Larry Osterman's WebLog : Fascinating geek stuff

Looking for new skillz (turning the blog around)…

LarryOsterman — Wed, 21 Oct 2009 00:31:36 GMT

Just for giggles, I went looking at the various job listings within Microsoft and outside Microsoft (no, I’m not going anywhere, I was just curious). While looking, I realized that I had absolutely no marketable skills :). Nobody seems to be hiring an OS developer these days.

To repeat and be even more clear: I’m *not* leaving Microsoft. I’m *not* leaving Windows.

I’m just looking for a book or two to read to improve my skills (I do this regularly – most of my recent reading has either been on Security or WPF and to be honest, I’m kinda bored of those topics so I’m interested in branching out beyond security and UI topics)…

I could run out and browse the bookstores (and I might just do that) but I figured “Hey, I’ve got a blog, why don’t I ask the folks who read my blog?”. So let me turn the blog around and ask:

If I wanted to go out and learn web development, which books should I read?

I’ve already read “Javascript: The ood Parts” and it was fascinating but it was more of a language book (and a very good language book), but it’s not a web development book. So what books should I read to learn web development?

I can make it arbitrarily fast if I don’t actually have to make it work.

LarryOsterman — Wed, 30 Sep 2009 00:49:37 GMT

Digging way back into my pre-Microsoft days, I was recently reminded of a story that I believe was told to me by Mary Shaw back when I took her Computer Optimization class at Carnegie-Mellon…

During the class, Mary told an anecdote about a developer “Sue” who found a bug in another developer’s “Joe” code that “Joe” introduced with a performance optimization. When “Sue” pointed the bug out to “Joe”, his response was “Oops, but it’s WAY faster with the bug”. “Sue” exploded “If it doesn’t have to be correct, I can calculate the result in 0 time!” [1].

Immediately after telling this anecdote, she discussed a contest that the CS faculty held for the graduate students every year. Each year the CS faculty posed a problem to the graduate students with a prize awarded to the grad student who came up with the most efficient (fastest) solution to the problem. She then assigned the exact same problem to us:

“Given a copy of the “Declaration of Independence”, calculate the 10 most common words in the document”

We all went off and built programs to parse the words in the document, inserting them into a tree (tracking usage) and read off the 10 most frequent words. The next assignment was “Now make it fast – the 5 fastest apps get an ‘A’, the next 5 get a ‘B’, etc.”

So everyone in the class (except me :)) went out and rewrote their apps to use a hash table so that their insertion time was constant and then they optimized the heck out of their hash tables[2].

After our class had our turn, Mary shared the results of what happened when the CS grad students were presented with the exact same problem.

Most of them basically did what most of the students in my class did – built hash tables and tweaked them. But a couple of results stood out.

The first one simply hard coded the 10 most common words in their app and printed them out. This was disqualified because it was perceived as breaking the rules.
The next one was quite clever. The grad student in question realized that they could write the program much faster if they wrote it in assembly language. But the rules of the contest required that they use Pascal for the program. So the grad student essentially created an array on the stack and introduced a buffer overflow and he loaded his assembly language program into the buffer and used that as a way of getting his assembly language version of the program to run. IIRC he wasn’t disqualified but he didn’t win because he circumvented the rules (I’m not sure, it’s been more than a quarter century since Mary told the class this story).
The winning entry was even more clever. He realized that he didn’t actually need to track all the words in the document. Instead he decided to track only some of the words in the document in a fixed array. His logic was that each of the 10 most frequent words were likely to appear in the first <n> words in the document so all he needed to do was to figure out what "”n” is and he’d be golden.

So the moral of the story is “Yes, if it doesn’t have to be correct, you can calculate the response in 0 time. But sometimes it’s ok to guess and if you guess right, you can get a huge performance benefit from the result”.

[1] This anecdote might also come from Jon L. Bentley’s “Writing Efficient Programs”, I’ll be honest and say that I don’t remember where I heard it (but it makes a great introduction to the subsequent story).

