Bonus Episode: Hacking Into the No Fly List with Maia Arson Crimew
We interviewed the 23-year-old Swiss hacker who got access to the No Fly List and leaked it to the media and other organizations: Maia Arson Crimew.
Subscribe for $5 a month to get an extra episode of QAA every week + access to ongoing series like 'Manclan' and 'Trickle Down': http://www.patreon.com/QAnonAnonymous
Maia: https://twitter.com/_nyancrimew / https://maia.crimew.gay/
Merch: http://merch.qanonanonymous.com
Music by Pontus Berghe. Editing by Corey Klotz.
Welcome to a bonus episode of the QAnon Anonymous podcast, an interview with the person responsible for obtaining and leaking the so-called no-fly list.
As usual, we are your hosts, Julian Field and Travis View.
We're speaking with Maia Arson Crimew, a hacker from Switzerland.
Welcome to the podcast, Maia.
Hi, I'm glad to be here.
For context, the No Fly List is a list of persons drawn up by the U.S. Federal Government's Terrorist Screening Center.
The people listed on it are prohibited from boarding commercial aircraft for travel within, into, or out of the United States.
It was first put in place by the Bush administration in 2001, in the aftermath of 9-11.
By 2011, there were 16,000 names on it.
By 2013, there were 47,000 names on it.
In 2018, Senator Dianne Feinstein suggested that the list had over 81,000 people on it at the time.
My, uh, the list you gained access to has approximately 1.56 million entries.
Right.
So even accounting for duplicates, name variants, aliases of the same person, that seems extremely high.
Yeah, I don't know what's going on.
Like, I'm gonna be honest, like that's part of why we were confused at first and started to just assume it's the But for that it was too small, because the Terrorism Screening Database is once again even bigger than that, which is also crazy.
We were going with the assumption that it's the Terrorism Screening Database and probably from 2022, because that's when the file was uploaded to the directory we got it from.
But then for some reason the airlines started confirming in every media request ever that it is the No Fly List and from 2019.
I don't know who's doing crisis communications for them, but they're great because they keep giving us No, we otherwise wouldn't have.
It is allegedly the actual no-fly list dated from 2019, and it has way more people in it than the government ever admitted to before.
Just to start, walk us through the hours you spent online that led to you obtaining this 2019 version of the no-fly list.
Directly on, like, the day I found this?
I don't know, maybe two hours?
Or, like, no.
Like, two hours until I, like, found the airline having data exposed, and then it took, like, another, like, two or three hours until we ended up just stumbling into the no-fly list.
Mostly because I just didn't look in the right place, not because I didn't have access to it.
I just hadn't looked at the right directory yet.
Yeah, so walk us through this stuff.
You can talk to us about Shodan and the Jenkins servers.
Right, yeah.
So basically, when I'm bored, I start looking through Shodan.
That's like Google, but if Google indexed smart toasters instead of websites, to explain it in a silly way.
You can search for servers and you can search for software that is running on servers instead of just web content.
And so yeah, I'm looking for Jenkins there and Jenkins is like software that is used to like test and build things while developing other software.
I don't know how well I'm explaining this.
I'm not good at dumbing down technical stuff.
But basically, a lot of companies are not very good at setting up Jenkins properly.
And it's often just like they're often just leaving their source code entirely publicly out to the open or credentials or passwords and everything.
So it's like a good way to kill boredom.
Because a lot of times you won't--
I won't find anything big.
But it will be like, oh, yeah, this is an interesting e-commerce software.
Let's just look at this for five minutes and then move on.
Yeah.
But yeah, so that day I was just like going through like small things, atting small companies on Twitter being like, lol, please secure your shit.
And then eventually I was just like, hey, that's some familiar words.
It was like just words like ACARS and crew and I was like, hey, that reminds me of like the mentor pilot videos I watch while eating dinner.
Where he talks about various flight systems, and I'm like, oh, yeah, this is, like, this is definitely aviation.
This is, like, probably something serious.
But I still wasn't sure, like, how much access I would get.
I was like, yeah, maybe I can just see, like, some log files, or maybe a bit of their source code, but like two minutes later I see that they have like hard-coded passwords everywhere and I'm like suddenly looking at live ACARS messages on like some server where they are transmitted, like not directly the communications between airplane and ground control but where the messages are then sent for further processing and aviation software.
