eBay Experiment

I’ve bought a few things on eBay over the years, although I’ve never sold anything since I figured the potential hassle wasn’t worth it. But I recently decided to seriously tackle de-cluttering my apartment and cleaning out a storage unit that I have. Along with this I decided to try eBay as a way to turn my unwanted items into cash. I wanted to see if it really was a hassle and if the money earned would be worth the effort. I began my experiment at the end of April.

First I set up some ground rules:

  1. I considered this all found money. I knew I wouldn’t recover the money I paid for the stuff. After all, it was used. If I did find the hidden gem it would be the exception, not the rule.
  2. This isn’t a business. While I would follow some good business practices, such as good customer service and honest listings, I wouldn’t be spending money to raise money. For example, no listing software or services. I wouldn’t add an eBay store subscription until I had solid data to prove the numbers were in my favor so the reduced fees would cover the subscription cost.
  3. While I had no cost of goods sold (as I said found money) in my calculations, I would have to justify my time, effort and expense.

I also set up two goals that would have to be met for the experiment to continue:

  1. List at least one item within a week. The hardest part is the first step so this would force me to take that step. By setting a deadline I would avoid procrastination caused by unending research and planning. The only reason I gave myself a week is because I knew I’d be delayed getting photos.
  2. Reach $1,000 of sales within a month.

I listed 14 items within a week. Like I said, the first step is the hardest. Once I got the first listing up the rest was easy. The $1K goal didn’t come in those first 14 listings since I was hesitant to list too many expensive items, but I did reach the goal within the month.

While I’ve been an eBay member for over 8 years, it’s been over a year since I bought anything so I didn’t have any feedback within the last 12 months. And since I never sold anything I didn’t have any seller feedback at all. I was a bit concerned that this would impact my sales. All the feedback I did have was 100% positive and I was identified with positive phrases such as “longtime member” so I hoped this would help. I also happened to buy a couple items which resulted in recent positive feedback which may have helped if people did check. Overall, I don’t think the lack of recent seller feedback affected my sales very much. The selling prices were in the same ballpark (although at the lower end in some cases) as recent sales of similar items by other sellers. I only had one item priced over $200 and it didn’t sell. While I considered the price fair (even a bit low) my lack of feedback might have been a factor.

Most of my initial listings fell into two categories, watches and N-scale model railroad items. I accumulated watches over the years and had some I no longer wear and I still had the boxes. I figured having the original boxes and paperwork would help them sell for more. I’ve collected N-scale model railroad items over the years. It’s been years since I’ve used any of them so they were targeted to go. All still had their original boxes and were still like new.

The watches went for prices I expected. Less than some recent sales, more than others. I did hold back the higher priced watches and I did have one watch that didn’t sell. More on that later. I used Buy It Now (BIN) pricing for a couple of the watches since I could find recent sales of similar items but everything else went as an auction. Because I have a lot of N-scale stuff to get rid of I picked a variety of different items so I could get an idea of how they’d do.

Eleven of the first 14 items sold and I was 75% towards my goal for the month. So I already considered this a success. I added more items and reached the sales goal before the end of the month. This appeared to be worth my time since I was making considerably more than if I sold everything in bulk.

New sellers may have selling limits placed on the account as described here.

Time Matters

While I wanted to get my first listing as soon as possible just to get that initial step out of the way, there are other reasons to get that first sale as quickly as possible. eBay provides certain benefits, and lifts certain restrictions, based on how long you’ve been selling. Ninety days is the target you’ll want to hit.

Most eBay benefits can be achieved with volume or something else that you can control. But these time based benefits just require you to wait after that first sale. So the sooner you start the sooner you’ll benefit.

Money On Hold

When you start selling eBay will place a hold on sales proceeds until they are comfortable that the sale was a success. Officially they say they will hold the money for up to 21 days. In my experience the hold was always less than 21 days, although the time did vary. I couldn’t see a rhyme or reason for the lengths of time that the money was held.

eBay says these holds will be placed for your first 90 days of selling. My experience is that the holds stopped after about two months.

You can optionally defer paying your shipping charges if you buy postage through eBay and print labels one at a time. The shipping payment is automatically charged when the hold on the sale is lifted. The bulk shipping option doesn’t allow payment deferments.

Top Seller

The Top Seller designation, which lowers the final value fee along with other benefits, requires a 90 day sales history (along with other requirements).

Promotions

eBay likes to offer promotions. The most common “benefit” they offered has been the waiving of the insertion fee (typically $0.30 per listing). eBay offers 50 free listings per month to casual sellers so these promotions are over and above those 50. Of the promotions I’ve received only one appeared tied to an external eBay promotion (an ad campaign). The others seemed intended to get a new eBay seller (me) more active. So it may be worth being prepared to take advantage of any promotion. The promotions I received all had a very short timeframe to take advantage of them.

I was accidentally prepared for one of them since I had taken the photos for what I thought would be a month’s worth of auctions. The promotion allowed me to list them all at once and still have my 50 free insertions for the month. This provided a good way to see if I could handle the volume. While I was able to ship everything on time I did learn that the effort needed wasn’t sustainable. This will be an important consideration if I ever consider a store subscription.

Another promotion offered a Final Value Fee discount which could have been significant for higher priced items. I decided to go with some lower priced items I already had ready. The window to use the offer didn’t mesh well with my schedule so I couldn’t maximize the promotion.

 

What I Learned From The Initial Sales

  1. I dislike the Best Offer (BO) option (available with BIN listings). The quick listing wizard enabled Best Offer automatically and I hadn’t realized it was available. If I do use it again I’ll price the items high and have a minimum offer in mind. The only watch that didn’t sell was listed with a BO. I did get an offer for 50% of the asking price, but nothing approaching the asking price. I can’t blame people for making lowball offers. Not making any offer when it’s an option would feel like paying too much. I do think many people consider the “deal” rather than the actual value of the item in these cases.
  2. A low starting bid can generate interest in an auction. One example of this is an N-Scale freight car bundle that I initially listed with a starting bid of $99. While it generated views and watchers, it didn’t sell. I re-listed it with a $19 initial bid and it sold for well over $100 with eight different people placing bids. eBay consistently recommends a $0.99 opening bid. While I don’t go that low, I now set a low opening bid for everything.
  3. Shipping is a pain and time consuming. My first set of auctions ended on a Saturday. Even though this is only considered the second-best day to end auctions, I figured this would give me Sunday to package things up and the shipment clock wouldn’t start ticking until Monday. (I find it counter-intuitive, but orders received Saturday and Sunday are treated as if they arrived on the previous Friday. So, items with 1 day shipping must go out on Monday.) While I wanted to ship everything Monday I gave myself a three day handling time so I could handle the unexpected without getting a black mark. More on shipping in the next section.
  4. Fees add up. Fast. Fees can vary with some categories or if you have a store subscription, but you should expect eBay to charge 10% of the selling price (including any shipping or handling charges as they also have the same fees applied). You may also pay an insertion (listing) fee, although eBay currently provides 50 free auctions a month. Then there are PayPal fees. PayPal charges $0.30 per transaction plus 2.9% of the total amount. So you should expect fees of approximately 13% on all money you receive from sales, including any shipping or other charges.
  5. The online consensus is that auctions ending Sunday night between 6 and 7 pm U.S. Pacific time (9–10 pm Eastern time) work best. It’s hard for me to prove or disprove that in the short time that I’ve been listing items, but it does seem to work well, with a lot of activity in the final hours. I also found that 10 day auctions work well, with listings starting Thursdays and ending on a Sunday. This also fits my schedule better. The auction runs over two weekends plus it allows auction winners to see what else I have coming up. Since every item I’ve sold is different a perfect comparison is not possible, but 10 day auctions have had significantly more views and watchers than my initial 7 day auctions.

Packaging & Shipping

This was the hardest part to prepare for and it takes more time than I would have guessed. Since I expected surprises I started off slow, with a small number of items, auctions ending Saturday night and a 3 day handling time. This gave me Sunday to package and 3 working days to handle any surprises. I intended to ship the day after payment (1 day handling time) to see how much effort that would take. eBay offers some benefits to sellers who advertise a 1 day or same day handling time so I wanted to try to meet it when I wouldn’t get dinged for missing it.

This worked well and I was able to meet my own next day shipping deadline but there were some hiccups. I use eBay for postage and shipping labels and while their software is OK, it took a while for me to get an efficient workflow.

While you can set payment deadlines there’s really no way to ensure when someone will actually pay. So while my auctions ended Saturday the buyers could pay anytime during the week and the shipment clock would start upon payment. This is especially true since I allow buyers to wait up to two weeks as a way to promote multiple purchases.

Printing Address Labels & Postage

One thing I learned was my current printer wasn’t efficient or cost effective as a shipping label printer. It was pretty easy for me to determine that a dedicated label printer would save both time and money. Even ignoring the extra time and effort required I could easily calculate that a dedicated label printer would pay for itself if I sold my entire N-Scale collection. It would be harder to justify if I didn’t have that volume and was just selling off odds-and-ends. I ended up buying a used label printer (on eBay of course). I’ll write about the specific printer in another post, but if you plan to buy one be sure that it will print 4" X 6" labels if you’ll be using eBay for shipping. Many consumer “postage” printers will only print the postage and not the entire shipping label. Just be sure that the printer is suitable for and supported by the shipping service you’ll use. Printers may accurately claim to print “postage” and “address” labels, but that is not the same as printing full shipping labels for USPS, UPS or FedEx.

Boxes

I’d been saving packing material for awhile so I did have a supply I could use, but I didn’t have a supply of appropriate boxes.

First, it’s important to realize that the boxes you buy will need assembly, they ship flat. At least the boxes that are a reasonable cost will ship flat. For my initial auctions I just went to the local Staples and bought some boxes. There was a significant discount for buying 5 or more of the same box so the price per box was reasonable for small quantities. It did mean it was cheaper to ship a couple items in boxes that were bigger than needed, so more packing material, although they weren’t so big as to increase shipping costs.

The USPS provides free boxes for shipping via Priority or Express Mail. You can order these online and delivery is free, or you can pick some up at the post office. eBay will also ship you these boxes for free. If you plan to use priority mail it’s worth having some of these available.

Once I knew I’d be selling more I did some online shopping to buy larger quantities. I found that shipping charges were a significant factor when comparing prices. In general I found that Staples had the best price if I qualified for free shipping. Uline had many more box & envelope options although prices varied, especially once shipping was added. In general Uline box prices were lower than box prices from Staples, although they tended to become slightly higher once shipping was factored in. Other online sellers were significantly more expensive once shipping was factored in. Uline and Staples are close enough in price to make comparison shopping worth it for me whenever I need more shipping supplies. Uline also has a wider variety of box types and sizes.

If you use eBay for shipping/postage labels the box will need a 4" X 6" flat surface for the label. Officially, the post office won’t allow the label to wrap around the box. But others have reported that as long as the barcode is on a flat surface, so it can be scanned, and the address is also on a flat surface then the package will go through. For my small items I’ve found it easier, and actually more economical, to pack it in a small box and then put that box in an envelope that is large enough for the label.

Having the barcode easy to scan is important, especially with eBay. Be sure that the barcode is on a flat surface and the label isn’t crinkled through the barcode. If possible, avoid having a box seam run through the barcode as this would make the barcode easier to damage during shipping.

Postage & Shipping

You can buy postage and print labels through eBay which is what I do. eBay provides discounted postage so the prices are pretty good. Since I’m a casual, low-volume seller I haven’t researched any competitors. Shipping via UPS and FedEx is also available although I haven’t used either one of them as they’ve always been more expensive than USPS for my items.

You can limit countries that you are willing to ship to. I’ve limited my sales to the United States. My items are low cost and I don’t consider international shipping worth the potential hassle. From a buyer’s perspective, shipping could be more than the item which would probably be enough to drive international buyers away. Plus, there could be customs charges they aren’t expecting.

eBay does have a Global Shipping Program which could smooth things out, although the shipping cost would still be high and probably still keep people away. I may try it in the future.

One thing I found out was that although there is a setting to specify countries I didn’t want to ship to, it didn’t actually prevent people from outside the US from placing bids. I had excluded every country except the US but had a bid from Canada. Luckily I had specified “Ships to U.S. only” in the listing so I could have cancelled the sale if the buyer won. I found a second setting to actually block bidders from countries I wouldn’t ship to and enabled this.

eBay does allow the creation of rules that can be applied to combine shipping at lower charges although I haven’t used these. I’ve found it easier and more reliable to have buyers of multiple items request an invoice for combined shipping. I haven’t found this too burdensome and it allows for lower shipping costs for the buyer.

It’s critical that you make sure the post office scans your package when you drop it off. (Pickup is also available although my Post Office is nearby so I’ve never done this.) eBay doesn’t consider it shipped until the first post office scan. Just buying postage and assigning a tracking number isn’t enough. This proves you shipped the item and that it was shipped within your promised time window. I’ve done this two ways.

First, I ask for a receipt when I drop the package off. The clerk weighs the package and scans the barcode. This can be time consuming since each package must be weighed and scanned. This does have the added benefit of verifying that there’s enough postage.

The second way, and what I try to do, is to use a SCAN form (Shipment Confirmation Acceptance Notice). This has the benefit of being quick since only one scan is needed and the packages are just counted, not weighed. All the packages associated with the Scan form are automatically reported as accepted with that one scan. There are some downsides to this method. The postage is not verified, so if you underpaid postage the package may be returned or it may arrive with postage due. In addition, the Scan forms are finicky. If you need to void a label associated with the form then the form cannot be used. If you use the form you will be unable to get a refund for the voided postage. Plus, the form can only be used on the date specified on the form.

While other software or services may vary, the eBay shipping software requires all labels to be purchased and printed at the same time in order to be associated on the Scan form. I’ve used two forms on the same day, but presented them at different times (morning and late afternoon). If you present multiple Scan forms at the same time the post office may complain.

Pricing Shipping

As I already mentioned, eBay includes shipping when calculating your final value fees. PayPal will also charge you their fees for the money collected towards shipping. So this means you lose nearly 13% off the top. If you let eBay calculate the shipping they do not consider these fees. They do calculate the shipping charge based on the full retail postage cost, so if you use eBay or another shipping service they may discount the postage and you’ll recoup some or all of the fees.

eBay tends to promote free shipping in the search results so if you can roll postage into the price of your item it may help sales. They further promote Fast & Free items that have free shipping and same-day or one-day handling times.

Since my items are relatively small and light, while also being inexpensive, I charge a flat rate. I’ve made the rate high enough to recoup my fees on the shipping in addition to the actual postage. I use eBay for shipping so the postage discount does keep the postage charges reasonable from the buyer’s point of view.

For heavier items I’ve been shipping priority mail and letting eBay calculate the postage since the cost varies by destination. In this case the discount on postage doesn’t cover the fees. But since these are also more expensive items the cost of the item can absorb the difference. eBay also allows a handling charge to be added to the calculated postage which could also be used to cover fees and packing material.

In the U.S. there’s not much difference between delivery times for first class or priority mail, while the cost difference can be significant. Since most of my items are below 8 oz. I use first class mail. If people buy multiple items I have them request an invoice so I can package & weigh the items and then charge based on the actual shipping. eBay does allow rules to automatically calculate shipping for multiple items but these don’t work for me. If someone orders enough to go above the 16 oz. first class limit there’s a significant jump in postage. Because my items are low cost I don’t have any cushion and would need to assume “worst case” when setting up the rules. While it would always cost less than the individual shipping charges, people buying two or three items would be overcharged for shipping when compared to me charging based on the actual cost. I haven’t found this too burdensome for me and the buyers don’t seem to have any problems either.

Wrapping Up

Overall I consider the eBay experiment a success and I will keep using it as I de-clutter my apartment. It’s been worth the time and effort so far. The fifty free listings that eBay offers every month seem to be a good level for me, although I could probably handle a slightly higher volume.

Using eBay’s calculator I would have to sell about 100 items a month to break even with a store subscription. That seems to be about the most I would want to list during the month and I have doubts if I could sustain it. As I de-clutter my place I’m taking photos so I can get ahead of 50 auctions per month and see what type of backlog I can build up. It may be worth it for me to get a subscription for one or two months and then try to blow everything out. But packaging/shipping is time consuming so I wouldn’t want to have to worry about getting new auctions together.

Even though I could wait 90 days to minimize my fees and maximize my income I’ve decided to keep listing items every week for two reasons:

  1. While this isn’t a business for me, the vast majority of my items will be N-Scale model railroad items. It’s a niche and because of this I think it’s important to get people used to seeing my stuff on a regular basis.
  2. I don’t think I’ll ever find a store subscription worth the cost, so to maximize my fees I’m limited to 50 listings a month. I really want to get a lot of this stuff out of the apartment and don’t want to delay.

I’m not totally ignoring the benefits that 90 days will bring. As I tick off the 90 days needed to receive some of the other benefits I’ve been selling my lower priced items while saving the higher priced items until I can minimize my final value fees while also building up my feedback.

Task Manager Burn & Build Notes

I started what I call my Task Management Burn and Build about a month ago. I’m still not completely comfortable with where things stand now, but it’s time to stop fiddling and try to settle into my new task management workflow and see exactly where it falls short. I’ve come across a few things worth noting. While they won’t apply to everyone, I’m sure they aren’t completely unique to me.

Please, I Want To Pay

If I’m going to use a software or service to run my business, and life, I want to be sure it’s supported and around for a long time. So not only am I willing to pay for the software or service, I consider it a positive feature that enhances the product.

Of course, there has to be a value proposition that’s in my favor or at least equal. For example, Asana and Trello were very similar in the way I was using them. To get the features I wanted from Trello would cost me $40 a year, while the free level of Asana has all the features I would need. The least expensive paid level of Asana is more than I would be willing to pay, especially since it doesn’t add any features I would use. While Trello did seem to be a slightly better fit for me than Asana, I also thought a little less of Asana because I wouldn’t be paying for it. Free wasn’t something that added to Asana’s ability to pull me in. If I find, after a year, that I’m not using Trello enough to justify the cost I might switch to Asana. If I can’t justify $40 a year then the service wouldn’t be integral to my workflow and free isn’t a detriment since I wouldn’t suffer if it went away.

Software & Services Can Go Away

Similar to wanting to pay for a service I use, I also want to make sure that the software or service has a business plan. I’ve never committed to If This Then That (IFTTT) because they didn’t have any visible business model. They implemented one recently but it doesn’t seem all that robust (or profitable). My fear would be that they either just fold up, or get bought up and radically changed.

Zapier is a similar, but more robust, service like IFTTT. They also have a limited free level but have subscription plans. While Zapier could certainly go away I would lean towards using it because I view them as more stable. But as I said above, there has to be a value proposition in my favor and at this time I can’t justify the cost of a Zapier subscription.

Of course, any software or service can go away. So I try to keep data in a format that’s transportable between different software and services. Unfortunately this doesn’t seem to be a viable option in the task managers that I looked at. Some do have import/export options but getting compatibility between different applications could be a major effort and not something I would count on.

One Size Doesn’t Fit All

I’ve always tried to keep all my task and project management in one application, which was OmniFocus for the last two years. As I experimented with my new task workflow I came to realize there wasn’t one application that would do it all. Picking one app would mean that I would lose certain features and abilities. As I looked through other apps it became apparent that if I wanted to use just one app then that would mean staying with OmniFocus. And I already knew that OmniFocus was falling short.

OmniFocus is Apple only, iOS and Mac OS, and it can’t be shared with others. While there is more automation around new versions, getting tasks into OmniFocus typically requires more steps.

Todoist makes it easy to get tasks into it. There’s a lot of integration with other web services including IFTTT and Zapier. OmniFocus provides no real integration although tasks can be added using email if the OmniSync service is used.

While templates can be created for Todoist projects, I can’t leverage them because I don’t have very many standard projects. So I found it tedious and time consuming to add medium to large projects. Making this worse was that the way Todoist handles subtasks just doesn’t work for me. I tried several alternative methods but none really clicked with me. (In short, subtasks can’t be set to repeat with the parent task. They appear as done when the parent repeats. If they are set to repeat on their own they immediately re-appear with the new date when marked as complete. This makes it hard to quickly see what still needs to be done.)

On the other hand I like the ability to plan visually with Trello, especially for larger projects. But I have a lot of shorter projects (usually recurring) or a single task that needs to be repeated on a weekly basis. I found Trello cumbersome for these short and single task projects. They could be done, but it was always uncomfortable and I never lost the feeling that I was forgetting something.

While Todoist could share projects I found Trello easier for others to use. Even if they weren’t familiar with Trello it was easy for them to go into Trello and see where the project stood. They could do this with the free plan and it’s a good way to keep others updated.

Current Status

Eventually fiddling with task apps becomes counter-productive. I’ve settled into a system which seems to be working for me. It was kind of an accident, although it was a bit intentional. As I set up new projects in Todoist and Trello I saw what worked and what didn’t. The same happened when I moved projects from OmniFocus to Todoist and I did encounter some workflows that failed fast. Since I hadn’t deleted the projects from OmniFocus it was easy to move back as I tried to find a solution.

I’m currently using three task managers. Just writing that makes me cringe since I think that’s two too many. But things settled into a natural order and I think it’s made me more productive.

Todoist has settled into the role of the task manager for my personal tasks. Since I work for myself there’s a group of tasks that can be either personal or business. For example, is reading tech articles personal or business? I used to think that if I had two task managers, one personal and one business, I needed to properly classify each and every task. Instead, since it’s easy to get tasks into Todoist I use it for tasks that come to me during the day. These are mostly personal tasks and a few that fall into that middle ground.

Even though I now have two task managers they naturally split my tasks in a way that allows me to mode shift in a productive way. During the time I consider my workday I use OmniFocus and only OmniFocus (OK, occasionally Trello for planning or to update others, but mostly OmniFocus and never Todoist). The work I do at my desk (or what passes as my desk if I’m on the road) and work related to a customer’s project are in OmniFocus. This keeps me focused on my business projects. I don’t even see my personal tasks since Todoist isn’t even open, so there’s nothing to catch my eye and send me down a rabbit hole. The vague personal or business tasks aren’t anything that needs to get done during my workday so being in Todoist isn’t a problem. They are typically articles to read, emails to answer and similar things which I typically do after my workday, or for a limited time during lunch.

So multiple task managers have helped me focus and remain productive during the day. Another benefit is that I’m no longer checking off completed items in OmniFocus during the day, or if I am it’s because of progress towards a business goal. When everything was in OmniFocus I would often check off a number of small personal tasks that didn’t make progress towards a major goal. Despite not having any substantive progress I would feel like I did a lot and could relax, after all I finished 10 tasks from my list. That made it hard to stay focused and motivated.

Summary

The big lesson for me from this burn and build is that not only don’t I need one task manager for everything, I’ll be more productive and focused using two. It helps me keep my focus in the right mode, business or personal.

I’m still looking for a way to replace OmniFocus since it’s not cross-platform. This is less critical now that I have other apps in my system so I won’t dedicate a lot of time to the search, but I will remain on the lookout.

Todoist is working well, but I’m not optimistic that it will be changed to eliminate where it falls short for me. I don’t like the way sub-tasks work but it is a valid method and I’m sure there would be many complaints if it was to change.

I’m sure I’ll make some tweaks over time, but for now my task management system has been rebuilt and is ready to use.

Synology News: DiskStation DS1517+ and DS1817+ introduced

Synology DS1817+ (image from Synology)

The DS15xx+ and DS18xx+ have always been my go to solutions when I needed a workhorse NAS. I currently run a DS1815+ as my primary NAS and an older DS1511+ has been a reliable backup destination since it was replaced by the DS1815+. Synology updated both those models for 2017, releasing a DS1817+ and a DS1517+.

The press release calls them “5-bay and 8-bay tower servers” which, while not completely incorrect, could be misleading. They are oriented horizontally and appropriate for a shelf. They don’t take a lot of space vertically.

They support the new M2D17 M.2 SATA SSD adapter or a 10GbE network interface card, both of which are optional. The M2D17 allows setting up SSD caches without using an internal bay.

Each NAS also supports up to two of the new DX517 expansion units. Each DX517 adds 5 drive bays. The new models can be expanded to 16GB of memory, which is now faster dual channel memory.

The two new models, along with the new expansion unit, all come with a 3 year warranty. This can be expanded to 5 years in some countries.

While they aren’t available for delivery at this time, only pre-order, Amazon (US) lists the DS1817+ w/8GB RAM for $950 and the DS1517+ w/2GB RAM for $700. These are about the same as the prices for the previous models when they were originally released, although the price has dropped now that they are the old models. This is especially true for the DS1815+ which is down to $835 (w/2GB RAM) on Amazon and B&H Photo.

Synology Press Release: Synology® Introduces DiskStation DS1517+, DS1817+, and Expansion Unit DX517 – News | Synology Inc.

Google vs. Symantec Certificates

If you run a website that uses SSL there’s a 30% chance you use an SSL certificate issued by Symantec (they bought Verisign’s certificate business, among others) and this affects you. If you use Google Chrome to browse the web, and well over half of us do, then this will affect about 30% of the websites that you visit.

The cornerstone of SSL encryption is trust. When I browse to a site that has SSL encryption I have to trust that the certificate correctly identifies the site. If I’m browsing a site like this one, which uses HTTPS (SSL encryption) but doesn’t contain any personal data, doesn’t require a password, and doesn’t have a store, then all I care about is that the traffic is encrypted. I can use Let’s Encrypt which is free, but doesn’t make any attempt to identify the site owner. All it does is verify that the certificate requestor has access to the domain/website. But if I visit a web shop or financial institution then I want to be sure the site is who it says it is. This puts a greater burden on the certificate issuer to verify the legitimate identity of the certificate requestor.

There are various levels of certificate validation. Certificates such as Let’s Encrypt are at the bottom of the list. They encrypt the data to and from the site, but do nothing to verify the identity of the site’s owner. They just provide domain validation – the certificate matches the domain it is installed on and the person requesting the cert had management access to the domain. The bad news here is that the site shows a valid certificate and most people don’t know about the various certificate levels. This can lead to abuse. For example, certificates with PayPal in the domain name can be used for phishing: paypal.com.dsfwrfece.ru could be issued and used for a phishing email. While this is an abuse, it is not a violation of the rules certificate authorities are expected to follow. The goal of encrypting everything is bumping against how people interpret that green lock in their browser address bar.
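The hostname in that example only looks like PayPal's: the part that was actually registered is dsfwrfece.ru. The check below is an added example, not part of the original post, that flags such names in a certificate's name list; the short suffix set stands in for the real Public Suffix List and the brand table is a hypothetical watch list.

```python
# Added example: flag hostnames that carry a brand name the brand does not own.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix
# List, and BRANDS is a hypothetical watch list; both are assumptions.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "uk", "co.uk"}
BRANDS = {"paypal": {"paypal.com"}}  # keyword -> registrable domains it owns


def registrable_domain(hostname):
    """Return the public suffix plus one label, i.e. what was registered."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":          # wildcard name such as *.example.com
        labels = labels[1:]
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                               # suffix not in our list


def lookalike_findings(hostname):
    """List (brand, registrable_domain) pairs where the brand appears in the
    name but the registrable domain is not one the brand owns. A name whose
    suffix is unknown is treated as not owned."""
    reg = registrable_domain(hostname)
    host = hostname.lower()
    return [(brand, reg) for brand, owned in BRANDS.items()
            if brand in host and reg not in owned]


def review_names(dns_names):
    """Check every DNS name taken from a certificate's subjectAltName list."""
    results = {}
    for name in dns_names:
        hits = lookalike_findings(name)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    # Constructed sample names; the second is the hostname from the text.
    sample = ["www.paypal.com", "paypal.com.dsfwrfece.ru",
              "*.paypal.com", "shop.example.co.uk"]
    for name, hits in review_names(sample).items():
        print(name, "->", hits)
```

The same function can be pointed at names seen in mail gateway logs or Certificate Transparency feeds once the suffix set is replaced with the full Public Suffix List.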

Then there are higher levels of certificates and, unlike Let’s Encrypt, these certificates are not available for free. At the highest level are Extended Validation Certificates (EV Certs). EV Certs validate the legal entity that owns the website. Between the domain validation and EV certs are organization validation certs. While there are differences among issuers, these certs generally validate an organization and its authority to administer the website.

The hub of trust among all these certificates is the set of Root Certificates that are included in the operating system. (In some cases they may be in the specific software or browser.) These root certificates are then used to determine if the website’s certificate can be trusted. Google documents their Root Certificate Policy here.

Google has determined that Symantec violated these policies and is reducing their level of trust in all Symantec certificates. While no action has yet been taken (except possibly in the latest developer release), beginning with Chrome 59 (currently Chrome is on version 57 in production) Google Chrome will begin to decrease the length of time they consider Symantec certificates valid. By the time Chrome 64 is released the certificates can only be valid for 9 months. This will require Symantec to issue certificates more frequently and gradually age out certificates Google feels can no longer be trusted.
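To see where a certificate you run stands against both the validation levels and the 9-month limit described above, the following added example (not from the original post) works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. The two certificates are constructed samples, the level is a heuristic read from the subject fields because that dictionary does not expose the certificate policy OIDs, and "9 months" is taken as nine 31-day months.

```python
import ssl

NINE_MONTHS_DAYS = 9 * 31   # assumption: "9 months" as nine 31-day months
# Subject fields that normally appear only in EV certificates. Older OpenSSL
# builds report the jurisdiction field by its dotted OID instead of a name.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "1.3.6.1.4.1.311.60.2.1.3"}


def _flatten(name):
    """getpeercert() names are tuples of RDNs, each a tuple of (key, value)."""
    return {key: value for rdn in name for (key, value) in rdn}


def validation_level(cert):
    """Heuristic: EV carries business fields, OV an organization, DV neither."""
    subject = _flatten(cert["subject"])
    if EV_FIELDS.intersection(subject):
        return "EV"
    return "OV" if "organizationName" in subject else "DV"


def validity_days(cert):
    """Length of the validity period in whole days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400


def review(cert, issuer_keywords=("symantec", "verisign")):
    """Summarise a certificate and flag one from a listed issuer whose
    validity period is longer than the 9-month limit."""
    issuer = _flatten(cert["issuer"]).get("organizationName", "")
    days = validity_days(cert)
    listed = any(word in issuer.lower() for word in issuer_keywords)
    return {"level": validation_level(cert), "issuer": issuer, "days": days,
            "over_limit": listed and days > NINE_MONTHS_DAYS}


# Constructed samples in getpeercert() layout (not real certificates).
DV_SAMPLE = {
    "subject": ((("commonName", "blog.example.org"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar 15 00:00:00 2017 GMT",
    "notAfter": "Jun 13 00:00:00 2017 GMT",
}
OV_SAMPLE = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Symantec Corporation"),),),
    "notBefore": "Jan 15 00:00:00 2016 GMT",
    "notAfter": "Jan 15 00:00:00 2019 GMT",
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(review(sample))
```

The issuer keywords are the two names the text gives; Symantec's other certificate brands are not listed on this page, so pass them in yourself if you need them.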

Google’s announcement was of their intent and Symantec disputes the severity and extent of the problem so this may all get worked out before any action is actually taken. This sort of thing can have a big impact on Symantec’s certificate business since their product, at its core, is trust. When DigiNotar had a security breach that resulted in fraudulent certificates being issued they were dropped by all major browsers and went bankrupt within a month. So Google’s actions are less severe than some past cases, and have yet to be followed by other major browsers.

Recommendation

If you have a Symantec certificate that needs renewal in the near future I’d recommend switching to another issuer if this hasn’t been sorted out yet. I’ve used DigiCert in the past and find their customer service to be excellent so I can recommend them. If all you need is domain validation, to encrypt all traffic (and get a ranking boost from Google), then Let’s Encrypt is free and suits the purpose.

Personal VPN

There’s been a lot of privacy talk in the news recently, triggered by the U.S. House and Senate voting to stop new ISP privacy rules from taking effect. This won’t be a discussion on the politics, but since the President is expected to approve the measure it’s worth considering options if you’re concerned. Plus, it’s never a bad time to review security. One thing worth mentioning is that the affected rules were slated to take effect at the end of this year, so the change simply maintains the status quo. On the other hand, I don’t know of anyone outside of the big telecom companies that considered the new rules to be a bad thing for consumers.

Generally, VPNs (Virtual Private Networks) have been used to provide security when you’re on the road, using unknown networks. They provide an encrypted tunnel between you and wherever your VPN provider enters the internet. A VPN can also be used to keep your ISP from seeing what sites you visit, although they are rarely used for this today.

Most ISPs provide an option to opt-out of tracking, although it may be hard to find out how to do this. If you want to limit ISP tracking then your first step would be to hunt down this option and opt-out.

Some things to keep in mind when using a VPN from your home:

  • VPNs will negatively affect your performance. This may not be noticeable and the impact will vary over time, but all VPN services will impact performance at least some of the time.
  • While data is hidden from your ISP (although they will know you are using a VPN), your VPN provider will be able to see all your traffic. Like your ISP, they could track you.
  • A VPN service isn’t an ironclad security or privacy guarantee. Websites can still track you through your browser usage. Plus, you need to trust the provider to properly implement the service.

There are hundreds of VPN services out there and choosing one can be daunting. There are a few that I have extensive experience with and can recommend.

TunnelBear is a Canadian company that offers VPN service on Mac OS, Windows, Android and iOS. They also offer a Chrome plugin to encrypt browser traffic. They don’t keep any logs but they also don’t allow torrenting. Pricing is $50 for a year of unlimited use, paid in advance. If you want to subscribe on a monthly basis it’s $10/mth. They offer a free plan that provides 500MB of data per month. The free plan can also serve as a trial.

The iOS client uses IPSec/IKEv2 which requires UDP ports 500 and 4500 which may be blocked on some networks. I didn’t have any issues when using TunnelBear around town. I did have to enable IPSec Pass-through (which opens those two ports) on my home router in order to use TunnelBear when at home.

Cloak VPN is based in the United States. Their VPN clients are limited to Mac OS and iOS. Cloak is pricey for a yearly subscription at $100, which provides unlimited data. But they offer smaller plans which can be economical if you only need sporadic use of a VPN. A 5GB/mth plan costs $3 while an unlimited weekly pass runs $4.

Cloak is one of the easiest VPN clients to use. It can automatically connect to networks and enable the VPN, blocking traffic until the VPN connection is active. You can also identify trusted networks so that the VPN is not enabled on these networks.

Synology VPN (or VPN+): If your goal is to prevent your ISP from tracking your internet travels then Synology VPN is a non-starter. The VPN server is on your Synology NAS (or router) and all traffic will leave the VPN tunnel before it heads off on the internet via your ISP. While it provides security when you’re out on untrusted networks it will route all your mobile traffic through your ISP, giving it even more information.

Another option is a whole house router, where your router connects to a VPN service as a client. You’ll need a router that supports this setup and a reliable VPN service. These days many routers do list a VPN feature, but this usually means the router runs a VPN server that you can connect to when you’re out and about. This has the same drawback as the Synology VPN in that it doesn’t hide anything from your ISP. I’ve never been able to justify the cost and complication of a router based whole-house VPN client so I don’t have any actual experience with this type of setup.

If you want more information here are some places to start:

VPNs Are for Most People—Including You | The Wirecutter – This was updated March 24, 2017 and provides a VPN overview along with more details about what to look for in a VPN provider.

Best VPN Reviews | Best10VPN – Mega-list of VPN providers. As usual, never make a decision based on one internet site, but this can provide a good starting point.

How ISPs can sell your Web history—and how to stop them | Ars Technica – An overview of the recent legislative changes (or non-changes) and options for dealing with them.

iOS 10.3 Released

Yesterday Apple released iOS 10.3 for iPhones and iPads. This is a big one, especially under the hood. Apple is switching to the Apple File System (APFS) on iOS (eventually Mac OS will follow). While I haven’t had any issues, or heard of any, a file system change is a big deal. It’s possible that the file system conversion could break an app or corrupt data in a way not even the developer can fix. So be sure to back up your iOS device before installing the update. You may also want to put the update off a week or two and let other people uncover any issues.

This update did feel like it took longer than usual, about 25 minutes each on my iPhone 6s and my iPad Pro. My iPhone 6s also saw the battery drop from 100% to 87% after the upgrade. The iPad Pro only lost about 2% from the battery meter.

Other updates include:

  • Find My AirPods is now available in the Find My iPhone app.
  • There’s a new Today screen widget for the Podcast app.
  • Weather information is now available in Maps for iPhone 6s and newer phones.
  • Apple ID information has been consolidated and put front and center in the settings screen. The Apple ID Profile now also includes a view into your iCloud Storage usage.
  • iCloud calling is now available on Verizon so you can make and take calls when the iPhone isn’t around but other devices are.
  • Settings -> General -> About -> Applications should warn you about apps that may slow your phone (32-bit apps). I don’t have any so I couldn’t see this in action (or I do and it’s not working – I think it’s the former).

As usual there’s also a plethora of security updates to iOS 10.3.

Last warning – be sure to back up before upgrading, especially this time.

Mac Backup Programs – An Overview

Backup applications are varied in both their abilities and price. Plus, people have different needs. The important thing is to have reliable backups. There are a couple things I consider essential in all situations, at least for individuals and small businesses.

  1. The backup must happen automatically and not require human intervention. Unless you have dedicated IT staff this will always be secondary to everything else and eventually get skipped.
  2. At least one set of files must be off-site, away from the computer where the data is used every day. The farther away the better, in order to avoid a situation such as a natural disaster that affects you and the offsite location.

I find the following backup programs well suited to meeting these needs. While some may have versions for Windows and Linux, I’ve mainly used Mac versions, and any Windows-specific options are ignored (with one exception).

Arq

Arq is my favorite backup program for the Mac. It doesn’t provide any of its own storage (it’s not a service) but it does integrate with a large number of third-party services. Naturally it can also back up to a folder on an external drive or NAS.

Arq can maintain a file history and works similarly to Time Machine. You give it a quota for space (or money budget for paid services like Amazon S3) and Arq will keep copies of old files until that quota is filled, then start deleting old files.

It can back up to Amazon S3 and Amazon Drive, which are the cloud services I use regularly. It can also back up to Amazon Glacier, Dropbox, Google Drive, Microsoft OneDrive, Google Cloud Storage, and DreamObjects. SFTP destinations can also be used along with the already mentioned local storage or NAS.

A must-have feature of Arq is that it will (optionally) encrypt the backups before the data leaves your computer. So even if your cloud service is hacked your data is still encrypted, and only you know the encryption key.

There is now a Windows version although I don’t have any experience with it.

CrashPlan

CrashPlan has been my long-time choice for Windows backup. I don’t have a lot of clients with Windows machines, but this is my recommendation for friends & family. There are Mac, Windows and Linux versions.

The software is free for backups to local drives, to a friend’s computer, or to a second computer you may have. There are also a few other limitations with the free version, such as no unlimited saving of old file versions. They offer an online backup service with prices starting at $60/year or $6 per month for one computer. The rest of this summary relates to features in the paid subscription.

CrashPlan will keep an unlimited number of old file versions as well as copies of deleted files. You can encrypt the backup using your own encryption key (or theirs) and files are encrypted before leaving the computer. You may need to enter your encryption key in the mobile app or in a webpage for restore, so it is potentially less secure as there are more things that can go wrong.

One feature I like is a weekly email to summarize the backup status. This lets me know if a family member’s computer has a problem completing the backup, or if there’s been a significant change in the amount of data being backed up.

ChronoSync

Like Arq, ChronoSync only provides the software; it is not a backup destination or service. In all the years I’ve owned ChronoSync I’ve never been charged for an upgrade, and there have been many, many updates. New features have been added in addition to simply maintaining compatibility with macOS upgrades.

As the name implies, ChronoSync revolves around syncing, rather than a traditional backup. But these days it can be used as a traditional backup. ChronoSync can also connect to Amazon S3, Google Cloud Storage, or an SFTP server for backup or sync.

ChronoSync can also keep an archive of any replaced or deleted files. Whether or not an archive is kept, and for how long, is fully configurable. If you do a lot of transfer between Macs on a regular basis there’s a ChronoAgent to help manage these remote transfers.

Time Machine

Time Machine holds a strange place in my backup strategy and recommendations. I recommend everyone use it, although it can sometimes have issues and I don’t trust it as my only local backup. It comes with every Mac and it’s been extremely useful when I need to recover an old file.

I’ve actually never had a problem getting a file back when I’ve needed it. But I have had times where Time Machine tells me it can no longer use the backup and must start fresh. This doesn’t build confidence. Using a locally attached drive is more reliable than using a NAS (or Time Capsule) as the backup destination.

I find Time Machine useful and reliable enough to keep backing up to my NAS with it. It’s an inexpensive way to backup a Mac, but I recommend having a second backup. That second backup could be offsite and harder to get to or restore. I wouldn’t recommend two Time Machine backups (which can be done) as your only two backups.

SuperDuper! and Carbon Copy Cloner

I grouped SuperDuper! and Carbon Copy Cloner together since they are similar. Both, at their core, are applications that clone a Mac hard drive. I was a long time user of SuperDuper! and it worked great. Then Carbon Copy Cloner came out with version 4 which brought the software to a new level. I switched to it because of its ability to script the clone a bit more than SuperDuper! and it was possible to chain the clones together.

Carbon Copy Cloner also has a safety net feature which saves files that were deleted since the previous clone.

SuperDuper! is free to do a basic drive clone. The paid version adds scheduling, smart updates and scripting among other things.

Carbon Copy Cloner has a free trial. The paid version, needed once the trial runs out, is slightly more expensive than SuperDuper! but does have more features.

Either program will work and if SuperDuper! meets your needs then you can save some money by using it.

Additional Backup Software

I have limited experience with the following Mac backup software. What experience I have has been good and they all get good reviews in the tech community.

Backblaze

Backblaze is similar to the previously mentioned CrashPlan. It provides offsite (online) backup with Personal and Business subscriptions. Unlike CrashPlan the only backup destination is their cloud.

Carbonite

Carbonite is another online backup service. Like many of these online services it will only back up user-generated files for the lower-cost personal plans. If you don’t use the standard Windows or Mac user directories then some data files may be missed by the backup.

Mozy

I used to recommend Mozy several years ago. Then I had problems with their software around the time their ownership was also changing. Overall it was a terrible experience and my solution was to pick another service. I haven’t recommended Mozy since. They’ve changed hands again (possibly more than once) and are now owned by Dell. I still wouldn’t recommend their personal plans, but I would consider their business plans as they seem much more focused on business services.

SpiderOak

When I first used SpiderOak they were a new offering that was much like Dropbox, it really wasn’t a backup solution. I liked them back then because they were focused on security. I moved away from them because Dropbox and iCloud provided enough security for the types of things I was storing in the cloud and they provided integrations with more apps.

The other online backups I mentioned tend to provide unlimited storage space (although with other possible restrictions) for a set price per device. SpiderOak, because it provides both Sync and Backup, has tiers for the space you want (100GB/250GB/1TB). The charges are reasonable although you may want to consider alternatives if you don’t need sync and have only one device, with a lot of data, to back up.

Summing It Up

All of these backup solutions provide a free trial and you should take advantage of this to see which works best for you. For online backup solutions you should be aware that the first backup may take a long time. If you’re using a free trial I’d suggest picking a subset of files so the backup will finish and you can test out a restore. Generally, home and business cable ISP plans have a slower upload than download speed and it’s the upload speed that matters. If your ISP has bandwidth caps this could also be an issue. Your first backup will use a lot of bandwidth but future backups will be less since only new and changed files will be backed up.

I use Arq as my primary backup software and have for a long time. Currently I use it to backup to Amazon Cloud Files and Amazon S3. I also use Time Machine regularly although I keep very little data on my computers, most is on my NAS. I like the ability to quickly grab an old file without having to pull out any disks or wait for an online download. Finally, I use ChronoSync to move files around locally and to create local backups.

In putting together this overview I’ve come to realize that the software I’ve used for years has added new features that I could be using but haven’t explored. I’ll be exploring ChronoSync as a more complete backup solution including cloud backups. I also noticed SpiderOak has become a real backup solution in the time since I used it. It may be worth revisiting.

While your needs may vary, any of these backup solutions should reliably protect your software. The trick is picking the one that meets your specific needs. There’s no excuse not to have backups.