Bulletproof Coffee

I have been hearing a lot of talk about Bulletproof Coffee lately. I decided to take the plunge and give it a shot this morning; who doesn't like a good body hack? I made mine with 1 Tbsp of Kerrygold butter, which is the butter I normally eat anyway, and 1 Tbsp of virgin coconut oil. I ran it through the Magic Bullet to blend it and gave it a go.

I have to say the butter seemed way too rich for me in a cup of coffee; I found myself continually adding more black coffee to the mix to tone down the flavor. I used coconut oil instead of MCT (medium chain triglyceride) oil, as that is what I normally eat anyway, and I am not convinced about MCT yet versus something more natural. Here is an article talking about MCT vs. coconut oil. In theory I like the concept: as someone who sometimes eats a Primal diet, I have seen the benefits of a higher-fat diet for both appetite control and weight loss, so this seems to fit right into that.

The question is, did it do anything for me? So far I am not noticing any difference as far as mental clarity goes on day one; I will see how it works for appetite control. I suspect it will work for that, based on previous experiments with a high-fat diet. Will I make it again? I think I will try it again to get a better sample than just one day, but I don't think I am going to blend it anymore. I don't like the consistency of it blended; I would rather drink coffee with the oil on top. I will post again if I see any different results from future experiments with it, but for me right now the jury is still out.

Speaking of security…

Today I came across the following news. The Chrome security team is considering marking all non-HTTPS sites as insecure (since they are). Check out the story here. What this means is that if you don't set up SSL on your site, you are likely to lose users who will wonder whether your site is safe to use. Google has already announced that it will rank pages higher in its search results if they use encryption, and this is just more incentive for people to take the time to secure their sites. In 2014 it no longer makes sense to run an unencrypted website. Techdirt also covered the story here.

Update
I forgot to mention that you can get free SSL certificates from StartSSL, so price isn't an excuse for not upgrading your site.

Security is about tradeoffs

When I was working on this site, one of the first things I did after setting up SSL was to run the Qualys SSL Labs test against it. This tool analyzes your site's TLS configuration, points out any weaknesses and assigns a grade. I initially scored a C and used the test results to get the site up to an A. When I got to an A I thought I was doing well, as I had robust forward secrecy and my four category scores (certificate, protocol support, key exchange, cipher strength) were 100, 95, 80, 90. Then I saw this blog post over here and noticed that, while his site also had an A, he had a key exchange score of 100. This sent me down the rabbit hole of tweaking SSL configs to figure out how to really get a high score on this test.

After hours of testing I determined the difference was disabling the kEDH ciphers, which the OpenSSL ciphers documentation describes as "cipher suites using ephemeral DH key agreement, including anonymous cipher suites." Once those were disabled my key exchange score went up to 100, but I lost my robust forward secrecy rating. That is the tradeoff: if you drop those suites, the clients out there that support DHE but not ECDHE can no longer get forward secrecy, but if you keep them you are offering a key exchange the test rates as weaker. In the end I decided to drop them, and since I was in there I kept tweaking to one-up Christopher Burg and got my site all the way up to an A+ before he did. Who says a little friendly competition isn't good motivation?
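To make that tradeoff concrete, here is an added example (my own illustration, not code from the original post or from SSL Labs) that models cipher-suite negotiation against a server list with and without the kEDH suites. The suite names follow OpenSSL's naming; the server list, the two client profiles and the key sizes are constructed for the example. A Camellia suite is included on purpose: it changes the symmetric cipher, not the key exchange, so it has no bearing on the forward-secrecy question. One practitioner's note: SSL Labs grades key exchange on the weakest exchange the server will perform, and DHE suites are charged with the size of the server's DH parameters, which most Apache and nginx builds of the time left at 1024 bits. That is the usual (and, given the scores above, likely) reason the DHE suites pull the key exchange score down to 80.

```python
"""Model the trade-off behind dropping the kEDH suites: which clients keep
forward secrecy, and what sets the weakest key exchange the server offers.
Suite names use OpenSSL's naming; the server list, client profiles and key
sizes below are constructed for this example, not taken from a real scan."""

# Server list in preference order (constructed; a real config advertises more).
SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-CAMELLIA256-SHA",  # Camellia changes the cipher, not the key exchange
    "AES256-GCM-SHA384",
    "AES128-SHA",
]

# Constructed client profiles: a current browser, and an older client that
# supports classic DHE but has no elliptic-curve (ECDHE) suites at all.
MODERN_CLIENT = {
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384", "AES128-SHA",
}
LEGACY_CLIENT = {"DHE-RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA", "AES128-SHA"}


def key_exchange(suite):
    """Key-exchange family encoded in an OpenSSL suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"        # anonymous DH: no authentication at all
    return "RSA"             # static RSA key transport: no forward secrecy


def has_forward_secrecy(suite):
    return key_exchange(suite) in ("ECDHE", "DHE")


def apply_policy(suites, drop_kedh):
    """OpenSSL's '!kEDH' strips every suite using ephemeral DH key agreement,
    the anonymous ADH suites included. ECDHE and plain RSA suites stay."""
    if not drop_kedh:
        return list(suites)
    return [s for s in suites if key_exchange(s) not in ("DHE", "anon")]


def negotiate(server_suites, client_suites):
    """Server-preferred negotiation (ssl_prefer_server_ciphers on): the first
    suite in the server's order that the client also supports wins."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None


def weakest_key_exchange(server_suites, rsa_bits, dh_bits):
    """(bits, suite) of the weakest key exchange the server will perform.
    Simplification: DHE suites are charged with the DH parameter size, all
    others with the certificate key size (ECDHE curve strength is ignored).
    Scanners such as SSL Labs grade key exchange on this weakest link."""
    return min((dh_bits if key_exchange(s) == "DHE" else rsa_bits, s)
               for s in server_suites)


def summarize(drop_kedh, rsa_bits=4096, dh_bits=1024):
    """What each client profile negotiates under a policy, and the weakest
    key exchange the policy leaves on the table."""
    suites = apply_policy(SERVER_SUITES, drop_kedh)
    result = {}
    for name, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        chosen = negotiate(suites, client)
        result[name] = (chosen, chosen is not None and has_forward_secrecy(chosen))
    result["weakest_kx_bits"] = weakest_key_exchange(suites, rsa_bits, dh_bits)[0]
    return result


if __name__ == "__main__":
    for drop in (False, True):
        print("drop kEDH:", drop, summarize(drop))
```

With kEDH kept, both clients get forward secrecy but the 1024-bit DH parameters are the weakest exchange on offer; with kEDH dropped, the weakest exchange becomes the certificate key, while the legacy client silently falls back to static RSA and loses forward secrecy. The third option the test leaves open is to keep the DHE suites and replace the parameters: `openssl dhparam -out dhparam.pem 2048`, loaded with nginx's `ssl_dhparam` directive or, on Apache 2.4.7 and later, appended to the certificate file.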

For anyone who is curious, I looked into what it would take to get all 100s on the test, and it is a price I am unwilling to pay at this time. Basically you have to run only TLS 1.2 and have things really locked down. The other thing I would like to figure out is whether the Camellia ciphers are good and considered secure. I saw some sites recommending them, but I haven't really heard much about them. I would love to know what the security community thinks of them, whether they are considered secure or efficient. I considered testing them against the Qualys SSL report card, but it was midnight when I finally got to my A+, so I just left things where they were. If you want to check out my score on the test, go here. Also check out this lovely image of my report card:

[Image: ssl-reportcard]

Google Apps for Business

So when I finally resurrected my domain after it had been idle for probably about 10 years, I was thinking I should just roll out Google Apps to host my email. Back in the day I ran haskovec.com off a Sparc server running, I think, Solaris 10, but I am not 100% sure of the version anymore. I just ran it off my DSL and used DynDNS to map a hostname to my home DSL's dynamic address, as I was too cheap to pay for a static IP. At that time I was running a Postfix SMTP server for email.

Fast forward to now: I had been considering getting a Raspberry Pi and bringing this stuff back, and then I remembered Amazon's offer of free EC2 micro instances. Free hosting for a year, a real static IP and no hardware to fool with at my house, so EC2 it is. This time around I figured hosting my own email was too much work, and the spam filtering never seems as good as Gmail's, so I planned to sign up for Google's free account for up to 10 email addresses. Only it doesn't exist anymore. I needed an email address to get my SSL cert set up, so I signed up for the 30-day trial just to get that done. As I thought about it, there was no way I was keeping that around, as I am not planning on using this email, so why pay for it? After some Google searches and messing around I am running Postfix again, just to forward messages to my main email account. Problem solved, and it was a free solution!

Spring 4.1 / AspectJ Progress

My coworker discovered that the new version of AspectJ already has flags built in to turn off annotation processing. If we can use those, we can continue using the Maven Processor Plugin to generate the Hibernate metamodel and not have to abandon it. The problem at this point is that the AspectJ Maven plugin doesn't support passing those flags along to AspectJ. So the next step is to get a patch into that plugin, and hopefully we can make the jump to Spring 4.1 at the start of the new year. After that I am going to focus on updating our container so we can finally move to Java 8 at work.

SpringOne2GX 2014 Java8 Language Capabilities

I was fortunate enough to attend SpringOne this year, where I went to a talk by Venkat Subramaniam on Java 8. I have to say that before this talk I had always been sort of meh on the functional features brought into the language, but this really got me excited about them. It is the first talk on functional programming I have ever heard that wasn't boring and really engaged the listeners. I strongly recommend people check it out.

Maven Compiler Plugins, AspectJ, and the Hibernate Metamodel generator

For a while now I have been avoiding upgrading the Maven compiler plugin. We are running 2.5.1 at work. The problem is that the 3.x version seems to have been rewritten, and it doesn't want to play nice with the maven-processor-plugin we use to run the Hibernate metamodel generator. So far my attitude was: fine, I just won't upgrade to the new version.

Then AspectJ 1.8.2 came out, along with a new AspectJ compiler plugin that also seems to be built like the new compiler plugin. At this point I figured I might as well update both, since Spring 4.1 wants at least AspectJ 1.8.2. But the whole thing still falls apart at the metamodel step. I found a flag for the Maven compiler, forceJavacCompilerUse, but even that didn't solve the problem for me. A coworker pointed out that AspectJ seems to be doing what we were using the maven-processor-plugin for, generating the metamodel classes for the entities, so he disabled that plugin. However, for some reason, instead of dumping the generated files in the target directory it puts them in whatever directory you run the build from, and we can't seem to find a way to get it to drop them in the target folder.

So at this point we either need to keep banging our heads against the wall on this, or consider rewriting the one place we use the metamodel classes so it no longer needs them and throw that code out in order to upgrade to Spring 4.1.

PGP and the trouble with the web of trust

I have been a fan of Pretty Good Privacy and GNU Privacy Guard for years. It was just a great idea, and I would love to see it more widely used. One problem PGP has always had is the learning curve and ease of use. It used to be very difficult to integrate it into your email; today it is easier, with plugins for Thunderbird and other mail apps.

One of the greatest weaknesses of PGP, from way back in the day until today, is key exchange: how to know you have a valid key for the person you are trying to contact. We have key servers where you can search for a key by someone's email address, but again you have the issue of how you know the person you are contacting actually posted that key and it isn't an adversary pretending to be that user. Back in the day there used to be discussions of key signing parties and other things that just didn't seem practical. I think my PGP key has been signed by one user. Then along comes Keybase. This seems to solve the big issue with PGP, which is how to find a key for someone and how to know you can trust that key. Now if someone follows me on Twitter and this website, they can see that Keybase has validated my PGP key against ownership of this domain and my Twitter account, among other things, finally solving the issue.
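To show why "signed by one user" gets you almost nothing under the classic web of trust, here is an added example (my own illustration, not code from the original post or from GnuPG) that computes key validity the way GnuPG's classic trust model does with its default settings: a key is valid once it carries one certification from a fully trusted valid key or three from marginally trusted valid keys, walking outward from your own (ultimately trusted) key up to the maximum certification depth. The keyring, the names and the trust assignments are constructed; they are placeholders, not real key IDs. The key `frank` below is in the position the post describes: one certification, from a signer you only trust marginally.

```python
"""Classic GnuPG-style web-of-trust validity check. A key becomes valid when it
carries enough certifications from keys that are themselves valid: one from a
fully trusted key or three from marginally trusted keys (GnuPG's defaults:
completes-needed=1, marginals-needed=3, max-cert-depth=5). The keyring below is
constructed for this example; the names are placeholders, not real key IDs."""

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# target key -> keys that have signed (certified) it
CERTS = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"alice", "bob", "carol"},   # three marginal certifications
    "frank": {"alice"},                  # a single marginal certification
    "eve": {"mallory"},                  # signed only by a key nobody vouches for
}

# owner trust: how much I trust each key holder as a certifier of others.
# Keys absent here have unknown owner trust and never vouch for anyone.
OWNER_TRUST = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL}


def compute_validity(certs, owner_trust, completes_needed=1, marginals_needed=3,
                     max_cert_depth=5):
    """Return the set of keys considered valid, starting from ultimately trusted
    keys and walking outward one certification hop per round."""
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _ in range(max_cert_depth):
        newly_valid = set()
        for key, signers in certs.items():
            if key in valid:
                continue
            # Only certifications from keys that are already valid count, and
            # only in proportion to how much the signer's owner is trusted.
            full = sum(1 for s in signers
                       if s in valid and owner_trust.get(s) in (ULTIMATE, FULL))
            marginal = sum(1 for s in signers
                           if s in valid and owner_trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def explain(key, certs, owner_trust):
    """Human-readable verdict for one key."""
    valid = compute_validity(certs, owner_trust)
    signers = certs.get(key, set())
    vouching = sorted(s for s in signers if s in valid and owner_trust.get(s))
    status = "valid" if key in valid else "NOT valid"
    return "%s is %s (certified by %d key(s), %d of them trusted and valid: %s)" % (
        key, status, len(signers), len(vouching), ", ".join(vouching) or "none")


if __name__ == "__main__":
    for name in ("dave", "frank", "eve"):
        print(explain(name, CERTS, OWNER_TRUST))
```

Two things fall out of the run: `dave` is valid only because three separately trusted people certified him, and `eve` stays invalid even if you assign `mallory` full owner trust, because trust in a signer only counts once that signer's own key is valid. Keybase's proofs sidestep the certification count by tying the key to accounts (a domain, a Twitter handle) that you can check directly; that is evidence of account control rather than of identity, so the question becomes whether you trust those accounts and the proof checking itself.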

Now we finally have better tools for PGP, and the world has moved on to webmail, which makes it much more difficult to encrypt end to end again. Anyway, if Keybase sounds interesting to you, you can find me here. If anyone wants an invite, send me a request on Twitter.

G1GC String Deduplication of a simple Spring Boot Webapp

I have been messing around with some of the settings in the Java 8 VM, and I have been playing around with Spring Boot lately. I have a minimal Spring Boot webapp with a couple of entities, services and controllers, configured to run as a standalone jar with an embedded Tomcat 8 server. When I run java -server -jar myapp.jar, Spring Boot launches my app, and when it finishes loading the Java process is sitting at 870,160K of memory.

Then I launched the app as java -server -XX:+UseG1GC -XX:+UseStringDeduplication -jar myapp.jar. Spring Boot launched the app, and when it finished loading it was using 525,076K. That seems like a pretty big savings to me, and I saw even more dramatic results when testing over the weekend, like 900,000K for the first case and 366,000K for the second. Either way, I have to think that if I were to launch a site today on something like Amazon EC2, where the cost goes up quite a bit as memory rises, I would be strongly tempted to run on this GC. I know the tests I have seen show it isn't quite as fast as ConcMarkSweep and some of the other options, but if you are memory constrained I think it would be worth testing to see if it is fast enough. This test was run under a 64-bit Java 8 Update 25 VM on Windows 7 (with 8 GB of RAM in the machine). One check worth making before drawing conclusions: -XX:+UseStringDeduplication only works with G1 (and needs Java 8u20 or later), so this comparison changes two things at once, the collector and the deduplication. Running with -XX:+UseG1GC alone, with the same -Xmx in both runs, separates how much of the saving comes from G1's heap sizing and how much from deduplication itself, and -XX:+PrintStringDeduplicationStatistics reports what the deduplication actually reclaimed.