Welcome to The Homelab Show, episode 75: privacy, security, and some Q&A. This is kind of a part two to the one I did last week. Jay was off that week, but we talked about a lot of things: don't open your ports, don't just expose everything, make sure you have a plan to update and execute that plan to update things, segmentation. That's all in episode 74. We may address a few things and expand upon those in this one, but we're going to talk about the other side of it too, which is some of the privacy things you might want to think about doing, because I focused on security things. Security and privacy: I see people conflate them a lot, but they're two different things, and sometimes the two are opposed to each other. There are different methodologies you need to follow to get those set up.

Before we dive into that, one way to protect your privacy is... oh no, it sounds like a VPN ad. It's a Linode ad. But you can protect the privacy of the things you host by hosting them with Linode, so people don't have your public IP address. We don't want to do any VPN ads, but if you want to run your own VPN because you don't want to trust those VPN companies, Linode would be the place to run it. They've been a sponsor of the show for quite a while. They're a great place to host many of the projects we talk about on here. We thank Linode for sponsoring this show, and we don't thank any VPN company, so when we mention privacy VPNs, none of them are sponsoring the show. It's completely Linode: a great place to host things, a great place to host your own VPN or any of the services, as I said. There's an offer code down below to get you started with Linode, and I'll thank them again for sponsoring.

Let's jump into it. Jay was wondering, "Tom, do we get a VPN sponsor?"
No. You know, it's hilarious, because I've had a few, as I think every YouTuber of a certain subscriber age will have: "Please mention this on your channel," and all the money and commission and all this other stuff. And I'm thinking, that's great until you're publicly exposed and you're making fools of yourselves on the news, and I've got to go back and change all the recommendations to get rid of it. Yeah, no thanks.

Yeah, there's a comment in the back end, and we'll come back to this in our VPN one, because a lot of people ask about privacy VPNs. We're going to touch on them here. There's a limited amount of trust I have for those companies, no matter how much they claim. It's a hard claim to hold up, so to speak, that they don't audit or don't retain any logs or anything like that. They'll say "independent third party," but honestly, do you know the third party? Do you know them? It is kind of a trust problem with them, to just make the assumption from all the marketing speak they put on there. And if it's not true, who holds them accountable? They're registered in different places, often not inside the United States, so you're now relying on the laws of those areas to do it. So I'll get off my soapbox about VPNs for the moment. We will be bringing them up though.

You don't like my independent third party provider? I mean, my friend owns the company. He's a very independent person, I'll have you know.

Yeah. They're never logging until they are. That's the thing. Right, never logging until they are. They weren't logging when they did the report.
All right. Now, one of the things that Jay brought up first, and this is one I don't think I deeply covered, is Jay wants to talk about some CVE myths. This is more on the security side than the privacy side, but I think this is worth bringing up.

Yeah, and I feel like these myths make sense, because this is not to shame anyone. This is not to, you know, crack the whip: "you shouldn't think this way," because everybody does at a certain point, right? Because you start off, and then you learn and you learn, and then you learn, well, maybe I should start caring about the things that I didn't think I should care about. So what I mean in particular is when you have vulnerabilities that really don't seem like a big deal at all, like, "yeah, I don't care about that." Obviously, if it's a vulnerability for a piece of software that you don't run, of course that's the situation where you are probably off the hook. But even then, is there a library that's shared between applications? That could be a thing. But specifically, let's say you have a remotely exploitable CVE or vulnerability and one that's not. So obviously the one that is remotely exploitable is a higher priority. That's always true. That's not a myth, that's fact. I mean, obviously you want to close that down first. But what is a myth is when you have a vulnerability that is not remotely exploitable, then you might think, "I don't care, because my application just doesn't route to the internet. It's internal only, so I don't care." But you should, because that's how lateral movement happens. If somebody gets into some other app, then maybe all they need is that other vulnerability to get further into your system or to escalate their privileges. So even a low priority bug could be a big deal.
So that's why I often tell people, don't just focus on the fact that it's remotely exploitable or not, because you'd be surprised what threat actors can do with that, and that's why all updates should be installed. And sometimes, I think you wanted to mention something about this too, where you have a low score for a vulnerability but it's not really low in practice.

Well, and this is where vulnerability chaining becomes a really big deal. For example, I think it was Dirty Pipe that came out this year in Linux. You're going, "doesn't affect me, because I'm the only one with a login to my Linux machine. It's a low vulnerability. I'll patch it later." Except Log4j: if you have something using Log4j, and that something happens to be publicly exposed, if you exploit Log4j you're able to... and we'll use UniFi as an example, because it's popularly used. UniFi was vulnerable, as many other things were, to the Log4j issue, and UniFi properly runs as the UniFi user. So if you have this publicly exposed, someone could then pivot in, use the Log4j exploit, and then go, "well, all I got was the UniFi user, and it's pretty limited." Aha, they didn't patch for Dirty Pipe, because they thought, "hey, no other users are logging in here, only me." But now you privilege escalate again. And that has been successfully done; people have proved that you can chain Log4j to a lot of other things. So those little things you didn't patch, that you thought were, "well, they're internal," or "they require a user to be on my system to exploit," suddenly became a lot bigger of a deal. Directly talking to you, as in the homelab folks: this is still where browsers are a big threat, because if there's a small problem in the browser to escape, the same problem can apply. If there's a small vulnerability that gives them lateral movement, the browser exploit could then bring them further to where they need to be. So it's just all those things to really take into consideration, to try to make sure things are patched
internally and externally.

