Thus Spaketh Idd Salim

One API to rule them all...

Great day today for Kenyan coders. Ok, let us say, EastAfrican Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes method. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is to human; not to octopus.So, the hustle continues.

As a CSR, being  head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before Mid May 2010. But one thing did not lead to another, and we had to inevitable delay the launch.

Well, here it is now. The API. The EuberAPI. One API to rule them all.

Download the API NOW!!

So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, Immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API in 5 seconds. Anyone who can copy-paste, can use the API.

Safaricom have indirectly played ball this time round, so flawless end-to-end mPesa support is the first feature of the API. I hope this will not make them Mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working mPesa support and share your thought on the approach, the model, the logic and the illogic.

If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!

Like all my friends will tell you (real friends, not facebook jokers), I believe in seeing, showing and action. Si mdomo mob. So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast !!

Wazi.

-Salim, Idd

This is part 1 of 3 of my Facebook Notes sequel on the pain I went through before getting my passport at Nyayo House, mainly because I had Muslim Names, despite the fact that I am a Meru.

At this point, I had already paid the mandatory fees, submitted my Birth Certificate, ID, PIN etc… All that was documented as mandatory documents in the application forms. I had also waited for double the 2 weeks waiting period. All I had planned to do that day was just go pick up my passport.

Ohh no! Not with the names ‘Idd Salim’, I came to lean painfully!

9:16 am
Went to outside tent and was referred to counter 14. Went to counter 14.

Attendant : ‘What are your names?’,
Me : ‘Idd Salim’
Attendant : ‘Enda Counter 13′,

Went to counter 13 with a smile. ‘YES!! Gonna get it leo!’, I thought. Met this annoyed lady in specs.

Me: ‘Habari ya asubuhi Madam’
Attendant : ‘Leta receipt na ID!’,
Me: ‘Ok.. Shika hizi hapa’
Attendant: ‘Ati Idd, Salim? Come after 3 weeks!’
Me: ‘But I was told passports are ready in 2 weeks max. And I applied 4 weeks ago!’
Attendant: ‘Next!!’

So I go back to the tent outside. Greeted the same tent lady with my usually charming smile and radiant eyes.

Me : ‘Madam, Nina complaint. I was told it will be ready in 2 weeks, na 4 weeks have passed. Sasa naambiwa nirudi after 3 weeks.’
Attendant: ‘Kama una haraka, enda ukacomplain kwa mdosi.’
Me: ‘Mdosi? Mdosi mgani?’ – I actually thought she was talking about Kibaki.
Attendant: ‘Enda room 16.’

At room 16, I met a very warm and friendly mdosi. (Funny how in Kenya, it is ONLY the small insignificant people who give you hell in all aspects of life. The wadosis are ALWAYS cool and OK.). he listened to me with empathy and checked my receipt and ID and took out a note-pad.

Mdosi : ‘Enda First floor and look for Ndambuki. Atakusaidia. Usiwe na shaka’

Went to first floor (OK, second floor then u take the back corridor fire-escape stairs to floor 1). Meet nice and smiling people willing to help all over. ‘Kwa Ndambuki ni pale’, One directed.

Kwa Ndambuki. Knock! Knock!, I greet a madam I found there. ‘I have been sent to meet Bwana Ndambuki’.
Lady :’This is his office, lakini ametoka. But I can help you. Leta receipt na ID’. She types in a URL of the Immigration System running as a JSP Web Service. ‘Url Not found!’

Lady : ‘Hii computer yangu ina shida, so let me call someone to help. Calls some extension and gets the Bad News.’:I Overhear : ‘Ati Muslim Name.? Ni suspect? Lazima Interview? OK’. She says : “Wewe enda room 8, Tafuta Bwana Lang’at”‘

Room 8. Closed. Waited outside for 20 Mins. The comes a gentleman called Lang’at.

