# Block Nuke Telemetry

A comprehensive toolkit for monitoring, analyzing, and blocking network telemetry from The Foundry's Nuke compositor software on Linux.

## About

This project documents an investigation into network telemetry sent by Nuke (a professional VFX compositing application) and provides tools to monitor, analyze, and optionally block these connections. The investigation was conducted on Arch Linux using packet capture and network monitoring tools.

## Key Findings

**Confirmed Foundry Network Connections:**

| Endpoint | IP Address | Port | Protocol | Purpose |
|----------|------------|------|----------|---------|
| `learn.foundry.com` | 52.50.232.31 | 80 | HTTP | Documentation checks (unencrypted) |
| `api.honeycomb.io` | 52.205.16.9 | 443 | HTTPS | Analytics/telemetry platform |
| `sentry.foundry.com` | - | 443 | HTTPS | Crash reporting via crashpad_handler |

**Telemetry Volume:** ~32KB over 20 minutes of typical usage (136 packets) - minimal but present.

**Privacy Concerns:**

- Unencrypted HTTP traffic to `learn.foundry.com` exposes Nuke version and usage patterns to ISP/network observers
- No obvious opt-out mechanism in Nuke preferences
- EULA grants Foundry "irrevocable authorization" to collect usage data, system details, and geographic location

See [EULA-Analysis.md](EULA-Analysis.md) for detailed legal analysis and [nuke_foundry_analysis.md](nuke_foundry_analysis.md) for technical packet analysis.

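
Added example, not one of this repository's scripts: a triage filter that checks `ss -tnp` output against the endpoints in the Key Findings table. The `ss` lines are constructed sample data, and `KNOWN_ENDPOINTS`, `sample_ss_output` and `classify_connections` are names chosen for this illustration; `sentry.foundry.com` has no recorded IP, so `crashpad_handler` traffic is keyed on process name instead.

```bash
#!/usr/bin/env bash
# Added example: triage `ss -tnp` output against the Key Findings endpoints.
# IP:port pairs are the ones recorded in the table at capture time.
KNOWN_ENDPOINTS='52.50.232.31:80 learn.foundry.com cleartext;52.205.16.9:443 api.honeycomb.io tls'

# Constructed sample of `ss -tnp` output (illustrative, not a real capture).
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.20:51514   52.50.232.31:80    users:(("Nuke15.2",pid=4242,fd=31))
ESTAB  0      0      192.168.1.20:51520   52.205.16.9:443    users:(("Nuke15.2",pid=4242,fd=33))
ESTAB  0      0      192.168.1.20:40112   203.0.113.7:443    users:(("firefox",pid=900,fd=88))
ESTAB  0      0      192.168.1.20:51530   198.51.100.9:443   users:(("crashpad_handler",pid=4250,fd=7))
EOF
}

# Reads ss lines on stdin; prints: STATUS PEER HOST TRANSPORT PROCESS
classify_connections() {
  awk -v endpoints="$KNOWN_ENDPOINTS" '
    BEGIN {
      n = split(endpoints, rows, ";")
      for (i = 1; i <= n; i++) {
        split(rows[i], f, " ")
        host[f[1]] = f[2]; transport[f[1]] = f[3]
      }
    }
    $1 == "ESTAB" {
      split($6, p, "\"")          # users:(("name",pid=...)) -> p[2] is the name
      name = p[2]
      # Keep only Nuke itself and its crash reporter.
      if (tolower(name) !~ /nuke/ && name != "crashpad_handler") next
      if ($5 in host) print "KNOWN", $5, host[$5], transport[$5], name
      else            print "UNLISTED", $5, "-", "-", name
    }'
}

sample_ss_output | classify_connections
```

On a live system, pipe `sudo ss -tnp` into `classify_connections` in place of the sample; `UNLISTED` rows are connections from Nuke processes to peers the table does not cover.
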
## Quick Start

### Monitor Nuke Network Activity

```bash
# Automated monitoring with desktop notifications
bash scripts/monitor_nuke_network.sh --continuous

# Manual packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
  'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'
```

### Block Telemetry (Recommended Method)

The most effective approach uses firewall-level blocking:

```bash
# Apply firewall blocks (iptables or nftables)
sudo bash scripts/firewall_block_nuke.sh

# Verify blocks are active
sudo bash scripts/firewall_block_nuke.sh --status

# Monitor for any bypass attempts
bash scripts/monitor_nuke_network.sh --daemon
```

To unblock later:

```bash
sudo bash scripts/firewall_block_nuke.sh --uninstall
```

### Alternative Blocking Methods

See [Advanced-Blocking-Methods.md](Advanced-Blocking-Methods.md) for comprehensive documentation on all blocking methods:

**Tier 1: Essential (Recommended)**

- Firewall blocking (`scripts/firewall_block_nuke.sh`) - Most robust
- Network monitoring (`scripts/monitor_nuke_network.sh`) - Verification

**Tier 2: Maximum Isolation (Optional)**

- Network namespace isolation (`scripts/nuke_isolated.sh`) - Complete network isolation
- AppArmor MAC (`apparmor/nuke.profile`) - Kernel-enforced security policy

**Tier 3: Network-Wide (Optional)**

- Hosts file blocking (`scripts/block_nuke_telemetry.sh`) - Simple but bypassable
- DNS sinkhole (`scripts/dns_sinkhole_config.sh`) - Network-wide blocking

## Installation

No installation required - this is a collection of standalone scripts and documentation.

**Requirements:**

- Linux (tested on Arch Linux)
- `tcpdump` - Packet capture
- `iptables` or `nftables` - Firewall blocking
- `ss` / `netstat` - Connection monitoring
- `notify-send` - Desktop notifications (optional)

Install dependencies on Arch Linux:

```bash
sudo pacman -S tcpdump iptables nftables iproute2 libnotify
```

## Usage

### Network Monitoring

```bash
# Continuous monitoring with alerts
bash scripts/monitor_nuke_network.sh --continuous

# Run as background daemon
bash scripts/monitor_nuke_network.sh --daemon

# View alert log
bash scripts/monitor_nuke_network.sh --log

# Check current Nuke connections
sudo ss -tnp | grep -i nuke
```

### Packet Capture & Analysis

```bash
# Basic capture
sudo tcpdump -i any -w nuke_capture.pcap 'host sentry.foundry.com'

# Three-terminal method (detailed monitoring)
# Terminal 1: Process bandwidth monitoring
sudo nethogs | tee nethogs.log

# Terminal 2: Packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
  'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'

# Terminal 3: DNS monitoring
sudo tcpdump -i any -n port 53 | grep -i foundry

# Analyze capture
tcpdump -r nuke_capture.pcap
wireshark nuke_capture.pcap
```

### Blocking Telemetry

```bash
# Firewall blocking (recommended)
sudo bash scripts/firewall_block_nuke.sh
sudo bash scripts/firewall_block_nuke.sh --status

# Hosts file blocking (simple)
sudo bash scripts/block_nuke_telemetry.sh

# Network namespace isolation (maximum privacy)
sudo bash scripts/nuke_isolated.sh

# AppArmor enforcement (advanced)
sudo cp apparmor/nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
```

All scripts include built-in help:

```bash
bash scripts/firewall_block_nuke.sh --help
```

### Gap Testing

Run comprehensive tests to identify monitoring gaps:

```bash
# Test startup telemetry, crash reporting, and local data storage
bash scripts/run_gap_tests.sh

# Check local Nuke databases
bash scripts/inspect_local_data.sh
```

## Repository Structure

```
.
├── README.md                          # This file
├── CLAUDE.md                          # Project instructions for Claude Code
├── UNLICENSE                          # Public domain dedication
├── Advanced-Blocking-Methods.md       # Comprehensive blocking guide
├── EULA-Analysis.md                   # Legal analysis of Foundry's EULA
├── FOUNDRY-EULA.md                    # Full EULA text
├── Foudry-Nuke-Monitoring.md          # Master conclusory document
├── nuke_foundry_analysis.md           # Detailed packet analysis
├── INTERCEPTING-HTTPS.md              # HTTPS interception guide
├── TROUBLESHOOTING.md                 # Common issues and solutions
├── Application_Behavior_Analysis.md   # Application behavior documentation
├── monitoring-gaps-analysis.md        # Analysis of monitoring coverage gaps
│
├── scripts/                           # Monitoring and blocking tools
│   ├── firewall_block_nuke.sh         # Firewall-level blocking (iptables/nftables)
│   ├── monitor_nuke_network.sh        # Automated network monitoring
│   ├── nuke_isolated.sh               # Network namespace isolation launcher
│   ├── dns_sinkhole_config.sh         # DNS blocking config generator
│   ├── block_nuke_telemetry.sh        # Simple hosts file blocking
│   ├── capture_startup_wide.sh        # Startup telemetry capture
│   ├── decrypt_nuke_traffic.sh        # HTTPS traffic decryption (MITM)
│   ├── debug_nuke_process.sh          # Process debugging utilities
│   ├── inspect_local_data.sh          # Local database inspection
│   ├── monitor_nuke_telemetry.sh      # Basic telemetry monitoring
│   ├── monitor_nuke_telemetry_service.sh  # Systemd service monitoring
│   └── run_gap_tests.sh               # Comprehensive gap testing
│
├── apparmor/                          # Mandatory access control
│   └── nuke.profile                   # AppArmor security profile
│
└── dump/                              # Capture artifacts (sanitized examples)
    ├── README.md                      # Dump directory documentation
    ├── example_capture.pcap.txt       # Example capture placeholder
    ├── 02/                            # Investigation phase 2
    │   └── logs.md
    └── gap-tests/                     # Gap testing results
        ├── databases_found.txt        # Sanitized database listing
        ├── sensitive_patterns.txt
        ├── sqlite_schema.txt
        └── sqlite_tables.txt
```

## Documentation

### Core Documentation

- **[Advanced-Blocking-Methods.md](Advanced-Blocking-Methods.md)** - Master guide for all blocking methods
- **[Foudry-Nuke-Monitoring.md](Foudry-Nuke-Monitoring.md)** - Master conclusory document (investigation hub)
- **[nuke_foundry_analysis.md](nuke_foundry_analysis.md)** - Detailed 20-minute packet capture analysis
- **[EULA-Analysis.md](EULA-Analysis.md)** - Legal analysis of data collection clauses

### Technical Guides

- **[INTERCEPTING-HTTPS.md](INTERCEPTING-HTTPS.md)** - HTTPS/TLS interception using mitmproxy
- **[TROUBLESHOOTING.md](TROUBLESHOOTING.md)** - Common issues and solutions
- **[Application_Behavior_Analysis.md](Application_Behavior_Analysis.md)** - Application behavior patterns
- **[monitoring-gaps-analysis.md](monitoring-gaps-analysis.md)** - Monitoring coverage gaps

## Privacy Assessment

**What Foundry Collects (per EULA Clause 19.2):**

- License details and activation information
- Computer and network equipment details
- Operating system and system registry files
- Email domain of equipment owners
- Geographic location of computers
- Usage profiling ("profile and extent of use")

**Data Usage:**

- Usage modeling across customer base
- Targeted customer support
- License enforcement and usage limit verification
- Anti-piracy / identifying unlicensed use / contacting enforcement bodies
- Service notifications (updates, maintenance expiry)

**No Opt-Out:** The EULA states authorization is "irrevocable" - accepting the EULA means accepting all telemetry.

## Investigation Methodology

This investigation used the following approach:

1. **Initial discovery** - Used `nethogs`, `iftop`, `nload` to identify suspicious bandwidth
2. **Packet capture** - Collected raw traffic with `tcpdump` during Nuke usage
3. **Process correlation** - Matched network connections to specific Nuke PIDs with `ss`/`netstat`
4. **DNS analysis** - Monitored DNS lookups to identify Foundry domains
5. **Traffic filtering** - Excluded local network and known services to isolate Foundry traffic
6. **Capture analysis** - Identified unencrypted HTTP and encrypted HTTPS connections
7. **Mitigation development** - Created layered blocking tools (hosts, firewall, namespace, AppArmor)
8. **Gap testing** - Validated monitoring coverage and identified edge cases

## Technical Environment

- **OS:** Arch Linux (kernel 6.17.4-arch2-1)
- **Nuke Version:** 15.2v6 (identified from HTTP User-Agent headers)
- **Network Interface:** enp12s0f0
- **Monitoring Tools:** tcpdump, nethogs, ss, wireshark

## Contributing

This project is released to the public domain. Contributions, improvements, and extensions are welcome.

**Ideas for contributions:**

- Testing on other Linux distributions (Ubuntu, CentOS, etc.)
- Testing on macOS (likely requires different firewall commands)
- Windows monitoring and blocking tools (requires completely different approach)
- Analysis of other Foundry products (Mari, Katana, Modo)
- Integration with network security tools (Snort, Suricata, etc.)
- Automated testing frameworks for validating blocks

Please feel free to fork, modify, and share your findings with the VFX community.

## Community & Support

This project was created for the VFX/compositing community to promote transparency in software telemetry practices.

**Sharing your findings:**

- Share on VFX forums (CGSociety, VFXTalk, etc.)
- Discuss on Reddit (r/vfx, r/linux, r/privacy)
- Report findings to The Foundry's support/feedback channels

**No official support:** This is a community research project, not official software. Use at your own risk.

## Legal Notice

This project is for **educational and research purposes only**. It documents network behavior of commercial software and provides tools for users to control their own network traffic.

- Blocking telemetry may violate your EULA agreement with The Foundry
- This toolkit is provided as-is with no warranties
- Users are responsible for compliance with applicable licenses and laws
- The author(s) make no claims about the effectiveness or legality of these tools

**Not affiliated with The Foundry.** All trademarks are property of their respective owners.

## License

This is free and unencumbered software released into the public domain. See [UNLICENSE](UNLICENSE) for details.

---

**Last Updated:** 2025-11-26

**Tested With:** Nuke 15.2v6 on Arch Linux

**Repository:** https://git.biohazardvfx.com/Nicholai/block-nuke-telemetry