Hacker News new | past | comments | ask | show | jobs | submit login
The boy who stole Half Life 2 source code (2011) (eurogamer.net)
261 points by abhimir on June 1, 2014 | hide | past | web | favorite | 153 comments



It's stories like these that's inspired me to start up a new project at oppressed.me. I'm trying to compile a list of hackers and hacktivists that have been imprisoned in order to let the internet easily send them correspondence. I'm also going to ask publishers for donations of older copies of technical books to send them.

A lot of hackers are just kids that make a stupid mistake. During their time in jail, their skills get soft or they'll get hardened by their time there. My hope is to let them know that people on the outside still are thinking of them and to help them keep their skills up-to-date.

I'm a bit overwhelmed with a startup at the moment, but I anticipate the non-profit to be formed and to launch sometime in the fall.


I think the system did quite well with Gembe all things considered...

  The judge sentenced him to two years' probation, citing his
  rough childhood and the way he had worked to turn his life
  around as considerations when it came to deciding on the
  relatively lenient punishment.
The arrest at gunpoint sounds quite dramatic, but then again they let him stop for coffee and a cigarette on the way out, so this is not the typical SWAT. They did offer that it was a concurrent raid along with Sven Jaschan (author of Sasser) and they thought there was potential for a tip-off.

I was cringing the whole time reading about the interrogation. I can imagine this whole thing would have ended so much worse for Gembe if he had actually gone for that job interview. Just try and compare Gembe to Weev, you might start pining for good ol Schönau im Schwarzwald.


You're completely right. The police were nice to me, probably because I was very cooperative. The team was about 15 people from the LKA, including the head of the cybercrime unit. I did cause a bit of a scare when I reached for the kitchen knife to cut some bread, but they quickly realized I didnt want to stab anyone. Of course I knew that I was far better off being in Germany than anywhere else, so I wasn't worried much. Overall I'm quite satisfied with how it went for me, even though it would be 4 years until the trial where I had to report to the police 3 times a week. I had the opportunity to turn my life around and get a good job. If I got put into jail neither me nor society would have been better off considering I paid a lot of taxes in the meantime and haven't done anything criminal since.


To be honest if find it kind of a dick move that Valve choose to have you arrested instead of making you work your ass off to make up for your mistake.

It is justified what you did was illegal and not cool but they had the chance to turn it into something positive.


I don't really think so. If I was working on a game for years, only to find out someone broke into my network, planted keyloggers on lots of my computers, and stole all of the source code for my game, I'd be interested in arresting the perpetrator as well. The game was practically Gabe's second baby.

Plus, there was no way Gabe could have known that Axel was 1) truly apologetic or 2) wasn't the one who also published the code publicly. And even if it was known, the fact that he shared it with friends showed that he didn't seem to care that much about protecting it.

That being said, I do work in the security industry and understand that Axel's motivations weren't evil or anything. Gabe still did what he should have done.


Well the damage was already there wasn't much he or anybody else could do about that so giving the guy a chance to make up for his mistake wouldn't have hurt.

Then again I'm sure he was really pissed so I can't blame him for doing what he did.


I can definitely think of at least one way that hiring the guy who hacked into your company's computers, planted keyloggers, and stole the source code of your project could hurt. I thought of another while I was typing that sentence.

Maybe the kid who did it wasn't actually sorry; maybe he was hoping to get more access so he could steal more stuff. That's a way it could hurt.

Maybe bringing the kid who stole your team's work and demoralized everybody isn't going to do great things for the company morale; that's another way it could hurt.

Giving people second chances is great and all, but it seems silly to say "[it] wouldn't have hurt"; it could have very easily gone wrong.


> giving the guy a chance to make up for his mistake wouldn't have hurt.

That presumes you are 100% confident that the guy is completely remorseful and will no longer do anything wrong. Given past behavior, why should Valve have had that confidence?


I do not believe Valve had much control over that. They needed to report it (failure to do so might get them in trouble with regulators, insurance, and all that crap), and once they do they don't get any say in how the investigation or prosecution is handled. Even if Newell refused to testify, chances are this wouldn't hinder prosecution very much... plenty of other evidence to stick it to the kid.


Should we not arrest master car theives because they are exceptionally talented? It's not unreasonable that their talent could be fit into some productive use. What about people who burglarize homes? Who fix soccer/football matches? Shoplifters? Assuming nonviolence in these cases. Would you preume perpetrators of all of those crimes just have to "work their asses off" to make up for "mistakes?" How do you arbitrarily draw a line and say such and such crime should not be punished or enforced and another should be?


Nope, we should not just arrest them. However, they should all be punished in some way.

'prison' and 'punishment' aren't synonyms. Make someone work their ass off to repay a crime IS punishment. As is locking them up, but by doing that, you severely decrease the chances of that person ever being a productive member of the society again.

Of course, should that person break the terms agreed upon, then I guess prison time is warranted as an additional punishment. And even in this case, with non violent criminals, in a setting where they can still work.


I strongly feel that those people should face some form of restorative justice rather than punitive fines or prison.

Prison is fantastically expensive, not particularly effective, and severely degrades the offender's life.

Restorative justice is much cheaper and more effective at fixing the offending behaviour, and the results of that behaviour.

Prison should be left for violent or unrepentant recidivists.


Did the leaking of the source code lead to competing games springing up, which cut into the profits of Valve, or any other damage?


No, but it's easy to say that with the benefit of hindsight.

Nobody knew everything would turn out OK back before HL2 was released.


if you were to enter the US now, would the police/fbi arrest you?


