block-nuke-telemetry/nuke_foundry_analysis.md
Nicholai 6fada7889a Initial public release - Nuke telemetry monitoring toolkit
This toolkit provides comprehensive monitoring, analysis, and blocking capabilities
for network telemetry sent by The Foundry's Nuke compositor on Linux.

Key features:
- Network monitoring scripts with automated alerts
- Multi-tier blocking methods (hosts, firewall, namespace, AppArmor)
- Detailed packet capture analysis and documentation
- EULA legal analysis and privacy assessment
- Sanitized example captures and comprehensive guides

All sensitive data (personal IPs, usernames, packet captures) removed.
Ready for public sharing on Gitea.
2025-11-26 15:28:21 -07:00

NUKE FOUNDRY TRAFFIC ANALYSIS - 20 Minute Capture

CAPTURE SUMMARY:

  • Duration: ~20 minutes
  • Total packets: 136
  • Total data: 32KB
  • Result: NUKE WAS PHONING HOME!

Tags: #note-type/research #domain/technical #project-type/technical #status/complete #priority/high

FOUNDRY CONNECTIONS FOUND:

  1. UNENCRYPTED HTTP TO FOUNDRY (⚠️ NOT ENCRYPTED!)
     IP: 52.50.232.31 (AWS Ireland)
     Domain: learn.foundry.com
     Port: 80 (HTTP - unencrypted)
     Requests: 8 HEAD requests to /nuke/15.2/Default.html
     User-Agent: Mozilla/5.0

    WHAT THIS MEANS:

    • Nuke periodically checks if help documentation is available
    • HEAD requests = just checking existence, not downloading
    • Happens in the background while using Nuke
    • NOT encrypted - anyone on the path (your LAN, your ISP, any proxy) can read the hostname, the path and therefore the Nuke version, and could alter the response
  2. ENCRYPTED TELEMETRY (HTTPS)
     IP: 52.205.16.9 (AWS US-East)
     Domain: api.honeycomb.io
     Port: 443 (HTTPS - encrypted)
     Data: 17KB (largest connection)

    WHAT THIS MEANS:

    • Honeycomb is an observability/telemetry platform
    • Used by companies to track app performance and usage
    • Collects: errors, performance metrics, usage patterns
    • Content is encrypted, but metadata is visible: IP, timing, size, and the hostname itself (in the DNS lookup and in the TLS SNI field of the ClientHello)
    • This is likely what Foundry uses for analytics
  3. OTHER HTTPS CONNECTION
     IP: 52.250.30.213 (not an AWS address: 52.224.0.0/11 is allocated to Microsoft, which fits DuckDuckGo's Azure hosting)
     Domain: staticcdn.duckduckgo.com
     Port: 443 (HTTPS)
     Data: 7.5KB

    NOTE: This might be browser-related, not Nuke. A host-wide capture cannot tell which process opened a connection; attribute it to a process (ss -tnp, or run Nuke alone in a network namespace) before counting it as Nuke traffic.
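The per-destination summary above can be reproduced mechanically. The following is an added example script, not part of the toolkit's own monitoring scripts: it consumes a tshark field export of the capture (the tshark field names used in the comment are real; the sample lines below are constructed to look like the capture described above, not taken from it) and prints packets, bytes, a CLEARTEXT/TLS flag and the HTTP path or TLS SNI for each destination, so the version leak on port 80 and the Honeycomb endpoint both show up in one pass.

```shell
#!/usr/bin/env bash
# Added example (not the toolkit's own script): summarise a tshark field export
# of a Nuke capture. Produce the export with, e.g.:
#   tshark -r nuke_capture.pcap -T fields -E separator='|' \
#     -e ip.dst -e tcp.dstport -e frame.len \
#     -e http.request.method -e http.request.uri \
#     -e tls.handshake.extensions_server_name
# Each line is then: dst|port|len|method|uri|sni (empty fields allowed).

# Per-destination packet/byte totals, a CLEARTEXT flag for port 80, and the
# HTTP request line (which carries the product version) or the TLS SNI.
summarize_capture() {
  awk -F'|' '
    NF < 3 { next }                        # skip blank or malformed lines
    {
      key = $1 ":" $2
      pkts[key]++
      bytes[key] += $3
      if ($2 == "80")       flag[key] = "CLEARTEXT"
      else if ($2 == "443") flag[key] = "TLS"
      else                  flag[key] = "port-" $2
      if ($4 != "") detail[key] = $4 " " $5   # HTTP method + path
      if ($6 != "") detail[key] = "SNI=" $6   # TLS server name
    }
    END {
      for (k in pkts)
        printf "%s pkts=%d bytes=%d %s %s\n", k, pkts[k], bytes[k], flag[k], detail[k]
    }' | sort
}

# Constructed sample export (not a real capture), shaped like the one analysed:
# HEAD probes to learn.foundry.com over port 80, TLS to api.honeycomb.io, and
# the DuckDuckGo CDN connection of uncertain origin.
sample_export() {
  cat <<'EOF'
52.50.232.31|80|214|HEAD|/nuke/15.2/Default.html|
52.50.232.31|80|66|||
52.205.16.9|443|583|||api.honeycomb.io
52.205.16.9|443|1514|||
52.205.16.9|443|1514|||
52.250.30.213|443|517|||staticcdn.duckduckgo.com
EOF
}

# Usage:  sample_export | summarize_capture
#   or:   tshark -r nuke_capture.pcap -T fields ... | summarize_capture
```

Any line flagged CLEARTEXT that also carries a request path is the version leak; any TLS line whose SNI you did not expect is a new destination to attribute to a process before deciding whether it belongs to Nuke.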

WHAT DATA IS BEING SENT:

Based on the connections alone (the Honeycomb payload is TLS-encrypted and was not decrypted), Nuke is likely sending:

TO HONEYCOMB (encrypted; contents inferred from what Honeycomb is typically used for, not observed):
✓ Usage telemetry
✓ Performance metrics
✓ Error reports
✓ Feature usage statistics
✓ System information (OS, hardware specs)
✓ Session duration and activity patterns

TO LEARN.FOUNDRY.COM (unencrypted; observed in the capture):
✓ Version number (15.2, in the request path /nuke/15.2/Default.html)
✓ Documentation availability checks
✓ Your IP address (as the source address of every connection, visible to the server and to anyone on the path; it is not carried in the HTTP headers)

PRIVACY CONCERNS:

MODERATE CONCERNS: ⚠️ Unencrypted HTTP to learn.foundry.com

  • Your ISP can see you're using Nuke
  • Network admin can see Nuke version
  • Easy to intercept on public WiFi

⚠️ Telemetry to Honeycomb

  • Even encrypted, shows you're actively using Nuke
  • Connection frequency reveals usage patterns
  • Metadata visible: when, how often, how long

⚠️ No obvious opt-out

  • Telemetry appears automatic
  • No clear way to disable in settings

POSITIVE OBSERVATIONS:

✓ No constant "phoning home" - only 136 packets in 20 min
✓ Relatively small data transfer (32KB total)
✓ No license server connections (using local license)
✓ Main telemetry is encrypted via HTTPS
✓ No Sentry crash reporter traffic (or not triggered)

COMPARISON TO YOUR SUSPICIONS:

YOUR HUNCH: "not encrypted and sending more than relevant data"

REALITY:

  • PARTIALLY CORRECT: learn.foundry.com uses unencrypted HTTP
  • MOSTLY INCORRECT: Main telemetry (Honeycomb) is encrypted
  • DATA AMOUNT: Hard to say without decrypting Honeycomb traffic but 17KB over 20 minutes seems reasonable for telemetry

RECOMMENDATIONS:

IF YOU WANT TO BLOCK FOUNDRY TELEMETRY:

  1. BLOCK AT HOSTS FILE: sudo nano /etc/hosts
     Add:
       127.0.0.1 api.honeycomb.io
       127.0.0.1 learn.foundry.com
       127.0.0.1 sentry.foundry.com
     (0.0.0.0 instead of 127.0.0.1 fails faster and never lands on a local listener.
     This only catches lookups that go through the system resolver: an application
     that resolves names itself, uses DNS-over-HTTPS, or connects to a hard-coded IP
     bypasses it, so confirm with a fresh capture afterwards. sentry.foundry.com did
     not appear in this capture and is included as a precaution.)

  2. BLOCK AT FIREWALL:
       sudo ufw deny out to 52.205.16.9
       sudo ufw deny out to 52.50.232.31
     (These are shared cloud addresses that can change: re-resolve the domains
     periodically, expect unrelated services on the same IPs to be blocked too,
     and prefer domain-level blocking at the DNS layer where possible.)

  3. USE A NETWORK-LEVEL BLOCKER:

    • Pi-hole
    • AdGuard Home
    • Add Foundry domains to blocklist
  4. CHECK NUKE PREFERENCES: Look for "Send usage data" or "Analytics" settings (May or may not exist)

  5. MONITOR IMPACT: After blocking, test if Nuke still works normally Some features (Help menu?) might be affected
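Steps 1 and 5 are easy to get wrong by hand: entries get duplicated on re-runs, and a hosts-file sinkhole silently does nothing for an application that does not use the system resolver. The script below is an added example, not the toolkit's own blocking script. It installs the hosts-file block from step 1 between marker comments so it is idempotent and removable, and checks the resolver side with getent; the marker strings, the 0.0.0.0 sinkhole choice and the overridable file path are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the toolkit's own script): idempotent hosts-file sinkhole
# for the domains named in the analysis. The file path argument exists so the
# functions can be exercised on a copy before touching /etc/hosts.
BEGIN_MARK="# BEGIN nuke-telemetry-block"
END_MARK="# END nuke-telemetry-block"

# Domains seen in the capture, plus Sentry, which the analysis names but did not observe.
BLOCKED_DOMAINS="api.honeycomb.io learn.foundry.com sentry.foundry.com"

# 0.0.0.0 rather than 127.0.0.1: connections fail immediately instead of
# probing whatever happens to listen on localhost.
render_block() {
  printf '%s\n' "$BEGIN_MARK"
  for d in $BLOCKED_DOMAINS; do
    printf '0.0.0.0 %s\n' "$d"
  done
  printf '%s\n' "$END_MARK"
}

# Copy everything outside the marker pair; used by install and remove.
strip_block() {
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
      '$0 == b { skip = 1; next } $0 == e { skip = 0; next } !skip' "$1"
}

# Remove any previous block, then append a fresh one. Builds a temp copy and
# writes it back with cat so the owner/mode of /etc/hosts are preserved.
install_block() {
  hosts="${1:-/etc/hosts}"
  tmp="$(mktemp)"
  strip_block "$hosts" > "$tmp"
  render_block >> "$tmp"
  cat "$tmp" > "$hosts"
  rm -f "$tmp"
}

remove_block() {
  hosts="${1:-/etc/hosts}"
  tmp="$(mktemp)"
  strip_block "$hosts" > "$tmp"
  cat "$tmp" > "$hosts"
  rm -f "$tmp"
}

# How many times a domain is sinkholed in the file (1 means correct).
count_entries() {
  grep -c "^0\.0\.0\.0 $2\$" "$1" || true
}

# The hosts file only affects lookups made through the system resolver (NSS).
# getent shows what NSS returns; if a later capture still shows DNS queries or
# SYNs to these names, the application resolves them some other way.
verify_resolver() {
  for d in $BLOCKED_DOMAINS; do
    if getent ahosts "$d" | grep -q '^0\.0\.0\.0'; then
      echo "sinkholed: $d"
    else
      echo "NOT sinkholed: $d"
    fi
  done
}

# Usage (as root):  install_block && verify_resolver
# Undo:             remove_block
```

Run verify_resolver, then re-run the capture from step 5 while using Nuke: a sinkholed name that still produces traffic means the application bypasses the resolver and the firewall or namespace methods are needed instead.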

TECHNICAL DETAILS:

Cloud IPs observed:

  • 52.50.232.31 (AWS, eu-west-1 - Ireland)
  • 52.205.16.9 (AWS, us-east-1 - Virginia)
  • 52.250.30.213 (not AWS: 52.224.0.0/11 is a Microsoft allocation; region unknown)

Connection Timing:

  • Connections happen sporadically during use
  • Not continuous background chatter
  • Triggered by specific actions or time intervals

User-Agent:

  • "Mozilla/5.0" (generic browser string)
  • A bare "Mozilla/5.0" is a common default in embedded HTTP clients and help viewers, so it is not by itself evidence of deliberate disguise, but it does mean these requests cannot be separated from browser traffic by User-Agent alone

BOTTOM LINE:

Your suspicions were partially correct. Nuke does send data to Foundry servers, including some unencrypted HTTP traffic. However:

  1. The volume seems reasonable (not excessive)
  2. The telemetry channel (Honeycomb) is TLS-encrypted; what it carries could not be determined from the capture
  3. It's not constantly transmitting
  4. Typical for modern software telemetry

Whether this is acceptable depends on your privacy requirements. If you want complete privacy, block the domains/IPs listed above.