Scott Hanselman

You're just another carriage return line feed in the wall

February 20, '13 Comments [77] Posted in Musings
Sponsored By

An image of a screaming face from Pink Floyd's "The Wall" album, coming out of a wall as if the wall were elastic, with the characters CR/LF in its mouth

I love getting pull requests on GitHub. It's such a lovely gift when someone wants to contribute their code to my code. However, it seems there are three kinds of pull requests that I get.

  1. Awesome, appreciated and wanted.
  2. Not so good, thanks for trying, but perhaps another time.

I'd like to talk about The Wall of Pink. This is a pull request that is possibly useful, possibly awesome, but I'll never know because 672 lines (GitHub tells me) changed because they used CRs and I used LFs or I used CRLF and they used LF, or I used...well, you get the idea.

There is definitely a problem here. But what's the problem? Well, it's kind of like endianness, except we're still talking about it in 2013.

"A big-endian machine stores the most significant byte first—at the lowest byte address—while a little-endian machine stores the least significant byte first." - Endianness

Did you know for a long time Apple computers were big endian and Intel computers were little endian? The Java VM is big endian. I wrote shareware code generator 16 years ago that generated a byte array on an Intel PC that was later entered into a PalmPilot running a Motorola 68328. This was the last time I thought about endianness in my career. Folks working on lower-level stuff do think about this sometimes, admittedly, but the majority of folks don't sweat endianness day to day..

TCP/IP itself is, in fact, big endian. There was a time when we had to really think about the measurable performance hit involved in using TCP/IP on a little-endian processor. But we don't think about that anymore. It's there but the abstraction is not very leaky.

It's years later, but CR/LF issues plague us weekly. That Wall of Pink I mentioned? It looks like this. I had to scroll 672 lines before I saw the +green where the added lines were added. Who knows what really changed here though? Can't tell since this diff tool thinks every line changed.



Whose fault is this?

Perhaps we blame Émile Baudot in 1870 and Donald Murray in 1899 for adding control characters to instruct a typewriter carriage to return to the home position plus a line feed to advance the paper on the roller. Or we blame Teletype machines. Or the folks at DEC, or perhraps Gary Kidall and CP/M for using DEC as a convention. Then the bastards at IBM who moved to ASCII from EBCDIC and needed a carriage return when punch-cards fell out of favor.

The text files we have to day on Windows still have a CR LF (0D 0A) after every line. But Apple uses just uses a line feed (LF) character. There's no carriage to return, but there are lines to advance so it's a logical savings.

Typewriter picture via Wikimedia Commons

Macs and PCs are sharing text more than ever. We live in a world where Git is FTP for code, we're up a level, above TCP/IP where Endianness is hidden, but still in text where CR LF's aren't.

We store our text files in different formats on disk, but later when the files are committed to Git, how are they stored? It depends on your settings and the defaults are never what's recommended.

You can setup a .gitattributes per repo to do things like this:

*.txt -crlf

Or you can do what GitHub for Windows suggests with text=auto.

# Auto detect text files and perform LF normalization
* text=auto

What's text=auto do?

This ensures that all files that git considers to be text will have normalized (LF) line endings in the repository. The core.eol configuration variable controls which line endings git will use for normalized files in your working directory; the default is to use the native line ending for your platform, or CRLF if core.autocrlf is set.

GitHub for Windows offers to normalize the repository's line endingsIt uses the native line ending for your platform. But if you spend a few minutes googling around you'll find arguments several ways with no 100% clear answer, although most folks seem to believe GitHub has the right one.

If this is the right answer, why isn't it a default? Is it time to make this the default?

This is such a problem that did you know GitHub for Windows has dedicated "normalize your repo's CRLF" code? They'll fix them all and make a one-time commit to fix the line endings.

I think a more complete solution would also include improvements to the online diff tool. If the GitHub repro and server knows something is wrong, that's a great chance for the server to suggest a fix, proactively.


