Slashdot Mirror


Valve Updates On Half-Life 2 Code Leak

Thanks to ShackNews for their updated report from Valve boss Gabe Newell regarding Thursday's leak of the Half-Life 2 source code. He says: "We're still finding machines internally that have been compromised" in relation to the "infiltration of our network" that led to the code leak, and warns that other developers may also be in danger: "There's anecdotal evidence that other game developers have been targeted by whoever attacked us." But he ends with a hopeful appeal to those who've been helping Valve hunt down the culprits online: "I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet."

21 of 119 comments

  1. Two machines on every desktop by Anonymous Coward · · Score: 3, Insightful

    I hope that the folks at Valve now know that they need two machines on every desk, and two networks. If they had such an arrangement (with one of the networks COMPLETELY disconnected from the Internet) this would never have happened. A company with the money that Valve has can afford this level of redundancy. I hope Valve implements something like this now (and pretty much ANY gaming or large software facility) to prevent problems like this in the future.

    1. Re:Two machines on every desktop by arkanes · · Score: 2, Informative
      Developers more than anyone need network access - documentation for libraries, IM communication with third parties that are providing those libraries, just using the internet as it was intended - as an information storage medium to look things up when you get stuck. The relaxing and stress release benefits are important too.

      It all goes back to the same old crap - employers expect total, slavish obedience and loyalty but aren't willing (as a general rule) to give anything back for that. Just being able to blow off steam about an annoying problem (or even co-worker) in an IRC channel does more for my productivity than any other single benefit. Certainly more than any company picnic or other "morale building" exercise.

    2. Re:Two machines on every desktop by Paladin128 · · Score: 2, Interesting

      Umm... this happened because of email. This happened because they got a trojan via Outlook.

      Also, as a developer who worked for 6 months at a company without net access... it sucks. No access to online developer resources. We wrote enterprise-level backup software that ran on NT, Linux, UNIX (Solaris, Irix, HP-UX, *BSD, SCO, AIX, and a bunch of others I can't remember), Novell, OS/2, and a host of others I can't remember. Getting info from various online publications was a chore. Whenever we downloaded a file on our lone internet terminal split by 40 developers, we had to burn it to CD to take it to our desks. We NEVER ran Windows Update because we couldn't, and the sysadmin didn't have time to do it during his down time, so we had to live with bugs.

      Not giving programmers Internet access is one of the dumbest things a company can do.

      --
      Lex orandi, lex credendi.
  2. Re:GPL found? by NSash · · Score: 2, Informative

    The person was probably talking about bits of the Havok engine, which is used in HL2. (Although the Havok engine is actually released under the LGPL, not the GPL.) Now, before anyone starts shooting his mouth off about "stolen GPL'd code" in Half-Life 2, Valve purchased a commercial license for the Havok engine, so there's no foul play here.

  3. Re:GPL found? by Wonko42 · · Score: 4, Informative

    From what I've read, there was apparently an initial knee-jerk reaction by some Slashdot dorks claiming that there was GPLed code in there, but a followup post by someone who wasn't retarded pointed out that the code in question was licensed under the LGPL, which allows for such uses.

  4. Hate to say it by 0x0d0a · · Score: 4, Interesting

    You know, I really hate to say it, but I'm sorry to see the source go down (Valve says that they're asking websites to take it down -- not sure if that translates to asking or sending legal threats). I'm skimming through a copy of it that I downloaded with some interest. It's not often that you get such insight into game development (post-mortems are interesting as well, but source hasn't been neatly edited). While I doubt a commercial gaming company would ever swipe code from Valve (too much potential damage -- if there's even a 10% risk of exposure, they're better off just licensing it), cheating will obviously be a problem... if I were Valve, I think I'd consider significant protocol revisions.

    Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain. (On the other hand, if it *isn't* out...)

    This is a good example of why internal security is very important. I don't use any computers at work that don't talk to each other through encrypted connections. I maintain a single trust relationship (pubkey based, not IP based), from a machine that has a superset of the information on a second machine, so there's little point in exploiting trust relationships (plus, if superset machine A were compromised, a keygrabber could easily allow compromise of machine B anyway). I don't use Windows filesharing. These are all very easy to overlook, especially during crunch time, but as Valve has discovered, while the chances of things going sour may be low, the potential damages are enormous. I would urge folks who are working with *any* kind of important IP to do the same -- do *not* rely on Windows filesharing, do *not* use trust relationships, and do not use unencrypted connections, even on your local network. SFTP exists and there are free clients all over -- you do not have a good excuse for using FTP.

    This is also another example of why it may be worthwhile to have a network admin that does regular security audits. It takes additional time, and the vast majority of time that cost is overhead, but Valve is certainly regretting not doing so at the moment. (We have irregular security audits, which is better than nothing, but obviously not ideal.)

