Monday, May 18, 2026

The Canvas Ransomware Attack: Paint Us Insecure

  

Anyone even a little familiar with how higher education is done these days has dealt with what are called "learning management systems" (LMS for short).  Basically, an LMS is what has replaced paper homework, paper gradebooks, and in many cases, paper exams that used to be shuffled back and forth between students, graders, and faculty members. 

 

Like many other universities around the world, several years ago my university switched from the LMS they were using to something called Canvas.  Once I learned its ins and outs, it has proved to be a useful, flexible, and mostly easy-to-use tool.  I can send out emails to everyone in a particular class, I can record grades that instantly show up on students' phones, and while I don't personally use the test-administering feature, many professors do. 

 

Canvas is so good, in fact, that its parent company, a privately-held outfit called Instructure, now has a plurality of all LMS customers in the world, serving over 8,000 institutions in dozens of countries. 

 

A lot of confidential data is stored in Canvas.  For example, it turns out to be a violation of a Federal law for me to post a list of grades on my door, even if I anonymized them with Social Security numbers.  So if anybody other than the student concerned manages to find out what a person's grade is, a whole lot of people can be in trouble.

 

Last month, these facts plus a fairly behind-the-times security posture made Instructure a prime target for the loosely-organized but highly effective ransomware ring known as ShinyHunters.  These criminals are thought to be concentrated in Canada and France, and are known to have committed numerous ransomware attacks on organizations whose wide-ranging databases make them particularly juicy targets, such as Ticketmaster and AT&T.

 

According to a report on thenextweb.com and the Wikipedia article "2026 Canvas security incident," on April 30, ShinyHunters breached Instructure's security and posted a ransom note on May 3.  On May 6, Instructure, which had publicly acknowledged the breach on May 1, notified its users that everything was back to normal.

 

But according to ShinyHunters, Instructure ignored their ransom demand and simply doubled down on security measures.  In retaliation, ShinyHunters put their ransom notice on every user's webpage, prompting Instructure to pull most of the system down and replace it with an "under maintenance" notice at 8 PM Eastern Standard Time on May 7.

 

Unfortunately, this was just when a lot of schools were relying heavily on Canvas for exams, grading, and other end-of-semester activities.  I was fortunate to have my last necessary interaction of the semester with Canvas just a few hours before it crashed, but a lot of other professors and students weren't so fortunate.  Our provost sent out a notice during the outage asking for toleration and understanding on the part of both students and faculty members.

 

According to Hacker News, Instructure eventually reached a ransom agreement with ShinyHunters on May 11, averting release of some 3.6 terabytes of stolen data.  Since then, Canvas has apparently been running normally, although after this experience one wonders how reliable it will be in the future.

 

The days when universities developed their own custom software for large-scale applications such as LMS are long past.  But farming out important tasks to vendors places the responsibility for security squarely on the vendor's shoulders.  And bigness, however attractive it is profit-wise, attracts the attention of hackers as well.  So we shouldn't be too surprised that an outfit like ShinyHunters picked Canvas for their next target.

 

Ransomware hackers are the modern pirates of the Internet.  During the heroic age of global exploration and trade from the 1200s AD onward to 1800 and later, the ocean became a network of trade routes over which the world's valuables flowed.  The prospect of siphoning off some of those valuables for their own purposes, or of extorting money to allow their uninhibited flow, attracted pirates such as the ones based on the Barbary Coast region of North Africa in the years leading up to and following the American Revolution.  In what was the United States' first major foreign military action, President Thomas Jefferson decided he was through with paying off the pirates, and sent the Marines in a series of expeditions that ultimately broke the stranglehold they held on U. S. maritime trade in regions they controlled.

 

Jefferson had the advantage that the pirates sailed physical ships and could be tracked back to specific ports, where plans could be made to attack them.  The power that the internet gives to put the world at your Ethernet port also makes it possible for criminals to hide literally anywhere there is an internet connection, which these days means pretty much anywhere.  Tracking them down is a costly, slow, and uncertain enterprise at best.  And as soon as some bad actors are rounded up and thrown in jail, their uncaught associates rise up to take their place.

