IE Gets Blame for Theft of Half Life 2 Code


Prelude76

IE Gets Blame for Theft of Half Life 2 Code
Security experts are blaming known but unpatched vulnerabilities in Microsoft Corp.'s Internet Explorer for the theft and distribution of the source code for a much anticipated new video game.
The source code for Valve Corp.'s Half Life 2, a sequel to the popular shoot-'em-up game that was due out by December, was posted on the Internet on Thursday, according to a statement from Valve Managing Director Gabe Newell.
The theft of the code, which was made available for download on the Net, came after a monthlong concerted effort by hackers to infiltrate Valve's network. Malicious activity in the Valve network included denial-of-service attacks, suspicious e-mail activity and the installation of keystroke loggers, Newell added. "This is what happens when you have 31 publicly known unpatched vulnerabilities in IE," wrote Thor Larholm, senior security researcher for PivX Solutions LLC
looks like Valve should've been using Mozilla Firebird/Thunderbird B) :)

I'm with Nathan here... It's not IE's fault that Valve didn't have their code secured properly. With proper firewalls and security setups, this wouldn't be an issue. Hard to blame an application when the company obviously knew this was coming (DoS attacks and emails). That's what they get for not being prepared and changing to meet security demands.


oh brother :) i *knew* i'd see these kinds of responses
YES, valve is to blame
YES, they should've been safer
YES, IE is to blame too. it was infiltrated through KNOWN UNPATCHED vulnerabilities, as in MS didn't patch them yet.
YES, their AV was weak. apparently, it was a remote trojan keylogger that took the important info, and IE allowed the doorway in. since it was a CUSTOM TROJAN, no AV could detect it.
it's just an example to illustrate that you can have your windows/IE patches up-to-date, and your AV up to date, and you can STILL get whacked. All this talk about "they needed better firewall. their server was weak" is just silly. we DON'T know what they had, but if someone gets in thru a KNOWN UNPATCHED IE flaw, and then uses a custom undetectable keylogger, heck, they got the guy's password and then they could enter the network LEGALLY and not trip over any firewalls. right?
and my comment about Mozilla, well, Valve should've been more careful, and running Mozilla would've made the theft that happened IMPOSSIBLE in its current way. it was an example that you can't take security for granted just by being up-to-date with IE patches and av signatures, not to be a Valve vs. MS argument. :thumbsup:
p.s. - my thoughts on this are actually leaning to conspiracy theory. Valve wasn't going to make the december deadline, and in order not to piss off fans and to get publicity, leak the code (it might be old code, we don't know) and blame the theft to justify extending deadline to 2004 (as it was done earlier this week). either that or their arch-nemesis ID software stole it to improve Doom III. :)


nlinecomputers

Sorry I'm not buying it. OK so Valve says "IE holes caused our workstations to be infected" Ok I'll grant that can happen. Except that this was a directed attack not a random virus infection and that means the attacker had to know what the surfing habits of his victims were in order to either compromise a website viewed by his victim or create a website that the victim would go view. So this is either an Inside job or this is pure bull****. And yes their internal security was weak. Desktop firewalls would have flagged a keylogger sending in its reports. Desktop file auditing systems would have checked file creation dates and checksums and noted changes. Email attachments would have been obvious places to check but even programmers are sometimes dumb enough to fall for the "hey check out my cool screen saver" (or in this case maybe it was "check out my cool website trap"...) email trap. Personally I think it is all FUD. Blame M$ is a great way to avoid reporting that they have a mole in the building or that programmer X did something stupid and opened email he shouldn't or that Sysadmin Y didn't do the basics. This is a company creating a game. Warez crackers are all over the game market. A sysadmin running a game publishing's network should be a security zealot. I'd be running the place with smart cards, double firewalls, and serious checksum audits.


Here is Valve's Gabe explaining what happened:

