Posted by stefanpie 16 hours ago

Canvas is down as ShinyHunters threatens to leak schools’ data(www.theverge.com)
https://thetech.com/2026/05/07/canvas-breach-26

https://techcrunch.com/2026/05/07/hackers-deface-school-logi...

796 points | 514 comments
kristianp 18 hours ago|
Qld, Australia was also affected: https://www.itnews.com.au/news/qld-gov-says-students-staff-c...
protocolture 13 hours ago|
QLD Government vendor selection is always terrible.
alexalx666 5 hours ago||
Respect to the Canvas sales team, it's like Microsoft-level platform lock-in into low-sec infra
bigfatkitten 18 hours ago||
I use Canvas for some postgraduate studies, and my teenage daughter uses it at her high school.

We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.

auxiliarymoose 16 hours ago||
It is open source, so you could send pull requests with improvements: https://github.com/instructure/canvas-lms
scratchyone 10 hours ago||
https://github.com/instructure/canvas-lms/pulls?q=is%3Apr+is...

haha I went to go check and they haven't merged a PR since 2017

gareim 10 hours ago||
Look by is:closed instead. They don't merge the PR directly.
copperx 16 hours ago|||
I vibecoded a pretty extensive CLI for Canvas and using it is very pleasant. Joyful, even, when combined with an LLM. Especially when compared to the developer hostile Blackboard Ultra.
j027 15 hours ago||
Canvas seems like it's not that great. But if you then use Blackboard Ultra it makes Canvas look amazing.
ThrowawayR2 15 hours ago||
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.
brendanyounger 15 hours ago||
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.

cortesoft 14 hours ago|||
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

In most of these cases, the companies involved did NOT follow standard security practices.

I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.

ThrowawayR2 13 hours ago||||
> "Consider surgery instead of software development."

Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley

kelnos 13 hours ago||||
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things.

But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.

dylan604 14 hours ago||||
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.

I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. A family member had a surgery with well-known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for the fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity, requiring numerous follow-up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.

dctoedt 13 hours ago||
> this surgeon skipped a step

That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0]

[0] https://www.newyorker.com/magazine/2007/12/10/the-checklist

harikb 15 hours ago|||
Well, you don't know how many more would have died if doctors and hospitals didn't care about their insurance going higher???
cortesoft 14 hours ago|||
I do wonder if that won't just end up INCREASING ransom-type attacks, though?

If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment.

A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead.

If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.

ThrowawayR2 13 hours ago||
There's precedent for simply making it illegal to pay the ransom, e.g. https://www.reuters.com/world/uk/uk-plans-ban-public-sector-...
berti 15 hours ago||
That is already happening in the EU [1][2]. Most of the world will catch up soon I suspect, with some notable exceptions.

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resi... [2] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_...

plasma_beam 18 hours ago||
Our public school system here in Maryland got hit, ransom screen.
danso 16 hours ago||
I wonder how much old data Canvas keeps around? Are students who graduated in 2016 going to be at risk of having their academic data leaked?
Fumblenuts 12 hours ago||
I bet it depends on the institution and the IT team behind said institution, but at least for my university we apparently don't delete old course shells or anything.

I'm friends with a professor who complained to me a couple times about how sometimes he will need to scroll through pages and pages of courses he taught in the past. He also mentioned that profs aren't able to delete their own course shells either.

Telaneo 12 hours ago||
It wouldn't surprise me if most of it is still around. The amounts of data are probably fairly small, and thus unless intentionally deleted, it's probably still there (maybe unis in Europe are more likely to bother to click the relevant buttons so as to comply with the GDPR?). I can't imagine storage becoming an issue unless you've got a huge uni or classes that deal with video (and even then, those probably end up on YouTube as private videos, or only as really small clips).
goryramsy 16 hours ago||
Down for all students at my University… it’s going to be a headache for all professors to deal with extending due assignments.
eatmyshorts 16 hours ago||
My daughter says that Northeastern is also affected. Is it more widespread? Did they infect all SaaS Canvas universities?
parable 12 hours ago|
Yes, all 8000+ institutions that use Canvas.
rosie54 11 hours ago||
Tbh this is extremely annoying for high school/college students too. High schools are in the middle of AP tests, and many universities have yet to finalize grades, so overall this is a terrible time for this to happen. After the first issue a few weeks ago Canvas should have upped their security and prepared for another attack. They also should provide better communication. If Canvas is down for more than a few days, many schools and universities will have a lot of trouble when it comes time to publish course grades.
corvad 12 hours ago|
Some instances seem to be recovering. I wonder if a ransom was paid.
somebudyelse 12 hours ago|
It looks like Instructure has been removed from the ShinyHunters website. Both the entry and the list of schools have been removed.