The Day Netflix Became Stupid

As a systems administrator of 21 years, 7 of which has been spent working in the film industry for two Academy award-winning companies (one winning an Academy science-tech award for their contribution to the VFX and post-production community), I can tell you that there is nothing worse dealing with a Big Content company such as Netflix and telling them they’re plain wrong about something, only to be brushed away like a pesky fly.

The bother surrounds Netflix’s download function on iOS devices.  At the moment I’m downloading TV shows like Star Trek Voyager and Star Trek Deep Space Nine to watch while I’m commuting to work.  I’ll do this on my home internet connection via Sky Broadband if I remember, otherwise, if I have good 4GEE Max connectivity on my phone connection, I’ll use that.


As people have been using VPNs to circumvent geoblocking and accessing content that hasn’t been licensed to a particular country or region, Netflix has been coming down hard on IP connections that do not match the country in which the account is in.  However, this is a lot more complicated in practice because of the complete lack of IPv4 addresses (with many blocks being re-allocated from different countries) and things like the ARIN/RIPE databases not being up to date, or any other geolocation database from any third parties not being particularly inaccurate.  There are many other considerations to take into account too.

Recently, while attempting to download an episode of Star Trek Deep Space Nine on the Netflix iOS app on my iPhone X, one episode downloaded.  The next failed.  And the following episode also failed to download.  I was at Woking station at the time, waiting for the train, and had good 4G connectivity.  I should mention I also have a highly generous bandwidth allowance from EE too.  Upon looking up an error code (what is it with error codes – please make errors more meaningful!) it apparently meant that I was using a VPN or proxy and should disable it.

ALAS again!

I’m not.  No VPN connection.  A proxy?  Only if EE is transparently routing me through some form of web proxy.  But that doesn’t explain how previous downloads have all worked perfectly well when connected to the EE 4GEE Max network.

Now, if EE is doing some form of proxying to cache/reduce the load on their network, the IP address blocks which they use should show that it is coming from the UK.  Every EE block I’ve looked at is designated GB as the country of origin.  But Netflix wasn’t having any of it.  Looking at the IP I had been allocated through several iOS apps and mobile Google Chrome (just use the query, “What’s my IP?”) and using a Mac terminal to WHOIS the IP, it’s in the UK.  So I went online to chat with a Netflix representative..

Netflix says ‘There was a problem with this download. (10013)’~~
Carolina Netflix
Hi there, thanks for reaching us today. I see that you are experiencing error code 10013 Click Here in this case you would need to disable any vpn connection
I’m not using any kind of VPN or peering software. I’m directly connected to my phone provider’s 4G network.
Netflix systems are misidentifying the IP address. At the moment, it is according to Googling “what’s my IP?” in Chrome mobile browser.
route: EE routeorigin: AS12576mnt-by: AS12576-mntcreated: 2012-12-07T14:43:16Zlast-modified: 2015-04-27T10:21:30Zsource: RIPE
Carolina Netflix
Can you please check the ip address you have by following the steps on this article Click Here ?
But I’ve already done that as evidenced by the the above – full output from WHOIS: inetnum:  (snipped for brevity – the key point is country: GB
Carolina Netflix
If you are getting that error message, it’s because we have identified a different ip address and we are unable to know what is your physicall address, that’s why the service was stopped. Now, to recover the access you would need to get in contact with your ISP to request an IP address that matches the country in which you’re located.
How about putting some diagnostics into the Netflix iOS apps that can display this info as well as report back that info to you guys, because all I can do is repeat the IP address and IP block that I’ve given you based on information obtained from Google in a mobile Chrome session.
Carolina Netflix
What happens Martyn is that our service is not designed to work with VPNs or proxy connections. You may have trouble using our service when connected to one, and since this is the case, you would need to disable them and we cannot do it on our end. That’s why we recommend you to get in contact with your ISP so they can assist you better provinding you the reason why this is happening and the right resolution to go back to streaming
The responsibility for me to prove where I am should not be mine. Having worked as a systems administrator in the film industry (2 academy award winning VFX companies) managing networks, I find this sort of thing extremely frustrating.
Just as a matter of interest, what are your systems reporting back as the IP I’m connecting from. If I have to speak to EE about this, I need some evidence from your side.
Carolina Netflix
Sorry about that Martyn, this has to be done with the ISP, they are the proper team that can fixed this inconvenience on your end.
Carolina Netflix
This error code Click Here provide us the steps to work on, and it recommends to contact the ISP

I don’t believe it should be up to the Netflix subscriber to contact their ISP.  It should absolutely 100% be on Netflix to take the report given to it by the subscriber and work with the ISP concerned to determine how they’re connecting to the Netflix network.  In order to do this, Netflix should be building diagnostics into their applications so that everybody can see the IP address and network that’s connecting to the Netflix network.  I can only provide the IP address I see to EE (who have reached out, which is kind, but I don’t believe they need to act on my behalf – it should Netflix who should be doing so).

