Blog Archives

Full list of my blog posts.
Blog about web technologies and games with a focus on performance and security
security
Stay safe online in 10 easy steps
Aug 2021
Here are the ten most important steps you can take to stay safe online.
Magic
3 million smiles during the pandemic - the retrospective
Jul 2021
Retrospective of my attempt to make people smile during the COVID pandemic by performing magic tricks online for 32 weeks in a row.
cryptography
Hacker's guide to deep-learning side-channel attacks: code walkthrough
Jun 2021
Learn how to perform a deep-learning side-channel attack using TensorFlow to recover AES cryptographic keys from a hardware device's power traces, step by step.
cryptography
Hacker's guide to deep-learning side-channel attacks: the theory
May 2021
Learn the concepts behind deep-learning side-channel attacks, a powerful cryptanalysis technique, by using them to recover AES cryptographic keys from a hardware device.
web
Insights about the first five years of Right to Be Forgotten requests at Google
Dec 2019
This blog post distills the key findings of our longitudinal analysis of how Europe’s right to be forgotten (RTBF) is being applied in practice.
user experience
Understanding the online safety and privacy challenges faced by South Asian women
Jun 2019
For South Asian women, a major hurdle to meaningful participation online is the difficulty of ensuring their safety. This post illustrates this challenge by recounting the safety and privacy challenges faced by women across India, Pakistan, and Bangladesh, who talked to us about their online experiences.
security
Password checkup: from 0 to 650,000 users in 20 days
Mar 2019
Password checkup allows users to check, in a privacy-preserving manner, whether their username and password match one of the more than 4 billion credentials exposed by third-party data breaches of which Google is aware.
security
Account security - a divided user perception
Feb 2019
This post considers the perception clash that exists between what users perceive to be their most valuable accounts (email and social networks) and those they think they should protect the most (online banking).
security
The bleak picture of two-factor authentication adoption in the wild
Dec 2018
This post looks at two-factor authentication adoption in the wild, highlights the disparity of support between the various categories of websites, and illuminates how fragmented the two-factor ecosystem is in terms of standard adoption.
web
Quantifying the impact of the Twitter fake accounts purge - a technical analysis
Aug 2018
This post provides an overview of the impact of the Twitter 2018 accounts purge through the lens of its impact on 16k of Twitter’s most popular accounts.
ai
Attacks against machine learning — an overview
May 2018
This blog post surveys the attack techniques that target AI (Artificial Intelligence) systems and how to protect against them.
ai
How to handle mistakes while using AI to block attacks
Apr 2018
This post looks at the main difficulty faced while using a classifier to block attacks: handling mistakes and uncertainty such that the overall system remains secure and usable.
ai
Challenges faced while training an AI to combat abuse
Apr 2018
This post looks at the four main challenges that arise when training a classifier to combat fraud and abuse.
ai
Why AI is the key to robust anti-abuse defenses
Apr 2018
This post explains why artificial intelligence (AI) is the key to building anti-abuse defenses that keep up with user expectations and combat increasingly sophisticated attacks. This is the first post of a series of four posts dedicated to providing a concise overview of how to harness AI to build robust anti-abuse protections.
network security
Taking down Gooligan part 3 — monetization and clean-up
Mar 2018
This post provides an in-depth analysis of Gooligan's monetization schemes and recounts how Google took it down with the help of external partners.
network security
Taking down Gooligan: part 2 — inner workings
Mar 2018
This post provides an in-depth analysis of the Gooligan malware's inner workings.
network security
Taking down Gooligan: part 1 — overview
Mar 2018
This post provides an overview of how Gooligan, the infamous Android OAuth-stealing botnet, works.
network security
Inside Mirai the infamous IoT Botnet: A Retrospective Analysis
Dec 2017
This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service attacks using hundreds of thousands of compromised Internet-of-Things devices.
security
Unmasking the ransomware kingpins
Oct 2017
This blog post exposes the cybercriminal groups that dominate the ransomware underworld, and analyzes the reasons for their success.
