by cyberlurker on 8/18/21, 5:20 PM
> “The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime,” Diachenko wrote. “In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”
I’m curious how many journalists are on the list. Now that we are pulling out of Afghanistan, we should reevaluate the other actions we took after 9/11. The Patriot Act deserves another look and possible edit.
by Rd6n6 on 8/18/21, 5:21 PM
Wikipedia says the no fly list only had 47k people on it. The terror watch list had about 1.9M though, so this must be the terror watch list.
1.9M people is a massive number of people
> The No Fly List is different from the Terrorist Watch List, a much longer list of people said to be suspected of some involvement with terrorism. As of June 2016, the Terrorist Watch List is estimated to contain over 2,484,442 records, consisting of 1,877,133 individual identities.
https://en.m.wikipedia.org/wiki/No_Fly_List
by Joker_vD on 8/18/21, 5:44 PM
You know, I can understand why the Terrorist Watch List is secret ― but not why the No Fly list is. If there is a list that governmental agencies and/or commercial companies are obliged to check you're not on before providing you with their service, then surely such a list must be public or, at the very least, one should be able to easily inquire about whether he/she is on it or not.
For a related example, the Russian government maintains a list of banned Internet resources. The list is not public — at least in theory — but there is an official web site where you can input a URL or a domain name and it would respond either with "no, it's not on the list", or with "yes, it's on the list, here's who ordered it and when".
by scrps on 8/16/21, 6:55 PM
>The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime.
"In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."
I'd imagine being on a list that limits your personal freedom without being charged with a crime and convicted falls pretty squarely within the definition of being oppressed & persecuted before even considering any second order effects of the list being leaked.
by ClumsyPilot on 8/18/21, 5:25 PM
As expected, it is only a matter of time until all the intensely private data collected by the NSA and pals is leaked or stolen and used by criminals for fraud and extortion.
by r1ch on 8/18/21, 8:02 PM
It's amazing how many hacks and data breaches all come down to dangerous default settings. Elasticsearch defaulted to no security, anyone hitting the IP has full access to the cluster. MongoDB is another infamous example. Even today, one of my sites is being DDoSed by a bunch of 2007-era Ubiquiti network devices which use ubnt / ubnt as the root login and naturally got exposed to the internet. Bad defaults linger for a long time.
by WrtCdEvrydy on 8/18/21, 5:08 PM
I wonder if this will end up on haveibeenpwned?
"The FBI leaked your name as a terrorist"
by gjsman-1000 on 8/18/21, 5:43 PM
Just an hour ago I was having a dialogue with someone on Hacker News saying we needed a national ID system after the T-Mobile hack. I said that the US Government should not be trusted to be any more secure than T-Mobile with such a system.
I rest my case.
by int_19h on 8/18/21, 9:13 PM
What really bugs me about these lists isn't just that they exist, but that there's continuous clamoring to expand the scope in which they are applied. For example:
https://www.theatlantic.com/politics/archive/2015/12/no-fly-...
So, basically, politicians have found it to be a convenient tool to skirt due process concerns in general when pushing for their favorite agenda.
by raxxorrax on 8/17/21, 2:39 PM
It is amazing what the hunt for terrorism has done to modern countries. They only look fearful and weak, exactly what professional terrorists always wanted them to be.
Anyone who knows bureaucratic behavior knows that even in the absence of real terrorists, people will find their way onto lists like these.
I hope the lists will leak to a wide audience. Find the cases that are wrong and sue those responsible behind the desks. This is the only way this can stop.
The website is extremely horrible. Did use a dev browser without adblock. Grave mistake.
by criticaltinker on 8/18/21, 5:01 PM
> [cybersecurity researcher Bob Diachenko] was able to find about 1.9 million records detailing individuals’ no-fly statuses, full names, citizenship, genders, passport numbers, and more.
> “it seems plausible that the entire list was exposed”
by nurgasemetey on 8/18/21, 5:24 PM
Out of curiosity, how can I search myself?
by jl6 on 8/18/21, 5:23 PM
Would love to know how the FBI dealt with transliteration deduplication of non-Latin names, cf. the many spellings of Muammar Gaddafi. Although I guess they would just use whatever’s on the passport?
by _moof on 8/18/21, 8:03 PM
"In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."
Teetering on the brink of an epiphany.
by voldacar on 8/18/21, 11:33 PM
So somebody found the terrorist watchlist and didn't upload it anywhere or start a torrent, but instead took some screenshots and gave vague descriptions of the data to journalists?
I'd like my reality unmediated, please
by thepasswordis on 8/18/21, 6:55 PM
Suggestion:
Take the Facebook leak from earlier. Create hundreds of collections of 1.9M people. Release it to the dark web.
Just flood the zone with noise. The FBI can still keep their list (and know it’s legit), and people's privacy will be ensured.
Otherwise this is going to 100% get integrated into various social credit systems we have in the US.
by smitty1e on 8/19/21, 12:45 AM
Among the basic concepts of American Civil Rights used to be the Sixth Amendment right to confront accusers.
Legal weenies may engage in mental gymnastics to rationalize the evil of no-fly lists.
They deserve the receiving end of their perfidy.
by Ceezy on 8/18/21, 5:29 PM
These people are morons! They claimed to be crème de la crème and watch. A few years ago they wanted to force Apple to create a "secure backdoor". Hope we're gonna get more details.
Sorry for the rant
by tomc1985 on 8/18/21, 7:50 PM
Elasticsearch is like the security breach gift that keeps on giving...
by hughrr on 8/18/21, 6:23 PM
Awaiting future headline
“Secret CSAM hash list leaks online”.
Keeping lists secret appears to be something the human race is really really bad at.
by woodruffw on 8/18/21, 8:17 PM
> Additionally, the researcher noticed some elusive fields such as "tag," "nomination type," and "selectee indicator," that weren't immediately understood by him.
I'm not sure about the others, but "selectee indicator" might be whether the individual is on the Selectee list used for SSSS flagging[1].
[1]: https://en.wikipedia.org/wiki/Secondary_Security_Screening_S...
by thephyber on 8/19/21, 2:40 AM
I’m curious if anyone who is on the leaked list now has standing in court to litigate their status, whereas they could not prove their status/data before.
One of my biggest complaints with national security programs is that they tend to argue that transparency (even to the voters and elected representatives whom these programs ostensibly protect) threatens the program. Sometimes when leaks happen, it gives the citizens a tool they didn’t previously have to challenge those programs.
by outworlder on 8/18/21, 7:50 PM
"Misconfigured Elasticsearch cluster"
Doubly so. No passwords _and_ it was exposed. There's no real reason to ever directly expose a database to the internet for 0.0.0.0/0. Heck, there's no reason to expose to any routable address.
Yeah sure zero trust or whatever. Still, why even risk it? Layers.
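r1ch's point about dangerous defaults and outworlder's point about an unauthenticated cluster bound to every interface both come down to a couple of lines in elasticsearch.yml. As an added example that is not part of any comment here, this Python audit flags exactly that combination on constructed sample configs; the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings, the flat key/value parser and the sample values are assumptions for illustration.

```python
"""Audit an elasticsearch.yml fragment for the two settings that turn a
cluster into an open database: a bind address reachable from off-host and
X-Pack security left disabled. Added example, not code from the article.
Assumption: the file uses only flat `key: value` lines (no nested YAML)."""

# Values of network.host that keep the node on the loopback interface.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}

# Constructed sample configs (not from the leaked cluster).
WEAK_CONFIG = """
cluster.name: example-cluster
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
"""
HARDENED_CONFIG = """
cluster.name: example-cluster
network.host: 10.0.3.7         # private subnet address only
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text: str) -> dict:
    """Parse `key: value` lines; strips comments and quotes, ignores nesting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(config_text: str) -> list:
    """Return findings, most severe first; empty list means nothing flagged."""
    cfg = parse_flat_yaml(config_text)
    findings = []
    host = cfg.get("network.host", "_local_")  # unset binds to loopback only
    exposed = host not in LOOPBACK
    # 7.x-era default is disabled when unset; 8.x turns it on automatically.
    security_off = cfg.get("xpack.security.enabled", "false").lower() != "true"
    if exposed and security_off:
        findings.append("CRITICAL: bound to %s with no authentication; anyone "
                        "who can reach the port has full cluster access" % host)
    elif exposed:
        findings.append("WARN: non-loopback bind %s; confirm a firewall or "
                        "private network limits who can reach it" % host)
    elif security_off:
        findings.append("WARN: security disabled; any local process can read "
                        "or modify every index")
    if not security_off and \
            cfg.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("INFO: HTTP TLS disabled; credentials travel in cleartext")
    return findings
```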
by commandlinefan on 8/18/21, 8:21 PM
At least last time I looked at it, ElasticSearch is shockingly insecure by default (as are Mongo, Cassandra, Hadoop, and everything else that's popular in the relatively recent Java ecosystem).
by ransom1538 on 8/18/21, 6:22 PM
Can someone post the list?
by throwaway4688f on 8/18/21, 6:24 PM
Where is the torrent, dammit? Internet ain't what it used to be.
by sonicggg on 8/18/21, 6:08 PM
Where is this alleged list then? Very convenient that this guy is not disclosing a link to this supposed leak. I think someone wants notoriety.
by mygoodaccount on 8/18/21, 8:08 PM
Did some perusing - can't find it anywhere you'd normally find these things. Let me know if anyone does!
by afrcnc on 8/18/21, 9:55 PM
by trident5000 on 8/18/21, 8:27 PM
Once government agencies are given approval from Congress they typically have very little oversight from that point on, including from Congress. It's why we get abusive behavior from so many of them.
NSA: Prism
DEA: Asset forfeiture
FBI/CIA: Abusing FISA and using Five Eyes to spy domestically
IRS: Political targeting
etc etc etc
by readonthegoapp on 8/20/21, 7:50 AM
I figure the FBI is using ES, with all its default insecurity and RCE features, as a honeypot.
by londons_explore on 8/18/21, 8:25 PM
With 1.9 million people, there must be plenty of people here whose data is in this list.
Any of you care to comment?
by tester756 on 8/18/21, 8:08 PM
Why does "misconfigured" Elasticsearch appear this often as the reason?
by thepasswordis on 8/18/21, 6:53 PM
So this is definitely going to be used for character assassinations right?
by 1023bytes on 8/18/21, 7:12 PM
Perhaps yet another unsecured MongoDB?
by alexfromapex on 8/18/21, 6:43 PM
The fact this wasn't protected by a VPN is amazing
by SevenSigs on 8/19/21, 12:43 AM
Where can I get the list? This should definitely be public (unless they just put random people on the list).