Thread regarding Optum layoffs

ESRO Re*ards

The response by these dipsh-ts is comedy. Almost seems like they are trying to cover up another massive mistake they made with this Shai-Hulud response. Too bad none of the incompetent workers will be laid off, only those with a brain and those that speak the truth will be laid off.


2598 views | 16 replies (last October 1)
Post ID: @OP+1k5hdry1e

16 replies (most recent on top)

I wrote a hello world app in my lunch break! But ESRO said it was malware??

Post ID: @207+1k5hdry1e

Incompetent leaders were fired, NT of security engineering, GB of risk, were all let go. Replaced with VPs for a cost savings. Not all of us in ESRO are re--rderos … we care, we try our best then leadership in the business makes bad decisions..

Post ID: @p7+1k5hdry1e

It shouldn't take the organization 5 days to determine if a breach occurred. Especially right after one actually happened.

Post ID: @b4+1k5hdry1e

@an Do you realize how stupid and expensive a major security breach is? I'm thinking that $3 Billion trumps some lost development time by just a tad. There are 2 sides to every coin. It's too bad that many people have been inconvenienced by this, but I'm not the least bit surprised that it's happening.

https://www.hcinnovationgroup.com/cybersecurity/article/55236413/unitedhealth-bumps-change-hack-cost-estimate-to-nearly-29b

Post ID: @b1+1k5hdry1e

this is the same guy making these threads and then posting in them 10 times as his own blog btw

Post ID: @av+1k5hdry1e

@af so...instead of doing proper diagnosis on severity of a potential (emphasis on potential) nightmare/disaster in a timely manner, we will just take down ALL production builds, dev envs, CI/CD pipelines. Oh and not just for web applications that use npm but even for legacy Java and C# applications. You realize how stupid and expensive this terrible process is, right?

Post ID: @an+1k5hdry1e

@ad If it did get in, it could be a disaster. After the Change Healthcare nightmare and the billions lost in that I'm betting that any sort of significant breach that stands any chance of getting into UHG will elicit an overreaction. The lawsuits from Change will be reverberating for decades.....so a bit of paranoia is understandable IMO.

Post ID: @af+1k5hdry1e

@a6 Just FYI, this wasn't just some obscure package. 2 million downloads a week ain't chicken feed. But I agree, the message to stop everything was over the top.

https://www.msn.com/en-gb/money/technology/a-terrifying-self-replicating-malwaere-has-infected-npm-packages-with-over-2-million-downloads-per-week-heres-how-to-stay-safe/ar-AA1MKGeB?ocid=BingNewsSerp

Post ID: @ac+1k5hdry1e

Yeah, anyone with more than 2 braincells knows this is a massive overreaction. I’m not sure what they were thinking in pausing all development as if that would help at all.

Post ID: @ab+1k5hdry1e

The only group in UHG that when they F@&!$up, gets more funding. When are we going to learn there are bad leaders in ESRO. Incompetence hires incompetence. We’re going to need to clean house if we’re ever going to deliver with security built into solutions rather than the current “mother may I…” or death by thousand cuts processes. ESRO have old convoluted processes with little idea how all the services within their own team work. Most of that team do not know what their left or right internal teams do. No wonder we keep having breaches. The middle VPs need to go or be ready for another breach.

Post ID: @aa+1k5hdry1e

@a7 comical

Post ID: @a9+1k5hdry1e

@a5 Let's be fair, there's still a lot of good talent at this company, but yes, the way Optum operates pushes a lot of people with the motivation to leave out. And is responsible for a lot of the problems we have.

We still have a lot of good talent here, but they're burned out, they're depressed, life has been su-ked out of them from this soul-su-king shithole of a company. Because leadership is incompetent, and even your direct manager is unlikely to have a clue what you're doing.

Post ID: @a8+1k5hdry1e

ESRO stands for the Enterprise Security and Resilience Office within UnitedHealth Group (UHG), the parent company of Optum. As a business unit of UHG, Optum and its subsidiaries align with ESRO standards to safeguard data, systems, and operations.

ESRO's mission is to protect UnitedHealth Group against security threats and ensure the company can continue to operate and recover from any disruptions.

ESRO's functions:

- Security leadership: ESRO includes the Office of the Chief Security Officer, who directs the overall security strategy for UHG and its business segments, like UnitedHealthcare and Optum.
- Resilience and continuity: The team is responsible for ensuring business continuity and responding to security events, including incident and crisis management.
- Threat management: ESRO works to strengthen cyber defenses, improve ransomware resiliency, and mitigate vulnerabilities across the enterprise.
- Protection of sensitive data: The office is responsible for protecting the sensitive data of the company's members and providers.
- Strategic alignment: As part of the larger organization, Optum's security teams work to implement and maintain solutions that align with ESRO standards. For example, the Optum Serve division follows ESRO standards to protect systems that serve

Post ID: @a7+1k5hdry1e

STOP ALL DEVELOPMENT!!!!! SOME OBSCURE NPM PACKAGE GOT COMPROMISED FOR 3 HOURS!

Post ID: @a6+1k5hdry1e

Let’s be fair… the best talent left 3+ years ago and longer.. now they just have paper pushers and egomaniacs!!

Post ID: @a5+1k5hdry1e
