Half-Life 2 Delayed Following Code Leak

jhol writes "CNN is reporting that Half-Life 2 is delayed "by at least four months, that is to April 2004.", due to the code leak. VU Games has already suffered a 29% fall in revenue and an operating loss of $61.36 million this year. A Christmas release of Half-Life 2 would probably have been most welcomed." Update: 10/07 20:38 GMT by S : CNN Money are now reporting there's a newly public leak, allegedly involving a partially playable, Beta pre-release of the game.

Delayed anyways?

[kneecarrot]

I just have to wonder if a serious delay was in the works anyway and the code theft gave Valve a publicly acceptable reason.

Re:Delayed anyways?

[shird]

Yes I think this is the case. I have taken a look at the code, and I can say there is a hell of a lot of 'TODO:/BUG:' stuff in there. I'm no expert, but I would say it seemed a long way off being complete. Not to mention all the artwork, levels, scripts etc that may or may not exist in very complete form.

As for ease for creating keygens, take a look at the code - it makes an external reference to a 'cdkeycheck()' function (cdkey.obj) in which there is even comments to the effect that they (valve) don't have the source code. In other words, they have outsourced the key verification algorithm, so it doesn't exist in the source tree. (either is the cdkey.obj file).

This is stupid

This is just another stupid excuse not to release their product on time (even though that's been set back several times). They probably planned this because it wasn't even close to being ready. You suck valve.

4 months to do what, exactly?

[Ndr_Amigo]

Four months to rewrite what exactly? Apart from possible Steam issues, for which I can't see four months solving any more than two weeks, there is (allegedly) nothing in the actual game source worth changing. Let's outline what will probably be done, to what should really NEED to be done:

* A week or so to fiddle with Steam and break compatibility enough to prevent the leaked source being of any use. Although, as it is supposibly a secure content distribution system, I do not see how the source floating around would hurt it. But then again, HL2's "Source" engine was supposed to be all new, but in reality it's (allegedly) still based off of Quake1/the original HL1 codebase.

* A few days to change some APIs to prevent engines compiled against the leaked code from running the release game DLLs. Again, this shouldn't really be needed - the server should be anti-cheat enough to catch abnormal physics behavior (eg, no walk/shoot-through walls, Neo style flying blah blah), and optimised enough not to send entitiy data for players/objects not REALLY in the players view (eg, no see-through-walls cheat)

* Another few days to similarly break the network protocol. This is easy enough to do ACCIDENTLY when coding engines, so... :)

In reality, nothing SHOULD need to change... and the only things worth changing should only take a short amount of time and only be in the form of obscurification and not be subject to the need for extensive re-testing.

Ah well.

Re:Can't blame anyone but themselves...

[Karhgath]

He wasn't that stupid. The email used a old buffer overflow bug in the preview pane of Outlook to install the program, Gabe just had to click(not even open) the email for it to install the trojan.

However, it's mind-bending that their Outlook weren't patched(it's a very old exploit) and that he uses the preview pane in Outlook, on his work related computer. I know that they are backed by Microsoft, and thus probably gets all the MS toys, but they still forgot to patch them.

A shame. Still, a custom written trojan made against Valve to target their system and get the code/data of the game isn't something you see everyday. Either this kind of thing doesn't happen often, or it happens often but it's never detected(or acknowledged). Think industrial espionnage. Either way, it's not an easy to spot/cure, not antivirus/firewall can detect it effectivly if it's custom written against you. They probably probed Valve to check what exploits would or wouldn't work, so it's not as easy as to say: they should have patched, because the hacker would probably have tried another way and with a little determination, would have still compromised their systems enough to get some data.

61MILLION dollars in a YEAR ?

[selderrr]

omfg... even if they work with 600 programmers, that's still a whopping $100.000 per programmer in one single year

HL2 better be damd good for such an insane amount of cash. Considering that they've been working on it for what, 5 years ? They've drained a staggering $300.000.000 or so. At 40$ per copy, they'd need to sell 7.5million copies of the game to get break even. And that's not counting money spent on advertising, distribution, and the cost of setting up a central network server that can handle 7.5 million players connecting to play online.

Wrong

[Overly+Critical+Guy]

Ever heard of a little thing called Steam? All mention of CD authentication and so forth aside, Steam was supposed to be the big thing to stop cheating.

Now it's all exposed. People were going to give their credit card numbers to this thing. Now it's open for all to see and anyone can exploit/spoof it.

Yes--contrary to the Slashbot idealist mindset--there are cases where security through obscurity is the best method. You have to look at each situation inviduallly and logically (instead of covering everything with a veil of ideology).

This is nothing more than them using this as an excuse for delaying the game - something that would have happened anyway.

Yeah, it's "nothing more," oh Valve Software insider. Please. The game was ready to ship for September 30. The hack happened September 11. Guess what was announced not much longer later? That's right, the delay.

We'd already be playing this game if it wasn't for the source leak. Valve's plans were ruined. I'm hoping for late November.

