How a hacker dug up the TSA No-Fly list

Image for article titled How a Hacker Unearthed the TSA No-Fly List

We all get bored on the internet, right? Aimless scroll through Twitter or click through TV tropes, eyes glassy as we spend hours doing the online equivalent of rechecking an empty fridge. But some people, it seems, use their boredom-induced web surfing for more than just rereading all tropes of Catra. Some use it to shed light on the US surveillance state.

At least, that’s what the Swiss hacker says maia arson crime is doing. Her attempts at hacking have gotten her paws on all sorts of auto-adjacent information – everything from Nissan source code until security camera footage from Tesla factories. But her latest hit might just be her biggest yet: The TSA no-fly list. Holy fucking bingle indeed.

Image for article titled How a Hacker Unearthed the TSA No-Fly List

Photo: Joe Raedle (Getty Images)

For a hack of this scale, crime trial was relatively easy. She started with a site called Zoomeye – an international version of the Shodan search engine, which indexes Internet-connected devices (such as servers and routers) that have open ports for access from the wider web. Crimew was mainly looking for running servers Jenkins, software that automates some of the more tedious tasks of developing and testing new code. You see, when automating processes, lazy developers often leave the default credentials – credentials that hackers like crimew can use to gain unauthorized access.

Upon finding a server full of vaguely aviation-sounding words, Crimew’s curiosity was piqued. So, like one guard When she discovered a new BBS traditionally, she started poking around in the files and folders. Soon she came across all sorts of sensitive information: crew lists, communications between aircraft and ground crews, and some projects that referenced something called “nofly” — as well as a link where the software looked for that list.

And when she clicked that link, she found it: a spreadsheet containing 1.5 million rows of data, each representing a person (or alias, or suspected alias) the FBI deemed unworthy to fly. The content is not surprising – a list consisting mainly of “Middle Eastnames selected by algorithms that don’t care much about whether someone actually committed a crime or not.

With every hack and data breach, crimew has pointed out that our personal information is rarely as secure as we think. Whether it’s Nissan sales data or real, live surveillance footage, private companies often make our information much more widely accessible than we expect due to their poor security. Now it seems we have evidence that government agencies are doing the same.

Leave a Comment