I wanted to take a few minutes to analyse the affidavits that touch on IT given by John Githongo and Benson Wesonga. I got this off a tweet by @MwangoCapital. Thank you @David_Indeje for making it easy to access all the information.
The John Githongo affidavit available here: drive.google.com/drive/folders/… and the Benson Wesonga affidavit available here: https://t.co/oLKve5st8m.
John's affidavit is to show that he had been in touch with someone who knew of the goings on at the UDA tallying centre. Wesonga's affidavit is to back up John's affidavit as an ICT practitioner with many years of experience.
My interest was triggered by this statement by the young man...“were involved in a large scale, well-orchestrated fraudulent scheme that enabled them to interfere with and compromise the IEBC electoral data transmission system and manipulate the presidential election results...”
Let us delve into the documents provided.
From this screenshot, you will see that they have the IEBC site open on two windows and of course the page forms.iebc.or.ke. That little favicon on the left shows that one of the technologies https://t.co/G0CLiOOGjN is running is Vue.js. The page in current view is login. 
Because the credentials are not passed, it immediately writes to the screen the error. And it stops there. That greek for the layman is a language called XML. It formats data between <…> </….> and does not DO anything. If you have done any web design, it's similar to HTML.
In comes Filezilla Server to help us with telling the story that hacking had happened. Just download it and change the credentials to those you see and viola. Things look legit.
But then there is a small small problem. Things are going to get hard small in a few seconds.
So, the first people who accessed the forms that is asenge@iebc.or.ke and ekitum@iebc.or.ke did so from the IP address from 15:07:35 PM AND 15:44:39 pm.
So, the first people who accessed the forms that is asenge@iebc.or.ke and ekitum@iebc.or.ke did so from the IP address from 15:07:35 PM AND 15:44:39 pm.
Quick check on the IP - 197.156.129.137 - is on the Telkom network.
Coincidentally, it has an unsecured copy of the IEBC site. This information is now in the public domain, so hakuna hacking hapa. Check and screenshot before they pull it down....
So now, they want to show us what has been happening from the "server" side.
asenge@iebc.or.ke (197.156.129.137) at 15:07:35 PM starts the process of STOR. This is an FTP (file transfer protocol) command for uploading a file. In our case it is F34A-001-Changamwe.jpg.
The server opens up to receive the file being transferred (1) and successfully saves it (2).
(1) 150 Opening data channel for file upload to server of "/F34A-001-Changamwe.jpg"
(2). 226 Successfully transferred "/F34A-001-Changamwe.jpg"
(1) 150 Opening data channel for file upload to server of "/F34A-001-Changamwe.jpg"
(2). 226 Successfully transferred "/F34A-001-Changamwe.jpg"
Seems all normal.....well...NOT.
For each STOR command by default there is a response. Successful or not. To add the same document to the server, it also throws a response.
But that was not shown.
Hapo iko little editing. Haisuru. We shall continue. Let us take a chai break
For each STOR command by default there is a response. Successful or not. To add the same document to the server, it also throws a response.
But that was not shown.
Hapo iko little editing. Haisuru. We shall continue. Let us take a chai break
@JohnKenn4 insists that I should take tea while typing.
So, the small small edits other than deleting the responses is the time.
15:07:35 PM my military friends will be the first to note.
No way that the time is correct.
Continuing shortly.
So, the small small edits other than deleting the responses is the time.
15:07:35 PM my military friends will be the first to note.
No way that the time is correct.
Continuing shortly.
In comes mlempaka@iebc.or.ke using IP 105.166.230.78 look at the difference in timing for the same operation and the overflow onto the task bar. That overflow on the task bar shows how bad this story is.
Maybe it was a challenge for the person given that it was 23:15 and they may have missed their evening coffee break. But do we say?!
So, in the next page, they try to show how files were changed from .jpg to .pdf. They forgot to show us the process 🤓. All we see is the same file being uploaded as a PDF after a couple of minutes. Haisuru, let us continue.
The next page shows the same with a different user with a different IP. The overflow continues and the there is an uneven elevation where the print is on.
Then comes the bummer. There is a note but if you look carefully at the time, the user wchebukati@iebc.or.ke does not use the said IP.
Remember when you access a website, your IP address is NOT the same as the website. That detail was completely lost to this 'hacker team'.
Remember when you access a website, your IP address is NOT the same as the website. That detail was completely lost to this 'hacker team'.
The same distortion continues. What is interesting, is that jjwii@iebc.or.ke forgets that the password is required. So, he changes the directory, which we don't see of course, deletes a file, he wants to rename a file and is told it exists.
He then, Then he renames the file to F341-1-LAIKIPIAWEST.jpg because F34A-031-1 LAIKIPIAWEST.jpg exists.
The file is successfully renamed at that odd time.
The file is successfully renamed at that odd time.
Conclusion of this whole analysis.
Someone is lying about the hacking. The email addresses were known to the person. Time was not chronologically given because they were pulling from everywhere. This work was done in a hurry. To the untrained eye, it would have passed.
Someone is lying about the hacking. The email addresses were known to the person. Time was not chronologically given because they were pulling from everywhere. This work was done in a hurry. To the untrained eye, it would have passed.
PDFs are easy to generate from the side of either the KIEMS Kit or the server side automatically. The notion that individuals sat to change this....And it is proven by how much time it took them to display the same. Despite the wrong time display.
Lastly, if you look at the forms that they have tried to display, none has the name changed on the portal. Remember, this was what was open to us.
The times indicated are a figment of someone's imagination. Other than that, note that the forms all followed a format, county and identical polling station numbers. That number is both on the form and is on the corresponding file number.
Kesho ni siku. I will answer the questions on my TL.
Side note for techies. On the bookmarked items are the links to: Youtube Open-Source Intelli, DreDown and View Defeway cam. You know that someone was in class and off course, the last one...your guess is as good as mine.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
