Half-Life 2 Source Code Leak

A post to the Halflife2.net Forums by Gabe Newell finally has a comment on the leaked Half-Life 2 source code, brought to the world's attention by Gamers With Jobs and Slashdot. Here's the deal:
Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.

Yes, the source code that has been posted is the HL-2 source code.

Here is what we know:

1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.

2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.

3) For the next week, there appears to have been suspicious activity on my webmail account.

4) Around 9/19 someone made a copy of the HL-2 source tree.

5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).

6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.

Well, this sucks.

What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.

We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.

Gabe
329 Replies. 17 pages. Viewing page 13.
89.
 
My Condolences (Long Post)
Oct 2, 2003, 19:49
 
I have been reading since about noon, that Valve’s Half-Life 2’s source code has been leaked onto the internet. And I felt the need to voice my opinion on the topic, since I am a software engineer.

I have been reading people’s comments like “Why did he have the source code on his computer that was connected to the internet? Why didn’t he protect it better?” and stuff like that, but it is really easy to look back on the situation and point out all the things he could have done, but how many of you keep personal records on your computer? I will bet you that you don’t have nearly the security system running on your network/computer that Valve has running on theirs, yet you, and I still do it, why?

Is it because we are stupid? Is it we are uneducated? Well the answer may be both, but there are other reasons as well. Most of us took a good portion of the following into account.

1. Risk vs. cost/convenience. Now you may not have sat down and did all the figuring, but a version of it has passed through your mind. It may have even been unconscious, but you still did it. When you went down and bought, or decided not to buy that software/hardware firewall, unless you fall into that first question, you are aware that nothing is impenetrable. So buying that 50 dollar firewall as opposed to the 3,500 dollar firewall we use here at work seemed like a good investment. Then again who owns a second computer specifically to do their finances? And who wants to? I like using 1 computer for everything, it is all setup the way I like, and if I change something it stays. Or who wants to re-boot their computer to a different OS just to check their e-mail after playing a game, because that OS is more secure? I don’t.
2. Motive vs random attack. What are the 3 dangers of the fire swamp? Flame spouts, Lightning sand, and ROUSes. Wait, no, that’s not it but close. There are the random attacks: i.e. Send out a non-targeted virus that installs a Trojan and see who runs it. Well we all know of this one anymore, and think we can avoid these pretty easily. i.e. don’t open e-mail we don’t trust. Direct attack, well who is going to attack my computer directly? As long as I am not out there on the internet spouting off about my millions of dollars, it is unlikely my computer’s address will draw enough attention to be directly attacked. And 3rd if I keep my stuff at least decently hidden/password protected who is going to spend the time getting to the few dollars that I might have available.
3. Ego/experience. The belief that “It will never happen to me.” Or it never has happened to me, so what’s the likelihood that it will in the future?
4. Someone you trust in “The Field” told you it was ok.

Between these things you have made the rationalization that it is ok to do. Well if any one of you ever gets something taken, any one or all of those reasons above will fail you, and someone can point it out that you were foolish. Well Gabe at Valve, and his IT department definitely went through the same process, likely more formalized than the version you went through though. I have gone through the same thing here at work with my boss as well. We plug the holes we see as glaring, or we have had experience with in the past, and we try to learn from others’ experiences to be prepared for the future. They did the same thing, and I don’t fault them for that. The attack that took their source code, was specifically directed at them, and likely took a lot of planning, intelligence, and time to pull off. Plus was excessively risky for the culprit’s future, if they are caught it could mean a good deal of time behind bars. Who would have guessed that source code was that important to someone? Now we can say beyond doubt that it was that important, but then again that is looking into the past.

Anyway, I think it is a shame this has happened, and although I don’t think I will play Half-Life 2 (I am looking forward to Doom III myself), I am still very sorry to hear of this happening. That code took them a very long time to create, and now it isn’t worth much.

Take the last 5 or so years of your life, and undo it, and see how that makes you feel? That will then touch on what I am sure the guys over at Valve are feeling now.
/*New and stirring things are belittled because if they are not belittled, the humiliating question arises, ``Why then are you not taking part in them?'' -H.G. Wells*/
88.
 
hmmm
Oct 2, 2003, 19:47
 
We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.

