HL2 source has supposedly been leaked

Discussion in 'PC Gaming' started by bloodbob, Oct 2, 2003.

  1. WaltC

    Veteran

    Joined:
    Jul 22, 2002
    Messages:
    2,710
    Likes Received:
    8
    Location:
    BelleVue Sanatorium, Billary, NY. Patient privile
    In most companies where this kind of thing happens you find an employee behind it--there's no patch M$ can apply for that. As far as the web-browser buffer overrun theory of Newell's goes, I was under the impression M$ had patched that months ago. But, maybe he's talking about something else, I couldn't say based on what he said, honestly. What I've seen a lot over the years is that individuals in companies have a particular aversion to taking responsibility for their mistakes--and when the explanations are needed it's become quite fashionable to say, "M$ made me do it." The problem here is that what Gabe described is very patchy and incomplete, I think, which is creating speculation. What I wonder about is whether the authorites are involved, and if so, I'd imagine that they don't want a lot of detail circulated about what happened for the time being.

    But usually somebody's looking after security, though. Backups, file maintenance, network management, etc. Don't know how Valve does it, but it usually falls to somebody. Seems odd--but then again maybe that's just because a lot of pertinent detail is being deliberately withheld.
     
  2. 3dcgi

    Veteran Subscriber

    Joined:
    Feb 7, 2002
    Messages:
    2,492
    Likes Received:
    471
    Of course you still need security like firewalls, etc. I also imagine that there are a number of non-intrusive steps Valve and other companies can still make. Actually, I bet they're looking into that right now. :)
     
  3. V3

    V3
    Veteran

    Joined:
    Feb 7, 2002
    Messages:
    3,304
    Likes Received:
    5
    Don't stuffs like this happend all the time ? Its the risk of being connected.
     
  4. T2k

    T2k
    Veteran

    Joined:
    Jun 12, 2002
    Messages:
    2,004
    Likes Received:
    0
    Location:
    The Slope & TriBeCa (NYC)
    I can't get it... just can't buy it...

    Yes, exactly.
    I'm thinking about the same, WaltC...
    I don't understand this Gabe guy: when he experienced the very first weird thing - he did NOTHING??? What is this 'I couldn't find.." etc BS? He's not an expert - so why he DID NOT contacta professional company IMMEDIATELY???

    As CIO of an animation/production company, if I or anybody at my office would experience the same symptoms and our first internal steps can't localize the source or explain this behavior, I can't imagine I wouldn't do anything but scratching my head. I'd contact some professional intrusion detector company and request a full, strictly security analysis IMMEDIATELY.

    In the meantime I'd close out the company hermetically from the outer world. We need email? Use few fully separated, designated machine and only for webmail. So for the internet research.
    No connection would be permitted anymore between internal and external networks. All communication changed to only wired connections. If necessary, ALL PC WOULD BE L<OCKED IMMEDIATELY, all usage SHOULD BE REQUESTED FIRST and I'd keep the rights to refuse ANY OF THEM, without explanation. All wireless, mobile or private devices swicthed off immediately and disconnected from the network and SHOULD BE QUARANTINED for further investigation. Employees SHOULD STAY at their desk and so on... Many-many possible steps - and no action has been taken over at Valve? :?:
    We have expensive IP as Valve has - what his network/system administrator did after he was informed the very first symptoms?
    How old is this Gabe guy, fifteen? It's not goddamn game - it's FIVE YEARS HARD WORK!

    Dunno but this whole Newell-story sounds VERY suspicious for me... something is missing...
     
  5. WaltC

    Veteran

    Joined:
    Jul 22, 2002
    Messages:
    2,710
    Likes Received:
    8
    Location:
    BelleVue Sanatorium, Billary, NY. Patient privile
    What is this got to do with taking a look at the Merrill Lynch report, or considering any of the other financial setbacks nVidia has suffered this year?

    You know--I just recount a few major facts that are a part of the public record--and you start talking about "devils" and "demons"....*chuckle* I guess that's one way to avoid looking the facts, I suppose.

