back to article VMware security advisories now behind bureaucratic Broadcom barricade

Much to the chagrin of security pros, VMware security advisories are now only viewable if users sign up for a Broadcom Support account first. Granted, it's free to register a support account, but the change, which was announced earlier this week, may create added friction for infosec professionals looking for details on the …

  1. This post has been deleted by its author

  2. b0llchit Silver badge

    A new milestone

    The enshittification of security.

    What could possibly go wrong?

    1. hx

      Re: A new milestone

      Doesn't matter. VMware is done. Ther will be no development. There will barely be maintenance. Any enterprise that isn't already acting on its migration plan was their target victim all along.

  3. Mike 137 Silver badge

    Wondering why

    Given the extent of easily automatable web activity snooping telemetry gathering, I've never understood mandatory free of charge registration to access web sites. It adds hardly anything of value to what can be acquired, particularly if those accessing a site do so from a corporate client.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wondering why

      It makes it easier to spam you with adverts

    2. StewartWhite

      Re: Wondering why

      Given Broadcom's recent "form" in massively increasing their "customer" (aka mark) fees my bet is that after a few months this will become a paid-for only service with an increase in price over the years massively exceeding inflation (witness Google and their recent price gouging for reCAPTCHA). Broadcom will then whinge when there's the inevitable customer security breach that it's because the customer in question hasn't upgraded their systems.

      Microsoft's previous pathetic sliding scale reduction in security log duration depending on the version of MS365 purchased whilst bleating on about "Customer security being our highest priority" is yet another example of where this obviously translates to "$$$$$ is our highest priority".

  4. Anonymous Coward
    Anonymous Coward

    They want to use the data to see who's still using VMware as that's what 99.9% of users will be doing. If you were previously a cloud partner of any description and paying monthly, your contract enabled VMware to conduct a physical audit, not just whilst the contract was in force but up to two years after it was terminated. I'm not a lawyer, so not sure if it's still possible for Broadcom/VMware to audit you given it was them who terminated the contract, but it won't stop them trying. I suspect they might be turning int the next Oracle regarding audits, if you're aware of how Orible operate.

    1. gryphon

      Broadcom are also very hectoring about not using out of date software versions even if properly licensed.

  5. Anonymous Coward
    Anonymous Coward

    Mountain meet mole hill

    So the whole crux of this article is a free support login is needed to read the advisories. That is a huge edge case, I've never seen that before. Wow, imagine the concept of having to sign up first before getting access. That's crazy, just what is the Internet coming to??!?

    That is so irresponsible of Broadcom. They actually want to know who is reading their security advisories. VMWare was so much better - any random threat actor had anonymous access to read the advisories. Just insane that Broadcom would want to restrict security information to known individuals such as their customers.

    Thank goodness I am able to post this comment without having to sign up on The Register....errr...nevermind.

    (For those without humor, this post contains sarcasm)

    1. t0m5k1

      Re: Mountain meet mole hill

      Tell us you don't understand fast access to security advisories without telling us you don't understand fast access to security advisories.

    2. ChoHag Silver badge

      Re: Mountain meet mole hill

      Known individuals such as their customers and anybody who can sign up for free internet accounts. Presumably this doesn't include the threat actors?

  6. Anonymous Coward
    Anonymous Coward

    VMWare end user product licensing

    As a long time user of VMware Fusion on my Mac desktop, I'm shocked to suddenly be told that I must now "migrate" my VMware support account over to Broadcom. Shocked, because as I try to do this I discover that the migration process requires a "site id" that I don't have, because I'm an end user, not a corporate customer.

    So now I'm unable to access any of my product license details.

    Nice one, Broadcom. NOT.

  7. John1918

    Time To Boost "Userbase" Numbers?

    I've gotten a glut of emails from Broadcom about migrating to their portal, which I imagine will be used to show just how great of an idea the acquisition was due to "increased number of active broadcom account registrations".

    Jokes on them, our partner vendor is getting hit with requests for alternatives, as they admitted when they were not at all surprised by my request.

  8. Henry Wertz 1 Gold badge

    Full disclosure?

    I wonder if this would run afoul of those infosec firms who do the "Full disclosure or we release our exploit code on a much faster schedule"?

    The clear intent of this type of policy is laudable -- in the past some firms would ask for more time to fix a problem and drag it out for 6 months, a year, more than a year; then silently fix the security flaws without disclosing they existed at all (which can cause problems when people don't update/upgrade, since they aren't hitting any bugs in their current software and, since it wasn't disclosed, don't realize they are at risk from security flaws.)

    On the other hand some of these firms have shown, lets say, aggressive interpretations of this type of policy. I could easily see at least a few of these firms deciding if they go to Broadcom's site, and get a login request instead of full disclosure, that full disclosure has not taken place at all.

  9. TheWeetabix Bronze badge

    it has taken customer feedback into account...

    Of course they have. "We are almost certain we can push and get away with this and not piss anyone (important) off too much."

    Feedback can be used for more than one thing....

  10. reub

    HOWTO: Buy a Business Then Screw Everything Up About It (Including Customers)

    This whole VMware/Broadcom acquisition leaves me with a mucky dirty feel that makes me want to wash my hands until there's no trace left.

    I've got a VMUG subscription so I can use and enhance my skills with VMware. But with all the customers now bailing out it seems like working skills in VMware won't be much sought after in the marketplace anyway.

    I am considering attempting a migration to Proxmox sometime soon, because not only is it unlikely that I will renew, but it's looking like high risk that even things like VMUG will still be around when it comes up for renewal early next year. And in the process of migrating I'm going to get skills that probably are more in demand right now, namely "migration from vsphere".

    With this latest change to the portal system, all of my links to software, release notes, KBs and things I'd use are now all broken. I might as well start afresh with all of those. 404 Page Not Found.

    I don't have a Site ID so I can't add entitlements to anything and I can't get to the original download pages on VMware anymore.

    I became subscribed to an ESXi community group (at some point in the distant past) and started receiving daily digests of all the posts since the migration. Whatever setting was there in VMware somehow has been changed during migration so I've had to go in and figure out how to unsubscribe from something I was never getting from the first place.

    Now, even security notices are being hidden behind a login screen, seemingly for no good purpose.

    All in all, I am just seeing breakage of previously useful things, carnage of productive resources, pointless inconvenience to me as a tech, and agro for no real purpose other than "Broadcom". The VMware name is now just becoming trash sucked up by an organisation which seems to operate some sort of twisted business model where it looks like they have no qualms about pissing people off and don't see that that their current approach is not going to help them make money and will simply destroy all goodwill.

    Someone needs to tap people at Broadcom on the shoulder and remind them that they bought a business that while certainly needed changes, was worth what they paid for it because some things it did generated money. It makes no business sense at all to crap all over the things that made VMware valuable in the first place - least of all customers.

    1. Anonymous Coward
      Anonymous Coward

      Re: HOWTO: Buy a Business Then Screw Everything Up About It (Including Customers)

      I've just recruited a new cloud engineer to join a small team and he said all of a sudden all the requests for VMware skills dropped to zero, nobody wants VMware skills now. I suspect companies are sticking with the people they have and just not recruiting more, until Broadcom stop rocking the boat. You might even see a drop in the price of VMware skilled professionals.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like