This one’s going up because I know some people here on the Odeck use Hola (the Firefox or Chrome extensions for it at least) to watch content that is otherwise blocked to them because of geographical restrictions.
I know not everyone keeps up with the latest tech news, so I figured I’d do a quick write up on what’s going on with Hola and add some links for additional reading.
The long and short of it is that if you are using the free version of Hola you’re basically an exit node for someone else. This is something that is never without risk for you, if someone does something nefarious and/or illegal you might be held accountable. Why? Because they used your connection to do it. In this day and age where they want to make simply using a computer without permission illegal as fuck (and if you think I’m joking go and look into that because I am absolutely not joking and that is pure insanity, “hacking” laws are a joke and politicians and law enforcement are fucking idiots who shouldn’t be allowed to pass any such laws without first being forced to listen to actual security and computer experts, not that they’d listen to anything they were told as has been made very apparent of late) you’re basically opening yourself up to a world of hurt legally if you allow this to happen.
So quit using Hola if you are using it.
Oh yeah, guess what else they do on top of that? They charge people to use your connection! They’re making $20 per gig. That’s off a connection they pay nothing for, so they’re making a killing off of you and your connection.
It is worth pointing out that the company has also changed their FAQ in response to the story breaking. So it only now makes clear what it does and how it does it and why, but it took news of this spreading like a wildfire to get them to post that. That info wasn’t readily available before, which makes this whole thing that much worse. That info would not be up if people hadn’t found out what was going on.
Oh and it gets worse, as was also found:
And on some systems, it gets worse; Hola will happily run whatever you feed it as the ‘SYSTEM’ user. What this means in simple terms, is that somebody can completely compromise your system, beyond any repair. It allows for installing things like a rootkit, for example.
This problem is not just an ‘oversight’. It’s not a thing where you say ‘well, bugs can happen’. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn’t care about the security of their users. It’s negligence, plain and simple, and there’s no excuse for it.
That is bad, bad, bad. Especially to the average user who may not be aware of just why that is a serious issue.
So like I said in the title of the post, stay away from Hola.
And for what it’s worth, here is a great alternative to it. Keeping in mind these are paid alternatives, because per the example above you truly get what you pay for and free is seldom free without some kind of a catch.
Private Internet Access. For $39.95 a year you get an absolutely trustworthy VPN, as well as VPN access for 5 devices and this is not limited to just computers (it works with Windows, OSX, and Linux), as it also works with iOS and Android devices. Additionally assuming you’re running DD-WRT or Tomato on your router then you can also just set it up directly there. They have gateways in 15+ countries, so you’re covered if you want to check out what’s on Netflix in the U.S. or Canada or Mexico or the UK or wherever else. And so on and so forth.
Honestly, I’ve done the research on VPNs for quite a few friends of mine and Private Internet Access is always my go to recommend.
If for whatever reason you want an alternative then by all means check out TorrentFreak’s 2015 write-up on “Which VPN Services Take Your Anonymity Seriously?” It’s a great read and it certainly helps decide who you can trust and who you might want to avoid.
UPDATE! I want to tack this on at the end in the hopes people read the above and then read through and get some more info out of this post. I just saw the following shared elsewhere and am going to share the relevant part as it pertains to the story, but you can read the full thing here.
There are three issues:
1. Hola is about sharing resources
We assumed that by stating that Hola is a P2P network, it was clear that people were sharing their bandwidth with the community network in return for their free service. After all, people have been doing that for years with services like Skype. It was not clear to all our users, and we want it to be completely clear.
We have changed our site and product installation flows to make it crystal clear that Hola is P2P, and that you are sharing your resources with others. This information is now “in your face” - and no longer appears only in the FAQ.
Now, we understand some members of our community prefer not to share their resources - and that’s fine. That’s why we offer Hola Premium. To make it even easier, new Hola Premium users can purchase one month of Hola premium until end of June, and get 2 months free (send email to firstname.lastname@example.org after activation with your user name).
In 2009 as Skype was growing, it was accused of ‘stealing your bandwidth’ for being a P2P technology - see http://tech.blorge.com/Structure:%20/…
2. Does Hola make you part of a botnet?
No! Hola makes its money by selling its VPN service to businesses for legitimate commercial purposes, such as brand monitoring (checking the prices of their products in various stores), self test (checking how their corporate site looks from multiple countries), anti ad fraud (ensuring that the adverts are not inserted enroute to use), etc.
So how much bandwidth is this really “costing” you? On average about 6MB per day now, which is like an additional 3 web page loads per day or 15 seconds of a YouTube clip. You can choose this “value exchange” model, or opt out with the Hola premium ($5 per month).
Luminati is the commercial name we chose for “Hola for business”. We did not make this clear enough to our community. Therefore, we have now clarified this on hola.org, luminati.io and in our Hola FAQ. To ensure full transparency, any change to our documentation is highlighted, and includes a link to all previous versions.
There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation). The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals - as opposed to Tor for example, which provides them complete anonymity for free.
Last week a spammer used Luminati by posing as a corporation. He passed through our filters and was able to take advantage of our network. We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service. We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.
In 2011 a hacker paid Amazon and used their servers to attack the Sony Playstation network. Following such attacks, Amazon required additional proof of identity from customers for use of their network. At Hola we learned the same lesson this past week, and will be developing technological monitoring solutions to minimize the risk of abuse.
We will be boosting our security team with the appointment of a Chief Security Officer in the coming weeks.
3. Vulnerability of the Hola client
Part of the growing pains of creating a new service can be vulnerability to attack. It has happened to everyone (Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft…), and now, to Hola. Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community. We are now undergoing an internal security review, as well as an external audit we have committed to with one of the big 4 auditing companies’ cyber auditing team.
We will soon announce a bug bounty program for anyone that finds additional vulnerabilities in our products.
Hola was built for you, the user. We want to do what’s right for our community. We will continue to serve you. We have experienced the growing pains of our large network now, and are implementing these lessons.
So that’s the official statement regarding all this and while I can understand it coming out given the events of the weekend nothing of what was said am I still okay with on a personal level. I mean I get it. Trust me, of all people I get it. Shit happens. But there FAQ page was updated after the fact to reflect what was going on that the average person wasn’t aware. To me that still puts the company and Hola in the “do not trust/use” list I keep stored away inside my head. If you aren’t honest up front then I can’t help but wonder why that is. If it takes something like what happened to make you be honest then again I can’t help but wonder why that is. I mean I get that too to a degree, closing the barn door after the horses have made their escape and all, but it’s still not cool and more so because if people weren’t being alerted to all this then plenty of people would still be using Hola and opening themselves up to potential issues.
Yeah, it’s great that they keep logs (which is still kinda scary from an anonymity perspective) of who is using your connection but that doesn’t mean you won’t hear a knock on your door and open up to see law enforcement accusing you of this or that. Does that sound like a far fetched scenario? At this time and place in history? I think not.
So my opinion, yet again, is to stop using Hola VPN. There are plenty of other companies out there who are far more upfront about things like this than Hola. There are free options I’d trust more, but if you really need to use a VPN then there are definitely better options out there. You might have to pay for them, but the monthly fees are pretty low (and the yearly fees are even lower). And per this example you clearly get what you pay for.