
Corporate Greed vs. the Hacker Ethos


In the early days of the internet, cybersecurity wasn’t a career—it was a calling. Passionate, curious individuals who identified as hackers formed the backbone of what would later become the cybersecurity industry. These early hackers, like the legendary collective L0pht Heavy Industries, weren’t motivated by money. They hacked for the thrill, for the challenge, and most importantly, to make the internet a safer place. Hackers came in all shapes and sizes: some hacked hardware; others, known as phone phreaks, used whistles to get free long-distance calls; and some even took over a radio station’s call-in lines to make sure they won a car. Even kids started hacking their favorite video games, editing configuration and save files to get unlimited lives or other in-game advantages.

The Hacker Culture

L0pht Heavy Industries, founded in the early 1990s, was a group of hackers who shared a common goal: uncovering and exposing vulnerabilities in the systems that were rapidly becoming the infrastructure of the modern world. They operated out of a small loft in Boston, hence the name L0pht, working on projects that would eventually capture the attention of the world. In 1998, seven members of L0pht testified before the U.S. Congress, boldly stating that they could shut down the internet in 30 minutes. This testimony was a wake-up call, showing just how vulnerable our digital world was.

As the world’s networks grew, so did awareness of their vulnerabilities. Governments and corporations began to see the need for dedicated cybersecurity measures. What started as a niche community of passionate hackers quickly transformed into a “professional industry.” That transition has come with a price. As the corporate world entered the scene, it brought with it a focus on profit margins, EBITDA, and revenue over actual security. Where hackers saw an opportunity to use their curiosity and skills to uncover flaws, businesses simply saw a way to make money.

The incursion of businesspeople with little to no knowledge of security into the cybersecurity realm is disheartening for many old-school hackers. These corporate figures prioritize profit over protection, driving initiatives based on revenue rather than robust security practices. The focus has shifted from securing systems to maximizing financial gain, often at the expense of true security.

The original hacker ethos was anti-establishment; we did things because we could, because no one else thought about systems the way we did. Many of us simply said to ourselves and our friends, “I wonder if I can …” and we would usually find a way. High school dropouts, nerds, people who didn’t get along with most others: that was who we were as a community, and the only proof you needed that you had skills was to actually show you had skills. In the 90s, heck, even 10 years ago, for a hacker to ask another hacker if they had a “certification” would have been a joke… quickly followed by a comment like “Yeah sure, I’ve got your cert right here… now where’s the system you want me to pwn?”

That curiosity and “Test your might” mentality has given way to certifications costing thousands of dollars. They have slowly become “mandatory,” creating barriers to entry that are antithetical to the hacker ethos of open knowledge and community-driven improvement. A community that used to pride itself on being one of the very FEW in the world that didn’t require a formal education now finds companies like SANS replacing that openness with something significantly more expensive and, frankly, worse than a degree.

The old-school hackers, who’ve always prized practical skills and self-taught knowledge over any formal education, now find themselves in the ridiculous position of chasing certificates just to get a foot in the door.

“Oh? You have 20 years of experience? You hacked NORAD? You were able to systematically take over multiple companies and in turn transfer all assets to your name in a week? You were able to steal the Mona Lisa? You walked into the Pentagon and successfully exfiltrated data without getting caught? Wow, that’s amazing, but do you have the OSCP? Well, I do, so if you don’t, I guess you’re not getting past this gate.”

This shift is driven by corporate hiring practices that put these pieces of paper on a pedestal as the ultimate proof of competency, even though they’re often anything but. I have had better interviews from people without certificates than I ever did with.

The irony here is thick: the very rebels who once scoffed at structured learning are now jumping through hoops to collect certificates, not out of respect for what they represent, but because it’s become a necessary, albeit forced, rite of passage in this corporate-dominated landscape. The longer this continues, the more the newer people in the industry think this is the “norm.” The companies that hand out certifications propagate the need for them, since they can pull in a full year of college tuition per person for a week-long class whose content is outdated within a few years.

For those of us who have been around for a while, if our younger hacker selves could see what the industry has become, we would all be sick to our stomachs.

DEF CON: From Hacker Haven to Corporate Spectacle

DEF CON, the world’s largest hacker conference, is a prime example of this transformation. Founded in 1993 by Jeff Moss (Dark Tangent), DEF CON began as an informal gathering of hackers eager to share knowledge and network. It was a sanctuary for those passionate about hacking, a place where innovation and creativity thrived without corporate interference.

Today, DEF CON is a massive event, drawing tens of thousands of attendees, including many from government agencies and large corporations. The intimate, underground vibe has been replaced by a commercial spectacle, often likened to “Disneyland for hackers.” Vendor booths and corporate-sponsored events are now commonplace, overshadowing the grassroots essence that once defined the conference.

One glaring example of this is the treatment of DEF CON speakers. Despite the significant revenue generated by the event, speakers—who volunteer their time and expertise—receive a meager $500 honorarium and a thank-you email. These are individuals who bring cutting-edge research and invaluable insights to the table, yet their contributions are undervalued and undercompensated. DEF CON wouldn’t be able to exist without the hacker community. This disparity highlights the growing divide between the hacker community’s values and the corporate world’s priorities.

My company has taught and spoken at multiple military events. In comparison to how we were treated at both DEF CON and Black Hat as speakers, it is night and day. To say we felt like rockstars would be an understatement. Escorts from the airport, lunches, military members excited to learn, organizations that actually appreciate that you are there. Certificates of appreciation, pictures, mugs, patches, Generals showing up to say thank you—the list goes on.

What was it I got from Black Hat again? Oh, that’s right… an email that said, “Thanks.”

The Struggle for the Soul of Security

The cybersecurity industry’s journey from its hacker-driven origins to its current corporate-dominated state mirrors broader societal shifts, reflecting a world where profit trumps passion. Professionalization has undeniably brought advancements in security practices and awareness, but it has also erected barriers and diluted the hacker spirit that once ignited innovation. Many times, those barriers are manned by people who are more familiar with EBITDA than the command line, and somehow they are the ones who “know” what a good hacker looks like.

True hackers, who once thrived on breaking barriers and defying norms, should now be rallying against the very industry they find themselves in. The spirit of collaboration and open knowledge exchange, which once defined the hacker ethos, is being suffocated by corporate greed, bureaucracy, and security theater.

This isn’t what real hackers would have built. The corporate takeover of cybersecurity stands in stark contrast to the anti-establishment roots of hacking. The pioneers of this field were rebels, driven by curiosity and a desire to push the boundaries of what was possible—not by profit margins and shareholder interests. Today’s industry, with its overpriced certifications and rigid gatekeeping, is the antithesis of everything hacking stood for.

The fight to reclaim the soul of hacking is more crucial than ever. Hackers are pushing back against the corporate tide, determined to reignite the flame of true hacking. This battle isn’t just about preserving the past; it’s about ensuring that the future of cybersecurity remains true to its roots of innovation, curiosity, and defiance against the establishment.


This post is licensed under CC BY 4.0 by the author.