Applying for Software Engineering Jobs in the U.S.

I am in the process of applying to some tech companies for the next summer (contact me if you have an open position hehe). Here are some things I experienced and also some tips for the ones also applying.

From Germany I was used to a very easy-going process. Companies highly valued credentials (degrees, courses taken, references, ...) for the technical skills. Interviews were then focused on soft skills and assessing at which team/project I could apply my strength best. Soft skills would be assessed through role plays, team exercises (not technical), experience questions (like"can you tell me about a situation where it was difficult to work with other people?") and other questions like "what do you think is important for good time management?". Then, for the rest of the interview the company would explain different projects they are hiring for and try to see how I could fit into them. The whole process would usually only involve an initial phone call to discuss logistics and then one on-site interview. Most German companies value etiquette highly. Your writing better be flawless and the cover letter is probably the most important part of the application. It is really important to make a good point about why this company excites you.

My experience in the U.S. is very different. The initial contact is very focused on the "résumé". Recruiters at job fairs will sometimes just ask you for your résumé and that's it. Students will sometimes come to tech talks just to give their résumé to the recruiter and won't even stay for the talk. Also there are companies whose entire application process just consists of uploading a résumé. So are applications in the US very credential based? I can't say either, because most companies haven't even asked me for transcripts or reference letters. Weird. Instead, I would say that recruiting is less credential based than in Germany, because the U.S. companies all want to assess technical skills themselves through a series of phone interviews. And only if you pass through them you get an onsite interview. I honestly have my doubts on how good this process is as the sample size the company gets from two or three 45 minute technical phone interviews is rather small. But maybe degrees from U.S. universities don't say much, many applicants went through a different education or many applicants are from foreign countries with uncertainty about the significance of their degrees.

Anyways. To be successful, one needs to specifically prepare for this kind of interview. I recommend skimming the book Cracking the Coding Interview to get gist of why companies think they do these interviews, what they are looking for, what to expect, as well as some general strategies for answering questions. The book also contains sufficient review material to quickly freshen up your basic programming skills if needed. Then there is also a section of typical interview problems. But there are websites that provide the same and also let you write and test the code on the website directly. I can recommend CodeLab and LeetCode. Topcoder is another site that many recommend, but it's much more blown up. The book, on the other hand has very good solutions to the problems and also a good system of giving you hints if you're stuck. But don't be fooled. The interview questions I was asked in the actual interviews were sometimes much tougher than the ones in the book or online.

Another recommendation I have is Triplebyte (a Y Combinator company). The concept is that you do the first round of technical interviews with them (first online and then over the phone). If you are successful, you can then directly go to the onsite interviews of their partners. And they have a lot of very interesting partner companies. They save you a lot of stress. Otherwise you would have pretty much the same interview round with all the companies you apply for. That's not only cost for you, it's also cost for the companies. So by saving this cost, Triplebyte is able to invest more into optimizing their interview process. They also have a nice philosophy: Very data-driven, they don't look at credentials at all, and they focus on the applicants strength instead of weaknesses. So I highly recommend checking them out if you are applying for interviews/jobs in the space: Triplebyte.


US Credit Cards Overview

This was written in 2016. If you read this in >= 2018 there is a good chance this is outdated.

Usually I don't post commercial stuff. But I think other people moving to the US might find this helpful. I did a quite comprehensive survey of the consumer credit card market and want to share my findings. If you live here for a year or longer you need to get a US credit card. Often enough this is the only form of payment accepted and international credit cards often enough fail for random reasons. I'm going to assume that you do not want the credit card for the credit, and that you will pay your total balance all at once and on time. If not, you should look into other offers. If not explicitly said, cards mentioned here do not come with annual membership fees.

Using the best offers I found, I'll get roughly $1000 cash back per year with the spending profile of a regular graduate student, so it is worth thinking for a few hours about a good strategy. Continue reading

My Take on The Internet of Things

Right now we are on the way to create a next generation of the Internet, the Internet of Things. The Internet of Things (IoT) will have a huge impact on many aspects of our lives. It will change the way we interact, the way we live, and the way we think. Remember the years where we had big debates on how the electronic address book in our phones will change our ability to remember things? Well, in the next years not only our phones will become smarter, every_thing will become smarter. Ordinary “things” like our cars, our TVs, our refrigerators, watches, light bulbs, but also industrial assembly-line robots become more and more connected and “smarter”. In an exemplary scenario this means that the bulk of data produces by an ensemble of sensors in our cars can be analyzed in the cloud to find subtle defects or inefficiencies and this information can directly be communicated to the robots in the assembly line to improve the production process. Next to mobility and industry, the health sector, urban living, retail and energy are just a few other sectors where the IoT will have a huge impact.

