Free VPNs and why you should be wary

We get it – signing up for a VPN and paying money for it seems a waste when there are free VPN services out there! But do you really know what you’re getting into with a free service?

The first question is how is a free VPN sustained? There are obviously lots of ongoing costs in running a VPN service the biggest one being servers and bandwidth. Without a paid model, there has to be a way to monetize unless someone is running VPNs at a huge operating loss out of goodwill.

“If you’re not paying for a product, you ARE the product.”

– Anonymous

The most common way is to serve advertising, selling customer data or aggregated statistics on customer use. However Hola VPN, a free VPN provider, took it a step further by using a user’s bandwidth!

With over 7 million installs on the Chrome Webstore alone, it’s easy to trust such a provider. It’s free, and it works on almost all devices. You’re thinking: It must be pretty huge with a lot of servers all over the country then!

Nope. Hola uses user devices as endpoints. This means that no one is routed through servers owned by Hola but instead of through each other. And there is evidence that this has been abused leading to potentially serious security ramifications for its users.

A paid for VPN service (example: BolehVPN) instead only routes traffic through it’s own servers and its own bandwidth and uses proven techniques in ensuring privacy. The responsibility lies with us and also because we do monitor our server’s overall bandwidth usage (not user activity), we are able to ensure a consistent quality of service across our servers. The trust of the VPN provider is still key but Hola’s approach introduces outside factors as well as other users can also abuse the system as we shall see below.

What is an endpoint though?

Endpoints are nodes that talk to websites or services that other Hola users access. Basically: YOU are the VPN server. This means that your bandwidth is being used, and your real IP potentially exposed. And there’s no way to opt-out for free, only if you purchase Hola Premium.

Hola also sells YOU to commercial users through their Luminati site; their endpoints are sold as use for brand monitoring, load tests, or in one case they were used for a DDOS attack on 8chan. This means that your real IP is the IP that will show up on a website or services logs if someone were to use Luminati for illegal activities. To their credit, Hola says they have a record of the real ID of Luminati users. But do you really want to risk the headache of explaining all this to your local authorities?

You can read more about Hola’s response here.

What’s the takeaway?

Things are seldom for free. Take this in mind when choosing whether to go for a free or paid VPN service. Alternatively, if you don’t mind the slow loading speeds, TOR makes an excellent privacy tool for free, however remember that you are trusting an anonymous exit node/endpoint as well. Read more about this here and here.


Malaysian Internet Censorship in relation to 1MDB marks a new low

Regardless on which side you’re on the 1MDB debacle that has been plaguing Malaysia, suspending Edge Malaysia without first finding out whether the allegations are true, and more confusingly, after the damage had already been done is something that we at BolehVPN condemn. On a more relevant note to us, the censorship of Sarawak Report, Malaysia Chronicle and other sites is not surprising however marks an important milestone where the government has openly admitted to it.

Internet surveillance and censorship. Deeper red colors indicate more surveillance and censorship
Internet surveillance and censorship. Deeper red colors indicate more surveillance and censorship

Anti Piracy to Pornography to Political Censorship

This series of events, more importantly has seen the Malaysian government and the MCMC take increasingly desperate measures to block access to the internet and social media. Internet filtering is not new and probably began back in 2007 when they started throttling P2P using Deep Packet Inspection techniques. Yet most people didn’t really mind, as it was justified as ‘anti piracy’ though it was more likely to be a cost saving measure. In 2009, pornography filters came into the picture blocking major porn sites and again it was justified as for ‘public morality’. In 2013 during the run-up to the GE13, the government was rumored to have limited access to opposition websites (though the MCMC claimed it was due to congestion). However, in the following year, access to an article on BBC on the ‘kangkung incident’ was blocked and despite denials, there was substantial evidence to show that there was filtering.

Malaysian Government engages companies to spy on its citizens

This is also supported by reports that Malaysia engaged Hacking Team’s services and other providers in order to spy on its citizens or for political manipulation. The bad news is that yes, the Malaysian government has the tools and capabilities to spy on its citizen, the good news is that based on the e-mails, the local counterparts (Miliserv Technologies (M) Sdn. Bhd.) handling it appear to be incompetent (probably as a result of cronyism instead of meritocracy) which is rather ironic. This from a company that charges the government several million Ringgit to do this!

I highly recommend reading Keith Rozario’s post on this. Some of Miliserv’s purported leaked e-mails are quite funny.

