Nicholai/block-nuke-telemetry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial public release - Nuke telemetry monitoring toolkit

Browse Source 
This toolkit provides comprehensive monitoring, analysis, and blocking capabilities
for network telemetry sent by The Foundry's Nuke compositor on Linux.

Key features:
- Network monitoring scripts with automated alerts
- Multi-tier blocking methods (hosts, firewall, namespace, AppArmor)
- Detailed packet capture analysis and documentation
- EULA legal analysis and privacy assessment
- Sanitized example captures and comprehensive guides

All sensitive data (personal IPs, usernames, packet captures) removed.
Ready for public sharing on Gitea.
This commit is contained in:
Nicholai 2025-11-26 15:28:21 -07:00
commit 6fada7889a
32 changed files with 6499 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.gitignore vendored Normal file
View File

@ -0,0 +1,24 @@
# Claude Code configuration
CLAUDE.md
.claude
.claude/**
# Sensitive data - packet captures and logs
*.pcap
*.log
nohup.out
# Dump directory artifacts with personal data
dump/**/*.pcap
dump/**/*.log
dump/**/nohup.out
# Backup files
*.backup
*.bak
/etc/hosts.backup.*
# Temporary files
*.tmp
*.swp
*~

449
Advanced-Blocking-Methods.md Normal file
View File

@ -0,0 +1,449 @@
# Advanced Nuke Telemetry Blocking Methods
This document provides comprehensive guidance on blocking telemetry from The Foundry's Nuke compositor beyond basic hosts file blocking. All methods are designed for your specific installation at `/home/nicholai/Nuke15.2v6/`.
## Quick Reference
| Method | Effectiveness | Complexity | Nuke Functionality Impact |
|--------|---------------|------------|---------------------------|
| Hosts file blocking | Medium | Low | Minimal - Help menu may fail |
| Firewall (iptables/nftables) | **High** | Medium | Minimal - blocks by IP |
| Network namespace isolation | **Highest** | Medium | None - localhost preserved |
| AppArmor MAC | High | High | None - policy enforced at kernel |
| DNS sinkhole | Medium | Low | Minimal - depends on DNS setup |
| Automated monitoring | N/A (detection only) | Low | None - passive monitoring |
## Known Telemetry Endpoints
Based on packet capture analysis (see `nuke_foundry_analysis.md`):
| Domain | IP Address | Port | Protocol | Purpose |
|--------|-----------|------|----------|---------|
| `learn.foundry.com` | 52.50.232.31 | 80 | HTTP | Documentation checks (unencrypted) |
| `api.honeycomb.io` | 52.205.16.9 | 443 | HTTPS | Analytics/telemetry |
| `sentry.foundry.com` | (varies) | 443 | HTTPS | Crash reporting |
## Method 1: Firewall Blocking (Recommended)
**Why use this:** Blocks connections even if DNS resolves correctly; most robust defense against IP-based connections.
**Script:** `scripts/firewall_block_nuke.sh`
### Features:
- Blocks known Foundry telemetry IPs at the kernel level
- Supports both iptables (legacy) and nftables (modern)
- Persistent across reboots
- Includes restore/unblock functionality
- Logs blocked connection attempts
### Usage:
```bash
# Apply firewall blocks
cd /home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring
bash scripts/firewall_block_nuke.sh
# To unblock (run with --restore flag)
bash scripts/firewall_block_nuke.sh --restore
# Check current rules
sudo iptables -L OUTPUT -v -n | grep "52\\.50\\.232\\.31\\|52\\.205\\.16\\.9"
# Or for nftables:
sudo nft list ruleset | grep "52\\.50\\.232\\.31\\|52\\.205\\.16\\.9"
```
### How it works:
- Uses `iptables` or `nftables` OUTPUT chain to intercept outbound connections
- Rejects packets destined for Foundry IPs with ICMP host-unreachable
- Persists rules to `/etc/iptables/iptables.rules` or `/etc/nftables.conf`
- Can be combined with hosts file blocking for defense-in-depth
### Limitations:
- Requires root/sudo access
- If Foundry adds new IP addresses, rules must be updated
- May need adjustment if using Docker/virtual machines (bridge networks)
---
## Method 2: Network Namespace Isolation (Nuclear Option)
**Why use this:** Complete network isolation while preserving Nuke's localhost frameserver functionality.
**Script:** `scripts/nuke_isolated.sh`
### Features:
- Creates isolated network namespace with only loopback interface
- Blocks ALL external network access (not just Foundry)
- Frameserver communication still works (uses 127.0.0.1)
- Clean namespace cleanup on exit
### Usage:
```bash
# Launch Nuke in isolated namespace
bash scripts/nuke_isolated.sh
# Nuke will run with zero external network access
# Frameserver rendering still works normally
```
### How it works:
- Creates a Linux network namespace (`ip netns add nuke_isolated`)
- Enables only the loopback interface (lo)
- Launches Nuke inside the namespace with your user permissions
- Nuke cannot reach ANY external IPs, including telemetry servers
### Limitations:
- Breaks ALL network features (online help, license checks if using floating licenses, etc.)
- Requires sudo for namespace creation
- Slightly more complex troubleshooting if Nuke misbehaves
### When to use:
- Maximum privacy requirements
- Offline/air-gapped rendering workflows
- When you never use Nuke's online features
---
## Method 3: AppArmor Mandatory Access Control
**Why use this:** Kernel-enforced security policy; cannot be bypassed by the application.
**Profile:** `apparmor/nuke.profile`
### Features:
- Kernel-level enforcement (stronger than user-space blocking)
- Allows localhost, denies external network
- Granular file system access controls
- Audit mode for debugging
### Installation:
```bash
# Install the profile
sudo cp apparmor/nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
# Load and enforce
sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
# Check status
sudo aa-status | grep Nuke
# Set to complain mode for testing (logs violations without blocking)
sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
# Disable profile
sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
```
### How it works:
- AppArmor kernel module intercepts Nuke's system calls
- Profile defines allowed operations (file access, network connections)
- Network rules: `deny network inet to !127.0.0.0/8` blocks non-localhost connections
- Violations are logged to `/var/log/audit/audit.log` or kernel log
### Limitations:
- Requires AppArmor-enabled kernel (default on Ubuntu, optional on Arch)
- Profile must be updated if Nuke changes installation paths
- Learning mode requires running Nuke extensively to capture all legitimate operations
- May need adjustments for render farm setups
### Troubleshooting:
```bash
# Check AppArmor is enabled
sudo systemctl status apparmor
# View denial logs
sudo journalctl -xe | grep apparmor | grep Nuke
# Generate profile from logs (if using complain mode)
sudo aa-logprof
```
---
## Method 4: DNS Sinkhole
**Why use this:** Centralized blocking across multiple machines; works network-wide if using Pi-hole or similar.
**Script:** `scripts/dns_sinkhole_config.sh`
### Features:
- Generates DNS configuration for various DNS servers
- Network-wide blocking if using Pi-hole/AdGuard Home
- Works for all devices querying your DNS server (75.75.75.75)
### Usage:
```bash
# Generate configs for your DNS setup
bash scripts/dns_sinkhole_config.sh
# Output includes snippets for:
# - dnsmasq
# - Pi-hole
# - AdGuard Home
# - BIND9
# Apply to your DNS server at 75.75.75.75
```
### How it works:
- DNS server returns 0.0.0.0 or 127.0.0.1 for Foundry domains
- Applications fail to connect before network traffic is sent
- Complements hosts file blocking (defense-in-depth)
### Your DNS Setup:
Based on your network configuration (DNS: 75.75.75.75), you're likely running:
- Pi-hole, AdGuard Home, dnsmasq, or custom DNS server
The script provides config snippets for all common platforms.
### Limitations:
- Requires access to DNS server configuration
- Doesn't block hardcoded IP addresses (combine with firewall rules)
- DNS cache may delay blocking (flush with `sudo systemd-resolve --flush-caches`)
---
## Method 5: Automated Monitoring and Alerts
**Why use this:** Detect new telemetry endpoints or verify blocking effectiveness.
**Script:** `scripts/monitor_nuke_network.sh`
### Features:
- Monitors Nuke processes for external network connections
- Desktop notifications (via `notify-send`)
- Logs alerts to `nuke_telemetry_alerts.log`
- Can run continuously or via cron/systemd timer
### Usage:
```bash
# Run monitoring in background
bash scripts/monitor_nuke_network.sh &
# Or set up as cron job (check every 5 minutes)
crontab -e
# Add: */5 * * * * /home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring/scripts/monitor_nuke_network.sh
# Or as systemd timer (advanced - see script comments)
# View alerts log
tail -f nuke_telemetry_alerts.log
```
### How it works:
- Uses `pgrep` to find Nuke processes
- Queries socket connections with `ss -tnp`
- Filters out localhost (127.0.0.1) connections
- Alerts when external connections detected
- Useful for discovering new telemetry endpoints Foundry may add
### Example alert:
```
[2025-11-25 14:23:15] ALERT: Nuke external connection detected
Process: Nuke15.2 (PID 867114)
Connection: 10.0.0.50:54321 -> 52.205.16.9:443 (ESTABLISHED)
Domain: api.honeycomb.io
```
### Limitations:
- Passive monitoring only (doesn't block)
- Requires Nuke to be running during checks
- Desktop notifications need X11/Wayland session
---
## Recommended Approach
For maximum effectiveness, use **layered defense**:
### Tier 1: Essential (Apply First)
1. **Hosts file blocking** (already applied via `block_nuke_telemetry.sh`)
2. **Firewall rules** (`scripts/firewall_block_nuke.sh`)
- Blocks even if DNS resolves
- Most important addition
### Tier 2: Enhanced Privacy
3. **Automated monitoring** (`scripts/monitor_nuke_network.sh`)
- Catches new endpoints Foundry may add
- Validates blocking effectiveness
### Tier 3: Maximum Isolation (Optional)
4. **Network namespace** (`scripts/nuke_isolated.sh`)
- Use when you need absolute certainty
- Acceptable if you never use online features
5. **AppArmor profile** (`apparmor/nuke.profile`)
- Kernel-enforced policy
- Good for multi-user systems or render farms
### Tier 4: Network-Wide (Optional)
6. **DNS sinkhole** (`scripts/dns_sinkhole_config.sh`)
- If you run Pi-hole or custom DNS
- Protects other machines on your network
## Verification Commands
After applying blocking methods, verify effectiveness:
### Test DNS resolution:
```bash
# Should resolve to 127.0.0.1 or fail
nslookup api.honeycomb.io
nslookup learn.foundry.com
nslookup sentry.foundry.com
```
### Test network connectivity:
```bash
# Should timeout or show connection refused
curl -I http://learn.foundry.com --max-time 5
curl -I https://api.honeycomb.io --max-time 5
curl -I https://sentry.foundry.com --max-time 5
```
### Capture Nuke traffic:
```bash
# Run Nuke, then check for external connections
sudo tcpdump -i any -n 'host 52.50.232.31 or host 52.205.16.9' -c 10
# Should see zero packets if blocking is effective
```
### Check firewall rules:
```bash
# iptables
sudo iptables -L OUTPUT -v -n | grep -E "52\.50\.232\.31|52\.205\.16\.9"
# nftables
sudo nft list ruleset | grep -E "52\.50\.232\.31|52\.205\.16\.9"
```
### Monitor active connections:
```bash
# While Nuke is running
sudo ss -tnp | grep Nuke | grep -v 127.0.0.1
# Should only show localhost connections (frameserver)
```
## Troubleshooting
### Nuke won't launch after applying blocks
1. Check AppArmor isn't blocking file access:
```bash
sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
```
2. Verify network namespace script uses correct executable path
3. Check firewall rules aren't blocking localhost (should never happen with provided scripts)
### Help menu doesn't work
**Expected behavior** - Help menu requires `learn.foundry.com` access. This is blocked intentionally.
Workaround: Use offline documentation or temporarily disable blocks:
```bash
# Disable firewall temporarily
sudo iptables -D OUTPUT -d 52.50.232.31 -j REJECT
# Re-enable after using help
sudo iptables -A OUTPUT -d 52.50.232.31 -j REJECT --reject-with icmp-host-unreachable
```
### Frameserver rendering fails
Network namespace isolation should NOT affect frameserver (uses localhost).
If rendering fails:
1. Check you're not blocking localhost in firewall rules
2. Verify loopback interface is up: `ip addr show lo`
3. Test localhost: `ping -c 1 127.0.0.1`
### New telemetry endpoint discovered
Update firewall and hosts files:
```bash
# Find new IP
sudo tcpdump -i any -n 'not net 10.0.0.0/8 and not net 127.0.0.0/8' | grep -i foundry
# Add to firewall
sudo iptables -A OUTPUT -d <new_ip> -j REJECT --reject-with icmp-host-unreachable
sudo iptables-save | sudo tee /etc/iptables/iptables.rules
# Add to hosts file
echo "127.0.0.1 <new_domain>" | sudo tee -a /etc/hosts
```
### Monitoring script shows false positives
Frameserver connections to 127.0.0.1 are expected.
Filter these out - the provided script already excludes localhost.
If you see connections to your local network (10.0.0.0/8), these may be:
- Render farm nodes
- Shared storage (NAS/NFS)
- License servers (floating licenses)
Not telemetry - these are normal.
## Privacy Assessment
**With all methods applied:**
- Telemetry transmission: **Blocked**
- Crash reporting: **Blocked**
- Documentation checks: **Blocked**
- ISP/network visibility: **Eliminated** (no packets leave your machine)
- Foundry data collection: **Prevented**
**Remaining exposure:**
- Local Nuke files still created (`~/.nuke/`, `~/Documents/nuke/`)
- Crash dumps cached locally in `sentry-db/` (not transmitted)
- License file may contain machine ID (needed for licensing)
**Verification:** Run monitoring script for 24 hours to confirm zero external connections.
## Performance Impact
All blocking methods have **negligible performance impact**:
- Hosts file: ~microseconds per DNS lookup
- Firewall: ~nanoseconds per packet (kernel-space)
- Network namespace: ~milliseconds at launch (one-time)
- AppArmor: ~nanoseconds per syscall (kernel-space)
- Monitoring: ~10ms per check (runs periodically, not during rendering)
Rendering performance is **unchanged**.
## Legal Considerations
See `EULA-Analysis.md` for full assessment of Foundry's EULA claims.
**Summary:**
- EULA grants "irrevocable authorization" for data collection (Clause 19.3)
- Blocking telemetry may technically violate EULA acceptance
- However, enforceability of such clauses is questionable in many jurisdictions
- No reports of Foundry taking action against users who block telemetry
- Offline/air-gapped use is common in VFX industry (studios routinely block telemetry)
**Recommendation:** Use blocking methods and accept minimal legal risk. Enterprise/studio users should consult legal counsel.
## References
- **Investigation methodology:** `Claude_2025-10-25.md` (full conversation log)
- **Packet capture analysis:** `nuke_foundry_analysis.md` (20-minute capture breakdown)
- **Basic blocking:** `block_nuke_telemetry.sh` (hosts file method)
- **EULA details:** `EULA-Analysis.md` (privacy clauses)
- **Master documentation:** `Foundry-Nuke-Monitoring.md` (conclusory report)
## Contributing
Discovered new telemetry endpoints? Improved blocking methods?
Document findings in this project and update:
1. This file (Advanced-Blocking-Methods.md)
2. Master doc (Foundry-Nuke-Monitoring.md)
3. CLAUDE.md (investigation areas)
Help the VFX community maintain privacy and informed consent.
---
**Last updated:** 2025-11-25
**Nuke version tested:** 15.2v6 (build 15.2.375648)
**OS:** Arch Linux (kernel 6.17.4-arch2-1)

606
Application_Behavior_Analysis.md Normal file
View File

@ -0,0 +1,606 @@
# Advanced Linux System Administration: Application Behavior Analysis
## Educational Module for Junior System Administrators
This comprehensive guide teaches systematic approaches to understanding how performance-critical applications interact with Linux at a low level—essential skills for debugging, optimization, and professional system administration.
---
## 1. Dynamic Library Dependencies and Loading
### Understanding the Dynamic Linker
**Core Concepts:**
- The dynamic linker (`ld-linux.so`) resolves and loads shared libraries at runtime
- Library search paths follow a specific hierarchy: `RPATH``LD_LIBRARY_PATH``RUNPATH``/etc/ld.so.cache` → system defaults
- Version conflicts occur when multiple library versions exist or ABI incompatibilities arise
### Practical Investigation Techniques
**Static Dependency Analysis:**
```bash
# List direct library dependencies
ldd /usr/bin/application
# Show library dependencies with full paths
ldd -v /usr/bin/application
# Alternative: use readelf for more detailed information
readelf -d /usr/bin/application | grep NEEDED
# Check RPATH/RUNPATH settings
readelf -d /usr/bin/application | grep -E 'RPATH|RUNPATH'
```
**Dynamic Loading Analysis:**
```bash
# Trace library loading in real-time with verbose output
LD_DEBUG=libs /usr/bin/application 2>&1 | less
# Detailed binding information
LD_DEBUG=bindings /usr/bin/application 2>&1 | less
# All debug information (very verbose)
LD_DEBUG=all /usr/bin/application 2>&1 | tee debug_output.log
# Alternative: use ltrace to see library calls
ltrace -C /usr/bin/application
```
**Version Conflict Detection:**
```bash
# Find all versions of a library on the system
locate libname.so | sort
# Check which version is being loaded
ldd /usr/bin/application | grep libname
# Verify library compatibility
objdump -p /usr/lib/libname.so.1 | grep SONAME
```
**Advanced: Using strace for dlopen() calls:**
```bash
# Track dynamically loaded libraries (plugins, modules)
strace -e openat,open -f /usr/bin/application 2>&1 | grep '\.so'
```
---
## 2. Process-Level Resource Consumption
### Comprehensive Resource Monitoring Strategy
**Real-Time Monitoring:**
```bash
# Interactive process monitoring with thread view
htop -p $(pgrep application)
# Top consumers sorted by CPU
top -b -n 1 -o %CPU | head -20
# Detailed process information
ps aux | grep application
ps -eLf | grep application # Include threads
```
**CPU Analysis:**
```bash
# Per-thread CPU usage
top -H -p $(pgrep application)
# CPU affinity and scheduling
taskset -cp $(pgrep application)
# Detailed CPU time breakdown
/usr/bin/time -v /usr/bin/application
# CPU profiling with perf
perf stat -p $(pgrep application) sleep 10
perf record -p $(pgrep application) -g -- sleep 30
perf report
```
**Memory Analysis:**
```bash
# Detailed memory map
pmap -x $(pgrep application)
# Memory usage breakdown
smem -P application -k
# Real-time memory monitoring
watch -n 1 'ps -o pid,vsz,rss,comm -p $(pgrep application)'
# Check for memory leaks over time
valgrind --leak-check=full --track-origins=yes /usr/bin/application
# Alternative: massif for heap profiling
valgrind --tool=massif /usr/bin/application
ms_print massif.out.*
```
**I/O Analysis:**
```bash
# Real-time I/O statistics per process
iotop -p $(pgrep application)
# File descriptor information
lsof -p $(pgrep application)
# I/O statistics from /proc
cat /proc/$(pgrep application)/io
# Disk I/O patterns
iostat -x 1
# Trace file operations
strace -e trace=file -p $(pgrep application)
```
**Network Analysis:**
```bash
# Active network connections
netstat -tulpn | grep application
ss -tupn | grep application
# Network I/O per process
nethogs
# Bandwidth usage
iftop -P -p
# Packet-level analysis
tcpdump -i any -n port 8080 -w capture.pcap
```
**Comprehensive Monitoring:**
```bash
# systemd resource accounting (if service runs under systemd)
systemctl status application.service
systemd-cgtop
# cgroups resource limits and usage
cat /sys/fs/cgroup/system.slice/application.service/memory.current
cat /sys/fs/cgroup/system.slice/application.service/cpu.stat
```
---
## 3. Inter-Process Communication (IPC) Analysis
### Understanding IPC Mechanisms
**Common IPC Types:**
- Pipes (named and unnamed)
- Unix domain sockets
- Network sockets (TCP/UDP)
- Shared memory segments
- Message queues
- Signals
- D-Bus (higher-level IPC)
### Systematic IPC Discovery
**File Descriptor Analysis:**
```bash
# List all open file descriptors
ls -l /proc/$(pgrep application)/fd/
# Detailed FD information with types
lsof -p $(pgrep application)
# Filter for specific IPC types
lsof -p $(pgrep application) | grep -E 'PIPE|unix|TCP|UDP'
```
**Socket Analysis:**
```bash
# Unix domain sockets
ss -x -p | grep application
# Network sockets with process info
ss -tunapw | grep application
# Alternative with netstat
netstat -anp | grep application
```
**Shared Memory Investigation:**
```bash
# List shared memory segments
ipcs -m
# Show which processes are using shared memory
ipcs -m -p
# Detailed information about specific segment
ipcs -m -i <shmid>
# Check memory mappings
grep -E 'shared|shmem' /proc/$(pgrep application)/maps
```
**Message Queue Analysis:**
```bash
# List message queues
ipcs -q
# Process associations
ipcs -q -p
# POSIX message queues
ls -la /dev/mqueue/
```
**D-Bus Monitoring:**
```bash
# Monitor system bus
dbus-monitor --system
# Monitor session bus
dbus-monitor --session
# List services on D-Bus
busctl list
# Introspect specific service
busctl introspect org.freedesktop.ServiceName
```
**Real-Time IPC Tracing:**
```bash
# Trace IPC-related system calls
strace -e trace=ipc -p $(pgrep application)
# Trace network operations
strace -e trace=network -p $(pgrep application)
# Comprehensive IPC system calls
strace -e trace=read,write,sendto,recvfrom,sendmsg,recvmsg,connect,accept -p $(pgrep application)
```
---
## 4. Application-Specific Configuration and Runtime Environment
### Systematic Configuration Discovery
**Environment Variables:**
```bash
# View process environment
cat /proc/$(pgrep application)/environ | tr '\0' '\n'
# Alternative
strings /proc/$(pgrep application)/environ
# Launch with modified environment for testing
ENV_VAR=value /usr/bin/application
# Common important variables to check
env | grep -E 'PATH|LD_LIBRARY_PATH|HOME|XDG_|DISPLAY'
```
**Configuration File Locations:**
**Standard locations to investigate:**
```bash
# User-specific configuration
~/.config/application/
~/.application/
~/.applicationrc
# System-wide configuration
/etc/application/
/etc/application.conf
/usr/share/application/
# Check what files application actually opens
strace -e openat,open /usr/bin/application 2>&1 | grep -E '\.(conf|cfg|ini|json|yaml|toml|xml)'
# Monitor configuration file access
inotifywait -m -r ~/.config/application/ -e access,modify,open
```
**Runtime Directories:**
```bash
# Working directory
readlink /proc/$(pgreg application)/cwd
# Runtime data directories
ls -la /run/user/$(id -u)/application/
ls -la /var/run/application/
# XDG Base Directory specification
echo $XDG_CONFIG_HOME # defaults to ~/.config
echo $XDG_DATA_HOME # defaults to ~/.local/share
echo $XDG_CACHE_HOME # defaults to ~/.cache
echo $XDG_RUNTIME_DIR # defaults to /run/user/UID
# Temporary files
ls -la /tmp/ | grep application
lsof -p $(pgrep application) | grep /tmp
```
**Command-Line Arguments Analysis:**
```bash
# View exact command used to start process
cat /proc/$(pgreg application)/cmdline | tr '\0' ' '; echo
# Alternative
ps -fp $(pgrep application)
# Help/documentation for configuration options
/usr/bin/application --help
man application
```
**Package-Provided Files:**
```bash
# On Arch Linux, see what files a package provides
pacman -Ql package-name
# Find which package owns a file
pacman -Qo /usr/bin/application
# View package information
pacman -Qi package-name
```
---
## 5. Event Tracing and System Call Monitoring
### Low-Level Behavioral Analysis
**System Call Tracing with strace:**
```bash
# Basic system call trace
strace /usr/bin/application
# Attach to running process
strace -p $(pgrep application)
# Filter specific system calls
strace -e trace=open,read,write -p $(pgreg application)
# Time spent in system calls
strace -c /usr/bin/application
# Detailed timing information
strace -T -tt -p $(pgrep application)
# Follow forks and threads
strace -f -p $(pgrep application)
# Output to file for analysis
strace -o trace.log -p $(pgreg application)
# String size for arguments
strace -s 256 -p $(pgrep application)
```
**Common strace Patterns:**
```bash
# File I/O bottlenecks
strace -e trace=file -T /usr/bin/application 2>&1 | grep -E '<[0-9]+\.[0-9]+>'
# Network operations
strace -e trace=network -p $(pgrep application)
# Memory operations
strace -e trace=memory -p $(pgreg application)
# Signal handling
strace -e trace=signal -p $(pgrep application)
```
**Kernel Event Tracing with perf:**
```bash
# Record system-wide events
sudo perf record -a -g -- sleep 30
# Record specific process
sudo perf record -p $(pgrep application) -g -- sleep 30
# View recorded events
sudo perf report
# Real-time event monitoring
sudo perf top
# Trace specific events
sudo perf stat -e cycles,instructions,cache-misses -p $(pgrep application)
# Function-level tracing
sudo perf probe --add function_name
sudo perf record -e probe:function_name -p $(pgrep application)
```
**eBPF-Based Tracing (Modern Approach):**
```bash
# Install bpftrace (if not already installed)
sudo pacman -S bpftrace
# Trace file opens
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'
# Monitor process execution
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s\n", str(args->filename)); }'
# Track memory allocations
sudo bpftrace -e 'tracepoint:kmem:kmalloc { @bytes = hist(args->bytes_alloc); }'
# Custom scripts for specific applications
sudo bpftrace application_trace.bt
```
**ftrace (Kernel Function Tracer):**
```bash
# Enable ftrace
echo 1 | sudo tee /sys/kernel/debug/tracing/tracing_on
# Set up function tracer
echo function | sudo tee /sys/kernel/debug/tracing/current_tracer
# Filter for specific functions
echo '*networking*' | sudo tee /sys/kernel/debug/tracing/set_ftrace_filter
# Read trace
sudo cat /sys/kernel/debug/tracing/trace
# Disable when done
echo 0 | sudo tee /sys/kernel/debug/tracing/tracing_on
```
**Performance Counter Monitoring:**
```bash
# Hardware performance counters
perf list # See available events
# Count cache misses
perf stat -e cache-misses,cache-references -p $(pgrep application)
# Branch prediction analysis
perf stat -e branches,branch-misses -p $(pgrep application)
# Memory access patterns
perf mem record -p $(pgreg application)
perf mem report
```
---
## Practical Workflow: Complete Application Analysis
### Step-by-Step Diagnostic Methodology
**Phase 1: Initial Assessment**
```bash
# 1. Identify the process
ps aux | grep application
pgrep -a application
# 2. Check basic resource usage
top -b -n 1 -p $(pgrep application)
# 3. View environment and configuration
cat /proc/$(pgrep application)/environ | tr '\0' '\n'
cat /proc/$(pgrep application)/cmdline | tr '\0' ' '; echo
```
**Phase 2: Dependency Analysis**
```bash
# 4. Check library dependencies
ldd /usr/bin/application
LD_DEBUG=libs /usr/bin/application 2>&1 | less
# 5. Verify library versions
pacman -Q | grep relevant-lib
```
**Phase 3: Resource Profiling**
```bash
# 6. CPU profiling
perf record -p $(pgrep application) -g -- sleep 30
perf report
# 7. Memory analysis
valgrind --tool=massif /usr/bin/application
# 8. I/O monitoring
iotop -p $(pgrep application)
```
**Phase 4: Communication Analysis**
```bash
# 9. Check IPC mechanisms
lsof -p $(pgreg application)
ss -xp | grep application
# 10. Monitor network activity
nethogs
tcpdump -i any -n -p $(pgrep application)
```
**Phase 5: Behavioral Tracing**
```bash
# 11. System call analysis
strace -c -p $(pgrep application) # Summary
strace -T -tt -p $(pgrep application) # Detailed
# 12. Event tracing
sudo perf trace -p $(pgrep application)
```
---
## Best Practices and Safety Considerations
### Debugging Without Disruption
1. **Use read-only tools first**: `ldd`, `pmap`, `lsof` don't affect application behavior
2. **Tracing has overhead**: Tools like `strace` can slow applications by 10-100x
3. **Test in non-production**: Always validate techniques in development environments first
4. **Document baseline behavior**: Capture normal operation before investigating issues
5. **Incremental analysis**: Start with lightweight tools, escalate to invasive ones only if needed
### Performance Impact Hierarchy
**Minimal impact:**
- `ps`, `top`, `htop`
- `ldd`, `readelf`
- `/proc` filesystem reads
- `lsof`, `ss`
**Moderate impact:**
- `perf stat` (sampling mode)
- `iotop`, `nethogs`
- `ltrace` (with filtering)
**High impact:**
- `strace` (especially without filtering)
- `valgrind`
- `perf record` (high-frequency sampling)
---
## Additional Resources for Continued Learning
### Documentation
```bash
# Essential man pages
man strace
man perf
man ldd
man proc # /proc filesystem documentation
man ld.so # Dynamic linker documentation
# Arch Wiki resources
# Visit: https://wiki.archlinux.org/title/Debugging
# Visit: https://wiki.archlinux.org/title/Performance
```
### Recommended Tools to Explore
- **SystemTap**: Advanced tracing and profiling
- **BCC**: eBPF-based performance tools collection
- **gdb**: Source-level debugging
- **rr**: Record and replay debugging
- **bpftrace**: High-level eBPF tracing language
---
This module provides a comprehensive foundation for understanding application behavior on Linux systems. The techniques described are universally applicable to any software and form essential skills for professional system administration, performance engineering, and DevOps roles.

