Most of the coverage I’ve seen treats the circumstances of the offense as a curious sidebar, a detail barely worth dwelling on. "Isn’t it stupid that the accused would use Microsoft services to commit this crime?" they ask. That’s followed by hearty laughter and then outrage at Microsoft’s assault on a customer’s privacy.
Those stories are completely missing the point.
The specific facts are all that matters in this case, and the circumstances were truly extraordinary. Microsoft’s lawyers did not order a “content pull” of one suspect’s Hotmail account because they are ethics-challenged snoops or because they were looking for evidence of a crime being committed elsewhere.
They accessed the contents of his Microsoft account because that’s where the crime was happening. And they kept a detailed trail of their actions, precisely because they knew how unusual this action was and how likely it was to end up in a criminal courtroom.
The entire series of events is reminiscent in some ways of that time San Mateo County Sheriffs knocked down a blogger's door and confiscated "three Apple laptops, a Samsung digital camera, a Seagate 500 GB external hard drive, USB flash drives, a HP MediaSmart server, a 32GB Apple iPad, a 16GB iPhone, and an IBM ThinkPad."
Apple had called the cops because they believed (correctly) that the blogger had their property, a prototype iPhone that an engineer had lost in a bar and which Apple considered a "trade secret."
There's one crucial difference between that case and this one, however. Unlike Apple, Microsoft didn't need to get a search warrant, because the stolen property was being stored in a place they owned and controlled.
A crime in progress
Let’s be clear: Stolen Microsoft code, part of the company’s carefully guarded anti-piracy technology, was being stored and accessed by an unauthorized person using Microsoft’s own SkyDrive servers. The person who allegedly stole that code, who was a Microsoft employee at the time, and the person who received the stolen property (identified by the FBI as a “French blogger”) were exchanging those files in real time. They were using Microsoft’s Hotmail and Messenger services to facilitate those transfers when the incidents came to light.
Microsoft's investigators weren't trawling through private email messages as part of a fishing expedition to track down a leaker. They were interrupting a crime in progress. The files being exchanged via SkyDrive were stolen property. The messages themselves were the means of transportation carrying that stolen property across state lines and beyond international borders, making it a genuine Federal case.
This case is not about a run-of-the-mill leak of a pre-release Windows version. Those happen all the time, because there are just too many people, inside and outside Microsoft, who have legitimate access to those early builds. As maddening as those leaks throughout 2011 and the first half of 2012 must have been to Steven Sinofsky and his lieutenants, there is no evidence that anyone even considered using the contents of the French connection’s Hotmail account to identify him.
No, the leaked code that was included in the September 3, 2012 email from the French blogger to a mysterious contact in Redmond (allegedly not a Microsoft employee, but one who knew Sinofsky well enough to forward the hot potato to him) was much more important.
The Microsoft Activation Server is one of Microsoft’s crown jewels, the internal code that validates product keys for activation. A hacker with access to its source could, conceivably, reverse-engineer the algorithms for generating and testing product keys. In the wrong hands, that would undo more than a decade of steady progress in stamping out pirated copies of Microsoft Windows and Office.
The "journalist" distraction
Several commentators have inaccurately characterized the person who received the stolen property as a “journalist.” That’s nonsense, as any actual journalist who covers Microsoft will gladly tell you. Those of us who were working in this space in 2011 and 2012 know the unnamed French blogger and his website all too well. He was not a journalist. Full stop. He was a reasonably skilled software pirate with good connections, a penchant for tweaking authority, and appallingly bad operational security skills.
And anyway, it doesn’t matter. The “journalist” label is a distraction, trotted out to support an agenda, to argue that Microsoft is picking on a critic or gadfly. Using that term allows a commentator to plant the suspicion that the company could easily target other “journalists” for the same treatment. That’s nonsense, too.
This code was leaked for the express purpose of making it easier to crack Microsoft’s product activation technologies. If someone can do that, the potential loss to Microsoft would be measured in billions of dollars. There’s no journalistic justification for leaking the code to a community that has a history of creating key generators and phony activation tools.
