Posted by stefanpie 17 hours ago

Canvas is down as ShinyHunters threatens to leak schools’ data(www.theverge.com)
https://thetech.com/2026/05/07/canvas-breach-26

https://techcrunch.com/2026/05/07/hackers-deface-school-logi...

834 points | 546 comments (page 6)
corvad 13 hours ago|
Some instances seem to be recovering. I wonder if a ransom was paid.
somebudyelse 13 hours ago|
It looks like Instructure has been removed from the ShinyHunters website. Both the entry and the list of schools have been removed.
flashman 16 hours ago||
What's in the files they've already released? Some of them are > 800GB.
HDBaseT 15 hours ago||
Where are you getting that information from?

I'm under the impression files are getting released 12th May. I don't see any reporting on 800GB?

DauntingPear7 15 hours ago|||
Grades, records, etc. I would assume. Someone else pointed out that they recently acquired https://www.parchment.com/ so they may have also been able to scoop up those records too.
emmelaich 15 hours ago||
Also discussions between students and teaching staff.
poopmonster 16 hours ago||
I'm guessing loads of student work? If so, it'll be great for anyone who wants to research AI usage in papers.
lazystar 2 hours ago||
> Earlier in October, an Amazon Web Services incident resulted in Canvas and Piazza outages that lasted around 12 hours.

...what does that DDB DNS issue have to do with anything?

ThrowawayR2 16 hours ago||
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.
brendanyounger 16 hours ago||
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.

cortesoft 15 hours ago|||
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

In most of these cases, the companies involved did NOT follow standard security practices.

I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.

ThrowawayR2 14 hours ago||||
> "Consider surgery instead of software development."

Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley

kelnos 14 hours ago||||
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things.

But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.

harikb 16 hours ago||||
Well, you don't know how many more would have died if doctors and hospitals didn't care about their insurance going higher???
dylan604 15 hours ago|||
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.

I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. A family member had a surgery with well-known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for the fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity, requiring numerous follow-up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.

dctoedt 14 hours ago||
> this surgeon skipped a step

That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0].

[0] https://www.newyorker.com/magazine/2007/12/10/the-checklist

cortesoft 15 hours ago|||
I do wonder if that won't just end up INCREASING ransom-type attacks, though?

If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment.

A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead.

If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.

ThrowawayR2 14 hours ago||
There's precedent for simply making it illegal to pay the ransom, e.g. https://www.reuters.com/world/uk/uk-plans-ban-public-sector-...
berti 16 hours ago||
That is already happening in the EU [1][2]. Most of the world will catch up soon I suspect, with some notable exceptions.

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...

[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_...

owlboy 13 hours ago||
I’m not surprised. Canvas kind of sucks. And their development is slow. And they are poor at communicating during mundane events.
stringfood 13 hours ago|
They're also apparently poor at communication during highly interesting events as well.
vondur 17 hours ago|
It looks like every CSU System is on the list (California State University). Surprised this hasn't hit the front page yet.
DaSHacka 16 hours ago|
Possibly because they haven't released the data yet?

I'm honestly surprised more people aren't talking about this.