Gaming —

Catching up with the guy who stole Half-Life 2’s source code, 10 years later

From Death by Video Game: can you love a game so much you must take its sequel?

Catching up with the guy who stole Half-Life 2’s source code, 10 years later
Valve

At 6am on May 7, 2004, Axel Gembe awoke in the small German town of Schönau im Schwarzwald to find his bed surrounded by police officers bearing automatic weapons.

One officer barked: "Get out of bed. Do not touch the keyboard." Gembe knew why they were there. But, bleary-eyed, he asked anyway.

"You are being charged with hacking into Valve Corporation's network, stealing the video game Half-Life 2 , leaking it onto the Internet, and causing damages in excess of $250 million," came the reply. "Get dressed."

Seven months earlier, on October 2, 2003, Valve Corporation director Gabe Newell awoke in Seattle to find that the source code for the game his company had been working on for almost five years had leaked onto the Internet. The game had been due for release a couple of weeks earlier, but the development team was almost a year behind schedule. Half-Life 2 , one of the most anticipated games of the year, was going to be late, and Newell had yet to admit to the public how late it would be. Such a leak was not only financially threatening, but also embarrassing.

After he had spent a few moments pondering these immediate concerns, an avalanche of questions tumbled through Newell's mind. How had this happened? Had the leak come from within Valve? Which member of his team, having given years of their life to building the game, would jeopardise the project in the final hour?

If it wasn't an inside job, how did it happen? Did someone have access to Valve's internal server?

Simon Parkin's book, <em>Death by Video Game: Danger, Pleasure and Obsession on the Virtual Frontline,</em> comes out on hardcover <a href="https://www.amazon.com/dp/1612195407/?tag=arstech20-20 21</a>.
Enlarge / Simon Parkin's book, Death by Video Game: Danger, Pleasure and Obsession on the Virtual Frontline, comes out on hardcover June 21.
Melville House

The question that rang loudest of all will be familiar to anyone who has ever had something stolen from them: who did this?

"I got into hacking by being infected myself," Gembe tells me. "It was a program that pretended to be a Warcraft 3 key generator and I was stupid enough to run it. It was an sdbot, a popular general-purpose malware at the time."

The young German soon realised what he had installed on his PC. But instead of scrubbing the malware and forgetting about it, he reverse-engineered the program to see how it worked and what it did.

By following the trail back, Gembe was able to track down its operator. Rather than confronting the man, Gembe began asking him questions about the malware.

"At the time I couldn't a afford to buy games," he explains. "So I coded my own malware to steal CD keys in order to unlock the titles I wanted to play. It grew quickly to one of the most prominent malwares at the time, mostly because I started writing exploits for some unpatched vulnerabilities in Windows."

AXFR

In Seattle, Newell's first thought was to go to the police. His second was to go to the players. At 11pm on October 2, 2003, Newell posted a thread on the official Half-Life 2 forum entitled, "I need the assistance of the community."

"Yes, the source code that has been posted is the HL-2 source code," he wrote in the post. Newell went on to outline the facts that Valve had been able to piece together so far. He explained that someone had gained access to his e-mail account about three weeks earlier. Not only that, but keystroke recorders had been installed on various machines at the company. According to Newell, these had been created specifically to target Valve, as they were not recognised by any virus-scanning applications.

Gembe's malware crimes, while undeniably exploitative and damaging, were crimes driven by a passion for games rather than profits. His favourite game of all was Half-Life. In 2002, like so many fans of the series, Gembe was eager for new details about the forthcoming sequel. That's when he had the idea: if he was able to hack into Valve's network, he might be able to find something out about the game nobody else knew yet. He would have his moment of glory but more than that, he would have the reassurance that the game's creators had everything under control.

"I wasn't really expecting to get anywhere," Gembe says. "But the first entry was easy. In fact, it happened by accident."

Gembe scanned Valve's network to check for accessible Web servers where he believed information about the game might be held. "Valve's network was reasonably secure from the outside, but their name server allowed anonymous AXFRs, which gave me quite a bit of information."

AXFR stands for Asynchronous Full Zone Transfer, a tool used to synchronise servers. It's also a protocol used by hackers to peek at a website's data. By transferring this data, Gembe was able to discover the names of all the sub-domains of the company's Web directory.

"In the port scan logs, I found an interesting server which was in Valve's network range from another corporation named Tangis that specialised in wearable computing devices," he says. " Valve didn't firewall this server from its internal network."

Gembe had found an unguarded tunnel into the network on his first attempt. "The Valve PDC had a username 'build' with a blank password," he explains. "I was able to crack the passwords in no time. Once I had done that... well, basically I had the keys to the kingdom."

Fall 2003 was not the greatest season for Valve's Gabe Newell.
Fall 2003 was not the greatest season for Valve's Gabe Newell.
Kyle Orland

"You cannot stop the Internet"

There's something about the secrets and codes that video-game developers leave in their games that allows players a kind of glimpse behind the curtain. For a moment, the game's fiction is broken and a player is able to see the cogs and workings behind the virtual world.

Arguably the earliest example of an "Easter egg" in a game was in the 1979 Atari 2600 game Adventure. The game was programmed by one of Atari's young employees, Warren Robinett. Like many of his colleagues, Robinett was disillusioned with his employer's policy of not crediting the game's designers and creators. He added a secret room to the game that, if discovered, revealed the text: "Created by Warren Robinett." It was a way to leave his own mark on the virtual world he created and, for players who first discovered the room (long after the designer left Atari), it was a link to an unseen creator.

Gembe had broken into another secret room, filled with illicit treasure. It was, as he put it, a kingdom, one that he believed would solve the Half-Life 2 mystery.

At this point, Gembe wasn't bothered about covering his tracks. So far he had nothing to hide. But he wanted to ensure that he would remain undetected as he explored further.

"All I cared about at that point was not being thrown out," he says. "My first job was to find a host where I could set up some sort of hideout."

Gembe began to search for information about the game. He found various design documents and notes about its creation, the kind of material he hoped he might find. As the weeks passed, Gembe realised that nobody at Valve had noticed he was inside the company's network. He began to push a little harder. That's when he found the ultimate prize: the source code for the game he had been waiting to play for so many years.

The temptation was too great. On September 19, 2003, Gembe downloaded the unfinished game's code and made off with Valve's crown jewels.

"Getting the source code was easy, but the game didn't run on my computer," he says. "I made some code changes to get it to run in a basic form, but it wasn't fun. Also, I only had the main development 'trunk' of the game. They had so many development branches that I couldn't even begin to check them all out."

The secret was too potent for Gembe to keep to himself. While he maintains that he was not the person who uploaded the source code to the Internet, he undoubtedly passed the code to the person who did.

"I didn't think it through," he says. "There was, of course, an element of bragging going on. But the person I shared the source with assured me he would keep it to himself. He didn't."

Once the game was on the Internet, there was no containing it.

"The cat was out of the bag," says Gembe. "You cannot stop the Internet."

Channel Ars Technica