
Hacker Conversations: Katie Paxton-Fear Talks Autism, Morality and Hacking

From dismantling online games as a child to uncovering real-world vulnerabilities, Katie Paxton-Fear explains how autism, curiosity, and a rejection of ambiguity shaped her path into ethical hacking. The post Hacker Conversations: Katie Paxton-Fear Talks Autism, Morality and Hacking appeared first on SecurityWeek.

Katie Paxton-Fear is neurodiverse (‘autistic’, she says). It’s a common, but not causal, condition among hackers. Autism weaves an intricate path through her hacking career and is a major part of her personality.

Katie Paxton-Fear did not originally consider herself a hacker, but she now accepts she has always been one. In her youth, she associated hacking with the common meme of a malicious hooded genius hunched over a computer. This is not how she saw herself, or sees herself. 

“What changed my mind was the way Casey Ellis, the founder of Bugcrowd, talks and thinks about hacking,” she explains. “And I thought, yeah, okay, I’m like that. I’m a hacker, a tinkerer. I look at a system and I want to know how it works.”

She notes that many hackers can trace a similar innate curiosity to early childhood, where they were driven to take apart and reassemble every new toy. “But sometimes you have no idea how to put it back together. So, I think a hacker is someone who breaks everything, panics, and then sometimes puts everything back together – but not always.”

This is an important element in her hacking career: she is a natural reverse-engineer but has no desire to re-engineer what she has reversed.

Neurodivergence and computers

A common part of neurodivergence is a childhood attraction to computers. For some, it is enhanced by the usual accumulation of ‘symptoms’ that results in social awkwardness and personal withdrawal. For Paxton-Fear, a more limited but specific set of symptoms (an obsessive personality and a difficulty in navigating ambiguity) had the same effect.

“Autistic people tend to find their obsession early on,” she explains. “That’s when other people, especially parents, begin to think they’re weird. My obsession as a child was the online game Neopets. It fascinated me. How did it understand what I was doing, know where I’d been, what score I had got. I wanted to understand how it understands.”

This tendency toward obsessiveness is coupled with an antipathy to ambiguity. “I think for autistic people, computers are also autistic. They are predictable. There are no grayscales. They are not confused by emotions. It’s almost stereotypical for anyone who has autism to want to do computers.”

For her, it wasn’t just a retreat into computers and the internet, it was also a lifeline into the real world. “Life with autism is like living life without the instruction manual that everyone else has.” It’s confusing and difficult. “Computing provides that manual and makes it easier to make online friends. It provides accessibility without the overpowering emotions and ambiguities that exist in face-to-face real life relationships – so it’s almost helping you with your disability by providing that safe context you wouldn’t normally have.”

Paxton-Fear became obsessed with computing at an early age. She was fixated on taking systems apart to understand how they work, but without the common hacker desire to rebuild them differently.

Neurodivergent obsession and education

Paxton-Fear became interested in computing because of her fascination with Neopets and what made it work. Her father, while not personally a programmer, worked with programmers and fed her books on programming. She received a copy of Visual Studio Professional Edition for her tenth birthday and taught herself to code in C++.

“I got into computing and learned how to make websites because of my love for Neopets. I was very much the child at school that literally did not care about school. I did poorly at basically every subject because it was not making websites and programming – nothing else was important.”

And then she moved house, from southern England to midlands Birmingham. Suddenly she had a new school but no friends, sounded different to the other kids, and felt very isolated. Online gaming became even more important to her daily life. “When you’re 13 years old with no income,” she continued, “online gaming is an expensive hobby, and not one you can necessarily afford. It drew me into what’s known as Private Server Development.” This brought all her interests together: love of gaming, taking things (systems) apart, computing and building websites.

In a gaming context, private servers are built and used to ‘freely’ share MMORPGs. The process involves reverse engineering the game client and using the information discovered to create a new server that mimics the behavior of an official server. It’s a complex process – and this was achieved by a girl of thirteen who basically flunked her school exams.

At that time, she did not equate this activity with the hacker meme, which explains her initial reluctance to call herself a hacker – even though she is clearly a hacker through and through. “My childhood crimes were copyright infringement rather than traditional hacking, but I used to get involved in reverse engineering. Paid-for games like World of Warcraft required a subscription that many youngsters could not afford. I made my own servers, hosted the game, and enabled people who could not afford the subscription to still play the game.”

She stopped Private Server Development when she was 16 and had to consider the next stage of her life. “I didn’t do great on my GCSEs [general certificate of secondary education, used in the UK as the foundation for higher education]. But I went to college [‘college’ in the UK is not synonymous with ‘university’] and took a course in, and gained, a BTEC in computing and games development.”

While she was there, she did well enough for her tutor to say, ‘Go do a PhD.’ “My goal from that moment on was to go get a PhD.” She took a year’s sabbatical, but with her BTEC she was then able to get into a university. She flunked out. She went to another, what she calls a “very much bottom tier university” to study computer science. And this time she flourished. She ran a computer society and gave her first conference talk.

After university, she took a job as a developer. She stuck it for just six months. One lunchtime, she thought, “I really hate my job. I don’t like it. I find it boring. I’m going to quit and go do that PhD, because this is a waste of my time.”

And that is what she did. She was late in applying and took Cybersecurity and AI because that was the only subject available at the time. So the girl who did poorly at her GCSEs ended up with a PhD in cybersecurity.

