Thus Spaketh Idd Salim

Symbiotic

The laughable irony of Western Union and Safaricom on UK remittances

by Idd Salim on Mar.15, 2010, under Bwana Kukubo, PayPal and Africa, Personal, Symbiotic

Well, as usual, I don’t sugar-coat my thoughts so as to appear compliant and non-rebellious. If you don’t like the truth, go to Facebook and poke Arunga.

So, with all my un-dying love and admiration for Safaricom and the everlasting hope that one day they will hire me as a sweeper, I was perplexed the other day to find out that they had partnered with Western Union, KenTV and Provident Cap to enable someone in the UK to send money to you, via Mpesa. Of course, as always, at the cost of an arm and a leg.

Mpesa Success Factors

Kenyans are cheap. And have cheap phones. So how do you make money from this cheap lot? Create a USSD service, like Mpesa. I somehow believe that this is why Safaricom has only opened USSD access to MobilePlanet, its sister company. So that the REAL Kenyan hard-code coders don’t get to innovate. Imagine if USSD was OPEN? So, unless you are hired by MP, sorry, no USSD for you. But we all know. Real coders don’t get hired.

So, Mpesa was born. Actually not developed in Kenya. No public USSD access. Which did not surprise many. No one at MP is good enough to do a simple system like Mpesa.

Mpesa got it right. It works on USSD meaning everyone can use it. Perfect for Kenya. Perfect for Afghanistan.

I am sure if PesaPal or JamboPay or even Kasomo had done Mpesa, it would be fully automated and I would not have to wait for 48 hours for my KPLC bill to clear. I would have direct Mpesa-to-PayPal integration, Direct-and-2-way mpesa-to-bank integration and a fully automated Mpesa standing orders system to automatically send 50 bob airtime to all my friends every 6 hours.

This type of coding might seem complicated to beginners in coding, or even advanced VB coders, but it is stuff we do every day for fun. Reverse engineering Mpesa, hacking the HTTP public stack they have and USSD menu automation to automate such stuff. We are about to release a public Mpesa API. Open-source, of course.

I am also sure that if Kelly or Koros had configured those servers, you would NEVER have the 24-hour Mpesa down-times that cripple all your weekend plots. These guys KNOW their shiite. EuberAdmins. The capacity problems Safaricom always experiences are due to sending boys to do a man’s job. Talk of sending kindergarten kids to do KCSE.

What’s so funny?

This is how it works:

  • Go to any of the 19 agent locations in the UK. Yes 19. In the whole of UK.
  • Deposit money.
  • Your person gets it on their mpesa.

“Well, this is the same way it works in Kenya”, you say, “so where is the problem?”

The following are the problems that are NOT addressed by this model that I believe are already addressed by the PesaPals, LipaNets and JamboPays of this world.

  • Safaricom is using a model that has succeeded in the 3rd world in a first world country, ignoring all the reasons-for-success in Kenya.
  • The majority of people in 1st world countries have credit cards. They can do all this online. Why the African agents model in the UK? Safaricom would do well in passing the automation baton to LipaNet so that all UK users can do this ONLINE. No agents! Simply register a simple domain like www.mpesafromuktokenyawithoutusingwesternunionorkentvoranyoneelseforthatmatter.com and have people enter credit card details and you move that money directly to Mpesa. This is free advice because even my 5 year old daughter can do that.

It really beats me.

Safaricom have ALL the money, well, most of it. Why don’t they consult with local talent while doing some of these solutions? We come cheap and we are ok with sleeping at KenyaComfort. We don’t like the Hilton. Spending millions to invite foreign ‘consultants’ who know NOTHING about the African market and mobile dynamics.

End of rant;

Ohh.. Sorry.. back to code.

Meeting of the minds at MobileMonday Nairobi

by Idd Salim on Mar.12, 2010, under Bwana Kukubo, Coding, Sembuse, Symbiotic, Zunguka

MoMo Kenya

Well, on March 11, I had the privilege and the pleasure of meeting the creme-de-la-creme of Kenya’s Mobile Industry. The MoMo Kenyan chapter is official BABY! She is alive and kicking in Kenya.

The list is endless, but top of my mind was Paul Kukubo, Mark Kaigwa, Pratik, Forrest, Aly Khan Satchu, Kaburo, Lewela, Ronald Meru, Timo, Leon Asoyo Oywero, Kemibaro, Erik Hersman, Caroline Juma, Norman Gombe, Oscar from Zain… Just to mention those who smiled at me, shook my hand and spent some seconds to talk to me with either advice or questions.

Slowly, Idd Salim is becoming a celeb. Hehehehehehaters. Relax, man. Can’t a brother get some recognition?

Hersman stated that the world is waiting for Kenya’s version of FacebookMobile, but with focus on Local content and trends. I told him about our Zunguka Mobile site and he was pleasantly surprised. I smiled thinking, “A black Facebook on steroids. If only Symbiotic had 1/6473868 of the development investment/budget of Facebook. But no one believes in Kenya. We have to fend for ourselves!! Innovative Geniuses doing hand-to-mouth programming with emphasis on code-for-food-and-rent.”

Mark as always was happy and enthusiastic about our products like Sembuse and TumaSMS and hoped that GotIssuez could do a collabo with Symbiotic. I asked only one question: ‘Why not?’. There is a lot of content repetition in Kenya. What we need is content aggregation. Give and take. As in, Symbiotic.

Moses Kemibaro, the man whose mind is not narrow and got words like the mighty sparrow was next. “Salim, congrats, man. Your website was ‘Kenya’s Blog of the week’ in the Business Daily”. I had no idea! Thanks BDA. BDA March 11, page 17. Moses then introduced me to the great Aly. Well, the Kenyan Version.

I was most likely speaking from a whole meter below the Tall Aly. I think he was standing on his Wallet. Nevertheless, I am sure he got me verbatim when I explained how he could use the Sembuse platform to monetize his NSE Stocks Data on rich.co.ke and rake millions. Make the data go to the people, not make people come to your website for data. He was all smiles. Watch this space.

Ronald of Adtel and Norman of IMS told me sweet things I like hearing about some things we call USSD, MONEY and CHAPAA.

And then came a God-sent moment. No, not me finally speaking to a Female. I was doing dudes all night yesterday. I met this guy whose job is to get poor and orphaned kids from slums and teach them photo-shop, web design etc, and then empower them to be self-reliant with web jobs. I told him about Symbiotic being a Company formed by Old Boys from Starehe, who understand sponsorship and charity to the letter.

We are pamojaz with him and we got no Issuez with helping. I also suggested he talks to MobilePlanet. What I hear is that Safaricom has given ONLY MobilePlanet access to USSD and locked out all the other developers and PRSPS and these kids could really benefit from knowledge of USSD coding. Maybe at last in Kenya, we can see more innovative solutions on USSD rather than wait for a Semeni every 3 years. [Btw, I have no beef with Semeni and I believe it is a great solution. It is actually named after Semenya, a real champion of the people. But come on, this is Kenya. We have the best coders and thinkers on earth. Am sure we can do better if these APIs are opened.]. Or maybe my Informer meant Safaricon, and I heard Safaricom. I stand corrected.

Speaking of our Beloved Saf, I did not meet anyone from Safaricom at MoMo. Either they were not there, or maybe there was just no network.

Oscar, Bi Juma and the rest of the esteemed Salim-meeters were all positive and I am sure all this will come to a good end. Or is it a start?

Only time will tell.

Err, Code time it is.


10 Kenyans Under 32 will be USD Millionaires before October 2010

by Idd Salim on Mar.09, 2010, under Bwana Kukubo, Coding, Symbiotic, Zunguka

March 18, 2010.

It is the Tandaa Local Content Conference today in Nairobi. Thanks to ICT Board again.

I am at iHub Kenya and just heard Wanyama [@kenyafreelancer], say “What more do we Kenyans want? We have Fibre now”

I am at iHub Kenya and just heard Cynthia Muyoti of FabGuru say “Facebook has made my business better? 1391 fans to date and I am soon expanding my Shoes Business”

Seated next to me is Agosta Liko, Mbugua Njihia and John Karanja. I hear talk after talk. Aly Khan Satchu talks about how anyone can be rich and gives examples.

So I brainstorm with fellow coders and the question becomes; ‘How can Kenyan Coders be rich?’. Not the “i can afford to go out and i own a toyota” rich. Or the “I pay all my bills and my rent is always paid on time” rich. How about the “I look at the food names on the menu, not the price before I order rich”, or the “I am undecided whether to drive my Range or my Mustang today rich”.

50 Cent said ‘get rich or die trying’ [GRODT], but I tell you, try ‘get rich or get rich’ [GRoGR]. We are in a position never experienced before. So, for free as usual, I will list the top 10 opportunities that are there open-legged and wet and just waiting for Kenyan coders to smell the coffee and dive in and start making the old-Money conglomerate wish they could impregnate their daughters. Only coders?? Naaah! ANYONE can jump into the eChapaa bandwagon. It is free and there for everyone.

My Top 10

  1. Local Digital Content – Yes. Content is the buzzword. Enough Said. Anything you know [Yes, am speaking to Pamela, Wangechi and Anyanche] is sellable. Just grab word-press and google-checkout and walla!
  2. Content Discovery Tools – Coders. The challenge is yours. Java Applications, Desktop Applications. There is over KSHS 100M not made per month by PRSPs because of lack of content discovery tools. That is why the guys down South are inviting the likes of Symbiotic to go down there and consult on HOW to convert content and knowledge into wallet-content.
  3. Mobile Apps – Think of anything useful as a mobile phone app and there are 100,000 people who NEED it and will PAY 20 bob each for it.
  4. Mobile Games – Here we go again. The limit is only your imagination. Grab a keyboard and write some code!! Stop these silly excuses that ‘programming is hard’. I got a miserable B in KCSE and can code, so how much more can you!! But whatever you do, please don’t use VB.
  5. Hacking and Security – The silence is deafening, but the hackers are on their way. Be equipped to defend Kenya. Your hacking knowledge will be invaluable in 3-6 months time. Tick.. tock…
  6. Animation and Design – Some foreign jamaaz came here, partnered with HomeBoyz Studios and now are making millions of dollars per month. What are Kenyans doing? Facebook all day and complaining about how hard life is, how much of a parent-hater Esther Arunga is and how much money Ruto is stealing. Just stay right there.
  7. Kenyan Social Networks – YES. I said it. You can start your own Facebook tomorrow and become rich like crazy. There are 4M Kenyans with an Internet connection. This number grows by the day. There are only 580,000 Kenyans on Facebook. This is 14.5% of Kenyans with Internet. So what are the other 85.5% doing? Waiting for you to give them something better. Something Kenyan. Something more contextual. Just keep sleeping.
  8. Adult Sites – Ati Eish? We all know Kenya is the mdinyano capital of East Africa. An average slut makes KSHS 2,500 per night. And those are the cheap ones. Connect the clients and the vendors. Simple as! I won’t say anything more.
  9. eParty – Bring clubbing to the mobile phone. Hook people up to YOU on Thursdays, Fridays and Saturdays. Just charge each user 10 bob per week. Kenyans will pay.
  10. Your own WebTV Show – If you are that Kibera guy who can dance like MJ or that Kileleshwa bathroom singer, get heard online! Make some money. Sell yourself!

So the questions are: what do KENYANS want! Are you going to waste all day thinking up cocky status updates for Facebook and poking strangers who you mean NOTHING to, or are you going to monetize your time? Are you going to waste your life away in the digital world, or are you going to focus on what will really make your momma smile in public pointing at you and say, “yeah! that’s my baby!”. Are you going to complain all day about the government, corruption, the kaanjo and these bloody foreigners, or are you going to take control of your life?

Decide for yourself!

Ehh, back to code! Sorry, Timo.

And then came the Real Safaricom

by Idd Salim on Mar.04, 2010, under Bwana Kukubo, Symbiotic

On Tuesday, I had the pleasure of being in the same room with some very influential development oriented people. The meeting was held at ICT board, hosted by PK. Invited were Symbiotic, MobileMonday, Safaricom, Top PRSPS and Developers in the Kenyan Mobile Arena.

It was a good meeting of minds and well worth the time and effort. For once, I was in a room with some guys from Safaricom who had their brains bigger than their Egos.

Present

Paul Kukubo – Head of ICT, Lewela and Kaburo

2 Peters from Safaricom, Sylvia Mulinge,

Salim, Timo from SMC, Wesley from Letti Games, Cellulant, Adtel and IMS teams.

Absent

All other Jokers in the country.

Agenda

  • Why Safaricom is seen as a monster by Kenyan Software developers. Perception being that most ideas sent to Safaricom disappear at the Marketing department and get ‘stolen’ to make Safcom all these BILLIONS, while the real inventors languish in poverty.
  • How do we as inventors and developers work together with Safaricom and make a living out of code.
  • What are the key failure factors met by developers while dealing with Safaricom.

Punches and Kicks

The top 2 issues and responses are as listed below.

ISSUE: The current locus standi is grim and really pathetic. Wesley argued that Apple automatically gives the developer 70% shares and keeps only 30%. This encourages the developers to innovate and pays them immediately. Safaricom and the PRSPs take over 75% leaving the developer with a measly and satanic 25%. As if that is not enough torture and an abuse of human rights, the developer WILL NOT get paid until after 4 months. A Kenyan Mobile developer CANNOT live on code, unless they decide to follow the path of the weak and prostitute themselves and get employed.

RESPONSE: Safaricom expressed willingness to shift the revenue shares to the favor of the developer. Developers will get as high as 90% of the money they bring. Systems that bring DATA traffic and thus bring residual income to Safaricom, e.g. Sembuse from Symbiotic, will also attract special treatment and revenue share models from Safaricom.

ISSUE: There are SO MANY requirements from Safaricom before a developer can get to the platform where their services reach the market. CCK Licence, PRSP Licence etc.

RESPONSE: This challenge fell to the PRSPs. It is, obviously out of the Safaricom domain. Adtel and IMS expressed willingness to incubate developers and their systems [Apps, Games, Ideas] at a very sexy revenue share.

There is a positive vibe from Safaricom at last which might indicate the following:

  • The actual problem and cause of the ‘Safaricom ni Madogi’ movement in Kenya by coders is the red-tape between the entry-level marketing department and the upper tier. I remember going with a proposal to SafCom and Evah from VAS asking if we were ready to accept 5% revenue share while SafCom kept 95%. I felt like crying. Maybe she was joking. Meeting people higher up makes you realize that SafCom ain’t all that bad.
  • Safaricom have started to realize that Voice and SMS are dead! The next frontier for MSP Mkwanjalization is DATA and DATA driving solutions. Step in Java Developers!
  • Safaricom have started to smell the coffee. Which is good. Of late, they have just been inhaling the AC!

Lemmi go back to code. Mbugua is giving me that ‘you have not coded for 12 minutes straight’ eye! And No, Deno, Safaricom have not ‘onad me kando’ to do a positive blog about them. Good stuff is happening.


Safaricom M-Pesa becomes developer friendly

by Idd Salim on Feb.25, 2010, under Coding, PayPal and Africa, Symbiotic, Zunguka

Kenyan coders are all smiles. The real die-hards like Kasomo and Salim can’t stand up OK because the erection that the new Mpesa move generates has taken all the blood from the legs. We have been waiting for this. Now it is Here! With one blow of the keyboard, The Mighty Safaricom (not to be confused with the satanic Safaricon), have finally made our wishes come true.

We, at Symbiotic, can now finalize our ZungukaPay payment gateway and overtake all the wannabes in the market.

“What has Safaricom done, Salim?!!”, You ask

Well, something they should have done even before Semenya started growing hard Female nipples. Safaricom, of late, have decided to attach the Number of the Money Sender and Money receiver in the M-Pesa mReceipt. How simple is that, to the un-educated eye!! How cool is that to payment gateways developers!!

Maybe, even the guys at Safaricom did it accidentally, but let me not spoil this post.

Now I will have to re-do the payment modules I had done for TumaSMS, Sembuse, Sovaya and Zunguka… But I ain’t complaining.

Now I have a clear and valid reason to apply for a Safaricom Mpesa Business Account.

I will blog once the payment gateway is done.

Kudos Safaricom!


The consoling quiet before the big Kenyan bank hack bang!

by Idd Salim on Feb.24, 2010, under Coding, Symbiotic

Tick… tock… Tick… tock… Goes my HackOmeter. “Have they been hit yet?”, I ask myself. I switch on the TV to see if a Kenyan Bank has yet been hit. “Not yet”, I conclude. “I see voluptuous women flaunting naked in the streets and on billboards. Soon the rapists are coming.”, I tell my friends. And Ohh, what a sad day it will be.

The Topic for today is SMS Banking.

What it is MEANT to do:

SMS banking is a remote banking service via mobile phones. Upon each money withdrawal operation with a card account (purchase using a card, cash withdrawal in an ATM), the client connected to the SMS Bank system receives an SMS message with information on the transaction. Such SMS message usually includes the charged amount, part of the credit card number, date, time, and place of the transaction (shop or ATM location). Full stop! That is what SMS Banking was meant to be, should Be and Must remain as.

What it has been ABUSED to be:

But hang on, there. What about these services all over the news that allow a user to check balances, transfer money, stop checks etc, all from SMS (or USSD as in the case of Equity and Barclays)? Isn’t that what SMS banking really is?

Well, this is a classic example of Security Through Obscurity. Like walking at Tom Mboya at 2am waving a KSHS 1000 Note and reaching home safe. You won’t do that for long.

Shamelessly stolen from the RSA website:

We have all read about the iPhone and Blackberry SMS attacks and vulnerabilities. There is current commercially available (let alone black market) software that allows eavesdropping and spoofing of SMS. The lack of SMS confidentiality has been established by congressional members, city mayors, and international government officials in dozens of cases where their text messages were intercepted and made public. Like landline communication, cell phone communications including SMS should be considered to have no confidentiality.

An SMS can be:

  • Intercepted on its way from your phone to Zain/Safaricon/Safaricom.
  • Changed and edited [The content, the destination Numbers, The Source Number etc].
  • Delayed.
  • Deflected and even deleted before it ever gets there.

This can be done with equipment that costs less than USD 10,000 and also with techniques that anyone who knows the difference between Hellon and Arunga can master in a week.

How Can this be done?

There are 3 known ways to intercept communication between 2 sources that is sent via SMS:

  • Phone cloning – The best. Totally bamboozles the MSP Cell Towers [Saf/Zain]. They see two phones with same phone number, MIN and ESN. Very effective on CDMA networks but not as effective on GSM.
  • SIM Copying – VERY Illegal because it is 100% efficient. Clones the SIM and yours becomes active whereas the clone is dormant but receives copies of all your SMS and calls.
  • Patched Firmware – A very easy and common method is for a hacker to upload a super-firmware to their phone. This upgrade turns their phone into a super-phone radio transmitter and they can receive SMSes that are addressed to THEM and people AROUND them. You can really have fun with this at a club, a mall or a bus-stop.

Ever been robbed or attacked then the assailants returned your phone / SIM? Chances are you got cloned and all your phone-calls [as long as you are in the same Cell Area] and ALL your SMSES [irrespective] get delivered to YOUR real phone and its clone.

Where is the problem?

Ok. Enough phone hacking lessons. For those dumb enough not to grasp where the problem is, so far, please, allow me to reiterate:

  • Your SMSes are neither CONFIDENTIAL nor PERSONAL. Get over it! A recent article about how guys from SafCon sell data call and SMS records shows the first level of breach. Your data can be bought!
  • Your SMSes can be intercepted by hackers. SafCon can fire all those name-spoilers they hire, but your information is only secure from humans. It is NOT digitally secure. SMS and USSD traffic is rarely encrypted, if ever.
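An added illustration, not code from this post or from Symbiotic: one way a banking application can detect the modification, delay and deletion listed above is to authenticate every message at the application layer instead of trusting the SMS transport. The pre-shared per-customer key, the `counter|sent_at|tag|body` wire format and the two-minute freshness window are assumptions made for the example, and the sample messages are constructed.

```python
"""Application-layer integrity for SMS banking messages (added illustration)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TAG_HEX_LEN = 16   # 64-bit truncated HMAC-SHA256 tag, short enough for one SMS
MAX_AGE_S = 120    # assumed policy: refuse instructions older than two minutes


def _tag(key: bytes, counter: int, sent_at: int, body: str) -> str:
    # The MAC covers the counter and timestamp as well as the text, so none
    # of the three can be edited in transit by someone without the key.
    msg = struct.pack(">QQ", counter, sent_at) + body.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def seal(key: bytes, counter: int, sent_at: int, body: str) -> str:
    """Sender side: wrap a message as 'counter|sent_at|tag|body'."""
    return f"{counter}|{sent_at}|{_tag(key, counter, sent_at, body)}|{body}"


@dataclass
class Verdict:
    status: str                 # ok, malformed, tampered, replayed or delayed
    body: Optional[str] = None  # only set when status == "ok"
    missing: int = 0            # messages that never arrived before this one


class Receiver:
    """Receiving side: keeps the last accepted counter for one customer."""

    def __init__(self, key: bytes, max_age_s: int = MAX_AGE_S):
        self.key = key
        self.max_age_s = max_age_s
        self.last_counter = 0

    def accept(self, wire: str, now: int) -> Verdict:
        parts = wire.split("|", 3)      # body may itself contain '|'
        if len(parts) != 4:
            return Verdict("malformed")
        try:
            counter, sent_at = int(parts[0]), int(parts[1])
        except ValueError:
            return Verdict("malformed")
        if not (0 <= counter < 2**64 and 0 <= sent_at < 2**64):
            return Verdict("malformed")
        expected = _tag(self.key, counter, sent_at, parts[3])
        # Constant-time comparison; any edit to number, amount or time fails.
        if not hmac.compare_digest(parts[2].encode(), expected.encode()):
            return Verdict("tampered")
        if counter <= self.last_counter:
            return Verdict("replayed")   # a captured message sent again
        if now - sent_at > self.max_age_s:
            return Verdict("delayed")    # held back in transit, then released
        missing = counter - self.last_counter - 1   # deleted or deflected
        self.last_counter = counter
        return Verdict("ok", parts[3], missing)


def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"
    rx = Receiver(key)
    t0 = 1_700_000_000                      # constructed clock value
    m1 = seal(key, 1, t0, "PAY 500 KES TO ACCT-0001")
    m3 = seal(key, 3, t0 + 10, "PAY 200 KES TO ACCT-0002")  # message 2 lost
    edited = m1.replace("ACCT-0001", "ACCT-0009")           # changed in transit
    return [
        rx.accept(edited, t0 + 1).status,
        rx.accept(m1, t0 + 1).status,
        rx.accept(m1, t0 + 5).status,
        rx.accept(m3, t0 + 600).status,
        rx.accept(m3, t0 + 12).missing,
    ]


if __name__ == "__main__":
    print(demo())
```

The tag does nothing for the first item on the list: an intercepted message is still readable, so anything confidential in the body needs encryption on top of the MAC.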

What is MY problem?

Just your money, my reader. You don’t want all your hard-earned cash to end up in Nigeria, do you?

Why doesn’t Safcon [Not to be confused with Safaricom] etc do something?

Honestly, not their problem. You send SMSes, they make money. And it is not their mandate to SECURE these systems. They offer the ROAD. If you get into an accident on it, hard luck!

Is All Lost in the Mobile Banking Sector?

Not by a long shot. But that is a topic for another day, or you can skype/gmail/yahoo me @iddsalim so I can tell you HOW Symbiotic is countering this menace. Power through serious code.

Adios!

Back to code!


Why is Synovate lying again to us with their guessed statistics?

by Idd Salim on Feb.13, 2010, under Symbiotic

Well, someone once told me : “There is no group of people easier to lie to, than Kenyans”. I agreed. Especially the Kenyan non-gay male.

So, for the last 8 years or so, I have been reading reports from Steadman on how many people like Raila on Mondays and how many like Kibaki on Fridays after 2 bottles etc. I took them as gospel truth. There was no way of verifying these stats.

For things that I have no knowledge of, I always assume that the truth is what I am told by people who, I assume, know better.

But when someone grows the balls to LIE TO MY FACE about things I Know about, it really annoys me to the gut. Even more annoying than sitting with a Man Urinals FC fan. Are we that dumb?

Synovate are paid Millions of Kenya Shillings to research and report. But this time, they lied to my favorite news reporter, KK, at [HERE] and this really annoyed me. Thus Spaketh Synovate:

  • Kenya now has over 2 million registered users on Facebook.
  • Email is being discarded in favour of social networks like Facebook and Twitter by new Internet users in Kenya. One quarter of Kenyans who are online do not have email addresses.
  • 79% of Kenya’s Internet users are members of Facebook.
  • Daily and weekly internet usage in Kenya have both doubled in the last two years whereas monthly usage grew by over 80% in the same period.
  • Kenyan Internet users spend approximately 70 minutes online during each visit. This utilization is comparable to the average amount of time spent on television.

Ohhh.. Phullllleeeez!!! How about some facts. How about some REAL facts.

  • Kenya now has 561,000 registered users on FB. Not 2M.
  • Email is being discarded in favour of social networks like Facebook and Twitter by new Internet users in Kenya. One quarter of Kenyans who are online do not have email addresses. [Ohh dear!! You need an email address to register on twitter and facebook. Chicken and Egg, anyone?!]
  • Only 16.7% of Kenya’s Internet users are members of Facebook. Not 79%!! Where did they get that from. There are just over 4M Kenyans with Internet – [Check Here]

I could not bother with the rest.

It is one thing to tell Kenyans that KTN is the best TV today and that KBC is the best after they pay some few coins, but please, leave the Internet Data and Statistics to the open. This is FREE and IMMANIPULATABLE information that we CAN verify.

This time, SINNOVATE, you have been measured, weighed and found wanting.

Amen.

Back to code!


Safaricom unlimited bandwidth limited

by Idd Salim on Feb.02, 2010, under Symbiotic

As soon as my late grandma [mhsrip] told me ‘never bite more than you can chew’, she added, ‘when the palm-wine tapper is praised, he waters down the brew’.

I always blog about Safaricom because it is my hope that this big Kenyan company could up their game and style up to make sure their services and internal processes are up to scratch. But ohhhh, how disappointed I always am!

One of the biggest problems facing Safaricom is the glaring lack of capacity planning. At end of months and weekends when most mpesa transactions take place, there are always delays and outages. Obviously based on hardware constraints and total lack of responsible sysadminery.

The fact that Safaricom are just users of Mpesa and know absolutely zilch about the internal modus operandi, code and garbage collection in the Mpesa core system could be used to excuse them from the blame. They don’t own the Mpesa System like Zain owns Zap. But you would expect better from a company termed as the most profitable in Kenya.

It has become a common knowledge and a widely accepted fact that Safaricom are in business because Kenyans are always forgiving and ready to settle for mediocrity. Network congestion, Mpesa Outages etc are the order of the day.

The common phrase in town, ‘mpesa iko down’ [no pun intended] after mpesa servers go for lunch is generally acceptable. But watch out, Zap and yuCash are catching up.

Of late, Safcom have introduced an all-you-can-eat Internet bundle for 7 days at Kshs 999. To the uneducated and freebies loving majority of Kenyans, this is an offer from heaven. But this could not be further from the truth.

Imagine the JAM that would be on our roads if for one week the government offered FREE fuel for everyone. That is what is happening to Safaricom Internet.

The once famed 2MBPS pipe I could get now crawls at a pathetic 6Kbps.

Poor capacity planning. Once again.

The 999 per week journeymen are now jamming the lines and slurping all the capacity for the ardent daily users. You would expect Safaricom to demilitarize the Unlimited Net from the mainstream net, but hey, they are Safaricom. They can do whatever they want.

The unlimited internet bundle is now SO LIMITED, it should be converted to a company. Maybe they can do another IPO on it.

Maybe now I will even be banned from wearing green shirts. Adios!

Symbiotic To Adopt Kohana, Start Symbian and Blackberry programming

by Idd Salim on Jan.20, 2010, under Coding, Symbiotic

Our recruitment process went well. We interviewed over 30 bright and very talented young coders from all walks of life. Some came in suits, some came cycling. I was pleasantly surprised at how the education quality has improved at UoN and Strath. Kudos to the IT departments! So, after all was coded and debugged, we had to select like 4 to start with in our Q1 expansion plan.

SMC will now officially expand its programming docket. The following are the architectural changes we are undergoing and would like developers aspiring to join us in Q3 2010 (or just for sharing) to learn these skills because we pay well. Actually, any programmer who will join us with a working and ready-to-sell product [or killer idea], will get life-time equity on that product and we will adopt it into our mainstream.

  • Symbian Programming – We will be developing Symbian apps mainly using the Python programming language, but the good old, sexy, faithful and voluptuous Java ME will still be called upon from time to time. We will release a Symbian/J2ME game and 2 positively social apps in Q1.
  • Blackberry Programming – We will release a business tool for blackberry that will take EA by storm in Q1 2010. That is all I am allowed to say, so as not to get shot. SMC will be releasing information about availability on her (soon to be redesigned) main Website.
  • Kohana - No… Daniels. Not Kahuna. Just simple Kohana. We are going to ditch the Procedural programming practice and ACTIVELY use our OOP PHP and Python resources to redevelop all our websites using Kohana as the PHP Framework of choice. Sorry CakePHP, Symfony and all the other pretenders. Kohana had bigger balls. We will redesign all our clients’ websites ala Zunguka version 4, CitizenTV, Hot96 FM etc on Kohana…

I wish I had more time to blog about the 3 other things we are working on, but Mbugua is giving me that ‘Go back to code!’ eye…

Laters!


2010 – The year of the hack [Pt 1]

by Idd Salim on Jan.06, 2010, under Symbiotic

In 2006

As hackers in Kenya, we have always been taken as fact-less doomsayers and merchants of fear about an IT apocalypse.

I remember in 2006, from a 32Kbps line in my bedroom in Kampala, I hacked into a top Nairobi Stock brokerage firm registered with the CMA/NSE and downloaded their entire Database of Investing clients. The database, obviously, included some juicy details e.g. Names, Cell #s, Address, ID No, Trading History, Usernames and Passwords.

Being the Naive and PURELY technical hacker I was those days [No Business Sense or mentorship], I sent the MD and IT manager an email with the Database as a Zipped attachment and advised them on how to secure their enterprise and lock-out people. Maybe it is the Concoction of Matoke, Lumonde, Kallo and oBushere I had taken for lunch, but this was a very dumb move.

“You have just burned an opportunity to have these guys pay you through their noses!!”, said an irate and totally annoyed Mwaniki. “Next time, talk to me or get a BUSINESS PERSON to handle the BUSINESS for you. You are just a hacker”. Hmmn, so it turns out things I do for fun could rake big scrilla.

2 days later, I received an Email ridden with threats and gloating on how they can send cops to my house before I could spell the name ‘DjembaDjemba’ and have me locked up for good.

So, What makes Kenya a FAT Juicy Bulls-Eye for hackers?

A lot of things make Kenya a big fat juicy and warm err.. target.

  1. This is Kenya – Name me the country where Systems like Mpesa/Zap pioneered? Yeah, Kenya. Ushahidi? Kenya. This makes Software development houses a major target for Industrial IP espionage.
  2. No IT Criminal Law – Well, breaking into a place requires physical presence. So, technically, hacking isn’t breaking in. In some states in the US, for you to be convicted of Hacking, you must be caught LIVE actually logged on to the victim’s machine. The server/route logs from their ends are totally inadmissible. For all they know, states the rule, the machine could just be hacking another, and not the user. Logs can also be manipulated to show anything the SysAdmin wants them to show.
  3. Kenyans are too stressed to remember complex passwords – During all the times I have had to Prank-Call or Social Engineer an ISP Support desk or every time I have gone to a Dormans or a Java, I have concluded that Kenyans use the following passwords for Cisco Routers, Wireless Networks etc [1234124, 12345678901, p@ssw0rd, jesussaves, welovejesus, railatosha, hague]. Or if the username is kamau, the password is normally kamau123 or KamauMnoma or personal/Work/neighbour’s car Number Plate or Date of birth.
  4. Kenyans Trust the padlocks – A lot of times I have visited organizations [Not all of course] and have been given an IT tour. The conversation normally goes like this:

IT – “And this is our server room. You can see all the servers are securely locked in there with that huge padlock.”

Salim : “What firewall do you use?”

IT : “We have Fire Extinguishers and also motion detectors.”

Salim : “No, No. I meant, FIREWALL. To really secure the servers from intrusion. Internally and externally.”

IT : “That padlock is an original Solex, boss”

Salim : “OK. good.”

It is also a culture that most people use the same password for their PC, FB Account, Gmail, Chat etc. Usual Excuse : “I don’t want the stress of remembering like 30 passwords, boss!”
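The password habits described above can be screened for at the moment a password is set. The sketch below is an added example, not code from this post: the rule names, the de-leeting table and the KAA 123A number-plate pattern are assumptions chosen for illustration, and the deny list holds only the passwords quoted in the list above.

```python
"""Screen a new password against the habits listed above (added example)."""
import re

# Passwords quoted in the list above.
REPORTED = ("1234124", "12345678901", "p@ssw0rd", "jesussaves",
            "welovejesus", "railatosha", "hague")

# Undo common character swaps so 'P@55w0rd' folds to the same string as
# 'p@ssw0rd' (assumed table; extend as needed).
LEET = str.maketrans("@01345$7", "aoleasst")


def normalize(text: str) -> str:
    return text.lower().translate(LEET)


REPORTED_FOLDED = frozenset(normalize(p) for p in REPORTED)

# Assumed pattern for a Kenyan car registration such as 'KAA 123A'.
PLATE = re.compile(r"k[a-z]{2}\s?\d{3}[a-z]", re.IGNORECASE)


def weaknesses(password: str, username: str) -> list:
    """Return the reasons a password should be refused; empty means none hit."""
    reasons = []
    folded = normalize(password)
    if folded in REPORTED_FOLDED:
        reasons.append("reported-common")
    user = normalize(username)
    # kamau123 and KamauMnoma both embed the account name.
    if len(user) >= 3 and user in folded:
        reasons.append("contains-username")
    # Digits with optional separators: counting runs and dates of birth.
    if re.fullmatch(r"[\d\s./-]+", password):
        reasons.append("digits-or-date")
    if PLATE.fullmatch(password.strip()):
        reasons.append("number-plate")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("kamau123", "P@55w0rd", "14/02/1985", "KBX 452J"):
        print(pw, weaknesses(pw, "kamau"))
```

Password reuse across accounts, the other habit mentioned above, cannot be detected by a single site's check like this one; that is what a password manager with a unique password per account addresses.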

Who can/will be Hacked in 2010?

This is no indication at all that the cogs are already oiled and raring to go. Just plain fact-less prediction based on Obvious situations. If you are a pool player, you know that if a black ball is set, it will eventually be pocketed. What is in the plate, will eventually be eaten.

The following are my personal top 5:

  1. The Stock Market – I will not be surprised to wake up one day and find the price of Safaricom shares is 15 bob. Definitely, the regulations protect the Market against such differentials, but what about the confidence of the oblivious investor? One of the Arms of the Trio [NSE, CMA, CDSC] has a very insecure setup that could be the Achilles heel for a skilled/semi-skilled hacker.
  2. The Banking Sector – A lot of banks are jumping onto the SMS and Online banking bandwagon. I must agree I accept the software models and security architecture of some of the players, but MOST banks seem happy to just fire up an IIS box with default settings, throw in some insecure code and walla! They have an online banking system!
  3. Social / eCommerce Sites – The advent of fibre brings with itself a surge of websites and me-too replicas of social networks and eCommerce and payment platforms. Quite a number are designed with a very strict methodology taking care of performance and security concerns, but there are still a lot of vulnerable apps in terms of data sanitation and business logic.
  4. Government Websites – A great percentage of Government websites are done gung-ho by just setting up a quick installation of Joomla or Drupal. There is no differentiation between CMS implementors and actual web developers worth their salt. I have a bad feeling the reliance on the security features of the CMSes and the reliance on the un-educated CMS guru for security will have bad ramifications. Let me not even list the government websites that have been recently hacked.
  5. Individuals/SMEs – Corporates and SMEs normally need a one-time secure setup by a seasoned pro and then everything runs smoothly. Behaviorally, to save cost, new devices and configurations are added to the LAN without consulting the pro, later on. The adding of new items and possibly the need to change [read adulterate] the secure settings leads to an insecure environment. A lot of reasons e.g. espionage [delete all their data because they are my competition], Disgruntled employees, Ex-staff with access etc make the SMEs a risk factor. Again, since most ISPs have the same/default password for their equipment [for ease of remembrance for the techies], a hacker can hop from Zimmerman to Hurlingham Zombifying home computers without even the owner smelling the trap.

That’s the news!

Back to code..