[2] I was stubborn and decided to take my binary tree program and make it as efficient as possible but keep the basic structure of the solution (for example, instead of comparing strings, I calculated a hash for the string and compared the hashes to determine if strings matched). I don’t remember if I was in the top 5 but I was certainly in the top 10. I do know that my program beat out most of the hash table based solutions.

Fixing an accessibility bug with the trackbar common control

LarryOsterman — Wed, 28 Jan 2009 04:17:00 GMT

The trackbar common control is a strange beast.

The trackbar can be oriented either horizontally or vertically. On LTR language machines, when the trackbar is horizontal, it works much as you’d expect it to: The minimum value of the trackbar is on the left, the maximum value is on the right (it’s reversed for RTL languages so it works consistently).

When the trackbar is vertical, it’s a different beast entirely. For whatever reason, the trackbar control designers set the minimum value of the trackbar at the top, the maximum value at the bottom. If you think about how the trackbar designers actually implemented the trackbar this makes sense. If you orient the trackbar so that the minimum value is at the top, then when you need to draw the trackbar you can use the same drawing code to draw the horizontal trackbar – you just swap the X and Y axis (I have absolutely no idea if that’s how it works internally, it just seems to make sense that way).

While this works great for the implementer, for the consumer of the trackbar, it’s a pain in the neck. That’s because the users who interact with the control expect the maximum value to be at the top of the control, not the bottom.

As a result, when you look at code that uses the trackbar control, you end up seeing a lot of:

LRESULT MyDialog::OnNeedTTText(int idCtrl, LPNMHDR pnmh)
{
    LPTOOLTIPTEXT pTT = (LPTOOLTIPTEXT)pnmh;
    if (idCtrl == IDD_TRACKBAR)
    {
        int nPos = (int)SendMessage(TBM_GETPOS, 0, 0);

        StringCchPrintf(pTT->szText, ARRAYSIZE(pTT->szText), TEXT("%d"), 100 - nPos);
    }
    return 0;
}

In other words, retrieve the position from the trackbar, convert it from 0..100 to 100..0 and return that as a tooltip text.

All of this works great – you have a lot of 100 - <n> scattered throughout your code, but it’s not the end of the world. And then one day a tester comes to you and says that when he uses the narrator tool to read the contents of your tool, it reports that the value reported by the control is wrong – when the slider’s at the top (tooltip 100), it reports that the value is 0, when it’s at the 1/4 point (tooltip 75), it reports that the value is 25.

Crud. At this point many developers start scratching their heads and start thinking about subclassing the trackbar to replace the reported position. However that’s way more work than they need to do.

It turns out that the designers of the trackbar control thought of this problem. If you’re using version 5.8 or higher of the common controls, you can specify the TBS_REVERSED trackbar control style to your trackbar. If you do, the visuals of the trackbar are unchanged as is the trackbar functionality, but the Microsoft accessibility framework will look for the presence of the TBS_REVERSED style and if it is found, it assumes that the control is “backwards” and it reports the position for the toolbar as if the maximum and minimum values were reversed.

And no, I didn’t know about this before today. But it was too good a trick not to share.

When you do UX work, sometimes you have to worry about the strangest things…

LarryOsterman — Tue, 13 Jan 2009 20:13:40 GMT

I recently got a bug reported to me about the visuals in the sound control panel applet not being aligned properly (this is from the UI for a new Windows 7 feature):

The problem as reported was that the microphone was aligned incorrectly w.r.t. the down arrow. – the microphone was too far to the right.

But if you look carefully, you’ll see that that isn’t the case – drawing a box around the controls makes it clearer:

Nitpickers Corner: For those of you that love to count pixels, it’s entirely possible that the arrow might be off by a couple of pixels but fixing it wouldn’t fix the problem, because then the arrow would be off-center with respect to the speakers. The real problem is that the microphone icon is visually weighted to the right – the actual icon resource was lined up with the arrow, but because the visual weight was to the right, it displayed poorly.

It turns out that there’s really no good way of fixing this – if we were to adjust the location of the icons, it wouldn’t help, because a different device would have a different visual center (as the speaker icon does)…

Instead, we looked at the visuals and realized that there was an alternative solution: Adjust the layout for the dialog and the problem more-or-less goes away:

The problem still exists at some level because the arrow is centered with the icons but some icons (like the stalk microphone above) are bottom heavy. But for whatever reason, the visuals aren’t as disconcerting when laid out horizontally.

