• Reclaiming Control: Digital Sovereignty in 2025

    Sovereignty has mattered since the invention of the nation state—defined by borders, laws, and taxes that apply within and without. While many have tried to define it, the core idea remains: nations or jurisdictions seek to stay in control, usually to the benefit of those within their borders.
    Digital sovereignty is a relatively new concept, also difficult to define but straightforward to understand. Data and applications don’t understand borders unless they are specified in policy terms, as coded into the infrastructure.
    The World Wide Web had no such restrictions at its inception. Communitarian groups such as the Electronic Frontier Foundation, service providers and hyperscalers, non-profits and businesses all embraced a model that suggested data would look after itself.
    But data won’t look after itself, for several reasons. First, data is massively out of control. We generate more of it all the time, and for at least two or three decades (according to historical surveys I’ve run), most organizations haven’t fully understood their data assets. This creates inefficiency and risk—not least, widespread vulnerability to cyberattack.
    Risk is probability times impact—and right now, the probabilities have shot up. Invasions, tariffs, political tensions, and more have brought new urgency. This time last year, the idea of switching off another country’s IT systems was not on the radar. Now we’re seeing it happen—including the U.S. government blocking access to services overseas.
    Digital sovereignty isn’t just a European concern, though it is often framed as such. In South America for example, I am told that sovereignty is leading conversations with hyperscalers; in African countries, it is being stipulated in supplier agreements. Many jurisdictions are watching, assessing, and reviewing their stance on digital sovereignty.
    As the adage goes: a crisis is a problem with no time left to solve it. Digital sovereignty was a problem in waiting—but now it’s urgent. It’s gone from being an abstract ‘right to sovereignty’ to becoming a clear and present issue, in government thinking, corporate risk and how we architect and operate our computer systems.
    What does the digital sovereignty landscape look like today?
    Much has changed since this time last year. Unknowns remain, but much of what was unclear this time last year is now starting to solidify. Terminology is clearer – for example talking about classification and localisation rather than generic concepts.
    We’re seeing a shift from theory to practice. Governments and organizations are putting policies in place that simply didn’t exist before. For example, some countries are seeing “in-country” as a primary goal, whereas others (the UK included) are adopting a risk-based approach based on trusted locales.
    We’re also seeing a shift in risk priorities. From a risk standpoint, the classic triad of confidentiality, integrity, and availability is at the heart of the digital sovereignty conversation. Historically, the focus has been much more on confidentiality, driven by concerns about the US Cloud Act: essentially, can foreign governments see my data?
    This year however, availability is rising in prominence, due to geopolitics and very real concerns about data accessibility in third countries. Integrity is being talked about less from a sovereignty perspective, but is no less important as a cybercrime target—ransomware and fraud being two clear and present risks.
    Thinking more broadly, digital sovereignty is not just about data, or even intellectual property, but also the brain drain. Countries don’t want all their brightest young technologists leaving university only to end up in California or some other, more attractive country. They want to keep talent at home and innovate locally, to the benefit of their own GDP.
    How Are Cloud Providers Responding?
    Hyperscalers are playing catch-up, still looking for ways to satisfy the letter of the law whilst ignoring (in the French sense) its spirit. It’s not enough for Microsoft or AWS to say they will do everything they can to protect a jurisdiction’s data, if they are already legally obliged to do the opposite. Legislation, in this case US legislation, calls the shots—and we all know just how fragile this is right now.
    We see hyperscaler progress where they offer technology to be locally managed by a third party, rather than themselves. For example, Google’s partnership with Thales, or Microsoft with Orange, both in France (Microsoft has similar in Germany). However, these are point solutions, not part of a general standard. Meanwhile, AWS’ recent announcement about creating a local entity doesn’t solve for the problem of US over-reach, which remains a core issue.
    Non-hyperscaler providers and software vendors have an increasingly significant play: Oracle and HPE offer solutions that can be deployed and managed locally for example; Broadcom/VMware and Red Hat provide technologies that locally situated, private cloud providers can host. Digital sovereignty is thus a catalyst for a redistribution of “cloud spend” across a broader pool of players.
    What Can Enterprise Organizations Do About It?
    First, see digital sovereignty as a core element of data and application strategy. For a nation, sovereignty means having solid borders, control over IP, GDP, and so on. That’s the goal for corporations as well—control, self-determination, and resilience.
    If sovereignty isn’t seen as an element of strategy, it gets pushed down into the implementation layer, leading to inefficient architectures and duplicated effort. Far better to decide up front what data, applications and processes need to be treated as sovereign, and to define an architecture to support that.
    This sets the scene for making informed provisioning decisions. Your organization may have made some big bets on key vendors or hyperscalers, but multi-platform thinking increasingly dominates: multiple public and private cloud providers, with integrated operations and management. Sovereign cloud becomes one element of a well-structured multi-platform architecture.
    It is not cost-neutral to deliver on sovereignty, but the overall business value should be tangible. A sovereignty initiative should bring clear advantages, not just for itself, but through the benefits that come with better control, visibility, and efficiency.
    Knowing where your data is, understanding which data matters, managing it efficiently so you’re not duplicating or fragmenting it across systems—these are valuable outcomes. In addition, ignoring these questions can lead to non-compliance or be outright illegal. Even if we don’t use terms like ‘sovereignty’, organizations need a handle on their information estate.
    Organizations shouldn’t be thinking everything cloud-based needs to be sovereign, but should be building strategies and policies based on data classification, prioritization and risk. Build that picture and you can solve for the highest-priority items first—the data with the strongest classification and greatest risk. That process alone takes care of 80–90% of the problem space, avoiding making sovereignty another problem whilst solving nothing.
    Where to start? Look after your own organization first
    Sovereignty and systems thinking go hand in hand: it’s all about scope. In enterprise architecture or business design, the biggest mistake is boiling the ocean—trying to solve everything at once.
    Instead, focus on your own sovereignty. Worry about your own organization, your own jurisdiction. Know where your own borders are. Understand who your customers are, and what their requirements are. For example, if you’re a manufacturer selling into specific countries—what do those countries require? Solve for that, not for everything else. Don’t try to plan for every possible future scenario.
    Focus on what you have, what you’re responsible for, and what you need to address right now. Classify and prioritise your data assets based on real-world risk. Do that, and you’re already more than halfway toward solving digital sovereignty—with all the efficiency, control, and compliance benefits that come with it.
    Digital sovereignty isn’t just regulatory, but strategic. Organizations that act now can reduce risk, improve operational clarity, and prepare for a future based on trust, compliance, and resilience.
    The post Reclaiming Control: Digital Sovereignty in 2025 appeared first on Gigaom.
  • What VMware’s licensing crackdown reveals about control and risk 

    Over the past few weeks, VMware customers holding onto their perpetual licenses, which are often unsupported and in limbo, have reportedly begun receiving formal cease-and-desist letters from Broadcom. The message is as blunt as it is unsettling: your support contract has expired, and you are to immediately uninstall any updates, patches, or enhancements released since that expiration date. Not only that, but audits could follow, with the possibility of “enhanced damages” for breach of contract.
    This is a sharp escalation in an effort to push perpetual license holders toward VMware’s new subscription-only model. For many, it signals the end of an era where critical infrastructure software could be owned, maintained, and supported on long-term, stable terms.
    Now, even those who bought VMware licenses outright are being told that support access is off the table unless they sign on to the new subscription regime. As a result, enterprises are being forced to make tough decisions about how they manage and support one of the most foundational layers of their IT environments.

    VMware isn’t just another piece of enterprise software. It’s the plumbing. The foundation. The layer everything else runs on top of, which is precisely why many CIOs flinch at the idea of running unsupported. The potential risk is too great. A vulnerability or failure in your virtual infrastructure isn’t the same as a bug in a CRM. It’s a systemic weakness. It touches everything.
    This technical risk is, without question, the biggest barrier to any organization considering support options outside of VMware’s official offering. And it’s a valid concern.  But technical risk isn’t black and white. It varies widely depending on version, deployment model, network architecture, and operational maturity. A tightly managed and stable VMware environment running a mature release with minimal exposure doesn’t carry the same risk profile as an open, multi-tenant deployment on a newer build.

    The prevailing assumption is that support equals security—and that operating unsupported equals exposure. But this relationship is more complex than it appears. In most enterprise environments, security is not determined by whether a patch is available. It’s determined by how well the environment is configured, managed, and monitored.
    Patches are not applied instantly. Risk assessments, integration testing, and change control processes introduce natural delays. And in many cases, security gaps arise not from missing patches but from misconfigurations: exposed management interfaces, weak credentials, overly permissive access. An unpatched environment, properly maintained and reviewed, can be significantly more secure than a patched one with poor hygiene. Support models that focus on proactive security—through vulnerability analysis, environment-specific impact assessments, and mitigation strategies—offer a different but equally valid form of protection. They don’t rely on patch delivery alone. They consider how a vulnerability behaves in the attack chain, whether it’s exploitable, and what compensating controls are available. 

    This kind of tailored risk management is especially important now, as vendor support for older VMware versions diminishes. Many reported vulnerabilities relate to newer product components or bundled services, not the core virtualization stack. The perception of rising security risk needs to be balanced against the stability and maturity of the versions in question. In other words, not all unsupported deployments are created equal.

    Some VMware environments—particularly older versions like vSphere 5.x or 6.x—are already beyond the range of vendor patching. In these cases, the transition to unsupported status may be more symbolic than substantive. The risk profile has not meaningfully changed.  Others, particularly organisations operating vSphere 7 or 8 without an active support contract, face a more complex challenge. Some critical security patches remain accessible, depending on severity and version, but the margin of certainty is shrinking.  
    These are the cases where enterprises are increasingly turning to alternative support models to bridge the gap—ensuring continuity, maintaining compliance, and retaining access to skilled technical expertise.

    Third-party support is sometimes seen as a temporary fix—a way to buy time while organizations figure out their long-term plans. And it can serve that purpose well. But increasingly, it’s also being recognized as a strategic choice in its own right: a long-term solution for enterprises that want to maintain operational stability with a reliable support partner while retaining control over their virtualization roadmap. What distinguishes third-party support in this context isn’t just cost control, it’s methodology.
    Risk is assessed holistically, identifying which vulnerabilities truly matter, what can be addressed through configuration, and when escalation is genuinely required. This approach recognises that most enterprises aren’t chasing bleeding-edge features. They want to run stable, well-understood environments that don’t change unpredictably. Third-party support helps them do exactly that, without being forced into a rapid, costly migration or a subscription contract that may not align with their business needs. 
    Crucially, it enables organisations to move on their own timeline.
    Much of the conversation around unsupported VMware environments focuses on technical risk. But the longer-term threat may be strategic. The end of perpetual licensing, the sharp rise in subscription pricing, and now the legal enforcement of support boundaries all point to a much bigger problem: a loss of control over infrastructure strategy.
    Vendor-imposed timelines, licensing models, and audit policies are increasingly dictating how organizations use the very software they once owned outright. Third-party support doesn’t eliminate risk—nothing can. But it redistributes and controls it. It gives enterprises more agency over when and how they migrate, how they manage updates, and where they invest. In a landscape shaped by vendor agendas, that independence is increasingly critical. 
    Broadcom’s cease-and-desist letters represent a new phase in the relationship between software vendors and customers—one defined not by collaboration, but by contractual enforcement. And for VMware customers still clinging to the idea of “owning” their infrastructure, it’s a rude awakening: support is no longer optional, and perpetual is no longer forever. Organizations now face three paths: accept the subscription model, attempt a rapid migration to an alternative platform, or find a support model that gives them the stability to decide their future on their own terms. 
    For many, the third option is the only one that balances operational security with strategic flexibility. 
    The question now isn’t whether unsupported infrastructure is risky. The question is whether the greater risk is allowing someone else to dictate what happens next. 
    WWW.COMPUTERWEEKLY.COM
  • Broadcom could face EU antitrust fines over 'punitive' VMware contract terms

    Editor's take: Broadcom aims to convert every valuable customer into a recurring online subscriber. The company has achieved notable financial success with this approach. However, regulators may soon scrutinize its business practices, raising the possibility of costly antitrust fines that could impact its future growth.
    The European Cloud Competition Observatory (ECCO) is a monitoring group founded by CISPE, a non-profit trade association of European cloud providers. Created as part of CISPE's antitrust settlement with Microsoft, ECCO now has its sights set on Broadcom and its conduct following the acquisition of VMware and its entry into the cloud and virtualization market.
    The observatory recently published a new report following an earlier study of Broadcom's abrupt licensing changes. The findings confirmed the ECCO's previous claims: Broadcom continues to impose harsh, unfair contract terms on European infrastructure providers. Many CISPE members reluctantly accepted the terms, forced by the lack of viable alternatives to VMware.
    The situation has worsened as Broadcom increasingly uses litigation to pressure its partners and customers into signing new agreements. Recently leaked memos reveal the company is sending cease-and-desist letters to VMware perpetual license holders. These letters reportedly demand that recipients pay for continued support or face legal consequences.

    Representatives from CISPE held one meeting with Broadcom, but ECCO reports it yielded no progress. The organization highlights a recent formal complaint submitted by VOICE, a German IT association, to the European Commission. VOICE called for an antitrust investigation and more decisive action against Broadcom's harmful practices, with ECCO lending its support.
    The European watchdog group claims Broadcom has done nothing to address complaints from European cloud providers.
    "Unlike Microsoft, Broadcom shows no interest in finding solutions or collaborating with European cloud infrastructure providers," CISPE secretary Francisco Mingorance said.
    The company can boast about its new contracts and financial results all it wants, but these punitive conditions will ultimately threaten the viability of the locked-in VMware ecosystem.
    The ECCO welcomed Brussels authorities' formal antitrust investigation and urged Broadcom to take immediate corrective steps. These include restoring fair business practices, introducing transparent pricing, reopening access to partner programs, and protecting customer privacy. While Broadcom is unlikely to comply, a spokesperson said the company seeks a constructive dialogue with CISPE to support European competitiveness.
    WWW.TECHSPOT.COM
  • Microsoft fixes Account manager, improves activation and Widgets in build 26120.4161


    Sayan Sen (@ssc_combater007), Neowin · May 23, 2025 14:04 EDT

    Microsoft has released a new Windows 11 build for Insiders flighting the Beta Channel. The latest build, 26120.4161 (KB5058515), is introducing some new features and improvements.
    First, the company is working on a new "Draft with Copilot in Word" Click to Do option. Essentially, Copilot will do the brainstorming for you when you are trying to quickly draft something up. Microsoft says it will begin rolling out "over the course of the coming weeks," but it will not be free and will require a Microsoft 365 Copilot subscription.

    With the latest build, Microsoft is also improving Widgets, which will now have multiple dashboards. If you don't like them already, this change will not change your mind; however, those who find widgets helpful and useful will likely enjoy the new additional boards.
    In addition, more options for the lock screen are also rolling out so that users can have more control over what widgets appear there.
    The new migration app that we reported on recently is also landing with this build. You can read this article to learn some of the details.
    The activation dialog box for the Windows 11 product key is finally getting the Windows 11 visual style treatment to improve the consistency of the UI. Microsoft has made changes like these in the past, but they were not quite up to the overall aesthetics of the OS.
    Finally, a new "Open with" dialog is being tested that will recommend Microsoft Store apps when you try opening a file.

    Aside from these new feature additions, Microsoft is also making several subtle improvements across many of the other elements, such as an inconvenience with Account Manager sign-in, Task Manager CPU reading issues, and more.
    The known issues are given below:
      • After you do a PC reset under Settings > System > Recovery, your build version may incorrectly show as Build 26100 instead of Build 26120. This will not prevent you from getting future Beta Channel updates, which will resolve this issue.
      • The option to reset your PC under Settings > System > Recovery will not work on this build.
      • Starting in the last flight, when Virtualization Based Security is enabled, applications dependent on virtualization, such as VMware Workstation, lose the ability to run unless the “Windows Hypervisor Platform” Windows optional component is installed on the system. Previously, installing the optional component was not required.
      • Some Insiders are experiencing an issue where using their Xbox Controller via Bluetooth is causing their PC to bugcheck. Here is how to resolve the issue. Open Device Manager by searching for it via the search box on your taskbar. Once Device Manager is open, click on “View” and then “Devices by Driver”. Find the driver named “oemXXX.inf” where the “XXX” will be a specific number on your PC. Right-click on that driver and click “Uninstall”.

    The following known issues will be fixed in future updates to Windows Insiders:
      • Windows Insiders on AMD or Intel™-powered Copilot+ PCs may experience long wait times on the first attempt to perform intelligent text actions in Click to Do after a new build or model update.
      • For improved Windows Search on Copilot+ PCs, it is recommended that you plug in your Copilot+ PC for the initial search indexing to get completed. You can check your search indexing status under Settings > Privacy & security > Searching Windows.
      • In some cases, taskbar icons may appear small even though the setting to show smaller taskbar buttons is configured as “never”.

    The following are known issues for AI actions in File Explorer:
      • Narrator scan mode may not work properly in the action result canvas window for the Summarize AI action for Microsoft 365 files when reading bulleted lists. As a workaround, you can use Caps + Right key to navigate.
      • When your Windows display language is configured with a right-to-left language, the action result canvas displays text from left to right for AI actions for Microsoft 365 files.
      • Until we complete support for pinning in the new widgets board experience, pinning reverts you back to the previous experience.

    You can find the blog post for build 26120.4161 here on Microsoft's official website.

    WWW.NEOWIN.NET
  • Broadcom has allegedly hiked VMware costs between 800 and 1,500%

    The European Cloud Competition Observatory has issued its second damning report against Broadcom, relating to VMware pricing.
    WWW.TECHRADAR.COM
  • Hacking contest exposes VMware security

    In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor

    By Cliff Saran, Managing Editor
    Published: 20 May 2025 16:30

    The cyber security team at Broadcom has acknowledged that during the Pwn2Own hacking contest in Berlin in March, there were three successful attacks on the VMware hypervisor. 
    On March 16, Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi. “This is the first time VMware ESXi was exploited in the Pwn2Own hacking event,” Praveen Singh and Monty Ijzerman, from the product security and incident response team in the VMware Cloud Foundation division of Broadcom, wrote on the company’s website. 
    This is something that has not been achieved before, according to a LinkedIn post by Bob Carver, CEO of Cybersecurity Boardroom.
    “This was the first time in Pwn2Own’s history, stretching back to 2007, that the hypervisor has been successfully exploited,” he wrote, adding that the hacker was able to deploy a single integer overflow exploit.
    Singh and Ijzerman also noted that on 17 March, Corentin Bayet, chief technology officer of Reverse Tactics, successfully exploited ESXi by chaining two vulnerabilities. According to Singh and Ijzerman, one of the vulnerabilities used in the exploit was already known.
    The third successful attack, also on 17 March, was run by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who managed to successfully exploit VMware Workstation.
    Singh and Ijzerman said the team at Broadcom were actively working on the remediation. “We plan to publish a VMware Security Advisory to provide information on updates for the affected products,” they said.

    While Broadcom has so far committed to providing patches for zero-day exploits, its current strategy to move customers onto VMware Cloud Foundation subscription bundles may leave some VMware users with gaps in their security, especially if their support contract is up for renewal.
    As Computer Weekly reported earlier this month, Broadcom informed customers it would no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support would only continue for those that moved to a VMware subscription.
    On 12 May, Broadcom issued a critical security advisory, CVE-2025-22249, which affects the Aria toolset. The Cybersecurity Centre for Belgium said that given the vulnerability requires user interaction, it could be exploited through a phishing attack if a VMware admin clicked on a malicious URL link.
    “If the user is logged in to their VMware Aria Automation account, the threat actor could gain full control of their account and perform any actions the user has the rights to perform. The vulnerability has a severe impact to the confidentiality and low impact to the integrity of the affected systems,” it warned, urging VMware users to “patch immediately”.
    Broadcom has issued patches for VMware Aria Automation 8.18.x and version 5.x and 4.x of VMware Cloud Foundation, but it has not provided any workarounds, which means those users running an older version of the tool remain at risk.
    There are a number of reports that many VMware customers have been sent cease-and-desist emails from Broadcom regarding their perpetual VMware licenses, which demand removal of patches and bug fixes that they may have installed.
    Details of the successful exploits of the VMware hypervisor have yet to be published, the patches are not yet available, and questions remain as to how widely these will be distributed.

    WWW.COMPUTERWEEKLY.COM
  • RVTools Official Site Hacked to Deliver Bumblebee Malware via Trojanized Installer

    May 19, 2025Ravie LakshmananMalware / Supply Chain Attack

    The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility.
    "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website.
    "Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources."

    The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website was being used to sideload a malicious DLL that turned out to be a known malware loader called Bumblebee.
    It's currently not known how long the trojanized version of RVTools had been available for download and how many had installed it before the site was taken offline.
    In the interim, users are recommended to verify the installer's hash and review any execution of version.dll from user directories.
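    The two interim checks recommended above, sketched as an added example (not code from the article, the researcher or the vendor). It assumes the expected SHA-256 was obtained out of band and that DLL loads are available as Sysmon Event ID 7 (ImageLoad) records; the sample events and all paths in them are constructed.

```python
import hashlib
import ntpath


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_hash_ok(path, expected_sha256):
    """Compare the installer against a hash obtained out of band.

    A hash read from the same site that served the download proves nothing
    if that site was compromised, so take it from a separate trusted record
    (for example an internal allowlist built before the incident).
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected_sha256 must be 64 hex characters")
    return sha256_file(path) == expected


def is_user_directory(path):
    """True when a Windows path resolves to somewhere under <drive>:\\Users\\."""
    normalized = ntpath.normcase(ntpath.normpath(path))
    _drive, rest = ntpath.splitdrive(normalized)
    return rest.startswith("\\users\\")


def version_dll_loads_from_user_dirs(events):
    """Return ImageLoad events where version.dll was loaded from a user directory.

    The legitimate copy lives under the Windows system directories, so a copy
    loaded from a user profile next to an installer is the sideloading pattern
    worth reviewing.
    """
    hits = []
    for event in events:
        if event.get("EventID") != 7:  # Sysmon ImageLoad only
            continue
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(ntpath.normcase(loaded)) != "version.dll":
            continue
        if is_user_directory(loaded):
            hits.append(event)
    return hits


# Constructed sample records using Sysmon's field names; none come from the incident.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\extracted\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\extracted\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"c:\USERS\bob\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"c:\USERS\bob\AppData\Local\Temp\VERSION.DLL", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\ExampleApp\helper.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\extracted\setup.exe"},
]

if __name__ == "__main__":
    for hit in version_dll_loads_from_user_dirs(SAMPLE_EVENTS):
        print(f"review: {hit['Image']} loaded {hit['ImageLoaded']} (signed={hit['Signed']})")
```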
    The disclosure comes as it emerged that the official software supplied with Procolored printers included a Delphi-based backdoor called XRed and a clipper malware dubbed SnipVex that's capable of substituting wallet addresses in the clipboard with a hard-coded address.
    Details of the malicious activity were first discovered by Cameron Coward, who is behind the YouTube channel Serial Hobbyism.
    XRed, believed to be active since at least 2019, comes with features to collect system information, log keystrokes, propagate via connected USB drives, and execute commands sent from an attacker-controlled server to capture screenshots, enumerate file systems and directories, download files, and delete files from the system.
    "[SnipVex] searches the clipboard for content that resembles a BTC address and replaces it with the attacker's address, such that cryptocurrency transactions will be diverted to the attacker," G DATA researcher Karsten Hahn, who further investigated the incident, said.

    But in an interesting twist, the malware infects .EXE files with the clipper functionality and makes use of an infection marker sequence – 0x0A 0x0B 0x0C – at the end to avoid re-infecting the files a second time. The wallet address in question has received 9.30857859 BTC (about $974,000) to date.
    Procolored has since acknowledged that the software packages were uploaded to the Mega file hosting service in October 2024 via USB drives and that the malware may have been introduced during this process. Software downloads are currently only available for F13 Pro, VF13 Pro, and V11 Pro products.
    "The malware's command-and-control server has been offline since February 2024," Hahn noted. "So it is not possible that XRed established a successful remote connection after that date. The accompanying clipbanker virus SnipVex is still a serious threat. Although transactions to the BTC address stopped on March 3, 2024, the file infection itself damages systems."
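    Because the file infection outlives the command-and-control server, the infection marker described above can serve as a triage filter. The following is an added example, not code from G DATA or the article; it assumes "at the end" means the last three bytes of the file, and a hit is only a lead for further analysis, since three bytes can occur by coincidence.

```python
import os
import struct

# Infection marker sequence quoted in the article.
MARKER = bytes([0x0A, 0x0B, 0x0C])


def looks_like_pe(fh, size):
    """Check the DOS 'MZ' header and the 'PE\\0\\0' signature it points to."""
    if size < 0x40:  # too small to hold a DOS header
        return False
    fh.seek(0)
    if fh.read(2) != b"MZ":
        return False
    fh.seek(0x3C)  # e_lfanew: file offset of the PE signature
    (e_lfanew,) = struct.unpack("<I", fh.read(4))
    if e_lfanew + 4 > size:
        return False
    fh.seek(e_lfanew)
    return fh.read(4) == b"PE\x00\x00"


def has_trailing_marker(path):
    """True when a PE file ends with the marker (assumption: last 3 bytes)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        if not looks_like_pe(fh, size):
            return False
        fh.seek(-len(MARKER), os.SEEK_END)
        return fh.read(len(MARKER)) == MARKER


def scan_tree(root):
    """Walk a directory tree and list .exe files that carry the trailing marker."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if has_trailing_marker(full):
                    hits.append(full)
            except OSError:
                # Locked or unreadable file: skip it rather than abort the sweep.
                continue
    return sorted(hits)


if __name__ == "__main__":
    import sys

    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("marker present:", hit)
```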

    THEHACKERNEWS.COM
CGShares https://cgshares.com