Elie Bursztein
Security & anti-abuse Research Lead at GoogleExperiences
Present2018
Security and Anti-abuse Research Lead
Google Inc. Moutain View, CA, USAPresent2014
Staff Research Scientist
Google Inc. Moutain View, CA, USA20142013
Senior Research Scientist
Google Inc. Moutain View, CA, USA20132012
Research Scientist
Google Inc. Moutain View, CA, USA20122008
Researcher
Stanford University Stanford, CA, USA20082004
Adjunct Professor
PGSM Paris, France20062002
CEO
Option Sarl Paris, France20042002
Instuctor
EPITA Paris, France20022000
Advanced Tech Support
Club-Internet Paris, FranceEducation
20082005
Ph.D Computer science, Security
Ecole Normale Supérieure Paris-Saclay Paris, France20042003
Master in Computer Science
Université Paris Diderot Paris, France20041998
Engineering degree in Systems, Networks and Security
EPITA Paris, FranceSelected talks
2020
Account protections - A Google Perspective
Elie Bursztein International Cybersecurity Forum, Lille, France2020
A Hacker’s guide to reducing side-channel attack surfaces using deep-learning
Elie Bursztein, Jean-Michel Picod Defcon 28 & Black Hat USA, Safemode2020
Malicious Documents Emerging Trends: A Gmail Perspective
Elie Bursztein RSA, San Francisco, USA2019
A Hacker Guide To Deep Learning Based Side Channel Attacks
Elie Bursztein, Jean-Michel Picod Defcon 27, Las Vegas2019
Deconstructing the Phishing Campaigns that Target Gmail Users
Elie Bursztein, Daniela Oliveira Black Hat USA, Las Vegas, USA2019
Cutting Edge TensorFlow - Keras Tuner: hypertuning for humans
Elie Bursztein Google IO, Mountain View, USA2019
Rethinking the detection of child sexual abuse imagery on the internet
Elie Bursztein Enigma, Burlingame, USA2018
How to successfully harness AI to combat fraud and abuse
Elie Bursztein RSA, San Francisco, USA2017
Hunting down Gooligan — retrospective analysis
Elie Bursztein, Oren Koriat Botconf, Montpellier, France2017
Attacking encrypted USB keys the hard(ware) way
Jean-Michel Picod, Rémi Audebert, Elie Bursztein Black Hat USA, Las Vegas, USA2017
Tracking desktop ransomware payments end to end
Luca Invernizzi, Kylie McRoberts, Elie Bursztein Black Hat USA, Las Vegas, USA2017
How we created the first SHA-1 collision and what it means for hash security
Elie Bursztein Black Hat USA & Defcon 25, Las Vegas, USA2017
Targeted Attack Against Corporate Inboxes A Gmail Perspective
Elie Bursztein RSA, San Francisco, USA2016
Cheating at poker - James Bond Style
Elie Bursztein, Celine Bursztein, Jean-Michel Picod Defcon 24, Las Vegas2016
Does dropping usb drives really work?