Absolutely. Yep. Absolutely. So yeah, definitely don't write off a CVE or vulnerability unless you really dive in, but also keep in mind lateral movement, because I feel like that's something we talk about a lot, actually, because it is what happens in the real world. It's not just about one system. It's about how do I get to that system? I might have to get through like five other systems to get to my target. But how that person gets to their target is all dependent upon which things are patched and what's not.

And to borrow some common phrasing, as I see people putting in the comments on there: your north-south is your egress and ingress through your firewall, and your east-west is a common term for that lateral movement, as in adjacent machines inside your network. So your north-south is where your threats are going to come in, but your east-west is that lateral movement. Those are common phrases you'll hear in the security community when you're looking these up, in case, you know, we say lateral movement, but it does also mean your east-west movement, for those of you that are wondering what that nomenclature means.

Yep. Another one is, someone might be under the false impression that if they are fully patched (by the way, good for you if that's you; if you're fully patched, you are an awesome person), someone might think that they're just bulletproof. I don't actually think anyone really thinks that, but they might have an overheightened sense of security or something like that, and the reality is the most dangerous CVEs are the ones that haven't been reported yet, the ones that the general public
just doesn't know about. So if you are patching your systems, as you should do, then you are patched against the things that are known. But if I was a threat actor and I found a really awesome vulnerability that just let me go right into a system, I'm not really trying to let people know that I have that in my toolset, because the minute that I do let somebody know, that's when things start to get patched, and then I can't use that anymore, because now it's being patched. So as a threat actor, I might keep that and use it as much as I can until people find out about it. So in that sense, that's when your disaster recovery and disaster prevention plans come into place. Can you delete a server and then spin it right back up if something were to happen to it? I hope so. That being said, I would say that homelab people aren't going to be as much of a target as a company, but don't let that false sense of confidence stop you. Just make sure you have good backups to curb that kind of thing, because you can't really protect what you don't know about. So there's really not much you could do about that, but just be aware that it is a thing. So that way, if you do everything right in your own opinion, and maybe we have some friends who are into security look at it and they agree you did a pretty good job, it doesn't really mean that you're not going to have a problem.
It's just a lot less likely. But I mean, in today's day and age, you could be playing an online game and just winning. It's totally, you know, I don't know, Street Fighter 6, and you're just knocking people out left and right, and someone is so upset with you in particular that they map your username to something, and you've got a homelab, and next thing you know they're in your system. And yeah, that's not good. Now that might sound like a funny hypothetical story, but things like that actually happen nowadays. I mean, I remember when sore losers were just sore losers, right? But basically, just keep everything patched and make sure you have good backups.

Yep, but I'll leave you with Mike Tyson's favorite cyber security quote. I love quoting him, and this is my favorite quote he's ever said to apply to cyber security: everyone has a plan until they get hit in the face.

That's not wrong. You still should have a plan, but yeah, be prepared for if something goes really, really wrong.

All right, what is next on our list here? So Tails was something I think we wanted to bring up, and I haven't used it much, but I have used it. I have checked it out, and unless anything has changed (and correct me if I'm wrong, because I think your knowledge is probably more up to date), it's a live CD. I keep saying live CD, but a live USB.

Yep, that's a live USB, live image distribution that focuses on privacy, doing some pretty clever things to warn you if you might be tracked in ways you might not have thought about. It's a good idea or a good solution if you just want to browse and not be worrying about all these trackers, or whatever it is your use case might be.

