Gov leaves Terrorist No-Fly List Unsecured

298
Photo from  crimew website here

The Transportation Security Administration’s No-Fly List contains the names of people who are recognized as a threat to national security and are not allowed on airplanes. (I have personal experience of this. McCarthy is a common Irish name and I believe at least one member of the IRA shares it. Flying after 9/11 was doubly fraught as TSA believed I was a potential terrorist).

Anyhow, it’s a sensitive document so you think it would be locked up safe, wouldn’t you? Actually, that’s not the case!

Turns out it was a bored Swiss hacker ,called maia arson crimew, who happened to be poking around in a small regional airline’s unprotected server when he came across the No Fly list on what is basically an Excel list. As he says here:

step 1: boredom

like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i’ve probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familar words. “ACARS“, lots of mentions of “crew” and so on. lots of words i’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.

A bit of digging later (all laid out here) and he uncovered the No Fly list.

i also share with him ( Mikael Thalen, a staff writer at dailydot) how close we seemingly are to actually finding the TSA nofly list, which would obviously immediately make this an even bigger story than if it were “only” a super trivially ownable airline. i had even peeked at the nofly s3 bucket at this point which was seemingly empty. so we took one last look at the noflycomparison repositories to see if there is anything in there, and for the first time actually take a peek at the test data in the repository. and there it is. three csv files, employee_information.csvNOFLY.CSV and SELECTEE.CSV. all commited to the repository in july 2022. the nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal (we later get confirmation that it is indeed a copy of the nofly list from 2019).

holy shit, we actually have the nofly list. holy fucking bingle. what?!

so what happens next with the nofly data

while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, the data is available for access (upon request) via DDoSecrets.