The arrest at gunpoint sounds quite dramatic, but

There are no buts here. Non-violent offenders shouldn't be arrested at gun point. And it's not just a matter of scaring someone, it's a matter of public safety. I don't get why whenever an issue like that comes out, there is always someone jumping to defend dangerous practices like that.


I don't feel sorry for malware writers. They are not oppressed and deserve what they got.

And this guy also stole people's software keys.

If they were talented coders, they could've found less destructive ways to make money. But he decided to go the greedy route.


> If they were talented coders, they could've found less destructive ways to make money. But he decided to go the greedy route.

Let me guess: you are a US citizen, or anyway live in a country where developer positions abound. Well, not everyone is. Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.

Also this was before Freelancer.com, before code.org. And he was a boy, he couldn't just relocate. Also, before the App Store.

This is exactly the curiosity that people who enter the InfoSec world feel, coupled with real skills. Often too much skills and too little to do to start.

Then you stumble upon a IRC channel and a world of challenges opens in front of you.

By the way, he asked Valve to hire him. Maybe he just didn't find "less destructive ways to make money" yet.

Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.


Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.

That's a legitimate programming job. Cool software rarely makes money. Cool software that makes money (game development) doesn't pay very much.

Then you stumble upon a IRC channel and a world of challenges opens in front of you.

A book is far more challenging, because in an IRC channel you're a fish in a small pond. Eventually you grow to be the biggest fish, or forever limit yourself to being small. What a book can't give is peer recognition. But peer recognition is a vain motive, and vanity is rarely lucrative. A book also can't answer questions, but you can use IRC or a website like stackexchange for that.

If anyone reading this has personal experience flirting with blackhattery, please carefully consider what you're doing and why you're doing it. (And if you'd like someone to talk to, please feel free to shoot me an email. I'd like hearing about your experiences and your thoughts.)


I think I should stress I'm speaking about young people.

Peer recognition is critical when starting at that age. Also careful consideration is not exactly common.

I'm in no way alleging that it is a reasonable way to go for a mature professional, but I acknowledge the charm it has for the young high-schooler that is being "taught" Excel at school and being told not to fiddle with that weird black terminal.

These boys and girls should not have their lives destroyed by a harsh punishment for their curiosity, that in a different setting would have been highly rewarded. I can totally picture myself doing the same errors in different conditions.

Btw, management software is a legitimate programming job of zero interest to security people. Just different curiosity fields.


It's a kinda strange thing. Before the digital age kids like myself just did not have access to many things that could get them into so much trouble. I caused my share of mischief when I was a kid, just like most boys will do. Probably the worst tools I had at my disposal were eggs or snowballs to throw at cars. The opportunity for me to reach out from my bedroom and cause damage to a multi-national corporation or government just was not available to me or anybody at the time. It's hard to imagine what I could have done as a kid to even get the attention of the FBI, let alone have them trying to trap me in a sting operation. Kids today have a lot more ways to do some serious damage and get themselves into real trouble.


I wonder what % of HN people never made anything illegal, like:

    * Hack into a remove computer server/friends PC.
    * Broke a WEP/WPA wifi network to gain access
    * Performed MiTM to see what kind of data can sniff
    * Performed brute-force dictionary attack without being asked.
    * Shared illegal digital material with friends
I feel it's about ~ 3%.


Add :

* Scraped website and used the data for some other opportunity


I sense optimism in that number...


I would think the first 4 together is probably a bit more than 3%, but the last one alone is probably >40%


You probably didn't have access because you didn't look for it. A kid with the right mindset and a copy of the Anarchist Cookbook or similar could cause a lot of panic and draw a lot of attention.

The difference is not access, it's the inherently nonviolent nature of digital. It's easier to get a kid to care about not hurting others than about not hurting an abstract legal entity like a company.


Before the Internet, how would I ever had acquired a copy of the anarchists cookbook in rural England? I did know the book existed, and I am sure I would have tried some of it out if I could have got a copy.


It's probably true there were ways to get yourself into real trouble before the Internet. I guess phone phreaking or calling in threats and such. Still it seems like there's a lot more temptation out there for a kid to cause mischief now that the entire world is wired together.


> Cool software that makes money (game development) doesn't pay very much.

Your thinking must be stuck in the last century. By the time I entered the game industry 13 years ago, salaries were already on par with the software industry at large. My first full-time position was in 2003 and paid $85,000/year. Based on the numbers I've seen, game programmers currently earn significantly more than web developers with an equivalent amount of experience, despite the wage-inflationary effect of the VC money faucet.

The coolness factor used to play a greater role. I would say it still affects the supply side for QA, design and very entry-level positions in programming. For programmers with any level of competency and experience, its role is negligible.


Are you sure about that? After 1 1/2 years in web development I am making significantly more than all of my game developer friends (even 2x some).


I'm going on personal knowledge and IGDA salary surveys. What part of the industry are your friends in? I should maybe have mentioned that the growing F2P, casual, mobile segment bears little resemblance, economically and otherwise, to what I would consider the traditional AAA game industry (which may eventually go the way of the dodo).


I have friends in various parts of the industry - F2P, AAA, mobile, and indie.

The consensus amongst my friends in game development is that it doesn't pay well for the amount of work they're doing, but it's what they enjoy doing so they're willing to tolerate it.

I should also mention that I am a bit of an anomaly - I'm an AngularJS expert, which seems to be in extremely high demand right now. I'm making around $160k (including stock compensation), and I may have even lowballed myself in salary negotiations.


You make almost twice the median for developers in the US, so I'm not surprised that you make twice as much as some of your friends (and more than twice as much as me).

