Neowin.net - IE Gets Blame for Theft of Half Life 2 Code

IE Gets Blame for Theft of Half Life 2 Code

Posted by malebolgia on 04 October 2003 - 17:56 · 86 comments & 506 views

Security experts are blaming known but unpatched vulnerabilities in Microsoft Corp.'s Internet Explorer for the theft and distribution of the source code for a much anticipated new video game. The source code for Valve Corp.'s Half Life 2, a sequel to the popular shoot-'em-up game that was due out by December, was posted on the Internet on Thursday, according to a statement from Valve Managing Director Gabe Newell. The theft of the code, which was made available for download on the Net, came after a monthlong concerted effort by hackers to infiltrate Valve's network. Malicious activity in the Valve network included denial-of-service attacks, suspicious e-mail activity and the installation of keystroke loggers, Newell added.

This theft is only one item on a long list of security-related problems for the Redmond, Wash. software maker this week. Other happenings included the discovery of more security flaws in Internet Explorer and the filing of a class-action lawsuit against Microsoft over such vulnerabilities in both applications and system software. And the company was also stung by a recent report arguing that the dominance of Windows is a hindrance to computing security. "This is what happens when you have 31 publicly known unpatched vulnerabilities in IE," wrote Thor Larholm, senior security researcher for PivX Solutions LLC, in a posting to the NTBugTraq mailing list. "I have seen screenshots of successfully compiled HL2 installations, with WorldCraft and Model Viewer running atop a listing of directories such as hl2, tf2 and cstrike."

News source: eWeek

We have long been admirers of Shaun Garriok's ability to superbly investigate even a fully compiled program. We believe that he is capable of finding ANY sort of trojan, worm, or bug inside a compiled program. We are relieved that all he could find was these remote upgrade functions. He didn't find any bugs that send user data anywhere, no spyware, no adware, nothing in fact that gives away any
personal information about the user using Earthstation5.

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address, the exploit program he wrote can only be used against your own computer which he states in his exploit. If you want to delete files from your own computer, we feel you have the right to do that.

We are glad he found this bug and pointed it out. We completely removed the automatic software upgrade code because as it turns out automatic upgrade is no longer popular as it once was because it gives people an uneasy feeling and rightly so.

Since Shaun Garriok seems to be concerned about everyone's security, and is not on a personal quest for revenge, we would be grateful if he would download the latest Earthstation5, version 1.1.31 (http://download.es5.com/es5_v1.1.31.exe) and verify that we have truly removed the remote update function which his exploit program accessed. We think his dedication to the good of all concerned would motivate him to do this. Anyone else who is concerned can do the same, download the latest Earthstation5 and test the exploit code against it.

Ras

Analysis

Well, its a pretty good cop out, if you want to buy it. The code clearly can be used for "automatic upgrade", but one does wonder if this was the real intent. Further, the the developers of ESV seem to have a certain animosity towards the Kazaalite developers. Either way, thanks to the revelation of the function in ESV they have now released a brand new version which does not contain this code. And its perfectly, perfectly safe to use.

Hide additional information

About the Author
Full name: Unknown
Forum name: vet

malebolgia
Contact: via forum PM
Submissions: Normal · Headline

Total votes: 0

Bookmark on del.icio.us

Advertisement

#1 Posted by sttroopers on 04 Oct 2003 - 17:58: Guess they shouldve been running Mozilla.

(10 replies) #2 Posted by corrosive23 on 04 Oct 2003 - 18:11: If those "experts" had read what gabe newell said, it wasnt IE but outlook

#3 Posted by jbones920 on 04 Oct 2003 - 18:12: sucessfully compiled hl2 installations? so what? nice to have the exes but not the art assets, because it's useless then! typical overhyping of an issue.

(3 replies) #4 Posted by Timan on 04 Oct 2003 - 18:20: vavle is acting like attention whores it seems.

(3 replies) #5 Posted by MEMO.INC on 04 Oct 2003 - 18:38: This doesnt look god i mean, they where harsh on nvidia (gabe comments) but no one desrves this, i mean, one thing is leaked binaries but malissiuns (sp/?) theft is defenetly not right this is also affects ati, wich was looking good with the bundle but now, HL2 was meant to be multiplayer game of choice, and now is compromized...

Blaming everything on MS is not good either, they had serius security issues (valve),
If you have something valuable then you protect it...
should i blame the car company for unsecure because their anti-theft failed cause i left the keys visible?

Microsoft is taking care of all security issues, there is just not a perfect security code.
and this lawsuits by people that just want to have money (one thing is valve suing ms for the vulnerability)..

(3 replies) #6 Posted by Kashida on 04 Oct 2003 - 19:06: it wasnt internet explorer it was tom!!!

(7 replies) #7 Posted by RaWShadow on 04 Oct 2003 - 19:31: Why put the source code on a computer connected to the internet? Its just dumb !!

