
How Has WikiLeaks Managed to Keep Its Web Site Up and Running?

Despite cyber attacks, the loss of key service providers and threats from government officials worldwide, the controversial site continues to add to its online cache of cablegate documents

The arrest of WikiLeaks founder Julian Assange in London Tuesday may have brought an end to the standoff between the 39-year-old Australian and European law enforcement, but the organization he leads has vowed to continue releasing sensitive documents. Just how WikiLeaks has been able to continue posting classified material from U.S. and other nations' diplomats and officials—despite numerous cyber attacks against the Web site and the defection of key service providers—is a bit of Internet trickery commonly deployed by legitimate and criminal online organizations alike to protect themselves from traffic spikes and from being shut down. Such is the persistence of information in the Internet Age.

PRQ.se, the Swedish Internet service provider hosting the original wikiLeaks.org Web site, has reported denial-of-service (DoS) attacks against the servers hosting WikiLeaks material. In a DoS attack, computers, often many compromised machines acting together in what is called a distributed attack (DDoS), flood a server with requests until it can no longer respond to legitimate users. WikiLeaks has since moved its Web site to the wikiLeaks.ch address. Last week the organization was also cut off by its provider of domain name system (DNS) service, the directory that translates a Web address such as wikiLeaks.org into the numeric Internet Protocol (IP) address of the server where WikiLeaks's data resides. EveryDNS.net dropped wikiLeaks.org as a client on December 2, citing the danger that the cyber attacks aimed at that site pose to the service's 500,000 other clients.

The U.S. government has spent the past week sticking its fingers in the dike that WikiLeaks breached. The Library of Congress on December 3 confirmed that it is blocking access to the WikiLeaks site across its computer systems, including those for use by patrons in the reading rooms. "The Library decided to block Wikileaks because applicable law obligates federal agencies to protect classified information. Unauthorized disclosures of classified documents do not alter the documents' classified status or automatically result in declassification of the documents," according to a statement on the Library of Congress Web site. Many, but not all, of the documents published as part of "cablegate" contain classified information.

Yet, by keeping copies of its Web site hosted at 507 different locations, or "mirror sites," worldwide, WikiLeaks persists. In general, the organization encrypts its data and keeps the source of its whistle-blower submissions anonymous. In addition, at any given time WikiLeaks computers are feeding hundreds of thousands of fake submissions throughout its network to obscure the real documents, their points of origin and their destinations, The New Yorker reported in June.

A posting on the WikiLeaks Twitter feed Tuesday morning read: "Today's actions against our editor-in-chief, Julian Assange, won't affect our operations: We will release more cables tonight as normal." Meanwhile, Assange fights extradition to Sweden, where he is accused of one count of rape, one charge of unlawful coercion and two allegations of sexual molestation stemming from a trip to that country in August.

To better understand how WikiLeaks has been able to keep its Web site functioning despite having incurred the ire of the U.S. government and many of its allies, Scientific American spoke with Hemanshu Nigam, a former U.S. Department of Justice prosecutor of child and computer crimes who has also held high-level cyber security positions at Microsoft and News Corp. Nigam, who in May founded his own online safety, security and privacy firm called SSP Blue, points out that WikiLeaks's resilience is an important reminder of the care that must be taken by governments and individuals alike with important information, that once shared, rarely ever goes away completely.

[An edited transcript of the interview follows.]

The cat-and-mouse game that WikiLeaks is playing with authorities worldwide is a prime example of the persistence of information on the Internet. Of course, the cat is fully out of the bag now that media outlets are reporting extensively on the contents of the leaked files, but why couldn't the U.S. government or some other entity simply shut down direct access to WikiLeaks's cablegate files?
You can shut down a Web site, but there's no question an individual intent on distributing that information will already have thought about keeping a copy of it in multiple other locations, either online or offline. When you run a Web site, if you're worried about an attack on that Web site, whether it's a distributed denial-of-service attack or some sort of virus attack, the best solution to those worries is to create backup plans. There could be a copy of that information sitting on a thumb drive that everyone buys at Costco for really cheap nowadays. It could be backed up on a CD. It could be stored with a cloud network storage company that can be accessed from anywhere. That's why this is a pretty significant challenge for the government to try to shut down a site—the task is, frankly, impossible.

What can be done to stem the tide of information?
If you think [Assange] has done something criminal in nature and against national security, then focus on the arrest and prosecution, and focus on recovering the diplomatic damage that's already been done.

Over the past week, the WikiLeaks Web site has been brought down by distributed denial-of-service [DDoS] attacks, and then subsequently brought back online. What tools and techniques are available to Web sites to enable them to route and re-route access?
One tool is redirection, where you could have 10 different Web site addresses set up that send you to a particular location. [For example, readers who visit SciAm.com will automatically be redirected to ScientificAmerican.com.] Another option is to set up mirror sites—if the core Web server goes down, there's another Web server at a different location that will have the exact same look, feel and content. Redirects and mirror sites are common and they're necessary in order to run a legitimate business online.
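The mirror strategy described in the answer above, and the 507 mirror copies mentioned earlier in the article, raise a question the interview does not address: how does a reader know that a mirror is serving the same content as the original rather than an altered copy? The following is an added example, not code from the article or from WikiLeaks. A client walks an ordered list of mirror URLs, skips any that are unreachable, and accepts a copy only if its SHA-256 digest matches a digest published out of band (for example, on the original site or through a separately distributed announcement). The `fetch` callable is injected so the demo runs offline against constructed responses; `http_get` is the live equivalent. The hostnames, document text and response table are all constructed for this example.

```python
"""Mirror failover with integrity pinning (added example, constructed data)."""
import hashlib
import urllib.request
from typing import Callable, Iterable


class MirrorUnavailable(Exception):
    """Raised when no mirror returned a copy with the expected digest."""


def http_get(url: str, timeout: float = 5.0) -> bytes:
    """Live fetcher: urllib follows redirects, so a redirect chain ends here too."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        if resp.status != 200:
            raise IOError(f"{url}: HTTP {resp.status}")
        return resp.read()


def fetch_verified(mirrors: Iterable[str], expected_sha256: str,
                   fetch: Callable[[str], bytes] = http_get) -> tuple[bytes, str, list[str]]:
    """Return (body, url_used, failures) from the first mirror whose copy verifies.

    Each failure is recorded so an operator can tell a mirror that is down
    from a mirror that is up but serving altered content.
    """
    failures: list[str] = []
    for url in mirrors:
        try:
            body = fetch(url)
        except Exception as exc:  # connection refused, timeout, DNS failure, HTTP error
            failures.append(f"{url}: unreachable ({exc})")
            continue
        digest = hashlib.sha256(body).hexdigest()
        if digest != expected_sha256:
            failures.append(f"{url}: digest mismatch, copy rejected")
            continue
        return body, url, failures
    raise MirrorUnavailable("; ".join(failures))


# Constructed document and published digest for the offline demo.
DOCUMENT = b"sample document text, constructed for this example\n"
PUBLISHED_SHA256 = hashlib.sha256(DOCUMENT).hexdigest()

# Placeholder mirror URLs (hypothetical hosts).
MIRRORS = [
    "https://primary.example.org/cables.txt",
    "https://mirror1.example.net/cables.txt",
    "https://mirror2.example.com/cables.txt",
]

# Constructed behaviour of each mirror: primary is gone, mirror1 was tampered
# with, mirror2 holds an intact copy.
CONSTRUCTED_RESPONSES = {
    "https://primary.example.org/cables.txt": ConnectionError("name resolution failed"),
    "https://mirror1.example.net/cables.txt": DOCUMENT.replace(b"sample", b"edited"),
    "https://mirror2.example.com/cables.txt": DOCUMENT,
}


def demo_fetch(url: str) -> bytes:
    """Offline stand-in for http_get, driven by CONSTRUCTED_RESPONSES."""
    result = CONSTRUCTED_RESPONSES[url]
    if isinstance(result, Exception):
        raise result
    return result


def run_demo() -> tuple[str, list[str]]:
    """Fetch through the constructed mirror set; return (url_used, failures)."""
    body, used, failures = fetch_verified(MIRRORS, PUBLISHED_SHA256, fetch=demo_fetch)
    assert body == DOCUMENT
    return used, failures


if __name__ == "__main__":
    used, failures = run_demo()
    for line in failures:
        print("skipped:", line)
    print("served from:", used)
```

The digest must come from somewhere other than the mirror being checked; a mirror that can serve both the file and its digest can alter both. A signed digest, or a digest obtained over a second channel, turns the mirror network into a distribution mechanism that the mirrors themselves cannot silently corrupt.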

Beyond the proactive steps that can be taken, the Web keeps a cache of data even after it has been taken offline. Google is a perfect example of a data cache—it doesn't actually go out on the Internet and crawl with its crawling capabilities to go find what you're looking for and bring it back to you each time you do a search. It's already done that; it's spent hours and hours of background computing time crawling the Web, sorting it and organizing it, putting it in a way that when you search for something, Google goes into its own cached data set to find it. The history maintained by your Web browser is another example of a data cache. In addition, some Web searches will return listings containing a "cached" hyperlink. When you click on that link, the original site may not exist, but the cache may still be there. It can take anywhere from three months to a year for Web browsers to re-crawl the Internet and update their cache to shed deleted Web pages.

Malicious hackers use these methods as well as proxy servers to obfuscate the location of their data and avoid prosecution. Are there legitimate uses for proxies, redirection, mirror sites and data caches?
A lot of legitimate sites use proxy servers, for example, because they keep data requests from being bottlenecked at a single server and make data flow faster. This can also be used to hide your location, which is useful when you're operating a controversial site and are worried about it being attacked or vandalized online. You could be standing up for a cause that you believe in such as gay rights and you have a Web site dedicated to that, but you're worried that people against your cause will try to take your site down. Then you would want to try to use proxies and route the data traffic to other locations, jump from one router to another and put the site behind a caching wall. You use multiple layers of security to protect yourself. Of course, proxy servers are also used by those doing things that are illegal to help avoid prosecution.

EveryDNS.net, a provider of domain name system [DNS] service that translates domain names into IP addresses, dropped the wikiLeaks.org account last week. EveryDNS.net does not host content, however, so what did this action mean for WikiLeaks?
Basically, if you don't have a DNS provider, nobody can find you. When you punch in wikiLeaks.org, your system says, "I need to go find wikiLeaks.org," so it goes to a DNS provider that says, "I can point you in that direction." When you take away that DNS provider, there's nobody telling the computer where to go to retrieve it. You in essence go dark.
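The lookup described in the answer above, and in the article's earlier explanation of what a DNS provider does, is a small binary exchange defined in RFC 1035. The following is an added example, not code from the article. It builds a standard A-record query, parses a response (including the name-compression pointers real servers use), and contrasts a reply that carries two addresses with a SERVFAIL reply, which is what a resolver returns when the servers delegated for a zone no longer answer for it. The parser also refuses a reply whose transaction ID does not match the query, the basic check that stops trivially spoofed answers. All packets are constructed in memory so the script runs offline; the domain name and the 203.0.113.x addresses are documentation placeholders, not real hosts.

```python
"""Minimal DNS wire-format builder/parser for A records (added example)."""
import random
import struct

TYPE_A = 1
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Encode 'www.example.org' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Recursive A query: 12-byte header followed by one question."""
    flags = 0x0100  # QR=0 (query), OPCODE=0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, rcode: int, addrs) -> bytes:
    """Constructed server reply: echo the question, append one A record per address.

    Answer names use the compression pointer 0xC00C, pointing at offset 12,
    where the question name begins.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, plus the response code
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + answers


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(resp: bytes, expected_txid: int) -> dict:
    """Return {'rcode': name, 'addrs': [...]} after checking the transaction ID."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply not for our query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "addrs": addrs}


def lookup(name: str, zone: dict) -> dict:
    """One simulated exchange. A name missing from `zone` models a dropped provider."""
    txid = random.randrange(0, 65536)
    query = build_query(name, txid)
    if name in zone:
        reply = build_response(query, 0, zone[name])
    else:
        reply = build_response(query, 2, [])  # SERVFAIL: nobody answers for the zone
    return parse_response(reply, txid)


if __name__ == "__main__":
    zone = {"example.org": ["203.0.113.10", "203.0.113.11"]}  # constructed zone data
    print(lookup("example.org", zone))  # NOERROR with two addresses
    print(lookup("example.org", {}))    # SERVFAIL: the name cannot be found
```

To run the same query against a live resolver, send the bytes from `build_query` over UDP to port 53 and hand the reply to `parse_response`. The second lookup above is the situation the answer describes: the domain still exists at the registry, but with no server willing to answer for it the browser never learns an address, which is why a site in that position either publishes its IP address directly or moves to a name that a different provider will serve.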

EveryDNS.net indicated on its Web site that having WikiLeaks as a client, and providing DNS services for the site's content, put other clients at a security risk. Could cyber attacks against wikiLeaks.org actually endanger other EveryDNS.net sites?
I think this is a positive statement [by EveryDNS.net] and has a lot to do with them being worried about their reputation and being seen as aligned with a guy who may be charged pretty soon with crimes against the United States. This is what I would drop into the category of corporate reputation management. From a security perspective, I don't think there's really a worry here, unless what they're worried about is a potential anti-WikiLeaks attacker saying, "I'm going to go after all of your clients simply because you are supporting wikiLeaks.org."

All of the documents posted to WikiLeaks's Web site thus far amount to a few gigabytes of data. Now WikiLeaks claims to have a 1.4-gigabyte "insurance" file, or poison pill (said to contain information about BP and Guantánamo Bay), protected by encryption with a 256-bit key, to be used in the event founder Julian Assange is prosecuted or the Web site is permanently shuttered. Why is this significant? What would it take to decrypt such a heavily protected file?
Use of 256-digit key encryption is [a level of encryption that is] more than serious—it's ridiculous. Here's a guy who's backed into a corner and who's telling the world that he has the button to what in his mind is a nuclear bomb. What he's saying is, "I have a file that is guarded heavily that you can't break into but I can." He's set it up in a way that there is nothing that can be done to destroy or tamper with the file—it would take you years to decrypt 256-digit encryption.

What does the WikiLeaks incident tell people about the way information lives on the Internet, and what lesson should be learned here?
The message is loud and clear to individuals, businesses and the government. On your laptop you should have a sentence taped to the top of your screen that says, "Before I hit send, do I want to see this on the front page of The New York Times or in Scientific American?" Once you hit send and send it to the Internet world, it's going to be persistent—and in many ways permanent. If you don't put certain information onto the public Net, you're not going to have this problem in the first place. The message to the government is that as much as it wants to embrace the digital world it still needs to take almost a pause and look at the data they have and consider whether that data should be stored in digital form. If it is going to go into digital form, then there's a very long list of security measures that the government needs to be focused on. The government really needs to be on a red-alert status when it comes to protecting their top-secret information.
