Elie Bursztein

Elie Bursztein
Elie Bursztein
Born	1980 (age 43–44) France
Nationality	French
Citizenship	French
Education	École pour l'informatique et les techniques avancées (Engineering degree, 2004) Paris Diderot University (MS, 2005) École normale supérieure Paris-Saclay (PhD, 2008)
Known for	Password Checkup SHA-1 Collision
Scientific career
Fields	Artificial intelligence Computer Security Cryptography
Institutions	Stanford University Google DeepMind
Thesis	Anticipation games: Game theory applied to network security  (2008)
Doctoral advisor	Jean Goubault-Larrecq
Website	elie.net

Elie Bursztein,^{[r 1]} born 1 June 1980 in France, is a French computer scientist and software engineer. He is currently Google and DeepMind AI cybersecurity technical and research lead.

Education and early career

Bursztein obtained a computer engineering degree from EPITA in 2004, a master's degree in computer science from Paris Diderot University/ENS in 2005, and a PhD in computer science from École normale supérieure Paris-Saclay in 2008 with a dissertation titled Anticipation games: Game theory applied to network security. His PhD advisor was Jean Goubault-Larrecq.

Before joining Google, Bursztein was a post-doctoral fellow at Stanford University's Security Laboratory, where he collaborated with Dan Boneh and John Mitchell on web security,^{[p 1][p 2]} game security,^{[p 3][p 4]} and applied cryptographic research.^{[p 5]} His work at Stanford University included the first cryptanalysis of the inner workings of Microsoft's DPAPI (Data Protection Application Programming Interface),^{[p 6]} the first evaluation of the effectiveness of private browsing,^{[p 7][r 2]} and many advances to CAPTCHA security^{[p 8][p 9][p 10]} and usability.^{[p 11]}

Bursztein has discovered, reported, and helped fix hundreds of vulnerabilities, including securing Twitter's frame-busting code,^{[r 3]} exploiting Microsoft's location service to track the position of mobile devices,^{[r 4]} and exploiting the lack of proper encryption in the Apple App Store to steal user passwords and install unwanted applications.^{[r 5]}

Career at Google

Bursztein joined Google in 2012 as a research scientist. He founded the Anti-Abuse Research Team in 2014 and became the lead of the Security and Anti-Abuse Research teams in 2017.^{[r 6]} In 2023, he became Google and DeepMind AI cybersecurity technical and research lead.

Bursztein's notable contributions at Google include:

• 2022 Creating the first post quantum resilient security keys.^{[p 12]}
• 2020 Developing a deep-learning engine that helps to block malicious documents targeting Gmail users.^{[p 13]}
• 2019 Inventing Google's password-checking service^{[r 7]} Password Checkup that allows billion of users^{[r 8]} to check whether their credentials have been compromised due to data breaches while preserving their privacy.^{[p 14]}
• 2019 Developing Keras tuner which became the default hypertuner for TensorFlow^{[r 9]} and TFX.^{[r 10]}
• 2018 Conducting the first large-scale study on the illegal online distribution of child sexual abuse material in partnership with NCMEC.^{[p 15]}
• 2017 Finding the 1st SHA-1 full collision.^{[p 16][r 11]}
• 2015 Deprecating security questions at Google after completing the first large in-the-wild study on the effectiveness of security questions,^{[p 17]} which showed that they were both insecure and had a very low recall rate.^{[r 12][r 13]}
• 2014 Redesigning Google CAPTCHA to make it easier for humans, resulting in a 6.7% improvement in the pass rate.^{[p 18][1]}
• 2013 Strengthening Google accounts protections against hijackers^{[p 19]} and fake accounts.^{[p 20]}

