Elie Bursztein

Last updated

Elie Bursztein
Elie-200.Sic59Q5F.jpg
Born1980 (age 4344)
France
Education
Known for
Scientific career
Fields
Artificial intelligence

Computer Security Cryptography

Institutions
Thesis Anticipation games: Game theory applied to network security  (2008)
Doctoral advisor Jean Goubault-Larrecq
Website elie.net

Elie Bursztein, [r 1] (born 1980) is a French computer scientist and software engineer. He is Google and DeepMind AI cybersecurity technical and research lead.

Contents

Education and early career

Bursztein obtained a computer engineering degree from EPITA in 2004, a master's degree in computer science from Paris Diderot University/ENS in 2005, and a PhD in computer science from École normale supérieure Paris-Saclay in 2008 with a dissertation titled Anticipation games: Game theory applied to network security.

Before joining Google, Bursztein was a post-doctoral fellow at Stanford University's Security Laboratory, where he collaborated with Dan Boneh and John Mitchell on web security, [p 1] [p 2] game security, [p 3] [p 4] and applied cryptographic research. [p 5] His work at Stanford University included the first cryptanalysis of the inner workings of Microsoft's DPAPI (Data Protection Application Programming Interface), [p 6] the first evaluation of the effectiveness of private browsing, [p 7] [r 2] and many advances to CAPTCHA security [p 8] [p 9] [p 10] and usability. [p 11]

Bursztein has discovered, reported, and helped fix hundreds of vulnerabilities, including securing Twitter's frame-busting code, [r 3] exploiting Microsoft's location service to track the position of mobile devices, [r 4] and exploiting the lack of proper encryption in the Apple App Store to steal user passwords and install unwanted applications. [r 5]

Career at Google

Bursztein joined Google in 2012 as a research scientist. He founded the Anti-Abuse Research Team in 2014 and became the lead of the Security and Anti-Abuse Research teams in 2017. [r 6] In 2023, he became Google and DeepMind AI cybersecurity technical and research lead.

Bursztein's contributions at Google include:

Awards and honors

Best academic papers awards

Industry awards

Philanthropy

In 2023 Elie founded the Etteilla Foundation [r 25] dedicated to preserving and promoting the rich heritage of playing cards and donated his extensive collection of historical playing cards decks and tarots to it.

Trivia

Bursztein is an accomplished magician and he posted magic tricks weekly on Instagram during the 2019 pandemic. [r 26]

In 2014, following his talk on hacking Hearthstone using machine learning, [p 27] he decided not to make his prediction tool open source at Blizzard Entertainment’s request. [r 27]

Selected publications

  1. H. Bojinov; E. Bursztein; D. Boneh (2009). XCS: cross channel scripting and its impact on web applications. CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
  2. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites. 3rd Web 2.0 Security and Privacy workshop. IEEE.
  3. 1 2 E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). OpenConflict: Preventing Real Time Map Hacks in Online Games. S&P'11 - Symposium on Security and Privacy. IEEE.
  4. E. Bursztein; J. Lagarenne (2010). Kartograph. DEF CON 18. Defcon.
  5. Bursztein, Elie; Picod, Jean Michel (2010). Recovering Windows secrets and EFS certificates offline. WoOT 2010. Usenix.
  6. J. M. Picod; E. Bursztein (2010). Reversing DPAPI and Stealing Windows Secrets Offline. Blackhat.
  7. Aggarwal, Gaurav; Bursztein, Elie; Collin, Jackson; Boneh, Dan (2010). An Analysis of Private Browsing Modes in Modern Browsers. 19th Usenix Security Symposium. Usenix.
  8. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). The failure of noise-based non-continuous audio captchas. S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
  9. E. Bursztein; M. Martin; J. C. Mitchell (2011). Text-based captcha strengths and weaknesses. CCS. ACM.
  10. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). The end is nigh: generic solving of text-based CAPTCHAs. WoOT'14 - Workshop On Offensive Technology. Usenix.
  11. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
  12. 1 2 Ghinea, Diana; Kaczmarczyck, Fabian; Pullman, Jennifer; Kolbl, Julien; Misoczki, Rafael; Jean-Michel, Picod; Luca, Invernizzi; Elie, Bursztein (2023). Hybrid Post-Quantum Signatures in Hardware Security Keys. International Conference on Applied Cryptography and Network Security 2023. Springer.
  13. Bursztein, Elie (2020). Malicious Documents Emerging Trends: A Gmail Perspective. RSA 2020. RSA.
  14. 1 2 Thomas, Kurt; Jennifer, Pullman; Kevin, Yeo; Raghunathan, Ananth; Gage Kelley, Patrick; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). Protecting accounts from credential stuffing with password breach alerting. Usenix Security'19. Usenix.
  15. Bursztein, Elie; Bright, Travis; DeLaune, Michelle; Eliff, David; Hsu, Nick; Olson, Lindsey; Shehan, John; Thakur, Madhukar; Thomas, Kurt (2019). Rethinking the detection of child sexual abuse imagery on the Internet. Proceedings of the International Conference on World Wide Web. WWW.
  16. 1 2 Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik (2017). The first collision for full SHA-1. Crypto'17. IACR.
  17. 1 2 J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. WWW'15 - International Conference on World Wide Web. World Wide Web.
  18. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). Easy does it: More usable captchas. CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
  19. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild. IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
  20. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). Dialing Back Abuse on Phone Verified Accounts. CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
  21. Consolvo, Sunny; Gage Kelley, Patrick; Matthews, Tara; Thomas, Kurt; Dunn, Lee; Bursztein, Elie (2021). "Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns. Usenix Security 2021. Usenix.
  22. Sambasivan, Nithya; Batool, Amna; Ahmed, Nova; Matthews, Tara; Thomas, Kurt; Sanely Gaytán-Lugo, Laura; Nemer, David; Bursztein, Elie; Elizabeth, Churchill; Consolvo, Sunny (2019). They Don't Leave Us Alone Anywhere We Go - Gender and Digital Abuse in South Asia. CHI Conference on Human Factors in Computing Systems. ACM.
  23. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). Ad injection at scale: Assessing deceptive advertisement modifications. S&P'15 - Symposium on Security and Privacy. IEEE.
  24. E. Bursztein (2008). Probabilistic Protocol Identification for Hard to Classify Protocol. Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi: 10.1007/978-3-540-79966-5_4 .
  25. Z. Durumeric; D. Adrian; A. Mirian; J. Kasten; E. Bursztein; N. Lidzborski; K. Thomas; V. Eranti; M. Bailey; J. A. Halderman (2015). Neither snow nor rain nor mitm... an empirical analysis of email delivery security. Internet Measurement Conference. ACM.
  26. E. Bursztein; B. Gourdin; D. Boneh (2009). Bad memories. Blackhat USA 2010. Blackhat.
  27. E. Bursztein; C. Bursztein (2014). I am a legend: hacking hearthstone with machine learning. DEF CON 22. DEF CON.

