Technical Report of the Bezos Phone Hack

Motherboard obtained and published the technical report on the hack of Jeff Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman.

...investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that "appears to be an Arabic language promotional film about telecommunications."

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted, this delayed or further prevented "study of the code delivered along with the video."

Investigators determined the video or downloader was suspicious only because Bezos' phone subsequently began transmitting large amounts of data. "[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter," the report states.

"The amount of data being transmitted out of Bezos' phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS' account, egress on the device immediately jumped by approximately 29,000 percent," it notes. "Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos' phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data."
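The egress figures quoted above (a ~430 KB/day baseline, a jump to 126 MB on the day the video arrived, then ~101 MB/day that never returned to baseline) are exactly the kind of signal a per-device egress monitor can catch. The following is an added example, not code from the report, from Motherboard or from this post: a small Python detector that keeps a median baseline over the last 30 days and flags any day whose egress is at least 10 times that baseline. The timeline it runs on is constructed and hypothetical, modelled on the numbers in the report; the window, the 10x threshold and the jitter are my assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass
class EgressAlert:
    day: str
    egress_kb: float
    baseline_kb: float
    ratio: float


def percent_increase(before_kb: float, after_kb: float) -> float:
    """Percentage jump from a baseline to a new value (the report's '29,000 percent')."""
    return (after_kb - before_kb) / before_kb * 100.0


def detect_egress_anomalies(daily_egress, window: int = 30, ratio_threshold: float = 10.0):
    """Flag days whose egress is >= ratio_threshold times the baseline.

    daily_egress: iterable of (ISO date string, kilobytes sent that day).
    The baseline is the median of the last `window` *unflagged* days. Flagged
    days are deliberately kept out of the baseline: the report notes egress
    'never returned to baseline', and a naive rolling average would quietly
    learn the exfiltration volume as the new normal within a few weeks.
    The first `window` days are warm-up and are never flagged.
    """
    alerts = []
    clean_history = []
    for day, kb in daily_egress:
        if len(clean_history) < window:
            clean_history.append(kb)
            continue
        baseline = median(clean_history[-window:])
        ratio = kb / baseline if baseline > 0 else float("inf")
        if ratio >= ratio_threshold:
            alerts.append(EgressAlert(day, kb, baseline, ratio))
        else:
            clean_history.append(kb)
    return alerts


def build_sample_timeline():
    """Constructed per-day egress figures (hypothetical, modelled on the report's
    numbers): ~430 KB/day for 40 days, 126 MB on the day the video arrives,
    then ~101 MB/day afterwards. Jitter is deterministic so the run is repeatable."""
    start = date(2018, 3, 22)
    timeline = []
    for i in range(40):  # 2018-03-22 .. 2018-04-30: quiet baseline
        jitter = (i * 37) % 120 - 60
        timeline.append(((start + timedelta(days=i)).isoformat(), 430 + jitter))
    timeline.append(("2018-05-01", 126_000))  # video received; egress jumps
    for j in range(1, 10):  # 2018-05-02 .. 2018-05-10: sustained high egress
        day = date(2018, 5, 1) + timedelta(days=j)
        timeline.append((day.isoformat(), 101_000 + (j * 53) % 2000))
    return timeline


if __name__ == "__main__":
    print(f"jump: {percent_increase(430, 126_000):,.0f} percent")
    for a in detect_egress_anomalies(build_sample_timeline()):
        print(f"{a.day}: {a.egress_kb:>8,.0f} KB vs baseline {a.baseline_kb:.0f} KB ({a.ratio:.0f}x)")
```

The design point is the frozen baseline: because flagged days are never fed back in, every day of the sustained ~101 MB/day period stays flagged, whereas a detector that re-learns from all recent days would go silent a few weeks after the first spike. On a real device this per-day figure would come from carrier data usage, an MDM agent or a network-edge flow record rather than from the phone itself, since the report's point is that the phone showed no malware to the backups that were examined.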

The Motherboard article also quotes forensic experts on the report:

A mobile forensic expert told Motherboard that the investigation as depicted in the report is significantly incomplete and would only have provided the investigators with about 50 percent of what they needed, especially if this is a nation-state attack. She says the iTunes backup and other extractions they did would get them only messages, photo files, contacts and other files that the user is interested in saving from their applications, but not the core files.

"They would need to use a tool like Graykey or Cellebrite Premium or do a jailbreak to get a look at the full file system. That's where that state-sponsored malware is going to be found. Good state-sponsored malware should never show up in a backup," said Sarah Edwards, an author and teacher of mobile forensics for the SANS Institute.

"The full file system is getting into the device and getting every single file on there -- the whole operating system, the application data, the databases that will not be backed up. So really the in-depth analysis should be done on that full file system, for this level of investigation anyway. I would have insisted on that right from the start."

The investigators do note on the last page of their report that they need to jailbreak Bezos's phone to examine the root file system. Edwards said this would indeed get them everything they would need to search for persistent spyware like the kind created and sold by the NSO Group. But the report doesn't indicate if that did get done.

Posted on January 24, 2020 at 8:34 AM • 51 Comments

Comments

Alex • January 24, 2020 9:12 AM

I apologize for asking such a basic question, but I don't understand how WhatsApp dealt with the encrypted downloader.

Was it a situation where the media file caused a buffer overflow, which ran a program that was contained in the media file itself -- the encrypted downloader -- which then pulled down and ran something else that exfiltrated the data, then cleaned up after itself?

RedEye Security • January 24, 2020 9:23 AM

@Alex
Whatsapp is just a delivery mechanism.
In this case, the default action is to save delivered files onto the devices system which means that a message with attachment sent via whatsapp stored the file on the users phone from which then was accessed presumably by a video player.

This really isn't about whatsapp at all and there is a setting to turn this behavior off by default.

65535 • January 24, 2020 10:07 AM

"I apologize for asking such a basic question, but I don't understand how WhatsApp dealt with the encrypted downloader."-Alex

The technical explanation is a buffer overflow which doesn't require action or little action by the user. Some of your questions are still unanswered.

Ars Technica:

"By exploiting a buffer overflow vulnerability in the WhatsApp VoIP stack, the calls could remotely install surveillance malware on both iPhones and Android devices. Targets need not have answered the call to be infected...."

see post by jeffbax Jan 21, 2020 8:12 PM

ht tps://arstechnica[.]com/information-technology/2020/01/report-bezos-phone-uploaded-gbs-of-personal-data-after-getting-saudi-princes-whatsapp-message/?comments=1&post=38573623#comment-38573623

I would not trust iPhone or Android. Just too much attack surface area.

It's sad a Big American Tech Boss cannot keep his phone safe with his resources and the NSA's resources. But, that is the state of smart phone technology at this time.

lurker • January 24, 2020 11:13 AM

So his phone changes from 400k per day upload to 100M per day, goes on like that for `months`, and he doesn't notice or do anything about it? Another reason to exclude Bezos from one's list of trusted entities…

Chuck Pergiel • January 24, 2020 12:10 PM

How was this first detected? Data was getting sent from the phone for months without being noticed. Who noticed it? What triggered the investigation? Sorry if it's in a report somewhere, but it seems like a crucial bit of information that should have been right up front.

Humdee • January 24, 2020 12:41 PM

@lurker

English must not be your first language. "Bananas" in this context does not mean wrong or erroneous, rather bananas means "super crazy" or "beyond belief". She's expressing incredulity that such a thing would or could be done. Now perhaps that is a tiny bit naive but it certainly doesn't speak to her competence.

Jon Marcus • January 24, 2020 12:46 PM

From news reports I've read, I believe this search was undertaken after the National Enquirer published photos of Bezos (presumably) gained from this exfiltration. So the attack itself wasn't detected until the fruits of the attack were deployed against Bezos.

lurker • January 24, 2020 12:49 PM

@Humdee

I know exactly what "Bananas" means and in this case it means that "it is so crazy that I don't believe it". Well, if Director of Cybersecurity @EFF doesn't believe that this kind of hacking is possible, she should find for herself another job.

Clive Robinson • January 24, 2020 12:52 PM

@ ALL,

If other stories are true this malware will have come from the NSA's Tailored Access Operations unit (TAO) and may well have had Israeli technical surveillance tools involved as well.

To understand what is going on you have to unwind what we know from the current (UAE Project Raven) into the past.

Basically the US have been using both Saudi Arabia and UAE to spy on other parts of the ME in the name of "anti-terrorism" and in the process have turned a blind eye to what both Saudi and the UAE paid operatives have been doing with regards "dissidents".

However both Saudi and UAE have pushed what you might consider "dissidents" way further than expected, which has included US journalists and other citizens one of whom is Jeff Bezos.

It got so bad in the UAE recently under Project Raven that EX-NSA staff have not just questioned, but raised questions via reports that amongst others Reuters got to not just hear about but see.

https://arstechnica.com/information-technology/2019/02/uae-buys-its-way-toward-supremacy-in-gulf-cyberwar-using-us-and-israeli-experts/

https://www.reuters.com/investigates/special-report/usa-spying-raven/

https://www.reuters.com/investigates/section/usa-raven/

To understand why Jeff Bezos got targeted, you need to know it was because of the Washington Post who employed Jamal Khashoggi before he was assassinated.

Initially it looked like the WashPo was not doing anything about it and CNN called them out on it. However mindful of who they were going up against the WashPo was building its case.

When the WashPo started publishing about the Khashoggi case and Crown Prince Mohammed bin Salman's direct involvement, retaliation started to try to discredit not just the WashPo, but Bezos and Amazon. Likewise Donald Trump being "a friend" of the Crown Prince and the political relationship of US dependence on the House of Saud got to hear about it and got pulled in...

It appears that operatives on the Crown Prince's behalf were responsible for sending to "the friend of Trump" National Enquirer boss the information about Bezos's alleged extramarital behaviours. The idea being that Bezos would in some way capitulate. Well Trump's friend tried to blackmail Bezos in writing, which was not exactly the brightest thing to do, worse it appears he's also suspected of some shady involvement with Trump.

Well Bezos didn't play ball and his investigator found sufficient information linking in Crown Prince Mohammed bin Salman (AKA MBS) that Bezos decided not to go for the National Enquirer's throat. Instead he made a statement about what the House of Saud and its operatives had been up to.

Well it all appeared to go quiet after that, but as with deep current turbulent waters having a calm surface it appears quite a bit has been going on, and now dirty laundry is starting to fall out of cupboards by the basket load...

Because the whole thing has kicked off again in the last few days, with a story in the UK's "The Guardian" and the UN weighing in adding sufficient global attention that the FBI has been making noises about investigating but not really stating any details.

https://www.motherjones.com/politics/2020/01/trump-pecker-ami-hacking-bezos-saudi-arabia-mbs-update/

https://revolutionmap.com/2020/01/24/calamar-a-link-between-khashoggi-death-bezos-phone-hacking/

https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince

But the real question outside of discussing the "tool in use" is "Why the F**k were Ex NSA and NSA staff seconded to Saudi and UAE, and allowed to hand over modified NSA TAO tools for use against US citizens?".

65535 • January 24, 2020 12:53 PM

The Saudi Prince surely did hack Bezos and sawed-up a reporter leading to death - probably while he was still alive. These are very serious crimes. But, will the Prince face punishment?

That is an important question because it tests the US legal system. As most of you know Whatsapp is a Facebook product that was clearly hacked. Most of you know there is a current lawsuit from Whatsapp owner Facebook against the defendants [I am sure the legal people on this board can find the complaint].

"WHATSAPP INC., a Delaware corporation, and FACEBOOK, INC., a Delaware corporation, Plaintiffs, v. NSO GROUP TECHNOLOGIES LIMITED and Q CYBER TECHNOLOGIES LIMITED, Defendants"

There are Federal Charges such as:

"Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with intent to defraud accessed and caused to be accessed (a) Plaintiffs’ protected computers and (b) Target Devices without authorization..."

And State of California violations:

"Violated the California Comprehensive Computer Data Access and Fraud Act, in violation California Penal Code § 502; c. Breached their contracts with WhatsApp in violation of California law; d. Wrongfully trespassed on Plaintiffs’ property in violation of California law..."

The real question is will these US laws punish the guilty? Or, will the guilty go free?

Certainly the Prince and the NSO group should be fined, punished and their visas revoked - maybe even their right to fly their jets in American airspace should be revoked. This is a real test of the American Justice System. Time will tell.

Anders • January 24, 2020 1:00 PM

@Clive

Add DarkMatter to the equation.

theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/

Electron 007 • January 24, 2020 3:03 PM

the hack of Jeff Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman.

Meanwhile "Lawfare" https://www.lawfareblog.com/rethinking-encryption has turned stateside and reiterated domestic law enforcement community talking points and complaints of "going dark" with respect to the "ability of the government to conduct effective lawful surveillance".

The domestic cops aren't that sophisticated. How are we supposed to preserve their backdoor access to our cell phones while keeping out hostile nation-state terrorists?

Clive Robinson • January 24, 2020 3:25 PM

@ Anders,

Add DarkMatter to the equation.

I would have done, but I've fallen afoul of the "link count" filter in the past. So I settled for the fact they are prominently mentioned in the Reuters links.

But now you've saved me having to do it, thanks :-)

Clive Robinson • January 24, 2020 4:13 PM

@ All,

Due to the very large amount of data sent, it would be sensible to consider that some of this traffic was audio or video from the phones microphones and cameras.

Now Jeff Bezos is a busy man in charge of quite a few companies thus privy to information that legally has to be kept confidential.

Now Crown Prince MBS is in charge of one of the largest "Sovereign Funds" in the world, created by much of the US Petro-Dollars.

If it can be shown that confidential business information was taken by the Crown Prince or any others reporting to him then a question of "insider trading" arises. Not against Jeff Bezos but against the Crown Prince.

If evidence of the loss of confidential business information to the Crown Prince can be shown and SEC decides that the minimal requirements for "insider trading" are met, the Saudi Sovereign Fund amongst many other Saudi financial interests could find themselves subject to all sorts of fines, rulings and bindings...

If that were to happen I for one would walk around with a wry smile on my face for a while ;-)

SpaceLifeForm • January 24, 2020 4:29 PM

@ Clive

The Saudi Sovereign Fund amongst many other Saudi financial interests could find themselves subject to all sorts of fines, rulings and bindings...

Not likely to happen in current environment.

Humdee • January 24, 2020 6:49 PM

@lurker

One can think something is possible and still be surprised when it actually happens. That is how I interpreted her remark. YMMV.

Clive Robinson • January 24, 2020 7:17 PM

@ SpaceLifeForm,

Not likely to happen in current environment.

No, probably not at the moment, but what is the statute of limitations if any?

This is one of those golden "Community Chest" cards that you can choose when to best play it to your advantage.

All it would need is a quiet word over those "hello handshakes" politicians appear to think are important for trade conferences and the like. It could be kept there dangling as though held by the hair of a horse's bottom, just like "The Sword of Damocles".

After relating the tale of Damocles' fate, Cicero asks of us,

    Does not King Dionysius seem to have made it sufficiently clear that there can be nothing happy for the person over whom some fear always looms?

Phaete • January 24, 2020 9:01 PM

The non-action after the Merkel tap has set a nice precedent.
And now we are just talking commercial leaders, not governmental ones.
The USA's cries of outrageous indignation will persist but I doubt this will go far internationally.

David Leppik • January 24, 2020 9:52 PM

Weirdly, this is an argument for buying a new iPhone as frequently as possible. In case you need an excuse.

Clive Robinson • January 25, 2020 1:13 AM

@ SpaceLifeForm,

Not likely to happen in current environment.

No, probably not at the moment, but what is the statute of limitations if any?

This is one of those golden opportunity "Community Chest" cards that you can choose when to best play it to your advantage.

All it would need is a quiet word over those "hello handshakes" politicians appear to think are important for trade conferences and the like. It could be kept there dangling as though held by the hair from a horse's bottom, just like "The Sword of Damocles".

After relating the tale of Damocles' fate, Cicero asks of us,

    Does not King Dionysius seem to have made it sufficiently clear that there can be nothing happy for the person over whom some fear always looms?

Clive Robinson • January 25, 2020 1:40 AM

@ Moderator,

I have repeatedly tried to post a message to this page both last night (around 4:35 PM) and again this morning (~1:20 AM), even making minor variations to it. It has no links but each time it comes up as "comment blocked"...

Can you shed any light?

Amos • January 25, 2020 2:38 AM

Maybe this is off topic but worth mentioning. As much as technology is making our lives easier, we probably need not trust it as much. Mobile devices and internet systems rely on a wide range of technologies that we sometimes cannot control. This makes 100% security almost impossible since cybercriminals are always ahead and developing new kinds of attacks every day. Now with such kind of an environment, do we really need to record all our private life?

Why on earth would I take a photo of my private parts unless for medical purposes? Did other older generations do such things? One just needs to think of the worst-case scenario such as what if the information leaks out or gets in the wrong hands. If we don't want these, then let us not create sensitive data in the first place. Because if you do not want other people to see the private photos, what are they for?

Robin • January 25, 2020 4:57 AM

Amos, you raise some interesting questions which underpin a lot of security reasoning, viz. the security cost/benefit trade-off. In more general terms, I am continually astonished by revelations of wrong-doing (to various degrees from the merely embarrassing to the very criminal) by people in power. But I think the key is that to _become_ a person in power you must have a risk-taking personality, no choice. So what we see happening is because the rich and powerful _like and enjoy_ risk and that includes making decisions without enough information. Which is why they are rich and powerful, and living on the edge and not cautious, risk-averse, well-informed engineers living in their cyber-secure laboratory.

Of course survivor bias is a wonderful thing, which is why we see the rags to riches stories and not the riches to rags stories. Loving risk has its downsides.

I exaggerate, of course.

Anders • January 25, 2020 8:33 AM

@Moderator @Bruce

Is it possible here to make an exception for Clive?
I enjoy reading his comments all the time and it's a shame
if they "get lost".

Maybe even give him moderator power as he is always
here and his comments are even brought out as an example.

Who? • January 25, 2020 10:46 AM

About cell phone security...

Social networking and "alien" apps inside cell phones are out of question. Let us talk for a moment about the core system as provided by the device manufacturer only (i.e. the operating system without add-ons and minimally hardened following, let us say, the recommendations from the DoD STIGs).

What cell phone operating system would a security-conscious user choose?

iOS? Android? I think the former is hardly a hardened operating system, and the latter is openly a security and privacy nightmare. Both corporations had links to the PRISM project years ago, and there is no reason to think their minds have changed recently.

My bet would be BlackBerry OS 10 (not the hardened Android available in some BlackBerry devices). Even if support for this operating system ended a month ago, it looks like the strongest operating system yet. It can be somewhat hardened (e.g., following the advice provided in some STIGs) and looks robust for basic communication needs. But at some time a serious vulnerability will be disclosed.

What choices do we have? If we go away from mainstream there are some interesting approaches (most of them based on open source hardware) like Librem 5... are there other choices?

MarkH • January 25, 2020 1:40 PM

@Clive:

Did your comment have some unusual proper name in it? Perhaps there was some string of characters that matched a "naughty word list"

Harry King • January 25, 2020 3:38 PM

@Mod: Congratulations for saving us from the irrevelant (misspelling delib.) drivel of some posters.

Clive Robinson • January 25, 2020 3:48 PM

@ Harry King,

Yet another sock?

You really do get through them don't you, what's your Ratio these days?

Oh speaking of "irrelevant" have you ever posted anything of relevance even tangentially to a topic thread?

MarkH • January 25, 2020 4:07 PM

@Electron:

I don't see reason to worry that lawfare has somehow "gone to the dark side".

In general it's a very good thing (in a democratic society, at least) to publish perspectives that you significantly disagree with, if the writer is knowledgeable, thoughtful and has interesting points to make.

I often read pieces with viewpoints or conclusions with which I disagree, because sometimes I gain valuable insights. Nobody died and made me God (or at least, if this happened nobody told me about it) ... as a "boy scientist," I understand that virtually anything I believe to be true might be challenged by new data. I want to learn about ways I have understood incorrectly.
____________________________________

In any case, Mr Baker's conclusion is that, although he understands and cares about law enforcement concerns (he worked for the FBI, after all) ... he believes that cybersecurity is far more important, and that law enforcement should "suck it up" and come to terms with the necessity of encryption.

An • January 25, 2020 10:04 PM

I can see why they called it bananas... apparently we know this was SA because they sent it from MbS' phone and sent malware in the form of a DRM'd movie flying the SA flag that they can't fully decrypt?

Wait, what? I can understand from a cui bono perspective how you might think it was SA, but, uhh, this seems a bit odd for a way to conduct secret surveillance. Also, there's a new report that says Bezos' GF showed it to her brother who sold it. While I can believe that Bezos' phone got hacked, the evidence of that is, shall we say, more than a bit lacking and seems to be crafted as a way to deflect from Bezos sending dick pics.

None of which is to defend SA, they're rat bastards and the sooner we break our oil addiction, the better. Khashoggi sure knew how to pick the worst employers, though. I'd never want to work for Bezos or SA.

Clive Robinson • January 26, 2020 3:17 AM

@ An,

Also, there's a new report that says Bezos' GF showed it to her brother who sold it.

I don't know about "new report" but that story about him was put forward before, when the National Enquirer boss got cornered, and the brother vehemently denied he had done anything of the sort.

Whilst I would agree primary evidence is currently missing, circumstantial evidence is not.

Look at it this way, you find an unconscious body down by the river with a small hole in the front and a large hole in the back and a blood spatter pattern going in the direction of the water. After a search you find a 9mm round casing on the ground....

What would your preliminary finding be?

Would you need bullet or a smoking gun to make it?

No, in general you would hand over the person and evidence over for more detailed investigation by others.

Thus the question arises as to if Jeff Bezos is going to hand over the phone for a more detailed investigation?

But remember one thing that whilst Jeff Bezos's phone says it came from Crown Prince Mohammed bin Salman's (MBS) WhatsApp account that does not mean he sent it or it even originated from his phone.

When there are so many politicians to be embarrassed involved, it's best to tread with care.

But as I've said before the chances are it was modified NSA TAO tools along with tools from Israel. Because we know that the Saudis along with the UAE security forces have them and they have both been "misusing them" under the direct command in both cases of one man. For Saudi it's the aforementioned Crown Prince MBS and for the UAE Crown Prince Sheikh Mohammed bin Zayed Al Nahyan (MbZ) Deputy Supreme Commander of the United Arab Emirates Armed Forces, who for various reasons in effect runs the UAE and sets foreign policy and runs the security services. Oh and the UAE has probably the world's largest Sovereign Fund as well from petro dollars.

Anders • January 26, 2020 3:30 AM

@ALL

Those who called it "Bananas" are just close-minded.

mobile.twitter.com/dinodaizovi/status/1221324029841244161

Sed Contra • January 26, 2020 11:06 AM

@Who?

BlackBerry OS 10

Maybe as they have abandoned it, BlackBerry could be prevailed upon to make BB10 free and open source. Seems a shame that it should just moulder away. Of course, maybe this would mean open sourcing QNX ...

SpaceLifeForm • January 26, 2020 1:42 PM

@ Moderator, Clive, Bruce, Anders, MarkH

I see two posts by Clive (now well after the fact of the issue).

Times are GMT:

2020-01-24 19:17
2020-01-25 01:13

Content the same. Only linebreaks different.

Are you all sure no hidden double MITM with hidden caching servers?

That release after some timeframe?

Are you sure?

Clive, can you see them now?

Are you seeing what I am seeing?

SpaceLifeForm • January 26, 2020 1:53 PM

@ Clive

"No, probably not at the moment, but what is the statute of limitations if any?"

No statute of limitations for murder.

Certainly, Khashoggi knew that.

SpaceLifeForm • January 26, 2020 2:36 PM

@ Anders

While the attack may not be 'Bananas', the actual attribution may be. We don't know for sure.

Compare to the 'server' that Crowdstrike allegedly investigated.

Clive Robinson • January 27, 2020 6:33 AM

@ SpaceLifeForm,

Clive, can you see them now?

Not sure.

However I am one missing from around 3:40 PM on Jan 25 blog time that was a reply to @Anders and @MarkH.

I only tried posting it that one time, but I've still got a copy locally.

So I'll try posting it again after this.

Clive Robinson • January 27, 2020 6:35 AM

@ SpaceLifeForm,

No it did not post it came up with the comment blocked page again.

Nik • January 27, 2020 10:11 AM

"No it did not post it came up with the comment blocked page again"
How odd. That's the advantage of ML/AI and neural networks.
Things happen, nobody really knows why.

Rot-13 or Base64 encode?

SpaceLifeForm • January 27, 2020 1:43 PM

@ Clive

Ok, re-parsing, it was probably not about S of D, but dee em.

Former or latter?

SpaceLifeForm • January 27, 2020 2:41 PM

@ Clive

Actually, could be both.

The second keyword of the former is a codeword.

I had to not spell it out, otherwise I encountered same symptoms as you did.

Clive Robinson • January 27, 2020 4:12 PM

@ SpaceLifeForm,

I had to not spell it out, otherwise I encountered same symptoms as you did.

The brain is tired tonight it's been a long day one way or another and it's not yet over :-(

You could try the "watchmaker solution" and put things in, in the reverse order like pulling of a push down stack.

fajensen • January 28, 2020 7:47 AM

Stupid Question:

Why would an extremely wealthy individual like Bezos be so (seemingly) unprepared for this?

He is a double-digit billionaire, 'bigger' than some nation states, certainly a worthy target for both high-level industrial spying and sophisticated information attacks. There should be a hardened 'firewall' around him of security people, IT-security, IT-services, mean secretaries, and good advisors, with authority to pull in more experts when the need arises.

Rooting an iPhone should simply not be a severe problem for someone with access to Bezo's money. I wonder why they chose not to do that.

SpaceLifeForm • January 28, 2020 11:59 AM

@ Clive

I had to not spell it out, otherwise I encountered same symptoms as you did.

By not spelling it out, I was referring to
The S of [redacted]

It looks like [redacted] was the trigger word.

Anders • January 28, 2020 3:27 PM

@Clive @SpaceLifeForm

www.nytimes.com/2020/01/28/reader-center/phone-hacking-saudi-arabia.html

myliit • January 28, 2020 4:56 PM

Maybe both Saudi Arabia and the girlfriend’s brother were involved with Bezos’ stuff.

https://www.wsj.com/articles/prosecutors-have-evidence-bezos-girlfriend-gave-texts-to-brother-who-leaked-to-national-enquirer-11579908912

“How the National Enquirer Got Bezos’ Texts: It Paid $200,000 to His Lover’s Brother
Michael Sanchez sold the billionaire’s secrets to American Media, the Enquirer’s publisher, said people familiar with the matter

Amazon.com Inc. founder Jeff Bezos and his allies have publicly speculated about how the National Enquirer acquired racy texts he sent to his girlfriend, including at one point hinting Saudi Arabia or the White House may have been involved.

The reality is simpler: Michael Sanchez, the brother of Mr. Bezos’ lover, sold the billionaire’s secrets for $200,000 to the Enquirer’s publisher, said people familiar with the matter.

The...”

An • January 28, 2020 10:41 PM

@Clive

The problem is that this circumstantial evidence is a result of people who don't fully know what they're doing. They should have been able to decrypt the file:

See: https://twitter.com/dinodaizovi/status/1221324029841244161

It's also utterly beyond weird that someone would go out of their way to fly their own flag on the alleged malware. Which is why they should redo the report after decrypting it with the code above. I'm going to have to infer that they're too embarrassed about what they found if they don't publish an actual malware sample now that everyone is aware that there's no excuse for being unable to decrypt it.

If this was a murder case, the police investigation would have failed to find the murder weapon or the body, which they suspect was smuggled away at some point. Meanwhile, they're trying to explain how the investigation excluded the one person actually pointed to by witnesses simply because he said he didn't do it in favor of putting out a warrant for a foreign guy that nobody likes who was seen in the area.

Maybe that helps you understand why I find this report problematic? I mean, beyond the fact that they failed to investigate a lot of things they could and should have.

Oh, and the WSJ saw the texts of the pics being sold, so there's that, too... so I'm going to have to say that this conspiracy theory has been pretty well debunked at this point. Bezos will have to own up to his dick pics no matter which newspapers he owns.

Clive Robinson • January 29, 2020 3:41 AM

@ an,

The problem is that this circumstantial evidence is a result of people who don't fully know what they're doing.

It's why I said "preliminary finding" and,

    No, in general you would hand over the person and evidence over for more detailed investigation by others.

The evidence of "effect" --upping of data rate-- and potential "cause" --alleged MBS messages-- that were near time coincident has been put forward as a hypothesis by the investigators[1] but not any other evidence.

Hence my wondering if Jeff Bezos would hand his phone over to other investigators. He may well have disposed of it by now for various reasons or if still in use it's become hopelessly contaminated.

But as you note,

It's also utterly beyond weird that someone would go out of their way to fly their own flag on the alleged malware.

Yes and no. If you believe you are above legal consideration as MBS and his other staff have shown themselves to be (the killing etc) and you are "sending a message" then you might well behave in exactly that way.

But there is a problem in all forensics of going backwards in time[1]: a given effect can have a myriad of causes, hence my comment about the WhatsApp messages of,

    But remember one thing that whilst Jeff Bezos's phone says it came from Crown Prince Mohammed bin Salman's (MBS) WhatsApp account that does not mean he sent it or it even originated from his phone.

It could well have been done by others in any number of SigInt or IC entities around the world. There would need to be a lot further evidence to make that attribution solid.

As for the WSJ article, sorry I'm not able to read their articles for a number of reasons so I can not comment on what they have said.

But I will note again the fact that the House of Saud and the Whitehouse incumbent are tied into this in one way or another means that the normal rules and considerations are out the window. As I further said,

    When there are so many politician's to be embarrassed involved, it's best to tread with care.

There may well be one or more "Red Flag" operations either directly or indirectly involved.

So I would be cautious of what others claim to have seen or not seen with regards the source of the leaks, hearsay is not evidence and what people think they see as with a magician's act is what somebody might want them to see.

After all would you have thought a SigInt agency might get into what they consider a terrorist's computer? Most would say yes as that's one of their assigned tasks. But upload a cake recipe? Most would say probably not. Then use it to replace bomb making instructions, such that it gets published in a "magazine"? Some would just say "weird" or stronger, but then for the SigInt agency to make it publicly known, then some are going to say "utterly beyond weird"... But it happened nevertheless.

The important point to note is when the people involved are Heads of State that it is not unreasonable to consider that in fact Crown Prince MBS's phone was "hacked" --as was the German Chancellor and many others-- and the messages whilst coming from his phone as with the cake recipe actually originated elsewhere...

Thus utterly weird is kind of normal at this level. Which also means that the brother could be being set up.

Which is why real primary evidence is required of actual actions by named individuals. Which I expect in this case is going to be hard to find. I suspect smoking guns will turn up but not fingerprints on the trigger or on the ammunition in it.

After all ask yourself the question of why this report leaked when it did... It won't be the first at the start of a Presidential election cycle...

[1] I'm on record as saying that going from "effect to cause" is not science, because an effect can have many causes. Also that many mistakes in forensic evidence occur because of this unscientific method of "effect to cause".
