
> I would say it happens on as frequent a basis as any other network tbh.

...really?

I find this extremely hard to believe on its face. Sure, an attacker can infect a system via a USB drive, but they need to get physically close to the victim (at least at one point in time). That both dramatically decreases the number of possible attackers and increases their personal risk.

It also becomes far more difficult for an attacker to exfiltrate any data.



Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".

As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.


> As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.

Right, which requires the attacker to be physically near the parking lot at some point! That decreases the number of possible attackers by several orders of magnitude at least.

> Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".

Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.


> Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.

Very much so. My point being that a truly air gapped system is objectively more secure than one that is networked, and yet, a bank or social network company that only operates with truly air gapped systems will be strictly worse off than their competitors in their actual business of banking or social networking. And so since their actual job is not objectively better cyber security, but banking or social networking, then they are inherently at a disadvantage compared to Attackers whose business IS attacking (or at one step removed, selling the resources obtained from attacking). In the name of making their business better, Defenders will choose weaker security, and attackers will choose stronger attacks.


Yeah, GP is sort of saying that seat belts are pointless since traffic fatalities can happen anyway.



