National Geographic reports:
About a million years ago, an asteroid smacked into the normally tranquil surface of Mars. The impact released a fountain of debris, and some of the rocky fragments pierced the sky, escaping the planet’s gravity to journey through the dark. Some of the rocks eventually found their way to Earth and survived the plunge through our planet’s atmosphere to thud into the surface-including a hefty 15-pound shard that crashed into Morocco in 2011…. Determining what part of Mars these meteorites came from is a critical part of piecing together the planet’s history — but it’s proven to be a major scientific challenge.

Now, with the assistance of a crater-counting machine learning program, a team of researchers studying the depleted shergottites may have finally cracked the case: They concluded that these geologic projectiles came from a single crater atop Tharsis, the largest volcanic feature in the solar system. This ancient volcanic behemoth on Mars is adorned with thousands of individual volcanoes and extends three times the area of the continental United States. It was built over billions of years by countless magma injections and lava flows. It is so heavy that, as it formed, it effectively tipped the planet over by 20 degrees. If these meteorites do come from Tharsis, as the analysis published in Nature Communications suggests, then scientists have their hands on meteorites that can help identify the infernal forces that fueled the construction of this world-tipping edifice. “This could really change the game about how we understand Mars,” says Luke Daly, a meteorite expert at the University of Glasgow who was not involved with the study.

Debris from meteor impacts tend to also form smaller craters — so the scientists trained their machine learning tools to scan orbital images of Mars to find appropriately-sized crazers (less than two thirds of a mile long). “It quickly found about 90 million, says Kosta Servis, a data scientist at Curtin University and co-author of the study…”

But after sifting through the data, “the team identified 19 large craters in volcanic regions on Mars that were surrounded by multiple secondary craters — a sign that these planetary scars could be as young as the 1.1-million-year-old crater they sought…”

Out of those 19 craters, just two were excavated from youthful volcanic deposits by an impact event 1.1 million years ago: crater 09-00015 and Tooting crater. The latter (named after a district in London) looks to have been formed by a powerful oblique impact — the kind of collision that would propel a lot of Martian meteorites into space…”

Buoyed by their discovery, Lagain’s team is hoping to identify the source craters of other Martian meteorites — including some of the very oldest, which could reveal more about Mars’s waterlogged past…. Machine learning “is a really inventive way of trying to tackle this problem,” says Lauren Jozwiak, a planetary volcanologist at Johns Hopkins University Applied Physics Laboratory not involved with the study. “Boy, I hope this method works,” she says, because if it does, “it would be really cool to take this and apply it to other planets.”

Read more of this story at Slashdot.

Source: Slashdot – Scientists May Have Identified the Crater on Mars that Launched a Rock to Earth

In 2020 Microsoft’s GitHub acquired NPM (makers of the default package manager for Node.js). The company’s web page boasts that npm “is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world.”

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com’s ‘replica’ server (consumed by third-party services) were leaked — but in addition, a second flaw could’ve allowed attackers “to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks.”

In a blog post this week GitHub’s chief security officer explained the details:
During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occuring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.

BleepingComputer adds:
Both announcements come not too long after popular npm libraries, ‘ua-parser-js,’ ‘coa,’ and ‘rc’ were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who can manage to hijack npm accounts of maintainers can trivially publish new versions of these legitimate packages, after contaminating them with malware. As such, to minimize the possibility of such compromises from recurring in near future, GitHub will start requiring npm maintainers to enable 2FA, sometime in the first quarter of 2022.

Read more of this story at Slashdot.

Source: Slashdot – GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug

DevNull127 writes: Saturday afternoon, 91 geeks huddled around a Twitch stream to hear the winners announced for the 27th Annual Interactive Fiction Competition. This year’s competition attracted 71 entries, and $10,396 was raised for a cash-prize fund (which is divided among all the game authors whose entries ranked in the top two-thirds, with the first-place finisher receiving a prize in the hundreds of dollars and the last entry in the top two-thirds receiving $10). But there’s also a long list of fun non-cash prizes available in a “prize pool,” and starting with the author of the first-place game, authors take their turn choosing. (Prizes included everything from 0.055 in Ethereum cryptocurrency to the conversion of your text adventure into a professionally-produced audiobook.)

After a six-week period where the general public played and voted on the 71 games, the first-place winner was chosen. It had a strange title — “And Then You Come to a House Not Unlike the Previous One.” Its welcome screen jokingly promises “the latest in ASCII graphic technology to occasionally write high-res, text-based images directly onto a screen that is eighty characters wide or more…” In this text adventure game you play a teenager who starts out….playing a text adventure game (called “THE GLUTTONOUS ELF: Adventure #1”), with the game itself ultimately offering a kind of meta-commentary on the world of text adventures over the years.

Perhaps not surprisingly, this game also won a second award — the contest’s special prize for the entry most-liked by the other game author’s who’d entered this year’s competition.

This year’s runner-up was “Dr Horror’s House of Terror”. It’s not to be confused with the Christopher Lee/Peter Cushing movie with a similar name — except perhaps with some playful and intentional overlap which becomes apparent as the game progresses.
And a splendid time was had by all.

Read more of this story at Slashdot.

Source: Slashdot – 27th Annual Text Adventure Competition Won By Game About – Text Adventures