The trade in exploits, that is, ways and means of exploiting known and unknown security holes, is rather lucrative. Many government agencies now supply themselves with such tools from private companies, also in order to use them offensively against third parties. The industry sometimes has few inhibitions about selling to authoritarian regimes. The German start-up Go Root wanted to do it differently and failed, as research by Der Spiegel and Bayerischer Rundfunk shows. The German state's reluctance is also said to have contributed to this.
The two media outlets evaluated internal documents and spoke with people involved, gaining an insight into the naturally closed world of such specialized companies. According to their reporting, Go Root was founded in 2017 and marketed its products at military conferences, but also to German authorities and arms companies.
Attack yes, but morally clean
According to the documents, the products on offer included ones that can paralyze the data networks of whole regions. Beyond that, the company apparently had plenty in its quiver for a rather offensive strategy. For this, employees of competitors were also brought in, who developed suitable tools within a few months and then adapted them to customer requests. A promise that allegedly attracted some talent was to work only with reliable partners that are legitimate under German law. That excludes authoritarian states, which often use such tools against domestic opponents.
One of the co-founders of Go Root was Sandro Gaycken, who has not only published a book on cyberwar but was also a NATO consultant and advised the federal government on cyber security. He has repeatedly advocated an offensive strategy in cyber security. In an article on the BND scandal, he defended US espionage against German companies in 2015 as "root control" and denied the suspicion of economic espionage.
SAP in the sights
Go Root apparently also had projects in mind that were rather delicate for the German economy. According to Der Spiegel, the aim was to consolidate SAP databases, but also to cast them and put it with it. Given the numerous SAP customers worldwide, which include large companies as well as numerous aggregates, this would be a very far-reaching attack tool.
It is unclear whether such software actually existed or was even used. According to Gaycken, the project was "never made functional" and an SAP product was "never developed, offered or sold". However, the advanced thought experiment suggests that potential security holes were known or at least suspected. This raises the question of what happens to that knowledge.
Despite good contacts, the financiers of Go Root soon lost interest, owing to a lack of application. The company was therefore either to be sold or to cooperate with other companies. There were allegedly also interested parties from the Arab states. Co-founder Gaycken warned internally of the possible legal consequences, soon gave up the management and left the company in a dispute. Many of the recruited specialists followed him. Meanwhile, Go Root is marketed rather as a commercial security company, not without referring to the world's best ethical hackers.
No success with high standards
Why Go Root ultimately failed with its concept, although it is in line with the current strategy of German security authorities, is not quite clear. German authorities, too, are explicitly not averse to exploiting security holes for their own purposes. With the Central Office for Information Technology in the Security Sector (ZITiS), a "hacker agency" has been created that is subordinate to the Ministry of the Interior; Interior Minister Seehofer wants to demand the "responsible handling of 0-day vulnerabilities and exploits".
According to Der Spiegel, the Bundeswehr's "Cyber and Information Space Command" talked to the company "as part of a fundamental market analysis", but no contract resulted. Other, unnamed parties, the report suggests, said that the applications were not yet mature or did not deliver what was promised. Go Root, on the other hand, stated that the "business model under the self-set high ethical and compliance guidelines could not be successfully implemented". According to Gaycken, the Germans were too slow and inflexible "for an agile cooperation".
Contrary to what was originally written, the Bundeswehr's Cyber and Information Space Command did not find fault with the quality of the software; rather, there was simply no cooperation with Go Root. The section has been corrected accordingly.