Google Open Sources Updater
Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
Someone add a feature to turn it off completely.
It's not the privacy and security aspects of having Google Update always running in the background that concern me, it's that a process that is only needed once in a while is constantly running, using up resources unnecessarily.
Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually), only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).
No need to have an updater constantly running in the background at all.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
"Unfortunately, the service has many bugs, it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues"
I would prefer it if they fixed Google Update instead of releasing the source. Making it optional and easy to remove would be a good start. Amazingly Apple Update works better and most Apple software on Windows, besides Safari, is lousy...
Visit ssjx.co.uk
Has anyone built this from source, then checksummed the result to validate that this is the same software?
Bait and switch would be just like these guys!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
That would only work if you used the same build of the same compiler, with the same flags.
Somebody has to do this, so it might as well be me: Yes, the usual
You appear to have missed the point by several hundred yards. Google isn't open sourcing this because its updater is OMG hotness! technology, nor does anybody particularly care about the prosaic details of yet another updater. They are releasing it to alleviate customer concerns about what is running on their machines, a somewhat rarer and more interesting move.
This isn't a story about "Software X added to supply of OSS, hurrah!" this is "Company Y uses OSS as disclosure strategy", which is modestly novel.
(Anon to protect modding) As someone who worked for an anti-virus company for more than a decade, I can tell you that the categorization as MALware requires some specific MALicious action on the part of the software. In fact, we looked at GoogleUpdate.exe quite explicitly, and despite the traits you mention, it did nothing malicious... so we classified it as not malware...
Bait and switch would be just like these guys!
Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier? There is ZERO reason for an updater to identify anything besides installed product (if that), not even the currently installed version. Any intelligent person knows this, and google is a cut above. That means it was certainly their intention to collect more information through updates. And why wouldn't google do this?
Even today there are a lot of people that never log in to a google service. Google updater is really about identifying and categorizing these users, for better ad targeting or accounting or whatever purpose. All they have to do is install any one google product, even if they never use it. If you log in to google often they already have a great profile on you.
The update check lets them tie your IP address with their profile on you. Many people have 'stable' IP addresses, even though they are using DHCP they get the same address. The updater lets google determine this, or that a person's IP address isn't stable.
The simplest, most effective, and most obvious method to track individuals is with a unique ID. This was the first method updater used (ie, google thinks everybody else are idiots). This provides a direct IP to user mapping at every update.
Next, they might try a last-update-at timestamp. Even at a second resolution with a list of installed products this lets them easily map IP to user with a high degree of accuracy. But they'd probably try something to tighten this up, like return a time cookie from the server and store it for next time.
If they can't do a direct mapping like this, they'll try something more sneaky like 'anonymous usage data' that they can then just look up in their database... how many users accessed gmail exactly 327 times and groups 136 times in the last week? Repeat until it narrows down to one.
So the updater software itself is irrelevant. The only issue is what data does it send and does it run often enough to lock down your IP, or determine how your IP changes over time. This is important because tracking images, google-analytics, ad-words can determine your IP as you visit sites.
Because if you install chrome and use it only once, with a background service google still gets regular update checks from your IP address.
Using timestamps or unique IDs or other anonymous usage data they can then group your site accesses into a unique profile. Even if they can't map it to a specific user they get an anonymous profile from it, so they know the site access information they gather in other ways is from the same user instead of multiple users.
Google Updater should run only when a program supplied by Google is running.
So think about this scenario:
A product has a security issue that can be exploited remotely. Let's say (and this is hopefully not a real exploit, but something like this could theoretically happen):
Google Earth has an issue with KMZ files (buffer overflow, whatever)
user gets a kmz file
opens it
--> exploit can do its thing.
It is now useless that Google Earth would display "there is an important security update available".
Therefore: it is important to patch the apps *before* opening it.
Please note: that is not specific to the google updater, but every app that only checks for updates while it runs.