Google funds an auto-update for Vidalia

by phobos | June 7, 2008

Google is funding a project to create an auto-update feature in Vidalia. This auto-update feature will provide a better user experience for Tor users. The goal is to create a system where Vidalia can detect when a new release is available, fetch the package, verify authenticity, and assist the user in upgrading the Vidalia/Tor package. The auto-update feature preserves the user's privacy and anonymity. Over the next six months we'll develop the auto-update system for general release around November 15, 2008.

We're excited to work with Google on this project and look forward to the collaboration.

Comments

Please note that the comment area below has been archived.

June 07, 2008

Permalink

Just curious, any chance one could use sparkle (http://sparkle.andymatuschak.org/) for the OSX side?

From sparkle main page...
"Sparkle can install .pkg files for more complicated products."

This would be really cool.

BTW: the CAPTCHA sucks, It does not work over tor!

June 17, 2008

Permalink

hey sounds good to me, many Windows users can already use the Vidalia bundle to easily run Tor, but having an auto-update feature would be the icing on the cake!

btw the CAPTCHA shows up fine for me using Tor, it is currently the "What is the ___ word in the phrase ____ ?" type.

June 23, 2008

Permalink

You guys are seriously starting to work with google, one of the companies, known to be collecting and storing as many information as possible of everyone ever having used their searchmachine?
Are you crazy? Have you been bribed?
To me this sounds more than ridiculous, since Google still refuses to stop their "information-collecting-behaviour", and also refuses to give any information about what exactly they are doing with all the information having been stored by them over the years!
Besides, Google resides in the US, which is one of the leading countries giving a shit on "privacy" and "anonymity".
This is like the guard inviting the thief to work with each other.

If TOR users are not able to update their clients themselves, they should not use programs as TOR, but rather stick to all the prgrams that offer everything possible to automate -and also hide- as much as possible and help make/keep the users minor and dependent.
Thank you guys, that was it for me concerning TOR.
What a pitty.

I actually initiated and helped to arrange this sponsorship, and I am about as ardent an opponent to long term tracking, profiling, and dragnet surveillance as you can get (see my Defcon 15 bio, for instance).

I initiated it because I do not believe that Google and Tor need be enemies. In fact, I believe we are in a position to be quite symbiotic, providing people with the opportunity to opt-out of censorship and surveillance that would otherwise reduce their Google usage due to chill and concerns over tracking.

Many Google users (in the USA and abroad) either cannot use Google effectively to conduct their work because certain arbitrary words are blocked by content filters put in place by their employers, schools, and governments; or they are concerned about privacy and would like to keep some queries disassociated from their Google accounts.

These users can still provide revenue for Google via adwords, but the advances in the new Torbutton extension prevent all known methods of long term correlation, tracking, profiling, and fingerprinting (see the Torbutton design document for technical details). This is the line we have drawn with code that is open and auditable: "Revenue is OK, long term tracking is not."

These users are also in a position where continual changes to censorship filters are going to necessitate a secure, automatic update process to keep their Tor clients connected and ahead of the censors. They will often be unable to access the main Tor website and many of its mirrors to perform updates themselves, and will need assistance by the software. The updates will be authenticated, anonymized, will not be tracked or logged, and likely won't even be hosted by Google (unless they decide they would like to run a mirror that fits these requirements, and that will likely require extended evaluation on our part).

Because of this balance and our shared interests, it makes perfect economic and social sense for Google to sponsor Tor, and for Tor to accept this sponsorship. Enlightened self-interest is a wonderful thing ;)

Dear anonymous person,

Are you sure you understood the post? Google is not funding us to stop working on privacy, to weaken our privacy, to endorse Google, to endorse their policies, to endorse their search engine, or to do anything anti-privacy. We would not take such funding from anybody if it were offered.

On the other hand, we will take funding to spend on developers to make Tor better, and that's what's been offered here. Google has been quite helpful to the open source world in the past. Have you heard of the Summer of Code program? This is the Tor Project's second year of participating in that, and contrary to what it seems you're suggesting, it hasn't made us stop supporting privacy.

