[HN Gopher] Microsoft fixes 5-year-old Defender bug, reducing Fi...
___________________________________________________________________
Microsoft fixes 5-year-old Defender bug, reducing Firefox-related
CPU use by 75%
Author : ylere
Score : 780 points
Date : 2023-04-10 12:58 UTC (10 hours ago)
(HTM) web link (bugzilla.mozilla.org)
(TXT) w3m dump (bugzilla.mozilla.org)
| nabakin wrote:
| Firefox-related CPU use is only reduced by 75% when this bug is
| caused. NOT in the general case as this title implies
| yarg wrote:
| That's actually fairly clear in the title - the second clause
| depends upon the first.
| nabakin wrote:
| Then why are comments assuming a large decrease in power
| consumption?
| jldl805 wrote:
| Because the bug is a frequent occurrence and the increased
| CPU usage is frequently noticeable?
| gtop3 wrote:
| I would like anyone that considers Microsoft to be a recent
| champion of Open Source to reflect on corporate doublespeak. It's
| plausible that this bug was engineered as an attack on Firefox.
| maccard wrote:
| Have you any semblance of proof of this?
|
| By the looks of it took Firefox a few years to figure out what
| the repro was, they reported it to MS, it was (very) promptly
| fixed and they were warned that the syscall they were using
| isn't being used as intended and they should consider changes
| to FF for future use cases.
| JustSomeNobody wrote:
| >> It's plausible that this bug was engineered as an attack
| on Firefox.
|
| > Have you any semblance of proof of this?
|
| Does it _need_ proof? Someone can make a statement like this
| solely based upon past behavior. They 're merely stating that
| it is _plausible_.
| gtop3 wrote:
| I don't have proof. I'm presenting a theory based on
| circumstantial evidence. I think it says just as much to
| reject a theory without proof as it does to present a theory
| without proof. Let me break down the context in which I make
| put forward my theory.
|
| * Corporate doublespeak is a well documented tactic in which
| a business will project a message when the truth is the
| opposite of the message. Sometimes they use euphemisms,
| ambiguity, or omissions. I am stating that we cannot take
| Microsoft's press releases about being Open Source friendly
| at face value.
|
| * Five years ago Edge was rebuilt with a chromium backend and
| Microsoft had a large campaign to increase adoption of Edge.
|
| * Reduced Firefox performance would make Edge compare more
| favorably. This error was clearly in Microsoft's favor.
|
| * It is common for companies that own a platform to create
| advantages for their applications running on the platform.
|
| * Microsoft has a long history in the browser wars,
| highlighted by an antitrust lawsuit in the late 90s. Their
| anticompetitive behavior regarding browsers was a key part of
| the lawsuit.
| xutopia wrote:
| I've lived through the browser wars and I can tell you that
| this would not surprise me one bit.
| maccard wrote:
| There's a difference between something not surprising you
| and a wild, totally baseless accusation. Ill happily eat my
| words if there is a shred of proof, but right now it's
| "company fixes old bug when it was reported to them"
| mrb wrote:
| It's the AV that was calling TdhFormatProperty(), not FF. The
| problem was mostly on the AV side, not FF. FF itself was
| generating many events due to too many VirtualProtect() calls
| which in itself was only a smaller part of the problem.
| DonHopkins wrote:
| If Microsoft were so good at software engineering that they
| could pull off such an attack on Firefox, then maybe they do
| deserve to have a monopoly. /s
| vntok wrote:
| What a weird take. If this bug was engineered as an attack on
| Firefox, then it seems like the project has been infiltrated by
| bad actors, because the bug comes from Firefox's codebase.
| Indeed, the developers themselves contradict your comment in
| the linked bug conversation:
|
| > This problem has two sides: Microsoft was doing a lot of
| useless computations upon each event; and we are generating a
| lot of events. The combination is explosive. Now that Microsoft
| has done their part of the job (comment 82), we need to reduce
| our dependency to VirtualProtect.
|
| (https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c90)
|
| Compare how many calls other browsers make (this is also quoted
| in the link): Firefox was generating up to 46 times more
| (costly) events than Chrome. It is a bit ludicrous to shame
| Microsoft for the whole situation.
|
| > Firefox with normal configuration: ~14000 events, 98% of
| which are PROTECTVM_LOCAL;
|
| > Firefox with the preferences from comment 83: ~6500 events,
| 95% of which are PROTECTVM_LOCAL;
|
| > Edge: ~2000 events, 91% of which are ALLOCVM_LOCAL;
|
| > Chrome: ~300 events.
| DoctorOW wrote:
| Devils advocate, why then did they fix it?
| mistrial9 wrote:
| slow walk.. or.. in comparison, have you contacted your local
| city government to fix obvious holes in the road recently?
| Around here, a two-year wait time to fix it is common.
| justinclift wrote:
| Because it became public knowledge that it was happening?
| stalfosknight wrote:
| Do we have to assume negative intent every time something like
| this happens?
| agloe_dreams wrote:
| Well no, but I also would question the inverse. Holding
| accountable companies that gain from possibly bad actions and
| asking the questions is helpful.
|
| See: Microsoft's Supreme court case over their preference for
| IE and forced monopoly. While Microsoft 'won' the case, the
| outcomes were exactly what the case feared but "convenient"
| political climate helped them avoid travelling back to court
| of course. Microsoft took extreme steps to avoid being broken
| up in the 1990s however and it's arguable that one of their
| political mitigation methods, investing in Apple, actually
| had worse effects on them. (Prior to the iPhone in 2007, it
| was assumed that RIM and Microsoft would be the big two
| players in the smartphone space, Apple and Google have
| basically become the big two players in the Computing space
| mindshare)
|
| https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor.
| ...
| uoaei wrote:
| We should at least be aware of it as an option. Many call
| this "healthy skepticism". It becomes unhealthy when you veer
| into blind optimism/pessimism/cynicism.
| princevegeta89 wrote:
| Very interesting point. They might have had the intentions of
| pushing everyone to use Edge, and it is not surprising after
| their so many consistent nags and misleading messages to think
| its the "better" browser compared to anything else.
| chaostheory wrote:
| This is a relic of Bill's tenor. Satya is different in good
| way.
| markphip wrote:
| It is amusing that anyone thinks a company with > 200K
| employees and probably 10K products is organized enough for
| something like this.
| naremu wrote:
| Inaction is a pretty low "bandwidth" form of action, and can
| sometimes produce the results you're looking for just as
| well, if not more effectively.
|
| Microsoft has a storied history of anti-competitive views
| leaking to public eyes/ears, something like this is quite
| literally a matter of _not_ organizing anyone.
| garbagecoder wrote:
| The WWEification of every discourse is the worst thing about
| $current-year
| echelon wrote:
| Why would Microsoft attack Firefox specifically and not Chrome?
| Chrome is the bigger threat to their business. Firefox has
| become almost too small to care about - little revenue, small
| browser market share.
| agloe_dreams wrote:
| There's an argument that Microsoft's Edge use of Chromium and
| then the Surface Duo would cause 'don't bite the hand that
| feeds you" problems. Not agreeing with OP, but it would make
| sense.
| babypuncher wrote:
| This seems incredibly unlikely and overly cynical just for the
| sake of being cynical.
| layer8 wrote:
| Never attribute to malice...
| alpaca128 wrote:
| Nowadays a lot of malicious acts are intentionally disguised
| as stupidity and incompetence. Not necessarily in this case,
| but that quote really is showing its age.
| Animats wrote:
| How fast would this have been fixed if was Microsoft Edge that
| was wasting CPU time?
| jahsome wrote:
| Depends on how fast google patched it.
| jiggawatts wrote:
| Looks like there's more work left to do to catch up to Chrome:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1823634
|
| That bug is more subtle. Apparently the various ways to use
| VirtualAlloc is not self evident, and some variations have wildly
| different performance characteristics due to undocumented
| interactions with Event Tracing for Windows (ETW) events that get
| sent to anti virus products.
|
| So it's not _only_ the original problem of the events being
| handled inefficiently, it 's also that the way they're generated
| is a bit of a black box and hard to predict without detailed
| performance tracing work.
| subarctic wrote:
| When you say reduced by 75%, would that mean, say, going from %40
| to 10% or from 75% to 0%?
| chucksmash wrote:
| It means the former.
|
| If you reduced something to zero, you reduced it by 100%.
| [deleted]
| swamp40 wrote:
| Title should be _Microsoft fixes 5-year-old Defender bug which
| used up more energy than every Bitcoin ever created._
| dgellow wrote:
| > mpengine.dll version 1.1.20200.4 was released on April 4, so
| the fix should be available for everybody now. See the end of
| comment 91 to know what version you are using. Also, the latest
| discoveries in bug 1822650 comment 6 suggest that we can go even
| further down in CPU usage, with all antivirus software this time,
| not just Windows Defender.
|
| Really nice to see open collaboration between Mozilla and
| Microsoft development teams resulting in a net improvement for
| everybody.