Trying to predict the future and imagine how the IoT will exactly change things and identify upcoming challenges on this path, I want to first distill the game-changing factors related to IoT. I will then relate those to the Security and Privacy issues arising and present a (not even) half-baked solution.

In IoT there is the I and the T. Let’s look at the T, the things, first. The number of things with general purpose chips and rich connectivity will skyrocket in the next decade. While a traffic light today might only hold a small electronic circuit of a few gates, it will soon be equipped with a whole general purpose microprocessor and in addition to the signal wire which connects it with the other lights at the intersection, it will have a WiFi chip or an Ethernet interface. Putting more hardware into things and giving them more capabilities is simply a ramification of always decreasing cost of this hardware. Continue reading

Security: Status Quo

On Tuesday, June 21, 2016, the Commission on Enhancing National Cybersecurity #WHCyberComm met in Berkeley to get input from Industry and others. The main goal of the commission is to produce a “transition” memo to the next president to implement important policy changes within the first 100 days of the new administration, which is usually a time window where dramatic moves are made. The industry witnesses highly valued their chance to bring across their views and influence policy decisions to their benefit which made it an interesting event to watch. In this blog post I try to summarize the most important points that were made during the day. Continue reading

WhatsApp Retransmission Vulnerability

Last week I already tweeted

WhatsApp message not delivered. Contact announces new public key. Auto retransmits messages encrypted under new key. head -> table.

That explains this simple bug in the latest WhatsApp version, which now promises beautiful end-to-end encryption, very good. But for my not so nerdy friends I want to provide some more explanation. I'm not following the usual responsible disclosure procedure here as WhatsApp users are not less secure than when they did not have end-to-end encryption at all. A white-hat report to facebook (#1008534892515816) has been submitted.

Setting: Three phones. Phone A is Alice's phone. Phone B is Bob's phone. Phone C is the attacker's phone. Continue reading

Secure Communication, Finally!

A beta version of the Signal Desktop client is now available and What's App integrated the Signal protocol into their widely used messenger. TLS certificates are now available for free, many websites provide https, and certificate transparency is on a good way to solve the CA problem. It really seems like the world of computer security has become a bit less broken over the past few years. I'm wondering why it took humanity so long to create a usable secure communication platform that supports multiple devices and group chats, but I'm happy that this problem finally solved. Nobody should have an excuse to communicate insecurely anymore!


  1. How do we get rid of insecure e-mail?
  2. When will What's App hide the meta data?

Von Niehl in die Welt

This German article appears in the anniversary magazine of my high-school, the Erich Kästner-Gymnasium, Köln Niehl.

Hallo liebe Mitmenschen, die ihr noch im Käfig „Schulsystem“ gefangen seid und sehnsüchtig auf den Tag wartet, an dem Ihr einen Zettel mit der Überschrift “Abitur” überreicht bekommt, der euch endlich erlaubt in die schöne Welt hinaus zu gehen und eure Träume zu verwirklichen. Ich habe den Sprung geschafft. Ich promoviere aktuell an der UC Berkeley bei bestem kalifornischen Wetter und in Gesellschaft mit einigen der klügsten und interessantesten Menschen, die diese Welt zu bieten hat.

Auch wenn ich ausgesprochen ungern in die Schule gegangen bin, muss ich fairerweise sagen, dass das EKG noch ein ertragbarer Käfig war. Die Offenheit der Schule für neue Initiativen und die gute Beziehung zu ein paar Lehrern waren ein wichtiger Baustein für meine Karriere.

Das EKG ermöglichte mir mit verschiedenen Angeboten, mich neben dem normalen Unterricht meinem eigenen Tempo entsprechend zu entwickeln. Es war kein Problem, fachspezifisch den Unterricht eines höheren Jahrganges zu besuchen. Und ein sehr engagierter Herr Müller-Alander, hatte sich dem Projekt Schülerfirma verschrieben, das uns die Möglichkeit gab einen gewissen “entrepreneurial spirit” zu entwickeln. Am wichtigsten aber war das Projekt “Schüler an der Universität”. Das hieß für mich: Schulfrei und stattdessen spannende Vorlesungen an der Uni. Zwei Wochen Mathestudium an der Uni entsprechen im Umfang gut und gerne zwei Jahren Mathe LK. Erstaunlich, was man erreichen kann, wenn man nicht mehr an die Geschwindigkeit des Lehrers gebunden ist. Also: Auch wenn das Schulsystem sehr einschränkend wirkt, es gibt Möglichkeiten, seinen eigenen Weg zu gehen, auch schon vor dem Abitur.