Hopefully he isn't talking about the same community that he flamed on the half-life forum a couple weeks ago. Oh yeah, I wouldn't be surprised if the "outlook bug" was actually a trojan cleverly disguised as an e-mail attachment promising to make him lose 50 pounds in 10 days that Gabe downloaded.

87.
 
This is very bad news for the community
Oct 2, 2003, 19:45
 
Having an entire copy of the source code is really bad; you have a huge amount of power. It's really easy to distribute the code over P2P networks to other crackers and modify things such that there'd be absolutely no way of stopping cheating online, and the online play is one of the big draws of HL2. They can also make pirating the game extremely easy -- no longer would someone need to hex-edit and profile the game to figure out how to disable the anti-piracy measures.

I'm really looking forward to this game, but now its quality IS lowered, I can assure you, since someone got the code. Anyone who thinks the code link is good is a fucking moron who doesn't know the first thing about anything not involving masturbation.

By the way, this is most likely not the sole cause of the delay; the publisher announced early that the game would be delayed, which means that's what the developers told it, but Valve denied the delay because they only suspected it would be delayed, they weren't sure.

86.
 
Damn
Oct 2, 2003, 19:45
 
The worst part about this is that the source code will spread. You think half life is plagued by cheaters now? Wait till you see the kind of cheating that will happen when cheaters have the source code to the game.

85.
 
. . . .
Oct 2, 2003, 19:40
 
................................................................................................................................................that's a shame

84.
 
No subject
Oct 2, 2003, 19:39
 
Yes, and you can read my reply to #71 in my previous post. I said that having the source-code available for FREEWARE projects wouldn't hurt Valve at all. Aside from that, I highly doubt that Valve will lose any money from licensing, just read my posts ok?

I don't want to get into a flamewar, so I'll just leave it at that.

Wiggamoe: Yeah, I noticed that too. But I think that the admins removed it, either out of ethical reason or out of fear of legal action against them. I'm a supporter of BT, and especially suprnova, and in this case I think they did the right thing by removing it.

This comment was edited on Oct 2, 19:41.
83.
 
Re: Delays
Oct 2, 2003, 19:39
 
Looks like somebody posted it already to newsgroups at alt.binaries.comp

82.
 
Blech.
Oct 2, 2003, 19:38
 
Well this sucks... I was rather surprised when I read it this morning on /., but the details are particularly ugly. The odds of them ever finding out who did this are pretty slim -- especially since it sounds like they don't have the greatest logging capabilities available to them.

As for all the people making claims about Outlook and crap -- no, I don't like Outlook, I use it only under duress at work, but get real. If they'd been using another client then the hacker probably would've found another way in. There's holes in just about any piece of software. And, no, a physical barrier between the Internet and development doesn't magically fix the issues. Go read up on Tempest and similar methods for remotely observing electronic data. Yes, it makes it harder. It's virtually impossible to stop someone sufficiently determined though. Not to mention that separating your dev systems from the 'net physically drastically reduces your work efficiency.

Frankly, I suspect that the leak was the cause of the delay. There's really not much else to explain it -- yeah, Steam could be better, yeah I'm sure they could fix more bugs, but given the vagueness about the release time and issues that caused the delay I'm guessing that they're now rewriting large portions of the engine -- the CD security for sure, very possibly parts of the netcode, and maybe other things to try and thwart cheaters. If you have a major intrusion and know that your source code has been compromised, do you then go off and release it? Hell no. You immediately stop, resecure your network, and look at what needs to be done to reduce the damage from the leak.

Holidays may be optimistic if they start mucking with the netcode. I guess we'll just have to wait and see.

81.
 
Funny
Oct 2, 2003, 19:34
 
* REMOVED *
This comment was deleted on Dec 16, 12:36.
80.
 
Re: No subject
Oct 2, 2003, 19:33
 
75. No subject Oct 2, 19:29 Rictor

Nexus, the reason I have that attitude is because having the source code available for freeware projects is very beneficial to the gaming community, but it doesn't hurt Valve at all.

---------

Doesn't hurt them at all? Are you serious???
Go read my #71 post.

79.
 
A thought...
Oct 2, 2003, 19:33
 
If anyone manages to dig up some Nvidia "de-optimizations" in there, the sh#t is really gonna hit the fan.