| hgsgm wrote:
| Well, a net improvement for the people who paid Microsoft for
| an OS that wasted their energy and wore down their computer
| (heat damage) for 5 years.
| bornfreddy wrote:
| Yes. I mean it took 5 years, but who would count. /s
| dan-robertson wrote:
| People care about open Firefox bugs much older than that.
| Basically any long-lived program will have ancient bugs that
| never made it onto someone's todo list.
| sicariusnoctis wrote:
| For example, it only took 20 years (!!) to stop Ctrl+Q from
| quitting Firefox on Linux. :)
|
| IIRC, a couple of patches did get submitted, but never
| accepted for unknown reasons.
| crest wrote:
| "bug"
| tcfunk wrote:
| I wonder if this is why Firefox often gets killed when I have
| other high-resource apps open?
| cronix wrote:
| If you're on a Mac and using FF (probably not FF specific),
| turning off "ambient mode" in youtube can save 30% cpu. I just
| found this out while searching why FF was taking 90% of my cpu
| while watching youtube videos in normal mode, but went down to
| 40% use if viewing in full screen. Turns out that this youtube
| "ambient mode" was the culprit. My lap is now cooler and the fan
| doesn't turn on anymore. I wonder how much power I've wasted due
| to this new "feature" they added 6 months ago that I didn't know
| about.
| asvitkine wrote:
| To save a search:
|
| "Ambient mode uses a lighting effect to make watching videos in
| Dark theme more immersive, by casting gentle colors from the
| video, into your screen's background."
| qotgalaxy wrote:
| [dead]
| bee_rider wrote:
| Neat idea, I bet the intern had fun implementing it, why was
| it on by default?
| tablespoon wrote:
| > Neat idea, I bet the intern had fun implementing it, why
| was it on by default?
|
| Total speculation, but Firefox seems to be pushing out a
| lot of UI gimmicks. Maybe they're trying to drum up
| interest in the browser that way, since they seem intent on
| killing many of their other differentiators.
| [deleted]
| Georgelemental wrote:
| This is a YouTube feature, not a Firefox one.
| rejectfinite wrote:
| I really like it!
|
| Then again, I am using a real computer and not a toy.
| CyanBird wrote:
| Because the target audience for the feature is not tech
| savvy people but common users whom won't know it exists
| until it is shown to them/might be intimidated to delve
| onto FF settings
|
| If you are tech savvy, you are then expected to be able to
| "bear the burden" of turning the feature off if it bothers
| you
| devilbunny wrote:
| Hell, I'm tech savvy - not a tech worker, but you'd
| better believe that you want me to be your end-user
| contact, I know a hell of a lot more than the people I
| work with - and I didn't even know this was an option.
| I'm not afraid of fixing FF settings, done it plenty of
| times. It's on by default. If someone who can install
| OpenBSD and make it a router for DSL over PPPoE in 2001
| (side job) doesn't even know it exists and eats cycles
| [i.e., a "prosumer", not an expert, but not too far below
| a new hire and well beyond the masses), it's a bad idea.
| I don't have _time_ to stay up on every way that people
| want to eat my electricity. I _do_ know that YouTube
| spins up the fan on my iMac with disturbing regularity in
| a way that videos from alternative sources do not. So it
| 's not the decoding.
| oarsinsync wrote:
| > might be intimidated to delve onto FF settings
|
| It's a YouTube setting, not a Firefox setting.
| warent wrote:
| This seems unnecessarily passive aggressive. Everyone makes
| mistakes or bugs, intern or not. It makes no sense to get
| this salty about basic human error. Also there's nothing
| wrong with implementing minor UX enhancements.
|
| If anything redirect the frustration to the leadership that
| doesn't prioritize fixing these kinds of errors.
| TechBro8615 wrote:
| It's not unreasonable to hold YouTube devs and QA
| engineers to a higher standard than everyone else who
| doesn't work for a ~trillion dollar corporation or deploy
| code that runs on billions of devices.
| wiseowise wrote:
| We aren't talking about misaligned element here, you
| know.
|
| There are millions of FF Mac users, it's not unreasonable
| to expect YouTube to do some basic testing. Never got any
| issues showing ads, though.
| alluro2 wrote:
| I don't think there's any error to fix. It's a feature -
| casting light from the video onto the UI, using JS,
| surely takes that amount of CPU.
|
| The question of why it is on by default stands - because
| it's little bit of eye candy, vs people's laptop
| batteries, CPU that could have been used to get other
| stuff done faster - so also their time, device thermals
| etc... I don't think it's just unnecessarily salty to
| point out how the choice to turn this on by default
| should have been more nuanced and thought through.
| tempestn wrote:
| How much can websites determine about the power of the
| device they're running on? Obviously it'd be a security
| issue for them to know too much, but it would be nice to
| be able to progressively enhance the experience for more
| powerful devices that can handle it, beyond just mobile
| vs PC. Even just knowing whether a device was running off
| battery power could be useful.
| simlevesque wrote:
| Here's what's available, requires permissions:
|
| - BatteryManager.charging
|
| - BatteryManager.chargingTime
|
| - BatteryManager.dischargingTime
|
| - BatteryManager.level
|
| https://developer.mozilla.org/en-
| US/docs/Web/API/BatteryMana...
|
| https://caniuse.com/?search=BatteryManager
| rileyphone wrote:
| Isn't available in Firefox though...
| lobocinza wrote:
| IMO the implementation sucks and the feature is
| questionable. Recently I set the browser to dark mode,
| which tells YT to also use dark mode, and if I haven't
| read here I wouldn't know that this is a toggleable
| feature. It's sad when we can't tell a feature and a bug
| apart.
| Consultant32452 wrote:
| Not being able to distinguish between a feature and a bug
| is a feature, not a bug.
| kortilla wrote:
| This is definitely worth getting salty about when you
| consider the cumulative electricity wasted for something
| so trivial. Google should be strictly monitoring
| performance and CPU consumption of their changes on
| youtube since a screwup there is the climate change
| equivalent of paying for 747s to fly in circles.
| bee_rider wrote:
| Just to be clear I was being a bit snarky, but what I
| meant is that this is sort of a small, fun, less
| important project that could be easily given to an
| intern.
|
| I don't think there is a bug? It seems like a sort of
| image processing thing that might take a bit of compute
| run. To the extent that there's blame, I'd lay the blame
| at the feet of whoever decided it should be turned on by
| default.
| Dwedit wrote:
| Looks like it's a Youtube feature rather than a Firefox
| feature?
| [deleted]
| shapefrog wrote:
| They are not the intern anymore - they are senior vice
| president of battery draining, this feature absolutely
| killed it at the end of year review.
| runnerup wrote:
| [flagged]
| tough wrote:
| They went for copying philips ambient lights on tv's but with
| software, what could go worng
| javajosh wrote:
| To save another search:
|
| On desktop and mobile devices: While
| playing a video, select the Settings button. Locate
| the Ambient Mode setting in the list of preferences.
| Toggle it to off to disable Ambient Mode for all videos on
| YouTube (in that browser).
|
| It's in the same popup used for video quality and playback
| speed.
| LegitShady wrote:
| I dont have that option. firefox on windows 10.
| jonesnc wrote:
| For those who may be wondering, the Settings button
| referred to here is the gear button in the Youtube video
| player.
| 867-5309 wrote:
| for those unfamiliar with visualising a gear, seek the
| doughnut with a notched circumference
| musicale wrote:
| for those unfamiliar with visualizing a doughnut, imagine
| a bagel-shaped treat of sweet cake-like dough, deep-fried
| and frosted, with optional sprinkles
| JohnFen wrote:
| What's a bagel?
| shrewduser wrote:
| oh i saw this happen to me the other day, i was wondering if
| it was a new youtube feature or something. can't say i care
| for it.
| LanternLight83 wrote:
| Just noticed it recently too, though it might have been an
| update to the stylus theme I use, I actually quite like it
| sicariusnoctis wrote:
| The "average color" (or whatever it is) could have been pre-
| computed server-side rather than tiring out the poor innocent
| client CPUs.
| Phiwise_ wrote:
| But then Google would be responsible for that one-time
| computation instead of making the clients do it billions of
| times.
| hsbauauvhabzb wrote:
| They could do it on a few clients then ship the data back
| to the server. If they're resourceful those clients don't
| even need to be watching the video! (they could send it
| and compute the output in the background of another
| stream)
| TeMPOraL wrote:
| But that's a distributed problem now and those use up
| valuable developer time, which we know is the most
| important resource in the world...
| KeplerBoy wrote:
| Couldn't this be done cheaply on the GPU?
| musicale wrote:
| > make watching videos in Dark theme more immersive
|
| the best way to make youtube videos more immersive is to
| block obnoxious advertisements, remove useless algorithm-
| driven recommendations, and delete the comment section
| tmtvl wrote:
| As I don't use edgelord mode I'm guessing I don't have to
| worry about it.
| JohnFen wrote:
| Thank you! I had no idea this was a thing YouTube did.
| Tagbert wrote:
| Where is that setting? In YouTube Settings? I don't see it,
| there.
