
Team Fortress 2 source code has leaked - adam_fallon_
https://www.techradar.com/uk/news/team-fortress-2-source-code-has-leaked-and-you-can-apparently-get-malware-by-playing
======
notaplumber
What is up with the strange sensationalist claims in the article and on
Twitter? Source code availability is not a prerequisite to people finding
vulnerabilities or RCE exploits in games; there are many established games
with open source game clients. Security researchers routinely reverse engineer
proprietary software.

Bizarre.

~~~
ocdtrekkie
Source code availability makes it a lot easier to find vulnerabilities. Open
source code is much more likely to already have been audited better. Closed
source code often depends more heavily on security by obscurity, and
unexpected source release can definitely make vulnerabilities immediately
apparent that weren't known prior.

~~~
hitpointdrew
> Open source code is much more likely to already have been audited better.

Common wisdom. It just happens to not be true. People just aren't auditing
random code on GitHub for fun. Auditing code is hard and time consuming. Most
vulnerabilities are found by techniques like fuzzing, not by combing through
thousands of lines of code.

~~~
_pmf_
> People just aren't auditing random code on github for fun

No, just the important code that everyone is running.

~~~
josefx
Afaik it had the opposite effect for OpenSSL. Not only was the code so bad
that it would crash if run with a secure malloc implementation, but due to being
free and open source nobody felt the need to donate[1], with only one
developer employed to work on it full time.

[1] [https://arstechnica.com/information-technology/2014/04/tech-...](https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/)

~~~
_pmf_
Well, eventually someone looked at it. And probably Heartbleed had been used a
long time before it was published.

------
mappu
The leak also includes most of something called F-STOP, a cancelled Portal
project, that apparently looks like Superliminal:
[https://www.reddit.com/r/Games/comments/eebagv/gameplay_of_a...](https://www.reddit.com/r/Games/comments/eebagv/gameplay_of_aperture_camera_fstop_valves/)

~~~
philo23
The F-STOP included in this leak, from my understanding, isn't Valve's
prototype. It's just an in-development fan-made game trying to replicate Valve's
unreleased prototype.

~~~
andbberger
Strong evidence that this is fan-made: there is Cave Johnson dialogue in the
video [0]. F-STOP significantly predates Portal 2 and I presume the Cave
Johnson character as well.

[0]
[https://www.youtube.com/watch?v=HboQWe3FYbg](https://www.youtube.com/watch?v=HboQWe3FYbg)

~~~
thatguy0900
Cave Johnson's name was referenced in Portal 1. It could be they already had
the character idea in mind.

------
exabrial
Cheats and hacks were already bad enough, I imagine this won't help :( Darn,
one of the most fun games I like to play.

Sadly, OSX Catalina killed the game for Mac users because Apple recognized the
extreme demand by casual users to break all their old 32-bit applications.

~~~
ThomPete
I literally just downloaded Steam on the mac to show my boys Team Fortress
only to be met by this sad news :(

I really hope something like TF2 resurfaces in some form again. I never liked
the feel of Fortnite.

~~~
colinhmit
You should check out Overwatch, which I consider to be TF3. They reimplemented
many characters 1:1 including soldier (pharah), medic (mercy), demo (junkrat),
engi (torj), as well as the 2 point capture and pushthecart modes.

Valorant, a beta game from Riot, is then a blend of overwatch + csgo, making
it closer to tf2 6s.

~~~
markdown
The person you're replying to said he was disappointed to find that MacOS
Catalina can't run TF2. Why recommend a game that won't run on any version of
MacOS?

~~~
meestaahjoshee
> I really hope something like TF2 resurfaces in some form again. I never
> liked the feel of Fortnite.

------
gbrown
Maybe they should just embrace it and open source the code (without giving
away the trademarks). The community is pretty engaged, so I bet it would be a
boon for both security and modding.

~~~
plopz
I don't know what this contains, but many times games cannot be open sourced
because they use libraries that would have to be removed before they could
open source it.

~~~
hutzlibu
I've heard this a few times as well, but couldn't the game still be
open-sourced just without those libraries?

