HELP - SOS: 6230 SIM Blocked...!

On Mon, 20 Dec 2004 11:07:50 +0100, martin f krafft
<[email protected]> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>also sprach Ivor Jones <[email protected]> [2004.12.18.0932 +0100]:
>> What a load of b******s. Where do *you* get the PUK from then..?!
>
>In a sealed envelope upon purchase of the SIM card. One time only.
>Just like my parents got my notary-authenticated birth certificate
>when my birth was registered, one time only.

That may be the case with your particular Operator. With O2 and
Vodafone you can call at any time to request the code if you have
locked your SIM.

Do not assume that everybody is the same as you. That can come across
as arrogance.

--


Shevek

Get DigiGuide - a downloadable desktop PC TV and Radio Guide
http://getdigiguide.com/?p=1&r=31493

Get Firefox!
http://www.spreadfirefox.com/?q=affiliates&id=8681&t=1

---

› See More: HELP - SOS: 6230 SIM Blocked...!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

also sprach Shevek <[email protected]> [2004.12.20.1211 +0100]:
> That may be the case with your particular Operator. With O2 and
> Vodafone you can call at any time to request the code if you have
> locked your SIM.

what does "if you have locked your SIM" mean?

> Do not assume that everybody is the same as you. That can come
> across as arrogance.

sorry.

- --
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxsm8IgvIgzMMSnURApiiAJ0bisHMJs2z2dPkMzP0/m/smNivLQCg1JFP
LHTWGUh/5Y2iYZbZVtheiFo=
=+RJS
-----END PGP SIGNATURE-----

On Mon, 20 Dec 2004 13:46:52 +0100, martin f krafft
<[email protected]> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>also sprach Shevek <[email protected]> [2004.12.20.1211 +0100]:
>> That may be the case with your particular Operator. With O2 and
>> Vodafone you can call at any time to request the code if you have
>> locked your SIM.
>
>what does "if you have locked your SIM" mean?

entered your pin number incorrectly too many times

>
>> Do not assume that everybody is the same as you. That can come
>> across as arrogance.
>
>sorry.


--


Shevek

Get DigiGuide - a downloadable desktop PC TV and Radio Guide
http://getdigiguide.com/?p=1&r=31493

Get Firefox!
http://www.spreadfirefox.com/?q=affiliates&id=8681&t=1

martin f krafft wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Ivor Jones <[email protected]> [2004.12.18.0932
> +0100]:
>> What a load of b******s. Where do *you* get the PUK from then..?!
>
> In a sealed envelope upon purchase of the SIM card. One time only.
> Just like my parents got my notary-authenticated birth certificate
> when my birth was registered, one time only.

What network and country are you describing..? Here in the UK some network
operators do supply the PUK with the SIM card, but I've never seen it done
in a sealed envelope. With Orange, the network I am on, the PUK is
available either directly from a customer services representative over the
phone, once identity is proven by use of my account password, or it is
also available from the website again after logging in to my account
details using my password.

This can be done as many times as is necessary, it is not limited to a
single occasion. What if you lose your sealed envelope..? What if you
forget your password more than once..?

BTW I still have my original birth certificate, but if I were to lose it I
could apply for a replacement.

Ivor

martin f krafft wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Shevek <[email protected]>
> [2004.12.20.1211 +0100]:
>> That may be the case with your particular Operator. With O2 and
>> Vodafone you can call at any time to request the code if you have
>> locked your SIM.
>
> what does "if you have locked your SIM" mean?

It means what it says, if you have locked your SIM by entering the wrong
password too many times..! Why else would you need your PUK code..?

Ivor

martin f krafft wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Richard Colton <[email protected]>
> [2004.12.18.0950 +0100]:
>>> It's the proof that you are the owner of a SIM card. If an
>>> operator hands you the PUK for an existing SIM card, he is
>>> violating the privacy agreement.
>>
>> Eh? Don't be daft. The PUK code is a security code that you are
>> entitled to have access to.
>
> Yeah, and you should have gotten it from your operator with the SIM
> card, and it was assigned to the SIM card before a number had been
> associated, a contract written, or even a provider known.

No it wasn't. The PUK is generated by software from an algorithm based on
the SIM card number, in a similar (although very different) way to which
unlock codes are generated from IMEI numbers.

> So I am sorry if you misunderstood. Of course you get the PUK code.
> It's just a problem if you can call up and get it just like that.
> Identify questions can be answered by anyone with knowledge about
> the identity.