Yeah, Tails is a really cool project, and you don't load it on a system. You leave it on your USB. You boot from it.
You can run it virtually. There's a couple extra clicks you need to do. It warns you, because if you run it in a virtualized environment, there's still some tracking information that may come from this. But Tails is really cool, because if you're looking for a way to truly be anonymous online, it's going to use the Tor system, and it's going to force everything through the Tor system. And truly be anonymous online... maybe that's a little overstating it. I don't want to bolster confidence. There are methodologies, and I've talked about this a while ago, referencing some of the DEF CON talks on this, of how you figure out something on Tor. It's not easy. People say, "oh, Tor's been compromised," or whatever. It has not been compromised. There are ways, if you have enough exit nodes, you can basically look at certain things and try to figure out who those exit nodes and entrance nodes are, by sending data and looking at some of the nuances of the way data traverses. It's not like it just automatically makes you findable. So in general, unless you have someone who has the resources to do something like that, nation-state actors, Tor is a reasonably good way to remain private. I happen to be wearing my Tor shirt today, but that's actually because of the other side of Tor: I have a video that'll be up within the next 24 hours that is how to block Tor on pfSense, because the other side is, of course, for all of its great uses, the reason it's so popular is people like to use it to poke back at things. So it's good and bad. But Tails is a good way if you want to look up something and not really be tracked. It's a solid process for this. It also doesn't have any persistence. It just lives on that live USB, and that's it. So there aren't any settings that stay.
There aren't any browser tracking cookies, because it spins up a new one each time. It also makes sure everything's always going over the Tor network. It doesn't even let the browser do anything until it establishes those connections. It's actually kind of a cool way to learn how Tor relays work and some of the functionality of it. So it's a really, really clever system. I highly recommend you check it out. It's a nice all-in-one. So instead of just running a Tor-based browser on your desktop, this goes a step further, as it wraps the entirety of the system in Tor.

Yep, that's a really good explanation, actually.

Yeah, it's a nice system. I'll give a shout-out, though it's been a while since I've used it: Parrot has that built in as well. Parrot OS has a way to flip itself into Tor mode. I believe they still have that built in; it's been a little while. I've got some older demos on Parrot OS that do it. Parrot OS is another operating system similar to Kali, where they've got a lot of tools built in, but it's more built to be a daily driver than Kali is, for starters, like a Linux distro. It's been a little while since I reviewed it. I know they've done a lot of work in the past, and I thought it was great, so it's probably still a pretty reasonable operating system that has Tor built into it, but it's been a minute since I looked at it. I'll just give them a runner-up to Tails. That one's kept up to date and is a good, solid project.

Yep, and that it is.

Now, when should you use privacy VPNs? We were obviously saying we have a limited amount of trust for these companies, but there is zero trust I have in large ISPs. This can be a challenge if you're in an area where they're filtering, where they're blocking. This is a constant battle over anything related to, usually, rights, when it comes to copyright issues and things like that, or issues of content based on where you're located.
So you're located in this country, but that means you're restricted from watching this show in that country. These are good reasons to use a VPN, in terms of getting around these types of weird, I don't know, lawyer-invented copyright problems. You know, it's like, you're not trying to not pay for this stuff, you're just trying to do it. Also, if you're seeding ISOs, the torrents, things like that, your ISP may frown upon that, so you probably want to consider one of the privacy VPNs for that. That's another good reason to use it. Now, just keeping things from your ISP, from a US perspective, I don't see it as overly necessary, like "I must route all things to a VPN because I'm worried about Comcast or Wide Open West," the two providers I use, seeing my details. But if you live elsewhere, this may be a bigger concern. I know there are some new laws coming in a few different countries where you may not want them tracking a lot of it, because that can be a different problem, because the government's entanglement with the ISPs is a little deeper than it is here in the US. So something to consider when you're using those, and those may be some good use cases. But please remember, you're still just pushing that trust over to one of these VPN companies. As long as they are reputable, and they all claim to be, of course, just take that into consideration when you're doing it.

Yep, I would use one when I'm basically at a cafe or diner or something like that, just browsing the internet. I'll often use it when I do that. But yeah, I do agree. I feel like a lot of the VPN providers out there just kind of overvalue their security and purpose, like, "you'll be able to do anything you want, nobody will know." Really, like, no, that's not how it works. But, as you're right,
it does absolutely have some use cases. I used it once to buy a CD from another country because it wasn't released in the United States, so the only way I could get to the order page was to go through a VPN to buy the CD, which is weird, but I was able to get it. And there are a lot of ones like that too that'll come up every now and then.

Yeah, also worth mentioning, and you had mentioned this: I remember one of the big mainstream newspapers had an article about not needing a VPN at your coffee house or McDonald's anymore. They made some good points in that article, and it's probably worth noting that since most things have moved over to HTTPS, and you have the opportunity to use DNS over HTTPS, that's actually become less of a need. Also, this is something to think about from a big perspective here: how many hackers are hanging out at the coffee shop all day to try to attack another person at the coffee shop? Statistically, the probability goes down. People like to get excited about things and tell you this can be done: "look at us redirect this person's DNS and ARP poison this network at the coffee house to try to get Tom or Jay." That's a targeted attack, where someone's trying to get us, and just because it can be done, how many times are hackers really hanging out there trying to interfere with people's DNS? It's statistically less probable.
I'm not saying that the chances are zero, but the chances aren't a whole lot above zero unless someone's actually tailing and targeting you with these. So it's not like I would say every time you need to do this. Also, as I mentioned, DNS over HTTPS: if you're using a protocol like that, that's not as spoofable. Someone would have to actually actively block that on a foreign network to stop you from getting the DNS. Most of what you're worried about is them poisoning DNS to send you somewhere else, but poisoning DNS doesn't get you a valid SSL cert. So I can't just make up a new version of Amazon and then your system will go, "oh, this is the Amazon." It's going to need a valid SSL cert that matches things. So it's not as arbitrarily easy. I mean, there are hacker scenarios, and you can set these up, and it's a great learning opportunity. It's just not a constant, likely opportunity to do that.

