Security thinking: "But what can you *not* do with the attack?"

When a vulnerability occurs in a system, they tend to ask the question "but what can you do with it?". That's the wrong question, from a security perspective it's better to ask "what can you *not* do with it?". As long as you cannot prove that you cannot do something bad, there is a risk that you can.