Thus Spaketh Idd Salim

I finally get to meet the Don himself. The man with the plan. The Ikkiest of the Ikkie.  good tribute for Heroes day. What a coincidence!

Most one-dimensional thinkers would classify me as an ANTI-SAFARICOM blogger because I have no shame or reservations when it comes to pointing out what they do wrong.

The same blade would shave Zain, YU or Orange of they mis-behaved. So, I am agnostic. Most of my blog posts are about Safcom, however, because they are the biggest. So naturally, they get the most scrutiny.

So, I have been invited to the elimisha.us meet-up to Ask MJ ONE question. And the question will be a summary of all my grievances.

What are Safaricom’s plans to aid local developers. Really?.

Well, knowing me, knowing me, I know I will talk about Facebook, mXit and LBS. I have alot to ask and I hope I get at least 90 seconds to rap.

Relax. I will be civil

Wazi…

Back to life…

Ni kama mapenzi yamekwisha

Yes. We know. This is Kenya. Might is right and even if you can bite, you don’t stand a chance in a fight.

It does not matter what you know and what you can do. What matters is who you know and who you can do.

That is why we have a city full of muggers who can code or have a degree in Nursing and PR. Errr…Ok, I meant ‘program’.. not code.

Real coders don’t like humans anyway.

And so it came to pass. Safaricom is finally feeling the brunt. They must have really borrowed all 10 leaves from this tree.

Once upon a time (in 2002-2003), Safaricom came to the Market and met Zain (in campus, hot and called KenCell then). KenCell was termed as a network for the rich. Per minute billing and all. KSHS 28 per minute.

Safaricom came in and flashed her thighs and sumptuous cleavage with Per Second Billing and the peculiar Kenyans jumped on her like flies on a carcass. Like they say, the rest is history.

Delusions of Grandeur

Now, 8 years later, Safaricom our once-faithful lover and mother of a few of our adopted/plagiarized kids like Sambaza, Mpesa, WhoCalled, Mkesho etc, has started to act as if on Menopause. She is suddenly feeling too big and too hot for the small person and we no longer go home. We, nowadays, sleep at the office and pass by Mrs Zain’s place on our way home, if we get back home. Home is no longer the abode.

Why has our relationship become so bad, Dr Marriage Counselor asks. Well here is how, DrMC.

Abusive Relationships and Rip-Offs

DrMC, When I have money on Mpesa, and I use it to buy airtime, that is NOT recognized as legit airtime. I never get the 50% top-up bonuses, Internet bundle discounts etc that I might get on promos when I use a scratchcard. It is as if airtime via MPESA is NOT my money.

Too Scandalous

DrMC, she never gets enough. Today she was seen shamelessly smooching with mXit while local developers have better and more local solutions. But since when you go black, you don’t go back, when she wants to go local, she wants to rob our local developers blind using one-sided NDAs and Terms. Check yesterday’s Sunday Nation and they are being sued over stealing mKesho from another local. Karma is a b#$ch.

Forgetting the small person

DrMC, Safaricom is Safaricom because of the Bamba 10, bamba 20 and Bamba 5 airtimes. They were perceived as the network for the poor and low-spenders. Now she has gone to Westlands a few times and hanged out with ballers and she no longer values the small person. The small person now gets PUNISHED for topping up using small unites. Totally discriminative against the poor. This is even against our new constitution. Zain and YU on the other hand, welcome us all with open-arms and open-legs irrespective of our pocket size. Size does not matter to them. It is the thought that counts.

Chronically unreliable

You never know when or IF she will be at home nowadays. You might think that after the exodus of subscribers to YU and Zain, she would behave a bit since there is no network load. But Ohh no, not our beloved Safcom. She is too big and fly for that. Still we cant access customer care number, we are still treated as horny beggars when we go to their customer-service kiosks. The Mpesa system still experiences time-outs and has no up-time guarantee.

DrMC, I have had enough and thanks to my prenapse, she will get nothing once I finally sign these divorce papers. Zain and YU currently satisfy all my SMS and Call needs and even though their data-package is still wanting, I will persevere for a few months for them to get 3G.

Back to code!

Wazi.

One API to rule them all...

Great day today for Kenyan coders. Ok, let us say, EastAfrican Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes method. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is to human; not to octopus.So, the hustle continues.

As a CSR, being  head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before Mid May 2010. But one thing did not lead to another, and we had to inevitable delay the launch.

Well, here it is now. The API. The EuberAPI. One API to rule them all.

Download the API NOW!!

So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, Immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API in 5 seconds. Anyone who can copy-paste, can use the API.

Safaricom have indirectly played ball this time round, so flawless end-to-end mPesa support is the first feature of the API. I hope this will not make them Mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working mPesa support and share your thought on the approach, the model, the logic and the illogic.

If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!

Like all my friends will tell you (real friends, not facebook jokers), I believe in seeing, showing and action. Si mdomo mob. So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast !!

Wazi.

-Salim, Idd

So, Today at 9:54am, I checked in after a thorough security search for metals and other things like screw drivers, hacksaws and pangas etc; stuff that can be used to HACK servers. (Fck! As I blog here, I remembered just I LEFT MY ID THERE!)

So we were welcomed with the usual ‘leteni IDs’ Kenyan greeting and we waited to be led to the training room. I sat on row 1 and the training started at 10:01 Sharp. Bwana Dennis Makau was out tutor and this guy really knows his stuff. Lively and not a boring monologuesue jamaa. He took us through all we wanted to know. He had rich knowledge of kila kitu. 10 outta 10.

Mpesa is REALLY one powerful tool, especially to developers.

Then came the tea break. I stole the chance I took my time to take the SmartTV ladies and the Sarova team on hwo they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com to maximize their profits and improve customer care, to a level Mpesa does not deliver – Last mile.)

After my pitch, Still at the tea-break, I checked out the Dell Sites and Gmail and Decided, “let me check my website”. Ha! Bummer!

IddSalim.com is Blocked from Safaricom LAN

And then came the hack

As you would expect, I couldn’t just sit there with all my skills. So i decided to chokora kiasi.

No, I did not escalate my privileges, get access to MJ’s PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a Whitehack hacker, remember? I just prodded the systems. I discovered quite a few things.

1 – Mpesa Web Interface source code is susceptible to SQL Injection.

Mpesa Input not 100% Sanitized.

I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.

But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.

As a business tool, the Mpesa web Interface is perfect. But it’s security was well-thought… well-googled… but not well-consulted.

Back to code!