US Airline Leaves No Fly List Details Accessible On The Open Web
The nation is no longer secure.
I'm sorry I'm being so blunt here. But there's no way the union can survive, not with the omnipresent threat of airborne terrorism that justifies the existence of the absolutely horrendous TSA.
The no fly" list is one of America's many post-9/11 travesties. It's the place we put people we think are threatening enough to be forbidden from boarding airplanes, but not so dangerous we consider them to be arrestable.
You don't have to be a terrorist to get nominated" for no flying privileges. All it takes is a federal agent's imagination. Or some fat-fingering of the keyboard by federal employees. This has, of course, generated lawsuits. The government has tried to escape these lawsuits by claiming the very fabric of national security would be rent in twain if any of this was discussed in court. It says the same thing about informing people they've been placed on the no fly list.
Travelers have exactly one way to discover whether or not they're on the no fly list. They can buy a ticket and discover (after spending their often nonrefundable money) at the TSA checkpoint whether or not they can ride the rides. Some courts have called this process (and built-in lack of recourse) unconstitutional. Others have simply let NatSec bygones be bygone, assuming the government knows more than the judicial system about the intricacies of protecting the nation.
It's all a bunch of hot garbage. And I guarantee this leak will expose the government's but national security!" protestations in defense of its carelessly assembled, ever-growing no fly list as being particularly full of shit. David Covucci and Mikael Thalen - writing for the Daily Dot - have quite the breaking news.
An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and No Fly List."
Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.
Analysis of the server resulted in the discovery of a text file named NoFly.csv," a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.
Before we continue, let's just take a moment to appreciate the file-naming conventions that made it immediately apparent what this file contained. It's like having a desktop folder titled NotPorn."
OK. Back to business at hand: CommuteAir is leaky. And it leaked the thing the government definitely doesn't want leaked. According to the government (in winning and losing court battles), divulging any information from this list would make 9/11 look like... um... 9/11, I guess.
What's in it that's so sensitive? Names. 1.5 million names. The Daily Dot cautions that some will be duplicates because of aliases, misspellings, etc., but the upshot is a massive list of people the government considers too dangerous to be allowed on a plane, but benign enough they can't be arrested.
Who's on it? The usual suspects:
Many entries on the list were names that appeared to be of Arabic or Middle Eastern descent...
The Daily Dot writers go on to explain the list also contains names that aren't in these two inherently suspicious categories. Like... Hispanics. And some surnames that appear to be white.
Who's on the whitelist? IRA members and Russian arms dealers.
Who else?
Another individual, according to crimew, was listed as 8 years old based on their birth year.
A class-action lawsuit has been filed in Virginia challenging the government's terrorist watchlist. Eighteen plaintiffs - including a 4-year-old boy who was placed on the watchlist at the age of 7 months - claim their placement on the watchlist is discriminatory and has deprived them of their rights.
Since this doesn't appear to be the government's fault (I mean, other than compiling a list of 1.5 million people replete with misspellings...), the government has been quick to respond.
In a statement to the Daily Dot, TSA said that it was aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners."
Great. The agency that's incapable of finding contraband is on top of this. I'm sure the TSA's participation is of great comfort to its federal partners," any of which are presumably better at doing the stuff they're supposed to do.
The airline's statement is no more reassuring.
In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.
I'm sorry, but did you say you have a test server containing sensitive government information? Is it impossible to run a test environment with dummy data and lorem ipsum? Or do you absolutely have to upload government-created Excel sheets to the new sandbox? Take your time. I assume honest answers won't be forthcoming.
The TSA blames no one. CommuteAir, on the other hand, blames the person who found the unsecured data, rather than itself.
The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth," CommuteAir Corporate Communications Manager Erik Kane said. In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation."
There's plenty of legitimate criticism of the government's no fly list, as well as its poorly vetted Terrorist Screening Database. This incident doesn't nullify any of that criticism. And this isn't the first leak of the watchlist. Another happened in 2021. And yet, we continue to enjoy a life in a country largely free of (foreign) terrorist attacks. This exposure will not make the nation less safe. But it will show the government is lying when it says this information is too sensitive to discuss honestly or openly. We'll all be fine, even if alleged terrorists now know the US government considers them to be terrorists.