[blahedo]

Perspective from the trenches: I teach at a university that uses Canvas. We are in our final exams period right now.

We got our first email (from Academic Affairs) notifying us that it was down at 5:17pm EDT this afternoon, with little info; followup emails were sent at 6:24 and 6:57 with more info, but mostly about how we would be compensating for it and not about what actually was going on (other than, "nationwide shutdown" and "cybersecurity attacks", no further detail). I don't get a sense that they know much more than that, not that I would expect them to.

A perhaps telling detail: they're instructing us to have students email us directly with any work that had been submitted via Canvas. That suggests that they have no particular confidence that it will come back up soon.

I personally am only slightly affected; as a CS professor a lot of my students' work is done on department machines, and submitted that way, and I do the actual exams on paper. More importantly, I've never liked or trusted Canvas's gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.

But I have a lot of colleagues for whom this is catastrophic at a level of "the whole building burnt down with all my exams and gradebooks in it"---even many of those that teach 100% in person have shifted much or all of their assessment into Canvas (using the Canvas "quiz" feature for everything up to and including final exams), and use the Canvas gradebook as their source-of-truth record. We've been encouraged to do so by our administration ("it makes submitting grades easier"). For faculty in that situation, they have few or zero artifacts that the students have produced, the students themselves don't have the artifacts to resubmit via email because they were done in Canvas in the first place, and they have no record of student grades or even attendance (because they managed that all inside Canvas). I guess they have access to the advisory midterm grades from March, if they submitted them (most do, some don't), but that might be it.

My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers), or weeks (they don't). Very little in-between. And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable. In the extreme case, they may have to revert to something we did in the pandemic semester (and before that, at my school, in the semester that two major academic buildings actually did burn to the ground a week before finals): let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?

(Well, one thing you can do is not put your eggs all in one basket, and not trust "the cloud" quite so much, but that ship's already sailed. I do wonder if in the longer term, anybody learns any lessons from this....)

UPDATE: As of 11:45pm EDT, my university's canvas instance is up and running! Here's hoping it stays (but I'll be downloading some stuff just in case...)

[JumpCrisscross]

> the students themselves don't have the artifacts to resubmit via email because they were done in Canvas

It’s so simple to send an e-mail to the student with relevant records on completion of a quiz or whatnot. They don’t do it, because they want to control the data. (And universities don’t insist on it for who knows what reason.)

[gucci-on-fleek]

I've never used Canvas before, but all the LMSes that I've used allow students to enable emails whenever anything is updated, including when grades are posted. This is off by default because it's often 10+ emails a day, because many teachers post notes once a day, and with 5 classes, that adds up pretty quick. I personally have it enabled because it's pretty manageable with some custom Outlook rules, but setting this up is well beyond the capabilities of most students.

[mbreese]

Canvas will send emails when grades are posted, but not what the grade is. Or at least that’s the way in the configurations I’ve seen. So, that wouldn’t help in a case where no one can access the canvas gradebook.

[trillic]

yup you just get an email saying "A new grade has been posted for EECS 420"

[skeeter2020]

...then all those clicks juice engagement and utilization numbers; why would someone want to just know their grade when they can use more clicks and custom apps to get the same info? </s>

The party line is probably something about "a lack of data security" with email, which would almost be funny given the current situation if it wasn't so stressful for those impacted...

[crazygringo]

No, students are already forced to use Canvas enough as is. This is enterprise software, it's not a consumer phone app. This is nothing to do with "engagement".

This is to do with FERPA which requires that student grades be kept private. There is a small but still a significant legal risk that someone else such as a parent or roommate could have access to a student's email. And so to avoid even the possibility of a court case, schools prefer to play it safe and display grades only to a user they can authenticate directly.

This doesn't have anything to do with common sense, it's simply about legal risk. And it's not about security in a broader sense, it's specifically about privacy FERPA legislation.

[whyenot]

Isn't that due to FERPA related concerns?

[dotancohen]

  > setting this up is well beyond the capabilities of most students.

Setting up custom email filters is beyond the capabilities of most students? What are they learning? Where will they be qualified to work?

[metaengies]

> Where will they be qualified to work?

Going by a certain story 2 years ago, their concern should be that they're overqualified for Meta.

