[{"content":"Summary Some Intel onboard NICs using the e1000e driver can intermittently lose network connectivity on Proxmox VE and repeatedly log errors like:\ne1000e … Detected Hardware Unit Hang This can cascade into Linux bridge ports being disabled (VM connectivity loss) and may trigger reboot/recovery automation if present.\nA commonly used mitigation is to disable specific NIC offloads (especially TSO) and disable EEE (Energy Efficient Ethernet), then re-apply those settings on every boot using a systemd unit.\nSymptoms Intermittent network loss on the Proxmox host VMs lose connectivity (bridge ports enter disabled state) Kernel logs show repeated hang messages Example kernel log line:\ntext Copy e1000e 0000:00:1f.6 enp0s31f6: Detected Hardware Unit Hang e1000e 0000:00:1f.6 enp0s31f6: Detected Hardware Unit Hang Affected components Proxmox VE host Intel onboard NIC using the e1000e driver Example interface: enp0s31f6 Solution overview Confirm the interface uses the e1000e driver Disable offloads (TSO/GSO/GRO) Disable EEE (if enabled/active) Persist both changes via a systemd oneshot unit Verify after reboot and monitor logs for recurrence Step 1 — Confirm NIC driver and interface shell Copy # Show NIC + driver mapping lspci -nnk | grep -A3 -i ethernet # Driver details for the interface ethtool -i enp0s31f6 # Show NIC + driver mapping lspci -nnk | grep -A3 -i ethernet # Driver details for the interface ethtool -i enp0s31f6 Step 2 — Apply mitigations immediately (runtime) 2.1 Disable offloads (recommended) Check current state:\nshell Copy ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; Disable the common problematic features:\nshell Copy ethtool -K enp0s31f6 tso off gso off gro off ethtool -K enp0s31f6 tso off gso off gro off 2.2 Disable EEE (recommended if enabled/active) Check:\nshell Copy ethtool --show-eee enp0s31f6 ethtool --show-eee enp0s31f6 Disable:\nshell Copy ethtool --set-eee enp0s31f6 eee off ethtool --set-eee enp0s31f6 eee off Note: ethtool settings are not persistent across reboot unless re-applied.\nStep 3 — Persist across reboot with systemd 3.1 Create the service Create /etc/systemd/system/nic-offloads.service:\nini Copy [Unit] Description=Disable problematic NIC offloads + EEE for e1000e stability Wants=network-online.target After=network-online.target [Service] Type=oneshot # Offloads (common mitigation for e1000e hangs) ExecStart=/usr/sbin/ethtool -K enp0s31f6 tso off gso off gro off # EEE (recommended if active) ExecStart=/usr/sbin/ethtool --set-eee enp0s31f6 eee off RemainAfterExit=yes [Install] WantedBy=multi-user.target [Unit] Description=Disable problematic NIC offloads + EEE for e1000e stability Wants=network-online.target After=network-online.target [Service] Type=oneshot # Offloads (common mitigation for e1000e hangs) ExecStart=/usr/sbin/ethtool -K enp0s31f6 tso off gso off gro off # EEE (recommended if active) ExecStart=/usr/sbin/ethtool --set-eee enp0s31f6 eee off RemainAfterExit=yes [Install] WantedBy=multi-user.target 3.2 Enable and run it now shell Copy systemctl daemon-reload systemctl enable --now nic-offloads.service systemctl restart nic-offloads.service systemctl daemon-reload systemctl enable --now nic-offloads.service systemctl restart nic-offloads.service Step 4 — Verification checklist 4.1 Verify EEE is disabled shell Copy ethtool --show-eee enp0s31f6 ethtool --show-eee enp0s31f6 Expected:\nEEE status: disabled 4.2 Verify offloads are disabled shell Copy ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; Expected:\ntcp-segmentation-offload: off generic-segmentation-offload: off generic-receive-offload: off 4.3 Verify service ran successfully shell Copy systemctl status nic-offloads.service --no-pager journalctl -u nic-offloads.service -b --no-pager systemctl status nic-offloads.service --no-pager journalctl -u nic-offloads.service -b --no-pager Step 5 — Logging \u0026amp; monitoring 5.1 Persist journal logs across reboots (recommended) shell Copy mkdir -p /var/log/journal systemctl restart systemd-journald mkdir -p /var/log/journal systemctl restart systemd-journald 5.2 Monitor for recurrence shell Copy journalctl -k -f | egrep -i \u0026#39;e1000e|Hardware Unit Hang|NETDEV WATCHDOG|timed out|reset\u0026#39; journalctl -k -f | egrep -i \u0026#39;e1000e|Hardware Unit Hang|NETDEV WATCHDOG|timed out|reset\u0026#39; To review the previous boot if a reboot happens again:\nshell Copy journalctl -b -1 -k --no-pager | egrep -i \u0026#39;e1000e|Hardware Unit Hang|NETDEV WATCHDOG|timed out|reset\u0026#39; journalctl -b -1 -k --no-pager | egrep -i \u0026#39;e1000e|Hardware Unit Hang|NETDEV WATCHDOG|timed out|reset\u0026#39; Rollback Re-enable offloads (choose what you want on):\nshell Copy ethtool -K enp0s31f6 tso on gso on gro on ethtool -K enp0s31f6 tso on gso on gro on Re-enable EEE (if desired):\nshell Copy ethtool --set-eee enp0s31f6 eee on ethtool --set-eee enp0s31f6 eee on Disable persistence:\nshell Copy systemctl disable --now nic-offloads.service rm -f /etc/systemd/system/nic-offloads.service systemctl daemon-reload systemctl disable --now nic-offloads.service rm -f /etc/systemd/system/nic-offloads.service systemctl daemon-reload If the issue persists Update BIOS/firmware (board + NIC) Test a different Proxmox kernel version (regression check) Consider e1000e tuning parameters (advanced) Long-term reliability: add a more robust NIC (e.g., Intel i210/i350 class) Quick copy/paste: reapply + verify shell Copy # Apply now ethtool -K enp0s31f6 tso off gso off gro off ethtool --set-eee enp0s31f6 eee off # Verify ethtool --show-eee enp0s31f6 ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; # Service logs systemctl status nic-offloads.service --no-pager journalctl -u nic-offloads.service -b --no-pager # Apply now ethtool -K enp0s31f6 tso off gso off gro off ethtool --set-eee enp0s31f6 eee off # Verify ethtool --show-eee enp0s31f6 ethtool -k enp0s31f6 | egrep \u0026#39;tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload\u0026#39; # Service logs systemctl status nic-offloads.service --no-pager journalctl -u nic-offloads.service -b --no-pager References Proxmox forum thread: Intel NIC e1000e hardware unit hang Garrett Laman: Fixing Intel e1000e NIC hangs on Proxmox nodes Kernel docs: Intel e1000e driver systemd: Running services after the network is up (network-online.target) ethtool documentation (EEE / offloads) ","permalink":"https://psalabs.eu/articles/kb/proxmox-nic-issues/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003eSome Intel onboard NICs using the \u003cstrong\u003ee1000e\u003c/strong\u003e driver can intermittently lose network connectivity on Proxmox VE and repeatedly log errors like:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ee1000e … Detected Hardware Unit Hang\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis can cascade into Linux bridge ports being disabled (VM connectivity loss) and may trigger reboot/recovery automation if present.\u003c/p\u003e\n\u003cp\u003eA commonly used mitigation is to disable specific NIC offloads (especially \u003cstrong\u003eTSO\u003c/strong\u003e) and disable \u003cstrong\u003eEEE (Energy Efficient Ethernet)\u003c/strong\u003e, then re-apply those settings on every boot using a systemd unit.