So I just kept digging into the server and finding access to more and more of their aviation systems, like crew info updating.
I could have potentially changed crews for flight.
Very good stuff I should definitely just have access to.
And employee data and everything.
Eventually I had access to most of their servers on Amazon Web Services.
Because they're a little more than a bookstore nowadays.
As I always do when I do something like this, I start working together with journalists because I want to make sure this stuff actually gets out into the open and isn't just like...
swept under the rug when I report the issues.
So I started working with Mikael Thalen from Daily Dot and we looked at this together and then suddenly we were like, yo wait, we actually have the no-fly list, because I was at this point for like two hours trying to figure out how exactly they process the list, because I had access to like all the systems that it goes through but it was just nowhere to be found.
But suddenly we found that for testing their software they just left a copy of it inside their software repository and Okay.
There was just a copy of it there and it was put there in 2022, so we were like, oh yeah, this is a very recent copy from 2022, and we were gonna run with that, but then like an hour before the story got published we got like a statement from CommuteAir being like, yeah lol this is the real list but it's like outdated so it's not really that big of a deal, and it's just like, thank you for giving us the exact information we were just guessing about so far. But yeah, that's like the basic rundown.
So I'm told that the file that you discovered was literally titled nofly.csv?
Exactly.
Yeah, it's just a CSV file with 1.56 lines.
It apparently breaks Excel.
I've never opened it in Excel.
I just opened it in a text editor because like, yeah, but apparently Excel doesn't even display all the lines.
It's like too big of a...
CSV file, yeah.
So were all the files with, like, the employee data, or is that all just CSV files too?
Yeah, there was also an employee CSV file there, because the service this was for is where they compare all their employees, including non-crew, but just people who work at their hangar, people who do cleaning at their offices or whatever. They just compare all their staff to the no-fly list to see if anyone, even low-level office people, because if they are in the no-fly list, you can't work in an office.
So there is a good blog post, a bit about this on Papers, Please, who did a really good analysis of the list, who says, yeah, this is just mission creep. This started as just a list for banning people who were in immediate danger from flying, and it just grew and grew into, we need to do predictive things. The list isn't highly predictive. There are four-year-old kids on there. That's not someone who has done any terrorism yet, I assume.
It's just the mission creep of going from, yeah, this is actual terrorists we can't let on our planes, which to some degree makes sense as basic idea to just, this is a list of people we don't like, and they are not allowed to do anything anymore. You just can't get a job in anything, even vaguely aviation-related anymore if you're on any of the lists.
And so you're 23 right now, which means you were an infant when 9/11 happened and the no-fly list was first introduced.
So what led you to become what some call a hacktivist at this relatively young age?
I don't know.
I feel like it's hard to, in this day and age, not be in some way politicized.
And I mean, this wasn't, like, me specifically going for the no-fly list.
Even though, like, I heard about, like, the last time it got leaked in, like, 2021, and someone found, like, what is actually probably the entire terrorism screening database, and they just, like, didn't publish it, and I was like, no, this is, like, data researchers need to see.
So at the time, I was, like, briefly trying to specifically look for this to hand it to researchers.
So this is for once, actually, a thing I was like, yeah, I want to find this someday, and I actually did.
It just took some patience.
But so, what got you into hacking?
I mean, is this just something that you've done for a while now?
Yeah, I have been doing things that can be classified as hacking for a while now.
I come from an IT background.
I've always been interested in computer science.
I am autistic.
curious and I like to look into how things work. And I'm also political and get angry about stuff. So I feel like it was just kind of like, yeah, the things all culminated into me becoming a hacktivist.
You know, this isn't the first time that your work runs afoul of US law. Obviously, you're not at liberty to speak about the 2021 indictment by a grand jury in the Western District of Washington. But just broadly, you know, I mean, what was the focus of your hacking? And how come, you know, even though in 2021, this indictment happened, how come you decided to continue and, and I guess just accept that maybe you're not going to come to the States?
Yeah, I mean, I wasn't going to come to the States anyway.
Like, what would I do there?
But I feel like a lot of my work, just in general, in activism, is about freedom of information.
