Latest from the Lab - Jun 22 '26

My old rack & setup, it's grown & adapted from here!

Latest posts & updates from the lab!

Three big ones dropping this week, and they couldn't be more different from each other! We've got a civic fire alarm (in Canada & the greater Five Eyes community), a hands-on security deep dive, and a shameless gear haul. Something for everyone. It's a meaty update, so I've dropped a table of contents below.

You can also read the previous update, New from Core Lab (June 9 '26), for a look at a year of running this blog and the Linux gaming showcase.


🔒 1. Canada Is Quietly Dismantling Digital Privacy (And You're Probably Not Paying Attention)

This one's been sitting on my desk for a while, and after Bills C-22, C-34, and C-9 all made serious legislative progress in the past few weeks, I couldn't hold it any longer. I know - politics on a homelab blog. Stick with me, it matters!

The reason this belongs here is simple: this is exactly the kind of thing that makes self-hosting matter.

When the federal government tables a bill that could compel VPN providers to build real-time interception capabilities into their own infrastructure, and Windscribe (a Canadian company!) responds by saying it will move its headquarters out of the country, that's not an abstract policy debate. That's Signal's threat to exit the UK, playing out in Ottawa.

Canada Is Dismantling Digital Privacy: Bills C-22, C-34 & C-9 Explained
Buried inside federal Bills C-22, C-34, and C-9 is a sweeping surveillance architecture. Here is what it means for Canadians and how to self-host your way out.

The post covers:

  • What's actually in each bill - not just the headline, but the technical provisions around metadata retention, interception infrastructure mandates, and the lowered evidentiary threshold for subscriber data
  • How C-22 Part 2's "electronic service provider" language is broad enough to sweep up VPN operators, device manufacturers, and potentially open-source software maintainers
  • The Five Eyes playbook - the same legislative architecture that already passed in Australia (2018), is in force in the UK (IPA + Online Safety Act), and is working its way through the EU (Chat Control) - Canada isn't leading here, it's following a well-worn script
  • The uncomfortable engineering reality of mandated backdoors: a vulnerability built for your government is a vulnerability that exists, full stop
  • And most importantly: what you can do right now - with cross-references to the WireGuard, Gluetun, and Vaultwarden guides here on the site

Windscribe (Canadian), NordVPN, and Signal have all publicly flagged concerns with or threatened withdrawal over C-22's interception capability provisions. The U.S. House Judiciary and Foreign Affairs Committees wrote to Ottawa over this. These are not fringe reactions.

I tried to be fair to both sides: the stated goals around child safety and national security are real, and I've fact-checked the more alarmist takes where they're overstated. But the structural concerns are documented, serious, and coming from the government's own oversight body, not just Reddit.

Worth a read whether or not you consider yourself politically engaged. If you self-host anything (especially in a Five Eyes country), this is directly relevant to you.

๐Ÿ›ก๏ธ How to Harder Your Personal Stack Right Now

To keep your data containerized and out of the dragnet, verify your defensive routing. Ensure you review our existing implementation guides: 👉 [The WireGuard Deployment Guide] | [Gluetun VPN Client Container Setup] | [Self-Hosting Vaultwarden Safely]


🛒 Prime Day Is Here: Joe's Favorite Tested Homelab Gear

Alright, time to talk toys. 🎉 Amazon Prime Day 2026 kicks off officially at midnight tonight (though a ton of early hardware deals are already active), and if you've been sitting on any homelab hardware upgrades, this is genuinely the best window outside of Black Friday.

I spent the morning digging past the paid placements and consumer trash in the deal catalog to compile the gear I've empirically tested, deployed in my own clusters, or routinely recommended to readers with feedback.

🚀 Highlight Deals on My Radar:

  • High-Speed Switches: The fanless MikroTik CRS309 (8-port 10GbE SFP+) is sitting at a rare discount, alongside the ultra-budget Binardat 10GbE managed box for those trying to break into high-speed storage tiers for roughly $125 CAD.
  • Mini-PCs & Nodes: From dedicated OPNsense firewall builds utilizing the GMKtec M8 to unified-memory local LLM nodes, we rank the price-to-performance sweet spots.
  • Storage Pools: Deep price cuts on Samsung 990 EVO Plus NVMe blades (which I just finished benchmarking on Linux) and enterprise-grade Seagate IronWolf spinning rust.

Prime Day 2026 Homelab & Networking Deals: Top Picks
Don't waste hours scrolling through consumer trash. I dug through the active Prime Day catalog to pull out the hardware genuinely worth your click - most of which is currently running inside my own infrastructure.

๐Ÿ›ก๏ธ Auditing the Castle: How to Scan and Pen-Test Your Homelab (2026 Guide)

This is one of those posts I wish existed when I was setting up my first homelab. Everyone talks about securing their network - VLANs, firewall rules, fail2ban, the whole stack. Far fewer people talk about verifying that it actually worked!

๐Ÿ›ก๏ธ Auditing the Castle: How to Scan and Pen-Test Your Homelab (2026 Guide) - Stop guessing if your self-hosted infrastructure is secure.

๐Ÿ›ก๏ธ Auditing the Castle: How to Scan and Pen-Test Your Homelab (2026 Guide)
Stop guessing if your self-hosted infrastructure is secure. Use Shodan, Greenbone OpenVAS in Docker, and Trivy to audit your homelab like a professional.

This guide walks through the full audit pipeline I run on my own lab:

  • Shodan recon: what the internet thinks your homelab looks like from the outside. Genuinely eye-opening the first time you run this. (Spoiler: you probably have something exposed you forgot about.)
  • Greenbone OpenVAS in Docker: full vulnerability scanning against your internal network. I walk through the whole deployment since OpenVAS's documentation is... let's say characteristically generous with ambiguity.
  • Trivy for container image scanning: if you're running a stack like mine (~50 containers), knowing which images have CVEs before they get exploited is not optional. Trivy plugs directly into your Docker workflow.
  • Nmap essentials: targeted service fingerprinting so you actually know what's listening and on what. Not just nmap -sV, but the specific flag combinations that give you useful signal without setting off your own IDS.

💥 For those of you who grabbed the network audit script from the Core Lab GitHub, this post is the companion read: it explains what the script is checking for and how to go deeper when something flags.

Complete the Defensive Stack:

Pair this with the OPNsense Security Through Obscurity guide and the Cybersecurity Roadmap for the full defensive stack!

Beyond Default Deny: Reducing Attack Surface & Exposure in 2026
Stop Shodan and Censys from mapping your network. Learn how to use OPNsense 26.1, CrowdSec, and Divert Mode to achieve true Security through Obscurity in 2026.

The Digital Fortress: A Homelab Security Roadmap
Stop exposing port 32400 to the world. Here is how to build a defense-in-depth strategy for your self-hosted stack. 🛡️

Join the Discussion 🪵

Are you running variations of these auditing tools or tracking the active privacy bills moving through Ottawa? Drop a comment below or reach out via email - I am always curious to see what workflows or amendments other lab operators are tracking.

If you found these deep dives helpful, sharing the articles with a fellow self-hosting enthusiast or network engineer is the single best way to support the blog.

As always, thanks for being part of the Core Lab journey. See you in the logs 😉