Elie Bursztein
Elie Bursztein
Born1980 (age 4344)
NationalityFrench
CitizenshipFrench
Education
Known for
Scientific career
Fields
Institutions
ThesisAnticipation games: Game theory applied to network security (2008)
Doctoral advisorJean Goubault-Larrecq
Websiteelie.net

Elie Bursztein,[r 1] born 1 June 1980 in France, is a French computer scientist and software engineer. He currently leads Google’s Security and Anti-Abuse Research Team.

Education and early career

Bursztein obtained a computer engineering degree from EPITA in 2004, a master’s degree in computer science from Paris Diderot University/ENS in 2005, and a PhD in computer science from École normale supérieure Paris-Saclay in 2008 with a dissertation titled Anticipation games: Game theory applied to network security. His PhD advisor was Jean Goubault-Larrecq.

Before joining Google, Bursztein was a post-doctoral fellow at Stanford University's Security Laboratory, where he collaborated with Dan Boneh and John Mitchell on web security,[p 1][p 2] game security,[p 3][p 4] and applied cryptographic research.[p 5] His work at Stanford University included the first cryptanalysis of the inner workings of Microsoft’s DPAPI (Data Protection Application Programming Interface),[p 6] the first evaluation of the effectiveness of private browsing,[p 7][r 2] and many advances to CAPTCHA security[p 8][p 9][p 10] and usability.[p 11]

Bursztein has discovered, reported, and helped fix hundreds of vulnerabilities, including securing Twitter’s frame-busting code,[r 3] exploiting Microsoft's location service to track the position of mobile devices,[r 4] and exploiting the lack of proper encryption in the Apple App Store to steal user passwords and install unwanted applications.[r 5]

Career at Google

Bursztein joined Google in 2012 as a research scientist. He founded the Anti-Abuse Research Team in 2014 and became the lead of the Security and Anti-Abuse Research Team in 2017.[r 6] Bursztein's notable contributions at Google include:

  • 2020 Developing a deep-learning engine that helps to block malicious documents targeting Gmail users.[p 12]
  • 2019 Developing a password-checking service[r 7] that has allowed hundreds of millions of users[r 8] to check whether their credentials have been stolen in a data breach while preserving their privacy.[p 13]
  • 2019 Developing a Keras tuner that became the default hypertuner for TensorFlow[r 9] and TFX.[r 10]
  • 2018 Conducting the first large-scale study on the illegal online distribution of child sexual abuse material in partnership with NCMEC.[p 14]
  • 2017 Finding the 1st SHA-1 full collision.[p 15][r 11]
  • 2015 Deprecating security questions at Google after completing the first large in-the-wild study on the effectiveness of security questions,[p 16] which showed that they were both insecure and had a very low recall rate.[r 12][r 13]
  • 2014 Redesigning Google CAPTCHA to make it easier for humans, resulting in a 6.7% improvement in the pass rate.[p 17][1]
  • 2013 Strengthening Google accounts protections against hijackers[p 18] and fake accounts.[p 19]

Awards and honors

Best academic papers awards

  • 2021 USENIX Security distinguished paper award [r 14] for "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns[p 20]
  • Bursztein 2019 USENIX Security distinguished paper award [r 14] for Protecting accounts from credential stuffing with password breach alerting[p 13]
  • 2019 CHI best paper award[r 15] for “They don’t leave us alone anywhere we go”: Gender and digital abuse in South Asia[p 21]
  • 2017 Crypto best paper award[r 16] for The first collision for full SHA-1[p 15]
  • 2015 WWW best student paper award[r 17] for Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google[p 16][r 13]
  • 2015 S&P Distinguished Practical Paper award[r 18] for Ad Injection at Scale: Assessing Deceptive Advertisement Modifications[p 22][r 19]
  • 2011 S&P best student paper award[r 20] for OpenConflict: Preventing real time map hacks in online games[p 3]
  • 2008 WISPT best paper award for Probabilistic protocol identification for hard to classify protocol[p 23]

Industry awards

  • 2019 Recognized as one of the 100 most influential French people in cybersecurity[r 21]
  • 2017 BlackHat Pwnie award for the first practical SHA-1 collision[r 22]
  • 2015 IRTF Applied Networking Research Prize [r 23] for Neither snow nor rain nor MITM … An empirical analysis of email delivery security[p 24]
  • 2010 Top 10 Web Hacking Techniques for Attacking HTTPS with cache injection[r 24][p 25]

Trivia

Bursztein is an accomplished magician and posted magic tricks weekly on Instagram during the 2019 pandemic.[r 25]

In 2014, following his talk on hacking Hearthstone using machine learning,[p 26] he decided not to make his prediction tool open source, because of the Hearthstone’s community disappointment and at Blizzard Entertainment’s request.[r 26]

