Slashdot Mirror


Chrome is Using 10-13% More RAM to Fight Spectre (pcworld.com)

An anonymous reader quotes PCWorld: The critical Meltdown and Spectre bugs baked deep into modern computer processors will have ramifications on the entire industry for years to come, and Chrome just became collateral damage. Google 67 enabled "Site Isolation" Spectre protection for most users, and the browser now uses 10 to 13 percent more RAM due to how the fix behaves.

"Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs," Google's Charlie Reis says. "On the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure." It's a significant performance hit, especially for a browser battling a reputation for being a memory hog, but a worthwhile one nonetheless.

Chrome's Spectre-blocking site isolation "is now enabled by default for 99 percent of Chrome users on all platforms."
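
A simplified model of the trade-off described in the summary, as an added example that is not from PCWorld, Google or Chrome's source: it counts renderer processes and checks whether two sites end up in the same process, which is what matters for an in-process Spectre read. Assumptions: a "site" is scheme plus registrable domain, the old model is one process per tab, the isolated model is one process per tab and site, and all hostnames and the short suffix list are constructed.

```javascript
// Added illustration (not Chrome source). Simplified model of which documents
// share a renderer process, with and without Site Isolation.

// Assumption: a "site" is scheme + registrable domain (eTLD+1). Chrome uses the
// full Public Suffix List; this three-entry set is constructed for the sample.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

function siteOf(url) {
  const u = new URL(url);
  const host = u.hostname;
  // IP literals have no registrable domain; treat the whole host as the site.
  if (host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host)) {
    return `${u.protocol}//${host}`;
  }
  const labels = host.split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return `${u.protocol}//${labels.slice(-keep).join(".")}`;
}

// Constructed sample: three open tabs, two of them embedding cross-site iframes.
const SAMPLE_TABS = [
  { top: "https://mail.example.com/inbox",
    frames: ["https://ads.tracker.test/slot1"] },
  { top: "https://news.site.co.uk/story",
    frames: ["https://ads.tracker.test/slot2", "https://video.cdn.test/embed"] },
  { top: "https://docs.example.com/edit", frames: [] },
];

// Assumed pre-isolation model: one renderer per tab, so cross-site iframes
// live in the same process (and address space) as the page embedding them.
function assignPerTab(tabs) {
  return tabs.map((tab, i) => ({
    process: `tab${i}`,
    sites: new Set([tab.top, ...tab.frames].map(siteOf)),
  }));
}

// Assumed Site Isolation model: within a tab, each distinct site gets its own
// renderer, so no process ever holds documents from two sites. Real Chrome may
// also reuse a process for same-site frames across tabs; that is not modelled.
function assignPerSite(tabs) {
  const procs = [];
  tabs.forEach((tab, i) => {
    const sites = new Set([tab.top, ...tab.frames].map(siteOf));
    for (const site of sites) {
      procs.push({ process: `tab${i}:${site}`, sites: new Set([site]) });
    }
  });
  return procs;
}

// True when some process hosts documents from both sites, i.e. script from one
// could target the other's data with an in-process speculative read.
function coResident(procs, siteA, siteB) {
  return procs.some((p) => p.sites.has(siteA) && p.sites.has(siteB));
}

function summarize(tabs) {
  const legacy = assignPerTab(tabs);
  const isolated = assignPerSite(tabs);
  const mail = "https://example.com";
  const ads = "https://tracker.test";
  return {
    legacyProcesses: legacy.length,
    isolatedProcesses: isolated.length,
    legacyShared: coResident(legacy, mail, ads),
    isolatedShared: coResident(isolated, mail, ads),
  };
}

console.log(summarize(SAMPLE_TABS));
```
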

148 comments

  1. When will the next gen CPU by AHuxley · · Score: 4, Interesting

    design fix all this?
    No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws. Back to fast and secure CPU design work.

    Anyone have a design time line for when this will all be fixed in the CPU again?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: When will the next gen CPU by Anonymous Coward · · Score: 0

      Not until 2020.

    2. Re:When will the next gen CPU by Anonymous Coward · · Score: 0

      You make it sound like it's not a feature. Spectre was brought to you by the NSA, there will be something else there to take its place once new hardware is ready.

    3. Re:When will the next gen CPU by hcs_$reboot · · Score: 1

      Too bad AMD is also affected (Spectre), otherwise Intel would have had more incentives to make new CPU earlier.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:When will the next gen CPU by hcs_$reboot · · Score: 4, Insightful

      Well, there is still competition as who will have their fixed CPUs first..

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re: When will the next gen CPU by Anonymous Coward · · Score: 1

      They were going to do this whether or not spectre and meltdown happened. This might have given them a kick in the as to hurry things up, but this ram was always going to be spent and you're not getting it back even if spectre & meltdown disappear.

    6. Re:When will the next gen CPU by Anonymous Coward · · Score: 5, Insightful

      I don't expect CPU fixes to come until 3-5 years have passed. This requires a major redesign, it's not just a little fix.

    7. Re:When will the next gen CPU by arglebargle_xiv · · Score: 5, Insightful

      No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws.

      Pick any two. Which do you want?

    8. Re:When will the next gen CPU by Anonymous Coward · · Score: 1

      Though Intel's problems require a quadruple bypass, while AMD's require a band-aid on the finger.

    9. Re:When will the next gen CPU by AmiMoJo · · Score: 2

      Just buy an AMD CPU. The massive performance killing fixes are not required for them.

      Unfortunately it doesn't look like Chrome detects Intel CPUs before enabling this.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:When will the next gen CPU by Humbubba · · Score: 1

      You make it sound like it's not a feature. Spectre was brought to you by the NSA, there will be something else there to take its place once new hardware is ready.

      Do you really think the CPU is intentionally designed to be exploitable, or, to borrow from Elon Musk, do those huge idiots not know what they're doing? I really don't know if Spectre is an abuse of a mistake or making use of a feature. I'm not sure which scenario is worse.

    11. Re: When will the next gen CPU by Anonymous Coward · · Score: 0

      All of them!

    12. Re:When will the next gen CPU by Anonymous Coward · · Score: 0

      Intel promised this spring to provide an improvement already towards the end of the year while still using the 14nm process. AMD promised to do something with their Zen 2 architecture, as reported somewhere. Promises are not actual chips on the retail that normal people can buy, though.

    13. Re: When will the next gen CPU by ranton · · Score: 1

      Out of those three I would clearly sacrifice RAM. That is the easiest and cheapest part to go overboard on to ensure it is never a problem. Just get 32GB and this 10-13% extra usage is probably not an issue.

      Clearly I would love all three, but my ideal second choice would be to sacrifice RAM for better CPU performance.

      --
      -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    14. Re: When will the next gen CPU by Anonymous Coward · · Score: 0

      I would sacrifice 15% cpu performance for 50% lower ram usage. Chrome doesn't know what it's doing. We should all go back to the super economical memory usage of presto based opera.

    15. Re: When will the next gen CPU by UnknowingFool · · Score: 1

      Yes but even if we accept your premise is true, users could opt out of this feature as a choice. With Spectre, users don't have much of a choice: Use less RAM and risk being hacked or use more RAM.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    16. Re: When will the next gen CPU by UnknowingFool · · Score: 1

      My opinion is it was more that most people were ignoring the dangers of using it. When Spectre and Meltdown were first disclosed, some people had warned about the security dangers and were largely ignored. It reminds me of the DNS cache poisoning that Dan Kaminsky found. Daniel J. Bernstein warned about that issue about 6 years earlier but not many in the community heeded his warning until Kaminsky was able to create an easy exploit.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    17. Re:When will the next gen CPU by Megol · · Score: 2

      Yes they are required.

      Spectre is a collection of related exploits some of which are very hard to use on AMD architectures but not impossible in theory. Meltdown isn't however a problem for AMD but this Chrome design isn't intended to combat Meltdown.

    18. Re:When will the next gen CPU by Anonymous Coward · · Score: 0

      Ok, I pick no more slow CPU and no more extra RAM used. I wouldn't care if my OS protected from security flaws if there was no performance or resource hit.

      You didn't really think that one out, did you?

    19. Re:When will the next gen CPU by thegarbz · · Score: 1

      No more slow CPU, no more extra RAM

      And ponies! We want ponies too.

      Remember the reason we're in this mess is because people didn't want slow CPUs in the first place.

    20. Re:When will the next gen CPU by thegarbz · · Score: 1

      Unfortunately it doesn't look like Chrome detects Intel CPUs before enabling this.

      And why would it? This kind of fix resolves Speculative execution bugs, but it doesn't exclusively target them. This form of isolation is just good security practice in general, especially given the most likely attack vector is not the primary domain you're connected to.

    21. Re: When will the next gen CPU by Anonymous Coward · · Score: 0

      This story contains an ad falsely claiming that Elon Musk is leaving Tesla to start a bitcoin venture. Of course it's a scam. But why does slashdot host these scam ads?

    22. Re:When will the next gen CPU by Agripa · · Score: 1

      design fix all this?

      No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws. Back to fast and secure CPU design work.

      Anyone have a design time line for when this will all be fixed in the CPU again?

      So programs will maintain two different codebases for processors which are vulnerable and processors which are not? That will not happen for a long time even assuming that Spectre is solvable. At best the impact on processors immune to Meltdown will be minimized.

    23. Re:When will the next gen CPU by Agripa · · Score: 1

      Well, there is still competition as who will have their fixed CPUs first..

      If Spectre can be fixed which is not a given. Somehow they have to prevent speculative execution within the same process from altering CPU state.

      Without a time machine, how do you prevent speculative loads in untaken branches without preventing speculative loads in taken branches?

  2. Re:10-13% more RAM? by AHuxley · · Score: 1

    When the RAM is set in a factory and the device used is sold with a set amount?
    The OS, other consumer applications and browser then all start using more RAM to keep the consumer safe.
    How many times does 10% start to add up to a lot of RAM that was not used before?

    --
    Domestic spying is now "Benign Information Gathering"
  3. How vary misleading. by Anonymous Coward · · Score: 1, Informative

    This is only a problem for intel cpus.

    1. Re:How vary misleading. by Anonymous Coward · · Score: 1

      This is only a problem for intel cpus.

      Oh, really?

      In particular, we have verified Spectre on Intel, AMD, and ARM processors.
      https://meltdownattack.com/

    2. Re:How vary misleading. by Anonymous Coward · · Score: 0

      Yes, vary much so. Vary much so indeed.

  4. Stupid over-reaction by GerryGilmore · · Score: 5, Interesting

    Supposedly, the biggest vulnerabilities are from cloud providers due to their extensive use of virtualization in their environs.
    However, I've never seen a real server that surfs the web using any browser. Stupidity is rampant, paranoia rules and perspective has completely left the building when it comes to Spectre/Meltdown.
    The most difficult "vulnerability" to leverage known to mankind has everyone scurrying like mad while basic security - allowing the Equifax breach, say - gets a passing nod. Well done, guys!

    1. Re:Stupid over-reaction by darkain · · Score: 1

      "I've never seen a real server that surfs the web using any browser"

      There are countless web based resources that include web page screen shots. These screen shots are not made on client machines by hand, they're made using automated tasks with web browsers running on the servers.

    2. Re:Stupid over-reaction by mccalli · · Score: 4, Informative

      Corporate VDI. A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.

    3. Re:Stupid over-reaction by Anonymous Coward · · Score: 1

      just because it's only theoretical and difficult doesn't mean chrome shouldn't patch it... if someone successfully made an exploit you just need to put some JS in an advert and you basically own the entire world.

    4. Re:Stupid over-reaction by Antique+Geekmeister · · Score: 1

      You would need to define "server". Downloading patches and running reporting toolkits to find precisely what hardware or software revisions is something I've seen available only via some browsers. I've also seen companies require the local scan to report to the vendor on the web page to select the correct patches for local application. It's as confusing and annoying as Sun's, now Oracle's, practice of forcing you through a web form to sign the latest license agreement for the latest Java toolkit.

    5. Re:Stupid over-reaction by Anonymous Coward · · Score: 0

      True, although one is still going to have more protection than the average desktop, since most desktops don't have an underlying VM. Not to mention the CPU/GPU* is a step above what's in a desktop.

      *GPU virtualization requires a GPU that's VM aware, unless you start binding one GPU to each VM with pass-through.

    6. Re: Stupid over-reaction by Anonymous Coward · · Score: 0

      Good. I fart in their general direction!

    7. Re:Stupid over-reaction by tepples · · Score: 2

      A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.

      How much are these corporates spending on Terminal Server client access licenses (CALs) to allow virtual Windows desktops to work? Or are they instead using virtual FreeBSD or GNU/Linux desktops?

    8. Re:Stupid over-reaction by Anonymous Coward · · Score: 0

      Step 1: Force compliance, even if it breaks the company. Migrate all of your apps to webapps, even if it doesn't fit the business needs of your department. When said department complains, tell them their app is no longer supported and walk away. When they complain, inform their management the business case, which you have no understanding of whatsoever, is the same as every other department using software X.

      Step 2: When software X needs minor tweaking such as, for example, adding barcodes to a form, charge 5-6 figures for the privilege, and inform the end users that this is the cost of doing business.

      Step 3: You will discover a spattering of special sauce apps you were unable to politically assassinate or harass the management into getting rid of. Shove these on remoteapp\citrix servers, even when they often don't support it or when doing so is cumbersome, and provide them to the end users. Inform the management the next "refresh cycle" they will need to be looking for a webapp, as remoteapps are legacy systems, even if the business case makes zero sense.

      Step 4: Start a BYOD program. Inform end users the webapps and remoteapps are supported, but their system is not. Tell them they have to install office and get their computer setup themselves. Create long processes for setting up user accounts to ensure they have time to figure it out, instead of bothering IT.

      Step 5: Tell management you've cut the IT budget in half, and you're performing so much better than market it's ridiculous, demand huge bonuses.

      Step 6: After 3-4 years into the process, leave and go to work for a large contractor company complaining your compensation package was not large enough.

      Step 7: Finally, your previous employer will become tremendously dysfunctional from years of you shoving square pegs through round holes producing catastrophes and driving off the company's talent because hey, we need large managerial reserves or to pay off debt instead of raises and bonuses. The great Silo'd IT employees will have moved on long ago, and you will have filled the ranks with cheap, talentless driftwood. You approach the executive management, who've been isolated from the staff by bad IT infrastructure and poor decisions, and tell them "well gee, you're so behind the times, that's why you're dysfunctional!".

      Step 8: Said contracting company comes in, clears some of the drift wood, perma-temps the remainder, poaching any truly bright employees. They rebuild everything with the new AI-Powered VR Nanite-Infused Quantum Neural Lace that automates the turbo-encabulator which time-travel to the past and suck the money straight out of your competitors' (or governments') pockets. They stay for 4-5 years, modernize everything, then you insource, lose your talent all over again.

      Step 9: Some bright young buck gets an idea about cutting cost and jumping ship....

    9. Re:Stupid over-reaction by thegarbz · · Score: 1

      Corporate VDI. A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.

      A typical employee has far more access to systems and people to care about sophisticated spectre related vulnerabilities. If you have a nefarious employee you're effectively screwed. Corporate IT security is not equipped to handle this.

    10. Re:Stupid over-reaction by Rain · · Score: 1

      Browsers are a concern for the same reason as cloud providers: you are running untrusted code in a sandboxed VM, and Spectre allows you to potentially exfiltrate data from outside the sandbox. Cloud providers are a bigger concern because they're more likely to contain interesting data* and because it's harder to exploit Spectre via Javascript than native code, but there are Spectre proof-of-concepts written in JS.

      * interesting to an attacker, relative to the effort required

  5. Site Isolation by Anonymous Coward · · Score: 0

    I enabled Site Isolation a long time ago because a large part of the reason I switched to Chrome was precisely that it was supposed to have per-page processes, separate render process, etc to mitigate the risk of attack and lessen the impact of a crash (which might be part of the attack mitigation). 10-13% more RAM is nothing if it means I can leave dozens of tabs open and one tab crashing or hanging only means killing that one tab.

    But, yea, let's spring up Spectre specifically. Does this even protect against the Spectre variants?

  6. And yet... by Anonymous Coward · · Score: 1

    [insert your fave js blocker here] will reduce the footprint by MUCH more than that.

    1. Re:And yet... by AHuxley · · Score: 1

      Ad brands who give away free OS may not like brokers not showing their OS approved ads.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:And yet... by m.dillon · · Score: 1

      Yes, an ad-blocker definitely reduces memory usage, by a lot. However, it's a bad idea to use any add-on for 'important' sites. I compartmentalize my browser into different user ids so the actual chrome instance I use to access sensitive accounts is completely independent of the instance I use for general browsing. The ad-blocker is disabled for the one I use to access sensitive accounts (in fact, ALL add-ons are disabled for that one), and enabled for the one I use for general browsing.

      -Matt

  7. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    If each application uses 10% more RAM, total system usage goes up by 10% ...

  8. Put the resources into the LIPS! not Spectre by Anonymous Coward · · Score: 0

    Or is this the result of some sort of spectre?

    http://staticimg.stantondaily....

  9. Here's who it hurts by Anonymous Coward · · Score: 0

    Who cares if you're running 32+ GB of RAM. Sucks if you're stuck on that modern new Macbook that caps out at 16 GB...

    The huge percentage of people who can't afford to replace their PC every couple of years.

    1. Re:Here's who it hurts by dohzer · · Score: 1

      Well spending the big bucks on an Apple would definitely reduce your chances of being able to afford to upgrade.

    2. Re:Here's who it hurts by Ol+Olsoc · · Score: 1

      Well spending the big bucks on an Apple would definitely reduce your chances of being able to afford to upgrade.

      Pssst, Hey mister - that's a nice non-sequitur ya got there!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  10. Re: 10-13% more RAM? by hcs_$reboot · · Score: 2

    Except if Chrome takes already 90%

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  11. Maybe I'm just stupid ... by Anonymous Coward · · Score: 0

    How the heck does creating more processes each containing less data (ie, from a single "site" as they put it) have any effect in mitigating a flaw which is used to either (a) read information from other processes or (b) read information from kernel memory?

    It may provide some protection against the javascript kiddie-malware which can read from its own process, but it certainly can not have the effect claimed in being any assistance whatsoever in mitigating Spectre or Meltdown. The most effective mitigation strategy for those particular vulnerabilities is to do away with the "let's all pretend we have process and kernel isolation" altogether and run as much as possible in a single monolithic process.

    I knew those so-called Google Chrome folks were stupid assholes, and this just confirms it ...

    1. Re:Maybe I'm just stupid ... by hcs_$reboot · · Score: 2

      Google developers are among the best in the world. A browser is a very complex program, and some algorithms might gain time-complexity by allowing more space-complexity. This is probably what happens here, Chrome is still performant, but in order to keep the same speed it had to sacrifice some 10-13% memory more.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Maybe I'm just stupid ... by drinkypoo · · Score: 1

      Google developers are among the best in the world.

      [citation needed]

      I remember when Google used to be good at stuff. Lately, though, their developers seem to spend most of their time ruining interfaces for products people have been using for years...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Maybe I'm just stupid ... by hcs_$reboot · · Score: 1

      The browser team has to be good (too complex to let web devs in charge).

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  12. Re:10-13% more RAM? by Anubis+IV · · Score: 5, Insightful

    Who cares if you're running 32+ GB of RAM. Sucks if you're stuck on that modern new Macbook that caps out at 16 GB...

    A) That’s like responding to a car analogy with “who cares if you own a private jet”? Suggesting that people should have 32GB of RAM to run a browser is preposterous.

    B) The new MacBook Pros are configurable up to 32GB of RAM...

  13. Re:10-13% more RAM? by hcs_$reboot · · Score: 0

    Seriously 10-13% to have a reliable fix while still having a fast Javascript, I'm ok with that.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  14. Re:10-13% more RAM? by hcs_$reboot · · Score: 1

    16 GB is quite a lot, and while Chrome is greedy it doesn't take that much (less than 500MB with quite a few tabs opened). The 10-13% applies to Chrome memory, not the system memory..

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  15. Re:10-13% more RAM? by antdude · · Score: 4, Insightful

    Or using old computers like mine with 2 GB & 6 GB of RAM. :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  16. Re:FRENCH!! STOMP!! CROATS!! by hcs_$reboot · · Score: 1

    Is this related to TFA, or maybe you plan to watch it in Chrome, and you wonder if your RAM is enough?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  17. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    So that leaves you with 1% to play with, what are you complaining about? You're not trying to run any unapproved, non-Google software, are you comrade?

  18. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    Here I thought 640k was all we would ever need.

    Lies!!!

  19. Chrome memory usage by Anonymous Coward · · Score: 1

    Well, fortunately Chrome didn't use that much memory to begin with.

    Oh, wait...

  20. Web sites in this case by Impy+the+Impiuos+Imp · · Score: 1

    I guess porn leads the way in cutting edge innovation for more than just the obvious reason :-/

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Web sites in this case by Agripa · · Score: 1

      I guess porn leads the way in cutting edge innovation for more than just the obvious reason :-/

      The original developers should have known; always practice safe hex.

  21. Re:Web sites in this case :)) by Anonymous Coward · · Score: 0

    In these days porn sites are more clean and optimized for heavy traffic than others with great pretensions.

  22. Re:10-13% more RAM? by Rockoon · · Score: 1

    Why do you want a fast infection and spying vector?

    --
    "His name was James Damore."
  23. Chrome is spyware by Anonymous Coward · · Score: 1

    Every click goes to Google. No thanks

  24. Re:FRENCH!! STOMP!! CROATS!! by Anonymous Coward · · Score: 0

    In real football you can only have a score of 1 to anything if the other team doesn't show up/forfeits. A typical score in real football is like 48 to 35. A stomping is something like 35 to 3. You know, manly scores. Maybe ladies are playing over there in CCCP?

  25. Kill JavaScript! by Anonymous Coward · · Score: 0

    Honestly 95% of JavaScript's purpose on the web is track, spy, exploit and spam you with advertisements. Ad devs are douche nozzles and have ruined the web. Just say fuck it to JavaScript, the most abused language in the world.

    1. Re:Kill JavaScript! by tepples · · Score: 1

      Let's say an application developer owns a Mac. He can choose to develop an application as a Mac application or as a web application. If he develops the application as a web application, then any user with a web browser can run it. But if he develops the application as a Mac application, then only those users whose computer happens to be a Mac can run it. Would you prefer to have to buy a Mac to run one application and buy a Windows PC[1] to run a second application?

      [1] Yes, it's possible to virtualize Windows on a Mac, but only if you thought ahead and paid extra to order your Mac with enough RAM to run both macOS and Windows.

    2. Re: Kill JavaScript! by Anonymous Coward · · Score: 0

      This doesn't even come close to making up for JavaScript's abusive use percentage. They could write their app in java or free pascal or some desktop script language like python. Browsers have become too complex because of people trying to use them as app ui. Too much attack surface. Like Adobe's great decision to include JavaScript which was riddled with exploitable bugs and the perfect script language tools to spray memory. I stand by the call to Kill or severely cripple JavaScript. Eliminating eval and the ability to call object[methonstringnamevar] would be the first things to ax

    3. Re: Kill JavaScript! by tepples · · Score: 1

      They could write their app in java

      Since when is Java less bad than JavaScript?

      or some desktop script language like python

      Because far fewer users of Windows applications have Python installed than have a web browser installed, either each end user would have to locate, download, and install the Python interpreter, or the developer would need to convert the script to a stand-alone application by bundling a copy of the interpreter with the application. Which of these two were you anticipating?

      When I tried to convert a small Python+Pygame application that I developed to a stand-alone executable, it was 21 MB. In addition, Windows SmartScreen produces the "Windows protected your PC / Don't run" interstitial if not a lot of people have already downloaded and run the executable. What fraction of users would consider this an acceptable tradeoff?

    4. Re: Kill JavaScript! by Anonymous Coward · · Score: 0

      The browser being a general purpose UI for JS development is horribly abused and has led to massive browser bloat and insecurity.

      The majority use of JS and its consequences on the web is abusive garbage and does not enhance our lives.

      There are no other points worth arguing on this. Desktop javascript apps or specially whitelisted pages whatever who cares.

       

    5. Re:Kill JavaScript! by Anonymous Coward · · Score: 0

      Web pages are ephemeral by nature and that makes them undependable. Features that are here today, gone tomorrow because of some stupid marketing, social, or even political issue are useless for anything critical. I'd prefer to have applications I depend on stored locally such that they are there when I need them. They don't change, disappear, or update, unless I decide it's time to do so. Google and their fellow SaaS industry clowns have already built quite the negative track record with the constant churn and have made it clear they don't care what disruptions they cause. While this churn has moved over to the client in recent years, the fact that client software resides on my box as opposed to their servers gives me a lot more leverage over this user-hostile vendor behavior.

      The architecture sucks because the browser dependency makes it difficult to integrate them with existing workflows for anything but the most basic tasks. What apis do exist are, once again, here today, gone tomorrow with constant feature and licensing churn. Barring some specific (admittedly large and popular) workloads, for most single user cases, there's usually a client side application that does the job at least just as well if not better, and without the added costs of the browser and network dependencies. In addition, compiled, native C/C++ runs a lot better than interpreted javascript garbage running inside what's basically another framework that sits on top of the OS.

      Finally, there's security, which is fundamentally at odds with the interest of those pushing SaaS: control, of both software and user data.

    6. Re:Kill JavaScript! by tepples · · Score: 1

      In addition, compiled, native C/C++ runs a lot better than interpreted javascript garbage

      How efficiently does a program written in C or C++ and compiled to x86-64 native code run on an ARM device or vice versa?

      running inside what's basically another framework that sits on top of the OS.

      In order to make a single program written in C++ run on Windows, macOS, and X11/Linux, you need something like Qt, which is also "another framework that sits on top of the OS."

    7. Re: Kill JavaScript! by Anonymous Coward · · Score: 0

      And how many megs of dependencies do browsers require to run js and give them access to the dom. How much framework does the js code require to be cross platform and handle all the nuances of each different rendering engine in each different browser. If you have ever looked at the js compile and execution process it's ridiculous what the execution flow goes through. Js is a ridiculous language and depending on a variable browser layer for rendering is such a mess. And all of that earns you a limited framework with no file system access. If your whole app is a JavaScript web app it's not much of an app at all. Just saying

    8. Re: Kill JavaScript! by Anonymous Coward · · Score: 0

      > Since when is Java less bad than JavaScript?

      Since Electron.

  26. Re:10-13% more RAM? by Joce640k · · Score: 2

    Which Universe do you live in? If I start Chrome with no tabs open I get 7 processes.

    One of those processes is using 1.5Gb and has 38 threads.

    That's without opening any web pages, just an empty tab. No, I don't have any extensions installed. None.

    --
    No sig today...
  27. Now you're just like the other nutsies by tepples · · Score: 1

    Now that you've wished the atrocities of the Holocaust on another person, I can NOT SEE myself promoting your Hosts File Engine anymore.

    DEY

    1. Re:Now you're just like the other nutsies by drinkypoo · · Score: 1

      Now that you've wished the atrocities of the Holocaust on another person, I can NOT SEE myself promoting your Hosts File Engine anymore.

      It was insane to ever support APK on any level since you cannot tell his troll posts from APK-mocking troll posts. That is troubling on multiple levels.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Now you're just like the other nutsies by Highdude702 · · Score: 1

      I don't much like APK, but in certain cases I'm sure his host file shit works for the plebs that don't know how to protect themselves. That being said, it's easy to tell when the "fake" APK is posting. He has almost an Alex Jones personality about things, and even if he is off the deep end, I have never seen hatred in his posts, and he doesn't seem antisemitic by any means. I think you have been duped by one of the many slashdork trolls.

    3. Re: Now you're just like the other nutsies by Anonymous Coward · · Score: 0

      His hosts file shit never works because his application doesn't write a hosts file even after pegging the cpu to 100% for more than 2 hours. As far as I'm concerned he has a disguised crypto miner or seti@home running under the covers. His application never writes a hosts file, whether it's running on low-powered Celeron or top of the line Ryzen. Just sits there and uses the cpu and is unresponsive. At the same time doing in Cygwin bash what his app is purporting to be doing hardly takes more than 5 minutes.
      And on top of that, if you are doing it per machine, you are doing it wrong.

    4. Re: Now you're just like the other nutsies by tepples · · Score: 1

      Attempting to swing it back on topic: One might blocklist hostnames that serve unwanted scripts as a means of recovering the 10-13 percent of RAM that Chrome's Site Isolation is using.

      At the same time doing in Cygwin bash what his app is purporting to be doing hardly takes more than 5 minutes.

      Would there be merit in building the blocklist builder tool that I sketched in this article?

      And on top of that, if you are doing [DNS blocklisting] per machine, you are doing it wrong.

      The operator of a LAN could apply changes to devices on the LAN by configuring its DHCP server to point DNS at a local Pi-hole instance. But when you're out in public using your laptop on public Wi-Fi, you need a local blocklist if you're not running all of your laptop's DNS traffic through your Pi-hole at home.

    5. Re: Now you're just like the other nutsies by Anonymous Coward · · Score: 0

      When out in public I use https://mikrotik.com/product/RBmAPL-2nD
      Traffic is policed, routed through a vpn and all inbound is dropped. Yes there is a usb and Ethernet cables between the laptop and this router, but still much better security

    6. Re:Now you're just like the other nutsies by Anonymous Coward · · Score: 0
    7. Re:Now you're just like the other nutsies by Anonymous Coward · · Score: 0

      It's his imitator, but the imitator actually reposted APK's post.

      Bottom line is APK is not only a spammer, he is also a racist, homophobic, anti-semitic, islamophobic.

    8. Re:Now you're just like the other nutsies by Anonymous Coward · · Score: 0

      You really ARE too STUPID to live... time to FIRE UP THE OVENS again & Zyklon B showers

      How's that not antisemitic?

  28. Re:10-13% more RAM? by Ol+Olsoc · · Score: 1

    Who cares if you're running 32+ GB of RAM. Sucks if you're stuck on that modern new Macbook that caps out at 16 GB...

    A) That’s like responding to a car analogy with “who cares if you own a private jet”? Suggesting that people should have 32GB of RAM to run a browser is preposterous.

    B) The new MacBook Pros are configurable up to 32GB of RAM...

    Hold on, hold on - let the guy make some non sequiturs about systemd and Russian hacking maybe before you squanch him. It's the only way he can participate.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  29. Re:10-13% more RAM? by Ol+Olsoc · · Score: 1

    Which Universe do you live in? If I start Chrome with no tabs open I get 7 processes.

    One of those processes is using 1.5Gb and has 38 threads.

    That's without opening any web pages, just an empty tab. No, I don't have any extensions installed. None.

    Your answer is in your last two sentences.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  30. Re:10-13% more RAM? by tepples · · Score: 1

    Because the alternative is native applications, which are specific to one operating system. If you have a Mac, you see an application that looks interesting to you, only to have to turn away because it's Windows-only. Or if you have anything but a Mac, you see an application that looks interesting to you, only to have to turn away because it's Mac-only. Do you want to have to return to that environment, where you have to buy multiple computers and operating system licenses just to run all the applications in your work flow?

  31. Re: 10-13% more RAM? by devslash0 · · Score: 1

    Just close all the excess tabs. There's no reason to keep 50 of them open at the same time.

  32. Re:10-13% more RAM? by Carrot007 · · Score: 1

    Have you not updated in like 15 years?

    I have not updated in "forever" and I have 16GB.

    I think "forever" is probably around 5 years now.

    --
    +----------------- | What is the question!
  33. Re:FRENCH!! STOMP!! CROATS!! by Anonymous Coward · · Score: 0

    The record is 149-0, apparently. I couldn't find any 48-35 matches.

  34. Blofeld? by Anonymous Coward · · Score: 0

    I thought the war against Spectre ended when Bond killed Blofeld

  35. Re:10-13% more RAM? by Highdude702 · · Score: 1

    Systemd made the russian trolls hack the election!! Why are you so blind to reality?!?!!!11!onetwotilde

  36. Re:10-13% more RAM? by Anonymous Coward · · Score: 0

    Suggesting that people should have 32GB of RAM to run a browser is preposterous.

    Have you loaded a modern webpage recently?

  37. Spectre bugs baked into modern computer processors by najajomo · · Score: 1

    "The critical Meltdown and Spectre bugs baked deep into modern computer processors"

    That should be, the critical Meltdown and Spectre bugs baked deep into Intel x86 architecture processors. And such bugs wouldn't be so serious if we didn't run our computing on a monoculture. As in nature, when a bug comes it doesn't wipe out a whole population.

    "Spectre lets attackers access protected information in your PC’s kernel memory, potentially revealing sensitive details like passwords, cryptographic keys, personal photos, or anything else you’ve used on your computer"

    It's for razor sharp analysis like that, that I come here for :]

  38. Impersonating me? Please... apk by Anonymous Coward · · Score: 0

    You impersonating me proves you wish you were me & imitation is the sincerest form of flattery - but you = poor imitation.

    * You "threaten"you'd impersonate me as you STALKED ME via UNIDENTIFIABLE anonymous trollings of me too https://yro.slashdot.org/comme...

    APK

    P.S.=> Grow up & do something useful w/ yourself loser... apk

  39. Impersonating me AGAIN? Please... apk by Anonymous Coward · · Score: 0

    You impersonating me proves you wish you were me & imitation is the sincerest form of flattery - but you = poor imitation!

    * You "threaten"you'd impersonate me as you STALKED ME via UNIDENTIFIABLE anonymous trollings of me too https://yro.slashdot.org/comme...

    APK

    P.S.=> Grow up & do something useful w/ yourself loser... apk

    1. Re: Impersonating me AGAIN? Please... apk by Anonymous Coward · · Score: 0

      Quick! Go post this in the article about automation, too!

      I sense that you're getting angry about bump stocks not being banned. Perhaps there'll be some comments about over the next few days, too.

  40. Impersonating me STILL yet AGAIN?... apk by Anonymous Coward · · Score: 0

    You impersonating me proves you wish you were me & imitation is the sincerest form of flattery - but you = poor imitation.

    * You "threaten"you'd impersonate me as you STALKED ME via UNIDENTIFIABLE anonymous trollings of me too https://yro.slashdot.org/comme...

    APK

    P.S.=> Grow up & do something useful w/ yourself loser... apk

    1. Re:Impersonating me STILL yet AGAIN?... apk by Anonymous Coward · · Score: 0
  41. Detect, not Mitigate. by Anonymous Coward · · Score: 0

    Detect, not Mitigate.

  42. Solution. by Anonymous Coward · · Score: 0

    Buy a device that is expandable. That means a regular sized laptop. If you buy a super thin device, that's YOUR fault for being trendy.

    1. Re:Solution. by Tyger-ZA · · Score: 1

      Buy a device that is expandable. That means a regular sized DESKTOP. If you buy a super thin device, that's YOUR fault for being trendy.

      FTFY. Laptops are compromise devices.

    2. Re:Solution. by Anonymous Coward · · Score: 0

      My laptop is expandable. I've got 64GB of RAM in it and I'm thinking about upgrading my GTX 1060 MXM to a GTX 1070 or 1080.

    3. Re:Solution. by Tyger-ZA · · Score: 1

      My laptop is expandable. I've got 64GB of RAM in it and I'm thinking about upgrading my GTX 1060 MXM to a GTX 1070 or 1080.

      That's great, but I didn't say laptops can't be upgraded. I said that they're compromise devices

      This means that for whatever feature you gain, some other metric is worse off

      Want a 17" screen? Comes with a larger and heavier laptop

      Want a high end gaming machine? Worse battery life

      Want a higher capacity battery? The upgraded battery adds more weight

      Want something smaller and lighter? Cramped keyboard, typically paired with weaker hardware overall

      Want to upgrade anything? Pay more than you would for desktop upgrades

  43. Less RAM use by stopping ads/script... apk by Anonymous Coward · · Score: 0

    See subject & via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats use hostnames vs. IP addresses most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * ONLY 1 of its kind in GUI on Linux!

    Better vs. Windows model in speed/efficiency/merge.

    APK

    P.S.=> Best program of its kind bar-none & better vs. browser addons + other competitors (full of bugs, excess resource use, slowdown & complexity)... apk

  44. Separate processes == good by TeknoHog · · Score: 4, Insightful

    Browsers should be using different processes for different websites anyway, as a general security measure, and I believe they have been aiming to do that already. Since Spectre only allows reading memory within the same process, I don't understand the panic here (though I guess it's different for virtual machines).

    We've already had countless issues where developers didn't sanitize their inputs, so a malicious piece of data could do something nasty; crucially, we didn't need Spectre for that. Meltdown is a wholly different beast, but I guess Intel needs to keep up the Spectre panic for AMD.

    --
    Escher was the first MC and Giger invented the HR department.
    1. Re:Separate processes == good by Agripa · · Score: 1

      Browsers should be using different processes for different websites anyway, as a general security measure, and I believe they have been aiming to do that already. Since Spectre only allows reading memory within the same process, I don't understand the panic here (though I guess it's different for virtual machines).

      It is a good thing each web page only loads scripts from one domain.

  45. Registered /.ers review of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Best part = Linux 64-bit model's faster/more efficient (2x work & 1/2 the time)

    APK

    P.S.=> For a faster/safer/more reliable internet... apk

  46. Re:10-13% more RAM? by antdude · · Score: 1

    My old PCs are about a decade old now. :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  47. UNTRUE (multiplatform codebase ports)... apk by Anonymous Coward · · Score: 0

    FreePascal & Lazarus IDE let me port APK Hosts File Engine https://tech.slashdot.org/comm... Win32/64, Linux 64-bit (both released), BSD & MacOS X (former in testing & basis of latter imo, a matter of minutes once tests are done)...

    * The SAME can be achieved via C/C++ & even REALBasic (& other lesser performing languages) is possible for a SINGLE CODEBASE multiplatform via porting as I did cross-platform.

    APK

    P.S.=> The days you speak of ala COM/DCOM/CORBA are OVER (vs. webservices competing w/ them) - True "stand-alone" SINGLE executables (dependent ONLY on OS or IP Stack API) are possible - your PROOF is above as a single example thereof... apk

    1. Re:UNTRUE (multiplatform codebase ports)... apk by tepples · · Score: 1

      Can Lazarus cross-compile, or do you need to own a sufficiently recent Mac in order to ship for Mac?

  48. choose your poison, i guess... by Anonymous Coward · · Score: 0

    the chance someone uses a cpu flaw to extract data off your computer.

    vs

    google hoovering everything you do to add to its massive databases that make spy agencies drool.

  49. so by Anonymous Coward · · Score: 0

    So it'll use like a quarter of the ram that Firefox uses.

    1. Re:so by Anonymous Coward · · Score: 0

      Chrome is known as a memory hog for a reason.

    2. Re:so by Anonymous Coward · · Score: 0

      Uhm, how exactly? Chrome already uses double the amount of RAM Firefox uses. Adding 10-13%, I don't see how that could suddenly become less than Firefox...

  50. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    Autodesk mechanical desktop runs just fine with 4gb with detailed 3D drawings of a whole factory floor worth of machinery (I mean like every thread being detailed, every screw, nut, etc). If a web browser needs more than that, then that browser is shit

  51. Feature is more swap-friendly, so actually by m.dillon · · Score: 1

    So actually even though the memory footprint is larger, using separate processes also makes chrome more swap-friendly, which means the kernel can page-in/page-out the tabs more efficiently. The result seems, at least for me, to be a smoother ride when I have a lot of tabs open.

    Of course, swap space should always be configured on a SSD.

    I always enable the site isolation option. It's nice to see google finally making it the default.

    -Matt

    1. Re:Feature is more swap-friendly, so actually by Agripa · · Score: 1

      So actually even though the memory footprint is larger, using separate processes also makes chrome more swap-friendly, which means the kernel can page-in/page-out the tabs more efficiently.

      This is true except on processors vulnerable to Meltdown which have to trash the page tables. The change was needed but it moved the problem to the operating system. At least it was feasible.

  52. Re:10-13% more RAM? by MightyMartian · · Score: 1

    If you want to turn your browser into a glorified version of Mosaic, be my guest. Some of us actually want to view the web of 2018, not the web of 1995.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  53. Curious why AMD? by Anonymous Coward · · Score: 0

    Why don't I see a separate build?

    I suspect these kinds of "fixes" will have no distinction between platforms, after all can't have the masses believing anything but Intel Marketing (TM).

    Captcha: portable. Creepy Slashdot.. creepy.

  54. Re:10-13% more RAM? by hcs_$reboot · · Score: 1

    How much has your system? Chrome reserves some space if it's not used. Try to load a load of crap aside of Chrome, and you'll see (or do a quick malloc(big))

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  55. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    I had 50 tabs open 10 years ago. So I guess we are progressing backwards?

  56. Re:10-13% more RAM? by Ol+Olsoc · · Score: 1

    Systemd made the russian trolls hack the election!! Why are you so blind to reality?!?!!!11!onetwotilde

    Using Macs.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  57. Re:10-13% more RAM? by Anonymous Coward · · Score: 0

    At $6700...

  58. Re: 10-13% more RAM? by Anonymous Coward · · Score: 0

    Autodesk mechanical desktop runs just fine with 4gb with detailed 3D drawings of a whole factory floor worth of machinery (I mean like every thread being detailed, every screw, nut, etc). If a web browser needs more than that, then that browser is shit

    Well, the browser might be shit, but try taking a look at what it is being asked to do.

    Most, and I really do mean most modern websites are horrifically wasteful of resources.

  59. Re:Spectre bugs baked into modern computer process by Megol · · Score: 2

    Spectre is there for all processors with more than the most trivial support for speculative execution. Yes that includes all modern computer processors.

    Meltdown is limited to Intel, some IBM designs and some ARM designs.

  60. Worst Bond film ever by TJHook3r · · Score: 1

    Seriously, who are these new Bond films targeting? 3/10.

  61. Hits RAM? Don't care. by nashv · · Score: 1

    Sorry, but I have more RAM than battery life. Why do I bring this up? Because the only real alternative Firefox reduces my battery life by about 30% when I do the exact same things on it as I would on Chrome. And Firefox doesn't even have site isolation yet.

    I really want to use Firefox and occasionally fire up the latest version. But I cannot justify using it, because it is trivial to buy a laptop with 32 GB RAM to overcome the resource hungriness. Battery life is not so easy to obtain.

    --
    Entia non sunt multiplicanda praeter necessitatem.
    1. Re:Hits RAM? Don't care. by Anonymous Coward · · Score: 0

      I hardly care about battery life at all. I mean, if it's free and on offer anyway, I'll take it (natch). But to prioritize it or pay more, or sacrifice something else to achieve it? No.

      I plug in. All the time. Everywhere. Where can you go today that you cannot get access to power? The beach maybe... and urban transit... and that's about it.

      Long battery life is one of the least useful laptop attributes for me.

  62. WORKED FINE Win64- Linux (I wrote it so it did) by Anonymous Coward · · Score: 0

    WORKED FINE Win64-> Linux (I wrote it so it did) -> BSD. The person handling it could be NO FINER than my relative recompiling on OS X (all it will take).

    * "Savoir Faire, is ... EVERYWHERE!"

    (FreePascal 3.0.4 & Lazarus 1.0.4 motto = "Write once, RUN ANYWHERE..." & I am LIVING proof thereof...)

    APK

    P.S=> It's real/true - I can DO things like that w/ ease - a whim... apk

  63. Re: 10-13% more RAM? by antdude · · Score: 1

    I miss the old days when web sites were simple and fast that were designed for dial-up modems. ;)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  64. Re:Spectre bugs baked into modern computer process by iggymanz · · Score: 1

    show me proof Ultrasparc has it.

    (No, don't buy an Ultrasparc machine, for anything)

  65. Re:10-13% more RAM? by thegarbz · · Score: 1

    Suggesting that people should have 32GB of RAM to run a browser is preposterous

    Indeed. But don't let the hyperbole get in the way of a solid argument. If you're the person likely affected by this 10% then you're a person not really concerned with your computer speed in the first place or you wouldn't be running a $300 POS with 2GB of RAM.

    In this case POS can mean Piece of Shit or Point of Sale terminal but I actually think the latter may have more RAM than that in it these days.

  66. I am APK the LORD of HOSTS by Anonymous Coward · · Score: 0

    I am APK the great "LORD of HOSTS", a.k.a. AlecStaar or Alexander Peter Kowalski.

    I am the godlike creator of various GUI front-ends for other people's configuration files.

    Calling people ne'er-do-wells or Jealous JOWIEs is how I think I win every argument

    When people state the truth about me I get really mad and accuse them of projecting which is something I do all the time.

    Don't call me out on anything unless you are willing to prove you too can write some strings to a file programmatically

    Spamming and being a general pain in the ass is what I do

    Listen as I relive my glory days of being a college athlete in the early 80s

    Bask in my greatness as I can do a ping as a non root user.

    Watch as I whine about my work being flagged as malware by anti-virus software.

    Witness my descent into madness

    APK

  67. You prove you WISH you were me by Anonymous Coward · · Score: 0

    See subject: Your POOR imitation of myself (imitation's the sincerest form of flattery) proves that you WISH you were me...

    APK

    P.S.=> ... & you KNOW it... apk

  68. When dependencies cause abandoned installation by tepples · · Score: 1

    Having to download and run two installers to run a single application causes a greater fraction of abandoned installations than having to download and run only one installer. Electron applications require one; Java applications require two: JRE and the application itself. Web applications require zero.

    1. Re: When dependencies cause abandoned installation by Anonymous Coward · · Score: 0

      JavaScript is clearly the winner. It can even run dos games like doom in the browser. Soon I will use webasm so I can write assembler to run in the browser. JavaScript will soon let me write a new kernel with asm and c transpiling. The os of the future will run in the browser and the browser will be the kernel and websockets and Ajax and Json will replace those old stupid database servers. Node is so powerful and the JavaScript frameworks so cool. Soon JavaScript will support sharding and map reduce and give me kick ass speeds by piping all results to dev null. JavaScript is clearly the winner, pfft I don't even have to declare variable types and I can add methods and variables to random objects at any time I want. Declarations and type safety are for n00bs who can't handle the raw awesome power of JavaScript. I myself an expert with JavaScript, I can handle ALL of these things like a 99th level mage juggling 1st level fireballs. I can not be burned. And the browser is so stable it's like a rock. I trust it as my runtime environment implicitly. It's so simple. It doesn't have too many layers or too much code running behind it. It just starts with a simple blank page that's all white until I command it. Also all browsers are reliable on all platforms and behave the same so my apps will be rock solid everywhere. You just can't compete with that. Yeah I looking at you QT! Js also has the most powerful debugging tools available. It is great you can't beat it. Pfft you guys just don't get it and you never will and that's cool with me. I am the one who will be raking in the big bucks with my JavaScript apps running on all platforms able to reach all people in the world even on mobile! we don't even need c developers anymore they are obsolete!! Suck it n00bs

  69. Re: When dependencies cause abandoned installatio by Anonymous Coward · · Score: 0

    JavaScript is webscale: https://m.youtube.com/watch?v=b2F-DItXtZs

  70. Re: When dependencies cause abandoned installatio by Anonymous Coward · · Score: 0

    JavaScript is the secret ingredient in the web scale sauce