Here's some possible solutions as I see it.

  • Make Windows switch all text files and decades of convention to use just LF
  • Git needs to install with correct platform-specific defaults without needing .gitattributes file
  • Have the GitHub web application be more proactive in suggesting solutions and preventing badness
  • Have the GitHub for Windows desktop application proactively notice issues (before I go to settings) and offer to help
  • Make the diff tool CR/LF aware and "do the right thing" like desktop diff tools that can ignore line ending issues

Until something is done, I'll always tense up when I see an incoming pull request and hope it's not a Wall of Pink.


About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Released: ASP.NET and Web Tools 2012.2 in Context

February 18, '13 Comments [87] Posted in ASP.NET | ASP.NET MVC | ASP.NET Web API | VS2012
Sponsored By

One ASP.NETLast year the ASP.NET team started talking about something we're calling "One ASP.NET." I showed some mockups of our ideas last summer at the aspConf Keynote that you can watch online.

We also announced then that we would add new features to ASP.NET as out of band releases (OOB) without breaking existing functionality. This means that developers don't have to wait for the next version of Visual Studio for great web development features today. We're aiming to add to ASP.NET and Web Tools every 6 months.

For those that don't want to wait, Mads and the team also started a feature playground called Web Essentials. This is an extension to Visual Studio that updates all the time with ideas and brainstorms about how VS can be an even better editor for the web. As features "graduate" from Web Essentials, they move into ASP.NET and Web Tools proper. A bunch of features graduate with today's release.

Today we announced ASP.NET and Web Tools 2012.2. You can use the Web Platform Installer to get ASP.NET and Web Tools 2012.2 now.

Get it with the Online Installer:

Get ASP.NET and Web Tools 2012.2 with Web Platform Installer

OR use the Offline Installers:

1. Get the ASP.NET 2012.2 pieces then get one of these

2. Web Tools 2012.2 for any regular Visual Studio 2012 or  Web Tools 2012.2 for Visual Studio Web Express 

Here's some highlights:


Syntax Highlighting for client side templating languages within the HTML editor like:

  • CoffeeScript
  • Mustache
  • Handlebars
  • JsRender

Other editors get new features as well:

  • Syntax Highlighting, intellisense and validation for LESS files.
  • Intellisense for Knockout.js bindings!
  • CSS Auto Sync - type into the CSS editor while the site running and get live updates in Page Inspector
  • Everyone's favorite "Paste JSON as Class." Copy some JSON into the clipboard, paste and get either C# or VB classes for your JSON to serialize into.


Mobile Emulator support adds extensibility hooks so that third-party emulators and unusual browsers can be installed as a VSIX. The installed emulators will show up in the F5 dropdown, so that developers can preview their websites on a variety of devices. Read more about this feature in my entry on the new BrowserStack integration with Visual Studio.


With today’s release, all of the ASP.NET templates have updated versions of jQuery, jQuery UI, jQuery Validation, Modernizr, Knockout, and other open source NuGet packages. Your existing projects won't update unless you update them explicitly.


  • OData support in ASP.NET Web API
  • SignalR included out of the box and fully supported
  • Web Forms now supports Friendly URLs (no more .aspx extension)
  • Web Forms supports device (mobile) specific pages, so product.aspx can also have
  • Updated Single Page Application template
  • MVC Facebook Application Template
  • Web Sites get the same publishing tools as Web Projects

These are just the highlights. But let me call out one specific feature that gets us closer to one of the main goals for One ASP.NET which is what I call a more level playing field.

Community Project Templates

One of the most significant "under the hood" changes is the ability to add a project template via a VSIX.

We'll be seeing an update to the Visual Studio Gallery soon that will make it so you can upload your own VSIX files (Visual Studio Extensions) that can be installed (and easily updated) into the ASP.NET MVC File New Project dialog with one click.