And anyone who wants to compile it needs a licence for those libraries, which
in many cases is free for noncommercial purposes, or students. Btw, what
expensive libraries do exist in that area anyway?

~~~
Arelius
So I've been involved in this sort of process before. IANAL but the answer is
likely yes, but it is complicated.

So, firstly IP rights may not be your only encumbrances; NDAs can be even
more restrictive, since leaking information about a library may be covered,
for instance.

Additionally, the IP of the game code itself may be encumbered, for instance
with publisher agreements, or if your code is derivative: Source, for instance,
may still be considered partially derived from id code, which ZeniMax, or
maybe some other party, may own, and getting those rights may be difficult
(even if some large percentage may be released in the GPL'd id codebases). And
if your core engine is IP encumbered, that may not be something you could
"just release without".

So then someone is going to have to actually do the work of separating out all
the third-party libraries, which may not be trivial depending on how many, and
how well separated they are.

Then at any reasonably risk-averse company, somebody is going to have to do an
audit, which could be a lot of work.

And then we might not just have other people's files to remove; while it may
not be a copyright violation to reference API calls of a copyrighted work (I'm
honestly not sure), it sure could be an NDA violation depending on the NDA. Not
to mention code that may be derived from library samples. So you either have
to cut out all of that code, or rework it to just not be in violation.

And lastly, most companies care enough about their reputation to not want to
just dump a large pile of broken code in the wild (maybe it'd be better if
they would) but want to make sure it builds and runs. So once you've removed
all those other bits, it may be a lot of work to just get everything building,
or running again. And not to mention that aside from just IP issues, a lot of
the build system may depend on local infrastructure, perhaps connecting to
local databases, or cache servers, so you will want to make it work without
that, and we also have to ensure no secrets are accidentally being divulged
(maybe signing keys, or credentials to servers).

As I understand it, Valve licenses Havok, which they possibly use for any and
all collision (or maybe just rigid-body stuff, who knows) and if so, even if
you get the game running you may fall through the world, or perhaps not be
able to move at all, which is hardly the TF2 we all want open-sourced. And
that's just one possible library, maybe they use RAD Granny to do animation,
etc.

Or if you want to allow people to buy the licenses to compile it, you still
have to do almost all of the above, then set up the infrastructure to download
the correct version, and set it up for builds, and that only works if they
didn't make any internal modifications, or maybe they can set up a patch file
that doesn't violate any copyrights, but that's also work. And that also
implies that the company the libraries are licensed from still exists and is
still selling, and still offers the old versions the game is built with. And
now you have to release the engine under a license that's compatible with the
third-party licenses, which given the precedent of using GPL adds some
extra complications.

So, yeah, there is a good chance it's possible but there is a varying amount
of work, which is most likely at least a lot.

As for libraries that exist in that area, off the top of my head some examples:

* Havok/PhysX, physics library

* FMod/WWise, audio libraries

* Natural Motion, animation libraries

* Everything that RAD Game Tools offers, including audio/video codecs, compressors, animation libraries.

* Scaleform, animation libraries

* SpeedTree, tree modelling libraries

* Enlighten, lighting (global illumination) libraries

* Platform specific libraries

* NDA encumbered IHV libraries

Keep in mind, some of these are expensive, but some are more dependent on a
corporate relationship, which is not the sort of thing that frequently offers
a student or noncommercial version.

~~~
hutzlibu
Thank you for your detailed answer!

But I now go to bed, dreaming of a world where Open-Source is the standard
and IP and NDA madness forgotten...

~~~
Arelius
Ohh, I agree, I've been working on trying to make this happen for a project I
worked on previously for about 4 years now. Have gotten some traction.

------
abathur
@valvesoftware has commented on Twitter as of ~25m ago, I guess, by retweeting
[https://twitter.com/CSGO/status/1253075594901774336](https://twitter.com/CSGO/status/1253075594901774336)

~~~
pas
[https://twitter.com/valve_software_/status/12529934603547402...](https://twitter.com/valve_software_/status/1252993460354740224)

------
chaostheory
This is another reason why I have a computer for specific uses. One used
exclusively for gaming and nothing else, with the same for bills, random
browsing, and development. It's much easier for maintenance and sanity.

~~~
Polylactic_acid
The more common and realistic attack is anti-cheat software and DRM. They are
functionally identical to rootkits/spyware in that they install themselves as
kernel drivers and monitor literally everything you do (sometimes when the
game is not even running) to work out if you are cheating/attempting to crack
the game. And we have no idea if they are limiting themselves to just that;
they could be selling your browsing history on the side as well.

The DRM is super invasive as well. A lot of Wine developers have to deal with
Denuvo repeatedly banning them, as well as one user reporting that they were
banned from Valorant after plugging in their phone to charge it.

------
ghostbrainalpha
Once you have the source code, how easy is it to "build" the game?

Using this code could I edit the character models so that certain characters
looked like Sesame Street characters and then publish that game to my personal
PC for my kids to have fun with?

~~~
HideousKojima
You could already do that even easier with the modding tools available for TF2.

------
etaioinshrdlu
Maybe the community can help recompile the Source engine for 64 bit on macOS
now.

------
runawaybottle
Is there some kind of secret agent inside Valve? Half Life 2 source code got
leaked before its release date as well (or parts of it).

The TF2 subreddit announcement:
[https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...](https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warning/)

~~~
misnome
That was 2004, so not a very busy agent...

I’m slightly shocked with the phrasing in that post “It is definitely possible
that someone could install a virus on your machine by just being in the same
server.”

That... seems like a pretty shocking security hole, unless they are talking
about unknown possibilities, in which case the term “definitely” is a bad
choice. If this can be done with the source, it could have been done before,
no?

