QAA Podcast - Bonus Episode: Hacking Into the No Fly List with Maia Arson Crimew

Episode Date: January 25, 2023

We interviewed the 23-year-old Swiss hacker who got access to the No Fly List and leaked it to the media and other organizations: Maia Arson Crimew. Subscribe for $5 a month to get an extra episode of QAA every week + access to ongoing series like 'Manclan' and 'Trickle Down': http://www.patreon.com/QAnonAnonymous Maia: https://twitter.com/_nyancrimew / https://maia.crimew.gay/ Merch: http://merch.qanonanonymous.com Music by Pontus Berghe. Editing by Corey Klotz.

Transcript
Starting point is 00:00:00 What's up QAA listeners? The fun games have begun. I found a way to connect to the internet. I'm sorry, boy. Welcome to a bonus episode of the QAnon Anonymous podcast, an interview with the person responsible for obtaining and leaking the so-called no-fly list. As usual, we are your hosts Julian Feeld and Travis View. We're speaking with Maia Arson Crimew, a hacker from Switzerland.
Starting point is 00:00:33 Welcome to the podcast, Maia. Hi, I'm glad to be here. For context, the no-fly list is a list of persons drawn up by the U.S. federal government's Terrorist Screening Center. The people listed on it are prohibited from boarding commercial aircraft for travel within, into, or out of the United States. It was first put in place by the Bush administration in 2001 in the aftermath of 9/11. By 2011, there were 16,000 names on it. By 2013, there were 47,000 names on it. In 2018, Senator Dianne Feinstein suggested that the list had over 81,000 people on it at the time.
Starting point is 00:01:06 Maia, the list you gained access to has approximately 1.56 million entries. Right. So even accounting for duplicates, name variants, aliases of the same person, that seems extremely high. Yeah, I don't know what's going on. Like, I'm going to be honest, like, that's part of why we were confused at first and started to just assume it's the terrorism screening database, like the full thing. But for that it was too small because the terrorism screening database is once again even bigger than that, which is also crazy. So we were going up with the assumption that it's the terrorism screening database and probably from 2022 because that's when the file was
Starting point is 00:01:42 uploaded to the directory you got it from. But then for some reason, the airlines started confirming in every media request ever that it is the no-fly list and from 2019. I don't know who's doing crisis communications for them, but they're great because they keep giving us lots of good info we otherwise wouldn't have. It is allegedly the actual no-fly list dated from 2019, and it has way more people in it than the government ever admitted to before. Just to start, walk us through the hours you spent online that led to you obtaining this 2019 version of the no-fly list. Directly on like the day I found this, I don't know, maybe two hours. Or like, no, like two hours until I like found the airline having data exposed
Starting point is 00:02:27 and then it took like another, like, two or three hours until we ended up just stumbling into the no-fly list, mostly because I just didn't look in the right place, not because I didn't have access to it. I just hadn't looked at the right directory yet. Yeah, so walk us through this stuff. You can talk to us about Shodan and the Jenkins servers. Right, yeah.
Starting point is 00:02:48 Yeah, so basically, I just, when I'm bored, start looking through Shodan. That's like Google, but if Google indexed, like, smart toasters instead of a website, to explain it in a silly way. It's just, it's, you can search for servers and you can search for software that is running on servers instead of just like web content. And so yeah, I'm looking for Jenkins there and Jenkins is like software that is used to like test
Starting point is 00:03:12 and build things while developing other software. I don't know how well I'm explaining this, I'm not good at dumbing down technical stuff, but basically a lot of companies are not very good at setting up Jenkins properly and it's often just like they're often just leaving their source code entirely publicly out to the open or credentials or like passwords and everything. So it's like a good way to kill boredom, because a lot of times I won't find anything like big but it will be like oh yeah
Starting point is 00:03:45 this is an interesting e-commerce software, let's just look at this for five minutes and then like move on. Yeah. But yeah, so that day I was just like going through like small things, @-ing small companies on Twitter being like, lol, please secure your shit. And then eventually I was just like, hey, that's some familiar words. It was like just words like ACARS and crew. And I was like, hey, that reminds me of like the Mentour Pilot videos I watch while eating dinner.
Starting point is 00:04:14 Where he talks about various flight systems. And I'm like, oh, yeah, this is like, this is definitely aviation. This is like probably something serious. But I still wasn't sure like how much access I would get. I was like, yeah, maybe I can just see, like, some log files or maybe a bit of their source code. But, like, two minutes later, I see that they have, like, hard-coded passwords everywhere. And I'm, like, suddenly looking at live ACARS messages on, like, some server where they are transmitted, like, not directly the communications between airplane and ground control, but where the messages are then sent for further processing and aviation software. Okay.
