Thus Spaketh Idd Salim

Audio - But from where?

4 minutes, 35 seconds, 1 phone call, 3 possible sources.

Well, I was saddened to hear that gutter-press radio-station Classic FM really milked the whole sexually explicit audio and playing it on LIVE radio, in the MORNING. Just for Kicks.

Pathetic. Really.

Minor KaGayni (maybe just to confuse his enemies) was all over the clip. So I hear. Talking about a man having sex with a woman. As if he know anything about that. I might as well start talking about Budhism. Again, So I hear. I never listen to classic FM. Mainly because I don’t subscribe to content from people with an IQ of a shoe, and so, that is all I will say about classic FM.

The question the few Kenyans with a brain are asking is this. “Hiyo simu waliiskiza aje?”. The question the few coders/security analysts are asking is this. “Have phone-call interception equipment finally come to Kenya? Do we, FINALLY, have hackers who can do what Salim has been talking about, akatukanwa? Are our worst fears finally here? Should we be worried?”. So, I decided to demystify the source of the clip.

I remember in 2009, I was in a relationship with an insecure, controlling and hyper-jealous person. She had an employee at a local telco (no names mentioning, activating PussyMode…) on a ‘payroll’ and the employee would giver her a list of ALL SMSes and PhoneCalls that I had made everyday. All SMSes in a PDF and all calls in MP3. It is government policy that all Telcos MUST keep records of all phone-calls and SMSes for at least 6 months. If not stored properly and restricted (like the case is, sadly) it only costs KSHS 2k to get the data.

I tried looking at the Audio file in MP3 using Nyquist-Shannon sampling theorem and other audio analysis models and the results were outstanding. The recording came out as a perfectly flowing person-to-person convo. The convo took place and could not have been cooked. And so, I came up with these scenarios.

1 – A telco employee did it

As stated above, it is POSSIBLE and IT HAPPENS that phone call and SMS records can be sold. The question becomes, how comes it was ONLY this call that got out. How idle would a telco employee be, to sift through ALL the GBs of data to get this ONE call? Still, idlers exist. And there is something called luck.

2 – Muturi did it

Using a Smart or Smart-Enuff phone, one can record a phone call. Muturi might have recorded the call (knowingly or just automatically), found it funny as f*u*ck, and decided to share. Nicole would not have shared this. Stupid female pride would not have let her. Muturi would. Stupid male ego would not let him not share. “Muone vile madem hunikufia”.

3 – It was a studio-born viral prank call

High probability too. A ‘real’ phone call can be, unfortunately, manufactured. At the last few seconds of the call, we hear the credit/airtime beep. If a studio call, then this is a specially crafted section to add to LEGITIMACY. Stupid Kenyans must have been heard saying: “Si hata uliskia credit ikikatika. Ni ya ukweli.” How would someone willing to pay a cab and pika nyama not have more than KSHS 16.8 of credit?

Back to code!

Wazi.

Hacked? Really?

Well, today morning I woke up to a barrage of ‘Iz How?’ messages from my friends.

Rimbui, Msupa, Archer, Zack, Mumbi, Vuyanzi, Lisege etc were all in lamentation.

Seems that someone/something had gained access to my Twitter Account in the hours between 6am and 9am and was sending them ‘funny’ links.

We are not speaking Funny, HAHA here. But links with Spam content, porn and Man U games highlights. The kind of things we ALL abhor. I was stuck between being embarrassed and impressed by the ‘hacker’. So i decided to investigate.

This article should actually be on TechMataa.com‘s Hacking and Security Section, but I will post it here, and there, later.

So, How can this happen?

When it comes to site passwords [gMail, Google, FaceBook, Twitter, Ngwati etc], there are ONLY 3 ways that your account can be used by someone else without your permission:

1. Someone using an active session from a machine you have used but forgotten to log out of. e.g. A CyberCafe. This is the most common one.
2. Someone guessing/sniffing your password. If you use public spaces [iHub, NaiLab, KICC] and don’t have a complex password, this will happen. People will sniff your password if you are not using HTTPS.
3. 3rd party sites that you have allowed account access getting compromised. The site hacker now has access to YOUR account.

What twitter recommends:

Twitter has a support page for people whose account has been ‘hacked’. I won’t copy-paste here and try to sound all-knowing. Read from there and learn.

My additional thoughts:

1. Services like Google and WordPress offer you a link to ‘Log Out All Sessions’, even from machines you don’t/can’t access. Twitter does not, AFAIK. Always log out before leaving! Don’t allow public browsers to ‘Remember Password’
2. A paranoid solution to password sniffing is to always use twitter HTTPS, although this will make your sessions slower and make twitter servers busier. HTTPs should be used sparingly and only on actions that REALLY require a secure connection.
3. Use a strong password. Yes, this was my mistake. We know this is ONLY twitter. Not your server, or email. But use a strong password. My old password had not been changed since 2009 and it was something like salim123. Very easy to guess and brute-force. I know. I am totally ashamed by this. Learn from my mistakes. Your password should have at least a special character, caps and numbers. E.g. &mAdemw@Kenya! or #manUniM%sh0_ga.
4. Allowing access to third-party sites is a good things as it saves you from having to log in every time you need to use their services. However, be careful who you allow! Don’t allow perpetually, and occasionally, go to the twitter page for App permissions and see who you don’t need to allow any more and revoke the access.