| b215826 wrote:
| If you use uBlock, add the following to the filters:
| youtube.com###cinematics.ytd-watch-flexy
| erulabs wrote:
| It's not in the general settings - instead it's in the
| setting menu in the video player itself, where you'd select
| the quality and playback speed, etc.
| LegitShady wrote:
| its not there for me. I dont see it in any settings
| anywhere.
| zamadatix wrote:
| I don't see it either, maybe it's on an A/B rollout for
| desktop.
| wslh wrote:
| I think it is time to have a way to fine tune consumption based
| on settings. I assume the less complex way to do this is,
| really, use the telemetry information gathered.
| treis wrote:
| Similarly gifs and animated emojis in Slack chews up the CPU.
| Something like 20% at idle before I turned it off.
| hapticmonkey wrote:
| I honestly thought my monitor or GPU was having issues with
| weird colour banding around YouTube videos. Turns out it was an
| intentional choice they made to do that. I don't know why it's
| on by default.
| thih9 wrote:
| This is why I like terminal, rss, or other technologies where
| it's hard to add this kind of fireworks to the UI.
|
| When done right, sure, they improves the user experience by
| some percentage. But when done badly, the UX goes down by
| orders of magnitude.
| xk_id wrote:
| absolutely. besides, graphical UIs bombard the brain with
| everyone's unique take on visual aesthetics, consuming
| limited mental resources like attention
| tiagod wrote:
| If you turn off your computer power usage goes to 0% too.
| emoII wrote:
| Same behaviour for me using Safari.
| xk_id wrote:
| as I don't care about the comments section or the recommender
| algo, I search (youtube-fzf) and launch (yt-dlp + mpv) youtube
| videos directly from the terminal. i have a bash pipeline for
| this and, naturally, it is very resource efficient
| Affric wrote:
| post the script pretty please
| winter_blue wrote:
| This is one of the myriad reasons why I have a strong
| preference for Linux.
| ok_dad wrote:
| I just bought a Macbook because my dedicated Linux laptop,
| made by a popular Linux-only manufacturer, had so many issues
| that I got tired of diagnosing. I love Linux, but it's not a
| panacea for every computer issue under the sun, just a few of
| them. I, personally, am stoked I no longer have to deal with
| issues with this new machine, and can just take it into a
| Genius bar appointment to let someone else deal with it, for
| pennies a day. You can't get _that_ on Linux!
|
| Feel free to tell me I'm a sell-out, I am happy to be one
| today.
| mbernstein wrote:
| You're a sellout but I am too, so welcome :).
| zamnos wrote:
| With all the attention being paid to macOS these days,
| there's enough mods and addon's that I don't miss Linux
| _so_ much on my laptop. Hammerspoon gets me drag and resize
| windows how I want, and there 's Rectangle.app for tiling-
| ish window management. There's no /proc, and all the rest
| of the cli utilities are just wrong (netstat, route, top,
| etc) but I can live with my M1.
|
| (brew addresses a lot of the issues though, even if I do
| have to remember to run gdu instead of du (for gnu du))
| xk_id wrote:
| yabai is the full featured window manager for macos
| acomjean wrote:
| I switched to linux. I like it and haven't really had any
| issues to speak of. Not with sound, video, wifi or any of
| the other things people complain about. My fan went, but
| likely it was a pet fur issue, and easy to fix... I'm not
| an admin. I know how to use the command line, and how to
| use it as a work machine. Really my experience over the
| past 3 years, its been as trouble free as my Mac used to
| be. It really is the great development platform.
|
| Glad you like your machine.
| grugagag wrote:
| Can you hybernate your system without issues?
| javaunsafe2019 wrote:
| You are not sellout but just the average Joe. No problem
| with that I guess. Have fun with your Mac that uses a
| soldered ssd that when failing makes your whole Mac useless
| as well.
| jutrewag wrote:
| Meh hasn't happened yet but I'd just buy a new one. That
| being said, I always also have a windows and Linux
| machine, they're just not my daily drivers.
| freedomben wrote:
| > _I, personally, am stoked I no longer have to deal with
| issues with this new machine, and can just take it into a
| Genius bar appointment to let someone else deal with it,
| for pennies a day. You can 't get that on Linux!_
|
| Honest question. If you _could_ get that on Linux, would
| you? and what kind of pricing would you consider
| reasonable? Is it something that would have to come with
| the computer (i.e. would you pay for it separately or would
| you only use it if it was "free" aka included with your
| laptop purchase)? Did you stick with the vendor-provided
| install or did you wipe and install your own preferred
| distro?
| runnerup wrote:
| I would pay the same amount for a Linux laptop that
| worked as easily as a MBP and had similar build quality,
| performance and battery life.
|
| Howver, whatever crazy-stable and easy to use and well
| supported hypothetical Linux this is wouldn't be
| compatible with my "real" Linux use cases so I would then
| also install Arch or whatever and live with constantly
| borked everything and just swap between my Arch "Dev" OS
| and my "Linux Mac" business/work/consumer OS.
|
| Current Linux cannot be made "MacOS"-stable. But maybe in
| 5 years.
| fiddlerwoaroof wrote:
| This has nothing to do with macOS vs. Linux, though
| ezfe wrote:
| not sure what your point is... ambient mode is a visual
| effects thing YouTube does and reading the descriptions, not
| surprised it causes increased CPU usage regardless of OS.
| DevKoala wrote:
| _Something happens_
|
| > This is one of the myriad reasons why I have a strong
| preference for Linux.
| xen2xen1 wrote:
| Because browser users on Linux have never, ever been
| shafted by a browser bug? Riiiiiight.
| sicariusnoctis wrote:
| This happens on Linux too. I was wondering if the weird CPU-
| hogging flickering was a bug in my compositor (picom) or
| window manager (i3) or browser (Firefox). Turns out to be a
| "feature".
| whalesalad wrote:
| My only interaction with Windows Defender is the (undefeatable)
| nag popup every boot that warns me it is disabled.
| Renaud wrote:
| If you use Windows Pro and Enterprise, you can use GPO to
| disable Defender. Just run gpedit.msc and edit a few of the
| policies to disable real-time protection etc.
|
| Under Computer Configuration > Administrative Templates >
| Windows Components > Microsoft Defender Antivirus
| - Turn off Microsoft Defender Antivirus -> set to Enabled
|
| Under Computer Configuration > Administrative Templates >
| Windows Components > Microsoft Defender Antivirus > Real-Time
| Protection - Turn on behavior monitoring -> set
| to Disabled - Monitor file and program activity on your
| computer -> set to Disabled - Turn on process scanning
| whenever real-time protection -> set to Disabled - Turn
| on behavior monitoring -> set to Disabled
|
| Restart the computer and Real-time protection should be
| disabled permanently (until you reverse the same settings
| through gpedit.msc at least).
| bob1029 wrote:
| You can also elevate to Trusted Installer or System and
| completely remove this garbage from your computer.
|
| Alternatively, if you run windows server as your workstation
| OS, you can perform an uninstall using Remove-WindowsFeature
| from powershell.
|
| The old gpedit tricks don't really work anymore in my
| experience.
| zamadatix wrote:
| With 11 (or possibly newer versions of 10, haven't tried
| lately) this doesn't seem to actually disable MsMpEng.exe
| from loading anymore. Using something like
| https://github.com/jbara2002/windows-defender-remover seems
| to work though.
| ChuckNorris89 wrote:
| My car also nags me every time I unbuckle my seatbelt to park
| yet that doesn't mean everyone should have it unbuckled all the
| time. There's a reason it's designed to be naggy.
|
| Having everyone easily disable Windows Defender will not lead
| to a great outcome.
|
| There's a reason malware on Windows has been on a steep decline
| from the Windows XP days and I'd prefer it to keep it that way.
| whalesalad wrote:
| TBH the main reason I commented this was to get some kind of
| validation from the community (positive or negative). Sounds
| like I need to turn it back on :)
|
| I really only use this machine for MWII, Halo and Titanfall.
| It's a glorified Xbox. I even contemplated putting it on a
| standalone VLAN to 100% physically isolate it from my core
| net.
| akira2501 wrote:
| Not all uses cases for a car are the same. Some are held
| entirely on private property and are used as work vehicles
| where the seat belt chime would be unnecessary and
| distracting. Which is why most manufacturers provide a sneaky
| mechanism to disable it. I own the vehicle, why wouldn't they
| let me disable the nag?
|
| Their solution? Make it intentionally complicated, but still
| possible:
|
| Step 1: Turn your headlight switch off
|
| Step 2: Unbuckle your seatbelt and turn the key to the off
| position
|
| Step 3: Turn your key to the on position till the seatbelt
| warning light turns off
|
| Step 4: Buckle and unbuckle the seatbelt three times and end
| on the unbuckled position
|
| Step 5: Turn your headlight switch on for three seconds and
| then turn it off
|
| Step 6: Repeat step number 3
|
| Step 7: Wait for the seat belt warning light to turn on and
| off again then buckle and buckle the seat belt
| callesgg wrote:
| Sounds like you are arguing that seatbelts do not increase
| the safety of its users when it is used on private
| property.
