Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
AMD Games

AMD Accidentally Leaks 1.7 Million DiRT 3 Keys 187

An anonymous reader writes "The free game with every graphics card deal has finally backfired for AMD and Codemasters. Due to a lack of .htaccess, 1.7 million keys for a free copy of DiRT 3 on Steam have been leaked. No word from AMD or Codemasters yet, but I'm sure Valve will block all the codes on Steam soon. One question that remains: if you used one of the codes, will Steam ban your account? There could be a few very unhappy gamers later today if that happens." The exact number of keys is in question — reports range from 250,000 to 3 million — but AMD confirmed that a leak did occur.
This discussion has been archived. No new comments can be posted.

AMD Accidentally Leaks 1.7 Million DiRT 3 Keys

Comments Filter:
  • by djsmiley ( 752149 ) <djsmiley2k@gmail.com> on Wednesday September 07, 2011 @04:23AM (#37324352) Homepage Journal

    What about people with legal keys..... I hope I don't miss out on using this.

    I'll likely give the key away as I'm a Linux user and don't care about the Dirt game either, but it'll be a shame if everyone misses out now because of this?

    • I thought the same thing - I can't imagine Valve would ban users if there is any risk of banning legitimate users, that would be opening them up to a huge backlash from users. More likely they'll just void the keys and Codemasters/AMD will have to set up a different scheme to compensate the legitimate purchasers.
    • What about people with legal keys..... I hope I don't miss out on using this.

      With 1.7 million keys, I'm guessing some semi-intelligent hacker can reverse engineer Dirt 3's key generator.
      Soon there will be legal keys for everyone.

      • by WNight ( 23683 )

        Perhaps, but if they generate them cryptographically (hash random strings to generate more-random keys) there won't be a practical way.

        It's (usually) not like it used to be where the keys were just a pattern thing, now your specific key is looked up and if it's not there it doesn't let you in.

        • by Ark42 ( 522144 )

          It might be theoretically somewhat possible, if the keys are just random number indexes into a database (requiring an online check) and you have 1.7 million in order, maybe you can figure out the seed and formula for the pseudo-random number generator used. With the right information (which may be much more than 1.7 million sequential numbers) I know it's eventually possible to predict the output of a pseudo-random number generator. Although a single reset of the seed number (re-calling srand() with some ra

  • by headLITE ( 171240 ) on Wednesday September 07, 2011 @04:24AM (#37324360)


    There is a Zero-Tolerance policy for any violations of the Steam Subscriber Agreement and Online Code of Conduct. All accounts in a user's possession for any of the following activities will be suspended:
    Piracy or Hacking

    This includes using an unauthorized ("hacked") Steam client to access Steam, attempting to register fake CD Keys or attempting to register a CD Key which has been published on the internet.

    • ...attempting to register a CD Key which has been published on the internet.

      The question is, did the leaked keyset also contained legitimate keys that were distributed with games ? Maybe a mix of:
      - keys yet unused
      - keys printed on CDs not yet sold
      - keys that already in the hands of customers

      If that's the case, not only Valve can't penalize those accounts - they need to actually support online game play as advertised, at the very least for keys in the last category, if they can sort them out.

      I don't care if it's free, and I don't care if the publisher leaked my key: the bundling of

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The leak was full of legitimate keys, and also included the IDs that were sold with the hardware.

        The text files were simple rows of Dirt 3 Keys, Hardware IDs, and database identifiers.
        If you wanted, it was simple enough to copy a hardware ID instead of a Dirt 3 key, paste that ID into the amd4u promotion, and receive the appropriate Dirt 3 key in your inbox from AMD themselves.

        If someone did that, there'd be absolutely no way of distinguishing them from a legitimate customer that owned the product, since th

        • by jandrese ( 485 )
          They could also revoke everyone using the key on a machine with an nVidia graphics card (or Intel).
          • Because no one plays their Steam game on two different machines, perhaps a PC (with the AMD graphics card) and a laptop (with a different graphics card).

          • Because, you know, no one would every buy an AMD video card for one machine but install the game on another machine, one with an nVidia card.

            Unless, of course, there's some secret codicil to the license of the "free" version of the game restricting it to use with an AMD product... which would be so blatantly improper product tying that even Microsoft would facepalm.

