I'm happy to see that, while he did something wrong, because he was honest and openly remorseful throughout, he ended up not going to prison. The cops even seemed cordial, they let him get breakfast and a smoke.
I wonder how differently things would have played out if he lived in the US.
I think the German police clearly thought he was not going to get justice from the US (hence the remarks about how lucky he was that they got him before he got on the plane) and saved him from falling into the FBI's trap.
Considering the rash of "OMG the police barged into my house, shot my goldfish and raped my star wars collection" type stories I've been hearing, is it safe to assume that the German police are quite a bit more sensible than their American counterparts?
The whole experience sounds rather civilized. The police let Gembe get dressed, eat breakfast and smoke a cigarette before bringing him down to the station. And when he confessed, his punishment was 2 years in probation.
I somehow doubt his experience with the FBI would have been similar.
> is it safe to assume that the German police are quite a bit more sensible than their American counterparts?
It depends. Gun ownership isn't nearly as common in the US, so they can safely assume that a 17 year old blackhat won't pull a gun on them.
On the other hand, I've seen a ~4.9 feet tall girl getting knocked unconsciously with a Mp5 during the eviction of a squat. In 2003, a schizophrenic in custody was beaten to death by officers in Cologne. They were sentenced from 12 to 18 months in probation. In 2005, Oury Jalloh burned to death in a holding cell in Dessau while being tied with handcuffs to a fire-proof mattress at his hands and feet. In 2008, Josef Hoss was beaten to a bloody pulp by a special unit after his arrest. He is irreparably crippled. He later recieved 30,000€ for compensation.
A lot larger as in landmass. People pay attention to what goes on in their geographic area, regardless of its population.
For example, a beating in California isn't going to be as troubling to a resident in Vermont. They'll simply say "different state, different police force". On the other hand, a beating in Berlin is going to trouble someone in any part of Germany.
Not true: the former border police (Bundesgrenzschutz, parent organization to the famous GSG 9) has been officially the Bundespolizeit (federal police) since 2005, and there has always (well, since the 1951) been a federal investigation agency (Bundeskriminalamt). Most claims of police violence are actually against the Bereitschaftspolizei (riot police units, exist both at state and federal level), which is not surprising since they are deployed (and trained) mainly for potentially violent situations.
To clarify: I know there are federal investigative police (but not as powerful as the FBI, right?) so I deliberately used the verb, meaning enforcement. I didn't know there were federal riot police though.
ANYWHERE you get people whose jobs are power-over-others based, you'll get fuckwads taking those jobs to feel powerful. Then abusing those jobs for the same reason. It has nothing to do with the nation and everything to do with the nature of people and policework.
Some of the police brutality comes down to poor decision-making due to poor training and little experience. I never saw it that way until I read Malcolm Gladwell's Blink. There's a chapter where he discusses an incident in New York where cops shot up an innocent guy. The analysis was that in high-pressure situations, the mind ceases to function and focuses purely on survival and sustaining one's self. One becomes essentially autistic in being unable to recognize social signs such as facial expressions, body movements, etc, and the outcomes when weapons are in play are often gruesome.
It was quite an enlightening read, and I think I take it seriously because my own experience in high pressure situations. First was a time when I was taking a walk with my dad and some kids surrounded us. One tried to spray pepper spray in my face from behind, but my dad saw he was doing something so yelled at him, and my dad got sprayed instead. Then they all ran. I was stunned and couldn't process what was going on; really, I was just so focused on the guy in front of me, my decision-making process was paralyzed.
My second was when I was the venue technology manager for Cypress Mountain at the Vancouver Winter Olympics (freestyle skiing and snowboarding). In terms of operational pressure, that was the most difficult thing I ever experienced, and even more so because Cypress was literally the most difficult and complicated venue of the Olympics. There were situations where my brain literally just shut down and I was going 100 miles an hour trying to fix whatever went wrong; there's a word for that, it's called panic. If it weren't for the training I had and some of my more experienced colleagues, I imagine it would have been an utter disaster.
I can only imagine that if I have some guns, batons, or any other type of weapon, and am meant to quell a situation, it could get ugly easily.
edit: One more anecdote, my friend is an immigration officer. He had an incident once where he and another officer were interrogating a guy because some papers or something needed clarification. The guy suddenly made a move, they misinterpreted, and it became an all-out brawl. My friend distinctly remembers yelling at his colleague and his colleague yelling back at him, but they could not hear each other. Their minds were in a zone where they could no longer communicate, they were just subconsciously focused on survival. Later, it all turned out to be a mistake, but in the heat of the moment, it was hard to discern that.