Re:Wrong

[Synn]

Yes--contrary to the Slashbot idealist mindset--there are cases where security through obscurity is the best method. You have to look at each situation inviduallly and logically (instead of covering everything with a veil of ideology).

If security through obscurity was the best method here, then what would've happened if the source was leaked after the game had hit the stores?

They would've been totally screwed.

That's why security through obscurity is never the best method.

Re:Wrong

[johnnyb]

"there are cases where security through obscurity is the best method"

PLEASE don't say this. I understand what you're trying to say, and that is correct, but your wording is completely horrid.

Obscurity is just that - obscurity. Using obscurity for protection is actually a decent plan in many cases - it's just not the same thing as security. The problem with "security through obscurity" is not that people aren't protected enough, it's that they are _confusing_ security and obscurity - thinking they have security when they only have obscurity. Both offer protection, but with different expectations.

There is NO SUCH THING as security through obscurity, and those who try show a complete misunderstanding of the issues. The can be _protection_ through obscurity, but security in relation to computers has a certain, specified meaning, and when people start throwing it around in connection with obscurity, it just makes the situation a lot more confusing than it needs to be.

Re:Lame excuse

[fermion]

With an intrusion like this one can never be sure of the extent of the damage. My guess that they will

Roll back to a known secure codebase
Allow the programmers add back in code written since that date
revalidate the codebase
rewrite protocols to make the new release less vulnerable to the hacks created from the code leak
Then add in any functionality originally scheduled for this release and validate

Re:Still haven't learned their lessons

[javatips]

This should not be a big problem as the VM is isolated from the host (it would take far more serious hacking, that what was done to get HL2 code, to get inside VMWare internals). One could always snif the physical ethernet card for packed, but having the VM connect through VPN to the "DEV" network would solve the problem. The host could be a barebone linux Install without any open ports. That would limit the risk of having the Host being hacked. Now you have a closed down host with two VM. One on a "private" network, and the other on "public" network.

Having a seperate machine on a seperate physical network would be more secure, but would cost much more than the VMWare approach.

There should be an investigation... of Valve.

[Lord_Pain]

I admit to being a cynic... but this stituation strikes me as being too much of a coincidence.

1. Valve is not in a very profitable place.
2. They promised the world with HL2.
3. Theft of code...

My conspiracy riddled mind tells me that they painted themselves into a corner with a brand of paint called Daikatana... and they need money.
So they arrange the "theft" of their source code. This gives them an excuse to delay release and avoid bad press. Perhaps they can claim insurance for the theft? This way they kill two birds with one stone.

Of course this is just baseless speculation on my part! Cheers!

Re:If you want anyone to blame

[Sir+Haxalot]

Mod parent down. There is no evidence that supports that any member of myg0t was the hacker. They are just a bunch of assholes that will claim anything to get attention.
Until the FBI knocks on someone's door, nobody truly knows who the hacker was.
Hitman was in #halflife2 EFNet giving links to the source HOURS before anyone else had it. Enough evidence?

HL2 Not delayed?

[slycrel]

Check this out: http://www.halflifesource.com/ These guys sound like they'll have the real scoop one way or the other here shortly.

Re:Still haven't learned their lessons

[CyberGarp]

The folks at the NSA use VMWare for this purpose (they do have a special version with additional security features).

How do you know this?

It's known that the NSA uses VMWare, but they're very tight lipped about how. Also if a VMWare image is sitting on a disk, that's on an OS that's on the network. Doesn't that make the image just as vunerable? I guess one could encrypt it, but still I think the original idea of a KVM is far more secure. If it's not on the net, or a completely private net with no outside connection, then it can only be pilfered by sneaker net.

This is not good

[failedlogic]

Valve is legitimately trying to protect their IP and if takes them until April to recode some parts of it then so be it. Gabe said its taken at least 30 people 5 years to code the game. Hopefully, Valve doesn't go broke because of this.

To have a trojaned e-mail sent to Gabe's computer is somewhat to be expected. I'm sure script kiddies have also tried similar things on Microsoft computers, etc. It was stupid to actually have any of the computer(s) with the source code connected on the Internet. If they have the budget to run w/o release for 5 years they have the money to buy a few extra computers for Internet use ONLY.

I think its kind of ironic though. Valve is acceptably asking that everyone respect their IP and remove links to and delete stolen source code. Everyone but the script kiddies and hax0rs will comply. But if you try and take credit for a script kiddies' work they'll whine and complain to no end.

Re:Still haven't learned their lessons

[rikkards]

Actually I believe the author of X-Plane does all of his development work on a mac and prefers it to a PC. I think that would be a good example of being able to do it successfully.

it really was myg0t that did it -- some logs

[Fo0eY]

chat log of myg0t member talking about hacking valve and stealing the code

http://gtwy.hl2arena.com/big_log.txt

and an email myg0t "recieved" that was sent internally at valve
remember, valve was hacked using an outlook virus and gabe talked about them knowing people where in his email

http://www.myg0t.com/ChrisNewcombe-PR.txt