|
| I know it's not your main point. But anyways.. it does not
| increase the rhetorical power of your comment.
| whalesalad wrote:
| I remember doing this sort of song and dance with my RAM
| and Jeep. Sometimes I am just moving around a parking lot
| for a brief moment, or especially when off roading (read:
| stuck) and don't want the constant beeping.
|
| Seat belts are 100% an immediate habit for me. Driving at
| any rate of speed without one makes me feel super sketchy
| and uncomfortable, so the nag is not needed at all.
|
| On my Ford's I would use FORScan to defeat it via the OBD2
| port.
|
| I do have a security gateway bypass module for my truck
| though so hopefully I will be able to start playing around
| with AlfaOBD soon.
| garbagecoder wrote:
| It's humbling to be in the presence of such greatness.
| badrabbit wrote:
| Haha, you should enable it with exclusions. It's the best AV
| out there that isn't an EDR. I disable it in labs but I can't
| imagine running windows in prod with defender enabled. Don't
| use windows like it's Linux.
| TecoAndJix wrote:
| Defender, under certain licenses, is an EDR -
| https://learn.microsoft.com/en-
| us/microsoft-365/security/def...
| mesebrec wrote:
| What is an EDR?
| libraryatnight wrote:
| endpoint detection and response:
| https://learn.microsoft.com/en-
| us/microsoft-365/security/def...
| [deleted]
| [deleted]
| Brosper wrote:
| Wow Microsoft should say at least sorry to Mozilla and somehow
| repay them for this!
| nabakin wrote:
| Previous post:
|
| https://news.ycombinator.com/item?id=35458746
|
| @dang
| jeffbee wrote:
| That's one way to look at it, but a very biased take. An equally
| valid take is that Firefox was calling an expensive platform
| feature too often, and even though it has been killing
| performance for years (possibly, for the entire history of the
| project) nobody noticed or bothered to fix it on the application
| side.
| jupp0r wrote:
| The platform feature in question was normally cheap and just
| made artificially expensive by Defender intercepting calls to
| it and blocking until analysis was performed. I don't think
| it's the FireFox' team's responsibility to be aware of and take
| into account arbitrary software intercepting system calls.
| pradn wrote:
| It's the application owner's responsibility to make it the
| app run as best as it can on a given platform. Platforms are
| messy, but you have to deal with it. You should escalate to
| the platform owner, sure, but you can't rely on them fixing
| it in any reasonable time-frame.
|
| I worked on a desktop<->cloud file sync app. On Windows, only
| one badge can show up on a file's icon in Explorer. If
| there's multiple apps trying to set the badge, who wins?
| Well, it depends on the lexicographical order of the
| registrants names. So what did we do? We added some spaces to
| our registration name to make them show up first. Good for
| the user, as best as we can know - since the user or their
| admin had to install the app to get these badges in the first
| place. And they were useful ones too - whether a file was
| synced or not. We tried our best, and escalated.
| jeffbee wrote:
| Windows Defender real-time protection is enabled by default.
| shadowgovt wrote:
| > I don't think it's the FireFox' team's responsibility to be
| aware of and take into account arbitrary software
| intercepting system calls.
|
| One of the first, hard lessons I had to learn about web
| development (like, stare-at-a-wall-and-consider-my-career-
| hard) is that web development is _way_ more about network
| effects than application architecture.
|
| Real people run systems with real configurations, and when
| you're targeting "the public" as your userbase you must
| account for that. And Mozilla knows this: if you go into the
| source code (circa 2009, YMMV) and look through the
| initialization and boot-up logic, you would find places where
| the system used heuristics to figure out whether some
| extensions had been installed in odd places instead of the
| "Extensions" directory (because the tool had been installed
| before Firefox) and hot-patch paths to pull in that
| component. Because if a user installs Flash and then installs
| Firefox and Flash doesn't work in Firefox, it's not Flash
| that's broken... It's Firefox.
|
| It doesn't matter if the bug is in "Microsoft's code" or
| "Mozilla's code." That's unimportant. If you're a Mozilla
| engineer, all that matters is whether this bug would cause a
| user to get pissed off and uninstall Firefox.
|
| Thats. All. That. Matters.
| jupp0r wrote:
| I completely agree with you and have been on the other side
| of this too, having worked on a native enterprise app
| running on various MacOS, Windows, iOS and Android
| versions. Customers don't care if you have a great
| explanation why stuff with your app doesn't work. That
| being said, it's completely unreasonable to have the
| proactive expectation of something working well today
| (writing many files) breaking tomorrow (due to defender
| heuristics changing) and proactively trying to prevent this
| by optimizing. Mozilla reacting to this by both reporting
| the bug to Microsoft and optimizing to work around the
| problem is really the best you can do.
|
| "They shouldn't have written so many files in the first
| place" is not a valid preventative strategy, but a one way
| road to premature optimization hell.
| chris_wot wrote:
| Yes, but it's incredibly difficult to work out what is
| causing the problem. That's what happened here.
| vntok wrote:
| > I don't think it's the FireFox' team's responsibility to be
| aware of and take into account arbitrary software
| intercepting system calls.
|
| Per the bug report, Firefox was generating up to ~14,000
| calls where Chrome was generating ~300, though.
|
| Surely it is Firefox' team's responsibility to use system
| calls in a sane way, say not almost 50x more than the
| competition?
| bogwog wrote:
| > Surely it is Firefox' team's responsibility to use system
| calls in a sane way, say not almost 50x more than the
| competition?
|
| The docs for that function don't say anything about
| performance: https://learn.microsoft.com/en-
| us/windows/win32/api/memoryap...
|
| They also don't say anything about "sane" usage, and while
| I don't have an MBA, I'm pretty sure they don't teach
| anything about `VirtualProtect` ratios when doing
| competitor analysis.
|
| One possibility is that the Chrome team's implementation
| was more efficient due to luck, or they invested the
| resources to identify the performance characteristics of
| this function call, whereas the Firefox team missed it. I
| don't think "Chrome has more development resources than
| Firefox" is news to anybody.
| [deleted]
| shadowgovt wrote:
| There are three facets to any protocol, API, or standard
| in software:
|
| The spec, the intent of the spec, and the implementation
| of the spec.
|
| Doesn't matter what the docs say; what matters is what
| performance testing shows. Docs lie.
|
| And even if Chrome lucked into a cheaper implementation:
| that luck has given them a market edge.
| jupp0r wrote:
| Did you read the bug report? This is literally about
| writing to files in a temp folder. Surely you can optimize
| that but you should also be able to assume that this does
| not use excessive amounts of CPU on a modern operating
| system.
| vntok wrote:
| Yes, I have read the bug report. It mentions that Firefox
| writes wayyyyy too much in the temp folder. It also
| mentions that the team should fix this behaviour
| independently of the fact that some of those calls are
| more costly than they should be because of the bug in
| Defender:
|
| > With a standard Firefox configuration, _the amount of
| calls to VirtualProtect is currently very high,_ and that
| is what explains the high CPU usage with Firefox. The
| information that the most impactful event originates from
| calls to VirtualProtect was forwarded to us by Microsoft,
| and I confirm it. In Firefox, disabling JIT makes
| MsMpEng.exe behave much more reasonably, as _JIT engines
| are the source of the vast majority of calls_ to
| VirtualProtect.
|
| > On Firefox's side, _independently from the issue
| mentioned above, we should not consider that calls to
| VirtualProtect are cheap. We should look for
| opportunities to group multiple calls to VirtualProtect
| together,_ if possible. Even after the performance issue
| will be mitigated, each call to VirtualProtect will still
| trigger some amount of computation in MsMpEng.exe (or
| third-party AV software); the computation will just be
| more reasonably expensive.
| cesarb wrote:
| > It mentions that Firefox writes wayyyyy too much in the
| temp folder.
|
| > > the amount of calls to VirtualProtect is currently
| very high
|
| Calling VirtualProtect is not writing to the temp folder.
| The VirtualProtect call is to change the permissions of
| the in-memory pages. It should be an inexpensive system
| call (other than the cost of TLB flushes and/or
| shootdowns).
| IshKebab wrote:
| Come on, anyone that has even unzipped Linux-centric
| stuff on Windows knows how slow individual file
| operations are compared to Mac or Linux.
|
| It's very common knowledge that on Windows you will get
| terrible performance if you have many many small files.
|
| I don't know why Microsoft doesn't fix that. Maybe they
| can't for compatibility reasons or something. But that's
| the way it is, and any software that wants to run well on
| Windows needs to deal with it by using fewer bigger
| files.
| thfuran wrote:
| I usually assume that even vaguely considering looking in
| the same direction as a file on windows will melt my CPU.
| hgsgm wrote:
| Windows Search Indexer automates that for me. CPU keeps
| burning even when monitor is off and I'm working on
| another computer.
| 0cf8612b2e1e wrote:
| Why is Search Indexer constantly rescanning the same
| files? Can they not cache the results from the previous
| scan? That and OneDrive are constantly making my work
| laptop scream.