Germany neither has a War on Drugs nor a meth problem. There have been highly criticized raids in Germany, but there are fewer raids per capita in Germany, and in Germany police-citizen interaction is less violent (no automatic assumption that that driver that was just pulled over is armed, for example).
Please. Do we need any more anti-US rhetoric here?
I see no reason to believe that he would have been treated differently by the FBI, and besides, he would probably have been extradited right back to Germany.
You don't appear to be aware of what's going on in the US right now. I would also suggest reading what pg has to say about identity (and keeping it small).
"..There is a step beyond thinking of yourself as x but tolerating y: not even to consider yourself an x. The more labels you have for yourself, the dumber they make you."
No kidding. I would love to hear Gabe Newell's take on this article. That kid was a hairbreadth away from spending half a decade in a federal pen. That had to be a hell of a "whew" moment he had in that police station.
The cops were "cordial" after rousting him out of bed while pointing automatic weapons at him. In other words, they armed up and stormed the residence of a suspect of a non-violent crime. That sounds pretty standard for the US, and for the same reason indicated by the instruction, "Get out of bed. Do not touch the keyboard".
SWAT-style tactics are rarely about any actual belief that the suspect has weapons and is likely to resist arrest, but about violently (sometimes lethally) subduing a suspect who might destroy evidence and impair the prosecution's case.
And, of course, the overtime pay for SWAT work in many US jurisdictions. Don't know how that works in Germany.
Things would have been exactly the same in the US.
The stories that get all the publicity are the bad ones which of course leads you to think that's all there is.
But by far most cases end up exactly like this one.
Judges LOVE honesty, and so do cops. If you are honest and open with them you get a far milder punishment than someone who won't talk. I've seen it in so many case reports.
Judges are trying to figure out what kind of person you are. If you are open and honest they figure you made a mistake, but are basically a good person and thus don't need much punishment.
On the other hand someone who won't talk is assumed to have a more negative mindset.
I don't mean to suggest that not talking is taken as evidence for guilt - guilt is established separately and is not based on your cooperation. But the punishment for that guilt varies depending on your behavior in court and to the cops.
A lot of the advice on the internet about not talking to cops etc is aimed at avoiding guilt. And it may work. But it utterly ignores the second half, which to me seems almost as important, and that is punishment.
Traffic tickets are not even in the same league as the kind of offenses that we're talking about here, but if they are any indication then I have to agree. I've gotten out of my last three traffic stops by simply telling the cop exactly what I did: driving in the HOV lane without a passenger, rolling through a stop sign, and doing 40 in a 25.
These people -- law enforcement and the court -- get jerked around all day by people who insult their intelligence with bullshit stories. It must be refreshing to hear someone clearly admit what they did with no attempt to evade responsibility.
I was in a similar position once, many years ago, in the early days of the web. I had managed to get parts of the source code to a popular online game (no real hacking here, they left a tarball in an open directory I stumbled upon), and being a foolish young kid, I decided to brag about my insider knowledge of unfinished features on a website. A few weeks later, the company contacted me with a job offer... they just needed my name and address to start sending me checks. Fortunately, I wasn't that dumb.
As a counter anecdote, there is a CS lecturer at my alma mater who actually did get a job directly due to taking code (a physics simulator I believe) from some company's server.
He was careful to end the story by reminding students that things have changed a bit since his youth, and what he did would be multiple felonies now.
I found the story to be quite tragic. This kid really saw the people at Valve as his heroes. Valve knew this and totally abused of that fact. They tricked him and was planning to hand him to the FBI, despite the fact he was (still is) their biggest fan and that the leak was accidental. I would have really hired him if I was in Gabe's position. He had both passion and skills. I think he would make an awesome YC applicant if he directed those to creating a web startup.
Once, when riding through a neighbor's land as a shortcut to a far piece of his own ranch, Theodore Roosevelt and some of his men came across a stray calf. The rules of the range were that any stray calf would be branded with the mark of whoever owned the land on which the calf was found, and everyone carried branding irons of his neighbor's for that purpose. Roosevelt built a fire, but one of his men put Roosevelt's brand on the calf. Roosevelt fired him on the spot. The man protested that he had put Roosevelt's brand on the calf, and Roosevelt replied "Any man who would steal for me would steal from me."
This is a nice story however I don't think the same principal should apply in this case. You have to look at intention of the behavior to judge ones character like Roosevelt did. In Roosevelt's case the intention was clear, the guy took away from another and knowingly disregarded the loss the other guy suffered. It's this character of hurting others to benefit self that made the behavior bad and immoral.
