I can't imagine I'm the first to try this, but new hobby acquired:

1. Go to the British Museum (other museums with statues will work too!)
2. Find broken statues
3. Take a photo
4. Erase the gaps (DALL-E 2 lets you upload and edit on the fly)
5. Write the name of the piece as the prompt, with the date
6. Use image inpainting to fill in the rest of the statue

I ran the ones below on the spot and it was quite fun. Before this, whenever I visited the British Museum (a few times a year), I didn't really give most of those statues a second glance.

An exercise for the reader (this one's interesting because they put a reference of what it could have look like if it were complete based on a different statue):

And another bust of good old Caesar (might be interesting as there's so much reference material, and it's so broken):

Try it and have fun! I'll try another batch the next time I go.

Recently, people whose work I admire made me have to confront the "art not artist" dilemma once more. In this case, Nick Bostrom with racism, and Justin Roiland with domestic abuse.

Thinking about it, more generally, I guess it comes down to:

1. I can no longer consume a creator's work work without it being tainted by the context of their negative actions, so it became worse for me
2. I do not want to a give a voice/reach to their views by making them more famous
3. I do not want to do 2 indirectly by financially supporting them
4. More selfishly, I do not want to be associated with them or for people to think I support their views/actions by supporting their work
5. I do not wanting to signal to others that they can normalise these kinds of views, or behave a certain way, without consequences

However, it makes me think about the question: what if an AI were to be in a similar situation? Done something good and also done something bad. The current vibe seems to be that AI is a "tool" and "guns don't kill people, people kill people". But once you assign agency to AI, it starts opening up unexplored questions I think.

For example, what if you clone an AI state, one goes on to kill, the other goes on to save lives, in what way is the other liable? It's a bit like the entanglement experiment that won the 2022 Nobel physics prize -- you're entangling across space (two forks of a mind) vs time (old "good" version of a celebrity vs new "bad" version of a celebrity) where all versions are equally capable of bad in theory. To what extent are versions of people connected, and their potential?

It also reminds me of the sci-fi story Accelerando by Charles Stross (which I recommend, and you can read online for free here) where different forks of humans can be liable for debts incurred by their forks.

On a related note, I was recently reading a section in Existential Physics by Sabine Hossenfelder titled "Free Will and Morals". Forgive the awful photos, but give it a read:

So it doesn't even have to be AI. If someone is criminally insane, they are no longer agents responsible for their own actions, but rather chaotic systems to be managed, just like you don't "blame" the weather for being bad, or a small child for making mistakes.

Then, what if in a sufficiently advanced society we could simply alter our memories or reprogram criminal intent away? Are we killing the undesirable version? The main reasons for punishment are retribution, incapacitation, deterrence, and rehabilitation, but is there research out there that has really thought about how this applies to AI?

There's a fifth reason that applies only to AI: Roko's Basilisk (warning: infohazard) but it's all connected, as I wonder what majority beliefs we hold today that future cultures will find morally reprehensible. It might be things like consuming animals or the treatment of non-human intelligence that is equivalent to or greater than humans by some metric. At least we can say that racism and domestic violence are pretty obviously bad though.

Twilio used to be a cool and trustworthy company. I remember when I was in uni, some CS students (I was not a CS student) built little SMS conversation trees like it was nothing, and suddenly SMS become something you could build things with as a hobby.

Over the past month, my view of Twilio has completely changed.

The attack

Ten days ago (Jan 19th) at around 7am UTC, I woke up to large charges to our business account from Twilio, as well as a series of auto-recharge emails and finally an account suspension email. These charges happened in the span of 3 minutes just before 5am UTC. My reaction at this point was confusion. We were part of Twilio's startup programme and I didn't expect any of our usage to surpass our startup credits at this stage.

I checked the Twilio dashboard and saw that there was a large influx of OTP verification requests from Myanmar numbers that were clearly automated. I could tell that they're automated because they came basically all at once, and mostly from the same IP address (in Palestine). At this point, I realised it was an attack. I could also see that this was some kind of app automation (rather than spamming the underlying API endpoint) as we were also getting app navigation events.

After we were suspended, the verifications failed, so the attack stopped. The attacker seemed to have manually tried a California IP after that some hours later, probably to check if they've been IP blocked, and it probably wasn't a physical phone (Android 7). Then they stopped.

