Half-Life 2 source code stolen
October 3, 2003 10:20 AM

Half-Life 2 source code leaked online. Valve Software, the makers of Half-Life 2, said the leak followed a concerted hacking effort on the company's computers over a number of months. Easily one of the most eagerly anticipated games ever, Half-Life 2 is regarded by many as the next step in the evolution in First Person Shooters. What does this mean for the future of Valve Software? (More inside)
posted by stazen (53 comments total)
 
Gabe Newell of Valve Software -
Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.

Yes, the source code that has been posted is the HL-2 source code.

Here is what we know:

1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.

2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.

3) For the next week, there appears to have been suspicious activity on my webmail account.

4) Around 9/19 someone made a copy of the HL-2 source tree.

5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).

6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.

Well, this sucks.

What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.

We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.

Gabe
posted by stazen at 10:23 AM on October 3, 2003


What it means is cheating in the online play. Lots and lots of cheating.

Since this is a game famous for its legendary online play modifications, this is a nasty, nasty knock for them. How a gaming company can be so blind to the needs of security is beyond me - everything for them relies around people not getting access to their intellectual property.
posted by Ryvar at 10:32 AM on October 3, 2003


It's bad enough that we have to deal with viruses, trojans, firewall tunnels and patches, but now this spyware crap. I have a fear that one of the executives where I work is going to click on these damn things in e-mail or on the web. He clicks on everything without thinking. I already removed Gator from his machine but these new spyware cards could be worse. Virus software doesn't cover these things, so then you end up spending more money on spyware detectors. It just doesn't seem to be getting any easier to remain safe.
posted by Akuinnen at 10:38 AM on October 3, 2003


That sucks. And it probably means the game will be delayed further. Thanks, Asshat!!
posted by black8 at 10:39 AM on October 3, 2003


Beyond using the code to figure out online cheats, doesn't this mean whoever has the source code could compile the code to create a playable game? If a fully playable game got out now, wouldn't this be bigger problem for valve than the cheats?
posted by Mbarron2896 at 10:48 AM on October 3, 2003


I see some bitchin' mods coming out in the future.
posted by pemulis at 10:51 AM on October 3, 2003


Our speculation is that these were done via a buffer overflow in Outlook's preview pane.

Thanks, Microsoft, for your limitless supply of raging security holes.
posted by mkultra at 10:54 AM on October 3, 2003


Microsoft makes stack smashing so easy.
posted by pemulis at 10:56 AM on October 3, 2003


It was only the source, not the resources. Can't make a game out of it but can reuse its AI and the physics engine, which VALVe licensed from someone else. This could wind up getting them sued out of existence. Then no-one would have the game.
posted by Mick at 10:58 AM on October 3, 2003


I think they'll find their culprit if they go to Matthew Broderick's house. And they better do it fast, before he starts World War 3 by mistake.
posted by crunchland at 10:59 AM on October 3, 2003


I don't think they will end up sued out of existence. While a lawyer may try and make the case... they really can't be held liable for the consequences of someone else's criminal act.
posted by MrLint at 11:16 AM on October 3, 2003


Anyone still using outlook for email is just asking for trouble. Especially in an environment where you're trying to keep something secure.
posted by piper28 at 11:25 AM on October 3, 2003


Is there any possible way of looking at this as a good thing? It's open source now!
posted by Pinwheel at 11:27 AM on October 3, 2003


Yeah, it's not like it's stealing, 'cos they haven't actually taken anything away from valve.
posted by biffa at 11:36 AM on October 3, 2003


I just want to go on the record right now as saying "HOAX."

I've been reading a bit about this today and it just sounds kinda stinky suspicious. And when was the last time an executive was SO forthcoming about a failure of his company -- a technology company at that. Usually you get "We had a security issue and the code got out" not "the hacker typed snuggles, which is my password, and broke into our mail server at mail.foo.com"

Yeah, it's an exaggeration, but it's been a while since we've had a good marketing hoax, and it's the kind of thing that might work itself into a game plotline..

