Feeds

Google throws secret auto-updater to open sorcerers

Bloody Omaha privacy breach

Internet Security Threat Report 2014

Google has thrown a little-known but controversial part of its web services code to open sorcerers to prove to skeptics there's nothing funny going on under the covers. Oh, it also wants to give third parties a peek at what's going on inside your system, too.

The Mountain-View chocolate factory has released the code of Google Update under an Apache 2.0 open source license. Newly-transparent Google Update, now referred to as Omaha, was pushed into the wild late Friday while everyone was busy being fitted for Easter bonnets.

If you've got Google software on your Windows box like Chrome, Gears and Google Earth, then you've got GoogleUpdate.exe running in the background silently downloading product updates and beaming home certain use data back to Google.

As a central auto-updater for such applications it may be handy, but unfortunately GoogleUpdate is always on, can't be uninstalled unless every single Google apps is removed first, and until now, we've had to take Google's word that it's only sending innocuous user and system data back to Google's servers.

That’s left people angry at this violation of privacy, and seen others temporarily turn off the process for a few hours at a time using the simple CTRL + ALT + DEL.

Obviously, that impedes the ability of services from the Chocolate factory to keep feeding back into the systems at the Googleplex.

According to the Google Open Source blog:

Since Google Update is always running on your system, there's no simple way to stop it, and since it's a fundamental part of the Google software that needs it, it's not explicitly installed. Some users can be surprised to find this program running, and at Google, we don't like disappointing our users. We've been working hard to address these concerns, and releasing the source code for Omaha is our attempt to make the purpose of Google Update totally transparent. Obviously, we understand that not everyone is both willing and able to read through our code, but we hope that those of you who do will confirm for the rest that Google Update's functionality serves well to keep your software up to date.

Google said its secondary motivation for opening the auto-installer is to encourage developers to use the code and integrate it with their own products.

Supposedly, the outcome could be Omaha catching on as some sort of generic package manager for Windows. Yet while the shift to open source may stymie concerns Google is collecting more information with GoogleUpdate.exe than it discloses, it doesn't yet solve the software's other notable issues.

Google still doesn't inform users about the updater, and there's currently no option to make it ask before downloading updates. It's also constantly running in the background, using Window's task schedule every few hours only as a way to make sure the process hasn't been killed.

Which might explain why Google chose to put out this news over the Easter weekend, when people’s minds were turning to other types of chocolate.

While GoogleUpdate itself may not take a big chuck out of a computer's resources - it seems every big software company feels its necessary to have their own updater running in the background. Collectively, it bogs down a system. Omaha could help merge a few smaller software developers into a single update platform, but it's extremely unlikely a major player would take the bait.

Hopefully Google follows through with making the GoogleUpdate process less of a surprise to the average person. There is such a thing as simplicity without making the user give up all control.

Omaha's source code along with developer instructions are provided at the project's Google Code repository. ®

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.