241
EULA-Analysis.md Normal file
View File

@ -0,0 +1,241 @@
# Foundry EULA Telemetry Analysis
**Tags:** #note-type/research #domain/technical #project-type/technical #status/complete #priority/high
## Summary
The Foundry EULA **explicitly authorizes** extensive data collection from your computer and network. Your network captures confirm this telemetry is actively happening, though the actual data volume appears more modest than the EULA permits.
## Key EULA Clauses (Sections 19.2 & 19.3)
### What Foundry Claims to Collect (Clause 19.2)
The EULA states the Software "may include mechanisms to access and collect limited information" including:
1. **License details** - Foundry product licenses on your system
2. **Computer and network equipment details** - Hardware specifications
3. **Operating system details** - OS version, system registry files
4. **Email domain** - Domain of computer/network equipment owners
5. **Location data** - Geographic location of computers running Software
6. **Usage profiling** - "Profile and extent of use" of Software features
### How Foundry Uses This Data (Clause 19.2)
The EULA permits use of collected data for:
**(a) Usage modeling** - "model the profiles of usage, hardware and operating systems in use collectively across its customer base in order to focus development and support"
**(b) Targeted support** - "provide targeted support to individual customers"
**(c) License enforcement** - "ensure that the usage of the Software by Licensee is in accordance with the Agreement and does not exceed any user number or other limits"
**(d) Anti-piracy** - "confirm the identity of Licensee, to identify unlicensed use of the Software (including use of pirated or other unlicensed copies of the Software) and to **assist Foundry (and its resellers and any enforcement bodies)** in contacting any unlicensed users"
**(e) Service notifications** - "advise Licensee about service issues such as available upgrades and maintenance expiry dates"
### Critical Authorization (Clause 19.3)
> "By downloading or using the Software, you [...] **irrevocably authorise Foundry** (through the use of the Software) to **access such computer(s) and IT systems (including any system registry files)** and **collect the Information from them and to transmit that Information to Foundry and its resellers (and any enforcement bodies)**"
**Key points:**
- Authorization is **irrevocable** (you can't take it back)
- Applies to "IT systems" plural - potentially your entire network
- Data shared with "resellers and **enforcement bodies**"
- Access includes **system registry files**
## Network Capture vs EULA Claims
### What We Observed (20-minute capture)
| Connection | Purpose | EULA Justification |
|------------|---------|-------------------|
| `api.honeycomb.io` (17KB, HTTPS) | Usage telemetry, performance metrics, error tracking | Clause 19.2(a) - usage modeling |
| `learn.foundry.com` (HTTP, unencrypted) | Documentation availability checks, version reporting | Clause 19.2(e) - service notifications |
| `sentry.foundry.com` (process found, not active) | Crash reporting, error dumps | Clause 19.2(b) - targeted support |
### What We Did NOT Observe (But EULA Permits)
- Email domain collection
- Geographic location transmission
- System registry file access/transmission
- License enforcement data to "enforcement bodies"
- Network equipment enumeration
**This doesn't mean it's not happening** - these could occur:
- During startup/shutdown (we didn't capture these)
- Periodically (longer than 20-minute window)
- Only when triggered (crashes, license checks)
- In the encrypted Honeycomb payload (we can't see inside)
## Privacy Concerns
### 🚨 Major Issues
**1. Unencrypted HTTP**
- `learn.foundry.com` uses HTTP (port 80), not HTTPS
- Exposes Nuke version, IP address, and usage patterns to ISP/network observers
- Violates basic security best practices for data transmission
**2. No Opt-Out**
- EULA states authorization is "irrevocable"
- No telemetry toggle found in Nuke preferences
- Accepting EULA = accepting all data collection
**3. Broad Scope**
- "IT systems" (plural) - could mean entire network, not just one computer
- System registry access - can contain sensitive paths, usernames, installed software
- "Enforcement bodies" - unclear who this includes (lawyers? investigators? police?)
**4. Third-Party Sharing**
- Data shared with "resellers" (potentially dozens of companies worldwide)
- Honeycomb.io is a third-party SaaS platform (data leaves Foundry's control)
- Sentry is another third-party service
**5. Location Tracking**
- EULA permits collection of "location of the computer(s)"
- Could be used to enforce geographic licensing restrictions
- Potential violation of local privacy laws depending on jurisdiction
### ⚠️ Moderate Concerns
**6. Usage Profiling**
- "Profile and extent of use" - tracks which features you use, how often, for how long
- Could reveal workflow patterns, project types, professional activities
- Combined with location data = detailed professional surveillance
**7. License Enforcement Priority**
- Anti-piracy purpose (19.2d) gives Foundry incentive to collect more data than needed
- "Enforcement bodies" suggests potential legal action based on telemetry
**8. Indefinite Retention**
- EULA doesn't specify how long data is kept
- No mention of data deletion upon license termination
### ✅ Positive Observations
**9. Limited Actual Volume**
- Only 32KB over 20 minutes observed
- Not "constantly phoning home" during normal use
- Most telemetry uses HTTPS encryption
**10. GDPR Compliance Claim**
- Clause 19.2 references GDPR and Privacy Notice
- Suggests some legal compliance framework exists
## Legal Analysis
### Binding Nature
The EULA header explicitly states:
> "YOUR ATTENTION IS PARTICULARLY DRAWN TO [...] (D) CLAUSE 19.3 WHERE YOU AUTHORISE FOUNDRY TO USE THE SOFTWARE TO ACCESS AND COLLECT CERTAIN INFORMATION FROM YOUR COMPUTER NETWORKS AND TO TRANSMIT THIS INFORMATION TO FOUNDRY."
By using Nuke, you've legally consented to:
- Remote access to your computer and IT systems
- Collection and transmission of system information
- Sharing data with third parties (resellers, enforcement bodies)
- Irrevocable authorization (can't withdraw consent)
### Potential Legal Issues
**1. Computer Fraud and Abuse Act (CFAA) - USA**
- Authorized access exempts Foundry from CFAA liability
- But: authorization must be "knowing and voluntary"
- Question: Is burying this in page 8 of EULA sufficient notice?
**2. GDPR - EU/UK**
- EULA claims GDPR compliance
- But: GDPR requires explicit, informed, freely given consent
- Question: Is acceptance of entire EULA valid consent for data processing?
- Question: Can you use Nuke without consenting? (No = not "freely given")
**3. CCPA - California**
- Right to know what data is collected
- Right to deletion
- Right to opt-out of sale
- EULA doesn't clearly provide these rights
**4. Network Administrator Concerns**
- Clause 19.3(i): "warrant that you are entitled to control access to the computer(s)"
- If you're on a company/studio network, do you have authority to consent to Foundry accessing the entire network?
## Recommendations
### 1. Block Telemetry (Most Effective)
Use the provided blocking script:
```bash
./block_nuke_telemetry.sh
```
**Legal consideration:** EULA clause 3 prohibits "circumvent[ing] the license keys or other copy protection mechanisms" - but telemetry blocking is NOT bypassing license protection, just data collection. This should be legally defensible.
### 2. Network Isolation
Run Nuke on isolated network segment:
- No access to broader IT systems
- Firewall rules blocking Foundry domains
- Limits EULA clause 19.3 exposure to "IT systems"
### 3. Monitor Ongoing (What You're Doing)
Use monitoring scripts to track:
- What data is actually transmitted
- When it's transmitted
- Volume and frequency
- New domains/endpoints
### 4. Request Data Under GDPR/CCPA
If you're in EU/UK/California:
```
Subject Access Request to: privacy@foundry.com
"Under [GDPR Article 15 / CCPA Section 1798.100], I request:
1. All personal data you hold about me
2. Categories of data collected via telemetry
3. Third parties with whom my data has been shared
4. Purpose and legal basis for processing
5. Deletion of all data not required for license validation"
```
### 5. Corporate/Studio Users
If using Nuke in a business:
- Review with IT security team
- Assess EULA clause 19.3 network access authorization
- Consider contractual negotiation for enterprise licenses
- Implement network monitoring at perimeter
### 6. Raise Awareness
- Post findings to VFX communities (od|force, Reddit r/vfx, etc.)
- File feature request with Foundry for telemetry opt-out
- Consider alternatives (DaVinci Resolve Fusion, Natron, etc.)
## Conclusion
**Your suspicions were correct.** The EULA explicitly authorizes:
- Remote access to your computer(s) and IT systems
- Collection of usage data, system information, and location
- Transmission to third parties including "enforcement bodies"
- Irrevocable consent (no opt-out)
**What we observed in network captures:**
- Confirms telemetry is actively occurring
- Volume appears modest (32KB/20min)
- Some traffic unencrypted (learn.foundry.com)
- Main analytics encrypted via Honeycomb
**The real concern:** We can only see metadata of encrypted connections. The actual data payload to Honeycomb could include everything the EULA permits:
- System registry dumps
- Hardware enumeration
- Software inventory
- Usage patterns
- Location data
**Bottom line:** Foundry has granted themselves broad surveillance rights through the EULA. Whether they fully exercise these rights is unknown. Blocking telemetry is legally defensible and recommended for privacy-conscious users.
---
**Created:** 2025-10-25
**Related:** [[nuke_foundry_analysis]], [[block_nuke_telemetry.sh]], [[monitor_nuke_telemetry.sh]]

