No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down

Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian telecoms giant Rogers have been found sitting on the open internet. The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered various …

  1. thames

    Rogers are a big media company, owning cable, cell phone, ISP, broadcasting, and sports team assets. Annual sales are around $14 billion. Whatever their excuse is going to be for this mistake, lack of resources to do things properly can't be it.

    1. Blank Reg

      Too many companies only see IT as an expense, so don't be so sure that they have the resources to prevent such issues. When you only hire the cheapest staff that you can find then you get what you pay for.

      1. Anonymous Coward
        Facepalm

        Too true. Better control would have cost them every year while this breach was essentially a no-cost event - just some cleanup and a PR release.

    2. Martin-73 Silver badge

      I REALLY don't understand that attitude from Rogers (not denying it's true)...

      For Joe Random Company, IT can be seen as an expense... But for Rogers it's their damn business ... they SUPPLY INTERNET.. lol

      The sports thing I've never understood, I don't do sportsball and have never understood why my bank, phone company and former ISP are proud to be associated with sportsball.

  2. Bitsminer Silver badge
    FAIL

    We take...

    ...your security seriously.

    Seriously.

  3. KittenHuffer Silver badge
    Pirate

    I guess Roger is not very Jolly at the moment!

    See title!

  4. Anonymous Coward

    "'Having now seen Rogers’ standard of code, I have to point out that they should have set up server environment variables on the host machines, and then pulled any credentials and keys at run time,' said Coulls."

    No they shouldn't, they should store / generate passwords in a password vault, keeping them away from any server and code until it's needed for runtime and having it generate a new one at every start and interval.

    1. bpfh

      Do you have a scalable way of doing that across a server farm?

      Honest question: If you have a way of doing that automatically across multiple servers and services, I'm interested.

      1. Jesterr

        Re: Do you have a scalable way of doing that across a server farm?

        There are a number of ways to do it. It mostly depends on how large of a farm, the topology/architecture, and the technologies involved. Centrify or HashiCorp's Vault are two examples that I can vouch for that work well in different environments. Considerations for on-prem only, on-prem/cloud hybrid, container based farms, etc. all will change the "best answer" but the answer is definitely out there.

        A co-worker just mentioned CyberArk when I asked him, so there's a third possible for you.

        1. bpfh

          Re: Do you have a scalable way of doing that across a server farm?

          Thank you! I have some reading to do!
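
The two approaches argued over in this sub-thread, side by side, as an added example that is not part of the original comments or of any Rogers or vendor code: reading a credential from the host environment at run time, and leasing one from a vault that is replaced at every start and interval. `FakeVault`, `LeasedSecret`, `from_environment` and the `billing-db` role are hypothetical names, and the vault is a constructed in-memory stand-in rather than a real product's API.

```python
import os
import secrets
import time


def from_environment(name):
    """Environment-variable approach: value is set on the host, read at run time."""
    value = os.environ.get(name)
    if not value:
        # Fail closed instead of falling back to a default baked into the code.
        raise RuntimeError(f"{name} is not set; refusing to use a built-in default")
    return value


class FakeVault:
    """Constructed in-memory stand-in for a vault that mints credentials."""

    def __init__(self):
        self.issued = 0

    def issue(self, role):
        self.issued += 1
        return f"{role}-{secrets.token_urlsafe(16)}"


class LeasedSecret:
    """Keeps a credential in memory only and replaces it once max_age has passed."""

    def __init__(self, vault, role, max_age, clock=time.monotonic):
        self._vault, self._role = vault, role
        self._max_age, self._clock = max_age, clock
        self._value, self._fetched_at = None, None

    def get(self):
        now = self._clock()
        if self._value is None or now - self._fetched_at >= self._max_age:
            # First call after process start, or the interval has elapsed.
            self._value = self._vault.issue(self._role)
            self._fetched_at = now
        return self._value


if __name__ == "__main__":
    ticks = [0.0]  # injected clock so the rotation can be shown without sleeping
    db = LeasedSecret(FakeVault(), "billing-db", max_age=300, clock=lambda: ticks[0])
    first = db.get()
    ticks[0] = 299.0
    print("same within interval:", db.get() == first)
    ticks[0] = 300.0
    print("rotated after interval:", db.get() != first)
```

Because each process leases its own credential on start, the same class works unchanged on every server in a farm; only the vault has to know how to mint credentials for the role.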

  5. Pascal Monett Silver badge
    Coat

    "We have multiple layers of security"

    But keeping our code from public viewing is not one of them.

  6. JaseCoulls

    Update

    Update: Rogers said no data got out. I’ve reached out to a Rogers customer whose data has not gotten out, explaining where it did not get out, and advising them to contact Rogers to discuss how it did not get out.

    1. WolfFan

      Re: Update

      You can expect a DMCA cease-and-desist note from Rogers' lawyers.

      Enforcing it may be... difficult.

  7. Anonymous Coward
    Trollface

    Just think ...

    ... how much worse it would've been if they'd been infiltrated by Huawei instead of Oracle-supplied kit.

    No, wait ...

    I'll get me coat. It's the one with the Trump for POTUS slogan on the back.