\u003c/p\u003e","title":"proxmox: NIC issues with e1000e network adapters"},{"content":"General Updates Update One-liner To Update without further confirmation:\nbash Copy sudo apt update -y \u0026amp;\u0026amp; sudo apt upgrade -y sudo apt update -y \u0026amp;\u0026amp; sudo apt upgrade -y Remove the -y flag to manually confirm actions\nFix Update Problems Removes bad cached packages and re-download\nbash Copy sudo rm -f /var/cache/apt/archives/linux-headers-6.8.0-94_*.deb sudo apt clean sudo apt update sudo apt --fix-broken install sudo rm -f /var/cache/apt/archives/linux-headers-6.8.0-94_*.deb sudo apt clean sudo apt update sudo apt --fix-broken install If this has run successfully you can trigger updates, I had best success with removing obsolete packages beforehand\nbash Copy sudo apt autoremove --purge sudo apt update -y \u0026amp;\u0026amp; sudo apt upgrade -y sudo apt autoremove --purge sudo apt update -y \u0026amp;\u0026amp; sudo apt upgrade -y Proxmos Agent Install bash Copy sudo apt update sudo apt install -y qemu-guest-agent sudo systemctl enable --now qemu-guest-agent sudo systemctl status qemu-guest-agent --no-pager sudo apt update sudo apt install -y qemu-guest-agent sudo systemctl enable --now qemu-guest-agent sudo systemctl status qemu-guest-agent --no-pager ","permalink":"https://psalabs.eu/articles/kb/ubuntu-maintenance/","summary":"\u003ch1 id=\"general-updates\"\u003eGeneral Updates\u003c/h1\u003e\n\u003ch2 id=\"update-one-liner\"\u003eUpdate One-liner\u003c/h2\u003e\n\u003cp\u003eTo Update without further confirmation:\u003c/p\u003e\n\u003cdiv class=\"psa-codeblock\" data-lang=\"bash\"\u003e\n  \u003cdiv class=\"psa-code-toolbar\" aria-hidden=\"true\"\u003e\n    \u003cdiv class=\"psa-code-toolbar-left\"\u003e\n      \u003cspan class=\"psa-code-dots\" aria-hidden=\"true\"\u003e\n        \u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\n      \u003c/span\u003e\n        \u003cspan class=\"psa-code-lang\"\u003ebash\u003c/span\u003e\n    \u003c/div\u003e\n    \u003cbutton type=\"button\" class=\"psa-code-copy\" data-psa-copy-code\u003e\n      Copy\n    \u003c/button\u003e\n  \u003c/div\u003e\n\n  \u003cdiv class=\"psa-code-variant psa-code-variant--light\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update -y \u003cspan style=\"color:#04a5e5;font-weight:bold\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo apt upgrade -y\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n  \u003cdiv class=\"psa-code-variant psa-code-variant--dark\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update -y \u003cspan style=\"color:#f92672\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo apt upgrade -y\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eRemove the -y flag to manually confirm actions\u003c/p\u003e\n\u003ch2 id=\"fix-update-problems\"\u003eFix Update Problems\u003c/h2\u003e\n\u003cp\u003eRemoves bad cached packages and re-download\u003c/p\u003e\n\u003cdiv class=\"psa-codeblock\" data-lang=\"bash\"\u003e\n  \u003cdiv class=\"psa-code-toolbar\" aria-hidden=\"true\"\u003e\n    \u003cdiv class=\"psa-code-toolbar-left\"\u003e\n      \u003cspan class=\"psa-code-dots\" aria-hidden=\"true\"\u003e\n        \u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\n      \u003c/span\u003e\n        \u003cspan class=\"psa-code-lang\"\u003ebash\u003c/span\u003e\n    \u003c/div\u003e\n    \u003cbutton type=\"button\" class=\"psa-code-copy\" data-psa-copy-code\u003e\n      Copy\n    \u003c/button\u003e\n  \u003c/div\u003e\n\n  \u003cdiv class=\"psa-code-variant psa-code-variant--light\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo rm -f /var/cache/apt/archives/linux-headers-6.8.0-94_*.deb\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt clean\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt --fix-broken install\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n  \u003cdiv class=\"psa-code-variant psa-code-variant--dark\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo rm -f /var/cache/apt/archives/linux-headers-6.8.0-94_*.deb\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt clean\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt --fix-broken install\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIf this has run successfully you can trigger updates, I had best success with removing obsolete packages beforehand\u003c/p\u003e","title":"ubuntu: general maintenance"},{"content":"Choose the right container Setup In the past i used docker a lot. Since they moved on more to please enterprises I prefer to use podman and podman compose.\nInstall Commands for podman \u0026amp; podman compose bash Copy sudo apt update sudo apt install -y podman podman-compose podman --version podman compose version || podman-compose --version systemctl --user enable --now podman.socket sudo apt update sudo apt install -y podman podman-compose podman --version podman compose version || podman-compose --version systemctl --user enable --now podman.socket Optional: make sure your user has a subuid/subgid range (needed for rootless features)\nbash Copy grep -E \u0026#34;^$USER:\u0026#34; /etc/subuid /etc/subgid || \\ ( echo \u0026#34;$USER:100000:65536\u0026#34; | sudo tee -a /etc/subuid \u0026gt;/dev/null \u0026amp;\u0026amp; \\ echo \u0026#34;$USER:100000:65536\u0026#34; | sudo tee -a /etc/subgid \u0026gt;/dev/null ) grep -E \u0026#34;^$USER:\u0026#34; /etc/subuid /etc/subgid || \\ ( echo \u0026#34;$USER:100000:65536\u0026#34; | sudo tee -a /etc/subuid \u0026gt;/dev/null \u0026amp;\u0026amp; \\ echo \u0026#34;$USER:100000:65536\u0026#34; | sudo tee -a /etc/subgid \u0026gt;/dev/null ) Alias for legacy systems Some systems still use docker (never change a running system). Thats why i created aliases for the commands and do not need to retrain muscle memory 😉\nbash Copy cat \u0026gt;\u0026gt; ~/.bashrc \u0026lt;\u0026lt;\u0026#39;EOF\u0026#39; # Docker muscle-memory -\u0026gt; Podman alias docker=\u0026#39;podman\u0026#39; # Prefer \u0026#34;podman compose\u0026#34; if available; fall back to podman-compose docker-compose() { command podman compose \u0026#34;$@\u0026#34; 2\u0026gt;/dev/null || command podman-compose \u0026#34;$@\u0026#34;; } # Make \u0026#34;docker compose ...\u0026#34; work (docker is aliased to podman, but keep this explicit) alias \u0026#39;docker compose\u0026#39;=\u0026#39;podman compose\u0026#39; EOF source ~/.bashrc cat \u0026gt;\u0026gt; ~/.bashrc \u0026lt;\u0026lt;\u0026#39;EOF\u0026#39; # Docker muscle-memory -\u0026gt; Podman alias docker=\u0026#39;podman\u0026#39; # Prefer \u0026#34;podman compose\u0026#34; if available; fall back to podman-compose docker-compose() { command podman compose \u0026#34;$@\u0026#34; 2\u0026gt;/dev/null || command podman-compose \u0026#34;$@\u0026#34;; } # Make \u0026#34;docker compose ...\u0026#34; work (docker is aliased to podman, but keep this explicit) alias \u0026#39;docker compose\u0026#39;=\u0026#39;podman compose\u0026#39; EOF source ~/.bashrc ","permalink":"https://psalabs.eu/articles/kb/ubuntu-podman-compose/","summary":"\u003ch1 id=\"choose-the-right-container-setup\"\u003eChoose the right container Setup\u003c/h1\u003e\n\u003cp\u003eIn the past i used docker a lot. Since they moved on more to please enterprises I prefer to use podman and podman compose.