Category Archives: Uncategorized

NIC-BANK’s improved Ebanking System subsequent to my Exposé

A couple of months ago (7 months actually) I wrote a post on the security flaws in the e-banking portal that NIC Bank uses; if you didn’t read it then feel free to click here>>. I had actually taken it down following the issues it raised. The post got over 150K views (what do you expect when Robert Alai gets his hands on it) and my phone went crazy for days after that. Needless to say there were accusations of hacking thrown my way; I was sternly reminded that the cyber laws in Kenya had been amended and that I was facing a jail term if found guilty. Needless to say no one went to jail, and my findings actually put the bank on the spot with concerned customers. That’s the synopsis basically, and in no way what I wanted to talk about.


Let’s talk about 7 months later and what has changed. If you bank at NIC Bank (and I encourage you to if you don’t) then you will have noticed they deactivated ALL old passwords, whether issued by the bank or generated by users. This was necessitated by the risk of someone else (key words: someone else) having used the flaw to get usernames and passwords. NIC Bank has now moved to a more secure username and OTP (one-time password) combination. The vendor they chose was ActivID®, an established IT solutions company. In a nutshell, here is how their new security system works.

HID Global’s ActivID® soft tokens provide strong authentication for remote users accessing corporate IT systems and for consumers logging on to online services, without the need to distribute hardware tokens. You can use the web, mobile or PC soft token generators. I will talk about the mobile one since I am a mobile guy after all. Mobile Soft Token: a user wishing to access the online banking portal uses the Mobile Token App to generate a one-time password. The application can be PIN protected.

It is licensed per user, and licences can be used across multiple personal mobile devices. Once you download the app on your phone, customer service asks you for the licence that is generated the first time you launch the app, and they use this to link the app to your account. Subsequently you simply launch the app, provide the PIN you set to protect it, and it immediately generates a one-time password that expires in 60 seconds if not used, or lasts the lifetime of the login session on the online banking platform if used. The app works totally offline and all the OTPs are generated internally, so there is no fear of a remote agent intercepting them.
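The mechanism this describes, with the phone and the bank computing the same code independently, as an added illustration that is not NIC Bank’s or HID Global’s code: a standard time-based OTP (RFC 6238 TOTP over RFC 4226 HOTP) with the 60-second lifetime described above, a PIN gate on the phone side, and a server that rejects expired and replayed codes. Whether ActivID uses exactly this construction is not stated in the post; the seed, PIN and timestamps are constructed.

```python
"""Offline one-time password, phone side and bank side.

Added illustration, not NIC Bank's or HID Global's code: a standard time-based
OTP (RFC 6238 TOTP over RFC 4226 HOTP) with a 60-second lifetime.  Both sides
hold the same seed from enrolment and compute the code independently, so
nothing travels over the network until the user types the code in.  Whether
ActivID uses exactly this construction is not stated in the post; the seed,
PIN and timestamps below are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60   # one code per 60-second window, as the post describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)


class SoftToken:
    """Phone app: holds the seed and refuses to produce a code without the PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        # Only a hash of the PIN is kept; a real app would also wrap the seed with it.
        self._pin_hash = hashlib.sha256(pin.encode()).hexdigest()

    def generate(self, pin: str, unix_time: int) -> Optional[str]:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), self._pin_hash):
            return None     # wrong PIN: no code is produced
        return totp(self._secret, unix_time)


class BankVerifier:
    """Server side: same seed, linked to the account at enrolment."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self._secret = secret
        self._step = step
        self._skew = skew_steps          # tolerate one window of phone clock drift
        self._last_used_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self._step
        for counter in range(now - self._skew, now + self._skew + 1):
            if counter <= self._last_used_counter:
                continue             # a code from this or an earlier window was already spent
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_used_counter = counter
                return True
        return False                 # wrong, expired or replayed


if __name__ == "__main__":
    # Constructed seed and PIN; the RFC 4226 test-vector seed is used so the codes are checkable.
    seed, pin, now = b"12345678901234567890", "4321", 100
    otp = SoftToken(seed, pin).generate(pin, now)
    bank = BankVerifier(seed)
    print(otp, bank.verify(otp, now + 5), bank.verify(otp, now + 10))  # 287082 True False
```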



The Mobile Token App is available for all leading mobile devices including Apple® iPhone® and iPad®, Android™, BlackBerry®, and many other Java 2 Platform, Micro Edition (J2ME)-enabled devices.

That covers security on your end (the username/password combo), but what about the actual portal? Well, that’s a tricky one. First, because of the nature of a vended system, patches are rarely issued on an as-needed basis. Secondly, the flaw I pointed out was a complete misconfiguration that has since been corrected. Thirdly, the servlet is only as secure as you make it; if you get socially engineered then too bad.

While these issues have been solved, I still believe they should have listened to more of what I had to say. To begin with, if the data they served was indeed compromised, they should have purged the entire set of username/password combinations; instead they only dealt with the passwords. The problem with this is akin to a naked woman covering only her boobies while the rest of her is available for your ocular pleasure. The same applies here: if I had a set of passwords and usernames and the passwords change without the usernames changing, then I am already at first base with the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, to actual key logging on the device to harvest the app’s password and generate an OTP afterwards, to sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits for major brand software and then cleverly generating the OTPs yourself, etc.

But I guess it works for now, right? The system admins who caused the glitch have maybe since been fired, Temenos has made its money on the new T24 modules NIC uses, muggles have a new app they can flash at their Equity Bank friends and feel all secure that they are savvy. I guess everyone is happy except me. I am not; I am still online daily looking at other poorly set up systems to advise on. So in between grad school, code, Subaru runs and this, you know what I will be doing.

Someone used to say: alright, back to code; so I end it there.


Posted by on November 11, 2014 in Uncategorized


What I have learnt after 5 Years of coding & Blogging


In 2010 I started this blog. Around the same time I started writing code at Finlays; seems like a long time ago. I am not a big-shot blogger of course, I never show up in BAKE, but I have maintained daily 4-figure blog hits since 2011, although in the last year they have increased, with searches for Idd Salim leading here. I am no big-shot coder either; I don’t attend meetings at innovation boards, nor will you find me in any hub (iHub, Nailab, K Street Hub etc.) anymore. I have however been the brains behind some of the most amazing software products Kenyans use (Nasiishi Runda Imagine).

I sometimes wonder how different my life would have been had I not taken this road less traveled. One of my philosophies has always been to pick the choice that scares me a little. The status quo, the path of least resistance, the everyday routine — that stuff is easy. Anyone can do that. But the right decisions, the decisions that challenge you, the ones that push you to evolve and grow and learn, are always a little scary. I am thinking about this because today marks 5 years of the blog known as endingcampo *insert smiley face*. At this memorable milestone I thought it best to share what I have learnt over the last 5 years.

When I started coding back in the day, my mentor Idd Salim gave me this–> Teach Yourself Programming in Ten Years post to read. It made no sense to me but I followed it religiously nonetheless, and it didn’t turn out so bad if I say so myself. In the 5 years I have moved from a junior dev to a senior dev. The distinction here is large and, using my personal experience, I will try to explain the difference.

The Junior Dev Years

This was the stage where I knew it all, PHP, Java, C++ etc.… this was the stage where I had more environments set up on my PC than I did porn. Quoting Jonathan Barronville: “You know how to write imperative, functional, event-driven, and object-oriented programs. You not only know how to write fabulous factory methods, sexy singletons, delicious decorators, and prodigious prototypes, you know when to properly use them (or at least you think you do).” This is the stage where I was comfortable with my tools; after all, I had really struggled to learn them. I remember with great stupidity arguing years ago with @zacckOS about using git. I had learnt to use SVN and I felt I was the one who called the shots. I had barely 3 production systems in use and I felt like a code god. I looked at senior developers and system architects and wondered what the fuss was all about. I remember building the EDS for Crown Berger with a collaborating team from India and feeling like these guys didn’t know shyt, despite the fact that they got paid per hour while I had to wait for a completion cheque. I did not know what experience was. I was a muggle who thought he was pure blood. I was a staple; you know how you eat ugali and nyama before you drink every single time you order that Pilsner… yes… predictable… that’s what a staple is. I was too attached to my technologies and productions, and spent an extensive amount of time perfecting my code, thinking about all of the design patterns and principles that apply, writing unit tests (often really useless ones).

The Pre Senior Dev Years

I learnt there is a difference between having a ton of knowledge and being experienced. It took me a while to understand that, but the difference is quite interesting I must say. I have worked on banking systems, telco-integrated systems, consumer systems, enterprise systems, module integration etc., and I slowly became a senior dev. After working for people I decided to set up shop on my own and founded Ujuzi <Code/>. I now had junior coders under me, younglings who thought they were Yoda. As a more experienced coder I learnt how to break the less experienced in order to shape them, based on the experience I had gathered.

I had the foolish assumption that the stuff I was building was well architected; it was far from that. I have gathered a lot and I can share just a few things here to benefit someone starting out.


1. Design

– As a junior dev I was all about opening my IDE and building what the client asked for. But this is as wrong as taking out your dick and straight out overlooking the foreplay. All I made sure of was that the client was happy and that their requirements were met. As long as the poorly designed code produced the output requested by the client, all was good and everyone was happy. As a pre-senior dev I have learnt to take full advantage of the design phase. I currently take 2-3 weeks simply doing designs, both system and UI. When it comes to UI I always have my designer build the entire UI and then use simulation tools to present it to the client before the actual work begins. On system design I have learnt to account for system architecture, networking and security, monitoring, emergency database rollbacks and faulty transaction handling, and importantly making sure one bad config on a key module component does not screw everything.

2. Process

Process is how you get from point A to Z with the most efficiency. This is where project management, planning, and project management tools come into play. Working with great people such as Mbugua Njihia I have learnt the power of tools like Trello in the SDLC. An in-depth understanding of QA is also key.

3. Source Code Management

When it comes to code management nothing can beat Git and/or GitHub. This comes in handy when you have to commit code and also roll back in case someone on the team messes with a module when you are collaborating. Also, in the event of loss or damage of hardware, you can easily roll back to your last commit and continue with the work.

4. Testing

Writing tests is always important at both production and staging levels. Development should always be test driven, TDD (Test Driven Development), instead of final-product driven (does that make sense?? 🙂 ).

Learning from Jonathan Barronville:


Many junior developers know folks with “Senior” as a prefix or “Architect” as a suffix to their title whom they feel are less knowledgeable (in terms of programming-related skills) than themselves. One interesting characteristic of many of these folks though is that they have been around for a long time, worked for many companies (not necessarily), made many mistakes, learned from their mistakes, et cetera. However, unlike junior developers, they might not know every language, environment, and/or technology out there. Instead what they do is make themselves experts in a few areas (usually one or two, as far as I have seen), and instead of learning every language, environment, and/or technology out there, they pick maybe one or two languages, environments, and/or technologies, and make themselves true experts in those.

What does it mean to be a true expert in a language, environment, and/or technology? In my dictionary, a true expert in anything, is simply someone who is an expert, by not only knowing and understanding their domain at an expert level (inside and out, that is), but through years of experimentation and making use of such expertise. In other words, in my humble opinion, any developer with the time and commitment can become an expert in, say, a language like C# in maybe about a year (keep reading, keep reading), but to become a true expert like the honorable Jon Skeet or Commons Ware, it takes years.


Posted by on August 21, 2014 in Uncategorized


Why Safaricom is afraid of Sim Overlay Technology proposed by Equity Bank

So hardly 2 days ago I wrote this piece about how winter was coming for MPESA with the looming Mobile Virtual Network Operators (MVNO), and today to my shock the news was back on, with Safaricom writing a letter to the Central Bank. I suggest you read the earlier piece before reading this, as it is coupled to the first post.


Equity Bank with Finserve know for sure that no Kenyan will ditch their current Safaricom line in favour of whatever carrier the MVNO will ride on… That is quite elementary, my dear Watson… so Equity Bank is instead opting for a newer technology called SIM overlay. Let me explain what that is to begin with. The SIM is paper-thin and is embedded with a chip. Users overlay it on their primary SIM card, regardless of the network, and can subsequently receive services from two mobile service providers simultaneously. Its use means Equity Bank does not have to issue its own SIM cards but can ride on the existing ones. The two videos here demonstrate that:

Safaricom’s major concern is the security of M-Pesa, which it says would be vulnerable to attacks since the overlay SIM is the one in direct contact with the phone and acts as a medium. You have to hand it to Equity on this one, but I agree with Safaricom here: since the overlay SIM is primarily acting as a transport layer for the primary SIM, you could have a denial of service on MPESA if the code on the card were written well.

For example they could write code (Java code for Java Card) that responds to external stimuli to trigger parts of the main operating code selectively, say giving MPESA-bound communication a 30-second delay for deposits and a 5-minute delay for withdrawals. Meaning the STK app that MPESA resides on would time out because of this and you would have to do it over and over again; or cleverly count the tries and after 3 retries remove the lag and allow instant communication, or after 5 random retries… I mean I can write said code and I don’t even work for them, so you can imagine someone whose sole job would be to create the overlay SIM. But then again it’s a big maybe.

Finserve Africa Ltd was in April granted an MVNO licence alongside Mobile Pay Ltd and Zioncell. Equity Bank plans to use the Finserve licence to roll out mobile banking services independent of any operator. Customers will also be given data and voice services on the network.


Posted by on July 3, 2014 in Uncategorized


MPESA and the looming Mobile Virtual Network Operators (MVNO)

Once upon a time there was a monolithic system called MPESA; the system was the awe of all, friend and foe, and just like the proverbial story of the three little piggies it was targeted by several big bad wolves (YU Cash, Airtel Money etc.). The wolves huffed and puffed, but since MPESA was housed in a brick house (at present M-Pesa has 15 million users conducting more than 2 million daily transactions, which by some estimates adds up to as much as 60 percent of the country’s gross domestic product) they couldn’t do shyt… so most of the wolves gave up and were content eating scraps while the piggies were safe. But the story doesn’t stop there… far from it… it goes on. The piggies lived in the brick house and grew hard headed… boastful you would say; they failed to innovate, they failed to let anyone in, they viewed everyone with scepticism and in so doing exposed their weak underbelly.


But as Game of Thrones taught us… winter is coming… soon there would be a bigger hurdle than the wolves they had fought. Enter MVNOs. Basically an MVNO is a wireless communications services provider that does not own the network over which it provides those services to customers. Now what is that, Jaymo? Relax… As we speak Kenya has licensed three mobile virtual network operators: Finserve Africa, Mobile Pay, and Zioncell Kenya. Of interest to me here is Equity Bank’s Finserve, because Equity Bank is Kenya’s biggest lender with eight million account holders. Equity should be able to make its offerings attractive by providing links to its core banking services, which are not available through M-Pesa. So basically if I have an account with Equity they can quickly deprecate the need for an ATM and instead use a mobile phone for everything from withdrawals to purchases etc.

Finserve is not Equity Bank’s first foray into mobile money. It previously partnered with Safaricom on M-Kesho, a banking and savings service that proved to be unsuccessful due to complications over revenue sharing between the stakeholders.   Safaricom has since partnered with Commercial Bank of Africa (CBA) to launch a similar product branded as M-Shwari, which has signed up 7 million subscribers. On the strength of this adoption rate, CBA now claims to have overtaken Equity Bank as the lender with the highest number of retail loans.

I believe the biggest hurdle will be creating products that are appealing to the ordinary mwananchi… screw the Lipa na MPESA stuff, I am talking real-world issues like requesting a salary advance via mobile money, a real-time fare system for matatus etc. The second issue will be an agent network that can rival Safaricom’s; this will not happen overnight and will be expensive to roll out. But let’s just wait and see.


Posted by on June 30, 2014 in Uncategorized


5 of My best Unsolved Mysteries of the Internet

Below are some of those things the Internet will never let the muggles find out. I have keenly been watching them with the hope that someone will one day solve them, to no avail. Feel free to add your own on the comment section.


1. Cicada 3301

A secret group that posts complex puzzles for people to solve. The purpose remains unknown, with speculation ranging from CIA or MI6 recruitment to online hacking groups. The puzzles are usually posted on message boards on the Internet as well as on the dark web. However, one guy (Joel Eriksson) actually solved a puzzle they posted. Read more about him and the puzzle here>>> They have a cool logo though.



2. Bitcoin

The mystery here is not what Bitcoin is but merely who created the online currency. All that is known is that Satoshi Nakamoto was the first to publish a paper that theorized the currency. Satoshi Nakamoto is the potentially pseudonymous name associated with the person or group of people who released the original Bitcoin white paper in 2008 and worked on the original Bitcoin software that was released in 2009. Since Satoshi’s identity is tied up intricately with Bitcoin’s history, it is helpful to understand Bitcoin’s provenance. Bitcoin is one of the first digital currencies to use peer-to-peer technology to facilitate instant payments.


3. A858DE45F56D9BC9

The reddit user named A858DE45F56D9BC9 posts long passages of coded text on the site. A dedicated community and an automated bot have yet to solve the riddle to date.


4. The Markovian Parallax Denigrate

But back in 1996, users of the proto-Web community Usenet got spammed with messages that reached an almost transcendent level of bizarre—a weirdness so precise it implied the influence of a very human intelligence. “Markovian Parallax Denigrate,” read the title of each post, followed by a mountain of seemingly meaningless word spew:

jitterbugging McKinley Abe break Newtonian inferring caw update Cohen
air collaborate rue sportswriting rococo invocate tousle shadflower
Debby Stirling pathogenesis escritoire adventitious novo ITT most
chairperson Dwight Hertzog different pinpoint dunk McKinley pendant
firelight Uranus episodic medicine ditty craggy flogging variac
brotherhood Webb impromptu file countenance inheritance cohesion
refrigerate morphine napkin inland Janeiro nameable yearbook hark

According to later accounts, hundreds of these messages flooded Usenet discussion groups on Aug. 5, 1996, launching the kind of intense, rigorous inquiries you’d expect from the geeky academics who frequented Usenet back then—none of which turned up any answers. Ten years later, in 2006, patterns in the cipher and the originating email syntax led people to agree that the Markovian Parallax Denigrate messages were probably a cipher hiding a deep government secret? Read more here>>



5. Internet Black Holes

In networking, black holes refer to places in the network where incoming or outgoing traffic is silently discarded (or “dropped”) without informing the source that the data did not reach its intended recipient. When examining the topology of the network, the black holes themselves are invisible and can only be detected by monitoring the lost traffic; hence the name. This was proved around 2008; previously they were dismissed as Wi-Fi or server issues.





Posted by on June 9, 2014 in Uncategorized


NIC-BANK’s poor Ebanking System and possible security Flaws

NIC-Bank upgraded its core banking to T24 around September 2012. For a muggle reading this with no knowledge of what T24 is, please click here to find out more>>.



I can confidently speak well of T24, and in my books the four below are the best core banking systems:

  1. Temenos T24 (NIC,KCB,CBA,Cooperative Bank etc)
  2. Sungard SYMBOLS (2 banks that denied me a loan)
  3. Finacle 10 (Equity Bank)
  4. Misys (Our Local Chamaa 🙂 )

Back to NIC Bank… so yesterday I log into the online banking system as usual, check my deposits because I was all drained after Easter, my balances, ATM withdrawals at 3 AM, another at 3.05 AM… (this booze is bad). Everything was OK… I was a little bored after watching Game of Thrones S04E03 so I decided to put to the test what the old master Idd Salim taught me. I decided to poke and probe the banking portal; I was actually looking to see if they had patched the Heartbleed vulnerability in their SSL, and voila, just like a girl would drop her thong for me, NIC Bank revealed the goodies.

nic bank1


I was inside the localhost JBoss directory… pretty simple, right… then from there I clicked on Tomcat Status and the result was as below.

nic bank



Again, if you don’t know what you are reading, I suggest you go read about Vera Sidika bleaching on Ghafla instead; it’s about to get technical. From this point I basically could read all traffic being directed to the T24 servlet that is their e-banking portal. I could easily, for example, tell how long this portal>> had been running, as shown below… Say Orgasm Number 1.


nic bank3

Let’s get back to the logs, shall we… from the posted image it all looks like gibberish, right? I mean, what use would isolated GET commands have? Nothing, right? Look closely at the bolded lines: USERNAMES and PASSWORDS (sorry, hashed passwords) of real people in real time as they log in; if you are keen you can actually see the actual transaction they are doing.

Sorry, but I will not reveal how to actually recover the passwords from the hashes, but I did try it and the results are shocking… if this landed in the wrong hands, basically an account with only one signatory would be drained in minutes. Orgasm Number 2.
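A defender-side counterpart to what the Tomcat status page exposed, as an added example that is not the bank’s or Temenos’ code: request lines in the shape of the T24 BrowserServlet URLs described above are scrubbed of login names and credential parameters before they are logged or displayed, and the list of affected logins is produced so that those accounts, not just their passwords, can be reissued. The login names, hash and exact parameter list are constructed; only the path, companyId and the COMPOSITE.SCREEN_<LOGIN>_<digits> shape follow the URLs the post describes.

```python
"""Scrub customer identifiers from servlet request lines before logging or display.

Added example, not the bank's or Temenos' code.  A container status page that
echoes the request line of every in-flight request leaks whatever the
application puts in its query strings (here the login name embedded in
compScreen and, at login, the credential parameters).  The path, companyId and
the COMPOSITE.SCREEN_<LOGIN>_<digits> shape follow the URLs the post describes;
the login names, hash and remaining parameters are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters whose values are credentials or directly identify a customer.
# 'user' and 'password' appear in the described URLs; the others are assumed
# names that show how the list would be extended.
SENSITIVE_PARAMS = {"user", "password", "passwd", "pwd", "otp", "token"}

# compScreen embeds the login name between a fixed prefix and a numeric window id.
COMP_SCREEN = re.compile(r"^(COMPOSITE\.SCREEN_)(.+?)(_\d+)$")

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")

# Constructed status-page lines in the shape described above (made-up users).
SAMPLE_STATUS_LINES = [
    "GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM000000000001"
    "&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_EXAMPLEUSER1_000000000002"
    "&command=globusCommand&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC HTTP/1.1",
    "POST /t24arcib1/servlet/BrowserServlet?method=post&user=EXAMPLEUSER2"
    "&password=constructedhash0001&companyId=KE0010001 HTTP/1.1",
    "GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=LOANS000000000003"
    "&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_EXAMPLEUSER3_000000000004"
    "&requestType=OFS.ENQUIRY&enqname=AI.AA.LOAN.FRONT.NIC HTTP/1.1",
    "GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER"
    "&compScreen=COMPOSITE.SCREEN_EXAMPLEUSER1_000000000005 HTTP/1.1",
]


def redact_target(target: str) -> str:
    """Return the request target with identifying query values replaced by [REDACTED]."""
    parts = urlsplit(target)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value = "[REDACTED]"
        elif key == "compScreen":
            value = COMP_SCREEN.sub(r"\g<1>[REDACTED]\g<3>", value)
        cleaned.append((key, value))
    # Keep '[', ']' and '.' literal so the marker and enquiry names stay readable.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[].")))


def redact_request_line(line: str) -> str:
    """Scrub one 'METHOD target HTTP/x.y' line; anything else is returned unchanged."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return line
    return f"{m['method']} {redact_target(m['target'])} {m['version']}"


def affected_logins(lines: list[str]) -> list[str]:
    """Login names a raw dump of these lines would have exposed, in first-seen order.

    Incident-response use: these are the accounts whose credentials as a whole
    (username and password) need to be reissued after such an exposure.
    """
    seen: list[str] = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m["target"]).query):
            hit = COMP_SCREEN.match(value) if key == "compScreen" else None
            if hit and hit.group(2) not in seen:
                seen.append(hit.group(2))
    return seen


if __name__ == "__main__":
    for raw in SAMPLE_STATUS_LINES:
        print(redact_request_line(raw))
    print("affected:", affected_logins(SAMPLE_STATUS_LINES))
```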

Right, let’s continue… let me step out like Del Monte, I’ll be back…

nic bank2



The above shows all the applications running on the server, including but not limited to the actual T24 (t24arcib1)… man, they didn’t even change the name… fine then.

A closer look at one of the applications they are running, jbossws, and its version is as below.

Runtime information


So I leave it at that… I have since moved all my savings to my mattress account. If NIC Bank reads this, feel free to ask for the vulnerabilities. And don’t send the police after me; I am not a thug.


Posted by on April 24, 2014 in Uncategorized


My problem with Facebook: Case PesaBox FB Page

To begin with, it’s a fact that Facebook keeps things from you, from individual posts to those from pages. But let me begin with what you already know. If I post something on my personal Facebook page, it will be displayed to my friends on their timeline. If they in turn like it, it will be shared on their wall and so on and so forth. In doing so this single post has the potential of being seen by everyone on Facebook (note the key word: potential). But if no one likes or comments, then the post simply ends there and dies, only appearing on your individual timeline and forever lost to others. So all you are left with is posts on your TL that you like or your friends like… basically an echo reaffirming your views. You are never quite exposed to anything new. For example, if it’s a match night, the next morning the only thing you wake up to on your TL is scores and comments about this or that player. Do you honestly think that is the only thing people had to say that morning? If yes, you have already been brainwashed by social media.

But Facebook will argue this filtering is necessary, and I agree. The average Kenyan has around 300 friends on FB and, say, likes 40 pages on average. According to stats from FB, each day 4,750,000,000 posts are shared, roughly 4 posts per Facebook user. That would mathematically mean that if you log in every day you would be exposed to roughly 4*300 = 1200 posts. Clearly some filtering is needed.

The problem (to me, that is) is that Facebook is using its filtering algorithm to make money. Take my PesaBox page: the last post I wrote only went out to 98 people.


And my numbers have been on a downward trend. Facebook was quoted saying: “We expect organic distribution of an individual page’s posts to gradually decline over time as we continually work to make sure people have a meaningful experience on the site.” That means Facebook is actively restricting the reach of posts from people who have pages (like me) to the people who have actively indicated they like what we do. And if we want that reach, you know what Facebook is doing? Boost Post.


Yes, they want us to pay them. This goes as far as a personal post. Say a politician can say whatever crap he has to say and, whether or not you are friends with him, the post can find its way to your TL simply because he paid 200 dollars for it. Meanwhile a pal of yours may have posted about the ailing health of his mother and how he would like help, and you may never get to see that post. All the while he/she will think his friends don’t care.

Don’t get me wrong, I have nothing against making money; I for one advocate for it (explained by my coding/work ethic), but this is wrong. Let’s look at it from another angle.

On YouTube if you upload content that gets a lot of views you get paid for it (remember the Gangnam Style guy making hella scrilla $$$$), while on Facebook the more you get liked or viewed by users the more you have to pay for views (REALLY!!). But I propose 3 arguments FB would pose for this.

1. The main reason people go on FB is to view stuff about friends and family, as opposed to YouTube where they go for entertainment, knowledge, research etc.

2. The interaction per page post on FB is really low, and it's even harder to quantify the amount of time spent viewing said post, as opposed to YouTube where the interaction happens in minutes, during which time an ad embedded in the view can be seen (revenue).

3. The role of everyone is known on YouTube: there are creators (who make the content), advertisers (who bring in the cash $$) and viewers (who watch said video and in turn see the ad the advertisers embedded on the creators' work). FB is tricky: creators are treated like advertisers (they have to pay to reach the viewers), and now even viewers can be creators by paying for their post to be featured on people's TLs. So everyone on FB is an advertiser.


And you know why? FB can't find another way to monetize its millions of users. I know people will say there are the paid ads on the left, but who honestly clicks those? FB is not like Google, where after searching for something I will probably feel compelled to click on a paid slot that I feel best matches my search term. On FB all I am interested in is friends or family, that's it; I have not gone to FB to shop (unless it's Soko Nyeusi or Soko Kuu). FB has the poorest click-through rate at 0.06%, compared to 2% in favour of Google Ads.

In 2013 YouTube made over 5 billion $, most of which was paid back to the creators of content on YouTube, keeping it alive. FB on the other hand made 7.5 billion $, but that all went back to Facebook shareholders, Mark and I guess his wife (yes, I'm hating), not the people who make the great content that drew us to Facebook and in turn allowed them to make that money in the first place.

Social media should allow us to share with everyone, much like Twitter, where all your followers see your tweets, not like FB, which has taken control of what you see, giving you only content that it's making money from. It is continuing to block the reach of organic posts to people. So I guess I am far better off tweeting about PesaBox than having a page on Facebook.


Posted by on January 16, 2014 in Uncategorized


The Elusive MPESA API that may never be…and More


A lot has been blogged about the MPESA API, and when I say a lot I am talking about thousands of tweets, blogs, texts etc. When the late Idd Salim (it still hurts me to call him late) was around, he delved endlessly into this. Everyone has talked about how devs would be able to leverage said APIs in their systems if Safaricom just agreed to play ball. But you all know Safcom. Safcom is like that pretty chick: big booty, boobs from here to Ronga, the whole package. The hardest thing is winning over a girl like that. I mean the typical approach would be “Wow, babe, you're looking good..” but do you think it's the first time she has heard that? Of course not; she will just snub you and twerk that ass somewhere else. Same thing with Safcom: we all approach them telling them the same thing, “Safcom, MPESA is cool, just let us code on it”, and Safcom will snub you. But even pretty chicks get lonely; it's not like they don't want the D either. Someone will come with a new, different angle: instead of cliché lines he will hit her with unexpected wordplay (“Hey, I like your eyes, and you know a woman is all about the behind, so why is yours small??”) and bam, the chick is disarmed, like pressing reset on a system. Back to Safcom: someone actually won them over and built an API of sorts (not new news really). I will get to that in a few.

Oh wait, Safcom just posted that MPESA is down, as I write this, for 2 days. Runs to withdraw cash: *sigh*


Back to said API: Bernsoft, sometime last year, successfully developed a system for MPESA that makes MPESA transactions real-time. This is why when you pay DSTV your account gets reconnected immediately, or when you deposit money to your bank from MPESA it is real-time, or why your KPLC payment is more real-time than it was before. They developed this system, called “MPESA Instant Payment Notification (IPN)”, originally for use on Kenya Airways ticketing, then presented it to Safaricom, who liked the idea and thus opened up MPESA for them to integrate with; so most if not all MPESA Paybill/Buy Goods transactions are now processed through this locally developed system.

Many local companies are using this (I for one do most of my MPESA work primarily on said IPN), but it is not foolproof. For starters it is not exactly bidirectional, and it requires tight integration with a Paybill number. If you have ever tried getting one you will know it is one of the hardest things; hard because the tariffs are CLOSELY guarded and no one can know what, say, Company A pays. Meaning if you develop a system and set up a contract with them, you may be charged x and Company A gets charged y, where x > y, and you can't do anything about it.
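The post describes the IPN only at the level of "the provider pushes a notification and the merchant's system reacts in real time"; it gives no wire format. The following is an added example, not Bernsoft's, Safaricom's or the author's code, of what the merchant-side receiver of such a notification should do before crediting a customer account: authenticate the message with a shared secret (an assumed HMAC-SHA256 scheme), parse it only after authentication, and refuse to credit the same transaction id twice, since notifications can be redelivered or replayed. The field names, the secret and the sample payloads are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed: a secret agreed out-of-band between provider and merchant.
# Everything here is a generic design, not the actual IPN interface.
SHARED_SECRET = b"merchant-secret-placeholder"


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Signature the provider would attach to a notification body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def make_body(txn_id: str, account: str, amount: int) -> bytes:
    """Build a constructed notification body with the assumed field names."""
    return json.dumps({"txn_id": txn_id, "account": account, "amount": amount}).encode()


class LedgerStore:
    """In-memory stand-in for the merchant database: credited transactions by id."""

    def __init__(self):
        self.credited = {}


def handle_ipn(raw_body: bytes, signature: str, store: LedgerStore,
               secret: bytes = SHARED_SECRET) -> str:
    # 1. Authenticate first, with a constant-time comparison, so that a
    #    forged or tampered body never reaches the parser or the ledger.
    if not hmac.compare_digest(sign(raw_body, secret), signature):
        return "rejected: bad signature"
    # 2. Parse only after authentication; treat anything odd as malformed.
    try:
        msg = json.loads(raw_body)
        txn_id, account, amount = msg["txn_id"], msg["account"], int(msg["amount"])
    except (ValueError, KeyError, TypeError):
        return "rejected: malformed"
    if amount <= 0:
        return "rejected: bad amount"
    # 3. Idempotency: a redelivered or replayed notification must not credit twice.
    if txn_id in store.credited:
        return "duplicate: already credited"
    store.credited[txn_id] = (account, amount)
    return f"credited {amount} to {account}"


if __name__ == "__main__":
    store = LedgerStore()
    body = make_body("TX0001", "DSTV-12345", 2500)
    print(handle_ipn(body, sign(body), store))        # credited
    print(handle_ipn(body, sign(body), store))        # same notification again
    print(handle_ipn(body, "deadbeef", store))        # forged signature
```

The order of the three checks matters: signature before parsing keeps untrusted bytes out of the JSON parser, and the duplicate check keyed on the provider's transaction id is what turns "the provider may retry" into "the customer is credited exactly once".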

But this was a great leap since it was the first (even a virgin doesn't say yes every day after the first time; you have to give her time to digest the awesomeness of the D), hahaha. Moving along swiftly. The problem with Safaricom is that Saf cannot be both the owner of the platform and also the gatekeeper of innovations that may run on it. All the innovations devs talk about will not stop them from earning money if they come up with standard licensing fees. However, and important to note, it should not be up to them to decide which idea they like and therefore which should run on a payment system. This is the same problem AT&T had: because they simultaneously owned Bell Labs, which churned out landmark software technologies, they could decide that a technology that seemed a threat would not run on their network, yet they were virtually a monopoly, the way M-PESA by market positioning is a virtual monopoly. The fact is we cannot let Safaricom stifle innovation and continue to prosper. AT&T was finally split up in 1984 not because of its overwhelming market dominance, but because IT WAS REFUSING TO ALLOW NEW INNOVATIONS TO WORK ON ITS PLATFORMS, thus overall stifling technology.

There are thousands of programmers who could come up with software or games that could seamlessly integrate M-PESA as a payment platform for their services without having to go through an approval process where Safaricom technical people are the judge and jury, particularly given the integrity issues that have long been raised about these Safaricom IT guys when it comes to dealing with developers.

Another key thing of note: if Safaricom shuts down MPESA today (11:00pm Saturday 9th November to 6.00a.m on Sunday 10th November), will these rampant outages not cost the economy? 35% of our Kenyan GDP passes through M-PESA, and there is no credible redundancy. That is, if MPESA is out for a week the economy stagnates. Potential systemic risks such as banking systems heavily exposed to one economic sector are heavily discouraged, and neither should we say our national transactions are 35% exposed to one payment system and be happy about it; a system which no one but a select few know anything about.

As Salim would say: Wazi (alright), back to code.


Posted by on November 9, 2013 in Uncategorized



What if Jaymo worked in these 2 Kenyan institutions?

I have 30 minutes before I write code for today (gotta pay those bills), so let me rant for a few minutes. I mentally placed myself in a job, somewhere, trying to imagine what I would add to these formal organizations in terms of technical contribution, in a technical capacity.

1. A supermarket chain

Wait, bear with me here before you look at me like I'm crazy. Everyone visits a supermarket at one point; it doesn't matter if it's a run-down Nakumatt along Ronald Ngala or an upmarket one at Westgate, we all do. Based on research I can correctly approximate that only 15% of customers have smart cards; the rest simply have no observable use for the cards. The only thing supermarkets do is a loyalty scheme awarding points to customers based on the amount they spend.


In walks Jaymo: add predictive modelling. Predictive modelling is the process by which a model is created or chosen to try to best predict the probability of an outcome. In many cases the model is chosen on the basis of detection theory, to try to guess the probability of an outcome given a set amount of input data. So Jaymo, explain then. Of course: people buy stuff based on need (price being ignored; this is always countered by variety, size range etc.), as such need recognition is the best bet for a sales increase. Enter consumer profiling and predictive modelling. Let's take an example: say Njeri all of a sudden deviates from her current buying trend and starts buying cocoa butter lotion, Vaseline and supplements, with an observable 40%+ change from her previous purchases; then it's safe to assume she is either pregnant or planning to get pregnant, upon which, if an algorithm exists, we can target Njeri with coupons on baby stuff over her pregnancy and after delivery. Say Kamau changes from buying alcohol and Durex condoms on Friday over a varied geographical span (nax, Nairobi, coast) and starts buying wine, scented candles and lean meat on Fridays at Nakumatt Junction; then we can safely assume he has found a woman and is settling down, and we can target him with ads relevant to his current stature. You get the picture I hope: make that loyalty card work for them; write a perfect predictive algorithm based on data mining.
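The "40%+ change from her previous purchases" above is a deviation-from-baseline test on a customer's spend profile. As an added example (not the author's code, and not any supermarket's actual system), here is one concrete way to compute it from loyalty-card records: build each customer's share of spend per category for a baseline period and a recent period, measure how much of the spend moved between categories (total variation distance, so 0 means the same mix and 1 means a completely new mix), and flag customers whose shift meets the threshold together with the categories that grew. The customers, categories and amounts are constructed sample data mirroring the Njeri and Kamau stories.

```python
from collections import defaultdict

# Constructed loyalty-card records: (customer, period, category, amount_ksh).
# "baseline" is the customer's history, "recent" the latest window.
PURCHASES = [
    ("Njeri", "baseline", "groceries", 4000),
    ("Njeri", "baseline", "toiletries", 1000),
    ("Njeri", "recent", "groceries", 1500),
    ("Njeri", "recent", "toiletries", 1500),   # cocoa butter, Vaseline
    ("Njeri", "recent", "supplements", 2000),
    ("Kamau", "baseline", "alcohol", 2000),
    ("Kamau", "baseline", "contraceptives", 500),
    ("Kamau", "recent", "wine", 1000),
    ("Kamau", "recent", "candles", 500),
    ("Kamau", "recent", "lean_meat", 1500),
    ("Otieno", "baseline", "groceries", 3000),  # stable shopper, should not flag
    ("Otieno", "recent", "groceries", 2500),
]


def category_shares(rows):
    """Fraction of a customer's spend in each category for one period."""
    totals = defaultdict(float)
    for category, amount in rows:
        totals[category] += amount
    grand = sum(totals.values())
    return {c: v / grand for c, v in totals.items()} if grand else {}


def trend_shift(baseline, recent):
    """Share of spend that moved between categories: total variation distance in [0, 1]."""
    cats = set(baseline) | set(recent)
    return 0.5 * sum(abs(baseline.get(c, 0.0) - recent.get(c, 0.0)) for c in cats)


def profile_changes(purchases, threshold=0.40):
    """Per customer: size of the shift, whether it crosses the threshold, and growing categories."""
    by_customer = defaultdict(lambda: {"baseline": [], "recent": []})
    for customer, period, category, amount in purchases:
        by_customer[customer][period].append((category, amount))
    report = {}
    for customer, periods in by_customer.items():
        base = category_shares(periods["baseline"])
        rec = category_shares(periods["recent"])
        shift = trend_shift(base, rec)
        grown = sorted(c for c in rec if rec[c] > base.get(c, 0.0))
        report[customer] = {
            "shift": round(shift, 4),
            "flagged": shift >= threshold,
            "growing": grown,
        }
    return report


if __name__ == "__main__":
    for name, result in profile_changes(PURCHASES).items():
        print(name, result)
```

Using shares rather than raw amounts means a customer who simply spends more (or less) overall without changing what they buy does not trip the flag; only a change in the mix does. What to do with a flagged customer (which campaign, if any) is a separate rule on top of this, and is the part that deserves the most care, since the inference about pregnancy or a new relationship is exactly the kind of sensitive attribute a loyalty scheme should think twice about acting on.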

2. Safaricom (Vuma Online division)

I know working for Saf is overrated, over-blogged and over-tweeted. Okay, I will not even try to go there. So Safaricom introduced Vuma Online. Okay, good work. The pilot saw 200 Nairobi matatus and buses plying the Nairobi-Mombasa route have WiFi installed in them at a cost of KSh. 7 million. Clap for yourself. The first month was free I guess; from then on the only thing that remained was the fancy logo on these matatus. Matatus were to pay KSh. 2,000 per month and have the service accessible to users for free. Most opted not to. Typical Kenyan style, the project went south on most routes.


In walks Jaymo: Safaricom should have offered it for only 500 bob per month (call this an activation fee). Then where would the other 1,500 bob come from?? Stick with me: what do people really do with WiFi?? Social media, a bit of Google, YouTube. The 500 bob the matatu pays would be primarily for this; then Safaricom would target industry, e.g. newspapers (Nation, Standard), OLX, Capital FM, Brighter Monday, high-traffic Kenyan sites (the likes of Ghafla, Cheki, KRA), and have them pay a monthly fee for free access via these networks. What this would mean is that if the matatu does not pay the 500 bob then people can't use Facebook, Twitter and the likes of WhatsApp, but they can still read the paper, visit Ghafla etc.


Posted by on October 8, 2013 in Uncategorized


Voi railway station: Save the railway

The Agora

This series of photos, taken at the Voi railway station, is part of a photo essay that seeks to revive the railway and give it back the life and vigour that is slowly drifting away from it, consequently showing the need and urgency to preserve, maintain and appreciate stations such as Voi, which in this case serves as a representation of most stations within the country.




[Photo gallery: DSC08593, DSC08478, DSC08597, DSC08602, DSC08572, DSC08656, DSC08665, DSC08592 - Copy, DSC08512, DSC08545, DSC08623, DSC08675]






Download a compiled document of some of the photos here 

In the meantime “the chucks” and I say goodbye 🙂; stay tuned for the next post on Mombasa railway station. “Let's save the railway”!!!




Posted by on August 8, 2013 in Uncategorized