[dupe] Adios, Hola – Why you should immediately uninstall Hola (adios-hola.org)
100 points by OberstKrueger on May 31, 2015 | 32 comments



This whole situation baffles me. I understand that the Hola service is not well executed in the slightest and should most likely be avoided if you do not want your net connection shared, but this is going way over the top IMHO.

The FAQ page had always mentioned that resources were shared unless you paid for the premium service. Yes, it could have been a lot clearer, but they have never outright denied it as many people seem to be making out.

People complained that their FAQ and information pages were not up to scratch to explain the details behind their network. So they update it with more information and now people complain that they updated it? Damned if they do, damned if they don't.

The service they provide is obviously targeted at non-technical users so it is completely understandable why they wouldn't be mentioning the technical details. This scares and baffles the users. If they were purposely deceiving the users with flat out lies then that would be another thing but that doesn't seem to be the case here.

The exploits are serious and extremely stupid in the way they had developed launching the binaries and people should be made aware. However it does seem like Hola is getting a lot more flak than most others would.


> The FAQ page had always mentioned that resources were shared unless you paid for the premium service. Yes, it could have been a lot clearer, but they have never outright denied it as many people seem to be making out.

It completely glosses over the drawbacks of said approach. That's what the problem is. It doesn't provide enough information for informed consent.

> People complained that their FAQ and information pages were not up to scratch to explain the details behind their network. So they update it with more information and now people complain that they updated it? Damned if they do, damned if they don't.

We complain that they updated it quietly, and then presented it as if it had always been there. The update wasn't the problem, the manner in which it was made was. Indeed, now that they have released a more transparent update, it's pointed out as such on adios-hola.org

> The service they provide is obviously targeted at non-technical users so it is completely understandable why they wouldn't be mentioning the technical details. This scares and baffles the users. If they were purposely deceiving the users with flat out lies then that would be another thing but that doesn't seem to be the case here.

"That doesn't seem to be the case here"? How about them completely leaving their users in the dark about the possible legal ramifications? Why does something need to be a "flat out lie" to be highly deceptive?

There is such a thing as lying by omission.

> The exploits are serious and extremely stupid in the way they had developed launching the binaries and people should be made aware. However it does seem like Hola is getting a lot more flak than most others would.

They're not. Hola is getting a lot of flak because every aspect of their business is completely and irreparably fucked up - the technical side and the ethical/business side.


They are using the connections of unsuspecting users as a literal botnet, and sell access to this botnet to people that use it to carry out DDoS attacks.


Whoa! When I installed Hola, I had no idea that I was proxying content and allowing my IP address to be used by others!

It's my fault really, I should have checked into it more carefully. But if you look at the Wayback Machine version from December 2014, there is nothing about this on the main page [1] and the FAQ says absolutely nothing about their commercial anonymization service, Luminati! I'm also curious: what is this patented DNS algorithm they are using that interferes with OpenDNS? [2]

1. http://web.archive.org/web/20150102160748/http://hola.org/

2. http://web.archive.org/web/20150102160748/http://hola.org/fa...


> what is this patented DNS algorithm

It's probably just them running their own resolver over an encrypted channel to avoid ISP rewriting DNS responses.


No, they appear to have their own app. According to the patent [1], they are querying all the host system's DNS resolvers concurrently.

The second part of the invention is as follows:

In accordance with the present method and system, and a first exemplary embodiment of the invention, in order to avoid wasting time when cache entries are expired, the present method and system performs two steps concurrently. First, the present method and system continues operation as if the expired cache entry is still valid and thus continues resolving the DNS request from the cache. In parallel, the present system and method queries the authoritative domain name server that provided the expired answer in the past for obtaining the latest valid entry for this URL. If, following the comparison of the cache entry to the one now received from the authoritative domain name server, the entry in the cache is still valid, the present method and system uses the final answer received from the first process herein. Acting on the assumption that the invalid cache entry was still valid is productive for the process.

If the IP address received from the authoritative domain name server is not the same as the expired entry in the cache, the present method and system ignores the result received from the first step and continues normally with the result received from the authoritative domain name server. This modification in the operation of the DNS recursor saves time, since in most cases of an expiration of a cached record, the record is still valid, and thus the serial recursive process would have been slower than the concurrent process of the present method and system. In other cases (i.e., in the cases where the assumption that the expired cache entry was still valid, but following the query to the authoritative domain name server it turned out not to be valid), the time the present method and system takes is the same as the prior art process, meaning that if the cache entry was indeed invalid, then doing the two steps in parallel as described above did not waste time—the end result is returned in the same time it would have taken a ‘normal’ DNS process to return a valid answer.

How they implement this, I don't know. Possibly they are modifying the client's resolver? Seems like a recipe for disaster though.

1. https://www.google.com/patents/US8671221
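
The two-step behaviour in the patent text quoted above can be modelled in a few lines. This is an added example, not part of the comment and not Hola's code: the hostnames, addresses, delays and the helpers `query_authoritative`, `fetch` and `resolve_speculatively` are all constructed for illustration.

```python
import asyncio

# Constructed sample data: names, addresses and delays are illustrative only.
AUTHORITATIVE = {"same.example": "203.0.113.10", "moved.example": "203.0.113.99"}
EXPIRED_CACHE = {"same.example": "203.0.113.10", "moved.example": "198.51.100.7"}

async def query_authoritative(name):
    """Hypothetical stand-in for re-querying the authoritative server."""
    await asyncio.sleep(0.02)
    return AUTHORITATIVE[name]

async def fetch(ip, contacted):
    """Hypothetical stand-in for the work that depends on the DNS answer."""
    contacted.append(ip)          # traffic leaves for this address immediately
    await asyncio.sleep(0.05)
    return f"response-from-{ip}"

async def resolve_speculatively(name, cache):
    contacted = []
    stale_ip = cache[name]
    # Step 1: carry on as if the expired entry were still valid.
    speculative = asyncio.create_task(fetch(stale_ip, contacted))
    # Step 2, in parallel: ask the authoritative server for the current record.
    fresh_ip = await query_authoritative(name)
    cache[name] = fresh_ip
    if fresh_ip == stale_ip:
        # Expired entry was still right: keep the work already under way.
        body, kept = await speculative, True
    else:
        # Expired entry was wrong: drop the speculative work and start over.
        speculative.cancel()
        try:
            await speculative
        except asyncio.CancelledError:
            pass
        body, kept = await fetch(fresh_ip, contacted), False
    return {"ip": fresh_ip, "speculation_kept": kept,
            "body": body, "contacted": contacted}

def run(name):
    """Synchronous wrapper; each call starts from a copy of the expired cache."""
    return asyncio.run(resolve_speculatively(name, dict(EXPIRED_CACHE)))

if __name__ == "__main__":
    for host in AUTHORITATIVE:
        print(host, run(host))
```

In the `moved.example` case the `contacted` list holds both addresses: in this model the request to the expired address has already gone out by the time the authoritative answer shows it was wrong.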


I can see how this could improve the resolving latency slightly, at the expense of more network traffic. Like you said, it must be tricky to get that integrated properly.

It seems like a weird optimization to do and unrelated to VPN. Maybe they have fast-changing DNS entries when nodes are joining and leaving.


I'm honestly pretty surprised that so many people were unaware about how Hola worked up till now. I've had a separate Chromium installation for Hola for years now, since I didn't want to contribute bandwidth/my IP.

It would have been impossible for them to give people unlimited IPs in almost all the countries in the world for free if they themselves had to buy and maintain them like a traditional VPN service.

Apart from the exploits (which should be fixed ASAP ofc), Hola is a great thing for the internet. Geofencing is the real enemy, and Hola kills it.

The problem with Hola isn't really that it shares your connection, the problem is that it is too uncommon. The internet would be a better place if you weren't responsible for what exited through your IP, if everyone were an exit node nobody could be held responsible. Plausible deniability only works if it's actually plausible.


> I'm honestly pretty surprised that so many people were unaware about how Hola worked up till now. I've had a separate Chromium installation for Hola for years now, since I didn't want to contribute bandwidth/my IP.

> It would have been impossible for them to give people unlimited IPs in almost all the countries in the world for free if they themselves had to buy and maintain them like a traditional VPN service.

Hola markets itself explicitly to a demographic that doesn't understand what business models are and aren't feasible in the tech world. That's why.

> Apart from the exploits (which should be fixed ASAP ofc), Hola is a great thing for the internet. Geofencing is the real enemy, and Hola kills it.

And does so in a highly unethical way. The workings and possible drawbacks of Hola should be transparent, but they are not. And they are unlikely to ever be sufficiently transparent, as that will decrease their userbase and hurt their income through Luminati.

And this is exactly why you don't let a commercial business "fix the internet".

> The problem with Hola isn't really that it shares your connection, the problem is that it is too uncommon. The internet would be a better place if you weren't responsible for what exited through your IP, if everyone were an exit node nobody could be held responsible. Plausible deniability only works if it's actually plausible.

Sure, if that were the case, then it'd be great. Unfortunately, it's not.



Creepy... :(


It got removed from the Chrome Web Store by the looks of it (https://chrome.google.com/webstore/detail/hola-better-intern...)



That's the app, not the extension. They're two separate distributions.


Could not agree more. They have a clever idea but they are not clear about how it works.

What caught me onto it was seeing what they offered as 'premium' features. These basically involved not being a peer!

They have clarified things a little but to the uninitiated, being a 'helper' sounds like a good thing!


It's not just about being a helper. All peers have complete access to each other's machine, not just to initiate http requests. It even allows peers to download files from each other, and steal other personal information. It's just insanely stupid to come anywhere near this software. They should immediately patch the software, well before changing FAQs.


I think they could have made it clearer, and changing up their FAQ didn't exactly make a great impression on a lot of users. That said; I think providing they tell users about this upfront, and don't waste their bandwidth on mobile connections etc (as they say they don't) - then I see no problem with this.

It's a way for users to get a VPN for "free". For most end-users they won't even notice/care about the odd HTTP request they're proxying. I think transparency may have been the issue here.


> For most end-users they won't even notice/care about the odd HTTP request they're proxying.

I'm pretty sure people would care if the cops showed up because that odd HTTP request happened to be requesting child pornography.


That is a risk they take. That's what I was saying about transparency. If the Hola website had made the whole situation more obvious, then users either take this risk or pay the $X a month for an actual VPN service.


The problem is that that goes against Hola's own (commercial) interests.


Is CP on the clearnet really still a "thing"?


Yes, images of child sexual abuse still exist on regular Internet, no darknet services required.


What VPN does HN recommend?


For bypassing geoblocks Hola is great. Just have a separate Chrome/Chromium installation just for Hola.

Or if you're a little bit evil, you can just use the Hola IPs as a regular HTTP/HTTPs proxy: http://milankragujevic.com/uploads/hola/

All the benefits, none of the downsides.


To do what Hola appears to do best (bypassing filter protection or basic traffic forwarding) I just use a socks5 proxy server, all you need is a box with ssh and make sure your dns requests as well as the http data go through the proxy.

I think you can even set it up with chrome/ff without addons, but I use foxyproxy since you can switch in seconds.


Set up an OpenVPN server on Digital Ocean's Germany region.


Germany?


Mullvad works very well for me.


F-Secure Freedome is good.


You do realize that HN is more than one person, right?

Tomorrow you should ask, "What text editor does HN recommend?"


Hear me out. Perhaps the law should assume innocence and not think I'm guilty just because it looks like I am downloading something "bad".

In a perfect world, there would be no laws against downloading or uploading anything on the Internet. If you order a hit on someone, we have existing laws against that. If you threaten to kill someone, there are laws against that.

What a wonderful world that would be!


missing context. what is hola

i can google it, but still missing context. is hola popular. are some of its claims not true. was it obviously a scam already. what is notable about this.



