I shot off an Email to Jason about this. This needs to be fixed, ASAP! To me, my own print-out of an FA-10 is critical to my personal record-keeping.
-
If you enjoy the forum please consider supporting it by signing up for a NES Membership The benefits pay for the membership many times over.
-
Be sure to enter the NES/MFS February Giveaway ***Taurus G3***
I shot off an Email to Jason about this. This needs to be fixed, ASAP! To me, my own print-out of an FA-10 is critical to my personal record-keeping.
stoneypete
NES Member
- Joined
- Nov 1, 2005
- Messages
- 3,803
- Likes
- 389
This.
The help PDF sucks! How is this information getting out to gun owners, dealers and PDs? My dad, my dealer and my LEO friend know NOTHING about this!
This is just another way to track honest gun owners and their guns electronically and pounce on them when a mistake is made.
The personal sale or transfer say (OR) State Firearms Dealer License No.:* The dealer field is required.![[thinking]](/xen/styles/default/xenforo/smilies.vb/010.gif "Thinking [thinking]")
. PDF says not to do both. Who was the genius that programmed that one? Simple fix but I am sure they are not concerned with making our lives easier.
As for registration....![[tinfoil]](/xen/styles/default/xenforo/smilies.vb/tinfoilhatsmile.gif "Tinfoil Hat [tinfoil]")
Inheritance. What if the decedent is not from MA and obviously does not have an FID/LTC? PDF help. Fail!
Surrender Weapon to Police. Yeah, I see people jumping all over that.
Transfer to Buyer After Surrender. That is nicely over simplified. It seems to me that if the previous gun owner surrendered under a felony conviction and had a buyer there is a potential of a straw purchase. Also my gut tells me the PD would not be overly enthusiastic to release the firearms because the online forms was filled out. There is more behind that one, 129d, restraining order, etc. Does the 4 transaction apply here too?
I assume this is like the dealers page and it is one transaction per gun. So for personal sales or a dozen guns it may work (not that I like or agree with it) but not for 30, 50 or more. One transaction for each gun for a large inheritance or surrender.
EPIC FAIL!
This is just another way to track honest gun owners and their guns electronically and pounce on them when a mistake is made.
The personal sale or transfer say (OR) State Firearms Dealer License No.:* The dealer field is required.
. PDF says not to do both. Who was the genius that programmed that one? Simple fix but I am sure they are not concerned with making our lives easier.As for registration....
Colonel Ernesto Bella Red Dawn FA-10 work just fine too.
Inheritance. What if the decedent is not from MA and obviously does not have an FID/LTC? PDF help. Fail!
Surrender Weapon to Police. Yeah, I see people jumping all over that.
Transfer to Buyer After Surrender. That is nicely over simplified. It seems to me that if the previous gun owner surrendered under a felony conviction and had a buyer there is a potential of a straw purchase. Also my gut tells me the PD would not be overly enthusiastic to release the firearms because the online forms was filled out. There is more behind that one, 129d, restraining order, etc. Does the 4 transaction apply here too?
I assume this is like the dealers page and it is one transaction per gun. So for personal sales or a dozen guns it may work (not that I like or agree with it) but not for 30, 50 or more. One transaction for each gun for a large inheritance or surrender.
EPIC FAIL!
I heard back from Jason . . .
He duplicated this problem . . . with Pop-up blocker enabled.
Seems like the answer is to "trust" pop-ups from this site, so you can print the PDF. Perhaps CJIS can put a notation on that page that users must do this so that it enables print function?
Great - so we have to ignore multiple indications of flawed security to use this...
Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?
Great - so we have to ignore multiple indications of flawed security to use this...
Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?
I'm sure Jason would be fine with that!
Great - so we have to ignore multiple indications of flawed security to use this...
Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?
Turning off a popup blocker, on this site or even just when you want that page to print, is a far way off from opening "security" problem. The certificate problem is more how your browser treats. As I was no prompted withing on Chrome.
I disagree in both cases from experience and I won't tolerate web sites that require me to compromise security to use them. There are enough attack vectors out there things are working correctly. I have no intention of trusting bogus certificates or allowing pop-ups when neither should be required to perform this function.
I'm also saying that their inability to configure this correctly and test it shows that they are not competent to perform this function without a very high risk of other security flaws.
I agree with Cekim, I refuse to even think about logging into that system until they fix that crap.
The cert problem is 110% amateur night crap. A government website should not have a cert chain problem. Someone is probably trying to chinse out on the cert by using one of the skinflint CAs or there is a massive configuration problem.
-Mike
The cert problem is 110% amateur night crap. A government website should not have a cert chain problem. Someone is probably trying to chinse out on the cert by using one of the skinflint CAs or there is a massive configuration problem.
-Mike
SSL provides two levels of protection. One is for encrypted traffic and that doesn't matter who signs the certificate. The other is to validate who you are talking with and that matters who signs it. If you dug into the certificate and really looked at it, you could see it was properly signed. Sure, they should have properly loaded the intermediate certificate on the server so that all older browsers would support it.
I still disagree about the popup blocker, but as with both it's your opinion and who am I to tell you your wrong. Sounds like you can still use the regular paper form.
If they can't get the basic server configuration right (SSL problem) and consider basic site design (unnecessary popups), there's no way in hell I'm trusting that system to protect my personal data.
When you fill out a paper FA10 and send it in, it gets scanned, right? What happens to that data. I'd bet a nickel it gets into the same database as the web form. So, if the database gets hacked, *all* the data is released into the wild, not just the stuff entered into the web form.
The chance that someone is going to intercept your connection between your PC and the state's website are really really tiny. HTTP connections are stateless, (generally), short lived, and come from all over.
The database itself, however, is a fixed target, and far far more likely to be compromised.
