How Microsoft tracked down a spy who leaked its secrets

How Microsoft tracked down a spy who leaked its secrets

Summary: Alex A. Kibkalo, the former Microsoft employee charged this week with leaking the company's trade secrets, was a little too loyal to Microsoft services. That turned out to be his undoing.

SHARE:

[Updated March 20, 3:20PM, with Microsoft statement and timeline]

Here’s a pro tip if you’re planning to get into the industrial espionage business: Don’t use your company’s free email, file storage, and messaging services to do the actual business of transferring that same company's trade secrets to a shadowy figure overseas.

kibkalo-canouna-messenger
A snippet from an IM exchange between the alleged spy and a French blogger

That advice comes courtesy of the very bad example set by Alex A. Kibkalo, a former Microsoft employee who was charged this week with a single count of violating Title 18, United States Code, Section 1832, Theft of Trade Secrets.

According to an affidavit from FBI Special Agent Armando Ramirez III, a disgruntled Kibkalo stole top-secret source code and software development kits, pre-release hotfixes, and documents from Microsoft. He then used Windows Live Messenger to send links to the stolen files, which he had placed in his personal Windows Live SkyDrive account. And for good measure, he sent email messages with additional details to the Hotmail address of his contact in France.

The French Windows enthusiast, widely believed to have used Canouna as his alias, developed quite a reputation during the months leading up to the release of Windows 8, when he became a star in underground circles with leaks of information and code.

According to the FBI, Microsoft’s Trustworthy Computing Investigations department (TWCI) had been trying to track down Canouna’s true identity but had failed. They could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.

Around September 3, 2012, Canouna sent an email to a person in Redmond, allegedly including some sample code from the Microsoft Activation Server Software Development Kit and asking if the recipient could help him “better understand its contents.” The outside source, who asked to remain anonymous, contacted Microsoft’s Steven Sinofsky instead.

Four days later, on September 7, 2012, the FBI says Microsoft acted:

The source indicated that the blogger contacted the source using a Microsoft Hotmail e-mail address that TWCI had previously connected to the blogger. After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account[emphasis added]

Those email messages in turn led to instant messaging conversations and links to files shared on SkyDrive. Every piece of data was stored on Microsoft servers using an account allegedly linked to Kibkalo.

And there's no question that both parties knew they were breaking the law, as this snippet of conversatrion shows:

kibkalo-canouna-messenger-2

Three days after that exchange, on September 24, Microsoft investigators hauled their employee, Kibkalo, in for two days of questioning.

If the messages and files in question had been transferred using Gmail and Dropbox, Microsoft would have probably asked for and received court orders to get access to these communications. But because Kibkalo and his French connection had used servers that are run by Microsoft, the company was able to exercise the rights it had reserved in section 3.5 of the Microsoft Services Agreement:

Content that violates this agreement … or your local law isn’t permitted on the services. Microsoft reserves the right to review content for the purpose of enforcing this agreement. [emphasis added]

In its Code of Conduct for Microsoft services, which is part of the agreement mentioned in that section of the TOS, Microsoft expressly mentions "software piracy" under the Prohibited Uses section.

Microsoft Online Privacy Statement includes similar wording:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public. [emphasis added]

The internal-only code that Kibkalo allegedly leaked includes the Microsoft Activation Server SDK, which is a core piece of Microsoft’s anti-piracy infrastructure. In the FBI affidavit, Microsoft admits that “the potential for harm from misuse of the SDK is generally considered low,” but the risk is that someone could use the code to reverse-engineer a reliable generator of valid product keys for Windows and Office. That prospect is guaranteed to give Microsoft executives major heartburn.

It's worth noting here that this whole incident happened in Summer 2012, before Ed Snowden upended all the pieces on the online privacy game board. In response to a request for comment on this story, a Microsoft spokesperson initially nprovided the following statement:

During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.

As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

One interesting detail in Microsoft's statement is not included in the FBI Special Agent Ramirez's affidavit. According to Microsoft, there was "clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past." That suggests the possibility that more charges will be filed, perhaps in France.

