blackroad-os/alexa-amundson-resume
9
0
Fork 0
mirror of https://github.com/blackboxprogramming/alexa-amundson-resume.git synced 2026-03-18 03:34:08 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
32fdb3feb73a151e8140c6da77e31f63a2d31f8a
alexa-amundson-resume/roles/14-security-engineer.md
Alexa Amundson ec7b1445b5 kpi: auto-update metrics 2026-03-13 
RoadChain-SHA2048: c645c1292ab1555e
RoadChain-Identity: alexa@sovereign
RoadChain-Full: c645c1292ab1555ebe6982915536d1c94701ff6bb16c20ed6ef4144eb50c9f984b4bfe5b9902109e8defd958d6be43ced8ec11cf95d6241536cd4da0b75f8fb48cbeb1b9f450c8f665b73d39e837d23e73e2ba4201af4dc40c02a34283efb04b39c612083465536f194f16adfadb1b56f714a65b918f40750f54eebf7724236861de173ec31963ff3b1b988d712be7e5acc3fe391eb804d3fdcfb9ccf77afc732660d23fff801f894318327eabf775eb4f4e67f7f22d07f23b0e17f6594cfe95b83b275fb7baaa97115e86562604fc5b47cc8024574b61396924e0ee2b7e454b0a1480c3076c7ad72408ceb4a75360d2d49c7d805c37ac5315af00e4a8ca2262
2026-03-13 23:16:12 -05:00

2.3 KiB
Raw Blame History

Alexa Amundson

Security Engineer

amundsonalexa@gmail.com | github.com/blackboxprogramming

Summary

Found a crypto miner, a cron dropper, and a leaked PAT in my own infrastructure. Cleaned all of it, rotated credentials fleet-wide, and rebuilt security from zero-trust architecture up — because the hardest incidents are the ones inside your own network.

Experience

BlackRoad OS | Founder & Security Engineer | 2025Present

The Incidents: What I Found and How I Fixed It

  • Obfuscated cron dropper on Cecilia — exec'ing from /tmp/op.py every 5 minutes. Traced it, removed the cron entry, cleaned /tmp, audited all nodes
  • xmrig crypto miner service configured on Lucidia — unit file referencing mining pool. Service removed, system audited for persistence mechanisms
  • Leaked GitHub PAT (gho_Gfu...) embedded in a systemd service file on Lucidia — removed from config, token revoked on GitHub, all secrets migrated to chmod 600 env files
  • 50+ SSH authorized keys on some nodes — audited every key, identified which ones are active, locked down access paths

The Architecture: Trust Nothing by Default

  • Zero open ports — all external access through Cloudflare tunnels. No port forwarding, no exposed SSH, no public APIs
  • WireGuard encryption for all inter-node traffic. UFW with INPUT DROP policy on edge nodes. Credential rotation enforced fleet-wide
  • GitHub security scanning workflows check for AWS keys, tokens, passwords on every push — catches secrets before they ship

The Lesson

  • Security isn't a feature you add — it's what you find when you actually look. Every fleet needs an adversarial audit, not just a firewall

Technical Skills

incident response, malware analysis, credential rotation, WireGuard, Cloudflare tunnels, UFW, SSH, Linux hardening

Metrics

Metric Value Source
Failed Units live services.sh — systemctl --failed via SSH
Fleet Nodes live fleet.sh — SSH probe to all nodes
Systemd Services live services.sh — systemctl list-units via SSH
Tailscale Peers live services.sh — tailscale status via SSH
Nginx Sites live services.sh — /etc/nginx/sites-enabled via SSH
Nodes Online live fleet.sh — SSH probe to all nodes
Reference in New Issue View Git Blame Copy Permalink