Bereits 2021 ist maia arson crimew als Teil einer Gruppe von Hacker*innen (APT-69420 Arson Cats) mit dem Verkada-Hack aufgefallen. Damals waren noch Sicherheitskameras einer cloud-basierten Firma das Ziel, letzte Woche war es die "No Fly List", über die maia mehr oder weniger aus Langeweile gestolpert ist. Beim neusten Fall ist einiges anders abgelaufen, und zwar besonders die Dinge, die nach dem Hack passiert sind: Das Internet reagiert diesmal mit Memes auf maias Fund und plötzlich meldet sich auch der Brasilianische Geheimdienst bei der Hacker*in. Was bleibt sind viele Schweizer Medien, über deren Berichterstattung maia immer noch ab und zu enttäuscht ist.
Wenige Tage ist's her, seitdem Luzerner Hacker*in maia arson crimew die US-Amerikanische "No Fly List" gehackt hat. Die Liste stammt aus dem Jahr 2019 und beinhaltet über 1.5 Millionen Namen, welche weder in den USA selbst noch über dessen Landesgrenzen fliegen dürfen. Diese Liste entstand zum ersten Mal nach 9/11 – und wurde seither immer wieder erweitert. Heikel ist die Liste deswegen, weil damit unter anderem ersichtlich wird, wen die USA als gefährlich einstuft.
"Ich bin jetzt ein transfem Meme und ich weiss nicht, wie das passiert ist"
Wie maia an das geheime Dokument gelangt ist, hat es in einem Blog auf der eigenen Website nachgezeichnet. Was daraufhin passiert ist, sind Memes auf Tumblr und Reddit, Artikel in Online-Magazinen und Zeitungen, und Interviews in diversen Podcasts. Warum es dieses Mal zu einer so grossen Resonanz in den traditionellen und den Sozialen Medien kommen musste, hörst du im Interview. (Kein Bock auf Hören? Das ganze Gespräch gibt es auch weiter unten zum Lesen.)
Interview als Podcast (Deutsch)
Für die Lesekätzchen (Englisch)
(Das Interview wurde aus dem Schweizerdeutschen auf Englisch übersetzt.)
Trojaner: You stumbled upon the server from the airline “CommuteAir” (and thus upon the No Fly List) by browsing through [the search engine] “Shodan”. Do most of your afternoons start by cracking open a monster energy and clicking through sites like these?
maia: Kind of. But a bit less than before. I’m trying to take more care of my mental health, which is difficult at the moment with all the [media] attention I’m getting. Hacking-wise, I’m taking things easy right now.
So yes, some afternoons when I’m bored and chilling on the couch with my girlfriend I’ll click through some sites. It’s quite normal for me – but then, on one “normal afternoon” you’ll find your biggest story of 2023.
Trojaner: What’s the most entertaining part of clicking through, in this case, exposed “jenkins” servers?
maia: The fun thing about jenkins is that it’s really easy to find big things as well as small, funny shit. There are a lot of things published on the internet, which weren’t intended to be as accessible as they are. And it’s actually astonishing how much random software source code you’ll find after a quick five-minute look around.
Trojaner: While digging around the CommuteAir server you recognized the term “ACARS”. Did you know right away that you found something big or was it more of a “shot in the dark” moment?
maia: At that point I just knew that it was something about an airline or aviation in general. However, I did understand pretty early on that finding ACARS was newsworthy. Of course, at that point I couldn’t have known how big of a news story it would eventually turn out to be.
I started looking for journalists that would be interested in further working with me on this project. I usually contact journalists the moment I’ve hit something big - just so the hack can go public and won’t be covered up.
I continued working on the hack and gained full access on their AVS server structure as Mikael Thalen, a “Daily Dot” journalist, confirmed that he would publish my findings. But at that point I hadn’t found the list yet.
Although I found a project named “No Fly List compare”, I didn’t really think that the list would be in there. I only found out that they always delete the list as soon as it gets edited.
Trojaner: However, you eventually found the No Fly List. How did you feel when, and I quote your blog, “the aviation shit got serious”?
maia: Yes, the aviation shit really did get serious. The reason I didn’t find the list right away was that I had never checked the test directories! Because why would the actual list be in the test directories, right?
Well… I talked about it with Mikael and he quickly clicked through the test directory and was like: “Hey, I found the No Fly List!”. And I was like: “What, where?! I’ve been looking for it for the past two hours! How did you manage to find it in two minutes?!”. In the end it was just because he clicked on some folders that I hadn’t checked before… and there it was.
It's funny actually… I don’t really have a lot of specific goals as to what I want to accomplish, hack or publish. In 2021, I read about someone who had found the No Fly List but didn’t end up publishing it. Since then, I always thought in the back of my head that I wanted to find it one day.
And now we’re here.
Trojaner: So, at the end of the day, was this one of the few projects that you have really planned on achieving?
maia: Well, I wasn’t really going at it with a plan, but it was indeed a goal of mine to achieve this one day.
Trojaner: How far has the story [about the hack] spread by now? What has been the funniest medium that has contacted you?
maia: I got a message from «Weltwoche» today – from a literary journalist and I don’t know why the literary journalist from «Weltwoche» is contacting me. I don’t know what kind of funny answer I want to give them yet, because I don’t actually want to give them my statement. Other than that, the newspaper about conspiracy theories «Epoch Times» has also contacted me – pretty much everyone has messaged me by now. The thing is: I’ve created a public e-mail, which you can message if you want access to the [no-fly] list.
