Find Article by Date
Wed, 18 Aug 2004

JP/Alleged KPU hacker charged under telecommunications law

Alleged KPU hacker charged under telecommunications law

Urip Hudiono, The Jakarta Post/Jakarta

In the country's first cyber crime trial, the prosecution recommended that defendant Dani Firmansyah be charged under the Telecommunications Law, for hacking into the General Elections Commission's (KPU) website in April.

Prosecutor Ramos Hutapea told a hearing on Monday at the Central Jakarta District Court that the defendant had violated Article 22 of Law No. 36/1999 on telecommunications, for illegally manipulating access to a telecommunications network.

Article 50 of the law stipulates a maximum sentence of six years in prison and/or a fine of Rp 600 million (US$ 66,666) for the offense.

Ramos told the court presided over by Judge Hamdi that the defendant had violated the law by hacking into KPU's election website on April 17, and changing the names of several parties, whose tallies were then being counted and displayed on the website.

The prosecution explained that the defendant had used a computer in his office at PT Danareksa, which had an Internet Protocol (IP) address of 202.158.10.117.

Twenty-five-year-old Dani then tried to elude tracking using a technique called spoofing, in which he hid his computer's real IP address behind that of a computer located in Thailand, with IP address 208.147.1.1.

Using that IP address, Dani then exploited a bug in the database program used by KPU's website, using a technique called Structured Query Language (SQL) injection, in which he entered an arbitrary code into the website using a web browser.

After analyzing the results of the code, Dani managed to understand the database program's algorithm, and entered further codes that eventually enabled him to change the names of the parties.

The KPU information technology (IT) team nevertheless managed to track down Dani and reported him to the police, who later arrested him on April 23.

The KPU said that no critical data had been compromised, as Dani had only hacked into a computer that was actually connected outside KPU's main network.

Several IT experts said that charging Dani under the Telecommunications Law would be inappropriate. The police and prosecution, however, said that the law would be sufficient as Indonesia does not have a law on cyber crime yet.

The experts also suggested that Dani be required to do community service, such as providing his expertise for the government or the police instead of sentencing him to prison.

While under arrest, Dani, who is a final year student at the School of International Relations at Muhammadiyah University Yogyakarta, has been asked by the Jakarta Police cyber crime unit to help improve its website.

The trial was adjourned until Aug. 23 to hear the defendant's response to the charges.