\u003c/p\u003e\n\u003ch2 id=\"install-commands-for-podman--podman-compose\"\u003eInstall Commands for podman \u0026amp; podman compose\u003c/h2\u003e\n\u003cdiv class=\"psa-codeblock\" data-lang=\"bash\"\u003e\n  \u003cdiv class=\"psa-code-toolbar\" aria-hidden=\"true\"\u003e\n    \u003cdiv class=\"psa-code-toolbar-left\"\u003e\n      \u003cspan class=\"psa-code-dots\" aria-hidden=\"true\"\u003e\n        \u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\u003cspan\u003e\u003c/span\u003e\n      \u003c/span\u003e\n        \u003cspan class=\"psa-code-lang\"\u003ebash\u003c/span\u003e\n    \u003c/div\u003e\n    \u003cbutton type=\"button\" class=\"psa-code-copy\" data-psa-copy-code\u003e\n      Copy\n    \u003c/button\u003e\n  \u003c/div\u003e\n\n  \u003cdiv class=\"psa-code-variant psa-code-variant--light\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#4c4f69;background-color:#eff1f5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install -y podman podman-compose\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epodman --version\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epodman compose version \u003cspan style=\"color:#04a5e5;font-weight:bold\"\u003e||\u003c/span\u003e podman-compose --version\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esystemctl --user \u003cspan style=\"color:#04a5e5\"\u003eenable\u003c/span\u003e --now podman.socket\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n  \u003cdiv class=\"psa-code-variant psa-code-variant--dark\"\u003e\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt update\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install -y podman podman-compose\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epodman --version\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epodman compose version \u003cspan style=\"color:#f92672\"\u003e||\u003c/span\u003e podman-compose --version\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esystemctl --user enable --now podman.socket\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eOptional: make sure your user has a subuid/subgid range (needed for rootless features)\u003c/p\u003e","title":"ubuntu: podman \u0026 podman compose"},{"content":"PSA Labs is a privacy-first, security-minded project. This page sets expectations for how we treat each other and how content is created.\nBe respectful Assume good intent, but be direct and constructive. No harassment, hate speech, doxxing, threats, or personal attacks. Keep discussions focused on the topic and the learning outcome. Privacy-first by default Don’t share personal data (yours or anyone else’s) in comments, issues, or submissions. If you reference logs/screenshots, redact secrets, tokens, email addresses, IPs, and identifiers. If a topic involves exploitation, keep it educational and defensive. No “how to break into X” content. AI usage \u0026amp; transparency AI may be used as a tool to improve clarity and speed up writing, but we do not publish unverified AI output.\nAI labels used on PSA Labs AI Improved (green)\nAI helped with spelling/grammar, clarity, structure, or brainstorming. The core content is human-authored; AI assistance is limited to improvements. The final article is reviewed and edited by a human. AI Generated (Verified) (blue)\nAI produced a significant part of the draft (examples, text, or steps), but: the content was reviewed by a human, commands/steps were tested (where applicable), and the final article was edited to remove ambiguity and “slop”. Generative AI for graphics Some of the visual assets on PSA Labs (for example the mascot “pabu” and the experimental flask) are currently generated with AI. As the project grows, we plan to replace these with human-made assets (commissioned or licensed) where feasible.\nWe aim to handle visuals responsibly:\nWe disclose AI-generated visuals when they are used. We don’t intentionally imitate a specific artist’s recognizable style. We only publish assets we have the rights to use. Photos are credited and linked to their source/licensing where applicable. Screenshots are our own, or treated like photos (with attribution when needed). What we don’t publish Purely AI-generated articles that aren’t reviewed and validated. “Copy-paste” content that looks correct but wasn’t tested. If something looks wrong, unclear, or outdated, please report it so it can be corrected.\n","permalink":"https://psalabs.eu/pages/code-of-conduct/","summary":"\u003cp\u003ePSA Labs is a privacy-first, security-minded project. This page sets expectations for how we treat each other and how content is created.\u003c/p\u003e\n\u003ch2 id=\"be-respectful\"\u003eBe respectful\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAssume good intent, but be direct and constructive.\u003c/li\u003e\n\u003cli\u003eNo harassment, hate speech, doxxing, threats, or personal attacks.\u003c/li\u003e\n\u003cli\u003eKeep discussions focused on the topic and the learning outcome.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"privacy-first-by-default\"\u003ePrivacy-first by default\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDon’t share personal data (yours or anyone else’s) in comments, issues, or submissions.\u003c/li\u003e\n\u003cli\u003eIf you reference logs/screenshots, redact secrets, tokens, email addresses, IPs, and identifiers.\u003c/li\u003e\n\u003cli\u003eIf a topic involves exploitation, keep it educational and defensive. No “how to break into X” content.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ai-usage--transparency\"\u003eAI usage \u0026amp; transparency\u003c/h2\u003e\n\u003cp\u003eAI may be used as a tool to improve clarity and speed up writing, but we do not publish unverified AI output.\u003c/p\u003e","title":"Code of Conduct"},{"content":"If you do anything admin-related on macOS, you know the drill: a random dialog pops up, you type your password, you continue\u0026hellip; and repeat that 20 times a day.\nGUI prompts (System Settings, installers, “needs your password”, \u0026hellip;) can use Touch ID and often Apple Watch confirmation. Terminal sudo can be upgraded to use Touch ID as well (so you don’t have two authentication experiences). Clamshell reality check:\nTouch ID for sudo only works when a Touch ID sensor is available. With the MacBook lid closed, the built-in Touch ID button isn’t usable — you’ll need an external Touch ID keyboard. Apple Watch can approve many GUI prompts, but it won’t replace the password prompt for sudo.\nPrerequisites For Touch ID A Mac with Touch ID or an external keyboard with Touch ID (e.g. Magic Keyboard with Touch ID) A local admin account on the Mac For Apple Watch confirmation (mostly for GUI prompts) An Apple Watch that can unlock your Mac The Watch and the Mac signed into the same Apple ID (with 2FA enabled) Bluetooth + Wi‑Fi enabled on the Mac The Watch has a passcode and is unlocked on your wrist If your MacBook lid is closed (clamshell mode) External display + power connected External keyboard + mouse/trackpad If you want Touch ID for sudo: an external keyboard with Touch ID Step 1: Turn on Touch ID / Apple Watch unlock Open: System Settings → Touch ID \u0026amp; Password\nThen enable what you want:\nTouch ID: add at least one fingerprint Apple Watch: enable “Use Apple Watch to unlock your Mac” (wording may vary slightly) From now on, many system dialogs will already offer Touch ID / Apple Watch instead of asking for your password.