Welcome
I lead Google's anti-abuse research and invent new ways to protect our users against cyber-criminal activities and Internet threats. I recently redesigned Google's CAPTCHA to make it easier, and made Chrome safer and faster by implementing better cryptography. I was born in Paris, France, wear berets, and now live with my wife in Mountain View, California.

Featured publications

My most popular publications
privacy
Cloak and Swagger: Understanding Data Sensitivity Through the Lens of User Anonymity
Most of what we understand about data sensitivity is through user self-report (e.g., surveys); this paper is the first to use behavioral data to determine content sensitivity, via the clues that users give as to what information they consider private or sensitive through their use of Quora privacy enhancing product features. We show that data sensitivity is a nuanced measure that should be viewed on a continuum rather than as a binary concept, and advance the idea that machine learning over behavioral data can be effectively used in order to develop product features that can help keep users safe.
@S&P, May 2014
captcha
Easy Does It: More Usable CAPTCHAs
Websites present users with puzzles called CAPTCHAs to curb abuse caused by computer algorithms masquerading as people. While CAPTCHAs are generally effective at stopping abuse, they might impair website usability if they are not properly designed. In this paper we describe how we designed a new CAPTCHA scheme for Google that focuses on maximizing usability. Our new scheme, which is now an integral part of our production system and is served to millions of users, achieved a 95.3% human accuracy, a 6.7% improvement compared to the old one.
@CHI, April 2014
user experience
Online Microsurveys for User Experience Research
This case study presents a critical analysis of microsurveys as a method for conducting user experience research. We focus specifically on Google Consumer Surveys (GCS) and analyze a combination of log data and GCSs run by the authors to investigate how they are used, who the respondents are, and the quality of the data. We find that such microsurveys can be a great way to quickly and cheaply gather large amounts of survey data, but that there are pitfalls that user experience researchers should be aware of when using the method.
@CHI, April 2014
mobile
SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking
Session Juggler lets users log into any website on an untrusted terminal, in any modern browser, using a simple bookmarklet and a smartphone. The site credentials are never transmitted to the untrusted terminal. With Session Juggler, users never enter their long-term credentials on the untrusted terminal. Instead, users log in to a website using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.
@WWW, April 2012
captcha
Text-based CAPTCHA Strengths and Weaknesses
Based on successful attacks on 13 of the most popular CAPTCHA schemes, we show how to attack text-based CAPTCHAs and provide guidelines on how to design secure ones.
@CCS, October 2011
forensic
Beyond files recovery: OWADE cloud-based forensic
We present how to bypass, offline, the 4 layers of Windows encryption that protect web credentials and instant messenger credentials. We explain how to extract the sensitive data stored by the four major web browsers and the most popular instant messenger software, such as Skype and Live Messenger.
@BlackHat USA, August 2011
embedded devices
Towards Secure Embedded Web Interfaces
We audited the security of the web interfaces of more than 30 embedded devices and found more than 50 vulnerabilities. To help developers, we have developed WebDroid, the first framework specifically dedicated to building secure embedded web applications.
@Usenix Security, August 2011
video game
OpenConflict: Preventing Real Time Map Hacks in Online Games
We show how to perform memory-based attacks against real-time strategy games using our tool Kartograph to create map hacks. To defend against these attacks, we develop secure protocols for distributing game state among players so that each client only has the data it is allowed to see.
@S&P, May 2011
captcha
The Failure of Noise-Based Non-Continuous Audio Captchas
We show how, using a generic approach based on advanced audio processing and machine learning algorithms, our CAPTCHA breaker "Decaptcha" is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo.
@S&P, May 2011
video game
Kartograph
We present Kartograph, our memory analyzer designed to perform live memory attacks against various games. We demonstrate how to use Kartograph to create undetectable map hacks against various popular RTS games such as Civ 4, Warcraft 3 and Supreme Commander 2 in a matter of minutes.
@Defcon 18, August 2010