If I'm wrong, oh well. But if I'm right! Oooh! I'll get a toldyaso out of so many people!
posted by fnirt at 11:47 AM on October 3, 2003


fnirt: It's real. Once you've looked through the occlusion system and node management, you know it's not a fake.
posted by Jairus at 11:52 AM on October 3, 2003


yeah, biffa, where are all the mefi'ers saying "what's the big deal? nothing was really stolen! no one is out anything." they sure pipe in loud and clear when they're the ones doing the downloading.

good luck to Valve on this one. half life was great.
posted by dobbs at 11:56 AM on October 3, 2003


dobbs/biffa: Nothing was stolen. Someone is responsible for computer assault/intrusion, and is quite possibly violating trade secret law. It's not theft, however.
posted by Jairus at 12:02 PM on October 3, 2003


fnirt -- it's most definitely real, been confirmed by way too many reliable sources to be a hoax.

Beyond using the code to figure out online cheats, doesn't this mean whoever has the source code could compile the code to create a playable game?

The file was about 30 megs -- which might or might not be all the source, but it sure as hell doesn't include all the models, textures, levels, sounds, and the like.

The biggest problems are valve competitors seeing their engine code, and online cheaters seeing the steam code. Although I'm not convinced the latter will do anything but speed up the cheat development a bit, it's not like keygens aren't out for everything else in the world.
posted by malphigian at 12:06 PM on October 3, 2003


malphigian: The correct file size is 168,598,580 bytes. It doesn't include any resources such as audio/video.
posted by Jairus at 12:08 PM on October 3, 2003


My team at work has been working sixteen-hour days, chugging toward completion on our own game. The idea of getting so close to the finish line only to have some ass yank out the carpet from under our feet...

There's no doubt that this will require months of work and millions of dollars for Valve to even begin to rectify. The escape of the source code means that codehackers are at work already creating cheats for the game. If Valve doesn't go in and do an incredible amount of annoying but now necessary tweaking, the multiplayer aspect of the game could be rendered unplayable within hours rather than the normal weeks it takes cheating bastards to pollute the average blockbuster game.

It's also been widely said that the leak also included the code for HL2's CD authentication system (which ensures that retail customers have purchased and not stolen the game) and Steam, their upcoming online distribution system. If true, that would mean that both aspects are completely compromised and they would need to be completely redone from the ground up in order to be secured.

The upshot for the rest of us who have been waiting patiently and expectantly for HL2 is that we have been screwed by the stupidity and maliciousness of a l33t haXor.

On preview: fnirt--it's not a hoax. The full extent of the damage may not yet be clear, but it's real and it's a big deal.
posted by Inkslinger at 12:10 PM on October 3, 2003


How a gaming company can be so blind to the needs of security is beyond me - everything for them relies around people not getting access to their intellectual property.

A big part of how they got hacked looks to be something they couldn't have protected themselves against. If a MS system is connected to the net, it can be hacked with the right tools and determination, no matter how much ice you throw in the path. Some secure systems aren't worth the time and effort...obviously this one was.

I don't play 1st person shooters, don't much care for the genre, but I still think this sucks in a big, bad, way.

It's not theft, however.

How do you figure? If someone breaks in and downloads a copy of the source code onto their system, such that they then have a copy of, and can use code that other coders spent hundreds and hundreds of hours creating, how is that not stealing the code?
posted by dejah420 at 12:21 PM on October 3, 2003


I bet Havok are pissed. They make money licensing their excellent physics engine, and now it's all over the place.
posted by inpHilltr8r at 12:26 PM on October 3, 2003


Personally, I don't care much about HL2, but I've been waiting for Team Fortress 2 since 96/97. Who knows how long the games are both going to be delayed, now.

dejah420: Why would they hook it up to the net, though? And then run Outlook on it? That's (quite obviously, now) a very, very poor idea.

