Posted March 3

We had a phone interview commencing at 11:03am PST on 03/26/2004 with someone claiming to be the person that hacked Valve (daguy). He contacted me on my phone extension in my office (extension 100). His initial contact was via an ISDN connection into his PC. He had trouble with the connection (bad voice quality), so we terminated that call and he rang us back via another line. He said this line was his phone line. The second call commenced at 11:13am PST.

I spoke with him briefly when I answered the second call and introduced Greg Coomer. At this time Greg Coomer, Matt Bamberger, Yahn Bernier and myself were in the room. Greg introduced himself and said that it was unusual to not know his name. Daguy then stated his name was "Axel Gembe" and that he was from Germany. Greg then explained how the interview would proceed and then passed him off to Matt Bamberger.

Matt asked Axel a series of technical questions related to programming. He asked him what projects he had worked on before, how large those projects were, what problems they had and how he solved them. They also discussed source control and some issues about it. Axel also mentioned creating a remote administration program and discussed some issues with writing it and maintaining it.

Once Matt had finished his questioning I was introduced to him. I quickly introduced myself and asked him if he would like to talk about some generic technical questions I had prepared or whether he wanted to go straight to talking about how he hacked us. He was eager to talk about the hacking event. My first question was simply how he did it. He then went on to describe how he infiltrated our network and the various programs and exploits he used. The details are as follows.

He entered the network via the tangis.com machine. He claims to have used an account with an empty password to get on the machine initially.
Once on the machine he exploited the web server with a remote CGI exploit to escalate his account privileges. Once he had control of tangis.com he made use of the trust relationship on the firewall to scan our internal LAN network. He found a machine (a "distributed compiler" machine, to use his words) that he claims had another blank password. He used that account to enter the machine. Once on this machine he used a cracking tool to attack the password database on the Primary Domain Controller (PDC) and extract user accounts and passwords. Once he had harvested some passwords he used these to get on various workstation machines; he mentioned my workstation in particular. He also used VSS to gain access to our HL2 content and Perforce to get our source code. He said that he got onto "jeeves" (the name of the Perforce server) and the IP addresses 207.173.178.176, 207.173.178.173 and 207.173.178.12 (.12 is the IP address assigned to "jeeves"). Perforce is a source control system we use.

I then asked him about any Linux boxes he may have compromised. He described how he used an SSH buffer overflow exploit on one of the machines to gain access. He also claimed that one of the accounts on the machine had the same password as an account on the PDC (and that he used that). He then said he installed the "adore" rootkit onto the machine to mask his presence and used the "vtun" application to create a tunnel between his PC and our server. He said that he created the "hl2roxx" directory on one of our machines. I mentioned I found a ".bla" directory and he said that he had also created that directory. He also said he used a custom application to sync to our VSS tree across this vtun tunnel. Initially he used this application on a Windows machine (he did not mention which one specifically), but he said that was too slow, so he then ported the application to run on our Linux machines.

Next I asked him how HL2 had been leaked.
He claimed that he had been discussing his break-in of Valve on IRC with a friend and he suspected the owner of the IRC server to be monitoring his chat. I asked him if he was still on our network (or had been in our network post October 1st, 2003) and he said that he had compromised our FTP server since then but had been unable to get back across the firewall onto our internal LAN.

I then thanked him for his time and passed the phone back to Greg Coomer. Greg asked him to send us a more detailed resume and told him that he would talk to Gabe early next week and get back to him. Greg also asked when he was available to fly over here so we could interview him in person. He said that he could come when we wanted him to, as he could do any work he needed to do remotely. At this point we hung the phone up. The time was approximately 11:40am.

The detailed information he provided to us fits with the information we discovered during our investigation of the break-in. He provided us with details that we (Valve) have only revealed to the FBI (such as the names of the directories created on the machine and the use of the "vtun" and "adore" applications).