Hola VPN turns 10M users into exit nodes

Hello, Fredrick Brennan here (8chan owner).

They changed their FAQ IN RESPONSE to my breaking the story on this.

Proof:

Google cache of Hola FAQ as of 26 May: https://archive.is/tgujS

As you can see, there is no mention of Luminati, or the underlying mechanics at all.

I published hola.html and updated my global announcement just hours before the FAQ change: https://twitter.com/infinitechan/status/603178141650026498

There are millions of users who installed this and do not know how it works. Please do not downplay this issue.

And that somehow makes what they're doing OK?

Out of interest: Do other vpns work the same way? Even if it's clearly stated in the FAQ, not everybody reads them.

Never use proprietary clients if possible. Also on the VPN server side, you could investigate the option to create your own VPN server in a few minutes https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...

I'm not sure this will get seen but - is there an OpenVPN client for Windows that doesn't suck?

Hola explicitly say this is why they're able to offer the service for free http://hola.org/faq#in_how_is_free

dchuk beat me to it!

Good luck with that in China mate!

I had also broken down the way this works a long while ago and found they have a lot more proxies than this. In some cases they just have a digitalocean VPS running somewhere to help beef up the network.

It was only recently that they started requiring the user auth for the proxy access, earlier it was a free for all without any auth at all. Now they have the option to track which accounts are causing traffic on their network and potentially put a stop to them (not that is isn't difficult to get around)

I wish it was the other way around, mass-spread sharing of internet access leading to it becoming the norm and people finally getting some privacy from mixing their connections.

Judging by in what context I have read about Hola so far, I guess the biggest use case is to circumvent geo block to access things like Netflix. But yeah, ever since I learned that I am acting as an exit node for others I have stopped using the service as I do not want to be the one answering for stuff others have done in my name(IP).

Let's hope there's safety in numbers.

Copypaste is rate limited, he had this to say: https://twitter.com/HW_BEAT_THAT/status/603741442490642432

"The user flooding himself (Bui) spilled the beans and told me how he did it voluntarily in IRC. Otherwise I'd have no clue."

"Ah, the user flooding himself (Bui) spilled the beans and told me how he did it voluntarily in IRC. Otherwise I'd have no clue." -Fredrick Brennan (8chan)

One way to find out (not saying this is how it was done) would be to spin up a machine running Hola and see where the traffic goes.

Tunnelbear recently released a chrome plugin for their VPN service. I hear good things about it. (I personally use the application on my Mac)

Try https://zenmate.com/

Just use Tor Browser, it's "extract and launch".

Spin up VPS instances across multiple cities, countries and continents.

Hook them up with Docker and connect them with Swarm.

Label them with an IP/city/country/continent combination.

Use Docker Swarm's affinity labelling to start instances in a particular city when needed. Additionally record the last IPs used and use Swarm to not deploy to those servers.

> We've been using it in our company but it feels expensive.

I just looked up the cost and no kidding at $20/GB.

I work for Scrapinghub which has a Proxy API which may work for you: http://scrapinghub.com/crawlera

Pricing is a lot less and we only use our own IPs.

It's not clear that part of the article is even true.

They appear to just sell VPN server by the GB. I see nothing about a botnet in there, there is no traffic amplification or ability to run programs on the clients.

For technically inclined people, setting up your own SOCKS proxy is the simplest method possible.

1. Get a cheap server (ex: DigitalOcean $5/month) in the city/country you want to connect through.

2. Add these 2 lines to /etc/ssh/sshd_config:

AllowTcpForwarding yes

GatewayPorts yes

3. Restart sshd (service ssh restart), or restart the server.

4. Connect to the server setting a dynamic port forward. On linux or Mac, this is just "ssh -D 8000 [email protected]". On Windows, putty lets you set a dynamic port forward.

5. Personally I use Chrome for my real browsing, and then use Firefox for the proxy since it allows configuring a proxy for the browser only rather than the entire operating system. You just set the SOCKS proxy under advanced networking settings (host 127.0.0.1, port 8000).

6. If you want all internet traffic to go over the proxy rather than just Firefox, this is easy on Mac through the Network Preferences panel. I'm not able to comment on linux/Windows in this regard.

https://www.privateinternetaccess.com/ (PIA) works for me. Of course with any VPN you run the risk of providing all of your information through a (potentially) captured source.

I use NordVPN, which I have no complaints about. But occasionally I'll get a 1 week token from cryptostorm (https://cryptostorm.is/)

They have an interesting model: you buy a token that expires after a certain length of time (1 week, 1 month, 1 year, etc). The clock doesn't start ticking until the first time you log in. Instead of registering a username/password, you're sent the token via email and your login ends up being a sha512 hash of the token for the username. There is no password associated, just the hash of the token is all you need.

I like this because you're able to buy 'disposable' accounts basically. They take bitcoin and some alt coins too, which is nice. Dns protection and access to .onion and .bit domains. It all seems pretty solid. NordVPN tends to be a little bit faster for me, though it may depend on which servers you use.

I usually point people to this: http://torrentfreak.com/anonymous-vpn-service-provider-revie...

As a former privacy VPN operator I can tell you its extremely hard to operate one securely.

i've been renting a cheap-as-dirt vps ($15/yr) and just using sshuttle[0] to proxy through it which works great for my circumstances (my school blocks nonstandard ports but is just dandy with 22)

[0] https://github.com/apenwarr/sshuttle

HideAway: Uses rules so can be always on http://www.firetrust.com/en/products/hideaway

This company looks interesting - https://www.tunnlr.com/ I learned about them from http://devio.us/ (which is great when it works...)

I did the trial for 1 day and tried them out. Have no pressing reason to continue for now but have filed them in the mental rolodex.

Roll your own: https://www.digitalocean.com/community/tutorials/how-to-setu...

We detached this subthread from https://news.ycombinator.com/item?id=9615441 and marked it off-topic.

Explain what is wrong with gamergate. I don't game so I don't know. Seems to me reddit is the site you should be hating.

Edit: Actually after thinking it over, it's free speech you should be against.

It really sucks when sites host opinions you don't agree with doesn't it? I googled gamer gate and they seem to be against people exactly like you: People who want to shut down other peoples opinions that they don't agree with.