Dear Tim,
Oh yes Kalmany still exists, but it’s a little broken; not so much the simulation, the little Kalmans are still going about their days, voting, electing, but the site i.e. the Aquarium is down. And it’s partly my fault.
With a large amount of refactoring, I managed to upgrade the database and the scripts that run the simulation with little pain. The next step has been a little arduous as I revamped the API and began the process of committing it to a repository. Silly me, however, didn’t vet my code before it hit GitHub and I managed to reveal my AWS root access key to the internet.
Let me repeat. My AWS ROOT ACCESS key. To the internet. I knew Kalmany would be open to abuse, but I obviously thought I’d allow the actual infrastructure to be compromised. Luckily Kalmany is not widely used so I didn’t have a proper security breach (though that’s technically what happened as my email was accessible), but I did have bitcoin miners attempting to launch several large EC2 instances on my infrastructure. AWS’ support was nice enough to let me know that I was stupid and had attempted to tell me that I had done something stupid, but I, being oblivious, was too busy doing something to realise that I’d committed the code a month ago.
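A pre-commit check that would have caught the key before it reached GitHub, as an added example and not code from the original letter or from Kalmany: it scans the staged diff for AWS access key IDs and secret access keys and refuses the commit on a hit. The sample config below is constructed and uses AWS's documented placeholder credentials, not real keys.

```python
import re
import subprocess
import sys

# Long-term AWS access key IDs are 20 characters starting with AKIA (ASIA for
# temporary credentials). Secret access keys are 40 base64-style characters;
# they are only flagged next to a secret-key style assignment to limit false positives.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: AWS's documented example credentials, not real keys.
SAMPLE = """\
# constructed sample config
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
"""


def _hint(value):
    # Enough to locate the credential in the file without echoing it in full.
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text):
    """Return (line_number, kind, redacted_hint) for every credential found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", _hint(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", _hint(m.group(1))))
    return hits


def staged_added_lines():
    """Only the lines `git commit` is about to add; line numbers refer to this list."""
    out = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; a non-zero exit aborts the commit.
    findings = find_aws_credentials(staged_added_lines())
    for lineno, kind, hint in findings:
        print(f"blocked: {kind} ({hint}) in added line {lineno}", file=sys.stderr)
    sys.exit(1 if findings else 0)
```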
So after they got in touch, I had to hit the deck and clean up after myself. Everything secured. All access keys rescinded, and recreated. Accounts wiped and created. Removed all those EC2 instances including some Auto-Scaling Groups the thieves had made. They put them across a couple of regions as well which was annoying. Then I checked my VPCs and removed anything that was unnatural, or any security groups granting them access.
Then my git repos got a wipe – all their histories had to be destroyed to eliminate any chances they contained information, and I did that across them all (apart from the frontend – not so worried about that one).
But to be absolutely sure, all my Lambda functions are gone. I’m going to rebuild them anyway, so their code is all stored in my git repo. But on the off chance any of them were modified without my knowledge they’re gone.
External access to my DB is gone – only my computer, my script EC2 instance, and my Lambda functions can continue to speak with it.
Because I already switched how I would be deploying my application, I was able to remove some of the access rights I had – no more Root Access key, now I’ve got specifically privileged accounts to handle each of my deployment mechanisms. Really, the whole process has meant I’ve just gone all out on hardening the platform. A better step now is to ensure my site is fully protected, and checking the hardening measures available in React.
I’ve also set up a budget to protect my interests. Any forecast of more than $25 will flag, which is the amount that I’d expect it to rise to, and $50 being my ultimate limit. I’m not making money, I gotta keep costs down!
But it just means that a deployment system I’m happy with is imperative right now. With the security measures I took, I was able to save myself from wiping out my account and starting fresh, but if I had, my database would need rebuilding, and so would my scripting machine (maybe EC2 should just be Lambda functions too…). I had started playing with Jenkins to handle this, as my builds are meant to be rudimentary enough that I shouldn’t get into a situation… well a situation like this: my DB is on v2.0.0 and my site and API are lagging in v1. They’re not matching and it means that at the moment, Kalmany can’t display any DB data at all. We can’t watch the elections!
But not to worry – like I say, there’s no audience apart from me and a few friends. And it’s best I had an attack like this now rather than if I had hundreds of people logging in. Then a security breach like that would be even worse and a harsher headache…
Anyway, once we’re back and running, we’ll continue with v2 and have our new government sectors and industries show up. We’ll also be showing off genders and sexualities in better representation. It requires a bit of playing with the API to return the data quickly enough and cleanly enough, but future updates will be less of a bore and more of a tweak here and there. That’s the overall intention!
Anyway, I hope that’s a sufficient update. I hear that the Black Hand has risen again, and you’re trying to foil their latest plan. I heard on the grapevine they’re planning to steal the Louvre Museum – like the whole building. You can beat them! You did it last time at Milan, you can do it in Paris. Just remember: the monkey is the dangerous one.
Yours,
Stan