In this kid's case, information was copied. The intention was not to take away sacarce resource for self benfit. He got the source simply because the act of looking produced a copy. Not because he was trying to seek self gain. You should not equate the two and pass the same judgement of character simply because we tend to label both acts as "theft." They are completely different. I really think there should be another word to distinct between these different acts.
He took away something so scarce it's irreplaceable: their secrecy/confidentiality. And if it wasn't for self-gain, who on Earth's gain was it? He committed a pre-meditated (for months) crime to fulfil his own whims.
I disagree with you if you are saying that he had planned for months with the intention of taking away Valve's secrecy and confidentiality so he can hurt them and as a result gain something from it. There is no question that a crime has been committed. What we are debating about is whether he exhibited the same immoral character that Roosevelt condemned. I believe that no he did not exhibit the condemned character of intentionally hurting others for self gain - at least not through his actions of making a copy of Valve's source code.
One of the reasons I believe that is because the ramifications of making copies of someone else's information is not very obvious compared to taking away a physical object from them. When you take something tangible from someone it is immediately clear that the other person will be suffering a loss. However the act of looking at files stored in a remote server (and as a result creating copies) is much less obvious. I think it is very plausible that the kid was just trying to see the state/progress of the game that he has been anticipating so long for (4 years) and simply did not think about the ramification of his actions. This is totally different than the pre-meditation of a crime with the intention to put another party at harm. He has zero motivations to harm Valve. He sees them as his heroes and still is a big fan.
If you broke into a safe in a factory office and stole 1) 20 dollars of cash and 2) documented trade-secrets which you later made public, I'd say you were guilty of both crimes, both the insignificant one and the catastrophic one (and also the crime of breaking-in/trespassing). This is essentially the same, except the safe was a computer drive and both 1) and 2) revolve around the same object (the source code).
You are still not understanding what I'm trying to say. We are talking about intentions here. Not actions. I'm not saying he's not guilty of those crimes. I'm just saying he did not exhibit the undesirable character of intentionally hurting others for self gain. When he committed the crimes he might not have thought about how much Valve would suffer as a result. This is a very different mentality than breaking into someone's safe to take away physical objects. The result of you taking away physical objects is immediately clear - the other party will suffer a loss of those objects.
What i don't understand is that you keep saying he was not motivated by self gain, and that you cannot recognise the significance of actions beyond their physical consequences. Only sadists hurt people for self gain, most cases including this one people do things for their own satisfaction disregarding the damage it causes to the other party. The only way he could fail to be aware of the negative repercussions is if he accidentally took the source code and thought it was something else. He clearly did know what the code was, its value and why it was protected, so i don't see how what he did was any different from someone breaking into a factory and stealing secret plans (' not for self gain, just for the hell of it'), or someone breaking into a house and setting it on fire to cover their tracks, or any other crime that causes an obvious side-effect beyond the central goal.
>What i don't understand is that you keep saying he was not motivated by self gain... people do things for their own satisfaction...
That's a different kind of self gain than the one I was talking about. There is no need to point out/talk about the one you mention - every action anyone does is/can be argued for self satisfaction/gain of some sort - since everyone does it already. Yes I agree with that one. However, the gain I'm talking about is taking away a physical object away from someone else for the sake of gaining possession of it. Again, this is not what motivated the kid to break in and obtain a copy of the source code. However this type of gain is exactly what motivated the guy from Roosevelt's story. My original reply was trying to point out this difference.
>...you cannot recognise the significance of actions beyond their physical consequences.
Yes I can. Not only I can, I am also making a distinction between the actions with obvious physical consequences and the actions with less/no obvious physical consequences. It is you who insist on generalizing the two into the same thing and cannot see the (somewhat subtle) difference.
>The only way he could fail to be aware of the negative repercussions is if he accidentally took the source code and thought it was something else. He clearly did know what the code was, its value and why it was protected...
I beg to differ. That is just one extreme way. It is definitely not the only way he could have failed to be aware of the negative ramification. This is where evaluating his intentions/motivations is helpful. He loves the Valve company. He wants to play this game that he's been waiting for 4 years to ship. But the game keeps on getting delayed. He wants know the progress of the game's development. So then he decides looking at the source code is a good way to achieve this. I think it's very reasonable to argue that, "Had he known that by doing what he did would only further delay the game he wants to play and cause his heroes a lot of trouble, he would not have done it." The ramifications in this case is not as nearly as straight forward compared to breaking into a factory for the sake of gaining possession of the factory's secret plans. I really hope you can see this difference.
>so i don't see how what he did was any different from someone breaking into a factory and stealing secret plans
I think I've already done the best I can to explain to you the differences. If you still cannot see it then you are just going to have to figure this one out on your own/with someone else. http://en.wikipedia.org/wiki/False_Dichotomy
That might be a good place to start. I notice coders often tend to engage in this kind of over generalization/all or nothing thinking.
