More stories

  • Malware creates scam online stores on top of hacked WordPress sites

    A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores in order to hijack the original site’s search engine ranking and reputation and promote online scams.


    The attacks were discovered earlier this month targeting a WordPress honeypot set up and managed by Larry Cashdollar, a security researcher for the Akamai security team.
    The attackers leveraged brute-force attacks to gain access to the site’s admin account, after which they overwrote the WordPress site’s main index file and appended malicious code.
    While the code was heavily obfuscated, Cashdollar said the malware’s primary role was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by the hackers.
    It was on this server where the entire “business logic” of the attacks took place. According to Cashdollar, a typical attack would go as follows:
    1. User visits hacked WordPress site.
    2. The hacked WordPress site redirects the user’s request to view the site to the malware’s C&C server.
    3. If a user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane objects.
    4. The hacked site responds to the user’s request with a scammy online store instead of the original site the user wanted to view.

    Cashdollar said that during the time the hackers had access to his honeypot, the attackers hosted more than 7,000 e-commerce stores that they intended to serve to incoming visitors.
    Intruders poisoned the site’s XML sitemap

    In addition, the Akamai researchers said the hackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online stores together with the site’s authentic pages.
    The attackers generated the sitemaps, submitted them to Google’s search engine, and then deleted the sitemap to avoid detection.
    While this procedure looked pretty harmless, it actually had a pretty big impact on the WordPress site because it ended up poisoning its keywords with unrelated and scammy entries that lowered the website’s search engine results page (SERP) ranking.
    Cashdollar now believes that this kind of malware could be used for SEO extortion schemes — where criminal groups intentionally poison a site’s SERP ranking and then ask for a ransom to revert the effects.
    “This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started,” Cashdollar said. “Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive.”
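    The story above says the intruders overwrote the site’s main index file and appended malicious code. The following added example (not from the article or from Akamai) is a defender-side heuristic that flags any statement in index.php beyond what a stock WordPress front controller contains; it assumes the site runs an unmodified core index.php, and both sample files are constructed.

```python
import re

# Statements left in a stock WordPress index.php once comments and whitespace
# are removed. Assumption: the site has not customised its core index.php.
# Both the current and the older form of the require line are accepted.
ALLOWED_STATEMENTS = {
    "define('WP_USE_THEMES',true)",
    "require__DIR__.'/wp-blog-header.php'",
    "require(dirname(__FILE__).'/wp-blog-header.php')",
}


def unexpected_statements(php_source):
    """Return the statements a stock WordPress index.php would not contain."""
    # Remove block comments first, then // and # line comments.
    code = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)
    code = re.sub(r"(//|#).*", "", code)
    # Remove the opening tag; anything after a closing tag is kept and flagged.
    code = re.sub(r"^\s*<\?php", "", code, count=1)
    findings = []
    for statement in code.split(";"):
        compact = re.sub(r"\s+", "", statement)
        if compact and compact not in ALLOWED_STATEMENTS:
            findings.append(statement.strip())
    return findings


# Constructed sample: a stock front controller.
STOCK_INDEX = """<?php
/**
 * Front to the WordPress application.
 */

/** Tells WordPress to load the WordPress theme and output it. */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""

# Constructed sample: the same file with placeholder code appended, standing in
# for the obfuscated code described in the article (the string decodes to
# the word "constructed").
TAMPERED_INDEX = STOCK_INDEX + """
$p = base64_decode('Y29uc3RydWN0ZWQ='); eval($p);
"""

if __name__ == "__main__":
    for name, source in (("stock", STOCK_INDEX), ("tampered", TAMPERED_INDEX)):
        extra = unexpected_statements(source)
        print(name, "->", "clean" if not extra else extra)
```

    A finding here is a prompt to compare the file against a fresh copy of the same WordPress release, not proof of compromise.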

  • GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave

    GoDaddy employees were exploited to facilitate attacks on multiple cryptocurrency exchanges through social engineering and phishing. 

    Staff at the domain name registrar were subject to a social engineering scam that duped them into changing email and registration records, used to conduct attacks on other organizations. 
    As reported by security expert Brian Krebs last week, GoDaddy confirmed that the scam led to a “small number” of customer domain names being “modified” earlier this month.
    Starting in mid-November, fraudsters ensured that email and web traffic intended for cryptocurrency exchanges was redirected. Liquid.com and the NiceHash cryptocurrency trading posts were impacted, and it is suspected that other exchanges may also have been affected. 
    According to Liquid CEO Mike Kayamori, a security incident on November 13 was caused by GoDaddy incorrectly transferring control of an account related to the firm’s core domain names. 
    “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts,” Kayamori said in a blog post. “In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

    Liquid.com contained the attack after discovery, and while the attacker may have accessed user emails, names, addresses, and encrypted passwords, client funds were accounted for. 
    In NiceHash’s case, the company blamed “technical issues” at GoDaddy resulting in “unauthorized access” to domain settings, leading to the DNS records for nicehash.com being changed. 
    This attack occurred on November 18. NiceHash responded quickly, freezing all wallet activity to prevent any loss of user cryptocurrency. Withdrawals were suspended for 24 hours while an internal audit took place and normal service has since resumed. 
    NiceHash says that it does not look like user information was exposed or compromised, but urges caution if users receive links or suspicious emails claiming to be from the cryptocurrency exchange. 
    The company also recommended that users change their passwords and enable two-factor authentication (2FA) to be on the safe side.
    Speaking to Krebs, NiceHash founder Matjaz Skorjanc added that the attackers attempted to force password resets on third-party services, including Slack, but NiceHash was able to fend off these attempts. 
    A GoDaddy spokesperson said the domain registrar “immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts.”
    The spokesperson added that as “threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them.”
    In May, GoDaddy reported a security breach in which an individual was able to access SSH accounts within the firm’s hosting infrastructure without permission. GoDaddy said there was no evidence of tampering that would impact customers, but security bolt-ons would be provided for a year, for free, to anyone affected. 

  • Black Friday security tips: Beware of websites that want too much info

    Cyber criminals will be targeting online shopping as people take to the internet to bag Black Friday and Cyber Monday bargains as Christmas shopping begins – and the UK’s National Cyber Security Centre (NCSC) has urged shoppers to be vigilant and report suspected cyberattacks and scams.
    The run up to Christmas is a lucrative period for retailers as people look to stock up on gifts – and many outlets will run promotional offers to coincide with Black Friday and Cyber Monday to encourage spending.


    Retailers send emails offering promotions and discounts – and that’s something cyber criminals can exploit by sending messages of their own; phishing emails tempting people with an offer of bargains in order to steal money, usernames and passwords, personal information and more.
    The NCSC is warning shoppers to be cautious when shopping by being selective about where they make purchases from.
    For example, people should be mindful if they’ve not heard of a particular retailer before, or if they receive an email claiming to offer direct links to bargain items. It’s best to take the precaution of visiting the retailer’s web address rather than clicking on a direct link.
    And users should be wary of websites that ask for an unnecessary amount of personal information when taking payments – if they’re asking for additional security details, like a codeword or an answer to a secret question used to retrieve your password, it’s highly likely to be a scam.

    “You shouldn’t have to provide security details (such as your mother’s maiden name, or the name of your first pet) to complete your purchase,” NCSC notes.
    It also suggests: “The store may also ask you if they can save your payment details for a quicker check-out next time you shop with them. Unless you’re going to use the site regularly, don’t allow this.”
    If people see suspicious emails or websites that seem to ask for too much information or seem to be too good to be true, the NCSC suggests the potential phishing emails or scam sites should be reported to its Suspicious Email Reporting Service (SERS).
    Since being launched earlier this year, SERS has resulted in over two million reports of suspicious emails and websites, and has led to thousands of malicious sites being taken down.

    “At this time of year our inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams,” said Sarah Lyons, NCSC deputy director for economy and society.
    “If you spot a suspicious email, report it to us or, if you think you’ve fallen victim to a scam, report the details to Action Fraud and contact your bank as soon as you can,” she added.
    Other tips the NCSC recommends for staying safe online while making Christmas purchases include keeping accounts secure with two-factor authentication as well as looking for the closed padlock in the browser’s address bar of the payment page on a retailer’s website. The padlock icon doesn’t guarantee that the retailer itself is legitimate, but it at least means your connection to it is secured. 
    Retailers are also being urged to play their part in helping consumers stay safe online in the run up to Christmas.


  • TikTok patches reflected XSS bug, one-click account takeover exploit

    TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. 

    Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.
    While fuzzing the platform, the bug bounty researcher found that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to the execution of malicious code in a user’s browser session. 
    In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors can dupe users into submitting actions on their behalf to a web application as a trusted user.
    Taskiran was able to create a simple JavaScript payload that combined both vulnerabilities. The script was able to trigger the CSRF issue, and then if injected into the vulnerable URL parameter, would lead to a one-click account takeover. 

    “The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up,” the bug bounty hunter said. 
    TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. 
    Taskiran was awarded a bug bounty reward of $3,860. 
    ZDNet has reached out to TikTok and will update when we hear back. 

  • GitHub fixes 'high severity' security flaw spotted by Google

    GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago. 
    The bug affected GitHub’s Actions feature – a developer workflow automation tool – that Google Project Zero researcher Felix Wilhelm said was “highly vulnerable to injection attacks”. GitHub’s Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.  


    While Google described it as a ‘high severity’ bug, GitHub argued it was a ‘moderate security vulnerability’.
    Google Project Zero usually discloses any flaws it finds 90 days after reporting them, and by November 2, GitHub had exceeded Google’s one-off grace period of 14 days without having fixed the flaw. 
    A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and then requested an additional 48 hours – not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future. Google then published details of the bug 104 days after it reported the issue to GitHub.
    GitHub finally got around to addressing the issue last week by disabling the feature’s old runner commands, “set-env” and “add-path”, as per Wilhelm’s suggestion. 

    The fix was implemented on November 16, or two weeks after Wilhelm publicly disclosed the issue.
    As Wilhelm noted in his bug report, the former version of GitHub’s action runner command “set-env” was interesting from a security perspective because it can be used to define arbitrary environment variables as part of a workflow step. 
    “The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable,” wrote Wilhelm. 
    “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.”
    Now that GitHub has disabled the two vulnerable commands, Wilhelm has also updated his issue report to confirm the issue is fixed.
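    The mechanism Wilhelm describes, as an added example that is not GitHub’s runner code and not from the article: a simplified model of a runner that scans step output for the legacy “set-env” and “add-path” commands, shown with those commands enabled and then disabled as in the fix. The function names, the sample output and the variable name DEMO_VAR are constructed for illustration.

```python
import re

# Legacy workflow-command syntax at the start of an output line:
#   ::set-env name=NAME::VALUE
#   ::add-path::DIRECTORY
COMMAND_RE = re.compile(
    r"^::(?P<cmd>[a-z-]+)(?: (?P<props>[^:]*))?::(?P<value>.*)$"
)
LEGACY_COMMANDS = {"set-env", "add-path"}


def process_step_output(lines, legacy_commands_enabled):
    """Model of a runner reading a step's STDOUT line by line.

    Returns (env, path, rejected): environment variables and PATH entries the
    output managed to set, plus the lines refused because the legacy commands
    are disabled (useful as a detection signal).
    """
    env, path, rejected = {}, [], []
    for line in lines:
        match = COMMAND_RE.match(line.strip())
        if not match or match.group("cmd") not in LEGACY_COMMANDS:
            continue  # ordinary log output
        if not legacy_commands_enabled:
            rejected.append(line)
            continue
        if match.group("cmd") == "set-env":
            props = dict(
                item.split("=", 1)
                for item in (match.group("props") or "").split(",")
                if "=" in item
            )
            if props.get("name"):
                env[props["name"]] = match.group("value")
        else:
            path.append(match.group("value"))
    return env, path, rejected


def step_that_logs_untrusted_text(untrusted_text):
    """A hypothetical action step that echoes user-supplied text to its log."""
    return ["Labeling issue (constructed sample)"] + untrusted_text.splitlines()


# Constructed input: text supplied by someone outside the repository, which
# the step above prints verbatim.
UNTRUSTED_TEXT = (
    "Typo in README\n"
    "::set-env name=DEMO_VAR::value-chosen-by-issue-author"
)

if __name__ == "__main__":
    output = step_that_logs_untrusted_text(UNTRUSTED_TEXT)
    print("before fix:", process_step_output(output, legacy_commands_enabled=True))
    print("after fix: ", process_step_output(output, legacy_commands_enabled=False))
```

    With the legacy commands disabled, the same log line changes nothing for later steps and instead shows up in the rejected list, which is where a workflow that still prints untrusted content becomes visible.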

  • OAIC has fielded zero complaints and received no reported COVIDSafe breaches

    The Office of the Australian Information Commissioner (OAIC) has released its first six-monthly report on the privacy and security of Australia’s COVIDSafe app, which has been far from successful and only identified a small number of unique cases.
    The app, which was touted at its introduction as being akin to sunscreen, has since been relegated to double-checking duties.
    “There is scarce evidence on the effectiveness of digital or automated contact tracing,” a contact tracing review released earlier this month said.
    For the OAIC, from May 16 to November 15, it fielded no complaints about the app and handled 11 enquiries. Over half of the enquiries occurred in July, and no enquiries were reported for October or November.
    “We provided general information in response to 10 enquiries and provided assistance on how to make a complaint in response to one enquiry,” the OAIC said.
    The types of enquiries handled were about the legal basis of the app, the number of downloads of the app, whether the app could be a condition of entry to a worksite, whether education organisations could force students to download the app, and whether sporting organisations could force members to use the app.

    The OAIC has also started four assessments related to the access controls used on the data store, functionality of the app against privacy policy and collection notices, and whether the data store administrator was complying with requirements related to data handling, retention, and deletion.
    The title of data store administrator was passed from the Department of Health to the Digital Transformation Agency (DTA) on May 16.
    Attached to the end of the report was an unclassified report from the Inspector-General of Intelligence and Security (IGIS) on how the agencies under its purview — Australian Security Intelligence Organisation, Australian Security Intelligence Service, Australian Signals Directorate, Office of National Intelligence, Australian Geospatial-Intelligence Organisation, and Defence Intelligence Organisation — had complied with requirements under the Privacy Act for COVIDSafe data.
    “Incidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data,” the IGIS report said.
    “IGIS advises that it plans inspection activities in coming months to verify data deletion and provide further assurance that no COVID app data has been accessed, used or disclosed.”
    The IGIS report added that agencies said it would be difficult to identify “encrypted COVID app data amongst other lawfully collected encrypted data”. The agencies also said they were developing procedures to use when incidental collection occurs and implementing procedures to delete data “as soon as practicable”.
    In June, it was revealed the DTA knew COVIDSafe had severe flaws, despite sending it out for public use on 26 April 2020. It followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.
    “COVIDSafe works as is written on the label, it supports public health efforts … there is no intention to jettison the current app and start again … our intention is to continue to improve the current app,” DTA CEO Randall Brugeaud said last month at Estimates when questioned whether the government would switch to the Apple or Google notification framework.

  • Monash University and The Alfred to develop AI-based superbug detection system

    Monash University and Alfred Hospital are developing an artificial intelligence-based system to improve the way superbugs are diagnosed, treated, and prevented.
    According to Monash University professor of digital health Christopher Bain, infections from superbugs kill 700,000 people every year and by 2050, the world could see 10 million deaths annually from previously treatable diseases.
    Superbugs are created when microbes evolve to become immune from the effects of antimicrobials. The project, which will be mainly based at The Alfred, has received AU$3.4 million from the federal government’s Medical Research Future fund. According to the project’s lead researcher, Antony Peleg, the project will look to integrate genomics, electronic healthcare data, and AI technologies to address antimicrobial resistance in the healthcare system. Specifically, it will leverage tens of thousands of data points per patient and infecting pathogens to help predict treatment responses and patient outcomes. “This project will push the boundaries of what can be achieved in healthcare and how new technologies can be applied to understand how superbugs infect humans and the way they are transmitted within a hospital system,” Peleg said.
    In addition to providing earlier detection of antimicrobial resistance, the two organisations are also hoping the system will be able to create personalised treatment for patients and prevent outbreaks.
    Elsewhere in Australia’s health sector, AustCyber has provided AU$500,000 in funding to cybersecurity startup Haventec to develop a new health consent system. The system, called eConsent for Genomics, is aimed at improving how healthcare providers, service providers, and patients securely store and consent to personal health information. The funding will come from the AustCyber Projects Fund, which is a three-year AU$15 million federal government initiative designed to help the Australian cybersecurity industry grow both locally and globally.
    The system is expected to cost around AU$1 million to build, with Haventec and consortium partner 23Strands to provide the remaining AU$500,000.
    According to Haventec, the development of eConsent for Genomics comes at a critical time as current models for storing personal health information are consistently failing with the health sector regularly topping the list of notifiable data breaches. Partnering with 23Strands, Haventec will also use the new consent system in a research project focused on COVID-19 patients. The research will look to correlate negative and positive health outcomes to specific DNA profiles, which it hopes will improve predictions regarding how individuals will react if they become infected with COVID-19.
    Monash Uni publishes ethics analysis of agri-robots
    Monash University on Monday also published a report focusing on the ethical and policy issues behind using robots in agriculture. The report was created as the authors, Monash University Philosophy professor Robert Sparrow and philosophy research fellow Dr Mark Howard, said little attention has been paid to the ethical and policy challenges surrounding agriculture being increasingly automated. 
    “People weren’t thinking about or talking about, such as unintended consequences, or what might happen in life and when things don’t work out perfectly,” Sparrow told ZDNet.
    Currently, Australia’s agriculture sector accounts for around 2.5% of the country’s workforce.
    Undertaking a literature review on applications of agricultural robots to address these questions, the report found that robots could help farmers confront challenges such as climate change, soil depletion, loss of biodiversity, water scarcity, and population growth by improving yield and productivity. Physically intensive labour associated with agriculture work could also see robots be developed for tasks such as weeding, fruit and vegetable picking, food handling, and packaging tasks, which could increase productivity and the amount of produce sent to market, the authors said.
    Sparrow noted that technologies such as fruit-picking robots could also be developed in the next decade, which could have large implications for seasonal employment. 

    “While there hasn’t yet been widespread adoption of robots in farming due to a lack of technological breakthroughs, it’s anticipated there will be a gradual emergence of technologies for precision farming, as well as the use of automation in food processing and packaging,” Sparrow said. 
    However, they also stated the widespread adoption of robots in farming could have negative consequences, such as the mismanagement of chemicals and soil compaction due to heavy robots, and the exacerbation of potential food wastage if consumers come to expect standardised or “perfect” produce. 
    The pair added that increased robot use could lead to more standardised breeding of livestock and to genetically modified crops created so that harvests are better suited to robots. There is also a fear that smaller or struggling farms could miss out on the technology and be unable to keep up, leading to a centralisation of ownership in agriculture, Sparrow said.
    “In order to reduce the risk that robots will further centralise ownership in the agricultural sector and further encourage monocultures at the expense of biodiversity, governments, and researchers might prioritise the development of sophisticated robots that are sufficiently flexible to allow their use on small properties and with a wider range of crops and livestock,” the report said.

  • Living with COVID-19 creates a privacy dilemma for us all

    This piece comes to you from the mostly coronavirus-free shores of Australia. But the virus is still not eliminated; various places can have an extended run of virus-free days, which can then turn into weeks and months, before the virus suddenly comes back.

    There is no better example of this than the reemergence of COVID-19 in New Zealand back in August, after the nation went 100 days without the virus and was widely considered to have eliminated it. 
    At the time of writing, South Australia just left lockdown after a surge in cases, despite the state shutting its borders to places such as New South Wales and Victoria, and only having handfuls of cases reported each day, if any were reported at all, since April.
    According to the recent National Contact Tracing Review [PDF], the takeaway lesson from 2020 is to throw the kitchen sink at outbreaks when they appear.
    “In the event of an outbreak, every effort should be made to go hard and go early,” the review said.
    The way to suppress a surge in cases is to make sure those with the virus can have their recent close contacts traced, thereby getting those identified into quarantine and tested. This is in the hopes that the virus can be prevented from spreading further into the community. Key to all of this is having quick access to data.
    For contact tracers, the first stop is asking people where they have been, but as we all know, the human mind is far from perfect. And this is before even considering the task of identifying random people who happened to be in a venue with a positive case.

    Enter initiatives such as Australia’s COVIDSafe app, which has been far from successful and only identified a small number of unique cases. The app that was touted at its introduction as being akin to sunscreen has since been relegated to double-checking duties.
    “There is scarce evidence on the effectiveness of digital or automated contact tracing,” the report said.
    Along with the app, Australia has also pushed venues to install check-in processes in response to various parts of the country reopening. This usually takes the form of a QR code and requires filling in an online form with details such as name and phone number, with pen and paper used as a backup.
    If state governments from the get-go had the check-in systems in place that they have now, it could have been possible to have a centralised data store for check-in data, but that was not to be. As it stands, a bunch of private organisations have rushed in to fill the void.
    “In addition to the disadvantage of not having a centralised database for contact tracers to interrogate the data, many of these apps are requesting unnecessary information from customers that adds significantly to the time taken to register, and is sometimes used for marketing purposes,” the report said.
    “Further, because of the multiplicity of applications, customers find themselves entering the same information repeatedly if they visit different venues. These repetitive and in some cases unnecessary burdens on customers are likely to result in lower overall compliance with attendance recording.”
    It needs little repeating but 2020 is a weird year. Last year, if the prospect of a centralised attendance database run by a government was put before me, I’d have yelled the words “Big Brother”, “surveillance state”, and probably a few other choice phrases. And yet, as the year ends, I have more faith that my state government will not flog my data to the highest bidder and has created some form of requirement to actually delete the data when it is not needed anymore.
    Getting more specific than throwing the kitchen sink, the review also recommended for states to have a single app for check-ins, or failing that, that all such apps adhere to a common standard.
    At this stage, it needs pointing out that in Australia the data retention regime ensures the nation’s law enforcement agencies have easy access to which phones are on what mobile tower, so I am not doing a something compared to nothing comparison when I talk about attendance databases. It’s a more granular form of data than what the government had access to last year, and at any rate, Google knows where I am.
    If I wanted to opt out of needing to check in at places like cafes and restaurants, there is a simple solution, of course. Don’t go. Get take away instead.
    In trying to solve that problem, since even getting takeaway might expose you to the virus, the contact tracing review proposed something that would make check-in databases look like small fry.
    “The Commonwealth should lead the development of arrangements between states and territories and payment card providers so that contact tracers from the states and territories will be able to request contact details of persons who have made a transaction at a hotspot venue, noting that privacy rules will apply and in some jurisdictions legislative change may be required,” the report said.
    Thanks to Australia having a modern payment backbone, access to which cards were used at which venues is a quick API call or two away — and the payments would be based on cards since the use of cash has plummeted in the days of COVID and there are little signs of its use bouncing back.
    Not yet done with raising privacy questions, the review also recommended looking into a way to download information from smartphones that could help contact tracers. As is standard, the review said it should be based on citizen consent, and as any privacy-minded person would tell you, authorities have absolutely, positively never bluffed or misinformed their way to get into a person’s home, nor have they convinced someone to hand over a phone when they didn’t want to.
    Is it outrageous that payment data and smartphones would be taken to get information into the contact tracing systems that the review proposes? Yes. But we are also talking about a virus that, despite what some may choose to believe, is fatal.
    If a knife-wielding assailant had been running around town since March, randomly stabbing a couple of people a day, and part of the solution to stopping them was to examine payment data, it would be a brave privacy absolutist that stood in the way of that action. But that is the sort of vexed question of balance that now faces nations as they battle with the virus until a vaccine is hopefully rolled out.
    Magical thinking that some sort of automated dream system could be used was dismissed in the report. In a system where the stakes are this high, the option for humans to eyeball the data is essential, it said.
    “Importantly, whilst a fully digital contact tracing system can dramatically improve the efficiency of contact tracing, it will never replace the need for well-trained contact tracers and expert public health oversight,” the report stated.
    Similarly, even if the sort of data exchange desired by the report’s authors was created — one where data is not stored in the exchange and quickly pulls from disparate sources spread across all levels of government from airline passenger manifests to vaccination statuses, all the while simultaneously preserving as much privacy as possible — there are no guarantees it would work. In fact, the opposite is more likely.
    “Even with the best systems in place, outbreaks are likely to be unavoidable,” the report said.
    Trying to find the balance between wanting to clamp down on outbreaks as quickly as possible and preserving individual freedoms is and has been a job that looks different for every society: China and its door-welding approach has sat on one extreme while the individual-centric United States has been on the other.
    It’s tempting to think the measures taken would be temporary, and therefore unquestionably necessary, in the current situation of fighting the fight in front of us. But with parts of the Australian government apparatus stating last week that they are expecting other zoonotic pandemics to follow in the wake of COVID-19, the balances that are struck will be with us for some time.
    Adding to that, Australia is without any sort of human rights charter, a lone title among western democracies. Instead, it seems to operate on the famous Denuto vibe argument.
    “Australians do have a lack of understanding of the rights framework within Australia. They do think we have rights protected that we don’t have protected,” Law Council of Australia president Pauline Wright told the National Press Club on Wednesday.
    “Australians also, the data shows, are quite compliant to regulation. Australians like being regulated. They like rules and [when] something goes wrong, they say ‘there ought to be a law against that’ — and that is the way Australians behave.”
    Wright added that so far in the pandemic, it’s no surprise that Australians have been “fairly compliant”.
    “I think that we, in some ways, we can be proud of that because people who have been behaving as a collective and saying we want to protect other Australians and ourselves against this disease, so we will do this,” she added.
    “But that social compact will break down if the government takes it too far — it will break down. At the moment, it hasn’t, — apart from certain pockets.”
    Wright used the opportunity to argue for human rights legislation at the national level.
    As a first step, it would simply be nice if governments will tear down the apparatuses built since the start of the year when they are no longer needed. But if past form is any indicator, the omens are not good.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.