As I said in the title – sometimes you need to worry about the strangest things.

Fixing a customer problem: “No Audio Device is Installed” when launching sndvol on Windows Vista

LarryOsterman — Tue, 06 Jan 2009 22:26:03 GMT

Yesterday someone forwarded me an email from one of our DirectShow MVPs – he was having problems playing audio on his Windows Vista machine.

Fortunately David (the MVP) had done most of the diagnostic work – the symptoms he saw were that he was receiving a “No Audio Device is Installed” error launching sndvol (and other assorted problems).

David tried the usual things (confirming that the driver for his audio solution was correctly installed (this probably fixes 99% of the problems)). He also tried reinstalling the driver to no avail.

He next ran the Sysinternals Process Monitor tool to see what was going on. He very quickly found the following line in the output from process monitor:

"RegOpenKey", "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{e4ee1234-fc70-4925-94e9-4117395f7995}", "ACCESS DENIED", "Desired Access: Write"

With that information, he looked for the ACL on that registry key:

He then looked at the configuration for the Windows Audio service:

Woah – the Windows Audio service doesn’t have access rights to that registry key – the Windows Audio service is running as LocalService and the LocalService account doesn’t have any access to the registry key.

At this point he decided to contact Microsoft with his problem.

I looked at his info and quickly realized that the problem was that somehow the ACL on the registry key had been corrupted: something had removed the entries for the audio services. On a normal Windows Vista installation this registry key’s ACL should look something like:

Something that ran on David’s machines went in and reset the permissions for this registry key to the ACL that is on the root node of the HKEY_LOCAL_MACHINE\Software registry hive. I have no idea what did this, but messing with the ACLs on the registry is a known cause of various compatibility problems. That’s why Microsoft KB 885409 has such strong warnings about why it’s important to not apply blind modifications to files or registry keys in Windows. It’s unfortunate, but the warnings in the KB articles that say that modifying registry keys or permissions can cause your machine to malfunction are absolutely right – it’s not hard to make modifications to registry keys that can really screw up a machine, if you make the right ones. From the KB article:

For example, modifications to registry ACLs affect large parts of the registry hives and may cause systems to no longer function as expected. Modifying the ACLs on single registry keys poses less of a problem to many systems. However, we recommend that you carefully consider and test these changes before you implement them. Again, we can only guarantee that you can return to the recommended out-of-the-box settings if you reformat and reinstall the operating system.

The good news is that it should be relatively simple to fix David’s problem – As far as I know, he has two options. The first is to reinstall Windows Vista – that should reset the ACLs on the property key to their default values (because it will recreate the property keys), which should resolve the problem.

The second solution is to add an ACL to the registry keys under the MMDevices registry key to allow the LocalService account to have permissions to modify this registry key.

I get spam :)

LarryOsterman — Tue, 14 Oct 2008 19:13:04 GMT

I just received this spam message the other day:

From: Microsoft [mailto:customerservice@microsoft.com]

Sent: Saturday, October 11, 2008 11:13 PM

To: Larry Osterman

Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.

2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner

Director of Security Assurance

Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1

AN86DCS206WKI6IK8LIFD5S1VODA48SHXDCG6KT8V4C50MO21RUHP8O84T6P73YGX

EO755U27OA5JVX3U51QF8N2E97FQQDOC6IRHH7T3TSQJRFYYPR3434M634A375LAO

49ICIMQZ680BR307KVS857K6U9UYSBHE20RNI16HUB45SMTDF0DDMQZ4YIR2QIHLD

UVPMVD54LRY8HNLDA020KWMIFYYD9B1A07AM1VWIA0YO8QZO2WLY27KAPXBFDN6DT

48VYUVW7M7JZ5P2NIU7FGDRIGCM819WMKJ2==

-----END PGP SIGNATURE-----

Attached to the message was an attachment named “KB266311.exe”.

