
The boy who stole Half Life 2 source code (2011) - abhimir
http://www.eurogamer.net/articles/2011-02-21-the-boy-who-stole-half-life-2-article
======
deftnerd
It's stories like these that's inspired me to start up a new project at
oppressed.me. I'm trying to compile a list of hackers and hacktivists that
have been imprisoned in order to let the internet easily send them
correspondence. I'm also going to ask publishers for donations of older copies
of technical books to send them.

A lot of hackers are just kids that make a stupid mistake. During their time
in jail, their skills get soft or they'll get hardened by their time there. My
hope is to let them know that people on the outside still are thinking of them
and to help them keep their skills up-to-date.

I'm a bit overwhelmed with a startup at the moment, but I anticipate the non-
profit to be formed and to launch sometime in the fall.

~~~
codexon
I don't feel sorry for malware writers. They are not oppressed and deserve
what they got.

And this guy also stole people's software keys.

If they were talented coders, they could've found less destructive ways to
make money. But he decided to go the greedy route.

~~~
FiloSottile
> If they were talented coders, they could've found less destructive ways to
> make money. But he decided to go the greedy route.

Let me guess: you are a US citizen, or anyway live in a country where
developer positions abound. Well, not everyone is. Some people live in small
towns where the cool programming positions are adapting invoice management
software for small businesses.

Also this was before Freelancer.com, before code.org. And he was a boy, he
couldn't just relocate. Also, before the App Store.

This is exactly the curiosity that people who enter the InfoSec world feel,
coupled with real skills. Often too much skills and too little to do to start.

Then you stumble upon a IRC channel and a world of challenges opens in front
of you.

By the way, he asked Valve to _hire him_. Maybe he just didn't find "less
destructive ways to make money" yet.

Don't judge if people are oppressed (or better, repressed) if you have never
been, please, either because at that age YOU had the occasions or guidance, or
because you hadn't that curiosity or talent.

~~~
sillysaurus3
_Some people live in small towns where the cool programming positions are
adapting invoice management software for small businesses._

That's a legitimate programming job. Cool software rarely makes money. Cool
software that makes money (game development) doesn't pay very much.

 _Then you stumble upon a IRC channel and a world of challenges opens in front
of you._

A book is far more challenging, because in an IRC channel you're a fish in a
small pond. Eventually you grow to be the biggest fish, or forever limit
yourself to being small. What a book can't give is peer recognition. But peer
recognition is a vain motive, and vanity is rarely lucrative. A book also
can't answer questions, but you can use IRC or a website like stackexchange
for that.

If anyone reading this has personal experience flirting with blackhattery,
please carefully consider what you're doing and why you're doing it. (And if
you'd like someone to talk to, please feel free to shoot me an email. I'd like
hearing about your experiences and your thoughts.)

~~~
psykotic
> Cool software that makes money (game development) doesn't pay very much.

Your thinking must be stuck in the last century. By the time I entered the
game industry 13 years ago, salaries were already on par with the software
industry at large. My first full-time position was in 2003 and paid
$85,000/year. Based on the numbers I've seen, game programmers currently earn
significantly more than web developers with an equivalent amount of
experience, despite the wage-inflationary effect of the VC money faucet.

The coolness factor used to play a greater role. I would say it still affects
the supply side for QA, design and very entry-level positions in programming.
For programmers with any level of competency and experience, its role is
negligible.

~~~
Bahamut
Are you sure about that? After 1 1/2 years in web development I am making
significantly more than all of my game developer friends (even 2x some).

~~~
psykotic
I'm going on personal knowledge and IGDA salary surveys. What part of the
industry are your friends in? I should maybe have mentioned that the growing
F2P, casual, mobile segment bears little resemblance, economically and
otherwise, to what I would consider the traditional AAA game industry (which
may eventually go the way of the dodo).

~~~
Bahamut
I have friends in various parts of the industry - F2P, AAA, mobile, and indie.

The consensus amongst my friends in game development is that it doesn't pay
well for the amount of work they're doing, but it's what they enjoy doing so
they're willing to tolerate it.

I should also mention that I am a bit of an anomaly - I'm an AngularJS expert,
which seems to be in extremely high demand right now. I'm making around $160k
(including stock compensation), and I may have even lowballed myself in salary
negotiations.

