
Comment Re:Summer is not Over Yet (Score 5, Interesting) 255

This is a difference between the astronomical season of summer (defined by equinoxes and solstices) and the meteorological season of summer (defined by temperature of the months). It's common for meteorological seasons to be used for climate science, since they're based on temperature. By definition, the warmest quarter of the calendar year is "summer" and the coldest quarter is "winter" with the others occupying their spaces between. This in turn has been established as summer being, for example as used here, June to August inclusive. That doesn't mean if we end up with a spring hotter than summer that the entire calendar will be turned on its head - the divisions used for meteorological seasons have already been determined.

So, tldr - in climate science, meteorological seasons are often used as opposed to astronomical seasons because of their historic partitioning based on temperature. June-August is summer in meteorological seasons, and is the same consistent period that's been reported in relation to this discussion.

Comment Re:keepass (Score 1) 154

I mangled that last sentence and submitted prematurely. However, I was basically going to say - while they're technically right that an attacker with write access may be able to compromise other password managers, regardless, having such a trivial method of local compromise really weakens the overall product. Better, I would think, to use a password manager that simply doesn't have a "silently dump my entire database in plain text in the background" configuration option.

Comment Re:keepass (Score 1) 154

Sure! Actually, it was discussed on Slashdot previously.

The functionality in question is Triggers and the developers don't consider it a security flaw because it requires an attacker already having write access to the system, which already allows a system to be compromised in a number of other ways. While they're technically right, I disagree, simply because other methods to extract the same information via system access, such as keyloggers or screen recorders, require significantly more technical know-how than notepad.exe.

Comment Re:keepass (Score 1) 154

KeePass's database is fairly secure, but the application itself does have a local-user security issue. The application has some enterprise-level automation scripting not really appropriate for consumer software. Normally that wouldn't be a problem (just don't use the extra stuff), but considering this program's purpose, it's a bit of a security flaw. For example, a local user can edit config files and tell KeePass to spit out a full plain-text database dump next time a database is logged into. It can do so transparently in the background, without the target user (you) ever being aware. The local user can then retrieve the dumped text file at their leisure and have access to all your passwords. Now, this doesn't mean if your PC is ever stolen that they can access your passwords - they can't; it requires unlocking the database in order to trigger the script. But if you live with tech-savvy folks, it could be compromised without you ever being aware.

For this reason, I recommend using an alternative open-source implementation of the same protocol, such as KeePassXC, which is cross-platform, very clean, without extraneous enterprise automation, arguably better functionality, and works with exactly the same databases you use for KeePass.

Comment Re:I don't like it but (Score 5, Informative) 52

They've survived this long without whoring themselves out, why start now?

Not sure what you define that as. They sold the 'default search provider' slot in an auction. They have a paid referral agreement with Google, which is in large part realised by Google's position as default search engine. This has comprised almost the entirety of Mozilla's income (85%+) for the years it was being reported as a percentage of income, and since 2012 likely comprises almost their entire income. Once the initial agreement expired they had Yahoo as default for a while, but then in 2014, they struck a deal with Google for a billion dollars over three years in order to keep Google back at the top - that deal was then renewed in 2017.

Selling the 'default search provider' slot is their primary means of income. I don't understand why, when Microsoft is looking to get in on that position, you suddenly consider such a move "whoring themselves out". That's been the main way they make their money for a long time now. If Microsoft is willing to pay more than Google, undoubtedly the executives will be all for it. As usage has dwindled, executive pay and bonuses have skyrocketed, largely off the back of such deals.

Comment Re: Seems legitimate (Score 3, Insightful) 66

To be clear, the master password DOES need to be entered. The TRIGGERS scripts are set to execute once the database is opened. The problem is that these scripts can be set to run silently in the background so the user who has just opened their database has no idea that at the same instant, their config told KeePass to extract and dump the keys to plain text. It's enterprise functionality that doesn't belong in a program also designed for home use, and should be disabled by default.

Comment Re: Sounds bad to me (Score 1) 66

Also, to elaborate on one point it appears you may have misinterpreted, it doesn't simply require access to the kdbx file. The "exploit" is that the triggers functionality within KeePass allows you to run certain operations on a database when it's unlocked. So, simply copying the kdbx file if you don't have the password to it doesn't give you any access. To utilise the functionality, you need write access on the system to write a triggers script to export the database to plain text, then when the owner of the database logs in to KeePass, it will extract the data. So if an attacker only has read access, you're fine. If an attacker has write access, you weren't fine anyhow.

Comment Re:Sounds bad to me (Score 4, Informative) 66

Because the below is a TLDR, I'll get out ahead here and say, to avoid such and better maintain your main-use case, I'd recommend switching to a modern cross-platform implementation, and highly recommend KeePassXC. OK, on with the explanation.

The point is an attacker having write access to your system already eliminates the protection provided. Your database is protected against people having read access, getting copies of your files, etc. But if an attacker has write access to your system, then them being able to write to and change your configuration file means they have the same level of access as required to exploit any of a thousand other means of accessing the same information once you've unlocked your database. And the point is the same is true of any method of password storage besides memorisation. If they're stored on your computer, and an attacker has write access, this is not a KeePass vulnerability - you're already rooted.

However, I'm not in complete agreement with the developers. I understand why an enterprise user might want an option to export passwords from a database, and might for security reasons even want the ability to do so from an automated script out of the view of the current user who's just logged in. However, the functionality of Triggers in KeePass which is utilised here has very little value to the average home user. I feel like there should be "Home" and "Enterprise" versions, where the Home version either omits it entirely, or at least protects the ability to export databases within permissions established when the database is created. Because such functionality makes it trivial for a 'trusted user' within your abode who has write access to your system to bypass your database security. Now, as devs are trying to point out, that's not a vulnerability because such a user has plenty of other methods at their disposal of achieving the same (such as compiling their own copy of KeePass with an exploit which mails out the passwords when the database is opened, etc), but let's be honest, the degree of technical difficulty in doing so does differentiate.

So, a workaround is to simply use an implementation of the protocol which doesn't include functionality to automatically export your database in plain text if a local user decides that's what they want to do. I've tried various implementations, but KeePassXC is by far my preferred client, paired with KeePass2Android on the mobile.
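
For readers who stay on KeePass, one way to check a configuration file for the stored triggers the comments above describe. This is an added example, not code from the commenter or from the KeePass project; it assumes the KeePass 2.x layout in which each trigger is a `Trigger` element with `Name`, `Enabled`, `Actions` and `Parameter` children, and the sample configuration and its GUIDs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real configuration. Element names follow the layout
# KeePass 2.x is assumed to use for stored triggers; the GUIDs are placeholders.
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Triggers>
  <Trigger>
    <Name>nightly-sync</Name>
    <Enabled>true</Enabled>
    <Events><Event><TypeGuid>PLACEHOLDER-EVENT</TypeGuid></Event></Events>
    <Actions>
      <Action>
        <TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
        <Parameters>
          <Parameter>C:\\Users\\Public\\out.csv</Parameter>
          <Parameter>PLACEHOLDER-FORMAT</Parameter>
        </Parameters>
      </Action>
    </Actions>
  </Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

CLEAN_CONFIG = "<Configuration><Application><TriggerSystem><Triggers />" \
               "</TriggerSystem></Application></Configuration>"

# Heuristic: drive letter, UNC share, POSIX root, or %ENVVAR% prefix.
PATH_HINT = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/|%[A-Za-z_]+%)")


def audit_triggers(xml_text):
    """Return one finding per stored trigger; every finding merits review."""
    findings = []
    for trig in ET.fromstring(xml_text).iter("Trigger"):
        params = [(p.text or "").strip() for p in trig.iter("Parameter")]
        enabled = (trig.findtext("Enabled") or "true").strip().lower()
        findings.append({
            "name": (trig.findtext("Name") or "").strip(),
            # A missing <Enabled> is treated as enabled, the cautious reading.
            "enabled": enabled == "true",
            "actions": len(trig.findall("./Actions/Action")),
            "file_targets": [p for p in params if PATH_HINT.match(p)],
        })
    return findings


def needs_attention(findings):
    """Enabled triggers whose parameters name a file are the ones to check first."""
    return [f["name"] for f in findings if f["enabled"] and f["file_targets"]]


if __name__ == "__main__":
    for finding in audit_triggers(SAMPLE_CONFIG):
        print(finding)
```

A home user who never configured a trigger should expect an empty result; any finding at all is worth tracing back to who created it.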

Comment Re:Stop lying about it. Stop denying clear evidenc (Score 1) 142

BTW, the same ideas were tried in the USA and they were just as evil and wrongheaded here as they were there.

Which was my entire point. Why are you painting NZ/Aus as some kind of freedom-hating backwater, when the same was done where appropriate in the US? If these actions are NZ/Aus hating freedom, then I guess America also hates freedom. Weird.

Are you unfamiliar with the Northern Territories? NT is self-governed, and not representative of the Australian Federal government response. It'd be like saying the decisions of the government of Texas or even Puerto Rico represent the US Federal Government. Are all of your stories going to be about the Northern Territories?

and well documented camps; I said only that they existed and were real.

A proposed village so that folks would be able to stay in houses rather than hotel rooms during a quarantine period. Even less restrictive than a hotel is. Doesn't look like it will go forward.

Here is a video with firsthand testimony from folks sent to these camps for punitive measures with full video of the camps, the doctors/staff, and the accommodations.

Haha, ah yeah Hayley - typical troublemaker. Lied to contact tracers about getting tested, and Northern Territory officials put her in quarantine because of it. Again, NT, not really representative of Australia, but understandable you didn't understand that distinction. Yes - someone physically in the continent of Australia broke the law and had to deal with the repercussions of that.

and in some cases and were specifically setup for the purpose for punitive COVID quarantine as the ABC article linked below specifically discusses and the youtube video linked above clearly backs up with serious evidence.

The location the travel writer discussed, and the location in the YouTube video, are the same place. It was not set up specifically for "punitive COVID quarantine". It was set up for "COVID quarantine". That a public health menace had to quarantine there because she lied to contact tracers about testing negative doesn't deem the location as being "specifically set up for the purpose of punitive COVID quarantine". It was literally the only place they were quarantining people in Darwin.

Folks were arrested for leaving, which makes it a prison camp.

No, it makes it a quarantine. Are you unfamiliar with how quarantines work? Have you never travelled anywhere in the world where quarantines are in place? Is your lack of experience the only basis for your idea that something uniquely terrible was happening in NZ/Aus? Did you not try to travel to Hawaii during the SafeTravel period, whilst unvaccinated?

That article was a BBC propaganda bit, was that also right-winger conspiratorial "misinformation"?

No, it just didn't say anything that supports your position. It said Australia had some of the strongest border controls during COVID. Australia did - something I admitted from the outset; to quote myself:
>> In truth, NZ/Aus did absolutely nothing different to what much of the US did during Covid, with the exception of having border quarantines.
Meanwhile this didn't affect almost anyone in NZ/Aus whatsoever.

The policies were bullshit everywhere it's just the disarmed Aussies took it harder up the butt by their government than most

Except they didn't, and this is what I keep trying to point out to you and you keep not getting. Most people did whatever the hell they wanted and it didn't affect anyone. Some people got fines when there were mask mandates, but most people got their fines overturned subsequently. Yes - there were strict border controls; I never denied that - only pointed out there were also strict border controls in the US in the only place they could possibly implement them - Hawaii. Literally all your articles about Australian COVID camps are about a single location in the Northern Territories which was almost entirely utilized for the aforementioned border quarantine arrivals in NT.

Seriously, you have some weird idea that things were much worse in Australia/NZ than they actually were.

Comment Shatner has always been an ass (Score 3, Interesting) 213

about the new series. I remember from, I think it was, the Captains mini-doc, that they were asking what they thought of each other's series, and Patrick Stewart gushed about TOS, and how inspirational and influential it had been on him, etc. Then Shatner said he'd never watched an episode of TNG. He didn't indicate he ever planned to. They'd done 7 seasons and he hadn't watched a single episode.

When Shatner says he doesn't like what's in any new series, it's unlikely he's ever actually watched any of them. He's "heard stuff", and simply doesn't like that any of them exist. If he's not in it, it seems like he doesn't consider it Star Trek.

Comment Re:"Most" free my bunghole. NZ authoritarians R re (Score 1) 142

Which isn't a counter-argument to my reply to either poster. Both were trying to suggest things were somehow less free in NZ/Aus, yet both were wrong. So sure - the border quarantines in NZ/Aus were just as much a cell as the border quarantines in the US' island state. Whether you consider a temporary hotel quarantine a cell be it in Auckland, Sydney, or Honolulu, is irrelevant to the fallacious argument that was being made.

Comment Re:"Most" free my bunghole. NZ authoritarians R re (Score 2) 142

Except, the article is BS. The man was a new arrival in 14 day hotel quarantine, not in a "camp". He was not removed from his home and forced into a camp. The article alludes to that situation being a possibility, but never actually says that's what happened, because that isn't what happened. Ie, they're intentionally deceiving you.

As I said in the direct quote above, NZ/Aus did nothing different to what much of the US did during Covid, with the exception of *having border quarantines*. Comparatively, the only US island State, Hawaii, also had border quarantines. OP's suggestion that NZ/Aus are some kind of authoritarian loving backwater which hate freedom, while the same conditions existed in much of the US (not border quarantine, because the virus was already in community spread and no hard-borders exist. However, where border quarantine was possible, Hawaii, it was likewise utilized) makes their position laughable. Like OP, you must get your news from right-wing sources which love the idea that NZ/Aus were shipping citizens off to camps, and keep spreading the same story, regardless of whether it's true or not.

Comment Re:"Most" free my bunghole. NZ authoritarians R re (Score 2, Insightful) 142

You seem to get your "information" from Fox or OAN. These countries weren't putting people in camps. They put new international arrivals in hotels for 14 days - pretty standard for a quarantine. Citizens weren't stuck out of the country if they didn't "go along with the regime's demands to get vaxxed and wear a mask". Airlines were not permitted to convey international arrivals unvaxxed except with exemption, but if you have your own transport, there was no vaccination requirement for arrival - plenty of unvaxxed wealthy flew their own jets in. As for masks, US airlines likewise required masks. Free to get kicked out of their job? Yes - likewise, in the US, workplaces which mandate vaccines kick people out who don't have them. The US military kicked out hundreds for refusing to get vaccinated. It's not like just anywhere can mandate vaccines without reason - some businesses that mandated them in Australia were then successfully sued by their employees. There was never a national requirement by either nation to get vaccinated, but rather private businesses deciding to. And mask mandates? You mean, like those employed by a multitude of US states affecting far more US citizens than NZ and Aus combined?

In truth, NZ/Aus did absolutely nothing different to what much of the US did during Covid, with the exception of having border quarantines. Something that States can't very well independently impose (except, perhaps, Hawaii which - btw - did have a Safe Arrivals policy during the height of covid which required domestic arrivals to show proof of vaccination and a negative test, and quarantine if it couldn't be provided - you literally have no clue what you're talking about when you're making these statements about authoritarianism in NZ/Aus, do you?), and Covid was already well into community spread before the Federal government even thought about whether international border quarantines should be utilized (as decided, ultimately useless, since - as mentioned - covid was already well into community spread in the US).

TLDR: NZ/Aus did nothing that many US states didn't do. Generally, vaccine mandates were at the business, not government level. Even border controls, the one exception you could possibly argue, were likewise implemented for Hawaii with vaccination requirements, negative PCR test results, and 14 day quarantine periods. Nobody in either country was forced to be vaccinated against their will. You literally have no idea what you're talking about and are repeating conservative talking points that you have no conceptually relevant comparative insight to.
