Welcome to vlog Thursday 356 from IT Nation 2023, because that's where I'm at. Astute watchers of the channel might recognize this as not my studio, or a better way to describe it would be a hotel room, because I'm traveling and doing a talk and all that fun stuff. But I do like to be consistent and do my livestream, although it doesn't have the most consistent time. I've been trying to do it in the evening, but that's not really gonna work today, so I'm doing it here at what would be 4 p.m. Eastern Standard Time. I do want to jump right in and talk first about why I'm here at IT Nation, for those of you who don't know. I still got my badge on and everything else. So I'm speaking, or have now spoken, as a speaker at the event here, which is kind of cool. My talk went really well, that was exciting. We're gonna do a revised version of the talk. This is a talk we've done before, "How I Would Hack You" with Matt Lee and Jason Slagle, and we've now done this four times in person. I believe we have one version of it on the channel, but we want to do a new version for the channel because the tactics and techniques have changed in the year or so since we did that video. So I'm excited, we're gonna bring you some new content around there. The old one's relevant though; there's still a lot of things that we talked about. Our favorite answer in this talk, though, was the fact that when we asked the question, did people make changes, and how many people have changed conditional access token defaults to a better default?
Those things all came up and people raised their hands; people know what conditional access tokens are. We're seeing a big increase in the number of people that are doing the right thing in cybersecurity, which is awesome to hear. You know, everyone that keeps raising these topics has been absolutely key to getting better awareness from the community that these things need to be changed. And I've heard in the rumor mill, and hopefully we'll be able to talk about this soon, that even Microsoft's gonna change some of their defaults to narrow down the security, because the biggest problem is the tyranny of the default, as I've heard it called many times, where most people won't change a default setting. So if the default settings are insecure, then most people will leave those default settings insecure. This is a problem in a lot of technology. We'll throw firewalls under the bus for this one too: many firewall companies will not have the best defaults. That's why people ask for guides on how to secure things, and that's never the way they should be. They should be locked down by default and you have to open the things you want. This has been a change over the years, because even MikroTik, this is what led to a lot of their problems, was an insecure-by-default template that was available. I believe that's been a few years now, but these are some of those things: people who are less experienced with products may just not know that you have to lock them down. And so that's why you should have good security defaults on any of the products, and this is being pushed from policy for the way these products are made, which is wonderful. That's good news. These are the directions we want to go. See out there that admin/admin isn't everything; things force you to change passwords and make them more complicated now. There's a couple release things I want to talk about, and oh, I guess I should do this really quick here. Yep, here we go.
Just so people could see the image, I'll throw on here first "How I Will Hack You", the talk. People took pictures of us and are posting on LinkedIn; I thought that was kind of fun. So the talk went well, we got a lot of engagement from the community there. This is IT Nation, if you're looking it up; this is an event for IT service providers. But now I want to jump over to pfSense, because I'm gonna keep this vlog short and moving along fast, because I want to be able to use this as a reply when people ask me about some of the CVEs that are popping up right now, and we'll share this tab instead, because these are going to be real big issues very soon for a lot of people, I feel. Now, I don't know that the CVE is particularly bad. It's not rated because it's awaiting analysis, but I want to point out this is another CVE in OpenSSL. OpenSSL is very complicated, and if you read through the CVE it's a complicated read for what's going on here. That being said, what makes this really important, and we'll zoom in a little bit here, is that it's a CVE for OpenSSL version 1, I believe; here it said, yes. Too many projects are still based on this old OpenSSL. The OpenSSL TLS implementation is not affected by it; OpenSSL 3.0 and 3.1 are not affected by this. That means this is a 1.1 bug. This is the version that a lot of people are still very dependent on. I've been kind of hammering on about this, going hey, this is gonna be a bigger and bigger problem. Yes, I was at the Huntress talk as well. Yes, that was where I went; my talk was right before Huntress. Definitely, I'm here for anyone who happens to be seeing this livestream; I'm still here at IT Nation and will be for another couple days, so hey, reach out and say hi. But why does this matter and why am I talking about it? That's going to come over to this right here.
So we have Netgate released 23.09 of the pfSense Plus software, and yes, as someone pointed out here, and it's written up in Netgate's blog, changing SSL and everything can be an absolute nightmare. So moving from the unsupported OpenSSL 1.1.1 to a supported 3.0 series. 2.0 was, I think, reserved for FIPS, so there's not a 2.0; they didn't go from 1 to 2, they went from 1 to 3. And a lot of projects, and the project I talk about specifically here, pfSense, have dependencies, of course, because VPNs and all kinds of things have a strong dependency on this. So when we look and we see these, you know, OpenSSL upgrade, that is one of the reasons for this: we wanted to get the version of OpenSSL upgraded to be current, whoops, and supported. I'm doing this on my laptop, so it's a little bit more awkward. So we want this to be current and supported, and so they did the engineering to do this with pfSense Plus. And we're going to move over here. This is still in release candidate, but this is Netgate releases pfSense CE 2.7.1. It's funny because someone was just leaving comments, Netgate will never fix this in pfSense CE. Here it is. It's a release candidate, which means it's almost finished. So if you are concerned about the CVE in here, this is a reason you may want to try it if you're using the CE Community Edition, the free edition. You want to update if you're using the Plus edition; it's out, it's released. I've updated a handful of systems. I'm not done because I'm traveling and we're still working through the process of updating all of our clients. All of our clients are running Plus, so we're migrating all of our clients to this latest version so we can get them on the latest version of SSL. But this is really important work, and people keep asking me, and I'm just going to point it out right here, because this question inevitably comes up.
I'm moving to another project, and I had a whole discussion about this and I talked about the history of firewalls in my last video that I did for the Homelab Show. We'll talk about OPNsense; we'll bring it up here. They are working towards this, and I left that comment pinned up there for a reason: changing out OpenSSL is hard. They're aware that they're still stuck on OpenSSL 1.1.1. They're hoping to get it done by 24.1 when it does not negatively impact overall operation. This is really important because this is a heavy lift, and this is one of the challenges. When you talk about your firewall being the security device, and, you know, for all the controversy that is validly pointed at Netgate related to the way they mishandled the home lab license changes and didn't communicate them very well, hey, I got a whole separate video about that. And people are like, why, I'm just going to switch firewall software. I'm like, you know, there used to be a lot of firewalls, and this is my home lab talk I gave, and maybe I'll do a dedicated secondary video where I dive even deeper into the history of all these firewalls. But a lot of them just kind of failed, and this is where the real challenge comes in: how do you build, engineer and secure a firewall here in 2023 with the modern threats that we have, and with all the features in here and all the VPN features that we all love? How do we get an engineering team to build that? How do we give it away for free? That's a real question. There's got to be some funding model to support a series of developers, and this is where, my assumption is, they're just struggling with OPNsense. And you know, hey, cool, you get your free firewall, but these are the challenges that come with this: you know, they are behind now.
We all knew OpenSSL was getting deprecated, and Netgate had to put in a lot of engineering, which is one of the reasons earlier in the year they jumped up to FreeBSD 14, because they're doing many of the commits. They are contributing back to the FreeBSD project heavily and committing back to it. So OPNsense, like, I'm not throwing shade at them. I'm just saying, hey, you know, how do you want to handle this? A person asking me questions like, do you want to switch to OPNsense? I'm like, this is one of my problems: can they keep up with that? I kind of look at this going, well, they're behind getting their security up to date. It's not that I'm trying to point out specifically like, oh, they're bad, because by the way, this is a lot of other companies. But I want people to think about the ecosystem of what it takes to do the engineering needed to do it, and if the company has enough engineers to keep this going. It's one of those things; I wanted to put this in a video because it's going to be a reply, because I've explained this to so many people. What do you think about OPNsense? I've talked about it in my forums and I said, you know, this is where the project is going to suffer, and this is where we all kind of suffer right now, for people who really want a free product but also are really struggling. You know, the companies themselves are struggling to keep that product up to date, provide the engineering for it, provide the support for it, and there's just a lot of challenges. And let me find, I think Vates have a blog post on this. I want to share it with everyone as well, because this was a great discussion here. I'll pull up their blog post. You know what, I'll have to find it later. I did tweet it out; basically Vates, and they did post this in our forums as well. They're the people behind XCP-ng, and they talk about some of the challenges of running an open source company and how you keep it going, how you keep it funded.
It was a great post and it's just a big, big challenge. I'm going to try and pull it up on my Twitter, so I think I posted it there too, of how do you provide for the community, get engagement, listen to people tell you how your product sucks, blah blah blah, also never want to buy any subscriptions to any of it, and then keep going forward, pay a bunch of engineers and make it happen. This is just the overall landscape of challenges that come with running an open source project, so I just want people to always be thinking about that. Here, now I found the link. I'm going to drop it in the chat here, and it is "The reality of running a large open source project." There we go, that is now in the chat. Yeah, it's from the Vates blog. So I just want people to think about that; I want people to understand about the security. Sounds like someone who likes pain. Yeah, running an open source project has a ton of pain. There's a lot of great quotes in there that Vates has; he actually quotes a lot from the author of curl, which, if you're not familiar with curl, is in everything. It's a command line tool, so we can use it; the basic use is going to be like pulling down web information, but you can also do a lot more. It's great for building into your scripts. There's a lot of thankless work, if you will, that goes into curl, and the writer of that catalogs all the interesting information that's around it. So I just want people to think about that. It's not me just trying to poke at OPNsense because of some bias that people seem to think I have. I don't have a bias.
I have a bias towards security. I don't have a bias as much towards a product, and when it comes down to it, you know, Netgate is still delivering on their promise to get OpenSSL to the latest version. So if you're on CE, try the release candidate; if you're on Plus, hopefully you've already tested and upgraded. We've been upgrading systems to the latest one because we want to make sure all of our clients that are running it are secure, and that is always first priority when I discuss firewalls: how are these things secure? And more broadly, when you have anything that has a lot of public threat surface, you have to think critically about how good and secure that is.

