Slashdot Mirror
Half-Life 2 Delayed Following Code Leak
jhol writes "CNN is reporting that Half-Life 2 is delayed "by at least four months, that is to April 2004.", due to the code leak. VU Games has already suffered a 29% fall in revenue and an operating loss of $61.36 million this year. A Christmas release of Half-Life 2 would probably have been most welcomed." Update: 10/07 20:38 GMT by S : CNN Money are now reporting there's a newly public leak, allegedly involving a partially playable, Beta pre-release of the game.
I have to wonder how long until people start to realize that for truly critical (read millions of dollars) work, you're best off having the production machines OFFLINE.
It would be a pain in the ass only being able to code on one machine, but even something as simple as a KVM switch would make it tolerable.
No internet, and none of this stuff is a problem. Not to mention you can keep working while various worms/viruses make their rounds.
The 'net is just too insecure these days, especially if you're running some version of Windows.
I just have to wonder if a serious delay was in the works anyway and the code theft gave Valve a publicly acceptable reason.
I always save my last mod point to mod up a good troll. You people are too serious.
This is complete B.S. Why would having their code leaked force them to rewrite the game. Some people may say that it's due to cheat prevention... but c'mon. Security through obscurity is no security at all, if that's what they were relying on.
This is nothing more than them using this as an excuse for delaying the game - something that would have happened anyway. Also, by saying this, if they find the people that hacked their systems, they can sue for large monetary damages.
...maybe the Valve version has been delayed.
Karma: Bad. Calmer, good.
Was the code that was stolen then deleted by the thief? Why would this cause any sort of delay? This sounds like a fairly lame excuse for shipping late.
It only makes sense that code that would generate millions of dollars in revenue for Valve would be backed up quite reguarly offsite.
Forget the whales - save the babies.
Are you serious? How much money do you think Valve makes off of the sale of a game? How many MILLIONS?
Do you HONESTLY think that they would even make 1/10 of that solicting for donations from the good of one's heart?
How much money do you think cdex + xiph + bittorrent + scorched3d + blender + tons o' other donation-based projects get per year? Answer) A mere fraction of a fraction of a fraction as much as Valve does.
It was Myg0t that got it, and Hitman, an ex-member of Myg0t, that released it.
I have over 70 freaks, do you?
Ok, it's not that bad but I'm modarately disappointed. But some of these fanboys I've been reading posts from on USENET might just kill themselves. Maybe someone should set up a crisis counciling center?
I would submit it as a story, but someone else probably has, and I've never had a story accepted yet :)
The NFO was on nforce.nl for a short time, but has since been removed. The leak has been confirmed here, and a few claim to have it (but they could be lying).
I've also seen a screenshot of the folders with all the map files in it, and the names look very much like what one would expect the long gameplay demo to be made from.
Not good news for valve :( I am disappointed that the game had to be delayed - and for all of you who have taken the source or download the beta, I hope you remember your duty to purchase the game when it does come out.
"allowing free reign for cheat coders and (most likely) unlimited cd keys... is six months really enoughtime to really fix these holes"
Err yes! 6 HOURS should be enough to come up with a new key generation algorithm! As for cheat coders, they can disassemble the executable anytime, they
don't need the source code and in fact it probably wouldn't be much help anyway. As other people have said , this is just BS to cover up more delays.
Yeah, or they could consider free copying of the games as promotion for their concerts, where they make the real money.
When will Slashdot users grow up?
Games, movies, and even songs from the Backstreet Boys cost huge amounts of money to produce. You will be charged for copies, one way or another.
If people can't figure out how to slow down this ridiculous level of IP theft pretty damn soon, I guarantee you that we will have DRM shoved down our throats. In this case already, the delay of several months is probably to put in place with is effectively DRM, in order to cut down on multiplayer cheats.
Still, it sounds more like this is a convenient excuse for late delivery to me. I'm sure this guys email really was compromised, and hey, it sounds good to the uninitiated - "our code was 'stolen', we have to go rewrite a lot of it, we'll be delayed by a few months".