    Oh, sure, Russ--they have no motive for anything they do. Like, when they quit the FM program last year--they had no motive for it--it was just a mindless act, totally devoid of meaning. No significance whatsoever. Uh-huh. And when they started cheating in earnest--no motive there, either, I suppose? Just more mindlessness--more aimless behavior without thought or intention. OK...:D Sure....:) OF *course* they have no motive--how could they? They're angelic, after all...:) Spectral, maybe. Gosh, and here I was just looking at them like the rest of us sinful mortals who most of the time act out of motivation of one sort or another....How silly of me to think such a silly thought.. ..

    Wow...what an impressive rejoinder. So far, your response to my points has been to tell me to quit thinking of nVidia as Satan, and to get off the crack pipe. Of course, the fact that I've never called the company "evil" nor am I using a crack pipe, is of utterly no concern to you. Great dicussion, Russ. You should try for the company debating team--what tactics, what strategy...:)

    And of course--Enron, WorldCom/MCI, the Savings & Loans--and all of the other companies who have done what you declare has never been done, because--what?--they aren't companies? They all prove your theory about "a company would never do this" to be completey wrong. Companies have done much worse. Yours is not a factual assertion. That's why I brought these companies up. So you ignore them and tell me to get off the crack pipe--when it's you screaming in capital letters and talking about demons and devils. Heh...Wow...OK

    You know--I made it quite plain in the post--at least twice--that although I consider nVidia to have a motive in this case for the reasons I spelled out--I was not prepared to personally convict them of anything at this time, in my own mind--which I'm sure nVidia could care less about one way or the other. But, as it is inconvenient for your diatribe to take note of what I said, and more convenient for you to invent fantasies regarding what I said, I can hardly expect you to respond to what I actually said, can I?

    For the record: I never said, "nVidia sucks." I am sorry if that's your interpretation--but I have to insist I did not say that. Perhaps you might be better off taking my comments literally instead of interpreting them so broadly as you do. Personally, I can't understand why the word "nVidia," sets you off as it does. Discussed in what you perceive to be a less than flattering light--when I'm merely trying to make sense of things and turn over concepts and examine them--you become instantly defensive about nVidia--without ever actually defending the company in your replies. One would think I had been discussing you personally, instead of nVidia, by the extent of your emotional reactions. You do, realize, Russ, that I when make comments about nVidia in the abstract I am not talking about you? I hope you'll think about that.


    Yea, right. Blame it on "some hacker" who also, you think, was acting mindlessly with no motive. You have exactly as much "proof" for that theory as I have for mine. But I'm not sure what that has to do with discussing possibilities and weighing probablities. I forgot--you can't tolerate *thinking* about things and discussing things as they appear in the abstract. You think we're in court and nVidia's on trial and I am the prosecutor and you are the defense counsel. I'm not asking you to "prove" your points to me--I have simply told you why I disagree with your comments that "companies don't do things like this." If I had asked you to prove you contention you could not do so. But I didn't ask you to prove it, I simply told you why I disagreed with your assessment of "what companies can do." So far, you have failed to convince me of your premise that "companies don't do things like this." And screaming at me in capital letters does not strengthen your "argument."

    Since I have to spell it out--"It sounds like it's corporate espionage to me." There, is that better? Don't be frightened by assertive opinion--it's not going to bite you...:) Neither is it aimed at you, which I hope you know. Again, on the question of proof, we are not in court, but in a forum ostensibly turning over ideas and looking at them. It's not your job to defend nVidia, nor is it mine to prosecute them. The idea was to have a discussion, but with you it seems you cannot distinguish that from some kind of personal attack.

    OK, now I will ask you to prove your statement. Which of the facts that I mentioned in my post concering nVidia is a "paranoid delusion"? Was it, perhaps, when I said I wasn't prepared to assume nVidia guilty as of yet which you dispute as delusional? Try and be specific. To my knowledge, the "delusional" facts you reference are all a plain matter of public record, and if you do not think so then I can only suggest that it is you and not me who delusional on this topic.