Selected publications

  1. H. Bojinov; E. Bursztein; D. Boneh (2009). XCS: cross channel scripting and its impact on web applications. CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
  2. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites. 3rd Web 2.0 Security and Privacy workshop. IEEE.
  3. 1 2 E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). OpenConflict: Preventing Real Time Map Hacks in Online Games. S&P'11 - Symposium on Security and Privacy. IEEE.
  4. E. Bursztein; J. Lagarenne (2010). Kartograph. DEF CON 18. Defcon.
  5. Bursztein, Elie; Picod, Jean Michel (2010). Recovering Windows secrets and EFS certificates offline. WoOT 2010. Usenix.
  6. J. M. Picod; E. Bursztein (2010). Reversing DPAPI and Stealing Windows Secrets Offline. Blackhat.
  7. Aggarwal, Gaurav; Bursztein, Elie; Collin, Jackson; Boneh, Dan (2010). An Analysis of Private Browsing Modes in Modern Browsers. 19th Usenix Security Symposium. Usenix.
  8. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). The failure of noise-based non-continuous audio captchas. S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
  9. E. Bursztein; M. Martin; J. C. Mitchell (2011). Text-based captcha strengths and weaknesses. CCS. ACM.
  10. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). The end is nigh: generic solving of text-based CAPTCHAs. WoOT'14 - Workshop On Offensive Technology. Usenix.
  11. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
  12. Bursztein, Elie (2020). Malicious Documents Emerging Trends: A Gmail Perspective. RSA 2020. RSA.
  13. 1 2 Thomas, Kurt; Jennifer, Pullman; Kevin, Yeo; Raghunathan, Ananth; Gage Kelley, Patrick; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. Usenix Security'19. Usenix.
  14. Bursztein, Elie; Bright, Travis; DeLaune, Michelle; Eliff, David; Hsu, Nick; Olson, Lindsey; Shehan, John; Thakur, Madhukar; Thomas, Kurt (2019). Rethinking the detection of child sexual abuse imagery on the Internet. Proceedings of the International Conference on World Wide Web. WWW.
  15. 1 2 Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). The first collision for full SHA-1. Crypto'17. IACR.
  16. 1 2 J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. WWW'15 - International Conference on World Wide Web. World Wide Web.
  17. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). Easy does it: More usable captchas. CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
  18. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
  19. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). Dialing Back Abuse on Phone Verified Accounts. CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
  20. Consolvo, Sunny; Gage Kelley, Patrick; Matthews, Tara; Thomas, Kurt; Dunn, Lee; Bursztein, Elie (2021). "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns. Usenix Security 2021. Usenix.
  21. Sambasivan, Nithya; Batool, Amna; Ahmed, Nova; Matthews, Tara; Thomas, Kurt; Sanely Gaytán-Lugo, Laura; Nemer, David; Bursztein, Elie; Elizabeth, Churchill; Consolvo, Sunny (2019). They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia. CHI Conference on Human Factors in Computing Systems. ACM.
  22. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). Ad injection at scale: Assessing deceptive advertisement modifications. S&P'15 - Symposium on Security and Privacy. IEEE.
  23. E. Bursztein (2008). Probabilistic Protocol Identification for Hard to Classify Protocol. Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4.
  24. Z. Durumeric; D. Adrian; A. Mirian; J. Kasten; E. Bursztein; N. Lidzborski; K. Thomas; V. Eranti; M. Bailey; J. A. Halderman (2015). Neither snow nor rain nor mitm... an empirical analysis of email delivery security. Internet Measurement Conference. ACM.
  25. E. Bursztein; B. Gourdin; D. Boneh (2009). Bad memories. Blackhat USA 2010. Blackhat.
  26. E. Bursztein; C. Bursztein (2014). I am a legend: hacking hearthstone with machine learning. DEF CON 22. DEF CON.

References

  1. Elie Bursztein. "Elie Bursztein's personal site". Retrieved 4 April 2021.
  2. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News. London.
  3. "Twitter Security Contributors List". Archived from the original on 18 February 2011.
  4. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET.
  5. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News.
  6. "Security, Privacy and Abuse research at Google". Retrieved 4 November 2020.
  7. Andreas Tuerk (2 October 2020). "To stay secure online, Password Checkup has your back". Google. Retrieved 28 May 2021.
  8. Kelly Earley (20 June 2020). "Sundar Pichai announces new Google privacy features". Silicon Republic. Retrieved 28 May 2021.
  9. Tensorflow. "Introduction to the Keras Tuner". Tensorflow. Retrieved 28 May 2021.
  10. Tensorflow. "The Tuner TFX Pipeline Component". Tensorflow. Retrieved 28 May 2021.
  11. Brandom, Russell (22 February 2017). "Google just cracked one of the building blocks of web encryption". The Verge.
  12. Beres, Damon (5 May 2015). "Your Password Security Questions Are Terrible, And They're Not Fooling Anyone". Huffington Post.
  13. 1 2 Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. Retrieved 15 June 2015.
  14. 1 2 Usenix. "Usenix best papers". Usenix. Retrieved 15 August 2021.
  15. CHI. "CHI'19 best papers list". ACM. Retrieved 15 January 2020.
  16. ICAR. "CRYPTO best papers list". ICAR. Retrieved 15 January 2020.
  17. "WWW - World Wide Web conference 2015 award list". WWW. Retrieved 15 June 2015.
  18. "S&P - Security And Privacy Symposium 2015 award list". IEEE. Retrieved 15 June 2015.
  19. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. Retrieved 15 June 2015.
  20. "S&P - Security And Privacy Symposium 2011 award list". IEEE. Retrieved 15 June 2015.
  21. L'usine nouvelle. "Qui sont les 100 Français qui comptent dans la cybersécurité". L'usine nouvelle. Retrieved 5 November 2020.
  22. Pwnie Awards Committee (July 2017). "Best Cryptographic Attack Pwnie Awards". Black Hat.
  23. IRTF. "Applied Networking Research Prize Winners". IRTF. Retrieved 5 November 2020.
  24. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)".
  25. Elie Busztein. "Elie Bursztein magic tricks on Instagram". Instagram. Retrieved 28 May 2021.
  26. Bursztein, Elie. "I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up".


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.