Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Open Sources Updater

Posted by CmdrTaco on from the step-in-the-right-direction dept.

Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.

15 of 174 comments (clear)

  1. concerns alleviated... by datapharmer · · Score: 5, Insightful

    Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.

    --
    Get a web developer
    1. Re:concerns alleviated... by xouumalperxe · · Score: 4, Interesting

      That would only work if you used the same build of the same compiler, with the same flags.

    2. Re:concerns alleviated... by jollyreaper · · Score: 4, Funny

      Well I feel much safer now knowing that the updater is open source. I have for one have no worries about the code actually being updated... that of course is completely kosher.

      Don't worry, I checked. Has the little (u) and everything for Passover. Dunno how it'll be after the holiday's over, though.

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    3. Re:concerns alleviated... by 0xABADC0DA · · Score: 4, Interesting

      Bait and switch would be just like these guys!

      Google wants an auto updater so badly because it allows them to gather more information on you. Why else would it have ever included a unique identifier? There is ZERO reason for a updater to identify anything besides installed product (if that), not even the currently installed version. Any intelligent person knows this, and google is a cut above. That means it was certainly their intention to collect more information through updates. And why wouldn't google do this?

      Even today there are a lot of people that never log in to a google service. Google updater is really about identifying and categorizing these users, for better ad targeting or accounting or whatever purpose. All they have to do is install any one google product, even if they never use it. If you log in to google often they already have a great profile on you.

      The update check lets them tie your IP address with their profile on you. Many people have 'stable' IP addresses, even though they are using DHCP they get the same address. The updater lets google determine this, or that a person's IP address isn't stable.

      The simplest, most effective, and most obvious method to track individuals is with a unique ID. This was the first method updater used (ie, google thinks everybody else are idiots). This provides a direct IP to user mapping at ever update.

      Next, they might try a last-update-at timestamp. Even at a second resolution with list of installed products this lets them easily map IP to user with a high degree of accuracy. But they'd probably try something to tighten this up, like return a time cookie from the server and store it for next time.

      If they can't do a direct mapping like this, they'll try something more sneaky like 'anonymous usage data' that then can just look up in their database... how many users accessed gmail exactly 327 times and groups 136 times in the last week? Repeat until it narrows down to one.

      So the updater software itself is irrelevant. The only issue is what data does it send and does it run often enough to lock down your IP, or determine how your IP changes over time. This is important because tracking images, google-analytics, ad-words can determine your IP as you visit sites.

  2. For the love of god by Anonymous Coward · · Score: 5, Interesting

    Someone add a feature to turn it off completely.

    1. Re:For the love of god by Jamie's+Nightmare · · Score: 5, Informative

      Here's a wild and crazy idea. You could disable the Google Updater Service via Control Panel\Administrative Tools\Services. I know.... I know.... radical, but it actually works. Imagine that.

      --
      "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
    2. Re:For the love of god by dfm3 · · Score: 5, Informative

      Google has already provided instructions on how to uninstall the updater.

      Of course, it will be reinstalled within a few hours if you run another Google program. On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.

    3. Re:For the love of god by Perseid · · Score: 5, Informative

      And don't forget to turn off the scheduled event to turn the service back on. And don't forget to do it all over again every time you install/update anything by Google. Also, the instructions to kill it don't seem to be the same all the time. Maybe it depends on exactly what app you're installing. Maybe it's just Google trying to screw with my mind. Google Update needs to die.

    4. Re:For the love of god by syousef · · Score: 4, Insightful

      On my Mac I just changed permissions on the /Library/Google/GoogleSoftwareUpdate and ~/Library/Google/GoogleSoftwareUpdate folders to 000, and Google Earth no longer reinstalls the updater or asks me to do so. I never gave GE my password. I'm not sure what the workaround is for Windows.

      1. Install Linux
      2. Follow above instructions.

      --
      These posts express my own personal views, not those of my employer
  3. Missing The Point by Blue+Stone · · Score: 4, Interesting

    It's not the privacy and security aspects of having Googel Update always running in the background that concerns me, it's that a process that is only needed once in a while is constantly running using up resources unnecessarily.

