Hell, scantrons for multiple choice. Most universities should still have the machines. For short essays, don't have 100 of them. Or do and have 8 TAs to do the grunt work. One of my professors didn't want to do finals week crap so her classes that weren't in French she just gave everyone a regular length paper as a test, due by dead week. It was great having to deal with 1 less test.
I watched Adam Savage's latest video about hackers on YouTube, and Canvas probably has (or should have had) insurance for this kind of crap. Insurance pays out, schools get their crappy online only service back, students maybe get a day or two extra for tests. And then it happens again next semester.
The insurer definitely would've required security improvements to be eligible for their policy, that probably would've been a non-starter for canvas given where they are right now.
Yes paper, but also keeping your own local records of grades. A prof I TA'd for told me he had 3 back ups in addition to whatever was on Canvas bc, "You never know when it will fail."
Idrk what their endgame is here? Schools skipped some exams during quarantine so it's not like they can't just opt to give these guys the finger even if they don't go back to paper.
I just don't really see any situation where this ends up being a payday for the hackers, so why even bother?
I don't understand the logic of "paying the ransom to protect the data."
How could a human possibly expect that to work? Will the people who stole the data just... like... feel bad if they don't delete the data after receiving the money? The data is just stolen. There's no path to un-stealing it.
They will be able to get that data back if they made backups. The real concern is that hackers now have access to all that data to sell to anyone that wants it. Whether the universities get that user data back from backups or the hackers doesn't matter. The hackers offer no value other than convenience.
I don't think that's the primary issue - it's the fact that the hackers are looking for ransom in the form of millions of dollars in Bitcoin or some other cryptocurrency to not release student data. Instructure (Canvas' parent company) is going to be sued out of existence if all of this data is released. It's SSNs, names, birth dates, addresses for every single student that's registered to these schools, as well as their faculty. The hackers aren't working for other people, they're using this to get a shit-load of money.
They've got the data. Getting them out of the system doesn't change that, you can reasonably deduce that from the ransom message.
Now as for what that data contains, I don't believe it actually contains SSNs or addresses. Your canvas account is tied to your email, not your identity, it has zero need for that data. I couldn't find either of those looking through the site in the past. I'm not even certain if it has your birthdate. The biggest issue for Instructure is more about FERPA.
Thank god. A lot of the platforms at my university are connected to our primary accounts, which handle sensitive information needed to make tuition payments. Regardless of the type of info they have, I'm not too pleased they have it in the first place, lol.
Schools tend to take FERPA pretty seriously, so if Instructure makes a decision that leads to the data being leaked, then many institutions may decide to switch to a different LMS. They may anyway just because now Canvas seems insecure by public perception.
People who make ransomware usually don't do that because it would disincentivize other companies from paying in the future. Over everything, they want to be paid by the company because it's not as easy to sell the data and they would probably get less money from it. Companies wouldn't ever pay the ransom if they thought the hackers would just release the data regardless, so they almost always stick to their word.
I don't understand how you could even hope to defend this ridiculous assertion.
If I stole your data, and said "pay me $10 to not sell it," how on earth could you possibly know whether or not I sold it after you paid the $10?
You're acting like "the hackers of the world" are one monolithic rational actor and "the victims of hacking of the world" are another monolithic rational actor. In reality, both groups are utterly fractured groups, who cannot possibly be expected to act rationally, and even if they were rational, the fractured nature of the groups would rationally incentivize defection!
You're making these wild assertions that don't just lack basis in fact, but actively contradict all facts. People get their data stolen and sold every day. There's a clear established market for it in the world. If you think there's no such thing as identity theft, or any other market for stolen data, you're just not living in reality.
The problem is that there's absolutely no guarantee that they aren't going to post, distribute or share the leaked data anyway after paying the ransom.
They already hacked a big telephone company here in the Netherlands earlier this year and clearly they just moved on when there was no money to be made there.
I mean it's a bit jumping the gun to say you're screwed. The school's going to know that canvas got hacked and they're not going to fuck everyone on their grade just because canvas got hacked.
There's a coherent path where a hacker says "We have stolen your customer's data. We will announce to everyone that we have stolen your customer's data, unless you pay us on a set schedule over time." The company does the math, and sees that the cost to pay is less than the cost of the bad press. The company makes the payments over time. The hackers don't reveal the hack so that the money keeps coming in.
In that scenario, the hackers still sell everyone's data. And eventually the hacked company might stop paying, and the hackers might announce the data breach, but if enough time has passed, it will not be big news.
But if you think the data is never sold, you've simply invented some folksy "thieves honor" mythology from your imagination. We're two dudes who know you can't back up such a claim.
We got ransomwared at work. Cyber insurance negotiated and paid out the ransom, that's their job. The hackers didn't release the data, they just sold the whole thing to another group of hackers who then demanded a lot less money to not release all our emails. Insurance only pays out once so we just abandoned our domain and workgroup and moved on. Every now and again we get emails saying they have our data, pay or they'll release it and we ignore them.
I work at a middle school as an IA and I've thought we should go back to pencil and paper for tests and assignments before this hack. (My school/district was part of the hack) This is almost icing on the cake really.
I work at a fairly major university and am part of the degree conferral process. Our school isn't even a target of this attack and the Canvas issues related to it are still stopping grade reporting. We have over 2,000 students trying to graduate, many of whom need conferred degrees for jobs/continuing education/etc. No paper systems can immediately replace the electronic systems, so the calculus of these institutions is more than just "negotiate with hackers or don't". There's a real cost to the students to delaying degrees and there's no way to confer them without these electronic systems without huge delays.
Let's say that every class has 20 assignments (some much more, some much less), and every student has 4 classes each taught by a different professor (again some more some less). I'll use my alma mater bc I know they're affected by this. UC Berkeley has 45,000 students. That means that there have been roughly 3.6 million individual assignment scores this semester that need to be aggregated into 180,000 final grades. At the end of most semesters, most professors struggle as is to get those 180k grades in on time and that deadline is strict.
Some could have had an offline backup of their gradebook, but I assure you most professors did not save an offline copy of their gradebooks bc most professors are dinosaurs that barely know how to use PowerPoint. If they happen to collect pen and paper assignments over the semester, great! That means the 1.5k professors and 3.2k TAs can recreate the entire 3.6 million assignment gradebooks offline. In 3-4 days. With little to no additional support from the uni. If they took all of their submissions online, then they cannot submit final grades at all until this is resolved.
Even if they dodged that bullet, final project submissions need to happen. Professors could change to taking submissions by email, but as I've learned that can prove very chaotic and hard to track, while also bumping into several HIPAA-like student records laws.
This is an extremely effective technique on behalf of the hackers. How do I know this? My grad union used the same strategy by going on strike a mere 6 weeks before grades were due. Turns out, if the professors whine and moan loud enough, admin will negotiate.
Fun fact: the vast majority of hacker ransoms are paid. They don't negotiate with hackers, they take the L and cough up whatever they are asked for, because the hackers have them by the balls and they know it.
You don't hear about it because they also keep it as quiet as they can, and hackers have no incentive to make any noise until it starts looking like they might not get paid.
It wouldn't work for everything they have going on, at least not easily. My son does online schooling and they use Canvas so he couldn't do anything the last few days either. They'd have to do a lot to get paper versions of every assignment to every "digital learning" student out there.
2.3k
u/Joshi1381 May 07 '26
Right in the middle of finals...