Headline buries the real lede a bit in my opinion; the author has gotten a snapshot of the no-fly list from 2019. Presumably the system under attack processes more up-to-date versions of it regularly.
I wonder which no-fly list it is. Is it a government no-fly list that would contain suspected international criminals and terrorists, or an airline's private no-fly list that would contain people who cause a ruckus on flights, drunks, anti-maskers, and so on. Maybe one shared between airlines? I would imagine that second list has grown substantially since 2020 given all the craziness airlines have had to deal with since then.
> the nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal (we later get confirmation that it is indeed a copy of the nofly list from 2019).
Also seems to have gotten a crew list from CommutAir's CASS or possibly from other airlines as part of the shared deadheading crew list, which includes crew addresses and employment information.
There were also prod AWS credentials in the files exposed in Jenkins.
Basically any air charter service (no matter how small) will have access to the no fly list. It's honestly surprising that it's not up to date online within minutes.
If I was the US government, I would add some fake but legitimate-looking IDs in such lists, different ones for every airline I send the list to, so I can identify who leaked the list ex post facto, and come down with God's Wrath on any airline that leaked theirs.
But then, I am not a Bond-esque criminal organization bent for world domination.
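A way to implement the per-recipient marker idea from the comment above, as an added example that is not part of the thread or the article: each recipient's copy of the list gets a few fake rows derived from an HMAC of the recipient's name, and a leaked copy is attributed by checking whose canaries it contains. The key, name pools, sample rows and recipient names are all constructed for the example.

```python
import csv, hashlib, hmac, io

# Constructed example key; in a real deployment it lives in a secret store, never beside the list.
SECRET = b"constructed-example-key"
FIELDS = ["last", "first", "dob", "id"]
# Constructed name pools so a canary row reads like an ordinary entry rather than a marker.
SURNAMES = ["Hartwell", "Okonkwo", "Lindqvist", "Marchetti", "Duvall", "Nakagawa"]
GIVEN = ["Elena", "Tomas", "Priya", "Marcus", "Ingrid", "Rafael"]

def canary_rows(recipient, n=3):
    """Derive n fake rows unique to one recipient from HMAC(SECRET, "recipient:i").
    Deterministic, so the issuer never has to store the canaries themselves."""
    rows = []
    for i in range(n):
        d = hmac.new(SECRET, f"{recipient}:{i}".encode(), hashlib.sha256).digest()
        rows.append({
            "last": SURNAMES[d[0] % len(SURNAMES)],
            "first": GIVEN[d[1] % len(GIVEN)],
            "dob": f"19{50 + d[2] % 50:02d}-{1 + d[3] % 12:02d}-{1 + d[4] % 28:02d}",
            "id": "".join(str(b % 10) for b in d[5:14]),
        })
    return rows

def distribute(base_rows, recipient):
    """Build the CSV copy sent to one recipient: real rows plus its canaries, sorted so they blend in."""
    rows = sorted(base_rows + canary_rows(recipient), key=lambda r: (r["last"], r["first"]))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def attribute_leak(leaked_csv, recipients, threshold=2):
    """Return (recipient, canary hits) for the copy a leaked CSV came from, or None.
    A threshold below n tolerates a leak that was trimmed or partially edited."""
    leaked = {tuple(r[k] for k in FIELDS) for r in csv.DictReader(io.StringIO(leaked_csv))}
    best = None
    for rcpt in recipients:
        hits = sum(tuple(c[k] for k in FIELDS) in leaked for c in canary_rows(rcpt))
        if hits >= threshold and (best is None or hits > best[1]):
            best = (rcpt, hits)
    return best

# Constructed sample list and recipient set (not real data).
BASE = [{"last": "Example", "first": "Alice", "dob": "1980-01-01", "id": "000000001"},
        {"last": "Sample", "first": "Bob", "dob": "1975-06-15", "id": "000000002"}]
RECIPIENTS = ["AirlineA", "AirlineB", "AirlineC"]
```

Because the canaries are recomputed from the key rather than stored, the attribution step needs only the key and the recipient roster, and a copy handed to someone outside the roster yields no match.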
And as always... Never use production data in the test pipeline.
At the very least, I don't think the company was operating like every random developer should have full access to the no-fly list, which is what they de facto gave them when they dumped an old copy into the test pipeline.
As a software engineer even I sometimes can't help romanticising hacking in my imagination. But so many times it turns out to be just like some company left the front gate wide open and the "hacker" walked in and took a look around.
Underneath all the garbage, good story. But Holy Hell, why do bloggers write so terribly and self-indulgently? That's a half hour of my life I'll never get back that shouldn't have been more than 10 minutes. Don't they have Ritalin in Australia? They really should.
Aussie, can confirm. They have Vyvanse, Dexamfetamine, Adderall and Ritalin.
I didn't mind reading this one though; it was a novel change to see sentences starting without capital letters.
Since when are passport numbers supposed to be sensitive information? This isn't something you could use for identity fraud in any normal circumstances.
Don't all sorts of person-related details come in handy to stage a social engineering hack? Maybe a caller could demonstrate legitimacy by coughing up a passport number. At this point, it may impress me more than someone having found my SSN (_love you for that, Equifax_). Yet, SSN is still by many institutions considered something that should be stored in the vault.
Interesting hack, but this seems quite the brazen confession to a fair number of computer crimes. If I were the author, I'd be worried about getting arrested and potentially extradited for this. Especially as he deliberately downloaded a load of confidential information after gaining access, and then shared it around. He'd be looking at years in prison for this, in the US.
Switzerland's federal constitution prohibits extradition of Swiss citizens to foreign powers. Now technically, this one amendment can be overridden by a mere act of Parliament, so unless there is a special act I'm not aware of, they are safe.
I had always assumed that the “no fly” list was a phrase and that it didn’t refer to an actual list, but rather a database with more detailed information than a “can they fly?” column with a Y/N entry. In pharmacy we have a database we have to access when we suspect there is abuse, fraud, or diversion of controlled substances. The database is regularly updated with current information about prescriptions that were dispensed, including location, prescribing physician, etc. I had always assumed the “no fly” list would be something similar. Now that I think about it though, that wouldn’t be efficient or useful at all. It would make sense for it to be much more simple.
I naively thought a secret list (file) with secret data would not be distributed in full among random developers of random organizations, but that there would be a private access point where specific persons could be checked against the no-fly list by those with the right to do so, audited, with measures to avoid abusing the service. Potentially with a training set available for developers separately. There are services where the accuracy of certain data can be validated (e.g. for cars by license plate and other data), so those who query should already possess the data of a particular person when using it and not just browse everyone in the secret list they please.
I had a friend with a common Indian name get bounced off a flight and then be unable to book flights after it turned out he shared his name with someone on the no-fly list. He had to petition his senator/congressperson to get off it. TSA had no easy way to prove innocence. It was very clear the list was just a list of names with no useful or distinguishing unique fields with it.
This was roughly 10 years ago, so things might have changed, but at the time it seemed like federal agencies could easily append to the list, but there was no standard process to get off it. I'd guess there are obvious incentives for agencies to add ("hey look, we've found terrorists", even if nothing was actually done about it), and none to remove people from it.
Network connectivity in airports can be patchy at best, and connectivity from the airport internal network to the internet even worse. All the check-in and boarding systems are designed to be able to work offline (with semi-automatic reconciliation afterwards). You have to query the no-fly list at check-in and boarding, so it's more resilient to have a list that can be loaded airport-side every morning.
Yeah, surprised as well. In finance, there is OFAC for people forbidden from moving money, but it's also typically used as a service/db instead of passing around CSV files to everyone. Very bizarre.
Indeed, the de-editorializing of the title made the interpretation more ambiguous. I'd actually prefer the real title ("how to completely own an airline...") or a more clear adjustment ("how to hack an airline...").
I was disappointed too. I wouldn't know what to do with an airline, I never had one, I wouldn't even know which one I'd like (perhaps Virgin Airlines?), but the thought of having one was exciting still.
I too was at first annoyed by a bit of an overhyping in the title and the overall style as well, until I remembered how it felt when you discovered something yourself, or even just read a good clever report from someone else. You get this rush that this is the coolest craftiest thing in the world.
For those unaware, maia is a pretty prolific hacktivist, and it has been indicted by a grand jury for a variety of USA govt penetrations but has USA proceedings on hold until it's extradited, which it's confident won't happen.
This is clearly on the darker side of gray-hat. Hate to be preachy but anyone seeking to emulate this sort of attack-finding should consider their ethical obligations as a computer scientist and follow best practices for responsible disclosure. It appears this was completely ignored here, including sharing stolen sensitive data of normal people with whoever can plead a case.
Am I missing something? It seems Maia didn't share the data at all, and only offers to if someone can demonstrate they will use it responsibly.
Moreover, depending on the contents of the list, this likely offers proof of what is generally suspected, that the no fly list is a form of discrimination and authoritarian overreach, targeting people that haven't been convicted of a crime but are "suspected" due to race, religion, etc. The whole thing is probably unconstitutional/illegal, but it's hard to prove that since it's been secret.
This seems like a clear case of hacktivism: trying to expose an unethical government program for what it is, so that it can be stopped.
The problem is to define "demonstrate" and the criteria. Remember the gatekeeper is now an unemployed gal who "know lot's of things about cyber security" according to her main page. Seems likely a competent bad actor could easily impersonate a well-meaning reporter...
Yes, security through obscurity isn't security, but this also seems incredibly irresponsible for any "security researcher". AFAIK, just basic standard good practice is to report the flaws and allow a reasonable interval before publishing, and there seems to be no hint of this.
Modern society really is held together with duct tape, baling twine, and a few pieces of bubble gum...
I get the impression that she's/it's doing this from a place of pain and desire to lash out, and "the system" is an easy target for her to fix onto. Not out of any sense of morality.
Maybe we should or shouldn't, but the potential victims of this aren't just some greedy corporation. Leaking the no fly list could cause irreparable harm to individuals whose names are on it or even similar, causing discrimination by employers and other organizations.
Though I don’t like the idea of it, I’m also not certain that I know better than people whose careers are in national defence. I’m not convinced that it’s a black and white thing. There are bad actors out there, and sometimes it’s clearly advantageous to hide information from them, which means hiding it from everyone.
Maybe there are reasons this is short sighted or I’m missing a greater point. I’d be interested to hear ideas in any case.
Breaking into private S3 buckets because you are bored is not considered an appropriate “Step 1” by the _professional community_ (people who get paid to do this for a living) at large.
Among people who plan to be financially rewarded for their work and also not be in handcuffs, Step 1 is usually to “Get written permission”.
Perhaps this is just my autism speaking, but am I the only one who gets completely freaked out by sentences like the above? "It" refers to inanimate objects, things which can't have free will, do crimes, or be prosecuted.
It's almost like you're talking about how a lawnmower decided to run a child over and then incriminate itself by boasting about it on social media. It makes no sense!
I know she picked that pronoun herself, but I really wish she didn't. It just makes communication difficult.
Corresponding news story: https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotecte...
E.g. when an airline had a public API where you could get someone's passport number and details just from their boarding pass https://mango.pdf.zone/finding-former-australian-prime-minis...
Password salts that were identical for the entire set?
"Random" initialization vectors always created from the same PRNG seed?
Without coders like these, hackers would really have to work for it.
(And, yes, I've encountered all of these in my career.)
https://www.treasury.gov/ofac/downloads/sdnlist.txt
1) Be a billionaire
2) Start an Airline
1. Create Tesla. 2.
https://en.wikipedia.org/wiki/Maia_arson_crimew
You won't be extradited though.
The Swiss could maybe prosecute domestically, but it's not (currently) in the public interest to do so.
You literally immediately falsified that assertion:
> and only offers to if someone can demonstrate they will use it responsibly.
And nobody ever lies of course.
[EDIT: pronouns]
Graciously, though, they’re at least feigning caution with handing out the no-fly list.