Slashdot Mirror
Valve Updates On Half-Life 2 Code Leak
Thanks to ShackNews for their updated report from Valve boss Gabe Newell regarding Thursday's leak of the Half-Life 2 source code. He says: "We're still finding machines internally that have been compromised" in relation to the "infiltration of our network" that led to the code leak, and warns that other developers may also be in danger: "There's anecdotal evidence that other game developers have been targeted by whoever attacked us." But he ends with a hopeful appeal to those who've been helping Valve hunt down the culprits online: "I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet."
I hope that the folks at Valve now know that they need two machines on every desk, and two networks. If they had such an arrangement (with one of the networks COMPLETELY disconnected from the Internet) this would never have happened. A company with the money that Valve has can afford this level of redundancy. I hope Valve implements something like this now (and pretty much ANY gaming or large software facility) to prevent problems like this in the future.
Two machines on every desk!
They're developing a game with multiplayer internet capabilities and internet-based content delivery. How are they supposed to not connect their development machines to the internet? If they aren't to ship with networking, sure.
The code should be locked up!
Every programmer, licensee - and presumably a few hardware developers (such as ATI) - would have the code. It would be sitting in a source control database somewhere, plus probably daily backups would be taken of that database. Employees might also be allowed to take their work home with them. For example, I'm a programmer (no, not at Valve) and can connect to my work LAN using a VPN and get direct access to the SourceSafe databases for our various projects.
They're using GPL source code they've not released!
Um... newsflash: HalfLife 2 isn't out yet. Way to start bitching about something that's not happened yet. Even if it did include GPL'd code - by the GPL terms they only have to release that code when the product is for sale. If they have included such code, I'd imagine it's LGPL - and they wouldn't have to release code they've used provided they didn't change it.
Anyway... Microsoft security = some very scary shit. I thought they'd solved the autorunning-virus-in-your-email thing, but I guess not. I patched the crap out of my Windows installation today, stopped using Outlook Express, went back to Pine for email and started using Mozilla Firebird. If I could work out why KDE 3.1 keeps hanging on me under FreeBSD 5.1, I'd move in that direction.
The assumption is if you're sitting behind your corporate firewall, you're safe. obviously in this case that was a very bad assumption to make... Neither can I say I agree that keeping the source on a seperate network is taking great lengths, especially not compared to using the extra resources for an IT department requires and trusting it to do it's job. Keeping the source seperate is simple and foolproof solution to the threat of attack from the web. It's one less thing to worry about.
Seriously, I considered downloading it since I like to toy with 3d programming, and I'd love to see how the "pros" do it, but then I realized that if I were to be caught, anything I might ever want to release myself could be considered infringement in some skewed sense. So I steered clear of it even though the educational benefits would be amazing. I've looked at the quake source code, but it didn't help me much, and by now it's horribly outdated, so seeing some real, working and current, source code to something like this would be beyond incredible for me to pick apart and analyze.
I wish VALVe could open their engine up, but I definitly understand the possibility for cheating, and their obvious right to make a profit on what so far looks incredible. I won't be buying the game for the same reason as you, no Linux client, but I know for a fact they'll do well. I hope they take the time to rework portions of the code that could allow cheating since that's probably the single worst thing that can happen to a game.
Honestly though, I'm really interested in what this will do to their overall release date, since it was already delayed for reasons unknown. Or maybe the reasons are known now, since the dates were around when it was supposed to go gold...hmmmm, makes you think.
Good luck to VALVe, take this opportunity to tighten your code and fix steam, I'm tired of hearing my Windows friends complaining about it :).
It seems like quite a few game companies are rather lacking when it comes to security. If the code is so important then why is he reading email, with Outlook no less, on a machine with access to the code? Frankly, it sounds like Valve didn't have any kind of security policy in place and they got bit by it. Hopefully they've learned their lesson.
it's almost impossible to defend against an inside job
Not sure if this has been mentioned before, but (IT) security firms generally estimate that 80% of (computer) crime come from inside a company (a disgruntled employee, low security passwords, bribes, taking data home from work etc.). Only 20% of all attacks happen from the internet. The numbers may be a bit outdated, but I doubt they have changed significantly.
I totally agree with you. Security can never be 100%, no matter how many gimmicks or firewalls you install.
My cats ate my karma. They also wrote this comment.
I noticed you worded your post very carefully, so I can't say anything to you directly. However, people like the ones you have described (be it you, or not) make me sick. They are stealing thousands of man hours from people who have poured their lives into this. Whether it be HL2, a movie, or MP3s. Yes, I used to download MP3s when I was a freshman in college, but I don't do it anymore because I've realized the ramifications of it. RIAA be damned, you're still taking money away from the people you claim to support.
/end rant
As for movies and games, I realize that many people download them as "demos" before going out and actually buying/watching the final product. This is no excuse. That's what demos and movie trailers are for. If that isn't enough for you, wait for reviews. You've waited four odd years already, another month won't kill you. I just find it heartbreaking that people will outright steal the blood, sweat, and tears of other human beings just to save a buck. I guess that's just one of the cons of the capitalist system. (And no, I'm not a communist, so please refrain from "In Soviet Russia, cons have capitalist system!")
Please, just think before you download stuff.
--------
This isn't the sig you're looking for. Move along.
Some people are acting like this is a gift from god that will force Valve to Open Source. Some are saying that it's payback for not making a Linux version. Do you guys actually believe this stuff?
Oh, as for the comments on licensing, it how much of the engine source you get depends on the licensing contract. A blanket statement like "You get it all." is erroneous.
There you have it, I don't see any post proclaiming how the attack on Valve was wrong, just people saying that this is payback for disrespecting the Linux community.
Ahhh yes, there's the Linux Way - If you can't make it yourself, use stolen code from Valve (the hard work of others) against the the very people whom you want on your side and blame Valve for not having perfect security instead of blaming the bastard who attacked them.
Let's see if they even give you the time of day on the next great game they make.
And you wonder why companies like SCO manage to make a living off you?