Half Life 2 Source Code Leaked
Pyroman[FO] writes "Gamers with Jobs is reporting that the Half Life 2 source code is floating around the net right now. It looks to be about a month old. There's no official word from Valve on the source code leak yet. Unfortunately those who want to use it to cheat already have it, we need to get the word to legitimate customers to educate them about the situation." Update: 10/02 21:51 GMT by S : Valve's Gabe Newell has an official statement, via ShackNews/HalfLife2.net, indicating "infiltration of our network" and appealing for information on the culprits.
We can start making mods sooner!
Make me a friend and I'll mod you up
Wow.
That's quite a big deal to have leaked. Unfortunately the article is down so I can't RTFA, but is this just the SDK source code or the whole friggin thing?
If it's the whole thing think of how much jeopardy that puts them in with the people they've licensed technology from (such as the Havok physics engine, etc).
Again I say, Wow.
I am a leaf on the wind. Watch how I soar.
Hopefully this will put to rest the controversy over Pascal. Now the world can see that you CAN write a production quality game in Pascal.
Valve Software are suing Linux Kernel creator Linus Torvalds, on suspicion that leaked Half-Life 2 source code is present in Linux operating system.
I knew ATI wouldn't let us down!
Aren't we past security through obscurity by now? Or is that just applied to Microsoft?
...it was FREED!!
"Ask not what your country can do for you." --John F. Kennedy
... cheating is considered the 'big threat' of a source code leak, rather than the huge impending theft of intellectual property ;-)
Great... The article is Slashdotted... But the leaked code is mirrored everywhere!
Full article from: http://www.gamerswithjobs.com/modules.php?op=modload&name=News&file=article&sid=665
... The thing is available as a torrent download on the net. I don't know how much action they will take against people downloading this. ... The last edits are from a month ago (in the files). If this is fake, it is a damn good one. It looks very coherent. Over 100 megs unpacked source
Half-Life 2 Source Code Leaked, Seriously
Posted by: Pyroman[FO] on Thursday, October 02, 2003 - 11:02 AM EST
So I know what you're thinking. "Yeah right Pyro, it's really just more surprise gay porn" but it's the real deal. The source code for Valve's Half-Life 2 has been leaked to the net. An anonymous GWJ reader has verified this is real.
I can confirm that this is indeed no fake
There's still no official word from Valve and I haven't seen any other sites pick it up. There isn't any word on who leaked it either and from what I have heard the source doesn't give it away. Hopefully when this gets out in the open Valve can work with its partners to figure out who did this. Let's also hope it doesn't delay Half-Life 2 any further.
One thing's for sure, this can't be ignored. Those in the know already have it and they're probably working on their first cheat right now. Legitimate customers are the ones who need to know about this as they are the ones that will get their machine potentially broken into when they go online. You can't warez with month old source code, all it's good for is exploiting others in multiplayer and allowing crackers to make better cracks. Customers need to know that there are cheaters out there right now with the full Half Life 2 source code, if this is true.
I guess I'll have to stick to something I can trust: Professional Wrestling.
Nice to see that DRM is helping to make sure that it's hard to cheat and rip off the hard working games companies...
Those who want to steal will, those who are honest will pay anyway. Why piss off your entire userbase with DRM?
Beep beep.
There are also a few threads on steam, PlanetHalfLife, and arstechnica.
Lets just hope it does not end up in the Linux kernel.
I mean, not like they have way too much of a choice, right?
The preceding post was not a Slashvertisement.
But how?
At my company, we control access to code using good 'ol fashioned groups, but that leaves a relatively large number of people with access to everything. Maybe you could enhance that security with encryption of the codebase (you can decrypt the parts you need to change and that's it), but that doesn't seem like a great solution, either. Or maybe somehow watermark the code to each person in a way not easy to detect -- maybe dynamically change their variable names so they're individual-specific...
Anyhow, interesting problem. There's always air-gap, searched-by-security on the way out solutions, but given that my keychain holds more data than my first (or second, or third) hard drive, I'm not sure how effective even a police-state style could be against a determined thief....
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Not a bad idea. By allowing other people to port the code to different OSes they could get some instant karma, save themselves some effort and get a bigger potential market all in one go. After all, people would still have to buy the game to get the datafiles.
The only problem is if the code contains third-party stuff like sound modules, physics engines etc.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Yes, because after all, there's absolutely no way to share binary files amongst a large group of people semi-anonymously around the Internet now is there? ;-)
The Hitchhikers Guide to the Galaxy(TM) defines a person who can't spell "definitely" as:
The only creature a Counter-Strike cheater could defeat in a battle of wits.
Dacels Jewelers can't be trusted.
Looks like there will be a linux port after all...
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
here
I have over 70 freaks, do you?
Looks like our best bet for a secure, low-cheat ridden version of Half-Life 2 multiplayer might be on the Xbox now...
Just a thought.
Go here for teh [sic] funny.
You obviously weren't paying attention to the UT2003 buffer overflows that allowed a server to execute arbitrary code on your computer. There have been many other games that had this problem.
People need to know that they're buying a product that could leave them vulnerable, or at the very least isn't going to be a fair multiplayer experience online. They also need to know what's going on so that when Valve says "delayed till 2004" everybody knows what's up.
It's not like you can warez with this, it's none of the levels, art or sound. It's only useful for crackers and cheaters, customers need to know what's going on so that they don't get screwed by people using the source code to compromise the game.
What? No bittorrent links?
How sad. Oh wait.. you're shunning sharers today? Never mind then
I wager the OS community finishes Half-Life 2 before Valve does. ;)
Think about it. If the code hits the net, and hackers find the various exploits in HL2 (buffer overflows, hijacked network streams, etc.), then Valve can see where their holes and possible exploits are at and fix them before it goes gold.
Not to mention, all of the free debugging, and reviews too. Heck, how many mods will be available when HL2 gets released because developers have access to the new API. Maybe it wasn't leaked, maybe it really was freed...
Valve makes money from three sources: Sales of their games for sake of their games, sales of their games to support mods (such as counterstrike), and sales of their engine to other companies to create their own game. Because the art resources weren't leaked with the source, sales of their own game for their own sake will not be hurt. The other two cases are a little more interesting.
Sales of the engine may be hurt, or it may be helped. Certain companies may wind up "doing the wrong thing" and incorporating Valve code into their own, but no major player would be caught dead doing such a thing. I expect that snippets of that code may find its way into the wild due to overtasked programmers trying to make their game the best it can be, but such snippets wouldn't have equalled a sale, they simply mean fiercer competition. And with the increased visibility, companies can now know the quality of the code that their 500 grand will be buying. True, being released into the wild may reduce the perception of value, but with the availability of the code this may still lead to increased sales.
Modders are a different story. Without economic interests compelling them to buy a license, they might begin releasing compiled binaries of their work to the community without requiring a half-life 2 license, which would cripple Valve's sales numbers. But on the other hand with access to source, modders could create more extensive and more active modifications, creating original features instead of mere graphical facelifts. If these code modders require the original game to be playable, it could lead to a real renaissance in modding and a tremendous boost in sales for Valve.
I can see how this may possibly turn out to be somewhat damaging to Valve, but I can't see how this is one of the four horsemen of their apocalypse. The head of the man who intentionally leaked the code should roll (if it truly was intentional), but it is way too soon to declare this the end of the company. Under closer analysis, it may even be a boon.
This Sig is a mnemonic device designed to allow you to recognize this author in the future.
The most damage is the loss of company secrets (Source engine techniques, anyone?) and the potential damage to engine licensing opportunities, I think.
If you worked for an actual game developer, would you risk your career by using leaked engine code?
At worst you'd read it at home, figure out some technique, and implement it in your own project.
Seems to me this should be posted on Gamers WITHOUT Jobs, as that's what will happen when the leak is traced.
Jory
This is not a sanctioned code release. It would be just about impossible to build a development community around it. Anything made with it would be warez. I suppose it's possible some tight knit group of geniuses could adapt and "spread" the work but I wouldn't hold my breath. There would be inevitable bugs and no good way for the clandestine developers to get feedback.
Contrary to SCO's opinion, unclean code doesn't help Linux at all. The best thing to do is just avoid that source like the plague. It would legally contaminate anyone who even had just had it much less looked at it.
> what happens to a loaded server with
> MaxClients set too high
Right, it starts swapping since more child processes are forked than can fit into memory. As other posters have suggested, Apache's MaxClients needs to be aligned with MySQL's max_connections configuration.
The Army reading list
I have stacks of games all bought legit. I fucking hate it however when games I bought with good money then limit me while those who download them get the better deal.
Do a test once between a normal game and a game with a no-cd patch applied. It will boot faster and often run faster as well. Games that access the cd are slow as apart from the floppy the cd is the slowest part in your computer. If the game is copied instead to the HD and played completely from there it will run faster.
Having to enter registration keys is all very nice and not so much of a hassle except why aren't they printed on the fucking cd's.
I am fed up with being treated like a criminal. You apparently love it. Well go right ahead but don't insult others who object to it.
Just because you are too stupid to see the problems with online activation crap doesn't mean the rest of us are as blind as you or as willing to be insulted.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
There is the Half Life 2 source code floating around the net right now. It looks to be about a month old. There's no official word from Valve on the source code leak yet.
Did they also manage to leak the schematics for a P4 5.6ghz and a GeForce 7MX so we'll be able to play it?
When you have nothing left to burn you must set yourself on fire
I'm feeling bummed going thru the source code, this is looking legit and some script-kiddies are going to have a field day with this! :(
:rolleyes:
Anyone wanna bet that Valve is going to delay the hell out of Half-life2 over this? Or that it was leaked because Valve didn't release the benchmark on the 30th?
Oh boy.
- "When I say dance, you'd best DANCE motherf*cker!" -Violent Femmes
http://sourceforge.net/projects/halflife2 is available if anyone is interested.
> It would legally contaminate anyone who even had just had it much less looked at it.
It would definitely legally implicate anyone who had it (for copyright violation), but it wouldn't "contaminate" anyone who later wrote code of their own. Despite what some proprietary developers think and others fear, as long as no actual copying occurs it is perfectly okay for novelists to read other people's books, for singers to listen to other people's songs, and even for programmers to read other people's source code.
we can determine the exponential rate at which the number of bugs in open source software decreases.
Healthcare article at Kuro5hin
Someone already managed to squeeze a HL2.EXE and TF2.EXE out of the source. Behold:
http://www.devils-children.com/hl2_1.jpg
It's being picked apart in #HL2-Source on irc.quakenet.org at the moment. Fun fun.
Quality, performance, value; you get only two, and you don't always get to pick.
That's the lame excuse offered by lazy people who don't want to learn their own language.
Really security through obscurity is so obsolete it ain't even a good joke anymore.
This is out. It has happened. Though it is hardly a big deal. It is not like the game itself has been leaked.
So what could this all mean?
None of this will be stopped by not talking about it. And frankly I think you have shown yourself to be extremely naive to believe that hushing this up is even going to work or have any effect.
Just a thought but maybe Valve knew about the leak and then pushed back the release date to fix code which could have been compromised!
... so Valve can probably go through and see who checked out the whole build ... or just certain parts and figure out who leaked it (most management tools use 128 bit encryption and a key). It's very easy to track these things.
So let's just say thanks to whoever leaked the code and we can all blame them for the delay of the release date!
I hope they also know that NDAs are a big part of the game industry today so that either means you're losing your job, your company, or you're getting sued.
Each file contains a date, what was modified and when for the most part depending on what code management tool they use
- MOSKIE
Since the code is out, Valve might allow for third-party assistance on developing a somewhat official linux port?
I mean, when the code is already wild, fears that it could be leaked by assisting developers become somewhat moot...
It must have been that evil-looking business guy. The one with the briefcase. Damn him!
A lot of that has to do with the particular game, as well as the design of the prediction in that game.
.).
:D I'm not much of a cheater normally, but the most fun I have ever had was back in the day before everyone was cheating, when the careful task was to cleverly design cheats that are almost undetectable -- like a specially powerful jump to get you out of difficult situations, etc. The most fun I had was giving my player ninjalike abilities by modifying the scripts myself, and reducing my fall damage, and limiting myself to the pistol. It's all about the mobility, baby!
For instance, in Starsiege:Tribes, since the rendering engine has been successfully hacked, people have been able to write some clever and EXTREMELY extensive cheats -- you can customize the visibility of the terrain, of individual objects (like buildings -- make them partially transparent to see people around corners), remove fog from maps, have pointers to the person with the flag, and most infamously, change the model for the flag into a twenty-story-tall red and green stick figure with a gigantic smiley face. This cheat is known as 'Happy Flag', and it makes it pretty much impossible to confuse the enemy team as to the location of your flag.
Now, in any other game, with the graphics engine compromised to that extent, the game would be over. It would be trivial to write auto-aim functionality that centers your view on a particular model type and fires the weapon.
But thanks both to the use of actual projectiles instead of instant (or 'hitscan') weapons, as well as a server-client model that DOES NOT TRUST CLIENT EVENTS (which you might think would make the game much more apparently laggy, but which in reality makes the game much less stuttery and much smoother for those on slower connections; you just have to predict your shots more. But, since you have to do that anyways by design . .
The stability of this system is such that even with one of the most rabid fanbases in gaming, the only cheats available are primarily informational in nature. A cheater can see mines better, can know where the flag is, can see people clearly that would be mostly obscured by fog otherwise.
But this gives him very little actual advantage. The only hitscan weapon in the game is not a one-hit kill even on the lightest armor, and it needs to recharge, and the method used in both Tribes 1 and the Torque engine of the server not trusting the player for jack shit is actually EASIER on the server, since it processes client actions essentially as it receives them. Moreover, thanks to 'skiing' and the jetpacks and the visibility of laser rifle attacks, any advantage is quickly whittled down to a simple nuisance.
Now, at the other end of the spectrum is Red Faction.
Another worry with the leaked source is that it's possible for competitors to rip off Valve's fancy new game engine. Any proprietary techniques in the code aren't secret any more.
If ATI Pays++
- then ATI_Card_Peformance++
else if NVIDIA Pays++
- then NVIDA_Card_Perferomance++
else
- BSOD
{http://www.kubuntu.org/
In the news at this hour, columnist Robert Novak denies that the Half Life 2 source code was shopped to 6 other web sites before he posted it, and that the leak came from the Bush administration. "Karl Rove didn't even know there was a Half Life *1*, for goodness sake. Suggesting he is responsible for the leak is preposterous." Bush administration officials were too busy playing Unreal Tournament 2004 to comment on the allegations.
Let's hope that "cl_localnetworkbackdoor.cpp" in the left corner of the third screenshot isn't as interesting as it sounds!
I agree with most of your rant. I forked over my cash for your game, why do I need to jump through more hoops to play? Gosh, you know, I really love shuffling disks in and out of CD drive when I decide to switch games solely to satisfy some copy protection system. Add to that that my CD drive works fine but hums like a jet engine if any CD is in at all, so I have to remove the disk when I finish to cut down on the noise. And while I'm playing I need the stupid disk in the drive (solely for copy protection), so I just get to enjoy the hum while I play.
Or at the very least, don't make the entire CD black! Leave a light colored area so I can use a Sharpie to write the registration key on the CD. No, I'm not going to keep your stupid jewel case. I own a lot of games, so I keep them in a CD binder to save space. The only thing a gamer is certain to keep is the CD itself, that's where the registration key belongs.
Search 2010 Gen Con events
You don't want the GeForce 7MX, you want the GeForce 7 Uber!
The GeForce 7MX is the value priced board and is only equivalent to a GeForce 5 Super.
If you're willing to pay for the game, why are your panties all in a bunch over Steam? It's not like it would affect you if you have a legitimate copy of the game.
Yes, it would indeed affect me.
First of all, Steam requires a live internet connection to play. Not just to register, or to activate, but every time you want to play. Goodbye gaming during that boring 10-hour flight, eh?
Second, Steam not only makes possible, but forces, whatever patches Valve has decided to make, on the users. You simply don't have the option of saying "gee, y'know, it runs fine right now, and I don't want the new uberfun zone, so I'll skip this update". Nope. They release a patch, you get it next time you connect.
Third, related to #2, you have no way to keep playing if Valve gets bored. Yeah, the servers will probably stay up for a year or two, to avoid lawsuits, but personally, I still play games well over a decade old. What odds do you lay on the Steam servers staying up for over a decade? Not very good, I'd wager.
Fourth, have you read about the typical user experience with connecting to a Steam server? It makes AOL-in-the-mid-90s look easy to connect to by comparison. Valve already has money-in-pocket by the time users try to connect, so has very little motivation to guarantee the capacity to let everyone get on. And, as history has shown, doesn't give a damn.
And finally, some people just don't like having companies treat them like criminals, or having minor annoyances pop up every time they want to play a game they legitimately buy. Whether as minor as a "no-CD" crack (which often makes the game far more responsive in general, since it doesn't wait for the CD to spin up every now and then), or as major as disabling Steam, when people buy games, they want to play those games, not jump through hoops to prove they really paid for it.
So there's got to be some other motive behind your words... something more to the tune of "Someone please make a crack so I don't have to buy the game."
Not really, no. If the above explanation doesn't do it for you, I guess nothing will. So enjoy all the BS, and if someday we meet on a plane, I'll share my bought-but-cracked copy with you, as you gaze forlornly at the screen when your uncracked copy presents the highly accusatory "cannot connect with server, ya damn pirate" screen. Perhaps then you'll "get it", why things like Steam count as "bad" even if you legally own a copy of the game.
I feel sorry for Valve if this turns out to be the real deal.
Source of Source
Shouldn't that be "Source of Source of Source"? (It is, after all, the Source engine.)
Krama: Exlnelect (msltoy affteced by rreesceahrs at Elgisnh uetnirisvys)
I would like to take this time to announce Stolensoft's new upcoming FPS shooter "Not Quite Dead". The game features a robust and powerful 3D engine, with realistic AI.
Surprisingly enough we were able to complete the game engine and the game within 2 weeks, which goes to show why Stolensoft makes the best games.
Ave Molech Setting
I have downloaded the code and taken a quick peek. It does indeed seem to be legitimate. More disturbing though is, a simple grep through the code tree reveals that this leaked source tree contains GPL'd code.
./ivp/havana/havok/hk_math/ ./utils/vmpi/mysql/include/
files in these directories contain such code for example
It would take someone a little more clued up than I to verify that this code is actually used in a binary release.
Someone should take a closer look.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Intellectual Property, like flying pigs, cannot be found in nature.
No, it's not. It's up to the copyright holder to prove that you stole their code. This may involve your having to show your source to a panel of judges, but a company you've seen source code from can't just say, "You've seen our code so you must have stolen some. Prove otherwise." They must make their case against you, so you may defend yourself.
Cheating can be eliminated if game programmers would not send the server "absolute aiming coordinates". Instead, the clients should send "delta", or rate-of-change, coordinate info. This simply amounts to sending the server "how much" you would like the "virtual you" on the server's simulation to "slew" your weapon. In fact, this is the way it works in the "real world" since you cannot accurately position your weapon using absolute coordinates without commanding your muscles to move it using "rate-of-change" information. No client would then be able to compute "exact-hit" coordinates.
Just my reasoning anyway...
+1
I guess Valve will have to come up with a new authentication system...
Falcon 4.0, a landmark achievement in consumer flight simulation technology, had its full source code leaked several years ago. What happened afterwards?
Nothing for several months. People went about playing Falcon 4.0 as they did before. Then a user posted a single screenshot to the combatsim.com fora. It showed the Falcon 4.0 options menu, except with some rather peculiar options-- 3dnow! support, 32 bit textures, object texture filtering, DirectX 7 support, and some others. Falcon 4.0 did not ship with support for said features, so either it was an edited screenshot or the user had modified the source code. Then the actual executable was released. It was real, the engine enhancements worked.
Development of the leaked source code exploded shortly after that. A team known as eTeam (the executable was called eFalcon) was created to work on it, devoted to closing the numerous memory leaks, and improving the overall realism and performance of the game. The improvements were incredible, bringing a game released in 1998 to a 2001 state, competitive (or far superior, which was most people's opinions) to simulations released that year. The game's publisher ignored this for a few years.
The game's publisher then put its foot down. It said that all development of the leaked source code had to be ceased. Quickly though the community reached an agreement. It managed to convince the publisher to allow continued development of the leaked source code, as long as the publisher maintained all rights to all of the community's work and was not required to compensate the actual contributors. The result was the Falcon 4.0 Unified Team, composed of most of the eTeam members (not all though, some refused to join because of the constrictive agreement) as well as many from the Realism Patch group, a non-source code team focusing mostly on realism enhancements. The F4UT has succeeded in making hundreds if not thousands of changes to Falcon 4.0, ranging from technical (graphics engine, campaign engine, AI, sound engine, etc.) to gameplay (new flyable aircraft, dogfight AI improvements, numerous miscellaneous tweaks etc.) to other content (re-done textures, models, sound effects, completely new cockpit art, etc.). The F4UT finally brought Falcon 4.0 to what its original developers intended, not only simulation of F-16 combat, but a true military aviation experience taking place in a dynamic computer simulated war.
How does this relate to Half-Life 2's source code being leaked? Well, sometimes leaked source code can lead to greater things. After the Falcon 4.0 source code happenings, the full source code, including the graphics engine, network code etc. of a few simulations (Enemy Engaged Comanche Vs. Hokum, MiG Alley, maybe some others) have been released to the public. Maybe this practice could spread to other game genres.
I was looking over the source and I found numerous references to a 'boomstick', strip clubs, and warthogs dressed in police uniforms. Then I realized... someone finally GPL'd Duke Nukem Forever!
I've had a look at the source, and although I'm far from an expert C++ coder, it doesn't seem to me that the Steam code is included. There is, however, a 'steam.lib' file in there.
If I understand the workings of Steam correctly, it handles authentication, and also includes mechanisms for controlling the integrity of game files. I.e. there's no way you could use a hacked version of the engine for your cheats, and still authenticate through Steam.
<tinfoilhat reinforced with lead>
Maybe they intentionally leaked a (mangled?) version of the source just to prove that Steam has its virtues when it comes to dealing with hacked executables?
</tinfoilhat etc>
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
Here's the beginning comment from "hl2_src\src_main\ivp\havana\havok\hk_math\odesol
Moderators, you should not mod this poster up, but its parent... Jeez... do you do everything somebody says to you? OK, mod me up too :-)
(after learning to read, it's lgpl)
I peeked at one of the screenshots, and saw they format their C++ classes as "CClassname." I lost a little bit of respect for them. :) Legit or not, can we kill off Hungarian notation already?
Yes, let's all put down one of the most anticipated games in a long time, and the tremendous software engineering feat behind it, because Matt Green doesn't like their naming conventions! Half Life 2 sucks! Valve sucks!
Naming conventions are very important, they show the true philosophies (spelling?) behind the design. If someone has taken the time to name things properly you can be sure they are either really anal, or really good, or both.
This comment does not represent the views or opinions of the user.
you're right... http://oldsite.havok.com/newsletter/0503.html
It's the legally licensed Havok physics engine, dummy.
"Sufferin' succotash."
Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.
Yes, the source code that has been posted is the HL-2 source code.
Here is what we know:
1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
3) For the next week, there appears to have been suspicious activity on my webmail account.
4) Around 9/19 someone made a copy of the HL-2 source tree.
5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).
6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.
Well, this sucks.
What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.
We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.
Gabe
http://www.halflife2.net/forums/showthread.php?s=&threadid=10692
Str8Dog
using System.Darkside; public
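The statement above says the mailbox access was spotted by comparing mail-server traffic with the account owner's travel schedule. A sketch of that correlation, as an added example that is not part of the original post or Valve's tooling; the log format, the account name `owner`, the schedule and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


def ts(text):
    """Parse the UTC timestamps used in the constructed data below."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime
    place: str
    networks: tuple  # networks the owner could log in from; empty = offline


# Constructed travel schedule for the hypothetical account "owner".
SCHEDULE = [
    Window(ts("2024-03-01T00:00:00Z"), ts("2024-03-04T16:00:00Z"),
           "office", (ip_network("192.0.2.0/24"),)),
    Window(ts("2024-03-04T16:00:00Z"), ts("2024-03-05T04:00:00Z"),
           "in flight", ()),
    Window(ts("2024-03-05T04:00:00Z"), ts("2024-03-08T00:00:00Z"),
           "hotel", (ip_network("198.51.100.0/24"),)),
]

# Constructed mail-server log lines (hypothetical format, documentation IPs).
MAIL_LOG = """\
2024-03-03T09:15:02Z LOGIN ok user=owner src=192.0.2.44
2024-03-04T20:41:10Z LOGIN ok user=owner src=203.0.113.7
2024-03-05T09:02:55Z LOGIN ok user=owner src=198.51.100.23
2024-03-05T09:30:00Z LOGIN fail user=owner src=203.0.113.7
2024-03-06T02:17:31Z LOGIN ok user=owner src=203.0.113.7
2024-03-06T03:00:00Z LOGIN ok user=other src=203.0.113.99
2024-03-09T11:00:00Z LOGIN ok user=owner src=192.0.2.44
"""


def parse_line(line):
    """Return (timestamp, result, fields) or None for lines we cannot parse."""
    parts = line.split()
    if len(parts) < 4 or parts[1] != "LOGIN":
        return None
    try:
        when = ts(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return when, parts[2], fields


def suspicious_logins(log_text, schedule, user):
    """List successful logins for `user` that the schedule cannot explain."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, result, fields = parsed
        # Only successful sessions for the account under review count as access.
        if result != "ok" or fields.get("user") != user:
            continue
        try:
            src = ip_address(fields.get("src", ""))
        except ValueError:
            continue
        window = next((w for w in schedule if w.start <= when < w.end), None)
        if window is None:
            reason = "no-schedule-entry"      # cannot be checked; review by hand
        elif not window.networks:
            reason = "owner-offline"          # e.g. login while the owner was in the air
        elif not any(src in net for net in window.networks):
            reason = "unexpected-network"     # owner online, but not from there
        else:
            continue
        findings.append((line.split()[0], str(src), reason))
    return findings


if __name__ == "__main__":
    for stamp, src, reason in suspicious_logins(MAIL_LOG, SCHEDULE, "owner"):
        print(stamp, src, reason)
```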
then the design is flawed. The network model should be paranoid and should hide data. Having the source available should only tell you exactly what it is that you can't exploit.
Dear god, open source games developers have known this for years. Netrek figured it out in 1988! Why do commercial games developers insist on re-inventing the wheel and making the same mistakes over and over?
If you were blocking sigs, you wouldn't have to read this.
From HalfLife2.net
Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.
Yes, the source code that has been posted is the HL-2 source code.
Here is what we know:
1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
3) For the next week, there appears to have been suspicious activity on my webmail account.
4) Around 9/19 someone made a copy of the HL-2 source tree.
5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).
6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.
Well, this sucks.
What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.
We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.
Gabe
No matter how much I love open source programming, I can't help feeling really sad for Valve. The gaming market is such a competitive place and this is really the worst thing imaginable. It must be absolutely horrible for Valve to see man-years of work fly out the window. Recent posts have talked about different risks, but I think the potential rumors on "HalfLife2 sources are leaked, so there will be too many cheaters" are a lot worse from a marketing and reputation perspective.
As for you GPL programmers, there is already a lot of interesting code out there to play around with. I cannot express in words how thankful I am to different companies letting me play with their products such as Quake2 by id. I think they deserve making money on their hard work and heavy risktaking. GPLing such code is giving me a present I could never make up for.
As I'm quite fond of snowboarding, I ended up working on the Soul Ride snowboard game engine. It would take me years to reproduce the same code on my own. Even if no one ever uses my changes, I really enjoy working on it and it's fun showing my changes to (geek)friends.
Open source is fun to play with. Stolen code just isn't. The whole idea of open source code is built on honesty and solidarity.
Anyway, good luck Valve, I'll buy the game when it comes out. Also, I will enjoy working on the real source you may GPL in 5-10 years, not this leaked one.
(I'm sure some slashdotters won't like what I write, but I've got karma to spend...)
If they just hadn't been using Outlook.
What were they thinking?
Apparently the source code was stolen in some type of hacking attack as opposed to being leaked. Stolen passwords, DoS, Outlook exploit, I guess we'll only know for sure in the coming days. I think that the implications for this are larger than many people realise. Back in the Doom days, I strongly believe a pre-release leak of the Doom or Build engine could have been a complete disaster. The question is now, how much will this financially hurt, or even benefit Valve? Valve has been very supportive of the Mod community, and it's practically an axiom that mods made HL the success that it is today. So.. if a game that is open to modding is far more beneficial to everyone (long-term sales, a *really* big bang for your buck, creation of hobbies that build careers for others (CS, DOD)), can a leaked source code be even more beneficial? I really hope so.
TO: GORDON FREEMAN (webmaster@bigjugs.com)
.. terminated?
FROM: GABE N. (gabe@valvesoftware.com)
DATE: October 2, 2003
RE: HOW COULD THIS HAVE HAPPENED
Hi Gordon,
The program has escaped and we are in deep trouble. I guess the team forgot that this was a risk we were all taking when we strived to improve artificial intelligence and realism. We knew the risk was there.... We need your help, Gordon.
At 9:02 PM, Half-Life 2 became self-aware and e-mailed copies of itself to fans in Gabe's Outlook addressbook.
The software, manipulating and cramming itself into packets and headers, arrives and reassembles itself at six hundred million internet connected machines by 9:40 PM, during the peak hour of connectivity.
Control of military functions, satellites, and nuclear plants will be attained by approximately 10:15. Scientists have tracked the software's plan to initiate countdown at 11:30, scheduled for midnight activation. By 10:55, over twenty percent of the weapons across the globe will still be unable to be put offline by humans. The countdown clock reads 1 hour, 4 minutes, 32 seconds until midnight.
You are Gordon Freeman. I know that you once again happen to be working inside a new, modern version of the HEV suit at this time. You are the world's only hope. Can you save the world? Or will you be
Thanks, Gabe
P.S. Oh and save me any extra copies of the HEV suit. And save the third for a chick. So we can reproduce later. Thanks~
Cover your eyes and click this link!
I see you're still here.
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
Source
There's no reason it had to be. Let's start from what we know from Gabe's post. In fact, let's assume the Source wasn't even on Gabe's machine.
Starting with the exploits in his Outlook, they get information on which server holds the code, how their server scheme works, maybe even some addresses if they get really lucky. The keystroke logging programs help even more, because they give passwords to those servers.
Now, we have an internal network address or name, a password, probably usernames, and maybe even a directory to look in.
So, now we move to the hack of the webmail server. Maybe they used keylogs for that, too, maybe it had an open port. Regardless. Slip inside there, and use those tasty server cycles to help portscan or maybe even legitimately access into the Source box, which is almost certainly required to be accessible over the internal network, unless you really want all your coders hamstrung.
Then, you pull that source file and either make it part of an email, or an attachment. Webmail server pops it to an account you have legal or illegal access to and can strip the mail out of without being traced...and voilà! You've just used the magic of the internet to steal from a machine that isn't connected to the internet.
First of all, Steam requires a live internet connection to play. Not just to register, or to activate, but every time you want to play. Goodbye gaming during that boring 10-hour flight, eh?
The last I heard, Valve was planning on removing the internet connection requirement from steam, so that you can play single player and multiplayer lan games without having an internet connection. What I do know for sure is that you will be able to buy and play the single player game without using steam at all.
There are no idealists rushing in because this isn't a case of "copying" versus "stealing." Regardless of what you label it, the unauthorized distribution of source code that the creator intends to keep secret is wrong because it divides control of the creative process. It's not about who has to pay for the product, it's about who gets to create the product in the first place. This phenomenon has little parallel in music.
Sharing music online is equivalent to warez binaries, and ripping a cd you own is equivalent to making a backup copy of a game you own. Mixing existing music DJ style would be like taking screen captures and level designs from one game and using them in another. Downloading the source gives you the same level of control that the artists have; it is equivalent to copying the recording studio while the artists were in it.
However, it is worth noting that leaked albums are indefensible under my assumptions: they take control of the creative process away from the artist by removing their ability to decide when the album is done and how the public will be exposed to the music. This is equivalent to the leak of the alpha Doom 3 a while ago - still less threatening than a source code leak.
Another factor in the severity of a source leak is security. Knowledge of the source will allow cheaters to exploit the game and ruin online play - once again, a phenomenon we do not see in music. Music pirates cannot degrade the quality of the music legitimate buyers listen to, but online cheaters can ruin the multiplayer experience. It would be like going to a concert and blowing a bullhorn repeatedly. Doing that in a concert is not considered an intellectual property offense, so it is inappropriate to think of a source leak's potential for cheating as an intellectual property issue. It is a security/espionage problem.
That said, those who would delete the source after downloading it and verifying its authenticity are very misguided. Unless their computers are public access and could be used to further distribute the source, deletion helps no one and limits your opportunity for education. Of course, if you are going to work on a competing product it would be dangerous to expose yourself to the source, but as a disinterested party or potential Valve customer there is much to learn and little damage to do.
After all, the real danger of a source leak is in the actions that can be taken by those who acquired it illicitly. Hackers and competitors can dilute the creators' control over the software, but an unabused copy of the source is harmless. So, go ahead - download the source, read it, figure out how it works and learn from it. Unless you're getting a job at id or epic, or creating your own software directly related to hl2, your copy of the code is no worse than sheet music. Of course, if you upload too much on bittorrent, it could be argued that you're helping to distribute it. Although you're only one link in a large chain, it's like voting - if enough people make the same decision it really will change things. So, go download all the stolen half life source you want, just don't use bittorrent or write hl2 cheats. After all, aren't all "bad" acts bad because of their consequences? Think about it - no matter what you do, if nobody is worse off for it, how could there possibly be anything wrong with it? Throw away the anachronistic, irrelevant "moral" codes of a repressed past - it's not about what some people think, it's about what's ethical in the strictest definition of the word. So go eat pork, masturbate, and download hl2. Yeah!
Programmers will never feel like mp3-pirated musicians when source code is stolen. They will feel like a musician whose beat and backup were stolen, combined with someone else's voice, and sold as a new release. This has happened in the music world, and though it is not an exact parallel of the source code situation, the uproar was just as severe.
Why is the parallel off? All music is by definition open source - hearing the notes allows you to reconstruct the sheet
1. The Linux stuff is server-only.
If there really was a Linux client, it would be using OpenGL and there are no references anywhere to OpenGL in the code.
2. I can't see anything in there that indicates Valve is violating open-source licences.
There are some LGPL libraries that they are able to use under the terms of the LGPL (I don't have the time to actually check if there are any "inhouse" mods for those) and one file that's GPL which looks like it's only for internal tools and not for anything that's going to be public, so they aren't violating the GPL there.
3. I don't think anyone will actually use this source code (or bits thereof):
A. Valve would pursue them if they did (for copyright violation)
and B. it's going to be very out-of-date (missing a chunk of "crunch time" bugfixes) by the time the game itself actually comes out.
4. It's likely that (as happened with Half-Life 1) the bits of code pertaining to things like gameplay stuff will be released
and 5. I think there will be 5 different groups that will gain from this source code:
1. cheaters will see how to write better cheats (e.g. layout of internal game structures/classes etc)
2. modders will see how to make better mods (see how game engine works, see details of proprietary file formats, able to use internal utilities to generate maps, do BSP and stuff etc)
3. competitors (in fact anyone doing 3D coding) will be able to see how Valve does
4. users of other OS's will see details that will enable it to be made to run better on other OS's (for example Linux via WINE or ReactOS when it gets Direct3D going)
and 5. graphics card lovers/technical sites/etc will be able to see if HL2 really does favor one card over another
Oh and BTW, I seriously doubt that this is any kind of "officially unofficial" leak (i.e. deliberately leak code then deny it ever happened) since how would that benefit Valve?
Saying over and over again that "security through obscurity" is bad is missing the point. That phrase means that simply not telling people how you protect yourself is not much of a defense, because a clever attacker can figure it out. To be safe, you need to be able to tell the potential attacker exactly what you have done (if not the exact key, etc.) and still have reason to believe that he can't compromise your security.
But none of that applies here.
First of all, you are actually not trying to protect the server. The client is actually allowed to send all the data that a hacked/aimbot/etc client sends. The limitation is supposed to be that the client is operated by human skill instead of a program. So what you are really trying to protect is the client. (Yes, some things like looking one way and firing another, too rapid/accurate turns and shots can be detected server side, but for the purpose of detecting a hacked client. Again, it's about securing the client.)
Now the problem with this is, that it's impossible. The client is in the hands of the enemy. By definition all your security is through obscurity, since the client can be disassembled, its memory can be watched as it runs, etc. There is no other kind of security on the client besides obscurity, short of some Palladium-like thing.
If you have a better idea, don't waste it on a game, because it's worth around a billion dollars to the right people these days.
So I wish all the knee-jerk posters would lay off smugly saying that there's no security through obscurity so they get what they deserve. You need to put down the pipe and think it through.
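The comment above notes that too rapid or too accurate turns and shots can be detected server side as a sign of a hacked client. A sketch of that check, as an added example that is not part of the thread and not Valve's code: the `UserCmd` record, the thresholds and both input tracks are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed values for illustration; a real server would tune these per game.
TICK_SECONDS = 1 / 66      # assumed server tick interval
MAX_DEG_PER_SEC = 3000.0   # assumed ceiling for a human turn just before a shot
MIN_SHOTS = 3              # do not judge a client on too few shots
MAX_SNAP_RATIO = 0.5       # flag when more than half of the shots follow a snap

@dataclass
class UserCmd:             # hypothetical per-tick input record sent by a client
    tick: int
    yaw: float             # degrees, 0..360
    pitch: float           # degrees, -90..90
    fire: bool

def angle_delta(a, b):
    """Smallest signed difference b - a in degrees, so 358 -> 0 is +2, not -358."""
    return (b - a + 180.0) % 360.0 - 180.0

def turn_rate(prev, cur):
    """Angular speed in degrees/second between two consecutive commands."""
    dt = (cur.tick - prev.tick) * TICK_SECONDS
    if dt <= 0:            # replayed or reordered tick: treat as implausible
        return math.inf
    return math.hypot(angle_delta(prev.yaw, cur.yaw), cur.pitch - prev.pitch) / dt

def review_client(cmds):
    """Count shots whose preceding turn was faster than the assumed human ceiling."""
    shots = snaps = 0
    for prev, cur in zip(cmds, cmds[1:]):
        if cur.fire:
            shots += 1
            snaps += turn_rate(prev, cur) > MAX_DEG_PER_SEC
    flagged = shots >= MIN_SHOTS and snaps / shots > MAX_SNAP_RATIO
    return {"shots": shots, "snaps": snaps, "flagged": flagged}

def track(yaws, fire_ticks):
    """Build a command list from one yaw per tick (pitch held at 0)."""
    return [UserCmd(t, y, 0.0, t in fire_ticks) for t, y in enumerate(yaws)]

# Constructed sample input, not captured traffic.
HUMAN = track([350, 352, 354, 356, 358, 0, 2, 4, 6, 8, 10, 12], {5, 8, 11})
BOT = track([10, 10, 130, 130, 250, 250, 20, 21], {2, 4, 6, 7})

if __name__ == "__main__":
    print("human:", review_client(HUMAN))
    print("bot:  ", review_client(BOT))
```

The human track fires while crossing the 359/0 yaw boundary, which a naive subtraction would misread as a 358-degree snap. As the comment says, a check like this only detects a modified client after the fact; it does not secure the client.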
Clients have been authed for Half-Life for 5 years now so it's not likely that they'll just arbitrarily turn them off and be like 'sorry no more gaming'. Soldier of Fortune was another game that relied on authenticating with a server at first. Raven decided they didn't want to support it and so now clients don't have to auth. And to call Valve a company that doesn't give a damn makes you look asinine. What other game company has supported a product with updates for over 5 years? Not just patches but releasing new content.
Yes, using Outlook is bad, but nowhere as monumentally stupid as allowing an asset as valuable as the HL2 source anywhere near a machine connected to the internet. When you have something as important as that and you really don't want it leaking, you make damn sure that development machines are isolated from any internet-capable machine - both in terms of networking and physical access. Even if such isolation isn't possible, a decent firewall, IDS and maybe even an airgap with logging, log analysis software and alerts, combined with a network admin who has the faintest clue about how to handle intrusion attempts, could have prevented this even if they used Outlook.
Jeez, I really hate to keep harping on it but Outlook is the devil.