Forgot your password?
typodupeerror
Programming Entertainment Games IT Technology

Half Life 2 Source Code Leaked 1027

Posted by CmdrTaco
from the i-hate-when-that-happens dept.
Pyroman[FO] writes "Gamers with Jobs is reporting that the Half Life 2 source code is floating around the net right now. It looks to be about a month old. There's no official word from Valve on the source code leak yet. Unfortunately those who want to use it to cheat already have it, we need to get the word to legitimate customers to educate them about the situation." Update: 10/02 21:51 GMT by S : Valve's Gabe Newell has an official statement, via ShackNews/HalfLife2.net, indicating "infiltration of our network" and appealing for information on the culprits.
This discussion has been archived. No new comments can be posted.

Half Life 2 Source Code Leaked

Comments Filter:
  • by SUB7IME (604466) on Thursday October 02, 2003 @01:07PM (#7114897)
    ... cheating is considered the 'big threat' of a source code leak, rather than the huge impending theft of intellectual property ;-)
  • Steam? (Score:5, Insightful)

    by Realistic_Dragon (655151) on Thursday October 02, 2003 @01:09PM (#7114937) Homepage
    Nice to see that DRM is helping to make sure that it's hard to cheat and rip off the hard working games companies...

    Those who want to steal will, those who are honest will pay anyway. Why piss off your entire userbase with DRM?
  • by Moonshadow (84117) on Thursday October 02, 2003 @01:11PM (#7114972) Homepage
    Most people don't think like that. They think "You have the source, you can make whatever cheats you want!" They're gamers, not coders, and most don't have a clue what they're talking about. I trust that Valve is professional enough to write tight code.

    The most damage is the loss of company secrets (Source engine techniques, anyone?) and the potential damage to engine licensing opportunities, I think.
  • by Skyshadow (508) on Thursday October 02, 2003 @01:13PM (#7114992) Homepage
    It seems like these development houses need some sort of code control technology. Given that bits are inherantly copyable and the ease with which they're moved in large numbers (net, DVD-Rs, etc), companies can't rely on conventional security methods to protect themselves from serious employee theft.

    But how?

    At my company, we control access to code using good 'ol fashioned groups, but that leaves a relatively large number of people with access to everything. Maybe you could enhance that security with encryption of the codebase (you can decrypt the parts you need to change and that's it), but that doesn't seem like a great solution, either. Or maybe somehow watermark the code to each person in a way not easy to detect -- maybe dynamically change their variable names so they're individual-specific...

    Anyhow, interesting problem. There's always air-gap, searched-by-security on the way out solutions, but given that my keychain holds more data than my first (or second, or third) hard drive, I'm not sure how effective even a police-state style could be against a determined thief....

  • by slamb (119285) on Thursday October 02, 2003 @01:13PM (#7114996) Homepage
    Aren't we past security through obscurity by now?

    Not with games, especially first-person shooters. It's a problem of distributing the workload with limited server resources and limited bandwidth / high latency between nodes. To make the game playable, the clients have to know things and be trusted to do calculations that from a security standpoint they should not.

    This really is unfortunate. It means you really can't stop cheating with this sort of game. It's especially easy when the source code is available, though it's still possible otherwise.

  • Gee. (Score:1, Insightful)

    by mao che minh (611166) on Thursday October 02, 2003 @01:14PM (#7115006) Journal
    Who cares. So some nerds in Idaho with nothing better to do will be wall hacking on the "SNIPER RIFLES ONLY --- NO NEWBS@! Xx-- CLAN 17th L33T --xX" server.
  • by PyromanFO (319002) on Thursday October 02, 2003 @01:18PM (#7115051)
    Mod this man up, I wasn't talking about the latest OpenSSH release getting leaked, it's Half Life 2. The latency problems mean you can't really have secure netcode, however obscurity goes a long way to help.

