06 April 2007 Changes (HHH)
---------------------------

1. Action: added rules for ZoneAlarm Firewall
   Added:  GoodDomains[i++] = "zonealarm.com";
           GoodDomains[i++] = "zonelabs.com";
   Reason: Had update.zonealarm.com show up in Homer, and had some
           problems with the forum.

2. Action: "seventeentraditions.com"
   Added:  GoodDomains[i++] = "seventeentraditions.com";
   Reason: // EXAMPLE RULE
           This is the web site for Ralph Nader's new book. Since he
           doesn't use spies (NONE), allow the site through.

3. Action: ".images-amazon.com"
   Added:  GoodDomains[i++] = ".images-amazon.com";
   Reason: Mon Mar 5 18:31:21:
           g-ec2.images-amazon.com/images/G/01/gateway/\
           partner-logos/weightwatchers_logo._V58636048_.gif
                              ^^^^
           BadURL_Parts[i++] = "twat";

4. Action: "cock" rule
   From:   BadURL_Parts[i++] = "cock";
   To:     BadURL_Parts[i++] = "[^h]cock";
   Reason: Fri Mar 23 19:35:09:
           i.cnn.net/v5cache/TCM/Images/Dynamic/i52/\
           alfredhitchcockboxset_dv_60x90_031220070510.jpg
           The only false positives for the rule were the ones that
           had "Hitchcock", but further we had no false negatives
           with "hcock". A no brainer but we still have peacock, etc.

06 April 2007 UNresolved False Positives (HHH)
----------------------------------------------

1. Pattern:  "secret"
   Rules:    BadURL_Parts[i++] = "secret";
   Reason:   Sat Mar 31 15:17:42
             ndc.shockwave.com/images/picons/highlight/
             hideandsecret_highlight.png
   Analysis: 326 secret_Parts.txt
              68 secret_Starts_and_Ends.txt
             279 secret_Passed_All_Rules.txt
             -------------------------------
             673 total

             This is the ONLY false-positive I have. I wonder why I
             don't have more. Shockwave.com is NOT part of Adobe that
             distributes the Shockwave player now that Macromedia has
             been bought out by Adobe. They are owned by MTV Networks.
             Furthermore, this was part of some unsolicited ads that
             were in my webmail account henrhhertzhobbit@yahoo.com
             (where lots of trash goes).
             This sums up my view of the ShockWave player succinctly:

             http://tinyurl.com/2kbsf8

             The only problem is, PbsKids.org uses it for some of their
             games. And unlike pbs.org which employs the use of
             ad.doubleclick.net and one other spy, PbsKids.org still
             doesn't do that. Oh yes, the ShockWave player will NEVER
             be available for Sun Solaris, Linux, and other Unix
             systems, and the Flash Player is ALWAYS out of date. The
             only reason I know this is because there are Webinars,
             and in the field of Computer Security I am amazed that
             they think I would use Microsoft Windows as if it was a
             secure platform. In other words for me, I blocked NOTHING!

06 April 2007 RESOLVED False Positives (HHH)
--------------------------------------------

1. Pattern:  "twat"
   Rules:    BadURL_Parts[i++] = "twat";
   Reason:   Mon Mar 5 18:31:21:
             g-ec2.images-amazon.com/images/G/01/gateway/\
             partner-logos/weightwatchers_logo._V58636048_.gif
   Analysis: For now I have added images-amazon.com. This is the ONLY
             false positive I have.
   Solution: added GoodDomains ".images-amazon.com"

2. Pattern:  "cock"
   Rules:    BadURL_Parts[i++] = "cock";
   Reason:   Fri Mar 23 19:35:09:
             i.cnn.net/v5cache/TCM/Images/Dynamic/i52/\
             alfredhitchcockboxset_dv_60x90_031220070510.jpg
   Analysis: The picture was so small I didn't notice it was missing.
             ALL of my false positives are just the name "Hitchcock".
             Further, there were no other "hcock" other than
             Hitchcock. A no brainer but we still have peacock, etc.
   Solution: BadURL_Parts[i++] = "cock";
               - became -
             BadURL_Parts[i++] = "[^h]cock";
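
An added regression check for the rule changes in this changelog (not part of the original file or the project's own code): it runs the rule set before and after the 06 April 2007 changes over the logged URLs and reports which pattern blocks each one. Assumptions: GoodDomains is consulted before BadURL_Parts, a leading-dot entry matches subdomains, URLs are matched without a scheme as in the log lines, and the peacock URL is constructed.

```javascript
// Rule sets before and after the 06 April 2007 changes (values from the changelog).
const before = { good: [], bad: ["twat", "cock", "secret"] };
const after = {
  good: ["zonealarm.com", "zonelabs.com", "seventeentraditions.com", ".images-amazon.com"],
  bad: ["twat", "[^h]cock", "secret"],
};

// Assumption: ".example" matches subdomains only; "example" matches the
// host itself and its subdomains.
function isGoodDomain(host, good) {
  const h = host.toLowerCase();
  return good.some(d => (d.startsWith(".") ? h.endsWith(d) : h === d || h.endsWith("." + d)));
}

// Returns the BadURL_Parts pattern that blocks the URL, or null if it passes.
function blockingRule(url, rules) {
  const host = url.split("/")[0];
  if (isGoodDomain(host, rules.good)) return null; // whitelist wins
  return rules.bad.find(p => new RegExp(p, "i").test(url)) ?? null;
}

const samples = [
  // URLs from the changelog's log lines (line continuations joined):
  "g-ec2.images-amazon.com/images/G/01/gateway/partner-logos/weightwatchers_logo._V58636048_.gif",
  "i.cnn.net/v5cache/TCM/Images/Dynamic/i52/alfredhitchcockboxset_dv_60x90_031220070510.jpg",
  "ndc.shockwave.com/images/picons/highlight/hideandsecret_highlight.png",
  // Constructed URL for the remaining "peacock" false positive:
  "img.example.test/birds/peacock.jpg",
];

// One row per URL: which pattern blocked it under each rule set.
function compare(urls) {
  return urls.map(url => ({
    url,
    before: blockingRule(url, before),
    after: blockingRule(url, after),
  }));
}

for (const r of compare(samples)) {
  console.log(`${r.before ?? "pass"} -> ${r.after ?? "pass"}  ${r.url}`);
}
```

The two resolved entries change from blocked to pass, while the "secret" and peacock rows stay blocked, matching the unresolved list.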