Hacker News

(off-topic) I would be very suspicious of a dongle that plugged into an Ethernet port or USB port that said "AIRGAPPED - DO NOT CONNECT."


The standard is to put superglue into the ports.

In my experience it doesn’t stop admins connecting an “offline Root CA” to the WiFi network to install their entire suite of server management software — none of which are functional without an active network connection.

Yes, my plan was to physically remove the wifi adapter daughter card. They exposed the CA to gigabytes of third-party software before I turned up to do the setup. Yes, I warned them not to even take the computer out of the box.

Offline anything just breaks people’s brains.

“How do we keep the anti-virus pattern file up to date?”

“You don’t.”


Do they still make non-USB mice/keyboards? I am also wondering if the CEC HDMI protocol could be exploited. Plug in a nefarious monitor which can send a payload and receive a graphic stream back with the response.


We used a Dell workstation laptop, which has ECC memory and a Xeon processor like a server. Built-in keyboard and trackpad reduces the risk of random external devices needing to be used.

Protection was BitLocker drive encryption with a manually entered (long!) passphrase to decrypt. Backups were to encrypted USB media never plugged into anything else other than a redundant clone of the CA used for DR testing. Everything went into safes.

This design works Well Enough for all but the most demanding purposes, but the whole rigmarole was undone by a well-meaning but naive admin “just doing his job”.
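As an added example, not code from the commenter above or from any product they mention: a PowerShell pre-flight check for an offline root CA workstation built the way that post describes (no usable network adapter, BitLocker on the OS volume unlocked by a boot-time passphrase, backups on removable media that are only attached deliberately). It assumes a Windows host with the standard NetAdapter, BitLocker and Storage modules, run from an elevated prompt; the cmdlets are Microsoft's, but the findings, thresholds and the `-DisableAdapters` switch are my own choices.

```powershell
# Added example (not from the thread): pre-flight check for an offline root CA host.
# Assumes Windows 10/11 or Windows Server with the NetAdapter, BitLocker and
# Storage PowerShell modules, run elevated. Reports findings; only -DisableAdapters changes anything.
[CmdletBinding()]
param(
    [switch]$DisableAdapters   # also disable every enabled network adapter found
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Network adapters: an offline CA should have none enabled (ideally none present at all).
$adapters = Get-NetAdapter -ErrorAction SilentlyContinue
foreach ($a in $adapters) {
    if ($a.Status -ne 'Disabled') {
        $findings.Add("Network adapter '$($a.Name)' ($($a.InterfaceDescription)) is $($a.Status)")
        if ($DisableAdapters) {
            Disable-NetAdapter -Name $a.Name -Confirm:$false
        }
    }
    # Wireless/Bluetooth hardware is the part the post above chose to remove physically.
    if ($a.InterfaceDescription -match 'Wi-?Fi|Wireless|802\.11|Bluetooth') {
        $findings.Add("Wireless/Bluetooth hardware present: $($a.InterfaceDescription); consider removing the card")
    }
}

# 2. A live connection profile means the host has been on a network since boot.
$profiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $findings.Add("Active network profile '$($p.Name)' on interface '$($p.InterfaceAlias)'")
}

# 3. BitLocker: the OS volume must be fully encrypted with protection on, and at least one
#    key protector must require something typed at boot. A TPM-only protector unlocks the
#    disk for anyone who boots the machine, which defeats the "long passphrase" design.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os) {
    $findings.Add("BitLocker status for $env:SystemDrive could not be read")
} else {
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("OS volume is $($os.VolumeStatus), not FullyEncrypted") }
    if ($os.ProtectionStatus -ne 'On')        { $findings.Add("BitLocker protection is $($os.ProtectionStatus)") }
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $bootTime = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey') -or ($types -contains 'Password')
    if (-not $bootTime) {
        $findings.Add("OS volume protectors are [$($types -join ', ')]; no boot-time PIN/passphrase protector")
    }
}

# 4. Removable media: backup drives should be attached only during a backup or DR test,
#    so anything present during a routine check is worth a look.
Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveType -eq 'Removable' } |
    ForEach-Object { $findings.Add("Removable volume attached: $($_.DriveLetter): '$($_.FileSystemLabel)'") }

# 5. Note the AD CS service state if it is installed (informational only).
$certsvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($certsvc) { Write-Host "CertSvc service is $($certsvc.Status)" }

if ($findings.Count -eq 0) {
    Write-Host 'OK: no findings; host appears offline and encrypted as intended'
    exit 0
}
Write-Host 'FINDINGS:'
$findings | ForEach-Object { Write-Host " - $_" }
exit 1
```

Run it once before the CA is first configured and again after every hands-on session; a non-zero exit code is the cue to stop and find out who plugged what into the box. The check reads state rather than enforcing it, because the thread's real failure mode was a person, not a setting, and an audit trail of "the wireless adapter was back" is what ends that conversation.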


Absolutely.

Fibre for networking, PS/2 (with or without) adapters for keyboards and mice, and VGA for monitors.

As an example of what it's still like in some of those spaces, here's a product sheet for a cross-domain chat solution - the screenshot on the second page appears to be CDE. https://owlcyberdefense.com/wp-content/uploads/2020/12/20-OW...


Yup. PS/2 keyboards and mice are still easy to find. As are VGA monitors. If you are super paranoid, you still need something more, as both PS/2 and VGA allow for bidirectional transfer. But, at a certain point you need to trust your supply chain. If someone can tamper with your new monitor, they can probably tamper with your new server as well. Even without compromising the host, you wouldn't want a monitor mirroring the output to an attacker, or a keyboard mirroring every stroke.


Reminds me of this ticket [0]. No matter how hard you try to tell people things, sometimes you just can't.

[0] https://github.com/reactjs/react.dev/issues/3896


Perhaps the issue author thought the member was given this name because only privileged/blessed developers get to use the “cool stuff” of React. They likely don’t understand the reason why the concept of access modifiers exist in many programming languages.

Namely that (good) library authors will do everything possible to avoid breaking the public API, which can be seen as a “promise” from them in what can be relied upon, while internal/private members offer no such promises and the library author can feel free to change/remove them as desired with no prior notice.