What did Netflix actually see when I attempted to download those episodes?  Given that I work with multiple third-party network providers (Akamai, Limelight and CloudFlare to name but a few) in which a customer’s real IP is carried through a number of proxies, we can still determine with reasonable accuracy where they’re coming from.  It’s important for us because we need to allow/deny to various internal systems based on the real IP.  Granted, that IP is likely to be static, and granted, we know in advance where they’re connecting from regardless of whether or not that is a VPN endpoint.  I appreciate this is rather more complicated in Netflix’s situation.

We are in this mess because of Big Content and people trying to circumvent restrictions.  Hollywood is still a massive headache for everybody (and belive me, as a former film/TV sysadmin, Hollywood.   Piracy is still a massive headache for everybody.  Rights are still a massive headache for everybody.  But please, don’t make it any harder on the consumer/subscriber than it is necessary to do so, else people will simply go elsewhere.  I’m finding that I’m buying more content from iTunes than I am consuming from Netflix and Amazon because Apple makes it easier for me to watch their content.  We just need Apple to offer TV shows in UltraHD/4K where available and offer iTunes Extras for TV shows and we’re good.  As for the Apple TV streaming service, let’s hope it works as well as iTunes film/TV.

When streaming services and more ISPs support IPv6 – now that’s going to be FUN!  Though, in theory, it should help things along a bit.  Providing everybody keeps their IP allocation entries up to date with the relevant Internet authorities.

At the moment I’m still deciding whether to keep my Netflix subscription or not based on that exchange.  I hate being made to jump through hoops to get something working because of something that isn’t my fault.  I have contracts with both Netflix and EE, but the responsibility for me being allowed to watch those shows should be on Netflix.  If the cell/ISP throttles or restricts video streaming, why shouldn’t I be allowed to use a VPN to access it (providing endpoint is the same country as my account)?  Mind you, if that were the case, I wouldn’t be using that kind of ISP in the first place – have always avoided those sorts,

You don’t need ransomware to make me WannaCry about Windows..

Windows Servers.  What a load of old tosh.  The past three weeks or so have seen me tinkering unnecessarily with the blasted things because of Microsoft’s inability to write an operating system which is so super sensitive to hardware changes – principally because of licensing – that just by upgrading underlying virtualisation software triggers the operating system to think it has a new network card.  You can imagine the chaos something like that can cause!

It’s not just that which makes me despise Windows Server.  For similar reasons, if a dedicated server chassis dies and needs to be swapped out – you’d better have a spare because any hardware changes will cause Windows to freak out.  Linux has no problem with such things providing you’re using a modern distribution and reasonably up to date hardware.  Generally speaking, with maybe a very few exceptions, Linux Just Works(tm).

Don’t get me started on those people that are still running the now 15 year old Windows 2003.. (though this article about Fasthosts running Windows 2003 for their backup platform made me laugh a lot more than it should – and bury my hands in my face for leaving an obsolete OS in charge of managing critical customer backups).

The whole WCry situation around these parts has been, strangely, pretty good – indeed, a lot more people have taken an interest in their backups and patching their systems and this is only to be commended.  A good old major outbreak tends to kick people in the teeth and get them thinking about disaster recovery.

Just because I use MacOS and Linux isn’t making me complacent – oh no.  Very recently Apple just released updates to iOS, MacOS and WatchOS to fix a rather nasty exploit, as well as general performance updates.  It’s one of the reasons I went back to iOS – Apple has become very good at rolling out updates much faster and on schedule than the likes of Samsung.

The server on which this blog runs on utilises something called KernelCare which patches the kernel in real time for newly discovered exploits.  This has the advantage of:

  1. Not having to wait for the OS vendor to release a patch.
  2. You don’t have to reboot the machine.

In my testing of KernelCare, it has worked very well.  If you’re using it in a VPS, it must support full virtualisation – paravirtualisation won’t cut it.

Meanwhile, Microsoft should stick to producing office productivity software and gaming (Xbox One) – it’s what they’re good at.  I’ve completely lost faith in their desktop and server operating system divisions.

Flim Flam Film Spam

I am convinced somebody out there is putting themselves out there as a spammer-for-hire for a number of UK film distributors.  It’s all exceptionally dodgy because the spammer is utilising a number of domains (far too many) and super cheap web hosting outside the UK where dedicated servers are super cheap – the bandwidth doubly so.

