More stories

  • Okta releases new starter plan for developers with free support for up to 15k monthly users

    Authentication and identity platform Okta is releasing a revamped developer experience that features improved documentation, new integrations and support for up to 15,000 monthly active users on a free plan. For context, Okta’s existing free plan caps monthly active users at 1,000, making this new release significantly more useful for small business applications. 

    Okta, which is holding its Oktane21 virtual developer conference this week, is pitching the new developer experience as a toolkit that makes it easier for developers to embed the company’s authentication, access management and customer identity products across software supply chains in hybrid, cloud-native, or multi-cloud environments.

    The Okta Starter Developer Edition includes a redesigned console that the company said delivers full application development lifecycle support, as well as new integrations with DevOps, SecOps, and API security tooling. New integrations include Heroku to automate identity across CI/CD pipelines, Kong to protect APIs, and an updated Okta Terraform provider to replicate Okta configuration across environments.

    “Okta’s vision is to enable everyone to safely use any technology,” said Diya Jolly, Okta’s chief product officer. “Developers are foundational to bringing that vision to life, and it’s our goal to make every piece of the development process easier with Okta. Developers can ramp up at no cost with the Starter Developer Edition, and our reimagined developer experience delivers tools that seamlessly work with developers’ toolchains across whatever hybrid, cloud, or multi-cloud environment they’re building on.”

    Last month, Okta announced plans to acquire customer identity and access vendor Auth0 for $6.5 billion. In addition to expanding Okta’s total addressable market with Auth0’s identity and access management portfolio, the deal also gives Okta a way to reach developers and extend its platform. Auth0 has a free plan and then developer versions for the B2C and B2B markets. The new Okta Starter Developer Edition and integrations are generally available starting today.

  • Best bitcoin hardware wallet in 2021

    If you dabble in bitcoin or other cryptocurrencies, then you may be able to get away with storing your private keys in a software wallet. But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.

    A cutting-edge hardware wallet

    Here we have a compact hardware wallet that not only holds your cryptocurrency private keys but can also be used to store passwords and even serve as a U2F hardware token. The Trezor Model T is easy to use thanks to its touchscreen display. Another nice feature of the Model T is that it is quick and easy to set up; you can be up and running after going through three simple setup steps.

    $179 at Amazon

    Everything is protected by a PIN code

    This is a hardware bitcoin wallet that looks like a USB flash drive. The Ledger Nano S supports more than 30 different cryptocurrencies (including Bitcoin, Ethereum, XRP, Bitcoin Cash, EOS, Stellar, Dogecoin, and many more), and all ERC20 tokens, and everything is protected by an 8-digit PIN code.

    $51 at Amazon

    For those who want high security

    This is the hardware wallet for those who are ultra-paranoid or who want high security. The ColdCard Mk3 device is a high-security device that is built around high-security hardware and open-source software. It also features a brilliant OLED display and a full-sized numeric keypad.

    You can augment the ColdCard with a range of accessories, including an adapter that allows you to power the ColdCard from a 9V PP3 battery, protecting you from attacks that might make use of a compromised USB charger.

    $120 at Coinkite

    Fireproof, waterproof, shockproof, and hacker-proof

    Made from indestructible 316-marine grade stainless steel, this is a cold storage cryptocurrency wallet that’s designed and built to be fireproof, waterproof, shockproof, and hacker-proof. This is the perfect tool for keeping your seed phrases secure, which would allow you to recover your private keys in the event that you lose or break your electronic hardware wallet.

    $106 at Amazon

    What is a bitcoin wallet?

    A bitcoin wallet is a device that stores and manages the private keys you hold for your cryptocurrency. They act much like how you keep money in your wallet or purse, or how your bank details are stored on your credit or debit cards.

    What are the different kinds of cryptocurrency wallets?

    There are two kinds of wallets: hardware and software. A software wallet is an app that lives on your computer or smartphone, or even on the web, while a hardware wallet is a separate physical device (much like a wallet or purse). This hardware wallet is connected to a PC or mobile device to carry out transactions.

    Software wallets range in price from free to, well, not free, so they are great for those starting out. Since hardware wallets cost you money, there’s a financial investment that you have to make right from the beginning.

    Why do you need a hardware wallet?

    It’s important to note that you don’t need a hardware wallet to buy, store, or send bitcoins or any other cryptocurrency. Some people hold many thousands of dollars in bitcoin or other cryptocurrencies and don’t use a hardware wallet.

    However, where hardware wallets shine is the improved security that they offer compared to an app that lives on a smartphone, computer, or in the cloud. Having a device that puts an air gap between your private keys and other apps, the internet, and the bad guys offers vastly improved security from hackers and viruses. Hardware bitcoin wallets put you in complete and total control over your private keys.

    What are the pros and cons of hardware crypto wallets?

    Pros

    Improved security: Total air gap between your private keys and everything else.

    Better control: You hold your keys and can keep them separate from all your other devices.

    Easy transportation: Bitcoin hardware wallets are small and easily transported. But they can also be stored securely in a safe or safety deposit box.

    No reliance on a third-party app or web service: Apps and services come and go.

    Cons

    Cost: Hardware bitcoin wallet solutions aren’t free.

    Extra complexity: There’s always a learning curve with hardware, and some bitcoin wallets have quite advanced features that will have you reaching for the manual.

    Loss, destruction, theft: Hardware can break, be lost, be stolen, become obsolete, or succumb to all sorts of mishaps.

    Another thing to take care of: If you need to make a transaction, you’ll need your wallet!

    What should you consider when buying a cryptocurrency hardware wallet?

    Yes, a hardware bitcoin wallet offers greater security, but you still need to make sure that you are buying a decent device from a reputable source.

    You also need to decide how much security you need. For some, having the air gap of a separate wallet is good enough, while others will feel the need to beef up security, and have a device that offers higher levels of security, biometrics, and even isolating the device from possible sources of attack, such as USB chargers.

    You also need a backup, just in case. Maybe this is another hardware wallet, or maybe you’re going to go for a “cold storage” solution that might include having your private keys printed on paper, or even engraved, stamped, or etched into metal.

    Another consideration is price. Unless you’re planning to hold huge cryptocurrency investments, then it might sting a bit to spend over $100 on a wallet.

    How did we choose these cryptocurrency hardware wallets?

    There are a number of factors to consider here.

    Price: Not everyone wants to spend $200 on a wallet.

    Durability: A broken hardware wallet can leave you hating life (not to mention down the cost of the hardware), so choosing something that will last is a good investment.

    Reputable manufacturer: You could be trusting thousands of dollars of cryptocurrency to a hardware wallet, so you want to know that your wallet has been made by a reputable company with a track record in delivering secure and reliable products.

    Ease of use: Setting up a hardware wallet can be daunting enough, but it can be made all the more difficult if the documentation is poor (or non-existent) or the device itself is quirky and unpredictable.


  • SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications

    Researchers have warned that critical vulnerabilities in unpatched SAP applications are being widely exploited by cyberattackers worldwide. 

    On Tuesday, SAP and Onapsis jointly released a report on the activities, in which security flaws with CVSS severity scores of up to 10, the highest possible, are being weaponized. SAP applications are used by an estimated 400,000 enterprise organizations worldwide. While SAP is not aware of any direct customer-related breaches due to these activities, both the vendor and Onapsis say that there were at least 1,500 SAP application-related attack attempts tracked between June 2020 and March 2021, and at least 300 were successful.

    The joint report says that enterprise resource planning, customer relationship management software, and supply chain systems — among others — are being targeted. SAP issues security fixes for its products on a monthly basis, alongside organizations including Microsoft and Adobe. However, the companies say that the critical issues being exploited are not being fixed by customers — and in some cases, vulnerable, internet-facing SAP applications are laden with bugs that remained unpatched for months, or even years.

    Six vulnerabilities, in particular, are noted in the report as being actively exploited:

    CVE-2020-6287 (CVSS 10): Also known as RECON, this remotely exploitable bug in SAP NetWeaver/Java was caused by a failed authentication check. No privileges are required and upon exploit, this vulnerability leads to the creation of admin accounts and full system hijacking. A patch was issued on July 14, 2020, but Onapsis says attack activity utilizing this bug continues today.

    CVE-2020-6207 (CVSS 10): Impacting SAP Solution Manager (SolMan) version 7.2, this critical flaw permits attackers to obtain full administrative control over the hub of an organization’s SAP setup. Proof-of-Concept (PoC) code was released for the security flaw following a patch issued by SAP on March 10, 2020. Exploit attempts have “increased significantly” since the release of the working PoC exploit code.

    CVE-2018-2380 (CVSS 6.6): This older vulnerability impacts the vendor’s SAP NetWeaver-based CRM solution and can be triggered to perform privilege escalation and to execute commands, eventually allowing for lateral movement through a corporate network. A patch was released on March 1, 2018.

    CVE-2016-9563 (CVSS 6.4): Patched in August 2016, this vulnerability impacts a component in SAP NetWeaver/JAVA version 7.5, leading to remote — but low-privilege — authenticated attacks.

    CVE-2016-3976 (CVSS 7.5): Also found in SAP NetWeaver/JAVA, this security flaw, patched in March 2016, permits remote attackers to read arbitrary files via directory traversal sequences, leading to information leaks and potentially privilege escalation if they are able to access the right resources.

    CVE-2010-5326 (CVSS 10): A critical vulnerability caused by an authentication failure in the Invoker Servlet within SAP NetWeaver Application Server/JAVA platforms. The security flaw allows attackers to gain full control of SAP business processes. In 2016, the US Department of Homeland Security (DHS) issued an alert on the active exploit of this bug, which continues to this day.

    In addition, the report says that the window for patching is “significantly smaller than previously thought,” with some SAP vulnerabilities becoming weaponized in less than 72 hours after public disclosure.

    “Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” the companies say. “These threats may also have regulatory compliance implications for organizations that have not properly secured their SAP applications processing regulated data.”

    CISA has also issued an alert on these activities.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Industries critical to COVID-19 response suffer surge in cloud cyberattacks

    Industries and organizations critical to the fight against COVID-19 have faced a surge in cyberattacks due to their rapid transition to cloud platforms in light of the pandemic.

    When the world first began to take notice of the global spread of COVID-19, organizations across the globe suddenly found themselves unable to maintain typical working practices. Offices were shut, stay-at-home orders imposed, and consumer demands could often only be met through deliveries, virtual services, and e-commerce platforms.

    As a result, the wider enterprise and SMBs alike began making quick transitions from on-prem and legacy systems to the cloud, in order to facilitate remote working models and to pursue new business opportunities. Enterprise cloud spending is estimated to have increased by 28% in Q2 2020 alone, year-over-year.

    However, according to Palo Alto Networks’ latest cloud threat report, published on Tuesday, shifting workloads so quickly to the cloud has also meant that businesses are struggling, months later, to manage and automate cloud security — and have created chasms in company security that can be exploited.

    Industries critical to COVID-19 management have suffered a particular uptick in cloud security incidents. According to the report, retail, manufacturing, and government entities have been struck hardest with attack attempts increasing by 402%, 230%, and 205% respectively during the pandemic. Chemical manufacturing and science/research organizations, unsurprisingly, became key targets for cyberattackers due to COVID-19. Notable examples include attacks on vaccine manufacturers and the European Medicines Agency (EMA).

    According to Unit 42 data and scans, the most common security issues present in COVID-19-related industries are:

    “This trend is not surprising; these same industries were among those facing the greatest pressures to adapt and scale in the face of the pandemic — retailers for basic necessities, and manufacturing and government for COVID-19 supplies and aid,” Unit 42 says. “[..] Although the cloud allows businesses to quickly expand their remote work capabilities, automated security controls around DevOps and continuous integration/continuous delivery (CI/CD) pipelines often lag behind this rapid movement.”

    However, not every industry is equal, and some are doing better than others in attempts to secure their cloud workloads. Access logging controls, access key rotation, and version control in cloud storage containers — a way to keep track of changes, implement them, and perform maintenance across cloud systems — are some of the methods that can be employed to increase cloud security.

    The team did find, however, that publicly exposed cloud systems, which may leak personally identifiable information (PII) belonging to clients or employees — as well as sensitive corporate data — continue to be a problem. The numbers are high: an estimated 30% of organizations that utilize cloud hosting services are believed to be leaking some type of private content online, with access control issues blamed for such widespread exposure.

    Unit 42 recommends that businesses focus on gaining visibility into their cloud workloads, keeping an eye on storage configurations, and both adopting and enforcing security standards in DevOps, all of which can mitigate the threat of attack or accidental data leaks.

  • Meet Janeleiro: a new banking Trojan striking company, government targets

    A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. 

    On Tuesday, ESET published an advisory on the malware, which has been in development since 2018. Dubbed Janeleiro, the Trojan appears to be focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors including healthcare, engineering, retail, finance, and manufacturing. Operators have also attempted to use the malware when infiltrating government systems.

    According to the researchers, the Trojan is similar to others currently operating across the country — such as Casbaneiro, Grandoreiro, and Mekotio — but is the first detected that is written in .NET, rather than Delphi, which is usually favored.

    Phishing emails, sent in small batches, are sent to corporate targets pretending to relate to unpaid invoices. These messages contain links to compromised servers and to the download of a .zip archive hosted in the cloud. If the victim unzips this archive file, a Windows-based MSI installer then loads the main Trojan DLL.

    “In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times,” ESET says. “This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct.”

    The Trojan will first check the geolocation of the target system’s IP address. If the country code is other than Brazil, the malware will exit. However, if the check is passed, the malware will then collect a variety of operating system data and will grab the address of its command-and-control (C2) server from a dedicated GitHub page.

    Janeleiro is used to create fake pop-up windows “on-demand,” such as when banking-related keywords are detected on a compromised machine. These pop-ups are designed to appear to be from some of the largest banks across Brazil and they request the input of sensitive and banking details from victims.

    The malware’s command list includes options for controlling windows, killing existing browser sessions — such as those launched in Google Chrome — capturing screens, keylogging, and hijacking clipboard data, among other functions. The operator of the Trojan appears to prefer a hands-on approach and may control the windows remotely, in real-time.

    Most malware operators at least make a token attempt to conceal their activities. In this case, code obfuscation is light but there is no attempt to circumvent existing security software and no custom encryption. The operator uses GitHub, a code repository, to host files containing C2 server lists to manage Trojan infections. These repositories are updated on a daily basis.

    As of March, four variants of Janeleiro have been detected in the wild, although two share the same internal version number. Some samples have been packaged together with a password stealer in attacks, which suggests “the group behind Janeleiro has other tools in their arsenal,” according to the team.

    ESET says that GitHub has been made aware of the threat actor’s account and abuse of the platform. The page has now been disabled and the owner suspended.

    “GitHub values the contributions of our security research community and is committed to investigating reported security issues,” a GitHub spokesperson told ZDNet. “We disabled the page in accordance with our Acceptable Use Policies, following the report that it was using our platform maliciously.”

  • FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploited

    US agencies have warned that advanced persistent threat (APT) groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

    Last week, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (.PDF) warning that cyberattackers are actively scanning for systems that have not had patches applied to resolve three severe vulnerabilities. Fortinet FortiOS, an operating system underpinning Fortinet Security Fabric, is a solution designed to improve enterprise security, covering endpoints, cloud deployments, and centralized networks.

    The agencies say that CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 are being exploited. Each of these vulnerabilities is known and patches have been issued by the vendor, but unless IT administrators apply the fixes, Fortinet FortiOS builds remain open to compromise.

    CVE-2018-13379: Issued a CVSS severity score of 9.8, this path traversal vulnerability impacts the FortiOS SSL VPN portal and can permit unauthenticated attackers to download system files through malicious HTTP requests. Affected releases are FortiOS 5.4.6 to 5.4.12 (5.4 branch), 5.6.3 to 5.6.7 (5.6 branch), and 6.0.0 to 6.0.4 (6.0 branch).

    CVE-2020-12812: This improper authentication issue, also found in FortiOS SSL VPN, has earned a CVSS score of 9.8 as it permits users to log in without being prompted for second-factor authentication if they change the case of their username. FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below contain this bug.

    CVE-2019-5591: With a CVSS score of 7.5, this vulnerability is a default configuration problem in FortiOS 6.2.0 and below that can allow unauthenticated attackers — on the same subnet — to intercept sensitive data by impersonating an LDAP server.
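    The CVE-2020-12812 description above (a second-factor prompt that is skipped when the username's case is changed) is one instance of a general bug class: two identity decisions that canonicalize the same username differently. The Python below is an added example, not Fortinet's code and not a reconstruction of FortiOS internals; it uses constructed sample accounts to show a case-insensitive credential check paired with a case-sensitive MFA policy lookup, beside a hardened login that canonicalizes once and fails closed when no policy entry exists.

```python
"""Illustrative bug class (added example, not FortiOS code): a login handler
whose backend matches usernames case-insensitively while its per-user MFA
policy table is keyed by the exact string the administrator typed."""
import unicodedata

# Constructed sample directory: plaintext secrets are used only to keep the
# example short; a real backend would verify a password hash.
DIRECTORY = {"alice": "correct-horse", "bob": "hunter2"}

# Constructed MFA policy, keyed by the username exactly as an admin entered it.
MFA_REQUIRED = {"alice": True, "bob": False}


def directory_authenticate(username: str, password: str) -> bool:
    """Backend credential check that matches usernames case-insensitively,
    as many LDAP/AD-backed deployments do."""
    stored = DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def login_vulnerable(username: str, password: str, otp_ok: bool) -> str:
    """Vulnerable pattern: the MFA lookup uses the raw username as its key
    and a missing entry defaults to 'no MFA'. A differently cased spelling
    of a protected account therefore authenticates but is never prompted."""
    if not directory_authenticate(username, password):
        return "denied"
    if MFA_REQUIRED.get(username, False) and not otp_ok:
        return "mfa-required"
    return "granted"


def canonical_username(username: str) -> str:
    """Single canonical form used for every identity decision: Unicode
    compatibility normalization, whitespace trim, then case folding."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


# The policy table is canonicalized the same way as incoming usernames, so
# an entry typed as "Alice" by an admin still matches a login as "alice".
MFA_POLICY = {canonical_username(k): v for k, v in MFA_REQUIRED.items()}


def login_hardened(username: str, password: str, otp_ok: bool) -> str:
    """Hardened pattern: canonicalize once, reuse the canonical key for both
    the credential check and the policy lookup, and fail closed (treat an
    account with no explicit policy entry as MFA-required)."""
    user = canonical_username(username)
    if not directory_authenticate(user, password):
        return "denied"
    if MFA_POLICY.get(user, True) and not otp_ok:
        return "mfa-required"
    return "granted"


if __name__ == "__main__":
    # The same valid password, no OTP: only the spelling of the name differs.
    print("vulnerable, 'alice':", login_vulnerable("alice", "correct-horse", False))
    print("vulnerable, 'Alice':", login_vulnerable("Alice", "correct-horse", False))
    print("hardened,   'Alice':", login_hardened("Alice", "correct-horse", False))
```

    The vulnerable handler returns "mfa-required" for "alice" but "granted" for "Alice", which is the behaviour the advisory describes; the hardened handler returns "mfa-required" for every spelling. The fail-closed default matters as much as the canonicalization: with a fail-open default, any account absent from the policy table is silently exempt from the second factor.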

    According to the advisory, APTs are scanning with a particular focus on open, vulnerable systems belonging to government, technology, and commercial services.

    “The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the agencies say. “APT actors may use other CVEs or common exploitation techniques — such as spear phishing — to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

    CVE-2018-13379 was resolved in May 2019, followed by CVE-2019-5591 in July of the same year. A patch was issued for CVE-2020-12812 in July 2020.

    “The security of our customers is our first priority,” Fortinet said in a statement. “[…] If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”

  • Third-party security breach compromises data of Singapore job-matching service

    Personal details of 30,000 individuals in Singapore may have been illegally accessed, following a security breach that targeted a third-party vendor of job-matching organisation Employment and Employability Institute (e2i). The institute was notified of the incident three weeks ago, on March 12. It added that the relevant authorities had been notified of the breach, including the police, Personal Data Protection Commission (PDPC), and Cyber Security Agency’s Singapore Computer Emergency Response Team.

    E2i’s platform brings together employers and workers, offering various services that include job-matching, skills training, and career guidance. The institute is an initiative of the National Trades Union Congress (NTUC), the country’s only trade union confederation, which comprises, amongst others, 59 unions and five associations. NTUC’s core committee includes Members of Parliament Koh Poh Koon and Heng Chee How.

    Users affected by the breach had participated in events organised by e2i or used its services between November 2018 and 12 March 2021, including job fairs, employability workshops or career coaching. Their personal data were shared with appointed vendors for “relevant employability services purposes”, the institute said.

    E2i did not elaborate on why it took more than three weeks to announce the breach, but said in its statement Monday that it had “taken time” to make an impact assessment given the “complexity” of investigations into the incident.

    It noted that malware had infected the email account of an employee at the third-party vendor, i-vic International, leading to unauthorised access to the mailbox, which held personal data of the affected 30,000 individuals. These details included names, identification numbers, contact information, educational qualifications, and employment history. Affected individuals would be notified via email, SMS, or phone, it added.

    E2i said it had worked with i-vic to determine the extent and nature of the data breach, and deployed “mitigation measures” to beef up the security of the latter’s email and network systems. E2i added that “constant checks” would be carried out on both its system as well as the third-party vendor’s to identify any further potential vulnerabilities.

    “Although the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us,” the institute’s CEO Gilbert Tan said in the statement. It added that it would review the “cybersecurity standards of our vendors” to prevent further breaches.

    The latest incident was one of several third-party breaches to have impacted local organisations this year, compromising personal data of 580,000 Singapore Airlines’ frequent flyer members and 129,000 Singtel customers.

  • Technology could make fighting COVID less restrictive but privacy will take a hit

    Now that the world has completed a full circuit around the Sun with COVID as a passenger, it is possible to see which jurisdictions responded well, and which are still struggling to come to grips with the virus.

    Two of the nations held up as exemplars of how to fight COVID were Taiwan and New Zealand, but the approaches were very different: one has locked down parts of its population multiple times, and the other, with more experience of respiratory viruses, has avoided such approaches.

    A recent academic paper published in the Journal of the Royal Society of New Zealand examined the two nations and raised a number of questions that deserve to be considered in light of a year of lockdowns, contact tracing, outbreaks, and other restrictions on the movement of people.

    The central push of the paper is that as New Zealand has kept individual privacy as a paramount concern, this has led directly to the use of city or nationwide lockdowns, which it has labelled as a blunt instrument. “An approach not much more advanced than techniques to mitigate the Spanish Flu pandemic over a century ago,” the paper states.

    By contrast, the paper contends that Taiwan was more successful because it embraced technology, particularly big data analysis, and was able to prepare the population, following SARS and MERS, so it could use such tactics for the coronavirus pandemic. “This new strategy aimed to link real-time medical information, location [from cell towers], and contact data of infected individuals (confirmed or suspected) to assist curbing the spread of future diseases,” the paper states.

    When someone entered Taiwan, an “electronic digital fence” system which monitored a person’s cell phone location was used to enable people to quarantine at home, rather than in a hotel quarantine system. “If a person in quarantine left their home, or their phone died and thus stopped transmitting a signal, local police and health or civil affairs agencies would be notified,” the paper said. “This system was complemented by random health-checks, community policing and phone calls from health officials and public authorities to ensure compliance. Individuals who did not have a cell phone capable of sharing location data were provided with one at the border.”

    The system allowed people to have a degree of autonomy during quarantine, the paper said, at the cost of having their location tracked by the government. To someone living in a country that has seen secondary lockdowns put in place, sometimes lasting 112 days, after breaches in hotel quarantine, this system sounds particularly attractive. The retort that mobile phone location tracking is an imposition holds little water when, under current systems, people are locked in a hotel room for 14 days precisely so that the authorities know exactly where they are.

    While Taiwan has the legislation in place to enable it to combine disparate datasets for the purposes of fighting a health emergency, New Zealand health authorities have “less freedom” in that respect and the nation’s Privacy Act reigns supreme. This has led to NZ relying on an opt-in model for its QR code and Bluetooth-driven COVID Tracer app. And while the app has 3 million downloads in a country of 5 million people, that does not mean it is being used.

    Last month, on the other side of the Tasman, the Australian Digital Transformation Agency revealed that it has spent AU$6.7 million on a similarly opt-in app that has only found 17 cases, and currently costs AU$100,000 a month to keep running.

    If there is one thing the past year has shown, it is that thinking a population will install and use an opt-in app for contact tracing is misplaced. “The reliance upon opt-in models and a consent model of privacy will not resolve many of the limitations found in the current New Zealand approach, as evidenced by the COVID-19 response,” the paper argues. “In fact, there are few, if any, examples globally where such models have been able to provide the level of accuracy found in Taiwan where the benefits have been seen in less strict (but nevertheless long term) social distancing rules and improved freedom of movement and association at the expense of aspects of personal privacy.”

    The paper contrasted the approaches when each nation was faced with outbreaks. After a visit from the Diamond Princess, which would end up being quarantined in Yokohama, Taiwan pulled together payment information, positioning data of shuttle buses from the ship, and CCTV footage to identify residents who might have been in contact with infected cruise ship passengers. “The data collated was then compared with the data of Taiwanese residents who had carried a mobile phone within 500 metres of the possibly infected individuals,” the paper states. “If they had been in these locations for more than five minutes they were classified as people possibly infected by the passengers of the cruise ship.”

    Meanwhile in New Zealand in August, after 100 days without the virus in the nation, it escaped. “NZ was reliant on manual contact tracing efforts, and potentially the COVID Tracer app (although reports suggest that it was only used in a few cases) and then had to turn to the blunt instrument of a lockdown when the contact tracing system could not keep up,” the paper said. “This lockdown was effective, but at great cost economically (and to civil liberties). Taiwan’s greater use of personal information and data sharing appears to have allowed for COVID-19 to be contained with less disruption than experienced in New Zealand, using more ‘traditional’ mechanisms.”

    In the months since this column raised the privacy dilemma at the heart of living with COVID, most of Australia’s capital cities have seen lockdowns of various lengths, sometimes lasting only a handful of days when case numbers did not rise, and often accompanied by states other than New South Wales throwing up hard borders at a moment’s notice. Travelling interstate has now become a gambling-style decision that Australians think about, and the thought of how to get back home quickly is one that demands consideration.

    As the paper highlights, there is another approach that needs to be considered by authorities. The Taiwanese approach is particularly draconian on the individual privacy front, and while it would fail to get off the mark in an American context, it might be useful in the Australian one, for instance. Thanks to a combination of authoritarian inclinations and political cowardice, Australia already has a store of the location of every resident for two years, and the general public doesn’t seem to care about the privacy imposition. Given that access to that store has not been used primarily for severe crimes like terrorism, unlike the sales pitch and promises it arrived with, why not use the data retention system to enhance and speed up the response to COVID outbreaks? If the privacy of Australians is already under the pump, we might as well get some public good from it.

    The balance between privacy and emergency measures will be different for everyone. There is too much culture, history, and acceptance of things in one place that are unacceptable to others. But after more than a year, the least each nation can do is look to improve how they respond to the virus, rather than dealing with the same situation with the same playbook we walked into early 2020 with. As vaccine deployments progress, the end of the pandemic could be near, but as Taiwan has shown, the time we have could be used to prepare for the next emergency, and discuss what works for our societies.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.