I would doubt it though.

78.
 
Re: tcejbus
Oct 2, 2003, 19:33
 
yeah apart from the 100's of nerds who don't trust valve enough to not update their steam with a virus.

77.
 
tcejbus
Oct 2, 2003, 19:30
Gus
 
I wonder why somebody would do such a thing ?
well look at the bright side nobody is worried about steam anymore.

76.
 
Re: No subject (No loss??)
Oct 2, 2003, 19:30
 
Just simply unbelievable.

Mark my words, this isn't the result of some crappy script kiddies here. I guarantee that this was the work of someone who really knew what they were doing ... but who would do such a thing? Is it industrial espionage or just teenagers who are sick of writing stupid flash animations and want to break into DX9?

I honestly can't believe that such a thing like this can happen, it's like spending five years writing a book and then having someone pinch your manuscript and photocopy it just before you were about to get it published.

Just out of interest, have there been any comments from people who have the code about the way it's written, ie good, bad, well structured, ATI optimized (heheh)?

75.
 
No subject
Oct 2, 2003, 19:29
 
Nexus, the reason I have that attitude is because having the source code available for freeware projects is very beneficial to the gaming community, but it doesn't hurt Valve at all.

So, there would be plenty of winners but no losers if something like I have described were to happen. Look what the Tenebrae people did with the Quake 1 engine. Just imagine the possibilities with Source.

Though I doubt that this is what the hacker(s) had in mind, I still think that it may be a fortunate side-effect. I realise that stealing X years of someone's work is wrong, but if ends up causing more good than harm, I'm all for it. Again, the reason I take this position is because making the source-code public domain would not hurt Valve one bit.

z0dd: It's possible. But somehow, I don't think that having slightly compromised anti-cheating technology will deter anyone from purchasing the engine. That's like not buying a BMW because it has a broken windshield wiper that can easily be fixed (by the licensee's programmers.)

This comment was edited on Oct 2, 19:33.
74.
 
Hmmm
Oct 2, 2003, 19:26
 
Now I know why Duke Nukem Forever was delayed and delayed again - someone stole the source code from 3D Realms at every six months:o

73.
 
Re: Thanks ATI!
Oct 2, 2003, 19:25
 
And HL2 talks keep up, next there will be "A gang of 70 year old HL fans rape G.Newell for delaying the most anticipated game of all time" thread... and we'll just keep babbling about it till it's released sometime Christmas 2005...

72.
 
Re: Microsoft is The Poo!!!
Oct 2, 2003, 19:23
 
Hmm, so my next question is, why is there no dedicated gaming os?

read up on the next major upgrade/build of Windows called "Longhorn" due out at the end of next year. Some interesting stuff going on along those lines.

----------------------------------------------------------------------
PAH!
----------------------------------------------------------------------
"Both the “left” and the “right” pretend they have the answer, but they are mere flippers on the same thalidomide baby, and the truth is that neither side has a clue."

- Jim Goad
71.
 
Re: No subject (No loss??)
Oct 2, 2003, 19:18
 
43. No subject Oct 2, 18:42 Rictor

3. This likely won't affect any potential licensing of Source for future games. No one will release a commercial game with pirated source-code.

------------------

I disagree, and believe this has already resulted in the loss of many millions of dollars for Valve. Why? The creators of the most played online game ever (HL) spent the past 5 years making an engine they knew would be used/purchased for many upcoming online games. With the source code exposed, many customers will now have to ask themselves if they want to invest in an engine whose source code is in the hands of hackers/cheaters.

Some Companies will wait to see what boils over from this leak. Companies deciding to purchase their software now have a wonderful bargaining tool. Additional costs, that haven't been brought up yet, will come from the development time spent on anti-hacking and security protocol overhauls expenses. Ugh. I hope Valve finds, and hangs, the culprits.

This comment was edited on Oct 2, 19:21.
70.
 
Re: Thanks ATI!
Oct 2, 2003, 19:18
 
And apparently it's not just Valve's code, it's all the code Valve licenced from other companies, those companies could sue Valve or at the least get very pissed off.

On suing Valve, the only thing I can think of that they could get hit with would be negligence... and there's not a very good case against them.
