'Free' VPN Hola is LITERALLY flogging access to users' devices

The VPN service Hola, which claims to have more than 9.7 million users, is now selling its access to users' machines as exit-nodes under the Luminati brand. Described as "the world's largest VPN network", Hola's Luminati brand is advertised as being simple and effective to use: "Route your HTTP, HTTPS or TLS requests to any …

  1. Anonymous Coward

    whats going on 'ere then

    9 million users will now be waiting the knock from plod for various illegal activities traced to their ip... honest it wasn't me...... let's be 'aving you.

    1. Anonymous Coward

      Re: whats going on 'ere then

      Separation of concerns is always a problem with networks unless there's extensive logging in play. For instance, Comcast has an "open" connection [xfinitiwifi] hanging out on many/most of their consumers' routers that anyone with a Comcast (ripped) logon can use. You have to explicitly tell Comcast to turn the damn thing off. Not having any desire to explore it further, I've no idea how the security is set up to separate the traffic between the home WiFi. What I do know is that the Arris routers they've been using have the TCP-32764 vulnerability and default credentials (the consumer has to change it!) that you can read on their site.

      I wouldn't mind seeing something like this being opt-in as it would drive the control freaks of all sorts right up the wall, although it does have that attribution problem/opportunity. Now the price? $20 GB for Luminat.io selling connections on other people's machines is ... even this career sailor can't find the words. I pay $40 annually for a real VPN, works across all my devices (have to pick different portals for using multiple devices simultaneously), and seems to have no limit. It keeps whatever I'm doing away from the people that have their name attached, even on public WiFi, just in case. I'm not worried about myself. Blowback on them? No.

      [They want me, all they have to do is call or come over. Being terminal has its rewards if you look at the humor. What are they going to do to me? Like I can run away? Hell, I know I'd get a hell of a lot better medical care. That's a fact. And they'd just chain me to their computer systems. Lastly, the second biggest gang in prison is... <wait for it> ... veterans!]

      1. Sven Coenye

        Re: whats going on 'ere then

        It gets even better than coming with default credentials. Whenever Comcast feels the need to reset/reconfigure it, all the settings get blown out. The admin password goes back to "password", UPnP gets turned back on, ... The only "good" thing is that they also blow away the WiFi configuration so it doesn't take too long to figure out something is wrong.

    2. Anonymous Coward

      Re: whats going on 'ere then

      > let's be 'aving you.

      Well, it really doesn't work like that.

      It is awfully hard trying to tie activity coming out of a particular IP address, or even a specific machine, to a specific user. Even when that user is the sole resident of a dwelling with a fixed IP connection and wired-only network (no Wifi).

      Without knowing the particulars of this service, I hazard it only makes the forensic discovery process much harder and even less conclusive than usual.

      Some places attempt to get around that difficulty by having laws that essentially make the subscriber responsible for whatever comes out of his router, but those laws are surrounded by uncertainty regarding their conformance to their respective legal frameworks and do not ease significantly the forensic process anyway.

      Of course, in many cases neither the accused nor less astute lawyers are aware of these evidential difficulties, which is how police can get people convicted by way of guile more than weight of proof.

      PS: I'm trained in computer forensics.

  2. Cari

    Well this completely passed me by. The twitter grapevine ain't doing its job properly.

    Nice to see an article mentioning based hotwheels and his site that doesn't lie and smear him. Good job! :)

  3. Jonathan Richards 1 Silver badge
    FAIL

    Finding work for idle nodes

    It worries me that the definition of idle includes 'no mouse or keyboard activity detected'. How do they know that, then? Clearly the Hola-running node must report to the network on keyboard and mouse actions. What does it report, and how often? Personally, I wouldn't touch something like this with a very long barge-pole; the opportunities for coming unstuck seem practically limitless.

    1. Jess--

      Re: Finding work for idle nodes

      If I was writing software that had to rely on whether the system was idle or not I would ask the operating system periodically (say once per minute) whether power saving had been activated (screen off / hard drive spun down / cpu speed dropped etc) or screensaver activated. Then, if those tests say the system is idle, have the software report as being available on the network and continue checking that the system is still idle, but at an increased frequency (maybe once every 5 seconds).

      As soon as the tests say that the system is not idle, report to the network that the system is not available.

      Doing it this way would allow my software to know whether there had been any activity without knowing (or needing to know) the details of the activity (leave that to the underlying operating system).

    2. Anonymous Coward

      Re: Finding work for idle nodes

      > It worries me that the definition of idle includes 'no mouse or keyboard activity detected'. How do they know that, then?

      I do not know about "they". That said, with my programmer hat on, "idle" means that CPU, disk, or network load, or some other criterion or combination thereof, is below a given threshold, not that the user is not moving the keyboard or typing away.

      In any event, both circumstances can be detected by querying the operating system or desktop environment via appropriate APIs (e.g., /proc/stat, KIdleTime, or similar stuff depending on what exactly you are trying to achieve).
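The approach sketched in the two replies above, as an added example that is not part of any comment and not Hola's code: a load-based idle test computed from two `/proc/stat` samples, driving the slow/fast polling scheme, with only a boolean state change ever reported. The sample lines, the 0.95 threshold, the `IdleReporter` name and the message shape are assumptions made for illustration.

```python
# Added illustration; thresholds and message shape are assumptions, not Hola's code.
SLOW_POLL_S, FAST_POLL_S = 60, 5   # poll intervals suggested in the reply above

# Constructed aggregate "cpu" lines in /proc/stat layout:
# user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_START = "cpu  1000 0 500 8000 100 0 0 0 0 0"
SAMPLE_BUSY = "cpu  1600 0 800 8100 100 0 0 0 0 0"
SAMPLE_QUIET = "cpu  1605 0 805 9090 100 0 0 0 0 0"


def cpu_times(stat_line):
    """Return (idle, total) jiffies from the aggregate 'cpu' line."""
    fields = stat_line.split()
    if not fields or fields[0] != "cpu" or len(fields) < 6:
        raise ValueError("expected the aggregate 'cpu' line of /proc/stat")
    values = [int(v) for v in fields[1:9]]   # guest time is already in user
    return values[3] + values[4], sum(values)  # idle + iowait, everything


def idle_fraction(before, after):
    """Share of CPU time spent idle between two samples (0.0 to 1.0)."""
    idle0, total0 = cpu_times(before)
    idle1, total1 = cpu_times(after)
    elapsed = total1 - total0
    return (idle1 - idle0) / elapsed if elapsed > 0 else 0.0


class IdleReporter:
    """Two-rate poller: only a boolean state change would leave the host."""

    def __init__(self, threshold=0.95):   # assumed cut-off for "idle"
        self.threshold = threshold
        self.available = False

    def observe(self, before, after):
        """Return (message or None, seconds until the next poll)."""
        idle_now = idle_fraction(before, after) >= self.threshold
        message = None
        if idle_now != self.available:     # report transitions only
            self.available = idle_now
            message = {"available": idle_now}
        return message, FAST_POLL_S if idle_now else SLOW_POLL_S


if __name__ == "__main__":
    reporter = IdleReporter()
    for prev, cur in [(SAMPLE_START, SAMPLE_BUSY), (SAMPLE_BUSY, SAMPLE_QUIET)]:
        print(reporter.observe(prev, cur))
```

Low CPU load is a proxy for an unattended machine, not proof of one; an audit of a client like this would compare what it actually transmits against the single flag this design needs.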

  4. nancystuart

    Down with Hola, Up with Ivacy

    I was using Hola, but when I heard the news, I stopped using it immediately. The company was practically selling my bandwidth to God knows who! Now I’ve decided never to go for a free vpn... I’ve now started using Ivacy VPN and I must say it’s a good one.

  5. Steph718

    Free VPN a bad choice

    It makes little or no sense using a free VPN when your primary objective is anonymity while surfing.

    More so after the recent exposes. Maybe we should keep away from "free" vpn and use paid ones like Slickvpn, Ghostpath, Cyberghost etc.

  6. Anonymous Coward

    Stay away from most of free vpns

    As they have to get money from somewhere, VPN services need to sell something, and these will be your logs. If you are not paying anything, think twice before installing these applications on your device. They said that keeping logs and found logless and free vpn named zpn.im. Will wait and see if it's true to no log keeping and no 3rd party information share.


Biting the hand that feeds IT © 1998–2022