Welcome
I lead Google's anti-abuse research and invent new ways to protect our users against cyber-criminal activities and Internet threats. I recently redesigned Google's CAPTCHA to make it easier, and made Chrome safer and faster by implementing better cryptography. I was born in Paris, France, wear berets, and now live with my wife in Mountain View, California.

Featured publications

My most popular publications
captcha
Easy Does It: More Usable CAPTCHAs
Websites present users with puzzles called CAPTCHAs to curb abuse caused by computer algorithms masquerading as people. While CAPTCHAs are generally effective at stopping abuse, they might impair website usability if they are not properly designed. In this paper we describe how we designed a new CAPTCHA schemes for Google that focus on maximizing usability. Our new scheme which is now an integral part of our production system and is served to millions of users, achieved a 95.3% human accuracy, a 6.7% improvement compared to the old one.
@CHI, April 2014
medias:1
mobile
SessionJuggler Secure Web Login from an Untrusted Terminal Using Session Hijacking
Session Juggler allows to log into any websites on an untrusted terminal on any modern browser by using a simple bookmarklet and a smartphone. The site credentials are never transmited to the untrusted. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.
@WWW, April 2012
medias:2
captcha
Text-based CAPTCHA Strengths and Weaknesses
Based on sucessfull attacks on 13 of the most popular captchas schemes we show how to attack text-based captchas and provide guidelines on how to design secure ones.
@CCS, October 2011
medias:2
forensic
Beyond files recovery OWADE cloud-based forensic
We present how to by pass offline the 4 layers of Windows encryption that protect web credentials and instant messengers credentials. We explain how to extract the sensitive data stored by the four major web browsers and the most popular instant messengers softwares such as Skype and Live messenger.
@BlackHat USA, August 2011
medias:2
embedded devices
Towards Secure Embedded Web Interfaces
We audited the security of more than 30 embedded devices web interfaces and found more than 50 vulnerabilities. To help developers, we have developed WebDroid the first framework specifically dedicated to build secure embedded WebApp.
@Usenix Security, August 2011
medias:2
video game
OpenConflict Preventing Real Time Map Hacks in Online Games
We show how to perform memory based attack against real-strategy games using our tool Kartograph to create map-hack. To defend against theses attacks we develop secure protocols for distributing game state among players so that each client only has the data he is allowed to see.
@S&P, May 2011
medias:3
captcha
The Failure of Noise-Based Non-Continuous Audio Captchas
We show how using a generic approach, based on advanced audio processing and machine learning algorithm, our captcha breaker "Decaptcha" is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo.
@S&P, May 2011
medias:2
video game
Kartograph
We present Kartograph our memory analyzer designed to perform live memory attacks against various games. We demonstrate how to use Kartograph to create undetectable map-hacks against various populars RTS such as Civ 4, Warcraft 3 and Supreme commander 2 in a matter of minutes.
@Defcon 18, August 2010
medias:4
web security
An Analysis of Private Browsing Modes in Modern Browsers
We analyze how each of the major browser implements the private browsing mode and show their limitations and describe attacks against them. We also measure on which kind of website people use the private browsing mode.
@Usenix Security, August 2010
medias:2
web security
Bad Memories
We demonstrate how to steal a WiFi network WPA key and location by attacking the router web interface. Then we show how to bypass SSL warning on Internet Explorer and Firefox to perform HTTPS cache injection attacks. Finally we show how to perform various advanced click-jacking attacks on browser and phones (tapjacking).
@BlackHat USA / Defcon, July 2010
medias:5
Performance
headers: 0.00106000900269
publication list: 0.0346999168396
sidebar: 0.222239971161
total: 0.258019924164