>Besides, Google resides in the US, which is one of the leading countries giving a shit on "privacy" and "anonymity".

It sounds like you're proposing a funding model where, if we have any points of disagreement with a company or individual, or even if we do not like the policies of the country in which they reside, we do not accept help from them.

This would certainly make our project more appealing to people who believe that every incidence of funding constitutes an unconditional mutual endorsement, but it has a problem: we would be able to do almost no development at all.

>If TOR users are not able to update their clients themselves, they should not use programs as TOR, but rather stick to all the prgrams that offer everything possible to automate -and also hide- as much as possible and help make/keep the users minor and dependent.

Aside from the moral issues involved in giving up on helping people if they aren't good at computers, this suggestion would be bad for anonymity. Remember, anonymity systems like Tor hide users among other users. Dividing users into "power users" and "everybody else", and helping only the power users, would create a much smaller network population, and making the network population smaller makes it less anonymous. For more information, you might want to read Anonymity loves company: usability and the network effect.

yrs,
-Nick

Well, "Nick".
First of all, we, as the end-users will NEVER know who will be able and for how long to detect and re-route for "updates". We'll never know who will be able to track of our activities. For instance you're claiming to be "honest" and fare guy. How do I know this for REAL? How do I know that your Network is not logging EVERY handshake and not transfered them for "inquired" individuals or group? Do I have a knowledge to check it? Hell no. Does everyone allowed to do so? Well, now Google DOES with all their "friendly" snitch into your codes. Secondly, its just sounds lame. The updates is never an issue, simply bc if SOMEONE is looking for a privacy, he is DEAD sure how to handle the importance of updates for such tool. To stop by at the developer's website is not that logical brainstorm, would u agree? And after SO much ideas being figured out you turn such a small stuff to Google?????????????????????
And btw, please do not try to tell me that if Google will offer to hand you a few mills of USD, you'll reject it and get back to unfunded "open source" and continue for nothing.

read the details fool, they took google's money, not their evil bit.

April 03, 2012

In reply to by Anonymous (not verified)

Permalink

SAME. FUCKING. THING. And all Tor can say is, "trust us!" We will not allow their money to influence us!

I see at least one reason why supporting Tor makes sense for Google.

Say, Google isn't entirely evil and wants to provide some way to use its services anonymously, for those who need it. The problem is, they _have to_ record certain data under European data retention laws, whether they want it or not. (For example, German data retention law requires forum operators to track IPs of all posters, which means Google Groups _must_ keep record of all IPs. Failure to do so may result in criminal prosecution).
Tor, on the other hand, provides Google with a completely legal way to allow anonymous use: they fulfill their obligations by law (IP log is kept) but the poster remains anonymous.

I know a number of European forums and Usenet providers advising to use Tor for this exact reason: they warn users about logs they _must_ keep, and recommend to use Tor for those willing to stay anonymous.

1. Germany is not presently enforcing such a law. JonDos is a law-abiding German company, and the privacy policy of their website, which includes a forum, is very friendly. That said, there is a data retention law entering the enforcement stage in January. I am unclear on how strict it will be. In any case JonDos and the German Privacy Foundation are planning legal action against the law.

2. The European Union has actually pressured Google to improve it's privacy policies. See:
Privacy bodies back Google step
Google Privacy Policy Questions by European Union
EU: Google Privacy Changes 'Not Enough'

I whole heartily agree. Currently I am in Thailand where the government has setup mirroring servers to monitor and filter internet content. Google not only works with this government but others as well on filtering and reporting of internet usage by the citizens of these countries. Something for the for the freedom of the internet guys to really be proud of huh? How low have they gone in search of the almighty dollar. I agree Google and Tor certainly can not be a good mix for on line privacy.

And yes this is the worst Captcha ever.

I agree totally, why add Google influence to Tor , it will be the beginning of the end.
Yes , what a pitty.

Thanks for your comment on this, and thanks to the Tor team for making this available.

