Disgruntled Russian Hacker Exposes Valve
April 20th, 2007
The Daily Tech have an article about a hacker who is currently holding Valve Software (the makers of Half-life) to ransom, having hacked into the system that manages internet cafe licences, and retrieved details and credit card information.
Most gamers will remember the bit of trouble that Valve had a couple of years ago, when a German hacker known as Axel G, or “Osama Bin Leaker” when he’s in a particularly powerful mood, snuck into their network. Internal emails were leaked, demos were leaked, and ultimately the source code to Half-life 2 was put on the internet. Valve burst into action like a coiled spring - instantly assembling a dynamic and energetic tiger team:

The fiasco resulted in a lot of hassle for the company, but they got some consolation in the end when they caught the perpetrators by pulling the oldest trick in the book - offering to hire Axel G as an in-house security auditor. Beaming with pride as he headed for the plane, ready to start his new life in America working on the game he loves, the poor boy had no idea that the FBI were laughing their asses off at the airport, doing Axel G impressions as they waited for him to arrive.
Axel G - a misguided enthusiast, suffering from classic notions of teenage hackers - convinced himself that he was working for the greater good. He claimed that the motive behind the source code leak was to expose Valve for lying to the public about the state of the game, which was far from finished, implying that they demoed a fake version of the game at E3.
This latest haxor, MaddoxX, displays the same symptoms of a glorified self-image, probably seeing himself as half Robin Hood, half Darth Vader and half Zerocool. However, by comparing the number of x’s in their names, we can assume that MaddoxX is at least twice as l33t as Axel G, and thus less likely to fall for the “hey, you’re good! Come and work for us” trick. I would remind Valve of the old Chinese proverb that is strangely apt here: “Blind eagles soar with wings, but do not mess with psycho Russian hackers because you’ll get pwned”.
The Daily Tech article quotes MaddoxX, who outlines his motives:
In fact, MaddoxX says that he’s been tooling around on the Steam server’s back door since January. “I did try [to] contact them several months ago. At the time, I didn’t do anything harmful — just got [a few free copies of games] but never heard anything from them,” he says. “Later,” the steamed hacker adds, “I tried to warn them to fix bugs…but as usual, they don’t listen.” He recounts that he allegedly tried e-mailing Valve employees on several occasions without a reply. When a friend of his called attention to the potential security breaches on Valve forums, every trace of each thread got shut down. “They don’t even warn or reply to their Café customers that private information is leaked,” he says.
And here we come to the issue that is bothering me: MaddoxX is dead right in what he says. When you take confidential information from your customers - be it credit card details, home phone numbers, or their dog’s middle name, you take on a degree of responsibility. My guess is that Valve’s IT guys are still sitting around eating sandwiches in front of an empty whiteboard. The director of marketing at Valve, Doug Lombardi, just recently confirmed the security breach and released this statement:
There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam.
The Daily Tech refers to a very reasonable Californian Law which says that you are required by law to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed). I’m not a lawyer, so I don’t know if Valve are bound by this, but I am aware of a general rule of thumb: if you discover a security breach, you snap to it and do something about it. You don’t hum and haw and mumble some comment a week later about an “alleged hacker” who broke into the system. If the guy has got:
- Screenshots of internal Valve web pages
- A portion of Valve’s Cafe directory
- Error logs
- Credit card information of customers
- Financial information on Valve
…then I think it’s safe to put your hands up and acknowledge this. Funnily enough, the Cork gaming cafe Area 51 even makes an appearance on one of MaddoxX’s screenshots. I wonder if they know that their credit card details could be compromised? Perhaps I’m being unfair, and all of the affected customers have been contacted and informed, but judging by the concerned cafe account owners on the steam forums and elsewhere, this does not seem to be the case. This only serves to validate what MaddoxX is saying, and highlights a gross lack of responsibility on Valve’s part. I believe the guy when he says he has contacted them many times about exploits and bugs and never got a reply. They sound like an absolute disaster.
Security breaches happen occasionally, and that is inevitable. I won’t dwell on the fact that it seems to be a recurring event for this particular company; I’m more concerned about the reaction when something does go wrong. Read this example of how it should be done, from Wordpress. A responsible, well-worded, concise account of what happened, when it happened, who is affected, and what to do if you are affected.
What would you have said if Automattic had come out with drivel like this: “There is no security breach at Akismet. I repeat, AKISMET IS SECURE AND SAFE. oh, by the way, Wordpress got allegedly hacked.” Doug Lombardi: the issue is not “There has been no security breach of Steam”; the issue is: “THERE HAS BEEN A SECURITY BREACH”.

April 21st, 2007 at 13:40 pm
[…] of surfing to dodgy sites on the internet. As long as you don’t make a habit of antagonising MaddoxX, then you can be reasonably confident that your computer won’t be trying to nuke eBay if you […]