[-] scrubbles@poptalk.scrubbles.tech 47 points 1 week ago

Damn, this is a big one. I've been watching since it started, and I hope it sends shockwaves through the SaaS model. Institutions learned overnight that by trusting one single private company they were all screwed over, and it probably made them an even bigger target. Hopefully they start re-evaluating.

Having worked ed-tech for a while, I'm not surprised. Blackboard, Canvas, all hot garbage. There's a real need there, if someone can do a simple selfhosted (by the university) version with oauth/SSO to campus networks that lets them control their data? It'd be a no brainer, I think most campus IT networks would prefer that.

[-] Telorand@reddthat.com 12 points 1 week ago

I was thinking about this exact problem, and I came up with a similar idea. There could be a parent company developing the core software and maybe even providing installation and setup services, but each campus ultimately maintains their own self-hosted, zero-trust instance. Each campus would be a downstream implementation of the parent software and would only update or talk to other instances as needed.

Given how campuses operate, it seems like they would be great candidates for an optionally federated platform like that.

[-] frongt@lemmy.zip 14 points 1 week ago

So just traditional software?

[-] scrubbles@poptalk.scrubbles.tech 12 points 1 week ago

Ha, think you just discovered the standard model from the 2000s!

But I agree.

[-] tristynalxander@mander.xyz 8 points 1 week ago* (last edited 1 week ago)

So just, Software as a Product (SaaP)?

[-] Onomatopoeia@lemmy.cafe 4 points 1 week ago

The problem is CapEx vs OpEx.

[-] PolarKraken@lemmy.dbzer0.com 1 points 1 week ago

Would you mind elaborating? I shouldn't find it hard to follow but I don't have a lot of natural intuition on that world of decision making and would like to improve.

[-] dohpaz42@lemmy.world 10 points 1 week ago

My university used to only self host. Now they’re ditching self-hosting for cloud-based SaaS. 🤷‍♂️

[-] Onomatopoeia@lemmy.cafe 5 points 1 week ago

It's because doing things on site requires CapEx, which then increases your tax liability.

By going SaaS, you offload the entirety of risk.

The problem is the morons who sign these contracts are fucking clueless about ensuring the liability is strong.

Important to define risk because a lot of software people here (me included) will immediately think "what do you mean their data was hacked". However, from a legal standpoint they get to point the finger at Canvas.

[-] jaybone@lemmy.zip 6 points 1 week ago

I have no idea how those looked on the backend or from the IT admin perspective. But the regular user experience was completely awful. It wouldn’t surprise me if the whole thing was complete shit.

[-] wizardbeard@lemmy.dbzer0.com 16 points 1 week ago

Paying out hacker ransom isn't a particularly rare event. The hackers that do it professionally are... professional. If they don't follow through on their side of the agreement then no one pays them.

This isn't some "dangerous precedent" it's a basic business decision that paying up would be cheaper than the alternative options. Normal cyber crime response and remediation shit.

[-] blargh513@sh.itjust.works 2 points 1 week ago

Ha ha, what?

They're criminals. They fucked shit up for money and then held the company hostage. If they don't pay, the ransom group WILL release the data. If they do pay, they might release the data, but they'll just quietly sell it rather than just dumping it.

They're a business. It took time and effort to break in. They want to be paid. If you stiff them, they're going to fuck you in the ear. If they sell your data after the fact, what are you going to do? Complain to the manager?

They're not professional, they're extortionists that don't give two shits if they're respected. They steal what's precious and threaten to dump it or sell it back. Their reputation is already shit, why would they care otherwise? This is such a naive take.

[-] osaerisxero@kbin.melroy.org 15 points 1 week ago

I think this is the more naive take. If it was a given that the information would be public either way, no one would ever pay. Ransomware groups rely on a reputation of withholding their end of the arrangement or the corporate bean counters could never justify the payout to them.

[-] jaybone@lemmy.zip 2 points 1 week ago

It’s interesting though. For lots of other crimes, people don’t pay ransoms. For example the recent kidnapping of that tv personality’s mother in Arizona. And in those cases, such an arrangement or transaction, when completed fulfills both sides and it’s done. In this case, there is no guarantee that data doesn’t end up sold on the dark web regardless of whether the payment is made. And plenty of other let’s say not as “professional” hacker groups (I put in quotes for lack of a better word, and that’s a term we are using in this thread) sometimes can’t decrypt your shit because they are running shredware rather than ransomware. Or they just fucked up and don’t know what they are doing. So it’s a big chance you are taking.

And yes, some of the “professional” groups have essentially a “customer support” team, which you contact and they help walk you through the process of paying the ransom and whatever else, applying the decryption etc.

[-] Couldbealeotard@lemmy.world 4 points 1 week ago* (last edited 1 week ago)

When someone gets kidnapped there's no CEO that can go to jail for a privacy breach. Data breaches typically stay out of the news, if it becomes public the victim company can face legal action. It can literally be cheaper to quietly pay the hackers.

[-] Auster@thebrainbin.org 9 points 1 week ago

There's no honor among the dishonorable, as a Brazilian analyst would say:

I wouldn't doubt the thieves are still holding on to copies of the data they stole, just waiting either for another opportunity to blackmail those affected again, to use the data for other nefarious means as a shell group, or to sell it to another ill-intended group without leaving traces.

From stealing and putting a price on people's private data and possibly their safety, and to the possibility of dishonoring a "sales" contract, the morality bar was already pretty low on the two concrete cases, so the third would be easy to do on this standpoint.

[-] Randomocity@sh.itjust.works 6 points 1 week ago

Ransomware gangs are actually normally pretty good about this. If they leak afterwards they lose all credibility to get another company to pay in the future.

this post was submitted on 13 May 2026
92 points (98.9% liked)