Tor Newbie

July 16, 2008

Permalink

I am rather new to Tor and do not know its history and various stages of development. In any case, I am probably stating the obvious but here goes........

Based upon what I have seen forming around us though, I would read the first three words and stop.
"Google is funding"

So what has happened here? The people that maintain and update the Tor software probably did so gladly for a while. They realized they needed money, probably asked for donations and nobody participated. The people maintaining Tor were disappointed.

Meanwhile.......
Google has a "fit" when you visit it with Tor. It doesn't know what to do! Captcha this and "sorry about that" and whatever whatever.

So, Google got angry. "How dare these little pinheads? We'll make them an offer they can't refuse."

So the Tor people were approached. "But we have to maintain privacy! We cannot sacrifice that" they cried.

"Yeah, yeah take the money and shut the hell up" Google replied.
"We'll help you with the crap to post on your site so again just take the money and shut up."

And as you all know that is what happened. It gets "glossed over".

Looking forward, what will happen is that many will leave Tor. Once the "takeover" is forgotten a new generation of privacy seekers will download Tor thinking it is what it once was. Those able to tell the difference will have been pushed farther and farther to the fringes until they are eventually using smoke signals to communicate. At which point of course, smoke signals will be taken to court and sued because they damage the environment.

At this juncture, people have to realize that the average person "knows too much" This has happened because of the Internet.
It is only natural that the last bastion of freedom (aside from living on a deserted island or remote mountain) will be attacked.

August 18, 2008

In reply to by Anonymous (not verified)

Permalink

Woah, you're telling me that all Tor has to do is accept money from Google and all the crazies and paranoids will go somewhere else? Holy shit. Maybe or-talk will become usable again and people will think and read before posting insane drivel.

Fuck, I know a couple of people who work for Google already. I bet I can get them to give the Tor devs $5 each right now if it meant Tor might have a reasonable mailinglist and blog forum.

Why didn't the devs think of this earlier?? Pure genius!

Yo,
This is not in a power of your "Google worker" to decide which policy to endorse. Secondly, they will DO and BAND-OVER at any given time The Almightiness tell them to do. Or - file for State Unemployment Benefits next month.
Is that enough reason to Do and DEVELOP what Google ask from its employees.
So what we're all saying is even before Google approached Tor for some "friendly" coding together for good", we have NO CLUE who's watching us in their Network pits. Do you know for sure?
Plus different servers were we all "going" in order to pull data that we need may have different types of "watchers activities", and different level of such.
Its just Tor's reason to turn to The Giant for such lame issue. Not even issue in my opinion.
And hey, maybe this Captcha was setup specifically to check your input for specific set of tries? Like these first phone calls identifiers were set for at least 45 secs of connection to naildown.

July 16, 2008

Permalink

Oh yeah.....
We can't forget that very soon after the release of the new "Google-ized" software, the old software ("non-Googlized") will be steered towards a timely death.

"Download the new TOR! The best, fastest and safest version is here!"

Eventually we will all wind up on youtube for our daily spelling lessons. In reality even if you do know how to spell, you forget what you know after reading some of those posts.

Besides, the people maintaining Tor were/are more than capable of creating their own auto-update feature and didn't need Google funding to do so.

We all need money to live and we all have dreams of being prosperous, successful and happy. This, however, is not accomplished by selling your soul to the devil. We never appreciate what we have until we lose it.

If google is so beneficent, why are there so many addons for firefox to eliminate its tracking features? We don't have to be fully paid up members of the tinfoil hat brigade to be suspicious of this proposal.

Once Tor joins up with google, it will have lost its edge. Who will google try to buy out next? FoxyProxy? Or why not join up with Special Branch and the CIA to log every single use of Tor?

Good luck!

August 18, 2008

Permalink

People abusing websites using TOR to keep getting in.

And now you want money to help enable this - screw that. I wonder how long this will stay up since TOR seems to think helping this sort of crap happening to other sites is no big deal.

Here is an idea - give us website owners a way to BLOCK TOR users that are causing problems. Otherwise get bent.

