Insecure server exposes the US government's "No Fly List"
A bloated database mostly flagging Arabic or Russian-sounding names
By Alfonso Maruccia
Why it matters: A US regional airline accidentally exposed a secret "No Fly List" document shared among government agencies. While the list was taken offline, the hacker who discovered the snafu revealed a series of troublesome traits concerning security and systematic racism against "dissenting" people.
CommuteAir was using an Internet-exposed server as a development platform, and a Swiss hacker known as "maia arson crimew" was able to access the system and have a look around. The server turned out to be a trove of confidential data, coming from both the company's business activities and a secret database about people banned from flying in the US.
Data stored on the insecure server contained a lot of company-related information, including private data on almost 1,000 CommuteAir employees. Furthermore, a simple text file named "NoFly.csv" included more than 1.5 million different entries with names and birth dates, even though many of those entries were aliases or misspellings of pre-existing IDs.
The official "No Fly List" the secret file was referring to is a subset of the much larger Terrorist Screening Database (TSDB), which is the central terrorist watchlist managed by the FBI and used by multiple federal agencies to compile specific watchlists and for passenger screening activities. People present in the TSDB are suspected or known for having ties with terrorist organizations, while individuals on the No Fly List are not allowed to board airline flights in any case.
According to crimew, the No Fly List included notable individuals like Viktor Bout (with over 16 potential aliases), the Russian arms dealer recently released by the US in a prisoner exchange initiative to free American basketball player Brittney Griner. The list also included suspected members of the Irish paramilitary organization IRA, and oddly an eight-year-old child based on the birth date alone.
CommuteAir later confirmed the security incident with the development server and the legitimacy of the included data, stating that the no fly list discovered by crimew was a federal database dating back to 2019. The US No Fly List is an ever-growing database which, according to recent estimations, should include more than 80,000 people. A previously exposed copy of the larger TSDB contained 1.9 million entries.
What CommuteAir is identifying as a no fly list could indeed be just a copy of the much larger TSDB. Both lists have been criticized many times for being massive and bloated systems designed as surveillance devices against dissidents.
According to Hina Shamsi, director of the National Security Project at the American Civil Liberties Union (ACLU), the TSDB and the smaller No Fly List have been used for 20 years to target US citizens who are "disproportionately Muslim and people of Arab or Middle Eastern and South Asian descent." These people have to endure stigma, embarrassment and "life hardships of being unable to fly in our modern age," Shamsi said, while the US government is maintaining its bloated surveillance system based "on secret standards and secret evidence without a meaningful process to challenge government error and clear their names."