Less than a week after A360 attendees flew back to their pandemic home bases across the globe, at least 20 people, including not only those who were present at A360 but also some of their family members, had confirmed cases of covid-19.
Pandemic as business opportunity
When covid-19 first made its appearance in the United States, 59-year-old Diamandis, who has an MD from Harvard Medical School and degrees from MIT, was skeptical.
In mid-March, when six counties in the San Francisco Bay Area issued the nation’s first stay-at-home order, Diamandis tweeted, “We are witnessing the viral spread of fear that is definitively damaging both national economies and global markets” and, later, “The level of panic is doing as much damage.”
But ever the entrepreneur, Diamandis saw business opportunities in the pandemic. On March 26, the XPrize Foundation, which he chairs and which runs challenges using prize money to encourage innovative solutions to big problems, launched the XPrize Pandemic Alliance, with $7.5 million in prize money to fight covid-19.
He teamed up with Mei Mei Fu and Lou Reese, spouses and co-executives of biotech company United Biomedical. The three cofounded Covaxx, a vaccine development company that functions as a United Biomedical subsidiary (and is not to be confused with the global Covax effort to provide lower-income countries with vaccine doses).
Fu and Reese had already made news for providing free antibody testing for all residents of Colorado’s San Miguel County, home of Telluride, a resort town where many coastal millionnaires, including Fu and Reese, own second homes. “There are advantages to having biotech executives as neighbors,” as The Atlantic noted at the time.
In the days that followed, Diamandis praised the Chinese government’s “unprecedented” measures to contain the pandemic, from locking down an entire city to the “rapid national coordination of public action.”
Yet, by going through with the in-person portion of the Abundance 360 Summit, Diamandis ignored government notices and legal mandates implemented in the state of California.
Even A360’s parent company, Singularity University, had canceled its largest in-person gatherings due to the pandemic. “We have been closely monitoring the global pandemic situation and taking all measures to make sure our staff and program are safe. It’s been a difficult decision, but … we have decided to postpone our November SU Executive Program,” wrote Singularity staff in an email dated October 8.
As the fall wore on and positive cases, death rates, and hospitalizations in Southern California grew precipitously, some team members charged with marketing A360 were dismayed that the event was set to continue.
On November 30, James Del, Singularity University’s head of content, conveyed his team’s growing concerns to Diamandis in an email, copying Singularity University CEO Steve Leonard, Singularity investor and board member Erik Anderson, and A360 executive director Will Weisman.
In his email, which was shared with me, Del urged SU to “consider the appearance of hosting an in-person gathering as cases in Los Angeles shatter their own records daily.”
“The current restrictions in LA county ban gatherings nearly completely,” he continued. “Going out and inviting the entire SU community to a city that is under strict lockdown seems like a PR crisis waiting to happen, and I suggest that we strongly consider changing our marketing focus to digital only.”
Just days later, on December 3, California enacted a regional stay-home order, to be triggered when ICU capacity fell below 15%. The order went into effect on December 5 and prohibited private gatherings of any size, other than constitutionally protected religious services and protests; closed nonessential businesses, except for critical infrastructure and retail; and required 100% masking outside the home. It also banned the use of hotels and lodging for nonessential travel.
A360 made adjustments as well. It changed the meeting venue first from the Beverly Hilton to the Calamigos Ranch in Malibu, before finally settling on the XPrize Foundation’s office in Culver City. A360 also shifted where its guests would be staying, from a Four Seasons to Hotel Casa del Mar in Santa Monica. It cut the number of in-person attendees, from 127 to 16, as reported by Bloomberg in late December, before increasing numbers again to between 30 and 33 patrons, who each paid a $30,000 annual membership fee, according to conference materials I obtained.
Once speakers, A360 staff, and technical and support personnel were taken into account, however, at least 84 people were present, according to Diamandis’s own count. The event went ahead despite public health orders that made it clear that neither booking a hotel for nonessential travel nor the in-person gathering itself was permitted.
“A360 is an event I’ve committed to run for 25 years. That’s sort of an important hallmark of an event,” Diamandis told me in an interview, by way of explanation as to why he was so keen for it to take place in person. “We’re in year nine, and it has always been an in-person event.” He added that one day, “eventually A360 will be fully virtualized.”
When a conference isn’t a conference
On February 12, two days after Los Angeles Department of Public Health officials arrived at the doorstep of the XPrize office and had an “interaction” (as Diamandis described it) with Will Weisman and XPrize’s “operations person,” and just before a scheduled interview with me, Diamandis published his blog post, titled “A false sense of security.” In it, he wrote that he was “humbled and pained” by the experience, and detailed the precautions his team had taken to prevent covid-19 from entering and spreading in the “immunity bubble” they had created for the event.
