Hacker AFK: InsiderPhD

January 19, 2023 HackerOne

Today's hacker InsiderPhD


JXoaT: My first question is always, "What was your first experience with hacking?" What really opened the door to you? 

InsiderPhD: I am a child of the '90s, and I remember getting access to Neopets. And Neopets was, especially for many girls in computing, a common gateway into computing. So, that site was my first exposure to tech in general.

And I remember I went up to my dad, and I was like, "I want to make Neopets!" So, my dad, a programmer and technical manager, bought me this massive book on HTML and said, "Here you go, do this."

And that's how I started to learn and develop my programming skills. That was around 7 or 8 years old.  

I'm autistic- and if there's anything about autistic people, they F'in love computers!

*Both laugh*


JXoaT: Yeah! That has been my general experience.  

InsiderPhD: So, I find the idea of computer programming fascinating. But my first experience with hacking was with Habbo Hotel, which I wonder if anyone will know what that is- but they had microtransactions. You could buy coins in-game to furnish rooms. But 11-12 year old me didn't have money, so I started looking at "Private Servers." Which are places where people reverse-engineer the entire game to make their own recreations of it. 

JXoaT: This sounds like the warez scene. 

InsiderPhD: Yeah, the same kind of idea. But that's where I really saw hacking: people reverse-engineering online games like World of Warcraft and RuneScape. I was super involved in the Habbo community for many, many years. But- I never really got involved in security. I was much more of a programmer. So that was my first view of hacking.

JXoaT: Where are you when you're away from the keyboard? 

InsiderPhD: Probably in front of a bunch of students teaching. *laughs* Yeah, I love teaching. It's such a passion for me. Of course, it's all well and good hacking, but actually trying to distill complex topics like hacking into simple explanations anyone can understand is really rewarding. 

JXoaT: Hacking is a lifestyle for some people. You can become very ingrained in the community and work that you're doing. However, I rarely meet a hacker who doesn't have a hobby external to hacking. So, is teaching a passion for you?   

InsiderPhD: It is, but it is also my job. I'd say my hobby is definitely knitting and crocheting. I am a creator. My partner has caught me switching from knitting to picking up my crocheting hooks and remarked on it; how I'm "full of this boundless creative energy." And it's true! I love to make things, especially physical stuff. 

I find myself at a computer often-- like REALLY sitting there. And everything is so virtual it feels like a lot of the time that I can't share my creative output when I'm hacking. But, to me, creating real-life objects or something people can touch communicates a lot. Along with videos too- 

JXoaT: Oh yeah, I've seen those!

I love your videos and know people who got into bug bounty using your approach. When I create something, if one person gets something out of it, it has accomplished its work. It just feels good to be able to give someone something of yours. 

InsiderPhD: Yeah, that's another reason why I love knitting and crocheting. I just made a tiny Cthulhu for my office. That's my favorite thing I made recently. When I made it, the pattern was recommended for those advanced at crochet. I wouldn't say I'm good at crochet. By this point, I had only made two other things. But I thought, "Yeah, this design sounds like me."

JXoaT: These are two very different skills you have-- hacking and crocheting. Are there methodologies or learning styles you take from one skill and use in another? 

InsiderPhD: It's really interesting because hacking is primarily about problem-solving in the opposite direction. So if you think about it, a programmer comes up with a problem and finds the best solution. For instance, the problem might be "How do we display x users in this particular way" or "I have this bug. How do I resolve it?" Hacking is doing the reverse. 

You have to figure out how to go from something working to being broken. This is a very different skill to have and isn't taught. For example, you're not really shown how to cause issues in programming. You are taught how to resolve them. It is a different school of thought. 

People who are really good at hacking have a solid idea of how to cause problems. Just as much as being able to solve them. And you get these perspectives from a wide variety of things. Like, in programming, there might be an obvious transition into hacking. But if you're also looking at something like knitting, when you make a mistake, you have to fix it before you continue. Since you're starting from the bottom and working your way up on a piece, making a single mistake on the first line could mean taking your piece back to the beginning. So, you have to think not necessarily, "how do I cause problems," but "how do I solve a problem that already occurred and I'm now seeing the repercussions of it?" Which teaches you that way of thinking. 

