Right, but you would think that an organization with the kind of operational security needs that they would go to the lengths of installing a separate physical network would have their systems on that network locked down to prevent ANY form of removable media - whether it's used for installation of an OS or storage of documents - due to various threats and the idea of preventing data loss/leakage.

As to your thought on connecting to a possibly infected system - organizations that go to these lengths would most likely also install brand new hardware on that network to mitigate that risk. Of course, it's possible that those systems would come from the factory with something onboard (which is the big knock against Lenovo at this point) to allow for snooping.

At this point, the only real way to mitigate and eliminate every risk would be to leave the systems in the original shipping container, surrounded by a Faraday cage, in a locked room with no lights or windows, a single door locked and welded shut, surrounded by thermal, IR and visual spectrum cameras, barbed wire, land mines, a moat filled with flesh-eating bacteria and patrolled by a vampire bunny with a hangover, a .45 and a bad attitude. But, since that would put a slight crimp in worker productivity...

--- A

On Thu, Dec 4, 2014 at 12:02 PM, Libertas <libertas@xxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 12/04/2014 11:18 AM, Andrew Hornback wrote:
> > In an environment that requires an air-gap level of security and scrutiny, to allow removable media (especially USB drives) unfettered borderlines on the infinitely stupid.
>
> It's not about allowing unfettered access, it's about using a USB on the machine for any reason at any point. Its firmware could have been infected in many ways, as it's likely been attached to another machine which was networked. This is especially true considering that many cheap laptops don't have CD drives these days, and that USBs are commonly used as install drives.
>