Yeah, sure, we all put our files/lectures/exams on this central server that we have no control over, and then they do this to us:
For those who don’t know, Canvas is the courseware many schools use for managing various essential class materials for our students.
Maybe I should rethink our reliance on this thing. You know, it used to be we didn’t use software for communications between students and professors.



Canvas had a security breach, nationwide (worldwide?) and they’re struggling with it. UW IT is telling us to not use it until Canvas works it out. Nothing to do with routine maintenance, nor is it just at your school.
If they tell you it’s maintenance, they’re lying to you. It’s been hacked and shut down in places worldwide.
Yeah, from LGM: Canvas Down!:
It’s down today because the hackers demonstrated this morning that they’re still in the system by sending messages to pretty much every student across the world. Canvas took the whole thing down out of desperation, I wouldn’t expect to be using it for any teaching today…
scheduled? Nope. Nobody on the internet believes that lie. Student and professor data is being held for ransom by a criminal gang. Surprise, this time, it’s not Instructure, the makers of Canvas, who are usually officially charged with the duty of holding student and professor data hostage, instead, it’s some other criminal gang.
https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/
More, this time from Krebs:
“In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.
“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.””
https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/
A sentence I never thought I’d utter: “Thank goodness we use Blackboard.”
They were hacked, and didn’t even have the decency to admit it until hours after the entire Internet knew.
Fortunately, I had a deadline for the online final before the outage, and had collected the scores and transferred them to my offline spreadsheet (I always have an independent copy of student grades on my home computer), so my classes haven’t suffered this year. If the criminals had started a couple of days earlier, I’d be screwed.
@8 Of course they didn’t. Institutions have to institute, and let’s be clear here, despite being supposed “bastions of liberal bias”, they are almost all run by people with the same mindset, and tendency to scramble like roaches, the second they sense a threat to their institutions, as big corporations (which many basically became as they progressed more and more into, “Charge stupid amounts of money to make a profit!”, because certain people in the government decided they wouldn’t provide assistance, or treat them as a necessity any more, but as a privilege). And, when it comes to security, the automatic reaction of, even today, big corporations is usually, “Maybe we can hide this, pretend the problem someone found isn’t as bad as it really is, pretend that no hackers can possibly find the problem, if we don’t tell anyone what it is, and solve the problem, before anyone notices we had the problem!” The fact that this backfires spectacularly all the f-ing time has barely changed the impulse for some institutions – especially if they have been safe, not attacked yet, and/or nothing has hit a major part of their system, which can’t be carefully swept under a rug.
What this should tell us is, “Everyone needs to pay attention to this shit. Everyone can be a target. And, even big companies/universities, etc., will eventually run into something they can’t handle, until/unless they start taking shit seriously.” That them failing to do this is what will hurt their reputation, and hiding it will just make it worse, well… like I said, institutions have to institute.
Canvas back online for most after data breach
Virginia Supreme Court blocks Democratic-drawn congressional map voters approved in April
Well, that tears it. I never did use Canvas for more than the bare minimum (basically as a way to provide handouts to the students), and all my course materials are backed up offline. I can revert back to doing everything on paper with almost no effort. So that’s what I’ll plan on doing next semester. If Canvas really goes seriously pear-shaped over time, I doubt I will get much pushback.
Our computer clinics have always taught the first rule of data: BACK IT UP.
PZ has shown knows this.
However, it is likely that 3rd party system intentionally uses a lot of proprietary programs and data formats to hold onto its stranglehold on the university faculty and to keep the money flowing. They don’t need to care if the users can’t be productive when their system is down.
And, most of these systems put very little money and effort into keeping your data secure. Cloud storage and 3rd party online systems are Never Safe.
I know it would take time and effort that probably wouldn’t be justified since PZ can see the light at the end of the tunnel just a year away, but, everyone should always have a ‘workaround’ system that they control.
Let me repeat the obvious: 3rd party systems cannot be trusted.
OOPS, I meant: PZ has shown he knows this.
Large sites are being hacked and scraped everywhere. Yesterday, Digby had to shut her site down due to AI scraping clogging her site.
The site below shows how much info your browser and computer leak to the world:
https://sinceyouarrived.world/taken
(crossposted to infinite thread)
infinite thread @75 Reginald Selkirk mentioned the copy fail vulnerability.
I researched it. It is potentially very troublesome for all ‘distros’. And it impacts Linux with kernels 4.14 to 6.19.12. If you upgrade to a Linux version that uses kernel 7 you should be safe. As an example I’m using xubuntu 26.04 with kernel 7.
shermanj, I myself stick with Windows and security protocols; also NoScript and uBlock.
And my DNS file is massaged. That’s pretty much it, other than my habits.
Never yet had a problem. I get zero spam, nothing targeted.
Basically, the OS and whatever is almost always not the real problem; it’s mostly the user.
(I spent > 10 years in IT helpdesk; PEBKAC situation)
Yeah, I knew it was a hack up front, as someone who was trying to submit a paper for the last class I am in for my master’s posted a screenshot of the original shiny hackers message :P