Me : ‘Nimetumwa kwa Bwana Lang’at’
Lang’at : “Ni mimi. Karibu Kiti.” – Very warmly and in a read-to-serve mode.
Me : ‘Sasa niliapply for passport 4 weeks ago, na bado’
Lang’at : “Ehh! That is so LONG bana. Lemmi check. Hii tutamaliza leo. Usijali. We are here to serve you’. – Ohh!! what a good change in the government lingo.
Lang’at : “Ahh! Kuna shida hapa. Idd Salim. Hmmmn…”. – He refers me to the next desk.
Lang’at : “Saidia huyu Kijana. Ni Muslim, but from Meru. Mpe recommendation apate Passport. Go to his desk”

Guy 2 : ‘Ati Idd Salim. You will Never ever get a Kenyan Passport with those names’. He shows me some examples of Kenyan Names.
Josephat Njorge Mwaura, Owino Ochieng Omondi, Kimani, Wachira, Lagat, Chepdinya, Omolo.
Guy 2 : ‘Did you see any Abdi or Jamal or Salim there?’
Me : ‘So tufanyeje mzee. Mimi nataka tu passport’
Guy 2 interviews me about my parents. I am from a single-parent family and my only parent (my mum), died in 1998, December 28th.

Guy 2 : “Because of this Salim Idd names. You will never get a passport unless you bring your mum’s death certificate and birth certificate” – tears fill my eyes. Damn! I thought I was strong, but the mention of my late mum exposed the pain of losing a loved one.

Guy 2 : “Ungekuwa unaitwa Kimani ama Omondi ama other Kenyan names, Saa hii hii ningekupa passport.”

Guy 2 : “Last option, look for her National ID”…. What?????

Back @ Office

So I am googling for that ID. And unless I get it. No Passport.

On Tuesday, I had the pleasure of being in the same room with some very influential development oriented people. Meeting was held at ICT board, hosted by PK. Invited were Symbiotic, MobileMonday, Safaricom, Top PRSPS and Developers in then Kenyan Mobile Arena

It was a good meeting of minds and well worth the time and effort. For Once, I was in a room with some guys from Safaricom who had their brains bigger than their Egos.

Present

Paul Kukubo – Head of ICT, Lewela and Kaburo

2 Peters from Safaricom, Sylvia Mulinge,

Salim, Timo from SMC, Wesley from Letti Games, Cellulant, Adtel and IMS teams.

Absent

All other Jokers in the country.

Agenda

• Why Safaricom is seen as a monster by Kenyan Software developers. Perception being that most ideas sent to Safaricom disappear at the Marketing department and and get ‘stolen’ to make Safcom all this BILLIONS, while the real inventors languish in poverty.
• How do we as inventors and developers work together with Safaricom and make a living out of code.
• What are the key failure factors met by developers while dealing with Safaricom.

Mangumi na Mateke

The top 2 issues and responses are as listed below.

ISSUE: The current locus standi is grim and really pathetic. Wesley argued that Apple Automatically gives the developer 70% shares and keeps only 30%. This encourages the developers to innovate and pays them immediately. Safaricom and the PRSPs take over 75% leaving the developer with a measly and satanic 25%. As if that is not enough torture and an abuse of human rights, the developer WILL NOT get paid until after 4 months. A Kenyan Mobile developer CANNOT live on code, unless they decide to follow the path of the weak and prostitute themselves and get employed

RESPONSE: Safaricom expressed willingness to shift the revenue shares to the favor of the developer. Developers will get as high as 90% of the money they bring. Systems that bring DATA traffic and thus bring residual income to Safaricom, e.g. Sembuse from Symbiotic, will also attract special treatment and revenue share models from Safaricom.

ISSUE: There are SO MANY requirements from Safaricom before a developer can get to the platform where their services reach the market. CCK Licence, PRSP Licence etc.

RESPONSE: This challenge fell to the PRSPs. It is, obviously out of the Safaricom domain. Adtel and IMS expressed willingness to incubate developers and their systems [Apps, Games, Ideas] at a very sexy revenue share.

There is a positive vibe from Safaricom at last which might indicate the following:

• The actual problem and cause of the ‘Safaricom ni Madogi’ movement in Kenya by coders is due to the red-tape between the entry-level marketing department and the upper tier. I remember going with a proposal to SafCom and Evah from VAS asking if we were read to accept 5% revenue share while SafCom kept 95%. I felt like crying. Maybe she was Joking. Meeting people higher up makes you realize that SafCom aint all that bad.
• Safaricom have started to realize that Voice and SMS are dead! The next frontier for MSP Mkwanjalization is DATA and DATA driving solutions. Step in Java Developers!
• Safaricom have started to smell the coffee. Which is good. Of late, they have just been inhaling the AC!

