How’s everyone doing + I cleared your passwords, sorry

Hi! It’s been the better part of 3 years since our last blog post – hope you’ve all been getting by. Unfortunately, I don’t have the happiest of news to deliver here, but let’s get it out of the way:


1) Our website here experienced a security breach recently. I first noticed signs of it around the start of 2023 when the next-post button was linking to a c*sino site. I deleted the offending posts and user(s) related to that, but at the time I was too occupied to take a closer look at the server to find anything else amiss.

Thanks to Raineh Daze in the last post’s comments for pointing out the spam link was appearing again, as well as some strange elements blocking the blog’s header links. This time I finally took a closer look, and found some added and changed PHP files on the server which were really shady – featuring obfuscated code, eval(), permission changes, file upload interfaces, and so on. Fortunately we have file history tracking which allowed me to identify which changes were new. So I went to work cleaning up:

  • Reverted the bad PHP file changes/additions. This fixed the header links.
  • Deleted offending posts/users from the blog again.
  • Updated all our software. I’m going to make sure I don’t slack on this as much, since neglecting this for a long time probably led to the breach. Recent WordPress versions have options for auto-updating, so that may help.
  • Since a database-level breach may have happened, I cleared everyone’s account passwords on the blog (WordPress) and the forum (MyBB).
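As an added example (not the site's own tooling or the author's code): a minimal version of the file-history check described above, which compares the PHP files in a web root against a known-good hash manifest and flags added or changed files containing the traits listed in the post. The indicator patterns, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Traits named in the post: eval(), obfuscation helpers, permission changes,
# upload handlers. The exact patterns are assumptions, not a complete rule set.
INDICATORS = {
    "eval": re.compile(rb"\beval\s*\("),
    "obfuscation": re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "permission_change": re.compile(rb"\bchmod\s*\("),
    "file_upload": re.compile(rb"move_uploaded_file\s*\(|\$_FILES\b"),
}

def build_manifest(root):
    """Map each PHP file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def audit(root, baseline):
    """Return (path, status, indicator names) for every file that differs from baseline."""
    root, findings = Path(root), []
    current = build_manifest(root)
    for rel, digest in current.items():
        if rel not in baseline:
            status = "added"
        elif baseline[rel] != digest:
            status = "changed"
        else:
            continue  # unchanged since the known-good snapshot
        data = (root / rel).read_bytes()
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
        findings.append((rel, status, hits))
    for rel in sorted(set(baseline) - set(current)):
        findings.append((rel, "deleted", []))
    return findings

def demo():
    """Constructed sample: snapshot a clean tree, tamper with it, then audit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "header.php").write_text("<?php echo '<nav>links</nav>'; ?>")
        baseline = build_manifest(root)
        (root / "header.php").write_text('<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>')
        (root / "up.php").write_text(
            "<?php chmod('cache', 0777); move_uploaded_file($_FILES['f']['tmp_name'], 'cache/f'); ?>")
        return audit(root, baseline)
```

The manifest only helps if it is taken from a known-clean state and stored somewhere the web server user cannot write to.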

Here are the most important things to know for you all:

  • If you have an account on the blog or forum, the passwords you previously used may have been compromised. If you had used the same passwords on any other site, you should change your passwords on those sites as soon as possible. (In general, it’s not recommended to share passwords between different sites, and one reason is that things like this can happen.)
  • Since the old passwords may have been compromised, I made sure they no longer work by clearing everyone’s password fields on the blog and forum. This means you need to reset the password by email in order to log in again. On the blog for example, go to the login page, click ‘Lost your password?’, then enter your username or email to initiate a password reset. You don’t have to do this immediately, but just remember you’ll have to do this next time you log in.

We might look into a simpler dev-blog setup in the near future so that it’s not as much for us to maintain and keep secure. But for the time being, hopefully we’ve shaken off the bad stuff in our current setup. Do let us know if you see anything suspicious again.


2) We’ve still been occupied enough elsewhere that we haven’t had notable ESR progress since the last post. We’re still in touch through our team chat, but everyone’s been busy and/or has had other things to worry about.

For my part, I occasionally get an interesting ESR idea in my head and jot it down for later, but that’s been about it. As I mentioned in comments, I’ve had personal goings-on, including moving house earlier this year. I feel like I still have a backlog before getting back to ESR for real, but the fact that I’ve just been able to clean up the website and make a new post is a good sign that I’m catching up.

Aside from free time, there are ways that I now feel better-equipped to work on ESR’s writing than before – in a different vein from what LT talked about in the last post. It’s a nice bit of motivation for me to carve out the opportunity to get back on ESR, and I’ll likely talk about it in the future when that time comes.


In other news, Twitter’s been experiencing a meltdown of sorts (which somehow seems fast and too slow at the same time). Chances are we’ll be posting on another social in addition to Twitter when we’re more active again. Not sure where yet, but Tumblr seems like a decent option? I’ve been on the lookout for Touhou/gamedev Mastodon servers too, and guess we’ll see what other options pop up later.

Finally, I’m pretty excited for the return of the versus format in Touhou 19! And looks like some less popular characters are going to get the chance to shine. I’ve got a backlog of Touhou to play myself, but it’s still comforting to see the series continue to advance. Let’s do our best to catch up and grab our chance to shine, too!

6 thoughts to “How’s everyone doing + I cleared your passwords, sorry”

  1. Great to hear from you again! A shame that the security breach happened but the most important thing is that it was dealt with. Happy to hear that the project, even if proceeding slowly, hasn’t been abandoned. No matter how long it takes I’ll be excited and happy to play the finished product some day in the future. I wish you all a load of luck and motivation for the future!

  2. Glad everything’s been fixed up!

    I haven’t really played any Touhou games in ages; I suppose I _could_ but I always just end up playing Imperishable Night again because I like that one. The fighting games are interesting but I’m somehow even worse at those… xD

  3. @Oswin: Thank you!

    @Raineh Daze: Imperishable Night’s one of the best for sure. So many different goals to play for, and gotta respect the first game to have spell practice. And ditto on the fighting games… I’m somehow OK at Smash Bros, but for SWR my brain is like “OK, let’s pick a random attack to approach with and hope for the best!”

  4. All the bad things aside I’m glad this project isn’t completely abandoned. I don’t even mind waiting another decade heh!