I’ve heard that these before but I’ve never received one. Apparently the email was sent from “koln-5d8184e2.pool.einsundeins.de (93.129.132.226)”, which I suspect is a trojaned machine in Germany. In this case I’m pretty impressed with the email – it’s in plain text with the name of a real Microsoft employee, it has a PGP signature (which tends to give credence to the email). On the other hand it has some grammatical errors (“Please notice that Microsoft company has…”, “We apologize for any inconvenience this back order may be causing you”) that give the scam away. I also don’t know what trojan was inside KB266311 because it was filtered by our email servers before it got to me.

For those that are wondering how I knew it came from koln-5d8184e2.pool.einsundeins.de, here’s what I did:

I started with the raw email headers (some servers and IP addresses obscured):

Received: from XXX.microsoft.com (n.n.n.n) by
YYY.microsoft.com (m.m.m.m) with Microsoft SMTP
Server (TLS) id 8.2.83.0; Sat, 11 Oct 2008 23:13:52 -0700
Received: from koln-5d8184e2.pool.einsundeins.de (93.129.132.226) by
ZZZ.microsoft.com (o.o.o.o) with Microsoft SMTP Server id
8.1.291.1; Sat, 11 Oct 2008 23:13:41 -0700
Received: from [93.129.132.226] by QQQ.hotmail.com; Sun, 12 Oct 2008 07:13:17
+0100
From: Microsoft <customerservice@microsoft.com>
To: <<Larry’s Email Address>>
Subject: Security Update for OS Microsoft Windows
Date: Sun, 12 Oct 2008 07:13:17 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01C92C39.FF9CE480"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6Q862Q89QD80AN22RHXR0U7WZ61==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <01c92c39$ff9ce480$e284815d@60GC7Q>
Return-Path: 60GC7Q@hotmail.com
X-MS-Exchange-Organization-PRD: microsoft.com
Received-SPF: TempError (XXX.microsoft.com: error in
processing during lookup of customerservice@microsoft.com: DNS timeout)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.7011.600;SV:3.3.7011.1437;SID:SenderIDStatus
TempError;OrigIP:93.129.132.226
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: TEMPERROR

RFC 2821 says that SMTP servers should prepend a Received: header to an email message whenever they process the email message. In this case the last email server was XXX.microsoft.com. XXX.microsoft.com received the message from YYY.microsoft.com which in turn received the message from koln-5d8184e2.pool.einsundeins.de (einsundeins.de appears to be a german ISP). The next bit of trace is confusing. The machine at 93.129.132.226 says that it received the message from QQQ.hotmail.com.

It’s possible that this spam email originated from hotmail, but I don’t think so. First off, as far as I know, you can’t relay through the hotmail SMTP servers and the sender of the email is “customerservice@microsoft.com” (the sender is included in the Received-SPF header which indicates that the “MAIL FROM” header in the SMTP exchange was “customerservice@microsoft.com”. Secondly the hotmail servers don’t set the X-Mailer header, but this header indicates that it was sent from Outlook 2003. Instead, I think that the bottom Received: header was forged to throw off people trying to figure out where the email came from.

Needless to say, Microsoft will never EVER send a security update to customers by mail, and customers should immediately delete any emails that claim to have security fixes from Microsoft.

THIS is what a Windows PC should look like…

LarryOsterman — Tue, 05 Aug 2008 18:53:48 GMT

We had a neighborhood picnic on Saturday at our neighbors house. While we were chatting in the kitchen, I noticed their new computer.

They had an HP TouchSmart computer, and I have to say that I was blown away by it. I really liked the industrial design and the touch interface is really smooth.

All in all a machine that I’d be happy put in my kitchen. It wouldn’t work as a desktop PC for me (I prefer to have more customizability than you can get in an all-in-one), but for our kitchen PC (which we almost never upgrade) it would be absolutely perfect.

I wish more OEMs spent as much time as HP clearly has on making their machines beautiful.

Oh Wow, Dr. Horrible is AWESOME!

LarryOsterman — Thu, 17 Jul 2008 21:34:06 GMT

Someone just pointed me to http://www.drhorrible.com, which is Joss Whedon’s newest epic.

The first two acts are up on the web (the final act will go up on Saturday).