278
FOUNDRY-EULA.md Normal file
View File

@ -0,0 +1,278 @@
# End User License Agreement (EULA)
**Tags:** #note-type/research #domain/technical #status/reference #priority/medium
PLEASE READ THIS EULA CAREFULLY BEFORE ORDERING OR DOWNLOADING OR USING ANY SOFTWARE PRODUCTS OF FOUNDRY. YOUR ATTENTION IS PARTICULARLY DRAWN TO: (A) CLAUSE 8 IN WHICH SUBSCRIPTION CUSTOMERS AGREE TO THE AUTO-RENEWAL OF THEIR LICENSE ON AN ANNUAL BASIS; (B) CLAUSES 15 AND 16 WHERE WE LIMIT OUR LIABILITY TO USERS OF OUR SOFTWARE PRODUCTS; (C) CLAUSE 19.2 REGARDING THE DATA WE MAY COLLECT AND HOW WE MAY USE IT; AND (D) CLAUSE 19.3 WHERE YOU AUTHORISE FOUNDRY TO USE THE SOFTWARE TO ACCESS AND COLLECT CERTAIN INFORMATION FROM YOUR COMPUTER NETWORKS AND TO TRANSMIT THIS INFORMATION TO FOUNDRY.
IMPORTANT NOTICE TO ALL USERS: BY DOWNLOADING AND/OR USING THIS SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THIS EULA, UNDERSTAND IT AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT DOWNLOAD, INSTALL, COPY OR USE THE SOFTWARE.
IMPORTANT NOTICE TO CONSUMERS WHO PURCHASE SOFTWARE PRODUCTS DIRECT FROM FOUNDRY: YOU HAVE THE RIGHT TO CANCEL YOUR CONTRACT AND OBTAIN A FULL REFUND IN ACCORDANCE WITH CLAUSE 9. HOWEVER YOU WILL LOSE THIS RIGHT ONCE YOU INSTALL THE SOFTWARE OR LOGIN TO AN INDIVIDUAL LOGIN OR TEAM LOGIN LICENSE. THIS DOES NOT AFFECT YOUR CONSUMER RIGHTS IN RELATION TO DEFECTIVE PRODUCTS OR SERVICES.
This END USER LICENSE AGREEMENT (“**EULA**”) is, in cases where you purchase our product(s) direct from Foundry, incorporated into the agreement between The Foundry Visionmongers Ltd a company registered in England and Wales with company number 4642027 and whose registered office is at Squire Patton Boggs Secretarial Services Limited, Rutland House, 148 Edmund Street, Birmingham, United Kingdom, B3 2JR and whose address for correspondence is 5 Golden Square, London W1F 9HT, (“**Foundry**”), and you, as either an individual or a single company or other legal entity (“**Licensee**”) on the terms of which you will purchase the products and services of Foundry (the “**Agreement**”). In cases where you purchase our product(s) from one of our resellers, the use of the term “Agreement” in this EULA refers to the arrangements between Foundry and Licensee on which Licensee is permitted to use Foundrys product(s), including this EULA.
Foundry reserves the right to refuse to grant a License (as defined in clause 1.1) to any Licensee who has failed to pay any sum due either to Foundry or to a reseller of Foundry, in connection with the Agreement, in connection with any other software license, in connection with any other agreed terms between Foundry and the Licensee, to use any Software product(s) of Foundry and/or in connection with any Maintenance and Support Agreement as defined in clause 11.1.
### **1\. GRANT OF LICENSE**
1.1 Subject to terms and the scope of the applicable licence model as set out in clause 2, the limitations of clause 3 and all the other terms of the Agreement, Foundry grants to Licensee a limited, non-transferable (subject to clause 2.1(b) below) and non-exclusive license to download, install and use a machine readable, object code version (subject to clauses 3 and 4 below) of the software program(s) purchased by Licensee (the “**Software**”) together with, and in accordance with, any accompanying user guide and other documentation (the “**Documentation**”), solely for Licensees, where the Licensee is a business, own internal purposes or, where the Licensee is a consumer, domestic and private purposes (the “**License**”); provided, however, that Licensees right to download, install and use the Software and the Documentation is limited to those rights expressly set out in this EULA.
1.2 Some types of license models set out in clause 2.1 limit the installation and use of the Software to the country in which Licensee is based at the date of purchase (the “**Home Country**”), unless otherwise agreed by Foundry in writing. For the avoidance of doubt, use in a Home Country requires the server, network and user to be based in the Home Country. Notwithstanding such limits, Licensee may still use the Software outside the Home Country if traveling or working outside the Home Country on a temporary basis provided that: a) such use does not exceed 70 days in aggregate in any rolling twelve month period or, in the case of any license which lasts for less than twelve months, does not exceed the number of days representing 20% of the term of the license, and b) our Software may not be accessed or used in countries which are subject to import/export controls or sanctions, as further detailed in Clause 22.
1.3 Only to the extent that is proportionate to, and reasonably necessary to support, Licensees licensed use of the Software in accordance with the Agreement, Licensee may (provided valid license keys or license entitlements have been obtained) install the Software on more than one computer, provided always that Licensees concurrent use of different installations of the Software does not exceed the number of valid Licenses that Licensee has paid for or licensed (as applicable).
### **2\. LICENSE MODELS**
2.1 For each Software product that you purchase from Foundry, the product will be licensed (and not sold) to you on either a rental or subscription basis in accordance with one or more of the license models set out in this clause 2.1 and clause 2.2, as specified in Foundrys invoice or order confirmation (as applicable), and subject to the other terms and conditions of this EULA. Please note that some licensing models set out below do not apply to certain Software products of Foundry. Whichever licensing model applies, Licensee shall not at any one time use more copies of the Software than the total number of valid licenses purchased by Licensee.
(a) “**Offline Node Locked License**”
If Licensee purchases an Offline Node Locked License, Licensee will install and use only a single copy of the Software on only one computer at a time in the Home Country.
(b) “**Modo Individual License**”
If Licensee has a Modo Individual License then: (a) Licensee warrants and represents that Licensee is a natural person and that only Licensee will use the Software; (b) Licensee may transfer or assign (“**transfer**”) the Modo Individual License to another natural person (“**Assignee**”) subject to Licensee: (i) notifying Foundry of such transfer and obtaining Foundrys express written consent, (ii) paying an administrative fee with respect to such transfer as may be required by Foundry, and (iii) after transferring a single copy of the Software to the Assignee, deleting any copies of the Software that Licensee may have in Licensees possession, custody or power; (c) Licensee shall not share its login details for the Software with any third party (d) Licensee shall be entitled to use the Software on different computers which may be located anywhere and use is not limited to the Home Country; (e) use of the Software shall be limited to no more than one concurrent use at all times.
(c) “**Offline Floating License**”
If Licensee purchases an Offline Floating License, then: (a) Licensee may use the Software on any number of computers, provided that the number of concurrent users shall never exceed the total number of valid Offline Floating Licenses purchased by Licensee; and (b) use of the Software shall be limited to any site in the Home Country.
(d) “**Individual Login License**”
If Licensee purchases an Individual Login License, Licensee warrants and represents that Licensee is a natural person and that only Licensee shall use the Software. Licensee will be issued with log in details and may use the Software on any number of computers (but not simultaneously). Use of the Software shall be limited to any site in the Home Country.
(e) “**Team Login License**”
If Licensee purchases a Team Login License, then: (a) Licensee may use the Software on any number of computers, provided that the number of concurrent users shall never exceed the total number of valid Team Login Licenses purchased by Licensee; (b) use of the Software shall be limited to any site in the Home Country; and (c) use of the Software, and changes to the user authorizations within Licensees team organization(s), shall be in accordance with any Team Login License guidance and instructions, as published on Foundrys website and which may be amended from time to time.
(f) “**Nuke Indie License**”
If Licensee purchases a License for Nuke Indie, then: (a) Licensee warrants and represents that Licensee (i) is a natural person and that only Licensee will use the Software; (ii) is working independently and shall not use the Nuke Indie License in a pipeline with other Nuke commercial or Nuke Indie licenses, whether those licenses are held by the Licensee, other individuals or other businesses or organisations; and (iii) earns less than $100,000 USD (or local equivalent) a year; and (iv) that Licensee satisfies all criteria set out in Foundrys Nuke Indie Eligibility Requirements as published on its website and which may be amended from time to time (the “**Nuke Indie Eligibility Requirements**”); (b) Licensee shall not share its login details for the Software with any third party; (c) Licensee shall not purchase or use more than one Nuke Indie License; (d) Licensee may use the License on different computers, subject to (i) a maximum of two computer authorisations at any one time and (ii) no more than one concurrent user at any one time; and (e) Licensee shall use the Software in accordance with terms of the Nuke Indie Eligibility Requirements, including abiding by any functional restrictions; and (f) the provisions of clause 8 shall apply.
(g) “**Modo Subscription License**”
If Licensee has a Modo Subscription License, then: (a) Licensee warrants and represents that Licensee is a natural person and that only Licensee will use the Software; (b) Licensee shall not share its login details for the Software with any third party; (c) Licensee may use the Software on different computers which may be located anywhere and use is not restricted to the Home Country; (d) Licensee may use the License on different computers, subject to (i) a maximum of two computer authorisations at any one time and (ii) no more than one concurrent user at any one time; (e) Licensee shall not purchase or use more than one Modo Subscription License; and (f) the provisions of clause 8 shall apply.
(h) “**Mari Individual Subscription License**”
If Licensee purchases a Mari Individual Subscription License then: (a) Licensee warrants and represents that Licensee is a natural person and that only Licensee will use the Software; (b) Licensee shall not share its login details for the Software with any third party; (c) Licensee may use the Software on different computers which may be located anywhere and use is not restricted to the Home Country; (d) Licensee may use the License on different computers, subject to (i) a maximum of two computer authorisations at any one time and (ii) no more than one concurrent user at any one time; (e) Licensee shall not purchase or use more than one Mari Individual Subscription License; and (f) the provisions of clause 8 shall apply.
(i) “**Rental License**”
If Licensee has purchased the Software on a rental basis, the License shall be limited to the term of the rental as agreed in writing with Foundry after which it shall automatically expire.
(j) “**Educational License**”
If Licensee has purchased the Software on the discounted terms of Foundrys educational program and eligibility criteria as published on its website and amended from time to time, Licensee warrants and represents to Foundry as a condition of the Educational License that: (i) it is an educational institution that will use the Software only for the purpose of training and instruction, and for no other purpose, (ii) Licensee will at all times comply with any eligibility criteria and guidelines in respect of the Educational License, as may be communicated to a Licensee and/or published on Foundrys website and amended from time to time, and (iii) use of the Software shall be limited to any site in the Home Country. Unless the Educational License is a Floating License, Licensee shall use the Software on only one computer at a time.
(k) “**Graduate License**”
If Licensee has purchased the Software on the discounted terms of Foundrys Graduate Licence, Licensee warrants and represents to Foundry as a condition of the Graduate Licence that the Licensee has graduated from a university or tertiary education institute no more than six (6) months prior to the grant of the Graduate Licence. The Licensee may use the Software in a personal capacity only (namely, as a sole trader or freelancer). For the avoidance of doubt, Licensee may not use the Graduate License in connection with any work or employment, whether paid or unpaid, or other such collaborations with studios or similar organisations. Foundry reserves the right to require evidence of graduation by the Licensee. Use of the Software shall be limited to any site in the Home Country.
(l) “**Student License**”
If Licensee has purchased the Software on the discounted terms of Foundrys student program and eligibility criteria as published on its website and amended from time to time, Licensee warrants and represents to Foundry as a condition of the Student License that: (i) the Licensee is a part-time or full-time student at the time of purchase and will not use the Software for any commercial, professional or for-profit purposes; (ii) Licensee will at all times comply with any eligibility criteria and guidelines in respect of the Student License, as may be communicated to a Licensee and/or published on Foundrys website and amended from time to time, and (iii) use of the Software shall be limited to any site in the Home Country. Unless the Student License is a Floating License, Licensee shall use the Software on only one computer at a time.
(m) “**Non-Commercial License**”
If the License is a Non-Commercial License, Licensee warrants and represents that Licensee is a natural person, that they will only access and/or use one copy of a Non-Commercial License for personal, recreational and non-commercial purposes and that only Licensee will use the Software. Under a Non-Commercial License, Licensee will not use the Software: (a) in conjunction with any other copies or versions of the Software, under any type of License model; (b) for any commercial, professional, for-profit and/or on-sale purpose or otherwise to provide any commercial service(s) to a third party (whether or not for financial or other reward and including for education, instruction of or demonstration to any third party for commercial purposes); (c) in the course of any employment or business undertaking of Licensee; (d) on any commercial premises during business hours (except where use of the Software is solely for a personal, recreational, educational or other non-commercial purpose); and/or (e) to create any commercial tools or plug ins.
(n) “**Mari indie**”
Variants of Mari with limited functionality as described in the Documentation are available to purchase. If Licensee has purchased such a variant, Licensee warrants and represents to Foundry as a condition of the Agreement that: (i) Licensee is a natural person; or (ii) Licensee is an entity in the direct ownership of a single natural person; (iii) Licensee will only access and/or use one copy of the Software; and (iv) only Licensee will use the Software.
(o) “**Trial License**”
Licensee may register for a “Trial License” of the Software (not available for all products or in all regions or markets). A Trial License is for product evaluation and learning purposes only and may only be used by a natural person, A Trial License lasts a limited specified period on the expiry of which the Software will automatically cease to function. Foundry may terminate any Trial License for convenience immediately on notice to Licensee. Licensee will use the Software for product evaluation and learning purposes only.
(p) “**Subscription License**”
If Licensee has purchased the Software on a subscription basis then: (a) the License shall be limited to the Subscription Period (as defined in clause 8.1) after which it shall automatically expire and; (b) the provisions of clause 8, including but not limited to auto-renewal, shall apply.
(q) “**Nuke Stage License**”
If Licensee purchases a Nuke Stage License, then: (a) Licensee may use the Software on any number of computers, provided that the number of concurrent Nuke Stage Output Device(s) shall never exceed the total number of valid Nuke Stage Floating Licenses purchased by Licensee; and (b) use of the Software shall be limited to any site in the Home Country. “Nuke Stage Output Device(s)” shall mean one region designated for rendered output, which may be mapped to one endpoint such as display windows, SDI outputs, files, or other render targets.
2.2 If Licensee has purchased a License that permits “non-interactive” use of the Software (“**Headless Rendering**”), Licensee is authorized to use a non-interactive version of the Software for rendering purposes only (i.e. without a user, in a non-interactive capacity) and shall not use such Software on workstations or otherwise in a user-interactive capacity. Headless Rendering is not available on all products. In all cases, Headless Rendering licenses may be used on any number of computers, provided that the number of concurrent computers shall never exceed the total number of valid Headless Rendering licenses purchased by Licensee.
### **3\. RESTRICTIONS ON USE**
**Please note that in order to guard against unlicensed use of the Software, a license key is required to access and enable the Software.** Licensee is authorised to use the Software in machine readable, object code form only (subject to clause 4), and Licensee shall not: (a) assign, sublicense, sell, distribute, transfer, pledge, lease, rent, lend, share or export the Software, the Documentation or Licensees rights under this EULA; (b) alter or circumvent the license keys or other copy protection mechanisms in the Software or reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the Software in each case except as and to the extent that applicable law requires such reverse engineering, decompilation, disassembly or discovery to be permitted and it is not lawful to contract out of such requirement; (c) implement or use any method or mechanism designed to enable product functionality not available in the Software but available in (i) other Foundry products; or (ii) other Foundry releases of the same product; (d) (subject to clause 4) modify, adapt, translate or create derivative works based on the Software or Documentation; (e) use, or allow the use of, the Software or Documentation on any project other than a project produced by Licensee (an “**Authorized Project**”) or to provide a service (whether or not any charge is made) to any third party; (f) allow or permit anyone (other than Licensee and Licensees authorized employees to the extent they are working on an Authorized Project) to use or have access to the Software or Documentation; (g) copy or install the Software or Documentation other than as expressly provided for in this EULA; or (h) take any action, or fail to take action, that could adversely affect the trademarks, service marks, patents, trade secrets, copyrights or other intellectual property rights of Foundry or any third party with intellectual property rights in the Software (each, a “**Third Party Licensor**”); (i) use the Software, or permit any third party to use the Software, for any illegal purpose. The Licensee shall maintain appropriate internal security, safeguards and controls which shall be at least as great as the measures the Licensee uses to keep Licensees own information secure (but in any case, using no less than a reasonable degree of care) to ensure that the Software is not used in any way which is in violation of this clause 3 or of this Agreement. For the avoidance of doubt, Licensee remains fully liable for any unauthorized use of the Software by its staff. For purposes of this clause 3, the term “Software” shall include any derivatives of the Software.
Notwithstanding clause 3(b) above, where the reduction of the Software to human readable form is necessary for the purposes of integrating the operation of the Software with the operation of other software or systems used by the Licensee in accordance with section 50B of the Copyright Designs and Patents Act 1988 (or any analogous legislation in other jurisdictions), prior to reducing the Software to human readable form (whether by reverse engineering, decompilation or disassembly), the Licensee shall notify Foundry in advance and allow Foundry a reasonable period to either carry out such action as is required to fulfil the integration or provide the information necessary to achieve such integration to the Licensee, and in either case the Licensee shall meet Foundrys reasonable costs in doing so.
Unless Licensee has purchased an Individual License, a Team Login License or an Individual Login License, for other license types, if the Software is moved from one computer to another (or, in the case of an Offline Floating License, from one license server to another), the issuing of replacement or substituted license keys or approval of the new server location, is in Foundrys sole discretion and is subject to and strictly in accordance with Foundrys License Transfer Policy, which is available on Foundrys website and which requires a fee to be paid in certain circumstances. Foundry may from time to time and at its sole discretion vary the terms and conditions of the License Transfer Policy.
The Software and/or any components thereof are not intended to be used for and Licensee shall not use the Software for (or modify the Software such that is suitable for): (i) prohibited practices under the European Union Artificial Intelligence Act (the “**EU AI Act**”) or similar legislation, (ii) any use that would result in the Software being considered a high-risk AI system or that otherwise qualifies as “high-risk” under the EU AI Act. Licensee may not remove, alter or obscure any metadata fields which are automatically applied to content generated by the Software which indicate that such content has been artificially generated or manipulated.
### **4\. SOURCE CODE**
Notwithstanding that clause 1 defines “Software” as an object code version and that clause 3 provides that Licensee may use the Software in object code form only:
4.1 if Foundry has agreed to license to Licensee (including by way of providing SDKs, upgrades, updates or enhancements/customization) source code or elements of the source code of the Software, the intellectual property rights in which belong either to Foundry or to a Third Party Licensor (“**Source Code**”), Licensee shall be licensed to use the Source Code as Software on the terms of this EULA and: (a) notwithstanding clause 3 (c), Licensee may use the Source Code at its own risk in any reasonable way for the limited purpose of enhancing its use of the Software solely for, where the Licensee is a business, its own internal business purposes or, where the Licensee is a consumer, domestic and private purposes and in all respects in accordance with this EULA; (b) Licensee shall in respect of the Source Code comply strictly with all other restrictions applying to its use of the Software under this EULA as well as any other restriction or instruction that is communicated to it by Foundry at any time during the Agreement (whether imposed or requested by Foundry or by any Third Party Licensor);
4.2 to the extent that the Software links to or itself incorporates any open source software and/or software libraries (“**OSS Components**”) that are provided to Licensee with or as part of the Software, then where such OSS Components are licensed on the terms of an open source software licence that requires Foundry to make the OSS Components available to the Licensee on specific terms (the “**OSS Licence Terms**”), those OSS Components are licensed to Licensee on, and subject to, the terms of the relevant OSS Licence Terms;
4.3 where Foundry is required by any OSS Licence Terms to make the source code of the relevant OSS Component available to the Licensee, Foundry will at any time during the three year period starting on the date of the Agreement, at the request of Licensee and subject to Licensee paying to Foundry a charge that does not exceed Foundrys costs of doing so, provide Licensee with the source code of the relevant OSS Component (the “**OSS Source Code**”) in order that Licensee may modify the OSS Component in accordance with the relevant OSS Licence Terms, together (where appropriate) with certain object code of the Software necessary to enable Licensee to re-link any modified OSS Components to the Software (the “**Object**”); and
4.4 notwithstanding any other term of the Agreement, Foundry gives no express or implied warranty, undertaking or indemnity whatsoever in respect of the Source Code, the OSS Components, the OSS Source Code or the Object, all of which are licensed on an “as is” basis, or in respect of any modification of the Source Code, the OSS Components or the OSS Source Code made by Licensee (“**Modification**”). Licensee may not use the Object for any purpose other than its use of the Software in accordance with this EULA. Notwithstanding any other term of the Agreement, Foundry shall have no obligation to provide support, maintenance, upgrades or updates of or in respect of any of the Source Code, the OSS Components (save for any obligations Foundry may have in respect of any elements that form part of the Software as a whole), the OSS Source Code, the Object or any Modification. Licensee shall indemnify Foundry against all liabilities and expenses (including reasonable legal costs) incurred by Foundry in relation to any claim asserting that any Modification infringes the intellectual property rights of any third party.
### **5\. BACK-UP COPY**
Licensee may store one copy of the Software and Documentation off-line and off-site in a secured location within the Home Country that is owned or leased by Licensee in order to provide a back-up in the event of destruction by fire, flood, acts of war, acts of nature, vandalism or other incident. In no event may Licensee use the back-up copy of the Software or Documentation to circumvent the usage or other limitations set forth in this EULA.
### **6\. OWNERSHIP**
Licensee acknowledges that the Software (including, for the avoidance of doubt, any Source Code that is licensed to Licensee) and Documentation and all related intellectual property rights and other proprietary rights are and shall remain the sole property of Foundry and the Third Party Licensors. Licensee shall not remove, or allow the removal of, any copyright or other proprietary rights notice included in and on the Software or Documentation or take any other action that could adversely affect the property rights of Foundry or any Third Party Licensor. To the extent that Licensee is authorized to make copies of the Software or Documentation under this EULA, Licensee shall reproduce in and on all such copies any copyright and/or other proprietary rights notices provided in and on the materials supplied by Foundry hereunder. Nothing in the Agreement shall be deemed to give Licensee any rights in the trademarks, service marks, patents, trade secrets, confidential information, copyrights or other intellectual property rights of Foundry or any Third Party Licensor, and Licensee shall be strictly prohibited from using the name, trademarks or service marks of Foundry or any Third Party Licensor in Licensees promotion or publicity without Foundrys prior express written approval.
Subject to clause 4.3, Foundry undertakes (the “**Undertaking**”) to defend Licensee or at Foundrys option settle any claim brought against Licensee alleging that Licensees possession or use of the Software or Documentation in accordance with the Agreement infringes the intellectual property rights of a third party in the same country as Licensee (“**Claim**”) and shall reimburse all reasonable losses, damages, costs (including reasonable legal fees) and expenses incurred by or awarded against Licensee in connection with any such Claim, provided that the Undertaking shall not apply where the Claim in question is attributable to possession or use of the Software or Documentation other than in accordance with the Agreement, or in combination with any hardware, software or service not supplied or specified by Foundry. The Undertaking is conditional on Licensee giving written notice of the Claim to Foundry as soon as reasonably possible, cooperating in the defence of the Claim and not making any admission of liability or taking any step prejudicial to the defence of the Claim. If any Claim is made, or in Foundrys reasonable opinion is likely to be made, against Licensee, Foundry may at its sole option and expense (a) procure for Licensee the right to continue using the Software, (b) modify the Software so that it ceases to be infringing, (c) replace the Software with non-infringing software, or (d) terminate the Agreement immediately by notice in writing to Licensee and refund the License Fee (less a reasonable sum in respect of Licensees use of the Software to the date of termination) on return of the Software and all copies by Licensee. The Undertaking constitutes Licensees exclusive remedy and Foundrys only liability in respect of any Claim.
### **7\. LICENSE FEE**
7.1 Licensee acknowledges that the rights granted to Licensee under this EULA are conditional on Licensees timely payment of the license fee payable to Foundry in connection with the Agreement or, as the case may be, payable to Foundrys reseller (the “**License Fee**”). Except where the applicable invoice expressly sets out payment in instalments, the License Fee shall be payable in full as one single payment.
7.2 Licensee will be charged and agrees to pay to Foundry or Foundrys authorized reseller (as applicable): (a) the License Fee as notified by Foundry (or its reseller) at the time of the initial purchase of the License; and (b) in respect of any Subscription Auto-renewal Period for a Subscription License, the License Fee as notified by Foundry (or its reseller) on or about the applicable Renewal Date.
7.3 Unless stated otherwise, any Licence Fee notified to the Licensee by Foundry (or its reseller) is exclusive of sales tax, VAT and any other similar taxes, duties or levies, which shall be payable by the Licensee (and the Licensee agrees to pay) in addition to the Licence Fee.
7.4 In the cases of Non-Commercial Licenses or Trial Licenses or specific End of Life Software, the fact that no License Fee may be payable shall not be construed as a waiver by Foundry of any right or remedy available to it in relation to any breach by the Licensee of this EULA or the Agreement, or of any other right or remedy arising under applicable law, all of which are expressly reserved.
### **8\. SUBSCRIPTION LICENSES AND AUTO-RENEWAL**
8.1 If Licensee has purchased a Subscription Licence, the License shall be limited to the Initial Subscription Period and any/all Auto-renewal Periods (each as defined below) (together the “**Subscription Period**”) after which it shall automatically expire.
8.2 The Subscription Licence shall begin as soon as Foundry accepts Licensees order by issuing Licensee with a license key (the “**Subscription Start Date**”) and shall continue for an initial period of twelve (12) months (the “**Initial Subscription Period**”) unless earlier terminated in accordance the terms of this EULA, or unless otherwise communicated by Foundry.
8.3 Unless Licensee opts out of auto-renewal in accordance with clause 8.5 then upon the first anniversary of the Subscription Start Date and each subsequent anniversary (each a “**Subscription Renewal Date**”), Licensees Subscription Licence shall renew automatically for a further twelve (12) months (each an “**Auto-renewal Period**”). Licensees Subscription License will continue to auto-renew in this manner until Licensee opts out of auto-renewal or unless earlier terminated in accordance with the terms of this EULA.
8.4 Prior to each Subscription Renewal Date, Foundry shall send one (1) email to advise you that your Subscription License is approaching auto-renewal to the contact email address as provided by Licensee in accordance with clause 23. The reminder email will be sent not less than thirty (30) days prior to the relevant Subscription Renewal Date.
8.5 **Opting Out of Auto-renewal and License Expiry.** If Licensee wishes to opt out of auto-renewal then you must email licenses@foundry.com providing details of the Subscription Licence(s) which you wish to opt out not less than seventy-two (72) hours prior to the relevant Subscription Renewal Date. Provided that Licensee notifies Foundry in accordance with the provisions of this clause 8.5 then your Subscription License(s) will not auto-renew and shall expire at the end of the then-current Subscription Period.
8.6 **Increases to the License Fee for Subscription Licenses.** Foundry reserves the right to increase the License Fee for Subscription Licenses from time to time provided that it shall provide Licensee with not less than thirty (30) days notice of any increase prior to the relevant Subscription Renewal Date.
### **9\. CANCELLATIONS**
9.1 Licensee may cancel a License within 14 days of the original purchase date to obtain a full refund and Licensee will no longer be able to use the Software from the cancellation date. Licensees right to obtain a refund will be lost once the Software has been installed.
9.2 Refunds are not payable for cancellations made after such date. This includes Subscription licenses which are subject to the fixed twelve (12) month terms and for which the Licensee may opt out of auto-renewal in accordance with Clause 8.
9.3 Cancellations and requests for refunds can be made by contacting Foundrys Sales Support team at licenses@foundry.com.
### **10\. END OF LIFE**
10.1 From time to time, Foundry will retire Software product(s) (and any/ all versions) by withdrawing them from the market. Such Software product(s) will be designated as end of life (“**EoL**”) and a corresponding announcement (the “**Announcement**”) will be published on Foundrys website from time to time (the date of such announcement being the “**EoL Notification Date**”). The announcement will include an EoL date (“**EoL Date**”) and other relevant information.
10.2 No new License(s) (including renewals, if applicable) for the EoL Software product(s) will be sold after the EoL Notification Date. Unless otherwise provided for in the Announcement, the EoL Date will be the last day that the EoL Software product(s) is sold, improved, maintained, updated, or supported (subject to the below).
10.3 Unless otherwise provided for in the Announcement, a Licensee with an active Subscription License(s) at the time of the EoL Date will receive certain limited support until the relevant Subscription Period expires. A Licensee with an active perpetual License(s) (purchased on or prior to 31 December 2023) for which it has renewed (or auto renewed) the associated Maintenance and Support Agreement prior to the EoL Notification Date, will receive certain limited support until the EoL Date, or for a period specified in the Announcement.
10.4 In the event of EoL, Foundry advises Licensee to install the latest product releases, security updates, fixes and patches available until the EoL Date, to remain as secure as possible. Older products may not meet security or performance requirements, and Foundry cannot confirm compatibility with future operating system updates after the EoL Date. To the maximum extent permitted by applicable law, Foundry shall not be liable for any form of loss, damage or disruption in respect of the EoL Software product(s) beyond the EoL Date.
10.5 Foundry retains all rights, including intellectual property rights, associated with the EoL Software product(s) beyond the EoL Date. Any use by Licensee of the EoL Software product(s) beyond the EoL Date will continue to be governed by the terms of this Agreement.
### **11\. MAINTENANCE AND SUPPORT**
11.1 Subject to Licensees timely payment of the applicable License Fee, each Subscription Licence and each Rental License shall include access to certain maintenance and support services in accordance with the Maintenance and Support Agreement which is available on Foundrys website (the “**Maintenance and Support Agreement**”).
11.2 If Licensee purchased a perpetual License on or prior to 31 December 2023 for which it has renewed (or auto-renewed) the associated Maintenance and Support Agreement, then such License shall include access to certain maintenance and support services for the relevant continuous Renewal Support Period(s) (as defined in, and in accordance with, the Maintenance and Support Agreement), after which Licensee shall not be entitled to purchase further maintenance and support for such License.
11.3 Foundry may vary the terms and conditions of the Maintenance and Support Agreement from time to time and at its sole discretion.
### **12\. TAXES AND DUTIES**
Licensee agrees to pay, and indemnify Foundry from claims for, any local, state or national tax (exclusive of taxes based on net income), duty, tariff or other impost related to or arising from the transaction contemplated by the Agreement.
### **13\. LIMITED WARRANTY**
13.1 Subject to clause 13.3, Foundry warrants that, for a period of ninety (90) days after Licensee first downloads the Software (“**Warranty Period**”): (a) the Software will, when properly used on an operating system for which it was designed, perform substantially in accordance with the functions described in the Documentation; and (b) that the Documentation correctly describes the operation of the Software in all material respects. If, within the Warranty Period, Licensee notifies Foundry in writing of any defect or fault in the Software as a result of which it fails to perform substantially in accordance with the Documentation, Foundry will, at its sole option, either repair or replace the Software, provided that Licensee makes available all the information that may be necessary to identify, recreate and remedy the defect or fault. This warranty will not apply to, and Foundry shall have no liability for, any defect or fault caused by: (a) unauthorised use of or any amendment made to the Software by any person other than Foundry; and/or (b) use of the Software in conjunction with third party technology. If Licensee is a consumer, the warranty given in this clause is in addition to Licensees legal rights in relation to any Software or Documentation that is faulty or not as described.
13.2 Foundry does not warrant that the Software or Documentation will meet Licensees requirements or that Licensees use of the Software will be uninterrupted or error free.
13.3 If Licensee purchases a license of the Software that is of a fixed term duration, the Warranty Period in clause 13.1 shall apply only to Licensees first purchase of such license and not to any subsequent renewal(s) even if a renewal involves another download.
### **14\. INDEMNIFICATION**
14.1 Licensee agrees to indemnify, hold harmless and defend Foundry, the Third Party Licensors and Foundrys and each Third Party Licensors respective affiliates, officers, directors, shareholders, employees, authorized resellers, agents and other representatives from all claims, defence costs (including, but not limited to, legal fees), judgments, settlements and other expenses arising from or connected with any claim that any authorised or unauthorised use including but not limited to modification of the Software or Documentation by Licensee or any person connected with Licensee or any person provided with the Software by Licensee, infringes the intellectual property rights or other proprietary rights of any third party.
14.2 Licensee agrees to indemnify, hold harmless and defend Foundry, the Third Party Licensors and Foundrys and each Third Party Licensors respective affiliates, officers, directors, shareholders, employees, authorized resellers, agents and other representatives from all claims, defence costs (including, but not limited to, legal fees), judgments, settlements and other expenses arising from or connected with any claim that any authorised or unauthorised use (including but not limited to modification) of the Software or Documentation, by Licensee, any person connected with Licensee or any person provided with the Software by Licensee, causes any of them or any third party (including but not limited to those viewing a product of the Software) to suffer harm or loss of any kind.
### **15\. LIMITATION OF LIABILITY TO BUSINESS USERS**
This clause applies where Licensee is a business user (and for these purposes any Licensee that is not a consumer shall be treated as a business user). Licensee acknowledges that the Software has not been developed to meet its individual requirements, and that it is therefore Licensees responsibility to ensure that the facilities and functions of the Software as described in the Documentation meet such Licensee requirements. The Software and Documentation is supplied only for Licensees internal use for its business, and not for any re-sale purposes or for the provision of the Software (whether directly or indirectly) to third parties. Foundry shall not under any circumstances whatever be liable to Licensee, its affiliates, officers, directors, shareholders, employees, agents or other representatives, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with the Agreement for loss of profits, sales, business, or revenue, business interruption, loss of anticipated savings, loss or corruption of data or information, loss of business opportunity, goodwill or reputation (in each case whether the loss is direct or indirect) or any indirect or consequential loss or damage. In respect of any other losses, Foundrys maximum aggregate liability under or in connection with the Agreement whether in contract, tort (including negligence) or otherwise, shall in all circumstances be limited to the greater of US$5,000 (five thousand USD) and a sum equal to the License Fee. Nothing in the Agreement shall limit or exclude Foundrys liability for death or personal injury resulting from our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot be excluded or limited by applicable law. This EULA sets out the full extent of our obligations and liabilities in respect of the supply of the Software and Documentation. Except as expressly stated in writing in this EULA, there are no conditions, warranties, representations or other terms, express or implied, that are binding on Foundry. Any condition, warranty, representation or other term concerning the supply of the Software and Documentation which might otherwise be implied into, or incorporated in, the Agreement, whether by statute, common law or otherwise, is excluded to the fullest extent permitted by law.
### **16\. LIMITATION OF LIABILITY TO CONSUMERS**
This clause applies where Licensee is a consumer. Licensee acknowledges that the Software has not been developed to meet Licensees individual requirements, and that it is therefore Licensees responsibility to ensure that the facilities and functions of the Software as described in the Documentation meet such Licensee requirements. The Software and Documentation are only supplied for Licensees domestic and private use. Licensee agrees not to use the Software and Documentation for any commercial, business or re-sale purposes, and Foundry has no liability to Licensee for any loss of profit, loss of business, business interruption, loss of business opportunity or loss or harm caused to property or data used for professional purposes. Foundry is only responsible for loss or damage suffered by Licensee that is a foreseeable result of Foundrys breach of the Agreement or its negligence but Foundry is not responsible for any loss or damage that is not foreseeable. Our maximum aggregate liability under or in connection with the Agreement, whether in contract, tort (including negligence) or otherwise, shall in all circumstances be limited to a sum equal to the greater of US$5,000 (five thousand USD) and a sum equal to the latest annual License Fee. Nothing in the Agreement shall limit or exclude Foundrys liability for death or personal injury resulting from our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot be excluded or limited by applicable law.
### **17\. TERM; TERMINATION**
17.1 The Agreement is effective upon Licensees download of the Software, and the Agreement will remain in effect until termination or expiry. Licensee may terminate the Agreement on written notice to Foundry if Foundry is in material breach of this Agreement and fails to cure the breach within 10 (ten) working days of receiving notice of such breach. If Licensee breaches the Agreement, Foundry may terminate the License immediately by notice to Licensee.
17.2 If the Agreement expires or is terminated, the License will cease immediately and Licensee will immediately cease use of any Software and Documentation and either return to Foundry all copies of the Software and Documentation in Licensees possession, custody or power or, if Foundry directs in writing, destroy all such copies. In the latter case, if requested by Foundry, Licensee shall provide Foundry with a certificate confirming that such destruction has been completed within 10 days.
17.3 Foundry reserves the right to terminate and/or suspend the License as it deems reasonable in its sole discretion by notice to Licensee if it becomes aware that Licensee has failed to pay any sum due either to Foundry or to a reseller of Foundry either in connection with the Agreement or in connection with any other Software license to use any product(s) of Foundry, in connection with any other agreed terms between Foundry and the Licensee in connection with the Software, in connection with any Maintenance and Support Agreement or if the Licensee is otherwise in breach of or fails to comply with any term of the Agreement.
17.4 Foundry may also terminate this Agreement if Licensee becomes subject to bankruptcy proceedings, becomes insolvent, or makes an arrangement with Licensees creditors. This Agreement, and for the avoidance of doubt the Licenses to which it relates, will terminate automatically without further notice or action by Foundry if Licensee goes into liquidation.
### **18\. CONFIDENTIALITY**
Licensee agrees that the Software (including, for the avoidance of doubt, any Source Code that is licensed to Licensee) and Documentation are proprietary to and the confidential information of Foundry or, as the case may be, the Third Party Licensors, and that all such information and any related communications (collectively, “**Confidential Information**”) are confidential and a fundamental and important trade secret of Foundry and/or the Third Party Licensors. If Licensee is a business user, Licensee shall disclose Confidential Information only to Licensees employees who are working on an Authorized Project and have a “need-to-know” such Confidential Information for the purposes of that Authorized Project, and shall advise any recipients of Confidential Information that it is to be used only as expressly authorized in the Agreement. Licensee shall not disclose Confidential Information or otherwise make any Confidential Information available to any other of Licensees employees or to any third parties without the express written consent of Foundry. Licensee agrees to segregate, to the extent it can be reasonably done, the Confidential Information from the confidential information and materials of others in order to prevent commingling. Licensee shall take reasonable security measures, which measures shall be at least as great as the measures Licensee uses to keep Licensees own confidential information secure (but in any case using no less than a reasonable degree of care), to hold the Software, Documentation and any other Confidential Information in strict confidence and safe custody. Foundry may request, in which case Licensee agrees to comply with, certain reasonable security measures as part of the use of the Software and Documentation. This clause shall not apply to any information that is in or comes into the public domain (other than as a result of the Licensees breach of its obligations under the Agreement), or was in Licensees lawful possession before receipt or which Licensee develops independently and without breach of this clause. Licensee acknowledges that monetary damages may not be a sufficient remedy for unauthorized disclosure of Confidential Information, and that Foundry shall be entitled, without waiving any other rights or remedies, to such injunctive or other equitable relief as may be deemed proper by a court of competent jurisdiction.
### **19\. INSPECTION AND INFORMATION**
19.1 Unless Licensee is a consumer, Licensee shall advise Foundry on demand of all locations where the Software or Documentation is used or stored. Licensee shall permit Foundry or its authorized agents to audit all such locations during normal business hours and on reasonable advance notice.
19.2 The Software may include mechanisms to access and collect limited information from computer(s) on which it is installed and from any IT systems to which those computer(s) may be connected (including any system registry files) and transmit it to Foundry and/or its resellers, including the ability to locally cache such information on such computers. Such information (the “**Information**”) may include details of relevant license(s) to Foundry products, details of computer and network equipment, details of the operating system(s) in use on such computer equipment, email domain relating to owners of such computer and network equipment, the location of the computer(s) on which the Software is installed and the profile and extent of use of the different elements of the Software and other Foundry software. Foundry may use the Information to (a) model the profiles of usage, hardware and operating systems in use collectively across its customer base in order to focus development and support, (b) to provide targeted support to individual customers, (c) to ensure that the usage of the Software by Licensee is in accordance with the Agreement and does not exceed any user number or other limits on its use, (d) to confirm the identity of Licensee, to identify unlicensed use of the Software (including use of pirated or other unlicensed copies of the Software) and to assist Foundry (and its resellers and any enforcement bodies) in contacting any unlicensed users of the Software and seeking to terminate unlicensed use of the Software, and (e) to advise Licensee about service issues such as available upgrades and maintenance expiry dates. To the extent that any Information constitutes personal data for the purposes of the General Data Protection Regulation (EU) 2016/679 (“**EU GDPR**”) and the version of the EU GDPR retained in UK domestic law as further defined in the Data Protection Act 2018 (“**UK GDPR**”), in each case, as amended, superseded or replaced from time to time (as applicable, “**GDPR**”) it shall be processed in accordance with the GDPR and with Foundrys Privacy Notice (see https://www.foundry.com/privacy-notice), as may be updated by Foundry from time to time. Licensee undertakes to make all of users of the Software aware of the uses which Foundry will make of the Information and of the terms of Foundrys Privacy Policy.
19.3 By downloading or using the Software, you (i) warrant that you are entitled to control access to the computer(s) on which the Software is downloaded and any IT systems to which they may be connected, and (ii) irrevocably authorise Foundry (through the use of the Software) to access such computer(s) and IT systems (including any system registry files) and collect the Information from them and to transmit that Information to Foundry and its resellers (and any enforcement bodies) and use it for the purposes identified at clause 19.2(a) to (e) above.
### **20\. U.S. GOVERNMENT LICENSE RIGHTS**
All Software, including all components thereof, and Documentation qualify as “commercial items,” as that term is defined at Federal Acquisition Regulation (“**FAR**”) (48 C.F.R.) 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Agreement may be incorporated, a government end user will acquire the Software and Documentation with only those rights set forth in this Agreement. Use of either the Software or Documentation or both constitutes agreement by the government that all Software and Documentation are “commercial computer software” and “commercial computer software documentation,” and constitutes acceptance of the rights and restrictions herein. The Software is the subject of the following notices:
\* Copyright © 2001 - 2025 The Foundry Visionmongers Ltd. All Rights Reserved.
\* Unpublished- rights reserved under the Copyright Laws of the United Kingdom.
### **21\. SURVIVAL**
Clause 6, clause 7 and clauses 12 to 25 inclusive shall survive any termination or expiration of the Agreement.
### **22\. IMPORT/EXPORT CONTROLS AND SANCTIONS**
To the extent that any Software made available under the Agreement is subject to restrictions upon export and/or re-export from any applicable jurisdiction (including the United States), Licensee agrees to comply with, and not act or fail to act in any way that would violate, applicable international, national, state, regional or local laws and regulations, including, without limitation, the U.S. Export Administration Act and the Export Administration Regulations, the regulations of the U.S. Department of Treasury Office of Foreign Assets Control, the International Traffic in Arms regulations, the United States Foreign Corrupt Practices Act, the UK Export Control Act 2002 and the UK Export Control Order 2008 (collectively, “**Export Laws**”) as those laws may be amended or otherwise modified from time to time, and neither Foundry nor Licensee shall be required under the Agreement to act or fail to act in any way which it believes in good faith will violate any such laws or regulations. Without limiting the foregoing, Licensee agrees that it will not sell, supply, transfer, export or re-export, directly or indirectly, Foundrys Software or related products and services, or any commodity, technology, technical data, software or service that incorporates, contains or is a direct product of Foundrys Software, products and/or services, (i) in violation of the Export Laws; (ii) to any country for which an export license or other governmental approval is required at the time of export, without first obtaining all necessary export licenses or other approvals; (iii) to any country, or national or resident of a country, to which trade is embargoed by the United States and/or sanctioned by the United Kingdom or the European Union; (iv) to any person or firm on any government agencys list of blocked, denied or barred persons or entities, including but not limited to the U.S. Department of Commerces Denied Persons List and Entities List, and the U.S Treasury Departments Specially Designated Nationals List; or (v) to the Russian Federation and/or Belarus or for use in the Russian Federation and/or Belarus, or (vi) for use in any nuclear, chemical or biological weapons, or missile technology end-use. Licensee warrants and represents that it is not subject to any Export Law, sanction and/or other form of trading compliance restriction or regulation which may limit or prohibit its right to download, install and/or use the Software in accordance with this EULA.
### **23\. MISCELLANEOUS**
Unless Licensee is a consumer, the Agreement is the exclusive agreement between the parties concerning its subject matter and supersedes any and all prior oral or written agreements, negotiations, or other dealings between the parties concerning such subject matter. Licensee acknowledges that Licensee has not relied upon any representation or collateral warranty not recorded in the Agreement inducing it to enter into the Agreement.
The Agreement may be modified only in writing, by Foundry, at any time.
The failure of either party to enforce any rights granted under the Agreement or to take action against the other party in the event of any such breach shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in the event of future breaches.
The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including, unless Licensee is a consumer, non-contractual disputes or claims) shall be governed by, and construed in accordance with English Law and the parties irrevocably submit to the non-exclusive jurisdiction of the English Courts, subject to any right that a consumer may have to bring proceedings or to have proceedings brought against them in a different jurisdiction.
If Foundry fails to insist that Licensee performs any obligation under the Agreement, or delays in doing so, that will not mean that Foundry has waived its rights.
If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
Unless Licensee is a consumer, Licensee agrees that Foundry may refer to Licensee as a client or a user of the Software, may display its logo(s) for this purpose and may publish quotations and testimonials from Licensee, its directors, partners, officers or employees. Foundry agrees to promptly cease any such use on Licensees written request.
Foundry and Licensee intend that each Third Party Licensor may enforce against Licensee under the Contracts (Rights of Third Parties) Act 1999 (the “Act”) any obligation owed by Licensee to Foundry under this EULA that is capable of application to any proprietary or other right of that Third Party Licensor in or in relation to the Software. Foundry and Licensee reserve the right under section 2(3)(a) of the Act to rescind, terminate or vary this EULA without the consent of any Third Party Licensor.
**Email Address for General Correspondence**: Licensee shall notify Foundry of an email address for the provision of any correspondence in connection with the Agreement and shall notify Foundry via licenses@foundry.com of any change(s) to that email address. Please note, the email address you provide is important for the provision of information and notices to you, including in relation to the autorenewal of any Subscription License (if applicable). It is your responsibility to provide and maintain an up-to-date email address. Foundry shall store details of and may use the email address to notify you in accordance with the terms of this Agreement.
### **24\. NOTICES**
Any legal notices from the Licensee to Foundry should be sent via postal mail or international delivery to The Foundry Visionmongers Ltd, 5 Golden Square, London, W1F 9HT, addressed to The General Counsel. These notices will be effective upon receipt by Foundry. Additionally, a copy of the notice should be emailed to Foundry at legal@foundry.com. Unless otherwise agreed in writing, any notices from Foundry to the Licensee will be provided either (a) by email to the registered email address associated with the Licensees account, or (b) in any other reasonable manner that involves specific notification to the Licensee. Notices from Foundry to the Licensee will be effective (i) one day after being sent by email, and (ii) five days after being posted or sent by international delivery service. The Licensee agrees that service of process may be effected on the Licensee by registered mail sent to the last known address on record with Foundry, if permitted by applicable law.
### **25\. COMPLAINTS & ONLINE DISPUTE RESOLUTION PLATFORM**
We hope that you are satisfied with any Software purchase made or service received from Foundry, but if you have a complaint, in the first instance, please contact us on licenses@foundry.com or through our Support Portal: https://support.foundry.com/hc/en-us (for technical support and bug reports), or you can request a call back from the Sales team here: https://www.foundry.com/contact-us.
Last updated 27 March 2025.
**Copyright © 27 March 2025 The Foundry Visionmongers Ltd.**
All Rights Reserved. Do not duplicate.

