The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be such a threat to national security that they’re not allowed on airplanes. You’d have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.

A Swiss hacker known as “maia arson crimew” has got hold of a copy of the list—albeit a version from a few years ago—not by getting past fortress-like layers of cybersecurity, but by...finding a regional airline that had its data lying around in unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.

...

  • StewartCopelandsDad [he/him] · 2 years ago

    at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot's license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.

    pretty substantial beyond the no-fly list too. devops is going to be in trouble

    as i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not).

    i'm in love

    it's really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying "hey i've been put on the no-fly list for no reason" in lawsuits, and then the government would deflect them by saying "we can't tell you whether you're on the no-fly list because national security"

    • 7bicycles [he/him] · 2 years ago

      it’s really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying “hey i’ve been put on the no-fly list for no reason” in lawsuits, and then the government would deflect them by saying “we can’t tell you whether you’re on the no-fly list because national security”

      I don't think that's going to work because the original reason was obvious bullshit to mask an exercise of power.

      The leaked list is from 2019, just say "that's not an up to date list, we can't tell you whether you're still on the no fly list because national security"