It's not theft because theft involves the willful deprivation/removal of personal property, not the willful unauthorized copying of personal property. It's shitty, and it's illegal, but you couldn't charge SX (the guy who most likely did it) with theft.
posted by Jairus at 12:26 PM on October 3, 2003


And as far as my hoax thoughts, I've been reading slashdot and the forum and some other stuff, and as a developer I understand the implications if it's real -- which it probably is.

But if it's kaycee code, I want the props on MeFi! :)
posted by fnirt at 12:31 PM on October 3, 2003


When are these guys gonna be done? That's what I wanna know.

Akuinnen: "It just doesn't seem to be getting any easier to remain safe."

Safety is an illusion. That is what the phrase, no such thing as an unhackable program means. You can come up with virus scanners, deflectors, firewalls, spyware detectors, and all kinds of things, but those are proggies, and to hackers that's a challenge, not a wall.

At best, you can slow them down, but they're not going to go away. My opinion of "socially conscious hackers" who claim to be offering a public service to the online community is so torn. If they don't come up with it first, then only the criminal element will be able to infiltrate. More benevolent forces actively seeking out these weaknesses does allow corporate and personal interests to function in cyberspace with less of a chance of being unprepared when a real threat comes along. However, there will never come a point where a solution will be found. This approach just perpetuates itself. Causing more money to be spent on a perpetual solution that only exacerbates the problem.

It's like the wolf blowing down the pig's houses. Only, when the pigs get to the brick house, the wolf goes and gets a bulldozer...
posted by ZachsMind at 12:31 PM on October 3, 2003


Would Valve have a legal leg to stand on if they decided to sue Microsoft over this? Or would MS just hide behind the "not responsible for any damages" clause in the standard EULA?
posted by Johnny Assay at 12:58 PM on October 3, 2003


The MS EULA has never been through any sustained legal challenge, so there's no telling how it'd hold up in court.

Generally, the people hit hard enough by MS weaknesses to sue MS are not the same people with enough money to sue MS.
posted by Jairus at 1:02 PM on October 3, 2003


I don't believe the source tree was on the hacked workstation. However, whatever was needed to get access to the system that contained the source tree was on the hacked workstation. Additionally, considering the fact that no software is secure, and also considering that MS stuff is notoriously insecure, I don't think MS shares any real fault in this.

That said: has no one yet put together a system whereby the system storing the master copy of the source tree spends the vast majority of its time disconnected from the network? Or why not give your workers two computers, one online-capable and one connected only to the intranet, with the second being the one where work is done? All programs may be hackable, but it seems foolish to me to have your source tree worth millions and millions of dollars connected in any way, shape, or form to the 'net.

Of course, hindsight is 20/20 or better, and god knows if that precaution would have occurred to me had security been my responsibility.
posted by kavasa at 1:18 PM on October 3, 2003


kavasa: My thoughts exactly. If an internet-connected PC has access to the source, then the source is on the internet. Period.

There's no reason why the source should have been connected in any way to the internet, unless they're involved in some strange dev voodoo that I'm not aware of. It only costs 500$ to put together a web/email/IM machine that you can put next to your dev box, so there's no reason for not having done this.

Mind you, the person who ended up with his system compromised is the co-founder of Valve, so he may have taken less precautions than his employees did (because they would've gotten fired), and opened himself up to an attack.
posted by Jairus at 1:23 PM on October 3, 2003


what jairus said. two words: air gap.
posted by juv3nal at 1:48 PM on October 3, 2003


If Valve sued MS for damages a ruling for them would not just alienate one of their most lucrative partners (MS, Valve, and ATI are all in a big circlejerk these days), it would turn right around and bite them in the ass - the very first thing that's going to happen like it or not when this game goes live is several thousand people getting hacked through it because of this leak.

Old Man Murray's classic Start-to-Crate rating system will have to be replaced by a Start-to-Format-C: measurement.

This is a huge blow for what is unquestionably the most anticipated title of the year for FPS fans everywhere.

There's no reason why the source should have been connected in any way to the internet, unless they're involved in some strange dev voodoo that I'm not aware of. It only costs 500$ to put together a web/email/IM machine that you can put next to your dev box, so there's no reason for not having done this.

