There’s been quite a lot of effort put in by people in the malaysian hacking community to increase the skill level of hackers here, and to find/produce talents in hacking so that malaysia can actually stand a chance in competing with other countries for hacking. I think it’s great that there are passionate people working on this, simply for the betterment of the malaysian hacking scene, but I do think that there are things that could be done differently, and that there should be changes in how the malaysian community thinks of hacking in general.

please don’t take this post the wrong way, I fully respect the people working on the communities, and their dedication to making hackers in malaysia better. This post is just me sharing some of my thoughts. cheers.

Don’t seek talents, make talents

I feel like people working on this have put quite an emphasis on finding existing talents in malaysia, but I think that the focus/aim shouldn’t actually be about finding talents, but to actually have a way of making talents, in a natural organic way.

Let’s be real here, how likely is it to find another cracked hacker in malaysia? I’m guessing not very likely. And if there really are, how likely is it that they would want to join the community and help malaysia in growing the community? How would it benefit them?

But if the aim is really finding existing malaysian hacking talents, then the solution kind of just boils down to two things.

  1. increasing exposure so that they actually know about the communities
  2. making them actually want to join the community.

And I’ll get back to how to do those things in a minute.

But if we actually want to make malaysia a force to be reckoned with in terms of hacking, we should be making talents instead. There is only going to be a limited number of talents in malaysia, so if you only look for talents, there is only going to be a limit on how good malaysia can be in hacking. Even if at one point there are a lot of talents, malaysia is just going to have great hackers at that point in time, and it’s gonna die down when the next generation comes. But if you have a good way of constantly making talents, then there is no limit, and malaysia is just going to get better and better.

So now, how do you “make talents”? What is a good way of doing that? By building a highly passionate and skilled community.

Skilled and passionate community

Let’s take a look at Indonesia. The 9th best ctf team last year on ctftime, SKSD, was a team full of indonesians. The members know the team through word of mouth, and well, through good ctf results. They don’t even have an application form, they just find members through the indonesian hacking community. Indonesia also has 2 people representing team asia this year for ICC, which kind of means that they were the best among the asian ctf players this year.

In short, indonesia has cracked hackers.
They don’t have much government support, they aren’t really more technologically advanced than us, and idt their education system teaches hacking. So how did they do that? Through community. They are the prime example of what a skilled and passionate community can do.

If your community is skilled and passionate, you won’t have to worry about anything else. One of the best things that hacking (and well geohot) taught me, is that

Skill is everything

Even more so in technical fields like hacking. And this doesn’t apply to just individuals, but applies to communities. If your community is skilled, it will automatically gain reputation through results, it will attract more people into your community, and it will ignite the passion of people in your community, to learn more about hacking and to get better. You don’t need to promote your community or do this and that if your community is skilled. Everything is easy once you have skill.

Pretty much everyone in indonesia knows SKSD, and they don’t even have a twitter page. They just did well in ctfs. I think that tells you everything you need to know.

If we now revisit the idea of seeking talents. Funnily enough, the best solution to seek talents is to make a skilled and passionate community as well. Since you automatically gain reputation, and talents would have a reason of joining your community, to meet other skilled people, and to get better themselves.

We have hacking communities in malaysia, quite a few of them actually, but the problem now is how do you make them skilled?

Before we discuss that, I want to make a comment on how I think malaysian hacking communities should think about hacking.

What hacking is really about

I feel like malaysian hacking communities are really focused on the corporate side of hacking. People are more focused on getting certs and posting on linkedin, and well, getting jobs in companies. People play ctfs and go to events not mainly for the passion of it, but to have more things to write about in their cv.

Which obviously I understand, people go to universities to get degrees in “cybersecurity”, aiming to make a living out of hacking.

But I feel like that is not what hacking is about.
I feel like the essence of hacking is in the curiosity and passion for it. To be curious about how computers work on a deeper level, to be invested in how we can trick computers into doing what we want. To learn and research something even if there is no obvious use of it, simply because we are interested in it and want to learn how it works.

Is that not what hacking is about?

Isn’t that what original hacking culture is like? To learn about hacking through forums, through places like phrack. To experiment with computers yourself. To stay in during a friday night, staying up late, exploiting computers, simply for the fun and joy of it. Simply because you like to do it.

You don’t need to go to school to learn how to hack (and frankly, learn anything to do with computer science). You just need to be interested and passionate enough, to learn it through resources yourself.

I feel like maybe one of the reasons I like hacking so much is because of the culture behind it, because of what it represents. To learn and do things yourself simply because you’re interested, and to have skill put on such a high level of value.

Now the funny thing is, once you kind of have this mindset of doing things and learning hacking simply because you want to do it, you’re able to rack up a lot of hours doing this stuff, which will translate to skill. So you’ll gain a lot of skill doing what you like, and because you have skills, you’ll be able to get a job much easier.

So if the objective was to get a job, it’ll be harder to do so, than if you were to just do what you like and have fun hacking.

Like what liveoverflow said in this video, to get good at something, you simply need to accumulate thousands of hours doing said thing. And if you think of hacking in the sense of the way you think of an education system, and you treat it as studying, I feel like it would be a lot harder to accumulate those hours, than if you were to just do what you like.

