Inside the Software of the Mars Phoenix Lander

Code Monkey No Comments

O’Reilly has a great interview up with NASA’s Peter Gluck, project software engineer for the Mars Phoenix Lander. I always find the design and implementation of mission-critical systems interesting. In short, they’re running a radiation-hardened system (the RAD 6000 board) with a 33MHz CPU, 128 megabytes of RAM, and a PCI peripheral interface… pretty advanced stuff for space. This usually surprises people when they first hear about these systems, but the circumstances require proven technology that is hardened against the perils of outer space (for example, the Hubble Space Telescope was recently upgraded to an Intel 486 processor… the Space Shuttle still runs on hardened PDP-11s).

The software is written in C and running on the VxWorks real-time OS… Lockheed Martin (who wrote the control systems) switched from Ada to C a few years back. There are plenty more interesting details in the article. Here are a few teasers:

The RAD 6000 has built in error detection and corrections. So the hardware does RAM scrubbing. There is a RAM scrubbing that occurs on a continuous basis. And beyond that, we have internal fault protection that monitors the health and safety of the software. And if a software task, for example, fails to respond to a ping, we have pings in the system, then the fault protection task will declare that a fault has occurred and will safe the spacecraft. And what that means, by “safeing”, we mean that the spacecraft will enter into a power and communications safe mode where it will just sit and wait for the ground to respond. It’ll basically phone home and say, I’ve got a problem; somebody tell me what to do.

So if it were to completely lock-up, the hardware has to be stroked every 64 seconds. There’s a watch-stop timer. And so if that 64 second period expires, then the hardware resets and the software is rebooted, and hopefully that clears whatever error occurred. Now in the event that that doesn’t work, we have a whole second set of avionics onboard. So the hardware will try to boot to the same side, and if the same side doesn’t come up and start stroking the watch-stop timer, then it will swap to the other side and boot the first side.

Interviewer: Am I right in assuming that there’s very little process separation in the older RAD 6000 boards?

Peter: Exactly… We have strict coding guidelines that we use. We don’t allow dynamic memory allocation, for example.

These are true fail-safe systems… not the stuff we mortal engineers play with. Click HERE to read the rest of the interview.

Why Securing A Video Stream Is So Difficult

Code Monkey, Tech and Security No Comments

There was an interesting article this last Friday at the New Scientist about how the contents of encrypted VOIP conversations could still be deduced via traffic analysis. The short version is that many spoken words have a signature to them even when they are encrypted. This signature is related to the size of the data packets used to represent the sound data. Many phonemes in a word have a distinct encoded data size… by analyzing the packet sizes you can deduce the phonemes and thus the spoken word.

This got me thinking I should write about the complex problem of securing a video stream. There are many aspects to securing a video stream: integrity, authenticity, and privacy being the most important. I’m not going to spend time talking about integrity and authenticity, because those are somewhat simpler problems to solve (integrity = digital signatures, authenticity = digital certificates). The main focus of this post is about privacy: keeping an eavesdropper from deducing the contents of a video stream.


Create Your Own Motivational Posters

Code Monkey, Oh So Random No Comments

I found this great site MoBuck.com that allows you to easily create your own motivational posters. For $1, you can download a high-resolution version, and for $14 they will send you an 8.5 x 11 inch print. It’s a lot of fun.

Here’s a Mr. T poster I made about not breaking the software build:

Adding reCAPTCHA to Wordpress

Code Monkey 2 Comments

So, I finally added a CAPTCHA to my blog to prevent comment spam. I chose to go with reCAPTCHA from Carnegie Mellon University for a couple reasons:

  1. It’s pretty popular right now so I know the code will be actively maintained (important, because CAPTCHAs are broken all the time with bots).
  2. There’s a Wordpress plugin for it, so it was easy to integrate (check out WP-reCAPTCHA).
  3. It offers a benefit to society by helping to digitize old books (read more HERE).

I got the plugin installed, activated, and configured but the CAPTCHA wasn’t appearing in the comments section of my posts… problem. After some searching, I discovered that the Wordpress theme I’m using was missing the following line of code in Comments.php:

<?php do_action('comment_form', $post->ID); ?>

This line of code should be placed within the <form> block for submitting comments.

Once I added the above line of code, everything worked. However, my pages wouldn’t validate anymore (arg!). The reCAPTCHA code uses the <style> tag in the body, which can only be used in the HTML <head> block. Here’s the offending line of code in the WP-reCAPTCHA plugin (version 2.8.1, line 300):

<style type='text/css'>#submit {display:none;}</style>

Since this code simply tries to set the style of the ‘Submit’ button, I just commented it out and everything validated again.

UPDATE 7/22/2008: Paul over at BlogLESS has an addition to this method that fixes a problem with double submit buttons being present. I took his code (HERE) and tweaked it slightly for my theme and added it to my comments.php file (located with my theme files). I replaced:

<input name="submit" type="submit" class="submit1" id="submit" tabindex="5" value="Submit Comment" />

with:

<script type="text/javascript">
//<![CDATA[
/* Cf. http://www.designlessbetter.com/blogless/posts/making-recaptcha-validate */
document.write('<input name="submit" type="submit" class="submit1" id="submit" tabindex="5" value="Submit Comment" />');
//]]>
</script>

Thanks Paul!

Website validation and embedded YouTube videos

Code Monkey No Comments

So I took the plunge today and got my website to pass CSS and XHTML validation tests. This ensures that my site renders correctly in most browsers and on mobile devices. Check out UITest.com for links to several validation tools.

The hardest thing to get validated is embedded YouTube videos. The <embed> tag they use is deprecated in XHTML 1.0. As soon as you embed a video, your site will fail validation. I found several code samples for fixing this, but only one of them actually worked. I just had to tweak the size so the output matched that from the YouTube script.

Here’s the HTML:

<object type="application/x-shockwave-flash" data="http://www.youtube.com/v/sM_WEohK3bo&amp;hl=en" width="425" height="355">
<param name="movie" value="http://www.youtube.com/v/sM_WEohK3bo&amp;hl=en" />
<param name="FlashVars" value="playerMode=embedded" />
<param name="wmode" value="transparent" />
</object>

The original script came from HERE.

The only problem I’ve had is with the visual editor in Wordpress auto-replacing this code with the original YouTube code.

Scalability Best Practices: Lessons from eBay

Code Monkey No Comments

InfoQ has a great article up from Randy Shoup, a senior architect at eBay. He discusses the philosophies and practices employed by eBay to ensure their software scales to the demands of the site. I like articles like this because the techniques used by large systems (eBay, Google, Amazon, etc) tend to also apply to smaller systems. These larger systems help flush out the problems that a smaller system may not run into until it is too late.

From the article:

At eBay, one of the primary architectural forces we contend with every day is scalability. It colors and drives every architectural and design decision we make. With hundreds of millions of users worldwide, over two billion page views a day, and petabytes of data in our systems, this is not a choice - it is a necessity.

Click HERE to watch the video presentation and corresponding slides.

Engineer vs. Manager

Code Monkey No Comments

Funny, because it is so true!

A man in a hot air balloon realised he was lost. He reduced altitude and spotted a woman below. He descended a bit more and shouted,
“Excuse me, can you help me? I promised a friend I would meet him an hour ago, but I don’t know where I am.”

The woman below replied,
“You’re in a hot air balloon hovering approximately 30 feet above the ground. You’re between 40 and 41 degrees north latitude and between 59 and 60 degrees west longitude.”

“You must be an engineer,” said the balloonist.

“I am,” replied the woman, “How did you know?”

“Well,” answered the balloonist, “everything you told me is technically correct, but I’ve no idea what to make of your information, and the fact is I’m still lost. Frankly, you’ve not been much help at all. If anything, you’ve delayed my trip.”

The woman below responded, “You must be in Management.”

“I am,” replied the balloonist, “but how did you know?”

“Well,” said the woman, “you don’t know where you are or where you’re going. You have risen to where you are due to a large quantity of hot air. You made a promise, which you’ve no idea how to keep, and you expect people beneath you to solve your problems. The fact is you are in exactly the same position you were in before we met, but now, somehow, it’s my fault.”

Getting Custom Video Streams into WPF Natively

Code Monkey 6 Comments

Over the last 2 weeks, Rob and I have been working hard to get custom video streams into WPF without using WinForms. The issue with WPF is that the application has no access to the lower-level DirectShow stuff to control how the filter graph is built. This leaves the programmer with 2 choices: (1) build a custom WinForms user control and build the filter graph manually (2) register a custom protocol type that will allow DirectShow’s Intelligent Connect to build the graph you want via a specially formed URL.

Option #1 works, but doesn’t allow WPF to do any overlays on the video. This means that all overlays (text, timestamps, images, controls, etc) must be drawn at the DirectShow layer. This is difficult, inflexible, and bypasses all the visual effects power of WPF (not to mention losing hardware acceleration).

Option #2 is the optimal solution, and was what we set out to prove. This option allows WPF to control the render surface, and thus provide all the overlay functionality the UI designer can expect from WPF. We succeeded this week in proving that option #2 is possible, and one of our UI guys went off and used it to create a custom list box for choosing video (good job Brent). The video clips below are live and displayed in real time:

Custom List Box

The videos are displayed using WPF MediaElement objects, and passing in a URL with our custom protocol type and the id of the camera to connect to. The great thing about WPF is that we get all the scaling, reflection, and overlays you see above for free. Another one of our UI guys (Nick) did a demo with live video playing on a 3D cube that can be rotated by the mouse. (UPDATED) Check it out:

Cube Test Application

You can find information about registering custom protocols at http://msdn2.microsoft.com/en-us/library/ms787558.aspx. The DirectShow documentation is at http://msdn2.microsoft.com/en-us/library/ms783323%28VS.85%29.aspx. We downloaded the Windows Vista Platform SDK and built off of the Push Source Filters sample.

C++ Portable Runtime Evaluation

Code Monkey No Comments

I recently (June 2007) did an evaluation of C++ portable runtimes for my employer (a large video security company) for use in our system level code. We were looking for a set of libraries that would abstract the operating system (threads, IPC, File I/O, etc) and allow our code to be portable across many architectures and environments. I’ve decided to publish the results of my evaluation here for anyone interested in portable runtimes.
Spoiler: We chose to go with the ACE version 5.4.1.
I initially considered the following runtimes for evaluation:

After considering the criteria we were using for evaluation (see below), I narrowed the field down to 3 candidates:

  • ACE
  • POCO
  • PTypes

I’ve included the selection criteria and evaluation results below. Happy reading.

UPDATE 11/14/2008: Read my post about problems with ACE and debugging memory leaks in Windows.


Implementing DllMain in a linux shared library

Code Monkey No Comments

Overview

When writing a shared library, it is sometimes useful to have a set of functions that get called when the library is loaded and unloaded. In Windows, this is done by implementing the DllMain function. This function is called by the loader whenever a DLL is loaded or unloaded into the address space of a process (and also when the process creates a new thread, but it is less common to handle this case). A value is passed in as an argument to the DllMain function that indicates which event is occurring: DLL load or unload.

On Linux, one must use the GCC __attribute__((constructor)) and __attribute__((destructor)) keywords (double underscores before and after) to explicitly declare functions to be called on load and unload. These keywords cause the compiler/linker to add the specified functions to the __CTOR_LIST__ and __DTOR_LIST__ (”ConstrucTOR LIST” and “DestrucTOR LIST” respectively) in the object file. Functions on the __CTOR_LIST__ are called by the loader when the library is loaded (either implicitly or by dlopen()). The main purpose for this list is to call the constructors on global objects in the library. Conversely, functions on the __DTOR_LIST__ are called when the library is unloaded (either implicitly or by dlclose()). By adding initialization and clean-up functions to this list, one can effectively replicate the DllMain functionality on Linux.
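As an added illustration (not code from the original post), here is a minimal Linux replication of the DllMain load/unload hooks using the GCC attributes described above. The names (on_load, on_unload, example_is_loaded, example_do_work) are hypothetical; the same source builds either as a shared object or as a plain executable, where the constructor runs before main() and the destructor after it returns.

```c
#include <stdlib.h>

/* Added example: replicating DllMain's DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH
 * on Linux with GCC constructor/destructor attributes.
 * Build as a library with:  gcc -shared -fPIC -o libexample.so example.c
 * (hypothetical file name). */

static int  g_loaded   = 0;     /* set once the constructor has run        */
static int  g_unloaded = 0;     /* set once the destructor has run         */
static int *g_table    = NULL;  /* a resource the library needs before use */

/* Equivalent of the DLL_PROCESS_ATTACH branch of DllMain.
 * Placed on __CTOR_LIST__; the loader calls it on implicit load or dlopen(). */
static void __attribute__((constructor)) on_load(void)
{
    /* Keep this minimal: other libraries may not be initialised yet. */
    g_table = calloc(16, sizeof *g_table);
    g_loaded = (g_table != NULL);
}

/* Equivalent of the DLL_PROCESS_DETACH branch of DllMain.
 * Placed on __DTOR_LIST__; the loader calls it on unload or dlclose(). */
static void __attribute__((destructor)) on_unload(void)
{
    free(g_table);
    g_table = NULL;
    g_unloaded = 1;
}

/* Exported query so callers can confirm the load hook actually ran. */
int example_is_loaded(void)
{
    return g_loaded && !g_unloaded;
}

/* An exported operation that refuses to run before initialisation,
 * rather than silently touching a NULL table. */
int example_do_work(int x)
{
    if (!example_is_loaded())
        return -1;               /* not initialised: fail closed */
    g_table[0] = x * 2;          /* use the resource set up in on_load() */
    return g_table[0];
}
```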

NOTE: There are many ways to “shoot yourself in the foot” with these methods (on both Windows and Linux) because certain things aren’t available to your library until loading is complete. Don’t use these methods unless you have a real need… just export an Initialize() and Destroy() function instead, and force the consuming application to call them. Please read the “Gotcha’s” section below.
