The mysterious blue tea

Recently I wrote about the wonderful six colors of tea. Often people raise an eyebrow when they read blue tea. It’s not a color you expect your tea to have. If you search for the term you will find a variety of drinks such as hibiscus tea which starts out blue and turns red or tea made with butterfly pea flowers. You may even find some brand name ice tea before you actually see a reference to “real” tea from Camellia sinensis.

Blue tea is the ancient name given to oolong (or ‘wu long’) tea. The Chinese character representing oolong tea has changed over time so often this type of tea is called blue-green which more closely resembles the actual color of certain types of oolong tea (it is also possible to brew a much darker browner tea).


China is the main source of oolong tea. In the south east the Fujian province (especially their cliffs), its close neighbor Taiwan and the Guangdong province a little further south contribute to most of the world’s oolong production.



Oolong is one of the most difficult teas to make and gives the tea maker lots of freedom in creating the final tea. Fine oolong teas are best brewed multiple times in order for the leaves to fully unfold and reveal their full taste.

The tienguanyin style of oolong tea produces one of the most expensive teas in the world and the exact process is a highly guarded secret consisting of up to eighteen steps.

A lot of oolong produced today uses the Fujian style which still goes through ten steps from raw leaf to the final tea. The sixth step ‘Shajing’ is the deciding step for important characteristics of the tea. Here the leaf is rolled for a few minutes to break the cell structure and release the juices. This step alone takes up to half a day and tea leaves are allowed to rest for about two hours between rollings. Fujian style can be recognized by small tea balls about the size of a marble.

If you encounter a longer straighter style of oolong this is the Min-Bei style. Here much larger leaves are used and it takes more than 30 hours to produce.

Fact sheet for brewing oolong:

  • Boil water but let it sit for about 5 minutes to cool to 95°.
  • Use a small pot or larger tea glass (~250ml) with a lid and 1 (tightly rolled leaves) to 2 (very loose leaves) tea spoons of oolong.
  • Brew repeatedly starting with 1 minute and increasing about half a minute each time.
  • Pour into a drinking cup after brewing and let the leaves breathe between each round (open lid).

Happy oolong-ing!


How colorful is your tea?

In western culture tea is predominantly black. Thanks to a recent increased consumption of tea you are starting to see an assortment of green tea in our homes. Unless you have a special interest in tea those are usually the only two colors associated with my favorite beverage.

Most people will be surprised to learn that in ancient China, the birthplace of tea, they distinguish between six different colors: red, black, blue, green, yellow and white. Some of these colors have since been replaced by modern names such as oolong or pu-erh, but each of the six can be distinguished from each other. But how are they different?

First we must clarify what is meant by tea. The word is very often used to describe any drink made from combining hot water with something from a plant. The original term only applied to infusions using tea plants. If a different plant is used you are making herbal tea or tisane (a distinction the French language still uses).

The six colors mentioned apply to true tea all produced from a single species: the tea plant or Camellia sinensis. Even though there are three sub types based on leaf size and some harvesting properties, the colors really only define differences in the processing of tea. It does not say very much about the origins of the plant leaves. Theoretically any type of leaf can be used to produce one of the six colors of tea, although some of the sub types are more frequently used to make specific colors.

Tea processing consists of many steps including drying, twisting, steaming and firing. These steps are designed to alter the properties of the leaves and ultimately control how much oxidization and fermentation takes place.

The most important factor is oxidation. In the color range the oxidization runs from minimal (in green and yellow tea) to partial (in white and oolong teas). Full oxidization takes place in making red tea (which is what we westerners commonly refer to as black tea). Pu-Erh tea (what Chinese refer to as black tea) is the only class of tea which is fermented. A very common mistake made is to wrongly say western black tea is fermented, which I assume must be caused by the confusing translation of red tea to black tea.

If you ever have the chance to taste each color of tea you would be one of the lucky ones. Real white tea can be hard to get outside of China and yellow tea is almost impossible to purchase without connections to a tea maker.

Happy tea time.

WhatsApp conversations increase your medical bills? When ads are not just ads.

Europeans on the web have typically been much more privacy aware than their US counterparts. So the WhatsApp exodus post Facebook purchase (as seen in the iOS AppStore charts led by alternative clients in a number of European countries) didn’t surprise me that much.


iTunes AppStore Charts for Germany on 24.02.2014 – Source:

But what was unusual is my personal decision to join the masses and move to alternative messaging clients. Having spent the better part of the decade working in an IT security competence center (with a WhatsApp history) I try my best to distinguish between privacy paranoia and real issues. WhatsApp has had terrible privacy and security issues in the past but in my mind the sale poses a much larger concern than anything before. Since a lot of my knowledgeable and respected peers are downplaying the risks I will try to explain my point of view.

Facebook is a business and wants to make more money than it spent buying WhatsApp

Facebook paid 40 USD per user and WhatsApp charges roughly 1 USD per year per user. They have announced that they won’t be putting ads on WhatsApp and we can also safely assume no single user will spend 40 years on WhatsApp. So Facebook needs to generate more income per user to cover their costs. One option would be to up-sell additional services, like the recently announced voice features. But seeing as there are often free alternatives I don’t think this will be the major revenue stream for the average user*.

Facebook has one of the best ad targeting features


Facebook Ad Campaign Targeting – Source:

The more obvious revenue stream is of course advertising. Not on WhatsApp itself, but on Facebook. Very few people have come in contact with their ad platform and probably don’t realize that Facebook has one of the best ad targeting platforms available.

Take a look on the right at what features (or “signals”) you can choose to specify your audience: basic demographics, interest but you can also include or exclude people based on likes, connections etc. The signals available here are more or less opt-in meaning I chose to tell Facebook about them. If I specify an interest in Japanese sencha then I can expect to be shown ads that sell tea. Fair enough.

More data leads to better targeting and more revenue

Taking into account that Facebook is data hungry enough to save messages you never even sent, it is more than likely that your WhatsApp messaging data will somehow generate new signals for the Facebook ad platform that advertisers can use. And that’s where the problem lies. I never opted-in to the use of my messages on WhatsApp in the past for this purpose. Their firm stance on not using ads actually reduced the risk of them ever using conversations between friends and family for this purpose, but after the sale all bets are off (especially considering the maths).

Think back to your conversations for a moment. Did you ever mention an injury to a friend in an apology for not going to their birthday party? You most certainly didn’t “like” that type of injury on Facebook or specified it as an interest – but what if Facebook decides that ads can be targeted to you for your injury in future by using the WhatsApp data? By now I imagine a lot of you asking: “Who cares? So I’ll be bombarded by medical ads in the future. I don’t care.” This is where things get ugly and most people don’t think around the corner.

Risk reduction leads to even more revenue

Marketers are clever people. Risk managers are often even cleverer. Let me outline the scenario: Your insurance company is constantly trying to improve their risk assessment of you. Of course they would like to know of any hip injuries you have that may need treatment in the future because it increases their costs. But how do they get that information? Let’s say they create an enticing ad with a pretty girl smiling and the phrase “win XYZ”. There’s a good chance you will click on it.

What you don’t realize is that the ad was only shown to people who talked about hip injuries using Facebook’s ad targeting. By clicking on the ad you were taken to a specific page on the insurers website and they can now change your personal risk assessment based on that click**. Suddenly your insurance rates go up and you may never even know why.

Advertising fuels the internet – but it’s about opting in

As an internet user I am aware that a lot of what we consume is free thanks to advertising. I’m not inherently opposed to that and believe that good ads are personalized. Also I believe you have to make a conscious choice what you decide to share on the web. If you post, share or like anything on an ad supported platform, think of it as public information.

Sure I notice ads following me around different sites on the internet for ages if I just once check the flights to Barcelona*** and yes Amazon still recommends jigsaw puzzles because I once bought some as a gift for a friend. But in both cases I entered that information knowing fully how these systems work. In the best case scenario Facebook changes the privacy policy to only allow them to use any future messages for advertising purposes.

So by making a conscious decision to change to a messaging tool that is not entangled with an ad network I can theoretically not be targeted in the aforementioned way. My choice is Threema – sure it has its issues – but as a European company I put some trust in EU privacy laws.

And in the worst case… Well, my data is already out there. Game over.


Visual Studio 2013 Preview and Apps for SharePoint

In case you installed Visual Studio 2013 Preview onto a fresh machine (in my case Windows 8.1 Preview) and ran into one of the following problems when creating an App for SharePoint install the prerequisites mentioned below…

Problems on compiling the empty ASP.NET MVC (App for SharePoint template solution):

  • The type or namespace name ‘SharePointContextFilter’ could not be found (are you missing a using directive or an assembly reference?) …\Controllers\HomeController.cs
  • The type or namespace name ‘SharePointContextFilterAttribute’ could not be found (are you missing a using directive or an assembly reference?) …\Controllers\HomeController.cs
  • The name ‘SharePointContextProvider’ does not exist in the current context …\Controllers\HomeController.cs
  • The file “SharePointContext.cs” is missing in the root of your web application.

Installed the following prerequisites to solve the problem:

When a missed flight is not a lost opportunity – the birth of a product

“If you never miss a plane, you’re spending too much time at the airport.”
George Stigler, U.S. economist

In my case it was more a combination of a traffic jam and an invalid ticket that caused me to fly to Madrid a day later than originally planned. Most people would consider this a nuisance. For me it was a gift.

The most valuable gift of all: free time.

Here a full day with unallocated time.

When this happens my little black idea book comes out for a review. I decided to use this extra time to take some baby steps for a new product idea. I settled on a personal pain point I’ve been having for a couple of months.

Whenever I create proposals, plans or any kind of non trivial document I end up taking a corporate template and then start copy pasting from existing documents and hopefully end up with a useful starting point. I still haven’t started writing the actual document yet! Definitely something that can be improved on, right?

The main venture I work on (WhatAVenture) is all about improving and simplifying the way to develop business models from ideas just like in this case. Even though this is “just a small product” I’m approaching it the same way I would approach a much bigger idea.

In our approach which is very lean oriented I need to start by testing some of my basic assumptions. Specifically I must ask myself: Am I “normal” or not? I’m not talking about talking to a psychiatrist, but rather is my painpoint something that is unique to me or are others out there that have the same problem. I’m not going to write a single line of code before I at least know that I have a handful of early beta testers that can’t wait to try it.

1. Problem

Let’s begin with defining what my painpoint is in detail. While I’m writing this I’m automatically creating a set of assumptions. These become the hypotheses I have to test!

Small businesses (<50 people) create proposals by copy pasting elements from other documents. This approach costs time (time for creating the basics of the proposal takes about 50% time of creating a proposal) and causes errors (at least 1 recognized error per 10 proposals).

Notice how this is formulated as a measurable and testable problem hypothesis. I could start to test this by simply talking to potential customers. Then again I want to work somewhat efficiently, so I will also describe my proposed solution but I must take care to always ask about the problem first.

2. Proposed Solution

A hosted service that manages a toolbox of document elements to create proposals in Microsoft Word.

This is keeping it simple for the beginning. A click and point solution for creating new proposals for the dominant technology in the small business space. (Strictly speaking testing this will involve testing if Microsoft Word is still the dominant player here).

Armed with two hypotheses who do I ask? I’m going to also go ahead and propose a primary customer group (based on my problem hypothesis) which gives me an idea of who to ask for feedback. The customer group may also be wrong, so even if my feedback is negative, I have to ask if I need to change my customer group.

3. Customer Groups

The hosted solution solves the problem for small businesses (<50 people).


Granted it took some time to come up with these definitions, but it didn’t take up all of the 12 hours that I had just gained. So where did I spend the rest of my time?

In addition to in-person interviews I created a landing page with some basic product mockups. This is an approach a lot of bootstrapped entrepreneurs and other startups (should) take. It gives me something to point people to (if I can only reach them async), people may pass it on by themselves (free feedback from other sources) and if I want to test via ads I’m prepared to do so. A little investment for a lot of options.

So all that’s left is to walk out the door and start talking …

Check back for updates. (Or go to and if you have feedback send me a message.)

“Bob is on” – Your system is leaking information

Exchange with a more risqué site and at best the grapevine starts talking. In the worst case political views, private activities etc are used to blackmail you.

A very common security best practice is to avoid information leakage on web sites. This basically means you shouldn’t be able to figure out if a user account exists, by just simply typing in an email address into a website and interpreting the response.

This is achieved by not disclosing whether “your email or your password was incorrect” when logging in and by responding with “if this email exists, we will send a reset password link” when you forget your password. In both cases you can’t find out if the email address exists in their system.

Or can you?

Most of us receive emails almost instantaneously on our private (or maybe even on the business) phone. Let’s say you’re within hearing or seeing distance of the potential beard groomer that you’re targeting. Enter their email address into the forgot password field and wait for the “ding” on their phone. Now you can be pretty sure they just received that reset password link and you’ve uncovered their beard secret.

Of course this requires knowing their email address. But how hard is it to guess your own private email address? Try firstname.lastname@gmail/ and you’re probably good to go.

Another scenario often seen is sending the user an email if too many invalid login attempts have occurred (and subsequently the account is now locked). What was meant to increase security (the automatic lock out) again leaks information indirectly via the email.

The core of the problem lies in the coupling between the secret event and the notification at a known destination. 

How can we mitigate this? 

The lock out scenario is fairly simple. Don’t send an email when the locking occurs, but rather tell the user you are going to send a reset link when the user next logs on with the correct credentials (and provide the option to postpone sending).

The forgot password is a bit harder. Here security will come at the cost of some usability. The idea again is to separate the event causing the email and the actual sending of the email. If you wait a random number of minutes (>15) before sending the email then the attacker can’t be sure the email is related.
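One way to implement the two mitigations above (deferred lockout notice and randomly delayed reset email), as an added example that is not part of the original post. The class and method names, the 30-minute window and the `send_mail` callback are assumptions; the example also coalesces repeated requests and mints the token at send time, which the post does not discuss.

```python
import secrets

MIN_DELAY_S = 15 * 60   # the post's bound: wait more than 15 minutes
WINDOW_S = 30 * 60      # assumed width of the random window
GENERIC_REPLY = "If this email exists, we will send a reset password link."


class DecoupledNotifier:
    """Separates the triggering event from the moment mail is delivered."""

    def __init__(self, known_emails, send_mail):
        self.known = {e.lower() for e in known_emails}
        self.send_mail = send_mail   # assumed callable(email, token)
        self.due = {}                # email -> time the reset mail goes out
        self.locked_notice = set()   # lockouts to mention at next good login

    def request_reset(self, email, now):
        email = email.strip().lower()
        # Coalesce: a pending mail is never rescheduled or duplicated, so
        # repeated requests cannot produce a burst of "dings".
        if email in self.known and email not in self.due:
            self.due[email] = now + MIN_DELAY_S + 1 + secrets.randbelow(WINDOW_S)
        return GENERIC_REPLY         # same reply for known and unknown

    def flush(self, now):
        """Called by a periodic worker; sends what is due, returns count."""
        ready = [e for e, t in self.due.items() if t <= now]
        for email in ready:
            del self.due[email]
            # Token is minted at send time so the delay does not eat its lifetime.
            self.send_mail(email, secrets.token_urlsafe(32))
        return len(ready)

    def on_lockout(self, email):
        # No email here: the lockout itself must not ring the owner's phone.
        email = email.strip().lower()
        if email in self.known:
            self.locked_notice.add(email)

    def on_successful_login(self, email):
        """True if the UI should now offer to send (or postpone) a reset link."""
        email = email.strip().lower()
        if email in self.locked_notice:
            self.locked_notice.discard(email)
            return True
        return False
```

Times are plain seconds passed in by the caller, so the worker that calls `flush` can use whatever clock the application already has.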

As a final note, this scenario can be extended to private message notifications. If the attacker creates a fake account, reduces the number of potential accounts belonging to the victim (usually by knowing some information such as location, age etc) and just sends a private message to each one, chances are that he will hit the victim’s account sooner or later and “ding”. The beard groomer is uncovered once again.

The Importance of Committing


As a start-up team you’re ideally a heterogeneous bunch of people with different ideas and opinions. You will have to make decisions that are not unanimous. On the other hand successful startups seem to always have a shared vision and one plan of action. How do they do that? They can’t be living in a happy fluffy everybody agrees world, can they?

The magic word is “commitment” and so far our team has decided on important things like this:

  1. Discuss the available options.
  2. Argue as much as you like about your favorites.
  3. Decide by area of expertise, majority vote or hierarchy, but then
  4. Commit to the decision. 

There is no step 5: Bitching, Complaining or Backstabbing. I know it’s hard to accept anything that you don’t fully believe in, but for the sake of the adventure you’re in you have to try your utmost to act as one team and one mindset (at least facing outwards).

How am I coping so far? I try to over commit. Print and wear the t-shirt with the logo that wasn’t your first choice, write the user guide prematurely for the feature that you think is a waste of time and also watch out for colleagues that aren’t aligned. Stop and remind them to align with the group decision. Over time it will become second nature and you will forget you ever had a different opinion (at least until the company biographer asks).