 Re: So it's now Kawai Jones?
Joined: Oct 2013
Posts: 2,940
2000 Post Club Member
Yes, SSL only prevents someone who has network access between the client and the server from getting the user/password. I suppose it may be more probable on a Wi-Fi LAN if it is not protected (open Wi-Fi in a hotel...)
It could also be an attack on the server and access to the encrypted passwords. If the password is too simple, it can be discovered. SSL doesn’t protect against this kind of attack.
 Re: So it's now Kawai Jones?
Joined: Apr 2007
Posts: 6,423
6000 Post Club Member
Lack of SSL also indicates a lack of concern for security, hence there might be other vulnerabilities to be exploited. For instance, I wouldn’t be surprised if the passwords are stored in plaintext and the “forgot password” and/or the authentication would allow for brute-forcing, etc. So, yes, the lack of SSL may not be an imminent problem in itself but is a sign of low overall attention to security.
Last edited by CyberGene; 11/15/20 03:51 PM.
 Re: So it's now Kawai Jones?
Joined: Mar 2016
Posts: 50
Full Member
As a SysAdmin of 10+ years, I'm very aware that SSL by itself doesn't make a site/database hacker proof... but it is an important part of an overall security strategy, one which happens to be free and rather easy to implement.
My point is, as CyberGene also pointed out, that it shows an overall non-concern (and/or incompetence) around security.
 Re: So it's now Kawai Jones?
Joined: Jun 2019
Posts: 1,479
1000 Post Club Member
> Yes, SSL only prevents someone who has network access between the client and the server from getting the user/password. I suppose it may be more probable on a Wi-Fi LAN if it is not protected (open Wi-Fi in a hotel...)
> It could also be an attack on the server and access to the encrypted passwords. If the password is too simple, it can be discovered. SSL doesn’t protect against this kind of attack.
There are other types of attacks prevented by SSL. Encrypting traffic sent to the server with the (correct) service public key ensures you are communicating with the service, and not a trojan horse for the service or "man-in-the-middle". Encrypted sessions also defeat attacks that hijack the session with forged packet headers.
 Re: So it's now Kawai Jones?
Joined: Sep 2009
Posts: 12,918
Yikes! 10000 Post Club Member
OP
Yes, I have to agree with CG and tux-meister. Security does not seem to be a priority at PW. To borrow a phrase from Cheech and Chong: "Discipline's gettin' pretty lax around here."
 Re: So it's now Kawai Jones?
Joined: Sep 2009
Posts: 12,918
Yikes! 10000 Post Club Member
OP
And now ... it's Kawai James again. Have a look.
I'd like to know what happened.
 Re: So it's now Kawai Jones?
Joined: Nov 2012
Posts: 1,469
1000 Post Club Member
> And now ... it's Kawai James again. Have a look.
> I'd like to know what happened.
We may never know. But this was a fun weekend thread.
 Re: So it's now Kawai Jones?
Joined: Jul 2020
Posts: 98
Full Member
> I wouldn’t be surprised if the passwords are stored in plaintext
Bottom of the page states "Powered by UBB.threads™ PHP Forum Software 7.7.4", which was released on 2020-03-07. I don't immediately see any mention of password hashing in the changelogs, but given it's a recent update of a commercial product, and they at least mention a SHA1 tool, it seems unlikely.
Maybe PW needs a volunteer to help/do the move to https?
 Re: So it's now Kawai Jones?
Joined: Oct 2013
Posts: 2,940
2000 Post Club Member
@MartF: if password hashing was already in a previous version, it would be normal that this changelog doesn’t say anything about it. The SHA1 described is only about attached files. So you can’t deduce anything about passwords.
And HTTPS and password hashing protect against different types of attacks. An HTTPS-protected web server would still leave passwords insufficiently protected if they are stored unencrypted.
 Re: So it's now Kawai Jones?
Joined: Jul 2020
Posts: 98
Full Member
Yes absolutely. I looked through a couple of changelogs and didn't see anything, so we can't be sure. But I'd be surprised if they weren't hashing, given it's a recent version of popular forum software. I thought it was open source, but couldn't see the code anywhere to check. I only mentioned the SHA1 tool since it implies they at least know what hashing is :-)
Anyway, for normal people what this all means is, don't use the same password on multiple websites. Use a different password for every website. If you need somewhere to keep your passwords, use a password manager (KeePassXC, Bitwarden, Password Safe, Dashlane, 1Password). You can also check if any of your passwords have been leaked and need changing at https://haveibeenpwned.com/.
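The leaked-password check suggested in the post above can be scripted without revealing the password: Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns the matching suffixes with counts. This is an added example, not part of the original thread; the response body and its counts are constructed so that it runs offline.

```python
import hashlib


def range_query_parts(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the range endpoint; the
    35-character suffix is compared locally and never leaves the machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Look up the local suffix in a range response of "SUFFIX:COUNT" lines."""
    _, suffix = range_query_parts(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent from the response: not in the breach corpus


def constructed_response(known_password: str, count: int) -> str:
    """Build a stand-in range response for offline use (constructed data)."""
    _, suffix = range_query_parts(known_password)
    decoys = ["0" * 35 + ":3", "F" * 35 + ":12"]  # constructed filler rows
    return "\r\n".join([decoys[0], f"{suffix}:{count}", decoys[1]])


if __name__ == "__main__":
    body = constructed_response("password", 1234)  # count is made up
    prefix, _ = range_query_parts("password")
    # A live check would GET this URL and pass the response text instead.
    print("would request: https://api.pwnedpasswords.com/range/" + prefix)
    print("password ->", breach_count("password", body))
    print("unique phrase ->", breach_count("long unique phrase 7!", body))
```

A count above zero means the password has appeared in a breach and should be changed wherever it is used.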
 Re: So it's now Kawai Jones?
Joined: Jun 2013
Posts: 3,479
3000 Post Club Member
Did we ever get any clarification on this ‘Jones’ situation?
Was James simply trying on Jones for a change?
Did he plan on becoming the artist formerly known as James?
Was it a good ol’ fashion prank, or a nefarious hack?
I apologize if these questions have already been answered.
Yours truly,
Ben Dover
 Re: So it's now Kawai Jones?
Joined: Apr 2007
Posts: 6,423
6000 Post Club Member
For Pete's sake, that has been answered: Masai Jones has been working on the Masai CA79 manual.
Last edited by CyberGene; 11/19/20 10:33 AM.