It doesn't help that gmail, which is the only serious direct competition to outlook, straight up doesn't do "folders" and instead goes with markers. So you can't really just put a filter that drags all the 100 low-priority alerts in what would count as a first degree abstraction of "place where things are sorted into". No, there are two layers of abstraction between point A and B of things, sorter and sorted things. The result? Muggles can't recognize the heck you're describing and refuse to even acknowledge the possibility.

[user_7832]

> It doesn't help that gmail, which is the only serious direct competition to outlook, straight up doesn't do "folders" and instead goes with markers.

While true, unless I'm mistaken, markers (I assume you're referring to tags) can be nested to provide a pseudo-folder hierarchy, and with proper filters you can remove the "inbox" tag and have the mail only show up under the specific tag.

TBH I don't fully mind it, it lets you classify an email in multiple ways (eg "See Later" as well as "Work related").

[mschild]

Tags are great but I still want my folders. Also doesn't help that the way google describes some things is unnecessarily complex or confusing. For example, removing an email from the inbox requires archiving it. In most other applications (WhatsApp, Signal, Outlook, etc) archiving usually results in the email being placed in a specific archive folder that isn't readily accessible through the UI. At least not to the same level that normal emails are.

[philamonster]

People in my work and personal life experience do not understand the concept of labels in a Google inbox and misname them folders 100% of the time. Google allows you to drag-n-drop emails "into" labels like you would files in folders conflating the issue even more as the logic to automate this behaviour with a filter isn't leveraged. Even the layout of a default inbox is setup in a way that the average user has difficulty understanding what happens when an email drops off the "front page" of their inbox.

[bitfilped]

They can be nested, the one thing I have never been able to figure out though is how to get alerts of receiving a message while also filing away in a sub folder. You get one or the other in outlook, as a result I rarely check my work email anymore cause I either get the fire hose of spam or miss everything entirety because it's going to a folder and not passing along an alert about a new message.

[swiftcoder]

Gmail still has perfectly functional filters that can be set to auto-apply a label and skip the inbox. They may be called "labels" now, but they still function just as they did when the UI called them "folders"

[GTP]

I partially solve this by using Thunderbird on my laptop. When I get emails on my smartphone (on the Gmail app), they unfortunately all go to the inbox. But the moment I open Thunderbird, it nicely organizes them for me.

[chopin]

Does Thunderbird have rules? I searched for this and didn't find them.

[dotancohen]

I use Thunderbird on both the desktop and Android. Love it.

Perhaps Outlook is difficult to configure. Thunderbird is intuitive.

[teiferer]

If a CS graduate can't figure out some simple gmail labels and filters then they should not be awarded that degree. Plain and simple. It's not rocket science.

[Poacher5]

And there are no other students at any college other than CS students? I'm not sure why a biologist or a literature student would need to be au fait with Google's admittedly fairly unfriendly email management setup.

[mold_aid]

Most of my students, across all disciplines, don't have basic competence in Word or GDocs, software they've been using for years. It's weeks to teach them how to appy headings

[Daub]

I feel your pain, and my students are design students

[weird-eye-issue]

Most graduates aren't really qualified to work anywhere that they couldn't have worked before going to college in the first place.

[smcin]

You mean graduates of US colleges? Not colleges in general. Or non-technical graduates of US colleges?

[J-Kuhn]

I think they point weird-eye-issue wants to make is: Students attend college to become qualified to work.

[lokar]

I used LaTeX as a ugrad, it’s not that hard

[skeeter2020]

you're at the other end of the spectrum; unless you get work in academia this is not an advantange.

[recursive]

Congratulations on your competence.

[sillywabbit]

It's not even standard in academia.

[crazygringo]

You know that most students aren't computer science majors?

Have you met the average community college student who doesn't even own a laptop but does all of their work on their phone? Gmail doesn't even allow you to create or manage filters from their phone app or mobile web interface.

[fooker]

I have been using email for as long as email was a thing and I still managed to blackhole important emails with filters not too long ago.

[mschuster91]

> What are they learning?

Exactly what is in their field of study, nothing more. That's a huge part of the problems created by treating academia as a degree mill mandatory to get a job able to feed yourself instead of a place only for those truly interested in actually studying a subject.

[emodendroket]

Most people who have office jobs don't know how to do this either

[shakna]

Most managers I've met, struggle with setting up email filters, and have to ask tech support to do it for them. These students will be qualified just fine.

