STE WILLIAMS

Marlinspike asks browser vendors to back SSL-validator

Analysis: Moxie Marlinspike is encouraging browser developers to support an experimental project to shake up the security of website authentication by moving beyond blind faith in secure sockets layer (SSL) credentials.

The Convergence open-source project is designed to address at least some of the main shortcomings that underpin trust in e-commerce and other vital services, such as webmail. The technology, available as a browser add-on for Firefox, allows users to query notary servers – which they can pick – to make sure the SSL certificate served up by any particular site is kosher.

Marlinspike described the Firefox add-on as a proof-of-concept, adding that he was talking to other browser vendors. “Browser vendors should lead because this is the only way that Convergence can become an ‘invisible platform’ where surfers can use it without knowing that’s what they are relying on,” he said.

“We’ve got the ball rolling and it’s now up to vendors to do the bulk of the work,” he added.

The approach, first outlined by Marlinspike in August 2011, is designed to flag up man-in-the-middle attacks that rely on forged credentials from any one of hundreds of organisations authorised to cryptographically sign the certificates that Amazon, Skype, Gmail and countless other e-commerce services rely on to reassure customers that their secure sites are genuine. About 650 organisations are authorised to sign certificates.

Hackers able to break into the systems of any of these certificate authorities would be able to issue counterfeit credentials, subverting the whole system of trust. The problem was graphically illustrated by hacks against Comodo, the second largest certificate authority, and DigiNotar.

Convergence, rather than relying on the public key infrastructure that ties together the current SSL system, utilises a loose confederation of notaries that independently vouch for the integrity of a given SSL certificate.

Marlinspike told delegates at the recent CSO Interchange conference in London that SSL was designed at Netscape in the early 90s when e-commerce didn’t exist. “SSL was only designed to prevent passive attacks,” Marlinspike explained. “Authenticity was thrown in at the end as a hand-wave.”

Having so many certificate authorities is only part of the problem, according to Marlinspike: “Nobody has a great track record. For example, VeriSign is in the lawful interception business so how can the same organisation be responsible for securing traffic?”

Many sites are broken because they rely on outdated certificates or they support insecure versions of SSL. The problem is further compounded by shortcomings in the certificate revocation process. “You can’t revoke trust – that’s the essence of the problem,” Marlinspike explained.

Trust agility

Convergence provides “trust agility” essentially by letting users decide which notaries they trust to vouch for the authenticity of digital certificate credentials and making it straightforward to swap notaries. “Even if one notary goes bad it doesn’t break the system,” Marlinspike said. “You can simply replace the notary.”

Around 50 organisations have signed up to become notaries, including privacy advocates such as the EFF and technology firms including Qualys. Running a notary requires very few resources, according to Marlinspike. “Most people visit only 20 or so sites and the certificates rarely change,” he told delegates at the CSO Interchange conference.

Marlinspike told El Reg that the project, though well documented, was currently largely experimental. Around 24 developers are working on Convergence. “We’re changing and adding functionality. It’s not currently an IETF standard but we are headed in that direction.”

Google Chrome team lead developer Adam Langley has expressed reservations about supporting the crowd-sourcing technology, for a variety of practical reasons, in particular the possibility of notary servers failing under heavy demand. Marlinspike described these concerns as valid for mainstream use of the technology in its present form. “We’re testing the waters on what works and what doesn’t,” Marlinspike explained. “There’s still a lot of work to be done on how users interact with the technology.”

“The industry can’t expect a fully packaged thing from a small team of developers working on an experimental project without getting involved,” he added.

Qualys Director of Engineering Ivan Ristic told El Reg that the main problem with Convergence was its “hard fail” functionality. “If you can’t reach a notary you can’t reach a secure web site.”

One approach to solving the availability problem might be to use thousands of notaries, hooked up in a peer-to-peer network, to balance the load.
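The notary check, the “trust agility” swap and the “hard fail” Ristic objects to can be modelled in a few lines. This is an added example, not Convergence's code or wire protocol: the agreement threshold, the notary names, the host name and the certificate bytes are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    ACCEPT = "accept"            # enough chosen notaries see the same certificate
    REJECT = "reject"            # notaries answered, but too few agree with us
    UNAVAILABLE = "unavailable"  # too few notaries answered: the "hard fail"


# A notary is modelled as a function: hostname -> fingerprint it observes,
# or None when the notary cannot be reached.
Notary = Callable[[str], Optional[str]]


def fingerprint(cert_bytes: bytes) -> str:
    return hashlib.sha256(cert_bytes).hexdigest()


@dataclass
class Result:
    verdict: Verdict
    agree: List[str] = field(default_factory=list)
    disagree: List[str] = field(default_factory=list)
    silent: List[str] = field(default_factory=list)


def check_certificate(host: str, presented_cert: bytes,
                      notaries: Dict[str, Notary], required: int) -> Result:
    """Compare the certificate the client was served with each notary's view."""
    seen = fingerprint(presented_cert)
    result = Result(Verdict.UNAVAILABLE)
    for name, ask in notaries.items():
        answer = ask(host)
        if answer is None:
            result.silent.append(name)
        elif answer == seen:
            result.agree.append(name)
        else:
            result.disagree.append(name)
    answered = len(result.agree) + len(result.disagree)
    if len(result.agree) >= required:
        result.verdict = Verdict.ACCEPT
    elif answered >= required:
        result.verdict = Verdict.REJECT
    return result  # otherwise UNAVAILABLE: no connection is made


def honest_notary(view: Dict[str, bytes]) -> Notary:
    """A notary that reports the certificate it sees from its own vantage point."""
    return lambda host: fingerprint(view[host]) if host in view else None


def offline_notary() -> Notary:
    return lambda host: None


# Constructed sample data (not real certificates or hosts).
HOST = "shop.example"
GENUINE = b"constructed genuine certificate for shop.example"
FORGED = b"constructed forged certificate for shop.example"
INTERNET = {HOST: GENUINE}


def run_scenarios() -> Dict[str, Verdict]:
    good = {n: honest_notary(INTERNET) for n in ("notary-a", "notary-b", "notary-c")}
    down = {n: offline_notary() for n in good}
    # notary-c has "gone bad" and vouches for the forged certificate.
    one_bad = dict(good, **{"notary-c": honest_notary({HOST: FORGED})})
    # Trust agility: the user drops notary-c and picks notary-d instead.
    swapped = {n: f for n, f in one_bad.items() if n != "notary-c"}
    swapped["notary-d"] = honest_notary(INTERNET)
    return {
        "genuine certificate": check_certificate(HOST, GENUINE, good, 2).verdict,
        "forged certificate": check_certificate(HOST, FORGED, good, 2).verdict,
        "notaries unreachable": check_certificate(HOST, GENUINE, down, 2).verdict,
        "forged, one bad notary": check_certificate(HOST, FORGED, one_bad, 2).verdict,
        "genuine, bad notary replaced": check_certificate(HOST, GENUINE, swapped, 2).verdict,
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:30s} -> {verdict.value}")
```

The "notaries unreachable" row is the availability cost Ristic describes: with no answers the client refuses the connection even though the certificate is genuine.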

Nonetheless, Ristic praised the project as a “radical” and “promising” approach to solving problems with the internet’s trust infrastructure. He said he is convinced that stability and performance issues can be ironed out, but that “the only way to make production successful is to get browser vendor involvement”.

Convergence is partly based on the Perspectives Project developed at Carnegie Mellon University. More detail on Convergence can be found at the project’s home page here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/convergence/

Indonesian train roof fare-dodgers given the brush off

Indonesian train operators have come up with yet another ingeniously cruel system designed to discourage fare-dodging commuters from blagging a free ride on the roof of their carriages – this time involving brooms covered in putrid gunk.

Fresh from the success of its plans to dislodge the pesky roof-dwellers with small concrete balls hung from frames above the tracks, state-run railway PT Kereta Api Indonesia came up with the slightly less deadly idea of the stinky brooms, which will be installed at selected crossings this week, Mainichi Daily News reports.

“For anyone who is still up there, it’ll be like a whip,” said railway official Ahmad Sujadi.

“Some people say it’s inhumane, but that’s fine because letting them ride on the roofs is even more inhumane.”

The problem with the concrete ball strategy, apparently, is that it can only be used on non-electric tracks. Amazingly, no deaths have yet been reported on the routes where it is used, the paper said.

Dozens of these “rail surfers” are killed or injured each year after falling off the train or being electrocuted by the overhead cables, but the train company isn’t worried about adding a few more to that number in the short term if it discourages the habit in the long term.

For the record, the recipe of aforementioned putrid gloop was not disclosed.

All in all, probably something to be thankful for next time the 07.42 to Charing Cross is delayed again. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/indonesian_train_gloop_roof/

LinkedIn offers MORE SECURE hobnobbing option

LinkedIn is now gradually rolling out secure browsing for its social-networking-for-suits service.

The company confirmed in a blog post yesterday that the site will encrypt web traffic over SSL. However, unlike Google, which uses HTTPS by default on its stuff, LinkedIn is offering it as an option for its users.

Facebook and Twitter similarly prefer not to switch SSL on by default.

“We are happy to announce LinkedIn now supports https for your browsing experience,” said the company’s Arvind Mani.

“This is currently an ‘opt in’ feature that will be rolled out gradually in the next coming weeks to all of our members. Serving our site over https is a key step to enhance the security for all of you, especially for those of you using public networks such as open Wi-Fi hotspots.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/linkedin_https/

New driver-snooping satnav could push down UK insurance premiums

The idea has been hovering in the ether for some time, but TomTom is the first satnav firm to sign on the dotted line and bring insurance to drivers through their GPS.

The Dutch company has joined up with Motaquote insurers to offer UK drivers “Fair Pay” insurance, where customers pay lower premiums because their satnav monitors how they’re driving.

“Our entry in the insurance market with our proven fleet management technology puts us at the forefront of a move that could help to revolutionise the motor insurance industry,” Thomas Schmidt, managing director of TomTom Business Solutions, said in a canned statement.

The idea is simple. Any driver that considers themselves to be a safe one signs on with Fair Pay and is given a specially developed TomTom PRO 3100 satnav. This GPS box includes “Active Driver Feedback” and “LIVE services”. The latter will alert the motorist to upcoming traffic issues (presumably to stop them slamming into the back of a long queue that has formed).

The feedback system will let the driver know when they’re not being quite as safe as they think they are, such as when they corner harshly or have to brake suddenly, presumably by yelling “Oy! That kind of driving will cost you 10p a minute, mate!” or something to that effect.

Assuming the customer is actually a safe driver, then their premiums will be charged accordingly, rather than being based on things like their postcode, gender, age or vehicle type.

“We’ve dispensed with generalisations and said to our customers, if you believe you’re a good driver, we’ll believe you and we’ll even give you the benefit up front… unlike some other telematics-based schemes where you may have to prove your ability over a number of months,” said Nigel Lombard, MD of Fair Pay Insurance.

The Fair Pay insured will also have a tracking unit fitted to their cars, which will allow “driver behaviour and habits to be monitored”.

“The telematics box (TomTom LINK – which is fitted within the dashboard) records the driving data,” a Fair Pay spokesperson told The Register.

“This, via Bluetooth, transfers data to the in-car TomTom navigation device and also feeds back data to the consumer dashboard. This enables drivers to also get real-time feedback, which we believe to be a unique offer in the personal motor insurance telematics market.”

The website does imply that this tracking won’t include “singing along to the radio loudly and out of tune” behaviour or “using the back seat of your car for a purpose other than that intended” behaviour; the tracker is only interested in car-owners’ safe driving, speed and mileage.

The data will be collated in the aforementioned online dashboard so that users can get an idea of their own style of driving, and could also be used anonymously for traffic analysis.

Tying insurance into safe driving while also slurping lots of lovely traffic data is a canny move for satnav companies, which need to broaden their horizons somewhat now that smartphones come packing passable navigation apps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/tomtom_insurance/

Mozilla explains user-tracking proposal for Firefox

In a story published yesterday your humble Reg writer wrongly confused Mozilla’s Telemetry project with the open-source outfit’s so-called Metrics Data Ping proposal. Mozilla has been in touch to clear things up.

The org’s global privacy and policy boss Alex Fowler kindly explained the differences between the two systems to us.

“The Metrics Data Ping proposal is not Telemetry. Telemetry is a component of Firefox that collects anonymous browser performance data for around 200 data points. It’s voluntary, doesn’t include a universally unique identifier (UUID), and is under the user’s control,” he said.

As we noted in our earlier piece, the Telemetry project that transmits data via secure encryption was slotted into Mozilla’s browser, Firefox 7, in September last year.

Fowler continued:

The Metrics Data Ping is currently a proposal under consideration to understand usage statistics. The proposal is to begin collecting a limited data set of fewer than 30 non-personal data elements in a statistically valid approach.

The current thinking is for the ping to be opt-out and introduce a UUID to enable longitudinal analysis. Users would be provided notice of the data collection and how it will contribute to the stability and performance of Firefox, the ability to view the non-personal data collected, and also to opt-out of the collection.

In addition, the team is developing other privacy-enhancing sampling techniques to further limit the collection wherever possible.

Mozilla works in the open and we are under active discussions about various approaches to determine how to measure Firefox usage so that we can improve the features and performance for all users.

As with any Mozilla project or offering we will make sure that if the proposal is integrated into Firefox, it’s in accordance with Mozilla’s Privacy Principles and gives users complete control over their data.

Our original story wrongly suggested that a proposal had been put forward for Telemetry to have the longitudinal analysis UUID loaded into it. However, it is in fact being mulled over for use with Mozilla’s Metrics Data Ping.

Thanks to those readers who got in touch to point out the errors in that story, and we sincerely hope this piece clarifies Mozilla’s current position on tracking users online.

The outfit’s privacy policy is here, while the public and sometimes fiery discussion about the Metrics Data Ping proposal can be viewed here.

It’s a debate well worth getting stuck into. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/mozilla_difference_between_telemetry_metrics_data_ping/

Chrome to weed out dodgy website SSL certificates by itself

Google will drop online checks for revoked website encryption certificates in future versions of its Chrome browser after it decided that the process no longer offers any tangible benefits.

For about a decade now, browsers have checked the validity of a website’s secure sockets layer (SSL) certificate by polling online revocation databases when a user attempts to connect to a secure HTTPS server. A certificate could be cancelled by a Certificate Authority (CA), and thus wind up on a certificate revocation list, if it was faulty or compromised in some way. Cancelling a certificate, or failing to validate it, should therefore warn the visitor to be wary of the site.

However, browsers will still establish a connection even if this validation process fails. This behaviour is needed in case users attempt to connect from within heavily firewalled networks, such as public Wi-Fi hotspots and corporate environments: punters might have to sign into an HTTPS site while traffic to other services, including the CAs’ verification servers via the online certificate status protocol, is blocked.

Halting access to a HTTPS-secured website if a revocation check failed would leave users unable to connect to sites if the relevant CA was down for any reason, another bad idea.

The problem is that hackers can use a variety of tricks to cause the revocation checks to fail, something that would be ignored in the same way as if a CA was down or a user was signing into a Wi-Fi hotspot.

Google software developer Adam Langley compared such “soft-fail revocation checks” in this scenario to a “seat-belt that snaps when you crash”. He argued: “Even though it works 99 per cent of the time, it’s worthless because it only works when you don’t need it.”

SSL revocation checks also provide a false sense of assurance because attackers capable of spoofing websites and forging certificate credentials are also more than capable of replacing the warning that a certificate is invalid. In addition, ordinary users typically ignore such warnings.

Bringing SSL certificate checks in-house

“While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy,” Langley explains in a blog post. Checks can make SSL pages slower to load and create a potential means for CAs to compile logs of user IP addresses and the sites they visit – a privacy risk in itself.

Instead of relying on online certificate revocation list checks, future versions of Chrome will use an update mechanism to maintain the list within Chrome itself. This will become the norm but Google hasn’t decided whether to ditch these online certificate revocation checks entirely.
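The trade-off between soft-fail checks, hard-fail checks and a list held in the browser can be laid out as a small decision table. This is an added example, not code from Chrome or from Langley's post: the function names, scenario labels and serial numbers are assumptions constructed for illustration.

```python
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


def online_status(serial: str, ca_revoked: Set[str],
                  responder_reachable: bool) -> Optional[Status]:
    """Model of an online revocation lookup. None means no answer arrived."""
    if not responder_reachable:
        return None
    return Status.REVOKED if serial in ca_revoked else Status.GOOD


def soft_fail_allows(status: Optional[Status]) -> bool:
    # No answer is treated the same as a good answer.
    return status is not Status.REVOKED


def hard_fail_allows(status: Optional[Status]) -> bool:
    # Only an explicit "good" lets the connection proceed.
    return status is Status.GOOD


def pushed_list_allows(serial: str, local_revoked: Set[str]) -> bool:
    # The list was delivered by the browser's update mechanism beforehand,
    # so no network lookup happens at connection time.
    return serial not in local_revoked


# Constructed sample data (not real certificate serial numbers).
REVOKED_SERIAL = "SERIAL-REVOKED-0001"
GOOD_SERIAL = "SERIAL-GOOD-0002"
CA_REVOKED = {REVOKED_SERIAL}      # what the CA's servers would report
LOCAL_REVOKED = {REVOKED_SERIAL}   # what the browser's pushed list contains

# (label, certificate serial, can the client reach the CA's responder?)
SCENARIOS = [
    ("revoked cert, responder reachable", REVOKED_SERIAL, True),
    ("revoked cert, responder blocked", REVOKED_SERIAL, False),
    ("good cert, responder blocked (hotspot)", GOOD_SERIAL, False),
    ("good cert, responder reachable", GOOD_SERIAL, True),
]


def decision_table() -> Dict[Tuple[str, str], bool]:
    """Return {(scenario, policy): connection allowed?} for every combination."""
    table: Dict[Tuple[str, str], bool] = {}
    for label, serial, reachable in SCENARIOS:
        status = online_status(serial, CA_REVOKED, reachable)
        table[(label, "soft-fail")] = soft_fail_allows(status)
        table[(label, "hard-fail")] = hard_fail_allows(status)
        table[(label, "pushed-list")] = pushed_list_allows(serial, LOCAL_REVOKED)
    return table


if __name__ == "__main__":
    for (label, policy), allowed in decision_table().items():
        print(f"{label:40s} {policy:12s} {'connect' if allowed else 'block'}")
```

Soft-fail only blocks the revoked certificate when the responder can be reached, hard-fail blocks the good certificate behind the hotspot, and the pushed list gets both right only for serials that were on the list when it was last updated.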

“There is a class of higher-security certificate, called an EV [Extended Validation] certificate, where we haven’t made a decision about what to do yet,” Langley explains.

Browser vendors in general responded to last year’s DigiNotar hack by revoking certificates from the firm via a browser-based software update. Langley is proposing a lighter-weight method of revoking certificates so that lists can be updated on the fly, without requiring a software update.

“Our current method of revoking certificates in response to major incidents is to push a software update,” Langley writes. “Microsoft, Opera and Firefox also push software updates for serious incidents rather than rely on online revocation checks. But our software updates require that users restart their browser before they take effect, so we would like a lighter weight method of revoking certificates.”

It’s unclear over what timescale Google intends to introduce the certificate revocation check changes, but a spokesman for the web giant said that this would probably happen over a matter of months. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/chrome_ssl_revocation_checking/

Move over cybercrims, DDoS now protesters’ weapon of choice

Ideological hacktivism has replaced cybercrime as the main motivation behind DDoS attacks, according to a study by Arbor Networks.

Up until last year, DDoS attacks were typically financially driven – either for reasons of competition or outright extortion – but the activities of Anonymous and related groups have changed that. The plethora of readily available DDoS attack tools (such as LOIC, a sometime favourite of Anonymous) means that anyone can launch an attack and any business could potentially be targeted.

Arbor, which specialises in supplying DDoS mitigation and traffic management tools to telcos and ISPs, describes the rise of hacktivism as a “sea-change in the threat landscape”.

“What we saw in 2011 was the democratisation of DDoS,” said Roland Dobbins, Arbor Networks solutions architect for Asia-Pacific, and the primary author of the 2012 edition of Arbor’s annual Worldwide Infrastructure Security Report. “Any enterprise operating online – which means just about any type and size of organisation – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Furthermore, the explosion of inexpensive and readily-accessible attack tools is enabling anyone to carry out DDoS attacks.”

Network operators quizzed by Arbor as it compiled its study reported a significant increase in the prevalence of high-bandwidth DDoS attacks. Around 13 per cent reported attacks greater than 10 Gbps between October 2010 and November 2011, the period covered by the report. An even greater number (25 per cent) observed DDoS attacks that exceeded the total bandwidth into their data centre.

The single largest reported DDoS attack during the survey period hit 60 Gbps, down from 100 Gbps reported in 2010. However this drop in the absolute volume of the worst attack disguises what Arbor describes as the “increasing sophistication and complexity of application-layer and multi-vector DDoS attacks”.

Around half of respondents reported application-layer attacks on their networks. More than 40 per cent of network operators quizzed by Arbor reported an inline firewall and/or IPS failing due to a DDoS attack.

For the first time, a respondent to Arbor’s survey observed a native IPv6 DDoS attack on their network. Arbor describes this as a “significant milestone” while noting that although “IPv6 deployments continue to advance, IPv6 is not yet economically or culturally significant enough to warrant serious attention by the internet criminal underground”.

Fifty per cent of respondents reported not seeing any attacks targeting their mobile infrastructure. Conversely, more than 30 per cent reported an average of 50 to 100 mobile DDoS attacks per month, suggesting some mobile operators lack the tools that would allow them to monitor problems on their networks.

Arbor’s findings were based on a survey of 114 of its service provider customers throughout the world.

Cyber machine guns flood networks

Another DDoS trend study from Prolexic Technologies, also published on Tuesday, reports that denial-of-service attack sophistication has increased even while assault durations have decreased.

Average attack duration was down to 34 hours in Q4 2011 from 43 hours in Q4 2010 but packet-per-second volume increased 18-fold. Prolexic mitigated 45 per cent more attacks in Q4 2011 compared to Q4 2010.

“Based on fourth quarter statistics, Prolexic predicts that 2012 will feature DDoS attacks that will be shorter in duration, but much more devastating in terms of packet-per-second volume,” said Paul Sop, chief technology officer at Prolexic. “Think of it this way. In the past, attackers had a rifle. In 2012, they have a machine gun with a laser sight.”

During Q4 2011, approximately 22 per cent of attacks faced down by the firm were ICMP floods, 20 per cent were UDP floods, 20 per cent were SYN floods and 16 per cent were GET floods. Prolexic clients in the e-Commerce sector “received a disproportionately high percentage of Layer 7 (application layer) attacks and much longer average attack durations,” the firm adds.

Prolexic’s report can be downloaded here (PDF, registration required).

A separate study from Akamai out last week reported an increase in attack traffic from Asia during the third quarter of 2011. Taiwan and China held the second and third place spots, respectively, accounting for just under 20 per cent of observed attack traffic combined. Asia Pacific as a whole generated nearly half (49 per cent) of online attacks observed across the Akamai platform during Q3 2011.

Attack traffic originating in Europe was down slightly to 28 per cent; with the Americas accounting for nearly 19 per cent over the same time-frame, Akamai reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/ddos_attack_trends/

Heathrow facial recognition tech stalled by borders fiasco

Heathrow airport may now not get facial recognition technology at all five of its terminals in time for the Olympics as planned, according to the Financial Times.

Plans for BAA to install ‘e-gates’ facial recognition technology at the airport to allow registered non-EU nationals to use electronic self-service immigration controls were given the go-ahead last July following an 18-month trial with the UK Border Agency.

However, BAA has said that the roll out is being delayed while the UK Border Agency (UKBA) completes an investigation into last year’s border checks fiasco, during which fingerprint-matching checks on visa nationals from outside Europe were regularly suspended at Heathrow.

A spokeswoman for BAA said in a statement: “BAA has installed new automated immigration clearance gates at all Heathrow terminals to improve queuing times for passengers. UKBA is responsible for border security and has been working to bring these new gates online but has paused this process while it completes internal investigations.”

The investigation has meant that work that the UKBA had to complete before the gates could go live, including building a database of travellers that have registered to use the system, has not been completed, the Financial Times said.

John Holland-Kaye, BAA’s commercial director, told the publication: “We could be ready [in time for the Olympics] but this is entirely within the hands of government and what their strategy is is unclear.”

e-gates is an alternative to UKBA’s IRIS programme, which uses eye-scanning technology. It is designed to allow registered non-EU passengers to enter the UK more quickly than the conventional border process, allowing people to pass through automated barriers at certain airports.

The e-gates system uses facial recognition technology to compare a person’s face to the photograph recorded on the chip in their passport. Once the checks are made, the gates open and allow people to pass through. BAA had planned to introduce the technology ahead of the influx of passengers expected during the Olympics, with passenger numbers expected to be 45% higher during the games.

A spokesman for UKBA wouldn’t comment specifically on the progress of the programme when asked by Guardian Government Computing.

“Our responsibility is to secure the border at all times and we will ensure sufficient resources and technology are put in place to meet the extra demand during the Olympics period,” he said.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/facial_recognition_delay/

Hackers spunk ‘pcAnywhere source’ after negotiation breakdown

Hacktivists affiliated with Anonymous uploaded what they claim is the source code of Symantec’s pcAnywhere software early on Tuesday, following the breakdown of negotiations between the hacking group and “a federal agent posing as a Symantec employee”.

Symantec has confirmed that a dialogue had taken place between the hacktivists and “a law enforcement official”, saying it had turned the case over to the Feds as soon as the hackers had contacted it.

The release of the 1.27GB file as a torrent coincides with the breakdown of the “negotiations” – which the group has now published on Pastebin – that took place between “Symantec” and YamaTough, spokesperson of hacker group Lords of Dharmaraja. Lords of Dharmaraja are an Indian hacking crew affiliated with Anonymous’ Op AntiSec that claimed to have obtained access to the source code of pcAnywhere and other security software products from the security giant.

Taken at face value, the dialogue suggests that “Symantec” was prepared to offer payment of $50,000 (in instalments) on condition that the Lords of Dharmaraja were able to provide assurances that the hackers destroyed source code in their possession and made a statement that the hack it claimed against Symantec was a lie.

LoD claims it turned down $50k offer for the code

The purported Symantec spokesperson, who used a Gmail account, at one point tried to persuade the hackers to upload source code sample via an FTP server, a suggestion the hackers dismissed out of hand as a ruse designed to trick them into revealing their IP address.

The protracted negotiations involved much talk about payment methods, with the Lords of Dharmaraja insisting on payment by Liberty Reserve or via bank accounts in Lithuania and Latvia. “Symantec” offered to pay $1,000 via PayPal, an offer the AntiSec-affiliated hackers quickly rejected.

At several points the Lords of Dharmaraja set deadlines for response that “Symantec” then said it was unable to meet – supposedly because of the difficulty of reaching a quick decision in a corporate environment. Three weeks into the dialogue, the Lords of Dharmaraja and “Symantec” were still miles apart in terms of the negotiations. The hackers apparently became bored with the discussion and released both the dialogue and the source code.

“Since no code yet being released and our email communication wasn’t also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we’ve made mirrors so it will be hard for you to get rid of it,” the hacktivists said in their final message on Monday.

A search on torrent sites suggests that only the code for pcAnywhere and Norton Antivirus has been released. Whether the code released is the genuine deal remains unconfirmed. Searches for either item may become contaminated with malicious links or malware, like any newsworthy item, something that has nothing to do with either the activists, Symantec or the FBI.

In a statement, Symantec said that the Lords of Dharmaraja had actually been in dialogue with a law enforcement official rather than a representative of the security giant. It said it had turned the matter over to an unspecified agency as soon as it was clear the hackers wanted to extort payment in return for holding off on the release of its source code. The hackers claim they were offering Symantec first refusal on something they would otherwise auction off.

In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.

The e-mail string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement. Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec. This was all part of their investigative techniques for these types of incidents.

Symantec was not immediately able to confirm whether the source code torrent was genuine.

The Lords of Dharmaraja previously released code snippets as proof of their hack, which Symantec initially blamed on a “third party” before admitting that older versions of its security software had been swiped from its own servers in a previously undetected hack dating back to 2006. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/07/pcanywhere_shenanigans/

Conclusive PROOF of human activity causing glacier to VANISH

Captain Prat blagger cuffed with hot ice slung in cooler

Even the Intergovernmental Panel on Climate Change has had to walk back on the idea that the world’s glaciers will all be gone within decades due to human-caused carbon powered global warming: but news has now emerged showing that in at least one case human action has absolutely indisputably led to the disappearance of large chunks of glacier.

Chilean media reported last week that plods in Patagonia have arrested a man driving a refrigerated lorry loaded with more than five tonnes of ice allegedly stolen from the Jorge Montt glacier in the Bernardo O’Higgins national park. It’s theorised that the frosty burglar intended to sell off his haul as designer ice cubes in the capital Santiago.

According to local news service Emol, Chilean prosecutors believe that the truck driver wasn’t working alone: he was part of an organised ring of ice bandits headed by an unnamed kingpin residing in Santiago. The stolen lorry-load of glacier lumps is thought to have a street value of around 3 million pesos – approximately £4,000.

Reportedly the local forestry-bureau chief in the southerly Capitán Prat Province* filed a complaint with prosecutors over the glacier robberies last month, leading to the seizure of the hot ice by federal carabineros. The Chilean cops are mulling charges of “crimes against the national heritage” in addition to petty theft. ®

*The province is named after the Chilean naval hero Arturo Prat.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/07/glacier_robber/