security
Exposing the inner-workings of the ransomware economy
Sep 2017
This blog post will shed light on the inner workings of ransomsphere economics and expose which cybercriminal groups are the biggest earners.
security
How to trace ransomware payments end-to-end - an overview
Aug 2017
This blog post, the first in the series, explains the methodology and techniques we developed to trace ransomware payments end-to-end.
privacy
Understanding how people use private browsing
Jul 2017
This post looks at how and why people are using the private browsing mode.
web security
Understanding the prevalence of web traffic interception
Jun 2017
This post summarizes how prevalent encrypted web traffic interception is and how it negatively affects online security according to a study we published at NDSS 2017.
how-to
Ten simple steps for keeping your laptop secure
Apr 2017
Here are ten quick and easy steps that you can take to increase the security of your laptop.
hacking
Bad beat: practical attacks against poker cheating devices
Mar 2017
This post discusses practical attacks against poker cheating devices: techniques designed to detect and jam these devices.
hacking
Royal flush: an in-depth look at poker cheating devices accessories
Nov 2016
In this post, we analyze how the accessories designed to conceal the use of high-end poker cheating devices in real games work.
hacking
Full(er) House: Exposing high-end poker cheating devices
Oct 2016
This post exposes how real-world highly advanced poker cheating devices work.
video game
Predicting Hearthstone game outcome with machine learning
Oct 2016
Here is how to use machine learning to predict the outcome of a Hearthstone game.
hacking
What are malicious usb keys and how to create a realistic one?
Aug 2016
This blog post shows how to create a reliable and realistic-looking malicious USB key that can be used in a drop attack.
how-to
5 useful tips to bulletproof your credit cards against identity theft
Jul 2016
Here are the 5 ways I bulletproof my credit cards against identity theft, and you can use them yourself very easily. As a bonus, at the end of the post I have added an experimental step to defend against the recent chip downgrading attack.
web security
How google helps 600,000 webmasters re-secure their hacked sites every year
Jun 2016
Every year, close to 600,000 sites are hacked. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and their long-term impact.
hacking
Concerns about usb security are real: 48% of people do plug-in usb drives found in...
Apr 2016
As an experiment we dropped nearly 300 USB sticks on the UIUC campus to assess whether USB drop attacks work and see if concerns about USB security were justified. We found out that at least 48% of the drives were plugged in. This blog post summarizes how we ran the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses...
anti-abuse
In-depth analysis of the lessons we learned while protecting gmail users
Apr 2016
This post provides an in-depth analysis of the lessons we learned while protecting Gmail users and their inboxes. We felt it was about time to share the key lessons we learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them. To that effect, with the help of various Gmail safety leaders...
web
How an improved responsive design and faster site increased visitor engagement by 104%
Mar 2016
This blog post recounts how moving this site to a fast, joyful responsive design with a lot of images improved session duration by 104% and decreased bounce rate by 53%.
hacking
The dark side of online poker or the commoditization and weaponization of big data and...
Feb 2016
Big data weaponization and malware-based espionage are usually associated with governments; however, they don’t have a monopoly on such activities. Online poker, too, uses big data to profile user behavior. Players search for fish (bad players) and use malware to spy on and rip off infected players at the (online) poker table. This blog post is a brief tour of...
hacking
What tools do the fbi use when seizing computers or the curious case of the mouse...
