Levi Broderick
LightNews LightNews
banner
grabyourpitchforks.bsky.social
Levi Broderick
@grabyourpitchforks.bsky.social
590 followers 330 following 430 posts
Your friendly neighborhood security otter. Part of Microsoft's .NET team. Personal account, not speaking for my employer. 🔥🦦🛡️🔥 -- he/him
Posts Media Videos Starter Packs
Reposted by Levi Broderick
ericlippert.com
Eric Lippert @ericlippert.com · 1d
I'm writing another book, and the first few chapters are available through Manning Early Access now! For 50% off!

hubs.la/Q03Q9PGP0

More details, and the story of how I came to write it, are on my blog at

ericlippert.com/2025/10/30/i...

It feels great to be writing again after a long break. :)
Fabulous Adventures in Data Structures and Algorithms - Eric Lippert
Author Eric Lippert introduces fabulous solutions using uncommon algorithms and data structures. There’s a lot more to algorithms than the useful-but-boring recipes you recite for every interview. Th...
hubs.la
4 12 34
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 1d
Vote by mail continues to be a glorious thing. :)
Text message from from my local election board confirming that my ballot has been received and authenticated.
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 1d
Funny. After reading that chart, I have a hankering for some beignets. 🥺
1 1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 5d
Me, a consummate intellectual: "It is so convenient to schedule the entire household to get vaccinated at the same time!"

Nature: *gleefully rubbing hands together* "Muahahahaha! You fool!"
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 13d
Apropos of nothing, my fellow Washingtonians, there's an election coming up in a few weeks! We even have same-day registration, but it's far more convenient if you register in advance.

(They mail ballots! To your home! Return postage prepaid! How awesome is that?!)
Elections | WA Secretary of State
www.sos.wa.gov
2
Reposted by Levi Broderick
davepell.bsky.social
Dave Pell @davepell.bsky.social · 13d
Thank you Ron Conway for standing up for what's right and thank you Marc Benioff for listening.

www.sfchronicle.com/politics/art...
Amid criticism, Benioff apologizes, reverses course on National Guard
After strong backlash to his embrace of Trump and a week of blistering criticism, the Salesforce CEO has changed course.
www.sfchronicle.com
5 16
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 13d
We've looked into making System.Random be backed by a true CSPRNG, but it's impractical for a variety of reasons. One fatal flaw (among many) is that the Random class uses floating point in all its abstractions, which means any call to Next(...) has inherent bias, regardless of PRNG used.
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 13d
That said, it's not a huge issue, but people look to Microsoft's docs for best practice and the docs really should be held to a gold standard.
2 3
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 13d
It's not a CSPRNG. We issued a CVE (the number escapes me right now and I don't have email access) for System.Web some months ago due to this exact issue: use of System.Random rather than a true CSPRNG for entropy generation.
1 2
Reposted by Levi Broderick
blowdart.me
Barry Dorrans @blowdart.me · 17d
It's Patch Tuesday and ASP.NET Core has a doozy, with a CVSS score of 9.9, our highest ever. Let's examine why.

The bug enables http request smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things...

* Thread- (1/7)
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability · Issue #371 · dotnet/announcements
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability i...
github.com
6 43 51
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 16d
I wonder how you'd even begin to balance these. The satisfaction of knowing you can make a lasting impact vs the stress of needing to manage all of this responsibly.
1 1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 21d
Wonderful news! Congrats to you both :)
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · 29d
Good news! You don't need AI for this. You just need a sufficiently low resolution floating point data type. :)
1 2
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 29
Bonus slide!
Scaling PiP Selection with Automation to Support HR Managers Automated PiP selection handles vast data, reducing manual effort significantly. Saves HR managers time by quickly identifying employees needing intervention. Enables evaluation of tens of thousands of individual contributors efficiently. Improves consistency and fairness by minimizing human bias in selection. Companies like UiPath and Blue Prism leverage automation for large-scale HR processes.
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 29
"Vibe working" a PowerPoint deck is fun! I had it generate a deck extolling the virtues of using Vibe HR to identify low-impact / low-engagement employees as layoff targets. (Note: Copilot forbids "layoff" as a dirty word, so I had to use "PiP" instead.)
Title slide: Leveraging Vibe HR to Identify and Support Low-Impact or Low-Engagement Employees for Performance Improvement Plans (PiP) Slide: Utilizing Vibe HR Dashboards for Tracking Performance Slide: Process for Selecting Employees for Performance Improvement Plans (PiP) Slide: Monitoring Progress with Vibe HR Tools
1 7
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 25
And Barry hasn't trolled you yet by throwing one onto your calendar? He's slacking today.
1 2
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 23
Congrats on your pending rapture! 🥳
1 1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 23
a video game scene with a sign that says " fleur "
Alt: Welcome to Rapture (Bioshock)
media.tenor.com
1
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 22
Ask one of us obviously-going-to-be-left-behind degenerates to badge you in every day after you've been raptured.
1 3
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 17
Take any dotnet program, for instance, drop .config files into the app directory, and watch the fireworks happen. Config files are executable equivalents in the dotnet world. Trusted .exe + malicious .config = attacker code running, and it even passes all the Authenticode checks!
2
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 17
I mean, it's kinda dangerous for there to be a free-for-all downloads folder in general. Most apps' threat models assumes the program folder (not cwd, but where the exe is located) is fully trusted. Browsers really should put downloads into dedicated subfolders.
2
Reposted by Levi Broderick
doublepulsar.com
Kevin Beaumont @doublepulsar.com · Sep 15
New by me:

A look into UK orgs outsourcing critical business and cyber functions to low cost providers and the fall out. I'll probably get in trouble for writing this one.

doublepulsar.com/the-elephant...
The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic…
Recently, there’s been three major UK ransomware and/or extortion incidents at three big UK companies — Co-op Group, Marks and Spencer and…
doublepulsar.com
7 37 99
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 15
@blowdart.me I think we should update .NET's envvar naming guidelines.
leak.bsky.social Lea Kissner @leak.bsky.social · Sep 15
TIL that setting LESSSECURE makes you more secure
Man page for the less command, telling you that the flag LESSSECURE puts the less command in secure mode
2 5
grabyourpitchforks.bsky.social
Levi Broderick @grabyourpitchforks.bsky.social · Sep 15
"In all honesty, you're probably the reason he's dead. Your code sent him to an early grave. Marvelously done."
1