Hola VPN Already Exploited by “Bad Guys”, Security Firm Says (torrentfreak.com)
129 points by fraqed on June 2, 2015 | hide | past | favorite | 79 comments



Selling users' bandwidth is shady, but consistent with VPN usage (i.e. traffic routing). You can present it as "hey, that's our actual business model, we just forgot to tell you guys" and maybe get away with it.

But this:

  Hola [...] installs its own code-signing certificate on 
  the user’s system.

  Hola contains a built-in console (“zconsole”) that is not 
  only constantly active but also has powerful functions 
  including the ability to kill running processes, download 
  a file and run it whilst bypassing anti-virus software plus
  read and write content to any IP address or device.

This is going so far into shady territory it becomes indistinguishable from actual malware. This is Lenovo/Superfish all over again.


> This is Lenovo/Superfish all over again.

Completely different. Superfish, I'm willing to believe, was just incompetence/indifference. If Hola really is installing a backdoor with high privileges, then that's deliberate malice.


> Superfish, I'm willing to believe, was just incompetence/indifference. If Hola really is installing a backdoor with high privileges, then that's deliberate malice.

But that's what Superfish was as well. Why are you willing to give Superfish a free pass on doing the same thing?


Yes, that's what Superfish was. However, I'm willing to believe that Lenovo's marketing department was incompetent enough to agree to bundling it without malice.


I assure you that at any large company, especially one the size of Lenovo, the marketing department does not single handedly make any technical decisions.


Not sure, but I think I might be on madeofpalk's team on this one too: Superfish was ostensibly doing it to feed data into targeted advertising; Hola has no such (marginally) benevolent excuse.


First, I fundamentally disagree that targeted advertising is in any way benevolent, even marginally. Though that's a debate for another thread.

However, they knew full well what the consequences of this mechanism would be[0]. I find it impossible to believe that there was no person at any point along the chain who knew that MITMing all connections would be a security vulnerability[1]. And if that somehow managed to be the case, that makes them even less credible in my mind, since they're an OEM. They really have no excuse.

[0] I mean, seriously, just look at the name "Superfish". That's not a catchy phrase invented to publicize the vulnerability, like "Heartbleed" and "Shellshock". That's the actual name of the company whose product Lenovo bought.

[1] https://news.ycombinator.com/item?id=9078536


I think there's a second question. Who are we mad at in Lenovo/Superfish, and who knew about the risks.

I'd be mad at Lenovo - because they installed the malware without considering the consequences. I can, however, believe that plenty of decision-making people at Lenovo were unaware of the risks underlying the software.

So, does Lenovo have more in common with the consumer who did something dumb based on poor information, or with the vendor distributing malware?


There is quite a difference between the security issues of MITM HTTPS and installing a control console. The first is a potential security issue that might lead to something bad; the second is already one of those bad things that might happen. Given that this console is as exploitable as it sounds.


Installing a backdoor is only OK for operating systems? Like Android, which can remotely and automatically remove apps? Or Amazon, which can delete books, etc.?


Regardless of incompetence, indifference, or deliberate intent, dubious software is still dubious.


Alright, let's talk specifics.

1. Is the Hola Chrome extension vulnerable to these kinds of issues?

2. How can you remove/fix these issues? Is uninstalling Hola enough?


I suppose the lesson here is don't use "free" services until you fully understand the provider's business model.


So, basically any VC backed, SV based startup?


Well I understand their business model. Given valuation is a function of MAU:

1) Boost MAU by any means necessary

2) Pray

3) Monetize/get acquired


That's the business model of VCs and founders, not the companies. The company business model will only be established on 3, if they monetize. Selling to the bigger fool not included, of course.


Maybe the lesson is when the sign says "Free Pork"(Bandwidth) ask where it came from?


I have zero connection to this company, but if you are looking for a reliable, fast, unlimited VPN I would check out Private Internet Access (https://www.privateinternetaccess.com/). I've got a number of friends who use this and I've been using it for a little over a month and have nothing but good things to say. At $40/yr it's well worth it IMHO and provides a native VPN client, PPTP, and SOCKS5 (they have mobile apps as well to make it easier, but you can use PPTP directly as well).

I use it 100% of the time on my phone and on my laptop unless I'm at work (internal resources that I haven't figured out how to play nice with yet).


I recently bought a year for around $35 with some coupon code or other and honestly... I'm a bit underwhelmed. No matter what settings I use or what node I connect to, my ~100 Mbps (down) cable connection drops to somewhere between 1-10 Mbps. I was originally going to set up OpenVPN on my router so everything would go through it, but I heard it can tax router hardware and lead to slower speeds, so I figured I'd just test the desktop client first. Now I'm glad I didn't go mucking around with my router setup since it would have led to house-wide issues. As it stands, I can handle the slower speeds when torrenting some TV episode I missed, but after that I usually need to turn it off.


I have a 50 Mbps connection and don't actively notice the speed drop, but speed tests (which are not that reliable, and I didn't do enough tests to really confirm) show about a 10 Mbps difference (slower on VPN). My phone connection is never anywhere near that fast so I really don't notice it there. I'm sure that fast home connections will have more issues (as in being slower), but I'm willing to take the hit (as long as it's only about a 1/5 penalty, as it appears to be now for me) for the gain.

I've tried running my own VPN but every time I run into some odd issues or it doesn't work on all my devices. PIA's offerings are well worth $40/yr IMHO but I understand that that would be the same for everyone.


Yeah, I expected some latency and lower bandwidth due to the extra hops and their capacity but going from 100 to 5 is a bit much.

I'm still guessing it's either something I need to set up differently or it's Comcast somehow throttling it, but I've tried both TCP and UDP set to auto and to each of the other choices they give you. I've tried connecting to the closest server and to others. And if I do the speed tests on their site (testing the speed of their connections) they seem to be as fast as you would expect.

Just not quite sure what to try next. I'm only out $35 and on the rare occasions where I really need to use it (occasional TV show torrenting), I have no complaints about longer waits since I'm not paying for them. At this point it's mostly just bugging me that I haven't found a solution.


Yeah, 100->5 is terrible. I'm on Time Warner (not sure how much that matters but wanted to throw out a data point at a minimum) and 50->40 is fine for most things. I'd be interested to try downloading from usenet and see what speeds you get (to see if encrypted connections are being throttled) as I regularly can get 5.0-6.5MBps (Notice capital "B").


Hmm, depending on the exit, on my 100/25 Mbps connection I tend to get about 30/10 from PIA. It isn't perfect, but it's an acceptable tradeoff for me, and I don't run all my machines through it all the time.


I am a very happy user; in fact I am writing this behind their VPN.

In my experience you are right for some endpoints, some of the time, but I haven't had any issue with the one I am currently using (NL based).


Same. I have been a customer for almost two years now, but recently the UK servers have been so slow I can't even stream iPlayer in HD anymore. I contacted their customer service about the issue a few months ago and they said they were aware of capacity issues, but it's only gotten worse. It seems users have also realised and quickly moved from London > Southampton server and overwhelmed that one also (which always served me well when London was slow).


That's the same issue I ran into with using a VPN; I know I want to be using one as a (theoretical) enhancement to my privacy, but it was just too slow.


Really? Have you tried getting a server in your own city?

I hardly notice the difference when my VPN is connected.


One possibility is that your ISP is throttling encrypted connections. It's something that seems easy enough to test.


Yeah, I've considered that. Outside of choosing different ports or switching from TCP<>UDP or vice versa, is there really any way to address this?


Try out cryptostorm.is. I have had zero issues with them and have been running it for the last few months (>3, <6).


This is completely unrelated to the article.


No, it's not. This article is about Hola which was a VPN and how it was being used for malicious purposes. It stands to reason that people reading the comments are either looking for or seriously considering going with a different VPN provider in light of this news (compounded on top of the story that broke a day or so ago about being used as an exit node). I posted about a service I use that I find reliable and cheap that fills nearly (if not completely) the need that Hola once filled.

I am a 3rd party who has no connection to PIA and receive nothing for recommending them. There are countless cases of a HN post concerning some tech or concept where in the comments you can find alternatives that other HN'ers have recommended. I'm unsure how, given all of this, my comment is "completely unrelated to the article".


It's completely unrelated. It's like if there was an article talking about a flaw in Yosemite and you went here and pasted a link to microsoft.com, talking of how reliable Windows is.


The Hola extension has been removed from the Firefox and Chrome download sites. I read the source of the Firefox extension at one point and don't remember seeing any binaries or the so-called "zconsole". But CSO Online [1] is reporting the extensions were vulnerable (despite Vectra [2] not mentioning this).

It was also unclear to me how the browser extension could be used to share users' traffic; it didn't seem like the extension did that, but I didn't read the source code too carefully.

Does anyone have a copy of these extensions?

I am disappointed the Windows and Android apps were vulnerable and that Hola didn't market their software better. It's probably the coolest app since Napster. Yes, it's a botnet of sorts, but the Internet needs a way to let users disassociate themselves from IP addresses. And most proxy services are easily identified.

[1] http://www.csoonline.com/article/2928817/vulnerabilities/hol...

[2] http://blog.vectranetworks.com/blog/technical-analysis-of-ho...



I wonder what caused the surge of all those 5-stars positive reviews within the last 24 hours....


It's almost like they had a giant network they could use for fake reviews.


Hola's marketing team at work.


The "bad guys" can rate things too :)


Tons of articles being written about it? I hate to say this, but because of Google+ it is pretty easy to see if users are legitimate or not. And from what I could tell many in those reviews are legitimate users (at least on G+).


I looked at the source a long time ago as well. I think the Chrome API exposes some way to open a socket, which they then use as a SOCKS proxy.


Coming from the receiving end of this: as a user of an anonymous image board, this happened recently. It seems that Hola is selling botnet access. Of course users are "vetted" that they are not going to use the access for nefarious purposes before they gain access. In this case one of the "vetted" users decided to DDOS said anonymous image board. (Note: could be some other actors involved, but I have confirmation from other board users.)

Update(Confirmation from TorrentFreak): http://torrentfreak.com/hola-vpn-sells-users-bandwidth-15052...


This was discussed here last week, with contributions from the owner of the image forum:

https://news.ycombinator.com/item?id=9614993


Hola is going down a dangerous route here by turning all of their users into exit nodes, but if they actually make this work it would give them a unique position among all VPN providers.

Legally this is a very risky endeavor though. In Germany for example (where I'm based), people are even scared of sharing their Internet contract with their neighbors since the account owner can be held responsible for any illegal activities (e.g. downloading copyrighted content) that are carried out through his/her connection. Allowing other people to "freeload" on my connection would therefore be a big no-no here. The only way around this risk would be to record and attribute the connection information to each user of the service, but this would of course eliminate many of the advantages of using a VPN again (e.g. privacy).


Downloading copyrighted content is the least of worries here, that is mostly a private matter.

But there is a very real risk that if someone accesses child pornography and other content using Hola and your internet connection that you will wake up to police searching your home.


This is a far more real risk than you might think, I'm currently on the tail end of a police investigation triggered by a device on my home network accessing child porn via Tor. My current theory is that something got added to a botnet and used as a proxy, but I'm not eager to leave things running to find out.

While the police have been incredibly professional about this, it's been a truly horrible process. Anything in my house which could be used for digital storage was seized, and I spent 9 hours in a police station, variously being interviewed, and sitting in a cell with plenty of time to think about how horribly wrong it could all go. Since then I've been on bail with the condition that I'm not allowed to be unsupervised with anyone under the age of sixteen, which when you have a one year old son is inconvenient to say the least - there was a short time when it seemed a real possibility that he may be taken into care because social services didn't like that my wife believes I'm innocent. It also cost us hundreds of pounds in buying new laptops to use for work while we wait for our existing ones to be returned.

Thankfully the investigation is coming to an end now (in fact I got a call this morning to say the remaining two computers are going to be returned tomorrow), and it looks like everything is going to be ok. I've spent the last few months worrying that maybe one of our computers has also been used as a server.

To come vaguely back on topic, find a better way to get at TV you want to watch, because no amount of Game of Thrones is worth months of worrying whether the next knock at the door is going to be the police come to take you off to jail.


I'm not sure how downloading Game of Thrones is connected to your troubles.


I'd been using Tor to bypass torrent sites being blocked by UK ISPs - while Game of Thrones wasn't directly connected to my problems, the fact I had two computers with Tor installed definitely didn't do me any favours while being interviewed.


Ok. This was missing from your description. It seemed like what happened to you could have happened outside of people using VPNs/Tor to download pirated material. E.g. you could have even just been running an open access point.


Perhaps you haven't attempted to view GoT from "unapproved" locations? That is why some people used Hola: to VPN to an "approved" IP address. Parent's troubles are different, but similar, in that his unwanted traffic came from Tor [EDIT: or maybe just a pwned device? I see now that it's unclear...] rather than Hola. I appreciate reading anything he cares to share, as I am interested in running Tor nodes.


I've got very little information on precisely what happened. The wording on the warrant they had for my arrest was that they'd traced an attempt to access child porn using Tor "through undisclosed means". I'm assuming that means the police are running their own nodes and logging any traffic to go through them, but that's pure guesswork.

Also guesswork, but I think the source was probably the one Windows box in the house which I've run Tor on in the past to get round UK ISPs blocking torrent sites. The most likely thing seems to be that it was turned into part of a botnet and used as a Tor relay, but at least until I get that machine back I've got no way of verifying that (and in all honesty, will probably just format the disk and reinstall it).

As I understand it, if you're just passively using Tor (on a computer which hasn't been compromised) then it won't cause you any trouble, but if you start running relay nodes or an endpoint then make sure you've got the number of a good solicitor who understands this stuff - the one I got given by the police opened the conversation with "I know nothing about computers", and was quite clearly convinced I was guilty as charged. Thankfully the police do seem to know what they're talking about, and are well aware that an IP address is far from damning evidence; they've looked like they're just going through the motions because they're obliged to ever since finishing their interview the first morning.


> I'm assuming that means the police are running their own nodes and logging any traffic to go through them, but that's pure guesswork.

This is not how Tor works. Every connection uses several nodes, and unless they control the entire chain they cannot determine both the origin and the destination of the traffic.

Unless you mean you (or one of your compromised servers) were running an exit node?


Nitpick: Downloading proprietary works is not a problem in Germany, just uploading.


So this is interesting to me because lately I've been looking for a VPN that would work for my little brother, who is trying to make it to the point that he can stream full time on Twitch. The problem is that he has been targeted by script kiddies, who found his IP address through Skype. Shame on you, Skype.

That said, I've been looking for a good VPN for him. It seems that ProXpn isn't as solid as I thought it was, because they found his IP there and were able to (D)DOS him (not sure how exactly they are doing it at this point). They have also been able to get him banned from Twitch via his IP. He needs a VPN with enough bandwidth that he can do Twitch and Skype (under a different name), all while playing games. I figured ProXpn would be sufficient, but I've never loaded it like that.

Also, there is no guide out there for streamers, or people who are in the public eye on the internet, on how to avoid getting attacked by script kiddies. Or at least no guide that I've found sufficiently useful, and yes, I have googled this. Does anyone here have any references they can point me to that give the "what not to do" for streamers, youtubers, big twitter people, etc.? So far I've told him:

- Use strong passwords: LastPass, and yes I know this is a point of contention, but it's better than what he is using and it's accessible enough for him that he'll actually use it.

- Don't click links in chat: Because duh (is there a way to verify the safety of said links first? I know of none).

- Obfuscate your Skype ID: This seems to be a major tool in finding IPs.

- Keep a personal and a public email: Personal goes to banks and stuff, public goes to everyone else.

- Don't friend people on Steam you don't know.

Am I missing any major advice points that seem easy to follow?

Edit: formatting and added steam bullet point.


>Also, there is no guide out there for streamers, or people who are in the public eye on the internet, on how to avoid getting attacked by script kiddies.

A famous StarCraft streamer made a guide on how to avoid this:

https://blog.destiny.gg/protection-from-ddos-attacks/

I googled "guide to preventing DDOS on twitch" and it came up as the fourth result. How hard did you look?


Yeah I've seen this, and gone over it with him. He has some added exposure due to Steam which is another potential risk. I added a bullet point for that.

Thanks for pointing this out, but what do you think about the VPS vs VPN? It has an increased exposure to attack because everything else you do on your PC isn't being routed through the VPS.

It also doesn't do anything for best practices for avoiding other forms of hacking. So it's a good guide but definitely incomplete.

I looked pretty hard, I spent the better part of 4 hours just looking around and reading these sort of articles and evaluating whether or not a VPN or a VPS would be better. And in retrospect a VPS might actually be better for his skype connection. So thanks for pointing me to this again so that I could think on that again. I wouldn't have gone back through it otherwise.


The main reason for using a VPN or VPS is that you keep using your normal IP for the stream and the game. Everything else (where the attacker can get your IP) you use the VPN/VPS for. This will not protect your chat or browsing from getting DDOSed, but it WILL prevent the attacker from killing your stream and your game. The benefit of using a VPS is the much bigger bandwidth of the host company to soak up the DDOS traffic so you can stay online.

If he has a fixed IP this is too late for him, he needs to get a new IP for this to be useful.


Skype is definitely #1 on the list. It is remarkably easy to get an IP given a Skype username.


>They have also been able to get him banned from Twitch via his IP.

This sounds like they have access to his computer (with a RAT or something). You shouldn't be getting IP banned unless you actually break Twitch rules from that IP.


That's kinda what I've been worried about as well. I'll have to look into this more. Thanks though.


>The problem is that he has been targeted by script kiddies, who found his IP address through Skype. Shame on you skype.

So if Skype relays through servers, they get flak for spying, but if they use P2P it's their fault for giving his IP out? The Skype options have a choice for exposing it. "Allow direct connections to contacts only". Make sure it's checked, and don't add bad actors to Skype.


Try cryptostorm.is as a VPN.


Yeah, cryptostorm does a lot to defend users against attacks. Just don't confuse it as a replacement for Tor and you're good to go.


Cryptostorm + Tor = current best solution for anonymity online.


I wish to just use OpenVPN but it's not so easy. Certificates - no problem. Forward DNS requests - there is an option for it in the config file. Routing entire traffic through OpenVPN - quite tricky unless you're fluent in command line network management tools and computer networks in general.


Try OpenVPN's Access Server - it comes with 2 free licenses and a web UI to configure it. Makes the entire process quite straightforward: https://openvpn.net/index.php/access-server/pricing.html


There is also an option to route all traffic through the OpenVPN server, and the OpenVPN HOWTO has an entry for it: https://openvpn.net/index.php/open-source/documentation/howt...

Instead of using the push setting in the server config you can also set redirect-gateway in the client config.
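As an added illustration (not from this thread, and not copied from the OpenVPN HOWTO), here are the two ways of getting the full-tunnel behaviour the comment above describes, side by side; the 10.8.0.0/24 tunnel subnet, the resolver at 10.8.0.1 and the script path are assumed values.

```conf
# ---- server.conf: push the full tunnel from the server side ----
# "def1" adds 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel instead of
# replacing the client's default route, so the original route survives and
# is restored cleanly when the tunnel drops.
# "bypass-dhcp" keeps the client's DHCP renewals off the tunnel.
push "redirect-gateway def1 bypass-dhcp"
# Hand clients a resolver that is only reachable through the tunnel,
# otherwise DNS queries still leave via the ISP (assumed address).
push "dhcp-option DNS 10.8.0.1"

# ---- client.conf: the equivalent, set locally instead of pushed ----
redirect-gateway def1 bypass-dhcp
dhcp-option DNS 10.8.0.1
# On Linux, OpenVPN does not rewrite resolv.conf itself; the pushed DNS
# only takes effect if an up/down script applies it (assumed path below).
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# Windows clients (OpenVPN 2.3.9+) can additionally block DNS to any
# resolver outside the tunnel while connected:
# block-outside-dns
```

After connecting, `ip route` (Linux) or `route print` (Windows) should show the 0.0.0.0/1 and 128.0.0.0/1 entries pointing at the tun interface, and a DNS leak check should return only the tunnel resolver.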


I often use this tool. https://github.com/apenwarr/sshuttle

No need to configure anything at remote host, no excessive amount of options. Capable of DNS forwarding, routing of entire traffic or just traffic to chosen remote hosts.


This is quite odd, most VPN routers make full tunneling very easy. Literally a checkbox in the control panel. It's when you want to do split tunneling that you have added the complexity of writing rules and sanity checking.


Hola really don't make it clear what you are installing when you download it.

All you think is, "I'm installing a browser add-on to watch Netflix in another country". You sort of assume it's only actually running when you are actively using it for Netflix, but it's running all of the time.

I first noticed something was up when I installed Hola (for Netflix) then all of a sudden Fiddler wouldn't work anymore. Had me completely stumped, then somebody on StackOverflow suggested turning off Hola and that indeed sorted it. - http://stackoverflow.com/a/19905099/969613


I think that Chrome users are relatively unaffected by this if they installed the extension through Google Play, thanks to Chrome's security model. In that case I think it's just routing the traffic through their proxy and not installing the shady zconsole or changing the SSL certificates.

Still, creating a new user profile just for watching netflix is recommended.


They've posted some kind of explanation/apology on their blog:

http://hola.org/blog/the-recent-events-on-the-hola-network


Israeli software with a backdoor! There's a surprise for you %]


Is there a way to make sure uninstalling the Hola extension removed everything Hola-related from my PC? I can imagine with the level of access this extension had (I didn't even know Chrome extensions could have this level of access) just removing the extension isn't enough.


Anyone have insights into the latest and greatest tools to search for and remove possible malware installed by Hola?


i used Hola VPN experience . i am sorry to say used bad experience for web surfing and ip changing because show the top domain surfing our country and reconnect and reconnect the hola ip. Otherwise good system and add on but reconnect the web surfing heritage. it compare the other VPN Like Ivacy and PureVpn is Good Vpn services both experience nice, not encryption from website browsing and surfing , also secure


This seems to be a good place to ask: can Hola do this via their plugins? I tried searching, but couldn't find anything.


Anyone know of a safe VPN app to use on Android? I've been using Cyberghost.


Your best option? Pick a provider that uses OpenVPN (or roll your own) and use the open source OpenVPN for Android application => https://github.com/schwabe/ics-openvpn. Done.



