2011, the beginning… Lessons from 2010
by Idd Salim on Dec.16, 2010, under Coding, Personal

Bye 2010. Thanks for everything.
I will keep this short and simple. Some people, as always, will get annoyed. Some people will feel that IddSalim is attacking them (the blog, not the person). Some people will say, ‘Go Salim! Tell dem! Say what we would love to say but are too scared to say’.
2010 has been a testing year. I made a few friends and enemies (due to misunderstanding) and met some brilliant and inspiring people. I will dedicate this post to the people and organizations that have shaped my Life in 2010.
1 – Safaricom
After I blogged about ‘Hacking Mpesa for Fun and Profit’ I attracted bad blood from Mpesa Department and a barrage of nice and not-so-nice emails and reactions from Safaricom and Vodafone. The blog was about how to Export the Mpesa SSL client certificates from IE to Mozilla and Opera.
An innocent article that should have earned me some Bonga Points. But NOOOO!! Ohh No! This was seen as a direct ATTACK on Mpesa and Vodafone over-reacted. Our Mpesa PayBill contract was revoked out of fear that I know so much about Mpesa and could hack it. (My God!).
There were questions that were raised that I wish to answer before the end of 2010.
Q: How did Salim gain access to the Safaricom LAN? How did he do a vulnerability assessment on Mpesa? Why does he hate .NET apps that much?
A: I do not have any privileged access to Saf. Just the kawaida bambanet access. What I discovered about Mpesa is as open to any hacker worth his salt as it was to me. As an act of good faith, I can share all I know and my security analysis of the Mpesa system. The information I had/have is for the pre-November-update Mpesa system. If all the issues have been fixed now, then there is nothing to fear.
2 – Google
After my Interview with Google, I was enlightened. I was humbled. I was taught to never ignore even the most minute details in IT. Finally, I understand true inheritance and polymorphism. I finally understand and can write my own optimization and logic algorithms. Finally, I was forced to learn Python. Real learning. From Scratch. To Understand the language. Not just to know how to solve problem X. Thank you Google for the challenge. Talk to you soon.
3 – Buju, Too, Vera and Shazie
It finally got to my code cranium. All code without scrilla makes Salim an un-focused coder. That is All I will say.
4 – Partnerships and Relationships
Biggest lessons fall in this category. There are people who will stick with you no matter what. There are those that will RUN away at the first sight of trouble. There are those who are there to USE you to gratify their egos. There are those who are there to PROFIT from your efforts. There are those who will STEAL from you, without a moment’s hesitation. There are those who will KEEP AWAY from you as soon as they start ‘doing well’. There are those that will smile at you then stab you wearing the proverbial VELVET glove.
I have met all these people.
5 – This blog
One year old now and I have met, befriended and equally annoyed more people than in the last 8 years of my life. I had to pull down extremist blog posts (#mashogaHatuwapendi) and some posts got me into trouble due to misunderstandings #SafaricomGotmeWrong. But all that is water under the Athi Bridge.
We will do a lot of business together next year. Can’t wait to forge long-lasting data relationships once 2011 starts.
Wazi.
Back to code.
My Interesting half-day at Safaricom headquarters, Westlands
by Idd Salim on Jul.14, 2010, under Symbiotic, Zunguka
So, today at 9:54am, I checked in after a thorough security search for metals and other things like screwdrivers, hacksaws and pangas etc; stuff that can be used to HACK servers. (Fck! As I blog here, I just remembered I LEFT MY ID THERE!)
So we were welcomed with the usual ‘leteni IDs’ Kenyan greeting and we waited to be led to the training room. I sat in row 1 and the training started at 10:01 sharp. Bwana Dennis Makau was our tutor and this guy really knows his stuff. Lively and not a boring monologuing jamaa. He took us through all we wanted to know. He had rich knowledge of kila kitu. 10 outta 10.
Mpesa is REALLY one powerful tool, especially to developers.
Then came the tea break. I stole the chance and took my time to take the SmartTV ladies and the Sarova team through how they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com to maximize their profits and improve customer care, to a level Mpesa does not deliver – last mile.)
After my pitch, still at the tea break, I checked out the Dell sites and Gmail and decided, “let me check my website”. Ha! Bummer!
And then came the hack
As you would expect, I couldn’t just sit there with all my skills. So I decided to chokora kiasi.
No, I did not escalate my privileges, get access to MJ’s PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a whitehat hacker, remember? I just prodded the systems. I discovered quite a few things.
1 – Mpesa Web Interface source code is susceptible to SQL Injection.
I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.
But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.
As a business tool, the Mpesa web interface is perfect. But its security was well-thought… well-googled… but not well-consulted.
Back to code!
A very secure and workable solution for Google Checkout and Mpesa/Zap
by Idd Salim on Sep.18, 2009, under Coding, Google and Africa
One Gateway to rule them all
Well, we all know that Mpesa is widely used in Kenya, Tanzania and Afghanistan. Zap is available to the 22+ Zain One-Network Countries.
We also know that Paypal hates Africa.
Lastly, we know that Symbiotic Media Consortium has developed a working Payment Gateway that already links PayPal, Mpesa and Zap. Needless to say, there was no help or support at all from Safaricom, because Safaricom knows as much about Mpesa as Wangechi.
So this presents a very clear advantage for players like Google to come into the Africa playing field. Africa has millions of people who have NO WAY of doing e-commerce, unless they have credit cards and can cheat Paypal into not seeing them as originating from Africa, the Dark Continent full of thieves.
Using The Symbiotic Payment Platform, Google can rule the African Market and Leverage the un-tapped m/e-commerce. We know Google Loves Africa. She has Offices in Kenya.
This being a man-eat-man society where people just sleep and wait for others to think then steal the ideas, I will share no more, but will email it as a PDF to Google, detailing each and every step, hoping they will adopt it. They will. I know.
-Salim, Idd