Has anyone thought about switching from pfSense to Ubiquiti or UniFi? The challenge really comes down to UniFi's firewall doesn't have near the features. This is one of the problems where there's a whole argument going on; it's continuing, I don't always engage with it, asking me why I still push pfSense. I'm like, if you're looking for an open source firewall, they have the most features out there. It's not that there are no other open source firewalls; people are trying to say I said it was the only firewall. I said no; we want to categorize it as open source. By the way, UniFi is not open source. UniFi is definitely tied to hardware; that's their business model. That's why UniFi didn't build a firewall that you can just load on your own hardware. You have to buy their hardware for it. So yeah, really, pfSense is the most feature complete when it comes to the large features. There's definitely plenty of other firewalls and enterprise ones out there that come with hefty license fees, and there's also Sophos. Sophos's business model is they have restrictions and limitations on a firewall they offer, and then you can buy up to do some of the more advanced features.
So yeah, it's definitely, you know, there's a few other options out there, but pfSense, for being free with the CE Community Edition and being amazingly full featured, is still one of the best bets out there. And someone said there's better documented firewalls. I'm going to say pfSense is leaps and bounds better documented than even some of the commercial ones. I'm not saying better than all of them, but it is a lot better than a lot of things out there, especially when it comes to the open source side.

When you deploy pfSense to your clients, do you install third party packages, or keep it as bare bones as possible? I'm wary of the support of those packages. pfSense doesn't let just anyone build a package. It's not like they're just random third party packages; they are vetted through the pfSense distribution, so that's not really a problem. They are vetted. This is one of the features of Netgate: their team does go through and audit that.

Hello from Muskegon, and technically I'm not in Michigan; it's actually really warm here in Florida right now.

What would cause WAN not to work unless using a VPN? Currently dealing with complete packet loss over WAN, but when using a VPN on a separate gateway, it works. That's an odd problem. You have clearly configured something very wrong. I'm guessing you've got some type of route or kill switch you put in for your WAN. That's a hard one, because that is not default behavior for sure.

Can you use them both, inner and outer firewall? I mean, you can double NAT; it just becomes more to manage. You can set one firewall and another firewall behind it, but you now are double NATting everything. So you create one little bit of latency, probably not substantial, but you've now created the complexity of having to manage two firewalls.

