Who is Pierre Poutine?


John Ivison published an interesting piece in the National Post last week that breezed by what would have been technobabble to some:

Mr. Meier set out to follow the digital trail himself. Pierre Jones had covered his tracks sufficiently that a “burner” phone, PayPal account and the Gmail address he’d been using offered no clues. Mr. Meier spent hours piecing together a “session log,” breaking down when Pierre Jones used the RackNine system and what he did while on it. “We put it together one Lego block at a time. It pierces the veil to indicate who is using the system,” he said.

Mr. Meier said he had his “Eureka” moment at 3 a.m. one morning, and by 5 a.m. had written a 22 page report for Elections Canada. “He [Pierre Jones] screwed up. Just for a fraction of a second but it was enough for me to find him,” he said.

Let’s get right to the point.

A “cookie” in web browsing terms is a string of characters stored in a file on your computer that your browser relays back to a website as you browse. For example, when you log in to a website, this file is the reason you can go from one page to another. A secure site (e.g. Gmail) asks the computer whether it has any of that site’s cookies on its hard drive and, if so, what the cookie says. If the cookie carries the encoded string the site is expecting, the user can proceed to the next page, and the next, without having to log in again for each new page.

Sessions are a bit different but similar in tracking utility. From About.com:

Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn’t be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.

So, Meier reconstructed the session log and had a Eureka moment. This means that there was likely a common session linking two users: one ‘client’ of RackNine’s likely logged out of RackNine’s web interface and, with a session token likely still held on the same computer, another ‘client’ (Poutine) was logged in. Oops.

To see an example of this, log out of Facebook and look at the URL. Logging in with new credentials can store the session key under the newly logged-in user as well.

We can deduce that Pierre Poutine very possibly used the same computer as another legitimate user account on RackNine. Alternatively, a web URL with a session key (e.g. racknine.com/menu.php?id=4due2sjdh29c809encgg) could have been shared from one user on one computer to another computer.
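The correlation this hypothesis implies can be sketched over a request log. This is an added example, not code from the original post or from RackNine: the log layout (timestamp, IP, account, URL) and the account names are assumptions, the token is read from an `id` parameter as in the URL above, and every log line is constructed. It also shows why a shared token is a tighter link than a shared IP address.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, not RackNine data. Assumed fields:
# timestamp, client IP, authenticated account, request URL.
SAMPLE_LOG = """\
2024-01-01T09:00:05 198.51.100.7 account_a /menu.php?id=aaaa1111bbbb2222cccc
2024-01-01T09:14:40 198.51.100.7 account_a /logout.php?id=aaaa1111bbbb2222cccc
2024-01-01T09:14:58 198.51.100.7 account_b /menu.php?id=aaaa1111bbbb2222cccc
2024-01-01T09:20:11 198.51.100.7 account_c /menu.php?id=dddd3333eeee4444ffff
2024-01-01T09:21:30 203.0.113.9 account_d /menu.php?id=9999gggg8888hhhh7777
2024-01-01T09:30:00 truncated
"""

def parse_line(line):
    """Return (timestamp, ip, account, token), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, account, url = parts
    token = parse_qs(urlsplit(url).query).get("id", [None])[0]
    return (ts, ip, account, token) if token else None

def linked(log, key_index):
    """Accounts grouped by a shared key: field 1 is the IP, field 3 the token.
    Only keys seen under more than one account are returned."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec[key_index]].add(rec[2])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def first_crossover(log, token):
    """First moment a token appears under a second account, or None."""
    first_account = None
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == token:
            if first_account is None:
                first_account = rec[2]
            elif rec[2] != first_account:
                return rec[0], first_account, rec[2]
    return None

if __name__ == "__main__":
    print("by IP:    ", linked(SAMPLE_LOG, 1))   # also sweeps in account_c
    print("by token: ", linked(SAMPLE_LOG, 3))   # only account_a and account_b
    print("crossover:", first_crossover(SAMPLE_LOG, "aaaa1111bbbb2222cccc"))
```

In the constructed data the shared IP groups three accounts, one of them unrelated, while the shared token isolates the two accounts that used the same browser session and gives the timestamp of the hand-over.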

  • http://twitter.com/markjohnh Mark John Hiemstra

    I don’t think it’s that difficult at all. All he had to do was query his database for the IP address from which the order in question originated. He could then query other activity from that address. No “eureka” moment is required. 

  • http://twitter.com/saltorio Shawn S. Altorio

    That wouldn’t give a clear indication, as many private networks run under only a few IP addresses. Look at the Vikileaks30 issues for an example of that. Parliament Hill uses only a small number of IP addresses for its hundreds of users.

  • Claudia Lemire

    I wholeheartedly support Matt, and can’t wait to see his name and his company’s cleared out FULLY! Getting there luckily.

  • Anonymous

    From this post and Ivison’s article, the biggest takeaway for me is how shockingly lax the system is. I mean the whole system, from flaky accounting in the campaign offices, right through to the apparent fact, if Mr Meier’s explanation is to be believed, that his firm (RackNine) would happily broadcast any phone message, to any phone list, without requiring confirmed id from the client.

    Not squirming yet? Let me put it another way. Mr Meier is in effect confirming that his company let this apparently unknown person send any old message to any given phone list, and all he required was payment.

    So while you all may be thinking how clever Mr Meier was to track down the infamous Mr Poutine, I’m still wondering why Mr Meier would allow an untraceable user to use RackNine to transmit any message, political or otherwise, to possibly thousands of households. Frankly, wtf?

  • http://twitter.com/Rose215 Rose215

    Why would the company need to hear what is in the mssg.? Surely there are hundreds of such messages sent every day. Usually what is involved is a contract indicating you won’t do anything illegal, etc. Meier is providing a technical service. Do web companies vet everything that gets posted on their servers? I would also guess that most of RackNine’s customers are unknown until they become regular customers.

  • Anonymous

    Why would the company need to hear what is in the mssg.?

     I didn’t say that. I’m simply saying that an untraceable person can broadcast political speech to who knows how many recipients. And, now that this is all under investigation, it will require months of digging from EC, instead of all these records being immediately available.

    Does this sound right to you? I’m talking about all parties here.