Feeds

Google throws secret auto-updater to open sorcerers

Bloody Omaha privacy breach

SANS - Survey on application security programs

Google has thrown a little-known but controversial part of its web services code to open sorcerers to prove to skeptics there's nothing funny going on under the covers. Oh, it also wants to give third parties a peek at what's going on inside your system, too.

The Mountain-View chocolate factory has released the code of Google Update under an Apache 2.0 open source license. Newly-transparent Google Update, now referred to as Omaha, was pushed into the wild late Friday while everyone was busy being fitted for Easter bonnets.

If you've got Google software on your Windows box like Chrome, Gears and Google Earth, then you've got GoogleUpdate.exe running in the background silently downloading product updates and beaming home certain use data back to Google.

As a central auto-updater for such applications it may be handy, but unfortunately GoogleUpdate is always on, can't be uninstalled unless every single Google apps is removed first, and until now, we've had to take Google's word that it's only sending innocuous user and system data back to Google's servers.

That’s left people angry at this violation of privacy, and seen others temporarily turn off the process for a few hours at a time using the simple CTRL + ALT + DEL.

Obviously, that impedes the ability of services from the Chocolate factory to keep feeding back into the systems at the Googleplex.

According to the Google Open Source blog:

Since Google Update is always running on your system, there's no simple way to stop it, and since it's a fundamental part of the Google software that needs it, it's not explicitly installed. Some users can be surprised to find this program running, and at Google, we don't like disappointing our users. We've been working hard to address these concerns, and releasing the source code for Omaha is our attempt to make the purpose of Google Update totally transparent. Obviously, we understand that not everyone is both willing and able to read through our code, but we hope that those of you who do will confirm for the rest that Google Update's functionality serves well to keep your software up to date.

Google said its secondary motivation for opening the auto-installer is to encourage developers to use the code and integrate it with their own products.

Supposedly, the outcome could be Omaha catching on as some sort of generic package manager for Windows. Yet while the shift to open source may stymie concerns Google is collecting more information with GoogleUpdate.exe than it discloses, it doesn't yet solve the software's other notable issues.

Google still doesn't inform users about the updater, and there's currently no option to make it ask before downloading updates. It's also constantly running in the background, using Window's task schedule every few hours only as a way to make sure the process hasn't been killed.

Which might explain why Google chose to put out this news over the Easter weekend, when people’s minds were turning to other types of chocolate.

While GoogleUpdate itself may not take a big chuck out of a computer's resources - it seems every big software company feels its necessary to have their own updater running in the background. Collectively, it bogs down a system. Omaha could help merge a few smaller software developers into a single update platform, but it's extremely unlikely a major player would take the bait.

Hopefully Google follows through with making the GoogleUpdate process less of a surprise to the average person. There is such a thing as simplicity without making the user give up all control.

Omaha's source code along with developer instructions are provided at the project's Google Code repository. ®

3 Big data security analytics techniques

More from The Register

next story
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Apple inaugurates free OS X beta program for world+dog
Prerelease software now open to anyone, not just developers – as long as you keep quiet
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.