Customer has a Barracuda firewall, ever come across those?
Yes, Barracuda is even one of the vendors here. A friend of mine used to work for Barracuda, but we don't see them as often anymore. They're out there. Their Barracuda mail server incident was really interesting from a security standpoint.

Would it be a good device to replace the discontinued Cisco RV series VPN routers? Depends on the features you need. I start with features before I start with product: go, what are the needs, and go from there. Like, I don't know that you're using every single thing on a Cisco RV, so think about the features, and pfSense is a good choice, but maybe you want some of the other commercial vendors. Start with features and expand out from there. I couldn't tell you off the top of my head the exact feature list of a Cisco RV system.

Since rolling back to CE I'm finding I like being reacquainted with an old friend. I know I can trust it; it has always been there when I needed it. Yeah, pfSense just works.

Can you explain to me how I need to set up a mirror in TrueNAS when I have two 18TB SAS disks, as I can't understand each SAS disk has two partitions? You have disks that have two partitions? Wendell did a video talking about that. I have not done any drives that have... are you talking about the ones that show up as two? I'm not sure; I'm so unclear on that. That's probably a better forum post.

Anything out there to flag bad config in pfSense? Sure, there's red teams, et cetera, but I can't afford that. There's not really. I mean, most of the time your pfSense problems are this: you're going to leave ports open. Scan and look for ports open, look through your firewall rules, look at the WAN rules on the public side. Those are your biggest enemies: did we open RDP and then forward it somewhere? Did we have a NAT rule we shouldn't have? Those are the real ones. There's not as much nefarious config other than did you leave the default password of some sort?
Or did you set it to admin/admin or admin/pfsense? It asks you to change it, but I have seen people change it back and then forget. You know, did you disable the admin account? Not a bad idea, because if they know or assume admin is the default, they might start guessing passwords at it. So, weak passwords. It's not so much about checking the config against bad; it's more like, did you open a port? Did you do something with the VPNs? By default, if you click Next and Yes to OpenVPN, the default settings in OpenVPN are secure, but that doesn't mean you can't change them. So did you downgrade to some, you know, deprecated... I believe it warns you if you try to do this, like it won't let you use some of the old ones. It gives you warnings, so you have to really force yourself into doing a bad one.

Good evening friends. Kind of get your opinion between VPN or Tailscale. I have a video about it; it's titled "VPN Killer" because people call it a VPN killer, so I did because I knew it would get the clicks, but it's really an overlay network, which is really just another VPN. Tailscale is great, using it now, love it, no complaints about Tailscale. Actually, I just realized my exit node is still Tailscale, so this livestream is actually being routed through Tailscale right now as we speak.

Would you recommend Headscale instead of Tailscale's coordination for the clients? It depends on your paranoia level. Do you trust their control plane? So if you don't like Tailscale's control plane, Headscale is an alternative; nothing wrong with it. Tailscale seems like a trustworthy company. The data does not pass through Tailscale, but the control plane where you add and remove clients is there, so you just have to decide if you want it. I think Headscale, I got a video on it. It's dated, so there's actually some newer information about it that maybe I'll do a new video on, but the project's still alive, so nothing wrong with it. Do this here.
All right. Have you ever aggregated ports for faster speeds? Yes, I have. I've done a video on it, if you look up port aggregation. I probably should do an updated video because they changed a few things, but the concept works the same.

20 character password in your pfSense, great idea.

Should I upgrade pfSense to 23.09 from 23.05.1 or wait a bit? It's up to you. If you have boot slices, use that so it's quick to roll back if you need to, but I started upgrading systems right away. I so far have only upgraded like four, but all of them have worked; four is not a big test bed. More may have been upgraded by my technicians; I just haven't done it myself. So I don't know of any bad things yet, but I'm also traveling, so I haven't been closely following if there's any bug reports. Check the forums to see if there's anybody having problems with it.

Weird livestream happening with sherry punts. Okay, I didn't know he was doing a livestream. That's cool.

I just got to the section where you're talking about the OpenSSL situation and OPNsense, like, yeah, cool, but look at WireGuard with Netgate, how the creator put them on blast on BSD. Yeah, that's people with agendas, and if you notice, go check this out: Netgate still has contribution of that code. Why? Because everyone said the code was so bad Jason Donenfeld didn't... somehow, I don't know the argument or politics between people and I don't want to; that's not my thing. But the reality is, if you look at the code differences, he didn't rewrite it. He fixed some bugs in their code. That's why Netgate still has contribution for writing it. And if Netgate didn't do it, I'm not clear on if Jason Donenfeld, or why he didn't do it, or why it didn't exist. By the way, guess who's benefiting from that?
OPNsense plans to pull in the kernel one into theirs, and they're not the ones who wrote all that code, but hey, the cool thing is they get to benefit from it too.

So you don't think the OpenSSL with CVEs is a big deal. We have different opinions on security. You can think running on an old version where there's flaws in it that runs VPNs is not a big deal; I will think that you're wrong. I think most people assume that you should run on the latest version of supported security software that manages encryption. That's my opinion on it, but you have a different one. You're entitled to an opinion.

Another question: I noticed some issues when allowing WhatsApp Web access via your proxy; on some users it accesses the site, but when scanning the QR code it remains running. I'm missing some context here; I'm not sure of the question on that.

23.09 upgrade on my 3100, PHP just corrupted, TAC Lite support got me an image in 30 minutes, support was quick to help, back up and running. That is awesome. So yeah, sometimes things happen. That's good to know that they got a fix for you.

Oh yes, yes, hotel internet. I'm shocked it's working as good as it is right now, especially hotel internet at a tech conference. Internet's usually just hot garbage when you're at a hotel. I will point out that I took the opportunity when I hit the back browser; I realized I was exit noding through my Tailscale, so I actually moved it to not. I didn't know if it was adding any latency, but hey, anything with less problems is my goal. Hot garbage, yeah.

