The Indonesian hacking scene was born out of struggle. Back in the 80s, when the early hacking scene in Indonesia was still newborn, President Suharto was running the country with an iron grip. The early Indonesian hacker community had been traumatised by the 'occupation' of their campus at the Bandung Institute of Technology by military troops in 1978, a brutal crackdown on student activists, and strict laws which prohibited political activities on campus.
Phrack is a hacker ezine written for and by hackers. It holds a special place in the hearts of an older generation of hackers who grew up reading it in the 80s and 90s, and it was described by the legendary Fyodor as "the best, and by far the longest running hacker zine". One of my favorite Phrack columns by far is the International Scenes column, a wonderful column that worked to unite international hacking communities and shed light on the hacking scenes in other countries.
It used to be published on a regular basis and was a brilliant collection of stories, anecdotes and technical information about each country's telephony networks. They covered a lot of ground, publishing philes on a large number of countries after talking to hackers on the ground. The column had a lot of heart and was incredibly supportive of the nascent international hacker communities. With this article I pay homage to the original series and cover a country that the original missed: Indonesia.
I have been lucky enough to work with some very talented Indonesian hackers over the last few months and spent a great deal of time talking to them about their scene and its roots. It took them a while to open up to me, primarily because they have learned to operate in secrecy and beneath the shadow of Indonesia's very strict laws and harsh penalties for those found intruding in networks without permission. In order to protect the identities and careers of those I spoke to, I will not be mentioning any of the names of the hackers I worked with. The threat of repercussions against them is still very real, and many of them actually work for or with the government now.
The Indonesians are incredibly discreet about their roots and early hacking experiences because many of them started out as hacktivists fighting against the dictator's security and intelligence apparatus. Many of them began their careers taking down and defacing government websites with pro-democracy messages and doxxing the regime's most brutal actors. I loved hearing their stories and it was obvious that they take a great deal of pride in the idealistic activism of their youth, and rightly so.
Here is an archived version of the Indonesian Police website after it had been defaced by the Kecoak Elektronik hacking crew in 1998 during the East Timor uprising. It is a wonderful example of the idealism and hunger for justice felt by the group; their stated goals and ambitions are nothing short of noble. They were real hacktivists fighting against real injustice and brutal police and military oppression.
Make my words a crime, I will shout out louder. Silence my voice, I will find another. Make my voice a crime, I will create a new one. Hunt me down, I will find a new place to hide. Lock me up, ten will rise in my place. You cannot silence me. You cannot stop me. Me and my kind, we are forever.
The fact that these guys were doing this work at a time when thousands of people were being disappeared, raped and tortured by the security forces makes them heroic. These guys are bona fide hacking heroes and I have never met hackers like them before. These days they all work for the government and private sector. Their hacktivist days are now behind them, but their hacking scene is thriving.
The Indonesian Hacking Scene
In comparison to the noisy, chaotic vibrancy of the American hacking scene, the Indonesian hacking scene can seem quiet at first. It is also much smaller than the US scene because there are a lot fewer hackers despite their huge population, but it's growing at a fast rate. There are a small number of well-established hacker clans that have been around for a long time, and new ones are starting to pop up as the scene grows and attracts new members. I spoke to members of the three oldest hacker clans in Indonesia, Kecoak Elektronik, Pau Mikro and Echo, and learned their story.
These clans originally grew out of the boards, and the earliest activity of the Kecoak Elektronik clan and Pau Mikro clan is still available as public archives. Most of their messages are written in Bahasa, but it gives you a feel for the vibe in their communities back then. You can feel their idealism in their writing. The second I read the Echo clan manifesto I just knew that I was going to really like them.
We are a group of individuals who want to freely spur the performance of the brain and adrenaline in our body; want to be free to do interesting things that are difficult to solve even impossible though, want to be free to examine the existing string of code, look for weaknesses not to weaken; want to be free to find the fun of tracing electrons and baud without time limit; want to be free to move in the flow of pulses that are delivered freely to all points in the world; want to be free to determine for ourselves what we need and we believe; want to be free to communicate, explore and enjoy this freely without any difference; want to be free to exchange, learn and share all the purity of science; not by rules that have been determined and controlled by greed; not for the sake of a heap of wealth, glory or eternity; nor to damage, frighten or even destroy; but only for the sake of the fact that we are the same.
This is what I love about the Indonesian clans: they are much more idealistic than their American counterparts, and a lot of this has to do with them being repressed by the state for so long in their past. They naturally yearn to be free. You have to love them for it; there is something in their mentality that chimes with the soul.
In my conversations I kept hearing about how small the Indonesian scene is. I was told repeatedly that "everyone knows each other", to the point where many vulnerability disclosures were made directly by hackers to other hackers they know working in the vulnerable organization. If they didn't know the person well, they almost certainly knew someone who did. With a population of 264 million in Indonesia, it just goes to show how few hackers there really are in the country.
Indonesian Cybercrime Laws
Before we move on to the real cybercrime, it is well worth touching on what you and I would not consider to be a cybercrime, but which is classed as a cybercrime in Indonesia by their Constitutional Court: insulting someone online.
Under Indonesia's controversial defamation laws, if you publicly insult a public institution or a public official on social media, you face a jail term of up to 18 months, and if you insult an individual online you can go to jail for up to six years in addition to a $100k USD fine! Think about that in the context of American security researchers who embarrass businesses on social media for not resolving their serious vulnerabilities within 3-6 months. Under Indonesian law they would be liable for serious jail time just for publicly disclosing the vulnerability. This means that public vulnerability disclosures rarely happen in Indonesia; it's just not worth the legal problems if the affected organization decides to press charges.
Even worse are the penalties for unauthorized network access. I was talking to a group of Indonesian penetration testers and they told me that hackers who get caught face up to 12 years in jail (for the person who is ultimately responsible for the unauthorized access) and a Rp. 12 billion fine (+/- USD 1 million), all of which creates a hostile legal environment for both hackers and cybersecurity consultants.
Jim Geovedi - Indonesia's Most Famous Hacker
I know that I said I was not going to name any names in this article, but one hacker worth mentioning is Jim Geovedi. Almost everyone I spoke to told me that he is one of their best and that I had to speak to him. I have not had the chance to speak with him yet, but hopefully he will see this article and reach out to me for a conversation. We would love to write an Unusual Journey article on him and his illustrious career.
The BBC described Jim in an amusing way. They said that "he doesn't look like a Bond villain, but possesses secrets that some of them might kill for", and now I am dying to know what some of those secrets are. Jim was one of the original members of the now infamous 'billion dollar hacker club' W00w00, although if you were to ask one of them they would tell you that "there are no members, only participants".
The W00w00 clan formed in 1996 and were active until the early 2000s. There has been a lot of press coverage of this group because of some of its other notable members, people like Shawn Fanning (co-founder of Napster), Jan Koum (founder of WhatsApp), Dug Song (co-founder of Duo Security) and Michael A Davis (CTO of CounterTack). Suffice to say that Jim was in good company at W00w00. He is also a professional DJ and music producer signed with Elektrax Recordings in Australia. If there is such a thing as a 'cool Indonesian hacker' then Jim definitely is one.