Nicholai 6fada7889a Initial public release - Nuke telemetry monitoring toolkit
This toolkit provides comprehensive monitoring, analysis, and blocking capabilities
for network telemetry sent by The Foundry's Nuke compositor on Linux.

Key features:
- Network monitoring scripts with automated alerts
- Multi-tier blocking methods (hosts, firewall, namespace, AppArmor)
- Detailed packet capture analysis and documentation
- EULA legal analysis and privacy assessment
- Sanitized example captures and comprehensive guides

All sensitive data (personal IPs, usernames, packet captures) removed.
Ready for public sharing on Gitea.
2025-11-26 15:28:21 -07:00


Block Nuke Telemetry

A comprehensive toolkit for monitoring, analyzing, and blocking network telemetry from The Foundry's Nuke compositor software on Linux.

About

This project documents an investigation into network telemetry sent by Nuke (a professional VFX compositing application) and provides tools to monitor, analyze, and optionally block these connections. The investigation was conducted on Arch Linux using packet capture and network monitoring tools.

Key Findings

Confirmed Foundry Network Connections:

Endpoint            IP Address     Port  Protocol  Purpose
learn.foundry.com   52.50.232.31   80    HTTP      Documentation checks (unencrypted)
api.honeycomb.io    52.205.16.9    443   HTTPS     Analytics/telemetry platform
sentry.foundry.com  -              443   HTTPS     Crash reporting via crashpad_handler

Telemetry Volume: ~32KB over 20 minutes of typical usage (136 packets) - minimal but present.

Privacy Concerns:

  • Unencrypted HTTP traffic to learn.foundry.com exposes Nuke version and usage patterns to ISP/network observers
  • No obvious opt-out mechanism in Nuke preferences
  • EULA grants Foundry "irrevocable authorization" to collect usage data, system details, and geographic location

See EULA-Analysis.md for detailed legal analysis and nuke_foundry_analysis.md for technical packet analysis.

Quick Start

Monitor Nuke Network Activity

# Automated monitoring with desktop notifications
bash scripts/monitor_nuke_network.sh --continuous

# Manual packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
  'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'

The most effective approach uses firewall-level blocking:

# Apply firewall blocks (iptables or nftables)
sudo bash scripts/firewall_block_nuke.sh

# Verify blocks are active
sudo bash scripts/firewall_block_nuke.sh --status

# Monitor for any bypass attempts
bash scripts/monitor_nuke_network.sh --daemon

To unblock later:

sudo bash scripts/firewall_block_nuke.sh --uninstall

Alternative Blocking Methods

See Advanced-Blocking-Methods.md for comprehensive documentation on all blocking methods:

Tier 1: Essential (Recommended)

  • Firewall blocking (scripts/firewall_block_nuke.sh) - Most robust
  • Network monitoring (scripts/monitor_nuke_network.sh) - Verification

Tier 2: Maximum Isolation (Optional)

  • Network namespace isolation (scripts/nuke_isolated.sh) - Complete network isolation
  • AppArmor MAC (apparmor/nuke.profile) - Kernel-enforced security policy

Tier 3: Network-Wide (Optional)

  • Hosts file blocking (scripts/block_nuke_telemetry.sh) - Simple but bypassable
  • DNS sinkhole (scripts/dns_sinkhole_config.sh) - Network-wide blocking
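
One way to express the Tier 1 firewall block in nftables, shown as an added example rather than the contents of scripts/firewall_block_nuke.sh. The table name, set name and both function names are assumptions; the addresses in the usage comment are the two listed under Key Findings (sentry.foundry.com has no address on this page and would need to be resolved first).

```shell
#!/bin/sh
# Added example, not the repository's firewall_block_nuke.sh.
# Table/set names (nuke_telemetry_example, blocked_v4) are made up here.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Usage: gen_nft_block_table <ipv4> [<ipv4> ...]
# Prints a ruleset that rejects outbound traffic to the given addresses.
gen_nft_block_table() {
    [ "$#" -gt 0 ] || { echo "need at least one IPv4 address" >&2; return 1; }
    elements=""
    for ip in "$@"; do
        # Validate before interpolating anything into the ruleset text.
        if ! is_ipv4 "$ip"; then
            echo "not an IPv4 address: $ip" >&2
            return 1
        fi
        elements="${elements:+$elements, }$ip"
    done
    cat <<EOF
# Declare-then-delete makes reloading idempotent (no duplicate rules).
table inet nuke_telemetry_example
delete table inet nuke_telemetry_example
table inet nuke_telemetry_example {
    set blocked_v4 {
        type ipv4_addr
        elements = { $elements }
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # counter makes blocked attempts visible in "nft list table"
        ip daddr @blocked_v4 counter reject
    }
}
EOF
}

# Apply:  gen_nft_block_table 52.50.232.31 52.205.16.9 | sudo nft -f -
# Remove: sudo nft delete table inet nuke_telemetry_example
```

Address-based rules go stale when the hostnames resolve to new addresses, and api.honeycomb.io is a third-party service whose addresses may also serve other applications.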

Installation

No installation required - this is a collection of standalone scripts and documentation.

Requirements:

  • Linux (tested on Arch Linux)
  • tcpdump - Packet capture
  • iptables or nftables - Firewall blocking
  • ss / netstat - Connection monitoring
  • notify-send - Desktop notifications (optional)

Install dependencies on Arch Linux:

sudo pacman -S tcpdump iptables nftables iproute2 libnotify

Usage

Network Monitoring

# Continuous monitoring with alerts
bash scripts/monitor_nuke_network.sh --continuous

# Run as background daemon
bash scripts/monitor_nuke_network.sh --daemon

# View alert log
bash scripts/monitor_nuke_network.sh --log

# Check current Nuke connections
sudo ss -tnp | grep -i nuke

Packet Capture & Analysis

# Basic capture
sudo tcpdump -i any -w nuke_capture.pcap 'host sentry.foundry.com'

# Three-terminal method (detailed monitoring)
# Terminal 1: Process bandwidth monitoring
sudo nethogs | tee nethogs.log

# Terminal 2: Packet capture
sudo tcpdump -i any -w nuke_capture.pcap \
  'host sentry.foundry.com or host learn.foundry.com or host api.honeycomb.io'

# Terminal 3: DNS monitoring (-l line-buffers tcpdump output so grep sees each lookup immediately)
sudo tcpdump -l -i any -n port 53 | grep -i foundry

# Analyze capture
tcpdump -r nuke_capture.pcap
wireshark nuke_capture.pcap

Blocking Telemetry

# Firewall blocking (recommended)
sudo bash scripts/firewall_block_nuke.sh
sudo bash scripts/firewall_block_nuke.sh --status

# Hosts file blocking (simple)
sudo bash scripts/block_nuke_telemetry.sh

# Network namespace isolation (maximum privacy)
sudo bash scripts/nuke_isolated.sh

# AppArmor enforcement (advanced)
sudo cp apparmor/nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2

All scripts include built-in help:

bash scripts/firewall_block_nuke.sh --help

Gap Testing

Run comprehensive tests to identify monitoring gaps:

# Test startup telemetry, crash reporting, and local data storage
bash scripts/run_gap_tests.sh

# Check local Nuke databases
bash scripts/inspect_local_data.sh

Repository Structure

.
├── README.md                           # This file
├── CLAUDE.md                           # Project instructions for Claude Code
├── UNLICENSE                           # Public domain dedication
├── Advanced-Blocking-Methods.md        # Comprehensive blocking guide
├── EULA-Analysis.md                    # Legal analysis of Foundry's EULA
├── FOUNDRY-EULA.md                     # Full EULA text
├── Foudry-Nuke-Monitoring.md          # Master conclusory document
├── nuke_foundry_analysis.md           # Detailed packet analysis
├── INTERCEPTING-HTTPS.md              # HTTPS interception guide
├── TROUBLESHOOTING.md                 # Common issues and solutions
├── Application_Behavior_Analysis.md   # Application behavior documentation
├── monitoring-gaps-analysis.md        # Analysis of monitoring coverage gaps
│
├── scripts/                           # Monitoring and blocking tools
│   ├── firewall_block_nuke.sh        # Firewall-level blocking (iptables/nftables)
│   ├── monitor_nuke_network.sh       # Automated network monitoring
│   ├── nuke_isolated.sh              # Network namespace isolation launcher
│   ├── dns_sinkhole_config.sh        # DNS blocking config generator
│   ├── block_nuke_telemetry.sh       # Simple hosts file blocking
│   ├── capture_startup_wide.sh       # Startup telemetry capture
│   ├── decrypt_nuke_traffic.sh       # HTTPS traffic decryption (MITM)
│   ├── debug_nuke_process.sh         # Process debugging utilities
│   ├── inspect_local_data.sh         # Local database inspection
│   ├── monitor_nuke_telemetry.sh     # Basic telemetry monitoring
│   ├── monitor_nuke_telemetry_service.sh  # Systemd service monitoring
│   └── run_gap_tests.sh              # Comprehensive gap testing
│
├── apparmor/                          # Mandatory access control
│   └── nuke.profile                   # AppArmor security profile
│
└── dump/                              # Capture artifacts (sanitized examples)
    ├── README.md                      # Dump directory documentation
    ├── example_capture.pcap.txt       # Example capture placeholder
    ├── 02/                            # Investigation phase 2
    │   └── logs.md
    └── gap-tests/                     # Gap testing results
        ├── databases_found.txt        # Sanitized database listing
        ├── sensitive_patterns.txt
        ├── sqlite_schema.txt
        └── sqlite_tables.txt

Documentation

Core Documentation

Technical Guides

Privacy Assessment

What Foundry Collects (per EULA Clause 19.2):

  • License details and activation information
  • Computer and network equipment details
  • Operating system and system registry files
  • Email domain of equipment owners
  • Geographic location of computers
  • Usage profiling ("profile and extent of use")

Data Usage:

  • Usage modeling across customer base
  • Targeted customer support
  • License enforcement and usage limit verification
  • Anti-piracy / identifying unlicensed use / contacting enforcement bodies
  • Service notifications (updates, maintenance expiry)

No Opt-Out: The EULA states authorization is "irrevocable" - accepting the EULA means accepting all telemetry.

Investigation Methodology

This investigation used the following approach:

  1. Initial discovery - Used nethogs, iftop, nload to identify suspicious bandwidth
  2. Packet capture - Collected raw traffic with tcpdump during Nuke usage
  3. Process correlation - Matched network connections to specific Nuke PIDs with ss/netstat
  4. DNS analysis - Monitored DNS lookups to identify Foundry domains
  5. Traffic filtering - Excluded local network and known services to isolate Foundry traffic
  6. Capture analysis - Identified unencrypted HTTP and encrypted HTTPS connections
  7. Mitigation development - Created layered blocking tools (hosts, firewall, namespace, AppArmor)
  8. Gap testing - Validated monitoring coverage and identified edge cases
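
Steps 3 and 5 above (process correlation, then filtering down to the Foundry endpoints) combined in one script. This is an added example, not one of the repository's scripts: the function name, the sample `ss` lines and the local and unlisted peer addresses are constructed, and the two labelled IPs are those from the Key Findings table.

```shell
#!/bin/sh
# Added example; not the repository's monitor_nuke_network.sh.
# Endpoint IPs from the Key Findings table (sentry.foundry.com had none listed).
KNOWN_ENDPOINTS='52.50.232.31=learn.foundry.com 52.205.16.9=api.honeycomb.io'

# Reads `ss -tnpH` lines on stdin and prints, per Nuke-owned connection:
#   KNOWN|UNKNOWN <pid> <process> <peer ip:port> <label or ->
flag_nuke_connections() {
    awk -v known="$KNOWN_ENDPOINTS" '
    BEGIN {
        n = split(known, rows, " ")
        for (i = 1; i <= n; i++) { split(rows[i], kv, "="); label[kv[1]] = kv[2] }
    }
    # Lines without a users:((...)) field carry no owner (ss run without root).
    !match($0, /users:\(\(/) { next }
    {
        proc = substr($0, RSTART)
        # crashpad_handler is a generic crash reporter used by other
        # applications too; confirm its parent is Nuke before acting.
        if (tolower(proc) !~ /nuke|crashpad_handler/) next
        match(proc, /"[^"]*"/);   name = substr(proc, RSTART + 1, RLENGTH - 2)
        match(proc, /pid=[0-9]+/); pid = substr(proc, RSTART + 4, RLENGTH - 4)
        peer = $5; ip = peer; sub(/:[0-9]+$/, "", ip)
        if (ip in label) print "KNOWN", pid, name, peer, label[ip]
        else             print "UNKNOWN", pid, name, peer, "-"
    }'
}

# Constructed sample of `sudo ss -tnpH` output (documentation address ranges
# for everything that is not on this page).
SAMPLE_SS='ESTAB 0 0 192.0.2.10:51234 52.205.16.9:443 users:(("Nuke15.2",pid=4242,fd=57))
ESTAB 0 0 192.0.2.10:51240 52.50.232.31:80 users:(("Nuke15.2",pid=4242,fd=58))
ESTAB 0 0 192.0.2.10:40022 198.51.100.7:443 users:(("crashpad_handler",pid=4250,fd=9))
ESTAB 0 0 192.0.2.10:39000 203.0.113.5:443 users:(("firefox",pid=900,fd=101))'

# Demo on the sample; live use: sudo ss -tnpH | flag_nuke_connections
printf '%s\n' "$SAMPLE_SS" | flag_nuke_connections
```

UNKNOWN rows are the ones worth a follow-up capture, since they are Nuke-owned sockets to peers not yet in the endpoint list.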

Technical Environment

  • OS: Arch Linux (kernel 6.17.4-arch2-1)
  • Nuke Version: 15.2v6 (identified from HTTP User-Agent headers)
  • Network Interface: enp12s0f0
  • Monitoring Tools: tcpdump, nethogs, ss, wireshark

Contributing

This project is released to the public domain. Contributions, improvements, and extensions are welcome.

Ideas for contributions:

  • Testing on other Linux distributions (Ubuntu, CentOS, etc.)
  • Testing on macOS (likely requires different firewall commands)
  • Windows monitoring and blocking tools (requires a completely different approach)
  • Analysis of other Foundry products (Mari, Katana, Modo)
  • Integration with network security tools (Snort, Suricata, etc.)
  • Automated testing frameworks for validating blocks

Please feel free to fork, modify, and share your findings with the VFX community.

Community & Support

This project was created for the VFX/compositing community to promote transparency in software telemetry practices.

Sharing your findings:

  • Share on VFX forums (CGSociety, VFXTalk, etc.)
  • Discuss on Reddit (r/vfx, r/linux, r/privacy)
  • Report findings to The Foundry's support/feedback channels

No official support: This is a community research project, not official software. Use at your own risk.

This project is for educational and research purposes only. It documents network behavior of commercial software and provides tools for users to control their own network traffic.

  • Blocking telemetry may violate your EULA agreement with The Foundry
  • This toolkit is provided as-is with no warranties
  • Users are responsible for compliance with applicable licenses and laws
  • The author(s) make no claims about the effectiveness or legality of these tools

Not affiliated with The Foundry. All trademarks are property of their respective owners.

License

This is free and unencumbered software released into the public domain.

See UNLICENSE for details.


Last Updated: 2025-11-26
Tested With: Nuke 15.2v6 on Arch Linux
Repository: https://gitea.example.com/yourname/block-nuke-telemetry (update with your Gitea URL)