629
Foudry-Nuke-Monitoring.md Normal file
View File

@ -0,0 +1,629 @@
# The Foundry Nuke Telemetry Investigation
**Created:** 2025-10-25
**Status:** Complete - Telemetry Confirmed
**Priority:** High - Privacy Implications
---
## Executive Summary
This investigation confirmed that The Foundry's Nuke compositor software actively transmits telemetry data to third-party services without user consent or opt-out capability. Initial suspicions about unencrypted data transmission and excessive data collection were **partially validated** through network traffic analysis and EULA review.
**Key Findings:**
-  Nuke transmits telemetry to Honeycomb.io (17KB encrypted data per session)
-  Unencrypted HTTP traffic to learn.foundry.com exposes version and usage patterns
-  EULA grants Foundry "irrevocable" authorization to access computer systems and transmit data
-  No opt-out mechanism available
- <20> Actual telemetry volume modest (~32KB over 20 minutes), not excessive
- <20> Most telemetry uses HTTPS encryption (Honeycomb), but HTTP still present
---
## Investigation Timeline
### Phase 1: Initial Network Capture (20 Minutes)
**Objective:** Determine if Nuke was "phoning home" during normal use.
**Method:** Used `tcpdump` to capture all network traffic during a typical Nuke session.
**Results:** [[nuke_foundry_analysis.md]]
- **136 packets** captured totaling **32KB** of data
- **3 confirmed Foundry connections** identified:
1. `api.honeycomb.io` (52.205.16.9) - 17KB encrypted telemetry via HTTPS
2. `learn.foundry.com` (52.50.232.31) - 8 unencrypted HTTP HEAD requests
3. `crashpad_handler` process found pointing to `sentry.foundry.com` (not active during capture)
**Conclusion:** Telemetry confirmed, but volume less excessive than initially suspected.
### Phase 2: EULA Legal Analysis
**Objective:** Determine what data collection Foundry explicitly authorizes in their terms of service.
**Method:** Obtained and analyzed Foundry's End User License Agreement, focusing on data collection clauses.
**Results:** [[FOUNDRY-EULA.md]] and [[EULA-Analysis.md]]
**Critical EULA Clauses:**
**Clause 19.2** - Foundry collects:
- License details and validation data
- Computer and network equipment specifications
- Operating system details and system registry files
- Email domain of equipment owners
- **Geographic location of computers**
- **Usage profiling** ("profile and extent of use of different elements")
**Clause 19.3** - Binding authorization:
> "By downloading or using the Software, you [...] **irrevocably authorise Foundry** (through the use of the Software) to **access such computer(s) and IT systems (including any system registry files)** and **collect the Information from them and to transmit that Information to Foundry and its resellers (and any enforcement bodies)**"
**Data Usage Purposes:**
- (a) Usage modeling across customer base for development prioritization
- (b) Targeted customer support
- (c) **License enforcement and usage limit verification**
- (d) **Anti-piracy / identifying unlicensed use / contacting enforcement bodies**
- (e) Service notifications (updates, maintenance alerts)
**Privacy Concerns Identified:**
- =<3D> Authorization is **"irrevocable"** - cannot be withdrawn
- =<3D> Applies to **"IT systems" (plural)** - entire network, not just one computer
- =<3D> Data shared with **"resellers and enforcement bodies"** (undefined third parties)
- =<3D> System registry access permitted (sensitive system information)
- =<3D> **No opt-out mechanism** available
**Conclusion:** EULA grants Foundry far broader data collection rights than observed in network capture. Unknown how much of permitted collection actually occurs because most traffic is encrypted.
### Phase 3: Monitoring Infrastructure Setup
**Objective:** Create tools for ongoing telemetry observation.
**Method:** Developed automated monitoring scripts and blocking mechanisms.
**Tools Created:**
1. **[[monitor_nuke_telemetry.sh]]** - Real-time monitoring with logging
- Captures all Foundry domain connections
- Logs timestamps and connection details
- Generates session summaries
2. **[[monitor_nuke_telemetry_service.sh]]** - Systemd service installer
- Enables background monitoring
- Automatic startup on boot
- Journal logging integration
3. **[[block_nuke_telemetry.sh]]** - Telemetry blocking script
- Modifies `/etc/hosts` to redirect Foundry domains to localhost
- Backs up original hosts file
- Blocks: api.honeycomb.io, learn.foundry.com, sentry.foundry.com
**Conclusion:** Infrastructure ready for extended observation and optional blocking.
### Phase 4: Gap Analysis and Troubleshooting
**Objective:** Identify what telemetry data we're missing from captures.
**Method:** Analyzed methodology gaps and created troubleshooting procedures.
**Findings:** [[monitoring-gaps-analysis.md]]
**Definitely Missing:**
1. **Startup telemetry** - System scan during Nuke launch (not captured)
2. **Shutdown telemetry** - Session summary on Nuke close (not captured)
3. **Encrypted payload contents** - Cannot decrypt 17KB Honeycomb transmission
**Probably Missing:**
4. Crash reports (no crashes triggered during monitoring)
5. Periodic check-ins beyond 20-minute window
6. Local data collection (happens before network transmission)
**Likely Already Transmitted (But Encrypted):**
- Email domain (probably in Honeycomb payload or known from license registration)
- Geographic location (determined from IP address - unavoidable without VPN)
- System/hardware information (permitted by EULA, likely in encrypted payload)
- Usage profiling data (tool usage, session duration, feature utilization)
**Methodology Issues:**
- Startup captures showed no traffic (suggests telemetry only on first-ever launch)
- Subsequent launches silent until periodic check-in
- 20-minute capture caught periodic heartbeat, not startup burst
**Troubleshooting:** [[TROUBLESHOOTING.md]]
- Process detection fixes for automated scripts
- Wide-net capture strategies to catch all external connections
- Manual strace procedures to observe local system file access
**Conclusion:** Most EULA-permitted data likely already being transmitted in encrypted Honeycomb payload. Timing suggests telemetry is batched/periodic rather than constant.
---
## Technical Architecture
### Telemetry Services Identified
**1. Honeycomb.io (Primary Analytics Platform)**
- **Domain:** api.honeycomb.io
- **IP Address:** 52.205.16.9 (AWS US-East Virginia)
- **Protocol:** HTTPS (encrypted)
- **Data Volume:** ~17KB per session in observed capture
- **Purpose:** Observability and analytics SaaS platform for usage metrics, performance data, error tracking
- **Privacy Note:** Third-party service - data leaves Foundry's direct control
**2. Foundry Documentation Server**
- **Domain:** learn.foundry.com
- **IP Address:** 52.50.232.31 (AWS EU-West Ireland)
- **Protocol:** HTTP <20> (unencrypted!)
- **Traffic Pattern:** Periodic HEAD requests to `/nuke/15.2/Default.html`
- **Purpose:** Documentation availability checks
- **Privacy Note:** Unencrypted transmission exposes Nuke version, IP address, and usage timing to ISP/network observers
**3. Sentry Crash Reporting**
- **Domain:** sentry.foundry.com
- **Protocol:** HTTPS (port 443)
- **Process:** `/home/nicholai/Nuke15.2v6/crashpad_handler --url=https://sentry.foundry.com:443/api/6/minidump/`
- **Purpose:** Crash dumps, stack traces, error reports
- **Status:** Process found but not active during monitoring (no crashes occurred)
- **Privacy Note:** Crash dumps can contain sensitive project data and memory snapshots
### Local Data Storage
**Sync Database Found:**
- **Location:** `~/.nuke/.sync_8178bafde38a.db`
- **Size:** 1.27 MB
- **Format:** SQLite database
- **Purpose:** Unknown - requires further inspection via [[inspect_local_data.sh]]
- **Hypothesis:** May cache telemetry locally before batch transmission
**Sentry Database Directory:**
- **Location:** `~/Documents/nuke/15.2.375648/sentry-db/`
- **Purpose:** Local cache for crash reports before transmission
### Network Behavior Patterns
**Telemetry Timing:**
- **First launch:** Likely sends full system scan, license activation, initial telemetry (not captured)
- **Subsequent launches:** Silent - credentials and system info cached locally
- **During session:** Periodic heartbeats (~20-30 minute intervals based on observation)
- **Shutdown:** Unknown - may send session summary (not captured)
**Connection Frequency:**
- Not constant "phone home" behavior
- Modest packet count (136 packets in 20 minutes)
- Suggests batched transmission rather than real-time streaming
---
## Privacy Assessment
### Data Collection Confirmed
| Data Type | Evidence | Source |
|-----------|----------|--------|
| Nuke version | HTTP requests to learn.foundry.com | Network capture |
| Session duration | Implicit in connection timing | Network capture |
| License information | Required by EULA clause 19.2(a) | EULA |
| System specifications | Required by EULA clause 19.2 | EULA |
| Email domain | Explicitly listed in EULA 19.2 | EULA |
| Geographic location | Explicitly listed in EULA 19.2 | EULA |
| Usage profiling | EULA 19.2: "profile and extent of use" | EULA |
| System registry access | EULA 19.3 authorization | EULA |
### Data We Cannot See (Encrypted)
The 17KB Honeycomb payload is HTTPS encrypted. Based on EULA permissions and typical telemetry practices, it **likely contains**:
```json
{
"session_id": "...",
"timestamp": "2025-10-25T...",
"user": {
"email_domain": "example.com",
"license_type": "commercial",
"license_id": "..."
},
"location": {
"country": "US",
"region": "...",
"city": "..."
},
"system": {
"os": "Linux 6.17.4-arch2-1",
"cpu": "...",
"gpu": "...",
"ram": "...",
"installed_software": [...]
},
"usage": {
"session_duration_seconds": 1200,
"tools_used": ["Viewer", "Merge", "Grade", ...],
"nodes_created": 45,
"render_count": 5,
"errors": [...]
},
"performance": {
"frame_rate": ...,
"memory_usage": ...,
"crash_count": 0
}
}
```
**This is speculation based on EULA permissions and industry standards** - actual contents unknown without decryption.
### Privacy Violations and Concerns
**Critical Issues:**
1. **No Informed Consent**
- Telemetry enabled by default with no toggle
- EULA buried on page 8 (clauses 19.2-19.3)
- "Irrevocable" authorization - cannot be withdrawn
- Users likely unaware of data collection scope
2. **Unencrypted HTTP Traffic**
- learn.foundry.com uses HTTP (port 80)
- Exposes: Nuke version, IP address, usage timing
- Visible to: ISP, network administrators, public WiFi observers
- **Security malpractice** - violates industry standards for 2025
3. **Overly Broad EULA Authorization**
- "IT systems" (plural) - entire network, not just one computer
- System registry access - can contain passwords, file paths, installed software
- Sharing with "enforcement bodies" - undefined third parties
- Anti-piracy use case incentivizes aggressive data collection
4. **Third-Party Data Sharing**
- Honeycomb.io (US company) - subject to US surveillance laws
- Sentry (third-party service) - another external processor
- "Resellers" - potentially dozens of international companies
- No data processor agreements visible to end users
5. **GDPR/Privacy Law Concerns**
- EULA claims GDPR compliance (clause 19.2)
- **But:** GDPR requires explicit, informed, freely given consent
- **Question:** Is acceptance of entire EULA valid consent?
- **Question:** Can you use Nuke without consenting? (No = not "freely given")
- **Question:** Is notice adequate when buried in page 8 of legal document?
**Moderate Issues:**
6. **Location Tracking**
- EULA explicitly permits collection of "location of computers"
- Can be used to enforce geographic licensing restrictions
- Combined with usage data = detailed professional surveillance
- May violate local privacy laws depending on jurisdiction
7. **Usage Profiling**
- Tracks which features used, how often, for how long
- Reveals workflow patterns, project types, professional activities
- Could be used for pricing discrimination or feature deprecation
- No transparency into how profiles are used
8. **Indefinite Retention**
- EULA doesn't specify data retention period
- No mention of data deletion upon license termination
- Honeycomb/Sentry may have own retention policies
**Positive Observations:**
9. **Data Volume Not Excessive**
- 32KB over 20 minutes is modest
- Not constant background transmission
- Suggests targeted telemetry, not surveillance-level data hoarding
10. **Most Data Encrypted**
- Honeycomb uses HTTPS
- Sentry uses HTTPS
- Only learn.foundry.com uses unencrypted HTTP (documentation checks)
11. **No License Server Lockdown**
- Using local/node-locked license
- No constant license validation pings
- Offline work possible (unclear if telemetry queued)
---
## Legal and Compliance Analysis
### Foundry's Legal Position
**EULA Strategy:**
- Explicitly disclose data collection in clauses 19.2-19.3
- Highlight these clauses in ALL CAPS header warning
- Obtain "irrevocable authorization" as condition of use
- Reference GDPR compliance and link to Privacy Notice
**Legal Effect:**
- Likely enforceable in most jurisdictions as contract of adhesion
- "Irrevocable" clause may not be enforceable in EU (GDPR grants right to withdraw consent)
- Authorization protects Foundry from computer access laws (CFAA in US)
### User Rights by Jurisdiction
**European Union / United Kingdom (GDPR):**
Users have the right to:
- **Access** - Request all personal data held (Article 15)
- **Rectification** - Correct inaccurate data (Article 16)
- **Erasure** - "Right to be forgotten" (Article 17)
- **Restriction** - Limit processing (Article 18)
- **Portability** - Receive data in machine-readable format (Article 20)
- **Object** - Opt out of processing (Article 21)
- **Withdraw consent** - At any time (Article 7.3)
**How to exercise:** Email privacy@foundry.com with subject line "GDPR Subject Access Request" (template in [[EULA-Analysis.md]])
**California (CCPA):**
Users have the right to:
- **Know** - What personal information is collected (<28>1798.100)
- **Delete** - Request deletion of personal information (<28>1798.105)
- **Opt-out** - Opt out of sale of personal information (<28>1798.120)
- **Non-discrimination** - Cannot be penalized for exercising rights (<28>1798.125)
**How to exercise:** Email privacy@foundry.com with subject line "CCPA Consumer Rights Request"
**Other Jurisdictions:**
- Varies significantly
- Most modern privacy laws grant some access/deletion rights
- Consult local privacy regulations
### Potential Legal Challenges
**1. Computer Fraud and Abuse Act (CFAA) - USA**
- Foundry's EULA authorization exempts them from CFAA liability
- **But:** Authorization must be knowing, voluntary, and informed
- **Question:** Is burying authorization in page 8 of EULA sufficient notice?
- **Precedent:** Courts increasingly require clear, conspicuous consent for computer access
**2. GDPR Validity - EU/UK**
- GDPR requires consent to be explicit, informed, freely given, and specific
- **Issues:**
- Not "freely given" if required to use software (no alternative)
- Not "specific" if bundled with entire EULA acceptance
- "Irrevocable" contradicts right to withdraw consent (Article 7.3)
- **Potential outcome:** Foundry's consent mechanism may not be GDPR-compliant
**3. Wiretap Laws - Various Jurisdictions**
- Some jurisdictions require two-party consent for data collection
- Network traffic interception may constitute "wiretap"
- EULA may not satisfy statutory notice requirements
**4. Unfair Contract Terms - Consumer Protection**
- "Irrevocable authorization" may be unconscionable
- Excessive data collection may be deemed unfair
- One-sided terms favor Foundry at consumer expense
---
## Mitigation Strategies
### Option 1: Block Telemetry (Recommended)
**Method:** Use [[block_nuke_telemetry.sh]]
```bash
./block_nuke_telemetry.sh
```
**What it does:**
- Backs up `/etc/hosts` with timestamp
- Redirects Foundry telemetry domains to 127.0.0.1:
- api.honeycomb.io
- learn.foundry.com
- sentry.foundry.com
- Tests blocks with ping commands
**Legal considerations:**
- EULA clause 3 prohibits "circumvent[ing] copy protection mechanisms"
- **But:** Telemetry ` license protection
- Blocking analytics is not piracy
- **Legally defensible** - you have right to control your network
**Potential impact:**
- Help menu documentation might not load (learn.foundry.com blocked)
- Crash reports won't be sent (may impact support)
- Update notifications may not appear
- License validation should still work (node-locked/local)
**Recommendation:** Block and test. If critical features break, unblock selectively.
### Option 2: Network Isolation
**Method:** Run Nuke on isolated network segment
**Techniques:**
1. **Firewall rules:**
```bash
sudo ufw deny out to 52.205.16.9 comment 'Block Honeycomb'
sudo ufw deny out to 52.50.232.31 comment 'Block Foundry docs'
```
2. **Separate VLAN:**
- Run Nuke on network with no internet access
- Use separate machine/VM for online work
3. **VPN/proxy:**
- Route Nuke traffic through VPN
- Use privacy-focused VPN with no-log policy
- Obscures IP address from Foundry (location tracking)
**Benefit:** Limits EULA clause 19.3 exposure to "IT systems" - isolates data collection to one machine
### Option 3: Ongoing Monitoring
**Method:** Use [[monitor_nuke_telemetry.sh]] or service version
**Real-time monitoring:**
```bash
./monitor_nuke_telemetry.sh
# Logs all Foundry connections with timestamps
# Press Ctrl+C to stop and view summary
```
**Background service:**
```bash
./monitor_nuke_telemetry_service.sh
# Installs systemd service
# Runs automatically on boot
# View logs: sudo journalctl -u nuke-telemetry-monitor -f
```
**Benefits:**
- Documents exact data transmission for legal purposes
- Detects changes in telemetry behavior (new domains, increased volume)
- Evidence for GDPR/CCPA complaints if needed
### Option 4: Legal Action
**Data Subject Access Request (GDPR/CCPA):**
- Request all data Foundry holds about you
- Forces disclosure of what's actually collected
- Template provided in [[EULA-Analysis.md]]
**Complaint to Supervisory Authority (EU/UK):**
- File complaint with national data protection authority
- Claim EULA consent mechanism is not GDPR-compliant
- Request investigation of Foundry's data practices
**Class Action (USA):**
- CCPA provides private right of action for data breaches
- Potential claims: deceptive practices, unfair business practices
- Consult attorney specializing in privacy law
### Option 5: Alternative Software
**Open Source Alternatives:**
1. **Natron** - Free, open-source node-based compositor
- Similar workflow to Nuke
- No telemetry
- Smaller plugin ecosystem
2. **Blender** - Compositor module
- Part of larger 3D suite
- Open source, no telemetry
- Different workflow paradigm
3. **DaVinci Resolve Fusion**
- Free version available
- Professional-grade compositor
- Closed-source but reputable company (Blackmagic Design)
**Consideration:** Switching costs (retraining, project compatibility) may be prohibitive for professional work
---
## Recommendations
### For Individual Users
**Immediate Actions:**
1.  **Read this report** to understand data collection scope
2.  **Decide your risk tolerance** - is telemetry acceptable?
3.  **Block telemetry** if privacy is priority: `./block_nuke_telemetry.sh`
4.  **Test that Nuke still works** after blocking
5.  **Monitor ongoing** with scripts if paranoid: `./monitor_nuke_telemetry.sh`
**Long-term Actions:**
6. =<3D> **File GDPR/CCPA request** to see what data Foundry actually has
7. =<3D> **Share findings** with VFX community (Reddit r/vfx, od|force forums)
8. =<3D> **Contact Foundry** requesting telemetry opt-out feature
9. =
**Audit other software** using same techniques
**If You're in the EU/UK:**
10. <<EFBFBD> **Consider filing GDPR complaint** with national supervisory authority
11. <20> **Consult privacy lawyer** if you believe rights were violated
### For Studios and Businesses
**Critical Considerations:**
1. =<3D> **EULA clause 19.3 authorizes access to "IT systems" (plural)**
- Does your network administrator have authority to consent to Foundry accessing entire studio network?
- Review with legal counsel
2. = **Client confidentiality concerns**
- Crash reports may contain project data, client names, proprietary techniques
- Telemetry may reveal which clients you're working with (usage patterns)
- Review NDAs and confidentiality agreements
3. =<3D> **IT security policy compliance**
- Most studios prohibit software from "phoning home" without security review
- Unencrypted HTTP violates security best practices
- Coordinate with IT security team
**Recommended Actions:**
1. **Network segmentation** - Isolate Nuke workstations from sensitive data
2. **Enterprise license negotiation** - Request telemetry opt-out in contract
3. **Firewall rules** - Block telemetry domains at perimeter
4. **Policy documentation** - Include in security incident response plan
5. **Employee training** - Inform artists about data collection
### For The Foundry
**Recommendations to improve user trust:**
1. **Add telemetry toggle** - Allow users to opt out in preferences
2. **Encrypt all traffic** - Replace HTTP with HTTPS for learn.foundry.com
3. **Transparent dashboard** - Let users see what data was collected
4. **Data minimization** - Only collect what's necessary for stated purposes
5. **Clear consent dialog** - Separate telemetry consent from EULA acceptance
6. **Respect GDPR rights** - Honor withdrawal of consent (remove "irrevocable" clause)
7. **Annual transparency report** - Publish statistics on data collection practices
8. **Third-party audit** - Independent security review of telemetry implementation
---
## Conclusion
This investigation validates initial suspicions that The Foundry's Nuke software collects and transmits user data without adequate consent or transparency. While the observed telemetry volume is modest and most traffic is encrypted, the EULA grants Foundry far broader data collection rights than what was observed in network captures.
**The core privacy issue is not the telemetry itself** (which is common in modern software) **but the lack of user control and transparency:**
- L No opt-out mechanism
- L "Irrevocable" authorization that cannot be withdrawn
- L Buried in page 8 of legal document
- L Unencrypted HTTP traffic for documentation checks
- L Data shared with undefined "enforcement bodies"
- L Overly broad permission to access "IT systems"
**For privacy-conscious users, blocking telemetry is recommended and legally defensible.** The provided scripts enable both blocking and ongoing monitoring.
**For the VFX community, this investigation serves as a case study** in software surveillance and the importance of reading EULAs. Similar data collection likely exists in other professional creative software (Adobe, Autodesk, etc.) and warrants investigation.
**For The Foundry, implementing basic privacy controls** (opt-out toggle, transparent reporting) would align with industry best practices and restore user trust without significantly impacting legitimate business needs (crash reporting, usage analytics).
The choice to use Nuke with telemetry, block it, or seek alternatives depends on individual risk tolerance and professional requirements. This report provides the information necessary to make an informed decision.
---
## Related Documentation
### Investigation Files
- [[nuke_foundry_analysis.md]] - Original 20-minute packet capture analysis
- [[FOUNDRY-EULA.md]] - Complete EULA text with telemetry clauses
- [[EULA-Analysis.md]] - Detailed privacy and legal analysis
- [[monitoring-gaps-analysis.md]] - What we're missing and why
- [[TROUBLESHOOTING.md]] - Script issues and fixes
- [[CLAUDE.md]] - Technical reference for future investigations
### Tools and Scripts
- [[block_nuke_telemetry.sh]] - Block telemetry at hosts file level
- [[monitor_nuke_telemetry.sh]] - Real-time telemetry monitoring with logging
- [[monitor_nuke_telemetry_service.sh]] - Install monitoring as systemd service
- [[run_gap_tests.sh]] - Automated test suite for methodology gaps
- [[debug_nuke_process.sh]] - Find Nuke's actual process name
- [[capture_startup_wide.sh]] - Wide-net startup capture
- [[inspect_local_data.sh]] - Local database inspection
### Conversation Log
- [[Claude_2025-10-25.md]] - Complete investigation conversation transcript
---
**Tags:** #note-type/project #project-type/technical #status/complete #priority/high #domain/technical
**Created:** 2025-10-25
**Last Updated:** 2025-10-25
**Author:** Investigation conducted with Claude Code
**License:** Documentation free to share with VFX community

420
INTERCEPTING-HTTPS.md Normal file
View File

@ -0,0 +1,420 @@
# Intercepting and Decrypting Your Own HTTPS Traffic
## Important Legal and Technical Notice
**What this document covers:**
- ✅ Inspecting YOUR OWN traffic from YOUR OWN software on YOUR OWN computer
- ✅ Legally and technically sound methods using SSL/TLS interception
- ✅ Educational purposes for privacy research
- ✅ Complementing the master investigation in [[Foudry-Nuke-Monitoring#Executive Summary]]
**What this does NOT do:**
- ❌ Brute-force decrypt HTTPS (not possible with modern encryption)
- ❌ Intercept other people's traffic (illegal)
- ❌ Break into Foundry's servers (illegal)
**Legal basis:** You have the right to inspect data YOUR software sends from YOUR computer.
---
## Why You Can't Brute Force HTTPS
**Technical reality:**
- Modern TLS uses 2048-4096 bit RSA or 256-bit ECC keys
- Brute-forcing would take **billions of years** with current hardware
- Even nation-states with supercomputers cannot brute-force TLS
- Quantum computers (not yet practical) would still take months/years
**The only way to decrypt HTTPS is:**
1. **Intercept during handshake** (before encryption) - This is what we'll do
2. **Compromise the server** (illegal and we're not doing this)
3. **Extract keys from memory** (requires root access to Nuke process - possible but advanced)
---
## Method 1: SSL/TLS Interception Proxy (Recommended)
For master timeline context see [[Foudry-Nuke-Monitoring#Phase-4-Gap-Analysis-and-Troubleshooting]].
### How It Works
```
Nuke → Your Proxy → Foundry Servers
Decrypted logs
```
Your proxy acts as a "man-in-the-middle" between Nuke and Foundry:
1. Nuke connects to proxy (encrypted)
2. Proxy decrypts, logs the data
3. Proxy re-encrypts and forwards to Foundry
4. You get plaintext logs of what Nuke sent
**This works because:**
- You control both endpoints (Nuke and the proxy)
- Nuke is configured to trust your proxy's certificate
- It's YOUR traffic on YOUR machine
### Tool: mitmproxy
See [[Foudry-Nuke-Monitoring#Monitoring-Infrastructure-Setup]] for complementary automation scripts.
**Install mitmproxy:**
```bash
sudo pacman -S mitmproxy
```
**Step 1: Start mitmproxy**
```bash
# Start in transparent mode
sudo mitmproxy --mode transparent --showhost -w nuke_traffic.mitm
```
Or use the web interface:
```bash
sudo mitmweb --mode transparent --showhost
# Opens browser at http://127.0.0.1:8081
```
**Step 2: Configure iptables to redirect traffic**
Create a script to redirect Foundry traffic through the proxy:
```bash
#!/bin/bash
# redirect_to_proxy.sh
# Redirect traffic to Honeycomb through mitmproxy
sudo iptables -t nat -A OUTPUT -p tcp -d 52.205.16.9 --dport 443 -j REDIRECT --to-port 8080
# Redirect traffic to learn.foundry.com
sudo iptables -t nat -A OUTPUT -p tcp -d 52.50.232.31 --dport 443 -j REDIRECT --to-port 8080
# Redirect any other foundry.com traffic
sudo iptables -t nat -A OUTPUT -p tcp -d foundry.com --dport 443 -j REDIRECT --to-port 8080
echo "Traffic redirected to mitmproxy on port 8080"
echo "To undo: sudo iptables -t nat -F"
```
**Step 3: Install mitmproxy certificate in Nuke**
Nuke needs to trust the mitmproxy certificate:
```bash
# Start mitmproxy to generate certificate
mitmproxy &
sleep 2
killall mitmproxy
# Certificate is at ~/.mitmproxy/mitmproxy-ca-cert.pem
# Copy to system trust store
sudo cp ~/.mitmproxy/mitmproxy-ca-cert.pem /etc/ca-certificates/trust-source/anchors/mitmproxy.crt
sudo trust extract-compat
```
**Step 4: Launch Nuke and capture traffic**
```bash
# Start mitmproxy with logging
mitmweb --mode transparent --showhost -w ~/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/nuke_decrypted_$(date +%Y-%m-%d_%H-%M-%S).mitm
# In another terminal: redirect traffic
./redirect_to_proxy.sh
# Launch Nuke and use normally
# When done, restore iptables
sudo iptables -t nat -F
```
**Step 5: View captured traffic**
```bash
# Replay captured session
mitmproxy -r nuke_decrypted_*.mitm
# Export to JSON for analysis
mitmdump -r nuke_decrypted_*.mitm -w nuke_traffic.json
# Or use the web interface to browse requests/responses
```
**What you'll see:**
- Full HTTP headers (User-Agent, API keys if any)
- Complete request/response bodies (JSON telemetry data)
- Timing information
- All the data Nuke sends to Honeycomb/Sentry
---
## Method 2: Extract TLS Keys from Nuke Process
Background on why this matters: [[Foudry-Nuke-Monitoring#Data-We-Cannot-See-Encrypted]].
### How It Works
When Nuke establishes TLS connections, the encryption keys exist briefly in memory. We can extract them and use them to decrypt packet captures.
**This is ADVANCED and may not work if Nuke uses certificate pinning.**
### Tool: sslkeylog
**Step 1: Install sslkeylog**
```bash
# Install from AUR
yay -S sslkeylog-git
# or build from source: https://github.com/adulau/sslkeylog
```
**Step 2: Use LD_PRELOAD to capture keys**
```bash
# Set environment variable to log keys
export SSLKEYLOGFILE=~/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/sslkeys.log
# Launch Nuke with LD_PRELOAD
LD_PRELOAD=/usr/lib/libsslkeylog.so /path/to/Nuke15.2v6/Nuke
# Or if Nuke is already running, inject into process (requires root):
sudo gdb -p $(pgrep -f Nuke) -batch -ex "call setenv(\"SSLKEYLOGFILE\", \"$SSLKEYLOGFILE\", 1)"
```
**Step 3: Capture traffic while Nuke runs**
```bash
sudo tcpdump -i any -w nuke_for_decrypt.pcap 'host honeycomb.io or host foundry.com'
```
**Step 4: Decrypt with Wireshark**
```bash
# Open in Wireshark
wireshark nuke_for_decrypt.pcap
# Configure to use key log:
# Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename
# Browse to ~/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/sslkeys.log
# Wireshark will now decrypt all TLS traffic!
```
**What you'll see:**
- Decrypted HTTP/2 or HTTP/1.1 requests
- Full JSON payloads sent to Honeycomb
- API calls to Sentry
- All telemetry data in plaintext
---
## Method 3: HTTP Library Hooking (Most Reliable)
See also [[Foudry-Nuke-Monitoring#Technical-Architecture]] for service overview.
### How It Works
Hook into the SSL/HTTP libraries Nuke uses to log traffic BEFORE encryption.
**This intercepts at the application layer, so it works even with certificate pinning.**
### Tool: frida (Dynamic instrumentation)
**Step 1: Install frida**
```bash
sudo pacman -S frida frida-tools
```
**Step 2: Create hooking script**
Create `hook_nuke_ssl.js`:
```javascript
// Hook OpenSSL SSL_write to log data BEFORE encryption
Interceptor.attach(Module.findExportByName(null, "SSL_write"), {
onEnter: function(args) {
var ssl = args[0];
var buf = args[1];
var len = args[2].toInt32();
// Read the buffer contents
var data = Memory.readByteArray(buf, len);
// Try to parse as UTF-8
try {
var str = Memory.readUtf8String(buf, len);
console.log("\n[SSL_write] Sending " + len + " bytes:");
console.log(str);
} catch(e) {
console.log("\n[SSL_write] Sending " + len + " bytes (binary data)");
console.log(hexdump(data, { ansi: true }));
}
// Log to file
var file = new File("/tmp/nuke_ssl_log.txt", "a");
file.write(str + "\n---\n");
file.close();
}
});
// Hook SSL_read to log received data AFTER decryption
Interceptor.attach(Module.findExportByName(null, "SSL_read"), {
onLeave: function(retval) {
if(retval.toInt32() > 0) {
var len = retval.toInt32();
var buf = this.context.rsi; // Second argument (buffer)
try {
var str = Memory.readUtf8String(ptr(buf), len);
console.log("\n[SSL_read] Received " + len + " bytes:");
console.log(str);
} catch(e) {
console.log("\n[SSL_read] Received " + len + " bytes (binary)");
}
}
}
});
console.log("[*] SSL hooks installed. Monitoring Nuke SSL traffic...");
```
**Step 3: Attach to Nuke process**
```bash
# Find Nuke PID
NUKE_PID=$(pgrep -f Nuke)
# Attach frida
frida -p $NUKE_PID -l hook_nuke_ssl.js -o nuke_decrypted_$(date +%Y-%m-%d_%H-%M-%S).log
```
**Step 4: Use Nuke normally**
All SSL/TLS traffic will be logged in plaintext to:
- Console output
- `/tmp/nuke_ssl_log.txt`
- `nuke_decrypted_*.log`
**What you'll see:**
- Exact JSON payloads sent to Honeycomb
- HTTP headers (User-Agent, Authorization, API keys)
- Sentry crash report contents
- ALL telemetry data before encryption
---
## Method 4: Patch Nuke Binary (ADVANCED - NOT RECOMMENDED)
**This involves modifying Nuke's executable to disable certificate pinning or add logging. This is complex, may violate EULA, and can break Nuke.**
**Only mention for completeness - NOT recommended.**
---
## Recommended Approach
Cross-reference: [[Foudry-Nuke-Monitoring#Recommendations]].
**I recommend Method 1 (mitmproxy) or Method 3 (frida) depending on your technical comfort:**
| Method | Difficulty | Reliability | Notes |
|--------|-----------|-------------|-------|
| mitmproxy | Medium | Good | May fail if Nuke uses certificate pinning |
| sslkeylog | Hard | Medium | Requires LD_PRELOAD or GDB injection |
| frida | Medium-Hard | Excellent | Works even with certificate pinning |
**Start with mitmproxy.** If Nuke rejects the certificate (connection errors), fall back to frida.
---
## What You'll Discover
Once you decrypt the traffic, you'll see the **exact contents** of the 17KB Honeycomb payload, including:
**Likely contents (based on EULA and typical telemetry):**
```json
{
"telemetry_version": "1.0",
"timestamp": "2025-10-25T12:34:56Z",
"session_id": "abc123...",
"user": {
"license_id": "...",
"license_type": "commercial",
"email_domain": "example.com",
"user_id": "hashed_id"
},
"system": {
"os": "Linux",
"os_version": "6.17.4-arch2-1",
"cpu": "AMD Ryzen ...",
"gpu": "NVIDIA RTX ...",
"ram_gb": 64,
"disk_space_gb": 2048,
"locale": "en_US",
"timezone": "America/Los_Angeles"
},
"location": {
"country": "US",
"region": "California",
"city": "Los Angeles",
"ip_hash": "hashed_ip"
},
"software": {
"nuke_version": "15.2v6",
"plugins": ["Cryptomatte", "OpticalFlares", ...],
"python_version": "3.9.2"
},
"usage": {
"session_start": "2025-10-25T12:00:00Z",
"session_duration_seconds": 7200,
"nodes_created": {
"Read": 45,
"Write": 12,
"Merge": 23,
"Grade": 15,
...
},
"tools_used": ["Viewer", "Curve Editor", "Node Graph"],
"render_count": 5,
"render_frames_total": 240,
"scripts_executed": 12
},
"performance": {
"average_fps": 24.5,
"peak_memory_mb": 8192,
"crash_count": 0,
"error_count": 3
},
"errors": [
{
"type": "FileNotFound",
"message": "Could not load /path/to/missing_file.exr",
"timestamp": "2025-10-25T13:45:12Z"
}
]
}
```
**This will definitively answer:**
- ✅ Is email domain transmitted? (Yes/No + exact field)
- ✅ Is geographic location sent? (Yes/No + granularity)
- ✅ What system info is collected? (Exact fields)
- ✅ What usage data is tracked? (Which features, how often)
- ✅ Are file paths included? (Privacy concern if yes)
For broader context on unanswered questions, see [[Foudry-Nuke-Monitoring#Gap-Analysis-and-Troubleshooting]].
---
## Automated Decryption Script
I'll create a wrapper script that tries mitmproxy first, falls back to frida if needed:
} need ensure anchor correct; actual section

