Update: T-Mobile unlocks iPhone for a (big) price

T-Mobile GmbH will sell unlocked iPhones for $1,482, the German mobile carrier said today, marking the first time Apple Inc.'s smart phone has been officially available unlocked.

Unauthorized hacks, however, have been used for months by customers to unlock their iPhones so they can make calls on multiple networks or use the device in countries where Apple hasn't yet entered the handset market.

In a statement today, T-Mobile said it would immediately start selling unlocked iPhones, and unlock any already-purchased iPhone for no charge. It made both moves in response to a preliminary ruling Monday in a lawsuit brought by Vodafone Group PLC's subsidiary, Vodafone Germany. According to the injunction, which T-Mobile is appealing, Apple's wireless partner must offer the iPhone without a required 24-month contract.

The iPhone, which debuted in Germany on Nov. 9, sells for $592, value-added tax included, and has been offered with three rate plans -- called tariffs in Europe -- priced from $73 to $132 per month.

U.K.-based Vodafone had been among the mobile service providers negotiating with Apple for exclusive rights to the iPhone, but in Germany lost out to the larger T-Mobile, which is owned by Deutsche Telekom.

Vodafone has said it isn't interested in blocking sales of the iPhone in Germany, but wants the courts to level the playing field between carriers. Vodafone did not reach an agreement with Apple in the two other European markets that Apple has entered: Britain and France. Apple's U.K. partner is O2 (UK) Ltd., while Orange, the rebranded France Telecom, won the deal in France, where the iPhone goes on sale on Nov. 29.

"Apple can be profitable just on the hardware," argued Ezra Gottheil, an analyst at Technology Business Research Inc. "More is always better, of course, but by unlocking it for a larger price, Apple gets its money."

Gottheil wasn't surprised by Vodafone's move. "There's a great deal more resistance to locked phones in Europe," he said, noting that Apple has already promised to abide by French law, which bans locked cell phones, when it unveils the iPhone there next week.

"In the end, Apple is a provider of neat devices, and it will always return there," said Gottheil. "If and when it's seriously threatened by a rival, and depending on the duration and terms of its exclusive [contract] with AT&T, I think it would unlock the phone in the U.S. in a second."

But even as T-Mobile promised to abide by the injunction while it appeals the ruling, it also said it would retract the offer if it prevails. T-Mobile is also considering filing a lawsuit against Vodafone seeking unspecified damages, said company spokesman Klaus Czerwinski on Wednesday. "We think the law does not apply to this situation," Czerwinski said from Bonn. "We are still going to court."

T-Mobile will continue to sell iPhones tied to a contract, the company said today. As part of its revised pitch, T-Mobile reminded potential customers that some of the iPhone's built-in features, including Visual Voicemail, which lets users pick and choose messages to listen to, work when connected to its network.

Apple did not respond to a request for comment.

Microsoft confirms that XP contains random number generator bug

Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday.

The researchers, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, reverse-engineered the algorithm used by Windows 2000's pseudo-random number generator (PRNG), then used that knowledge to pick apart the operating system's encryption. Attackers could exploit a weakness in the PRNG, said Pinkas and his colleagues, to predict encryption keys that would be created in the future as well as reveal the keys that had been generated in the past.

As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator." Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month.

Windows Vista, Windows Server 2003 and the not-yet-released Windows Server 2008, however, apparently use a modified or different random number generator; Microsoft said they were immune to the attack strategy.

In addition, Microsoft said Windows XP Service Pack 3 (SP3), a major update expected sometime in the first half of 2008, includes fixes that address the random number generator problem.

Microsoft and Pinkas have argued over whether the flaw was a security vulnerability, with the former denying the bug met the definition and the latter claiming it is a serious problem that -- while it needs to piggyback on another, more common kind of exploit -- is far from just a theoretical threat.

Tuesday, even as it conceded that XP also had a weak PRNG, Microsoft continued to downplay the possibility of an attack. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP," a company spokeswoman said in an e-mail. To exploit the PRNG's flaws, an attacker must have administrative rights to the PC, something that's easily obtained by most run-of-the-mill attacks, Pinkas noted.

Previously, Microsoft had used that prerequisite to reject any claim that Windows 2000 contained the security vulnerability, since Pinkas' proposed attack could not accomplish anything on its own. Microsoft stuck to that position with XP. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," the company spokeswoman added.

Newer operating systems, however, are completely in the clear. "Windows Vista, Windows Server 2008 and Windows Server 2003 SP2 are not affected by the type of attack Pinkas describes," said the spokeswoman.

Pinkas applauded Microsoft's decision to patch Windows XP. "We're happy to learn that Microsoft is acknowledging that our attack is indeed an issue, and will fix it in XP SP3."

While Microsoft said it will fix the PRNG in Windows XP, it remained mute about patching the flaw in Windows 2000. The aging operating system, which, according to a recent survey by Forrester Research Inc., still powers approximately 9% of all American and European business computers, is in the last stages of support. In that phase, dubbed "extended support," Microsoft is committed to providing only security updates free of charge.

Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.