Related Research Articles

A CAPTCHA is a type of challenge–response test used in computing to determine whether the user is human in order to deter bot attacks and spam.

<span class="mw-page-title-main">Dan Boneh</span> Israeli–American professor

Dan Boneh is an Israeli–American professor in applied cryptography and computer security at Stanford University.

Martín Abadi is an Argentine computer scientist, working at Google as of 2024. He earned his Doctor of Philosophy (PhD) in computer science from Stanford University in 1987 as a student of Zohar Manna.

Randy Howard Katz is a distinguished professor emeritus at University of California, Berkeley of the electrical engineering and computer science department.

<span class="mw-page-title-main">Gernot Heiser</span> Australian computer scientist

Gernot Heiser is a Scientia Professor and the John Lions Chair for operating systems at UNSW Sydney, where he leads the Trustworthy Systems group (TS).

Lorrie Faith Cranor is an American academic who is the FORE Systems Professor of Computer Science and Engineering and Public Policy at Carnegie Mellon University and is the director of the Carnegie Mellon Usable Privacy and Security Laboratory. She has served as Chief Technologist of the Federal Trade Commission, and she was formerly a member of the Electronic Frontier Foundation Board of Directors. Previously she was a researcher at AT&T Labs-Research and taught in the Stern School of Business at New York University. She has authored over 110 research papers on online privacy, phishing and semantic attacks, spam, electronic voting, anonymous publishing, usable access control, and other topics.

A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinting algorithm. A browser fingerprint is information collected specifically by interaction with the web browser of the device.

<span class="mw-page-title-main">Moti Yung</span> Israeli computer scientist

Mordechai M. "Moti" Yung is a cryptographer and computer scientist known for his work on cryptovirology and kleptography.

Stephanie Forrest is an American computer scientist and director of the Biodesign Center for Biocomputing, Security and Society at the Biodesign Institute at Arizona State University. She was previously Distinguished Professor of Computer Science at the University of New Mexico in Albuquerque. She is best known for her work in adaptive systems, including genetic algorithms, computational immunology, biological modeling, automated software repair, and computer security.

Patrick Denis Lincoln is an American computer scientist leading the Computer Science Laboratory (CSL) at SRI International. Educated at MIT and then Stanford, he joined SRI in 1989 and became director of the CSL around 1998. He previously held positions with ETA Systems, Los Alamos National Laboratory, and MCC.

Justin Cappos is a computer scientist and cybersecurity expert whose data-security software has been adopted by a number of widely used open-source projects. His research centers on software update systems, security, and virtualization, with a focus on real-world security problems.

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

<span class="mw-page-title-main">J. Alex Halderman</span> American computer scientist

J. Alex Halderman is professor of computer science and engineering at the University of Michigan, where he is also director of the Center for Computer Security & Society. Halderman's research focuses on computer security and privacy, with an emphasis on problems that broadly impact society and public policy.

Sushil Jajodia is an American computer scientist known for his work on cyber security and privacy, databases, and distributed systems.

Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications, and observing differences in their execution. Differential testing complements traditional software testing, because it is well-suited to find semantic or logic bugs that do not exhibit explicit erroneous behaviors like crashes or assertion failures. Differential testing is sometimes called back-to-back testing.

<span class="mw-page-title-main">Carmela Troncoso</span> Spanish telecommunication engineer

Carmela González Troncoso is a Spanish telecommunication engineer and researcher specialized in privacy issues, and an LGBT+ activist. She is currently a tenure track assistant professor at École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland and the head of the SPRING lab. Troncoso gained recognition for her leadership of the European team developing the DP-3T protocol that aims at the creation of an application to facilitate the tracing of COVID-19 infected persons without compromising on the privacy of citizens. Currently she is also member of the Swiss National COVID-19 Science Task Force in the expert group on Digital Epidemiology. In 2020, she was listed among Fortune magazine's 40 Under 40.

Cross-site leaks, also known as XS-leaks, are a class of attacks used to access a user's sensitive information on another website. It is a term found in internet security. Cross-site leaks allow an attacker to access a user's interactions with other websites. This can contain sensitive information. Web browsers normally stop other websites from seeing this information. This is enforced through a set of rules called the same-origin policy. Attackers can sometimes get around these rules, using a "cross-site leak". Attacks using a cross-site leak are often initiated by enticing users to visit the attacker's website. Upon visiting, the attacker uses malicious code on their website to interact with another website. This can be used by a attacker to learn about the user's previous actions on the other website. The information from this attack can uniquely identify the user to the attacker.

An oblivious pseudorandom function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that in an OPRF two parties cooperate to securely compute a pseudorandom function (PRF).

Hovav Shacham is a professor in computer security at the University of Texas at Austin. He has made many advances to both cryptography and computer security.

Keystroke inference attacks are a class of privacy-invasive technique that allows attackers to infer what a user is typing on a keyboard.

References

  1. Elie Bursztein. "Elie Bursztein's personal site" . Retrieved 4 April 2021.
  2. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News. London.
  3. "Twitter Security Contributors List". Archived from the original on 18 February 2011.
  4. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET.
  5. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News.
  6. "Security, Privacy and Abuse research at Google" . Retrieved 4 November 2020.
  7. Andreas Tuerk (2 October 2020). "To stay secure online, Password Checkup has your back". Google. Retrieved 28 May 2021.
  8. Kelly Earley (20 June 2020). "Sundar Pichai announces new Google privacy features". Silicon Republic. Retrieved 28 May 2021.
  9. Tensorflow. "Introduction to the Keras Tuner". Tensorflow. Retrieved 28 May 2021.
  10. Tensorflow. "The Tuner TFX Pipeline Component". Tensorflow. Retrieved 28 May 2021.
  11. Brandom, Russell (22 February 2017). "Google just cracked one of the building blocks of web encryption". The Verge.
  12. Beres, Damon (5 May 2015). "Your Password Security Questions Are Terrible, And They're Not Fooling Anyone". Huffington Post.
  13. 1 2 Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. Retrieved 15 June 2015.
  14. 1 2 Usenix. "Usenix best papers". Usenix. Retrieved 15 August 2021.
  15. CHI. "CHI'19 best papers list". ACM. Retrieved 15 January 2020.
  16. ICAR. "CRYPTO best papers list". ICAR. Retrieved 15 January 2020.
  17. "WWW - World Wide Web conference 2015 award list". WWW. Retrieved 15 June 2015.
  18. "S&P - Security And Privacy Symposium 2015 award list". IEEE. Retrieved 15 June 2015.
  19. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. Retrieved 15 June 2015.
  20. "S&P - Security And Privacy Symposium 2011 award list". IEEE. Retrieved 15 June 2015.
  21. L'usine nouvelle. "Qui sont les 100 Français qui comptent dans la cybersécurité". L'usine nouvelle. Retrieved 5 November 2020.
  22. Pwnie Awards Committee (July 2017). "Best Cryptographic Attack Pwnie Awards". Black Hat.
  23. IRTF. "Applied Networking Research Prize Winners". IRTF. Retrieved 5 November 2020.
  24. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)".
  25. Etteilla Foundation. "Etteilla Foundation: the leading nonprofit dedicated to preserving and promoting the rich cultural heritage of playing cards" . Retrieved 1 March 2024.
  26. Elie Busztein. "Elie Bursztein magic tricks on Instagram". Instagram. Retrieved 28 May 2021.
  27. Bursztein, Elie. "I am a legend: Hacking Hearthstone with machine-learning Defcon talk wrap-up".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.