There are a lot of posts asking why the delay and why does it need rewriting. I would guess that the majority of the game WON'T need to be recoded, but certain things like CD key auth code will, certain networking code, etc.
Four months to rewrite what exactly? Apart from possible Steam issues, for which I can't see four months solving any more than two weeks, there is (allegedly) nothing in the actual game source worth changing. Let's outline what will probably be done, to what should really NEED to be done:
:)
* A week or so to fiddle with Steam and break compatibility enough to prevent the leaked source being of any use. Although, as it is supposibly a secure content distribution system, I do not see how the source floating around would hurt it. But then again, HL2's "Source" engine was supposed to be all new, but in reality it's (allegedly) still based off of Quake1/the original HL1 codebase.
* A few days to change some APIs to prevent engines compiled against the leaked code from running the release game DLLs. Again, this shouldn't really be needed - the server should be anti-cheat enough to catch abnormal physics behavior (eg, no walk/shoot-through walls, Neo style flying blah blah), and optimised enough not to send entitiy data for players/objects not REALLY in the players view (eg, no see-through-walls cheat)
* Another few days to similarly break the network protocol. This is easy enough to do ACCIDENTLY when coding engines, so...
In reality, nothing SHOULD need to change... and the only things worth changing should only take a short amount of time and only be in the form of obscurification and not be subject to the need for extensive re-testing.
Ah well.
He wasn't that stupid. The email used a old buffer overflow bug in the preview pane of Outlook to install the program, Gabe just had to click(not even open) the email for it to install the trojan.
However, it's mind-bending that their Outlook weren't patched(it's a very old exploit) and that he uses the preview pane in Outlook, on his work related computer. I know that they are backed by Microsoft, and thus probably gets all the MS toys, but they still forgot to patch them.
A shame. Still, a custom written trojan made against Valve to target their system and get the code/data of the game isn't something you see everyday. Either this kind of thing doesn't happen often, or it happens often but it's never detected(or acknowledged). Think industrial espionnage. Either way, it's not an easy to spot/cure, not antivirus/firewall can detect it effectivly if it's custom written against you. They probably probed Valve to check what exploits would or wouldn't work, so it's not as easy as to say: they should have patched, because the hacker would probably have tried another way and with a little determination, would have still compromised their systems enough to get some data.
Generally HL hacks intercept the DLL calls. SSL on the network connection wouldn't help at all.
Doom3 to beat Half-Life 2 to market
Now isn't this a scary messed up thought
It's not because the game leaked, but because the underlying systems that ensure that players can't easily cheat, warez the game, or access the personal information of other players.
Part of what was compromised was probably the code that handles CD key authentication, user online authentication, etc. So clearly warez and such for this game could be hugely rampant.
Part of what was compromized was probably the code that handles Valve's anti cheat system. So clearly the cheats that override that system could be hugely rampant.
Part of what was compromized was probably the code that is the game's engine. So clearly there could be cheat authors easily creating wall hacks, aim bots, and any number of other cheats.
Part of what was compromized was probably the code that handles purchasing the game over Steam. So clearly there could be some risk of credit card and online commerce fraud, personal information leaks, etc.
Look at it this way. The blueprints and plans for the bank got stolen. Thieves are studying them now. The bank is going over the blueprints with a fine toothed comb to fix the obvious (and not so obvious) weaknesses which are more clear when you have the plans.
Ever heard of a little thing called Steam? All mention of CD authentication and so forth aside, Steam was supposed to be the big thing to stop cheating.
Now it's all exposed. People were going to give their credit card numbers to this thing. Now it's open for all to see and anyone can exploit/spoof it.
Yes--contrary to the Slashbot idealist mindset--there are cases where security through obscurity is the best method. You have to look at each situation inviduallly and logically (instead of covering everything with a veil of ideology).
This is nothing more than them using this as an excuse for delaying the game - something that would have happened anyway.
Yeah, it's "nothing more," oh Valve Software insider. Please. The game was ready to ship for September 30. The hack happened September 11. Guess what was announced not much longer later? That's right, the delay.
We'd already be playing this game if it wasn't for the source leak. Valve's plans were ruined. I'm hoping for late November.