The problem here isn't the web form, it's the fact that the database is exposed to the world at all.
If we really care about security, the target isn't "fix the web form", it's "eliminate the web form"
How many transfers happen anyway? What problem is the web form solving? Was the CHRB overwhelmed with paper FA10s to process, or is this simply a cost saving measure? I'm guessing the latter.
Who's to say that the actual database with all the data isn't located on another network? There is ways to have the transfers merged back to the actual master database. Depending on the workflow they could be storing only the POSTED transfers on a public accessible site for a short period of time. I didn't see on there where I could get a list of items I have. So we are all making assumptions on how things are run here without knowing any facts.
namedpipes
NES Member
And you're making the same assumptions that they did it right. Based on observations of how smoothly this has gone so far I think it is a safe bet that they did not do it right.
All the IT guys know SSL is not the end all. Google "SSL Security Hack" and you will see it can be beat.
I wonder if they are following STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
I wonder if they are following STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
To put this into perspective (and I'm not a computer security guru):
- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.
None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal peoples identities and sell that data on other hacker websites.
Not directly related to the gun issue, but to point out further vulnerabilities . . .
- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.
- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!
- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.
- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!
The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now![[sad]](/xen/styles/default/xenforo/smilies.vb/004.gif "Sad [sad]")
). If our data is compromised/stolen from gov't computers we will likely NEVER be told about it (might be a news story, but don't expect a letter from gov't agency) and any damages are ours to mitigate with no compensation possible.
Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.
"Privacy is Dead, Get Over It" by Steve Rambam!
[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]
- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.
None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal peoples identities and sell that data on other hacker websites.
Not directly related to the gun issue, but to point out further vulnerabilities . . .
- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.
- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!
- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.
- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!
The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now
). If our data is compromised/stolen from gov't computers we will likely NEVER be told about it (might be a news story, but don't expect a letter from gov't agency) and any damages are ours to mitigate with no compensation possible.Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.
"Privacy is Dead, Get Over It" by Steve Rambam!
[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]
To put this into perspective (and I'm not a computer security guru):
- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.
None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal peoples identities and sell that data on other hacker websites.
Not directly related to the gun issue, but to point out further vulnerabilities . . .
- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.
- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!
- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.
- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!
The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now
Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.
"Privacy is Dead, Get Over It" by Steve Rambam!
[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]
All well and good but how does that change the fact that the site isn't secure? It either is or it isn't and from what I'm reading here it isn't.
Well, like it or not, your data is still in the system on the back end even if you submit it by paper, that info still ends up in the database server(s) that POS web app talks to.
-Mike
I'm not making any claims either way, just stating that the weakest link is indeed the weakest link. For instance, I know the two IT people my town employs and I know that they are NOT EXPERTS on computer security. They are competent IT people, but generalists. All the risks don't lie strictly with the data system we see here . . . for instance I've seen our POs use wireless access and I have no idea how secure it is. There are lots of back-door ways into systems with the potential for very damaging consequences.
Len, i'm still not follow your defense for this. It's like me saying 'the lock on the new vault is faulty,' and you saying 'yes, but the door is much easier to open now and besides, locks won't keep out a determined thief anyway.'
I don't know why anyone would defend this or apologize for them. I'd walk away from a fast-food counter if I saw this level of incompetence behind the counter and know that I saved myself an evening of vomiting for it...
You guys realize that these databases and organizations literally hold your freedom and financial security in their hands yet they are fumbling around like a bunch of high-school kids pretending they are the "only people professional enough in the room."
Inexcusable and indefensible...
Last edited:
Bob,
I am not defending this at all.
Just pointing out that all the data, no matter how we submit it, is in databases accessible from "outside" CJIS. Via wireless in some towns, wired Internet access elsewhere. None of us should feel secure, period . . . but not because the form went online (it's strictly input).
I don't have an answer other than it's too late to shut that barn door and the weakest point is likely to be certain cities/towns access-point.
116 posts of whatever. Has this actually been officially announced anywhere other than this post yet? Sounds to me like it is still a work in progress.
Another line of thought:
Full article:
Canada set to repeal registration of hunting rifles, shotguns
Gun rights advocates in U.S. hope repeal will spur efforts here
Another line of thought:
Full article:
Canada set to repeal registration of hunting rifles, shotguns
Gun rights advocates in U.S. hope repeal will spur efforts here
Last edited:
namedpipes
NES Member
That article is a year old...
Stopped by the Dracut PD for some paper FA-10's Friday afternoon:
"We're all out.
I have to ask the Lieutenant if we can order some.
Give us your name and number and we'll call you."
"We're all out.
I have to ask the Lieutenant if we can order some.
Give us your name and number and we'll call you."
Who cares if the FA-10 isn't in police stations. You download the pdf. Print as many copies as you like.
For people who don't have computer or internet, do they have friends who do?
Do the people with no computers have no cell phones either? Many phones can store files.
Or, go to Kinkos or Staples or OfficeMax, maybe even your local Library, download and print there.
Buy a $2 memory stick while you're there and keep the form on the stick.
For people who don't have computer or internet, do they have friends who do?
Do the people with no computers have no cell phones either? Many phones can store files.
Or, go to Kinkos or Staples or OfficeMax, maybe even your local Library, download and print there.
Buy a $2 memory stick while you're there and keep the form on the stick.
Yeah, what really happened up in Canada? Seems a well coordinated release of articles about "canada set to repeal registration" came out at the same time, and not a word of it since then. People on BOTH SIDES of gun control are clearly abusing the internet to push their agenda without regard to the truth. Obviously Canada was NOT on the verge of repealing their rifle registration 1 year ago, but to read all those coordinated articles, you would have thought otherwise.
