[Update 7 - WikiLeaks have removed one of the US mirrors shortly after a Telegraph story went live - see my latest post, you might like to read the below first for context tough]
It’s been a tough week. My work backlog has grown since I’ve been ill most of the time, and I’ve been trying to catch up. However, just as I was going to bed tonight, my girlfriend was still at her office in Paris. She’s been writing some press coverage of the latest WikiLeaks release, and since it all went live tonight, I took a break to check out some of the work.
Techie as I am, eventually I branched off from looking at the press stories to see where the WikiLeaks Warlogs site servers were hosted – and since I was expecting it to be Sweden, I was somewhat blown away. It’s made me question if I’m still full of Ibuprofen, but I had to put this up to get some feedback.
First of all I checked Netcraft. This reported it was hosted on Amazon EC2 in Ireland. Ireland? Amazon Web Services? I thought it was wrong.
So then I checked what IP addresses were being returned globally and this is where it got really strange.
Originally when I wrote this there were four mirrors, but now there are five. The weird bit? Three out of the five are with US-owned company Amazon’s EC2 hosting service. A US-owned company. Two of those – two out of the five current mirrors – are on US soil in their west-coast datacenter. The remaining two are with Octopuce in France.
Isn’t it strange that WikiLeaks would host its latest inflammatory content on US soil, or even that some of the mirror servers are owned by a US company? WikiLeaks has taken great pains to ensure hosting of content in Sweden or other “friendly” jurisdictions in the past, and in fact their donation link is reporting itself as in Iceland. The US and Ireland – and France for that matter – don’t seem like the safest “haven” for this data to remain online, after all in the past we’ve been told those “havens” are Iceland, or Sweden. What happened to those reputed Scandinavian bunkers?
To be clear, this set of IP addresses isn’t a CDN. WikiLeaks isn’t giving French IP addresses to French visitors to aid in speed; this is a round-robin DNS spreading traffic crudely across multiple hosts around the world to cope with traffic and DDOS. What’s weird is that none of the IPs are in Sweden, and all of them are in principalities with relatively straightforward cease-and-desist legislation, and for any of them to be in the US seems absurd.
To caveat this, these are their front-end IPs. These nodes could simply be serving data retrieved from those reported bunkers. But it still seems strange to me. Conspiracy theorists might ponder if it’s just asking for trouble. The US’s position, reported tonight by the BBC, is that “WikiLeaks has committed a crime by publishing stolen documents”. If true, why exacerbate it by doing so on US machines? Hasn’t that now just brought the issue smack bang into US jurisdiction?
Maybe it’s the Ibuprofen and I’m missing something – but this seems very odd to me.
Traceroute from Seattle terminating in AWS's west-cost region
[Update 1 - Saturday 23rd] - WikiLeaks.org itself has now switched to these same servers, meaning the primary public-facing URL is now in part hosted inside the US, and in part by a US company.
[Update 2 - Saturday 23rd] – Another mirror has been added in Amazon’s west-coast US region increasing the amount of traffic being served from inside the US.
[Update 3 - Saturday 23rd] – My post has been picked-up by cryptome.org on their homepage
[Update 4 - Monday 25th] – My post has been picked up and covered by The Register
[Update 5 - Tuesday 26th] – Netcraft has picked up my post and concurred with the location data
[Update 6 - Tuesday 26th] – Telegraph story links here too
[Update 7 - Tuesday 26th] – WikiLeaks have removed one of the US mirrors shortly after the above Telegraph story went live