US Airline Leaves No Fly List Details Accessible On The Open Web

from the well-I-guess-it's-death-by-terrorism-for-us-all dept

The nation is no longer secure.

I’m sorry I’m being so blunt here. But there’s no way the union can survive, not with the omnipresent threat of airborne terrorism that justifies the existence of the absolutely horrendous TSA.

The “no fly” list is one of America’s many post-9/11 travesties. It’s the place we put people we think are threatening enough to be forbidden from boarding airplanes, but not so dangerous we consider them to be arrestable.

You don’t have to be a terrorist to get “nominated” for no flying privileges. All it takes is a federal agent’s imagination. Or some fat-fingering of the keyboard by federal employees. This has, of course, generated lawsuits. The government has tried to escape these lawsuits by claiming the very fabric of national security would be rent in twain if any of this was discussed in court. It says the same thing about informing people they’ve been placed on the no fly list.

Travelers have exactly one way to discover whether or not they’re on the no fly list. They can buy a ticket and discover (after spending their often nonrefundable money) at the TSA checkpoint whether or not they can ride the rides. Some courts have called this process (and built-in lack of recourse) unconstitutional. Others have simply let NatSec bygones be bygone, assuming the government knows more than the judicial system about the intricacies of protecting the nation.

It’s all a bunch of hot garbage. And I guarantee this leak will expose the government’s “but national security!” protestations in defense of its carelessly assembled, ever-growing no fly list as being particularly full of shit. David Covucci and Mikael Thalen — writing for the Daily Dot — have quite the breaking news.

An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” 

Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

Before we continue, let’s just take a moment to appreciate the file-naming conventions that made it immediately apparent what this file contained. It’s like having a desktop folder titled “NotPorn.”

OK. Back to business at hand: CommuteAir is leaky. And it leaked the thing the government definitely doesn’t want leaked. According to the government (in winning and losing court battles), divulging any information from this list would make 9/11 look like… um… 9/11, I guess.

What’s in it that’s so sensitive? Names. 1.5 million names. The Daily Dot cautions that some will be duplicates because of aliases, misspellings, etc., but the upshot is a massive list of people the government considers too dangerous to be allowed on a plane, but benign enough they can’t be arrested.

Who’s on it? The usual suspects:

Many entries on the list were names that appeared to be of Arabic or Middle Eastern descent

The Daily Dot writers go on to explain the list also contains names that aren’t in these two inherently suspicious categories. Like… Hispanics. And some surnames that appear to be white.

Who’s on the whitelist? IRA members and Russian arms dealers.

Who else?

Another individual, according to crimew, was listed as 8 years old based on their birth year

No surprise there.

A class-action lawsuit has been filed in Virginia challenging the government’s terrorist watchlist. Eighteen plaintiffs — including a 4-year-old boy who was placed on the watchlist at the age of 7 months — claim their placement on the watchlist is discriminatory and has deprived them of their rights.

Since this doesn’t appear to be the government’s fault (I mean, other than compiling a list of 1.5 million people replete with misspellings…), the government has been quick to respond.

In a statement to the Daily Dot, TSA said that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”

Great. The agency that’s incapable of finding contraband is on top of this. I’m sure the TSA’s participation is of great comfort to its “federal partners,” any of which are presumably better at doing the stuff they’re supposed to do.

The airline’s statement is no more reassuring.

In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

I’m sorry, but did you say you have a test server containing sensitive government information? Is it impossible to run a test environment with dummy data and lorem ipsum? Or do you absolutely have to upload government-created Excel sheets to the new sandbox? Take your time. I assume honest answers won’t be forthcoming.

The TSA blames no one. CommuteAir, on the other hand, blames the person who found the unsecured data, rather than itself.

“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

There’s plenty of legitimate criticism of the government’s no fly list, as well as its poorly vetted Terrorist Screening Database. This incident doesn’t nullify any of that criticism. And this isn’t the first leak of the watchlist. Another happened in 2021. And yet, we continue to enjoy a life in a country largely free of (foreign) terrorist attacks. This exposure will not make the nation less safe. But it will show the government is lying when it says this information is too sensitive to discuss honestly or openly. We’ll all be fine, even if alleged terrorists now know the US government considers them to be terrorists.

Companies: commuteair


Comments on “US Airline Leaves No Fly List Details Accessible On The Open Web”

Thad (profile) says:

Back when I was a freshman in college, an English professor gave me shit for citing an article by jamie on Slashdot. (“What if it had been cmdrtaco?” is perhaps the greatest red-pen correction I have ever received.)

And look where we are today: we’ve got Business Insider citing someone named “Maia arson crimew”.

Paul Brinker says:


Getting them to even admit the list exists, and then using all kinds of filler words like “we will not confirm or deny said list exists, that your name is or is not on any such list or lists, or that the leaked list is in fact an actual list”

I would also like to remind you that leaked classified information, even printed in the paper, or posted in Times Square, is still classified and as such anyone with a security clearance including many judges, may not be allowed to even look at the leak or be threatened with revocation of said clearance.

Leaks are absolutely toxic now because the average citizen can now know what’s going on, but unless they are willing to get into an expensive lawsuit filled with appeals on the most basic elements of their suit nothing will change.

LTJ says:

Re: No Fly List available?

If the US No Fly List has been leaked and made public, does this mean it is currently available for downloading from a given server or website? If so, what is the name of the server or website with this file? It could be an FTP server.

It’s been reported that the list is in an ASCII (plain text) file named “NoFly.csv” containing over 1.5 million lines of data. Note that “csv” means “Comma Separated Variables” and is a common format which can be loaded into applications such as spreadsheets and databases, or even searched directly from the command-line with programs like “grep” (a standard utility included on Unix and Linux systems).

Anonymous Coward says:

With new infrastructure, no more 3rd world scapegoats to blame pseudo-data security on.

I’m still laughing at the roomba that used 3rd world labor who in turn, posted the stupidest photos for a cheap laugh from their beta testing data that was gathered. 3rd world cloud is stupid.

Data security much in the 3rd world? That’s how you know they are liars.

PaulT (profile) says:

“In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.”

That looks like a misprint to me. I think it means to say “we are fully incompetent and have no business being anywhere near a secure system”.

I’ve known developers who will ignore any protocols and safety standards because it’s easier for them just to dump a production database and use confidential data on their laptop. They usually don’t last long.

Anonymous Coward says:

data FAIL!

these are some of the same people that want everyone to have a digital ID! be forced to use the digital dushe dollar! have a GENOCIDE JAB passport! and think that everything digital is just fine and secure! when they can’t even keep low end data from getting out into the wild! and yet they insist that everyone needs to have their everything all in a government database with more holes than a pasta strainer!
