e-FA10. It's officially a mess!

Len-2A Training

Instructor
NES Life Member
NES Member
Rating - 98.6%
73   1   0
Joined
Feb 26, 2005
Messages
55,512
Likes
17,136
Location
NH
I registered my CMP Garand yesterday. All went well until I clicked on "print transaction" and got an error message. I still got a "Confirmation Ticket Number" which will have to do for now. The system needs work but I found it easy to use.

I shot off an Email to Jason about this. This needs to be fixed, ASAP! To me, my own print-out of an FA-10 is critical to my personal record-keeping.
 
Rating - 100%
1   0   0
Joined
Jul 2, 2009
Messages
332
Likes
23
Location
NH
The help PDF sucks! How is this information getting out to gun owners, dealers and PDs? My dad, my dealer and my LEO friend know NOTHING about this!

This is just another way to track honest gun owners and their guns electronically and pounce on them when a mistake is made.

The personal sale or transfer says (OR) State Firearms Dealer License No.:* The dealer field is required. [thinking]. PDF says not to do both. Who was the genius that programmed that one? Simple fix but I am sure they are not concerned with making our lives easier.

As for registration....
"yes... yes. Go to the sporting goods store. From the files obtain forms 4473. These will contain descriptions of weapons, and lists of private ownership."
- Colonel Ernesto Bella, Red Dawn
FA-10s work just fine too. [tinfoil]

Inheritance. What if the decedent is not from MA and obviously does not have an FID/LTC? PDF help. Fail!

Surrender Weapon to Police. Yeah, I see people jumping all over that.

Transfer to Buyer After Surrender. That is nicely oversimplified. It seems to me that if the previous gun owner surrendered under a felony conviction and had a buyer there is a potential of a straw purchase. Also my gut tells me the PD would not be overly enthusiastic to release the firearms because the online form was filled out. There is more behind that one, 129d, restraining order, etc. Does the 4 transaction apply here too?

I assume this is like the dealers page and it is one transaction per gun. So for personal sales or a dozen guns it may work (not that I like or agree with it) but not for 30, 50 or more. One transaction for each gun for a large inheritance or surrender.

EPIC FAIL!
 

Len-2A Training

Instructor
NES Life Member
NES Member
Rating - 98.6%
73   1   0
Joined
Feb 26, 2005
Messages
55,512
Likes
17,136
Location
NH
I registered my CMP Garand yesterday. All went well until I clicked on "print transaction" and got an error message. I still got a "Confirmation Ticket Number" which will have to do for now. The system needs work but I found it easy to use.

I heard back from Jason . . .

He duplicated this problem . . . with Pop-up blocker enabled.

Seems like the answer is to "trust" pop-ups from this site, so you can print the PDF. Perhaps CJIS can put a notation on that page that users must do this so that it enables print function?
 
Rating - 100%
3   0   0
Joined
Jan 19, 2009
Messages
29,885
Likes
4,692
Location
Clowns->Here<-Jokers
I heard back from Jason . . .

He duplicated this problem . . . with Pop-up blocker enabled.

Seems like the answer is to "trust" pop-ups from this site, so you can print the PDF. Perhaps CJIS can put a notation on that page that users must do this so that it enables print function?
Great - so we have to ignore multiple indications of flawed security to use this... [thinking]

Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?
 
Rating - 100%
3   0   0
Joined
Apr 8, 2007
Messages
453
Likes
7
Location
Metrowest,MA
Great - so we have to ignore multiple indications of flawed security to use this... [thinking]

Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?

Turning off a popup blocker, on this site or even just when you want that page to print, is a far way off from opening a "security" problem. The certificate problem is more how your browser treats it, as I was not prompted with anything on Chrome.
 
Rating - 100%
3   0   0
Joined
Jan 19, 2009
Messages
29,885
Likes
4,692
Location
Clowns->Here<-Jokers
Turning off a popup blocker, on this site or even just when you want that page to print, is a far way off from opening a "security" problem. The certificate problem is more how your browser treats it, as I was not prompted with anything on Chrome.
I disagree in both cases from experience and I won't tolerate web sites that require me to compromise security to use them. There are enough attack vectors out there when things are working correctly. I have no intention of trusting bogus certificates or allowing pop-ups when neither should be required to perform this function.

I'm also saying that their inability to configure this correctly and test it shows that they are not competent to perform this function without a very high risk of other security flaws.
 

drgrant

Moderator
NES Member
Rating - 100%
61   0   0
Joined
Mar 21, 2006
Messages
86,021
Likes
79,932
I agree with Cekim, I refuse to even think about logging into that system until they fix that crap.

The cert problem is 110% amateur night crap. A government website should not have a cert chain problem. Someone is probably trying to chinse out on the cert by using one of the skinflint CAs or there is a massive configuration problem.

-Mike
 
Rating - 100%
3   0   0
Joined
Apr 8, 2007
Messages
453
Likes
7
Location
Metrowest,MA
I disagree in both cases from experience and I won't tolerate web sites that require me to compromise security to use them. There are enough attack vectors out there when things are working correctly. I have no intention of trusting bogus certificates or allowing pop-ups when neither should be required to perform this function.

I'm also saying that their inability to configure this correctly and test it shows that they are not competent to perform this function without a very high risk of other security flaws.

SSL provides two levels of protection. One is for encrypted traffic and that doesn't matter who signs the certificate. The other is to validate who you are talking with and that matters who signs it. If you dug into the certificate and really looked at it, you could see it was properly signed. Sure, they should have properly loaded the intermediate certificate on the server so that all older browsers would support it.

I still disagree about the popup blocker, but as with both it's your opinion and who am I to tell you you're wrong. Sounds like you can still use the regular paper form.
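
The missing-intermediate condition described in the post above, reproduced offline with the openssl command line. This is an added example, not part of the thread and not a test of the site discussed; the CA names, demo.example and all file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: throwaway root CA -> intermediate CA -> server certificate.
# Every name and file below is constructed for this demo.

build_demo_pki() {              # $1 = work dir; writes root.pem inter.pem leaf.pem
  local d="$1" n
  # Minimal request config so the demo does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$d/leaf.ext"
  for n in root inter leaf; do  # one key pair and signing request per certificate
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root signs itself, root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
    -days 30 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

chain_status() {
  # $1 = certificates the client trusts, $2 = server certificate,
  # $3 = optional file of extra certificates the server sent along with it.
  local out
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  case "$out" in
    *": OK"*)                                    echo "trusted" ;;
    *"unable to get local issuer certificate"*)  echo "missing-issuer" ;;
    *)                                           echo "other-failure" ;;
  esac
}

run_demo() {
  local d a b c
  d=$(mktemp -d)
  build_demo_pki "$d"
  # 1. Server sends only its own certificate; the client knows just the root.
  #    The signature on the leaf is fine, but the client cannot link it to the root.
  a=$(chain_status "$d/root.pem" "$d/leaf.pem")
  # 2. Server configured correctly: it sends the intermediate too.
  b=$(chain_status "$d/root.pem" "$d/leaf.pem" "$d/inter.pem")
  # 3. Server still omits the intermediate, but this client already holds it,
  #    which is how the same site can look fine in one browser and not another.
  cat "$d/root.pem" "$d/inter.pem" > "$d/client_store.pem"
  c=$(chain_status "$d/client_store.pem" "$d/leaf.pem")
  rm -rf "$d"
  echo "$a $b $c"
}

run_demo
```

To see what a live server actually sends, `openssl s_client -connect HOST:443 -showcerts` prints the certificates in the handshake (HOST is a placeholder).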
 
Rating - 100%
22   0   0
Joined
May 21, 2009
Messages
1,391
Likes
341
Location
Escaped to NH
If they can't get the basic server configuration right (SSL problem) and consider basic site design (unnecessary popups), there's no way in hell I'm trusting that system to protect my personal data.
 

milktree

NES Member
Rating - 100%
35   0   0
Joined
Aug 31, 2008
Messages
6,649
Likes
8,315
If they can't get the basic server configuration right (SSL problem) and consider basic site design (unnecessary popups), there's no way in hell I'm trusting that system to protect my personal data.

When you fill out a paper FA10 and send it in, it gets scanned, right? What happens to that data? I'd bet a nickel it gets into the same database as the web form. So, if the database gets hacked, *all* the data is released into the wild, not just the stuff entered into the web form.

The chance that someone is going to intercept your connection between your PC and the state's website is really really tiny. HTTP connections are stateless, (generally), short lived, and come from all over.

The database itself, however, is a fixed target, and far far more likely to be compromised.

The problem here isn't the web form, it's the fact that the database is exposed to the world at all.

If we really care about security, the target isn't "fix the web form", it's "eliminate the web form"

How many transfers happen anyway? What problem is the web form solving? Was the CHRB overwhelmed with paper FA10s to process, or is this simply a cost saving measure? I'm guessing the latter.
 
Rating - 100%
3   0   0
Joined
Apr 8, 2007
Messages
453
Likes
7
Location
Metrowest,MA
When you fill out a paper FA10 and send it in, it gets scanned, right? What happens to that data? I'd bet a nickel it gets into the same database as the web form. So, if the database gets hacked, *all* the data is released into the wild, not just the stuff entered into the web form.

The chance that someone is going to intercept your connection between your PC and the state's website is really really tiny. HTTP connections are stateless, (generally), short lived, and come from all over.

The database itself, however, is a fixed target, and far far more likely to be compromised.

The problem here isn't the web form, it's the fact that the database is exposed to the world at all.

If we really care about security, the target isn't "fix the web form", it's "eliminate the web form"

How many transfers happen anyway? What problem is the web form solving? Was the CHRB overwhelmed with paper FA10s to process, or is this simply a cost saving measure? I'm guessing the latter.

Who's to say that the actual database with all the data isn't located on another network? There are ways to have the transfers merged back to the actual master database. Depending on the workflow they could be storing only the POSTED transfers on a publicly accessible site for a short period of time. I didn't see on there where I could get a list of items I have. So we are all making assumptions on how things are run here without knowing any facts.
 

namedpipes

NES Member
Rating - 100%
3   0   0
Joined
May 7, 2008
Messages
42,482
Likes
40,905
Location
The foothills of Monadnock
Who's to say that the actual database with all the data isn't located on another network? There are ways to have the transfers merged back to the actual master database. Depending on the workflow they could be storing only the POSTED transfers on a publicly accessible site for a short period of time. I didn't see on there where I could get a list of items I have. So we are all making assumptions on how things are run here without knowing any facts.

And you're making the same assumptions that they did it right. Based on observations of how smoothly this has gone so far I think it is a safe bet that they did not do it right.
 

Len-2A Training

Instructor
NES Life Member
NES Member
Rating - 98.6%
73   1   0
Joined
Feb 26, 2005
Messages
55,512
Likes
17,136
Location
NH
To put this into perspective (and I'm not a computer security guru):

- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.

None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal people's identities and sell that data on other hacker websites.

Not directly related to the gun issue, but to point out further vulnerabilities . . .

- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.

- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!

- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.

- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!

The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now [sad]). If our data is compromised/stolen from gov't computers we will likely NEVER be told about it (might be a news story, but don't expect a letter from gov't agency) and any damages are ours to mitigate with no compensation possible.

Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.

"Privacy is Dead, Get Over It" by Steve Rambam!

[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]
 
Rating - 96.8%
30   1   0
Joined
Jul 23, 2008
Messages
11,356
Likes
3,394
Location
Texas
To put this into perspective (and I'm not a computer security guru):

- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.

None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal people's identities and sell that data on other hacker websites.

Not directly related to the gun issue, but to point out further vulnerabilities . . .

- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.

- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!

- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.

- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!

The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now [sad]). If our data is compromised/stolen from gov't computers we will likely NEVER be told about it (might be a news story, but don't expect a letter from gov't agency) and any damages are ours to mitigate with no compensation possible.

Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.

"Privacy is Dead, Get Over It" by Steve Rambam!

[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]

All well and good but how does that change the fact that the site isn't secure? It either is or it isn't and from what I'm reading here it isn't.
 

drgrant

Moderator
NES Member
Rating - 100%
61   0   0
Joined
Mar 21, 2006
Messages
86,021
Likes
79,932
If they can't get the basic server configuration right (SSL problem) and consider basic site design (unnecessary popups), there's no way in hell I'm trusting that system to protect my personal data.

Well, like it or not, your data is still in the system on the back end even if you submit it by paper, that info still ends up in the database server(s) that POS web app talks to.

-Mike
 

drgrant

Moderator
NES Member
Rating - 100%
61   0   0
Joined
Mar 21, 2006
Messages
86,021
Likes
79,932
When you fill out a paper FA10 and send it in, it gets scanned, right? What happens to that data? I'd bet a nickel it gets into the same database as the web form. So, if the database gets hacked, *all* the data is released into the wild, not just the stuff entered into the web form.

The chance that someone is going to intercept your connection between your PC and the state's website is really really tiny. HTTP connections are stateless, (generally), short lived, and come from all over.

The database itself, however, is a fixed target, and far far more likely to be compromised.

The problem here isn't the web form, it's the fact that the database is exposed to the world at all.

If we really care about security, the target isn't "fix the web form", it's "eliminate the web form"

How many transfers happen anyway? What problem is the web form solving? Was the CHRB overwhelmed with paper FA10s to process, or is this simply a cost saving measure? I'm guessing the latter.

I generally agree with this but until they fix the stupidity, I will refuse to use it out of spite more than anything else.

-Mike
 

Len-2A Training

Instructor
NES Life Member
NES Member
Rating - 98.6%
73   1   0
Joined
Feb 26, 2005
Messages
55,512
Likes
17,136
Location
NH
All well and good but how does that change the fact that the site isn't secure? It either is or it isn't and from what I'm reading here it isn't.

I'm not making any claims either way, just stating that the weakest link is indeed the weakest link. For instance, I know the two IT people my town employs and I know that they are NOT EXPERTS on computer security. They are competent IT people, but generalists. All the risks don't lie strictly with the data system we see here . . . for instance I've seen our POs use wireless access and I have no idea how secure it is. There are lots of back-door ways into systems with the potential for very damaging consequences.
 
Rating - 96.8%
30   1   0
Joined
Jul 23, 2008
Messages
11,356
Likes
3,394
Location
Texas
I'm not making any claims either way, just stating that the weakest link is indeed the weakest link. For instance, I know the two IT people my town employs and I know that they are NOT EXPERTS on computer security. They are competent IT people, but generalists. All the risks don't lie strictly with the data system we see here . . . for instance I've seen our POs use wireless access and I have no idea how secure it is. There are lots of back-door ways into systems with the potential for very damaging consequences.

Len, I'm still not following your defense for this. It's like me saying 'the lock on the new vault is faulty,' and you saying 'yes, but the door is much easier to open now and besides, locks won't keep out a determined thief anyway.'
 
Rating - 100%
3   0   0
Joined
Jan 19, 2009
Messages
29,885
Likes
4,692
Location
Clowns->Here<-Jokers
Len, I'm still not following your defense for this. It's like me saying 'the lock on the new vault is faulty,' and you saying 'yes, but the door is much easier to open now and besides, locks won't keep out a determined thief anyway.'
I don't know why anyone would defend this or apologize for them. I'd walk away from a fast-food counter if I saw this level of incompetence behind the counter and know that I saved myself an evening of vomiting for it...

You guys realize that these databases and organizations literally hold your freedom and financial security in their hands yet they are fumbling around like a bunch of high-school kids pretending they are the "only people professional enough in the room."

Inexcusable and indefensible...
 

Len-2A Training

Instructor
NES Life Member
NES Member
Rating - 98.6%
73   1   0
Joined
Feb 26, 2005
Messages
55,512
Likes
17,136
Location
NH
Len, I'm still not following your defense for this. It's like me saying 'the lock on the new vault is faulty,' and you saying 'yes, but the door is much easier to open now and besides, locks won't keep out a determined thief anyway.'

Bob,

I am not defending this at all.

Just pointing out that all the data, no matter how we submit it, is in databases accessible from "outside" CJIS. Via wireless in some towns, wired Internet access elsewhere. None of us should feel secure, period . . . but not because the form went online (it's strictly input).

I don't have an answer other than it's too late to shut that barn door and the weakest point is likely to be certain cities/towns access-point.
 
Rating - 100%
3   0   0
Joined
Nov 8, 2005
Messages
30,940
Likes
9,579
116 posts of whatever. Has this actually been officially announced anywhere other than this post yet? Sounds to me like it is still a work in progress.


Another line of thought:
After nearly 20 years, Canada appears poised to end one of its boldest experiments in gun control - the required registration of long guns, or shotguns and hunting rifles.

Last November, a bill to abolish the Long-Gun Registry, enacted in 1995 and gradually phased in through 2003, passed a second reading in the Canadian House of Commons by a tally of 164 to 137. It faces a third and final reading in that chamber later this year; prospects are good for passage in the Canadian Senate.

The bill would delete from federal law the obligation to register so-called nonrestricted firearms, though licensing requirements for long-gun owners to buy or possess firearms and to buy ammunition would remain in place.

The legislation would also require all registration information collected to date to be destroyed.

Full article:
Canada set to repeal registration of hunting rifles, shotguns
Gun rights advocates in U.S. hope repeal will spur efforts here
 

namedpipes

NES Member
Rating - 100%
3   0   0
Joined
May 7, 2008
Messages
42,482
Likes
40,905
Location
The foothills of Monadnock
Rating - 100%
27   0   0
Joined
May 7, 2007
Messages
1,075
Likes
82
Location
Lowell, MA
Stopped by the Dracut PD for some paper FA-10's Friday afternoon:

"We're all out.
I have to ask the Lieutenant if we can order some.
Give us your name and number and we'll call you."
 
Rating - 100%
13   0   0
Joined
Jun 9, 2009
Messages
466
Likes
56
Location
MRA
Who cares if the FA-10 isn't in police stations. You download the pdf. Print as many copies as you like.

For people who don't have computer or internet, do they have friends who do?

Do the people with no computers have no cell phones either? Many phones can store files.

Or, go to Kinkos or Staples or OfficeMax, maybe even your local Library, download and print there.

Buy a $2 memory stick while you're there and keep the form on the stick.
 

Spanz

NES Member
Rating - 100%
1   0   0
Joined
Feb 25, 2009
Messages
58,168
Likes
80,313
That article is a year old...

Yeah, what really happened up in Canada? Seems a well coordinated release of articles about "Canada set to repeal registration" came out at the same time, and not a word of it since then. People on BOTH SIDES of gun control are clearly abusing the internet to push their agenda without regard to the truth. Obviously Canada was NOT on the verge of repealing their rifle registration 1 year ago, but to read all those coordinated articles, you would have thought otherwise.
 
Rating - 100%
54   0   0
Joined
Dec 12, 2005
Messages
1,669
Likes
242
Location
Eastern Massachusetts
Thanks Len. Glad it wasn't 'ol computer challenged me.

I heard back from Jason . . .

He duplicated this problem . . . with Pop-up blocker enabled.

Seems like the answer is to "trust" pop-ups from this site, so you can print the PDF. Perhaps CJIS can put a notation on that page that users must do this so that it enables print function?
 