Someone said in here, and this is another option: why not just use your home VPN when you're out? Yeah, that's an absolutely great idea. If you're using something like pfSense, combine that with something like Tailscale, because it's really easy to get set up, and you can use Tailscale as an exit node and then you can VPN always back to your home. That's absolutely a way to do that as well.

Yep, and I think some of the coffee shop mentality, I don't know how much of it, probably came from the Firesheep era.

Oh yes, Firesheep. I loved Firesheep. Those were the days, back in the days before Let's Encrypt kind of pushed the world forward and everyone got a little bit more conscious of the dangers of this. Yeah, in the early days Firesheep was a lot of fun. If you look for some old videos, I want to say they're titled "men in gray," and they're using Firesheep to session-steal and everything else. It was so much fun, the things you could do, because nothing was encrypted.
We used to, at one of the hacking events years ago, put a screen up, and we grabbed anything that was passing in clear text and reassembled it on the screen. It was actually a lot of fun. You could do so much stuff when things weren't encrypted. It was quite the disaster. So I mean, things have come a long way.

I mean, I remember when I first started college and my teacher was saying how secure Windows 2000 was, and he just went on this rant about how great the security was, and then he looked at all the computers in the room. He's like, "why is the Task Scheduler open on every computer?" I'm like, because I just hacked into it while you were talking. I just launched that app on every computer in the room. It was great. But, you know, then after that, Firesheep and all that, I remember Steve Gibson saying that you should always use a VPN when you're in a coffee shop because of things like that. But you are right. I mean, the technology has excelled in terms of security to where it's not as important as it used to be. Right, but then again, you've got to make the choice for yourself. I think I really like the idea about just VPNing back home, because you can literally just, at home, send all of your logs to /dev/null, and you have all the power to do that if that's what you want to do, and you don't have to worry about that not being the case, unless you broke something, right?

So yeah, I have each of my VPNs, as I set them up.
I always install them twice on my laptop. One is labeled split tunnel and one labeled full tunnel. They're the same VPN, and in Linux it's really easy, because it's just a checkbox of where your routing goes. Full tunnel means send all of my traffic back, encapsulate it; I want not just the resources that are on my VPN and on my local network that I'm VPNing into accessible, I want all my traffic to go out that way. The split tunnel is, well, I don't necessarily want the speed hit that may come with tunneling all my traffic back. I'm just watching YouTube videos here at this McDonald's, and I only need to access this particular resource over here, because I want to log into something that I need to grab that I have at home. So you can also think about it that way too, you know, to make it pretty easy to set up.

Yeah, then meanwhile I'm going to McDonald's and getting on their Wi-Fi to see if I see McDonald's ads on Burger King's website.

Oh yeah, that kind of person. Exactly.

The next one, and someone asked this, this is very relevant, because they said, "how about email? Do you exchange encryption keys with your business card?" The answer is, for me and Jay and many other people in the security community, Signal messenger is probably the most popular one out there, hands down. I think the problem with email is, even though PGP exists, it never got to the point where it's easy to use. So I never consider email part of secure private communication. It's all best effort. But in terms of, if I have something that I don't want... if I have a real, you know, I need a secure line to talk to someone, because you can do conferencing over Signal, you can do messages over Signal, I can do phone calls over Signal. Signal is amazing when it comes to that. They are set up as a foundation. The history of Signal is actually interesting, because it's not just some project. Moxie Marlinspike, when he put this together, set it up as a foundation run on donations so they can maintain it.
So it's not like, "hey, here's this project over here, I'm going to throw it up on GitHub and make it open source." There's a lot more to Signal than that. Now, the other thing about Signal: it's good for secure communications, but a lot of people get mad, going, "but it makes me use my phone number," and I actually think that's why I like Signal so much. One, it's easy for me to do a key exchange and verify someone and identify them. I have Jay's phone number because he's a friend of mine. I have many of my security people; I know their phone numbers because they're friends of mine. I actually had seen some comments, because I've got several videos on Signal, where people were debating, "but Tom, I want to be anonymous. What if I send something to someone? I don't want them knowing who I am." I'm like, well, you're usually sending something not nice to someone if you don't want them to know who you are. Signal is all about the privacy, and because it requires a phone number and is not anonymous, that makes me happy, because I always know Jay's going to come from Jay's phone number, Tom's going to come from Tom's phone number. If someone were to clone Jay's phone number, well, in Signal his ID would change, and I would have questions, and Jay would have to validate why his ID changed on there. That validation of ID is what keeps your spammers down, which helps me understand and be solid with knowing who Jay is at any given time. That's one of the reasons that I've really liked Signal. I think it's just one of the best ones out there. I wish it had better adoption outside the security community, but man, when I go to a security conference, like all of our group chats... I'm going to a hacker conference, I leave tonight, and I already know the group chats are all going to be set up in Signal, because all my friends that are going to be there already have Signal. That's just how you communicate with them.
It's a really good one to do for secure communication.

