TL:DR; This is a garbage product created by jerks :-) Read on for a teensy bit more nuance.

The Real TL:DR in three-ish bullets:

It's actually not that garbagey of a product, but the opaqueness of it bothers me, it could be a very useful thing for admins who aren't me.

Comcast (Nominum) are either MITM'ing and changing results in flight of DNS lookups, which is super fucking irritating, or they're directing all port 53 traffic to their resolvers. Either way, that's super not great.

I need a way to open a goddamn case with my "Business" ISP without trying to explain myself in a conversation with L1 support or some chatbot. The fact that those are my only options caused me to abandon the possibility of getting help from my ISP, which is clearly why they do it this way.

This could be fixed by making it much more obvious that "SecurityEdge" is a thing and what it's doing. Also by giving users and site owners some way to feed back and get their sites delisted. It's not a "bad" product, but it's so opaque as to be useless to me, and I use similar products (Umbrella) in my real job, so I'm not exactly new to the category or how DNS works at a protocol level.

I'm sure this isn't news to anyone in the DNS security space full-time, but definitely surprised me

Comcast needs to make their Business site available on Firefox. It's embarrassing for them to require Chrome-based in a very 1996 "Built for IE 4" way.

About 3 weeks ago Natalie mentioned to me that she couldn't get to her site, and that it was blocked for "Malware and Phishing". Her site is hosted by SquareSpace, so a compromise of her site would likely impact a lot more than just her site. We've been here before and I'll come back to this in a bit.

The issue didn't only affect Natalie's SquareSpace site though, it also hit "shop.nataliecurtiss.com", which is hosted on the machine behind me, on my network, using the Comcast Business network. That page consists of a single redirect to Natalie's store on Etsy. I strongly recommend going there and buying some nesting dolls or something. So that's odd. I can categorically say that at this moment in time, "shop.nataliecurtiss.com" is not hosting a "phishing and malware" ridden garbage fire. That is subject to change, but right now, it's all clean.

So the page we're presented with is this:

That's about as generic as they come and there's no indication of who is showing it to us and why. For the record, I do not use Comcast's DNS resolvers. Until today there has been no "real" reason for this, but Comcast specifically has a long and proud history of DNS fuckery going back to the 90s. After today I'll be taking additional steps to ensure my DNS queries aren't being "improved" by my ISP.

Looking at the source of this page though, the only indication of whose fault this is a reference to an "xfinity" font family:

body {
font-family: Xfinity, Open Sans, Arial, sans-serif;
font-size: 14px;
line-height: 22px;
font-weight: 300;
color: #212121;
display: flex;
flex-direction: column;
}

Clearly at some point, Comcast is yoinking the plaintext DNS reply I'm getting from my upstream resolvers and replacing it, directing me to their "Malware and Phishing" page.

This is easily shown with nslookup. If I do a lookup against the public DNS resolver at 4.2.2.2 for www.nataliecurtiss.com from my home workstation I get 104.225.8.28(29), but if I do the same request against the same public resolver from off-site, I get the correct CNAME record for natalie-curtiss.squarespace.com.

Home

> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.nataliecurtiss.com
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
Name: www.nataliecurtiss.com
Address: 104.225.8.29
Name: www.nataliecurtiss.com
Address: 104.225.8.28
Name: www.nataliecurtiss.com
Address: 2607:fc50:3000:2::1b
Name: www.nataliecurtiss.com
Address: 2607:fc50:3000:2::55

Off-site

> server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
> www.nataliecurtiss.com
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
www.nataliecurtiss.com canonical name = natalie-curtiss.squarespace.com.
Name: natalie-curtiss.squarespace.com
Address: 198.49.23.176
Name: natalie-curtiss.squarespace.com
Address: 198.49.23.177
Name: natalie-curtiss.squarespace.com
Address: 198.185.159.177
Name: natalie-curtiss.squarespace.com
Address: 198.185.159.176

104.225.8.29 is a Nominum IP that doesn't tell me a whole lot about who's paying them and why exactly but at least identifies the specific flavor of DNS fuckery that's happening here.

