Friday, November 20, 2009

Lingvo 12 on Windows 7

Lingvo 12 refuses to start under Windows 7 and shows the following message (access to the licensing file is denied):

"Нет доступа к файлу c:\ProgramData\ABBYY\Lingvo\12.0\Licenses\Licensing.bin"

The problem can be fixed by granting "Full Control" on that file to the "Users" group (by default this group has read access only).

Tuesday, November 10, 2009

How to open Outlook Developer Reference in Office 2007

If you are a developer working with Outlook, you will definitely need the Outlook Object Model reference that ships with Outlook. Unfortunately, getting to it in Outlook 2007 is not exactly straightforward.
The standard way, apparently envisioned by Microsoft, is as follows. First, you need to enable the Developer tab in Outlook. For this:
  1. On the Tools menu, click Options.
  2. On the Other tab, click Advanced Options, and then select the Show Developer tab in the Ribbon check box.
Once that's done, you'll need to do the following:
  1. Open an old email or create a new one.
  2. In the email viewing/editing window, click on the Developer tab.
  3. Press the Visual Basic button.
  4. Once Visual Basic editor opens, select Help from the menu or toolbar.
Cumbersome to say the least! Fortunately, there's a quicker way. Just run the following command (in cmd window or through a shortcut):
c:\Program Files\Microsoft Office\Office12\CLVIEW.EXE OUTLOOK.DEV Outlook
CLVIEW.EXE is the Office 2007 help viewer. The path to it may need to be adjusted depending on the location of your Office 2007 installation.
This method of course works for other Office applications: all you need to do is replace OUTLOOK.DEV with WINWORD.DEV or EXCEL.DEV in the first command line parameter. The second command line parameter is just the window title, so it can be anything.

Friday, November 06, 2009

Delphi 5 on Windows 7

Delphi 5 may seem like an ancient tool nowadays, but some of us still need to use it. Here are some pitfalls of running Delphi 5 on Windows 7:

1. Delphi fails to compile a project with a type library (*.tlb file) with the following error:

[Error] RLINK32: Error opening file: "...tlb"
The message is in fact misleading, since the TLB file itself is perfectly accessible. Monitoring the compilation process with Sysinternals' Process Monitor revealed that Delphi tries to write a temporary file named dfwtemp.tlb to its bin folder (under Program Files), which Windows 7 does not permit unless you run Delphi as administrator.

To resolve the problem, grant full access on the Delphi bin folder to the Users local group.

2. Windows 7 no longer opens old help files (hlp extension). For some reason Microsoft decided not to include WinHlp32.exe any more, even though the one from Windows XP works perfectly. To be precise, there IS a file named WinHlp32.exe in the Windows directory, but it DOES NOT open HLP files; instead it shows a message that this functionality is no longer available.

To read Delphi's HLP files (or any other HLP files), copy winhlp32.exe from an XP computer to the Windows directory. This is not going to be easy though, since Windows 7 is very fussy about overwriting anything in the Windows directory. To overwrite the existing dummy file (which is owned by the pseudo-user TrustedInstaller), first take ownership of it, then grant yourself full access, then copy the file "as administrator".

Tuesday, November 03, 2009

Administration under Windows 7

I received a new computer with Windows 7, and here are the first impressions of doing system administration tasks from this new OS:

1. The Windows Server 2003 admin pack no longer works; you need to download Remote Server Administration Tools for Windows 7 from here.

2. Even then, the Dial-in tab is not available. There is an old workaround from Windows XP times that still works though. Its description can be found in many places, including here, but here's a brief recap:

  • Copy/Paste the following to a Dialin.reg file:
    Windows Registry Editor Version 5.00
    "{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}"="RAS Dialin - User Node Extension"
  • Merge the Dialin.reg file with your Windows XP registry, or run regedit /s dialin.reg.
  • Copy three DLLs (mprsnap.dll, rasuser.dll, rtrfiltr.dll) from a Windows Server 2003 domain controller's system32 directory to your computer's system32 directory and register rasuser.dll with regsvr32. This can be automated with the following sequence of commands:
    CD /D %SystemRoot%\System32
    copy \\ServerName\Admin$\System32\mprsnap.dll *.*
    copy \\ServerName\Admin$\System32\rasuser.dll *.*
    copy \\ServerName\Admin$\System32\rtrfiltr.dll *.*
    regsvr32 rasuser.dll

3. There's no Exchange System Manager for Windows 7 (at least for Exchange 2003). The one from Exchange 2003 doesn't work. The ESM for Vista works, but its installer refuses to install it on Windows 7 (it strictly checks for Vista). Some generous soul has hacked the installer to work on Windows 7 and made it available for download from this page: See the discussion here

Tuesday, October 13, 2009

Samba shares inaccessible after power failure

A test Samba server (a domain member with ADS security) crashed due to a power failure, and after that its shares became inaccessible: when Windows clients tried to access them, a password dialog was shown and the correct password was not accepted.

Samba log showed the following:

[2009/10/08 13:22:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

The winbind log showed the following:

[2009/10/08 13:13:45, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(353)
  Could not parse domain user: lz

The problem was resolved by removing all *.tdb files in /var/lib/samba.

WARNING. This was a test server, so removing the files was not a problem. If it were a production server, removing winbindd_idmap.tdb would destroy the mapping between Windows and Unix users, and thus all file permissions on the Samba shares would be screwed up. On a production server one would try to rescue at least winbindd_idmap.tdb.
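As an added example (not code from the original post): the cleanup described above done in Python, keeping winbindd_idmap.tdb in place and moving the other *.tdb files into a backup directory instead of deleting them, so the step can be undone. The /var/lib/samba path is from the post; the backup location and the sample file names in run_demo() are constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path

# The post singles out winbindd_idmap.tdb: it holds the mapping between
# Windows SIDs and Unix uids/gids, so losing it breaks every ACL on the shares.
PROTECTED = frozenset({"winbindd_idmap.tdb"})


def quarantine_tdb_files(samba_dir, backup_dir, protected=PROTECTED):
    """Move every *.tdb in samba_dir except the protected ones into backup_dir.

    Nothing is deleted, so the step can be undone by moving the files back.
    Returns (moved, kept): sorted lists of file names.
    """
    samba_dir, backup_dir = Path(samba_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    moved, kept = [], []
    for tdb in sorted(samba_dir.glob("*.tdb")):
        if tdb.name in protected:
            kept.append(tdb.name)
            continue
        shutil.move(str(tdb), str(backup_dir / tdb.name))
        moved.append(tdb.name)
    return moved, kept


def run_demo():
    """Run the cleanup on a constructed sample directory (not real Samba data).

    Returns (moved, kept, remaining) so the outcome can be checked.
    """
    root = Path(tempfile.mkdtemp())
    samba = root / "samba"
    samba.mkdir()
    for name in ("gencache.tdb", "winbindd_idmap.tdb", "winbindd_cache.tdb", "smb.conf"):
        (samba / name).write_bytes(b"constructed sample, not a real tdb")
    moved, kept = quarantine_tdb_files(samba, root / "backup")
    remaining = sorted(p.name for p in samba.iterdir())
    return moved, kept, remaining


if __name__ == "__main__":
    # On the real server (with smbd and winbindd stopped) it would be run as
    # quarantine_tdb_files("/var/lib/samba", "/var/backups/samba-tdb");
    # the backup path is an assumption of this example.
    print(run_demo())
```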

Friday, October 02, 2009

On cheese

Maasdam: must die

Sunday, June 07, 2009

What is truth?

"What is truth?", Pontius Pilate is said to have asked Jesus.

Some 1900 years later the Polish logician Alfred Tarski asked himself the same question, not out of religious considerations (Tarski was born a Jew and converted to Catholicism, but was in fact an atheist) but out of purely mathematical ones. Tarski was troubled that mathematics operates with what he called "semantic notions" (for example, "truth" or "proof") without having precise definitions of them. Tarski set out to remedy this and created a method of defining truth for formal languages. The most important feature of Tarski's definition of truth, in my view, is that the truth of the sentences of some language L is defined not in that language itself but in its metalanguage, i.e. a wider language in which one can talk about the sentences of L. If one may step outside the languages of formal logic here and consider some universal human language, i.e. the totality of all statements that a human being is theoretically able to make in any natural language, in the language of mathematical formulas, in a programming language and so on, then it turns out that the truth of these statements can only be defined in a metalanguage, i.e. a wider language, one that therefore automatically lies beyond what is knowable to humans.

"The L-rd your G-d is truth": so ends the main Jewish prayer, the Shema.

Tuesday, May 19, 2009

The best tourist questions in Rome

  • In the Sistine Chapel: "So where is the Sistine Madonna?"
  • On Piazza Navona: "And who was Navon?"
  • In St. Peter's Basilica:

    Guide: "See what a tomb monument a humble fisherman from Galilee was honoured with."

    Tourist: "And is Galilee named after Galileo Galilei?"

Monday, April 13, 2009

Network access blocked to a server

A domain controller running Windows 2003 Server SP1 ran out of disk space. When I tried to connect to it to clean up the disk, I found that the server was not accessible from the network. Even ping didn't work. I logged in to the server's console and found the following events in the system log:

Source: IPSec
Event ID: 4294
The IPSec driver has entered Secure mode. IPSec policies, if they have been
configured, are now being applied to this computer.

Event type: Error
Source: IPSec
Event ID: 4292
The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound 
TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. 
User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec 
services, and then restart the computer.  For detailed troubleshooting information, 
review the events in the Security event log.

The explanation was found in the following Microsoft KB article: Apparently, the IPsec security policy registry key got corrupted, and IPsec panicked and blocked all access to the computer. The solution was, as described in the KB article in detail, to remove the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local.

Sunday, April 12, 2009

April Fools' theses, 2009

With some delay, a summary of the April Fools' news.

In the world of high technology. Netcraft reports a sharp surge in the popularity of the Lynx browser due to mass security problems in other browsers. Lynx has become especially popular on banking sites.

Google announces the launch of CADIE, the world's first system with genuine artificial intelligence.

Opera introduces a new feature in its browser, face gestures: "By using an internal technology dubbed Face Observation Opera Language, we are able to recognize pre-determined facial expressions and match them to commands on the Opera browser."

Qt Software has launched a new community:

The eBook Russia reports on a new reading device with a revolutionary curved screen.

The IETF has issued RFC5514, proposing a new approach to the IPv6 adoption problem: IPv6 over Social Networks.

O'Reilly is preparing a new book, "Mastering cat", devoted to the UNIX cat command, and publishes an interview with the author.

Finally, the Guardian is switching from its print edition to Twitter.

On to political news. Yushchenko's wife (allegedly) told her president husband that she is pregnant again. The website of the programme Podrobnosti reported that the Cabinet had put the NBU under temporary administration (if only someone would put the Cabinet under temporary administration?). A not very funny joke had it that Valuev is retiring to a monastery (I can't give the link, the item has been taken down). On the other hand, their joke that from 1 May no more than one bottle of vodka per person would be sold in Kyiv had a big resonance, so the Kyiv administration even had to issue an official denial.

In Belgium they joked that the royal palace would be sold to a Russian businessman.

Finally, Pasha Bernshtam has been promoted to his next military rank.

Saturday, April 11, 2009

Setting up an IPsec tunnel from Linux to Cisco PIX

In this post I am going to put down my experience setting up an IPsec tunnel from a Linux router to a Cisco PIX device. I'll explain the setup, the solution, and the pitfalls encountered along the way.


We have a LAN using IP subnet, connected to the Internet through a Linux router, whose external IP address is (address made up for the sake of example, of course). The goal was to connect to a network within the customer's LAN through an IPsec tunnel. The destination net was (yes, the netmask here is 32, since this actually was a single host; but I'd like to talk about it as a subnet, because in the case of a true subnet our solution would be the same, just the netmask would have fewer bits). Even though the destination's IP address is "external-looking", it is blocked off from the Internet by a firewall and is only reachable through IPsec via an external gateway whose address is The following crude ASCII art diagram illustrates the setup:

   Our LAN      +--------------+     IPsec tunnel     +-----------+  Dest. subnet
----------------+ Linux router +======================+ Cisco PIX +----------------
                +--------------+      (Internet)      +-----------+

An additional complication was that our IP address range was in use in the customer's LAN, so we could not allow our packets to go into their network with their original source IP addresses. To circumvent this, our first step was to set up SNAT to masquerade all our outgoing packets as coming from IP address

The Cisco PIX was managed by the customer, and thus outside of our control. I was responsible for setting up our Linux router.


Now I will jump forward and describe the solution that worked.

Some theory on IPsec and indispensable guidance on setting up IPsec in Linux can be found at Linux IPsec HOWTO. The solution below was based on the information obtained from the HOWTO.


As mentioned above, our first step was to set up SNAT for our packets going off to the customer's net:

iptables -t nat -A POSTROUTING -d -j SNAT --to-source

Note that this is independent of IPsec. It just tells the kernel to masquerade any packets going out to as coming from source address (which does not need to correspond to any physical network interface of the router). Before any tunnel was set up, I could test the SNAT by pinging and watching the source address of outgoing packets with tcpdump.

Kernel security policy

The next step is to set up the kernel's security policy. Simply put, we need to tell the kernel that whenever it sees a packet going to it has to send it through a tunnel that runs from (our external address) to (customer's external address). This is achieved with the following script:



#!/bin/sh
# SRCNET is our SNAT address and DSTNET the destination subnet; SRC and DST
# are the tunnel endpoints (our and the customer's external addresses).
# The actual addresses are omitted from this page; set them here before use.
# The esp/tunnel lines are restored from the description in the text:
# ESP only, tunnel mode between the two external addresses.
/sbin/setkey -c >/dev/null 2>&1 << EOF
spdadd $SRCNET $DSTNET any -P out ipsec
    esp/tunnel/$SRC-$DST/require;
spdadd $DSTNET $SRCNET any -P in ipsec
    esp/tunnel/$DST-$SRC/require;
EOF

Note that we only tell the kernel to use ESP and not AH. Many sources would tell you to use both, and this is a good thing to do; it's just that in our case, for some reason, the customer insisted on using ESP only. Also note that the SRCNET is set to, as the SNAT we set up earlier will modify the packets' source addresses before IPsec sees them. Had we not used SNAT, SRCNET would have been

Now the kernel knows when to use the tunnel, but to create the tunnel a security association must be set up between our router and the remote Cisco box. This is the job of the racoon daemon, and I'm moving on to describe its configuration.

Racoon and ISAKMP

Racoon speaks the ISAKMP protocol in order to create the tunnel. A detailed description of ISAKMP is outside the scope of this post, but it is important to know that creation of the tunnel proceeds in two phases. In phase 1 racoon negotiates a preliminary secure connection to the remote site called the ISAKMP Security Association (SA). In phase 2, using the existing ISAKMP SA, it is able to talk privately to the remote site and negotiate the parameters of the IPsec tunnel itself. In phase 2 the actual IPsec Security Association (SA) is created.

There are many details of ISAKMP that racoon needs to negotiate with the remote end of the tunnel. Describing them all is outside our scope now. Our customer wanted to use the following parameters:

Phase 1:

  • Authentication Method: RSA-Key
  • Diffie-Hellman Group: 5 (1536 bit)
  • Encryption Algorithm: AES-256
  • Data Integrity Algorithm: SHA-1
  • Use aggressive mode: No
  • Lifetime: 86400s (1 day)

Phase 2:

  • Encapsulation (ESP or AH): ESP
  • Encryption Algorithm: AES-256
  • Authentication Algorithm: SHA-1
  • Perfect Forward Secrecy: No
  • Lifetime: 3600s (1 hour)

Let's go over these requirements and try to make sense of them.

Phase 1:

  • Authentication Method: RSA-Key. There are several possible authentication methods, such as pre-shared key or RSA keys (or, rather, X509 certificates). We are going to use certificates.
  • Diffie-Hellman Group: 5 (1536 bit). The Diffie-Hellman algorithm is used to exchange session keys between the IPsec peers. The "group" is one of the algorithm's parameters. The important thing is that both peers use the same value.
  • Encryption Algorithm: AES-256. This just means that out of the multitude of encryption algorithms they want to use AES with 256-bit long keys.
  • Data Integrity Algorithm: SHA-1. Similarly this just means that of all the hash algorithms they want to use SHA-1.
  • Use aggressive mode: No. Aggressive mode is an optional feature of Phase 1 negotiation that "reduces the number of round-trips at the expense of not providing identity protection" (RFC2408). They don't want to use it. I guess they care about identity protection.
  • Lifetime: 86400s (1 day). This means that the ISAKMP SA that we establish at Phase 1 will have lifetime of 1 day, and after that will have to be renegotiated.

Phase 2:

  • Encapsulation (ESP or AH): ESP. IPsec uses two protocols, ESP and AH. For some reason, they only want to use ESP (this is why when setting up kernel security policy above I told it to use ESP only).
  • Encryption Algorithm: AES-256. Just using the same encryption algorithm as in Phase 1.
  • Authentication Algorithm: SHA-1. Just using the same hash algorithm as in Phase 1.
  • Perfect Forward Secrecy: No. Perfect Forward Secrecy is an optional feature of Phase 2 negotiation, which means that "disclosure of longterm secret keying material [RSA private key in our case] does not compromise the secrecy of the exchanged keys from previous communications". For whatever reason, they don't want to use it.
  • Lifetime: 3600s (1 hour). This means that the IPsec SA that we establish at Phase 2 will have lifetime of 1 hour, and after that will have to be renegotiated, so that if anyone is eavesdropping on us, they won't have much time to brute-force our keys.

The above requirements translate into the following racoon config that can be added to /etc/racoon/racoon.conf. The comments in the config below explain how config directives correspond to the requirements.

# The following section tells racoon how to conduct Phase 1
# negotiation with the remote peer. <DST> stands for the customer's
# external address, which is omitted from this page.
remote <DST> {
  # We are NOT using aggressive mode, therefore the mode is "main"
  exchange_mode main;
  # The peer identifies themselves by their IP address. See below in "Pitfalls"
  # section on why this directive was necessary.
  peers_identifier address;
  # We will not verify the peer's certificate. See below in "Pitfalls"
  # section on why this directive was necessary.
  verify_cert off;
  # The following line specifies the location of our certificate and private key
  certificate_type x509 "ipsec.cer" "ipsec.key";

  proposal {
    # for encryption algorithm we will use AES 256
    encryption_algorithm aes 256;
    # for hash algorithm we will use SHA1
    hash_algorithm sha1;
    # we will authenticate with X509 certificate (called rsasig here)
    authentication_method rsasig;
    # We will use Diffie-Hellman group 5
    dh_group 5;
    # Lifetime of phase 1 association will be 24 hours
    lifetime time 86400 sec;
  }
}

# The following section tells racoon how to conduct Phase 2
# negotiation for packets exchanged between subnets <SRCNET> and <DSTNET>
# (our SNAT address and the destination subnet, the same values as in the
# setkey script; they are omitted from this page).
# Notice that here we use "internal" source and destination
# subnet addresses, and NOT tunnel endpoint addresses.
sainfo address <SRCNET> any address <DSTNET> any {
  # Lifetime of Phase 2 association will be 1 hour
  lifetime time 1 hour;
  # for encryption algorithm we will use AES 256
  encryption_algorithm aes 256;
  # for authentication algorithm we will use SHA1
  authentication_algorithm hmac_sha1;
  # For compression algorithm we will use "deflate". This wasn't in the specs,
  # but it's the default
  compression_algorithm deflate;
}


Pitfalls

IPsec is a complex protocol and many are the pitfalls on the road to a successful IPsec tunnel.


Parameters offered by the initiator side (such as encryption algorithms, lifetimes, Diffie-Hellman group, etc.) must be exactly the same as those expected by the remote side. In theory ISAKMP is supposed to negotiate the parameters, but in practice I found that even the slightest difference led to a failed negotiation. The problem is aggravated by the fact that different implementations of IPsec (in our case those of Linux and Cisco PIX) use different configuration syntax and slightly different terminology, so translating the requirements of the Cisco PIX into the configuration language of racoon is not always straightforward.
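As an added example (not the post's own code): a small Python checker that parses a racoon.conf fragment and compares its Phase 1 and Phase 2 directives with the customer's parameter list above, so that a mismatch of the kind just described is caught before the negotiation fails. The placeholders <DST>, <SRCNET> and <DSTNET> stand for the addresses omitted from the post, and only the directives the post uses are mapped.

```python
import re

# Customer requirements from the post, translated into racoon directive names
# and values; lifetimes are compared in seconds so "time 1 hour" equals 3600.
PHASE1_EXPECTED = {
    "exchange_mode": "main",            # Use aggressive mode: No
    "authentication_method": "rsasig",  # RSA-Key, i.e. X.509 certificates
    "dh_group": "5",                    # Diffie-Hellman group 5 (1536 bit)
    "encryption_algorithm": "aes 256",  # AES-256
    "hash_algorithm": "sha1",           # Data Integrity Algorithm: SHA-1
    "lifetime": 86400,                  # 1 day
}
PHASE2_EXPECTED = {
    "encryption_algorithm": "aes 256",        # AES-256
    "authentication_algorithm": "hmac_sha1",  # SHA-1
    "lifetime": 3600,                         # 1 hour
}
_UNITS = {"sec": 1, "min": 60, "hour": 3600}
# The post's configuration, with placeholders for the addresses it omits.
SAMPLE_CONF = """
remote <DST> {
  exchange_mode main;
  proposal {
    encryption_algorithm aes 256;
    hash_algorithm sha1;
    authentication_method rsasig;
    dh_group 5;
    lifetime time 86400 sec;
  }
}
sainfo address <SRCNET> any address <DSTNET> any {
  lifetime time 1 hour ;
  encryption_algorithm aes 256 ;
  authentication_algorithm hmac_sha1;
}
"""

def _tokenize(text):  # words, quoted strings and the { } ; punctuation
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#.*", "", text))

def _parse(tokens, pos=0):
    """Parse tokens into [(name, args, body)]; body is None for a plain directive."""
    items, cur = [], []
    while pos < len(tokens) and tokens[pos] != "}":
        tok, pos = tokens[pos], pos + 1
        if tok == "{":
            body, pos = _parse(tokens, pos)
            items.append((cur[0], " ".join(cur[1:]), body))
        elif tok == ";":
            items.append((cur[0], " ".join(cur[1:]), None))
        else:
            cur.append(tok)
            continue
        cur = []
    return items, pos + 1  # skip the closing brace

def lifetime_seconds(args):
    """Convert a racoon lifetime argument such as 'time 1 hour' to seconds."""
    m = re.fullmatch(r"time (\d+) (sec|min|hour)", args or "")
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None

def _plain(body):  # non-block directives of a block as {name: args}
    return {name: args for name, args, sub in body if sub is None}

def check_racoon(conf_text):
    """Return the mismatches between conf_text and the customer's parameter list."""
    items, _ = _parse(_tokenize(conf_text))
    blocks = {name: body for name, _args, body in items if body is not None}
    remote, sainfo = blocks.get("remote", []), blocks.get("sainfo", [])
    phase1 = _plain(remote)
    for name, _args, body in remote:
        if name == "proposal":           # proposal directives are Phase 1 too
            phase1.update(_plain(body))
    phase2 = _plain(sainfo)
    problems = []
    for phase, got, want in (("Phase 1", phase1, PHASE1_EXPECTED),
                             ("Phase 2", phase2, PHASE2_EXPECTED)):
        for key, expected in want.items():
            actual = lifetime_seconds(got.get(key)) if key == "lifetime" else got.get(key)
            if actual != expected:
                problems.append(f"{phase}: {key} is {actual!r}, customer wants {expected!r}")
    if "pfs_group" in phase2:            # "Perfect Forward Secrecy: No"
        problems.append("Phase 2: pfs_group is set but the customer wants PFS off")
    return problems
```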


In IPsec each party identifies itself to the other party and presents credentials to prove its identity. The protocol allows for several forms of identification, such as:

  • By IP address (i.e. a peer says "I am the owner of this IP address")
  • By DNS name (i.e. a peer says "I am the owner of this DNS name")
  • By distinguished name from an X509 certificate (i.e. a peer says "My DN is as follows")

and so on. When you configure a tunnel, you need to specify which form of identification you use. When your credential is an X509 certificate, the best choice is identification by distinguished name, because the certificate is exactly the kind of credential that proves that the DN belongs to you. This form of identification is achieved by the following line in the racoon configuration:

my_identifier asn1dn; 

However, our customer configured their Cisco to identify itself by IP address. How does one prove with an X509 certificate that an IP address is theirs? Well, racoon expects that in this case the certificate will have a subjectAltName attribute with the value "IP:xx.xx.xx.xx" (where xx.xx.xx.xx is the peer's IP address). Unfortunately, our customer's certificate did not have such an attribute. To work around this, I had to turn off certificate validation with the "verify_cert off;" directive.

Tunnel stability

Unfortunately, the tunnel proved to be unstable. Approximately once every several days the remote end would terminate the ISAKMP association. This is not a problem in itself, since racoon is capable of re-negotiating the association when needed. However, apparently the remote end also terminates the IPsec association, but racoon does not notice this; thus it continues to use the IPsec association that the remote end no longer accepts, and no data comes through.

In about an hour racoon will expire the IPsec association and negotiate a new one, so the tunnel will be re-established. If you can't wait, you can force the renegotiation. One way to do it is to delete all security policy entries with the setkey -F command. Another is to remove the IPsec association with the racoonctl command (see the manpage for details).

Wednesday, March 11, 2009

Anathem: Bunjo and proton decay

From Neal Stephenson's Anathem:
Bunjo was a Millenarian math built around an empty salt mine two miles underground. Its fraas and suurs worked in shifts, sitting in total darkness waiting to see flashes of light from a vast array of crystalline particle detectors. Every thousand years they published their results. During the First Millennium they were pretty sure they had seen flashes on three separate occasions, but since then they had come up empty.

Compare this to the following paragraph from Lee Smolin's book "The Trouble with Physics", which tells the story of a failed attempt to detect proton decay, the effect that, if observed, would confirm a wonderful physical theory known as SU(5):

... all you had to do was surround the tank with detectors and wait. Funds were raised, and huge tanks were built in mines deep underground. The results were impatiently awaited.

After some twenty-five years, we are still waiting. No protons have decayed.

Add to it that Stephenson specifically lists Smolin's book among the sources for Anathem at his Acknowledgements page, while Stephenson's praise for the book is printed on its back cover, and it's easy to imagine that the former quote is a joke at the expense of the latter.

Saturday, February 14, 2009

Anathem: Iconographies

Having finished Neal Stephenson's Anathem I feel like making a few notes.

First and foremost, it's a great book.

For the rest of this post I'll try to decipher some of the iconographies from the book.

  • Temnestrian Iconography:
    It depicts us as clowns... But… clowns with a sinister aspect. [...] [Originates from] The Cloud-weaver, a satirical play by the Ethran playwright Temnestra that mocks Thelenes by name and that was used as evidence in his trial.
    This is a reference to The Clouds, a satirical play by the Athenian playwright Aristophanes that mocked Socrates and contributed to the latter's trial. That Thelenes is Arbre's Socrates is evident from many other references.
  • Doxan Iconography:
    [Originates from] A Praxic Age moving picture serial. An adventure drama about a military spaceship sent to a remote part of the galaxy to prevent hostile aliens from establishing hegemony, and marooned when their hyperdrive is damaged in an ambush. The captain of the ship was passionate, a hothead. His second-in-command was Dox, a theorician, brilliant, but unemotional and cold.
    This must be obvious to the American audience, but took me a while to figure out. The moving picture serial is Star Trek, the ship is USS Enterprise, the passionate captain is Kirk, the unemotional and cold theorician is Spock.
  • Yorran Iconography. This one is from "an illustrated book", but "later they made moving pictures of it":
    Yorr is identified as a theorician, but if you see how he actually spends his time, he’s really more of a praxic. He has turned green from working with chemicals, and he has a tentacle sprouting from the back of his skull. Always wears a white laboratory smock. Criminally insane. Always has a scheme to take over the world.
    Must be another American pop culture reference. I am not sure, but thinking of Lex Luthor, the arch-enemy of Superman.
  • Muncostran Iconography:
    Eccentric, lovable, disheveled theorician, absent-minded, means well
    Saunt Muncoster is Arbre's Einstein, as evidenced by this depiction, as well as the more direct reference in Glossary: "A theor of the late Praxic Age, responsible for crucial advances in what is called, on Earth, general relativity".

Sunday, January 04, 2009


Right now there are two main news topics: gas and Gaza.