Human Infrastructure 411: Home Labs and Self-Hosting, Happier Eyeballs, and 5G Zeppelins

THIS WEEK’S MUST-READ BLOGS 🤓

I ran into 3 blogs covering different aspects of home labbing & self-hosting this week.

  1. In Over engineering my homelab so I don't pay cloud providers, Thibault Martin discusses his migration from a VPS to a home setup using Proxmox VE and Ansible.

  2. Over at the Polymathic blog, Dr. Paul Welty covers transitioning from a frustrating setup of port forwarding, certs, and firewall policies for container access to using a Tailscale container mesh network via sidecars. Read How I eliminated networking complexity: Docker Tailscale sidecar patterns.

  3. Brandon Lee wrote Stop Exposing Your Home Lab – Do This Instead comparing Twingate, Tailscale, plain ol’ WireGuard, and Cloudflare Tunnel as remote access technologies.

FWIW, I’m still using ZeroTier to access my lab server remotely. I know ZT is not the latest and greatest flavor of these sorts of tools. I haven’t updated to anything more modern because I haven’t found ZeroTier lacking anything I need yet. - Ethan

Natalie notes that there’s a growing trend of shimming container runtimes into a microVM to provide an additional layer of isolation. Examples include Firecracker and Kata Containers. They’re designed to be lightweight but also secure.  

This post is written for folks who may be conducting threat research, playing with exploits, or running a red-teaming exercise based around privilege escalation in container environments. If you’re trying to escalate privileges and find yourself stymied, Natalie offers some suggestions on how to figure out if you’ve landed inside a microVM, and ways to pivot. - Drew 

Noah Smith analyzes the amount of money being spent on data center builds driven by AI. Then he ponders what happens to the global economy if we’re overbuilding, they don’t come, and the money spent building these data centers can’t be recovered. The key to his analysis is consideration of how the money is sourced. In particular, Noah spends time on private credit, a source of funding that’s a bit of a wildcard. Worth a read if our AI future interests you. - Ethan

Cole Grolmus looks at the PANW acquisition of CyberArk. He considers the expense, other identity companies PANW might have acquired instead, and risks inherent in this acquisition. In his conclusion, he suggests that PANW has changed the identity market significantly.

“Large, multi-domain cybersecurity companies have historically stayed away from the identity market. That era appears to be over. This is an industry-altering deal. The place to watch next is what happens with the rest of the market. CrowdStrike, Fortinet, Check Point, Zscaler, and anyone else who wants to be a broad cybersecurity market leader is now under tremendous pressure to enter the identity market.” - Ethan

Daniel, the primary force behind the CLI tool curl, does a quick review of the original Happy Eyeballs RFC 6555, the practical implementation challenges of Happy Eyeballs v2 (RFC 8305), and looks ahead as Happy Eyeballs v3 begins to take shape. It’s gotten more complicated than simply selecting IPv4 vs. IPv6 based on performance. Now there are DNS resolution times to consider, as well as the complexities that HTTP/3, QUIC, HTTPS-RR DNS records, and more bring to the party. - Ethan

MORE BLOGS

5 things you haven’t considered (but should) before upgrading to Windows 11

Windows 11 comes with more than just new UI — it's a whole new set of rollout variables. From hardware requirements and Copilot+ PCs to shifting support timelines and end-user readiness, the migration path is packed with hidden wildcards (and budget busters).

We’ll walk through 5 overlooked considerations that catch teams off guard. You’ll get practical guidance on how to adjust your planning, testing, and user prep to stay ahead.

Join SmartDeploy on Wednesday August 20th. Sign up here!

TECH NEWS 📣

Instead of satellites in low earth orbit, “Tokyo’s SoftBank Corp. will be beaming a prototype 4G and 5G phone and broadband service from the stratosphere to Japanese end users. Floating 20 kilometers above the Earth, the company’s airship-based mast will be using energy-regeneration tech and newly allocated spectrum. And the tech could ultimately pose a real, competitive threat to satellite-based platforms like Starlink.”

The high-altitude platform system (HAPS) tower-in-the-sky is solar powered, offers 20 ms latency, and operates below outer space but above weather. The floating tower is also a true base station, and not just a relay. Backhaul appears to be over microwave bands between 700 MHz and 2.6 GHz as opposed to the weather-vulnerable millimeter waves used in earlier HAPS experiments.

