Fog Creek Software
Discussion Board




More on the Half Life 2 code theft

Latest public posting from the Valve guy in charge - I am *amazed* at the depth of this attack, and the patience of the attackers - this whole thing took more than just a couple of days to set up.  Could this really be just a bunch of high school script kiddies, or something much more? 

---

1) We've taken our network connection down to pretty much a minimum. We're still finding machines internally that have been compromised.

2) The suite of tools that the attacker was using included the modified version of RemotelyAnywhere (basically a Remote Desktop-style remote admin tool), Haxker Defender (a process, registry key and file hiding tool), the key logger, and various networking utilities that allowed them to transfer files (compressors, NetCat, and FTP). We also are pretty sure they were sniffing our network to gather passwords and other information. Haxker Defender includes a file system driver that allows an attacker to have stuff on your machine that is invisible, unless you do something like mount the drive under another OS that has NTFS support.

We have determined one way of detecting some infected machines, which is using a connection viewer to detect connections to anomalous hosts external to our network.

We still don't know their entry method.

3) In general, the community has been remarkably swift at tracking down the sources of the leak. What would be most helpful now are IP addresses of the people who were responsible for the intrusion or for the denial of service attacks.

4) Also, please continue to send in URLs of websites hosting the source code. We've been contacting people and asking them to take it down.

5) There's anecdotal evidence that other game developers have been targeted by whoever attacked us. This hasn't been confirmed. We've been providing other game developers with more detailed information about the exploits and evidence of infiltration.

6) We're running a little bit blind with our network shut down, but it seems like some of the press has picked up the story. I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet.

For any information related to this, please send it to helpvalve@valvesoftware.com, or you can always send to gaben@valvesoftware.com as well.

Mitch & Murray (from downtown)
Tuesday, October 07, 2003
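
Added example, not part of the original post or of Valve's tooling: the connection-viewer check described in the quoted message, written in Python over constructed `netstat -an`-style output. The internal address ranges, the `allowed_hosts` parameter and every sample address are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Networks treated as "inside" (assumption: RFC 1918 space plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in `netstat -an` layout; external addresses are
# taken from the documentation ranges, not from any real incident.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1045      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.23:1051      198.51.100.7:21        ESTABLISHED
  TCP    192.168.1.23:1060      203.0.113.80:443       ESTABLISHED
  TCP    192.168.1.23:1072      198.51.100.7:4000      ESTABLISHED
  TCP    192.168.1.23:1080      203.0.113.9:80         TIME_WAIT
"""


def parse_endpoint(endpoint):
    """Split 'addr:port' (or '[v6addr]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_internal(addr):
    """True when the address falls inside one of INTERNAL_NETS."""
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)


def anomalous_connections(netstat_text, allowed_hosts=()):
    """Return {external_host: sorted remote ports} for established TCP
    connections whose remote end is neither internal nor allowlisted."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only established TCP rows matter; headers and listeners are skipped.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            remote_addr, remote_port = parse_endpoint(fields[2])
        except ValueError:
            continue  # unparseable endpoint such as '*:*'
        if is_internal(remote_addr) or remote_addr in allowed:
            continue
        findings[str(remote_addr)].add(remote_port)
    return {host: sorted(ports) for host, ports in findings.items()}


if __name__ == "__main__":
    # 203.0.113.80 stands in for a known, expected external service.
    for host, ports in anomalous_connections(
            SAMPLE_NETSTAT, allowed_hosts=["203.0.113.80"]).items():
        print(f"review: connections to {host} on ports {ports}")
```
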

i'm wondering what one would even do with the half life 2 code? it seems without massive modifications (and probably even with massive modifications) that it would be pretty easy to identify a derivative product.

rz
Tuesday, October 07, 2003

Unfortunately, Valve announced today that Half Life 2 was going to be delayed (again) until April.

http://www.gamespot.com/pc/action/halflife2/news_6076466.html

(Originally it was scheduled for October 2003 release, I think -- then was delayed until "holidays 2003.")

Impossible to know whether the delay is actually attributable to this theft, or whether it just provides a convenient excuse for Valve to take some extra time to polish the game.  However, I read some speculation that the antipiracy elements (registration numbers, etc.) could have been compromised.

I hope they catch whoever did this.

Robert Jacobson
Wednesday, October 08, 2003

I'm not certain there's likely to be a point to stealing it, beyond "because I can".

I'm sure there's not any good way to profit from it, but anything as complex as described is hard. There's always some people who will attempt something, merely to have done it. And, if you trust your cohorts, you'd get massive bragging rights.

Which is also how this guy's going to be caught. Too bad.

Mike Swieton
Wednesday, October 08, 2003

The half life 2 code was stolen? And here I was thinking it was merely copied ...

Sum Dum Gai
Wednesday, October 08, 2003

If it's copied such that other copies can be generated or derivatives made then it is theft.

Theft of Intellectual Property Rights, but theft nonetheless.

Making use of the copy in order to subvert licencing and registration schemes would be a separate theft each time a crack was used.

Simon Lucy
Wednesday, October 08, 2003

That would be copyright violation, not theft. They're separate laws for separate things, let's not muddy the waters by using an intentionally emotive word like "theft" to describe copyright violation.

As far as the significance of this, my prediction is that in the grand scheme of things, it matters little. Nobody can use the source in their product - they'd be sued into oblivion. Plus the fact that most of the effort creating a game is spent on art and design not code, and that by the time you could produce anything with it, it will look outdated, it starts to look less serious for Valve.

They were probably going to miss the release date anyway, so I'm not even sure that's directly related to this. When it is released, having the source isn't going to help anyone pirate it, since it's going to use server side id tracking, just like half life does.

I predict this will eventually blow over and everyone will wonder what people were so worried about. Sure it's a PITA for Valve right now, but when it all dies down, they can look back and say they got free publicity in the mainstream media for their upcoming game. It may actually turn out to be a net positive when you look at it that way.

Oh well, I guess I'll go back to eating popcorn and watching the melodrama unfold. ;)

Sum Dum Gai
Wednesday, October 08, 2003

Judging by the quality of the latest STEAM release, Valve's code is probably garbage anyway.

hahaha

F
Wednesday, October 08, 2003

Simon, as hideous as this thing is, it is NOT theft.

There are legal definitions for various crimes, and for something to be a theft, the original owner must be denied its use.

It's copyright infringement, which - in many countries in the western world, carries HEAVIER punishment than theft. (For copying a CD, you can get up to $150,000 fine in the U.S; For stealing the same CD, you'll get away with much, much less - possibly a hundred times less).

You can call it "theft", "rape", "murder" or whatever other name you choose. But legally, it's still copyright infringement, which is a TOTALLY DIFFERENT thing.

Ori Berger
Wednesday, October 08, 2003

I am sick and tired of the folks saying that copyright is wrong.

It's not wrong.

Intellectual property is starting to become more important than physical property.

This is why we need stronger, not weaker IP protection laws.

People who are against copyright probably never created a valuable intellectual work on their own, but want to use others' for free.

Hacker Rex
Wednesday, October 08, 2003

How will they determine that the code they still have is not changed in some subtle ways, that would allow the hackers to compromise machines running the game in dozens of different ways from the first day it is released?
HL2 released -> next day vulnerability -> patched -> next day vulnerability -> patched -> next day vulnerability -> ...
It is hard enough to secure code that was not intentionally cooked to be full of holes.
Interesting stuff.
Should every dev. shop require a PKI with developers needing smartcard based digital identities that require a non-remotable operation (enter PIN, or biometrics) to interact with the CVS? Maybe developer machines should be the first on the list to migrate to a Palladium style environment?

Just me (Sir to you)
Wednesday, October 08, 2003

I'm more interested in seeing how Valve will deal with allegations that the leaked source contains bits of GPL'd Quake source (http://saladwithsteve.com/2003_10_01_archive_index.html#b106529538166675637).  If they were using GPL'd code and weren't planning on distributing their source with the game, then I'm going to have a really tough time working up any sympathy for them as a result of this intrusion.

anonymouse
Wednesday, October 08, 2003

http://saladwithsteve.com/2003_10_01_archive_index.html#b106529538166675637

anonymouse
Wednesday, October 08, 2003

Hacker Rex, who exactly are you going out against?

The attack on Valve is criminal, I don't think anyone in their right mind would think otherwise.

Copyrights are essential; I don't think anyone in their right mind would think otherwise either. Don't believe the FUD spread around by zealots - Richard Stallman, GNU and the FSF all support copyright laws and rely on them. Yes, without copyright law, the GPL becomes invalid. You can ask Stallman yourself.

Trademarks are generally regarded as a good thing everywhere, especially since trademark dilution *can* and *does* happen.

Patents are acceptable for many areas (although their value to community at large is debatable). But Software and Business patents are a horrible hack that mostly stalls progress and hurts society at large.

It is common to wrap all of these under "IP" but "IP" has no legal meaning. Copyrights, Trademarks, and Patents are all (relatively) well defined concepts, each with (relatively) well defined rights and obligations. What "IP" laws would you like strengthened, why, and how?

And I remind you - that hack to valve is already illegal by various acts (at the very least, Computer misuse/trespassing, Copyright - the first of these is, I believe, criminal and jail punishable).

Ori Berger
Wednesday, October 08, 2003

The code won't do them any good as far as piracy is concerned, since they'd be able to take the finished product and make copies anyway.

The most likely reason is that they got their hands on the source code so they can hack it to enable cheats during multiplayer games over the Internet.  Because of the quick response times required by multiplayer action games, the servers don't do much validation of the data coming from the player's computers, which makes cheating possible.

So they are delaying the release by 4 months, probably to alter the network code to make it incompatible with the current exposed version.

T. Norman
Wednesday, October 08, 2003

"Gabe Newell gave no indication that there would be a delay. He also stated that only a portion of the code was stolen. They did not confirm a delay. Today, Valve still hasn't confirmed such a delay.

Meanwhile, Christophe Ramboz, Vivendi Universal Games president of international operations, told Reuters the source code theft would result in a four month delay, pushing Half-Life 2 back to April 2004."

http://www.halflifesource.com/

That Haxker Defender program looks pretty nasty. The whole "how do you store your passwords" thread seemed pretty strange to me, especially people who store their passwords in one encrypted location, because all your passwords could be compromised then from one simple keystroke logger / shoulder surfer and a copy of your file.

Mark T A W .com
Wednesday, October 08, 2003

I made no mention of Copyright, though copyright is one manifestion of intellectual property rights, it is not the only one.

Intellectual Property rights can be defined as
"Intellectual property is information that derives its intrinsic value from creative ideas. It is also information with a commercial value. Intellectual property rights (IPRs) are bestowed on owners of ideas, inventions and creative expression that have the status of property. Like tangible property, IPRs give owners the right to exclude others from access to or use of their property."

Note that this is not Copyright, which is the bestowing of the right to make copies and distribute.

IPR is the ownership which enables Copyright to be given.

The concept of IPR was created in order to recognise ideas and other intellectual or creative endeavours as physical property even if they had no physical counterpart.  The notion of property also means that it can be stolen.

Hence, the theft of the source which may never have been copyrighted in the sense of having been published and distributed is indeed theft and not simply a breach of Copyright.

Simon Lucy
Wednesday, October 08, 2003

Oh, I created a word, manifestion.  I wonder what it means.

Simon Lucy
Wednesday, October 08, 2003

Think about it:
You are a dev. shop. You just discovered your whole development network is 0wNeD, and possibly has been for a considerable period. What can you do?

First off: total blackout of the old network. Nothing gets in or out.
You acquire & install new dev facility.
Start forensics & careful asset recovery from the latest backup.
Determine with reasonable certainty the exact time of compromise.
Then you retrieve an archived backup of all your sources from before that time.
Now all the code that has changed since then has to go through an intense security review.
...

Imagine how nerve-wracking this must be. Any tool in your own developed toolchain could contain a planted dead-man switched timebomb etc.etc.

Now this certainly must have an effect on the project schedule, no?

Just me (Sir to you)
Wednesday, October 08, 2003
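
Added example, not part of the original post: one way to build the review list the post above calls for, by hashing the archived pre-compromise source tree and the current tree and reporting every file that was added, removed or modified. The function names, directory names and the sample trees built by `build_constructed_trees` are hypothetical.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256.
    Contents are hashed because timestamps could have been set by whoever
    controlled the machine. Symlinks are recorded by target, not followed."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                digests[rel] = "symlink:" + os.readlink(path)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def review_queue(baseline_root, current_root):
    """Compare the pre-compromise archive with the current tree and list
    everything that differs, i.e. everything that needs security review."""
    base, cur = hash_tree(baseline_root), hash_tree(current_root)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(p for p in set(base) & set(cur)
                           if base[p] != cur[p]),
    }


def build_constructed_trees(parent):
    """Write two small constructed trees under `parent` for demonstration."""
    trees = {
        "baseline": {"src/net.c": "int net_init(void);\n",
                     "src/auth.c": "int check(const char *k);\n",
                     "docs/old.txt": "notes\n"},
        "current": {"src/net.c": "int net_init(void);\n",
                    "src/auth.c": "int check(const char *k); /* edited */\n",
                    "tools/build.py": "print('build')\n"},
    }
    for tree, files in trees.items():
        for rel, text in files.items():
            path = os.path.join(parent, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
    return os.path.join(parent, "baseline"), os.path.join(parent, "current")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as parent:
        baseline, current = build_constructed_trees(parent)
        for kind, paths in review_queue(baseline, current).items():
            for p in paths:
                print(f"{kind:9} {p}")
```

Build tools and scripts kept in the tree are compared the same way as game code, which covers the toolchain concern raised in the post.
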

Simon, I'm not sure about the UK, but in the US and in many other places, what you are saying is simply not true, in the legal sense, and you are implying theft in the legal sense.

There's a difference between murder and manslaughter.

There's a difference between theft and copyright violation.
The first requires denial of use from the original owner.

Ori Berger
Wednesday, October 08, 2003

P.S - In the U.S (and most of the world, I think it's part of the Berne Convention), you have automatic copyright on anything you produce, whether or not you publish, register or distribute it.

"intellectual property" can be stolen, but this was not the case here, as the original owner can still use it.

Ori Berger
Wednesday, October 08, 2003

Good grief. JOS has sunk to new lows of geeky, pedantic arguing.

But not to be deterred...the crime - and yes, it is a crime, goes beyond taking a copy of the source code. There is the matter of hacking into their systems. I'm sure this will fuel another round of silly debate of legal definitions, but the way the perps gained access to Valve's computers was illegal.

Mark Hoffman
Wednesday, October 08, 2003

Well, US Law professors seem to have a different opinion

http://www.cni.org/Hforums/cni-copyright/1998-04/0187.html

As an example of an IPR statement which specifically talks about theft of electronic images.  http://www.titanmen.com/ipr.htm

The FBI and US Customs seem to think it's theft as well
http://www.customs.ustreas.gov/xp/cgov/newsroom/press_releases/72002/07172002_2.xml

This is the whole point of using the term 'property'.  I'll say it again, but for the last time, that Copyright is not the only form in which IPR can be bestowed.

Simon Lucy
Wednesday, October 08, 2003

Just to make me appear even more anal about this... :-)

It is theft because it prevents the owner from enjoying the benefits of their intellectual labour.  The licencing and registration scheme is now known and so cannot be used.

Not only that but the entire way in which the code approaches security, whether it has multiple branches to the licence checking to avoid the single prune exploit; whether it uses checksums on all or part of files; regardless the code now has to be rearchitected so as to make all knowledge that can be gleaned from the current version worthless.

This version of the software has been effectively stolen.

Simon Lucy
Wednesday, October 08, 2003

"The licencing and registration scheme is now known and so cannot be used."

If they plan to distribute binaries, the same (basically) applies. You'd be amazed on how good some people are at reverse-engineering...

BC
Wednesday, October 08, 2003

While 'intellectual property theft' is often used as a poor synonym for copyright violation, in this case it is MORE correct than copyright violation.

Why?  Because this is misappropriation of trade secrets.  Now, it's true that there is an amount of copyright violation going on (anyone who is distributing the source), but from Valve's standpoint the trade secret status of the source is much more serious.

Steve Monk
Wednesday, October 08, 2003

I just wanted to toss in that the reason "theft" has been bad for millennia has nothing to do with getting a free thing - it's about depriving the rightful owner of its use. (Ability of the owner to possess/repossess is often a factor in determining the crime that took place)

So calling a copyright violation "theft" is wholly inaccurate, since the copyright holder is not deprived of ownership of anything. (potential profit loss is not a factor in any aspect of determining copyright violation).

Illegally copying something is violation of copyright; to call it "theft" belittles actual theft which I think we'd all agree is always a more egregious crime.

I've had a car stolen, I've had code copied. I can tell you absolutely which hurt more. :-)

Philo

Philo
Wednesday, October 08, 2003

So, you guys that say this is not theft -- if I were to break into CocaCola headquarters and copy their top secret recipe for Coke (which is not copyrighted, by the way) then no crime has been committed. I have not stolen anything from them since they still have the recipe...

And then I could go after the Colonel's 11 herbs and spices in his original chicken coating... and that would be fine because I haven't really stolen anything.

Or I could copy a hard drive at Los Alamos. No worries, mate! It was only a copy! They still have the original nuclear secrets! I am guilty of no crime!

You really see it this way, huh?

Tony Chang
Wednesday, October 08, 2003

You can replace a car pretty darn easily at a small or nonexistent cost, if it was insured.

If your source code containing your trade secrets is stolen, years of your life may be gone.

The company that they licensed their physics engine from is now going to sue them. They will have no choice but to sue Microsoft, since unpatched by MS vulnerabilities in IE enabled the initial compromise.

You're not really a developer are you Philo? You're a Kc48K0R and the whole Camel thing was a big shen, right? A pretty good one, but you never really discussed anything that wasn't straight out of a Scott Adams book.

If you are a developer, show us a web page with some code you've developed.

I claim that a real developer would understand that source code THEFT of trade secrets valued at tens of millions of dollars is way more serious than getting some stupid car stolen.

.
Wednesday, October 08, 2003

Yep.  The charges of breaking and entering, and unauthorized use of whatever physical thing(s) you got the information from, should be sufficient.

The notion of ideas as property, requires a police state for its execution.  Ideas aren't and never have been property.  The state grants *limited* monopolies to creators in order to secure benefits for *everybody else*.  This is not the same thing as a "right".

Note that if I own a thing, I do not need to force everybody else to not use it.  They don't get to use it unless *they* force *me*.  But the *opposite* is true for intangibles, since I am not deprived of my idea through someone else having it.  If I want to deprive others of it, I have to force them *not* to use my ideas.

Thus, in any moral system that considers the initiation of force wrong, attempting to establish a system of intellectual "property" is inherently immoral, because it causes harm to people who have not harmed another.  It's like saying, "you should buy some insurance from me, or else I'll beat you up for depriving me of my insurance sales."

Phillip J. Eby
Wednesday, October 08, 2003

Ummm well, it doesn't require a police state at all, does the maintenance of Real Property Law require a police state?

Of course not.

There has been permanent loss involved as has been pointed out.

As for reverse-engineering, I'm more than well aware of the possibilities, if code is executed it can be traced.  Similarly, Coca Cola's recipe can be analysed as well as the 11 herbs and spices belonging to the Colonel.

In some ways this is worse than just stealing a recipe, as not only is the current software version compromised but the methods used to create new software, in relation to licencing and  security, are also compromised. 

Simon Lucy
Wednesday, October 08, 2003

Tony - for copying the recipes of Coca-Cola and KFC that is absolutely correct, no crime has been committed. (We have to put aside your breaking and entering for the moment)

Get this straight - in general, violating copyright IS NOT CRIMINAL. There *are* criminal sanctions for gross violation of copyright, which is generally selling a lot of copies of copyrighted work; but when Joe Schmoe, downloads a CD from Napster, he has committed NO CRIME. The *holder* of the copyright has grounds for a LAWSUIT against Joe, but he can't call the cops on him.

Just wanted to clear that up, thanks.

This is not a value judgement on my part - I am simply trying to clarify the way the law is. Theft/larceny, et al go back thousands of years due to the deprivation of possession. Copyright is a civil action that originated around the popularization of the printing press.

Philo

Philo
Wednesday, October 08, 2003

That's true.  However the current TRIPS agreement does require provision for criminal enforcement of breaches of copyright at the very least when those breaches can be construed as piracy on a commercial scale.

I imagine they mean actual duplication of product rather than the taking of the source but I see an argument where this could be construed as organised and commercial piracy given the methods taken to extract the source.

Even 10-11 years ago in Singapore the little traders were raided by FAST people with the support of the Police to seize counterfeit copies of 123, Autocad and DR DOS.  This was actual product though of course, not sources.

Simon Lucy
Wednesday, October 08, 2003

Just to add to the pedanticism...

Yes, a copyright violation -- by itself -- generally isn't a criminal offense, although this line is getting blurry:

http://www.usdoj.gov/criminal/cybercrime/iplaws.htm#Xa

However, this isn't a situation of downloading an MP3, but actively breaking into a computer network to gain access to a company's proprietary code.  If I break into Coca Cola's vault and take a picture of the secret recipe with my spycam, I'm guilty of breaking and entering.  If I hack into Valve's computer network to copy its code, I'm guilty of violating the federal Computer Fraud and Abuse Act (and probably other laws), with the potential for many years in the slammer.

If they catch the miscreant who pulled this off, a copyright lawsuit from Valve will be the least of this guy's problems.

Robert Jacobson
Wednesday, October 08, 2003

"""Ummm well, it doesn't require a police state at all, does the maintenance of Real Property Law require a police state?"""

You completely missed the point.  "Real" property doesn't require a police state, because to steal it, you have to act at a *single location*.  You therefore have only one point to protect against force.

However, to prevent the so-called theft of so-called "intellectual property", you must initiate force to stop people doing things on their *own*, *anywhere in the world*.  To do this, you have to *know* that somebody is doing the thing you want them not to do.  And that's where the police state comes in: to the extent that one has privacy, IP laws are unenforceable, and vice versa.

Phillip J. Eby
Thursday, October 09, 2003

To steal 'Real Property', ie land,  you just have to steal the title, you don't have to be in a particular place to do it, you don't have to go near the property itself to achieve it.

Forgetting the old saw of 'possession is nine-tenths', unless you can prove with some kind of document that you own something if someone else comes along with 'proof ' then de facto, they own it.

We've abstracted the notion of ownership into documentation of ownership and it's something we've done for a very long time.  It might even have been the spur for the creation of writing in the first place.

Those of us that think a little like Korzybski might be able to see through the thicket of paper and not confuse the map with the territory.  But we live in a world where the map is more important.

Simon Lucy
Thursday, October 09, 2003

"To steal 'Real Property', ie land,  you just have to steal the title, you don't have to be in a particular place to do it, you don't have to go near the property itself to achieve it."

But that again comes back to encroaching on the single location where the title is stored.

IP law on the other hand says that nobody in the land can put certain patterns of words on their own paper using their own ink, nobody can use their own hands and tools to build mousetraps in a certain way, nobody can use their own fingers and own piano to play a certain series of notes, and nobody can burn a certain series of bit patterns onto their own blank disc (other than the "owner" of the IP).  As a result, enforcement of IP requires much more widespread policing and more intrusion into the lives of the non-owners of the IP, than does enforcement of physical property rights.

T. Norman
Friday, October 10, 2003

Title in Land Registries is just an entry in a database these days.

Simon Lucy
Friday, October 10, 2003

I read an article recently, and I will try to find a link to it, that listed ways to acquire property. One way was simply by using it. In just about every state in the US, if you use someone else's piece of property for a certain period of time (different in each state) without an objection by the owner, you can file a claim to take possession of the property. So, if you own a vacant lot, and I park my trailer on it, and you don't object for several years, I could take possession of the lot.

Bill
Friday, October 10, 2003

That's called "adverse possession", and the requirements are a bit steeper than you imply.  For example, your use of the property has to be "notorious", e.g. "everybody knows Bill's been parking his trailer there."  I think it also has to be adverse, that is, you did it without the owner's permission.  (Otherwise, he can just withdraw permission.)

Anyway, I'm not a lawyer, and I'm not sure what I think of the ethics of this, anyway.

Phillip J. Eby
Friday, October 10, 2003

not only do you need to 'steal' the title (maybe in the database, maybe a filing cabinet), you need to occupy the real land--again, it's the denial of the 'proper' owner which converts this to something like theft. if you just try to sell photocopied titles of the brooklyn bridge all day long, you're doing something wrong, but haven't stolen the bridge.

mb
Friday, October 10, 2003

This quibbling over the word "theft" misses the point that one usage is a technical legal usage, and the other a popular usage. Both are valid and convey their meaning.

Unauthorised obtaining of source code is most certainly theft in the popular sense.

abc
Sunday, October 12, 2003

Hey y'all: I'm a gamer who happens to be a law student as well.  I played and loved HalfLife, and the theft of this code has prompted me to write an article for my school's law review.

Some previous authors had good points re: the IP issues surrounding gaming software in general, but I have a question that goes sort of to the open-source side of this debate...

I was wondering if you have any thoughts as to how to reconcile the fact that CounterStrike was really what made HalfLife the huge commercial success that it was and the issue that that mod wouldn't have been developed w/out individual programmers efforts.  I guess I want to figure out and discuss how the original product deserves protection to encourage Valve to keep creating great games, but also address the point that the game itself can be but a starting point toward a much more commercially successful version.

any thoughts?  By the way, law school is no fun.

cheers

Alex Barton
Wednesday, October 15, 2003

As well, if anyone responds please do so to the message board rather than the email link so I can cite to your comment and the website in a footnote for publishing purposes.  Thanks

Alex Barton
Wednesday, October 15, 2003

oh, I'd also be happy to clear up any confusion as to the caveats of property laws and criminal vs civil legal action to help ease the tension in these exchanges.

Alex Barton
Wednesday, October 15, 2003
