Elie Bursztein
Anti-Fraud and Abuse Research Lead at GoogleExperiences
Present2014
Anti-Fraud and Abuse Research Lead
Google Inc. Moutain View, CA, USA20142013
Senior Research Scientist
Google Inc. Moutain View, CA, USA20132012
Research Scientist
Google Inc. Moutain View, CA, USA20122008
Researcher
Stanford University Stanford, CA, USA20082004
Adjunct Professor
PGSM Paris, France20062002
CEO
Option Sarl Paris, France20042002
Instuctor
EPITA Paris, France20022000
Advanced Tech Support
Club-Internet Paris, FranceEducation
20082005
Ph.D Computer science, Security
Ecole Normale Supérieure Paris-Saclay Paris, France20042003
Master in Computer Science
Université Paris Diderot Paris, France20041998
Engineering degree in Systems, Networks and Security
EPITA Paris, FranceSelected talks
2018
How to successfully harness AI to combat fraud and abuse
Elie Bursztein RSA, San Francisco, USA2017
Hunting down Gooligan — retrospective analysis
Elie Bursztein, Oren Koriat Botconf, Montpellier, France2017
Attacking encrypted USB keys the hard(ware) way
Jean-Michel Picod, Rémi Audebert, Elie Bursztein Black Hat USA, Las Vegas, USA2017
Tracking desktop ransomware payments end to end
Luca Invernizzi, Kylie McRoberts, Elie Bursztein Black Hat USA, Las Vegas, USA2017
How we created the first SHA-1 collision and what it means for hash security
Elie Bursztein Black Hat USA & Defcon 25, Las Vegas, USA2017
Targeted Attack Against Corporate Inboxes A Gmail Perspective
Elie Bursztein RSA, San Francisco, USA2016
Cheating at poker - James Bond Style
Elie Bursztein, Celine Bursztein, Jean-Michel Picod Defcon 24, Las Vegas2016
Does dropping usb drives really work?
Elie Bursztein Black Hat USA, Las Vegas, USA2016
Lessons learned while protecting Gmail
Elie Bursztein Enigma first edition, San Francisco, USA2014
I am a legend: hacking hearthstone with machine learning
Elie Bursztein, Celine Bursztein Defcon 22, Las Vegas2012
Fuzzing online games
Elie Bursztein, Patrick Samy Defcon 20, Las Vegas, USA2011
Beyond files recovery owade cloud-based forensic
Elie Bursztein, Ivan Fontarensky, Matthieu Martin, Jean-Michel Picod Black Hat USA, Las Vegas, USA2010
Kartograph
Elie Bursztein, Jocelyn Lagarenne, Dan Boneh Defcon 18, Las Vegas, USA2010
Bad memories
Elie Bursztein, Baptiste Gourdin, Dan Boneh Black Hat USA / Defcon 18, Las Vegas, USA2010
Reversing dpapi and stealing windows secrets offline
Jean-Michel Picod, Elie Bursztein Black Hat DC, Washington, USA2009
Embedded management interfaces emerging massive insecurity
Hristo Bojinov, Elie Bursztein Black Hat USA, Las Vegas, USASelected publications
Tracking desktop ransomware payments end to end
Danny Yuxing Huang, Maxwell Aliapoulios, Vector Guo, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy Security and Privacy, San Francisco, USAThree years of the Right to be Forgotten
Theo Bertram , Elie Bursztein , Stephanie Caro , Hubert Chao , Rutledge Chin Feman , Peter Fleischer , Albin Gustafsson , Jess Hemerly , Chris Hibbert , Luca Invernizzi , Lanah Kammourieh Donnelly , Jason Ketover , Jay Laefer , Paul Nicholas , Yuan Niu , Harjinder Obhi , David Price , Andrew Strait , Kurt Thomas , Al Verney Under Submission, FebData Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials
Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, Elie Bursztein Computer and Communications Security, Dallas, USAThe first collision for full SHA-1
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov Crypto, Santa Barbara, USAUnderstanding the Mirai Botnet
Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou Usenix Security, Vancouver, CanadaPinning Down Abuse on Google Maps
Danny Y. Huang, Doug Grundman, Kurt Thomas, Abhishek Kumar, Elie Bursztein, Kirill Levchenko, Alex C. Snoeren World Wide Web, Perth, AustraliaThe Security Impact of HTTPS Interception
Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, Vern Paxson Network and Distributed Systems Symposium, San Diego, USAInvestigating commercial pay-per-install and the distribution of unwanted software
Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-Andre Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy Usenix Security, Austin, USACloak of visibility: detecting when machines browse a different web
Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, Elie Bursztein Security and Privacy, San JoseRemedying web hijacking notification effectiveness and webmaster comprehension
Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, Vern Paxson Word Wide Web, Montreal, CanadaUsers really do plug in usb drives they find
Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Bailey Security and Privacy, San Jose, USANeither snow nor rain nor mitm . . . an empirical analysis of email delivery security
Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman IMC, TokyoSecrets, lies, and account recovery: lessons from the use of personal knowledge questions at google
Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, Mike Williamson 22nd international conference on World Wide Web, Florence, ItalyAd injection at scale: assessing deceptive advertisement modifications
Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, Moheeb Abu Rajab Security and Privacy, OaklandHandcrafted fraud and extortion: manual account hijacking in the wild
Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage Internet Measurement Conference, Vancouver, CanadaDialing back abuse on phone verified accounts
Kurt Thomas, Dmytro Latskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy Conference on Computer and Communications Security, Scottsdale, USACloak and swagger: understanding data sensitivity through the lens of user anonymity
Sai Teja Peddinti, Aleksandra Korolova, Elie Bursztein, Geetanjali Sampemane Security And Privacy, San JoseOnline microsurveys for user experience research
Victoria Schwanda Sosik, Elie Bursztein, Sunny Consolvo, David Huffaker, Gueorgi Kossinets, Kerwell Liao, Paul McDonald, Aaron Sedley Human Factors in Computing Systems, VancouverEasy does it: more usable captchas
Elie Bursztein, Angelika Moscicki, Celine Fabry, Steven Bethard, John C. Mitchell, Dan Jurafsky Conference on Human Factors in Computing Systems, Toronto, CanadaSessionjuggler secure web login from an untrusted terminal using session hijacking
Elie Bursztein, Chinmay Soman, Dan Boneh, John C. Mitchell World Wide Web, Lyon, FranceText-based captcha strengths and weaknesses
Elie Bursztein, Matthieu Martin, John C. Mitchell Computer and Communications Security, Chicago, USATowards secure embedded web interfaces
Baptiste Gourdin, Chinmay Soman, Hristo Bojinov, Elie Bursztein Usenix Security, San Francisco, USAThe failure of noise-based non-continuous audio captchas
Elie Bursztein, Romain Bauxis, Hristo Paskov, Daniele Perito, Celine Fabry, John C. Mitchell Security and Privacy, Oakland, USAOpenconflict preventing real time map hacks in online games
Elie Bursztein, Jocelyn Lagarenne, Mike Hamburg, Dan Boneh Security and Privacy, Oakland, USAAn analysis of private browsing modes in modern browsers
Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix Security, Washington, USAState of the art automated black-box web application vulnerability testing
Jason Bau, Elie Bursztein, Divij Gupta, John C. Mitchell Security and Privacy, Oakland, USAHow good are humans at solving captchas a large scale evaluation
Elie Bursztein, Steven Bethard, Celine Fabry, Dan Jurafsky, John C. Mitchell Security and Privacy, Oakland, USAXcs cross channel scripting and its impact on web applications
Hristo Bojinov, Elie Bursztein, Dan Boneh Computer and Communications Security, Chicago, USASelected press articles
Apr 2018
AI can help cybersecurity - if it can fight through the hype
How to successfully harness AI to combat fraud and abuse WiredFeb 2018
People Have Asked Google to Remove 2.4 Million Links About Them. Here's What They Want to Forget
Three years of the Right to be Forgotten FortuneFeb 2018
Droit à l’oubli : en presque quatre ans, Google a reçu plus de 650 000 demandes
Three years of the Right to be Forgotten Le MondeFeb 2018
Recht auf Vergessenwerden: Google erhielt bislang 2,4 Millionen URL-Löschanfragen
Three years of the Right to be Forgotten Heise OnlineFeb 2018