Look, I'm not saying it wouldn't be worse if a rival company broke in and stole the plans to give themselves a competitive advantage, but the kid still knew it was wrong and proceeded for his own sake (not money, but bragging rights and curiousity). So his crime wasn't grossly malicious, but it was grossly irresponsible considering the damage caused.
Quite simply, he should have known better. I know what a false dichotomy is - and it's exactly what you are purveying by insisting (so far without justification) that crimes with physical effects are not comparable to those without.
As far as I know he was the only one who have succeeded in not only hacking in, but also not being traced back despite all of Valves efforts. (They even got the FBI involved.) How many of the "hackpplicants" can you say the same about? The only reason Valve even knew who did it was because he came forward to them. He admired Gabe and his team so much that his dream is to join them. All of this indicate to me that he would make an awesome employee. I have little doubt that he would have poured his heart and soul into the company had he been given the chance. In fact that is the main reason why I found the story to be so tragic.
My point is it would encourage more people to apply by trying to hack into the company's networks instead of just creating impressive mods, Valve is a game dev/platform company after all not a network security one.
Ahh, I see. Point taken. I would still hire this passionate kid and put him on the network security team. I would then make a public announcement about how the job you get depends on what skill you demonstrate. Which should be the way it works anyways. If you want to join us as a game developer then you need to demonstrate your game developing passion and skills. Either through creating mods with our SDK/platform or writing/creating your own from scratch. However if you want to join us as a network security expert then you got to beat this kid we just hired! =P
If any time you were hacked, you fired the previous network security engineer and hired the guy who just broke in, you'd have a network unusuable by legitimate users and still probably vulnerable to skilled attackers.
Who said anything about firing? How does hiring one guy on to join the team == firing of all of the previous guys? Is there a one man network security team rule at Valve that I'm suppose to know about?
If you hire somebody to your security team every time your network is compromised, and never fire anybody, your network security team will outnumber the rest of your company.
I agree with your point, but we shouldn't forget that this article is clearly sympathetic to the kid. Maybe he isn't quite as cute and cuddly as they make out.
I know he was young and didn't think about it but what he should have done is get into Valve network, watch it for 2 weeks, copy some source code to proof it AND after that say:
"Hey Gabe, you know what I love Valve and I love all of you guys. You are all my biggest heroes BUT you know your security systems aren't good. I hacked your system and it was quite easy. For two weeks no-one even noticed it. I DIDN'T steal anything but if you give me a job I will do my best to pretend such security issues and make your system as secure as I can. Would consider giving me a job?
I attached some source code of Half-Life 2 to proof my abilities.
I hope you all best and hope to hear from you back.
Eight years later, it's easy to read an article and empathize with him. But if someone sent me an email that said, "I kinda stole your multi-million dollar source code, but really do like you and want to be friends." I would not be very trusting.
I think it highly depends on the delivery. I've mentioned this in another comment lower in the thread. Basically, had he contacted Valve and informed them about security the flaws and then shared the source code with Valve to show/prove the potential danger (instead of the guy who leaked it,) I don't think it's totally unreasonable for Valve to hire him on to the security team after he truly demonstrates skill and passion for the company.
Am I the only one who thinks what he did was not only criminal but morally wrong, and that he deserved to go to prison for a long time?
I realize that everybody likes to call themselves a "hacker" because they can program a computer, but this is an actual black-hat hacker. There are bad guys in the world and he's one of them. He wrote malware. He stole source code and gave it to the world. And this wasn't some evil corporation he was trying to bring to justice for its crimes. This was Valve. All they do is make cool games for the world. It's incredibly difficult work and they do a fantastic job. What kind of asshole do you have to be to shit all over them like this kid did?
He himself admits that what he did was criminally and morally wrong.
I don’t know why he should go to prison for a long time for what he did, though. He was punished harshly (two years probation are no joke) and the judge made abundantly clear that the only reason for not punishing him harsher was his behavior after being caught.
I have no desire to destroy other people’s lives just out of spite and I find this desire to be quite baffling. The only question I care about is whether the punishment is sufficient to prevent future similar crimes from him or other people. I have no doubt that allowing him to keep his stable job and leaving it at a strong slap on the wrist is pretty much the optimal thing to do in this case, in terms of deterrence. (I would think that hackers who lose everything and go to prison for a few years are more likely to become criminals than hackers who get two years of probation but get to keep their job.)
