Pang says he spent three weeks trying to sign into VAMS, but he constantly ended up in the dashboard for patients instead of clinic administrators. In the meantime, his staff was vaccinating hundreds of people a day and keeping track of their information on paper forms. The college set up a bank of volunteers to sit in a room and copy all the information into VAMS.
Eventually, the local hospital helped him get signed into the system. The clinic used it for three days. On the last day, 20 new volunteers came in ready to work. But they’d already signed into VAMS to get their mandatory shots, and there was no way to switch them from patient accounts to staff ones.
The next day, they went back to paper.
“A good system is easier to use than it is not to use. If people are writing this on paper, there’s something wrong,” says Stone. “How are you going to do 100 million shots in 100 days and have someone enter it all in by hand?”
“There is zero way it’ll happen without help”
“VAMS is fussy. There’s days when VAMS works, and days when VAMS doesn’t work,” says Courtney Rowe, a pediatric urologist at Connecticut Children’s Medical Center, who has been volunteering to monitor people for reactions after their shots. She takes it as an opportunity to help people get set up for their second appointments. “I basically function as tech support,” she says.
Online sign-ups are especially challenging for older people, perhaps the worst group to beta-test a new system. Many seniors probably lost their internet access when libraries and senior centers closed; only 59% have broadband connections at home, according to a 2019 Pew survey. While many states offer phone lines for making appointments, people around the country have complained about endless waits.
“It won’t work on Internet Explorer; it only works in Chrome. The ‘Next’ button is all the way down and to the right, so if you’re on a cell phone, you literally can’t see it,” says Rowe. “In the first round, people using VAMS mostly had advanced degrees. If you’re 75 and someone asks you to log into VAMS, there is zero way it’ll happen without help.”
After I spoke with Rowe, Connecticut opened up vaccinations to anyone over 70. Her prediction came true immediately. On the first day of a new vaccination clinic in Vernon, Connecticut, 204 vaccines were ready but only 52 seniors had made appointments in VAMS.
“Our residents, and those from around the state that we’re serving at this clinic, are frustrated, angry, and confused by the ineffectiveness of this registration system,” town administrator Michael Purcaro said at a press conference.
Elderly people aren’t the only ones who will struggle if vaccination requires online sign-up. Language barriers will become a significant problem, especially for non-native English speakers doing high-risk essential work. People in rural or poor urban areas often have limited access to the internet in the first place, a problem disproportionately affecting the same Black and Latino communities that have suffered the worst traumas of the pandemic.
“There are some real equity concerns,” says Stone. “What happens when you go to a city and 20% of the population can’t get the notices?”
So what went wrong? In an email, a CDC spokesperson defended the system and said that appointments are not randomly canceled, despite what many clinicians have claimed: the problem, she said, was user error. She also outlined several fixes that have been made in response to feedback. VAMS now includes warnings when administrators do something that might change patient appointments, for example.
Rocket Lab could be SpaceX’s biggest rival
In the private space industry, it can seem that there’s SpaceX and then there’s everyone else. Only Blue Origin, backed by its own billionaire founder in the person of Jeff Bezos, seems able to command the same degree of attention. And Blue Origin hasn’t even gone beyond suborbital space yet.
Rocket Lab might soon have something to say about that duopoly. The company, founded in New Zealand and headquartered in Long Beach, California, is second only to SpaceX when it comes to launch frequency—the two are ostensibly the only American companies that regularly go to orbit. Its small flagship Electron rocket has flown 18 times in just under four years and delivered almost 100 satellites into space, with only two failed launches.
On March 1, the company made its ambitions even clearer when it unveiled plans for a new rocket called Neutron. At 40 meters tall and able to carry 20 times the weight that Electron can, Neutron is being touted by Rocket Lab as its entry into markets for large satellite and mega-constellation launches, as well as future robotics missions to the moon and Mars. Even more tantalizing, Rocket Lab says Neutron will be designed for human spaceflight as well. The company calls it a “direct alternative” to the SpaceX Falcon 9 rocket.
“Rocket Lab is one of the success stories among the small launch companies,” says Roger Handberg, a space policy expert at the University of Central Florida. “They are edging into the territory of the larger, more established launch companies now—especially SpaceX.”
That ambition was helped by another bit of news announced on March 1: Rocket Lab’s merger with Vector Acquisition Corporation. Joining forces with a special-purpose acquisition company, a type of company that ostensibly enables another business to go public without an IPO, will allow Rocket Lab to benefit from a massive influx of money that gives it a new valuation of $4.1 billion. Much of that money is going toward development and testing of Neutron, which the company wants to start flying in 2024.
It’s a bit of an about-face for Rocket Lab. CEO Peter Beck had previously been lukewarm about the idea of building a larger rocket that could launch bigger payloads and potentially offer launches for multiple customers at once.
But the satellite market has embraced ride-share missions into orbit, especially given the rise of satellite mega-constellations, which will probably make up most satellites launched into orbit over the next decade. Neutron is capable of taking 8,000 kilograms to low Earth orbit, which means it could deliver potentially dozens of payloads to orbit at once. As a lighthearted mea culpa, the introductory video for Neutron showed Beck eating his own hat.
Recovering from the SolarWinds hack could take 18 months
SolarWinds Orion, the network management product that was targeted, is used in tens of thousands of corporations and government agencies. Over 17,000 organizations downloaded the infected back door. The hackers were extraordinarily stealthy and specific in targeting, which is why it took so long to catch them—and why it’s taking so long to understand their full impact.
The difficulty of uncovering the extent of the damage was summarized by Brad Smith, the president of Microsoft, in a congressional hearing last week.
“Who knows the entirety of what happened here?” he said. “Right now, the attacker is the only one who knows the entirety of what they did.”
Kevin Mandia, CEO of the security company FireEye, which raised the first alerts about the attack, told Congress that the hackers prioritized stealth above all else.
“Disruption would have been easier than what they did,” he said. “They had focused, disciplined data theft. It’s easier to just delete everything in blunt-force trauma and see what happens. They actually did more work than what it would have taken to go destructive.”
“This has a silver lining”
CISA first heard about a problem when FireEye discovered that it had been hacked and notified the agency. The company regularly works closely with the US government, and although it wasn’t legally obligated to tell anyone about the hack, it quickly shared news of the compromise with sensitive corporate networks.
It was Microsoft that told the US government federal networks had been compromised. The company shared that information with Wales on December 11, he said in an interview. Microsoft observed the hackers breaking into the Microsoft 365 cloud that is used by many government agencies. A day later, FireEye informed CISA of the back door in SolarWinds, a little-known but extremely widespread and powerful tool.
This signaled that the scale of the hack could be enormous. CISA’s investigators ended up working straight through the holidays to help agencies hunt for the hackers in their networks.
These efforts were made even more complicated because Wales had only just taken over at the agency: days earlier, former director Chris Krebs had been fired by Donald Trump for repeatedly debunking White House disinformation about a stolen election.
How Apple’s locked down security gives extra protection to the best hackers
“It’s a double-edged sword,” says Bill Marczak, a senior researcher at the cybersecurity watchdog Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in and, once they’re inside, the impenetrable fortress of the iPhone protects them.”
Marczak has spent the last eight years hunting those top-tier hackers. His research includes the groundbreaking 2016 “Million Dollar Dissident” report that introduced the world to the Israeli hacking company NSO Group. And in December, he was the lead author of a report titled “The Great iPwn,” detailing how the same hackers allegedly targeted dozens of Al Jazeera journalists.
He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior—to the point where Marczak suspects they’re missing all but a small fraction of attacks because they cannot see behind the curtain.
This means that even to know you’re under attack, you may have to rely on luck or vague suspicion rather than clear evidence. The Al Jazeera journalist Tamer Almisshal contacted Citizen Lab after he received death threats about his work in January 2020, but Marczak’s team initially found no direct evidence of hacking on his iPhone. They persevered by looking indirectly at the phone’s internet traffic to see who it was whispering to, until finally, in July last year, researchers saw the phone pinging servers belonging to NSO. It was strong evidence pointing toward a hack using the Israeli company’s software, but it didn’t expose the hack itself.
Sometimes the locked-down system can backfire even more directly. When Apple released a new version of iOS last summer in the middle of Marczak’s investigation, the phone’s new security features killed an unauthorized “jailbreak” tool Citizen Lab used to open up the iPhone. The update locked him out of the private areas of the phone, including a folder for new updates—which turned out to be exactly where hackers were hiding.
Faced with these blocks, “we just kind of threw our hands up,” says Marczak. “We can’t get anything from this—there’s just no way.”
Beyond the phone
Ryan Storz is a security engineer at the firm Trail of Bits. He leads development of iVerify, a rare Apple-approved security app that does its best to peer inside iPhones while still playing by the rules set in Cupertino. iVerify looks for security anomalies on the iPhone, such as unexplained file modifications—the sort of indirect clues that can point to a deeper problem. Installing the app is a little like setting up trip wires in the castle that is the iPhone: if something doesn’t look the way you expect it to, you know a problem exists.
But like the systems used by Marczak and others, the app can’t directly observe unknown malware that breaks the rules, and it is blocked from reading through the iPhone’s memory in the same way that security apps on other devices do. The trip wire is useful, but it isn’t the same as a guard who can walk through every room to look for invaders.
Despite these difficulties, Storz says, modern computers are converging on the lockdown philosophy—and he thinks the trade-off is worth it. “As we lock these things down, you reduce the damage of malware and spying,” he says.
This approach is spreading far beyond the iPhone. In a recent briefing with journalists, an Apple spokesperson described how the company’s Mac computers are increasingly adopting the iPhone’s security philosophy: its newest laptops and desktops run on custom-built M1 chips that make them more powerful and secure, in part by increasingly locking down the computer in the same ways as mobile devices.
“iOS is incredibly secure. Apple saw the benefits and has been moving them over to the Mac for a long time, and the M1 chip is a huge step in that direction,” says security researcher Patrick Wardle.