Starting point is 00:04:51 And so I just kept taking into the server and finding access to more and more of their aviation, like crew info updating, like I could have potentially changed crews for flights. Very good stuff I should definitely just have access to. And like employee data and everything. Eventually I had like access to most of their servers on like Amazon Web Services, which is like the cloud Amazon runs because they're a little more than a bookstore nowadays. Then eventually it's like, as I always do when I do something like this, I start working together with, like, journalists because I want to make sure this stuff actually gets out into the open
Starting point is 00:05:30 and isn't just like swept under the rock when I report the issues. So I started working with Mikael Thalen from Daily Dot and we looked at this together and then suddenly we were like, yo, wait, we actually have the no-fly list, because I was at this point for like two hours trying to figure out how exactly they processed the list because I had access to like all the systems that it goes through but it was just nowhere to be found. But suddenly we found that for testing their software, they just left a copy of it inside their software repository. Okay. There was just a copy of it there, and it was put there in 2022.
Starting point is 00:06:05 So we were like, oh, yeah, this is a very recent copy from 2022, and we were going to run with that. But then, like, an hour before the story got published, we got like a statement from CommuteAir being like, yeah, lol, this is the real list, but it's like outdated. So it's not really that big of a deal. And it's just like, thank you for giving us the exact information we were just guessing about so far. But yeah, that's like the basic rundown. So I'm told that the file that you discovered was literally titled nofly.csv. Exactly, yeah. It's just a CSV file with 1.56 lines.
Starting point is 00:06:41 It apparently breaks Excel. I've never opened it in Excel. I just open it in a text editor because, like, yeah. But apparently Excel doesn't even display all the lines. It's like too big of a CSV file. So were all the files with like the employee data? Or is that all just CSV files too? Yeah, there was also an employee CSV file there.
Starting point is 00:07:02 Because like the service, the services was for is where they compare like all their employees, including like non-crew, but like just people who like work at their hangar, people who like do cleaning at their offices or whatever. They just compare all their staff to the no-fly list to see if like anyone, like even like low-level business, office people, because like if they are on the no-fly list, I mean, you can't work in an office. So there is a good blog post like a bit about this on Papers, Please, who did a really good analysis of like the list, who says, yeah, this is just mission creep. Like this started as just a list for like banning people who were an immediate danger from flying and it just grew and grew
Starting point is 00:07:42 into we need to do predictive, like, things. Like the list isn't highly predictive, like there are four-year-old kids on there. Like that's not someone who has done any terrorism yet, I assume. Yeah. But yeah, it's just the mission creep of going from, yeah, this is like actual terrorists we can't let on our planes, which to some degree makes sense, like as like basic idea, to just this is a list of people we don't like and they are not allowed to do anything anymore. Yeah, you just can't get a job in anything even vaguely aviation related anymore if you're like on any of the list. And so you're 23 right now,
Starting point is 00:08:22 which means you were an infant when 9-11 happened and the no-fly list was first introduced. So, like, what led you to become, what some call a hacktivist at this relatively young age? I don't know. I feel like it's hard to, like, in this day and age, not be in some way politicized. And I mean, this wasn't, like, me specifically going for the no-fly list.
Starting point is 00:08:42 Even though, like, I heard about, like, the last time it got leaked in, like, 2021, and someone found, like, what is actually probably the entire terrorism screening database. And they just, like, didn't publish it. And I was like, no, this is like data. Researchers need to see. So at the time, I was, like, briefly trying to specifically look for this to hand it to researchers. So this is for once, actually, I was like, yeah, I want to find this someday.
Starting point is 00:09:06 And I actually did. It just took some patience. But so how, like, what got you into hacking? I mean, is this just something that you've done for a while now? Or... Yeah, I have been at like doing things that can be classified as hacking for a while now. Like I come from an IT background, I've always been interested in like computer science. I am autistic, and it's just always been like a big focus of mine, too, like that. And I'm just very curious and I like to look into how things work and I'm also political and get angry about
Starting point is 00:09:40 stuff. So I feel like it was just kind of like, yeah, that the things all culminated into you're becoming a hacktivist. You know, this isn't the first time that your work runs afoul of U.S. law. Obviously, you're not at liberty to speak about the 2021 indictment by a grand jury in the Western District of Washington. But just broadly, you know, I mean, what was the focus of your hacking? And how come, you know, even though in 2021 this indictment happened, how come you decided to continue and I guess just accept that maybe you're not going to come to the States?