The only quarrel I have is that it took apparently three years to bring this case to court. Swift trials matter a lot more than the harshness of the punishment when it comes to deterrence. (In this particular case it was probably for the best that it played out like this but as a German citizen I would like to see a faster judiciary in general.)
I don't fully buy this concept of "morally wrong". You ask what kind of person could do X considering consequences Y for victim, but that presumes the person knows and understands Y, which in this case, they didn't. So no, they are not necessarily an asshole because of this.
I also think it's deeply immature to divide the world into black and white, good and bad, and put curious kids on the bad side of the line with the rapists and murderers. The world isn't black and white. The perspective on the other side of the line can be quite different; and the people who really are bad are probably more in need of being locked up for medical reasons than some biblical, retributive, medieval eye for an eye logic of punishment
I think that you're mis-interpreting the statement. He's not stating that he doesn't believe in morality. He's stating that he doesn't fully buy this concept of "morally wrong." I.e. He's doesn't believe in the same ideas as the poster he was replying to.
But the law allows for intent as well. From the article, it seems that his acts were committed as a result of maximal fanboyism rather than any real intent to do harm.
So, in this case, it's about whether the sentencing is punishment or deterrent. Sentencing as deterrent is only useful a small part of the time (if it was more effective, then the death penalty would be an excellent deterrent - which it appears not to be). Sentencing as punishment really depends on the person being sentenced and in his case, he actually worked pretty hard to turn his life around.
So, from the article, it appears he got what was coming to him, without having to waste his life in prison, where it does no one any good.
Any toddler knows it's wrong to steal a candy bar. I'm pretty sure every teenager smart enough to do so knows it's wrong to hack into a company's network, download their corporate secrets and distribute them to the internet.
Deterrance is absolutely the point of punishment. What he did was a white-collar crime. There's a perception in society that you can get away with certain extremely harmful things, like hacking or financial crime or environmental pollution, because it's hard to pin down intent and the results are hard to measure.
* Mugging. Damage: $50. Punishment: 3 years in jail.
* Hacking Valve. Damage: $250,000,000. Punishment: 2 years probation.
* Oil spill. Damage: $10,000,000,000. Punishment: have to sit through Senate hearing.
* Financial ponzi scheme. Damage: $18,000,000,000. Punishment: 150 years in jail.
Yeah, it worked out with Bernie Madoff, actually. Still it doesn't seem proportionate to his crimes.
I don't think jail terms are based mainly on financial damage caused. Mugging someone for $50 is punished relatively severely because people are afraid of violence, not really because of the $50 loss. Shoplifting $50, which scares people less, will rarely get you any jail time at all (unless it's a repeat offense).
I doubt their competitors will learn awesome secrets from their code-base and I doubt the pirates will compile their own binary instead of just using the standard DVD-Rip.
Yes, they embarrassed themselves. But they have nobody but themselves to blame for not investing in security.
And, as ramidarigaz points out, it was even free PR for them.
You sound like a very vindictive person. How is society helped by Madoff sitting in jail? He should be working in McDonalds with 60% of his paycheck garnished. The mugger is the only one who belongs in jail, because he's violent.
> There's a perception in society that you can get away with certain
> extremely harmful things, like hacking or financial crime or
> environmental pollution, because it's hard to pin down intent
> and the results are hard to measure.
I think that you're mis-directing anger here. 'Hacking' in some cases (in the US at least) carries harsher penalties than other more heinous crimes (regardless of the amount of damage done). Hackers usually face stiff minimum penalties (in the US). Had he been tried in the US he probably would have spend a decade or more in federal prison, and been destitute and/or a 'product of the system' by the time that he got out. This would have increased the chance that he would re-offend (and just not be stupid enough to get caught this time).
> * Hacking Valve. Damage: $250,000,000. Punishment: 2 years probation.
Do you really believe that Valve lost $250M? That number is probably equivalent to the amount of money that Valve had invested into the Half-Life 2 source code at that point in time or the amount of money that they expected to earn through that source code. In hind-sight, Valve didn't lose much. They were still able to monetize their source code, and were very successful at it. Do you really think that there are people out there that did not buy Half-Life 2 because they downloaded the source code to a broken pre-release version of it? Do you really think that there are any serious commercial game companies out there that are using the leaked source code in their code base rather than licensing the engine from Valve?
The amount of 'damages' that Valve incurred due to this is/was speculative. Of course, once the initial estimate comes out, Valve isn't going to go back and state what the actual damages were, because then people would question why the initial estimate was so high. There are also perverse incentives to inflate those numbers:
- Larger damages get more attention from the FBI.
- Larger damages are more likely to see harsher action by the justice system (aka courts).
- Larger damages garner more sympathy from the public.
