The Alex Kibkalo case explained

By | June 14, 2014

I know this is old news, but I’ve been meaning to write this post for a while now since there are still a lot of people confused by Kibkalo’s arrest. A couple of days ago, news broke that Alex Kibkalo was sentenced to 3 months in prison so I figured this would be a good time to finish this post.
In this post I’ll try to explain what happened, why he got arrested and most importantly, what this means for future Windows leaks.

The information below is based on personal experience, but mostly on these court documents: Kibkalo-complaint.pdf, Kibkalo-plea.pdf, Kibkalo-def-memo.pdf and Kibkalo-judgment.pdf.

The protagonists of the story

Alex Kibkalo

Alex Kibkalo was a seven-year employee at Microsoft who was working as a software architect in Lebanon at the time of Microsoft’s investigation. He had previously worked at a location in his native Russia and had requested a transfer to Lebanon. In 2012, Kibkalo received a poor performance review and threatened to resign if the review was not amended. He was advised that the review would not be changed and that he needed to provide a formal resignation letter. He later left Microsoft for the Russian office of American software company 5nine. He reportedly holds advanced degrees in economics and mathematics and can speak seven languages.

Kibkalo provided Canouna with confidential Windows 8 development information, including full builds.

The French blogger a.k.a. Canouna

The court documents only talk about a “French blogger falsely claiming to be from Quebec” and never mention Canouna by name, but anybody who was around during the development of Windows 8 knows that this is Canouna.
Canouna first posted screenshots and internal info on MDL, later he started a blog, WinUnleaked.tk, where he regularly blogged about unleaked builds. He later turned his blog into a forum where he continued to spread unleaked info. Canouna never leaked any full builds, just screenshots and bits of information. The court documents describe the blogger:

The blogger was known to those in the Microsoft blogging community for posting screenshots of pre-release versions of the Windows Operating System. The blogger began his online persona by posting Windows-related comments on forums related to Microsoft products. The blogger later started posting Microsoft news and information to his own websites. The blogger used his Twitter account to post comments about internal Microsoft build specifications for unreleased software and news relating to his latest postings. The blogger deliberately hid his identity, stating falsely that he was from Quebec, and ensured that key identifying information was not posted.

Microsoft even tried to track Canouna down long before Kibkalo’s leaks:

Trustworthy Computing Investigations (TWCI), a Microsoft department responsible for protecting the company from external threats such as hackers, and internal threats such as information leaks, had been tracking the blogger’s postings and had attempted to ascertain his identity prior to Kibkalo’s leak. At the time, TWCI could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.

The Windows Activation Server SDK

This SDK is the most important piece of software Kibkalo leaked. Microsoft described it as follows:

The SDK is used for product key validation and was distributed for internal Microsoft use only. Microsoft product teams use the SDK in customizing their product code to ensure proper validation in the product key activation process. Proper validation of product keys is part of Microsoft’s effort to protect against copyright infringement of its products.

(…)

The sample keys in the SDK would not enable product activation or allow product key generation on their own because the SDK contained obfuscated binaries and did not include the security algorithm. Nonetheless, the technology within the SDK could allow someone external to understand better the overall Microsoft product key validation scheme. Ultimately, while the potential for harm from misuse of the SDK is generally considered low, Microsoft Windows Principal Development Manager stated that the samples in the SDK “could help a hacker trying to reverse engineer the code.”

The Windows Activation Server SDK was part of the Windows Intellectual Property (WIP) security program, and Microsoft goes to great lengths to protect WIP assets:

All WIP assets (Windows program builds, development tools, Software Development Kits, Windows Driver Kits, etc.) are stored on a series of file servers located in specially secured rooms on Microsoft premises. These rooms are secured and access is controlled via special card-key access rights limited to a defined set of employees. The rooms are monitored at all times by camera and alarm by Microsoft’s Corporate Security team.

(…)

There is a single access control tool that is used to provision access for employees. This tool checks to ensure that an employee is assigned to a Windows project before it grants the employee access to any WIP. If an employee who is not working on a Windows project wishes access to the Windows IP they must provide a detailed justification, obtain their manager’s approval, and then the approval of a sponsor within the Windows organization. If the justification is sufficient and all approvals are met then access can be granted at the discretion of the WIP security program management. Electronic files downloaded from WIP may be signed by a unique identifier to facilitate tracking back to the person who downloaded files.
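To make the two controls described in that quote concrete, here is an illustrative model added to this post (it is not Microsoft’s provisioning tool and not code from the court documents): an access gate that follows the quoted rules, and a per-download tag that lets a leaked copy be traced back to the download record. The HMAC-based tag, the trailing text marker, the employee aliases, the asset name and the server key are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Employee:
    alias: str
    projects: frozenset  # constructed directory data: projects the employee is assigned to


@dataclass
class AccessRequest:
    employee: Employee
    justification: str = ""
    manager_approved: bool = False
    sponsor_approved: bool = False  # sponsor inside the Windows organization


def access_decision(req: AccessRequest, program_mgmt_approves: bool = False) -> Tuple[bool, str]:
    """Gate modelled on the quoted WIP rules: members of a Windows project pass;
    anyone else needs a justification, manager and sponsor approval, and then
    the approval is still discretionary for WIP program management."""
    if "Windows" in req.employee.projects:
        return True, "assigned to a Windows project"
    if not req.justification.strip():
        return False, "no justification supplied"
    if not req.manager_approved:
        return False, "manager approval missing"
    if not req.sponsor_approved:
        return False, "Windows sponsor approval missing"
    if not program_mgmt_approves:
        return False, "declined at WIP program management discretion"
    return True, "exception granted with all approvals"


# Assumption: the file server appends a short tag to text assets on download.
# Binary assets would need a format-specific carrier; the lookup logic is the same.
MARKER = b"\n# wip-download-tag: "


def _compute_tag(key: bytes, record: dict) -> str:
    """Tag = truncated HMAC-SHA256 over the canonical download record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]


def tag_download(key: bytes, log: Dict[str, dict], alias: str, asset: str,
                 content: bytes, ts: int) -> bytes:
    """Record who downloaded what and when, and stamp the file with the tag."""
    record = {"alias": alias, "asset": asset, "ts": ts}
    tag = _compute_tag(key, record)
    log[tag] = record
    return content + MARKER + tag.encode()


def trace_leak(key: bytes, log: Dict[str, dict], leaked: bytes) -> Optional[dict]:
    """Given a file found outside the company, recover the download record.
    Returns None if no tag is present, the tag is unknown, or the logged record
    does not reproduce the tag (a tampered log or a forged tag)."""
    idx = leaked.rfind(MARKER)
    if idx < 0:
        return None
    tag = leaked[idx + len(MARKER):].strip().decode(errors="replace")
    record = log.get(tag)
    if record is None:
        return None
    if not hmac.compare_digest(_compute_tag(key, record), tag):
        return None
    return record


if __name__ == "__main__":
    key = b"constructed-demo-server-key"  # assumption: secret held only by the file server
    log: Dict[str, dict] = {}
    sdk = tag_download(key, log, "alice", "ActivationServerSDK.zip", b"<sdk bytes>", 1345000000)
    print(trace_leak(key, log, sdk))       # traces back to alice's download record
    print(trace_leak(key, log, b"<sdk bytes>"))  # untagged copy: None
```

The gate refuses early with a reason string, which is what an audit trail of denied requests needs; the tag is keyed so that a leaker cannot forge a tag that points at someone else’s download without the server key.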

A timeline of the events

July 31, 2012

Kibkalo uses his SkyDrive to send Canouna a set of pre-release Windows 8 RT hotfixes. At the time, these hotfixes were only distributed through Original Equipment Manufacturer (OEM) partners as preloaded software, as Windows 8 hadn’t been released yet.

August 1, 2012

Kibkalo requests access to Microsoft’s Out of Band (OOB) server, which was granted on August 2, 2012. Data traces to the OOB server showed that Kibkalo accessed it on August 18, 2012.

August 18, 2012

Alex Kibkalo sends the Windows Activation server SDK to Canouna through SkyDrive.

Kibkalo encouraged Canouna to share the SDK with “others who might be able to reverse engineer the software and write fake activation server code”. He knew what the potential implications were: he asked whether Canouna knew any hackers who would like to participate in writing fake activation server code. He later added that he wanted a developer to “play” with the SDK to “check what is inside.”

What follows is an MSN chat between Kibkalo and Canouna about leaking the SDK and reverse engineering it:

KIBKALO: Your hacker friend is in MSFT or out?

CANOUNA: Out

KIBKALO: Would he like to participate in writing fake activation server

CANOUNA: but…his GF is now msft employee, she start in December

KIBKALO: If I have sources of the real one

CANOUNA: I can ask now

KIBKALO: Sure

I have SDK, tokens, binaries, website, etc

need some developer to play with it, I am not

no commitments of course, but I won’t share

that just for collection, – if we do that, let’s

someone try to check what is inside

CANOUNA: Asked

reply:

“that’s crossing a line you know pretty illegal lol”

KIBKALO: I know :)

September 3, 2012

Canouna makes a big mistake: he approaches another Microsoft employee and sends him the SDK he got from Kibkalo, asking him to “examine the contents of the code to help [him] better understand its contents.” The employee immediately contacted Steven Sinofsky, the former President of the Windows Division of Microsoft, who in turn contacted TWCI.

September 7, 2012

Microsoft’s Office of Legal Compliance (OLC) approves content pulls of the blogger’s Hotmail account. In Canouna’s Hotmail account, TWCI found plenty of evidence that Kibkalo was Canouna’s source: several emails from Kibkalo’s Windows Live Messenger account, akibkalo@mail.ru, including emails containing confidential information and unreleased hotfixes.

September 21, 2012

Judging by his last chat with Kibkalo, Canouna already suspected that Microsoft was onto him (“Lca” probably stands for Microsoft’s Office of Legal and Corporate Affairs):

CANOUNA: Lca

Grr

they scaring me

they have my name about leaks i think

KIBKALO: Guess they can’t prove it

otherwise we won’t be speaking

and if they can’t prove — don’t care

CANOUNA: Lol

why you think we wont speaking?

cuz i will be in jail?

KIBKALO:  :)

September 24, 2012

At the conclusion of Microsoft’s internal investigation, TWCI investigators interviewed Kibkalo over the course of two days. He admitted to sharing a number of internal products, including unreleased Windows 8 hotfixes, unreleased versions of Windows Live Messenger, documents and presentations about Microsoft products, and the Activation Server SDK.

Kibkalo said he met Canouna in an online forum and communicated with him three to four times a week for several months.

Canouna was interviewed by TWCI too; the MSN chat logs above were pulled from his home computer.

July 2013

Microsoft hands over the results of their internal investigation to an FBI agent for further legal action.

March 14, 2014

Canouna, now known around the web as NTmarta, posts one final message on MDL:

The NDA dude… the NDA… never forget the NDA

A couple of days later, all of his online accounts are gone, including his MDL account and his Twitter account.

March 17, 2014

Kibkalo is officially arrested in Seattle, where he is working on a visa at a local software company. He has remained incarcerated ever since.

March 31, 2014

Kibkalo enters a guilty plea. He faces up to 10 years in prison, a maximum fine of $250,000 and an additional 3 years of supervision following his release from prison.

The plea agreement suggests a restitution of $22,500 to Microsoft and a jail sentence of 3 months.

June 11, 2014

Kibkalo is officially sentenced to 3 months in prison; because he has been imprisoned since March 19th, he is due to be released next week. Because he was in the US on a visa, he is being deported back to Russia as soon as his jail term ends. In his guilty plea he agreed to a restitution of $22,500, but this has been waived because the judges deemed that Kibkalo is likely unable to pay it.

In a letter to the court (Kibkalo-defense-letter.pdf) Kibkalo expressed his regrets about what he had done:

As of now, I deeply regret, that I have shared that information. Having done that I have lost a job, one can only dream about. Moreover, when I have found another interesting job a year after, the echo of my mistakes took that from me too.

For sure I was given good lessons, which I deserved.

He also detailed what he is planning on doing once he returns to Russia:

Last months in FDC gave me time to think about future steps, and to study some Spanish as well! When I return home I plan to continue with trainings, which I deliver for learning centers, and I am thinking about publishing a book about my mistakes and the result, which might make more people think on this topic. Of course I would be looking for another interesting full time job, preferably in software security again.

The future of Windows leaks

Now, what does Kibkalo’s conviction mean for future Windows leaks? The immediate effect was clear: all leaks stopped for a couple of weeks. No builds, not a single bit of inside information was leaked. Important leakers disappeared from the web completely; WZOR, for example, shut down his Twitter account and his website, wzor.net. Things are slowly returning to normal and information is finding its way out of Redmond again, albeit a lot less than before. WZOR returned too, but he hasn’t been all that active. Not a single build has been leaked since Kibkalo’s arrest.

I do understand the initial scare, but the Kibkalo case is not a reason to stop the leaks! Although it might look like Kibkalo got convicted for leaking info and sharing builds with Canouna, that’s not the case at all. If he had just kept doing what he did, he probably would never have run into trouble; only by sharing the Activation Server SDK did he cross a line. Kibkalo’s defense had this to say about the matter:

…leaking Microsoft code to a technology blogger with whom he regularly (and legitimately) chatted about tech developments and other industry issues. This time the defendant went too far, giving up proprietary Microsoft software without permission and cavalierly suggesting that it could be reverse engineered to produce fake activation keys.

If you’re familiar with the court documents, you know Microsoft really only cared about the SDK: the Windows builds only take up a couple of lines in the court documents, while the SDK is described in great detail over the course of several pages. The prosecutor’s memo doesn’t mention the Windows builds at all, nor does the final judgment!

What I’m trying to say is, Microsoft probably doesn’t care if you leak Windows builds or info; they won’t track you down and you won’t go to jail as long as you don’t go crazy with the leaks and start leaking really big stuff, like the Activation Server SDK. So, just keep those leaks coming, leakers!

Special thanks to Seattlepi.com reporter Levi Pulkkinen, who helped me with this post and provided me with the necessary court documents.
  • Lisse Duo

    suck my ass faggot !

    • http://bav0.com BAV0

      Wait, what?

  • The Distractor

    Sounds about right, being a mod on BetaArchive, who was in the beta scene during 2011-2012 (and longer than that!) and who spoke to canouna at length... indeed I recognised the “blogger” was canouna as soon as I read one line from the provided logs.

    (In fact I remember one time he said to me on IRC he was bored with win8 haha.)

    Frankly, I don’t care what those with access to builds do, we’re lucky to get anything at all from them. If anyone decides to leak then they should use common sense and take all necessary measures to protect themselves.

    A few days ago I wondered what would have happened if Kibkalo had contacted someone in the warez scene, and not an idiot like canouna.

  • FatAmerica

    Leaking software means nothing to Microsoft. When you leak something that has to do with money you are in for trouble especially if they spent millions and millions they need to profit from it.
