They even have a non-free option that eliminates the VPN as a proxy feature.
"Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that user's device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wifi (not on cellular)). This makes Hola the first VPN service without underlying operational costs. Although Hola doesn't need to pay for bandwidth, we still need to pay the engineers who create, maintain and keep improving the free Hola service. Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand). This is what allows us to keep Hola free for our users. Users who want to enjoy the Hola network without contributing their idle resources can do so by joining the Hola premium service for $5 per month (or $45 per year)."
They changed their FAQ IN RESPONSE to my breaking the story on this.
Google cache of Hola FAQ as of 26 May: https://archive.is/tgujS
As you can see, there is no mention of Luminati, or the underlying mechanics at all.
I published hola.html and updated my global announcement just hours before the FAQ change: https://twitter.com/infinitechan/status/603178141650026498
There are millions of users who installed this and do not know how it works. Please do not downplay this issue.
Shady business all around.
Of course, I imagine most users are not so well informed.
But selling an API at $20/GB (bandwidth you pay $0 for) to flood message boards and scrape search engines from random people's IPs without their consent is horribly unethical in my opinion.
Edited to add: I also see it as a breach of trust in the original agreement, even if you were fully informed that by installing Hola you become an exit node. Originally you were an exit node for other humans, and this was reasonably "secure" due to the fact that Hola hadn't been reverse engineered yet. But when Hola released the first party flood/scrape API Luminati they changed the agreement after the fact, even if they didn't have to change the EULA to permit this.
I mean, how else would it work, Hola operating their own proxies and giving all of that infrastructure and bandwidth away for free?
Of course it would be P2P and would turn the user into a supplier of data and bandwidth to others. This basic model has been in use for "illegal" content for well over a decade now.
Now how they exploit that bandwidth is a different matter. Conflating those two is what will give you the "meh" reaction.
Also, "accusing" Hola of being unethical because it has no recognizable signature is another red herring. Of course it hasn't, otherwise it would get blocked by the geotarded services it is supposed to unblock. It's not an evil feature in itself.
The Luminati exploitation angle is the issue. Everything else about Hola is either transparent or at least pretty damn obvious.
But the Luminati angle is nothing different. It would make abusing the proxy network easier (from a technical perspective) but it's nothing you couldn't do with Hola alone. Luminati is just API access to Hola along with expensive pricing and a screening interview with sales staff. You could hack your own API out of only Hola if you really wanted.
The real story is that last time I checked, all their US exit nodes come from Digital Ocean, which is hardly worth $20/GB (should be more like $5/TB). I guess they don't have a lot of US users.
They didn't write "Luminati" but they wrote this:
"Hola and Hola premium are free for private, non-commercial use. For a commercial license to Hola please contact [...]. Your commercial license will provide you with these additional features: Hola For business: License to use Hola for commercial purposes.
Automation: developer API that enable controlling the routing of your HTTP requests via software.
Allow many concurrent sessions.
High bandwidth/high request rate with multiple IPs.
More precise resolution of exit node IP.
Faster changing of IP.
Engineering technical support."
"Typical VPNs need to maintain servers in various countries and to route your traffic through those servers in order to change your IP. This is very expensive. Hola is a network of peers that help each other to access sites, thereby eliminating the need for servers, and thus operating without costs."
So does Folding@Home. So does tor onion routing (relay node). Nowhere did it say outside of the EULA that they are using all their users as exit nodes.
They failed to specify which "resources". It's indefensible, and people would have fallen for this cover up had Google not archived it.
What happens is that someone who has already installed Hola, and who is ignorant by design as to what the extension actually does, tells a friend about Hola; the friend installs it, sees the expected functionality, is unaware of the malicious functionality, and the pyramid of ignorance continues to grow after he tells his own friends about how great Hola is.
These few sentences written in the sidebar here are all that at least 7,102,584 of Hola's victims ever saw (judging by the install count for this malicious Chrome extension):
Access websites blocked in your country, company or school with Hola! Hola is free and easy to use!
FREE and secure VPN. Access websites blocked or censored in your country, company or school and stream media with the free Hola Unblocker VPN proxy service.
Hola is a free and ad-free VPN proxy service that provides a faster and more open Internet.
At no point do they attempt to make it clear in the slightest that they turn your browser into a for-profit bot net node, nor that your own browser becomes a proxy for others. In all venues where Hola expects 99.9% of interested parties to see their product pitch, they intentionally convey the false impression that they personally own their own VPN proxy backends.
Aside from all of that, hiding an explanation of your malware's behavior in the FAQ on some website no one ever sees doesn't suddenly transform it into normal, respectable software. Malware is malware, and bot nets are bot nets.
This is yet another criminal enterprise allowed to flourish and fester simply because Google refuses to police browser extensions in the Chrome web store.
Google runs what I assume must be the largest de facto Universal XSS exploit breeding ground in the world (Chrome extensions in the Chrome web store), and yet they refuse to police its contents.
Here's a recent example. I run AdSense on my site, and it kept running the same ad for an atrocious web game that a 10 year old could have made as their first programming project. I eventually saw the exact same ad running on another site, so I clicked it there in order to avoid the absurd rule that clicking ads on your own site gets you banned from AdSense. (Why don't they just silently discard those clicks, since they know they are from the publisher?) Clicking the ad took me to a page which did not have a game at all; it just falsely claimed you could play a game if you installed their malware browser extension, which it immediately prompted me to install. The extension actually has nothing whatsoever to do with games. It doesn't enable you to play a game at all, anywhere. All it does is replace ads across the entire web with ads from its own ad network for the remainder of the lifetime of that computer. The extension has millions of installs and probably causes Google to lose seven figures per year in AdSense revenue due to so many AdSense ads being replaced with ads from another network. I also think it's funny that ads were being run on my site for the specific purpose of installing malware that would replace the ads and destroy the ad revenue for the very same site that helped it get installed in the first place. I reported this extension three times using the official report forms for the directly relevant teams at Google (even explaining in detail how it damages their own AdSense platform, so unlike a typical consumer complaint, this was actually affecting their profits and they should listen for once), and I was consistently ignored.
What more do you want them to do?
Although the service seems shady, if everyone did this wouldn't it be for the better? (albeit at cost of slower connections)
Decoupling IP from people won't happen anytime soon. It's better for law enforcement to just go, seize everything, and deal with the false positives later.
See the long list of "suggestions" for people interested in running their own tor exit node. This is not something you should even think about doing from your personal home, mixed with your own traffic. It's asking for trouble.
This, come to think of it, sounds like a more ideal approach to creating exit nodes (whether for Tor, a more traditional VPN, etc.). Some low-profile innocuous-looking wall wart - perhaps with USB ports to double as a USB charging station, or some other "clever" disguise - could really be an "exit-node-in-a-box", relaying Tor users through public wifi hotspots in restaurants, hospitals, etc. I reckon this will be more prevalent if any jurisdictions start doing silly things like holding people liable for what their computers emit when they run exit nodes (or - worse - ban Tor, VPNs, etc. outright).
The issue is there's no informed consent. Outside of /r/netsec, /r/techsupport and HN etc, there probably aren't people who know how Hola works and what the implications are.
You can bet the majority of Hola users don't know what a MITM attack is. I'd wager more than half wouldn't know what a bot net is, or what an exit node is.
Most Hola users have not given informed consent.
Hell, I'd wager that more than 90% of their users have no idea what a bot net is.
Most people use Hola to watch internet shows not available in their country. Or, for example, some people use Hola to watch southparkstudios from Sweden, because it's freely available there, but in the US it requires hulu plus.
I'm on a college campus, I am always peeking at people's screens in the library and I'll see the little Hola flame in their navbar. I even saw it on a CS grad student's browser once before class.
No one has any idea.
So far as I have been able to discover, the number of times your scenario has occurred in real life could be counted on one hand.
dchuk beat me to it!
From the archive link provided by 8chan
Hola's goal is to make the internet faster and fully accessible to everyone. Install Hola on your PC, phone or tablet to make your internet faster, more open and more anonymous. Hola lets you have unlimited access to information that is otherwise not available in your geography while protecting your online privacy. It also lets you stream videos faster than ever before. Hola is a collaborative internet -- it works by sharing the idle resources of its users for the benefit of all.
The new version talks about luminati.
It was only recently that they started requiring the user auth for the proxy access, earlier it was a free for all without any auth at all. Now they have the option to track which accounts are causing traffic on their network and potentially put a stop to them (not that it isn't difficult to get around)
So, if he’s in the EU, he can do it. (IANAL, but this was the conclusion of an EUGH decision). Otherwise it gets harder.
(I can’t find the ruling right now either)
Two companies were involved, company A and company B. Company A developed an office suite containing a macro language, company B developed their own office suite and wanted to have compatibility to the macro language of company A’s suite.
So company B decompiled company A’s suite, copied the decompiled code of their APIs and built their own interpreter.
The court ruled that while source code itself is a copyrightable creative work, compiling and decompiling it produces code that is not directly related anymore, and, while it is based on the original code, the only similarities between both types of code are that they describe the same algorithms. But, per European law, algorithms are not copyrightable, only patentable, so the result of a decompilation step is not directly copyrighted work.
Additionally they argued that in other industries, like automobiles, it is common to take apart the products of your competitors, analyze them, and use the knowledge gained for your own products (unless you infringe patents, of course).
And this basic right to own stuff also gives you the right to take apart stuff you have a license to use under the condition that it does not provide a direct loss for the person selling you the license, for example you can not take apart a rented car, but you can take apart a car you bought.
Additionally the court argued that this right can not be signed away, not even in private contracts or through ToS or EULAs, as it would severely restrict the right to "own" stuff.
IANAL, this is not legal advice, consult a lawyer (or rather several, this topic is complex) if you intend to use this as defense in court.
'Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers'.
so it is a p2p system...
Then, immediately in the next paragraph:
An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.
How was that conclusion arrived at? Am I missing something here?
"The user flooding himself (Bui) spilled the beans and told me how he did it voluntarily in IRC. Otherwise I'd have no clue."
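The quoted article describes the flood as thousands of legitimate-looking POSTs to one endpoint inside 30 seconds. The script below is an added example from a defender's side, not code from the thread or from 8chan: it walks an access log in the common combined format, groups requests into fixed windows per method and path, and reports windows whose request count passes a threshold together with how many distinct client addresses took part. The window size, threshold and the log lines it builds for itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: flag request floods of the kind quoted
# above (thousands of POSTs to one endpoint within 30 seconds) in an
# Apache/nginx combined-format access log. The sample log is constructed.
#
# Usage: flood_windows LOGFILE THRESHOLD [WINDOW_SECONDS]
# Prints one line per (window, method, path) whose request count exceeds
# THRESHOLD, with the number of distinct client IPs seen in that window.
# A high count spread over many distinct IPs is what a proxy-network flood
# looks like: per-IP rate limits never fire, so the check is per endpoint.
flood_windows() {
    awk -v threshold="$2" -v window="${3:-30}" '
    {
        # $4 looks like [27/May/2015:10:00:01 ; split on ":" to get H, M, S
        n = split($4, t, ":")
        if (n < 4) next
        secs = t[2] * 3600 + t[3] * 60 + t[4]
        bucket = int(secs / window)
        method = substr($6, 2)          # strip the leading quote from "POST
        key = bucket SUBSEP method SUBSEP $7
        count[key]++
        if (!((key SUBSEP $1) in seen)) { seen[key SUBSEP $1] = 1; ips[key]++ }
    }
    END {
        for (k in count) {
            if (count[k] > threshold) {
                split(k, p, SUBSEP)
                printf "window=%d %s %s requests=%d distinct_ips=%d\n",
                       p[1], p[2], p[3], count[k], ips[k]
            }
        }
    }' "$1"
}

# Constructed sample log: 40 POSTs to /post.php from 40 different addresses
# (documentation range 198.51.100.0/24) inside one 30-second window, plus a
# little ordinary GET traffic a minute later.
make_sample_log() {
    out="$1"
    : > "$out"
    i=1
    while [ "$i" -le 40 ]; do
        printf '198.51.100.%d - - [27/May/2015:10:00:%02d +0000] "POST /post.php HTTP/1.1" 200 512\n' \
            "$i" $((i % 30)) >> "$out"
        i=$((i + 1))
    done
    printf '203.0.113.7 - - [27/May/2015:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 4096\n' >> "$out"
    printf '203.0.113.8 - - [27/May/2015:10:01:20 +0000] "GET /b/index.html HTTP/1.1" 200 2048\n' >> "$out"
}

# Run with "demo" as the first argument to see the flagged window.
if [ "${1:-}" = "demo" ]; then
    make_sample_log "${TMPDIR:-/tmp}/sample_access.log"
    flood_windows "${TMPDIR:-/tmp}/sample_access.log" 20
fi
```

On the constructed log the only flagged window is the 40-request burst to `/post.php`, and the `distinct_ips=40` column is the part worth alerting on: that many distinct sources for one endpoint in one window is not what a single misbehaving client produces. In production the threshold belongs per endpoint (a board's `post.php` has a very different normal rate than its static files), and the window should be keyed on the real timestamp rather than the seconds-of-day used here for brevity.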
(Of course I run my own VPN server using OpenVPN, but Hola is really convenient when I'm only trying to get an American IP to avoid Australian geoblocking - it's also easy for non-technical friends to use.)
If you want anonymity, a VPN service is not the way to go.
I thought this thread may be good place to ask for an alternative.
Hook them up with Docker and connect them with Swarm.
Label them with an IP/city/country/continent combination.
Use Docker Swarm's affinity labelling to start instances in a particular city when needed. Additionally record the last IPs used and use Swarm to not deploy to those servers.
Cost of spinning up VPS instances, maintaining the software needed (to automatically close/open new ones and provision them) could be higher than the $20/GB pricing Luminati offers.
I just looked up the cost and no kidding at $20/GB.
Pricing is a lot less and we only use our own IPs.
Thereby creating the world's largest extortion racket.
Yeah, maybe not such a good idea to encourage that sort of business model.
They appear to just sell VPN server by the GB. I see nothing about a botnet in there, there is no traffic amplification or ability to run programs on the clients.
1. Get a cheap server (ex: DigitalOcean $5/month) in the city/country you want to connect through.
2. Add these 2 lines to /etc/ssh/sshd_config:
3. Restart sshd (service ssh restart), or restart the server.
4. Connect to the server setting a dynamic port forward. On linux or Mac, this is just "ssh -D 8000 firstname.lastname@example.org". On Windows, putty lets you set a dynamic port forward.
5. Personally I use Chrome for my real browsing, and then use Firefox for the proxy since it allows configuring a proxy for the browser only rather than the entire operating system. You just set the SOCKS proxy under advanced networking settings (host 127.0.0.1, port 8000).
6. If you want all internet traffic to go over the proxy rather than just Firefox, this is easy on Mac through the Network Preferences panel. I'm not able to comment on linux/Windows in this regard.
1) If you want everything, UDP data, non-SOCKS supporting apps, etc to go through, you're better off configuring an OpenVPN server. It takes some extra effort, but this allows it to work easily on mobile platforms and stuff too.
2) If you want to use this from a restricted network, use port 443 (for OpenVPN or SSH).
3) If your network is extremely strict, use stunnel to make it look exactly like standard SSL web traffic. I've written a helper app for people who need this on Android, https://github.com/ultramancool/Stunneler
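The steps above build a SOCKS proxy out of an SSH dynamic port forward; the script below is an added example, not code from the thread's author, that assembles the same setup in a checkable form. It prints the `ssh -D` command with the options that make the tunnel safe to leave running (loopback-only listener, exit on forward failure, keepalives), the `autossh` variant that restarts it, and checks a server-side `sshd_config` for the two things this setup depends on. The commenter did not show which two `sshd_config` lines they meant; this example assumes `AllowTcpForwarding` (which must not be disabled for `-D` to work) and `Port 443` (for the restricted-network tip), both real sshd options. The host name, ports and config contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: assemble and sanity-check the
# SOCKS-over-SSH setup described in the steps above. Host names, ports
# and file paths are constructed placeholders.

# ssh arguments for a dynamic (SOCKS) forward.
#   $1 = user@host of the VPS, $2 = sshd port (443 on restricted networks),
#   $3 = local SOCKS port the browser will be pointed at.
# -N runs no remote command; -D 127.0.0.1:PORT binds the SOCKS listener to
# loopback only, so nothing else on the LAN can ride the tunnel;
# ExitOnForwardFailure makes ssh quit instead of staying connected with no
# forward when the local port is taken; the ServerAlive options notice a dead
# link so a supervisor such as autossh can restart it.
socks_ssh_args() {
    printf '%s -p %s -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s' \
        -N "$2" "$3" "$1"
}

# Plain ssh invocation (step 4 above).
socks_ssh_cmd() {
    printf 'ssh %s' "$(socks_ssh_args "$@")"
}

# Same tunnel kept alive by autossh; -M 0 turns off autossh's own echo port
# and relies on the ServerAlive options above to detect a stale connection.
autossh_socks_cmd() {
    printf 'autossh -M 0 %s' "$(socks_ssh_args "$@")"
}

# Check an sshd_config for the settings this setup needs: AllowTcpForwarding
# must not be "no" (sshd refuses -D otherwise) and sshd must listen on the
# port the client will use. Returns 0 when the file passes, 1 with a message
# on stderr otherwise.
check_sshd_config() {
    cfg="$1"; want_port="$2"
    if grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' "$cfg"; then
        echo "AllowTcpForwarding is disabled; ssh -D will be refused" >&2
        return 1
    fi
    if ! grep -Eiq "^[[:space:]]*Port[[:space:]]+$want_port\$" "$cfg"; then
        echo "sshd is not configured to listen on port $want_port" >&2
        return 1
    fi
    return 0
}

# Run with "demo" as the first argument: checks a constructed config and
# prints both client commands for a placeholder host.
if [ "${1:-}" = "demo" ]; then
    tmp="${TMPDIR:-/tmp}/sshd_config.demo.$$"
    printf 'Port 443\nAllowTcpForwarding yes\nPasswordAuthentication no\n' > "$tmp"
    check_sshd_config "$tmp" 443 && echo "server config OK"
    rm -f "$tmp"
    socks_ssh_cmd user@vps.example 443 8000; echo
    autossh_socks_cmd user@vps.example 443 8000; echo
fi
```

When pointing Firefox at the resulting listener (host 127.0.0.1, port 8000, SOCKS v5), also enable "Proxy DNS when using SOCKS v5"; otherwise name lookups still leave the local network in the clear even though the HTTP traffic goes through the tunnel. The same applies to command-line tools: `curl --socks5-hostname 127.0.0.1:8000 ...` resolves names on the far side, `--socks5` does not.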
They have an interesting model: you buy a token that expires after a certain length of time (1 week, 1 month, 1 year, etc). The clock doesn't start ticking until the first time you log in. Instead of registering a username/password, you're sent the token via email and your login ends up being a sha512 hash of the token for the username. There is no password associated, just the hash of the token is all you need.
I like this because you're able to buy 'disposable' accounts basically. They take bitcoin and some alt coins too, which is nice. Dns protection and access to .onion and .bit domains. It all seems pretty solid. NordVPN tends to be a little bit faster for me, though it may depend on which servers you use.
As a former privacy VPN operator I can tell you its extremely hard to operate one securely.
even better just run socks5 thru ssh
Tho I recommend using autossh to maintain the ssh tunnel which could be flaky at times
One port (443) to rule them all!
I did the trial for 1 day and tried them out. Have no pressing reason to continue for now but have filed them in the mental rolodex.
It doesn't work if you want to anonymize yourself.
signup for a new account via this link and you get free premium which means you are off the exit node list
re-signup each month for a new account and a new month of premium
Are you arguing against anonymity on the internet altogether? IMO Mr. Brennan is a hero for taking on the risks associated with hosting an anonymous image board and not backing down in the face of people who time and time again continue to slander his name.
I don't want to live in a world where people live in fear of hosting an anonymous image board.
For the record, Brennan has admitted that 8chan has boards for sexualizing minors (which is legal) though he doesn't support them.
Unfortunately, yes. I don’t support the content on the boards you mentioned, but it is simply the cost of free speech and being the only active site to not impose more 'laws' than those that were passed in Washington, D.C.
...if you want /doll/ shut down you should instead focus on the studios who are producing this content. Some of them are even legally based in the USA. That’s the real story here, not some perverts posting them online after the fact.
Edit: Better source
"Teenagers ONLY! That means only 13+ But of course, 16 is the perfect age."
https://8ch.net/nnmodels/ "Young Models and Jailbait"
https://8ch.net/phile/ "Show some <18 love"
[nmmodels] young models and jailbait are legal under US law. blame the parents putting their kids into young beauty pageants, not pedophiles. write your representative to make them illegal.
cuteboys is a board for transgirls, gay guys, and crossdressers, along with others that don't fit the binary. you're not some homophobe / transphobe, are you? these people are consenting adults.
if you seriously think child porn could exist in the open on the Internet in 2015, you are delusional. the FBI regularly arrests people, and takes down people for hosting CP.
your argument literally only is supported by feels, not reals. everything that you have linked is legal under US law.
I visited the 8chan links you posted and didn't see any child pornography. It seems to me like you're trying a little too hard to paint this guy as some kind of pedophile. I don't completely agree with the types of things being posted, but I didn't see anything illegal.
Of course a site that allows anyone to create their own board is going to have some politically incorrect boards.
Reddit has had similar problems and you can still find sub reddits for the same things there.
I suppose you're against free speech completely then?
For someone who claims to be anti-child porn you sure did find those links fast, almost like you had them bookmarked..
(see how easy it is to make unfounded assumptions about people?)
It's all well and good to dispute their sources, but at least they brought sources to dispute.
My post highlights how easy it is to make unfounded assumptions about people on the internet.
Thanks for helping me prove my point.
Edit: oh and btw, zodiakzz did post a link to forum specifically for gay men as "proof" of 8chan hosting pedophilic content, so it's not much of a stretch to believe he lumps homosexuals in the same group as pedophiles.
And while zodiakzz may not have made any explicit statements about wanting to enforce limits on freedom of speech, it's a fairly safe assumption to make of the kind of people that feel the need to follow Fredrick around all over the internet, posting uninformed slander, reporting him to payment and crowdfunding services, and/or (topically) using botnets to DDoS his site. Hint: They don't care about similar or worse content being hosted on other user generated content sites, it's all about getting back at him for providing hosting to maligned groups like GamerGate, and killing intelligent discussion or attempts at reconciliation before they can happen by derailing threads.
Edit: Actually after thinking it over, it's free speech you should be against.
It really sucks when sites host opinions you don't agree with doesn't it? I googled gamer gate and they seem to be against people exactly like you: People who want to shut down other peoples opinions that they don't agree with.
Incredible that you just learned about GamerGate and are already an expert.
Oh wait: https://news.ycombinator.com/item?id=9394472
And More: https://news.ycombinator.com/item?id=9394708
The most ridiculous thing is, there are actually boards on 8chan that actually do the things gamergate is accused of, like swatting, doxing and so on, but they usually get a free pass because no-one cares about those things anymore except as a way to attack gamergate.