(5 replies) #8 Posted by Lingwo on 04 Oct 2003 - 20:58: It was the imcompetence of Valve ...delaying HL2 had to piss off someone

(2 replies) #9 Posted by Darkness2k on 04 Oct 2003 - 21:33: Maybe Valve "leaked" a dated piece of source code so that they have a back-up excuse incase they can't meet the December release date

#10 Posted by kemical on 05 Oct 2003 - 01:19: it's a conspiracy. valve can't make due with the timeline so they pull this stunt. w0ot.

#11 Posted by altermind on 05 Oct 2003 - 01:57: what a bunch of whingers... .they should have patched there systems...... but it's not like the game itself was leaked

#12 Posted by [Thrice] on 05 Oct 2003 - 03:07: valves fault.. they are dumb..

#13 Posted by XxDesmus_MODxX on 05 Oct 2003 - 03:49: this is BullS***. everyone's excuse is to blame MS. it's valve's own fault. they need to suck it up, accept it, and deal with it.

(1 reply) #14 Posted by alexander777 on 05 Oct 2003 - 03:54: thats what happens when 1 o/s runs 97% of the software market. I dont feel sorry for em at all. live and learn.

(1 reply) #15 Posted by dougkinzinger on 05 Oct 2003 - 04:28: I hate comments like these....you can't blame bad (or faulty) technology for human theft....

that's like saying "I hate GM because they didn't make me aware that I could lock my car doors, and because my stereo was stolen".

Jeez.

#16 Posted by Gary_Player on 05 Oct 2003 - 05:11: Cmon, my little sister knows better than to put anything THAT important on a computer with an internet connection

#17 Posted by jerry on 05 Oct 2003 - 05:34: Its the blame game going on now until they find a scapegoat ... as usual somehow M$ gets blamed one way or other. I'd say it is Valve who should be responsible on what goes on in their networks.

(1 reply) #18 Posted by DOCa Cola on 05 Oct 2003 - 07:33: don't blame valve, don't blame microsoft, blame the people who stole the code. what they did was not right and was surely nothing everybody of us could do too. don't tell me you know how to use any outlook exploits to get control over a comp or whatever. so in my eyes valve never thought it could happen to them.

DOCa Cola

(1 reply) #19 Posted by nomis_nehc on 05 Oct 2003 - 11:04: ok, I am not too familiar with how some of the things work, but here's my question: does it friggin matter?

I mean, sure the source is out there, but if anybody or company decided to use their source and make a game, it would be damn obvious. And I am sure lawsuits would be filed even before the game is out. As for the other people that just gets ahold of it... well, wtf can they do with it anyways? Sure, they can modify or make something out of it, but if anything is released to the public, I am sure Valve would go after them too. In my opinion, it's no big deal. Unless, of course, I have this whole thing wrong.

(2 replies) #20 Posted by kioria on 05 Oct 2003 - 11:23: STUPID VALVE, BLAME YOUR SELVES ASSHOLES. WHAT DO THEY THINK IE/OUTLOOK IS MADE FOR? VIRUS SCANNER? PORTSCANNER? WTF ARE THEY ON ABOUT STUPID INELITERATE PROGRAMMERS.

(1 reply) #21 Posted by Sjokkel on 05 Oct 2003 - 11:45: intrusion detection is not so hard to implement. Makes t a bit easier to spot fishy network traffic. Maybe security wasn't their main concern at that moment. Getting the game out and getting that damned steam to work was.

#22 Posted by MitchShrader on 05 Oct 2003 - 13:38: sux to be them. but some part of this IS valves fault.. jeeze. keyloggers? IE holes? what do they USE for security? and far as the game goes, no this won't trash the game, and MS isn't to blame for hackettes being hackettes.. MS IS to blame cause their patches *SUCK* and aren't proactive enough.. i'ma call it an even split, security holes at valve and MS monopoly arrogance.. divided by the rotten ethics of whichever competitor/slimeball did the heist.. plenty of blame to go around.

(1 reply) #23 Posted by Hexicon on 05 Oct 2003 - 14:01: What about their IT Security Department It is pretty sad they dont have multiple detection methods to prevent this. Has anyone looked there for a possible leak?

(1 reply) #24 Posted by agge on 05 Oct 2003 - 15:37: Mozilla Thunderbird 4 ever !!!

(2 replies) #25 Posted by IndoShindo on 05 Oct 2003 - 17:10: ever think valve leaked it on purpose and now is saying this for media purposes to expose the game further as well as getting some $$$ from MS by suing them .. if the code is leaked, more mods like C-S could be made ...if it weren't for C-S, Half-Life wouldn't be what it is today ... C-S was made by some guy who lived at my Uni, and now with the source leaked u could have hundreds of guys like him working on mods ... nothing like good ol' conspiracy theories

#26 Posted by nookadum on 05 Oct 2003 - 17:51: Bah, STEAM should be able to eliminate any third-party-edited hl2.exe (or whatever the new executable is going to be named) from connecting to the internet and exploiting hacks. Besides, what use is the executable without the secondary files like models or sounds?

