6 min read

Updates from Core Lab!

Cyberpunk-themed hacker graphic with neon high-contrast visuals representing secure, encrypted media streaming and advanced digital privacy techniques.
Unlocking the 2026 Trinity strategy to outsmart ISP blocks.

You've almost made it through the week, Happy Thirsty Thursday. Let's get you ready for some weekend projects 😉

I've had a massive few weeks at the lab. While the "Dirty Snow" build has been purring along, I’ve spent most of my time lately looking at how we protect ourselves—not just our servers, but our actual identities. If you’re living north of the 49th parallel, this update is specifically for you. I've been a very busy beaver!

Here is the "TL;DR" of what’s been happening at the Core Lab.
🤔
Love or hate the AI header images? Let me know in the comments below!

For too long, security advice has been particularly NON-Canadian (telling us to "freeze our credit" at bureaus that don't exist here). I've put together a comprehensive 3-part masterclass on hardening your life in the Great White North.

  1. Part 1: The Data Pipeline - We like to think of identity theft as a sudden "hack." In reality, it’s a slow-motion leak. Your data doesn’t just disappear; it moves through a pipeline of corporate negligence and criminal aggregation. Welcome to a series of posts that may genuinely make you want to have a tinfoil hat surgically installed!
  2. Part 2: The 8-Minute Nightmare - Picture this: You’re sitting at home at 5:45 PM. Your phone starts buzzing. A call from an unknown number. You ignore it. Then another. And another. Fifty calls later, your phone goes dead. “Unregistered SIM.” Learn how to defend against this, or react to it fast.
  3. Part 3: The Domino Effect - What To Do When Your Email & Socials Get Hacked – It started with a Direct Message. A friend sent you a link: "Is this you in this video? OMG." Curious, you clicked. It looked like the Facebook login page. You typed your password. Nothing happened. Weird. You shrugged and went on with your day.
Read the Full Series: [Protecting Your Identity in Canada]

🛠️ The Lab Updates (The Fun Stuff!)😃

New posts, updated posts, the latest ongoings since the last big update. We'll start with the net-new full posts, and then followup with updated guides.

Wireguard guide!

    1. Maybe you've heard of Wireguard, maybe you want to switch off of OpenVPN? Maybe you just want to run Wiregaurd raw vs in Tailscale (Direct kernal vs userspace FTW!)... Regardless, here's your ticket & guide!
Mastering WireGuard: Site-to-Site & Road Warrior Setup (Docker + OPNsense)
Stop running WireGuard on your firewall. Learn how to decouple your VPN using Docker or Linux VMs behind OPNsense for better performance, portability, and Site-to-Site routing.

Home Assistant Container (Docker) vs. HA OS (VM)!

    1. Path A: Flash Home Assistant OS (HAOS) to a Raspberry Pi or run it as a VM. (The "easy" way).
    2. Path B: Run Home Assistant Container in Docker. (The "hard" way).

Figure out which is best for you, and why I chose B!

Home Assistant: Docker vs. OS? Why I Ditched the VM (2026)
Debating Home Assistant OS vs. Docker? Discover why the “limitations” of Docker are actually superpowers. Learn how to build a faster, flexible smart home.

Media Server Janitors: Maintainarr and Decluttarr!

    1. Sick of downloads being stuck? Maybe sick of 20TB of shows no one watches taking up very valuable spinnig disk space? Here's the solution!
Maintainerr & Declutarr: The Ultimate 2026 Media Maintenance Guide
Stop manual library cleanup. Learn how to use Maintainerr for Plex pruning and Declutarr for stalled queue management in this comprehensive 2026 guide.

OMV 7 to 8 Upgrade Guide: Trails and Tribulations Included!

  1. Upgrading your home server is usually a "one-click" affair. It's supposed to be boring... Hopefully yours is!
OMV 8 Upgrade Guide: Fixing 502 Errors, Kernel 6.17, & Debian 13
Master the OpenMediaVault 8 (Synchrony) upgrade. Learn to fix PHP 502 Bad Gateway errors, handle SHA-1 repo issues, and optimize Kernel 6.17 for your homelab.

Proving it Works 🛡️CrowdSec Day 2 Ops

CrowdSec Deep Dive: Forensics, Metrics & Whitelisting (2026)
Installed CrowdSec but see empty logs? Don’t panic. Learn how to verify your “invisible shield,” investigate attacker logs, and whitelist your own IP.

⚡ The Quick Hits: New & Revised Guides

  1. Revised some of the OPNsense part 1 guide (Thanks for feedback!)
  2. Updated the Ultimate Aarr Guide a bit (Thanks for feedback!)
  3. Revised the Ultimate Streaming Server guide (Decypharr!) (Thanks for feedback!)
    1. New 'Minor' posts below👇
How to Add a Dark Mode Toggle to Ghost Using Code Injection
If you are using the Edition theme for Ghost, you might have noticed it lacks a native Dark Mode toggle. While Ghost handles themes elegantly, sometimes you want to give your users the choice to save their retinas late at night without having to download, edit, and re-upload the entire

Save your retinas with this code injection hack!

NGINX 101: Understanding Configs, Headers & Docker (Deep Dive)
Stop relying on magic. Learn how NGINX actually works under the hood. A deep dive into config files, proxy headers, and Raw Docker deployments.

Move past "copy-paste" configs and understand the proxy!

The Self-Hosting Roadmap: DNS, Docker, and Nginx Proxy Manager (2026)
From Localhost to Public URL. A step-by-step architecture guide for self-hosting securely using Cloudflare, OPNsense, and Nginx Proxy Manager.

The self-hosting blueprint!


💀 The Threat Landscape

🚨 The "OAuth" Hijack Trend

We are seeing a massive spike in "Token Theft" over traditional password cracking. Attackers aren't stealing your password; they are stealing your session.

  • The Takeaway: If a random site asks you to "Log in with Google/Discord" for a simple tool, don't. Use a burner account or a masked email. Once they have that OAuth token, 2FA won't save you.

⚠️ Security Alert: The "OpenClaw" Nightmare

The viral AI assistant OpenClaw (formerly Moltbot/Clawdbot) is being labeled a "security nightmare" following the discovery of CVE-2026-25253. This critical vulnerability allows for one-click Remote Code Execution (RCE), essentially giving hackers full control over your machine if you visit a malicious link while the agent is running.

Because OpenClaw operates with high-level system permissions to execute tasks, compromised instances act as an "agentic Trojan horse"—leaking API keys, exfiltrating plaintext credentials, and even allowing attackers to bypass sandboxes. Security firms warn that over 40,000 instances are currently exposed online due to "insecure-by-default" configurations. The Fix: Immediately update to version 2026.1.29 or later and audit any third-party "skills" installed via ClawHub.

Weekend Project?

Even if you don't do the full lockdown, go check your credit report. You’d be surprised what "zombie accounts" are sitting there waiting to be compromised. Other suggestions, VLAN segregation, or self-hosted password manager setup!

Stay paranoid, stay safe.

Joe