Adios, Hola
May 31, 2015 8:46 AM   Subscribe

Hola is probably the most popular VPN service today, allowing unblocked access to region-locked content. It has been discovered, however, that they have been selling access to their network to third parties. Hola was just used as a botnet for attacking 8chan. Adios, Hola lays down the reasons for why the extension is problematic, and helps you determine whether you are at risk. Hola's response? That was the agreement all along.
posted by Pyrogenesis (37 comments total) 17 users marked this as a favorite
 
"If it's free, you're not the customer, you're the product" Part 897198534.
posted by T.D. Strange at 8:50 AM on May 31, 2015 [5 favorites]


An appropriate Metafilter t-shirt, I think.
posted by BinaryApe at 8:51 AM on May 31, 2015 [4 favorites]


The free Hola users who are troubled by this somehow expected Hola to provide a free VPN service out of the goodness of its own little corporate heart? I don't expect the average user to understand how Hola's network-sharing works, but a free, no-ad ongoing service didn't elicit any suspicion?
posted by chimaera at 9:11 AM on May 31, 2015


Where do I sign up to assist future attacks against 8chan?
posted by idiopath at 9:12 AM on May 31, 2015 [35 favorites]


And on some systems, it gets worse; Hola will happily run whatever you feed it as the 'SYSTEM' user. What this means in simple terms, is that somebody can completely compromise your system, beyond any repair. It allows for installing things like a rootkit, for example.

Well, then. Glad I never got around to trying this out.
posted by XMLicious at 9:14 AM on May 31, 2015 [2 favorites]


Charlie Chan is top Chan, Stanstanistan is top Stan.
posted by rankfreudlite at 9:16 AM on May 31, 2015 [1 favorite]


But I can still access American and British Netflix, right?*

*I'm Canadian.
posted by Fizz at 9:17 AM on May 31, 2015 [5 favorites]


somehow expected Hola to provide a free VPN service out of the goodness of its own little corporate heart?

Setting up some kind of peer to peer VPN network, that only uses your bandwidth when your computer is completely idle + connected to wifi/wired internet sounds like a decent idea to watch TV in other countries, and I've not got a problem with adding a $5 premium service to make money, which lets you get the benefits without contributing your bandwidth. On the face of it, that sounds like a reasonable (though possibly legally sketchy? I don't know) business.

On the other hand, selling your P2P bandwidth as a botnet, that's sketchy as fuck. So no, I don't think you get to moralise about consumer naivety here, this is on Hola.
posted by Ned G at 9:29 AM on May 31, 2015 [15 favorites]


This is why I'm usually a late adopter.
posted by double block and bleed at 9:45 AM on May 31, 2015 [3 favorites]


Sooner or later there's going to be a major legal challenge to the idea that the User Agreement constitutes due notice or consent, simply because everyone just clicks through it, and propose that specific positive acknowledgement be required for any of certain categories of activity. A little like how on some forms they make you initial every line, and sometimes have a process in place where somebody reads every line to you out loud before you initial it.

Android is a step in the right direction where at least they tell you in a specific step what kinds of shit you're allowing the app the technical ability to do, leading some of the more responsible app makers to provide a web page in which they tell you what they use those permissions for.
posted by George_Spiggott at 10:02 AM on May 31, 2015 [9 favorites]


"And on some systems, it gets worse; Hola will happily run whatever you feed it as the 'SYSTEM' user. What this means in simple terms, is that somebody can completely compromise your system, beyond any repair. It allows for installing things like a rootkit, for example."

There is a reason why I only tried Hola in a Linux VM -- despite the fact that flash video playback tends to be rather crappy that way -- and this is that reason. So hey, go due caution and like that. I've just deleted that VM so I won't be tempted to use it again.
posted by George_Spiggott at 10:12 AM on May 31, 2015 [1 favorite]


Looks like Hola recently edited their ToS on this subject, according to the comments on the TorrentFreak article. Before and After.
posted by KathrynT at 10:16 AM on May 31, 2015 [1 favorite]


"Sooner or later there's going to be a major legal challenge to the idea that the User Agreement constitutes due notice or consent, simply because everyone just clicks through it, and propose that specific positive acknowledgement be required for any of certain categories of activity."

Find a service that's popular with Representatives, Senators and Judges (Supremes, ideally) and and add some buried, completely typical, but definitely unpleasant, clause to the EULA. That will get you legislation and/or legal action in no time.


Android is a step in the right direction where at least they tell you in a specific step what kinds of shit you're allowing the app the technical ability to do, leading some of the more responsible app makers to provide a web page in which they tell you what they use those permissions for.


It would be better, if it where done right there during the installation process. Why does that off-line game need access to my contacts and GPS? I'd like to know when I'm thinking of installing it, without having to leave the app store and go hunting for the information (cause android multitasking is so much fun!).
posted by oddman at 10:28 AM on May 31, 2015 [1 favorite]


Find a service that's popular with Representatives, Senators and Judges


Some sort of niche porn, I'd imagine.
posted by TheWhiteSkull at 10:46 AM on May 31, 2015 [3 favorites]


Android M to ask for permissions on first use, rather than at installation. Though I think it still won't tell you why it needs a specific permission.
posted by dirigibleman at 10:48 AM on May 31, 2015 [1 favorite]


Android M to ask for permissions on first use, rather than at installation.

