Daily Archives: April 15, 2018

NBlog April 16 – skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies.

A skunkworks approach is one possibility.
"The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects."

The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicated resources, with no need for a project team and budget, or even a timescale as such. The interest-piquing initial management awareness part can usefully take place in parallel with drafting the formal proposal, saving elapsed time and hopefully ensuring that the proposal aligns with management's evolving perspective. [Hinson tip: it would help if one or two friendly senior managers were brought in on the cunning plan early on, though, to smooth the way once the strategy comes into view. Most of all, it would need at least one passionate leader, someone with the enthusiasm and energy to fire it up, get it rolling and keep it going for as long as it takes.]

Aside from skunkworks, there are at least 7 other strategies ...

#1 A risky, almost Machiavellian strategy is to engineer a crisis in which unawareness plays a crucial part, more likely seizing upon an opportunity such as an information security incident or an impending compliance deadline (such as May 25th ...) to catch management's attention first, softening them up for the follow-through "What we need right now is {ta-daaaaah} a Security Awareness and Training Program, just like this!". [Hinson tip: suggesting that awareness is The Ultimate Answer To Everything would be unwise but I'm convinced it is a valuable, or rather necessary part of the grand solution. It's hard to imagine anyone seriously suggesting that awareness is unnecessary, let alone detrimental.]

#2 Compliance is a strong driver. Scan applicable laws, regulations, contractual commitments etc. for any obligatory/mandatory requirements to run security awareness and training, plus any recommended/advisory suggestions or other hints that doing so might be A Jolly Good Idea. It's worth systematically assessing internal requirements too, such as corporate policies: aside from any specific mention of security awareness [Hinson tip: ... which the canny CISO or ISM will have previously slipped quietly into the security policies], there's an obvious need to make people aware of the policies if they are expected to know about and comply with them. Security standards such as the ISO27k and NIST SP800 series are further sources of advice, along with PCI-DSS, COBIT and others, although those are aimed at information security pros rather than general management, so would need to be interpreted somewhat to draw out the business advantages ...

#3 ... which leads to another approach: position security awareness as a tool supporting information risk management, information security, compliance, governance, privacy, safety, assurance And All That - or, even stronger still, as a business enabler. Given the choice, this is my preferred approach, directly supporting the idea that information security isn't just something that ought to be done because somebody says so: it is necessary for business reasons, and commercially valuable in its own right. [Hinson tip: it helps of course if management is already sold on the need for information risk management, preferably a structured, comprehensive approach. If they are not, we're heading back to square 1 and the conundrum I raised last week: to get awareness, first we need awareness. The difference here is that although management may not initially be keen on security awareness, hopefully they appreciate the need for information security, if only grudgingly for compliance reasons.]

#4 A related suggestion is to integrate security awareness with other planned business and security initiatives - not just tacked casually on the side as an optional extra (where it is vulnerable to being chopped at the outset, or later on when the going gets tough) but as a necessary core activity, an essential or fundamental part. This is easiest with information security projects, naturally, and not too hard with most IT- and information-related business change projects (e.g. all things cloudy). It takes more creativity, effort and care, though, to position security awareness as an integral part of other business activities, with rapidly diminishing returns, aside perhaps from hooking up with other forms of awareness and training (e.g. health and safety). Again there are risks here in pushing too hard. If management consciously chops out or cuts down on security awareness, it's going to be harder to get them back behind it later on, at least until they've forgotten what they did! If you ever get to the point of someone saying "Oh no, not that bloody awareness stuff again! Give it a rest!" you'll know you've gone way too far. [Hinson tip: if the awareness stuff is robustly blocked, try to get the blockers to acknowledge that it is 'not appropriate right now' rather than accepting a flat-out "No!", preferably in writing even if YOU have to write it! Leave the door open for a later approach, when the time is ripe. Strategy is a long-term game, so think things through and keep on stacking the deck in your favor. Your time will come, glasshopper.]

#5 Divide and conquer involves putting effort into persuading specific senior managers, individually at first, of the value of security awareness, then working with them on a plan to convince their peers. As individuals are persuaded, put them in touch with each other. Using management's power and comms structure requires political acumen and drive, which is why I suggest singling out and collaborating with friendly senior managers: they should know how stuff gets done, and hopefully how to avoid the potholes and barriers that those lower in the pecking order may not even appreciate. They are also a relatively soft sell: if you can't convince them that awareness is worth doing, what are your chances of persuading the rest of management? [Hinson tip: watch out for those hot buttons - things that catch their imagination, spark genuine interest and hence show real promise. Emphasizing them in subsequent comms makes a lot of sense, perhaps to the point of building proposals around them.]

#6 If the previous strategies seem too much like hard work, here is a low-effort, low-impact approach. Let your awareness and training activities evolve naturally, growing gradually from whatever you are doing already. This is a long, slow, plodding method, but that doesn't automatically discount it. This is the default approach, the straw-man against which to compare the other strategies. [Hinson tip: for more traction, it's possible to accelerate the rate of change using metrics - particularly my favorite, maturity metrics. Measure the current awareness and training activities relative to accepted good practices*, both to define the starting point and to drive improvements. Once things start working more effectively and efficiently, the metrics will demonstrate progress, which in turn encourages more effort - a positive feedback loop that you can use to your advantage. Obvious when you think about it, or when you stumble across it on some random blog ...]

#7 'Some random blog' brings me to my final strategy: proactively use social networks and social media for security awareness purposes. Email this blog's URL to your colleagues to pump-prime the discussions about strategies that might be worth pursuing. Set up a 'friends of infosec' mailing list or group at work to drip-feed and discuss relevant news, gently and repeatedly reminding people of the value of security awareness, in the sense of spotting emerging risks and avoiding nasty surprises. Publish relevant clips and links to awareness stuff on information security's intranet Security Zone. Mention security awareness in responses and comments to other people's blogs, emails and assorted corridor-comms at work. Drop it casually into your progress reports and management updates. Mention it to your esteemed colleagues from Risk, Privacy, Compliance and Audit over coffee, lunch or beer. Pop it in your newsletters. Be enthusiastic or evangelical like me, hopefully not boring and obnoxious though. [Hinson tip: bring this up in your blog, too. I've scratched your back ...].

* Get in touch for help with that. Awareness metrics are right up my street.

Hajime Botnet Scanning for Vulnerable MikroTik Routers

Over the last few weeks, security researchers from around the globe have shared concerns about scans being carried out by a Hajime IoT botnet looking to mass-infect unpatched MikroTik devices. According to Bleeping Computer, the attackers were trying to use a vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called "Chimay Red", was one of the flaws included in the WikiLeaks "Vault 7" leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.

This incident is a reminder of the widespread problem of security vulnerabilities within Internet-connected devices, which makes them an attractive target to hackers looking to recruit them within IoT botnets.

What is the Hajime botnet?

Hajime is an IoT worm that was discovered by security researchers at Rapidity Networks in October 2016. Like Mirai before it, Hajime takes advantage of default login details to brute-force its way into unsecured devices with open Telnet ports. These unsecured IoT devices offer huge spoils for malicious attackers, giving them the potential to harness thousands of devices, turn them into a botnet army and use it to launch damaging DDoS attacks. Last year, Kaspersky Lab revealed that the botnet had already built up a compromised network of 300,000 devices.

Botnet herding

So far the Hajime botnet has not been observed launching any high profile attacks, but it remains a concern for security experts due to its sophisticated mechanisms, its flexible design and the fact that its objectives remain unknown. In this recently reported activity, Hajime is being observed while performing its IoT worm activity. It is aggressively scanning specific network ports to find vulnerable MikroTik devices, including trying the Chimay Red exploit. If successful, it will install a new copy of itself on the victim. Bot herders do this to gather an ever-growing “herd” of bots that can be subsequently used to launch malicious activity, including DDoS attacks.

A step towards protection

The sheer volume of unsecured or vulnerable IoT devices in circulation poses a serious challenge for security. After all, any device that has an Internet connection and a processor can be an exploit target. In an ideal world, all devices should be forced to go through some sort of basic configuration check before being connected to the Internet to avoid default vulnerabilities. Many industry figures are arguing for increased regulation of IoT devices, but even if this is brought into effect, it will likely only relate to new devices being manufactured in the future, rather than the plethora of unsecured devices already available and currently acting as ‘sitting ducks’ waiting to be recruited into botnets. The best defence against IoT botnet-driven DDoS attacks is to deploy an in-line, automated solution at the network edge, which can detect and mitigate any unusual network activity in real-time, and eliminate threats from entering a network.

For more information, please contact us.

Cloud Protection Moves Into a New Phase

It’s RSA Conference season and a great time to talk about containers and security.

No, not traditional shipping containers.

Containers have become developers’ preferred deployment model for modern cloud applications, helping organizations accelerate innovation and differentiate themselves in the marketplace. This is part of the natural progression of the datacenter, moving from the physical, on-premise servers of old, to virtual servers, and then to the public cloud.

According to a report released today by McAfee, “Navigating a Cloudy Sky,” containers have grown rapidly in popularity over the past few years, with 80 percent of those surveyed using or experimenting with them. However, only 66 percent of organizations have a strategy to apply security to containers, so there is still work to be done.

Realistically, most companies will have a mixed, or “hybrid cloud” solution for some time. A big challenge for customers is to maintain security and visibility as they migrate to the public cloud and adopt new technologies like containers.

As containers gain in popularity, getting visibility of their container workloads and understanding how security policies are applied is something that enterprises will need to assess to ensure workloads are secure in the cloud. In the shared security responsibility model laid out by cloud providers, enterprises can leverage the available native controls and the interconnectivity with production workloads and data stores, but will need to actively manage the security of those workloads. Gaining visibility, mitigating risk and protecting container workloads helps build a strong foundation for secure container initiatives.

McAfee is helping to fill the security need in this new environment by offering hybrid cloud security solutions to customers. For example, the release of McAfee Cloud Workload Security (CWS) v5.1 – announced today and available Q2 2018 – gives customers a tool that identifies and secures Docker containers, workloads and servers in both private and public cloud environments.

McAfee CWS 5.1 quarantines infected workloads and containers with a single click, thus reducing misconfiguration risk and increasing initial remediation efficiency by nearly 90 percent.

Previously, point solutions were needed to help secure containers. But with multiple technologies to control multiple environments, security management faced unnecessary complexities. McAfee CWS can span multi-cloud environments: private data centers using virtual VMware servers, workloads in AWS, and workloads in Azure, all from a single interface.

McAfee CWS identifies Docker containers within five minutes from their deployment and quickly secures them using micro and nano-segmentation, with a new interface and workflow. Other new features include discovery of Docker containers using Kubernetes, a popular open source platform used to manage containerized workloads and services, and enhanced threat monitoring and detection with AWS GuardDuty alerts – available directly within the CWS dashboard.

McAfee is the first company to provide a comprehensive cloud security solution that protects both data and workloads across the entire Software as a Service and Infrastructure as a Service spectrum. So, when you’re talking containers, be sure to include McAfee in the conversation.

And don’t forget to stop by the McAfee booth, North Hall, #3801, if you’re attending RSA.

The post Cloud Protection Moves Into a New Phase appeared first on McAfee Blogs.

GDPR Planning and the Cloud

Data protection is on a lot of people’s minds this week. The Facebook testimony in Congress has focused attention on data privacy. Against this backdrop, IT security professionals are focused on two on-going developments: the roll-out next month of new European regulations on data (the General Data Protection Regulation, or GDPR) as well as the continued migrations of data to the public cloud.

GDPR is mostly about giving people back their rights over their data by empowering them. Among other rights and duties, it concerns the safe handling of data, the “right to be forgotten” (one of several data subject rights) and breach reporting. But apparently it will not slow migration to the cloud.

According to a McAfee report being released today, Navigating a Cloudy Sky, nearly half of companies responding plan to increase or keep stable their investment in the public, private or hybrid cloud, and the GDPR does not appear to be a showstopper for them. Fewer than 10 percent of companies anticipate decreasing their cloud investment because of the GDPR.

Getting Help for GDPR Compliance

What is the practical impact of all this? Say your CISO is in the early stages of setting up a GDPR compliance program. In any enterprise it’s important to understand the areas of risk. The first step in managing risk is taking a deep look at where the risk areas exist.

McAfee will feature a GDPR Demo1 at the RSA conference in San Francisco this week that will help IT pros understand where to start. The demo walks conference attendees through five different GDPR compliance scenarios, at different levels of a fictional company and for different GDPR Articles, so that they can start to get a feel for GDPR procedure and see the tools which will help identify risk areas and demonstrate the capabilities for each.

Remember, with GDPR end-users are now empowered to request data that they are the subject of, and can request it be wiped away. With the latest data loss prevention software, compliance teams will be able to service these requests by exporting reports for given users and by wiping the data held on those users. But a lot of companies need to learn the specific procedures on compliance with GDPR rules.

GDPR could be looked at as another regulation to be complied with – but savvy companies can also look at it as a competitive advantage. Customers are increasingly asking for privacy and control. Will your business be there waiting for them?

The cloud, GDPR and customer calls for privacy are three developments that are not going away – the best stance is preparation.

1 McAfee will be in the North Hall, booth #N3801 (the “Data Protection and GDPR” booth) and also in the South Hall at the McAfee Skyhigh booth, # S1301.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post GDPR Planning and the Cloud appeared first on McAfee Blogs.

Let’s stop talking about password strength

Picture from EFF -- CC-BY license
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavior, such as using bcrypt, there is less onus on the user.

But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice we give lazy advice. We give the advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.
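As an added illustration of the two technical points made above (the enforcement rule the post says a site should apply, and the difference between the old unsalted MD5 storage and a salted, deliberately slow hash), here is example code that is not part of the original post. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt the post names, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# The enforcement rule the post proposes a site should apply:
# at least 8 characters, containing both letters and non-letters.
def meets_minimum_policy(password: str) -> bool:
    if len(password) < 8:
        return False
    has_letter = any(ch.isalpha() for ch in password)
    has_non_letter = any(not ch.isalpha() for ch in password)
    return has_letter and has_non_letter

# "A decade ago": an unsalted MD5 digest stored as-is. Every account with the
# same password gets an identical digest, so one recovered digest exposes all
# of them, and the hash is so cheap that strength is left as the user's problem.
def legacy_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Modern storage: a per-user random salt plus a deliberately slow hash.
# PBKDF2-HMAC-SHA256 (standard library) stands in for the bcrypt the post names;
# the iteration count below is an assumed value, not taken from the post.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

def salted_slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept it
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)

def same_password_collides(password: str, hasher: Callable[[str], str]) -> bool:
    """True when two accounts sharing a password end up with identical stored values."""
    return hasher(password) == hasher(password)

if __name__ == "__main__":
    for candidate in ("hunter2", "password", "p4ssword!"):
        print(f"{candidate!r}: meets policy = {meets_minimum_policy(candidate)}")
    print("MD5 collides across users:", same_password_collides("p4ssword!", legacy_md5_hash))
    print("Salted hash collides across users:", same_password_collides("p4ssword!", salted_slow_hash))
    record = salted_slow_hash("p4ssword!")
    print("Verify correct password:", verify_salted("p4ssword!", record))
    print("Verify wrong password:", verify_salted("p4ssword?", record))
```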

RSA Influencers Identify Cybersecurity’s Top Issues

More interest, more news, and more money are swirling through the cybersecurity industry than perhaps ever before. Data breaches make headlines, shape elections, and lead to Congressional hearings. Artificial intelligence tools wow the public and stretch the limits of the imagination.

And the 40,000 RSA Conference attendees pouring into San Francisco are not impressed. Cybersecurity is a profession, they say, not a circus.

We reached out to RSA speakers and attendees and asked what they think is the most relevant recent development in cybersecurity. They gave us a variety of answers, many with the central theme that companies and consumers should not believe the hype. Cybersecurity still is – and perhaps always will be – about seasoned professionals patiently applying good tools in a comprehensive way.

“The problem we’re seeing at trade shows recently is there is very little new,” said John Bambenek, a vice president at ThreatSTOP who lectures on cybersecurity at the University of Illinois. “We’re still trying to solve the same old problems in the same ways with newish looking packaging. What’s being overlooked is actually spending the time developing understanding of attacks, threats, and trends so models can be truly informed before making decisions.”

Caroline Wong, Vice President of Security Strategy at Cobalt, agreed. You can’t just turn the latest tools on and watch them vanquish threats. “There’s a big push in DevSecOps for more and more automation, but it’s critical to remember that when it comes to web applications and APIs, manual pen testing is required to discover vulnerabilities in application business logic. Automated scans often miss the most interesting security vulnerabilities.”

“Assuming that machine learning models and classifiers will work 100% of the time is setting your SOC up to fail,” wrote McAfee CISO Grant Bourzikas in an RSA blog post titled, “What humans do better than machines.” Bourzikas and McAfee Chief Human Resources Officer Chatelle Lynch will host a session at RSA on how innovation can help companies retain top talent. “Recruiting and retaining a diverse talent pool in cybersecurity today is so competitive,” Lynch said of her session. “Employees want to know they are at a company that strives for the latest innovation.” But that is always within the realm of human-machine teaming at McAfee, Bourzikas says. Shiny new tech must be paired with human analysis.

Many cited human decisions about data regulation – the opposite of whiz-bang security tech – as one of the main issues in cybersecurity today.

“The most important development in cybersecurity is Facebook’s reaction to the imminent enforcement of GDPR,” says Kevin L. Jackson, Founder and CEO of GovCloud Network. “The sound of Facebook’s leadership failure is deafening. The legal battles around data privacy and security will drive whatever happens across the entire cybersecurity landscape, including what technology is deployed.”

Kathy Delaney Winger, a Tucson-based lawyer whose areas of practice include cybersecurity, concurred. “Businesses may be surprised to learn that they are obligated to comply with laws such as New York’s cybersecurity regulation and the GDPR – even though they do not fall under the jurisdiction of the enacting entities.”

“Far too many small and mid-size businesses simply underestimate the impact that the EU General Data Protection Regulation will have on them,” said Ben Rothke, principal security consultant for Nettitude.

GDPR preparation doesn’t have to be drudgery. Flora Garcia, a McAfee attorney writing about the regulations, has suggested GDPR can also stand for Great Data Protection Rocks. Data protection could even be a shared global citizenship effort along the lines of environmentalism, she says.

The data-protection revolution may even have us rethinking the nature of identity. “The identity industry is moving away from identity,” said Steve Wilson, vice president and principal analyst of Constellation Research, Inc. “What matters in authentication? Not who someone is, but what they are. You need to know something specific about a counter-party, like their age, or their address, or their credit card number, or their nationality, or some mix of these things. You don’t really need to know their identity. This is a very fundamental shift in thinking, and it’s just the beginning of a major regulatory push around data provenance.”

Grounded data-protection hygiene and cybersecurity discipline that looks past the cool factor are not preventing RSA attendees from looking at the very latest threats. “These days, attackers are increasingly focused on cryptocurrencies – stealing them, mining them via cryptojacking or obtaining them as ransom,” said Nick Bilogorskiy, who drives cybersecurity strategy at Juniper Networks and was previously Chief Malware Expert at Facebook. “As companies do not usually have crypto wallets to steal, attackers turn to ransomware because it provides the best bang for the buck and is the logical choice for attackers to monetize business breaches. I expect ransomware and other cryptocurrency malware attacks to grow in popularity this year.”

But even the most quickly evolving threats are enterprises launched by people, aimed at people, and shut down by people. Raj Samani, McAfee’s Chief Scientist, says ransomware and its many forms can be beaten by people – if they get the right help. “The purpose of pseudo-ransomware is typically destruction, but we have seen evidence of its use as a diversionary tactic, and whilst it may appear as traditional ransomware the attackers are unlikely to provide any decryption capability regardless of whether the ransom is paid. Either way, with actual ransomware or the decoy tactic, organizations need guidance to mitigate the risk.” Samani is speaking about pseudo-ransomware during his session on the topic at RSA.

Everything in cybersecurity may seem new, baffling, and roiling with change. But people can apply lessons of the past – such as with airport security changes after 9/11 – to find solutions in the future, said McAfee CEO Chris Young. “Smart security changed air travel from top to bottom. We need to bring a cybersecurity paradigm shift that is more collaborative, clear and accessible,” Young said of his RSA keynote on what cybersecurity can learn from those who keep air travel safe.

The post RSA Influencers Identify Cybersecurity’s Top Issues appeared first on McAfee Blogs.

RSA Conference 2018: Fun Telco History in SF

Welcome to SF everyone! As the RSA Conference week begins, which really is a cluster of hundreds of security conferences running simultaneously for over 40,000 people converging from around the world, I sometimes get asked for local curiosities.

As a historian I feel the pull towards the past, and this year is no exception. Here are three fine examples from hundreds of interesting security landmarks in SF.

Chinese Telephone Exchange

During a period of rampant xenophobia in America, as European immigrants were committing acts of mass murder (e.g. Deep Creek, Rock Springs) against Asian immigrants, a Chinese switchboard in 1887 came to life in SF (just before the Scott Act). By 1901 it moved into a 3-tier building at 743 Washington Street. Here’s a little context for how and why the Chinese Telephone Exchange was separated from other telephone services:

Today when you visit Chinatown in SF you may notice free tea tastings are all around. This is a distant reminder of life 100 years ago, even for visitors to the Chinese Telephone Exchange, as a San Francisco Examiner report describes in 1901:

Tea and tobacco are always served to visitors, a compliment of hospitality which no Chinese business transaction is complete

At its peak of operation about 40 women memorized the names and switching algorithms for 1,500 lines in five dialects of Chinese, as well as English of course. Rather than use numbers, callers would ask to be connected to a person by name.

The service switched over 13,000 connections per day until it closed in 1949. Initially only men were hired, although after the 1906 earthquake only women were. Any guesses as to why? An Examiner reporter in 1901 again gives context, explaining that men used anti-competitive practices to make women too expensive to hire:

The Chinese telephone company was to put in girl operators when the exchange was refitted, and doubtless it will be done eventually. The company prefers women operators for many reasons, chiefly on account of good temper.

But when the company found that girls would be unobtainable unless they were purchased outright, and that it would be necessary to keep a platoon of armed men to guard them, to say nothing of an official chaperon to look after the proprieties, the idea of girl operators was abandoned.

“They come too high,” remarks the facetious general manager, “but in the next century we’ll be able to afford them, for girls will be cheaper then.”

Pacific Telephone Building

One of the first really tall developments in SF, which towered above the skyline (so tall it was used to fly weather warning flags and lights) for the next 40 years, was the Pacific Telephone offices. At 140 Montgomery Street, PacTel poured $4 million into their flagship office building for 2,000 women to handle the explosive growth of telephone switching services (a far cry from the 40 mentioned above at 743 Washington Street).

By 1928, the year after 140 New Montgomery was completed, the San Francisco Examiner declared “with clay from a hole in the ground in Lincoln, California, the modern city of San Francisco has come.”

It was modeled after a Gottlieb Eliel Saarinen design that lost a Chicago competition, and came to life because of the infamous local architect Timothy Pflueger. Pflueger never went to college yet left us a number of iconic buildings such as Olympic Club, Castro Theater, Alhambra Theater, and perhaps most notably for locals, a series of beautiful cocktail lounges created in the prohibition years.

AT&T Wiretap

Fast-forward to today and there are several windowless tall buildings scattered about the city, filled with automated switches connecting the city’s copper and fiber. One of particular note is 611 Folsom Street, near the latest boom in startups.

Unlike the many years of American history where telco staff would regularly moonlight by working for the police, this building gained attention for a retired member of staff who disclosed his surprise and disgust that President Bush had set up surreptitious multi-gigabit taps on telco peering links.

“What the heck is the NSA doing here?” Mark Klein, a former AT&T technician, said he asked himself.

A year or so later, he stumbled upon documents that, he said, nearly caused him to fall out of his chair. The documents, he said, show that the NSA gained access to massive amounts of e-mail and search and other Internet records of more than a dozen global and regional telecommunications providers. AT&T allowed the agency to hook into its network at a facility in San Francisco and, according to Klein, many of the other telecom companies probably knew nothing about it.

The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.

“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

Klein was last in Washington in 1969, to take part in an antiwar protest. Now, he said with a chuckle, he’s here in a gray suit as a lobbyist.

In some sense we’ve come a long way since 1887, tempting us to look at how different things are from technological change, and yet in other ways things haven’t moved very far at all.