They are spectacularly cool, especially to a musical nut. I knew that Neil Patrick Harris had great musical chops (after all, he did Assassins on Broadway) but the rest was just fantastic.

Well worth checking out, there are some really funny bits. They did a truly great job on it.

Wow - We hired Crispin Cowan!!!

LarryOsterman — Fri, 18 Jan 2008 21:31:27 GMT

Michael Howard just announced that we've hired Crispin Cowan!

This is incredibly awesome, I have a huge amount of respect for Crispin, he's one of the most respected researchers out there.

Among other things, Crispin's the author and designer of AppArmor, which adds sandboxing capabilities to Linux. Apparently he's going to be working on the core Windows Security team, which is absolutely cool.

I'm totally stoked to hear this - I literally let out a whoot when I read Michael's blog post.

Welcome aboard Crispin :).

Playing Librarian...

LarryOsterman — Fri, 04 Jan 2008 08:22:02 GMT

Those of you who know me (and my family) from beyond my blog know that among my our many passions, one of the biggest is books. And we've got a lot of them.

A couple of years ago, Valorie got me a Flic barcode scanner and a copy of the program Book Collector. I've been using it steadily since then adding the books from the biggest of the 4 different libraries in our house (yeah, we've got 4 separate libraries in the house, I did say we read a lot of books - they are: grown up fiction, kids fiction, non fiction and teaching materials).

Since I was fortunate enough to take the month of December off this year (one of the benefits of working at Microsoft for as long as I have is that I get a lot of vacation time, some of which was due to disappear), I decided to take on the project of working through the books in the big library.

Since I've been working on it pretty much every day off and on for the past 4 weeks, I've looked at a LOT of books recently.

I've developed a pretty good workflow (it could unquestionably be improved, but this one works) for the process of scanning books:

Start Book Collector.
Head into the library from my computer with the Flic scanner in hand.
Start where I last scanned.
Take a book off the shelf:

If the back cover contains a UPC code, check the barcode - if it starts 978 or 979, scan it and go to step 5.
Open the book to the inside front flap. If it contains a UPC code, scan it and go to step 5.
Put the book on the "to be scanned manually" pile.

Take the books on the "to be scanned manually" pile back to the computer.
Plug the scanner into the computer, which will cause the UPC codes to be read in and let the program search for the books.
Add the books found by the scanner to the program.
For each book on the "to be scanned manually" pile:

Check for an ISBN number on the back of the book (usually near the UPC code). If it's there, enter it and go to step 9.
Check the spine of the book. If one of the numbers there looks like an ISBN number, enter it and go to step 9 (I often combine step 8.1 and 8.2 together).

If the number on the spine looks like an ISBN number but is 1 digit too short, try typing it in but add an "X" for the last digit.

Look at the page after the title page of the book - sometimes there's an ISBN number there, if so, enter it and go to step 9.
If no ISBN number is found, put the book on the "to be entered manually" pile.

Have the program scan for the ISBN numbers you just entered, verifying each one as it's found, then add the books if they're correct.
For each book on the "to be entered manually" pile:

Enter the title and author for the book manually
Search for the book.
Walk through the items found adding the best fit ("best fit" can be subjective, I try to find an entry with accurate cover art or an accurate publishers number - but the only books that fall into that final set of books are typically more than 20 years old, so your ability to find accurate information on those books is spotty).

Pick up the books you took from the library and to back to step 2.

That's it. So far I'm up to just short of 3000 books scanned, and I'm in the middle of the letter "S" in the biggest of the 4 libraries. I've added more than 2 thousand books to the program this month (wow).

Some things I've noticed in the process...

We have a lot of books.
As far as the scanning process goes, books fall into roughly five categories:

Those with ISBN numbers on their UPC code - this includes most graphic novels, hard cover books and trade books. Many new paperback books have ISBN13 numbers on their UPC code, but some still don't.
Those with ISBN numbers in a bar code on the inside front cover - essentially this category contains all paperback books from some time in the early 1990s to the present.
Those without ISBN numbers in a bar code on the inside front cover, but with UPC codes that include the ISBN number. Essentially this category contains all books from the mid 1980s to the early 1990s.
Those without a UPC code on the book, but with an ISBN number (or sometimes a SBN number) inside the book. This includes most (but not all) books from the 1970s.
Those without ISBN numbers at all. This includes most books before the early 1970s (yeah, I've got paperback books that date from the mid 1960s).