I was wondering why this would be an improvement -- I prefer to be warned off before installing rather than after. But then I read it. The key thing is that it asks for individual permission -- camera, contacts, etc. -- rather than wholesale.

iOS has been doing this for a while. I typically leave it set to "ask every time", except for things like a QR scanner where I know it's doing it and granting permission just gets in the way.
posted by George_Spiggott at 11:18 AM on May 31, 2015


Why is it every program with "hello" or equivalent is a jerkface pain in the neck nobody wants?

First it was Bonjour, Apple's we're installing this useless cruft without your permission and will continue to do so with every iTunes update no matter what service. Then it was Hola, the VPN that's really a botnet. And a little while back Firefox added Hello, the mandatory cam-chat add-on you didn't ask for and maybe haven't even noticed yet, that is definitely not secretly recording you right now, nope, nope, nope!
posted by Sys Rq at 11:33 AM on May 31, 2015 [2 favorites]


Well, yes. I tried Hola for a bit in a sandbox, but it scored too highly on my VPN Creepometer. Things like - too much low level access, no easily researchable personnel info on the website (although they do have an address there), operating from a location where I don't understand the legal protection my data has, and me not believing their published business model. There is enough out there to find who the principals of Hola are and what their background is: this did not particularly reassure me. (I forget the details, but not the fact I decided Hola was Nola.)

But then, all VPN providers fall somewhere in that spectrum. If you want a good example of how 'ooo free stuff' together with 'how dare you block me! I can beat that!' combines to radically overrule any sense of "who's got my data and what are they doing with it?", then just look at public perceptions of VPNs. If you use one, you are giving it all your network traffic to play with, and if you use one that wants a special client installed rather than going through your OS's standard VPN client, you're exposing a lot more. It's a combination of malware with MITM, at least potentially, and if I were out to be really nasty to a lot of people with the added benefit that a lot of them would be shy about going to the plod, I'd have a VPN service set up. Come! Play!

People regularly indulge in Google/MS/Apple/telco/state paranoia, all places that have far higher barriers to internal abuse than FREETEEVEEZ VPN running out of Lower Oblivia. But that lovely little cuddly VPN with the cartoon bear or the happy complicit "we with you, bro!" marketing message? Why, that's delightful!

I don't like making predictions, but here I will: far worse to come.

(the only VPN I trust is my home one, which I use when on my non-home network to route my mobile traffic through a tunnel to my domestic broadband. Good when abroad for UK geo-blocked services, for additional reassurance on public wifi, and all that sort of thing.)
posted by Devonian at 11:47 AM on May 31, 2015 [4 favorites]


> a little while back Firefox added Hello, the mandatory cam-chat add-on you didn't ask for and
> maybe haven't even noticed yet

Note that Mozilla hasn't even bothered to say "Don't be evil" for itself. They pretty much work for Google now and my magic 8 ball tells me they figure Google's "Don't be evil" covers everything.

PS, my ancient 32-bit Craigslist laptop did not die, is now back to running as well as ever (I ain't an MCSE for nothing), and I can now add IDNHA webcam to the merit badges on my sash, along with to IDNHA TV.
posted by jfuller at 1:06 PM on May 31, 2015 [1 favorite]


this seems like as good a place as any to talk about how pleased i am with sshuttle, which basically tunnels your whole connection through ssh transparently with a single command. i've been using it as a public wifi condom in conjunction with a really cheap ($15/year) vps -- not specifically advocating any hosts but lowendbox is a great place to find them. only drawback is no windows support, but i've been seeing that as less and less as a drawback lately
posted by p3on at 1:15 PM on May 31, 2015 [4 favorites]


And a little while back Firefox added Hello, the mandatory cam-chat add-on you didn't ask for and maybe haven't even noticed yet, that is definitely not secretly recording you right now, nope, nope, nope!

haha wow, I hadn't even heard of this until now. FYI, to disable it, you must go into about:config and toggle off the vaguely-named "loop.enabled" variable. I guess I should give them a little credit for even giving people the option to disable it, but that is some pretty shady shit right there.
posted by indubitable at 1:45 PM on May 31, 2015 [6 favorites]


Can they guarantee that it'll ONLY be used as a botnet for the purposes of attacking 8chan? Just... curious.
posted by Sequence at 1:57 PM on May 31, 2015 [1 favorite]


I use LBE security master (English translated version 5.4.8358 on XDA) to control app permissions - you need root for this, but at least apps can then only access the areas of the phone you allow, regardless of the permissions you grant at installation.