 

It's hard to imagine a modern-day Jefferson scaring ransomware hackers enough for them to lay off an entire country.  As the ShinyHunters' actions showed, national borders mean little to them.  They were attracted to Instructure because it formed one of the largest data-holders on the planet, not because it was a particularly large or rich country. 

 

The only thing that may lead to something like what Jefferson did to the pirates of 1800 is if a particular organization goes after the hackers with determination and even a kind of vengeance.  Perhaps something along the lines of a trade organization of large data-holders could fund a multinational policing effort that would make every ransomware hacker sorry they ever messed with a company that is a member of the organization.

 

That may require international and inter-company cooperation that simply doesn't exist today.  But if the problem gets bad enough, maybe firms will overcome their reluctance to put their money and efforts together and do something truly effective.  Until then, however, outfits like Instructure can look forward to more attacks, and users will just have to deal with it. 

 

Sources:  I referred to reports at https://thenextweb.com/news/the-largest-education-data-breach-in-history-was-not-an-attack-on-a-school-it-was-an-attack-on-a-vendor, https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html, and the Wikipedia article "2026 Canvas security incident." 

Monday, May 11, 2026

Technology in the Strait of Hormuz Closure

  

As I write, Iran continues its effective blockade of the Strait of Hormuz, through which a quarter to a third of the world's petroleum traffic normally passes.  Though opposed by most other countries including the U. S., Iran has succeeded both in surprising the rest of the world with its blockade and in maintaining it in the face of fierce though intermittent opposition.  Modern technologies play a not insignificant role in this blockade, and examining that role can tell us something about how technological advances have affected modern warfare.

 

As an oil-industry newsletter pointed out, Iran has had the capability of blockading the Strait for decades.  Their navy includes numerous small attack boats and thousands of mines, both of which would probably be enough to shut off the Strait to commercial traffic.  In the early stages of the war, Iran announced the Strait's closure on Mar. 4, and proceeded to make good its decision with numerous attacks on tankers and other ships.  Wikipedia lists 40 ships that Iran has attacked, six of which were abandoned with some loss of life. 

 

No commercial insurer is going to let a ship go anywhere near a place where things like that happen.  So within a few days, traffic of ships that were not deemed by Iran "friendly" to the regime crashed to zero. 

 

In addition to the traditional means of attack boats and mines, Iran has also used shore-launched missiles, drones, and electronic warfare in the shape of jamming GPS and satellite signals in the Strait.  In a crowded sea lane, loss of electronic navigational ability can be just as dangerous as a minefield or a drone attack.  So even if GPS spoofing was the only thing Iran was doing, the blockade would be effective in terms of creating hazards that are unacceptable to insurers.

 

Iran has truck-mounted missiles that can be launched from virtually any location accessible by truck.  That makes it very easy for them to attack ships, and very hard for anyone trying to defend the ships.  The same goes for drones, which are turning out to be a true game-changer in recent conflicts.  As Ukraine has shown with its homegrown drone industry, inexpensive drones costing anywhere from a few thousand dollars up to $50,000 or so (the cost of Iran's most frequently used drones) can be effective countermeasures that work as well in some cases as U. S. stealth missiles costing millions of dollars. 

 

Mines are a particularly nasty thing to deploy in a commercial shipping lane.  As the oil-industry newsletter pointed out, after the Persian Gulf War it took the U. S. 51 days to find and disable 907 mines off the coast of Kuwait.  So even if Iran was neutralized somehow and agreed to cease hostile activity tomorrow, it would still take more than a month to clear the Strait of mines, assuming the U. S. has retained its former minesweeping ability, which is not clear.

 

In the long story of technology applied to warfare, progress is measured by victory.  And victory doesn't always go to the good guys, while "good" often depends on whose side you are on.  One of the unstated assumptions of engineering ethics is a background of peacetime.  When such a background is no longer the case, things can get murky quickly. 

