Scans of the Half-Life 2 Source Theft Raid!
Biohazzard56
2004-02-03, 08:57 PM
This is O F N for those of you who have seen it, but here are some scans of the actual warrant.
http://www.opencoding.net/misc/hl2/page0001.jpg
http://www.opencoding.net/misc/hl2/page0002.jpg
http://www.opencoding.net/misc/hl2/page0003.jpg
The interesting ones, which you probably care about
http://www.opencoding.net/misc/hl2/page0004.jpg
http://www.opencoding.net/misc/hl2/page0005.jpg
Corrosion
2004-02-03, 09:12 PM
:lol: nice find
AztecWarrior
2004-02-03, 09:55 PM
We got him?
Setari
2004-02-03, 10:06 PM
We got him?
prolly not :p but you said that it reminded me of that guy talkin about Saddam, Ladies and Gentlemen, We've Got Him.
or after that interesting flash posted, Ladies and Gentlemen, We've always had him.
:doh:
Infernus
2004-02-03, 10:26 PM
If he gets charged... well let's just say that we SHOULD feel very sorry for him... whether or not we do...
Squick
2004-02-03, 10:56 PM
It is absolutely amazing that hackers get caught... Or for that matter that people try to hack corporate networks from the outside any more. Network security is just too great.
For example my firewall logs complete headers of every packet that goes in or out of my network; every five seconds incremental logs are transferred on a read-only basis from the firewall to an offsite location. From what I have read about the HL2 hack it involved the hacker getting a keylogger on internal client machines via an e-mail to those users. The keylogger then sent its logs back to the hacker.
From there the hacker connected to Valve's network by FTP, using a stolen user's password, then downloaded a copy of the above listed software packages.
I can almost guarantee it will not be a seasoned, well educated, certified network security professional that conducted the theft, otherwise they would be scared shitless because while a lot of those steps could have their source address spoofed, the call backs and the download certainly are not spoofed; assuming he used automatic proxy hopping, it is still very likely that many of those free proxies out there are logging all traffic, or even being run by the US government acting as live honey pots.
So assuming Valve did not decide network security was not worth a pretty penny, it is almost a given that they have exact times and either a direct IP, or a bunch of proxy IPs.
I would love to know which keylogger he was using too... If it called back on its own port it should have been blocked. If it called back using a port like 80 or 21 then the firewall should be running stateful application-level proxies, which would easily be able to detect that the packet is not a real packet. The only thing I could see is if it established a valid SSL tunnel back to the host; a firewall is unable to see what is in an SSL encrypted tunnel, so as long as it is a valid tunnel it is let through. But jeeze, that is a pretty specific requirement for a keylogger, I doubt your average script kiddie would have any clue how a keylogger works at all!
So I am really curious to see who it is that did this... A dumbass would not know how to do it, and someone that knew how to do it would not be dumb enough to do it! That is of course assuming their network security is up to snuff, otherwise they almost deserve it!
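Squick's post above makes three claims about a keylogger calling home: on its own port it should simply be blocked, disguised on port 80 or 21 an application-level proxy should notice it is "not a real packet", and only a genuine SSL tunnel passes uninspected. The following is an added example, not code from the thread or any poster: it applies those three checks to a constructed set of outbound firewall records in Python (the addresses, the KLOG marker and the timings are made up), and additionally flags flows that call home at a fixed interval, which the post does not mention but the same log supports.

```python
import re
from collections import defaultdict

# Constructed sample of outbound connections as a firewall with application-layer
# inspection might log them: (seconds since start, src, dst, dport, first payload bytes).
# The KLOG records stand in for a keylogger calling home over port 80; they are made up.
SAMPLE_LOG = [
    (0,   "10.0.0.5", "203.0.113.9",  80,    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    (300, "10.0.0.5", "203.0.113.9",  80,    b"\x01\x00KLOG\x00\x17keys: h o m e"),
    (600, "10.0.0.5", "203.0.113.9",  80,    b"\x01\x00KLOG\x00\x0ckeys: s e c r"),
    (900, "10.0.0.5", "203.0.113.9",  80,    b"\x01\x00KLOG\x00\x05keys:"),
    (12,  "10.0.0.7", "203.0.113.20", 21,    b"USER anonymous\r\n"),
    (45,  "10.0.0.9", "198.51.100.4", 443,   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    (50,  "10.0.0.9", "198.51.100.4", 31337, b"keys: a b c"),
]

ALLOWED_EGRESS = {21, 80, 443}                      # assumed egress policy
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
FTP_COMMAND = re.compile(rb"^[A-Z]{3,4}( [^\r\n]*)?\r\n")

def classify(record):
    """Verdict for one connection, as an application-aware firewall would decide it."""
    _, _, _, dport, payload = record
    if dport not in ALLOWED_EGRESS:
        return "blocked_port"          # callback on its own port: policy drops it
    if dport == 80 and not HTTP_REQUEST.match(payload):
        return "protocol_mismatch"     # port 80, but the payload is not an HTTP request
    if dport == 21 and not FTP_COMMAND.match(payload):
        return "protocol_mismatch"     # port 21, but not an FTP command
    if dport == 443:
        # TLS handshake record: a valid tunnel the firewall can see but not look inside
        return "opaque_tls" if payload[:2] == b"\x16\x03" else "protocol_mismatch"
    return "ok"

def find_beacons(log, min_hits=3, tolerance=0.1):
    """Flows that call home at a fixed interval, as automated callbacks tend to."""
    times = defaultdict(list)
    for t, src, dst, dport, _ in log:
        times[(src, dst, dport)].append(t)
    beacons = []
    for flow, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and all(abs(g - gaps[0]) <= tolerance * gaps[0] for g in gaps):
            beacons.append((flow, gaps[0]))   # (src, dst, dport), period in seconds
    return beacons
```

Run over the sample, the three disguised callbacks on port 80 are reported as protocol mismatches, the 443 connection is only noted as an opaque tunnel, and the port 80 flow shows up again as a 300-second beacon.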
Squick
I have a CD with the Half-Life 2 alpha code on it.
No shitting. It's been going around my school for the past week.
Dharkbayne
2004-02-03, 11:33 PM
I'd like to have it just to say I have it, not to do anything with it
Best bug Evar -
when a texture does not exist, that texture is replaced by a big, red warning saying "ERROR." In one level, you have to throw a certain type of grenade, however, the explosion had not been skinned, so, you throw giant "ERROR" messages. It owns.
Biohazzard56
2004-03-09, 11:49 PM
This thread must be brought back
Dharkbayne
2004-03-09, 11:50 PM
No it must not. **lock plz **
http://news.bbc.co.uk/1/hi/technology/3414157.stm
The FBI has joined efforts to track down those who took part of the computer code of one of the year's most highly anticipated games, Half-Life 2.
Federal agents mounted a dawn raid on a San Franciscan computer programmer last week, seizing hardware and software.
The programmer, Chris Toshok, detailed the events on his web log, denying any illegal activity himself.
The FBI declined to confirm or deny the raid, but US law enforcement sources indicated the search did take place.
The FBI action is the first sign of a serious criminal investigation following the appearance of part of the Half-Life 2 source code on the internet last year.
Doug Lombardi, a spokesperson for the developers Valve, told BBC News Online, "the Half-Life 2 Source code theft investigation is ongoing."
Valve said the blueprints to the game had been taken from its computers after a hacking effort in September.
As a result of the leaked top-secret code, which accounted for about a third of the game, the release of Half-Life 2 has been delayed twice. It is now due out in April.
Hungry for 'evidence'
The FBI operation appears to have been handled by the Seattle field office.
The agents were accompanied by US Secret Service representatives, according to Mr Toshok. They questioned him about a group known as the Hungry Programmers, with whom Mr Toshok previously shared a house, he said.
Mr Toshok alleged the agents who carried out the raid were armed with a search warrant, which he scanned and posted on his blog.
It stated they had permission to confiscate any computer equipment, software or documentation that "contain evidence or fruits or that are or were instrumentalities of criminal activity".
The search warrant was issued by the Northern Californian District Court, and included the name of a Seattle FBI agent. The San Franciscan District Attorney's Office also verified to the BBC the identity of the judge who signed the warrant.
If any warrant is issued by the District Court, it means the operation is an "exclusive FBI operation", the San Francisco Police Department indicated.
The warrant also specified the seizure of "any and all items and documentation, in whatever form, referring to, or relating to Valve Software, Half-Life, Half-Life 2, Team Fortress, Team Fortress 2, Counter Strike, and Condition Zero".
The numerous items listed on the seizure receipt which Mr Toshok said the agents gave him, included an Xbox with controller, several computers, plastic containers, CDs, cables and several hard drives.
Lauded title
Half-Life 2's developers were devastated when they realised key parts of code had been leaked on the net in September last year.
They appealed to millions of the game's devotees to help track down the culprits.
The leaked code included the physics engine which drives how the game's action is shown, as well as the sound system and other bits of code from various developers.
Half-Life 2 is the follow-up to one of the most lauded games ever and has taken over five years and teams of 30 developers to create.
The first release won several awards for its intelligent characters, plot and challenging puzzles.
Cyanide
2004-03-10, 12:15 AM
Ok, what possible relevance could a CPU, printer, keyboard, monitor, and acoustic coupler have in a hacking investigation? Stupid cops.
BTW, if the guy did his hacking from an unsecured wireless network, he could easily log into Valve's network and it wouldn't matter if the firewalls or proxies logged his IP, because they'd never be able to trace it back to the right computer.
Biohazzard56
2004-03-10, 08:24 AM
It was a buffer overflow exploit in Outlook Express
Phaelon
2004-03-10, 11:15 AM
Interesting ideas Squick. For a company that is running dual DS3 lines, do you have any freaking idea how much traffic would be generated by examining every header to every file? Seriously dude, just because you do it on your home network does not mean it is feasible for most businesses.
If I go to a client's, and security is top notch priority, then I recommend things like this, however 99% of companies out there do not do this. Why? because it costs sooooooo . . soooooo . . much money to have great security.
Security today is NOT so good, it is horrible. Security on the internet is awful and wretched. If you think that for one second businesses are secured, you are wrong buddyo.
Let's take for instance my home network. I house a spam proxy server, that pushes email to an Exchange server. I run Linux as a webserver. I have 2 routers that run ACLs. If it gets through that, it hits my IPCop firewall. I have IDS turned on on it; it is a Pentium III 500 with 256 megs of RAM. With IDS monitoring my network it uses anywhere from 20 to 50% of its CPU and about 200 megs of its memory. It writes enough entries that it fills a 22 meg log file in 2 days. It then pushes that to my Linux webserver which runs a cron job to automatically post it to a website PHP generates.
In 8 days I have 88 megs of log file. This is for a network with 500 KB/s down and around 100 KB/s up.
At a client's, I use dual DS3 lines; I have 15 Linux Snort machines set up running IDS and checking everything. I have 2 people responsible for nothing but monitoring those machines and their logs. I am going to need a third person come May.
Valve was hacked solely because their IT department did not keep their patch level up to date. The majority of Windows bugs are found after a patch is released. From a network standpoint, there is only so much I can do.
I cannot sit down and examine every header, are you insane? Furthermore if you understand how the internet works, then most headers don't matter any more because of CIDR. A header will get you to point A, however the path that packet will now take is dictated by the router to which CIDR resides.
Phaelon
2004-03-10, 11:20 AM
"I would love know which keylogger he was using too... If it called back on it's own port it should have been blocked. If it called back using a port like 80 or 21 then the firewall should be running stateful application-level proxies, which would easily be able to detect that the packet is not a real packet. The only thing I could see is if it established a valid SSL tunnel back to the host, a firewall is unable to see what is in a SSL encrypted tunnel, so as long as it is a valid tunnel it is let through. But jeeze, that is a pretty specific requirement for a keylogger, I doubt your average script kiddie would have any clue how a keylogger works at all!"
While you bring to light a very good point, stateful application-level proxies are generally not turned on by default. I have no doubt their network personnel did this, however there are ways to get around this, and I can easily attest to spoofing myself onto other ports to play a game while at work, when I clearly set up the PIX to block that traffic.
The second you plug in, you are no longer secure. When you build the network, the routers, the firewalls and switches, you learn exactly where your holes will be; some can be stopped, some can't. Your network security goes from 100% to 50% that second you plug in.
Hamma
2004-03-10, 11:21 AM
Very nice :p
ZeusCali
2004-03-10, 01:07 PM
Squick (http://www.planetside-universe.com/forums/member.php?u=2340) got owned, didn't he?
Thank You Phaelon that is the 3rd time squick has posted that statement and each time he does the same thing "my super cool network would pwn haxors i r l33t theiyd nvr pass mi"
All Hail the Foreign IT man!!!!
Biohazzard56
2004-03-10, 05:40 PM
o f n
I made this thread over a month ago, i just bumped it