Scott Hanselman

Teach your kids to be fans

February 15, '13 Comments [15] Posted in Musings | Parenting
Sponsored By

I love how social media shatters the barriers to entry for fans. I can tweet my favorite actors and authors, like my favorite comic artists or writers and connect with them in a way that has not just immediacy but a social connectedness that's so satisfying.

But there's also something to be said for a letter in the mail. Being a fan can be reading and enjoying but it can also be appreciating and reaching out. I'm trying to teach a sense of appreciation to my sons and encouraging them to reach out.

They love these books in the Joey Fly Private Eye series. They are super cute and great fun for the kids.

After reading them (many times) my boys decided that they needed to write a fan letter to the writer, Aaron Reynolds, and the artist, Neil Numberman.

It was more than a fan letter, though, it was a reminder there are Makers out there. There are real humans who think up and create the things they love. Perhaps it's also a reminder that they can be Makers as well if they choose.

Here's what they wrote (the 5 year old, so bear with him):

Are you making more Joey Flies? We think you should

The kids also mentioned that they liked tennis and that my oldest had recently lost a tooth.

And here's what showed up in the mail from Neil Numberman.

My sons as bugs, by Neil Numberman

Note the missing tooth on the bug on the right.

There are no words for the awesomeness of this. This is how you get life long fans, my friends.

Thank you, Neil. You should use your twitter more. ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

I'd like to use the web my way, thank you very much Quora.

February 14, '13 Comments [68] Posted in Musings
Sponsored By

I was browsing the web today, as I often do, with my iPhone on the can. (Yeah, you do it too, don't front.)

A link to an interesting Q&A on Quora came along, so I clicked.

And got this.

No I don't want your app, Quora

Wow. This is bold, even for Quora.

I can peek at one answer, then presumably I'll be so enamored with Quora's walled garden that I'll rush to download their app.

The introduction of iOS 6 also introduced "smart app banners" as a way to let users know that your site has an associated app. The site author just adds a META tag and mobile safari handles the rest.

<meta name="apple-itunes-app" content="app-id=999">

Note that the giant DOWNLOAD THIS APP PLEASE arrow is all Quora and is not part of the iOS 6 Smart App Banner feature. This is equivalent to a YouTube video embedding a "please subscribe video" or a reporter pointing at an unseen 1-800 number added later in post production.

This implementation goes against everything on the web. You're not just actively preventing me from visiting your site by forcing me to log in, but you're also actively forcing me to download your app to access your server.

I don't want your app. Apps are too much like 1990's CD-ROMs and not enough like the Web.

The Web Rejects Hacks

There's a pay wall over at the New York Times, in case you hadn't heard. When you hit the Times enough times or in different ways you'll be prompted to buy a subscription, and it's apparently working pretty well. At least, better than you'd expect.

But the Times uses a number of techniques strike a balance between "open looking" and "totally not open." If you hit a Times link from Google or Twitter, it works. If you hit the times from an email, you get a pay wall. If you read the Times a lot, you get a pay wall. These techniques are wide and varied. They appear to look at your IP, use cookies, use HTTP_Referer, use URL querystrings.

However, the New York Times and other web properties are attempting to use the web in a way that the web doesn't like.  In fact, the NYTimes is actively playing Web Whack a Mole with those that would reject their pay wall.

The web itself actively doesn't like these hacks. It's not just that the people of the web don't like it, that's a social issue. It's that the technology underlayment doesn't like it.

Sites like this want to have their cake and eat it too. They want Google to freely index their content for searching, but when a person tries to actually READ the site they'll pop interstitial ads, use DIVs to cover the content and actively hide it from the user.

The uncomfortable tension for a business is that the web will never see content that's not indexed (by Google, effectively), but it's not OK to serve one piece of content to the GoogleBot and another piece to the live user. So, sites play tricks and the attempt to funnel us into usage patterns that fit their models and their perceptions. They HAVE to serve the whole page to all comers - ah, but do they have to actually let you SEE it?

What's Underneath?

Check out any Quora answer while on a mobile device not logged in. See that scroll bar there? The entire page actually loaded. I can scroll around! The white area is on top, blocking the content.