Yeah, and totally spot on, everything you just said. I remember at least one company trying to make PGP happen. You know, it's kind of like the phrase from Mean Girls: "stop trying to make fetch happen. It's not going to happen." It's like, yeah, PGP is used by a lot of people, so I can't say it's not happening, but it is the case that it's not happening in the sense that a lot of people are just going to not understand the complexity and why it's necessary. There are Thunderbird add-ons and things that make it simpler. But until your non-computer-interested person can easily use it, it's just hard to make it hit mainstream. But there are alternatives. So yeah, go that direction. I sometimes will encrypt a file and email it as an attachment, and then some random amount of time later I might call the person and give them the password over the phone, or maybe email, but I don't like to do that. But at the very least, I try to encrypt it that way, which people generally understand: they open up a file, it asks for a password, they need a password, they need to get that from me, and usually that's probably an okay way to do it.

Yeah, and the number of users, which surprises me over time, is the number of just general people I know that start using Signal now. That's not really happened in the PGP world, but from the perspective with Signal, I'll randomly find out, "hey, your friend so-and-so," and I'm like, huh. And they're not computer friends, just general friends
I have using it. So I actually see it. One of the biggest things that happened in Signal was Elon Musk. For whatever reason, he decided to tweet about Signal and it got popular. I think that since then they've actually increased the number of users on there, because, well, Elon tweets things and people follow them and get excited about it. But nonetheless, more people are using it. Me and Jay were just talking before the show, because I was like, I actually have my wife using it, because I told her I'd only reply to Signal messages. The other thing about that is she found out, when she loaded it on her phone, more of her friends have randomly started using it, and my wife doesn't work in the tech world at all. So it's slowly becoming more and more popular, which is really cool.

So maybe if they would have come out with a PGP messenger, it would have been a lot more successful.

Yeah. I see people asking about Telegram. I think it was Bruce Schneier, I'd read he was quoted, he's a really famous cyber security person, I think he said something along the lines of, "I'd rather be poked in the eye than keep looking at this messy code that Telegram wrote." Telegram is kind of a weird one. I don't use it. If you want to use it, I don't know of any known flaws with it, but they kind of rolled their own security in a unique way. I know there have been some bugs here and there with it, but I don't really use it. It seems to be popular amongst, well, Lapsus$ was using it, I believe, and a few other hacking groups were using it. I don't know that it's a terrible program, but I'm less interested in it personally. Signal's kind of my go-to between the security researchers. The fact that it ties it to a phone number, so I can validate the person on the other end and don't have to deal with any spam, it's been a solid one for me to use.

I feel like Telegram was great up to a point.
I still have it on my phone and I still have a few people that use it, but not really. It just seemed like it had a lot of momentum and then it kind of just slowed down, and then everyone else caught up to it. But there are still a lot of people that use it. I don't know. I think one of the things about Telegram is they have a lot more chat rooms, kind of like you would have with IRC, but it's not as cool, basically. But yeah, I barely look at it anymore, and it's not a decision that I made to stop using it. It just kind of fell out of favor on its own. It's kind of weird.

Yeah. It's not really... I would say I see more of the hacking groups using it. I mean, I have security friends that definitely are using it, but they'll communicate back to me with Signal, not on Telegram. They'll communicate generally with some of the things you're watching, so I believe it's, as I mentioned, Lapsus$ and a few others that have their channels set up, or they're dumping all kinds of things.

So yeah, and back to hiding your phone number, trying to make it more anonymous: a lot of people do that. I don't want to communicate anonymously, honestly. I want to communicate privately with people without anyone listening. I also like the fact that, and I set this up, anyone who's friends with me on Signal knows this: the first time you pop up on Signal and message me, you'll see me immediately change to disappearing messages over x amount of weeks. I like the fact that these conversations are generally ephemeral. I think that's important. I don't think we should always just keep data forever, even if it's a small number of kilobits of data. I'm not big on keeping all the data all the time.

Makes sense.

All right, what was next on our list? All right, let's see. Oh, the... "If I have nothing interesting going on, why should I care about privacy?"
I think most of us probably understand that on The Homelab Show here, but it's a good topic to bring up.