\nStep 2: Make sudo use Touch ID By default, Terminal still wants your password for sudo. To align sudo with the rest of your Mac, enable the built-in PAM module pam_tid.so.\nIf you’re using your MacBook in clamshell mode: this only works with an external Touch ID keyboard (otherwise sudo will keep asking for your password).\nRun this once:\nbash Copy sudo sh -c \u0026#39;grep -q \u0026#34;pam_tid\\\\.so\u0026#34; /etc/pam.d/sudo || (cp /etc/pam.d/sudo /etc/pam.d/sudo.bak \u0026amp;\u0026amp; sed -i \u0026#34;\u0026#34; \u0026#34;1s/^/auth sufficient pam_tid.so\\\\n/\u0026#34; /etc/pam.d/sudo)\u0026#39; sudo sh -c \u0026#39;grep -q \u0026#34;pam_tid\\\\.so\u0026#34; /etc/pam.d/sudo || (cp /etc/pam.d/sudo /etc/pam.d/sudo.bak \u0026amp;\u0026amp; sed -i \u0026#34;\u0026#34; \u0026#34;1s/^/auth sufficient pam_tid.so\\\\n/\u0026#34; /etc/pam.d/sudo)\u0026#39; Test it:\nbash Copy sudo -v sudo -v You should get a Touch ID prompt instead of a password prompt like this: Considerations / Notes Important\nThis affects sudo in local Terminal sessions. Over SSH, you’ll still need a password (Touch ID can’t be forwarded). In clamshell mode, Touch ID only works if your keyboard has a Touch ID sensor. Otherwise you’ll mostly rely on Apple Watch for GUI prompts. Apple Watch confirmation is supported for many macOS dialogs, but it does not replace the password prompt for sudo out of the box. Major macOS updates can overwrite /etc/pam.d/sudo. If Touch ID suddenly stops working for sudo, re-run the one-liner. Security tradeoff: anyone who can authenticate as you (Touch ID) while you’re logged in can run sudo. If that’s not acceptable for your threat model, skip this tweak. Rollback / Undo If you want the original behavior back just run this command:\nbash Copy sudo mv /etc/pam.d/sudo.bak /etc/pam.d/sudo sudo mv /etc/pam.d/sudo.bak /etc/pam.d/sudo ","permalink":"https://psalabs.eu/articles/2026/01/macos-seamless-authentication/","summary":"\u003cp\u003eIf you do anything admin-related on macOS, you know the drill:\na random dialog pops up, you type your password, you continue\u0026hellip; and repeat that 20 times a day.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGUI prompts (System Settings, installers, “needs your password”, \u0026hellip;) can use Touch ID and often Apple Watch confirmation.\u003c/li\u003e\n\u003cli\u003eTerminal \u003ccode\u003esudo\u003c/code\u003e can be upgraded to use Touch ID as well (so you don’t have \u003cem\u003etwo\u003c/em\u003e authentication experiences).\u003c/li\u003e\n\u003c/ul\u003e\n\n\n    \u003cblockquote class=\"alert alert-note\"\u003e\n        \u003cp class=\"alert-title\"\u003eClamshell reality check:\u003c/p\u003e\n        \u003cp\u003eTouch ID for \u003ccode\u003esudo\u003c/code\u003e only works when a Touch ID sensor is available. With the MacBook lid closed, the built-in Touch ID button isn’t usable — you’ll need an external Touch ID keyboard. Apple Watch can approve many GUI prompts, but it won’t replace the password prompt for \u003ccode\u003esudo\u003c/code\u003e.\u003c/p\u003e","title":"macOS seamless authentication"},{"content":"English version: Legal Notice (EN)\nAngaben gemäß § 5 TMG [Name / Firma] [Rechtsform, falls zutreffend] [Straße + Hausnummer] [PLZ Ort] [Land]\nKontakt E-Mail: [E-Mail-Adresse] Telefon: [Telefonnummer] (optional) Vertretungsberechtigte Person(en) [Geschäftsführer:in / Inhaber:in / Vertretungsberechtigte:r] (falls zutreffend)\nRegistereintrag (falls zutreffend) Registergericht: [Registergericht] Registernummer: [HRB/HRA/etc.] Umsatzsteuer-ID (falls zutreffend) Umsatzsteuer-Identifikationsnummer gemäß § 27a UStG: [USt-IdNr.]\nVerantwortlich i.S.d. § 18 Abs. 2 MStV [Name der verantwortlichen Person] [Anschrift]\nDatenschutz / Privacy Informationen zum Datenschutz und zur Website-Analyse findest du in unserer Privacy Policy. Wir verwenden Simple Analytics für eine datenschutzfreundliche Website-Analyse (wird nur nach Einwilligung geladen).\nHinweis zur Richtigkeit / keine Beratung Wir erstellen unsere Inhalte mit Sorgfalt und bemühen uns um Aktualität und Richtigkeit. Dennoch können sich Informationen ändern oder Fehler auftreten. Alle Inhalte auf dieser Website dienen ausschließlich der allgemeinen Information und Bildung und stellen keine Rechtsberatung, technische Beratung, Sicherheitsberatung oder sonstige professionelle Beratung dar.\nWir übernehmen keine Gewähr für Vollständigkeit, Richtigkeit oder Eignung für einen bestimmten Zweck. Die Nutzung der Inhalte erfolgt auf eigene Verantwortung; prüfe Schritte stets in deiner eigenen Umgebung.\nHaftung für Inhalte Als Diensteanbieter sind wir gemäß § 7 Abs. 1 TMG für eigene Inhalte auf diesen Seiten nach den allgemeinen Gesetzen verantwortlich. Nach §§ 8 bis 10 TMG sind wir als Diensteanbieter jedoch nicht verpflichtet, übermittelte oder gespeicherte fremde Informationen zu überwachen oder nach Umständen zu forschen, die auf eine rechtswidrige Tätigkeit hinweisen. Verpflichtungen zur Entfernung oder Sperrung der Nutzung von Informationen nach den allgemeinen Gesetzen bleiben hiervon unberührt. Eine diesbezügliche Haftung ist jedoch erst ab dem Zeitpunkt der Kenntnis einer konkreten Rechtsverletzung möglich. Bei Bekanntwerden von entsprechenden Rechtsverletzungen werden wir diese Inhalte umgehend entfernen.\nHaftung für Links Unser Angebot enthält Links zu externen Websites Dritter, auf deren Inhalte wir keinen Einfluss haben. Deshalb können wir für diese fremden Inhalte auch keine Gewähr übernehmen. Für die Inhalte der verlinkten Seiten ist stets der jeweilige Anbieter oder Betreiber der Seiten verantwortlich. Die verlinkten Seiten wurden zum Zeitpunkt der Verlinkung auf mögliche Rechtsverstöße überprüft. Rechtswidrige Inhalte waren zum Zeitpunkt der Verlinkung nicht erkennbar. Eine permanente inhaltliche Kontrolle der verlinkten Seiten ist jedoch ohne konkrete Anhaltspunkte einer Rechtsverletzung nicht zumutbar. Bei Bekanntwerden von Rechtsverletzungen werden wir derartige Links umgehend entfernen.\nUrheberrecht Die durch die Seitenbetreiber erstellten Inhalte und Werke auf diesen Seiten unterliegen dem deutschen Urheberrecht. Beiträge Dritter sind als solche gekennzeichnet. Die Vervielfältigung, Bearbeitung, Verbreitung und jede Art der Verwertung außerhalb der Grenzen des Urheberrechtes bedürfen der schriftlichen Zustimmung des jeweiligen Autors bzw. Erstellers.\nStreitbeilegung / Verbraucherstreitbeilegung Die Europäische Kommission stellt eine Plattform zur Online-Streitbeilegung (OS) bereit: https://ec.europa.eu/consumers/odr/\nWir sind nicht verpflichtet und nicht bereit, an Streitbeilegungsverfahren vor einer Verbraucherschlichtungsstelle teilzunehmen, sofern nicht anders angegeben.