The aliens of the forthcoming video game Half Life 2 have been upstaged by Grinch-like hackers who stole some of the game’s code and posted it online, meaning release of the real game likely will be pushed back until after the holiday season.
Valve Software, maker of the popular first-person shooter, confirmed that code posted online late last week was in fact Half Life 2 source code stolen from the Kirkland, Washington-based software company through a simple breach of security, namely Microsoft Outlook e-mail. As a result of the theft, which game publisher Vivendi Universal said is about one-third of the game’s code, Half Life 2’s release will be pushed well into next year, around April.
Considered one of the biggest hacks in the gaming industry to date, the exposure of the Half Life 2 code highlights the simple security holes that can plague even large companies and their most prized property. “Unfortunately, a lot of people don’t pay adequate attention to security until they’ve had an incident,” security expert and Half Life fan Ryan Russell told TechNewsWorld.
Confirming theft of the code, Valve founder and managing director Gabe Newell outlined how the company believes the half-baked version of Half Life 2 ended up in the hands of intruders and on the Internet.
Newell cited unauthorized e-mail access starting around September 11th, “weird” behavior from his machine and suspicious activity on his Web-mail account for the next week.
“Around September 19th, someone made a copy of the Half Life 2 source tree,” Newell said, describing the use of keystroke recorders installed on several Valve machines. “Our speculation is that these were done via a buffer overflow in Outlook’s preview pane.”
Valve also reported it has been periodically hit with several attacks, including denial-of-service assaults on its Web servers and on Steam, its system for game distribution.
PivX Solutions senior security researcher Thor Larholm posted to security mailing list NTBugTraq that the Half Life 2 code theft happened because of unpatched vulnerabilities in Microsoft’s Internet Explorer browser.
Larholm also wrote that he had seen screenshots of successfully compiled Half Life 2 installations using other software and directories from Half Life 2 and Counterstrike.
However, Russell downplayed the effect of the pirated game, which was not stolen in its entirety and does not include all levels.
“It’s not like the game itself has been leaked,” he said.
Call for Help
Still, Valve called on the gaming community to help track down those responsible for stealing the code and posting it online.
Newell also indicated the company is already working with some clues and has posted an e-mail address for anyone with information to help: [email protected]
“If you have information about the denial-of-service attacks or the infiltration of our network, please send the details,” Newell said in his post. “There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.”
Cheating and Competing
Russell, who praised Valve for its openness on the matter, said that despite fears that the hack might lead to cheating in Half Life 2, the possibility of such an outcome did not increase greatly as a result of exposure of the code.
However, Russell did say a larger concern about the hack centers on Valve competitors that now will get a chance to look at code that might not have been otherwise available. He said this could affect Valve’s licensing of the software engine or could help competitors boost their own game engines.
While he expressed disappointment that Half Life 2 might be postponed until April of next year, Russell said the delay will not have too much of an impact on the gaming community.