~~~
MayeulC
That sounds pretty reasonable to assume for _any_ game, even those that are
singleplayer, if they access the network.

Game code is particularly known to be "spaghetti", "code cowboy"-style, where
the result is more important than the form or correctness. I mean, that's art,
after all, so that seems obvious.

And do you think a lot of companies update their games after they are out?
Most often, the code is definitive, refactors are out of the question, etc.
I've never seen a bug that fixes a security issue (CVE), let alone for old
titles.

And that's when RCE is not by design. It is in Garry's Mod, but that's for
client-side mods scripted with Lua, so theoretically sandboxed. Unreal
Tournament 99, though, has plenty of servers that put some DLLs for
"anti-cheat" software on your computer before you join. That one probably isn't
sandboxed.

While we talk about anti-cheat software, can we think a moment about
everything that could go wrong with a piece of software that has very deep
access to the system, is sometimes in-house, and not necessarily audited, and
whose functionality often includes:

* downloading challenges from servers, patching them into RAM and seeing what happens

* scanning the RAM of the whole system, plus the filesystem, for known exploits

* uploading parts of that RAM and filesystem to random servers for analysis

* taking screenshots, logging keypresses, monitoring the system and uploading all of this.

Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on
Wayland... Convenience is part of it, but that's not the main one.

~~~
gbrown
> Unreal Tournament 99 though, has plenty of servers that put some dlls for
> "anti-cheat" software on your computer before you join.

D:

People put up with that?

~~~
ThrowawayR2
Better than putting up with cheaters ruining the game.

~~~
Karunamon
Even if you actually believe this, Riot is _not_ known for their high-quality
code. This sounds a bit snarky but is entirely serious: Giving games root
rights is bad enough, I absolutely don't want to run _anything_ in kernel
space from the same people who wrote the client for League of Legends.

And it's not even about trusting that Riot are not bad actors, Tencent
conspiracy nonsense aside; it's about leaving that trash running with that
level of access in a way that some malicious process could use to elevate its
permissions. That is the (ab)use case that worries me.

------
snvzz
Remember that, while available, it isn't legally so.

My advice is to avoid getting tainted. Do not read the code.

Of course, archivists, please do archive it. Even if Valve does never open
source this, it should be possible to preserve somewhat adequately, and it
should be legal to publish, at some point in the future, in some country or
another.

~~~
baby
Avoid getting tainted? What does that even mean.

~~~
nestorD
Avoid reading the code, being inspired by it and using the same pattern (or
worse, snippets) in your project (which could result in legal actions against
you).

I have often heard it in the context of Windows operating system developers,
who should be careful not to accidentally introduce open-source code in the
kernel if it might have a license that is not compatible with Microsoft's.

~~~
baby
There’s no law against that unless you’re implementing a patented algorithm,
which is dumb in any case.

~~~
snvzz
Alternative implementations of programs often use Clean Room reverse
engineering, for a reason.

------
mindslight
usercheto21351 posted a magnet link that appears to be legitimate, but which
is now [dead] for some reason. Do we really want to read speculative blogspam
while rejecting the original material?

------
BetaDeltaAlpha
Any clues as to Half-Life 3?

------
humaniania
What are the odds that this is a black hat move by Epic?

------
VectorLock
If the remote code execution thing in CS:GO is true I wonder if it could lead
to virtual item theft. We're talking about potential loss of items worth
tens of thousands of dollars. I'm sure Valve could eventually recover them but
that could be some serious anxiety and opportunity loss for item holders that
are affected.

~~~
adam_fallon_
So far what I've seen of the RCE has been a way of triggering
pop-ups on the start screen. Not to say it's not more dangerous than that, but
just thought I'd give some context.

Most RCEs aren't carte blanche to run arbitrary code on a user's computer, but
are some way of triggering a particular code path on a remote computer.

~~~
dmurray
RCE by definition involves being able to run arbitrary code, for some
reasonable definition of arbitrary. "Triggering a particular code path"
doesn't get you anything: if you have a webpage you can trivially make your
visitors' computers execute plenty of predictable code paths, like the one to
render text to the screen or to send audio to the speakers.

------
trufas
The fact that the servers didn't immediately get shut down is pretty
irresponsible. There's tens of thousands of people logged in to tf2 who are at
risk of having their computers pwned because the tf2 servers are still up.

~~~
seabird
Valve has no control over user-owned servers, only the listings for the server
browser. Valve was informed of this leak years ago. All of this talk of an RCE
is pure speculation; the leak hasn't even been out for a day.

It's good to be informed and take steps toward being safe, but we're talking
about a leak where any meaningful security flaws have had multiple years to be
patched.

