
Death only has to get lucky once. Are you going to stop wearing seatbelts?



I assume pjc50's quotation is referencing a quote attributed to a terrorist group after they failed to assassinate the UK Prime Minister: https://quoteinvestigator.com/2025/12/08/lucky-always/

You're in control of how much danger of accident you expose yourself to.

Nobody is in control of how much danger we are exposed to from other people who are actively trying to do us harm, who will keep going until they get what they're after or are stopped.

For most people, seatbelts are the former. Yeah, not perfect, but they reduce risk. For the latter, if you're known to be a seatbelt wearer, the attacker just does something where seatbelts don't matter.

Every new AI model introduces new capabilities and competencies, so we're not even sure what the true risk levels are yet for self-exposure in this category. The restrictions on AI may be like seatbelts and speed limits, or they may be like "if you install a 1000 HP turbojet engine in your Honda Civic it will no longer be road legal". And this analogy also includes how the first cars had speed limits set low enough to not risk the horse industry, i.e. we may be too cautious.


The “attackers only have to win once” principle is core to infosec; a company has to ensure every single employee rejects every single phishing attempt every single time, an attacker just has to get one employee once.

But I think people misinterpret the principle to mean that only perfect solutions have any value.

When in reality defense in depth is the opposite principle: you scan incoming emails for phishing, and that’s good but imperfect. You do mandatory training, and that’s good but imperfect. You use RBAC to limit blast radius, and that’s good but imperfect. And so on.

Among tech people, especially on HN for some reason, there’s this odd thinking style that goes: 1) company announces security measure, 2) the measure could possibly limit my freedom to do whatever I want with the company’s products, 3) I don’t like that, 4) I can come up with scenarios where the security measure is not sufficient, entirely on its own, to address the claimed risk, 5) therefore the security measure does no good at all, 6) therefore this is a PR smokescreen to disguise their desire to capriciously fuck with me out of pure malice, and I am angry about it
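As an added illustration, not part of the thread above, here is a small Python model of the two principles the comment names: a single phishing attempt has to get past every imperfect layer, yet a campaign of many attempts still only needs one to land, which is why limiting blast radius (RBAC) is the next layer rather than a substitute for the others. Every bypass rate, headcount and privileged-account fraction below is a constructed assumption, and the layers are treated as independent, which real controls are not.

```python
"""Toy model of "attackers only have to win once" against defense in depth.

Each control is described by the fraction of phishing attempts that get past
it. Layers are assumed independent (a simplification: a mail that fools the
filter is probably also better at fooling a person). A single attempt succeeds
only if it bypasses every layer; a campaign succeeds if any attempt does.
"""
from math import prod

# Constructed, illustrative bypass rates, not measured figures.
LAYERS = [
    ("gateway_filter", 0.20),          # 80% of phishing mail caught at the gateway
    ("awareness_training", 0.40),      # 60% of what gets through is ignored/reported
    ("phishing_resistant_mfa", 0.05),  # a stolen password alone rarely logs in
]


def per_attempt_success(bypass_rates):
    """P(one attempt reaches its goal): every layer must be bypassed."""
    return prod(bypass_rates) if bypass_rates else 1.0


def campaign_success(p_attempt, employees, attempts_per_employee):
    """P(at least one attempt succeeds) = 1 - (1 - p)^n over all n attempts."""
    n = employees * attempts_per_employee
    return 1.0 - (1.0 - p_attempt) ** n


def expected_compromises(p_attempt, employees, attempts_per_employee):
    """Mean number of compromised accounts over the whole campaign."""
    return p_attempt * employees * attempts_per_employee


def privileged_exposure(n_compromised, privileged_fraction):
    """Expected compromised accounts that hold privileged roles.

    RBAC does not stop the compromise; it shrinks this number (the blast
    radius) by keeping privileged_fraction small.
    """
    return n_compromised * privileged_fraction


def layer_by_layer(layers, employees, attempts_per_employee):
    """Add controls one at a time and report campaign odds after each.

    Returns a list of (label, campaign_probability, expected_compromises).
    """
    rows = []
    rates = []
    for label, rate in [("no_controls", None)] + list(layers):
        if rate is not None:
            rates.append(rate)
        p = per_attempt_success(rates)
        rows.append((label,
                     campaign_success(p, employees, attempts_per_employee),
                     expected_compromises(p, employees, attempts_per_employee)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 500 staff, each phished 4 times a year.
    for label, p_campaign, n_expected in layer_by_layer(LAYERS, 500, 4):
        print(f"{label:24s} P(campaign succeeds)={p_campaign:.4f} "
              f"expected compromises={n_expected:7.1f}")
    # Even with every layer in place the campaign still almost surely lands at
    # least once; that is where limiting blast radius takes over.
    n = expected_compromises(per_attempt_success([r for _, r in LAYERS]), 500, 4)
    print(f"of those, with 2% privileged accounts: {privileged_exposure(n, 0.02):.2f}")
```

Each layer cuts the expected number of compromised accounts by its own factor (2000 with nothing, 8 with all three), but the probability that the campaign succeeds at least once stays close to 1, which is exactly the comment's point: no single control is sufficient on its own, and that is not an argument against any of them.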