To be honest, I had no idea such salaries were to be found in web dev, especially by specializing in popular JS frameworks. Thanks for sharing! I'd be curious to know your location and how much experience you have in Angular. [update: Oh, I see you posted 1.5 years in web dev.... wow, maybe I should reevaluate things]


Wow, thanks for the salary datapoint! Do you live in a high cost of living area like California, New York, etc (anywhere it costs $2k/mo for a 1 bedroom) or a less expensive area?


Silicon Valley, recently moved from Washington, DC - I could have easily nabbed compensation for a little less around Washington, DC for what I do though. My move out west is for largely personal reasons.


I have experienced similar. I have surmised that it's because as a web developer, sometimes the work I do for my clients one day translates into actual dollars either saved or generated the very next day.

It seems easy to justify paying well given that immediacy as opposed to a developer spending much more time/money optimizing GPU physics engines whose benefits would not be felt until the game was slightly better than its competition when it is released in a year.


As a web developer, that's very strange to me. Honestly game development seems MUCH harder (from what I've experienced). Not sure why that's the case.


Difficulty has minimal impact on pay. It's really just a supply / demand issue and plenty of people want to be a game dev at least for a while which drives down pay.

Not necessarily total compensation but defiantly pay / hour.


What are your thoughts on this alternate hypothesis? Rather than the whole gamedev industry being on par, perhaps only RAD's salaries have been.

I know your personal network is extremely large. If you have a lot of knowledge about the topic of gamedev salaries, I'd love to hear more. Since talking about salaries with colleagues is typically verboten, I'm curious how you collected your salary datapoints and what your sample size is.

There's a lot of anecdotal evidence of studios underpaying interns and programmers who are straight out of college, and regularly working people 60 or 80 hours a week. The anecdotal evidence fits my own personal experience, but perhaps my experience isn't representative of the whole industry; maybe I was just unlucky with my first couple studios.


I'm not using my own salary history as a benchmark. The IGDA salary surveys and my exposure to a range of developers seem to bear out my remarks. As for how I know salaries outside of public surveys, I am on a private forum where people talk about both their own salaries anonymously and what their companies typically offer when hiring.

I appended a paragraph to the original post explaining the effect of coolness on first-job salaries. I do think it plays a role there. Companies like EA are notorious for using fresh graduates as a revolving source of underpaid labor. As for long hours, my impression (here I have no survey data) is that it's become much rarer.

I think what happened economically is that by the early to mid 2000s, the main technical challenges of game development had almost nothing to do with anything specific to games. Compare that to the impression of game development you might have gotten from reading Abrash's articles on Quake. Because of that, good game programmers were able to easily get jobs outside of games, and good non-game programmers were able to quickly get up to speed on gamedev specifics. Hence wages equalized. That also explains why wages for designer and artists are still relatively lower.


Thank you for your insight. I'm trying to track down the surveys you mention. Is this one? http://www.gamecareerguide.com/features/1108/game_developer_...

It's from 2012. Average salary for devs with less than 3 years experience: $66,116. The average for 6+ years experience is $103,000.

Here's a survey from 2001 with 1,801 datapoints: http://www.gamasutra.com/features/20010715/Salary_Survey_200...

Average salary in 2001 for the same position: about $55,000. For those with 6+ years, it was about $70,000.

It seems like a webdev outside the Valley who has 6+ years experience should be making more than $103,000.

If those surveys are to be trusted, it sounds like your $85k starting salary was about 50% higher than average at the time.


From what I know, the three major salary surveys are from IGDA, Developer and GDMag (now defunct). Here's the summary of GDMag's 2012 survey: http://www.gamasutra.com/view/news/189893/Industry_in_flux_W...

It puts the US average at $84,337. The 2012 averages I can find for web developers are significantly less than that ($60,000-80,000). Part of the problem with these comparisons is that "web developer" is a much wider category.

> It seems like a webdev outside the Valley who has 6+ years experience should be making more than $103,000.

I don't see why, unless you are in a special high-demand bracket of web development. That's a very respectable salary in most areas!


> Also this was before Freelancer.com, before code.org.

This was in 2004, 3 years after the dot com bubble burst and was getting rosy again. Everyone and their mother's with a blog were making hundreds a month.

Programmers have been peddling shareware since BBS days.

Are you really calling Germany a 3rd world country?

> Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.

So why is this not legitimate work?

> Often too much skills and too little to do to start. Then you stumble upon a IRC channel and a world of challenges opens in front of you. Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.

This is a pretty arrogant statement. Many programmers don't program malware not because they aren't smart enough, they don't do it because it is socially unacceptable and they don't have a criminal mind.

If you feel the need to "learn" about security, don't exploit, trojan, or ddos my server. Do it to your own computer.


> Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.

I'm about four years older than Gembe, when I was 18 I endured:

Threats of violence, death threats, constant insults (such as 'paedophile', 'baby rapist', 'retard', 'cunt', 'fat cunt', 'queer'), people spitting in my face, prank calls at two in the morning, false accusations (eg. being accused of threatening someone, said someone would regularly say to me "I'm going to kick your fucking head in"). Being called 'cunt' every other day tends to become a drag after twenty years or so.

My 33rd birthday is fast approaching, I still have trouble with other members of society treating me poorly. When most people go to work, they don't expect to put up with threats of being punched in the face. When you complain about your treatment at work, you don't expect to lose your job a week later.

