Elie Bursztein

Elie Bursztein
Elie Bursztein
Born 1980 (age 43–44)
France
Nationality French
Citizenship French
Education
Known for
Scientific career
Fields
Computer Security

Cryptography Machine Learning

Institutions
Thesis Anticipation games: Game theory applied to network security (2008)
Doctoral advisor Jean Goubault-Larrecq
Website elie.net

Elie Bursztein, born 1 June 1980 in France, is a French computer scientist and software engineer. He currently leads Google’s Security and Anti-Abuse Research Team.

Education and early career

Bursztein obtained a computer engineering degree from EPITA in 2004, a master’s degree in computer science from Paris Diderot University/ENS in 2005, and a PhD in computer science from École normale supérieure Paris-Saclay in 2008 with a dissertation titled Anticipation games: Game theory applied to network security. His PhD advisor was Jean Goubault-Larrecq.

Before joining Google, Bursztein was a post-doctoral fellow at Stanford University's Security Laboratory, where he collaborated with Dan Boneh and John Mitchell on web security, game security, and applied cryptographic research. His work at Stanford University included the first cryptanalysis of the inner workings of Microsoft’s DPAPI (Data Protection Application Programming Interface), the first evaluation of the effectiveness of private browsing, and many advances to CAPTCHA security and usability.

Bursztein has discovered, reported, and helped fix hundreds of vulnerabilities, including securing Twitter’s frame-busting code, exploiting Microsoft's location service to track the position of mobile devices, and exploiting the lack of proper encryption in the Apple App Store to steal user passwords and install unwanted applications.

Career at Google

Bursztein joined Google in 2012 as a research scientist. He founded the Anti-Abuse Research Team in 2014 and became the lead of the Security and Anti-Abuse Research Team in 2017. Bursztein's notable contributions at Google include:

  • 2020 Developing a deep-learning engine that helps to block malicious documents targeting Gmail users.
  • 2019 Developing a password-checking service that has allowed hundreds of millions of users to check whether their credentials have been stolen in a data breach while preserving their privacy.
  • 2019 Developing a Keras tuner that became the default hypertuner for TensorFlow and TFX.
  • 2018 Conducting the first large-scale study on the illegal online distribution of child sexual abuse material in partnership with NCMEC.
  • 2017 Finding the 1st SHA-1 full collision.
  • 2015 Deprecating security questions at Google after completing the first large in-the-wild study on the effectiveness of security questions, which showed that they were both insecure and had a very low recall rate.
  • 2014 Redesigning Google CAPTCHA to make it easier for humans, resulting in a 6.7% improvement in the pass rate.
  • 2013 Strengthening Google accounts protections against hijackers and fake accounts.

Awards and honors

Best academic papers awards

  • 2021 USENIX Security distinguished paper award for "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns
  • Bursztein 2019 USENIX Security distinguished paper award for Protecting accounts from credential stuffing with password breach alerting
  • 2019 CHI best paper award for “They don’t leave us alone anywhere we go”: Gender and digital abuse in South Asia
  • 2017 Crypto best paper award for The first collision for full SHA-1
  • 2015 WWW best student paper award for Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google
  • 2015 S&P Distinguished Practical Paper award for Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
  • 2011 S&P best student paper award for OpenConflict: Preventing real time map hacks in online games
  • 2008 WISPT best paper award for Probabilistic protocol identification for hard to classify protocol

Industry awards

  • 2019 Recognized as one of the 100 most influential French people in cybersecurity
  • 2017 BlackHat Pwnie award for the first practical SHA-1 collision
  • 2015 IRTF Applied Networking Research Prize for Neither snow nor rain nor MITM … An empirical analysis of email delivery security
  • 2010 Top 10 Web Hacking Techniques for Attacking HTTPS with cache injection

Trivia

Bursztein is an accomplished magician and posted magic tricks weekly on Instagram during the 2019 pandemic.

