
A new milestone
The enshittification of security.
What could possibly go wrong?
Much to the chagrin of security pros, VMware security advisories are now only viewable if users sign up for a Broadcom Support account first. Granted, it's free to register a support account, but the change, which was announced earlier this week, may create added friction for infosec professionals looking for details on the …
Given the extent of easily automatable web activity snooping telemetry gathering, I've never understood mandatory free of charge registration to access web sites. It adds hardly anything of value to what can be acquired, particularly if those accessing a site do so from a corporate client.
Given Broadcom's recent "form" in massively increasing their "customer" (aka mark) fees my bet is that after a few months this will become a paid-for only service with an increase in price over the years massively exceeding inflation (witness Google and their recent price gouging for reCAPTCHA). Broadcom will then whinge when there's the inevitable customer security breach that it's because the customer in question hasn't upgraded their systems.
Microsoft's previous pathetic sliding scale reduction in security log duration depending on the version of MS365 purchased whilst bleating on about "Customer security being our highest priority" is yet another example of where this obviously translates to "$$$$$ is our highest priority".
They want to use the data to see who's still using VMware as that's what 99.9% of users will be doing. If you were previously a cloud partner of any description and paying monthly, your contract enabled VMware to conduct a physical audit, not just whilst the contract was in force but up to two years after it was terminated. I'm not a lawyer, so not sure if it's still possible for Broadcom/VMware to audit you given it was them who terminated the contract, but it won't stop them trying. I suspect they might be turning into the next Oracle regarding audits, if you're aware of how Orible operate.
So the whole crux of this article is a free support login is needed to read the advisories. That is a huge edge case, I've never seen that before. Wow, imagine the concept of having to sign up first before getting access. That's crazy, just what is the Internet coming to??!?
That is so irresponsible of Broadcom. They actually want to know who is reading their security advisories. VMware was so much better - any random threat actor had anonymous access to read the advisories. Just insane that Broadcom would want to restrict security information to known individuals such as their customers.
Thank goodness I am able to post this comment without having to sign up on The Register....errr...nevermind.
(For those without humor, this post contains sarcasm)
As a long-time user of VMware Fusion on my Mac desktop, I'm shocked to suddenly be told that I must now "migrate" my VMware support account over to Broadcom. Shocked, because as I try to do this I discover that the migration process requires a "site id" that I don't have, because I'm an end user, not a corporate customer.
So now I'm unable to access any of my product license details.
Nice one, Broadcom. NOT.
I've gotten a glut of emails from Broadcom about migrating to their portal, which I imagine will be used to show just how great of an idea the acquisition was due to "increased number of active broadcom account registrations".
Joke's on them, our partner vendor is getting hit with requests for alternatives, as they admitted when they were not at all surprised by my request.
I wonder if this would run afoul of those infosec firms who do the "Full disclosure or we release our exploit code on a much faster schedule"?
The clear intent of this type of policy is laudable -- in the past some firms would ask for more time to fix a problem and drag it out for 6 months, a year, more than a year; then silently fix the security flaws without disclosing they existed at all (which can cause problems when people don't update/upgrade, since they aren't hitting any bugs in their current software and, since it wasn't disclosed, don't realize they are at risk from security flaws.)
On the other hand some of these firms have shown, let's say, aggressive interpretations of this type of policy. I could easily see at least a few of these firms deciding if they go to Broadcom's site, and get a login request instead of full disclosure, that full disclosure has not taken place at all.
This whole VMware/Broadcom acquisition leaves me with a mucky dirty feel that makes me want to wash my hands until there's no trace left.
I've got a VMUG subscription so I can use and enhance my skills with VMware. But with all the customers now bailing out it seems like working skills in VMware won't be much sought after in the marketplace anyway.
I am considering attempting a migration to Proxmox sometime soon, because not only is it unlikely that I will renew, but it's looking like high risk that even things like VMUG will still be around when it comes up for renewal early next year. And in the process of migrating I'm going to get skills that probably are more in demand right now, namely "migration from vsphere".
With this latest change to the portal system, all of my links to software, release notes, KBs and things I'd use are now all broken. I might as well start afresh with all of those. 404 Page Not Found.
I don't have a Site ID so I can't add entitlements to anything and I can't get to the original download pages on VMware anymore.
I became subscribed to an ESXi community group (at some point in the distant past) and started receiving daily digests of all the posts since the migration. Whatever setting was there in VMware somehow has been changed during migration so I've had to go in and figure out how to unsubscribe from something I was never getting in the first place.
Now, even security notices are being hidden behind a login screen, seemingly for no good purpose.
All in all, I am just seeing breakage of previously useful things, carnage of productive resources, pointless inconvenience to me as a tech, and aggro for no real purpose other than "Broadcom". The VMware name is now just becoming trash sucked up by an organisation which seems to operate some sort of twisted business model where it looks like they have no qualms about pissing people off and don't see that their current approach is not going to help them make money and will simply destroy all goodwill.
Someone needs to tap people at Broadcom on the shoulder and remind them that they bought a business that while certainly needed changes, was worth what they paid for it because some things it did generated money. It makes no business sense at all to crap all over the things that made VMware valuable in the first place - least of all customers.
I've just recruited a new cloud engineer to join a small team and he said all of a sudden all the requests for VMware skills dropped to zero, nobody wants VMware skills now. I suspect companies are sticking with the people they have and just not recruiting more, until Broadcom stop rocking the boat. You might even see a drop in the price of VMware skilled professionals.