Martin McKeay

Security Matters

A new boarding pass generator

You've probably heard about Christopher Soghoian and the fake boarding pass generator.  He's a PhD candidate specializing in security, and he created a nice little program to create fake boarding passes in an effort to show exactly how weak this particular security measure is.  It's not really news, since Bruce Schneier pointed it out over 3 years ago, but we had members of Congress calling for his head on a platter ... I mean arrest (later rescinded).  And he was visited by the FBI, twice.  The second time they came by his house they did quite a job of trashing it.  Oh, and they had his ISP shut down his web site and take the Northwest Airlines boarding pass generator offline.

But the Internet is a funny thing; once an idea is out there and has had a chance to catch popular attention, it's almost impossible for anyone, even the FBI, to stop its propagation.  A new fake boarding pass generator has been created, and this time it's self-contained and anyone can download a copy of the code to run on their own system.  It's a little bit of HTML and Java that doesn't require a web server and can be run locally or put on any web site.  The creator even put it in a tar'd file for easy download.  If the FBI shuts down this site, I predict we'll see multiple copies of the boarding pass generator up within hours.

This system of using self-printed boarding passes is broken.  Soghoian didn't do anything that a halfway intelligent terrorist couldn't have done.  But what he did do is point out that there's a problem with the system that makes it so porous as to be useless.  To refer to Bruce Schneier again, it's nothing but security theater, more about making the general public think the government is doing something than actually adding to the security at airports.  You could even argue that it's lessening security, because people are lowering their guard in the terminal since they think it's secure.  It's like the old network model of having a firewall to protect your network and nothing else; a hard crunchy outside and a soft chewy center.  Once you're past that hard shell, you're pretty much free to do what you want.

Speaking of which, that hard, crunchy outside?  It isn't really all that hard after all; in its own testing the TSA failed 20 out of 22 tests recently.  Doesn't that make you feel more secure?