In 2014, following his talk on hacking Hearthstone using machine learning, he decided not to make his prediction tool open source, because of the Hearthstone’s community disappointment and at Blizzard Entertainment’s request.

Selected publications

  1. H. Bojinov; E. Bursztein; D. Boneh (2009). XCS: cross channel scripting and its impact on web applications. CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
  2. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites. 3rd Web 2.0 Security and Privacy workshop. IEEE.
  3. E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). OpenConflict: Preventing Real Time Map Hacks in Online Games. S&P'11 - Symposium on Security and Privacy. IEEE.
  4. E. Bursztein; J. Lagarenne (2010). Kartograph. DEF CON 18. Defcon.
  5. Bursztein, Elie; Picod, Jean Michel (2010). Recovering Windows secrets and EFS certificates offline. WoOT 2010. Usenix.
  6. J. M. Picod; E. Bursztein (2010). Reversing DPAPI and Stealing Windows Secrets Offline. Blackhat.
  7. Aggarwal, Gaurav; Bursztein, Elie; Collin, Jackson; Boneh, Dan (2010). An Analysis of Private Browsing Modes in Modern Browsers. 19th Usenix Security Symposium. Usenix.
  8. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). The failure of noise-based non-continuous audio captchas. S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
  9. E. Bursztein; M. Martin; J. C. Mitchell (2011). Text-based captcha strengths and weaknesses. CCS. ACM.
  10. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). The end is nigh: generic solving of text-based CAPTCHAs. WoOT'14 - Workshop On Offensive Technology. Usenix.
  11. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
  12. Bursztein, Elie (2020). Malicious Documents Emerging Trends: A Gmail Perspective. RSA 2020. RSA.
  13. Thomas, Kurt; Jennifer, Pullman; Kevin, Yeo; Raghunathan, Ananth; Gage Kelley, Patrick; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. Usenix Security'19. Usenix.
  14. Bursztein, Elie; Bright, Travis; DeLaune, Michelle; Eliff, David; Hsu, Nick; Olson, Lindsey; Shehan, John; Thakur, Madhukar; Thomas, Kurt (2019). Rethinking the detection of child sexual abuse imagery on the Internet. Proceedings of the International Conference on World Wide Web. WWW.
  15. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). The first collision for full SHA-1. Crypto'17. IACR.
  16. J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. WWW'15 - International Conference on World Wide Web. World Wide Web.
  17. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). Easy does it: More usable captchas. CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
  18. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
  19. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). Dialing Back Abuse on Phone Verified Accounts. CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
  20. Consolvo, Sunny; Gage Kelley, Patrick; Matthews, Tara; Thomas, Kurt; Dunn, Lee; Bursztein, Elie (2021). "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns. Usenix Security 2021. Usenix.
  21. Sambasivan, Nithya; Batool, Amna; Ahmed, Nova; Matthews, Tara; Thomas, Kurt; Sanely Gaytán-Lugo, Laura; Nemer, David; Bursztein, Elie; Elizabeth, Churchill; Consolvo, Sunny (2019). They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia. CHI Conference on Human Factors in Computing Systems. ACM.
  22. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). Ad injection at scale: Assessing deceptive advertisement modifications. S&P'15 - Symposium on Security and Privacy. IEEE.
  23. E. Bursztein (2008). Probabilistic Protocol Identification for Hard to Classify Protocol. Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4.
  24. Z. Durumeric; D. Adrian; A. Mirian; J. Kasten; E. Bursztein; N. Lidzborski; K. Thomas; V. Eranti; M. Bailey; J. A. Halderman (2015). Neither snow nor rain nor mitm... an empirical analysis of email delivery security. Internet Measurement Conference. ACM.
  25. E. Bursztein; B. Gourdin; D. Boneh (2009). Bad memories. Blackhat USA 2010. Blackhat.
  26. E. Bursztein; C. Bursztein (2014). I am a legend: hacking hearthstone with machine learning. DEF CON 22. DEF CON.