I tried bringing attention to this in
https://news.ycombinator.com/item?id=13344039At least two people replied in the vein of "nothing to see here".
Now they have finally updated their canary statement (this was back in 16 Feb 2017).
They have added the following text:
> Q: Why didn't you update your canary on time in the winter of 2016?
> A: The canary was so broad that any attempt to issue a new one would be a violation of a gag order related to an investigation into a DDoS extortion ring and ransomware operation[0]. This is not desirable, because if any one of a number of minor things happen, it signals to users that a major thing has happened.
So, in my mind here's the lessons:
A) ignore missing canary statements at your own peril
B) orgs that have sloppy canary releases devalue their canary statements.