I agree, which is why the account password is required. No-one but the
account holder should know this.

> If the provider hands out the PUK over the phone, it's a sign of
> their incompetence. It also suggests that they know the PUK, to
> which they are not entitled.

Of course they are entitled to know it, the operator has to run the
software that generates it so that they can supply it to you..!

> I am basing all this on German, French, and Swiss networks. However,
> it's mostly all Vodafone, Orange, and <barf>T-Mobile, and so I'd
> assume they have the same policies all over the place.

They don't.

Ivor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

also sprach Ivor Jones <[email protected]> [2004.12.20.1435 +0100]:
> No it wasn't. The PUK is generated by software from an algorithm
> based on the SIM card number, in a similar (although very
> different) way to which unlock codes are generated from IMEI
> numbers.

so where is the crack to allow me to unlock the SIM of the phone
i just stole? where can i create PUK numbers from the SIM card
numbers (which are easily accessible)?

> > So I am sorry if you misunderstood. Of course you get the PUK code.
> > It's just a problem if you can call up and get it just like that.
> > Identify questions can be answered by anyone with knowledge about
> > the identity.
>
> I agree, which is why the account password is required. No-one but the
> account holder should know this.

Ha! Passwords are really bad at this. Apart, go to any store and see
how they handle it there.

"Would you be so kind as to choose a password, M'am?"
"Oh, sure. Wait, let me see. Yeah, take rosebud, I use that all
the time"
"Okay, your password is rosebud, all lower-case, M'am. Anything
else I can help you with?"
"No."
"Then please sign here and we can hand you the SIM card."

> > If the provider hands out the PUK over the phone, it's a sign of
> > their incompetence. It also suggests that they know the PUK, to
> > which they are not entitled.
>
> Of course they are entitled to know it, the operator has to run
> the software that generates it so that they can supply it to
> you..!

I have different information. But apparently, the countries I know
have more restrictive policies... read on.



also sprach Ivor Jones <[email protected]> [2004.12.20.1425 +0100]:
> What network and country are you describing..?

Germany, Austria, Switzerland, France.

> Here in the UK some network operators do supply the PUK with the
> SIM card, but I've never seen it done in a sealed envelope. With
> Orange, the network I am on, the PUK is available either directly
> from a customer services representative over the phone, once
> identity is proven by use of my account password, or it is also
> available from the website again after logging in to my account
> details using my password.

How extraordinarily insecure

> This can be done as many times as is necessary, it is not limited
> to a single occasion. What if you lose your sealed envelope..?
> What if you forget your password more than once..?

You have to purchase a new SIM card.

> BTW I still have my original birth certificate, but if I were to lose it I
> could apply for a replacement.

okay, okay. Bad example.

- --
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxtzFIgvIgzMMSnURAvkYAJ9i8oQ4cnqgqHc+NnDZT+ALz8waagCg6x8J
7FryK5isih0dNgBKMDkYrxY=
=3B1y
-----END PGP SIGNATURE-----

martin f krafft wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Ivor Jones <[email protected]> [2004.12.20.1435
> +0100]:
>> No it wasn't. The PUK is generated by software from an algorithm
>> based on the SIM card number, in a similar (although very
>> different) way to which unlock codes are generated from IMEI
>> numbers.
>
> so where is the crack to allow me to unlock the SIM of the phone
> i just stole? where can i create PUK numbers from the SIM card
> numbers (which are easily accessible)?

Hasn't been cracked and probably never will be. The algorithm is different
and more complicated.

>>> So I am sorry if you misunderstood. Of course you get the PUK
>>> code. It's just a problem if you can call up and get it just like
>>> that. Identify questions can be answered by anyone with knowledge
>>> about the identity.
>>
>> I agree, which is why the account password is required. No-one but
>> the account holder should know this.
>
> Ha! Passwords are really bad at this. Apart, go to any store and see
> how they handle it there.
>
> "Would you be so kind as to choose a password, M'am?"
> "Oh, sure. Wait, let me see. Yeah, take rosebud, I use that all
> the time"
> "Okay, your password is rosebud, all lower-case, M'am. Anything
> else I can help you with?"
> "No."
> "Then please sign here and we can hand you the SIM card."

You have a strange system there..! Here, the account password is never
disclosed to anyone except customer services.