I also saw that our account balance was more than £1.5k in the red (in addition to the charges to our bank account) and our account was suspended until we zero that balance. The timing could not have been worse as we were scheduled to have an important pitch to partners at a tier 1 VC firm. They could be trying the app out already and unable to get in as phone verification was confirmed broken.

Our response

We're on the lowest tier (as a startup) which means our support is limited to email. I immediately opened a ticket to inform Twilio that we were victims of a clear attack, and to ask Twilio for help in blocking these area codes, as we needed our account to be un-suspended ASAP. They took quite a long time to respond, so after some hours I went ahead and paid off the £1.5k balance in order for our account to be un-suspended, with the hope that they can refund us later.

I was scratching my head at what the possible motive of such an attack could be. I thought it must be denial of service, but couldn't think of a motive. We're not big enough for competitors to want to sabotage us, so I was expecting an email at any point from someone asking for bitcoin to stop attacking us, or a dodgy security company coming in and asking for money to prevent it. But Twilio sent an email saying that this is a case of toll fraud.

I recommend reading that article, but in essence, those numbers are premium numbers owned by the attacker, and every time Twilio sends them a verification SMS, they make money, and we foot the bill.

Twilio's response

Twilio seemed to follow a set playbook that they use for these situations. Their documentation names a set of countries as the one where toll fraud numbers most likely come from and recommend are blocked (I suppose it's easy to get premium numbers there): Bangladesh, Sri-Lanka, Myanmar, Pakistan, Uzbekistan, Azerbaijan, Kyrgyzstan, and Nigeria.

I immediately went and blocked those area codes from our side, though Twilio also automatically blocked all countries except the US and the UK anyway, so it didn't really make a difference. Also, the attacker tried again using Indonesian numbers after that, so clearly a blocklist like that is not enough. Later I went and one by one selectively allowed only countries we actually serve.

Beyond this, Twilio's response was to try and do everything to blame this on us. They wash their hands of the responsibility to secure their own APIs, and instead the onus is on us to implement our own unreasonable security measures.

I told a friend about this, and through that friend found out that this is actually a very common problem that people have been having with Twilio, because Twilio dropped the ball. Apparently, out of all of those cases, we got pretty lucky (some people lost 6 figures). For me, the main issues are:

• Why aren't risky countries blocked by default? Worse, why are all countries in the world allowed by default?
• Why isn't "Fraud Guard", one of the switches (free) that Twilio told us we should have turned on, already turned by default?
• I had set up an auto-recharge rule (charge to £20 if balance goes below £10) just in case the startup credits ever ran low. This backfired dramatically as the account kept auto-recharging in an infinite loop until we were suspended (the reason for the huge charges to our bank account). Why?!
• We were already using the default rate-limiting that applies to individual numbers (something like 5 verification requests every 10 minutes), and our server had some general global rate-limiting per-IP (this probably already protected us quite a bit from what could have been). How is it reasonable to expect your clients to put a global rate limit, across IPs and numbers, for specifically the endpoint that asks for Twilio verification? Just have the rate limit on your side maybe? It's not our responsibility to think of these kinds of things; that's why we're using third party provider!

Their email was incredibly patronising, like others have reported, and they acted like they're doing us a huge favour by blessing us with a partial refund in account credits (not even real money). But we need to explain to them first how we promise to be better and not do a silly mistake like this again!

The refund

Twilio tries to push you into agreeing not to dispute the bank charges (see the link above for why they do this). I refused to agree to this, and first wanted to know exactly how much they would refund us, and if they would refund us in real money, not account credits (they agreed to "prioritize" this).

They told us that their finance team is who decides the refund amount, based on the information we provide on how we'll do better and a breakdown of the charges. I told them exactly what we did to combat this, and what the charges were. We had lost a few hundred in startup credits, then just over £2k in real money.

Instead of telling me how much they would refund (remember, I still haven't agreed not to dispute the charges, which they "required" in order to issue a refund), they went ahead and refunded us £847 and some change immediately.

I believe this to be a ploy to try and prevent us from disputing the original charges, because if we dispute now, we would have more back than what they charged.

What now?

I sought some advice, with mixed opinions, but it seems quite clear that if we dispute these charges, at the very least it would mean that we can no longer use Twilio for SMS anymore (which I don't want to anyway). But, this means switching to a different provider before disputing.

