 Good evening again here in the R3S stage. The next talk is again referring to the nightmares of an infosec professional who got imprisoned because, well, because he simply did his job. He's a cybersecurity expert and he didn't commit a crime at all. Yet he got arrested in 2017 and only received a copy of his 1000 pages file of his case last year in 2019. And here he is tonight to tell us his story and he does not only want to hear your questions but also your feedback. So please get interactive and let him know what you think about his case and his story. Please use our channels to get in touch and join in and welcome Alberto Daniel Hill who talks about his lock-in to hell. Welcome Alberto, the stage is yours. Hello Sherman, this is Alberto Hill. I'm from Uruguay and I am the first information security professional that was sent to prison in my country. Well, since then they call me the hacker not the infosec professional and I am here to share my story with you. Forget about being guilty or not guilty but focus on the process and I want you to visualize all the problems that are obviously in the system that must be changed immediately because it's full of flaws and lacks of any warranty of having a fair process and what happened to me can happen to anyone and things must change and when you see that something is wrong and you want to change it to improve it what do you do? You talk about it and that's what I'm doing here right now and sharing my story with you. Well, I am an information security professional that has worked in security for 20 years in computer forensics, consulting, managing projects, implementing ESO-YEC 27,000 systems. I work almost in every field of information security and also an ethical hacker. In 2016, I detected a problem in the stock exchange of Asuncion Paraguay and the system had an important problem. I couldn't contact them so I contact the surf of my country so they could be a link with them to report the problem. December of 2016, I found a very important problem in the most important insurance company of Uruguay, the largest one where I had a car accident and when I got home, I got an SMS with a code where I could enter the web and track the status of my insurance. Well, after entering, I realized that I could access to all the records of all the accidents, all the people involved, the personal information of the people, police reports, the reports of the doctors, everything, the pictures of the accidents, everything. I report that to the surf immediately. And in 2017, I basically hacked one of the largest information security organizations in the world. I reported that to them, as I always did. And also by the way, in 2016, I reported a debility in the YouTube TV service, just a little debility that they had. So before that, I have always reported every problem that I found because that's the way I am. I didn't, I never ever got anything in return. Here we don't have Banti established, so you don't get money for reporting those problems. Well, and in 2014, I report a problem in a medical provider of UDUY, where you could access to all the system using the password admin and the username admin. Via web, you could access to all the systems with privileges of administrator. A year after that, in the same medical provider that was the medical provider of my ex-girlfriend, that's why I was accessing the website, I found another big problem where I could access to all the information, just modifying the parameters of the URL. You don't have to be logged in, you don't have to authenticate your, you just have to alter just a number in the URL and you could browse all the patient's data, all the financial records of the medical provider, it was serious, I report that. In 2017, September, Interpol arrested me. They told me it was because of the medical provider. Apparently they received, they were attacked in February of that year and they received an extorsive email asking for certain amount of bitcoins in order not to release the information that they had. And well, in my first interrogation with the people of the Interpol, they asked me, did you send this email? They told me, we have this paper where your IP address is linked to the email. I knew they were bluffing that was a lie, that was not possible. So I smiled and said, okay, if you have that, then the mail was sent from my house but I knew that it was not possible. And well, the day after that, they came to my house to execute a search warrant and one of the officers came and told me, okay, if you don't confess that you send the email, we'll go to your mother's house, we will destroy everything like we are doing here, we will go and arrest her and interrogate her, we will do the same with your girlfriend. So you decide, well, I didn't know my rights, I didn't know whether I could have a lawyer or not and I didn't know the implications of saying, yes, I did send the email, but I decided to say yes, I did send the email, okay, to protect my beloved ones. And that was it. The thing is that when they came to my house, they were surprised by all the elements that I had, all the gadgets, all the equipment and they were convinced that all those things were used as tools to commit crimes. There are just tools that any information security professional has. It was just the house of somebody with my profile. I think that they have no clue of what open source intelligence means because they didn't even bother to enter into my LinkedIn account to see who I was. So they could try to see things from a different angle and try to understand why I had all those devices in my house. I had a lot of, for example, credit cards, blank credit cards, a reader and writer of magnetic cards, which has an explanation why I had that, but they were convinced that I was carding. Later, in the most important newspaper of the country, appeared that, okay, the hacker was also cloning credit cards as an affirmation without having done any research or review of the material. They just said I was cloning credit cards. That was not very professional, I think. And well, I was sent to prison. I didn't have time, I didn't understand anything. Everything was very, very fast. And I was sent to prison. I spent eight months in prison. I was denied being released three times by the judge because she considered that my possibility of escaping the country was high and that I could alter the process because of my high knowledge of computers. Basically, she was saying that with my mind, I could alter evidence that was stored and locked in a police facility, which is ridiculous. Okay, my lawyer appealed what the judge said. And after eight months, the appeal was in my favor. I was released with a bail. I am actually on a bail right now. And that's when I could get home. When I get home, when I return to my house, I couldn't believe what I found. I found 30, yes, 30 hardy stripes on the floor of my apartment. 