>>> If the provider hands out the PUK over the phone, it's a sign of
>>> their incompetence. It also suggests that they know the PUK, to
>>> which they are not entitled.
>>
>> Of course they are entitled to know it, the operator has to run
>> the software that generates it so that they can supply it to
>> you..!
>
> I have different information. But apparently, the countries I know
> have more restrictive policies... read on.
>
>
>
> also sprach Ivor Jones <[email protected]> [2004.12.20.1425
> +0100]:
>> What network and country are you describing..?
>
> Germany, Austria, Switzerland, France.
>
>> Here in the UK some network operators do supply the PUK with the
>> SIM card, but I've never seen it done in a sealed envelope. With
>> Orange, the network I am on, the PUK is available either directly
>> from a customer services representative over the phone, once
>> identity is proven by use of my account password, or it is also
>> available from the website again after logging in to my account
>> details using my password.
>
> How extraordinarily insecure

Nothing insecure about a password, as long as it isn't disclosed to
someone who shouldn't have it.

>> This can be done as many times as is necessary, it is not limited
>> to a single occasion. What if you lose your sealed envelope..?
>> What if you forget your password more than once..?
>
> You have to purchase a new SIM card.

How extrordinarily restrictive. But it does generate more revenue selling
SIM cards I suppose. Are you allowed to keep your old number..?

>
>> BTW I still have my original birth certificate, but if I were to
>> lose it I could apply for a replacement.
>
> okay, okay. Bad example.


Ivor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

also sprach Ivor Jones <[email protected]> [2004.12.20.1539 +0100]:
> > "Okay, your password is rosebud, all lower-case, M'am. Anything
> > else I can help you with?"
> > "No."
> > "Then please sign here and we can hand you the SIM card."
>
> You have a strange system there..! Here, the account password is never
> disclosed to anyone except customer services.

It is disclosed. Read on below.

> Nothing insecure about a password, as long as it isn't disclosed
> to someone who shouldn't have it.

Once it has been disclosed, you have no way to keep track on how
many people know it. Leaks tend to expand with time.

> > You have to purchase a new SIM card.
>
> How extrordinarily restrictive. But it does generate more revenue selling
> SIM cards I suppose. Are you allowed to keep your old number..?

You get to keep your old number.

What happens if you forget your customer service password and lock
yourself out of the phone. That's akin to losing the sealed
envelope, if you ask me.

- --
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxvP2IgvIgzMMSnURApYUAKCA4zE491mwFS/d7e1dSua0eYkxAACgiorj
x0UNZTjWbTaj/3IW+ONxPys=
=0Tmw
-----END PGP SIGNATURE-----

"martin f krafft" <[email protected]> wrote in message
news:[email protected]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Ivor Jones <[email protected]> [2004.12.20.1435
> +0100]:
>> No it wasn't. The PUK is generated by software from an algorithm
>> based on the SIM card number, in a similar (although very
>> different) way to which unlock codes are generated from IMEI
>> numbers.
>
> so where is the crack to allow me to unlock the SIM of the phone
> i just stole? where can i create PUK numbers from the SIM card
> numbers (which are easily accessible)?

There isn't one. Plenty of people ahve tried cracking the algorhythm but
none have succeeded.

>> > So I am sorry if you misunderstood. Of course you get the PUK code.
>> > It's just a problem if you can call up and get it just like that.
>> > Identify questions can be answered by anyone with knowledge about
>> > the identity.
>>
>> I agree, which is why the account password is required. No-one but the
>> account holder should know this.
>
> Ha! Passwords are really bad at this. Apart, go to any store and see
> how they handle it there.

Err... and?

> "Would you be so kind as to choose a password, M'am?"
> "Oh, sure. Wait, let me see. Yeah, take rosebud, I use that all
> the time"
> "Okay, your password is rosebud, all lower-case, M'am. Anything
> else I can help you with?"
> "No."
> "Then please sign here and we can hand you the SIM card."

Nope, it's not as easy as that. Most operators will need more information
than an account password prior to handing over the PUK code (or even
discussing the account). The password is just an extra layer of security.

>> > If the provider hands out the PUK over the phone, it's a sign of
>> > their incompetence. It also suggests that they know the PUK, to
>> > which they are not entitled.
>>
>> Of course they are entitled to know it, the operator has to run
>> the software that generates it so that they can supply it to
>> you..!

Nope, the operator runs a database not a code calculator.

> I have different information. But apparently, the countries I know
> have more restrictive policies... read on.

Some do, the requirements for each country will be different.