Hey, you just met me at the IT Nation hacking summit, awesome. I've had a lot of people... I love it. That's one of the reasons I come here: I get to meet so many people that maybe have watched me in a video, or I just want to talk in person. It has been a lot of fun.

With all the zero days out there, at least just get updated with patches.
Yeah, I mean the reality is you really need to patch. Anyone who argues against patching to supported versions of software, I don't get it. Like, hey, you don't think it's a big deal, okay. I mean, I'm at a security conference; I work with a lot of people. Go watch John Hammond for a minute. It's not like I'm saying that I'm the authority on this thing. I learned from smart people; I know a lot of the people at Huntress, and there's enough security people here that I talk to so I can learn, and I don't think any of them would tell you to not patch to the latest version of OpenSSL. I'm throwing it out there: I don't think any of the security people who are reputable that I'm aware of at all would tell you it's not a big deal.

Moved from SCALE to CORE today, which you suggested, but I'm getting a UPS not detected warning. I don't own a UPS; I toggle it off on reboot, back on, warning. Moved from SCALE to CORE. Yeah, I don't know; I've seen that warning on one of my systems, but only on my SCALE ones, where it kept wanting to do the UPS that I don't have plugged into it. I don't know why; it's an odd bug. I think it's been reported already though.

Tom, what you do for a small... there's amazing things for what you do. I can never afford to hire your company, but thanks again. Well, I always try to do as many things as I can to make it as accessible as possible, put as much detail in here, because I do want to see the community be able to use as many things as possible. So my forums are there; I spend a lot of time in them. So if you have questions, you know, if you can't hire me directly, I do participate a lot in my forums to engage with and interact with and have discussions with people.

When setting up guest Wi-Fi, do you make the WAN IP different, or does that not increase security? It's a great idea when the client can afford this.
For example, we did a medical facility, and there's like 6,000 people on the Wi-Fi. When we set them up, for the guest Wi-Fi, just the guest one, we brought in a generic cable modem. So they have a fiber line that runs the medical facility; they have a cable modem that handles general internet, if you will. We put all the guest stuff on that cable modem. That way it's separate; it doesn't tie up the fiber. They don't actually have the fastest fiber, but they have a full SLA agreement and everything else with it. So yes, this is a great idea whenever this is possible: take your guest network and put it somewhere else, not on your IP. Alternatively, if you have a lot of bandwidth and you're wondering about another reason to use a privacy VPN, you can follow my privacy VPN video and maybe you set the guest network to go out the privacy VPN. That way it doesn't come out of your IP address. This will just save you problems when people use your guest IP to do something, or if they get a website blocked because of them doing something. If they block it by IP address for whatever reason, then they're blocking it for everybody, not just the guests. Also, fun... I can't fully disclose everything, but we'll just give you some hints around this. Maybe if you're using IP restrictions for your AWS, when you're just restricted by IP for how you log in, maybe don't leave your guest network on that same IP address, because if you're trying to auth from IP and only allow certain restrictions in your AWS by IP, there's a chance that a former employee could show up in the parking lot and make a mess of your systems on your guest network.

Well, let's see. So maybe this is already discussed, but pfSense CE is generally up to date with patching for normal vulnerabilities; I remember there was a huge gap between 2.6 and 2.7.
Yes. You know, this is one of the things that they build pfSense CE following, more like a principle of least privilege policy, where they're only compiling in what belongs there and that's it. They don't put everything that comes with FreeBSD in there. That means when you see a vulnerability related to FreeBSD and you're like, hey, I wonder if that's a problem for pfSense CE, you can follow them and ask them, and they're like, oh no, we don't compile that feature, or when we compile we don't include that feature flag. Therefore we're not vulnerable to it. This has come up a couple times with like DNS and ping and a couple obscure things in there, but this was not a problem for pfSense CE because they don't use that feature, or they didn't compile it with that feature flag turned on.

In your opinion, do you offer open source or paid firewalls? Open source ones do not contain options like zero day attack protection. We offer a lot of pfSense; it fits most of the clients. And when we do our updated hacking video, we're going to talk about what the tactics and techniques are today. The tactics and techniques really focus on stealing identity and stealing session tokens. That is where most of the focus is. The firewalls don't protect you from zero days. I hate every vendor that tries to say that; they're usually full of it. Good news is I've heard a rumor the SEC is going to crack down on these companies that try to tell you that these next-gen firewalls will protect you from all your threats, because they're full of it.

Any take on cloud VPN security, Google Cloud VPN, Azure? I don't understand what the take would be. Using VPNs to access your cloud is a great idea, but I don't understand what the take would be on it.

If I upgrade my 3100 to something newer, can I restore the settings on a new device using a 3100 backup?
You have to be careful about how the ports map, but the answer is yes. Netgate configs are portable between devices, even Netgate devices. So if you started on a Netgate device and you go to your own hardware, or if you're starting on your own hardware and go to a Netgate device, they are portable.

Just gave you a great idea for networks, awesome.

I know a company that got their cloud account banned by mistake, blocking all the businesses for a week. It's a risk to be mentioned in the cloud. Yeah.

Okay, you went from CORE to SCALE. Yes, that makes sense, because I know I got that VPN, I'm sorry, UPS bug in SCALE. I think it's been reported. I had some other bugs that were more concerning to me.

I do think security in general is important. I think this OpenSSL is an outlier: the fundamental tool that runs your security, like OpenSSL, is specifically tied into all the VPNs. This is really, to me, a big deal. We've had many OpenSSL vulnerabilities throughout the years. If you start reading through the history of those vulnerabilities, you're like, oh wow, this affected a lot of things. And if you don't use VPN, yeah, it's maybe not a big deal to you; if you use VPN, it's a bigger deal. Now that's where it really comes down to, and that's one of the reasons I think it's critical. It's not like it's some obscure, hardly used function, or you're only using it for like building internal certificates. If you were just using OpenSSL to build your internal certificates, okay, maybe not a big deal, because they're not relying on it. The moment you say VPN, and I know a lot of people use VPNs, it matters at that point.