How about just allow us to come to you and get exempted from your customers. I've only got one guy coming from TOR out of nearly 20,000. So a place that says "keep TOR off my server" and keep us from having to deal with the headaches you cause.

Seems like a reasonable request to me.

Yeah, I third the nomination. Where can I inform the millions of open proxy operators while I'm at it? Will the Tor project please volunteer to contact them for me as well? It would be really nice if they would. One less thing for me to deal with.

And this whole Internet thing. I hate it when it sends packets to me. If only someone would provide me with a list of all the IP addresses so I could ask ARIN to contact them all for me. That sure would make my life easier.

Or better still, can't we just shut 'er down?

I support Tor for the same reason you are against it. Web site abuse goes both ways. I use it to gain access to the DemocraticUnderground site that will ban you by IP address the instant that you question ANYONE's stupid liberal (lack of) logic.

August 19, 2008

Permalink

Or how about TOR quit acting like they don't help people create issues when they know they do. And quit hiding behind their product by being so sanctimonious. How long until backlash starts? I saw that Wikapedia is getting fed up with them - how long until Youtube, Vbulletin, and others start trying to come up with ways to totally shut out TOR because TOR thinks they are not creating an issue at all?

Sure - act like you are just providing a nice service while you are really making it easy for some no-tallent hack to continue to bypass security on sites run by the other average joe that doesn't want to try to get a Phd in Computer Science to shut out some of the worst idiots on our sites that have downloaded TOR

Thanks for the sarcasm there fucktard

Your position wasn't being ignored. Maybe you just have trouble reading?

Didn't someone already give you this information:

https://www.torproject.org/faq-abuse.html.en#Bans
https://www.torproject.org/tordnsel/

I think the sarcasm was directed at you because you're not paying any attention and seem to just want to complain about technology. Tor is not your problem, your system is.

As soon as you ban Tor, your troll(s) will just download FoxyProxy and use it with one of those lists the other poster gave. Heck, it even has its own lists! What will you do then? Tell the FoxyProxy author he's destroying the Internet? Or maybe you'll blame Firefox next for supporting proxies.

So how about you devote your energy to a real solution for dealing with trolls. Maybe require each user to have an email account and go through a waiting period before contributing content. The best way to stop trolls is to make it boring and slow for them to get reaction. Or even better, some CMS's have "Troll" modules that allow you to make a Troll's posts only visible to them. Do this with a few accounts your troll has created and they will quickly get bored without the reaction and move on.

Or just use the provided tools to ban Tor users from posting. That's what they're there for. But good luck if your troll finds an open proxy list..

August 25, 2008

Permalink

Freespeech is definitely more important than the bottom line.
I would rather lose all my clients from hacking attempts, than lose my freedom.

January 26, 2009

Permalink

I have something to ask because VIDALIA was working properly. Unfortunately, when i chekced my Youtube all videos not working same all mp3 widgets.

How can i view all the videos in YouTube or in other sites?

February 18, 2009

Permalink

once start up the computer,it have screen remind need to update, and said our tor is old version.

if I don't want to update, and donte want have the remind screen again, what can i do.

thank you

April 04, 2009

Permalink

If you introduce an autoupdate function you must have an option to disable the updates.
People must have the ability to choose for them selfs when they should update the software, if they want to.

Depending on what settings you use in torrc it could become a securityrisk if the software updates itself and don't work as supposed thereafter, as has happened numerous time before when one changes versions.

Also the software should not "dial home"/check for updates with certain intervalls if you disable this autoupdate function, it could also be an security issue.

November 24, 2009

Permalink

oh, i'm sure people will want a "friendly" auto-update on their software

a "friendly" auto-update feature:

when they "friendly" pop-up a message to tell you to update

or

when they "friendly" pop-up a message to tell you to update now or update later, very "friendly" because there is no "no" option, only "now" or "later"

or

when they "friendly" pop-up a message to tell you "update" is progressing because you click yes when you were installing a software where they place the information in some place "important!!! please read!"

or

when they "friendly" pop-up message to tell you "update" is finished because "see above"

or

when they "friendly" update your software without any message

WOW!!!! VERY FRIENDLY!!!!

