Gah! Where's the soap? He mentioned programming in VB!
Swiffer:
It would have been stupidly negligent to spend a few days on Steam after the break-in and then release it. Off the top of my head you'd *at least* need to do a rundown of the stolen code and get a few programmers to team up and go through it for vulnerabilities, since you really don't want someone else to find a buffer overrun vulnerability in your source code while also having the ability to access all the online server lists, and then all the online player lists.
That would only be prudent and responsible, just so you don't distribute something that has the ability to track down and infect all your customers [remember, Steam interfaces with itself, but also with all the games that run it for messaging at the least, and as the model stands, even the single player will require people to be online to allow Steam access to verify them].
Steam performs the copy protection. If it were as simple a matter as just waving your hands and mentioning encryption, that might be fine, but there is some finer detail to consider. As you said, you need to stop people from generating the codes to validate a HL2 purchase on Steam, but you've got more than just that as a problem. You're also quite likely trying to make sure that people can't get at the result of the one-way hashing function you [I would have to guess] use to generate a unique identity for a computer.
They also probably have to consider the vulnerability of any of the algorithms that they use to known plaintext attacks, then double-check that no one's got lazy anywhere (I'm sure most people familiar with the different versions of the Enigma will be able to recall how despite a pretty robust design, some versions were implemented slightly differently with weaknesses, and how at some stages of use they were preceding the encrypted message with the key, repeated twice at the start).
You've also got to make sure you prevent people from simply finding where the game gets the IP of the central Steam servers and then redirecting it to their own local and cut-down server, which is programmed using the same Steam code they now have in order to happily fool the game into thinking it's connected and authorised with the main servers, and that any bogus key they might have fed it was fine.
There's a lot of little things that Valve would have needed to consider. I can certainly see how your model of business might work with shadow / particle system code, but I think you make too many assumptions that their issues would be the same as yours across the board.
This comment was edited on Jan 20, 09:10.