2012 June


 NetDynamics threats: In defense of Dewberry

June 27, 2012

Recall, when I registered sentechsucks.co.za and their legal firms sent me some nasty letters?

Shaun Dewberry, out of principle, at that time registered suckmywireless.co.za and fucksentech.co.za. I’ll show some solidarity and support Dewberry this time around.

He’s been served with a “takedown” notice, and given six hours to remove his “defamatory” content in the NetDynamics and Online Radio statistics lies saga.

Dear NetDynamics: Screw you. Serve me with a takedown too please. I’ve mirrored Shaun’s opinion piece at http://rodent.za.net/files/dewberry/ , including your takedown notice, and I will continue doing so in various places on the Internet until such time as you get your shit in order. A technical rebuttal is much more effective than legal threats.

Some NetDynamics network facts:

  • The main portion of their “CDN” is hosted with PlusServer AG, a brand of the German company Intergenia
  • This portion of the “CDN”  is a single /27 netblock ( wide for a total of 32 hosts.
  • Their other cdn hosts are scattered around the subnet.
  • All transit is by Intergenia’s AS8972, a well connected European AS.

I thus support Shaun’s argument that it is unlikely that they’re serving out to 100k+ users,  just from the size of their CDN infrastructure.

In fact, some Netflow stats from two medium sized networks (that I cannot name) show that traffic from AS8972, is <300kbps across both networks and has been for a long time. This traffic does not match with the claims made, from a pure back-of-napkin calculation, but hey, stats are always dodgy right ?

The only point that they could contend in Shaun’s assessment of their CDN is that they “anycast” their CDN IP addresses which would make it bigger than what it looks like. Some BGP lookups and traceroutes on  local public route servers show this not to be the case. And whilst it’s possible to anycast a single IP address, the typical practice is to anycast a /24 since that is the smallest size that will be generally accepted by a BGP peer, so it’s unlikely in any event.

The bottom line is that Websites and online publications have created associations  that force it’s members to use standardised measures such as Nielsens to verify readership, so that there is a verifiable baseline for online content impressions, and to verify reader uniqueness.

These organisations have not yet caught up with Internet Radio, and thus, failing a standardised measure for online listenership measurements, they’ll have to rely on the old school mechanisms that regular stations such as 702 and others use to measure listeners. The SAARF, which measures commercial and community radio listeners seems to be an option.

Ballz and 2Oceans don’t seem to feature there at all.

The only thing Netdynamics could possibly claim is that 100k+ unique IP’s have accessed their servers, and that would probably include portscans, and considering the dynamic nature of IP allocations amongst consumers. I would estimate that 10-20% of 100k IP’s are unique individuals (from experience). That would put NetDynamics served unique customers at around 10k+ unique, which seems more plausible.

The bottom line is that if a Streaming CDN is reporting listener numbers, and if a Radio station is claiming listener numbers then the basic assumption HAS to be “lies, lies, and more fucking lies” because it is in their own self-interest to inflate numbers.

Uncategorized | 10 comments
10 responses to “NetDynamics threats: In defense of Dewberry”
  1. gareth says:

    Best argument so far I’ve seen. Thx.

  2. roelf says:

    AS20860, which seems to host their Erlyvideo RTMP flash video server traffic is also sub 400kbps average traffic from some of my digging. Still doesn’t add up.

    2oceans RTMP server:
    Ballz RTMP server:

  3. […] There are a few blogs that picked up on the developing story. Some badly written and some providing more punch. Here is Roelf Diedericks's response to NetD's attack in defense of Dewberry. Awesome. -HERE- […]

  4. The RTMP flash video server has only been deployed in the past week or so, as far as I am aware.
    An attempt to cover up/build a CDN all of a sudden?

    • roelf says:

      This does indeed seem to be the case. Webservers tend to serve out a file’s last modification date, but maybe these muppets didn’t think about that.

      HEAD  http://2ovradio.ndstream.net/flashplayer.htm
      200 OK
      Connection: close
      Date: Wed, 27 Jun 2012 14:24:21 GMT
      Accept-Ranges: bytes
      ETag: "fb993c-e9-4c35beb2edd80"
      Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2
      Vary: Accept-Encoding,User-Agent
      Content-Length: 233
      Content-Type: text/html
      Last-Modified: Tue, 26 Jun 2012 08:31:02 GMT
      HEAD http://ballz.ndstream.net/flashplayer2.htm
      200 OK
      Connection: close
      Date: Wed, 27 Jun 2012 14:25:30 GMT
      Accept-Ranges: bytes
      ETag: "11d818a-169b-4c35b6f80e0c0"
      Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2
      Vary: Accept-Encoding,User-Agent
      Content-Length: 5787
      Content-Type: text/html
      Last-Modified: Tue, 26 Jun 2012 07:56:27 GMT
      Client-Date: Wed, 27 Jun 2012 14:14:51 GMT
      Client-Response-Num: 1
      HEAD http://ballz.ndstream.net/
      200 OK
      Connection: close
      Date: Wed, 27 Jun 2012 14:30:09 GMT
      Accept-Ranges: bytes
      ETag: "11d8193-1975-4c35bd1ca9f00"
      Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2
      Vary: Accept-Encoding,User-Agent
      Content-Length: 6517
      Content-Type: text/html
      Last-Modified: Tue, 26 Jun 2012 08:23:56 GMT
      Client-Date: Wed, 27 Jun 2012 14:19:29 GMT
      Client-Response-Num: 1

      Both flash player pages that are typically framed by both stations, indicate last modification on Tuesday, 26 June.