    Adobe seems to have got it right with its latest version of Adobe Updater - only launch when an Adobe product is launched and in addition allow the user to modify the schedule. I can set Adobe Updater to never check for updates (do it manually) only once a month, or every time, but the crucial part is that it only runs when I run Photoshop (or whatever).

    No need to have an updater constantly running in the background at all.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    1. Re:Missing The Point by ultrabot · · Score: 5, Insightful

      There are several reasons why Google Update runs all the time that you're missing, but the crucial assumption you seem to be making is that the process is "constantly running using up resources".

      All of this handwaving is unnecessary, since the problem is "ethical" in a sense. The user does not want to have google updater running for whatever reason => the user should be able to remove it whenever he wants. I suppose the rootkit sony installed back in the day didn't consume too much resources either.

      --
      Save your wrists today - switch to Dvorak
  4. Re:Finally some justification by eln · · Score: 5, Funny

    Yes, but as always happens when you open source software, a huge community will immediately spring up from the ground to fork it and start adding features to it. After a few months, that community will decide what it really needs is a ground-up rewrite. After 5 years and several hundred alpha releases, you'll be able to download the first beta of the rewritten app, which by this point will have morphed into an entire Linux distribution which, unfortunately, lacks decent software update capabilities.

  5. A Bad Idea Made Worse by InklingBooks · · Score: 5, Insightful
    I'd agree with Bluestone's remarks and add some of my own.

    First, an always running updater is a security hole of the first order. Gain access to it, and someone malicious could do anything it could do, meaning alter applications without our knowledge.

    Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.

    Third, CmdrTaco is being naive if he thinks open sourcing an abomination leads to the "obvious conclusion" that it's to be trusted. He forgets that the danger lies in the code that's being downloaded, not the code that is doing the downloading. It's the idea itself that's bad not the implementation.

    Finally, what does Google intend this open sourcing to do? Do they want every application on our computer to have an auto-update-without-asking running continually in the background? Bad as what Google is doing, that'd be an even worse horror. And like Google, they're not likely to tell us what they're doing.

    I believe it was the philosopher Kant who offered as a moral test the question, "What would the world be like if everyone did this?" One person lying doesn't usually do much harm. Everyone lying would make life almost unbearable.

    Having every application behaving like Google's would be an utter disaster. Open-sourcing Google's code makes as much sense as marketing a "Do It Yourself A-Bomb Kit" in the Middle East. The malicious genie is out of the bottle. Now we have to consider the possibility that every obscure application we download contains Google's dastardly code. A seemingly benign application could mutate on command into a monster. And because it spreads any time we're online, it could spread like wildfire. Google doesn't even seem to have been thinking when they came up with open-sourcing their monster.

    What the Greeks called hubris, overweening pride, has struck again. Google has replaced Microsoft as the giant, high-tech business that seems most clueless about the distinction between good and evil, sensible and foolish. They censored the Internet for China, they claimed to own every book not in print, and now they want to determine what's on our computers without our consent and without our knowledge.

  6. Malware by S77IM · · Score: 5, Insightful

    Google Update installs itself without my permission, runs without notifying me, and is difficult to disable and uninstall. This fits my definition of malware. I'd like to have an option for my anti-virus and anti-malware software to start detecting and destroying programs like these.

      -- 77IM

    --
    Student: Is it true that the foundation of the universe is paradox?
    Master: Well, yes and no.
  7. Processes that always run make admin complicated. by Futurepower(R) · · Score: 4, Insightful

    MOD PARENT UP! '... the problem is "ethical" in a sense.'

    Processes that run all the time make computer administration more complicated. The issue is not just one process; many, many companies want control over user's computers and believe that a system process is the way to achieve that.

    Google Updater should run only when a program supplied by Google is running. Unnecessary control is always a reason for criticism, not just unnecessary control over other people's computers. Google managers must weigh whatever hidden benefits they hope to get with the widespread bad public relations that comes from being discussed on Slashdot for doing something many people don't like.