How a Hacker Discovered the TSA’s No-Fly List

We’ve all been bored on the internet, haven’t we? Without any goal scroll twitter or clicking through TV tropes, eyes shining as we spend hours doing the online equivalent of rechecking an empty fridge. But some people, it seems, use their boredom-induced internet browsing for more than just proofreading. all Catra tropes. Some use it to shed light on the US surveillance state.

At least that’s what a Swiss hacker maia arson What is. Through her hacking efforts, she got her hands on all sorts of self-adjacent information – ranging from Nissan source code to security camera footage of Tesla factories. But his latest acquisition may be his biggest to date: The TSA’s no-fly list. Holy fucking bingle indeed.

Image for article titled How a Hacker Discovered the TSA's No-Fly List

Photo: Joe Raedle (Getty Images)

For a hack of this magnitude, crime process was relatively simple. It started with a site called Zoomeye – an international version of the Shodan search engine, which indexes internet-connected devices (like servers and routers) that have open ports for access from the wider web. In particular, crimew was looking for servers running Jenkins, software that automates some of the most tedious tasks of developing and testing new code. You see, when automating processes, lazier developers often leave default credentials in place — credentials that hackers like crime can use to gain unauthorized access.

Upon finding a server full of vaguely aeronautical words, crimew’s curiosity was piqued. So like a dialer or old discovering a new BBS, she started snooping around in her files and folders. Quickly, she came across all sorts of sensitive information: crew manifests, communications between aircraft and ground crew, and some projects that referenced something called “nofly” – as well as a link where the software was looking for this list.

And, by clicking on this link, she found it: a spreadsheet with 1.5 million rows of data, each a person (or alias, or suspected alias) deemed unworthy to fly by the FBI. Its content is not surprising – a list consisting mainly of “Middle East” names, chosen by algorithms that don’t really care whether someone actually committed a crime or not.

With each hack and data leak, crime has underscored how our personal information is rarely as secure as we think it is. Whether it’s Nissan sales data or actual live surveillance footage, private companies often make our information much more widely available than expected due to weak security. Now, it looks like we have proof that government agencies are doing the same.


Leave a Comment

Your email address will not be published. Required fields are marked *