      • Indeed you are right sir. The game was included in the purchase price, regardless of it being marketed as 'free'.
    • by Xest ( 935314 )

      What exactly happens when Steam bans your account? Do you lose access to every game you've ever paid for? Do they refund you?

      I'd be amazed if it's legal for them to block access to content you've legitimately paid for. Has this been tested thus far?

      • by heypete ( 60671 )

        My understanding (based off of a friend who had an account banned because he was using various cheats in online multiplayer games on Steam) of the situation is that you can still play games in your account. However, you cannot play on any "Valve Anti-Cheat"-enabled multiplayer server (which is nearly all of them).

        I'm not sure if the penalties are different for attempting to pirate things with Steam.

        • There are levels of ban. The one you've just described is the "lightest" - basically, you lose the ability to play certain steam games (primarily Valve produced ones) online. This tends to be a response to in-game abuses, such as cheating or general bad behaviour. In other words, stuff that is rude and unpleasant but not, in most jurisdictions, illegal. As a former hardcore online gamer, I am enthusiastically supportive of this bit of the policy.

          The use of stolen or leaked keys, or attempts at using a steam

        • by rwa2 ( 4391 ) *

          Meh, doesn't sound like anything of value was lost. I've played Grid and maybe the demo of one of the earlier Dirts, but they're pretty much arcade racers that get boring and monotonous fast. Go play Gran Turismo something, or better yet Live4Speed [lfs.net], those seem to be the only racing games that feel anything remotely similar to driving real cars (at least if you have a wheel & pedals).

          I'm still waiting for some sort of retribution from Steam for cashing in on a stash of high-level loot some random Level

          • Jsut shut your pie hole. Dirt was the first GOOD racing game for PC in a LOOONG time. Half the reason i bought consoles in the past was because PCs had shit for driving games. I have Gran Turismo 3-5, they are not that great, especially when you consider Forza.
            • by rwa2 ( 4391 ) *

              Heh, I won't argue that there's a dearth of driving sims, period. The passenger giving you pointers for speeds to take the next turn in Dirt was a nice touch, but actually controlling the cars felt more like sledding than driving; I'd just as soon be playing tuxracer :-P I bought Grid because it got fairly good reviews and worked with my Logitech G25 wheel (yeah, the PS2 + GT4 I picked up a few years ago was merely an accessory for the wheel), but it still feels more like an arcade racer than a sim.


      • by TheRaven64 ( 641858 ) on Wednesday September 07, 2011 @07:12AM (#37325042) Journal

        I'd be amazed if it's legal for them to block access to content you've legitimately paid for.

        It's perfectly legal. You are not buying anything from Steam. You do not own anything that you pay for on Steam. You are paying for a revokable license, at the sole discretion of Valve. If you confuse this with an actual purchase, then that's your problem.

        • Using the words of their lawyers (e.g. the EULAs) is a great way to describe services of that sort to discredit them, but actually buying their words means that they have won. If I had my account blocked, I'd still sue them, until a judge says so - legal my ass.

          • Two hours of any competent lawyers time would cost more then my entire investment in Steam. Have fun tilting at windmills....
        • by AmiMoJo ( 196126 ) <mojo@wo[ ]3.net ['rld' in gap]> on Wednesday September 07, 2011 @08:14AM (#37325408) Homepage Journal

          That's what the EULA says, but consumer protection laws override that. In the UK the Sale of Goods Act requires that goods sold be "as described" and "fit for purpose", i.e. if it says free Dirt 3 game on the box you must get a free working copy of Dirt 3 or your money back.

          Contracts can never override your statutory rights, even if you had read and signed it before purchase.

          • That's true in the UK and many other countries but I'm not sure if US law is the same.

          • The Sale of Goods Act applies to sales of goods, not rental of services. Before you buy anything from Steam, it makes it clear in the terms and conditions that you are not actually buying anything. With regards to sale of a boxed game, the Act only applies between the seller and the purchaser. Valve is not one of these entities. They can revoke your copy of the game, and the Sale of Goods Act means that you can sue the shop that sold you the box if they refuse to give you a full refund. You will, howev
            • by AmiMoJo ( 196126 )

              Before you buy anything from Steam, it makes it clear in the terms and conditions that you are not actually buying anything.

