One reason I haven’t commented on the Canvas hack yet is that I swore off writing about LMS news years ago. But this story isn’t really about Canvas or LMSs. It’s about the fact that education, through educational technology, is under attack by sophisticated cybercriminals. They started with hospitals some time ago. Now they’re coming for us. This isn’t the first major recent hack I’m aware of, and it won’t be the last.
Let’s be clear: This was not some rando script kiddie waltzing through a wide-open back door. The hackers used multiple attack vectors, including Canvas’s open course sites, their help desk software, and social engineering of a help desk call. Instructure holds a SOC 2 attestation, meaning an independent auditor has examined how its security controls are designed and operated; that raises the bar, but no audit promises that a determined attacker with a convincing pretext is kept out. The criminals wanted Instructure to let the public know the name of their organization and the fact that they returned the data after the ransom was paid. Why? Advertising. The criminals wanted future victims to know that paying the ransom gets them something in return. Selling students’ private information on the internet isn’t their business model. They’re cyber kidnappers.
This is organized crime. They want us to know that when they come for us, on whatever platform they attack next, we should pay them. This is FBI-level stuff.
People who have read my blog over the years know that I’m not above schadenfreude or rage at vendors behaving badly. That’s not what happened here, and it’s not an appropriate emotional reaction to what happened. We are all under threat. I’ll leave it to others to analyze Instructure’s response. I’m worried about the people who have demonstrated both the means and the intention to do us harm.
Now, I’m going to write about 1EdTech for this next part, so you should know that I had this post checked for approval before I put it up. I have to pretend to be an adult now. But this is what I would have written anyway.
The attack did not involve LTI. And yet, there are now questions swirling about LTI’s safety. I will tell you what is true and what is BS. The current version of LTI, 1.3, is built on the 1EdTech Security Framework: a launch goes through an OpenID Connect login flow, the launch message is a JWT signed with the platform’s RSA key (RS256) and verified against the platform’s published key set, and calls to LTI services use OAuth 2.0 access tokens. 1EdTech actively updates its specifications to stay current with security practices. You can bet we will be doing even more of that now. LTI 1.1 was deprecated five years ago because it is not aligned with current security practices: every launch is a form POST signed with OAuth 1.0a HMAC-SHA1 using a shared consumer secret, so the same secret sits on both sides of the connection and anyone who obtains it can forge launches. 1EdTech does not certify LTI 1.1 and has not for quite a while. 1EdTech strongly recommends not using LTI 1.1. I personally strongly recommend that you do not use LTI 1.1. Use version 1.3 or higher. Moving to 1.3 only helps if the tool actually validates each launch: verify the signature against the platform’s key set and check the issuer, audience, nonce and expiry claims, because a tool that skips those checks brings back the weaknesses it just left behind. To be clear, this isn’t just a vendor problem. Many institutions have built their own home-grown tools using LTI 1.1. If they don’t move to version 1.3, then the platforms hosting those tools cannot turn off 1.1 support, and the vendors will have a hard time moving without them. The organization has been pretty clear about this; we’re reviewing now to scrub any remaining lack of clarity as part of our larger security effort.
Some parties have been raising concerns about LTI 1.1 after the Canvas attack…which did not involve LTI. Look, I just said LTI 1.1 is not current, not supported, and should not be used. Some platforms still use it. 1EdTech does not police private APIs, which is essentially what the use of a deprecated spec is. A standards body is not the bouncer at the bar. If a party uses an outdated version of the standard that 1EdTech does not support or recommend, that party becomes responsible for it. Some folks complaining about LTI 1.1—not all, but some—seem to be using it to suggest that 1EdTech’s standards in general, including LTI—any version—are not secure. If you hear that kind of broad insinuation, I recommend you consider the speaker. Some of the comments that are reaching me strike me as motivated. Regardless, they are certainly wrong. You might as well say Microsoft is not secure because Windows 3.11 is not. This is an unhelpful distraction, to say the least. Crude finger-pointing will not help us prepare for the next attacks. The attacks are coming, and the attackers have proven to be sophisticated. We have work to do. If we have holes to close—and I guarantee we will find them, or they will—then let’s find them and close them. This is not a moment for point scoring.
1EdTech is a community-driven organization. To be candid, that has not always been as evenly true as it is now, which is not as evenly true as we aspire for it to become. I joined this leadership team after a decade of doing my own thing because I believe in where it’s going and what it can do. And I believe, above all, that we need to rise to the new cybersecurity threat environment as a community. Personally, that’s where I’m putting my energy in response to the news. As Benjamin Franklin put it, if we do not hang together, we shall surely hang separately.