Elie Bursztein Black Hat USA, Las Vegas, USA2016
Lessons learned while protecting Gmail
Elie Bursztein Enigma first edition, San Francisco, USA2014
I am a legend: hacking hearthstone with machine learning
Elie Bursztein, Celine Bursztein Defcon 22, Las Vegas2012
Fuzzing online games
Elie Bursztein, Patrick Samy Defcon 20, Las Vegas, USA2011
Beyond files recovery owade cloud-based forensic
Elie Bursztein, Ivan Fontarensky, Matthieu Martin, Jean-Michel Picod Black Hat USA, Las Vegas, USA2010
Kartograph
Elie Bursztein, Jocelyn Lagarenne, Dan Boneh Defcon 18, Las Vegas, USA2010
Bad memories
Elie Bursztein, Baptiste Gourdin, Dan Boneh Black Hat USA / Defcon 18, Las Vegas, USA2010
Reversing dpapi and stealing windows secrets offline
Jean-Michel Picod, Elie Bursztein Black Hat DC, Washington, USA2009
Embedded management interfaces emerging massive insecurity
Hristo Bojinov, Elie Bursztein Black Hat USA, Las Vegas, USASelected publications
Dec 2020
Spotlight: Malware Lead Generation At Scale
Fabian Kaczmarczyck , Bernhard Grill , Luca Invernizzi , Jennifer Pullman , Cecilia M. Procopiuc , David Tao , Borbala Benko , Elie Bursztein Proceedings of Annual Computer Security Applications Conference, VirtualNov 2019
Five years of the Right to Be Forgotten
Theo Bertram , Elie Bursztein , Stephanie Caro , Hubert Chao , Rutledge Chin Feman , Peter Fleischer , Albin Gustafsson , Jess Hemerly , Chris Hibbert , Luca Invernizzi , Lanah Kammourieh Donnelly , Jason Ketover , Jay Laefer , Paul Nicholas , Yuan Niu , Harjinder Obhi , David Price , Andrew Strait , Kurt Thomas , Al Verney Computer and Communications Security, London, UKAug 2019
Protecting accounts from credential stuffing with password breach alerting
Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, Sarvar Patel, Dan Boneh, Elie Bursztein Proceedings of the USENIX Security Symposium, Santa Clara, USAMay 2019
Rethinking the detection of child sexual abuse imagery on the Internet
Elie Bursztein, Travis Bright, Michelle DeLaune, David M. Eliff, Nick Hsu, Lindsey Olson, John Shehan, Madhukar Thakur, Kurt Thomas World Wide Web, San Francisco, USAMay 2019
They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia
Nithya Sambasivan, Amna Batool, Nova Ahmed, Tara Matthews, Kurt Thomas, Laura Sanely Gaytán-Lugo, David Nemer, Elie Bursztein, Elizabeth Churchill, Sunny Consolvo CHI Conference on Human Factors in Computing Systems, Glasgow, Scotland UKAug 2018
Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data
Sowmya Karunakaran, Kurt Thomas, Elie Bursztein, Oxana Comanescu Symposium on Usable Security and Privacy, Baltimore, USAMay 2018
Tracking desktop ransomware payments end to end
Danny Yuxing Huang, Maxwell Aliapoulios, Vector Guo, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy Security and Privacy, San Francisco, USAOct 2017
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials
Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, Elie Bursztein Computer and Communications Security, Dallas, USAAug 2017
The first collision for full SHA-1
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov Crypto, Santa Barbara, USAAug 2017
Understanding the Mirai Botnet
Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou Usenix Security, Vancouver, CanadaApr 2017
Pinning Down Abuse on Google Maps
Danny Y. Huang, Doug Grundman, Kurt Thomas, Abhishek Kumar, Elie Bursztein, Kirill Levchenko, Alex C. Snoeren World Wide Web, Perth, AustraliaFeb 2017
The Security Impact of HTTPS Interception
Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, Vern Paxson Network and Distributed Systems Symposium, San Diego, USAAug 2016
Investigating commercial pay-per-install and the distribution of unwanted software
Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-Andre Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy Usenix Security, Austin, USAJun 2016
Cloak of visibility: detecting when machines browse a different web
Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, Elie Bursztein Security and Privacy, San JoseApr 2016
Remedying web hijacking notification effectiveness and webmaster comprehension
Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, Vern Paxson Word Wide Web, Montreal, CanadaApr 2016
Users really do plug in usb drives they find
Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Bailey Security and Privacy, San Jose, USANov 2015
