Macros Security

[Guest]

My school ICT manager, although impressed with my Excel programming (his
words, not mine!) of Interactive Whiteboard Maths Excel workbooks, tells me
that the school can not market them because of their use of MACROS - (really
VBA code behind Excel). Other schools probably won't have the courage or
imagination to allow my macros to be used my the machines on their networks.

I am assuming that I can't write code to "correct" their macro security to
"low".

What should I do? I notice a phrase "trusted macro developer" on a dialogue
box. Could you explain what that means and how someone is credited with that
status.

Thanking in anticipation

Bill Hall

 

[Tom Ogilvy]

In xl2002 and later, you could certify your project. The user of the
software has to then accept you as a trusted source when prompted. Trying
to set security to LOW would be the type of action expected of a person
distributing a virus.


An Overview:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnimo00/html/combat.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnoxpta/html/odc_dsvba.asp
Code Signing Office XP Visual Basic for Applications Macro Projects

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q288985
XL2002: About Digital Signatures in Excel Workbooks

http://support.microsoft.com/default.aspx?scid=kb;en-us;820738&Product=ofw
About Digital Signatures and Code Signing in Workbooks in Excel 2003

http://support.microsoft.com/?KBID=206637
OFF2000: Overview of Digital Certificates (Q206637)

http://support.microsoft.com/?KBID=217221
OFF2000: Using SelfCert to Create a Digital Certificate for VBA Projects
(Q217221)



Another reference:
http://msdn.microsoft.com/library/en-us/odeopg/html/deovrsigningvbaproject.asp



http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329228
OFFXP: How to Make Sure That Your Office Document Has a Valid Digital
Signature


http://office.microsoft.com/assistance/2002/articles/otelldigitalcertiftrustworthy.aspx
How to Tell if Digital Certificate Is Trustworthy in Office XP

Regards,
Tom Ogilvy

 

[Anne Troy]

You need a Digital Signature to market something like this Bill.
http://www.verisign.com/products-se...code-signing/index.html?sl=t41580041570000002

However, I don't recommend it because anyone can then copy/crack your code
and send it to others. If you have a great idea, my recommendations are:
1) Get a web developer to make a web-based application for you, to which you
let users subscribe on a monthly basis.
2) If web isn't feasible, then have a VB application created from it, or a
COM add-in, either of which is far harder to reverse-engineer than macros in
an Excel workbook.
As it stands now, anybody could take your macro home, self-sign it, and make
themselves the trusted developer at work.
*******************
~Anne Troy

www.OfficeArticles.com

 

[Tom Ogilvy]

So you saying anyone can get the code, modify it, and then certify that they
are Bill. I think not.

 

[Anne Troy]

Are you saying no one can export all the code, copy the sheets to a new
book, and sign it themselves?
*******************
~Anne Troy

www.OfficeArticles.com

 

[STEVE BELL]

If you password protect the VBE it makes it harder for anyone to see the
code.

 

[Guest]

well certainly they can sign it themselves ann. But without BILL'S
certificate they can either only sign with a self-made certificate or with
their own purchased certificate.

 

[Anne Troy]

My point exactly. So if the OP is wanting to SELL his technology, digitally
signing it really buys him no protection at all. Is that correct?
*******************
~Anne Troy

www.OfficeArticles.com

 

[Harald Staff]

Anne

There are two very different issues here: Protecting code from thieves, and
signing code so that it can be allowed to run in schools computers. A
signature is no protection against theft, it is a "run me without further
questions, I'm from a trusted programmer" label. Any good hacker can steal
the code, but the signature in question can not be hacked or imitated from
the file as far as I know.

HTH. Best wishes Harald

 

[Anne Troy]

Where did anyone ever get the idea that I was telling him people could hack
his signature? I never said that. He said that "the school can not market
them..." This tells me he wants to SELL it. Sorry, but I would never SELL
any Excel product that only has a digital signature.
*******************
~Anne Troy

www.OfficeArticles.com

 

[Gareth]

Hi Bill,

Looks like you generated a long discussion! I'm (very) far from an
expert in these matters but I won't let that stop me. It occurs to me
that you have two issues:
(1) Gaining the confidence of other schools to allow the macros to run
(your original question);
(2) Securing your code from theft.

To deal with the first issue:

(a) You don't definitely have to have a signature. If your code is an
AddIn and installed as such (by the school's IT staff) then security can
still be set as Very High. Rob Bovey's wonderful CodeCleaner runs just
fine on my machine under such conditions (XL2003). So if you deploy like
this the IT staff can be confident they're not exposed to other macros.

(b) OK - say you don't want to use an AddIn. Get yourself a signature
and have the IT staff trust it on their machines. It can't be recreated
by someone else. There are several ways to gain a signature. Buy one
(from Verisign and the like) - see Anne's post. (My take: expensive, not
worth it.) Create your own. You CAN do this (for free) - using MS's
makecert.exe or selfcert.exe. Once your original signature has been
trusted by the school's machines you can send new versions that are
still signed.

Second issue - securing your hard work. Again, a couple of options in my
mind:

(a) Just password protect your project (with a long password!). You can
also remove all the comments and spacing (using Codecleaner) - just to
be on the safe side and inconvenience any hacker. It's secure-ish -
people on this NG will be able to explain just how much.
But let's face it - this is for schools' whiteboards. Schools aren't in
the habit of stealing software (as far as I know). It's probably cheaper
to buy it than crack it. And if someone rips it off and sells it - sue
the hell out of them! Probably far more lucrative since they'll be doing
some hard selling for you for free! (I've sold AddIns before now and
haven't lost any sleep over it. There's probably thousands of AddIns out
there on the internet right now you can buy. So it works.)

(b) Make it uncrackable if you are worried. Anne's suggestion of a web
based solution is one. I think a far cheaper solution (and also her
suggestion) is to port it to a VB executable. This is very easy to do
generally. (Depending on your application's requirements... if you need
to control Excel still - event trapping through OLE might be tricky,
I've never tried..) Why a school is happy to trust an executable file
but not a cleanly installed AddIn is beyond me though.

I hope at least some of this might be helpful.

Good luck.
Gareth

 

[Tom Ogilvy]

He never asked about protecting his code. He asked about a trusted
developer and implied he wanted his code to open with a macro prompt. You
introduced concern about protecting the code. No one suggested distributing
the code with nothing but a certificate. You have mixed two different
topics together as Harald illuminated.

 

[Anne Troy]

If you say so.
*******************
~Anne Troy

www.OfficeArticles.com

 

[Tom Ogilvy]

You need a Digital Signature to market something like this Bill.

However, I don't recommend it because anyone can then copy/crack your code
and send it to others.

I think you said so <g>

 

[Guest]

My thanks to you all; for your suggestions and help; especially Gareth who
seems to have collected everything up and sent it gift wrapped!

It will take me some time to digest it all ( I guess that's what the
weekends are for!!) and then approach the network manager with all my new
advice.

thanks again

Bill (teacher in the UK)