Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

[...]

In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool that has the stated goal of 'download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.' The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since. On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research.

But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain. If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system.

[...]

As part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

I'm starting to notice spam accounts here — accounts that do nothing but post and crosspost links to low-quality or promotional websites.

My inclination is to simply downvote and report each spam post, but this maybe generates a lot of mod queue activity for community moderators. And when an account is used for nothing but spam, presumably that would be better handled by admins banning the account than by each community moderator needing to respond individually to each spam post.

And maybe by the time mods or admins get around to looking at the reports, they've already noticed the spam and responded to it directly.

So — if you're a community moderator or an instance admin, what are your preferences for receiving reports of spam accounts? Is it worth it to you to get reports of spam posts, or messages pointing out a spammer account, or would you prefer that we just downvote, block, and move on?

Why YSK: Getting along in a new social environment is easier if you understand the role you've been invited into.

It has been said that "if you're not paying for the service, you're not the customer, you're the product."

It has also been said that "the customer is always right".

Right here and now, you're neither the customer nor the product.

You're a person interacting with a website, alongside a lot of other people.

You're using a service that you aren't being charged for; but that service isn't part of a scheme to profit off of your creativity or interests, either. Rather, you're participating in a social activity, hosted by a group of awesome people.

You've probably interacted with other nonprofit Internet services in the past. Wikipedia is a standard example: it's one of the most popular websites in the world, but it's not operated for profit: the servers are paid-for by a US nonprofit corporation that takes donations, and almost all of the actual work is volunteer. You might have noticed that Wikipedia consistently puts out high-quality information about all sorts of things. It has community drama and disputes, but those problems don't imperil the service itself.

The folks who run public Lemmy instances have invited us to use their stuff. They're not business people trying to make a profit off of your activity, but they're also not business people trying to sell you a thing. This is, so far, a volunteer effort: lots of people pulling together to make this thing happen.

Treat them well. Treat the service well. Do awesome things.

Why YSK: Popcorn fans often want a buttery flavor, but plain butter is a bad choice for popping popcorn in a pot, because the proteins and sugars smoke and burn around the same temperature where it's hot enough to pop the kernels.

Ghee, or Indian-style clarified butter, is butter that's been simmered and the milk solids (proteins and sugars) skimmed off. This leaves a clear yellow oil that doesn't smoke when it's heated and doesn't go rancid quickly, but has a distinct toasty butter flavor.

Vegetable oil is either flavorless or faintly bitter, and some high-temperature vegetable oils tend to start polymerizing (i.e. becoming plastic) when heated in small amounts. This is also not good for popcorn.

Good-quality popcorn popped in ghee reliably produces lots of "butterfly" popcorn with few unpopped "duds" and no scorched kernels or batches ruined by smoke.

Try it! I'm sure not going back to canola oil.