Neither snow nor rain nor mitm . . . an empirical analysis of email delivery security
Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman IMC, TokyoMay 2015
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google
Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, Mike Williamson 22nd international conference on World Wide Web, Florence, ItalyMay 2015
Ad injection at scale: assessing deceptive advertisement modifications
Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, Moheeb Abu Rajab Security and Privacy, OaklandNov 2014
Handcrafted fraud and extortion: manual account hijacking in the wild
Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage Internet Measurement Conference, Vancouver, CanadaNov 2014
Dialing back abuse on phone verified accounts
Kurt Thomas, Dmytro Latskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy Conference on Computer and Communications Security, Scottsdale, USAApr 2014
Cloak and swagger: understanding data sensitivity through the lens of user anonymity
Sai Teja Peddinti, Aleksandra Korolova, Elie Bursztein, Geetanjali Sampemane Security And Privacy, San JoseMar 2014
Online microsurveys for user experience research
Victoria Schwanda Sosik, Elie Bursztein, Sunny Consolvo, David Huffaker, Gueorgi Kossinets, Kerwell Liao, Paul McDonald, Aaron Sedley Human Factors in Computing Systems, VancouverMar 2014
Easy does it: more usable captchas
Elie Bursztein, Angelika Moscicki, Celine Fabry, Steven Bethard, John C. Mitchell, Dan Jurafsky Conference on Human Factors in Computing Systems, Toronto, CanadaMar 2012
Sessionjuggler secure web login from an untrusted terminal using session hijacking
Elie Bursztein, Chinmay Soman, Dan Boneh, John C. Mitchell World Wide Web, Lyon, FranceSep 2011
Text-based captcha strengths and weaknesses
Elie Bursztein, Matthieu Martin, John C. Mitchell Computer and Communications Security, Chicago, USAJul 2011
Towards secure embedded web interfaces
Baptiste Gourdin, Chinmay Soman, Hristo Bojinov, Elie Bursztein Usenix Security, San Francisco, USAApr 2011
Openconflict preventing real time map hacks in online games
Elie Bursztein, Jocelyn Lagarenne, Mike Hamburg, Dan Boneh Security and Privacy, Oakland, USAApr 2011
The failure of noise-based non-continuous audio captchas
Elie Bursztein, Romain Bauxis, Hristo Paskov, Daniele Perito, Celine Fabry, John C. Mitchell Security and Privacy, Oakland, USAJul 2010
An analysis of private browsing modes in modern browsers
Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix Security, Washington, USAApr 2010
How good are humans at solving captchas a large scale evaluation
Elie Bursztein, Steven Bethard, Celine Fabry, Dan Jurafsky, John C. Mitchell Security and Privacy, Oakland, USAApr 2010
State of the art automated black-box web application vulnerability testing
Jason Bau, Elie Bursztein, Divij Gupta, John C. Mitchell Security and Privacy, Oakland, USAOct 2009
Xcs cross channel scripting and its impact on web applications
Hristo Bojinov, Elie Bursztein, Dan Boneh Computer and Communications Security, Chicago, USASelected press articles
Jan 2020
Google open-sources the tools needed to make 2FA security keys
Account protections - A Google Perspective EngadgetJan 2020
Google releases open-source 2FA security key platform called OpenSK
Account protections - A Google Perspective Android PoliceAug 2019
Checking your email when you’re grouchy could make you less likely to fall for phishing scams
Deconstructing the Phishing Campaigns that Target Gmail Users CNBCAug 2019
Phishing emails - Here's why we are still getting caught out after all these years
Deconstructing the Phishing Campaigns that Target Gmail Users ZDNetAug 2019
We keep falling for phishing emails, and Google just revealed why
Deconstructing the Phishing Campaigns that Target Gmail Users Fast CompanyAug 2019
Hackers want you to be happy. People in a good mood are easier to trick, research says
Deconstructing the Phishing Campaigns that Target Gmail Users CNETJan 2019
Fight against child sex abuse images requires smarter tech, Google expert says
Rethinking the detection of child sexual abuse imagery on the internet CNETApr 2018
AI can help cybersecurity - if it can fight through the hype
How to successfully harness AI to combat fraud and abuse WiredFeb 2018
People Have Asked Google to Remove 2.4 Million Links About Them. Here's What They Want to Forget
Five years of the Right to Be Forgotten FortuneFeb 2018