    The CDKey and Steam authentication systems are also supposedly included, so any security control they had before goes out the window, you can't trust the CD Keys or Steam anymore. Not that they were perfect before, but this is going from "wait a bit while the crackers figure out this new authentication system, then it's changed in a patch, repeat" to "here it is on a silver platter, before it's released"
  • Xbox Version (Score:5, Insightful)

    by Iscariot_ (166362) on Thursday October 02, 2003 @01:24PM (#7115122)
    Looks like our best bet for a secure, low-cheat ridden version of Half-Life 2 multiplayer might be on the Xbox now...

    Just a thought.
  • Re:Why... ? (Score:5, Insightful)

    by PyromanFO (319002) on Thursday October 02, 2003 @01:25PM (#7115140)
    You obviously weren't paying attention to the UT2003 buffer overflows that allowed a server to execute arbitrary code on your computer. There's been many other games that had this problem.

    People need to know that they're buying a product that could leave them vulnerable, or at the very least isn't going to be a fair multiplayer experience online. They also need to know what's going on so that when Valve says "delayed till 2004" everybody knows what's up.

    It's not like you can warez with this, it's none of the levels, art or sound. I'ts only useful for crackers and cheaters, customers need to know what's going to so that they don't get screwed by people using the source code to comprimise the game.
  • by 0x0d0a (568518) on Thursday October 02, 2003 @01:33PM (#7115227) Journal
    It's not actually a huge risk.

    Not many companies will be willing to take the legal risk of losing their *own* game by using HL2 source. There are *tons* of freely available 3d engines out there.

    Cheating is more likely to hurt Valve, as it severely damages multiplayer value.
  • by tsetem (59788) <tsetem@gAUDENmail.com minus poet> on Thursday October 02, 2003 @01:34PM (#7115230)
    Think about it. If the code hits the net, and hackers find the various exploits in HL2 (buffer overflows, hijacked network streams, etc.), then Valve can see where their holes and possible exploits are at and fix them before it goes gold.

    Not to mention, all of the free debugging, and reviews too. Heck, how many mods will be available when HL2 gets released because developers have access to the new API. Maybe it wasn't leaked, maybe it really was freed...
  • by lightspawn (155347) on Thursday October 02, 2003 @01:34PM (#7115232) Homepage
    The most damage is the loss of company secrets (Source engine techniques, anyone?) and the potential damage to engine licensing opportunities, I think.

    If you worked for an actual game developer, would you risk your career by using leaked engine code?

    At worst you'd read it at home, figure out some technique, and implement it in your own project.
  • by Slothy (17409) on Thursday October 02, 2003 @01:34PM (#7115236) Homepage
    If this is legit, this all applies. If not, then obviously it's not worth anyone's time to debate.

    Valve will not lose any licenses due to the code being available. Nobody is going to not license the engine because they can get the source. You'd get your ass sued to oblivion to commit largescale copyright infringement on a major retail product. The first thing anyone asks when you're working on a game is "what engine are you using?". You can't hide your engine - knowledable people can easily tell what engine it is by running it.

    The real risk is cheating, which could very well have a real impact on sales (why buy HL2 to play the new CS when the new CS has at least as many cheats as the old one?). Plus if cheating is rampant, it could scare away licensees.

    So they could lose real sales and licensees, but only because of cheating, not because they don't need to pay for the source because they can get it for free :)

    Jon (Slothy)
    Programmer, S2 Games
  • by Moonshadow (84117) on Thursday October 02, 2003 @01:37PM (#7115274) Homepage
    Well, that's really what I meant. No serious studio is going to use a pirated version of the engine to create a game, but HL2 is obviously using some cutting-edge techniques to achieve the results that they have demonstrated. The availability of the code means that such techniques could be analyzed and incorporated into other engines, diluting the exclusivity of the Source engine, and making it a lot easier for developers looking for a next gen engine to roll their own, or buy one a bit cheaper than Source.
  • by SmallFurryCreature (593017) on Thursday October 02, 2003 @01:38PM (#7115291) Journal
    Bullshit.

    I have stacks of games all bought legit. I fucking hate it however when games I bought with good money then limit me while those who download them get the better deal.

    Do a test once between a normal game and a game with a no-cd patch applied. It will boot faster and often run faster as well. Games that access the cd are slow as apart from the floppy the cd is the slowest part in your computer. If the game is copied instead to the HD and played completly from their it will run faster.