To truly be cracked at hacking, you first have to be passionate and interested in it. I mean if you’re not passionate/interested about it in the first place, what good reason do you have to get good at something like hacking? All of the cracked hackers I’ve talked to love to hack. It’s not a chore like studying to them, it’s more so a hobby.

I feel like malaysian hacking communities don’t really think of hacking this way. In other words, I feel like they focus more on “cybersecurity”, and not really hacking. So I think a shift in how the communities think about hacking can greatly increase the general skill level.

So now going back to how we can increase the skill level of existing communities.

Do more, get better

Like I mentioned above, the only way to get better is by accumulating hours, and I feel like the best way to accumulate those hours is by doing ctfs.

The 4 main categories of ctfs (pwn, web, crypto, re) are just some of the purest forms of hacking there is. If you’re able to perform well in hard ctfs, then you can pretty confidently say that you’re quite a good hacker. And if you want to cause real world impact, you just have to learn how to apply those skills in real life scenarios.

And so how do you get good at ctfs? you play.

Look at PPP for example, they started out as a hacking club in carnegie mellon, playing ctfs every week. And they went on to become one of the best teams ever, winning their 7th defcon in 2023.

When I was in Sejong for hacktheon finals, mechfrog gave a really good suggestion to hold physical ctf sessions for M53. And I think that that’s one of the best things that could be done in malaysian hacking communities, to hold more physical ctf team sessions, playing international ctfs.

You don’t need a lot of people to show up, 10 - 20 people is more than enough! It gives motivation for people to actually go and play ctfs, and more importantly it gives opportunities for people to learn from better players.

Say you’re a really cracked web player, would you rather teach some guy how to do web on discord, or have a person ask you in real life how you solved some chall on a ctf? Definitely the latter right? It’s just so much easier to learn from others when both of you have tried the same challenge, and you could communicate with them directly in real life.

And since we do have quite a few talents in malaysia now, we should make full use of them by doing these physical ctf sessions. Talents are not the norm, I don’t think another good crypto player like mechfrog will pop up randomly in malaysia anytime soon. So what we should do now is to build the next generation of talents, by having beginners play ctf together physically with more experienced folks, giving the beginners the opportunity to learn from them.

And you don’t need a bunch of beginners too. Just having, let’s say, one crypto beginner who is passionate about crypto, does crypto for fun, and shows up to the physical ctf session every time, will have you a cracked crypto player in the future.

If we can do that, then the skilled community kind of becomes self sustaining, not needing to depend on random talents that pop up, but able to have the current generation of cracked people help build up the next gen of cracked people, and so on and so forth.

Quality of malaysian ctfs

Malaysian ctfs tend to focus more on forensics and osint and random categories like scada, and really really neglect pwn and crypto. The level of web challenges in local ctfs is also incomparable to international ones.

I think this is just a reflection of the current skill level and skillset of the malaysian hacking community. The amount of stuff you need to know/learn before actually doing pwn/crypto is a lot more than doing forensics and osint, so I think that’s why beginners tend to flock towards those categories instead of taking the time and learning pwn/crypto. Plus, since there are a lot of osint/forensics challs in local ctfs, beginners are more eager to learn them too since they give more points, so it kinda forms a positive feedback loop of, more forensics/osint players, causing and caused by more forensics/osint ctf challenges.

And I’m not saying that forensics and osint ctf challenges are bad, I’m just saying that they are so oversaturated in the local ctf scene, that beginners would just flock towards those categories, and not try out the other categories, making there be less and less pwn/web/crypto/re players.

trust me, pwn/web/crypto/re is a lot more fun than forensics and osint, you just have to take your time and learn them if you’re interested

So that is kind of why I specifically mentioned international ctfs for the physical ctf jam sessions. I mean it makes a lot of sense tho right, to compete internationally, you have to play internationally.

But this problem with the quality of malaysian ctfs shouldn’t be a priority to solve by malaysian communities, since it will be automatically solved when the skill level of the community increases. So if you’re a community lead, the main emphasis should still be put on more physical ctf sessions playing medium difficulty international ctfs. You may not get results at first, but you will certainly be getting better.

A small group of people can influence the environment.
Say you’re able to form this small group of 10 - 15 people who frequently play physical ctfs together, and they get more and more skilled, getting better and better results. And now ctf organisers look to them to make ctf challenges, and because they’re more skilled, they can make harder challenges with more quality. So now the whole ctf game is stepped up.

The environment influences people.
The local ctfs are getting harder and harder, there’s more pwn/web/crypto/re, and the quality is increasing rapidly. Thus the players will get better and better, and in turn, they will make better ctf challenges too.

Conclusion

I think that we already have the resources and the talent needed to make cracked hackers in malaysia, it’s just a matter of mindset and what to focus on that needs to be changed. There’s probably still quite a number of factors that I didn’t think about, but I think the general idea of what needs to be changed should be what I talked about above.

I got mock exams in 2 days, so I can’t spend any more time on this. Might refine this more in the future, idk. Happy to talk about it, so just find me on twitter or discord or talk to me irl.


Some cool videos/things I’ve seen over the years that relate to the topic: