I just read this news “Popular Chrome extension Hola sold users’ bandwidth for botnets” and I decided to share it with my userbase. This is a #rant post, TL’DR… It seems creating a Bot Net is now even more easier and more straightforward than ever. In summary, you can just create a Chrome, Firefox, iOS, Android extension/plugin/app for free, let it grow bigger overtime and then just sell idle users bandwidth to Bot Net for profit. And you just put that somewhere in your looong ToS that everyone just presses “I Agree, get it over with and let me use the service already“.
Geeeee wheee, and when we get in, detect a bug in large enterprise software’s and publish in our blogs, we become the Blackhat instead of getting recognition? The world has become a twisted place and IT carries the flag for flogging good Samaritans.
LuminatiVPN Network is a popular VPN Network that allows you to DoS and do all sorts of stuffs online. It’s been there for sometime and it looks like they just got bigger. By bigger I meant they’ve just acquired more bandwidth and more bandwidth for a VPN Network (Super Proxy) means bigger and more powerful DoS attack. So how did they do it? Easy…
Hola provides and service for users to view blocked videos and TV shows from other countries, much like Unblock-US and Unotelly enables you to change your DNS and thus enjoy Netflix, BBC etc. etc. from countries where they are blocked. Hola used to do that for free and their userbase went upto 9 million+ in short time. It was all good until they decided to make some money out of it. (Yes, I am fully aware the amount of time and effort the developers spent to create this ‘former great’ Google Chrome Extension and they deserve something in return but there’s other ways to make money (i.e. advertisements, affiliates etc.).
So, finally another WhiteHat gave in and became BlackHat (or a BlackHat became white collar and decided to rob us with within the limits of law) and started selling users ‘idle resources a.k.a. bandwidth’ through LuminatiVPN Network allowing anyone to use that as a Denial-of-Service i.e. DoS attack. So if you were a Hola user and someday some Law enforcement Agency comes knocking in your door accusing you of DoS’ng some random Govt. Network, you know you were the ‘mule’ who was used unknowingly for a Denial-of-Service attack orchestrated by some random cave-dweller, facilitated possibly by Hola extension.
8chan got a nice post about Hola that says something like this:
Hola “Better Internet” is an extremely popular free VPN. How it works is not very clear to all its users though, as I quickly became aware in the past week when 8chan was hit by multiple denial of service attacks from their network.
When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this. On the other hand, with the Tor onion router, users must specifically opt in to be exit nodes and are aware that completely anonymous traffic can pass through their connections, which means they should be ready for abuse reports for child porn, spam, copyrighted content and other ills that come with the territory.
Hola was created by the Israeli corporation Hola Networks Limited at the end of 2012, and at first was just the VPN service. However, Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io .
Luminati boasts of having “More than 9,761,015 exit nodes” on their website, and based on what I saw in the past week I have no reason to doubt it. The only silver lining is their greed: they charge $20/GB to use lines that cost them nothing, their software simply mooches off of the unfortunate users who have installed the proprietary Hola software.
Hola is the most unethical VPN I have ever seen.
So far as I can tell, there is no way to tell if an IP has the Hola VPN software installed or not: no tell tale open port, no special header from Luminati, and no specific range.
This is a huge issue for 8ch, which allows posters to post completely anonymously, and has some protections in place for typically abused ranges (like Tor and VPN ranges) but still allows posts through. An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.
I have had to regretfully turn on the 24 hour CAPTCHA for all users until a solution can be found, but I’m not sure how quickly that will happen. I hope that Luminati takes my advice and rejects POST requests through their service, or allows domains to pay them off for such a rejection.
Arguably Hola’s founder Ofer Vilenski has said that the site has “always made it clear” how this business model works, but Hola’s users seem to have been almost universally unaware that their bandwidth was being sold off. Hola makes money by selling idle bandwidth from its free users under the Luminati brand. Users who don’t want to contribute their bandwidth have to pay $5 a month explains the site’s FAQ.
I mean hey, seriously, I am happy to donate my bandwidth for other users (I got 100/40mbps link with unlimited bandwidth) and I don’t even use 10% of it and paying my ISP for it. But least don’t use my IP for DoS’ing and illegal activities, I guess that’s fair to ask for from any service providers. I did that for TOR network for a long long time, I did that for Torrent and before that Kazaa and so many p2p programs. But seriously, I only shared things that were legit (i.e. Linux ISO’s mostly … Download 5gb over p2p and upload 15gb before stopping seed)… but I do have a seriously objection when someone uses my IP for something that I don’t approve of. Like when was the last time you’ve read any ToS or Disclaimers of a software/plugin/extension? Maybe they are within their rights but it’s still dodgy.
A thread on Reddit discussing the news is full of commenters expressing their outrage and surprise. “I’ve had it for years,” writes one commenter, “fuck knows who has been using my internet connection!! And for what?!” Even users who might have taken the time to read Hola’s FAQ could have been misled — TorrentFreak alleges that the site “only recently” added details explaining the role of the Luminati service to its site.
James from The Verge had the best conclusion and I couldn’t agree more
“I would say the worry for some users is not only that Hola has been leeching their bandwidth, but that their connection might have been used for illegal purposes — accessing anything from copyrighted content to images of child abuse. In the case of the DoS against 8chan, Hola’s Vilenski has said that the attacker “could have used any commercial VPN network, but chose to do so with ours” and has now had their account “terminated.” Hola’s millions of users, though, might not be comforted by this news.”
Started the last year and a half or so I’ve committed to reading ToS’s and Privacy Agreements in full on websites I visit or services I sign up for. Sometimes I feel like the only person in the world who does this… but I’m glad to take the time. I’ve read some crazy nonsense that some companies try to slip in that definitely turns me off. It’s worth it to read these docs when you’re downloading apps for iOS or Android devices too… glad I never signed up for Hola.
Here’s a site that could help some folks:
https://tosdr.org/
Terms of Service Didn’t Read
“I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.
Amanda,
IT world needs people like you, specially FOSS/Open Source world.
Apache, GNU, GPL, BSD etc. licenses are used randomly around the web and it would be really nice to have a checklist or someone who got a keen interest to come up with the correct anatomy/hierarchy for these licenses including pointing out flaws and loopholes so that big corporates can’t bury independent devops so easily.
Thanks for your comment. Cheers,
-BMO
It’s simple and straightforward, and the signing authorization is provided.