Matt Traudt

An onion a day keeps the bad guys away | About me

About Me

Posted on 28 Aug 2016 by Matt Traudt

Last updated 28 Sep 2020 at 9:10 am
Pinned post

I work for the Naval Research Lab. From 2016-2020 I worked among world experts on privacy and security performing research and development on Tor, and sometimes the Internet in general. You will find this reflected in my publications below.

As of 2021 I still work for NRL but no longer work with Tor. If you like the privacy/security things that I do, please consider donating to help me keep doing them. 1HDKN3KdD7NWu4dWCQae9gQytZMuyTPb4J Your support will help rationalize spending my free time on these important causes. You will be supporting:


Peer-Reviewed Journals and Conferences

Self-Authenticating Traditional Domain Names [pdf] [code]
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt

KIST: Kernel-Informed Socket Transport for Tor [pdf] [acm]
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson

Privacy-preserving Dynamic Learning of Tor Network Traffic [pdf] [data]
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper

Peer-Reviewed Workshops

Does Pushing Security on Clients Make Them Safer? [slides] [pdf]
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson

HSTS Supports Targeted Surveillance [pdf] [foci]
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt

Tor Proposals

FlashFlow: A Secure Speed Test for Tor (Parent Proposal) prop#316, 2020
Matthew Traudt, Rob Jansen, Aaron Johnson, and Mike Perry


FlashFlow: A Secure Speed Test for Tor [arxiv]
Technical Report arXiv:2004.09583 [cs.CR] (arXiv 2020)
Matthew Traudt, Rob Jansen, and Aaron Johnson

Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice [pdf] [arxiv]
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt


Personal: sirmatt |at| ksu d0t edu
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
GPG 0x83BCA95294FBBB0A
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.

Read the entire post

Quarantine Fitness

Posted on 01 Apr 2020 by Matt Traudt

Last updated 14 Apr 2020 at 11:31 am

I was training for a half marathon in May 2020. Training three days a week. Increasingly longer runs each time. Ya know. Preparing. Then COVID-19 hit the US. I'm now on week 3 of working from home and the race is canceled postponed.

Coincidentally I've been eating so poorly (for so long) that increasing miles weren't decreasing pounds.

Thus far we're still allowed to go outdoors for exercise as long as we maintain social distance. I lack a big firm goal of a half marathon, but don't want to regress back into the comfortable laziness I've been enjoying for far too long. So I've decided to modify my exercise regimen to (at least initially) involve more frequent but shorter runs.

Also I'm going to count calories, which in the past has been the key to actually successfully losing weight. If I don't count, I don't make much progress and regress quickly. Oh and being accountable helps.

So here we go. Time to be accountable to the Internet and improve my life while on "lock down."

This is the weight I've lost. I want to lose ~2 pounds per week, which in the past has been attainable. I want to lose ~30 pounds, so I'm looking at about 13 weeks (91 days) here. This will put me at a BMI of ~22, squarely within the "normal" range of 18.5-24.9.

[Figure: main weight plot]

Here are the runs I've gone on.

[Figure: main run plot]

tags: personal

BM v5.0.0 is Released

Posted on 04 Mar 2020 by Matt Traudt


Hey look. This dead project is getting a new major version. Don't count on this continuing to happen! ;)


The default/bundled markdown parser is changed from to cmark-gfm. While making the change, I sometimes noticed the content of my pages being rendered differently. Once the change was finally fully made, however, the content renders the same. I have no idea why it would be different, nor do I know what I was doing to make it break/unbreak.

Thus, to be cautious, I'm calling this a breaking change. Thus a new major version for BM is required.

The full spec for Github Flavored Markdown is here. BM bundles cmark-gfm v0.29.0, so assuming the spec still says it applies to that version at the top, BM should support everything you read there. I haven't tested anything other than strikethrough and

tables tables
tables tables

I do not expect to update the bundled cmark-gfm with any regularity. I don't even expect to update BM!

Other new features

Since v4.0.0

A static directory. Put stuff in static/ and it will be copied to build/static/. Put your resume at static/docs/resume.pdf and link to it with [my resume](/static/docs/resume.pdf).

RSS feed generation. I think I implemented it poorly. I don't know. I don't use RSS feeds.

Yes my website's onion service has changed

Posted on 19 Dec 2019 by Matt Traudt


My hosting provider went out of business.

I didn't get my onion service's keys off the box in time. Stupid. Kept putting it off like an idiot.

I took this opportunity to stop offering a v2 onion service. Now you have to use that hot v3 goodness. Oh nooooo.

It's at http://tv54samlti22655ohq3oaswm64cwf7ulp6wzkjcvdla2hagqcu7uokid.onion now.

Like you've always been able to (but probably no one has ever done), you can verify this post was written by me by downloading this page, downloading the signature of this page by appending .asc to the URL, and using (e.g.) GnuPG. Oh and hopefully you already have my key or have a good reason to trust that the key in the footer of my website is mine. I am B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A. But the preceding sentence is meaningless if you didn't already know that. But now I'm repeating myself. Ugh trust. Identities.

$ wget -q
$ wget -q
$ gpg --verify yes-my-websites-w6t3nxCA.html.asc 
gpg: assuming signed data in 'yes-my-websites-w6t3nxCA.html'
gpg: Signature made Thu 19 Dec 2019 07:51:10 PM EST
gpg:                using RSA key B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A
gpg: Good signature from "Matt Traudt <>" [unknown]
gpg:                 aka "Matt Traudt <>" [unknown]
gpg:                 aka "Matt Traudt <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B7E1 05FC 4E6D 9377 F89C  BA4C 83BC A952 94FB BB0A

If you're familiar with PGP you know what can be different from the above without concern. If you're not familiar with PGP, you shouldn't be trusting things because they are "PGP verified."
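The check from the session above, pinned to one fingerprint, as an added example that is not part of the original post: `gpg --verify` prints "Good signature" for any key in the local keyring, so this script reads the `--status-fd` lines and accepts only a `VALIDSIG` that names the expected fingerprint. The function names `check_status` and `verify_pinned`, the sample status lines and the `OTHER_FPR` key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the post): accept a detached signature only when it
# was made by one pinned key, judged from gpg's machine-readable status lines.

# Full fingerprint as printed in the post above.
EXPECTED_FPR="B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A"

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only if a
# VALIDSIG line names FPR (signing key or primary key) and nothing flags the
# signature or key as bad, expired or revoked.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field its primary key.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE DATAFILE: runs gpg and applies the check above.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run).
SAMPLE_PINNED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 83BCA95294FBBB0A Matt Traudt
[GNUPG:] VALIDSIG $EXPECTED_FPR 2019-12-20 1576803070 0 4 0 1 10 00 $EXPECTED_FPR"

# Same user ID, but a different (made-up) key: gpg still says "Good signature".
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Matt Traudt
[GNUPG:] VALIDSIG $OTHER_FPR 2019-12-20 1576803070 0 4 0 1 10 00 $OTHER_FPR"

# Pinned key, but gpg reports the key as expired.
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 83BCA95294FBBB0A Matt Traudt
[GNUPG:] VALIDSIG $EXPECTED_FPR 2019-12-20 1576803070 0 4 0 1 10 00 $EXPECTED_FPR"

# Usage: ./verify.sh page.html.asc page.html
if [ "$#" -eq 2 ]; then verify_pinned "$1" "$2" && echo "signed by pinned key"; fi
```

The pin only moves the trust question to where `EXPECTED_FPR` came from; it has to be obtained from somewhere other than the page being verified.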

Shut up about The Hidden Wiki

Posted on 11 Nov 2019 by Matt Traudt

Last updated 22 Nov 2019 at 7:56 am

The focus/organization of this post is poor and it does not contain much technical information. You might want to skip this one.

I spent about an hour searching the web for the phrase "the hidden wiki" and collected all the resulting websites I could find that called themselves that or some slight variation of that. I searched using DuckDuckGo, Ahmia, something called OnionLand Search, and something called Tor66*.

After deduplication, I found 48 websites, of which 46 were up right now. 40 sites were onion services. 40 onion services that you can easily find that all call themselves the hidden wiki. When someone asks "hey, how do I find cool onion services?" and you respond with "look up the hidden wiki," which one are you talking about? Does it even matter? Do you even care that they will probably type "the hidden wiki" into the URL bar of Tor Browser, which defaults to searching with DuckDuckGo, which doesn't even index onion services, so they're going to visit something like Is that really what you were intending?

Let's assume for a little bit that when you say "the hidden wiki," you're talking about a specific one and you have the means to easily pull it up again. It has also somehow established itself as trustworthy: it doesn't link to scams, doesn't serve you malicious JavaScript, etc. Whatever. How the hell is anyone supposed to find it? The more-secure web comprised of onion services (colloquially and stupidly referred to as "the deep web") does not yet have good search engines**. There's no good reputation tracking systems. The ones that exist look easily gameable or malicious themselves. Good results don't just rise to the top. Imposters don't get crowded out. **No one knows which "hidden wiki" you're

Read the entire post

You want Tor Browser ... not a VPN

Posted on 17 Oct 2019 by Matt Traudt

Last updated 28 Oct 2019 at 2:28 pm

In most cases.

Untruth: VPNs protect you from local network hackers

This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help.

A little.

Today, well over 2/3 of web traffic is protected by TLS and all (not scientifically determined, just a baseless claim by me) of the sites worth using have and force HTTPS on clients. TLS and the CA system have their issues, but your average little coffee shop hacker is not going to be able to attack it nor convince your browser to downgrade to clear text, so you were already fine. All this hacker is going to learn is the sites that you are visiting: not your account name, not your password, and not what you do on that site.

Claims that VPNs protect your passwords or bank accounts or that they add any meaningful amount of security/privacy/anonymity in this context inside your home are bullshit.

VPN vs Tor Browser

In this context, since the VPN wasn't doing much of anything to begin with, they are essentially the same. Tor (thus Tor Browser) is in fact built correctly to disallow anyone from ever intercepting and reading the traffic between you and your guard relay. If your chosen VPN isn't (good luck figuring it out), then Tor (Browser) is better. But honestly, your VPN is probably just as good.

Read the entire post