Office Secure ™

I was thinking about the current general security undercurrent/fashion. I’m seeing a lot of auditor driven pointless security, and tick box driven busy work, but it did get me thinking.

All you auditors – if the bad guys are on your network they own you completely. Password protecting financial spreadsheets is not going to save you. In fact suggesting it as security when MS explicitly state it is not, probably amounts to professional negligence. </end rant>

back on topic:

What if MS produced a new ‘secure’ version of Office (in addition to the real one).

  1. No macros (xlm style)
  2. no VBA at all
  3. no automation from external clients (VB/.net etc)
  4. no call/register
  5. no scripting
  6. maybe just code signed .net extensions?
  7. some kind of file access limitations
  8. no linked tables/ external data stuff
  9. no email automation etc.
  10. what others have I missed?

I am resisting suggesting that this is similar to some open source alternatives, because many of them have a rich feature set. But open source could well be a viable alternative to office secure ™.

Could you see your organisation moving over to gain the ‘security’ benefits? Or would you continue with the ‘insecure’ one because it offers functionality that you rely on?

I think MS are probably under pressure to improve the ‘security’ (as measured by the tick box brigade), I worry that may be at the expense of functionality we rely on. If they brought out an additional cut down version, then the box tickers could migrate to that and suffer the limitations but feel secure. And the rest of us could continue adding real business value using the full power of the full fat version.

I’m sure the cut down version could be generated from the same source code – just remove all the useful stuff, compile and release. So there shouldn’t be too much of a maintenance headache.

What do you reckon?

If you would be interested in office secure ™, maybe you would be interested in my PC secure ™ application? (It just turns your PC off and stops it booting up – now that’s real security!) (send your cash in small denomination notes to …)

cheers

Simon


7 Responses to “Office Secure ™”

  1. Marcus Says:

    Hi Simon,

    Another layer to the security model, at least in corporate environments, is the network itself. You need access rights to log on – even then to a limited number of resources (printers, drives etc.) Even this isn’t perfect (as pointed out with DOS batch files in a previous post). Then there’s the physical layer. Although none of this is iron-clad.

    I recall a conversation I had with a policeman (neighbourhood watch meeting, I think). The basic gist was: if a thief is determined enough (and the payoff high enough), there’s pretty much not much you can do to prevent them stealing your car (or robbing the house). The best you can do is make it so difficult that they look for another target.

    Regards – Marcus

  2. sam Says:

    Hi Simon,

    1 ) How about just increasing the encryption level of the sheet, workbook and VBA module password to the same level as that of the file password…..

    Today the file level password is the only password that can’t be broken under a minute if it is reasonably long (6+ characters containing, text, numbers, special chars)

    If the same happened for the remaining passwords I would be more than happy….

    2) The second feature I would like to see in “Office Secure TM” is to include a file attribute called “Original” which should change to “Copy of Original” the moment the user creates a copy of that file through any means…..

    This would help Copyright issues….

    Regards -Sam

  3. Simon Says:

    Sam
    increasing s/s security as you suggest would be like putting locks on all your internal house doors. Might be useful if you live in a high risk area, but much better to keep the bad guys out altogether.

    Defense in depth makes lots of sense but I suspect we all have a different security v productivity sweet spot. I wish they would remove all the password stuff from Excel to make sharing and communicating better/easier.
    I think security effort should be focused at the perimeter, and on user training. Most users will give a stranger their logon credentials for a piece of chocolate.
    cheers
    Simon

  4. Ross Says:

    “Sam
    increasing s/s security as you suggest would be like putting locks on all your internal house doors. Might be useful if you live in a high risk area, but much better to keep the bad guys out altogether.”

    Quite right.

    “security” in the modern sense, is fundamentally flawed. Vista is rubbish because MS have followed the modern security idiom, what Simon has called his “PC secure ™ application”.

    The reason why these security issues have arisen is due to poor user skills / stupid users. I don’t think stupid users is a problem that can be fixed. I don’t think you can stop people from trying to exploit stupid users either….

    So I guess that leaves you with Vista and Office Secure TM!

    So where does that leave us?!

  5. Harlan Grove Says:

    So what are the numbers? How many Office document exploits are there compared to malicious e-mail attachments (not Office documents), malicious websites, infected removable media?

    Anyway, if you’re paranoid about computer security, WHY, OH WHY would you run any version of Windows as opposed to Mac OS X or Unix/Linux/BSD? If the goal of security is convincing the crooks to bother someone else, wouldn’t OS choice be the obvious starting point?

    Impractical for you 3rd party developers. So how much Excel work would there still be for y’all if there were nothing other than worksheet formulas?

  6. sam Says:

    Harlan…..

    I also feel the security of a software is somehow linked to the popularity…..more popular the software….less secure it would appear to be…

    Let’s look at Excel v/s any other spreadsheets (say Quattro Pro or Lotus)….

    Now if you googled for a password breaker for Excel…you probably get very long list of sites offering solutions (free and paid)….

    On the other hand for other spreadsheet the list would be shorter….

    My theory is – who would want to spend time trying to break a password of an application no one uses…….

    So just because there are not many password breakers for a particular application does not necessarily mean that it is more secure than its popular counterpart…it could mean that not many people have spent time breaking it….

    I think this is what has happened to Win / Office combo….they are just far too popular than their other counterparts …….
    …..I am not denying the general negligence on MS regarding security in all their applications….but maybe popularity has its negative effects…

    Sam

  7. Harlan Grove Says:

    Sam,

    Did I say anything about applications? Perhaps you could point out where if I did because I can’t find any mention.

    Does Excel run on Macs under Mac OS? Yes, it does. Does Excel run on PCs under Linux using sealed off, emulated Windows virtual machines? Yes, it does. Is it NECESSARY to run ANY version of Windows to run any version of Excel? Maybe Excel 2007, but not ANY other version.

    On their own, how are applications insecure? They aren’t. They can’t even corrupt their own stored data without going through the OS to write or modify files. It’s the OS interface that causes trouble, and Windows provides inadequate means to isolate applications from the OS.

    Now let’s get back to Simon’s metaphor. If the most popular area to live also has the highest number of home and auto burglaries, what would be the simplest way to reduce your own odds of being burgled, assuming you gave greater weight to protecting your property than living at the poshest address? OTOH, if your address is everything, learn to accept the crime rate as part of the ambiance.
