Archive for the ‘security’ Category

Information Rights Management in Excel

Tuesday, 24th November, 2009

I was poking around the newsgroups last night when I came across a thread about IRM failing in Excel.

A few people seem to be suffering the same problem – within the last two weeks something changed and now their credentials are not accepted by Excel and they are locked out of their files. (Here is the link.)

My first thought was the Nov security hotfix for 2007 and 2003, but actually the thread is developing more along the lines that something changed at Hotmail (the credential authority).

I have never used IRM:

  • a. because I don’t put my Excel machine on the internet
  • b. because fear of being locked out of my own files far outweighs the comfort of knowing other people who might get hold of it will be locked out.

Do you use IRM?

Do you have a fix for the issue these folks are seeing?



Should we care about the Clients Environment?

Friday, 20th November, 2009

Dennis made an interesting comment on a previous thread about how as developers we should be making use of multiple virtual machine technology to mimic our clients’ environments so we can better support them.

It’s a good point… but I completely disagree.

Some developers should do that for sure, what Microsoft calls ‘professional’ developers perhaps. I prefer to think of Excel/VBA developers as business developers; we are a bit closer to the business and a bit further away from the bits and bytes of hardcore coding.

We express our business knowledge in Excel and VBA for a variety of reasons. One vital one for me though is ease of deployment and hence support.

If I write a decent spreadsheet in Excel 2000, I can reasonably expect it to work perfectly in Excel 2000, 2002, and 2003. I can expect it to work at least partially in 2007. That is irrespective of the wider target environment, user rights, security credentials, previous installed components, corporate build oddities etc etc. There is no dll hell in Excel*.

If the client has Excel they can run my application. Full stop, end of.

(Of course there is a little excitement about macro security, the way they messed up expired signatures, the fact no one uses them because they are such a blatant scam etc)

*(OK, so we sometimes get “cannot find project or library”, but if we keep things close to Excel/VBA and develop with care, and with some consideration for the client’s environment, that doesn’t happen much, and can usually be easily fixed.)

This trivial deployment leaves us business developers free to invest our time in understanding the business better and improving our software development skills. Deployment skills? System admin/security skills? Heard of them, don’t want them or need them.

This is one of the biggest reasons I have not focused on .net – it’s a deployment nightmare. Of course that’s solvable, just invest a bunch of time and effort learning sys admin stuff and security stuff, and a bit of virtual machine trickery and job’s a good ’un. But I don’t want to do that, I want to improve my business knowledge and my coding skillz. Luckily Microsoft cater for folks like me with Excel VBA.

Don’t get me wrong .net works well for corporate developers (once they have the required sys admin knowledge) but for independent devs like me, there is way too much pain to trawl through to distribute and support custom built .net components.

So I care a little bit about my clients’ environment, but not much. And frankly I think the fact that developers have to spend time and effort creating such close replicas of a client’s environment is a huge fail for Windows software development and for Microsoft. ‘Write once deploy everywhere’ – in yer dreams!

Major service packs? Fair enough. When you need to remotely replicate their level of hotfixes across a broad swathe of operating system components and applications the process is seriously broken IMO.

When I did ASP development I had to get intimate with IIS to be able to work out when things went wrong whether it was our code or the server environment. If my Excel app goes wrong, it’s my code, no investigation required (roughly).

I don’t have anything against .net, there is much about it I like, I just don’t think it’s aimed at pragmatic delivery focused independent desktop developers (like me). (Hence, for the observant, the pic is from .net 1.1 from 2003.) I jump at any chance I get to develop in C#, the joy of a modern language and a modern IDE, but this tends to be when I am contracted on-site in the role of corporate dev, rather than independent software developer.

What about you? Do you find distributing your .net apps a true joy, the real highlight of your dev cycle?

Are you juggling more than 10 virtual machines, and keeping the patching in step with clients?

Which do you prefer, development or deployment?

Do you agree with the separate roles of corp dev and business dev?



New Excel zero day exploit

Thursday, 26th February, 2009

Be careful what you are opening!

Seems there is a new vuln being actively exploited – across all recent versions of Excel, including the viewers.



End User Computing Czar

Wednesday, 25th February, 2009

One of my firmly held spreadsheet quality views is that companies could benefit from a single point of focus for their End user computing.

That could be a person or a department, but let’s start with a person. Their role would be to educate and support and, where necessary, force compliance with quality/control standards.

I think this role kind of exists in many small to medium companies in the shape of the Office expert – to whom everyone turns when they have a problem.

Larger orgs may have information protection czars, and/or network czars, database czars, desktop build czars. In short they have a person or a department specifically responsible for every significant part of the IT infrastructure except the most important – the End User Computing jungle.

Does anyone know of any companies that do have a head of EUC or something similar on an equivalent level to the boss of networking, or client apps or whatever? I.e. a senior role at or just below board level. No need to mention the company name, just a “yes I have seen it” or a “no never”.

How was it structured? Did they report through IT/IS or finance or another user department or what?

I think organisations are realising what a mess their EUC resources are, but I don’t see much sign of the most obvious way to manage them – assign a manager!

Do you see it?

Is it just too politically hard to work across departments in the way this would need to succeed?




Tuesday, 20th January, 2009

Sometimes one might like to submit a spreadsheet somewhere for some help or support or whatever.

Often spreadsheets contain sensitive info, normally the main part of that is the text.

So great news then that Codematic today announces the release of a little workbook with a bit of VBA in it that will enable you to remove or replace all that sensitive text.

Full details here

It’s only been very basically tested, so if you come up with any issues please let me know.

If you would like to use it to help Microsoft in their quest for poor performing VBA in 2007 then please do.

It doesn’t do names, or styles or anything clever, just text. The code is unprotected, if you come up with an enhancement please leave the code as a comment.

Please let us know how you get on.



Excel code deployment

Tuesday, 6th January, 2009

One of the oft quoted barriers to .net and Excel take up is the deployment hassles with the .net components. I have concerns in this area too (and have voiced them), but I wonder how obstructive they really are.

Every client I have worked with recently has at least .net 2.0 on their corporate desktops. Whilst no one seems keen to deploy more than necessary to their desktop estate, I can imagine getting say the VSTO runtimes deployed could be do-able. Everywhere I have worked uses rich powerful tools to manage their desktops, either SMS, or Altiris or similar.

Another common discovery is enterprise data sources replicated in tatty spreadsheets because the users did not know about, or could not access, or did not trust the enterprise solution.

These factors make me wonder if the challenge of .net/Excel solutions deployment is either all in the mind, or a cultural/business politics issue? I certainly don’t think there are significant technical barriers.

So if we want to boost uptake then we need to be addressing cultural/social type issues. Microsoft can’t do this alone, or maybe not even at all. They can address the technicalities, and I think they are with VSTO for example.

Here are some of the obvious issues:

  • business users rarely have official access to .net dev tools.
  • business users do not want to be tied to IT deployment requirements (time scales, quality, access, testing)

What we need are some compelling applications or systems that demonstrate how and why .net is so much better than what everyone is currently doing. Now I haven’t gone too far out of my way to look under absolutely every stone, but I haven’t come across anything in .net that made me think: wow that is so much better than anything we have now.

I have seen that with C. Fast UDFs is a compelling feature IMO. If .net could write UDFs that are as performant as the C API, but easier to learn, and safer to write, and supported on Excel Services and realistic for business developers to deploy, and maybe worked with the numpty UI, then I think .net might gain some traction with Excel devs. It would need to work (seamlessly) with more than the latest version of Excel.

.net apparently has some great UI stuff, but Excel is not Photoshop, or Powerpoint. I’m not sure glitzy UI is as important to many Excel users as the Office team seem to think. Although I’m not claiming any authority in this area – I’m not big on UI.

I have done a few data access apps in C# and it works very well. One was a command line app – C# is much better than VB6 for that, and much easier than C/C++.

Are you seeing more opportunities in .net?

Are business users starting to show more interest, or am I spending too much time in IT departments?



Spreadsheets as functions

Tuesday, 23rd December, 2008

Some significant time ago those nice people at Resolver emailed me about a new feature they had added to the then latest version. (BTW they have some competition on at the moment to win 17k USD – that’s about half a million fine British pounds I think at today’s exchange rate?)

Unfortunately, it arrived at the point of maximum turmoil in my web life (change of hosting and all the crap that goes with it).

Anyway the point was a new feature that allows one resolver workbook to expose its logic as if it were a function to other workbooks. That means you can pass in parameters and receive back an answer/value.

I think that’s pretty neat. I have always maintained that the most important component of spreadsheets is the logic not the data. The data is normally sourced from, and still available in, some enterprise system somewhere. People aren’t trying to expose the static data they have in spreadsheets – they are trying to expose the logic, certainly in my experience. Would you agree?

I’ve written a few systems that open up a specific workbook in Excel, throw in a load of values, calc, run some VBA (sorry Excel Services!), calc a bit more, then fire out a value or a few values to some web front end or other spreadsheet. I think that is a fairly common usage pattern, does anyone else come across it?

What sort of things do you do to implement this functionality?

Do you use Resolver to do it?



Safe spreadsheeting

Tuesday, 16th December, 2008

Has anyone done the safe spreadsheet assessment from Q-Validus here?

A few (/load) of us did it at Eusprig last year as a trial run. I thought it was pretty good. Better than some of the on-line assessments I have done over the years.

Has anyone implemented a policy where only people who have passed that test and/or done some advanced training get to work on mission critical spreadsheets? How did that work?

One of the papers at Eusprig last year had it as a proposal that seemed logical and yet was strongly resisted. I can see why it would be, given the freewheeling nature of the end user computing world. But I can also see how it makes sense from a risk management pov.

Would you take the test (if ‘encouraged’)?

Do you think you could get the folks you work with or support to do it?

Do you have some ad-hoc or in house assessment process for managing access to these important resources?



Get patching

Wednesday, 10th December, 2008

I’ve finally found some readable details of the patches MS released yesterday. I’ve been looking out for them since JP emailed me last week asking what was going on (I didn’t know).

Anyway SANS has a good summary here. Note the traffic lights: Red == Patch NOW.

MS detail here for Excel.

Summary – Open a dodgy workbook, get pwned.

No need to enable macros, this is an error in the file parser that allows the bad guys to run what they want on your box.

Also there is a bunch of VB runtime bugs around several ActiveX controls.

Let us know if you hit any problems patching.



More code signing mischief

Tuesday, 9th December, 2008

So I took the general advice and didn’t bother renewing the codematic code signing signature.

The published version of the worksheet unprotector is signed, but the signature expired a while ago. It was valid and in-date when I signed it, although I did not timestamp it. (I hadn’t seen anything to suggest it was (effectively) obligatory.)

So I got this screenshot from a potential customer (or maybe not, after this farce). (Actually it was the French version – but I thought this would be clearer for most sos readers.)

Signing my code effectively timebombs it – Excel 2007 will claim it’s invalid and refuse to even load it, even from a trusted zone, once the sig has expired.

Not signing my code just gets the user a quick familiar ‘enable macros?’ warning.

It’s not a hard choice, is it? Even ignoring the rip-off nature of buying a cert.

I’m not totally clear how all of this helps security, as it just makes code signing even less attractive. Is something that was signed but has expired really more of a security risk than something that was never signed? Bearing in mind everything that is signed will expire at some point.

I guess I should test it with something that is signed and timestamped, and expired. Has anyone else done that?

At this stage I’m all set to totally give up on signing. I really want to sign my code, because I think it’s the right thing to do. Perhaps I should just get over myself – who is going to imitate a codematic tool with some nastyware?

Hmm what shall I spend the 200 quid I have saved by not buying a cert on?
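The expiry behaviour this post describes, as an added example (not code from the original post or from Codematic): a small Python model of why an untimestamped signature stops verifying once the certificate expires while a timestamped one does not. It assumes a SHA-256 digest standing in for the real cryptographic signature, constructed certificate dates and a placeholder signer name, and it simplifies the timestamp (in practice a countersignature from a timestamp authority) to a trusted time value.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass
class Signature:
    cert: Certificate
    digest: str                    # SHA-256 of the signed bytes (stands in for the real signature)
    timestamp: Optional[datetime]  # trusted countersignature time, None if not timestamped

def sign(content: bytes, cert: Certificate, signed_at: datetime, with_timestamp: bool) -> Signature:
    """Sign only while the cert is in date; optionally record a trusted timestamp."""
    if not (cert.not_before <= signed_at <= cert.not_after):
        raise ValueError("certificate not valid at signing time")
    digest = hashlib.sha256(content).hexdigest()
    return Signature(cert, digest, signed_at if with_timestamp else None)

def verify(content: bytes, sig: Signature, now: datetime) -> str:
    """Return 'valid' or a reason, judging cert validity the way a timestamp-aware verifier does."""
    if hashlib.sha256(content).hexdigest() != sig.digest:
        return "invalid: content modified after signing"
    # With a timestamp the cert only has to have been valid when the signature was made;
    # without one the verifier has nothing but the current clock to check it against.
    check_time = sig.timestamp if sig.timestamp is not None else now
    if not (sig.cert.not_before <= check_time <= sig.cert.not_after):
        return "invalid: certificate expired"
    return "valid"

def demo() -> dict:
    # Constructed dates: a one-year cert, a workbook signed in-date, checked after expiry.
    cert = Certificate("CN=Example Signer (placeholder)", datetime(2007, 9, 1), datetime(2008, 9, 1))
    workbook = b"constructed workbook bytes with a VBA project"
    signed_at = datetime(2008, 3, 1)
    now = datetime(2008, 12, 9)
    plain = sign(workbook, cert, signed_at, with_timestamp=False)
    stamped = sign(workbook, cert, signed_at, with_timestamp=True)
    return {
        "untimestamped": verify(workbook, plain, now),   # expired: the cert is judged against 'now'
        "timestamped": verify(workbook, stamped, now),   # valid: the cert is judged at signing time
        "tampered": verify(workbook + b"x", stamped, now),
    }
```

The tampered case shows that the timestamp relaxes only the expiry check, not the integrity check.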