Hacktivist Finds US ‘No Fly’ List, Reveals Systemic Bias, Surveillance

  • A Swiss hacker says she found a copy of the FBI’s “no fly” list on an unsecured server.
  • The 2019 list, with more than 1.5 million entries, includes an overwhelming number of Muslim passengers.
  • The server, maintained by CommuteAir, also contained private employee data, such as passport numbers.

The FBI’s secret “do not fly” list is now a lot less mysterious thanks to a bored Swiss hacker who was exploring unsecured servers in her spare time.

Maia Arson Crimew, described by the Justice Department as a “prolific” hacker in an unrelated indictment, said she was clicking through an online search engine full of unprotected servers on January 12 when she accessed one maintained by a little-known airline and found the highly classified documents, along with what she called a “jackpot” of other information.

The Daily Dot first reported Thursday that the server, hosted by CommuteAir, a regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted version of the 2019 anti-terrorism “no fly” list. The “NoFly.csv” and “selectee.csv” files found by crimew contain more than 1.8 million entries including names and dates of birth of people the FBI identifies as “known or suspected terrorists” who are being prevented from boarding aircraft “when flying within, to, from, and over the United States.”

An airline spokesperson confirmed the authenticity of the files to Insider, saying personally identifiable information belonging to employees was also found in the hack.

“Based on our initial investigation, no customer data was exposed,” Erik Kane, a spokesman for CommuteAir, said in a statement to Insider. “CommuteAir immediately took the affected server offline and launched an investigation to determine the extent of the data access. CommuteAir reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”

The Transportation Security Administration confirmed to Insider that it had learned of the incident.

“We are investigating in coordination with our federal partners,” Lorie Dankers, a spokeswoman for the TSA, said in a statement to Insider.

The FBI did not immediately respond to Insider’s request for comment.

Easily accessible secrets

Crimew told Insider that it took just a few minutes for her to access the server and find the credentials that allowed her to view the database. She said that she was exploring the servers as a way to combat boredom while she was sitting alone and did not intend to discover anything with US national security implications.

While searching for files on the company’s server, “I realized how much I had already owned them in just a half hour or so,” crimew wrote in a blog post detailing the attack. The credentials she found, which gave her access to the files, would also have allowed her to access internal interfaces that controlled refueling, canceling and updating flights, and swapping crew members, if she had wanted to, she wrote.

The massive files, reviewed by Insider, contain more than a dozen aliases for Viktor Bout, the Russian “merchant of death” who was traded in a prisoner swap for basketball player Brittney Griner, as well as a host of names of people suspected of organized crime in Ireland. However, Crimew said there was a noticeable trend among the names.

“Looking at the files, it just confirmed a lot of the things that I, and probably everyone else, suspected in terms of the biases that are on that list,” Crimew told Insider. “Just scrolling through it, you’ll see that almost all the names are from the Middle East.”

Edward Hasbrouck, author and human rights advocate, wrote in his analysis of the documents that the lists “confirm (1) Islamophobia, (2) overconfidence in the accuracy of their pre-crime predictions, and (3) the TSA mission advance.”

“The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-sounding names,” Hasbrouck wrote in an essay published Friday by Papers, Please, an advocacy group dedicated to tackling growing national travel rules based on identity.

“No Fly” Mission Creep

The “no fly” list was created under the George W. Bush administration and originally began as a small list of people prevented from flying commercial flights due to specific threats. The list was formalized and greatly expanded in scope after the 9/11 terrorist attacks in New York, a national tragedy that led to a rise in discrimination against Muslims and hate crimes across the country, according to the Justice Department.

The listing prevents individuals the FBI identifies as people who “may pose a threat to civil aviation or national security” from boarding aircraft flying within, to, from, or over the United States. They do not need to have been charged with or convicted of a crime to be included; they need only be “reasonable suspects” of aiding or planning acts of terrorism.

In the years since the original “no fly” list was formed, it has gained official federal recognition and has grown from just 16 names, according to the ACLU, to 1,807,230 entries in documents found by Crimew.

Looking at the list, Crimew told Insider, “you start to notice how young some of the people are.” Among the hundreds of thousands of names on the list are the children of suspected terrorists, including a boy whose date of birth indicates he would have been four or five years old at the time he was listed.

“What problem is this trying to solve in the first place?” Crimew told Insider. “I feel like this is just a very perverse consequence of the surveillance state. And not just in the US, this is a global trend.”

In the early 2000s, there were many reports of people being incorrectly placed on the “no fly” list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal lawsuit over the list, prompting the publication of its then 30,000 names and the TSA’s creation of an ombudsman to oversee complaints.

Not the first trick

Crimew, a staunch leftist and self-described anti-capitalist, was charged with conspiracy, wire fraud, and aggravated identity theft related to a previous hack in 2021. The DOJ alleges that she and several co-conspirators “hacked dozens of companies and government entities and published the private data of victims of more than 100 entities on the web.”

The outcome of the 2021 case is still pending, crimew told Insider. Although police haven’t contacted her about the latest hack, she said she wouldn’t be surprised if it came to the attention of federal agencies once again.

“It’s just a lot of personally identifiable information that could be used against people, especially in the hands of non-US intelligence agencies,” crimew wrote in a statement to Insider. For that reason, she said she chose to publish the list through journalists and academic sources rather than post it freely on her blog. “I just feel dubious about publicly posting a list full of people that some government entity considers ‘bad.’ (It’s not that the US doesn’t use it against people, it just doesn’t need to put itself in the hands of even more people to do harm.)”

CommuteAir faced a similar data breach in November, CNN reported, after an “unauthorized party” accessed information including names, dates of birth and partial social security numbers held by the airline.

Crimew told Insider that the company’s lack of investment in its cybersecurity was an oversight caused by corporate greed, saying it’s cheaper for the company to cut corners in its security procedures and pay to take care of the consequences than to invest properly in a more secure system.

“Even the fact that they’ve been hacked before apparently wasn’t enough for them to really invest in it. And that really shows where the priorities are,” Crimew told Insider. “I just hope maybe they learned their lesson the second time around.”
