I know this is old news, but I’ve been meaning to write this post for a while now since there are still a lot of people confused by Kibkalo’s arrest. A couple of days ago, news broke that Alex Kibkalo was sentenced to 3 months in prison so I figured this would be a good time to finish this post.
In this post I’ll try to explain what happened, why he got arrested and most importantly, what this means for future Windows leaks.
The protagonists of the story
Alex Kibkalo was a seven-year employee at Microsoft who was working as a software architect in Lebanon at the time of Microsoft’s investigation. He had previously worked at a location in his native Russia and had requested a transfer to Lebanon. In 2012, Kibkalo received a poor performance review and threatened to resign if the review was not amended. He was advised that the review would not be changed and that he needed to provide a formal resignation letter. He later left Microsoft for the Russian office of American software company 5nine. He reportedly holds advanced degrees in economics and mathematics and can speak seven languages.
Kibkalo provided Canouna with confidential Windows 8 development information, including full builds.
The French blogger a.k.a. Canouna
The court documents only talk about a “French blogger falsely claiming to be from Quebec”, they never name Canouna’s name, but anybody who was around during the development of Windows 8 knows that this is Canouna.
Canouna first posted screenshots and internal info on MDL, later he started a blog, WinUnleaked.tk, where he regularly blogged about unleaked builds. He later turned his blog into a forum where he continued to spread unleaked info. Canouna never leaked any full builds, just screenshots and bits of information. The court documents describe the blogger:
The blogger was known to those in the Microsoft blogging community for posting screenshots of pre-release versions of the Windows Operating System. The blogger began his online persona by posting Windows-related comments on forums related to Microsoft products. The blogger later started posting Microsoft news and information to his own websites. The blogger used his Twitter account to post comments about internal Microsoft build specifications for unreleased software and news relating to his latest postings. The blogger deliberately hid his identity, stating falsely that he was from Quebec, and ensured that key identifying information was not posted.
Microsoft even tried to track Canouna down long before Kibkalo’s leaks:
Trustworthy Computing Investigations (TWCI), a Microsoft department responsible for protecting the company from external threats such as hackers, and internal threats such as information leaks, had been tracking the blogger’s postings and had attempted to ascertain his identity prior to Kibkalo’s leak. At the time, TWCI could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.
The Windows Activation Server SDK
This SDK is the most important piece of software Kibkalo leaked, Microsoft described the SDK as follows:
The SDK is used for product key validation and was distributed for internal Microsoft use only. Microsoft product teams use the SDK in customizing their product code to ensure proper validation in the product key activation process. Proper validation of product keys is part of Microsoft’s effort to protect against copyright infringement of its products.
The sample keys in the SDK would not enable product activation or allow product key generation on their own because the SDK contained obfuscated binaries and did not include the security algorithm. Nonetheless, the technology within the SDK could allow someone external to understand better the overall Microsoft product key validation scheme. Ultimately, while the potential for harm from misuse of the SDK is generally considered low, Microsoft Windows Principal Development Manager stated that the samples in the SDK “could help a hacker trying to reverse engineer the code.”
The Windows Activation Server SDK was part of the Windows Intellectual Property (WIP) security program, Microsoft goes great lengths to protect WIP assets:
All WIP assets (Windows program builds, development tools, Software Development Kits, Windows Driver Kits, etc.) are stored on a series of file servers located in specially secured rooms on Microsoft premises. These rooms are secured and access is controlled via special card-key access rights limited to a defined set of employees. The rooms are monitored at all times by camera and alarm by Microsoft’s Corporate Security team.
There is a single access control tool that is used to provision access for employees. This tool checks to ensure that an employee is assigned to a Windows project before it grants the employee access to any WIP. If an employee who is not working on a Windows project wishes access to the Windows IP they must provide a detailed justification, obtain their manager’s approval, and then the approval of a sponsor within the Windows organization. If the justification is sufficient and all approvals are met then access can be granted at the discretion of the WIP security program management. Electronic files downloaded from WIP may be signed by a unique identifier to facilitate tracking back to the person who downloaded files.
A timeline of the events
July 31, 2012
Kibkalo uses his SkyDrive to send Canouna a set of pre-release Windows 8 RT f. These hotfixes were only distributed through Original Equipment Manufacturing (OEM) partners as preloaded software at that time as Windows 8 hadn’t been released yet.
August 1, 2012
Kibkalo requests access to Microsoft’s Out of Band (OOB) server, which was granted on August 2, 2012. Data traces to the OOB server showed that Kibkalo accessed it on August 18, 2012.
August 18, 2012
Alex Kibkalo sends the Windows Activation server SDK to Canouna through SkyDrive.
Kibkalo encouraged Canouna to share the SDK with “others who might be able to reverse engineer the software and write fake activation server code”. He knew what the potential implications were, he asked if Canouna knew any hackers who would like to participate in writing fake activation server codes. He later added that he wanted a developer to “play” with the SDK to “check what is inside.”
What follows is an MSN chat between Kibkalo and Canouna about leaking the SDK and reverse engineering it:
KIBKALO: Your hacker friend is in MSFT or out?