"Sufferin' succotash."
Roll back to a known secure codebase
Allow the programmers add back in code written since that date
revalidate the codebase
rewrite protocols to make the new release less vulnerable to the hacks created from the code leak
Then add in any functionality originally scheduled for this release and validate
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
See the story at The Register. They link to Valve's forum, where the general manager details how the code was leaked: in short, his own account information was stolen via Outlook, then several other employees were hit with a Outlook preview-pane virus that installed a keylogger.
Of course, this is no reason to think that Outlook isn't a perfectly good solution for email. Outlook is great. There's no reason to consider any alternatives. No matter how much money you lose to Outlook virii, simply look at the silly dancing monkey!
"Nothing was broken, and it's been fixed." -- Jon Carroll
How many whiny posts do there need to be on: "Why did they have to delay it? This is BS". Well, here is a reason. If your company just got hacked in to and important information was stolen and leaked, instead of working on the product, you have to find what the vulnerability was, how to do damage control, how to re-structure how you do business so it doesn't happen again (i.e. redesign the network and create new security policies), and then have to get back to work on finishing the product while trying to make sure that anything cheaters would have gained from the source is fixed. I would say that is pretty large amount to do in a few months. Don't you think they would love to get it out so they can make money? Just use some freaking common sense here. If you are surprised by these delays, then you didn't think very hard. If you are upset by the delays, join the crowd, hunt the hackers, whatever. Just relax, it's a game, go buy a different one. It's not the end of the world.
Support a great indie game: http://www.abaddon360.com
I admit to being a cynic... but this stituation strikes me as being too much of a coincidence.
1. Valve is not in a very profitable place.
2. They promised the world with HL2.
3. Theft of code...
My conspiracy riddled mind tells me that they painted themselves into a corner with a brand of paint called Daikatana... and they need money.
So they arrange the "theft" of their source code. This gives them an excuse to delay release and avoid bad press. Perhaps they can claim insurance for the theft? This way they kill two birds with one stone.
Of course this is just baseless speculation on my part! Cheers!
-- What's this '-r *' file doing here? -- Oh well, a simple 'rm' should do the trick.
Check this out: http://www.halflifesource.com/ These guys sound like they'll have the real scoop one way or the other here shortly.
Vivendi Universal Says Delay Not Confirmed
Tuesday, October 7, 2003
According to a news article posted today on a UK press release, there is a Half-Life 2 delay. We already know that Valve does is not mentioning a delay.
We received an email from Mike Thompson who says he works for Vivendi Universal and writes:
quote: "delay is not confirmed..."
Here we go around and around... again...
From Half-Life Source Dot Com
When will Slashdot users grow up?
When people realize that when one slashdot user speaks, he doesn't speak for all slashdot users.
"Well, before you start blasting Valve, why don't you actually read up on the hack? It was a buffer overflow in the Outlook preview pane that allowed the hacker to install custom versions of RemoteAnywhere."
Alledgedly.
And when was that exploit patched in Outlook Express?
I think it's perfectly justifiable to have a giggle at Valve because that's the kind of schoolboy error that companies are not supposed to fall victim to, especially software companies.
Oddly Draconis
Too cynical to live, too stubborn to die.
Since VU is operating at a substantial lost, they are prime to be saved by Bill Gate's wallet. Since Half Life2 [neoseeker.com] and Xbox2 [arstechnica.com] are both optimized to run on ATI's hardware, I can see the Richmond's Borg needing their killer app for XBOX2. Gates says "Hmmmm, Half Life2 sounds good. Buy them out boys!"
One big problem:
VU doesn't own Valve. VU owns Sierra, and Sierra is the publisher for Half-Life (and currently for HL2), but Valve owns Half-Life 2 and is self-funded. Gabe Newell formed Valve with his own money (gotten from being a well-payed Microsoft employee) and funded Half-Life without Sierra's (or VU) help. This is why Valve was able to delay Half-Life for a year in the first place. This is why Valve can push back HL2 without VU forcing it out when VU is operating at a loss. VU has no say in when the game is released unless their own QA finds problems with the final code and sends it back to Valve for more work (in other words, Sierra can delay HL2, but they can't force it to be released early).
