
Thought Behind Things · Jan 10, 2022

Pakistan's bug bounty culture is destroying our cyber youth

Cybersecurity researcher Etizaz Mohsin — the only Pakistani holding the OSWE certification — walks through how he taught himself the craft from a borrowed PC in 1997, what the OSCP/OSCE/OSEE certifications actually mean, how Pegasus really works, and why Pakistan's obsession with bug bounties is hollowing out the country's next generation of security researchers.

with Etizaz Mohsin

13 min read

A second cybersecurity conversation, prompted by a hacked embassy

The episode opens with Muzamil explaining why he has come back to cybersecurity so soon. He had done a podcast on the subject recently and, by his own admission, his appetite had not been satisfied. The audience had asked for more. And the day before recording, the Instagram account of the Pakistani embassy in Argentina had been hacked — the second major compromise of a state asset in roughly a month, after a similar incident in Eastern Europe.

“This is an alarming situation,” Muzamil says, and uses it as the launch pad to introduce his guest. Etizaz Mohsin is, at the time of recording, the only Pakistani to hold the OSWE certification — a credential Muzamil notes that fewer than a hundred people in the world possess. Etizaz has also spoken at more than twenty-five global cybersecurity conferences. The conversation is set up as the technical deep-dive the previous episode could not be.

A borrowed PC in 1997 and a self-taught hacker

Muzamil asks Etizaz to walk through his path from high school to the present, and the answer reframes the entire conversation: this is not a story about a curriculum. Etizaz did his FSc at Aslam Foundation College in Rawalpindi after schooling at Sir Syed, then took admission in software engineering at Riphah International University in February 2013. By that point, he had already been working in the field for years.

“I started my field at the end of 2009,” he says. “I knew what I had to do.” His first contact with a computer was 1997, at a friend’s house. He taught himself, without anyone guiding him, what the machine did. Later he tried to follow what was happening in the Pakistan Cyber Army and Indian Cyber Army communities of the time.

The contrast he draws is the most honest part of this section. He points to a seventeen-year-old American who, in 2003, produced an open-source reimplementation of the Windows operating system — reverse-engineering a closed-source product and trolling Microsoft with the result. “That kid had the privilege, the internet, the community,” Etizaz says. “How did he become capable? Because his community was like that.” His own environment offered none of that scaffolding. He had to build it himself.

He had originally gone into pre-medical, did well in the first year, and walked away in the second. “I told myself I wasn’t going to waste second year on studies,” he says. “I had no idea how, but FSc would clear.” It did. His marks were not strong enough for the universities he wanted. He ended up at Riphah by default.

The final-year project that exposed the curriculum

Later in the discussion, Etizaz describes the moment his self-taught capability collided with the formal degree. For his eighth-semester project, classmates were doing standard car-parking systems and similar exercises. He was building something far more ambitious — a tool that would automatically exploit weaknesses in Wi-Fi networks to keep a mobile device connected. He describes the energy of that moment with one line, josh meaning enthusiasm: “The josh was very high.”

Four days before the internal evaluation, the implementation was not where he wanted it. He pulled a commercial vulnerability scanner’s template, integrated two or three open-source scanners behind a clean front-end, presented it, and demonstrated an SQL injection that bypassed an admin portal live in front of his faculty. The room reacted as he expected — “everyone was like, wow.”

The undercurrent here is what Muzamil pulls out: the system did not know how to deal with a student who already worked at this level. The convocation, as Etizaz tells it, became its own act of pettiness. The computer-science batch graduated, and the department arranged for him to walk and be photographed with the electrical-engineering batch instead. “Because you weren’t sitting and coding computer-science assignments, you were the biggest failure in the world,” is how Muzamil paraphrases the message. Etizaz is generous about it: the faculty members who could not technically help him still encouraged him, and that was enough.

What OSCP, OSCE, OSWE, and OSEE actually mean

Muzamil asks Etizaz to break down the certifications, and this is where the conversation becomes a primer that does not exist cleanly elsewhere in Pakistani media. Offensive Security, the Israeli-founded company behind the OffSec series, broke a market previously dominated by EC-Council’s mostly theoretical Certified Ethical Hacker credential. OffSec built labs grounded in actual penetration testing experience, gave students sparse documentation, and famously answered most help requests with two words: “Try harder.”

Etizaz walks up the ladder. OSCP — Offensive Security Certified Professional — is the network penetration testing certification. Its core teaching, he says, is enumeration: not how to use ready-made exploits from a blog post, but the proper methodology for finding and chaining already-disclosed weaknesses at the network level. He registered for it after coming back to Pakistan, cleared it in a month, then registered for OSCE and cleared that within a month as well. He was the second Pakistani ever to hold OSCE.

OSCE moves down a layer — into low-level work, the kind of memory-corruption research that traces back to the Morris worm. “It was mostly related to what Morris did,” Etizaz says. The exam pushes you to identify mishandled inputs in old Windows-era software, the kind of test cases that bug-bounty hunters rarely touch because the modern bounty economy lives almost entirely on the web.

OSWE is the web-expert certification: not a generic OWASP Top 10 walkthrough, but training in chaining vulnerabilities together so that bugs which are individually un-exploitable can be combined into a working attack. And OSEE — Offensive Security Exploitation Expert — is, in Etizaz’s words, “close to impossible.” That is the certification associated with Pegasus-class research, where you are taught to build the kind of exploit chains used by state actors. He attended the Black Hat Singapore training to pursue it. “I asked them how many people have done that in the world,” he says. “Less than a hundred, as per the instructors. Usually twenty-five seats per year.”

The Morris worm and where the security industry actually comes from

When Muzamil asks the deceptively simple question — “What is this world, practically?” — Etizaz answers with history rather than buzzwords. The 1980s, he says, were a development era. Mainframes shrank into PCs, IT was a business, and security was not yet a concept. Then in 1988 the Morris worm appeared. A graduate from MIT (or possibly Stanford — Etizaz doesn’t remember which) wrote a program whose only function was to destroy the PCs of the era. (For the record: Robert Tappan Morris was a Cornell graduate student who released the worm from an MIT machine, and it spread between Unix hosts on the ARPANET rather than PCs, taking them down by overload rather than by deliberate destruction.)

The conceptual leap matters. “Sochne wali baat hai [it is something to think about] — how is it even possible?” he says. You have given someone a machine whose maximum job is to add two and two. You have given them an email system whose job is to deliver a message. And then a person comes along, looks at the stack the machine was built on, finds weakness inside the memory and the operating system, and weaponises it. That is the moment, in his telling, when the psyche of “security is a thing” enters computing.

Morris’s fingerd exploit was the first widely publicised use of a stack-based buffer overflow as an attack vector: fingerd read a request line with gets() into a fixed 512-byte stack buffer, so an over-long line overwrote the saved return address and redirected execution into code carried in the request (the worm also abused sendmail’s DEBUG mode, rsh/rexec trust relationships and weak passwords). Once the technique was understood, every other piece of C software that copied untrusted input into a fixed buffer became a candidate for the same class of bug. Etizaz uses this to draw the line between “hacker” — the person who finds a new attack vector — and “black hat” — the person who turns it on a target for personal benefit.
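The bug class in miniature, as an added illustration (editor's example, not code from the episode, from fingerd or from the worm). fingerd's real buffer was 512 bytes and the neighbour it clobbered was the saved frame; here the buffer is shrunk to 8 bytes and the neighbour is an integer field placed right after it in a struct, so the clobbering is deterministic and testable. The struct, field names, sizes and the sample request are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the fingerd bug class; not code from the episode
 * or from the worm itself. fingerd read one request line with gets() into
 * a fixed 512-byte stack buffer, so a longer line overwrote whatever lay
 * next to the buffer on the stack, up to the saved return address. Here the
 * "neighbour" is an integer field laid out right after a small buffer, so
 * the clobbering is deterministic; names and sizes are illustrative. */

#define LINE_MAX 8   /* stand-in for fingerd's 512-byte request buffer */

struct request {
    char line[LINE_MAX];
    int  is_admin;    /* stands in for whatever the compiler put after the buffer */
};

/* gets()-style handler: copies every byte the client sent, no bound check.
 * Anything beyond LINE_MAX bytes spills into is_admin. The copy targets the
 * struct's own byte representation and len is clamped to sizeof *r so the
 * demo itself stays within defined behaviour; a real stack smash has no such
 * clamp and keeps going into the saved frame pointer and return address. */
int vulnerable_handle(struct request *r, const char *payload, size_t len)
{
    r->is_admin = 0;
    if (len > sizeof *r)
        len = sizeof *r;
    memcpy(r, payload, len);
    return r->is_admin;   /* nonzero means the adjacent field was clobbered */
}

/* fgets()-style handler: the size of the destination decides how much is
 * copied, not the size of what the client sent. Over-long requests are
 * rejected outright rather than silently truncated, and is_admin stays 0. */
int safe_handle(struct request *r, const char *payload, size_t len)
{
    r->is_admin = 0;
    if (len >= sizeof r->line)   /* leave room for the terminating NUL */
        return -1;
    memcpy(r->line, payload, len);
    r->line[len] = '\0';
    return r->is_admin;
}

int main(void)
{
    /* Constructed request: 8 bytes fill the buffer, the next 4 land on is_admin. */
    static const char payload[] = "AAAAAAAA" "\x01\x01\x01\x01";
    struct request r;

    printf("vulnerable: is_admin = %d\n",
           vulnerable_handle(&r, payload, sizeof payload - 1));
    printf("safe, over-long request: rc = %d\n",
           safe_handle(&r, payload, sizeof payload - 1));
    printf("safe, short request: rc = %d, line = \"%s\"\n",
           safe_handle(&r, "bob", 3), r.line);
    return 0;
}
```

The hardened handler keeps the bound check on the destination side and refuses rather than truncates, which is the pattern that replaced gets() with fgets() in fingerd: whatever the client sends, the amount written is decided by the buffer, not by the attacker.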

How Pegasus actually works

The Pegasus section is the one general listeners will remember, and Etizaz gives the cleanest non-technical walkthrough of it. NSO Group, he explains, is in the spyware business — software that gets onto a target’s device and exfiltrates camera feeds, microphone audio, critical files, and decrypted messages. The hard part is getting on. Apple and Android are not in their initial stages anymore. Their defenses are strong.

So NSO does not build everything from scratch. There is a zero-day acquisition market — brokers worldwide who buy zero-days from researchers and resell them. Apple’s own bug bounty might pay a researcher a million dollars for a particular exploit; a broker might pay two. The broker then bundles the exploit into infrastructure and sells it onward, almost exclusively to governments. “Why only to governments?” Etizaz asks rhetorically. “Because the more they sell it, the higher the detection rate goes.”

He walks through the 2016 Pegasus sample as a worked example. The vector, as he tells it, was an iMessage delivery: the user receives a message, opens it, and behind the scenes Safari renders embedded HTML, JavaScript and CSS. Safari, like any sufficiently complex browser, is prone to memory corruption bugs. The chain he is describing is Trident, which in the documented 2016 case arrived as an SMS link that the target opened in Safari (he refers to it as “Kismet”, which is in fact the name Citizen Lab gave to a 2020 zero-click iMessage chain used against iOS 13.5.1). Trident used a WebKit bug to run code inside Safari’s sandbox, then chained a kernel information leak and a kernel memory-corruption bug to escape the per-app sandbox and take over the device. “Combine it with a kernel exploit and your phone is gone.”

The newer iMessage chain Project Zero documented later (FORCEDENTRY, 2021) was zero-click: the attachment carried a .gif extension but was really a PDF, iMessage handed it to Apple’s image and graphics libraries, and the bug was an integer overflow in the JBIG2 decoder inside CoreGraphics’ PDF parser. “It is not that difficult,” he says. “You just have to invest some time.”

A hotel chain, a Wi-Fi network, and six hundred properties

In the most cinematic moment of the conversation, Etizaz describes his own research into the hospitality industry. He was staying at a hotel. He connected to the Wi-Fi. He noticed a weakness in the property-management system that ran reception, HR, room assignments, VIP flags, DNS, firewall configuration, IP allocation — every connected layer of guest experience and back-office operation.

He exploited it from his laptop. From that one access point, he could reach more than six hundred connected hotels worldwide — including, he notes, Emirates Palace, the world’s second seven-star property. UK, Germany, Saudi. He frames it carefully against a 2015 Silensec disclosure of a simpler bug in a similar device, which he describes as “stupid” — the kind of weakness no vendor should leave in a product that critical. His own finding, he argues, was more advanced.

The point, in context, is not the bragging right. It is that the surface area Pakistan and the wider region depend on is wider and softer than anyone admits.

K-Electric, the grid, and a country with no real defence

Muzamil pivots to the question the entire episode has been building toward: is Pakistan ready? He invokes the K-Electric incident some commentators had called a cyber attack and others had called a glitch, and asks whether the country’s companies and infrastructure are protected.

Etizaz is direct. Pakistani companies can buy foreign defence products — firewalls for web applications, endpoint solutions, antivirus for systems. There is a ceiling on how much that helps. The threat model that actually matters is the Advanced Persistent Threat: a sustained actor who builds a custom malware or spyware and gets one employee to bring it inside the perimeter. “Once one employee has brought a malware inside your network, all the systems you put up for blocking outside are irrelevant,” he says. The Log4j vulnerability, then making global headlines, was his example of how universally these defences could collapse.

He says there are genuinely talented Pakistanis in the field — friends of his he believes could represent the country internationally — but they have neither been given the opportunity nor do they want to be public figures. The state, in his read, has not built the channels that would let them contribute.

Why the bug bounty culture is destroying Pakistan’s youth

The sharpest claim in the conversation, and the one Muzamil lets land without interruption, is Etizaz’s view on bug bounties. “The bug bounty culture is destroying our country,” he says. “It is ruining the coming youth.”

His critique is precise. Bug bounties live on web applications. The economic incentive structures researchers’ careers around finding the same classes of bugs on the same kinds of targets — fast money, public leaderboards, repeat patterns. The result is that an entire generation that could be working on the low-level systems research a national cyber capability requires is instead optimising for web finds. He contrasts this with the model OffSec, ZDI’s Pwn2Own, and competitions like Tianfu Cup represent: vendors bring fully patched, up-to-date products to a stage, and researchers earn their reputation by producing original exploit chains against them. China barred its researchers from Pwn2Own and other foreign contests in 2018 and stood up Tianfu Cup as the domestic stage, so that the exploit chains its researchers produce stay inside the country. That is what a state mobilising its talent pool looks like.

Muzamil and Etizaz agree on the comparison neither side wants to make. Pakistan runs a few annual events under banners like “Cyber Secure Pakistan” and considers the box ticked. Etizaz describes the Capture-the-Flag tournament he saw at a Black Hat event abroad — school children in line, organised, competing. “That is the Israeli policy,” he says. “Who was at our event? University students. Why aren’t school children there? Why aren’t college children there? If you want to build Pakistan’s cyber power, holding two or three events isn’t going to make your country secure.”

The cyber dimension of the next war

Muzamil closes by raising the stakes explicitly. “Cybersecurity’s requirement today is as important as the importance of the nuclear bomb was,” he says. He notes that Pakistan’s warfare equipment is integrating IT at a level he is not going to detail, and that every layer of integration adds vulnerability surface. The country needs the top talent capable of building a domestic internet with security baked into its foundations.

Etizaz agrees on the trajectory. Pakistan’s IT exports have grown. Digitalisation is moving. But the deciding variable is whether the government works on the youth in time. He is critical, without being dismissive, of the assumption that universities are nonsense — there is truth in the complaint, he concedes, but the answer is to rewire the system, not to write off the talent it produces.

Muzamil ends the conversation by acknowledging this was one of the most technically demanding episodes he has hosted. He estimates he could keep up with about eighty-five percent of it, despite his own computer-science background, and tells the audience that the listeners who can engage with the rest are the ones the country needs to keep an eye on. He plugs the launch of a sister show, the Pakistan Pavement, focused on conversations with policy makers, former ambassadors, and diplomats. Then he thanks Etizaz, and signs off.