The scrollbar gives it away

Don't believe me? Gobsmacked? Here's a screenshot of a View Source from my iPhone of this page. Sure the markup is really awful, but squint and you can see the content is there. All of it.

View Source on Quora

I love that my mobile data plan was used to download the full contents of a page that I'm not able to see.

No, I don't want your app. I want to use the web my way. You're not doing it right, therefore I reject you. You need to change your ways.

Yes, it's your prerogative on how you want to run your website, but I propose that just like ExpertsExchange and others before you, the open web will reject your chicanery.

I said Good Day Sir!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Chasing an active Social Engineering Fraud at Amazon Kindle

February 12, '13 Comments [78] Posted in Musings
Sponsored By

TL;DR: I've just spent several hours chasing a socially engineered (not password compromised) stolen Kindle through a series of phone calls, chats, virtual shipping addresses, UPS tracking numbers and more. The irony is that my wasted time is the real loss.

NOTE: Amazon Kindle Support is, and continues to be truly amazing. However, in this instance, they have flawed policies that I have no doubt will be fixed.

All this for the want of a $119 Kindle. Let me start over.

Yesterday I got an email from Amazon that said:

I'm writing to follow-up on our recent chat conversation.
I'm sorry to hear about the problem with your Kindle. I'm sending you a replacement Kindle via Two-Day shipping to get it to you as soon as possible.
Guaranteed Delivery Date: Tuesday, February 12, 2013.

Hm? What? Is this a Phish? No, all the links are valid, email return path is correct, and I confirmed I've received emails like this before.

I log into my Amazon account and I see:


Holy crap. I didn't order that. I click Cancel. Then I get this email a few minutes later:

We weren't able to cancel the following item(s) from your order:
Kindle Paperwhite 3G, 6" High Resolution Display with Built-in Light, Free 3G + Wi-Fi

Looks like they are so efficient that they got the Kindle on the truck already. I check UPS. It's on the way to my house.

I login to Amazon's "Manage Your Kindle" page, and sure enough, there's already 'Scott's 2nd Kindle' sitting there, ready to go. I deregister it.

Hm? Why is this useful? Why do they want a Kindle sent to my house?

At this point I call Amazon and explain the situation to a human. Sue is SUPER nice, SUPER knowledgeable and immediately I can tell she gets it, so someone give Sue G. a raise. She says she's taking it to Fraud and I should hear from them soon. I want to point out here that I'm talking to a human on the phone here.

Sue looks through their details and says there are a series of chats with "Scott" using their Live Chat system. So, this is a social engineering hack, not a "password compromised" hack. The person has reported that "Scott's" Kindle is broken and has asked for a replacement, but then later tried to redirect the delivery. The customer rep says they can't redirect it. However, it appears the bad guy tried multiple support folks until they finally got the package redirected. More on that in a second.

Note that none of this required anything more than my address and my email. They were able to get the Amazon Customer Service to accept that they were me without my password or any additional verification.

I ask Sue to send me the chat logs. She talks to a supervisor and says she can't send them to me because the chat logs contain the address that the bad guy wants to redirect to. She does tell me the redirect address is in Portland, however.

ASIDE: Amazon customer support also "brick" the Kindle for me. It's not just Deregistered (disassociated from my account) now, but it's remotely deactivated. However, I still don't want the bad guy to succeed.

Sue also mentions that the bad guy asked that the customer representative "not bother to send a follow up email, as I never check my email anyway." The bad guy is consistent in this behavior, always asking to avoid the return emails so I won't see them. Of course, the automated system can't NOT send the follow up, which is why we're here now. If that automated email hadn't gone out I wouldn't have noticed this hack until I checked my Amazon Recent Orders at some point in the future.

ASIDE: It's rather ironic that the bad guy's address has more privacy than I do. 
RECOMMENDATION: I recommend that Amazon implement a policy wherein they email the complete customer chat transcripts after the chat completes.
Additionally, my chat transcripts are mine and should be available to me online.

I figure it's done and I go about my day. Next morning I wake up to see a bunch of mails like this, all from different people at Amazon:

Thank you for contacting about your inquiry. It was a pleasure to help you with your concern.
I can confirm that we still expect to ship your order in time to be delivered to you by February 12th, 2013.
We'll send you an e-mail when your order is shipped with your tracking number.  Your order could ship any time between now and right before the estimated delivery date.

Waa? What "concern?" I go to UPS and check the tracking number for the ill-gotten Kindle.

Note the times. Someone is doing this when Amazon phone support is overseas, or when they (the bad guy) is overseas, or at least, up late.


They are still trying to redirect the Kindle to another address, again with the web chat system and multiple times. This sure is a lot of work for a Kindle.

I call Amazon again and re-explain what's up. I ask for the chat transcripts again but they won't send them. Simultaneous to this phone call I email Amazon Customer Support and ask for the chat transcripts (via email, just to be clear) and the chat transcripts show up quickly in my inbox. Doh.

RECOMMENDATION: I'm reiterating here. Policies only work when everyone follows them. The phone folks at Amazon are very consistent, but the chat and email support is, in this case at least, demonstrably spotty.

NOTE: The bad guy isn't "ordering" new stuff, but rather requesting a replacement of an existing product exploiting Amazon's liberal warranty replacement service, then redirecting the package.

OK, now I've got chat transcripts. Here's the annotated and edited transcript.

In case it's not crystal clear here, that's not me chatting here.

Transfer Notes : May I check on my replacement Kindle shipment status that was placed earlier today?
10:11 PM Scott is off hold.
10:12 PM Scott : Hi [Name withheld]
10:12 PM Amazon Rep : Hello, Scott.
10:12 PM Amazon Rep : Could you please help me with the order number?
10:13 PM Scott : I do not have the order number with me right now. Could you please help look into my account? The order was placed earlier in the day.
(ED: Note to Amazon, this is odd, as they are sitting at a computer)
10:13 PM Amazon Rep : Scott, I need the email address associated with your amazon account?
10:13 PM Scott : sure.
10:13 PM Scott : [my email address]
10:14 PM Amazon Rep : Please give me a minute to check that.
10:15 PM Amazon Rep : Before I can view your account I'll need to do a quick security check. Please confirm the email address, complete name, and billing address on your account.
10:16 PM Scott : [my address]
10:16 PM Scott : scott hanselman
10:17 PM Amazon Rep : Thank you for the information.
10:19 PM Amazon Rep : The kindle device which your referring to will be delivered to you by: Tuesday, February 12, 2013
10:19 PM Scott : do you have the tracking number for this shipment?
10:20 PM Amazon Rep : Yes, the tracking number is 1Z0ERxxxxxxxxxxxx
10:23 PM Scott : Thank you.
10:23 PM Amazon Rep : You’re welcome!
10:24 PM Scott : Please hold on.
10:24 PM Amazon Rep : Sure.
10:25 PM Scott : May I know how can I change the shipping address?
10:25 PM Scott : I just contacted UPS, and was told to contact the shipper, which is Amazon, to change the shipping address.
10:25 PM Amazon Rep : This is the shipping address:
Scott Hanselman
[my address]
United States
(ED: Note that they included "United States." This tells me this was copy pasted. No one writes that.)
Primary Phone: [my phone]
10:26 PM Scott : Yes, but I would like to change the shipping address.