              No judge would ever accept that. That has been tested in court. Some ringtone sellers were actually signing people up to a monthly service but fell foul of the law.

              If companies could get away with that then nothing would ever be sold to anyone, just rented indefinitely.

              You are correct in saying that you would get a refund from the shop, who would then be rather upset with their supplier who in turn would be upset with Valve. However you don't have to have the receipt, merely proof that you bought it from th

          • > if it says free Dirt 3 game on the box you must get a free working copy of Dirt 3 or your money back.

            If you got the box for free, your "money back" is "nothing".

            If you paid for the box, the cost of the box (relative to the lawsuit required to enforce your rights) is negligible. Although in the UK, you might also have a "loser pays" legal system....

            • by AmiMoJo ( 196126 )

              Small claims court, £30 to set up, loser pays and you get time off work and travel expenses too. Generally it isn't necessary though, most retailers will honour their legal obligations.

          • But Steam is first and foremost about DRM. That means you never purchase a game from them and end up owning it, you only rent them for an unspecified duration of time (presumably until they go out of business). Now if the box says "free access to download a DRM restricted game" then it'd be up front and honest, but if it said "free game!" then it'd be lying.

        • by Xest ( 935314 )

          So how does this work where I bought a game such as Dawn of War II as an actual boxed copy but was forced to activate via Steam?

          I do not see how it's my problem to believe that this was an actual purchase. Nor do I think for a second that the courts would disagree in fact.

          I suspect that you are wrong, that in at least some cases such as this it is Valve's problem, they're just playing fast and loose with the law whilst they can get away with it.

          • In this case, as I said in another post, the Sale of Goods Act would apply, but that defines the relationship between buyer and seller, not between buyer and third party. You would be able to return the game to the shop where you bought it and they would be required to give you a refund. Valve is providing you with a service that you agree to when you install the game. They can withdraw this at any time. The product that you bought requires the provision of the service to be suitable for the purpose for

            • by Xest ( 935314 )

              Actually, by law, in the UK, the service provider does now have an obligation to unlock the device for you. Companies like Vodafone recognise this so explicitly now that you can ask before your contract is even up for an unlock code.

              It's really not as clear cut as you think it is. It's a grey area, and I think it's likely a court would side against Valve. Whether the court would have any power to do anything with Valve being based in the US though is a different story I suppose, though few companies would r

              • Actually, by law, in the UK, the service provider does now have an obligation to unlock the device for you.

                Yes, because a law was specifically passed in this area. Before this law was passed, they did not have to.

                however her daughter contested this in court saying she deserved some

                Again, in the UK there are specific laws covering how little you can leave to your surviving relatives. If a will violates these, it can be overturned in it entirety and it acts as if you died intestate. It's completely irrelevant in this case, because you're talking about an area with very specific laws.

                • by Xest ( 935314 )

                  "Again, in the UK there are specific laws covering how little you can leave to your surviving relatives. If a will violates these, it can be overturned in it entirety and it acts as if you died intestate. It's completely irrelevant in this case, because you're talking about an area with very specific laws."

                  This is completely false, there is no such law, it was entirely based on a judicial decision.

      • by Hadlock ( 143607 )

        They can VAC ban you, which means you can't play certain games on registered servers (i.e. most of them). VAC bans can be for single games, or account wide. You can still open the game and play them in single player/lan mode. That's the least intrusive way. The most intrusive way is locking your account, which is on par with taking away all your toys and stuffing them down the garbage disposal, because you can't even log in to play your single player games or view your steam friends list. Though you can som

    • There's no way to determine the source of a key someone entered.

      What if a friend found the keys on the net, and decided to pretend they're gifting the person a copy of Dirt 3? Boom, suspended account, all because someone thought they were receiving a gift.

      It's a dumb idea to suspend one's entire account for entering a "stolen" key when the key can simply be revoked and the user told that it was stolen. It's the virtual equivalent of throwing someone in jail because a friend bought a stolen laptop at a flea

  • The keys were on a site kept by a 3rd party fulfillment partner that had really bad security (or really great lack of it if you prefer)...

  • We've got some real morons working in the security area of the gaming industry.

    • by Krneki ( 1192201 )
      It always amaze me how people know the problem without even looking into the details.

