The Boy Who Stole Half-Life 2 Article
At 6am on 7th May 2004, Axel Gembe awoke in the small German town of Schönau im Schwarzwald to find his bed surrounded by police officers. Automatic weapons were pointing at his head and the words "Get out of bed. Do not touch the keyboard" were ringing in his ears.
Gembe knew why they were there. But, bleary-eyed, he asked anyway.
"You are being charged with hacking into Valve Corporation's network, stealing the videogame Half-Life 2, leaking it onto the internet and causing damages in excess of $250 million," came the reply. "Get dressed."
Seven months earlier, on 2nd October 2003, Valve Corporation director Gabe Newell awoke in the large American city of Seattle to find the source code for the game his company had been working on for almost five years had leaked onto the internet.
The game had been due for release a couple of weeks earlier but the development team was behind. 12 months behind. Half-Life 2 was going to be late, and Newell had yet to admit how late. Such a leak was not only financially threatening but deeply embarrassing.
After a few moments pondering these immediate concerns, an avalanche of questions tumbled through Newell's mind. How had this happened? Had the leak come from within Valve? Which member of his team, having given years of their life to building the game, would jeopardise the project in the final hour?
If it wasn't an inside job, how the hell did it happen? Did someone have access to Valve's internal server?
But the question which rang out loudest of all was the one anyone who has ever had something stolen from them cannot push from their mind: who did this?
"I got into hacking by being infected myself," Gembe says today. "It was a program that pretended to be a Warcraft III key generator and I was stupid enough to run it. It was an sdbot, a popular general purpose malware at the time."
The young German soon realised what he had installed on his PC. But instead of scrubbing the malware and forgetting about it, he reverse engineered the program to see how it worked and what it did.
This led him to an IRC server from which the malware was being controlled. By following the trail back, Gembe was able to track down its operator. Rather than confronting the man, Gembe began asking him questions about the malware. He had a plan.
"While I have a €2000 Steam account nowadays, at the time I couldn't afford to buy games," he explains.
"So I coded my own malware to steal CD keys in order to unlock the titles I wanted to play. It grew quickly to one of the most prominent malwares at the time, mostly because I started writing exploits for some unpatched vulnerabilities in Windows."
On discovering the breach, Newell's first thought was to go to the police. His second was to go to the players.
At 11pm on 2nd October 2003, Newell posted a thread on the official Half-Life 2 forum titled, "I need the assistance of the community."
"Yes, the source code that has been posted is the HL-2 source code," he admitted in the post. Newell went on to outline the facts Valve had been able to piece together so far.
He explained that someone had gained access to his email account around three weeks earlier. Not only that, but keystroke recorders had been installed on various machines at the company. According to Newell, these had been created specifically to target Valve as they were not recognised by any virus-scanning applications.
Whoever had done this was smart, capable and specifically interested in his company. But why?
Gembe's malware crimes, while undeniably exploitative and damaging, were crimes driven by a passion for games rather than profits.
His favourite game of all was Half-Life. In 2002, like so many fans of the series, Gembe was hungry for details about the forthcoming sequel. That's when he had the idea. If Gembe could hack into Valve's network, he might be able to find something out about the game nobody else knew yet.
A socially awkward loner who had endured a tough upbringing, he would gain status in the community of gamers he had adopted as his family by offering up such insider information. It was worth a try.
"I wasn't really expecting to get anywhere," Gembe says. "But the first entry was easy. In fact, it happened by accident.
"I was scanning Valve's network to check for accessible web servers where I thought information about the game might have been held. Valve's network was reasonably secure from the outside, but the weakness was that their name server allowed anonymous AXFRs, which gave me quite a bit of information."
AXFR stands for Asynchronous Full Zone Transfer, a tool used to synchronize backup DNS servers with the same data as the primary server. But it's also a protocol used by hackers to sneak a peek at a website's data. By transferring this data, Gembe was able to discover the names of all the subdomains of ValveSoftware.com.
"In the port scan logs, I found an interesting server which was in Valve's network range from another corporation named Tangis that specialised in wearable computing devices," he says.
"This server had a publically writable web root where I could upload ASP scripts and execute them via the web server. Valve didn't firewall this server from its internal network."
