Slashdot Mirror


Valve Updates On Half-Life 2 Code Leak

Thanks to ShackNews for their updated report from Valve boss Gabe Newell regarding Thursday's leak of the Half-Life 2 source code. He says: "We're still finding machines internally that have been compromised" in relation to the "infiltration of our network" that led to the code leak, and warns that other developers may also be in danger: "There's anecdotal evidence that other game developers have been targeted by whoever attacked us." But he ends with a hopeful appeal to those who've been helping Valve hunt down the culprits online: "I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet."

6 of 119 comments

  1. I don't see why by silan · Score: 0, Interesting

    they stored the source on a computer connected to the internet in the first place, and further, I don't see why they didn't take it off once they noted the suspicious activity...

    It's fishy

  2. Hate to say it by 0x0d0a · Score: 4, Interesting

    You know, I really hate to say it, but I'm sorry to see the source go down (Valve says that they're asking websites to take it down -- not sure if that translates to asking or sending legal threats). I'm skimming through a copy of it that I downloaded with some interest. It's not often that you get such insight into game development (post-mortems are interesting as well, but source hasn't been neatly edited). While I doubt a commercial gaming company would ever swipe code from Valve (too much potential damage -- if there's even a 10% risk of exposure, they're better off just licensing it), cheating will obviously be a problem...if I were Valve, I think I'd consider significant protocol revisions.

    Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain. (On the other hand, if it *isn't* out...)

    This is a good example of why internal security is very important. I don't use any computers at work that don't talk to each other through encrypted connections. I maintain a single trust relationship (pubkey based, not IP based), from a machine that has a superset of the information on a second machine, so there's little point in exploiting trust relationships (plus, if superset machine A were compromised, a keygrabber could easily allow compromise of machine B anyway). I don't use Windows filesharing. These are all very easy to overlook, especially during crunch time, but as Valve has discovered, while the chances of things going sour may be low, the potential damages are enormous. I would urge folks who are working with *any* kind of important IP to do the same -- do *not* rely on Windows filesharing, do *not* use trust relationships, and do not use unencrypted connections, even on your local network. SFTP exists and there are free clients all over -- you do not have a good excuse for using FTP.

    This is also another example of why it may be worthwhile to have a network admin that does regular security audits. It takes additional time, and the vast majority of time that cost is overhead, but Valve is certainly regretting not doing so at the moment. (We have irregular security audits, which is better than nothing, but obviously not ideal.)

    Finally, I'd like to say "chin up" to the folks at Valve. This sort of thing can be very frustrating, and I'm sure it hasn't helped morale at Valve much, but it's not a game-killer, even if it necessitates changes in the protocol or game engine, and a release delay. Good luck -- I probably won't buy your game, since it's unlikely that there'll be a Linux client, but I expect you'll have healthy sales.

    As for other folks -- remember crack.com, remember Valve -- secure your damn networks already.

  3. Linux port by mmmjoy · Score: 5, Interesting

    Looking through the code there is a directory called linux, full of makefiles and also #ifdef _LINUX switches through the code (especially in the parts using inline assembly). Whether this is just for the server or not I can't tell.

    The linux makefiles work to an extent, but only after you rework some of the code. I've got to a point where there's some calculations done in asm that I can't get to compile.

    If anyone has got further than that (I can compile up to studiorender/cstudiorender.cpp ) I would love to hear about it.

    1. Re:Linux port by mchappee · Score: 3, Interesting

      All the way.

      It took some effort, but I coaxed it into compiling and I got about 8 libraries and an executable. I had to go back and do some fixing, but after that it ran. It exited immediately after running. I stopped hacking on it after that. Anyway, it is just the server. However, it looks like the whole engine and helper libraries compile for use by the server. I'm waiting on a hint from valve as to whether they're going to get nasty about people messing with the code. I hope they take the attitude that you can't turn cheese back into milk, and adopt a noble policy wrt people messing around for curiosity's sake. If I see that I'll go further. I'd love to see just how far away a linux client is.

      BTW, I'm not bragging about being 1337 or anything. It's code, I'm a programmer, I was curious. That's why I'm not posting anonymously. Don't even ask for the results, they are not available. Maybe if Valve does something cool, like releases under the Sun CL, or even the GPL (yeah right).

      I've never been a Valve fan. I'm a linux user, and only a linux user. One of the privileged few that get to use linux exclusively at home and work. That means that Valve allows me to further their cause by running a server but denies me the pleasure of playing their game. It's like they're throwing a party in my house and won't let me come. :-) It's obviously not worth installing/booting windows.

      Gabe, what do you say? Can I come to your party? I'll help out.

      Matthew

      --
      /. finds me to be 20% Troll, 80% Funny

  4. Re:Two machines on every desktop by Paladin128 · Score: 2, Interesting

    Umm... this happened because of email. This happened because they got a trojan via Outlook.

    Also, as a developer who worked for 6 months at a company without net access... it sucks. No access to online developer resources. We wrote enterprise-level backup software that ran on NT, Linux, UNIX (Solaris, Irix, HP-UX, *BSD, SCO, AIX, and a bunch of others I can't remember), Novell, OS/2, and a host of others I can't remember. Getting info from various online publications was a chore. Whenever we downloaded a file on our lone internet terminal split by 40 developers, we had to burn it to CD to take it to our desks. We NEVER ran Windows Update because we couldn't, and the sysadmin didn't have time to do it during his down time, so we had to live with bugs.

    Not giving programmers Internet access is one of the dumbest things a company can do.

    --
    Lex orandi, lex credendi.

  5. Taking source code home by Anonymous Coward · Score: 1, Interesting

    I do that all the time, my source code and all the company work I do at home is on an encrypted .DMG on my iPod.
    If someone stole it or even the machines at work, all the data is unusable since to mount the dmg image on OS X you need the password. I create 4.7 DMG images to burn on DVD once a month in case of hardware failures.
    This is very useful for me and protects the company.