Security – pah!

Most ‘security’ arguments are little more than thinly disguised attempts by IT departments to get back the power and control they had in the golden era of the mainframe.

That pretty much sums up the view of most of us at the dev conf last Saturday. And I think a fair bit of the web app and server based systems focus was put down to similar motivations.

I’m not saying security isn’t important and neither was anyone else, just that as business developers working in and around Excel it probably doesn’t need to be top of our agenda.

What do you think?

In most organisations it really is someone else’s job, or possibly something else’s job (Firewall, Anti virus etc etc). That’s not to say we abdicate all responsibility, just assign a level appropriate to our exposure.

I think for developers in other areas, especially web apps that are connected to the wild wild web, security does need serious focus. For most Excel/VBA stuff I’m not so sure.

Many of the delegates set macro security to low, preferring instead to rely on other controls, like trust of where a workbook comes from and AV scanning etc. Personally I prefer medium, but having discussed it I can understand why others feel comfortable with low. (Of course, I can’t see how to set Excel 2007 to my preferred setting.)

Incidentally Charles also pointed out the most recent VBA malware report he could find was from 2002. I’m more concerned with crapware VBA (ostensibly innocent, but so badly written maliciousness may be closer).

Should our little part of the business/developer world worry more about security? What benefits would it bring? What real-world losses could have been avoided? And what macro security setting do you use?

Cheers

Simon


15 Responses to “Security – pah!”

  1. Jon Peltier Says:

    I don’t recall where I saw this earlier this week:

    Any sufficiently advanced incompetence is indistinguishable from malice.

  2. Jon Peltier Says:

    BTW, I use medium security. It is hard to find in O2007. Unfortunately, sometimes the warning is cleared almost automatically by the user without considering what it means.

  3. Simon Says:

    Reminds me of Blunderon the spreadsheet saboteur, a previous ‘work’ colleague who killed everything he touched.

    Glad it’s not just me hunting for medium. Presumably another victim of the User Experience disinformation.

  4. MacroMan Says:

    I use medium. In our office, we build our own spreadsheets. If we need to share it, we save it in a group drive where anyone has access. If we email it to a coworker it’s a non event since they know it’s coming from a trusted source.

  5. Dennis Wallentin Says:

    I always sign my VBA solutions (as well as VB/VB.NET) which eliminates to a high degree the macro security setting.

    Kind regards,
    Dennis

  6. Stephane Rodriguez Says:

    I especially like using signed macros. There’s nothing like getting emergency support to your customers whenever the digital certificate expires (usually breaks their business).

  7. MikeC Says:

    Medium, always. If something comes through from someone I know, I enable. If it comes from someone I don’t (a frequent event here), and asks for confirmation, I generally opt for “disable” and have a look at the code contained therein first, and would then re-open in enabled if ok. This is to avoid crapware as opposed to malware – we’ve had (e.g.) people getting carried away with Kill statements in the past, and seen huge swathes of stuff disappear because they weren’t quite specific enough in their instructions…

    Aside from a general awareness and an avoidance of doing particularly stupid things, I don’t think about it (security) too much.

    (I don’t need to find Medium in 2k7 for a while. The joys of working for a company still running on 2k!)

  8. Dennis Wallentin Says:

    Stephane,

    Can You give more info about the following two scenarios?

    Case: An Excel solution is signed with a certificate that expired yesterday 5-12-2007.

    Scenario 1: The customer opens Excel and uses the solution today 6-12-2007.

    Scenario 2: The customer opens Excel and changes and saves the solution today 6-12-2007.

    What will happen?

    Kind regards,
    Dennis

  9. Charles Says:

    Google sabotages Excel with Desktop Search

    You may be amused to know that I finally found out what was slowing down most (but not all) of my Excel systems.

    Turned out to be the Google Desktop Office COM Addin.

    Looks like it sets up some application level events so that it gets triggered anytime you change selection, clear or delete or write from vba to excel! Presumably then tries to update its indexes.

    Definitely worth switching it off.

    regards
    Charles

  10. Stephane Rodriguez Says:

    @Dennis,

    You wrote an insult the other day, and now you are asking me questions?

  11. Dennis Wallentin Says:

    Stephane,

    You seem to be the expert around here when it comes to certificates by claiming they break customers’ business.

    Can You please answer the questions?

    Kind regards,
    Dennis

  12. Ken Puls Says:

    Stephane, I’m also curious as to Dennis’s question.

    I use SelfCert to create my own digital certificates, but have never had one expire on me yet. (I appreciate that there are differences between SelfCert and commercial certificates.) I assume that you use a commercial cert, and am definitely curious as to what the customer sees when it expires… :)

  13. Charlie Says:

    I use medium and suggest to my clients they use medium – many have it set to low. I also use self-cert for my in-house macros – I have tried self-cert with clients, but it is a lot of hand holding to get their computers set up properly – so I have not pursued it much.

    Interesting comment on google desktop com conflict – will need to investigate

    –Charlie

  14. Nicholas Hebb Says:

    Re Medium in Excel 2007:

    I have a troubleshooting guide in my help file, including a small section on security settings. Just look at the number of steps to set the security in Excel 2007 compared to earlier versions:
    http://www.breezetree.com/flowcharting-software/help2/index.html?troubleshooting.htm

    It’s astounding.

    (BTW, if anyone spots any errors in that, please let me know.)

  15. Dennis Wallentin Says:

    Stephane,

    Let me fill in the gaps when it comes to digital certificates and signing Excel VBA solutions (After all, I have only used it for about 8 years so I’m not an expert on the subject).

    Scenario 1:
    The VBA solutions will continue to run. The key aspect here is that we use time stamping and therefore the customers’ businesses will *not* be broken.

    Scenario 2:
    When saving the changes of the VBA solutions the digital certificate will be detached from the Excel file. This is not because the certificate has expired; it’s due to the lack of the private key that is required to reassign the certificate for the solution after the changes have taken place.

    Therefore the customers’ businesses will *not* be broken.

    Ken,
    AFAIK certificates created with the SelfCert.exe should not have any limitations when it comes to expiring dates. But on the other hand they are limited when it comes to distribution.

    Thanks and good bye
    Dennis