- Larger damages can make you look like a hero to investors when the reality turns out to not be so bleak. You can always spin yourself as the hero that saved the company from financial ruin.
- Larger damages make the incident a likely scapegoat should the financial quarter be tough on the company (much like piracy is the scapegoat for the MPAA). E.g. "Yea we did poorly, but it wasn't our fault! It was all that darn hacker!" When in reality the leak had nothing to do with the losses.
> Yeah, it worked out with Bernie Madoff, actually. Still it
> doesn't seem proportionate to his crimes.
What exactly should the punishment for Madoff be? 1000 years in prison? I somehow don't think that extra prison time would be much of a deterrent or a punishment. (Unless you're advocating torture, but in that case, you've really shown us your true colors.)
So let me get this straight, because this wasn't "some evil corporation", but rather a corporation who "make cool games", you think that some kid deserves a "long time" in fucking PRISON?
Are you not familiar with the American justice system at all? I have a hard time wishing American prison on murders and rapists, people who do actual tangible harm to people.
I was trying to draw a distinction between this and something like Wikileaks. There are acts which are illegal but might be done for the ultimate good of society. If Gembe hacked into a company's network in order to secure evidence of their involvement in some heinous thing like genocide, it would still be illegal, but he would have my sympathy. But Valve just makes games. It was a dick move.
You seem to divide the world starkly into black and white. A fallacy that is common to people who think this way is the either-or, or False Dilemma (http://en.wikipedia.org/wiki/False_dilemma) fallacy.
Despite your first sentence, where you try to introduce some nuance to your argument, your other statements suggest that you don't have any room in your schema for people who commit damaging, non-violent crimes but express remorse for them. Essentially remorse is less important (if at all) to you than the fact that someone, somewhere was damaged in some way.
Many people here have expressed the opinion that yes, this kid f-ed up real bad and damaged/destroyed Valve's reputation significantly. But no, there isn't a need to lock him up, because it wouldn't serve a purpose.
If the purpose of the lockup is only to punish him (for punishment's sake), which you seem to be intent upon, then yeah it makes sense to give him 10-20 years despite a marked shift in his personality and outlook on life. To me, it seems like a horrible waste of money and of everyone's time to punish him so severely given that he's already had a change of heart, has the beginning of a successful career doing legitimate work, and he didn't commit any violence.
Also, we have the benefit of hindsight here: Valve went on to be an even bigger success after this, as HL2 + Steam is practically a money printing machine for them.
I believe what he did was wrong, but probably not "go to prison for a long time" kind of wrong. At the end of the day, he didn't kill or hurt anybody, or destroy property, or probably even intend to do those things.
Certainly he wasted a lot of expensive people's time and at a critical point in a software development project. You can bet they wanted to wring his little neck badly.
By the time of the trial 8.6 million copies of Half-Life 2 had been sold, its success seemingly unaffected by the leak of 4th October 2003.
But it's unclear how much money he really cost the company. This $250M figure is obviously not credible when they were spending $1M a month on development costs.
You are not the only one. At this point, most of the people who agree with your point of view have accepted the futility of making that point in a venue where the comment immediately preceding yours, modded 5 times higher, claims that the the guy who leaked Valve's source code is the victim and Valve the villain.
No, you aren't. And what I find galling about the article is how they go out of their way to use sympathetic language in describing him. Just one example:
"Gembe's malware crimes, while undeniably exploitative and damaging, were crimes driven by a passion for games rather than profits."
I understand that it is important to explore his motivations, but the way this is phrased (in particular what seems to be an attempt to contrast the boy's "passion" with Valves lust for "profits") is pretty terrible. I don't think his "pure" motivations matter at all-- what matters is that he chose to steal the property of Valve and make it available to others. Whether Gembe meant for it to end up on the internet doesn't matter when it ends up on the internet.
I see a lot of comments on this that are sympathetic to the kid, and while I understand that feeling, I think a more sensible look at the situation demands that you feel sorry for him because he brought this upon himself, not because he was any kind of "victim".
I'm glad to see that he was able to get on with his life, and I probably don't agree with what U.S. authorities would like to have sentenced him to had they gotten ahold of him. But that doesn't make him the persecuted hero that so many people seem to think he is. And that doesn't mean he shouldn't have done some jail time either.
> in particular what seems to be an attempt to contrast the boy's "passion" with Valves lust for "profits"
Wow, did you read the same sentence I did? They weren't implying Valve had a lust for profits, they were indicating that Gembe wasn't motivated by profit. I think you're reading way too much into that particular sentence.
> I see a lot of comments on this that are sympathetic to the kid, and while I understand that feeling, I think a more sensible look at the situation demands that you feel sorry for him because he brought this upon himself, not because he was any kind of "victim".