Jan 2016
This post summarizes which equipment the FBI uses to seize the contents of servers and laptops even when many of them use full disk encryption, and which defenses exist.
network security
How email in transit can be intercepted using dns hijacking
Jan 2016
This post looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack. While our research on the state of email delivery security indicates that this attack is less pervasive than the TLS downgrade attack discussed in a previous post, it is equally effective at defeating email...
network security
Understanding how tls downgrade attacks prevent email encryption
Dec 2015
Over the last two years, the number of encrypted emails received by Gmail has almost doubled, as I reported earlier on the Google security blog. This very encouraging trend is sadly accompanied with an increase of SMTP TLS downgrade attacks, which prevent encryption of emails in transit as discussed in our research paper on the state of email transport security....
anti-abuse
How phishing works
Aug 2015
Phishing is a social-engineering attack in which the attacker entices victims into giving up their credentials for a given website by impersonating it. Believe it or not, phishing campaigns are well organized and follow a very strict playbook. This post aims to shed some light on how phishing campaigns work under the hood and showcases which infrastructure phishers use...
video game
Hearthstone 3d card viewer in pure javascript/css3
Apr 2015
To celebrate the new Hearthstone expansion, Blackrock Mountain, I’m releasing a Hearthstone 3D card viewer written in pure JavaScript. I feel Blackrock Mountain’s release is the perfect opportunity to showcase HTML5’s top-notch performance and inspire more people to do cool visualizations on the web. With well over 500 cards, it’s high time to create a tool with...
web security
19.5% of https sites trigger browser warning as they use sha-1 signed certificates
Jan 2015
19.5% of HTTPS-enabled sites in Alexa's Top 1 Million trigger or will soon trigger a Chrome security warning because they are using the now deprecated SHA-1 signature algorithm to sign their HTTPS certificate. Soon those sites will be flagged by all major browsers as insecure.
video game
I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up
Sep 2014
A wrap-up of my Defcon talk about hacking Hearthstone with machine learning including slides and a video.
video game
Predicting a Hearthstone opponent’s deck using machine learning
Aug 2014
How a Hearthstone player can use machine learning to predict what their opponent will play next.
video game
Pricing hearthstone cards with unique abilities: VanCleef and The Twilight Drake
Aug 2014
This post explains how to price Hearthstone cards with unique abilities.
video game
How to find undervalued Hearthstone cards automatically
Jul 2014
How to find Hearthstone’s most undervalued cards automatically using machine learning.
video game
How to appraise Hearthstone card values
Jul 2014
This post explains how to appraise the value of Hearthstone cards using a pricing model.
web
Choose the right sharing icon to boost user engagement
Jun 2014
What’s the best icon to entice people to share something through their social networks? It turns out to be the one used on Android. While this may contradict guidelines proposed by some designers, this conclusion is based on the results of a survey of 7,500 users.
privacy
Using big data to understand users' privacy concerns
May 2014
Worries about big data and privacy are all over the news, but our new research shows that big data can also help better understand users' privacy concerns.
user experience
Meaning matters: why google switched to numeric captchas
Apr 2014
This is the story of how — and why — Google switched to numeric captchas.
security
Survey: most people don't lock their android phones - but should
Mar 2014
Half of Android users (more precisely, over 52 percent) don’t bother to lock their phones, despite having the choice of using patterns, passwords, PINs, and even their faces to secure their devices. This contrasts starkly with a report from the Federal Communications Commission warning that up to 40 percent of robberies in major cities involve cell phones.
user experience
Phone screen size: bigger isn't always better
Jan 2014
Marketers agree: screen size is a top priority for anyone shopping for their next cell phone but my new consumer survey challenges this conventional wisdom.
web
High-end macbook pro retina (late 2013, 15in) benchmark
Oct 2013
I was lucky enough to get the new 2013 high-end Macbook Pro Retina (15in) yesterday and started wondering about how it compares to the mid-2012 Retina (15in) model. On a personal level, I'm also pretty interested in how its gaming performance compares with its predecessor's.
web
The (untold) price of doing local search
Sep 2013
Nearly everyone loves mobile apps that can perform local searches, get directions, or find the nearest decent restaurant. But what’s not so obvious is that these local apps can have hidden bandwidth costs — meaning that, in some cases, they can run up your phone bill in ways you might not expect.
anti-abuse
When a porn site masquerades as the apple app store
May 2013
The next time you think you’re buying an iOS app from Apple’s online store, be warned: it could be a lookalike site. Recently I was redirected via an ad to an Apple-spoofing site at Badoink.