KIBKALO: Would he like to participate in writing fake activation server
CANOUNA: but…his GF is now msft employee, she start in December
KIBKALO: If I have sources of the real one
CANOUNA: I can ask now
I have SDK, tokens, binaries, website, etc
need some developer to play with it, I am not
no commitments of course, but I won’t share
that just for collection, – if we do that, let’s
someone try to check what is inside
“that’s crossing a line you know pretty illegal lol”
KIBKALO: I know :)
September 3, 2012
Canouna makes a big mistake and approaches another Microsoft employee and send him the SDK he got from Kibkalo to “examine the contents of the code to help the [him] better understand its contents.” The employee immediately contacted Steven Sinofsky, the former President of the Windows Division of Microsoft, who in turn contacted TWCI.
September 7, 2012
Microsoft’s Office of Legal Compliance (OLC) approves content pulls of the blogger’s Hotmail account. In Canouna’s Hotmail account TWCI found a bunch of evidence that proved Kibkalo was Canouna’s source, they found several emails from Kibkalo’s Windows Live Messenger account, email@example.com inclusing emails containing confidential information and unreleased hotfixes.
September 21, 2012
According to his last chat, Canouna already suspected that Microsoft was onto him: (“Lca” probably stands for Microsoft’s Office of Legal and Corporate Affairs)
they scaring me
they have my name about leaks i think
KIBKALO: Guess they can’t prove it
otherwise we won’t be speaking
and if they can’t prove — don’t care
why you think we wont speaking?
cuz i will be in jail?
September 24, 2012
At the conclusion of Microsoft’s internal investigation, TWCI investigators interviewed Kibkalo over the course of two days, he admitted to sharing a number of internal products including unreleased Windows 8 hotfixes, unreleased versions of Windows Live Messenger, documents and presentations about Microsoft products and the Activation server SDK.
Kibkalo said he met Canouna in an online forum and communicated with him three to four times a week for several months.
Canouna was interviewed by TWCI too, the MSN chat logs above were pulled from his home computer.
Microsoft hands over the results of their internal investigation to an FBI agent for further legal action.
March 14, 2014
Canouna, now known around the web as NTmarta posts one final message on MDL:
The NDA dude… the NDA… never forget the NDA
A couple of days later, all of his online accounts are gone, including his MDL account and his twitter account.
March 17, 2014
Kibkalo is officially arrested in Seattle, where he is working on a visa at a local software company. He has remained incarcerated ever since.
March 31, 2014
Kibkalo enters a guilty plea, he faces up to 10 years in prison, a maximum fine of $250,000 and an additional period of supervision of 3 years following his release from prison.
The plea agreement suggests a restitution of $22,500 to Microsoft and a jail sentence of 3 months.
June 11, 2014
Kibkalo is officially sentenced to 3 months in prison, because he has been imprisoned since March 19th, he is due to be released next week. Because he was in the US on a visa he is being deported back to Russia as soon as his jail term ends. In his guilty plea he agreed to a restitution of $22,500, but this has been waived because the judges deemed that Kibkalo is likely unable to pay this fine.
In a letter to the court (Kibkalo-defense-letter.pdf) Kibkalo expressed his regrets about what he had done:
As of now, I deeply regret, that I have shared that information. Having done that I have lost a job, one can only dream about. Moreover, when I have found another interesting job a year after, the echo of my mistakes took that from me too.
For sure I was given good lessons, which I deserved.
He also detailed what he is planning on doing once he returns to Russia:
Last months in FDC gave me time to think about future steps, and to study some Spanish as well! When I return home I plan to continue with trainings, which I deliver for learning centers, and I am thinking about publishing a book about my mistakes and the result, which might make more people think on this topic. Of course I would be looking for another interesting full time job, preferably in software security again.
The future of Windows leaks
Now, what does Kibkalo’s conviction mean for future Windows leaks? The immediate effect was clear, all leaks stopped for a couple of weeks, no builds, not a single bit of inside information was leaked. Important leakers disappeared from the web completely, WZOR, for example, shut down his twitter account an his website, wzor.net. Things are slowly returning back to normal, information is finding it’s way out of Redmond again, albeit a lot less than before. WZOR returned too, but he hasn’t been all that active. Not a single build was leaked since Kibkalo’s arrest.
I do understand the initial scare, but the Kibkalo case is not a reason to stop the leaks! Although it might look like Kibkalo got convicted for leaking info and sharing builds with Canouna, that’s not the case at all. If he had just kept doing what he did he probably would’ve never run into trouble, only by sharing the Activation Server SDK did he cross a line. Kibkalo’s defendant had this to say about the matter:
…leaking Microsoft code to a technology blogger with whom he regularly (and legitimately) chatted about tech developments and other industry issues. This time the defendant went too far, giving up proprietary Microsoft software without permission and cavalierly suggesting that it could be reverse engineered to produce fake activation keys.
If you’re familiar with the court documents, you know Microsoft really only really cared about the SDK, the Windows builds only make up for a couple of lines in the court documents, while the SDK is described in great detail over the course of several pages. The prosecutor’s memo doesn’t include any mention of the Windows builds at all, nor does the final judgment!
What I’m trying to say is, Microsoft probably doesn’t care if you leak Windows builds or info, they won’t track you down and you won’t go to jail as long as you don’t go crazy with the leaks and start leaking really big stuff, like the Activation Server SDK. So, just keep those leaks coming, leakers!Special thanks to Seattlepi.com reporter Levi Pulkkinen, who helped me with this post and provided me with the necessary court documents.