'Free' VPN Hola is LITERALLY flogging access to users' devices

The road to woebegone peers

The architecture of the P2P VPN has provoked much disagreement between the company and outside parties regarding both the ability of Hola to take responsibility for malicious use of Luminati, and whether any effective protections could possibly be engineered to prevent such misuse.

The Register spoke to Sean Sullivan, security advisor at F-Secure, who suggested the structure of the service had to inform the apportioning of responsibility if it was misused.

Having a peer-to-peer structure, there is some credibility to the argument that Hola can’t be accountable enough for bad actors who use "its" service – because they don’t own the infrastructure, it’s made up of its users' computers. If there is a bad actor using the service to abuse people, the users are contributing to that abuse. That’s a factor which could cause some to rethink the cost of free.

As the users themselves effectively psuedonymise malicious actors with their own IP address, the service has been alleged to be commercially providing, as in the case of the 8chan attack, a kind of voluntary botnet - although the degree to which users can be considered to have volunteered is contentious.

Talking to The Register, Vilenski rejected the idea that the Hola service subverted important security standards at other sites, stating that "we are very concerned about not having cyber criminals use our network, and are doing our best to be able to offer a great service to consumers, while protecting them and the network against criminals. For this we screen users of our commercial network (Luminati) prior to them using it to avoid this type of mis-use as much as possible, and in this case [the attacker] got through our screening process. We have adjusted our procedures and technology accordingly."

Like Tor, only much larger, faster and more anonymous

Whether criminality can be screened whilst providing an effective network for users to circumvent location locks, for instance to access domestic entertainment content whilst abroad, is an established debate, as is that regarding private and unmonitored access to the internet.

However, Vilenski's claims - which do explain what is possible when preventing or redressing attacks - may be considered selective in the light of archived pages for the Luminati service.

Luminati has explicitly advertised "Real anonymity – the Exit Nodes in the Luminati network are regular PCs, laptops and phones, and thus are not identified as proxies or as Tor network nodes."

The current site has notably updated these claims about the service and now simply asserts: "Unidentifiable. Exit nodes are personal devices".

A series of updates at both Hola and Luminati, largely covering the sites' promotional and user/customer-facing material, occurred after when Brennan asserted the attack on his site began.

Brennan told The Register that "before the 26th of May, Hola's FAQ was very vague as to how the service worked".

While Hola's old FAQ stated that the service "works by sharing the idle resources of its users for the benefit of all", it does not explicitly inform downloaders that they are providing the VPN service for their peers. The current FAQ is certainly more explanatory:

Hola built a peer-to-peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that users' device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wi-Fi (not on cellular)).

These changes, Brennan notes, followed sharply after his criticisms. Vilenski does not dispute this, and told El Reg: "We are listening to the conversations about Hola and while we think we've been clear about what we are doing, we have decided to provide more details about how this works, and thus the changes in the past 24 hours."

With regard to Hola's claims that it has "more than 9,761,015 exit nodes" on its Luminati site, Brennan criticised the service, saying: "They charge $20/GB to use lines that cost them nothing, their software simply mooches off of the unfortunate users who have installed the proprietary Hola software."

He also noted that the site had formerly advertised itself as being "like Tor, only much larger, faster and more anonymous".

When The Register asked Vilenski what he thought of this, the Hola founder said that Hola/Luminati "are not good networks for hardcore cyber-criminals to use", and offered three reasons why:

• 1. TOR network is completely anonymous, and nobody (except the NSA maybe :-) has access to the source of the requests on that network. That makes it the ideal network for hardcore criminal activity, and running an exit node is most likely helping many of the wrong people, as well as putting the operator in danger
• 2. Hola on the other hand is a commercial network, run by a commercial company that has its customers and its business in mind. Thus if we sensed criminal activity on our network we are able to see the source of the request and thus to help law enforcement get to the real criminal, not the Hola user through which that traffic was relayed
• 3. The above two points seem to discourage this kind of activity on our network. We've never heard of a case where a Hola user had any such problems, despite having an install base which is thousands of times bigger than the Tor base