~~~
sillysaurus3
Wow, thanks for the salary datapoint! Do you live in a high cost of living
area like California, New York, etc (anywhere it costs $2k/mo for a 1 bedroom)
or a less expensive area?

~~~
Bahamut
Silicon Valley, recently moved from Washington, DC - I could have easily
nabbed compensation for a little less around Washington, DC for what I do
though. My move out west is for largely personal reasons.

------
phoboslab
I still remember the day HL2 leaked. All of my friends and I were in IRC
trying to download the damn thing from DCC bots.

I was lucky and got a slot that provided the full 80kbyte/s. I finished the
download first, but my PC was pretty old back then so I didn't even bother
trying to run it. Instead, I removed my hard drive (my system drive!), picked
up a friend and we drove to another friend who had the fastest PC at the time.
About 30 mins later all of us (I believe 5 or 6 guys) gathered in a tiny dorm
and just stood in awe as we booted up HL2.

There was barely any gameplay present. You could just walk around in some maps
and admire the graphics. It didn't matter. If we hadn't been stoked before, we
were now.

In hindsight, this all was just an amazing PR stunt. Fun times.

~~~
josefresco
Your account brings back gaming memories from the late 90's and early 00's.
"Leaks" and pirated copies of games ruled the day, and only served to make us
all even bigger fans/obsessed gamers. The idea that you were using/seeing
something that hadn't been released yet was thrilling and made us all even
more dedicated to gaming. Of course then we were all poor college/HS kids, but
most of us eventually got jobs and turned into Steam customers.

------
Tokala
Unfortunately, I've never found an in-depth discussion about the part about
where they attempt to lure him to the United States so that he can be
arrested. It always strikes me as a bit excessive.

That Valve worked with the FBI to get him sufficient permission to enter the
US with the false pretense of getting a job seems to make this feel like much
more personal than anything else.

And I'm left scratching my head as to what it really would have
accomplished...

------
ahuth
I'm not condoning breaking into the network and stealing source code, but what
financial damage did this cause to Valve? The article repeatedly refers to
financial damages, but I'm not sure how that is.

~~~
codexon
Well first of all, the game appeared to be playable, so there's the piracy
aspect.

The Source engine is also licensed to other games. If the code is public,
other engines could copy their features.

Also it is very annoying to re-secure all your computers after you have been
breached. Every single person has to change their password and you don't know
what backdoors the guy has installed without a full wipe sometimes.

~~~
ahuth
Obviously they should've spent the time to secure their network before hand!

Also, can't say I buy the hypothetical piracy cost. Does anyone have any
examples of other engines copying Source features from the source code?

~~~
jabagawee
I reject the argument that Valve had it coming since they didn't take the time
to secure their network beforehand. There are almost always going to be holes
in the security of any system, especially digital ones (since they have a
larger surface area to consider), so blaming the victim of a break-in implies
that everyone should just resign themselves to being hacked sooner or later.
Valve surely made at least some efforts to secure their systems, but even if
they did not, that would not justify the morality/ethicality of entering their
servers without permission.

~~~
jberryman
> I reject the argument that Valve had it coming since they didn't take the
> time to secure their network beforehand.

I think the suggestion was that the time taken to secure their networks
shouldn't be counted as "damages", just something that needed to be done
regardless.

~~~
sliverstorm
Scrubing all the machines for new backdoors isn't something that needed to be
done beforehand.

------
phaus
Interesting story, terrible article. Valve has always followed the "when its
ready" release model. The article makes it sound like there was a huge
conspiracy to keep valve's ineptness a secret, else Gabe would have no
alternative than to commit ritual suicide.

~~~
ZoFreX
We're used to that model then, but this was a long time ago - before "Valve
time" was so accepted. They had been publically stating that the game was
weeks from release, not saying "when it's done" at all. Additionally they had
demo'd at E3 and claimed the demo was not scripted, whereas the leak showed it
was almost entirely so.

~~~
phaus
>We're used to that model then, but this was a long time ago - before "Valve
time" was so accepted.

"Valve time" was already universally accepted. Between Half-Life, TFC, and
Counterstrike, there was an enormous amount of good will towards this company
even back then. Plus, we were already used to "Valve time" because it was
actually "id time." Id had been doing it for nearly a decade before HL2 game
out.

>Additionally they had demo'd at E3 and claimed the demo was not scripted,
whereas the leak showed it was almost entirely so.

The guy who obtained the source code himself said that there were so many
builds on valve's servers he had no way of knowing whether or not he had the
most current build.

------
atmosx
The guy is extremely lucky for getting into the hands of the German police and
because of his nationality.

I think that if he wasn't German, but from another 'major' or 'minor' EU
country, Austrilia and many others he would have been extradited at no time to
the US.

------
cyanbane
I remember reading this article a few years ago. It was a very divisive
article for me. Early 20s me would have felt bad for Gembe. Early 30s me felt
bad for Valve.

I don't know where the cycle goes from here. Maybe the real wisdom is feeling
bad for both?

------
MisterMashable
This was an amazing and somewhat sad story. How's Gembe doing today? Based on
his near adoration of the Valve developers, it would be fitting if he worked
in the gaming industry. Maybe he could set things right by helping to make
Half-Life 3?