The FBI affidavit and Microsoft's statement only tell one side of the story, of course. Kibkalo will get the opportunity to present his defense soon. Meanwhile, the facts were compelling enough that the United States Attorney asked a Federal magistrate to detain Kibkalo pending trial because of the “serious risk the defendant will flee,” presumably to his native Russia.

In a further update, Microsoft says it will tighten its procedures going forward:

John Frank, Vice President & Deputy General Counsel:

We believe that Outlook and Hotmail email are and should be private.  Today there has been coverage about a particular case.  While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies. 

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed.  So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available.  In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

  • To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge.  We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order. 
  • Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information.  We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.
  • Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders.  We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business.   And in these cases, the review will be confined to the subject matter of the investigation.   

The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency. 

TIMELINE

The following timeline of events in this case is taken from documents filed with the United States District Court in Seattle, Washington:

July 31, 2012: Kibkalo uses an email account associated with his Windows Live Messenger account to communicate with his contact in France, sending SkyDrive links to six zip files of prerelease hotfixes for Windows RT.

August 1, 2012: Kibkalo requests access to Microsoft's Out-Of-Band [OOB] server. Access is granted on August 2.

August 18, 2012: Kibkalo accesses the OOB server and transfers code to a virtual machine on a server in Redmond. He subsequently places one compressed file (PIDGENXSDK.RAR) on his personal SkyDrive account and then uses MSN Messenger to provide the blogger with links to files on his SkyDrive account and encourages him to share the SDK with others to write "fake activation server" code.

September 3, 2012: Outside source contacts Steven Sinofsky, indicates he had been contacted by blogger who sent proprietary code.

September 7, 2012: After what it describes as "a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites," Microsoft's Office of Legal Compliance (OLC) approves "content pulls of the blogger's Hotmail account."

September 9, 2012: Via IM, Kibkalo and the French blogger discuss the logistics of exchanging data.

September 24, 2012: Microsoft investigators interview Kibkalo over the course of two days; those investigators tell the FBI Kibkalo admitted to stealing a large number of products. Investigators also say they found evidence that he had given the blogger access to servers on Microsoft's corporate network.

July 2013: Microsoft investigators share the results of their internal investigation with the FBI.

March 17, 2014: On the basis of an affidavit submitted by the FBI, United States Magistrate Judge Mary Alice Theiler "finds that there is probable cause to believe the Defendant [Kibkalo] committed the offense set forth in the Complaint."

Topics: Microsoft, Security, Windows 8

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

47 comments
Log in or register to join the discussion
  • You're an idiot.

    Microsoft complied with the law. They service email to court ordered warrants. Like tapping phone call. They would have done the same for any court case out there. If it was illegally attained, then its not admisable evidence, and nothing derived after that evidence was divulged is court admisable. They wouldn't risk thier case. The courts issued a warrant. Gmail would have complied just the same.
    CharlesClarke
    • Well, upon a more thorough reading.

      I suppose I'm inaccurate, but they do have the law on thier side. They had a legitimate reason as you can see. I'm sure if the court finds otherwise the entire case will be thrown out, but life goes on. Can't blaime them too much I don't think.
      CharlesClarke
      • Microsoft Scroogles its users

        Clearly the guy is at fault, MS should have complied with the law and have gotten a court order. Then their actions would be air tight. They didn't, and what that shows users is that :

        Users should NEVER TRUST Microsoft.

        The guy was foolish considering doing anything illegal, though Microsoft's actions where right up there along with the fellow who committed these actions .
        Uralbas
        • You didn't read the article very thoroughly, did you?

          As Microsoft says, they can't get a court order to authorise them to search themselves because courts can't issue something like that. What they have done is put in place a process where they have to take evidence to an external attorney to get approval, similar to what they would have to do to get approval from a court for a search on another provider's system. They are giving their users more protection than they are required to by the law.
          CageySee
  • Before things get blown out of proportion...