    The fact is that although you say I am delusional, you have not quoted a single fact about nVidia's history this year which I referenced in the post, nor rebutted a single one. In fact, you have completely avoided discussing any of the publicly known facts I referenced which gave me reason to suspect nVidia of motivations you claim "cannot" exist, by some mechanism you have not defined. All you have done is to characterize my remarks without addressing them in the slightest, with the exception of name calling--which doesn't bother me in the least--but which I find disappointing coming from you. But not, on reflection, unexpected.

    I'm sure the heads of these companies who are now serving time would be delighted to hear your advice on the subject, and ecstatic to learn that you personally are absolutely sure "companies don't do such things." You might like to consider visiting them in prison as you'd probably make an excellent counselor for all of the imprisoned corporate heads, and those soon to follow, who will be delighted to learn that your solution for them is to "not perpetrate the crime." I am sure that will provide them a great comfort as they serve out their years.

    The point here is that when the crime is in the past tense--as is the one revolving around the theft of the HL2 source code--it's far too late to decide "not to perpetrate the crime" because the crime has already occurred. You see, it was that crime I was discussing and theorizing about, not something which is yet to occur in the future--because if it was yet to occur then your advice might have some meaning for the "potential perpetrator."

    But I think the distinction here probably eludes you. If your idea (which seems to be that people who work for corporations never do illegal things, because they are all smart enough to understand that by "not perpetrating the crime" they can stay out of jail) has any merit then there would be no corporate officers currently in jail at this time, correct? But there are such persons in jail for that type of corporate crime--therefore your idea must be incorrect. In fact, the jails are full of all kinds of criminals for whom the threat of jail proved to be no deterrent whatsoever. But I suppose this is too much of an abstract for you to feel comfortable with.

    Sorry for wasting time responding to two of your posts--it was foolish of me to expect you to discuss any facts in detail, because to you there are no facts to discuss, there are only demons, devils, and crack pipes. Sorry, my mistake. I'll try not to let it happen again.
     
  6. digitalwanderer

    digitalwanderer Dangerously Mirthful
    Legend

    Joined:
    Feb 19, 2002
    Messages:
    18,227
    Likes Received:
    2,827
    Location:
    Winfield, IN USA
    Sorry, sorry...that was me. ;)
     
  7. jvd

    jvd
    Banned

    Joined:
    Feb 13, 2002
    Messages:
    12,724
    Likes Received:
    9
    Location:
    new jersey
    So what are the results of this leak. Will the game and benchmark be delayed even more . Will valve loose clients because of this ? Or is there just a bunch of code that only a few people that have it will be able to use it .
     
  8. WaltC

    Veteran

    Joined:
    Jul 22, 2002
    Messages:
    2,710
    Likes Received:
    8
    Location:
    BelleVue Sanatorium, Billary, NY. Patient privile
    Re: I can't get it... just can't buy it...

    I have to agree that I'm not comfortable, or satisfied, with it either.

    The only credible possibility I can imagine for such an odd tale is that the authorities are already involved and are asking Gabe to limit what he discloses publicly.

    But I'm not entirely convinced about that, either. Honestly, had it been me, I would have first contacted the authorities to begin an investigation and then, after it had gotten underway, I would have made a joint statement with the FBI or SBI or whomever explaining what had happened and what steps were being taken. Of course, apparently the code only showed up online today and Gabe's posting was probably knee-jerk in character. I'm sure it must have been a terrific shock. Maybe, hopefully, we'll be getting some more info shortly which will help to flesh in the pieces. No doubt, though, as it stands it's less than convincing because some pieces are missing, as you say.
     
  9. hoom

    Veteran

    Joined:
    Sep 23, 2003
    Messages:
    3,155
    Likes Received:
    707
    I don't see why this would be nVidia.

    Wouldn't the 'working very closely' involve giving nVidia access to the source code so that nVidia can see where it can be altered to aid performance?