For books that have ISBN numbers, the amount of information available about the book depends highly on how new it is. For those that post-date Amazon and Barnes&Noble (the primary data sources for Book Collector), the information available is quite good (including reasonably accurate book cover images). For older books, the information available is spotty, usually dependant on the information that 3rd party sellers provide to the various online retailers.
We have an awful lot of books.

I'm only beginning the process of taming the book collection, and I've not even started thinking about dealing with how to maintain the library going forward (but I've got some ideas). As I said, my workflow above could be improved (for instance, I should use a laptop and take the computer to the library to deal with the "to be scanned manually" pile instead of schlepping the pile back and forth.

But working through the piles has absolutely been an enjoyable process - I've also appreciated the opportunity to re-discover old friends, which is always a good thing.

Every Domain Name tells a story, I wonder what this one's was.

LarryOsterman — Wed, 02 Jan 2008 02:17:34 GMT

And I'd love to know the story behind this site: http://www.modestapparelchristianclothinglydiaofpurpledressescustomsewing.com/choosing_your_fabric.htm. I ran across it while shopping online the other day. The root page of the domain (http://www.modestapparelchristianclothinglydiaofpurpledressescustomsewing.com/index.htm) is a 404, but there's a number of pages live under that domain.

I wonder how they ever chose that particular domain name - it's as if they were trying for a half a dozen names and messed them up when they were registering the domain name.

Hanselminutes

LarryOsterman — Wed, 21 Nov 2007 19:29:26 GMT

A couple of weeks ago, Scott Hanselman stopped by my office, and we chatted for almost an hour for his Hanselminutes podcast.

On Monday, he posted the interview - it's mostly me rambling on about security and other stuff, but my ego requires that I mention it :)

So Amazon brought out this "Kindle" thingy... But I have one question for them...

LarryOsterman — Tue, 20 Nov 2007 10:25:14 GMT

Amazon just brought out a new eBook reader called "Kindle". It looks pretty cool, but I have one question: "Where can I go to try one of these out before I fork over $399 for one of them?"

I have a real problem with buying a new technology item (especially one where the form factor is as critical as an eBook reader) without actually having one in my hand before I purchase it. So I'm sitting here wondering which retailers carry the Kindle. For some strange reason, I can't seem to find it on Amazon's web site :).

Somehow I think that once again, I'm going to be waiting until one of my co-workers buys one before I can play with it.

See, there ARE some things that brick&mortar stores do better than electronic retailers - they let you touch the merchandise before you buy it.

Think Geek Responds

LarryOsterman — Mon, 19 Nov 2007 22:19:19 GMT

Valorie just received the following email from Think Geek (in response to our previous issue with them):

From: Caroline Offutt [mailto:<email address at thinkgeek.com>]
Sent: Sunday, November 18, 2007 7:05 PM
To: <valorie's email address>
Cc: Rob Patak
Subject: Issues with ThinkGeek order
Ms. Osterman,
I would like to apologize for all of ThinkGeek for the fraud issues you had with your recent order and the response you received from our customer service department. We are about to roll out our new fraud prevention program including implementing CVN this week (it is unfortunate that we didn't roll it out two weeks earlier). With our new program, most orders, like yours, will process without a hitch and we hope that only those orders that are truly fraud will be stopped. If you are interested, I would be happy to go into more detail of why your order was stopped and how we are changing the process.
If you decide to have your ThinkGeek order# <order number>processed, we would like to take $50 off it. Or if you rather, we will email you a $50 gift certificate to use towards a future order. Please let me know how your would like to proceed. Also, feel free to contact me directly if there is ever anything we can do for you. Because of the holidays, I will be at our warehouse much of the next month and not always available, so please contact Robert Patak, Customer Service Supervisor, if you are unable to reach me (<email address>@thinkgeek.com, <phone number>).
Sincerely,
Caroline Offutt
--
Caroline Offutt, VP & GM
ThinkGeek, Inc.
Tel: <phone number>| Fax: <phone number>

I'm glad to see that they realized that they have an issue - I don't know if they found my earlier whine, or if their internal processes picked up on the issue, but I'm very happy that they're attempting to address our annoyance.

