Category Archives: code

NIC Bank’s Data Breach, Hack and Subsequent Extortion

Allow me to write this post as a letter to NIC Bank. I feel that despite the numerous times I have advised them to rectify their security to better protect us, their users, it has simply fallen on deaf ears. Well, here goes.

Dear NIC Bank,

How are you? Hope you are well. These days when I wake up every morning I have developed a routine: I read all my tech blogs, check my email and check my NIC Bank portal for fear of a breach, for fear that my hard-earned shillings may have been skimmed by some hungry hacker or, even worse, that my data may have been sold on Silk Road. I know many wonder why I am still banking with you if all I do is complain; I mean, if you constantly argue with your spouse then it is better to walk out and spare yourself the agony, but like a cocaine addict I am hooked: hooked to your seamless banking process, the short queues in the banking halls, the cute banker chics you guys have, the asset finance and of course the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware that I have written two posts: the first, NIC-BANK’s poor Ebanking System and possible security Flaws, dated 24th April 2014, and the second, NIC-BANK’s improved Ebanking System subsequent to my Exposé, dated 11th November. In the first I alerted you to the gaping holes in your security. I also expressed my fear that someone else may have found this flaw and, not being as noble as me, exploited it for profit. I was pleased when a few months later I noticed you had bumped up your security and added OTP to the online portal. But if you remember, I mentioned that this may be a little too late. I wrote in part:

To begin with, if indeed the data they served was compromised then they should have purged the entire username/password combo provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman covering only her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing: then I am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics, ranging from social engineering, actual key logging on the device to harvest the app’s password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software and then just cleverly generating the OTPs for yourself, etc.

Fast forward to a couple of days ago: wifey called me up at work and informed me that a couple of guys had been arrested on the grounds of extorting cash for data. Allow me to speak a little about the two hacker guys. First, I heavily condemn their extortion of money for data. The two guys asked for 200 bitcoins; from this we can see these guys aren’t exactly noobs, but also we can see that they are just average hackers. Allow me to explain why.

There exists a market on the dark web, the other part of the internet where Google doesn’t even dare go, where all the hackers meet, chat, exchange tools etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there; I mean, if you think of the internet we use as 5/10 then the dark web is 10/10. This is the first place where kids grow up worshipping Anonymous and the Lulz, the place where Lizard Squad was born and their skills sharpened. Back to said market: it’s called Silk Road, and Silk Road buys anything from weapons to kiddie porn. It’s like the wild wild west of the Internet. So where am I going with this? Allow me to indulge you and generalize as well. Kenyan banks should be aware that there are guys out there who won’t send you an email and ask for cash; there are guys who will sell hacked data, attack vectors etc. on Silk Road, and from there the Chinese or Russians will get hold of it and wreak havoc. The things these guys can do are even beyond the scope of this blog.

Long story short, the two guys will probably be found guilty, they will end up in Kamiti and get anally raped, and we will forget about the whole thing. One or two guys will get fired and new ones hired; they will come with bravado and a big Solex padlock to lock the server rooms. But do you think anything will be done? Look at the stock price following the hack: did it even dip a point? No. Look at the queues: did they even shrink by a fraction? No.

These banks need to be monitored by the Central Bank, not only on banking practices but also on security. It’s all good that CBK protects your cash from fraudulent manipulation by the banks, but that shouldn’t end there; they should protect Wanjiku from Chinese hackers who had a cluster set up in their house with enough brute-force power to use said data hacked by the two to make them millions. Kenya has to wake up to the fact that the rest of the world has invested billions in cyber security and is still getting hacked (look at Sony, Xbox etc.). What do you think will happen when these hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being set up, and the smart ones won’t even move from their desks; the four fibre connections to Kenya make remote hacks even easier.

So in parting, NIC, go ahead, sentence them, sure, cast stones at them, but don’t forget you are to blame for what is happening and what will happen.

 

 
Posted on January 16, 2015 in code, grad school, hack, idd sallim

Hands on with Tuma Pesa – The MPESA companion

It’s happened to every MPESA user: you urgently need to send money to someone but you don’t have the number off the top of your head, only in your address book. So you end up navigating to your phonebook, copying the number, navigating back to your app drawer, launching the SIM Toolkit and pasting the number when prompted.

But that’s too much work, and often we simply tempt fate and end up sending money to the wrong number. What about PayBill numbers and their respective accounts? Well, that’s even worse: you copy the PayBill number and account somewhere, on a piece of paper maybe, and key them in one by one into MPESA when prompted. You manually have to keep track of all the PayBill numbers and accounts so you can refer to them when you want to use them.

What if you didn’t have to do all that? What if it was as easy and convenient as downloading an app that takes care of all your numbers, PayBills and accounts? Well, that is what TumaPesa is all about. To use TumaPesa simply download it from the Google Play Store or click on the following link: [TumaPesa Mpesa Companion].

How does it work? Easy. Let me walk you through the three key features that make TumaPesa revolutionary. Upon install you get a slide introduction on how to use the app. It highlights the key features of the app and directions for use, as explained below.

1. TumaPesa loads all your contacts and formats them for you in a nice intuitive list that can be searched by name or number. All the contacts are pulled from both the SIM card and phone memory.

 

Say I want to send cash to Savvy Kenya. I simply search for her name and click on it, and the SIM Toolkit is opened. In addition, her number is copied to the clipboard and a pop-up of her details appears in the top right corner with her name and number. You can transact safely and securely without the fear of sending money to the wrong number.

2. For contacts you send money to frequently, you have the option of saving them by long-pressing on the contact name; they automatically get stored in the Favorites tab and a star appears next to them, indicating they are now in favorites.

3. For PayBill numbers and accounts, you can save a list of them in the PayBill section of the app and use them whenever you need.

PayBill entries can be edited by long-pressing them; this lets you edit, delete or share an entry.
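An added example (my own, not TumaPesa’s code; the post does not describe the app’s internals) of the contact formatting and lookup step in feature 1, written in Python so it runs stand-alone. It assumes the Kenyan dialling conventions (10-digit national numbers starting with 0, country code 254, canonical E.164 form +254XXXXXXXXX) and that a number which cannot be normalised is rejected rather than guessed, since a guessed number is exactly how money ends up with the wrong person. The contact list, including the duplicate SIM-card and phone-memory entries, is constructed.

```python
"""Contact number normalisation and lookup for an M-PESA companion app.

Added example; not TumaPesa's own code. Assumptions: Kenyan numbers are
9 national digits (starting 7 or 1) that may be written as 07XX..., 01XX...,
2547XX..., +254 7XX... or bare 7XX...; the canonical form for matching is
E.164 (+254XXXXXXXXX). Contacts below are constructed.
"""
import re

# Constructed address book: the same person appears twice (SIM card and
# phone memory) with differently formatted numbers, plus one junk entry.
SAMPLE_CONTACTS = [
    ("Savvy Kenya", "0712 345 678"),
    ("Savvy Kenya", "+254 712-345-678"),
    ("Jaymo", "254722000111"),
    ("Clemence", "722 000 222"),
    ("Landlord", "0110000333"),
    ("Bad entry", "12345"),
]


def normalize_ke_msisdn(raw):
    """Return the number as +254XXXXXXXXX, or None if it cannot be a Kenyan
    mobile number. Never 'repairs' a malformed number by guessing digits."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("254") and len(digits) == 12:
        national = digits[3:]
    elif digits.startswith("0") and len(digits) == 10:
        national = digits[1:]
    elif len(digits) == 9:
        national = digits
    else:
        return None
    # Assumption: Kenyan mobile ranges start with 7 or 1 (07xx / 01xx).
    if not re.fullmatch(r"[71]\d{8}", national):
        return None
    return "+254" + national


def build_index(contacts):
    """Map canonical number -> set of names, merging SIM/phone duplicates.
    Returns (index, rejected) so bad entries are surfaced, not silently dropped."""
    index, rejected = {}, []
    for name, raw in contacts:
        msisdn = normalize_ke_msisdn(raw)
        if msisdn is None:
            rejected.append((name, raw))
            continue
        index.setdefault(msisdn, set()).add(name)
    return index, rejected


def search(index, query):
    """Search by case-insensitive name substring, or by number in any
    formatting (the query is normalised the same way as stored numbers)."""
    q = query.strip()
    as_number = normalize_ke_msisdn(q)
    results = []
    for msisdn, names in index.items():
        if as_number is not None:
            if msisdn == as_number:
                results.append((sorted(names), msisdn))
        elif any(q.lower() in n.lower() for n in names):
            results.append((sorted(names), msisdn))
    return sorted(results, key=lambda r: r[1])


if __name__ == "__main__":
    index, rejected = build_index(SAMPLE_CONTACTS)
    print("indexed:", len(index), "rejected:", rejected)
    print(search(index, "savvy"))
    print(search(index, "254 722 000 222"))
```

Because both stored numbers and the search query go through the same normaliser, the two "Savvy Kenya" entries collapse to one number and a number typed in any format finds its contact; "Bad entry" is reported back rather than stored as something the user might later send money to.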

Posted on October 27, 2014 in code

In walked 2014: lessons I got from 2013

I don’t blog as much as I used to... let me begin with that. Most days I mean to write something down, but heck, midway through the day I forget... anyway... I know many of you will think it’s writer’s block.

2013 was a year of realization for me personally. I lost someone I called my teacher, I got stabbed in the back by assholes I thought meant something to me, my code matured, she finally said yes to me after years of being in the inner depths of the friend zone... many things, so let me basically categorize them for you.

Code, aka source code

This code business all began as a pastime in secondary school, and after that it was what I did when I didn’t have the funds to go for pints with the crew. But I never imagined I would do it for a living. Don’t get me wrong, I knew I would delve into code post-college, not math, but not to these depths. From meetings at the Central Bank to Safaricom and I don’t know how many other blue-chip companies and banks in between, code was good to me in 2013. And I guess I realized that if it’s not this that I am going to do post-college, then I’d rather try my hand at cooking meth like Walter White.

You need to end some relationships

If you wake up in the morning and you are already weighed down, then there is something you are not doing right... and that was me in 2013. The workload of a coder is mad enough as it is; couple that with BS from the assholes who surround you and you are shortening your lifespan.

I worked on projects that I got into only on the words “I have a cool idea, I think we should build it”, only to realize you are building someone else’s dreams. Or projects you think are paid, only for you to get screwed over by the co-developer: he has eaten the money, there is no product, and since it’s your name on the dotted line you are the one left holding your dick in the cold. So you end up remitting money you never touched, with burnt relationships that are tricky to salvage, etc. I felt bad when the friendship I had with a character I refer to on this blog as Jean Grey ended. But that’s life and that’s how the dice rolled. So you just wake up like Size 8 and say I am done with that crap... fuck y’all.

You need to outgrow your mentors

As a kid you would hold on to mum’s dress and feel scared when she wasn’t there... but there comes a time you have to move past that or you will never grow as an individual. I respected Idd Salim as one of the key guys who made me, and I mourned his loss deeply. I got insults about being a mini Salim, an Idd wannabe and what not. Because my Meru blood boils hot I would normally have countered; I went to speak but was like, never mind, just let it go... it’s fine, Jaymo, keep the peace.

There are many other people who also influenced me, and I will forever respect that... but sorry if you think I will forever be in your shadow. I always make reference to Iverson checking his mentor Jordan, and that’s when Iverson was truly born. Did Jordan go ahead and call a press conference and say Allen Iverson was disrespecting him? Sit in the corner and think about that. We all wanted to be like Mike.

I got my numbers right

Where are the guys who say I copy so-and-so... well, here it is, I am copying this from a blog I love: “I got my numbers right. It finally got to my code cranium. All code without scrilla makes Jaymo an unfocused coder. That is all I will say.”

Partnerships and Relationships

The biggest lessons fall in this category. There are people who will stick with you no matter what. There are those that will RUN away at the first sight of trouble. There are those who are there to USE you to gratify their egos. There are those who are there to PROFIT from your efforts. There are those who will STEAL from you without a moment’s hesitation. There are those who will KEEP AWAY from you as soon as they start ‘doing well’. There are those who will smile at you and then stab you wearing the proverbial VELVET glove.

Clean up your plate as soon as you get your serving

I am guilty of having taken too long on some projects, not because I couldn’t hack it but because I was busy arguing about which is better, Android or iPhone... Vaseline or a girl, which is better, and while I was doing this people were churning stuff out. I am guilty of having chased money a lot: the client hasn’t paid the deposit, this and that... and subsequently I developed bad blood towards a project, only for the money to come and there you are again holding that long dick of yours in the cold, the project unfinished and you under pressure to finish it. Forget coding at home; on-site coding with fellow devs has pros that outweigh its cons.

Bottom line is, if you can build it as fast as you get it, then you have the time to read Ghafla or tweet on Twitter.

Tell your girl you love her more

There are days you wake up and it’s straight meetings and code reviews... bosses on your neck and you can barely get time to text or call. Or times when it’s you and her and the system crashes and you have to leave... let her understand. Because when shit truly hits the fan you know she’s got you. Thank God for her. { That’s for you Irene, I love you Ma }

 

 
Posted on January 14, 2014 in code, Humour, Reflections

 

The final Letter to Idd Salim

Dear Idd Salim,

It’s pretty hard writing this one... pretty hard. I just got a call from Vodafone this morning about us missing our meeting on the 24th as planned. I had to break it to Clemence that you had passed on; a chill ran down my spine as I said that.

I think most people have never known how you and I met, and why I called you Beste Mnoma (best mate) while everyone else called you Salim. Flashing back to 2003, exactly 10 years ago, that was when we met... actually you were with the other Jaymo (Maina), and when you said “Jaymo” I answered instead; you retorted “you, who called you...” But that was it for me; you and James were on some weird server configuration business. I was barely out of primary school; the only computer knowledge I had was DOS and writing batch scripts to delete folders in the computer lab, but you still didn’t shun me. You told me there was a language called Perl that had a similar effect, but I was way too busy being a rebel in high school to give a hoot.

After high school was when I got more serious with code, and the first real system I was to write was a car hire website. With 5% knowledge of PHP and crappy knowledge of any DB I wrote it and came to show you. You laughed: “young man, what is this you are showing me now?” The damn thing was riddled with SQL injection holes, bugs, a slow DB etc. You made me work my ass off for it... and I did, and made my first 50K with your mentorship. I remember a pal once asking us why most coders have big heads, and we laughed it off saying we had a lot on our minds.

Anyone who knew me in college would attest to my love for your work; I always believed you were the gold standard for code quality. I refused to learn J2ME before Android, and I remember in 2009 we had a long argument about this... at the legendary eat-first-pay-later joint. I told you I would become a great mobile dev; you always laughed and said, why stop at mobile... we can be great, fibre is coming to Kenya soon.

You were the big brother I never quite had; from Yii to CodeIgniter, when I was stuck I dialed your number. In college guys thought I was some sort of code ninja, but truth be told I was really just your intern. A normal call would be “Salim, man, the code is giving me trouble”, and you would reply “come to iHub, and bring lunch money” (you were the only one who still called money chapaa in the 21st century).

Blogging... oh dear... we once had an argument at Prestige, with you and Zack telling me I write like you. “Jaymo, you can’t write a blog like me, code like me, chat up a girl like me... don’t you have any originality?” But I always told you imitation was the sincerest form of flattery. I bought a milkshake and we were good. I always made reference to you on the blog and idolized your posts. When I was finally man enough to do it on my own I came to you and asked, “Salim, now that I can write good code, do you think I can be a coder like you?” You minimized your windows and said, “If you need me to hold your hand you are not ready... code is not bread, young man, but it can get you bread.” And with that Jaymo the coder was born... from winning hackathons to handling some of Kenya’s bluest of the blue-chip companies. I hacked, and also got into trouble like you. I left iHub over personal differences with people, but we still used to talk.

The one thing I will never quite forget about you was how you would make my hardest work look like Hello World. When I wrote a query and it ran in 1 second, you rewrote it and it ran in 0.16 seconds. When I called you and told you to start using Fedora instead of Ubuntu, you pimped your Ubuntu and made my Fedora look like Windows XP. And how can I forget the ladies... a nerd is still a nerd. When I ogled, you would say: “Hey, a girl is not a shell script... talk politely and she may grant you root access to her drive V, where you can run bang bang or repeat finger. And from that you can man mount, then man dump, or if you are a sysadmin like the ones at Safaricom you can man date.”

The week before you died you gave me the code for the project you were working on, to test for you and finish up some modules. I should have known you were unwell; I should have noticed you weren’t jovial. But I was busy being me, and for that, brother, I feel like I failed you, and I ask you to forgive me.

I will miss you, bro... I will... but you taught me well, and I will carry on the legacy you left. The shoes are big to fill, but I will be a master coder... you wait and see.

 
Posted on September 26, 2013 in 254, code, idd sallim

 

Uhuru Kenyatta’s Free Laptop Programme: a techie’s perspective

So yesterday (16th April 2013) I watched as the President reiterated that the free laptop programme he promised is still on. To be precise, this is what he had to say: “6:09 pm Uhuru: My government will deliver on its promise of free laptops for our children starting next year. Our vision is to have laptops availed in future to be assembled locally”. Two things struck me: his timeline (next year) and his ambition to have them locally assembled in future. But before I look into either of his points, let me first shed some light on one already existing laptops-for-primary-schools programme.

In Rwanda the supplier was One Laptop Per Child (OLPC), an American charity linked to MIT, but the process was plagued with controversy. I will only highlight the techie bits and steer clear of any politics here. The first controversy was when Intel opted out of the programme, meaning these computers were to run on another chipset. The second, and the one I was very keen on, was the operating system the machines were running: the war raged between open source and Windows XP. But despite this the computers were indeed supplied later on; the computer was dubbed the XO laptop and saw Rwanda get 120,000 units, Ghana 10,000 and Sierra Leone 5,000. Read more here>>>

Now coming back to Kenya and looking at what the President said. The first point was the timeline. The government should indeed not deploy these computers in a rush. I would suggest a whole year before they are made available to any classroom. Reason? Well, let’s face it, the majority of teachers who will end up using these devices to teach kids have limited computer training. I mean, imagine the scenario if a teacher in, say, Nyeri or Siaya just got handed a bunch of devices and was told to use them in teaching; it would be no easy feat. Second, the actual devices themselves... if we indeed choose to hand out laptops, what operating system will they run?

There are only two options here: Windows, or an open source platform such as Linux. Looking at OLPC, the issue was between exclusive use of open source software for the project and those in favour of adding Windows XP, which Microsoft was in the process of porting to the XO hardware. Microsoft’s Windows XP, however, was not seen by some as a sustainable operating system. Microsoft announced on May 16, 2008 that it would let OLPC have Windows XP for $3 per computer. It would be offered as an option on XO-1 laptops and possibly be able to dual boot alongside Linux. However, no significant deployments elected to purchase Windows licences.

Assuming these laptops are indeed to run Windows at $3 per Windows licence, and assuming the first phase sees 500,000 issued, that would mean Microsoft would charge $1,500,000 (120,000,000 KSH). And since the government aspires to buy 5.86 million computers for kids, that would translate to approximately $17,600,000 (1.4 billion KSH) just for the OS. The other scenario would be to use a free variant of Linux and do away with this cost. And assuming that the computers are not going to run on an Intel-based chipset (to reduce cost per unit), then for optimal performance Linux would make more sense. Then, looking at his suggestion that the computers get manufactured locally, it would mean we buy the parts from a cheap source such as China, ship them to Kenya, assemble them on an alternate chipset with a Linux variant and hand them over to the kids.

But the West would fight this with all their might... not because they are losing out on $17,600,000, that’s pocket change, but because of a simple mathematical term called extrapolation. If a kid grows up using Linux from class 1, what are the odds that when he or she turns 20 and wants to buy their own computer they will choose Microsoft? This would mean that slowly by slowly Microsoft would fade out of Kenya, as the OS of choice would be Linux. Asia is a living example of this: kids grew up using Linux and Microsoft is not as big there as it was back in the day. Intel would also lose a large market presence in the country. So if Uhuru were to opt for this he would in turn be giving the West a big middle finger. But there would be the issue of Internet connection on these laptops.

The other option would be to provide a solar-powered tablet instead of a laptop. A simple Android-based, Kenyan-assembled tablet would cost around $30 and would represent the least expensive solution for bringing computing and, more importantly, internet connectivity to students in Kenya; tablets of this kind can access data networks over GPRS where 3G or 3.75G is unavailable. With the app bubble at its peak, devs would have a field day driving local online and offline content for these devices. Data providers such as Safaricom, Zain, Orange and YU would see data revenues go up, also translating to more revenue for KRA to take home, and job creation.

 
Posted on April 17, 2013 in 254, code, JKUAT, kenyan clones, legal issues, true stories

Types of Code Clients I Have Met

So someone accused me of only writing about code this and code that, as if you can take code to Nakumatt and be given shopping for it, or to Kamau’s butchery and have him cut you half a kilo of meat... of course not, there has to be business involved, or in the words of Uhuru Kenyatta, willing buyer, willing seller. So today I will just talk a little bit about the two types of willing buyers I know and have had the experience of working for.

I have been taught by time, and of course by more seasoned businessmen, to divide clients into two broad yet true categories: the clande (side chick) / chips funga (one-night stand) and the girlfriend/wifey.

1. The Clande/Chips Funga Client

The name speaks for itself: this type is tap and go. No strings attached, no numbers, nothing. Usually this is my best type of client since everyone goes home happy. A clande client knows point blank what they want, and how they want it. They are straightforward: you get your spec doc, a deposit and a timeline. You do the work, when you finish there is a bit of UAT, and that’s it... the story ends there, the final instalment is paid and you both go home happy. In the event you don’t see eye to eye, you both have the luxury of walking away, since you just met and nothing has been invested yet between the two of you.

The good thing about this type of client is that, just like a clande at a bar, you are guaranteed not to sleep hungry. It’s cash in hand, so you are happy, your landlord is happy and even the real clandes are happy. Moving along.

2. The Girlfriend/Wifey Client

Now this one is the long-term one... in other words it’s not even strings attached, it’s more like ropes. This is the worst client ever. Let me explain using the analogy of a real-world girlfriend. You meet a hot mama, someone you think is a keeper... you start courtship. If you take that leap of faith you should know you will be in it for the long haul, during which she may decide she is not giving you any (you will be left out in the cold, man)... the only thing you get are hugs and smooches... you will have to be there for her 24/7 (like customer care)... handling all her hormonal business and stuff... you get the picture.

Back to the client. You meet a big client (usually some corporate or government deal), you strike a deal with them, a deposit of maybe 30%, you are given the work and it begins... one month in, system changes have started, integration with some system or other they use; two months in, HR wants their module... you call a meeting... “this wasn’t in the spec doc... bla bla bla”; they look at you: “How much more will it cost us?” You give a figure... and since you are broke you accept 20% and continue coding... three months later you have no rent, your girl looks at you in the morning and feels nauseous since you have nothing... all you say is “Wait, I am about to get paid”... they drag the payment... and the day they actually give you your loot it’s Friday evening and it’s a cheque that will take three days to clear, so let’s say next week Thursday is when you will have money. DAFAQ

All the while, that next Monday they tell you to drive to their place to sort some stuff out, as if they gave you a fuel card to use. The girlfriend client will also catch feelings if there is a bug: “but we paid you so well...”. These are the clients who will ask for refunds, sue you, want you in the office every week, etc.

Anyway, those are my two categories of clients. Hope one of you out there can relate.

In other news, if you haven’t yet tried PesaBox here is the link>>, and here is a brief wiki entry on how it works and what it does.

 

 
Posted on April 5, 2013 in code, hack, Humour

New MPESA application: Enter PesaBox

So I remember a while back reading this post by Idd Salim on his blog about him not being able to get his MPESA statement dating back more than 3 months. Safaricom does offer you a statement at a fee of 25 bob a page (read here), with a 3-month cap of course. So why not make a system that does that for you for FREE?

Time to unveil PesaBox, which does exactly that. This will be a pictorial blog with few words and more images, just to give an impression of the app and the web back-end.

Available on Android: Google Play, Samsung Store, PesaBox site {Symbian, Blackberry, J2ME still in sandbox stage, release date soon}

Uploaded: February 18, 2013 (Google Play)

February 18, 2013 (Samsung Store)

Description: 

What is PesaBox?

PesaBox is a mobile application that works by syncing all your MPESA transactions online to give you reports when you log in with your credentials on pesabox.co.ke.

Benefits of using PesaBox

  1. Print out statements of your MPESA transactions
  2. Find out how much you spend on bills
  3. See your cash flow over any period of time*
  4. Find out where you transact most frequently
  5. Compare your income to your expenditure in your MPESA account and many more…

What reports are on PesaBox?

  1. Summarized reports
  2. Consolidated reports
  3. Expense reports
  4. Transaction statement
  5. Cash-flow report
  6. Deposits vs Withdrawals
  7. Income Vs Expenditure
  8. Money In VS Money Out
  9. Location Frequency
  10. Bills by Category

*Time period for reports can only span back to when you joined PesaBox

Download links: 1) Google Play, 2) PesaBox website

View our Facebook page here>> ,feel free to like

App-based mini statement report (app screenshots in the original post)

Once you are logged in to your personal page at pesabox.co.ke, these are the reports you can get (one screenshot each in the original post):

Bills by Category
Summarized Report
Transaction Statement
Consolidated Report
Cash Flow Reports
Location Frequency
Deposits vs Withdrawals

 
Posted on February 18, 2013 in 254, code, hack, kenyan clones