It's important to know that we're only halfway there. This is likely not what the final unified One ASP.NET dialog will end up looking like, but it's a start as it's a good place to open up for new templates.

Phrased differently, project templates should be as easy to share as NuGet packages. That's a goal.

Another goal is to be able to take an example project that looks the way you want, with the NuGet packages setup as you like them, then "Save As | Project Template" then publish the resulting template/VSIX to the gallery. That means projects like NancyFX, or FubuMvc or whatever you can think of can live next to out of the box templates.

Here's the initial documentation on how you can create VSIXs of project templates, get in this dialog and make it easy to spread your vision of a great web app. We are working to make this process fewer steps and unify things, but this works great now with VS2012.2 so you can get started today. Stay tuned for more on this.

In the near future we'd like to see the community sharing project templates that look the way the community wants them to look, living side by side with templates from Microsoft.

The fully populated ASP.NET MVC 4 New Project dialog has many new templates

As start, we're announcing four Single Page Application (SPA) templates you can install now. Please note that these community templates could be anything, the VSIX hooks are wide open, it's just that the first few happen to be SPA templates.

And, a clever play on words from John Papa (because what do you get in a SPA?)

  • HotTowel - a more complex template that includes knockout, bootstrap, sammy, toastr, q, momentjs, breeze and puts them all together into one SPA example.

Note how nice the HTML editor looks when working on an Ember project, for example. We've got syntax highlighting, HTML5 Intellisense and coloring in our Mustache templates.

Mustache template syntax highlighting

Remember, you'll need the 2012.2 release to see these new templates, so use Web Platform Installer to get ASP.NET and Web Tools 2012.2 now. And, if you want check out our future playground features like Zen Coding, CoffeeScript and lots more, also pick up Web Essentials. Note that Web Essentials is a small extension and if it causes you any trouble you can just disable it.

Should you fear this release?

ASP.NET and Web Tools 2012.2 doesn't change any GAC'ed (Global Assembly Cache) files. It won't mess up your install of ASP.NET or change any existing projects. It's changes are either tooling within Visual Studio, or additions and improvements via local NuGet packages.

Go get it. ASP.NET and Web Tools 2012.2

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Teach your kids to be fans

February 15, '13 Comments [15] Posted in Musings | Parenting
Sponsored By

I love how social media shatters the barriers to entry for fans. I can tweet my favorite actors and authors, like my favorite comic artists or writers and connect with them in a way that has not just immediacy but a social connectedness that's so satisfying.

But there's also something to be said for a letter in the mail. Being a fan can be reading and enjoying but it can also be appreciating and reaching out. I'm trying to teach a sense of appreciation to my sons and encouraging them to reach out.

They love these books in the Joey Fly Private Eye series. They are super cute and great fun for the kids.

After reading them (many times) my boys decided that they needed to write a fan letter to the writer, Aaron Reynolds, and the artist, Neil Numberman.

It was more than a fan letter, though, it was a reminder there are Makers out there. There are real humans who think up and create the things they love. Perhaps it's also a reminder that they can be Makers as well if they choose.

Here's what they wrote (the 5 year old, so bear with him):

Are you making more Joey Flies? We think you should

The kids also mentioned that they liked tennis and that my oldest had recently lost a tooth.

And here's what showed up in the mail from Neil Numberman.

My sons as bugs, by Neil Numberman

Note the missing tooth on the bug on the right.

There are no words for the awesomeness of this. This is how you get life long fans, my friends.

Thank you, Neil. You should use your twitter more. ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

I'd like to use the web my way, thank you very much Quora.

February 14, '13 Comments [68] Posted in Musings
Sponsored By

I was browsing the web today, as I often do, with my iPhone on the can. (Yeah, you do it too, don't front.)

A link to an interesting Q&A on Quora came along, so I clicked.

And got this.

No I don't want your app, Quora

Wow. This is bold, even for Quora.

