Selling users' bandwidth is shady, but consistent with VPN usage (i.e. traffic routing). You can present it as "hey, that's our actual business model, we just forgot to tell you guys" and maybe get away with it.
But this:
> Hola [...] installs its own code-signing certificate on the user's system.
>
> Hola contains a built-in console ("zconsole") that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software plus read and write content to any IP address or device.
This is going so far into shady territory it becomes indistinguishable from actual malware. This is Lenovo/Superfish all over again.
Completely different. Superfish, I'm willing to believe, was just incompetence/indifference. If Hola really is installing a backdoor with high privileges, then that's deliberate malice.
> Superfish, I'm willing to believe, was just incompetence/indifference. If Hola really is installing a backdoor with high privileges, then that's deliberate malice.
But that's what Superfish was as well. Why are you willing to give Superfish a free pass on doing the same thing?
Yes, that's what Superfish was. However, I'm willing to believe that Lenovo's marketing department was incompetent enough to agree to bundling it without malice.
I assure you that at any large company, especially one the size of Lenovo, the marketing department does not single-handedly make any technical decisions.
Not sure, but I think I might be on madeofpalk's team on this one too: Superfish was ostensibly doing it to feed data into targeted advertising; Hola has no such (marginally) benevolent excuse.
First, I fundamentally disagree that targeted advertising is in any way benevolent, even marginally. Though that's a debate for another thread.
However, they knew full well what the consequences of this mechanism would be[0]. I find it impossible to believe that there was no person at any point along the chain who knew that MITMing all connections would be a security vulnerability[1]. And if that somehow managed to be the case, that makes them even less credible in my mind, since they're an OEM. They really have no excuse.
[0] I mean, seriously, just look at the name "Superfish". That's not a catchy phrase invented to publicize the vulnerability, like "Heartbleed" and "Shellshock". That's the actual name of the company whose product Lenovo bought.
I think there's a second question. Who are we mad at in Lenovo/Superfish, and who knew about the risks.
I'd be mad at Lenovo, because they installed the malware without considering the consequences. I can, however, believe that plenty of decision-making people at Lenovo were unaware of the risks underlying the software.
So, does Lenovo have more in common with the consumer who did something dumb based on poor information, or with the vendor distributing malware?
There is quite a difference between the security issues of MITM HTTPS and installing a control console. The first is a potential security issue that might lead to something bad; the second is already one of those bad things that might happen, given that this console is as exploitable as it sounds.
Installing a backdoor is only OK for operating systems? Like Android, which can remotely and automatically remove apps? Or Amazon, which can delete books, etc.?
That's the business model of VCs and founders, not the companies. The company business model will only be established on 3, if they monetize. Selling to the bigger fool not included, of course.