The Valve Sting: Tricking Hackers With Fake Job Interviews
Remember a few years back when the pre-release source code for FBI [http://www.valvesoftware.com/] that came this close to nailing the culprit.
Back in 2003, Valve's internal network was breached by a German hacker, ultimately resulting in the theft and dissemination of the source code for Half-Life 2, which at that point was still more than a year from release. It was a full-on debacle for Valve, not only because the source for one of the most anticipated shooters in history was suddenly loose in the wild long before the game was ready, but because the monumental lapse in security made the developer, to put it bluntly, look a bit stupid.
Valve honcho Gabe Newell appealed to the online community for help in tracking down those responsible. "If you have information about... the infiltration of our network, please send the details," Newell wrote in a message on the company forums. "There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great." Anonymous sources began feeding the FBI transcripts of IRC discussions of the hack (available [http://blog.wired.com/27bstroke6/files/ago.pdf], PDF format) but it wasn't until February 2004 that the big break came, courtesy of the hacker himself.
That month, Valve was contacted by "[email protected]," claiming credit for the break-in and providing details to back his claim but denying that he was responsible for putting the source code online. Valve stayed in contact with the user, who expressed interest in getting a job with the developer; at the same time, the FBI, who was in on the act, used clues in the emails to determine that their man was Axel Gembe of Schonau, Germany. The following month, several managers at Valve spent 40 minutes on the phone with Gembe in a fake job interview, learning how he'd cracked into their network and gained root access via remote exploits and scanning software. "I'm no bad guy, just a little misguided," he claimed.
After the interview, Newell invited Gembe to the U.S. for a face-to-face interview, saying that expenses for the trip would be covered, as would the costs for relocation if he was hired, which he claimed was "pretty standard for the game business." But at that point, for one reason or another, Gembe wised up and declined to leave Germany. In the end, he was charged with the crime in that country, and sentenced to probation.
It's a fantastic story with a not-quite-satisfying conclusion that leads to a painfully obvious question: Why couldn't a company as successful as Valve afford to hire some top German talent to take care of this guy in a more decisive and permanent fashion? What sounds better to you: Spending months chasing leads, sifting through mountains of tips and chat logs, dealing with bored FBI liaison officers and disinterested German prosecutors all while hoping that if you do actually manage to catch the guy he'll get something more than a year or two of probation? Or writing a six-figure check to Zane and Cannell and getting a copy of the missing persons report in the mail a month later?
In any event, U.S. authorities may yet get another crack at Gembe: Last month, federal prosecutors in Los Angeles added his name to a case involving a satellite TV retailer who launched "crippling" DDOS attacks against his competitors in 2003. Gembe is named in the indictment for allegedly providing the Agobot software, which he wrote, for use in the attacks.
via: Boing Boing [http://gadgets.boingboing.net/2008/11/13/the-job-is-a-lie-val.html]
Permalink
Remember a few years back when the pre-release source code for FBI [http://www.valvesoftware.com/] that came this close to nailing the culprit.
Back in 2003, Valve's internal network was breached by a German hacker, ultimately resulting in the theft and dissemination of the source code for Half-Life 2, which at that point was still more than a year from release. It was a full-on debacle for Valve, not only because the source for one of the most anticipated shooters in history was suddenly loose in the wild long before the game was ready, but because the monumental lapse in security made the developer, to put it bluntly, look a bit stupid.
Valve honcho Gabe Newell appealed to the online community for help in tracking down those responsible. "If you have information about... the infiltration of our network, please send the details," Newell wrote in a message on the company forums. "There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great." Anonymous sources began feeding the FBI transcripts of IRC discussions of the hack (available [http://blog.wired.com/27bstroke6/files/ago.pdf], PDF format) but it wasn't until February 2004 that the big break came, courtesy of the hacker himself.
That month, Valve was contacted by "[email protected]," claiming credit for the break-in and providing details to back his claim but denying that he was responsible for putting the source code online. Valve stayed in contact with the user, who expressed interest in getting a job with the developer; at the same time, the FBI, who was in on the act, used clues in the emails to determine that their man was Axel Gembe of Schonau, Germany. The following month, several managers at Valve spent 40 minutes on the phone with Gembe in a fake job interview, learning how he'd cracked into their network and gained root access via remote exploits and scanning software. "I'm no bad guy, just a little misguided," he claimed.
After the interview, Newell invited Gembe to the U.S. for a face-to-face interview, saying that expenses for the trip would be covered, as would the costs for relocation if he was hired, which he claimed was "pretty standard for the game business." But at that point, for one reason or another, Gembe wised up and declined to leave Germany. In the end, he was charged with the crime in that country, and sentenced to probation.
It's a fantastic story with a not-quite-satisfying conclusion that leads to a painfully obvious question: Why couldn't a company as successful as Valve afford to hire some top German talent to take care of this guy in a more decisive and permanent fashion? What sounds better to you: Spending months chasing leads, sifting through mountains of tips and chat logs, dealing with bored FBI liaison officers and disinterested German prosecutors all while hoping that if you do actually manage to catch the guy he'll get something more than a year or two of probation? Or writing a six-figure check to Zane and Cannell and getting a copy of the missing persons report in the mail a month later?
In any event, U.S. authorities may yet get another crack at Gembe: Last month, federal prosecutors in Los Angeles added his name to a case involving a satellite TV retailer who launched "crippling" DDOS attacks against his competitors in 2003. Gembe is named in the indictment for allegedly providing the Agobot software, which he wrote, for use in the attacks.
via: Boing Boing [http://gadgets.boingboing.net/2008/11/13/the-job-is-a-lie-val.html]
Permalink
