[Cryptography] Forget the Enigma Code; embrace the Hammurabi Code

Henry Baker hbaker1 at pipeline.com
Thu May 28 19:58:42 EDT 2015


Now the IRS admits to enabling the hacking of the identities of >100,000 taxpayers.

Cyberbreach after cyberbreach of customer data happens without anyone taking any responsibility -- leaving the poor consumer/citizen/taxpayer, whose identities were the ones stolen, with only "free credit reports".  Since credit reports are already free 1x per year, this "compensation" is downright insulting.  I'm getting fed up with this whole cyber insecurity situation, and I suspect that a lot of other voters are, too.

It's time to stop just complaining about the poor implementation of encryption codes, and bring back Hammurabi's Codes.  Hammurabi knew in 1750 B.C. that an ordinary citizen could not possibly be expected to know all the details & calculations involved in building a building, so Hammurabi placed the liability on the heads (literally) of those who were in a position to know: the architect and builder.  If the building fell down and killed its owner, the architect and/or builder were put to death.  The ancient Romans extended this theory to the building of bridges: the builder had to stand under the bridge the first time it carried a load; you now know why many ancient Roman bridges are not only still standing, but still carrying traffic today.

Nassim Nicholas Taleb (see below) recognized the wisdom of Hammurabi and suggests its use for bank fraud.  But why stop with bankers?  Let's use Hammurabi's Code for all computer security.

The closest thing we have to Hammurabi's Code today are _surety bonds_, which professional architects and engineers must typically have.  Every computer product or web service that handles consumer identity data should be required to put up a surety bond necessary to cover the entire amount which could be lost due to the theft of each person's identity.  Since the losses from identity theft could easily exceed 100x to 100,000x the cost of the product or service, the costs of these bonds would quickly deter firms from asking for information that they cannot reliably protect.

These bonds should be posted by both the firm producing the product or web site, as well as by all of the contractors & subcontractors -- including any "security consultants", etc.  Inspired by Sarbanes-Oxley and IRS regulations, company officers and directors should be personally liable for the thefts of identity that were entrusted to their products and websites.

I further suggest that Bitcoins in the amount of the bonds' face value be placed in "honeypots" within the company networks, so that these bonds will be the first items to be stolen if the company's networks were breached.  If you don't feel comfortable leaving millions of dollars worth of Bitcoins lying around in your internal network, why should hundreds/thousands/millions of ordinary consumers trust you with their valuable identity data?

I see that some progress is finally being made along these lines; Cottage Health System just found out that their insurance won't cover their computer security negligence.

https://securityledger.com/2015/05/clueless-clause-insurer-cites-lax-security-in-challenge-to-cottage-health-claim/

Taleb:

http://www.nytimes.com/2011/11/08/opinion/end-bonuses-for-bankers.html

'The ancients were fully aware of this upside-without-downside asymmetry, and they built simple rules in response.  Nearly 4,000 years ago, Hammurabi’s code specified this: “If a builder builds a house for a man and does not make its construction firm, and the house which he has built collapses and causes the death of the owner of the house, that builder shall be put to death.”'

'This was simply the best risk-management rule ever.  The Babylonians understood that the builder will always know more about the risks than the client, and can hide fragilities and improve his profitability by cutting corners -- in, say, the foundation.  The builder can also fool the inspector; the person hiding risk has a large informational advantage over the one who has to find it.'

Hammurabi:

http://www.commonlaw.com/Hammurabi.html

229. If a builder has built a house for a man, and has not made his work sound, and the house he built has fallen, and caused the death of its owner, that builder shall be put to death.

230. If it is the owner's son that is killed, the builder's son shall be put to death.

231. If it is the slave of the owner that is killed, the builder shall give slave for slave to the owner of the house.

232. If he has caused the loss of goods, he shall render back whatever he has destroyed.  Moreover, because he did not make sound the house he built, and it fell, at his own cost he shall rebuild the house that fell.