In that same blog post, however, he also claimed that the event was not a conference at all, but a “virtual studio-broadcast production,” with patrons who were there because they had insisted on being there as a live audience.
“It was a pretty outspoken group saying, ‘We really want to come,’” he told me. “And that started a conversation around the lines of, Could this be done? Could we have a small studio audience, and do it safely?”
Diamandis said that the decision to move forward was done in consultation with an audio-visual company that he contracted, the name of which he could not remember during our interview, and two medical providers: Fountain Life, an anti-aging health and wellness company that he cofounded, and Matt Cook, an anesthesiologist and founder of a similar integrative medical company, BioReset.
A studio broadcast production would normally require a film permit. A360 did not apply for a permit from Film.LA, which handles filming requests for Culver City, where XPrize was located, both Diamandis and Film.LA confirmed. Diamandis suggested that because XPrize’s office often hosted web broadcasts, there was no need to apply separately for a film permit.
However, multiple employees recounted to me previous discussions on how A360 leadership might apply for filming or even religious exemptions to get around the ban on gatherings.
And even if the company had submitted an application, Culver City does not currently offer indoor filming permits, while the LA County Public Health Department’s protocol for music, television, and film production requires safety plans for special events to be approved 10 days in advance.
Additionally, the protocol does not allow live audiences of the general public, except for “small, hired audiences (50 people or fewer).” Given that the 30 or so patrons were not hired, but rather were paying upwards of $30,000 for their A360 memberships and event attendance, it is unlikely that they would meet this criterion.
Thank you for testing
On January 28, the day that the first employee tested positive for covid-19, the A360 team sent out a chipper email (subject line: “Please Re-Test / and Thank you!”) to event speakers and patrons, which a recipient shared with me.
“What an amazing few days! We’re hopeful that our extensive Covid PCR testing protocol has kept you and everyone safe,” wrote “Peter & the 360 team,” before sharing that “one of our team members unfortunately has come up positive,” and asking everyone to re-test and let A360 know if anyone “should feel ill, or test positive.”
This request for follow-up does not, however, appear to have been for the purpose of reporting clusters of cases to county public health authorities, as required by several California state laws.
CA Assembly Bill 685, for example, went into effect on January 1, 2021, and requires employers to notify both employees potentially exposed and the local public health agency if more than three people living in different households test positive for covid-19 in a two-week period.
Diamandis admitted that no one from his organization reported the positive cases to the public health department, and suggested that his and his team’s struggles with covid-19 could be to blame. “I’ve been in bed for days, as have half my staff, and we’re trying to figure out, you know, which way’s up and down,” Diamandis told me. “This is the first time we’ve been able to actually take a full accounting of where we are, what went wrong, and tell the story.”
Yet while they did not have time to report the cases to the authorities, A360’s leadership did find time to contain information about the outbreak.
On January 29, Weisman started a new group text among employees called “A360 Covid,” screenshots of which were provided to me. In it, he confirmed the names of two event attendees—an event speaker and a patron—who had tested positive. Then he instructed employees to keep the news quiet.
“Really important that there is no further outreach to a broader set of people,” he wrote. “There will be no further emails to attendees or vendors.”
Diamandis chimed in by text as well: “Let’s keep all Covid related data, ideas, and communications on this single channel, please.”
In the following days, employees used the thread to share their test results and symptoms. At first, they self-reported their results through a company contract with a private testing provider. But after one employee expressed frustration that he was testing negative despite what he felt were clear symptoms (and especially since a family member had already tested positive), Diamandis suggested that employees use a “spit test” conducted at Calamigos Ranch, the venue owned by a friend that was, at one point, slated to hold the event.
On at least one occasion after A360 employees switched their testing location to the ranch, an A360 staff member shared the results on the group text message thread. “All tests were negative, except [Employee name], with a strong positive!” she wrote. The employee in question responded, “Oh wow! Ya feeling good,” suggesting that this was the first time that he was informed of his own test results. He did not respond to multiple requests for comment.
When asked about the incident, Diamandis said that he was not aware of the text message exchange, then said that if it did occur as described, he would be worried. “Of course,” he said, there are “HIPAA approved processes,” referring to the law protecting health data.
Under HIPAA guidelines, “COVID-19 test results are considered confidential medical information under both [California] state and federal law,” which requires separate record keeping viewable “only by members of management with a true need to know,” according to a blog post by law firm Davis Wright Tremaine. Moreover, it says, “If an employee tests positive for COVID-19, the employer must not reveal the employee’s identity to others in the workplace.”
Additionally, according to CDC guidelines, “Employees undergoing testing should receive clear information on the manufacturer and name of the test, type of test, purpose of the test, reliability, limitations, who will pay, how to understand the results, who will receive the results, and consequences for declining a test.” Some A360 employees interviewed said that they were not comfortable with the testing performed at the ranch, and how close its owner was to their employer.
