blahedo 2 days ago [-]
Perspective from the trenches: I teach at a university that uses Canvas. We are in our final exams period right now.
We got our first email (from Academic Affairs) notifying us that it was down at 5:17pm EDT this afternoon, with little info; followup emails were sent at 6:24 and 6:57 with more info, but mostly about how we would be compensating for it and not about what actually was going on (other than, "nationwide shutdown" and "cybersecurity attacks", no further detail). I don't get a sense that they know much more than that, not that I would expect them to.
A perhaps telling detail: they're instructing us to have students email us directly with any work that had been submitted via Canvas. That suggests that they have no particular confidence that it will come back up soon.
I personally am only slightly affected; as a CS professor a lot of my students' work is done on department machines, and submitted that way, and I do the actual exams on paper. More importantly, I've never liked or trusted Canvas's gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.
But I have a lot of colleagues for whom this is catastrophic at a level of "the whole building burnt down with all my exams and gradebooks in it"---even many of those that teach 100% in person have shifted much or all of their assessment into Canvas (using the Canvas "quiz" feature for everything up to and including final exams), and use the Canvas gradebook as their source-of-truth record. We've been encouraged to do so by our administration ("it makes submitting grades easier"). For faculty in that situation, they have few or zero artifacts that the students have produced, the students themselves don't have the artifacts to resubmit via email because they were done in Canvas in the first place, and they have no record of student grades or even attendance (because they managed that all inside Canvas). I guess they have access to the advisory midterm grades from March, if they submitted them (most do, some don't), but that might be it.
My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers), or weeks (they don't). Very little in-between. And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable. In the extreme case, they may have to revert to something we did in the pandemic semester (and before that, at my school, in the semester that two major academic buildings actually did burn to the ground a week before finals): let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?
(Well, one thing you can do is not put your eggs all in one basket, and not trust "the cloud" quite so much, but that ship's already sailed. I do wonder if in the longer term, anybody learns any lessons from this....)
UPDATE: As of 11:45pm EDT, my university's canvas instance is up and running! Here's hoping it stays (but I'll be downloading some stuff just in case...)
JumpCrisscross 2 days ago [-]
> the students themselves don't have the artifacts to resubmit via email because they were done in Canvas
It’s so simple to send an e-mail to the student with relevant records on completion of a quiz or whatnot. They don’t do it, because they want to control the data. (And universities don’t insist on it for who knows what reason.)
gucci-on-fleek 1 days ago [-]
I've never used Canvas before, but all the LMSes that I've used allow students to enable emails whenever anything is updated, including when grades are posted. This is off by default because it's often 10+ emails a day, because many teachers post notes once a day, and with 5 classes, that adds up pretty quick. I personally have it enabled because it's pretty manageable with some custom Outlook rules, but setting this up is well beyond the capabilities of most students.
mbreese 1 days ago [-]
Canvas will send emails when grades are posted, but not what the grade is. Or at least that’s the way in the configurations I’ve seen. So, that wouldn’t help in a case where no one can access the canvas gradebook.
trillic 1 days ago [-]
yup you just get an email saying "A new grade has been posted for EECS 420"
skeeter2020 1 days ago [-]
...then all those clicks juice engagement and utilization numbers; why would someone want to just know their grade when they can use more clicks and custom apps to get the same info?
The party line is probably something about "a lack of data security" with email, which would almost be funny given the current situation if it wasn't so stressful for those impacted...
crazygringo 1 days ago [-]
No, students are already forced to use Canvas enough as is. This is enterprise software, it's not a consumer phone app. This is nothing to do with "engagement".
This is to do with FERPA which requires that student grades be kept private. There is a small but still a significant legal risk that someone else such as a parent or roommate could have access to a student's email. And so to avoid even the possibility of a court case, schools prefer to play it safe and display grades only to a user they can authenticate directly.
This doesn't have anything to do with common sense, it's simply about legal risk. And it's not about security in a broader sense, it's specifically about privacy FERPA legislation.
trollbridge 1 days ago [-]
FERPA allows emailing confidential information to a student email on record if the university controls the email account. Most universities offer their own email service (and require using it) for this exact reason.
There is no more risk of access to email than there is to Canvas. They are usually secured by the same SSO, too.
However, congratulations for finding the exact dodge around implementing a useful feature. Back when I worked at a university, it was apparent we had a “toolbox” of reasons to deny requests we didn’t want to do: HIPAA, FERPA, ERISA, PCI, GLBA, Title IX, ADA.
“We can’t do that integration with student health services due to HIPAA concerns.”
“We can’t implement that sign up form due to FERPA.”
“We can’t update that site because we’d have to do so and be ADA compliant and that would cost too much.”
“Due to Dining Services’ server being in scope for PCI, we can’t run reports off of it.”
“Adding that ability to Student Affairs’ portfolio app would raise Title IX concerns.”
It was great. You had endless excuses to say why you can’t email a student their grade.
crazygringo 24 hours ago [-]
I already said it's not about common sense, it's about legal risk.
It's about edge cases like someone set up your email to forward all your emails to their account without you knowing. Or other additional situations you could imagine.
There is no benefit to not emailing grades directly, from the perspective of Instructure. There is no ulterior motive here. But universities are genuinely risk-averse and their lawyers tell them that not including the grade in the email simply shuts down one more avenue for some potential lawsuit. Which costs money to defend even if a university wins it.
This isn't some kind of "dodge". This is literally just Instructure doing what university lawyers demand.
I agree with you that the email address is generally always also controlled by the school and has the same login authentication. It doesn't matter. I told you this isn't about common sense. This is about lawyers saying that it could reduce legal risk. And that is a true thing that is coming from real lawyers. Even if you disagree with those lawyers.
And Instructure isn't going to try to disagree with lawyers for its own potential customers. It's going to give the schools what they want, which is not revealing grades via email.
It's not a "dodge."
trollbridge 15 hours ago [-]
Have you ever worked in an environment where you were responsible for building systems that complied with FERPA and you worked with your school's general counsel and compliance team on that?
What you are saying about e-mail is simply not factual. Student e-mail is inside the FERPA environment, and is considered private to the student. It was designed to be that way. If a student sets up forwarding to go to someone else, that's their problem. The student e-mail uses the same SSO as the LMS, so it's nonsense to act like someone else could have access to e-mail.
ndriscoll 24 hours ago [-]
Then the lawyers are incompetent morons. There's "no benefit" to telling the student their own grade at all when viewed from that perspective. You could just not give them any feedback. Or you could allow them to consent to it, which is what the law asks.
It is a dodge. Society should not just say "oh those silly lawyers". These people are not being responsible. They are not doing their jobs.
jrumbut 18 hours ago [-]
As someone who transitioned from working in startups and technology to a university, it is hard to describe how different the environment is.
It looks very weird and is hard to understand from the outside, and unfortunately all technology vendors are on the outside.
Basically every technology has an impedance mismatch when brought into the university environment. And when you combine them together it keeps getting worse.
That's why you see things in this thread like CS professors who operate their class using pen and paper and maybe a spreadsheet.
trollbridge 15 hours ago [-]
I worked with a lawyer who was the on-staff general counsel for a mid size private university who was not an incompetent moron.
One thing I really appreciated that she did was refuse to put e-mail disclaimers in the bottom of e-mails, because she said they had zero legal weight and actually were negative from a legal perspective, since it means people might think they have legal weight (when they don't).
Overzealous e-mail admins would periodically want to do it because it's what everyone else does, not to mention vendors of frankly B.S. software whose only value prop was adding a disclaimer to all the email that went out of Exchange or Google Workspace.
crazygringo 23 hours ago [-]
No, the lawyers are not "incompetent morons", and I highly doubt you have the legal training and domain experience to be qualified to make that assertion.
You would be surprised at the number of frivolous lawsuits and seemingly "zero risk" decisions that wind up turning into actual legal risk and legal fees.
The legal world is a lot more complicated than you think. I've been in some of these conversations. Quite frankly, you don't know what you're talking about.
dctoedt 21 hours ago [-]
> You would be surprised at the number of frivolous lawsuits and seemingly "zero risk" decisions that wind up turning into actual legal risk and legal fees. [¶] The legal world is a lot more complicated than you think.
The law is a lot like an app: It has to take into account a gazillion edge cases and corner cases — not to mention that people can be ignorant and/or malicious. It really is complicated, as you say above.
Well done on not hurling insults at @ndriscoll, BTW. Personal attacks don't persuade the target, and they can turn off onlookers who might be undecided. (Competent lawyers learn early that judges and jurors don't like personal attacks and can be less inclined to believe the attacker.)
ndriscoll 23 hours ago [-]
The thing is, I don't need that training to recognize that they are failing to contribute to society. This is why I'm saying that it is indeed a dodge. "It's complicated and you don't understand it" isn't an excuse for making the world worse. And yes, it is fully possible for someone to make that judgement without a large background in law, because it's taking a holistic look at "what was the purpose of this law, and are they interpreting it in line with that purpose?" The details don't matter; the outcomes do. Their job is to deal with the details to reach the desired outcomes. If society is better off for putting them on a boat and sending them into the middle of the ocean, then they are incompetent.
Refusing to give a student their own data because of a privacy law that's meant to give the student control over their data is them failing. Full stop. There's no room for excuses for government funded entities to act in the exact opposite way that they are supposed to to avoid their fear of government imposed penalties from a deliberate misinterpretation of what the entire thing is about. That's incompetence by everyone involved. It is people going out of their way to make the world a worse place to act important. Absolutely unacceptable.
It's like if teachers aren't teaching the kids to read or add, the details about all the compliance stuff they need to worry about and how the school "can't" remove disruptive kids from a class or whatever is missing the point; the schools can't sacrifice actually doing their job at the altar of compliance, or we should just shut them down since all they do is waste resources. The compliance people should be figuring out how to shield the actual workers/create plausible deniability if the law is supposedly that stupid.
crazygringo 21 hours ago [-]
The world is complicated. Laws like FERPA are written with good intentions, but there are a lot of gray areas open to interpretation, and bad actors will take advantage of those gray areas to bring lawsuits for selfish purposes that universities have to spend money to defend themselves and possibly pay expensive penalties over. So lawyers advise how to follow laws in the most risk-free way.
Blaming lawyers or Instructure for "failing to contribute to society" is both incredibly immature and factually wrong. It's not the 1980's where jokes about "kill all the lawyers" get laughs.
I'm going to be blunt: you seem to have a kind of black-and-white, adolescent understanding of the world where it's split up into good actors and bad actors, and good actors should do what's right (regardless of the law) and bad outcomes are the result of bad actors. But that's not how the world works. Everybody involved can be intelligent and trying to do their best, and we get suboptimal outcomes because this stuff is hard. Writing laws that protect student data while maximizing student convenience is probably never going to get it perfectly right in every situation. But insulting the lawyers or the schools or Instructure as "failing to contribute to society" or insulting the law as "supposedly that stupid" is to deeply misunderstand everything.
trollbridge 15 hours ago [-]
FERPA does not have a lot of "gray areas open to interpretation". It's a well-understood body of law, case law, and regulations, and things like whether or not you can e-mail a student a grade are settled questions.
ndriscoll 20 hours ago [-]
It's not a misunderstanding of everything, especially for schools that are government funded. They have a mission, they receive resources from everyone else to do that mission. If they are then worried about penalties for some frivolous side distraction, and choose to not accomplish their mission for fear of that, then why are we funding them to start with?
Frankly it's a perspective that I've only developed as I got older and realized that such excuses are poor, and that the real world has quite a few people in it who don't really care about the outcomes of what they're doing, or even understand why they're there. To me it feels adjacent to the adolescent view I often see on this site/reddit around "why is the company laying people off when they're making lots of money?" It's because those people aren't needed for anything, and those jobs aren't a form of charity. They exist for a purpose. If they no longer have a purpose, why would you keep paying that person?
If people are going to exist as obstructions to the purpose of the institution we're trying to serve, then they are useless. It's like a computer security worker saying the best way to be secure is to unplug everything, and push for policies that no one shall use computers for anything. Completely missing the point.
Finding ways to follow the law in the most risk-free way to the detriment of everyone is exactly missing their purpose in the world, and everyone should rightly call such a person incompetent and useless. It's casual acceptance of this kind of incompetence culture that slowly leads to societal decline. It's the same kind of thing as when Berkeley took down their lectures because of the ADA. How about the same state that ignores federal immigration and drug law say that actually they're going to keep giving away their free educational materials because they want universal education, and giving those lectures away is strictly better than not doing that, and if the feds want it made accessible, they can fund a project to do so?
crazygringo 16 hours ago [-]
I really don't know what to tell you. You're literally calling for universities to either break the law or not worry so much about following it, and calling people who do want to be careful about following the law "incompetent and useless".
If you don't see how extreme that is, and how much society would break down if everyone started thinking laws were optional and ought to be ignored when they prevent you from accomplishing your "mission", I just don't know what to tell you.
ndriscoll 15 hours ago [-]
Quite the contrary: society very obviously runs because people ignore policies and laws constantly. That's why following all laws exactly is considered a protest or subversion strategy: malicious compliance.
Like the entire AI industry could only work by completely ignoring copyright law. Basically no software could be written if developers were conscientious enough to check for and avoid patents first. Tradesmen ignore safety policies. Doctors ignore limits on hours. People do work on their homes with no permits.
Part of being an adult is exactly knowing which rules are important and which you ignore.
crazygringo 14 hours ago [-]
Individuals can choose which laws to ignore, like when they jaywalk.
Corporations, universities, etc. are very different. They create policies which are documented and which their employees are required to follow. They engage in risk analysis.
"Part of being an adult" has nothing whatsoever to do with the laws and regulations that apply to organizations. You're making a severe category error.
ndriscoll 14 hours ago [-]
Organizations are made of individuals who I assure you regularly ignore or don't even read the policies they are "required" to follow.
crazygringo 34 minutes ago [-]
I don't know what world you live in. Everywhere I've ever worked, that gets you fired. Real quick.
trollbridge 15 hours ago [-]
Just to be clear:
E-mailing a student their grade is not "breaking the law".
Not e-mailing a student their grade is not "being careful about following the law". It is just sheer laziness.
A university may develop a policy of "we don't e-mail grades" for another reason, but FERPA is not a valid reason.
crazygringo 14 hours ago [-]
"Just to be clear":
It's not "sheer laziness". I can almost guarantee you that Instructure would prefer to e-mail the grade itself, and probably had the code working somewhere before feedback from universities told them to remove it.
There are absolutely cases where sending an e-mail to the wrong person is a violation of FERPA. Can you guarantee that your software will never be configured to accidentally e-mail someone besides the student? That no administrator will ever accidentally set up the wrong e-mail address? Because you're not sure if you can make that guarantee, it's legally safer to restrict it to the actual LMS login.
trollbridge 9 hours ago [-]
Yes, I have written software that would email a student information that was in scope for FERPA.
It’s rather simple to restrict sending email to @student.uni.edu and then further force their email to match the username and email address that is synced from the SIS.
How much FERPA compliant software have you written?
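The two-step recipient check described in the comment above (institution-controlled domain only, then the address must agree with the username and the SIS-synced record), written out as an added example. This is not Canvas/Instructure code and not the commenter's code; ALLOWED_DOMAINS, SIS_DIRECTORY, the sender address and every username and address in it are constructed for the demo.

```python
"""Recipient guard for e-mailing a student a FERPA-covered record.

Added example; not Canvas/Instructure code and not the commenter's code.
ALLOWED_DOMAINS, SIS_DIRECTORY and every address below are constructed.
"""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional, Tuple

# Mail domain(s) the institution itself operates (constructed); anything
# else is refused before a grade can be put in a message.
ALLOWED_DOMAINS = frozenset({"student.uni.edu", "grad.uni.edu"})

# Constructed stand-in for the username -> address table synced from the
# SIS. It is treated as the source of truth: whatever an administrator typed
# into the LMS profile must agree with it, which is what catches the
# "someone set up the wrong e-mail address" misconfiguration.
SIS_DIRECTORY = {
    "jdoe3": "jdoe3@student.uni.edu",
    "asmith": "asmith@student.uni.edu",
}


def normalize_address(raw: str) -> Optional[str]:
    """Reduce a To: value to one lower-cased addr-spec, or None if it is
    malformed or carries more than one mailbox. The display name is dropped,
    so only the address SMTP would actually deliver to is ever compared."""
    if not raw or "," in raw or ";" in raw:
        return None  # refuse address lists (and quoted-comma names) outright
    _name, addr = parseaddr(raw.strip())
    if addr.count("@") != 1:
        return None
    return addr.lower()


def check_recipient(username: str, configured: str) -> Tuple[bool, str]:
    """Decide whether `configured` (the address stored in the LMS for
    `username`) may receive that user's record. Returns (ok, detail), where
    detail is the normalized address on success or the refusal reason."""
    addr = normalize_address(configured)
    if addr is None:
        return False, "malformed or multi-recipient address"
    local, _, domain = addr.rpartition("@")
    if domain not in ALLOWED_DOMAINS:
        return False, f"domain {domain!r} is not institution-controlled"
    if local != username.lower():
        return False, "mailbox does not match the account's username"
    if SIS_DIRECTORY.get(username.lower()) != addr:
        return False, "address disagrees with the SIS record"
    return True, addr


def build_grade_notice(username: str, configured: str,
                       course: str, grade: str) -> Optional[EmailMessage]:
    """Return the grade e-mail if the recipient passes every check, else None.
    The grade text is only placed in a message addressed to the normalized,
    SIS-confirmed mailbox, never to the raw configured string."""
    ok, detail = check_recipient(username, configured)
    if not ok:
        return None
    msg = EmailMessage()
    msg["From"] = "lms-noreply@uni.edu"  # constructed sender
    msg["To"] = detail
    msg["Subject"] = f"Grade posted for {course}"
    msg.set_content(f"Your grade for {course} is {grade}.")
    return msg


if __name__ == "__main__":
    for user, addr in [("jdoe3", "jdoe3@student.uni.edu"),
                       ("jdoe3", "jdoe3@gmail.com"),
                       ("jdoe3", "asmith@student.uni.edu"),
                       ("asmith", "asmith@grad.uni.edu")]:
        print(user, addr, "->", check_recipient(user, addr))
```

The refusals it produces correspond to the failure modes raised in this thread: a personal address, another student's institutional address (the accidental wrong-recipient case), and an institutional address that does not match the SIS copy (the administrator-typo case). What no sender-side check can see is mail forwarding configured inside the student's own mailbox, so that risk is the mail provider's and the account holder's, not the LMS's, to manage.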
crazygringo 30 minutes ago [-]
That's great for you. I've been in meetings with lawyers around FERPA compliance.
You are right that if you are creating a custom tool you can create that restriction easily.
But if you are creating a learning management system where administrators can configure it a million different ways and the university lawyers want to make sure that administrators don't set it up the wrong way, it makes sense to have that safeguard.
You are looking at the wrong level here. This isn't a software coding issue around technology. This is a policy compliance issue around people. When you create tools you have to consider the possibility of those tools being misused by an employee and mitigate those risks when possible.
wpollock 20 hours ago [-]
> The thing is, I don't need that training to recognize that they are failing to contribute to society.
An old lawyer joke: What do you call 100 lawyers drowning in the ocean? A good start!
(Told to me by my dad, a former attorney till he retired.)
trollbridge 15 hours ago [-]
I think the lawyers in a straw-man imaginary world where they say a university can't e-mail any FERPA-covered data to a student (which includes such basic things as what times a student's classes are) don't contribute anything to society. But that's because they're just a figment of one person's imagination.
Actual, real lawyers who work for or at real universities often do contribute quite a bit of valuable work. I enjoyed the one I worked with and think she did a great job of putting the brakes on over-regulating or using legal compliance as an excuse for just not doing work.
ndriscoll 15 hours ago [-]
That's great to hear. As I agreed elsewhere in the thread, their true purpose is exactly to shield other workers from this sort of nonsense FUD and make-work.
Of course I presume it's also not a strawman because it's not in any way some unique thing to lawyers.
trollbridge 9 hours ago [-]
The general counsel at my last university job actually tended to cut through the red tape and excuses of “can’t do this due to legal”.
Lots of fun if a department had been stonewalling for “legal reasons” and she was summoned to a meeting.
whyenot 1 days ago [-]
Isn't that due to FERPA related concerns?
dotancohen 1 days ago [-]
> setting this up is well beyond the capabilities of most students.
Setting up custom email filters is beyond the capabilities of most students? What are they learning? Where will they be qualified to work?
metaengies 1 days ago [-]
> Where will they be qualified to work?
Going by a certain story 2 years ago, their concern should be that they're overqualified for Meta.
It doesn't help that gmail, which is the only serious direct competition to outlook, straight up doesn't do "folders" and instead goes with markers. So you can't really just put a filter that drags all the 100 low-priority alerts in what would count as a first degree abstraction of "place where things are sorted into". No, there are two layers of abstraction between point A and B of things, sorter and sorted things. The result? Muggles can't recognize what the heck you're describing and refuse to even acknowledge the possibility.
user_7832 1 days ago [-]
> It doesn't help that gmail, which is the only serious direct competition to outlook, straight up doesn't do "folders" and instead goes with markers.
While true, unless I'm mistaken, markers (I assume you're referring to tags) can be nested to provide a pseudo-folder hierarchy, and with proper filters you can remove the "inbox" tag and have the mail only show up under the specific tag.
TBH I don't fully mind it, it lets you classify an email in multiple ways (eg "See Later" as well as "Work related").
mschild 1 days ago [-]
Tags are great but I still want my folders. Also doesn't help that the way google describes some things is unnecessarily complex or confusing.
For example, removing an email from the inbox requires archiving it. In most other applications (WhatsApp, Signal, Outlook, etc) archiving usually results in the email being placed in a specific archive folder that isn't readily accessible through the UI. At least not to the same level that normal emails are.
philamonster 1 days ago [-]
People in my work and personal life experience do not understand the concept of labels in a Google inbox and misname them folders 100% of the time. Google allows you to drag-n-drop emails "into" labels like you would files in folders conflating the issue even more as the logic to automate this behaviour with a filter isn't leveraged. Even the layout of a default inbox is setup in a way that the average user has difficulty understanding what happens when an email drops off the "front page" of their inbox.
bitfilped 1 days ago [-]
They can be nested, the one thing I have never been able to figure out though is how to get alerts of receiving a message while also filing away in a sub folder. You get one or the other in outlook, as a result I rarely check my work email anymore cause I either get the fire hose of spam or miss everything entirely because it's going to a folder and not passing along an alert about a new message.
GTP 1 days ago [-]
I partially solve this by using Thunderbird on my laptop. When I get emails on my smartphone (on the Gmail app), they unfortunately all go to the inbox. But the moment I open Thunderbird, it nicely organizes them for me.
chopin 23 hours ago [-]
Does Thunderbird have rules? I searched for this and didn't find them.
dotancohen 1 days ago [-]
I use Thunderbird on both the desktop and Android. Love it.
Perhaps Outlook is difficult to configure. Thunderbird is intuitive.
GTP 23 hours ago [-]
Yes, every now and then I think I should try it on Android as well, but still have to do it. It would be great if there was the possibility to sync filters across devices, in a similar way of using your Firefox account to sync extensions. Do you know if this is possible?
dotancohen 19 hours ago [-]
I don't think it's possible.
swiftcoder 1 days ago [-]
Gmail still has perfectly functional filters that can be set to auto-apply a label and skip the inbox. They may be called "labels" now, but they still function just as they did when the UI called them "folders"
teiferer 1 days ago [-]
If a CS graduate can't figure out some simple gmail labels and filters then they should not be awarded that degree. Plain and simple. It's not rocket science.
Poacher5 1 days ago [-]
And there are no other students at any college other than CS students? I'm not sure why a biologist or a literature student would need to be au fait with Google's admittedly fairly unfriendly email management setup.
denkmoon 1 days ago [-]
Digital literacy is important to every field. Email filters are not some arcane computer science concept, they are the modern equivalent of filing physical mail into the right folder/pigeon hole/inbox/whatever.
Biology is a great example because of just how important digital record management is to experimentation in the field.
sillywabbit 1 days ago [-]
I don't think you've seen many biology field data sets.
teiferer 20 hours ago [-]
All biology folks I'm interacting with are juggling excel sheets all day.
teiferer 20 hours ago [-]
1. This was a response to a CS professor, so specific to CS students.
2. Yes, configuring gmail filters should be doable for anybody with a university degree. It's really not hard.
mold_aid 1 days ago [-]
Most of my students, across all disciplines, don't have basic competence in Word or GDocs, software they've been using for years. It's weeks to teach them how to apply headings
Daub 1 days ago [-]
I feel your pain, and my students are design students
weird-eye-issue 1 days ago [-]
Most graduates aren't really qualified to work anywhere that they couldn't have worked before going to college in the first place.
smcin 1 days ago [-]
You mean graduates of US colleges? Not colleges in general. Or non-technical graduates of US colleges?
J-Kuhn 1 days ago [-]
I think the point weird-eye-issue wants to make is: Students attend college to become qualified to work.
weird-eye-issue 1 days ago [-]
I think you completely misread my comment.
smcin 1 days ago [-]
I understood your comment perfectly fine. I'm asking which graduates of which colleges you were referring to. It looked like you were generalizing about US HS and colleges. If so, plenty of other countries' HS and college education systems work better, so your comment doesn't extend.
froggit 1 days ago [-]
> I understood your comment perfectly fine. I'm asking which graduates of which colleges you were referring to.
They are referring to MOST graduates of MOST colleges. This is a deliberate overgeneralization about the nature of post-secondary education meant to highlight how it's frequently viewed solely in terms of completion rather than with regards to any skills or knowledge gained from it.
weird-eye-issue 1 days ago [-]
I didn't even reply to you.
smcin 1 days ago [-]
I'm not confused.
Your comment stated that college doesn't add much to a person's employability. (If you had wanted to be less obfuscatory, you could simply have said "a [HS] education is already adequate qualification for many jobs; college doesn't add much").
That was your claim. (I don't think your claim is correct of many OECD countries' colleges, but it was the claim you made.)
You then replied to J-Kuhn to say that they had misunderstood your comment by (mis)paraphrasing it as "Students attend college to become qualified to work."
weird-eye-issue 1 days ago [-]
It's a little weird how I ignored your comment and replied to somebody else and then you felt the need to reply to me again and again
lokar 1 days ago [-]
I used LaTeX as a ugrad, it’s not that hard
skeeter2020 1 days ago [-]
you're at the other end of the spectrum; unless you get work in academia this is not an advantage.
lokar 1 days ago [-]
I use it to filter recruiters, if they can’t accept (a well typeset) PDF résumé, and insist on Word I know to skip them.
trollbridge 1 days ago [-]
They only ask for Word because they plan to edit it to remove your contact info. Or worse.
recursive 23 hours ago [-]
So are you getting a lot of offers this way? Anyway, I admire your dogma.
lokar 19 hours ago [-]
Well, I’m retired now. I only had 4 jobs after finishing my BS.
recursive 1 days ago [-]
Congratulations on your competence.
sillywabbit 1 days ago [-]
It's not even standard in academia.
poopmonster 10 hours ago [-]
Depends on the discipline. I never hear of mathematicians using anything else.
crazygringo 1 days ago [-]
You know that most students aren't computer science majors?
Have you met the average community college student who doesn't even own a laptop but does all of their work on their phone? Gmail doesn't even allow you to create or manage filters from their phone app or mobile web interface.
fooker 1 days ago [-]
I have been using email for as long as email was a thing and I still managed to blackhole important emails with filters not too long ago.
emodendroket 1 days ago [-]
Most people who have office jobs don't know how to do this either
throwaway2037 1 days ago [-]
This is a brilliant reply. I shook my head at the original and laughed hard at your perfectly reasonable question.
It reminds me of an old joke my father used to say about jobs with virtually no interview (fast food, etc). He called it "The Mirror Test", as in if you hold a mirror up to the person, does it fog up? If yes, you are hired!
shakna 1 days ago [-]
Most managers I've met, struggle with setting up email filters, and have to ask tech support to do it for them. These students will be qualified just fine.
gucci-on-fleek 1 days ago [-]
I'd hope/assume that any Computer Science students would be able to do this, but most Biology/Education/English/Art students probably couldn't.
I mean, anyone smart enough to attend university could probably figure it out if they really wanted to, but there are hundreds of other useful things that they could learn too. There are only so many hours in the day, and given that most students don't get that many emails, I can hardly blame them for not wanting to prioritize learning how to filter emails.
(I personally have over a hundred lines of Sieve filters, but I'm definitely not a typical student)
jameshart 1 days ago [-]
Biologists should be more qualified than most to classify and tag email specimens.
BigTTYGothGF 1 days ago [-]
> What are they learning?
Are you suggesting that outlook wrangling be explicitly taught at the college level?
u_fucking_dork 1 days ago [-]
Anywhere. I straight up don’t check my email at work. If people need me they have to teams message me to tell me they emailed me. Don’t have time to sift through all the bullshit generated emails. Jira, GitHub, confluence, servicenow, workday, etc. amounts to an incredible amount of junk I just can’t be bothered with.
Scroll_Swe 1 days ago [-]
>Setting up custom email filters is beyond the capabilities of most students?
Yes. And most of the general population. They can do it once they know it exists, most people just are not aware it is a thing at all.
>What are they learning?
Here, their "major" as you say in the US. Someone in econ, biology or even CS is not going to learn Outlook rules. Maybe IT or business will have a sentence on it.
>Where will they be qualified to work?
Any office job. Any job really.
setopt 1 days ago [-]
In my experience, it’s hard enough to make students check their school email in the first place. Let alone filter it.
lokar 1 days ago [-]
As a ugrad, and later a PhD student teaching, everything is explained the first day. If you can figure it out you just fail the class (or go to office hrs to get help, etc).
setopt 20 hours ago [-]
As an associate professor, I do explain things the first day, but I am certainly not permitted to fail students as a consequence of not checking their email daily.
Even if they didn’t hand in an assignment at all, without any reason provided, I’m required by regulation to offer them a second chance to pass that assignment.
The students’ rights are quite strong here (Northern Europe), which I generally support, but it has some downsides.
lokar 20 hours ago [-]
Interesting. I remember very strict rules on turning in programming assignments (as a student, and later TA). On time, printed properly, in a specific envelope, labeled as specified in the right location.
throawayonthe 1 days ago [-]
it's MS software, i think it's inanely difficult
butlike 1 days ago [-]
Didn't you hear? Chat apps and iMessage (SMS included) is the new email.
Delete
Delete and Report Spam
mschuster91 1 days ago [-]
> What are they learning?
Exactly what is in their field of study, nothing more. That's a huge part of the problems created by treating academia as a degree mill mandatory to get a job able to feed yourself instead of a place only for those truly interested in actually studying a subject.
e28eta 2 days ago [-]
Students having records of what their score was doesn't prove to the professor / university what score they received. "FWD: Exam 1 Results" is not especially auditable.
lacunary 2 days ago [-]
If only we had some way of signing messages
ykonstant 1 days ago [-]
The technology isn't there yet (。•́︿•̀。)
brookst 1 days ago [-]
Though in a case like this attackers would likely revoke (or publish) the private key.
JeremyNT 1 days ago [-]
Ah, perhaps we could put it on the blockchain! /s
JumpCrisscross 1 days ago [-]
> Students having records of what their score was doesn't prove to the professor / university what score they received
It's better than nothing. (And good training for the real world.)
Also, most universities (and many schools now) issue academic e-mail addresses to students. In those cases, the email is definitive proof.
AmblingAvocado 1 days ago [-]
DKIM signature could be used to verify that Canvas' server sent the email with the given content
nbernard 1 days ago [-]
Good luck having people forward an email a) with headers and b) in a way that doesn't break the signature...
tempaccount5050 1 days ago [-]
And who exactly do you think is going to verify 100s of thousands of emails this way dude?
bravura 1 days ago [-]
A computer?
hoppyhoppy2 1 days ago [-]
Emails from Canvas saying a grade is available do not currently include the actual grade in the email, so that would have to be implemented first. And it's probably not implemented quite intentionally because of FERPA.
gruez 1 days ago [-]
As opposed to a screenshot of a website? Presumably the professor has a spreadsheet of all assignment grades that is submitted to the school?
JumpCrisscross 1 days ago [-]
> Presumably the professor has a spreadsheet of all assignment grades that is submitted to the school?
This would undermine Canvas's lock-in.
freeopinion 1 days ago [-]
Canvas is built to automatically export its gradebook to an external system. It will do that automatically every day if you want it to. Teachers or others can manually export to the configured foreign system on demand. So if you grade something and want it to show up in the foreign gradebook without waiting for the daily export, you can just press the button to make it happen right away.
doctorpangloss 1 days ago [-]
i cannot believe how much benefit of the doubt people are giving canvas
ed tech is the WORST performing VC sector
the ONLY game in that town is vendor lock-in! are people joking?
c'mon, canvas is a huge piece of shit. the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first, rather than universities writing an open alternative they share with each other for free.
freeopinion 1 days ago [-]
Canvas is AGPL licensed. Moodle is GPL. Universities or anyone else can already contribute to big name LMS.
Canvas is used by Harvard, MIT, Stanford, Carnegie Mellon, CalTech, etc. If they each paid 10 FTE, they could set up a foundation that could govern the development of a top-tier LMS. Every tier-1 state institution could contribute 5 FTE. Even little JuCos could chip in an employee here and there. You'd pick up hundreds of capable employees at a fraction of what those schools currently pay to Instructure.
freeopinion 1 days ago [-]
How well has this worked for Open edX?
gizajob 1 days ago [-]
Why do they all pay for it then? Seems pretty universal in the UK too. Is it having the benefit of someone to blame when things go wrong?
bklyn11201 1 days ago [-]
When the IT department is also the developer of the software, instructors will demand their feature be included in the software: they need a gradebook column that counts as extra credit, missing work, a dropped score, and 40% of the final grade simultaneously, but only for students who email after midnight during finals week.
IT department will then build the feature as instructors are high-status and IT is low-status, and they aim to please. The software will collect hundreds of these over time. The institution will accumulate more developers, QA, a11y testers, PMs, instructional design consultants, and more PMs to deal with the instructors. The institution will then move to SAAS solution where the instructor is forced to join Canvas Jira and submit their feature request. A product manager at Canvas will then post to Jira and say thanks for your feature request, we will consider it. Game over.
freeopinion 1 days ago [-]
On paper your idea seems obvious. You take a bunch of institutions that actually teach students how to program and have them cooperate to build an open LMS that benefits them all.
In reality, universities always spin off anything that looks like it could generate revenue. It is very telling that you can't even get your college transcript from your college. You have to go to (and pay) some third party to get it. Some universities even outsource their "classes" like elderhostel to cruise lines and travel companies.
gucci-on-fleek 1 days ago [-]
> rather than universities writing an open alternative they share with each other for free
That already exists [0], and is actually reasonably popular.
> the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first
I doubt it, because enterprise sales has nothing to do with how good your product is, how expensive it is, how easy it is to administer, how secure it is, etc.; it only depends on how good you are at enterprise sales. I mean, my university is Oracle-based, and I'm pretty sure that you could get 3 random undergraduates to write something better, so I don't think that LLMs writing better/cheaper software will make any difference here.
Nope! We're encouraged to keep all that exclusively in canvas. (As noted, I have my own spreadsheet. But I'm an outlier.)
gucci-on-fleek 1 days ago [-]
Presumably the system will be back up eventually, so there's not much benefit to lying here, since at best you'll raise your grade in a few classes for a couple months, while taking on a pretty big risk of getting caught.
pishpash 1 days ago [-]
You forget things can be signed, with the key owned by the school. It can be done.
SlightlyLeftPad 1 days ago [-]
Does signing really make this easily auditable from the professor’s perspective?
DaSHacka 1 days ago [-]
Exactly this, when was the last time a HN user had to interact with the prototypical 60-year-old set-in-their-ways professor?
Extremely non-tech savvy, hates computers, and is gonna grumble "What the hell is a PGP? Better not be another one of those phone code things." as you try to pitch this highly-technological solution to a largely niche problem domain.
jazzyjackson 1 days ago [-]
I mean a cloud based learning management system also seems to be a very technological solution to the very old problem of checks notes grading quizzes?
Forgeties79 1 days ago [-]
They don’t even need to not be tech savvy. This stuff just registers as “hassle” to most people so they do the bare minimum or search for ways to not deal with it at all. It’s easy to “tut tut” at them but ultimately we need to accept reality: privacy, security, these things take extra effort that isn’t strictly necessary for people to go about their daily lives even though the stakes can be super high. It’s not a problem until it is, so they aren’t really barriers that require people to do the work. It’s like convincing someone who just simply doesn’t want to go out and buy/install a lock on their door to go do it, except it’s not even a one-time thing. Their door works fine. They can come and go as they please. It’s not until something happens that they maybe change their tune (and even then!)
Hell just getting people to do secure passwords is a whole thing.
MarsIronPI 1 days ago [-]
Makes me glad I've always avoided doing my work on web platforms. When we used to have to make presentations in Google Slides I used to do them in Org-mode, then export to Sheets. I still have all those assignments sitting on my disk. Sure, there's versions of them on Google Drive, but I always make sure that the canonical version is the one on my disk.
bartread 19 hours ago [-]
> They don’t do it, because they want to control the data.
Ironically, this incident shows they don’t have control of anything.
moralestapia 1 days ago [-]
>It’s so simple to send an e-mail to the student ...
What seems easy on hobby projects gets way more difficult at scale. Source: experience.
Hendrikto 1 days ago [-]
For what they charge for these LMSs, they should definitely be able to send some emails.
brookst 1 days ago [-]
No concerns about privacy or regulatory considerations that might vary by jurisdiction? Just yolo it and deal with the breach later?
setopt 1 days ago [-]
Just to add one more data point, we also use Canvas at my university. The deadline for submitting who are eligible (i.e. passed compulsory assignments and labs) to take the exam was yesterday, and I couldn’t meet that deadline because Canvas went down. I usually do corrections offline so I have backups of my own evaluations, but these are courses with many teachers and many TAs, so Canvas is the way we sync our assessments.
p-e-w 1 days ago [-]
I guess what surprises me the most is that it’s even legal for schools to outsource the core of what they do to some random tech company.
Either way, they were under no obligation to adopt this garbage technology regardless of whether it’s available, so this is 110% on them.
jameshart 1 days ago [-]
I’m sorry… is your view here that you can’t believe it is legal for a school to purchase software or pay someone to host software for them?
You are aware that you are posting on Hacker News, a forum for people who make their living selling software and the expertise to host it?
matsemann 1 days ago [-]
The alternative would be that each school develop their own platform for this, which also isn't very good use of their time and money?
Edit: No idea why this was down voted so much. I'm not defending Canvas, just wondering what the alternative would be.
lol768 1 days ago [-]
> The alternative would be that each school develop their own platform for this
I worked at a university which did exactly this, in the UK.
It was a bespoke platform which integrated incredibly well with the rest of the systems the university used because it was designed from the ground-up to meet the institution's needs, there were regular user groups involving academics to understand what features needed to be built/worked on etc. At one point it was all OSS on GitHub too, in case other universities could've found it useful. It handled plagiarism detection (integrating with Turnitin), marking, exam grids, coursework submissions and feedback, seminar allocations, personalised timetables & mitigating circumstances.
The in-house dev team was vastly cheaper than anything SaaS would've cost, as well. It also maintained software for on-campus parcel deliveries, online exams, opinion surveys, a mobile app for students/staff, the SSO system, the course catalogue, car parking permits, a content management system and more.
akpa1 1 days ago [-]
That sounds like a dream.
My (also UK-based) university has been working on a new student records management project for years that's been incredibly ill-fated. It's destined to replace all their current systems and the first module was meant to launch last year, except it thoroughly failed testing and nobody has heard anything about it since.
No idea how long it'll take to pull through. I don't believe it's an in-house effort.
jcgrillo 1 days ago [-]
This sounds like a great opportunity for students to gain hands on experience with real software engineering work as well.
master-lincoln 1 days ago [-]
They do not need to develop it, but host an existing software on their infrastructure maybe...
If your line is GPL rather than AGPL there's Moodle.
But you do then have to have a sysadmin capable of managing an enterprise grade LAMP stack.
dboreham 1 days ago [-]
Um. This is the forum for an industry that outsourced its entire core of what they do to Microsoft (GitHub).
rupx 2 days ago [-]
I work in the Education sector as IT. We don't know much else either.
Everything we know has come from reddit threads / hackernews threads. There has been 0 official communication today indicating this was an attack, yet the login page was defaced by ShinyHunters.
beej71 1 days ago [-]
> I've never liked or trusted Canvas's gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.
That makes you one better than me. :( One thing's for sure--I'm never trusting it again.
I already had almost all my materials outside of Canvas and just used their API to upload it. So at least that's safe. But the grades... dang. Luckily we're only halfway through our quarter and it's not finals week.
Our instance is still down, but your update gives me hope.
jodrellblank 1 days ago [-]
> “My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers)”
What good is having airgapped backups and spinning them up, if they are instantly vulnerable to the same attack again?
It does depend on what the attack is, but how do people approach that scenario?
butlike 1 days ago [-]
That's an interesting question and one I'd like to know an answer to as well.
drillsteps5 1 days ago [-]
Canvas is back up as of Friday US morning for me (HS student's parent). My kid got a few panicked emails yesterday from the teachers but it looks like Instructure got it resolved quickly.
Canvas does provide a lot of value (all courses, teachers', students', and parents' contact information, all learning plans, schedules, room numbers, all grades, a lot of tests and assignments themselves, all upcoming assignments and deadlines, a lot of other coursework is in there, as are the final grades) but it shows that with external SaaS you might be one attack away from not only losing all that convenience but also in a world of hurt 'cause you lost all the data and now have to figure out how to proceed without the data and the system.
US high schools are in the middle of the finals, and seniors are getting ready for college (the transcripts to be finalized and sent out in a few weeks) so that was a scary timing.
apublicfrog 1 days ago [-]
All these articles listing the American schools affected, "nationwide" outage reported, meanwhile hundreds of millions in the rest of the world affected.
Does anyone have a list of affected schools?
isakmarr 1 days ago [-]
I don't have a list, but I can tell you the University of Iceland is affected.
dumbfounder 2 days ago [-]
Maybe a hybrid approach. Scramble to create a final exam/project and give them the option to do pass/fail or a real grade, their choice.
And then wish for the death of saas and a day where you can deploy your own software you can control and modify as you need.
Avicebron 1 days ago [-]
What is the strategic response then? Assuming I'm a student and my grades are gone, and I want to graduate, shouldn't I pick pass/fail?
Does a future employer look at pass/fail vs the grade? do they care? Are there even jobs that matter enough to care out there for them?
This seems like, solving the problem but without actually seeing the broader goal or trajectory education is supposed to follow.
hansvm 1 days ago [-]
Most jobs I've had didn't care about a transcript in the slightest. It matters for future education and a small selection of jobs, and even then a few pass/fail courses won't cause any issues. It's not great if important, major-specific coursework is pass/fail, but usually you're not allowed to do that, so when it does come up you'll just have somebody ask what absurd situation (like this canvas thing) caused it.
filoleg 21 hours ago [-]
> Does a future employer look at pass/fail vs the grade?
I don't know for a fact how pass/fail is treated by employers, but there are indeed some that look at your college GPA even 10+ years after you graduated. I suspect they don't care about the specifics of how your overall GPA was derived though, so pass/fail likely doesn't matter (unless you did really well and expected the grade to boost your GPA, and then pass/fail essentially does nothing to the GPA, thus kinda eliminating the GPA boost).
I got asked for my undergrad GPA (I graduated ~10 years ago) more than once over the last year by some finance/quant firms.
As for whether "do those jobs even matter enough," I guess it is more of a personal subjective take. I found the work that the people at those companies did (and the problems they solved) to be very interesting and challenging, I found the people working there to be extremely sharp, smart, and genuinely nice to interact with (which is an ideal work environment for me), and I found the total comp to be great. Honestly, I cannot think of much more to ask from an employer.
flexagoon 1 days ago [-]
> day where you can deploy your own software you can control and modify as you need.
Universities are not going to write their own software, and no they can’t use ‘agents’ to write and maintain it for them either.
morning-coffee 1 days ago [-]
It's somewhat ironic... if a University's CS department was charged with developing and maintaining the system, what an awesome learning tool it would be. CS students would maybe even be invested in the outcome by having to eat their own dogfood and then really appreciate what it's like in the real world.
grey-area 1 days ago [-]
It would be amazing and a great teaching tool, BUT the vast majority of universities don't have the money or IT departments to keep such a thing running. So the idea is a non-starter at most institutions.
SoftTalker 1 days ago [-]
CS != Software Engineering
I had a lot to learn about actually developing software after I finished my CS degree.
"Courses were taught in a range of subjects, including Latin, chemistry, education, music, Esperanto, and primary mathematics. The system included a number of features useful for pedagogy, including text overlaying graphics, contextual assessment of free-text answers, depending on the inclusion of keywords, and feedback designed to respond to alternative answers."
"PLATO III allowed "anyone" to design new lesson modules using their TUTOR programming language, conceived in 1967 by biology graduate student Paul Tenczar."
"The largest PLATO installation in South Africa during the early 1980s was at the University of the Western Cape ... For many of the Madadeni students, most of whom came from very rural areas, the PLATO terminal was the first time they encountered any kind of electronic technology. Many of the first-year students had never seen a flush toilet before. There initially was skepticism that these technologically illiterate students could effectively use PLATO, but those concerns were not borne out. Within an hour or less most students were using the system proficiently, mostly to learn math and science skills, although a lesson that taught keyboarding skills was one of the most popular. A few students even used on-line resources to learn TUTOR, the PLATO programming language, and a few wrote lessons on the system in the Zulu language."
The full PLATO system included grade books, attendance tracking, and class scheduling, as I recall. Perhaps a University of Illinois alum can say more.
I would really like to know how much more useful the current systems are over, say, PLATO in 1992, when evaluated for pedagogy and course management benefits.
roody15 24 hours ago [-]
Think they will end up paying the ransom quietly.
addedGone 22 hours ago [-]
100%, else good luck with the lawsuit coming from the students, as the schools are the ones liable for not securing their system.
butlike 1 days ago [-]
> And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable
I have an idea for the midterm (pun intended): Maybe don't jump feet first into the deep end of a single point of failure going forward.
camillomiller 1 days ago [-]
To my European ears this just sounds like a disaster like this waiting to happen. God bless the annoying privacy OSS advocates and bureaucrats, I guess.
gwerbin 1 days ago [-]
As someone else in the thread pointed out: Canvas is in fact open source, or at least source available on Github. And it's used all over the world, not just in the USA.
SoftTalker 2 days ago [-]
> they have airgapped backups and can be working as soon as they can spin up new servers
... and assuming they have a documented, tested, and trusted restore process.
yongjik 1 days ago [-]
Reminds me of the incident last year when a South Korean government's server room caught fire, which contained the government equivalent of Google Drive, and the only backup was in the same room, and they all burnt down together.
Some data was permanently lost, and then officers told reporters that multi-regional backup was not yet built because it was too hard at such a massive scale... of 858 TB.
selcuka 1 days ago [-]
> it was too hard at such a massive scale... of 858 TB
There are probably many S3 buckets in existence that are bigger than that.
Not saying that they should've used S3, but it's definitely possible to configure multi-regional backup (and a government can afford it).
walletdrainer 1 days ago [-]
My home theater setup has more storage than that.
rayrey 1 days ago [-]
Ah yes the “recovery” part of the continuity plan. We tested that right? Right?
jonstewart 2 days ago [-]
Backups are definitely helpful in ransomwares, but before systems can be restored and brought back online, victim organizations still need to assess the scope of the breach, find the initial access vector, identify compromised accounts, and evict the threat actor. That can take time.
garciasn 2 days ago [-]
I’m not certain, but it appears you’re giving Instructure a pass here, as if this is the first time they were hacked. But, it’s the second, by the same group.
As a parent of kids who are impacted by this, I’m not super concerned about the data being held for ransom, but I sure as fuck am concerned about how much it’s going to cost the district to move to another provider.
jonstewart 30 minutes ago [-]
I don't have an opinion on Instructure (except as a parent generally hating the overall app-ization of education; fortunately our district switched away from Canvas a couple years ago), their cybersecurity posture, or this particular event. My only point is that even if backups exist, working through a ransomware attack often takes time.
Also, ransomware gangs often exfil the data and threaten to release it if the ransom is not paid--blackmail, of a sort. It depends on the company and the data set whether this is effective as a tactic. But when it is, backups don't help.
JumpCrisscross 1 days ago [-]
> I sure as fuck am concerned about how much it’s going to cost the district to move to another provider
Does Canvas have cybersecurity insurance?
MattSteelblade 1 days ago [-]
Not at all; standard IR procedure is scope -> containment -> eradication -> recovery. There is a fog right now; we don't know all the details. It seems to me that it's just as likely they weren't fully kicked out before or that the initial vulnerability wasn't remediated. You can't recover until the threat actor has been removed.
vasco 1 days ago [-]
> let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?
Schedule a single exam and that's your grade for that subject? That's how it should work anyway, credits for work during semester (or worse attendance) are not needed to evaluate if someone learned the material, give them an exam and done.
goobatrooba 1 days ago [-]
That's just bad outdated practice. It leads to cramming and less remembering than if the demand is for students to do work and show learning and effort throughout the year.
matsemann 1 days ago [-]
Most courses I've taken have obligatory assignments that are pass/fail, and you have to pass a certain amount during the semester to take the final exam. But the grade is determined entirely by the final exam.
Which to me seems the best way, you still have to learn throughout the year. Especially to avoid cheating this works nice. And as an aside, most people I know that did a year abroad in the US got 1-2 grades higher, as it was quite easy to just farm extra credits.
sayamqazi 1 days ago [-]
It has been my observation that most of the better students were the ones who would not put in work during the semester/year and cram at the end.
fastasucan 22 hours ago [-]
Who is doing the work though, the student, chatgpt or claude?
blahedo 1 days ago [-]
That's maybe something a school can do if exams are next week, or after.
At my school, tomorrow is the last day of exams. Most of the students have left campus. There's no time or mechanism to schedule an(other) exam.
Nagyman 1 days ago [-]
That feels like a poor statistical evaluation. Why not test along the way with progressive complexity/depth?
Using attendance is a carrot to get students to show up, which leads to better learning outcomes overall - which should be the goal.
scubadude 1 days ago [-]
Then you're testing how good someone is at exams as much as anything
pishpash 1 days ago [-]
Exams have performance variance. Otherwise you're only getting a pass/fail signal in any case.
aianus 1 days ago [-]
Grading assignments just punishes people that don't cheat on their homework. It's worse than worthless, it actively helps the worst students.
vasco 1 days ago [-]
Exams are the only fair way to evaluate if someone knows something (written or oral, in person). Take homes and attendance are just window dressing.
redsocksfan45 1 days ago [-]
[dead]
ElenaDaibunny 1 days ago [-]
[flagged]
aaron695 1 days ago [-]
[dead]
copperx 1 days ago [-]
I don't understand what's the panic and doomerism about. Any competent IT team has backups and will be up and running as they go back to a state before the breach. This is HN. I'm disappointed that everyone is talking about losing grades and going back to pen and paper. I don't see how that could happen in 2026.
And from the hacker's message itself, it's clear they want money in exchange for not releasing private info, not for the data itself.
Do we live in a fear based culture? Why the panic? Even if everything was hosted on Instructure's infrastructure, it's all AWS. I'd be VERY surprised if there aren't multiple ways to go back to a previous state.
Most of the work and delay is to make sure they figure out where the breach occurred.
simonreiff 1 days ago [-]
I'm sure you're right. Across tens (hundreds?) of thousands of institutions worldwide, each one is exercising its well-written incident runbook that not only gets updated regularly but also is rehearsed constantly, just in case something like this happens. After all, what university IT department DOESN'T prepare obsessively for the moment when they need to restore all grades on all assignments for all courses from backup and fall over to the backup system for final exam administration in any required format specified by any professor, in the second week of May, on a non-negotiable schedule? There's absolutely nothing to worry about here.
brookst 1 days ago [-]
Yep. Thank God we fund school IT so generously, so everyone from Harvard to small state colleges has an absolute top notch IT department, dedicated to best practices, fully resourced to do BC/DR planning and dry runs. This could be a real catastrophe if any schools were under-resourced.
yread 1 days ago [-]
Schools don't have competent IT teams.
Here in the Netherlands a data center's power source (not even the machines) burnt down, data center is offline and University of Utrecht, one of the biggest universities here, is closed. Access passes don't work, work from home environment doesn't work, student information system is down, system for grading doesn't work. No failover for any of them (or maybe it was in the same DC?)
Backups can be sabotaged (turned off or schedules manipulated) or compromised (say, by lateral movement).
> Even if everything was hosted on Instructure's infrastructure, it's all AWS.
AWS Backup isn't foolproof. Get your hands on administrator credentials as an attacker and suddenly the only thing between everything being gone for good and unrecoverable even for AWS is remembering to have put a permanent deletion protection on all resources in AWS Backup.
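The deletion-protection point above, as an added example that is not code from the thread or from Instructure: a small offline audit that classifies AWS Backup vaults by how much a stolen administrator credential could still do to them. It assumes the field names returned by DescribeBackupVault (Locked, MinRetentionDays, LockDate) and runs on constructed sample vault records.

```python
"""Flag AWS Backup vaults whose recovery points an attacker holding admin
credentials could still delete.

Added illustration, not code from the thread or from Instructure. Assumes the
field names returned by DescribeBackupVault (Locked, MinRetentionDays,
LockDate) and uses constructed sample records so it runs offline.
"""
from datetime import datetime, timezone


def classify_lock(vault, now):
    """Return how tamper-resistant a vault's lock is at time `now`.

    - "unlocked":    no Vault Lock at all; any principal with delete
                     permissions on the vault can remove recovery points.
    - "governance":  Locked but no LockDate; the lock itself can be removed
                     by a sufficiently privileged principal.
    - "cooling-off": compliance lock requested (ChangeableForDays set); it
                     is still changeable until LockDate.
    - "compliance":  LockDate has passed; the lock can no longer be removed
                     by any principal until the retention period expires.
    """
    if not vault.get("Locked", False):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"
    if lock_date > now:
        return "cooling-off"
    return "compliance"


def audit_vaults(vaults, now, min_retention_days=30):
    """Map vault name -> list of findings (an empty list means acceptable)."""
    findings = {}
    for vault in vaults:
        name = vault["BackupVaultName"]
        problems = []
        state = classify_lock(vault, now)
        if state != "compliance":
            problems.append(
                f"lock state is '{state}': recovery points can still be deleted"
            )
        retention = vault.get("MinRetentionDays", 0)
        if retention < min_retention_days:
            problems.append(
                f"MinRetentionDays={retention} is below the "
                f"{min_retention_days}-day floor"
            )
        findings[name] = problems
    return findings


# Constructed sample records shaped like DescribeBackupVault output.
# Vault names and dates are made up for this illustration.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_VAULTS = [
    {"BackupVaultName": "lms-daily", "Locked": False},
    {"BackupVaultName": "lms-governance", "Locked": True,
     "MinRetentionDays": 45},
    {"BackupVaultName": "lms-pending", "Locked": True, "MinRetentionDays": 90,
     "LockDate": datetime(2025, 6, 3, tzinfo=timezone.utc)},
    {"BackupVaultName": "lms-immutable", "Locked": True,
     "MinRetentionDays": 90,
     "LockDate": datetime(2025, 1, 15, tzinfo=timezone.utc)},
]


if __name__ == "__main__":
    for vault_name, problems in audit_vaults(SAMPLE_VAULTS, NOW).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{vault_name}: {status}")
```

Only the "lms-immutable" vault passes: an unlocked vault, a governance-mode lock, and a compliance lock still inside its cooling-off window all leave recovery points deletable by someone holding the right credentials.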
belabartok39 1 days ago [-]
I fully agree. What really pisses me off is that these "hacker" groups always spout off how they are doing it to screw the man but then threaten the average person. Millions of them. It just goes to show how uneducated, low-class, and simple these people really are.
Gabriel54 2 days ago [-]
I'm surprised how few comments there are on this thread. This is probably affecting millions of students at the most stressful time of the year.
Incidentally I've always hated Canvas and probably every other LMS provider, but what is particularly amusing about this current outage is that it is occurring at exactly the time when universities are demanding that all professors put all of their materials on Canvas, without exception, due to ADA compliance regulations. It is explicitly forbidden for professors to, e.g., refer to pdfs posted on a personal website.
Other commentators here seem not to understand that many faculty also do not enjoy being forced to use Canvas.
bradley13 1 days ago [-]
I'm in Europe, and we don't use Canvas (at least, I've never heard of it). However, we have similar diseases. In my particular school, it's a massive SharePoint site plus ever more stuff in Teams. Plus Moodle, plus other services.
The MS services have not improved teaching at all. What they do, is fragment communications, and add ever more places people have to look, in hopes of finding things.
But the administration loves them. "The bureaucracy is expanding, to meet the expanding needs of the bureaucracy."
pfortuny 1 days ago [-]
Spain here. Most of our public Universities have their IT stack on MS... I cannot fathom how much of our national budget goes to their pockets.
Thankfully, I store my teaching materials on my personal non-uni webpage, and the students' marks on my office's computer (apart from the MS-based Uni system).
Whenever something happens with MS, chaos ensues throughout the whole Uni and the students end up paying the consequences.
iamflimflam1 1 days ago [-]
Teams and SharePoint eventually infect any organisation that uses Office.
tokai 23 hours ago [-]
There are plenty of European Canvas customers.
gchallen 2 days ago [-]
They have not succeeded in forcing me, yet. But it's sad how many computing faculty apparently can't operate the basic online infrastructure needed to support their courses. Not that universities make it easy for us.
And of course the other serious concern I have with Canvas is that they are likely using all the materials faculty upload to train their AI replacements. Many of my colleagues engage in dark humor about this but I haven't noticed much action.
JumpCrisscross 1 days ago [-]
> they are likely using all the materials faculty upload to train their AI replacements
Instructure (Canvas's developer) partnered with OpenAI last year [1], about a year after KKR and Dragoneer (PE firms) acquired it [2].
I would guess these plugins are chosen so a majority of users won't want to live without them.
It also seems these plugins "link" to canvas-lms, so keeping them proprietary would be a GPL violation if anyone except Instructure holds part of the copyright to Canvas.
dotancohen 1 days ago [-]
Money, skill, liability.
That calculus is about to shift.
FloorEgg 2 days ago [-]
I'm sure the engineers at instructure are not capable of building systems that can do that. You give them too much credit.
freedomben 1 days ago [-]
Former Instructure engineer here. I've been gone almost 10 years at this point, but some of the best engineers I've ever worked with were at INST.
I'm not sure where your stereotype even comes from, because Canvas is not trivial software. You can see for yourself as it's AGPL and I assume you looked at the code before criticizing it because any good engineer would do that.
w4der 1 days ago [-]
I don't care how good you think it is, the fact that it (back when I used to be a TA) would break if two TAs tried concurrently grading different parts of an assignment of a student is bonkers. The workaround for that was to use a Google Sheet document so TAs just looked at the submission in Canvas, then filled in their grades and feedback on the sheet. The issue is that Canvas, as far as I could tell, did not support mass uploads from a csv, so we had a script which would read every entry on the csv, map that to the student's ID and grade them, which made it look like the TA who had generated the API key graded all of the students (and would get all the backlash from poor grades).
I completely agree that it is not trivial software in the worst sense, it tries to do too much, while not being particularly good at any one of those things, and is way too rigid for how diverse the needs of different courses might be even inside a single faculty. And saying "It's AGPL, just self host and add your requirements to it" is not really useful, that would mean way more money and effort than what a university's overworked IT dept. is capable of.
FloorEgg 23 hours ago [-]
I didn't say instructure engineers were bad.
What I meant is they aren't capable of building AI capable of replacing professors. I still consider it a reasonable assumption, as it has nothing to do with how well engineered canvas is. It's a different competency than instructure would have, and I've heard from insiders instructure has been spinning their wheels on way more trivial AI challenges. I also understand well how hard it would be to create AI that replaces professors and how the current best AI from Google, Anthropic, OpenAI is orders of magnitude away from being able to do that.
An engineering culture can change a lot in 10 years, and a company's engineers' ability to do stuff depends both on the individual engineers' abilities as well as the company systems and culture.
mbesto 1 days ago [-]
> some of the best engineers I've ever worked with were at INST.
> You can see for yourself as it's AGPL and I assume you looked at the code
Can you look at any codebase and tell me it's written by some of the best engineers and it's not trivial?
hackyhacky 1 days ago [-]
I've been using Canvas for years and it's some of the worst written software I've ever used. It's slow, buggy, with an atrocious 2001-era UI. It's a CRUD app that has no excuse for being so cumbersome. I'm not surprised at all that their security is just as bad as the rest of the product.
A bright undergrad could build a superior replacement in a few months, even without AI.
freedomben 1 days ago [-]
I won't disagree on usability. It has some sharp edges for sure. But
> A bright undergrad could build a superior replacement in a few months, even without AI.
Is quite naive. Canvas is not at all just a crud app. You can view the code yourself as it's AGPL
ericpauley 1 days ago [-]
What component in particular goes substantially beyond CRUD?
jameshart 1 days ago [-]
It is a very common error to look at a specialist piece of software, superficially consider the basic data structure it appears to have and think ‘seems simple enough. Basic CRUD app.’
But it’s rarely the case in practice.
In a sibling comment right here for example someone bemoaned the difficulty in Canvas of having two TAs simultaneously grade separate parts of the same assignment. That sounds like something that goes beyond CRUD.
But more importantly any workflow system, which an LMS will be full of, has to handle the always tricky problem of how changes to workflows affect the things that are currently in the workflow. Assignments posted in course X need to be approved by person Y; some assignments are submitted for approval; person Y goes on leave and now the approval needs to be person Z. Not a simple CRUD problem.
These are things that occur to me with only a moment’s consideration of what an LMS system might need to deal with. The actual domain probably has considerably more complexity that I can’t even imagine.
hackyhacky 1 days ago [-]
I think you are confusing the reality of Canvas with a different, theoretical learning management system.
In reality, Canvas does not have workflow and does not prevent race conditions in grading. I can certainly imagine an LMS that does these things, but Canvas does not.
It would probably help if you had actually used Canvas before trying to convince us that it is non-CRUD.
jameshart 1 days ago [-]
Sorry, I wasn’t trying to defend Canvas, so much as give general advice that ‘I could build this in a weekend’ is rarely a wise claim. The specific ways in which Canvas could not be built in a weekend do not need to be the ones I identified.
"Look at the code" is not a reasonable response to "Is this app CRUD or not?" You've already been asked to provide specifics about which component(s) of Canvas are allegedly non-CRUD, and simply repeating your claim without answering the question does nothing to advance your case.
It's a simple question. Since you claim to be an expert on Canvas, I'm sure that you can point me to the relevant features much faster than I can sort through thousands of lines of code, looking for the one line that says "def not_crud_function()". CRUD or not-CRUD is a judgement about the purpose of a program, not its implementation.
freedomben 6 hours ago [-]
"I don't want to glance through the code, I'd rather you write me a detailed report on all the thousands of places where it deviates from crud" (not a direct quote) is not at all a reasonable ask.
And If you can't be bothered to take 2 minutes to click through some pages on GitHub, I don't believe you'd take the time to even read that report. So no, I'm not doing your research for you.
Edit: I will do this for you though. Here's Gemini's opinion[1]. It's quite accurate as well, and goes into reasonable high-level detail (though doesn't get into specific modules). I especially loved this quote:
> At its absolute lowest level, almost all web software boils down to pushing state to and from a database. But calling Canvas LMS "just a CRUD app" is a bit like calling a commercial airliner "just a metal tube with wings."
How reductionist and a straw man as well. No one here asked for a "detailed report." They asked you to name one (1) feature of an application that you claim to have intimate knowledge of; the original question was "What component in particular goes substantially beyond CRUD." It could take you one sentence. After multiple failures to pass that low bar, compounded by your total mischaracterization of the question and your citation of an obsequious LLM that also failed to provide any specifics, it's abundantly clear that you are unable to support your claim with facts and are not arguing in good faith. I won't waste my time further with your childish behavior.
LMSes have to balance a lot of directly competing needs.
It has to be simple enough for the average person to use (both on the learner side and the instruction side) and have enough complexity to allow for a lot of flexibility in setup because every organization is slightly different. They have to support 50 million file formats and everything has to be backwards compatible until the end of time and everything has to load properly and quickly on 50 million different device/OS/browser combinations. Yes, there's SCORM as a standard, but even that is rickety, and an LMS that doesn't support non SCORM files is dead in the water anyway.
They're simple(ish) in code, and a nightmare in requirements.
hackyhacky 1 days ago [-]
Everything you say is true, and yet it's clear you've never used Canvas.
Canvas is decidedly not fast, fails to display even trivial files (such as source code) as well as more complex files that should just be handled by the browser (such as video), and it has a non-intuitive, verbose, and tiresome interface that would have felt old-fashioned 20 years ago.
Mezzie 24 hours ago [-]
Yes, I should have said 'in theory', because there always ends up being compromise and usually that's the thing that's chucked out first.
LMSes frankly run like shit. I don't work with Canvas right now, but every one I've used has run like shit.
However, there are reasons that the complex files aren't handled by the browser: tracking and persistence. It isn't enough to make a video file watchable, it then needs to be tracked in the same system as every other training/educational material and in the same way. If you don't care whether the students actually watch the video, then yeah, throw them a YouTube link or embed a video on a personal site or just have the LMS serve a basic embed. But being able to track video, make it mandatory, make it so that it can't be fast forwarded/people can't skip to the end etc. all matter when LMSes are used for topics that are required for compliance and regulatory purposes.
I don't disagree on the interface(s). Ours is a farce and I hate it.
It's likely that they're so bad precisely because of the simple tech and complex requirements. Simple tech doesn't mean 'easy' or 'not time consuming'. But it means you're looking for developers who have a decent level of technical proficiency (to handle the numerous edge cases and flexibility the systems demand: it's not hard but things like the data structures need to be well thought out and every single piece of the system is integrated with one another in most LMSes so you can't silo work as easily) and who want to work on problems that aren't hard and require dealing with a lot of unreasonable people (in the form of their requirements). You have to allow/design for a lot of stupid things because otherwise people will throw tantrums about it.
Then on top of that, you're developing something that doesn't directly generate profit, so nobody is going to pay for it or appreciate the work you put in.
Then on top of THAT, they're fairly insulated from the actual end users.
It's just a recipe for shitty software.
hunter2_ 1 days ago [-]
If they're at the level you say, they just might install some AI gizmo like the Vercel employee was accused of, but really let it run amok with write permissions.
onetimeusename 1 days ago [-]
Live streaming of class through Canvas is very popular. Quite a few people just watch from their dorms. So maybe people will have to come back to class, that will be entertaining. The classrooms are almost standing room only (sometimes they are) on the first day of class and then gradually thin out. Sometimes 10 or so people show up out of a class of 100. If Canvas is not back up soon I think it could actually be disruptive for that reason also.
ecshafer 1 days ago [-]
This is awful to hear. The idea that students are just half-assedly streaming the lectures is really just ruining things in the long run. This is a bit old manny, but showing up to lectures is good. You go to class, you get face time with professors, you can ask impromptu questions, you rub elbows with classmates, you talk on the walk between classes, you maybe run into a cute girl. Friction like walking to class and finding a nook in that annoying hour gap you have, are the things that make life enjoyable.
gwerbin 1 days ago [-]
When I was in school, professors' attitudes around attendance were usually "you're only hurting yourself, I don't care if you show up or not".
It's been long enough that I can't claim to be in touch with the current generation of teaching faculty. But it might be an element of that, combined with the desire to provide accessibility for the handful of students who do in fact need the accommodation.
tokai 23 hours ago [-]
Showing up to lectures is vastly overrated. Like note taking it's cargo cult behavior for middling students that care more about going through the acts of studying, than actual learning.
ecshafer 22 hours ago [-]
You'll note I didn't mention quality of education in my arguments. I am talking about the human experience. Though the studies typically show a correlation with grades and attendance.
timdiggerm 1 days ago [-]
What a failure of university leadership to allow or even encourage that practice
altairprime 2 days ago [-]
Not much overlap between students and HN these days, though? I’m an extremely rare outlier afaik :)
The administration has so far opened with one “Canvas said” and then an hour later one “Canvas is down indefinitely” email noting that they’re aware it’s serious.
(Canvas is a glorified wiki for teaching students, with quizzes and such, for those unaware.)
dang 2 days ago [-]
> Not much overlap between students and HN these days, though?
That's my biggest fear.
byronsharman 1 days ago [-]
I'm an undergrad student in computer science and I come here regularly. Many of my friends do the same. Of course, that can't be extrapolated to students globally, but students who love what they do are not extinct!
HN is kind of the go-to platform. We also have a Discord server where we hang out and talk about stuff that may or may not be software-related. I know some of us are interested in getting accounts on lobste.rs, but we need to find someone to refer us. I keep forgetting to ask one of my professors.
gucci-on-fleek 1 days ago [-]
FWIW, I'm a student, so there are at least a few still here. Feel free to ask me any questions (either via email or via replies to this post) and I'll try to answer them.
dang 22 hours ago [-]
Ok! How many of your smart friends read HN? and of the ones who don't, what do they read instead?
gucci-on-fleek 17 hours ago [-]
> How many of your smart friends read HN?
I don't think that any of them do, but I'm a Canadian math/physics major, which is slightly outside the target audience for HN.
> of the ones who don't, what do they read instead?
For the social aspect: mostly medium-sized Discord servers. For the news aspect: nothing at all. Both of these do have some advantages, but it's still a bit of a shame, because the Discord servers aren't indexed by Google, so they're hard for outsiders to find, and not reading the news means that they're missing out on some of the cool new tech advances.
strix_varius 1 days ago [-]
Is there any internal data on where students are going instead?
dang 1 days ago [-]
Not much, but I do ask the youngest founders what their friends read if they don't read HN, and the only consistent answer I hear is Twitter.
(and btw, they do say "twitter")
AuthAuth 1 days ago [-]
Many of my sister's friends do everything entirely via tiktok. They look at what trends are popular and they target that fully on platform. This is for stuff like building niche targeted apps, selling beauty products/clothing brands, restaurants.
DaSHacka 1 days ago [-]
You honestly don't wanna know
If my peers are any indication, a whole lot of TikTok, Reels, Twitter, Discord, and other such mind-numbing platforms.
The types of platforms I would consider 'substantive' (or, at least, more substantive than those platforms) are definitely on the way out.
The few times friends have seen me browsing Hacker News or a certain Mongolian basket weaving forum, the first thing they comment on is how confusing the interface is, and how old the site looks.
I truly don't understand the mentality, but if your site doesn't take three seconds to buffer a simple text drop down menu, and have JavaScript elements load in mid-scroll that bump elements around the page making you just barely miss that button you were trying to click, then your site is seen as 'inferior' or 'sketchy'.
Perhaps I've just had a bad sample, but I've experienced a variety of different environments by this point, and by and large, I've seen more people in my generation act in that manner than not.
dang 1 days ago [-]
This is actually reassuring. We don't need all your peers! We just need you and whatever smart cohort you're bonded with.
It's true that HN looks old - it looked old before you were born, probably - but (a) I have no idea how to change it, and (b) HN is a long bet on plain text. If the smartest young people lose interest in reading, I'm ok with HN dying for that reason. I just don't want it to die for any cheaper reason.
gsquaredxc 1 days ago [-]
I would like to offer some additional reassurance: I send my friends articles I see on HN that might interest them. A (in my view) very good litmus test is when someone asks where I saw it, because this demonstrates some desire for continual learning. I find that anyone that asks that question seemingly trusts an interface like HN more because of it. My suspicion is that this is probably because at a certain point you see stuff like Agner Fog's work, LWN, or a number of other minimalist websites and realize that a website that is popular despite the lack of overindulgence in UI must be popular because of the content. It doesn't hurt that the best courses in my university experience have had websites that have not changed much since the late 1990s (one did change the lime green text on turquoise background on their page after the recession to a color scheme that didn't cause headaches in students).
I do find that my peers that now read HN used to be judicious about curating a Reddit feed and mostly otherwise limited on other sources. Short-form content is addictive and nearly as unavoidable as sugar, but many of my brighter peers work on reducing that intake. Long-form YouTube is also something I find to be a marker of someone who is seeking knowledge. Many of my peers do scroll Twitter and TikTok all day, but I find that those who are easiest to chat with are those who have already scrolled HN today and want to discuss a particular article they know I would have seen. I've had conversations that start with "Did you see that TikTok?" and conversations that start with "Did you see that article on HN?" and the latter is always more engaging.
dang 22 hours ago [-]
You succeeded in reassuring me further—thanks! This little subthread turned interesting, though it's teeming with sample bias of course.
> Long-form YouTube is also something
Yes, we hear that often too. I didn't mention it above because it's not text, but in terms of how people spend time and where they go to learn things, it's a huge alternative.
I wonder sometimes how HN might interface with the videoverse. I can't imagine having video on the site but I can imagine making videos based on HN threads or articles that have appeared here. I just can't imagine me making them!
altairprime 21 hours ago [-]
Long-form YouTube is much more text than may be apparent on the surface. Discussions with hundreds or thousands of comments and with the same wide-ranging falloff curve of HN in how interesting those comments are (and, too, HN’s tendency to bubble up trite one-liners and me-toos due to sharing the integers-only voting system weaknesses).
tailscaler2026 1 days ago [-]
Discord is just chat, I wouldn't call it mind-numbing, reminds me perfectly of IRC from a utility perspective.
That said, it's a commercial closed-source single point of failure.
Kiro 1 days ago [-]
How is Discord mind-numbing?
Ronsenshi 1 days ago [-]
Perhaps some interest-related Discord servers. Tragically, Discord is just another locked down silo without publicly accessible front on the web.
daedrdev 22 hours ago [-]
I think it's a good fear to have. I feel like many sites die when the main path of discovering them breaks for one reason or another; who knows what the path to discovery of this site would be for a student today.
altairprime 1 days ago [-]
Drop me an email if you like — it’s not really topical to Canvas but I’m happy to discuss further.
dang 2 days ago [-]
(Comments were split across multiple threads and we've since merged them.)
Gabriel54 2 days ago [-]
Definitely not a criticism of your (hard) work here. Thank you!
Can you explain for the billions of the rest of us why this is the "most stressful time of the year" for the group you're referencing? I assume that's American students and/or teachers?
isakmarr 1 days ago [-]
Final exam season, and it's ongoing in Iceland too, so not just American students.
Steve16384 24 hours ago [-]
Here in the UK it's currently exam season. One of my sons had a GCSE exam just today.
pfortuny 21 hours ago [-]
European students are preparing for their finals.
cocoto 1 days ago [-]
Replace your material content with lorem ipsum or garbage LLM content and upload it to Canvas to test the accessibility of your documents if required.
isityettime 1 days ago [-]
What? What makes Canvas accessible in a way that HTML and PDF files are not? It's true that PDF readers aren't the best for screenreaders, but surely you can just upload a .html copy as well.
Gabriel54 1 days ago [-]
Canvas has an easy way of checking if a pdf or other course material is accessible, so many universities are forcing faculty to put all their materials on Canvas. That way if a pdf or powerpoint is not compliant it is immediately flagged. The goal is to reach a "100% accessible" metric.
Note that little of this really helps the students that it is supposed to help, because as you wisely point out, raw HTML is almost by definition extremely accessible. I work in a field that uses LaTeX and the source code of LaTeX should also be considered more accessible than the compiled pdf. But for university administrators the only important thing is that the accessibility metric that appears (or used to appear, before today!) on Canvas shows 100% accessible.
isityettime 1 days ago [-]
That really sucks. I'm visually impaired and many members of my family are/were blind. I think accessibility is really important, but it's so painful to me to feel like people's limited energy is being directed towards performative measures, useless rituals, vanity metrics, etc.
Nobody has infinite energy, and disabled people don't have infinite social capital. It's a shame when energy from that shared pool gets spent on things that don't really impact meeting people's access needs.
And the other thing is that everyone's access needs are different. It can certainly be useful to try to set a baseline or propagate common guidance. But the most important thing, especially in a university setting, is for instructors to be flexible and responsive and for classes (and non-teaching workloads) to be structured in a way (e.g., small enough) that supports that.
I think metrics like "100% accessible" might even be dangerous. It makes it easy for able-bodied people who aren't in direct contact with disabled stakeholders to pat themselves on the back without actually knowing what's going on.
Bleh. Good luck doing right by your disabled students and disabled colleagues, and good luck resisting the bullshit.
Gabriel54 1 days ago [-]
I was only a lowly TA so I saw these issues from afar, but I would add that, on a more optimistic note, I don't think I've ever met an instructor who wouldn't do whatever he or she had to do to support someone with special needs. As you suggested, metrics do not tell the whole story and certainly metrics for the sake of metrics are not helpful and may in fact be dangerous.
That said there is certainly a lot more work that needs to be done in this area. Hopefully these regulations over time bring out practical positive change. Time will tell.
bradley13 1 days ago [-]
Why does everything have to be 100% accessible?
I'm a prof. When I have a student with special needs in my class, the administration tells me ahead of time. I make the necessary allowances - and those differ from case to case, anyway: whether it's extra time in exams, or someone who is deaf, or someone who is blind, or whatever.
When it happens, I make the necessary allowances. When I don't, then...I don't.
The obsession that everything has to be 100% accessible, for every kind of disability, all of the time? That's just nuts, not to mention a complete waste of resources.
altairprime 21 hours ago [-]
The attitude they’re contesting is that accessibility is a “minimum compliance” category: people tend to invest zero effort into accessibility until caught, and enforcement that waits for students to report suffering is terrible, so automated analysis of accessibility that is ‘always on’ dramatically raises the water level for all accessibility. It won’t reach 100% accessible but it’ll reach a lot higher than the 1% accessible it was otherwise, and that’s a valuable result worth obsessing over. Doesn’t have to be complex: “Your video was uploaded without captions”, “your PDF is missing a text layer” are probably the two most valuable and simplest to implement rejections on the table.
Telemakhos 24 hours ago [-]
Universalizing statements like "100% accessible" are usually bad ideas. In this case, it's driven not by administrators but the Department of Justice, which is rulemaking accessibility via consent decrees. I think a lot of people miss that and just blame the administrators. Rulemaking is a long process, and the rules being made are stuck in a time before AI could reliably read a book to a blind person: the rules shift the onus onto the content creators, when we've created a whole new ecosystem of ways to eliminate the onus. The DOJ should probably step back and stop trying to regulate this, because the market has already solved it.
Loughla 2 days ago [-]
[flagged]
sellyme 1 days ago [-]
Putting aside the "So you hate waffles?" non-sequitur, surely the entire topic of this thread should be a bit of a hint that this misguided policy has not, in fact, "[made sure] courses are fully accessible".
Gabriel54 1 days ago [-]
Well, to be fair, it has made every course hosted on Canvas equally accessible to everyone. ;)
SoftTalker 1 days ago [-]
Universities do not care if course materials are accessible. They do care about getting sued. And that is what this furor over accessibility is about. Federal law requires accessibility, and the universities perceive that there are lawyers circling the bloody waters just waiting for the deadlines to pass and start filing lawsuits because they found one PDF on a professor's home page that doesn't pass the requirements.
phendrenad2 21 hours ago [-]
That's what I got from it. But it's misdirected, the problem isn't being forced to use a platform, the problem is the platform.
Gabriel54 1 days ago [-]
Accessibility regulations, implemented with feedback from faculty and with the support of university resources, are certainly a good thing. But that is not what is happening in my experience.
yard2010 1 days ago [-]
Not GP. Incompetent policy makers are the bad thing.
dreamcompiler 24 hours ago [-]
It's like the situation with HIPAA rules in electronic health records: It wouldn't be impossible to write your own EHR system but if you do you have to spend a lot of money proving it meets HIPAA regulations or accept substantial liability. So companies just pay Epic $$$ because they promise HIPAA compliance.
Likewise with classroom software if you just use the "industry standard" enterprise crapware you've outsourced the accessibility liability to somebody else. If the software is hot garbage from a usability perspective, that's irrelevant.
And this is why we cannot have nice things in the enterprise space.
myrandomcomment 2 days ago [-]
1. It should be illegal for any company to pay ransomware attacks. Period. No pay out ever.
2. The penalty for being the attacker should be linked to the system they violated. If you do this to a hospital and someone dies you get life in prison / the chair. The minimum sentence should be so painful that it deters the attack.
No, this will not stop this, and companies need to be held accountable for their lack of security investment. Every attack should be investigated to check whether the company met agreed industry-standard best practices, staffing, etc. The penalties for not meeting the requirements should be punitive.
parliament32 2 days ago [-]
> It should be illegal
It should be illegal to host insecure services, especially when you're dealing with PII. Breaches keep happening and nobody gives a fuck, because the worst that'll happen is you might lose a handful of customers and buy some "credit monitoring".
Incidents like this should be followed by an audit and charges being laid. Send corp officers to jail for negligent security failures. If you can go to jail for accounting fraud, you should be able to go to jail for cybersecurity-promises-fraud.
They claim to be compliant with a number of security standards [1]. I would love to see a postmortem audit of how much of this they actually implemented.
I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.
Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.
This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far too cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.
jedbrown 1 days ago [-]
And this strict liability will come with an expectation of insurance. The insurance policies will necessitate audits, which will actually improve security.
Avicebron 1 days ago [-]
The only right answer.
anonzzzies 1 days ago [-]
Let's do this.
walletdrainer 1 days ago [-]
I feel like there’s a tendency here to seriously overestimate how damaging these leaks are to individuals.
For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.
Kiro 1 days ago [-]
It's not a popular opinion, but I agree. I live in a country that has a very extensive principle of public records, and oftentimes these leaks disclose much less than you would get by simply calling the authorities and asking. Now, whether that's good or bad is a different story.
Neikius 1 days ago [-]
Leaking school or medical records can have serious personal consequences that cannot even be enumerated.
crazygringo 1 days ago [-]
It can, but not for most people. For most people leaking that stuff would still have damages of zero dollars.
Which is what the comment above was referring to. "Most people". Not "all people".
paulddraper 1 days ago [-]
We used to hand out whole books of this information to as many people as possible. (Phone books.)
phainopepla2 2 days ago [-]
How could you possibly make it illegal to host insecure services? Is any service 100% secure? And if it were how would we know?
I do agree with the audit and punishments for clear failure to adhere to established standards.
bawolff 2 days ago [-]
This is a solved problem in pretty much every other domain of life: if you are following best practices but something that wasn't reasonably foreseeable happens, then you're fine, but if the bad thing happens as a result of negligence, then you are in trouble.
jameshart 2 days ago [-]
Criminal law isn't about making things alright for the victim. That's what insurance is for.
Even if you leave your door unlocked, if someone walks in and steals your stuff, it's a crime. The state has an interest in prosecuting crimes even if the victim didn't do everything they could to prevent it.
JumpCrisscross 1 days ago [-]
> Criminal law isn't about making things alright for the victim
Restitution and retribution are the components of justice [1] entirely about "making things alright for the victim."
The company is not the victim here. Its users are. [I suppose my previous comment was a bit ambiguous; I meant something bad happens to someone else, not to yourself.]
A better version of your analogy would be if your landlord failed to repair your front door in a reasonable period of time and as a result someone walked in and stole your stuff. Yes, the thief is the primary responsible party, but the landlord's negligence in maintaining the property probably also exposes them to some liability.
P.s. This is neither here nor there, but restitution is a part of criminal law.
jameshart 1 days ago [-]
Some liability, sure. Civil, not criminal, though, right?
But the post I was responding to said it should be a crime to have unsecured systems.
That is equivalent to saying it should be a crime to leave your door unlocked.
isityettime 2 days ago [-]
"Best practice" in cybersecurity is largely vendor-driven with little to no independent empirical validation.
That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.
SoftTalker 1 days ago [-]
I like to relate it to operating an automobile. You can follow every traffic law and still be liable in an accident, because you owned the vehicle that caused the damage. This is why you have insurance.
MagicMoonlight 2 days ago [-]
In civil law maybe, but you aren’t allowed to blame a rape victim for choosing to walk down rape alley…
morning-coffee 1 days ago [-]
"Established standards": now who has the incentive to run shitty services? Those big enough to control the "established standards".
hsbauauvhabzb 2 days ago [-]
No building has a 100% chance of not caving in, yet somehow I think charges would be laid if a skyscraper caved in.
sieve 1 days ago [-]
The equivalent analogy is charging lock/door/drywall/timber makers and suppliers for lapses if a thief entered the house by picking a lock or drilling/sawing through the wall.
hsbauauvhabzb 1 days ago [-]
No, it’s more like me storing my money at a bank, and then someone stealing from the bank, who told me they were secure. And turns out they had shitty locks.
jameshart 2 days ago [-]
This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.
I'm not sure that's a fair analogy.
varun_ch 1 days ago [-]
I think it’s a very fair analogy. The _only_ way to stop them is to make your stuff secure. That’s literally the only way.
jameshart 1 days ago [-]
We do not generally hold victims of crimes accountable for failing to defend themselves adequately.
If someone threatens you with a knife and gets you to hand over your wallet, your bank doesn’t get to say ‘you should have hired better security’ when the mugger uses your credit card.
The problem here is the mugger, and that’s who the state goes after. Even if the victim walked into a bad area. Even if the victim could have defended themselves.
Same with ransomware attackers. They are the problem. We might encourage potential victims to behave in ways that make it less likely for them to be targeted. But if they are targeted, we should still focus our societal disdain on the criminal not the victim.
christina97 1 days ago [-]
While I’m sympathetic to this argument (it would be great if the internet were a safe place), in practice this thinking leads to governments trying to impose legislation that hurts legitimate uses but does little to protect from the long tail of harm. There’s little that can be done about North Korean state sanctioned cybercrime without a great firewall.
If the perpetrators of this hack were caught and in a developed country, they would certainly be prosecuted for their crimes and not get off light (especially if any data is actually leaked).
jameshart 1 days ago [-]
I think states should be able to do better than a ‘great firewall’ to defend their domestic net infrastructure from malicious foreign actors.
But I do think it should be much more states’ responsibility to make their domestic network safe for citizens and businesses and institutions to operate.
ryandrake 1 days ago [-]
The other side of that spectrum portrays the service providers as pure, negligence-free victims. The truth is probably somewhere in the middle.
hsbauauvhabzb 1 days ago [-]
Your analogy portrays gravity as a thing that buildings cannot be built to withstand. There are plenty of structurally sound buildings and while there are plenty of secure apps the problem is there’s no incentive to build the latter.
jameshart 1 days ago [-]
On the contrary.
My analogy would be: of course buildings have to be built to withstand gravity. That’s a natural part of the world that cannot be eliminated.
Buildings are built to stand up to natural forces. But not to, for example, the threat of a malicious actor crashing a plane into them. That isn’t typically considered a reasonable thing to architect civilian infrastructure for.
When you build IT infrastructure, likewise, you should build it to handle the natural forces it will be exposed to. But are you as accountable for securing it against the acts of malicious parties as a structural engineer is for securing a building against gravity, or as accountable for securing against those acts as the structural engineer is for securing that building against terrorists?
primitivesuave 2 days ago [-]
If Boeing claimed a plane was airworthy, but it crashed because basic engineering controls were skipped, we have collectively put our faith in the NTSB to preserve evidence, run an independent technical investigation, etc. There is no such authority for software - most security auditors (SOC2, HITRUST, etc) are just looking at self-reported data.
Just take a look at the recent Epic vs. Health Gorilla lawsuit to see how nonexistent the protection is around exchanging your medical records, one of the most sensitive types of PII.
willdr 1 days ago [-]
Edit: I was incorrect / non-American, I was thinking of your FAA.
motoxpro 1 days ago [-]
People who haven’t been hacked just haven’t been looked at. If someone wants to hack you, they will hack you. It’s really unfortunate that people have this level of confidence in their ability.
These problems will continue as long as it is legal to operate in an unsafe way.
We've learned this in every other industry, but we can't seem to accept it in software. One of my hopes for AI is that it reduces the cost to behave responsibly to a level where this absurd resistance to acting responsibly erodes.
a34729t 2 days ago [-]
Has a corporate officer ever gone to jail or been meaningfully fined for a data breach?
hxugufjfjf 1 days ago [-]
Yes, many times.
AlienRobot 22 hours ago [-]
I have a simpler view on this.
Every service that is online will be hacked eventually, it's only a matter of time.
Time is the most powerful force in the universe.
JumpCrisscross 1 days ago [-]
> Incidents like this should be followed by an audit and charges being laid
What? Why? Who died? This whole thing is perfectly dealt with through civil process.
mikeweiss 2 days ago [-]
Shouldn’t we be focusing on making it harder to pay overseas criminals in the first place? /ahem/ crypto platforms facilitating transfers to bad actors /ahem/
protocolture 1 days ago [-]
Criminals should focus on proven methods, like Steam Gift cards.
joenot443 1 days ago [-]
I think the cat is entirely out of the bag on that one, I’m afraid.
There is no shortage of coins and no shortage of sketchy exchanges. The platforms do work with LEOs, when asked, but my understanding is that unless the perp was a serious nonce, chasing the transfers themselves is a fool's errand.
ttul 1 days ago [-]
But, then, how would Trump’s family and cronies get paid?
joenot443 1 days ago [-]
Are you earnestly under the impression that Trump does the things he does such that he can be paid later in secret bitcoin transfers?
Like is that your actual model? I’m curious
mikeweiss 22 hours ago [-]
He may be referring to the fact that the Trumps have strong business ties and interests in the crypto industry, and as we've seen in the last year this administration is a strong friend of the industry. Money is being made one way or the other, and if you don't think so you are completely blind.
pants2 2 days ago [-]
When will countries start treating cyberattacks as an act of war? If the North Korean military came to America and robbed Fort Knox of $200M in gold, there would be retribution. But hack an American company for the same amount and the feds do nothing.
prodigycorp 2 days ago [-]
Ok, so we treat it as an act of war. Now what? Attack North Korea? Great, the entire city of Seoul gets shelled within five minutes of your attack and hundreds of thousands of innocent people die.
It's very easy to play with lives that aren't yours.
sayamqazi 1 days ago [-]
You would be surprised how many people naively think "Why doesn't my country just open a war on X country and this Y problem will be solved forever." In their heads they think war is just a flurry of bombardments, and the other side (not theirs) is just destroyed to rubble, and their country will have only minimal losses.
flexagoon 1 days ago [-]
Many country leaders also clearly think the same
kqp 1 days ago [-]
Never retaliating is a great way to get people to attack you. Of course escalating to all-out war provokes the same in response, but there does need to be a proportionate response, because it needs to be stupid to hurt us, not good business. It’s a significant failure of the US government when half the world freely loots US citizens and businesses.
toraway 2 days ago [-]
Exactly. This is the "Declare fentanyl a WMD" of solutions to ransomware. Sounds kinda badass as long as you don't spend too long thinking about it but has no practical relevance to actual enforcement challenges.
It's a familiar example of the perennial "[THING] could be solved overnight if [PERSON_OR_GROUP] would just start taking [THING] seriously" trope.
a2128 2 days ago [-]
How do you know which country to blame? It is standard practice for foreign actors (or just hackers in general) to use proxies around the world to misdirect and insert false clues as to their origin. It could be an American teenager proxying through North Korea, and it could be a North Korean proxying through another American teenager's residential connection, there's no way to know.
bigyabai 2 days ago [-]
They already do. This is what asymmetric warfare looks like, your weakest links will break in a time of crisis. Focusing on retribution for the Dunder Mifflin cyberattack is pointless, the adversarial motivation is purely to disrupt and extort.
The best response to a cyberattack on critical systems is to take security seriously. Document the offense, avoid the same mistakes and invest in penetration testing. Of course, nobody is incentivized to do that until they're attacked, so the cycle perpetuates itself.
chrisjj 1 days ago [-]
> When will countries start treating cyberattacks as an act of war?
When appropriate. I.e. never.
gruez 1 days ago [-]
> If you do this to a hospital and someone dies you are life in prison / chair.
If you're going to get the chair you might as well murder some witnesses or destroy some systems to hide the fact you got hacked. "Hack? What hack? Our servers all burned down in an arson attack".
Avicebron 2 days ago [-]
We could also throw the CEOs of companies who don't properly secure their infrastructure and pay their security engineers enough in jail. A little justice on both ends.
scheme271 2 days ago [-]
Uh, who determines that the infrastructure wasn't properly secured? Who is willing to risk prison because some intern accidentally committed an API key or made a dumb mistake. Conversely, what's the chances that no one actually gets prosecuted regardless of how sloppy their security practices are?
applfanboysbgon 2 days ago [-]
> who determines that the infrastructure wasn't properly secured
An investigative body, the same kind that determines the who, the why, and the how when an airliner crashes or a bridge collapses. Obviously a lot of work needs to be done to get from point A to point B, and it won't happen overnight, but software development is currently a deeply unserious profession and at some point a genuine software engineering practice needs to be developed.
I am, perhaps naively, slightly hopeful that the LLM bullshit plaguing our industry will be the gust of wind needed for the house of cards to collapse and governments to realise that allowing the entire world to be vibe coded is not sustainable.
dghlsakjg 2 days ago [-]
Pretty famously, aviation incident investigations are almost always not done with prosecutorial intent, and more about truth finding. It leads to people involved being cooperative to prevent future problems instead of ass covering to prevent jail.
Aviation’s safety record is not coincidental.
allthetime 1 days ago [-]
In a darker reading, strong aviation safety is mostly motivated by not killing customers. An airline or plane maker who kills more customers than others will rapidly bleed those same customers and lose them to less lethal competitors. If no one cared about dying people, I imagine aviation safety wouldn’t be so impressive.
As someone else here said, software, for the most part, is a deeply unserious industry. The stakes are so comparatively low and the consequences less obvious that it’s a lot easier for companies like Intuit to maintain their supremacy simply by being entrenched, having strong sales teams, and the hearts & minds of non-technical managers.
In recent times it seems Boeing has been flirting with enshittification and half-assery, but critics are not quiet and not falling on deaf ears.
dghlsakjg 1 days ago [-]
Sure, fatal stuff is bad for the bottom line, but that is a vanishing minority of what gets investigated.
You may not be aware, but there are thousands of non-fatal incidents reported per year that just don't make the news.
There is a strong culture of self reporting instilled right from basic flight training, even when there is no damage or injuries, and even when the incident would have never been noticed by the authorities. You are almost guaranteed not to face consequences if you are open and honest about an incident. The FAA openly says that they would much rather educate than punish, and they tend to do that with pilots who own their mistakes. As long as there is no intent behind the fuckup, pilots are unlikely to lose their job, let alone their license.
JumpCrisscross 1 days ago [-]
> An investigative body
This just in: Anthropic, Harvard and Jimmy Kimmel have been investigated and found guilty of not securing their infrastructure.
Avicebron 2 days ago [-]
Ideally the chances are high to certain they get prosecuted for sloppy security practices. It's part of the gig of being a CEO, if you imagine you are such a visionary/ideas guy/leader/whatever, risk taker (always a risk taker) then you can gamble spending 20 to life because you weren't actually as good as you thought.
sayamqazi 1 days ago [-]
When a great product is built it was the leadership and when a mistake was made it was always the employee that did it. Cool!
chrisjj 1 days ago [-]
> Uh, who determines that the infrastructure wasn't properly secured?
ShinyHackers, obviously.
bombcar 2 days ago [-]
Your "minimum sentence so painful" will certainly dissuade foreign nationals, even foreign governments.
Kostchei 2 days ago [-]
Interestingly, having actually done the law enforcement side of these investigations, 50% of them are local. And I understand that this is not a 100% solution, but neither is any form of law enforcement, and that doesn't mean we should fail to attempt it.
Kids from the local uni having a lark, stalkers, vindictive ex-employees, local gangs, criminals who understand their victims because they hail from the same community. These are your local hackers. Sift them from the nation states and international crime groups, then deal with the international ones as a matter of diplomacy. Because we do this so poorly locally, we have little ammunition when it comes to diplomacy. "Reduce attacks by your crime groups and we buy your natural gas, sell you wheat, etc."
Want more motivation? 75% of the local attacks by volume send funds back to terrorist or separatist organizations.
It is not an insoluble problem. Sentences are a fraction of the answer; effective and receptive reporting processes are more important, then government backing for investigation and enforcement, then policy around home-team activities (i.e. don't do the bad things yourselves, Mr Gov). Deterrence comes after all that.
Aurornis 2 days ago [-]
One tech ransom case I know of was an inside job. It definitely happens.
There are already significant penalties for doing anything like this. The guy involved is in prison for a very long time. I don’t recall the exact number of years but I do remember it was so long that he wasn’t going to see his kids grow up.
I don’t think anyone who puts a little thought into a crime like this doesn’t understand that the penalties are already very huge. You don’t get a slap on the wrist for extorting a company (or person, for that matter)
hluska 2 days ago [-]
50% of ransomware attacks are local to where? You’ll need to cite some sources because I don’t believe that is possible.
nullsanity 2 days ago [-]
To the country or an ally of the country they are targeting, duh. It doesn't matter if you believe it; it's been the truth for over a decade. Heck, Sh1nyHunt3rs people were arrested in the UK recently.
da_chicken 2 days ago [-]
Yeah, they identified themselves as ShinyHunters, and the IP they've put on the demonstration page is geocoded to Russia. Notice this is the same group responsible for the Infinite Campus hack last year.
Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:
1. Iran is intentionally targeting infrastructure due to a war started by the current administration.
2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.
3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.
4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.
5. All of this while completely alienating every single one of the United States' allies.
6. Meanwhile, the American DHS is currently shut down.
7. And this is after Trump cut funding and personnel for CISA severely enough they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.
In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.
That vast ocean that has kept us safe historically is a poor moat in the modern era.
vasco 1 days ago [-]
Having an IP in Russia means about zero regarding their location. Literally anyone doing anything like this is going to get a Chinese or a Russian IP for obvious reasons. Mostly decoy and people like you.
elictronic 2 days ago [-]
Complete internet blockage of nations allowing the attacks. If foreign governments are you can always execute them. We are living in a different world where this is no longer a zero probability occurrence.
zulban 1 days ago [-]
"It should be illegal for any company to pay ransomware attacks. Period. No pay out ever."
You seem to think "if it's illegal it won't happen". Instead you need to think about unintended consequences and what would actually happen if this were law. People would hesitate to contact the police for help before they've decided, or not do it at all. And not report it.
charlie90 2 days ago [-]
If someone robs a bank and someone inside dies of a heart attack, that's felony murder. I would be happy if the same applied to ransom attacks or other blackmail/leaking of info. If someone commits suicide because of it, it's murder.
scratchyone 1 days ago [-]
Felony murder is pretty widely regarded as a leading factor in incredibly unjust prosecutions and sentencing decisions. Perhaps not the best concept to build your ideas on top of.
thinkingemote 1 days ago [-]
One of those eye-opening moments for me was learning about how these criminals work on trust. They need to be trusted not to release the data, or to decrypt when paid, and by and large they do.
One way to weaken any group that works on trust would be to make them less trustworthy. That way victims wouldn't be as confident paying the criminals and thereby making the effort by the criminals less attractive.
matthewfcarlson 17 hours ago [-]
I don't think there should be an investigation. Data got leaked? That's a fine. Consequences happened? The people who stole it are accountable but so are the people who had the data in the first place. Just don't have the data. There are plenty of companies out there who don't have cyber security incidents despite being huge targets, what are they doing? Insurance is also a thing if companies are that worried about fines or getting sued.
dev360 2 days ago [-]
> No this will not stop this and companies need to be held accountable for their lack of security investment.
I think in principle it's sound. I'm also just baffled hearing anecdotes from friends that are in the big corp world and hearing the type of incidents they have, and how they respond to them. It makes me wonder if there is enough capable talent to go around for the "boring corp" crowd.
Hint: I don't think there is nearly enough talent to go round, but for these companies, it's either that they think they have solid experts (and didn't), OR it's not a real priority until you get hit.
itsalwaysgood 1 days ago [-]
It's not necessarily a lack of investment. Cyber security researchers are using AI to discover and post very serious Linux vulnerabilities that give root. We should expect to see more of this type of activity for a while.
We're talking about vulnerabilities that have existed 10+ years but nobody noticed until AI.
Ekaros 1 days ago [-]
Failure to protect a computer system from a foreseen failure should result in piercing the corporate veil and in all stockholders and managers/leadership of funds being jailed for the same period as the perpetrator. It is the only way to ensure that these things are taken seriously and enough pressure is put on the leadership of companies.
0123456789ABCDE 1 days ago [-]
I disagree wholeheartedly with this.
A loved one, gun to the head: "please pay the ransom, I don't want to die!"
What's your play now? Save the loved one, and go to prison? Or worse, the bank blocks the transfer, and they die?
Go ahead and tax ransom payments (0 tax if human life at risk, 10x otherwise) if you have to, but making it illegal feels disconnected from the messiness of the real world. Then, go after the attackers.
hootz 1 days ago [-]
The idea behind blocking ransom payments is to disincentivize asking for ransom. If you know it's almost impossible to pay ransom, the risk of not getting paid for your attack is much higher.
TheSkyHasEyes 23 hours ago [-]
This reminds me of the 'fine the johns to mitigate prostitution' argument.
ivanjermakov 1 days ago [-]
The only way to prevent terrorism is to never meet terrorists' demands.
bux93 1 days ago [-]
Or maybe it should be mandatory for all companies to pay ransomware attackers. Think of it as an involuntary bounty program. Now they get to just say 'sorry (for your hurt feelings)' and suffer no consequences.
Apart from the 4% of the total worldwide annual turnover fine that theoretically could be levied under GDPR, but has never been imposed in full.
chrisjj 1 days ago [-]
> It should be illegal for any company to pay ransomware attacks. Period.
That makes as much sense as illegal to give your wallet to a mugger.
I.e. no sense.
protocolture 2 days ago [-]
1. It should be illegal to run insecure services. Massive Fines.
2. The payout to the hackers should form part, but not all, of the penalties. Pay those guys for their great service to humanity; they earned it.
kelnos 2 days ago [-]
A friend who teaches at MIT said they were hit by this. I found it ironic and a little sad that a place like MIT doesn't have an IT staff that can maintain their own on-prem solutions for things like this.
But it turns out that MIT used to have their own homegrown system, and recently switched to Canvas. Bet they're regretting that now.
The build vs. buy decision seems to have swung very hard toward buy in the last decade, and I think that's a shame. Yes, orgs need to focus on their core competency, and sometimes that means outsourcing things that aren't core competencies to third parties. But there are always downsides.
royal__ 1 days ago [-]
Homegrown systems are expensive to maintain and usually still fail to match up to the commercial options available at this point. LMS's are also just really complicated pieces of software. I worked on my university's own version as an undergrad.
walrus01 1 days ago [-]
There is no need to reinvent any wheels by making a homegrown LMS. Moodle exists and is completely open source. Lots of large institutions use it. Even in the case that you need to do something really weird with it that isn't solved by one of the many plugins that exist, you're already 90% of the way there with its base platform, and only 10% remaining for DIY software development.
(I don't have experience in hosting either software so I can't really comment beyond that)
bearjaws 1 days ago [-]
Moodle also scales to pretty large schools, I work on an instance that is over 27k students. Integrates with pretty much every platform, authentication, etc.
And it's pretty easy to customize which is nice.
Throw it in an auto-scale ECS cluster and you have something that goes from 100 students to 20k easy.
ryukoposting 1 days ago [-]
My university (a very large state school) transitioned from Moodle to Canvas while I was a student (2016-2020). They transitioned because Moodle sucked. Profs hated it, students hated it more. Basic things were difficult to find.
A lot can change in 10 years, sure. Maybe Moodle is better now (I doubt it). I'm all for self-hosting an LMS. But, can we at least self-host a good one?
jazzyjackson 1 days ago [-]
> LMS's are also just really complicated pieces of software
it's MIT.
_diyar 1 days ago [-]
But it’s not like MIT gains anything from rolling their own LMS.
cactusfrog 1 days ago [-]
I went to a small liberal arts school where the IT department recruited CS students under work study to build the systems. It’s a good learning experience for students to be involved in constructing and maintaining the infrastructure that keeps the university running. I don’t mean this entirely as in cost savings, but because I like the idea of a university being self maintained.
Maintaining an LMS doesn't seem like a good use of time. You should almost always outsource pieces that aren't your core business.
SoftTalker 1 days ago [-]
It's a university. Teaching and learning is their core business.
Xeronate 13 hours ago [-]
LMS doesn't improve teaching or learning. They are administrative overhead.
dnnddidiej 1 days ago [-]
Computer science != software engineering.
j_w 1 days ago [-]
The university I went to established a rule that was essentially "student-made software is not permitted to be used." Professors couldn't actually use student-made software; the software had to be wrapped up by a "company" and a contract made. This meant that you couldn't just make a tool/utility/whatever and have it be used.
I believe the same applied to the professors themselves, although that was hardly enforced.
synack 1 days ago [-]
Sounds like an opportunity for the business school to do a seminar on forming an LLC and writing contracts.
kccqzy 23 hours ago [-]
Imagine this rule back in the 70s. We wouldn’t even have Berkeley Software Distribution.
Jaxan 1 days ago [-]
I think the current situation shows that outsourcing is also expensive. The costs are just different or not always clear up front.
deathanatos 1 days ago [-]
… so?
My high school, for a while, had a website, which was eventually replaced by a large corporate CMS. Was the website as complicated or complex as the CMS? No, you would have needed to know HTML to publish to it. The CMS was no doubt "more user friendly", I suppose.
But … the original site had a soul. It was unique to the school. There was a student directory! All lost, because the CMS meant utter standardization between all the schools using it (their pages were all identical, except for each got like a different picture of the school as the banner at the top) and the CMS did not do directory anything.
Of course, the directory largely didn't matter in the end. (This was when you needed people's landlines! Quite laughable nowadays…) But it was still sad to see it lost, and several of us students worked on it, which provided us with some early real-world experience.
A large number of my college professors published their own sites, too, where they'd put their lecture notes, homework, etc. I loved those far more than I loved "Canvas" or whatever the ugly LMS we used was.
samiwami 1 days ago [-]
MIT has an incredible IT staff and they do some cool stuff. Every time I interact with any other organization's IT stuff I find it inferior. They just aren't super big from what I gathered and probably don't want to do the incredibly boring work of an LMS.
The one they had before Canvas was very very inadequate.
edit: also some of the more popular cs classes have custom websites and don’t really use canvas, but that isn’t the centralized IT department’s doing.
TheSkyHasEyes 22 hours ago [-]
I didn't read their comment as a slight to the IT staff, just MIT's decision.
mingus88 2 days ago [-]
I started my tech career in EDU. I’m not at all surprised.
IT staff who are ambitious and talented don’t last long in education. The pay is very low compared to industry. Where I worked, you could retire with a comfortable pension after a number of service years, so the IT staff outsourced as much as possible so they needed to take zero risks to their nest egg. Blame all the problems on the consultants and do as little as possible.
It’s literally where dreams go to die.
MIT is known for the brilliant professors and students but at the end of the day, running a university is pretty standard stuff. They don’t need a genius rockstar to admin the courseware servers.
jesse_dot_id 1 days ago [-]
CYA is a powerful drug for the C Suite
jeffwask 1 days ago [-]
I've worked in edtech and it's terrible. The margins are awful. The PE consolidation hasn't helped. Getting leadership to pay anything but lip service to security was impossible.
BooneJS 2 days ago [-]
My kids are in the middle of their finals week. What a mess. Universities know nothing, Canvas claims to be in a "scheduled maintenance", and one Prof claims to "not have any copies of material offline" which seems pretty negligent. Sounds like one section of a popular class will be doing paper exams while other sections had Canvas-based "half points for 2nd attempt"-type exams earlier today. How soon before names & grades appear in data dumps?
This would be like TurboTax "scheduling maintenance" on April 14th in the US.
corvad 2 days ago [-]
The "Scheduled Maintenance" is just total B.S. and just honestly makes them look worse. Apparently according to their status pages this is what 99.996% uptime looks like. Pay attention lol.
HDBaseT 2 days ago [-]
It has been over 5 hours now and there has not been any communication about this being an attack, despite many of us seeing the ShinyHunters message on the login page.
There is a lot of people who likely are unaware the latest outage is because they were compromised again.
Them marking the incident as 'Under Maintenance' means the status page isn't reporting this as an outage and adding to downtime%.
Compromised again? This is a separate incident to the one seen yesterday?
rupx 2 days ago [-]
Correct.
The incident yesterday was technically from April 28th, with most communications coming out on the 2nd and 3rd, with it being "Resolved" yesterday.
This incident is the second attack, because they failed to secure their infra again. Everything being reported is a bit delayed, which makes it seem like this is a single attack, not technically two instances.
mrexroad 1 days ago [-]
I was going to make a joke that they should have just taken a page from the military and said “Rapid Unscheduled Maintenance”, but I guess that’s actually the phrase for it.
anigbrowl 2 days ago [-]
Once again, an example of why corporations should not have free speech. Corporate statements that are transparent lies should be criminally actionable.
cube00 1 days ago [-]
> one Prof claims to "not have any copies of material offline" which seems pretty negligent
It's not unreasonable that non-technical people would expect paid cloud services to be good custodians of the data entrusted to them.
These services also do everything they can to encourage you to work within the online platform rather than working offline and then uploading.
For example, there's no easy way to author a quiz, set up the answers offline and then later upload it.
mingus88 1 days ago [-]
My daughter is in 3rd grade and has to do assignments online.
Last month it was a presentation. She had to make a poster that would be displayed on the big electronic "whiteboard" running Windows of some sort. The page layout software was so terrible that she repeatedly deleted the entire thing on accident moving text around.
This month, it was a short paper she had to write in Word, but through Teams. Literally, the Word icon is in the Teams sidebar, and she also had all kinds of trouble with it freezing or misbehaving.
In both cases, I advised her to write all the content in Notes in macOS and when she had it all ready to go we'd paste it into the crappy software so she didn't have to worry about losing any more work.
Long story short, she's non-technical and she's learned a very valuable lesson about these systems and how much trust to place in them.
alpineman 1 days ago [-]
Crazy that kids data are getting leaked before they even had a chance to properly understand the consequences and consent to it being used
eiiot 1 days ago [-]
I'm a student at Stanford — this is hitting the whole school hard. Unlike a lot of schools on the east coast that are affected (Brown, Harvard, MIT) we are on the quarter system so we're just ending Midterms right now. We're also lucky enough to have our CS department entirely independent from Canvas, but most of my humanities classes are not so lucky. One art history class is having us submit our midterm papers by uploading to a google drive folder—another is pausing weekly quizzes. The main thing this has revealed is just how dependent students and teachers are on Canvas... I hope that this re-prompts discussions about moving off of a platform that was already (from a student perspective) not very good.
zuzululu 1 days ago [-]
I really feel like SH fucked up by sinking this low hitting students and America's young minds like this....
One thing to target corporations but leave the students alone....
JCharante 1 days ago [-]
It's not so bad, I'd say the Christmas PS3 hack was worse
zuzululu 1 days ago [-]
You don't care that students are impacted but your ps3 not being playable for a short period was more important.
Canvas is handling this terribly. No communication, no status updates, etc. Also looks pretty bad their whole platform was compromised and not a single real report for the breach that already had happened. Wonder how long it will take for SLA violations and lawsuits to manifest, especially with most U.S. schooling having finals right now.
user3939382 2 days ago [-]
Lot of experience dealing with Canvas/Instructure. Tech is o-k. Culture seems to be full of themselves due to market position.
corvad 2 days ago [-]
Yeah like their page says "Scheduled Maintenance" which is total B.S. Talking to people at my university's IT side of things Canvas has said nothing to any clients.
javawizard 1 days ago [-]
The "scheduled maintenance" thing is likely just because that's the easiest maintenance page to throw up site wide, or at least it was back when I was on the Canvas deploy rotation back at Instructure ~10 years ago.
That doesn't excuse any of their other messaging though.
nobleach 1 days ago [-]
Were you expecting "Got hacked, BRB"? I'm sure that page is their default circuit breaker.
jeffwask 1 days ago [-]
Fixed it for you.
Also looks pretty bad their whole platform was compromised by the same hacker group again.
SoftTalker 2 days ago [-]
So many universities used to run homegrown or on-prem student systems. This is the downside of consolidating in the cloud. If the infrastructure is compromised, it affects everyone, not just isolated or single installations. I wonder how they are feeling about that decision now? I guess they can say "not our fault" so they might be feeling better than if it was a vulnerability in their own system.
dylan604 2 days ago [-]
Yeah, if they had spent the time and money to roll their own that got hacked, they'd be responsible. Now, they can just clap their hands and show them palms up to you like a black jack dealer and walk away from the table with no responsibility. Probably one of the biggest benefits of using a product instead of building your own.
kelnos 2 days ago [-]
It's annoying that this is how internal politics usually works. Decision-makers at an org should be considered just as responsible when a third-party choice goes bad as when an internal tool goes bad.
zephyreon 1 days ago [-]
You’d think this is how it works but universities and schools will still end up holding the bag at the end of the day, irrespective of who is responsible.
crazygringo 2 days ago [-]
If an exploit is found in the software, hackers will often be able to attack hundreds of separate institutional installations in an automated way just as easily. And depending on the exploit, potentially more easily if on-prem admins fail to take all recommended security steps.
I'm actually much more interested if there is any financial liability for Instructure here? It's interesting that it's the universities being ransomed, while the technical failure was Instructure's. We're used to uptime SLA's -- what about security breach SLA's?
harikb 2 days ago [-]
> It's interesting that it's the universities being ransomed, while the technical failure was Instructure's.
My guess would be they get a higher likelihood of getting paid when blackmailing 9,000 schools (at least a few would pay up) than when blackmailing Canvas/Instructure.
I don't think any SLA/terms would change who gets to feel the pain.
poopmonster 2 days ago [-]
My guess is that they believe by maximizing their attack coverage, the odds are greatest that some of the institutions will pay up. And otherwise, they can still make a bit of money by selling the data.
Don't ransom all your eggs in one basket
walrus01 1 days ago [-]
Running on prem or homegrown systems used to be considered a core competency of having a computer science department and a campus-wide IT/networking staff at a university. In the environment that exists today in academia, for instance, BSD would never be created because somebody could just pay a third party external vendor for some packaged product. What happened in the past 20 years to change that? I really wonder.
chii 1 days ago [-]
But you don't extend that same argument for an agricultural research department by asking them to have a homegrown farm for supplying the university with food!
I don't think a competent CS department requires there being a homegrown or on-prem system for use in the university. That could happen, but if resources could be better spent by purchasing rather than building, then that should be the correct choice.
walrus01 19 hours ago [-]
Well, even in the mid 80s for example when many universities and their CS departments were heavily into DIY in house software development, none of them were expected to write all of the software used by all of the university. Ordinary workstation platforms were still purchasing MS-DOS 3.3 licenses with their hardware or Mac OS with their macs, etc. And things like Microsoft Office, Wordperfect.
Universities which do have large agriculture/farming related departments often operate their own small scale test/development/experimental farm.
frollogaston 2 days ago [-]
It's still more secure this way, especially with AI hacking making it harder to rely on obscurity.
Also yeah there is value in being able to blame another party, and also being down when everyone else is down.
motorpixel 1 days ago [-]
Is there a good self-hostable FOSS version of Canvas/Blackboard?
ktkaufman 1 days ago [-]
Canvas is open-source and can be self-hosted.
m4lvin 1 days ago [-]
As Wikipedia says, "some official plugins proprietary". So "can be" is doing a lot of work in that sentence. I would at most compare it to saying that VS Code is open-source.
zipy124 1 days ago [-]
Moodle?
thecatapps 2 days ago [-]
I remember when I was in high school (2016? 2017?), I found a super simple XSS in the assignment submission form and told the programming teacher. Canvas then proceeded to lock my account and got me my first (only?) detention. Good times.
somebudyelse 2 days ago [-]
Somewhat similar vein, the school's blocking software would block YouTube and embeds unless they came from Canvas. They were smart enough to disable the HTML editor for posting discussion comments, but forgot that since it was a rich text editor, you could just copy-paste in an embed by putting the code in data:text/html, then copying the element as formatted html.
I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.
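The bypass described in this comment works because the only control was on the client: disabling the HTML editor says nothing about what the server accepts. The defender's counterpart is to sanitize submitted rich text on the server against an allowlist, so that an iframe, a data: URL or an event-handler attribute never reaches another user's browser however it was pasted in. The following is an added illustration in Ruby (Canvas is a Rails app); it is not Canvas or Instructure code, and a production system should use a maintained sanitizer such as Rails' sanitize helper or Loofah rather than the regex tokenizer used here, which is only meant to make the allowlist logic visible. The tag and attribute allowlists are assumptions chosen for the example.

```ruby
require 'cgi'

# Allowlist of tags and, per tag, the attributes that are kept. Everything
# else (script, iframe, object, embed, on* handlers, style, ...) is dropped.
# These lists are an assumption of this example, not a Canvas setting.
ALLOWED_TAGS = {
  'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
  'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'code' => [], 'pre' => [],
  'a' => %w[href title],
  'img' => %w[src alt]
}.freeze

# Attributes that carry a URL get an additional scheme check.
URL_ATTRS = %w[href src].freeze

# Tokenizer: a tag (with optional leading slash, name and raw attribute text),
# a run of text, or a bare '<' that never became a tag.
TAG_OR_TEXT = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)}
ATTR = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Accept only http(s), mailto, or same-site relative URLs. Entities are decoded
# and whitespace/control characters removed first, so obfuscated schemes are
# judged on what the browser would actually see.
def safe_url?(value)
  v = CGI.unescapeHTML(value).gsub(/[[:space:][:cntrl:]]/, '').downcase
  v.match?(%r{\A(https?:|mailto:|/|#)})
end

# Rebuild an allowed opening tag from scratch, keeping only allowed attributes
# with re-escaped values; nothing from the raw attribute text is copied through.
def build_tag(name, raw_attrs)
  kept = raw_attrs.scan(ATTR).filter_map do |attr, dq, sq, uq|
    attr = attr.downcase
    next unless ALLOWED_TAGS[name].include?(attr)
    value = dq || sq || uq
    next if URL_ATTRS.include?(attr) && !safe_url?(value)
    %( #{attr}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end
  "<#{name}#{kept.join}>"
end

# Sanitize a submitted HTML fragment. Unknown tags are removed but their text
# content survives (so "<script>x</script>" becomes plain "x"); text is
# normalised to a single level of entity escaping.
def sanitize_rich_text(html)
  html.scan(TAG_OR_TEXT).map do |slash, name, raw_attrs, text, _lone_lt|
    if name
      name = name.downcase
      next '' unless ALLOWED_TAGS.key?(name)
      slash == '/' ? "</#{name}>" : build_tag(name, raw_attrs)
    elsif text
      CGI.escapeHTML(CGI.unescapeHTML(text))
    else
      '&lt;'
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_rich_text('<p>Hi <b>there</b></p><iframe src="data:text/html,x"></iframe>')
end
```

The point of rebuilding tags rather than filtering the raw string is that nothing the submitter wrote is copied through unexamined; the known weakness of this toy tokenizer is that it does not track nesting or attribute values containing `>`, which is exactly why a real parser-backed sanitizer belongs in production.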
frollogaston 2 days ago [-]
Uh, did you tell the teacher by exploiting the vuln?
matthewfcarlson 2 days ago [-]
I remember circa 2010 a friend of mine at college was like "blackboard sucks, let's build something new". At the time I poo-pooed the idea and lo and behold canvas came out a year later. Outside looking in, they've been crushing it.
HPMOR 2 days ago [-]
One of my mentors created Blackboard. It used to be very very good, but he sold it to private equity, and they immediately fired all of the customer support and developers, 3xd prices overnight leading to the 'blackboard sucks' problem. This gave the opening for Canvas to eventually come on to the scene and dominate.
My wife and I each have to use it as we're both following an online master's at the same university... it's definitely gone downhill (compared to the days where I originally used it ~20 yrs ago in college; tracker-riddled, slow); surprisingly, a recent change made it so that you can only attend online lessons in Chrome (haven't had time to see if this is just a user-agent thing).
I worked in a college IT department around that time and the common belief was that all LMSes suck. There are just too many different ways that too many different people want to do things that it's just bound to be hated. Kind of like Jira / Asana for software dev project management.
SamuelAdams 2 days ago [-]
LMS’s are a lot like programming languages. There’s the ones people complain about and the ones no one uses.
Mezzie 1 days ago [-]
I'm an LMS admin and yeah, that sounds about right.
kayyyy 2 days ago [-]
As someone who has used both as a student and a TA I find blackboard miles better, much easier to find what I'm looking for and my professors seem to have better luck laying out their course on blackboard than canvas.
breakingstuff 2 days ago [-]
I actually disagree, based on my time using Blackboard as an admin, student, and teacher. Although my experience is a few years out of date, I found the interface cumbersome and the performance slow.
russfink 1 days ago [-]
It depends on what vintage of Blackboard your IT team has installed. We moved from a circa 2011 BB instance to Canvas in 2022, and it was hands down superior. A different university is running the most recent BB and it’s similar to Canvas.
asdff 2 days ago [-]
I used both and could not tell you the major differences. I feel like they are equivalent in the bread and butter features. Most people don't use 99% of the functions they bake into these. Just use it to hold the syllabus, maybe hold the slides, submit assignments, and spreadsheet for grades. All stuff you can do with email + spreadsheet already. Maybe throw in a shared drive for larger files, which every university in the country already pays for.
quadrature 2 days ago [-]
"Equivocal describes something ambiguous, uncertain, or open to multiple interpretations, often used to intentionally mislead or evade."
do you mean equivalent ?.
asdff 2 days ago [-]
yes
vlunkr 2 days ago [-]
Blackboard got a lot better in response to the flood of customers heading to canvas.
brikym 17 hours ago [-]
I remember my university switched to Moodle around that time. I wonder if they're still popular.
JumpCrisscross 1 days ago [-]
> circa 2010
Instructure, "the developer and publisher of Canvas," was founded in 2008 [1].
That sounds like “circa 2010” to me. And Canvas was launched in 2011, according to the article you linked.
smurda 2 days ago [-]
Blackboard, the Canvas predecessor, was so unstable that we called it BlackOutBoard
brandonmenc 1 days ago [-]
Maybe schools should be self-hosting something like Sakai instead.
ramon156 1 days ago [-]
How does canvas compare to Brightspace?
bauldursdev 1 days ago [-]
Well, now's probably a good time to release something...
forgetfreeman 2 days ago [-]
They are definitely crushing it on sales. The actual product is a radioactive dumpster fire that is simultaneously hostile to students, teachers, and parents.
dghlsakjg 2 days ago [-]
Yeah but the customer is the administrators who never have to make contact with the real world
rahidz 2 days ago [-]
Goddammit. Anyone in the know, know if Parchment was also impacted by this potentially? They were acquired by Instructure a few years ago, and deal with a LOT of transcripts.
Edit: https://status.parchment.com/ says "While Canvas, Canvas Beta and Canvas test are currently unavailable, we are simultaneously monitoring all of our other product environments, including Parchment. We continue to see no reason to believe any Parchment resources have been impacted."
SoftTalker 20 hours ago [-]
> ShinyHunters ... said its data leak site contains 9,000 schools, including data belonging to 275 million students
Brought up a question I've had every time I read about these leaks... what kind of pipes do these shadowy groups have that they can grab all this data? I've spent days waiting just downloading a few hundred GB from OneDrive. How do they grab all this data, are they just slowly gathering it for months via a compromised desktop somewhere, or if not, are the companies not monitoring for unexpected massive amounts of outbound traffic from their database or file servers?
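The last question in this comment, whether anyone watches for unexpected outbound volume from database or file servers, is the monitoring gap a defender can actually close. The following is an added example in Ruby, not anything from Canvas, Instructure or a particular monitoring product: it takes hourly outbound-byte totals per server (constructed sample data, as a flow collector or log aggregator might emit), builds a per-host baseline from that host's own recent history, and flags an hour whose egress is both a large multiple of the baseline and above an absolute floor. The host names, thresholds and byte counts are all invented for the illustration.

```ruby
# Constructed hourly outbound-byte totals per server: [host, hour_index, bytes].
# db-01 normally ships ~50 MB/hour; in hour 7 it suddenly sends 38 GB.
# web-01 serves pages at ~2 GB/hour with ordinary variance and never spikes.
SAMPLE_EGRESS = [
  ['db-01', 0, 48_000_000], ['db-01', 1, 52_000_000], ['db-01', 2, 47_000_000],
  ['db-01', 3, 51_000_000], ['db-01', 4, 49_000_000], ['db-01', 5, 50_000_000],
  ['db-01', 6, 53_000_000], ['db-01', 7, 38_000_000_000],
  ['web-01', 0, 1_900_000_000], ['web-01', 1, 2_100_000_000], ['web-01', 2, 2_000_000_000],
  ['web-01', 3, 2_300_000_000], ['web-01', 4, 1_800_000_000], ['web-01', 5, 2_200_000_000],
  ['web-01', 6, 2_000_000_000], ['web-01', 7, 2_600_000_000]
].freeze

# Median rather than mean, so one earlier spike does not inflate the baseline
# and hide a second one.
def median(values)
  s = values.sort
  n = s.length
  n.odd? ? s[n / 2] : (s[n / 2 - 1] + s[n / 2]) / 2.0
end

# Flag [host, hour, bytes, multiple_of_baseline] for any hour whose outbound
# volume is at least `factor` times the median of the previous `window` hours
# for that host AND at least `floor_bytes` in absolute terms. The floor stops a
# quiet host that goes from 1 KB to 10 KB from paging anyone; the per-host
# baseline stops a busy web tier from masking a quiet database server.
def egress_anomalies(records, window: 6, factor: 5.0, floor_bytes: 1_000_000_000)
  alerts = []
  records.group_by(&:first).each do |host, rows|
    rows = rows.sort_by { |_, hour, _| hour }
    rows.each_with_index do |(_, hour, bytes), i|
      next if i < window                              # not enough history yet
      baseline = median(rows[(i - window)...i].map(&:last))
      next if baseline <= 0
      multiple = bytes / baseline.to_f
      if multiple >= factor && bytes >= floor_bytes
        alerts << [host, hour, bytes, multiple.round(1)]
      end
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  egress_anomalies(SAMPLE_EGRESS).each do |host, hour, bytes, mult|
    puts "ALERT #{host} hour=#{hour} sent #{bytes} bytes (#{mult}x its baseline)"
  end
end
```

A slow months-long drain, the other scenario the comment raises, would not trip this hourly check; catching that needs a longer window (daily totals compared against weekly medians) and, more usefully, an inventory of which hosts have any business talking to the internet at all, so that a database server with non-zero egress is itself the alert.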
organsnyder 18 hours ago [-]
I'd assume they have a botnet to parallelize it. Though depending on where you live (not that they'd be using their own machines) fast pipes are fairly common—I have a 5gbps symmetrical fiber connection to my home in Michigan.
exprez135 2 days ago [-]
The Canvas instance at the nearby university is now down (May 7, 4 PM Eastern), but was briefly displaying the message in this screenshot (1). The ransom message implies that today's problem is the second wave in an attack on Instructure after ignoring their first breach in recent days.
We received communication that Canvas is down for "Under Maintenance" although it seems ShinyHunters have compromised Canvas again with that message you posted.
Seems like Canvas instances of schools not listed are also down (at least my alma mater is)
goldenskye 2 days ago [-]
Yes, I work for an Australian online school. We’re down “for scheduled maintenance” (I question how “scheduled” it was given this is within school hours on a school day), but we’re not on the list published by ShinyHunters.
avs733 2 days ago [-]
our instance went from [insert hacker leet text] to "down for scheduled maintenance" and myself and other faculty are just having the darkest humor about this.
sharkweek 2 days ago [-]
My wife is in grad school at a major university and is dealing with this right now the week of midterms for spring quarter.
I totally understand why a university wouldn’t want to bake their own learning portals but just feels like such a single point of risk to use third party solutions for something like this.
Back in my day… all we had was a school email via on-premise services. I guess we registered for classes in a web portal but that’s about it. The idea of online class was entirely foreign at the time. Ain’t nobody hacking a blue book.
gdhkgdhkvff 2 days ago [-]
It’s wild to me that people in this comment section are suggesting that schools should improve their security by rolling their own platform, which is bound to be filled with security holes, instead of using a popular, maintained, open source option.
nazgul17 2 days ago [-]
To be fair to the idea, though, while this would make individual instances less secure, it would drastically decrease the leverage for the work bad actors put in.
There is a saying in the software security industry that (I'm paraphrasing from rusty memories) a system is secure if the cost of hacking it is higher than the value it protects.
Each system being completely distinct from another means that the cost of hacking the average student goes up by 9000 (from the article, Canvas is used by 9000 schools).
Still not saying that rolling out your own is the preferred solution, but the idea is not as ludicrous as it would seem, and should definitely be entertained and discussed, at least.
mingus88 1 days ago [-]
Put it another way; the blast radius from any vulnerability is much smaller.
But also, the cost is much, much higher to the institutions, which is the salient point. You're going to spend years developing a system, deploying it, training staff and students, supporting it. I see mentions here of in-house systems being developed much more cheaply and I don't believe it. The economies of scale are at work.
I worked at a university for many years and I can't recall anyone I'd consider to be a competent software architect working for the IT department. Hell, we had students writing major webapps that kinda sorta worked well enough.
forgetfreeman 2 days ago [-]
Maybe. I still remember the Drupal community sneering at the New York Times when they unveiled their homegrown online news platform bitd. After 15 years of recursively scraping ad-hoc porn sites off of server hard drives when clients dragged their feet on migrating to latest versions I'm less certain the assumption that homegrown == less secure is as valid as it sounds.
shnock 1 days ago [-]
Could you explain the last sentence a bit more? I don’t follow
forgetfreeman 1 days ago [-]
Back before the Laravel folks' utterly misguided but weirdly popular attempts at turning PHP into JavaScript gutted the Drupal community (your boos mean nothing, I've seen what makes you cheer) one of the most common outcomes of a site getting hacked was malware-infested porn sites would be uploaded to the site server. This failure mode wasn't particular to Drupal, it's just what happened when websites got hacked. This was the same period of time when the Drupal project was reporting ~16M active installs, had literally thousands of developers volunteering code to the core development project, a dedicated security team, and an automated test suite that ran around the clock.
asdff 2 days ago [-]
Universities used to do this sort of stuff themselves. Then it became a business handled by purchasing rather than needs met by the department themselves.
afavour 2 days ago [-]
In fairness in the era where universities did it themselves the tech requirements and expectations were dramatically lower.
asdff 2 days ago [-]
Tech requirements are the same as they always were. One needs to ask whether they need so many frameworks to host some files on the internet and submit some files and perform spreadsheet calculations. We still used one of those First Age 1990s websites for sort of pre lab quizzes this one class when I was going through it, and it might have looked a little "old" but I mean it did the thing and worked for years and will continue to do the thing and work for years.
internetter 2 days ago [-]
You're being deliberately obtuse. Canvas has many many features. Wikis and discussion boards and quizzes (with some anticheat) and groups and the list goes on and on. Furthermore, while it was never the flashiest thing, it did it better than many of its predecessors. Yes, an individual class may not use all of these features, and yes canvas has suffered feature creep even over my time as a student and yes canvas is not doing anything technically challenging, but there is enough of it that each school rolling their own everything would be a drastic waste of everybody's time and money.
clipsy 2 days ago [-]
Have these dramatically higher tech requirements and expectations improved the quality of education whatsoever?
avs733 2 days ago [-]
Because faculty didn’t want to do it anymore. They want it handled by others but also they want oversight and veto power but also they don’t want to be bothered. But it better always work, and if they make a mistake the software is broken because don’t tell them it’s a user error they used to write Fortran.
As a faculty member at a large university…I have a deep respect for the impossible job of university IT departments.
We originally rolled our own LMS decades ago. When we switched to canvas we kept the home brew running for five years past its expiration date because faculty refused to remove their files. Finally each one was manually moved by IT for the recalcitrant old faculty.
asdff 2 days ago [-]
It is kind of funny when these LMS tools with 100+ functions are being used for little more than what email, a grades spreadsheet, and maybe a shared drive would do. University might even ask for the final grades in spreadsheet format by the end of the term anyhow, so data goes into the LMS just to come back out again.
avs733 2 days ago [-]
In a sense you aren’t wrong but those analogies fail at scale. It’s like saying you could replace all hr functions with a spreadsheet.
They are large databases yes but they do a lot of small and large things that that analogy glosses over
Mezzie 24 hours ago [-]
This is a lot of it.
I used to work in academia and am now an LMS admin (in private industry). I've interviewed for LMS admin positions at educational institutions and each time I've ended up walking away. The questions I was asked at the last interview revealed what a ridiculously unplanned, spiraling mess their system was and that I would have no agency over it. No, thanks. And it was clear the reason for this was faculty recalcitrance and an inability to tell them no. Each one wanted a special plugin/special way of doing things, causing a giant mess of insecure bloat, and a fair amount of interview questions always amount to 'how do you wheedle faculty into doing things/placate their egos to keep things running?'
I'm not a rockstar candidate either: I'm a disabled, geographically-constrained, self-taught(ish) sort-of techie. The disability means I have substantial holes in my resume/work history, etc. I don't have a CS degree or any kind of formal IT education. If people at my level of knowledge are looking at these jobs and passing because they're not worth it, I can't imagine the actual pool of people who get hired is great.
LMS admins in particular are going to be harder to find/retain because we tend to have options we can jump to that would be less onerous than doing LMS admin for a dumpster fire. I could go straight IT or full Instructional Design, for example.
In private industry, I can tell people to kick rocks if they want to do something that the system doesn't support/is a really bad idea. And if I can't, I'm not held responsible for the consequences.
jagged-chisel 2 days ago [-]
> Ain’t nobody hacking a blue book.
Well not with that attitude
walrus01 2 days ago [-]
A university doesn't need to bake its own learning portal, Moodle exists and is used by a lot of large schools.
ibgeek 2 days ago [-]
Moodle is an open-source LMS that can be self-hosted.
Another open-source LMS that can be self-hosted is... Canvas.
wmoxam 2 days ago [-]
Almost no one does
ibgeek 2 days ago [-]
Didn't realize that. Thanks for the info!
userbinator 2 days ago [-]
I totally understand why a university wouldn’t want to bake their own learning portals
They used to, in the pre-cloud/SaaS era; and they were much simpler and better UX than the slop that they're renting today, because the actual users were not far from the developers.
oezi 2 days ago [-]
Counterpoint: I was a PhD student in 2004 and on the university's board* which oversaw the roll-out of the campus management system. It cost > 10m EUR to implement a shitty system with the worst UX and years of stabilizing to make it somewhat work.
The amount of corner cases and performance requirements during rush times (semester start) made it really infeasible for a university to roll their own.
* German universities have this funny system where 51% of such boards are controlled by the professors and the rest is made up of other employees/staff and students. They call it academic participation.
xd1936 1 days ago [-]
Official cybersecurity insurance company required FAQ:
The way they describe it as an issue with free accounts seems vague and misleading. Why would _any_ account have this broad of access? Why would free ones be uniquely insecure vs official ones?
This suggests a bad actor at any institution could do the same thing done here. No?
The boy is a biochem PhD student at UIUC and reports that all their finals are now cancelled. "Is this good news?" I ask. "Yes. Everything coming up Milhouse."
owenpalmer 17 hours ago [-]
I tried to become a contributor to Canvas (it's open source), but I couldn't even get a development environment setup because of their storage space requirements.
> It is recommended that you have at least 150GB of available hard drive space, 8GB of RAM, and a quad-core CPU to use this script.
As far as I can tell, this is not for running a production environment with assets. This is just the development environment.
dlcarrier 17 hours ago [-]
I long for the days when FPGA development environments were an order of magnitude more bloated than software development environments. I've tried, on multiple occasions, to build an open-source Android application, and each time I've given up after a few hours of trying to get all the bloat working together well enough to even compile something already written.
tom1337 2 days ago [-]
> Canvas is currently undergoing scheduled maintenance
doesn't seem that scheduled to me
javawizard 2 days ago [-]
ex-Instructure employee here (though it's been about 10 years since I worked for them).
That's just the quickest page/status update to throw up; it was a one-liner to push it live back when I was on the deploy rotation.
I'd hazard a guess they have more important things to worry about right now than exact status page messaging ;)
chrisjj 1 days ago [-]
> That's just the quickest page/status update to throw up
Funny how a lie is always quicker than the truth...
podiki 1 days ago [-]
I thought the same. The "scheduled" part of the message is gone now, at least on the instance I use.
anematode 2 days ago [-]
Well, scheduled by whom? :)
mystraline 2 days ago [-]
Whoever it is, is likely defended by Cloudflare. They seem to like the booters.
I'll be shocked if Canvas ever gets held publicly accountable for this.
I believe FERPA's PII provisions apply to Canvas and contractors handling PII in general (at least as interpreted by the Department of Education). Now, will Canvas be held accountable by ED in this administration? Hah – DOGE probably ran that through the shredder as well.
1970-01-01 1 days ago [-]
Depends on how bad it gets. Most likely nothing will happen; however, if they leak the PII of enough of the rich and powerful then you can expect lawsuits.
incomplete 2 days ago [-]
yep, i work for a major university and our canvas instance is down. this is really, really bad.
Thanks for linking this. Ended up finding my kids school district on the list unfortunately.
12_throw_away 2 days ago [-]
tbh this has me wondering if canvas "instances" are actually as isolated and segregated from each other as they're supposed to be.
javawizard 2 days ago [-]
Define "as they're supposed to be".
Back when I worked for Instructure ~10 years ago, Canvas was effectively a single, giant, monolithic multitenant app with one instance backed by several thousand app servers and ~100 separate Postgres database clusters that any app server could talk to.
Schools were grouped onto pools of app servers and Postgres database clusters more or less according to locality and cluster availability. I want to say a handful of the largest schools got their own clusters, but I'm not certain, and at any rate their clusters could certainly all talk to each other.
It was actually kind of neat from a technical perspective: any Rails model across the entire Canvas world could have a "foreign key" pointing to any other Rails model anywhere else. Among other things, this allowed for users who could administer multiple Canvas organizations, even if those organizations resided on different Postgres clusters. https://github.com/instructure/switchman is their gem that made that all work. (I put "foreign key" in quotes because the whole thing was implemented in software, not with actual database FKs, for obvious reasons.)
---
Of course, the massive downside to that sort of thing is that if you manage to pop one Canvas app server, you have the keys to the kingdom. I wonder if they'll sharpen the edges between clusters in response to this...
---
(Disclaimer: I left Instructure back in 2017; much could have changed since then, and my memory could be faulty about the specifics. Caveat emptor.)
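An added illustration of the "software foreign key" scheme javawizard describes above; this is not Switchman or Canvas code. It assumes a global id that encodes the shard (here 10^13 local ids per shard, an assumption), a constructed in-memory stand-in for the per-shard database clusters, and a per-request guard that limits which shards a principal may read, which is the kind of edge between clusters the comment wonders about.

```ruby
# Assumed layout: global_id = shard_id * IDS_PER_SHARD + local_id.
IDS_PER_SHARD = 10_000_000_000_000 # 10^13, an assumption for this example

# Encode a (shard_id, local_id) pair into one global id.
def global_id(shard_id, local_id)
  raise ArgumentError, "local id out of range" unless (0...IDS_PER_SHARD).cover?(local_id)
  shard_id * IDS_PER_SHARD + local_id
end

# Decode a global id back into [shard_id, local_id].
def split_global_id(gid)
  gid.divmod(IDS_PER_SHARD)
end

class AccessDenied < StandardError; end

# Stand-in for "one Postgres cluster per shard": each shard is a hash of
# tables, each table a hash of local_id => record. All data is constructed.
class ShardRouter
  attr_reader :audit_log

  def initialize(shards)
    @shards = shards
    @audit_log = []
  end

  # Unguarded resolution: what any app server that can reach every cluster
  # can do with a global id. One popped server inherits exactly this reach.
  def lookup(table, gid)
    shard_id, local_id = split_global_id(gid)
    shard = @shards.fetch(shard_id) { raise KeyError, "unknown shard #{shard_id}" }
    shard.fetch(table).fetch(local_id)
  end

  # Guarded resolution: a principal reads its home shard freely and any other
  # shard only with an explicit grant. Every cross-shard attempt, allowed or
  # not, is recorded so unusual fan-out from one server shows up in audit.
  def fetch(principal, table, gid)
    shard_id, _local = split_global_id(gid)
    foreign  = shard_id != principal[:home_shard]
    allowed  = !foreign || principal[:grants].include?(shard_id)
    @audit_log << { principal: principal[:name], shard: shard_id,
                    table: table, allowed: allowed } if foreign
    raise AccessDenied, "#{principal[:name]} may not read shard #{shard_id}" unless allowed
    lookup(table, gid)
  end
end

# Constructed sample: two shards, one account record each.
ROUTER = ShardRouter.new(
  1 => { accounts: { 7 => { name: "Example University A" } } },
  2 => { accounts: { 9 => { name: "Example College B" } } }
)

# A single-institution admin and a multi-organization admin with a grant for shard 2.
LOCAL_ADMIN     = { name: "admin-a",          home_shard: 1, grants: [] }
MULTI_ORG_ADMIN = { name: "consortium-admin", home_shard: 1, grants: [2] }

if __FILE__ == $PROGRAM_NAME
  puts ROUTER.fetch(LOCAL_ADMIN, :accounts, global_id(1, 7))[:name]     # home shard: ok
  puts ROUTER.fetch(MULTI_ORG_ADMIN, :accounts, global_id(2, 9))[:name] # granted: ok
  begin
    ROUTER.fetch(LOCAL_ADMIN, :accounts, global_id(2, 9))               # no grant: denied
  rescue AccessDenied => e
    puts "denied: #{e.message}"
  end
end
```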
wky 2 days ago [-]
It's possible that Instructure's servers got compromised:
dig canvas.ucdavis.edu
[...]
;; ANSWER SECTION:
canvas.ucdavis.edu. 1974 IN CNAME ucdavis-vanity.instructure.com.
ucdavis-vanity.instructure.com. 60 IN A 18.173.121.125
ucdavis-vanity.instructure.com. 60 IN A 18.173.121.103
ucdavis-vanity.instructure.com. 60 IN A 18.173.121.15
ucdavis-vanity.instructure.com. 60 IN A 18.173.121.18
dig canvas.duke.edu
;; ANSWER SECTION:
canvas.duke.edu. 300 IN CNAME duke-vanity.instructure.com.
duke-vanity.instructure.com. 60 IN A 18.173.121.125
duke-vanity.instructure.com. 60 IN A 18.173.121.18
duke-vanity.instructure.com. 60 IN A 18.173.121.103
duke-vanity.instructure.com. 60 IN A 18.173.121.15
mrsvanwinkle 2 days ago [-]
that's what the screenshot says. They rooted Instructure servers.
SamuelAdams 2 days ago [-]
It depends on what you pay for. If you need FedRamp or IL4+ compliance you are likely on dedicated infrastructure. Everyone else uses multi tenancy.
I'm shocked universities don't host their own LMS? At least large universities have the IT departments to do this. They host compute clusters, so they can certainly host an LMS.
oezi 2 days ago [-]
The same reason hospitals don't have their own Patient Information System but all use Epic. The amount of customization you need and continuous churn due to changing curricula and regulatory requirements makes it hard to keep up without scale.
somebudyelse 2 days ago [-]
It looks like Instructure has been removed from the ShinyHunters website. Both the entry and the list of schools have been removed.
bombcar 2 days ago [-]
Look for large BTC moves recently?
corvad 2 days ago [-]
Ransom paid?
bumblehean 2 days ago [-]
Hugs going out to the teams at Instructure working to fix this. I've been through a similar ransomware attack (national news stories, lots of customers dead in the water, etc.), and it's about as bad a situation as you can wind up in.
orourke 2 days ago [-]
My son was in the middle of an exam and then his screen went black and it showed the message from ShinyHunters. Hasn’t been able to get back in since.
I'm a software dev who was affected by the outage. I was working on an app that connects to the Canvas SAML endpoints. One minute I was able to run my code, the next I couldn't. This was a little after 17:00 EST.
Is this accurate? Or is this still an ongoing issue?
podiki 1 days ago [-]
Ongoing. It is not "down" but purposefully offline for "maintenance." Main status does show the LMS (all the course stuff) down, and my instance shows "up" but that's because (I assume) you can reach it and the maintenance page. But that's not useful, if technically not "down."
SeanAnderson 1 days ago [-]
Thanks
boldi 1 days ago [-]
Canvas LMS is the core service that universities rely on. I assume they're trying to develop a fix and that's why the service is labeled "Under Maintenance". I'm a Berkeley student and can confirm that our instance (bcourses.berkeley.edu) is still down.
owlboy 1 days ago [-]
Federated logins appear to now be broken for the campus I’m affiliated with. So more action is needed.
OsrsNeedsf2P 2 days ago [-]
Somehow I have less distaste for ShinyHunters than I do for the companies who don't secure user data
rixed 1 days ago [-]
When you picture the attacker, don't picture a bored nerdy teenager. Picture a selfish, $$ motivated psychopath.
Let's not side with the parasites.
chrisjj 1 days ago [-]
And let's not side with Canvas PR.
altcognito 1 days ago [-]
He didn't really side with Canvas PR, he just said these were not good people. They aren't.
What did Canvas PR do except do a poor job? Doing a poor job of PR is a whole, whole lot less bad than actively destroying people's lives for profit.
poopmonster 2 days ago [-]
Student at an impacted university here.
Our whole testing center is down. This is inconvenient, but mainly it's amusing. I swear strangers are talking to each other more. I'm noticing people just sitting in the sun and relaxing. Nature is healing.
(Of course, plenty of people have also just finished their exams, so it's hard to know the cause.)
Any idea what data Instructure-and-also-now-ShinyHunters even purport to have beyond names, profile photos, pronouns, homework assignments, school communications, phone numbers, and email addresses?
i.e. What makes this threat so different from what any old data brokers have already scraped?
What leverage besides aura farming do the ShinyHunters really have?
All I can think of that's really valuable is passwords. And private communications in Canvas DMs. But if you're being at all intimate over your school email, that's kinda on you.
Anyway surely Instructure only stores user public keys or something?
Alternate history question: If they just sold the data, never revealed the hack, and didn't make a scene, from a customer perspective, how different would this be from business as usual?
What are we even coming to when even internet blogs are paywalled. Verge? Next thing Gizmodo is gonna be paywalled.
krupan 2 days ago [-]
A college student I know just sent me a screenshot, he can't access canvas for his school at all
yesiamyourdad 2 days ago [-]
Same, my daughter just sent a screenshot, she was trying to study for finals.
asdefghyk 1 days ago [-]
Hundreds of 1,000s of students affected by this hack in Australia ( and no doubt other countries around the world ...)
It's more than the 10,000s of Australian students mentioned in the article below ...
QLD Government vendor selection is always terrible.
rosie54 1 days ago [-]
Tbh this is extremely annoying for high school/college students too. High schools are in the middle of AP tests, and many universities have yet to finalize grades, so overall this is a terrible time for this to happen. After the first issue a few weeks ago Canvas should have upped their security and prepared for another attack. They also should provide better communication. If Canvas is down for more than a few days, many schools and universities will have a lot of trouble when it comes time to publish course grades.
bigfatkitten 2 days ago [-]
I use Canvas for some postgraduate studies, and my teenage daughter uses it at her high school.
We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.
haha i went to go check and they haven't merged a PR since 2017
gareim 1 days ago [-]
Look by is:closed instead. They don't merge the PR directly.
copperx 2 days ago [-]
I vibecoded a pretty extensive CLI for Canvas and using it is very pleasant. Joyful, even, when combined with an LLM. Especially when compared to the developer hostile Blackboard Ultra.
j027 2 days ago [-]
Canvas seems like it’s not that great. But if you then use Blackboard Ultra it makes canvas look amazing.
acomjean 1 days ago [-]
I used canvas for some Harvard extension classes 10 to 5ish years ago. It worked OK. Work distributed, grades posted. I didn't realize so many schools used it, or that it was all schools on one instance, which seems kind of nuts.
I lost access when I left as it was tied to my work email. I downloaded a lot, but there was still some useful stuff on the boards.
I wonder what the hackers found out about me. Perhaps the class notes will be lifted to train AI, higher quality than a lot that's on the internet anyway.
Gigachad 1 days ago [-]
I discovered one of my old school assignments ended up on some homework help website. I had never posted this document publicly and had only uploaded it to the school's work submission page. Presumably at that point it was shared with multiple third parties for plagiarism checking and such. And then was exposed to a data breach years later and ended up on the public internet.
bagels 2 days ago [-]
It's been a long time since I was in school. What does this software do?
mbreese 2 days ago [-]
It is how classes (even in person ones) are organized. Assignments, quizzes, links to online textbooks, discussion boards, student/teacher messaging, student group messaging, etc. From the teacher side, I'm not sure if there is a backup copy for things like grades outside of Canvas. It's that pervasive.
Everything from middle school up to grad school.
It's a particularly interesting time to have this happen too -- many finals going on now.
windows_hater_7 2 days ago [-]
It’s a “learning management system.” It replaces a course website in most instances. It’s also used for course grades and you can submit assignments or take quizzes.
If you’re a student or teacher: nearly everything that matters. Homework, materials, lectures, grades. It’s all on canvas.
kzrdude 1 days ago [-]
For my uni: mostly only lecture notes and materials.
plasma_beam 2 days ago [-]
Our public school system here in Maryland got hit, ransom screen.
spmartin823 1 days ago [-]
One thing I remember from my days in the LMS world is that obfuscated copies of prod tenants were used for testing. Almost every dev had at least one tenant from prod on their local computer. So with some de-obfuscation at least some of the data is plausibly retrievable. Whether that data is also public depends on how the negotiations go.
danso 2 days ago [-]
I wonder how much old data Canvas keeps around? Are students who graduated in 2016 going to be at risk of having their academic data leaked?
Fumblenuts 2 days ago [-]
I bet it depends on the institution and the IT team behind said institution, but at least for my university we apparently don't delete old course shells or anything.
I'm friends with a professor who complained to me a couple times about how sometimes he will need to scroll through pages and pages of courses he taught in the past. He also mentioned that profs aren't able to delete their own course shells either.
Telaneo 1 days ago [-]
It wouldn't surprise me if most of it is still around. The amounts of data are probably fairly small, and thus unless intentionally deleted, it's probably still there (maybe unis in Europe are more likely to bother to click the relevant buttons as to comply with the GDPR?). I can't imagine storage becoming an issue unless you've got a huge uni or classes that deal with video (and even then, those probably end up on Youtube as private videos, or only as really small clips).
goryramsy 2 days ago [-]
Down for all students at my University… it’s going to be a headache for all professors to deal with extending due assignments.
eatmyshorts 2 days ago [-]
My daughter says that Northeastern is also affected. Is it more widespread? Did they infect all SaaS Canvas universities?
parable 2 days ago [-]
Yes, all 8000+ institutions that use Canvas.
ThrowawayR2 2 days ago [-]
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.
cortesoft 2 days ago [-]
I do wonder if that won't just end up INCREASING ransom-type attacks, though?
If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment.
A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead.
If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.
Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.
cortesoft 2 days ago [-]
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.
In most of these cases, the companies involved did NOT follow standard security practices.
I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.
ThrowawayR2 2 days ago [-]
> "Consider surgery instead of software development."
Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley
LocalH 20 hours ago [-]
People forget how barbaric medicine has historically been.
Just like 100 years from now, many of today's medical practices will also be seen as barbaric.
kelnos 2 days ago [-]
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things.
But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.
harikb 2 days ago [-]
Well, you don't know how many more would have died if doctors and hospital didn't care about their insurance going higher???
dylan604 2 days ago [-]
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.
I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. A family member had a surgery with well known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity, requiring numerous follow up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.
dctoedt 2 days ago [-]
> this surgeon skipped a step
That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0]
Even more incentive to pay up. I wonder if the timing was intentional or just coincidental.
enceladus06 2 days ago [-]
That is the point. Get an extra million or two $ in btc from Instructure.
flashman 2 days ago [-]
What's in the files they've already released? Some of them are > 800GB.
HDBaseT 2 days ago [-]
Where are you getting that information from?
I'm under the impression files are getting released 12th May.
I don't see any reporting on 800GB?
DauntingPear7 2 days ago [-]
Grades, records, etc I would assume. Someone else pointed out that they recently acquired https://www.parchment.com/ so they may have also been able to scoop up those records too
emmelaich 2 days ago [-]
Also discussions between students and teaching staff.
poopmonster 2 days ago [-]
I'm guessing loads of student work? If so, it'll be great for anyone who wants to research AI usage in papers.
corvad 2 days ago [-]
Some instances seem to be recovering. I wonder if a ransom was paid.
stevenjgarner 1 days ago [-]
So all these top universities using Canvas as a core part of their infrastructure somewhat begs the question: why would a technology degree from them have any real value if they can't even have their infrastructure built and maintained by students themselves? If their education is really worth that much money, why can't they build their own infrastructure?
dopidopHN2 1 days ago [-]
Have you looked at student generated code?
I mean, maybe it changed in the last 10 years. But I was a TA grading CS majors for a while. Their C capstone or what have you.
Some were decent but naively coded.
Most were piles of shit haphazardly put together so they output what is needed to get a passing grade.
But I agree with you in spirit!
owlboy 2 days ago [-]
I’m not surprised. Canvas kind of sucks. And their development is slow. And they are poor at communicating during mundane events.
stringfood 2 days ago [-]
They're also apparently poor at communication during highly interesting events as well
alexalx666 1 days ago [-]
Respect to Canvas sales team, it's like Microsoft level platform lock-in into low sec infra
podiki 2 days ago [-]
And grades are due in the next week or so for many of these (usually a quick deadline at the end of the semester due to graduation happening)...
enjo 2 days ago [-]
My wife’s grades are due tomorrow. She was in the middle of finishing exams when it happened. She can’t even access the exams to grade by hand. Total mess.
SoftTalker 2 days ago [-]
Graduation is just a ceremony. The actual credential award depends on whether you finished all your coursework and is not time-boxed by that event.
Of course if you can't complete your exams because of this, that's more of an issue!
vondur 2 days ago [-]
It looks like every CSU System is on the list (California State University). Surprised this hasn't hit the front page yet.
DaSHacka 2 days ago [-]
Possibly because they haven't released the data yet?
I'm honestly surprised more people aren't talking about this.
kelvinjps10 1 days ago [-]
At the beginning I thought it was the design tool
Telaneo 1 days ago [-]
Great. More data gone astray. Given Canvas' handling of the situation, I doubt they're going to learn much.
The timing probably isn't a coincidence. Great time to stress out students and staff alike. Hopefully it doesn't affect them too much in the end, but I imagine it will.
daledavies 2 days ago [-]
Eek I bet there are a few people at Instructure who won't be getting much sleep tonight!
avs733 2 days ago [-]
It is absolute chaos at my institution. This is the last day of finals and grades are due Monday morning. Most faculty are spending today, tomorrow, and through the weekend finalizing grades.
What we don't have access to includes:
* Already graded work
* Ungraded work
* overall and assignment grades
* lists of students and student emails from the course
* messages from students that are often sent through gradescope
Just...complete implosion.
pesus 2 days ago [-]
What happens if the system isn't back up in time for grades to be submitted? Just a delay?
nektro 1 days ago [-]
going after systems that affect students is beyond bad taste
thatxliner 1 days ago [-]
I remember this group did something else a while back too.
incomplete 2 days ago [-]
i work tech at a university that's impacted by this. while it doesn't impact me directly, many many other staff and instructors i know are heavily affected by this outage. the students are absolutely outraged, mostly because the university hasn't been providing updates as quickly as they'd like, but since the staff/admin are waiting on word from instructure -- and there hasn't been a lot from them, it just generally sucks for all of us.
this is really, really, REALLY bad. it's not great that names/emails/etc will potentially be leaked, but also private messages between students and instructors. and since many of the campus systems rely on canvas integration, things have pretty much ground to a halt a week before finals.
after they were breached on the 1st of this month, instructure had an announcement yesterday that "everything is great! we're good! hackers are gone! we've rotated our keys!".
no. nothing is great. we are not good.
0xbadcafebee 1 days ago [-]
Nothing to see here folks. Just another predictable data breach from allowing companies to do whatever the hell they want with sensitive personal information.
This will keep happening, more and more, and never stop, until we create a software building code and legally require it for all online businesses.
Universities, Parents: y'all actually have the political and economic power to get a software building code passed. This incident isn't the last.
wg0 2 days ago [-]
You learn all the technical details only to harm people like that instead of making a modest and honest living.
Shame on your existence basically.
lazystar 1 days ago [-]
> Earlier in October, an Amazon Web Services incident resulted in Canvas and Piazza outages that lasted around 12 hours.
...what does that DDB DNS issue have to do with anything?
mensetmanusman 1 days ago [-]
It's interesting how delta-function-esque security issues are, which makes it nearly impossible for young organizations to properly risk assess.
echelon 1 days ago [-]
> ShinyHunters
Is that a Pokemon reference?
mobeigi 1 days ago [-]
I enjoyed the reference more than the story itself :)
Damn, all schools in our district in Washington moved to Instructure last year.
They moved away from Teams because it objectively sucked, but I haven't heard of widespread compromises like this in Microsoft's systems so...
ghqst 1 days ago [-]
Well instructure is slightly better than the somehow legal torture of having to use the "product" Microsoft Teams
jrm4 2 days ago [-]
Canvas shouldn't exist in its current form, and neither should have Blackboard.
It's always been as stupid as requiring that your chalkboard, chalk, chairs, bluebooks, pens, paper, gradebook etc etc all come from the same company.
I, for one, am very much looking forward to my IT Gov council meeting tomorrow.
SilverElfin 2 days ago [-]
Terrible that this affects children and that their information may be ultimately leaked. There need to be greater consequences in the law for security breaches.
vinni2 2 days ago [-]
I hate Canvas. I would rather run a course on GitHub. But our university forces it on us. And now this.
crazygringo 2 days ago [-]
Do you remember how Canvas was a gigantic improvement over Blackboard?
And GitHub doesn't provide a way to record grades that remain private per student last I checked, much less sync them to the university, or 99% of other things Canvas does.
I don't love Canvas, but it's far, far preferable to a world without it.
poopmonster 2 days ago [-]
It is really convenient and stays out of the way. As much as I'm enjoying the mess, I am forced to appreciate its value.
bombcar 2 days ago [-]
> remain private per student last I checked
last I checked it appears grades remain private per planet or so ...
bombcar 2 days ago [-]
How does Canvas compare to things like Moodle?
Or is it an entirely different class of beast?
wmoxam 2 days ago [-]
I've written a bunch of LMS integrations so I've had the opportunity to use all of the major LMSs. Basically, all LMS systems are rather user unfriendly and complicated with a ton of customization options hidden under layers of sub-menus/configuration settings. At their core they provide a grade book, student management tools, and some basic CMS type functionality for posting class messages/coursework/etc. They've all adopted a standard for interacting with external tools (LTI).
Canvas generally is the 'easiest' to use, and the 'cleanest' looking one although D2L Brightspace is pretty good too. Moodle out of the box is pretty confusing and ugly, but I've seen some heavily customized instances that look a lot better. Blackboard is the worst of the bunch IMO.
frollogaston 2 days ago [-]
Wow, I last used Moodle in 7th grade, 2008. It seemed like a similar thing.
swatson741 2 days ago [-]
I saw this happen to my Canvas account today. At first I thought it was a prank from the school or Instructure. The message was sent to students which makes no sense. Second, the message that was sent basically implies that ShinyHunter is actively getting patched out, and no one is ever going to give into their demands. They're basically saying that they're done and desperate. It's a strange message for ShinyHunter to send, but I think they were trying to pull off a psyop / FUD.
Looking into the payload they sent me, this is how they hijacked the screen. Everything in the payload is unchanged except for one line of code:
    body::after {
    content:
    "\A\A"
    "S H I N Y H U N T E R S"
    "\A"
    "rooting your systems since '19 ;)"
    "\A\A\A"
    "ShinyHunters has breached Instructure (again)."
    "\A"
    "Instead of contacting us to resolve it they"
    "\A"
    "ignored us and did some \201Csecurity patches\201D."
    "\A\A"
    "\26A0 W A R N I N G"
    "\A\A"
    "If any of the schools in the affected list are"
    "\A"
    "interested in preventing the release of their"
    "\A"
    "data, please consult with a cyber advisory firm"
    "\A"
    "and contact us privately at TOX to negotiate a"
    "\A"
    "settlement. You have till the end of the day by"
    "\A"
    "12 May 2026 before everything is leaked."
    "\A\A"
    "Instructure still has until EOD 12 May 2026"
    "\A"
    "to contact us."
    "\A\A"
    " \25BC DOWNLOAD AFFECTED_SCHOOLS.TXT \25BC"
    "\A"
    "91.215.85.103/pay_or_leak/"
    "\A"
    "instructure_affected_schools_list.txt"
    "\A\A"
    "visit us: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5"
    "\A"
    "lkvejwjdo6z7bmgshzayd.onion" !important;
    }
The hack is crude, and it seems unlikely that they have any access to Instructure's developer tools.
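An added example, not code from the thread or from Instructure, showing why that stylesheet renders as a full-screen notice and how a defender can spot the pattern: the `content:` property on a `body::after` pseudo-element paints generated text over the page, and the `\A` / `\201C` sequences are ordinary CSS escapes (a hex code point followed by one optional whitespace). The decoder follows the CSS escape rule; the stylesheet below is constructed, not the real payload, and the flagging heuristic (pseudo-element on body/html, `!important`, multi-line text or an .onion/IP string) is this example's own.

```ruby
# Decode one CSS string literal body (quotes already stripped).
# \HHHHHH (1-6 hex digits) is a code point and swallows one following
# whitespace; any other backslash-escaped character stands for itself.
def css_unescape(s)
  s.gsub(/\\([0-9A-Fa-f]{1,6})\s?|\\(.)/m) do
    $1 ? [$1.to_i(16)].pack("U") : $2
  end
end

# Pull every `selector { ... content: "..." "..." [!important] ... }` out of a
# flat stylesheet. Returns hashes with :selector, decoded :text, :important.
# Simplification for this example: no nested blocks or @-rules.
def content_declarations(css)
  css.scan(/([^{}]+)\{([^{}]*)\}/m).filter_map do |selector, body|
    m = body.match(/content\s*:\s*((?:"(?:[^"\\]|\\.)*"\s*)+)(!important)?/m)
    next unless m
    strings = m[1].scan(/"((?:[^"\\]|\\.)*)"/m).flatten # adjacent strings concatenate
    { selector: selector.strip,
      text: strings.map { |t| css_unescape(t) }.join,
      important: !m[2].nil? }
  end
end

# Heuristic for a defacement-style injection: generated content forced onto
# the whole document with !important, carrying a text block or a link.
def flag_injected_content(css)
  content_declarations(css).select do |d|
    on_document = d[:selector].match?(/\A(?:html|body)\s*::?(?:before|after)\z/)
    multi_line  = d[:text].lines.count >= 3
    has_link    = d[:text].match?(/\.onion\b|\b\d{1,3}(?:\.\d{1,3}){3}\b/)
    on_document && d[:important] && (multi_line || has_link)
  end
end

# Constructed sample: one benign rule plus one injected notice. The
# doubled backslashes keep the CSS escapes literal inside the heredoc.
SAMPLE_CSS = <<~CSS
  .card { color: #333; content: "x"; }
  body::after {
    content:
      "\\A\\A"
      "S A M P L E  G R O U P"
      "\\A"
      "see \\201Cnotice\\201D: example.onion" !important;
  }
CSS

if __FILE__ == $PROGRAM_NAME
  flag_injected_content(SAMPLE_CSS).each do |d|
    puts "flagged #{d[:selector]}:"
    puts d[:text]
  end
end
```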
starkrights 2 days ago [-]
Where did you find information on the nature of the attack?
mudkipdev 2 days ago [-]
This is an AI bot
poopmonster 10 hours ago [-]
How did you identify it?
aaronsung 1 days ago [-]
At the same time,
Aussie tech giant pauses work, devotes entire week to AI
Design software giant Canva has halted normal operations across its 5300-strong global workforce for five days of nothing but AI learning and hackathons, bucking the global wave of technology giants that have slashed jobs, citing the technology.
https://www.smh.com.au/technology/aussie-tech-giant-pauses-w...
My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers), or weeks (they don't). Very little in-between. And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable. In the extreme case, they may have to revert to something we did in the pandemic semester (and before that, at my school, in the semester that two major academic buildings actually did burn to the ground a week before finals): let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?
(Well, one thing you can do is not put your eggs all in one basket, and not trust "the cloud" quite so much, but that ship's already sailed. I do wonder if in the longer term, anybody learns any lessons from this....)
UPDATE: As of 11:45pm EDT, my university's canvas instance is up and running! Here's hoping it stays (but I'll be downloading some stuff just in case...)
It’s so simple to send an e-mail to the student with relevant records on completion of a quiz or whatnot. They don’t do it, because they want to control the data. (And universities don’t insist on it for who knows what reason.)
The party line is probably something about "a lack of data security" with email, which would almost be funny given the current situation if it wasn't so stressful for those impacted...
This is to do with FERPA which requires that student grades be kept private. There is a small but still a significant legal risk that someone else such as a parent or roommate could have access to a student's email. And so to avoid even the possibility of a court case, schools prefer to play it safe and display grades only to a user they can authenticate directly.
This doesn't have anything to do with common sense, it's simply about legal risk. And it's not about security in a broader sense, it's specifically about privacy FERPA legislation.
There is no more risk of access to email than there is to Canvas. They are usually secured by the same SSO, too.
However, congratulations for finding the exact dodge around implementing a useful feature. Back when I worked at a university, it was apparent we had a “toolbox” of reasons to deny requests we didn’t want to do: HIPAA, FERPA, ERISA, PCI, GLBA, Title IX, ADA.
“We can’t do that integration with student health services due to HIPAA concerns.”
“We can’t implement that sign up form due to FERPA.”
“We can’t update that site because we’d have to do so and be ADA compliant and that would cost too much.”
“Due to Dining Services’ server being in scope for PCI, we can’t run reports off of it.”
“Adding that ability to Student Affairs’ portfolio app would raise Title IX concerns.”
It was great. You had endless excuses to say why you can’t email a student their grade.
It's about edge cases like someone set up your email to forward all your emails to their account without you knowing. Or other additional situations you could imagine.
There is no benefit to not emailing grades directly, from the perspective of Instructure. There is no ulterior motive here. But universities are genuinely risk-averse and their lawyers tell them that not including the grade in the email simply shuts down one more avenue for some potential lawsuit. Which costs money to defend even if a university wins it.
This isn't some kind of "dodge". This is literally just Instructure doing what university lawyers demand.
I agree with you that the email address is generally always also controlled by the school and has the same login authentication. It doesn't matter. I told you this isn't about common sense. This is about lawyers saying that it could reduce legal risk. And that is a true thing that is coming from real lawyers. Even if you disagree with those lawyers.
And Instructure isn't going to try to disagree with lawyers for its own potential customers. It's going to give the schools what they want, which is not revealing grades via email.
It's not a "dodge."
What you are saying about e-mail is simply not factual. Student e-mail is inside the FERPA environment, and is considered private to the student. It was designed to be that way. If a student sets up forwarding to go to someone else, that's their problem. The student e-mail uses the same SSO as the LMS, so it's nonsense to act like someone else could have access to e-mail.
It is a dodge. Society should not just say "oh those silly lawyers". These people are not being responsible. They are not doing their jobs.
It looks very weird and is hard to understand from the outside, and unfortunately all technology vendors are on the outside.
Basically every technology has an impedance mismatch when brought into the university environment. And when you combine them together it keeps getting worse.
That's why you see things in this thread like CS professors who operate their class using pen and paper and maybe a spreadsheet.
One thing I really appreciated that she did was refuse to put e-mail disclaimers in the bottom of e-mails, because she said they had zero legal weight and actually were negative from a legal perspective, since it means people might think they have legal weight (when they don't).
Overzealous e-mail admins would periodically want to do it because it's what everyone else does, not to mention vendors of frankly B.S. software whose only value prop was adding a disclaimer to all the email that went out of Exchange or Google Workspace.
You would be surprised at the number of frivolous lawsuits and seemingly "zero risk" decisions that wind up turning into actual legal risk and legal fees.
The legal world is a lot more complicated than you think. I've been in some of these conversations. Quite frankly, you don't know what you're talking about.
The law is a lot like an app: It has to take into account a gazillion edge cases and corner cases — not to mention that people can be ignorant and/or malicious. It really is complicated, as you say above.
Well done on not hurling insults at @ndriscoll, BTW. Personal attacks don't persuade the target, and they can turn off onlookers who might be undecided. (Competent lawyers learn early that judges and jurors don't like personal attacks and can be less inclined to believe the attacker.)
Refusing to give a student their own data because of a privacy law that's meant to give the student control over their data is them failing. Full stop. There's no room for excuses for government funded entities to act in the exact opposite way that they are supposed to to avoid their fear of government imposed penalties from a deliberate misinterpretation of what the entire thing is about. That's incompetence by everyone involved. It is people going out of their way to make the world a worse place to act important. Absolutely unacceptable.
It's like if teachers aren't teaching the kids to read or add, the details about all the compliance stuff they need to worry about and how the school "can't" remove disruptive kids from a class or whatever is missing the point; the schools can't sacrifice actually doing their job at the altar of compliance, or we should just shut them down since all they do is waste resources. The compliance people should be figuring out how to shield the actual workers/create plausible deniability if the law is supposedly that stupid.
Blaming lawyers or Instructure for "failing to contribute to society" is both incredibly immature and factually wrong. It's not the 1980's where jokes about "kill all the lawyers" get laughs.
I'm going to be blunt: you seem to have a kind of black-and-white, adolescent understanding of the world where it's split up into good actors and bad actors, and good actors should do what's right (regardless of the law) and bad outcomes are the result of bad actors. But that's not how the world works. Everybody involved can be intelligent and trying to do their best, and we get suboptimal outcomes because this stuff is hard. Writing laws that protect student data while maximizing student convenience are probably never going to get it perfectly right in every situation. But insulting the lawyers or the schools or Instructure as "failing to contribute to society" or insulting the law as "supposedly that stupid" is to deeply misunderstand everything.
Frankly it's a perspective that I've only developed as I got older and realized that such excuses are poor, and that the real world has quite a few people in it who don't really care about the outcomes of what they're doing, or even understand why they're there. To me it feels adjacent to the adolescent view I often see on this site/reddit around "why is the company laying people off when they're making lots of money?" It's because those people aren't needed for anything, and those jobs aren't a form of charity. They exist for a purpose. If they no longer have a purpose, why would you keep paying that person?
If people are going to exist as obstructions to the purpose of the institution we're trying to serve, then they are useless. It's like a computer security worker saying the best way to be secure is to unplug everything, and push for policies that no one shall use computers for anything. Completely missing the point.
Finding ways to follow the law in the most risk-free way to the detriment of everyone is exactly missing their purpose in the world, and everyone should rightly call such a person incompetent and useless. It's casual acceptance of this kind of incompetence culture that slowly leads to societal decline. It's the same kind of thing as when Berkeley took down their lectures because of the ADA. How about the same state that ignores federal immigration and drug law say that actually they're going to keep giving away their free educational materials because they want universal education, and giving those lectures away is strictly better than not doing that, and if the feds want it made accessible, they can fund a project to do so?
If you don't see how extreme that is, and how much society would break down if everyone started thinking laws were optional and ought to be ignored when they prevent you from accomplishing your "mission", I just don't know what to tell you.
Like the entire AI industry could only work by completely ignoring copyright law. Basically no software could be written if developers were conscientious enough to check for and avoid patents first. Tradesmen ignore safety policies. Doctors ignore limits on hours. People do work on their homes with no permits.
Part of being an adult is exactly knowing which rules are important and which you ignore.
Corporations, universities, etc. are very different. They create policies which are documented and which their employees are required to follow. They engage in risk analysis.
"Part of being an adult" has nothing whatsoever to do with the laws and regulations that apply to organizations. You're making a severe category error.
E-mailing a student their grade is not "breaking the law".
Not e-mailing a student their grade is not "being careful about following the law". It is just sheer laziness.
A university may develop a policy of "we don't e-mail grades" for another reason, but FERPA is not a valid reason.
It's not "sheer laziness". I can almost guarantee you that Instructure would prefer to e-mail the grade itself, and probably had the code working somewhere before feedback from universities told them to remove it.
There are absolutely cases where sending an e-mail to the wrong person is a violation of FERPA. Can you guarantee that your software will never be configured to accidentally e-mail someone besides the student? That no administrator will ever accidentally set up the wrong e-mail address? Because you're not sure if you can make that guarantee, it's legally safer to restrict it to the actual LMS login.
It’s rather simple to restrict sending email to @student.uni.edu and then further force their email to match the username and email address that is synced from the SIS.
How much FERPA compliant software have you written?
You are right that if you are creating a custom tool you can create that restriction easily.
But if you are creating a learning management system where administrators can configure it a million different ways and the university lawyers want to make sure that administrators don't set it up the wrong way, it makes sense to have that safeguard.
You are looking at the wrong level here. This isn't a software coding issue around technology. This is a policy compliance issue around people. When you create tools you have to consider the possibility of those tools being misused by an employee and mitigate those risks when possible.
An old lawyer joke: What do you call 100 lawyers drowning in the ocean? A good start!
(Told to me by my dad, a former attorney till he retired.)
Actual, real lawyers who work for or at real universities often do contribute quite a bit of valuable work. I enjoyed the one I worked with and think she did a great job of putting the brakes on over-regulating or using legal compliance as an excuse for just not doing work.
Of course I presume it's also not a strawman because it's not in any way some unique thing to lawyers.
Lots of fun if a department had been stonewalling for “legal reasons” and she was summoned to a meeting.
Going by a certain story 2 years ago, their concern should be that they're overqualified for Meta.
It doesn't help that gmail, which is the only serious direct competition to outlook, straight up doesn't do "folders" and instead goes with markers. So you can't really just put a filter that drags all the 100 low-priority alerts in what would count as a first degree abstraction of "place where things are sorted into". No, there are two layers of abstraction between point A and B of things, sorter and sorted things. The result? Muggles can't recognize the heck you're describing and refuse to even acknowledge the possibility.
While true, unless I'm mistaken, markers (I assume you're referring to tags) can be nested to provide a pseudo-folder hierarchy, and with proper filters you can remove the "inbox" tag and have the mail only show up under the specific tag.
TBH I don't fully mind it, it lets you classify an email in multiple ways (eg "See Later" as well as "Work related").
Perhaps Outlook is difficult to configure. Thunderbird is intuitive.
Biology is a great example because of just how important digital record management is to experimentation in the field.
2. Yes, configuring gmail filters should be doable for anybody with a university degree. It's really not hard.
They are referring to MOST graduates of MOST colleges. This is a deliberate overgeneralization about the nature of post-secondary education meant to highlight how it's frequently viewed solely in terms of completion rather than with regards to any skills or knowledge gained from it.
Your comment stated that college doesn't add much to a person's employability. (If you had wanted to be less obfuscatory, you could simply have said "a [HS] education is already adequate qualification for many jobs; college doesn't add much").
That was your claim. (I don't think your claim is correct of many OECD countries' colleges, but it was the claim you made.)
You then replied to J-Kuhn to say that they had misunderstood your comment by (mis)paraphrasing it as "Students attend college to become qualified to work."
Have you met the average community college student who doesn't even own a laptop but does all of their work on their phone? Gmail doesn't even allow you to create or manage filters from their phone app or mobile web interface.
It reminds me of an old joke my father used to say about jobs with virtually no interview (fast food, etc). He called it "The Mirror Test", as in if you hold a mirror up to the person, does it fog up? If yes, you are hired!
I mean, anyone smart enough to attend university could probably figure it out if they really wanted to, but there are hundreds of other useful things that they could learn too. There are only so many hours in the day, and given that most students don't get that many emails, I can hardly blame them for not wanting to prioritize learning how to filter emails.
(I personally have over a hundred lines of Sieve filters, but I'm definitely not a typical student)
Are you suggesting that outlook wrangling be explicitly taught at the college level?
Yes. And most of the general population. They can do it once they know it exists, most people just are not aware it is a thing at all.
>What are they learning?
Here, their "major" as you say in the US. Someone in econ, biology or even CS is not going to learn Outlook rules. Maybe IT or business will have a sentence on it.
>Where will they be qualified to work?
Any office job. Any job really.
Even if they didn’t hand in an assignment at all, without any reason provided, I’m required by regulation to offer them a second chance to pass that assignment.
The students’ rights are quite strong here (Northern Europe), which I generally support, but it has some downsides.
Delete
Delete and Report Spam
Exactly what is in their field of study, nothing more. That's a huge part of the problems created by treating academia as a degree mill mandatory to get a job able to feed yourself instead of a place only for those truly interested in actually studying a subject.
It's better than nothing. (And good training for the real world.)
Also, most universities (and many schools now) issue academic e-mail addresses to students. In those cases, the email is definitive proof.
This would undermine Canvas's lock-in.
ed tech is the WORST performing VC sector
the ONLY game in that town is vendor lock-in! are people joking?
c'mon, canvas is a huge piece of shit. the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first, rather than universities writing an open alternative they share with each other for free.
Canvas is used by Harvard, MIT, Stanford, Carnegie Mellon, CalTech, etc. If they each paid 10 FTE, they could set up a foundation that could govern the development of a top-tier LMS. Every tier-1 state institution could contribute 5 FTE. Even little JuCos could chip in an employee here and there. You'd pick up hundreds of capable employees at a fraction of what those schools currently pay to Instructure.
IT department will then build the feature as instructors are high-status and IT is low-status, and they aim to please. The software will collect hundreds of these over time. The institution will accumulate more developers, QA, a11y testers, PMs, instructional design consultants, and more PMs to deal with the instructors. The institution will then move to a SaaS solution where the instructor is forced to join Canvas Jira and submit their feature request. A product manager at Canvas will then post to Jira and say thanks for your feature request, we will consider it. Game over.
In reality, universities always spin off anything that looks like it could generate revenue. It is very telling that you can't even get your college transcript from your college. You have to go to (and pay) some third party to get it. Some universities even outsource their "classes" like elderhostel to cruise lines and travel companies.
That already exists [0], and is actually reasonably popular.
> the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first
I doubt it, because enterprise sales has nothing to do with how good your product is, how expensive it is, how easy it is to administer, how secure it is, etc.; it only depends on how good you are at enterprise sales. I mean, my university is Oracle-based, and I'm pretty sure that you could get 3 random undergraduates to write something better, so I don't think that LLMs writing better/cheaper software will make any difference here.
[0]: https://moodle.org/
Extremely non-tech savvy, hates computers, and is gonna grumble "What the hell is a PGP? Better not be another one of those phone code things." as you try to pitch this highly-technological solution to a largely niche problem domain.
Hell just getting people to do secure passwords is a whole thing.
Ironically, this incident shows they don’t have control of anything.
What seems easy on hobby projects gets way more difficult at scale. Source: experience.
Either way, they were under no obligation to adopt this garbage technology regardless of whether it’s available, so this is 110% on them.
You are aware that you are posting on Hacker News, a forum for people who make their living selling software and the expertise to host it?
Edit: No idea why this was down voted so much. I'm not defending Canvas, just wondering what the alternative would be.
I worked at a university which did exactly this, in the UK.
It was a bespoke platform which integrated incredibly well with the rest of the systems the university used because it was designed from the ground-up to meet the institution's needs, there were regular user groups involving academics to understand what features needed to be built/worked on etc. At one point it was all OSS on GitHub too, in case other universities could've found it useful. It handled plagiarism detection (integrating with Turnitin), marking, exam grids, coursework submissions and feedback, seminar allocations, personalised timetables & mitigating circumstances.
The in-house dev team was vastly cheaper than anything SaaS would've cost, as well. It also maintained software for on-campus parcel deliveries, online exams, opinion surveys, a mobile app for students/staff, the SSO system, the course catalogue, car parking permits, a content management system and more.
My (also UK-based) university has been working on a new student records management project for years that's been incredibly ill-fated. It's destined to replace all their current systems and the first module was meant to launch last year, except it thoroughly failed testing and nobody has heard anything about it since.
No idea how long it'll take to pull through. I don't believe it's an in-house effort.
https://github.com/instructure/canvas-lms/wiki/Production-St...
Or maybe consider not following the herd, and use a much simpler but sufficient system that can be self hosted, if available.
But you do then have to have a sysadmin capable of managing an enterprise grade LAMP stack.
Everything we know has come from reddit threads / hackernews threads. There has been 0 official communication today indicating this was an attack, yet the login page was defaced by ShinyHunters.
That makes you one better than me. :( One thing's for sure--I'm never trusting it again.
I already had almost all my materials outside of Canvas and just used their API to upload it. So at least that's safe. But the grades... dang. Luckily we're only halfway through our quarter and it's not finals week.
Our instance is still down, but your update gives me hope.
What good is having airgapped backups and spinning them up, if they are instantly vulnerable to the same attack again?
It does depend on what the attack is, but how do people approach that scenario?
Canvas does provide a lot of value (all courses, teachers', students', and parents' contact information, all learning plans, schedules, room numbers, all grades, a lot of tests and assignments themselves, all upcoming assignments and deadlines, a lot of other coursework is in there, as are the final grades) but it shows that with external SaaS you might be one attack away from not only losing all that convenience but also in a world of hurt 'cause you lost all the data and now have to figure out how to proceed without the data and the system.
US high schools are in the middle of finals, and seniors are getting ready for college (the transcripts to be finalized and sent out in a few weeks), so that was scary timing.
Does anyone have a list of affected schools?
And then wish for the death of saas and a day where you can deploy your own software you can control and modify as you need.
Does a future employer look at pass/fail vs the grade? do they care? Are there even jobs that matter enough to care out there for them?
This seems like solving the problem but without actually seeing the broader goal or trajectory education is supposed to follow.
I don't know for a fact how pass/fail is treated by employers, but there are indeed some that look at your college GPA even 10+ years after you graduated. I suspect they don't care about the specifics of how your overall GPA was derived though, so pass/fail likely doesn't matter (unless you did really well and expected the grade to boost your GPA, and then pass/fail essentially does nothing to the GPA, thus kinda eliminating the GPA boost).
I got asked for my undergrad GPA (I graduated ~10 years ago) more than once over the last year by some finance/quant firms.
As for whether "do those jobs even matter enough," I guess it is more of a personal subjective take. I found the work that the people at those companies did (and the problems they solved) to be very interesting and challenging, I found the people working there to be extremely sharp, smart, and genuinely nice to interact with (which is an ideal work environment for me), and I found the total comp to be great. Honestly, I cannot think of much more to ask from an employer.
Canvas is mostly FOSS
https://github.com/instructure/canvas-lms
I had a lot to learn about actually developing software after I finished my CS degree.
"Courses were taught in a range of subjects, including Latin, chemistry, education, music, Esperanto, and primary mathematics. The system included a number of features useful for pedagogy, including text overlaying graphics, contextual assessment of free-text answers, depending on the inclusion of keywords, and feedback designed to respond to alternative answers."
"PLATO III allowed "anyone" to design new lesson modules using their TUTOR programming language, conceived in 1967 by biology graduate student Paul Tenczar."
"The largest PLATO installation in South Africa during the early 1980s was at the University of the Western Cape ... For many of the Madadeni students, most of whom came from very rural areas, the PLATO terminal was the first time they encountered any kind of electronic technology. Many of the first-year students had never seen a flush toilet before. There initially was skepticism that these technologically illiterate students could effectively use PLATO, but those concerns were not borne out. Within an hour or less most students were using the system proficiently, mostly to learn math and science skills, although a lesson that taught keyboarding skills was one of the most popular. A few students even used on-line resources to learn TUTOR, the PLATO programming language, and a few wrote lessons on the system in the Zulu language."
The full PLATO system included grade books, attendance tracking, and class scheduling, as I recall. Perhaps a University of Illinois alum can say more.
I would really like to know how much more useful the current systems are over, say, PLATO in 1992, when evaluated for pedagogy and course management benefits.
I have an idea for the midterm (pun intended): Maybe don't jump feet first into the deep end of a single point of failure going forward.
... and assuming they have a documented, tested, and trusted restore process.
Some data was permanently lost, and then officers told reporters that multi-regional backup was not yet built because it was too hard at such a massive scale... of 858 TB.
There are probably many S3 buckets in existence that are bigger than that.
Not saying that they should've used S3, but it's definitely possible to configure multi-regional backup (and a government can afford it).
As a parent of kids who are impacted by this, I’m not super concerned about the data being held for ransom, but I sure as fuck am concerned about how much it’s going to cost the district to move to another provider.
Also, ransomware gangs often exfil the data and threaten to release it if the ransom is not paid--blackmail, of a sort. It depends on the company and the data set whether this is effective as a tactic. But when it is, backups don't help.
Does Canvas have cybersecurity insurance?
Schedule a single exam and that's your grade for that subject? That's how it should work anyway, credits for work during semester (or worse attendance) are not needed to evaluate if someone learned the material, give them an exam and done.
Which to me seems the best way, you still have to learn throughout the year. Especially to avoid cheating this works nice. And as an aside, most people I know that did a year abroad in the US got 1-2 grades higher, as it was quite easy to just farm extra credits.
At my school, tomorrow is the last day of exams. Most of the students have left campus. There's no time or mechanism to schedule an(other) exam.
Using attendance is a carrot to get students to show up, which leads to better learning outcomes overall - which should be the goal.
And from the hacker's message itself, it's clear they want money in exchange for not releasing private info, not for the data itself.
Do we live in a fear based culture? Why the panic? Even if everything was hosted on Instructure's infrastructure, it's all AWS. I'd be VERY surprised if there aren't multiple ways to go back to a previous state.
Most of the work and delay is to make sure they figure out where the breach occurred.
Here in the Netherlands a data center's power source (not even the machines) burnt down, data center is offline and University of Utrecht, one of the biggest universities here, is closed. Access passes don't work, work from home environment doesn't work, student information system is down, system for grading doesn't work. No failover for any of them (or maybe it was in the same DC?)
https://nos.nl/artikel/2613485-storingen-in-hele-land-door-b...
Backups can be sabotaged (turned off or schedules manipulated) or compromised (say, by lateral movement).
> Even if everything was hosted on Instructure's infrastructure, it's all AWS.
AWS Backup isn't foolproof. Get your hands on administrator credentials as an attacker and suddenly the only thing between everything being gone for good and unrecoverable even for AWS is remembering to have put a permanent deletion protection on all resources in AWS Backup.
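The "permanent deletion protection" that comment refers to is AWS Backup Vault Lock. As an added example (not code from the thread, from Instructure, or from any university), this Terraform fragment creates a vault, locks it in compliance mode, and points a daily plan at it. The vault, plan and rule names, the retention values and the schedule are assumptions chosen for illustration.

```hcl
# Added example, not from the original thread: an AWS Backup vault with
# Vault Lock in compliance mode, so recovery points cannot be deleted early
# even by a caller holding administrator credentials. Names are assumed.
resource "aws_backup_vault" "lms_backups" {
  name = "lms-backups" # assumed vault name
}

resource "aws_backup_vault_lock_configuration" "lms_backups" {
  backup_vault_name = aws_backup_vault.lms_backups.name

  # Recovery points in this vault cannot be deleted before 30 days
  # and cannot be kept longer than 365 days.
  min_retention_days = 30
  max_retention_days = 365

  # Setting changeable_for_days selects compliance mode: after this
  # cooling-off period (minimum 3 days) the lock can no longer be
  # removed or loosened by anyone, including the account root user.
  # Omitting it would give governance mode, which IAM can still undo.
  changeable_for_days = 3
}

resource "aws_backup_plan" "lms_daily" {
  name = "lms-daily" # assumed plan name

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.lms_backups.name
    schedule          = "cron(0 5 * * ? *)" # 05:00 UTC every day (assumed)

    lifecycle {
      # Must fall inside the vault's min/max retention window,
      # otherwise the backup job is rejected.
      delete_after = 90
    }
  }
}
```

Two practical points follow from the settings above. Because a compliance-mode lock cannot be shortened later, the retention window should be chosen only after a restore has actually been tested end to end; a vault that protects recovery points nobody can restore from is not a backup. And a lock protects the vault's contents, not the account: the complementary control for stolen administrator credentials is copying recovery points to a locked vault in a separate account (AWS Backup supports this through a copy action on the rule), so that compromising one account's credentials is not enough to reach every copy.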
Incidentally I've always hated Canvas and probably every other LMS provider, but what is particularly amusing about this current outage is that it is occurring at exactly the time when universities are demanding that all professors put all of their materials on Canvas, without exception, due to ADA compliance regulations. It is explicitly forbidden for professors to, e.g., refer to pdfs posted on a personal website.
Other commentators here seem not to understand that many faculty also do not enjoy being forced to use Canvas.
The MS services have not improved teaching at all. What they do, is fragment communications, and add ever more places people have to look, in hopes of finding things.
But the administration loves them. "The bureaucracy is expanding, to meet the expanding needs of the bureaucracy."
Thankfully, I store my teaching materials on my personal non-uni webpage, and the student's marks in my office's computer (apart from the MS-based Uni system).
Whenever something happens with MS, chaos ensues throughout the whole Uni and the students end up paying the consequences.
And of course the other serious concern I have with Canvas is that they are likely using all the materials faculty upload to train their AI replacements. Many of my colleagues engage in dark humor about this but I haven't noticed much action.
Instructure (Canvas's developer) partnered with OpenAI last year [1], about a year after KKR and Dragoneer (PE firms) acquired it [2].
[1] https://www.forbes.com/sites/rayravaglia/2025/07/23/instruct...
[2] https://www.pehub.com/kkr-and-dragoneer-complete-4-8bn-take-...
I would guess these plugins are chosen so a majority of users won't want to live without them.
It also seems these plugins "link" to canvas-lms, so keeping them proprietary would be a GPL violation if anyone except Instructure holds part of the copyright to Canvas.
That calculus is about to shift.
I'm not sure where your stereotype even comes from, because Canvas is not trivial software. You can see for yourself as it's AGPL and I assume you looked at the code before criticizing it because any good engineer would do that.
I completely agree that it is not trivial software in the worst sense, it tries to do too much, while not being particularly good at any one of those things, and is way too rigid for how diverse the needs of different courses might be even inside a single faculty. And saying "It's AGPL, just self host and add your requirements to it" is not really useful, that would mean way more money and effort than what a university's overworked IT dept. is capable of.
What I meant is they aren't capable of building AI capable of replacing professors. I still consider it a reasonable assumption, as it has nothing to do with how well engineered canvas is. It's a different competency than instructure would have, and I've heard from insiders instructure has been spinning their wheels on way more trivial AI challenges. I also understand well how hard it would be to create AI that replaces professors and how the current best AI from Google, Anthropic, OpenAI is orders of magnitude away from being able to do that.
An engineering culture can change a lot in 10 years, and a company's engineers' ability to do stuff depends both on the individual engineers' abilities as well as the company systems and culture.
> You can see for yourself as it's AGPL and I assume you looked at the code
Can you look at any codebase and tell me it's written by some of the best engineers and it's not trivial?
A bright undergrad could build a superior replacement in a few months, even without AI.
> A bright undergrad could build a superior replacement in a few months, even without AI.
Is quite naive. Canvas is not at all just a crud app. You can view the code yourself as it's AGPL
But it’s rarely the case in practice.
In a sibling comment right here for example someone bemoaned the difficulty in Canvas of having two TAs simultaneously grade separate parts of the same assignment. That sounds like something that goes beyond CRUD.
But more importantly any workflow system, which an LMS will be full of, has to handle the always tricky problem of how changes to workflows affect the things that are currently in the workflow. Assignments posted in course X need to be approved by person Y; some assignments are submitted for approval; person Y goes on leave and now the approval needs to be person Z. Not a simple CRUD problem.
These are things that occur to me with only a moment's consideration of what an LMS system might need to deal with. The actual domain probably has considerably more complexity than I can even imagine.
In reality, Canvas does not have workflow and does not prevent race conditions in grading. I can certainly imagine an LMS that does these things, but Canvas does not.
It would probably help if you had actually used Canvas before trying to convince us that it is non-CRUD.
It's a simple question. Since you claim to be an expert on Canvas, I'm sure that you can point me to the relevant features much faster than I can sort through thousands of lines of code, looking for the one line that says "def not_crud_function()". CRUD or not-CRUD is a judgement about the purpose of a program, not its implementation.
And if you can't be bothered to take 2 minutes to click through some pages on GitHub, I don't believe you'd take the time to even read that report. So no, I'm not doing your research for you.
Edit: I will do this for you though. Here's Gemini's opinion[1]. It's quite accurate as well, and goes into reasonably high-level detail (though doesn't get into specific modules). I especially loved this quote:
> At its absolute lowest level, almost all web software boils down to pushing state to and from a database. But calling Canvas LMS "just a CRUD app" is a bit like calling a commercial airliner "just a metal tube with wings."
[1]: https://gemini.google.com/share/142d4b2662d7
https://github.com/instructure/canvas-lms/pull/2630/changes/...
It has to be simple enough for the average person to use (both on the learner side and the instruction side) and have enough complexity to allow for a lot of flexibility in setup because every organization is slightly different. They have to support 50 million file formats and everything has to be backwards compatible until the end of time and everything has to load properly and quickly on 50 million different device/OS/browser combinations. Yes, there's SCORM as a standard, but even that is rickety, and an LMS that doesn't support non SCORM files is dead in the water anyway.
They're simple(ish) in code, and a nightmare in requirements.
Canvas is decidedly not fast, fails to display even trivial files (such as source code) as well as more complex files that should just be handled by the browser (such as video), and it has a non-intuitive, verbose, and tiresome interface that would have felt old-fashioned 20 years ago.
LMSes frankly run like shit. I don't work with Canvas right now, but every one I've used has run like shit.
However, there are reasons that the complex files aren't handled by the browser: tracking and persistence. It isn't enough to make a video file watchable, it then needs to be tracked in the same system as every other training/educational material and in the same way. If you don't care whether the students actually watch the video, then yeah, throw them a YouTube link or embed a video on a personal site or just have the LMS serve a basic embed. But being able to track video, make it mandatory, make it so that it can't be fast forwarded/people can't skip to the end etc. all matter when LMSes are used for topics that are required for compliance and regulatory purposes.
I don't disagree on the interface(s). Ours is a farce and I hate it.
It's likely that they're so bad precisely because of the simple tech and complex requirements. Simple tech doesn't mean 'easy' or 'not time consuming'. But it means you're looking for developers who have a decent level of technical proficiency (to handle the numerous edge cases and flexibility the systems demand: it's not hard but things like the data structures need to be well thought out and every single piece of the system is integrated with one another in most LMSes so you can't silo work as easily) and who want to work on problems that aren't hard and require dealing with a lot of unreasonable people (in the form of their requirements). You have to allow/design for a lot of stupid things because otherwise people will throw tantrums about it.
Then on top of that, you're developing something that doesn't directly generate profit, so nobody is going to pay for it or appreciate the work you put in.
Then on top of THAT, they're fairly insulated from the actual end users.
It's just a recipe for shitty software.
It's been long enough that I can't claim to be in touch with the current generation of teaching faculty. But it might be an element of that, combined with the desire to provide accessibility for the handful of students who do in fact need the accommodation.
The administration has so far opened with one “Canvas said” and then an hour later one “Canvas is down indefinitely” email noting that they’re aware it’s serious.
(Canvas is a glorified wiki for teaching students, with quizzes and such, for those unaware.)
That's my biggest fear.
Same question for you as https://news.ycombinator.com/item?id=48065589, btw: what do your friends read besides HN?
I don't think that any of them do, but I'm a Canadian math/physics major, which is slightly outside the target audience for HN.
> of the ones who don't, what do they read instead?
For the social aspect: mostly medium-sized Discord servers. For the news aspect: nothing at all. Both of these do have some advantages, but it's still a bit of a shame, because the Discord servers aren't indexed by Google, so they're hard for outsiders to find, and not reading the news means that they're missing out on some of the cool new tech advances.
(and btw, they do say "twitter")
If my peers are any indication, a whole lot of TikTok, Reels, Twitter, Discord, and other such mind-numbing platforms.
The types of platforms I would consider 'substantive' (or, at least, more substantive than those platforms) are definitely on the way out.
The few times friends have seen me browsing Hacker News or a certain Mongolian basket weaving forum, the first thing they comment on is how confusing the interface is, and how old the site looks.
I truly don't understand the mentality, but if your site doesn't take three seconds to buffer a simple text drop down menu, and have JavaScript elements load in mid-scroll that bump elements around the page making you just barely miss that button you were trying to click, then your site is seen as 'inferior' or 'sketchy'.
Perhaps I've just had a bad sample, but I've experienced a variety of different environments by this point, and by and large, I've seen more people in my generation act in that manner than not.
It's true that HN looks old - it looked old before you were born, probably - but (a) I have no idea how to change it, and (b) HN is a long bet on plain text. If the smartest young people lose interest in reading, I'm ok with HN dying for that reason. I just don't want it to die for any cheaper reason.
I do find that my peers that now read HN used to be judicial about curating a Reddit feed and mostly otherwise limited on other sources. Short-form content is addictive and as nearly as unavoidable as sugar, but many of my brighter peers work on reducing that intake. Long-form YouTube is also something I find to be a marker of someone who is seeking knowledge. Many of my peers do scroll Twitter and TikTok all day, but I find that those who are easiest to chat with are those who have already scrolled HN today and want to discuss a particular article they know I would have seen. I've had conversations that start with "Did you see that TikTok?" and conversations that start with "Did you see that article on HN?" and the latter is always more engaging.
> Long-form YouTube is also something
Yes, we hear that often too. I didn't mention it above because it's not text, but in terms of how people spend time and where they go to learn things, it's a huge alternative.
I wonder sometimes how HN might interface with the videoverse. I can't imagine having video on the site but I can imagine making videos based on HN threads or articles that have appeared here. I just can't imagine me making them!
That said, it's a commercial closed-source single point of failure.
Note that little of this really helps the students that it is supposed to help, because as you wisely point out, raw HTML is almost by definition extremely accessible. I work in a field that uses Latex and the source code of Latex should also be considered more accessible than the compiled pdf. But for university administrators the only important thing is that the accessibility metric that appears (or used to appear, before today!) on Canvas shows 100% accessible.
Nobody has infinite energy, and disabled people don't have infinite social capital. It's a shame when energy from that shared pool gets spent on things that don't really impact meeting people's access needs.
And the other thing is that everyone's access needs are different. It can certainly be useful to try to set a baseline or propagate common guidance. But the most important thing, especially in a university setting, is for instructors to be flexible and responsive and for classes (and non-teaching workloads) to be structured in a way (e.g., small enough) that supports that.
I think metrics like "100% accessible" might even be dangerous. It makes it easy for able-bodied people who aren't in direct contact with disabled stakeholders to pat themselves on the back without actually knowing what's going on.
Bleh. Good luck doing right by your disabled students and disabled colleagues, and good luck resisting the bullshit.
That said there is certainly a lot more work that needs to be done in this area. Hopefully these regulations over time bring out practical positive change. Time will tell.
I'm a prof. When I have a student with special needs in my class, the administration tells me ahead of time. I make the necessary allowances - and those differ from case to case, anyway: whether it's extra time in exams, or someone who is deaf, or someone who is blind, or whatever.
When it happens, I make the necessary allowances. When I don't, then...I don't.
The obsession that everything has to be 100% accessible, for every kind of disability, all of the time? That's just nuts, not to mention a complete waste of resources.
Likewise with classroom software if you just use the "industry standard" enterprise crapware you've outsourced the accessibility liability to somebody else. If the software is hot garbage from a usability perspective, that's irrelevant.
And this is why we cannot have nice things in the enterprise space.
No, this will not stop this, and companies need to be held accountable for their lack of security investment. Every attack should be investigated to determine whether the company met agreed industry standard best practices, staffing, etc. The penalties for not meeting the requirements should be punitive.
It should be illegal to host insecure services, especially when you're dealing with PII. Breaches keep happening and nobody gives a fuck, because the worst that'll happen is you might lose a handful of customers and buy some "credit monitoring".
Incidents like this should be followed by an audit and charges being laid. Send corp officers to jail for negligent security failures. If you can go to jail for accounting fraud, you should be able to go to jail for cybersecurity-promises-fraud.
They claim to be compliant with a number of security standards [1]. I would love to see a postmortem audit of how much of this they actually implemented.
[1] https://www.instructure.com/en-au/trust-center/compliance
Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.
This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far too cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.
For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.
Which is what the comment above was referring to. "Most people". Not "all people".
I do agree with the audit and punishments for clear failure to adhere to established standards.
Even if you leave your door unlocked, if someone walks in and steals your stuff, it's a crime. The state has an interest in prosecuting crimes even if the victim didn't do everything they could to prevent it.
Restitution and retribution are the components of justice [1] entirely about "making things alright for the victim."
[1] https://www.unodc.org/e4j/en/crime-prevention-criminal-justi...
A better version of your analogy would be if your landlord failed to repair your front door in a reasonable period of time and as a result someone walked in and stole your stuff. Yes, the thief is the primary responsible party, but the landlord's negligence in maintaining the property probably also exposes them to some liability.
P.s. This is neither here nor there, but restitution is a part of criminal law.
But the post I was responding to said it should be a crime to have unsecured systems.
That is equivalent to saying it should be a crime to leave your door unlocked.
That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.
I'm not sure that's a fair analogy.
If someone threatens you with a knife and gets you to hand over your wallet, your bank doesn’t get to say ‘you should have hired better security’ when the mugger uses your credit card.
The problem here is the mugger, and that’s who the state goes after. Even if the victim walked into a bad area. Even if the victim could have defended themselves.
Same with ransomware attackers. They are the problem. We might encourage potential victims to behave in ways that make it less likely for them to be targeted. But if they are targeted, we should still focus our societal disdain on the criminal not the victim.
If the perpetrators of this hack were caught and in a developed country, they would certainly be prosecuted for their crimes and not get off light (especially if any data is actually leaked).
But I do think it should be much more states’ responsibility to make their domestic network safe for citizens and businesses and institutions to operate.
My analogy would be: of course buildings have to be built to withstand gravity. That’s a natural part of the world that cannot be eliminated.
Buildings are built to stand up to natural forces. But not to, for example, the threat of a malicious actor crashing a plane into them. That isn’t typically considered a reasonable thing to architect civilian infrastructure for.
When you build IT infrastructure, likewise you should build it to handle the natural forces it will be exposed to. But are you as accountable for securing it against the acts of malicious parties as a structural engineer is for securing a building against gravity, or as accountable for securing against those acts as the structural engineer is for securing that building against terrorists?
Just take a look at the recent Epic vs. Health Gorilla lawsuit to see how nonexistent the protection is around exchanging your medical records, one of the most sensitive types of PII.
Here’s an example. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardenin...
These problems will continue as long as it is legal to operate in an unsafe way.
We've learned this in every other industry, but we can't seem to accept it in software. One of my hopes for AI is that it reduces the cost to behave responsibly to a level where this absurd resistance to acting responsibly erodes.
Every service that is online will be hacked eventually, it's only a matter of time.
Time is the most powerful force in the universe.
What? Why? Who died? This whole thing is perfectly dealt with through civil process.
There is no shortage of coins and no shortage of sketchy exchanges. The platforms do work with LEOs, when asked, but my understanding is that unless the perp was a serious nonce, chasing the transfers themselves is a fool's errand.
Like is that your actual model? I’m curious
It's very easy to play with lives that aren't yours.
It's a familiar example of the perennial "[THING] could be solved overnight if [PERSON_OR_GROUP] would just start taking [THING] seriously" trope.
The best response to a cyberattack on critical systems is to take security seriously. Document the offense, avoid the same mistakes and invest in penetration testing. Of course, nobody is incentivized to do that until they're attacked, so the cycle perpetuates itself.
When appropriate. I.e. never.
If you're going to get the chair you might as well murder some witnesses or destroy some systems to hide the fact you got hacked. "Hack? What hack? Our servers all burned down in an arson attack".
An investigative body, the same kind that determines the who, the why, and the how when an airliner crashes or a bridge collapses. Obviously a lot of work needs to be done to get from point A to point B, and it won't happen overnight, but software development is currently a deeply unserious profession and at some point a genuine software engineering practice needs to be developed.
I am, perhaps naively, slightly hopeful that the LLM bullshit plaguing our industry will be the gust of wind needed for the house of cards to collapse and governments to realise that allowing the entire world to be vibe coded is not sustainable.
Aviation’s safety record is not coincidental.
As someone else here said, software, for the most part, is a deeply unserious industry. The stakes are so comparatively low and the consequences less obvious that it's a lot easier for companies like Intuit to maintain their supremacy simply by being entrenched, having strong sales teams, and the hearts & minds of non-technical managers.
In recent times it seems Boeing has been flirting with enshitification and half-assery, but critics are not quiet and not falling on deaf ears.
You may not be aware, but there are thousands of non fatal incidents reported per year that just don't make the news.
There is a strong culture of self reporting instilled right from basic flight training, even when there is no damage or injuries, and even when the incident would have never been noticed by the authorities. You are almost guaranteed not to face consequences if you are open and honest about an incident. The FAA openly says that they would much rather educate than punish, and they tend to do that with pilots who own their mistakes. As long as there is no intent behind the fuckup, pilots are unlikely to lose their job, let alone their license.
This just in: Anthropic, Harvard and Jimmy Kimmel have been investigated and found guilty of not securing their infrastructure.
ShinyHackers, obviously.
Kids from the local uni having a lark, stalkers, vindictive ex-employees, local gangs, criminals who understand their victims because they hail from the same community. These are your local hackers. Sift them from the nation states and international crime groups, then deal with the international ones as a matter of diplomacy. Because we do this so poorly locally, we have little ammunition when it comes to diplomacy. "Reduce attacks by your crime groups and we buy your natural gas, sell you wheat, etc."
Want more motivation? 75% of the local attacks by volume send funds back to terrorist or separatist organizations.
It is not an insoluble problem. Sentences are a fraction of the answer; effective and receptive reporting processes are more important, then government backing for investigation and enforcement, then policy around home-team activities (i.e. don't do the bad things yourselves, Mr Gov). Deterrence comes after all that.
There are already significant penalties for doing anything like this. The guy involved is in prison for a very long time. I don’t recall the exact number of years but I do remember it was so long that he wasn’t going to see his kids grow up.
I don’t think anyone who puts a little thought into a crime like this doesn’t understand that the penalties are already very huge. You don’t get a slap on the wrist for extorting a company (or person, for that matter)
Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:
1. Iran is intentionally targeting infrastructure due to a war started by the current administration.
2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.
3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.
4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.
5. All of this while completely alienating every single one of the United States' allies.
6. Meanwhile, the American DHS is currently shut down.
7. And this is after Trump cut funding and personnel for CISA severely enough they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.
In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.
That vast ocean that has kept us safe historically is a poor moat in the modern era.
You seem to think "if it's illegal it won't happen". Instead you need to think about unintended consequences and what would actually happen if this were law. People would hesitate to contact the police for help before they've decided, or not do it at all. And not report it.
One way to weaken any group that works on trust would be to make them less trustworthy. That way victims wouldn't be as confident paying the criminals and thereby making the effort by the criminals less attractive.
I think in principle, it's sound. I'm also just baffled hearing anecdotes from friends that are in big corp world and hearing the type of incidents they have, and how they respond to it. It makes me wonder if there is enough capable talent to go around for the "boring corp" crowd.
Hint: I don't think there is nearly enough talent to go round, but for these companies, it's either that they think they have solid experts (and didn't), OR it's not a real priority until you get hit.
We're talking about vulnerabilities that have existed 10+ years but nobody noticed until AI.
a loved one, gun to the head: "please pay the ransom, i don't want to die!"
what's your play now? save loved one, and go to prison? or worse, bank blocks transfer, and they die?
go ahead and tax ransom payments (0 tax if human life at risk, 10x otherwise) if you have to, but making it illegal feels disconnected from the messiness of the real world. then, go after the attackers.
Apart from the 4% of the total worldwide annual turnover fine that theoretically could be levied under GDPR, but has never been imposed in full.
That makes as much sense as illegal to give your wallet to a mugger.
I.e. no sense.
2. The payout to the hackers should form part, but not all, of the penalties. Pay those guys for their great service to humanity; they earned it.
But it turns out that MIT used to have their own homegrown system, and recently switched to Canvas. Bet they're regretting that now.
The build vs. buy decision seems to have swung very hard toward buy in the last decade, and I think that's a shame. Yes, orgs need to focus on their core competency, and sometimes that means outsourcing things that aren't core competencies to third parties. But there are always downsides.
(I don't have experience in hosting either software so I can't really comment beyond that)
And it's pretty easy to customize which is nice.
Throw it in an auto-scale ECS cluster and you have something that goes from 100 students to 20k easy.
A lot can change in 10 years, sure. Maybe Moodle is better now (I doubt it). I'm all for self-hosting a LMS. But, can we at least self-host a good one?
it's MIT.
I believe the same applied to the professors themselves, although that was hardly enforced.
My high school, for a while, had a website, which was eventually replaced by a large corporate CMS. Was the website as complicated or complex as the CMS? No, you would have needed to know HTML to publish to it. The CMS was no doubt "more user friendly", I suppose.
But … the original site had a soul. It was unique to the school. There was a student directory! All lost, because the CMS meant utter standardization between all the schools using it (their pages were all identical, except for each got like a different picture of the school as the banner at the top) and the CMS did not do directory anything.
Of course, the directory largely didn't matter in the end. (This was when you needed people's landlines! Quite laughable nowadays…) But it was still sad to see it lost, and several of us students worked on it, which provided us with some early real-world experience.
A large number of my college professors published their own sites, too, where they'd put their lecture notes, homework, etc. I loved those far more than I loved "Canvas" or whatever the ugly LMS we used was.
The one they had before Canvas was very very inadequate.
edit: also some of the more popular cs classes have custom websites and don’t really use canvas, but that isn’t the centralized IT department’s doing.
IT staff who are ambitious and talented don’t last long in education. The pay is very low compared to industry. Where I worked, you could retire with a comfortable pension after a number of service years, so the IT staff outsourced as much as possible so they needed to take zero risks to their nest egg. Blame all the problems on the consultants and do as little as possible.
It’s literally where dreams go to die.
MIT is known for the brilliant professors and students but at the end of the day, running a university is pretty standard stuff. They don’t need a genius rockstar to admin the courseware servers.
This would be like TurboTax "scheduling maintenance" on April 14th in the US.
There are a lot of people who likely are unaware the latest outage is because they were compromised again.
Them marking the incident as 'Under Maintenance' means the status page isn't reporting this as an outage and adding to downtime%.
The incident yesterday was technically from April 28th, with most communications coming out on the 2nd and 3rd, with it being "Resolved" yesterday.
This incident is the second attack, because they failed to secure their infra again. Everything being reported is a bit delayed, which makes it seem like this is a single attack, not technically two instances.
It's not unreasonable that non-technical people would expect paid cloud services to be good custodians of the data entrusted to them.
These services also do everything they can to encourage you to work within the online platform rather than working offline and then uploading.
For example, there's no easy way to author a quiz, set up the answers offline and then later upload it.
Last month it was a presentation. She had to make a poster that would be displayed on the big electronic "whiteboard" running Windows of some sort. The page layout software was so terrible that she repeatedly deleted the entire thing on accident moving text around.
This month, it was a short paper she had to write in Word, but through Teams. Literally, the Word icon is in the Teams sidebar, and she also had all kinds of trouble with it freezing or misbehaving.
In both cases, I advised her to write all the content in Notes in macOS and when she had it all ready to go we'd paste it into the crappy software so she didn't have to worry about losing any more work.
Long story short, she's non-technical and she's learned a very valuable lesson about these systems and how much trust to place in them.
One thing to target corporations but leave the students alone....
Heard you loud and clear sheesh
That doesn't excuse any of their other messaging though.
Also looks pretty bad their whole platform was compromised by the same hacker group again.
I'm actually much more interested if there is any financial liability for Instructure here? It's interesting that it's the universities being ransomed, while the technical failure was Instructure's. We're used to uptime SLA's -- what about security breach SLA's?
My guess would be they have a higher likelihood of getting paid when blackmailing 9,000 schools (at least a few would pay up) than when blackmailing Canvas/Instructure.
I don't think any SLA/terms would change who gets to feel the pain.
Don't ransom all your eggs in one basket
I don't think a competent CS department requires there being a homegrown or on-prem system for use in the university. That could happen, but if resources could be better spent by purchasing rather than building, then that should be the correct choice.
Universities which do have large agriculture/farming related departments often operate their own small scale test/development/experimental farm.
Also yeah there is value in being able to blame another party, and also being down when everyone else is down.
I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.
do you mean equivalent?
Instructure, "the developer and publisher of Canvas," was founded in 2008 [1].
[1] https://en.wikipedia.org/wiki/Instructure
Edit: https://status.parchment.com/ says "While Canvas, Canvas Beta and Canvas test are currently unavailable, we are simultaneously monitoring all of our other product environments, including Parchment. We continue to see no reason to believe any Parchment resources have been impacted."
Brought up a question I've had every time I read about these leaks... what kind of pipes do these shadowy groups have that they can grab all this data? I've spent days waiting just downloading a few hundred GB from OneDrive. How do they grab all this data, are they just slowly gathering it for months via a compromised desktop somewhere, or if not, are the companies not monitoring for unexpected massive amounts of outbound traffic from their database or file servers?
1: https://ibb.co/r29RjdnH
We received communication that Canvas is down for "Under Maintenance" although it seems ShinyHunters have compromised Canvas again with that message you posted.
We do not see that message anymore, although all instructure.com URLs are down. The list of schools in the ShinyHunters publication can be found here: https://web.archive.org/web/20260507042014/http://91.215.85....
Original now shows 404.
I totally understand why a university wouldn’t want to bake their own learning portals but just feels like such a single point of risk to use third party solutions for something like this.
Back in my day… all we had was a school email via on-premise services. I guess we registered for classes in a web portal but that’s about it. The idea of online class was entirely foreign at the time. Ain’t nobody hacking a blue book.
There is a saying in the software security industry that (I'm paraphrasing from rusty memories) a system is secure if the cost of hacking it is higher than the value it protects.
Each system being completely distinct from another means that the cost of hacking the average student goes up by 9000 (from the article, Canvas is used by 9000 schools).
Still not saying that rolling out your own is the preferred solution, but the idea is not as ludicrous as it would seem, and should definitely be entertained and discussed, at least.
But also, the cost is much, much higher to the institutions, which is the salient point. You're going to spend years developing a system, deploying it, training staff and students, supporting it. I see mentions here of in-house systems being developed much more cheaply and I don't believe it. The economies of scale are at work.
I worked at a university for many years and I can't recall anyone I'd consider to be a competent software architect working for the IT department. Hell, we had students writing major webapps that kinda sorta worked well enough.
As a faculty member at a large university…I have a deep respect for the impossible job of university IT departments.
We originally rolled our own LMS decades ago. When we switched to Canvas we kept the home brew running for five years past its expiration date because faculty refused to remove their files. Finally each one was manually moved by IT for the recalcitrant old faculty.
They are large databases yes but they do a lot of small and large things that that analogy glosses over.
I used to work in academia and am now an LMS admin (in private industry). I've interviewed for LMS admin positions at educational institutions and each time I've ended up walking away. The questions I was asked at the last interview revealed what a ridiculously unplanned, spiraling mess their system was and that I would have no agency over it. No, thanks. And it was clear the reason for this was faculty recalcitrance and an inability to tell them no. Each one wanted a special plugin/special way of doing things, causing a giant mess of insecure bloat, and a fair amount of interview questions always amount to 'how do you wheedle faculty into doing things/placate their egos to keep things running?'
I'm not a rockstar candidate either: I'm a disabled, geographically-constrained, self-taught(ish) sort-of techie. The disability means I have substantial holes in my resume/work history, etc. I don't have a CS degree or any kind of formal IT education. If people at my level of knowledge are looking at these jobs and passing because they're not worth it, I can't imagine the actual pool of people who get hired is great.
LMS admins in particular are going to be harder to find/retain because we tend to have options we can jump to that would be less onerous than doing LMS admin for a dumpster fire. I could go straight IT or full Instructional Design, for example.
In private industry, I can tell people to kick rocks if they want to do something that the system doesn't support/is a really bad idea. And if I can't, I'm not held responsible for the consequences.
Well not with that attitude
https://moodle.org/
They used to, in the pre-cloud/SaaS era; and they were much simpler and better UX than the slop that they're renting today, because the actual users were not far from the developers.
The amount of corner cases and performance requirements during rush times (semester start) made it really infeasible for a university to roll their own.
* German universities have this funny system where 51% of such boards are controlled by the professors and the rest is made up of other employees/staff and students. They call it academic participation.
https://www.instructure.com/incident_update
This suggests a bad actor at any institution could do the same thing done here. No?
https://github.com/instructure/canvas-lms/wiki/Quick-Start
> It is recommended that you have at least 150GB of available hard drive space, 8GB of RAM, and a quad-core CPU to use this script.
As far as I can tell, this is not for running a production environment with assets. This is just the development environment.
doesn't seem that scheduled to me
That's just the quickest page/status update to throw up; it was a one-liner to push it live back when I was on the deploy rotation.
I'd hazard a guess they have more important things to worry about right now than exact status page messaging ;)
Funny how a lie is always quicker than the truth...
https://news.ycombinator.com/item?id=48025001
I believe FERPA's PII provisions apply to Canvas and contractors handling PII in general (at least as interpreted by the Department of Education). Now, will Canvas be held accountable by ED in this administration? Hah – DOGE probably ran that through the shredder as well.
edit: here's the list of impacted universities (unsure if they all have their canvas instances offline, but i'd be surprised if not): http://91.215.85.103/pay_or_leak/instructure_affected_school...
Someone dumped the content into a google doc on reddit[1] if anyone's interested.
[1]: https://docs.google.com/document/d/1MTktVSwTUM5I_w7bKNGj94sT...
> Someone dumped the content into a google doc on reddit[1] if anyone's interested.
> [1]: https://docs.google.com/document/d/1MTktVSwTUM5I_w7bKNGj94sT...
Thanks for linking this. Ended up finding my kids school district on the list unfortunately.
Back when I worked for Instructure ~10 years ago, Canvas was effectively a single, giant, monolithic multitenant app with one instance backed by several thousand app servers and ~100 separate Postgres database clusters that any app server could talk to.
Schools were grouped onto pools of app servers and Postgres database clusters more or less according to locality and cluster availability. I want to say a handful of the largest schools got their own clusters, but I'm not certain, and at any rate their clusters could certainly all talk to each other.
It was actually kind of neat from a technical perspective: any Rails model across the entire Canvas world could have a "foreign key" pointing to any other Rails model anywhere else. Among other things, this allowed for users who could administer multiple Canvas organizations, even if those organizations resided on different Postgres clusters. https://github.com/instructure/switchman is their gem that made that all work. (I put "foreign key" in quotes because the whole thing was implemented in software, not with actual database FKs, for obvious reasons.)
---
Of course, the massive downside to that sort of thing is that if you manage to pop one Canvas app server, you have the keys to the kingdom. I wonder if they'll sharpen the edges between clusters in response to this...
---
(Disclaimer: I left Instructure back in 2017; much could have changed since then, and my memory could be faulty about the specifics. Caveat emptor.)
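The "any app server can reach any cluster" risk described in this comment, as an added illustration that is not Instructure's or switchman's code: global ids that encode their shard (the 10^13 multiplier, the record registry and the server names are assumptions made up for the example), a legacy server provisioned with credentials for every shard, and a pooled server whose credentials are scoped to its own shard so a cross-shard lookup is refused and logged.

```python
"""Shard-encoded ids and shard-scoped access: a constructed model, not switchman."""
from dataclasses import dataclass, field

# Assumption for illustration: local ids on a shard stay below this bound, so a
# global id can carry the shard number in its high digits.
IDS_PER_SHARD = 10_000_000_000_000


def global_id(shard_id: int, local_id: int) -> int:
    """Combine a shard number and a per-shard local id into one global id."""
    if not 0 <= local_id < IDS_PER_SHARD:
        raise ValueError("local id out of range for this encoding")
    return shard_id * IDS_PER_SHARD + local_id


def split_id(gid: int) -> tuple[int, int]:
    """Recover (shard_id, local_id) from a global id."""
    return divmod(gid, IDS_PER_SHARD)


# Constructed sample data: two shards, one record each (shard -> local id -> row).
USERS = {1: {42: "alice@shard1"}, 7: {9: "bob@shard7"}}


class ShardAccessDenied(PermissionError):
    """Raised when a server tries to reach a shard it holds no credentials for."""


@dataclass
class AppServer:
    name: str
    allowed_shards: frozenset[int]          # shards this server was provisioned for
    audit: list = field(default_factory=list)

    def resolve(self, gid: int, registry: dict) -> str:
        """Follow a software 'foreign key' to whatever shard the id points at."""
        shard, local = split_id(gid)
        if shard not in self.allowed_shards:
            # The denial itself is the detection signal worth alerting on.
            self.audit.append(("denied", self.name, shard, gid))
            raise ShardAccessDenied(f"{self.name} may not reach shard {shard}")
        return registry[shard][local]


def blast_radius(server: AppServer, registry: dict) -> int:
    """Number of records a compromised server could read with its credentials."""
    return sum(len(rows) for shard, rows in registry.items()
               if shard in server.allowed_shards)


if __name__ == "__main__":
    legacy = AppServer("any-shard-server", frozenset(USERS))
    pooled = AppServer("pool-a-server", frozenset({1}))
    print(blast_radius(legacy, USERS), blast_radius(pooled, USERS))  # 2 1
```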
dig canvas.ucdavis.edu
dig canvas.duke.edu
I'm a software dev who was affected by the outage. I was working on an app that connects to the Canvas SAML endpoints. One minute I was able to run my code, the next I couldn't. This was a little after 17:00 EST.
Is this accurate? Or is this still an ongoing issue?
Let's not side with the parasites.
What did Canvas PR do except do a poor job? Doing a poor job of PR is a whole, whole lot less worse than actively destroying people's lives for profit.
Our whole testing center is down. This is inconvenient, but mainly it's amusing. I swear strangers are talking to each other more. I'm noticing people just sitting in the sun and relaxing. Nature is healing.
(Of course, plenty of people have also just finished their exams, so it's hard to know the cause.)
Any idea what data Instructure-and-also-now-ShinyHunters even purport to have beyond names, profile photos, pronouns, homework assignments, school communications, phone numbers, and email addresses?
i.e. What makes this threat so different from what any old data brokers have already scraped?
What leverage besides aura farming do the ShinyHunters really have?
All I can think of that's really valuable is passwords. And private communications in Canvas DMs. But if you're being at all intimate over your school email, that's kinda on you.
Anyway surely Instructure only stores user public keys or something?
Alternate history question: If they just sold the data, never revealed the hack, and didn't make a scene, from a customer perspective, how different would this be from business as usual?
https://www.abc.net.au/news/2026-05-08/students-lose-access-...
We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.
haha i went to go check and they haven't merged a PR since 2017
I lost access when I left as it was tied to my work email. I downloaded a lot, but there was still some useful stuff on the boards.
I wonder what the hackers found out about me. Perhaps the class notes will be lifted to train AI, higher quality than a lot that's on the internet anyway.
Everything from middle school up to grad school.
It's a particularly interesting time to have this happen too -- many finals going on now.
I'm friends with a professor who complained to me a couple times about how sometimes he will need to scroll through pages and pages of courses he taught in the past. He also mentioned that profs aren't able to delete their own course shells either.
If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment.
A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead.
If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.
Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.
In most of these cases, the companies involved did NOT follow standard security practices.
I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.
Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley
Just like 100 years from now, many of today's medical practices will also be seen as barbaric.
But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.
I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. Family member had a surgery with well known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity requiring numerous follow-up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.
That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0]
[0] https://www.newyorker.com/magazine/2007/12/10/the-checklist
I'm under the impression files are getting released 12th May. I don't see any reporting on 800GB?
I mean, maybe it changed in the last 10 years. But I was a TA grading CS majors for a while. Their C capstone or what have you.
Some were decent but naively coded. Most were a pile of shit haphazardly put together so it output what is needed to get a passing grade.
But I agree with you in spirit!
Of course if you can't complete your exams because of this, that's more of an issue!
I'm honestly surprised more people aren't talking about this.
The timing probably isn't a coincidence. Great time to stress out students and staff alike. Hopefully it doesn't affect them too much in the end, but I imagine it will.
What we don't have access to includes:
* Already graded work
* Ungraded work
* overall and assignment grades
* lists of students and student emails from the course
* messages from students that are often sent through gradescope
Just...complete implosion.
this is really, really, REALLY bad. it's not great that names/emails/etc will potentially be leaked, but also private messages between students and instructors. and since many of the campus systems rely on canvas integration, things have pretty much ground to a halt a week before finals.
after they were breached on the 1st of this month, instructure had an announcement yesterday that "everything is great! we're good! hackers are gone! we've rotated our keys!".
no. nothing is great. we are not good.
This will keep happening, more and more, and never stop, until we create a software building code and legally require it for all online businesses.
Universities, Parents: y'all actually have the political and economic power to get a software building code passed. This incident isn't the last.
Shame on your existence basically.
...what does that DDB DNS issue have to do with anything?
Is that a Pokemon reference?
They moved away from Teams because it objectively sucked, but I haven't heard of widespread compromises like this in Microsoft's systems so...
It's always been as stupid as requiring that your chalkboard, chalk, chairs, bluebooks, pens, paper, gradebook etc etc all come from the same company.
I, for one, am very much looking forward to my IT Gov council meeting tomorrow.
And GitHub doesn't provide a way to record grades that remain private per student last I checked, much less sync them to the university, or 99% of other things Canvas does.
I don't love Canvas, but it's far, far preferable to a world without it.
last I checked it appears grades remain private per planet or so ...
Or is it an entirely different class of beast?
Canvas generally is the 'easiest' to use, and the 'cleanest' looking one although D2L Brightspace is pretty good too. Moodle out of the box is pretty confusing and ugly, but I've seen some heavily customized instances that look a lot better. Blackboard is the worst of the bunch IMO.
Looking into the payload they sent me this is how they hijacked the screen. Everything in the payload is unchanged except for one line of code:
<link rel="stylesheet" href="https://instructure-uploads.s3.amazonaws.com/account_9363000..." media="all"/>
This links to the following styling sheet:
@import url('https://fonts.googleapis.com/css2?family=Orbitron:wght@500;7...');
html, body { height: 100% !important; overflow: hidden !important; margin: 0 !important; padding: 0 !important; }
body > * { display: none !important; }
body { display: flex !important; align-items: center !important; justify-content: center !important; background: #07080c !important; }
body::before { content: "" !important; position: fixed !important; inset: 0 !important; z-index: 999998 !important; background: radial-gradient(ellipse at 50% 20%, rgba(255,59,59,.06), transparent 55%), radial-gradient(ellipse at 50% 85%, rgba(125,70,152,.04), transparent 45%), repeating-linear-gradient(0deg, rgba(255,255,255,.035), rgba(255,255,255,.035) 1px, transparent 1px, transparent 3px), #07080c !important; pointer-events: none !important; }
body::after { content: "\A\A" "S H I N Y H U N T E R S" "\A" "rooting your systems since '19 ;)" "\A\A\A" "ShinyHunters has breached Instructure (again)." "\A" "Instead of contacting us to resolve it they" "\A" "ignored us and did some \201Csecurity patches\201D." "\A\A" "\26A0 W A R N I N G" "\A\A" "If any of the schools in the affected list are" "\A" "interested in preventing the release of their" "\A" "data, please consult with a cyber advisory firm" "\A" "and contact us privately at TOX to negotiate a" "\A" "settlement. You have till the end of the day by" "\A" "12 May 2026 before everything is leaked." "\A\A" "Instructure still has until EOD 12 May 2026" "\A" "to contact us." "\A\A" " \25BC DOWNLOAD AFFECTED_SCHOOLS.TXT \25BC" "\A" "91.215.85.103/pay_or_leak/" "\A" "instructure_affected_schools_list.txt" "\A\A" "visit us: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5" "\A" "lkvejwjdo6z7bmgshzayd.onion" !important;
}
@keyframes pulseWarn { 0% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 50% { box-shadow: 0 0 55px rgba(255,59,59,.4), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 100% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } }
The hack is crude, and it seems unlikely that they have any access to Instructure's developer tools.
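A defender-side check for the defacement pattern this comment dissects, added here as an example and not code from the original post: it lists stylesheet links a served page pulls from hosts outside an allow-list, and flags the rules that do the hiding (html/body overflow hidden, body > * display none, and a pseudo-element whose content is a block of injected text). The sample HTML, CSS, host names and account path are constructed for the example.

```python
"""Flag stylesheet links and CSS rules characteristic of a 'hide the page' defacement."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample page: one theme stylesheet from a trusted host and one from
# an uploads bucket, in the shape of the link quoted in the thread (path made up).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.edu/theme.css" media="all"/>
<link rel="stylesheet" href="https://instructure-uploads.s3.amazonaws.com/account_EXAMPLE/x.css" media="all"/>
</head><body><div id="application">course content</div></body></html>"""

# Constructed sample stylesheet with the three hiding techniques from the payload.
SAMPLE_CSS = """
@import url('https://fonts.example.org/css2?family=Example');
html, body { height: 100% !important; overflow: hidden !important; }
body > * { display: none !important; }
body::after { content: "\\A\\A" "EXAMPLE OVERLAY TEXT" "\\A" !important; position: fixed; }
.legit-card { box-shadow: 0 0 4px rgba(0,0,0,.2); }
"""

LINK_RE = re.compile(r'<link\b[^>]*\brel=["\']stylesheet["\'][^>]*>', re.I)
HREF_RE = re.compile(r'\bhref=["\']([^"\']+)["\']', re.I)
RULE_RE = re.compile(r'([^{}@]+)\{([^{}]*)\}')   # flat rules only; @-blocks skipped


@dataclass(frozen=True)
class Finding:
    selector: str
    reason: str


def stylesheet_urls(html: str) -> list[str]:
    """Every href of a <link rel="stylesheet"> tag, in document order."""
    urls = []
    for tag in LINK_RE.findall(html):
        m = HREF_RE.search(tag)
        if m:
            urls.append(m.group(1))
    return urls


def external_stylesheets(html: str, trusted_hosts: set[str]) -> list[str]:
    """Stylesheet URLs served from a host that is not on the allow-list."""
    return [u for u in stylesheet_urls(html) if urlparse(u).netloc not in trusted_hosts]


def suspicious_rules(css: str) -> list[Finding]:
    """Rules that hide the real page or paint injected text over it."""
    css = re.sub(r'@import[^;]*;', '', css)          # imports carry no declarations
    findings = []
    for raw_sel, body in RULE_RE.findall(css):
        sel = " ".join(raw_sel.split())
        decl = re.sub(r'\s+', '', body.lower())       # normalise for substring checks
        if re.fullmatch(r'body\s*>\s*\*', sel) and 'display:none' in decl:
            findings.append(Finding(sel, "hides every direct child of <body>"))
        elif sel.endswith(('::after', '::before')) and 'content:' in decl and '\\a' in decl:
            findings.append(Finding(sel, "injects multi-line text via generated content"))
        elif 'body' in sel.split(',')[-1] and 'overflow:hidden' in decl:
            findings.append(Finding(sel, "disables scrolling of the whole document"))
    return findings
```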