Jaan Yeh, a final year student at Malaysia Multimedia University (MMU) invited to me to its Melaka campus to conduct another training on software exploitation. I was ready and eager to take on this first overseas training engagement. But little did I know there was a big surprise awaiting.

Arriving at the Kuala Lumpur International Airport a day before the training started, I was welcomed by three fellas who were going to be in the workshop. One of them is from the nearby Cyberjaya campus, the other two are flat-mates at the Melaka campus. It was around 2:30pm and these fellas had not had any food yet. So shortly after a quick Burger King meal, we headed to our training site, a two-hour drive away.

Melaka is a rustic old Portugal port settlement with small houses, narrow streets, and great seafood! On the first night there, the chaps took me out to a "satay" house. But this satay is different from the satay in Singapore where they grill chicken and paste on some satay. This satay is a steamboat, or, at least, a steam-pot. We dunked all the raw meat into a boiling pot and had a leisure talk while waiting for them to be edible. The best thing about this place is they sell big prawn, 20cm long prawn, for 60 cents (RMY 0.60). That's a steal! On my last night there, we again had seafood, this time by the sea. That night's meal could have cost about RMY 300 if we had had it in Singapore. Here, it was only RMY 120. Cheap!

If food is the second best thing in this trip, the best is gonna be the training itself. And as I said, there was a big surprise for me. I thought this training was only for 12 students majoring in IT Security. It turned out there were only 9 students (Fabian, Nan, Jeremy, Yeh, Aidid, Wee, Zeon, Tan, Najib), and only one of them is from IT Security. The others are from Data Communication, Knowledge Management, etc. A multi-disciplined group. Not only that, two of the lecturers (Muslim, and Hadi) from Faculty of Engineering and Technology (FET) and one professional (Victor) from F-Secure malware analysis lab (in KL) also joined in. It was a big turn out. The biggest surprise though, was that Najib was in wheelchair! Man, I couldn't imagine the training would be so well received. Thank you for your passion and presence, Najib!

Throughout the whole workshop, everyone was able to conduct the analysis, and exploits themselves. One of them (Tan) even solved a quiz within only 20 minutes (two-thirds the allowed time). Fabian, Yeh, Zeon got stuck with it for a few minutes but managed to pull it off successfully too. I shouldn't praise Hadi, Muslim and Victor here because that was kind of expected of them but they made me feel like I was teaching the oh-so-obvious stuffs. I was also glad that Najib got the gist of a successful format string exploitation.

The training lasted a little bit more than 2 days because these participants demanded more deep technical explanation than an average Joe and I also allowed them to play around with their creativity a little bit more. In general, I say the training was another success.

Not only was the trip a gastronomy treat, it was also a personal fulfillment. I managed to buy a book that I could not find in many bookstores in Singapore nor Sydney. I also got some presents home. The last day is the best polishing touch to this whole wonderful trip.

Thank you Jaan Yeh for the invitation, and your hospitality. Thank you Muslim for providing necessary facility. And thank you everyone for your active participation! Keep the interest level high, will ya?

He is a brilliant guy. Under his usual silence is the loud noise of his neuron machine cranking up and down. I am talking about Jeremy, a student in my software exploitation training in October.

Few days ago, he messaged me that he had been offered an internship with DSO (used to stand for Defense Science Organization), Singapore. This organization, among others, deals with national security and only accepts top Singapore citizens to join its rank. Being able to join DSO as a Software Pentester (I assume it deals with analysis and exploitation here) proved Jeremy a technically smart guy.

Congratulation to you, Jeremy!

And for me, I am so glad my training paid off well.

During the HITB 2007 Malaysia I met a young smart group of students from Singapore Polytechnic. They took part in the Capture the Flag competition and managed to score better than some professionals (need I make it clear?) in total contrast to their name: t3nth (they ranked eighth, by the way).

I thought that was impressive enough for these young chaps and maybe if they had proper training, they could turn as capable as any other qualified security engineer. And so I offered them a free workshop on software exploitation to serve as a primer. It was received enthusiastically.

An intensive four (or five, I dont quite remember)-session training was given on every week end through out last month. It covered all basic concepts, techniques, and some few advanced skills. I don't know but it seemed like the boys grasped them pretty quickly. Actually, they surprised me! I didn't expect that Paul could understand the stack diagram I drew on the white board in an instance, Louis would get the return-to-libc technique immediately when I mentioned it, Jeremy were able to analyze binary files in a few minutes, and Choon Rui mastered format string with no difficulty at all.

Through out the training, challenges from the CtF (no, not the binary, but with reconstructed source by yours truly) were used but these boys weren't informed at all. They solved them, fluidly. What others weren't able to do in Dubai 2007, and Malaysia 2007, they did it in only one or a few hours. Brilliant, ain't they?

I hope it was a conducive workshop to them and that they loved it as much as I loved teaching them. It's always a pleasure to work with smart guys. I believe these chaps will score much better in subsequent challenges. And if you are looking for interns, get them!