I feel sorry for the poor folks with no more sense than to stick with iPhones where you have no control of your own privacy. And the really pathetic part is that it took a friggin Chinese app to protect us on Android!
posted by Yosemite Sam at 2:08 PM on May 31, 2015


A second vote for firefox.hello?wtf. I disabled it as per the directions, and nervously hope the fix is more than just cosmetic.
posted by hexatron at 2:34 PM on May 31, 2015


I still haven't rooted my Android phone because it requires unlocking the bootloader (which wipes the phone and voids the warranty). Android isn't in much of a better place control-wise than iOS.
posted by BungaDunga at 3:51 PM on May 31, 2015


oh, and I was expecting this post to be about the multiple remote-exploitable 0-days recently announced in the Hola client. but no, so apparently they're not just shitty programmers, they're shitty people too.
The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application
contain multiple vulnerabilities which allow a remote or local attacker to gain code execution
and potentially escalate privileges on a user's system. Additional design flaws allow a Hola
user to be tracked across the internet via a persistent ID. Furthermore, as Hola users -
wittingly, or otherwise - act as exit-nodes for the overlay network, each is capable of acting
as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial
'bandwidth' service, Luminati, and thereby compromising the privacy and anonymity of their
browsing and exposing them to further attacks.
posted by russm at 7:01 PM on May 31, 2015


I too was weirded out by how ok people seemed with this service. It was very "don't look a gift horse in the mouth". I WANT to pay the service that will be be handling my data. How many "oh noes this free app is actually doing awful shit" instances do we have to go through? I'm old enough to remember all the sketchy P2P clients, uTorrent was relatively pretty recently awful, etc.

You can get good VPN service from somewhere like mulvad for under $10 a month. I really wish some service like that would develop like, the car2go of VPNs where you only pay for time used and you can just flip it on if you want to watch BBC iplayer or something and pay like 42 cents, but still it's cheap.

I wouldn't trust anything like this that was free unless it was the free trial to a paid service.
posted by emptythought at 10:09 PM on May 31, 2015


So if Hola is disabled, does it still use background bandwidth, etc.? A friend will soon be overseas I'm wondering what advice to give on this.
posted by Hactar at 10:36 PM on May 31, 2015


I wouldn't trust it unless you can, with your own two eyes, verify that it's not allowing incoming/outgoing connections. Something like wireshark might be a good tool to verify that, though figuring it out it might be a bit of a steep learning curve for non-techies. I

For "hello" I'd recommend maybe also setting the loop.server to "localhost" if you never ever intend to use it. I just noticed that stupid little grinning cartoon balloon on my toolbar since sys_rq mentioned it, maybe someone more familiar with it can verify that setting does what I think it does? I know for a fact it's not recording video of me at least, what with the gaff tape over the little hole in top of my bezel.
posted by mcrandello at 3:02 AM on June 1, 2015


According to the security advisory, the only safe thing to do is to uninstall it (and hope your machine hasn't been compromised already).
posted by russm at 3:39 AM on June 1, 2015


Firefox's Hello is it's implementation of WebRTC, which is built into all major web browsers not made by Apple (Facetime) or Microsoft (Skype). Unlike Firefox, it is impossible to disable WebRTC on Chrome.
posted by dirigibleman at 8:49 AM on June 1, 2015 [1 favorite]


I too was weirded out by how ok people seemed with this service. It was very "don't look a gift horse in the mouth". I WANT to pay the service that will be be handling my data.

Paid services are not necessarily any better. The question is: Can users see and review the code?
posted by anemone of the state at 12:23 PM on June 1, 2015


So if Hola is disabled, does it still use background bandwidth, etc.?

Based on some quick tests with the adios-hola web site, it looks like Hola does keep doing its background thing if you turn off the extension via Hola's own controls. But disabling it via Firefox's add-on manager does seem to truly disable it (and it opens up a "why u uninstall us?" page on the Hola web site, since I don't think an extension can tell the difference between being disabled and being uninstalled).
posted by klausness at 3:01 PM on June 1, 2015 [1 favorite]


If anyone has any good suggestions for alternatives to Hola, I've posted a question about this to Ask Metafilter.
posted by klausness at 3:27 PM on June 1, 2015


Hola now has posted a response to "The recent events on the Hola network"
posted by Blasdelb at 2:56 AM on June 2, 2015


The "Luminati" website (https://luminati.io/ if you want to visit) that's supposedly run by Hola doesn't even give any pretences about what it's selling. Those diagrams could literally only be showing a DDoS attack. (If they're trying to sell it for purely white hat load testing, why is the client in a different country than the target?).

So, so incredibly shady (slash illegal).
posted by leo_r at 11:53 AM on June 2, 2015


I feel sorry for the poor folks with no more sense than to stick with iPhones where you have no control of your own privacy.

Maybe it's because we don't have so much to worry about from Apple?

Appleā€™s Tim Cook Delivers Blistering Speech On Encryption, Privacy
posted by Johnny Wallflower at 5:40 PM on June 2, 2015 [1 favorite]


« Older Fatal police shootings in 2015 approaching 400...   |   We all need something to do, someone to love, and... Newer »


This thread has been archived and is closed to new comments