314
README.md Normal file
View File

@ -0,0 +1,314 @@
# Block Nuke Telemetry
A comprehensive toolkit for monitoring, analyzing, and blocking network telemetry from The Foundry's Nuke compositor software on Linux.
## About
This project documents an investigation into network telemetry sent by Nuke (a professional VFX compositing application) and provides tools to monitor, analyze, and optionally block these connections. The investigation was conducted on Arch Linux using packet capture and network monitoring tools.
## Key Findings
**Confirmed Foundry Network Connections:**
| Endpoint | IP Address | Port | Protocol | Purpose |
|----------|------------|------|----------|---------|
| `learn.foundry.com` | 52.50.232.31 | 80 | HTTP | Documentation checks (unencrypted) |
| `api.honeycomb.io` | 52.205.16.9 | 443 | HTTPS | Analytics/telemetry platform |
| `sentry.foundry.com` | - | 443 | HTTPS | Crash reporting via crashpad_handler |
**Telemetry Volume:** ~32KB over 20 minutes of typical usage (136 packets) - minimal but present.
**Privacy Concerns:**
- Unencrypted HTTP traffic to `learn.foundry.com` exposes Nuke version and usage patterns to ISP/network observers
- No obvious opt-out mechanism in Nuke preferences
- EULA grants Foundry "irrevocable authorization" to collect usage data, system details, and geographic location
See [EULA-Analysis.md](EULA-Analysis.md) for detailed legal analysis and [nuke_foundry_analysis.md](nuke_foundry_analysis.md) for technical packet analysis.
## Quick Start
### Monitor Nuke Network Activity
```bash
# Automated monitoring with desktop notifications
bash scripts/monitor_nuke_network.sh --continuous
# Manual packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'
```
### Block Telemetry (Recommended Method)
The most effective approach uses firewall-level blocking:
```bash
# Apply firewall blocks (iptables or nftables)
sudo bash scripts/firewall_block_nuke.sh
# Verify blocks are active
sudo bash scripts/firewall_block_nuke.sh --status
# Monitor for any bypass attempts
bash scripts/monitor_nuke_network.sh --daemon
```
To unblock later:
```bash
sudo bash scripts/firewall_block_nuke.sh --uninstall
```
### Alternative Blocking Methods
See [Advanced-Blocking-Methods.md](Advanced-Blocking-Methods.md) for comprehensive documentation on all blocking methods:
**Tier 1: Essential (Recommended)**
- Firewall blocking (`scripts/firewall_block_nuke.sh`) - Most robust
- Network monitoring (`scripts/monitor_nuke_network.sh`) - Verification
**Tier 2: Maximum Isolation (Optional)**
- Network namespace isolation (`scripts/nuke_isolated.sh`) - Complete network isolation
- AppArmor MAC (`apparmor/nuke.profile`) - Kernel-enforced security policy
**Tier 3: Network-Wide (Optional)**
- Hosts file blocking (`scripts/block_nuke_telemetry.sh`) - Simple but bypassable
- DNS sinkhole (`scripts/dns_sinkhole_config.sh`) - Network-wide blocking
## Installation
No installation required - this is a collection of standalone scripts and documentation.
**Requirements:**
- Linux (tested on Arch Linux)
- `tcpdump` - Packet capture
- `iptables` or `nftables` - Firewall blocking
- `ss` / `netstat` - Connection monitoring
- `notify-send` - Desktop notifications (optional)
Install dependencies on Arch Linux:
```bash
sudo pacman -S tcpdump iptables nftables iproute2 libnotify
```
## Usage
### Network Monitoring
```bash
# Continuous monitoring with alerts
bash scripts/monitor_nuke_network.sh --continuous
# Run as background daemon
bash scripts/monitor_nuke_network.sh --daemon
# View alert log
bash scripts/monitor_nuke_network.sh --log
# Check current Nuke connections
sudo ss -tnp | grep -i nuke
```
### Packet Capture & Analysis
```bash
# Basic capture
sudo tcpdump -i any -w nuke_capture.pcap 'host sentry.foundry.com'
# Three-terminal method (detailed monitoring)
# Terminal 1: Process bandwidth monitoring
sudo nethogs | tee nethogs.log
# Terminal 2: Packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'
# Terminal 3: DNS monitoring
sudo tcpdump -i any -n port 53 | grep -i foundry
# Analyze capture
tcpdump -r nuke_capture.pcap
wireshark nuke_capture.pcap
```
### Blocking Telemetry
```bash
# Firewall blocking (recommended)
sudo bash scripts/firewall_block_nuke.sh
sudo bash scripts/firewall_block_nuke.sh --status
# Hosts file blocking (simple)
sudo bash scripts/block_nuke_telemetry.sh
# Network namespace isolation (maximum privacy)
sudo bash scripts/nuke_isolated.sh
# AppArmor enforcement (advanced)
sudo cp apparmor/nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
```
All scripts include built-in help:
```bash
bash scripts/firewall_block_nuke.sh --help
```
### Gap Testing
Run comprehensive tests to identify monitoring gaps:
```bash
# Test startup telemetry, crash reporting, and local data storage
bash scripts/run_gap_tests.sh
# Check local Nuke databases
bash scripts/inspect_local_data.sh
```
## Repository Structure
```
.
├── README.md # This file
├── CLAUDE.md # Project instructions for Claude Code
├── UNLICENSE # Public domain dedication
├── Advanced-Blocking-Methods.md # Comprehensive blocking guide
├── EULA-Analysis.md # Legal analysis of Foundry's EULA
├── FOUNDRY-EULA.md # Full EULA text
├── Foudry-Nuke-Monitoring.md # Master conclusory document
├── nuke_foundry_analysis.md # Detailed packet analysis
├── INTERCEPTING-HTTPS.md # HTTPS interception guide
├── TROUBLESHOOTING.md # Common issues and solutions
├── Application_Behavior_Analysis.md # Application behavior documentation
├── monitoring-gaps-analysis.md # Analysis of monitoring coverage gaps
├── scripts/ # Monitoring and blocking tools
│ ├── firewall_block_nuke.sh # Firewall-level blocking (iptables/nftables)
│ ├── monitor_nuke_network.sh # Automated network monitoring
│ ├── nuke_isolated.sh # Network namespace isolation launcher
│ ├── dns_sinkhole_config.sh # DNS blocking config generator
│ ├── block_nuke_telemetry.sh # Simple hosts file blocking
│ ├── capture_startup_wide.sh # Startup telemetry capture
│ ├── decrypt_nuke_traffic.sh # HTTPS traffic decryption (MITM)
│ ├── debug_nuke_process.sh # Process debugging utilities
│ ├── inspect_local_data.sh # Local database inspection
│ ├── monitor_nuke_telemetry.sh # Basic telemetry monitoring
│ ├── monitor_nuke_telemetry_service.sh # Systemd service monitoring
│ └── run_gap_tests.sh # Comprehensive gap testing
├── apparmor/ # Mandatory access control
│ └── nuke.profile # AppArmor security profile
└── dump/ # Capture artifacts (sanitized examples)
├── README.md # Dump directory documentation
├── example_capture.pcap.txt # Example capture placeholder
├── 02/ # Investigation phase 2
│ └── logs.md
└── gap-tests/ # Gap testing results
├── databases_found.txt # Sanitized database listing
├── sensitive_patterns.txt
├── sqlite_schema.txt
└── sqlite_tables.txt
```
## Documentation
### Core Documentation
- **[Advanced-Blocking-Methods.md](Advanced-Blocking-Methods.md)** - Master guide for all blocking methods
- **[Foudry-Nuke-Monitoring.md](Foudry-Nuke-Monitoring.md)** - Master conclusory document (investigation hub)
- **[nuke_foundry_analysis.md](nuke_foundry_analysis.md)** - Detailed 20-minute packet capture analysis
- **[EULA-Analysis.md](EULA-Analysis.md)** - Legal analysis of data collection clauses
### Technical Guides
- **[INTERCEPTING-HTTPS.md](INTERCEPTING-HTTPS.md)** - HTTPS/TLS interception using mitmproxy
- **[TROUBLESHOOTING.md](TROUBLESHOOTING.md)** - Common issues and solutions
- **[Application_Behavior_Analysis.md](Application_Behavior_Analysis.md)** - Application behavior patterns
- **[monitoring-gaps-analysis.md](monitoring-gaps-analysis.md)** - Monitoring coverage gaps
## Privacy Assessment
**What Foundry Collects (per EULA Clause 19.2):**
- License details and activation information
- Computer and network equipment details
- Operating system and system registry files
- Email domain of equipment owners
- Geographic location of computers
- Usage profiling ("profile and extent of use")
**Data Usage:**
- Usage modeling across customer base
- Targeted customer support
- License enforcement and usage limit verification
- Anti-piracy / identifying unlicensed use / contacting enforcement bodies
- Service notifications (updates, maintenance expiry)
**No Opt-Out:** The EULA states authorization is "irrevocable" - accepting the EULA means accepting all telemetry.
## Investigation Methodology
This investigation used the following approach:
1. **Initial discovery** - Used `nethogs`, `iftop`, `nload` to identify suspicious bandwidth
2. **Packet capture** - Collected raw traffic with `tcpdump` during Nuke usage
3. **Process correlation** - Matched network connections to specific Nuke PIDs with `ss`/`netstat`
4. **DNS analysis** - Monitored DNS lookups to identify Foundry domains
5. **Traffic filtering** - Excluded local network and known services to isolate Foundry traffic
6. **Capture analysis** - Identified unencrypted HTTP and encrypted HTTPS connections
7. **Mitigation development** - Created layered blocking tools (hosts, firewall, namespace, AppArmor)
8. **Gap testing** - Validated monitoring coverage and identified edge cases
## Technical Environment
- **OS:** Arch Linux (kernel 6.17.4-arch2-1)
- **Nuke Version:** 15.2v6 (identified from HTTP User-Agent headers)
- **Network Interface:** enp12s0f0
- **Monitoring Tools:** tcpdump, nethogs, ss, wireshark
## Contributing
This project is released to the public domain. Contributions, improvements, and extensions are welcome.
**Ideas for contributions:**
- Testing on other Linux distributions (Ubuntu, CentOS, etc.)
- Testing on macOS (likely requires different firewall commands)
- Windows monitoring and blocking tools (requires completely different approach)
- Analysis of other Foundry products (Mari, Katana, Modo)
- Integration with network security tools (Snort, Suricata, etc.)
- Automated testing frameworks for validating blocks
Please feel free to fork, modify, and share your findings with the VFX community.
## Community & Support
This project was created for the VFX/compositing community to promote transparency in software telemetry practices.
**Sharing your findings:**
- Share on VFX forums (CGSociety, VFXTalk, etc.)
- Discuss on Reddit (r/vfx, r/linux, r/privacy)
- Report findings to The Foundry's support/feedback channels
**No official support:** This is a community research project, not official software. Use at your own risk.
## Legal Notice
This project is for **educational and research purposes only**. It documents network behavior of commercial software and provides tools for users to control their own network traffic.
- Blocking telemetry may violate your EULA agreement with The Foundry
- This toolkit is provided as-is with no warranties
- Users are responsible for compliance with applicable licenses and laws
- The author(s) make no claims about the effectiveness or legality of these tools
**Not affiliated with The Foundry.** All trademarks are property of their respective owners.
## License
This is free and unencumbered software released into the public domain.
See [UNLICENSE](UNLICENSE) for details.
---
**Last Updated:** 2025-11-26
**Tested With:** Nuke 15.2v6 on Arch Linux
**Repository:** https://gitea.example.com/yourname/block-nuke-telemetry (update with your Gitea URL)

369
TROUBLESHOOTING.md Normal file
View File

@ -0,0 +1,369 @@
# Nuke Telemetry Monitoring - Troubleshooting Guide
**Tags:** #note-type/research #domain/technical #status/in-progress #priority/medium
## Issues Encountered
### Issue 1: Test 2 Can't Detect Running Nuke Process
**Symptom:** Script says "Nuke is not running" when it actually is.
**Cause:** The `pgrep -f Nuke` command isn't matching Nuke's actual process name.
### Issue 2: Test 3 Found No Startup Telemetry
**Symptom:** Packet capture during Nuke startup shows no Foundry connections.
**Possible causes:**
- Telemetry only happens on FIRST launch (cached credentials)
- Telemetry is delayed beyond capture window
- Telemetry happens during session, not at startup
- Using node-locked license (minimal phone-home)
---
## Troubleshooting Steps
### Step 1: Find Nuke's Actual Process Name
**Run this script with Nuke OPEN:**
```bash
./debug_nuke_process.sh
```
**What to look for:**
Look through the output and identify which line shows Nuke. The process name might be:
- `Nuke15.2` (version in name)
- `nuke` (lowercase)
- `/home/nicholai/Nuke15.2v6/Nuke` (full path)
- Something completely different
**Example output to look for:**
```
2. Searching all processes for 'nuke' (case-insensitive):
nicholai 867114 ... /home/nicholai/Nuke15.2v6/Nuke15.2
```
In this example, the process name would be `Nuke15.2` or the full path `/home/nicholai/Nuke15.2v6/Nuke15.2`.
**Once you find it, note the:**
- Process name (e.g., `Nuke15.2`)
- PID (e.g., `867114`)
---
### Step 2: Wide-Net Startup Capture
This captures **ALL external network traffic**, not just Foundry domains, so we can see everything Nuke connects to.
**Close Nuke completely, then run:**
```bash
./capture_startup_wide.sh
```
**Follow the prompts:**
1. Script will start packet capture
2. When prompted, launch Nuke
3. Wait for Nuke to fully load
4. Press Enter to stop capture
5. Review the analysis
**What the script shows:**
- All unique destination IPs
- All DNS lookups during startup
- Any Foundry/Honeycomb/Sentry connections
- TLS server names (HTTPS destinations)
**Interpreting results:**
**If NO Foundry traffic found:**
This is normal! It likely means:
- Telemetry already happened on first-ever launch
- Subsequent launches are silent until periodic check-in
- Explains why your 20-min capture found data (periodic heartbeat) but startup didn't
**If Foundry traffic found:**
You'll see which Foundry domains Nuke contacts at startup.
---
### Step 3: Full Session Cycle Capture
Since startup might be silent, capture an entire Nuke session from launch to close.
**Close Nuke, then run these commands:**
```bash
# Create output directory
OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/full-cycle"
mkdir -p "$OUTPUT_DIR"
# Start capture (captures all external traffic)
sudo tcpdump -i any -w "$OUTPUT_DIR/full-cycle.pcap" 'not net 10.0.0.0/8 and not net 127.0.0.0/8' &
# Note the PID
TCPDUMP_PID=$!
echo "Capture running with PID: $TCPDUMP_PID"
```
**Now perform this sequence:**
1. Launch Nuke (from closed state)
2. Use Nuke normally for 5-10 minutes (open files, use tools, etc.)
3. Close Nuke completely
4. Wait 2 minutes (captures any shutdown telemetry)
5. Stop the capture:
```bash
# Stop capture
sudo kill $TCPDUMP_PID
```
**Analyze the capture:**
```bash
# If you have tshark installed:
cd "$OUTPUT_DIR"
# Show when Foundry connections happened
tshark -r full-cycle.pcap -Y "dns.qry.name contains \"foundry\" or dns.qry.name contains \"honeycomb\" or dns.qry.name contains \"sentry\"" -T fields -e frame.time -e dns.qry.name
# Show all DNS lookups with timestamps
tshark -r full-cycle.pcap -Y "dns.flags.response == 1" -T fields -e frame.time -e dns.qry.name | sort
# Count packets to Honeycomb
tshark -r full-cycle.pcap -Y "ip.dst == 52.205.16.9" | wc -l
# Count packets to learn.foundry.com
tshark -r full-cycle.pcap -Y "ip.dst == 52.50.232.31" | wc -l
```
**This tells you:**
- **When** telemetry happens (startup, during use, or shutdown)
- **How much** data is sent at each stage
- **Which services** are contacted at which times
---
### Step 4: Fix the run_gap_tests.sh Script
Once you know Nuke's actual process name from Step 1, we can fix the script.
**Example:** If the process name is `Nuke15.2`, change line in `run_gap_tests.sh`:
**From:**
```bash
NUKE_PID=$(pgrep -f Nuke)
```
**To:**
```bash
NUKE_PID=$(pgrep -f Nuke15.2)
```
Or use the full path if that's what worked:
```bash
NUKE_PID=$(pgrep -f "/home/nicholai/Nuke15.2v6/Nuke")
```
---
## Alternative: Manual strace (If Script Still Fails)
If the scripts keep failing, run strace manually:
**With Nuke running:**
```bash
# Find Nuke's PID manually
ps aux | grep -i nuke | grep -v grep
# Use the PID in strace (replace 867114 with your actual PID)
sudo strace -e trace=open,openat,read -p 867114 -o nuke_strace.log 2>&1 &
STRACE_PID=$!
# Let it run for 60 seconds while you use Nuke
sleep 60
# Stop strace
sudo kill $STRACE_PID
# Filter for system file access (use /bin/grep to avoid ripgrep alias)
/bin/grep -E '/proc|/sys|/etc' nuke_strace.log > nuke_system_access.log
# View results
less nuke_system_access.log
```
**This shows what system files/directories Nuke is reading** (the "registry" equivalent on Linux).
---
## Understanding the Results
### If Startup Capture Shows No Traffic
**This is NORMAL and EXPECTED** for subsequent launches. Here's why:
1. **First launch ever:** Nuke sends:
- License activation
- System information
- User identification
- Initial telemetry
2. **Subsequent launches:** Silent!
- Credentials cached locally
- No immediate phone-home needed
- Telemetry batched for periodic transmission
3. **During session:** Periodic heartbeats
- Your original 20-minute capture found 32KB
- This was likely a periodic check-in, not startup telemetry
4. **Shutdown:** May send session summary
- Duration, tools used, errors
- Depends on implementation
### What This Means
**Your original investigation was correct:**
- Nuke DOES send telemetry (confirmed by EULA and 20-min capture)
- But it's not constant/aggressive
- Startup is silent (after first activation)
- Periodic check-ins happen during use
**The 17KB to Honeycomb likely contains:**
- Usage statistics (batched from recent sessions)
- Performance metrics
- Error reports (if any)
- License validation
- System information (encrypted)
---
## Next Steps Based on Results
### If You Want to Block Telemetry
```bash
./block_nuke_telemetry.sh
```
This blocks at the hosts file level:
- api.honeycomb.io → 127.0.0.1
- learn.foundry.com → 127.0.0.1
- sentry.foundry.com → 127.0.0.1
**Test if Nuke still works after blocking.**
### If You Want Ongoing Monitoring
**Option 1: Manual monitoring session**
```bash
./monitor_nuke_telemetry.sh
# Leave running during typical Nuke usage
# Press Ctrl+C when done
# Review logs in telemetry-logs/
```
**Option 2: Install as background service**
```bash
./monitor_nuke_telemetry_service.sh
# Runs automatically in background
# View logs: sudo journalctl -u nuke-telemetry-monitor -f
```
### If You Want to Request Your Data
**Under GDPR (EU/UK) or CCPA (California):**
Email: privacy@foundry.com
```
Subject: Data Subject Access Request - GDPR Article 15
Dear Foundry Privacy Team,
Under GDPR Article 15 (or CCPA Section 1798.100), I request:
1. All personal data you hold about me collected via Nuke telemetry
2. Categories of data collected (system info, location, usage, etc.)
3. Third parties with whom my data has been shared (Honeycomb, Sentry, resellers, etc.)
4. Purpose and legal basis for processing
5. Retention period for telemetry data
License email: [your email]
Approximate first use date: [date]
Please provide this information within 30 days as required by GDPR.
Regards,
[Your name]
```
---
## Summary of Scripts
| Script | Purpose | When to Use |
|--------|---------|-------------|
| `debug_nuke_process.sh` | Find Nuke's actual process name | When scripts can't detect Nuke running |
| `capture_startup_wide.sh` | Capture all traffic during startup | To see if startup is truly silent |
| `run_gap_tests.sh` | Automated testing suite | After fixing process detection |
| `inspect_local_data.sh` | Check local Nuke databases | To see what's cached locally |
| `monitor_nuke_telemetry.sh` | Real-time monitoring session | For ongoing observation |
| `block_nuke_telemetry.sh` | Block telemetry at hosts file | To stop all telemetry |
---
## Expected Findings
Based on investigation so far:
**✓ Confirmed:**
- Nuke sends telemetry (EULA clauses 19.2-19.3)
- api.honeycomb.io receives encrypted data (~17KB/session)
- learn.foundry.com receives unencrypted HTTP requests
- sentry.foundry.com used for crash reporting
- Periodic check-ins during use (~32KB over 20 minutes)
**✓ Likely (but can't prove without decryption):**
- Email domain transmitted
- Geographic location (from IP or explicit data)
- System/hardware information
- Usage profiling (which tools, how long)
- All data permitted by EULA is probably in encrypted payload
**✓ Observed behavior:**
- Startup is silent (after initial activation)
- Telemetry happens during session use
- Modest data volume (not excessive)
- Not constant transmission
**? Unknown:**
- Exact contents of encrypted Honeycomb payload
- Shutdown telemetry (not yet captured)
- Crash report contents (no crashes triggered)
- Full periodic check-in schedule
---
## Questions?
If you hit issues:
1. Check that scripts are executable: `ls -l *.sh`
2. Run scripts with `bash -x script.sh` to see debug output
3. Check that you have required tools: `which tcpdump tshark sqlite3`
4. Make sure sudo/root access is available for packet capture
## Files in This Project
- `CLAUDE.md` - Main project documentation
- `FOUNDRY-EULA.md` - Full EULA text with telemetry clauses
- `EULA-Analysis.md` - Detailed privacy analysis of EULA
- `nuke_foundry_analysis.md` - Original 20-minute capture analysis
- `monitoring-gaps-analysis.md` - What we're missing and why
- `TROUBLESHOOTING.md` - This file
- `block_nuke_telemetry.sh` - Block telemetry script
- `monitor_nuke_telemetry.sh` - Real-time monitoring
- `run_gap_tests.sh` - Automated test suite
- `debug_nuke_process.sh` - Process detection debugging
- `capture_startup_wide.sh` - Wide-net startup capture
- `inspect_local_data.sh` - Local database inspection

24
UNLICENSE Normal file
View File

@ -0,0 +1,24 @@
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.
In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
For more information, please refer to <https://unlicense.org>

244
apparmor/nuke.profile Normal file
View File

@ -0,0 +1,244 @@
# AppArmor profile for The Foundry Nuke 15.2v6
# Blocks external network access while allowing localhost frameserver communication
#
# Installation:
# sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
# sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
# sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Testing (complain mode - logs violations without blocking):
# sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Check status:
# sudo aa-status | grep Nuke
#
# View denials:
# sudo journalctl -xe | grep apparmor | grep Nuke
#
# Disable:
# sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#
#include <tunables/global>
/home/nicholai/Nuke15.2v6/Nuke15.2 flags=(complain) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/mesa>
#include <abstractions/dri-common>
#include <abstractions/opengl>
# Nuke installation directory
/home/nicholai/Nuke15.2v6/** r,
/home/nicholai/Nuke15.2v6/Nuke15.2 rix,
/home/nicholai/Nuke15.2v6/Nuke rix,
/home/nicholai/Nuke15.2v6/crashpad_handler rix,
# User Nuke directories
owner @{HOME}/.nuke/** rw,
owner @{HOME}/Documents/nuke/** rw,
owner @{HOME}/.config/Nuke/** rw,
owner @{HOME}/.local/share/Nuke/** rw,
# Temporary files
owner /tmp/** rw,
owner /var/tmp/** rw,
/tmp/** rw,
/var/tmp/** rw,
# Shared memory for frameserver
owner /dev/shm/** rw,
/dev/shm/** rw,
# Process communication (frameserver)
unix (send, receive) type=stream,
unix (send, receive) type=dgram,
# Allow reading project files and footage
# Add specific paths as needed for your workflow
owner @{HOME}/** r,
/media/** r,
/mnt/** r,
# System libraries and dependencies
/usr/lib/** rm,
/usr/share/** r,
/etc/** r,
/proc/** r,
/sys/** r,
/dev/null rw,
/dev/zero r,
/dev/urandom r,
/dev/dri/** rw,
# GPU access (required for rendering)
/dev/nvidia* rw,
/dev/dri/card* rw,
/dev/dri/renderD* rw,
# Allow creating child processes (frameserver, etc.)
/home/nicholai/Nuke15.2v6/Nuke15.2 px,
/home/nicholai/Nuke15.2v6/Nuke px,
# Network rules - CRITICAL SECTION FOR BLOCKING TELEMETRY
# Allow TCP and UDP (needed for frameserver)
network inet stream,
network inet6 stream,
network unix stream,
network unix dgram,
# BLOCK: Deny all external connections (only allow localhost)
deny network inet to !127.0.0.0/8,
deny network inet6 to !::1,
# BLOCK: Explicitly deny known telemetry endpoints
deny network inet to 52.50.232.31, # learn.foundry.com
deny network inet to 52.205.16.9, # api.honeycomb.io
# Signal permissions (needed for process management)
signal (send) set=(term, kill),
signal (receive) set=(term, kill, hup),
# Capabilities
capability sys_nice,
capability ipc_lock,
}
# Alternative profile name (if using /Nuke instead of /Nuke15.2)
/home/nicholai/Nuke15.2v6/Nuke flags=(complain) {
#include <tunables/global>
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/mesa>
#include <abstractions/opengl>
# Same rules as above
/home/nicholai/Nuke15.2v6/** r,
/home/nicholai/Nuke15.2v6/Nuke rix,
/home/nicholai/Nuke15.2v6/Nuke15.2 rix,
/home/nicholai/Nuke15.2v6/crashpad_handler rix,
owner @{HOME}/.nuke/** rw,
owner @{HOME}/Documents/nuke/** rw,
owner @{HOME}/.config/Nuke/** rw,
owner @{HOME}/.local/share/Nuke/** rw,
owner /tmp/** rw,
owner /var/tmp/** rw,
owner /dev/shm/** rw,
unix (send, receive) type=stream,
unix (send, receive) type=dgram,
owner @{HOME}/** r,
/media/** r,
/mnt/** r,
/usr/lib/** rm,
/usr/share/** r,
/etc/** r,
/proc/** r,
/sys/** r,
/dev/null rw,
/dev/zero r,
/dev/urandom r,
/dev/dri/** rw,
/dev/nvidia* rw,
# Network blocking
network inet stream,
network inet6 stream,
network unix stream,
network unix dgram,
deny network inet to !127.0.0.0/8,
deny network inet6 to !::1,
deny network inet to 52.50.232.31,
deny network inet to 52.205.16.9,
signal (send) set=(term, kill),
signal (receive) set=(term, kill, hup),
capability sys_nice,
capability ipc_lock,
}
# Profile for crashpad_handler (crash reporting subprocess)
# This should be blocked from network entirely
/home/nicholai/Nuke15.2v6/crashpad_handler {
#include <abstractions/base>
/home/nicholai/Nuke15.2v6/crashpad_handler rix,
# Allow writing crash dumps locally
owner @{HOME}/.nuke/** rw,
owner @{HOME}/Documents/nuke/** rw,
owner /tmp/** rw,
/proc/** r,
/sys/** r,
# BLOCK ALL NETWORK (no crash reporting to sentry.foundry.com)
deny network inet,
deny network inet6,
}
# Installation Instructions:
#
# 1. Install AppArmor (if not already installed):
# Arch: sudo pacman -S apparmor
# Ubuntu: sudo apt install apparmor apparmor-utils
#
# 2. Enable AppArmor:
# sudo systemctl enable --now apparmor.service
#
# 3. Copy this profile:
# sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#
# 4. Load the profile in COMPLAIN mode first (for testing):
# sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
# sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 5. Run Nuke and test functionality:
# - Check rendering works
# - Verify frameserver works
# - Test file loading/saving
#
# 6. Check for violations:
# sudo journalctl -xe | grep apparmor | grep Nuke
# sudo aa-logprof # Interactive tool to adjust profile
#
# 7. If everything works, switch to ENFORCE mode:
# sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 8. Verify enforcement:
# sudo aa-status | grep Nuke
#
# Troubleshooting:
#
# - If Nuke won't start:
# Check violations: sudo journalctl -xe | grep apparmor | grep Nuke
# Switch to complain mode: sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# - If rendering fails:
# May need to add specific file paths for footage/projects
# Update profile with your project directories
#
# - To disable temporarily:
# sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#
# - To re-enable:
# sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Notes:
#
# - This profile starts in complain mode (flags=(complain)) for safety
# - Network blocking rules allow localhost (127.0.0.0/8) for frameserver
# - All external IPs are denied, including known Foundry endpoints
# - Crashpad handler is completely blocked from network access
# - Profile may need adjustment for specific workflows (NFS, render farms, etc.)

22
dump/02/logs.md Normal file
View File

@ -0,0 +1,22 @@
1. Startup Capture:
```
┌─obsidian-vault/2-projects/Nuke-monitoring/dump/02
└─➜ tshark -r startup.pcap -q -z io,stat,0
tshark: The file "startup.pcap" doesn't exist.
```
2. Local database check:
```
┌─~
└─➜ find ~/Documents/nuke ~/.nuke -name "*.db" -ls
6199816 1240 -rw-r--r-- 1 nicholai nicholai 1269760 Oct 23 18:46 /home/nicholai/.nuke/.sync_8178bafde38a.db
```
3. System file access trace:
```
┌─obsidian-vault/2-projects/Nuke-monitoring/dump/02
└─➜ sudo strace -e trace=open,openat -p $(pgrep -f Nuke) 2>&1 | grep -E '/proc|/sys|/etc|registry' | tee nuke_system_access.log
rg: error parsing flag -E: grep config error: unknown encoding: /proc|/sys|/etc|registry
┌─obsidian-vault/2-projects/Nuke-monitoring/dump/02
└─➜ sudo strace -e trace=open,openat -p $(pgrep -f Nuke) 2>&1 | grep '/proc|/sys|/etc|registry' | tee nuke_system_access.log ┌─obsidian-vault/2-projects/Nuke-monitoring/dump/02
└─➜
```

65
dump/README.md Normal file
View File

@ -0,0 +1,65 @@
# Dump Directory
This directory contains captured network traffic, logs, and analysis artifacts from Nuke telemetry monitoring.
## Purpose
The dump/ directory is used to store:
- **Packet captures** (`.pcap` files) from tcpdump monitoring
- **Network logs** from nethogs, ss, and other monitoring tools
- **Test results** from gap-tests and validation scripts
- **Analysis artifacts** generated during investigation
## Privacy Notice
⚠️ **The files in this repository are sanitized examples only.**
Actual packet captures and logs contain sensitive information:
- Local IP addresses and network topology
- Process IDs and system usernames
- Timing information that could fingerprint your usage patterns
- Potentially encrypted but metadata-rich telemetry data
**Never commit real packet captures or logs to public repositories.**
## Directory Structure
```
dump/
├── README.md # This file
├── 02/ # Investigation phase 2 artifacts
│ └── logs.md # Log documentation
├── gap-tests/ # Gap testing results
│ ├── databases_found.txt # Sanitized database listing
│ ├── sensitive_patterns.txt # Search patterns used
│ ├── sqlite_schema.txt # Database schema dumps
│ └── sqlite_tables.txt # Table structure listings
└── example_capture.pcap.txt # Example capture file (text placeholder)
```
## Generating Your Own Dumps
To capture your own telemetry data, use the monitoring scripts:
```bash
# Basic packet capture
sudo tcpdump -i any -w dump/nuke_capture.pcap 'host sentry.foundry.com or host learn.foundry.com'
# Process monitoring
sudo nethogs | tee dump/nethogs_output.log
# Automated monitoring
bash scripts/monitor_nuke_network.sh --continuous
```
See the main README.md and monitoring scripts for detailed capture instructions.
## Analysis
The artifacts in this directory were used to identify:
1. Unencrypted HTTP traffic to `learn.foundry.com`
2. Encrypted HTTPS telemetry to `api.honeycomb.io`
3. Crash reporting to `sentry.foundry.com`
4. Local Nuke SQLite databases containing sync metadata
See `nuke_foundry_analysis.md` in the root directory for detailed findings.

37
dump/example_capture.pcap.txt Normal file
View File

@ -0,0 +1,37 @@
# Example Packet Capture Placeholder
This is a text placeholder representing where actual `.pcap` files would be stored.
## Real Capture Command
```bash
sudo tcpdump -i any -w dump/nuke_foundry_capture.pcap \
'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'
```
## Expected Contents
A real packet capture would contain:
- Ethernet/IP/TCP headers
- DNS queries for Foundry domains
- HTTP requests to learn.foundry.com (unencrypted)
- HTTPS handshakes and encrypted payloads to api.honeycomb.io and sentry.foundry.com
- Timing and packet size information
## Analysis Tools
```bash
# View packet summary
tcpdump -r dump/nuke_foundry_capture.pcap
# Extract HTTP requests
tcpdump -r dump/nuke_foundry_capture.pcap -A 'tcp port 80'
# Wireshark analysis
wireshark dump/nuke_foundry_capture.pcap
```
## Privacy Note
Actual `.pcap` files are NOT included in this repository for privacy reasons.
They are automatically ignored by `.gitignore`.

