i was contacted on twitter by the journalist at dailydot who broke the news (<a href="https://twitter.com/davidcovucci" rel="nofollow">https://twitter.com/davidcovucci</a>) because i have java code on github from ~10 years ago that reads a certain ‘nofly.csv’ file (<a href="https://gist.github.com/yawboakye/3888617" rel="nofollow">https://gist.github.com/yawboakye/3888617</a>). the interaction was short and i wondered what he was looking for exactly. well, it was joke code, written as part of introduction to java. all this makes me wonder where ‘super-secret-nuclear-codes.csv’ could get me
The way the no fly list was shared, it was absolutely inevitable that this would happen. A much more secure way to handle this:<p>1. Airlines are each given a no fly list that only includes tokens, e.g. each person's name hashed with a secret key that is specific to the airline, on a periodic basis.<p>2. When the airline wants to check if a user is on the list, they hit a government-owned service that returns the user's token (again, the token will be unique for each airline because each airline gets their own secret key).<p>3. The airline would then check the token against their revoked token list.<p>The benefit of this is:<p>1. The full token list by itself is useless<p>2. Even if the airline's API credentials are stolen, the response from the government-owned service is useless on its own.<p>3. So a bad guy would need to steal the token list AND the API creds to get any value, and even then it would be easy for the government to detect unusual access patterns to their service.<p>Remember back in the late 90s when we all used to store passwords in plain text? Yeah, we know how that turned out, and in this case, storing the list not only in plain text but sharing it to tons of different companies willy nilly is a million times worse if you expect it to stay secret.
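The three-step scheme described in the comment above, written out as an added example (this is illustration code, not anything from the commenter, the TSA, or any airline). It assumes HMAC-SHA256 as the per-airline keyed hash, assumes matching is done on the (last name, first name, date of birth) triple the thread says is populated, and uses a constructed two-entry watchlist and made-up airline identifiers. The government side keeps the plaintext list and every airline key; an airline only ever holds its own token list and an API credential, and every lookup is counted per airline so unusual volume is visible.

```python
"""Per-airline keyed tokenization of a watchlist (HMAC-SHA256).

Added illustration of the tokenized no-fly-list scheme; not code from any
government, airline, or the thread's author. The watchlist entries, airline
identifiers and keys below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import unicodedata
from collections import Counter


def canonical_record(last: str, first: str, dob: str) -> bytes:
    """Canonicalize a record so trivial spelling variants map to one token.

    Assumption: matching is on (last, first, dob). Fields are NFKC-normalized,
    case-folded, stripped, and joined with a separator that cannot occur in them.
    """
    parts = [unicodedata.normalize("NFKC", p).strip().casefold() for p in (last, first, dob)]
    return "\x1f".join(parts).encode("utf-8")


class WatchlistService:
    """Government side: owns the plaintext list and one secret key per airline."""

    def __init__(self, watchlist):
        self._watchlist = list(watchlist)   # [(last, first, dob), ...] plaintext, never shared
        self._keys = {}                     # airline_id -> 32-byte HMAC key (never leaves here)
        self._api_creds = {}                # airline_id -> API credential handed to the airline
        self.access_log = Counter()         # airline_id -> number of lookups (for anomaly review)

    def enroll_airline(self, airline_id: str) -> str:
        """Generate the airline's tokenization key; return only its API credential."""
        self._keys[airline_id] = secrets.token_bytes(32)
        cred = secrets.token_urlsafe(32)
        self._api_creds[airline_id] = cred
        return cred

    def _token(self, airline_id: str, record) -> str:
        # Keyed hash: without this airline's key, tokens cannot be recomputed from guessed names.
        return hmac.new(self._keys[airline_id], canonical_record(*record), hashlib.sha256).hexdigest()

    def issue_token_list(self, airline_id: str) -> frozenset:
        """Step 1: the periodic per-airline list. It contains tokens only, no names."""
        return frozenset(self._token(airline_id, r) for r in self._watchlist)

    def lookup(self, airline_id: str, credential: str, last: str, first: str, dob: str) -> str:
        """Step 2: authenticated lookup returning this airline's token for one traveller."""
        expected = self._api_creds.get(airline_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError("bad airline credential")
        self.access_log[airline_id] += 1     # volume per airline is what the government watches
        return self._token(airline_id, (last, first, dob))


class Airline:
    """Airline side: holds only its own token list and its API credential."""

    def __init__(self, airline_id: str, credential: str, service: WatchlistService):
        self.airline_id = airline_id
        self._cred = credential
        self._service = service
        self.token_list = service.issue_token_list(airline_id)

    def is_listed(self, last: str, first: str, dob: str) -> bool:
        """Step 3: fetch the traveller's token and test it against the local list."""
        token = self._service.lookup(self.airline_id, self._cred, last, first, dob)
        return token in self.token_list


def build_demo():
    """Constructed watchlist and two enrolled airlines (hypothetical identifiers)."""
    watchlist = [("Doe", "John", "1975-03-14"), ("Roe", "Jane", "1982-11-02")]
    svc = WatchlistService(watchlist)
    air_a = Airline("airline-a", svc.enroll_airline("airline-a"), svc)
    air_b = Airline("airline-b", svc.enroll_airline("airline-b"), svc)
    return svc, air_a, air_b


if __name__ == "__main__":
    svc, a, b = build_demo()
    print("listed at A:", a.is_listed("DOE", "john ", "1975-03-14"))
    print("listed at B:", b.is_listed("Doe", "John", "1975-03-14"))
    print("A and B token lists disjoint:", a.token_list.isdisjoint(b.token_list))
    print("lookups per airline:", dict(svc.access_log))
```

Two properties worth checking when running it: the same person gets unrelated tokens at the two airlines, so one airline's leaked list (or a token captured from its API response) matches nothing in the other's, and a token list reveals no names because recomputing a token from a guessed name needs the key that never left the service. The caveat the scheme inherits from any exact-match design is that a spelling or transliteration variant the canonicalization does not cover produces a different token, so the matching rule has to be agreed between the service and the airlines.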
Link to the actual forum, since it's not provided for some reason: <a href="https://breached.vc/Thread-TSA-NoFly-List-Database-Leaked-Download" rel="nofollow">https://breached.vc/Thread-TSA-NoFly-List-Database-Leaked-Do...</a>
Seems there is a blog post authored by the same person credited in the dump ("maia arson crimew") describing how the data was acquired here: <a href="https://maia.crimew.gay/posts/how-to-hack-an-airline/" rel="nofollow">https://maia.crimew.gay/posts/how-to-hack-an-airline/</a> ("how to completely own an airline in 3 easy steps and grab the TSA nofly list along the way")<p>Discussed 10 days ago on HN (1024 points | 642 comments): <a href="https://news.ycombinator.com/item?id=34446673" rel="nofollow">https://news.ycombinator.com/item?id=34446673</a>
This is one of those terrifying security and operational scenarios. Sure the TSA can say nothing on our end was compromised but if the data is readily accessible to download and accessed by every mom and pop carrier with a 3 person IT staff that can barely keep the lights on is anything actually secure?
Including the birthdate would be an improvement. Here in Canada, there are babies that get put through enhanced screening for having a flagged name, but there's an IT contract out there for many millions to provide something like redress numbers.<p>ChatGPT could likely generate the SQL for well under a million.
What security benefit is there for this list being secret? Sure privacy may be an issue but I should have the right to know if I am on it as I see absolutely no benefit in this list being secret other than the government having another reason to put people in jail.<p>Also if you know you are on it you can save the airlines and everyone else a lot of trouble by not trying to fly in the first place.<p>Does the list even state why you are on it?
My comment linking to the file seems to have been quietly censored by dang or some other moderator. Not [flagged], just [dead].<p><a href="https://news.ycombinator.com/item?id=34583299" rel="nofollow">https://news.ycombinator.com/item?id=34583299</a><p>Linking to this file does not seem to violate any documented HN rules, and download links charging money for the file were allowed to stay up.
Let me tell you about the No-Rent list. Oh yes, if you fuck up a rental car or boat or do any kind of chargebacks for the rental, you will be immediately and automatically added to the No-Rent list for that company. Sometimes these lists can be distributed to central repositories where other rental companies can choose to follow the suggestions and not rent a car to you due to your status as high risk. One of my earliest jobs involved working on a system with such a list. I’ve had quite a bit of experience in engineering solutions to keep people in check.<p>I suspect there might be something for real estate, but more fragmented. You could end up on a no-rental list and be banned from renting property. I am certain Airbnb has such a list as well.
Discussion for original blog post detailing how the leak occurred: <a href="https://news.ycombinator.com/item?id=34446673" rel="nofollow">https://news.ycombinator.com/item?id=34446673</a>
Too bad there isn't a "reason" column showing even a summary of why they ended up on the no-fly list - probably because the reason is too sensitive for the people who regularly access the list to see.<p>"Matters of National Security" and all that jazz.
I'm very curious about this list and whether I'm on it. I have an extremely common Anglo-American first+last name and there was a period of years when I would regularly get my boarding pass stamped "SSSS" and pulled aside for the secondary screening almost every time I flew, which at the time was 5-6 times a year or more.<p>Now, my name is truly so common that I have convinced myself there was something more than just that name triggering the SSSS designation. Otherwise, most major airports would have been patting down someone with my name multiple times a day. I suppose that's possible, but if so it would really damn the value of this sort of list. The extra screening did seem to depend on which airline and which airports I was using, so maybe there was something else going on. Or maybe some dude with my name just crossed some line he shouldn't have and me and everyone else with that name paid the price for a few years.
Lists like these must be publicly available to anyone, like credit history/score. Also, there must be some justice process for getting in and out of this list.<p>I still don't understand how societies accepted no-fly lists, civil forfeiture, de-banking, de-platforming people and other clearly totalitarian practices in our "democratic" and "free" countries.
Interestingly the spreadsheet includes the columns SID,CLEARED,LASTNAME,FIRSTNAME,MIDDLENAME,TYPE,DOB,POB,CITIZENSHIP,PASSPORT/IDNUMBER,MISC, but only LASTNAME, FIRSTNAME, DOB are populated.<p>And there are some guys from 1911 and 1912 there.
Our industry is still not, in general, an industry that employs licensed professionals. Subsets of it, to be sure, but there is no such thing as a "computer engineering license" in the same sense as a "civil engineering license," for example.<p>If there were, using production PII in the test infrastructure would be grounds for license revocation.
I wonder if they got the list from crimew or if they followed the directions on her blog. You'd hope the offending airline would have fixed the issue over the past few weeks but who knows.
Oh dear, yes we understand this is the world post-9/11, but many, many criminals will simply use entirely fake identities.<p>And the data hygiene and integrity are horrible, there are dead people on it.
What are the ethics of publishing such a list? The act of doing so exposes people and damages their reputations, and because there isn't a just procedure for adding people to that list that damage is likely unfair. It's not like this is the registry of sex offenders, where at least there was an actual court case to determine their registry and there are well-defined procedures for removal in case of mistakes or issues. Shouldn't we advocate for there to be a fair, just procedure for adding and removing people from the no-fly list before making it public?
I'm honestly surprised it's taken this long for one of these lists to be <i>leaked</i>. Many businesses are required to pull this and many other lists into their applications to approve/deny people and this is not just airlines. For the longest time these lists were on an unencrypted FTP server with a simple username/pw. I only had to deal with this because one of our firewalls did not play well with FTP. I tried to convince them to use HTTPS or SFTP. Hopefully they have at least done that by now.
Assuming this list doesn’t include anyone who’s on the Secondary Security Screening Selection (SSSS) list by default:<p>- <a href="https://wikipedia.org/wiki/Secondary_Security_Screening_Selection" rel="nofollow">https://wikipedia.org/wiki/Secondary_Security_Screening_Sele...</a>