How a Hacker Dug Up the TSA No Fly List



We’ve all gotten bored on the internet, haven’t we? Aimlessly scrolling through Twitter or clicking through TV tropes, eyes glaze over as we spend hours doing the online equivalent of rechecking an empty fridge. But some people, it seems, are using their boredom-induced web surfing for more than just rereading all of Catra’s tropes. Some use it to shed light on America’s surveillance state.

At least that’s what the Swiss hacker Maia Arson Crimew does. Through her hacking efforts, she’s gotten her hands on all sorts of information – everything from Nissan source code to security camera footage of Tesla factories. But her latest win may be her biggest yet: the TSA’s no-fly list. Holy damn Bingle indeed.


Photo: Joe Raedle (Getty Images)

For a hack of this magnitude, Crimew’s process was relatively simple. She started with a website called Zoomeye — an international version of the Shodan search engine that indexes internet-connected devices (like servers and routers) that have open ports for access from the wider web. Crimew specifically looked for servers running Jenkins, software that automates some of the more tedious tasks of developing and testing new code. You see, when automating processes, lazier developers often leave default credentials—credentials that hackers like Crimew can use to gain unauthorized access.
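The article blames default credentials, but a Jenkins controller is just as exposed when its own settings let anyone browse jobs and artifacts without logging in. As an added example (not part of the article, and not Crimew's or the Jenkins project's code), the audit below reads a controller's config.xml and flags the settings a defender would check first; the two XML samples are constructed to mirror the real config.xml layout.

```python
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
LOCAL_REALM = "hudson.security.HudsonPrivateSecurityRealm"


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return findings for a Jenkins config.xml; an empty list means none found."""
    root = ET.fromstring(xml_text)
    findings = []
    # <useSecurity>false</useSecurity> turns off authentication entirely.
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("security disabled")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or cls == UNSECURED:
        findings.append("anonymous full control")
    elif cls == FULL_CONTROL:
        # Default for this strategy is anonymous read unless explicitly denied.
        deny = (strategy.findtext("denyAnonymousReadAccess") or "false").strip().lower()
        if deny != "true":
            findings.append("anonymous read access")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == LOCAL_REALM:
        if (realm.findtext("disableSignup") or "false").strip().lower() != "true":
            findings.append("self sign-up enabled")
    return findings


# Constructed sample: logged-in users do anything, but anonymous read and
# self sign-up are left on, so a stranger can browse every job.
OPEN_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample: same strategy with both weak settings corrected.
HARDENED_CONFIG = OPEN_CONFIG.replace(
    "<denyAnonymousReadAccess>false", "<denyAnonymousReadAccess>true"
).replace("<disableSignup>false", "<disableSignup>true")

if __name__ == "__main__":
    print("open:", audit_jenkins_config(OPEN_CONFIG))
    print("hardened:", audit_jenkins_config(HARDENED_CONFIG))
```

Run it against a copy of `$JENKINS_HOME/config.xml` from your own controller; a non-empty result is what an internet-wide scan would find before anyone tries a password.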

When Crimew found a server full of vaguely aeronautical-sounding words, her curiosity was piqued. So she started rummaging through its files and folders like an old wardialer discovering a new BBS. She quickly stumbled upon all sorts of sensitive information: crew lists, communications between planes and ground crew, and some projects related to something called “Nofly” — plus a link where the software looked for that list.


And when she clicked through this link, she found it: A spreadsheet of 1.5 million rows of data, each one an individual (or alias or suspected alias) classified by the FBI as unfit to fly. Its content is unsurprising – a list consisting mostly of “Middle Eastern” names chosen by algorithms that don’t care whether someone actually committed a crime or not.

With every hack and data leak, Crimew has pointed out that our personal information is rarely as secure as we think it is. Whether it’s Nissan sales data or actual live surveillance footage, private companies often make our information much more widely available than we would expect given their poor security. Now, it seems, we have evidence that government agencies are doing the same.