Updates from Core Lab!
You've almost made it through the week, Happy Thirsty Thursday. Let's get you ready for some weekend projects 😉
I've had a massive few weeks at the lab. While the "Dirty Snow" build has been purring along, I’ve spent most of my time lately looking at how we protect ourselves—not just our servers, but our actual identities. If you’re living north of the 49th parallel, this update is specifically for you. I've been a very busy beaver!
Here is the "TL;DR" of what’s been happening at the Core Lab.
🛡️ Featured Series: Personal Security & Identity Theft (Canadian Edition) 🇨🇦
For too long, security advice has been particularly NON-Canadian (telling us to "freeze our credit" at bureaus that don't exist here). I've put together a comprehensive 3-part masterclass on hardening your life in the Great White North.
- Part 1: The Data Pipeline - We like to think of identity theft as a sudden "hack." In reality, it’s a slow-motion leak. Your data doesn’t just disappear; it moves through a pipeline of corporate negligence and criminal aggregation. Welcome to a series of posts that may genuinely make you want to have a tinfoil hat surgically installed!
- Part 2: The 8-Minute Nightmare - Picture this: You’re sitting at home at 5:45 PM. Your phone starts buzzing. A call from an unknown number. You ignore it. Then another. And another. Fifty calls later, your phone goes dead. “Unregistered SIM.” Learn how to defend against this, or react to it fast.
- Part 3: The Domino Effect - What To Do When Your Email & Socials Get Hacked – It started with a Direct Message. A friend sent you a link: "Is this you in this video? OMG." Curious, you clicked. It looked like the Facebook login page. You typed your password. Nothing happened. Weird. You shrugged and went on with your day.
Read the Full Series: [Protecting Your Identity in Canada]
🛠️ The Lab Updates (The Fun Stuff!)😃
New posts, updated posts, the latest ongoings since the last big update. We'll start with the net-new full posts, and then followup with updated guides.
Wireguard guide!
- Maybe you've heard of Wireguard, maybe you want to switch off of OpenVPN? Maybe you just want to run Wiregaurd raw vs in Tailscale (Direct kernal vs userspace FTW!)... Regardless, here's your ticket & guide!

Home Assistant Container (Docker) vs. HA OS (VM)!
- Path A: Flash Home Assistant OS (HAOS) to a Raspberry Pi or run it as a VM. (The "easy" way).
- Path B: Run Home Assistant Container in Docker. (The "hard" way).
Figure out which is best for you, and why I chose B!

Media Server Janitors: Maintainarr and Decluttarr!
- Sick of downloads being stuck? Maybe sick of 20TB of shows no one watches taking up very valuable spinnig disk space? Here's the solution!

OMV 7 to 8 Upgrade Guide: Trails and Tribulations Included!
- Upgrading your home server is usually a "one-click" affair. It's supposed to be boring... Hopefully yours is!

Proving it Works 🛡️CrowdSec Day 2 Ops

⚡ The Quick Hits: New & Revised Guides
- Revised some of the OPNsense part 1 guide (Thanks for feedback!)
- Updated the Ultimate Aarr Guide a bit (Thanks for feedback!)
- Revised the Ultimate Streaming Server guide (Decypharr!) (Thanks for feedback!)
- New 'Minor' posts below👇

Save your retinas with this code injection hack!

Move past "copy-paste" configs and understand the proxy!

The self-hosting blueprint!
💀 The Threat Landscape
🚨 The "OAuth" Hijack Trend
We are seeing a massive spike in "Token Theft" over traditional password cracking. Attackers aren't stealing your password; they are stealing your session.
- The Takeaway: If a random site asks you to "Log in with Google/Discord" for a simple tool, don't. Use a burner account or a masked email. Once they have that OAuth token, 2FA won't save you.
⚠️ Security Alert: The "OpenClaw" Nightmare
The viral AI assistant OpenClaw (formerly Moltbot/Clawdbot) is being labeled a "security nightmare" following the discovery of CVE-2026-25253. This critical vulnerability allows for one-click Remote Code Execution (RCE), essentially giving hackers full control over your machine if you visit a malicious link while the agent is running.
Because OpenClaw operates with high-level system permissions to execute tasks, compromised instances act as an "agentic Trojan horse"—leaking API keys, exfiltrating plaintext credentials, and even allowing attackers to bypass sandboxes. Security firms warn that over 40,000 instances are currently exposed online due to "insecure-by-default" configurations. The Fix: Immediately update to version 2026.1.29 or later and audit any third-party "skills" installed via ClawHub.
Weekend Project?
Even if you don't do the full lockdown, go check your credit report. You’d be surprised what "zombie accounts" are sitting there waiting to be compromised. Other suggestions, VLAN segregation, or self-hosted password manager setup!
Stay paranoid, stay safe.
Joe








Member discussion