Exactly. If it's good enough for the CIA (this is their method), it's good enough for a company whose entire existence revolves around their intellectual property. This won't change how many people buy the game - possibly more people will buy now out of guilt - but it will change the quality of online play in a serious way.

Strong suggestion to everyone regarding Half-Life 2 - avoid multiplayer for at least 3 months, if not 6.
posted by Ryvar at 1:51 PM on October 3, 2003


All you who have access to secret corporate data raise your hands... okay, that's everyone with a job at a company.

All you who use two networks with an airgap and have regular auditing of that airgap raise your hands... okay, that's everybody except the guy who works for the NSA, not a company.

Let's not blame Valve for not putting the code in a steel-encased server, at the bottom of the sea, guarded by sharks with freakin lasers. Hacks of a certain level of sophistication really just aren't expected events, and it would've been near impossible to realize that they were under attack of that level of sophistication until it was too late.
posted by mosch at 1:52 PM on October 3, 2003


Irony is....

Being hoisted by your own petard.

At some point, keystroke recorders got installed on several machines at Valve.

Kinda ironic considering the spyware in steam.

And yeah, I'm aware that it's been removed.
(or at least better hidden)
posted by Trik at 2:19 PM on October 3, 2003


yeah, biffa, where are all the mefi'ers saying "what's the big deal? nothing was really stolen!

hey i'm right there! I think this is great. The HL2 engine is awesome. Now all the other game developers are going to be able to look at the source and include ideas from the HL2 engine in their engines! they won't be able to include the exact source, but it's the ideas that matter. Result? Better games engines from all the developers, which is excellent for the end consumer. Yeah it sucks for valve, cause they've lost their competitive advantage, but good for everyone else.
posted by carfilhiot at 4:15 PM on October 3, 2003


A big part of how they got hacked looks to be something they couldn't have protected themselves against. If a MS system is connected to the net, it can be hacked with the right tools and determination, no matter how much ice you throw in the path.

If this was true, pretty much all code that Microsoft owns would have been leaked by now. As others here have said, it shouldn't be connected to the Internet in the first place. Code leaks do happen at MS from time-to-time, but AFAIK it's always been due to malicious employee behavior.
posted by ukamikanasi at 4:19 PM on October 3, 2003


MSNBC story about this. Interesting that the only thing we've heard from Valve so far is the message board posting from Gabe Newell. From the article:

Representatives of Valve did not return calls Friday seeking comment. A source familiar with the case said federal agents were investigating. An FBI spokesman in Seattle declined comment.

posted by pitchblende at 4:24 PM on October 3, 2003


"If a MS system is connected to the net, it can be hacked with the right tools and determination, no matter how much ice you throw in the path."

If you include "inside help" in "the right tools" then you have a point. If you include "bad administration" and "user error" then you have a better point.

But to flat out say that MS tools can't be secure? Bull. Like anything else, the steps are:

1) Keep up to date with patches
2) Have a good AV scanner, including on email
3) A good HW firewall to stop incoming attacks
4) A good SW tripwire on the box to detect trojans when they try and connect to the net.

Barring someone getting code inside, that will cover you pretty effectively - and I would take exactly the same steps on a Linux box. Have you seen the flaws in OpenSSH of late?

For truly, absolutely critical private information then you air gap it of course. Along with orbital bombardment, it's the only way to be sure.
posted by soulhuntre at 6:20 PM on October 3, 2003


This is nearly a dead ringer for what happened to Quake. Former idster Dave Taylor (responsible, shockingly, for the iddt cheat codes in DOOM) had a copy of the code while he was at his own company called (appropriately enough) crack.com so that he could help id with a Linux port. Crack.com got cracked, and the Quake source code was downloaded.

Quake still managed to revolutionize internet action gaming on its way to making a buck or two.
posted by NortonDC at 7:08 PM on October 3, 2003


the very first thing that's going to happen like it or not when this game goes live is several thousand people getting hacked through it because of this leak.