I've spent the last two years learning programming, ten years ago I decided to learn a load of maths (my education wasn't that good). On both occasions the response often was "stick to what you are capable of" or "go and learn something useful instead". Or how about the time someone at the Job Centre decided I was incapable of filling out forms by myself, then filled it on my behalf without my permission, complete with a few silly spelling mistakes.

Gembe sounds to me like he has had it easy.


I think you're being a tad melodramatic. I think this guy should be held accountable because he did wrong. The 2 years of probation he got feels reasonable.


> Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.

Nice justification of criminality. "But I was bored and talented!"

Oh dear, who are we to stand in the way of your genius then?


Nice black-and-white view of humanity. I felt for this guy, because it could easily have happened to me, and my upbringing was probably a paradise compared to his.

Especially in the case of juveniles, we (as a society) should be understanding of minor indiscretions, and look to guide kids onto a better path. Thankfully the German justice system seemed to get that.


> Nice black-and-white view of humanity

I don't have a black and white view, I just don't buy "I was bored and clever" as a justification for breaking the law.


> I don't have a black and white view, I just don't buy "I was bored and clever" as a justification for breaking the law.

What is "the law", for who and by whom they are created for?

We need to first realize that there are no such a thing as "The law", and the limits of right and wrong are pretty shady if you think we live in a world that is multicultural and multi-subjective with several different realities and values, all of them valid in their own context..

For me "The law" here, which we supposed that are controlled by the state in our own interests, are actually serving corporate interests.. the same ones the US(at least the people) now are fighting against in cases like the net neutrality..

Whatever "The Law" is, it must serve their own people, and care if the execution of the law are being effective not only for the society in general, but also for the people being convicted by it..

In that context, we need to ask, why "the american society" represented by "the law" thought that kid was a risk to them, in a way he should be in prison for it..

The other aspect is , the culture and the companies created in american soil have to right to use the american law to put a german kid in jail

What values are you defending, when you put a kid the way they did in prison? what this gonna do with the kid? destroy his life? sure!! for what? this kid did marketing to HL2 for free!! Valve made millions of it!!

I think it didnt work for the society in general and less so for the kid.. really America scares me(as a outsider), sometimes the same way a country where i would be in doubt about my human rights being respected.. because of things like this...

I think this is not something to be proud of, but ashamed


Okay, I can understand you feel passionately about it, but I'm not commenting on the validity of the American legal system's actions.

I'm merely commenting on how intelligence doesn't lift one above the legal system you reside within.


An odd position, as you're well known for hiring someone to break into TriOptimum and remove ethical constraints for the Sentient Hyper Optimised Data Access Network.


A pragmatic approach to the situation might suggest that reward is a better deterrent than punishment in these cases.


> Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.

That's been essentially my entire (for money) programming career and I adore it, taking a crappy manual/outdated process and refining it to create a tool that becomes a core part of a customers business is vastly rewarding to me.


Why should we not treat people who make mistakes like humans if they show genuine remose and a desire to reform, such as this guy or e.g.: Kevin Mitnick? The justice system is supposed to be (in most countries, at least) to be a method of both punishment and rehibilitation. Why not find ways to assist them in completing the latter?

I don't think it's particularly farfetched to expect relatively socially ostracised teenaged boys to not make the best judgement decisions right as they are developing their computer science skills. Most of them end up becoming relatively well-adjusted (within the scope of an introverted computer nerd) people so why not help them in that development?


Why should we not start with black guys instead of making special exceptions for white kids committing "white collar" crimes? Why does the involvement of computers make some criminals better than others?


I see nothing in what NamTaf said that means we should be 'making special exceptions for white kids committing "white collar" crimes'. To me they're saying that we should treat anyone as a human if they show genuine remorse and a desire to change. This could apply to any crime committed by any race, any age and any gender.

The fact that you throw the race card down so quickly when it comes to a discussion about crime concerns me.


https://en.wikipedia.org/wiki/Fallacy_of_relative_privation

"What about the people wrongfully on death row?"


He's not saying that we shouldn't. But the U.S. is overwhelmingly focused on punishment, retribution, and incapacitation rather than rehabilitation. Essentially victim blaming, if you want to look at it like that. Opinion: It's going to take system-wide reform to accomplish anything meaningful.


I was specifically trying to avoid making a judgement on particular nations' systems because I didn't particularly want to bring that in to it. You are right however and that's touched on in the article, where the German federal police say that he was lucky they got to him before their US equivalents did. The US system is far more punitive than many European equivalents.


so..a person that murders an innocent person is now a victim?

some people are past the point of rehabilitation and should be in prison.


> some people are past the point of rehabilitation and should be in prison.

If we made a serious effort of rehabilitation in the US penal system, then this might be fair. We don't. Prisoners, especially those who commit the crimes in their youth, are screwed under our current system. The younger criminals, like their non-criminal youth counterparts, just don't know or don't appreciate the options available to them regarding education and learning trade skills. We put them into an environment with other people we've given up on and somehow expect that when they get out a year or a decade later they'll be ready to reintegrate into society. They didn't have the skill set going in, and they won't have it coming out. Many of them will continue to live on the fringes of our society, perhaps making a meager living as unskilled laborers. Others will fall into a crowd that keeps them involved in crime or other "antisocial", or however you want to describe it, behavior.


As harsh as this sounds, I agree. My brother is my personal example. He had 4-5 chances at rehabilitation. First it was small stuff like pawning my mom's jewelry then it was breaking and entering to the neighbors or my dad's truck or whatever as I've not heard all of the charges. The system gave him several breaks and it would last 6 months (or less) before he was at it again each time worse than the last. I am only grateful that he is in for the next 20 years so he cannot be even worse. Also as a juvenile the book was not thrown at him and was always released back to custody of my father who was very welcoming and tried his best but some people are beyond hope.