10:26 PM Amazon Rep : I am sorry, the shipping address cannot be changed now, since the item has been shipped.
10:27 PM Scott : I understand, but UPS told me that this is still possible, but only Amazon can contact UPS to do so.
10:27 PM Scott : Are you able to transfer me to someone who is able to help out?
10:27 PM Amazon Rep : Please give me a minute to check that.
10:29 PM Amazon Rep : Thank you for being on hold.
10:29 PM Amazon Rep : I've contacted UPS and asked them to hold this package for you.
10:29 PM Scott : ?
10:30 PM Scott : I do not need UPS to hold the package for me.
10:30 PM Scott : Please confirm with me first before making any changes.
10:30 PM Amazon Rep : I understand that you want to change the address, but that cannot be done now since the package has been shipped.
10:31 PM Scott : Could you please help me call UPS to enquire?
10:31 PM Amazon Rep : Sure.
10:32 PM Scott : If you are not able to make any outgoing calls, please transfer me to a colleague who may do so.
10:34 PM Amazon Rep : Please give me a minute to do that.
10:34 PM Scott : Sure.
10:35 PM Scott :
10:41 PM Amazon Rep : Scott, could you please help me with the address to which you want the package to be redirected to?
10:41 PM Scott : Sure.
10:42 PM Scott : [Address in Portland with "NUM99999" at the end of the street]
(ED: This US address is a "Shipping Portal into another country. More on this soon.)
10:43 PM Amazon Rep : Thank you for the information.
10:43 PM Amazon Rep : Please be on hold while I contact UPS regarding it.
10:52 PM Amazon Rep : Thank you for being on hold.
10:52 PM Amazon Rep : Could you please help me with your phone number?
10:53 PM Scott : No worries.
10:53 PM Scott : Sure
10:53 PM Scott : 425-406-xxxx
(ED: I called this. It's a disconnected VOIP number)
10:53 PM Amazon Rep : Please give me a minute.
10:55 PM Amazon Rep : Could you please help me with your country code?
10:56 PM Amazon Rep : Thank you.
11:01 PM Amazon Rep : I am sorry for the delay.
11:01 PM Scott : No worries.
(ED: Conjecture: People comfortable with English say this. This isn't something you hear a lot of non-natives say.)
11:01 PM Amazon Rep : I have requested for a delivery change of the address to the UPS carrier.
11:02 PM Scott : Thank you. May I know when is the scheduled delivery date?
11:03 PM Amazon Rep : You're Welcome. Yes, it will be delivered as scheduled.
11:03 PM Amazon Rep : Here is the link, you may view the details:
11:04 PM Scott : Thank you so much. You do not need to follow up with an email to me as I hardly check my emails. Would that be okay?
(ED: Seriously?)
11:05 PM Amazon Rep : You're Welcome. I am sorry, I'll need to send you an follow up email.
11:05 PM Scott : Oh. You do not have to do so actually.
11:06 PM Amazon Rep : I understand your concern, but as per our policy I'll need to send you an email.
11:06 PM Scott : An auto generated email to complete the survey is fine.
11:06 PM Amazon Rep : Okay, sure.
11:07 PM Scott : I will complete the survey when I have the time, but you don't have to include other details in the email.
(ED: Not cool, Amazon.)
11:07 PM Amazon Rep : Sure, Scott. I'll do that.

