30 Nov 2021
There was a security breach over Thanksgiving weekend for the customer I’m contracting for. Another engineer had pushed some code to a public repository that contained the customer’s GCP service account key. The key was quickly impersonated and a malicious hacker spun up a couple thousand virtual machines for cryptomining. This caused a daily bill upwards of $100,000! Knowing what I know now about crytocurrency mining, the capabilities of infrastructure-as-code, security, and scripting; I came to the realization that hacking does not need to be as difficult as I had originally thought. Also, I was extremely thankful that I never think my code is worth sharing to ever push it out publicly, therefore this scenario could never happen to me (knock on wood!). I can’t even imagine what I would do if I was the reason for the sum of money lost that’s greater than my net worth! I’d probably quit in shame and become a snowboard instructor 😂.
One of my specializations is in security, but it’s simply a necessity in this industry and not for passion or fun. Unfortunately, you’re doing a great job at security if nothing scandalous happens and you spend your days documenting for various departments the reasons why their permissions were locked down. It’s pretty high risk and low reward being a security engineer. Not for me!