30, that was ridiculous. I mean, how could they leave 30 hardy stripes? That's impossible to understand. I don't know. I don't have an answer for that. After a year of being released, I could finally access to the file of the case that is a 1,000 pages file that I have a copy with me and I couldn't believe all I read. The Director of Security of Desert, the person which I reported the problem with the medical provider was interviewed by the judge and the judge asked him, okay, did Alberto Hill report any problem in the medical provider? And his answer was, I do not recall that I checked some files and I didn't find anything. That's not an answer for that question in that scenario. You are in the middle of a criminal case and the males have a tracking number, an ID number, and all you have to do is to get into the system and answer yes or no. I do not recall, it's not an answer for that. I do not recall, it's for the judge. Okay, the Director doesn't remember, so this guy didn't send anything. He's lying, and as he's lying in this, he's lying in everything. Let's put him behind cells because all he's saying is a lie. He's not trustable, he's lying us in everything. Why did he do that? Why? You don't forget those reports of incidents. You might forget about a virus problem or I don't know. But when somebody reports that you can access to a system of a medical provider with the credentials admin, you don't forget that. And the second report also, you don't forget that. And you have to work with the medical provider in order to solve the problem. So I don't understand why his answer was that. And well, it was all very frustrating for me. And well, there were some problems such as the search warrant didn't have... My name was wrong, the date was wrong and the scope of the search warrant was not respected. The register of cased items was a paper saying, we cased many pendrives, many hard disk drives, no chain of custody, all the evidence was contaminated. Could never have used for anything and they chased all that from my house. But then I asked for a third party independent review of the investigation and that was denied. It's a right that we all have in any process of this kind requesting another opinion from somebody independent who can review all the things how they were done. No, that was denied and they didn't preserve the evidence which is the servers of the medical provider that they were not preserved, they were not cloned. They were not, they didn't make any images of the servers of the information. For the records, the only copy of the extorsive email is a printed paper. That's not serious at all and that is surprising that they don't follow the standards regarding computer forensics in a case that is in, basically it's very serious. They didn't do anything of the things they should have done in order to preserve the evidence. I offered them to give them all my credentials, all my username, passwords, pins, anything to access to all the status of the equipment. So to make them easy to review what I have because I had nothing to hide. Also, I offered them to give them my credentials to access to all my services online on the web. I mean, I offer them, I will give you all the passwords of all my computers, of all the systems that I access, of all the encrypted devices that I have and the prosecutor didn't accept. I don't understand that. I mean, everything they could do wrong, they did wrong and makes no sense. So many things that I cannot explain. And the last thing is just one tiny detail. The medical provider, here's a copy of the report to the police about the attack and the security problem. And it was made a report before they received the email. If you check the dates, you see that they made a report to the police before getting the email. And the email did not have a Bitcoin address to pay for the Bitcoins that were requested. And I had to wait a year and it had to be me, the one who found out all that. Nobody ever pay attention to that. No one ever cared. When I was interrogated in court, the prosecutor asked me about pendrives and viruses and a USB killer and a mask of anonymous. But he didn't ask me why this email doesn't have a Bitcoin address to deposit the payment. No, nobody, I mean, it was me, myself and I who had to wait one year and eight months to access to all that and find out all that. And I'm still in the process, the process is still going. And the incompetence that I have to cope with is such that I feel so powerless that the only thing I can do is share the story with the world and try to force change in the system. Thank you. Cermony, I hope to be there one day in person, really. I love your country and I love your conference. Thank you. What I have lived is something that I couldn't imagine that could happen to anyone. And I was sent to prison in like so fast. So fast, I should have had time with my lawyer to analyze the documents that were supporting, supporting the hold on a second, supporting the accusation. But no, I was sent to prison eight months, nobody reviewed the documentation, nobody found out those things that were not consistent, those things that I have no answers and there are no answers in the file. That could happen to anyone. And that's scary, that's really scary because it happened to me, it could happen to anyone and something must be done. And here in Uruguay, I am like fighting with a wall. Imagine, I offer to provide all the passwords so they can review my equipment without any problem. I offer them, I ask for a review of third party, they denied everything without a justification. They didn't justify the things that they denied. So it's basically, I