Google Open Sources Updater 174
Jamie noticed the news that Google Update is now Open Source. The article acknowledges the privacy and security concerns of an application that is always running in the background of your machine, and authorized to install new software. And Google made the logically obvious conclusion that releasing the source code would alleviate those concerns.
Re:For the love of god (Score:5, Informative)
Here's a wild and crazy idea. You could disable the Google Updater Service via Control Panel\Administrative Tools\Services. I know.... I know.... radical, but it actually works. Imagine that.
Re:For the love of god (Score:5, Informative)
Of course, it will be reinstalled within a few hours if you run another Google program. On my Mac I just changed permissions on the
Re:For the love of god (Score:5, Informative)
Re:how to remove googleupdate.exe? (Score:1, Informative)
Find the service name in the Windows Service Browser (find googleupdate in the service list and double-click. It'll be named googleupdate followed by a bunch of random characters). Open a DOS prompt.
Enter this command: INSTSRV REMOVE
That will delete the service, then you can delete the GoogleUpdate folder from your Program Files.
This will work for any other unwanted service as well.
Re:how to remove googleupdate.exe? (Score:2, Informative)
Find the service name in the Windows Service Browser (find googleupdate in the service list and double-click. It'll be named googleupdate followed by a bunch of random characters). Open a DOS prompt. Enter this command: INSTSRV REMOVE That will delete the service, then you can delete the GoogleUpdate folder from your Program Files.
This will work for any other unwanted service as well.
The command is:
INSTSRV servicename REMOVE
Re:For the love of god (Score:4, Informative)
I never gave GE my password. I'm not sure what the workaround is for Windows.
Similar. Using the CACLS command line tool, or the Security dialog in file properties, remove all file permissions for all users except the "delete" and "read attribute" permissions.
Read attribute might be able to go too, I haven't tested - but the above will make it so that the file can't be updated, can't be executed, but can still be deleted when you want to.
Re:A Bad Idea Made Worse (Score:3, Informative)
Second, there's in this the now-typical Google 'we rule the world' attitude in this--much like that at Microsoft fifteen years ago. Why should Goggle applications has an always running updater while other don't? Not even Apple makes that sort of demands and OS X is one heck of a lot more important to a Mac than anything Google might do.
Wait, what?
I don't know about OS X, but apple products on Windows absolutely demand this and a lot more. After installing itunes, I found I had "iTunesHelper.exe", "mDNSResponder.exe" and "iTunesService.exe", and the quicktime launcher always running in the background. When I disable them they come back every time I run iTunes (save the qt launcher) - and stay running after itunes is closed.
When I update iTunes, quicktime takes over all of my browser preferences again which means I have to spend time reverting them. Not to mention reinstalling its always-running launcher and updater. Every. Fscking. Time.
So when looking for an example of companies that don't "demand" to have their apps running, you'll want a better example than Apple.
Re:concerns alleviated... (Score:3, Informative)
Still would not validate.
Theirs is digitally signed and has date stamps in.
I think the only options is to use something like bindiff, which excludes comparisons of much of the PE metadata.
Re:concerns alleviated... (Score:3, Informative)
The unique ID is just a random number. How does that let Google tie your IP address to an advertising profile better than, say, a regular cookie?
Say the logs look like this:
17.205.76.119: update request from uid 229782969
17.205.76.119: log in to gmail as Joe User
17.205.76.119: request 1x1 dissident-456713.png
17.205.76.119: request google-analytics for site americanidol.com
continues for 1 week
17.205.76.119: update request from uid 229782969
Since there were no other updates from your IP they know you aren't behind a proxy. They can tell with high probability that everything done from that IP during the week is attributable to you. For advertising purposes they might not even care if it is not entirely correct as long as it makes their ads more targeted. Even if they can say there's an 80% probability that user from this IP were "Joe User-ish" that helps them.
In reality google might do nothing negative with this information, but they could, and if this were China for instance Joe User might be linked as dissident 456713 and locked up. Because of a random number. The reality is that "non-personally identifying information" or "anonymous usage data" is almost always uniquely attributable to you.
If you were building an auto-updater, you'd probably be interested in knowing how many people had your app installed too. That way you know if people uninstall the app you're doing something wrong!
If I were building an auto-updater I would have a URL for instance "http://my.domain.com/currentVersion/productName" that just returns the current build ID.
If I were building a spyware I would have the updater send me other information, like an ID or a timestamp, or a user name, or whatever. If I had the world's largest commercial database on user this would be a tempting option.
If I wanted to know if people were uninstalling my app I might have it contact my site on uninstall, or better give the user a dialog asking why they are installing it and the option to send a comment.