I think it really is, because a lot of it is about the idea more so than... not only that. I mean, there are also wrong impressions. What if you're looking up a recipe and then... well, I guess I can't think of any recipe that would actually get the bomb squad called to your house, but there have been false accusations that would come out of this. But either way, if you don't know what your privacy, or your information, is being used for, then it's probably easy to make that claim. But when you start to see what's being done with your privacy, I think that is very important, and I feel like we all have to care, because it's all about the weakest link, right? If too many people just don't care about it, then nothing's ever going to be done. They'll keep doing what they do. They'll keep tracking you, they'll keep pulling your information, and it seems like it's just getting worse. I remember at one point I would not necessarily defend Facebook, but I would just say, if you want to use it, you've made the choice to have your personal information used for marketing purposes and whatnot. At least then you know what's happening. But then later on they're harvesting information even if you don't have an account, and that's just really insane to me. And even if you don't feel like you have something that you care about other people knowing, you're allowing it to happen, and by allowing it to happen, you're kind of just allowing this to proliferate even more. And I feel like we all have to take a stand. It may not be that we have something interesting. Maybe all we do is watch cat videos after work every day. I mean, come on, who doesn't do that, right? But the idea is that the more people stop caring, the more these issues happen, the more these companies decide that they're just going to do whatever they want, and they just don't care.
There's no incentive for them to not take their privacy-capturing shenanigans to another level, and they will.

Yeah. And there's been the back and forth, you know, with Facebook and all of our social media companies. One of the things I've kind of come to a conclusion on myself, and a lot of other people agree with this, and I'll let you guys ultimately decide whether or not this is something you agree with, is I think people should have accounts on these. One of the reasons why is it's like a placeholder. I know, because there's an account for Jay LaCroix, and that account on Facebook is a placeholder, that it's Jay LaCroix. If a new account popped up and Jay didn't have an account, because he decided, "I'm done with this Facebook, so I'm deleting it," or insert the name of another social media platform... Having a placeholder that someone can validate is in use, so someone doesn't impersonate you, or so someone has a way to contact you and figure out which one's the real you: it's usually the older account. This kind of comes full circle, because LinkedIn is actually considering this. KrebsOnSecurity wrote an article recently about all these people registering to be the CISOs of companies on LinkedIn.
They were creating new accounts. Now, I don't think anything good was coming of this. He just took note that all these CISOs suddenly showed up on LinkedIn who also apparently didn't have LinkedIn profiles before. So they're real people, and someone was just registering as if they were them. And there's not a conflict, because these CISOs... if you're a high-end CISO of a very large company, you probably don't need a LinkedIn, because, if you watch, those people just kind of bounce between some of these other Fortune 500 companies. But it seemed pretty suspicious when someone started registering lots of them, and LinkedIn is going to consider adding the creation date for that. So yeah, that's going to be one of those indicators, because you don't want someone impersonating you. And if they do impersonate you and you go, "Well, hold on, I'm going to go be the real me and create an account today," well, now it's even harder to figure out, because there's one that was created last week, and you got mad and found out someone was impersonating you when you created one today. If you have an existing placeholder... and I'm just saying, doing this with every social media account is not reasonable, but maybe with the big ones that are out there it's probably worth having a placeholder, even if you don't put anything on there other than, I don't know, just a smiley face or whatever that default picture is that Facebook or whoever has. I see someone actually put it in there: "plant your flag." That's probably a good way to put it. Plant your flag on those properties. Also, if you run businesses at all, register your business names on platforms, because if you don't, someone else might. So, noting that you should probably do that.

Yep, totally agree.

Yeah. And what was the last one we had on our list? The unattended upgrades versus live patching. Oh, actually there are two more, but I'll cover that now since I already started mentioning it, right?
So, this kind of came up again, because we talked about this, but recently Ubuntu made their Ubuntu Pro program free for five users. Normally that's like home users only, but it's actually for home users and small businesses as well. Ubuntu Pro gives you some advantages, but I'm not really wanting to talk about that part of it. One of the advantages that I want to talk about is live patching, which is something that they've offered for free for a while for up to three machines, and then you'd have to pay for more than that. So now it's five, which is essentially what this boils down to. Yes, there's more to it than that; Ubuntu Pro is more than just that. But in terms of live patching and unattended upgrades: now, unattended upgrades is just something I feel like everybody should enable. I mean, why not, if your distribution offers that? It's free. What that doesn't do is reboot the instance for you. Actually, you can have it reboot the instance for you, but that'll give you the most recent updates; it's up to you whether you want it to reboot or not, but at least you have that. Live patching, on the other hand, is live kernel patches, meaning your system's running and your kernel's being patched. It's like ripping the tablecloth off the table without disturbing the dinnerware on top of it, while also putting another tablecloth underneath it without disturbing anything. That's just what it feels like to me, because you have a running kernel, and normally when you update the kernel for a security patch you have to reboot the system to boot into the kernel. You still have to do that, but you at least have the option of live patching with, at least, Ubuntu. A number of others offer this as well, but as far as I know I think Ubuntu's is the only one that's free right now, and somebody can absolutely correct me if I'm wrong, if another distribution is offering that. But that's just something to consider if you want the uptime. Now,
obviously the kernel is not the only thing that needs to be patched. There are libraries and applications and services to restart and things like that, but we have had a whole episode on that. I wanted to bring it up again just to kind of talk about the difference, where unattended upgrades is almost like an automatic apt dist-upgrade, or whatever your distro's equivalent is, overnight or something like that. So it's not as special as live patching, but it's still important. Live patching, if you happen to use Ubuntu, I feel like there's no reason not to, but I'll leave that up to you guys. At least turn on unattended upgrades; it'll lessen the amount of time that it takes you to update your systems if they're already updating themselves. So I think that'll just kind of simplify things. And given the news about Ubuntu Pro being free for five users now, if that's something that interests you, if you're already running Ubuntu and you're okay with that, take a look at the things you might get from that. You might actually find value in that. So I just wanted to bring that up.