am powerless against a system that is powerful and here there's not much more than I can do then just go on with the system where the charge has no knowledge about all these things related to completely related crimes. She doesn't have to know, but she has to have competent people that give support to the charge in order to understand the problem. But those people are incompetent and she has to trust them. So I'm in a situation that is really, really sad and I don't find a solution for this because I did all I could to have a fast process to clear things fast. But no, the system has its time, it's taking ages and all the answers that I get are not reasonable. And I don't know what's going to be the end of all this but it's obviously not fair for me and it shouldn't be like this. There should be a change, it's obvious. Well, personally, I agree wholeheartedly. So we have the first question coming in from the audience who I think is still digesting what you just said. And I remember during the video you mentioned like when you came back to your apartment that there were like 30 hard drives kind of spread across the floor. And the question is that obviously, can you add some more context? It wasn't 100% clear. What was the purpose of those 30 hard drives? What's the content, were these your own or did somebody throw them onto the floor? Can you just add a bit more background information and add context, please? Yes, sure, that's a good question. Basically, I was doing a research. I was buying used hard disk drive for computers that were being sent to trash. And I got them for almost nothing for a very low prices. I got hard disk drives and I was doing a research about what information those hard disk drive had. For example, there were hard disk drive for companies and I could see that they didn't have any kind of measure to wipe the information to the left information before sending the computers to trash. So I bought that for that purpose, they were mine. And I'm actually lucky that in part that they left them because the contents were not mine actually. It's a Pandora box. I didn't know what they could have found and probably it would meant more problems to me, but yeah, they were mine. And I have to add not only that, I said starting hard disk drive but they also left three computers, three cell phones, among other things that they didn't say. Unbelievable. Absolutely unbelievable. So on one hand with what you did, it wasn't only environmentally friendly, like recycling the stuff, but also obviously checking how companies or owners of computers deal with the data stored on those HDDs. Is that right? Yeah, absolutely. And that's lack of awareness. I mean, here in Uruguay, we need a lot of awareness about information security. We are, well, compared, I think it's all the same. The justice, the police, the companies are all the same level of maturity in terms of information security. We are like 10 hundred years behind the rest of the world. Wow. So at the moment, we didn't get any additional questions and this is not because people aren't interesting. I think, again, it is absolutely unbelievable. And I think hard for the people to believe that this is actually a reality in the year 2019 slash the year 2020. Give me one second, because now my pad also just crashed. Feedback I'm getting is thanks for the talk, what a horrifying story. And then, of course, a question that is also coming to my mind, you're saying that the case still isn't over yet for you. So question from the audience now is, are you still facing the fallout of all this and how you're doing today? Yeah, yeah, I mean, it's been very complicated for me. It's not easy and spending time in prison. It's something that leave scars in you, it changes you. It changes you. I mean, somebody with my profile that it's not violent, it has never committed a crime, is from one day to another, introducing to an environment full of violence, full of drugs, full of things that you are not used to be around. And eight months in that environment, cause you have problems, it's not easy to deal with that. I mean, I never thought I would have to go to prison. And well, after I was released, incredible, the director of a security company in South America contacted me and he offered me a pentesting position. So I was like, in society here and anywhere in the world, they don't see me as a criminal. They don't consider me as a criminal. And actually in the market, they actually see it as a plus, as a bonus. If I should spend time in prison, it's like your market value goes up, like I don't know, Kevin Meadnik, all the most famous hackers spend time in prison. So it's like your status goes up, but okay, I wish I wouldn't have to leave that. And I didn't accept the position because I was coping with some post-traumatic stress disorder and other conditions that were direct costs by the prison time. And I had a lot of offers to work from many companies in Uruguay and other countries that I had to reshape because my doctor that is treating me, he doesn't recommend me to enter into any position that requires a lot of responsibility. So that's the price that I am paying right now for all that. So it's not nice, but I am living and I can't change the past. I hope to change the future. I hope to be the last person that lives something like this in Uruguay. Well, and with all the elements that I have, I think eventually the case will close in my favor. I mean, if it's not, I could eventually go to international tribunal in the hug or I don't know. And in that scenario, there's no chance I can lose, but that involves a lot of energies, time, money that after three years, I am very, I have lost a lot of energies and my health, I need to take care of my health. So I have to put everything in a balance and decide what to do. Do I go with this till the end? I would like to, because if I do, I know I will win and that will, yes or yes, make things change in Uruguay if I do that. But on the other hand, I have to think of my health and my family and this hasn't been easy for any of us. Yeah, I understand. And on a, so what do you think if you have the energy at all to think about it? Not sure if I would have it to be perfectly honest with you. What do you think would need to happen in your country in