Posted March 3Mar 3 On Tue, 17 Feb 2004 Gabe Newell <gaben@valvesoftware.com> wrote: >I get a couple of hundred spam messages a day, which sucks. Ooh, that's bad 🙂 I usually use addresses I dump later for most stuff, but I assume you can't do that as easily. >I downloaded the VSS client, but I haven't had a chance to look >at it >yet. I need to run home to deliver chicken yakisoba to the starving >children, but I'll take a look at it tonight. yaki="fried" soba="buckwheat noodles" with chicken? Mmmmm, I like asian food, except sushi 🙂 Thx for having a look at it, but don't if you're too busy, just throw it at someone else. I imagine you'd have to check the source for nasty backdoors, but be assured there are none. Anyways, I'd just like that tool to be used, cause I though its pretty kewl tool, but I have no use for it anymore cause I use cvs and/or BitKeeper for my programming work. >So it's cool that you are clearing up the mystery for us, but why are >you >doing it? Does knowing that you should have done this long time ago count? Also I wanted to know if you'd still want to catch me when you know that the real hacker didn't distribute HL2 but was getting sniffed. What would you have said if I told you of this in time ? Well, I also didn't like what the people releasing HL2 have done, so I want to disclose my part of the story. But I also gotta say that you people didn't do too much at that time for your network security (I think you were just too busy with HL2), even after october, I had access to 4 Valve-owner systems, 1 being a team-server, 1 being the adminmod sf.net servers, 1 being your webserver (but someone kicked me out there and left messages on the FTP for me) and 1 being a MySQL server where I could have added malicious stuff into /root/.bash_history or into a .bat/.cmd file in startup folder). So, my point here is: get a dedicated security person for the network, someone who only is there to administrate/audit networks. Also you should consider auditing the steam source sometimes, because that is critical infrastructure. In a network I administer we have all critical infrastructure stuff behind a second firewall that also runs an IDS, theres 1 internet facing host running Linux & WebServer, and it also runs a self written program that checks for anomalies in TCP traffic and blocks offending hosts at both firewalls. Also I want to note that I wrote me some kind of sourcecode encryption tool, that also is a build system, which will produce signed self-checking binaries using RSA private/public keys, maybe you could also think about using more secure build system. What I'd also like to know is what was installed on your PC, cause I never even had access to it. When you wrote to hl2.net forums, you only mentioned a few of my tools, but the RemoteAnywhere and the keylogger were not installed by me. Basically I only did do the minimum required stuff, which was crack the PCS (I used the "Build" - "" Administrator account), crack MD5 hashes using rainbow tables (took a few seconds to get most of em), g get access to some good headless Win32 machine to use first (your compiler farm), get angry about sourcesafe speed, code my own tool, get HL2 fast but not fast enough, get access to some linux host (lists.valvesoftware.com, which was later cleaned, then I used Alfreds profiler host), port my tool to Linux and finally get HL2 fast enough. I've always used P4Win from a .cmd file, cause that was fast enough over Internet. After I accomplished this, I leaned back and watched your development process, which is the most amazing thing I ever saw. Also I wanted to write you because lots of people claim they hacked you, like that Anon fag, but all this is based on a few passwords and some other info that was sniffed from me. I really shouldn't have transmitted that stuff in cleartext. Well, write me if you wanna know anymore facts or other details, I think I can give you answers to much questions. - Da Guy PS: as much as I'd like to disclose my identity, I still fear getting caught for this, though I didn't want to harm anybody. Think about it, someone else could have entered your system as easily as me. But still I acknowledge that this was my fault & your fault, my fault for transmitting passwords in clear text and even entering those systems, your fault for not securing them properly.
