Slashdot Mirror


Google Open Sources Updater

Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.

36 of 174 comments

  1. concerns alleviated... by datapharmer · · Score: 5, Insightful

    Well I feel much safer now knowing that the updater is open source. I for one have no worries about the code actually being updated... that of course is completely kosher.

    --
    Get a web developer
    1. Re:concerns alleviated... by Philip+K+Dickhead · · Score: 2, Interesting

      Has anyone built this from source, then checksummed the result to validate that this is the same software?

      Bait and switch would be just like these guys!

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    2. Re:concerns alleviated... by xouumalperxe · · Score: 4, Interesting

      That would only work if you used the same build of the same compiler, with the same flags.

    3. Re:concerns alleviated... by fuzzyfuzzyfungus · · Score: 2, Interesting

      Somebody has to do this, so it might as well be me: Yes, the usual

    4. Re:concerns alleviated... by jollyreaper · · Score: 4, Funny

      Well I feel much safer now knowing that the updater is open source. I for one have no worries about the code actually being updated... that of course is completely kosher.

      Don't worry, I checked. Has the little (u) and everything for Passover. Dunno how it'll be after the holiday's over, though.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    5. Re:concerns alleviated... by 0xygen · · Score: 2, Informative

      Still would not validate.

      Theirs is digitally signed and has date stamps in.

      I think the only option is to use something like bindiff, which excludes comparisons of much of the PE metadata.
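
The comparison problem raised in the replies above (a signed vendor binary with date stamps never hashes the same as a local build), as an added example that is not part of any comment or of Google's code. It neutralises only the COFF timestamp, the header checksum and the Authenticode certificate table before hashing; other embedded timestamps and compiler or flag differences are not handled. The sample files are constructed, header-only PE32 images, and all function names are hypothetical.

```python
import hashlib
import struct

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table


def normalized_pe_digest(data: bytes) -> str:
    """SHA-256 of a PE image with signing- and build-time-dependent fields removed."""
    buf = bytearray(data)
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic == 0x10B:        # PE32
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional-header magic")
    struct.pack_into("<I", buf, coff + 4, 0)   # COFF TimeDateStamp
    struct.pack_into("<I", buf, opt + 64, 0)   # OptionalHeader.CheckSum
    (num_dirs,) = struct.unpack_from("<I", buf, dirs - 4)
    if num_dirs > SECURITY_DIR:
        entry = dirs + 8 * SECURITY_DIR
        # For this directory the first field is a file offset, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", buf, entry)
        struct.pack_into("<II", buf, entry, 0, 0)
        if cert_len:
            if cert_off + cert_len > len(buf):
                raise ValueError("certificate table outside file")
            del buf[cert_off:cert_off + cert_len]  # drop the signature blob
    return hashlib.sha256(buf).hexdigest()


def make_sample_pe(timestamp: int, code: bytes, signature: bytes = b"") -> bytes:
    """Constructed header-only PE32 for the demo; not a loadable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                               # 96 + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x10B)
    # Stand-in value, not a real PE checksum; it only needs to differ per file.
    struct.pack_into("<I", opt, 64, (timestamp + len(signature)) & 0xFFFFFFFF)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if signature:
        cert_off = 64 + 4 + 20 + 224 + len(code)       # appended at end of file
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, cert_off, len(signature))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + signature


# Constructed inputs: same code, different build time, one of them "signed".
CODE = b"\x55\x8b\xec\xc3" * 8
LOCAL_BUILD = make_sample_pe(0x49D00000, CODE)
VENDOR_BUILD = make_sample_pe(0x49E2B000, CODE, b"constructed-authenticode-blob---")
TAMPERED = make_sample_pe(0x49E2B000, CODE[:-1] + b"\xcc",
                          b"constructed-authenticode-blob---")

if __name__ == "__main__":
    for name, blob in (("local", LOCAL_BUILD), ("vendor", VENDOR_BUILD),
                       ("tampered", TAMPERED)):
        print(name, hashlib.sha256(blob).hexdigest()[:16],
              normalized_pe_digest(blob)[:16])
```
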

    6. Re:concerns alleviated... by 0xABADC0DA · · Score: 4, Interesting

      Bait and switch would be just like these guys!

      Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier? There is ZERO reason for an updater to identify anything besides installed product (if that), not even the currently installed version. Any intelligent person knows this, and google is a cut above. That means it was certainly their intention to collect more information through updates. And why wouldn't google do this?

      Even today there are a lot of people that never log in to a google service. Google updater is really about identifying and categorizing these users, for better ad targeting or accounting or whatever purpose. All they have to do is install any one google product, even if they never use it. If you log in to google often they already have a great profile on you.

      The update check lets them tie your IP address with their profile on you. Many people have 'stable' IP addresses, even though they are using DHCP they get the same address. The updater lets google determine this, or that a person's IP address isn't stable.

      The simplest, most effective, and most obvious method to track individuals is with a unique ID. This was the first method updater used (ie, google thinks everybody else are idiots). This provides a direct IP to user mapping at every update.

      Next, they might try a last-update-at timestamp. Even at a second resolution with list of installed products this lets them easily map IP to user with a high degree of accuracy. But they'd probably try something to tighten this up, like return a time cookie from the server and store it for next time.

      If they can't do a direct mapping like this, they'll try something more sneaky like 'anonymous usage data' that they then can just look up in their database... how many users accessed gmail exactly 327 times and groups 136 times in the last week? Repeat until it narrows down to one.

      So the updater software itself is irrelevant. The only issue is what data does it send and does it run often enough to lock down your IP, or determine how your IP changes over time. This is important because tracking images, google-analytics, ad-words can determine your IP as you visit sites.

    7. Re:concerns alleviated... by 0xABADC0DA · · Score: 2, Informative

      The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie?

      Say the logs look like this:

      17.205.76.119: update request from uid 229782969
      17.205.76.119: log in to gmail as Joe User
      17.205.76.119: request 1x1 dissident-456713.png
      17.205.76.119: request google-analytics for site americanidol.com
      continues for 1 week
      17.205.76.119: update request from uid 229782969

      Since there were no other updates from your IP they know you aren't behind a proxy. They can tell with high probability that everything done from that IP during the week is attributable to you. For advertising purposes they might not even care if it is not entirely correct as long as it makes their ads more targeted. Even if they can say there's an 80% probability that user from this IP were "Joe User-ish" that helps them.

      In reality google might do nothing negative with this information, but they could, and if this were China for instance Joe User might be linked as dissident 456713 and locked up. Because of a random number. The reality is that "non-personally identifying information" or "anonymous usage data" is almost always uniquely attributable to you.

      If you were building an auto-updater, you'd probably be interested in knowing how many people had your app installed too. That way you know if people uninstall the app you're doing something wrong!

      If I were building an auto-updater I would have a URL for instance "http://my.domain.com/currentVersion/productName" that just returns the current build ID.

      If I were building spyware I would have the updater send me other information, like an ID or a timestamp, or a user name, or whatever. If I had the world's largest commercial database on users this would be a tempting option.

      If I wanted to know if people were uninstalling my app I might have it contact my site on uninstall, or better give the user a dialog asking why they are installing it and the option to send a comment.

  2. For the love of god by Anonymous Coward · · Score: 5, Interesting

    Someone add a feature to turn it off completely.

    1. Re:For the love of god by Jamie's+Nightmare · · Score: 5, Informative

      Here's a wild and crazy idea. You could disable the Google Updater Service via Control Panel\Administrative Tools\Services. I know.... I know.... radical, but it actually works. Imagine that.

      --
      "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
    2. Re:For the love of god by dfm3 · · Score: 5, Informative

      Google has already provided instructions on how to uninstall the updater.

      Of course, it will be reinstalled within a few hours if you run another Google program. On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.

    3. Re:For the love of god by Perseid · · Score: 5, Informative

      And don't forget to turn off the scheduled event to turn the service back on. And don't forget to do it all over again every time you install/update anything by Google. Also, the instructions to kill it don't seem to be the same all the time. Maybe it depends on exactly what app you're installing. Maybe it's just Google trying to screw with my mind. Google Update needs to die.

    4. Re:For the love of god by syousef · · Score: 4, Insightful

      On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.

      1. Install Linux
      2. Follow above instructions.

      --
      These posts express my own personal views, not those of my employer
    5. Re:For the love of god by morgan_greywolf · · Score: 2, Insightful

      Google doesn't have an updater on Linux, at least not one that came with Google Earth or Google Picasa.

    6. Re:For the love of god by thePowerOfGrayskull · · Score: 3, Informative

      I never gave GE my password. I'm not sure what the workaround is for Windows.

      Similar. Using the CACLS command line tool, or the Security dialog in file properties, remove all file permissions for all users except the "delete" and "read attribute" permissions.

      Read attribute might be able to go too, I haven't tested - but the above will make it so that the file can't be updated, can't be executed, but can still be deleted when you want to.

  3. Finally some justification by PhasmatisApparatus · · Score: 3, Insightful

    to the "do no evil" slogan.

    And of course, this goes hand-in-hand with keeping Chromium easy to use.

    1. Re:Finally some justification by eln · · Score: 5, Funny

      Yes, but as always happens when you open source software, a huge community will immediately spring up from the ground to fork it and start adding features to it. After a few months, that community will decide what it really needs is a ground-up rewrite. After 5 years and several hundred alpha releases, you'll be able to download the first beta of the rewritten app, which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.

  4. Missing The Point by Blue+Stone · · Score: 4, Interesting

    It's not the privacy and security aspects of having Google Update always running in the background that concerns me, it's that a process that is only needed once in a while is constantly running using up resources unnecessarily.

    Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).

    No need to have an updater constantly running in the background at all.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    1. Re:Missing The Point by Anonymous Coward · · Score: 2, Insightful

      There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

      Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degradation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS.

    2. Re:Missing The Point by samkass · · Score: 2, Interesting

      In addition, make the installation really explicit and give me options to completely skip an upgrade and not have it bugging me all the time. Seriously, this open sourcing is just a red herring. The real issues are how Google is using it, not what the tool is specifically doing.

      --
      E pluribus unum
    3. Re:Missing The Point by ultrabot · · Score: 5, Insightful

      There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

      All of this handwaving is unnecessary, since the problem is "ethical" in a sense. The user does not want to have google updater running for whatever reason => the user should be able to remove it whenever he wants. I suppose the rootkit sony installed back in the day didn't consume too much resources either.

      --
      Save your wrists today - switch to Dvorak
    4. Re:Missing The Point by jollyreaper · · Score: 3, Insightful

      There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

      Google Update was coded pretty carefully to sleep nearly all the time and have as minimal a footprint as possible. I challenge you to detect any degradation of system performance with it running, especially since its CPU and memory load is less than any of several dozen always-running services that come with the OS.

      Doesn't matter. Just have it run once a week on startup like most apps do and we're fine.

      As far as Windows goes, it'd be nice if third parties could register with Windows update. You install app X, it now gets to be polled on Windows update at whatever schedule you use. Update available, there you go. It'd be like what the Linux distros do with their lovely updaters.

      I just hate extraneous shit that gets installed and harshes your computer's well-being. Perfect example are the shitty printer TSR's that just sit there in the corner hogging up resources waiting for you to print. Why? Unnecessary! And when you uninstall them it's like your computer gets a needle of adrenaline right in the heart, it's ten times faster than you're used to.

      About only half of what sucks about Windows can be directly blamed on Microsoft. The rest of it has to be blamed on the third party apps.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    5. Re:Missing The Point by thePowerOfGrayskull · · Score: 2, Interesting

      And it sounds like you still don't understand the concept of sleeping processes. Just because there's a process taking up a number in a process table, it doesn't mean that it's doing anything else. It won't be using any RAM because it's paged out to disc. It won't be using any processor cycles because it's sleeping.

      That all really depends on whether the process that you're assuming to be asleep is well-behaved.

      Helps to understand these things before you complain about them.

      Helps to not make assumptions about those proprietary binaries running on your system... (google update notwithstanding, since we don't know that the source they've released matches the binary we get.)

  5. Would rather they fix it instead. by ssjx · · Score: 2, Interesting

    "Unfortunately, the service has many bugs, it can't be disabled unless you uninstall all the applications that use it and there are some privacy issues"

    I would prefer it if they fixed Google Update instead of releasing the source. Making it optional and easy to remove would be a good start. Amazingly Apple Update works better and most Apple software on windows, besides Safari, is lousy...

    --
    Visit ssjx.co.uk
    1. Re:Would rather they fix it instead. by FrostDust · · Score: 2, Insightful

      I would prefer it if they fixed Google Update instead of releasing the source.

      Thanks to the source release, you now have more than just one "they" to look at.

  6. Wrong solution - why do we need it? by Bearhouse · · Score: 3, Insightful

    Why do we need GoogleUpdater anyway?
    OK, you could make a case that security updates, especially for 'critical' apps like Chrome, should be 'pushed', but what's wrong with doing that the way other people do, namely checking for an update when you run the program?

    1. Re:Wrong solution - why do we need it? by 0xABADC0DA · · Score: 2, Interesting

      Because if you install chrome and use it only once, with a background service google still gets regular update checks from your IP address.

      Using timestamps or unique IDs or other anonymous usage data they can then group your site accesses into a unique profile. Even if they can't map it to a specific user they get an anonymous profile from it, so they know the site access information they gather in other ways is from the same user instead of multiple users.

  7. A Bad Idea Made Worse by InklingBooks · · Score: 5, Insightful

    I'd agree with Bluestone's remarks and add some of my own.

    First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.

    Second, there's in this the now-typical Google 'we rule the world' attitude--much like that at Microsoft fifteen years ago. Why should Google applications have an always running updater while others don't? Not even Apple makes that sort of demand and OS X is one heck of a lot more important to a Mac than anything Google might do.

    Third, CmdrTaco is being naive if he thinks open sourcing an abomination leads to the "obvious conclusion" that it's to be trusted. He forgets that the danger lies in the code that's being downloaded, not the code that is doing the downloading. It's the idea itself that's bad not the implementation.

    Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror. And like Google, they're not likely to tell us what they're doing.

    I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?" One person lying doesn't usually do much harm. Everyone lying would make life almost unbearable.

    Having every application behaving like Google's would be an utter disaster. Open-sourcing Google's code makes as much sense as marketing a "Do It Yourself A-Bomb Kit" in the Middle East. The malicious genie is out of the bottle. Now we have to consider the possibility that every obscure application we download contains Google's dastardly code. A seemingly benign application could mutate on command into a monster. And because it spreads any time we're online, it could spread like wildfire. Google doesn't even seem to have been thinking when they came up with open-sourcing their monster.

    What the Greeks called hubris, overweening pride, has struck again. Google has replaced Microsoft as the giant, high-tech business that seems most clueless about the distinction between good and evil, sensible and foolish. They censored the Internet for China, they claimed to own every book not in print, and now they want to determine what's on our computers without our consent and without our knowledge.

    1. Re:A Bad Idea Made Worse by thePowerOfGrayskull · · Score: 2, Informative

      Second, there's in this the now-typical Google 'we rule the world' attitude--much like that at Microsoft fifteen years ago. Why should Google applications have an always running updater while others don't? Not even Apple makes that sort of demand and OS X is one heck of a lot more important to a Mac than anything Google might do.

      Wait, what?

      I don't know about OS X, but apple products on Windows absolutely demand this and a lot more. After installing itunes, I found I had "iTunesHelper.exe", "mDNSResponder.exe" and "iTunesService.exe", and the quicktime launcher always running in the background. When I disable them they come back every time I run iTunes (save the qt launcher) - and stay running after itunes is closed.

      When I update iTunes, quicktime takes over all of my browser preferences again which means I have to spend time reverting them. Not to mention reinstalling its always-running launcher and updater. Every. Fscking. Time.

      So when looking for an example of companies that don't "demand" to have their apps running, you'll want a better example than Apple.

    2. Re:A Bad Idea Made Worse by Qwavel · · Score: 2, Insightful

      Yes, all of this complaining about Google should be taken in context. People are saying that this is an instance of their 'we rule the world' attitude, but there are lots of other companies that do the same (constantly running updaters) and worse.

      Quicktime is a good example, and HP printer software is another.

      At least Google has shown us the code. No way that those others would.

  8. Re:how to remove googleupdate.exe? by jerwinch · · Score: 2, Informative

    Find the service name in the Windows Service Browser (find googleupdate in the service list and double-click. It'll be named googleupdate followed by a bunch of random characters). Open a DOS prompt. Enter this command: INSTSRV REMOVE That will delete the service, then you can delete the GoogleUpdate folder from your Program Files.

    This will work for any other unwanted service as well.

    The command is:
    INSTSRV servicename REMOVE

  9. Re:Pfft by fuzzyfuzzyfungus · · Score: 3, Interesting

    You appear to have missed the point by several hundred yards. Google isn't open sourcing this because its updater is OMG hotness! technology, nor does anybody particularly care about the prosaic details of yet another updater. They are releasing it to alleviate customer concerns about what is running on their machines, a somewhat rarer and more interesting move.

    This isn't a story about "Software X added to supply of OSS, hurrah!" this is "Company Y uses OSS as disclosure strategy", which is modestly novel.

  10. Managing Google is becoming more difficult. by Futurepower(R) · · Score: 2, Insightful

    The problem is fundamentally social. Companies, and social groups in general, are always both growing socially and dying socially. In a company as well-established as Google, the challenge is to keep the processes of growth stronger than the processes of death.

    More and more, Google seems to be out of control. There seems to be insufficient friendly oversight of the many initiatives inside the company. That typically occurs because everyone is busy, and because there is no one inside the company who both understands particular social processes and has the power and insight to influence them. Friendly, creative management is a lot more difficult than the average person realizes.

    Of course, Google started from a very high level of excellent management. Google's management ability was initially not only in providing an excellent search engine, but also in being able to build the infrastructure necessary to serving billions of queries of a database, each in less than a second.

    I'm very interested in such issues: Futurepower®.

  11. Malware by S77IM · · Score: 5, Insightful

    Google Update installs itself without my permission, runs without notifying me, and is difficult to disable and uninstall. This fits my definition of malware. I'd like to have an option for my anti-virus and anti-malware software to start detecting and destroying programs like these.

      -- 77IM

    --
    Student: Is it true that the foundation of the universe is paradox?
    Master: Well, yes and no.
  12. Processes that always run make admin complicated. by Futurepower(R) · · Score: 4, Insightful

    MOD PARENT UP! '... the problem is "ethical" in a sense.'

    Processes that run all the time make computer administration more complicated. The issue is not just one process; many, many companies want control over users' computers and believe that a system process is the way to achieve that.

    Google Updater should run only when a program supplied by Google is running. Unnecessary control is always a reason for criticism, not just unnecessary control over other people's computers. Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.

  13. Re:Processes that always run make admin complicate by Val314 · · Score: 2, Interesting

    Google Updater should run only when a program supplied by Google is running.

    So think about this scenario:

    A product has a security issue that can be exploited remotely. Let's say (and this is hopefully not a real exploit, but something like this could theoretically happen):

    Google earth has an issue with KMZ files (buffer overflow, whatever)
    user gets a kmz file
    opens it
    --> exploit can do its thing.

    It is now useless that Google Earth would display "there is an important security update available".

    Therefore: it is important to patch the apps *before* opening it.

    Please note: that is not specific to the google updater, but every app that only checks for updates while it runs.