It sounds as though this hack was done by logging keystrokes and thereby gaining access to user names and passwords. I think the obvious solution to this sort of problem is one of those RSA SecureID keyfobs, which generates a unique string of numbers every 60 seconds for each user. (I have one at work.)

I guess I'm surprised that Valve wouldn't be using something similar. I hope they will in the future.

It's pretty awful to have all your Intellectual Property from the past five years sprayed all over the internet because some hacker wants bragging rights.

Yeah, that make sense on a major, non-PC oriented company. But Valve, which specializes in computer games, should know better.

lol i wasnt attacking the sys admins i wasy just pointing out to the thread i was replying to that linux is as easy (well with the exeption of gentoo's compile times but we make sacrifices for speed) to update the systems. Heck you dont even need to sit at the machine to do these commands you just set it up to be a cron job that happens every night at midnight.

Don't beat up the poor sysadmin. It's all to easy for me to imagine the following conversation, in just about *every* games developer:

sysadmin: "Uh, excuse me, mr CEO, sir, but you really need to let me have some time with your laptop, because it needs several patches installed and a security review and a backup..."

megalomaniacal CEO: "Are you INSANE? I can't afford to be off-air for more than TEN SECONDS, because every email I get could be potentially worth MILLIONS OF DOLLARS if I reply fast enough! Besides, I'm going to be in twelve different cities over the next two weeks, and I need access to EVERYTHING while I'm there."

sysadmin: "um... but you didn't approve the expenditure for the new security..."

megalomaniacal CEO: "DAMNIT! I pay you good money so that I don't have to spend hundreds of dollars on expensive fancy firewalls and crap like that!! DO YOUR JOB, or by God you'll be answering level one helpdesk calls in a retirement village for the rest of your miserable existence!"

sysadmin: *cries*

...

*ahem* - or maybe that's just my vivid imagination.

This comment was edited on Oct 3, 00:18.

I'm not talking about the kiddies that put "U R Teh Suxx0R!1!!!!!!11!! P2P FOREVAAHH!!!!!!11!!!!!!1" on the RIAA's website. I'm talking about the kind of hackers that infiltrate the power grid computer system and just zoom around to see what all they can do, or those guys that hack credit card companies and the only thing you ever hear about it is when the companies fess up the breach several months later.

Well, there aren't many people who have the self control to hack into a system just to prove to themselves what they can do, and then never speak of it to anyone. The whole point is to gain notoriety in the social circles that thrive on this sort of thing. The people who do this kind of stuff can cover their tracks, but these people also cannot keep their mouths shut about it--I mean, why else steal the Half-Life 2 code except for bragging rights?

Here's a good message about the thing, and it basically parallels the view I have about it:
http://lists.insecure.org/lists/isn/2001/Dec/0113.html

Although, if things really did happen as simply as Gabe said they did, it doesn't look like it needed the kind of hacker that gives the Mossad fits.

Haha! I tend to agree. I doubt a simple script kiddie was responsible, but from the news we've received it sounds like a script kiddie could have done it without much problem. Sounds like Valve wasn't even logging their network activity, which makes it pretty damn easy for a hacker to cover his tracks.

"Tangled - I didn't realize that you were SO important that your eagerness for this game was worth the livelihood of *30* PEOPLE. Damn, you sure are an important kid!

--Noel "HB" Wade"

Seriously, can you please just get over yourself for the remainder of this thread? The mighty ex-level-designer with a holier-than-thou attitude...

It's a miracle you're not STILL working at Valve, you'd fit right in with the the pompous ass, AKA Gabe, over there. At least when Carmack is a smug bastard, he has every right to be. I don't recall Doom or Quake being popular because iD consumed every popular mod that was available, regurgitated it as if it was their own brilliant work, and attemped to make their customers pay for previously free stuff.

Someone said it further up, and I'll agree: It's karma, baby. Take your DRM solution and shove it.

gentoo linux: emerge -u world
1-2 hours later
Done!

redhat: up2date

mandrake: up2date

not sure any other *nix flavor's because i've never used them.

