Posted on 28 Aug 2016 by Matt Traudt
Last updated 28 Sep 2020 at 9:10 am
I work for the Naval Research Lab. From 2016-2020 I worked among world experts
on privacy and security performing research and development on Tor, and
sometimes the Internet in general. You will find this reflected in my
As of 2021 I still work for NRL but not to work with Tor.
If you like the privacy/security things that I do, please consider donating to
help me keep doing them.
Your support will help rationalize spending my free time on these important
causes. You will be supporting:
- The ongoing development of FlashFlow, a better bandwidth
measurement system for Tor. FlashFlow better balances load in the Tor
network, making it faster for you. FlashFlow limits the amount of weight a
malicious party can obtain, making it more secure for you. FlashFlow measures
relays accurately the first time and every time, making relay operators happy
that their resource contribution is more fully utilized.
- The operation of Tor relays. I have managed 10s of relays over the
years, many of which are exits. I would like to operate more. Please contact
me if you would like to support the operation of high-quality up-to-date relays
and/or relays running new experimental versions of Tor. I will also run exits
with your support. The relays I run can be found here (link likely to
stop working without me noticing).
- The operation of a bitcoin node and
ElectrumX onion service at
kmkm7ntkwrlb7a3ay2lyycguvf7xleuv7tf3wzregzpjuhqxiogf7tyd.onion that does not
log. tcp/ssl/ws/wss ports 50001-50004 respectively.
- The operation of an IRC bouncer for Tor Project members.
Peer-Reviewed Journals and Conferences
Self-Authenticating Traditional Domain Names
IEEE Secure Development Conference (SecDev 2019)
Paul Syverson and Matthew Traudt
KIST: Kernel-Informed Socket Transport for Tor
ACM Transactions on Privacy and Security (TOPS 2018)
Rob Jansen, Matthew Traudt, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson
Privacy-preserving Dynamic Learning of Tor Network Traffic
25th ACM Conference on Computer and Communication Security (CCS 2018)
Rob Jansen, Matthew Traudt, and Nick Hopper
Does Pushing Security on Clients Make Them Safer?
12th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2019)
Matthew Traudt and Paul Syverson
HSTS Supports Targeted Surveillance
8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 2018)
Paul Syverson and Matthew Traudt
FlashFlow: A Secure Speed Test for Tor (Parent Proposal) prop#316, 2020
Matthew Traudt, Rob Jansen, Aaron Johnson, and Mike Perry
FlashFlow: A Secure Speed Test for Tor
Technical Report arXiv:2004.09583 [cs.CR] (arXiv 2020)
Matthew Traudt, Rob Jansen, and Aaron Johnson
Tor’s Been KIST: A Case Study of Transitioning Tor Research to Practice
Technical Report arXiv:1709.01044 [cs.CR] (arXiv 2017)
Rob Jansen and Matthew Traudt
Personal: sirmatt |at| ksu d0t edu
Read the entire post
Tor: pastly |at| torproject d0t org
Work: matthew d0t traudt |at| nrl d0t navy d0t mil
Reddit: /u/system33- and /u/pastlytor. Any other username claiming to be me is lying.
Posted on 01 Apr 2020 by Matt Traudt
Last updated 14 Apr 2020 at 11:31 am
I was training for a half marathon in May 2020. Training three days a week.
Increasingly longer runs each time. Ya know. Preparing. Then COVID-19 hit the
US. I'm now on week 3 of working from home and the race is
Coincidentally I've been eating so poorly (for so long) that increasing miles
weren't decreasing pounds.
Thus far we're still allowed to go outdoors for exercise as long as we maintain
social distance. I lack a big firm goal of a half marathon, but don't want to
regress back into the comfortable laziness I've been enjoying for far too long.
So I've decided to modify my exercise regimen to (at least initially) involve
more frequent but shorter runs.
Also I'm going to count calories, which in the past has been the key to
actually successfully losing weight. If I don't count, I don't make much
progress and regress quickly. Oh and being accountable helps.
So here we go. Time to be accountable to the Internet and improve my life while
on "lock down."
This is the weight I've lost. I want to lose ~2 pounds per week, which in the
past has been attainable. I want to lose ~30 pounds, so I'm looking at about 13
weeks (91 days) here. This will put me at a BMI of ~22, squarely within the
"normal" range of 18.5-24.9.
Here are the runs I've gone on.
Posted on 04 Mar 2020 by Matt Traudt
Hey look. This dead project is getting a new major version. Don't count on this
continuing to happen! ;)
The default/bundled markdown parser is changed from
cmark-gfm. While making the change, I sometimes noticed the content of my
pages being rendered differently. Once the change was finally fully made,
however, the content renders the same. I have no idea why it would be
different, nor do I know what I was doing to make it break/unbreak.
Thus, to be cautious, I'm calling this a breaking change. Thus a new major
version for BM is required.
The full spec for Github Flavored Markdown is
here. BM bundles
cmark-gfm v0.29.0, so
assuming the spec still says it applies to that version at the top, BM should
support everything you read there. I haven't tested anything other than
I do not expect to update the bundled
cmark-gfm with any regularity. I don't
even expect to update BM!