~~~
ago
I worked programming fire alarm systems for a while, embedded device
programming and test automation. Now I started doing realtime graphics in
Bejing. Working on using the Kinect to do gesture input on presentations on
really big screens. Like Powerpoint on steroids.

~~~
zacharycohn
The article didn't have any information on the person you passed the source
code to. I assume they tried to figure out who it was? What happened to them?

~~~
ago
I think I already confirmed it on reddit after someone else said it. I shared
it with SourceX from myg0t and he shared it with other people inside myg0t. It
was really stupid to do ... yay hindsight :(

------
eqyiel
I wonder if it was around this time when people wisened up to disabling zone-
transfer requests. Tangentially, I took part in a CTF recently and one of the
tasks was to get the list of hosts from a domain. The hint was "My sword. My
bow. And my Axfr!"

------
harmonicon
"Have you any idea how lucky you are that we got to you before you got on that
plane?"

I think the German police officer was right. If you got arrested on US soil,
(your side of) the story could have been very, very different.

------
TwoBit
Valve didn't use password hash salting? That seems borderline ridiculous.
Pretty much the only way he could have broken the hashes is if this is so.

Valve's use of SourceSafe at the time is another black mark, though not
related to the security breach.

~~~
atmosx
The only take-away here is that it's better to pay for a third party to secure
your network, or a have a small team (2-3 guys) doing the
administration/security-audit properly. I can't blame developers for not being
security experts.

Developers != System Administrators != Security Experts

ps. The most important part however, are the developers, without them the
other two groups wouldn't exist. :-)

------
benihana
_" Have you any idea how lucky you are that we got to you before you got on
that plane?"_

The difference in the way he was treated by police and the justice system (and
how different it is than what we've come to expect in America) is what struck
me the most about this story.

~~~
macspoofing
Same. They let him grab something to eat and even smoke a cigarette before
they brought him in. Then he gets two years of probation. It all feels very
reasonable to me. Compare that to the $1 million fine, 35 years in prison
(followed by 3 years of supervised release) Aaron Swartz was facing by
downloading documents anyone can access just by virtue of connecting to the
campus Wifi. There is definitely something really off here.

~~~
tzs
> Compare that to the $1 million fine, 35 years in prison (followed by 3 years
> of supervised release) Aaron Swartz was facing

Swartz was NOT facing anywhere near 35 years in prison. He was facing, if he
went to trail and lost on all charges, and the court decided that he had
caused a large amount of monetary damage, around 7 years. If he had taken the
plea bargain that was on the table, he was facing a few months.

Prior discussion with more detail:
[https://news.ycombinator.com/item?id=7004640](https://news.ycombinator.com/item?id=7004640)

~~~
macspoofing
Unbelievable.

>Swartz was NOT facing anywhere near 35 years in prison.

You know why people keep using that number? Because that's the number the
attorney's office itself used in its own press release. That's why. But OK,
let's be reasonable here. I'll fix it:

>"Compare that to the $1 million fine, __up to __35 years in prison (followed
by 3 years of supervised release) Aaron Swartz was facing "

There fixed it. Happy??

I'm sure from your armchair perspective, you can find nuance in saying that he
wasn't __likely__ going to get 35 years, instead, he'd get a quick 7. Yet, I
think if you're in that position, you may still be looking at that 35 or 50
year number. The sentencing judge could have made an example out of him as
well, no? It's not like never happens. And of course, the best outcome is that
he's looking at 7 + . Justice!

Of course this raises another relevant question. Why is it that prosecutors
like to load-up on charges to get their nice maximums? Is it so that their
office can do those great press releases extolling how tough on crime they
are? Or maybe to bully the defendants into taking whatever deal they cook-up
in order to get another notch on their conviction belt? If you think 7 years
(here's your nice, reasonable almost-a-decade number, happy?) is what the law
calls for, why not charge him for 7 years?