      Security costs money and if no one is willing to pay for it, who will deploy it?
    • Given the industry's reputation for overworking and underpaying, I can't say I'm that surprised. The real problem is they all seem to get away with it, on the whole customers don't care unless it has a direct negative impact on them, and even then if it's too much effort to go elsewhere they don't seem to care. It seems to be the herd mentality at work, there are so many users/purchasers that everyone thinks it won't be them that gets hurt... right up until it is.
      • by mlts ( 1038732 ) *

        The gaming industry has been a race to the bottom now for a number of years. We have seen this in the way game releases have been done, where quality essentially has gone from a true release version to quality equal to an early beta, then if you are lucky, get a patch that gets the game to a late state beta in terms of bug fixes and such. If you are unlucky, the game remains unplayable, and a waste of the $70 you plunked down.

        I'm not surprised at all about the lack of security. Most businesses provide at

    • by scumdamn ( 82357 )
      Agency. It's an agency. Look at the whois for AMD4U.com.
  • Why has this "finally backfired" - in what way was this an accident waiting to happen? What was it about the promo that leads the submitter to believe it was set up to fail from the start?

    • Well for one thing Codemasters has already been hacked recently. I got one of those "Hi, we've been pwned! Please change any passwords that you used and we hope you didn't use them anywhere else! kthnksbai" from Codemasters. So their record on security wasn't great to start with.

      Second of all and slightly OT, but why Dirt? Ever since the Intel bribery scandal I've been buying nothing but AMD yet that promo was a giant turn OFF for me, can't think of any of my customers that would give a crap either. All the

      • Wait, what? You're comparing the least-skilled racing (nascar) with the most skilled racing (rally)? Whats wrong with this picture?

      • Dirt 1 brought racing back to the PC, thats why. Any racing 'guy' that plays Nascar is jsut sad. Not only is PC racing popular, but they also have the best setups. Triple screens and very nice steering wheels/pedals
  • When I bought my Radeon HD 5770 something like a year ago, it contained a Steam code for Dirt 2. When I tried to register it, the code had already been used.

    • by Ogive17 ( 691899 )
      When Steam was first in its' infancy, I received a code for a free version of Half-Life 2 due to purchasing a specific vcard. The game was not yet released at the time and Steam never gave me a copy of the game when it did release.
      • I DID get my free copy of HL2. The code came on a card that came with the 9600 pro i bought. I held onto that code for over a year. ( this was during the period where Valve delayed the release for a year.) Worked perfectly on HL2 launch day. It is still listed in my Steam purchase history as "ATI Bundle"
      • ATI Radeon 9something XT?

        I got my free copy. IIRC there was a time limit on the giveaway that started when HL2 was released. I remember not paying close enough attention and almost missing the window. Is that what happened to you?

  • WTF? (Score:5, Insightful)

    by Megane ( 129182 ) on Wednesday September 07, 2011 @06:05AM (#37324782) Homepage

    The reason access to all these keys has been granted is due to a lack of .htaccess on AMD’s site.

    What's all this stupid talk about .htacess anyway? Those are the kind of files that should not be below a web server's DocumentRoot in the first place. The reason access to all these keys has been grated is because some moron put them in a live area of the web server where they didn't belong.

    • That's what happens when you let stories be written by some guy with a $9 web hosting account.

  • It's a shame that they didn't leak the keys for a game that someone actually wants to play.

  • That many keys will guarantee a keygen is butt easy to make.

    • I'm pretty sure when it comes to online activation, all game developers keep their own lists like this which blocks out anything but keys in the list, which makes keygen keys invalid.

      Not that keygen writers actually need a list of keys to reverse engineer the key structure. They just analyze the code that checks the key in order to figure out how to generate keys that will validate the installer key check.

    • If they use good crypto, it won't help at all.

      Not that I expect them to use good crypto. It seems everybody fails to do so, even when all the algorithms and code are freely available for everybody (or maybe the problem is really that the algorithms and code are freely available for everybody, some people simply like to pay for things).

  • In the case that x million keys were used, would Steam really ban x million of its own clients and lose all of that ongoing revenue just for AMD?

"If it's not loud, it doesn't work!" -- Blank Reg, from "Max Headroom"