HOLY F*CKING BINGLE!
be gay, do crime with crimew
The plan has always been for Queer Computer to be a semi-regular affair, but alas, it’s been 3 months since my last post. I had considered logging on to discuss the whole Elon Musk/Twitter debacle, and I even wrote a few words that amounted to “Twitter has always sucked and now it is suckier”. However I didn’t publish this hot take because it didn’t feel very hot — it was lukewarm at best.
But holy fucking bingle, maia arson crimew has pulled me back onto my Queer Computer bullshit.
Who the hell is crimew?
maia arson crimew is a (self-described) ‘indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten’; pronouns: it/she. There’s so much to unpack here, so I’m going to break it down one by one:
indicted hactivist/security researcher: maia is a Swiss developer and computer hacker who was indicted in 2021 by the US Justice department for conspiracy to commit computer fraud and abuse, wire fraud and aggravated identity theft. She is unable to leave Switzerland at risk of being arrested and extradited to the US. If charged, crimew faces up to 20 years imprisonment.
artist: I’ve been listening to its Soundcloud while writing this post and I feel sufficiently gay and ready to do crime.
mentally ill enby polyam trans lesbian anarchist kitten: woah okay! Hold ya horses — I’m not qualified to break this down. On a recent episode of the podcast Gender Reveal maia said that she identifies as a girl ‘but like in a kitten way, not in a lady way’, and that ultimately their goal is ‘to topple the system and to overthrow capitalism’. Cool. Also maia allegedly has 9 girlfriends.
Okay, so what did ‘it’ do this time?
On 19 January 2023 crimew published ‘how to completely own an airline in 3 easy steps’ on their notably cute af website. The blog post details the steps she took to hack into a server belonging to CommuteAir — a regional US airline.
It all started when maia was bored and scrolling through Zoomeye (a Chinese version of Shodan). This is a search engine that indexes devices connected to the internet and makes them searchable — allowing users to find and potentially access internet-connected devices and servers almost as easily as using Google. For example, I could theoretically use Shodan to search for internet-connected security cameras that have weak or easily guessable credentials. Or, as maia did, search for servers that are running vulnerable or misconfigured versions of software such as Jenkins. (Jenkins is an open-source automation server that allows developers to build, test, and deploy software projects.)
So, maia found an exposed Jenkins server belonging to CommuteAir and gained access to the airline’s build workspaces — a directory of their source code, build logs, and configuration files, as well as access to their Navblue APIs. Navblue is a provider of digital solutions for the aviation industry. Navblue's APIs allow developers to integrate flight planning and crew management systems. So she could say … cancel or reschedule a flight, swap out crew members, redirect planes for refuelling. Some pretty hardcore stuff.
Further digging leads maia to the personal information of CommuteAir crew members, including their full names, addresses, phone numbers, passport numbers, pilot licence numbers, everything. This is known as PII — Personally Identifiable Information — which organisations are legally bound to protect. In the context of hacking, PII is used for identity theft, financial fraud, and spear-phishing.
But the real jackpot of this hack was that the server was cross referencing the airline’s crew members against America’s no-fly list. And after some more sleuthing maia found the spreadsheet named “NoFly.csv” — a reference list to individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organisations.
holy shit, we actually have the nofly list. holy fucking bingle. what?! :3
The spreadsheet has over 1.5 million lines of names, birthdates and aliases of people barred from flying, and maia also found a smaller seperate spreadsheet of people who are subject to extensive security checks before flying. I won’t go too deep into the implications of this leak as it’s beyond the scope of Queer Computer, but from what I’ve read, the key takeaways from journalists and researchers have been that:
the list predominately contains names that appear to be of Arabic or Middle Eastern descent;
the youngest on the lists are four-years old — suggesting a disturbing reliance on pre-crime predictions;
the list points to a massively bloated watchlisting system in the US that stigmatises people arbitrarily without any meaningful process to challenge government error.
Here’s a link to the Daily Dot who originally broke the story for more on this.
The world has gone bingle
So this really blew up. When maia published the blog post she had a little over 2,000 Twitter followers, 3 days later it skyrocketed to over 27,000 followers, and now she’s sitting at nearly 80k.
There was, of course, Twitter discourse over its identity: can you really be a queer lesbian trans enby it/she polyamorous anarchist kitten hacker? To this I say, ‘yeah, who cares’. Some people have weird genders and confusing sexualities … and animal fixations too … I’m not going to call myself an it/he puppy anytime soon but honestly, what does it matter if I did. Woof woof. It doesn’t seem to bother maia’s polyam army of 9 girlfriends, the TikTok creators who made her trend and the insane amount people who made fan art on Twitter and Tumblr #MAIABINGLEART.
One last thing — maia gives some context to the whole ‘holy fucking bingle’ thing in this Twitter thread.
tl;dr: it was just a nonsense inside joke between friends that went viral. The word ‘Bingle’ became associated with her Pokemon plushie due to their close proximity in her original blogpost. The internet is a strange and wonderful place.
Thanks for logging on to Queer Computer, it’s great to be back! If you liked this post, please consider sharing it and subscribing.
I’ll be back in your inbox next week … I swear!