[gucci-on-fleek]

I'd hope/assume that any Computer Science students would be able to do this, but most Biology/Education/English/Art students probably couldn't.

I mean, anyone smart enough to attend university could probably figure it out if they really wanted to, but there are hundreds of other useful things that they could learn too. There are only so many hours in the day, and given that most students don't get that many emails, I can hardly blame them for not wanting to prioritize learning how to filter emails.

(I personally have over a hundred lines of Sieve filters, but I'm definitely not a typical student)

[jameshart]

Biologists should be more qualified than most to classify and tag email specimens.

[throwaway2037]

This is a brilliant reply. I shook my head at the original and laughed hard at your perfectly reasonable question.

It reminds me of an old joke my father used to say about jobs with virtually no interview (fast food, etc). He called it "The Mirror Test", as in if you hold a mirror up to the person, does it fog up? If yes, you are hired!

[BigTTYGothGF]

> What are they learning?

Are you suggesting that outlook wrangling be explicitly taught at the college level?

[u_fucking_dork]

Anywhere. I straight up don’t check my email at work. If people need me they have to teams message me to tell me they emailed me. Don’t have time to sift through all the bullshit generated emails. Jira, GitHub, confluence, servicenow, workday, etc. amounts to an incredible amount of junk I just can’t be bothered with.

[Scroll_Swe]

>Setting up custom email filters is beyond the capabilities of most students?

Yes. And most of the general population. They can do it once they know it exists, most people just are not aware it is a thing at all.

>What are they learning?

Here, their "major" as you say in the US. Someone in econ, biology or even CS is not going to learn Outlook rules. Maybe IT or business will have a sentence on it.

>Where will they be qualified to work?

Any office job. Any job really.

[setopt]

In my experience, it’s hard enough to make students check their school email in the first place. Let alone filter it.

[lokar]

As a ugrad, and later a PhD student teaching, everything is explained the first day. If you can figure it out you just fail the class (or go to office hrs to get help, etc).

[setopt]

As an associate professor, I do explain things the first day, but I am certainly not permitted to fail students as a consequence of not checking their email daily.

Even if they didn’t hand in an assignment at all, without any reason provided, I’m required by regulation to offer them a second chance to pass that assignment.

The students’ rights are quite strong here (Northern Europe), which I generally support, but it has some downsides.

[throawayonthe]

it's MS software, i think it's inanely difficult

[butlike]

Didn't you hear? Chat apps and iMessage (SMS included) is the new email.

Delete

Delete and Report Spam

[e28eta]

Students having records of what their score was doesn't prove to the professor / university what score they received. "FWD: Exam 1 Results" is not especially auditable.

[lacunary]

If only we had some way of signing messages

[ykonstant]

The technology isn't there yet (｡•́︿•̀｡)

[brookst]

Though in a case like this attackers would likely revoke (or publish) the private key.

[JeremyNT]

Ah, perhaps we could put it on the blockchain! /s

[JumpCrisscross]

> Students having records of what their score was doesn't prove to the professor / university what score they received

It's better than nothing. (And good training for the real world.)

Also, most universities (and many schools now) issue academic e-mail addresses to students. In those cases, the email is definitive proof.

[AmblingAvocado]

DKIM signature could be used to verify that Canvas' server sent the email with the given content

[nbernard]

Good luck having people forward an email a) with headers and b) in a way that doesn't break the signature...

[tempaccount5050]

And who exactly do you think is going to verify 100s of thousands of emails this way dude?

[bravura]

A computer?

[hoppyhoppy2]

Emails from Canvas saying a grade is available do not currently include the actual grade in the email, so that would have to be implemented first. And it's probably not implemented quite intentionally because of FERPA.

[gruez]

As opposed to a screenshot of a website? Presumably the professor has a spreadsheet of all assignment grades that is submitted to the school?

[JumpCrisscross]

> Presumably the professor has a spreadsheet of all assignment grades that is submitted to the school?

This would undermine Canvas's lock-in.

[freeopinion]

Canvas is built to automatically export its gradebook to an external system. It will do that automatically every day if you want it to. Teachers or others can manually export to the configured foreign system on demand. So if you grade something and want it to show up in the foreign gradebook without waiting for the daily export, you can just press the button to make it happen right away.