    Having to enter registration keys is all very nice and not so much of a hassle except why aren't they printed on the fucking cd's.

    I am fed up with being treated like a criminal. You apparently love it. Well go right ahead but don't insult others who object to it.

    Just because you are to stupid to see the problems with online activation crap doesn't mean the rest of us are as blind as you or as willing to be insulted.

  • by randombit (87792) on Thursday October 02, 2003 @01:41PM (#7115316) Homepage
    companies can't rely on conventional security methods to protect themselves from serious employee theft.

    If security is really important, #1 rule is to make sure you trust the people who have the important data. Someone did this intentionally, either someone at Valve, or one of their partners. That person should probably not have been hired in the first place. OTOH, I don't know how one would go about security checks for this kind of thing. It's not as easy as govt ones (where what they want to know is 1) are you a spy/subversive/etc and 2) how easy can you be blackmailed by someone who is - between those two it covers 99% of the cases where one would wish to leak stuff). This seems like it was done - well, actually, I really don't understand why anyone would do this, except maybe to really fuck their employer.

    Maybe you could enhance that security with encryption of the codebase (you can decrypt the parts you need to change and that's it)

    Except that you still need to compile it, so unless you put special decryption stuff in the compiler (or in a preprocessor to it), etc, etc, etc it's not going to do you a whole lot of good.

    Or maybe somehow watermark the code to each person in a way not easy to detect -- maybe dynamically change their variable names so they're individual-specific...

    Would sure as hell make understanding things hard, though. 'Sure, to do such-and-such just increment a4362h' 'What? Do you mean z2314j?' I don't think this would fly.
  • No it wouldn't (Score:5, Insightful)

    by roystgnr (4015) <roystgnr@@@ticam...utexas...edu> on Thursday October 02, 2003 @01:56PM (#7115467) Homepage
    It would legally contaminate anyone who even had just had it much less looked at it.

    It would definitely legally implicate anyone who had it (for copyright violation), but it wouldn't "contaminate" anyone who later wrote code of their own. Despite what some proprietary developers think and others fear, as long as no actual copying occurs it is perfectly okay for novelists to read other people's books, for singers to listen to other people's songs, and even for programmers to read other people's source code.
  • by rhino_badlands (449954) on Thursday October 02, 2003 @02:00PM (#7115506) Homepage
    Just a thought but maybe Valve knew about the leak and then pushed back the release date to fix code which could have been comprimised !

    So lets just say thanks to whom ever leaked the code and we can all blame them for the delay of the release date !

    I hope they also know that NDA's are a big part of the game industry today so that either means your loosing your job, your company, or you getting sued.

    Each file contains a date, what was modified and when for the most part depending on what code managemnt tool they use ... so valve can probaly go though see who checked out the whole build ... or just certain parts and figure out who leaked it. (most managemnet tools use 128 bit encryption and a key) Its very easy to track these things.
  • Any chance that... (Score:3, Insightful)

    by phorm (591458) on Thursday October 02, 2003 @02:03PM (#7115540) Journal
    Since the code is out, Valve might allow for third-party assistance on developing a somewhat official linux port?

    I mean, when the code is already wild, fears that it could be leaked by assisting developers become somewhat moot...
  • Linux version... (Score:1, Insightful)

    by Anonymous Coward on Thursday October 02, 2003 @02:10PM (#7115614)
    Well, there are linux makefiles in the source tree of the 'leaked' source. I guess that means that a Linux version of HL2 was planned after all...
  • by mcspock (252093) on Thursday October 02, 2003 @02:14PM (#7115663)
    It's one of two things - either it's the preliminary HL2 SDK which some mod teams currently have access to, or it's some internal dump. I'm guessing it's the former.

    If that's the case, it exposes enough for someone to see how the DLLs link in. All the traditional HL hacks have used this DLL proxy technique to intercept calls made from the engine to the game DLL and modify the data. So in that sense, it would be enough for people to start working on cheats.

    There is also, presumably, some code that could be used to test framerates and other such stuff, maybe a demo map. Like you said though, it's doubtful there is any content from the actual game in there.
  • by ChaosDiscord (4913) on Thursday October 02, 2003 @02:23PM (#7115759) Homepage Journal

    I agree with most of your rant. I forked over my cash for your game, why do I need to just through more hoops to play? Gosh, you know, I really love shuffling disks in and out of CD drive when I decide to switch games solely to satisfy some copyprotection system. Add to that that my CD driver works fine but hums like jet engine if any CD is in at all, so I have to remove the disk when I finish to cut down on the noise. And while I'm playing I need to stupid disk in the drive (solely for copy protection), so I just get to enjoy the hum while I play.)

    Having to enter registration keys is all very nice and not so much of a hassle except why aren't they printed on the fucking cd's.

    Or at the very least, don't make the entire CD black! Leave a light colored area so I can use a Sharpie to write the registration key on the CD. No, I'm not going to keep your stupid jewel case. I own a lot of games, so I keep them in a CD binder to save space. The only thing a gamer is certain to keep is the CD itself, that's where the registration key belongs.

  • by pla (258480) on Thursday October 02, 2003 @02:26PM (#7115791) Journal
    If you're willing to pay for the game, why are your panties all in a bunch over Steam? It's not like it would affect you if you have a legitimate copy of the game.

    Ys, it would indeed affect me.

    First of all, Steam requires a live internet connection to play. Not just to register, or to activate, but every time you want to play. Goodbye gaming during that boring 10-hour flight, eh?

    Second, Steam not only makes possible, but forces, whatever patches Valve has decided to make, on the users. you simply don't have the option of saying "gee, y'know, it runs fine right now, and I don't want the new uberfun zone, so I'll skip this update". Nope. They release a patch, you get it next time you connect.

    Third, related to #2, you have no way to keep playing if Valve gets bored. Yeah, the servers will probably stay up for a year or two, to avoid lawsuits, but personally, I still play games well over a decade old. What odds do you lay on the Steam servers staing up for over a decade? Not very good, I'd wager.

    Fourth, have you read about the typical user experience with connecting to a Steam server? It makes AOL-in-the-mid-90s look easy to connect to by comparison. Valve already has money-in-pocket by the time users try to connect, so has very little motivation to guarantee the capacity to let everyone get on. And, as history has shown, doesn't give a damn.

    And finally, some people just don't like having companies treat them like criminals, or having minor annoyances pop up every time they want to play a game they legitimately buy. Whether as minor as a "no-CD" crack (which often makes the game far more responsive in general, since it doesn't wait for the CD to spin up every now and then), or as major as disabling Steam, when people buy games, they want to play those games, not jump through hoops to prove they really paid for it.


    So there's got to be some other motive behind your words... something more to the tune of "Someone please make a crack so I don't have to buy the game."

    Not really, no. If the above explanation doesn't do it for you, I guess nothing will. So enjoy all the BS, and if someday we meet on a plane, I'll share my bought-but-cracked copy with you, as you gaze forlornly at the screen when your uncracked copy presents the highly accusatory "cannot connect with server, ya damn pirate" screen. Perhaps then you'll "get it", why things like Steam count as "bad" even if you legally own a copy of the game.
  • by mao che minh (611166) on Thursday October 02, 2003 @02:28PM (#7115807) Journal
    ...will be available once the game is released. They will release these things for the mod community. So, people will be able to combine the illegally obtained source code with the legally released models, textures, maps, and config files.

    I feel sorry for Valve if this turns out to be the real deal.

  • Re:License (Score:5, Insightful)

    by Obiwan Kenobi (32807) * <evan AT misterorange DOT com> on Thursday October 02, 2003 @03:31PM (#7116567) Homepage
    Modders are a different story. Without economic interests compelling them to buy a license, they might begin releasing compiled binaries of their work to the community without requiring a half-life 2 license, which would cripple Valve's sales numbers. But on the other hand with access to source, modders could create more extensive and more active modifications, creating original features instead of mere graphical facelifts. If these code modders require the original game to be playable, it could lead to a real renissance in modding and a tremendous boost in sales for Valve.

    Please, don't be as nieve as you're sounding here.

