DEF CON 24 - Hunter Scott - RT to Win: 50 lines of Python made me the luckiest guy on Twitter

Captions
How many people like free stuff? Let's learn how to get free stuff with Twitter and Python. So, have you guys ever had an idea that you tried and it worked like a hundred times better than you possibly could have hoped? This is one of those ideas. If I had to summarize this talk in one slide it would be this; this is from the movie Real Genius, if you've never seen it. Val Kilmer, so good.

So my name is Hunter, I'm a computer engineer and I work for a startup in Silicon Valley that you've never heard of. This started when I was on Twitter and saw that there are a bunch of contests, and all you have to do to enter them is retweet them. I was like, well, I can write a script to do that. I'm sure you guys have all seen this comic, it's the xkcd where he writes a script to buy something on eBay every day for one dollar with free shipping. The idea is that you get all these packages showing up at your house and you don't know what's in them, and that's super fun. It kind of backfires on him because at the end he gets put on an FBI watch list because it buys all this really suspicious stuff. So this is kind of what I was going for, and it basically worked. It was actually better, because I didn't have to pay any money, and as far as I know I didn't end up on any watch list because of this particular project, but you know, you can never be sure.

So here's the Twitter account that I set up. You'll see that I really didn't try to be stealthy at all. This is a default picture for Windows because I was too lazy to Google for anything else, and it turns out you don't have to be stealthy; this seems to work anyway, which is kind of interesting. So how hard could it possibly be? You look for contests, and then you retweet them, and then you're done. So I started with the terms you might expect, variants of "retweet to win", and I was using the Twitter API, Tweepy and Python. Unfortunately the Twitter API has a bunch of rate limits in it, so this is kind of lame because it means you have to add a bunch of delays, which means you can't enter as many as you otherwise would be able to. So the first thing I did to get around this was, rather than use the API to search, I just scraped the Twitter search results page. This works because you don't have to be signed in to use the search page; all you've got to do is make a request for whatever search term you want, as fast as you want, and then I used BeautifulSoup to go through and pull out all of the tweets that looked like contests. Then I stored their unique tweet ID so I didn't have to check later to see if I had already retweeted that, because there's a lot of overlap between search results.

As you start doing this you'll notice that there are a lot of contests that require you to be following the person to win. This is a pretty easy modification to make: you just regex against it and see if they ask you to follow, and if they do, then you follow them. The problem comes when you start following about person number two thousand, because Twitter has a limit: if you don't have any followers, or you have under a threshold number, you can't follow more than 2,000 people. So, okay, I need more followers. What's the easiest way to get more followers? Buy them. This is Fiverr, and this here is actually a bad deal: 500 followers for five dollars. I paid five dollars, I got about four thousand followers. Also I can guarantee you that they are not real Twitter followers. So this worked okay, I mean, the 4,000 people did actually show up, which was nice. Unfortunately it's pretty easy to tell they're not real people: some of them still had the egg as their profile picture, and if you went into any of their profiles it's clear they're not real people, and I'm sure if you did any kind of network analysis you would find that they were all highly connected to each other.

So at this point, this is the output of the script. Basically I've just extended the number of search terms; now it's quite a few, and by the end of this I'm fairly confident that I was covering almost every single contest that was launched on Twitter. So this was a pretty long list of search terms; you just kind of guess and check to see what people use when they're trying to launch a contest. So you go to the search results, loop through each one and see: okay, is it a contest? If it is, have we already entered it? If not, then enter it. Do we need to follow them? Are we already following them or not? If not, follow.

To get around the follower problem I just built a FIFO, which is a pretty obvious solution. It's 2,000 people long, and whenever we need to follow someone new we kick out the very last person and push on the new first person. I got lucky with this in a couple of ways. First of all, it turns out that the length of a contest is shorter than how long it takes one name to propagate all the way down to the bottom of the list, which means I basically was never unfollowing someone too early; their contest had already ended. The other way I got lucky was that the total number of contests that were launched on Twitter was low enough that I was able to enter every single one of them without hitting any rate limits, once I implemented a few of these tricks. There is a side effect here, which is that, I guess, some people, when you follow them, automatically follow you back. There's a lot of bot activity on Twitter, scripts and services and things; I didn't realize how much there was until I started interacting with thousands of these things. The way it works is you follow them and they'll say "oh great, thanks" and automatically follow you back, but then when you unfollow them later they don't unfollow you back. So my follower count started increasing with increasingly legitimate-looking accounts, companies and people and stuff that were running these things. So I kind of got a bonus there: the total number of people that I was able to follow kept going up as I did this.

So then I tried to figure out how I could parallelize this and run multiple accounts at the same time. I should say that the majority of the time that I was running this I was actually only using a single account, but if you want to make multiple, this is what I tried to do. To use the Twitter API you need a developer account, which means a new phone number, so I need to get another phone number. Okay, I can use Google Voice. Well, to activate Google Voice you need a phone number. Okay, so I can use Twilio to make a phone number to activate a Google Voice account to activate Twitter. You can't use Twilio to activate Twitter because Twitter somehow knows you're using a Twilio number, and now I think even Google Voice knows if you're using a Twilio number. I don't know how that works, so if you know how they're able to tell that, let me know, because I'm really curious how that works.

Over the course of doing this, of course, I had a lot of interesting interactions with the great Twitter public. This was one that I got busted on, because this was while I was trying to run multiple accounts, and I had a different Twitter username but I forgot to change the display name. So this person was running an account running a contest and they were picking multiple winners, and I won multiple of the wins. So yeah, I got busted here and ditched this one. Another really great thing that I liked about this was some of the false positives I got; some things look like contests but they're not. So this guy says "retweet for a chance to win these Tupperware lids that have been warping in the dishwasher, must be following", so dutifully my script followed them and retweeted them, and it actually won. The guy DMed me and was like "hey man, you want those warped Tupperware lids?" Yes. It was really disappointing because he never actually mailed them to me; I was really hoping he would mail them, but he never did.

You get a lot of weird interaction between other bots when you do this kind of stuff. So this is an example where someone is running some kind of service that at the end of the week, on Friday, tweets out the top five people who retweeted you. So when you don't have that many people who retweet you, but you do have a bot following you that's retweeting everything that you tweet about your contest, and your script is not checking to see if those people are the same, then you get all five slots. So my best retweets came from me and me and me and me and me. You also get asked for really weird stuff. So the top one, I don't know if this was a script or if it was a person copying and pasting, but it was some teenage girl who was trying to get people to retweet to get the attention of some pop star she wanted to ask on a date or something. The fact that I was sent this makes me think, I don't know, maybe I'd like to think that it's a fourteen-year-old girl slinging code somewhere trying to get a date with this guy, but I don't know. The middle one is super weird; I don't understand what this is: "can you make it to my party April 27 7pm where snow forts comma sleet". I don't know if this is some kind of spam or social engineering; I don't know what these are, but they're almost certainly all not real people. And then the bottom one, there is someone who is promoting my account. I have no clue why you would be motivated to do that.

This is a DM I got. I thought initially, oh, this is something like rot13 or something, but no, this is just how the kids are talking now. And this was a really good one: this is someone whose contest prize was an autograph by me. What? So I don't understand, first of all, how they expected to pull this off; I have no clue who this person is, and I don't understand why anyone would be motivated to win an autograph from what is very clearly a bot account that is only sending out contests. So I couldn't figure out what the motivation behind this one was either, but it was surprising to run across.

Sometimes my bot was actually a jerk, like in this case, because of the FIFO. This person doesn't have a lot of followers, and they ran a contest that I entered because I found it, and then I didn't win, so they got pushed off the bottom. Later they ran another one, so I followed them again, and if you're a big company you don't notice this kind of stuff, but if you're just a person, you're like "oh man, this person is only in it for the contest". So sorry, man, whoever you are. This is another one of my favorites: it looks exactly like a contest except you win absolutely nothing. So yeah, I entered that; I was the only entry. Here's one more false positive. I couldn't figure out why my bot entered this; it's a list of people's favorite cereals. What I figured out, I think, is because of "lucky" here; even though I wasn't actually looking for just the word "lucky", for some reason it picked it up. The reason I'm showing these false positives is because I was not trying to home in on any particular contest or any particular prize or anything, because I was able to enter everything I could find, like, why not? You just make your filter wide open. You can't lose a contest that doesn't exist, but you can lose a contest that you don't find.

So here is a list of stuff that actually got shipped to my house. I should point out that this is the stuff that managed to ship, which means it's not the huge list of stuff that wasn't physical, and it's not the list of stuff that they wouldn't ship because I live in the United States and I'd won the prize in some other country. So some items to point out here: the top thing there is a vinyl album by Papa Roach, pretty great; a bunch of books and CDs, most of which were signed, which is cool; t-shirts; a lot of stuff you would kind of get at a career fair, you know, glasses and pens and stuff like that; twelve bottles of cherry juice; a calendar of 365 cats; and my favorite physical thing that I got was that cowboy hat over there, because that cowboy hat is signed by the stars of a Mexican soap opera that I've never heard of before. The reason I love it is because it's the perfect example of totally random stuff that showed up at my door that I would never have expected to get. Some people, when I wrote about this, were saying, you know, it's kind of lame because maybe there was someone who was a huge fan of that Mexican soap opera and they didn't get that thing and you did and it's wasted on you. I understand where they're coming from to some extent, but I would say that I have exactly the same amount of appreciation, if not more, for that thing as they do, but for a totally different reason, so I think that's okay.

There's a lot of weird intangible stuff I got too. There was some restaurant in England that I won reservations to like 30 times in a row; I can't figure out why they weren't catching on to me. I also won, there was some cam girl who had a contest where she would write whatever you wanted on her body in chocolate sauce and take a picture and send it to you. So I won, and I'm trying to think, all right, what can I have her write? I tried to get her to write Maxwell's equations, but she didn't do it, which was kind of lame. If you want to see the full list of stuff, it's there; there's a ton of stuff on here that I didn't cover because it's way too long, but it's fun to dig through; there's some really random stuff. So towards the end I tried to repurpose my bot for good, because I noticed that there were some tweets where you would retweet to donate to stuff; people say "retweet now and we'll donate a dollar to charity". I was like, well, I can add that to the list, why not? So some people actually appreciated it, and they're like "hey, this is great", because I had real followers at this point who were seeing it, but even this backfired in the end, unfortunately, with the retweet of that one.

All right, so the stats at the end here: I entered about 265,000 contests, and on average I won 14 contests per day, every day for nine months straight. So this works. The most valuable thing I won was a four thousand dollar trip to Fashion Week in New York City. I did not actually redeem this prize because, first of all, they didn't pay for travel and I didn't live in New York; second, I wasn't that interested in going to Fashion Week anyway; and third of all, you have to pay taxes on a four thousand dollar prize, which I was not excited about. If you're not from the US you may be surprised to learn that you have to pay taxes on contest winnings in the United States, and speaking of that, yes, I paid taxes on the things that I won. I never released the code for this, in what may have been a futile attempt to try to stem the flow of Twitter contest spam, but I wrote about it and people made their own version anyway, so there's a whole bunch on GitHub if you want to look at some. Most of them are fairly naive; I still get emails sometimes from people like "man, I tried to make a version of that Python script and I got banned immediately". Like, well, yeah. So if you look through some of these, there are some things in this talk that I don't think a lot of them implement, that you could probably improve if you wanted to.

So if you want to keep me from winning contests, it's really simple. Obviously I was not trying to do this stealthily, and it turns out that didn't really matter. So if you're trying to prevent this kind of people from winning, then all you've got to do is check to see if the person looks very obviously like a spambot. If you would have gone to my page you would have seen that it's tweeting contests every 30 seconds without sleeping, ever; it's probably not a person. Weirdly, there are versions of this that I found; I was looking before I started to see if anyone had tried this before, and I know there's at least one or two people who are doing extremely stealthy versions of this, and the only reason I know is because they emailed me and said "hey, I tried this too", and those it's unlikely you would ever be able to actually catch. But I also saw some examples of what looked like, I don't know, people who were kind of doing this manually, who would sit at the computer for four- or five-hour stretches and literally do the exact same thing: go to the search results, retweet. So I guess it depends how insane you want your entrants to be allowed to be, to be able to tell apart a person who spends four hours versus a script. You can also try to make it harder to programmatically enter, and you can do this by adding a second step, like asking a question or something. This works okay, but it's not great, because all you have to do, because everything on Twitter is public, is look to see what everyone else is responding to this question with and then just repeat it. So this may stem some really naive attempts. You can also try running it on another platform; it seems like it's more difficult to make a legitimate-looking fake Facebook account than it is a fake Twitter account, and it can also be tied to a real identity, which Twitter obviously isn't. And finally, you just have to accept the fact that if you're running a contest, people are going to try to game it. Ever since people have been running contests, people have been trying to game them, and that's kind of the way it's always going to be, so that's just part of doing it. So again, here's the list of stuff if you want to look over it, and if you want to follow me on Twitter, I guarantee it's one percent human-generated content. That's my presentation, thanks.
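The detection heuristic the speaker gives at the end (an account retweeting contests every 30 seconds, around the clock, is probably not a person) worked out as a contest-runner's screening check. This is an added example, not code from the talk; the thresholds, the contest-phrase regex and the two constructed timelines are assumptions chosen to illustrate the idea.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Wording the talk cites as typical contest text ("retweet to win", "must be following").
CONTEST_RE = re.compile(
    r"\b(rt|retweet)\b.{0,40}\bto win\b|\bmust be following\b|\bfollow\b.{0,10}\b(rt|retweet)\b",
    re.IGNORECASE,
)

def is_contest_tweet(text):
    return CONTEST_RE.search(text) is not None

def gaps_seconds(timestamps):
    """Seconds between consecutive posts, oldest first."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def contest_bot_score(tweets, min_tweets=50, max_median_gap=120,
                      min_rest_gap=4 * 3600, min_contest_ratio=0.9):
    """tweets: list of (datetime, text) for one account.

    Flags the account when almost every post is a contest entry, posts arrive
    at machine cadence (median gap <= max_median_gap) and there is never a
    rest period as long as min_rest_gap (humans sleep; the bot in the talk didn't).
    Thresholds are assumed values, not figures from the talk.
    """
    if len(tweets) < min_tweets:
        return {"verdict": False, "reason": "too few tweets", "count": len(tweets)}
    gaps = gaps_seconds(t for t, _ in tweets)
    ratio = sum(is_contest_tweet(x) for _, x in tweets) / len(tweets)
    med, longest = median(gaps), max(gaps)
    verdict = ratio >= min_contest_ratio and med <= max_median_gap and longest < min_rest_gap
    return {"verdict": verdict, "contest_ratio": ratio, "median_gap": med,
            "longest_gap": longest, "count": len(tweets)}

def constructed_bot_timeline(start, n=2880, every=30):
    # Constructed sample: one retweet every 30 s for 24 h, all contest entries.
    return [(start + timedelta(seconds=i * every),
             f"RT @brand{i % 40}: Retweet to win a hat! Must be following.") for i in range(n)]

def constructed_human_timeline(start):
    # Constructed sample: 20 posts across waking hours, with an overnight gap.
    hours = [8, 8.5, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 32, 33, 34, 35]
    texts = ["coffee time", "RT @shop: Retweet to win a mug, must be following"] + ["lunch"] * 18
    return [(start + timedelta(hours=h), texts[i]) for i, h in enumerate(hours)]

if __name__ == "__main__":
    t0 = datetime(2016, 8, 5, 0, 0)
    print(contest_bot_score(constructed_bot_timeline(t0)))
    print(contest_bot_score(constructed_human_timeline(t0), min_tweets=10))
```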
Info
Channel: DEFCONConference
Views: 195,256
Rating: 4.9330478 out of 5
Keywords: DEF CON, DEFCON, Hacking, Hacker Conference, Computer Security, Security Research, Defcon 24, DEF CON 24, DC-24, DC24, Lockpicking, Hardware hacking, Hunter Scott, Twitter
Id: iAOOdYsK7MM
Length: 17min 17sec (1037 seconds)
Published: Sun Nov 13 2016