So I started searching around for what people do about such blocked page messages as a site admin. The simplest thing is to visit this XFinity page, select "I can't reach a website I want to go to" and request the site be unblocked. There is no positive feedback here. You get an automated "we're gonna look into and see about unblocking you, bye forever!" response. I put as much context in my More Information box as I could, that I am the owner of these domains, if there's something wrong that's causing them to be blocked I want to know so I can fix it.

I did this twice a couple of weeks apart, and as expected it had no impact. If Comcast Business had a way to open a case without sitting on hold or dealing with an in-browser chat (bot?) I would have taken that route at this point.

Only the other day did it occur to me to have other Comcast/XFinity customers test this. I had one home user and one business user test and both were able to hit the site just fine. So is it a volume thing? We hit the site a lot from here, so it trips some kind of threshold? WTAF?

Today I remembered that a couple of weeks ago when the whole "Mozilla Terms of Service" issue blew up everyone and their brother was offering alternate browser suggestions. I recall someone suggested Zen at www.zen-browser.app, and recall getting the Malware and Phishing page for that. At the time I was like "hey nice security Zen, you get a nanosecond of traction and immediately get hacked into a malware farm?". I had forgotten this by the time Natalie complained about access to nataliecurtiss.com

Today is when it all clicked in my head. Oh, hey Comcast started sending me "SecurityEdge Activity Reports" in the mail some time ago. Wonder what's up with that. So I hit my account and logged into the SecurityEdge site for the first time. It looks a whole lot like a scaled down consumery version of Cisco Umbrella. You can select various "Category" blocks and there's a "Malware and Phishing" slider that is "ON" and ghosted so you can't turn it "OFF". You can disable SecurityEdge globally, which of course is what I've done.

Looking at my stats, over the past 30 days the Dashboard claims to have blocked an impressive 692 Things:

However drilling in and downloading the full csv output of all the blocks, there are only 196 rows (195 results and a header row). So whatever, I can't account for 692. There's no multiplier column that I can see, identical requests are just repeated as multiple rows. Anyway they break down like this. Here are the results for things where I know 100% are traffic I intentionally generated:

1 www.freeroms.com
7 nataliecurtiss.com
9 comms-sl-events.squarespace.info
10 yestonstore.com
16 eviltracker.net
22 shop.nataliecurtiss.com
25 zen-browser.app
69 www.nataliecurtiss.com

That's 160 of the 195 total, I removed two other heavy hitters at 16 and 20 hits each since I'm still investigating them. There are only three which either aren't related to my wife's site or the aforementioned Zen browser anomaly.

Whenever we let the cat in and out at night we'll leave notes so we can kind of track how long he was out:

- 12:30a - out
- 12:32a - too cold for kitty cats

That kind of thing.

So Natalie made a whiteboard to indicate his current status. Since I immediately added a Cat Thoughts thought bubble I think she's going to make another whiteboard piece to make a permanent one.

As noted previously we basically just bought our way into a retro-computer collection with the addition of an Atari ST and two further 8-bit systems. This created problems for us, but we decided to solve them with craftsmanship and as a result Natalie built an impressive henge.

Previously my office had a bookshelf that Natalie built while I was out of town for work. It worked great for 10 years or so but the shelves were only 10" deep, and while I was able to cram an impressive amount of stuff on there, it had to change. So we designed one 24" deep with a work surface a couple of inches deeper than that, and then a 20" hutch for the top section. This will allow us to have several layers of display items with storage behind them.
Because as is my motto: "If It's Not Display, It's In The Way"

So we've spent the last week setting everything up and trying to consolidate all the new stuff into bins, test what's working and what needs repair, and cabling up all the systems and network hardware. We put two 12u racks in the bottom, one is full of network hardware, NAS, and webservers and the other has several Atari 8-bit peripherals that are hooked up and then storage for in-progress projects like the Kaypro II. We designed it with the three cubbies to accommodate our printer and scanner, but decided that they were better used with books and stuff, so as a bonus we swapped out the top on a metal cabinet we already had and it really fits in well.

You can already see there's room for 4 computers/keyboards and mice "comfortably", and we could probably have 6 going if we really wanted to add anything more. We'll be spending some time to come trying to find the most effective way to fill this thing, but I think it's off to a good start, and we can nearly eat on our dining room table again, so that's a bonus! I think all we have left to do is unfortunately send the Elvis tapestry on a permanent vacation and replace him with 3 or 4 bookshelves to hold all the software and documentation we got with this haul.