13
dump/gap-tests/databases_found.txt Normal file
View File

@ -0,0 +1,13 @@
# SQLite databases found during Nuke telemetry investigation
# Personal paths have been sanitized - replace $HOME with your actual home directory
# Nuke-related databases
$HOME/.nuke/.sync_8178bafde38a.db
# Example system databases found (truncated for privacy)
$HOME/.cache/spotify/first_party_sets.db
$HOME/.cache/application/Default/heavy_ad_intervention_opt_out.db
# Note: Full scan found 85+ databases across various applications
# Only Nuke-related entries are shown here for privacy
# Run the gap-tests scripts to generate a complete list for your system

12
dump/gap-tests/sensitive_patterns.txt Normal file
View File

@ -0,0 +1,12 @@
.git/hooks/sendemail-validate.sample
.git/hooks/sendemail-validate.sample
comfyui2nuke/.git/modules/nuke_util/hooks/sendemail-validate.sample
comfyui2nuke/.git/hooks/sendemail-validate.sample
comfyui2nuke/.git/modules/nuke_util/hooks/sendemail-validate.sample
comfyui2nuke/.git/hooks/sendemail-validate.sampleu
comfyui2nuke/.git/modules/python_util/hooks/sendemail-validate.sample
comfyui2nuke/.git/modules/python_util/hooks/sendemail-validate.sample
HEcomfyui2nuke/.git/modules/python_util/hooks/sendemail-validate.sample@
?$.git/hooks/sendemail-validate.sampleA
1comfyui2nuke/.git/hooks/sendemail-validate.sample@
Ccomfyui2nuke/.git/modules/nuke_util/hooks/sendemail-validate.sample@

22
dump/gap-tests/sqlite_schema.txt Normal file
View File

@ -0,0 +1,22 @@
CREATE TABLE metadata(phash INTEGER(8),pathlen INTEGER,path VARCHAR(4096),inode INTEGER,uid INTEGER,gid INTEGER,mode INTEGER,modtime INTEGER(8),type INTEGER,md5 VARCHAR(32), fileid VARCHAR(128), remotePerm VARCHAR(128), filesize BIGINT, ignoredChildrenRemote INT, contentChecksum TEXT, contentChecksumTypeId INTEGER, e2eMangledName TEXT, isE2eEncrypted INTEGER, e2eCertificateFingerprint TEXT, isShared INTEGER, lastShareStateFetchedTimestmap INTEGER, sharedByMe INTEGER, lock INTEGER, lockType INTEGER, lockOwnerDisplayName TEXT, lockOwnerId TEXT, lockOwnerEditor TEXT, lockTime INTEGER, lockTimeout INTEGER, lockToken TEXT, isLivePhoto INTEGER, livePhotoFile TEXT, quotaBytesUsed BIGINT DEFAULT -1 NOT NULL, quotaBytesAvailable BIGINT DEFAULT -1 NOT NULL,PRIMARY KEY(phash));
CREATE TABLE key_value_store(key VARCHAR(4096), value VARCHAR(4096), PRIMARY KEY(key));
CREATE TABLE downloadinfo(path VARCHAR(4096),tmpfile VARCHAR(4096),etag VARCHAR(32),errorcount INTEGER,PRIMARY KEY(path));
CREATE TABLE uploadinfo(path VARCHAR(4096),chunk INTEGER,transferid INTEGER,errorcount INTEGER,size INTEGER(8),modtime INTEGER(8),contentChecksum TEXT,PRIMARY KEY(path));
CREATE TABLE blacklist (path VARCHAR(4096),lastTryEtag VARCHAR[32],lastTryModtime INTEGER[8],retrycount INTEGER,errorstring VARCHAR[4096], lastTryTime INTEGER(8), ignoreDuration INTEGER(8), renameTarget VARCHAR(4096), errorCategory INTEGER(8), requestId VARCHAR(36),PRIMARY KEY(path));
CREATE TABLE async_poll(path VARCHAR(4096),modtime INTEGER(8),filesize BIGINT,pollpath VARCHAR(4096));
CREATE TABLE selectivesync (path VARCHAR(4096),type INTEGER);
CREATE TABLE checksumtype(id INTEGER PRIMARY KEY,name TEXT UNIQUE);
CREATE TABLE datafingerprint(fingerprint TEXT UNIQUE);
CREATE TABLE flags (path TEXT PRIMARY KEY,pinState INTEGER);
CREATE TABLE conflicts(path TEXT PRIMARY KEY,baseFileId TEXT,baseEtag TEXT,baseModtime INTEGER, basePath TEXT);
CREATE TABLE caseconflicts(path TEXT PRIMARY KEY,baseFileId TEXT,baseEtag TEXT,baseModtime INTEGER,basePath TEXT UNIQUE);
CREATE TABLE version(major INTEGER(8),minor INTEGER(8),patch INTEGER(8),custom VARCHAR(256));
CREATE TABLE e2EeLockedFolders(folderId VARCHAR(128) PRIMARY KEY,token VARCHAR(4096));
CREATE INDEX metadata_fileid ON metadata(fileid);
CREATE INDEX metadata_inode ON metadata(inode);
CREATE INDEX metadata_path ON metadata(path);
CREATE INDEX metadata_parent ON metadata(parent_hash(path));
CREATE INDEX metadata_e2e_id ON metadata(e2eMangledName);
CREATE INDEX caseconflicts_basePath ON caseconflicts(basePath);
CREATE INDEX blacklist_index ON blacklist(path collate nocase);
CREATE INDEX metadata_e2e_status ON metadata (path, phash, type, isE2eEncrypted);

4
dump/gap-tests/sqlite_tables.txt Normal file
View File

@ -0,0 +1,4 @@
async_poll conflicts flags uploadinfo
blacklist datafingerprint key_value_store version
caseconflicts downloadinfo metadata
checksumtype e2EeLockedFolders selectivesync

386
monitoring-gaps-analysis.md Normal file
View File

@ -0,0 +1,386 @@
# Monitoring Gaps Analysis
**Tags:** #note-type/research #domain/technical #status/in-progress #priority/high
## What We Captured
- **Duration:** ~20 minutes
- **Nuke state:** Already running, normal use
- **Connections observed:**
- api.honeycomb.io (17KB HTTPS - encrypted)
- learn.foundry.com (HEAD requests HTTP - unencrypted)
- crashpad_handler process (found but not active)
## What We Likely Missed
### 1. Startup Telemetry (HIGH PRIORITY)
**What could be sent:**
- Initial system scan (registry, hardware, OS)
- License validation and user identification
- Geographic location determination (IP geolocation)
- Email domain from license credentials
- Software environment enumeration
**Why we missed it:**
- Nuke was already running when we started monitoring
- Startup telemetry likely happens during Nuke launch
**How to capture:**
```bash
# Start monitoring BEFORE launching Nuke
sudo tcpdump -i any -w nuke_startup.pcap 'host foundry.com or host honeycomb.io or host sentry.foundry.com' &
sleep 2
# NOW launch Nuke
# Wait for it to fully load
# Stop capture
```
### 2. Shutdown Telemetry (HIGH PRIORITY)
**What could be sent:**
- Session summary (duration, tools used, errors)
- Final usage statistics
- Cached telemetry that wasn't sent during session
- License check-out confirmation
**Why we missed it:**
- We didn't capture Nuke closing
- Shutdown often triggers "flush" of cached data
**How to capture:**
```bash
# While Nuke is running, start capture
sudo tcpdump -i any -w nuke_shutdown.pcap 'host foundry.com or host honeycomb.io or host sentry.foundry.com' &
# Close Nuke normally
# Wait 30 seconds after Nuke closes
# Stop capture
```
### 3. Crash Reporting (MEDIUM PRIORITY)
**What could be sent:**
- Memory dumps (could include project data!)
- Stack traces
- System state at crash time
- User information
- Active projects/files
**Why we missed it:**
- No crashes occurred during monitoring
- crashpad_handler was idle
**How to capture:**
```bash
# Start capture
sudo tcpdump -i any -w nuke_crash.pcap 'host sentry.foundry.com' &
# Force kill Nuke to simulate crash
kill -9 $(pgrep -f Nuke)
# Wait 60 seconds (crash report upload)
# Stop capture
```
### 4. Periodic Check-ins (MEDIUM PRIORITY)
**What could be sent:**
- Heartbeat signals
- License validation pings
- Usage statistics batched from previous sessions
- Update checks
**Why we missed it:**
- 20 minutes might not cover the full interval
- Common intervals: 15min, 30min, 1hr, 4hr, 24hr
**How to capture:**
```bash
# Run monitoring for extended period
./monitor_nuke_telemetry.sh
# Leave Nuke idle for 4+ hours
# Check logs for periodic patterns
```
### 5. Specific Event Triggers (LOW-MEDIUM PRIORITY)
**Events that might trigger telemetry:**
**Help Menu Usage:**
- Accessing online documentation
- Checking for updates
- Viewing learning resources
**Rendering:**
- Large render jobs might report performance metrics
- Could include project complexity data
**Plugin/Script Usage:**
- Third-party plugin loads
- Python script execution
- Gizmo usage
**License Events:**
- License checkout/checkin (floating licenses)
- Seat availability checks
- License server connections
**Project Operations:**
- Opening certain project types
- Using specific nodes/features
- Render farm submissions
**How to capture:**
```bash
# Monitor while performing specific actions
sudo tcpdump -i any -w nuke_events.pcap 'host foundry.com or host honeycomb.io' &
# In Nuke:
# - Check for updates (Help menu)
# - Access online help
# - Render a complex scene
# - Use various nodes/tools
# Stop capture
```
## 3. Methodology Gaps
### Gap A: Local Data Collection
**The problem:**
- System registry access happens LOCALLY
- Data collection ≠ data transmission
- Could be cached and sent later
**Evidence of local caching:**
From earlier investigation:
```
~/Documents/nuke/15.2.375648/sentry-db/
```
**How to investigate:**
```bash
# Check what's in those Sentry database files
ls -lah ~/Documents/nuke/15.2.375648/sentry-db/
file ~/Documents/nuke/15.2.375648/sentry-db/*
# Monitor file changes during Nuke use
inotifywait -m ~/Documents/nuke/15.2.375648/sentry-db/
# Check for other telemetry databases
find ~/Documents/nuke ~/.nuke ~/.cache -name "*.db" -o -name "*.sqlite" -o -name "*telemetry*" -o -name "*analytics*"
```
### Gap B: DNS-Based Identification
**The problem:**
- Geographic location can be determined from DNS queries
- Doesn't require sending location data explicitly
- Foundry sees your IP address in connection logs
**What Foundry already knows from network metadata:**
- Your public IP address (from all connections)
- Geographic location (IP geolocation databases)
- ISP information
- Approximate physical location
**This is unavoidable** unless you use VPN/proxy
### Gap C: Different Protocols/Ports
**What we monitored:**
- TCP connections to known Foundry domains
- Ports 80, 443 (HTTP/HTTPS)
**What we might have missed:**
- UDP traffic (less common but possible)
- Different ports (custom license servers, etc.)
- DNS queries themselves (can leak info)
- IPv6 connections (if using dual-stack)
**How to capture everything:**
```bash
# Capture ALL external traffic (not filtered)
sudo tcpdump -i any -w nuke_full.pcap 'not net 10.0.0.0/8 and not net 127.0.0.0/8'
# Much larger file, but catches everything
```
### Gap D: System Registry Access
**The problem:**
- On Linux, "registry" means different things
- Could be checking:
- `/proc/` - Process and system info
- `/sys/` - Hardware information
- Environment variables
- Config files in `~/.config/`, `~/.local/share/`
- `/etc/` system files
**This happens in-process** - no network traffic!
**How to monitor:**
```bash
# Use strace to see what files Nuke accesses
sudo strace -f -e trace=open,openat,read,stat -p $(pgrep -f Nuke) 2>&1 | tee nuke_file_access.log
# Look for suspicious reads
grep -E '/proc|/sys|/etc|\.config' nuke_file_access.log
```
### Gap E: Email Domain Collection
**How they could get it:**
1. **From license credentials** (most likely)
- You logged in with email to activate license
- Email domain already known to Foundry
2. **From system username**
- If username is email format: `user@domain.com`
3. **From hostname/network**
- SMTP server domain
- Email client configuration files
**This might not require transmission** - they already have it from license registration
### Gap F: Third-Party Services (Honeycomb, Sentry)
**The problem:**
- Even if we block Foundry domains, third-party services collect metadata:
- Honeycomb sees: IP address, timing, data volume
- Sentry sees: IP address, user-agent, system info
- Both can geolocate your IP
**Honeycomb/Sentry also have access to:**
- All data Foundry sends them (obviously)
- Their own usage analytics
- Cross-customer correlation
## 4. How to Fill the Gaps
### Comprehensive Monitoring Plan
**Phase 1: Startup/Shutdown Capture (1 day)**
```bash
# Morning: Capture startup
sudo tcpdump -i any -w startup.pcap 'host foundry.com or host honeycomb.io or host sentry.foundry.com' &
# Launch Nuke, wait for full load, stop capture
# Evening: Capture shutdown
sudo tcpdump -i any -w shutdown.pcap 'host foundry.com or host honeycomb.io or host sentry.foundry.com' &
# Close Nuke, wait 60 seconds, stop capture
# Analyze differences
tshark -r startup.pcap -q -z io,stat,0
tshark -r shutdown.pcap -q -z io,stat,0
```
**Phase 2: Local File Monitoring (ongoing)**
```bash
# Install inotify-tools
sudo pacman -S inotify-tools
# Monitor Nuke directories for file changes
inotifywait -m -r ~/Documents/nuke ~/.nuke ~/.cache/nuke 2>&1 | tee nuke_file_changes.log
```
**Phase 3: System Call Tracing (1 session)**
```bash
# Trace file access during Nuke session
sudo strace -f -e trace=open,openat,read,readv,connect -p $(pgrep -f Nuke) -o nuke_strace.log
# After session, analyze
grep -E 'open|connect' nuke_strace.log | grep -vE '(ENOENT|EAGAIN)' > nuke_access_summary.txt
```
**Phase 4: Long-Duration Monitoring (1 week)**
```bash
# Start ongoing monitoring
./monitor_nuke_telemetry.sh
# Leave running during normal Nuke usage
# Check logs daily for patterns
ls -lh telemetry-logs/
grep "NEW CONNECTION" telemetry-logs/*.log
```
**Phase 5: Event-Triggered Capture (as needed)**
```bash
# While monitoring is running:
# - Check for updates (Help menu)
# - Trigger an error/warning
# - Access online help
# - Large render job
# - Use various plugins
# Note timing in log
```
### Ultimate Test: Compare with Block Enabled
```bash
# 1. Capture baseline (telemetry allowed)
sudo tcpdump -i any -w baseline.pcap 'host honeycomb.io or host foundry.com' &
# Use Nuke normally for 30 min
# Stop capture
# 2. Block telemetry
./block_nuke_telemetry.sh
# 3. Capture with blocking
sudo tcpdump -i any -w blocked.pcap 'host honeycomb.io or host foundry.com' &
# Use Nuke normally for 30 min
# Stop capture
# 4. Compare
tshark -r baseline.pcap | wc -l # Should have packets
tshark -r blocked.pcap | wc -l # Should be zero or connection failures
# 5. Check if Nuke still functions
# If features break, that tells us what relied on telemetry
```
## Summary: What We're Probably Missing
### Definitely Missing:
1. **Startup telemetry** - System scan, initial check-in
2. **Shutdown telemetry** - Session summary, cached data flush
3. **Content of encrypted payloads** - Everything in that 17KB to Honeycomb
### Probably Missing:
4. **Crash reports** - No crashes occurred
5. **Periodic check-ins** - 20 min might not cover the interval
6. **Local data collection** - Registry/system scans happen locally first
### Possibly Missing:
7. **Event-triggered telemetry** - Help menu, updates, specific features
8. **Alternative protocols** - UDP, different ports, IPv6
9. **License server traffic** - If using floating licenses
10. **Cached/batched data** - Stored locally, transmitted later
### Already Captured (But Can't Decrypt):
11. **Email domain** - Likely in Honeycomb payload or already known from license
12. **Geographic location** - Determined from IP address (unavoidable)
13. **Usage profiling** - Likely in Honeycomb payload
14. **System information** - Likely in Honeycomb payload
## Next Steps
**Immediate (to fill critical gaps):**
1. Capture Nuke startup telemetry
2. Capture Nuke shutdown telemetry
3. Check local Sentry database contents
4. Run `strace` to see file/registry access
**Short-term (deeper investigation):**
1. Monitor for 24+ hours to catch periodic check-ins
2. Force a crash and capture Sentry traffic
3. Test specific events (Help menu, updates, etc.)
4. Compare traffic with telemetry blocked
**Long-term (ongoing):**
1. Run monitoring service continuously
2. Build timeline of telemetry patterns
3. Correlate with Nuke usage events
4. File GDPR/CCPA request to see what Foundry actually has
---
**Bottom Line:** We're definitely missing startup/shutdown telemetry and can't see inside encrypted payloads. The EULA-permitted data (email, location, registry, usage) is almost certainly being transmitted - we just can't see it because it's encrypted inside the Honeycomb connection.

164
nuke_foundry_analysis.md Normal file
View File

@ -0,0 +1,164 @@
NUKE FOUNDRY TRAFFIC ANALYSIS - 20 Minute Capture
==================================================
CAPTURE SUMMARY:
- Duration: ~20 minutes
- Total packets: 136
- Total data: 32KB
- Result: NUKE WAS PHONING HOME!
**Tags:** #note-type/research #domain/technical #project-type/technical #status/complete #priority/high
FOUNDRY CONNECTIONS FOUND:
===========================
1. UNENCRYPTED HTTP TO FOUNDRY (⚠️ NOT ENCRYPTED!)
IP: 52.50.232.31 (AWS Ireland)
Domain: learn.foundry.com
Port: 80 (HTTP - unencrypted)
Requests: 8 HEAD requests to /nuke/15.2/Default.html
User-Agent: Mozilla/5.0
WHAT THIS MEANS:
- Nuke periodically checks if help documentation is available
- HEAD requests = just checking existence, not downloading
- Happens in the background while using Nuke
- NOT encrypted - anyone on your network can see this
2. ENCRYPTED TELEMETRY (HTTPS)
IP: 52.205.16.9 (AWS US-East)
Domain: api.honeycomb.io
Port: 443 (HTTPS - encrypted)
Data: 17KB (largest connection)
WHAT THIS MEANS:
- Honeycomb is an observability/telemetry platform
- Used by companies to track app performance and usage
- Collects: errors, performance metrics, usage patterns
- Content is encrypted, but metadata visible (IP, timing, size)
- This is likely what Foundry uses for analytics
3. OTHER HTTPS CONNECTION
IP: 52.250.30.213 (AWS)
Domain: staticcdn.duckduckgo.com
Port: 443 (HTTPS)
Data: 7.5KB
NOTE: This might be browser-related, not Nuke
WHAT DATA IS BEING SENT:
=========================
Based on the connections, Nuke is likely sending:
TO HONEYCOMB (encrypted):
✓ Usage telemetry
✓ Performance metrics
✓ Error reports
✓ Feature usage statistics
✓ System information (OS, hardware specs)
✓ Session duration and activity patterns
TO LEARN.FOUNDRY.COM (unencrypted):
✓ Version number (15.2)
✓ Documentation availability checks
✓ Your IP address (visible in HTTP headers)
PRIVACY CONCERNS:
=================
MODERATE CONCERNS:
⚠️ Unencrypted HTTP to learn.foundry.com
- Your ISP can see you're using Nuke
- Network admin can see Nuke version
- Easy to intercept on public WiFi
⚠️ Telemetry to Honeycomb
- Even encrypted, shows you're actively using Nuke
- Connection frequency reveals usage patterns
- Metadata visible: when, how often, how long
⚠️ No obvious opt-out
- Telemetry appears automatic
- No clear way to disable in settings
POSITIVE OBSERVATIONS:
======================
✓ No constant "phoning home" - only 136 packets in 20 min
✓ Relatively small data transfer (32KB total)
✓ No license server connections (using local license)
✓ Main telemetry is encrypted via HTTPS
✓ No Sentry crash reporter traffic (or not triggered)
COMPARISON TO YOUR SUSPICIONS:
==============================
YOUR HUNCH: "not encrypted and sending more than relevant data"
REALITY:
- PARTIALLY CORRECT: learn.foundry.com uses unencrypted HTTP
- MOSTLY INCORRECT: Main telemetry (Honeycomb) is encrypted
- DATA AMOUNT: Hard to say without decrypting Honeycomb traffic
but 17KB over 20 minutes seems reasonable for telemetry
RECOMMENDATIONS:
================
IF YOU WANT TO BLOCK FOUNDRY TELEMETRY:
1. BLOCK AT HOSTS FILE:
sudo nano /etc/hosts
Add:
127.0.0.1 api.honeycomb.io
127.0.0.1 learn.foundry.com
127.0.0.1 sentry.foundry.com
2. BLOCK AT FIREWALL:
sudo ufw deny out to 52.205.16.9
sudo ufw deny out to 52.50.232.31
3. USE A NETWORK-LEVEL BLOCKER:
- Pi-hole
- AdGuard Home
- Add Foundry domains to blocklist
4. CHECK NUKE PREFERENCES:
Look for "Send usage data" or "Analytics" settings
(May or may not exist)
5. MONITOR IMPACT:
After blocking, test if Nuke still works normally
Some features (Help menu?) might be affected
TECHNICAL DETAILS:
==================
AWS IPs Confirmed:
- 52.50.232.31 (eu-west-1 - Ireland)
- 52.205.16.9 (us-east-1 - Virginia)
- 52.250.30.213 (region unknown)
Connection Timing:
- Connections happen sporadically during use
- Not continuous background chatter
- Triggered by specific actions or time intervals
User-Agent:
- "Mozilla/5.0" (generic browser string)
- Nuke disguising itself as a browser? Odd choice.
BOTTOM LINE:
============
Your suspicions were partially correct. Nuke does send data to
Foundry servers, including some unencrypted HTTP traffic. However:
1. The volume seems reasonable (not excessive)
2. Most sensitive data appears encrypted
3. It's not constantly transmitting
4. Typical for modern software telemetry
Whether this is acceptable depends on your privacy requirements.
If you want complete privacy, block the domains/IPs listed above.

45
scripts/block_nuke_telemetry.sh Normal file
View File

@ -0,0 +1,45 @@
#!/bin/bash
# Script to block Nuke/Foundry telemetry
echo "=== Nuke Telemetry Blocker ==="
echo ""
echo "This script will block Nuke from sending telemetry data to Foundry servers."
echo "WARNING: This may affect Help menu and other online features."
echo ""
read -p "Continue? (y/n): " confirm
if [ "$confirm" != "y" ]; then
echo "Aborted."
exit 0
fi
echo ""
echo "Backing up /etc/hosts..."
sudo cp /etc/hosts /etc/hosts.backup.$(date +%Y%m%d_%H%M%S)
echo "Adding Foundry domains to /etc/hosts..."
sudo bash -c 'cat >> /etc/hosts << HOSTS
# Block Nuke/Foundry Telemetry (added $(date))
127.0.0.1 api.honeycomb.io
127.0.0.1 learn.foundry.com
127.0.0.1 sentry.foundry.com
HOSTS
'
echo ""
echo "✓ Domains blocked in /etc/hosts"
echo ""
echo "Testing blocks..."
ping -c 1 api.honeycomb.io 2>&1 | head -2
ping -c 1 learn.foundry.com 2>&1 | head -2
echo ""
echo "=== DONE ==="
echo ""
echo "Nuke telemetry should now be blocked."
echo "If you experience issues, restore your hosts file:"
echo " sudo cp /etc/hosts.backup.* /etc/hosts"
echo ""
echo "To unblock, edit /etc/hosts and remove the Foundry entries:"
echo " sudo nano /etc/hosts"

121
scripts/capture_startup_wide.sh Executable file
View File

@ -0,0 +1,121 @@
#!/bin/bash
# Wide-net startup capture - catches EVERYTHING external
OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/startup-wide"
mkdir -p "$OUTPUT_DIR"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
echo "=== Wide-Net Nuke Startup Capture ==="
echo ""
echo "This will capture ALL external network traffic (not just Foundry domains)"
echo "so we can see if Nuke is connecting to unexpected servers."
echo ""
# Check if Nuke is running
if pgrep -i nuke > /dev/null 2>&1; then
echo "WARNING: Nuke appears to be running. Please close it first."
echo ""
read -p "Press Enter after closing Nuke..."
fi
echo ""
echo "Starting wide capture (capturing ALL external traffic)..."
echo "This will be a larger file since we're not filtering by domain."
echo ""
# Capture everything EXCEPT local network traffic
sudo tcpdump -i any -w "$OUTPUT_DIR/startup_wide_$TIMESTAMP.pcap" \
'not (net 10.0.0.0/8 or net 127.0.0.0/8 or net 224.0.0.0/4 or net 239.0.0.0/8 or port 5353)' &
TCPDUMP_PID=$!
echo "Capture running (PID: $TCPDUMP_PID)"
echo ""
echo "================================================"
echo "NOW LAUNCH NUKE"
echo "================================================"
echo ""
read -p "Press Enter after Nuke has FULLY loaded (all windows open)..."
echo ""
echo "Stopping capture..."
sudo kill $TCPDUMP_PID 2>/dev/null
wait $TCPDUMP_PID 2>/dev/null
sleep 2
echo ""
echo "Capture complete!"
echo ""
PCAP_FILE="$OUTPUT_DIR/startup_wide_$TIMESTAMP.pcap"
if [ ! -f "$PCAP_FILE" ]; then
echo "ERROR: Capture file not created: $PCAP_FILE"
exit 1
fi
PCAP_SIZE=$(du -h "$PCAP_FILE" | cut -f1)
echo "File: $PCAP_FILE"
echo "Size: $PCAP_SIZE"
echo ""
# Basic analysis
echo "Analyzing capture..."
echo ""
if command -v tshark &> /dev/null; then
echo "=== Packet Statistics ==="
tshark -r "$PCAP_FILE" -q -z io,stat,0
echo ""
echo "=== Unique Destination IPs ==="
tshark -r "$PCAP_FILE" -T fields -e ip.dst 2>/dev/null | sort -u | tee "$OUTPUT_DIR/unique_ips_$TIMESTAMP.txt"
echo ""
echo "=== DNS Lookups During Startup ==="
tshark -r "$PCAP_FILE" -Y "dns.flags.response == 1" -T fields -e dns.qry.name 2>/dev/null | sort -u | tee "$OUTPUT_DIR/dns_lookups_$TIMESTAMP.txt"
echo ""
echo "=== Checking for Foundry/Honeycomb/Sentry ==="
FOUNDRY_COUNT=$(tshark -r "$PCAP_FILE" -Y "dns.qry.name contains \"foundry\" or dns.qry.name contains \"honeycomb\" or dns.qry.name contains \"sentry\"" 2>/dev/null | wc -l)
if [ "$FOUNDRY_COUNT" -gt 0 ]; then
echo "✓ FOUND $FOUNDRY_COUNT packets to Foundry/telemetry services:"
tshark -r "$PCAP_FILE" -Y "dns.qry.name contains \"foundry\" or dns.qry.name contains \"honeycomb\" or dns.qry.name contains \"sentry\"" 2>/dev/null
else
echo "✗ NO Foundry/telemetry traffic found during startup"
echo ""
echo "This suggests:"
echo " 1. Telemetry only happens on FIRST launch (not subsequent launches)"
echo " 2. Telemetry is delayed/batched (happens after startup)"
echo " 3. Telemetry is sent later during the session"
fi
echo ""
echo "=== HTTP Traffic (if any) ==="
tshark -r "$PCAP_FILE" -Y "http.request" -T fields -e http.host -e http.request.uri 2>/dev/null | head -20
echo ""
echo "=== TLS/HTTPS Connections (Server Name Indication) ==="
tshark -r "$PCAP_FILE" -Y "tls.handshake.extensions_server_name" -T fields -e tls.handshake.extensions_server_name 2>/dev/null | sort -u | tee "$OUTPUT_DIR/tls_servers_$TIMESTAMP.txt"
echo ""
else
echo "tshark not installed. Install wireshark-cli for analysis:"
echo " sudo pacman -S wireshark-cli"
echo ""
echo "You can analyze manually with:"
echo " wireshark $PCAP_FILE"
fi
echo ""
echo "=== Summary ==="
echo "Results saved to: $OUTPUT_DIR/"
echo " - Raw capture: $PCAP_FILE"
echo " - Unique IPs: $OUTPUT_DIR/unique_ips_$TIMESTAMP.txt"
echo " - DNS lookups: $OUTPUT_DIR/dns_lookups_$TIMESTAMP.txt"
echo " - TLS servers: $OUTPUT_DIR/tls_servers_$TIMESTAMP.txt"
echo ""
echo "Next: Compare these IPs/domains with your earlier 20-minute capture"
echo "to see if startup traffic differs from runtime traffic."
echo ""

51
scripts/debug_nuke_process.sh Executable file
View File

@ -0,0 +1,51 @@
#!/bin/bash
# Debug script to find Nuke's actual process name
echo "=== Finding Nuke Process ==="
echo ""
echo "1. Trying various process name patterns:"
echo ""
echo "pgrep -f Nuke:"
pgrep -f Nuke
echo ""
echo "pgrep -f nuke:"
pgrep -f nuke
echo ""
echo "pgrep -i nuke:"
pgrep -i nuke
echo ""
echo "pgrep Nuke:"
pgrep Nuke
echo ""
echo "2. Searching all processes for 'nuke' (case-insensitive):"
ps aux | grep -i nuke | grep -v grep
echo ""
echo "3. Searching for Foundry-related processes:"
ps aux | grep -i foundry | grep -v grep
echo ""
echo "4. Searching for processes accessing Nuke directories:"
lsof 2>/dev/null | grep -i nuke | head -20
echo ""
echo "5. Checking /proc for Nuke:"
find /proc -maxdepth 2 -name cmdline -exec grep -l -i nuke {} \; 2>/dev/null | while read cmdline; do
PID=$(echo "$cmdline" | cut -d/ -f3)
echo "PID: $PID"
echo "Command: $(cat "$cmdline" | tr '\0' ' ')"
echo ""
done
echo "6. All currently running GUI applications:"
ps aux | awk '{print $11}' | sort -u | grep -E '^[A-Z]' | head -20
echo ""
echo "=== If Nuke is open, please look through the output above ==="
echo "=== and tell me which process name/PID belongs to Nuke ==="