One thing I found really interesting was that just before this event (H1-702), I posted a thread on Twitter along the lines of "I'm going to talk about how I'm hacking at H1-702." Quite a lot of what I was posting was my general thoughts and opinions of what I was doing. And because my version of hacking is based on intuition, it was helpful to see how I broadcast my thoughts. I developed a lot of my focus and relations around certain problems by sharing the question of "why" with people.       

JXoaT: Is there something you think people consistently get wrong about hackers? 

InsiderPhD: It's interesting. A lot of what I notice is the stereotypes. People don't see me as a hacker because I'm-- like a woman, to start with. And I feel that's a bit weird. So many people get caught up in what they think a hacker is until you tell them that some are just regular people. It conflicts with their worldviews. Not to the point that they don't accept that it is reality, but they think you're an exception to the rule. And they don't realize there's just a bunch of other perfectly normal individuals, as well.

The thing that people really get wrong about hackers is that they are just computer nerds. Even though I certainly fit the stereotype of being a computer nerd, so is my partner- he's a programmer and doesn't hack anything! So it isn't something exclusive. 


The last thing would be the motivation of hackers. A lot of people don't hack for money. Since, a lot of the time, they could instead already have professional jobs that make them loads of money. I feel like they will usually be weirdly motivated to kind of break sh*t. 

They enjoy figuring things out and would spend forever sitting somewhere thinking about a problem. The type of people who won't let go of that problem. Once they have something in mind, they are always thinking about it. 

Even during this interview, I'm mulling over some of the bugs I'm working on for this event. They are just sitting in my head. I'm leaving them on a simmer. 

JXoaT: So what's a piece of advice people don't typically hear about getting into hacking? 

InsiderPhD: My advice for people who want to get into hacking and are reading this thinking, "Wow, that sounds super cool. I want to get into this"- have a hobby outside of hacking. I can't tell you how many bugs I found while not hacking. Or, just not even being around a computer. Time away from a computer is so valuable. 

One, stepping away from your computer is good for your mental health. Because, quite frankly, being around the anxiety machine all the time isn't doing you any favors. 

Two, practicing a hobby engages you in ways that promote positive mental health. Knitting, for example, has mental health benefits. It just makes you feel good. 

I've also talked to plenty of other hackers, and they've told me the same thing. They will find some of their best bugs when they aren't even at a computer. Being away changes the way you think about a problem.

JXoaT: It is a nice reset. You're right. It is an essential one. I like how you mentioned mental health there because it is something we often avoid when zeroing in on something. It can get stressful. 

InsiderPhD: Yeah, but there's a benefit to getting off the computer and doing something else. Let your brain sit with it. If you do, you'll find so many sparks of inspiration. 

It is crucial to have a creative hobby that allows you to express yourself. So I draw, knit, crochet, and paint-- because I have this need to create. 


JXoaT: There’s a lot of people who have the fear of failure when attempting something new. What do you have to say to those who try out a new field like bug bounty?

InsiderPhD: When people talk about talent, most people assume there are the talented and the untalented- and if they aren't good immediately, they must be untalented. But you don't get good at something immediately; nobody does. The best people in their fields are not experts when they start. It does come from putting a little bit in every day and sticking with it.     

I tell my first-year students that I don't care if they "learn" anything from this class. I don't care if you decide this class is boring or what grade you get on your assignments. I care if you find a single nugget of what you learn here interesting. I want you to find what inspires you, even if it comes from the rule of elimination. I want you to find something that sparks joy for you. Find one thing in this class that interests you; that's enough.

JXoaT: So, essentially, experiencing something for the sake of the adventure and seeing where it can take you? 

InsiderPhD: Yeah. I'm proof of that. I wasn't interested in hacking when I came to my first live hacking event. I was like, "I'll give it a go." But I wasn't like, "I'm a bug bounty hunter" or "I want to do mentoring."

Instead, I was ready to try and see how far I could get. And now, I'm sitting in front of you here, right now-- proof that you just don't know unless you give it a go.

JXoaT: Anybody can be a hacker? 

InsiderPhD: Anybody can be a hacker. Not a joke, not marketing material- anyone can be a hacker.