Other new features
A static directory. Put stuff in
static/ and it will be copied to
build/static/. Put your resume at
static/docs/resume.pdf and link to it
RSS feed generation. I think I implemented it poorly. I don't know. I
don't use RSS feeds.
Posted on 19 Dec 2019 by Matt Traudt
My hosting provider went out of business.
I didn't get my onion service's keys off the box in time. Stupid. Kept putting
it off like an idiot.
I took this opportunity to stop offering a v2 onion service. Now you have to
use that that hot v3 goodness. Oh nooooo.
It's at http://tv54samlti22655ohq3oaswm64cwf7ulp6wzkjcvdla2hagqcu7uokid.onion now.
Like you've always been able to (but probably no one has ever done), you can
verify this post was written by me by downloading this page, downloading the
signature of this page by appending
.asc to the URL, and using (e.g.) GnuPG.
Oh and hopefully you already have my key or have a good reason to trust that
the key in the footer of my website is mine. I am
B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A. But the preceeding sentence is
meaningless if you didn't already know that. But now I'm repeating myself. Ugh
$ wget -q https://matt.traudt.xyz/posts/yes-my-websites-w6t3nxCA.html
$ wget -q https://matt.traudt.xyz/posts/yes-my-websites-w6t3nxCA.html.asc
$ gpg --verify yes-my-websites-w6t3nxCA.html.asc
gpg: assuming signed data in 'yes-my-websites-w6t3nxCA.html'
gpg: Signature made Thu 19 Dec 2019 07:51:10 PM EST
gpg: using RSA key B7E105FC4E6D9377F89CBA4C83BCA95294FBBB0A
gpg: Good signature from "Matt Traudt <email@example.com>" [unknown]
gpg: aka "Matt Traudt <firstname.lastname@example.org>" [unknown]
gpg: aka "Matt Traudt <email@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B7E1 05FC 4E6D 9377 F89C BA4C 83BC A952 94FB BB0A
If you're familiar with PGP you know what can be different from the above
without concern. If you're not familiar with PGP, you shouldn't be trusting
things because they are "PGP verified."
Posted on 11 Nov 2019 by Matt Traudt
Last updated 22 Nov 2019 at 7:56 am
The focus/organization of this post is poor and it does not contain much
technical information. You might want to skip this one.
I spent about an hour searching the web for the phrase "the hidden wiki" and
collected all the resulting websites I could find that called themselves that
or some slight variation of that. I searched using DuckDuckGo,
Ahamia, something called OnionLand Search, and something
After deduplication, I found 48 websites, of which 46 were up right now. 40
sites were onion services. 40 onion services that you can easily find that
all call themselves the hidden wiki. When someone asks "hey, how do I find cool
onion services?" and you respond with "look up the hidden wiki," which one are
you talking about? Does it even matter? Do you even care that they will
probably type "the hidden wiki" into the URL bar of Tor Browser, which
defaults to searching with DuckDuckGo, which doesn't even index onion services,
so they're going to visit something like thehiddenwiki.org? Is that really what
you were intending?
Let's assume for a little bit that when you say "the hidden wiki," you're
talking about a specific one and you have the means to easily pull it up again.
It has also somehow established itself as trustworthy: it doesn't link to scams,
supposed to find it?
The more-secure web comprised of onion services (colloquially and stupidly
referred to as "the deep web") does not yet have good search engines**.
There's no good reputation tracking systems. The ones that exist look easily
gameable or malicious themselves. Good results don't just rise to the top.
Imposters don't get crowded out. **No one knows which "hidden wiki" you're
Read the entire post
Posted on 17 Oct 2019 by Matt Traudt
Last updated 28 Oct 2019 at 2:28 pm
In most cases.
Untruth: VPNs protect you from local network hackers
This is usually claimed in the context of open WiFi networks such as those at
airports or coffee shops, and is basically correct. As long as you have a
reputable VPN company and they set up their software correctly, then VPNs help.
Today, well over 2/3 of web traffic being protected by TLS
and all (not scientifically determined, just a baseless claim by me) of sites
worth using have and force HTTPS on clients. TLS and the CA system has its
issues, but your average little coffee shop hacker is not going to be able to
attack it nor convince your browser to downgrade to clear text, so you were
already fine. All this hacker is going to learn is the sites that you are
visiting: not your account name, not your password, and not what you do on that
Claims that VPNs protect your passwords or bank accounts or that they add any
meaningful amount of security/privacy/anonymity in this context inside your
home are bullshit.
VPN vs Tor Browser
In this context, since the VPN wasn't doing much of anything to begin with,
they are essentially the same. Tor (thus Tor Browser) is in fact built
correctly to disallow anyone from ever intercepting and reading the traffic
between you and your guard relay. If your chosen VPN isn't (good luck figuring
it out), then Tor (Browser) is better. But honestly, your VPN is probably just
Read the entire post