Starting point is 00:10:11 Yeah, I mean, I wasn't going to come to the States anyway. Like, what would I do there? But I feel like a lot of my work, just in general in activism, like, is about it's, like, freedom of information and a lot of, like, the big things I do that are highly publicized are often about, like, surveillance, be it surveillance capitalism with what happened in 2021, or be it now about state surveillance and watchlisting. Yeah, those are kind of my focus points. At the end of the day, I'm an anarchist, and I would like to end, like, the entire system, but I know that's not like a realistic goal for like one afternoon. So, yeah, I will just keep staying silly and combating my boredom. I feel like what's also important to note is just that like hacktivism and hacking
Starting point is 00:10:57 doesn't automatically like equal illegal. Sure. I feel like it's more a question of morals than legality anyways at the end of the day. Edward Hasbrouck, you mentioned him. He's the guy who works with Papers, Please, right? So he's an author and human rights advocate and he kind of listed three things that he thought this list that you shared with journalists and researchers confirm, which is that the TSA has issues with Islamophobia, overconfidence in the certainty of its
Starting point is 00:11:25 pre-crime predictions, and like you mentioned earlier, mission creep. So, I mean, what do you think of this statement? Do you think this kind of encompasses it? And could you maybe speak about those three aspects? Yeah, I feel like that that's important. Like the thing like the very specific focus on it almost entirely, like, containing people from very specific ethnicities. It's like, that's the first thing that jumped out to me when I opened this file. It didn't surprise me, but it was still shocking to see just how right, like, everyone's assumption was about how much of, like, just a list of Muslim names it is. Right.
Starting point is 00:11:59 I think Bellingcat has, like, made a statistical analysis of, like, the names, and I think it's literally, like, 75% of the names on the list are, like, of Muslim origin, which, just, that's wild. That's like over a million people from the Middle East, and it's just, yeah, I don't know. And like, I addressed mission creep earlier, and what was the other point, I already... Pre-crime. Yeah, it's entirely a list of people that the U.S. assumes will commit a crime at one point, and they're so confident about this that they put more people on the no-fly list than on the, like, list of people who get extended screening. And I think that is, that is pretty wild that they're so confident in their pre-crime assessment that they are willing to put people on no-fly
Starting point is 00:12:45 instead of just an enhanced screening because I don't see like why you should just but I generally don't see why like you need to completely ban people from flying without like questioning them like if they haven't done anything. On your website you stated, quote, while the nature of this information is sensitive, I believe it's in the public interest for this list to be made available to journalists and human rights organizations. If you're a journalist, researcher or other party with legitimate interest, the data is available for access upon request via DDoSecrets. So how did you decide on this approach and how many people, I guess, have like inquired and been granted access so far? Okay. So I don't know how many people have been granted access via DDoS because like that's a
Starting point is 00:13:25 separate organization. I'm not involved with them. I just trust them to make the right decisions in that regard. I personally, I had to start handed it out myself. I am pretty sure it's been like 50 or so organizations and journalists, and I have given it out to, I have gotten hundreds upon hundreds of requests. Most of them should have random people being like, I know I am not like, I do not have a legitimate interest, but can I please have it anyway? I'm a little silly. And I totally get that because I'm curious as well, and I would probably also send an email
Starting point is 00:13:54 if someone else put up a blog post like that. But yeah, I don't know. It's very hard to know the number. I did not have the energy to count while I spent a week answering emails. Yeah. And so why did you decide on this approach, you know, rather than any other? I feel like just making it entirely public would put people at risk that I don't want to take and also would put me at even more risk of like, yeah, at risks I don't need to take. I don't want to like just dox people the U.S. considers bad. I don't know. Like it's watchlisting. I don't
Starting point is 00:14:30 want the watch list to be public because it is at the end of the day a list of people the U.S. government considers bad and that can have severe negative consequences for people on that list, be that with their local governments finding out they're on that list and using that as some sort of meaning of that person is a terrorist, the US decided that and they have better intelligence than we do. So like we're just going to trust that. I've actually gotten a request from someone who claims to be from Brazilian intelligence and being like, hey, we don't have the intelligence the US has. Can you please give us the list? We would like to go round up some people. And it's just like, yeah, it's just things like that that, yeah, I don't know. I feel like
Starting point is 00:15:10 it would have been irresponsible to just publish it. I expect it's only a matter of time until it's going to end up on like some pastebin site or something because that's how things go on the internet. But I didn't want to be the person to put it out there. I couldn't get that beyond me, but I still like, like I spent like a week thinking about this of whether I should go with the very safe route and just not publish the list and just do that article and blog post and that's it. But I feel like it's very important that this is something that's talked about. And I feel like the discussion that's already sparked is very important.