    Finally, I'd like to say "chin up" to the folks at Valve. This sort of thing can be very frustrating, and I'm sure it hasn't helped morale at Valve much, but it's not a game-killer, even if it necessitates changes in the protocol or game engine, and a release delay. Good luck -- I probably won't buy your game, since it's unlikely that there'll be a Linux client, but I expect you'll have healthy sales.

    As for other folks -- remember crack.com, remember Valve -- secure your damn networks already.

    1. Re:Hate to say it by NSash · · Score: 5, Informative
      Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain.

      They're talking about the Havok physics engine. Two things:

      1. It's LGPL, not GPL
      2. Valve is using the Havok physics engine under a commercial license, so it's legit.

    2. Re:Hate to say it by psyco484 · · Score: 4, Insightful
      VALVe officially "0wnZ j00," should've posted anonymously...

      Seriously, I considered downloading it since I like to toy with 3d programming, and I'd love to see how the "pros" do it, but then I realized that if I were to be caught, anything I might ever want to release myself could be considered infringement in some skewed sense. So I steered clear of it even though the educational benefits would be amazing. I've looked at the quake source code, but it didn't help me much, and by now it's horribly outdated, so seeing some real, working and current, source code to something like this would be beyond incredible for me to pick apart and analyze.

      I wish VALVe could open their engine up, but I definitely understand the possibility for cheating, and their obvious right to make a profit on what so far looks incredible. I won't be buying the game for the same reason as you, no Linux client, but I know for a fact they'll do well. I hope they take the time to rework portions of the code that could allow cheating since that's probably the single worst thing that can happen to a game.

      Honestly though, I'm really interested in what this will do to their overall release date, since it was already delayed for reasons unknown. Or maybe the reasons are known now, since the dates were around when it was supposed to go gold...hmmmm, makes you think.

      Good luck to VALVe, take this opportunity to tighten your code and fix steam, I'm tired of hearing my Windows friends complaining about it :).

  5. some stupid comments here already by Anonymous Coward · · Score: 4, Insightful

    Two machines on every desk!

    They're developing a game with multiplayer internet capabilities and internet-based content delivery. How are they supposed to not connect their development machines to the internet? If they aren't to ship with networking, sure.

    The code should be locked up!

    Every programmer, licensee - and presumably a few hardware developers (such as ATI) - would have the code. It would be sitting in a source control database somewhere, plus probably daily backups would be taken of that database. Employees might also be allowed to take their work home with them. For example, I'm a programmer (no, not at Valve) and can connect to my work LAN using a VPN and get direct access to the SourceSafe databases for our various projects.

    They're using GPL source code they've not released!

    Um... newsflash: Half-Life 2 isn't out yet. Way to start bitching about something that's not happened yet. Even if it did include GPL'd code - by the GPL terms they only have to release that code when the product is for sale. If they have included such code, I'd imagine it's LGPL - and they wouldn't have to release code they've used provided they didn't change it.

    Anyway... Microsoft security = some very scary shit. I thought they'd solved the autorunning-virus-in-your-email thing, but I guess not. I patched the crap out of my Windows installation today, stopped using Outlook Express, went back to Pine for email and started using Mozilla Firebird. If I could work out why KDE 3.1 keeps hanging on me under FreeBSD 5.1, I'd move in that direction.

  6. Re:Oi! by Anonymous Coward · · Score: 2, Insightful

    It seems like quite a few game companies are rather lacking when it comes to security. If the code is so important then why is he reading email, with Outlook no less, on a machine with access to the code? Frankly, it sounds like Valve didn't have any kind of security policy in place and they got bit by it. Hopefully they've learned their lesson.

  7. Linux port by mmmjoy · · Score: 5, Interesting

    Looking through the code there is a directory called linux, full of makefiles and also #ifdef _LINUX switches through the code (especially in the parts using inline assembly). Whether this is just for the server or not I can't tell.

    The linux makefiles work to an extent, but only after you rework some of the code. I've got to a point where there's some calculations done in asm that I can't get to compile.

    If anyone has got further than that (I can compile up to studiorender/cstudiorender.cpp ) I would love to hear about it.

    1. Re:Linux port by mchappee · · Score: 3, Interesting

      All the way.

      It took some effort, but I coaxed it into compiling and I got about 8 libraries and an executable. I had to go back and do some fixing, but after that it ran. It exited immediately after running. I stopped hacking on it after that. Anyway, it is just the server. However, it looks like the whole engine and helper libraries compile for use by the server. I'm waiting on a hint from valve as to whether they're going to get nasty about people messing with the code. I hope they take the attitude that you can't turn cheese back into milk, and adopt a noble policy wrt people messing around for curiosity's sake. If I see that I'll go further. I'd love to see just how far away a linux client is.

      BTW, I'm not bragging about being 1337 or anything. It's code, I'm a programmer, I was curious. That's why I'm not posting anonymously. Don't even ask for the results, they are not available. Maybe if Valve does something cool, like releases under the Sun CL, or even the GPL (yeah right).