A lot of the big things I do that are highly publicized are often about surveillance, be it surveillance capitalism with what happened in 2020, Yeah.
about state surveillance and watch listing.
Yeah, those are kind of my focus points.
At the end of the day, I'm an anarchist and I would like to end the entire system, but I know that's not a realistic goal for one afternoon.
So yeah, I will just keep staying silly and combating my boredom.
I feel like what's also important to note is just that hacktivism and hacking doesn't automatically equal illegal.
I feel like it's more a question of morals than legality anyways at the end of the day.
He's the guy who works with Papers, Please, right?
So he's an author and human rights advocate, and he kind of listed three things that he thought this list that you shared with journalists and researchers confirm, which is that the TSA has issues with Islamophobia, overconfidence in the certainty of its pre-crime predictions, and, like you mentioned earlier, mission creep.
So, I mean, what do you think of this statement?
Do you think this kind of encompasses it, and could you maybe speak about those three aspects?
Yeah, I feel like that's important.
The thing, the very specific focus on it almost entirely containing people from very specific ethnicities, that's the first thing that jumped out to me when I opened this file.
It didn't surprise me, but it was still shocking to see just how right everyone's assumption was about how much of just a list of Muslim names it is.
Right.
I think Bellingcat has, like, made a statistical analysis of, like, the names, and I think it's literally, like, 75% of the names on the list are, like, of Muslim origin.
Which is just... That's wild.
That's, like, over a million people from the Middle East, and it's just... Yeah, I don't know.
And, like, I addressed Mission Creep earlier.
And what was the other point?
I already...
Yeah, it's entirely a list of people that the US assumes will commit a crime at one point, and they're so confident about this that they put more people on the no-fly list than on the list of people who get extended screening, and I think that is pretty wild.
They're so confident in their pre-crime assessment that they are willing to put people on no-fly instead of just enhanced screening.
Because I don't see why you should just... I generally don't see why you need to completely ban people from flying without questioning them if they haven't done anything.
On your website, you stated, quote, "While the nature of this information is sensitive, I believe it's in the public interest for this list to be made available to journalists and human rights organizations. If you're a journalist, researcher, or other party with legitimate interest, the data is available for access upon request via DDoSecrets." So how did you decide on this approach and how many people, I guess, have like inquired and been granted access so far?
Okay, so I don't know how many people have been granted access via DDoS, because that's a separate organization.
I'm not involved with them.
I just trust them to make the right decisions in that regard.
I personally, I had to start handing it out myself.
I'm pretty sure it's been like 50 or so organizations and journalists, and I have given it out to... I have gotten hundreds upon hundreds of requests.
Most of them should have random people being like, I know I am not like, I do not have a legitimate interest, but can I please have it anyway?
I'm a little silly.
And I totally get that because I'm curious as well.
And I would probably also send an email if someone else put up a blog post like that.
But yeah, I don't know.
It's very hard to know the number.
I did not have the energy to count while I spent the week answering emails.
Yeah.
And so why did you decide on this approach?
You know, rather than any other?
I feel like just making it entirely public would put people at risk that I don't want to take and also would put me at even more risk of like... Yeah.
At risks I don't need to take.
I don't want to like just dox people the US considers bad.
I don't know, like... It's watchlisting.
I don't want the watch list to be public because it is at the end of the day a list of people the US government considers bad and that can have like severe negative consequences for people on that list.
Be that with their local governments finding out they're on that list and using that as some sort of meaning of that person is a terrorist, the US decided that and they have better intelligence than we do, so like we're just gonna trust that.
I have actually gotten a request from someone who claims to be from Brazilian intelligence and being like, hey, we don't have the intelligence the US has, can you please give us the list, we would like to go round up some people, and it's just like, yeah, it's just things like that that... Yeah, I don't know.
I feel like it would have been irresponsible to just publish it.
I expect it's only a matter of time until it's gonna be end up on like some pastebin site or something, because yeah, that's how things go on the internet.
But I didn't want to be the person to put it out there.
I couldn't get that beyond me, but I still, like, I spent like a week thinking about this, of whether I should go with the very safe route and just not publish the list and just do that article and blog post and that's it.
But I feel like it's very important that this is something that's talked about.