Gembe had found an unguarded tunnel into the network on his first attempt.
"The Valve PDC had an username "build" with a blank password," he explains. "This allowed me to dump the hashed passwords for the system. At the time the Eidgenössische Technische Hochschule Zürich offered an online cracker for hashes, so I was able to crack the passwords in no time."
"Once I had done that... Well, basically I had the keys to the kingdom."
At this point, Gembe wasn't bothered about covering his tracks. So far he had nothing to hide. But he wanted to ensure he would remain undetected as he explored further.
"All I cared about at that point was not being thrown out," he says. "But I had access to an almost unlimited amount of proxy servers, so I wasn't worried. My first job was to find a host where I could set up some sort of hideout."
Gembe began poking around for information about the game. He found various design documents and notes about the game's creation. This was what he had come looking for. This was why he was here.
As the weeks rolled by, Gembe realised nobody at Valve had noticed he was inside the company's network. He began to push a little harder.
That's when he hit the payload: the source code for the game he had been waiting to play for so many years.
The temptation was too great. On 19th September 2003, Gembe hit the download button and made off with Valve's crown jewels.
"Getting the source code was easy, thanks to the network performance of the Perforce client, but the SourceSafe client for the game data was horrible," he explains.
"Because of this I coded my own client that basically had its own transfer mechanism over TCP, detected changed files by hashing them and transferred the changes.
"The game didn't run on my computer. I made some code changes to get it to run in a basic form without shaders or anything, but it wasn't fun. Also, I only had the main development trunk of the game. They had so many development branches that I couldn't even begin to check them all out."
To this day, Gembe maintains he was not the person who uploaded the source code to the internet. But there's no denying he handed it over to whoever did.
"I didn't think it through," he says. "There was, of course, an element of bragging going on. But the person I shared the source with assured me he would keep it to himself. He didn't."
Once the game was on Bit Torrent, there was no containing it.
"The cat was out of the bag," says Gembe. "You cannot stop the internet."
"A Red Letter Day"
The response of the community to Newell's plea for help was mixed. While many expressed their sympathy at the theft, others felt betrayed by Valve for being led to believe the game would be ready for its scheduled launch in late 2003.
Despite a few leads, nobody was able to provide information about who might have perpetrated the crime. The FBI became involved in the investigation but also drew blanks.
Meanwhile the team at Valve, which had been in crunch mode for months, was left reeling by the leak. The game was costing the company $1 million a month to build and the end was still far from sight. The leak had not only caused financial damage but had demotivated a tired team. One young designer asked Newell, "Is this going to destroy the company?"
At 6:18am on 15th February 2004, Valve's MD received an email with a blank subject line from sender 'Da Guy'.
"Hello Gabe," the author began, before going on to claim responsibility for infiltrating Valve's network months earlier.
Newell was unsure whether to believe the story at first. But two attached documents, both of which could only have been obtained by someone with access to private areas of Valve's server, proved the sender's claims were valid.
Five months after Half-Life 2 was released onto the internet, long after all leads had gone cold, Newell's man had turned up on his doorstep.
Why did Gembe send that email? "Because I was sorry for what happened," he says. "I wanted them to know who did this thing, and that my intention was never for things to work out the way they did." But that wasn't all that Gembe was after. The young man saw a way he could create a positive outcome from his crime, both for Valve and himself. In a separate email, he asked if Newell would consider giving him a job.
"I was very naïve back then," he says. "It was and still is my dream to work for a game development company, so I just asked. I hoped that they could forgive what I had done, mostly because it wasn't intentional."
To Gembe's surprise, Newell wrote back a few days later saying yes, Valve was interested. He asked if Gembe would agree to a phone interview.
The real motivation behind the suggestion was not to discover whether Gembe would be a strong candidate for a position within the company. It was to obtain an on-the-record admission from Gembe that he had been responsible for the leak. It's an old FBI trick, designed to gain a confession by appealing to a person's sense of pride.
Gembe had his suspicions but he pushed them to the back of his mind. "I hoped for the best," he says. "I was not the brightest kid back then."