Success. Today we (Mainly Natalie), recapped the high voltage board and after a couple of long waits starts, it boots straight up off the 40MB hard drive into System 7.01!

Of course, there's nothing on this machine. It's got Word, Hypercard, and that's about it. No Mac Paint! No Oregon Trail! So the next step on this adventure is obviously going to be to figure out how to get some software onto the machine.

Since posting about the week of 1983 TV Guide viewing, I've had questions from some people wondering about the storage and other hardware and software we use for our media library. It's really not very complicated to do, though I do have preferences and recommendations.

So here's what we've got.

Motivation:

Mainly I don't like the level of control streaming companies have. That they monitor everything we do, and that stuff comes and goes from services like Netflix and Amazon Prime on their timeline, not mine. I don't like the concept of paying for things like Spotify so that I can rent access to music I already own.

I realized like 15 years ago that while we often spent $200/$300 per week on CDs earlier in our marriage, Natalie and I were drifting away from actually listening to it much, because who wants to dig around for a CD to hear one song, then move to another CD. Ultimately, the same applies to movies, we have lots of DVDs, and I don't want to have to dig through booklets just to watch a couple of James Bond movies.

It's super easy to maintain, and we like being able to watch Saturday morning cartoons, "Nick-at-Nite" or throw on music videos while we play arcade games and eat pizza. Once up and running, it's all pretty much push-button access to all the media we like.

Media:

- 2000-2500 CDs (Maybe 200GB of music)

- Couple hundred movies, really probably not as many as most people.

- Lots of TV shows. Space-wise, this is where it adds up fast when you're ripping a box-set of 10 seasons of some show.

- Commercials, mainly from the '80s and '90s, but I'll grab anything fun that strikes us.

- Music videos. We have an overall collection of around 2000, and a subgroup of about 700 which represent "'80s arcade or pizza place" music. That's music that was just ubiquitous when we were growing up in the '80s and early '90s, and you heard it all the time whether you liked it or not. I've since come to appreciate these songs and bands in a way I didn't when I was a dickhead punk kid.

So all told, there's about a 5TB library of stuff, mainly TV shows, but also a decent music library that needs to get maintained and served.

Hardware:

- Ripping machines - Mainly, all I need is the maximum number of DVD trays I can get my hands on. There's nothing special here. My tools work on Mac or Linux so I can work wherever. We have one main Mac Pro that has 2x 8TB drives mirrored which hold the master copy of the media collection.

- NAS - Seagate GoFlex Home from like 10 years ago. I think I originally bought this with a 1TB drive, and have since upgraded it twice, which is kind of a massive pain. Now it's got an 8TB drive which has a copy of the media library from our main machine. I'll get into the pros and cons of this thing below.

- Raspberry Pi - I have a multi-use RaspberryPi which does various tasks to make things convenient and optimizing TV viewing. There are a handful of scripts which create random playlists every night for various categories of music videos, TV shows (Sitcoms, 'BritBox', 'Nick-at-Nite'), etc. It also runs mt-daapd, which I'll get into below.

- Amazon Fire Sticks - We have a couple of them. I'm not super impressed with their 8GB storage limit, but I'm definitely happy enough for the money they cost. They're cheap, around $20 now, and they do what they say on the box. Play video. I have side-loaded Kodi 17.x, but they seem not to quite have the resources for 18.x, though I'm really not sure why not. It's just slower.

- The Shitphone Army - I've got obsolete phones (Samsung Galaxy S4-ish) around the house and decent speakers set up so we can have music playing while doing the dishes for example.

Software:

- Kodi - I mentioned Kodi, which is just an excellent Free Software media library manager. Kodi gets /such/ a bad rap because of all the malware infected pirate boxes for sale, but you never see much from people who actually use it to manage a locally stored library of media they own. Can't recommend it enough. Get familiar with customizing menus in Kodi and making home-screen buttons linking directly to playlists. It's worth it and makes it look nice and easy to use.