Droit à l’oubli : en presque quatre ans, Google a reçu plus de 650 000 demandes
Five years of the Right to Be Forgotten Le MondeFeb 2018
Recht auf Vergessenwerden: Google erhielt bislang 2,4 Millionen URL-Löschanfragen
Five years of the Right to Be Forgotten Heise OnlineFeb 2018
Google has received 2.4 million URL removal requests under EU 'right to be forgotten' laws
Five years of the Right to Be Forgotten The VergeNov 2017
Google investigators find hackers swipe nearly 250,000 passwords a week
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials MashableNov 2017
Google says hackers steal almost 250,000 web logins each week
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials CNNJul 2017
Ransomware 'here to stay', warns Google study
Tracking desktop ransomware payments end to end BBCJul 2017
Google Warns Ransomware Boom Scored Crooks $2 Million A Month
Tracking desktop ransomware payments end to end ForbesJul 2017
Google ransomware tracking finds vicious infection cycle
Tracking desktop ransomware payments end to end USA TodayFeb 2017
Google Team Cracks Longtime Pillar of Internet Security
The first collision for full SHA-1 WSJFeb 2017
Google Just 'Shattered' An Old Crypto Algorithm -- Here's Why That's Big For Web Security
The first collision for full SHA-1 ForbesFeb 2017
Google breaks SHA-1 web crypto for good
The first collision for full SHA-1 ZDnetFeb 2017
Google just cracked one of the building blocks of web encryption
The first collision for full SHA-1 The VergeOct 2016
The mobile phone that lets you cheat at ANY card game: Handset has secret sensors to read cards
Cheating at poker - James Bond Style Daily MailAug 2016
The state of cyber security: we're all screwed
Users really do plug in usb drives they find The GuardianNov 2015
Gmail to warn when messages take unencrypted routes
Neither snow nor rain nor mitm . . . an empirical analysis of email delivery security Daily MailMay 2015
Your Password Security Questions Are Terrible, And They’re Not Fooling Anyone
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Huffington PostMay 2015
Google Study Shows Security Questions Aren’t All That Secure
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Tech CrunchMay 2015
Those secret security answers may not be so secure
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google CBS NewsMay 2015
Google Reveals the Problem With Password Security Questions
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google ABC NewsMay 2015
Stop Using This Painfully Obvious Answer For Your Security Questions
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google TimeMay 2015
Ad Injection: Yet Another Challenge for Online Advertising
Ad injection at scale: assessing deceptive advertisement modifications The Wall Street JournalMay 2015
One in 20 web users infected with ad injection software
Ad injection at scale: assessing deceptive advertisement modifications The GuardianMay 2015
Busted! Google Names Key Culprits In Scammy Ad Software
Ad injection at scale: assessing deceptive advertisement modifications ForbesNov 2014
Gone in 180 Seconds: Hackers Quickly Raid E-Mails in Search of 'Wire Transfer' and Sex Photos
Handcrafted fraud and extortion: manual account hijacking in the wild BloombergNov 2014
Google Study Finds Email Scams Are More Effective Than You’d Expect
Handcrafted fraud and extortion: manual account hijacking in the wild Huffington PostNov 2014
This is how your Gmail account got hacked
Handcrafted fraud and extortion: manual account hijacking in the wild CNNNov 2014
Inside the world of professional e-mail account hijackers
Handcrafted fraud and extortion: manual account hijacking in the wild The Washington PostNov 2014
Hijackers get up close and personal with hacked accounts
Handcrafted fraud and extortion: manual account hijacking in the wild USA TodayFeb 2012
Stanford researchers crack video CAPTCHA
How we broke the nucaptcha video scheme and what we propose to fix it The VergeFeb 2012
Stanford University researchers break NuCaptcha video security
How we broke the nucaptcha video scheme and what we propose to fix it CNETNov 2011
Stanford Software Cracks Most Captchas
Text-based captcha strengths and weaknesses NBC NewsOct 2011
Captcha security not much of a gotcha
Text-based captcha strengths and weaknesses CBS NewsSep 2011
Forensic Tool Unlocks Online History
Beyond files recovery owade cloud-based forensic WSJSep 2011