
Fact Checking @LouiseMensch On @Wikileaks

I am equal parts pleased and surprised that @LouiseMensch has my tiny personal Twitter account blocked, and I mostly ignore her. She has become a nexus for interesting disclosures, but she is far too confident in her assessments. Today she made a statement that got one of my non-technical friends all percolated, so I had to use another account to see what she’s doing.

Mensch on Wikileaks


So what’s actually going on here, at a level deeper than a single traceroute and a lot of self-promotion? Here is how an infrastructure-savvy examiner might proceed. First, let’s look at DNS for the Wikileaks domain. There are four Wikileaks nameservers. The first two are a pair at something called LLC Afk Group, which Maltego misidentified as Solar Communications and which is indeed inside Russia. Russia’s Mir Telematiki Ltd (AS49335), Netherlands-based LeaseWeb (AS60781), and Norway’s Blix Solutions (AS50304) each provide service for Wikileaks’ third and fourth nameservers. This is a load balancing scheme meant to thwart denial of service, which has been a historic problem for them.

Wikileaks DNS
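
The nameserver-to-network mapping step described above, as an added example that is not part of the original post: it groups nameserver addresses by country and by operator, which is the table an examiner builds before drawing any conclusion about who can see what. The hostnames, addresses, the assignment of addresses to nameservers and AS64512 are constructed placeholders; only AS49335, AS60781, AS50304 and the provider names come from the post.

```python
from collections import defaultdict

# Constructed records: nameserver | address | ASN | country | operator.
# Hostnames and addresses (RFC 5737 documentation ranges) are placeholders,
# and AS64512 is a private-use ASN standing in for LLC Afk Group, whose
# AS number the post does not give.
SAMPLE = """
ns1.example.org | 192.0.2.10    | AS64512 | RU | LLC Afk Group
ns2.example.org | 192.0.2.11    | AS64512 | RU | LLC Afk Group
ns3.example.org | 198.51.100.20 | AS49335 | RU | Mir Telematiki Ltd
ns3.example.org | 203.0.113.30  | AS60781 | NL | LeaseWeb
ns4.example.org | 203.0.113.40  | AS50304 | NO | Blix Solutions
"""

def parse_records(text):
    """Turn pipe-separated lookup results into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        ns, addr, asn, cc, operator = fields
        rows.append({"ns": ns, "addr": addr, "asn": asn,
                     "cc": cc, "operator": operator})
    return rows

def by_country(rows):
    """Country code -> sorted list of ASNs answering for the zone there."""
    out = defaultdict(set)
    for r in rows:
        out[r["cc"]].add(r["asn"])
    return {cc: sorted(asns) for cc, asns in out.items()}

def exposure(rows):
    """Operator -> nameservers whose incoming queries that operator can log."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["operator"]].add(r["ns"])
    return {op: sorted(names) for op, names in seen.items()}

if __name__ == "__main__":
    records = parse_records(SAMPLE)
    for cc, asns in sorted(by_country(records).items()):
        print(cc, ", ".join(asns))
    for op, names in sorted(exposure(records).items()):
        print(f"{op}: {', '.join(names)}")
```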


Wikileaks runs specific servers for various projects, so I trimmed the overall output a bit to make a sensibly sized graph.

Wikileaks Servers


Wikileaks content is served from the Netherlands, Norway, and Russia. This is their public-facing stuff; these are probably some sort of load balancing and caching devices. I will speculate that there is an origin somewhere, perhaps not even in any of these datacenters. If I were running an operation like this, the official ‘site’ would only talk to those seven load balancers and whatever systems the staff use to make updates.


I have no opinion on Mensch’s identification of Chayanov as the operator and I’m not going to spend any time on this. Look at @briankrebs for his opinions on this; he is among the most trusted reporters covering this area.

I will take Mensch’s other assertions to task.

  • The Russian hacker and spammer can ‘monitor traffic’.

  • He can tell who is reading anything on the Wikileaks site.

  • The Russian hacker has access to all documents that have been sent to Wikileaks.

  • He can probably bust the anonymity of any computer or user who thought they were anonymously donating to Wikileaks.

  • Anyone sending secrets to Wikileaks as a whistleblower can be blackmailed.

This is all Very Scary and you should stop leaking to, donating to, or even visiting Wikileaks IMMEDIATELY. Or you can take a more sober look at the facts and the conclusions.

First, anyone who controls a load balancer could be observing the traffic between the system and a reader. This is a fundamental fact of life – if you visit a server, its operator can see the traffic generated between their system and you. This has been stated in a vague, scary fashion.

Second, anyone who controls the DNS servers can see which IP addresses are asking for name resolution, and this dovetails with the first statement. Put less breathily, if you visit a web site, the operator knows you are there, unless you happen to use a VPN or Tor.

The load balancers encrypt traffic using SSL, but the operator could get in the middle of that and observe at a lower, unencrypted level. The content itself might be stored in encrypted file systems to discourage warrants being served on the hosting facilities. This seems like more breathy hand waving – infrastructure providers can read what’s on the infrastructure of the public web site they’re assisting. I think the intention here is to scare anyone away from sending Wikileaks documents, which are absolutely handled in a very different fashion, based on their prior publication protection. Mensch is making broad, simple-minded assumptions here and I doubt they would hold up to a cross-examination.

I don’t know much about the Wikileaks donation process, but such areas are hotly worked by fraudsters, so much so that a DNS and hosting operator typically can’t get in the middle of payment processing. The illogical leap from “one of three hosting facilities used is in Russia” to “ZOMG THEY WILL GET YOUR CREDIT CARD” needs to be explained in a careful, step-by-step fashion, or it’s just hand wringing.

Anyone sending content to Wikileaks as a whistleblower could be blackmailed, assuming they are under tight Russian control. Yep, that is entirely possible, and while it is obvious that Assange is taking his lead from Russian sources, I think it’s an extraordinary leap for Mensch to claim they have turned their entire leak intake process over, or that they are even permitting GRU or whomever to do oversight. One mistake in this area and Wikileaks is dead.

And killing Wikileaks is what Mensch is trying to do with this smear. I don’t approve of everything Assange has done, and that goes double for the obvious collusion with Russia regarding the 2016 U.S. election, but her claims are sloppy and conspiratorial. I actually took the time to go read the underlying analysis behind this by Laurelai Bailey aka @stuxnetsource and it’s less irresponsible than what Mensch has done, but there are unwarranted jumps in her thinking as well.