[kictanet] [Skunkworks] Fwd: Safaricom and Internet Traffic Tampering

Kevin Kamonye kevin.kamonye at gmail.com
Fri Mar 24 16:56:13 EAT 2017


In the defense of my good friend Thuo;

1. The kind of entities that would (allegedly so far) compel Safaricom (SC)
to mine your data have access to all the below mentioned.

1. National ID card details
2. High school results slip, and university transcripts
3. Payslip
4. Bank statement
5. Health status, and medical records
6. Name of past and current girl friends, wife, and kids (Unless you have
never texted or called them)
7. The name of your kids, age, where they go to school, and class

2. I think we also need to give some benefit of doubt that SC is simply
running an optimizer that could essentially be doing some transparent
caching. Whenever the actual truth will be confirmed, I will perhaps join
the protest by making some serious noises with my keyboard.

3. We could also be blowing this out of proportion. How much sensitive data do
we transmit over the basic HTTP protocol nowadays? And if you are telling
me that KE has NSA and GCHQ grade HTTPS popping capabilities, then first of
all I am impressed..

The issue for me would be more towards the protection of this data by
requiring court orders (even if in secret but recorded requests eg. between
AG -> CJ) for a particular person's data to be accessed from the archives
or in real-time.

For my part, a concern that I have had with SC has to do with the
permissions they request on their Apps. I could be very wrong here, but
I believe that these Apps only need Internet access so that they can pull
your data from SC servers. These permissions could potentially grant a
malicious attacker access to a lot of information if SC's systems were to
be compromised.

I request Steve to clarify these in detail so that I may be able to have
the peace of mind of installing and using their very useful (really)
features, and remove my bad rating for mLedger :)

Below are the current permission requests.

mLedger:-

Version 5.0 can access:
Identity

   - find accounts on the device

Contacts

   - find accounts on the device
   - read your contacts

SMS

   - read your text messages (SMS or MMS)
   - edit your text messages (SMS or MMS)

Phone

   - directly call phone numbers
   - read phone status and identity

Photos/Media/Files

   - read the contents of your USB storage
   - modify or delete the contents of your USB storage

Storage

   - read the contents of your USB storage
   - modify or delete the contents of your USB storage

Device ID & call information

   - read phone status and identity

Other

   - view network connections
   - create accounts and set passwords
   - full network access
   - run at startup
   - control vibration
   - prevent device from sleeping
   - set an alarm
   - install shortcuts
   - uninstall shortcuts

MySafaricom:-

Version 1.1.1.0 can access:
Device & app history

   - retrieve running apps

Contacts

   - read your contacts

Location

   - approximate location (network-based)
   - precise location (GPS and network-based)

SMS

   - read your text messages (SMS or MMS)
   - receive text messages (SMS)

Phone

   - read call log
   - read phone status and identity

Photos/Media/Files

   - read the contents of your USB storage
   - modify or delete the contents of your USB storage

Storage

   - read the contents of your USB storage
   - modify or delete the contents of your USB storage

Wi-Fi connection information

   - view Wi-Fi connections

Device ID & call information

   - read phone status and identity

Other

   - receive data from Internet
   - view network connections
   - full network access
   - run at startup
   - control vibration
   - prevent device from sleeping
   - install shortcuts
   - read Google service configuration

Kevin

On 23 March 2017 at 21:01, Mwendwa Kivuva via skunkworks <
skunkworks at lists.my.co.ke> wrote:

> At the expense of digressing such an important thread, I will ask Thuo,
> who claims to not have anything to hide to share the following information
> on this list
> 1. National ID card details
> 2. High school results slip, and university transcripts
> 3. Payslip
> 4. Bank statement
> 5. Health status, and medical records
> 6. Name of past and current girl friends, wife, and kids
> 7. The name of your kids, age, where they go to school, and class
> 8. Listers can add more mundane data here
>
> The point is, the mundane information about us belongs only to us, and
> those we have entrusted the information. In the wrong hands, this
> information may be potent
> On Mar 23, 2017 2:56 PM, "Thuo Wilson via skunkworks" <
> skunkworks at lists.my.co.ke> wrote:
>
>>
>> On 23 March 2017 at 09:52, Odhiambo Washington via skunkworks <
>> skunkworks at lists.my.co.ke> wrote:
>>
>>> In light of such dual uses, this report makes clear that service
>>> providers operating middle-boxes must communicate to the public in a
>>> transparent manner the justification for such activity. This is especially
>>> relevant as government bodies announce plans to monitor and possibly censor
>>> the Internet during Kenya’s current electoral processes.
>>
>>
>> I always wonder, what do people hide? Safcom and telcos of the world can
>> sniff on my data all they want [so long as they don't tamper with my bank
>> account]- if you have nothing to hide what's fear for?
>>
>>
>> Kind Regards,
>> Wilson./
>>
>> _______________________________________________
>> skunkworks mailing list
>> skunkworks at lists.my.co.ke
>> ------------
>> List info, subscribe/unsubscribe
>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> ------------
>>
>> Skunkworks Rules
>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> ------------
>> Other services @ http://my.co.ke
>>
>