Source: Wikileaks

I need help with my internetz, please recommend modem and router:

I’m not sure what type of modem they use, but it’s from the ISP with fiber connection.  

We use both Modem and wireless router. So the router connect to modem using internet port at the rounter.   I thing we just need to change the router only right?

Can I install my anonymizer software on a VPS?

can you help me to verify following VPS to meets the annonymizer requirements;

operating system – centos
server spec – disk – 20GB
– ram – 512MB
– virtual processor – 8
– IP – 1
– bandwidth – 400GB

2. Linode
OS: Linux CentOS
Plan linode 1024
storage 48GB
transfer 400GB
OS: Linux CentOS
• RAM: 1 GB
• Storage: 40 GB‡‡
• Bandwidth: 1,000 GB/

How do I deploy spyware on an Internet Service Provider?

Our customer from Prime Minister Office (PMO) would like to know more details about Network Injector Appliance (NIA) especially about how to deploy an agent at the ISP.

If possible I would like to request an updated document about NIA. I will be grateful if you could explain briefly about NIA such as what procedures is needed or how the technique to deploy at the ISP, requirement, specification and etc.

This is better opportunity for us to introduce to them about NIA and hopefully you can help me on this.

However the censorship of Sarawak Report marks a new low in that the government has openly admitted to censoring it and on shaky legal grounds. The sections relied upon do not actually allow censorship but prescribe fines and imprisonment. Even if it did provide for it, the MCMC still has to satisfy itself that the report falls under one of the following: indecent, obscene, false, menacing, or offensive in character with intent to annoy, abuse, threaten or harass any person.

What can you do and what is BolehVPN doing?

It’s time to use tools such as BolehVPN or TOR. BolehVPN offers a much better surfing experience however as TOR can be rather slow and painful to use.

We are offering a free 7 day trial as a show of support for a free uncensored internet in Malaysia. Process of redemption is:

  1. Create and account at our Customer Portal
  2. E-mail us with your username and put the subject matter of that e-mail as : “We support the Edge: Freedom of speech , freedom of internet
  3. We will activate a subscription for you and you will receive an e-mail.

None of our servers hosting customer data are located in Malaysia and we are taking steps to close down our Malaysian entity and transition to a company registered in a country that respects internet freedom and privacy. We do not take any logs on user activity and we also implement shared IP crowding that makes it a lot harder to attribute an outgoing connection to an incoming one.

TM/Streamyx/Unifi Services Interruption in Malaysia

There have been reports of internet service interruption from users using TM/Streamyx/Unifi in Malaysia since 4:30PM (GMT+0800).

Lowyat reports even Time Fibre users are experiencing this issue, TM has declined to comment. The cause of this interruption is yet unknown even for Telekom Malaysia. However Connectivity seems to be coming back slowly.

More information here:

P.S: TM/Streamyx/Unifi users, try restarting your modem or refresh your IP, It works for some of us.

Google files creepy patent for toys that can watch and record you.


The Internet of Things (IOT) revolution is here…Most people have a common conception of IOT as fridges telling you when you’re running low on milk, thermostats automatically controlling temperature, washing machines that tell you when the laundry is done and other mundane tasks. Google’s new patent filing shows a creepier side of IOT, by integrating them into toys that can record, watch and speak to you. It even has body gestures and facial expressions…

To express interest, an anthropomorphic device may open its eyes, lift its head, and/or focus its gaze on the user or object of its interest. To express curiosity, an anthropomorphic device may tilt its head, furrow its brow, and/or scratch its head with an arm. To express boredom, an anthropomorphic device may defocus its gaze, direct its gaze in a downward fashion, tap its foot, and/or close its eyes. To express surprise, an anthropomorphic device may make a sudden movement, sit or stand up straight, and/or dilate its pupils.


As creepy as it sounds, the privacy implications of IOT are far reaching. In the recent paper, Iota of Fear: eDiscovery of the Internet of Things, there was a reason why Google bought Nest, the company that built the smartphone controlled thermostat.

Google knows alot about its users from scanning Gmail accounts and now it will know when individuals are statistically likely to leave their house. By connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s part and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?

Having IOT also gives hackers potential control over the real world. For example, Kevin Munro has hacked into the internet connected My Kayla Doll to spew curse words. Humorous as it may be, with a slight twist, all our Chucky nightmares can be made real…

Chucky's backkkk...
Chucky’s backkkk…