The only good thing that came from him was my nieces and even they didn't really turn out that great due to probably a twisted childhood and weird relation with dad.


Because violent crime is, uh, worse than non-violent crime? Because it harms others more directly, and because the second-order effects of living in a society where violent crime happens are much worse than those of living in a society where white-collar crime happens?


Violence wasn't mentioned at all


Let me cite another comment.

"I felt for this guy, because it could easily have happened to me,"

This doesn't explain why we ought treat these crimes as different. But it does explain why we do treat them different. I think.


I agree that what I did was bad, but to say that it takes no talent is just wrong. In fact some of the things were more challenging than anything I've come accross at any of my jobs (programming embedded device firmware, test automation and realtime graphics) in the last 10 years. And no, I couldn't find even a "boring" programming job where I lived. Of course I tried, I tried a lot. Really, you have no idea what kind of shithole the place I grew up at was for programmers. Still, that doesn't excuse what I did, and I'm sorry for it.


The past is the past. You shouldn't have to run around apologizing for the rest of your life. And I hope you feel welcome in communities like HN. You have a lot of talent.

What have you been up to over the years? It'd be cool to hear about your career and life in general.


> I don't feel sorry for malware writers. They are not oppressed and deserve what they got.

Few people in US prisons [1] deserve what they're getting. It takes a cold-hearted prick to honestly believe what you've written.

[1] While this guy wasn't, the sort of people deftnerd is talking about are.


The problem is that this guy was young, relatively speaking, maybe about 20. The headline calls him a "boy", so he was certainly under 21.

By the time I was 21, I certainly wouldn't have done something like what he did. But, just a few years earlier, say at 18, yes, I did stupid things. In his position I probably could have done what he did. At that age many "boys" brains just aren't developed enough to truly understand right and wrong.

I'm not saying they shouldn't be punished. But I am saying they definitely shouldn't be punished harshly. In this case he was lucky to receive two years of probation as punishment. Something like that, or perhaps what we call "community service", is certainly more appropriate than throwing him in adult jail with hardened criminals.


>They are not oppressed and deserve what they got.

Depends what you mean by that. In this guy's case, had he boarded the plane he would have gotten two decades in an American jail, versus two years of probation in Germany. I think he should be held accountable, but somehow, given the nature of the crime and the surrounding context, I think Germany got it right.


Some of the people behind bars are because they did something that was morally right but condoned by the government. While I can't argue for the guy mentioned in the article, people like Bradley Manning are wasting away their lives. Do you really don't want to help these victims?


I don't like doing this (replying without actually extending the conversation) but you've missed a word:

  morally right but not condoned by the government.
                    ^^^


This guy doesn't belong in the same category as Manning and Aaron Swartz.


How was what Chelsea Manning did morally right? Leaking that much information that could put other peoples' lives at risk isn't exactly morally right.


You're assuming he made money.

Not everybody does it for money actually his motivation was quite clear he liked the games but couldn't afford to buy them legit.

A situation i can relate with given I've been in a similar one.

Nowhere in this article was there a mention of hacking in order to make money.


How sad it must be, to live without compassion.


I must have been following the grugq[1] way too much because all I couldn't help thinking about the massive OPSEC mistakes he did.

Fortunately he was apprehended by the German Police, but things would've been way different had took that plane.

[1] There's a great presentation from him on video, including analysis of OPSEC failures from other hacker groups: https://www.youtube.com/watch?v=9XaYdCdwiWU

[2] Another timeless classic: "Don't talk to [the] police", which explains why it is never in your interest to talk to the police when you are suspected of a crime (even if you are innocent): https://www.youtube.com/watch?v=6wXkI4t7nuc


Sounds like a cool project. Let me know if you want some front end help.


I'm also going to ask publishers for donations of older copies of technical books to send them.

Not allowed to send books for UK prisoners as it contravenes their new "incentives and earned privileges scheme". Books are a luxury to be earned, apparently. http://www.theguardian.com/society/2014/mar/24/ban-books-pri...


I still remember the day HL2 leaked. All of my friends and I were in IRC trying to download the damn thing from DCC bots.

I was lucky and got a slot that provided the full 80kbyte/s. I finished the download first, but my PC was pretty old back then so I didn't even bother trying to run it. Instead, I removed my hard drive (my system drive!), picked up a friend and we drove to another friend who had the fastest PC at the time. About 30 mins later all of us (I believe 5 or 6 guys) gathered in a tiny dorm and just stood in awe as we booted up HL2.

There was barely any gameplay present. You could just walk around in some maps and admire the graphics. It didn't matter. If we hadn't been stoked before, we were now.

In hindsight, this all was just an amazing PR stunt. Fun times.


Your account brings back gaming memories from the late 90's and early 00's. "Leaks" and pirated copies of games ruled the day, and only served to make us all even bigger fans/obsessed gamers. The idea that you were using/seeing something that hadn't been released yet was thrilling and made us all even more dedicated to gaming. Of course then we were all poor college/HS kids, but most of us eventually got jobs and turned into Steam customers.


Unfortunately, I've never found an in-depth discussion about the part about where they attempt to lure him to the United States so that he can be arrested. It always strikes me as a bit excessive.

That Valve worked with the FBI to get him sufficient permission to enter the US with the false pretense of getting a job seems to make this feel like much more personal than anything else.

And I'm left scratching my head as to what it really would have accomplished...


I'm not condoning breaking into the network and stealing source code, but what financial damage did this cause to Valve? The article repeatedly refers to financial damages, but I'm not sure how that is.