| [deleted]
| BuckRogers wrote:
| You really shouldn't assume anything in software or any
| complex system. I know this wouldn't fly at my job, and I
| don't work at Mozilla.
|
| This is basic testing.
|
| Normally this is the mark of a bad software engineer, but
| attempting to blame the platform you're on for your lack
| of testing takes it a to a new low.
|
| Mistakes happen, admitting full incompetence that basic
| testing isn't done is damning. This is not a good defense
| of Firefox nor Mozilla.
| jupp0r wrote:
| Not sure what your job is, but in my job:
|
| - we implement a feature, test it thoroughly for
| functional and non-functional requirements
|
| - when we are happy, we release it
|
| I don't see myself being responsible for a third party
| software company coming along years later and introducing
| a bug in code that injects itself between my software and
| the operating system that users of the software I wrote
| happens to install at some point.
| garbagecoder wrote:
| You basically just said you stop supporting things once
| they ship. Doesn't work properly on Windows? Shrug.
| dpkirchner wrote:
| Maybe you're not responsible, but if someone says
| "something changed in the OS and your previous method is
| now adding substantial overhead", you could either a)
| report the change to the OS and mitigate or b) report the
| change to the OS and ignore the problem for years. It
| sounds like Mozilla chose b, for whatever reason.
|
| As a software developer, I've had to workaround many many
| bugs in OSs, especially when dealing with updates to
| Android. It's just part of the job.
| thfuran wrote:
| The OS isn't some random third party software, it's one
| of your dependencies. Your software doesn't work without
| the OS and if it also doesn't work with the OS, it just
| plain doesn't work.
| wtallis wrote:
| That's really not a tenable mindset to be taking these
| days. With how much Windows has become a constantly-
| moving target rather than a stable platform, you need to
| regard it first and foremost as your adversary, whether
| you are developing against it or are simply an end user.
| And the days of being able to thoroughly test against
| every relevant version of the OS are long gone; Microsoft
| has ensured your QA will be Sisyphean.
| shadowgovt wrote:
| At the end of the day, it's about your users.
|
| If your users are on Windows, you have to be where they
| are. Moving target, wonky API, warts, and all.
|
| Yes, it's Sisyphean. That's why my shop had a whole room
| stuffed with parallel Windows installs. We couldn't
| afford to have our users be the first ones to notice
| Microsoft pulled the rug out from under us again.
| jesse__ wrote:
| I'm not sure how you can possibly qualify VirtualProtect as "an
| expensive platform feature". Looking at the operation that
| VirtualProtect actually has to perform, from first principals,
| it should be one of the cheapest syscalls in the entire kernel.
|
| The bug was that ETW (in the antivirus process) was doing
| something braindead; zeroing a megabyte of memory unnecessarily
| every time someone called it just to get the size of a buffer.
| kramerger wrote:
| > it should be one of the cheapest syscalls in the entire
| kernel.
|
| That's an educated guess... that is unfortunately very easy
| to disprove :(
| jeffbee wrote:
| Exactly. If you're going to assume some call is free, write
| that down in a test that can be periodically verified and,
| preferably, is.
| shadowgovt wrote:
| Branch prediction should be a super-dumb algorithm, but then
| Spectre comes along and, oh dear.
|
| Malware protection algorithms make fools of us all.
| jupp0r wrote:
| Also worth noting that the "expensive platform feature" you
| refer to in this specific case means "writing to a file".
| Something as basic as this should be assumed to be fast on
| modern operating systems.
| jeffbee wrote:
| It is not a bug that there are overlooked optimizations in
| some platform features. Windows has a ton of slow features.
| Starting a process, for example, takes forever. It is the
| responsibility of application authors to write their
| performance-sensitive critical path in such a way as to avoid
| bogus platform behaviors. This goes for Linux, which has more
| than its fair share of brain damage, as well as Windows.
| jupp0r wrote:
| I generally agree with you. Having worked on lots of cross
| platform software, a big part of that job is to work around
| quirks of the underlying platforms, which can be
| significant. However in this case, it's not that Firefox
| was introducing the usage of these APIs and was then
| starting to have performance problems. They used the APIs
| without problems when suddenly Defender came along and
| slowed them down by orders of magnitude when they had been
| working fine for years.
| pavon wrote:
| No it had nothing to do with Firefox writing files. Firefox
| was making a bunch of calls to VirtualProtect. Windows
| Defender (MsMpEng.exe) was then writing to file (an sqlite
| database) every time one of these calls was made, which was
| slowing down the system.
|
| This comment is a good summary of what the issue was once
| they understood the problem:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82
| Randor wrote:
| Where did you get that idea? Sqlite? Windows Defender isn't
| using sqlite at all.
| sroussey wrote:
| It detects the use of SQLite, then copies it, etc etc.
| Read the bug for more details.
| vntok wrote:
| Yeah, your program definitely should not do as many useless
| writes on the system it runs on, it's just bad behaviour. If
| every program did the same the disk would grind to a halt,
| SSD or not.
| CWuestefeld wrote:
| Recent discussion of this here also cited a problem (not sure
| if it was the same problem) with Defender causing 100x
| performance drop with some PowerShell operations.
| arnaudsm wrote:
| Quick napkin math of the wasted power : Firefox has ~300e6 users,
| let's assume the bug wasted 5 extra watts 4 hours a day.
|
| That's 250 megawatts saved, the equivalent of an average coal
| power plant. Because some Microsoft engineer missed a bug.
| HPsquared wrote:
| Would be interesting to see the energy usage of Windows Update
| computed in a similar way.
| marricks wrote:
| > Because some Microsoft engineer missed a bug
|
| That might be a bit too kind given how much Google liked to
| Oops Firefox. Wouldn't be surprised if MS did too.
|
| Oops:
|
| https://www.computerworld.com/article/3389882/former-mozilla...
| cutler wrote:
| Don't underestimate Microsoft Won't Fix which helped IE
| dominate the browser market for over a decade.
| jonhohle wrote:
| I love calculations like this and hope they are part of every
| engineer's line of thinking. I originally came across this
| thinking in Andy Hertzfeld's book -
| https://www.folklore.org/StoryView.py?story=Saving_Lives.txt
|
| Performance is time, energy, heat. It's one of the easiest
| features to get and there are lots of tools, research, and
| philosophies to help get it. Memory and storage are similar.
|
| For anyone working on large scale apps that are on millions of
| devices, hundreds of thousands of servers, or even just some
| back office guy who has minutes less stress in his day,
| performance benefits the world. For programmers, it's one of
| the easiest ways to Save the Planet(tm).
| harshreality wrote:
| How did the idea of avoiding premature optimization get
| misapplied to client-side apps where the entity writing the
| software is not the one paying for electricity, cooling, and
| people's time when the software takes much longer to run than
| it could? When did a lot of software devs stop caring?
|
| Pardon me, I think there are some electron devs at my door
| asking for a word. They might have baseball bats.
| rocqua wrote:
| Premature optimization should be avoided client side as
| well I imagine? It just seems like lots of development
| shops skip optimization altogether, even when it stops
| being Premature (when it matures?).
|
| And it's not like those Shops suffer for it, so it isn't
| very surprising they continue.
| aranchelk wrote:
| I use a 7 year old low-power laptop. Cooling, electricity
| usage, and performance of Electron apps are never an issue.
| Crashes, bugs, lost data, and bad usability still are. I'd
| rather have devs spend time on that stuff.
|
| If Electron frees up organizational resources to do what's
| actually important, I applaud devs for using it.
| zerkten wrote:
| >> When did a lot of software devs stop caring?
|
| I'm not sure the devs stopped caring as much as the powers
| at be. Software development has become more commoditized
| than we want to believe. Devs following an agile workflow
| with every intent of performing multiple rounds of
| optimization find that the product gets shipped as soon as
| it approximates the thing that had been conceived
| originally.
|
| It doesn't look like an immediate failure, so the less that
| leadership takes from it is frequently that the level of
| maturity they shipped is safe. The cycle continues and
| eventually folks lower down succumb to this shipping
| pattern. The only things that get them to optimize is
| competition that successfully drive home their win was due
| to performance. This doesn't always lead to optimizations
| when you are an incumbent who can still close more feature
| gaps because those often result in higher sales and
| revenue.
| zerocrates wrote:
| There's a similar calculation (in a slightly different
| context) in a good scene in the movie _Margin Call_ , about
| all the miles and hours saved by one bridge:
| https://www.youtube.com/watch?v=m8Mc-38C88g
| sseagull wrote:
| Don't forget the waste caused by people throwing away devices
| that are "too slow", and the resources required to build new
| computers/phones.
|
| Somewhere I saw a rough figure about phones. Something like:
| if everyone was able to keep their phone one year longer, it
| would be the equivalent of 600,000 cars off the road or
| something. (Just looked it up - source is possibly the
| founder of iFixit).
|
| But you know, development velocity or whatever.
