Valve Updates On Half-Life 2 Code Leak
Thanks to ShackNews for their updated report from Valve boss Gabe Newell regarding Thursday's leak of the Half-Life 2 source code. He says: "We're still finding machines internally that have been compromised" in relation to the "infiltration of our network" that led to the code leak, and warns that other developers may also be in danger: "There's anecdotal evidence that other game developers have been targeted by whoever attacked us." But he ends with a hopeful appeal to those who've been helping Valve hunt down the culprits online: "I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet."
I hope that the folks at Valve now know that they need two machines on every desk, and two networks. If they had such an arrangement (with one of the networks COMPLETELY disconnected from the Internet) this would never have happened. A company with the money that Valve has can afford this level of redundancy. I hope Valve implements something like this now (and pretty much ANY gaming or large software facility) to prevent problems like this in the future.
they stored the source on a computer connected to the internet in the first place, and further, I don't see why they didn't take it off once they noted the suspicious activity...
It's fishy
The person was probably talking about bits of the Havok engine, which is used in HL2. (Although the Havok engine is actually released under the LGPL, not the GPL.) Now, before anyone starts shooting his mouth off about "stolen GPL'd code" in Half-Life 2, Valve purchased a commercial license for the Havok engine, so there's no foul play here.
From what I've read, there was apparently an initial knee-jerk reaction by some Slashdot dorks claiming that there was GPLed code in there, but a followup post by someone who wasn't retarded pointed out that the code in question was licensed under the LGPL, which allows for such uses.
You know, I really hate to say it, but I'm sorry to see the source go down (Valve says that they're asking websites to take it down -- not sure if that translates to asking or sending legal threats). I'm skimming through a copy of it that I downloaded with some interest. It's not often that you get such insight into game development (post-mortems are interesting as well, but source hasn't been neatly edited). While I doubt a commercial gaming company would ever swipe code from Valve (too much potential damage -- if there's even a 10% risk of exposure, they're better off just licensing it.) Cheating will obviously be a problem...if I were Valve, I think I'd consider significant protocol revisions.
Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain. (On the other hand, if it *isn't* out...)
This is a good example of why internal security is very important. I don't use any computers at work that don't talk to each other through encrypted connections. I maintain a single trust relationship (pubkey based, not IP based), from a machine that has a superset of the information on a second machine, so there's little point in exploiting trust relationships (plus, if superset machine A were compromised, a keygrabber could easily allow compromise of machine B anyway). I don't use Windows filesharing. These are all very easy to overlook, especially during crunch time, but as Valve has discovered, while the chances of things going sour may be low, the potential damages are enormous. I would urge folks who are working with *any* kind of important IP to do the same -- do *not* rely on Windows filesharing, do *not* use trust relationships, and do not use unencrypted connections, even on your local network. SFTP exists and there are free clients all over -- you do not have a good excuse for using FTP.
This is also another example of why it may be worthwhile to have a network admin that does regular security audits. It takes additional time, and the vast majority of time that cost is overhead, but Valve is certainly regretting not doing so at the moment. (We have irregular security audits, which is better than nothing, but obviously not ideal.)
Finally, I'd like to say "chin up" to the folks at Valve. This sort of thing can be very frustrating, and I'm sure it hasn't helped morale at Valve much, but it's not a game-killer, even if it necessitates changes in the protocol or game engine, and a release delay. Good luck -- I probably won't buy your game, since it's unlikely that there'll be a Linux client, but I expect you'll have healthy sales.
As for other folks -- remember crack.com, remember Valve -- secure your damn networks already.
May we never see th
Two machines on every desk!
They're developing a game with multiplayer internet capabilities and internet-based content delivery. How are they supposed to not connect their development machines to the internet? If they aren't to ship with networking, sure.
The code should be locked up!