      The Internet Archive shows that 2Ov’s pages previously pointed to which is one of the original Shoutcast based servers in the ND “CDN” that you analyzed. Those pages used a different kind of Flash Player that uses ShoutCast.

      http://ballz.ndstream.net/flashplayer.htm is the old player page (that still exists) for Ballz and uses, and thus, in the case of Ballz it’s easy to see there that it still uses the Shoutcast stream, but that the page was recently bait-and-switched, as can be seen from the modification dates of both http://ballz.ndstream.net/flashplayer2.htm and http://ballz.ndstream.net/

      Bottom Line:
      It would indeed appear that ND “recently” (this week) introduced the Flash Media Server bits in order to give credence to their prior Flash Media Claims, and attempt to discredit Shaun’s original research.

    • ANT says:

      There’s a conference next week at Wits on this very stuff. Your input is needed I reckon. Franz Kruger +27 11 717 4083

  5. daffy says:

    Netflow stats from 3 very large ISPs in Ireland show exactly 1 packet/s worth of traffic coming from AS8972 in the last day. So wherever those 15000 International listeners are, they’re not here…

  6. […] Other technical experts have also come out in Dewberry’s defence. […]

  7. Anonymous Coward says:

    * The most likely assumption is that the Shoucast servers are being replaced by backend infrastructure that do not public report active and peak listener stats.

    * If their Shoucast servers only handled 9% of traffic with the rest being served by Flash (as claimed) then simply looking at the PEAK users stats for Ballz (±830) that would still mean the other 91% is below 10k users.

    Quote from MyBroadband: ‘NetDynamix spokesperson Hanz Stricker said “percentage wise, it is reasonable to assume that 90.2% of our traffic is tunnelled to the Flash Media Server. Whereas 9% is tunnelled to a node on our Shoutcast network.”’


 DMA Don’t Contact LOL

June 26, 2012

The DMA Don’t Contact database is a bit of an oxymoron, and a joke.

But after the recent weeks’ spate of machine dialed spam, and human dialed spam, I’ve decided to give it a whirl.

  • The oxymoron is that the Don’t Contact me Database, contacts you.
  • And then the joke is that they cannot fucking spell.


I summarily reported the validation link as SPAM, so let’s hope that keeps them busy a while.



Uncategorized | Leave a comment


 Ericsson F3507g under Linux

June 19, 2012

After tearing my hair out making my Thinkpad’s Ericsson Business Mobile Networks BV F3507g Mobile Broadband Module work like it should I found the solution.

Without some magic initialization strings, whenever you create a PPP connection using pppd, you will simply get some cruft like the following

Connect: ppp20 <--> /dev/ttyACM1
sent [LCP ConfReq id=0x1 ]
rcvd [LCP ConfReq id=0x2 ]
sent [LCP ConfAck id=0x2 ]
rcvd [LCP ConfAck id=0x1 ]
sent [LCP EchoReq id=0x0 magic=0x7ee90359]
rcvd [LCP EchoRep id=0x0 magic=0xd1304c29]
rcvd [CHAP Challenge id=0x0 <4c95aa9b38117677e44d021350494e6f7c055a8b6881266714bdb20380b9fe5fac750a7b98f1d657442d62f3b029ae4fdce5ba6bc8618647749d12e3e0995e>, name = "Kermit"]
sent [CHAP Response id=0x0 <068d69fa57a15daa762f3d4ea548e605>, name = "xxxxx"]
rcvd [CHAP Success id=0x0 "Congratulations!"]
CHAP authentication succeeded: Congratulations!
CHAP authentication succeeded
sent [IPCP ConfReq id=0x1 ]
rcvd [LCP TermReq id=0x1]
LCP terminated by peer
sent [LCP TermAck id=0x1

The key being “LCP terminated by peer”. This modem seems to be faking a lot of stuff on the PPP layer, and the termination is actually initiated by the modem, and not the actual network itself, causing one to do some serious headscratching.

The magic, is in the following initialisation string, that you add to your chat script.


Yes, that’s right, lets have FUN=1 !

Without that bit in the init string there is no PPP to be had. Your connections will always report “Congratulations!” and then summarily disconnect.

You can also use AT+CFUN=5 for GSM/GPRS only mode or AT+CFUN=6 for 3G only mode.

Herewith a complete /etc/ppp/peers/fuckyouericsson chat script


"" AT
#set the APN
OK AT+CGDCONT=1,"IP","internet","",0,1
OK ATD*99***1#

Uncategorized | 1 comment
1 response to “Ericsson F3507g under Linux”
  1. Yea — FUN=1 simply turns the radio unit into ‘active’ mode – it will also light up the actual light on the LED if you have one.

    For most things Lenovo/IBM always look at thinkwiki first:


    Has helped me out a couple of times