| einpoklum wrote:
| Actually, in the PC/laptop space, I believe this phenomenon
| has been waning somewhat over the past... oh, the better
| part of a decade.
|
| This is a result of:
|
| * Single-core performance no longer dramatically improving
| - almost plateauing
|
| * The rate or extent of "bells and whistles" and other OS
| overhead being added - decreasing.
|
| * Budget consumer CPUs having reached smooth desktop
| performance (with sufficient memory and and an SSD)
| already, even with multiple applications open.
|
| .. and all of these had not been the case during the 1980s,
| 1990s and 2000s. Now, if your machine's hardware doesn't
| brake down - and you're just a plain desktop user - your
| motivation for throwing away your machine is quite limited.
|
| ---
|
| Of course, this is not the case for smartphones, we're
| still on the roller-coaster there.
| RodgerTheGreat wrote:
| It can be a bit dangerous (especially to your employer) to
| continue that line of thinking, though. How many pieces of
| software do we collectively work on which would make the
| world a better place _if they didn 't exist at all_?
| hinkley wrote:
| Oh no!
|
| ... anyway...
| asoneth wrote:
| Is that really a downside?
|
| In some cases you convince your organization to shift focus
| onto more useful products, and that can be a really great
| feeling. In other cases (company is too large, management
| too committed) it helps you confront exactly who you're
| working for. Because if you're going to sell your soul, you
| should at least make sure you're getting a good price.
| i-use-nixos-btw wrote:
| Meh. I feel like there needs to be an active movement to
| assess programs that have huge scale (>10m users) to
| identify unnecessary power usage - whether it be because of
| a bug, because of unused functionality that nonetheless
| takes resources, or intermediate steps that take
| unnecessary power.
|
| Perhaps I'm getting into a bit of a niche here, but the
| rise of stringy formats for data transfer concerns me.
| There are many-stage pipelines on machines that agree on
| what a 64 bit integer is, yet each stage performs encoding
| and decoding of JSON twice (decoding upon receipt, encoding
| to pass it on to the right place, decoding the response,
| encoding it in another manner to reply to the original
| sender). Sounds like a minor concern, but the scale of this
| instinctively feels like it'd dwarf 250MW globally.
| chillstreem wrote:
| doesn't this bug only manifest itself if one is using microsoft
| defender as their only security solution, and not a 3rd party
| AV/IS? if so, then the number of Firefox users in this
| calculation is much lower.
| slowmovintarget wrote:
| I run an antivirus suite and have attempted to turn Defender
| off several times. Windows Update keeps switching it back on.
| SketchySeaBeast wrote:
| I don't know if that's the case. I'm a Firefox user but
| consider all the 3rd party apps nearly as much malware as the
| things they are trying to solve. I run strictly defender and
| try to make good choices when downloading and browsing.
| chillstreem wrote:
| well, if we're taking strictly subjective personal
| experiences as some sort of a relevant benchmark, then I'm
| a Windows Firefox user that has never used MS defender for
| any length of time, and always strictly a reliable low-
| impact 3rd party AV like ESET or Emsisoft. so I guess the
| two of us cancel each other out.
| hgsgm wrote:
| > strictly a reliable low-impact 3rd party AV
|
| Sounds good
|
| > like ESET
|
| What?! ESET used to burn constant CPU when wifi
| disconnected.
| SketchySeaBeast wrote:
| So based upon rigorous analysis, approximately half of
| all Firefox users use the default choice, and half use a
| different AV.
| UberFly wrote:
| I actually replace Defender with a 3rd party choice (Eset)
| for this very same reason - to wrestle some control over my
| OS from Microsoft. I find Defender to be overbearing in so
| many ways.
| guestbest wrote:
| I agree with this and try to practice myself. I download
| portablespps.com hoping they have a scanner and stick to
| the open source ones
| Neil44 wrote:
| More complicated still, defender does not completely stop
| working when 3rd party AV is installed. Also maybe Firefox is
| not the only app triggering this bug?
| zerkten wrote:
| This is just one bug in the world affecting power usage with
| Firefox. There are loads more like
| https://bugzilla.mozilla.org/show_bug.cgi?id=1404042 which
| caused me to abandon it on macOS as my primary browser.
| recursive wrote:
| The units don't make sense. You might mean megawatt-hours?
| hgomersall wrote:
| It was not so well explained, but the GP does mean averaged
| over 24 hours, the power requirement is 250MW.
| arnaudsm wrote:
| No typo, I meant Watts. I averaged the 4 hours per day
| teraflop wrote:
| No, it makes sense. The parent is talking about continuous
| power measured in megawatts, i.e. megawatt-hours per hour, or
| megawatt-days per day.
|
| 300 million users * 4 hours/day * 5 watts = an _average_
| continuous savings of 250 MW.
| recursive wrote:
| Ok, I get it now. This does make sense.
| xdavidliu wrote:
| one way it could just be mW is if he/she meant "a coal power
| plant for the 5 years that the bug was active"
| ChuckNorris89 wrote:
| You assume all Firefox users are on Windows (they're not) and
| that all Firefox users on Windows are affected (I and my SO
| were not).
|
| Who knows what edge case triggered that bug to manifest but I
| for one haven't seen it in the wild in the years we've been
| using FF.
|
| Probably difficult in such a large org to allocate dev
| resources to chase down and fix a bug few people were impacted
| by.
| callahad wrote:
| Around 80% of Firefox users are on Windows, per
| https://data.firefox.com/dashboard/hardware
|
| That same site also suggests that Firefox has around 200e6
| monthly active users, the average user uses Firefox 3.5 days
| a week, and for 5.5 hours per day.
|
| My math could be wrong, but taking the above into account,
| and arnaudsm's 5 W estimate, I come up with an upper bound of
| around 80 MW. Discount that further by whatever proportion of
| Windows users you assume were actually affected. Not a whole
| coal power plant, but nothing to sneeze at.
| warner25 wrote:
| Wow, that's fascinating. It really speaks to the utter
| dominance of Windows over Linux more than anything else.
| Like _even among Firefox_ users, as of _last year_ , there
| were an order-of-magnitude more Windows _7 and 8_ users
| than Linux 5.x users.
| jonas-w wrote:
| Don't have any data to back this up, but I would think
| that the average linux user will instantly turn off
| firefox telemetry and won't show up on these graphs. It's
| one of the first things when I install firefox, disable
| ff telemetry, set privacy mode to strict and then install
| uBlock. Nevertheless Windows has a huge market share,
| even if no one turned off data collection, and the year
| of linux on desktop didn't happen.
| perfmode wrote:
| user must be running windows
| pjmlp wrote:
| If it isn't on the Sprint board it doesn't exist.
| dylan604 wrote:
| You also have to assume that at least one Microsoft employee
| has Firefox installed. There's no bug if there's no users
| sterlind wrote:
| I work at MS, tried to use Firefox but couldn't because FF
| doesn't integrate with the Windows cert store. Crucially,
| this keeps Windows Hello (TPM auth) from working, which
| makes it useless for any internal websites. For a while I
| used a hand-compiled PKCS#12 plugin that bridged to the
| cert store, but that was extremely fragile and eventually I
| gave up.
|
| I think this is probably a major blocker for many
| enterprise users, and wish Mozilla would have fixed it.
|
| edit: it looks like they may have fixed this in the past
| couple years, though you might have to go poking around in
| about:config.
| reynoldsbd wrote:
| Current MS employee here. For a time this was true, but
| FF recently added this integration. No about:config
| needed, there's simply a checkbox under the FF security
| settings. Since this was added, I have gone back to using
| FF as my daily driver, and I haven't really encountered
| any other friction.
| protastus wrote:
| Indeed. https://support.mozilla.org/en-US/kb/windows-sso
| pixel16 wrote:
| Microsoft now blocks non edge browsers with conditional
| access policies.
| anonymousiam wrote:
| Firefox not integrating with the Windows cert store is
| actually a good thing in many use cases. The ability to
| have an alternate browser that's not integrated has saved
| my butt more than once.
| chlorion wrote:
| Gaming on a mid-tier modern GPU probably uses around 50-100w,
| the Steam stats probably have a number of users to multiply
| with. I'm sure it's a massive amount of power.
|
| I don't like video games and they are not-necessary so I
| propose that we ban them globally, or only allow gaming if
| using renewable energy. If you don't live in a place where this
| is an option, too bad!
|
| Maybe instead of this we require all games to be limited in
| graphical effect (imagine early source games or something). We
| could save a lot of power globally if we enforced this.
|
| This is why I strongly dislike this line of thinking. I don't
| think power plants work that way anyways, they probably make a
| constant-ish amount of power rather than taking exactly 50w
| worth of fuel every time someone opens up Call Of Duty.
|
| There are also much lower hanging fruit to get upset about if
| you care about the planet, like cars with large motors or
| people with heated drive ways (yes thats a thing).
| ericye16 wrote:
| This is a bad comparison, gaming presumably brings utility to
| someone whereas this was a pure bug with no upside.
| kortilla wrote:
| People get entertainment out of games. They got nothing out
| of this wasted cpu.