March 25, 2010

Permalink

would an auto-update help me use Google search? Google search requires a captcha that doesn't work in my Ubuntu Firefox Tor Privoxy Vidalia Tor-Button setup. the Google captcha shows up fine and i can usually work out the letters but all i get is another captcha.

perhaps you are not taking enough Google funding for code improvements? maybe if you ask for more, they will allow Tor users like me to use their search engine? maybe they can offer some helpful code changes to make Tor more compatible with their particular search engine?

omg. i can't post here. cookies are required for captcha validation. aren't Tor users recommended to turn off cookies to allow for greater anonymity? as far as Google's captcha, doesn't allowing them a unique ID tracking cookie defeat the purpose of Tor?

April 20, 2010

Permalink

I have tried to set up TOR and it reportedly did not work so simplifying it would be a good idea. But 19/04/2010 in Australia a show called 4 corners had a very good story about the allegations of China using spy and tracking software and worms as well as other methods to obtain information from businesses and Government agencies alike in the wake of Rio Tinto. The allegations were very serious and concerning not just for business but for individuals going there for holidays. I had been in China 3 times and on my first visit we stayed in a hotel for a week. My personal address book went missing from our room. I did not make a fuss over it but it was a concern as I was wondering who would be interested in obtaining this information as I was not a person whom would be considered to be in possession of any secrets or information that would not be available to any police or government agency. How ever it did spoil a wonderful holiday and it happened at the end of our stay. I did not even tell my wife and she is Chinese. Surprisingly Google was one of the first companies to report their suspicion about the hack attacks and spy ware coming from China. I know Google keeps a record of browsing histories and other information when we use it. I have done some I.T courses for networking and the teachers were quick to point this out. Nothing on the internet is secret all we can do is try to minimize the effects we may suffer and hope we have not been compromised so as to loose our bank account details and other information we may consider precious. The problem is that it can get a lot more serious including black mail and extortion as well as trying to set up individuals with criminal offenses and coerce them into situations that would have them compromise their employers and spy on them. But this is not necessary these days as a lot more information can be obtained from servers that have a large data base on a very large number of people and companies. The security requirements and I.T. knowledge for 90% of the individuals are probably not reachable and even corporate basic trained PC users would struggle as it is advisable to remove your phone (like blueberry) batteries before going to meetings.The show forgot to mention that blue tooth technology can also be used to hack into mobiles from any location as long as an connection can be established ( there are programs that can be purchased or obtained to hack into mobiles from mobiles). Not sure if newer mobiles have had the security upgraded to prevent this. So is this Google funding proposal a concern? Yes, but only if it is an attempt by Google to misuse the Tor service. But I am sure they would be able to work around the tor program if they really wanted to anyway. Perhaps they are trying to get better security for anonymous surfing and get some one else to help with the program as they now fear the outcome if their data bases are compromised. Not only that there are a lot of people using Tor programs for corporate , personal and other reasons. If the crims or agents are using similar programs there are commercial options available. And Tor would not be my choice if I had millions of dollars to spend or had a multi million dollar empire or even worked for any organization that had professional I.T. People and security infrastructure in place. And if you fear the federal agencies or state police spying on you, well you are very silly as they have ways of penetrating and obtaining most of our details it would be a matter of time and most of us would get busted within minutes. Now I.T. Teachers consider hackers as good guys as they help expose vulnerabilities that certain Operating Systems have in Particular M S Windows as it is most widely used. And most of the people using computers use Microsoft products.. Privacy legislations are just a snow ball effect to give us a false sense of security, as in reality privacy is something we are told we are legally entitled to but these days with so many data bases around the globe such as Police, Government, Health, ISP, Business, to mention a few. Unless you are from a very distant remote and backward place your details can be purchased or discovered/ revealed and you are going to have to be a ghost to remain anonymous. Mobile telephones can be tracked by satellite and conversations can be listened in on. Bugging by organizations could be done from exchanges decades ago these days it would probably be a lot easier with new technological advances and gizmos. The old dial up INTERNET service was a lot more secure than Networked computers. Hiding your IP address or masking it may protect you from some but it is no guarantee and I dare guess it will not keep you safe for long if someone who is trained in security network hacking and has the resources to get to you. I am told by some that this is impossible unless your computer is compromised and that the spy or villain would have to have access to your machine. Well I some how believe that this may not be 100% true as your machine may have been compromised within minutes of your Initial Internet access. And this was confirmed by some Networking teachers I had. The safest option is to keep a separate NON Network PC with all your personal files and use a network PC for the transfer of the information you need to be exchanged and for browsing. But you still run the risk of infecting the non Internet PC when you transfer files to it as certain viruses and malware needs to have continuous Security updates to have protection against the new viruses or add ware and spy ware. So your computer may suffer a sudden glitch so you would have to have a back up. Sounds like a catch 22. The biggest problem seems to be the ports that can be accessed and are open when the Operating system is written. I would like to say that Microsoft is the easiest to get into but that may not be true as I have had connections from servers using ubuntu on ports that were alien to me as I discovered that communications for updates and other reasons were what I assume placed on the OS by design but at least the tools were available to back track these as standard network tools on the OS. Where with MS products it is not that easy if you don't know how to do it and there are a lot more trained people that can hack into MS products than Linux. This is my assumption judged by the most widely used for training and other uses. So if browser security is your main concern I'd be inclined to user the least popular one or the least known one but then you may find that this may also have draw backs as if ti is open source there may be spy ware or glitches already programmed into it or vulnerabilities that were not intentionally placed on it. This would leave you at a higher risk from those that can exploit this unless you are an expert programmer and check the browser code before you start to use it and maintain the security of this personsly. But how clever and trained is the average PC user?

