[Ed: The technique outlined in this blog post was also documented by a journalist at Slate last year. See: http://www.slate.com/id/2113157/
The only way for these kinds of problems to get fixed is through public full disclosure. TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so.]
Shortly after 9/11, the airlines introduced a very reasonable security check (amongst a bunch of other stupid ones): They started checking ID at the gate.
It's really important to note why this is good. You see, when they scan your boarding pass, the screen will either beep yes, to tell them it's valid, or beep no, and tell them that it's a bogus pass. They'll be able to look on their terminal, see the name attached to the booking reference, and check it against the ID in front of them (OK, they rarely did this, and instead checked the name on the boarding pass - but at least they had the potential to do it correctly).
However, checking the ID of 300 passengers when you're trying to fill up an airplane can lead to considerable delays, and thus, once the hysteria of a few terrorists armed with X-Acto blades had calmed down, the airlines did away with this requirement, and instead offloaded it to TSA.
Herein lies the problem: TSA doesn't have access to the airlines' computer systems. Thus, they have no real way of knowing if a boarding pass is real or not. All they can do is verify that the name on the piece of paper (which may or may not be a boarding pass) matches the ID they have been given.
This situation is made even worse when you consider the fact that you can print your own boarding pass online at home. This is often a bunch of text/HTML, with one or two images (a barcode, and perhaps an airline logo). It is trivially easy - as in, 20 seconds with a text editor, and not even requiring you to open Photoshop - to open it up, and change the name.
And thus, I introduce a perfectly valid method for a terrorist, known to the government and already on the domestic no-fly list, to board a US commercial flight.
Step 1. Purchase an airplane ticket in the name of "George P. Watkins".
Step 2. Check-in online the night before, and print out your boarding pass online.
Step 3. Save as HTML, edit the boarding pass code, and change it to your real name, "Ali Terrorist".
Step 4. Print both boarding passes - the one which lists your real name, and the one with the name that the ticket was actually purchased under.
Step 5. Go to the airport the next day with both boarding passes.
Step 6. Present your real driver's license and modified boarding pass to the TSA checkpoint officers. Note that as they do not have access to a computer, they cannot check you against the no-fly list, nor can they even verify that the name on the piece of paper matches the booking in the airline's reservation system.
Step 7. Clear security (after being frisked 5 times for looking Middle Eastern).
Step 8. Wait patiently at the check-in counter, and when the gate agent announces that it is time to board:
Step 9. Hand her the original boarding pass (with the fake name), which should scan perfectly, and should she even look at the computer, she'll see that the name on her screen matches the name on the boarding pass. She won't ask you for ID (as TSA already performed that task), and thus will let you on the plane.
Step 10. Board the plane, and do whatever nasty stuff you intend to do.
This is insanely easy, and unfortunately, will work.
The reasons for this massive security hole:
1. TSA agents cannot verify the authenticity of boarding passes.
2. TSA agents cannot access the airline's reservation systems, nor do an on-the-spot lookup of the ID presented to them against the no-fly list.
3. Boarding passes are not tamper evident. One can easily edit them at home.
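One way to close reasons 1 and 3 is to make the pass itself verifiable at the checkpoint. The sketch below is an added example, not anything the airlines or TSA run: it assumes the airline puts a keyed MAC over the name, booking reference, flight and date into the barcode, and that the checkpoint scanner holds the verification key (a public-key signature would avoid sharing a secret). All field names, the key and the sample values are constructed.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real system would provision and rotate keys.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
FIELDS = ("name", "booking_ref", "flight", "date")


def _canonical(pass_fields):
    # Length-prefix each field so text cannot be shifted between fields.
    parts = []
    for key in FIELDS:
        value = pass_fields[key].strip().upper().encode("utf-8")
        parts.append(len(value).to_bytes(2, "big") + value)
    return b"".join(parts)


def issue_pass(name, booking_ref, flight, date, key=ISSUER_KEY):
    """Airline side: return the printed fields plus a tag for the barcode."""
    fields = {"name": name, "booking_ref": booking_ref,
              "flight": flight, "date": date}
    fields["tag"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


def checkpoint_verify(scanned, id_name, key=ISSUER_KEY):
    """Checkpoint side: (accepted, reason), with no airline system lookup."""
    try:
        expected = hmac.new(key, _canonical(scanned), hashlib.sha256).hexdigest()
        tag = str(scanned["tag"])
    except (KeyError, AttributeError, TypeError):
        return False, "malformed pass"
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "pass altered or not issued by airline"
    if scanned["name"].strip().upper() != id_name.strip().upper():
        return False, "name on pass does not match ID"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample booking.
    issued = issue_pass("George P. Watkins", "ABC123", "XX100", "2030-01-01")
    edited = dict(issued, name="Jane Q. Example")  # name changed after issue
    print(checkpoint_verify(issued, "George P. Watkins"))
    print(checkpoint_verify(edited, "Jane Q. Example"))
    print(checkpoint_verify(issued, "Jane Q. Example"))
```

This only makes the printed name trustworthy; the no-fly-list lookup in reason 2 still requires the checkpoint to query the list for the verified name.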
And just for fun, I thought I'd show off the modified boarding pass for my flight tomorrow. Of course, I won't be using this, as it'd guarantee me a one-way ticket straight to Gitmo. (Habeas Corpus not included):