
On Sunday (Dec 22nd), I was visiting the MyIndihome website to check my household’s internet usage when suddenly Google Chrome prompted this:

Upon clicking the [Check Password] button, Chrome showed me the number of websites on which my password could have been breached.

Since I stored my passwords in Chrome, it actually knows the passwords that I’m using on many sites. I speculate that Google is utilizing Troy Hunt’s Have I Been Pwned? API to check if a password has been breached.
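Added example, not part of the original post and not a description of what Chrome itself does: it shows how a breach check can be made against the Have I Been Pwned "Pwned Passwords" range endpoint without ever sending the password, because only the first five characters of its SHA-1 hash leave the machine. The response body and the count in it are constructed sample data, and no network call is made.

```python
import hashlib

# Real endpoint, shown for reference only; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """SHA-1 the password and split the uppercase hex digest into 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def request_url(password):
    """Only the 5-character hash prefix is sent to the service."""
    return RANGE_URL + split_hash(password)[0]

def breach_count(password, range_body):
    """Look for our own suffix among the SUFFIX:COUNT lines returned for the prefix.

    The comparison happens locally, so the service never learns which
    suffix (and therefore which password) the client was interested in.
    """
    suffix = split_hash(password)[1]
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_body(breached_password, count):
    """Constructed stand-in for the server reply: two filler suffixes plus one hit."""
    hit = split_hash(breached_password)[1]
    return "\r\n".join(["0" * 35 + ":3", f"{hit}:{count}", "F" * 35 + ":1"])

if __name__ == "__main__":
    body = constructed_body("password", 12345)  # the count is a made-up sample value
    print(request_url("password"))
    print(breach_count("password", body))             # found in the constructed reply
    print(breach_count("a-unique-passphrase", body))  # not found
```
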

So I spent the whole Sunday resetting my password on some websites that I deemed important. Websites that don’t store my personal information or carry no financial risk were excluded from this password reset exercise. Online shops and online hotel/flight booking websites were the first to have their passwords reset. I simply don’t want fraudulent purchases/orders billed to my bank account.

My habit of using the same password is partly why I wasted my Sunday. You see, I have 3 passwords. The least complicated one is for websites which have no financial risk, like forums and free/trial online services. The slightly more complicated password is for websites which store my credit card/bank account information, like online shops and travel/hotel booking sites. The most complicated one is for my Google/Facebook accounts, which basically control all my other accounts.

After resetting passwords on many websites, I found a few websites which have the worst user interfaces for resetting a password. Let’s learn from their mistakes and not repeat them in our future projects.

Alphanumeric only password

We’re not in the 90’s anymore. We shouldn’t restrict passwords to alphanumeric characters only, because the smaller character set makes them easier to brute-force.

Missing input fields

MyIndihome expects you to enter the Two Factor Authentication (2FA) token, but the input field is missing. Hence, resetting the password becomes impossible. Excellent job! 😀

Hide the reset password function in a non-standard place

When I clicked my username on the Qoo10 website, I expected to find the reset password function there. But apparently the reset password function is hidden inside My Qoo10 -> My Inquiry -> Personal Info.

About Hardono

Howdy! I'm Hardono. I am working as a Software Developer. I am working mostly in Windows, dealing with .NET, conversing in C#. But I know a bit of Linux, mainly because I need to keep this blog operational. I've been working in Logistics/Transport industry for more than 11 years.


To develop a Blazor Web Assembly project on Ubuntu, first we need to install Visual Studio Code. Next, we need to add the .NET Core repository and dependencies.

wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb

Install .NET Core SDK

sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-3.1

Install the ASP.NET Core runtime

sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install aspnetcore-runtime-3.1

Install the .NET Core runtime

sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-runtime-3.1

By now you should have .NET Core properly installed in your system. To test it, run the following command:

dotnet

It should return something like below:

Usage: dotnet [options]
Usage: dotnet [path-to-application]

Options:
  -h|--help         Display help.
  --info            Display .NET Core information.
  --list-sdks       Display the installed SDKs.
  --list-runtimes   Display the installed runtimes.

path-to-application:
  The path to an application .dll file to execute.

Next, we are going to install the Blazor Web Assembly project template by executing this command:

dotnet new -i Microsoft.AspNetCore.Blazor.Templates::3.1.0-preview4.19579.2

Now, let’s create a new Blazor Web Assembly project called HelloBlazor by executing this command:

dotnet new blazorwasm -o HelloBlazor

The HelloBlazor folder is now created. To start modifying the project, run the commands below:

cd HelloBlazor
code .

Visual Studio Code will launch and automatically open the HelloBlazor project.

To build the project, you can utilize Visual Studio Code’s terminal by pressing Ctrl + ` (hold Control key and back-tick together). Inside the terminal, execute this command:

dotnet build

You should have output similar to below:

Microsoft (R) Build Engine version 16.4.0+e901037fe for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.

  Restore completed in 48.35 ms for /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/HelloBlazor.csproj.
  HelloBlazor -> /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/bin/Debug/netstandard2.1/HelloBlazor.dll
  HelloBlazor (Blazor output) -> /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/bin/Debug/netstandard2.1/dist

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:14.92

To publish the project, run the command below:

dotnet publish

You should have output similar to below:

Microsoft (R) Build Engine version 16.4.0+e901037fe for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.

  Restore completed in 46.59 ms for /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/HelloBlazor.csproj.
  HelloBlazor -> /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/bin/Debug/netstandard2.1/HelloBlazor.dll
  HelloBlazor -> /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/bin/Debug/netstandard2.1/publish/

In my case, the static files were generated at /home/hardono/Projects/DotNetCore/Blazor/HelloBlazor/bin/Debug/netstandard2.1/publish/HelloBlazor/dist/ as shown below:

Now you can upload these files and folders to your Linux/Windows server. No .NET runtime is required on the server, but the client’s browser requires Web Assembly support (all modern browsers have it, btw). I’ve uploaded mine here. Check it out HERE.

But goodness me, a Blazor Web Assembly project has quite a big download size.

A total of 6.6 MB of resources need to be downloaded!

That’s it for now, I hope it helps. Cheers!


UMaxHosting is closing down

Yesterday (Dec 7) I received this email from my VPS Provider:

Dear Customer,

Over the past few months we have been met with many challenges within the hosting business. Some that have not been overcome.

As result of this we will be closing our doors. We will be shutting down this Monday 12/9/2019. We are taking this time to let our customers know so that they may backup and retrieve all of their data before then.

We deeply apologize for this inconvenience.

Thank You.

Management


UMaxHosting Team
Hosting Performance Maximized.
https://www.umaxhosting.com

At first, I thought this was a spoofed email (sent by someone else masquerading as UMaxHosting). Then I checked the email’s headers, and it seems the email is genuine.

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@umaxhosting.com header.s=default header.b=QehnZqY1;
       spf=pass (google.com: domain of support@umaxhosting.com designates 104.219.248.151 as permitted sender) smtp.mailfrom=support@umaxhosting.com
Return-Path: <support@umaxhosting.com>
Received: from 151.128-26.248.219.104.in-addr.arpa ([104.219.248.151])
        by mx.google.com with ESMTPS id i124si3472412oif.214.2019.12.06.16.44.21
        for <hardono@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 06 Dec 2019 16:44:21 -0800 (PST)
Received-SPF: pass (google.com: domain of support@umaxhosting.com designates 104.219.248.151 as permitted sender) client-ip=104.219.248.151;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@umaxhosting.com header.s=default header.b=QehnZqY1;
       spf=pass (google.com: domain of support@umaxhosting.com designates 104.219.248.151 as permitted sender) smtp.mailfrom=support@umaxhosting.com

Received: from umaxhosting by server1.umaxhosting.com with local (Exim 4.92) (envelope-from <support@umaxhosting.com>) id 1idOCq-0002CC-Ab for hardono@gmail.com; Fri, 06 Dec 2019 16:44:20 -0800
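Added example, not part of the original post: a small parser for the Authentication-Results header shown above, which reports that SPF passed for the envelope sender while the DKIM signature failed, and then checks which passing result matches the visible From: domain. The From: header is not shown in the post, so umaxhosting.com is an assumption, and the alignment test is a simplified approximation of relaxed alignment.

```python
import re

# Authentication-Results value copied from the headers in the post (folded lines joined).
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=fail header.i=@umaxhosting.com header.s=default header.b=QehnZqY1; "
    "spf=pass (google.com: domain of support@umaxhosting.com designates "
    "104.219.248.151 as permitted sender) smtp.mailfrom=support@umaxhosting.com"
)

# Which property names the domain each method vouches for.
IDENTITY_PROP = {"spf": "smtp.mailfrom", "dkim": "header.i"}

def parse_auth_results(value):
    """Return (authserv_id, [{"method": ..., "result": ..., <props>}, ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
    authserv_id, *clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = []
    for clause in clauses:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return authserv_id, results

def vouched_domain(entry):
    """Envelope-sender domain for SPF, signing domain for DKIM, else ''."""
    ident = entry.get(IDENTITY_PROP.get(entry["method"], ""), "")
    return ident.rsplit("@", 1)[-1].lower()

def aligned_passes(results, from_domain):
    """Methods that passed for a domain matching the visible From: domain.

    Simplified relaxed alignment: equal, or one is a subdomain of the other.
    """
    from_domain = from_domain.lower()
    hits = []
    for entry in results:
        d = vouched_domain(entry)
        related = d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)
        if entry["result"] == "pass" and d and related:
            hits.append(entry["method"])
    return hits

if __name__ == "__main__":
    server, results = parse_auth_results(AUTH_RESULTS)
    print(server, [(r["method"], r["result"]) for r in results])
    print(aligned_passes(results, "umaxhosting.com"))  # assumed From: domain
```

For this message the only aligned pass is SPF, which ties the sending IP to the envelope domain; the failed DKIM result means the message content was not verified by signature.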

Still not convinced, I opened a support ticket with just the question ‘Closing down?’ as the title. And today (8 Dec), I received their reply:

Hello Hardono,

It is true, we are sorry for this.

UMax Hosting, UMax Hosting Management
hxxp://www.umaxhosting.com

———————————————-
Ticket ID: #981038
Subject: Closing down?
Status: Closed
Ticket URL: https://www.umaxhosting.com/manage/viewticket.php?tid=981038&c=8Jsj77g9
———————————————-

Other hosts are closing down too

Since it’s clear that UMax is really closing down, I decided to move to another VPS provider. For that, I visited lowendbox.com (my go-to place for cheap VPS). On the front page I saw a few interesting offers, but I decided to go to its forum to find out what’s going on with UMaxHosting. To my surprise, the most popular thread was about a number of VPS providers closing down. Many people are having the same awful experience that I have!!

Two comments that stand out in my view:

The likely explanation is that a malicious person/group apparently operates a number of VPS providers. These VPS providers then posted ridiculously cheap offers at lowendbox.com in October and November. Then in December, they all suddenly sent the same email message announcing that they are shutting down. I am not sure if the people who bought the offers in October and November are being offered refunds.

It seems we are being reminded again of that wise adage, “If it sounds too good to be true, it probably is”.

The Whitelist

After reading so many comments, I found out that there is a carefully vetted list of VPS providers. By using the VPS providers listed there, we can have higher confidence that the selected VPS provider will not just collect our money and then disappear within months.

There are many lowend VPS and hosting providers online. Some are professional outfits, while others are summer hosts or fly-by-night operations out to make quick profits from unsuspecting customers. It is far too easy for an individual with some technical know-how to rent a dedicated machine for a year, buy a cheap domain name, oversell hundreds of lowend boxes at incredibly cheap prices and then disappear, only to repeat the same tactic under another name later.

Maintaining a blacklist of hosting providers is thus an unproductive endeavor. Therefore, LowEndBoxes Review has decided to maintain a whitelist of reliable lowend hosting providers. This list is curated at our discretion by analyzing different online sources and represents our professional opinion that these providers are extremely unlikely to be scammers or unreliable hosting providers.

-The Whitelist

Link: The Low End Box Review’s Whitelist

After comparing offers from providers listed there, I chose Alpha VPS (the cheapest VPS with 2 vCPU, 1 GB RAM and SSD disk).