„If you can dream it, you can do it“ (Walt Disney) und „Spaß ist nicht gleich Freude“ (Norman Mellein).

UC Berkeley spies on all Students, Staff, Faculty 24/7

The University of California Office of the President (UCOP) has been secretly monitoring university network traffic since about August 2015. ALL data including all private E-Mail communication and everything else sent from or to the UC Network is analyzed by a not disclosed third party and retained for at least 30 days. Sources: SF Chronicle, Blogpost, Letter from Raechel Nava, Executive Vice President — Chief Operating Officer

The people responsible for implementing the unconditional and extremely invasive surveillance of all people on campus claim that this installation will enhance individual's privacy as it is necessary for improving campus security, and security is a requirement for privacy. lol. or cry. idk.

Yes, security is a requirement for privacy, but analyzing and storing all data, including the most private information, is a particularly bad attempt to achieve the goal. First, it is only a matter of time until the skillful attackers break into the surveillance system and get all data served on a silver tray. Second, the main use-case would be to analyze attacks after they happened, not prevent them. Third, parts of the UC IT are quite outdated and presumably contain lots of security holes. Fixing them first would be much more effective. Fourth, giving a third party access to all private data is a bad idea because it greatly extends the set of trusted people, devices, and networks. Fifth, today they promise to only use the data for protecting the network. When we already store all this data the next generation will legitimately ask, why it is not used to resolve other crime cases as well. A few years later, the government just slightly changes how to define crime.

Again we see the security argument applied as a plain decoy to justify peoples nasty surveillance dreams. Or maybe they just don't know better? Idk. Btw: Berkeley is worldwide one of the top research institutions in Computer Security. Apparently non of the faculty or students were asked to assist with making the network more secure. Instead an external party was secretly contracted.

Notice that the security fence is full of holes

Notice that the security fence is full of holes

So, what can we do against this. I don't know. Convincing the administration that this form of surveillance it no good might be fruitful in case they just did not know what else to do. I doubt it. And even then other actors are monitoring all your communication anyways. So it seems like as long as there is no better solution available, we all have to protect ourselves a little bit more. We can


Not to care about privacy because you have nothing to hide is like not caring about free speech because you have nothing to say. - Edward Snowden

Comments allowed and welcome.

The day I almost became stupid

Today is Friday, Jan 22, 2016. I will remember this day. In discussions we security researchers often talk about the dumb average computer user. Today I almost became one of them. I received the following email from a spoofed sender address

Screen Shot 2016-01-22 at 5.40.26 PM


It tells me that because I am a non-resident alien in the US I need to submit additional information to the IRS because I opened a bank account and I am exempt from "tax withholdings on interest paid". All this was true to me and because I only very quickly skimmed the e-mail I did not detect any major flaws in the language. I would never expect a German authority to send me such an request by email but the Americans do many sensitive stuff online so I was not really surprised by the fact that "IRS" was communicating with me via email. I also gave them my email address on another form a few month ago.

What finally helped me to identify that it was a phishing attempt was that a google search for the indicated Fax number did not give any results. I would have expected to find it on some IRS website. Then I looked at the mail headers which revealed that the sender address was spoofed and finally made it clear that this is indeed a phishing attempt.

Screen Shot 2016-01-22 at 5.33.31 PM

I am glad I realized this in the last minute as the information I would have provided on the form would be enough for an attacker to try to call my bank and reset the password with the information or something similar.

I am wondering why the phishing email was so well targeted at me. Or is my view just biased because I directly delete all other phishing mails?

By the way, the IRS never communicates by email. More information on their website.

New Series: Business Ideas for Cryptographers

As you know I like startups. I like doing startups. I like the culture of startups and I like to see startups disrupt and overtake the world. But now I'm doing a PhD. And I love what I'm doing. So no startups for me. At least until I finish my PhD.

So why don't you take my business ideas and build your start-ups. While you do so, put me into your advisory board. Hence I'm starting this series of blogposts. Each of them will have a cool crypto primitive in it and an idea how to make money out of it. I did not do any market validation for those ideas, that's your job, but I think they are all pretty cool and worth investigating. This first article is more about why doing a startup in cryptography. Continue reading