 

Judging the ethics of war is way beyond the scope of a single article, and I'm not going to try to do that here.  One can question the justice of the way the current conflict started, with pre-emptive strikes by the U. S. and Israel.  From Iran's point of view, closing the Strait of Hormuz in response was probably one of the smartest and most effective things they could do.  In retaliation, the U. S. has announced a blockade of oil shipments from Iran, which depend largely on ports to the east of the Strait.  Whether this retaliatory blockade has the desired effect of making Iran back down from its own blockade is unclear at this point.

 

One problem to avoid with every advance in military technology is that a country finds itself preparing for the last war, not for the next one.  This problem has become obvious for the U. S., whose military procurement process has become hidebound and overly complex, with the result that it mainly serves to enrich defense contractors rather than to produce the kind of inexpensive but effective weaponry that Ukraine is currently making.

 

Could the U. S. or allied countries come up with something clever and cheap to end the Strait blockade?  I'm sure people a lot smarter than I am are working on that right now.  But considering the mixture of traditional and novel technologies that Iran is bringing to bear on the blockade, it's hard to imagine how such technologies would work. 

 

If all restrictions on U. S. military actions were lifted and the President ordered his generals and admirals to open the Strait by any means, I'm sure it could happen.  But that would almost certainly involve a land invasion of the regions of Iran closest to the Strait.  And that would be opposed by a contingent of the 190,000 or so troops in Iran, leading straight to a bad old-fashioned land war with significant casualties on both sides. 

 

The last time a Middle Eastern country tried to take over an internationally important waterway, the U. S. took the side of the country against the then-global powers that wanted to oppose it.  The 1959 Suez crisis found President Eisenhower exerting financial pressure on England to let go of the Suez Canal, when Nasser of Egypt tried to take it over.  Eisenhower knew war inside and out, and while he employed lots of diplomacy and jawboning in foreign affairs, he managed to keep the U. S. out of actual fighting wars almost completely during his tenure from 1952 to 1960.

 

The world was a very different place then, and the current U. S. leader has no personal experience with war.  Perhaps the old-fashioned approach of blockading Iran's ports will have the desired effect without leading to further bloodshed.  If the U. S. had some undreamed-of technology that would end the crisis, I suspect we would have used it by now.  But I might be wrong.  It's happened before.

 

Sources:  I referred to the online newsletter https://oilprice.com/Energy/Energy-General/Why-Military-Force-May-Not-Be-Enough-to-Reopen-the-Strait-of-Hormuz.html and the Wikipedia article "2026 Strait of Hormuz Crisis." 

Monday, May 04, 2026

California Ends Free Ride for Robotaxi Ticketing

  

For good or ill, many things that start in California spread to the rest of the U. S. sooner or later, from Hollywood movies to the Hula Hoop.  So when California's Assembly Bill No. 1777 takes effect this July, companies such as Waymo that operate robotaxis across the country may feel its effects outside just California.

 

The bill, and its implementation by the California Department of Motor Vehicles (DMV), closes a loophole in California law that has up to now allowed driverless vehicles to escape being ticketed for traffic violations.  Previous laws assumed there would always be a driver behind the wheel to cite for illegal U-turns or other roadway malfeasance.  However, existing California law made no provision for ticketing driverless vehicles.

 

That will all change come July 1.  After that, the corporation operating the vehicle will be the designated legal recipient of any citations concerning vehicles under its control.  The ticket takes the form of a "notice of noncompliance," but the effect is the same.  To allow the DMV to track robotaxi company violations, the company must report any citations to the DMV within 72 hours of receipt.  In case a collision was involved, the window shrinks to 24 hours.  If a firm receives too many citations, the DMV is empowered to take drastic action such as limiting the firm's fleet size or even suspending its operating license. 

