Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!

Hey Tildenauts,

I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't setup a hardware firewall recently enough to know off the top of my head which are the best options here.

The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.

From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.

Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?

Thanks in advance!

Any clever ways to connect to the Internet safely to update drivers, security, etc? I'd only want to connect to Intel, AMD, Microsoft, etc, and then would physically disconnect the lan card. I know, dangerous, but I'm trying a piecemeal approach with a flash drive and getting mixed results. I tried to update to Service Pack 2, and it bricked the computer on restart, back to flashing Vista.

Sorry if this isn't the best place to ask. IT and cybersecurity-focused communities over on Reddit aren't exactly the most welcoming places for such questions, and reading the r/ITCareerQuestions wiki has made me seriously question if I'm being sold false promises of working in a sector that actually has a low demand for workers. Then again, that wiki page seems more geared towards the US job market.

Two weeks ago, I responded to an Instagram ad advertising cybersecurity courses, because the job market is horrible here in the UK right now, and after some setbacks with my ACCA studies, I am seriously considering just giving up on trying to get into chartered accountancy because that path is closing many more doors for me. A course advisor rang me asking about the reasons I showed interest in the ad, then we had a long discussion about any questions I had, what the sector is apparently like, etc.

Some of the claims seem too good to be true, i.e. that it's an industry where you can afford to be picky, jobs outnumber people by almost 3 to 1, most jobs are remote, the provider boasts a 90%+ employment rate, I don't need programming experience, the most complex thing I'd be doing is running command prompt/powershell commands and scripts.

The firm itself seems legitimate. They offer CompTIA, Microsoft, Cisco, AWS and EC-Council certifications, have good review scores on Trustpilot, are a registered training provider and limited company in the UK, and are supposedly an assured service provider with the National Cyber Security Centre (NCSC.) The courses they mentioned to me in their syllabus supposedly come to £4k and would take about six months.

1. Am I right to be wary about what this training provider are offering?
2. Do you require extensive programming knowledge or a computer science background to work in cybersecurity in any capacity? A friend with an IT background has told me that Python is useful in his field.
3. Is the reality of IT and cybersecurity jobs in the UK (or in the West) far different from what has been painted to me?

I have changed my email more than once, just as part of customizing my online identity and all that.

and that obviously required me to login into any accounts I had and updating the email associated with them.

the most common workflow I have found is
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email

then you can go to that website and do the forgot password, provide your email and change the password and get complete control.

I have always found that workflow weird cause it's the most prevalent one I have come across and seems so susceptible to tampering.

if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm on my inbox once I am back at my desk.

and most people don't have 2FA so that would effectively give me control of their account.
Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. a classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.

there are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and after you confirm on that, then you get a confirmation email on the new email inbox. which isn't perfect but I feel like it's a bit more sensical and the best you can do without involving 2FA.

even then, that's also susceptible to the situation I described above if the user is always logged into their email.

I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.

I went down the path of thinking about switching to Passkeys but it seems like more hassle than it is worth, so I hoped this community could tell me if I am crazy.

I use Bitwarden to generate and save passwords for anything important and always use an authentication app when the option is present. I never use the same password. Sadly, most Canadian banks are awful and only allow SMS 2FA if anything at all. That said, of the two banks I primarily use, one does allow an authentication app and the other uses its own app to send authentication codes.

I always read that Passkeys are better for people who are lazy/bad with their passwords. For someone like me, is the security practically the same or is there still some benefit to switching everything I can to Passkeys?

Part of my role at work is in security policy & implementation. I can't figure this out so maybe someone will have some advice.

With the advent of AI coding, people who don't know how to code now start to use the AI to automate their work. This isn't new - previously they might use already other low code tools like Excel, UIPath, n8n, etc. but it still require learning the tools to use it. Now, anyone can "vibe coding" and get an output, which is fine for engineers who understand how the output should work and can design how it should be tested (edge cases, etc.)

I had a team come up with me that they managed to automate their work, which is good, but they did it with ChatGPT and the code works as they expected, but they doesn't fully understand how the code works and of course they're deploying this "to production" which means they're setting up an environment that supposed to be for internal tools, but use real customer data fed in from the production systems.

If you're an engineer, usually this violates a lot of policies - you should get the code peer reviewed by people who know what it does (incl. business context), the QA should test the code and think about edge cases and the best ways to test it and sign it off, the code should be developed & tested in non-production environment with fake data.

I can't think of a way non-engineers can do this - they cannot read code (and it get worse if you need two people in the same team to review each other) and if you're outsourcing it to AI, the AI company doesn't accept liability, nor you can retrain the AI from postmortems. The only way is to include lessons learned into the prompt, and I guess at some point it will become one long holy bible everyone has to paste into the limited context window. They are not trained to work on non-production data (if you ever try, usually they'll claim that the data doesn't match production - which I think because they aren't trained to design and test for edge cases). The only way to solve this directly is asking engineers to review them, but engineers aren't cheap and they're best doing something more important.

So far I think the best way to approach this problem is to think of it like Excel - the formulas are always safe to use - they don't send data to the internet, they don't create malware, etc. The worst think they can do is probably destroy that file or hangs your PC. And people don't know how to write VBA so they never do it. Now you have people copy pasting VBA code that they don't understand. The new AI workspace has to be done by building technical guardrails that the AI are limited to. I think it has to be done in some low-code tools that people using AI has to use (like say n8n). For example, blocks that do computation can be used, blocks that send data to the intranet/internet or run arbitrary code requires approval before use. And engineers can build safe blocks that can be used, such as sending messages to Slack that can only be used to send to corporate workspace only.

Does your work has adjusted policies for this AI epidemic? or other ideas that you wanted to share?

I am planning to use Plaid API and have a spring boot backend but given that I will be storing my financial information (such as whatever the Plaid API needs me to store to use their endpoints as well as just the transactions on my credit and chequing account), the security of the data is obviously crucial. and I think my problem is I don't know what I don't know.

I have a basic idea of what kind of things I need to protect against.

1. WIll have to use Spring security (or whatever is best) for thing like protecting against xss and csrf
2. I need to ensure that the PostgreSQL database is encrypted

but beyond that, I don't know much about the nuances of each type of security and customizations I should be on the look-out for. wonder if there's a trustworthy resource for at least detailing for me the kind of security I need to implement on either the Spring or PostgreSQL side of things?