order for the system to change? Is it a lack of education related to cybersecurity topics in general? Is it a problem that lies within the legal system in total, but I mean, you mentioned that even Interpol got involved and they didn't behave any better. So any thoughts on that? So how do you think or what would need to be done that it won't happen again? And that your case will be closed pretty quickly. And of course, to your favor. Yeah, yes, good question. There are many elements that are involved in the whole problem that I could visualize. I mean, I was lucky that I had the experience of having worked in computer forensics. I have experienced in that. So I could clearly visualize the problems that maybe another person without my profile or my experience would never be able to defend themselves and they wouldn't notice, for example, the problems that for me were obvious. The thing is that for the first thing is the legal, from the legal aspect, the laws in Uruguay are from the last century and there are no legislation or laws against computer crimes. If you have a computer system, it's not a crime in Uruguay. All the crimes related to computers are prosecuted by analogy. For example, if you are a victim of a ransomware attack, they used the case of the old legislation that is extortion. But there's no such thing as computer related crimes. If you release confidential information, well, there's a law from 100 years ago where if you release confidential information and you work for the government, then that's a crime. So it's all with analogies. There are no laws related to computer crimes. That's the first thing. There should be a new legislation and we should update and be aware that we are in the 21st century, it's 2020 and we cannot keep using laws that were created 100 years ago. That's the first thing. And the second thing, when you mention all the, when you asked me about the interpolations and the competence, well, here in Uruguay, they do not require any certification, any certain experience or anything in order to work for, in computer forensics, for example, you can be a person who started in the police and then was being changed in positions and you end up, because you know about computers in the part of computer forensics, but you have no qualifications, no formation about that. And even in South America, in the region, in Argentina, if you are going to work as a computer in computer forensics for the government, you are required to have certain certifications from science, I think, I'm not sure, but you need to prove that you are competent for that. It doesn't happen that here in Uruguay. So those are two things that need to be improved. The legal system and also the people, the processes and the police has to also be, need a change to address all these problems. Yeah, and it sounds like your country isn't the only one that still has a long way to go, unfortunately. Yes, I am, I was, after my story was made public and well, it was part of a podcast called Darklight Diaries and it was heard by 200, more than 200,000 people. I was contacted by people from all over the world and people that experienced also, not things like mine, because my situation is an extreme case that is for a movie, a comic movie or I don't know, a tragic movie, I don't know what, but people from Turkey, from another countries in Central America, they also have those problems with the laws and the law enforcement. Yeah, it's not only Uruguay. On the other hand, in the region as I told you, Argentina, which is our neighborhood, is pretty advanced in that part, Brazil also, but maybe the smallest countries are not. Who, how do we, internationally, do we force the countries to adopt certain, I don't know, we have to use certain norms or you have to require this to do this job. I don't know, I thought, for example, Interpol should have a standard worldwide, before what happened to me, I took for granted, Interpol should work in the same way all over the world, should have the same requirements all over the world, but it's not like that. How do the world that sees this problem force the country to make changes? Me alone, I can do it, but if I share my story, maybe somebody will actually do something, somebody will contact me or something will happen, but the key is to talk about the problem and reach as many people as possible, because the change we'll have eventually is a matter of time, that's for sure, but it has to be immediately from my point of view. Yeah, I agree, I agree wholeheartedly, but anyway, good to hear, I'm just also checking and I see that obviously your story, God, I'll say the beginning of your horrible story has already been picked up by Linus two years ago at the 35th C3, so anybody out there who is interested in learning more about your story because we are now also running out of time a little bit, can definitely find more background information, I think also anybody out there who would like to give you additional personal support can contact you via Twitter and I'm pretty sure through many other social media channels. I don't know what to say, so the only thing that comes to my mind stills, if Hollywood would pick your story up, I think it will definitely have to be a thriller, that is the only category I think that is suitable. You are not the first person that had told me that, you're like, I don't know, everybody that hears my story ends up with the conclusion, this has to be, they have to be a movie about your story or a TV series because Mr. Robot is nothing compared to what you had to live. There must be a movie, at least a documentary about my story and actually that would be a nice way or a good way to reach the people that I want to reach as many as possible. I mean, having a documentary or a movie or whatever could be very, very positive in my objective to generate a change somehow. Yeah, indeed. I would definitely think so too. Alberto, again, thank you so much for sharing your story. Absolutely amazing. Good luck, fingers crossed. I think everybody here says, you are very, very welcome. Oh man, lovely guy. Yeah, so we are keeping our fingers crossed that everything will turn out perfectly for you and that you will be a true free man and professional in your course. Thank you. Thank you very much. Thank you.