[ISN] Defendant: Microsoft source code sale was a setup

[InfoSec News]

http://www.theregister.co.uk/2004/11/12/microsoft_source_code_sale_was_setup/

By Kevin Poulsen
SecurityFocus 
Nov 12 2004 

A 27-year-old Connecticut man facing felony economic espionage charges
for allegedly selling a copy of Microsoft's leaked source code for $20
says he's being singled out only because the software giant and law
enforcement officials can't find the people who stole the code in the
first place.

"They're using me as an example, to show if you do something like
this, they're going to [work] you over," said William Genovese, in a
telephone interview Thursday. "Why go after me? Why not go after the
guy who took the code? Why not go after the guy who released it on the
net?"

In February, two 200 megabyte files containing incomplete portions of
the source code for the Windows 2000 and Windows NT operating systems
appeared on websites and peer-to-peer networks around the world.  
Evidence in the files pointed to Microsoft partner Mainsoft, a
developer of Unix tools for Windows, as the original source, but how
the files were leaked, and by whom, remains a mystery.

What distinguishes Genovese from perhaps thousands of other curious
computer geeks who shared the proprietary source code at the time is a
short message he posted to his website, illmob.org - a hacker
destination from which he distributes open source intrusion tools
written under his handle, "illwill."

"Everyone was throwing up Bit Torrent links and downloading it on
IRC," says Genovese. "I wrote on my website, joking, I have it, and if
anybody wants it they can donate to my site."

Genovese claims he meant it as a joke, and he was surprised when
someone actually responded a few days later and asked how much he
should donate. "I was laughing, because I thought it was somebody
stupid who wanted it and didn't know how to download it," he says.

The stranger gave Genovese $20 through the PayPal donation button on
his website, and Genovese let him download a copy of the source code
from his server. In July, the same man contacted Genovese again. "He
emailed me again and said he had formatted his computer and basically
he wanted to download the source again," says Genovese. "I didn't have
it any more, and he said if you can find it I'll send you more money
just for the hassle." Genovese says he found the files easily on a
peer-to-peer network, and again provided them to the donor.

He isn't laughing any more.

According to court records, the mysterious donor was actually an
investigator with an unnamed online security firm that Microsoft had
hired to track people sharing the source code online. After the first
"sale" was complete, Microsoft reported Genovese to the FBI.

The Bureau took the case seriously, and the Microsoft investigator
arranged the second transaction at the FBI's request.


'Economic Espionage'

Armed with a federal criminal complaint out of Manhattan, FBI agents
converged on Genovese's Connecticut home early Tuesday morning,
searched his condo and arrested him. Now free on a $50,000 signature
bond, Genovese stands accused of violating the 1996 Economic Espionage
Act.

Passed to meet the perceived threat of foreign espionage against
American companies, the Economic Espionage Act carries up to ten years
in prison for stealing trade secrets for personal financial gain, or
for a third party's economic benefit. For the first five years of its
existence the law could only be used with approval from the Justice
Department in Washington -- a limitation that was lifted in March,
2002.

The $20 payment is what opened the door for prosecutors to invoke the
rarely-used law, says attorney Jennifer Granick, executive director of
the Stanford Center for Internet and Society. "The statute requires
you to act for the economic benefit of someone other than the trade
secret owner," she says.

"The real question is whether this information remains a trade secret
after it is globally available to anyone with an Internet connection,"  
says Granick. "This is something that the courts have been grappling
with, so it's pretty shocking that the government would pursue
criminal charges for something that the civil courts can't even agree
on."

Government offices were closed Thursday for Veteran's Day. Microsoft
declined to comment for this story.

Although the complaint describes him as a "vendor" of stolen source
code, Genovese says the only person who took his website post
seriously was Microsoft's undercover agent. He claims that the same
person later purchased another widely-traded underground file, the
Paris Hilton video, for a $15 payment, though the transaction escaped
mention in the complaint.

If convicted, under federal sentencing guidelines Genovese's sentence
would be based on the value of the source code, if any, and his
criminal history: Genovese has a conviction for intruding into private
user's computers in 2000 and spying on their keystrokes, for which he
was sentenced to two years of probation. "It happened right after I
got my computer," he says. "I started using Trojan horses and stuff
like that, and I ended up getting in trouble."