First, a disclaimer. I was horrified when the Half-Life 2 source code got leaked, and delighted when they apparently managed to arrest the person primarily responsible. So, I wanted to reprint the results of a theory on how Valve's internal network got hacked, and the Half-Life 2 source got out.
This is based on a post made by me to the QT3 forums a few weeks back, and I made some oblique references in a Slashdot Games post, but I couldn't really explain it properly in just 150 words. Other people, particularly heise.de, have made some of these connections before (though the Tangis part hasn't been well-publicized).
The starting point to explaining things properly was a UK Guardian article published in July, which says that the main HL2 code thief is German, and has Valve's Gabe Newell confirming: "Through conversations with this individual, [we] had convinced him to fly out to us in Seattle for a job interview. The plan was changed so German authorities would do the arrests on German soil."
This fits in with previous rumors that the HL2 thief is the same German guy who coded the Agobot worm, which later morphed into Phatbot, and is a pretty dangerous little remote takeover util.
Furthermore, this seems to jibe with the idea that a certain IRC log called another_log.txt, which was floating around just after the code theft, is the 'smoking gun', and is actually all true. There was a now-defunct site at http://www.gtwy.net/hl2/ which started just after the code theft, and got lots of anonymous tips in, including IRC logs, and this another_log.txt was one of them. Looks like it was all true - a single tipster gave all the information needed to bring down those responsible.
Particularly interesting (and here's the bit you may not have heard before) - in this 'another_log.txt' file, this Ago chap says that he got into Valve's network via "a pc in valves net, that wasnt directly controlled by valve." How does that work? Well, I looked into this a little...
Some versions of that log text file seem to have details removed, but this one mentions the name of the site Ago found: tangis.com. So, turns out Tangis is a wearable computing firm, now largely defunct, but it was run by Dan Newell, an ex-Microsoft employee. I believe that Dan Newell is Gabe Newell (the Valve CEO)'s brother. What's more, according to the older version of the Tangis.com webpage, the offices of Tangis are 'currently located in downtown Bellevue in Bellevue Place - 10th Floor Room 42'.
This is, as far as I understand it, the actual location of the Valve offices. So at one point, Tangis was operating out of the Valve offices, or their own offices right next to Valve's. It looks like this is the machine the hackers probably got in through - Tangis.com was, most likely, an outward-facing web server that was actually part of Valve's internal network. Ouch.
So, the Agobot creator was arrested in May, but the Half-Life 2 code theft wasn't mentioned then. It's noted in that story that "The arrest of the alleged creator of Agobot didn't come from informants... but from other, unspecified, leads." I think it was the HL2 code theft investigation and another_log.txt that uncovered the fact that the same person also coded Agobot. Valve and the authorities then had to deal with the other people mentioned in another_log.txt, and announced the arrests on June 10th. It would seem natural that Ago used Agobot's IRC-controlled backdoor commands to actually do the hacking - he may have used a buffer overflow trick in an unpatched version of Windows to get onto the site in the first place.
Some of this is speculation, obviously - there will be a trial pending, so I doubt we'll get much more info for now, but I'd love to know if Ago intentionally got in through Tangis.com, knowing it to be part of the Valve network, or whether he was just nosing around and happened to find it (more likely?). But I'll end with the author of another_log.txt's closing words - it restores a little faith in human nature that somebody actually cared enough to turn the leakers in:
'What these people did simply has gone too far and caused immense damage to one of the best game companies around.'
Amen.
Posted by h0l211 at September 6, 2004 04:31 PM