Scrubbing UserId in Windows Azure Mobile Services

First, many thanks to Chris Risner for the assistance on this solution!   Chris is part of the corp DPE team and has does an extensive amount of work with Windows Azure Mobile Services (WAMS) – including this session at //build, which was a great resource for getting started. If you go through the demo of getting started with WAMS building a TodoList, the idea is that the data in the todo list is locked down to each user.   One of the nice things about WAMS is that it’s easy to enforce this via server side javascript … for example, to ensure only the current user’s rows are returned, the following read script can be used that enforces the rows returned only belong to the current user: function read(query, user, request) { query.where({ userId: user.userId }); request.execute(); } If we crack open the database, we’ll see that the userId is an identifier, like the below for a Microsoft Account: MicrosoftAccount:0123456789abcd When the app connects to WAMS, the data returned includes the userId … for example, if we look at the JSON in fiddler: The app never displays this information, and it is requested over SSL, but it’s an important consideration and here’s why.   What if we have semi-public data?   In the next version of Dark Skies, I allow users to pin favorite spots on the map.  The user has the option to make those points public or keep them private … for example, maybe they pin a great location for stargazing and want to share it with the world: … Or, maybe the user pins their home locations or a private farm they have permission to use, where it might be inappropriate to show publically. Now here comes the issue:  if a location is shared publically, that userId is included in the JSON results.  Let’s say I launch the app and see 10 public pins.  If I view the JSON in fiddler, I’ll see the userId for each one of those public pins – for example: Now, the userId contains no personally identifiable information.   Is this a big deal, then?   It’s not like it is the user’s name or address, and it would only be included in spots the user is sharing publically anyway. But, if a hacker ever finds a way to map a userId back to a specific person, this is a security issue.  Even my app doesn’t know who the users really are, it just knows the identifier.  Still, I think from a best practice/threat modeling perspective, if we can scrub that data, we should.  Note: this issue doesn’t exist with the todo list example, because the user only, and ever, sees their own data. Ideally, what we’d like to do is return the userId if it’s the current user’s userId.  If the point belongs to another user, we should scrub that from the result set.   To do this via a read script in WAMS, we could do something like: function read(query, user, request) { request.execute( { success: function(results) { //scrub user token if (results.length > 0) { for (var i=0; i< results.length; i++) { if (results[i].UserId != user.userId) { results[i].UserId = 'scrubbeduser'; } } } request.respond(); } }); } .csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }If we look at the results in fiddler, we’ll see that I’ll get my userId for any of my points, but the userId is scrubbed if it’s another user’s points that are shared publically: [Note: these locations are random spots on the map for testing.] Doing this is a good practice.  The database of course has the correct info, but the data for public points is guaranteed to be anonymous should a vulnerability ever present itself.   The downside of this approach is the extra overhead as we’re iterating the results – but, this is fairly minor given the relatively small amounts of data. Technical point:  In my database and classes, I use Pascal case (as a matter of preference), as you can see in the above fiddler captures, such as UserId.   In the todo example and in the javascript variables, objects are conventionally camel case.   So, if you’re using any code here, just be aware that case does matter in situations like this: if (results[i].UserId != user.userId) // watch casing! .csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; } Be sure they match your convention.   Since Pascal case is the standard for properties in C#, and camel case is the standard in javascript, properties in .NET can be decorated with the datamember attribute to make them consistent in both locations – something I, just as a matter of preference, prefer not to do: [DataMember(Name = "userId")] public string UserId { get; set; }

Best Buy Employees: Hear Me

Today I made a fairly exciting trek to Best Buy to buy some printer ink.  I live on the edge! While I was checking out and paying with my credit card, the cashier asked to see my ID.   I admit, I’ve shown it in the past, and it has always irritated me.  It doesn’t irritate me because it’s inconvenient to take my license out of my wallet, but rather, because it doesn’t do anything but put me at risk. Merchant agreements (at least with Visa cards) basically say the merchants can’t demand to see any form of ID to verify the card holder if the card is signed (of course they can require it if you’re buying something that requires ID – like alcohol), but they can ask (and most people may assume that if they’re asking, they don’t have a choice).  The problem with asking for ID is that it exposes essentially any information on that ID – your name, address, height, weight, eye color, license number, date of birth, etc.    Now, we can argue the cashier (or anyone else within visual distance) couldn’t possibly remember any incriminating information, but that’s not the point.   Fundamentally, it exposes you to a greater risk of identity theft. The clincher is this – I tried to explain in a friendly way why I was hesitant to show my ID, but the cashier was visibly aggravated and simply said, “I’m just trying to protect you.”   I firmly believe that he believes this, but it’s just not the case.  In a credit card transaction, we have Visa, the bank who issued me the card, Best Buy (in this case), and me, all involved in this transaction.   In reality, he’s protecting Best Buy, not me.  Nothing wrong with that as an employee, but not at the expense of exposing my personal information. On 2 occasions over the past 10 years, my credit card information has been compromised by someone – I never found out how because Visa won’t tell me, but they were pretty broad cases that happened to many people online so the presumption was an online retailer was compromised.    In any event, it was not really a problem – I signed a paper that said I didn’t make the charge, and the problem for me was gone.  It would be far worse if someone opened an account in my name or I was a victim of fully blown identity theft.   And the best way to avoid identity theft is to never expose your personal information. In this case, if I were a criminal (craftily trying to forestall suspicion by buying printer ink for $30 instead of a $10k home theater) I would’ve refused to show ID and Best Buy would have to accept the sale anyway (if my signatures matched).   So all I’m doing is proving I’m me, and I already knew that.  So what could the Best Buy cashier do?   Well, comparing signatures on the card is a pretty fool proof method --  nothing more is needed.  Next is applying common sense – I’m buying printer ink for $30.   Visa will automatically call me or block an ‘out of character’ transaction.    I used to work retail and the credit card machine would return a “Call” message instead of “Approved” in these cases.  If I fail the signature test, either call Visa or ask for an ID. What happens if I was a criminal and was able to buy the ink?  Well, I’d notice this on my statement and refute the charge, at which time someone will be screwed – either Best Buy or the bank – I’m guessing it depends on what kind of evidence is produced and perhaps their agreements in place, I’m not sure.    So if Best Buy or another merchant is so exposed, why accept Visa (or other) credit cards at all?   As I mentioned above, signatures are a pretty fool proof method.  But, the reason is getting more business.   Best Buy has the option to not accept Visa, but they have made the choice to accept the merchant agreement in doing so.   If Visa thought it was a problem, they’d change the agreement or put my picture on the card. Should the cashier or any other merchant read this, my advice is to always be friendly – lose the chip on your shoulder if you have one.  I was politely trying to explain this and not give the guy a hard time (no one was in line behind me), so as long as I’m friendly, be open to the possibility I might know what I’m talking about.   In turn, it aggravated me that he was so aggravated.   I’ve been there myself, and I work with customers all the time today – fortunately the vast majority are great.  Coincidentally, and to make this entry a little more apropos, while I was writing this I saw a Microsoft commercial for IE8 that talks about identity theft – check it out at http://ie8protects.com… it’s a “reality” style commercial where they set up a fake bank, and entice customers into a false sense of security – it was pretty funny actually, especially since I was writing this post! How about you?  Do you care if merchants ask to see your ID?   If so, did this post change your mind?

My Apps

Dark Skies Astrophotography Journal Vol 1 Explore The Moon
Mars Explorer Moons of Jupiter Messier Object Explorer
Brew Finder Earthquake Explorer Venus Explorer  

My Worldmap

Month List