- mt-daapd - I'm running out of patience with music streaming, though everything does work right now. MT-Daapd just basically serves up a library of music using the DAAP protocol, which used to be used by iTunes

- DAAP (Android app) - This could be great, but it seems to be completely un-maintained, and somewhat recently moved from being open source to closed, so unless I have an off-line copy of the source, there go my dreams of updating it. But it works well on the Shitphone Army and on the road so we can basically stream from anywhere. Other DAAP players for Android are pretty much all paid applications, and none of them seem to work better particularly than DAAP.

- Scripts A handful of poorly written scripts for ripping DVDs and maintenance of the library (below)

Recommendations:

Players - While the Fire Sticks work great, they're really very dependent on having constant access to Amazon. Were I installing mainly a Kodi machine, it would be much better to use a Raspberry Pi either with a direct-connected drive or mounting a network share. It's super easy to set up with ready-to-go disk images which boot straight into Kodi.

Playlists - Create lots of playlists. Playlists and randomizing things are two things that Kodi is terrible at, so I don't try to make it do it. These scripts run nightly on the Raspberry Pi and make .M3Us for us.

Filenames - Have a good naming convention. All my playlists are M3Us of just lists of files. That means that you don't get Kodi's metadata database with the pretty titles and descriptions, and so the files must be named descriptively enough that you can tell what episode you're looking at from the list of filenames. My template is "Name of the Show - S02E25 - Title of the Episode". Kodi's scrapers work well with that format and it makes it easy enough to fire up the Nick-at-Nite playlist and decide where to jump in.

At various times, I've considered parsing a copy of the Kodi database to suck out the metadata and add it in before the file location. In an M3U, that looks like this:

#EXTINF:185,Ian Dury & The Blockheads - There Ain't Half Been Some Clever Bastards
/mnt/eSata/filestore/CDs/Ian Dury & The Blockheads/Ian Dury And The Blockheads The Best Of Sex & Drugs & Rock & Roll/17 There Ain't Half Been Some Clever Bastards.mp3

It seems like having all that sqlite stuff happening would add a lot of overhead to generating playlists, and having well-named files saves me from having to worry about it, so I haven't bothered.

Storage - Though I use a "Home NAS" product that overall I've been pretty happy with, it does irritate me. Consumer market stuff is /so/ proprietary that it's quite hard to just get to the Linux system beneath and customize it the way you see fit. Specifically in the case of the GoFlex, "rooting" it even involved replacing Seagate's customized version of SSH with a vanilla one. Screw that up and you brick the device. I also run into network bottleneck issues with that thing. While you can enable jumbo frames, for instance, when syncing new content the CPU gets pegged, I believe I'm running out of network or disk buffer, which is kind of unacceptable in a NAS device.

Building it today, I'd just use a Raspberry Pi 3 with a USB drive enclosure. For the time being, my growth curve is still (barely) pacing along with the largest "reasonably priced" drives on the market. My ceiling is about $200 per drive when I do upgrades, because I am a very cheap man.

I have no opinion on consumer RAID arrays. I can only imagine consumer RAID based NASs come with all the shit I hate about the GoFlex. Yes, I'm biased against consumer grade garbage tech and that's probably not going to change. I'll have to buy one someday I'm sure, but for now it's all being kept simple.

Backups Keep backups. While I have multiple copies of everything, it does make me somewhat nervous that the only part of the media library currently being backed up off-site is the MP3 collection. That's got to change, and rsync is your friend. Ultimately I'll probably end up upgrading my home Internet from 20Mb/2Mb to something which will allow me to sync over a VPN tunnel to somewhere off-site (friend's house, work...).

Sample Scripts:

Here are some samples of the shitty bash scripts that run this whole nonsense. I know the better ways to write these, but the fastest possible way to hammer these out worked well enough and there's no way I'm going to bother going back and fixing them to be honest.

Rip CDs

I use an application called MAX on the Mac to rip CDs. I think its usefulness might be coming to an end, and I'm not sure what to do about that. It uses (used?) MusicBrainz database to automatically fingerprint and tag discs, but the last CD I ripped it seemed to have problems. You can run iTunes side by side with Max and drag the metadata over from there, so maybe that works well enough?