September 27, 2010

Permalink

I could not agree more with the anonymous poster who pointed out that Google is, in fact, quite hostile to Tor users and anyone else who would attempt to foil Google's user tracking mechanisms.
This isn't about Google being a "good" company; this is about Google's ability to maximize profit through the perfection of complete user profiles, and the sale (or compelled disclosure) of those profiles to Google clients and any government who asks. Tor users don't want Google to have these powers: that's why they use Tor! This produces a FUNDAMENTAL conflict of interest when Google, claw-in-glove and out of the "goodness" of their hearts, dangles money in front of certain Tor developers.
Make no mistake about it. Google’s funding of Tor will give it the power to destroy or effectively disable Tor’s ability to protect Tor users, and must be vigorously opposed. We must find some way to satisfy the lust for money on the part of certain Tor developers OTHER THAN TO HAVE GOOGLE PUT THEM ON THE PAYROLL. Perhaps, we should throw the rascals right out. Let them go to work for Google, where we can keep a proper eye on them! Failing this, we need to think hard and fast about alternatives to Tor!

May 15, 2011

Permalink

who ever thinks Google is not in bed with the GOV bureaucrats is a fool, read the news.

And once again, the CAPTCHA NEVER works, I have yet to get past it. I have to use Yahoo with Tor.
Google is NOT working with Tor users, but rather against them.

Google has gotten too large, they need to be boycott. STOP USING GOOGLE search engine and their services. The only thing they're good for is Google Earth. This reminds me of the Malaysia ISP that block all Torrent traffic with no option to use it.

Stop using Google fools.

September 28, 2011

Permalink

so this feature was abandoned? is there even a trac ticket for it?

January 07, 2012

Permalink

google released statistics about how many items they have to remove from youtube or their search results. They did it to combat government censorship in western countries.

On-Topic: Wish this feature would exist...

May 04, 2012

Permalink

what happened to this auto update feature?

btw im thinking it should be simple to write a .bat script or similar to check for new versions of tor and autoupdate it, i cant be the only one to have thought of this, does anyone know of a decent implementation of an autoupdate script for windows?