I feel like the discussion that's already sparked is very important.
It probably wouldn't have been sparked if it weren't possible for researchers to access it.
And I'm very curious about what's going to come from it, from academic researchers, I'll give this to, where we're going to have to wait months or years to see the results of it.
But I'm very interested to see that.
Because what's already also been shown with things that I've heard from various researchers and journalists is that the list kind of also shows intelligence partnerships the US has.
Because you can see, for example, with Irish organized crime, there are a lot of Irish names on the list.
And a lot of them are people the US themselves clearly has, like, no interest in or, like, no reason to be interested in.
Like, why would the US be interested in boxing cartels in Ireland?
But, like, they're all on the list.
So you can start to make assumptions about who the US has, like, intelligence-sharing agreements with and who the US trusts enough to just put all the names directly on this list.
And I find that very interesting, what this is going to start showing just in general, like globally, like intelligence networks that exist.
As far as entries on the list and your discussions, I guess, so far with interested parties that got access, is there anything you found that's of particular interest?
I feel like just, yeah, the massive age range and the fact that apparently even being dead doesn't get you removed from the list.
Osama Bin Laden is still on the list. He cannot fly and I think we're all glad that he can't. But just in case he gets resurrected I guess.
The fact that there are such young people on there just starts to make me wonder whether just being related to someone or living in the same village as someone is actually just enough to end up on a list.
I specifically find it so wild how young some of the people on the list are. They are like eight now and were four at the time of the
Who knows how old they were when they were added to the list.
So among the long list of Arabic, Muslim, Latino, and Russian names, I believe those are like the kind of majority names in order.
Yeah.
There were some names of the white supremacist participants in the Charlottesville Unite the Right rally.
And so is that just, you know, the kind of screening list?
Does it bar them from flying?
I mean, what do you make of that?
I think most of them were just on the screening list.
They just get hassled at airports and I guess they now finally know why.
I feel like the fact that a lot of white supremacists already in 2019 were on these lists explains all the buses they always use.
Because, like, they always take buses to rallies across, like, half the country and I feel like that might have something to do with the fact that half of them can't fly anymore.
But I do find it interesting how apparently, like, white supremacists actually get added to these lists.
That is somewhat surprising to me, given the general US track record on things like that.
Yeah, I thought that was really interesting.
I don't know. It would have been very interesting to see a post-January 6 list, obviously, because the number of American citizens on there is probably significantly higher.
How has the public broadly reacted to this?
Obviously, you said there was a lot of requests, but you also have open DMs.
I'm assuming those are flooded and media requests.
Yeah.
How has it been?
I got way more attention from this than I ever expected to.
And I feel like a big part of that is because I kind of became like a trans femme Tumblr meme really quickly because people saw my blog posts and were like, this looks kind of silly.
I feel like that is where a lot of my current fame actually comes from, and not, like, the actual leak itself.
But that obviously, on the other hand, then resulted in more people finding out about this.
Like, some younger people even first hearing about the concept of a no-fly list existing.
Right.
The public reception has been pretty good so far, like, from what I have seen.
If we ignore the whole, like, queer discourse I accidentally started on Twitter, but we're not gonna talk about that.
So you have had some kind of reactions already from organizations.
I know the senior litigation attorney for the Council on American Islamic Relations, he said this, these leaks confirm that in response to 9-11, the FBI decided to build a Muslim registry.
There's definitely a very, very clear bias there.
Like trying to deny that there is a bias against Muslim people in this list.
I'm very excited to see how the US tries to do that in court.
But if they do actually get taken to court, there are various organizations who have talked about potentially opening a lawsuit, which I would be very excited for.
I find it interesting how this is happening at the same time from Muslim groups and activist groups, from more on the left side of the spectrum, I guess.
And at the same time, we have a Republican congressman talking about potentially drafting up legislation over this, which I find really interesting because you would assume the Republicans loved the no-fly list, but I guess after January 6, their opinion changed a bit.
Right.
And because currently Joe Biden is president.
But it's interesting to see because they're at the very least starting a congressional inquiry.
I didn't expect myself to ever kick something like that off.
Do you think this is just the fact that, you know, in some ways we've become numb as the surveillance state expands and it's like the realization that there's so many names and that this is how it operates, that it's this simple?