"The gaming community DESERVES To be flamed every once in a while. Its fanatacism, mob-behavior, and habit of biting the hands that feed it are a constant source of frustration for those of us that make games for a living."

Being an apologist like this just goes to show how immature the software industry is and how far it has to go before it reaches the quality standards of well-established ones.

Well - a lot of X-files type stuff to believe in order to buy your theory...but let me ask you this - what about Havok and Miles? Are they involved too? According to what I have heard, the entire source for Havok 2.0 is in that leak/stolen source. I really don't think Havok and/or Miles would partake in a "hoax" or ploy like this.

Rip Taylor's pants.


This comment was edited on Oct 17, 01:53.

A hacker bragging about what he did? That's unheard of!!!

I'm not talking about the kiddies that put "U R Teh Suxx0R!1!!!!!!11!! P2P FOREVAAHH!!!!!!11!!!!!!1" on the RIAA's website. I'm talking about the kind of hackers that infiltrate the power grid computer system and just zoom around to see what all they can do, or those guys that hack credit card companies and the only thing you ever hear about it is when the companies fess up the breach several months later.

Although, if things really did happen as simply as Gabe said they did, it doesn't look like it needed the kind of hacker that gives the Mossad fits.

But having your source code on a machine that's connected to the Internet just makes me shake my head in disgust.

Before some Valve fanboys start flaming, I'm not exactly thrilled that his has happened, but stupidity will do this.

I wonder why people are so worked up about it though. There are 3.5 million people that lost their jobs since 2001 in the US alone, where's your pity for them? I feel a lot sorrier for the people at Enron than I do for the guys at Valve. The people at Enron REALLY couldn't do anything about it themselves. Valve has very little to blame BUT themselves, for implementing such shoddy network security measures.

I wonder, does a game developer of a moderate size actually employ a network admin? And a network security guy? Or is this just a job that's tacked onto one of the junior programmers, and he really doesn't want to do it, since he's having a lot more fun programming weapon effects?
Judging from Valve, it would seem to be the latter. We have a couple of developers posting here, how about your own company guys? Do you actually have someone that knows anything about networking and security?

Creston

Unless he's expecting the perp to be bragging about it (or will be, or has been bragging about it, take your pick), which seems unlikely, given the fact he / she / they seemed to know what they were doing.

A hacker bragging about what he did? That's unheard of!!!

(bahahahhahahahahahahahhaha!)

couple of problems with that though

"Thirdly the annoucement of the stolen code. IF it was real you would want to convince people it WASNT real wouldnt you? That way people are less likely to go after it."

If the code is real there was no way they could deny that without looking really stupid later on. People are already saying that they've compiled it, and once the game is eventually out, if the compiled exe worked with the maps/models, then gabe looks like a big tool.

and about the email, it looks like they did hack his logs.
http://www.myg0t.com/ChrisNewcombe-PR.txt

This is really sad. Thats all I have to say

Re : #94

The gaming community DESERVES To be flamed every once in a while. Its fanatacism, mob-behavior, and habit of biting the hands that feed it are a constant source of frustration for those of us that make games for a living

Hbringer,

I know this is an attitude that many game developers seem to have these days, and quite frankly I find it stupendously arrogant. You are not providing me or the community with something vital to my existence. You are providing me with one form of entertainment. It's a very good form of entertainment, granted, but it's just that. Entertainment. If you stopped making games, if the entire industry stopped making games, I'd read more books. Or watch more television. Go to the zoo or the lake more often. Go out to the movies or theater more often.

Maybe once game developers start realising that it is WE, the gamers, who are feeding YOU, the developer, you'll see this attitude from the community change. It'd be real nice for the game developer to understand (like they once did) that WE are YOUR customer, not the other way around. My money pays your rent, yours doesn't pay mine. Many companies in the world understand this, the gaming industry seems to understand it less and less every day. I can't think of any other industry where this EULA bullshit etc comes into play.

Btw, this isn't meant personally towards you, so please don't take it as such, it's a general comment towards game developers who seem to think that the Electronic Arts attitude is the right way to go...

Creston

This is a post from a message baord I visit and it really kind of makes sense when you think about it.