Awards and honors

Best academic papers awards

• 2023 ACNS best workshop paper award for Hybrid Post-Quantum Signatures in Hardware Security Keys^{[p 12]}
• 2021 USENIX Security distinguished paper award ^{[r 14]} for "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns^{[p 21]}
• Bursztein 2019 USENIX Security distinguished paper award ^{[r 14]} for Protecting accounts from credential stuffing with password breach alerting^{[p 14]}
• 2019 CHI best paper award^{[r 15]} for “They don’t leave us alone anywhere we go”: Gender and digital abuse in South Asia^{[p 22]}
• 2017 Crypto best paper award^{[r 16]} for The first collision for full SHA-1^{[p 16]}
• 2015 WWW best student paper award^{[r 17]} for Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google^{[p 17][r 13]}
• 2015 S&P Distinguished Practical Paper award^{[r 18]} for Ad Injection at Scale: Assessing Deceptive Advertisement Modifications^{[p 23][r 19]}
• 2011 S&P best student paper award^{[r 20]} for OpenConflict: Preventing real time map hacks in online games^{[p 3]}
• 2008 WISPT best paper award for Probabilistic protocol identification for hard to classify protocol^{[p 24]}

Industry awards

• 2019 Recognized as one of the 100 most influential French people in cybersecurity^{[r 21]}
• 2017 BlackHat Pwnie award for the first practical SHA-1 collision^{[r 22]}
• 2015 IRTF Applied Networking Research Prize ^{[r 23]} for Neither snow nor rain nor MITM … An empirical analysis of email delivery security^{[p 25]}
• 2010 Top 10 Web Hacking Techniques for Attacking HTTPS with cache injection^{[r 24][p 26]}

Philanthropy

In 2023 Elie founded the Etteilla Foundation^{[r 25]} dedicated to preserving and promoting the rich cultural heritage of playing cards and donated his extensive collection of historical playing cards decks and tarots to it.

Trivia

Bursztein is an accomplished magician and he posted magic tricks weekly on Instagram during the 2019 pandemic.^{[r 26]}

In 2014, following his talk on hacking Hearthstone using machine learning,^{[p 27]} he decided not to make his prediction tool open source at Blizzard Entertainment’s request.^{[r 27]}

Selected publications

1. H. Bojinov; E. Bursztein; D. Boneh (2009). XCS: cross channel scripting and its impact on web applications. CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
2. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites. 3rd Web 2.0 Security and Privacy workshop. IEEE.
3. E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). OpenConflict: Preventing Real Time Map Hacks in Online Games. S&P'11 - Symposium on Security and Privacy. IEEE.
4. E. Bursztein; J. Lagarenne (2010). Kartograph. DEF CON 18. Defcon.
5. Bursztein, Elie; Picod, Jean Michel (2010). Recovering Windows secrets and EFS certificates offline. WoOT 2010. Usenix.
6. J. M. Picod; E. Bursztein (2010). Reversing DPAPI and Stealing Windows Secrets Offline. Blackhat.
7. Aggarwal, Gaurav; Bursztein, Elie; Collin, Jackson; Boneh, Dan (2010). An Analysis of Private Browsing Modes in Modern Browsers. 19th Usenix Security Symposium. Usenix.
8. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). The failure of noise-based non-continuous audio captchas. S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
9. E. Bursztein; M. Martin; J. C. Mitchell (2011). Text-based captcha strengths and weaknesses. CCS. ACM.
10. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). The end is nigh: generic solving of text-based CAPTCHAs. WoOT'14 - Workshop On Offensive Technology. Usenix.
11. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
12. Ghinea, Diana; Kaczmarczyck, Fabian; Pullman, Jennifer; Kolbl, Julien; Misoczki, Rafael; Jean-Michel, Picod; Luca, Invernizzi; Elie, Bursztein (2023). Hybrid Post-Quantum Signatures in Hardware Security Keys. International Conference on Applied Cryptography and Network Security 2023. Springer.
13. Bursztein, Elie (2020). Malicious Documents Emerging Trends: A Gmail Perspective. RSA 2020. RSA.
14. Thomas, Kurt; Jennifer, Pullman; Kevin, Yeo; Raghunathan, Ananth; Gage Kelley, Patrick; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. Usenix Security'19. Usenix.
15. Bursztein, Elie; Bright, Travis; DeLaune, Michelle; Eliff, David; Hsu, Nick; Olson, Lindsey; Shehan, John; Thakur, Madhukar; Thomas, Kurt (2019). Rethinking the detection of child sexual abuse imagery on the Internet. Proceedings of the International Conference on World Wide Web. WWW.
16. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). The first collision for full SHA-1. Crypto'17. IACR.
17. J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. WWW'15 - International Conference on World Wide Web. World Wide Web.
18. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). Easy does it: More usable captchas. CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
19. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
20. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). Dialing Back Abuse on Phone Verified Accounts. CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
21. Consolvo, Sunny; Gage Kelley, Patrick; Matthews, Tara; Thomas, Kurt; Dunn, Lee; Bursztein, Elie (2021). "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns. Usenix Security 2021. Usenix.
22. Sambasivan, Nithya; Batool, Amna; Ahmed, Nova; Matthews, Tara; Thomas, Kurt; Sanely Gaytán-Lugo, Laura; Nemer, David; Bursztein, Elie; Elizabeth, Churchill; Consolvo, Sunny (2019). They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia. CHI Conference on Human Factors in Computing Systems. ACM.
23. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). Ad injection at scale: Assessing deceptive advertisement modifications. S&P'15 - Symposium on Security and Privacy. IEEE.
24. E. Bursztein (2008). Probabilistic Protocol Identification for Hard to Classify Protocol. Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4.
25. Z. Durumeric; D. Adrian; A. Mirian; J. Kasten; E. Bursztein; N. Lidzborski; K. Thomas; V. Eranti; M. Bailey; J. A. Halderman (2015). Neither snow nor rain nor mitm... an empirical analysis of email delivery security. Internet Measurement Conference. ACM.
26. E. Bursztein; B. Gourdin; D. Boneh (2009). Bad memories. Blackhat USA 2010. Blackhat.
27. E. Bursztein; C. Bursztein (2014). I am a legend: hacking hearthstone with machine learning. DEF CON 22. DEF CON.

References

1. Elie Bursztein. "Elie Bursztein's personal site". Retrieved 4 April 2021.
2. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News. London.
3. "Twitter Security Contributors List". Archived from the original on 18 February 2011.
4. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET.
5. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News.
6. "Security, Privacy and Abuse research at Google". Retrieved 4 November 2020.
7. Andreas Tuerk (2 October 2020). "To stay secure online, Password Checkup has your back". Google. Retrieved 28 May 2021.
8. Kelly Earley (20 June 2020). "Sundar Pichai announces new Google privacy features". Silicon Republic. Retrieved 28 May 2021.
9. Tensorflow. "Introduction to the Keras Tuner". Tensorflow. Retrieved 28 May 2021.
10. Tensorflow. "The Tuner TFX Pipeline Component". Tensorflow. Retrieved 28 May 2021.
11. Brandom, Russell (22 February 2017). "Google just cracked one of the building blocks of web encryption". The Verge.
12. Beres, Damon (5 May 2015). "Your Password Security Questions Are Terrible, And They're Not Fooling Anyone". Huffington Post.
13. Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. Retrieved 15 June 2015.
14. Usenix. "Usenix best papers". Usenix. Retrieved 15 August 2021.
15. CHI. "CHI'19 best papers list". ACM. Retrieved 15 January 2020.
16. ICAR. "CRYPTO best papers list". ICAR. Retrieved 15 January 2020.
17. "WWW - World Wide Web conference 2015 award list". WWW. Retrieved 15 June 2015.
18. "S&P - Security And Privacy Symposium 2015 award list". IEEE. Retrieved 15 June 2015.
19. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. Retrieved 15 June 2015.
20. "S&P - Security And Privacy Symposium 2011 award list". IEEE. Retrieved 15 June 2015.
21. L'usine nouvelle. "Qui sont les 100 Français qui comptent dans la cybersécurité". L'usine nouvelle. Retrieved 5 November 2020.
22. Pwnie Awards Committee (July 2017). "Best Cryptographic Attack Pwnie Awards". Black Hat.
23. IRTF. "Applied Networking Research Prize Winners". IRTF. Retrieved 5 November 2020.
24. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)".
25. Etteilla Foundation. "Etteilla Foundation: the leading nonprofit dedicated to preserving and promoting the rich cultural heritage of playing cards". Retrieved 1 March 2024.
26. Elie Busztein. "Elie Bursztein magic tricks on Instagram". Instagram. Retrieved 28 May 2021.
27. Bursztein, Elie. "I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up".

External links

• Elie Bursztein's personal site
• Elie Bursztein's channel on YouTube
• Elie Bursztein on Google Scholar

1. "Outsmarted: Captcha security not much of a gotcha". CNET.