I see the comments here differently--I don't think anyone thinks he's strictly innocent, I think people are sympathetic because he was looking down the barrel of the American Corporate Legal System™ and only narrowly escaped.
I understand Valve's anger at having their stuff ripped off and published around the internet and if I were in their position I might have the same outlook. But, having the gift of 20/20 hindsight, we can see that it didn't actually affect them negatively in any tangible way. Half-life 2 was released and overwhelmingly successful and there are no game engines with stolen Valve code stealing licensing profits from them.
So I am sympathetic to the fact that he escaped any jail time because in the end what he did didn't matter. 2 Years of probation seems perfectly appropriate.
>Wow, did you read the same sentence I did? They weren't implying Valve had a lust for profits, they were indicating that Gembe wasn't motivated by profit.
Fair enough. I think its a fairly straightforward example. Reading it again, I still think its fairly obvious that the piece was designed to minimize the clearly stupid, clearly wrong actions of an individual, and in order to do so, they needed to paint Valve as the villain. But I appreciate that this is my own interpretation and certainly one could read it differently. (The example I cited should have been changed regardless, as I don't think its necessary to the story and to me still reads as an attempt to vilify Gembe's victim).
> we can see that it didn't actually affect them negatively in any tangible way
Red herring. This probably helped Valve's sales, but that doesn't mean that it necessarily would have, and has nothing to do with the morality/legality of the matter, and as such, it has very little impact on my view of Gembe's actions.
It was indeed criminally and morally wrong. It does not follow that sending him to prison for a long time is the proper response, even if he acted like an annoying jerk to some "cool" people.
Go to prison? Prison should be reserved for violent offenders. IMO, putting non-violent offenders in a pen with violent offenders is very clearly "cruel and unusual punishment".
Considering that he's been sentenced and assuming he has served the term of probation, if he were to set foot on the US, could he be tried and sentenced again, or does Double Jeopardy protect him even if he already had proceeded through the German court system?
It does prevent multiple convictions if the crime only happened in one jurisdiction.
However, since in this case the defendant wasn't tried in the United States but in Germany it would all depend on criminal offense treaties between the two countries, not just US law.
They were treated as seperate instances since the crimes were committed against people in X jurisdiction. That's applicable in this case as well since the Valve folk are in the US jurisdiction.
If the instances were partitioned between those three jurisdictions, then it isn't really an example of avoiding double jeopardy limitations by changing jurisdiction.
Right, I guess what I'm getting at is that neither case (the one in the article and the one I mentioned) was about Double Jeopardy because the police could partition the crimes to different jurisdictions.
Legalistically, its correct but ethically it means that police can try you multiple times so long as they narrow the jurisdiction on the first attempts. For instance, a car chase that crosses multi-jurisdictions can result in multiple trials (and consecutive sentences) even though its really just one offense.
Agreed. I remember reading about this years and years ago, and I thought Gabe Newell said the resolution was that they flew him to the U.S. and arrested him as he de-boarded his plane.
"For some reason they thought there was a connection between me and Sasser, which I denied. Sasser was big news back then and its author, Sven Jaschan, was raided the same day as me in a co-ordinated operation, because they thought I could warn him.
"My bot used the same vulnerability in the LSASS service that his did, except it didn't crash the host system, so I guess they thought I gave him the exploit code. Of course I denied this and told them that I never write such shoddy code."
At the risk of repeating a tired Internet cliche, I think the leak may have helped Half-Life 2.
If the project was already months behind schedule and had a year before a GM build would be ready, having the source code leaked may have given hardcore gamers reassurance that the game was actually coming along and would be finished at some point.
Of course, there's also the newsworthiness and buzz coming from the leak itself.
How does reassuring hardcore gamers that the game is actually being made help Valve? Do you think they would have boycotted the biggest game of the decade simply because it was released late? Seriously... how did this help Valve? I know everything worked out well in the end, but the leak did somewhat spoil the game for a lot of people. I certainly didn't appreciate it at the time.
I suspect Duke is one of the reasons for the complete lack of E3 related announcements so far this year. That and their own Portal 2. They'll not want a "coming next year" annoucement about E3 to be wasted by it being overshadowed by the big things being released in the next few months. Hopefully there will be an announcement later in the year, during one of the release dry spells.
Though you could be right, we've already been waiting for E3 twice as long as E2.
Unless it is a small project and works without a dataceter the sourcecode itself is useless.
Yet, so many people believe that there is actually any (usable) value in the source code alone.
I flunked (thank god) an interview with a company once that ended up going belly up.