    I understand the 'nVidia is liable to do anything if it thinks it might help them' arguement & agree that they, like most any company, have no scruples & nVidia has been implicated in all sorts of dirty scams lately (several that I think they should be in court for, particularly calling FX cards directx9 compliant), but if they've already got access to the code, why hack in to Valve to get it?

    I mean, Valve would be letting nVidia have access to the DX9 code path as well as the NV30 path because the DX9 path hasn't got anything proprietary to ATI in it has it?
    Maybe Valve would withold some ATI bugfixes but that shouldn't be anything major or worth hacking for.

    -------------

    I think its more likely to be someone pissed off at Steam.

    <sidenote: Steam is not something that I have paid attention to since I don't play MP due to a combo of dialup connection & figuring that if M$ with all its money & coders can't manage to make its software secure even though they try, then what hope for game programmers with limited budgets, release deadlines & just plain trying to get the damn game to work properly?>

    When was Steam 1.0 released?
    Early September if I recall.

    When do Valve say they spotted strange things happening?
    Early September.

    1+1= ?

    For proof, just search the Rage3d forums for references to Steam & you'll find untold raves about how crap Steam is, that Valve suxors & that people should do something to Valve to teach them a lesson.

    If just one of the people expressing those opinions happened to be a decent hacker...

    Since Valve missed the Sep30th release date, many have been mouthing off about Valve even more for 'Ripping us off by lying about the release date, I mean, they assured us that it would be out on the 30th & then they go and do this shit!!! Who do they think they are ? God? Time for someone to teach them a lesson!'

    So now a source code release.

    --------------

    Regarding LGPL content in HL2, since the game hasn't come out, there is no proof that there wouldn't have been a paragraph in the licence stating that that piece of LGPL software was used. (unless the licence.txt is included with the leak? & doesn't have any mention)
    M$ software uses plenty of that kind of stuff & if you bother reading the licences, they're listed in there.

    -----------------

    Definitely a bad failure of network security.

    Not that I do anything such since I'm only a student, I'd be highly disinclined to have full source of a big expensive project sitting on a PC that is connected to the internet for exactly that reason.

    Most game developers are (like me) not computer security experts & it wouldn't surprise me if Valve had fairly slack network security like so many other businesses with important intellectual property flowing through their networks.

    Mention of a keyboard tracker custom written for Valve is interesting & possibly evidence of decent network security since slack security would presumably not require custom code to crack?

    --------------

    All up this is really shit :(

    There is a very strange attitude I keep coming across in forums:
    That people seem to think they have the right to have free access to everything on the internet.

    Now, I'm generally pretty socialist really, but until such time as I live in a proper socialist society, I expect to have to pay a fair price for stuff.

    The question of what counts as a fair price I can argue all day but free is generally not fair unless something has been intentionally released as free by the person with the rights to do so.
    Who has those rights, for how long & what the limits of those rights are, I can also argue about but the source for an as yet unreleased but nearly complete game? grrrrr.
     
  10. flf

    flf
    Newcomer

    Joined:
    Feb 15, 2002
    Messages:
    214
    Likes Received:
    5
    I'm almost beginning to feel that this whole episode looks like a very wild publicity stunt.

    What is known:

    1. Some code is out there. It looks like HL2 (as if we know what we're looking for), but it also looks like old HL1 code. I don't have a copy of the .rar that's floating around, so I can't look myself.

    2. There are some oddities that don't make sense about the code. Supposedly the HL2 engine is "new from the ground up", yet the leaked code has opengl stuff, HL1 and TF1 references and batch builds, and a /cstrike folder. I would tend to feel that valve would keep their projects segregated such that old resources and new don't get intermixed, especially with code.

    3. It's uncertain whether the code that is bouncing around is everything that the "hacker" downloaded, or if it's just a portion that they spit out to the world. Seems odd that the hacker or group hasn't included the usual fileid.diz and hackname.nfo ascii file as is typical for the hacker crowd.

    4. The only acknowledgement has come in the form of a post from Gabe Newell on the halflife2.net forums. Really odd. Major upheavals such as this usually elicit a press release from a corporation such as valve.

