The “Sophos” case – heroes or villains?

So now one of the biggest manufacturers of security software has admitted that it carried out hacking itself and spied on some of its customers.

The manufacturer is Sophos and the hackers were a group of Chinese hackers who were suspected of trying to hack customers with Sophos systems.

What exactly happened?

The story is basically quite simple: a software manufacturer suspects that there are bad people somewhere in China who want to do it (or its customers) harm. So it preemptively attacks them (and who knows who else) itself to find out how the damage is to be caused and to prevent it from spreading in advance, so to speak. Sophos is extremely proud of this action and describes in great detail what measures were taken (https://www.sophos.com/en-us/content/pacific-rim). It almost reads like a detective story…

Um… is that allowed?

Of course not! Legally, the matter is completely clear. You are not allowed to access other people’s computers without a court order, regardless of the justification, and certainly not as a company (nor as a private individual, of course). Sophos is therefore keeping a very low profile as far as support/cooperation with the authorities is concerned.

But what if it serves a good cause?
What if the “bad guys” are the ones on the other side?

And now we are in the middle of a moral dilemma. There is no legal way to put a stop to a Chinese hacker group – at least not if they are also working with the Chinese government, as Sophos claims. However, the hacker group in question can very well paralyze, blackmail or damage hospitals, infrastructure, companies, etc.

That is not fair.
Doesn’t the end perhaps justify the means here after all?

I don’t know.
But I am firmly convinced that we will sink into complete chaos if we arbitrarily or selectively ignore our values and laws. We therefore need to find legal means that are appropriate to the times and the technical possibilities. A huge challenge for politicians, computer scientists and lawyers.

Sophos is currently being celebrated in the industry for this kind of “forward defense”.

I consider this case a very good and frightening example of how hackers and attackers are often one step ahead of us when it comes to cybersecurity, because different rules, or none at all, apply to them.

What do you think?

#informatikersindcool #juristenauch #letshacktogether