Levi Broderick

@grabyourpitchforks.bsky.social

Your friendly neighborhood security otter. Part of Microsoft's .NET team. Personal account, not speaking for my employer. 🔥🦦🛡️🔥 -- he/him

593 Followers  |  330 Following  |  425 Posts  |  Joined: 08.11.2024  |  2.266

Latest posts by grabyourpitchforks.bsky.social on Bluesky

Fabulous Adventures in Data Structures and Algorithms - Eric Lippert Author Eric Lippert introduces fabulous solutions using uncommon algorithms and data structures. There’s a lot more to algorithms than the useful-but-boring recipes you recite for every interview. Th...

I'm writing another book, and the first few chapters are available through Manning Early Access now! For 50% off!

hubs.la/Q03Q9PGP0

More details, and the story of how I came to write it, are on my blog at

ericlippert.com/2025/10/30/i...

It feels great to be writing again after a long break. :)

30.10.2025 16:39 — 👍 38    🔁 15    💬 4    📌 0

Text message from my local election board confirming that my ballot has been received and authenticated.

Vote by mail continues to be a glorious thing. :)

30.10.2025 15:56 — 👍 1    🔁 0    💬 0    📌 0

Funny. After reading that chart, I have a hankering for some beignets. 🥺

30.10.2025 15:49 — 👍 1    🔁 0    💬 1    📌 0

Me, a consummate intellectual: "It is so convenient to schedule the entire household to get vaccinated at the same time!"

Nature: *gleefully rubbing hands together* "Muahahahaha! You fool!"

25.10.2025 22:49 — 👍 0    🔁 0    💬 1    📌 0
Elections | WA Secretary of State

Apropos of nothing, my fellow Washingtonians, there's an election coming up in a few weeks! We even have same-day registration, but it's far more convenient if you register in advance.

(They mail ballots! To your home! Return postage prepaid! How awesome is that?!)

18.10.2025 16:51 — 👍 2    🔁 0    💬 0    📌 0
Amid criticism, Benioff apologizes, reverses course on National Guard After strong backlash to his embrace of Trump and a week of blistering criticism, the Salesforce CEO has changed course.

Thank you Ron Conway for standing up for what's right and thank you Marc Benioff for listening.

www.sfchronicle.com/politics/art...

17.10.2025 21:31 — 👍 16    🔁 5    💬 0    📌 0

We've looked into making System.Random be backed by a true CSPRNG, but it's impractical for a variety of reasons. One fatal flaw (among many) is that the Random class uses floating point in all its abstractions, which means any call to Next(...) has inherent bias, regardless of PRNG used.

17.10.2025 21:38 — 👍 1    🔁 0    💬 0    📌 0
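The bias described in the post above, modelled in Python as an added example (this is not .NET's System.Random implementation and not code from the post): a uniform k-bit raw sample is mapped to a float in [0,1) and scaled to n buckets, so the 2^k equally likely values cannot be split evenly unless n divides 2^k, whatever PRNG produced them. The scale-and-floor mapping and the 16-bit sample width are assumptions chosen so the whole sample space can be enumerated; the rejection-sampling routine shows the bias-free alternative a CSPRNG-backed bounded generator relies on.

```python
"""Why 'raw sample -> unit-interval float -> scale to n' is inherently biased.

Constructed illustration: a uniform k-bit integer stands in for PRNG output.
floor(sample / 2**k * n) partitions 2**k equally likely values into n buckets,
which is only fair when n divides 2**k. The pigeonhole argument holds for any
k (including a 53-bit double mantissa) and for any quality of underlying PRNG.
"""
from __future__ import annotations

import secrets
from typing import Callable


def scaled_bucket(sample: int, sample_bits: int, n: int) -> int:
    """Hypothetical scale-and-floor mapping (a model, not any library's code)."""
    unit = sample / (1 << sample_bits)  # exact: sample fits in a double
    return int(unit * n)                 # exact for the small k and n used here


def bucket_histogram(sample_bits: int, n: int) -> list[int]:
    """Exhaustively count how many raw samples land in each of the n buckets."""
    counts = [0] * n
    for s in range(1 << sample_bits):
        counts[scaled_bucket(s, sample_bits, n)] += 1
    return counts


def max_bias(sample_bits: int, n: int) -> int:
    """Gap between the most and least populated buckets (0 means fair)."""
    counts = bucket_histogram(sample_bits, n)
    return max(counts) - min(counts)


def unbiased_below(n: int, sample_bits: int = 16,
                   rng: Callable[[int], int] = secrets.randbits) -> int:
    """Rejection sampling: discard raw values at or above the largest multiple
    of n that fits, so every residue class is hit by the same number of raw
    values. The default rng is the OS CSPRNG via the secrets module."""
    span = 1 << sample_bits
    limit = span - (span % n)
    while True:
        s = rng(sample_bits)
        if s < limit:
            return s % n


if __name__ == "__main__":
    for n in (3, 4, 10):
        print(f"16-bit samples into {n} buckets: max bias {max_bias(16, n)}")
    print("rejection-sampled value below 10:", unbiased_below(10))
```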

That said, it's not a huge issue, but people look to Microsoft's docs for best practice and the docs really should be held to a gold standard.

17.10.2025 21:35 — 👍 3    🔁 0    💬 2    📌 0

It's not a CSPRNG. We issued a CVE (the number escapes me right now and I don't have email access) for System.Web some months ago due to this exact issue: use of System.Random rather than a true CSPRNG for entropy generation.

17.10.2025 21:34 — 👍 2    🔁 0    💬 1    📌 0
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability · Issue #371 · dotnet/announcements Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability i...

It's Patch Tuesday and ASP.NET Core has a doozy, with a CVSS score of 9.9, our highest ever. Let's examine why.

The bug enables http request smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things...

* Thread- (1/7)

14.10.2025 18:01 — 👍 51    🔁 43    💬 6    📌 2

I wonder how you'd even begin to balance these. The satisfaction of knowing you can make a lasting impact vs the stress of needing to manage all of this responsibly.

14.10.2025 22:48 — 👍 1    🔁 0    💬 1    📌 0

Wonderful news! Congrats to you both :)

10.10.2025 06:41 — 👍 1    🔁 0    💬 0    📌 0

Good news! You don't need AI for this. You just need a sufficiently low resolution floating point data type. :)

01.10.2025 19:06 — 👍 2    🔁 0    💬 1    📌 0
Scaling PiP Selection with Automation to Support HR Managers

Automated PiP selection handles vast data, reducing manual effort significantly.
Saves HR managers time by quickly identifying employees needing intervention.
Enables evaluation of tens of thousands of individual contributors efficiently.
Improves consistency and fairness by minimizing human bias in selection.
Companies like UiPath and Blue Prism leverage automation for large-scale HR processes.

Bonus slide!

29.09.2025 15:45 — 👍 1    🔁 0    💬 0    📌 0
Title slide: Leveraging Vibe HR to Identify and Support Low-Impact or Low-Engagement Employees for Performance Improvement Plans (PiP)

Slide: Utilizing Vibe HR Dashboards for Tracking Performance

Slide: Process for Selecting Employees for Performance Improvement Plans (PiP)

Slide: Monitoring Progress with Vibe HR Tools

"Vibe working" a PowerPoint deck is fun! I had it generate a deck extolling the virtues of using Vibe HR to identify low-impact / low-engagement employees as layoff targets. (Note: Copilot forbids "layoff" as a dirty word, so I had to use "PiP" instead.)

29.09.2025 15:37 — 👍 7    🔁 0    💬 1    📌 0

And Barry hasn't trolled you yet by throwing one onto your calendar? He's slacking today.

25.09.2025 18:32 — 👍 2    🔁 0    💬 1    📌 0

Congrats on your pending rapture! 🥳

23.09.2025 15:43 — 👍 1    🔁 0    💬 1    📌 0
a video game scene with a sign that says " fleur " Alt: Welcome to Rapture (Bioshock)
23.09.2025 14:59 — 👍 1    🔁 0    💬 0    📌 0

Ask one of us obviously-going-to-be-left-behind degenerates to badge you in every day after you've been raptured.

22.09.2025 16:05 — 👍 3    🔁 0    💬 1    📌 0

Take any dotnet program, for instance, drop .config files into the app directory, and watch the fireworks happen. Config files are executable equivalents in the dotnet world. Trusted .exe + malicious .config = attacker code running, and it even passes all the Authenticode checks!

17.09.2025 23:40 — 👍 2    🔁 0    💬 0    📌 0

I mean, it's kinda dangerous for there to be a free-for-all downloads folder in general. Most apps' threat models assumes the program folder (not cwd, but where the exe is located) is fully trusted. Browsers really should put downloads into dedicated subfolders.

17.09.2025 23:39 — 👍 0    🔁 0    💬 2    📌 0
The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic… Recently, there’s been three major UK ransomware and/or extortion incidents at three big UK companies — Co-op Group, Marks and Spencer and…

New by me:

A look into UK orgs outsourcing critical business and cyber functions to low cost providers and the fall out. I'll probably get in trouble for writing this one.

doublepulsar.com/the-elephant...

15.09.2025 20:29 — 👍 99    🔁 37    💬 7    📌 7

@blowdart.me I think we should update .NET's envvar naming guidelines.

15.09.2025 21:38 — 👍 5    🔁 0    💬 2    📌 0

"In all honesty, you're probably the reason he's dead. Your code sent him to an early grave. Marvelously done."

15.09.2025 19:46 — 👍 1    🔁 0    💬 0    📌 0
✈️ Thinking about holiday travel? Make sure your passport is ready! If you live in WA-01, join us in Mill Creek on Oct. 16 for a passport application event.

Register below to renew or apply for a passport at the event.
bit.ly/46gI5w1

15.09.2025 01:05 — 👍 78    🔁 29    💬 5    📌 2

Sadly, this is why I had to turn off the weather widgets in Windows. Because it's now inextricably tied to the news feed, and Bing News headlines some absolute dumpster fire sources. It's a shame. :(

14.09.2025 23:44 — 👍 4    🔁 0    💬 1    📌 0

the actual advances in new iPhone models are often about security (everyone is always trying to make memory allocation more secure and less of an attack surface because memory reuse/corruption attacks are key to a lot of exploits)

09.09.2025 19:32 — 👍 10    🔁 3    💬 2    📌 0

All those Teams virtual meetings taking up too much valuable compute that could otherwise be allotted to Copilot!

09.09.2025 15:22 — 👍 2    🔁 0    💬 0    📌 0

"You can’t be expected to have a successful AI program when every single article, book, or anything else that you’ve read or studied, you're supposed to pay for..."

Looking forward to the rebate check from my university bookstore!

08.09.2025 16:29 — 👍 6    🔁 1    💬 0    📌 0