Our future is dirigible. - Ethan

US tech companies are going to have to make some hard choices about the kind of society they want to exist in. I think there's a cadre of founders and CEOs who assume their wealth, power, and influence will allow them to navigate an autocracy without any loss of position or privilege (or see an autocracy as an opportunity to enhance their power). I'd remind them about the number of Russian oligarchs who've fallen out of windows or had strange encounters with polonium.

There's a larger number just hoping to stay on the sidelines and concentrate on share prices. In some ways, that's even worse than picking a side. - Drew

Google says its LLM-based AI tool called Big Sleep has discovered 20 vulnerabilities in open-source software (see them here), and that there was a human expert in the loop to validate the discovery. This is an inevitable use for AI, and Tech Crunch reports that similar bug-hunting AIs already exist. Of course, these tools won’t just be used by threat researchers, software developers, or legitimate bug hunters; criminals, nation-states, and other malicious actors can also avail themselves. Prepare for an acceleration in zero days, vulnerabilities, and CVEs. - Drew  

Don’t panic! The bugs were found by researchers who reported them to CyberArk and HashiCorp (no word if any LLMs were involved), and the two vendors say patches are available. But the researchers, who publicized their findings at Black Hat USA 2025, used some interesting techniques to find these flaws. You may find the details interesting/alarming. - Drew   

MORE NEWS

FOR THE LULZ 🤣

RESEARCH & RESOURCES 📒

Nick (co-host of the IPv6 Buzz pod) made a thing. From the README. “A command-line tool for generating hierarchical IPv6 address plans with subnet counts at each level.” Written in Go. You’ll clone the repo, build it on your system, then proceed to carve v6 blocks into subnets. Output in text, JSON, or (coming soon) HTML. - Ethan

This website’s been around for quite a while, and is still actively updated. Use it for free to sleuth around for information about various autonomous systems, IP prefixes, upstream connections, reverse DNS blocks, RADB cross checking, and quite a bit more. If you’d like BGP.tools to monitor & alert on something commercial for you, they offer a flat-fee service based on the largest ASN in your account. - Ethan

Yep, there’s an upgrade path from v8 to v9. Yep, 8.4 will still get patches until August 2026. Click through for more details about the stable v9.0 release. - Ethan

MORE RESOURCES

  1. Wiredoor (self-hosted reverse VPN to expose internal apps to the Internet) - see also their GitHub

  2. addr.zone (IP intelligence API free up to 175/day or 5,000/month)

  3. LangExtract (structured data from unstructured text) - Google via GitHub

INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

ThreatLocker has released a new feature called DAC, or Defense Against Configuration. As the name suggests, the feature provides a dashboard that tracks endpoint misconfigurations and provides a color-coded guide to risk severity. It’s meant to help teams find and fix misconfigurations before they become a problem. It’s available for free for existing ThreatLocker customers.

I have to admit that the name “Defense Against Configuration” made me chuckle; they might as well have called it “Protecting you from yourself.” : ) - Drew 

SquareX is making two open-source toolkits available to help security teams and threat researchers simulate and defend against browser-based attacks. From the press release: “Developed by SquareX security researchers, these tools enable security teams to simulate browser-based attacks across two critical vectors: data exfiltration that bypasses DLP systems and identity attacks executed through browser extensions. More importantly, they provide blue teams with concrete examples of what to monitor and defend against.” - Drew 

HPE has a slew of security-related announcements coming out of Black Hat USA 2025. Two that jumped out to me are an AI copilot for HPE’s SASE offering, and the ability for Aruba Central NAC to use third-party switches (including Juniper, Cisco, and Arista) for policy enforcement. I wrote a blog about it with more details if you’re interested. - Drew 

KPMG is offering a management solution for generative AI that includes pre-built and tailored AI agents, prompt management, and other features. It’s all built on top of Oracle Cloud’s generative AI service. 

I’m not surprised to see a consulting firm dive into agentic AI. These advisory companies tend to have the ears of executives, and it’s easy to imagine a squad of sharp-suited advisors rolling into a conference room with a PowerPoint deck finely calibrated to play on a CIO’s anxieties about being left behind. Given that KPMG has built this on top of Oracle, I presume it will be extra spendy. Then again, with all the staff you could make redundant, the ROI should line up. - Drew

MORE INDUSTRY NOISES

DYSTOPIA IRL 🐙

TOO MANY LINKS WOULD NEVER BE ENOUGH 🐳

LAST LAUGH 😆