Nobody ever got fired for buying Microsoft?

Valve Software had the source code for their newest game, Half-Life 2, stolen in a security breach last month. The owner says a keystroke-logger was customized specifically to hack Valve, and was installed on their computers through a hole in Microsoft Outlook. Ouch. Game companies are notoriously secretive and security-conscious, and the fact that these guys got nailed shows that no one running a Microsoft shop is really safe.

One could argue that no operating system can ever be 100% secure, and that a determined hacker can get in almost anywhere. That argument is true. But the relentless drumbeat of Microsoft security failures makes it seem that you don't need to be particularly determined to hack into a Microsoft box.

A nimble systems administrator who keeps on top of patches and constantly studies and updates his or her knowledge can keep Microsoft systems reasonably secure. But running Microsoft means you can never let your guard down. You must properly install and maintain a firewall, and provide up-to-date virus protection on all computers and on e-mail. You must train users in proper security, and do regular scans of computers, both for viruses and for spyware and adware. And you must keep your fingers crossed that you won't end up in the crosshairs of a determined, talented hacker. If you're a small business, the odds of that happening are almost nil. But if you're a bank, or a big online merchant, or a game company, you're much more likely to be targeted, as Valve found out. And if you're a home user on a DSL or cable modem connection, without the interest or time to learn the basics of computer security, you're in a world of hurt.

From the tone of the stories I've read on this, and their overuse of the word "stolen," it appeared at first that the hacker had downloaded the game's source code and then deleted it from the server. Although Valve might not admit this if it happened, I would doubt that this is the case. Valve would undoubtedly be performing daily backups; for the hacker to remove or damage these as well as the copies of the source code on their servers would require that the hacker had been deep in the system for a long, long time. The code has actually been "copied without permission," not "stolen." (This is a distinction that would probably have greatly reduced the sentences of several computer hackers.)

The effect of the hacker's work on Valve as a company is unclear. Depending on who you listen to, it's a crippling blow or has no effect whatsoever. But one thing is clear: high-end security consulting companies will continue having good years as more and more companies realize the importance and difficulty of good security.