    5. I hope Valve has a good mail server, because everyone and their dog is probably going to email that help@valvesoftware email account.

    6. This is the really weird one: Gamasutra.com has no story about this whole affair. Of all the sites, I would expect gamasutra to carry a story about this if it is acknowledged by the Valve. Heck, they carry stories about tiny developers closing, you'd think they'd have a story about the biggest developer snafu in history, wouldn't you think? I've just checked www.theregister.co.uk, and while they are more of an IT reporting site, they'd surely gleefully report a story about failed virus and firewall protection if such was the case.

    Until there is an actual press release, or such time that confirmation arrives in the form of documented news items from a major site, I'm inclined to think that this is a publicity stunt.

    Final question: Has any of the Beyond3D management expressed any opinion about this affair? They seem mysteriously silent about this. (I'm not talking about the forum mods.)

    A final bit of non-linear thinking: What if valve's leaked code is a canary trap? What if it's networking and client code is designed to expose those that try to hack the release code using the leaked code as a base?

    Until we get a real, official notification from Valve, I'm going to be holding out for the idea that they're being far sneakier than we give them credit for.

    (In followup to my original post: The more I think about it, the more I doubt that Valve has a development network that can be accessed from the internet. I can't think of any sane development company that would do this.)
     
  11. WaltC

    Veteran

    Joined:
    Jul 22, 2002
    Messages:
    2,710
    Likes Received:
    8
    Location:
    BelleVue Sanatorium, Billary, NY. Patient privile
    If your assumption here is correct, then I agree it's an excellent point. Thank you for bringing it up! I don't know that either ATi or nVidia would have the source code by virtue of their work with Valve, but if so, that would let them both off the hook, unquestionably. That's really an interesting point--I would tend to think that the source stayed with Valve and that ATi and nVidia provided info to Valve, probably under NDA--most especially, nVidia, for whom Valve wrote the mixed-mode path. They'd have had to have details about nV3x to do that no doubt. It makes more sense to me to think that Valve held on to the source and it was the IHVs who provided necessary info at Valve's behest. But good point regardless...you could be right.
     
  12. hoom

    Veteran

    Joined:
    Sep 23, 2003
    Messages:
    3,155
    Likes Received:
    707
    Well nVidia at least gets development builds as evidenced in the 'use det 50s to benchmark HL2' press release.

    I guess it depends on how they work.
    I understand that NV & ATI do send out programmers to work with the developers to see & work with the code directly, but for something as huge as HL2 & for general cost/benefit it would seem more likely that source code would be sent out by Valve under NDA.
     
  13. WaltC

    Veteran

    Joined:
    Jul 22, 2002
    Messages:
    2,710
    Likes Received:
    8
    Location:
    BelleVue Sanatorium, Billary, NY. Patient privile
    I have to say that reading this materialized a feeling I've had all day since I read the "Newell" response. I have to say that I agree that something's wrong here. That response just did not ring the bell for me, but as it was being reported as accurate--I didn't see much choice about accepting it that way. But you are right--something's out of place here. Something doesn't fit. Thanks for helping me crystalize what has been bothering me since I read that "Gabe" statement. Heh... long day...

    Yes, I read something by someone else who'd looked at it and concluded it was old stuff.

    Yes, if the code was indeed stolen, I would not necessarily expect that the culprit would post it online in an unmodified fashion--if there was an intent on the part of thief to portray a company related to the code in a certain light--I would expect modifications prior to it being posted online.

    It's brevity, lack of detail, and overall lack of emotion seemed odd to me as well. Not to mention it's an extremely odd way to convey such information. Oddest of all--no mention on the game schedule.

    I thought that was kind of an odd way to handle something like this.

    Good observation. A lot of these sites would pick up the info and run with it without bothering to get verification.