>If he had taken the plea bargain that was on the table, he was facing a few
months.

That's right, he didn't, and then the prosecutor loaded up 35 years of charges
and pulled the plea bargain off the table. Because why? To teach the next guy
to not be so uppity and force them to cow-tow to prosecutor demands?

Ridiculous.

~~~
tzs
Macspoofing wrote:

    
    
        You know why people keep using that number? Because
        that's the number the attorney's office itself used
        in its own press release. That's why. But OK, let's
        be reasonable here. I'll fix it:
    
        "Compare that to the $1 million fine, up to 35 years
        in prison (followed by 3 years of supervised
        release) Aaron Swartz was facing"
    
        There fixed it. Happy??
    

If you had bothered to read the references that were in the comment I linked
to, you would know that prosecutor press releases are not useful in these
matters. This is the algorithm they use for coming up with a number:

    
    
        years = 0
        foreach charge as c
            years += maximum_sentence_someone_can_get_for(c)
    

Note that there is nothing in there about the particular defendant or the
particular instance of c that defendant is accused of. Each charge has a
sentencing range from probation up to several years in prison. The judge does
not have free reign to pick from within that range. The Federal Sentencing
Guidelines set a maximum based on the defendant's prior record and based on
the details of the particular instance of the crime at hand and on the damages
done.

Note also that the press release algorithm just adds these up for all charges.
In reality, related charges are grouped together under the Federal Sentencing
Guidelines. If you are convicted on more than one charge in the same
sentencing group, you are only actually sentenced for whichever one gives the
longest sentence.

    
    
        I'm sure from your armchair perspective, you can
        find nuance in saying that he wasn't __likely__
        going to get 35 years, instead, he'd get a quick 7.
        Yet, I think if you're in that position, you may
        still be looking at that 35 or 50 year number. The
        sentencing judge could have made an example out of
        him as well, no? It's not like never happens. And of
        course, the best outcome is that he's looking at 7 +
        . Justice!
    

No, 7 years was not the best outcome. It was the worst outcome. It was the
outcome if the judge decided to make an example of him. This is not the
armchair perspective. This is the perspective of anyone who is familiar with
the Federal Sentencing Guidelines, and how they are used.

You could have been one of those people, if you had bothered to read Orin
Kerr's incredibly detailed analysis of the law in this case that was cited in
the comment I linked to.

    
    
        Of course this raises another relevant question. Why
        is it that prosecutors like to load-up on charges to
        get their nice maximums? Is it so that their office
        can do those great press releases extolling how
        tough on crime they are?
    

Answered in the references I gave. Too bad you didn't read them.

    
    
        Or maybe to bully the defendants into taking
        whatever deal they cook-up in order to get another
        notch on their conviction belt? If you think 7 years
        (here's your nice, reasonable almost-a-decade
        number, happy?) is what the law calls for, why not
        charge him for 7 years?
    

Up to this point, you were simply being willfully ignorant. Now you just being
dumb. Defendants who have not dealt with federal charges before, and so have
had no occasion to learn about the Federal Sentencing Guidelines and how
prosecutor press releases are way overflow, will learn this as soon as they
talk to their lawyer after being charged.

    
    
            If he had taken the plea bargain that was on the
            table, he was facing a few months.
    
        That's right, he didn't, and then the prosecutor
        loaded up 35 years of charges and pulled the plea
        bargain off the table. Because why? To teach the
        next guy to not be so uppity and force them to
        cow-tow to prosecutor demands?
    

The plea bargain offer for a few months sentence was on the table until the
very end.

~~~
tptacek
Chiming in as per usual to note that Swartz's own lawyer wrote in a blog post
after the tragedy that he believed Swartz was unlikely to receive a custodial
sentence of any sort even had he taken the case to trial _and been found
guilty_. It was a non-remunerative computer crime by a first-time offender,
both of which are factors considered by the Federal Sentencing Guidelines.

------
hellbreakslose
You can't really blame a kid at that age... Kids at that age have no sense of
fear or can't recognize what is punishable or not. Everything is a game,
especially years back as that internet was not so evolved and the laws around
it weren't so strict.

Its Valve's fault for letting a 16 y/o install malwares on their computers...
When you are developing something you got to be serious about its security as
well if you want it to remain a secret. It feels to me like their employees
and IT department had no actual sense of what security was (Employees going
off installing whatever on their computer, and IT team not being able to track
down malware and outgoing packets to unknown sources...)