We've still not decided what to do about this issue yet, but I do need to acknowledge that they are listening and are trying to resolve the issue. Two points to Think Geek.

How to lose customers without really trying...

LarryOsterman — Fri, 16 Nov 2007 02:21:00 GMT

Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but Instead of processing her order, they sent the following email:

From: ThinkGeek Customer Service [mailto:custserv@thinkgeek.com]
Sent: Thursday, November 15, 2007 4:28 AM
To: <Valorie's Email Address>
Subject: URGENT - Information Needed to Complete Your ThinkGeek Order

Hi Valorie,
Thank you for your recent order with ThinkGeek, <order number>. We would like to process your order as soon as possible, but we need some additional information in order to complete your order.
To complete your order, we must do a manual billing address verification check.
If you paid for your order via Paypal, please send us a phone bill or other utility bill showing the same billing address that was entered on your order.
If you paid for your order via credit card, please send us one of the following:
- A phone bill or other utility bill showing the same billing address that was entered on your order
- A credit card statement with your billing address and last four digits of your credit card displayed
- A copy of your credit card with last four digits displayed AND a copy of a government-issued photo ID, such as a driver's license or passport.
To send these via e-mail (a scan or legible digital photo) please reply to custserv@thinkgeek.com or via fax (703-839-8611) at your earliest convenience. If you send your documentation as digital images via email, please make sure they total less than 500kb in size or we may not receive your email. We ask that you send this verification within the next two weeks, or your order may be canceled. Also, we are unable to accept billing address verification from customers over the phone. We must receive the requested documentation before your order can be processed and shipped out.
For the security-minded among you, we are able to accept PGP-encrypted emails. It is not mandatory to encrypt your response, so if you have no idea what we're talking about, don't sweat it. Further information, including our public key and fingerprint, can be found at the following
link:
http://www.thinkgeek.com/help/encryption.shtml
At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.
We apologize for any inconvenience this may cause, and we appreciate your understanding. If you have any questions, please feel free to email or call us at the number below.
Thanks-
ThinkGeek Customer Service
1-888-433-5788 (phone)
1-703-839-8611 (fax)

Wow. We've ordered from them in the past (and placed other large orders with them), but we've never seen anything as outrageous as this. They're asking for exactly the kind information that would be necessary to perpetuate an identity theft of Valorie's identity, and they're holding our order hostage if we don't comply.

What was worse is that their order form didn't even ask for the CVE code on the back of the credit card (the one that's not imprinted). So not only didn't they follow the "standard" practices that most e-commerce sites follow when dealing with credit cards, but they felt it was necessary for us to provide exactly the kind of information that an identity thief would ask for.

Valorie contacted them to let them know how she felt about it, and their response was:

Thank you for your recent ThinkGeek order. Sometimes, when an order is placed with a discrepancy between the billing and the shipping addresses, or with a billing address outside the US, or the order is above a certain value, our ordering system will flag the transaction. In these circumstances, we request physical documentation of the billing address on the order in question, to make sure that the order has been placed by the account holder. At ThinkGeek we take your security and privacy very seriously. We hope you understand that when we have to take extra security measures such as this, we do it to protect you as well as ThinkGeek.
Unfortunately, without this documentation, we are unable to complete the processing of your order. If we do not receive the requested documentation within two weeks of your initial order date, your order will automatically be cancelled. If you can't provide documentation of the billing address on your order, you will need to cancel your current order and reorder using the proper billing address for your credit card. Once we receive and process your documentation, you should not need to provide it on subsequent orders. Please let us know if you have any further questions.

The good news is that we have absolutely no problems with them canceling the order, and we're never going to do business with them again. There are plenty of other retailers out there that sell the same stuff that ThinkGeek does who are willing to accept our business without being offensive about it.

Edit to add: Think Geek responded to our issues, their latest response can be found here.