[Update 7 - WikiLeaks have removed one of the US mirrors shortly after a Telegraph story went live - see my latest post, you might like to read the below first for context though]
It’s been a tough week. My work backlog has grown since I’ve been ill most of the time, and I’ve been trying to catch up. However, just as I was going to bed tonight, my girlfriend was still at her office in Paris. She’s been writing some press coverage of the latest WikiLeaks release, and since it all went live tonight, I took a break to check out some of the work.
Techie as I am, eventually I branched off from looking at the press stories to see where the WikiLeaks Warlogs site servers were hosted – and since I was expecting it to be Sweden, I was somewhat blown away. It’s made me question if I’m still full of Ibuprofen, but I had to put this up to get some feedback.
First of all I checked Netcraft. This reported it was hosted on Amazon EC2 in Ireland. Ireland? Amazon Web Services? I thought it was wrong.
So then I checked what IP addresses were being returned globally and this is where it got really strange.

Originally when I wrote this there were four mirrors, but now there are five. The weird bit? Three out of the five are with US-owned company Amazon’s EC2 hosting service. A US-owned company. Two of those – two out of the five current mirrors – are on US soil in their west-coast datacenter. The remaining two are with Octopuce in France.
Isn’t it strange that WikiLeaks would host its latest inflammatory content on US soil, or even that some of the mirror servers are owned by a US company? WikiLeaks has taken great pains to ensure hosting of content in Sweden or other “friendly” jurisdictions in the past, and in fact their donation link is reporting itself as in Iceland. The US and Ireland – and France for that matter – don’t seem like the safest “haven” for this data to remain online, after all in the past we’ve been told those “havens” are Iceland, or Sweden. What happened to those reputed Scandinavian bunkers?
To be clear, this set of IP addresses isn’t a CDN. WikiLeaks isn’t giving French IP addresses to French visitors to aid in speed; this is a round-robin DNS spreading traffic crudely across multiple hosts around the world to cope with traffic and DDoS. What’s weird is that none of the IPs are in Sweden, and all of them are in jurisdictions with relatively straightforward cease-and-desist legislation, and for any of them to be in the US seems absurd.
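The round-robin versus geo-aware distinction above can be checked by comparing the A records returned to resolvers in different places; the sketch below is an added example, not part of the original post. The addresses and the prefix table are constructed (RFC 5737 documentation ranges), arranged to match the five-mirror split described in the post.

```python
import ipaddress
from collections import Counter

# Constructed A-record answers seen from three vantage points. Addresses are
# RFC 5737 documentation ranges, not the real mirror IPs.
ROUND_ROBIN = {
    "dublin":   ["192.0.2.10", "198.51.100.20", "198.51.100.21", "203.0.113.30", "203.0.113.31"],
    "paris":    ["203.0.113.31", "192.0.2.10", "198.51.100.20", "198.51.100.21", "203.0.113.30"],
    "san-jose": ["198.51.100.21", "203.0.113.30", "203.0.113.31", "192.0.2.10", "198.51.100.20"],
}
GEO_TARGETED = {  # what a geo-aware service would look like instead
    "dublin":   ["192.0.2.10"],
    "paris":    ["203.0.113.30", "203.0.113.31"],
    "san-jose": ["198.51.100.20", "198.51.100.21"],
}

# Constructed stand-in for a whois/ASN lookup: prefix -> (host, country).
PREFIX_OWNERS = {
    "192.0.2.0/24":    ("Amazon EC2", "IE"),
    "198.51.100.0/24": ("Amazon EC2", "US"),
    "203.0.113.0/24":  ("Octopuce", "FR"),
}

def classify(observations):
    """Same address set everywhere (order aside) means round-robin."""
    distinct = {frozenset(answers) for answers in observations.values()}
    return "round-robin" if len(distinct) == 1 else "geo-targeted"

def locate(ip):
    """Map one address to (host, country) using the prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, owner in PREFIX_OWNERS.items():
        if addr in ipaddress.ip_network(prefix):
            return owner
    return ("unknown", "??")

def exposure(observations):
    """Count mirrors per (host, country) over every address observed."""
    pool = set().union(*observations.values())
    return Counter(locate(ip) for ip in pool)

def share(observations, country):
    """Fraction of mirrors in a country; with round-robin this is also
    roughly the fraction of visitors sent there, wherever they are."""
    counts = exposure(observations)
    hits = sum(n for (_, cc), n in counts.items() if cc == country)
    return hits / sum(counts.values())

if __name__ == "__main__":
    print(classify(ROUND_ROBIN), dict(exposure(ROUND_ROBIN)), share(ROUND_ROBIN, "US"))
```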
To caveat this, these are their front-end IPs. These nodes could simply be serving data retrieved from those reported bunkers. But it still seems strange to me. Conspiracy theorists might ponder if it’s just asking for trouble. The US’s position, reported tonight by the BBC, is that “WikiLeaks has committed a crime by publishing stolen documents”. If true, why exacerbate it by doing so on US machines? Hasn’t that now just brought the issue smack bang into US jurisdiction?
Maybe it’s the Ibuprofen and I’m missing something – but this seems very odd to me.
[Update 1 - Saturday 23rd] - WikiLeaks.org itself has now switched to these same servers, meaning the primary public-facing URL is now in part hosted inside the US, and in part by a US company.
[Update 2 - Saturday 23rd] – Another mirror has been added in Amazon’s west-coast US region increasing the amount of traffic being served from inside the US.
[Update 3 - Saturday 23rd] – My post has been picked-up by cryptome.org on their homepage
[Update 4 - Monday 25th] – My post has been picked up and covered by The Register
[Update 5 - Tuesday 26th] – Netcraft has picked up my post and concurred with the location data
[Update 6 - Tuesday 26th] – Telegraph story links here too
[Update 7 - Tuesday 26th] – WikiLeaks have removed one of the US mirrors shortly after the above Telegraph story went live



They are waiting for the U.S. to shut down those servers so that they can say “Oh, look at the information the U.S. doesn’t want you to know!”
It’s a publicity stunt, and a nice catch by you.
The thought crossed my mind too. It certainly seems an odd provocation.
I think I spoke a little too much like that is definitely their intention…. but that’s sure where I’d put my money right now.
In Ireland too:
http://geotool.flagfox.net/?ip=46.51.186.222&host=warlogs.wikileaks.org
Hostname: warlogs.wikileaks.org
IP Address: 46.51.186.222
ISP: Amazon EU DC
Continent: Europe
Flag: IE
Country: Ireland
Country Code: IE (IRL)
Region: Dublin
City: Dublin
Latitude: 53.3331
Longitude: -6.2489
Local time*: 23 Oct 2010 19:50
SO ?????
As I mentioned in my post, the Ireland servers are also on Amazon Web Services which is a company headquartered in the US.
It appears to be Ireland for you due to Amazon’s configuration that loads servers geographically (Ireland server for Irish customer, US server for US customer, etc.)
Hi – thanks for your comment! However that’s not correct as far as I’m aware; Amazon doesn’t publicly offer geographic DNS resolution for application servers, only for its CloudFront service which is only usable for static files at the moment (i.e. anything you can put on S3, its only permitted origin service). WikiLeaks’ DNS is using a round-robin resolution which in fact means users in Ireland are in fact no more likely to get to an Irish server than a Parisian one.
However the greater point is that it’s on Amazon at all, since it’s a US-owned company, and furthermore on US soil – which would seem to perpetuate the accusation of criminality against WikiLeaks now that the artefacts are hosted within US jurisdiction.
Probably because of “scheduled maintenance.”
It’s not octopuse, it’s octopuce: “puce” means “chip” as in “computer chip” in French
Corrected – thanks!
We’re talking about this here: http://acidpulse.us/viewtopic.php?f=3&t=3967 as well.
Great to know – thanks!
Also I’m covering my thoughts here at http://blogs.computerworlduk.com/unscrewing-security/2010/10/wikileaks-is-mirroring-on-amazon-and-some-people-dont-get-it/
Thanks, I’ve replied there. To paraphrase: I don’t question the legitimacy of the services or the suitability of scaling the hosting to cope with demand; I’ve used Amazon for a few years and used it to scale out some very busy websites.
My query is the legitimacy of putting the hosts on US soil. WikiLeaks haven’t in the past, apparently owing to the legal protection offered by hosting it in countries such as Sweden; what has changed which makes this protection unnecessary?
Hi Alex – responded to your comment at the blog. Sorry for delay, have been getting my house redecorated, total chaos here.
Every time I see blogs as good as this because I should stop bludging and start working on mine. Thanks