Microsoft could probably buy Valve if they wanted HL2 bad enough, but I think it would be more than it's worth, since Valve is privately owned, self-funded, and making money hand over fist off the best-selling FPS of all time.
-PainKilleR-[CE]
There are a lot of TODOs and HACKHACKs in all Quake-derived code, even the Quake 'SDK' probably has a couple of them left. It's some kind of design style I think. At least it's not a bad one as it highlights the areas that are not really finished(not that anyone will ever fix it though, they are more like - I want this, someone do it for me?).
If you grep through the official Half-Life SDK you'll find at least 50 TODOs and HACKHACKs. (Much more than that probably, but I'm playing safe.)
When people realize that when one slashdot user speaks, he doesn't speak for all slashdot users.
April 2004
Slashdot isn't populated by 400,000 clones of Richard Stallman. Many of us are sane people. It is quite possible for people to read slashdot and write closed source code. I personally, for example, feel that there is a place for open code, and a place for closed code. Neither option is the correct choice for all situations.
I am surprised, however, that none of the security gurus that post here on a regular basis have commented on the fact that had the game been written correctly and securely, even to source wouldn't have assisted cheaters, and this delay could have been avoided. That is, of course, if you believe the leak was really the cause of the delay and not just an excuse to mask that they're not really done yet.
One last thing:
And are they not going to charge the public money to buy a license for said game?
The game engine itself is worthless to the average game consumer. They make their money on retail licenses of the data. The reason they have a closed source game engine is so they can license it to other developers. If they were only aiming for retail revenue, an open source engine would have been a perfectly valid option.
You know the Duke Nukem developers are kicking themselves, saying "Why didn't we think of that."
cat
Valve is legitimately trying to protect their IP and if takes them until April to recode some parts of it then so be it. Gabe said its taken at least 30 people 5 years to code the game. Hopefully, Valve doesn't go broke because of this.
To have a trojaned e-mail sent to Gabe's computer is somewhat to be expected. I'm sure script kiddies have also tried similar things on Microsoft computers, etc. It was stupid to actually have any of the computer(s) with the source code connected on the Internet. If they have the budget to run w/o release for 5 years they have the money to buy a few extra computers for Internet use ONLY.
I think its kind of ironic though. Valve is acceptably asking that everyone respect their IP and remove links to and delete stolen source code. Everyone but the script kiddies and hax0rs will comply. But if you try and take credit for a script kiddies' work they'll whine and complain to no end.
There's a TCO argument if I ever heard one.
boycott slashdot February 10th - 17th check out: altSlashdot.org
In your online poker example you can have a central trusted server that insures that nobody is cheating (at least technically).
There is no way to do that with FPS's (not yet at least). The amount of info that would be needed to be passed between the client and the server in FPS games would be cripling if you expected the server to be the final arbitrator of all actions.
The only way FPS games can maintain the required speed is by offloading the majority of processing to the individual clients. In order to do this you have to trust the client. One of the key ways to trust the client is to obfuscate it. Not perfect, but at least it's one level more of protection than you would have if somebody has your source.
Really, the only way to protect the code is to build in some kind of self sanity check (i.e. return some kind of checksum to the server which verifies the client). This is only as good as the verification routine though. Once the method of verification is determined you're back to square one. You can improve upon this by constantly supplying new verification code to the client but it still comes down to security through obscurity.
When you need to trust your client but you don't have control over it this is about all you can do.
Because they'd need actual source to leak? :-)
But could they have made such a great mod without having something to start with? I don't think so. How many from scratch, free, quality games do you see?
I had never heard of those games but I googled for them. They look interesting and I will try atleast bzflag as soon as I finished my latest game (halo on the PC...which isn't nearly as good as XBOX'rs said it was). However, I don't think those can compare to HL, CS or HL2.