Ever have one of those weeks? This has just not been the best couple of days for me or for Valve. Yes, the source code that has been posted is the HL-2 source code. Here is what we know:
1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
3) For the next week, there appears to have been suspicious activity on my webmail account.
4) Around 9/19 someone made a copy of the HL-2 source tree.
5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).
6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.
to clarify, they don't know 100% how keyloggers got put on their system. and as i'm sure their programmers do a lot of work from out of office at times, and they might use a remote access program like 'Remote Anywhere', if someone used a custom version of Remote Anywhere, the firewall should pop up saying program changed, but they might've thought it was updated normally and clicked ok. i mean, we are speculating, and so is Valve and so are 'security experts' that have blamed IE for this, but you're right, it looks more like combination of human error and/or inside mole using IE's flaw to access Gabe's account. (he's the head designer).
and then you have this article released today:
Vivendi Universal Entertainment has canned the Christmas launch of Half Life 2 in response to last week's leak of source code onto the Internet.
In a statement today, the games publisher said that Half Life 2, an expected blockbuster, will now contribute to 2004 results.
VUE says that crackers scooped up a third of the code of Half Life 2, making it "almost impossible" for bootleggers to exploit the leak.
so, the code leaked is virtually useless, yet they're delaying launch of HL2, yet again. i tell you, the more i look into this, the more i smell conspiracy on part of Valve. they're getting lots of publicity thru this. :)

My vote is for conspiracy theory. :) I was reading some other news sites this morning about Valve saying they won't make the Christmas deadline. That's too convenient an excuse for running late on the code by saying it was stolen. Why else to explain such an unbelievable excuse as IE vulnerability. This is all marketing and spin-doctoring. We as consumers should be aware of how corporations lie to us. Remember the adage, "Marketing is just a lie to sell you a bigger lie." :)


nlinecomputers
My vote is for conspiracy theory.  :)  I was reading some other news sites this morning about Valve saying they won't make the Christmas deadline. That's too convenient an excuse for running late on the code by saying it was stolen. Why else to explain such an unbelievable excuse as IE vulnerability. This is all marketing and spin-doctoring. We as consumers should be aware of how corporations lie to us. Remember the adage, "Marketing is just a lie to sell you a bigger lie." :)
I agree this smells like a big pile of doo-doo being spread in the hope that something good will grow out of it. If their security is that easily compromised then I doubt Half-Life I would have made it to market.

Vivendi Universal Entertainment has canned the Christmas launch of Half Life 2 in response to last week's leak of source code onto the Internet.
In a statement today, the games publisher said that Half Life 2, an expected blockbuster, will now contribute to 2004 results.
VUE says that crackers scooped up a third of the code of Half Life 2, making it "almost impossible" for bootleggers to exploit the leak.
This quote says it all: "... Half Life 2, an expected blockbuster, will now contribute to 2004 results." If they released it during 2003 then more than half the potential sales would be put into 2003's books. Nice sum, but probably won't change the overall yearly financial profit. Release it in 2004 and you capture the bulk of the sales in the new year without breaking a sweat and they can tell shareholders, "Look this was released this year and look how much money it's bringing in!" as opposed to "We haven't released a blockbuster this year. All that profit is the result of a 2003 product launch and most of the profit was recorded in the 2003 fiscal year." It's all marketing. In this case to their shareholders. :whistling:

nlinecomputers

For a program to hit the shelves by Thanksgiving it would have to be RTM right about NOW. So say you're a big software maker and your Code got stolen days before RTM. Would that stop you from production? I doubt it. I mean within hours of it hitting the shelves it will be on Kazaa anyway so what the heck is the problem here?
God what is that smell.... :whistling:


I mean within hours of it hitting the shelves it will be on Kazaa anyway so what the heck is the problem here?
hours before? try weeks before! most 'warez' start appearing as soon as they are RTM. not that i know, i heard from someone who told someone about this. :whistling:

i guess the hackers stole a lot more than 'partial source code' as first reported. a full beta version is now floating around the net. a PLAYABLE beta version. hmmm, it screws up my conspiracy theory. there's no way Valve would allow its nearly finished game to leak out to the masses in such a way. back to IE sucks theory. jk! :w00t:

Originally the source code leaked in a 32meg package last week. The leak spelt the beginning of an investigation into how this could have happened. The result? A flurry of forums across the internet all buzzing about the leak of code to one of the most anticipated games of all time. Most believe the leak of source code is a bad thing and yet the leak of a beta copy of the game isn't.
Today the Half Life 2 Beta leaked across the world onto the internet via IRC channels. The release by "anon" shows it's obvious that the hackers who managed to successfully steal source code of the game itself also stole the game itself and who knows what else.
Today there are reports that Half Life 2 has been put back to 2004 due to the source code leaks, although these reports haven't been officially denied by Valve or confirmed. This latest leak of the game itself is sure to hit Valve hard.
UPDATE: According to this article by CNN, Valve has pushed the release date by four months, to April 2004, for spending time to rewrite parts of the game.
Contrary to CNN's report, The Inquirer is reporting that sources close to them say that the "holiday season" release date is still set in stone. Valve is going to issue a statement confirming all this soon.