Oh right, I just remembered the craziest message I’ve gotten! Two of them have been from the Brazilian Secret Service – they said they wanted the list to also have account of the terrorists that the USA seemingly knows about. I obviously didn’t hand them the list – I’m not going to give data to the secret service. The moment I clicked on that mail and saw that the sender was some sort of government e-mail, and the message said something along the lines of “hey, I’m from the secret service” I was like “what the fuck? My life a movie for real.”
Trojaner: I’m going to add onto this: In your blog you’ve said that people could contact the mail and that you would share the list if the person or medium receiving it would do good with it. How do you decide on whether someone is going to use the list appropriately, or with whom you were to share the list?
maia: It really depends. On one hand, I’ll be quick to share the list if it’s a pretty well-known media company that you know is going to work well with investigative stuff. Same with academical things – as long as the request comes from an actual academic mail, because, hey, it’d be really cool if I suddenly were to be cited in academical papers.
Then there are other requests where I have to think about whether I have the energy for them. But on multiple occasions I have shared the data with some high school newspapers, or have also given a comment or an interview on the topic, because I don’t mean to gatekeep! I just want to be sure that the data won’t be completely publicized and have it get used in a negative way. Especially then I want to try to give a chance to student journalists.
Trojaner: Do you feel like the media reports about the course of events regarding the hack are accurate?
maia: I think because I did a technical blog post about the hack (which I’m really glad I did), the reports about the hack are pretty accurate. In the past I didn’t really have the energy to write technical blog posts about my hacks. This time the journalist I was working with (Mikael Thalen) told me that it would be cool for me to do something like that and really pushed me on that matter.
Another upside to this is that I have to answer a lot less interview questions about the way that I had gained access [to the No Fly List]. Because everyone can just read about it on my blog.
In the past, news outlets would contact me just to have me confirm a quote that I had once given to another news site - just so that they wouldn’t have to quote another news site in their article. It’s funny how journalism works like that.
Trojaner: Are there things that really bother you about the current news reports?
maia: In Switzerland? Yes! The Swiss media seem to need countless confirmations from me about my name change. Even SRF needed a reminder. They’ve changed it by now – writing a comment about it on their Instagram post seemed to reach them, funnily enough. The fact that the Swiss media is 10 years behind on this makes me really angry.
Especially because I communicate very clearly (even on my Wikipedia page) that it’s ok to use my dead name if they’re talking about my hacks from the past to try and make a connection with current events that way.
But with Swiss media I have to answer every request by telling them to please stop using my dead name the way that they do.
And then we have the best example with nau.ch who deadname me in their article with the addition of: also known as “maia arson crimew”.
That’s my real name! My legal name is maia arson and that’s cool! Please call me that! I really think that Swiss media genuinely have a problem with calling me “maia arson crimew” because they think it’s funny or because it’s in English.
US media, however, don’t seem to have any problems with it. Even CNN used my correct name, and the Swiss media can’t get it right even though it’s the name written on Wikipedia! That’s next level transphobia.
Trojaner: You only needed one day to find most of the information regarding the [No Fly] list. Were you suprised that it turned out to be this easy?
maia: Not really. Most of the time it’s way too easy. That’s the story which is consistent in my discoveries, and that’s also why many people accuse me of not being a real hacker. But, at the end of the day, this is the right way to this craft: to know how to do these things the easiest and fastest way. It still shocks me how little effort it takes to completely own an airline.
Trojaner: So, is it normal that such confidential information is so simple to obtain?
maia: Yes. It shouldn’t be that way, but it is, because you can save a lot of money if you neglect your security.
Trojaner: Now this No Fly List is in your hands. This has created a big stir not only in Switzerland but around the whole world. How did the internet react to all of this?
maia: At first, only the security community and aviation community showed interest in this. They said: «Oh that’s sick!» Then I received more and more requests from journalists… and eventually tumblr found my blog. [Users] took screenshots of my blog [where I’d written the whole story down in a quite silly way]. From there on out, I was all over the internet and also on the reddit homepage. The whole of tumblr has been fangirling about me since then, and somehow I have over 50 000 followers on twitter and am a transfem meme now. But I think it’s funny that this has gotten me more fame than what I had done originally.
Meanwhile, there’s a whole queer discourse about my identity on twitter. So, everything is going according to plan and I’m famous… somehow, because I’m a meme now (laughs). This is just funny to me because every time someone says: «Oh you’ve gotten so many followers because of this!» On one hand, yeah, that’s true in a way, but on the other hand, it’s also collateral. Because it’s more about me being queer and silly and about the way that I had posted a picture of my plushie in my blog, and not because of my discovery of the No Fly List.
I can just open TikTok and on my own for you page there will be videos about me showing up. It’s very bizarre.
It sounds a bit weird when I say this myself, but: I was already somewhat famous (because people knew who I was) but now I also have the clout. It’s just weird!
Trojaner: Although so many people now know about the No Fly List and about you on the internet: Did you gain something from all this for yourself as well? You don’t earn money with your actions, as far as I know.
maia: Well, this time I’ve put up a more official way for people to give me donations. Because of this, I’ve gotten some money this time. Especially through the «holy fucking bingle» merch I’ve made. (Which is absolute low effort bullshit, because it’s also a totally low effort meme.)
So, I also got some money out of this. But that wasn’t the goal in the end. It’s still nice because I don’t really have money and no job, so this is always appreciated.
Other than that: This is activism. I don't do this for myself, but for a greater fight.