A360’s precautions, according to Diamandis’s blog post, included requiring everyone who attended to obtain a negative test 72 hours before attending, and then be tested immediately on arrival and on every subsequent morning of the event. But mask-wearing was not enforced, and there was no request to the participants to self-quarantine for any length of time before the gathering.
It has been known since early in the pandemic that the virus can incubate for several days before becoming detectable. Self-isolation would have been especially important for anyone arriving from further afield—like the participants traveling from overseas. The CDC recommends that travelers take a covid-19 test three to five days after traveling and then quarantine for a further seven days even if the test is negative.
Diamandis apparently believed that testing could be an infallible way to circumvent these evidence-based precautions. Under a section in the blog post titled “Lessons Learned,” he wrote of being “flabbergasted” to discover, a year into the pandemic, how unreliable some tests could be, when he used them on himself after developing symptoms and they still came back negative.
Who’s tracking positive cases?
In the post, Diamandis admitted that 24 people, including himself, had contracted covid-19. The actual numbers he cited, however, added up to only 21 people: 12 members/patrons attending the event, four faculty, and five A360 staff.
When asked to account for this discrepancy, he admitted that there could be two support staff who had tested positive. “Someone is tracking,” he said, though he said he was not sure who.
I asked whether another number, 32 positive cases, that I had calculated based on reporting, was plausible. Diamandis responded that “to include the family members who have had cases,” a total of 32 “seems probably low.”
His blog post also did not acknowledge that public health orders had banned gatherings between December 3 and January 25 in California. Diamandis would not respond when I asked whether he was aware that he was violating state health rules by holding his event. “I knew that there were challenges. But I don’t know that I want to answer that on the record,” he said.
“I am trying my very best to turn the situation to one where I can speak loudly and clearly, and share what I learned in a positive fashion, not get burned in the fire but use it to drive a spotlight on,” he told me. “Listen, I screwed up here.”
I asked how this “screw-up” reflected on his board leadership of a covid-19 vaccine company and an organization giving away $7.5 million in prize money to solve the challenges of covid-19, including encouraging mask-wearing.
“I’ll have to take a minute to think about that,” he said. “Let me send you an email.”
Rocket Lab could be SpaceX’s biggest rival
In the private space industry, it can seem that there’s SpaceX and then there’s everyone else. Only Blue Origin, backed by its own billionaire founder in the person of Jeff Bezos, seems able to command the same degree of attention. And Blue Origin hasn’t even gone beyond suborbital space yet.
Rocket Lab might soon have something to say about that duopoly. The company, founded in New Zealand and headquartered in Long Beach, California, is second only to SpaceX when it comes to launch frequency—the two are ostensibly the only American companies that regularly go to orbit. Its small flagship Electron rocket has flown 18 times in just under four years and delivered almost 100 satellites into space, with only two failed launches.
On March 1, the company made its ambitions even clearer when it unveiled plans for a new rocket called Neutron. At 40 meters tall and able to carry 20 times the weight that Electron can, Neutron is being touted by Rocket Lab as its entry into markets for large satellite and mega-constellation launches, as well as future robotics missions to the moon and Mars. Even more tantalizing, Rocket Lab says Neutron will be designed for human spaceflight as well. The company calls it a “direct alternative” to the SpaceX Falcon 9 rocket.
“Rocket Lab is one of the success stories among the small launch companies,” says Roger Handberg, a space policy expert at the University of Central Florida. “They are edging into the territory of the larger, more established launch companies now—especially SpaceX.”
That ambition was helped by another bit of news announced on March 1: Rocket Lab’s merger with Vector Acquisition Corporation. Joining forces with a special-purpose acquisition company, a type of company that ostensibly enables another business to go public without an IPO, will allow Rocket Lab to benefit from a massive influx of money that gives it a new valuation of $4.1 billion. Much of that money is going toward development and testing of Neutron, which the company wants to start flying in 2024.
It’s a bit of an about-face for Rocket Lab. CEO Peter Beck had previously been lukewarm about the idea of building a larger rocket that could launch bigger payloads and potentially offer launches for multiple customers at once.
But the satellite market has embraced ride-share missions into orbit, especially given the rise of satellite mega-constellations, which will probably make up most satellites launched into orbit over the next decade. Neutron is capable of taking 8,000 kilograms to low Earth orbit, which means it could deliver potentially dozens of payloads to orbit at once. As a lighthearted mea culpa, the introductory video for Neutron showed Beck eating his own hat.
Recovering from the SolarWinds hack could take 18 months
SolarWinds Orion, the network management product that was targeted, is used in tens of thousands of corporations and government agencies. Over 17,000 organizations downloaded the infected back door. The hackers were extraordinarily stealthy and specific in targeting, which is why it took so long to catch them—and why it’s taking so long to understand their full impact.