And based on the chat transcripts made public by the FBI, there's no question that was the intent of the principals in this criminal case. I've highlighted the relevant parts in the snippet below. (The "hacker friend" referred to in the first line is, presumably, the person who received the email containing samples of the stolen code and forwarded the note to Microsoft's Steven Sinofsky.)
The decision by Microsoft’s top lawyers to approve “content pulls of the blogger’s Hotmail account” was a direct response to a potential crisis. Someone outside Microsoft had access to very sensitive secrets, and they had raised the stakes substantially with this leak. At the time, there was no way of knowing whether this first leak was just the tip of the iceberg. Under those circumstances, there was absolutely reasonable justification for a direct response.
Could this happen to you or me?
Virtually everything I’ve read about this case so far tries to force its facts into one of two narratives:
“Microsoft should have called in the FBI before it poked through this guy’s email.” I think that’s a naïve conclusion. The first response of any for-profit company is to safeguard its most valuable assets. For a multi-billion-dollar global software company, that includes trade secrets like its activation technology. The Federal charges listed in the complaint against Kibkalo confirm that the stolen property was being transferred using Microsoft’s own servers.
“Microsoft was willing to go through this guy’s email. Who’s to say you’re not next?” As far as I can tell, this is the first time in 18 years that Microsoft has “pulled content” from a customer’s Hotmail account without a search warrant. Like its competitors, Microsoft has strict institutional controls in place to prevent a rogue employee from accessing database files without setting off alarms and leaving a record. The fact we are talking about this case is testimony to just how rare the circumstances are.
If, several years ago, you had asked one of Microsoft’s lawyers to describe the set of facts that would allow this sort of extraordinary access, I doubt they would have come up with this chain of events. In fact, if a screenwriter had suggested this as the plot of a movie or TV show, it would have been rejected as totally unrealistic. And yet here we are, with a pair of main actors who look like they stepped out of Dumb and Dumber.
Are there other, less clear-cut examples of unwarranted searches of Microsoft accounts in the past 18 years? I’m eagerly awaiting the whistle-blower within Microsoft who points them out. (Pro tip: send me the details on my Yahoo account, OK?)
Waiting for the other shoe to drop
I think there are several bombshells yet to drop in this case. The original FBI affidavit supporting Kibkalo’s arrest notes, quite pointedly, that it “does not detail each and every fact and circumstance of the investigation or all the information known to the investigative participants.”
In fact, the questions raised by the original complaint could keep a conspiracy theorist going for several years. Here are a few of my questions:
- Microsoft’s initial statement on this case claims it “conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved.” The French blogger reportedly signed a confidentiality agreement with Microsoft. Was that part of a plea deal? Did that individual voluntarily turn over the contents of his email and online file storage to Microsoft investigators? As part of that deal, was he acting as an informant to avoid being charged himself?
- Why bring charges now? The alleged leaker, Kibkalo, had left Microsoft’s employ and was presumably no longer able to access sensitive code. Why bring these charges in March 2014, 18 months after the initial events occurred?
- Microsoft allowed its wayward employee, Kibkalo, to resign in September 2012, after which he relocated to Russia, where extradition is, how you say, awkward. As recently as March 13, 2014, Kibkalo was identifying himself as a Microsoft partner and contributing to Microsoft’s TechNet blog network. What brought him back to Seattle, where he was arrested?
- The French blogger shut down his website and deleted his most notorious Twitter account in early 2013. That’s not surprising. But my eyebrow hits the ceiling when I note that last month, just before all this madness happened, the same individual stopped posting on his personal Twitter account (one that wasn’t so widely known). On March 18 or 19, shortly after Kibkalo was arrested, he deleted that account completely. Why?
In some respects, this case reminds me of several high-profile investigations involving members of the Anonymous network. Investigators had the opportunity to throw the book at the first few targets they arrested. Instead, they turned those targets into confidential informants who proceeded to help take down the rest of the network.
Is the Windows Underground about to suffer a similar fate?