Ex-Microsoft Worker Arrested After Passing Windows 8 Trade Secrets to Blogger

A former employee of Microsoft has been accused of stealing trade secrets related to Windows 8 from the company, and passing them to a technology blogger.

25 March 2014

Ex-Microsoft Worker Arrested After Windows 8 Trade Secrets Passed to Blogger

A former employee of Microsoft has been accused of stealing trade secrets related to Windows 8 from the company and of passing them to a technology blogger, after allegedly bragging that he had sneaked into a building on Microsoft's Redmond campus and had attempted to copy data from a server

Purportedly frustrated by a poor performance review, software engineer Alex Kibkalo is said to have divulged  secrets related to Microsoft's Windows 8 RT and ARM devices, as well as details of Microsoft's Activation Server SDK (Software Development Kit) that could be used to help hackers reverse-engineer the company's anti-piracy code.

Microsoft realized something had occurred when it noticed screenshots appearing in technology blogs, ahead of Windows 8's official release. Kibkalo was arrested on Wednesday and now faces federal criminal charges that he leaked Windows 8 code to an unidentified French technology blogger in mid-2012, prior to the operating system's release.

Microsoft has now found itself in the midst of a privacy storm, after admitting that it read the Hotmail email messages of the blogger while investigating the source of the software leak.

The curious debate revolves around Microsoft's failure to secure a court order for the electronic search.  The reason, according to Microsoft?

Courts do not... issue orders authorizing someone to search themselves.

In an official blog post, Microsoft Deputy General Counsel John Frank has  argued that it was technically legal for the firm to search one of its Hotmail user's inboxes as it searched for who was leaking its intellectual property, but that in the future it will strengthen its security policies.

While our actions were within our policies and applicable law in this previous case, we understand the concerns that people have. Therefore, we are announcing steps that will add to and continue to strengthen further our policies in any future situations involving our customers.

If you're interested, you can read those "strengthened" policies in the Microsoft blog post.

It's obviously understandable that companies would want to protect their intellectual property and plug any holes which might be dripping sensitive information into the public domain.

But rather than trying to shut the stable door after the horse is bolted, wouldn't it be better if tighter control had been put in place over the sensitive information in the first place?

Companies need to protect the life blood of their organisations by carefully controlling who has access to valuable intellectual property and trade secrets and revoking the access if a worker leaves the company or is otherwise no longer trusted.

Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.