The difficulty of uncovering the extent of the damage was summarized by Brad Smith, the president of Microsoft, in a congressional hearing last week.
“Who knows the entirety of what happened here?” he said. “Right now, the attacker is the only one who knows the entirety of what they did.”
Kevin Mandia, CEO of the security company FireEye, which raised the first alerts about the attack, told Congress that the hackers prioritized stealth above all else.
“Disruption would have been easier than what they did,” he said. “They had focused, disciplined data theft. It’s easier to just delete everything in blunt-force trauma and see what happens. They actually did more work than what it would have taken to go destructive.”
“This has a silver lining”
CISA first heard about a problem when FireEye discovered that it had been hacked and notified the agency. The company regularly works closely with the US government, and although it wasn’t legally obligated to tell anyone about the hack, it quickly shared news of the compromise with sensitive corporate networks.
It was Microsoft that told the US government federal networks had been compromised. The company shared that information with Wales on December 11, he said in an interview. Microsoft observed the hackers breaking into the Microsoft 365 cloud that is used by many government agencies. A day later, FireEye informed CISA of the back door in SolarWinds, a little-known but extremely widespread and powerful tool.
This signaled that the scale of the hack could be enormous. CISA’s investigators ended up working straight through the holidays to help agencies hunt for the hackers in their networks.
These efforts were made even more complicated because Wales had only just taken over at the agency: days earlier, former director Chris Krebs had been fired by Donald Trump for repeatedly debunking White House disinformation about a stolen election.
How Apple’s locked down security gives extra protection to the best hackers
“It’s a double-edged sword,” says Bill Marczak, a senior researcher at the cybersecurity watchdog Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in and, once they’re inside, the impenetrable fortress of the iPhone protects them.”
Marczak has spent the last eight years hunting those top-tier hackers. His research includes the groundbreaking 2016 “Million Dollar Dissident” report that introduced the world to the Israeli hacking company NSO Group. And in December, he was the lead author of a report titled “The Great iPwn,” detailing how the same hackers allegedly targeted dozens of Al Jazeera journalists.
He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior—to the point where Marczak suspects they’re missing all but a small fraction of attacks because they cannot see behind the curtain.
This means that even to know you’re under attack, you may have to rely on luck or vague suspicion rather than clear evidence. The Al Jazeera journalist Tamer Almisshal contacted Citizen Lab after he received death threats about his work in January 2020, but Marczak’s team initially found no direct evidence of hacking on his iPhone. They persevered by looking indirectly at the phone’s internet traffic to see who it was whispering to, until finally, in July last year, researchers saw the phone pinging servers belonging to NSO. It was strong evidence pointing toward a hack using the Israeli company’s software, but it didn’t expose the hack itself.
Sometimes the locked-down system can backfire even more directly. When Apple released a new version of iOS last summer in the middle of Marczak’s investigation, the phone’s new security features killed an unauthorized “jailbreak” tool Citizen Lab used to open up the iPhone. The update locked him out of the private areas of the phone, including a folder for new updates—which turned out to be exactly where hackers were hiding.
Faced with these blocks, “we just kind of threw our hands up,” says Marczak. “We can’t get anything from this—there’s just no way.”
Beyond the phone
Ryan Storz is a security engineer at the firm Trail of Bits. He leads development of iVerify, a rare Apple-approved security app that does its best to peer inside iPhones while still playing by the rules set in Cupertino. iVerify looks for security anomalies on the iPhone, such as unexplained file modifications—the sort of indirect clues that can point to a deeper problem. Installing the app is a little like setting up trip wires in the castle that is the iPhone: if something doesn’t look the way you expect it to, you know a problem exists.
But like the systems used by Marczak and others, the app can’t directly observe unknown malware that breaks the rules, and it is blocked from reading through the iPhone’s memory in the same way that security apps on other devices do. The trip wire is useful, but it isn’t the same as a guard who can walk through every room to look for invaders.
Despite these difficulties, Storz says, modern computers are converging on the lockdown philosophy—and he thinks the trade-off is worth it. “As we lock these things down, you reduce the damage of malware and spying,” he says.
This approach is spreading far beyond the iPhone. In a recent briefing with journalists, an Apple spokesperson described how the company’s Mac computers are increasingly adopting the iPhone’s security philosophy: its newest laptops and desktops run on custom-built M1 chips that make them more powerful and secure, in part by increasingly locking down the computer in the same ways as mobile devices.
“iOS is incredibly secure. Apple saw the benefits and has been moving them over to the Mac for a long time, and the M1 chip is a huge step in that direction,” says security researcher Patrick Wardle.