There appears to be absolutely no logic to the spammers mailing list of spamees – it feels completely random.  You’d think they’d use a list of known investors with money to burn, but this feels like it’s targeting individuals, promising them many riches and rewards for investing in the UK film industry.

The latest spam originates from a Spanish server.  The Spanish web host/ISP doesn’t offer an abuse@ email address (which they should under the relevant published RFCs), plus the unsubscription URL is invalid – it doesn’t resolve.

I’ve been in contact with the distribution company mentioned in the spam, asking them if they’re aware of the email (it could be they not, and the whole spam thing is a massive scam – in which case, the distribution company had better be informed so they can take action against the spammers themselves).  I doubt I’ll hear back, but it’s better to let them know than not.

If you do want to invest in British film – ignore random spam.  Look towards the BFI whom I’m sure can advise accordingly.  And remember – there have been a number of high profile court cases filed by the HMRC about tax schemes regarding alleged tax avoidance.  So it’s vital to get the correct advice.

Stay safe.

Apple owes a lot of money, but thankfully a new iPhone model is around the corner..

Personally, I don’t think Apple will get away with an appeal.  But I reckon it’ll make Apple think about where they’re going to want to put their next European HQ.  Probably a country which is in the process of leaving the EU…

Regardless, we can probably expect iPhone 7 announcements next Wednesday.  But I don’t care.  I’ve got my Samsung Galaxy Note 7, and it’s a thing of beauty.  This little (haha – but in all seriousness, even at 5.7″, it’s not as big as you might imagine) thing will have to last me at least a year – if not two.  But that’s okay, it’s got enough oomph in it to last the course.

The Hitchhiker's Guide to the Samsung Galaxy Note 7.. DON'T PANIC!
The Hitchhiker’s Guide to the Samsung Galaxy Note 7.. DON’T PANIC!

In comparison to the S7 Edge:

Samsung Galaxy Note 7 (left) versus the Samsung Galaxy S7 Edge (right). Note 7 has a Spigen case, the S7 Edge has a Griffin case.
Samsung Galaxy Note 7 (left) versus the Samsung Galaxy S7 Edge (right). Note 7 has a Spigen case, the S7 Edge has a Griffin case.

What I love about the Note 7 is how clean the UI is in comparison to the S7 Edge.  I’m able to put many more app icons on each screen, and the icons are much more “professional” looking.  The S Pen works fantastically well, and I’m extremely impressed with the ability to write on the screen when it’s “off” (Samsung’s “Always On” display feature) and save the notes for later use.  Only slight issue is that the case tends to hinder even my E.T. fingers at pushing out the pen, but I’ll get used to this.  Unlike the Apple Pencil which I still keep in its original packaging because Apple couldn’t be arsed to design a holder with their covers.

While the screen is curved like the S7 Edge, it’s less pronounced and makes it much, much, much easier to grip with or without the case.  It really does feel much nicer in the hand over the S7 Edge.

The S Pen works fantastically well, and I’m extremely impressed with the ability to write on the screen when it’s “off” (Samsung’s “Always On” display feature) and save the notes for later use.  Only slight issue is that the case tends to hinder even my E.T. fingers at pushing out the pen, but I’ll get used to this.  Unlike the Apple Pencil which I still keep in its original packaging because Apple couldn’t be arsed to design a holder with their covers.

Here’s the first image I took with the Note 7.  It should be identical to that of the S7 Edge.

Note 7 image test
Note 7 image test

Finally, a word about the Iris scanner.  It’s a pain in the rear end.  I’ll be sticking with the finger scanner (and others) for the time being.

I’ll post a more in-depth review after a week’s use.

(Note: I was due to post a report on Guildford’s Comic Con, but WordPress’ text editor / image editor is playing silly buggers at the moment.  I’ll to sort the photos out in Photoshop and deal with them that way.. sigh)

No longer just Let’s Encrypt, cPanel offers free Comodo-backed SSL certificates

With the latest release (to the CURRENT tier, which is considered “release candidate” worthy) of cPanel/WHM, you can now obtain completely free 90 day SSL certificates from cPanel themselves (backed by Comodo) for your web site.  This requires version 58 of cPanel/WHM.  These certificates will automatically be renewed.


This blog is already using them, and long may I do so.  As I’ve said earlier, obtaining SSL certificates for securing usernames and passwords or e-commerce is now the cheapest (e.g. free) it’s ever been.  There’s absolutely no excuse to run a web site that’s not secured by an SSL certificate now.  None.

If you don’t want to use Comodo backed SSL certificates, there will be a Let’s Encrypt plugin for cPanel/WHM appearing soon from cPanel themselves.