---------------------

I have completed my musing on this subject and I have the truth of what happened. Many of you wont believe me, but I am convinced I am right none the less

I was trying to put things together in my head and hadnt got the final piece, now I have. the last piece was WHY he announced it as he did, what was he aiming for. I had to really study the posts over and over to understand its impetus but I am 100% convinced its targeted AT the people who stole it.

The post by gabe Newell was designed to support the ruse he implemented.

Heres the scenario.

Gabe discovers someone has hacked his machine. They have logged keystrokes and are clearly loooking for HL2.

So what does he do? Naturally he is comprimised so he formats the machine. Obviously if you suspect virus or trojan you isolate the machine from the Intranet and if your security has failed you isioplate the Intranet from the Internet. So he does this.

Then he comes on a great idea. What if he lets the people THINK they have got him. they get decoy code, Gabe gets lots of Hype and Free advertising, sympathy AND an excuse for the delay and the late annoucnement. Killer manouver.

So they slap together some clever ruse code and they stick Gabes machine complete with bait onto the network connected to the web and they wait.

Now we have the aprt that was eluding me. The announcement. What is he trying to achieve. Firstly theres the step by step guide. Why?
Thats not normal, so why is he dojng it. he wants someone to know EXACTLY what happened in the setaling of the code. This to me says its trageting someone who already knows. he wants the thief to know it is them.

Second he thorws in Microsoft Outlook. Huge exploits and commonly know for being insecure and everyone likes to balme Microsoft. Easy, people arent going to question a weakness in security caused by Microsoft Oulook.

Thirdly the annoucement of the stolen code. IF it was real you would want to convince people it WASNT real wouldnt you? That way people are less likely to go after it.

If it wasnt real however you wouldnt mind them thinking it was. If you SET IT UP to be stolen yourself, you would want the people that stole it and everyone else to believe that what was out there was the real thing.

Bingo. There we have the Reality of Gabes annmouncement. its not an announcement at all its a very cleverly worder confirmation of soemthing he wants to be believed because he staged it this way.

He saw an opportunity and he took it. Clever boy Mr Newell.

On top of everything esle the little 'someone accessed my mail' throw away line also covers him for any emails he might have sent saying 30th september was still a go.

Its actually quite a clever ruse, but its a ruse for sure.

You have to admit my thinking on this makes very good sense. More than what gabe is asking you to believe

Probably was done at night

I think the real story behind this is much simpler. Gabe was offered a lifetime supply of Hostess Twinkies in exchange for the source code to Half-Life 2.

even if both ends had an OC192 (a HD couldn't handle it anyway) it would still take a long time to transfer 390+MB of indiviual files (the source) to another pc.. would take a long time... plain FTPing 100 1MB files take a ton longer than a single 100MB, each file requires a command, unless of course the whole shebang was tarred before d/l which i doubt...

something smells fishy, i think there's alot more to the story... if i were to see "the source" being copied i know i'd be yanking cat5's left and right

PR stunt? risky Covering up for another reason, perhaps.. in the end it's great delay tactic......

This comment was edited on Oct 2, 22:56.

1) The guy in charge of network security at Valve isn't worth a nickel in salary.

2) Gabe Newell really has no fucking clue. Sure Gabe, piss everyone off by chanting September 30th as if it was a Divine Mantra for Enlightenment, only to tell the entire community "Fuck you, you WILL use our shitty delivery system if you want to play", followed by "Fuck you again, it's not done yet, so September 30th ain't happening", a week before that supposedly sacrosanct date.

And now you want the community to HELP you track down some meany haxx0rs that trundled all over your pisspoor security? Something tells me it's not really going to happen.

Also, I'd really like to know exactly what Gabe expects the community to actually DO about this. If his firewall and sniffer logfiles don't show anything, how the fuck is some joe schmoe on IRC supposed to find out anything? Unless he's expecting the perp to be bragging about it (or will be, or has been bragging about it, take your pick), which seems unlikely, given the fact he / she / they seemed to know what they were doing.

But seriously, keystroke recorders? We figured out how to get rid of those in the early 90's, Valve...


Maybe it's a modder who doesn't want to wait any longer...

Creston