There was no financial loss. The surrounding press attention may have even helped sales. I still remember the news at the time a decade later. The real cost is the ordeal he put the people at Valve through.


I also think that Valve used him a bit as convenient scapegoat to explain why the release of the game was pushed back another year.


Probably. Background: Half-Life 2 was contending with Duke Nukem Forever for the greatest vaporware title ever, when Valve released gameplay footage and a definite release date. The half-done state of leaked game and the subsequent one year delay caused people to think it might never ship.

Of course, when the game finally came out to rave reviews, all was forgiven.


Good point. I'm sure those were stressful times to be at Valve


Well first of all, the game appeared to be playable, so there's the piracy aspect.

The Source engine is also licensed to other games. If the code is public, other engines could copy their features.

Also it is very annoying to re-secure all your computers after you have been breached. Every single person has to change their password and you don't know what backdoors the guy has installed without a full wipe sometimes.


The game was not really that playable - you could boot up isolated levels, but it was completely unfinished. Huge chunks were missing. There's no way it would make a suitable replacement for the game that would be released much later.


Playable???? Not even close :/ It barely worked from what I can remember (I was very young at the time). It certainly made me even more excited for HL2's release though.


The piracy aspect is bogus, most games are cracked within days of release anyway.

Like other commenters said, they used him as a scapegoat; he did zero damage except make poor ol' Gabe worry.


Obviously they should've spent the time to secure their network before hand!

Also, can't say I buy the hypothetical piracy cost. Does anyone have any examples of other engines copying Source features from the source code?


I reject the argument that Valve had it coming since they didn't take the time to secure their network beforehand. There are almost always going to be holes in the security of any system, especially digital ones (since they have a larger surface area to consider), so blaming the victim of a break-in implies that everyone should just resign themselves to being hacked sooner or later. Valve surely made at least some efforts to secure their systems, but even if they did not, that would not justify the morality/ethicality of entering their servers without permission.


> I reject the argument that Valve had it coming since they didn't take the time to secure their network beforehand.

I think the suggestion was that the time taken to secure their networks shouldn't be counted as "damages", just something that needed to be done regardless.


Scrubing all the machines for new backdoors isn't something that needed to be done beforehand.


I reject that I said they had it coming.

My point is that re-securing their network does not seems like a financial damage to me. If they had known about their vulnerability beforehand, I'm sure they would've spent the time and money to fix it then.

Plus it's something they needed to do anyway.


The Half-Life 2 source would have been an incredible learning tool for anyone interested in engine design at the time. That knowledge is their competitive advantage.


This I can start to understand/buy. Good point


Valve claimed it to be $250 million. German police made fun of that figure, they believed someone added a few too many zeres.


Securing their network properly after that probably costed them some money they wouldn't bother to spend otherwise.


Can't say I'm convinced. They probably wish they'd spent that money securing their network before this happened...

Also, who else had access to their network? This kid getting caught may have saved Valve from other breaches...


The game was delayed a year because of the hack.


It said it was delayed by a year before the hack.


In what way? How could that make sense?


The HL2 team rewrote major portions of the Source Engine in response to the hack.


Why would the leak cause major portions of the engine to need to be rewritten?

Seems more likely that it was a convenient excuse.


it was used as an excuse, the real reason is that Valve is REALLY slow at developing games.


I wouldn't say they're slow. You wouldn't believe the rate they're adding features to Dota 2, for example. I believe that they're actually quite a small crew with very ambitious projects, and they tend to move around a lot.


Major parts needed rewrite to not make it so easy to develop cheats for the game.

If the hackers would have the source, they would not even need to reverse engineer the engine to build their aimbots/wallhacks.


That does make zero sense.


It was a fear years ago when Quake was open sourced [1]. In Valve's case, the programmers probably had to audit all the source code in order to reduce possible exploits.

[1] http://www.bluesnews.com/cgi-bin/finger.pl?id=1&time=1999122...


I don't know. Ask gaben.


So he can act interested in my question, invite me for a friendly discussion over coffee, and then arrange to put me in a cage? Seems like a terrible idea.

Gosh, Valve must hire great PR. I had completely forgotten their overt evil actions around this incident.


The bigger issue was that (IIRC) the source for Steam, which wasn't yet launched, was also leaked.


Interesting story, terrible article. Valve has always followed the "when its ready" release model. The article makes it sound like there was a huge conspiracy to keep valve's ineptness a secret, else Gabe would have no alternative than to commit ritual suicide.


We're used to that model then, but this was a long time ago - before "Valve time" was so accepted. They had been publically stating that the game was weeks from release, not saying "when it's done" at all. Additionally they had demo'd at E3 and claimed the demo was not scripted, whereas the leak showed it was almost entirely so.


>We're used to that model then, but this was a long time ago - before "Valve time" was so accepted.

"Valve time" was already universally accepted. Between Half-Life, TFC, and Counterstrike, there was an enormous amount of good will towards this company even back then. Plus, we were already used to "Valve time" because it was actually "id time." Id had been doing it for nearly a decade before HL2 game out.

>Additionally they had demo'd at E3 and claimed the demo was not scripted, whereas the leak showed it was almost entirely so.

The guy who obtained the source code himself said that there were so many builds on valve's servers he had no way of knowing whether or not he had the most current build.


Furthermore "...to find his bed surrounded by police officers. Automatic weapons were pointing at his head..." - that doesn't sound like Germany. Guns are only drawn if you are visibly armed.


