Archive for January, 2010
Symbiotic To Adopt Kohana, Start Symbian and Blackberry programming
by Idd Salim on Jan.20, 2010, under Coding, Symbiotic
Our recruitment process went well. We interviewed over 30 bright and very talented young coders from all walks of life. Some came in suits, some came cycling. I was pleasantly surprised at how the education quality has improved at UoN and Strath. Kudos to the IT departments! So, after all was coded and debugged, we had to select like 4 to start with in our Q1 expansion plan.
SMC will now officially expand its programming docket. The following are the architectural changes we are undergoing and would like developers aspiring to join us in Q3 2010 (or just for sharing) to learn these skills because we pay well. Actually, any programmer who will join us with a working and ready-to-sell product [or killer idea], will get life-time equity on that product and we will adopt it into our mainstream.
- Symbian Programming – We will be developing Symbian apps mainly using the Python programming language, but the good old, sexy, faithful and voluptuous Java ME will still be called upon from time to time. We will release a Symbian/J2ME game and 2 positively social apps in Q1.
- Blackberry Programming – We will release a business tool for blackberry that will take EA by storm in Q1 2010. That is all I am allowed to say, so as not to get shot. SMC will be releasing information about availability on her (soon to be redesigned) main Website.
- Kohana – No… Daniels. Not Kahuna. Just simple Kohana. We are going to ditch the Procedural programming practice and ACTIVELY use our OOP PHP and Python resources to redevelop all our websites using Kohana as the PHP Framework of choice. Sorry CakePHP, Symfony and all the other pretenders. Kohana had bigger balls. We will redesign all our clients’ websites ala Zunguka version 4, CitizenTV, Hot96 FM etc on Kohana…
I wish I had more time to blog about the 3 other things we are working on, but Mbugua is giving me that ‘Go back to code!’ eye…
Laters!
2010 – The year of the hack [Pt 1]
by Idd Salim on Jan.06, 2010, under Symbiotic
In 2006
As hackers in Kenya, we have always been taken as fact-less doomsayers and merchants of fear about an IT apocalypse.
I remember in 2006, from a 32Kbps line in my bedroom in Kampala, I hacked into a top Nairobi Stock brokerage firm registered with the CMA/NSE and downloaded their entire Database of Investing clients. The database, obviously, included some juicy details e.g. Names, Cell #s, Addresses, ID Nos, Trading History, Usernames and Passwords.
Being the naive and PURELY technical hacker I was those days [No Business Sense or mentorship], I sent the MD and IT manager an email with the Database as a Zipped attachment and advised them on how to secure their enterprise and lock out people. Maybe it is the concoction of Matoke, Lumonde, Kallo and oBushere I had taken for lunch, but this was a very dumb move.
“You have just burned an opportunity to have these guys pay you through their noses!!”, said an irate and totally annoyed Mwaniki. “Next time, talk to me or get a BUSINESS PERSON to handle the BUSINESS for you. You are just a hacker”. Hmmn, so it turns out things I do for fun could rake in big scrilla.
2 days later, I received an Email ridden with threats and gloating on how they can send cops to my house before I could spell the name ‘DjembaDjemba’ and have me locked out for good.
So, What makes Kenya a FAT Juicy Bulls-Eye for hackers?
A lot of things make Kenya a big fat juicy and warm err.. target.
- This is Kenya – Name me the country where Systems like Mpesa/Zap pioneered? Yeah, Kenya. Ushahidi? Kenya. This makes Software development houses a major target for Industrial IP espionage.
- No IT Criminal Law – Well, breaking into a place requires physical presence. So, technically, hacking isn’t breaking in. In some states in the US, for you to be convicted of Hacking, you must be caught LIVE actually logged on to the victim’s machine. The server/route logs from their ends are totally inadmissible. For all they know, states the rule, the machine could just be hacking another, and not the user. Logs can also be manipulated to show anything the SysAdmin wants them to show.
- Kenyans are too stressed to remember complex passwords – During all the times I have had to Prank-Call or Social Engineer an ISP Support desk or every time I have gone to a Dormans or a Java, I have concluded that Kenyans use the following passwords for Cisco Routers, Wireless Networks etc [1234124, 12345678901, p@ssw0rd, jesussaves, welovejesus, railatosha, hague]. Or if the username is kamau, the password is normally kamau123 or KamauMnoma or a personal/work/neighbour’s car Number Plate or Date of birth.
- Kenyans Trust the padlocks – A lot of times I have visited organizations [Not all of course] and have been given an IT tour. The conversation normally goes like this:
IT – “And this is our server room. You can see all the servers are securely locked in there with that huge padlock.”
Salim : “What firewall do you use?”
IT : “We have Fire Extinguishers and also motion detectors.”
Salim : “No, No. I meant, FIREWALL. To really secure the servers from intrusion. Internally and externally.”
IT : “That padlock is an original Solex, boss.”
Salim : “OK. good.”
It is also a culture that most people use the same password for their PC, FB Account, Gmail, Chat etc. Usual Excuse : “I don’t want the stress of remembering like 30 passwords, boss!”
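A defender-side check for the password habits listed above, as an added example that is not part of the original post: it flags the shared passwords quoted in the list, passwords built on the username, number plates and dates of birth. The plate and date formats and the sample user `wanjiru` are assumptions.

```python
import re

# The shared passwords quoted in the post, lower-cased.
COMMON = {"1234124", "12345678901", "p@ssw0rd", "jesussaves",
          "welovejesus", "railatosha", "hague"}

# Assumption: plates are typed like "KBA 123A" (K, two letters, three digits,
# optional trailing letter); spaces and hyphens are stripped before matching.
PLATE = re.compile(r"^k[a-z]{2}\d{3}[a-z]?$")

# Assumption: dates of birth are typed day, month, year with optional
# separators, e.g. 12/03/1985 or 120385.
DOB = re.compile(r"^\d{1,2}[-/.]?\d{1,2}[-/.]?(\d{4}|\d{2})$")


def weak_password_reasons(username, password):
    """Return the patterns from the post that this password matches."""
    pw = password.lower()
    user = username.lower()
    reasons = []
    if pw in COMMON:
        reasons.append("common")
    # kamau -> kamau123, KamauMnoma: the username with something bolted on.
    if len(user) >= 3 and user in pw:
        reasons.append("contains-username")
    if PLATE.match(re.sub(r"[\s-]", "", pw)):
        reasons.append("number-plate")
    if DOB.match(pw):
        reasons.append("date-of-birth")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts; only kamau's passwords come from the post.
    samples = [("kamau", "kamau123"), ("kamau", "KamauMnoma"),
               ("wanjiru", "p@ssw0rd"), ("wanjiru", "KBA 123A"),
               ("wanjiru", "12/03/1985"),
               ("wanjiru", "correct-horse-battery-staple")]
    for user, pw in samples:
        reasons = weak_password_reasons(user, pw)
        verdict = "REJECT " + ",".join(reasons) if reasons else "ok"
        print(f"{user:8} {pw:30} {verdict}")
```

Run at account creation and password change, a check like this rejects the habit before it reaches a router or a mailbox.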
Who can/will be Hacked in 2010?
This is no indication at all that the cogs are already oiled and raring to go. Just plain fact-less prediction based on Obvious situations. If you are a pool player, you know that if a black ball is set, it will eventually be pocketed. What is in the plate, will eventually be eaten.
The following are my personal top 5:
- The Stock Market – I will not be surprised to wake up one day and find the price of Safaricom Shares is 15 bob. Definitely, the regulations protect the Market against such differentials, but what about the confidence of the oblivious investor? One of the Arms of the Trio [NSE, CMA, CDSC] has a very insecure setup that could be the Achilles heel for a skilled/semi-skilled hacker.
- The Banking Sector – A lot of banks are jumping onto the SMS and Online banking bandwagon. I must agree I accept the software models and security architecture of some of the players, but most banks seem happy to just fire up an IIS box with default settings, throw in some insecure code and voilà! They have an online banking system!
- Social / eCommerce Sites – The advent of fibre brings with itself a surge of websites and me-too replicas of social networks and eCommerce and payment platforms. Quite a number are designed with a very strict methodology taking care of performance and security concerns, but there are still a lot of vulnerable apps in terms of data sanitization and business logic.
- Government Websites – A great percentage of Government websites are done gung-ho by just setting up a quick installation of Joomla or Drupal. There is no differentiation between CMS implementors and actual web developers worth their salt. I have a bad feeling the reliance on the security features of the CMSes and the reliance on the un-educated CMS guru on security will have bad ramifications. Let me not even list the government websites that have been recently hacked.
- Individuals/SMEs – Corporates and SMEs normally need a one-time secure setup by a seasoned pro and then everything runs smoothly. Behaviorally, to save cost, new devices and configurations are added to the LAN without consulting the pro, later on. The adding of new items and possibly the need to change [read adulterate] the secure settings leads to an insecure environment. A lot of reasons e.g. espionage [delete all their data because they are my competition], Disgruntled employees, Ex-staff with access etc make the SMEs a risk factor. Again, since most ISPs have the same/default password for their equipment [for ease of remembrance for the techies], a hacker can hop from Zimmerman to Hurlingham Zombifying home computers without even the owner smelling the trap.
That’s the news!
Back to code..
African e-Commerce – Will PayPal smell the coffee and come to the rescue?
by Idd Salim on Jan.06, 2010, under PayPal and Africa, Symbiotic
In a previous Post, I talked about how Google could use GoogleCheckOut to monetize Africa and do a 2-fold win-win move:
- Help Millions of Africans access e-Commerce and sell to the world, as opposed to locally.
- Enable Google take a big chunk of the millions of USDs sent from US/Europe back home to Africa.
I also talked about the blacklisting that PayPal does for African IPs. So bubbling with Ideas and possibilities, I approached CK [of Google Kenya and not DjCk]. Google is your friend, right? Ohh how wrong I was!
CK Made it clear to me that [Quoting the chat]:
- unfortunately we [google] are not ready for monetization in Africa
- even if we were to monetize the entire existing online population in sub-saharan africa, it would not be a significant amount.
So, apparently, Africa is too small for Google. I thought not. So I googled (sic!) some facts about Africa Remittances and what I found blew my mind. According to this report:
Kenyans in the diaspora are contributing an equivalent of 3.8 per cent of national income through remittances.
In the year 2004, for instance, Kenyans living and working abroad remitted about Ksh35 billion ($464 million), which overshadows the net foreign direct investment (FDI) of Ksh3.6 billion ($50.4 million), which accounted for 0.41 per cent of the country’s gross domestic product.
More recently, [According to this]:
Despite the global recession, remittances by Kenyans abroad, a key source of hard currency, grew 6.6 per cent to $611 million (Sh49 billion) last year, Central Bank has said.
However, the growth was much slower than the 41 per cent rise the previous year [2007] when the remittances stood at $573.6 million (Sh46 billion).
The figure above oscillates between .6B and 1B USD depending on the source.
So, WHERE IS THE OPPORTUNITY FOR PAYPAL?
I believe that the internet has reached sign-up saturation… people no longer jump to a bandwagon and register with no clear benefits. They now need a REASON. Free email services like yahoo and lycos had a boom because they had that UNIQUE offering.. FREE. Sadly, FREE is no longer a selling point nowadays.. people need to feed the fundamental human urge.. the urge to trade.
If a big player [PayPal] could use TRADE as a reason to get people online, this would be a winner. You know africans. We NEED a valid and convincing REASON to do anything constructive.
Trust me… Wangechi will not get online to poke Otieno… but tell her that Otieno will pay… she will log on to your site faster than you can say Paypal. Think of all the possible implementations of MicroPayment and MicroLending for social and business reasons in a typical African/Kenyan setup.
I will seek audiences with Menekse and the like and see if this cross-continent trade with Paypal Linking to Zap and Mpesa using our hand-made KuKanja Payment gateway can be made a reality.
More later…
My resolutions for 2010
by Idd Salim on Jan.04, 2010, under Symbiotic
My 5 year old daughter, Nuria, came to my coderoom, on the morning of Jan 1, as I was debugging the jQuery bits of the Hot96 Fm Website that Mbugua decided I should do personally. She said, ‘Happy New Year Daddy!’…. Hmmn, I looked at her suggestive smile and deciphered the stenography on it.
I remembered, ‘Ohh, it is Baby Shazma’s 1st Birthday!!’. Shazma has now made 1 year and even though she has Flu, it has not stopped her from walking with support and saying ‘Baba’, ‘Mama’, ‘Java’ and occasionally, ‘Gog’ when the Dogs outside Bark. Nuria wanted a big cake bought ‘for the baby’.
So I asked myself, ‘Salim. New year. Same stuff?’. Nooot! And I came up with a few resolutions. The resolutions are nothing as drastic as ‘I will start using IE’ or ‘I will code in VB’. They are not as sacrilegious as ‘I will start Support Man Urinals’ or ‘I will Insult a server by Installing Windows on it.’. No! They are well calculated steps and decisions based on advice and lectures from well-wishers that I am sure will make me a better Coder, Daddy, Gunner, Haxor, Business man and person.
- Do What PO told me. Stop Selling technology. Sell Solutions. Adapt the ‘you tell me what you want and I will build it’ approach. Ditch the ‘We have this solution that you might need’ approach.
- Do What PO told me 2. Wake up every morning hungry for more! Don’t celebrate yesterday’s success today. That is the past. Break new grounds every day. Day! Not Week.
- Do What PO told me 3. Stop learning! I already know enough to develop any web/desktop/mobile solution. Learning and meeting investors kills my time. Focus on the solutions and fine-tune them. Make them user friendly.
- Do What PO told me 4. Stop working from home! Kids, TV, Pool, Neighbours. Too many distractions. Until my Kitisuru home is complete, I will go work from office everyday. Wake up daily at 4am and sleep not later than 12am.
- Do What Daniels told me 1. Business Acumen. I am good in technical stuff, but I sometimes leave clients more confused when I throw some terms like MiTMA or NMAP in an explanation. I need to find a business writer for a lot of my paperwork.
- Do What Rashid told me 1. Salat! I missed a lot of prayers last year and even my Fasting was flawed. I need to become more religious this time round. Allah’s blessings come to those who seek them.
- Take my pool professional. Will actively participate on all pool tournaments in East Africa. Will enable me travel more and also meet new people on a social setup.
- Do what Jude/Rashid Told me. Get married. Make everything official.
- Do what Kelly Told me. My hacking skills are good and natural. We need to setup an organization to legally and ethically offer serious security consultancy to willing banks, corporates, ISPs and individuals.
That’s all folks.