Lemmi go back to code. Mbugua is giving me that ‘you have not coded for 12 minutes straight’ eye! And No, Deno, Safaricom have not ‘onad me kando’ to do a positive blog about them. Good stuff is happening.

Tick… tock… Tick… tock… Goes my HackOmeter. “Have they been hit yet?”, I ask myself. I switch on the TV to see if a Kenyan Bank has yet been hit. “Not yet”, I conclude. “I see voluptuous women flaunting naked in the streets an on bill boards. Soon the rapists are coming.”, I tell my friends. And Ohh, what a sad day it will be.

The Topic for today is SMS Banking.

What it is MEANT to do:

SMS banking is a remote banking service via mobile phones. Upon each money withdrawal operation with a card account (purchase using a card, cash withdrawal in an ATM), the client connected to the SMS Bank system receives an SMS message with information on the transaction. Such SMS message usually includes the charged amount, part of the credit card number, date, time, and place of the transaction (shop or ATM location). Full stop! That is what SMS Banking was meant to be, should Be and Must remain as.

What is has been ABUSED to be:

But hang on, there. What about these services all over the news that allow a user to check balances, transfer money, stop checks etc, all from SMS (or USSD as the case of Equity and Barclays) ? Isn’t that what SMS banking really is?

Well, this is classic example Security Through Obscurity.  Like walking at Tom Mboya at 2am waving a KSHS 1000 Note and reaching home safe. You won’t do that for long.

Shamelessly stolen from The RSA Website, :

We have all read about the iPhone and Blackberry SMS attacks and vulnerabilities. There is current commercially available (let alone black market) software that allows eaves dropping and spoofing of SMS. The lack of SMS confidentiality has been established by congressional members, city mayors, and international government officials in dozens of cases where their text messages were intercepted and made public. Like landline communication, cell phone communications including SMS should be considered to have no confidentiality.

An SMS can be:

• Intercepted on its way from your phone to Zain/Safaricon/Safaricom.
• Changed and edited [The content, the destination Numbers, The Source Number etc].
• Delayed.
• Deflected and even deleted before it ever gets there.

This can be done with equipment that cost less than USD 10, 000 and also with techniques that anyone who knows the difference between Hellon and Arunga can master in a week.

How Can this be done?

There are 3 Knows ways to Intercept communication between 2 sources that are sent via SMS:

• Phone cloning – The best. Totally bamboozles the MSP Cell Towers [Saf/Zain]. They see two phones with same phone number, MIN and ESN. Very effective on CDMA networks but not as effective on GSM – More Info -
• SIM Copying – VERY Illegal because it is 100% efficient. Clones the SIM and yours becomes active whereas the clone is dormant but receives copies of all your SMS and calls.
• Patched Firmware  – A very easy and common method is for a hacker to upload a super-firmware to their phone. This upgrade turns their phone into a super-phone radio transmitter and they can receive SMSes that are addressed to THEM and people AROUND them. You can really have fun with this at a club, a mall or a bus-stop.

Ever been robbed or attacked then the assailants returned your phone / SIM? Chances are you got cloned and All your phone-calls [as long as you are on the same Cell Area] and ALL your SMSES [irrespective], get delivered to YOU real phone and its clone.

Where is the problem?

Ok. Enough phone hacking lessons. For those dumb enough not to grasp where the problem is, so far, please, allow me to reiterate:

• Your SMSes are neither CONFIDENTIAL nor PERSONAL. Get over it! In a recent article about how guys from SafCon sell data call and SMS records shows the first level of breach. Your data can be bought!
• Your SMSes can be intercepted by hackers. SafCon can fire all those name-spoilers they hire, but your information is only secure from humans. It is NOT digitally secure. SMS and USSD traffic is rarely encrypted, if ever.

What is MY problem?

Just your money, my reader. You dont want all your hard-eraned cash to end up in Nigeria, do you?

Why doesnt Safcon [Not to be confused with Safaricom] etc do something?

Honestly, not their problem. You send SMSes, they make money. And it is not their mandate to SECURE these systems. they offer the ROAD. If you get an accident on it, hard luck!

Is All Lost in the Mobile Banking Sector?

Not by a long shot. But that is a topic for another day, or you can skype/gmail/yahoo me @iddsalim so tell you HOW Symbiotic is Countering this menace. Power through serious code..

Adios!

Back to code!