Zunguka
Hacking mPesa for fun and profit [Part 1 of 4]
by Idd Salim on Sep.01, 2010, under Coding, Symbiotic, Zunguka

Mpesa : Well thought!
Well, I am always up for a big challenge. Ask all the neighbour’s daughters in my estate and they will testify. So, over the last week, since the inception of the pZ gateway, I have been privileged to have a lot of spare time to study the internal aspects of Mpesa, especially the IIS-based (cringe!!) web interface.
Mpesa is a VERY secure system. Well-thought and very polished.
But that is just for the average hello-world pinging -t and script-kiddie hackers we see around here.
There are 2 types of hacks I have discovered for the Mpesa system, especially the web interface.
- Constructive Hacks – That can help you as a C2B or B2C client use Mpesa better and more effectively. I will share these mostly on this blog.
- Destructive Hacks – Hacks that can make you vulnerable to fraud based on some small details overlooked by Mpesa developers. I won’t share these, of course, due to my moral and societal obligation as a WhiteHat.
Hack 1 of 4 – Porting Mpesa to Mozilla Firefox.
One of the biggest headaches about the Mpesa web interface is that it supposedly works *only* on IE6/7/8 on Windows XP. Not Opera. Not Firefox. Not Unix. I have visited a lot of client sites where they keep a spare PC just for Mpesa. How sad!
Well, the good news is that this could not be further from the truth! Mpesa can work on Vista. Mpesa can work on Firefox. Mpesa can work on Ubuntu and even on Lynx. The “IE only” part is nothing more than a client certificate that happens to live inside IE’s certificate store; move the certificate and the browser restriction goes with it.
“Share, Salim!! How do we make Mpesa work on Firefox!! Please Share!!”, I hear you shouting. Relax. I will share. For Free.
Step 1 – Get your certificate from Voda
Go to https://vmtke.ca.vodafone.com/certsrv/ in IE, log in and request your client certificate.
Important: when requesting, mark the keys as Exportable. Without this, IE will refuse to export the private key in Step 2 and the certificate will be stuck in that one browser profile.
After about 24 hours, once the request has been approved, come back to the same site and install the issued certificate into IE.
Step 2 – Export the Keys from IE to a File
Click on :
- Tools [menu]
- Internet Options [menu]
- Content [tab]
- Certificates [button]
- Select the ‘Vodafone MT KE 2009′ Certificate and click on Export
- Click Next
- Select ‘Yes, Export the private Key’ – Click Next
- Select ‘Personal Information Exchange – PKCS #12 (.PFX)’ and enable strong protection – Click Next
- Enter a password and confirm it. Important: save this password nowhere! Memorize it. It is the only thing protecting the private key inside the file. – Click Next
- Browse for a file name and save the Certificate + Key combo, e.g. my_mpesa_cert.pfx. Treat this file like a password: anyone who has it and knows the password can log in to the Mpesa interface as you.
Step 3 – Import the Key to Firefox. Any OS, Any PC
Open Firefox and follow the following steps
- Open Mozilla Firefox.
- Click Edit in the top menu and select Preferences from the drop-down menu (on Windows it is Tools, then Options).
- Click the Advanced icon.
- In the Certificates section, click Manage Certificate.
- Click Import, and choose the .pfx file you exported in Step 2 (my_mpesa_cert.pfx).
- Enter the password when prompted. It is the same password you set during the export.
- Click OK. The new certificate is listed in the Your certificates tab.
- Restart Firefox, open https://www.m-pesa.com/ke/ and voila!!
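Here is what those three steps actually shuffle around, as an added example (an editor’s throwaway script, not anything from the original post, from Voda or from the Mpesa site). The .pfx is a PKCS#12 container holding the certificate and its private key together, locked with the export password. The script builds a stand-in identity with OpenSSL (a self-signed cert in place of the Vodafone-issued one), packs it into a .pfx the way IE’s export wizard does, unpacks it again as PEM files, checks that the key really belongs to the cert, and shows that a wrong password gets you nothing. It assumes openssl is on PATH; the password, paths and CN are made up.

```shell
#!/bin/sh
# Added example (not code from the original post): what the IE export / Firefox
# import actually moves around is a PKCS#12 (.pfx) file holding the client cert
# AND its private key. Rebuilding that file with OpenSSL shows why it works in
# any TLS client, and what a wrong password does.
# Assumptions: openssl is on PATH; the self-signed cert below stands in for the
# one issued by the Vodafone CA; names, paths and the password are made up.
set -e

WORK="${TMPDIR:-/tmp}/mpesa-pfx-demo"
PFX_PASS="correct-horse"   # stand-in export password; never put a real one in a script

# Throwaway key + self-signed cert standing in for the issued client certificate.
make_test_identity() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-mpesa-client" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Step 2 equivalent: bundle key + cert into PKCS#12, which IE calls PFX.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "demo client" -out "$WORK/my_mpesa_cert.pfx" -passout "pass:$PFX_PASS"
}

# Step 3 equivalent for non-browser clients (curl, lynx): split the .pfx back
# into a PEM key and a PEM cert. Fails (non-zero) when the password is wrong,
# because the PKCS#12 MAC check does not pass.
import_pfx() {
    pass="$1"
    openssl pkcs12 -in "$WORK/my_mpesa_cert.pfx" -passin "pass:$pass" \
        -nocerts -nodes -out "$WORK/imported_key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$WORK/my_mpesa_cert.pfx" -passin "pass:$pass" \
        -clcerts -nokeys -out "$WORK/imported_cert.pem" 2>/dev/null
}

# Sanity check after any import: the key must belong to the cert. Compare the
# SHA-256 of the public key taken from each side.
key_matches_cert() {
    [ -s "$WORK/imported_key.pem" ] && [ -s "$WORK/imported_cert.pem" ] || return 1
    k=$(openssl pkey -in "$WORK/imported_key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/imported_cert.pem" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Subject line of the imported cert, what Firefox lists under "Your certificates".
imported_subject() {
    openssl x509 -in "$WORK/imported_cert.pem" -noout -subject
}

run_demo() {
    make_test_identity
    export_pfx
    if import_pfx "wrong-password"; then
        echo "BUG: import succeeded with the wrong password" >&2
        return 1
    fi
    import_pfx "$PFX_PASS"
    key_matches_cert
    echo "imported: $(imported_subject)"
    # The same PEM pair now authenticates from any TLS client, e.g.:
    #   curl --cert "$WORK/imported_cert.pem" --key "$WORK/imported_key.pem" https://www.m-pesa.com/ke/
}

run_demo
```

The point for Hack 1: the file is the credential. Firefox on Ubuntu, curl, Lynx and IE all read the same PKCS#12, which is exactly why “IE only” was never a real restriction, and also why the .pfx plus its password must be guarded like a login.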
I can see Kasomo and Alitsi smiling, because I have just unmasked one of the biggest security PLUSES of Mpesa: that it thrives through security. Words like FireBug and the Firefox Web Developer Toolbar come to mind. But be nice. Be positive.
Have fun!
Back to code kiasi (a bit).
Ohh Happy day, Ohhh API day!!
by Idd Salim on Jul.20, 2010, under Google and Africa, PayPal and Africa, Symbiotic, Zunguka

One API to rule them all...
Great day today for Kenyan coders. Ok, let us say, East African Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes way. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is human; not octopus. So, the hustle continues.
As a CSR, being head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before mid May 2010. But one thing did not lead to another, and we had to inevitably delay the launch.
Well, here it is now. The API. The EuberAPI. One API to rule them all.
Download the API NOW!!
So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL, and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API, within 5 seconds. Anyone who can copy-paste can use the API.
Safaricom have indirectly played ball this time round, so flawless end-to-end Mpesa support is the first feature of the API. I hope this will not make them mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working Mpesa support and share your thoughts on the approach, the model, the logic and the illogic.
If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!
Like all my friends will tell you (real friends, not Facebook jokers), I believe in seeing, showing and action. Si mdomo mob (not a lot of talk). So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast!!
Wazi.
-Salim, Idd
My Interesting half-day at Safaricom headquarters, Westlands
by Idd Salim on Jul.14, 2010, under Symbiotic, Zunguka
So, today at 9:54am, I checked in after a thorough security search for metals and other things like screwdrivers, hacksaws and pangas (machetes) etc; stuff that can be used to HACK servers. (Fck! As I blog here, I just remembered I LEFT MY ID THERE!)
So we were welcomed with the usual ‘leteni IDs’ (bring your IDs) Kenyan greeting and we waited to be led to the training room. I sat in row 1 and the training started at 10:01 sharp. Bwana Dennis Makau was our tutor and this guy really knows his stuff. Lively, and not a boring monologue jamaa (guy). He took us through all we wanted to know. He had rich knowledge of kila kitu (everything). 10 outta 10.
Mpesa is REALLY one powerful tool, especially to developers.
Then came the tea break. I stole the chance and took my time to take the SmartTV ladies and the Sarova team through how they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com) to maximize their profits and improve customer care, to a level Mpesa does not deliver: the last mile.
After my pitch, Still at the tea-break, I checked out the Dell Sites and Gmail and Decided, “let me check my website”. Ha! Bummer!
And then came the hack
As you would expect, I couldn’t just sit there with all my skills. So I decided to chokora kiasi (poke around a bit).
No, I did not escalate my privileges, get access to MJ’s PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a WhiteHat hacker, remember? I just prodded the systems. I discovered quite a few things.
1 – Mpesa Web Interface source code is susceptible to SQL Injection.
I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.
But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.
As a business tool, the Mpesa web interface is perfect. But its security was well-thought... well-googled... but not well-consulted.
Back to code!
My Beef with YouTube and NTV Uganda
by Idd Salim on Jun.28, 2010, under Personal, Symbiotic, Zunguka

NTV - Turning off Youtube Channels...
Yesterday was a VERY sad day for me, an ardent Youtube user.
Well, as my confidants might know, I was living in Uganda from 2004 to 2008. Then I realized that unless I was selling matoke, there was no place for a coder like me there. I was always speaking Greek and talking of ‘advanced systems’. So I decided to come back to Kenya.
In 2007, some friends in Uganda and I decided to start a YouTube channel and named it Ndazi TV (NTV). This was meant to be a joke site for lovers of quarter-ndazi like me, Danoch, Sibelenje and Cris Kiagiri. All Starehe boys LOVED quarter ndazis.
So, we registered the channel : http://www.youtube.com/ntvuganda
Then come 2008, Kenya’s NTV station started broadcasting in Uganda as NTV Uganda (A TV Station). I sent various proposals their way via email detailing how they could create a station-buzz using technologies like email, web, social media and SMS. They called me on various talk shows like Money Matters etc.
Little did I know, that NTV would screw me in the rear orifices.
So on 24th July 2009, After I had relocated to Nairobi, I got an email from Robert Samuel Muganga of NTV Uganda. it read:
Hullo Sir;
I am called Robert Samuel Muganga, an IT/Tech Support Engineer with NTV – U.
I got your address from Rosemary, and yes for some time now we have
perused through the channel on a request from administration.
It appears that due to the changes to the company group policy, all
divisions including NTVU are required to have a web presence with Youtube
only that by the time we checked we already had a presence to which we had
control over the content. Would you please kindly relinquish the passwords for this channel. We
would highly appreciate that sir.
Best Regards
Robert Samuel Muganga
IT/ Tech Support Engineer
NTV – Uganda
I was appalled! Now NTV wants to take what was rightfully mine!
I replied apologizing for the name collision stating it was purely coincidental.
So, they did not respond or contact me again, but last week, to my utter HORROR, it appears they had contacted YouTube, who YANKED me off my Ndazi TV network, deleted ALL my content, changed my passwords and handed the channel over to NTV Station.
Wazi.
Of genius Kenyans and the ‘yangu-ni-yangu’ curse
by Idd Salim on Apr.20, 2010, under Bwana Kukubo, Coding, Personal, Symbiotic, Zunguka
Long time ago, when the word ‘gay‘ meant ‘to be happy’, I used to do ALL aspects of a system myself. From idea, conceptualization, wire-frames, testing, debugging, installing etc. This was mainly due to the misguided Idea that:
- No one around was good enough to do exactly what I wanted and I had to do it myself.
- No one could be trusted as a code/project partner and that everyone was a SurfCon just waiting to understand, then pounce on my Idea and steal it.
- Everyone was busy with their own hassle and no one cared about my bizarre ideas.
And so, night in, night out, I coded deep into the night. Coding alone and debugging endless projects. Until I learnt one word: DELEGATE. This article from About HR changed my whole view. I stopped being a do-it-all coder and started being a live-like-a-human coder. Delegation does not mean you are weak. It enables you to focus your strengths on the real meat, while you, proverbially of course, ‘let the garbage-man handle the garbage‘.
Whether it is coding, running a shop or even trying to get laid, you need to delegate some parts of the entire puzzle, to achieve the final, expected result.

The word GAY might have evolved in meaning, but certain success principles remains the same
The Curse of Yangu-yangu
Directly translated to mine-mine, yangu-yangu is a street phrase depicting that the owner of the object [idea, item, place etc] will NOT share under whatever circumstances, even if sharing would improve the loot and bring MORE for everyone on the table.
A certain Kamaray, once posted a comment on my blog talking about this and how it affects Kenyans :
Nice piece…time the talking stopped and the “cash-ing” started.
1 Problem : Kenyans don’t share : Coder dies with brilliant code, Marketer dies with brilliant marketing strategy, Finance guru dies with financing connections……bring them together….BAM!
This is what I feel Kenyan need. A Symbiotic relationship. A convergence of thinkers, doers and talkers who all work towards filling a common bucket.
If a good coder can find a brilliant marketer, and a finance guru puts all the other pieces together, then this will be a story worth writing home about.
Back to code!
Adios!