(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



jisusaiche: Java's installer telemetry

Posted June 05, 2019 by shaun

Beginning with Java JRE 8u211, the online Windows installer appears to generate a prolific amount of traffic not seen in previous versions. In my environment, it attempted to contact the following hosts:


In web operations parlance, "RUM" generally indicates a realtime user monitoring service. Indeed, Oracle's Dyn offers such a mechanism that's been implemented in the Java installer. Aside from being noisy on the wire, most of this is harmless; the installer is interacting with multiple download mirrors to see which one might perform the best. But several of the hostnames contained what appeared to be unique identifiers, and that's enough for me to sinkhole all of rum.dynapis.(com|info) in DNS.

I'm less clear on what "jisusaiche" represents — perhaps jisusaiche Christ that's a lot of telemetry! — or what data is being transmitted to those hosts, but they've earned a spot in the firewall, too.

I think I'll be using the offline Java installer from now on. That comes directly from javadl.oracle.com and doesn't generate a bunch of dubious network traffic in the background.
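As an added example (not code from the original post): once these names are sinkholed or firewalled, resolver query logs show which machines still try to reach them. The script below scans constructed log lines in a BIND-style query log format (an assumption; the post doesn't name a resolver) and matches the `rum.dynapis.com` and `rum.dynapis.info` zones on label boundaries, plus any name with a label containing `jisusaiche`; the sample hostnames and client addresses are constructed.

```python
import re
from collections import defaultdict

# Zones the post sinkholes in DNS; matched on label boundaries, not substrings.
SINKHOLE_ZONES = ("rum.dynapis.com", "rum.dynapis.info")
# Assumption: any name with a label containing this string is treated as related.
KEYWORD = "jisusaiche"

# Constructed sample lines in a BIND-style query log format (not captured traffic).
SAMPLE_LOG = """\
05-Jun-2019 10:15:01.101 client 192.0.2.10#53211 (probe1.rum.dynapis.com): query: probe1.rum.dynapis.com IN A + (192.0.2.1)
05-Jun-2019 10:15:01.140 client 192.0.2.10#53212 (A1B2.Beacon.RUM.dynapis.info): query: A1B2.Beacon.RUM.dynapis.info IN A + (192.0.2.1)
05-Jun-2019 10:15:02.007 client 192.0.2.11#40100 (jisusaiche.cdn.example): query: jisusaiche.cdn.example IN A + (192.0.2.1)
05-Jun-2019 10:15:02.350 client 192.0.2.11#40101 (javadl.oracle.com): query: javadl.oracle.com IN A + (192.0.2.1)
05-Jun-2019 10:15:03.900 client 192.0.2.12#61000 (notrum.dynapis.com): query: notrum.dynapis.com IN A + (192.0.2.1)
"""

# Captures the client address and the query name in parentheses.
LINE_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+ \(([^)]+)\): query:")

def classify(qname):
    """Return 'rum-zone', 'jisusaiche', or None for a query name."""
    name = qname.rstrip(".").lower()
    for zone in SINKHOLE_ZONES:
        # Exact zone apex or a true subdomain; "notrum.dynapis.com" must not match.
        if name == zone or name.endswith("." + zone):
            return "rum-zone"
    if any(KEYWORD in label for label in name.split(".")):
        return "jisusaiche"
    return None

def scan(log_text):
    """Map each client IP to a sorted list of (category, qname) hits."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query log line
        client, qname = m.groups()
        category = classify(qname)
        if category:
            hits[client].add((category, qname.rstrip(".").lower()))
    return {client: sorted(found) for client, found in hits.items()}

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG).items():
        for category, qname in found:
            print(f"{client}\t{category}\t{qname}")
```

The keyword match matters because a name that only carries `jisusaiche` as a label under someone else's zone is not covered by a zone-level sinkhole.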