Anyway, I use that because I rip to both 320k CBR MP3 and FLAC. I have a shitload of stuff that really should be re-ripped since they're 128k and no FLAC, but I've so far been unmotivated to do so.

I wrote a bunch of stuff to move all the output files around and update iTunes libraries. Honestly I don't rip a whole lot of new music, which is a shame and which I should really fix.

Rip DVDs

DVD ripping is a lot more fragile than it should be. Good software like Handbrake are bullied into removing the ability to rip protected DVDs, and things are being pushed toward the commercial. I use mencoder in the script below.

DVD titles are sketchy at best, and as far as I know, you can't really fingerprint a DVD and scrape titles in the way you can with CDs. So I do what I can. I take whatever title the DVD presents and make an output directory based on that name plus a timestamp. That way if you're doing a whole box set and all the DVD titles are the same they're at least writing out to separate directories and not overwriting each other.

As far as file-naming, unfortuantely we don't live in the future yet and that's all down to manually renaming each output file. I use the information from TVDB, not IMDB, since that's the default library used by Kodi's scrapers. Sometimes the order of things is different between that and IMDB (production order vs airing order vs DVD order issues plague this whole enterprise).

#! /bin/bash

timestamp=`date +%m%d%Y%H%M`
pid="$$"
caffeinate -w $pid

id=$(drutil status |grep -m1 -o '/dev/disk[0-9]*')
if [ -z "$id" ]; then
echo "No Media Inserted"
else
name=`df | grep "$id" |grep -o /Volumes.* | awk -F "Volumes\/" '{print $2}' | sed 's/ /_/g'`

fi
name=`df | grep "$id" |grep -o /Volumes.* | awk -F "Volumes\/" '{print $2}' | sed 's/ /_/g'`
echo $name
dir="$name-$timestamp"
mkdir /Volumes/Filestore/dvdrip-output/$dir

echo $dir

for title in {1..100}
do
/Applications/mencoder dvd://$title -alang en -ovc lavc -lavcopts vcodec=mpeg4:vhq:vbitrate="1200" -vf scale -zoom -xy 640 -oac mp3lame -lameopts br=128 -o /Volumes/Filestore/dvdrip-output/$dir/$title.avi
done
chmod -R 775 /Volumes/Filestore/dvdrip-output/$dir

Playlist Script

The simplest Music Videos one below just looks at one directory of videos and one directory of TV commercials and randomizes all the content into an M3U. The more complicated ones have dozens of directories, and I'm sure I'm doing this array-building the wrong way. I'm sure I could have a text file with the un-escaped directory names I want and read that to build the array, either way, it really doesn't matter because if I want to add a TV series, I still have to edit a file, so this works fine. I've also thought about having a file in each directory like ".tags" that I search for terms in, like "comedy,nickatnite,british" and build the array from that, I dunno, sounds like work.

#! /bin/bash

array=`find ./ -type f;
find ../../Commercials -type f`

printf '%s\n' "${array[@]}" | sort -R | grep -v dvd_extras | grep -v "./$" | grep -v "\.m3u" | grep -v -i ds_store | grep -v ".nzb" | grep -v ".srt" > full-collection-random.m3u

- rsync the TV library. I have several of these, one for TV shows, one for movies, music videos, mp3s etc. It's just somewhat faster to only sync the thing I'm actually adding content to, rather than have to stat the entire library every time I rip a single DVD. The TV show sync tool also deals with the playlists, which are actually created on the NAS drive, so they have to be copied local before syncing or else they'll just get destroyed every day.

This checks to see if the NAS volume is mounted, if not it will mount it and re-run the script.

#! /bin/bash

mounted=`cat /Users/xrayspx/xrayspx-fs01/.touchfile`

if [ "$mounted" == "1" ]
then

cp ~/xrayspx-fs01/Common/TV\ Shows/1\ -\ Playlists/* /Volumes/Filestore/Common/TV\ Shows/1\ -\ Playlists/

rsync --progress -a --delete /Volumes/Filestore/Common/TV\ Shows/ ~/xrayspx-fs01/Common/TV\ Shows/

~/bin/umounter.sh
exit 1
else
mount -t smbfs //192.168.0.2/filestore ~/xrayspx-fs01/
~/bin/synctv
fi