Game's source code stolen in hacking

Digital thieves compromise Valve Software's security and steal the source code for "Half Life 2," raising the specter that online players of the coming game may be vulnerable to attack.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
3 min read
Digital thieves have compromised Valve Software's Internet security and stolen the complete source code for "Half Life 2," raising the specter that online players of the coming game may be vulnerable to attack.

Gabe Newell, the company's founder and managing director, described the incident in a post to the "Half Life 2" community site HalfLife2.net, in response to rumors about the code being leaked. Valve wouldn't otherwise comment on the theft, but confirmed Monday that the post was authentic.

Appearing on Thursday, the account of the theft said that in mid-September a network intruder had access to Valve Software's e-mail accounts and, on Sept. 19, apparently copied the entire source-code tree for "Half Life 2."

"Ever have one of those weeks?" stated the post. "Yes, the source code that has been posted is the HL-2 source code."

According to the post, Valve's internal network had been almost completely compromised. Keystroke loggers--the computer equivalent of unauthorized wiretaps--had recorded employee passwords and confidential information, the post stated. Moreover, for the past year, the company has been suffering from intermittent denial-of-service attacks.

"Half Life 2" is a much-anticipated entry into the computer-game market. Due out in later this year, the game pits the human race against aliens from another dimension. The original game was popular, not only for its strong single-player story line, but for several expansions to the multiplayer game, including "Counter Strike." Released in 1998, "Half Life" remains the most popular first-person shooter online, according to current data from games site GameSpy.

Thor Larholm, senior security researcher for security firm PivX Solutions, obtained source code from available sources on the Internet and compiled the game. The program worked and appeared to be "Half Life 2," he said.

While some reports have focused on speculation that the digital thieves wanted a leg up in finding ways to cheat in the game, Larholm stressed that the leaked source code could be used by hackers and other to find security holes in the program. That could mean that people who play the game online may be opening themselves to attack.

"It is a very serious hack," he said. "It highlights some loose security policies. I definitely hope they catch these guys."

Valve wasn't the only one affected by the incident.

Components of the source code appear to be from other companies that had licensed the software to Valve, PivX's Larholm said. For example, some of the code apparently came from Havok, Dublin, Ireland's creator of software that emulates the physical interaction between in-game characters and their environment.

Steven Collins, chief technology officer for the company, couldn't confirm whether the stolen code contained the company's software, but said Havok is investigating the issue.

"We are working with Valve," he said. "I expect to be in a much more informed position in a few days."

In addition, the code from Valve's game distribution system, Steam, was also distributed along with the "Half Life 2" code, Larholm said.

In his post to the "Half Life 2" community, Newell asked for the community's help in tracking down the thieves who stole the code.

"I have a special e-mail address for people to send information to, helpvalve@valvesoftware.com," he wrote. "If you have information about the denial-of-service attacks or the infiltration of our network, please send the details."