Do you think that's kind of reawakened that conversation?
I hope so, but I feel like it has definitely kicked off a conversation about no-fly and probably watchlisting in general.
And I hope this conversation stays relevant, and I kind of hope Congress actually talks about it, even though I'm kind of scared about what that will mean for, like, my public image slash how I'm getting treated on the internet.
I'm very curious to see what comes out of this. Like, obviously I would hope, like, for an end of, like, no-fly and watchlisting.
But I don't know how realistic that is, probably not very.
I feel like the probably the most immediate consequences is better security protocols for securing the no-fly list.
That's probably going to be it.
Yeah, I assume so.
Apparently like that generally already changed in 20 like a few years ago, how that is supposed to be handled.
But some airlines still, for specific things like this case, still don't use the, like, new TSA APIs they're supposed to use.
So I would assume that TSA will probably put an end to actually just handing out the list at this point.
Yeah, it seems imprudent to put it in a CSV file.
Yeah, it seems less than ideal.
And so, I mean, you kind of discussed a bit the potential ramifications, but what is the best case scenario, in your opinion, for what happens next in relation to the leak?
About what happens next, I don't know, but I feel like it would be interesting to see this bring an end to no-fly, or at least limit some of the broad tools TSA and the FBI currently have, just like limit people from flying.
I assume the best case scenario is that the Republicans draft some bill banning the Terrorism Screening Center from adding American citizens to the list or some silly thing like that.
Because that's the best I can imagine.
But I really hope we get past this.
Because this is stupid, and especially given, like, apparently they're, like, currently working on, like, a UN-level no-fly list thing, which would obviously, like, make things even worse, like, for things such as, like, freedom of movement.
And I feel like I hope it kicks off a general discussion about, like, state surveillance and watchlisting especially.
And so what about you?
I mean, what's next for you?
What's the next thing you're going to be bored and get up to?
I don't have anything specific.
There was something I was going to work on, but I feel like a bunch of companies were like, wait, do we have a Jenkins server somewhere?
So the next thing that was going to be my next story has in the meantime been secured.
So that's not going to happen. So the Department of Energy can get some good sleep.
That's all I'm going to say.
Okay, well, where can people find your work?
I'm @_nyancrimew on Twitter. My website is maia.crimew.gay.
And that's where people can find me.
And I'm also nyancrimew pretty much everywhere else.
So, I mean, before you go, I have to ask, what is a bingle?
Why am I reading this everywhere?
This is bingle.
But it's basically just a nonsense word that started as an in-joke in the small Discord server I'm in.
And I guess the internet collectively decided that this was the silliest thing someone could say after leaking the no-fly list.
So that's just a meme now, but yeah, it started as a nonsense word.
It's still a nonsense word.
It is now also the name of my Sprigatito plushie because the internet decided so.
I mean, people can't see it, but yeah, that is a sort of stuffed cat.
Am I getting it wrong?
Yeah, it's a stuffed Pokemon cat, also better known as Weed Cat.
It's the Pokemon Sprigatito, but everyone probably knows it as Weed Cat or by now as Bingle.
So yeah.
Thanks for coming on the podcast, Maia.
Yeah, you're welcome.
I had fun.
Thanks for listening to another episode of the QAnon Anonymous podcast.
You can go to patreon.com slash QAnon Anonymous and subscribe for five bucks a month to get a whole second episode every week, plus access to our entire archive of premium episodes.
When you sub, you help us stay advertising free and editorially independent.
For everything else, we have a website, QAnonAnonymous.com.
Listener, until next week, may the bingle bless you and keep you.
It's not a conspiracy.
It's a fact.
And now, today's AutoCue.
There are reports tonight that a number of American citizens, including Americans who were at the Trump rally in January, the perfectly legal Trump rally in Washington in January, have been placed by this administration on the no-fly list, meaning they cannot fly domestically.
We have not been able to confirm that.
But if it's true, this is a turning point in American history.
These are people, again, who have not been charged with crimes.
If they have been prevented from traveling within their own country by the administration because the administration doesn't like their political views, that is not democracy.
It's dictatorship.
We ought to find out who's on the no-fly list, which American citizens are on the no-fly list, and why.