There IS such a thing as an intranet that is physically separated from the internet.. internal servers completely inaccessable from the commercial 'net.. KVM switches so all machines are accessable from one workstation.. completely internal secure shell, telnet, ftp, whatever. A setup like that is totally realistic and desirable for a production and/or testbed environment.
Of course, this eliminates the ability of a coder to work from home or do things like surf the internet and check e-mail from the same box they code on.. But if you don't want your code leaked, don't put it on a box that's in any accessable from the commercial internet.
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
I know that Valve aren't the greatest where security is concerned, But if you ask me, it serves them right for having such insecure systems.
I like many others have pre-ordered half-life2, but I'm seriously considering cancelling my order. If they can't grasp basic security proceedures, they don't deserve to be successful.
I love to know why a source code leak cost them four months? I could understand it if they lost a portion of the code.
I think he was saying that they have to halt everything for 4+ months because if somebody has seen the source, they can cheat. But with a game, that is somewhat understandable. Somebody can change their executable to, say, aim automatically, or draw all of the walls 75% transparent, or something. It's not like a ftp daemon, where just because they see the source doesn't mean they can hack a server.
There is NO way to prevent that. How would you do it? Checksum on the executable they are running? They could send you whatever value they want. Have a seperate app that checksums both files? That is how current anti-cheat systems work. They are pretty good, but not 100%. The only way to get the people with the source at about the same cheating-ability-level would be to change the protocols so they would have to do some work to actually get it to connect. And change the file formats so it won't be able to load the game maps without some work, either. And they can't be minor changes, because the less work the changes were, the less work the hackers have to do to make the same changes.
The piracy thing isn't as much of an issue. Sure, a pirated version will run single player, which is a good game in of itself (Judging by the first one.) But it won't play online. With a few changes, this could be extended to the single player game as well. When you install, it tells Valve your CD key and registers you. Whenever you play single player, it tells Valve that you are playing. Sure, you could play single player if you disconnect your internet (Because it would SUCK if you MADE them so they had to connect for single player) but how many people would be willing to do that? And as for being able to change the binary so that it doesn't check for the cd....Half-Life doesn't check for the CD.
On the other hand, STEAM shouldn't be compromized because somebody saw the source! It isn't like a game, it's like FTP. Seeing code for the client shouldn't let you download whatever you want. If they do ANY authorization at the client, its their own damn fault. NEVER TRUST THE CLIENT.
Oops, I didn't say "Security though obscurity" once :O
ASCII stupid question, get a stupid ANSI
It's already in place and seems to function.
It's called paying for the damn game.
It's not offtopic, dumbass. It's orthogonal.
having to rewrite the part that was lost
;)
You do know that when people say "stolen" now they just mean "illegally copied". Valve still has all the code.
And just for clarification, the "part that was lost" is the entire source tree for Half-Life 2, Counter-Strike, Team Fortress 2, Steam, and all the dev-tools/utilities (map editor, 3dsmax plugins, etc). Which would probably take them another 5 years to rewrite if they chose to take that route.
chat log of myg0t member talking about hacking valve and stealing the code
http://gtwy.hl2arena.com/big_log.txt
and an email myg0t "recieved" that was sent internally at valve
remember, valve was hacked using an outlook virus and gabe talked about them knowing people where in his email
http://www.myg0t.com/ChrisNewcombe-PR.txt
Next you will tell me that XP is so full of holes because someone "stole" it's source code before M$ sold it to China and the former KGB. That's almost as good as them swearing that revealing the source code to Windoze would be a national security disaster. Give me a break, will you?
Warez only needs to hack a binary copy.
Cheats only need to watch their traffic.
None of this makes a difference if the system is well made to begin with. This is why OpenSSH is a secure system despite open publication of it's source code.
This is just more anti-open and anti-free FUD. Shame on VU for using Outlook and M$ for anything they wanted to keep to themselves. Shame on them for blaming software and the philosophy behind it for their own failures and shame on them for not being able to get their shit together. ID games rules, VU drools under Bill Gates thumb.
Friends don't help friends install M$ junk.
Not to nitpick, but if he doesn't have a graphics engine, how does anything else work?
As for an engine, the source for Quake2 is released. Could he use that?