IE Blamed for Half Life 2 Code Theft

[TS | Thomas]

The theft of the code, which was made available for download on the Net, came after a monthlong concerted effort by hackers to infiltrate Valve's network. Malicious activity in the Valve network included denial-of-service attacks, suspicious e-mail activity & the installation of keystroke loggers, Newell added.

"This is what happens when you have 31 publicly known unpatched vulnerabilities in IE," wrote Thor Larholm, senior security researcher for PivX Solutions LLC, in a posting to the NTBugTraq mailing list. "I have seen screenshots of successfully compiled HL2 installations, with WorldCraft & Model Viewer running atop a listing of directories such as hl2, tf2 & cstrike."

Would you like to know more? You can find PivX's IE vulnerability listing here, as can be seen, much of these remaining vulnerabilities have been around for well over a year now - hopefully Microsoft will stop trying to hide behind technicalities as to how much user interaction is required for something to not be a vulnerability & just fixed the damned issues.

 

[Per Hansson]

Wow, I had no idea it was that many vulnerabilities

It's a pity that Windows Update only works with IE, otherwise I would uninstall the crap with 2000lite from www.litepc.com

 

[acidosmosis]

I am sure it has more. There will ALWAYS be this many and more vulnerabilities to ALL software. That is life. There is no changing it. We don't live in a perfect world, or in a world with "hero hackers" like the movies that can make the perfect software.

So, people need to quit complaining about how MS products are unsecure. You can't make software perfect and even if you did people would still complain because you can't make anyone happy.

Really makes me sick.

 

[TS | Thomas]

The listing there isn't totally complete as it says, though that listing there is based on a *patched* installation of IE (i.e. there's only 33 vulnerabilities assuming you've got all those security patches installed - the new cumulative IE patch will probably reduce that to 30 - it should be updated in a few days to reflect it).

As regards MS being only human, yeah that's fine, no-ones perfect. I can completely understand nothing is going to be released without some problems - that's inevitable.
BUT. Can you explain why these imperfect beings have failed to fix problems which have been *reported to them* over than a year ago? That's just inexcusable.

 

[snapon]

Why would anyone leave source code, the heart of your biggest project and financial well being, on a computer connected to the internet? Seems less of a MS/IE problem and more of a problem with how you handle and store your data. Rather careless of Valve imo.

 

[StormBringer]

I'm gonna keep my mouth shut. If I voice my opinion about this I will surely be banned. /me mutters something about morons and configuring a firewall......

 

[Per Hansson]

snapon and StormBringer, yea, I agree...

Why in the world they had their production machines connected to the internet is beyond me, had this been my corporation I would have made sure that no physical connection exsisted....

Nontheless Valve has the problem that they must supply for example the GFX card manufacturers with test versions of their game so they can optimize their code for it...

So I guess a more open design of the network can be benifitical here, though if that had been necessary the code could have been compiled and encrypted...

 

[Phantasm66]

I am afraid I would have to jump on the wagon with this one too!

I think that Value should have had better defences. Why weren't they surfing behind a proxy server, with good firewall, patched browser and e-mail client, etc?

It doesn't excuse the actual hacking, but its a bit like the following:

"I walked alone last night, on a known dangerous, dark path, and got attacked. Weren't the people who attacked me bad?"

"Yes, they were. But what the hell were you doing walking home that way? You are lucky to be alive hanging around there at night! What were you thinking?!"

These days, if you connect even a Windows box belonging to a complete nobody to the net, it gets hacked and attacked right away. Nevermind a computer that might contain something that someone wants.

No... I think that Value should have delt with this a little better. They seem to indicate that they had some warning that this was going on - why didn't that encourage them to take some sort of action? Like visit windowsupdate.microsoft.com ? Or install a better firewall? Come on, you are a software development company, you should know about these things....

 

[acidosmosis]

These things are why I don't believe the HL2 source story never actually happened. Valve isn't that stupid. Way too many things don't add up. Something is fishy. Someone is lying whether it is someone who made this story up or Valve is lying themselves. The code might have been leaked but I doubt at all that it happened the way they say it did. If it was even Valve that said these things and not some ***** website owner spreading rumors.

 

[StormBringer]

Well, I said all along I thought Valve did this to give themselves an excuse for delaying the game. Stolen source code pretty much gives them the opportunity to delay as long as they want, and no one is gonna ***** much because Valve are victims here right?.

Like I said when this first happened(or maybe I only said it in the IRC channel) anyone dumb enough to leave the code for their uber top secret, best thing since sliced bread project, laying around on a server connected to the internet deserves to have it stolen, just to teach them a lesson, when you try to blame an MS security flaw for this, that makes you a *****.

 

[acidosmosis]

Yea, I definately agree if Valve did indeed allow this to happen then they are definately reaping what they sowed. Or in this case, shall we say.. weeping what they sowed.

 

[tkteo]

I'd think that companies like ZoneAlarm, Symantec and McAfee would have been jostling to get Valve to install their internet security/firewall products, that is if Valve had wanted to do so.

Or ATI and Valve can also bundle the forthcoming Radeon 9800/9600 XTs with a software firewall.

"Don't get shot by a hacker while playing your favorite shooter." Message sponsored by ATI and Valve.

 

[Phantasm66]

Originally posted by tkteo

"Don't get shot by a hacker while playing your favorite shooter."

"Don't get shot by a hacker whilst developing your new shooter."

- Phantasm66.

 

[olefarte]

This, from The Inquirer, kind of echos some thoughts that have been expressed here first.

If Valve's security really is so weak that it somehow lost the code to a hacker through a purported problem with Microsoft Internet Exploder or Outlook, we need fear no aliens or gremlins invading the world from Alpha Centauri or Sirius or Rigel or wherever. If games designers don't know how to protect their own work, who does?

Like we said, excuse us for being uncharacteristically cynical, but doesn't the whole thing have the sniff of a fantastic David Blaine-like stunt?