> also sprach Ivor Jones <[email protected]> [2004.12.20.1425
> +0100]:
>> What network and country are you describing..?
>
> Germany, Austria, Switzerland, France.
>
>> Here in the UK some network operators do supply the PUK with the
>> SIM card, but I've never seen it done in a sealed envelope. With
>> Orange, the network I am on, the PUK is available either directly
>> from a customer services representative over the phone, once
>> identity is proven by use of my account password, or it is also
>> available from the website again after logging in to my account
>> details using my password.
>
> How extraordinarily insecure

Well what would you suggest to improve the situation?

>> This can be done as many times as is necessary, it is not limited
>> to a single occasion. What if you lose your sealed envelope..?
>> What if you forget your password more than once..?
>
> You have to purchase a new SIM card.

Not too easy if it's a contract SIM card.

--
>>> Unlock Your Phone's Potential <<<
>>> www.uselessinfo.org.uk <<<
>>> www.thephonelocker.co.uk <<<
>>> www.gsm-solutions.co.uk <<<

"martin f krafft" <[email protected]> wrote in message
news:[email protected]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Richard Colton <[email protected]>
> [2004.12.18.0950 +0100]:
>> > It's the proof that you are the owner of a SIM card. If an
>> > operator hands you the PUK for an existing SIM card, he is
>> > violating the privacy agreement.
>>
>> Eh? Don't be daft. The PUK code is a security code that you are
>> entitled to have access to.
>
> Yeah, and you should have gotten it from your operator with the SIM
> card, and it was assigned to the SIM card before a number had been
> associated, a contract written, or even a provider known.

Maybe you should get it with the SIM card (that's another discussion), but
not all operators provide it at the point of sale.

> So I am sorry if you misunderstood. Of course you get the PUK code.
> It's just a problem if you can call up and get it just like that.
> Identify questions can be answered by anyone with knowledge about
> the identity.

Maybe they can, but the combination of identity questions & password
confirmation make the system more secure than many credit card transactions,
so I don't quite see what your point is.

> If the provider hands out the PUK over the phone, it's a sign of
> their incompetence.

Eh? How on earth do you come to that conclusion. The customer is entitled
to the PUK code & the network operator is providing it after the customer
has been identified.

> It also suggests that they know the PUK, to
> which they are not entitled.

Rubbish, the SIM belongs to the network not the customer therefore they are
perfectly entitled to it. In addition, none of the networks can generate
PUk codes, they have to look them up in a database.

> I am basing all this on German, French, and Swiss networks. However,
> it's mostly all Vodafone, Orange, and <barf>T-Mobile, and so I'd
> assume they have the same policies all over the place.

Not in the UK apparantly.
<snip>

>> All of the network operators in the UK will supply the PUK codes
>> on request to the registered account holder.
>
> How do you prove that you are the account holder?
>
>> BTW, your sig is still borked.
>
> How so?

Your sig sep is semi-broken for starters (it should be dash dash space), and
your sig is way too long by generally accepted standards (no more than four
lines). HTH.

--
>>> Unlock Your Phone's Potential <<<
>>> www.uselessinfo.org.uk <<<
>>> www.thephonelocker.co.uk <<<
>>> www.gsm-solutions.co.uk <<<

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

also sprach Richard Colton <[email protected]> [2004.12.20.1727 +0100]:
> Nope, it's not as easy as that. Most operators will need more
> information than an account password prior to handing over the PUK
> code (or even discussing the account). The password is just an
> extra layer of security.

It's not a layer. It is part of the "what you know" layer in this
context.

> > How extraordinarily insecure
>
> Well what would you suggest to improve the situation?

Using an asymmetric encryption scheme and PUKs assigned to SIM cards
before the operator "slaps a contract on them". And the sealed
envelope.

> > You have to purchase a new SIM card.
>
> Not too easy if it's a contract SIM card.

Trivial. Takes a day or 10 minutes at the shop. I've just been
through it for two of my SIM cards, after having my wallet stolen
while in a country where I had purchased a local SIM card.

- --
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxwGuIgvIgzMMSnURAjHYAJ0dHdT2INVRYBUejGugAVpjrDqoIACeOP92
n0FXkjTgcynd0fbxz7GMloY=
=BmGj
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

also sprach Richard Colton <[email protected]> [2004.12.20.1736 +0100]:
> > If the provider hands out the PUK over the phone, it's a sign of
> > their incompetence.
>
> Eh? How on earth do you come to that conclusion. The customer is
> entitled to the PUK code

Sure, but not the operator. It's not like they manufacture the SIM
cards. They only attach SIM card numbers to contracts.

