Feb 1, 2023
Content Warning: Racism
A certain cat has been making the rounds across the security world as of late. Her name is Maia Arson Crimew (yes, really). She stumbled onto the story below while “being bored and browsing shodan,” a search engine that lets anyone browse ‘Internet-of-Things’ devices and other servers that have been exposed to the internet, often unintentionally. While browsing, she found an exposed Jenkins server (a server used to automate the building and testing of software projects) belonging to CommuteAir, a US regional airline headquartered in North Olmsted, Ohio. On this server, she found projects labeled noflycomparison and noflycomparisonv2, “which seemingly take the TSA nofly [sic] list and check if any of commuteair’s [sic] crew members have ended up there.”[1]
Looking into these projects, she found credentials for Amazon Web Services, a very commonly used cloud provider with monopolistic business practices[2] (just like everything else Amazon does!). With these credentials she could have done basically anything she wanted with CommuteAir’s infrastructure, from spinning up new servers to reading the databases behind their website. She never had to use them, though: she went back to the noflycomparison project on the Jenkins server and found a file named nofly.csv.
“holy shit, we actually have the nofly list. holy fucking bingle. what?! :3”[3]
- Maia Arson Crimew
With this highly sensitive, personally identifying information in her hands, she did the responsible thing and is only releasing it to “journalists and human rights organizations”[4] via DDOSecrets, a nonprofit which specializes in the release of classified information “in the public interest”[5]. I personally reached out to DDOSecrets on behalf of The Student Insurgent, making sure to follow their protocols[6], and received access the very next day. Unfortunately, my analysis is still ongoing, so it will not be available in time for the release of this issue. Be sure to check out studentinsurgent.org (you’re here right now!) and follow our social media accounts to get notified about updates.
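The root failure in the story above is a CI job that carried cloud credentials in plain text next to the code that used them. As an added example (not from the original post, CommuteAir or DDOSecrets), the following Python check scans job configuration text for the AWS access key ID and secret access key formats and reports redacted findings; the Jenkins pipeline snippet it runs against is constructed, not a real job definition.

```python
import re
from dataclasses import dataclass

# Long-lived IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are 20 characters. Secret access keys are 40 base64-style characters
# and are only flagged here when they sit next to a recognisable variable name.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})\b"
)

# Constructed sample of a Jenkins pipeline configuration; not CommuteAir's.
SAMPLE_JOB_CONFIG = """\
# constructed sample, not a real job definition
pipeline {
  environment {
    AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE012345678'
    AWS_SECRET_ACCESS_KEY = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN'
    NOFLY_SOURCE = 's3://example-bucket/nofly.csv'
  }
}
"""

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # enough of the value to locate it, never the whole secret

def redact(value: str) -> str:
    """Keep the first and last four characters so the match can be triaged."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per hard-coded AWS credential, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_JOB_CONFIG):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Running the same check as a pre-commit hook or a Jenkins build step turns a leak like this into a failed build, and the redacted output can be logged without re-exposing the secret.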
https://maia.crimew.gay/posts/how-to-hack-an-airline/
https://www.bloomberg.com/news/articles/2021-12-22/amazon-cloud-unit-draws-fresh-antitrust-scrutiny-from-khan-s-ftc | view without paywall: https://archive.ph/DWAOO
https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets
https://ddosecrets.com/wiki/Contact#Request_Access