    "According to the FBI, Microsoft’s Trustworthy Computing Investigations department (TWCI) had been trying to track down Canouna’s true identity but had failed. They could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.

    Around September 3, 2012, Canouna sent an email to a person in Redmond, allegedly including some sample code from the Microsoft Activation Server Software Development Kit and asking if the recipient could help him “better understand its contents.” The outside source, who asked to remain anonymous, contacted Microsoft’s Steven Sinofsky instead."

    Basically, he got reported by the person he contacted, and Microsoft responded accordingly.

    So before we get a bunch of "MS IS SPYING ON ITS USERS" comments, think before you post.
    ForeverCookie
    • Did I miss something,

      or was there a comment above deleted before I got here?
      WhoRUKiddin
      • Probably a spam-bot.

        Sometimes, they just pop in and out of ZD|Net, leaving behind a broken tree of comments.
        ForeverCookie
        • Keep towing the line...

          Well, quite. You wouldn't want a break in an otherwise perfect circle-jerk would you?
          PhilYourBoots
    • Speak of the devil...

      Looks like the next few sets of Anti-MS comments directly ignored everything I said.

      The fact that someone's spamming flags and votes is another matter entirely.
      ForeverCookie
  • He needs to be locked up

    For his own protection if nothing else.
    I nominate for the Darwin Award.
    Boothy_p
  • Of all the idiots in the world . . .

    . . . why would tech company have hired this dolt? Stealing Microsoft IP using Microsoft servers? It's not hard to encrypt email or files. It's not hard to use a secure VPN. It's not hard to get an email account through a provider in Sweden or Italy. Was he trying to get caught?
    sporkfighter
    • He called a Microsoft employee.

      That's like stealing a car, visiting the owner, and asking them how to turn on the AC.
      ForeverCookie
      • If you are referring to the Sept. 3, 2012, entry...

        it was someone outside Microsoft that was contacted. This outsider, rather than replying, told Steven Sinofsky of Microsoft about the contact (from the "blogger", not Kibkalo). Kibkalo is not alleged to have "called" Microsoft. Of course, Ed Bott makes the point that Kibkalo used the Microsoft infrastructure he was used to, which may have been part of his downfall. Yes, this was a fascinating article - thanks, Ed!
        randysmith@...
  • Ed Bott!!!!

    Best write up I've read about this. Great job, Ed!
    DayTrader$
  • Deliberately missing the elephants in the room?

    If you want to read more substantive and relevant coverage of, and in particular, comments on this story, head over to The Register:

    http://www.theregister.co.uk/2014/03/21/microsoft_changes_email_snoop_policies/

    and Ars Technica:

    http://arstechnica.com/tech-policy/2014/03/arrest-of-secret-leaking-ex-microsoftie-raises-hotmail-privacy-concerns/

    There are issues here beyond the trivial and superficial "how" and "timeline" stuff.
    Economister
    • Where have you been? Did you read the article here?

      It is pretty much a direct rebuttal on the nonsense by the Register and responds to the Hotmail privacy concerns directly. So this article clarifies what the other articles speculate on.
      grayknight
      • The most important part of the article...

        "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves."

        In other words, trust us. We won't spy on our users private accounts unless we believe we should spy on them. Yeah, that's the ticket.
        jasonp@...
  • Interesting Revelation

    As part of the court proceedings, Microsoft asserts that is can and will search any customer's email without obtaining a court order because they are reading content on their own servers.

    http://www.pcpro.co.uk/news/387733/microsoft-we-can-search-your-hotmail-without-court-order

    So, if Microsoft decides a court would/might grant an order, they will go ahead and read your content. So much for scroogled.
    allenfalcon
    • Old News

      Apparently you missed the part about section 3.5 of the Microsoft Services Agreement.
      Wild Biker Bill
      • Apparently you missed the part that said...

        "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves."

        In other words, "Hey...trust us." Uh huh.
        jasonp@...