Every programmer, licensee - and presumably a few hardware developers (such as ATI) - would have the code. It would be sitting in a source control database somewhere, plus probably daily backups would be taken of that database. Employees might also be allowed to take their work home with them. For example, I'm a programmer (no, not at Valve) and can connect to my work LAN using a VPN and get direct access to the SourceSafe databases for our various projects.
They're using GPL source code they've not released!
Um... newsflash: HalfLife 2 isn't out yet. Way to start bitching about something that's not happened yet. Even if it did include GPL'd code - by the GPL terms they only have to release that code when the product is for sale. If they have included such code, I'd imagine it's LGPL - and they wouldn't have to release code they've used provided they didn't change it.
Anyway... Microsoft security = some very scary shit. I thought they'd solved the autorunning-virus-in-your-email thing, but I guess not. I patched the crap out of my Windows installation today, stopped using Outlook Express, went back to Pine for email and started using Mozilla Firebird. If I could work out why KDE 3.1 keeps hanging on me under FreeBSD 5.1, I'd move in that direction.
It seems like quite a few game companies are rather lacking when it comes to security. If the code is so important then why is he reading email, with Outlook no less, on a machine with access to the code? Frankly, it sounds like Valve didn't have any kind of security policy in place and they got bit by it. Hopefully they've learned their lesson.
Isn't it rather a moot point... as anyone attempting to call Valve on using any GPL (or any other copyright'd code) would have to prove it... and proving it would mean producing the source code... which would be showing that the accusers had a copy of the stolen source code...
I'm not defending the illegal use of GPL, I'm just saying that it would be a tough claim to file currently.
Not to say I wouldn't love to see it happen, I just know it won't, so I'm not holding my breath. If the code were open, someone would port it to other OSs within a couple months. I hope someone doesn't do this however since they're obviously talented, and would likely get screwed by VALVe. Besides, I've got plenty of games to buy that WILL run on Linux, I do think that VALVe just might stand to lose out on at least some customers by not making a Linux client this round of releases (Doom3, MP2 under wine, and UT2004 will all get my $50 when they're released because they at least offer support in varying levels). If a community developer wants to port the code, great, but I hope if they do that VALVe won't get upset that someone did the porting work for them, I'm sure that they'd see it as unauthorized use of their IP, and therefore, a "no no" in general though.
This is really getting more interesting day by day.
As for someone unlawfully porting the game to linux.. well, I can't say it wouldn't get played, and the source code would most likely be open (although you never know.. this source could become a guarded treasure). Valve would then be stupid not to pick up all that free development and offer a Linux client (although I doubt they'd want to support it).
How we know is more important than what we know.
Kazaa?
Oh dear.
As soon as the gold disc has been sent to the cd plant, it'll appear all over the net.. including your precious kazaa
Looking through the code there is a directory called linux, full of makefiles and also #ifdef _LINUX switches through the code (especially in the parts using inline assembly). Whether this is just for the server or not I can't tell.
The linux makefiles work to an extent, but only after you rework some of the code. I've got to a point where there's some calculations done in asm that I can't get to compile.
If anyone has got further than that (I can compile up to studiorender/cstudiorender.cpp ) I would love to hear about it.
Why are gamers mad? Or is Valve just trying to paint it that way?
Gah, what the hell. Why can't they just make a Linux client with SDL/OpenGL, for God's sake. They're using LGPL code, they expect us Linux users to support their servers, yet they can't even be bothered to give us a client. Screw you Valve, you just lost another customer.
What do "Linux users" have to do with "using LGPL code"?
Just because the Linux kernel is licensed under the GPL doesn't mean every piece of software that uses LGPL licensed code should be ported to it.
They are doing nothing outside of their rights.
As far as I can think there are many possible outcomes:
1: Cheats become widely available. Cheat programs are made to stop them eg. punkbuster. This = good. I don't mind the supposed "bandwidth hogging" programs on cable.
2: Cheats are made but not let out for free use. This would be a small problem due to only a few l33t hax0rz having cheats. I prefer to just kill them with my handhack(tm).
3: A combination of 1 & 2.