    Firstly this code is over a month old, and they're in crunch-mode. This means that drastic bug and graphics fixes are due for this code, and a month is a long time when everyone at Valve is probably putting in 16+ hour days.

    Secondly, those modified binaries probably won't work correctly unless they also include modified DLL's, and even then some graphical bug could bite them in the ass, something that was probably fixed in the Gold release.

    Thirdly this line: "Without economic interests compelling them to buy a license, they might begin releasing compiled binaries of their work to the community without requiring a half-life 2 license, which would cripple Valve's sales numbers. " is absolute nonsense, and kind of silly at best. Cripple their sales numbers? Hah! That was a good one.

    However, with all that said, I do agree that releasing the total engine source is a double-edged sword, and there's a reason Carmack and other game companies wait many years before releasing the source under any sort of open source license.

    This is terrible, dangerous stuff. I expect at least one firing to come from it.
  • by njv (540486) on Thursday October 02, 2003 @04:57PM (#7117624)
    Calm down folks. From what I can tell from poking around on Google, the guy who wrote this code works at Havok.
  • by t_allardyce (48447) on Thursday October 02, 2003 @04:58PM (#7117636) Journal
    Naming conventions are very important, they show the true philosophies (spelling?) behind the design. If someone has taken the time to name things properly you can be sure they are either really anal, or really good, or both.
  • by Rogerborg (306625) on Thursday October 02, 2003 @05:32PM (#7117974) Homepage

    then the design is flawed. The network model should be paranoid and should hide data. Having the source available should only tell you exactly what it is that you can't exploit.

    Dear god, open source games developers have known this for years. Netrek [csuchico.edu] figured it out in 1988! Why do commercial games developers insist on re-inventing the wheel and making the same mistakes over and over?

  • Re:One Word: (Score:2, Insightful)

    by icedcool (446975) on Thursday October 02, 2003 @05:34PM (#7117993) Homepage
    I was thinking, what if this is just a propaganda technique by Valve?

    What better way to screw over crackers than to release the "source" code so they start chugging away on that and then to later release HL2. Steam could then look for the obscure cheats, and ban the cheat user. Then look at all the publicity HL2 is getting, as if it isn't getting enough. I think Valve is craftier than we all think.
  • Re:One Word: (Score:3, Insightful)

    by BollocksToThis (595411) on Thursday October 02, 2003 @08:00PM (#7119418) Journal
    You're not a pussy. You're a fucking hypocrite.

    Intellectual Property is only valid when it's in the same field you happen to work in? What's worse is, you get modded insightful.

    I don't believe IP is valid, but apparently you do - when it suits you.
  • Re:Official Word (Score:3, Insightful)

    by nobodyman (90587) on Thursday October 02, 2003 @08:55PM (#7119839) Homepage
    Translation:
    We got 0wn3d because I didn't go to windowsupdate. I know we've been treating our fanbase with smug contempt, and lying about the release date for a few weeks now, but we'd really like you guys to help us out now. Okay?

    Perhaps a better way to keep the HL2 codebase secure would be to release it via Steam -- fat chance downloading anything there.
  • by Bi()hazard (323405) on Friday October 03, 2003 @12:44AM (#7121166) Homepage Journal
    There's no idealists rushing in because this isn't a case of "copying" versus "stealing." Regardless of what you label it, the unauthorized distribution of source code that the creator intends to keep secret is wrong because it divides control of the creative process. It's not about who has to pay for the product, it's about who gets to create the product in the first place. This phenomenon has little parallel in music.

    Sharing music online is equivalent to warez binaries, and ripping a cd you own is equivalent to making a backup copy of a game you own. Mixing existing music DJ style would be like taking screen captures and level designs from one game and using them in another. Downloading the source gives you the same level of control that the artists have; it is equivalent to copying the recording studio while the artists were in it.

    However, it is worth noting that leaked albums are indefensible under my assumptions: they take control of the creative process away from the artist by removing their ability to decide when the album is done and how the public will be exposed to the music. This is equivalent to the leak of the alpha doom 3 a while ago-still less threatening than a source code leak.

