Receiving leaks from Microsoft? Don’t use Hotmail/Outlook.com!

The Seattle PI reported yesterday that a former Microsoft employee, Alex Kibkalo, was arrested for “theft of trade secrets”, stemming from his leaking pre-release Windows 8 information to a French blogger, known as Canouna, and concerned mainly with the theft and unauthorized release of a copy of Microsoft’s Activation Server Software Development Kit. While the indictment (PDF here) makes it clear that Microsoft was concerned more with the release of the SDK than the Windows 8 information, it also reveals an interesting timeline and set of circumstances on how the company caught Kibkalo.

According to the indictment, Canouna (who is not named in the documents, but it’s pretty clear who it is from the timeline and the content of the Windows 8 leaks, which he was posting via WinUnleaked.TK) contacted an outside source to determine the veracity of the SDK. That source then went straight to then-Microsoft Windows Division President Steven Sinofsky, reporting to him that the blogger had provided him/her a copy of the unreleased SDK. Microsoft, through its leak protection department TWCI (Trustworthy Computing Initiative), had already been tracking Canouna, but had been unable to determine “if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee”.

Once Microsoft had established that Canouna had possession of the SDK, and that he had a Hotmail account which had been used to contact the outside source, TWCI went to work. From the indictment:

13. The source indicated that the blogger contacted the source using a Microsoft Hotmail e-mail address that TWCI had previously connected to the blogger. After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012 Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account.

14. An e-mail from Microsoft employee ALEX KIBKALO was found within the blogger’s Hotmail account which established that KIBKALO shared confidential Microsoft information and data with the blogger through KIBKALO’s Windows Live Messenger account, akibkalo@mail.ru. Specifically, on or around July 31, 2012, KIBKALO used his akibkalo@mail.ru e-mail account to send the blogger an email with the subject line of “Alex A. has shared a folder with you”. That e-mail contained six zip files of pre-release “hot fixes” for Windows 8 RT for ARM devices, which KIBKALO made accessible through his SkyDrive account. The fixes were not publicly available, as Microsoft had not yet released Windows 8.

Canouna made quite a splash with his Windows 8 leaks, and this new information is an interesting case study of how a blogger came to be contacted by a disgruntled employee, how the leaks occurred, and the steps Microsoft took to shut down the leaks.

Canouna continued to leak information on Windows 8 well after Microsoft began going through his mail, although he somewhat abruptly shut down WinUnleaked.TK in January of 2013, redirecting the domain to Microsoft.com.