Standard buffer overflow exploits don't execute the stack. The most common form (so-called single instance exploits) alter the return point from a subroutine so that a particular command (also stored by the malicious code) gets executed. (E.g. in a Unix system, the attacker climbs around until he finds a call to exec, and branches to the exec with a call to /bin/sh in the right place on the stack.) The second most-common form consists of exploits that cause a function pointer to be replaced in a heap variable. Even if these exploits required the insertion of executable code -- and I don't know of any cases where they do -- a non-executable stack won't help against a heap attack.
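The second form described above, a function pointer overwritten inside a heap object, as an added example in C (this is not code from the original comment). The `struct record`, the `load_name_vuln` and `load_name_fixed` functions and the payload layout are constructed for illustration; `attacker_target` stands in for the exec of /bin/sh, and the input is a constructed byte string, not a real exploit. What it shows is the point the comment makes: the bytes the attacker writes are the address of code that already exists in the process, not code, so a non-executable stack changes nothing, and only the length check in the fixed version closes the hole.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap object: a fixed-size name followed by a callback. */
struct record {
    char name[16];                     /* attacker-supplied text */
    void (*on_ready)(struct record *); /* called once the record is loaded */
};

static int target_hit;                 /* set when control lands in attacker_target */

static void normal_handler(struct record *r) { (void)r; }

/* Stands in for exec("/bin/sh"): code that already exists in the process. */
static void attacker_target(struct record *r) { (void)r; target_hit = 1; }

/* Vulnerable: copies 'len' bytes into the 16-byte name field, trusting the
 * caller.  The copy goes through the record's base address so that it is a
 * well-defined byte copy; when len exceeds sizeof r->name the tail of the
 * data lands on on_ready. */
static void load_name_vuln(struct record *r, const unsigned char *data, size_t len)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct record, name);
    memcpy(dst, data, len);            /* no check against sizeof r->name */
}

/* Fixed: refuse anything that does not fit, so on_ready is never touched. */
static int load_name_fixed(struct record *r, const unsigned char *data, size_t len)
{
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, data, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed payload: filler up to the pointer field, then the raw bytes of
 * the address to be called.  There is no machine code anywhere in it. */
static size_t build_payload(unsigned char *buf, void (*target)(struct record *))
{
    size_t off = offsetof(struct record, on_ready);
    memset(buf, 'A', off);
    memcpy(buf + off, &target, sizeof target);
    return off + sizeof target;
}

/* Returns 1 if the overwritten pointer redirected control to attacker_target. */
int run_vulnerable(void)
{
    unsigned char payload[sizeof(struct record)];
    struct record *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    r->on_ready = normal_handler;
    target_hit = 0;
    size_t n = build_payload(payload, attacker_target);
    load_name_vuln(r, payload, n);
    r->on_ready(r);                    /* control goes wherever the bytes point */
    free(r);
    return target_hit;
}

/* Returns 1 if the length check rejected the payload and the handler survived. */
int run_fixed(void)
{
    unsigned char payload[sizeof(struct record)];
    struct record *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    r->on_ready = normal_handler;
    target_hit = 0;
    size_t n = build_payload(payload, attacker_target);
    int rejected = (load_name_fixed(r, payload, n) == -1);
    r->on_ready(r);
    int intact = rejected && target_hit == 0 && r->on_ready == normal_handler;
    free(r);
    return intact;
}

int main(void)
{
    printf("vulnerable copy hijacked: %d\n", run_vulnerable());
    printf("fixed copy refused and handler intact: %d\n", run_fixed());
    return 0;
}
```

The copy in the vulnerable path is deliberately written as a byte copy from the record's base address rather than an out-of-bounds array store, so the demonstration does not depend on how a particular compiler treats undefined behaviour; the bug it models, a length that is never compared against the destination field, is the same either way.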
Actually, that's what you do in the United States. In fact, the reason the courts over here allowed software patents in the first place was that they determined that there wasn't any practical way to distinguish between a device that contained computer instructions in a non-modifiable form (e.g. firmware in mask ROM) from a device that contained computer instructions in a modifiable form (e.g. a computer with a program stored on it.) Protection for things in the first class clearly needs to be extended to things in the second class, after all, and everything in the second class could have been included in the first. In that light, the courts (rather reluctantly) decided to accept software patents.
As a result of that fiction, though, software patents usually start with the words "A device, consisting of a computer and associated software," even though they really only care about the software.
Yes. Smartphone 2002 is "Stinger".
Re:Good for some, nightmare for others on Peek-a-Boo(ty) · Score: 5, Insightful
I agree that jpegs of naked cheerleaders with hairy eyebrows are not security issues in and of themselves.
That doesn't really matter, though. The most vulnerable part of any corporate network is its users, now. A user who's violating the acceptable use policies for his or her employer's network is an automatic security risk. First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company. That means that the AUP must make accessing such materials through the corporate site a disciplinable offense...hey, presto, instant blackmail. Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do". Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?
Would you be willing to bet the company on their care?
You know, there's this rhetorical device called "irony". Maybe you've heard about it? I strongly encourage you to make its acquaintance. I've heard that it can be a useful tool for expressing certain kinds of opinions effectively, particularly when paired with its cousin, sarcasm.
But I wouldn't know anything about that...
I have an undergrad degree in Mathematics (with a minor in voice), a PhD in Mathematics, and four years of post-doctoral work in neuropsychology. I, too, found that pursuing a professorship was a dicey proposition. I write code for a living.
I don't use my degrees, although the thinking skills are really useful. After all, writing sound code consists largely of asking "What could go wrong here, and what's the least restriction I can put on my code that will prevent it?" That's essentially the same skill that one uses in proving a theorem. It reduces your error count a lot, and time spent not fixing errors in thinking is time spent improving the feature set.
So major in math -- it's infinitely geeky, you can dress as strangely as you like, and it's loads of fun.
It's a REALLY heavy metal T-shirt, I guess.
There's a good summary at the SANS Institute site. Schwartz did three different things: (1) installed a backdoor in a firewall, (2) did an unauthorized password scan, and (3) used one of the passwords he obtained through this scan to log into a system to which he should have had no access. He then copied the /etc/passwd file off that last machine, apparently to run an attack against it, as well.
Even a cursory review of the documents in the case makes it clear that he wasn't framed, that he actually did the things he was charged with, and that at least one of the activities with which he was charged was not only unauthorized, but had been explicitly forbidden by his managers. He had been ordered to take his gateway down at one point. He did so, waited a few days, and then brought an equivalent service up on the same machine under a different name. (See this site for some more details.)
In my opinion, what he did was certainly grounds for dismissal, and almost certainly technically criminal. That said, I think the district attorney was unwise to pursue the case against Schwartz, since the damage done to his reputation just on the basis of what is clearly the case would have been punishment enough. Even without the convictions, no major site will ever touch him again: security geeks are dangerous, and the last one you need is one that won't obey the policies about what he or she may attack at any given time.
You know, all the rebuttals to the various "Linux has ...% on the desktop" stories miss what I take to be the most important point those reports make. No matter how plausible the arguments about statistical bias may or may not be, the key thing which needs to be understood is this: no report, no matter how biased towards claims of Linux' usability on the desktop, is making the claim that Linux is being seen more frequently in browsing surveys. Both the LowEndMac report and the WebSideStory report show that the frequency of Linux hits on the sites being tracked is not rising.
Most of the predictions that Linux would be a factor on the desktop were based on the rapid growth that was seen two or three years ago. That shift has stopped. And that is far more ominous for "Linux on the desktop" than arguing over whether the actual adoption rate is .24% or 1.0%. If Windows stays at 90%, that's stability -- after all, Windows can realistically only fall. If Linux stays at less than 10%, that is irrelevance -- after all, Linux can realistically only rise.
That isn't true. The only part of the events up on the Hill of Sight that didn't happen in the book is the meeting of Frodo and Aragorn. Even the part about Sam starting to drown is from the text.
Now I can expect to get a bunch of e-mails with headers like "Make money fast! (WA residents only).... beeblebrox".
Oh, wait. I already do.
I personally despise _The Dispossessed_; it was the first of her novels in which I felt her didacticism overrode her story.
There's a really interesting appendix to the reissue -- LeGuin rewrites the first chapter of the book using three different pronouns for the King: male (as it appeared in 1969), female, and a created neuter pronoun. I happen to prefer the male version, but it's a fascinating comparison.
It's just that we don't identify ourselves by our names. Most of us have always been like me: when we comment, we acknowledge our association with MS, but we don't give out any identifying information. I pass on the commentary that I pick up here to my product group. Frankly, I think that the Pocket PC is stronger for it.
There are two classes of reasons that we don't use our real names. First, we as individuals don't want to get spammed any more than we already do. Individuals from MS have been targeted and stalked in the past; none of us wants to be the victim of some kook. Second, the company has a right to manage its own messages. Sometimes, obviously, that's a bad thing; our quiet lets the company get away with lying. Usually, though, there are a number of people who have the right to know before the public does. (Our partners, for instance, may need to adjust their strategies in response to changes that we make along the way in our own. There's nothing so humiliating as not knowing some key point about a change, and having some reporter tell you that he just read all about it in a newsgroup.) We need to protect that orderly flow of information.
No, parsing HTML on the Web is not rocket science. It's much closer to neurosurgery -- theoretically trivial (cut, cauterize, and close), really incredibly delicate.
You see, HTML has traditionally been interpreted by parsers that will accept lots of errors: missing cell closure, misplaced tags, heaven only knows what else. That means that every real HTML renderer contains a huge error recovery routine which watches what the parser is doing, then backs up and recovers from erroneous source. If parsing HTML meant the same thing that parsing C did, it would be easy. But parsing HTML means much more than that -- and that's why it's so hard.
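An added example (not the commenter's code) of the error recovery the comment is talking about: a toy tag parser in C that keeps a stack of open elements, implicitly closes a table cell when the next `<td>` arrives, drops an end tag that matches nothing, and closes whatever is still open at end of input. The three rules are a small subset invented for illustration, not the HTML5 tree-construction algorithm; attributes are discarded, void elements such as `<br>` are not special-cased, and the sample strings are constructed. Two parsers that choose different recovery rules build different trees from the same bytes, which is why a sanitizer's parser and the browser's renderer have to agree on exactly this kind of repair.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32
#define MAX_NAME  16

struct parser {
    char stack[MAX_DEPTH][MAX_NAME];   /* names of the currently open elements */
    int depth;
    char *out;                         /* repaired, serialised output */
    size_t cap, len;
};

/* Append 's' to the output, truncating rather than overflowing. */
static void emit(struct parser *p, const char *s)
{
    size_t n = strlen(s);
    if (p->len + n >= p->cap)
        n = p->cap - 1 - p->len;
    memcpy(p->out + p->len, s, n);
    p->len += n;
    p->out[p->len] = '\0';
}

static int is_open(const struct parser *p, const char *name)
{
    for (int i = p->depth - 1; i >= 0; i--)
        if (strcmp(p->stack[i], name) == 0)
            return 1;
    return 0;
}

/* Pop and emit end tags until 'name' has been closed (an empty name closes all). */
static void close_through(struct parser *p, const char *name)
{
    while (p->depth > 0) {
        const char *top = p->stack[--p->depth];
        emit(p, "</"); emit(p, top); emit(p, ">");
        if (strcmp(top, name) == 0)
            break;
    }
}

static void start_tag(struct parser *p, const char *name)
{
    /* Recovery rule 1: a new <td> implicitly ends the previous <td>, and a
     * new <tr> ends any open <td> and <tr>.  Everything else just nests. */
    if (strcmp(name, "td") == 0 && is_open(p, "td")) close_through(p, "td");
    if (strcmp(name, "tr") == 0 && is_open(p, "tr")) close_through(p, "tr");
    if (p->depth < MAX_DEPTH) {
        strncpy(p->stack[p->depth], name, MAX_NAME - 1);
        p->stack[p->depth][MAX_NAME - 1] = '\0';
        p->depth++;
    }
    emit(p, "<"); emit(p, name); emit(p, ">");
}

static void end_tag(struct parser *p, const char *name)
{
    /* Recovery rule 2: an end tag closes everything still open inside its
     * element; one that matches nothing (a misplaced tag) is dropped. */
    if (is_open(p, name))
        close_through(p, name);
}

/* Parse 'html' into 'out' (capacity 'cap'); returns the final nesting depth (0 = all closed). */
int recover(const char *html, char *out, size_t cap)
{
    struct parser p = { .depth = 0, .out = out, .cap = cap, .len = 0 };
    out[0] = '\0';
    const char *s = html;
    while (*s != '\0') {
        if (*s != '<') {               /* ordinary text passes straight through */
            char text[2] = { *s++, '\0' };
            emit(&p, text);
            continue;
        }
        const char *gt = strchr(s, '>');
        if (gt == NULL)                /* unterminated tag: drop the rest */
            break;
        const char *q = s + 1;
        int closing = (*q == '/');
        if (closing) q++;
        char name[MAX_NAME];
        int n = 0;                     /* tag name only; attributes are discarded */
        while (q < gt && !isspace((unsigned char)*q) && *q != '/' && n < MAX_NAME - 1)
            name[n++] = (char)tolower((unsigned char)*q++);
        name[n] = '\0';
        if (n > 0) {
            if (closing) end_tag(&p, name); else start_tag(&p, name);
        }
        s = gt + 1;
    }
    close_through(&p, "");             /* recovery rule 3: close whatever is still open */
    return p.depth;
}

/* 1 if the repaired form of 'html' is exactly 'expected' (for checking). */
int repairs_to(const char *html, const char *expected)
{
    char out[256];
    recover(html, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[256];
    recover("<table><tr><td>a<td>b</table>", out, sizeof out);
    printf("%s\n", out);
    return 0;
}
```

The interesting behaviour is in `end_tag`: a stray `</b>` with no open `<b>` is silently eaten, while a `</b>` that arrives with an `<i>` still open closes the `<i>` on the way out. Change either decision and the same input yields a different tree, which is the whole difficulty the comment describes.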
Jamie ignores the inconvenient fact that it is not clear that any harm to consumers could be proved at all. The unanimous Appellate Court decision in US v. Microsoft was pretty clear that any plaintiff representing consumers would need to prove net harm according to a stiff set of tests. I'd bet on Microsoft's odds to win that test in a court of law. (In fact, I continue to do so, since I'm not only an employee of the company, but continue to hold on to the bulk of the shares I've ever bought or been granted. My money is where my mouth is.)
However, even ignoring that, the key computation lay in asking how much each consumer would collect even if the most generous award were handed down. It turns out that the total payout would be less than $10/consumer before legal costs, and negative afterwards. The court isn't willing to go forward with a class-action lawsuit that will harm the plaintiffs even if they win.
This is a solution that makes everybody with a legitimate stake in the outcome win. Consumers benefit by getting something, the lawyers benefit by getting their costs covered, and Microsoft benefits by not having to go through another trial. The only losers are the third parties that make money off the continued controversy. I don't have a lot of sympathy for Larry Ellison or Scott McNealy, though -- do you?
It isn't safe, of course. Traditional chemo is a balance between killing the tumor and killing the patient. There are well-established long-term side effects of chemo, and they're not always pleasant...but, for most of the cancers that we treat that way, the choice is between dealing with those side effects and dying.
By the way -- if you live long enough to get cancer, don't "just do what the doctor says". Chemo works, and it does save lives, but make the effort to educate yourself. There are lots of different treatments, some of them experimental, and you can frequently benefit from finding the treatment that's right for your particular case.
Well, that and don't call it ARM-compatible, 'cause it ain't. If you read the EE Times article, Shen is having a teleconference with ARM later today. I'd guess that will be the topic of discussion.
Be careful how you interpret this stuff; the headlines are much more inflammatory than the situation warrants.
If you go through to the original EE Times article, you'll discover that the nnARM implementation was radically incomplete: no interrupt handling, no virtual memory, no coprocessor instructions, no THUMB support. For what the guy in question was doing, that's fine; he can be perfectly comfortable building a GPS receiver w/o any of that -- but no large-scale embedded system builder would be interested in this chip. (A cell phone manufacturer would need to qualify any such chip set...no way. Linux and WinCE won't run on it. QNX won't run on it. Although I suppose ucLinux might run on it, that would require a full port to a new instruction set width, and that would cost much more than anyone would save by doing it.)
That puts quite a different light on this than the articles in the Reg implied. A chip like this poses no threat to ARM's licensing revenues. What it does do is confuse people about what an ARM core can do. In my opinion, ARM has a legitimate beef about that.
Ironically, Ultraviolet is the internal code name for one of the not-yet-released features of .NET.
(No, I'm not joking. It's bothered me since the first time that my group dealt with the .NET team about UV. And, no, I can't tell you which one -- you're not cleared to hear about unreleased products.)
The Computer is your friend. Trust the Computer. Keep watch for traitors.
You're confusing two separate points here. You're saying that the Taliban would have been entirely justified, and, in fact, probably correct, in not turning bin Laden over to the United States on the basis of the evidence presented prior to 10/7/2001. I'm not trying to refute that claim. I believe that it's false, but utterly irrelevant to the debate here.
I'm saying that (a) the Taliban would never have accepted that they had enough evidence to turn him over for the WTC atrocities, because (b) they had already been presented with compelling evidence that he was complicit in other atrocities and had not handed him over then. The evidence I cite in (b) is public information, presented to a jury in US District Court last year. You could find it yourself; I did a single Google search for "Kenya embassy bombing transcript" and came up with an Israeli site with the complete trial transcript here. From looking at some of the older CNN sites, it also appears that you can get a transcript through this point in the tree. That second site also contains the full text of the standing indictment against Osama bin Laden in regard to the actions of al Qaeda. That, in itself, is a pretty damning document.
Look, trendy as it may be to want to bad mouth the US, in this case, you don't have to trust the US gov't to realize that the Taliban are in an indefensible moral position here. There's plenty of publicly available evidence that shows bin Laden to be a murderous thug who has directed multiple acts of war against the US. You could have found it yourself, just as I did. That evidence was presented to the Taliban years ago. They should have turned him over on that basis and they did not. Complaining that they weren't shown this batch of evidence is a red herring, a dodge, and a lie. They didn't want to give bin Laden up, so they didn't. End of story.
What do you mean? Do you mean that there's no evidence that bin Laden was implicated in the WTC terror attack, or that there is no evidence against bin Laden himself which should have been adequate to justify his being bound over for trial?
The first is irrelevant in this case, and I haven't spoken to it. Look back at what I said: that I didn't believe the Taliban would turn bin Laden over for any evidence. I deliberately confined the evidence I mentioned to previous requests for the extradition of bin Laden and his lieutenants, and all the evidence that I mentioned is in the public record. More than that, it's in a trial transcript, and it's been available for years.
The question of the presence or absence of evidence in the WTC attack is a red herring. Sheik Omar had more than adequate reason to extradite bin Laden without any reference to the WTC attack. He could and should have done that years ago. The fact that he and his cadre have refused to do that for years discredits their more recent charm offensive.
No, you aren't the person who remembers it, but you may be the only person who believes it. The Taliban already have sufficient evidence to absolutely require they extradite bin Laden: the public record of the trial of the bombers of the US embassies in Kenya and Tanzania six years ago. His associates were tried and convicted of that act, and the evidence used in that trial, which also implicated bin Laden, was presented to the Taliban three years ago, along with a demand for his surrender to the US to face trial for his own crimes in that matter, as well as in the matter of the bombing of the USS Cole in 1998.
It compliments the couch nicely? Wow! A computer case that praises other furniture? That's really cool!
Do they have a Dorothy Parker model that compliments the couch nastily, too? I might be interested in that one...
Disclaimer: IANAL.
First, unless you use IMAP4 or POP3 over SSL, you don't even have a reasonable expectation of privacy about the body of the e-mails you pull down to your own personal machine. The argument is that if you really cared if anybody read your mail, you would send it in an envelope. Similarly, if you don't want people reading your e-mail, put it in an electronic envelope. (Notice that this envelope need not be secure in order to trigger the privacy provisions, just as a real physical envelope is not secure. You need merely have shown that you intended the communication to be private.) Even then, the address on your mail is only private because a post office box is a secure container. If you leave your mail on a table in a restaurant where I can read the addresses, even upside down, you just gave up your expectation of privacy about those addresses.
In that light, it's clear that the headers you send in the clear through a public network as disassembled packets which not only can but must be reassembled on the way aren't sent with the expectation of privacy. If you wanted that, then you'd have sent the headers in a way that indicates you care whether third parties can read them. There's no case law about that, but I expect that the threshold you'd need to reach to trigger such an expectation would be quite low indeed. It might well be enough to send your headers as a POST request over SSL -- that's the equivalent of putting your letter inside another envelope and having a trusted third party (such as your attorney) forward it for you. There, you have a reasonable expectation of privacy, even for the address to which the letter is sent.