Like the latest video on UniFi VLAN changes, starting to think I'm not doing some things right, and things keep changing. What if there's a single resource that explains the hardening needed? I'm working on that. I want to do some hardening videos on these because I'm realizing, with UniFi's changes and things like that,
I need to make more videos covering that as a broader topic. But it depends where you're at. Are you in the home lab? If you're in the home lab, I hope your threat model isn't worrying about someone VLAN hopping inside your network and plugging things into different ports. That is a threat model for companies with exposed closets that people can get into, and things like that. It's the less likely of the threat models. It's one of those things that I think is important, but you have to kind of rank these things and go, where is that important? Am I working on conditional access tokens? Am I working on endpoint security, where the threats are really coming in, or am I worried... Because if you've sorted all the really big things, then you go, oh yeah, I should probably have good port security, because someone could VLAN hop. Because a VLAN hop just gives you access on another network. It doesn't mean... if I give you access, for example, to my personal network, I give you a box, what are you going to do? That's where it comes in. Well, you're going to start looking at my systems. Well, my systems are firewalled. So how are you going to pivot from there? That's where each piece, you know, goes in for security. And I might do a tiered security video like that, kind of talking about how you prioritize it, because "fix everything" is not a realistic answer. You want to tier your security with the current threat models: you look at what they are, what are the biggest risks you're going to take. All right, we're going to fix these risks first because these are the biggest, and then you work your way down the line. That's kind of my thoughts on there.

Look at Wendell's video on it. I don't have any of those drives to give you any guidance on those, so that's going to be something that Wendell covered.
I don't know if I'm going to buy any of those drives anytime soon to give anybody some insight on there. Wendell's the only person I know that even has a video on it. I couldn't even tell you where else. Wendell from Level1Techs, reach out to him, his forums. I believe he's got an explainer in his forums on it already. I don't have one, so I can't really do the video, and I would just parrot what Wendell said. I trust Wendell on it.

Oh, yes, Heartbleed was everywhere. You look up the Heartbleed history and then you go, "Oh, OpenSSL is a big deal."

"When will we get an updated video on pfSense installation and configuration best practices for newbies?" I'm hoping soon. I can work on that.

UniFi for small business? I think UniFi is great, and they're huge in the small business market.

"With your recent YouTube video on Blumira SIEM" (sim, sim, sim, I'll let people argue about that), "is there a technology that can be implemented for the home user for monitoring and endpoint security?" Blumira is not for home users, first. So no, that's not the right one. There's not really any easy tools for home users. I don't think there are going to be, but I will give a shout-out to Windows Defender, for people running Windows, as being substantially better than it was. I got to meet the developers today that are working on the Defender stuff. They have a new book out, and I might read that book. It was interesting. I had a good conversation with them. Windows Defender isn't what it used to be. It is a substantially changed and better product. So if you're running Windows, I'm going to tell you you can get a lot of good insight on your system from that, and it gets better as you get to the higher tiers and the paid tiers of it.

"Yeah, homelab is about learning for those larger threats." Absolutely, you're right about that.

"Doesn't UniFi support restricting ports?"
Yes, you can lock a MAC address to a port on UniFi. I mean, it's not a bad practice. It just becomes a tedious practice. That's the important part.

Oh, I actually will answer this question right here with a more concise answer in about two seconds here. I'm gonna sign in. I made a whole list of all the stuff I'm using with my... I got a login or something. So many keys I got to press to do that. Stupid long passwords. All right, let's go back to view profile. I've been wanting to drop a parts list. I've been wanting to do a Home Assistant video, but what I did manage to do was make this: kit.co/lawrencesystems. There's a whole Home Assistant parts list of all the parts I'm using and what switches I'm using and everything else. So I have covered it at least in a list, so you can have all the things. Actually, I put my... Oh, a friend's asking where I'm at. I'm doing a livestream. There's apparently something going on. I'm not going to attend.

Yeah, light switches, not network switches.

Let me mute this phone too. I forgot to turn my phone off. There we go.

Oh, let's see. This is a Garmin watch. So I like the Garmin one. It's great. I don't know the model exactly. Do you tweet at me or something like that, or one of the socials? I'll answer which model it is, because I'll look it up. I think it's a Venu, actually. It's not my phone, this is a... I think it's a Garmin Venu 2, or... Does it tell me what watch? I don't know. Yeah, Venu 2 Plus. There we go. Now you know which watch it is.

"And this is a good security practice here: I only allow a set list of MAC addresses to access my Wi-Fi network." Hey, if you want to lock down a network, locking it down by MAC address, you've really raised the bar for what type of security you're doing out there.

"What is your favorite OS to run daily?" I don't know, Pop!_OS works fine.

So you have... Wazuh is out there.
So you got Wazuh, and Security Onion. Security Onion is even more complete than Wazuh. Security Onion will also ingest from Wazuh. The challenge with both of those is there's a lot more complexity in setting them up. Wazuh has actually done a lot of engineering to make it better, but it's one of those things, it's not set it and forget it. There's a lot of complexity with it. It's not something you can't overcome. It's actually a great homelab project. It helps teach you about security. So I do recommend Wazuh or Security Onion. They're definitely good open source solutions. They're not going to be what Blumira is in terms of turnkey and ease of use.

"There is a $30 premium on used 18 TB SAS drives, or similar data drives. Is SAS worth the premium for home lab?" Most of the time, no. I mean, you can get a better drive when you go with the enterprise drives, but does your demand on those drives really merit the extra spend? That's where you got to kind of think about it on there.

"Why do you like Garmin over Apple?" The reviews were solid on there, and this lasts like 10 days before I charge it. The Garmin stuff just seems to be top notch when I reviewed it. So Garmin watch, combined with like 10 days of battery life, I've loved it. I've had it for six months, probably. I don't know. I've had it for a little bit. I really like it.

"Thoughts on running Home Assistant in a VM?" You can, as long as you get that VM part sorted out and passing through the USB. It should work perfectly fine.

Yeah, let's see, Woz and Wozniak. Oh, I didn't... He's in the hospital out here? Yeah, I hope the Woz is doing well. Wozniak is definitely an influential person, for sure, in the tech community.

