They even have a non-free option that eliminates the VPN as a proxy feature.
"Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that users' device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wifi (not on cellular)). This makes Hola the first VPN service without underlying operational costs. Although Hola doesn't need to pay for bandwidth, we still need to pay the engineers who create, maintain and keep improving the free Hola service. Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand). This is what allows us to keep Hola free for our users. Users who want to enjoy the Hola network without contributing their idle resources can do so by joining the Hola premium service for $5 per month (or $45 per year)."
The Luminati angle is new, but the fact that free Hola users are used as peers or exit nodes is common knowledge among better informed users. I've warned others of that fact in the past myself.
Of course, I imagine most users are not so well informed.
Indeed, I knew for a while too, but I let it go so long as all posts were made by humans.
But selling an API at $20/GB (bandwidth you pay $0 for) to flood message boards and scrape search engines from random people's IPs without their consent is horribly unethical in my opinion.
Edited to add: I also see it as a breach of trust in the original agreement, even if you were fully informed that by installing Hola you become an exit node. Originally you were an exit node for other humans, and this was reasonably "secure" due to the fact that Hola hadn't been reverse engineered yet. But when Hola released the first party flood/scrape API Luminati they changed the agreement after the fact, even if they didn't have to change the EULA to permit this.
Not to downplay this issue, but wouldn't one simply assume it works this way?
I mean, how else would it work, Hola operating their own proxies and giving all of that infrastructure and bandwidth away for free?
Of course it would be P2P and would turn the user into a supplier of data and bandwidth to others. This basic model has been in use for "illegal" content for well over a decade now.
Now how they exploit that bandwidth is a different matter. Conflating those two is what will give you the "meh" reaction.
Also, "accusing" Hola of being unethical because it has no recognizable signature is another red herring. Of course it hasn't, otherwise it would get blocked by the geotarded services it is supposed to unblock. It's not an evil feature in itself.
The Luminati exploitation angle is the issue. Everything else about Hola is either transparent or at least pretty damn obvious.
I agree with most of what you said. When you're downloading proxy/vpn software like this, it's either P2P (and you're sharing your own resources) or it's centralized. They could make this clearer in the blurb to download the software, but they don't hide this fact and in fact make it clear from their FAQs and pricing pages.
But the Luminati angle is nothing different. It would make abusing the proxy network easier (from a technical perspective) but it's nothing you couldn't do with Hola alone. Luminati is just API access to Hola along with expensive pricing and a screening interview with sales staff. You could hack your own API out of only Hola if you really wanted.
The real story is that last time I checked, all their US exit nodes come from Digital Ocean, which is hardly worth $20/GB (should be more like $5/TB). I guess they don't have a lot of US users.
Agree that free proxies aren't free. But how many people would know about proxies. For most of the people if a content is country blocked, a google search and first or second link click solution will end up with hola installed, no more question asked. I think we should do better than "Don't use if you don't know" argument.
> As you can see, there is no mention of Luminati, or the underlying mechanics at all.
They didn't write "Luminati" but they wrote this:
"Hola and Hola premium are free for private, non-commercial use. For a commercial license to Hola please contact [...]. Your commercial license will provide you with these additional features: Hola For business: License to use Hola for commercial purposes.
Automation: developer API that enable controlling the routing of your HTTP requests via software.
Allow many concurrent sessions.
High bandwidth/high request rate with multiple IPs.
More precise resolution of exit node IP.
Faster changing of IP.
Engineering technical support."
"Typical VPNs need to maintain servers in various countries and to route your traffic through those servers in order to change your IP. This is very expensive. Hola is a network of peers that help each other to access sites, thereby eliminating the need for servers, and thus operating without costs."
It looks like they clarified their story, not changed it? It did say that it uses idle resources collaboratively...I'm not really trying to argue, just wondering if it was really that deceptive. I had never heard of them until this post.
> It did say that it uses idle resources collaboratively
So does Folding@Home. So does tor onion routing (relay node). Nowhere did it say outside of the EULA that they are using all their users as exit nodes.
They failed to specify which "resources". It's indefensible, and people would have fallen for this cover up had Google not archived it.
I see this Hola thing get upvoted all the time on reddit as a way to watch region-locked videos. Pretty disgusting that they've tricked millions into installing their software without informing them of all the illegal activities that could be funneled through their IP.
Even if they had said it all along in their FAQ, it's still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola's site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this.
What happens is that someone who has already installed Hola, and who is ignorant by design as to what the extension actually does, tells a friend about Hola; the friend installs it, sees the expected functionality, is unaware of the malicious functionality, and the pyramid of ignorance continues to grow after he tells his own friends about how great Hola is.
These few sentences written in the sidebar here [1] are all that at least 7,102,584 of Hola's victims ever saw (judging by the install count for this malicious Chrome extension):
Access websites blocked in your country, company or school with Hola! Hola is free and easy to use!
FREE and secure VPN. Access websites blocked or censored in your country, company or school and stream media with the free Hola Unblocker VPN proxy service.
Hola is a free and ad-free VPN proxy service that provides a faster and more open Internet.
At no point do they attempt to make it clear in the slightest that they turn your browser into a for-profit bot net node, nor that your own browser becomes a proxy for others. In all venues where Hola expects 99.9% of interested parties to see their product pitch, they intentionally convey the false impression that they personally own their own VPN proxy backends.
Aside from all of that, hiding an explanation of your malware's behavior in the FAQ on some website no one ever sees doesn't suddenly transform it into normal, respectable software. Malware is malware, and bot nets are bot nets.
This is yet another criminal enterprise allowed to flourish and fester simply because Google refuses to police browser extensions in the Chrome web store.
Google runs what I assume must be the largest de facto Universal XSS exploit breeding ground in the world (Chrome extensions in the Chrome web store), and yet they refuse to police its contents.
Here's a recent example. I run AdSense on my site, and it kept running the same ad for an atrocious web game that a 10 year old could have made as their first programming project. I eventually saw the exact same ad running on another site, so I clicked it there in order to avoid the absurd rule that clicking ads on your own site gets you banned from AdSense. (Why don't they just silently discard those clicks, since they know they are from the publisher?) Clicking the ad took me to a page which did not have a game at all; it just falsely claimed you could play a game if you installed their malware browser extension, which it immediately prompted me to install [2]. The extension actually has nothing whatsoever to do with games. It doesn't enable you to play a game at all, anywhere. All it does is replace ads across the entire web with ads from its own ad network for the remainder of the lifetime of that computer. The extension has millions of installs and probably causes Google to lose seven figures per year in AdSense revenue due to so many AdSense ads being replaced with ads from another network. I also think it's funny that ads were being run on my site for the specific purpose of installing malware that would replace the ads and destroy the ad revenue for the very same site that helped it get installed in the first place. I reported this extension three times using the official report forms for the directly relevant teams at Google (even explaining in detail how it damages their own AdSense platform, so unlike a typical consumer complaint, this was actually affecting their profits and they should listen for once), and I was consistently ignored.
I'm not sure I understand your logic here. They've come up with a clever way to create a sustainable, free vpn service, with the ability to easily opt-out for a still reasonable price. All the while clearly stating how it all works in their FAQ.
To play devil's advocate: isn't this kind of a good thing for privacy though? If everyone routed everyone else's stuff, it will decouple the notion that IP = person.
Although the service seems shady, if everyone did this wouldn't it be for the better? (albeit at cost of slower connections)
Sure, except for the poor soul that was looking for some anonymity, and now has the FBI knocking on her door with a mandate, because of a shady service that didn't disclose what it was doing to your connection.
Decoupling IP from people won't happen anytime soon. It's better for law enforcement to just go, seize everything, and deal with the false positives later.
See the long list of "suggestions" for people interested in running their own tor exit node [1]. This is not something you should even think about doing from your personal home, mixed with your own traffic. It's asking for trouble.
You can already decouple the notion that IP = person if you look at public wifi hotspots, where one IP address will typically correspond to hundreds or even thousands of devices owned by the customers of the hotspot's owner (like a Starbucks or McDonald's location) plus (depending on the setup and whether or not the hotspot is on a separate WAN connection) the company's own machines.
This, come to think of it, sounds like a more ideal approach to creating exit nodes (whether for Tor, a more traditional VPN, etc.). Some low-profile innocuous-looking wall wart - perhaps with USB ports to double as a USB charging station, or some other "clever" disguise - could really be an "exit-node-in-a-box", relaying Tor users through public wifi hotspots in restaurants, hospitals, etc. I reckon this will be more prevalent if any jurisdictions start doing silly things like holding people liable for what their computers emit when they run exit nodes (or - worse - ban Tor, VPNs, etc. outright).
It provides plausible deniability. It wasn't me, it was Hola.
The issue is there's no informed consent. Outside of /r/netsec, /r/techsupport and HN etc, there probably aren't people who know how Hola works and what the implications are.
You can bet the majority of Hola users don't know what a MITM attack is. I'd wager more than half wouldn't know what a bot net is, or what an exit node is.
I'm not sure that plausible deniability has much value if, say, a user's ISP has a policy of suspending accounts that attract too many complaints about copyright, hacking, spam, etc. The account itself is a nuisance to them, regardless of whose fault it is.
You're right, it would be good for privacy if we can convince the courts that users installing the software are not responsible for the traffic of other users. I'm afraid this argument will fall on deaf ears.
That's exactly the point, people hosting tor exit nodes are very aware of the risk they're taking. Hola users aren't.
Most people use Hola to watch internet shows not available in their country. Or, for example, some people use Hola to watch southparkstudios from Sweden, because it's freely available there, but in the US it requires hulu plus.
I'm on a college campus, I am always peeking at people's screens in the library and I'll see the little Hola flame in their navbar. I even saw it on a CS grad student's browser once before class.
I'm sure people do all kinds of things. My question is, do the people running exit nodes actually get in legal trouble for traffic that happens to transit their routers? It seems to be an accepted bit of folk wisdom that they do, but I cannot find many actual, documented cases where it has actually happened. This leaves me wondering whether the widely-assumed legal risk is real or just an urban legend.
This is basically why you never want to use a proprietary client with any VPN service, you don't know what you're getting into at all. At least with PPtP/L2TP/OpenVPN based services you can use well known clients or OS vendor provided clients that are unlikely to have little goodies like this.
Hola's goal is to make the internet faster and fully accessible to everyone. Install Hola on your PC, phone or tablet to make your internet faster, more open and more anonymous. Hola lets you have unlimited access to information that is otherwise not available in your geography while protecting your online privacy. It also lets you stream videos faster than ever before. Hola is a collaborative internet -- it works by sharing the idle resources of its users for the benefit of all.
This doesn't at all explain the associated risks in a manner that the average user can understand it. It's presented as a feature, rather than the risk it really is.
I had also broken down the way this works a long while ago and found they have a lot more proxies than this. In some cases they just have a digitalocean VPS running somewhere to help beef up the network.
It was only recently that they started requiring user auth for the proxy access; earlier it was a free for all without any auth at all. Now they have the option to track which accounts are causing traffic on their network and potentially put a stop to them (not that it isn't difficult to get around).
This made me laugh--I wonder how many innocent people are going to have the FBI kick their doors down for things that passed through their "exit nodes" that they hosted.
I wish it was the other way around, mass-spread sharing of internet access leading to it becoming the norm and people finally getting some privacy from mixing their connections.
Judging by in what context I have read about Hola so far, I guess the biggest use case is to circumvent geo block to access things like Netflix.
But yeah, ever since I learned that I am acting as an exit node for others I have stopped using the service as I do not want to be the one answering for stuff others have done in my name(IP).
What if a node messes with the response and returns fake data? Do they route the request over multiple nodes and compare the results? Then what if someone owns a lot of nodes?
I've reverse engineered it a long time ago and am using their proxy clients (ZAgents as they refer to them internally) as proxies for clicking on my own ads. I have their username and password and a list of dyndns domains. Email me if you want the data.
If they are in the EU – great, the right to learn covers the right to take apart, understand, reassemble, and remix any technology that you have a license to use and where, during the process, the original owner has no material losses.
So, if he's in the EU, he can do it. (IANAL, but this was the conclusion of an EUGH decision). Otherwise it gets harder.
There is a decision from the european court of justice on this matter, it is also the only info existing on the topic.
(I can’t find the ruling right now either)
Two companies were involved, company A and company B. Company A developed an office suite containing a macro language, company B developed their own office suite and wanted to have compatibility to the macro language of company A’s suite.
So company B decompiled company A’s suite, copied the decompiled code of their APIs and built their own interpreter.
The court ruled that while source code itself is a copyrightable creative work, compiling and decompiling it produces code that is not directly related anymore, and, while it is based on the original code, the only similarities between both types of code are that they describe the same algorithms. But, per european law, algorithms are not copyrightable, only patentable, so the result of a decompilation step is not directly copyrighted work.
Additionally they argued that in other industries, like automobiles, it is common to take apart the products of your competitors, analyze them, and use the knowledge gained for your own products (unless you infringe patents, of course).
And this basic right to own stuff also gives you the right to take apart stuff you have a license to use under the condition that it does not provide a direct loss for the person selling you the license, for example you can not take apart a rented car, but you can take apart a car you bought.
Additionally the court argued that this right can not be signed away, not even in private contracts or through ToS or EULAs, as it would severely restrict the right to "own" stuff.
IANAL, this is not legal advice, consult a lawyer (or rather several, this topic is complex) if you intend to use this as defense in court.
I assume they forward the requests to their own servers? In that case there isn't much to reverse engineer without access to their servers. Unless they use some kind of P2P system, which I doubt.
'Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers'.
It's a mix of both. Each peer connects to one of their servers which then acts as the middle-man for the traffic between users. The descriptions they use are incredibly incorrect in so many places. Reads like they have some marketing guys with a vague idea of how it works writing it up.
So far as I can tell, there is no way to tell if an IP has the Hola VPN software installed or not: no tell tale open port, no special header from Luminati, and no specific range.
Then, immediately in the next paragraph:
An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.
How was that conclusion arrived at? Am I missing something here?
"Ah, the user flooding himself (Bui) spilled the beans and told me how he did it voluntarily in IRC. Otherwise I'd have no clue." -Fredrick Brennan (8chan)
Anyone like to recommend a browser-extension-based VPN tool that's a bit more respectful than Hola and is relatively cheap?
(Of course I run my own VPN server using OpenVPN, but Hola is really convenient when I'm only trying to get an American IP to avoid Australian geoblocking - it's also easy for non-technical friends to use.)
Spin up VPS instances across multiple cities, countries and continents.
Hook them up with Docker and connect them with Swarm.
Label them with an IP/city/country/continent combination.
Use Docker Swarm's affinity labelling to start instances in a particular city when needed. Additionally record the last IPs used and use Swarm to not deploy to those servers.
Cost of spinning up VPS instances and maintaining the software needed (to automatically close/open new ones and provision them) could be higher than the $20/GB pricing Luminati offers.
I doubt that if they sell their users as bots they will do anything about the network being used as a botnet and there is nothing you can do about it, especially considering the users 'responsible' won't even know what they are taking part in.
It's not clear that part of the article is even true.
They appear to just sell VPN server by the GB. I see nothing about a botnet in there, there is no traffic amplification or ability to run programs on the clients.
The point of that bit is that it's not only possible, but borderline-trivial, for a malicious application (e.g. spambot, DDoSbot, etc.) to hook into the API and flood a target using Hola users as endpoints; the article states that such an incident has already happened, and that 24-hour captchas have been instituted for all users as a result in an attempt to stifle future such attacks on 8chan.
For technically inclined people, setting up your own SOCKS proxy is the simplest method possible.
1. Get a cheap server (ex: DigitalOcean $5/month) in the city/country you want to connect through.
2. Add these 2 lines to /etc/ssh/sshd_config:
AllowTcpForwarding yes
GatewayPorts yes
3. Restart sshd (service ssh restart), or restart the server.
4. Connect to the server setting a dynamic port forward. On linux or Mac, this is just "ssh -D 8000 user@domain.com". On Windows, putty lets you set a dynamic port forward.
5. Personally I use Chrome for my real browsing, and then use Firefox for the proxy since it allows configuring a proxy for the browser only rather than the entire operating system. You just set the SOCKS proxy under advanced networking settings (host 127.0.0.1, port 8000).
6. If you want all internet traffic to go over the proxy rather than just Firefox, this is easy on Mac through the Network Preferences panel. I'm not able to comment on linux/Windows in this regard.
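The ssh -D SOCKS setup from the post above, as an added shell example that is not from any commenter: it checks the sshd_config keywords the post names (AllowTcpForwarding is what -D needs; GatewayPorts only governs -R remote forwards, so it is flagged rather than required), builds the tunnel command bound to loopback, and verifies through curl that requests, including DNS resolution, leave via the proxy. The user, host and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the ssh -D SOCKS proxy from the post above,
# with the checks a careful operator runs before trusting it.
# SSH_USER/SSH_HOST/SOCKS_PORT below are placeholders; set them for your own VPS.

# check_sshd_config FILE
# Returns 0 when the effective AllowTcpForwarding value permits client-side
# (-L/-D) forwards. sshd defaults to "yes" when the keyword is absent and the
# first uncommented occurrence wins, which this mirrors (keywords are
# case-insensitive in sshd_config).
check_sshd_config() {
    val=$(awk 'tolower($1) == "allowtcpforwarding" { print tolower($2); exit }' "$1")
    case "${val:-yes}" in
        yes|all|local) return 0 ;;
        *) return 1 ;;
    esac
}

# gateway_ports_note FILE
# Prints a note if GatewayPorts is enabled: it only controls who may reach
# ports opened by -R (remote) forwards, so it does nothing for -D and widens
# exposure of any remote forwards on the server. Returns 0 if a note was printed.
gateway_ports_note() {
    val=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    case "$val" in
        yes|clientspecified)
            echo "GatewayPorts $val: unnecessary for ssh -D; remove unless you use -R forwards"
            return 0 ;;
        *) return 1 ;;
    esac
}

# build_tunnel_cmd USER HOST PORT
# -N: no remote shell; -D bound to 127.0.0.1 so the SOCKS port is not reachable
# from the LAN; ExitOnForwardFailure so a port clash fails loudly instead of
# leaving ssh connected with no proxy behind it.
build_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s@%s' "$3" "$1" "$2"
}

# proxy_http_status PORT URL
# Fetches URL through the SOCKS proxy and prints the HTTP status code.
# --socks5-hostname hands the hostname to the proxy for resolution, so DNS also
# leaves via the VPS; plain --socks5 resolves locally and leaks the lookup to
# the local network (Firefox's "Proxy DNS when using SOCKS v5" is the same choice).
proxy_http_status() {
    curl -sS --max-time 15 --socks5-hostname "127.0.0.1:$1" -o /dev/null -w '%{http_code}' "$2"
}

# Stand-alone usage with placeholder values; only runs when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    SSH_USER=alice; SSH_HOST=vps.example.com; SOCKS_PORT=8000
    if gateway_ports_note /etc/ssh/sshd_config 2>/dev/null; then :; fi
    cmd=$(build_tunnel_cmd "$SSH_USER" "$SSH_HOST" "$SOCKS_PORT")
    echo "starting: $cmd"
    $cmd &
    TUNNEL_PID=$!
    sleep 3
    echo "status via proxy: $(proxy_http_status "$SOCKS_PORT" https://example.com/)"
    kill "$TUNNEL_PID"
fi
```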
1) If you want everything, UDP data, non-SOCKS supporting apps, etc to go through, you're better off configuring an OpenVPN server. It takes some extra effort, but this allows it to work easily on mobile platforms and stuff too.
2) If you want to use this from a restricted network, use port 443 (for OpenVPN or SSH).
3) If your network is extremely strict, use stunnel to make it look exactly like standard SSL web traffic. I've written a helper app for people who need this on Android, https://github.com/ultramancool/Stunneler
It actually leads to much better performance than using someone else's home connection. Any VPN or proxy will have some performance penalty associated with it.
https://www.privateinternetaccess.com/ (PIA) works for me. Of course with any VPN you run the risk of providing all of your information through a (potentially) captured source.
I use NordVPN, which I have no complaints about. But occasionally I'll get a 1 week token from cryptostorm (https://cryptostorm.is/)
They have an interesting model: you buy a token that expires after a certain length of time (1 week, 1 month, 1 year, etc). The clock doesn't start ticking until the first time you log in. Instead of registering a username/password, you're sent the token via email and your login ends up being a sha512 hash of the token for the username. There is no password associated, just the hash of the token is all you need.
I like this because you're able to buy 'disposable' accounts basically. They take bitcoin and some alt coins too, which is nice. DNS protection and access to .onion and .bit domains. It all seems pretty solid. NordVPN tends to be a little bit faster for me, though it may depend on which servers you use.
i've been renting a cheap-as-dirt vps ($15/yr) and just using sshuttle[0] to proxy through it which works great for my circumstances (my school blocks nonstandard ports but is just dandy with 22)
And just in case you're in a network that does block access to port 22, use sslh to listen to port 443 and map all ssh traffic to port 22 (and all https traffic to httpd, and all openvpn traffic to 1194).
Are you arguing against anonymity on the internet altogether? IMO Mr. Brennan is a hero for taking on the risks associated with hosting an anonymous image board and not backing down in the face of people who time and time again continue to slander his name.
I don't want to live in a world where people live in fear of hosting an anonymous image board.
For the record, Brennan has admitted that 8chan has boards for sexualizing minors (which is legal) though he doesn't support them.
"
Unfortunately, yes. I don’t support the content on the boards you mentioned, but it is simply the cost of free speech and being the only active site to not impose more 'laws' than those that were passed in Washington, D.C.
...if you want /doll/ shut down you should instead focus on the studios who are producing this content. Some of them are even legally based in the USA. That’s the real story here, not some perverts posting them online after the fact.
"
[ephe] clothed teens are legal under US law - but only if they do not fail the DOST test.
[nmmodels] young models and jailbait are legal under US law. blame the parents putting their kids into young beauty pageants, not pedophiles. write your representative to make them illegal.
cuteboys is a board for transgirls, gay guys, and crossdressers, along with others that don't fit the binary. you're not some homophobe / transphobe, are you? these people are consenting adults.
if you seriously think child porn could exist in the open on the Internet in 2015, you are delusional. the FBI regularly arrests people, and takes down people for hosting CP.
your argument literally only is supported by feels, not reals. everything that you have linked is legal under US law.
This is not "proof" of him knowingly hosting child pornography. Sites get accused of such things all the time and I personally believe there is a group of people who intentionally orchestrated this fiasco.
I visited the 8chan links you posted and didn't see any child pornography. It seems to me like you're trying a little too hard to paint this guy as some kind of pedophile. I don't completely agree with the types of things being posted, but I didn't see anything illegal.
Of course a site that allows anyone to create their own board is going to have some politically incorrect boards.
Reddit has had similar problems and you can still find sub reddits for the same things there.
I suppose you're against free speech completely then?
For someone who claims to be anti-child porn you sure did find those links fast, almost like you had them bookmarked..
/cuteboys/ in particular is a board for effeminate gay men, that does not allow underaged posters or pictures thereof. Just goes to show how zodiakzz hasn't bothered to actually visit or understand the site he's crusading against.
Seeing as zodiakzz seems to be completely against free speech I wouldn't be surprised if he/she equates homosexuality with pedophilia. It seems to always be the people who crusade against pedophiles who end up being the child abusers.
(see how easy it is to make unfounded assumptions about people?)
I see nothing in zodiakzz's comments which suggests that they are 'completely against free speech,' and your personal attacks are completely out of line and against the culture and terms of Hacker News.
It's all well and good to dispute their sources, but at least they brought sources to dispute.
zodiakzz is the one who engaged in personal attacks against the founder of 8chan to begin with. I'm simply giving him a taste of his own medicine.
My post highlights how easy it is to make unfounded assumptions about people on the internet.
Thanks for helping me prove my point.
Edit: oh and btw, zodiakzz did post a link to forum specifically for gay men as "proof" of 8chan hosting pedophilic content, so it's not much of a stretch to believe he lumps homosexuals in the same group as pedophiles.
Proving you're willing to stoop to their level doesn't prove them wrong, though. All it does is get a potentially interesting thread flagged into oblivion.
I was not trying to "prove them wrong", just highlight the absurdity. I guess I should have made it more clear in my original post. I'm sorry. I let my "smart ass" side get the best of me.
zxcvcxz could have been a bit more civil about it, but "You seem rather high on the moral horse for someone hosting child/underage porn." is a kind of personal attack as well. You're right about "stooping to their level," though; it would have been better if zxcvcz had made their intent clear with an addition like "see how easy it is to make uncharitable assumptions about people?" in the original post.
And while zodiakzz may not have made any explicit statements about wanting to enforce limits on freedom of speech, it's a fairly safe assumption to make of the kind of people that feel the need to follow Fredrick around all over the internet, posting uninformed slander, reporting him to payment and crowdfunding services, and/or (topically) using botnets to DDoS his site. Hint: They don't care about similar or worse content being hosted on other user generated content sites, it's all about getting back at him for providing hosting to maligned groups like GamerGate, and killing intelligent discussion or attempts at reconciliation before they can happen by derailing threads.
Explain what is wrong with gamergate. I don't game so I don't know. Seems to me reddit is the site you should be hating.
Edit: Actually after thinking it over, it's free speech you should be against.
It really sucks when sites host opinions you don't agree with doesn't it? I googled gamer gate and they seem to be against people exactly like you: People who want to shut down other peoples opinions that they don't agree with.
Yes, exactly! It is meaningless as a term, lacking any referent, but oh so useful as a shibboleth: anyone who believes in it can be killfiled on sight.
What's wrong with gamergate is that they pissed off the media. Officially, it's because they're trying to harass women out of gaming, but (a) they're not, and (b) almost everyone opposed to them is quite happy to side with people who are just because gamergate is against them. Like, there's one guy who sent a massive number of specific, actionable death threats against Leigh Alexander and other women in tech, and pretty much everyone has sided with him because gamergate tried to get the police to take action against his threats and portrayed this as proof gg is evil, even though that's exactly what they're supposedly calling for the police to do.
The most ridiculous thing is, there are actually boards on 8chan that actually do the things gamergate is accused of, like swatting, doxing and so on, but they usually get a free pass because no-one cares about those things anymore except as a way to attack gamergate.