I can peek at one answer, then presumably I'll be so enamored with Quora's walled garden that I'll rush to download their app.

The introduction of iOS 6 also introduced "smart app banners" as a way to let users know that your site has an associated app. The site author just adds a META tag and mobile safari handles the rest.

<meta name="apple-itunes-app" content="app-id=999">

Note that the giant DOWNLOAD THIS APP PLEASE arrow is all Quora and is not part of the iOS 6 Smart App Banner feature. This is equivalent to a YouTube video embedding a "please subscribe video" or a reporter pointing at an unseen 1-800 number added later in post production.

This implementation goes against everything on the web. You're not just actively preventing me from visiting your site by forcing me to log in, but you're also actively forcing me to download your app to access your server.

I don't want your app. Apps are too much like 1990's CD-ROMs and not enough like the Web.

The Web Rejects Hacks

There's a pay wall over at the New York Times, in case you hadn't heard. When you hit the Times enough times or in different ways you'll be prompted to buy a subscription, and it's apparently working pretty well. At least, better than you'd expect.

But the Times uses a number of techniques strike a balance between "open looking" and "totally not open." If you hit a Times link from Google or Twitter, it works. If you hit the times from an email, you get a pay wall. If you read the Times a lot, you get a pay wall. These techniques are wide and varied. They appear to look at your IP, use cookies, use HTTP_Referer, use URL querystrings.

However, the New York Times and other web properties are attempting to use the web in a way that the web doesn't like.  In fact, the NYTimes is actively playing Web Whack a Mole with those that would reject their pay wall.

The web itself actively doesn't like these hacks. It's not just that the people of the web don't like it, that's a social issue. It's that the technology underlayment doesn't like it.

Sites like this want to have their cake and eat it too. They want Google to freely index their content for searching, but when a person tries to actually READ the site they'll pop interstitial ads, use DIVs to cover the content and actively hide it from the user.

The uncomfortable tension for a business is that the web will never see content that's not indexed (by Google, effectively), but it's not OK to serve one piece of content to the GoogleBot and another piece to the live user. So, sites play tricks and the attempt to funnel us into usage patterns that fit their models and their perceptions. They HAVE to serve the whole page to all comers - ah, but do they have to actually let you SEE it?

What's Underneath?

Check out any Quora answer while on a mobile device not logged in. See that scroll bar there? The entire page actually loaded. I can scroll around! The white area is on top, blocking the content.

The scrollbar gives it away

Don't believe me? Gobsmacked? Here's a screenshot of a View Source from my iPhone of this page. Sure the markup is really awful, but squint and you can see the content is there. All of it.

View Source on Quora

I love that my mobile data plan was used to download the full contents of a page that I'm not able to see.

No, I don't want your app. I want to use the web my way. You're not doing it right, therefore I reject you. You need to change your ways.

Yes, it's your prerogative on how you want to run your website, but I propose that just like ExpertsExchange and others before you, the open web will reject your chicanery.

I said Good Day Sir!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Chasing an active Social Engineering Fraud at Amazon Kindle

February 12, '13 Comments [78] Posted in Musings
Sponsored By

TL;DR: I've just spent several hours chasing a socially engineered (not password compromised) stolen Kindle through a series of phone calls, chats, virtual shipping addresses, UPS tracking numbers and more. The irony is that my wasted time is the real loss.

NOTE: Amazon Kindle Support is, and continues to be truly amazing. However, in this instance, they have flawed policies that I have no doubt will be fixed.

All this for the want of a $119 Kindle. Let me start over.

Yesterday I got an email from Amazon that said:

I'm writing to follow-up on our recent chat conversation.
I'm sorry to hear about the problem with your Kindle. I'm sending you a replacement Kindle via Two-Day shipping to get it to you as soon as possible.
Guaranteed Delivery Date: Tuesday, February 12, 2013.

Hm? What? Is this a Phish? No, all the links are valid, email return path is correct, and I confirmed I've received emails like this before.

