We’ve all been bored on the internet, right? Aimlessly scrolling through Twitter or clicking through TV Tropes, eyes glazing over as we spend hours doing the online equivalent of re-checking an empty fridge. But some people, it seems, use their boredom-induced internet browsing for more than just re-reading all of Catra’s tropes. Some use it to shine a light on the American surveillance state.
At least, that’s what Swiss hacker maia arson crimew does. Through her hacking endeavors, she’s gotten her paws on all sorts of auto-adjacent information — everything from Nissan source code to security camera footage from Tesla factories. But her latest get may be her biggest yet: The TSA’s no-fly list. Holy fucking bingle indeed.
For a hack of this scale, crimew’s process was relatively simple. She began with a site called Zoomeye — an international version of the search engine Shodan, which indexes internet-connected devices (like servers and routers) that have ports open for access from the broader web. In particular, crimew was looking for servers running Jenkins, software that automates some of the more tedious tasks of developing and testing new code. You see, when automating processes, lazier developers will often leave default credentials in place — credentials that hackers like crimew can use to gain unauthorized access.
Upon finding a server full of vaguely aeronautical-sounding words, crimew’s curiosity was piqued. So, like a wardialer of old discovering a new BBS, she started poking around its files and folders. Quickly, she stumbled upon all manner of sensitive information: crew manifests, communications between planes and ground crews, and some projects that made reference to something called “nofly” — as well as a link where the software looked for that list.
And, clicking through that link, she found it: A spreadsheet with 1.5 million rows of data, each one a person (or alias, or suspected alias) deemed unworthy to fly by the FBI. Its contents are unsurprising — a list primarily comprised of “Middle Eastern” names, picked out by algorithms that don’t much care whether someone’s actually committed a crime or not.
With each hack and data leak, crimew has pointed out how our personal information is rarely as secure as we think. Whether it’s Nissan sales data or actual, live surveillance footage, private companies often make our info far more broadly accessible than we expect through their poor security. Now, it seems, we have proof of government agencies doing the same.