#27 Posted by [Thrice] on 05 Oct 2003 - 18:07: Microsoft > Valve

Simple as that

Valve should die, im not going to buy HL2 anyways

#28 Posted by Sub on 05 Oct 2003 - 19:24: Typical corporate America. Blame other companies for your own mistake...cough..firestone, ford...

#29 Posted by alexander777 on 05 Oct 2003 - 20:13: love how these people say dont blame ms for the problems uhhhh news flash when a person walks into a bank and walks out with money that isnt theirs who do they blame the security company thats who. same in this case a 3ard part was using their security and THEIR security was flawed case closed and more and more people are realizing that , thats why ms is now being sued.

#30 Posted by divertom15 on 05 Oct 2003 - 20:39: chill people there is not much you can do with it anyway u got to see the maps people are making with it they are nothing you can do anythig but move around in them it would take an average joe 2 years before he could make a mod for something like this and be able to do anything in it there is no guns no nothing

#31 Posted by monkey13 on 05 Oct 2003 - 21:28: I'm sure I read somewhere that the code for Steam was taken as well. (Could be wrong)
The thought that someone could find a way to compromise the Steam system and all the PCs using it is much more worrying than a few hl2 cheats.

(1 reply) #32 Posted by Killa-b on 06 Oct 2003 - 06:00: ok i have to word in after all these 12 year old thoughts.

Valve did not leak it to make an excuse for the delay, thats STUPID.
its not MS's fault. its Valve's its not MS's responsibility to lockdown your network with basic security (physical, software, etc) no-one out of the office should have had ingoing access to the computers.

now the result. HL will be pushed back a bit FOR SURE. Valve is going to get tied up in a MESSSSS of legal issues with ex potential engine customers. Code just like any written work is copyrighted the second you press save. its protected from anyone else using it without Valve's authorization.

that WILL NOT STOP 10,000's of coders looking at it using snipits compiling, branching off, porting, etc. some of this is good, but its all illegal. Valve makes money by selling the code for people to dev new games, with the code out there, why would u pay MILLIONS ~ 1.5-2 Million to get the code? when you can look at it, figure out how neat tricks here and there are done and re-code it your self, thus not breaking the law. this WILL result is less money for Valve, no doubt.

then the gameplay issues arise cheating will be at a new level.

this is exactly like Dupont or Pfizer having chemical formulas for new products/drugs leaked to potential compeditors. and if that happend would you say: ohh Pfizer leaked it because they wanted an excuse for why the cure for HIV was taking so long.

man, people think!

(1 reply) #33 Posted by nomis_nehc on 06 Oct 2003 - 08:23: well, I see your point, but think about it... you think that companies that actually license the engine... you think they keep it perfectly safe from intruders or potential leak by their own employees? but I don't really care for all the details, I mean, if copyright law is infringed, you know lawsuit will be filing from all directions. maybe this is just another kind of hype to divert/attract attention to half life 2.

#34 Posted by RanCorX2 on 06 Oct 2003 - 11:42: #33 posts = eat, sleep & drink HL2. clam down, its just a game. yes it may be a damn good game but people seem to go nuts when Half-Life 2 is mentioned..(well on the net anyhow). some of you probably wake up in the night screaming "ahhhhh hl2!!! ahhhhhh" oh right just a dream...(you know who you are).
Yes i agree the people or person who committed the act is scum and should delt with, and yea whats the point of compiling the little bit of source to create a cube, at least it doesn't ruin the game for us, that would spoil it. (the source leak shows jack sh*t) So maybe its got a little bit outta hand, shut up and let valve do there job.

#35 Posted by SimplyPotatoes on 06 Oct 2003 - 13:18: they should just use lotus for mail its so old lol besides if pople really wanted they could have used exploits for other email programs

(1 reply) #36 Posted by mlauzon on 06 Oct 2003 - 14:58: Has anyone seen this?:

http://www.razoric.com/flashtoons.php?file...=550&height=400

#37 Posted by voidunknown on 06 Oct 2003 - 16:39: 's did it.

#38 Posted by Ficman on 06 Oct 2003 - 20:42: Some very interesting comments, sure seems like someone F'd up here. It's easy to blame MS for it, but I am still wondering how you wouldn't have levels of security involved with something this big. Things like this happen because you didn't have measures in place up front to keep things locked down. Sure sounds funny (not haha) to me....

#39 Posted by thornz0 on 08 Oct 2003 - 05:14: seems to me nothing is totally secure or totally safe, and no amount of finger pointing makes it right. I dont know how much blame can really be blamed on microsoft, but there has to be a line somewhere, and thats what people seem to forget.

you can only make cars so resistant to impact, toys so durable to children, instructions so understandable, towering sky scrapers so strong (earthquakes, fire, bombs, etc), and software so secure/stable in all environments.

<shrug>

[1]

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Scroll to the Top