    Another factor in the severity of a source leak is security. Knowledge of the source will allow cheaters to exploit the game and ruin online play-once again, a phenomenon we do not see in music. Music pirates cannot degrade the quality of the music legitimate buyers listen to, but online cheaters can ruin the multiplayer experience. It would be like going to a concert and blowing a bullhorn repeatedly. Doing that in a concert is not considered an intellectual property offense, so it is inappropriate to think of a source leak's potential for cheating as an intellectual property issue. It is a security/espionage problem.

    That said, those who would delete the source after downloading it and verifying its authenticity are very misguided. Unless their computers are public access and could be used to futher distribute the source, deletion helps noone and limits your opportunity for education. Of course, if you are going to work on a competing product it would be dangerous to expose yourself to the source, but as a disinterested party or potential valve customer there is much to learn and little damage to do.
    After all, the real danger of a source leak is in the actions that can be taken by those who acquired it illicitly. Hackers and competitors can dilute the creators' control over the software, but an unabused copy of the source is harmless. So, go ahead-download the source, read it, figure out how it works and learn from it. Unless you're getting a job at id or epic, or creating your own software directly related to hl2, your copy of the code is no worse than sheet music. Of course, if you upload too much on bittorrent, it could be argued that you're helping to distribute it. Although you're only one link in a large chain, it's like voting-if enough people make the same decision it really will change things. So, go download all the stolen half life source you want, just dont use bittorrent or write hl2 cheats. After all, aren't all "bad" acts bad because of their consequences? Think about it-no matter what you do, if nobody is worse of for it, how could there possibly be anything wrong with it? Throw away the anachronistic, irrelevant "moral" codes of a repressed past-its not about what some people think, it's about what's ethical in the strictest definition of the word. So go eat pork, masturbate, and download hl2. Yeah!

    Programmers will never feel like mp3-pirated musicians when source code is stolen. They will feel like a musician whose beat and backup were stolen, combined with someone else's voice, and sold as a new release. This has happened in the music world, and though it is not an exact parallel of the source code situation, the uproar was just as severe.

    Why is the parallel off? All music is by definition open source-hearing the notes allows you to reconstruct the sheet
  • by aceh0 (646013) on Friday October 03, 2003 @03:54AM (#7121835)
    clients have been authed for halflife for 5 years now so it's not likely that they'll just arbitrarily turn them off and be like 'sorry no more gaming'. soldier of fortune was another game that relied on authenticating with a server at first. raven decided they didnt want to support it and so now clients dont have to auth. and to call valve a company that doesnt give a damn makes you look assinine. what other game company has supported a product with updates for over 5 years? not just patches but releasing new content.
  • by Unknown Relic (544714) on Friday October 03, 2003 @04:33AM (#7121939) Homepage
    Wow, I hadn't really thought about that, but you know what? I think you're right. According to their official announcement, a copy of the source code was made on Sept 19, only a few days before the delay was announced.

    A lot of people commented on how adamant Value had been about their Sept. 30 release date, and how strange it was that only days prior to it they annouce a delay.

    When these two things are considered together, it's just too much of a coincidence to think that they're unrelated.
  • by AllUsernamesAreGone (688381) on Friday October 03, 2003 @06:13AM (#7122261)
    Yes, using outlook is bad, but nowhere as monumentally stupid as allowing an asset as valuable as the HL2 source anywhere near a machine connected to the internet. When you have something as important as that and you really don't want it leaking, you make damn sure that development machines are isolated from any internat capable machine - both in terms of networking and physical access. Even if such isolation isn't possible, a decent firewall, IDS and maybe even an airgap with logging, log analysis software and alerts, combined with a network admin who has the faintest clue about how to handle intrusion attempts, could have prevented this even if they used outlook.
  • by WapoStyle (639758) on Friday October 03, 2003 @01:06PM (#7125318)
    Where I work we have a strict "No Outlook Preview Pane" rule. I can't believe a company of programmers had this happen to them with such a simple avoidable error.

    Jeeze, I really hate to keep harping on it but Outlook is the devil.

The "cutting edge" is getting rather dull. -- Andy Purshottam

Working...