Starting point is 00:15:44 It probably wouldn't have been sparked if it were impossible for researchers to access it. And I'm very curious of what's going to come from it from like academic researchers I give this to where we're going to have to wait months or years to see the results of it. But I'm very interested to see that. Because what's already also like kind of been shown with things that I've heard from various researchers and journalists, is that the list kind of also shows intelligence partnerships the US has. Because you can see, for example, with Irish organized crime, there are a lot of Irish names on the list. And a lot of them are people, the US themselves clearly has like no interest in
Starting point is 00:16:20 or like no reason to be interested in. Like, why would the US be interested in boxing cartels in Ireland? But like, they're all on the list. So you can start to make assumptions about who the US has like intelligence sharing agreements with and who the US trusts enough to just put all the names directly on this list. And I find that very interesting what this is going to start showing just in general, like globally, like intelligence networks that exist. As far as entries on the list and your discussions, I guess, so far with interested parties that got access, is there anything you found that's of particular interest? I feel like just, yeah, the massive age range and the fact that apparently even being dead doesn't get you removed from the list
Starting point is 00:17:01 Like Osama bin Laden is still on the list. Like he cannot fly, and I think we're all glad that he can't, but like, just in case he gets resurrected, I guess. The fact that there is such young people on there just starts to make me wonder whether it's just being related to someone or living in the same village as someone is like actually just enough to end up on a list. I specifically find it so wild how young some of the people on the list are. Like they are like eight now and were four at the time of the snapshot. Who knows how old they were when they were added to the list. So among the long list of Arabic, Muslim, Latino and Russian names,
Starting point is 00:17:37 I believe those are like the kind of majority names in order. Yeah. There were some names of the white supremacist participants in the Charlottesville Unite the Right rally. And so is that just, you know, the kind of screening list? Does it bar them from flying? I mean, what do you make of that? I think most of them are just on the screening list.
Starting point is 00:17:56 They just get half of that airports and I guess they now finally know why. I feel like the fact that a lot of white supremacists already in 2019 were on these lists explains all the buses they always use. Because like they always take buses to rallies across like half the country and I feel like that might have something to do with the fact that half of them can't fly anymore. But I do find it interesting how apparently white supremacists actually get added to these lists. Like that is somewhat surprising to me, like given like general US track record on things like that. Yeah, I thought that was really interesting. I don't know. It would have been
Starting point is 00:18:31 very interesting to see like a past post-January 6 list, obviously, because, yeah, the number of American citizens on there is probably significantly higher now. How has the public broadly reacted to this? Obviously, you said there was a lot of requests, but you also have open DMs. I'm assuming those are flooded and media requests. Yeah, how has it been? I got way more attention from this than I ever expected to. And I feel like a big part of that is because I kind of became like a trans femme Tumblr meme really quickly because people saw my blogposts and were like, this looks kind of silly. I feel like that that is where a lot of my current fame actually comes from and not like the actual leak itself. But that obviously on the other hand then resulted in more people finding out about
Starting point is 00:19:15 this. Like some younger people even first hearing about the concept of a no-fly list existing. The public reception has been pretty good so far, like from what I have seen, if we ignore the whole, like, queer discourse, I accidentally started on Twitter, but we're not going to talk about that. So you have had some kind of reactions already from organizations. I know the senior litigation attorney for the Council on American Islamic Relations. He said this. These leaks confirmed that in response to 9-11, the FBI decided to build a Muslim registry.
Starting point is 00:19:44 There's definitely a very, very clear bias there. Like, like, trying to deny that there is a bias against Muslim people in this list. I'm very excited to see how the US tries to do that in court, but if they do actually get taken to court, there are various organizations who have talked about potentially opening a lawsuit, which I would be very excited for it. I find it interesting how this is happening at the same time from Muslim groups and activist groups from more on the left side of the spectrum, I guess. And at the same time, we have a Republican congressman talking about potentially drafting up legislation over this, which I find really interesting because, like, you would assume the Republicans loved a lot, no fly list, but I guess after January 6th, their opinion changed a bit.
Starting point is 00:20:35 Right. And because currently Joe Biden as president, but it's interesting to see because they're at the very least starting a congressional inquiry. I didn't expect myself to ever, like, kick something like that off. Do you think this is just the fact that, you know, in some ways we've become numb as the surveillance state expands and it's like the realization that there's so many names and that this is how it operates, that it's this simple? Do you think that's kind of reawaken that conversation? I hope so, but I feel like it has definitely kicked off a conversation about no-fly and probably watchlisting in general. And I hope this conversation stays relevant.