Yeah, that's great that they've increased it like that. And I don't know, live kernel patching is magical. It really is. And only one company that I'm aware of does live patching for shared libraries now. That's really cool.

That's extremely cool. I feel like we need more of that. We need a service that's more than just the kernel. We need everything, if we can get it. I feel like this is just the beginning, if we could keep this going. I just really can't believe in 2022 we still reboot things. That blows me away. Like, yeah, 10 years ago I would have thought, especially with containers becoming popular, that there would be more of a... just have this one running, and then just remove one underneath, update it, and then just swap them, that kind of thing. But I'm sure that's coming. It's just taking a long time to actually be a thing.
So I guess we'll see.

Yep. Well, and we still have to reboot to fix everything, though, you know.

Yeah, I hate that so much, because I will avoid rebooting. I know it will fix it, but I need to know the root cause, and usually after about four, maybe six, hours I'll just cave in and reboot it. But usually I try to know what was going on, because I feel like when you reboot you lose your ability to fully understand, unless you have good logs. You lose your ability to know what happened, because if it fixes itself, then you don't know what was broken in the first place unless it happens again.

Question: Jay, did you do a video on KernelCare?

I did, and actually that one is kind of out of date, so I actually recorded a new one, and it's not ready for public consumption yet. I imagine in two or three weeks. So I have an updated tutorial on it.

People were asking about it in the comments, and so I thought you had done a previous video on it, and so now you also have a future video coming on it. Depending on when you're listening to this, if you're living in that future, check out Learn Linux TV and look for KernelCare, and you'll find the videos on that topic.

I'll mention a few things about it that I like a lot. One thing is that it is cheaper than Ubuntu Pro, even, last I looked. I don't remember, I don't know what the prices are after five; I didn't even bother looking at that. But they also support different distributions. So if you run a little bit of Debian, a little bit of Ubuntu, maybe some SUSE Enterprise or something, whatever it is, they support five thousand combinations of distributions and kernels. They don't support the non-LTS versions of Ubuntu, which I hope they will do, because I feel it'd be great, but I also know that it's really hard to keep up with those interim releases. So I really like the fact that they do the multiple distributions.
It's pretty cool. So that's what I use, and that's why I use it, because for the channel especially, yeah, I have Ubuntu Server on most of my servers, but sometimes I don't. Sometimes I want to go a different direction, and I like to have live patching on whatever I roll out. So as far as I know, it's the only one that does that. But KernelCare's live patch is not the same thing as the built-in kernel live patch, because the kernel is using something called kpatch. I don't want to get into that, because it's a rabbit hole. You can Google "kpatch Linux kernel" and find out all about it. But KernelCare is actually using their own system, which is kind of neat. So the other video is mostly relevant, but stay tuned; I'll have a new one pretty soon.

Awesome. All right, and what's our next topic?

All right, so: it would be so cool if all of my apps were publicly exposed and easily accessible from anywhere, right? Wouldn't it be awesome? That seems to be like, you know, entry-level people. I love you guys, I really do. I wanted to kind of talk about that, because I guess I have a hard time justifying anything being publicly available, especially given how easy it is to set up a VPN to your homelab at home or whatever. I just fail to see, unless you're running a personal blog or something like that, why anyone would want to make something publicly available anymore.
And I do understand, when you're first starting out, the fact that you can do that, and once you actually do that it's really cool for the first time. But after the new wears off, maybe you might want to rethink that, because it just makes me nervous.

