Q&A with Elie Bursztein, Google’s Anti-Abuse Research Lead.

How a simple design change increased Gmail encryption use by 25%, why security questions are not your friend, and what the team does to battle malicious hackers across Google products.

In addition to leading Google’s anti-abuse research team, Elie Bursztein is an aggressive beret-advocate (caveat: he was born in Paris) and, in his spare time, an amateur magician.

When I spoke with Elie via Google Hangouts this week, I suggested there was some commonality between these two pursuits: coming up with new ways to keep Gmail safe and literally pulling rabbits out of hats. But Bursztein saw it differently. “We’re more like the magician-busters,” he told me. “An attacker or a vulnerability is like a trick. If you know the trick, you can do something that is not under the assumption of the system. That’s what security’s about. Finding attackers’ tricks and defeating them.”

So who are these Voldemorts trying to infiltrate our inboxes? How does Google figure out their tricks and come up with just the right way to fight back? And what if the enemy happens to be our own bad judgment…?

—

So number-wise, what is the biggest thing menacing our Gmail inboxes today?

In terms of volume, spam is number one for sure, by a huge, huge margin. Then malware is a distant second. And social engineering attacks would be very, very low.

I know I’m trying to pull back the Wizard-of-Oz curtain here, but I’m wondering how much evil is showering down on an average email account each day. Is there a ratio of good email to bad email? Like, for every legitimate email that lands in your inbox, there are ten attacks that Gmail filters out?

There is a ratio, but I won’t tell you what it is. It is not a secret thing, we just don’t want people to focus on the volume. Everyone is unique, and your inbox is unique. Let’s talk about spam for a second. You say, “I don’t want this in my inbox” but what you don’t want in your inbox might not be what the next guy doesn’t want in his inbox.

What I mean is, we have hardcore spam, the thing no one wants, which is like “buy this cheap bag.” But then maybe five years ago you were really into fitness and subscribed to a bunch of mailing lists. Later, those notices became very annoying to you, so you reported them as spam. It’s not really spam, it’s just like, “Oh Gmail, don’t show me those guys.”

Spam today is more this notion of “this is something I don’t want.” Just because you don’t want to see it, doesn’t mean the company did anything wrong. So the number of “spam” does not mean much. That’s why we don’t want to reveal the number. It’s not meaningful.

It seems like Gmail has to find ways to save users from their own judgment slips. So much of the time we users are the ones clicking on suspicious things, or inviting suspicious people into our account, like with romance scams.

We don’t prevent you from communicating with people. Gmail’s mission is to keep your inbox clean and safe, which means only you get access to your inbox, and you only see the contacts you want. But when it comes to things like family attacks, do we protect you from your kids logging into your account…? No. It’s impossible for us.

The romance scams are really impactful. It really hurts. You think you have a relationship with someone. You think you are making progress! And then they will scam you for money for a visa or a plane ticket that will never be bought. Or, they can go further, with blackmail and extortion. We do report them, but most of those sextortion problems come through YouTube. Of course, YouTube is Google too, and we try to work with many abuse-fighting teams to protect every group of products: Play Store, YouTube, Hangouts, Blogger, and so forth.

Another social engineering scam that is particularly distressing is what we call “viral phishing.” Viral phishing occurs when your account gets compromised — someone gets your password — and they send a message to your contacts saying something like, “I’ve been traveling out of the country and I was robbed. I don’t have my phone. I don’t have my laptop. Please wire me money.” And then your grandma sends “you” $2000. It’s not only about the money; it’s about the emotional distress.

Some sites try to create an added layer of protection to keep hackers from breaking into people’s personal accounts, by requiring users to answer a “secret question,” but your team’s research shows that “secret question” is kind of a misnomer.

We wrote a long paper about why you should not use secret questions. We do use them when we don’t have anything else, but we’d rather have a phone number or recovery email.

There is an undercurrent in the security community that using secret questions is a “best practice,” but it’s not. It’s really bad for usability.

The recall for certain questions is not that great for certain people. Some people, they try to be cheeky. They don’t remember what they put down. The recovery rate is lower than if one uses an SMS or email. That’s why Google asks you for a recovery email or a phone number. It’s not that we want to advertise anything to you, it’s because you won’t get your account back, which sucks, right?

The other problem is, when people try to be cheeky they think they’re going to make this super secret smart answer, but we end up having a few thousand or a few million people with the same super secret smart answer, for the same phone number. It’s also not that great, not only for security, but for systemic security, because people put the same answer. So you get the worst of both worlds: not very secure, not very usable.

That said, I want to be positive about it for just a second. When you log into Gmail, we always try to assess if it’s really you (based on suspicious signals like your location, and so forth). We use what we call “knowledge tests” or “login challenges.” Even if you use your password, sometimes we might challenge you. And the challenge is where we find it useful to ask the equivalent of a security question, like: What was the last location you logged in from? What’s your recovery email address? So a secret question as a login challenge is pretty useful.

As new insights emerge from your team’s research, how does Gmail decide when and how to introduce new protective features?

People think we’re slow. We’re not; we’re thorough. And we don’t make decisions for millions of people on a whim. We really have to do the usability testing and understand how it’s going to change things. One example of how we pushed the envelope, and were a little bit worried, is with email encryption. You may have friends who don’t use Gmail, but use Microsoft, Yahoo, or even a lesser-known provider. Well, these were the ones we were really worried about: providers that don’t have the bandwidth, or expertise, to go to encryption.

In 2014, we started to release a transparency report to show how many of the emails received are encrypted. At the time it was 60%, which means that 4 emails out of 10 were not being encrypted and could have been snooped by anyone. We were concerned about that. The transparency dashboard had this mechanical effect of getting more people aware of encryption, and pushing more people to adopt it.

But in 2015, we worked with the University of Michigan to research the amount of email interception around the world and realized: we’re not there yet. So based on this we made a decision, and it was a difficult decision, to add a small icon of a broken lock when you receive an email from, or are about to send an email to, someone who doesn’t support encryption. You’d think, “Oh, it’s just an icon.” No, it’s not just an icon; it’s a very complicated process. You have to ask your user: Are you understanding what we’re trying to say to you? Is it meaningful to you? And ask ourselves: How are we going to phrase this? When are we going to release it? How is it going to affect the world? Is it a good thing to do?

We didn’t want to come off as trying to shame anyone. That wasn’t the goal. We just wanted to provide our users with the information they needed to make a choice: You’re going to send an email, and there’s a risk it’s going to be intercepted in transit. Do you want to do that?

Forty-four days after the icon was added, we looked at how much the number of encrypted emails had increased around the world — it was 25%. A huge win. But we spent two years doing a lot of research after launching the transparency dashboard to understand what we could do better.

Your most recent research paper tested a common pentester boast: that “they can break into any company by dropping malicious USB drives in the company’s parking lot.” 48% of subjects self-infected their computers!

I’d heard the anecdotes many times over (it’s been in the black hat culture for years), and that’s why I wanted to test it in the most scientific way. 48% is a lower approximation. That’s the number that clicked on the [non-malicious] files we installed. How many plugged in the USB, but didn’t click on the files? We don’t know. It is crazy!

Consumers spend a lot of time worrying about the kinds of things we’ve been discussing — passwords, encryption, malware — but how big a threat is this analog stuff? Stolen paperwork? Malicious USB drives?

Do you have a shredder at home?

Er, no.

There you go.

Do you?

Of course! If you look at my last personal blog post, I actually give tips for how to secure a credit card, which most people don’t think about. One of the reasons you should buy a shredder is to shred your old credit cards and PIN letter, but most people don’t do that.

It’s still hard to believe that so many people would pick a USB drive off the ground, stick it in their computer and start clicking around. It’s kind of like finding an apple on the ground and taking a bite out of it.

If you find a $100 bill on the ground, would you use it?

Totally! (Beat) Mm, I guess storage kind of is money…

It is. Right?