I log into my Amazon account and I see:


Holy crap. I didn't order that. I click Cancel. Then I get this email a few minutes later:

We weren't able to cancel the following item(s) from your order:
Kindle Paperwhite 3G, 6" High Resolution Display with Built-in Light, Free 3G + Wi-Fi

Looks like they are so efficient that they got the Kindle on the truck already. I check UPS. It's on the way to my house.

I login to Amazon's "Manage Your Kindle" page, and sure enough, there's already 'Scott's 2nd Kindle' sitting there, ready to go. I deregister it.

Hm? Why is this useful? Why do they want a Kindle sent to my house?

At this point I call Amazon and explain the situation to a human. Sue is SUPER nice, SUPER knowledgeable and immediately I can tell she gets it, so someone give Sue G. a raise. She says she's taking it to Fraud and I should hear from them soon. I want to point out here that I'm talking to a human on the phone here.

Sue looks through their details and says there are a series of chats with "Scott" using their Live Chat system. So, this is a social engineering hack, not a "password compromised" hack. The person has reported that "Scott's" Kindle is broken and has asked for a replacement, but then later tried to redirect the delivery. The customer rep says they can't redirect it. However, it appears the bad guy tried multiple support folks until they finally got the package redirected. More on that in a second.

Note that none of this required anything more than my address and my email. They were able to get the Amazon Customer Service to accept that they were me without my password or any additional verification.

I ask Sue to send me the chat logs. She talks to a supervisor and says she can't send them to me because the chat logs contain the address that the bad guy wants to redirect to. She does tell me the redirect address is in Portland, however.

ASIDE: Amazon customer support also "brick" the Kindle for me. It's not just Deregistered (disassociated from my account) now, but it's remotely deactivated. However, I still don't want the bad guy to succeed.

Sue also mentions that the bad guy asked that the customer representative "not bother to send a follow up email, as I never check my email anyway." The bad guy is consistent in this behavior, always asking to avoid the return emails so I won't see them. Of course, the automated system can't NOT send the follow up, which is why we're here now. If that automated email hadn't gone out I wouldn't have noticed this hack until I checked my Amazon Recent Orders at some point in the future.

ASIDE: It's rather ironic that the bad guy's address has more privacy than I do. 
RECOMMENDATION: I recommend that Amazon implement a policy wherein they email the complete customer chat transcripts after the chat completes.
Additionally, my chat transcripts are mine and should be available to me online.

I figure it's done and I go about my day. Next morning I wake up to see a bunch of mails like this, all from different people at Amazon:

Thank you for contacting about your inquiry. It was a pleasure to help you with your concern.
I can confirm that we still expect to ship your order in time to be delivered to you by February 12th, 2013.
We'll send you an e-mail when your order is shipped with your tracking number.  Your order could ship any time between now and right before the estimated delivery date.

Waa? What "concern?" I go to UPS and check the tracking number for the ill-gotten Kindle.

Note the times. Someone is doing this when Amazon phone support is overseas, or when they (the bad guy) is overseas, or at least, up late.


They are still trying to redirect the Kindle to another address, again with the web chat system and multiple times. This sure is a lot of work for a Kindle.

I call Amazon again and re-explain what's up. I ask for the chat transcripts again but they won't send them. Simultaneous to this phone call I email Amazon Customer Support and ask for the chat transcripts (via email, just to be clear) and the chat transcripts show up quickly in my inbox. Doh.

RECOMMENDATION: I'm reiterating here. Policies only work when everyone follows them. The phone folks at Amazon are very consistent, but the chat and email support is, in this case at least, demonstrably spotty.

NOTE: The bad guy isn't "ordering" new stuff, but rather requesting a replacement of an existing product exploiting Amazon's liberal warranty replacement service, then redirecting the package.

OK, now I've got chat transcripts. Here's the annotated and edited transcript.

