The problem of suspicious packages

The Homeland Security Department could really benefit from enrolling in the school of hard knocks that software developers have been attending for the past decade or so. The primary lesson the geeks could teach is this: Rely on consumers to follow complicated, optional security procedures, and you're sure to fail. Give them easy tools that are designed from the start to be safe, and give them a clear path to do the things they need to do, and you stand a fighting chance.

Let me put it another way: Expect people to choose and remember complex passwords, and they'll use sticky notes and affix those passwords to their computer monitors. Tell users not to open e-mail attachments, but give them the ability to do so, and they will most certainly click on something that looks like a love letter. Leave it up to the users, and you'll have major incidents on your hands like the I Love You virus. Blame those users, and you'll feel superior, but no one will be any safer.

On Tuesday, I had my first personal taste of a post-9/11 Homeland Security situation. The planning felt eerily similar to the kind of strategy that doomed computer security 10 years ago. Give me a moment to describe the doomed "every man for himself" approach. Then I'll explain the parallels to tech security.

It was rush hour, and suddenly all the trains heading west out of New York's biggest train station were shut down. I had a plane to catch in Jersey in three hours, and now, I had no clear way across the river. Tens of thousands of commuters faced the same kind of dilemma. The station was a sea of confused people yelling into their cell phones and staring at station monitors. Passengers were told only this: “Trains are delayed for police activity.” That was it.

I learned from my pals at the NBC News desk that investigators were checking into a suspicious package discovered on the other side of the Hudson River. So all the trains to New Jersey were marooned indefinitely in Manhattan.

New Jersey’s commuter rail system is the largest in the country, feeding hundreds of thousands of workers into New York every morning. This shutdown stranded them all.

Mob rule

What happened next is a scene I know New Yorkers have repeated again and again since 9/11 -- the frustrated mob slowly but surely developed its own plan for escaping Manhattan that night. It quickly passed through the crowd: walk a few blocks east to a different train system that crosses the Hudson called the PATH, and take that to get to the Jersey side. Then take a second subway to Newark, which would reconnect people to some of New Jersey’s commuter rail. It was far from their intended destinations, and wouldn’t work for everyone, but somehow, most of the crowd silently agreed to this alternative.

So off it went, parading up 33rd Street, taking over the busy Manhattan street, then cramming down an escalator.

Once down underground, the chaos really began. Effectively, passengers from six different train lines tried to cram their way onto one subway line. Sardine-style compression soon followed. But things got much worse on the Jersey side, after we were all summarily dumped on the other side of the Hudson. The second line was ill-prepared for the exodus. The platform in Jersey City, where we were left, was nearly overrun. I had to let three subways headed for Newark go by before I finally shoved my way onto the fourth. As I did, I shouldered a man who tried to push past me, as if we were fighting for a rebound on a basketball court. It was instinctual on my part; his scowl made me glad he didn’t follow his instincts.

The platform I was on had been dangerously full; but the final subway ride was even more so. With arms and legs thrust every which way, even caught in the door for a while, it's a wonder no one was injured.

Preparing alternatives

But it's outrageous that Homeland Security wasn't better prepared. The disorderly evacuation, in the end, was far more dangerous than the suspicious package. (It turned out to be a drum of hydraulic oil that had fallen off a train.)

Clearly, we live in a time when bomb threats and "police actions" are the norm. So why isn’t a clear Plan B also the norm?

It's not enough to invest in million-dollar technologies for defusing bombs and super-sci-fi tools that allegedly smell them out. We also need to plan orderly alternatives for our citizens when disruptions occur. In the days immediately following Sept. 11, it was understandable that security officials asked for our patience. Long lines were an inconvenience, surely, but well worth it for safety's sake. But five years after 9/11, it is not enough to tell rush hour commuters in Manhattan to fend for themselves whenever there is a suspicious package. It’s not enough to tell people to grin and bear massive delays. Alternatives should be spelled out. Extra trains and buses should be raced into action. Commuters should be told more than "a police action" is causing delays, and they should be given a clear alternative method to get home.

Doing so is not simply a matter of convenience. Failure to do so will eventually lead to dangerous, even fatal consequences. Angry commuters who take matters into their own hands will hurt each other, or take unnecessary risks packing themselves onto subway cars, or trample each other on escalators, or end up being a great target for terrorists as they line up on some other crazy queue.

Back to the geeks

Here’s where the geeks can teach the spooks something. For years, software developers took the attitude that consumers needed to defend themselves against hackers -- and if they didn't, it was their own fault. “Use your dog’s name as a password, and you deserve to lose your money,” I’ve heard whispered by more than one tech elitist.

And so, until recently, every single wireless networking device sold to consumers was configured to broadcast all your bandwidth to your neighbors. It was up to consumers to add the security. Likewise, for years, the only thing between a hacker and the money in your online bank was an easily guessable user name and password. Sure, banks told consumers not to use 1234 for their passwords. But they did anyway. And likewise, consumers opened e-mail attachments that looked like love letters or pictures of Anna Kournikova.

Now things have changed in the software world. Many companies now ban attachments -- a clear step that protects people from understandable, human mistakes like clicking before thinking. Banks now rely more on back-end algorithms to catch fraud than strong passwords remembered by consumers.

But most important, software firms and information technology companies now understand the need to give users a safe alternative to dangerous things they might want to do. It's not enough to simply bar an activity like opening attachments. When you do that, users simply sneak around the ban somehow. People always find a way to do what they have to do. They'll have a document e-mailed to an unsafe Web e-mail service and end up opening it anyway. Just as, eventually, a crowd trying to get home will think to run across town to another train service. Even if that train service turns out to be just as dangerous.

Companies have learned they must provide safe alternatives to employees who want to receive Excel spreadsheets and Word documents in e-mail. Attachments can be mailed to specially quarantined computers, for example. Banks need to provide safe login tools for people who just can't remember passwords like "th1s0ne." So they've created easy password alternatives that are now making their way through the online banking sector.

Similarly, Homeland Security needs to plan -- not just for attacks -- but for safe alternatives so commuters can get home when there's a potential hazard. Serious energy needs to be put into creating and communicating safe alternatives that help us move in a time of crisis. There must be alternatives that prevent us from needlessly costing people time, money, and anxiety. Preventing attacks is only one way of winning the war on terror. Preserving our way of life is equally important.