Valve Updates On Half-Life 2 Code Leak

Thanks to ShackNews for their updated report from Valve boss Gabe Newell regarding Thursday's leak of the Half-Life 2 source code. He says: "We're still finding machines internally that have been compromised" in relation to the "infiltration of our network" that led to the code leak, and warns that other developers may also be in danger: "There's anecdotal evidence that other game developers have been targeted by whoever attacked us." But he ends with a hopeful appeal to those who've been helping Valve hunt down the culprits online: "I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet."

Re:GPL found?

[Wonko42]

From what I've read, there was apparently an initial knee-jerk reaction by some Slashdot dorks claiming that there was GPLed code in there, but a followup post by someone who wasn't retarded pointed out that the code in question was licensed under the LGPL, which allows for such uses.

Hate to say it

[0x0d0a]

You know, I really hate to say it, but I'm sorry to see the source go down (Valve says that they're asking websites to take it down -- not sure if that translates to asking or sending legal threats). I'm skimming through a copy of it that I downloaded with some interest. It's not often that you get such insight into game development (post-mortems are interesting as well, but source hasn't been neatly edited). While I doubt a commercial gaming company would ever swipe code from Valve (too much potential damage -- if there's even a 10% risk of exposure, they're better off just licensing it.) Cheating will obviously be a problem...if I were Valve, I think I'd consider significant protocol revisions.

Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain. (On the other hand, if it *isn't* out...)

This is a good example of why internal security is very important. I don't use any computers at work that don't talk to each other through encrypted connections. I maintain a single trust relationship (pubkey based, not IP based), from a machine that has a superset of the information on a second machine, so there's little point in exploiting trust relationships (plus, if superset machine A were compromised, a keygrabber could easily allow compromise of machine B anyway). I don't use Windows filesharing. These are all very easy to overlook, especially during crunch time, but as Valve has discovered, while the chances of things going sour may be low, the potential damages are enormous. I would urge folks who are working with *any* kind of important IP to do the same -- do *not* rely on Windows filesharing, do *not* use trust relationships, and do not use unencrypted connections, even on your local network. SFTP exists and there are free clients all over -- you do not have a good excuse for using FTP.

This is also another example of why it may be worthwhile to have a network admin that does regular security audits. It takes additional time, and the vast majority of time that cost is overhead, but Valve is certainly regretting not doing so at the moment. (We have irregular security audits, which is better than nothing, but obviously not ideal.)

Finally, I'd like to say "chin up" to the folks at Valve. This sort of thing can be very frusterating, and I'm sure it hasn't helped morale at Valve much, but it's not a game-killer, even if it necessitates changes in the protocol or game engine, and a release delay. Good luck -- I probably won't buy your game, since it's unlikely that there'll be a Linux client, but I expect you'll have healthy sales.

As for other folks -- remember crack.com, remember Valve -- secure your damn networks already.

Re:Hate to say it

[NSash]

Some people have said that Valve has included GPLed code in the Half Life 2 code. Dunno as to whether this is true, but I'd like to point out that while this is technically not kosher, I suspect that a lot of places do it -- as long as it's out by release time, I very much doubt that anyone will complain.

They're talking about the Havok physics engine. Two things:

1. It's LGPL, not GPL
2. Valve is using the Havok physics engine under a commercial license, so it's legit.

Re:Hate to say it

[psyco484]

VALVe officially "0wnZ j00," should've posted anonymously...

Seriously, I considered downloading it since I like to toy with 3d programming, and I'd love to see how the "pros" do it, but then I realized that if I were to be caught, anything I might ever want to release myself could be considered infringement in some skewed sense. So I steered clear of it even though the educational benefits would be amazing. I've looked at the quake source code, but it didn't help me much, and by now it's horribly outdated, so seeing some real, working and current, source code to something like this would be beyond incredible for me to pick apart and analyze.

I wish VALVe could open their engine up, but I definitly understand the possibility for cheating, and their obvious right to make a profit on what so far looks incredible. I won't be buying the game for the same reason as you, no Linux client, but I know for a fact they'll do well. I hope they take the time to rework portions of the code that could allow cheating since that's probably the single worst thing that can happen to a game.

Honestly though, I'm really interested in what this will do to their overall release date, since it was already delayed for reasons unknown. Or maybe the reasons are known now, since the dates were around when it was supposed to go gold...hmmmm, makes you think.

Good luck to VALVe, take this opportunity to tighten your code and fix steam, I'm tired of hearing my Windows friends complaining about it :).

some stupid comments here already

Two machines on every desk!

They're developing a game with multiplayer internet capabilities and internet-based content delivery. How are they supposed to not connect their development machines to the internet? If they aren't to ship with networking, sure.

The code should be locked up!

Every programmer, licensee - and presumably a few hardware developers (such as ATI) - would have the code. It would be sitting in a source control database somewhere, plus probably daily backups would be taken of that database. Employees might also be allowed to take their work home with them. For example, I'm a programmer (no, not at Valve) and can connect to my work LAN using a VPN and get direct access to the SourceSafe databases for our various projects.

They're using GPL source code they've not released!

Um... newsflash: HalfLife 2 isn't out yet. Way to start bitching about something that's not happened yet. Even if it did include GPL'd code - by the GPL terms they only have to release that code when the product is for sale. If they have included such code, I'd imagine it's LGPL - and they wouldn't have to release code they've used provided they didn't change it.

Anyway... Microsoft security = some very scary shit. I thought they'd solved the autorunning-virus-in-your-email thing, but I guess not. I patched the crap out of my Windows installation today, stopped using Outlook Express, went back to Pine for email and started using Mozilla Firebird. If I could work out why KDE 3.1 keeps hanging on me under FreeBSD 5.1, I'd move in that direction.

Linux port

[mmmjoy]

Looking through the code there is a directory called linux, full of makefiles and also #ifdef _LINUX switches through the code (especially in the parts using inline assembly). Whether this is just for the server or not I can't tell.

The linux makefiles work to an extent, but only after you rework some of the code. I've got to a point where there's some calculations done in asm that I can't get to compile.

If anyone has got further than that (I can compile up to studiorender/cstudiorender.cpp ) I would love to hear about it.

Some of the comments around here astound me.

[DaveCBio]

Some people are acting like this is a gift from god that will force Valve to Open Source. Some are saying that it's payback for not making a Linux version. Do you guys actually believe this stuff?

Oh, as for the comments on licensing, it how much of the engine source you get depends on the licensing contract. A blanket statement like "You get it all." is erroneous.

Other Developers? - Uh-oh

[deminisma]

"There's anecdotal evidence that other game developers have been targeted by whoever attacked us."

Bad news for 3D Realms today - Duke Nukem Forever source liberated. Sadly, there wasn't that much to liberate.

Here it is, contents of dukeforever.c:

main()
{
printf("Duke Nukem Forever\n");
}