[doctorpangloss]

i cannot believe how much benefit of the doubt people are giving canvas

ed tech is the WORST performing VC sector

the ONLY game in that town is vendor lock-in! are people joking?

c'mon, canvas is a huge piece of shit. the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first, rather than universities writing an open alternative they share with each other for free.

[freeopinion]

Canvas is AGPL licensed. Moodle is GPL. Universities or anyone else can already contribute to big name LMS.

Canvas is used by Harvard, MIT, Stanford, Carnegie Mellon, CalTech, etc. If they each paid 10 FTE, they could set up a foundation that could govern the development of a top-tier LMS. Every tier-1 state institution could contribute 5 FTE. Even little JuCos could chip in an employee here and there. You'd pick up hundreds of capable employees at a fraction of what those schools currently pay to Instructure.

[freeopinion]

On paper your idea seems obvious. You take a bunch of institutions that actually teach students how to program and have them cooperate to build an open LMS that benefits them all.

In reality, universities always spin off anything that looks like it could generate revenue. It is very telling that you can't even get your college transcript from your college. You have to go to (and pay) some third party to get it. Some universities even outsource their "classes" like elderhostel to cruise lines and travel companies.

[gucci-on-fleek]

> rather than universities writing an open alternative they share with each other for free

That already exists [0], and is actually reasonably popular.

> the SaaSpocalypse is coming for them - it seems it is simply that LLMs will be used to exploit it first

I doubt it, because enterprise sales has nothing to do with how good your product is, how expensive it is, how easy it is to administer, how secure it is, etc.; it only depends on how good you are at enterprise sales. I mean, my university is Oracle-based, and I'm pretty sure that you could get 3 random undergraduates to write something better, so I don't think that LLMs writing better/cheaper software will make any difference here.

[0]: https://moodle.org/

[blahedo]

Nope! We're encouraged to keep all that exclusively in canvas. (As noted, I have my own spreadsheet. But I'm an outlier.)

[gucci-on-fleek]

Presumably the system will be back up eventually, so there's not much benefit to lying here, since at best you'll raise your grade in a few classes for a couple months, while taking on a pretty big risk of getting caught.

[pishpash]

You forget things can be signed, with the key owned by the school. It can be done.

[SlightlyLeftPad]

Does signing really make this easily auditable from the professor’s perspective?

[DaSHacka]

Exactly this, when was the last time a HN user had to interact with the prototypical 60-year-old set-in-their-ways professor?

Extremely non-tech savvy, hates computers, and is gonna grumble "What the hell is a PGP? Better not be another one of those phone code things." as you try to pitch this highly-technological solution to a largely niche problem domain.

[Forgeties79]

They don’t even need to not be tech savvy. This stuff just registers as “hassle” to most people so they do the bare minimum or search for ways to not deal with it at all. It’s easy to “tut tut” at them but ultimately we need to accept reality: privacy, security, these things take extra effort that isn’t strictly necessary for people to go about their daily lives even though the stakes can be super high. It’s not a problem until it is, so they aren’t really barriers that require people to do the work. It’s like convincing someone who just simply doesn’t want to go out and buy/install a lock on their door to go do it, except it’s not even a one-time thing. Their door works fine. They can come and go as they please. It’s not until something happens that they maybe change their tune (and even then!)

Hell just getting people to do secure passwords is a whole thing.

[jazzyjackson]

I mean a cloud based learning management system also seems to be a very technological solution to the very old problem of checks notes grading quizzes?

[MarsIronPI]

Makes me glad I've always avoided doing my work on web platforms. When we used to have to make presentations in Google Slides I used to do them in Org-mode, then export to Sheets. I still have all those assignments sitting on my disk. Sure, there's versions of them on Google Drive, but I always make sure that the canonical version is the one on my disk.

[moralestapia]

>It’s so simple to send an e-mail to the student ...

What seems easy on hobby projects gets way more difficult at scale. Source: experience.

[Hendrikto]

For what they charge for these LMSs, they should definitely be able to sent some emails.

[brookst]

No concerns about privacy or regulatory considerations that might vary by jurisdiction? Just yolo it and deal with breech later?

[bartread]

> They don’t do it, because they want to control the data.

Ironically, this incident shows they don’t have control of anything.

