I think whoever wrote that presentation wasn't being very precise. What I described is known as the "evil maid" attack, and does require that someone (a) not notice the USB stick and (b) power up the machine.

I agree. The presentation seemed to target suites with little or no experience. I found while working for the state of Nebraska that the most important decisions relating to IT were made by suites with the least (or no) networking, programming or computer experience or knowlege. Over the years their decisions have cost taxpayers tens of millions of dollars.

The "evil maid" attack works very well, but at the State dept it is the "sneaky employee" who does all the damage. The guy who puts his favorite music on CDs or USB sticks at home and brings them to work to listen to. We bought a $28K Linux server to act as an Internet gateway and malware filter, It worked fantasticlly. But, viruses suddenly began appearing again. They were traced to workstations used by employees bringing in those CDs or USBs. The IT staff disabled USB and CD devices on all workstations except those used by management and developers like myself.

It's hard to block social engineering.

Because there is no patch for stupidity.