Ex-Microsoft employee arrested, accused of stealing Windows RT, product activation secrets

Big mistake: Allegedly used Hotmail, SkyDrive to share trade secrets with French blogger

A former Microsoft employee accused Wednesday of leaking Windows RT updates and software that validates product key codes faces federal criminal charges of stealing trade secrets.

Alex Kibkalo, identified on his LinkedIn profile as director of product management at Beverly, Mass.-based 5nine Software, was arrested yesterday, according to the Seattle Post-Intelligencer, which first reported on the charges.

While he worked at Microsoft, Kibkalo allegedly leaked pre-release software updates for Windows RT, the tablet-specific operating system, to a French blogger in July and August 2012, months before its official release. The FBI, which was called into the case after a Microsoft investigation, also alleged that Kibkalo provided the same blogger with the Activation Server SDK (software development kit), internal-only code to create the activation systems which validate product keys, Microsoft's primary anti-piracy technology.

Kibkalo, a Russian national and at the time working for Microsoft in its Lebanon office, was apparently angry at a prior poor performance evaluation, and struck back by leaking the software, FBI Special Agent Armando Ramirez wrote the court in a criminal complaint filed with the U.S. District Court in Seattle on Monday.

After allegedly sharing the information with the unidentified French blogger -- who Microsoft had already been monitoring because of leaks published on the blogger's Twitter account and blog -- Kibkalo encouraged the blogger to contact a hacker who could use the Activation Server SDK to write a fake product key activation server.

The blogger subsequently posted screenshots and other information about the unreleased Windows software, and tried to sell Windows Server activation keys on eBay, said Ramirez.

Microsoft first got wind of Kibkalo's alleged theft in September 2012 when a source claimed that the blogger had shared the Activation Server SDK code, asking the source to help verify its legitimacy and assist the blogger to better understand the SDK. The source, also unnamed in the complaint, then contacted Steven Sinofsky, at the time the head of Windows development, but ousted from the company in November 2012.

Microsoft kicked off an internal investigation of the blogger, beginning with the bloggers Hotmail email account. Hotmail was renamed Outlook.com in mid-2013.

"After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012, Microsoft's Office of Legal Compliance (OLC) approved content pull of the blogger's Hotmail account," wrote Ramirez.

Email from Kibkalo's own Hotmail account was discovered in the blogger's inbox. Further digging, presumably on Microsoft instant chat service, found messages between Kibkalo and the blogger.

"The sample code in Kibkalo's accounts was the same sample code that the Microsoft source received from the blogger, prompting Microsoft's investigation," Ramirez told the court.

Microsoft's Trustworthy Computing Investigations (TWCI), a Microsoft department tasked to protect the company from both outside hackers and internal leakers, interviewed Kibkalo in September 2012, when he allegedly admitted that he "leaked confidential and proprietary Microsoft information, products and product-related information to the blogger," the charge sheet stated.

But Microsoft did not bring charges against Kibkalo then. Instead, the company fired him.

Kibkalo's LinkedIn profile said that he left Microsoft in September 2012. Not surprisingly, the profile does not mention his termination. At some point he relocated to Russia. In August 2013, he took a job with 5nine, which has offices in St. Petersburg and Moscow. 5nine bills itself as "the leading virtualization management and security company, offering the first and only agentless security solution for Microsoft Hyper-V."

Hyper-V is Microsoft's virtualization technology for its Windows Server platform. In instant message chats -- some of which were transcribed and included in Ramirez's filing with the court -- Kibkalo claimed that he had also leaked Windows 7 code before its release and had snuck into Building 9 on Microsoft's Redmond, Wash. campus in an unsuccessful attempt to copy data from a server there.

In an Aug. 3, 2012, instant message conversation, the blogger was alleged to have reacted to Kibkalo's offer to leak the Activation Server SDK with, "That's crossing a line you know pretty illegal. lol."

Kibkalo's alleged reply: "I know :)"

In a separate document filed with the Seattle federal court Wednesday, Kibkalo was ordered detained because he was a flight risk. "Defendant poses a risk of nonappearance due to ties in Russia and lack of ties to this District," the detention order, also filed Wednesday, read. Kibkalo did not oppose the detention.

Kibkalo has been appointed a public defender.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2014 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon