This is not about the Canvas Hack

One reason I haven’t commented on the Canvas hack yet is that I swore off writing about LMS news years ago. But this story isn’t really about Canvas or LMSs. It’s about the fact that education, through educational technology, is under attack by sophisticated cybercriminals. They started with hospitals some time ago. Now they’re coming for us. This isn’t the first major recent hack I’m aware of, and it won’t be the last. 

Let’s be clear: This was not some rando script kiddie waltzing through a wide-open back door. The hackers used multiple attack vectors, including Canvas’s open course sites, their help desk software, and social engineering through a help desk call. Instructure is SOC 2 compliant, meaning they’ve had intrusive third-party security audits. The criminals wanted Instructure to let the public know the name of their organization and the fact that they returned the data after the ransom was paid. Why? Advertising. The criminals wanted future victims to know that paying the ransom gets them something in return. Selling students’ private information to the internet isn’t their business model. They’re cyber kidnappers.

This is organized crime. They want us to know that when they come for us, on whatever platform they attack next, we should pay them. This is FBI-level stuff. 

People who have read my blog over the years know that I’m not above schadenfreude or rage at vendors behaving badly. That’s not what happened here, and it’s not an appropriate emotional reaction to what happened. We are all under threat. I’ll leave it to others to analyze Instructure’s response. I’m worried about the people who have demonstrated both the means and the intention to do us harm.

Now, I’m going to write about 1EdTech for this next part, so you should know that I had this post checked for approval before I put it up. I have to pretend to be an adult now. But this is what I would have written anyway.

The attack did not involve LTI. And yet, there are now questions swirling about LTI’s safety. I will tell you what is true and what is BS. The current version of LTI, 1.3, is compliant with the latest security protocols. 1EdTech actively updates its specifications to stay current with security practices. You can bet we will be doing even more of that now. LTI 1.1 was deprecated five years ago because it is not aligned with current security practices. 1EdTech does not certify LTI 1.1 and has not for quite a while. 1EdTech strongly recommends not using LTI 1.1. I personally strongly recommend that you do not use LTI 1.1. Use version 1.3 or higher. To be clear, this isn’t just a vendor problem. Many institutions have built their own home-grown tools using LTI 1.1. If they don’t move to version 1.3, then the vendors will have a hard time moving without them. The organization has been pretty clear about this; we’re reviewing now to scrub any remaining lack of clarity as part of our larger security effort. 

Some parties have been raising concerns about LTI 1.1 after the Canvas attack...which did not involve LTI. Look, I just said LTI 1.1 is not current, not supported, and should not be used. Some platforms still use it. 1EdTech does not police private APIs, which is essentially what the use of a deprecated spec is. A standards body is not the bouncer at the bar. If a party uses an outdated version of the standard that 1EdTech does not support or recommend, that party becomes responsible for it. We give adopters a long runway and offer lots of help when we update, which we do when our community agrees the spec should be updated.

Some folks complaining about LTI 1.1—not all, but some—seem to be using it to suggest that 1EdTech’s standards in general, including LTI—any version—are not secure. If you hear that kind of broad insinuation, I recommend you consider the speaker. Some of the comments that are reaching me strike me as motivated. Regardless, they are certainly wrong. You might as well say Microsoft is not secure because Windows 3.11 is not. This is an unhelpful distraction, to say the least. Crude finger-pointing will not help us prepare for the next attacks. The attacks are coming, and the attackers have proven to be sophisticated. We have work to do. If we have holes to close—and I guarantee we will find them, or they will—then let’s find them and close them. This is not a moment for point scoring.

1EdTech is a community-driven organization. To be candid, that has not always been as evenly true as it is now, which is not as evenly true as we aspire for it to become. I joined this leadership team after a decade of doing my own thing because I believe in where it’s going and what it can do. And I believe, above all, that we need to rise to the new cybersecurity threat environment as a community. Personally, that’s where I’m putting my energy in response to the news. As Benjamin Franklin put it, if we do not hang together, we shall surely hang separately. 

Security is not a binary distinction. And, while LTI 1.3 may improve the security **for some threats** it does not necessarily suggest that it will protect against either new threats that emerge or threats that were not imagined by the designers of the spec. Moreover, SOC 2 compliance assesses whether a company has policy/governance and related documentation in place. I don't believe that it is intrusive in any way - just time intensive.

Michael, all true about LTI. However, I don't think the "truth telling is complete." Instructure, who provides the chair of the 1EdTech board for 3 years, and on the board for several years longer, clearly did not follow the directive to deprecate LTI v1.1. Truth be told, there are many other areas of standards where Instructure talks the talk but does not walk the walk (I am happy to elucidate these further as I did for the board before my departure). Is it OK for the board to accept this? It is not, in my opinion. 1EdTech is responsible for getting the trusted app seal certification correct. It is not. Canvas is still all green. I understand that the rationale for it being green is because it passed the vetting. But the standards process (on any standard) requires remediation. What is 1EdTech doing on that front? Why would 1EdTech keep the certification in place after the largest breach in edtech history? This seems like politics in support of the board chair to me. On the broader topic of truth, let's be honest now. Transparency in 1EdTech has degraded significantly in the 2 years I have been retired. There are no longer public annual reports, something the board had established for purposes of transparency.

Standards Matter! We have upgraded our entire ecosystem, including our homegrown GTEduApps, to LTI 1.3 except for a couple holdouts from suppliers. We also now require 1.3 Certification for all new LTI. Thanks for sharing your thoughts.

I think Windows 11 and Windows 3.11 share roughly the same level of hackability per time since release. I do understand the worry with LTI. It isn’t hack proof, and using custom software now is far easier than it was before (and comes with its own pros and cons for security). SOC2 is an interesting one. It was a lot. But even that just ensures checks and accountability. It exists to reduce buyer friction. It lets you answer 200 security questions by showing a certificate. SOC2 exists so companies like Instructure can shift liability: “we maintain SOC2 and were audited” lowers their legal risk. SOC2 ultimately is a process, not a guarantee of outcome, and the Instructure hack shows how loosely you can play and get compliance. It’s no wonder entire states are considering switching from Canvas Cloud to become smaller, less valuable targets on trusted networks.

What most concerns me is the lack of explanation by Instructure.
