The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be of such a threat to national security that they’re not allowed on airplanes. You’d have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.

A Swiss hacker known as “maia arson crimew” has got hold of a copy of the list—albeit a version from a few years ago—not by getting past fortress-like layers of cybersecurity, but by...finding a regional airline that had its data lying around in unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.

...

  • Vampire [any] · 2 years ago

    while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, please reach out at nofly@crimew.gay. i will only give this data to parties that i believe will do the right thing with it. alternatively the data is now also available for access (upon request) via DDoSecrets.

    https://maia.crimew.gay/posts/how-to-hack-an-airline/

  • StewartCopelandsDad [he/him] · 2 years ago

    at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot's license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.

    pretty substantial beyond the no-fly list too. devops is going to be in trouble

    as i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not).

    i'm in love

    it's really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying "hey i've been put on the no-fly list for no reason" in lawsuits, and then the government would deflect them by saying "we can't tell you whether you're on the no-fly list because national security"

    • 7bicycles [he/him] · 2 years ago

      it’s really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying “hey i’ve been put on the no-fly list for no reason” in lawsuits, and then the government would deflect them by saying “we can’t tell you whether you’re on the no-fly list because national security”

      I don't think that's going to work because the original reason was obvious bullshit to mask an exercise of power.

      The leaked list is from 2019, just say "that's not an up to date list, we can't tell you whether you're still on the no fly list because national security"

  • W_Hexa_W · edit-2 · 1 year ago

    deleted by creator

      • silent_water [she/her] · 2 years ago

        csvs are just text files that can be interpreted with some minimal syntax. but they're still plain-text.

          • silent_water [she/her] · 2 years ago

            file extensions are a convention lol. you can just change it to whatever you like. content and interpretation are left up to the reader.

            • dat_math [they/them] · 2 years ago

              sure, but are you out there renaming your csvs to silent_waters_csv.txt?

              • silent_water [she/her] · 2 years ago

                I don't follow why the extension matters in the slightest. text files are ASCII or UTF encoded. that's it.

                • dat_math [they/them] · 2 years ago

                  Agreed. I don't understand why you're so passionate about pointing out the lack of difference in the distinction

  • AcidSmiley [she/her] · 2 years ago

    that's a funny coincidence, i just remembered them yesterday because arson is such an amazing middle name to pick as an enbie

  • Awoo [she/her] · 2 years ago

    I hope it gets released. Badge of honour if you're on the list lmao

  • Findom_DeLuise [she/her, they/them] · 2 years ago

    looking for exposed jenkins servers that may contain some interesting goods

    Well that's a fun phrase to read about a week after I get roped into doing Jenkins admin at work. Reminds me of the unsecured MongoDB debacle from several years back.

  • Weedian [he/him] · 2 years ago

    I knew an airline captain who had the exact same name as someone else on the no fly list. Any time he would fly the 80,000 lb airplane back from Mexico he had to jump through a bunch of hoops and prove to TSA/customs he was in fact a different person with the same name. Every time.