web security
Apple finally turns HTTPS on for the app store, fixing a lot of vulnerabilities
Mar 2013
In early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for them and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users. This post discusses the vulnerabilities
anti-abuse
18.4% of us internet users got at least one of their account compromised
Jan 2013
Almost one in five US Internet users report that one of their online accounts had been compromised at some point. That is the result of the study I conducted using Google Consumer Surveys. This is a much higher percentage than I imagined and it emphasizes how pervasive account compromises are.
web
Survey: internet explorer users are older, chrome seduces youth
Sep 2012
Teens and college-age kids like Chrome. Their grandparents would rather use Internet Explorer. That’s an exaggeration, but not much of one: a survey I recently conducted shows that approximately half of Americans 45 years or older prefer Internet Explorer, with the remainder of senior citizens opting for Firefox, Chrome, Safari, or Opera, in that order.
web
New job and new site. hello google
Mar 2012
Over the last few weeks, except for RSA, you might have noticed I have been very quiet. The reason behind my silence was that I was changing jobs and getting settled in a new apartment in Mountain View. I am now a research scientist at Google where I will work on trying to fix the Internet.
web security
How we broke the nucaptcha video scheme and what we propose to fix it
Feb 2012
NuCaptcha is the first widely deployed video captcha scheme. Since Technology Review interviewed me about NuCaptcha in October 2010, I have been working on evaluating its security and usability. In this blog post, I will discuss how we are able to break the current version of NuCaptcha with >90% success
web
Porn domain not that sexy: no rush to have .xxx
Dec 2011
While there is huge hype surrounding .xxx domains, with companies rushing to buy them to protect their brand, it seems that registration data disagree with this. My analysis of the 50,000 most popular websites in the world shows that only 24% of them actually registered their .xxx domain.
anti-abuse
What phishing sites look like? (study)
Nov 2011
In this post we are going to take a closer look at the phishing tactics currently employed in the wild. The trends uncovered by analyzing our new data set of 5,000 recent phishing sites will change the way you think about phishing.
web security
Evolution of the https lock icon (infographic)
Nov 2011
Since the introduction of HTTPS by Netscape, the lock icon has been the indicator of choice to tell users that their communication is secure. Over the years, this “prestigious” icon's shape and position kept changing from browser to browser and from version to version, so I made a couple of infographics to illustrate this. I hope you will enjoy them.
privacy
Using the microsoft geolocalization api to retrace where a windows laptop has been
Jul 2011
EDIT (Tuesday 2nd August): Microsoft's statement is available from here. EDIT (Sunday 31st July): The flaw is fixed. I had a phone call with some people from Microsoft yesterday (yes, on a Saturday) and they told me they fixed the problem. I will update this post with their response as soon as it is out.
web security
Tracking users that block cookies with a http redirect
Jul 2011
While the standard technique to track users across multiple sites/visits is to use cookies, this is by no means the only way to do it. Last year Samy, with his famous evercookie application, showed that in fact many browser storage mechanisms (Flash, local storage) can be used to store a unique identifier.
web security
Five surprising captcha schemes
Mar 2011
Since I started doing research on CAPTCHA security two years ago, I have relentlessly collected samples of all the different schemes I have encountered. In this blog post, I want to share with you five of the craziest, funniest, and most interesting schemes I collected.
security
Some insights about password shapes
Feb 2011
Today, I would like to share with you some insights that I discovered about password “shapes.” More specifically, I will discuss some of the interesting metrics I computed from the RockYou database, which is, as far as I know, the largest password database ever leaked, with 32 million passwords!
hacking
Identifying internet explorer user with a smb query
Aug 2010
Internet Explorer privacy is flawed. This blog post shows how an SMB query can be abused to force Internet Explorer to disclose the Windows username, domain and version even while in private mode or using an HTTP proxy. Proof of concept included.