Exposure of leaked source code for Counter-Strike: Global Offensive and Team Fortress 2 has experts concerned that it could lead to cheats, exploits, and a fast track to Valve’s Source 2.
Though an outdated model, source code for Valve’s beloved FPS title has been getting shared online. This gives everyone from CSGO enthusiasts to malicious actors a way to “literally build the game,” according to ‘2Eggss,’ an ethical hacker and Steamworks developer.
To be clear, everything that hackers and exploit makers needed to make cheats in CSGO was already out in the wild, which is why services like the Valve anti-cheat (VAC) system exist to try to thwart any potential hacks that may come out of them.
A 2017-2018 source code for CSGO has been leaked.
While the source code has been circulating in corners of the internet for some time, it has now been made public.
The information getting shared online works as sort of a beacon for anyone interested in creating harmful exploits, since they now have fairly recent and complete builds for two of Steam’s most popular titles.
That might not be entirely exciting for those with prior knowledge of the situation, but people are already coming across things like a remote code execution (RCE) exploit for Team Fortress 2 that could potentially let someone make use of a player’s computer that is logged into the game.
Less than a day after these leaks were made public, TF2 players are being advised by people like 2Eggss to refrain from opening their game, in case anyone is looking to gain remote access.
CSGO historian and President of competitive club Dogmination, Nors3, said that Valve will almost certainly address the leaks in the coming days for what they could mean for the FPS title and developers of other games.
“CSGO code to make cheats was already very public in many repositories,” he said. “This leak just gives more advertising to it. It means more to Valve as a whole. It involves a lot of people and projects, it’s a bad leak for them and gives to other devs an advantage.”
“This [leak] is awful, and I wish that it didn’t happen,” user ‘Vadographer’ said. “However, this does open the door for both games to potentially be ported to Source 2.”
Valve has already been teasing refined features from the new engine like 2018’s Panorama UI update for CSGO.
Valve, a company known for their closed doors, are expected to address the leaks that exposed their CSGO source code.
The source code leak would give eager eyes a look into the inner workings of Valve’s popular titles, a reality that the developers, who tend to like their privacy, would have a problem with.
“Expect a Valve statement about the Source code leak. It can take days tho, and Gaben for sure will step in,” Nors3 said. “New internal rules could appear, and someone could be fired and maybe sued.”
Update on April 22 4:54 P.M.:
Valve has responded to the reemergence of the leaked code by notifying players there is no “reason for players to be alarmed or avoid the current builds.”
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.
“This time last year our rulebook and our whole setup were based on LAN events,” BLAST’s director of operations and production Andrew Haworth told Dexerto. “We hadn’t really done a huge amount of work on how that would be replicated in an online world.”
Earlier this year, with the global health situation emerging, governments all around the world were forced to reduce the feasibility of hosting events, and thus, they were moved online — halfway through a tournament, in some cases.
Prior to the restrictions, tournament organizer BLAST managed to host their first big competition of the year in February, impressing many and unknowingly hosting what would be one of the only prominent offline events in the 2020 Counter-Strike calendar. They didn’t have the same privilege later in the year, however, as limitations had yet to be permanently relaxed in many locations. Nonetheless, they went on with their plans to host the BLAST Premier Fall Series, albeit online.
Hosting an event gained another layer of absurdity with the revelation of a spectating bug that spanned multiple years. With the Esports Integrity Commission — a body devised to maintain the integrity of competitive gaming — issuing bans to dozens of coaches, integrity questions were more prominent than ever, and during an online era, no less, where it’s harder to monitor the activity of teams and their coaches.
Commentators Scrawny and launders arrived at the production location early to accommodate local restrictions.
Haworth’s background working on major music festivals and the Olympic Games means he’s no stranger to crafting contingency plans in case a problem arises. Prior to hosting the Fall Series, BLAST went through sessions of scenario testing with key department leads to devise numerous methods of still getting the job done.
Considering BLAST have deployed everything at their disposal to maintain competitive integrity within their events, Dexerto spoke with Haworth to see how they adapted their processes to move to a remote production while monitoring the gameplay itself both in and out of the server.
Going back to esports’ roots
“We were fairly lucky in the timing of the outbreak, we just finished our Spring Series in February and didn’t have another live event till the end of May,” he said. “Other tournament organizers didn’t and were thrown into that halfway through a show. We had a bit of time, purely by luck, to have a look at what we need to do for our Spring Showdown and our Spring Final.”