\n","permalink":"https://psalabs.eu/pages/impressum/","summary":"\u003cp\u003eEnglish version: \u003ca href=\"/pages/legal/\"\n   class=\"psa-brand-purple-highlight\"\u003eLegal Notice (EN)\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"angaben-gemäß--5-tmg\"\u003eAngaben gemäß § 5 TMG\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003e[Name / Firma]\u003c/strong\u003e\n\u003cstrong\u003e[Rechtsform, falls zutreffend]\u003c/strong\u003e\n\u003cstrong\u003e[Straße + Hausnummer]\u003c/strong\u003e\n\u003cstrong\u003e[PLZ Ort]\u003c/strong\u003e\n\u003cstrong\u003e[Land]\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"kontakt\"\u003eKontakt\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eE-Mail: \u003cstrong\u003e[E-Mail-Adresse]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eTelefon: \u003cstrong\u003e[Telefonnummer]\u003c/strong\u003e (optional)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"vertretungsberechtigte-personen\"\u003eVertretungsberechtigte Person(en)\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003e[Geschäftsführer:in / Inhaber:in / Vertretungsberechtigte:r]\u003c/strong\u003e (falls zutreffend)\u003c/p\u003e\n\u003ch2 id=\"registereintrag-falls-zutreffend\"\u003eRegistereintrag (falls zutreffend)\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRegistergericht: \u003cstrong\u003e[Registergericht]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eRegisternummer: \u003cstrong\u003e[HRB/HRA/etc.]\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"umsatzsteuer-id-falls-zutreffend\"\u003eUmsatzsteuer-ID (falls zutreffend)\u003c/h2\u003e\n\u003cp\u003eUmsatzsteuer-Identifikationsnummer gemäß § 27a UStG: \u003cstrong\u003e[USt-IdNr.]\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"verantwortlich-isd--18-abs-2-mstv\"\u003eVerantwortlich i.S.d. § 18 Abs. 2 MStV\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003e[Name der verantwortlichen Person]\u003c/strong\u003e\n\u003cstrong\u003e[Anschrift]\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"datenschutz--privacy\"\u003eDatenschutz / Privacy\u003c/h2\u003e\n\u003cp\u003eInformationen zum Datenschutz und zur Website-Analyse findest du in unserer \u003ca href=\"/pages/privacy/\"\n   class=\"psa-brand-purple-highlight\"\u003ePrivacy Policy\u003c/a\u003e.\nWir verwenden Simple Analytics für eine datenschutzfreundliche Website-Analyse (wird nur nach Einwilligung geladen).\u003c/p\u003e","title":"Impressum"},{"content":"German version: Impressum\nProvider information (Sec. 5 TMG) [Name / Company] [Legal form, if applicable] [Street + No.] [Postal code, City] [Country] Contact E-mail: [E-mail address] Phone: [Phone number] (optional) Authorized representative(s) [Managing director / owner / authorized representative] (if applicable)\nCompany register (if applicable) Register court: [Register court] Register number: [Register number] VAT ID (if applicable) VAT identification number according to Sec. 27a UStG: [VAT ID]\nResponsible for content (Sec. 18(2) MStV) [Responsible person’s name] [Address]* Data protection / privacy Information about data protection and website analytics can be found in our Privacy Policy. We use Simple Analytics for privacy-friendly website analytics (loaded only after consent).\nAccuracy of information / no professional advice We create our articles with care and aim to keep them accurate and up to date. However, security and technology change quickly and mistakes can happen. All content on this site is provided for general informational and educational purposes only and does not constitute legal, technical, security, or other professional advice.\nWe do not guarantee completeness, correctness, or suitability for any particular purpose. Use the information at your own risk and validate steps in your own environment.\nLiability for content As a service provider, we are responsible for our own content on these pages under general laws (Sec. 7(1) TMG). However, under Secs. 8 to 10 TMG, we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances indicating illegal activity. Obligations to remove or block the use of information under general laws remain unaffected. Liability in this respect is only possible from the time we become aware of a specific infringement. If we become aware of such infringements, we will remove the content immediately.\nLiability for links Our website contains links to external third-party websites over whose content we have no control. Therefore, we cannot assume any liability for this external content. The respective provider or operator is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking; illegal content was not apparent at that time. Permanent monitoring of the content of the linked pages is not reasonable without specific indications of an infringement. If we become aware of legal violations, we will remove such links immediately.\nCopyright The content and works created by the site operator on these pages are subject to German copyright law. Third-party contributions are marked as such. Reproduction, processing, distribution, and any kind of use outside the limits of copyright law require the written consent of the respective author or creator.\nDispute resolution / consumer dispute resolution The European Commission provides a platform for online dispute resolution (ODR): https://ec.europa.eu/consumers/odr/\nWe are not willing or obliged to participate in dispute resolution proceedings before a consumer arbitration board unless otherwise stated.\n","permalink":"https://psalabs.eu/pages/legal/","summary":"\u003cp\u003eGerman version: \u003ca href=\"/pages/impressum/\"\n   class=\"psa-brand-purple-highlight\"\u003eImpressum\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"provider-information-sec-5-tmg\"\u003eProvider information (Sec. 5 TMG)\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e[Name / Company]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e[Legal form, if applicable]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e[Street + No.]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e[Postal code, City]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e[Country]\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"contact\"\u003eContact\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eE-mail: \u003cstrong\u003e[E-mail address]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003ePhone: \u003cstrong\u003e[Phone number]\u003c/strong\u003e (optional)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"authorized-representatives\"\u003eAuthorized representative(s)\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003e[Managing director / owner / authorized representative]\u003c/strong\u003e (if applicable)\u003c/p\u003e\n\u003ch2 id=\"company-register-if-applicable\"\u003eCompany register (if applicable)\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRegister court: \u003cstrong\u003e[Register court]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eRegister number: \u003cstrong\u003e[Register number]\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"vat-id-if-applicable\"\u003eVAT ID (if applicable)\u003c/h2\u003e\n\u003cp\u003eVAT identification number according to Sec. 27a UStG: \u003cstrong\u003e[VAT ID]\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"responsible-for-content-sec-182-mstv\"\u003eResponsible for content (Sec. 18(2) MStV)\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e[Responsible person’s name]\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003e\u003cem\u003e[Address]\u003c/em\u003e*\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"data-protection--privacy\"\u003eData protection / privacy\u003c/h2\u003e\n\u003cp\u003eInformation about data protection and website analytics can be found in our \u003ca href=\"/pages/privacy/\"\n   class=\"psa-brand-purple-highlight\"\u003ePrivacy Policy\u003c/a\u003e.\nWe use Simple Analytics for privacy-friendly website analytics (loaded only after consent).\u003c/p\u003e","title":"Legal Notice"},{"content":"This privacy policy explains how we process personal data when you use psalabs.eu.~~~~\n1. Controller (data protection contact) Controller within the meaning of Art. 4(7) GDPR:\n[Name / Company] [Street + No.] [Postal code, City] [Country]\nE-mail: [E-mail address] Website: https://psalabs.eu\n2. Scope This privacy policy explains how we process personal data when you:\nvisit this website, contact us (e.g., by e-mail), follow external links (e.g., to GitHub or YouTube), and, if applicable in the future, interact with ads or tracking that we may add later. We follow a privacy-first approach and, for the site itself, avoid third-party assets by default. See also: External Sources \u0026amp; Licenses.\n3. Hosting (GitHub Pages) This website is hosted on GitHub Pages (GitHub, Inc.). When you access our site, GitHub may process technical data required to deliver the website, such as:\nIP address date/time of request requested URL / path user agent (browser and device info) referrer URL (if provided) Purpose: delivery, stability, and security of the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable website operation).\nGitHub’s privacy policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement\n4. Content delivery \u0026amp; security (Cloudflare) We use Cloudflare as a reverse proxy / CDN in front of psalabs.eu to improve performance and protect the website (e.g., against abuse). When you access our site, Cloudflare may process technical data such as:\nIP address date/time of request requested URL / path request headers (e.g., user agent) referrer URL (if provided) Purpose: performance, reliability, and security (e.g., DDoS protection). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient website operation).\nCloudflare may set cookies in connection with security features (for example, when a security challenge is required). If this happens, these cookies are used for security and not for advertising tracking.\nCloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/\n5. Server log files As a static website, we do not operate our own server-side application. However, our hosting provider (GitHub Pages) and our CDN / security provider (Cloudflare) may create server log files (see sections 3 and 4).\nRetention: controlled by GitHub. We do not receive or manage raw server logs unless GitHub makes them available to us.\n6. Cookies and local storage At the time of writing, we do not intentionally set tracking cookies.\nThis site’s theme may use local storage for UI convenience features (for example, menu scroll position). This data remains in your browser and is not transmitted to us.\nWe also store your theme preference in your browser’s local storage so your choice persists across visits. This is stored under the key pref-color with a value of system, light, or dark.\nIf you make a choice in our analytics consent banner, we store your decision so we can remember it:\nLocal storage: psa_analytics_consent (granted / denied) Cookie: psa_analytics_consent (granted / denied, max 180 days) This is used only to store your preference and is not used for cross-site tracking.\n7. Contacting us If you contact us via e-mail, we process the information you provide (e.g., your e-mail address and message content) to respond.\nPurpose: communication and handling your request. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps / contract) and/or Art. 6(1)(f) GDPR (legitimate interest in communication). Retention: until the request is resolved; longer if legal retention obligations apply.\n8. Embedded content \u0026amp; external links (GitHub, YouTube) Our pages may contain links to external sites (e.g., GitHub, YouTube). When you click such a link, you leave our website. The external provider may process personal data according to their own privacy policies.\nWe do not control how these external providers process data.\n9. Ads and tracking (planned) We currently use a privacy-friendly analytics solution (see section 9.1). We may add advertising and/or additional analytics/tracking in the future. If we do, we will:\nupdate this privacy policy, document the vendors and purposes, and, where legally required, request consent before loading non-essential scripts. 9.1 Analytics (Simple Analytics) We use Simple Analytics to understand overall usage of our website (e.g., which pages are visited).\nWe only load analytics after you opt in via the on-site consent banner.\nProvider: Simple Analytics B.V. (Netherlands) Purpose: website analytics and improvement Legal basis: Art. 6(1)(a) GDPR (consent)\nAccording to Simple Analytics, it is designed to work without tracking cookies and without collecting directly identifying personal data. For details, please refer to Simple Analytics’ documentation and privacy policy:\nhttps://simpleanalytics.com/privacy Analytics preferences You can change your analytics preference at any time:\nAllow analytics Disable analytics Ask me again Do Not Track (DNT) Simple Analytics respects your browser’s Do Not Track (DNT) setting. If you have DNT enabled, our analytics provider will not count your visits.\nTo help us understand what content is useful (and support PSA Labs, including through ads/sponsors), we may show a small on-site notice asking you to consider disabling DNT for this website. If you dismiss that notice, we store a “dismissed” flag in your browser’s local storage so it won’t keep showing.\n10. Your rights under the GDPR If the GDPR applies, you have the right to:\naccess (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), object to processing (Art. 21 GDPR), withdraw consent at any time (Art. 7(3) GDPR), if processing is based on consent. 11. Right to lodge a complaint You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).\nGermany: list of supervisory authorities: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html\n12. Updates to this policy We may update this privacy policy to reflect changes in our site, features, or legal requirements.\n","permalink":"https://psalabs.eu/pages/privacy/","summary":"\u003cp\u003eThis privacy policy explains how we process personal data when you use \u003cstrong\u003epsalabs.eu\u003c/strong\u003e.~~~~\u003c/p\u003e\n\u003ch2 id=\"1-controller-data-protection-contact\"\u003e1. Controller (data protection contact)\u003c/h2\u003e\n\u003cp\u003eController within the meaning of Art. 4(7) GDPR:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e[Name / Company]\u003c/strong\u003e\n\u003cstrong\u003e[Street + No.]\u003c/strong\u003e\n\u003cstrong\u003e[Postal code, City]\u003c/strong\u003e\n\u003cstrong\u003e[Country]\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eE-mail: \u003cstrong\u003e[E-mail address]\u003c/strong\u003e\nWebsite: \u003ca href=\"https://psalabs.eu\"\n   class=\"psa-brand-purple-highlight\"\u003ehttps://psalabs.eu\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"2-scope\"\u003e2. Scope\u003c/h2\u003e\n\u003cp\u003eThis privacy policy explains how we process personal data when you:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003evisit this website,\u003c/li\u003e\n\u003cli\u003econtact us (e.g., by e-mail),\u003c/li\u003e\n\u003cli\u003efollow external links (e.g., to GitHub or YouTube),\u003c/li\u003e\n\u003cli\u003eand, if applicable in the future, interact with ads or tracking that we may add later.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eWe follow a \u003cstrong\u003eprivacy-first\u003c/strong\u003e approach and, for the site itself, avoid third-party assets by default.\nSee also: \u003ca href=\"/pages/external-sources/\"\n   class=\"psa-brand-purple-highlight\"\u003eExternal Sources \u0026amp; Licenses\u003c/a\u003e.\u003c/p\u003e","title":"Privacy Policy"},{"content":"Security is for everyone In 2026, the digital world is connected more than ever. Everybody has a computer; they are just not the traditional computer anymore.\nYes, your smartphone on which you are currently reading this counts as a computer. Maybe in a more stretched way, but still, your device computes.\nYou doomscroll on it, communicate with friends and family over it, and you do your daily business with it.\nSecurity is not just that annoying thing big corpo wants you to follow, it\u0026rsquo;s more than this.\nSecurity is not about being paranoid. It\u0026rsquo;s about reducing risk with small habits, so one bad day doesn\u0026rsquo;t turn into a disaster.\n\u0026ldquo;I have nothing to hide!\u0026rdquo; That\u0026rsquo;s the catchphrase a lot of people use when we try to teach them about Cyber Security at Work.\nWell, I think times have changed.\nGetting hacked doesn\u0026rsquo;t mean someone reads your diary. It usually means: account takeover, money gone, identity used, or your data sold in a bundle.\nMost attacks are boring and automated. You\u0026rsquo;re not \u0026ldquo;targeted\u0026rdquo;, you\u0026rsquo;re just \u0026ldquo;available\u0026rdquo;.\nYou don\u0026rsquo;t run around with your deepest beliefs on a hat or t-shirt. Well, this one is rhetorical. But the following questions are not:\nThe question is, would you also print your current balance on a shirt? Would you tell your whole friend group what your favourite categories are on TheHub? Would you share your credit card details with a moose online? If you answered 2/3 with \u0026ldquo;HELL NO\u0026rdquo;, here are some ideas to stay more secure and private online.\nQuick reality check:\nWhat do you want to protect (money, accounts, photos)? From who (random bots, scammers, exes, coworkers)? And how much inconvenience can you tolerate? That\u0026rsquo;s your security level.\nBasic Principles of staying secure online The No-Money required options Do not share personal information online Name Last Name Address Phone Number Photos with Location Data (alt. EXIF) Photos of you or your loved ones Especially photos of minors Use different passwords for each service When data breaches occur and your e-mail and password get public, you want to have different passwords for each account. Once data is out there you won\u0026rsquo;t get it back. Never reuse a password for critical applications. Banking and PayPal should not share the same password. Once a combination is out there, you are out of luck. Monitor your e-mail address for data leaks. One of the biggest platforms that offer a free service is https://haveibeenpwned.com/ Use different e-mail addresses Separate your gaming, banking, government, health data Many e-mail providers nowadays have the option for \u0026ldquo;plus addressing\u0026rdquo; This means your e-mail for example looks like \u0026ldquo;my.name@mail.com\u0026rdquo;; to create a plus address you simply can add \u0026ldquo;my.name+service9876@mail.com\u0026rdquo; This allows you to still have one inbox, but the e-mail \u0026amp; password combination will never be 100% the same for each service. While this is not the most secure way, there are some services out there that cost money that can make it more secure. Use MFA or Multi-Factor Authentication Get an MFA application and set it up. SMS tokens are very weak, especially in countries where SIM-swapping attacks are common (US as a prime example) Free options: Microsoft Authenticator, Authy, Google Authenticator, Yubico Authenticator. These are a great start. Make sure when setting them up, also screenshot the QR codes and store them to an external device like a USB stick that you store securely at home or other secure locations. Secure the device itself Updates on Screen lock on Find-My-Device enabled Full disk encryption (usually on by default, but check) Use Passkeys when possible If a service offers passkeys, use them. They’re harder to phish than passwords and often smoother than MFA. Recovery is part of Security If you lose your phone and your MFA lives on it… you’re cooked. Store recovery codes offline. Have at least 2 ways back into your most important accounts. The #1 Attack: Phishing (and it still works) If it’s urgent, it’s probably a scam. Don’t click login links. Open the website yourself. Check the sender address, not just the name. If someone asks for a code: it’s a scam. Always. The 15-minute Starter Kit (do this today) Update your phone + apps (yes, right now). Turn on screen lock + auto lock. Enable MFA on your main e-mail account. Change your e-mail password to something long and unique. Save recovery codes somewhere offline (paper beats screenshots here). The Small Investment options Everything from above still applies to these options, they often have a better security score but mostly they have more comfort features.\nComfort features are not just \u0026ldquo;nice\u0026rdquo;. They reduce mistakes. And most security failures are human mistakes.\nPassword Manager\nDo not use your browser\u0026rsquo;s password manager They often lack security. They might work okay for a start but anyone that has access to your device can export them easily. Suggestions for Password Managers If you\u0026rsquo;re an Apple user, you can use the on-device Password App. Nowadays the usability is much better than before. Bitwarden - Self-Hosted or the Single-User for $10/year is one of the best password managers right now for the price you pay ProtonPass - Free Tier, if you want Account Monitoring, Privacy E-Mail and a good VPN you might want to look into the Proton Unlimited Tier. If you go for the full bundle, keep in mind, 1 password to ALL your Personal Life. I personally would split at least the password manager into another Service. Keeper - State of the Art Security. On-device encryption, easy time-based password sharing, that\u0026rsquo;s the Password Manager for you. Privacy E-Mail Providers\nProtonMail - Overall Best in Class, they offer a free tier to get you started with up to 1GB. Plus addressing is also working here. If you want to go to the max with plus addressing and privacy I would recommend SimpleLogin as an Add-On Service. SimpleLogin works with every mail provider btw. so even if you do not want to let Gmail go, you still can get a more privacy-focused mailbox with them. I would say you start a new mailbox anyway, so your old accounts, newsletters etc. do not flush into your new privacy-focused mail journey. Mailbox.org - Integrated cloud storage and document editing, German-based servers, eco friendly Runbox.com - Norwegian-based Servers, custom domains, eco friendly MFA the Endgame\nImportant\nHardware tokens are one of the best ways to make sure it is actually you that wants access to YOUR Account and Data.