Google has received 2.4 million URL removal requests under EU 'right to be forgotten' laws
Three years of the Right to be Forgotten The VergeNov 2017
Google investigators find hackers swipe nearly 250,000 passwords a week
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials MashableNov 2017
Google says hackers steal almost 250,000 web logins each week
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials CNNJul 2017
Ransomware 'here to stay', warns Google study
Tracking desktop ransomware payments end to end BBCJul 2017
Google ransomware tracking finds vicious infection cycle
Tracking desktop ransomware payments end to end USA TodayJul 2017
Google Warns Ransomware Boom Scored Crooks $2 Million A Month
Tracking desktop ransomware payments end to end ForbesFeb 2017
Google Team Cracks Longtime Pillar of Internet Security
The first collision for full SHA-1 WSJFeb 2017
Google breaks SHA-1 web crypto for good
The first collision for full SHA-1 ZDnetFeb 2017
Google Just 'Shattered' An Old Crypto Algorithm -- Here's Why That's Big For Web Security
The first collision for full SHA-1 ForbesFeb 2017
Google just cracked one of the building blocks of web encryption
The first collision for full SHA-1 The VergeOct 2016
The mobile phone that lets you cheat at ANY card game: Handset has secret sensors to read cards
Cheating at poker - James Bond Style Daily MailAug 2016
The state of cyber security: we're all screwed
Users really do plug in usb drives they find The GuardianNov 2015
Gmail to warn when messages take unencrypted routes
Neither snow nor rain nor mitm . . . an empirical analysis of email delivery security Daily MailMay 2015
Your Password Security Questions Are Terrible, And They’re Not Fooling Anyone
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Huffington PostMay 2015
Google Study Shows Security Questions Aren’t All That Secure
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Tech CrunchMay 2015
Google Reveals the Problem With Password Security Questions
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google ABC NewsMay 2015
Stop Using This Painfully Obvious Answer For Your Security Questions
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google TimeMay 2015
Those secret security answers may not be so secure
Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google CBS NewsMay 2015
Busted! Google Names Key Culprits In Scammy Ad Software
Ad injection at scale: assessing deceptive advertisement modifications ForbesMay 2015
One in 20 web users infected with ad injection software
Ad injection at scale: assessing deceptive advertisement modifications The GuardianMay 2015
Ad Injection: Yet Another Challenge for Online Advertising
Ad injection at scale: assessing deceptive advertisement modifications The Wall Street JournalNov 2014
Gone in 180 Seconds: Hackers Quickly Raid E-Mails in Search of 'Wire Transfer' and Sex Photos
Handcrafted fraud and extortion: manual account hijacking in the wild BloombergNov 2014
This is how your Gmail account got hacked
Handcrafted fraud and extortion: manual account hijacking in the wild CNNNov 2014
Google Study Finds Email Scams Are More Effective Than You’d Expect
Handcrafted fraud and extortion: manual account hijacking in the wild Huffington PostNov 2014
Hijackers get up close and personal with hacked accounts
Handcrafted fraud and extortion: manual account hijacking in the wild USA TodayNov 2014
Inside the world of professional e-mail account hijackers
Handcrafted fraud and extortion: manual account hijacking in the wild The Washington PostFeb 2012
Stanford researchers crack video CAPTCHA
How we broke the nucaptcha video scheme and what we propose to fix it The VergeFeb 2012
Stanford University researchers break NuCaptcha video security
How we broke the nucaptcha video scheme and what we propose to fix it CNETNov 2011
Stanford Software Cracks Most Captchas
Text-based captcha strengths and weaknesses NBC NewsOct 2011
Captcha security not much of a gotcha
Text-based captcha strengths and weaknesses CBS NewsSep 2011
Forensic Tool Unlocks Online History
Beyond files recovery owade cloud-based forensic WSJSep 2011