platform it seems like it's more difficult to make a legitimate looking fake Facebook account than it is a fake Twitter account. And it can also be tied to a real identity which Twitter account obviously isn't. And finally, you just have to accept the fact that if you're running a contest people are gonna try to game it. Ever since people have been running contests people have been trying to game them and that's kind of the way it's always gonna be. So that's just part of doing it. So again, here's the list of stuff if you wanna look over it. If you wanna follow me on Twitter, I guarantee it's 100% human generated content then that's my intrusion name. Thanks.