It would be relatively easy to switch, as they all tend to work the same way anyway, but would still require:

• Researching other providers (that don't use Twilio in the backend)
• Reading their documentation
• Swapping out the libraries and a dozen or so lines of code
• Making sure we leave no room for another round of toll fraud
• Testing and deploying

This is not difficult, but time and effort that I don't have right now, as well as a distraction from our actual core product. I don't know if £1.1k is worth that "labour", or any extra stress that may come if Twilio decides to make a stink about this and pass us on to collections etc.

All I know is: Twilio, never again. I will advise people to not use Twilio for the rest of my life and longer depending on how that advice may spread and how long this article survives.

Selvan sent over another coffee break puzzle!

My brother's in New York and I was reminded of a scam we fell for there once. This wasn't the typical Time's Square Elmo-league stuff, but seemed quite legitimate! I wanted to recount the story in case it might help someone.

We were planning to visit the Empire State building (which by the way, wasn't that great, especially that foggy day) and when we arrived there we were shocked to see a queue going all around the block and across several streets. We were approached by a man named DeShawn Cassidy selling the New York Pass.

"You can leave. Your Wallet. At home," he says. "You can laugh at aaaaall these people," as he points to the massive queue, telling us we can skip it with the glorious New York Pass. It's fast-lane entry and cheaper tickets into the Empire State building and a bunch of other attractions around New York within a certain time period.

He was a very convincing and charismatic salesman. We asked him why the people in the queue aren't cleaning him out if it's so good. He threw his hands up and said, "It behooves me!" misunderstanding what that word means.

We paid him $80 for 5 passes I believe, which was a great deal. He rubbed his hands like a fly about to have a meal as we were taking the money out, and gave us a receipt, staking his name and reputation on it, "DeShawn Cassidy", and that we can call him at any time if we need anything.

Of course, you know how the rest of the story goes. DeShawn was all but erased from existence, and we didn't have the opportunity to "laugh at all these people" as the security made us queue like everyone else. The special entrances were only for people who actually worked in the building.

We thought that maybe there's a faster queue inside, after clearing the building queue, and at least we don't need to get new tickets. Wrong again! The man at the till took one look at our little plastic cards, and in the strongest New York accent that still rings in my mind to this day, said the infamous words:

New York Pass? Don't do nothin'!

A while ago I dug into my DNA via a number of services. I had the uncommon opportunity of being able to compare the results of two services (while only really paying for one). Now I finally got around to writing this up and might update it over time as I do more genealogy-related things. https://yousefamar.com/memo/notes/my/dna/

My friend Selvan sent me this puzzle:

Feel free to give it a try before revealing my thought process and solution! Also, in case you're wondering, the sticks do have to have marshmallows on both ends, and they're straight, and marshmallows can't be in the same position or at infinity. Also, the sticks can cross (this doesn't violate the "2D" requirement). None of this was obvious to me!

Almost exactly 6 years ago, I ate too many Pringles, as reminded by my photo app throwback. My brother won a contest where the prize was crates of Pringles and he gave me all the sour cream and onion ones. I ate too many of them in too short a time and since then I kind of lost my taste for them. The same thing happened to me with peanuts — I used to love them and now I basically never eat them.

When I was a student, I got an oyster photocard for commuting with a discount. Eventually I also had my railcard added to this (though IIRC, the discounts aren't cumulative). I had it renewed right at the last possible moment before expiry and aging out, and the new card was meant to expire on the 31st of Jan 2020. It never did and I've been using it since — maybe expiry meant the discount?

Eventually the outermost plastic layers peeled off (the layer with my name and photo on it) leaving an ominous blank card.

The card number was also peeled off, so when I had an incomplete trip one day, while getting that sorted, a friendly TFL employee let me know what it was on a receipt of my past few journeys. Only then did I really think about what the point of using an oyster card is (since I'm not getting discounts anymore) over a contactless credit card.

It seems there isn't really much of a benefit for me, so I'll probably just let it run out and stop using it. I might draw a little picture in that empty spot.

I had a normal oyster card many many years ago (before the first photocard) that I at some point added to the online dashboard with 60p still on it. I had given this oyster card to a homeless lady thinking there was more than that on it and she probably tossed it. I reckon if I plan my last trip in such a way that the balance goes to -60p, then never top it up again, then my overall balance with TFL should be... well, balanced!