Starting point is 00:21:10 And I kind of hope Congress actually talks about it, even though I'm kind of scared about what that will mean for like my public image. and slash how I'm getting treated on the internet. I'm very curious to see what comes out of this. Like, obviously, I would hope, like, for an end of, like, no-fly and watch listing. But I don't know how realistic that is. Probably not very... I feel like probably the most immediate consequences is better security protocols for securing the no-fly list. That's probably going to be...
Starting point is 00:21:41 Yeah. Yeah, I assume so. Apparently, like, that generally already changed in 20, like, a few years ago how that is supposed to be handled, but some airlines still for specific things like this case still don't use the new TSA APIs they're supposed to use. So I would assume the TSA will probably put the end to actually just handing out the list at this point. Yeah, it seems imprudent to put it in a CSV file. Yeah, it seems it seems less than ideal. And so, I mean, you know, you kind of discussed a bit the potential ramifications, but what is
Starting point is 00:22:16 the best case scenario, in your opinion, for what happens next in relation to the leak? About what happens next? I don't know, but I feel like it would be interesting to see this bring an end to no-fly, or at least limit some of like the broad tools TSA and the FBI currently have just like limit people from flying. I assume the best case scenario is that the Republicans draft some bill banning the Terrorist Screening Center from adding American citizens to the list or some silly thing like that, because that's like the best I can imagine. But I really hope we get past this because this is stupid, and especially given like apparently they're like currently working on like a UN-level no-fly list thing, which would obviously like make things even
Starting point is 00:23:04 worse, like for things such as like freedom of movement. And I feel like, I hope it kicks off a general discussion about like state surveillance and watchlisting especially. And so what about you? I mean, what's next for you? What's the next thing you're going to be bored and get up to? I don't have anything specific. There was something I was going to work on, but I feel like a bunch of companies who are like, wait, do we have a Jenkins server somewhere?
Starting point is 00:23:28 So the next thing that was going to be, my next story has in the meantime been secured. So that's not going to happen. So the Department of Energy can get some good sleep. That's all I'm going to say. Okay, well, where can people find your work? I'm _nyancrimew on Twitter, and my website is maia.crimew.gay.
Starting point is 00:23:49 And that's where people can find me. And I'm also nyancrimew pretty much everywhere else. So, I mean, before you go, I have to ask, what is a bingle? Why am I reading this everywhere? This is bingle. But it's basically just a nonsense word that started as an in-joke in the small Discord server I'm in. And I guess the internet collectively decided that this was the silliest thing someone could say after leaking the no-fly list. So that's just the meme now.
Starting point is 00:24:16 But yeah, it started as a nonsense word. It's still a nonsense word. It is now also the name of my Sprigatito plushy because the internet decided so. I mean, people can't see it, but yeah, that is a sort of stuffed cat. Am I getting it wrong? Yeah, it's a stuffed Pokemon cat. Also better known as Weed Cat. It's the Pokemon Sprigatito, but everyone probably knows it as Weed Cat or by now as Bingle.
Starting point is 00:24:42 So, yeah. Thanks for coming on the podcast, Maia. Yeah, you're welcome. I have had fun. Thanks for listening to another episode of the QAnon Anonymous podcast. You can go to patreon.com/QAnonAnonymous and subscribe for five bucks a month to get a whole second episode every week plus access to our entire archive of premium episodes. When you sub, you help us stay advertising free and editorially independent. For everything else, we have a website, QAnonanonymous.com.
Starting point is 00:25:07 Listener, until next week, may the bingle bless you and keep you. It's not a conspiracy. It's fact. And now, today's Auto-Q. There are reports tonight that a number of American citizens, including Americans who were at the Trump rally in January, the perfectly legal Trump rally in Washington in January, have been placed by this administration on the no-fly list, meaning they cannot fly domestically. We have not been able to confirm that. But if it's true, this is a turning point in American history. These are people, again, who have not been charged with crimes. If they have been prevented from traveling within their own country by the administration,
Starting point is 00:25:48 because the administration doesn't like their political views, that is not democracy. It's dictatorship. We ought to find out who's on the no-fly list, which American citizens are on the no-fly list, and why, and we should find out immediately. And by the way, if they turn out to be members of Black Lives Matter, if Black Lives Matter leaders turn out to be on that list, we'll be completely against that, too. Thank you. Thank you.
Starting point is 00:26:16 Thank you.