242
scripts/decrypt_nuke_traffic.sh Executable file
View File

@ -0,0 +1,242 @@
#!/bin/bash
# Automated HTTPS decryption for Nuke telemetry
# Tries mitmproxy method, provides instructions for frida fallback
OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/decrypted"
mkdir -p "$OUTPUT_DIR"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
echo "═══════════════════════════════════════════════════════"
echo " Nuke HTTPS Traffic Decryption Tool"
echo "═══════════════════════════════════════════════════════"
echo ""
echo "This tool will attempt to decrypt HTTPS traffic from Nuke"
echo "using SSL/TLS interception (mitmproxy method)."
echo ""
echo "LEGAL NOTE: This intercepts YOUR traffic from YOUR software"
echo "on YOUR computer. This is legal and ethical for privacy research."
echo ""
# Check if mitmproxy is installed
if ! command -v mitmproxy &> /dev/null; then
echo "ERROR: mitmproxy is not installed."
echo ""
echo "Install with:"
echo " sudo pacman -S mitmproxy"
echo ""
exit 1
fi
# Check if Nuke is running (it shouldn't be yet)
if pgrep -f Nuke > /dev/null 2>&1; then
echo "WARNING: Nuke is currently running."
echo "For best results, close Nuke before starting interception."
echo ""
read -p "Continue anyway? (y/n): " continue_anyway
if [ "$continue_anyway" != "y" ]; then
echo "Aborted."
exit 0
fi
fi
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Step 1: Setup mitmproxy certificate"
echo "═══════════════════════════════════════════════════════"
echo ""
# Generate mitmproxy certificate if not exists
if [ ! -f "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" ]; then
echo "Generating mitmproxy certificate..."
mitmproxy --version > /dev/null 2>&1
sleep 2
if [ ! -f "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" ]; then
echo "Running mitmproxy briefly to generate certificate..."
timeout 3 mitmproxy 2>/dev/null || true
fi
fi
# Install certificate to system trust store
if [ -f "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" ]; then
echo "Installing mitmproxy certificate to system trust store..."
sudo cp "$HOME/.mitmproxy/mitmproxy-ca-cert.pem" /etc/ca-certificates/trust-source/anchors/mitmproxy.crt 2>/dev/null || true
sudo trust extract-compat 2>/dev/null || true
sudo update-ca-trust 2>/dev/null || true
echo "✓ Certificate installed"
else
echo "WARNING: Could not generate mitmproxy certificate."
echo "Interception may not work properly."
fi
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Step 2: Start mitmproxy web interface"
echo "═══════════════════════════════════════════════════════"
echo ""
MITM_LOG="$OUTPUT_DIR/nuke_traffic_$TIMESTAMP.mitm"
echo "Starting mitmweb on http://127.0.0.1:8081"
echo "Log file: $MITM_LOG"
echo ""
# Start mitmweb in background
mitmweb --mode transparent --showhost --set block_global=false -w "$MITM_LOG" > "$OUTPUT_DIR/mitmproxy_$TIMESTAMP.log" 2>&1 &
MITMPROXY_PID=$!
echo "mitmproxy PID: $MITMPROXY_PID"
sleep 3
# Check if mitmproxy started successfully
if ! kill -0 $MITMPROXY_PID 2>/dev/null; then
echo "ERROR: mitmproxy failed to start."
echo "Check log: $OUTPUT_DIR/mitmproxy_$TIMESTAMP.log"
exit 1
fi
echo "✓ mitmproxy started successfully"
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Step 3: Setup iptables traffic redirection"
echo "═══════════════════════════════════════════════════════"
echo ""
# Save current iptables rules for restoration
sudo iptables-save > "$OUTPUT_DIR/iptables_backup_$TIMESTAMP.rules"
echo "Redirecting Foundry traffic through mitmproxy..."
# Redirect Honeycomb traffic
sudo iptables -t nat -A OUTPUT -p tcp -d 52.205.16.9 --dport 443 -j REDIRECT --to-port 8080
# Redirect learn.foundry.com
sudo iptables -t nat -A OUTPUT -p tcp -d 52.50.232.31 --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp -d 52.50.232.31 --dport 80 -j REDIRECT --to-port 8080
# Redirect any other foundry.com domains (by name - requires DNS)
# Note: This might not work for direct IP connections
echo "✓ iptables rules applied"
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Step 4: Launch Nuke and capture traffic"
echo "═══════════════════════════════════════════════════════"
echo ""
echo "INSTRUCTIONS:"
echo ""
echo "1. Open your browser to: http://127.0.0.1:8081"
echo " (mitmproxy web interface)"
echo ""
echo "2. Launch Nuke now and use it normally"
echo ""
echo "3. Watch the mitmproxy interface for captured requests"
echo " Look for requests to:"
echo " - api.honeycomb.io"
echo " - learn.foundry.com"
echo " - sentry.foundry.com"
echo ""
echo "4. Click on any request to see:"
echo " - Full HTTP headers"
echo " - Complete request/response body (JSON)"
echo " - Timing information"
echo ""
echo "5. When done capturing, return to this terminal and press Enter"
echo ""
echo "═══════════════════════════════════════════════════════"
read -p "Press Enter after you're done capturing traffic..."
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Step 5: Cleanup"
echo "═══════════════════════════════════════════════════════"
echo ""
echo "Stopping mitmproxy..."
kill $MITMPROXY_PID 2>/dev/null
wait $MITMPROXY_PID 2>/dev/null
echo "Restoring iptables rules..."
sudo iptables -t nat -F OUTPUT 2>/dev/null
echo "✓ Cleanup complete"
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Results"
echo "═══════════════════════════════════════════════════════"
echo ""
if [ -f "$MITM_LOG" ]; then
CAPTURE_SIZE=$(du -h "$MITM_LOG" | cut -f1)
echo "Capture saved to: $MITM_LOG"
echo "Capture size: $CAPTURE_SIZE"
echo ""
echo "To replay and analyze:"
echo " mitmproxy -r $MITM_LOG"
echo ""
echo "To export to JSON:"
echo " mitmdump -r $MITM_LOG -w $OUTPUT_DIR/nuke_traffic_$TIMESTAMP.json"
echo ""
echo "To view in web interface again:"
echo " mitmweb -r $MITM_LOG"
echo ""
else
echo "WARNING: No capture file created."
echo "This could mean:"
echo " 1. No traffic was captured (Nuke didn't connect)"
echo " 2. Nuke rejected the mitmproxy certificate (certificate pinning)"
echo " 3. Traffic went around the proxy"
echo ""
echo "TROUBLESHOOTING:"
echo ""
echo "If Nuke showed SSL/certificate errors:"
echo " → Nuke likely uses certificate pinning"
echo " → Try Method 3 (frida) instead"
echo " → See INTERCEPTING-HTTPS.md for instructions"
echo ""
echo "If no errors but no traffic captured:"
echo " → Check that Foundry IPs are correct"
echo " → Try capturing during Nuke startup"
echo " → Monitor /tmp/mitmproxy_*.log for errors"
fi
echo ""
echo "═══════════════════════════════════════════════════════"
echo " Next Steps"
echo "═══════════════════════════════════════════════════════"
echo ""
if [ -f "$MITM_LOG" ] && [ -s "$MITM_LOG" ]; then
echo "✓ SUCCESS! Traffic was captured and decrypted."
echo ""
echo "Review the capture to find:"
echo " - Email domain transmission"
echo " - Geographic location data"
echo " - System information collected"
echo " - Usage profiling details"
echo " - Any sensitive data (file paths, project names)"
echo ""
echo "Document findings in:"
echo " $OUTPUT_DIR/analysis_$TIMESTAMP.txt"
echo ""
echo "Update the master document:"
echo " Foudry-Nuke-Monitoring.md"
else
echo "✗ No traffic captured."
echo ""
echo "OPTION 1: Try again with different approach"
echo " ./decrypt_nuke_traffic.sh"
echo ""
echo "OPTION 2: Use frida method (more reliable)"
echo " See: INTERCEPTING-HTTPS.md - Method 3"
echo ""
echo "OPTION 3: Check if telemetry is already blocked"
echo " cat /etc/hosts | grep foundry"
fi
echo ""
echo "For detailed instructions and alternative methods:"
echo " See: INTERCEPTING-HTTPS.md"
echo ""

443
scripts/dns_sinkhole_config.sh Executable file
View File

@ -0,0 +1,443 @@
#!/bin/bash
#
# Nuke Telemetry DNS Sinkhole Configuration Generator
# Generates DNS blocking configurations for various DNS servers
#
# Usage:
# bash dns_sinkhole_config.sh # Generate all configs
# bash dns_sinkhole_config.sh --dnsmasq # Generate dnsmasq config only
# bash dns_sinkhole_config.sh --pihole # Generate Pi-hole config only
# bash dns_sinkhole_config.sh --adguard # Generate AdGuard Home config only
# bash dns_sinkhole_config.sh --bind # Generate BIND9 config only
# bash dns_sinkhole_config.sh --apply # Apply to local system (if supported)
#
# Configuration
OUTPUT_DIR="./dns_configs"
DOMAINS=(
"api.honeycomb.io"
"learn.foundry.com"
"sentry.foundry.com"
)
# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log() {
echo -e "$1"
}
create_output_dir() {
mkdir -p "$OUTPUT_DIR"
log "${GREEN}Output directory: $OUTPUT_DIR${NC}"
echo ""
}
generate_dnsmasq() {
local file="$OUTPUT_DIR/dnsmasq-nuke-block.conf"
log "${BLUE}Generating dnsmasq configuration...${NC}"
cat > "$file" << 'EOF'
# dnsmasq configuration to block Nuke/Foundry telemetry
# Installation:
# 1. Copy to /etc/dnsmasq.d/nuke-block.conf
# 2. Or append to /etc/dnsmasq.conf
# 3. Restart: sudo systemctl restart dnsmasq
#
# Test:
# nslookup api.honeycomb.io
# nslookup learn.foundry.com
# (should return 0.0.0.0)
EOF
for domain in "${DOMAINS[@]}"; do
echo "address=/$domain/0.0.0.0" >> "$file"
done
cat >> "$file" << 'EOF'
# Alternative: redirect to localhost instead of 0.0.0.0
# Uncomment these and comment out the above if preferred
# address=/api.honeycomb.io/127.0.0.1
# address=/learn.foundry.com/127.0.0.1
# address=/sentry.foundry.com/127.0.0.1
EOF
log "${GREEN}✓ Created: $file${NC}"
echo ""
}
generate_pihole() {
local file="$OUTPUT_DIR/pihole-nuke-block.txt"
log "${BLUE}Generating Pi-hole blocklist...${NC}"
cat > "$file" << 'EOF'
# Pi-hole blocklist for Nuke/Foundry telemetry
# Installation:
# Method 1 (Web UI):
# 1. Open Pi-hole admin panel
# 2. Go to Group Management > Adlists
# 3. Add this file's URL or paste contents into Custom DNS
#
# Method 2 (CLI):
# 1. Add domains to /etc/pihole/custom.list
# 2. Run: pihole restartdns
#
# Method 3 (Regex blocking):
# 1. Open Pi-hole admin panel
# 2. Go to Group Management > Domains
# 3. Add each domain below
#
# Domains to block:
EOF
for domain in "${DOMAINS[@]}"; do
echo "$domain" >> "$file"
done
cat >> "$file" << 'EOF'
# Regex patterns (optional - use in Pi-hole Regex filter):
# (api\.honeycomb\.io|learn\.foundry\.com|sentry\.foundry\.com)
EOF
log "${GREEN}✓ Created: $file${NC}"
echo ""
# Also create custom.list format
local custom_file="$OUTPUT_DIR/pihole-custom.list"
log "${BLUE}Generating Pi-hole custom.list format...${NC}"
cat > "$custom_file" << 'EOF'
# Pi-hole custom.list format
# Copy these lines to /etc/pihole/custom.list
# Then run: pihole restartdns
EOF
for domain in "${DOMAINS[@]}"; do
echo "0.0.0.0 $domain" >> "$custom_file"
done
log "${GREEN}✓ Created: $custom_file${NC}"
echo ""
}
generate_adguard() {
local file="$OUTPUT_DIR/adguard-nuke-block.txt"
log "${BLUE}Generating AdGuard Home blocklist...${NC}"
cat > "$file" << 'EOF'
# AdGuard Home blocklist for Nuke/Foundry telemetry
# Installation:
# Method 1 (Web UI):
# 1. Open AdGuard Home admin panel
# 2. Go to Filters > DNS blocklists
# 3. Add Custom list and paste URL to this file
#
# Method 2 (Manual):
# 1. Copy contents to AdGuardHome/data/filters/
# 2. Or use Custom filtering rules (Filters > Custom filtering rules)
#
# AdGuard Home format (domain-only):
EOF
for domain in "${DOMAINS[@]}"; do
# AdGuard Home uses ||domain^ syntax for domain blocking
echo "||$domain^" >> "$file"
done
cat >> "$file" << 'EOF'
# Alternative format (hosts file style):
# 0.0.0.0 api.honeycomb.io
# 0.0.0.0 learn.foundry.com
# 0.0.0.0 sentry.foundry.com
# Custom filtering rules (advanced):
# Use these in "Custom filtering rules" section for more control
# /^.*foundry\.com$/
# ||honeycomb.io^$important
EOF
log "${GREEN}✓ Created: $file${NC}"
echo ""
}
generate_bind() {
local file="$OUTPUT_DIR/bind9-nuke-block.zone"
log "${BLUE}Generating BIND9 zone file...${NC}"
cat > "$file" << 'EOF'
; BIND9 zone file to block Nuke/Foundry telemetry
; Installation:
; 1. Create zone files for each domain
; 2. Add zone declarations to /etc/bind/named.conf.local:
;
; zone "api.honeycomb.io" {
; type master;
; file "/etc/bind/zones/null.zone.file";
; };
;
; zone "learn.foundry.com" {
; type master;
; file "/etc/bind/zones/null.zone.file";
; };
;
; zone "sentry.foundry.com" {
; type master;
; file "/etc/bind/zones/null.zone.file";
; };
;
; 3. Create /etc/bind/zones/null.zone.file with contents below
; 4. Restart BIND: sudo systemctl restart bind9 (or named)
;
; null.zone.file contents:
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
@ IN NS localhost.
@ IN A 0.0.0.0
* IN A 0.0.0.0
EOF
log "${GREEN}✓ Created: $file${NC}"
echo ""
# Generate named.conf snippet
local conf_file="$OUTPUT_DIR/bind9-named.conf.snippet"
log "${BLUE}Generating BIND9 named.conf snippet...${NC}"
cat > "$conf_file" << 'EOF'
// BIND9 named.conf snippet for blocking Nuke telemetry
// Add these lines to /etc/bind/named.conf.local
EOF
for domain in "${DOMAINS[@]}"; do
cat >> "$conf_file" << EOF
zone "$domain" {
type master;
file "/etc/bind/zones/null.zone.file";
};
EOF
done
log "${GREEN}✓ Created: $conf_file${NC}"
echo ""
}
generate_unbound() {
local file="$OUTPUT_DIR/unbound-nuke-block.conf"
log "${BLUE}Generating Unbound configuration...${NC}"
cat > "$file" << 'EOF'
# Unbound configuration to block Nuke/Foundry telemetry
# Installation:
# 1. Copy to /etc/unbound/unbound.conf.d/nuke-block.conf
# 2. Or append to /etc/unbound/unbound.conf
# 3. Restart: sudo systemctl restart unbound
#
# Test:
# dig @127.0.0.1 api.honeycomb.io
# (should return 0.0.0.0)
server:
EOF
for domain in "${DOMAINS[@]}"; do
cat >> "$file" << EOF
local-zone: "$domain" redirect
local-data: "$domain A 0.0.0.0"
EOF
done
log "${GREEN}✓ Created: $file${NC}"
echo ""
}
generate_hosts_file() {
local file="$OUTPUT_DIR/hosts-nuke-block.txt"
log "${BLUE}Generating hosts file format...${NC}"
cat > "$file" << 'EOF'
# Hosts file format for blocking Nuke/Foundry telemetry
# Installation:
# Linux/Mac: sudo bash -c 'cat >> /etc/hosts'
# Windows: Add to C:\Windows\System32\drivers\etc\hosts (as Administrator)
#
# Note: This is already handled by block_nuke_telemetry.sh
# Use this if you need manual installation
EOF
for domain in "${DOMAINS[@]}"; do
echo "127.0.0.1 $domain" >> "$file"
done
cat >> "$file" << 'EOF'
# IPv6 entries (optional):
# ::1 api.honeycomb.io
# ::1 learn.foundry.com
# ::1 sentry.foundry.com
EOF
log "${GREEN}✓ Created: $file${NC}"
echo ""
}
show_summary() {
log "${GREEN}=== DNS Sinkhole Configurations Generated ===${NC}"
echo ""
log "Output directory: $OUTPUT_DIR"
echo ""
log "Generated files:"
ls -lh "$OUTPUT_DIR" | tail -n +2
echo ""
log "${YELLOW}Next steps:${NC}"
log "1. Identify your DNS server type:"
log " - Pi-hole: Use pihole-*.txt files"
log " - AdGuard Home: Use adguard-*.txt file"
log " - dnsmasq: Use dnsmasq-*.conf file"
log " - BIND9: Use bind9-*.zone files"
log " - Unbound: Use unbound-*.conf file"
log " - Hosts file: Use hosts-*.txt file"
echo ""
log "2. Follow installation instructions in each file"
echo ""
log "3. Test blocking:"
log " nslookup api.honeycomb.io"
log " nslookup learn.foundry.com"
log " (should return 0.0.0.0 or 127.0.0.1)"
echo ""
log "${YELLOW}Your DNS server (from network config): 75.75.75.75${NC}"
log "If you control this DNS server, apply the appropriate config"
}
apply_local() {
log "${BLUE}Attempting to apply configuration to local system...${NC}"
echo ""
# Detect which DNS server is running
local dns_type=""
if systemctl is-active --quiet dnsmasq; then
dns_type="dnsmasq"
elif systemctl is-active --quiet pihole-FTL; then
dns_type="pihole"
elif systemctl is-active --quiet AdGuardHome; then
dns_type="adguard"
elif systemctl is-active --quiet bind9 || systemctl is-active --quiet named; then
dns_type="bind"
elif systemctl is-active --quiet unbound; then
dns_type="unbound"
else
log "${YELLOW}No DNS server detected on local system${NC}"
log "You may be using a remote DNS server (75.75.75.75)"
log "Apply configuration manually to that server"
return 1
fi
log "${GREEN}Detected DNS server: $dns_type${NC}"
echo ""
read -p "Apply $dns_type configuration? (y/n): " confirm
if [ "$confirm" != "y" ]; then
log "Aborted"
return 0
fi
case "$dns_type" in
dnsmasq)
sudo cp "$OUTPUT_DIR/dnsmasq-nuke-block.conf" /etc/dnsmasq.d/
sudo systemctl restart dnsmasq
log "${GREEN}✓ Applied to dnsmasq${NC}"
;;
pihole)
sudo cat "$OUTPUT_DIR/pihole-custom.list" >> /etc/pihole/custom.list
pihole restartdns
log "${GREEN}✓ Applied to Pi-hole${NC}"
;;
bind)
log "${YELLOW}BIND9 requires manual configuration${NC}"
log "See: $OUTPUT_DIR/bind9-named.conf.snippet"
;;
unbound)
sudo cp "$OUTPUT_DIR/unbound-nuke-block.conf" /etc/unbound/unbound.conf.d/
sudo systemctl restart unbound
log "${GREEN}✓ Applied to Unbound${NC}"
;;
esac
}
main() {
create_output_dir
case "$1" in
--dnsmasq)
generate_dnsmasq
;;
--pihole)
generate_pihole
;;
--adguard)
generate_adguard
;;
--bind)
generate_bind
;;
--unbound)
generate_unbound
;;
--hosts)
generate_hosts_file
;;
--apply)
generate_dnsmasq
generate_pihole
generate_adguard
generate_bind
generate_unbound
generate_hosts_file
show_summary
echo ""
apply_local
;;
*)
# Generate all
generate_dnsmasq
generate_pihole
generate_adguard
generate_bind
generate_unbound
generate_hosts_file
show_summary
;;
esac
}
main "$@"

239
scripts/firewall_block_nuke.sh Executable file
View File

@ -0,0 +1,239 @@
#!/bin/bash
#
# Nuke Telemetry Firewall Blocker
# Blocks Foundry telemetry at the firewall level using iptables or nftables
#
# Usage:
# sudo bash firewall_block_nuke.sh # Apply blocks
# sudo bash firewall_block_nuke.sh --restore # Remove blocks
# sudo bash firewall_block_nuke.sh --status # Check current rules
#
set -e
# Known Foundry telemetry IPs (from packet capture analysis)
LEARN_FOUNDRY_IP="52.50.232.31" # learn.foundry.com (AWS Ireland)
HONEYCOMB_IP="52.205.16.9" # api.honeycomb.io (AWS Virginia)
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Logging
LOG_FILE="/var/log/nuke_firewall_block.log"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | sudo tee -a "$LOG_FILE" >/dev/null
echo -e "$1"
}
check_root() {
if [ "$EUID" -ne 0 ]; then
echo -e "${RED}Error: This script must be run as root${NC}"
echo "Usage: sudo bash $0"
exit 1
fi
}
detect_firewall() {
if command -v nft &>/dev/null && nft list tables 2>/dev/null | grep -q "inet filter"; then
echo "nftables"
elif command -v iptables &>/dev/null; then
echo "iptables"
else
echo "none"
fi
}
apply_iptables_blocks() {
log "${GREEN}Applying iptables blocks...${NC}"
# Check if rules already exist
if iptables -C OUTPUT -d "$LEARN_FOUNDRY_IP" -j REJECT --reject-with icmp-host-unreachable 2>/dev/null; then
log "${YELLOW}iptables rules already exist, skipping...${NC}"
else
# Block learn.foundry.com
iptables -A OUTPUT -d "$LEARN_FOUNDRY_IP" -j REJECT --reject-with icmp-host-unreachable
log "Blocked $LEARN_FOUNDRY_IP (learn.foundry.com)"
# Block api.honeycomb.io
iptables -A OUTPUT -d "$HONEYCOMB_IP" -j REJECT --reject-with icmp-host-unreachable
log "Blocked $HONEYCOMB_IP (api.honeycomb.io)"
# Block sentry.foundry.com by domain (using string match)
iptables -A OUTPUT -p tcp --dport 443 -m string --string "sentry.foundry.com" --algo bm -j REJECT --reject-with tcp-reset
log "Blocked sentry.foundry.com (HTTPS string match)"
fi
# Make persistent
if [ -d "/etc/iptables" ]; then
iptables-save > /etc/iptables/iptables.rules
log "Rules saved to /etc/iptables/iptables.rules"
# Enable iptables service if available
if systemctl is-enabled iptables.service &>/dev/null; then
systemctl enable iptables.service
fi
else
log "${YELLOW}Warning: /etc/iptables/ directory not found. Rules may not persist across reboots.${NC}"
log "${YELLOW}Consider installing iptables-persistent or enabling iptables.service${NC}"
fi
}
apply_nftables_blocks() {
log "${GREEN}Applying nftables blocks...${NC}"
# Create table and chain if they don't exist
nft add table inet filter 2>/dev/null || true
nft add chain inet filter output { type filter hook output priority 0 \; } 2>/dev/null || true
# Check if rules already exist
if nft list chain inet filter output 2>/dev/null | grep -q "$LEARN_FOUNDRY_IP"; then
log "${YELLOW}nftables rules already exist, skipping...${NC}"
else
# Block learn.foundry.com
nft add rule inet filter output ip daddr "$LEARN_FOUNDRY_IP" counter reject
log "Blocked $LEARN_FOUNDRY_IP (learn.foundry.com)"
# Block api.honeycomb.io
nft add rule inet filter output ip daddr "$HONEYCOMB_IP" counter reject
log "Blocked $HONEYCOMB_IP (api.honeycomb.io)"
# Note: nftables doesn't have direct string matching like iptables
# For sentry.foundry.com, rely on DNS/hosts file blocking
log "${YELLOW}Note: sentry.foundry.com blocking requires DNS/hosts file (nftables limitation)${NC}"
fi
# Make persistent
nft list ruleset > /etc/nftables.conf
log "Rules saved to /etc/nftables.conf"
# Enable nftables service
if systemctl is-enabled nftables.service &>/dev/null; then
systemctl enable nftables.service
fi
}
remove_iptables_blocks() {
log "${YELLOW}Removing iptables blocks...${NC}"
# Remove specific rules
iptables -D OUTPUT -d "$LEARN_FOUNDRY_IP" -j REJECT --reject-with icmp-host-unreachable 2>/dev/null || true
iptables -D OUTPUT -d "$HONEYCOMB_IP" -j REJECT --reject-with icmp-host-unreachable 2>/dev/null || true
iptables -D OUTPUT -p tcp --dport 443 -m string --string "sentry.foundry.com" --algo bm -j REJECT --reject-with tcp-reset 2>/dev/null || true
log "iptables blocks removed"
# Save updated rules
if [ -d "/etc/iptables" ]; then
iptables-save > /etc/iptables/iptables.rules
log "Updated rules saved"
fi
}
remove_nftables_blocks() {
log "${YELLOW}Removing nftables blocks...${NC}"
# Get rule handles and delete
nft -a list chain inet filter output 2>/dev/null | grep "$LEARN_FOUNDRY_IP" | awk '{print $NF}' | while read handle; do
nft delete rule inet filter output handle "$handle" 2>/dev/null || true
done
nft -a list chain inet filter output 2>/dev/null | grep "$HONEYCOMB_IP" | awk '{print $NF}' | while read handle; do
nft delete rule inet filter output handle "$handle" 2>/dev/null || true
done
log "nftables blocks removed"
# Save updated rules
nft list ruleset > /etc/nftables.conf
log "Updated rules saved"
}
show_status() {
FIREWALL=$(detect_firewall)
log "${GREEN}=== Firewall Status ===${NC}"
log "Active firewall: $FIREWALL"
echo ""
if [ "$FIREWALL" = "iptables" ]; then
log "iptables OUTPUT chain (Nuke-related rules):"
iptables -L OUTPUT -v -n | grep -E "$LEARN_FOUNDRY_IP|$HONEYCOMB_IP|sentry.foundry.com" || echo "No Nuke blocking rules found"
elif [ "$FIREWALL" = "nftables" ]; then
log "nftables rules (Nuke-related):"
nft list chain inet filter output 2>/dev/null | grep -E "$LEARN_FOUNDRY_IP|$HONEYCOMB_IP" || echo "No Nuke blocking rules found"
else
log "${RED}No firewall detected${NC}"
fi
echo ""
log "Testing connectivity to blocked IPs:"
timeout 2 ping -c 1 "$LEARN_FOUNDRY_IP" &>/dev/null && echo " $LEARN_FOUNDRY_IP: REACHABLE (NOT BLOCKED)" || echo " $LEARN_FOUNDRY_IP: BLOCKED ✓"
timeout 2 ping -c 1 "$HONEYCOMB_IP" &>/dev/null && echo " $HONEYCOMB_IP: REACHABLE (NOT BLOCKED)" || echo " $HONEYCOMB_IP: BLOCKED ✓"
}
main() {
check_root
FIREWALL=$(detect_firewall)
if [ "$1" = "--restore" ] || [ "$1" = "--remove" ]; then
log "${YELLOW}=== Removing Nuke Telemetry Blocks ===${NC}"
if [ "$FIREWALL" = "iptables" ]; then
remove_iptables_blocks
elif [ "$FIREWALL" = "nftables" ]; then
remove_nftables_blocks
else
log "${RED}No firewall detected, nothing to remove${NC}"
exit 1
fi
log "${GREEN}Blocks removed successfully${NC}"
elif [ "$1" = "--status" ]; then
show_status
else
log "${GREEN}=== Nuke Telemetry Firewall Blocker ===${NC}"
log "This will block Foundry telemetry at the firewall level"
log "Known endpoints: learn.foundry.com, api.honeycomb.io, sentry.foundry.com"
echo ""
if [ "$FIREWALL" = "none" ]; then
log "${RED}Error: No firewall detected${NC}"
log "Install iptables or nftables first:"
log " Arch: sudo pacman -S iptables-nft"
log " Ubuntu: sudo apt install iptables"
exit 1
fi
log "Detected firewall: $FIREWALL"
echo ""
read -p "Continue? (y/n): " confirm
if [ "$confirm" != "y" ]; then
log "Aborted"
exit 0
fi
if [ "$FIREWALL" = "iptables" ]; then
apply_iptables_blocks
elif [ "$FIREWALL" = "nftables" ]; then
apply_nftables_blocks
fi
log ""
log "${GREEN}✓ Firewall blocks applied successfully${NC}"
log ""
log "Verify with: sudo bash $0 --status"
log "Remove with: sudo bash $0 --restore"
log ""
log "Log file: $LOG_FILE"
fi
}
main "$@"

55
scripts/inspect_local_data.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
# Inspect local Nuke databases for telemetry data
echo "=== Nuke Local Data Inspection ==="
echo ""
# Find all databases
echo "1. Finding all database files..."
find ~/Documents/nuke ~/.nuke ~/.cache -name "*.db" -o -name "*.sqlite" 2>/dev/null | while read dbfile; do
echo " Found: $dbfile"
ls -lh "$dbfile"
done
echo ""
echo "2. Checking sync database..."
SYNC_DB="$HOME/.nuke/.sync_8178bafde38a.db"
if [ -f "$SYNC_DB" ]; then
echo " File: $SYNC_DB"
echo " Size: $(du -h "$SYNC_DB" | cut -f1)"
echo " Type: $(file "$SYNC_DB")"
echo ""
# Check if it's a SQLite database
if file "$SYNC_DB" | grep -q SQLite; then
echo " It's a SQLite database. Inspecting tables..."
sqlite3 "$SYNC_DB" ".tables" 2>&1
echo ""
echo " Database schema:"
sqlite3 "$SYNC_DB" ".schema" 2>&1 | head -50
else
echo " Not a SQLite database. Checking for readable strings..."
strings "$SYNC_DB" | grep -iE 'email|domain|location|telemetry|analytics|foundry|honeycomb|sentry' | head -20
fi
else
echo " Sync database not found at expected location"
fi
echo ""
echo "3. Checking for Sentry database..."
find ~/Documents/nuke ~/.nuke -path "*sentry-db*" -ls 2>/dev/null
echo ""
echo "4. Checking Nuke config files for telemetry settings..."
find ~/Documents/nuke ~/.nuke -name "*.prefs" -o -name "*.xml" -o -name "*config*" 2>/dev/null | while read config; do
echo " Checking: $config"
grep -iE 'telemetry|analytics|sentry|honeycomb|crash|report' "$config" 2>/dev/null && echo " ^ FOUND TELEMETRY REFERENCE"
done
echo ""
echo "5. Recent Nuke cache files..."
find ~/.cache -name "*nuke*" -o -name "*foundry*" 2>/dev/null | head -10
echo ""
echo "=== Inspection Complete ==="