Pretty amazing accomplishment for the German police: they fired only 85 bullets in 2011 http://www.thewire.com/global/2012/05/german-police-used-onl...


The guy is extremely lucky for getting into the hands of the German police and because of his nationality.

I think that if he wasn't German, but from another 'major' or 'minor' EU country, Austrilia and many others he would have been extradited at no time to the US.


I remember reading this article a few years ago. It was a very divisive article for me. Early 20s me would have felt bad for Gembe. Early 30s me felt bad for Valve.

I don't know where the cycle goes from here. Maybe the real wisdom is feeling bad for both?


This was an amazing and somewhat sad story. How's Gembe doing today? Based on his near adoration of the Valve developers, it would be fitting if he worked in the gaming industry. Maybe he could set things right by helping to make Half-Life 3?


I worked programming fire alarm systems for a while, embedded device programming and test automation. Now I started doing realtime graphics in Bejing. Working on using the Kinect to do gesture input on presentations on really big screens. Like Powerpoint on steroids.


The article didn't have any information on the person you passed the source code to. I assume they tried to figure out who it was? What happened to them?


I think I already confirmed it on reddit after someone else said it. I shared it with SourceX from myg0t and he shared it with other people inside myg0t. It was really stupid to do ... yay hindsight :(


LOL! I like the fact (happens all to often on HN) that we 'discuss' about a guy and he shows up and answers himself :-)

What was done, is done. Wish you all the best in your life.


haha yeah. I was surprised at that too. Its really a great community we have here at HN.


From the previously linked AmA:

"This was actually one of the interview questions, don't know why they didn't use the answer. I work as a software developer and a bit of a system administrator. I work in a company that does physical security, like fire alarms and such. Most of the work I do is programming PC control software for our systems and also quite some firmware development for various uCs. I know quite a bit of different assemblers. Measurement and automation is another field that I'm currently learning more and more."



Maybe he'd share the source with his friend again.


I wonder if it was around this time when people wisened up to disabling zone-transfer requests. Tangentially, I took part in a CTF recently and one of the tasks was to get the list of hosts from a domain. The hint was "My sword. My bow. And my Axfr!"


"Have you any idea how lucky you are that we got to you before you got on that plane?"

I think the German police officer was right. If you got arrested on US soil, (your side of) the story could have been very, very different.


Valve didn't use password hash salting? That seems borderline ridiculous. Pretty much the only way he could have broken the hashes is if this is so.

Valve's use of SourceSafe at the time is another black mark, though not related to the security breach.


The only take-away here is that it's better to pay for a third party to secure your network, or a have a small team (2-3 guys) doing the administration/security-audit properly. I can't blame developers for not being security experts.

Developers != System Administrators != Security Experts

ps. The most important part however, are the developers, without them the other two groups wouldn't exist. :-)


"Have you any idea how lucky you are that we got to you before you got on that plane?"

The difference in the way he was treated by police and the justice system (and how different it is than what we've come to expect in America) is what struck me the most about this story.


Same. They let him grab something to eat and even smoke a cigarette before they brought him in. Then he gets two years of probation. It all feels very reasonable to me. Compare that to the $1 million fine, 35 years in prison (followed by 3 years of supervised release) Aaron Swartz was facing by downloading documents anyone can access just by virtue of connecting to the campus Wifi. There is definitely something really off here.


> Compare that to the $1 million fine, 35 years in prison (followed by 3 years of supervised release) Aaron Swartz was facing

Swartz was NOT facing anywhere near 35 years in prison. He was facing, if he went to trail and lost on all charges, and the court decided that he had caused a large amount of monetary damage, around 7 years. If he had taken the plea bargain that was on the table, he was facing a few months.

Prior discussion with more detail: https://news.ycombinator.com/item?id=7004640


Unbelievable.

>Swartz was NOT facing anywhere near 35 years in prison.

You know why people keep using that number? Because that's the number the attorney's office itself used in its own press release. That's why. But OK, let's be reasonable here. I'll fix it:

>"Compare that to the $1 million fine, up to 35 years in prison (followed by 3 years of supervised release) Aaron Swartz was facing"

There fixed it. Happy??

I'm sure from your armchair perspective, you can find nuance in saying that he wasn't __likely__ going to get 35 years, instead, he'd get a quick 7. Yet, I think if you're in that position, you may still be looking at that 35 or 50 year number. The sentencing judge could have made an example out of him as well, no? It's not like never happens. And of course, the best outcome is that he's looking at 7 + . Justice!

Of course this raises another relevant question. Why is it that prosecutors like to load-up on charges to get their nice maximums? Is it so that their office can do those great press releases extolling how tough on crime they are? Or maybe to bully the defendants into taking whatever deal they cook-up in order to get another notch on their conviction belt? If you think 7 years (here's your nice, reasonable almost-a-decade number, happy?) is what the law calls for, why not charge him for 7 years?

>If he had taken the plea bargain that was on the table, he was facing a few months.

That's right, he didn't, and then the prosecutor loaded up 35 years of charges and pulled the plea bargain off the table. Because why? To teach the next guy to not be so uppity and force them to cow-tow to prosecutor demands?

Ridiculous.


Macspoofing wrote:

    You know why people keep using that number? Because
    that's the number the attorney's office itself used
    in its own press release. That's why. But OK, let's
    be reasonable here. I'll fix it:

    "Compare that to the $1 million fine, up to 35 years
    in prison (followed by 3 years of supervised
    release) Aaron Swartz was facing"

    There fixed it. Happy??
If you had bothered to read the references that were in the comment I linked to, you would know that prosecutor press releases are not useful in these matters. This is the algorithm they use for coming up with a number:

    years = 0
    foreach charge as c
        years += maximum_sentence_someone_can_get_for(c)
Note that there is nothing in there about the particular defendant or the particular instance of c that defendant is accused of. Each charge has a sentencing range from probation up to several years in prison. The judge does not have free reign to pick from within that range. The Federal Sentencing Guidelines set a maximum based on the defendant's prior record and based on the details of the particular instance of the crime at hand and on the damages done.

