I've reverse engineered it a long time ago and am using their proxy clients (ZAgents as they refer to them internally) as proxies for clicking on my own ads. I have their username and password and a list of dyndns domains. Email me if you want the data.
If they are in the EU – great, the right to learn covers the right to take apart, understand, reassemble, and remix any technology that you have a license to use and where, during the process, the original owner has no material losses.
So, if he’s in the EU, he can do it. (IANAL, but this was the conclusion of an EUGH decision). Otherwise it gets harder.
There is a decision from the European Court of Justice on this matter, it is also the only info existing on the topic.
(I can’t find the ruling right now either)
Two companies were involved, company A and company B. Company A developed an office suite containing a macro language, company B developed their own office suite and wanted to have compatibility to the macro language of company A’s suite.
So company B decompiled company A’s suite, copied the decompiled code of their APIs and built their own interpreter.
The court ruled that while source code itself is a copyrightable creative work, compiling and decompiling it produces code that is not directly related anymore, and, while it is based on the original code, the only similarities between both types of code are that they describe the same algorithms. But, per European law, algorithms are not copyrightable, only patentable, so the result of a decompilation step is not directly copyrighted work.
Additionally they argued that in other industries, like automobiles, it is common to take apart the products of your competitors, analyze them, and use the knowledge gained for your own products (unless you infringe patents, of course).
And this basic right to own stuff also gives you the right to take apart stuff you have a license to use under the condition that it does not provide a direct loss for the person selling you the license, for example you can not take apart a rented car, but you can take apart a car you bought.
Additionally the court argued that this right can not be signed away, not even in private contracts or through ToS or EULAs, as it would severely restrict the right to "own" stuff.
IANAL, this is not legal advice, consult a lawyer (or rather several, this topic is complex) if you intend to use this as defense in court.
I assume they forward the requests to their own servers? In that case there isn't much to reverse engineer without access to their servers. Unless they use some kind of P2P system, which I doubt.
'Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers'.
It's a mix of both. Each peer connects to one of their servers which then acts as the middle-man for the traffic between users. The descriptions they use are incredibly incorrect in so many places. Reads like they have some marketing guys with a vague idea of how it works writing it up.
The Luminati angle is new, but the fact that free Hola users are used as peers or exit nodes is common knowledge among better informed users. I've warned others of that fact in the past myself.
Of course, I imagine most users are not so well informed.
Indeed, I knew for a while too, but I let it go so long as all posts were made by humans.
But selling an API at $20/GB (bandwidth you pay $0 for) to flood message boards and scrape search engines from random people's IPs without their consent is horribly unethical in my opinion.
Edited to add: I also see it as a breach of trust in the original agreement, even if you were fully informed that by installing Hola you become an exit node. Originally you were an exit node for other humans, and this was reasonably "secure" due to the fact that Hola hadn't been reverse engineered yet. But when Hola released the first party flood/scrape API Luminati they changed the agreement after the fact, even if they didn't have to change the EULA to permit this.
Not to downplay this issue, but wouldn't one simply assume it works this way?
I mean, how else would it work, Hola operating their own proxies and giving all of that infrastructure and bandwidth away for free?
Of course it would be P2P and would turn the user into a supplier of data and bandwidth to others. This basic model has been in use for "illegal" content for well over a decade now.
Now how they exploit that bandwidth is a different matter. Conflating those two is what will give you the "meh" reaction.
Also, "accusing" Hola of being unethical because it has no recognizable signature is another red herring. Of course it hasn't, otherwise it would get blocked by the geotarded services it is supposed to unblock. It's not an evil feature in itself.
The Luminati exploitation angle is the issue. Everything else about Hola is either transparent or at least pretty damn obvious.
I agree with most of what you said. When you're downloading proxy/vpn software like this, it's either P2P (and you're sharing your own resources) or it's centralized. They could make this clearer in the blurb to download the software, but they don't hide this fact and in fact make it clear from their FAQs and pricing pages.
But the Luminati angle is nothing different. It would make abusing the proxy network easier (from a technical perspective) but it's nothing you couldn't do with Hola alone. Luminati is just API access to Hola along with expensive pricing and a screening interview with sales staff. You could hack your own API out of only Hola if you really wanted.
The real story is that last time I checked, all their US exit nodes come from Digital Ocean, which is hardly worth $20/GB (should be more like $5/TB). I guess they don't have a lot of US users.