Back to code…

Wazi.

I was all smiles yesterday when I checked the comments some people had posted on my blog from a certain employee of Temenos [Is that a Dentist Firm?? Sincerely, Sijui]. I was saddened by the fact that someone who can use a computer, in 2011, could reason like the Flintstones.

Here I am with a few REAL coders like AfroWave, SoyFactor and Muniu and real entrepreneurs like Mbugua and Majani. Hustling daily to bring out some true KENYAN SUCCESS STORY. Stories of people who started from NOTHING and became THE_THING.

If you ignore the wonderful Ushahidi and the bloated ELMA [Plus a few Cool Apps like AroundMe, MedKenya, Tuvitu, NikoHapa, c_360, m-Order], there are not many apps that we can talk about as Kenyan Apps out there turning heads. Of course, we wish to add to this in  September when my crew and I will finish some euberApps that we are working on.

The comment was something to the effect that : “If you were that Good, the the CEO of CS would hire you immediately.”. I was first offended. Me? Hired? Are you on drugs? But then it all came back to me. These people are in a small-thinkers circle. Go to school, cram and get good results, finish, get a job, climb the corporate ladder [Horizontally or Diagonally], die.

To these sad group, there is no room for real inventors. All of us must be employed and slaving for some boss somewhere to be seen as successful. If your question to “Where do you work?” is something close to, “Self-employed, IT Consultant or Startup”, If you ain’t hired, then you ain’t any good. It is this thinking, common among the mediocre, that always leaves one with a lot of month at the end of the money.

I started reminiscing on the fact that the reason that I am not working at ANY company doing anything close to telco and IT is by choice. The need to be free. The knowledge that I can go to work at 10am and leave at 9PM and no one asks me questions. It comes with discipline and sacrifice.

No wonder my CV has not been updated since 2009. What for?

Trust me, I am better off working for myself at a USD 4k project a month and bag ALL the money, that get involved in a BIG USD 2000000 project and take home a pathetic USD 2000-4000 paycheck per month. Sure, you will buy your vitz, when the real coders are still on ShoeBaru, but in time, the END justifies the MEANS.

But then again, not all of us were meant to be free thinkers. Some of us are comfortable sitting behind a computer screen and insulting all the hustlers out here. Yeah, Until you get fired.

Back to code

Wazi.

Salim Hatupendi

Well, we have all seen it. Kenyans love that word. Beef. Greet someone on Twitter and the fail to respond and some loser will post something like ‘#tweef’ or ‘#tweefAlert’. Whistle-blowers for something with no need for an alarm. People so sad, they wish everyone was as sad as them so as to feel important.

I say something in 2009 about the way the OLD but, now beloved, Safaricom was treating developers and giving access [like USSD etc] to only a few and ‘Salim has Beef with Safaricom’. Beef, Beef, Beef.

Is this the case of people talking about things they cannot afford? Beef?

Wait, Now IddSalim is beefing about these people with beef with him. Beef. Right?

You begin to wonder. Don’t these losers have a life? No wonder some gutter-press blogs get so much traffic. People always focusing on the negative and seeing/making trouble where there should be none. It is a habit. An annoying habit.

The difference between this blog and the gutter-press we know of is that these are things I can PROVE. Not CLAIM to be able to prove. But actually be able to.

Step In CS

I blog about the problems I have seen at Banking Websites done by CS and try to ‘tell them to style up and secure these sites before the russians come in’. But NOOO! This is an attack to their manhood.

People start following me on twitter asking me to ‘Hack to prove’. As if I was born yesterday.

Setting the record straight, I have no issues with CS. Even the fact that ELMA seems to be 72-apps-in-one does not bother me. Of course, with their m/billions, they can afford to give all the local developers a big ‘F Y’. It is like our own little China in Kenya. Come up with an Idea, and it will be part of the humongous ELMA tomorrow. To me, it is a local Snaptu on steroids. This is something about whose negative effects on the local dev scene I could blog about for a week.

But I choose to address real issues. Real Financial Risks. Real Insecure websites. Risks to innocent Kenyans.

I am not envious about their awards and BBC articles. Everyone has their 13 seconds of fame. What I fear for is the example they are setting to the Kenyan Kids. Someone once asked me, “But CS websites are insecure. Does that not show that you don’t REALLY need security yet in Africa for your solutions to sell?”. I was saddened.

I will be very happy to blog about the security revamps on the affected sites if CS can fix this. Until then, it is only fair to talk about the pregnant elephant in the room. Or, like most of us, we can ignore it and act as if everything is OK.

What do you think?

Back to code…

Wazi.