Half-Life 2 Delayed Following Code Leak
jhol writes "CNN is reporting that Half-Life 2 is delayed "by at least four months, that is to April 2004.", due to the code leak. VU Games has already suffered a 29% fall in revenue and an operating loss of $61.36 million this year. A Christmas release of Half-Life 2 would probably have been most welcomed." Update: 10/07 20:38 GMT by S : CNN Money are now reporting there's a newly public leak, allegedly involving a partially playable, Beta pre-release of the game.
I have to wonder how long until people start to realize that for truly critical (read millions of dollars) work, you're best off having the production machines OFFLINE.
It would be a pain in the ass only being able to code on one machine, but even something as simple as a KVM switch would make it tolerable.
No internet, and none of this stuff is a problem. Not to mention you can keep working while various worms/viruses make their rounds.
The 'net is just too insecure these days, especially if you're running some version of Windows.
This is complete B.S. Why would having their code leaked force them to rewrite the game. Some people may say that it's due to cheat prevention... but c'mon. Security through obscurity is no security at all, if that's what they were relying on.
This is nothing more than them using this as an excuse for delaying the game - something that would have happened anyway. Also, by saying this, if they find the people that hacked their systems, they can sue for large monetary damages.
Why exactly should this delay the game? If it was close to being ready, and according to their release date(s) they should have been pretty close, why are we expected to believe a delay until April?
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
Was the code that was stolen then deleted by the thief? Why would this cause any sort of delay? This sounds like a fairly lame excuse for shipping late.
It only makes sense that code that would generate millions of dollars in revenue for Valve would be backed up quite regularly offsite.
Forget the whales - save the babies.
Are you serious? How much money do you think Valve makes off of the sale of a game? How many MILLIONS?
Do you HONESTLY think that they would even make 1/10 of that soliciting for donations from the good of one's heart?
How much money do you think cdex + xiph + bittorrent + scorched3d + blender + tons o' other donation-based projects get per year? Answer) A mere fraction of a fraction of a fraction as much as Valve does.
"allowing free reign for cheat coders and (most likely) unlimited cd keys... is six months really enough time to really fix these holes"
Err yes! 6 HOURS should be enough to come up with a new key generation algorithm! As for cheat coders, they can disassemble the executable anytime, they don't need the source code and in fact it probably wouldn't be much help anyway. As other people have said, this is just BS to cover up more delays.
No Mac version of Half-Life....'nuff said
My other sig is extremely clever...
Yeah, or they could consider free copying of the games as promotion for their concerts, where they make the real money.
When will Slashdot users grow up?
Games, movies, and even songs from the Backstreet Boys cost huge amounts of money to produce. You will be charged for copies, one way or another.
If people can't figure out how to slow down this ridiculous level of IP theft pretty damn soon, I guarantee you that we will have DRM shoved down our throats. In this case already, the delay of several months is probably to put in place what is effectively DRM, in order to cut down on multiplayer cheats.
Still, it sounds more like this is a convenient excuse for late delivery to me. I'm sure this guy's email really was compromised, and hey, it sounds good to the uninitiated - "our code was 'stolen', we have to go rewrite a lot of it, we'll be delayed by a few months".
Good idea. They could ask for $15 million or so and set up a Paypal link.
Better idea: they could set up a separate paypal link for each employee's paycheck!
It's obvious though that since the code was stolen, they need to completely change their business plan. That is obvious. There is no way that anyone else could possibly sell software now. Microsoft should give up selling software too, someone might steal the sourcecode to Wordpad.
It's not because the game leaked, but because the underlying systems that ensure that players can't easily cheat, warez the game, or access the personal information of other players.
Part of what was compromised was probably the code that handles CD key authentication, user online authentication, etc. So clearly warez and such for this game could be hugely rampant.
Part of what was compromised was probably the code that handles Valve's anti cheat system. So clearly the cheats that override that system could be hugely rampant.
Part of what was compromised was probably the code that is the game's engine. So clearly there could be cheat authors easily creating wall hacks, aim bots, and any number of other cheats.
Part of what was compromised was probably the code that handles purchasing the game over Steam. So clearly there could be some risk of credit card and online commerce fraud, personal information leaks, etc.
Look at it this way. The blueprints and plans for the bank got stolen. Thieves are studying them now. The bank is going over the blueprints with a fine toothed comb to fix the obvious (and not so obvious) weaknesses which are more clear when you have the plans.
Makes sense. There is really no reason to release the game as early as last month or even December. They really have no competition (next-gen FPS) other than Doom3, which won't show up until late next year. On top of that, they are just slightly too advanced for the current hardware out there. I mean, it appears that top-of-line hardware is required to even play the game at an acceptable rate. $400 dollars vid cards should never be *required* for a game. And don't think nVidia isn't heavily involved, either.
This is all marketing. The truth is, HL2 will have a better market 6 months down the road than in December. There will be more hype and more people who can afford the HW to play it.
How many whiny posts do there need to be on: "Why did they have to delay it? This is BS". Well, here is a reason. If your company just got hacked into and important information was stolen and leaked, instead of working on the product, you have to find what the vulnerability was, how to do damage control, how to re-structure how you do business so it doesn't happen again (i.e. redesign the network and create new security policies), and then have to get back to work on finishing the product while trying to make sure that anything cheaters would have gained from the source is fixed. I would say that is a pretty large amount to do in a few months. Don't you think they would love to get it out so they can make money? Just use some freaking common sense here. If you are surprised by these delays, then you didn't think very hard. If you are upset by the delays, join the crowd, hunt the hackers, whatever. Just relax, it's a game, go buy a different one. It's not the end of the world.
Support a great indie game: http://www.abaddon360.com
When will Slashdot users grow up?
When people realize that when one slashdot user speaks, he doesn't speak for all slashdot users.
maybe online play doesn't matter to you, but i'd say that online play matters a LOT to most gamers. if not "most" it is certainly safe to classify it as "millions."
they've been working on this for 5 years. it's easy to say how long YOU think it should take them to rewrite parts that were stolen. you don't have to rewrite it. you don't even know what it is they have to re-implement.
anyway, we still haven't heard from valve. before we re-invent all of their intentions, why don't we read what valve has to say about this?
you probably shouldn't have read this.
moreover, IT'S A SINGLE PLAYER GAME mainly. and fuck, some id's games can be played pretty decently still on public servers when the source has been out for years
No one would still be playing Half-Life if it was selling for single player only (that being said, it's sold about 140x as many copies as there have been people playing it online).
As for id's games, Quake was completely pointless to play after the source was released. It may be significantly better now, after people have spent years working on anti-cheat software for the game, but for the year after release you couldn't join a game without at least one person using a blatantly hacked client, and who knows how many others using more subtle cheats. I didn't even bother trying Quake 2 after the source release, as I was already playing TFC (and by that time dealing with cheaters there, too).
That being said, I can only see the source release being a fairly minor delay, depending on how heavily Steam and the CD key verification need to be rewritten. For the rest of their code, they just need to be extra careful in reviewing their code for exploits, as now they have plenty of other eyes looking for anything that might be missed in the final code, and probably at least a dozen little utilities being developed to scan the HL2 binaries for anything found in that code.
-PainKilleR-[CE]
"Well, before you start blasting Valve, why don't you actually read up on the hack? It was a buffer overflow in the Outlook preview pane that allowed the hacker to install custom versions of RemoteAnywhere."
Allegedly.
And when was that exploit patched in Outlook Express?
I think it's perfectly justifiable to have a giggle at Valve because that's the kind of schoolboy error that companies are not supposed to fall victim to, especially software companies.
Oddly Draconis
Too cynical to live, too stubborn to die.
I swear just about every darn forum has someone posting about how much Valve deserved this.
Some examples along the lines of the lame justifications I have heard:
"They promised it on Sept 30th."
Correct me if I am wrong, but I don't remember Valve officially announcing a Sept 30th date. I wonder if these brain dead morons took the retailers dates as a fact.
"They hyped the game, and they are teasing us."
I can't even begin to say why this is a stupid reason. All I can say is that it is more than likely you hyped the game. I don't think they were teasing us, they announced the game when it is very close to ready instead of hyping the hell out of it for several years when they had nothing (i.e. Duke Nukem Forever).
"It will help the Mod makers."
I would think that mod makers would have more ethics than to download and use the unofficially released code. Considering that Valve is going to have to re-write a lot of their code this leak might as well be useless to them. They are better off waiting for the official SDK.
I think I have covered the main ones, feel free to add any more stupid "they deserved this" excuses you find.
Slashdot isn't populated by 400,000 clones of Richard Stallman. Many of us are sane people. It is quite possible for people to read slashdot and write closed source code. I personally, for example, feel that there is a place for open code, and a place for closed code. Neither option is the correct choice for all situations.
I am surprised, however, that none of the security gurus that post here on a regular basis have commented on the fact that had the game been written correctly and securely, even the source wouldn't have assisted cheaters, and this delay could have been avoided. That is, of course, if you believe the leak was really the cause of the delay and not just an excuse to mask that they're not really done yet.
One last thing:
And are they not going to charge the public money to buy a license for said game?
The game engine itself is worthless to the average game consumer. They make their money on retail licenses of the data. The reason they have a closed source game engine is so they can license it to other developers. If they were only aiming for retail revenue, an open source engine would have been a perfectly valid option.
There's a TCO argument if I ever heard one.
boycott slashdot February 10th - 17th check out: altSlashdot.org
In your online poker example you can have a central trusted server that ensures that nobody is cheating (at least technically).
There is no way to do that with FPS's (not yet at least). The amount of info that would be needed to be passed between the client and the server in FPS games would be crippling if you expected the server to be the final arbitrator of all actions.
The only way FPS games can maintain the required speed is by offloading the majority of processing to the individual clients. In order to do this you have to trust the client. One of the key ways to trust the client is to obfuscate it. Not perfect, but at least it's one level more of protection than you would have if somebody has your source.
Really, the only way to protect the code is to build in some kind of self sanity check (i.e. return some kind of checksum to the server which verifies the client). This is only as good as the verification routine though. Once the method of verification is determined you're back to square one. You can improve upon this by constantly supplying new verification code to the client but it still comes down to security through obscurity.
When you need to trust your client but you don't have control over it this is about all you can do.
You are apparently not a programmer.
*Most* released software has known bugs in it, but is released when the software is in a good enough state.
Quake 1's QuakeC API code had lots of TODO's and even comments like "Oooh really ugly hack coming up!" in the code. Yet, Quake 1 *was* released and *was* a huge success. And even the unpatched version was very playable and of release-quality.
The same goes for Doom's later released source code, etc, etc...
So, once again, pretty much all released software has bugs. Nothing wrong with that. The problem is if the software has obvious glaring bugs, but a simple TODO/BUG entry won't tell you that.
Beware: In C++, your friends can see your privates!
I bet Slashdot wouldn't be so smug if the attacker had gotten in via the also patched SSH exploits that were out recently.
Yes we would be.
It is one thing to have a bug (i.e. buffer overflow) which can be exploited. That can happen to anyone.
It is a whole different thing to have software that is not designed with security in mind. SSH is designed to be secure. Outlook is not. IIS is not.
You're comparing a bug (which anyone can have) to a security design problem (which Microsoft seems to have plenty of).
Running a web server under the System account? Executing strange code merely by receiving e-mail? Showing spammer's links to external graphics by default? A web server that allows dot-dot-slash URL's to serve (or execute) files outside the WWWRoot directory? The people who wrote this were NOT thinking the slightest about security.
Um, yes we would still be as smug. And rightfully so.
I'll see your senator, and I'll raise you two judges.
There IS such a thing as an intranet that is physically separated from the internet.. internal servers completely inaccessible from the commercial 'net.. KVM switches so all machines are accessible from one workstation.. completely internal secure shell, telnet, ftp, whatever. A setup like that is totally realistic and desirable for a production and/or testbed environment.
Of course, this eliminates the ability of a coder to work from home or do things like surf the internet and check e-mail from the same box they code on.. But if you don't want your code leaked, don't put it on a box that's in any way accessible from the commercial internet.
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
I think he was saying that they have to halt everything for 4+ months because if somebody has seen the source, they can cheat. But with a game, that is somewhat understandable. Somebody can change their executable to, say, aim automatically, or draw all of the walls 75% transparent, or something. It's not like a ftp daemon, where just because they see the source doesn't mean they can hack a server.
There is NO way to prevent that. How would you do it? Checksum on the executable they are running? They could send you whatever value they want. Have a separate app that checksums both files? That is how current anti-cheat systems work. They are pretty good, but not 100%. The only way to get the people with the source at about the same cheating-ability-level would be to change the protocols so they would have to do some work to actually get it to connect. And change the file formats so it won't be able to load the game maps without some work, either. And they can't be minor changes, because the less work the changes were, the less work the hackers have to do to make the same changes.
The piracy thing isn't as much of an issue. Sure, a pirated version will run single player, which is a good game in and of itself (Judging by the first one.) But it won't play online. With a few changes, this could be extended to the single player game as well. When you install, it tells Valve your CD key and registers you. Whenever you play single player, it tells Valve that you are playing. Sure, you could play single player if you disconnect your internet (Because it would SUCK if you MADE them so they had to connect for single player) but how many people would be willing to do that? And as for being able to change the binary so that it doesn't check for the cd....Half-Life doesn't check for the CD.
On the other hand, STEAM shouldn't be compromised because somebody saw the source! It isn't like a game, it's like FTP. Seeing code for the client shouldn't let you download whatever you want. If they do ANY authorization at the client, its their own damn fault. NEVER TRUST THE CLIENT.
Oops, I didn't say "Security through obscurity" once :O
ASCII stupid question, get a stupid ANSI
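[Added example, not written by any poster in this thread and not Valve's or Steam's code: a sketch of the point made in the comments above about self-reported checksums and client-side authorization. A download server that decides from values the client reports about itself is compared with one that decides only from server-held state. All names, accounts and products here are hypothetical and the data is constructed.]

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the server's own record of what each account paid for.
ENTITLEMENTS = {"alice": {"game-a"}, "bob": set()}
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server
# Checksum of the shipped client: anyone holding the binary can compute it.
KNOWN_GOOD = hashlib.sha256(b"official client build").hexdigest()


def _tag(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str) -> str:
    """Token handed out after login (the login step itself is out of scope)."""
    return f"{user}:{_tag(user)}"


def authenticate(token: str):
    """Return the user name if the token's MAC verifies, else None."""
    user, _, tag = token.rpartition(":")
    ok = hmac.compare_digest(tag.encode(), _tag(user).encode())
    return user if user and ok else None


def grant_trusting_client(request: dict) -> bool:
    """Weak design: decides from values the client computed about itself."""
    return (request.get("client_checksum") == KNOWN_GOOD
            and request.get("owns_game") is True)


def grant_server_side(request: dict) -> bool:
    """Decides only from server-held state; client-supplied claims are ignored."""
    user = authenticate(request.get("token", ""))
    return user is not None and request.get("product") in ENTITLEMENTS.get(user, set())


def demo() -> dict:
    claims = {"product": "game-a", "client_checksum": KNOWN_GOOD, "owns_game": True}
    # bob has bought nothing; his altered client reports the official checksum anyway.
    modified = dict(claims, token=issue_session("bob"))
    paying = dict(claims, token=issue_session("alice"))
    bad_token = dict(claims, token="alice:" + "0" * 64)  # MAC made without the key
    return {
        "weak/modified": grant_trusting_client(modified),
        "strong/modified": grant_server_side(modified),
        "strong/paying": grant_server_side(paying),
        "strong/bad_token": grant_server_side(bad_token),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:18} granted={granted}")
```

[Reading the client source changes nothing for `grant_server_side`, because the only secret it relies on is the key held on the server.]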
It's already in place and seems to function.
It's called paying for the damn game.
It's not offtopic, dumbass. It's orthogonal.
Next you will tell me that XP is so full of holes because someone "stole" its source code before M$ sold it to China and the former KGB. That's almost as good as them swearing that revealing the source code to Windoze would be a national security disaster. Give me a break, will you?
Warez only needs to hack a binary copy.
Cheats only need to watch their traffic.
None of this makes a difference if the system is well made to begin with. This is why OpenSSH is a secure system despite open publication of its source code.
This is just more anti-open and anti-free FUD. Shame on VU for using Outlook and M$ for anything they wanted to keep to themselves. Shame on them for blaming software and the philosophy behind it for their own failures and shame on them for not being able to get their shit together. ID games rules, VU drools under Bill Gates' thumb.
Friends don't help friends install M$ junk.