You don’t need to know
By Charles Miller
“You don’t need to know.” As an answer to a question just asked, this is a response almost guaranteed not to satisfy the asker of the question. Just because someone wants to know the answer to a question does not mean they are entitled to know the answer though. There are some subjects that are best to put on a need-to-know basis and if you are one of the people who do not need to know, well, then you do not need to know.
You might be asking yourself what in blazes I am talking about there, and rest assured the answer to that question is not going to be “you don’t need to know.” Instead, what I hope to be able to do here is explain the nature of some of these things you do not need to know and why.
In the area of security there is an element referred to as “security through obscurity,” meaning simply that if nobody knows about something it might just be more secure. This is the principle employed by the Secret Service when they sometimes decline to publicize the whereabouts or means of travel used by the protectees. The fewer people who know the specifics of their movements, the lower the threat to security. Without your being aware of it, this is the same principle your email provider, your bank, and others use to protect you.
Some of you may have already experienced the frustration of being locked out of one of your online accounts and receiving a message such as “You have tried three incorrect passwords and as a result your account is locked. Please try again later.” Obviously this is being done for your protection, but how much later? They never tell you how long you have to wait. Why? Because “you don’t need to know.”
Another common situation is when you try to log onto your bank, email, or other online account and receive a message saying “Either your username or password is incorrect.” Which is it? It would be a big help if they would tell you if it is the username or the password you are entering wrong, but they never tell you this so you never know which it is. Why? You don’t need to know.
There is actually a very good reason for all this sometimes-frustrating secrecy, and that is to foil attempts by cyber criminals to compromise your accounts. Your bank absolutely never wants anyone to know that if you try five incorrect passwords in a 90-second period, their computer will lock your account for 30 minutes. If the crooks knew this was the way the bank’s security worked, then they would simply program their password-stealing program to try four passwords, wait 91 seconds, try four more passwords, wait another 91 seconds and keep doing so for as long as it took to hack into your bank account.
Security professionals understand that any “information leakage” will aid the bad guys. This is why your bank never tells you how many wrong passwords you can try before your account is locked, or how long it stays locked before you can try another password. This is why your email provider does not tell you whether it is your name or your password that is wrong; better not to leak that information to the crooks. Likewise, this is why email providers never tell you what the limits are on how many outgoing emails you are permitted every hour; better to keep the spammers guessing.
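For readers who write login code, here is a sketch of what that looks like on the server side. It is an example added to this column, not any bank's or email provider's actual code; the `LoginGuard` class and its names are hypothetical, and the limits are the illustrative figures used above (five failures in 90 seconds, a 30-minute lock).

```python
import hashlib, hmac, os, time

GENERIC_FAIL = "Either your username or password is incorrect."
LOCKED = "Your account is locked. Please try again later."  # no duration given

class LoginGuard:
    """Hypothetical login check that gives the same answer for every kind of failure."""

    def __init__(self, max_failures=5, window=90, lock_seconds=1800, clock=time.monotonic):
        self._policy = (max_failures, window, lock_seconds)  # kept server-side only
        self._clock = clock
        self._users = {}         # username -> (salt, password hash)
        self._failures = {}      # submitted name -> times of recent failures
        self._locked_until = {}  # submitted name -> time the lock ends
        self._dummy_salt = b"\x00" * 16
        self._dummy_hash = self._hash("dummy", self._dummy_salt)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        max_failures, window, lock_seconds = self._policy
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return False, LOCKED
        # Hash even for unknown names so response time does not reveal who exists.
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(self._hash(password, salt), stored)
        if matches and username in self._users:
            self._failures.pop(username, None)
            return True, "Welcome."
        # Count failures per submitted name, real or not, so that a lock
        # appearing (or not) cannot be used to tell which names are real.
        recent = [t for t in self._failures.get(username, []) if now - t < window]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= max_failures:
            self._locked_until[username] = now + lock_seconds
        return False, GENERIC_FAIL
```
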
So please, the next time you ask a question and the answer you get is “You don’t need to know that,” try not to be upset. There is probably a very good reason for not wanting the bad guys to know the answer to that question. The best way to keep the crooks from obtaining the information that helps them steal your password is to put certain information on a need-to-know basis.
Charles Miller is a contributor who as of this publication has had 500 articles published in Atención San Miguel. His column is syndicated in other English-language newspapers, but if you are reading this in San Miguel that is something “you probably don’t need to know.”