Phoenix FR Posted May 25, 2024 (edited)
The file HeatblurUI.exe communicates with an external server. What kind of data is sent to the external server? Here is a capture from my firewall.
Edited May 25, 2024 by Phoenix FR
TerrorMango Posted May 25, 2024
Guessing it's the web browser/manual. Being called "UI" and all that. That way you always get the latest manual and no game update is necessary for new/corrected information.
Phoenix FR (Author) Posted May 26, 2024
Maybe. I hope we'll have an answer from the dev.
BJ55 Posted May 26, 2024
I've asked for some info here: https://forum.dcs.world/topic/349202-heatbluruiexe-network-requests/ , they replied, but after a few minutes the reply was deleted.
The situation is worse than expected, I forgot to clear the hosts, so didn't notice that some connections were dropped, HeatblurUI.exe connects to:
cdn.matomo.cloud - (ex Piwik) notorious for tracking, aggressive telemetry, and malware delivery.
fonts.googleapis.com update.googleapis.com - The Evil™, everybody knows.
*.r.cloufront.net - Amazon, everybody knows.
cdnjs.cloudflare.com - notorious for mass surveillance and denial of service.
f4.heatblur.local - dunno.
They did great work with this plane but:
- there was no mention anywhere of these network requests.
- multiple processes of Google's crapware are eating CPU cycles and memory.
I must check if hbui is having memory leaks because of the firewall...
The funny thing is that everybody screams for realism, but it's fine if we use a YouTube browser while flying:
Sorry, if I need to browse while flying I can use another device or another monitor or alt+tab, with a (privacy respecting) browser of choice and without overloading my PC.
I hope that they don't bring this PUP into the F-14, or at least that they give us the choice to keep using the Good ol' Jesta.
For every problem there is a solution, for every solution there is a better solution.
I7-12700F, 64GB DDR4 XMP1 3000MHz, Asus Z670M, MSI RTX 3070 2560x1440 60Hz, TIR 5, TM WH VPC base, TM rudder, Win10 Pro
Aernov Posted May 26, 2024
If the additional in-game UI (manual and its context search) affects performance, an option to disable it would be great, not to mention if some potential security risk exists. I used it maybe twice, found out that it can interfere with the clickable cockpit (and it takes screen space), and just opened the manual on a handheld device. And now, since I mostly learned what the buttons do, I don't need in-game context search at all, and if I need to look up some procedure in the manual, I get my handheld or just Alt+Tab and open the PDF, where I can do quick text search, make bookmarks, open multiple copies on different pages etc.
Phoenix FR (Author) Posted May 26, 2024
2 hours ago, BJ55 said:
  I've asked for some info here: https://forum.dcs.world/topic/349202-heatbluruiexe-network-requests/ , they replied, but after a few minutes the reply was deleted.
  The situation is worse than expected, I forgot to clear the hosts, so didn't notice that some connections were dropped, HeatblurUI.exe connects to:
  cdn.matomo.cloud - (ex Piwik) notorious for tracking, aggressive telemetry, and malware delivery.
  fonts.googleapis.com update.googleapis.com - The Evil™, everybody knows.
  *.r.cloufront.net - Amazon, everybody knows.
  cdnjs.cloudflare.com - notorious for mass surveillance and denial of service.
  f4.heatblur.local - dunno.
  They did great work with this plane but:
  - there was no mention anywhere of these network requests.
  - multiple processes of Google's crapware are eating CPU cycles and memory.
  I must check if hbui is having memory leaks because of the firewall...
  The funny thing is that everybody screams for realism, but it's fine if we use a YouTube browser while flying:
  Sorry, if I need to browse while flying I can use another device or another monitor or alt+tab, with a (privacy respecting) browser of choice and without overloading my PC.
  I hope that they don't bring this PUP into the F-14, or at least that they give us the choice to keep using the Good ol' Jesta.
  For every problem there is a solution, for every solution there is a better solution.
I didn't see your topic. I can't understand why they deleted their answer. I hope, and we must have, an answer to know what data is collected. Did you post on their Discord?
Snappy Posted May 26, 2024 (edited)
3 hours ago, BJ55 said:
  I've asked for some info here: https://forum.dcs.world/topic/349202-heatbluruiexe-network-requests/ , they replied, but after a few minutes the reply was deleted.
  The situation is worse than expected, I forgot to clear the hosts, so didn't notice that some connections were dropped, HeatblurUI.exe connects to:
  cdn.matomo.cloud - (ex Piwik) notorious for tracking, aggressive telemetry, and malware delivery.
  fonts.googleapis.com update.googleapis.com - The Evil™, everybody knows.
  *.r.cloufront.net - Amazon, everybody knows.
  cdnjs.cloudflare.com - notorious for mass surveillance and denial of service.
  f4.heatblur.local - dunno.
  They did great work with this plane but:
  - there was no mention anywhere of these network requests.
  - multiple processes of Google's crapware are eating CPU cycles and memory.
  I must check if hbui is having memory leaks because of the firewall...
  The funny thing is that everybody screams for realism, but it's fine if we use a YouTube browser while flying:
  Sorry, if I need to browse while flying I can use another device or another monitor or alt+tab, with a (privacy respecting) browser of choice and without overloading my PC.
  I hope that they don't bring this PUP into the F-14, or at least that they give us the choice to keep using the Good ol' Jesta.
  For every problem there is a solution, for every solution there is a better solution.
Curious, what did they say about it in their now-deleted reply?
Edit: Ah, Cobra just replied again in your thread and explained!
Edited May 26, 2024 by Snappy
Cobra847 Posted May 26, 2024 (edited)
4 hours ago, BJ55 said:
  They did great work with this plane but:
  - there was no mention anywhere of these network requests.
  - multiple processes of Google's crapware are eating CPU cycles and memory.
  I must check if hbui is having memory leaks because of the firewall...
  The funny thing is that everybody screams for realism, but it's fine if we use a YouTube browser while flying:
  Sorry, if I need to browse while flying I can use another device or another monitor or alt+tab, with a (privacy respecting) browser of choice and without overloading my PC.
  I hope that they don't bring this PUP into the F-14, or at least that they give us the choice to keep using the Good ol' Jesta.
  For every problem there is a solution, for every solution there is a better solution.
I deleted the reply because I wanted to check something specific before re-posting it and subsequently got ill later in the evening. Nothing nefarious going on except busy developers and getting pulled in many directions. Apologies!
Our privacy policy is linked directly from our site, as well as linked from the EULA in the game folder. As mentioned in the other thread, since there seems to be concern about errant HTTP requests, we'll add a new safeguard for ensuring there is no connectivity whatsoever.
Quote
  cdn.matomo.cloud - (ex Piwik) notorious for tracking, aggressive telemetry, and malware delivery.
  fonts.googleapis.com update.googleapis.com - The Evil™, everybody knows.
  *.r.cloufront.net - Amazon, everybody knows.
  cdnjs.cloudflare.com - notorious for mass surveillance and denial of service.
  f4.heatblur.local - dunno.
There's absolutely no aggressive telemetry or malware delivery happening, at all. One of the Google fonts was left in the manual which has since been removed (hence it was pulling it from Google) and as noted in the privacy policy, we only have a user counter otherwise. The font-fix should be available in the hotfix, apologies.
As noted in the other thread though, our UI will never rely on any online features, so we'll add a fully offline checkbox to inhibit any HTTP requests to inhibit any and all connection requests. As a stop-gap it should work totally fine to just firewall HeatblurUI.exe off entirely.
Quote
  If additional in-game UI (manual and its context search) affects performance,
It actually shouldn't; this may be a bug. I will look into it as we want as little CPU overhead as possible since the aircraft itself is very complex. When any UI element is closed, it should be mostly sleeping, and thus use very little CPU resources. We do have to periodically ping some of the UI elements to keep the JS ticking; but it shouldn't incur that much CPU usage.
Edited May 26, 2024 by Cobra847
Nicholas Dackard Founder & Lead Artist Heatblur Simulations https://www.facebook.com/heatblur/
speed-of-heat Posted May 26, 2024
Thanks for the transparency
SYSTEM SPECS: Hardware AMD 9800X3D, 64Gb RAM, 4090 FE, Virpil T50CM3 Throttle, WinWIng Orion 2 & F-16EX + MFG Crosswinds V2, Varjo Aero SOFTWARE: Microsoft Windows 11, VoiceAttack & VAICOM PRO YOUTUBE CHANNEL: @speed-of-heat
BJ55 Posted May 26, 2024
55 minutes ago, Cobra847 said:
  I deleted the reply because I wanted to check something specific before re-posting
I've imagined something like that, given the complexity of the issue and all the trouble you're having after the release.
58 minutes ago, Cobra847 said:
  so we'll add a fully offline checkbox to inhibit any HTTP requests to inhibit any and all connection requests
Thanks! Best regards.
Phoenix FR (Author) Posted May 26, 2024
5 hours ago, Cobra847 said:
  I deleted the reply because I wanted to check something specific before re-posting it and subsequently got ill later in the evening. Nothing nefarious going on except busy developers and getting pulled in many directions. Apologies!
  Our privacy policy is linked directly from our site, as well as linked from the EULA in the game folder. As mentioned in the other thread, since there seems to be concern about errant HTTP requests, we'll add a new safeguard for ensuring there is no connectivity whatsoever.
  There's absolutely no aggressive telemetry or malware delivery happening, at all. One of the Google fonts was left in the manual which has since been removed (hence it was pulling it from Google) and as noted in the privacy policy, we only have a user counter otherwise. The font-fix should be available in the hotfix, apologies.
  As noted in the other thread though, our UI will never rely on any online features, so we'll add a fully offline checkbox to inhibit any HTTP requests to inhibit any and all connection requests. As a stop-gap it should work totally fine to just firewall HeatblurUI.exe off entirely.
  It actually shouldn't; this may be a bug. I will look into it as we want as little CPU overhead as possible since the aircraft itself is very complex. When any UI element is closed, it should be mostly sleeping, and thus use very little CPU resources. We do have to periodically ping some of the UI elements to keep the JS ticking; but it shouldn't incur that much CPU usage.
Thank you for the answer. I can block the traffic without loss of benefit. It's good news. I like the checkbox for inhibiting the communication. I hope it will come soon.
Broeils Posted May 27, 2024
Also wanted to chime in on Piwik/Matomo connections, nothing nefarious about that. That's just user experience telemetry used on websites (such as the manual that's loaded in the browser) to see how customers are navigating using your website; not big bad centralized user tracking, ads or malware related. They probably could make it optional, like being asked if you want to share your usage statistics with the developers (like DCS does in the main menu now).
BJ55 Posted May 27, 2024
I've had no chance to review the code when, in the past, my AV flagged piwik .js as a trojan. "In 2012 hackers inserted malicious code into the open-source Piwik analytics software after compromising the Web server used for downloads", the same happened last year with a WP plugin... Do I have to blindly trust them and let their scripts run (in an unprotected browser)?
speed-of-heat Posted May 27, 2024
3 hours ago, Broeils said:
  Also wanted to chime in on Piwik/Matomo connections, nothing nefarious about that. That's just user experience telemetry used on websites (such as the manual that's loaded in the browser) to see how customers are navigating using your website; not big bad centralized user tracking, ads or malware related. They probably could make it optional, like being asked if you want to share your usage statistics with the developers (like DCS does in the main menu now).
As the manual is local, it shouldn't be reaching back as per Cobra's response here, we should only get a ping to their counter
On 5/26/2024 at 11:25 AM, Cobra847 said:
  One of the Google fonts was left in the manual which has since been removed (hence it was pulling it from Google) and as noted in the privacy policy, we only have a user counter otherwise. The font-fix should be available in the hotfix, apologies.
Broeils Posted May 27, 2024
Sure. But still, nothing malicious about traffic to Matomo from a web browser. Personally I saw the traffic as well (while I'm trying to debug crashes related to the F-4E module) and assumed it was because I told a popup in the menu I did want my usage data shared with the developers
Phoenix FR (Author) Posted June 8, 2024
Even with the option on offline, HeatblurUI.exe continues to communicate to an external server.
BJ55 Posted June 9, 2024
I see no outbound network requests from hbui, f4.heatblur.local is "local" https://en.wikipedia.org/wiki/.local .
Cobra847 Posted June 9, 2024 (edited)
@Phoenix FR - I've implemented a change that should always inhibit a request to update the video DRM plugin. This is an internal mechanism in CEF and it might have bypassed the domain whitelisting system (though it really shouldn't) - but there is now an extra guard. That said, I cannot reproduce this here in any mode, so not sure why you are seeing it. In any case, it should be in the next hotfix.
Like @BJ55 says otherwise there should be no online traffic in offline mode. I can't reproduce any external traffic here so hopefully the above is an edge case in case of it being outdated.
Edited June 9, 2024 by Cobra847
AdrianL Posted June 9, 2024
20 minutes ago, Cobra847 said:
  any external traffic here
I suspect this is Chromium doing an update check, looking at the URL it is invoking. That would happen before your whitelist code.
Cobra847 Posted June 9, 2024
Just now, AdrianL said:
  I suspect this is Chromium doing an update check, looking at the URL it is invoking. That would happen before your whitelist code.
Yes, it's an update not for Chromium but for a specific plugin to play certain types of videos that Google distributes from its end. I've inhibited this now to ensure it does not get past any whitelisting.
Phoenix FR (Author) Posted June 9, 2024
2 hours ago, Cobra847 said:
  @Phoenix FR - I've implemented a change that should always inhibit a request to update the video DRM plugin. This is an internal mechanism in CEF and it might have bypassed the domain whitelisting system (though it really shouldn't) - but there is now an extra guard. That said, I cannot reproduce this here in any mode, so not sure why you are seeing it. In any case, it should be in the next hotfix.
  Like @BJ55 says otherwise there should be no online traffic in offline mode. I can't reproduce any external traffic here so hopefully the above is an edge case in case of it being outdated.
Thank you for the answer.
Weed89 Posted August 12, 2024
So.. for dummies... can I RENAME the folder with this whitelist crap in it? And the game will still function? - user\saved games\openbeta\DCS_F4E << ? to something like user\saved games\openbeta\DCS_F4E.BAK ? Will that block it AND the game still work? Thanks. I'm not savvy enough to do it the way you guys did.
BJ55 Posted August 12, 2024
That folder only contains the CEF user profile, so it will be recreated at first hbui restart. In order to prevent unwanted connections you must set "offline" in "HB UI Online Access" within the F-4 special options. The CEF executable is contained inside the main DCS folder and cannot be deleted. Since that folder must be excluded from detection because of false positives, the best thing to do remains blocking all network requests to untrustworthy corporations globally! (expect web breakage since The Four Horsemen tentacles are everywhere)
Zabuzard Posted August 12, 2024 (edited)
6 hours ago, Weed89 said:
  So.. for dummies... can I RENAME the folder with this whitelist crap in it? And the game will still function? - user\saved games\openbeta\DCS_F4E << ? to something like user\saved games\openbeta\DCS_F4E.BAK ? Will that block it AND the game still work? Thanks. I'm not savvy enough to do it the way you guys did.
If you rename the folder, it will be recreated with the default files. If you wish to fully deactivate all external communication made by HB UI, select the OFFLINE option in the Special Options tab, also see our manual which explains this in detail: https://f4.manuals.heatblur.se/dcs/special_options.html#domain-access
Edited August 12, 2024 by Zabuzard
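The check the thread keeps coming back to (does HeatblurUI.exe still reach external hosts, and the stop-gap of firewalling it off) can be done with built-in Windows cmdlets. The script below is an added example, not part of the original thread and not Heatblur's code; the process name is taken from the executable named in the thread, while the helper function and the rule name are made up for illustration.

```powershell
# Added example, not Heatblur's code. Run in an elevated PowerShell session
# while DCS is running with the F-4E loaded, so that HeatblurUI.exe exists.
$procs = Get-Process -Name 'HeatblurUI' -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning 'HeatblurUI.exe is not running'; return }

# Hypothetical helper: loopback, RFC 1918, link-local and IPv6 local ranges.
function Test-LocalAddress {
    param([string]$Address)
    $Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'
}

# 1. TCP connections owned by the process right now. The DNS client cache is
#    system-wide, so CachedName is a hint about the peer, not proof of origin.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue
$report = foreach ($c in (Get-NetTCPConnection -OwningProcess $procs.Id -ErrorAction SilentlyContinue)) {
    if ($c.RemotePort -eq 0) { continue }   # listening/bound sockets have no peer
    $ip = $c.RemoteAddress
    [pscustomobject]@{
        RemoteAddress = $ip
        RemotePort    = $c.RemotePort
        State         = $c.State
        Scope         = if (Test-LocalAddress $ip) { 'local' } else { 'EXTERNAL' }
        CachedName    = ($dns | Where-Object { $_.Data -eq $ip } | Select-Object -First 1).Entry
    }
}
$report | Sort-Object Scope, RemoteAddress, RemotePort -Unique | Format-Table -AutoSize

# 2. Stop-gap from the thread: block all outbound traffic for the executable.
#    The path is read from the running process instead of being hard-coded.
$ruleName = 'Block HeatblurUI outbound (example rule)'   # constructed name
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($exe in ($procs | Select-Object -ExpandProperty Path -Unique)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $exe `
        -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallApplicationFilter |
    Select-Object Program
```

The listing is a point-in-time snapshot of TCP only, so short-lived requests and any UDP traffic will not appear in it, whereas the block rule applies to all outbound protocols.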