[flagged] Chrome Is Bad (chromeisbad.com)
651 points by basisword on Dec 12, 2020 | 290 comments



This is total nonsense.

Even for malware, hiding from Activity Monitor would be quite a feat. Short of an exploit, you couldn't hide your process without a kernel rootkit, but macOS has required user approval to load kernel extensions for several versions now. I suppose you could go the low-tech way and just name your process "WindowServer" to confuse the user, but you'd still end up with two WindowServers.

The idea that Chrome's auto-updater is doing this is ludicrous.


For those of you who are unaware, Comex is one of the most respected security researchers of all time and has done extensive research into Chrome and won Pwn2Own multiple times. He is completely correct, keystone is just Chrome's auto updater. The technical content of this article is super thin. This shouldn't be on the top of hacker news.


The blog post quality is lacking but the comments are interesting.


Oh the good old argument by authority.


The parent did not rely on authority; they posted actual substantive content. Read their comment history.

You can choose to flip off people's qualifications if you want.... but it doesn't make what they say wrong, no matter hooooooowwwww much you don't like it. :)


I remember quite well the Google update process being notorious for evading Little Snitch firewall rules. It popped up every interval as if it were a new (unseen) process. There's definitely something going on with the app signature. (Haven't used Chrome for some time by now.)


I am curious why that happens. From some Googling it seems like the updater copies itself to a random directory each time it runs [1], and I guess Little Snitch classifies programs by their full path, so it sees it as a new program each time.

Copying itself is odd and probably suboptimal behavior, but it is explainable without assuming malice: my guess is that it’s related to some kind of “before we update let’s update the updater” bootstrapping logic. I could be wrong, but IIRC the updater code is open source, so it should be easy to find out.

[Edit: Oops, it's actually not open source. Their Windows updater (Omaha) is open source, but their Mac one (Keystone) is not. Of course, one can still open the binaries in a decompiler.]

Regardless, moving a program around on disk, or even deleting the program while it’s running (which is possible on macOS), would not prevent it from showing up in Activity Monitor.

[1] http://www.reecefowell.com/2012/11/16/ksfetch-annoyance-on-m...


> my guess is that it’s related to some kind of “before we update let’s update the updater” bootstrapping logic.

However, it happens (happened) specifically if network access has been denied and there couldn't possibly have been an update received.


I think the observation is just out of date now. "Haven't used Chrome for some time by now." At present, Little Snitch does just fine at blocking GoogleSoftwareUpdate.


While it's indeed unlikely that there is deliberate hiding, there is a chance that the google updater triggers something in some (OS-level) components via some (implicit) IPC mechanism that causes load spikes in those components. You'd hardly see any load for the real culprit itself but those other connected components may run hot.

This user says their WindowServer runs hot. Some Chrome-related software may have entered a state where it accidentally DoS'es the WindowServer either due to a bug in google software or a bug in WindowServer that google software triggers, at least in the system configurations particular to this user.


True, that much is possible. But fairly unlikely, especially since Chrome's updater normally does not even pop up a GUI. We'd need stronger evidence than "I deleted some Google stuff and rebooted and now feels faster". I suppose the author did claim to have reproduced it on two computers, but only once each, and with no objective performance measurements. Sadly, there are a lot of things that can make macOS 'randomly' seem slower or faster, especially after rebooting, and with subjective measurements, confirmation bias is a huge factor.


Well, the author is blaming it on the updater kinda, but it could have been chrome itself or the updater might be trying to create a window for whatever purpose in a tight loop or do something else that somehow ends up eventually calling into the WindowServer. There are plenty of things that can go wrong.

I had my own run in with chrome recently where dwm.exe (Desktop Windows Manager on win10) would eat and eat memory until everything OOM'ed. Didn't use much CPU tho. I eventually tracked it down to a single chrome tab that had a specific website open. It's reproducible at least on my system but I haven't yet had the time to look into it more thoroughly. If I had to guess, it was the website making Chrome use some "hardware layers/surfaces" or something like that and cause the corresponding buffers in dwm to be retained forever. No idea if it's a chrome bug or a dwm bug or even some kind of driver bug, and just closing the tab was enough as a "quick fix".


WindowServer CPU before/after is as objective as I've got. I'm convinced there's a fire, but I can only show you the smoke: https://twitter.com/lorenb/timelines/1338892756752732169

For those that didn't measure, it's almost irrelevant — I'm telling you it's not a subtle difference. It's night-and-day.

It's very low on my list of plausible theories, but if there was a hypothetical keystone exploit, what is the latest on code-injecting WindowServer?

Also added an FAQ to the site: https://chromeisbad.com/#faq to address the low-hanging fruit of obvious objections to the possibility that Chrome/keystone is doing something to the system to cause it to thrash.


I’ve been having WindowServer problems for months taking almost 100% of cpu out of the blue. I never could find any solutions and believe me it’s really painful when working when my IDE becomes so slow it takes seconds for every keystroke. So far it seems to fix my problem and I have the same computer setups. I switched to Brave to get back the Dev Tools. I don’t have a day to take off to analyze my system deeply without knowing where to start so in my case it’s a welcome fix.


Afaik you don't need to hide from the monitor to cause load by WindowServer while staying silent yourself. You just need to do graphics-intensive stuff. WindowServer then shows up as the manifestation of graphics being processed.

In fact, Un-googled Chromium (without the autoupdater) easily causes load that's displayed as WindowServer's, for me—when I open a Youtube video on my oldish Macbook with a shitty integrated video card. However there's little chance that I would think this to be caused by something else.


I may have got it wrong, but I interpreted the page to say only that Chrome and/or its updater made Window Server work hard, not that they're impersonating it.


Chrome does have the capacity for screen sharing (e.g. Chrome Remote Desktop), but I assume it wouldn't inject any extensions into the window server unless it was actively invoked.


The author went so far as to create a domain for this rant, and yet didn't even do any performance metrics or basic forensic analysis at all. I'm not saying the author is wrong, but there's a lot of questions here. How does Keystone hide itself from the Activity Monitor? Is there a Keystone process if you run `ps aux`? Did you run dtruss/strace? What is it doing when Chrome isn't running that causes it to degrade performance?


Because this sounded outlandish, I decided to have a look on my own system. Since the author didn't give any technical details, I grepped `~/Library` and `/Library` for files containing `keystone` in either name or contents. This yielded the following interesting candidates, along with similar entries for daemons etc:

  ~/Library/LaunchAgents/com.google.keystone.agent.plist  
  ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/com.google.keystone.agent.plist
  
They all reference the same binary, `~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent`, and frankly are wholly uninteresting configuration files to integrate with launchd and other stuff.

Looking through a full system trace in Instruments didn't yield anything interesting either (outside of discovering that I forgot to shut down one of my virtual machines).

All in all, this sounds like hot air, and I can't help but wonder what the motivation behind making this page was.


Thank you for digging in to it on your machine. That level of forensics is exactly what we need in this issue.

Because there is a rich history of issues that only affect certain configurations, and those configurations are typically only revealed in hindsight: your results have to be seen as a single datapoint and not a nail in the coffin.

To others who are curious about this: please contribute more datapoints


> I can't help but wonder what the motivation behind making this page was.

Why would you immediately jump to assuming bad faith?

No grand conspiracy required... the author believes that Chrome is slowing down his Mac and decided to share it. The end.


I'm not really one for conspiracies, more so I fail to see where the evidence is that Chrome was somehow related to begin with. I do agree my wording could be better there, though.


Asking the question "wonder" is not really assuming bad faith is it? I don't see any intentional deception there.


The page says "I deleted Chrome, and all the files Keystone had littered on the computer, restarted, and it was so snappy it felt like a brand new computer. Yeah, I realize this sounds like a freakin' infomercial, but it worked so well I spent $5 on a domain name and set up this website even if it makes me sound like a raving nut."

To then "wonder what the motivation is" is to suggest that you don't believe this simple positive explanation, and imply there's something less simple, and more scheming.


Yeah, there was no super master plan here, just that after dealing with one sluggish computer for days (you name it, I tried it), and another one for 5 years... the fact that it turned out to be slow because of an app that wasn't even running was pretty frustrating.

Filing a bug report that would get "works on my machine"'d and then ignored and auto-closed by a bot in 5 years didn't quite feel worthy.

Auto-updating browsers are a good idea. Keystone is bad auto-updating software. It should probably get scrapped.


What's a good way to verify that I've removed Keystone completely? Google doesn't provide any sort of uninstaller or uninstall instructions.


try `mdfind keystone` in terminal
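Added example, not part of any comment in this thread and not Google's or Apple's code: a Python script for the two checks discussed above, searching for `keystone` in file names and contents and checking whether anything of Keystone is left behind. It parses launchd job plists with the standard-library `plistlib` and reports whether each job's binary still exists; the sample tree, the job label and `notes.txt` are constructed, and the function names are this example's own.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

NEEDLE = "keystone"  # the string searched for in the thread
# Standard per-user and system launchd job directories on macOS.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
                "/Library/LaunchDaemons"]


def job_program(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments")
    first = args[0] if isinstance(args, list) and args else None
    program = job.get("Program", first)
    return program if isinstance(program, str) else None


def audit_launchd(dirs, needle=NEEDLE):
    """Return launchd jobs whose file name, Label or program mentions needle."""
    findings = []
    for root in (Path(d).expanduser() for d in dirs):
        if not root.is_dir():
            continue
        for path in sorted(root.glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
            except Exception:
                job = {}  # unreadable or malformed: judge by file name only
            if not isinstance(job, dict):
                job = {}
            label = job.get("Label") if isinstance(job.get("Label"), str) else None
            program = job_program(job)
            fields = {"name": path.name, "label": label, "program": program}
            hits = [k for k, v in fields.items() if v and needle in v.lower()]
            if hits:
                exists = bool(program) and Path(program).expanduser().exists()
                findings.append({"plist": str(path), "label": label,
                                 "program": program, "program_exists": exists,
                                 "matched_on": hits})
    return findings


def sweep(roots, needle=NEEDLE, max_bytes=1 << 20):
    """Case-insensitive search for needle in file names, then contents."""
    hits = []
    for root in (Path(r).expanduser() for r in roots):
        if not root.is_dir():
            continue
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes).lower()  # first max_bytes only
            except OSError:
                data = b""  # unreadable: only the name can match
            if needle in path.name.lower():
                hits.append((str(path), "name"))
            elif needle.encode() in data:
                hits.append((str(path), "contents"))
    return hits


def build_sample_tree(base):
    """Constructed sample tree shaped like the paths quoted in the thread."""
    lib = Path(base) / "Library"
    agents = lib / "LaunchAgents"
    res = (lib / "Google" / "GoogleSoftwareUpdate" /
           "GoogleSoftwareUpdate.bundle" / "Contents" / "Resources")
    agents.mkdir(parents=True)
    res.mkdir(parents=True)
    # The agent binary is deliberately not created: an orphaned launchd job.
    agent = (res / "GoogleSoftwareUpdateAgent.app" / "Contents" / "MacOS" /
             "GoogleSoftwareUpdateAgent")
    job = {"Label": "com.google.keystone.agent",  # constructed label
           "ProgramArguments": [str(agent)]}
    with open(agents / "com.google.keystone.agent.plist", "wb") as fh:
        plistlib.dump(job, fh, fmt=plistlib.FMT_BINARY)
    with open(agents / "com.example.backup.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.backup",
                       "Program": "/usr/bin/true"}, fh)  # unrelated XML job
    (res / "notes.txt").write_text("constructed file mentioning Keystone\n")
    return lib


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_sample_tree(tmp)
        return audit_launchd([lib / "LaunchAgents"]), sweep([lib])


if __name__ == "__main__":
    # No arguments: constructed sample. With arguments: real dirs plus roots.
    jobs, files = ((audit_launchd(LAUNCHD_DIRS), sweep(sys.argv[1:]))
                   if sys.argv[1:] else demo())
    for item in jobs + files:
        print(item)
```

Run it with roots such as `~/Library /Library` to repeat the search on a real machine. A job reported with `program_exists` false is a launchd entry whose binary is no longer on disk.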


And domains are dirt cheap nowadays, so it’s not as if the author is out a lot of money.


Well, for one, going as far as buying a domain for a single rant is a little bit suspicious. If at least it was a website dedicated to gathering issues with chrome, but a single issue with zero evidence or research. That's not generally how people "decide to share it".

Sure looks suspicious and not the content I expect to see on HN.


"Assume good faith."

"Please don't post insinuations about astroturfing, shilling, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data."

https://news.ycombinator.com/newsguidelines.html


It's not suspicious, it's $5 which is not much to a lot of people in 1st world countries, especially those with at least enough curiosity/knowledge to be able to set one up if he/she has been frustrated a long time by a slow computer.


[flagged]


Personal attacks are not ok here. Please don't respond to a comment that breaks the site guidelines by breaking them yourself. That just makes the thread even worse.

https://news.ycombinator.com/newsguidelines.html


This entire submission has been flagged, so it appears that Hacker News itself sees something seriously wrong with the author's web site.

Anyway, FWIW, I was defending the author from the charge of doing something suspicious.


> a dude with too much money and self-importance

Personal attacks are not ok on HN. Please don't post like that again, regardless of whom you're defending.


This is a serious, non-sarcastic response: honestly, sincerely, in my experience as a HN reader off and on for years, a commenter for 6 months, and occasional author of submitted articles (usually submitted by someone other than me) that have reached #1, violation of the HN guidelines is the norm on HN, and abiding by the guidelines is the exception.

I myself have been personally attacked on here, or been interpreted uncharitably, etc., countless times. Mostly with no moderators intervening. In general I have no objection to "policing" the comments, if it is done well, and consistently, but the problem with policing, not just on HN but in general, is the selective, arbitrary enforcement of rules.

Just looking at the current case, for example, why was my reply flagged, but the comment I replied to, which you also cited as violating the guidelines, was not flagged?

Moreover, IMO this whole submission seems to be a strange time to be pedantic about enforcing the guidelines. After all, the submission itself was flagged as very low quality, and many of the commenters were justifiably complaining about the low quality of the submission and wondering why it was #1. The author is deserving of some rebuke, especially for the "nefariously hides itself from Activity Monitor" bit, which is technically false, indeed impossible. The author should know better, being or having been a Mac software engineer himself.

In fairness, HN is no worse off than any other site that allows comments from the general public. HN wants to believe that its comments are higher quality than other sites, but the reality is that it's not really true, and it's hard to see how that will ever become true. Maybe it was true in the distant past when HN was less trafficked, I don't know.


There are several points here—happy to respond.

> violation of the HN guidelines is the norm on HN

It happens much more than we'd prefer, but to say "the norm" is a huge exaggeration. I understand how it can feel like the norm—it's common enough to run into frequently, and painful experiences leave a stronger imprint than pleasant ones [1]. But these false feelings of generality are dangerous because they lead to an attitude of why-bother. Current toxin levels, though bad enough to produce symptoms, at least aren't fatal. Why-bother would kill the community if it spread.

> selective, arbitrary enforcement of rules

HN moderation is inconsistent in one way but consistent in another—call them strong and weak consistency. Strong consistency would be "every post that breaks the guidelines gets moderated in the same way". That would require moderators to read all the posts, and there are far too many for that to be feasible. Weak consistency would be "when a post does get moderated, the mods do it consistently and even-handedly". That's at least possible, and what we're shooting for. We don't get everything right but we're open to hearing about and fixing our mistakes.

If you see a post that ought to have been moderated but hasn't been, the likeliest explanation is that we didn't see it [2]. (You can help by flagging it or emailing us at hn@ycombinator.com.)

> why was my reply flagged, but the comment I replied to, which you also cited as violating the guidelines, was not flagged?

Users flagged one more than the other. Your post violated the guidelines worse, so I don't think that was unfair.

> this whole submission seems to be a strange time to be pedantic about enforcing the guidelines

That's not how moderation works. When users break the guidelines and we see it, we ask them not to. Keep in mind that we don't necessarily read the threads in order—sometimes we do, but other times we're looking in via more random-access views. The guidelines don't change relative to the submission, so I don't see why moderation should.

[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


Another thing you can do: profile the process to find out what exactly it’s spending all that CPU time on. There are a few different ways to do this on macOS, including the GUI Instruments.app which comes with Xcode, and dtrace. But if you’re the sort who always has a terminal open, the quickest way is to just run

    sudo spindump

Also useful when a process is hung, even if it’s not taking up CPU time.

Sometimes the output isn’t useful due to a binary having been stripped of symbol names, but all macOS system libraries have symbols, so you can usually figure out something.


So users are expected to run debugger tools in order to figure out what some hidden program is doing?

Many years back I couldn't sleep and noticed my HDD's was working hard. I checked and it was google updater that was scanning everything...

I will never know why, they might be stealing IP (I was working on OCR at the time) or they just wanted to create a profile to serve better ads...


> So users are expected to run debugger tools in order to figure out what some hidden program is doing?

That's like saying "So we're expected to investigate and have a full trial before sending someone to jail?". If you just want to delete it, go ahead. If you want to go as far as creating a whole domain to blame Chrome, yes, you do need more than just "I deleted it and coincidentally my computer got fast".


> If you want to go as far as creating a whole domain to blame Chrome, yes, you do need more than just "I deleted it and coincidentally my computer got fast".

I think the fact that the site exists and is a pretty highly ranked story on HN probably proves that incorrect.


s/you do need more/you should need more/

Clearly if you read the thread, most people here aren't happy about this being at the top of HN, and it honestly reminds me of reddit where people just upvote things purely based on the headline, without even looking at the content. If anything this is just a sad day for HN.


> most people here aren't happy about this being at the top of HN

well the ones that comment, at least.

there might very well be a silent majority that is reading these threads with great joy.

like for instance the bit where someone lost it when they got reminded of the site guidelines and felt the need to list their "accomplishments" on HN

you don't get entertainment like that in normal threads.


You're welcome!

Of course your comment also violates the guidelines: "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith." Reinforcing my claim that violation of the guidelines is the norm here rather than the exception.

My point was that authors of HN submissions are almost always treated with disrespect by HN commenters, and I was citing my repeated personal experience of having been such an author. (I believe the HN moderators are in denial and view the site through rose-colored/orange-colored glasses). I don't view having been #1 on HN to be an "accomplishment". I don't find it useful at all, because I run an independent business, yet being #1 on HN never increases my software sales at all, so it's pretty useless as far as I'm concerned. It just increases my server usage. I've sometimes considered (as I'm sure many people have) simply blocking Hacker News referers on my server. Could still happen...

In fact I finally created an account on HN simply to try to have some "control over the narrative" in HN comments about my own authored articles, because there are often some really dumb misunderstandings in the comments. Not sure it has been worth it though.

Technically, I "lost it" on HN about 3 weeks ago, when I got sick and tired of accurate information being downvoted. The only reason I'm still here now is that I have way too much free time on my hands due to the pandemic/social distancing.


How else do you expect to figure out what a program is doing? Should it make a pop up with a stack trace from time to time?


Maybe a notification of what it is doing. "We are using your computer for machine learning" or "Currently upgrading Chrome". Or some sort of documentation on what the program is supposed to do.


There is a GUI program as he said.

By definition, “hidden” programs are not gonna tell you what they are doing up front.


Yep lots of responsible software companies will tell you what software is doing if it goes outside the parameters of their software. Say if a program is scanning your computer for information when it's really only supposed to be a web browser.


Speaking of the GUI Instruments.app. Is there a way to start a process from there, instead of attaching to an already running process? I used it the other day and could only figure out how to attach to an already running process with it.


Create a new profiling environment based on the template you're interested in, making sure "Choose a profiling template for:" is set to "Your Computer > All Processes." Next, in the top-left of the window, where it says "Your Computer > All Processes", click on All Processes. Select Choose Target... and navigate to your binary and hit Choose. Then hit the red circle to begin recording. This will launch a new instance of the specified binary and profile it.

This may not work for binaries that set PT_DENY_ATTACH, though.


Thanks :)


Yes, it’s possible. In the menu with all the processes, pick the option “Choose Target”. It’s kind of an annoying UI, but it works.

Another option is to use `xcrun xctrace` to get a recording from the command line, which can then be opened in Instruments.


> The author went so far as to create a domain for this rant

It's not a 'far' thing to purchase a domain anymore. Domains are cheap as chips, and have gotten cheaper now since the advent of novel generic TLDs where usually the first year is sold cheap but to roll it over into the next few years the price is hiked (which is why so many people now purchase a domain for a year only).

It is common now and expected to see single-serving-sites[0] that are just thinly veiled blogposts.

[0] https://en.wikipedia.org/wiki/Single-serving_site


A lot of blogging services integrate domains as well.

If you already have payment integrated, adding a domain to a blog is a few clicks - if even.


I'm quite impressed that “chromeisbad” as a domain was not already taken.


Yeah. After reading your comment I tried out a couple of similar domains of the form x is bad and x is good and they were both parked waiting for someone to pay whatever ridiculous price the owner is wanting to demand to sell it. I wish it was illegal to do that.



If it weren't legal, then someone would simply use it for a trivial website and then sell it.

Perhaps that is the only reason this simple, trivial article exists.


With the amount of rebuttals in this thread, I'm impressed `chromeisgood.com` isn't taken.


right

besides, most probably would learn themselves the hard way when put in the same position the OP detailed

problems with Goo are widely known in circles of the Mac-communities ever since Goo-acc's first became avail in the beginning only by invitation, back then

also worth to look into the history of why, when and by whom LS aka LittleSnitch was developed in the first place -- tho this was more related to issues with that then must-go-to site 'versiontracker' [for all sorts of Mac shareware] and a vintaged firewall [3rd party] product widely used that time that didn't work as advertised

a Mac OS w/out LS these days ? back then very few only were concerned with 'calling-/phoning-home' issues on a scale nobody could imagine, least speak or post about in public, in those pre-iPhone ages


Here you have another one: ilovechrome.com :)


Possible correlation and hand waving equals causation.

I, too, was hoping for something, well, technical. Considering #1 on hacker news...


Does anyone else see the irony that hand waving is being disputed with hand waving?


No, there's a concept of "burden of proof" which applies here.


You don't get to stack "hand waving" indefinitely. The person who made the original claim is responsible for providing refutable evidence.


I was reading through the comments and hoping someone would know what keystone actually was and if there was any possibility of the claim in the article :) . I mean there's a lot of stuff in chrome other than this keystone thing, maybe it was one of those other things.


Hating Google is very fashionable on HN these days, I'm not surprised to see this so highly voted. I also wouldn't be surprised if most of the upvotes are based on the title/domain rather than the actual "content".


>Hating Google is very fashionable on HN these days

Well, why shouldn't it be?


Why shouldn't apple? For some reason apple gets a pass on HN for things like fighting to keep forced labor camps open [1]. Let's hate Google AND Apple.

1. https://9to5mac.com/2020/11/23/anti-forced-labour-bill-apple...


>Why shouldn't apple? For some reason apple gets a pass on HN

Or, you know, Apple gets the same or more kind of criticism, but since you are biased to agree with it, you are blind to it, and only see the praise/defenses.

>for things like fighting to keep forced labor camps open

That's probably because the framing of this by the media is BS, playing into the trade war objectives and narrative of the US foreign policy.

It's just that these companies have a lot of suppliers in those areas, unrelated with any "labor camps", whereas the US/law has put a wide canvas that includes a huge area and all kinds of inoffensive suppliers. Seeing that the companies can't just cut off their supply chain at the drop of a hat, they ask for an extension period, better monitoring on which and if any of their particular suppliers might actually involve such labor, etc.

But that doesn't make for good headlines for the masses, or for good propaganda.


>Or, you know, Apple gets the same or more kind of criticism, but since you are biased to agree with it, you are blind to it, and only see the praise/defenses.

Do you honestly believe if this post was about apple or an apple product with the exact same lack of content, it would have gotten the same number of up votes as quickly as this one did?


In HN, where every third post is "Why I'm leaving Apple" or such? Yes.


I don't see any apple related post on the front page, let alone negative ones. Do you see a different front page than I do?


Yes, it's called "bias blind spot" :-)

Here's one in the front page, just a few days ago:

Falling Out of Love with Apple, Part 3: Content and Censorship (hardware.substack.com) 321 points by zherbert 7 days ago | flag | hide | 292 comments

https://news.ycombinator.com/front?day=2020-12-07


Wait, so we went from every third post on HN is a negative post about apple to here is one post from 7 days ago? Talk about "bias blind spot".


This law is untenable. For one thing outside of companies like Apple or Amazon who -might- be able to negotiate with the Chinese government on audits, middle to small businesses would have no possibility of that because they mean nothing to the CCP. This is a government to government thing, not a company thing and the bill doesn't make sense to make companies culpable for the entire supply chain. It's just punting responsibilities to companies who trade rather than the US government whose job it is really to investigate such things. It's just a feel good law to blame corps rather than Congress Critters, which they've been trying to get rid of responsibilities for decades.


Or, you know, maybe the world isn’t black and white, and you could read the whole linked article to see why Apple might want to reasonably oppose certain provisions of the bill, instead of simply being “evil”, whatever that means:

> However, there is one potential explanation.

> In July, campaign groups called on Apple to err on the side of caution by ceasing using production facilities based in the Uyghur Region of China. The bill as it is currently written might make that the only way that US companies could ensure compliance.

> > One provision in the bill requires public companies to certify to the Securities and Exchange Commission that their products are not made using forced labor from Xinjiang. If companies are found to have used forced labor from the region, they could be prosecuted for securities violations.

> If Apple cannot easily avoid using downstream suppliers based in the region, it may be that it is trying to dilute the provision to something more along the lines of a requirement to conduct audits, investigate claims, and to take all reasonable steps to prevent the use of forced labor.


With Apple you get what you've paid for. With Google you pay for what you've got for "free".


Seriously, why not? And why was wnevets getting downvoted?

The linked article references a source I’m sure most on HN would agree is reputable, to the extent it confirms their biases.

> A report in [The Washington Post](https://www.washingtonpost.com/technology/2020/11/20/apple-u...) claims that Apple is trying to weaken provisions in the bill.

> > Apple lobbyists are trying to weaken a bill aimed at preventing forced labor in China, according to two congressional staffers familiar with the matter, highlighting the clash between its business imperatives and its official stance on human rights.


Yeah, just bad reporting.

"Apple lobbyists are trying to weaken a bill aimed at preventing forced labor in China, according to two congressional staffers familiar with the matter, highlighting the clash between its business imperatives and its official stance on human rights."

1) The US legislators could not care less about "forced labor" in China (or even in the US for that matter, e.g. penal labor). Same way they don't care when it is their allies doing it (or worse things). It's all about the trade and dominance war with China.

2) Apple and the other companies involved don't care about forced labor either (if they could legally and without media repercussion use it, they would). But they also don't need and don't seek forced labor. Good old capitalist low wage labor is good enough for them. So it's not like they try to defend China's forced labor because they benefit from it.

3) What Apple and the other companies have is multiple suppliers all over China, including that area. Most of them (if not all) have little or nothing to do with forced labor. But because the law aims to hurt China and not to stop forced labor, it doesn't care about little details, but uses blunt force and a wide net.

4) Understandably (from a business/logistics perspective) Apple, Google, and co, can't just drop/replace suppliers at the drop of a hat. So they ask for more time for check, and a better look at which suppliers are actually problematic to be added to the bill. So "weaken the provisions" is actually "make the law more accurate and fairer", but they won't say that.

Then the mix of propaganda for foreign policy (as if those legislators care), hypocrisy, business interests (from Apple and co) and extremely bad reporting for clickbait and patriotic reasons, then turns into:

"Apple lobbies in favor of forced labor".

It's as if some companies wanted to continue to use some useful drug medically, and e.g. tried to "weaken the provisions" of a strict anti-drug law that forbade it without nuance, and the headlines were like "Company X lobbies in favor of heroin".


I agree, this is a deal that should be between governments, this is just an attempt of the US government to push responsibility to companies rather than actually acting against the Chinese government to end these labor camps. Whether tariffs or whatever. Few companies have the ability to follow every link of the supply chain for corruption. Most small to mid size ones just find a distributor and buy what they need, they don't have the ability or authority to send in a small army of auditors, that the CCP isn't going to allow anyway.


That this is so high right now is quite reflective of HN.

It's nearly an exact match of the meme like utterance often seen on reddit: "chrome bad".


If you're going to credit the community with the problem I trust you'll credit it with the solution as well.

https://news.ycombinator.com/item?id=25402000


There's been a massive influx of reddit-quality comments for quite a while. I guess it was only a matter of time before it was reflected in the submissions.


So are you also going to point out that the vast majority of other top links are actually quite credible? It's easy to declare a whole site bad over one thing isn't it? Like the author in this article did under similar circumstances?


I think that in HN there is a high quality in the comments and a low quality in the voting of publications, because in the first, people refrain from commenting stupid things because it gets them harsh criticism, but in the second, people can vote for stupid (or low quality) publications because they will not be criticized.

And most of HN (and of social media, and the world in general) is dominated by dumb people.


A lot of skeptical comments in this thread.

I'm not low-level enough to confirm or deny the specific claims in the article.

I will say that my experience with regards to CPU performance "leaks" and Chrome seeming to always be running in the background even when I didn't want it to, as well as Chrome starting up on system startup when there didn't seem to be any references to it anywhere I'd expect to cause that, are consistent with the article.

I saw a lot of "low-level integration" with my system going on, a lot more than I understood, ever wanted or asked for, and there was no way I knew of to turn it off. It was like IE on Windows all over again.

I was also able to solve the issues by removing Chrome from my systems.

I sometimes install it temporarily to do Web testing and remove it shortly afterwards, but I think I'll do that in a VM from now on.


What is running in the background/on startup, Chrome itself or its updater? And is this on macOS or another platform?


Chrome can/does definitely run in the background if you have chrome Remote Desktop enabled. It wouldn’t surprise me if they had a daemon always running in case you want to enable Remote Desktop.


I just tested it. Setting up Chrome Remote Desktop requires installing a separate package which Chrome downloads for you. When it's enabled, there are indeed two always-running processes located under /Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app, which are apparently launched thanks to /Library/LaunchAgents/org.chromium.chromoting.plist. But those weren't running before I set up Remote Desktop; I imagine they were installed as part of the package and didn't exist before.

If I disable Remote Desktop again… well, it doesn't actually delete the LaunchAgents plist or ChromeRemoteDesktopHost.app. That's rude. But it does make the processes stop running.

(To be totally clear, Chrome's updater does run in the background, though not all the time.)


This was on Mac OS X when it was still stylized that way.

Chrome itself would run on system startup.

I no longer use that system, and don't remember the details well enough.


My experience is very different.

I have a standard install of chrome on big sur, as well as brave, and a bunch of electron apps. When I start up my mac none of these are running, there is no process with chrome or chromium in the name, and nothing in the process list that I can link back to chrome. When I launch some of the electron apps, chrome_crashpad_handler launches, which I assume is some kind of default electron behavior. When I close those apps, all chrome-related processes disappear from my process list. There is nothing untoward about chrome I can tell, nor is my system seeing any kind of recognizable slowdown, with or without chrome running. I also have chrome on very low-end macs, a 2009 mini with 8 GB ram and a 2014 air with 4 GB RAM, both running catalina. It runs fine on both, without seeming to cause particular performance issues. I just went through a reinstall of the 2009, and there was no performance difference before and after installing chrome.

I'm not saying yours or other people's bad experiences with chrome are not real, but I do wonder how it's possible that there are such very different experiences out there with what is ostensibly the same product. Maybe it's not just one cause: bad extensions, broken profiles, old installs with broken updaters (I had a broken microsoft updater causing havoc for a while), badly configured enterprise deployments, etc...


On mac OS, Activity Monitor itself causes WindowServer CPU usage to spike. This is the "observer effect".

To test, just open a terminal and compare a few samples of `ps aux | grep WindowServer` with Activity Monitor open and with it closed.

Mine averages 7-11% with Activity Monitor closed and 20-40% with Activity Monitor open. It's even more noticeable if your refresh rate is set to "Very Often". Closing Activity Monitor brings the WindowServer CPU back to normal.

As others have noted, this site provides no evidence. The keystone daemon is not running in the background constantly. When it does run, it's plainly visible and not "hiding itself". According to the launchd job config located at `/Library/LaunchAgents/com.google.keystone.agent.plist` my keystone process is set to run itself every 3623 seconds. Probably randomized to avoid the thundering herd problem. When it does run it checks for updates, often downloading new ones, and then quits.
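An added example, not part of the thread and not any project's own code: one way to check from the launchd job definitions themselves whether a helper is always running or only periodic, as the comment above and the earlier Remote Desktop comment do by hand. The two embedded plists are constructed samples; the program paths and the `com.example.always-on-helper` label are hypothetical, and only the keystone label and the 3623-second interval come from the thread.

```python
import plistlib
from pathlib import Path

# Standard locations launchd reads third-party job definitions from.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents"]

# Constructed samples, NOT real file contents. The keystone label and the
# 3623 s interval are quoted from the thread; everything else is a placeholder.
SAMPLE_PERIODIC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/placeholder/path/to/agent</string></array>
  <key>StartInterval</key><integer>3623</integer>
</dict></plist>"""

SAMPLE_KEEPALIVE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.always-on-helper</string>
  <key>Program</key><string>/placeholder/path/to/host</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def classify_job(job):
    """Summarise when launchd starts a job, based on its plist keys."""
    triggers = []
    keep_alive = job.get("KeepAlive", False)
    # KeepAlive is either a boolean or a dict of restart conditions.
    if keep_alive is True:
        triggers.append("always running (KeepAlive)")
    elif isinstance(keep_alive, dict) and keep_alive:
        triggers.append("kept alive while: " + ", ".join(sorted(keep_alive)))
    if job.get("RunAtLoad"):
        triggers.append("starts at load (RunAtLoad)")
    if "StartInterval" in job:
        triggers.append(f"every {job['StartInterval']} s (StartInterval)")
    if "StartCalendarInterval" in job:
        triggers.append("calendar schedule (StartCalendarInterval)")
    if "WatchPaths" in job or "QueueDirectories" in job:
        triggers.append("on filesystem change")
    program = job.get("Program") or " ".join(
        str(arg) for arg in job.get("ProgramArguments", []))
    return {
        "label": job.get("Label", "<no label>"),
        "program": program,
        "triggers": triggers or ["on demand only"],
        "always_running": keep_alive is True,
    }


def classify_plist_bytes(data):
    """Parse an XML or binary plist from bytes and classify it."""
    return classify_job(plistlib.loads(data))


def scan_launchd(dirs=LAUNCHD_DIRS, needle=""):
    """Classify every readable job plist whose label contains `needle`."""
    found = []
    for directory in dirs:
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                info = classify_plist_bytes(path.read_bytes())
            except Exception:
                # Unreadable or malformed plist: skip it, keep scanning.
                continue
            if needle.lower() in info["label"].lower():
                info["path"] = str(path)
                found.append(info)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_PERIODIC, SAMPLE_KEEPALIVE):
        info = classify_plist_bytes(sample)
        print(info["label"], "->", "; ".join(info["triggers"]))
    # On a Mac, list what is actually installed (prints nothing elsewhere).
    for info in scan_launchd(needle="google"):
        print(info["path"], "->", "; ".join(info["triggers"]))
```

A job with only `StartInterval` is started periodically and exits on its own; `KeepAlive` set to true is what makes launchd keep a process resident.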


This is because since macOS Catalina Activity Monitor did something to itself to make itself spend half a core just updating its table view and literally nobody who works on it (which I suspect is <1 person) understands that a monitoring tool that uses more CPU than the thing it is meant to monitor is absurd. I have seriously considered rewriting it multiple times and if the app stays like it is one day I probably will.


Please do! I like Mac, but I yearn for the quality of 1st and 3rd party Windows tools. Task manager is nicely readable and lightweight, and process explorer is a godsend.

Meanwhile Activity Monitor updates once per 30 seconds when the system is under load.


Agreed! I recently used Windows for the first time in years, and was impressed by two of the built in monitoring programs. It was dead simple to actually get a global view of all file system activity and the processes responsible. Mac’s first party "fs_usage" tool is far less usable. As an example, there’s no way to prevent it from truncating long paths.


Any reason you don’t use a terminal tool like htop?


I do use htop occasionally; however, I am not really a fan of keeping around a terminal for something that could be a well-integrated native app. Plus htop is missing a lot of information Activity Monitor has, as well as the ability to do things like run sample or spindump.


This should not be the #1 story on HN right now. :(

It's a single anecdote that deleting Chrome on two computers sped them up. It provides zero evidence (even anecdotal) that it has anything to do with "Keystone" specifically. It provides zero evidence for the idea that "Keystone" is able to "nefariously hide itself from Activity Monitor". And it also completely contradicts the normal user experience of Chrome, which is that most people's computers don't slow down after a Chrome install. (WindowServer on my MBP usually uses <10% CPU and I've used Chrome for many, many years.)

Why is this nonsense being upvoted? I get people dislike Google and Chrome, but wouldn't it be better to stick to things backed by real evidence?


Indignation attracts upvotes, then flags. When an indignant post is relatively empty or misleading, flags will eventually win, but it's like the immune system—it takes some time to marshal enough white blood cells.

This is a nice case because moderators only saw it after the process was done.


Hundreds of people commented and how many tens of thousands read it first though? Reminds me of the moderation problem big tech companies face. Humans are prone to confirmation bias which means that when they read inaccurate information that confirms a bias it even further twists people's brains. For example, this article likely twisted thousands of people just a little further against Google even though there was no good reason for it.

My grandpa twenty years ago had some legitimate gripes with the other side of the political aisle. However, he has seen so many biased and false news stories that his confirmation bias has accepted as truth without critical thinking that he now believes the other side is literally made up of evil criminals intent on destroying the country.

The only solution I can think of is something like a libel law that makes anyone who publishes false information liable to anyone who reads that information... Basically, cut out the enormous amount of garbage produced by media and people chasing pennies. People should only publish things they firmly believe based on evidence to be true.


> The only solution I can think of is something like a libel law

Let's bring things a little bit back into perspective, because on the whole nobody's getting hurt here.

It's just Google Chrome. It's not a person. A thread like this isn't going to hurt its dominance of the browser ecosystem. And if it did, it would even be good for the diversity.

I don't think it would make a really big dent in people's bias against Google, because slowing your computer down is way way WAY less bad than the things that people biased against Google are worried about (being a gigantic faceless corporation with power equal to nation states that is controlled by something that is not, does not care for democracy).

It's like badmouthing Thanos because he has bad breath.

If true then Chrome has some bad code, and what else is new. If false then ... then what. At worst somebody deinstalls Chrome, and then?

Let's not bring libel law into this, or in fact even compare it to biased and false political news stories.


That's a different and much harder problem. I don't think there's a way around it. Community mechanisms need time for people to evaluate what they're looking at.

It's also an old problem - the adage "A lie flies around the world while the truth is still getting its trousers on" traces back to Jonathan Swift:

Falsehood flies, and the Truth comes limping after it; so that when Men come to be undeceiv’d, it is too late; the Jest is over, and the Tale has had its Effect.

A perfect 18th century description of internet dynamics!

https://quoteinvestigator.com/2014/07/13/truth/


The interesting thing here is I follow Loren on twitter - and he has dozens of credible people repeating the experiment and getting the same result, including people that I would consider unimpeachable sources such as:

https://twitter.com/benthompson/status/1338412989473382400


Well, I agree—that's interesting. It implies that something real is happening, though not that the OP's interpretation was accurate. It often happens in such cases that the observation is right but the interpretation is wrong [1]. It's when the interpretation rushes into angry denunciation, and especially a campaign using baity tricks to rile people up, that fair-minded readers start to have adverse reactions.

A discussion oriented more around a question (what explains this odd phenomenon?) could be a good thing. A more neutral submission, with a less baity title, might get a different reception from the community. But the combination of overstated claims and baity denunciation is usually going to trigger an immune response.

[1] I have no idea if it's wrong or not, just that a lot of informed commenters reacted that way.


Indeed. It’s almost as though Loren was reading this thread and took your advice. His post as of a few hours ago (he continues to troubleshoot this with google and tons of people experiencing the same thing)

https://twitter.com/lorenb/status/1339372013232779264

“ Also, sincere apologies for any misleading language in the original post, coming down off my fury that this was possible (helps not wanting to hurl your mac through a wall).

Thanks to everyone for coming through now with samples/evidence.

Something's up, but I'll shut up now.“

Thanks, as always for the calming and wise guidance Dang.


Dang, I can't tell you how much I enjoyed you applying that old quote to the modern day. The more things change...


My WindowServer usage was over 90% before but it went back down to under 10% after I did what he said. I also only needed it to test one site I was developing. I had the exact same things he did: MBP slow even when nothing is running, WindowServer always running high. So I think I can vouch for it being true. It seems to have worked for me also.

EDIT: Maybe it's just placebo. I checked the CPU usage on WindowServer before and after deleting & restarting.


If you’re having visible performance problems, file a report with Feedback Assistant. It’s ok if it seems to be a 3rd party app causing the issue.

(High CPU use isn’t necessarily a real performance issue and might be caused by just having Activity Monitor open.)


Apple does not support or fix third party apps.

This is 100% chrome, with their annoying updating agent, which you can't remove


You're awfully confident for someone who has provided no additional evidence.

The OP claims the high CPU usage went after uninstalling chrome and rebooting their machine.

Rebooting their machine.

The thing we tell everyone to do as the absolute first step in trying to solve any problem with a computer, "have you tried turning it off and on again?".

This isn't proof that chrome or keystone or anything at all caused the problem. We have nothing to determine the root cause.


I've had numerous problems with keyagent. It was horrible. I spend way too much time on trying to get that monster to work normally or get it removed.

But it's an "essential part" of chrome


Apple likes it when the products they sell work properly and would like to hear about it when common third party products are causing that to not happen.


Yeah, next time I'll try that as well! Completely forgot Feedback Assistant existed, but I'm glad it is back to normal speeds now.


After reading your post I did the same thing. Similar results 90% to 20% in my case. Anecdotes aren't data but I am glad I tried.


Yeah, I had my friend try it as well because he said his was sluggish as well. He said he had a similar experience


Maybe you are right. A lot of comments here are complaining about the post in terms of scant evidence. Someone could pretty easily myth-bust this, but I have not seen that in the comments here yet.


This is a fair comment.

At the same time even "hard" evidence would likely get dismissed as anecdotal, and there's certainly enough of it now (and even plenty in the past) to point a clear finger at Chrome/Keystone.

This certainly beat filing it in the black hole that is Chromium's bug reporter where it would have been ignored / works-on-my-machine'd / or dismissed as anecdotal there.

Whatever it is doing is sketchy and causing WindowServer to thrash. And this is not the first sketchy thing it has done.


I think it's kinda sus that Google doesn't provide any sort of instructions or script to uninstall Keystone. Why not?


It's literally Chrome Bad = upvote


I mean Chrome is bad on Macs in terms of resource usage and speed.

But this post alleges it is really bad when not running, which seems like huge news if true.

I don't see enough evidence here, but I'd be open to the idea that this is true if someone looked into it deeper.


It would have been a lot better as "Having CPU Load Issues you can't identify? This might be worth a try"


'how should communities amplify or suppress anecdotes' is a good question

'facebook advertises based on IRL conversation' is another example of something that feels true to people but nobody has made stick as far as I know

upvotes don't always mean 'yes, guilty, firing squad'. I think they can mean 'yes tell me more, let's bookmark and start investigating'.


Agreed, about 25% of the content on HN seems to be Google hate.


None of the top 30 stories right now mention Google


Google, Amazon and Facebook. Microsoft gets it in the comment section, mostly. Only Apple is truly safe on HN.


>Only Apple is truly safe on HN.

Not even close to being true...


Yea, I would've agreed ten years ago but Apple gets plenty of criticism here these days.


I will say that it seemed like this was a pretty big story to not be covered in the tech press. I do wonder if there really is much evidence.

On the other hand, I generally feel that Chrome is garbage that slows computers down, so I wouldn't be surprised. But I don't see enough evidence here.


I think the thing is that the title is ‘chrome is bad’, and that’s something most of the crowd here can sort of agree with for a variety of reasons.


Why don’t you let the vote buttons do the voting? If you’re not interested in content you can ignore it and not upvote it


Rust = Good

Google = Bad


This is peak hacker news. If this were a comment it would be deleted, but for headlines, the less information the better.

Comment. (comment.com)


To make an argument of this scale you have the burden of proof. There is no proof here past casual correlation.

An analogy I see here is the scene from an old film where a woman walks behind a wooden screen and a goose walks out thus the woman is a shape shifting witch.


>>To make an argument of this scale you have the burden of proof. There is no proof here past casual correlation.

And yet, as of this writing, it has 200+ upvotes and is at the top of the front page.

HN audience really needs to do better. If you are reading this and are one of the people who upvoted the story, please really ask yourself why.


Oh this is normal. People upvote the title, then comment, then read it if the comments aren’t agreeing with their preconception. Humans are a mess of a species.


Sounds like a design issue. Why does the front page have an upvote button if we expect people to read the post/article first?


Interesting point. Perhaps if you click through the upvote button shouldn’t appear until 5 minutes later?


Because some people check the linked article only and might never look at the comments.


There isn't a website on the planet that allows for votes where it doesn't very often happen that they provide a viewport into the boundless stupidity of the human species.

I wonder how H.N. and similar websites would work if ranking was purely a function of activity and not of votes — simply push to the top whichever branch of the tree has the last reply so highly debated news is statistically more often at the top, but whichever link had the last reply somewhere will be currently at the top.


Chrome lives in the causal consumer world.

Many of us believe, with some justice, the causalization of computers has been to the diminishment of power users.

Therefore chrome bad gets hundreds of upvotes. I guarantee you not everyone read the entire article, and then ran their own diagnostic CPU benchmarking to verify the results, and also compared it against chrome competitors.

It's more like the common folk like chrome, and chrome ruin PCS for us


I surely hope chrome lives in a causal world, a non-aristotelian world would be confusing. (Just me being an ass, I know you meant casual)


Found an old thread involving the Google Keystone tech lead:

https://news.ycombinator.com/item?id=21065504


This is why dates on articles are so important. I can’t tell if this website is newer or older than that response so I can’t tell if this is a problem today or was a problem that was resolved



Huh. Chromeisbad.com doesn't have an author credit, but the tweet implies it's by notable iOS developer Loren Brichter, creator of Tweetie, Letterpress, and inventor of pull-to-refresh.


Yeah, it felt weird to put my name on it, people usually do that when they have something to sell. Someone mentioned that it seems sketchy being anonymous so I'll probably sign it.

There's no upside for me either way.


Hopefully the upside has been learning to do a bit more investigation, provide a bit more evidence, before registering a domain for your theory and submitting to HN :)


I didn't submit it or write it for this crowd.


The only clue this domain might be newer is he mentions the 16inch MacBook Pro which first came out in 2019.


That is about a different bug involving Keystone :)


I've had noticeable issues with "WindowServer" in the past (taking 80% CPU usage and causing the fans to ramp up even when the system seemed like it should be idling even after a reboot) so I decided to give this a shot.

This is anecdotal but there is a noticeable difference for me with responsiveness after following these steps. Currently the WindowServer process is hovering around 14%.


Most likely the issue was resolved by the reboot, not by uninstalling Chrome. From my experience Mac OS tends to slow down after a few days. Animations and scrolling gets choppy and there's nothing I can do to fix it, short of rebooting.


I can assure you that it wasn't related just to rebooting as this has been something that's been bugging me for months. I had previously rebooted earlier in the day because of this exact same issue (a runaway WindowServer process), before I saw this article. I also did a fresh reboot before following these instructions too as a sort of "control".

The change only happened for me after removing Chrome as well as the launch agent for keystone.


> From my experience Mac OS tends to slow down after a few days

Just for the sake of the argument, do you have Chrome installed?


I use macOS daily for months at a time without rebooting and have not seen this problem on any of the 5 Macs I've been using for the past several years, for what that's worth. It does seem like it's something specific to your machine.


Does your system have Chrome on it, because if it doesn't then your observations don't really apply since the conversation is centered around a bug possibly associated with that. Personally I don't allow chrome on my machines. I do install brave for those cases where I have to use "chrome" because some company simply doesn't design their web app for anything else otherwise it's firefox.


The question is: Chrome, or no Chrome? xD


Yes. Just like Linux - in 1996.

Very sad.

(I have recently started using Apple tools for developing with Swift/Xcode on iPad. I am very unimpressed by the quality of the tools, and quite impressed by the range and depth of features....)


Hmm, can't there be some kind of malware hiding under the Keystone name?


Do you happen to have an external USB mouse?


The amount of effort I need to invest to get my development team to even look at our apps in a browser other than Chrome is exhausting and I have to put up with snark and eye rolling every step of the way.

I feel like I'm back in the IE7 era.


This point is truly worthy of an article or domain name. People here ask why there is so much “hate” for Chrome, but forget something important, that it doesn’t fall out of the sky.

More and more I find that sites / apps work badly on my FF or Safari. It’s truly shameful and that IS why I absolutely am disappointed with Chrome and devs who can’t be arsed to do the work for other browsers.


If you’ve never been in the IE era maybe it’s hard to believe/understand that browsers are different enough to make that necessary.


How does it make it necessary for developers not to be arsed to do the work for other browsers?


This must be how things like some alternative medicine and anti-vax start: Things like feeling healthy and your computer being slow can be very subjective.

The author appears to be technical enough to know that there is something called keystone on his computer, but not technical enough to benchmark and investigate further. The name keystone sounds kind of nefarious, so it makes sense that someone would be able to convince themselves that it makes their computer slower.


Well yeah, because "my kid has autism and he also got a vaccine so obviously that's the reason my kid got autism" is exactly how it gets started because they heard about that paper (or rumors thereof) that has been debunked a 1000 times over in the medical literature but now it's a part of folklore and almost impossible to kill like other superstitions.


Any actual evidence of the performance impact? This seems thinly supported by evidence.


I think evidence of functional impact might be just as appropriate.

If removing keystone doesn’t harm the user, and may make the computer faster; why would anyone leave it at all?


the linked 2009 wired article quotes adobe saying 'yeah we don't see the need to have an always-on updater process'

fast forward to 2020 when (1) adobe has this and (2) they still email me every so often to remind me to install their software which (3) I have installed and been using

I think life would be better if there were a 3rd-party update service that wasn't trying to also own marketing + distribution (i.e. take 15-30% of the sale and also maintain platform dominance). A tool that was 'just updates' so my other software doesn't get to install a rootkit.


Most of the GUI apps I use on macos update themselves using a framework like sparkle. Just uses an occasional (typically weekly) connection to check if an update is available and doesn’t need its own daemon.


This is the way. Windows is rife with these updater things. It's one of the first things I disable when I'm debugging a friend's Windows computer. I much prefer Mac and Linux because they (mostly) don't do such things, although I still have to keep a windows machine around for various reasons.


Like homebrew maybe? ;-)


homebrew is non-commercial and updates on-run, rather than in the background, but frankly yes

if they had a commercial offering I think they have the brand trust to make this work


They have that trust because all the software installed by homebrew is open source.


Not necessarily all open source, homebrew-cask has been merged into brew and you have e.g. Jetbrains IDEs and Zoom available.

Personally I use homebrew-cask to manage almost all applications and their updates, turning auto-updating off in almost all apps. That way I am in control and can update when it is convenient, know if an update broke something, etc.

Edit, using:

- https://github.com/buo/homebrew-cask-upgrade

- https://github.com/Homebrew/homebrew-bundle


Apple should allow Firefox and Chrome into the Mac App Store as they are, and have the updating done from there. That’s the solution.


and Apple take 30% of transactions you make in Chrome and FF? Desktop is less of a walled garden than ios. i hope it stays that way.


They could make an exception, for the larger benefits to their platform. Custom updaters are helping no one, and it seems like the spark has left Sparkle (the last I looked, sparkle 1 was for an era long past, and sparkle 2 was still incomplete).

On an alternate timeline, Apple could have allowed software vendors to hook into the old software update application, and pull in updates through that mechanism, in addition to the first party updates.


The Mac App Store is for well behaving apps haha. For some definition of well behaving, anyways. This compromise is actually great -- the MAS is available to those who want to live in a cozy little walled garden of perfection. Those who are willing to compromise on security in exchange for apps that have free run of the system are welcome to do that also.


This argument sounds eerily familiar, but I can't quite place it...


I know I can’t because the iOS App Store argument is “and you can’t have it any other way.” On macOS for as long as you can have it other ways I’m totally ok with it.


No, I was just being sarcastic because the double-standard mystifies me. I completely agree.


The Mac App Store is really for scamware, it seems like…


Now that I haven’t heard!


Exactly.

It's not just Google. Adobe or any other company installing always running updaters... is just wrong.


Situation: there are 14 companies installing rootkits.

14?! Ridiculous. We need a single company that's allowed to install rootkits.

Situation: there are 15 companies installing rootkits.

How about we just stop digging when we find ourselves in a hole?

(Ref https://xkcd.com/927)


yes I get it but none of the proprietary updaters are trying to be a standard or a 3rd-party tool


The PC equivalent is the 'reporter' process? App locker really comes in handy for such a thing. I used Chrome for so long but it was Firefox containers that finally forced me to switch and never look back.


You probably mean 'Windows equivalent'. Many people don't care, but it really is a bad habit to use 'Windows' and 'PC' ambivalently. Yes, Windows is the dominant OS for the PC, but there are others as well.


Not sure about this Keystone, but the Chrome Software Reporter Tool keeps annoying me A LOT. It frequently causes high CPU load and at least the last time I checked I could not find a proper documentation on what it is or does.


Hm. I figure I'll give it a try. I have stability/slowdown issues, but I don't attribute it to anything more than I'm a native software/device control developer, and often running dodgy, hacked-together tools. I generally have to do a "deep cleaning" of my system once a year or so.

I do often have a windowserver hang.

I don't really use Chrome much (just for testing, or the odd times that a site won't work on Safari). Not a big deal for me to rip it out.

If it were a tool that I use all the time, though, I might be more comfortable with a posting that had a bit more detail.


The window to the internet should not be some monster that takes millions of developer hours and held ransom by a couple of big companies.

I should be able to build my own browser in a 3 month sabbatical.


> The window to the internet

This exact part of your comment is why big companies are fighting so hard to own and gatekeep web browsers.


> > The window to the internet

> This exact part of your comment is why big companies are fighting so hard to own and gatekeep web browsers.

Yes. And it goes even further, it's also why they're working hard to destroy the WWW, and have everybody silo-d into their app.

It's why on most social/media networks you can't really link to anything. Why they're dressing down the address bar so that people don't see (and learn about!) URLs any more. Or learn about their use, that they are one of the fundamental building blocks of what was the WWW.

Although there's more, they already burned some parts of the woods before attacking the WWW. Do you remember there was a time when almost all of the popular instant messaging protocols were supported in ONE (free, non-tracking, non-ad infested) app (and there was even a choice of such apps: Pidgin, Trillian, Miranda ..).

Some of them could even talk to each other. It's crazy to imagine, but ultimately even more crazy is that we don't have this any more!!

They won the instant messaging war, it was pretty silent in fact. Just wasn't as ingrained as the WWW used to be. They had to wean the users off slowly, which is exactly what they're doing right now.

The time is coming but not yet. If they could, they would completely do away with the browser and just have their own apps. All the browser represents to them is a liability; an opportunity to click away and leave their platform for another.


> big companies are fighting so hard to own and gatekeep web browsers

Could you expand on this? Which big companies are you referring to?


Apple, Microsoft, Mozilla, Google


Well, Microsoft gave up and are using Google's browser. And Mozilla just downsized the Firefox team (and they're paid by Google to keep Firefox going, basically). And Safari is only ever a presence on Apple computers, which Apple already control completely. It's not really a huge competition...


Microsoft Edge is not "Google's browser". It uses the Chromium rendering engine but it's still developed and distributed by Microsoft, which means they own the telemetry, the features, the defaults, and the user experience (which are the parts that matter, no one cares about the renderer from a business POV).

Google has Chrome, we've covered that already.

Apple has Safari.

Firefox exists, and is only funded by Google - in my opinion - to fend off anti-trust at this point.

Just because Google has more or less won the browser wars doesn't mean all those other companies wouldn't _love_ to regain market share in the future.

And perhaps they will. Owning that window is hugely valuable and lucrative, so why wouldn't they?


I agree completely that Firefox is only maintained as an anti-trust foil by Google.

When Google worked out that Microsoft owning the browser might cost them in the long run, they started working on Chrome.

I don't see anyone doing anything similar at the moment. Microsoft's adoption of Chrome is a tacit admission that they lost the browser wars and are not interested in continuing that fight. Apple isn't trying to get Safari adopted en masse on any other OS, it just seems to want to have a browser that it controls on its platform, which I guess makes sense. But it's not a play for "controlling the browser" - they don't even stop you from installing other browsers on their platform.

This just isn't an area anyone is fighting for any more. Building a standards-compliant fully-featured browser is a huge project, but not so huge that a large corporate couldn't afford it. Persuading people to use it is a larger problem, but again, nothing that hasn't been done before and can't be done again. But no-one at this scale is even trying.

There are a few attempts from the other direction, dedicated companies like Brave trying to make this happen, and I hope they succeed.


The Internet is much bigger than the Interweb.


There’s more to the Internet than web pages. Web browsers don’t even get the most runtime on my machine.


Sure, I meant web pages.

It's frustrating to see replies discussing the definition of the internet.

The point I wanted to discuss is that there are not many choices for browsers and it takes a lot of effort to build one from scratch. Thus the competition is lacking.


While I'm not sure if the author is right or wrong about this, Google definitely has a liberal approach to using the computers of their users. You are not asked (or even informed!) that they will run the Software Reporter Tool, and you probably won't notice it until the fan gets louder and you start investigating what is draining your battery now. Yes, I know they do it in good faith but I still find it arrogant.


Is there anything like this going on on Linux? I don't really use it, but I have it in case I need to do dev testing.


I find it maddening when articles presume a specific operating system without ever explicitly mentioning it. This is not limited to a Mac - happens with Windows and Linux articles as well.


Fortunately on Linux it's just using standard repositories.


Yes... except the Chrome package adds updating itself to your cron scripts without telling you. :/


I used to be concerned about it. But so does Brave and other Chromium-based browsers. The script in `/etc/cron.daily/google-chrome` on Fedora ensures that the google chrome repository configuration file is correct, but it doesn't update Chrome itself. You still update Chrome manually with `dnf update`.


And it can update itself without sudo?


Yes, since the cron script automatically runs as root on a repeating schedule.

If you want to see what it does:

    mkdir junk
    cd junk
    wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
    ar x google-chrome-stable_current_amd64.deb
    tar xf data.tar.xz
    cat opt/google/chrome/cron/google-chrome

It's not nefarious - it's well-documented and explained.

It's just making a decision for me that, as an administrator, I need to be the one deciding instead.


That is very bad. With this they can easily and covertly target an IP and deploy automatically a rooted version to infiltrate a specific computer.

That looks like a crazy theory, but tell me what they will do if the NSA requests it?


% ls /opt/google/chrome/cron/google-chrome

ls: cannot access '/opt/google/chrome/cron/google-chrome': No such file or directory


Refutation by counterexample: I have Chrome, FF, and mpv running right now and my WindowServer process is averaging below 6% on a 2015 13" MBP.


If Google is doing this, that's not great. I am much more disturbed by the behavior of Microsoft Teams, which installs itself into your login items on install. Then you remove it from your login items and think you're all good. But if you ever open the application, it automatically adds itself to your login items again.

As far as I can tell, it will re-add itself no matter how many times you have removed it. This strikes me as incredibly user hostile and I'm surprised Microsoft is quite so brazen about it. I would expect this behavior would lead people to just uninstall the desktop application and use Teams through a browser when needed.


The idea that a process could hide itself from Activity Monitor seems hard to believe, so since that is one of the first claims in the article it seems like it’d be easy to demonstrate or disprove.


Does this apply to Ungoogled Chromium too?


Thank goodness I switched to Firefox a long time ago. But I still have to use Chrome, as it makes some Google applications slow on Firefox, which I hate.


Should be called "Keystone, part of Chrome, appears to behave badly on my Mac." There's nothing like this running on my Linux box.


I'm starting to think that there's some truth to OP's accusations. The fan on my MacBook has had a tendency to spin like crazy and it's been quite unresponsive at times for its spec and age. When this post came out, I went for it and deleted it all and it's been acting surprisingly more responsive. Doing a conference call used to kick off the fan after about a minute or so; the fan doesn't make a sound at all now. I've put in an order for an M1, but I think dropping Chrome (Canary in my case) could have been a worthwhile solution.

To add to my suspicion: a month or so ago, I was running Big Sur beta and was asked to give a system service from Google admin access and restart. That in turn broke my Mac, so I had to spend hours to get back up and running. Why does the service require admin access? Why did it require me to restart my computer?


This happened to me as well. Unplugging my external USB mouse solved the problem for me (lagging Window Server).


I don’t know about the author’s claims, but I find Google Chrome unusable on my Ubuntu laptop. Whenever it’s running, my fan is blasting. If I clear the Chrome cache, this fixes it for a while, but it’s not long before it starts exercising the CPU again.



Could that happen due to some Chrome extension, mining in the background? XD

> When any installed hosted app, packaged app, or extension has "background" permission, Chrome runs (invisibly) as soon as the user logs into their computer—before the user launches Chrome. The "background" permission also makes Chrome continue running (even after its last window is closed) until the user explicitly quits Chrome.

https://developer.chrome.com/docs/extensions/mv2/declare_per...
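
An added example (not part of the comment above and not Chrome's own code): a small audit that lists installed extensions whose manifest requests the "background" permission described in the quoted documentation, as opposed to merely declaring a background page. The `Extensions/<id>/<version>/manifest.json` layout, the function names and the sample tree with made-up ids are assumptions; point `find_background_extensions` at a real profile's Extensions directory to use it.

```python
import json
import tempfile
from pathlib import Path


def declares_background_permission(manifest):
    """True if the manifest requests the "background" permission.

    The separate "background" manifest key (background page or scripts) is a
    different thing and is not what the quoted documentation describes.
    """
    perms = manifest.get("permissions", [])
    return isinstance(perms, list) and "background" in perms


def find_background_extensions(extensions_dir):
    """Return one record per manifest that needs attention.

    Assumed layout: <extensions_dir>/<extension id>/<version>/manifest.json
    """
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id, version = path.parts[-3], path.parts[-2]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            # Report unparseable manifests instead of silently skipping them.
            findings.append({"id": ext_id, "version": version,
                             "status": "unreadable", "detail": str(exc)})
            continue
        if declares_background_permission(manifest):
            findings.append({"id": ext_id, "version": version,
                             "status": "background-permission",
                             "detail": str(manifest.get("name", "?"))})
    return findings


def build_sample_profile(root):
    """Write a constructed Extensions tree (made-up ids) for demonstration."""
    samples = {
        ("aaaaconstructedid", "1.0_0"): {
            "name": "Runs at login", "manifest_version": 2,
            "permissions": ["background", "storage"]},
        ("bbbbconstructedid", "2.3_0"): {
            "name": "Background page only", "manifest_version": 2,
            "background": {"scripts": ["bg.js"]}, "permissions": ["tabs"]},
        ("ccccconstructedid", "0.1_0"): {"name": "No permissions"},
    }
    ext_dir = Path(root) / "Extensions"
    for (ext_id, version), manifest in samples.items():
        target = ext_dir / ext_id / version
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest),
                                              encoding="utf-8")
    # One deliberately malformed manifest to exercise the error path.
    broken = ext_dir / "ddddconstructedid" / "9.9_0"
    broken.mkdir(parents=True)
    (broken / "manifest.json").write_text("{not json", encoding="utf-8")
    return ext_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in find_background_extensions(build_sample_profile(tmp)):
            print(f"{f['status']:24} {f['id']} {f['version']}  {f['detail']}")
```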


Only show the upvote / down vote button after clicking the link. This small bit of resistance would go a long way to solving the issue of upvoting titles, rather than the content.


I never use Chrome really and decided to try it. I figured it wouldn't actually make a difference, so I didn't try to take any tests etc to see before and after.

But, subjectively, my computer post-restart is MUCH more responsive and e.g. firefox is MUCH faster. Whereas it would take like 30-45 seconds for fx to load all of my pinned tabs, just now it loaded in like 5.

I don't know what is going on, but I definitely notice a difference. I honestly expected this not to work, and was really surprised when it did.


I recently started to use Edge. It is funny that YouTube couldn't detect my identity, so it will ask me to log in on almost every video I play, and it won't display any comments for videos. If I want to read comments, I will have to switch to Chrome. YouTube behaves very strangely when you are not using Chrome.

I do see many times WindowServer would be at 40%-50% CPU usage, it happens fairly often. I might just delete Chrome now.


Strange, I switched to Brave in the beginning of the year and it's pretty much chrome with stronger controls around cookies, trackers, etc.

Youtube works just like it did under Chrome.


That's nice. The YouTube problem on Edge appeared after a few weeks' usage. Maybe my accidental use of a Google service triggered it. Now it assumes that I have an account and insists on me logging in with my account to get a better experience. It is very annoying. I cannot delete Chrome because I use it for gmail. I don't want to log into gmail with other browsers. Maybe I should keep using Chrome for YouTube as well.



If you find a bug in Chrome then I'm sure the team would like to know about it. We even have a website for reporting bugs in Chrome - crbug.com. Filing a bug there isn't as flashy as creating a website but it is probably more effective.


It sucks because Chrome is so much better usability wise than all those others. I wish they would just fix whatever this keystone trash is, and leave that to stonehenge


I found out, surprised, that current Edge is basically a better Chrome - even compatible with all extensions, faster, and with lower battery consumption.

And, yes, Microsoft AutoUpdate, which however seems reasonable so far.


Edge is missing E2E encryption in the sync feature.


Yep - pretty critical missing bit of functionality unfortunately.


What does Chrome do better than Safari?


For me - it works properly on spotty connections. I have fast but unreliable internet that drops connection a few times an hour, and Safari and Firefox are almost unusable - when the connection drops for just a few seconds they cannot open many websites for up to 5 minutes (reddit, google and youtube among many others; hacker news is one of the few that work all the time).

Chromium based browsers do not have that issue, I used to use Vivaldi but temporarily switched to Safari as I wait for ARM build of Vivaldi and I am constantly frustrated by that issue.

I have tried debugging it but got nowhere, it seems to be system wide issue as some 3rd party apps exhibit this behaviour too (for example live streaming through IINA or Skype) while others not (Electron based apps usually work fine). Recently switched to new M1 Macbook and it happens on it too.


I wonder if this is a DNS issue. Are the browsers that work ignoring the system DNS servers? Perhaps using DoH?


This was my first idea, I tried setting DNS to 8.8.8.8, tried 1.1.1.1, tried others, tried setting them in Network Setting, tried on router, tried sudo killall -HUP mDNSResponder. I can ping those faulty websites during Safari downtime without issue, but somehow the browser does not even try opening the website (Timeline Recording in Safari shows no Network Requests). It looks like macOS is caching something somewhere and when that cache expires it starts to work again. Emptying Safari caches does not help and I don't know if there is any way to purge all system networking caches.

Chromium based browsers certainly ignore something, it might be DNS related but I'm out of concrete ideas what exactly to change.


Does anyone know a way to get Safari to show a preview of the url when you hover over a link?

I tried to switch recently since it's supposed to waste less battery but two things I found were a bad experience after Chrome:

- no decent ad blocker? the one I saw recommended was Ad Guard but that seems to require you to have an Electron app running simultaneously (!) in order for it to block anything

- in Chrome when I hover over a link I see the url in the bottom left 'status' area... I had no idea how much I like this until it wasn't there in Safari... it feels really weird to click on a link and not know where it goes to


- AdGuard has to run its app in the background, true, but it's very well behaved.

- menu: View -> Show Status Bar (command /)


View -> Show Status Bar


Ah great, that's it!

The other thing I miss with Safari I don't think there is a solution for... there's no version for Android, so I miss sharing history and passwords with the browser on my phone.

My fault for not buying all Apple devices I guess


You can force click on the link if you have a trackpad that supports it. There are probably ways to simulate a force click even without such a trackpad. The same also applies to iOS: links can be previewed across many apps by long pressing.

KB here: https://support.apple.com/guide/safari/go-to-websites-ibrw10...


That shows the whole webpage. It looks like they just want to see the link in the lower left, which can be done, as others have said, by turning on the status bar from the View menu.


force trackpad press on the link to see a preview

Ad Guard for Safari does not require you to run the app to block ads. Just quit the app.

The hover thing might be some pref but Safari shows urls on mouseover.


When I quit the app the Ad Guard shield icon went back to "paused" so I assumed it needed to be running to work


It's not the best UI but the mouseover of the icon tells you what's going on, albeit in tiny print at the bottom:

https://i.imgur.com/hnRrBVr.png


Supports web standards? Extensions? Developer tools?

I'm using Safari as my primary browser because Chrome is a resource hog and this i9 MBP sounds like a 747 taking off when it starts using CPU but Chrome is a better browser feature wise - I plan on switching back to desktop (since this WFH shift it's just better) and I will 100% use Chrome even if Safari was an option (fan noise/CPU power/power consumption aren't a concern).


Runs on my computer.

(not a big fan of chrome though)


Well that's a great answer. ;)

It's kind of a shame that Apple killed off the Windows version of Safari. I often wonder if they would consider bringing it back.


1. dev tools

2. extensions


Is there a way to simply disable any Google background agents, but make them think they're still running?

I really want to just disable the background agents.


I share the author's experience. Once you add Chrome, everything gets slow ... including Safari, which is weird and shouldn't happen.


Google’s Keystone acts basically like malware; it sits in the background and has the ability to basically have its way with your computer. That being said it is hidden but I have never seen it try to hide itself; as a non-Chrome user who has it installed on my machine I see it run from time to time. Other than that it just waits in the background largely silently. Clearly, Google engineers should never have shipped the violation of consent that is Keystone, but the claims here are almost certainly bogus.


I'm gonna try this. Thank you.


Anyone who does: Please consider doing a video of the process and results, or some other proof.

It would be awesome to get traction on this, but there needs to be undeniable evidence first.


Me too..


You know, it actually does seem a bit faster.


Fuck this site! Firefox devs are working their butts off to make a better web for all of us and this site says not to use it?

As a Firefox contributor in my spare time I really feel offended. You would prefer a monopoly with tons more money and a lot less features? You would also prefer a shady centralized shitcoin funded by vulture capitalists?

Please recommend Firefox. It's the only honest browser out there. The servo team has been fired because we told our friends and family to use bloated spyware.


no thanks


Looks like this is just a Windows/OS 10 trojan. These sort of bullshit software issues usually come with the territory.


This is a Mac only problem. He was talking about Macs, not Windows.


The author should probably note that not updating Chrome is a very bad idea.

There's a good reason for automated updates on a web browser for the general public and there's a good reason why Chrome is the most secure browser on the market.


Using Chrome itself is a very bad idea.

There is a fundamental reason why internet standards should not be dictated by a data-collection/advertising company.

Try getting that across to the nerds who constantly whinge about Google.

The Internet was designed to share information, not to provide a medium for delivering proprietary applications.

Perhaps it should go back to its original goal, or people should be educated on other alternatives.


It could autoupdate when running/on launch though. No idea why Google litters my system with weird background tasks, unless it's to get a few more datapoints on me..


And that reason is...


Just use Firefox

If you want to be sure your stuff works across browsers, test in safari

Don’t support or trust ad companies to deliver technology, their interests are always misaligned with the user


A generation ago people used to say "as long as it works in IE6 then that's all you need, who cares about other browsers"

Now it's Chrome, but it's the same danger.


Safari is arguably the worst browser to do general tests in if you're not making iOS apps, as it has a history of rendering and behaving differently than any other browser.

The dev tools are also unusable compared to Chrome.


I think you misunderstood the GP's comment. They aren't advocating to work with Safari, but to work with Firefox then to test with Safari. If it works in Safari after being developed in Firefox, it's likely to work everywhere.


FWIW I haven't found that to be the case with something as simple as making an image autoresize.


Then you can keep a Chromium-based browser like Brave around for some additional testing, even if it's not your daily driver.


By "any other" you mean Chrome and Firefox?


OK so to summarize this thread if I'm reading it correctly, TFA makes claims that are easily proven to be related to an old technical snafu in the auto-updater

Now consider

> The [other thing] has a universal back door through which that $G_GAFAM_COMPANY2 can forcibly change the software. This is called "auto-update". It puts the user helplessly at $G_GAFAM_COMPANY2 mercy.

- richard stallman http://stallman.org/amazon.html

This right here is the root of the problem

we are all at NSA/Alphabet Google+Microsoft's mercy, and auto-updater although arguably useful for normie-facing software like the world's standard web browser has downsides.


Chrome's security is, however, light years ahead of anyone else's; it remains the sole reason I still use it.

It's possible to use Little Snitch to deny Keystone/ksupdate all network access, which is what I do, which removes the Google RCE vulnerability it places on your machine.

Make sure to periodically manually update Chrome, however.


I think chrome was the most secure in 2015, but a lot of updates in all browsers have shipped since then!

Also, if you include google in your threat model, then chrome was never that safe


What evidence do you have to back up that claim?


In the security industry it's commonly known Chrome has the best security; this is partly due to the amount of money Google invests in finding vulnerabilities (via fuzzing) in Chrome.

For "proof", you can check how much exploit vendors pay for exploits for each browser. For example Zerodium offer:

* $500k for Chrome RCE

* $100k for Safari RCE

* $100k for Firefox RCE

https://zerodium.com/program.html

The higher amount would generally indicate it's harder to get an RCE in Chrome.


> The higher amount would generally indicate it's harder to get an RCE in Chrome

That does not follow at all. Chrome has the highest market share and so an exploit would have the greatest impact potential. More users affected => more economic value for an exploit.


Market share is a factor, but it's not always the commanding factor.

Take a look at https://zerodium.com/program.html

Apache and Nginx have a very similar market share. Nginx has higher share in top 10k websites, Apache has slightly higher share overall.

Yet Apache has over double the price as nginx exploits:

* Apache RCE 500k

* Nginx RCE 200k


If they both have similar market share, then that variable has been isolated and the conclusion that the cheaper exploit is the less secure is sound. When that variable has not been isolated, it's not possible to conclude that the difference in price is due to security and not due to the exploit affecting more people.

"The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc)."

So, if chrome, with ~65% of the market share had the same payout as firefox at ~4% of the market share, it would be fair to conclude it's less secure. However, we see 5x the payout and 16x the market share. Doesn't seem conclusive.


Or perhaps that Chrome exploits are more useful?

In fact, given Firefox's tiny market share (despite my efforts) I'm surprised the disparity isn't higher. Maybe it's harder to find Firefox exploits?

It's more likely that more popular browsers equally have more people attempting to crack them; and software in general is so buggy that results probably scale in proportion to the number of people looking.


That's a valid point if we're referring to relatively unknown browsers. But the main three browsers are all high profile enough that they all have significant eyes on them and are thoroughly tested.

Firefox may have a small market share, but exploits for Firefox may even have more value to some entities/governments, due to its use in Tor Browser.

To clear any confusion, all three are extremely secure in comparison to other types of products (which is why exploits are so expensive), however Chrome just edges ahead, due to its sandboxing, and rapid patch cycle.


Chrome has about 70 percent market share and this higher amount may account for that.


Well in the US[0] it's:

Chrome 46.17%, Safari 37.83%, Firefox 3.7%

Worldwide[1] it's:

Chrome 63.54%, Safari 19.24%, Firefox 3.79%

I was a bit shocked to see how low FF is. Its exploits are being valued the same as Safari.

[0] https://gs.statcounter.com/browser-market-share/all/united-s...

[1] https://gs.statcounter.com/browser-market-share#monthly-2020...


> chrome's security is, however, light years ahead of anyone else's

Give evidence to support your claim. I've been using Firefox for the past 10 years and I fail to see how it's insecure. I do see, however, how it's not nearly as user-hostile as chrome.


I don't need to have a working exploit for Firefox to accurately state that it's easier to exploit Firefox than it is Chrome.

I encourage you to read writeups on the patched bugs for Chrome sometime.


All the metrics you've given are either subjective or inconclusive. I think the claim that firefox is less secure than chrome needs to be backed by a metric such as the number of critical issues and how long they took to be patched. Otherwise it sounds as mere speculation.


Keystone is the hidden nefarious program that apple installs, as it's been clearly stated, to convert intel into arm code lol


You are thinking of Rosetta.