"The interesting side effect of the 3100 going down is that I could not reach anything in the network."
It went down, and "I could not reach anything on the network." I mean, not if the firewall is where things are being routed through. You're going to have trouble reaching things on the network. If it's on the same network, it should work. But yeah, I've seen this too.

So people ask where my stand is on adblock. Here's the problem. We have to find a better revenue model. Let's talk big picture. We're treating symptoms, but not the problem. I've heard it called the original sin of the internet, that we just copied the business model of radio, and then TV copied the radio business model of all these sponsored spots. So we start with radio: how are we gonna pay for radio? We'll do ad reads. All right, cool. Newspapers have ad reads, or, you know, things they sold, and the radio had it, then TV had it, and then we innovated to this incredible technology and got everybody the internet, and we still have ad reads. We haven't figured out a better model to support all the infrastructure it takes to run a large-scale delivery platform like YouTube. For all their faults, they are the best platform out there for creators. They're willing to give creators a cut to make it a good ecosystem. But the other side of it is, you're right, they're one of the few places that offer a decent premium subscription, and I think they're one of the few that are sustainable. There's always some startup, and I've watched so many of them in the creator space, because so many of them reach out to me before you ever heard of them. They try to reach out to all the creators. They try to get the creators on the platform. They promise us, if we release on their platform first, they'll give us deals. But then their runway of VC money runs out. They don't have a good long-term plan, and then they flop and fail and waste a bunch of people's time. So yeah, it's really challenging trying to compete and deal with a competitor.
It's also... look at Floatplane. Look at some of the other ones out there. Nebula is kind of cool, but Nebula is also a tighter ecosystem. Not just any creator can get on Nebula. So there's not an easy model to compete with it, and I think YouTube, for what it costs for Premium, is such a good value that it's worth it. I watch a ton of YouTube. I've discussed this so many times. I watch some tech YouTube, I watch a ton of vintage tech YouTube, I also watch videos on tractors and other fun things, whatever is my interest. I like old equipment and seeing how people restore it. I like watching Adam Savage and all the stuff he does and all the crafting things. And for how little YouTube is, it's a better deal. I get better value out of that than I do out of things like Netflix, out of Amazon Prime, or any of those. So to me, it's like, look, what is YouTube Premium? $15, $16 a month? It may be less. I don't know. I actually buy the family plan, so I pay a little bit more so I can put it on my kids. But I think it's absolutely worth it. And yeah, you're still going to see some ad reads from creators, because we can't just rely on... the YouTube ad revenue is not enough to run a channel. It costs too much to run the channel and produce the content that I do. So yes, I do have some other ad reads that I do. Blumira, as I said, was a sponsored video. My sponsored ones are in a playlist, so you can see who was sponsored. I'm very, very clear on that. But yeah, that's my kind of rant on the whole ad thing. I don't know. I don't have an easy answer for it.
But I think it needs to be rethought, and subscriptions are kind of the way to do that.

"Will you be putting XCP-ng on your 45Drives homelab system?" Probably not. I'm probably gonna run this native with Houston on it. But yeah, I may load it on there for testing, but it's not likely where it's gonna live on there. This is more going to be a Linux system that does all the things I want it to do. This is going to be a Linux-focused system with the 45Drives Houston software on there.

And yes, Travis is an Apple fanboy. I can agree with that. The battery life is not great on the Apple ones, yeah, when compared to the Garmin devices, yes.

"Internet killed the television star." There we go.

"Is it possible for an admin to be 100 percent satisfied with infrastructure, unless you're a millionaire and change everything every three months? It seems complicated to me to always be on top." It is. It's part of the fun. You have to like the cycle and the moving forward. But you are right. Is anyone ever 100 percent happy with it? I don't know. I don't think so.

"Have you looked at Nebula or Floatplane, to be able to have good solid content?" Nebula, you have to get an invite from Nebula. I can't invite myself to Nebula, so that's complicated. Floatplane turned me down, but my friends that are on Floatplane, I don't think they get a lot of engagement. I don't know that my content would get a lot of engagement. So much of my content is watched by people who don't subscribe, and because of that, the number of people that would probably watch me on Floatplane is minimal. And I don't know what other platforms you're talking about that are able to do it at the scale. People don't realize the scale that YouTube operates at. Even Nebula, and some of the other ones,
they're operating at like the one or two percent scale of a company like YouTube, and that's the challenge. Like, how do you have discoverability, large-scale audience, and how do we build that? I mean, I'm all for swapping out for someone other than YouTube, but the other side of it is, I haven't seen anyone who's actually built out the infrastructure. Matter of fact, one of the problems is the only people who could really compete at YouTube scale is going to be AWS. AWS is probably the only ones with enough infrastructure and delivery to be a competitor to YouTube, if they wanted to be, which, by the way, they've not done the best with Twitch, where their infrastructure runs. So there's a lot of challenges. There's just so many challenges, and it's not an easy task.

I see other people saying "100 percent agree. Yeah, YouTube Premium is so inexpensive." "Ads suck, doesn't matter where you are." Yeah. "No, it will not always be impossible to compete with the Google machine." I've seen someone say that.

"I'm using 3x Lenovo M920q tiny PCs for my Proxmox VE cluster. It doesn't have ECC RAM. How critical is ECC RAM? If I do memory tests once per month, I should be okay?" ECC RAM is something that is going to catch the error if it happens. If there's a bit flip, there's something going on, hopefully it catches it and it doesn't crash. It's not something I would concern myself with. In the days of old this was an issue, because, well, things were less reliable. In the modern era, unless you're running things like financial transactions that need to be absolutely... like you're running all the financial transactions for Visa or Mastercard, definitely, you gotta have ECC. When you start talking about a home lab, it's generally fine, and most crashes, if there's some crash from memory, usually the system just crashes. You can recover it and then start sorting out: do we have a pattern of behavior where this hardware is starting to fail?
Do we see a common area where this particular system keeps crashing? For home lab people, most of the time it's fine. Matter of fact, we're really impressed. We actually have a Dell server, and it does have ECC, but it's been running since 1998. It's still running a business right now, and we might do a video on that once we're finished figuring out how to recover it, how to get it moved. It's still running. We're trying to get it migrated to some modern hardware, and the data on it.