| dist-epoch wrote:
| > _That 's 250 megawatts saved, the equivalent of an average
| coal power plant. Because some Microsoft engineer missed a
| bug._
|
| Are you sure you want to invoke this logic? Because following
| it through imagine the energy savings if Firefox users switched
| to Chrome.
| volkk wrote:
| > Because following it through imagine the energy savings if
| Firefox users switched to Chrome
|
| i've read everywhere that Firefox at this point is far more
| energy efficient than Chrome...is that not true?
| hanoz wrote:
| _> imagine the energy savings if Firefox users switched to
| Chrome._
|
| Imagine the energy squandered on all the extra goods and
| services bought by users using a browser owned by an
| advertising company, instead of Firefox.
| LeoPanthera wrote:
| > Are you sure you want to invoke this logic? Because
| following it through imagine the energy savings if Firefox
| users switched to Chrome.
|
| Ironically, Mac users routinely complain about how power-
| hungry Chrome is on the Mac. Safari is _significantly_ more
| efficient.
| ChuckNorris89 wrote:
| _> Safari is significantly more efficient._
|
| Based on the increased laptop battery life I notice, so is
| using Edge on Windows.
|
| It makes sense that both Apple and Microsoft can extract
| the best out of their OS + browser. There's no way Firefox
| can compete on such OS specific optimizations.
| Karunamon wrote:
| Is that because of the quality of Chrome or because Safari
| is a "blessed" application and probably gets to do things
| other applications do not?
|
| Entirely serious question. Apple is known to severely
| privilege their own applications over competitors.
| ojosilva wrote:
| Totally guesswork here, but I'd say Chrome has a lot more
| telemetry, profiling and tracking built-in and its users
| tend to use a lot more plugins, including things like ad-
| blockers that scan over each webpage and can be
| beneficial (battery-wise) or not depending on content.
| Safari users are more of a barefoot type. A power user is
| more likely to not be running Safari. And a _power_ user
| may, well, prefer to sacrifice battery _power_ to get the
| _power_ they seek.
|
| Besides, there's some precedent set in 1998 by a certain
| OS that "favored" their embedded browser over the
| competition, so I doubt Apple would want to tickle that
| fancy.
| LeoPanthera wrote:
| It's not impossible, but I doubt it, if only because very
| few third party applications use as much as Chrome does.
| The only exceptions are things that actively use a lot of
| CPU, like compilers or compressors.
| jeron wrote:
| Blessed or not, I still end up using Safari. The
| improvement in battery life is too significant to ignore
| dijit wrote:
| Its been a really long time but safari on Windows was a
| thing and it did run a lot leaner in the background than
| anything else available at the time (except Opera if
| memory serves).
|
| It's entirely possible that Safari is intentionally
| avoiding features that make it wake up-
|
| I doubt that it does anything unavailable to other
| browsers, thats MS territory, because they wanted
| features. I feel like safari, by contrast, doesn't want
| to add features.
| drdrey wrote:
| That's because optimizing for battery life is a stated
| goal of the Safari team, it's actively benchmarked
| harry8 wrote:
| Imagine the power savings if chrome users switched to lynx.
|
| Imagine the power savings if everyone used pihole, ublock
| etc.
|
| Second uses more power than the first and is better. Do it!
| ChuckNorris89 wrote:
| Or the energy used by all the electron apps on all operation
| systems.
| xxs wrote:
| >Firefox users switched to Chrome.
|
| Far worse due to privacy/adblock addons.
| wiseowise wrote:
| > Because following it through imagine the energy savings if
| Firefox users switched to Chrome.
|
| Enlighten us.
| airza wrote:
| There are good reasons to not use chrome over firefox, but
| few reasons to leave firefox bugged. I don't think the same
| utilitarian logic applies.
| throwbadubadu wrote:
| Yeah, finally as the market share is where it should be for
| Firefox Microsoft had no more reasons to leave it on :D
| omneity wrote:
| It's not too bad an analogy. Think of it this way:
|
| - Switching from Firefox to Chrome might be similar to
| switching between two car models, one consuming less energy
| than the other.
|
| - Fixing this bug is more like going to a car workshop to fix
| an injector issue in your car that was causing higher fuel
| consumption and more pollutants.
|
| The first one is really a matter of tradeoffs and personal
| choices. The second one is less of a choice and more of an
| actual issue that was left due to negligence. Hardly similar.
| sgtnoodle wrote:
| Isn't it more like an auto maker issuing a recall to fix an
| injector issue in all their cars?
| omneity wrote:
| An analogy can only get you so far, but in this case the
| bug is caused by Microsoft Defender, yet Firefox, the car
| manufacturer, is a different entity. So I wouldn't call
| it a recall.
| sgtnoodle wrote:
| A bunch of cars across many manufacturers were recalled
| in the 2010's due to a defect in the airbags made by the
| same manufacturer.
|
| One could also argue that the OS is the car, the browser
| is the chauffeur, and the user is the passenger.
| Georgelemental wrote:
| If one user switches to Chrome, the energy savings are only
| for that one user. If one Microsoft engineer fixes a bug, the
| energy savings are for the many thousands who use Firefox on
| up-to-date Windows.
| lkbm wrote:
| I mean, sure, I could also just turn off my computer.
| Presumably people use Firefox for a reason, and making that a
| option use less energy is pure upside, and it's very
| interesting to see how big of an upside it might be.
| tgv wrote:
| Think more like this: this bug cost an average coal power
| plant, all other things being equal. I doubt it's that much,
| but it certainly did waste a lot of energy.
|
| > imagine the energy savings if Firefox users switched to
| Chrome.
|
| Imagine the privacy savings if Chrome users switched to
| Firefox.
| axolotlgod wrote:
| Does Chrome really use significantly less resources than
| Firefox? Are there numbers there?
| haupt wrote:
| According to Tom's Guide[1] Microsoft Edge beats out both
| when it comes to RAM utilization but Chrome just edges out
| Firefox when loading >10 tabs. That was in 2021. I'd be
| interested to see any other comparisons or benchmarks.
|
| 1. https://www.tomsguide.com/news/chrome-firefox-edge-ram-
| compa...
| prmoustache wrote:
| This is with no extensions installed right?
| IntelMiner wrote:
| It took a lot longer for Firefox to get GPU accelerated
| video playback on Linux iirc
|
| Perhaps a "niche" use case for some, but there's a lot more
| Firefox users on Linux in particular
| lotsofpulp wrote:
| The cause and effect exists whether or not some commenter on
| HN writes about it.
|
| The reason it is not "invoked" is because energy prices are
| sufficiently low (due to not pricing in externalities) that
| there exists little incentive for end users to optimize for
| power usage.
| gruez wrote:
| >The reason it is not "invoked" is because energy prices
| are sufficiently low (due to not pricing in externalities)
| that there exists little incentive for end users to
| optimize for power usage.
|
| You're right in principle, but in practice even factoring
| in externalities electricity prices won't be high enough
| for people to care. Using current US carbon intensity for
| electricity generation[1] and the higher end estimates for
| the social cost of carbon[2] gets us carbon costs of $0.142
| per kWh. The average prices in US is $0.168. Adding in
| carbon costs would almost double the price, but there are
| countries with even higher electricity prices[4] and
| they're not exactly switching to more efficient software in
| droves to save energy.
|
| [1] https://emissionsindex.org/
|
| [2] https://en.wikipedia.org/wiki/Social_cost_of_carbon#Car
| bon_p...
|
| [3] https://www.bls.gov/regions/midwest/data/averageenergyp
| rices...
|
| [4] https://www.statista.com/statistics/263492/electricity-
| price...
| kramerger wrote:
| > imagine the energy savings if Firefox users switched to
| Chrome.
|
| Nah, I like my privacy. How about replacing Electron apps
| with native apps instead?
| shapefrog wrote:
| > imagine the energy savings if Firefox users switched to
| Chrome
|
| This _is_ why I left firefox.
| ouid wrote:
| Using firefox without memory errors is a pareto optimization
| over using firefox with memory errors.
| tyingq wrote:
| Maybe compare manifest v2 friendly Firefox with uBlock Origin
| vs eventual Chrome without it :)
| revolvingocelot wrote:
| Serious savings indeed when the Javascript cryptominer some
| ad network blithely serves up is ad-blocker'd, but we
| prefer _synthetic benchmarks_.
|
| In seriousness, though, this is an issue. Elsewhere, I
| observe arguments about eg userbenchmark rankings, and the
| comparative relevance of single-core vs multicore
| performance. Are you playing a game, or rendering video
| 24/7 -- or running some entirely synthetic workload that
| allows for a peak performance the real world would never
| achieve? Same kinda problem.
| duxup wrote:
| > the equivalent of an average coal power plant
|
| Produces in an hour, four hours?
| rimunroe wrote:
| I'm pretty sure you're mistaking power for energy. Watts are
| units of power, which is the rate of change in energy (joules
| per second). Asking for how much power something produces in
| an hour is like asking how many miles per hour your car goes
| in an hour.