Old Man Murray's classic Start-to-Crate rating system will have to be replaced by a Start-to-Format-C: measurement.

What are you talking about? Do you even understand how source code works? If I run linux can people hack into my server because they can get the source? pff
posted by delmoi at 7:40 PM on October 3, 2003


I think I'm going to cry.

So much for a '03 release date...
posted by Dillonlikescookies at 8:24 PM on October 3, 2003


If I run linux can people hack into my server because they can get the source?

Well maybe not, but these guys aren't exactly diligent about security. I mean, they use Outlook for an email client. Their code ain't gonna be up to the level of the linux kernel (imperfect as that may be.)

So hacked up versions of their game client, exploits for it, etc. will be around hours after (or before) the release, rather than a couple weeks later. That doesn't seem like much difference to me, but I guess it's something.
posted by sfenders at 8:35 PM on October 3, 2003


And it's not just the game client people are talking about. The hacker got the source for STEAM and the source for all their authentication stuff.

Last time I checked linux wasn't a big piece of spyware that automatically downloaded huge updates and other stuff.
posted by Iax at 8:48 PM on October 3, 2003


They were using Outlook? Securing your Windows computer starts with removing Outlook from the system.

What remarkable stupidity.
posted by five fresh fish at 11:38 PM on October 3, 2003


It is too bad for Valve--"whups" and for those of us drooling over HL2 release. Taking a step back, I am actually surprised that this type of incident hasn't happened sooner to a reputable software house.

Also, I have been so very amused how this incident has converted many people into programmers and security experts.
posted by rudyfink at 2:45 AM on October 4, 2003


Ooer! On the plus side, with the release date slipping, half life 2 won't be coming out before my exams, so I might actually get some study done and be able to get into University, and when it does come out I will have cable so I'll actually be able to play on the net... with all the dirty cheaters...

Everything works out for Dillon in the end.
posted by Dillonlikescookies at 4:58 AM on October 4, 2003


rudyfink - I am actually surprised that this type of incident hasn't happened sooner to a reputable software house.

Huh? Am I writing in code or something up there?
posted by NortonDC at 7:50 AM on October 4, 2003


And apparently the same thing happened with the flight simulator Falcon 4.0 (scroll to last paragraph).
posted by pitchblende at 11:21 AM on October 4, 2003


This is nearly a dead ringer for what happened to Quake.

Wow, I was going to say something condescending, like "This would never happen to Carmack." Thanks for keeping my foot out of my mouth, Norton.
posted by Eamon at 11:49 AM on October 4, 2003


It didn't happen to Carmack, really, it happened to Taylor. The closest anything like this has ever come to happening within the Id Software offices is when someone physically broke in and stole a server or two.
posted by Jairus at 3:09 PM on October 4, 2003


It's also been widely said that the leak also included the code for HL2's CD authentication system (which ensures that retail customers have purchased and not stolen the game) and Steam, their upcoming online distribution system. If true, that would mean that both aspects are completely compromised and they would need to be completely redone from the ground up in order to be secured.

If your encryption/authentication scheme can be compromised by releasing the source it is not a secure system. Almost by definition if you haven't had numerous open source reviews of your Crypt code it is not secure.
posted by Mitheral at 5:24 PM on October 4, 2003


Well, Jairus, there's no doubting Carmack's genius as a game engine coder, but he's pretty damn far from being a solid security programmer. id intentionally created log-free backdoors in Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions.
posted by NortonDC at 9:15 PM on October 5, 2003


*sigh*, but I suppose it is my fault for not putting more qualifiers.

By "this type of incident", I meant compromise, loss, and wide release of source code prior to program release.

When I wrote that I could not and still cannot think of anything like this happening before. I'm sure there are incidents, but such a public compromise on something as anticipated as HL2 seriously got my attention, and I imagine I am not alone.
posted by rudyfink at 11:40 PM on October 6, 2003




This thread has been archived and is closed to new comments