    Good notion--but what's the purpose?...:)

    Here's another theory--Valve detects someone snooping its network and decides to try and catch them by laying a trap with dummy source code, which the thief takes. They want the thief to think he has succeeded in order to garner time to trace him--which they are in the process of doing presently. Although...heh...:) I'm not quite sure why they might wish to do it that way....:) If this was the case, then it might explain the lack of "official" information thus far because sites who might have ordinarily publicized it have been warned off in advance. Eh...probably all wet...need to hit the hay sometime soon...
     
  14. Gubbi

    Veteran

    Joined:
    Feb 8, 2002
    Messages:
    3,633
    Likes Received:
    1,070
    Valve is in the making-games business, in the catch-a-hacker business. Why would they waste their time with this.

    I can see this as postponing Steam and HL2 since they have to wade through all the source code to make sure there aren't any backdoors.

    Cheers
    Gubbi
     
  15. Simon F

    Simon F Tea maker
    Moderator Veteran

    Joined:
    Feb 8, 2002
    Messages:
    4,560
    Likes Received:
    157
    Location:
    In the Island of Sodor, where the steam trains lie
    More likely, if it is the work of crackers, then those involved were probably trying to target anyone they could (say of the big game developers) and just got "lucky" with Valve.
     
  16. mat

    mat
    Regular

    Joined:
    Feb 6, 2002
    Messages:
    321
    Likes Received:
    0
    Location:
    Vienna, Austria
    That would be a good idea, but on my last job (at a large Company who should have enough money) everyone just had one (quite old) PC for everything [VS.Net 2003 on a PII with 256 MB is sooo much fun ;) ]. And guess what Mail Programm was installed? right: Outlook with HTML set as standard Email format.
     
  17. Humus

    Humus Crazy coder
    Veteran

    Joined:
    Feb 6, 2002
    Messages:
    3,217
    Likes Received:
    77
    Location:
    Stockholm, Sweden
    M$ has patched such bugs many times. And I would be surprised if there wasn't still many buffer overflow possibilities left in several of their apps.
     
  18. Humus

    Humus Crazy coder
    Veteran

    Joined:
    Feb 6, 2002
    Messages:
    3,217
    Likes Received:
    77
    Location:
    Stockholm, Sweden
    Well, I couldn't resist, so I got my hands on the files. And there's no doubt in my mind that these belong to HL2. Sure, they are probably reusing some code from earlier projects, but looking into the all the shaders it's clear that this is HL2. There are a buttload of shaders there, some assembly, some HLSL, lots of ps2.0 level shaders.

    All it takes is for someone to somehow get an executable to run on any dev machine. Using buffer overflows or other flaws this is probably possible. Their network most likely isn't directly accessible from the net, but the dev machines most likely have access to both the internet and the network, so once the hacker has its code running there it's not hard to upload it to somewhere else.
     
  19. Bouncing Zabaglione Bros.

    Legend

    Joined:
    Jun 24, 2003
    Messages:
    6,363
    Likes Received:
    83
    That's what I was thinking. Didn't they have anyone checking their firewall logs or looking at packets? They saw unusual activity on Gabe's mail account, but didn't change passwords or close it down? What else, did they have - developers walking around the world with the source code on their laptops?

    We'll probably never get the exact truth of how the Valve machines were penetrated, but I bet there were a lot of basic security errors on their part that made the hacker's job much, much easier than it should have been.
     
  20. jpaana

    Newcomer

    Joined:
    Jul 31, 2002
    Messages:
    154
    Likes Received:
    2
    Location:
    Tampere, Finland
    Well, besides being in the Havok physics library (and thus more Havok's problem than Valve's, depending on the licensing terms obviously) the guy seems have worked for Havok at some point in time and as the author of the code can dual license the code as he wishes. Interesting that they still left the LGLP stuff there without mentioning any other license.

     
Loading...

Share This Page

  • About Us

    Beyond3D has been around for over a decade and prides itself on being the best place on the web for in-depth, technically-driven discussion and analysis of 3D graphics hardware. If you love pixels and transistors, you've come to the right place!

    Beyond3D is proudly published by GPU Tools Ltd.
Loading...