Rogers are a big media company, owning cable, cell phone, ISP, broadcasting, and sports team assets. Annual sales are around $14 billion. Whatever their excuse is going to be for this mistake, lack of resources to do things properly can't be it.
No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down
Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian telecoms giant Rogers have been found sitting on the open internet. The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered various …
COMMENTS
-
-
Saturday 25th January 2020 02:47 GMT Martin-73
I REALLY don't understand that attitude from Rogers (not denying it's true)...
For Joe Random Company, IT can be seen as an expense... But for Rogers it's their damn business... they SUPPLY INTERNET.. lol
The sports thing I've never understood, I don't do sportsball and have never understood why my bank, phone company and former ISP are proud to be associated with sportsball.
-
-
Friday 24th January 2020 08:32 GMT Anonymous Coward
"Having now seen Rogers’ standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time," said Coulls.
No they shouldn't, they should store / generate passwords in a password vault, keeping them away from any server and code until it's needed for runtime and having it generate a new one at every start and interval.
-
-
Friday 24th January 2020 18:05 GMT Jesterr
Re: Do you have a scalable way of doing that across a server farm?
There are a number of ways to do it. It mostly depends on how large of a farm, the topology/architecture, and the technologies involved. Centrify or HashiCorp's Vault are two examples that I can vouch for that work well in different environments. Considerations for on-prem only, on-prem/cloud hybrid, container based farms, etc. all will change the "best answer" but the answer is definitely out there.
A co-worker just mentioned cyberark when I asked him, so there's a third possible for you.
-
-
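The two comments above (pull credentials at run time rather than ship them in the source, and re-read them on an interval so rotation actually takes effect, using something like HashiCorp Vault) can be shown in code. The block below is an added example, not code from Rogers, from the leaked repository, or from HashiCorp. It assumes a secret held in Vault's KV v2 engine at the mount `secret` under the hypothetical path `rogers/db`, and that the host injects only `VAULT_ADDR` and a bootstrap `VAULT_TOKEN` via the environment; `FakeVault` is a constructed offline stand-in that mimics the KV v2 response envelope so the module runs without a server. The `BAD_CONFIG` dict is the pattern the article describes and exists only as the 'before'.

```python
"""Runtime secret retrieval versus credentials committed in source.

Added example (not Rogers' or HashiCorp's code). The application holds no
credentials at rest: it fetches them from a secrets manager at start-up and
re-fetches them after a TTL so rotated values are picked up. Missing or
unreachable secrets fail closed instead of falling back to a default.
Hypothetical path: secret/data/rogers/db in Vault KV v2.
"""
import json
import os
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# The anti-pattern: a credential baked into the repository. Shown only as the
# 'before'; the value is a constructed placeholder, not a real credential.
BAD_CONFIG = {"db.user": "app", "db.password": "hunter2"}


class SecretUnavailable(RuntimeError):
    """Raised when a credential cannot be obtained; callers must fail closed."""


# A transport is any callable that returns the parsed JSON body of a Vault GET.
Transport = Callable[[str], dict]


def http_transport(addr: str, token: str) -> Transport:
    """Real transport: GET {VAULT_ADDR}/v1/{path} with the X-Vault-Token header."""
    def fetch(path: str) -> dict:
        req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}",
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return fetch


class FakeVault:
    """Constructed offline stand-in that mimics the KV v2 response envelope."""
    def __init__(self, store: Dict[str, Dict[str, str]]):
        self.store = store   # keyed by "secret/data/<path>"
        self.reads = 0

    def __call__(self, path: str) -> dict:
        self.reads += 1
        if path not in self.store:
            raise SecretUnavailable(f"no secret at {path}")
        return {"data": {"data": dict(self.store[path]), "metadata": {"version": 1}}}


@dataclass
class SecretSource:
    transport: Transport
    mount: str = "secret"
    ttl_seconds: float = 300.0            # re-read interval so rotation takes effect
    clock: Callable[[], float] = time.monotonic
    _cache: Dict[str, tuple] = field(default_factory=dict)

    def get(self, path: str, key: str) -> str:
        now = self.clock()
        fetched_at, data = self._cache.get(path, (None, None))
        if fetched_at is None or now - fetched_at >= self.ttl_seconds:
            try:
                data = self.transport(f"{self.mount}/data/{path}")["data"]["data"]
                self._cache[path] = (now, data)
            except (SecretUnavailable, KeyError, OSError, ValueError) as exc:
                if data is None:
                    # Never read successfully: refuse to start with a guess.
                    raise SecretUnavailable(f"{path}: {exc}") from exc
                # Transient failure after a good read: serve the last-known-good
                # value and retry on the next call (timestamp is left stale).
        if key not in data:
            raise SecretUnavailable(f"{path} has no field {key!r}")
        return data[key]


def secret_source_from_env(env: Optional[Dict[str, str]] = None) -> SecretSource:
    """Only the bootstrap token and address come from the host; app secrets never do."""
    env = os.environ if env is None else env
    try:
        return SecretSource(http_transport(env["VAULT_ADDR"], env["VAULT_TOKEN"]))
    except KeyError as exc:
        raise SecretUnavailable(f"missing {exc.args[0]} in environment") from exc


def db_credentials(source: SecretSource) -> tuple:
    """What the application calls at connect time instead of reading BAD_CONFIG."""
    return source.get("rogers/db", "user"), source.get("rogers/db", "password")


if __name__ == "__main__":
    # Offline demonstration with the constructed stand-in.
    vault = FakeVault({"secret/data/rogers/db": {"user": "app", "password": "s3cr3t-v1"}})
    src = SecretSource(vault, ttl_seconds=60)
    print(db_credentials(src))
```

The point of routing everything through `SecretSource.get` is that a grep of the repository for `password` finds only the `BAD_CONFIG` placeholder, and a departing engineer's clone of the code contains nothing usable; the bootstrap token in the environment is the one thing to protect on the host, which is where an agent-based auth method or short-lived token belongs rather than a static value.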