Agree that free proxies aren't free. But how many people would know about proxies? For most people, if some content is country-blocked, a Google search and a click on the first or second link will end up with Hola installed, no more questions asked. I think we should do better than the "Don't use if you don't know" argument.
> As you can see, there is no mention of Luminati, or the underlying mechanics at all.
They didn't write "Luminati" but they wrote this:
"Hola and Hola premium are free for private, non-commercial use. For a commercial license to Hola please contact [...]. Your commercial license will provide you with these additional features: Hola For business: License to use Hola for commercial purposes.
Automation: developer API that enable controlling the routing of your HTTP requests via software.
Allow many concurrent sessions.
High bandwidth/high request rate with multiple IPs.
More precise resolution of exit node IP.
Faster changing of IP.
Engineering technical support."
"Typical VPNs need to maintain servers in various countries and to route your traffic through those servers in order to change your IP. This is very expensive. Hola is a network of peers that help each other to access sites, thereby eliminating the need for servers, and thus operating without costs."
It looks like they clarified their story, not changed it? It did say that it uses idle resources collaboratively...I'm not really trying to argue, just wondering if it was really that deceptive. I had never heard of them until this post.
> It did say that it uses idle resources collaboratively
So does Folding@Home. So does tor onion routing (relay node). Nowhere did it say outside of the EULA that they are using all their users as exit nodes.
They failed to specify which "resources". It's indefensible, and people would have fallen for this cover up had Google not archived it.
I see this Hola thing get upvoted all the time on reddit as a way to watch region-locked videos. Pretty disgusting that they've tricked millions into installing their software without informing them of all the illegal activities that could be funneled through their IP.
Even if they had said it all along in their FAQ, it's still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola's site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this.
What happens is that someone who has already installed Hola, and who is ignorant by design as to what the extension actually does, tells a friend about Hola; the friend installs it, sees the expected functionality, is unaware of the malicious functionality, and the pyramid of ignorance continues to grow after he tells his own friends about how great Hola is.
These few sentences written in the sidebar here [1] are all that at least 7,102,584 of Hola's victims ever saw (judging by the install count for this malicious Chrome extension):
Access websites blocked in your country, company or school with Hola! Hola is free and easy to use!
FREE and secure VPN. Access websites blocked or censored in your country, company or school and stream media with the free Hola Unblocker VPN proxy service.
Hola is a free and ad-free VPN proxy service that provides a faster and more open Internet.
At no point do they attempt to make it clear in the slightest that they turn your browser into a for-profit bot net node, nor that your own browser becomes a proxy for others. In all venues where Hola expects 99.9% of interested parties to see their product pitch, they intentionally convey the false impression that they personally own their own VPN proxy backends.
Aside from all of that, hiding an explanation of your malware's behavior in the FAQ on some website no one ever sees doesn't suddenly transform it into normal, respectable software. Malware is malware, and bot nets are bot nets.
This is yet another criminal enterprise allowed to flourish and fester simply because Google refuses to police browser extensions in the Chrome web store.
Google runs what I assume must be the largest de facto Universal XSS exploit breeding ground in the world (Chrome extensions in the Chrome web store), and yet they refuse to police its contents.
Here's a recent example. I run AdSense on my site, and it kept running the same ad for an atrocious web game that a 10-year-old could have made as their first programming project. I eventually saw the exact same ad running on another site, so I clicked it there in order to avoid the absurd rule that clicking ads on your own site gets you banned from AdSense. (Why don't they just silently discard those clicks, since they know they are from the publisher?) Clicking the ad took me to a page which did not have a game at all; it just falsely claimed you could play a game if you installed their malware browser extension, which it immediately prompted me to install [2]. The extension actually has nothing whatsoever to do with games. It doesn't enable you to play a game at all, anywhere. All it does is replace ads across the entire web with ads from its own ad network for the remainder of the lifetime of that computer. The extension has millions of installs and probably causes Google to lose seven figures per year in AdSense revenue due to so many AdSense ads being replaced with ads from another network. I also think it's funny that ads were being run on my site for the specific purpose of installing malware that would replace the ads and destroy the ad revenue for the very same site that helped it get installed in the first place. I reported this extension three times using the official report forms for the directly relevant teams at Google (even explaining in detail how it damages their own AdSense platform, so unlike a typical consumer complaint, this was actually affecting their profits and they should listen for once), and I was consistently ignored.