4: Valve delays hl2 to make changes to the code. I hate to say it but I'd rather 1,2 or 3 than this. Besides, anti cheat could possibly be put in with a patch.---best scenario.
_______________
Karma: -2^0.5 . Mainly due to the imbibing of dihydrogen monoxide
Actually the code in question most likely was statically linked (as someone reported and as one could imagine that a 3D-game's physics system must be) and the LGPL only permits dynamic linking. So that would not save them.
But the trail leads to the Crystal Space engine as previously reported here.
The code in question seems to be contributed to Crystal Space by someone working at Havok who then of course has all the rights to also license it for use in a proprietary product (Havok). This is an assumption based on the fact that the person (Alexander Michael Ewert) has a @havok.com email address.
I only wish he would have removed the licensing information from the source code file as the code that is included inside HL2 clearly isn't under the LGPL, only the version that was formerly in Crystal Space is.
Anyway, as far as I can see there is no LGPL violation here. Just a misplaced copyright notice. But it had to be asked and I'm glad we could find out what the situation was.
These guys are smart enough to completely own Valve's computers but they're not smart enough to realize that you have to get the art, sounds, levels, and such too if you want to play Half-Life 2.
Tim
Omnia vestra castrorum habetur nobis.
I would really like to see a Linux port, is anyone working on it yet? :)
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I noticed you worded your post very carefully, so I can't say anything to you directly. However, people like the ones you have described (be it you, or not) make me sick. They are stealing thousands of man hours from people who have poured their lives into this. Whether it be HL2, a movie, or MP3s. Yes, I used to download MP3s when I was a freshman in college, but I don't do it anymore because I've realized the ramifications of it. RIAA be damned, you're still taking money away from the people you claim to support.
/end rant
As for movies and games, I realize that many people download them as "demos" before going out and actually buying/watching the final product. This is no excuse. That's what demos and movie trailers are for. If that isn't enough for you, wait for reviews. You've waited four odd years already, another month won't kill you. I just find it heartbreaking that people will outright steal the blood, sweat, and tears of other human beings just to save a buck. I guess that's just one of the cons of the capitalist system. (And no, I'm not a communist, so please refrain from "In Soviet Russia, cons have capitalist system!")
Please, just think before you download stuff.
--------
This isn't the sig you're looking for. Move along.
They're not using SDL because they'd like for the game to run fast on anything less than the new 7 GHz processors coming out. You'd buy the Linux version and then have to wait a year to play it. Then you'd accuse Intel of cooperating with Valve in order to sell more processors.
I hope you, for one, welcome your new linux-hating-conspiracy overlords.
If they Open Source/GPL it, then others can sell stuff based on it as long as they provide the code freely.
So Valve Open Source/GPL it, someone builds a game with just textures/maps/ai (which is not OpenSourced/GPL and it doesn't have to be) and then sells it with no license required from Valve.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
One connected to an "unsecure" T1 (though still behind a firewall, no ports open incoming, no use of Outlook and/or Outlook express). The other computer is connected to the standard frame relay circuit that everyone else in the company is on.
A mini 2-computer KVM, and I don't have to worry about compromising one network by any actions in the other.
Some people are acting like this is a gift from god that will force Valve to Open Source. Some are saying that it's payback for not making a Linux version. Do you guys actually believe this stuff?
Oh, as for the comments on licensing, how much of the engine source you get depends on the licensing contract. A blanket statement like "You get it all." is erroneous.
It's been done, the email/web system a Mac and the dev system a PC. The extra cost of a Mac not being an issue since you can get 5 years out of a Mac when used for such lightweight tasks.
Some thought it was an odd idea originally but that was before the iPod and the iTunes Music Store existed. Opinions changed and the setup is popular now.
I'd agree to a point that a Linux box could also be used in a similar manner but that argument is not as strong as it used to be. Newer Macs are pretty damn nice Unix boxes. And some large corps. (think financial) take it a little more seriously when their site has problems with a Mac than a Linux box. I am not endorsing this attitude but it happens.