He recalls the phone interview being conducted by Alfred Reynolds, developer on Counter-Strike and Steam, and Portal writer Erik Wolpaw, but says he could be wrong. (In fact, Wolpaw says he had yet to join the company at this point.)
"At first they wanted to know how I hacked into the network. I told them in full detail. Then they asked me about my experience and skills. I still remember they were surprised that I spoke fluent English without much of an accent."
The trio talked for 40 minutes. Any sense of guilt dissipated for Gembe in the presence of his heroes. But that was nothing compared to the adrenaline rush he felt when he received an invitation to a second interview. This one would be face-to-face at Valve's headquarters in Seattle, on American soil.
Having set the trap, Valve and the FBI needed to obtain a visa for Gembe (and his father and brother, as he had asked if they could accompany him to the US). But there were concerns about the ongoing access Gembe had to Valve's servers and the potential damage he could still cause. So the FBI contacted the German police, alerting them to the plan.
It was soon after this that Gembe awoke to find himself staring down the barrel of a gun. He got dressed and headed downstairs, escorted by the armed policemen squeezed into the small hallways of his father's house.
"Can I get something to eat before we leave?" asked Gembe.
"No problem," said one of the policemen.
Gembe reached for a kitchen knife to cut some bread. "Every policeman in the room raised his rifle at me," he says.
After drinking a cup of coffee and smoking a cigarette, Gembe climbed into the back of a van and was driven to the local police station. There he was greeted by the police chief. He walked up to Gembe, looked him in the eye and said, "Have you any idea how lucky you are that we got to you before you got on that plane?"
Gembe was interrogated by the police for three hours. "Most of the questions they asked me were about the Sasser-Worm," he says, referring to a particularly vicious malware that affects computers running vulnerable versions of Windows XP and Windows 2000.
"For some reason they thought there was a connection between me and Sasser, which I denied. Sasser was big news back then and its author, Sven Jaschan, was raided the same day as me in a co-ordinated operation, because they thought I could warn him.
"My bot used the same vulnerability in the LSASS service that his did, except it didn't crash the host system, so I guess they thought I gave him the exploit code. Of course I denied this and told them that I never write such shoddy code."
After the police began to realise there was no link between Gembe and the Sasser-Worm, they moved on to asking him about Valve.
"I could have refused to answer and demanded an attorney, but I chose to tell them everything I knew honestly and completely, which I guess they appreciated," he says. "The guy questioning me liked me because, he said, 'You are not an asshole like most of the other guys.' That department has to deal mostly with child porn.
"I guess I was so open with them because I didn't believe I did much wrong, at the time."
Gembe was remanded in custody for two weeks. He was released once the police were determined he wasn't about to flee, with the proviso that he check-in with them three times a week, every week, for three years, until his trial.
While waiting for his day in court, Gembe worked hard to change his life. He finished an apprenticeship and got a job in the security sector, writing Windows applications to manage security systems and performing database and server administration work.
Axel Gembe's trial lasted for seven hours. No one from Valve was present, though someone from the Wall Street Journal turned up. Security breach aside, there was no evidence to suggest Gembe had been responsible for pushing the Half-Life 2 source code on the internet.
However, Gembe admitted to hacking into Valve's network. The judge sentenced him to two years' probation, citing his rough childhood and the way he had worked to turn his life around as considerations when it came to deciding on the relatively lenient punishment.
By the time of the trial 8.6 million copies of Half-Life 2 had been sold, its success seemingly unaffected by the leak of 4th October 2003.
Today Gembe is 28. Nearly a decade on, he is remorseful about the Half-Life 2 episode.
"I was naïve and did things that I should never have done," he says. "There were so many better uses of my time. I regret having caused Valve Software trouble and financial loss. I also regret having caused some universities financial harm by using them as speed tests for my malware.
"Basically I regret all the illegal things I did at that time... And I regret not doing anything worthwhile with my life before I got busted."
What of the man he stole a game from? What would Axel Gembe say to Gabe Newell today?
"I would say this: I am so very sorry for what I did to you. I never intended to cause you harm. If I could undo it, I would. It still makes me sad thinking about it. I would have loved to just stay and watch you do your thing, but in the end I screwed it up.
"You are my favorite developer, and I will always buy your games."
Want to comment on this article? Log in, or register!