
Canvas cyberattack disrupts US schools' finals

Maya Chen
Updated May 14, 2026 · 9:16 PM UTC

Canvas outage stalls finals

A coordinated cyberattack forced the Canvas learning platform offline on the day many institutions scheduled final exams. Schools and colleges across the United States postponed year‑end tests as the service became unusable.

Canvas, the cloud‑based LMS used by thousands of K‑12 districts and higher‑education campuses, saw its authentication servers flooded with malicious traffic. The disruption lasted long enough for administrators to cancel or reschedule assessments, a move that rippled through academic calendars and student stress levels.

The incident highlights how a single SaaS failure can halt core institutional functions. Academic staff scrambled to communicate new exam dates via email and alternative portals, while students faced uncertainty about grading timelines. No public statement from Instructure, Canvas’s parent company, detailed the attack vector, leaving many to wonder whether the breach was a ransomware strike, a DDoS overload, or a credential‑theft campaign.

Let’s Encrypt stops issuing certificates

Let’s Encrypt announced an immediate suspension of new certificate issuance on its status page, citing a “potential incident” that could affect the integrity of its automated service. The decision was posted on the organization’s incident tracker (https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3) and quickly discussed on Hacker News, where the thread accumulated 130 points and 70 comments.

The halt applies to all new domain validations, meaning any website that relies on Let’s Encrypt for TLS certificates must wait for the issue to resolve before obtaining fresh credentials. Existing certificates remain valid, but renewal attempts will fail until the service is restored.

Let’s Encrypt’s automated issuance model underpins a large fraction of HTTPS on the web. A pause of this magnitude raises immediate concerns for small sites that lack alternative certificate providers. Operators of low‑traffic blogs, development environments, and IoT dashboards may encounter broken HTTPS connections, potentially prompting a fallback to self‑signed certificates or temporary HTTP.
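For operators deciding which sites actually need a second certificate authority during an issuance pause, the sketch below sorts a certificate inventory by remaining lifetime. It is an added example, not code from the article or from Let's Encrypt; the hostnames, dates, the 7-day pause estimate and the 30-day renewal threshold are all assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: (hostname, notAfter as printed by
# `openssl x509 -noout -enddate`). All values are sample data.
INVENTORY = [
    ("blog.example.org", "May 17 08:00:00 2026 GMT"),
    ("dev.example.org", "Jun 10 12:00:00 2026 GMT"),
    ("iot.example.org", "Aug 01 00:00:00 2026 GMT"),
    ("old.example.org", "May 01 00:00:00 2026 GMT"),
]
# Reference time for the example (constructed).
NOW = datetime(2026, 5, 14, 21, 16, tzinfo=timezone.utc)


def days_left(not_after, now):
    """Whole days from `now` until notAfter; negative once expired."""
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def triage(inventory, now, pause_days=7, margin_days=2, renew_at_days=30):
    """Classify each certificate for an issuance pause of `pause_days`.

    pause_days    assumed planning estimate for how long issuance stays down
    margin_days   safety buffer added on top of the estimate
    renew_at_days assumed threshold at which the ACME client starts renewing
    """
    result = {}
    for host, not_after in inventory:
        d = days_left(not_after, now)
        if d < 0:
            status = "expired"           # already broken, unrelated to the pause
        elif d <= pause_days + margin_days:
            status = "fallback-ca"       # expires before issuance is likely back
        elif d <= renew_at_days:
            status = "renewal-deferred"  # renewal job fails, cert stays valid
        else:
            status = "ok"                # no renewal due yet
        result[host] = (status, d)
    return result


if __name__ == "__main__":
    for host, (status, d) in triage(INVENTORY, NOW).items():
        print(f"{host:20} {d:4d} days  {status}")
```

Only the `fallback-ca` group needs a certificate from another authority right away; `renewal-deferred` hosts will log failed renewals but keep serving valid HTTPS, so there is no reason to drop them to self-signed certificates or plain HTTP.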

Retro spotlight: PC Engine CPU

A deep dive into the PC Engine’s central processor resurfaced on Hacker News, drawing 113 points and 50 comments (https://jsgroth.dev/blog/posts/pc-engine-cpu/). The article dissects the custom 8‑bit CPU that powered the 1987 console, a hybrid of a 65C02 core and a graphics‑oriented co‑processor.

The author traces the CPU’s instruction set, memory mapping, and timing quirks that made the PC Engine a unique competitor to Nintendo’s NES. While the console is largely a nostalgia item today, the technical analysis reveals design decisions that still inform low‑power embedded systems.

The write‑up also notes the challenges of emulating the CPU accurately. Minor timing differences can cause graphical glitches in modern emulators, underscoring how legacy hardware can still demand rigorous engineering effort. The discussion on Hacker News reflects a broader community interest in preserving and understanding vintage computing architectures.

Infrastructure resilience and the legacy threat

The three stories converge on a single theme: the fragility of modern digital infrastructure when confronted with both active attacks and legacy dependencies. Canvas’s outage demonstrates that a single SaaS provider can become a single point of failure for critical academic processes. Let’s Encrypt’s pause shows that even a globally trusted automation service can be forced offline, exposing a thin margin of redundancy for HTTPS adoption.

Meanwhile, the PC Engine analysis reminds us that older hardware and software continue to surface in contemporary contexts, whether through emulation, embedded devices, or as part of supply‑chain components. The persistence of such legacy code can introduce hidden vulnerabilities that are hard to audit.

For institutions, the immediate lesson is to diversify authentication and communication channels. Backup LMS instances, alternative certificate authorities, and clear incident‑response playbooks can reduce downtime. For developers, the PC Engine case study suggests that understanding low‑level CPU behavior remains valuable, especially as edge devices push toward minimal footprints.

What to watch

Canvas’s parent company, Instructure, is expected to release a post‑mortem within the next two weeks; the findings will likely shape future SaaS security contracts for education. Let’s Encrypt will post an incident report and a timeline for resuming issuance; monitoring the status page will indicate when the web’s TLS supply chain returns to normal. Finally, the retro‑computing community plans a series of webinars on accurate PC Engine emulation, which could surface new tools for low‑power CPU verification. Tracking these developments will reveal whether the industry translates these disruptions into lasting resilience measures.