Note also that the press release algorithm just adds these up for all charges. In reality, related charges are grouped together under the Federal Sentencing Guidelines. If you are convicted on more than one charge in the same sentencing group, you are only actually sentenced for whichever one gives the longest sentence.

    I'm sure from your armchair perspective, you can
    find nuance in saying that he wasn't __likely__
    going to get 35 years, instead, he'd get a quick 7.
    Yet, I think if you're in that position, you may
    still be looking at that 35 or 50 year number. The
    sentencing judge could have made an example out of
    him as well, no? It's not like never happens. And of
    course, the best outcome is that he's looking at 7 +
    . Justice!
No, 7 years was not the best outcome. It was the worst outcome. It was the outcome if the judge decided to make an example of him. This is not the armchair perspective. This is the perspective of anyone who is familiar with the Federal Sentencing Guidelines, and how they are used.

You could have been one of those people, if you had bothered to read Orin Kerr's incredibly detailed analysis of the law in this case that was cited in the comment I linked to.

    Of course this raises another relevant question. Why
    is it that prosecutors like to load-up on charges to
    get their nice maximums? Is it so that their office
    can do those great press releases extolling how
    tough on crime they are?
Answered in the references I gave. Too bad you didn't read them.

    Or maybe to bully the defendants into taking
    whatever deal they cook-up in order to get another
    notch on their conviction belt? If you think 7 years
    (here's your nice, reasonable almost-a-decade
    number, happy?) is what the law calls for, why not
    charge him for 7 years?
Up to this point, you were simply being willfully ignorant. Now you just being dumb. Defendants who have not dealt with federal charges before, and so have had no occasion to learn about the Federal Sentencing Guidelines and how prosecutor press releases are way overflow, will learn this as soon as they talk to their lawyer after being charged.

        If he had taken the plea bargain that was on the
        table, he was facing a few months.

    That's right, he didn't, and then the prosecutor
    loaded up 35 years of charges and pulled the plea
    bargain off the table. Because why? To teach the
    next guy to not be so uppity and force them to
    cow-tow to prosecutor demands?
The plea bargain offer for a few months sentence was on the table until the very end.


Chiming in as per usual to note that Swartz's own lawyer wrote in a blog post after the tragedy that he believed Swartz was unlikely to receive a custodial sentence of any sort even had he taken the case to trial and been found guilty. It was a non-remunerative computer crime by a first-time offender, both of which are factors considered by the Federal Sentencing Guidelines.


>There is definitely something really off here.

It's almost as though, by treating criminals so harshly as we do here ("tough on crime" is a popular slogan for politicians), that instead of reducing crime, we reduce our society's recognition of each individual's humanity and value, and thus cause crime to rise.


You mean the difference between justice system and revenge system.


> The difference in the way he was treated by police and the justice system (and how different it is than what we've come to expect in America) is what struck me the most about this story.

The fact that they were setting a trap for him was also relatively shocking. Don't they have to follow due process?


What part of inviting a criminal you've gathered significant recorded evidence against (eg, their own telephone confession) to a place you can arrest him do you think violates due process?


Well, lying about your true intent. It's not like he knew he was going to be arrested.


Police in the US don't have to tell you what they're doing up until the point they decide to exercise their power (i.e. searches or arrests) either, last time I checked. They can ask you to go somewhere and you can voluntarily comply or choose not to.


So you are OK with women police officers dressing up as prostitutes to attract potential costumers and then arresting them on the spot ? That's extremely twisted. There's a reason why in many countries police officers HAVE to wear uniforms.


Yes? I'm pretty okay with this. I'm okay with police going undercover, too, to bust up gangs. It turns out that policework is more than just standing in a pretty uniform.


Which countries are you talking of, may I ask?


Why is it twisted?


Because the police should be busy catching criminals instead of trying to trick innocent people into criminal acts when they are not doing any.


There are two points I want to address here: first, let's be clear that if you commit a crime just because somebody asks you to, it's probably better if the police have you on their radar.

Second: Let's not forget what you were originally complaining about. "The fact that they were setting a trap for him" is what you said.

But it's not really the same sort of trap, is it? In one scenario, you think the police are tricking somebody into committing a crime, so they can be arrested. Sure, that's a valid and interesting discussion to have. But in the other scenario, you're complaining that somebody who has ALREADY committed a crime, and confessed to it on the phone, with no duress, is being tricked into being arrested. That's a very different situation, and I'd be very interested to know why you think that this situation in particular is objectionable. The kid committed a crime; he confessed to it freely. The police got busy catching him; isn't that exactly what you think they should be doing? He's not an innocent person being tricked into a criminal act.


You can't really blame a kid at that age... Kids at that age have no sense of fear or can't recognize what is punishable or not. Everything is a game, especially years back as that internet was not so evolved and the laws around it weren't so strict.

Its Valve's fault for letting a 16 y/o install malwares on their computers... When you are developing something you got to be serious about its security as well if you want it to remain a secret. It feels to me like their employees and IT department had no actual sense of what security was (Employees going off installing whatever on their computer, and IT team not being able to track down malware and outgoing packets to unknown sources...)




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: