I am a security researcher with a Ph.D. in Computer Science and Engineering from the University of Michigan. Currently, I am working on Google's Production Security team in Mountain View, California. My work-related responsibilities focus on identifying, monitoring, and reducing insider threats as well as improving Google's overall infrastructure security. Outside of work, I am still actively researching Internet-scale computer security issues as well as working towards improving the security properties of widely used protocols and mechanisms.

My doctoral research focused on understanding Nation-State Attackers such as the NSA and GCHQ while also measuring Internet-scale vulnerabilities and attack-surfaces. By analyzing the known operations and behaviors of Nation-State Attackers, we can better understand how to detect attacks and build systems and protocols to protect against well resourced adversaries. In my graduate education, I was advised by Prof. J. Alex Halderman and funded by an NSF Graduate Research Fellowship and the Post-9/11 GI Bill.

My work helped explain how intelligence agencies may be able to defeat widely used cryptography. In other work, I showed that popular TLS crypto shortcuts could be exploited to retrospectively decrypt connections to many of the most popular destinations on the Internet. I studied how foreign adversaries could compromise Internet voting to interfere with elections, and I investigated HTTPS interception and FTP vulnerabilities.

My research has been covered and cited by The Wall Street Journal, The Washington Post, Ars Technica, The Guardian, US-CERT, NIST, FBI Cyber Division, and Playboy, and it has been referenced multiple times during the development of TLS 1.3. I contribute to open-source projects such as Censys and ZMap, and I occasionally help find RFC bugs during job interviews.


The Security Impact of HTTPS Interception

Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, and Vern Paxson
24th Network and Distributed System Security Symposium (NDSS ’17), February 2017

Measuring the Security Harm of TLS Crypto Shortcuts

Drew Springall, Zakir Durumeric, and J. Alex Halderman
16th ACM Internet Measurement Conference (IMC ’16), November 2016

FTP: The Forgotten Cloud

Drew Springall, Zakir Durumeric, and J. Alex Halderman
46th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ’16), June 2016

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
22nd ACM Conference on Computer and Communications Security (CCS ’15), October 2015
Best Paper Award
Pwnie Award for Most Innovative Research

Security Analysis of the Estonian Internet Voting System

Drew Springall, Travis Finkenauer, Zakir Durumeric, Jason Kitcat, Harri Hursti, Margaret MacAlpine, and J. Alex Halderman
21st ACM Conference on Computer and Communications Security (CCS ’14), November 2014

Words of Wisdom

Reminder: If it's not exploitable now, that doesn't mean it won't be later Image Source: Der Spiegel