Infrastructure

Being a permanent road-warrior not only requires a consciously curated set of items to travel with, but also a meticulously careful selection of services, for everything from securing connections over public WiFi to storing data and retrieving e-mail. I've put together a collection of the services I use for personal and business purposes while on the go.

Infrastructure

Internet

Let’s start with the basics: access to the internet. In many places today one can find prepaid SIM cards and free WiFi. For data connections over 3G/LTE I use a Netgear Nighthawk M2 router with local prepaid SIM cards. Depending on the usage limits, I get multiple cards to make sure I don’t run out of data. Also, some carriers are better than others depending on the region I’m currently in.

SIM Cards

I prefer to purchase and top-up local SIM cards in cash. In a lot of countries it’s possible to walk into small shops or kiosks and get prepaid SIM cards no questions asked. It is worth checking carriers' pop-up stalls on the streets and in malls, as they might even give away prepaid cards for free.

Additionally, there are providers that offer global SIM cards. With such SIM cards one can roam through multiple countries without the need to purchase individual local SIM cards on arrival. Here is a list of options for international SIM cards:

Keep in mind, though, that apart from Google Fi (which is only available to people with a US bank account and address) most of these SIM cards are pretty expensive for what they offer. 99% of the time you’ll be better off, both in cost and in privacy, with a locally purchased SIM card.

WiFi

Free WiFi can be found through various resources on the internet. For example, WiFi Map has iOS and Android apps that show publicly accessible access points on a map. Here is a Google (ghnar!) Map which contains wireless access info for airports and lounges all over the world. Treat every one of these networks as hostile: bring the VPN up before anything else on the device talks to the network (see VPN and DNS below).

VPN

I use VPNs for my online activities. My go-to provider has been ProtonVPN, but in recent months I’ve been on the lookout for an alternative. ProtonVPN works great, but it operates under a bad jurisdiction which is actively cooperating with Fourteen Eyes countries. Besides, I’m worried about the bs that’s happening in the EU and how it might affect ProtonVPN at some point.

Here is a list of interesting alternatives I’m currently trying out:

Travel caution: the use of Tor/VPNs by individuals is banned or blocked in the following countries: Belarus, Iran, Iraq, Oman, Turkey, Uganda and the United Arab Emirates. In China and Russia only VPN services with government approval are officially allowed. In North Korea, Cuba, Egypt, Vietnam, Bahrain, Turkmenistan, Myanmar, Syria, Libya and Venezuela there are no official bans, but because of their strict internet censorship, using Tor/VPNs might not be easily possible and may carry risks.

Always make sure to check the current law when traveling to places that are in political turmoil or known for their controversial stance on privacy and free speech.

Self-contained networks / Darknets

At times when a VPN is insufficient from a privacy-standpoint or I cannot find the required information on the clearnet, I use ZeroNet, IPFS and the Tor networks.

DNS

DNS is a leaky pipe: even with a VPN or P2P network active, it’s important to make sure that no DNS requests are split-tunnelled around it, i.e. sent in the clear to the local network’s resolver instead of through the tunnel.

I use encrypted (and ideally anonymized) DNS whenever possible. For this I have DNSCrypt configured and use public DNSCrypt servers that do not have logging enabled. DNSCrypt on its own won’t prevent DNS leaks: its purpose is to encrypt and authenticate the DNS traffic between the client and the resolver, which prevents attacks like DNS spoofing / MitM. A leak happens when the OS or an application sends queries to some other resolver (the hotel router, a resolver pushed by the VPN client, a browser’s built-in DoH), so the resolver configuration has to be checked separately.

Hint: Firefox has built-in DNS over HTTPS (DoH), which it enables by default in some regions. By default it uses Cloudflare’s resolver, and because the browser then resolves names itself, it also bypasses a local DNSCrypt proxy. Either change the provider (network.trr.uri in about:config) or turn the feature off (network.trr.mode = 5) so that Firefox goes through the system resolver.
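The check I would run after connecting, as an added example that is not part of the original post: parse the resolver list and flag every resolver that is neither the local DNSCrypt proxy nor inside the VPN’s DNS range. The resolv.conf text, the 127.0.0.1 proxy address and the 10.8.0.0/24 VPN range are constructed assumptions for illustration; substitute your own.

```python
"""Added example: detect split-tunnelled DNS resolvers.

Assumptions (constructed for this example): dnscrypt-proxy listens on
127.0.0.1, the VPN pushes resolvers out of 10.8.0.0/24, and the
resolv.conf text below is what a VPN client might leave behind after
appending its resolver without removing the hotel router's entry.
"""
import ipaddress
from typing import Iterable, List

SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search hotel.lan
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver 10.8.0.1
options edns0
"""

# Resolvers considered safe: loopback (the local DNSCrypt proxy) and the VPN's DNS.
ALLOWED_RESOLVERS = ["127.0.0.0/8", "::1/128", "10.8.0.0/24"]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def leaking_resolvers(nameservers: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Every resolver that is not loopback and not inside the VPN's DNS range.

    Anything returned here may be queried outside the tunnel, so it is a
    leak candidate regardless of whether DNSCrypt is running locally.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            leaks.append(ns)  # unparsable entry: treat as suspicious
            continue
        # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe
        if not any(addr in net for net in allowed_nets):
            leaks.append(ns)
    return leaks


def check_resolv_conf(resolv_conf: str,
                      allowed: Iterable[str] = ALLOWED_RESOLVERS) -> List[str]:
    """Convenience wrapper: parse, then report leak candidates."""
    return leaking_resolvers(parse_nameservers(resolv_conf), allowed)


if __name__ == "__main__":
    leaks = check_resolv_conf(SAMPLE_RESOLV_CONF)
    if leaks:
        print("DNS leak candidates:", ", ".join(leaks))  # 192.168.1.1
    else:
        print("all resolvers are loopback or inside the VPN")
```

Two caveats when using this for real: on macOS /etc/resolv.conf is not authoritative (the per-interface resolvers come from scutil --dns, and on Linux with systemd-resolved from resolvectl status), and a browser with DoH enabled never shows up in any of these lists, which is exactly why the Firefox hint above matters.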

Firewall

On macOS I use Little Snitch in alert mode, so that I get informed about new connection attempts and can decide whether I want to allow them or not.

For Linux desktops check out OpenSnitch.

Browsing

For my day-to-day browsing I switch between Safari and Firefox. For things that require a higher level of privacy or better annoyance-blocking (e.g. YouTube pre-rolls) I solely use Firefox. Unfortunately many privacy-enhancing extensions are not available for Safari. I use the following extensions in Firefox:

Keep in mind that extensions contribute to your browser fingerprint. Test your browser every once in a while to make sure it’s not too unique.

Additionally, I use the following about:config settings:

beacon.enabled = false
browser.contentblocking.category = strict
browser.safebrowsing.downloads.remote.enabled = false
browser.send_pings = false
browser.sessionstore.privacy_level = 2
browser.urlbar.speculativeConnect.enabled = false
datareporting.healthreport.uploadEnabled = false
dom.event.clipboardevents.enabled = false
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
media.navigator.enabled = false
network.cookie.cookieBehavior = 5
network.cookie.lifetimePolicy = 2
network.dns.disablePrefetch = true
network.dns.disablePrefetchFromHTTPS = true
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.IDN_show_punycode = true
network.predictor.enable-prefetch = false
network.predictor.enabled = false
network.prefetch-next = false
privacy.donottrackheader.enabled = true
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.cryptomining.enabled = true
privacy.trackingprotection.enabled = true
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.socialtracking.enabled = true
webgl.disabled = true

Search Engines

My daily drivers for online search are Startpage in Firefox and DuckDuckGo in Safari, even though the latter might not be the most privacy-conscious search engine. DDG is a good middle ground between being paranoid and getting Google-quality results. Apart from Startpage and DDG, I sporadically use Qwant and any of the publicly available Searx instances.

If I need Google (e.g. for detailed technical queries where DDG and the others don’t have good enough results) I use it in private mode.

Maps

I mainly use Apple Maps and OpenStreetMap for address lookups and navigation. On iOS I use OsmAnd, but I keep Google Maps installed for emergencies. However, I have the precise location setting for Google Maps disabled.

Communication

One of the most important things while traveling are services and platforms for communication. These make a big part of my digital life. In order to keep in touch with friends as well as business contacts I use a variety of messengers, video-conferencing tools, social networks and other platforms.

E-Mail

It’s complicated or even partially impossible for me to retrieve physical mail. Therefore e-mail has become for me what the physical mailbox was a decade ago: a place where important documents are sent to me and from which I retrieve them. In my case, little to no communication happens over e-mail. In fact, I can’t even remember when I last wrote a mail longer than one or two lines to any of my acquaintances.

As detailed in an entry I wrote a while ago, e-mail to me is more of a temporary storage for important documents. Therefore I chose CTemplar as my main e-mail service. In addition, I share accounts with other people for less important kind-of-team-mail things. These accounts run on ProtonMail because its bridge makes integration into regular mail clients and workflows easier.

For unimportant things which will not require my personal information I use burner addresses like Guerrilla Mail and TempMail.

Direct & Small-Group Messaging

For the past decade I’ve been using Messages (formerly iMessage) and Signal (formerly TextSecure) for instant messaging. While Messages caters to professional communication (e.g. with clients and business partners), Signal handles my private communication with friends.

A question that comes up frequently is “What if contacts use neither Messages nor Signal?” In that case I don’t use instant messaging with these contacts at all. As ignorant as this might sound: if privacy concerns or even scandals won’t make people switch away from WhatsApp, Telegram and other shady platforms, then peer pressure is the last resort.

Community- and Group-Messaging

I have been idling on IRC (mainly freenode) for decades. I kept ZNC running as a bouncer and even had ZNC Push configured to send me push notifications via Pushover when someone mentioned me while I was afk.

Additionally, I have been using Element (formerly Riot) for a long time now. Element runs on the Matrix network and has bridges for many other platforms and networks. On matrix.org they have freenode bridged, meaning that it’s possible to join IRC channels through Element.

While I don’t like Element (as a client) and wish there was a way to use my irssi setup on Matrix – spoiler, there is – I do like the privacy Matrix offers over plaintext IRC.

Recently I started the experiment to move from IRC to Element/Matrix by turning off my ZNC bouncer. I don’t know whether I can make Element stick, but it’s worth a try and I might be able to make irssi connect to it via pantalaimon.

In business contexts I (have to) use whichever platform my clients and business partners found to be working for them. Many times that’s Slack, but I have been part of projects in which management pushed for everyone (including the engineering teams) to use absurdities like Microsoft Teams. In those cases I find it better to refrain from using group-messaging altogether and instead find different means of communications (e.g. the ones described in Direct & Small-Group Messaging).

Voice- & Video-Calling

See Messaging. Additionally, if there’s a need for conference calls with room links, moderation, screen-sharing, et al., I prefer Jami and Jitsi over Google Meet or Zoom. Unfortunately, in the corporate world it’s hard to replace well-established products, hence I’m forced to use spyware from time to time. In these cases I make sure to allow these websites or iOS apps to access my microphone only temporarily. I also make sure they have access to neither my camera nor my desktop unless it’s required. Even then, I remove access to all these things afterwards or even delete the (iOS) apps altogether until the next conference call comes up.

I barely do plain phone calls. Not only is the call quality miserable; phone calls also offer the least privacy possible.

Social Networks

The social networks that I’m regularly active on are GitHub, Mastodon and Reddit. Apart from those, I regularly try new things in the decentralized space. Recently I looked at Lemmy and Pixelfed.

I don’t use social networks to share personal info like my exact location or what I had for lunch. Instead, for me these platforms are tools to find interesting new things, follow-up on what’s happening in the cities I’ve travelled to and the ones I’m planning to visit in the near future. I sometimes use social networks to share things I made and projects I’m working on.

While I don’t have a Facebook account, I do use their Instagram service for posting travel stories and photos. On Instagram I follow people I personally know. The reason I have an Instagram account is to blend in. If you desire privacy you have to maintain a public version of yourself that lives on. As long as the content that is shared on platforms like IG is intentional, there’s nothing wrong with letting other people know that you still exist. In fact, it even helps distract attention from the things that you want to keep to yourself.

Contacts & Calendars

Currently I have my contacts and calendars on iCloud. As mentioned before this is a temporary solution that helped me get rid of Google.

TODO: Take a look at fruux and EteSync.

Documents & Data

Keeping data secure and private is important for someone who is constantly on the move. And while not everyone can carry a fully encrypted and remotely backed-up data center with them all the time, there are nevertheless ways to retrieve, send and store data so that things won’t blow up in the event of a disaster.

An important note upfront: I always make sure that every device I carry with me has full-disk encryption turned on. On macOS it’s called FileVault, on Linux it’s dm-crypt (usually set up as LUKS). iOS devices encrypt their storage by default using the hardware AES engine; the per-file Data Protection keys are only as strong as the passcode they are derived from, so set a long one.

An important topic when using encrypted devices is plausible deniability. Gregory Alvarez wrote a good piece on that, which I recommend reading.

Version Controlled Data

Much of my critical data is version controlled, meaning that I maintain it in a git repository. If the data is in any way confidential, I use git-crypt to transparently encrypt and decrypt it with my GPG key. Depending on the type of data, the git remote is either a public or private GitHub repository or a private git server that I run on my own infrastructure. Keep in mind that git-crypt only encrypts the contents of files matched by a filter=git-crypt rule in .gitattributes; file names, directory layout and commit history stay in plaintext.
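Before pushing a git-crypt repository anywhere, two things are worth verifying: that every confidential path is actually covered by a filter=git-crypt rule, and that what git stores for such a path really is ciphertext. The following is an added example, not code from the original post and not git-crypt’s own tooling; the .gitattributes text, the list of secret paths and the two blobs are constructed sample input. It relies on the fact that every git-crypt-encrypted blob starts with the 10-byte header `\0GITCRYPT\0`. The gitattributes matching is a simplified fnmatch version (patterns without a slash match the file name, others the full path, and `*` also crosses directory boundaries), which is enough for the patterns shown here.

```python
"""Added example: two pre-push checks for a repository that uses git-crypt.

  1. Every confidential path matches a `filter=git-crypt` rule in
     .gitattributes (a private key without a matching extension silently
     stays in plaintext).
  2. The object as stored by git (`git show HEAD:<path>`) starts with
     git-crypt's file header, i.e. it really is ciphertext.
"""
import fnmatch
from typing import Dict, List, Tuple

# Header git-crypt's clean filter writes in front of the nonce and ciphertext.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"

# Constructed sample .gitattributes.
SAMPLE_GITATTRIBUTES = """\
# everything under secrets/ plus every .env and .pem file is encrypted
secrets/** filter=git-crypt diff=git-crypt
*.env filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""

# Constructed list of paths the owner considers confidential.
SAMPLE_SECRET_PATHS = [
    "secrets/db/password.txt",
    "config/prod.env",
    "certs/tls.pem",
    "deploy/id_ed25519",   # no rule matches this one
]

# Constructed blobs: one as git-crypt stores it, one accidentally in plaintext.
SAMPLE_ENCRYPTED_BLOB = GITCRYPT_MAGIC + bytes(12) + b"\x9b\x2f\xd1\x07\x55"
SAMPLE_PLAINTEXT_BLOB = b"DB_PASSWORD=hunter2\n"

Rule = Tuple[str, Dict[str, str]]


def parse_gitattributes(text: str) -> List[Rule]:
    """Return (pattern, {attribute: value}) per rule; '!attr' is stored as '!'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *attrs = line.split()
        parsed: Dict[str, str] = {}
        for attr in attrs:
            if attr.startswith("!"):
                parsed[attr[1:]] = "!"          # attribute explicitly unset
            elif "=" in attr:
                key, value = attr.split("=", 1)
                parsed[key] = value
            else:
                parsed[attr] = "set"
        rules.append((pattern, parsed))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Simplified gitattributes matching via fnmatch (see lead-in for limits)."""
    if "/" in pattern:
        return fnmatch.fnmatchcase(path, pattern.lstrip("/"))
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)


def is_encrypted_path(path: str, rules: List[Rule]) -> bool:
    """Last matching rule wins, as in git; encrypted iff filter=git-crypt."""
    state = None
    for pattern, attrs in rules:
        if "filter" in attrs and _matches(pattern, path):
            state = attrs["filter"]
    return state == "git-crypt"


def uncovered_secrets(paths: List[str], gitattributes_text: str) -> List[str]:
    """Confidential paths that would be committed in plaintext."""
    rules = parse_gitattributes(gitattributes_text)
    return [p for p in paths if not is_encrypted_path(p, rules)]


def is_gitcrypt_blob(blob: bytes) -> bool:
    """True if the stored object carries git-crypt's header."""
    return blob.startswith(GITCRYPT_MAGIC)


if __name__ == "__main__":
    for path in uncovered_secrets(SAMPLE_SECRET_PATHS, SAMPLE_GITATTRIBUTES):
        print("NOT covered by git-crypt:", path)                    # deploy/id_ed25519
    print("encrypted blob:", is_gitcrypt_blob(SAMPLE_ENCRYPTED_BLOB))  # True
    print("plaintext blob:", is_gitcrypt_blob(SAMPLE_PLAINTEXT_BLOB))  # False
```

To feed real data into the second check, read the object from the repository rather than the working tree (`git show HEAD:config/prod.env`), since the working copy is always decrypted once the repo is unlocked; `git-crypt status -e` gives the tool’s own view of which files are encrypted.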

Additionally, I use git for collaborating, since it’s possible to give other people access to individual repositories.

Keep in mind that version control makes sense for changing data where you want to keep a revisions history. For everything else it might end up being a waste of space.

Synchronized Data

Data that doesn’t need to be version controlled and might not even need to be readily available at all times goes here, for example documents that are kept for compliance reasons. For this sort of data I use Resilio Sync. It allows me to sync individual folders from my laptop to one or multiple peers. Additionally, it offers selective synchronization, so that I can keep only the documents on my laptop that are still relevant. Everything I don’t sync to my laptop remains on the peers I’m synchronizing with. Resilio is basically a DIY Dropbox or Google Drive built on BitTorrent technology.

If it wasn’t for the iOS client I would have switched to the open-source alternative Syncthing. Unfortunately Syncthing does not have one (yet?).

Shared Data

Sharing data is something I do in different ways. The easiest one is to send it through any means of communication (e-mail, messengers) or via OnionShare. Depending on the confidentiality and whether it will have to be sent back with modifications, git or Resilio Sync (or Syncthing) might work better.

Snapdrop is another option here, btw. It uses WebRTC to directly send files from peer to peer.

Office Suite

Instead of Google Docs or Microsoft Office 365 I use offline applications such as LibreOffice and Apple’s office suite (Pages, Numbers, Keynote). For collaborative work I use CryptPad, which combines parts of different software (like OnlyOffice) into a privacy-friendly, end-to-end encrypted collaboration platform.

Diagrams

I use Monodraw on macOS to draw beautiful ASCII diagrams. Everything else I do in Diagrams.net (formerly Draw.io).
When I need to draw sophisticated service architecture diagrams, I use Cloudcraft.

Backups

For backing up my laptop I use Time Machine. For data that needs to be backed up to off-site cloud storage I use Duplicacy, which encrypts client-side before uploading.

Security

Apart from obvious things like encryption I also use a few methods to make sure that in case my data is compromised, I notice it and maybe get some clues about what happened. One of those methods is spreading canary tokens (honeytokens) across every data set and online service that I use. Services I can recommend for that purpose are CanaryTokens.org and “BlueCloudDrive”.

Canary tokens can be added to…

  • filesystems, as website bookmarks or as tags included in HTML files
  • e-mail services (e.g. by having a mail titled “Important documents” in your inbox that contains an obfuscated link to the token)
  • digital address books, by adding the link as website of a (fake) contact that might be of interest for others
  • calendars, by adding a recurring meeting with the token link as meeting URL
  • physical objects, e.g. to phones, credit cards and even printed documents, either as very short text-links or as QR codes
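The address-book, calendar and bookmark placements above are file formats, so one token can be rendered into all three at once. The following is an added example, not code from the original post and not from canarytokens.org: it turns a token URL into a vCard whose website field is the token, an iCalendar file with a weekly recurring meeting whose URL/location is the token, and a Netscape bookmark file that browsers import. TOKEN_URL is a placeholder, not a real token, and the contact name, organisation and meeting title are constructed bait; both vCard and iCalendar require CRLF line endings and folding of lines longer than 75 octets, which the `fold` helper takes care of because real token URLs are long.

```python
"""Added example: render one canary token URL as vCard, iCalendar and bookmark file."""
import datetime as dt
import hashlib
import html
import os
from typing import List

TOKEN_URL = "https://example.invalid/canary/REPLACE-WITH-YOUR-TOKEN"  # placeholder


def fold(line: str, limit: int = 75) -> List[str]:
    """RFC 5545 / vCard line folding: continuation lines start with one space
    and the limit applies to the whole physical line including that space."""
    out = []
    while len(line) > limit:
        out.append(line[:limit])
        line = " " + line[limit:]
    out.append(line)
    return out


def _crlf(lines: List[str]) -> str:
    """Join with CRLF (mandatory in both formats), folding long lines."""
    folded = [piece for line in lines for piece in fold(line)]
    return "\r\n".join(folded) + "\r\n"


def vcard(token_url: str, first: str = "Hans", last: str = "Mueller",
          org: str = "Acme Holding AG") -> str:
    """A plausible contact whose website field is the token URL."""
    return _crlf([
        "BEGIN:VCARD",
        "VERSION:3.0",
        f"N:{last};{first};;;",
        f"FN:{first} {last}",
        f"ORG:{org}",
        "TITLE:Head of M&A",
        f"URL:{token_url}",
        "END:VCARD",
    ])


def ics(token_url: str, summary: str = "Board call (dial-in details in URL)",
        start: dt.datetime = dt.datetime(2021, 4, 12, 9, 0)) -> str:
    """Weekly recurring meeting; `start` is taken as UTC and is a Monday (BYDAY=MO)."""
    uid = hashlib.sha256(token_url.encode()).hexdigest()[:32] + "@canary.local"
    stamp = start.strftime("%Y%m%dT%H%M%SZ")
    return _crlf([
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//canary-example//EN",
        "BEGIN:VEVENT",
        f"UID:{uid}",
        f"DTSTAMP:{stamp}",
        f"DTSTART:{stamp}",
        "DURATION:PT1H",
        "RRULE:FREQ=WEEKLY;BYDAY=MO",
        f"SUMMARY:{summary}",
        f"LOCATION:{token_url}",
        f"URL:{token_url}",
        "END:VEVENT",
        "END:VCALENDAR",
    ])


def bookmark_html(token_url: str, title: str = "Bank - online banking login") -> str:
    """Netscape bookmark file, importable by Firefox, Chrome and Safari."""
    href = html.escape(token_url, quote=True)
    return (
        "<!DOCTYPE NETSCAPE-Bookmark-file-1>\n"
        '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">\n'
        "<TITLE>Bookmarks</TITLE>\n"
        "<H1>Bookmarks</H1>\n"
        "<DL><p>\n"
        f'    <DT><A HREF="{href}">{html.escape(title)}</A>\n'
        "</DL><p>\n"
    )


def write_all(token_url: str, outdir: str = ".") -> List[str]:
    """Write the three artifacts and return their paths."""
    files = {
        "contact.vcf": vcard(token_url),
        "meeting.ics": ics(token_url),
        "bookmarks.html": bookmark_html(token_url),
    }
    paths = []
    for name, body in files.items():
        path = os.path.join(outdir, name)
        with open(path, "w", newline="") as fh:  # newline="" keeps the CRLFs intact
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    print("\n".join(write_all(TOKEN_URL)))
```

Import the three files into the respective apps and then delete them from disk, so that the only copies of the token are the ones sitting where an intruder would find them.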

More info on canary tokens here

Cloud

In order to be able to work online I need infrastructure that runs somewhere in a well-connected and ideally heavily guarded environment. For simple things like websites I use CDN-fronted static hosting; Amazon S3, Google Cloud Storage or GitHub Pages are sufficient for that purpose. For more complex setups and services, though, it can be tricky to strike a good balance between cost, comfort, privacy and availability. Through my attempt to drop Google I noticed that it can be incredibly tricky to find alternatives once you’ve been running more sophisticated infrastructure.

Infrastructure Providers

For a long time I used Amazon Web Services and Google Cloud Platform for my cloud infrastructure. I cut ties with AWS because GCP turned out to be cheaper for what I was doing. And even though GCP sucked (and in parts still does), I was able to migrate everything without too much effort.

When I began cutting ties with Google a year ago, I started experimenting with other cloud providers. One important requirement for me is an API for which Terraform has a provider, so that I can do (at least) the most basic things through code.
Additionally, since I was running many things on AWS Lambda (later Google Cloud Functions), I was eager to find a provider offering a serverless environment to which I could migrate.

Unfortunately there is no real competition to Google and Amazon on the serverless playing field, which meant I would have to go for the second-best option: DIY.

I ended up on DigitalOcean, mainly because it was the cheapest cloud infrastructure provider at that time that had a working Terraform implementation. I migrated all my services into containers and pods and ran them on DO’s managed Kubernetes service, using the smallest available node sizes and horizontal auto-scaling enabled. Unfortunately it turned out to be more expensive and require more maintenance than everything I used on AWS and GCP before.

Right now I’m reconsidering my infrastructure provider choice. Not much has changed and there still is no mature alternative to Lambda/Cloud Functions on the market. Here is a list of providers that offer at least a bare-minimum Terraform integration and that I tried and found to work well in general:

An honorable mention is OpenBSD Amsterdam, even though it does not have a Terraform provider.

Additionally, there are a couple of special-use-case providers that I either actively use or return to from time to time. They offer raw VPS instances without bells and whistles and require much more administrative work. Also, they’re not exactly cheap. In return, these services operate in jurisdictions that value privacy and free speech and make it hard for foreign players to interfere with whatever operation is being run on their systems. Here are some interesting options:

Last but not least, I sometimes partner with business contacts who run actual hardware in data centers, mainly throughout Europe, and rent a few rack units (U) of capacity from them.

Domains

Domains are an important part of web privacy. The majority of registrars offer paid WHOIS privacy subscriptions for individual domains that replace personal contact details with the provider’s generic contact info in the public WHOIS/RDAP record. However, the registrar still holds your real details, and a simple phone call or a cease-and-desist letter may suffice to find out who is behind a guarded domain.

A better approach is a provider like Njalla, which registers domains in its own name, making it the owner of the domain. Since registration on Njalla is possible over VPN/Tor and payment via Monero is available, Njalla can be used as a truly private domain registrar: even if they ever passed customer data on to whoever requested it, it would be of no use. The flip side is that you are not the registrant; your control over the name rests entirely on your agreement with Njalla.

Git

TODO: Document Git infrastructure.

Web

The web stack for nearly everything I do is as lean as possible. Landing pages and websites that I used to run on WordPress and Ghost have all been converted to static Hugo sites. For everything that requires more functionality I tend to use as little JavaScript as possible. I run a few heavy-weight front-ends that make use of Angular, but I’m working on replacing those with more lightweight implementations.

The majority of these web projects are currently running on services like Render. Even though Cloudflare, for example, lets you host static sites on their infrastructure, I refrain from it because of their already big enough influence on the internet.

APIs & Services

As mentioned in the Infrastructure Providers part, I prefer serverless architectures over containerized services because they’re cheaper for me. However, since the serverless cloud market is a de facto oligopoly, there isn’t much choice:

Either stick to one of the big cloud providers or migrate to a different technology stack.
There are DIY serverless projects around, for example Kubeless and OpenFaaS, but they still run on nodes you pay for around the clock, so they unfortunately won’t help cut costs.

Analytics

Since I have no use for the features Google Analytics offers, I’m using privacy-respecting alternatives that happen to be open-source projects. That way I can either roll my own analytics service if needed or use their paid subscription. Currently I’m running Plausible on many websites. Before that I used Fathom, which I recommend as well.

For more sophisticated projects like eCommerce websites Matomo is a more powerful choice.

Push Notifications

I use Pushover for receiving push notifications about status changes of individual cloud services. For example, when the CI run that deploys this journal completes, I get a push notification with its status. Pushover is a very minimalistic service and offers integrations for a wide variety of environments.

Dead Man’s Switch

TODO: Build dead man’s switch for data and cloud infrastructure.

Further Reading

published [2021-03-27] · updated [2021-04-11]