Yeah. If you go through, and I'd commented on this on the security one, it is always what you know, and even with the people who contact us for consulting, it's frequently "we want to expose all these things," and I'm like, I can't express how bad of an idea this probably is, to start exposing everything. So yeah, just try to limit it; use a VPN. That is just one of my biggest security tips for people to keep themselves out of trouble. I will give another shout-out; we've used the word Tailscale a few times. From an ease-of-use standpoint, Tailscale is one of the easiest ones to get going and set up to get your applications available to you outside of your network. And someone will probably point out, "Well, Tom, doesn't that mean I relinquish the control-plane level of what machines are tied together through the Tailscale interface?" Yes, there is that sacrifice on there. I also know there's Headscale if you'd like to manage something yourself, and I have a video on Headscale to manage Tailscale as well. But it all depends on where your skill levels are, and if you're new and just getting started out, I think Tailscale is a good place to start, and you can level up to the level you want to get to, to help protect these things. But the level you don't want to be at is the "I exposed it, and it crypto-lockered me" level. This happened especially, and we'll throw QNAP under the bus again because they can't stay out of the news: people get their QNAP, open it up to the internet, and figure out what Qlocker is really quickly, and unfortunately lose a lot of files that way unless they pay the ransom.
So yeah, there are definitely some challenges and risks that come with just opening up ports. And there's another really huge issue with this that I feel like we can't solve, because, at least speaking for myself, I am not a psychologist. I troubleshoot computers; I do not troubleshoot people. Now, what does this have to do with VPN? When it comes to companies, and I've worked with a number of them, and I can't say the name of the company out loud (I have a feeling, though, as I tell the story, you might actually know who I'm talking about, but don't say it, obviously)...

Yeah.

But this company, and it's not really about this company anyway, because a lot of them are like this, where VPN is... they feel like it's an inconvenience, right? And it just gets to be such a huge burden for an IT person who understands why it's necessary to explain to someone who doesn't appreciate having to connect to a client, put in their information, and go through two-factor, whatever it is they have to do to get on to the work systems. And they're fuming and mad about the whole thing, because even those 15 seconds, to them, is everything, and then they just want the VPN done away with. They want everything publicly available, and when companies support that, "Yes, let's make that happen," and then use the IT person, like, what? So for example, we had a person that would constantly complain about VPN, and the reasoning, as I felt, was to kind of create more stigma around VPN, to kind of impress upon the higher-ups the concern and then come down to it and eliminate it, which is exactly what was going to happen. But then the person would come to me, and it was like, "Yeah, every time I go on the internet and do anything over VPN, it's super slow."
"Oh, what website are you going to?" And he tells me the name of a news site. "Well, good news, that's not a problem, because it's split tunnel. The VPN doesn't even go that direction. It's not even part of it." And he'll start mentioning a bunch of problems with VPN, and not one of them is actually a problem, because it's impossible for any of them to be impacting him at all, because he's going to websites that are not work websites. They're not part of the VPN. So no matter how many times these false claims come up... this happens all the time, where there's this stigma at work about VPN and connecting, especially as we're working from home after the pandemic and everything. And I wish there was something I could tell you guys to do about this other than keep fighting the good fight. You know what's necessary, you know what's needed to secure the systems. Do not get discouraged about this. Just keep going. We love you guys. So just keep it up. And, unfortunately, you can fix computers, but we can't fix mindsets.

Yeah. Yep, lock it all down.

Yeah. All right, is that the last one on the list? I think it is. I think so.

All right. Well, thank you for joining us. This was a lot of fun, and for those of you that are still with us, we have something to announce. Do you want to tell them what the new address is, Jay?

Oh my gosh, it's right on the tip of my tongue. feedback2022...

Yeah, at thehomelab.show. Some people just don't like filling out forms. I get it, and we're not going to publish this on our site; we're just going to start announcing it. I probably should announce it at the beginning of the show, but nonetheless, feedback2022. Now we might change that email address next year.
I'll let you guess what it'll be, but we'll announce it when we change it. Oh, we're going to keep it so we can try to minimize the spam. But we realize some people want to contact us and have things mentioned in the show or brought up, and a lot of people don't want to go to a website and a form. But if you send an email to feedback2022@thehomelab.show, we will be checking that email, going through it, and it will add to our list of topics for our Q&A episodes. We're trying to make it easier for people. I've said you can message us on Twitter, and some people do, but some people don't like Twitter: "I don't like these other methods, and I just want to send an email. I don't want to use a Google Form, because I'm blocking everything Google in my life." And that's fine; these are all legit things. So you can just email us. Make that decision for yourself. Now you have an alternative to contact us; we just want to offer that as an option. So thank you again for joining us. Check out Jay's KernelCare video and last week's show, where I talked a lot, and I have some show notes on there in that video where I dove into it. I even referenced a Darknet Diaries episode last time, talking about how people pivot through homelabs, with one of their episodes. So there's a lot to consume if you didn't listen to the last one. Hopefully we enlightened you on this, and we'll be back to projects soon. We have plenty more to do on that and plenty more ideas, but we do want to do a Q&A episode again soon, so throw your questions at us. Let's answer them. We want to help the homelab people keep going. It's just been great how this whole audience has been building up, and how this live stream has over 100 people on it right now. It's been pretty awesome. I know. So thank you, everyone who's joined us, and we'll see you next time. Thanks.