NUKE FOUNDRY TRAFFIC ANALYSIS - 20 Minute Capture
==================================================

CAPTURE SUMMARY:

- Duration: ~20 minutes
- Total packets: 136
- Total data: 32KB
- Result: NUKE WAS PHONING HOME!

**Tags:** #note-type/research #domain/technical #project-type/technical #status/complete #priority/high

FOUNDRY CONNECTIONS FOUND:
===========================

1. UNENCRYPTED HTTP TO FOUNDRY (⚠️ NOT ENCRYPTED!)

IP: 52.50.232.31 (AWS Ireland)
Domain: learn.foundry.com
Port: 80 (HTTP - unencrypted)
Requests: 8 HEAD requests to /nuke/15.2/Default.html
User-Agent: Mozilla/5.0

WHAT THIS MEANS:

- Nuke periodically checks if help documentation is available
- HEAD requests = just checking existence, not downloading
- Happens in the background while using Nuke
- NOT encrypted - anyone on your network can see this

2. ENCRYPTED TELEMETRY (HTTPS)

IP: 52.205.16.9 (AWS US-East)
Domain: api.honeycomb.io
Port: 443 (HTTPS - encrypted)
Data: 17KB (largest connection)

WHAT THIS MEANS:

- Honeycomb is an observability/telemetry platform
- Used by companies to track app performance and usage
- Collects: errors, performance metrics, usage patterns
- Content is encrypted, but metadata is visible (IP, timing, size)
- This is likely what Foundry uses for analytics

3. OTHER HTTPS CONNECTION

IP: 52.250.30.213 (AWS)
Domain: staticcdn.duckduckgo.com
Port: 443 (HTTPS)
Data: 7.5KB

NOTE: This might be browser-related, not Nuke

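As an added example that is not part of the original note, this Python script aggregates per-destination packet records into the kind of summary shown above and flags the cleartext destination together with the product version its request path leaks. The record layout, the sample lines and the IP-to-hostname map are constructed for the demo, not taken from the capture.

```python
import re

# Constructed sample packets (not the real capture), one per line:
# time_s dst_ip dst_port bytes http_method http_uri ("-" when not HTTP)
SAMPLE_FLOWS = """\
12.1 52.50.232.31 80 310 HEAD /nuke/15.2/Default.html
13.0 52.205.16.9 443 4096 - -
95.4 52.50.232.31 80 310 HEAD /nuke/15.2/Default.html
120.7 52.205.16.9 443 5120 - -
130.2 52.250.30.213 443 7680 - -
400.0 52.205.16.9 443 8192 - -
"""

# Reverse mapping, assumed to come from the DNS answers in the capture
HOSTNAMES = {"52.50.232.31": "learn.foundry.com",
             "52.205.16.9": "api.honeycomb.io",
             "52.250.30.213": "staticcdn.duckduckgo.com"}

# The product version leaks in the cleartext request path (/nuke/15.2/...)
VERSION_RE = re.compile(r"/nuke/(\d+\.\d+)/")

def summarize(flow_text):
    """Aggregate packets per destination; note cleartext use and leaked version."""
    summary = {}
    for line in flow_text.splitlines():
        _ts, ip, port, size, method, uri = line.split()
        entry = summary.setdefault(ip, {
            "host": HOSTNAMES.get(ip, "?"), "port": int(port), "packets": 0,
            "bytes": 0, "head_requests": 0, "version": None,
            "cleartext": int(port) == 80})
        entry["packets"] += 1
        entry["bytes"] += int(size)
        if method == "HEAD":
            entry["head_requests"] += 1
        m = VERSION_RE.search(uri)
        if m:
            entry["version"] = m.group(1)
    return summary

def findings(summary):
    """Privacy findings: which destinations are cleartext and what they leak."""
    out = []
    for ip, e in summary.items():
        if e["cleartext"]:
            leak = f"version {e['version']}" if e["version"] else "request path"
            out.append(f"{e['host']} ({ip}): cleartext HTTP leaks {leak}")
    return out
```

On a real capture, the same per-packet fields can be exported with tshark and fed to `summarize` unchanged.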
WHAT DATA IS BEING SENT:
=========================

Based on the connections, Nuke is likely sending:

TO HONEYCOMB (encrypted):
✓ Usage telemetry
✓ Performance metrics
✓ Error reports
✓ Feature usage statistics
✓ System information (OS, hardware specs)
✓ Session duration and activity patterns

TO LEARN.FOUNDRY.COM (unencrypted):
✓ Version number (15.2)
✓ Documentation availability checks
✓ Your IP address (visible to the server and to anyone on the network path)

PRIVACY CONCERNS:
=================

MODERATE CONCERNS:

⚠️ Unencrypted HTTP to learn.foundry.com
- Your ISP can see you're using Nuke
- Network admin can see Nuke version
- Easy to intercept on public WiFi

⚠️ Telemetry to Honeycomb
- Even encrypted, shows you're actively using Nuke
- Connection frequency reveals usage patterns
- Metadata visible: when, how often, how long

⚠️ No obvious opt-out
- Telemetry appears automatic
- No clear way to disable in settings

POSITIVE OBSERVATIONS:
======================

✓ No constant "phoning home" - only 136 packets in 20 min
✓ Relatively small data transfer (32KB total)
✓ No license server connections (using local license)
✓ Main telemetry is encrypted via HTTPS
✓ No Sentry crash reporter traffic (or not triggered)

COMPARISON TO YOUR SUSPICIONS:
==============================

YOUR HUNCH: "not encrypted and sending more than relevant data"

REALITY:
- PARTIALLY CORRECT: learn.foundry.com uses unencrypted HTTP
- MOSTLY INCORRECT: Main telemetry (Honeycomb) is encrypted
- DATA AMOUNT: Hard to say without decrypting Honeycomb traffic,
  but 17KB over 20 minutes seems reasonable for telemetry

RECOMMENDATIONS:
================

IF YOU WANT TO BLOCK FOUNDRY TELEMETRY:

1. BLOCK AT HOSTS FILE:

sudo nano /etc/hosts

Add:

127.0.0.1 api.honeycomb.io
127.0.0.1 learn.foundry.com
127.0.0.1 sentry.foundry.com

2. BLOCK AT FIREWALL:

sudo ufw deny out to 52.205.16.9
sudo ufw deny out to 52.50.232.31

3. USE A NETWORK-LEVEL BLOCKER:
- Pi-hole
- AdGuard Home
- Add Foundry domains to blocklist

4. CHECK NUKE PREFERENCES:
Look for "Send usage data" or "Analytics" settings
(May or may not exist)

5. MONITOR IMPACT:
After blocking, test if Nuke still works normally
Some features (Help menu?) might be affected

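As an added example (not part of the note), a Python helper for steps 1, 2 and 5 above: it produces the hosts-file lines and ufw commands for the domains and IPs listed, adds hosts entries only when they are missing, and checks which domains are still not pinned to loopback. The sample hosts content is constructed for the demo.

```python
# Domains and IPs from the recommendations above (no Sentry traffic was seen
# in this capture, but the note lists sentry.foundry.com anyway)
BLOCK_DOMAINS = ["api.honeycomb.io", "learn.foundry.com", "sentry.foundry.com"]
BLOCK_IPS = ["52.205.16.9", "52.50.232.31"]

# Constructed /etc/hosts content for the demo; one domain is already blocked
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n127.0.0.1 learn.foundry.com  # earlier\n"

def _mapped_names(hosts_text):
    """Map hostname -> address for every active (non-comment) hosts entry."""
    mapped = {}
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # strip trailing comments
        if len(parts) >= 2:
            for name in parts[1:]:
                mapped[name] = parts[0]
    return mapped

def hosts_entries(hosts_text, domains):
    """Step 1: lines to append, skipping domains the file already maps."""
    mapped = _mapped_names(hosts_text)
    return [f"127.0.0.1 {d}" for d in domains if d not in mapped]

def merge_hosts(hosts_text, domains):
    """Append missing entries once; re-running on the result changes nothing."""
    new = hosts_entries(hosts_text, domains)
    if not new:
        return hosts_text
    base = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    return base + "# Foundry/Nuke telemetry block\n" + "\n".join(new) + "\n"

def ufw_commands(ips):
    """Step 2: per-IP egress denies (also catch clients that skip DNS)."""
    return [f"ufw deny out to {ip}" for ip in ips]

def unblocked(hosts_text, domains):
    """Step 5 check: domains that do not resolve to loopback via this file."""
    mapped = _mapped_names(hosts_text)
    return [d for d in domains if mapped.get(d) not in ("127.0.0.1", "::1")]
```

A hosts entry only affects name lookups, so a client that connects straight to an IP bypasses it, which is why the firewall rules are worth keeping alongside it; the AWS addresses can change over time, so re-check them with a fresh capture.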
TECHNICAL DETAILS:
==================

AWS IPs Confirmed:
- 52.50.232.31 (eu-west-1 - Ireland)
- 52.205.16.9 (us-east-1 - Virginia)
- 52.250.30.213 (region unknown)

Connection Timing:
- Connections happen sporadically during use
- Not continuous background chatter
- Triggered by specific actions or time intervals

User-Agent:
- "Mozilla/5.0" (generic browser string)
- Nuke disguising itself as a browser? Odd choice.

BOTTOM LINE:
============

Your suspicions were partially correct. Nuke does send data to
Foundry servers, including some unencrypted HTTP traffic. However:

1. The volume seems reasonable (not excessive)
2. Most sensitive data appears encrypted
3. It's not constantly transmitting
4. Typical for modern software telemetry

Whether this is acceptable depends on your privacy requirements.
If you want complete privacy, block the domains/IPs listed above.