Hola VPN turns 10M users into exit nodes - ivank
https://8ch.net/hola.html
======
dchuk
They explicitly state in their FAQ how this works and why their service is
able to be free:
[http://hola.org/faq#in_how_is_free](http://hola.org/faq#in_how_is_free)

They even have a non-free option that eliminates the VPN as a proxy feature.

"Hola built a peer to peer overlay network for HTTP, which securely routes the
sites you choose through other Hola users' devices and not through expensive
servers. Hola never takes up valuable resources from these users, since it
only uses a user as a proxy if that users' device is completely idle (meaning
device is connected to electric power (not on battery), no mouse or keyboard
activity is detected, and device is connected to the local network or Wifi
(not on cellular)). This makes Hola the first VPN service without underlying
operational costs. Although Hola doesn't need to pay for bandwidth, we still
need to pay the engineers who create, maintain and keep improving the free
Hola service. Hola generates revenue by selling a commercial version of the
Hola VPN service to businesses (through our Luminati brand). This is what
allows us to keep Hola free for our users. Users who want to enjoy the Hola
network without contributing their idle resources can do so by joining the
Hola premium service for $5 per month (or $45 per year)."

~~~
8chan
Hello, Fredrick Brennan here (8chan owner).

They changed their FAQ _IN RESPONSE_ to my breaking the story on this.

Proof:

Google cache of Hola FAQ as of 26 May:
[https://archive.is/tgujS](https://archive.is/tgujS)

As you can see, there is no mention of Luminati, or the underlying mechanics
at all.

I published hola.html and updated my global announcement just hours before the
FAQ change:
[https://twitter.com/infinitechan/status/603178141650026498](https://twitter.com/infinitechan/status/603178141650026498)

There are millions of users who installed this and do not know how it works.
Please do not downplay this issue.

~~~
makeitsuckless
Not to downplay this issue, but wouldn't one simply assume it works this way?

I mean, how else would it work, Hola operating their own proxies and giving
all of that infrastructure and bandwidth away for free?

Of course it would be P2P and would turn the user into a supplier of data and
bandwidth to others. This basic model has been in use for "illegal" content
for well over a decade now.

Now how they exploit that bandwidth is a different matter. Conflating those
two is what will give you the "meh" reaction.

Also, "accusing" Hola of being unethical because it has no recognizable
signature is another red herring. Of course it hasn't, otherwise it would get
blocked by the geotarded services it is supposed to unblock. It's not an evil
feature in itself.

The Luminati exploitation angle is the issue. Everything else about Hola is
either transparent or at least pretty damn obvious.

~~~
logn
I agree with most of what you said. When you're downloading proxy/vpn software
like this, it's either P2P (and you're sharing your own resources) or it's
centralized. They could make this clearer in the blurb to download the
software, but they don't hide this fact and in fact make it clear from their
FAQs and pricing pages.

But the Luminati angle is nothing different. It would make abusing the proxy
network easier (from a technical perspective) but it's nothing you couldn't do
with Hola alone. Luminati is just API access to Hola along with expensive
pricing and a screening interview with sales staff. You could hack your own
API out of only Hola if you really wanted.

The real story is that last time I checked, all their US exit nodes come from
Digital Ocean, which is hardly worth $20/GB (should be more like $5/TB). I
guess they don't have a lot of US users.

------
bifrost
This is basically why you never want to use a proprietary client with any VPN
service, you don't know what you're getting into at all. At least with
PPtP/L2TP/OpenVPN based services you can use well known clients or OS vendor
provided clients that are unlikely to have little goodies like this.

~~~
NeutronBoy
Hola explicitly say this is why they're able to offer the service for free
[http://hola.org/faq#in_how_is_free](http://hola.org/faq#in_how_is_free)

dchuk beat me to it!

~~~
Moru
Yes, now it says so. Didn't do that earlier :-)

~~~
manghoti
actually it did.

From the archive link provided by 8chan

Hola's goal is to make the internet faster and fully accessible to everyone.
Install Hola on your PC, phone or tablet to make your internet faster, more
open and more anonymous. Hola lets you have unlimited access to information
that is otherwise not available in your geography while protecting your online
privacy. It also lets you stream videos faster than ever before. Hola is a
collaborative internet -- it works by sharing the idle resources of its users
for the benefit of all.

The new version talks about luminati.

~~~
joepie91_
This doesn't _at all_ explain the associated risks in a manner that the
average user can understand it. It's presented as a feature, rather than the
risk it really is.

------
milankragujevic
If anyone cares for their proxy links, here they are:
[http://milankragujevic.com/uploads/hola/?ref=hackernews](http://milankragujevic.com/uploads/hola/?ref=hackernews)
And the blog post:
[http://milankragujevic.com/post.php?id=72&ref=hackernews&cid...](http://milankragujevic.com/post.php?id=72&ref=hackernews&cid=9615983)

~~~
prawnsalad
I had also broken down the way this works a long while ago and found they have
a _lot_ more proxies than this. In some cases they just have a digitalocean
VPS running somewhere to help beef up the network.

It was only recently that they started requiring user auth for the proxy
access; earlier it was a free-for-all without any auth at all. Now they have
the option to track which accounts are causing traffic on their network and
potentially put a stop to them (not that it isn't difficult to get around).

~~~
milankragujevic
Yes, you can enumerate the number of proxies from 1 to 999 with a while(true)
loop. However I just used their own api for this.

------
eyeareque
This made me laugh--I wonder how many innocent people are going to have the
FBI kick their doors down for things that passed through their "exit nodes"
that they hosted.

~~~
anc84
I wish it was the other way around, mass-spread sharing of internet access
leading to it becoming the norm and people finally getting some privacy from
mixing their connections.

------
tombozi
What if a node messes with the response and returns fake data? Do they route
the request over multiple nodes and compare the results? Then what if someone
owns a lot of nodes?

~~~
8chan
Hola's browser extension is proprietary. A friend of mine has been considering
reverse engineering it but is not sure of the laws.

~~~
milankragujevic
I've reverse engineered it a long time ago and am using their proxy clients
(ZAgents as they refer to them internally) as proxies for clicking on my own
ads. I have their username and password and a list of dyndns domains. Email me
if you want the data.

~~~
milankragujevic
Published the list here:
[http://milankragujevic.com/post.php?id=72&ref=hackernews&cid...](http://milankragujevic.com/post.php?id=72&ref=hackernews&cid=9615987)

------
userbinator
_So far as I can tell, there is no way to tell if an IP has the Hola VPN
software installed or not: no tell tale open port, no special header from
Luminati, and no specific range._

Then, immediately in the next paragraph:

_An attacker used the Luminati network to send thousands of legitimate-
looking POST requests to 8chan's post.php in 30 seconds, representing a 100x
spike over peak traffic and crashing PHP-FPM._

How was that conclusion arrived at? Am I missing something here?

~~~
darkengine
Copypaste is rate limited, he had this to say:
[https://twitter.com/HW_BEAT_THAT/status/603741442490642432](https://twitter.com/HW_BEAT_THAT/status/603741442490642432)

"The user flooding himself (Bui) spilled the beans and told me how he did it
voluntarily in IRC. Otherwise I'd have no clue."

------
ajdlinux
Anyone like to recommend a browser-extension-based VPN tool that's a bit more
respectful than Hola and is relatively cheap?

(Of course I run my own VPN server using OpenVPN, but Hola is really
convenient when I'm only trying to get an American IP to avoid Australian
geoblocking - it's also easy for non-technical friends to use.)

~~~
joelkesler
Tunnelbear recently released a chrome plugin for their VPN service. I hear
good things about it. (I personally use the application on my Mac)

~~~
DonGateley
Tunnelbear makes no claims relative to logging its users' activities or about
its responsiveness to requests for them. Beware.

~~~
svintus
We have a pretty clear and accessible privacy policy that addresses these
issues in detail:
[https://www.tunnelbear.com/privacy-policy/](https://www.tunnelbear.com/privacy-policy/)
TL;DR: no logging

~~~
DonGateley
Thanks for the correction. It's improved considerably from when I was
considering it.

------
batuhanicoz
Anyone know a better alternative to luminati.io? We've been using it in our
company but it feels expensive.

I thought this thread may be a good place to ask for an alternative.

~~~
tonyhb
Spin up VPS instances across multiple cities, countries and continents.

Hook them up with Docker and connect them with Swarm.

Label them with an IP/city/country/continent combination.

Use Docker Swarm's affinity labelling to start instances in a particular city
when needed. Additionally record the last IPs used and use Swarm to _not_
deploy to those servers.

~~~
batuhanicoz
We scrape more than 120,000 web pages per day.

The cost of spinning up VPS instances and maintaining the software needed (to
automatically close/open new ones and provision them) could be higher than the
$20/GB pricing Luminati offers.

~~~
tonyhb
I already have the tech after 3 years experience building this. I can rebuild
it for you. Contact details in my profile.

------
imron
> or allows domains to pay them off for such a rejection.

Thereby creating the world's largest extortion racket.

Yeah, maybe not such a good idea to encourage that sort of business model.

------
Gladdyu
I doubt that if they sell their users as bots they will do anything about the
network being used as a botnet and there is nothing you can do about it,
especially considering the users 'responsible' won't even know what they are
taking part in.

~~~
ars
It's not clear that part of the article is even true.

They appear to just sell VPN server by the GB. I see nothing about a botnet in
there, there is no traffic amplification or ability to run programs on the
clients.

~~~
yellowapple
The point of that bit is that it's not only possible, but borderline-trivial,
for a malicious application (e.g. spambot, DDoSbot, etc.) to hook into the API
and flood a target using Hola users as endpoints; the article states that such
an incident has already happened, and that 24-hour captchas have been
instituted for all users as a result in an attempt to stifle future such
attacks on 8chan.

------
albertoleal
Anyone have VPN recommendations?

~~~
developer1
For technically inclined people, setting up your own SOCKS proxy is the
simplest method possible.

1. Get a cheap server (ex: DigitalOcean $5/month) in the city/country you
want to connect through.

2. Add these 2 lines to /etc/ssh/sshd_config:

    AllowTcpForwarding yes

    GatewayPorts yes

3. Restart sshd (service ssh restart), or restart the server.

4. Connect to the server setting a dynamic port forward. On Linux or Mac,
this is just "ssh -D 8000 user@domain.com". On Windows, PuTTY lets you set a
dynamic port forward.

5. Personally I use Chrome for my real browsing, and then use Firefox for the
proxy since it allows configuring a proxy for the browser only rather than the
entire operating system. You just set the SOCKS proxy under advanced
networking settings (host 127.0.0.1, port 8000).

6. If you want all internet traffic to go over the proxy rather than just
Firefox, this is easy on Mac through the Network Preferences panel. I'm not
able to comment on Linux/Windows in this regard.
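As an added example (my own, not code from developer1's comment, from Hola or from any project mentioned here), a small POSIX shell helper for the six-step recipe above: it checks a copy of sshd_config for the two directives from step 2 the way sshd reads them (keyword case-insensitive, argument case-sensitive, commented lines ignored) and builds the step-4 command with the SOCKS listener bound explicitly to 127.0.0.1, so other hosts on your LAN can never route through your tunnel. The user name, host name and port are placeholders; nothing in the block connects anywhere.

```shell
#!/bin/sh
# Added example, not from the original comment: helpers for the "ssh -D"
# SOCKS proxy recipe. Runs offline on a constructed sshd_config sample.

# sshd_has_directive FILE KEY VALUE
# True when FILE has an uncommented "KEY VALUE" line. sshd keywords are
# case-insensitive, arguments are case-sensitive, and '#' starts a comment.
# (A directive inside a "Match" block is reported too; check that by eye.)
sshd_has_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v val="$3" '
        $1 !~ /^#/ && tolower($1) == key && $2 == val { found = 1 }
        END { exit !found }' "$1"
}

# check_sshd_config FILE
# Reports each step-2 directive as present or missing; returns non-zero if
# any is missing, so it can gate a provisioning script.
check_sshd_config() {
    missing=0
    for kv in "AllowTcpForwarding yes" "GatewayPorts yes"; do
        key=${kv% *}
        val=${kv#* }
        if sshd_has_directive "$1" "$key" "$val"; then
            echo "present: $kv"
        else
            echo "missing: $kv"
            missing=1
        fi
    done
    return $missing
}

# build_ssh_cmd PORT USER HOST
# The step-4 command with two defensive choices:
#   - the listener is bound to 127.0.0.1 explicitly, so the tunnel is never
#     reachable from other machines on the local network;
#   - -N opens no remote shell, and ExitOnForwardFailure makes ssh exit
#     rather than stay connected without the forward, which would leave the
#     browser silently unproxied when the port is already taken.
build_ssh_cmd() {
    echo "ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:$1 $2@$3"
}

# Stand-alone demo on a constructed sshd_config snippet (run: sh this.sh demo).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '# constructed sample\nAllowTcpForwarding yes\n#GatewayPorts yes\n' > "$tmp"
    check_sshd_config "$tmp" || echo "fix sshd_config before relying on the tunnel"
    rm -f "$tmp"
    build_ssh_cmd 8000 user example.com   # placeholder user and host
fi
```

For step 5, also tick Firefox's "Proxy DNS when using SOCKS v5" option (the network.proxy.socks_remote_dns preference); without it, name lookups bypass the tunnel even though page traffic goes through it. A quick check from the command line is curl with `--socks5-hostname 127.0.0.1:8000` against any IP-echo service, which resolves the name through the tunnel as well.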

~~~
mahouse
As far as I know, that leads to terrible performance.

~~~
ultramancool
It actually leads to much better performance than using someone else's home
connection. Any VPN or proxy will have some performance penalty associated
with it.

------
CRR1
no need to uninstall.

signup for a new account via this link and you get free premium which means
you are off the exit node list

[http://hola.org/referral_signup?referrer_uid=basic%2Fg163589...](http://hola.org/referral_signup?referrer_uid=basic%2Fg1635898%40trbvm.com&ref=my_account&medium=manual)

re-signup each month for a new account and a new month of premium

------
cekanoni
That's sneaky, and someone needs to point this out!