[rupx]

I work in the Education sector as IT. We don't know much else either.

Everything we know has come from reddit threads / hackernews threads. There has been 0 official communication today indicating this was an attack, yet the login page was defaced by ShinyHunters.

[setopt]

Just to add one more data point, we also use Canvas at my university. The deadline for submitting who are eligible (i.e. passed compulsory assignments and labs) to take the exam was yesterday, and I couldn’t meet that deadline because Canvas went down. I usually do corrections offline so I have backups of my own evaluations, but these are courses with many teachers and many TAs, so Canvas is the way we sync our assessments.

[p-e-w]

I guess what surprises me the most is that it’s even legal for schools to outsource the core of what they do to some random tech company.

Either way, they were under no obligation to adopt this garbage technology regardless of whether it’s available, so this is 110% on them.

[jameshart]

I’m sorry… is your view here that you can’t believe it is legal for a school to purchase software or pay someone to host software for them?

You are aware that you are posting on Hacker News, a forum for people who make their living selling software and the expertise to host it?

[matsemann]

The alternative would be that each school develop their own platform for this, which also isn't very good use of their time and money?

Edit: No idea why this was down voted so much. I'm not defending Canvas, just wondering what the alternative would be.

[lol768]

> The alternative would be that each school develop their own platform for this

I worked at a university which did exactly this, in the UK.

It was a bespoke platform which integrated incredibly well with the rest of the systems the university used because it was designed from the ground-up to meet the institution's needs, there were regular user groups involving academics to understand what features needed to be built/worked on etc. At one point it was all OSS on GitHub too, in case other universities could've found it useful. It handled plagiarism detection (integrating with Turnitin), marking, exam grids, coursework submissions and feedback, seminar allocations, personalised timetables & mitigating circumstances.

The in-house dev team was vastly cheaper than anything SaaS would've cost, as well. It also maintained software for on-campus parcel deliveries, online exams, opinion surveys, a mobile app for students/staff, the SSO system, the course catalogue, car parking permits, a content management system and more.

[akpa1]

That sounds like a dream.

My (also UK-based) university has been working on a new student records management project for years that's been incredibly ill-fated. It's destined to replace all their current systems and the first module module was meant to launch last year, except it thoroughly failed testing and nobody has heard anything about it since.

No idea how long it'll take to pull through. I don't believe it's an in-house effort.

[hunter2_]

In-house bespoke software sounds reasonable, and multi-customer SaaS sounds reasonable, but outsourced bespoke software sounds like a complete dumpster fire:

End users who report problems:

* are ok with IT level 1 telling them IT level 3 is working on it with velocity appropriate to keep their jobs,

* are ok with IT level 1 telling them ${vendor_of_well-known_solution} is working on it with velocity appropriate for many customers, but

* are not ok with IT level 1 telling them ${vendor_of_bespoke_solutions} is working on it with velocity appropriate for one customer (if they even still exist).

[jcgrillo]

This sounds like a great opportunity for students to gain hands on experience with real software engineering work as well.

[master-lincoln]

They do not need to develop it, but host an existing software on their infrastructure maybe...

[tejohnso]

The alternative could be to self host.

https://github.com/instructure/canvas-lms/wiki/Production-St...

Or maybe consider not following the herd, and use a much simpler but sufficient system that can be self hosted, if available.

[Hendrikto]

The alternative is FOSS.

[master-lincoln]

Seems like instructure canvas is FOSS: https://github.com/instructure/canvas-lms/tree/master

[philipwhiuk]

If your line is GPL rather than AGPL there's Moodle.

But you do then have to have a sysadmin capable of managing an enterprise grade LAMP stack.

[matsemann]

Canvas already is AGPL, though?

[Hendrikto]

So it can be used by multiple universities who share the maintenance. That is my point: Not everybody has to develop their own.

[dboreham]

Um. This is the forum for an industry that outsourced its entire core of what they do to Microsoft (GitHub).

[beej71]

> I've never liked or trusted Canvas's gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.

That makes you one better than me. :( One thing's for sure--I'm never trusting it again.

I already had almost all my materials outside of Canvas and just used their API to upload it. So at least that's safe. But the grades... dang. Luckily we're only halfway through our quarter and it's not finals week.

Our instance is still down, but your update gives me hope.

[jodrellblank]

> “My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers)”

What good is having airgapped backups and spinning them up, if they are instantly vulnerable to the same attack again?

It does depend on what the attack is, but how do people approach that scenario?

[butlike]

That's an interesting question and one I'd like to know an answer to as well.

[camillomiller]

To my European ears this just sounds like a disaster like this waiting to happen. God bless the annoying privacy OSS advocates and bureaucrats, I guess.

[gwerbin]

As someone else in the thread pointed out: Canvas is in fact open source, or at least source available on Github. And it's used all over the world, not just in the USA.

[drillsteps5]

Canvas is back up as of Friday US morning for me (HS student's parent). My kid got a few panicked emails yesterday from the teachers but it looks like Instructure got it resolved quickly.

Canvas does provide a lot of value (all courses, teachers', students', and parents' contact information, all learning plans, schedules, room numbers, all grades, a lot of tests and assignments themselves, all upcoming assignments and deadlines, a lot of other coursework is in there, as are the final grades) but it shows that with external SaaS you might be one attack away from not only losing all that convenience but also in a world of hurt 'cause you lost all the data and now have to figure out how to proceed without the data and the system.

US high schools are in the middle of the finals, and seniors are getting ready for college (the transcripts to be finalized and sent out in a few weeks) so that was a scary timing.

[F7F7F7]

Instructure got their systems back up but they but their handling of that student data is unacceptable.

[jonstewart]

Backups are definitely helpful in ransomwares, but before systems can be restored and brought back online, victim organizations still need to assess the scope of the breach, find the initial access vector, identify compromised accounts, and evict the threat actor. That can take time.

[garciasn]

I’m not certain, but it appears you’re giving Instructure a pass here, as if this is the first time they were hacked. But, it’s the second, by the same group.

As a parent of kids who are impacted by this, I’m not super concerned about the data being held for ransom, but I sure as fuck am concerned about how much it’s going to cost the district to move to another provider.

[JumpCrisscross]

> I sure as fuck am concerned about how much it’s going to cost the district to move to another provider

Does Canvas have cybersecurity insurance?

[MattSteelblade]

Not at all; standard IR procedure is scope -> containment -> eradication -> recovery. There is a fog right now; we don't know all the details. It seems to me that it's just as likely they weren't fully kicked out before or that the initial vulnerability wasn't remediated. You can't recover until the threat actor has been removed.

[jonstewart]

I don't have an opinion on Instructure (except as a parent generally hating the overall app-ization of education; fortunately our district switched away from Canvas a couple years ago), their cybersecurity posture, or this particular event. My only point is that even if backups exist, working through a ransomware attack often takes time.

Also, ransomware gangs often exfil the data and threaten to release it if the ransom is not paid--blackmail, of a sort. It depends on the company and the data set whether this is effective as a tactic. But when it is, backups don't help.

[dumbfounder]

Maybe a hybrid approach. Scramble to create a final exam/project and give them the option to do pass/fail or a real grade, their choice.

And then wish for the death of saas and a day where you can deploy your own software you can control and modify as you need.

[Avicebron]

What is the strategic response then? Assuming I'm a student and my grades are gone, and I want to graduate, shouldn't I pick pass/fail?

Does a future employer look at pass/fail vs the grade? do they care? Are there even jobs that matter enough to care out there for them?

This seems like, solving the problem but without actually seeing the broader goal or trajectory education is supposed to follow.

[hansvm]

Most jobs I've had didn't care about a transcript in the slightest. It matters for future education and a small selection of jobs, and even them a few pass/fail courses won't cause any issues. It's not great if important, major-specific coursework is pass/fail, but usually you're not allowed to do that, so when it does come up you'll just have somebody ask what absurd situation (like this canvas thing) caused it.

[filoleg]

> Does a future employer look at pass/fail vs the grade?

I don't know for a fact how pass/fail is treated by employers, but there are indeed some that look at your college GPA even 10+ years after you graduated. I suspect they don't care about the specifics of how your overall GPA was derived though, so pass/fail likely doesn't matter (unless you did really well and expected the grade to boost your GPA, and then pass/fail essentially does nothing to the GPA, thus kinda eliminating the GPA boost).

I got asked for my undergrad GPA (I graduated ~10 years ago) more than once over the last year by some finance/quant firms.

As for whether "do those jobs even matter enough," I guess it is more of a personal subjective take. I found the work that the people at those companies did (and the problems they solved) to be very interesting and challenging, I found the people working there to be extremely sharp, smart, and genuinely nice to interact with (which is an ideal work environment for me), and I found the total comp to be great. Honestly, I cannot think of much more to ask from an employer.

[flexagoon]

> day where you can deploy your own software you can control and modify as you need.

Canvas is mostly FOSS

https://github.com/instructure/canvas-lms

[F7F7F7]

Good luck trying to stand up something usable.

[grey-area]

Universities are not going to write their own software, and no they can’t use ‘agents’ to write and maintain it for them either.

[morning-coffee]

It's somewhat ironic... if a University's CS department was charged with developing and maintaining the system, what an awesome learning tool it would be. CS students would maybe even be invested in the outcome by having to eat their own dogfood and then really appreciate it what it's like in the real world.

[eesmith]

We can see what that looks like in PLATO, which started in the 1960s. https://en.wikipedia.org/wiki/PLATO_(computer_system) .

"Courses were taught in a range of subjects, including Latin, chemistry, education, music, Esperanto, and primary mathematics. The system included a number of features useful for pedagogy, including text overlaying graphics, contextual assessment of free-text answers, depending on the inclusion of keywords, and feedback designed to respond to alternative answers."

"PLATO III allowed "anyone" to design new lesson modules using their TUTOR programming language, conceived in 1967 by biology graduate student Paul Tenczar."

"The largest PLATO installation in South Africa during the early 1980s was at the University of the Western Cape ... For many of the Madadeni students, most of whom came from very rural areas, the PLATO terminal was the first time they encountered any kind of electronic technology. Many of the first-year students had never seen a flush toilet before. There initially was skepticism that these technologically illiterate students could effectively use PLATO, but those concerns were not borne out. Within an hour or less most students were using the system proficiently, mostly to learn math and science skills, although a lesson that taught keyboarding skills was one of the most popular. A few students even used on-line resources to learn TUTOR, the PLATO programming language, and a few wrote lessons on the system in the Zulu language."

The full PLATO system included grade books, attendance tracking, and class scheduling, as I recall. Perhaps a University of Illinois alum can say more.

I would really like to know how much more useful the current systems are over, say, PLATO in 1992, when evaluated for pedagogy and course management benefits.

[grey-area]

It would be amazing and a great teaching tool, BUT the vast majority of universities don't have the money or IT departments to keep such a thing running. So the idea is a non-starter at most institutions.

[SoftTalker]

CS != Software Engineering

I had a lot to learn about actually developing software after I finished my CS degree.

[fastasucan]

You cant really do that in lots of cases. What grounds the grade is from is in many cases set in stone.

[apublicfrog]

All these articles listing the American schools affected, "nationwide" outage reported, meanwhile hundreds of millions in the rest of the world affected.

Does anyone have a list of affected schools?

[isakmarr]

I don't have a list, but I can tell you the University of Iceland is affected.

[butlike]

> And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable

I have an idea for the midterm (pun intended): Maybe don't jump feet first into the deep end of a single point of failure going forward.

[roody15]

Think they will end paying the ransom quietly.

[addedGone]

100%, else goodluck with the lawsuit coming from the students, as the schools are the one liable for not securing their system.

[vasco]

> let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?

Schedule a single exam and that's your grade for that subject? That's how it should work anyway, credits for work during semester (or worse attendance) are not needed to evaluate if someone learned the material, give them an exam and done.

[goobatrooba]

That's just bad outdated practice. It leads to cramming and less remembering than of the demand is for students to do work and show learning and effort throughout the year.

[matsemann]

Most courses I've taken have obligatory assignments that are pass/fail, and you have to pass a certain amount during the semester to take the final exam. But the grade is determined entirely of the final exam.

Which to me seems the best way, you still have to learn throughout the year. Especially to avoid cheating this works nice. And as an aside, most people I know that did a year abroad in the US got 1-2 grades higher, as it was quite easy to just farm extra credits.

[sayamqazi]

It has been my observation that most of the better students were the ones who would not put in work during the semester/year and cram at the end.

[fastasucan]

Who is doing the work though, the student, chatgpt or claude?

[blahedo]

That's maybe something a school can do if exams are next week, or after.

At my school, tomorrow is the last day of exams. Most of the students have left campus. There's no time or mechanism to schedule an(other) exam.

[pishpash]

Exams have performance variance. Otherwise you're only getting a pass/fall signal in any case.

[aianus]

Grading assignments just punishes people that don't cheat on their homework. It's worse than worthless, it actively helps the worst students.

[vasco]

Exams are the only fair way to evaluate if someone knows something (written or oral, in person). Take homes and attendance are just window dressing.

[Nagyman]

That feels like a poor statistical evaluation. Why not test along the way with progressive complexity/depth?

Using attendance is a carrot to get students to show up, which leads to better learning outcomes overall - which should be the goal.

[scubadude]

Then you're testing how good someone is at exams as much as anything

[SoftTalker]

> they have airgapped backups and can be working as soon as they can spin up new servers

... and assuming they have a documented, tested, and trusted restore process.

[yongjik]

Reminds me of the incident last year when a South Korean government's server room caught fire, which contained the government equivalent of Google Drive, and the only backup was in the same room, and they all burnt down together.

Some data was permanently lost, and then officers told reporters that multi-regional backup was not yet built because it was too hard at such a massive scale... of 858 TB.

[selcuka]

> it was too hard at such a massive scale... of 858 TB

There are probably many S3 buckets in existence that are bigger than that.

Not saying that they should've used S3, but it's definitely possible configure multi-regional backup (and a government can afford it).

[walletdrainer]

My home theater setup has more storage than that.

[rayrey]

Ah yes the “recovery” part of the continuity plan. We tested that right? Right?

[copperx]

I don't understand what's the panic and doomerism about. Any competent IT team has backups and will be up and running as they go back to a state before the breach. This is HN. I'm disappointed that everyone is talking about losing grades and going back to pen and paper. I don't see how that could happen in 2026.

And from the hacker's message itself, it's clear they want money in exchange for not releasing private info, not for the data itself.

Do we live in a fear based culture? Why the panic? Even if everything was hosted on Instructure's infrastructure, it's all AWS. I'd be VERY surprised if there aren't multiple way to go back to a previous state.

Most of the work and delay is to make sure they figure out where the breach occurred.

[simonreiff]

I'm sure you're right. Across tens (hundreds?) of thousands of institutions worldwide, each one is exercising its well-written incident runbook that not only gets updated regularly but also is rehearsed constantly, just in case something like this happens. After all, what university IT department DOESN'T prepare obsessively for the moment when they need to restore all grades on all assignments for all courses from backup and fall over to the backup system for final exam administration in any required format specified by any professor, in the second week of May, on a non-negotiable schedule? There's absolutely nothing to worry about here.

[brookst]

Yep. Thank God we fund school IT so generously, so everyone from Harvard to small state colleges has an absolute top notch IT department, dedicated to best practices, fully resourced to do BC/DR planning and dry runs. This could be a real catastrophe if any schools were under-resourced.

[yread]

Schools don't have competent IT teams.

Here in the Netherlands a data center's power source (not even the machines) burnt down, data center is offline and University of Utrecht, one of the biggest universities here, is closed. Access passes don't work, work from home environment doesn't work, student information system is down, system for grading doesn't work. No failover for any of them (or maybe it was in the same DC?)

https://nos.nl/artikel/2613485-storingen-in-hele-land-door-b...

[mschuster91]

> Any competent IT team has backups

Backups can be sabotaged (turned off or schedules manipulated) or compromised (say, by lateral movement).

> Even if everything was hosted on Instructure's infrastructure, it's all AWS.

AWS Backup isn't foolproof. Get your hands on administrator credentials as an attacker and suddenly the only thing between everything being gone for good and unrecoverable even for AWS is remembering to have put a permanent deletion protection on all resources in AWS Backup.

[pjc50]

Sometimes it is very hard to recover from the offlining of essential systems: https://www.bbc.co.uk/news/articles/cy9pdld4y81o (Jaguar Land Rover, estimated cost in the billions)

[belabartok39]

I fully agree. What really pisses me off is that these "hacker" groups always spout off how they are doing it to screw the man but then threaten the average person. Millions of them. It just goes to show how uneducated, low-class, and simple these people really are.