While esports, like most other sports, is fundamentally an entertainment product, the need for competitive integrity is essential. Fans tune in to watch the best players in the world face off against each other, and that’s no different during an era of online competition.
“If the fans don’t have faith in what we’re putting on, if our broadcasters and sponsors don’t have faith in what we’re putting on, and the teams ultimately lose faith in it, then none of us can stand behind it proudly,” Haworth said. “So competitive integrity is integral to what we do, none of us are arrogant enough to think that we’re perfect in that.
“There may be things that we’re doing now that we’ll review and determine haven’t worked quite as well or are not effective. Some of the things that we have done we want to ensure, while maintaining competitive integrity at all times, doesn’t affect the performance of play. We don’t want to be taking up computer performance for the matches because that isn’t going to gain the right tone with anybody.”
The venue had no players in sight, with only production staff and broadcast talent being present.
With a change in circumstance comes a need to change the parameters in which events are run, and that filters all the way down to the gameplay itself. BLAST saw the need to adapt their guidelines early in the year, when LAN events no longer seemed possible, so all of the teams were on the same page.
“The rulebook gets issued at the start of every season, we generally review it and update it after every event,” Haworth said. “We did less of that last year — I think we only made one or two slight revisions from Spring Series into Spring Showdown because the former was very much for a LAN. We also have our competitive integrity policy, which is broadly drawn out of the rulebook and is a short, sharp summary to articulate what we do. That’s on our website. We’ve worked with experienced tournament officials that have worked with other tournament organizers and in other settings, it’s important to us that they can see elsewhere what has worked, and equally what hasn’t worked, so we can pick up best practices.”
From bad to worse
All partners of ESIC — including the likes of ESL and DreamHack — vow to enforce rulings decided upon by the commission, and that was no different for BLAST. The spectating exploit utilized by at least 37 coaches rocked the CS:GO community and certainly begged the question as to what tournament organizers are doing to ensure fair play is had at all times.
Moving online adds another layer of difficulty to constantly and accurately monitoring the matches played, especially considering tournament officials can’t be present to see how teams are operating with their own two eyes. BLAST believes they’ve reached the pinnacle of monitoring at this precise moment.
“Some of the measures we put in place aren’t perfect but they’re the best available solution we’ve found so far,” Haworth told Dexerto. “There are methods that we’re developing and evolving. We are confident that the measures we have in place currently are giving the desired result in not allowing anybody to manipulate the system or take advantage of it.
“From a coaching bug point of view, the player cams that we’ve put in place have been a really useful feature. That’s something that we looked at, to start with, as a broadcast feature that had some great context and depth. It grew into something that we now utilize to ensure we can see what players are doing.
“We’ve worked with players on camera angles, we have down-the-line shots, coaches have cameras on them and we listen to TeamSpeak for both a broadcast feature and in terms of integrity,” he continued. “The MOss system is far from perfect but it allows us to know what’s open on someone’s computer, there’s a report sent to us post-match with that information.”
Moving forward in the face of adversity
Despite having what they believe is a solid solution to both playing online and safeguarding the integrity of the tournament, it would be understandable if a tournament organizer decided to postpone an event due to the recent exploit revelation and subsequent disciplinary rulings. Haworth assured Dexerto, however, that that wasn’t an eventuality BLAST considered.
BLAST have undergone plenty of growth in 2020 so far despite the difficulties, expanding into new titles like Valorant and Dota 2.
“We’ve never really moved our date around. We put our 21 days in the international calendar [that’s shared by all CS:GO tournament organizers] in April this year to try and provide full transparency,” he said. “We worked on this straight after the Spring Final, there were a couple of bits that we thought we could include like the coach cams but there were also a couple of things that weren’t ready for the Fall Series. We played around with them but weren’t sure if it would cause performance issues on players’ PCs so we didn’t want to risk it.”
Providing a fair and stable environment for the players isn’t the only difficulty: BLAST have plenty of staff that are needed to execute a full production. Having staff at home using personal internet lines isn’t the most confidence-inducing prospect, but the company has managed to execute a means of working that allows for maximum efficiency given the circumstances.
While online play, and the copious amount of events that are taking place, may not be ideal, esports has proven to be resilient in the face of extreme and unpredictable challenge. The Fall Series was revered by industry professionals and Counter-Strike fans alike, but it’s clear that BLAST are not resting on their laurels leading up to the next phase of the competition.