Amazon Fraud will handle the IP address tracking and deal with the bad guy, but now I have an address. I get a website and phone number from the address. It's a global shipping logistics company. The weird number at the end of their address is a Virtual Routing number.

An address with a number after it allows folks to have a package mailed to them in the US, then the package is transparently forwarded overseas. This number points to an account they have with a post office in a country in Southeast Asia. They received packages from all over, consolidate them, then ship them on masse. This allows governments and companies (and apparently bad guys) to order stuff from companies inside the US, then pay the international shipping and tariffs as a large shipment when it's sent overseas.

I call UPS with Amazon and we initiate an irreversible Return to Shipper. Amazon Fraud is on it, police contacted. This event is done.


UPDATE: Looks like the use of a Domestic Remailer company also hit Chris Cardinal. Someone tried to have a product mailed to an address in Portland, to a different "logistics company" that forwards mail overseas.

Buy why?

Why all this work for a Kindle? No rock solid idea. Perhaps:

  • Practice? If they can do one they can do 10, then 100?
  • Kindles, especially 3G Kindles, are preregistered to an account that may have One Click Ordering turned on.

How does Amazon fix this?

Here's my recommendations to Amazon on how to fix this.

  • The IP address that the chat happened from was clearly not mine, nor was it likely in my neighborhood.
    • Amazon, like a bank, should notice if a chat or request happens from an unknown location and enforce secondary protocols to check identity.
  • Everything was done over web chat without the user being logged in.
    • No order change should EVER happen anonymously over web chat. Authenticate the user the way you already know how - by making them log in.
  • The bad guy was saying clearly suspicious things. They asked the rep NOT to send emails. That behavior is not normal.
    • Train customer service reps to watch for obviously sneaky behavior, and re-authenticate.
  • The chat transcript wasn't emailed to me. I was notified about an interaction, but not given the context.
    • All chat transcripts should be emailed to the account owner after they are concluded. Chat transcripts should be available to me from my account pages.
  • A half dozen attempts were made in a short period.
    • It appears that the customer reps didn't read the previous interactions and notice that this person was effectively phishing the reps themselves, trying to get satisfaction.
  • The UPS shipping redirect was allowed without authorization.
    • Changing where something is shipped is a big deal. It should be done with significant authentication in place.
  • The resulting destination address was a known international logistics package distributor.
    • There are three in Oregon, which means there are likely only a few hundred, maybe a thousand in the US. Scrutinize orders sent to these "mail launderers."

What do you think?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Video: Effectively Managing Your Personal Brand Online

February 9, '13 Comments [9] Posted in Blogging | Speaking
Sponsored By

This blog, my twitter, my YouTube are all part of my online presence. While my day job is ensuring that Microsoft's web developer tools work well across many cross cutting concerns, my passion remains teaching.

When I went to work for Microsoft 5 years ago I made it clear that the blog, it's content, and my online voice would remain mine. I also told them I would do 'side work' in social media. Often I blog about the things I'm working on, but I also blog about family, diabetes, gardening, culture, diversity, languages, gadgets and lots more.

One of the things I enjoy doing besides programming and teaching, is helping folks in other industries manage their personal brands and use social media effectively. I've spoken at conferences and to many different blogging special interests from interior designers to bloggers of color.

The things I've learned - largely by making many mistakes - in the last 10+ years of blogging apply not just to the technical world, but to anyone with an online presence.

Last year at Blogging While Brown I presented the technical keynote along with my very close friends Luvvie Ajayi and Adria Richards. You may know Luvvie from our podcast Ratchet And The Geek. Adria works for SendGrid and you may have seen Adria on Channel 9 with me at the BUILD Conference this year.

The audience was filled with bloggers of all interests. Tech, Culture, Social Justice, Entertainment, Cupcakes (yes!), Yoga, Green Lifestyles and hundreds more. Luvvie, Adria and I have three very different online styles but each is effective in its own way. We combined what we learned into what we think is an edutaining and useful talk.

Together we discussed how to effectively present a clear Voice online, how your Medium affects your Message. We explore different ways to Reach and audience, but then how to reach them in an authentic way. Then we cover consistent Visuals and what Results look like.

The keynote was split into three segments. Luvvie starts at 2min in, Adria around 14 min, and me about 31 min, or watch the whole thing as it was intended.

I hope you enjoy it. We had a wonderful time creating and presenting it.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Simultaneous Editing for Visual Studio with the free MultiEdit extension

February 6, '13 Comments [47] Posted in Open Source | VS2012
Sponsored By

I use a number of text editors. The three I have pinned to my taskbar are Visual Studio, Sublime Text 2, and Notepad 2.

Visual Studio, Sublime Text, and Notepad2

I have three because I like features from one and wish those features were in another.

Sublime Text (and a few other editors) has a great feature called Simultaneous Editing. It's the very definition of an advanced - but core - editor feature.

Enter the MultiEdit extension for Visual Studio. Holding down ALT while mouse-clicking in the editor will add multiple selection points, so when you type, text will be added to all the selected positions. So today, MultiEdit supports multiple carets, but not multiple selections.

Here's an animated gif of MultiEdit in action.

This wonderful MultiEdit extension was released by the Visual Studio "Core Editor" Program Manager Ala Shiban (@AlaShiban). I'd like you guys to encourage our new friend with good reviews and nice comments if you like it. If you find a good bug, offer a clear bug report.

Perhaps if this thing gets a few hundred thousand downloads, we can get some new features, updates and more importantly show Ala's boss and make it a real live built-in feature. ;)

Version 1.0 supports:

  • Typing
  • Backspacing / Deleting
  • Moving the caret around using the keyboard
  • Undo-ing

What isn't supported:

  • Multiple selections
  • Virtual Spaces

Go get MultiEdit now for Visual Studio 2012 and then share it with all your friends.

Even better, perhaps we'll see even more "power toys" from the Core Editor team.

What would you like to see?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.