I think Valve should bait them into the open by offering a special edition won.net multiplayer half life 2.
The key point there is that you'd get source *after* you license it. If you get the source beforehand, you could make an entire game and Valve would never legally be able to prove that you used their source in order to do it.
yes, a business run for profit has an absolute obligation to spend its time and money on something that won't return the investment, just to make you happy.
...what about iD?
(Sorry, people that capitalize something wrong trying to mimic a logo really annoy me.)
There you have it, I don't see any post proclaiming how the attack on Valve was wrong, just people saying that this is payback for disrespecting the Linux community.
Ahhh yes, there's the Linux Way - If you can't make it yourself, use stolen code from Valve (the hard work of others) against the very people whom you want on your side and blame Valve for not having perfect security instead of blaming the bastard who attacked them.
Let's see if they even give you the time of day on the next great game they make.
And you wonder why companies like SCO manage to make a living off you?
I was browsing the forum at halflife2.net, and all I could think of was a bunch of kids scouring the forums and irc channels following up on every single pathetic lead they can put their hands on. And at virtually any little piece of info they're emailing Valve with it (in fact, the halflife2.net forum is down right now probably for that very reason). Any real leads will just be lost in the noise. And any tracks are now probably overrun by a stampede of kids full of good intentions. If I were Valve, I'd ask them NOT to help...
Unless Valve really needs those guys' help. Which could be the case, considering the level of amateurism of this whole thing.
They named the company Valve, they should expect leaks!
My computer is infected with the "Steam" virus - so far it's deleted Half Life and all its mods, and is filling my disk with these 500MB files of junk!
"There's anecdotal evidence that other game developers have been targeted by whoever attacked us."
Bad news for 3D Realms today - Duke Nukem Forever source liberated. Sadly, there wasn't that much to liberate.
Here it is, contents of dukeforever.c:
#include <stdio.h>

int main(void)
{
    printf("Duke Nukem Forever\n");
    return 0;
}
Honestly, I don't see how this is a problem for Valve. Assuming they don't do something really nasty in the code, the exposure is harmless. It's unlikely another developer will use the code - too much risk. Cheaters might be a minor problem, but HL2 is primarily a single-player game, so Valve probably has at least a year to update the network code for multiplayer mods. Yes, the secrecy makes some sense in early development stages, but even then not much. The only problem might be early exposure to the game, like in the case of Doom3 alpha, but that won't usually affect the sales anyway. Look at Enter the Matrix - how much were sales hurt by negative reviews? Not at all. How much will Doom3 sales suffer from the leak. Not at all. How much will HL2 sales suffer. Again, not a single bit.
Future Wiki -- If you don't think about the future, you cannot have one.
I do that all the time, my source code and all the company work I do at home is on an encrypted .DMG on my ipod.
If someone stole it or even the machines at work, all the data is unusable since to mount the dmg image on OS X you need the password. I create 4.7 DMG images to burn on DVD once a month in case of hardware failures.
This is very useful for me and protects the company.
Ok, I agree with your point of not downloading other people's work, but GET REAL. How can you expect the lowman like you and myself to not save a buck and abuse others' rights when the very companies that we work for, and those that we buy from, are all doing the same.
In the end, things go round in circles.
At the end of the day we are cows...We go out to work to get greens, we come home with those greens and we get milked by the very people we work for...
It's all a circle...Earning money to give it back to get some delusion that it makes our lives better (well, playing games...hmmm)...
Just to update, CNN.com reports that because of the code theft, Valve is delaying the release of Half-Life II until April 2004 while they rewrite the game, with possible revenue loss because they're going to miss the holiday season. Thank you, code thieves...
Vivendi's 'Half Life II' code stolen
Gabe's post never indicated the attack vector. It could have been a trojan through Outlook, it could have been something else (poor passwords, a machine infected with a trojan that later VPN'ed into the corporate network, etc).
There's not enough information available externally to blame any attack vector.