In the early days of networked gaming (I mean, the days of Doom- (not to things like imaginet)) connections were slow.
If a game or application tried to pump too much data over the connection- it would take time. Also, sometimes the architecture itself and the hardware involved introduced a sort of “time-delay” into the equation. This was called “network lag”- a Doom game might not be enjoyable due to network lag, for instance.
As online gaming has become more prevalent and requires less PC familiarity, the term has started to be used completely erroneously in all sorts of situations.
For example- if your PC is underpowered for a new game, or you set the detail too high and it runs slowly, it’s not “lag” because there is no actual lag between your actions and what you see on screen. The term “lag” was originally used to indicate the time difference between when you pressed a key and when the server acknowledged you pressing that key. Even with the lowest framerates, your key presses are being sent to the buffer in your local machine immediately. The term practically redefined itself when games such as Quake implemented client-side prediction- you could see another player moving forward, and, instead of stopping dead as your PC is awaiting game state information, the client continues to draw that character moving in that direction.
The short story is- “Lag” is completely unrelated to framerate. They are separate. You can have a high lag/ping and a low framerate, or vice versa, or both, but that doesn’t suddenly make them interchangeable.
For the user interface between a user and a computer, the basic options are the mouse and the keyboard. Of course, joypads and joysticks are available and can be programmed to do all sorts of things, but such interface devices are generally used only for games.
For the seasoned computer user, the keyboard is, IMO, far more powerful than the mouse as far as strength of association and muscle memory is concerned. Buying a new mouse that has a different shape can feel “strange” for a while, but for me it takes maybe a few days, or a week. Buying a new keyboard with a different layout for the various “periphery” keys can take me upwards of a month.
As a user learns about the computer, so too, eventually, does their understanding of how various commands are done with the keyboard grow. When a person first learns to use a word processor, for example, they may use the Copy and Paste options on the menu, or in the toolbar. However, as they use these features more and more, they eventually discover, are told, or otherwise learn about the keyboard shortcuts for performing these tasks. In the same fashion, they will start out by selecting text, moving throughout their document, and so forth solely with the mouse. Eventually, they discover arrow keys, and later, the control block keys.
Arrow keys
The arrow keys were originally only present in the number pad area of the original IBM PC and XT keyboards. With the AT keyboard, the arrow keys were introduced and have traditionally been present beneath the control block keys, to the right of the main alphabetic keyboard block.
Today, the arrow keys serve a myriad of functions. Within any Windows edit box when it has the focus, the arrow keys can be used to move about a document. In combination with the Shift key, such movement is accompanied by the selection of the text. Combined with the Control key, the selection moves a word at a time. A seasoned keyboarder will always beat out a mouser at the same text operation. The reason is mostly because, for typing, one’s hands are both busy, well, typing. In order to click a button, toolbar, or menu, one needs to move their main hand (depending on their left or right handedness), move the mouse, and click its button. In contrast, one can perform the same task as most toolbar buttons using a number of keyboard shortcuts.
Control Block keys
For what I do with my computer, which involves a lot of editing of programming code, blog entries, web page files, and forum posts, the control block keys have become invaluable. The control block keys are the often ignored block of keys consisting of the Insert, Home, Page Up, Page Down, End, and Delete keys. When used properly, and in conjunction with modifier keys such as Control and Shift, one can perform a myriad of functions that take 5 or 10 seconds using the mouse. Use of these keys for selecting, copying, pasting, and moving text around has become almost second nature for me. However, this streamlined use completely disappears when I am forced to use a new keyboard whose layout differs. My current keyboard (MS Wired 500) has the control block keys in a vertically biased rectangle consisting of Home and End, Insert and Page Up, and Delete and Page Down.
When I first bought the keyboard, such a layout was clunky and took a lot of work to get used to. It ruined many a programming and debugging session as my mind was taken from the task at hand and instead had to focus on retraining my muscle memory. It took nearly, if not over, a month before I became as proficient as I was. Oddly enough, my laptop used an even stranger layout, whereby the control block keys were aligned down the right side of the keyboard in a single column- Home, Page Up, Page Down, End. Delete is positioned in a horizontal block of keys above those, containing what is often the rightmost set of function keys on the top of the keyboard, Print Screen, Pause, Insert, and Delete. Due to this layout the Delete key is actually right above the home/end… etc block of keys. The laptop I use now, a Toshiba Satellite L300, has a keyboard layout very similar to its “ancient” predecessor whose layout I was used to, my Satellite Pro 440CDX. The 440CDX had a few “quirks” in the keyboard department; for example, the Windows and application keys were moved from their normal position on the bottom row to the left and right of the spacebar, respectively, to pinky stretching positions at the upper right, where my newer model Satellite has the Insert and Delete keys, which, on the 440CDX, took up positions to the immediate left of the Tilde key, which was also moved to the bottom row of keys with the space bar. So the bottom row went Ctrl, Fn, Alt, Spacebar, Tilde/backtick, Insert, Delete, left, down, right. This made any attempt to use the right Alt key (which, admittedly, is usually rather neglected on the average keyboard anyway) actually press the tilde/grave key. However, and perhaps more important, attempts to press tilde (which, having to type the short file name for long file names, comes up more often than some people might expect) will type escape. Which could do any number of things.
Anyway, my point is, it was completely different from the normal keyboard I was using for my desktop. And yet I was equally fluent with it, as it became my main development machine for quite some time (I’m referring to the 440CDX). Therefore the main cause for such familiarity isn’t really a set number of “memorized” layouts, but rather frequency of use. To test, I started up my old laptop. I noticed several interesting changes keyboard-wise. For some reason, I had difficulty typing keys in the upper left. My fingers would try to strike a key that they/I thought was there, only to meet the spot between two keys or press the wrong key altogether. Additionally, and not strictly related to the keyboard, I found myself having the exact opposite problem I did when I first went to adjust to the newer laptop; mouse movement.
The older laptop used the TrackPoint II, or a licensed clone, which is a small stick sticking out between the g and h keys on the keyboard. It’s nearly stationary and detects angular movement on the stick and converts it to mouse movement on-screen. The newer technology that has become the norm for laptops is the touchpad. I cursed loudly when trying to use this at first, often trying to use the TrackPoint instinctively to move the mouse, only to meet with nothing, then remembering the touchpad, cursing again, etc. Basically, it took some getting used to.
However, now, whenever I fire up the old 440CDX to make sure it hasn’t died, I find myself trying to move the mouse cursor with a non-existent touchpoint. The exact opposite issue I had when first adopting it.
That being said, the first conclusion one might reach is that learning the touchpad “pushed” the TrackPoint II out of my mind. However, I believe this is purely a case of how much I use it; if I used them both equally, I’d probably always know exactly which one to use based on some other number of unknown mental stimuli that tell me which one it is, much as I know automatically whether to use the desktop control keys or the laptop control keys based on when I’m using one or the other. It’s rather a case of how often I haven’t used the TrackPoint that has caused it to become a “second attempt” sort of interface.
Function keys
Another important and often described as “advanced” group of keys are the Function keys present on the top row of most keyboards. It was these keys that made my wireless keyboard completely unusable to me. Each block of keys is traditionally separated into groups of four. For some reason, the designers of my wireless keyboard decided to do so in groups of three. This completely screws up every single thing I do with any key other than F1, F2, and F3. For example, pressing Control-F9 “naturally” (via “muscle memory”) on that keyboard makes me press F7- the first key on the third set of keys. I would need to literally retrain my brain to use that keyboard as well, and I’d rather not go through the angst I did previously, especially not for a very specific layout which probably will not become standard even among MS keyboards.
As with most people, when Vista was first released/announced, I was skeptical. Perhaps it was the rather high system requirements compared to XP, or, far more likely, the fact that I was running a 350MHz K6-2 at the time that didn’t have a hope in hell of running it, but I hated it. In truth, I also hated Windows XP before I used/ran it.
I’ve used Vista on my main machine for quite some time now, and I didn’t realize how “used to” it I had become, until I went to do something in an XP Virtual Machine, and, without thinking, I pressed the Windows Key, and typed a few letters, before I realized I was running XP. For a few moments I was completely disillusioned, and even said (out loud) “how the hell did I do this before the search bar?”
I finally remembered that I had to literally dig down through either the Start menu All Programs folder or actually get to the document or file manually through Windows Explorer.
I start nearly every program with the search bar, actually, except for those whose starting actions have become ingrained in my mind (cmd prompt used to be in that category, but I had to change it in order to run as administrator if that is necessary).
It’s really an amazing feature that is bashed way too often. In fact I recently discovered yet another use for it- the Search bar in Windows Explorer that until today I had largely ignored. I was looking for something… and simply typed part of the name in the search bar (after changing to the drive and folder) and poof- there it was. Search completed. It almost felt wrong to not have to drop to the cmd shell to perform some dir /b | find "whatever" commands.
Which translates, I suppose- to “the shell was doing its job”.
As far as AV programs go, I haven’t had one installed for quite a long time.
The very reason I don’t use an AV solution myself is simply because of the “reverse pigeonhole principle” — they all do something different, and there is always something that will get through — for those “holes” the best defense is simply a knowledgeable user. The only way to be truly protected would be to have multiple Anti-Virus products installed, whereby one AV’s “Pigeonhole” is covered by another, and vice versa. This of course doesn’t work, since the AV products simply stomp on each other for everything else.
I might also point out that the very premise of AV comparing is somewhat flawed- all it tests is the AV vendors’ ability to update their virus database as well as the flexibility of that database to describe new viruses; the fact is, once a virus is detected by most major AV products, it’s no longer a “threat”. The reason any virus becomes prevalent is simply because the AV products don’t detect it.
An AV program works rather simply; whether it is “on-demand” (in the now prevalent sense of the word meaning the user is starting it, rather than the traditional sense where it is run when there is a demand for scanning (i.e. opening a file), but I digress) or in the background, an AV scans a file in a rather simple manner.
First, of course, it opens the file. Now, this is where a problem can already arise. What if another process has it open? What about security restrictions? I’m sure we’ve all encountered the “the file is in use” dialogs when deleting or moving a file. Even with the most basic of settings, such as simply reading the file, a virus can easily mess about with the ACL of a file it creates to prevent anybody from reading the file at all, but still allowing the file to be executed, thereby nullifying the whole goal of the AV product.
Of course, now most AVs have a kernel mode driver that forces a “dismount” of sorts on the file- that is, closing every open handle to the file. The problem here is of course two-fold: first, it doesn’t actually change the ACL of the file- if the ACL was set to Read and no execute, then the AV still will not be able to read it, and second, it can cause difficult-to-diagnose errors in other applications when their file handles are suddenly invalid.
Now, in order to combat the first issue, AV products often place their detection logic in kernel mode, where it has complete access to anything, including the ability to change file permissions (I think it can be done in user-mode, too, but I’m not sure); either way, a lot of AVs have their detection logic in kernel mode.
Now, this appears to solve the problem, but really, it introduces a far larger, and more malevolent one. Recall of course that an AV program scans files by essentially reading the file and comparing it using various heuristics to the signatures in its database. This is sensible. However, when running in kernel mode- any crash will give the user a blue-screen- and since the AV is dealing with potentially malevolent code in the form of data, a virus writer could use all sorts of tricks to force the AV to crash for any number of reasons.
On the other hand, what crashes one AV will probably not crash another- therefore the whole “reverse pigeonhole” concept rears its head once again. In fact, it is this very principle that makes AVs as effective as they are; a malware writer is not going to, for example, write pages of extra code just to circumvent detection on some rather unpopular virus program- it’s not worth the effort.
The main problem with the very concept of software based malware detection is just that- it’s software based. Software is of course designed to make well-defined tasks easier, but defining what is and is not malware is a very difficult thing to do. Consider for a moment what would happen if our standard court judges were replaced by software of some form, and you have an idea what I mean. Basically, it’s a problem set that is only partially incalculable. No AV product can filter out the “criminal” code from the not-guilty, for the same reasons a software based implementation of a judge or jury wouldn’t work- it’s a defined ruleset.
A jury/judge obviously runs through the same sort of logic when faced with deciding whether an alleged criminal is guilty, or innocent of a crime. However, it’s important to note that when dealing with the “big time” offenses, the decision is not made by a single person, but by a group of people- in a sense, a group of “criminal detectors” whose various life experiences and intelligence combine to, ideally, properly determine the guilt or non-guilt of an offender.
Perhaps an “ideal AV” would follow the same set of rules- rather than using a single set of rules and heuristics, run the possibly malicious code through a number of tests by various companies. Of course, this implementation has a number of huge problems which are why it hasn’t been implemented in the first place. The first issue is of course company co-operation- why put in for a slice of pizza when you can go for the whole box? Another, and perhaps even more derisive issue with this method is simply the time it would take to do so- jurors, for example, are often coming to a verdict for days, and in some cases will even get hung, at which point it might become a ranking system for an AV system of the same form- which brings us right back to AV rankings and where we started to begin with. Additionally, with on-demand scanning, even with the additional speed of a computer a “judgement” will not be made in a reasonable amount of time.
Which brings us to the real reason AV programs are not as effective as could be- it’s simple- Performance. It has been noted on several occasions that the later versions of an Anti-Virus are often more “bloated” and “slower” than previous versions. UI changes aside, this is often the case for good reason. As the par for the course of computer hardware moves up, the speed which an AV has to work with does as well. Most AV vendors take advantage of this extra speed (often unwittingly, as their application may simply not be tested on older hardware at all).
The fact is, a “perfect AV” is not something that can ever exist. And even the term “definitive best” is rather uncongenial; I mean, the very fact is a metric cannot be suitably established to determine with any amount of granularity when one AV is better than another- if one AV has a bigger database, for example, it’s rather meaningless for several reasons- for example, many AV databases include signatures for all sorts of ancient and long annihilated viruses like “Stoned” and “Michelangelo”. This is analogous to inoculating children, not for diseases they can get, but rather things like Smallpox or Polio or the Black Death or Cholera; which, while not completely eradicated, can generally be easily treated if contracted (or in some cases, the antibodies are given to them by their mothers anyway). So, while AV A has a larger database than AV B, AV B having an “inoculation” for the latest “supervirus” is going to do a whole lot more for them than having “inoculations” for otherwise eliminated viruses.
Adding to the confusion is of course the concept of heuristic detection- since all AVs use a different algorithm, they can of course come up with widely varying “diagnoses” on any number of infected (or even benign or nonexistent) viruses. Add to this the fact that analyzing code paths and branches and trying to use this to determine whether a file is “good” or “bad” on a boolean scale is rather optimistic; any number of applications, for example, access Software\Microsoft\Windows\CurrentVersion\Run and related keys, and yet there was a time where all applications accessing this key were labelled as keyloggers- the rule was apparently that any file containing that string was malware, and additionally a very specific form of malware, which amounts to nothing more than a shot in the dark (this was McAfee some number of years ago, btw). To make things worse the fix was simple- I simply reversed the string. If I can reverse a string and turn an evil keylogger into a harmless program according to an otherwise popular AV program then the malware writers who create the very thing the detection is supposed to find can do so as well, creating an essentially useless database entry that only serves to add to their little spikey bubble on their product box/advertisements.
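The single-string rule described above, as an added example (not code from this post or from any AV product): a scanner run over constructed buffers shows the bare substring rule flagging a harmless autostart program while missing a reversed or UTF-16 copy of the same string, and a second pass that treats the string as one weak hint needing corroboration. The indicator groups, sample buffers and function names are assumptions made for the illustration.

```python
# Added example on constructed data; not any AV vendor's detection logic.
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Hypothetical indicator groups, chosen only for this illustration.
INDICATORS = {
    "persistence": [RUN_KEY],
    "key_capture": ["SetWindowsHookEx", "GetAsyncKeyState"],
}


def naive_is_keylogger(data: bytes) -> bool:
    """The rule as the post describes it: the bare string means 'keylogger'."""
    return RUN_KEY.encode("ascii") in data


def _variants(text: str):
    """Forms one string can take in a file: forward or reversed, ASCII or UTF-16LE."""
    for form in (text, text[::-1]):
        lowered = form.lower()
        yield lowered.encode("ascii")
        yield lowered.encode("utf-16-le")


def matched_groups(data: bytes) -> set:
    """Indicator groups present in the data, matched case-insensitively."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only
    return {
        group
        for group, strings in INDICATORS.items()
        if any(v in haystack for s in strings for v in _variants(s))
    }


def classify(data: bytes) -> str:
    """Treat each string as a weak hint; label only when hints corroborate."""
    groups = matched_groups(data)
    if {"persistence", "key_capture"} <= groups:
        return "suspicious: autostart plus keystroke capture"
    if groups:
        return "informational: " + ", ".join(sorted(groups))
    return "clean"


# Constructed sample buffers standing in for file contents.
BENIGN_UPDATER = b"MZ\x90\x00" + RUN_KEY.encode("ascii") + b"\x00TrayUpdater\x00"
REVERSED_SAMPLE = (b"MZ\x90\x00" + RUN_KEY[::-1].encode("ascii")
                   + b"\x00GetAsyncKeyState\x00")
WIDE_SAMPLE = (b"MZ\x90\x00" + RUN_KEY.encode("utf-16-le")
               + b"\x00\x00SetWindowsHookExW\x00")

if __name__ == "__main__":
    for name, blob in [("benign updater", BENIGN_UPDATER),
                       ("reversed string", REVERSED_SAMPLE),
                       ("UTF-16 string", WIDE_SAMPLE)]:
        print(f"{name:16} naive={naive_is_keylogger(blob)!s:5} "
              f"weighted={classify(blob)}")
```

The second pass is still a static string rule and can be sidestepped by any transform it does not enumerate, which is the post's point about defined rulesets.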
Returning back to the main issue of AV detection- speed.
Now, from what I can tell- the rules of AV detection are pretty much this- you can either have speed or you can have accuracy. I’m sure with 24 hours to think about it an AV heuristic algorithm could determine with nearly 100% certainty whether a given file is a virus, even for those sneaky viruses that haven’t been discovered. But people want to use their computer, not watch the hourglass for hours after every file access, so AV vendors have to compromise.
In all honesty, I think many of them have done a bloody fine job of compromise; there is of course a performance hit on every file access, simply because there is extra code running, but the AV vendors have largely made it something that is short enough that it isn’t even noticeable, which is rather amazing. Now, of course, it is because of this need for speed that any AV program has holes. It’s not because they
The very reason I don’t use an AV is simply because it gives you a false sense of total security; you think, well, there’s only this little tiny hole in my shield… but meh, nobody has a sword small enough to fit through. The problem is of course that you are eventually going to fight somebody using a foil and then you’re screwed. This “eventually” factor is also important. A user who uses their PC maybe an hour a day is far less likely to meet the virus with a foil than the user who doesn’t, in the same way a person who downloads a good number of files is far more likely to install a trojan by accident than somebody who only looks at recipes online.
Lastly- it doesn’t matter HOW effective an AV is if the user doesn’t care. A user, regardless of their AV, needs to be informed of some basic “rules of the internet”; you cannot just slap on some so-called “definitive best AV” and assume they will be fine- they need to have some basic education. So- any “definitive best” AV will have as part of it the user- and since the user is part of the formula, the variable that results when you solve the “equation” may bring out a different AV as the “best” for different people.
Myself- when I want to judge a user interface blindly- I just imagine my mother using it. Now, some of you may be under the impression that my mother is probably some sort of Cobol goddess or something. The truth is, in fact, that she can’t even use a mouse… (actually, wait, that would fit the Cobol Goddess theme... dammit). Anyway- she fits the profile of a total newbie to computers and the internet in general. For example, Firefox is not Firefox, but rather her “facepage” and of course she cannot and will not connect her camera to any computer, because the moment you connect it to a PC every single picture is put onto a web page (regardless of what I, somebody who knows what they are talking about for the most part, says).
Since the user is such a critical component of the equation, it’s important to factor in the user interface of the Anti-Virus solution that they are coupled with. In my experience, AV programs often make “alerts” regarding viruses scary and full of technical jargon, often with cute little pictures of viruses.
They do this when the program updates as well. When my mother was using my brother’s computer, the AV updated, and displayed its little “update” dialog. The dialog included the VERY SAME “scary” virus image (this was ages ago, with AVG) that is shown when a virus was detected. She was terrified that she somehow got a virus onto his computer or something. Not to mention the very hopelessness the image sent- she was even saying “I hope I didn’t infect it, we can’t afford to buy him another one” and other such talk. While one can simply say this is simply user newness to the entire computer scene, it’s important to realize that AV programs are not simply marketed to the technical elite, they are also marketed towards people who have never used computers before and therefore really have no idea what an Anti-virus program does or how it works- all they know is that they “need” one because everybody says they do.
This isn’t to say that they don’t, of course. Really, I’m pointing out that simply saying for them to use “X program” as their AV solution is more software evangelism than it is a proper recommendation, simply on the grounds that the AV and the user are both part of the package; they need to work together. If the user is scared of the user interface presented, they may simply click the “X” button (which, in the case of that version of AVG, was for some reason mapped to “ignore”) so even though AVG was detecting the viruses, nothing was being done to them simply because of the user.
To summarize- the user is part of the AV, in a sense that without a well-informed user, an AV simply may not be able to do its job of eliminating and preventing virus infections. It is pertinent to educate users about viruses, and malware in general as well as how an AV works in order for it to be fully effective.
And yes, there are a number of users who could care less about how a PC works, or whatever, and consider it a tool. Well I think they’re full of it.
First off, not all tools are intuitive. You don’t grab a belt sander and instantly know how to use it and the various types of sandpaper and their ideal uses- you learn those things. Even a simple hammer has a learning curve where you gradually reduce the frequency of a smashed thumb. The people who think that a “tool” shouldn’t require any sort of education are the same people who think they can dry off their cats in the microwave.
