BWS 2.0: phoning home,why?

[thetechnobear]

can someone tell me why Bitwig is 'phoning home'?
(this is 2.0... I don't know if it did with 1.x)

tcp4 0 0 gh56464.64012 services.bitwig..https ESTABLISHED

this is 'unacceptable', an applications phoning home like this can potentially send any information/files it likes about your computer.
I accept some 'online features' might require this (e.g. collaboration, online activation, online crash reporting) but at this point its clearly accepted by the user.

BWS should make it clear whenever they are going to be sending data to their hosts, and what data this is.

can this be deactivated/blocked?

(Im assuming it can run without, since many studio computers do not have internet access)

note: this is normal running, not during/after online activation, which i did yesterday.

[leegee]

+1 -- I too am concerned. I don't mind the app asking me if it can connect, and explaining why it wants to do so.

Any reason I should allow this communication through the firewall?

[thetechnobear]

Actually I guess it's for checking for updates - I'll see if I can disable this, and check If that stops it.

[odz]

There's also a package manager built-in to Bitwig. Could that have anything to do with it?

[thetechnobear]

again, packages you choose to update, so you expect internet access.

Im pretty certain this is about automatic updates, but I cannot find a way to disable it.
this was raised in a previous topic 2 years ago:
viewtopic.php?f=259&t=433733

as raised there, BW please fix this. users should explicitly opt-in (and be able to opt-out) .. as you can with other companies apps.


(I'll admit this subscription model, whilst I've grudgingly accepted it, has diminished my trust a little)

[ere2learn]

On windows just block it at firewall level

Control Panel\System and Security\Windows Firewall

Then advanced settings on left side panel,outbound rules and create a new rule to block any program of your choice

[thetechnobear]

Im perfectly aware how to block access (but not all users are) ...the point is BWS should not be doing this without user consent in the first place.

[Excds]

I guess this is the same behavior as before.

On application start it tells you if there's a new version available, which means it calls home.

If you haven't activated your license for offline use, it will call home.

To in the package manager update the list to see if there are any updates, it has to call home.

It's not as if they would continuously log information about what you're doing (Well, it would almost be a feature to crash the DAW if someone is trying to make Bieber covers...).

[anttimaatteri]

Im perfectly aware how to block access (but not all users are) ...the point is BWS should not be doing this without user consent in the first place.

the question is what exactly do you mean with "phoning home"? the stuff ms or apple is sending? or the antivirus progs? or the router when he just wanna stay in contact with the outside?

sure its the best to give people the opportunity to decide and its a sign of trustworthy to do so, but on the other hand, not evry little fartpackage sent outside means that mr. big is infront of your door listening or "phoning home".
best is to just clear things out, use wireshark or packetyzer and analyse the data-packs in depths and know which data is sent out and if its encrypted or not.

btw wireshark years ago showed me that ms outlook was sending login and password unencrypted. thats far more dangerous than programs sending home technical data for maintenance.

and last. working completely offline with an audio-comp should be mandatory for evryone beyond semipro level anyway tbh. but principally you are right about questioning stuff like that.

[Excds]

btw wireshark years ago showed me that ms outlook was sending login and password unencrypted. thats far more dangerous than programs sending home technical data for maintenance.

That totally depends on the authentication scheme and such that's enabled for that account. But on the other hand, any email provider who does not require encryption should be immediately discarded...

[thetechnobear]

I doubt your going to packet sniff this data its over https (see original post) and Id expect it to be binary encoded (if only to reduce the data size) - did you try to decode the data? or are you just assuming this is whats being sent?

I'm not 'beyond semipro level' (amateur musician, professional developer) so does that mean I should not concern myself with what applications are sending outside?

frankly, people are far too trusting with access to their data - there have been many examples of companies taking more data than is 'required', look what has happened with the tightening up of data/access on mobile phones.

but back on topic... if you want to collect data/find out about updates etc, make it an option? ask the user?
(telling users to change their firewalls settings is not a solution... the app shouldn't be doing it in the first place.)

[mikoatkvr]

Just did a quick packet capture in Wireshark and followed the T.C.P stream, seems like a validation certificate is checked for roughly once every 60 seconds while Bitwig is just idle. It looks like an SSL encrypted certificate and I see some references to SHA hashes. Mostly the data seems to be in binary format ( someone with more knowledge can verify if this could be some kind of vulnerability or not? ).
The bit i dont like is this 'Heart beat' sending every 60 seconds, which could potentially cause xruns if your soundcard is sharing an IRC with the wifi card.

[jonljacobi]

It should check once on startup (optionally) and close the connection. Did you disconnect from the Internet to see what it does?

[mikoatkvr]

It should check once on startup (optionally) and close the connection. Did you disconnect from the Internet to see what it does?

Disconnecting from the internet ( wifi ) Bitwig is still sending packets and waiting for a response to .services.bitwig.com sent out on source port 53 and destination port 37488 , this is from localhost ( 127.0.1.1 ) ( UDP ),I guess this is possibly the localhost trying to make the TCP connection [ is this for updates, package management or to check that Bitwig is registered? ] but failing? I see in the firewall that Bitwig is using port 1234 for some kind of connection too.

[gelabs]

I have just sent an email to Bitwig support about this BWS behaviour, as I would like an official statement regarding this issue.
Does anybody got any information from support already ?