If you ask me, then what is happening is that some operators
apparently open the pre-sealed envelopes to retrieve the passwords.

I have a direct contact at Orange, I will inquire when I get
a chance.

> the network operator is providing it after the customer has been
> identified.

Identification is just one of those problems that has not been
solved.

> Your sig sep is semi-broken for starters (it should be dash dash space),

It is dash-dash-space. Maybe your client does not support MIME?

> and your sig is way too long by generally accepted standards (no
> more than four lines). HTH.

These standards are way old. Apart, I have a four line signature (an
empty line does not count). The rest is a digital signature. Welcome
to today, where we don't do things the way they were done 20 years
ago.

Anyway, if you all are really annoyed by this, I will turn them
off... reluctantly.

- --
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBxwLfIgvIgzMMSnURAgE5AJsFx73Wgvo6Z08ECPReWkESCWz2oQCcDhTu
h/40tAfRoFdfMjpYKcx86F8=
=NW0v
-----END PGP SIGNATURE-----

"martin f krafft" <[email protected]> wrote in message
news:[email protected]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Richard Colton <[email protected]>
> [2004.12.20.1727 +0100]:
>> Nope, it's not as easy as that. Most operators will need more
>> information than an account password prior to handing over the PUK
>> code (or even discussing the account). The password is just an
>> extra layer of security.
>
> It's not a layer. It is part of the "what you know" layer in this
> context.

And whilst some of the personal information may be easy to come by, the
password should be a little harder to get.

>> > How extraordinarily insecure
>>
>> Well what would you suggest to improve the situation?
>
> Using an asymmetric encryption scheme and PUKs assigned to SIM cards
> before the operator "slaps a contract on them". And the sealed
> envelope.

PUK's are assigned to SIMs prior to the operator "slapping a contract on
them". Any level of encryption has to be balanced against usability.

>> > You have to purchase a new SIM card.
>>
>> Not too easy if it's a contract SIM card.
>
> Trivial. Takes a day or 10 minutes at the shop.

Maybe in your country, but not in the UK. It can very from a couple of days
to a few weeks depending on the operator, so hardly trivial plus the costs
involved will be substantially higher than maintaining a database of PUK 's.

> I've just been
> through it for two of my SIM cards, after having my wallet stolen
> while in a country where I had purchased a local SIM card.

You have my sympathies.

--
>>> Unlock Your Phone's Potential <<<
>>> www.uselessinfo.org.uk <<<
>>> www.thephonelocker.co.uk <<<
>>> www.gsm-solutions.co.uk <<<

"martin f krafft" <[email protected]> wrote in message
news:[email protected]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> also sprach Richard Colton <[email protected]>
> [2004.12.20.1736 +0100]:
>> > If the provider hands out the PUK over the phone, it's a sign of
>> > their incompetence.
>>
>> Eh? How on earth do you come to that conclusion. The customer is
>> entitled to the PUK code
>
> Sure, but not the operator. It's not like they manufacture the SIM
> cards. They only attach SIM card numbers to contracts.
>
> If you ask me, then what is happening is that some operators
> apparently open the pre-sealed envelopes to retrieve the passwords.

No, they consult the database and retrieve the PUK that is registered
against that given SIM.

> I have a direct contact at Orange, I will inquire when I get
> a chance.
>
>> the network operator is providing it after the customer has been
>> identified.
>
> Identification is just one of those problems that has not been
> solved.

Nor will it ever be 100% secure if it's be be accessible to the end user.

>> Your sig sep is semi-broken for starters (it should be dash dash space),
>
> It is dash-dash-space. Maybe your client does not support MIME?
>
>> and your sig is way too long by generally accepted standards (no
>> more than four lines). HTH.
>
> These standards are way old. Apart, I have a four line signature (an
> empty line does not count). The rest is a digital signature. Welcome
> to today, where we don't do things the way they were done 20 years
> ago.
>
> Anyway, if you all are really annoyed by this, I will turn them
> off... reluctantly.

It doesn't bother me personally that much (unlimited broadband), but it is a
matter of courtesy. Quite a lot of people reading the mobile/cellular
newsgroups in particular do so on mobile devices where they have to pay for
every byte downloaded. I'm fully aware of what your sig is, and what it
contains - I just don't see the need for it to be quite so large. Just
because the standards are old doesn't make them wrong.

--
>>> Unlock Your Phone's Potential <<<
>>> www.uselessinfo.org.uk <<<
>>> www.thephonelocker.co.uk <<<
>>> www.gsm-solutions.co.uk <<<