 

The new law also addresses the problem of how first responders can deal with driverless vehicles that get in the way at a fire or accident scene, for example.  It mandates that the operating companies must respond to calls from first responders within 30 seconds, and requires that companies observe geofencing rules that clear a designated area within two minutes.  Apparently, autonomous vehicles have obstructed the operation of fire and emergency vehicles in the past, and these new laws address that issue.

 

In the modern world, technological developments generally outpace the social infrastructure of laws and customs.  That is why robotaxis in California have been escaping traffic tickets until now, because lawyers and legislators are not prophets, and they can't expect to anticipate every possible new technological development so that the laws are waiting to be used when the technology finally comes along.

 

Most consumer technology is at least intended to have benign effects, but the good of taking people and goods from one place to another is accompanied by problems such as traffic violations.  Getting a traffic ticket is often the only interaction most law-abiding citizens have with law enforcement, but it is a little galling that robotaxis were effectively exempt from such experiences until this year in California. 

 

It's part of the normal progress of technological development for new laws to arise that deal with unexpected problems such as the ones the California bill addresses.  The issue of clearing an area for emergency operations couldn't even happen until there were enough robotaxis around that one of them got caught in such a situation, and led to frustrations and hazards that, while probably not costing a life, made enough trouble for first responders that they reported it to the appropriate authorities.  And while many uncomplimentary things can be said about the California legislature, in this case they seem to have done a good thing in mandating effective communications and actions whenever a driverless vehicle is impeding the work of first responders.

 

It's fair to say that there probably wasn't a popular groundswell of grassroots opinion demanding that robotaxis be able to receive traffic tickets.  The issue is not one to get the average Joe Public's juices going.  Contrast this matter to another technological fault line that is currently the subject of much (mostly local) legislation and discussion:  the construction of data centers around the country. 

 

As an editorial by Charles C. W. Cooke points out, data centers are not new.  In some form we've had them around for decades, and currently there are about 5,000 of them in the U. S. already, with the largest concentration in the liberal state of Virginia. 

 

Yet, to listen to discussions at city council meetings around the country or to see the "No Data Centers" signs popping up in yards, one would think that each data center is a direct portal to Dante's Inferno.  Why are people so upset at data centers, while robotaxis being immune from tickets was never a big deal?

 

Fear has something to do with it—fear of the known unknown.  For most people, robotaxi immunity from ticketing was an unknown unknown.  I didn't even know it was an issue until California fixed it with their new law.  But the publicity about data centers, and their notorious connections with the mysterious and frightening acronym AI, are well known enough, though what the consequences will be in terms of water and energy depletion or increased cost is largely unknown.  After all, if something's not built yet, you can't say exactly what will happen if you build it.

 

Opponents have rushed into that gap of ignorance with highly inflated predictions of disasters that will hit you in your pocketbook:  higher power and water prices, water shortages, and even loss of jobs as AI takes over what you and twenty of your friends do, and does it better and cheaper.  Nobody is threatened in that manner by the fact that robotaxis couldn't get traffic tickets.  Injustice somewhere else never matters as much as injustice to my bank account. 

 

So while even the California legislature can take effective action about a matter that few people knew or cared about, it's not clear that laws slowing down the construction of data centers are going to make anything better.  Saying "not in my back yard" doesn't stop construction as long as back yards don't cover the entire U. S., and that won't happen for a while.  But unless the public understands the issues well enough to make an informed decision, there is not much chance that legislation about data centers that is driven by public opinion will do much good.

 

Sources:  I referred to several articles on California Assembly Bill No. 1777, including https://driveteslacanada.ca/news/california-makes-big-changes-to-autonomous-vehicle-legislation/, https://finance.yahoo.com/economy/policy/articles/robotaxis-driverless-vehicles-now-ticketed-150019014.html, and https://www.carscoops.com/2026/04/california-robotaxi-citation-rules/.  Charles C. W. Cooke's article "Hatred of Data Centers Is Irrational and Self-Defeating" is at https://www.nationalreview.com/2026/04/hatred-of-data-centers-is-irrational-and-self-defeating/.