PGP, Heartbleed, and Everything Else In Between

Prior to working at UPMC, I had used Pretty Good Privacy (PGP)/Public Key Cryptography tools. However, throughout all my coursework and previous IT jobs I was never required to learn about PGP. It wasn’t until using it every day at UPMC that I discovered how much there is to this technology. It’s used for signing digital files, encrypting & decrypting data, file directories, or entire hard disks, for secure email communications, etc., and chances are you’ve used it countless times today and never even noticed.

PGP isn’t a device or software, although you need software to do it and almost all devices employ it. That’s not a riddle. Public Key Cryptography is just math. Such sophisticated mathematics that if you were to try and perform the calculations yourself with a pen and paper you would probably never finish a problem in your lifetime. That’s why you need software to do it. It’s so ubiquitous because, well, it solves some very difficult problems; also it’s free, and extraordinarily secure. I’d like to share my understanding of PGP in a way that leaves out the scary math functions and Greek symbols.

What’s your definition of a big number? Is it a trillion? Is it a trillion trillions? Go bigger. PGP is just math with two goals. The first is creating really, really big numbers. We call the first numbers private keys. The second goal is creating more really, really big numbers that are linked to the first – using a second algorithm. We call the second numbers public keys. I’ll explain these names and purposes as we go on; first it’s important to know what they are and how they are created.

If you pressed a button on your computer and generated a new PGP private key you would have a pretty good assurance that you are the only person, ever, in the history (or future) of the universe to know that number. As long as you keep that number private, you can rely on the mathematics for security. The math algorithm is so sufficiently random and the numbers so large that you could keep pressing that button all day, every day and never in your lifetime see a duplicate. In fact, every person on Earth could do the same thing, pooling our outputs, and none of the results would ever be the same.

Current theories on the absolute minimum energy cost to store 1 bit of data support the statement that there just isn’t enough energy in the universe to compute every possible private key. That means if every human being, computer, alien life form, and even if we could somehow bend all the energy in the universe to work together computing these numbers we would reach the end of the universe’s lifespan before completion. To quote the bard, Keanu Reeves, “Whoa.”

By themselves, these numbers are functionally worthless. Sorry, big build up for a huge let down, right? It’s cool to think about the theory but how do you apply these things and give them a use? The magic really happens with the second numbers, the public keys.

So we have our universe and it has been dissected into an incredibly large number of parts. We’ve turned the universe into a giant graph. We could even appoint a theoretical center with an X, Y, and Z axis and start assigning values. If we wanted, we could draw a giant curve through the universe. Just like drawing a curved line on a Cartesian plane in geometry class. This is what PGP, effectively, does.

This is far from y=mx+b (which was as far as younger me wanted to go with math) but it is the same idea. Algebra teaches us that if the properties of a line are known you can predict the other points that fall on that line. The same is true for a PGP elliptic curve. The private key is used to generate this curved line. As long as the same key is used the same line is created each time. Points can be picked on this curved line and they will be linked to your private key because only your private key can generate this line. These points are just numbers and they become the public keys.

As long as a private key is secure no one can predict any possible points of its elliptic curve. This is why we call the first number a private key. It must be kept a secret. We use the second numbers, the public keys, to do the data encryption that secures websites, email, and all those great things from way back at the first paragraph. Public keys can be given out freely. If someone were to try and use it to identify your private key they would still have to check it against the PGP curves of every private key in the universe. That’s just impossible. Private keys can also be used to encrypt data that only public keys can decrypt. This provides you a guarantee that if you can decrypt data with a public key it is from the key holder.
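To make the private/public relationship described above concrete, here is an added C example (written for this post, not the author’s or any PGP implementation’s code) on a deliberately tiny textbook curve, y^2 = x^3 + 2x + 2 over the integers mod 17 with base point (5,1); those parameters are my choice for illustration. The curve itself is fixed and public; the private key is a secret count of steps from the base point and the public key is the point you land on, and the only general way to go backwards is to try every count, which is instant here and hopeless at real key sizes.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy curve y^2 = x^3 + A*x + 2 over the integers mod P, base point G.
 * Constants are a textbook teaching example chosen for this illustration;
 * real curves use a prime of around 256 bits. */
#define P  17
#define A  2
#define GX 5
#define GY 1

typedef struct { int64_t x, y; int inf; } Point;   /* inf = 1: point at infinity */

static int64_t mod(int64_t a) { return ((a % P) + P) % P; }

/* Modular inverse by exhaustive search; acceptable for a 17-element field. */
static int64_t inv_mod(int64_t a) {
    a = mod(a);
    for (int64_t i = 1; i < P; i++) if (mod(a * i) == 1) return i;
    return 0;                                   /* only reached for a == 0 */
}

/* Group law: chord-and-tangent addition of two points on the curve. */
static Point point_add(Point p, Point q) {
    Point o = {0, 0, 1};
    if (p.inf) return q;
    if (q.inf) return p;
    int64_t s;
    if (p.x == q.x) {
        if (mod(p.y + q.y) == 0) return o;                    /* p == -q */
        s = mod((3 * p.x * p.x + A) * inv_mod(2 * p.y));      /* tangent slope */
    } else {
        s = mod((q.y - p.y) * inv_mod(q.x - p.x));            /* chord slope */
    }
    Point r = {mod(s * s - p.x - q.x), 0, 0};
    r.y = mod(s * (p.x - r.x) - p.y);
    return r;
}

/* Public key = k * G. Repeated addition is fine here; real code uses double-and-add. */
static Point public_key(int64_t k) {
    Point g = {GX, GY, 0}, acc = {0, 0, 1};
    for (int64_t i = 0; i < k; i++) acc = point_add(acc, g);
    return acc;
}

/* Recover k from Q by stepping through every multiple of G until Q appears or the
 * cycle closes. This is the "check every private key" search the post describes;
 * key size is what makes it infeasible. Returns -1 if Q is not a multiple of G. */
static int64_t recover_private(Point q) {
    Point g = {GX, GY, 0}, acc = {0, 0, 1};
    for (int64_t k = 1; ; k++) {
        acc = point_add(acc, g);
        if (acc.inf) return -1;                 /* back at the start: cycle closed */
        if (acc.x == q.x && acc.y == q.y) return k;
    }
}

int main(void) {
    int64_t k = 7;                              /* the private number (tiny here) */
    Point q = public_key(k);
    printf("private k=%lld -> public Q=(%lld,%lld)\n",
           (long long)k, (long long)q.x, (long long)q.y);
    printf("exhaustive search recovers k=%lld\n", (long long)recover_private(q));
    return 0;
}
```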

If you are connecting to a website and want a secure connection you likely had to download a security certificate. There are many standards but you are likely storing one of the public keys for the web server’s private key in that certificate. When your browser connects to the secure site it will send traffic that is encrypted using the public key. That data can only be decrypted by the person or software that has access to the private key to which it is now linked. Yes, I am saying that if your encrypted banking traffic were to be scanned, sniffed or otherwise copied while transferred over the wire even an alien race thousands of years more advanced than ours probably couldn’t see a bit of useful data, let alone an account balance.

Though the math has been peer reviewed for decades and is considered sound, PGP has a major weakness – humans. We are excellent when it comes to physical security: bank vaults, locks on doors, bars on windows, etc. We’ve been doing those things for so long. Digital security is still new. Although the mathematics of PGP is sound, the way it is deployed or used by software can leave you vulnerable.

Recently, with respect to the time of this writing, the Heartbleed Bug has affected an insurmountable number of systems, devices and enterprises. This was not a bug in PGP. This was a bug in software that used PGP. Popular open-source software, OpenSSL, was exposing portions of client memory on systems where it was running. For affected clients, this meant the private keys that were in use were compromised. Eavesdroppers, whether they are aliens with technology beyond our understanding or a neophyte hacker snooping on your network traffic from their parents’ basement, could view private keys stored in memory. Once someone has your private key your security is gone. OpenSSL is used in home computers, websites, printers, cell phones, firewalls, operating systems and an unquantifiable amount of other software.
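As an added illustration (written for this post, not OpenSSL’s own code), the two C handlers below model the shape of the Heartbleed defect: a heartbeat record carries its own length field, the vulnerable handler copies that many bytes without comparing it to how many bytes were actually received, and the fixed handler adds the bounds check that the patch introduced. The record layout, the memory buffer and the stand-in secret are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat record layout (after RFC 6520):
 *   [type:1][payload_length:2 big-endian][payload][padding:16]
 * A reply echoes the payload back. Everything below (buffer layout, sizes,
 * the stand-in secret) is constructed for this illustration. */
enum { PADDING = 16, MEM_SIZE = 64 };

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: trusts the length field carried inside the record and copies
 * that many bytes, so a claimed length larger than the real payload echoes whatever
 * happens to sit after the record in memory. Returns the number of bytes echoed. */
static size_t reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                              /* the real length is never consulted */
    size_t payload_len = read_be16(rec + 1);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Fixed shape (the check the OpenSSL patch added): the claimed payload, header and
 * padding must fit inside the bytes actually received, otherwise drop the request. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING) return 0;
    size_t payload_len = read_be16(rec + 1);
    if (1 + 2 + payload_len + PADDING > rec_len) return 0;   /* the missing bounds check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Scenario: a 4-byte payload "ping" whose length field claims 40 bytes, with a
 * stand-in secret stored right after the record in the same buffer. Returns 1 when
 * the unchecked handler echoes the secret and the checked handler refuses. */
static int demo_leak(void) {
    uint8_t mem[MEM_SIZE] = {0}, reply[MEM_SIZE] = {0};
    const char *secret = "SECRET-KEY-MATERIAL";
    mem[0] = 1; mem[1] = 0; mem[2] = 40;        /* type, claimed length = 40 */
    memcpy(mem + 3, "ping", 4);
    size_t rec_len = 1 + 2 + 4 + PADDING;       /* 23 bytes really received */
    memcpy(mem + rec_len, secret, strlen(secret));

    size_t n = reply_unchecked(mem, rec_len, reply, sizeof reply);
    /* bytes copied start at mem+3, so the secret lands at reply + (rec_len - 3) */
    int leaked = n == 40 && memcmp(reply + rec_len - 3, secret, strlen(secret)) == 0;
    int refused = reply_checked(mem, rec_len, reply, sizeof reply) == 0;
    return leaked && refused;
}

int main(void) {
    printf("unchecked handler leaks and checked handler refuses: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```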

Pretty Good Privacy/Public Key Cryptography is far from flying cars and hover boards, but it is still pretty good sci-fi. Though reading its white papers or technical articles makes it easy to fall asleep, new technologies built with or upon PGP are astounding. Among these projects are anonymous proof of identity systems, decentralized peer-to-peer network based agreements, and, my favorite, autonomous corporations. There is too much to say about all these systems to cover them here. However, as far as PGP is concerned the cliché “When you’ve done something right no one will think you’ve done anything at all” applies. (Unless something breaks, thanks Heartbleed).

By Alex Sherbuck, Systems Analyst – ISDR

Filed under ISDR

ISDR Class of 2015: Paving the Way

When I first applied to the ISDR Program, I had no idea that it would be the first year of the program. I was expecting there to be a great deal of structure and requirements, but what I found was more the opposite. While there was still some structure, the first ISDRs were given the freedom to pave the way, to make the program into whatever we wanted it to be.

The program is a unique opportunity that few get the chance to experience. After learning the ropes, we hit the ground running. Before our first monthly meeting, we had already spontaneously decided that our first Day of Caring would be to refurbish old Macintosh computers at Goodwill in Pittsburgh. Since then, we have developed a Wiki to document our rotations, hosted numerous service events, planned a large fundraiser for the end of the summer, and been involved in recruitment and interviews of Summer Associates and the next class of ISDRs.

Personally, this has been an empowering experience. I’m not sure where my drive comes from – whether it’s from being a competitive runner or that I’ve been highly ambitious since I was a child – but I thrive on being challenged. I excel when I am thrown out of my comfort zone. Being a part of the first class of ISDRs created this experience for me. I am constantly challenged in my rotation, through organizing events mostly from scratch, and in presenting my work to senior leadership, just to name a few areas. It is sometimes a little nerve-racking not knowing where the program is going to go and where it will take me, but it keeps me on my toes and that’s a great thing.

Although the ISDR Class of 2015 will be the only “first class”, the nature of the program allows for growth and change to continually make it better and more fulfilling. There is no set-in-stone picture for how the two years and four rotations will go. So, if you are one of the lucky ones who are accepted into the ISDR program, don’t think you have missed out on the chance to pave your own way!


By Caleb Muller, Systems Analyst – ISDR

Filed under ISDR

Work Environment: An Important Piece of the ISDR Puzzle

The ISDR program is great in that it provides us the opportunity to not only explore different areas of IT at UPMC, but it also exposes us to different work environments and work cultures.

I’ve had a lot of jobs over the years: babysitting, tutoring, retail, random on-campus jobs at college, internships, and now 2 out of 4 rotations in this program. I’ve worked in an array of settings with a range of employers, and with a diverse pool of team members and managers. However, until this point, I haven’t really had the chance to reflect on my ideal work environment and culture. To figure this out, I think it’s important to consider what has or has not worked for me in the past and what environment will be conducive to developing my skill set, networking, and furthering my overall career development.

While I could have some pretty high-maintenance, temporal demands like needing an all-paid yoga studio in the building, and a window view so that my plants have a chance of surviving (although I wouldn’t complain if those were available), I’ll be reasonable –

My ideal work environment is being surrounded by people I get along with, having people to eat lunch with, and one where everyone around me is supportive, helpful, open-minded, respectful, and not afraid of change.

We spend roughly 34% of our waking hours at work. That’s a LOT of our time! It is important that we find a work environment that provides us with what we need and expect, and ultimately is a good fit for us. For those of us just entering the corporate world full time, we have great ideas, we have energy, we are willing to learn and work (and work hard), we want to contribute, and we want to find something we love doing that we can help with. We want to be full speed ahead, but that may not be the environment we are walking into, so there may be an adjustment period of adapting and finding common ground, learning and mistake-making. In our deep dive with Tami Minnier, she said that “to be successful you cannot only be competent, you have to be confident.” I know there will be people and places that make me question my confidence, but I also know that I have worked in great places with great people that through challenging work have fostered healthy environments and as a by-product promote confidence.

When considering future rotations and positions following the ISDR program, I will definitely be asking questions (and I would encourage everyone reading this to do the same!) to make sure I’m not only focused on content of work, but also work environment, and how I will fit in and contribute, because I believe work environment plays a huge role in productivity and functionality.

(But flexible work hours, a yoga studio, and other amenities at all of my rotations may help my morale, too!)

By Whitney Soldo, Systems Analyst – ISDR

Filed under ISDR

A Shift in Thinking: How the ISDR Program Shaped My Career Goals

The two rotations that I have experienced so far at UPMC have changed my perception of career goals. Going into college, I knew what I wanted to study. I knew for years that computer science was the road ahead of me. Upon graduation, I had the same belief that software engineering would be my career path. I decided that doing a rotation program would be a unique opportunity that I could greatly benefit from, and one that I would not have a chance to experience later in my career. However, what I was really looking forward to was being in a software engineering role.

What I have experienced so far in the program has challenged the former clarity I once had about my career. Working for such a complex organization like UPMC’s Information Services Division exposes you to so many moving parts. There are several different groups that I have encountered throughout my rotations of which I can envision myself being a member. This has really led me to considering other possibilities for my career in the future. I love software engineering, and still plan on doing it at some point in the future, but who knows? This uncertainty used to scare me; however, with the insight I have gained through this program, I now find it exciting. The opportunities at UPMC are abundant, and with my experience from the ISDR program, I am well equipped for whichever one comes my way. At the very least, I now have a much deeper appreciation for the other areas of ISD, and a sincere interest in experiencing different roles.

By Ryan Kelly, Systems Analyst – ISDR

Filed under ISDR

Lessons Learned as an ISDR

1. It’s harder than you would expect to coordinate with others. Coordinating with others while in college is fairly straightforward: “Hey do you want to grab coffee and work on our project after class?” – “Sure, that would be great!” Most of the time, this method is effective. Transitioning into a professional environment, the situation becomes similar to: “Hey do you want to grab coffee and discuss our ideas for our upcoming meeting?” – “Sure, I’m busy this afternoon and tomorrow morning, and you are booked tomorrow… it looks like we both have a free half hour on Thursday so we can meet then!” Everyone has a busy schedule and trying to find time can sometimes be very difficult. This is increasingly difficult when trying to plan meetings with larger groups.

2. Public speaking is not as scary as it seems. When I started the ISDR program, I hated the idea of speaking in front of people. It was not something I felt I was particularly good at, or had much experience with. I was afraid of people asking questions and not being able to answer them. Luckily, I found out that speaking about your own accomplishments is far easier than giving a presentation that you had to research information for. Because you did all of the work, and understand the information you are presenting, the speaking aspect is not nearly as scary. Realizing that ‘I did this’, made the experience less nerve-wracking and has been easier ever since.

3. Excel is your friend… and your enemy. If you think you will not use Excel in your career (like I did), you are mistaken. Whether you are working on a budget, or using it to keep information together, you will use it. Excel is a powerful tool. Having an understanding of Excel is one thing, but being an Excel wizard is an entirely different story. Pivot tables can be your best friend, putting together complex formulas from multiple spreadsheets can be your worst nightmare. I have a love/hate relationship with Excel, and it’s very likely to stay that way.

4. There is way more to corporate IT than what I originally expected. There are many different groups throughout ISD that work together to run the business. Learning how these groups work together takes some time to figure out. Who is in charge of what? Who needs to approve this before it can be moved forward? The number of areas can be intimidating, but they become easier to understand as time goes by.

5. Network, Network, Network. Networking is very important, especially when moving from one rotation to the next. Your client in one rotation could be your team in the next. Networking is also beneficial when you are looking for more information. If you know someone in a particular area, you can feel comfortable reaching out to them for advice or to point you in the right direction. It’s also good to build relationships with everyone you meet, because you never know where you might end up when the two years are over.

By Antonio Greco, Systems Analyst – ISDR

Filed under ISDR

Life in the Cave

Gone are the days of interns fetching coffee, filing papers and stapling for hours. As any Summer Associate knows, internships at companies like UPMC are coveted positions which we prepare ourselves for up to a year in advance by seeking out the most desirable programs, stalking HR representatives and rewriting our resumes to the point of perfection. Most of my expectations were met as I look back on the program: involvement in big and important projects, corporate events, dress codes, networking events and more.

However, one aspect I never saw coming was sitting in a square formation with 11 strangers staring at one another in a medium-sized conference room with no windows. Fondly labeled as “The Cave” or “the S.A.C.” (Summer Associates Cave), we Marketing/Communications Summer Associates quickly got to know each other very, very well. It would be misleading to say that this was not a challenging arrangement for everyone, but it was a situation that was clearly an invaluable preparation for any professional working environment.

For some reason, people in the office seem to have the impression that The Cave is a quiet place. This is likely due to our innate ability to stop mid-argument or mid-laughing-fit whenever anyone other than a Summer Associate walks in. Little do they know, they probably missed by seconds a heated argument about the Royal baby, a flying stress-ball or everyone reduced to tears of laughter from our witty dialogue. I’m not exaggerating when I say we all know everything about each other. We should probably make a pact, in case anyone ever wants to run for office someday.

The Cave is our war room.  It’s a place of solidarity and teamwork, where we celebrate each other’s wins and challenge each other’s losses.  And it’s not like we all love each other, but the atmosphere became one where we couldn’t help but be there for each other.  Everything took place against a backdrop of ambition, perfectionism, and dedication.

The Cave experience was invaluable.  It was full of those intangible lessons that at the time are annoying and frustrating but in retrospect were the highlight of the summer.  There probably isn’t a single work experience we couldn’t handle.  In a lot of ways we were legitimately like puppies.  We honestly had to watch our group sugar consumption so we didn’t get too wound up, and we poked and prodded at one another to no end.  We learned to love it, we got sick of it and each other, but ultimately we were made better for it.  And while The Cave helped us in a larger, professional sense, it truly fostered lifelong friendships.  My fellow Cave-mates inspire, motivate, infuriate and comfort me and I will miss them all very much.  So here’s to the cave life!

By Anne Merrick, Summer Associate

Filed under Marketing, Summer Associates

Career Goals and My Progress at UPMC

“Don’t aim for success if you want it; just do what you love and believe, and it will come naturally.”
– David Frost

Growing up, I always heard those around me say things similar to “do what you love and you will never work a day in your life.” I never understood the value in this statement until I began my professional career. Coming into my internship with UPMC this summer, I had no idea how much I was going to learn or the advances in my career I was going to make by pursuing what I love to do. I arrived with the expectation to learn a lot about finance and gain some new experiences, but I have since learned many things beyond what I expected. Not only have I learned a lot about finance in my position, but I have surprisingly learned more about healthcare than I ever imagined. I have also learned many things about working in a corporate environment as well as understanding the dynamics that come into play when working with different people. I have made many new friends, enabling me to develop as an individual. Through service events, I have come to understand the beliefs that are at the core of UPMC. My career goal was to one day work in finance, and I never knew it could lead me to UPMC. I never saw myself loving this kind of work, but my summer at UPMC has given me the ability to experience something new and succeed at it. I have learned that sometimes your career goals change as your experiences enumerate. Oftentimes, an experience can enable you to better understand yourself and shape your goals. My summer here at UPMC has given me that ability. While the work was valuable, the ability to better know myself and understand my goals is an experience that will always be of value in my life.

By Elana Petro, Summer Associate

Filed under Finance, Summer Associates