Nope, I'm traveling right now, so I did not get to visit. I left the same day it arrived. So it arrived, I took a picture of it. I got a box, took a picture of it, and it's still sitting on a shelf. I haven't had time to review it yet.

"Have you ever looked at Evo Security?" I have not.

I don't know that I'd make a video about OpenSSL. I mean, I could talk about the history of all the problems found in OpenSSL, but I don't know what the video would be about besides the history of all the OpenSSL problems.

"Does the 45Drives homelab system have the anti-ransomware feature?" Ah, you can put it on anything. I don't think they ship it with it, but absolutely it could have it if you're using the 45Drives system. I did a video on this, on their new ransomware stuff. It's awesome. It's really cool. You could put it on whatever. So I'm not specifically going to use it on my server. I don't need it, but it's novel for sure.

"Uranium particles and Intel chips were a pain." Yeah.

"AWS Twitch performance is woeful."
Yeah, they've had all kinds of challenges, and they've never really broken out of the market of... I mean, there's things they have on there other than gaming, but YouTube is still the big platform for things like DIY people. You know, me and some of my other people, the big discussion we had here at IT Nation with a lot of other technical people, I was talking to a guy about, "Oh, I got to fix something in my house, you know, I got to look up a plumbing video." Pretty much YouTube is going to be the place where you're going to find those. There's just not other platforms that have that level of videos that you're going to be able to find, where people can just easily upload, get it going, set it up, and say, "Here's a whole video on how you replace this on a thing." Matter of fact, let's go really esoteric. I had a specific furnace, and YouTube was the first result, and it was perfect. Someone did a video of a chip that goes bad, and I had a furnace that broke. I'm googling away going, you know, "Why isn't my furnace coming on?" I don't want to call the person, because it's at night and it's really cold, and I don't want to pay for an emergency service call. And someone did a video like, "Hey, there's a solder joint on a chip." So I pulled a little circuit board out, and they were perfectly right, exactly where they said there's a little solder spot. I'm like, oh, I'll fix it, and boom, furnace is working again. Just a simple circuit board thing. And then I went and followed some more videos on it and was able to find where you can buy that circuit board, and I ordered a new circuit board to control my furnace, and it's plug-and-play. It just has a couple little plugs that popped out, and I replaced my furnace circuits. I was like, that was cool.
And once again, YouTube for the win on that one.

"Thanks for your clarification. Could you remember if Snapshield was only available if you're running on their first-party hardware or not?" Yeah, their whole Snapshield system, because it's just looking at SMB and Linux, it can be ported really anywhere. There's nothing that ties it to the hardware. 45Drives' goal is to sell hardware, but their hardware sales fund all the cool things they do with Houston and lots of development ideas that they have. This is kind of back to that open source thing. 45Drives is a company very committed to open source, but how do they fund it? Well, consulting. They offer consulting on Ceph and things like that. They sell hardware. That brings them expertise. This is one of those things, as I talked about much earlier in this video, about thinking about how open source ecosystems work, how products get delivered, and how you build sustainability in those products.

"Maybe you said this earlier: are you doing a video on 23? That seems like a significant but straightforward upgrade for anyone not using OpenVPN." Yeah, I will do a video when I get back from my travels next week. So I upgraded some systems. I have more to upgrade, but I will be covering both. And actually I may wait, or not, because I don't think there's going to be much change from release candidate. I may wait till both are released and just talk about them, because the changes are kind of parallel. All the significant changes that happened are going to be... basically your issues are the same in both. All the significant changes are related to OpenSSL. So I might just cover it in one video for both. That way I get both parties upgraded to the latest version with OpenSSL.

"But I have a question. I often check YouTube along with Google search. Occasionally I get desperate and ask Google Bard."
Yeah. Fun fact about Google Bard: I like it on my phone a lot. It will summarize things for you, and it turns out if they have stupid pop-up ads, kind of on the ad topic again, that make trying to figure out the article hard, Bard on your phone will summarize things for you. Having Bard give you a summary answer, so I just know, because I get it, they want you to click the link: "You're not going to believe what this does, blah blah blah." Bard, summarize link. "Oh, they're just talking about a new feature on this." Oh, cool. Maybe I want to read it, and that will determine for me: do I read the article and deal with the stupid ads in the article if I'm reading on my phone, or do I skip it?

"Recently I bought a MikroTik 6 6, reset button came off. Glad I learned how to solder." Yeah, fix that bad boy right up. Yeah, and if you want to, hey, if you don't know how to solder, you can go over to YouTube. I haven't looked at this in a long time, but I mean, there's a lot of videos, I'm sure, that would teach you how to be better at soldering and doing electronics.

I think WatchGuard's better than it used to be. I had my own biases against WatchGuard from their early days. I had gotten in an argument with their support team back in, I don't know, circa 2007 or '08. The fact that they're still in business means, okay, they must be doing something. I don't think they're necessarily a bad company. I don't have a lot of firsthand experience with WatchGuard. I used to hate the way they used a separate Windows tool instead of a web interface to manage it. So the early days of WatchGuard, and granted, I'm talking 14 years ago, I thought sucked. The modern WatchGuard has a web interface and everything else. I don't think they suck like they used to.

"Need an open source tool for remote monitoring, you know, outside of MeshCentral." And they've had their controversies.
I haven't really kept up with the project really well. I see controversies, because if you read through, people overstated it. The person who was putting it together had a separate repository where they were running a bunch of Bitcoin stuff, so people started assuming they were installing some type of Bitcoin on theirs. They weren't. That turned into a big hoopla and everyone got mad at them, but there's really not... I can't name the next one. There's like MeshCentral. That's it. And I don't use any of these commercially. We're using NinjaOne for our RMM.

"What do you think about the EU undermining encryption by forcing browsers to include government-owned CAs?" I think that many companies will fight this. It's a bad idea.

"They don't suck like they used to." There we go.

"What do you recommend for a remote access tool? My company is looking at GoToAssist." We're still a big fan of ScreenConnect. It's one of the best remote access tools out there. It kind of depends on all your use cases, but ScreenConnect has been one of my go-tos for a while. I don't know if it'll fit your use case, but that's what we're using ourselves, ScreenConnect. I haven't looked at GoToAssist in a very long time.