| lordnacho wrote:
| Continuous. We need one less coal plant to support the
| Firefox code after the bug fix.
| akomtu wrote:
| Coal makes only 12% of the electricity, in the US at least.
| Natural gas makes 36% and oil makes 33%.
|
| https://www.eia.gov/energyexplained/us-energy-facts/
| flangola7 wrote:
| What does that have to do with anything? "Coal plant" is
| being used as a unit of power here.
| akomtu wrote:
| And a unit of pollution. I'm sure that one extra solar
| plant or hydro plant wouldn't draw as much attention.
| sdfghswe wrote:
| > let's assume the bug wasted 5 extra watts 4 hours a day.
|
| How did you come to this?
| mrinterweb wrote:
| Great question. Based on my use, it would be a lot more than
| 5 watts/day.
| rationalfaith wrote:
| [dead]
| MagicMoonlight wrote:
| "Bug"
| dbg31415 wrote:
| I have screamed about this like a crazy person and filed bugs and
| was always told, "Meh there's nothing there..."
|
| But if you use Firefox to call yourself on Chrome... you'll see
| that Firefox takes up a TON more energy on an Intel MBP than
| Chrome does.
|
| You can tell because Firefox literally heats your laptop up to do
| streaming videos. You hear the fans kick on, the laptop gets
| hotter to hold.
|
| Anyway I'm sure there are more bugs like this! Glad Firefox is
| getting some of the people to fix their code... but look,
| Microsoft isn't the only culprit. Until Firefox takes as little
| power as Chrome in MacOS & Windows... I think we should all stay
| outraged! (=
| GrumpyNl wrote:
| maybe AI helped them out.
| neilv wrote:
| When I've heard people speak of changing Web browsers in recent
| years, I think the two most common reasons given are performance
| and privacy.
|
| I wonder whether this situation with Microsoft Defender cost
| Firefox some market share.
| dalmo3 wrote:
| I can count at least one user that Firefox lost to this bug.
| Pretty happy with Brave now, won't even bother trying FF again.
| somid3 wrote:
| Conspiracy theory -- could this have been done on purpose for
| browser share dominance purposes?
| toenailtag wrote:
| I would bet it is more likely that MS devs noticed but just
| didn't care. The farthest it would have gotten in conversation
| with QA triage would have been "does this issue affect any of
| our services? Ok then that is Mozilla's problem."
| shadowgovt wrote:
| Sometimes, but probably not in this context.
|
| a) That'd be a very untargeted way to get that effect; Firefox
| isn't the only app that's going to be making calls like that.
|
| b) Mozilla doesn't need any help losing marketshare in this
| era.
| shadowgovt wrote:
| Woof, that's a long time for a bug like that to have sat around
| and Mozilla to not have come up with a workaround for it.
| 29athrowaway wrote:
| "DOS ain't done until Lotus won't run"
|
| "Windows ain't done until Firefox won't run"
| jupp0r wrote:
| You'd think they'd target Chrome (>60% market share on Desktop)
| rather than Firefox with < 8% market share.
| uoaei wrote:
| The new Edge browser is basically a revamped Chromium, so
| that'd be a pretty dumb move.
| recursive wrote:
| Seems less dumb than targeting Firefox though. Presumably,
| in the universe of this conspiracy hypothesis, they would
| do it in a way that wouldn't effect Edge.
| uoaei wrote:
| Then they would lose any semblance of plausible
| deniability, which would expose them to being positively
| identified as bad actors. What it looks like now is mere
| incompetence in the face of enormous complexity, which
| means they lose a lot less face compared to doing what
| you suggest. Put bluntly, they're hiding within the space
| covered by Hanlon's razor.
| dylan604 wrote:
| if processName != Edge {}
| andrewstuart wrote:
| DOS ain't done till lotus won't run.
| NelsonMinar wrote:
| It's so frustrating this discussion took _five years_.
|
| I'd be grateful for an overview of the bug. I don't think I've
| seen it on my two systems but I can't be confident.
| stronglikedan wrote:
| Five years is nothing for MS. You should see how long the bug
| in File Explorer has been there, where after navigating to a
| folder and pressing the down arrow, the _second_ item is
| selected instead of the first. And it 's one of those things
| that, even though I'm aware of it, it still always catches me
| causing extra keystrokes. It's like they're trying to _force_
| me to use the mouse for some reason.
| zamadatix wrote:
| That one I can almost agree with the reasoning for. The first
| item is selected by default but also by default you have to
| intentionally trigger a keyboard navigation for it to go into
| that mode since most don't intend to do that when hitting
| enter on a freshly loaded directory. As evidence of this
| behavior instead of hitting a directional key to change the
| selection whacking space should activate the highlight on the
| first item and then another navigation action is needed to
| actually do anything.
|
| I think it'd be more convenient (for me as a keyboard centric
| user at least) if it were done differently but I don't think
| it's actually a bug as much as an intentional decision at the
| cost of keyboard user. This is unlike the Defender issue
| where it's of no purpose to be significantly slower than it
| needed to be.
| bsder wrote:
| Windows Update and Windows Defender are _notorious_ piles of
| shit that eat up huge amounts of CPU for seemingly no reason.
|
| The problem is that there is _zero_ incentive to get them
| right. Nobody is going to get promoted because they use 10%
| less CPU. Nobody is losing their bonus because 10% of all
| computers melt down. etc.
| MuffinFlavored wrote:
| What apps other than Firefox might this have affected that badly
| (75% CPU usage)?
| CWuestefeld wrote:
| It's not clear to me if it's the same bug, but recent
| conversation here about this issue had this to say [1]:
|
| > It also has a bug(?) which makes method calls 100x slower in
| PowerShell 7:
| https://github.com/PowerShell/PowerShell/issues/19431
|
| [1] https://news.ycombinator.com/item?id=35459984
| fsfod wrote:
| I would think anything with a JIT that is toggling the page
| protection for machine code many times a second, based on a
| very quick reading of the bug report talking about
| VirtualProtect calls and the processing of ETW events for them
| by defender.
| sfink wrote:
| I don't think anything is toggling them back and forth, it's
| just that a lot of chunks of executable code are being
| produced. But I could be wrong; maybe if you have space left
| for more code on a page, you'll toggle it off and append some
| new code, then toggle it on again.
|
| My guess is that this would mostly come from inline caches
| (ICs), since they're typically small and a lot of them are
| generated.
| xnx wrote:
| I'm hoping that this fixes other apps, because Defender active
| scanning is a huge and near constant strain on my CPU.
| agloe_dreams wrote:
| I had an issue in early builds of W11 with use of WSL 2 & Node,
| Github and VS Code. Something in the git change detection
| process caused Defender to decide it just decided it wanted
| 100% of a single thread on the 5600X system I was using. While
| coding it would just have a core screaming at well over 4Ghz.
| Just all of Mankind's greatest innovations that lead to 7nm
| lithography and incredible processor design just to be a space
| heater. I never did get it figured out at the time. It also re-
| enables itself. So that's cool.
| sfink wrote:
| Defender (or other AV) can slow down a lot of things, but in
| terms of the exact way that Firefox ran into it, the other apps
| would be anything with a JIT. Well, a JIT that uses memory
| protection as a security measure, though that's very common.
| (After generating executable code, the JIT marks the pages as
| executable but non-writable, so an attacker can't change the
| code after it starts running.)
|
| Although the V8 JIT stopped using this, at least in some
| configurations (?), for the stated reason that it's not perfect
| --another thread could sneak in and modify the executable code
| in between when it was generated and when it is protected in
| preparation for execution. They're instead planning to rely on
| memory protection keys, which should be faster and more robust,
| but are only available on some hardware.
|
| JITs can show up in unexpected places. Regular expression
| engines will sometimes have a JIT.
|
| So... I don't know?
| snerbles wrote:
| Newer versions of Thunderbird have been rendered completely
| unusable unless I exclude
| %userprofile%\AppData\Local\Thunderbird from real-time scans.
| Avamander wrote:
| Thunderbird is atrociously slow even without an AV with any
| mailbox that isn't tiny. Could it be that yours has just
| grown over the years and Defender amplifies it?
| snerbles wrote:
| It went from ~20 seconds of freezing on every server
| request to no freezing at all after adding the exception.
| That's quite the amplification.
| Culonavirus wrote:
| All of them? From IDEs through games to email clients. Remove
| that malware as soon as you can. Either replace it with some
| more competent antivirus (not sure there are any) or don't use
| any antivirus at all - as a visitor of this site you should
| generally know what you're doing and what is and what isn't
| safe. I use https://github.com/jbara2002/windows-defender-
| remover and have been running my Windows machines without any
| antivirus and without any issue for years (if you ask how do I
| know Defender sucks if I don't run it - I do run it at work
| where I can't remove it - only disable it temporarily and it
| turns itself on again after a while).
| rzzzt wrote:
| Eclipse and IDEA both have tickets dedicated to Defender's
| shenanigans: https://github.com/microsoft/java-wdb/issues/9
___________________________________________________________________
(page generated 2023-04-10 23:00 UTC)