Serious hacking

During the second year of her PhD study, a friend from her earlier university days invited her to a bug bounty event held by HackerOne. She went, not to take part in the event (she still didn’t think she was a hacker, nor did she understand anything about hacking), but to meet up with other friends from her university days. She thought to herself, ‘I’m not going to find anything. I don’t know anything about hacking.’ “But then, while there, I found my first two vulnerabilities.”

She received a $1,000 bounty, but still thought it was a fluke. Then HackerOne invited her to another event at DEFCON. “Vegas during DEFCON? No way I could reject that!” So, she went. She found two more vulnerabilities; and for the first time in her life, she thought, “Hey, I might actually be quite good at this hacking game.”

The real surprise is that she was surprised, given her cumulative training. She self-taught C++ when she was 10, self-taught reverse engineering before she was a teenager, and self-taught private server development while still at secondary school. She gained a BTEC in computing and games development at college; gained a computer science degree at a second-tier university; and then a PhD in cybersecurity and AI from Cranfield University (absolutely not a second-tier university). It is ‘hacking’ that connected all these skills, and possibly for the first time in her life she had a forward-looking focus.

After DEFCON, she started making YouTube videos, teaching other people how to find vulnerabilities. (Incidentally, later in her career, she did the dark web equivalent of googling herself, and found her videos being discussed and recommended on underground forums.) She finished her PhD and became a lecturer in cybersecurity at a university. Then she worked for Bugcrowd before going back to academia – she still does one day per week teaching ethical hacking. She joined Traceable, which was acquired by Harness, where she is today as principal security research engineer: “Still making and breaking web APIs then writing about how I did it.”

Katie Paxton-Fear – hacker motivations

This series seeks to discover the mind and motivation of the hacker and hacking. It’s not an easy task since the construct is based on multiple influences creating multiple psychological traits at different levels of intensity. Many hackers exhibit many of these traits, but nobody exhibits all (other, perhaps, than a stronger dose of curiosity than exists in most people).

Two common influences we have explored are the relevance of neurodivergence and the influence of a moral compass. You could say the first is involved in the process (hacking), while the second influences the direction (malicious or ethical). Neither is easy to quantify. For example, we used to classify neurodivergence as either autism, ADHD or Aspergers. The difficulty is that the same symptoms can occur in all these or some of them, and to different degrees of intensity. It is almost impossible to say with clinical certainty that this person is ADHD rather than Aspergers, or that person is Aspergers rather than ADHD. For this reason, healthcare has started to classify all people with autistic conditions as ASD (autism spectrum disorder).

Some of the more common ASD symptoms found in hackers include social and communication difficulties, a natural inclination toward Edward de Bono’s lateral thinking (finding solutions without imposing predetermined conditions or connected trains of thought), the ability or inclination to hyperfocus (deep and continuous concentration on a single subject), and a dislike bordering on phobia for all things ambiguous.

Paxton-Fear exhibits many, but certainly not all, of these symptoms. She was driven by curiosity from an early age – but her skill was in disassembly without reassembly: she just needed to know how things work. And while many hackers are driven to computers as a shelter from social difficulties, she exhibits no serious or long-lasting social difficulties. For her, the attraction of computers primarily comes from her dislike of ambiguity. She readily acknowledges that she sees life as unambiguously black or white with no shades of gray.

“I think, especially for autistic people, computers are kind of autistic themselves. Computers have a very predictable answer – a one or a zero. There is no grayscale area,” she said. “Autistic people see the world much more in black and white than shades of gray. And while I intellectually know that there are shades of gray, my thinking is still, at least for myself, very black and white in the way I view the world. So, while I understand that other people can see shades of gray, for me, I know if it’s not white, it’s black.”

This helps explain one of the biggest differences between her and most other hackers included in this series: her attitude to the morality of hacking. Everyone has a moral compass, but it differs between people. We use this idea of a moral compass as a guide to why some hackers become ethical while others become malicious. Most hackers have some early, perhaps teenage, flirtations with illegal hacking to impress friends – so the potential always exists although it is not always adopted. Many of those who progress from teenage shadiness into ethical hacking cite several drivers: upbringing, fear of the law, and bug bounty opportunities to make a legal living. But almost all refuse to condemn ‘malicious’ hackers who haven’t had such advantages.

Not so Paxton-Fear. She has never even considered the possibility of her using her hacking skills for personal gain at the expense of others. “The only time I ever did anything illegal,” she says, “was perhaps copyright infringement in developing private servers for online games.” She has a moral compass, but one directed by different causes. “I’m quite politically active,” she explains, “as you might expect from a disabled woman working in cybersecurity. Discrimination still exists.” She is acutely aware of the wrongs in life and has a strong sense of justice.

This, she suggests, is perhaps supported by the UK’s official attitude toward cyber – no cyber weapons. She has seen examples of double-dealing on vulnerabilities. “I know people who have done that and sold vulnerabilities for more than the vendor would pay for them. But in the end, they always know that those vulnerabilities still exist and can be used maliciously – and that can be a heavy burden for them.”

The overall effect is that her moral compass leans toward being ethical. But remember that her autistic abhorrence of ambiguity cannot cope with ‘leaning’ – it must be completely clear. The result is that Paxton-Fear is unambiguously ethical in her hacking. Nothing else is acceptable, and no form of malicious hacking can ever be excused. Even, she added, patriotic hacking undertaken by allies in a war situation is wrong. 