\nThey are little USB sticks that have built-in secure storage to store your MFA Tokens, Certificates and Passkeys. I always recommend to get at least two of those tokens. One is your daily driver you may attach to your keychain and the other is stored securely at home.\nThe only tricky thing is, that when setting up a new MFA Account you need to configure both at the same time OR you store the information (the QR Code or Phrase) on a USB Device (encrypted SSDs, SanDisks Extreme Portable Devices come to mind with built-in Encryption) and add the accounts later to the second token.\nYubico Yubikey 5c NFC - Hardware Tokens. Yes, the best way to ensure that only you have access to your most valuable accounts is a Hardware Token. Yubikeys are the most recognizable ones. Google Titan Security Key - A Hardware Token by Google. Yep, while Google still big bad corpo, hardware tokens are simply just that. They do not send your data across the pond and work like you want to. Feitian FIDO Tokens - Another reputable Token Vendor. There are many more ways to increase your security and privacy.\nThis will probably become a series, so come back later for more.\n","permalink":"https://psalabs.eu/articles/2026/01/why-you-should-care-about-security/","summary":"\u003ch2 id=\"security-is-for-everyone\"\u003eSecurity is for everyone\u003c/h2\u003e\n\u003cp\u003eIn 2026, the digital world is connected more than ever.\nEverybody has a computer; they are just not the traditional computer anymore.\u003c/p\u003e\n\u003cp\u003eYes, your smartphone on which you are currently reading this counts as a computer.\nMaybe in a more stretched way, but still, your device computes.\u003c/p\u003e\n\u003cp\u003eYou doomscroll on it, communicate with friends and family over it, and you do your daily business with it.\u003c/p\u003e","title":"Why you should care about IT-Security"},{"content":" Welcome to my Blog. I\u0026rsquo;m Pabu and this is my first public project to track everything that is relevant for my Job as a IT Security Analyst, Homelabber and Tech Inthusiast.\nIn the past I spent 10 Years as an IT System Administrator. I can\u0026rsquo;t stop tinkering with IT Infrastructure that\u0026rsquo;s why my Homelab is still my offside project.\nInspired from YouTubers like NetworkChuck, David Bombal and Christian Lempa I want to contribute to this world of cyber and tech.\nSo this is my starting Point, a small Blog where I documennt relevant topics for everybody interessted in it or whoverer owns a phone 😉 (LOOKING @ YOU BLIZZARD).\n","permalink":"https://psalabs.eu/pages/about/","summary":"\u003cfigure class=\"psa-avatar psa-avatar--plain\"\u003e\n  \u003cimg\n    class=\"psa-avatar-img\"\n    src=\"/img/psa-labs-logo.png\"\n    alt=\"PSA Labs logo\"\n    loading=\"lazy\"\n    decoding=\"async\"\n  \u003e\n\u003c/figure\u003e\n\n\u003cp\u003eWelcome to my Blog. I\u0026rsquo;m Pabu and this is my first public project to track everything that is relevant for my Job as a IT Security Analyst, Homelabber and Tech Inthusiast.\u003c/p\u003e\n\u003cp\u003eIn the past I spent 10 Years as an IT System Administrator. I can\u0026rsquo;t stop tinkering with IT Infrastructure that\u0026rsquo;s why my Homelab is still my offside project.\u003c/p\u003e\n\u003cp\u003eInspired from YouTubers like NetworkChuck, David Bombal and Christian Lempa I want to contribute to this world of cyber and tech.\u003c/p\u003e","title":"About"},{"content":"This page lists third‑party components used by this website and links to their license texts.\nPhotography Pexels — Pexels License License: https://www.pexels.com/license/ Notes: Individual photo credits are shown on the relevant article pages. Fonts JetBrains Mono — OFL 1.1 License: /licenses/jetbrains-mono-OFL.txt IBM Plex Sans — OFL 1.1 License: /licenses/ibm-plex-sans-OFL.txt IBM Plex Mono — OFL 1.1 License: /licenses/ibm-plex-mono-OFL.txt Icons Tabler Icons — MIT License: /licenses/tabler-icons-LICENSE.txt Theme Hugo Neso theme — MIT License: /licenses/hugo-neso-LICENSE.txt Notes: PSA Labs theme derives from the Hugo Neso base. Tooling (build-time) Hugo — Apache-2.0 License: /licenses/hugo-LICENSE.txt Tailwind CSS — MIT License: /licenses/tailwindcss-LICENSE.txt Fuse.js — Apache-2.0 License: /licenses/fusejs-LICENSE.txt ","permalink":"https://psalabs.eu/pages/external-sources/","summary":"\u003cp\u003eThis page lists third‑party components used by this website and links to their license texts.\u003c/p\u003e\n\u003ch2 id=\"photography\"\u003ePhotography\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePexels — Pexels License\nLicense: \u003ca href=\"https://www.pexels.com/license/\"\n   class=\"psa-brand-purple-highlight\"\u003ehttps://www.pexels.com/license/\u003c/a\u003e\nNotes: Individual photo credits are shown on the relevant article pages.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"fonts\"\u003eFonts\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eJetBrains Mono — OFL 1.1\nLicense: \u003ca href=\"/licenses/jetbrains-mono-OFL.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/jetbrains-mono-OFL.txt\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIBM Plex Sans — OFL 1.1\nLicense: \u003ca href=\"/licenses/ibm-plex-sans-OFL.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/ibm-plex-sans-OFL.txt\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIBM Plex Mono — OFL 1.1\nLicense: \u003ca href=\"/licenses/ibm-plex-mono-OFL.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/ibm-plex-mono-OFL.txt\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"icons\"\u003eIcons\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eTabler Icons — MIT\nLicense: \u003ca href=\"/licenses/tabler-icons-LICENSE.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/tabler-icons-LICENSE.txt\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"theme\"\u003eTheme\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHugo Neso theme — MIT\nLicense: \u003ca href=\"/licenses/hugo-neso-LICENSE.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/hugo-neso-LICENSE.txt\u003c/a\u003e\nNotes: PSA Labs theme derives from the Hugo Neso base.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tooling-build-time\"\u003eTooling (build-time)\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHugo — Apache-2.0\nLicense: \u003ca href=\"/licenses/hugo-LICENSE.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/hugo-LICENSE.txt\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eTailwind CSS — MIT\nLicense: \u003ca href=\"/licenses/tailwindcss-LICENSE.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/tailwindcss-LICENSE.txt\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFuse.js — Apache-2.0\nLicense: \u003ca href=\"/licenses/fusejs-LICENSE.txt\"\n   class=\"psa-brand-purple-highlight\"\u003e/licenses/fusejs-LICENSE.txt\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e","title":"External Sources \u0026 Licenses"}]