1/6
The Lucerne hacker Tillie Kottmann (23) is again in the sights of the US authorities: the young Swiss woman has gained access to the US no-fly list on an unsecured server.
Daniel KestenholzEditor night duty
A Swiss hacker discovered the US Transportation Security Administration’s (TSA) no-fly list on an unsecured computer server on Friday. The names of around 1.5 million known or suspected terrorists were publicly available. The data leak caused waves in the USA. Politicians are calling for a congressional investigation. Because whoever is on this list has to endure drastic checks or will not be allowed on a plane in the first place.
The hacker is a 23-year-old from Lucerne, Tillie Kottmann, who goes by the pseudonym Maia Arson Crimew. Also known as Crimew for short, Kottmann has published confidential data from US authorities and companies in numerous cases. In the United States, the young man, who now lives as a woman, is threatened with an arrest warrant. Kottmann is said to be behind the hack of over 150,000 surveillance cameras by the US company Verkada in March 2021.
According to her own statements, Kottmann deliberately exceeds the limits of the law – to identify security gaps and to make public data that she believes are of public interest, as Kottmann explained to “Swissinfo”. She cracked the flight list “out of boredom,” writes Kottmann on her blog.
Case for the US Congress
The hacker is now under renewed scrutiny by US authorities after she revealed last week that the identities of hundreds of thousands of people from the US government’s database for terrorism screening were publicly available.
The list of hundreds of thousands of terrorist suspects is causing unrest in the United States. “Apart from the fact that the list is a civil rights nightmare, how was this information so readily available,” Republican Rep. Dan Bishop (58) wrote on Twitter.
According to Bishop, Congress will have to investigate the disclosure of the data, as reported by CNN.
Hacking instructions published
In addition to confidential company and employee data, the unsecured server operated by the US airline CommuteAir also made an 80-megabyte file called “NoFly.csv” accessible. It refers to a subgroup of people in the so-called “Terrorist Screening Database”. The named individuals are banned from air travel due to suspected or known links to terrorist organizations.
Kottmann publishes all the relevant data and the exact instructions on how she “cracked” the confidential data in her blog. On Twitter, she linked to a post entitled “How to take over an airline completely in three simple steps – and crack the TSA no-fly list at the same time”.
According to Kottmann, the list contains more than 1.5 million entries. The data lists both names and dates of birth as well as pseudonyms. Several well-known people are on the list, including recently freed Russian arms dealer Viktor But, 56, for whom more than a dozen aliases are listed. Alleged members of the Irish IRA are also listed.
House search at the request of the US authorities
“For me it’s just crazy how big the ‘Terrorism Screening Database’ is,” explained Kottmann. With the “millions of entries, there is a clear trend towards almost exclusively Arabic and Russian-sounding names”.
Hina Shamsi, a civil rights activist from the American Civil Liberties Union, quoted US media as saying that over the past 20 years, a disproportionate number of US citizens who are Muslim or of Arab, Middle Eastern or South Asian descent have been placed on the surveillance list. “Sometimes it’s people who have a different opinion or who are considered unpopular. We’ve also seen journalists on watch lists.”
Kottmann has offered to cooperate with the US authorities. “I’m available for comments,” she wrote on Twitter. Kottmann was indicted by a US jury in March 2021 for alleged hacking activities between 2019 and 2021. At the request of the US authorities, the Swiss police searched her home and that of her parents and confiscated computers.