Introduction

Modern households often face the same threats as businesses, albeit without a dedicated IT support team. Families across the UK have voiced their concerns for cyberbullying, privacy, security and digital threats. ^[1] Despite this rise in cyber security awareness and a desire for a solid domestic framework, there remains little in terms of a consistent framework for a domestic self-hosted server addressing household security needs. ^[2]

Post-COVID

In a post-COVID world, individuals have shown that the security attitudes they deploy in a professional environment are not often brought into the home. ^[3] Suspicious emails do not get reported as often and VPNs aren’t enabled as much.

The failures of ‘Big Tech’

Modern tech giants have repeatedly demonstrated flaws in their data security. SAP’s AI infrastructure was found responsible for exposing sensitive data potentially allowing attackers to gain access to customer data, a vulnerability within NVIDIA’s AI containerisation framework could have allowed attackers to escape a container and gain full access to the host system and Microsoft recently accidentally exposed 38TB of private data, including passwords. This has created massive mistrust between the general public and these corporations with only 40% of the general British public viewing big tech companies as trustworthy.

AI

The move away from cloud infrastructure is also fueled by mistrust of the administrators especially given recent accusations made against big data companies. LinkedIn (owned by Microsoft) was sued in a US federal court by LinkedIn Premium customers, alleging private InMail messages and customer info were disclosed to third parties for AI training without consent, although the plaintiffs later dismissed the case. ^[4] A group of authors have filed a lawsuit against Microsoft alleging around 200,000 pirated books were used to train an AI model, demonstrating corporate use of large copyrighted data sets in training. Nvidia were even caught contacting Anna’s Archive (a shadow library) for access to millions of torrented books for AI training. ^[5]

Self-hosting

When commercial cloud corporations have repeatedly demonstrated an inability to keep customer data secure and private , some individuals have turned to designing, deploying and maintaining this infrastructure themselves. ‘Self-hosting’ is the practice of building, running and maintaining a server, service or website using a private server as opposed to using a service where total control is out of the user’s hands. For example, instead of storing photos on iCloud or Google Photos, a self-hoster would use an open-source image and video management program like ‘Immich’ for example. Self-hosters typically run these services on a DIY server called a ‘homelab’. Physically, these devices range from old laptops to Enterprise hardware and can run anything from a virtual machine to a household’s networking infrastructure.

‘Spirit of the Internet’

A major proponent of the push to return to a decentralised Internet is Tim Berners-Lee, its creator. He stated that “the ‘traditional model’ (referring to handing data over to companies in exchange for services) has not been in our best interests”. ^[6] In response, he has begun work on ‘Solid’, a framework for storing and distributing private data. The idea is that users host their own ‘pods’, repositories of personal data, letting them decide who can and cannot access their personal data. ^[7] He has described his current efforts with Solid as part of a “battle for the soul of the web”, a fight to reclaim the web’s original spirit of openness, collaboration and individual control.

Problems with self-hosting

On the other hand, self-hosters face their own issues. As the system grows older, small mistakes in configurations such as forwarded ports, firewall rules and user access control lead to compounding problems. Given that SentinelOne found 82% of cloud misconfigurations are caused by human mistakes as opposed to software errors, some users may question if it is worth taking back responsibility for their digital security.

Approach

To assess the security and privacy capabilities of a homelab, using research gathered from self-hosters, an example machine will be designed and built. To complete the assessment, a security assessment will be conducted on the device. Given that the goal of a homelab is to maintain the availability of the service without the privacy concerns of a cloud solution for example, a homelab that is easy to construct and maintain, particularly to a user without extensive computer science experience will likely be the most viable solution. With this in mind, it may be worth considering a ‘declarative’ deployment strategy. Literature review

Literature Review

Current research

The paper “To Cloud or Not to Cloud” is a qualitative study into the mindset of a self-hoster. It says “there is no directly related work on self-hosting security practices” and that a significant portion of self-hosters approach security without structure. ^[2] The study found heavy usage of cyber-security related terminology without understanding the ‘how’ and ‘why’ of the terminology. If a proportion of self-hosters do not have an actual threat model plan, segmentation would assist. Instead of planning for each specific threat, a secure home server could instead assume zero trust and place each service within a container and its own ‘VLAN’ with the intention of denying an attacker’s lateral-movement. This study also justifies the use of ‘declarative programming’ given that if the design of the entire system was pre-configured, users aren’t overwhelmed by complexity of network security.

Working from Home

The 2020 COVID Pandemic brought a rapid shift to ‘work from home’ (WFH) via shifts to laptops, VPNs and conference applications like Zoom and Microsoft Teams. “Cybersecurity in Working from Home: An Exploratory Study” by Bispham, Creese, Dutton, Esteve-González, and Goldsmith (Oxford, 2021) states that this also introduced more vectors of attack. It is now common for households to contain corporate infrastructure and now potentially targets for an attack. Cyber incidents originating from personal/home environments have become increasingly prominent. Notable breaches include LastPass ^[8] , 3CX ^[9] , a large-scale compromise involving 36 Chrome extensions ^[10] , and the 2025 Bybit $1.5B heist ^[11] . In each case, attackers leveraged user devices or accounts outside corporate-controlled infrastructure - e.g. an engineer’s home PC or developer workstation - to gain initial access. The common thread is unmanaged or personally-used devices lacking enterprise controls, which attackers exploited via malware, software-supply-chain trojans, or social engineering.

References

1. [1] Muir, K. & Joinson, A. - An Exploratory Study Into the Negotiation of Cyber-Security Within the Family Home ↩
2. [2] Gröber, L. - To Cloud or not to Cloud ↩
3. [3] Bispham, K. - Cybersecurity in Working from Home ↩
4. [4] Stempel, J. (Reuters) - Microsoft's LinkedIn Sued for Disclosing Customer Information to Train AI Models ↩
5. [5] Van der Sar, E. (TorrentFreak) - Anna's Archive Loses .LI Domain As Legal Pressure Mounts ↩
6. [6] Evershed, N. (The Guardian) - 'It's Not Too Late to Fix It': Tim Berners-Lee on the Battle for the Soul of the Web ↩
7. [7] Lohr, S. (New York Times) - He Created the Web. Now He's Trying to Redeem It. ↩
8. [8] Information Commissioner's Office - Password manager provider fined £1.2m by ICO for data breach ↩
9. [9] Johnson, J. et al (Google Cloud Blog) - 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible ↩
10. [10] Schwartz, M. (Bank Info Security) - 36 Chrome Extensions Compromised in Supply Chain Attack ↩
11. [11] Danielson, L. (Huntress) - Bybit Data Breach ↩