"Have you done any ESP32 with all the new wake word Home Assistant stuff?" I have not. I don't do a lot of that level of things. I usually just buy things I know are compatible with my Home Assistant.

"What do you think about the 45Drives
HL15?" I mean, I think they're building a premium product. So that's one of the things I want to be covering with it. If you're someone looking for the cheapest deal, then don't look here. If you're trying to build on the absolute budget, it may not be the right product for you. If you're looking for a premium product for the home lab, and you got to figure a chassis will last you years, so you may swap out the motherboard a few times and a power supply a couple times. It's something you keep for a long time, and that's how I look at the 45Drives home lab device, as something I'll buy, I'll have now, I should say, and then you keep it over time, and you swap out hard drives when hard drives get bigger. At some point maybe they have a new backplane that isn't SATA, but generally hard drive backplanes last a really long time. But the motherboard, every four or five years you update a motherboard. So it's one of those kind of investment-and-keep-it-with-you things. That's one of the reasons we like it. It's for people, you know, not just YouTubers, but people who go, "I'm doing well in tech. I want my lab to have some premium things in there, and I don't really necessarily want to buy an old used server, because it's noisy and pulls a lot of watts." Matter of fact, I talked to some people, like one of my friends, and he's quite well off, and it was funny. He's like, "I don't even know why I keep so many of these." He had like three, I think it was R640s. They're fairly new. They were, you know, bought used, but he's like, "Yeah, I probably increased my electric bill substantially, and I'm not even doing much with it."

"How do you deal with updates on clients' firewalls? When one pops up, just call them and go over there? Is there a lot of convincing?" No, you just start doing it. I mean, you have to schedule it. You can't have downtime. You measure the risk: what's their risk surface, how fast do we need to get this up to date?
But yeah, we start the updates if we're in charge of managing those firewalls. We get them on the schedule to get them updated and coordinate with the client, because, well, firewall updates do generally, not always, but generally, require a reboot of the firewall. And if they require us to reboot the firewall, we're gonna have to work out when we can reboot that firewall. And you have to know this ahead of time, when you engage with your clients. These are things you have to know: can I update the firewall at six o'clock, seven o'clock, eight o'clock? What times are those businesses closed? These are things you establish first with a client. That way, when it comes up, you can just go at it and have it done.

I'm not a big fan of Fortinet. I think they're needing to refactor a lot of code. I think they've been fixing a lot of code, but yeah, I'm not a big fan. Their history is kind of sketchy.

I see people recommend RustDesk. The thing I point out when you're talking about a remote access tool is a very specific, very important thing here: please make sure that it has been security audited. You don't want to find a flaw in there that causes the problem.

I'm gonna turn that down. I'm gonna wind this down here in a minute, because I can only turn the AC thing next to me that makes a lot of noise down so many times.

"What do you use for voice control for Home Assistant?" I don't use voice control for Home Assistant. I don't care about talking to my devices. I prefer things like presence detection to turn things on and off. I like automation through either presence detection or time of day or an event happening. You know, I have lights that come on if it detects a car or a person in my driveway, but not motion detection. So I like those types of automations. I don't really like talking to devices as much. That's me, though. I'm not telling you not to do it.
I'm just saying I prefer not to do it.

"Maybe I'm misremembering, was there something about 45Drives getting into the consumer market?" Yeah, that's where the Homelab 15 is, the HL15. Jeff from Craft Computing already has a review of it. So, yes.

"OpenSSL 3 on FreeBSD is still in beta." No, you are mistaken about that. OpenSSL is not in beta. Now, FreeBSD 14 has it, I believe. I don't know if 14 is still considered beta, but Netgate is part of the kernel development team, so they're also honing it in. So it's not that the beta is out of security concern here.

"I noticed DHCP has been deprecated. Any idea how to update this?" Yes, the latest versions of pfSense have the new DHCP in there as well. So that is also one of the changes. That's why I want to do a video on it, where I talk about a couple of major changes.

Palo Alto is a pretty popular product. They're expensive, but they make a pretty good product.

"Microwave radar for detecting the presence of humans. It's super efficient with Home Assistant, neat." Yeah, there's a bunch of small Z-Wave and Zigbee... I don't know which one they are, Z-Wave or Zigbee. I'm not going to do, I should say, a deep dive on every Home Assistant device, but I will go through, because I've been watching a few of the channels. I don't remember them off the top of my head, but they're the ones that come up at the top of YouTube. Usually there's a lot of good channels out there for Home Assistant, and people who keep dedicated channels to talk about how to set things up, which devices to use. When I do my Home Assistant video, I'll reference those other channels, because they were helpful in me learning Home Assistant and me understanding which things to buy. So yeah, I'll be covering that. I mean, go on YouTube.
They're easy enough to find. There's a couple big channels really dedicated to it.

I don't think there's enough information for me to really answer the question about the dual actuator ones. I think they're novel. I think there's some cool features on them. They're not tested in the market very well, and there's still some trickiness to setting them up. Wendell has a video on it, and I defer to him on it, because he's actually done more testing than I have with them.

"OpenSSL 3.2 is beta, not OpenSSL 3." That's my understanding as well.

Ooh, we got a riddle here. "What's the programmer's least favorite Pixar movie?" I'll await the answer to that one. I don't know. You got me on that one. I'm assuming it's a riddle of some sort. "A Bug's Life." Okay, I definitely like that joke.

All right, well, I'm gonna wind this down here. I have some stuff I'm gonna go do. I got to head back down and attend the event and all the fun stuff that comes with it. So thanks, everyone, for joining. Awesome having all of you here. Look for some upcoming videos when I get back, everything from the Homelab 15 to all the pfSense updates. And in the meantime, update pfSense and reach out to me in my forums and everything else. So definitely, if you want to engage with me when I'm not doing videos, that's where I do a lot of posts. If you have a more in-depth technical question, the forums, either my forums if you're asking me a question or the forums related to the product, are definitely great places to go. So thank you, everyone, for being here, and take care.