      I've never been a Valve fan. I'm a linux user, and only a linux user. One of the privileged few that get to use linux exclusively at home and work. That means that Valve allows me to further their cause by running a server but denies me the pleasure of playing their game. It's like they're throwing a party in my house and won't let me come. :-) It's obviously not worth installing/booting windows.

      Gabe, what do you say? Can I come to your party? I'll help out.

      Matthew

      --
      /. finds me to be 20% Troll, 80% Funny
  8. Re:I don't see why by neglige · · Score: 3, Insightful

    it's almost impossible to defend against an inside job

    Not sure if this has been mentioned before, but (IT) security firms generally estimate that 80% of (computer) crime comes from inside a company (a disgruntled employee, low security passwords, bribes, taking data home from work etc.). Only 20% of all attacks happen from the internet. The numbers may be a bit outdated, but I doubt they have changed significantly.

    I totally agree with you. Security can never be 100%, no matter how many gimmicks or firewalls you install.

    --
    My cats ate my karma. They also wrote this comment.
  9. So WTF by TheOnlyCoolTim · · Score: 2, Funny

    These guys are smart enough to completely own Valve's computers but they're not smart enough to realize that you have to get the art, sounds, levels, and such too if you want to play Half-Life 2.

    Tim

    --
    Omnia vestra castrorum habetur nobis.
    1. Re:So WTF by gavinroy · · Score: 2

      They didn't steal the *source* to play the game, they stole the code to exploit it. (Cheats, hacks, etc).

      This is very bad news for the existing hl community. The hlds code that can run hl1 games is there for example. They can hack that to cheat.

      The CD Key verification code is there. I don't think I need to comment on why that's bad.

      The anti-proxy/aimbot obfuscation code is there. Most of this code could be legacy hl1 code or share common patches. This IS VERY BAD.

      This isn't just bad for HL2 delay, this has negative ramifications for the most popular game/game server engine out there right now (HL/HLSDS).

      What I've not heard about being there is any steam code, *but* if steam client code is there, there's even a bigger problem now.

      The GPL issue is actually an LGPL code snippet in the Havok engine which is a 3rd party licensed physics engine, and the LGPL allows its redistribution without the open source.

  10. Linux port? by Ender+Ryan · · Score: 2
    Maybe a pissed off Linux user "stole" the code in order to get someone to port it to Linux?

    I would really like to see a Linux port, is anyone working on it yet? :)

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  11. Re:Hate to say it..... by kaellinn18 · · Score: 2, Insightful

    I noticed you worded your post very carefully, so I can't say anything to you directly. However, people like the ones you have described (be it you, or not) make me sick. They are stealing thousands of man hours from people who have poured their lives into this. Whether it be HL2, a movie, or MP3s. Yes, I used to download MP3s when I was a freshman in college, but I don't do it anymore because I've realized the ramifications of it. RIAA be damned, you're still taking money away from the people you claim to support.

    As for movies and games, I realize that many people download them as "demos" before going out and actually buying/watching the final product. This is no excuse. That's what demos and movie trailers are for. If that isn't enough for you, wait for reviews. You've waited four odd years already, another month won't kill you. I just find it heartbreaking that people will outright steal the blood, sweat, and tears of other human beings just to save a buck. I guess that's just one of the cons of the capitalist system. (And no, I'm not a communist, so please refrain from "In Soviet Russia, cons have capitalist system!")

    Please, just think before you download stuff.
    /end rant

    --

    --------
    This isn't the sig you're looking for. Move along.
  12. Re:dont get it by Haeleth · · Score: 2, Informative

    If you'd been looking forward for most of the year to the release of one of the most hyped games ever, and then someone leaked the source code, making it pretty likely that the game's release will be pushed back several months - wouldn't you be, oh, mildly irritated?

    Crackers are happy. A lot of legit hackers and coders are happy as well, because you don't get to see this sort of code every day. But gamers? Gamers don't want source code, they want the damn finished product!

  13. Some of the comments around here astound me. by DaveCBio · · Score: 4, Insightful

    Some people are acting like this is a gift from god that will force Valve to Open Source. Some are saying that it's payback for not making a Linux version. Do you guys actually believe this stuff?

    Oh, as for the comments on licensing, how much of the engine source you get depends on the licensing contract. A blanket statement like "You get it all." is erroneous.

  14. They asked for it... by Anonymous Coward · · Score: 2, Funny

    They named the company Valve, they should expect leaks!

  15. Other Developers? - Uh-oh by deminisma · · Score: 4, Funny

    "There's anecdotal evidence that other game developers have been targeted by whoever attacked us."

    Bad news for 3D Realms today - Duke Nukem Forever source liberated. Sadly, there wasn't that much to liberate.

    Here it is, contents of dukeforever.c:

    #include <stdio.h>

    int main(void)
    {
        printf("Duke Nukem Forever\n");
        return 0;
    }