In case it's not crystal clear here, that's not me chatting here.

Transfer Notes : May I check on my replacement Kindle shipment status that was placed earlier today?
10:11 PM Scott is off hold.
10:12 PM Scott : Hi [Name withheld]
10:12 PM Amazon Rep : Hello, Scott.
10:12 PM Amazon Rep : Could you please help me with the order number?
10:13 PM Scott : I do not have the order number with me right now. Could you please help look into my account? The order was placed earlier in the day.
(ED: Note to Amazon, this is odd, as they are sitting at a computer)
10:13 PM Amazon Rep : Scott, I need the email address associated with your amazon account?
10:13 PM Scott : sure.
10:13 PM Scott : [my email address]
10:14 PM Amazon Rep : Please give me a minute to check that.
10:15 PM Amazon Rep : Before I can view your account I'll need to do a quick security check. Please confirm the email address, complete name, and billing address on your account.
10:16 PM Scott : [my address]
10:16 PM Scott : scott hanselman
10:17 PM Amazon Rep : Thank you for the information.
10:19 PM Amazon Rep : The kindle device which your referring to will be delivered to you by: Tuesday, February 12, 2013
10:19 PM Scott : do you have the tracking number for this shipment?
10:20 PM Amazon Rep : Yes, the tracking number is 1Z0ERxxxxxxxxxxxx
10:23 PM Scott : Thank you.
10:23 PM Amazon Rep : You’re welcome!
10:24 PM Scott : Please hold on.
10:24 PM Amazon Rep : Sure.
10:25 PM Scott : May I know how can I change the shipping address?
10:25 PM Scott : I just contacted UPS, and was told to contact the shipper, which is Amazon, to change the shipping address.
10:25 PM Amazon Rep : This is the shipping address:
Scott Hanselman
[my address]
United States
(ED: Note that they included "United States." This tells me this was copy pasted. No one writes that.)
Primary Phone: [my phone]
10:26 PM Scott : Yes, but I would like to change the shipping address.
10:26 PM Amazon Rep : I am sorry, the shipping address cannot be changed now, since the item has been shipped.
10:27 PM Scott : I understand, but UPS told me that this is still possible, but only Amazon can contact UPS to do so.
10:27 PM Scott : Are you able to transfer me to someone who is able to help out?
10:27 PM Amazon Rep : Please give me a minute to check that.
10:29 PM Amazon Rep : Thank you for being on hold.
10:29 PM Amazon Rep : I've contacted UPS and asked them to hold this package for you.
10:29 PM Scott : ?
10:30 PM Scott : I do not need UPS to hold the package for me.
10:30 PM Scott : Please confirm with me first before making any changes.
10:30 PM Amazon Rep : I understand that you want to change the address, but that cannot be done now since the package has been shipped.
10:31 PM Scott : Could you please help me call UPS to enquire?
10:31 PM Amazon Rep : Sure.
10:32 PM Scott : If you are not able to make any outgoing calls, please transfer me to a colleague who may do so.
10:34 PM Amazon Rep : Please give me a minute to do that.
10:34 PM Scott : Sure.
10:35 PM Scott :
10:41 PM Amazon Rep : Scott, could you please help me with the address to which you want the package to be redirected to?
10:41 PM Scott : Sure.
10:42 PM Scott : [Address in Portland with "NUM99999" at the end of the street]
(ED: This US address is a "Shipping Portal into another country. More on this soon.)
10:43 PM Amazon Rep : Thank you for the information.
10:43 PM Amazon Rep : Please be on hold while I contact UPS regarding it.
10:52 PM Amazon Rep : Thank you for being on hold.
10:52 PM Amazon Rep : Could you please help me with your phone number?
10:53 PM Scott : No worries.
10:53 PM Scott : Sure
10:53 PM Scott : 425-406-xxxx
(ED: I called this. It's a disconnected VOIP number)
10:53 PM Amazon Rep : Please give me a minute.
10:55 PM Amazon Rep : Could you please help me with your country code?
10:56 PM Amazon Rep : Thank you.
11:01 PM Amazon Rep : I am sorry for the delay.
11:01 PM Scott : No worries.
(ED: Conjecture: People comfortable with English say this. This isn't something you hear a lot of non-natives say.)
11:01 PM Amazon Rep : I have requested for a delivery change of the address to the UPS carrier.
11:02 PM Scott : Thank you. May I know when is the scheduled delivery date?
11:03 PM Amazon Rep : You're Welcome. Yes, it will be delivered as scheduled.
11:03 PM Amazon Rep : Here is the link, you may view the details:
11:04 PM Scott : Thank you so much. You do not need to follow up with an email to me as I hardly check my emails. Would that be okay?
(ED: Seriously?)
11:05 PM Amazon Rep : You're Welcome. I am sorry, I'll need to send you an follow up email.
11:05 PM Scott : Oh. You do not have to do so actually.
11:06 PM Amazon Rep : I understand your concern, but as per our policy I'll need to send you an email.
11:06 PM Scott : An auto generated email to complete the survey is fine.
11:06 PM Amazon Rep : Okay, sure.
11:07 PM Scott : I will complete the survey when I have the time, but you don't have to include other details in the email.
(ED: Not cool, Amazon.)
11:07 PM Amazon Rep : Sure, Scott. I'll do that.