The capital came from angel investors (mostly lawyers). When they ran out of money they locked everybody out of the premises (even though all their stuff was still in the building) for the fear somebody would take the source. This was 6 or 7 years ago.. To this date these lawyers still sit on their precious source code.
What I learned from this is: Never trust any of your friends or family when you have such important things in your hands.
You know in everyone of us is this little devil and if you have something which is important you can earn something with it (money or even credit in the community) there is a good chance that people will go the devil way.
I even would consider saying I even DON'T trust myself on such important and valued things!
What I don't get is why the police had to wake them up with a gun pointed to his head. Is this standard procedure for hackers, or criminals in general? Is it because some time ago it was decided that hackers are terrorists?
Suppose I cheated on my taxes (which I would of course never do, but I think many people consider that fair game), would the police also wake me with a gun pointed at my head?
Well, Mitnick was kept in solitary because they were afraid he could start a nuclear exchange if given access to a phone. I think a bit of paranoia is common procedure for hackers because what they do seems like magic to most people.
As for the taxes, that's entirely dependent on your behavior. There have definitely been stand-offs between tax protesters and armed law enforcement personnel.
Oh! So it was real? I remember downloading a file called "HL2 Source Code.rar", long time ago, from eDonkey network. Never payed enough attention to it, thinking it was a fake!
Valve maintains systems that contain sensitive financial information, sensitive internal IP, and a whole library of external IP from other publishers. This wasn't a script kiddie pulling things off bit-torrent, this was an elaborate penetration into a corporate network.
If I was in Valve's position, I would blackball him from working there because he couldn't be trusted, and the damage he caused.
Damage caused was at least time spent cleaning up his mess in their network. Conversely it sounds like Valve had a very weak security setup in their network.
I haven't the faintest clue about how accurate the sort of story I'm about to use as a counter-point is, but what about capable hackers that succeed in breaking into government servers then being given a choice to either work for said government organization, or go to jail for a very long time?
Assuming those sorts of cases actually happen, how is this any different?
A lot of those stories are more in the realm of folklore, and the agencies that are said to have offered such choices have "alternate choices" for reduction in personnel than a private business has if the arrangement doesn't work out.
If the article was 100% accurate, then I would have due to this particularly unusual circumstance. The kid was too naive and handled the situation poorly. The leak in fact was purely accidental. I think if he had contacted Valve and gave them the source code instead of to the guy who leaked it, the whole thing would have had a very different turn out.
The kid recognized what he did was wrong and regretted it. That was why he came forward and emailed Gabe. If he really just wanted steal and cause harm, he would have never been found or caught. You can tell he truly loved the company and was simply misguided in the way he chose to show it. Yes he made a mistake, but I would have still given the kid a chance rather than beat him down. It's this kind of tragic beat downs that often create villains. (in the worlds of comic books at least. =)
He'd probably be a good hire now, but his confession to Gabe was only a few months after the incident. If you knew it was a naive kid that didn't understand the boundaries, that alone is enough reason to wait a few years before you hire him. People who think it's cool to swap your company's proprietary information with untrustworthy outsiders should be avoided.
I don't think what this kid did was actual "stealing". Had I been at Valve in a position to hire, I would have definitely considered hiring the kid (after evaluating how contrite he was, and how good he was, and on the condition that he keep his mouth shut, for fear of spawning copycats). But maybe that's because I've done such rebellious things in the past myself, and have a soft spot for true "hackers".
I also found it hard to not sympathize with him after statements like this:
"My bot used the same vulnerability in the LSASS service that his did, except it didn't crash the host system, so I guess they thought I gave him the exploit code. Of course I denied this and told them that I never write such shoddy code."
He doesn't come across like a criminal mind to me.
Don't blame an 18yr old kid for naively crossing lines he shouldn't.
Blame the million dollar company for not securing their assets against 18yr old kids.
Yet another know-it-all blaming the victim. There is no magic immunity which accrues from being 18, the kid knew what he was doing and wilfully committed criminal acts.
It would have been more plausible if you didn't claim to know better than the know-it-all in the next sentence ("willfully").
If you really want this discussion then perhaps take into consideration the nature of the crime and try to recall your own youth (you've once been 18, too, right?).
I'm not saying he doesn't deserve a slap on the wrist. It's however beyond ridiculous to try and charge him with virtual 9 figure damages - potentially sending him to jail and ruining the rest of his life.
The more interesting question is who was charged for criminal negligence - or at least fired - at Valve over this?
This is the more interesting question because curious and slightly naive 18yr olds are a natural law. They will always be around, and there's strong evidence that deterrence does not work very well against them.
I wonder how differently things would have played out if he lived in the US.