Thought Behind Things · Dec 15, 2021
Pakistanis don't care about their own data
Senior security consultant Mirza Burhan Baig walks through bug bounties, the social-engineering attacks that actually work on Pakistani banks, why iPhones are harder to hack than Androids, and what made the Pegasus exploit a state-grade weapon.
with Mirza Burhan Baig
From Karachi web developer to bug-bounty hunter
The episode opens with Muzamil introducing Mirza Burhan Baig over the line from Riyadh, where Burhan is a senior security consultant at Riyad Bank and an international speaker on information security. Muzamil’s first question is the obvious one: how did someone end up here, in a field that most computer-science graduates in Pakistan still do not consider a career?
Burhan’s path is conventional on the surface and deliberate underneath. School and university in Karachi, then a master’s at Iqra in Islamabad, all in computer science with security as the personal interest he ran in parallel. He started, like everyone else, as a web and mobile developer — “once you are a developer, you know how to develop, then you go for the security” — and from there moved into bug-bounty work in 2013, when the idea that companies would pay strangers in dollars to find holes in their websites was still novel in Pakistan.
He delayed his graduation to take a full-time job at Delta Tech in Karachi, where he ended up spending five years and watched the team grow from one room to thirty people. The work was core banking security for Bank Alfalah. He moved to Riyadh in January 2021 after a year of working there remotely.
The bounty economy: hundreds of bugs, dollars on rare occasions
Muzamil asks Burhan to expand on the vocabulary. White-hat, black-hat, grey-hat. Burhan walks through it cleanly. Black-hats use their ability for destructive purposes — phishing attacks, account takeovers, scams. He pauses on phishing specifically: a domain that looks like Facebook with an extra letter, an SSL certificate purchased to make the lock icon appear, credentials typed in and lost.
White-hats do the same work in reverse. They find a vulnerability, report it, and sometimes get paid. The infrastructure for getting paid is what changed the industry — Burhan names Bugcrowd, HackerOne, and Synack as the platforms that publish programs, set minimum and maximum bounty ranges, and pay in dollars routed through PayPal or Payoneer.
“Hundreds of them,” Burhan says, when Muzamil asks how many bounties he has found. Five to seven public listings on Facebook, Google, and Microsoft. A larger number on smaller sites no one would recognise. He is honest about the Pakistani end of the market: he once found a vulnerability in a well-known Pakistani website and was offered two cinema tickets as a reward.
Why universities aren’t producing security people
Muzamil widens the question. Pakistan’s freelancer boom, he argues, is stuck at the low-value end of the supply chain — design tools, basic content writing — because the country has no clear ladder to the more technical work above it. Where does that ladder come from? Four years of computer science?
Burhan’s answer is sharper. The field is not waiting on degrees; the field is starving for people. The good resources are not in Pakistan. Universities are not teaching security. He tells a story about a friend’s final-year project: the supervisor sat through a half-hour presentation on network attacks, malware, and viruses, and at the end said he did not understand the topic but would not be fooled, and would read up before the next session. Burhan is generous about it — the supervisor did, in the end, let the project go through — but the point lands. Even the people grading the next generation of security graduates are learning on the job.
Why Pakistani banks keep getting breached
The conversation turns to the recent leak of Pakistani bank data on the dark web. Muzamil asks the direct question: why are banks, of all institutions, still getting hacked?
Burhan’s first answer is organisational. Inside a bank, the CIO, CISO, and CTO have overlapping mandates, and the security team and the IT team end up blocking each other. A business team wants to launch a product on a specific date; the security team finds a problem; the launch slips or the problem ships. The hierarchy is built for friction, not for shipping secure software.
But the second answer is the one he keeps returning to. “We — as a nation, as Pakistanis — we don’t care about our own data,” he says. “I’m telling you honestly.” Every person on the call has four contacts whose phone-number databases are sitting in someone’s leaked spreadsheet. The most valuable thing on the dark web, he notes, is not credit cards but medical records — and Pakistan has no compliance regime tracking which clinics and pharmacies hold what. There is no functioning national computer emergency response team. The groups that have tried to build one, he says, have been blocked.
The bank phishing red-team that worked seventy percent of the time
The most concrete moment in the episode is Burhan describing a red-team service his firm sold to multiple Pakistani banks. The setup is almost embarrassingly simple. They registered a domain along the lines of abcbankhealth.com — a dollar’s purchase. They built a one-page site with the bank’s logo, colour theme, and a COVID dashboard with live-updating graphs. They wrote a single line of copy: COVID testing is free for bank employees and their families. To register, submit your employee ID, your username, and your national ID number.
They emailed that link to bank employees on their official addresses.
“If a hundred people were there, seventy gave the data,” Burhan says. “Without verifying.” This was not one bank. They ran the same exercise on five to eight banks. The follow-on sale was awareness training — which the same firm could provide.
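Both attacks described so far, the Facebook domain with an extra letter and the abcbankhealth.com-style brand domain, share a tell a mail gateway can look for: a link whose domain carries the brand but is not one the bank owns. The check below is an added defensive illustration, not code from the episode or from Burhan's firm; the bank ("abcbank"), its owned domains, the multi-part TLD list and the sample email are all constructed.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed: a hypothetical bank, the domains it actually owns, and a tiny
# multi-part TLD sample (a real deployment would use the public suffix list).
OWNED_DOMAINS = {"abcbank.com", "abcbank.com.pk"}
BRAND = "abcbank"
MULTI_PART_TLDS = {"com.pk", "co.uk", "net.pk"}

def registrable_domain(url: str) -> str:
    """'https://www.abcbankhealth.com/covid' -> 'abcbankhealth.com'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one extra, missing or changed letter counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str) -> str:
    """'owned' for a bank domain; 'brand-lookalike' when an unowned domain embeds
    the brand (abcbankhealth.com); 'typosquat' when the label is one edit away
    from the brand (abcbannk.com); otherwise 'unrelated'."""
    domain = registrable_domain(url)
    if domain in OWNED_DOMAINS:
        return "owned"
    label = domain.split(".")[0]
    if BRAND in label:
        return "brand-lookalike"
    if edit_distance(label, BRAND) <= 1:
        return "typosquat"
    return "unrelated"

def flag_links(body: str) -> list[tuple[str, str]]:
    """Return the (url, verdict) pairs in an email body that deserve blocking."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [(u, v) for u in urls if (v := classify_link(u)) != "owned" and v != "unrelated"]

# Constructed sample email modelled on the campaign described above.
SAMPLE_EMAIL = """Dear colleague, COVID testing is free for staff and families.
Register at https://www.abcbankhealth.com/covid with your employee ID.
Policy: https://abcbank.com.pk/hr . Old portal: http://abcbannk.com/login"""
```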
The lesson he draws is the one he kept returning to throughout the conversation: “The system is secure, but the end user is not.” Burhan is clear that the new wave of Pakistani fintech licences — SadaPay, NayaPay, TAG, FonePay — has, as systems, tight security. The hole is in the person.
Hospitals, mobile phones, and the cost of a pirated copy of Windows
Muzamil asks where else the same problem shows up. Burhan names hospitals next. He cannot disclose the institution, but his team ran a red-team assignment on a major Pakistani hospital that included physical access to the data centre, RFID card cloning, Wi-Fi compromise, and the kind of deep network access that should not have been possible. The exercise was contractually consented to; no one was prosecuted; the hospital, he implies, has work to do.
Then he turns to personal devices, and the answer becomes a small parable about the Pakistani computing culture. People run pirated copies of Windows and install pirated antivirus on top of it. “First your Windows is not right, then your antivirus is not right,” he says, “and then you complain that you got hacked.” Every cracked installer carries malware that opens a command-and-control channel out of the network — webcam access, screen capture, file exfiltration, ransomware encryption. The mobile equivalent is the photo editor that asks for contact-list permissions and is granted them because the user clicks through.
Why iPhones are harder to hack than Androids
Muzamil brings up the obvious comparison. Burhan does not hedge. “Yes, way too secure from Android,” he says, “because Android is open source.” On Android, anyone can modify the kernel, sideload a custom ROM, root the device in minutes. Apple’s App Store requires code signatures and verification before an app reaches a phone, and although things still get through, the bar is meaningfully higher.
He uses the moment to explain DNS spoofing and a more specific public Wi-Fi trap: hotel and café networks that ask you to install a certificate to access the captive portal. Installing that certificate authorises the network operator to read your traffic in plain text, including data that would otherwise be encrypted end-to-end. His rule for public Wi-Fi is short. Use it if you have to. Do not install any certificates. Do not do anything financial on it.
On VPNs, Burhan separates the legitimate use case — corporate remote work, accessing services blocked in a particular region — from the consumer-grade free VPNs whose business model is unclear. He flags ProtonMail and ProtonVPN as the example of a privacy-first stack built around the principle that the operator should not be able to read the data passing through their own nodes.
Pegasus, zero-days, and state-level actors
Muzamil brings the conversation to Pegasus. Burhan explains the underlying concept first: a zero-day is a vulnerability that no one — not even the platform’s developers — knows about, which means no patch exists. Pegasus, he says, was built on three chained zero-days, all unpublished, all in the iOS stack.
The economics tell the rest of the story. Microsoft pays roughly a hundred thousand US dollars for a critical vulnerability through its bounty programs. That number is enough motivation for a white-hat. It is not enough motivation for a state-sponsored actor — what the industry calls an advanced persistent threat, or APT — whose budget is essentially political rather than financial. State-level actors can outbid the bounty programs and keep the exploits private. Pegasus, built by an Israeli company that publicly claims to sell only to legitimate governments for legitimate purposes, is what that asymmetry buys.
Muzamil floats the theory that the hacker collective Anonymous is itself a US government asset. Burhan does not confirm or deny — “we can’t say” — but he points out that high-profile hacker groups have been quietly flipped by states before and that the practice continues in Asian countries as well.
What he wants to build next, and what he thinks Pakistan looks like at a hundred
Toward the end, Muzamil asks Burhan where he sees himself in a decade. The answer is short. He wants to build a product, not sell services. Thousands of consultancies sell hours; a product compounds. He points to security.ai’s GDPR product as the kind of shape he has in mind — a tool that earns its keep without requiring its founder to keep selling time.
Muzamil closes the conversation with the question he asks every guest. Burhan is twenty-nine. Thirty years from now Pakistan turns a hundred and three. What does he think the country looks like?
“If the mindset changes, Pakistan will boost,” Burhan says. “If the mindset doesn’t change, Pakistan will remain the same, or worse.” He is talking about a specific mindset — the one that still says votes are bought with biryani, the one that still treats personal data as worthless, the one that runs pirated antivirus on a pirated operating system and then complains about getting hacked. The technical fixes, he implies, are downstream of that.