Amazon Fraud will handle the IP address tracking and deal with the bad guy, but now I have an address. I get a website and phone number from the address. It's a global shipping logistics company. The weird number at the end of their address is a Virtual Routing number.

An address with a number after it allows folks to have a package mailed to them in the US, then the package is transparently forwarded overseas. This number points to an account they have with a post office in a country in Southeast Asia. They received packages from all over, consolidate them, then ship them on masse. This allows governments and companies (and apparently bad guys) to order stuff from companies inside the US, then pay the international shipping and tariffs as a large shipment when it's sent overseas.

I call UPS with Amazon and we initiate an irreversible Return to Shipper. Amazon Fraud is on it, police contacted. This event is done.


UPDATE: Looks like the use of a Domestic Remailer company also hit Chris Cardinal. Someone tried to have a product mailed to an address in Portland, to a different "logistics company" that forwards mail overseas.

Buy why?

Why all this work for a Kindle? No rock solid idea. Perhaps:

  • Practice? If they can do one they can do 10, then 100?
  • Kindles, especially 3G Kindles, are preregistered to an account that may have One Click Ordering turned on.

How does Amazon fix this?

Here's my recommendations to Amazon on how to fix this.

  • The IP address that the chat happened from was clearly not mine, nor was it likely in my neighborhood.
    • Amazon, like a bank, should notice if a chat or request happens from an unknown location and enforce secondary protocols to check identity.
  • Everything was done over web chat without the user being logged in.
    • No order change should EVER happen anonymously over web chat. Authenticate the user the way you already know how - by making them log in.
  • The bad guy was saying clearly suspicious things. They asked the rep NOT to send emails. That behavior is not normal.
    • Train customer service reps to watch for obviously sneaky behavior, and re-authenticate.
  • The chat transcript wasn't emailed to me. I was notified about an interaction, but not given the context.
    • All chat transcripts should be emailed to the account owner after they are concluded. Chat transcripts should be available to me from my account pages.
  • A half dozen attempts were made in a short period.
    • It appears that the customer reps didn't read the previous interactions and notice that this person was effectively phishing the reps themselves, trying to get satisfaction.
  • The UPS shipping redirect was allowed without authorization.
    • Changing where something is shipped is a big deal. It should be done with significant authentication in place.
  • The resulting destination address was a known international logistics package distributor.
    • There are three in Oregon, which means there are likely only a few hundred, maybe a thousand in the US. Scrutinize orders sent to these "mail launderers."

What do you think?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.