288
scripts/monitor_nuke_network.sh Executable file
View File

@ -0,0 +1,288 @@
#!/bin/bash
#
# Nuke Network Monitoring and Alert Script
# Monitors Nuke processes for external network connections and alerts when found
#
# Usage:
# bash monitor_nuke_network.sh # Run one-time check
# bash monitor_nuke_network.sh --continuous # Run continuously (Ctrl+C to stop)
# bash monitor_nuke_network.sh --daemon # Run as background daemon
#
# Cron installation (check every 5 minutes):
# */5 * * * * /home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring/scripts/monitor_nuke_network.sh >> /tmp/nuke_monitor.log 2>&1
#
# Configuration
ALERT_LOG="/home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring/nuke_telemetry_alerts.log"
CHECK_INTERVAL=5 # seconds for continuous mode
# Known Foundry domains and IPs (for enhanced alerting)
declare -A KNOWN_ENDPOINTS=(
["52.50.232.31"]="learn.foundry.com"
["52.205.16.9"]="api.honeycomb.io"
)
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_alert() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Log to file
echo "[$timestamp] $message" >> "$ALERT_LOG"
# Print to console
echo -e "${RED}[ALERT]${NC} $message"
# Desktop notification (if in X session)
if [ -n "$DISPLAY" ] && command -v notify-send &>/dev/null; then
notify-send -u critical "Nuke Telemetry Alert" "$message"
fi
}
log_info() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo -e "${BLUE}[INFO]${NC} [$timestamp] $message"
}
log_success() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo -e "${GREEN}[OK]${NC} [$timestamp] $message"
}
get_nuke_pids() {
# Find all Nuke processes (handles various process names)
pgrep -f "Nuke15\\.2|Nuke15\\.2v6|/Nuke$" 2>/dev/null
}
resolve_ip_to_domain() {
local ip="$1"
# Check known endpoints first
if [ -n "${KNOWN_ENDPOINTS[$ip]}" ]; then
echo "${KNOWN_ENDPOINTS[$ip]}"
return
fi
# Try reverse DNS lookup
local domain=$(dig -x "$ip" +short 2>/dev/null | head -1)
if [ -n "$domain" ]; then
echo "$domain"
else
echo "unknown"
fi
}
check_nuke_connections() {
local pids=$(get_nuke_pids)
if [ -z "$pids" ]; then
log_info "No Nuke processes running"
return 0
fi
log_info "Monitoring Nuke processes: $(echo $pids | tr '\n' ' ')"
local found_external=false
# Check each Nuke PID
for pid in $pids; do
# Get process name and command
local proc_info=$(ps -p "$pid" -o comm,cmd --no-headers 2>/dev/null)
if [ -z "$proc_info" ]; then
# Process may have exited
continue
fi
# Get established connections (exclude localhost)
local connections=$(sudo ss -tnp 2>/dev/null | grep "pid=$pid" | grep "ESTAB" | grep -v "127.0.0.1")
if [ -n "$connections" ]; then
# Parse connections
while IFS= read -r conn; do
# Extract remote IP and port
# ss output format: ESTAB 0 0 local_ip:port remote_ip:port
local remote=$(echo "$conn" | awk '{print $5}')
local remote_ip=$(echo "$remote" | cut -d':' -f1)
local remote_port=$(echo "$remote" | cut -d':' -f2)
# Skip if localhost or local network (adjust if needed)
if [[ "$remote_ip" == 127.* ]] || [[ "$remote_ip" == 10.* ]] || [[ "$remote_ip" == 192.168.* ]]; then
continue
fi
found_external=true
# Resolve domain
local domain=$(resolve_ip_to_domain "$remote_ip")
# Create detailed alert
local alert_msg="Nuke external connection detected"
alert_msg+="\n Process: $proc_info"
alert_msg+="\n PID: $pid"
alert_msg+="\n Remote: $remote_ip:$remote_port"
alert_msg+="\n Domain: $domain"
alert_msg+="\n Full connection: $conn"
log_alert "$alert_msg"
# Check if it's a known Foundry endpoint
if [ "$domain" != "unknown" ] && [[ "$domain" =~ foundry|honeycomb|sentry ]]; then
log_alert "⚠ Known telemetry endpoint: $domain"
fi
done <<< "$connections"
fi
done
if [ "$found_external" = false ]; then
log_success "No external connections detected (localhost only)"
fi
return 0
}
run_continuous() {
log_info "Starting continuous monitoring (interval: ${CHECK_INTERVAL}s)"
log_info "Press Ctrl+C to stop"
log_info "Alerts will be logged to: $ALERT_LOG"
echo ""
# Create alert log if it doesn't exist
touch "$ALERT_LOG"
while true; do
check_nuke_connections
echo ""
sleep "$CHECK_INTERVAL"
done
}
run_daemon() {
log_info "Starting daemon mode (background)"
# Redirect output to log
DAEMON_LOG="/tmp/nuke_monitor_daemon.log"
# Run in background
nohup bash "$0" --continuous > "$DAEMON_LOG" 2>&1 &
local daemon_pid=$!
log_success "Daemon started (PID: $daemon_pid)"
log_info "Daemon log: $DAEMON_LOG"
log_info "Alert log: $ALERT_LOG"
log_info "Stop with: kill $daemon_pid"
}
show_help() {
cat << EOF
Nuke Network Monitoring and Alert Script
Usage:
bash monitor_nuke_network.sh Run one-time check
bash monitor_nuke_network.sh --continuous Run continuously (Ctrl+C to stop)
bash monitor_nuke_network.sh --daemon Run as background daemon
bash monitor_nuke_network.sh --log Show alert log
bash monitor_nuke_network.sh --help Show this help
Installation as Cron Job:
# Check every 5 minutes
crontab -e
# Add this line:
*/5 * * * * /home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring/scripts/monitor_nuke_network.sh >> /tmp/nuke_monitor.log 2>&1
Installation as Systemd Timer:
# Create service file: /etc/systemd/system/nuke-monitor.service
# Create timer file: /etc/systemd/system/nuke-monitor.timer
# See script comments for full systemd unit files
What This Does:
- Finds all running Nuke processes
- Checks for external network connections (non-localhost)
- Alerts when Foundry telemetry endpoints are contacted
- Logs alerts to: $ALERT_LOG
- Sends desktop notifications (if available)
Alert Log: $ALERT_LOG
EOF
}
show_log() {
if [ ! -f "$ALERT_LOG" ]; then
log_info "No alerts logged yet"
log_info "Alert log will be created at: $ALERT_LOG"
return
fi
log_info "Recent alerts (last 20 lines):"
echo ""
tail -20 "$ALERT_LOG"
echo ""
log_info "Full log: $ALERT_LOG"
}
main() {
case "$1" in
--continuous|-c)
run_continuous
;;
--daemon|-d)
run_daemon
;;
--log|-l)
show_log
;;
--help|-h)
show_help
;;
*)
# Default: run single check
check_nuke_connections
;;
esac
}
main "$@"
# Systemd unit files for reference:
#
# /etc/systemd/system/nuke-monitor.service:
# [Unit]
# Description=Nuke Network Monitoring
# After=network.target
#
# [Service]
# Type=simple
# ExecStart=/home/nicholai/Documents/obsidian-vault/2-projects/Nuke-monitoring/scripts/monitor_nuke_network.sh --continuous
# Restart=always
# User=root
#
# [Install]
# WantedBy=multi-user.target
#
# /etc/systemd/system/nuke-monitor.timer:
# [Unit]
# Description=Nuke Network Monitoring Timer
#
# [Timer]
# OnBootSec=1min
# OnUnitActiveSec=5min
#
# [Install]
# WantedBy=timers.target
#
# Enable with:
# sudo systemctl daemon-reload
# sudo systemctl enable --now nuke-monitor.timer

117
scripts/monitor_nuke_telemetry.sh Executable file
View File

@ -0,0 +1,117 @@
#!/bin/bash
# Ongoing Nuke telemetry monitor
# Logs all Foundry-related network connections with timestamps
LOG_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/telemetry-logs"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
LOG_FILE="$LOG_DIR/nuke_telemetry_$TIMESTAMP.log"
PCAP_FILE="$LOG_DIR/nuke_telemetry_$TIMESTAMP.pcap"
# Create log directory if it doesn't exist
mkdir -p "$LOG_DIR"
echo "=== Nuke Telemetry Monitor Started ===" | tee -a "$LOG_FILE"
echo "Started: $(date)" | tee -a "$LOG_FILE"
echo "Log file: $LOG_FILE" | tee -a "$LOG_FILE"
echo "Packet capture: $PCAP_FILE" | tee -a "$LOG_FILE"
echo "" | tee -a "$LOG_FILE"
# Known Foundry domains and IPs
FOUNDRY_DOMAINS=(
"foundry.com"
"learn.foundry.com"
"sentry.foundry.com"
"api.honeycomb.io"
"52.50.232.31" # AWS Ireland - learn.foundry.com
"52.205.16.9" # AWS Virginia - api.honeycomb.io
)
echo "Monitoring for connections to:" | tee -a "$LOG_FILE"
for domain in "${FOUNDRY_DOMAINS[@]}"; do
echo " - $domain" | tee -a "$LOG_FILE"
done
echo "" | tee -a "$LOG_FILE"
# Build tcpdump filter
FILTER=""
for i in "${!FOUNDRY_DOMAINS[@]}"; do
if [ $i -eq 0 ]; then
FILTER="host ${FOUNDRY_DOMAINS[$i]}"
else
FILTER="$FILTER or host ${FOUNDRY_DOMAINS[$i]}"
fi
done
# Start packet capture in background
echo "Starting packet capture..." | tee -a "$LOG_FILE"
sudo tcpdump -i any -w "$PCAP_FILE" "$FILTER" >> "$LOG_FILE" 2>&1 &
TCPDUMP_PID=$!
echo "tcpdump PID: $TCPDUMP_PID" | tee -a "$LOG_FILE"
echo "" | tee -a "$LOG_FILE"
# Function to log connection
log_connection() {
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] $1" | tee -a "$LOG_FILE"
}
# Function to cleanup on exit
cleanup() {
log_connection "Monitor stopped by user (Ctrl+C)"
log_connection "Stopping tcpdump (PID: $TCPDUMP_PID)..."
sudo kill $TCPDUMP_PID 2>/dev/null
# Generate summary
echo "" | tee -a "$LOG_FILE"
echo "=== Session Summary ===" | tee -a "$LOG_FILE"
echo "Ended: $(date)" | tee -a "$LOG_FILE"
if [ -f "$PCAP_FILE" ]; then
PACKET_COUNT=$(sudo tcpdump -r "$PCAP_FILE" 2>/dev/null | wc -l)
PCAP_SIZE=$(du -h "$PCAP_FILE" | cut -f1)
echo "Packets captured: $PACKET_COUNT" | tee -a "$LOG_FILE"
echo "Capture file size: $PCAP_SIZE" | tee -a "$LOG_FILE"
# Quick analysis
echo "" | tee -a "$LOG_FILE"
echo "Domains contacted:" | tee -a "$LOG_FILE"
sudo tcpdump -r "$PCAP_FILE" -n 2>/dev/null | \
grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
sort -u | while read ip; do
echo " - $ip" | tee -a "$LOG_FILE"
done
fi
echo "" | tee -a "$LOG_FILE"
echo "Log saved to: $LOG_FILE" | tee -a "$LOG_FILE"
echo "Capture saved to: $PCAP_FILE" | tee -a "$LOG_FILE"
exit 0
}
trap cleanup INT TERM
# Monitor active connections in real-time
log_connection "Monitoring active connections (press Ctrl+C to stop)..."
echo "" | tee -a "$LOG_FILE"
LAST_CONNECTIONS=""
while true; do
# Check if Nuke is running
NUKE_PIDS=$(pgrep -f Nuke)
if [ -n "$NUKE_PIDS" ]; then
# Check for Foundry connections
CURRENT_CONNECTIONS=$(sudo ss -tnp 2>/dev/null | grep -E "$(echo ${FOUNDRY_DOMAINS[@]} | tr ' ' '|')" 2>/dev/null)
if [ -n "$CURRENT_CONNECTIONS" ] && [ "$CURRENT_CONNECTIONS" != "$LAST_CONNECTIONS" ]; then
log_connection "NEW CONNECTION DETECTED:"
echo "$CURRENT_CONNECTIONS" | while read line; do
echo " $line" | tee -a "$LOG_FILE"
done
echo "" | tee -a "$LOG_FILE"
LAST_CONNECTIONS="$CURRENT_CONNECTIONS"
fi
fi
sleep 5
done

83
scripts/monitor_nuke_telemetry_service.sh Executable file
View File

@ -0,0 +1,83 @@
#!/bin/bash
# Install Nuke telemetry monitoring as a systemd service
# This allows it to run automatically in the background
SERVICE_NAME="nuke-telemetry-monitor"
SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
MONITOR_SCRIPT="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/monitor_nuke_telemetry.sh"
echo "=== Nuke Telemetry Monitor Service Installer ==="
echo ""
echo "This will install a background service that monitors Nuke telemetry"
echo "whenever Nuke is running. Logs will be saved automatically."
echo ""
read -p "Continue? (y/n): " confirm
if [ "$confirm" != "y" ]; then
echo "Aborted."
exit 0
fi
# Make monitor script executable
chmod +x "$MONITOR_SCRIPT"
# Create systemd service file
echo ""
echo "Creating systemd service..."
sudo tee "$SERVICE_FILE" > /dev/null << EOF
[Unit]
Description=Nuke Telemetry Monitor
After=network.target
[Service]
Type=simple
User=$USER
ExecStart=$MONITOR_SCRIPT
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
EOF
echo "✓ Service file created: $SERVICE_FILE"
# Reload systemd
echo ""
echo "Reloading systemd..."
sudo systemctl daemon-reload
echo "✓ systemd reloaded"
# Enable and start service
echo ""
read -p "Start monitoring now? (y/n): " start_now
if [ "$start_now" = "y" ]; then
sudo systemctl enable "$SERVICE_NAME"
sudo systemctl start "$SERVICE_NAME"
echo "✓ Service enabled and started"
echo ""
echo "Check status with:"
echo " sudo systemctl status $SERVICE_NAME"
echo ""
echo "View logs with:"
echo " sudo journalctl -u $SERVICE_NAME -f"
else
echo "Service created but not started."
echo ""
echo "To start later:"
echo " sudo systemctl enable $SERVICE_NAME"
echo " sudo systemctl start $SERVICE_NAME"
fi
echo ""
echo "=== Service Management Commands ==="
echo "Start: sudo systemctl start $SERVICE_NAME"
echo "Stop: sudo systemctl stop $SERVICE_NAME"
echo "Restart: sudo systemctl restart $SERVICE_NAME"
echo "Status: sudo systemctl status $SERVICE_NAME"
echo "Logs: sudo journalctl -u $SERVICE_NAME -f"
echo "Disable: sudo systemctl disable $SERVICE_NAME"
echo ""

282
scripts/nuke_isolated.sh Executable file
View File

@ -0,0 +1,282 @@
#!/bin/bash
#
# Nuke Network Namespace Isolation Launcher
# Launches Nuke in a network namespace with only localhost access
# This blocks ALL external network connections while preserving frameserver communication
#
# Usage:
# sudo bash nuke_isolated.sh [NUKE_ARGS] # Launch Nuke in isolated namespace
# sudo bash nuke_isolated.sh --nukex # Launch NukeX in isolated namespace
# sudo bash nuke_isolated.sh --cleanup # Clean up namespace (run if Nuke crashes)
# sudo bash nuke_isolated.sh --status # Check namespace status
#
set -e
# Configuration
NUKE_EXECUTABLE="/home/nicholai/Nuke15.2v6/Nuke15.2"
NUKE_ALT_EXECUTABLE="/home/nicholai/Nuke15.2v6/Nuke" # Fallback name
NAMESPACE="nuke_isolated"
ACTUAL_USER="${SUDO_USER:-$USER}"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log() {
echo -e "$1"
}
check_root() {
if [ "$EUID" -ne 0 ]; then
log "${RED}Error: This script must be run as root${NC}"
log "Usage: sudo bash $0"
exit 1
fi
}
check_nuke_exists() {
if [ -f "$NUKE_EXECUTABLE" ]; then
log "${GREEN}Found Nuke executable: $NUKE_EXECUTABLE${NC}"
return 0
elif [ -f "$NUKE_ALT_EXECUTABLE" ]; then
log "${YELLOW}Using alternate executable: $NUKE_ALT_EXECUTABLE${NC}"
NUKE_EXECUTABLE="$NUKE_ALT_EXECUTABLE"
return 0
else
log "${RED}Error: Nuke executable not found${NC}"
log "Expected locations:"
log " $NUKE_EXECUTABLE"
log " $NUKE_ALT_EXECUTABLE"
log ""
log "Update NUKE_EXECUTABLE in this script to match your installation"
exit 1
fi
}
namespace_exists() {
ip netns list 2>/dev/null | grep -q "^$NAMESPACE\$"
}
create_namespace() {
log "${BLUE}Creating network namespace: $NAMESPACE${NC}"
if namespace_exists; then
log "${YELLOW}Namespace already exists, cleaning up first...${NC}"
cleanup_namespace
fi
# Create namespace
ip netns add "$NAMESPACE"
log "Created namespace: $NAMESPACE"
# Bring up loopback interface (allows 127.0.0.1 connections)
ip netns exec "$NAMESPACE" ip link set lo up
log "Enabled loopback interface (frameserver will work)"
# Verify namespace configuration
log ""
log "${GREEN}Namespace configuration:${NC}"
ip netns exec "$NAMESPACE" ip addr show lo | grep -E "lo:|inet "
}
cleanup_namespace() {
log "${YELLOW}Cleaning up namespace: $NAMESPACE${NC}"
if namespace_exists; then
# Kill any processes still in the namespace
ip netns pids "$NAMESPACE" 2>/dev/null | while read pid; do
log "Killing process $pid in namespace"
kill -9 "$pid" 2>/dev/null || true
done
# Delete namespace
ip netns delete "$NAMESPACE"
log "Deleted namespace: $NAMESPACE"
else
log "Namespace does not exist, nothing to clean up"
fi
}
show_status() {
log "${GREEN}=== Network Namespace Status ===${NC}"
echo ""
if namespace_exists; then
log "${GREEN}Namespace '$NAMESPACE' exists${NC}"
echo ""
log "Network interfaces in namespace:"
ip netns exec "$NAMESPACE" ip addr show
echo ""
log "Processes running in namespace:"
if ip netns pids "$NAMESPACE" 2>/dev/null | grep -q .; then
ip netns pids "$NAMESPACE" | while read pid; do
ps -p "$pid" -o pid,cmd --no-headers
done
else
log " No processes running"
fi
else
log "${YELLOW}Namespace '$NAMESPACE' does not exist${NC}"
fi
}
launch_nuke() {
log "${GREEN}=== Launching Nuke in Isolated Network Namespace ===${NC}"
log ""
log "Configuration:"
log " Executable: $NUKE_EXECUTABLE"
log " Namespace: $NAMESPACE"
log " User: $ACTUAL_USER"
log " Network access: LOCALHOST ONLY (127.0.0.1)"
log ""
log "${YELLOW}WARNING: All external network features will be disabled${NC}"
log " - No telemetry transmission"
log " - No online help"
log " - No license server access (if using floating licenses)"
log " + Frameserver will work (uses localhost)"
log ""
read -p "Continue? (y/n): " confirm
if [ "$confirm" != "y" ]; then
log "Aborted"
exit 0
fi
# Create namespace
create_namespace
log ""
log "${BLUE}Launching Nuke...${NC}"
log ""
# Store user's display and X auth for GUI
XAUTHORITY_PATH="${XAUTHORITY:-/home/$ACTUAL_USER/.Xauthority}"
DISPLAY_VALUE="${DISPLAY:-:1}"
# Capture Wayland/Hyprland environment variables to prevent cursor scaling issues
WAYLAND_DISPLAY_VALUE="${WAYLAND_DISPLAY:-}"
XDG_RUNTIME_DIR_VALUE="${XDG_RUNTIME_DIR:-/run/user/1000}"
XCURSOR_SIZE_VALUE="${XCURSOR_SIZE:-24}"
XCURSOR_THEME_VALUE="${XCURSOR_THEME:-}"
HYPRCURSOR_SIZE_VALUE="${HYPRCURSOR_SIZE:-24}"
HYPRCURSOR_THEME_VALUE="${HYPRCURSOR_THEME:-}"
QT_QPA_PLATFORMTHEME_VALUE="${QT_QPA_PLATFORMTHEME:-}"
WLR_NO_HARDWARE_CURSORS_VALUE="${WLR_NO_HARDWARE_CURSORS:-}"
# Launch Nuke in namespace as the actual user
# We need to preserve X11/Wayland environment for GUI
ip netns exec "$NAMESPACE" sudo -u "$ACTUAL_USER" \
env DISPLAY="$DISPLAY_VALUE" \
XAUTHORITY="$XAUTHORITY_PATH" \
HOME="/home/$ACTUAL_USER" \
USER="$ACTUAL_USER" \
WAYLAND_DISPLAY="$WAYLAND_DISPLAY_VALUE" \
XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR_VALUE" \
XCURSOR_SIZE="$XCURSOR_SIZE_VALUE" \
XCURSOR_THEME="$XCURSOR_THEME_VALUE" \
HYPRCURSOR_SIZE="$HYPRCURSOR_SIZE_VALUE" \
HYPRCURSOR_THEME="$HYPRCURSOR_THEME_VALUE" \
QT_QPA_PLATFORMTHEME="$QT_QPA_PLATFORMTHEME_VALUE" \
WLR_NO_HARDWARE_CURSORS="$WLR_NO_HARDWARE_CURSORS_VALUE" \
"$NUKE_EXECUTABLE" "$@" &
NUKE_PID=$!
log "${GREEN}Nuke launched (PID: $NUKE_PID)${NC}"
log ""
log "Monitoring network isolation..."
log "Press Ctrl+C to stop monitoring (Nuke will keep running)"
log ""
# Monitor for 10 seconds to verify isolation
for i in {1..10}; do
sleep 1
# Check if Nuke is still running
if ! kill -0 "$NUKE_PID" 2>/dev/null; then
log "${RED}Nuke exited unexpectedly${NC}"
log "Check for errors in Nuke's output or logs"
cleanup_namespace
exit 1
fi
# Verify no external connections
EXTERNAL_CONNS=$(ip netns exec "$NAMESPACE" ss -tnp 2>/dev/null | grep -v "127.0.0.1" | grep "ESTAB" || true)
if [ -n "$EXTERNAL_CONNS" ]; then
log "${RED}WARNING: External connection detected!${NC}"
echo "$EXTERNAL_CONNS"
else
echo -n "."
fi
done
log ""
log ""
log "${GREEN}✓ Nuke is running in isolated namespace${NC}"
log ""
log "Useful commands:"
log " Check namespace status: sudo bash $0 --status"
log " View Nuke connections: sudo ip netns exec $NAMESPACE ss -tnp | grep Nuke"
log " Kill Nuke: kill $NUKE_PID"
log " Cleanup namespace: sudo bash $0 --cleanup"
log ""
log "Note: Namespace will be automatically cleaned up when Nuke exits"
log " If Nuke crashes, run: sudo bash $0 --cleanup"
# Wait for Nuke to exit, then cleanup
wait "$NUKE_PID" 2>/dev/null || true
log ""
log "${YELLOW}Nuke exited, cleaning up namespace...${NC}"
cleanup_namespace
log "${GREEN}Cleanup complete${NC}"
}
main() {
check_root
if [ "$1" = "--cleanup" ] || [ "$1" = "--clean" ]; then
cleanup_namespace
elif [ "$1" = "--status" ]; then
show_status
elif [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
log "Nuke Network Namespace Isolation Launcher"
log ""
log "Usage:"
log " sudo bash $0 [NUKE_ARGS] Launch Nuke in isolated namespace"
log " sudo bash $0 --cleanup Clean up namespace"
log " sudo bash $0 --status Check namespace status"
log " sudo bash $0 --help Show this help"
log ""
log "Examples:"
log " sudo bash $0 Launch Nuke normally"
log " sudo bash $0 --nukex Launch NukeX"
log " sudo bash $0 --nc Launch in non-commercial mode"
log ""
log "What this does:"
log " - Creates a network namespace with ONLY loopback interface"
log " - Launches Nuke inside the namespace"
log " - Blocks ALL external network access (no telemetry possible)"
log " - Preserves localhost (127.0.0.1) for frameserver communication"
log " - Preserves Wayland/Hyprland display settings (cursor theme/size)"
log ""
log "Configuration:"
log " Nuke executable: $NUKE_EXECUTABLE"
log " Namespace name: $NAMESPACE"
else
check_nuke_exists
# Pass all arguments to launch_nuke, which will forward them to Nuke
launch_nuke "$@"
fi
}
main "$@"

210
scripts/run_gap_tests.sh Executable file
View File

@ -0,0 +1,210 @@
#!/bin/bash
# Automated gap testing for Nuke telemetry
# Handles common issues and provides clear output
OUTPUT_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/gap-tests"
mkdir -p "$OUTPUT_DIR"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
echo "=== Nuke Telemetry Gap Testing ==="
echo "Output directory: $OUTPUT_DIR"
echo ""
# Check if Nuke is running
NUKE_PID=$(pgrep -f Nuke)
if [ -z "$NUKE_PID" ]; then
echo "WARNING: Nuke is not currently running."
echo "Some tests require Nuke to be running."
echo ""
fi
# Test 1: Inspect local databases
echo "======================================"
echo "TEST 1: Local Database Inspection"
echo "======================================"
echo ""
echo "Finding database files..."
find ~/Documents/nuke ~/.nuke ~/.cache -name "*.db" -o -name "*.sqlite" 2>/dev/null | tee "$OUTPUT_DIR/databases_found.txt"
SYNC_DB="$HOME/.nuke/.sync_8178bafde38a.db"
if [ -f "$SYNC_DB" ]; then
echo ""
echo "Analyzing sync database: $SYNC_DB"
echo "Size: $(du -h "$SYNC_DB" | cut -f1)"
echo "Type: $(file "$SYNC_DB")"
# Try to read as SQLite
if command -v sqlite3 &> /dev/null; then
echo ""
echo "SQLite tables:"
sqlite3 "$SYNC_DB" ".tables" 2>&1 | tee "$OUTPUT_DIR/sqlite_tables.txt"
echo ""
echo "SQLite schema (first 50 lines):"
sqlite3 "$SYNC_DB" ".schema" 2>&1 | head -50 | tee "$OUTPUT_DIR/sqlite_schema.txt"
else
echo "sqlite3 not installed. Extracting readable strings..."
strings "$SYNC_DB" | head -100 > "$OUTPUT_DIR/sync_db_strings.txt"
echo "Strings saved to: $OUTPUT_DIR/sync_db_strings.txt"
fi
# Check for sensitive data
echo ""
echo "Checking for sensitive data patterns..."
strings "$SYNC_DB" | /bin/grep -iE 'email|domain|location|honeycomb|sentry|foundry' | head -20 | tee "$OUTPUT_DIR/sensitive_patterns.txt"
fi
echo ""
echo "Test 1 complete. Results saved to $OUTPUT_DIR/"
echo ""
read -p "Press Enter to continue to Test 2..."
# Test 2: System file access tracing (if Nuke is running)
echo ""
echo "======================================"
echo "TEST 2: System File Access Tracing"
echo "======================================"
echo ""
if [ -z "$NUKE_PID" ]; then
echo "SKIPPED: Nuke is not running"
else
echo "Tracing Nuke process: $NUKE_PID"
echo "This will run for 30 seconds..."
echo ""
# Run strace in background
sudo strace -e trace=open,openat,read -p "$NUKE_PID" -o "$OUTPUT_DIR/strace_raw_$TIMESTAMP.log" 2>&1 &
STRACE_PID=$!
echo "strace running (PID: $STRACE_PID)..."
echo "Please use Nuke normally for the next 30 seconds"
echo "(Open files, use tools, access menus, etc.)"
sleep 30
echo ""
echo "Stopping strace..."
sudo kill $STRACE_PID 2>/dev/null
wait $STRACE_PID 2>/dev/null
echo "Processing strace output..."
# Filter for system file access
/bin/grep -E '/proc|/sys|/etc' "$OUTPUT_DIR/strace_raw_$TIMESTAMP.log" > "$OUTPUT_DIR/system_file_access_$TIMESTAMP.txt" 2>/dev/null
# Count accesses
PROC_COUNT=$(/bin/grep -c '/proc' "$OUTPUT_DIR/system_file_access_$TIMESTAMP.txt" 2>/dev/null || echo "0")
SYS_COUNT=$(/bin/grep -c '/sys' "$OUTPUT_DIR/system_file_access_$TIMESTAMP.txt" 2>/dev/null || echo "0")
ETC_COUNT=$(/bin/grep -c '/etc' "$OUTPUT_DIR/system_file_access_$TIMESTAMP.txt" 2>/dev/null || echo "0")
echo ""
echo "System file accesses found:"
echo " /proc: $PROC_COUNT"
echo " /sys: $SYS_COUNT"
echo " /etc: $ETC_COUNT"
echo ""
echo "Sample accesses:"
head -20 "$OUTPUT_DIR/system_file_access_$TIMESTAMP.txt"
echo ""
echo "Full results: $OUTPUT_DIR/system_file_access_$TIMESTAMP.txt"
fi
echo ""
echo "Test 2 complete."
echo ""
read -p "Press Enter to continue to Test 3..."
# Test 3: Startup capture instructions
echo ""
echo "======================================"
echo "TEST 3: Startup Telemetry Capture"
echo "======================================"
echo ""
if [ -n "$NUKE_PID" ]; then
echo "Nuke is currently running. For this test, you need to:"
echo " 1. Close Nuke completely"
echo " 2. Run this script again"
echo " OR"
echo " 3. Manually run the startup capture (see below)"
echo ""
fi
echo "To manually capture startup telemetry:"
echo ""
echo "1. Close Nuke completely"
echo ""
echo "2. Start packet capture:"
echo " sudo tcpdump -i any -w $OUTPUT_DIR/startup_$TIMESTAMP.pcap 'host honeycomb.io or host foundry.com or host sentry.foundry.com' &"
echo ""
echo "3. Note the tcpdump PID, then launch Nuke"
echo ""
echo "4. After Nuke fully loads, stop tcpdump:"
echo " sudo kill <tcpdump_pid>"
echo ""
echo "5. Analyze the capture:"
echo " tshark -r $OUTPUT_DIR/startup_$TIMESTAMP.pcap -q -z io,stat,0"
echo ""
if [ -z "$NUKE_PID" ]; then
read -p "Nuke is not running. Do you want to run startup capture now? (y/n): " DO_STARTUP
if [ "$DO_STARTUP" = "y" ]; then
echo ""
echo "Starting packet capture..."
sudo tcpdump -i any -w "$OUTPUT_DIR/startup_$TIMESTAMP.pcap" 'host honeycomb.io or host foundry.com or host sentry.foundry.com' &
TCPDUMP_PID=$!
echo "Packet capture running (PID: $TCPDUMP_PID)"
echo ""
echo "NOW LAUNCH NUKE"
echo ""
read -p "Press Enter after Nuke has fully loaded..."
echo ""
echo "Stopping packet capture..."
sudo kill $TCPDUMP_PID 2>/dev/null
wait $TCPDUMP_PID 2>/dev/null
sleep 2
if [ -f "$OUTPUT_DIR/startup_$TIMESTAMP.pcap" ]; then
echo ""
echo "Capture complete! Analyzing..."
if command -v tshark &> /dev/null; then
tshark -r "$OUTPUT_DIR/startup_$TIMESTAMP.pcap" -q -z io,stat,0
echo ""
echo "Connections found:"
tshark -r "$OUTPUT_DIR/startup_$TIMESTAMP.pcap" -T fields -e ip.dst | sort -u
else
echo "tshark not installed. Capture saved to:"
echo "$OUTPUT_DIR/startup_$TIMESTAMP.pcap"
ls -lh "$OUTPUT_DIR/startup_$TIMESTAMP.pcap"
fi
else
echo "WARNING: Capture file not created. Check sudo permissions."
fi
fi
fi
echo ""
echo "======================================"
echo "TESTING COMPLETE"
echo "======================================"
echo ""
echo "Results saved to: $OUTPUT_DIR/"
echo ""
echo "Summary of findings:"
echo " - Database files: $OUTPUT_DIR/databases_found.txt"
if [ -n "$NUKE_PID" ]; then
echo " - System access: $OUTPUT_DIR/system_file_access_$TIMESTAMP.txt"
fi
echo ""
echo "Next steps:"
echo " 1. Review the output files in $OUTPUT_DIR/"
echo " 2. If you haven't done startup capture, close Nuke and run this script again"
echo " 3. Consider running shutdown capture manually (see monitoring-gaps-analysis.md)"
echo ""