The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be of such a threat to national security that they’re not allowed on airplanes. You’d have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.
A Swiss hacker known as “maia arson crimew” has got hold of a copy of the list—albeit a version from a few years ago—not by getting past fortress-like layers of cybersecurity, but by...finding a regional airline that had its data lying around in unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.
...
I'll bet a dollar there's at least one completely fictional character on the list
AGENT: sorry Mike--
MIKE: Call me Mr Ock, you're not my friend.
AGENT: --Mr. Ock, at this time the federal government requires us to deny you entry to today's flight
And a minor celebrity or local politician who either died before the list was created or has never been on a plane.
maia arson crimew is the world's most hyperpop pseudonym.
while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, please reach out at nofly@crimew.gay. i will only give this data to parties that i believe will do the right thing with it. alternatively the data is now also available for access (upon request) via DDoSecrets.
https://maia.crimew.gay/posts/how-to-hack-an-airline/
honestly it kinda sounds lib gatekeepy to me, especially with journos being a "legitimate interest"
yeah, I mean I found that message while looking for the list to check my name
:rat-salute: uncritical support for the weed cat on this beautiful day
at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot's license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.
pretty substantial beyond the no-fly list too. devops is going to be in trouble
as i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not).
i'm in love
it's really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying "hey i've been put on the no-fly list for no reason" in lawsuits, and then the government would deflect them by saying "we can't tell you whether you're on the no-fly list because national security"
it’s really nice that this has been leaked. as I recall, people were getting put on the no-fly list, saying “hey i’ve been put on the no-fly list for no reason” in lawsuits, and then the government would deflect them by saying “we can’t tell you whether you’re on the no-fly list because national security”
I don't think that's going to work because the original reason was obvious bullshit to mask an exercise of power.
The leaked list is from 2019, just say "that's not an up to date list, we can't tell you whether you're still on the no fly list because national security"
csvs are just text files that can be interpreted with some minimal syntax. but they're still plain-text.
file extensions are a convention lol. you can just change it to whatever you like. content and interpretation are left up to the reader.
sure, but are you out there renaming your csvs to silent_waters_csv.txt?
I don't follow why the extension matters in the slightest. text files are ASCII or UTF encoded. that's it.
Agreed. I don't understand why you're so passionate about pointing out the lack of difference in the distinction
that's a funny coincidence, i just remembered them yesterday because arson is such an amazing middle name to pick as an enbie
looking for exposed jenkins servers that may contain some interesting goods
Well that's a fun phrase to read about a week after I get roped into doing Jenkins admin at work. Reminds me of the unsecured MongoDB debacle from several years back.
I knew an airline captain who had the exact same name as someone else on the no fly list, any time he would fly the 80,000 lb airplane back from Mexico he had to jump through a bunch of hoops and prove to TSA/customs he was in fact a different person with the same name. Every time.
