stoneypete
This. I shot off an Email to Jason about this. This needs to be fixed, ASAP! To me, my own print-out of an FA-10 is critical to my personal record-keeping.
Colonel Ernesto Bella Red Dawn FA-10 work just fine too. yes... yes. Go to the sporting goods store. From the files obtain forms 4473. These will contain descriptions of weapons, and lists of private ownership.
I registered my CMP Garand yesterday. All went well until I clicked on "print transaction" and got an error message. I still got a "Confirmation Ticket Number" which will have to do for now. The system needs work but I found it easy to use.
I heard back from Jason . . .
He duplicated this problem . . . with Pop-up blocker enabled.
Seems like the answer is to "trust" pop-ups from this site, so you can print the PDF. Perhaps CJIS can put a notation on that page that users must do this so that it enables print function?
Great - so we have to ignore multiple indications of flawed security to use this...
Why don't I just publish my SS, credit cards, phone numbers, passwords, etc... on the front page of ma.gov instead and save some time?
Turning off a popup blocker, on this site or even just when you want that page to print, is a far way off from opening a "security" problem. The certificate problem is more how your browser treats it. As I was not prompted with anything on Chrome.
I disagree in both cases from experience and I won't tolerate web sites that require me to compromise security to use them. There are enough attack vectors out there when things are working correctly. I have no intention of trusting bogus certificates or allowing pop-ups when neither should be required to perform this function.
I'm also saying that their inability to configure this correctly and test it shows that they are not competent to perform this function without a very high risk of other security flaws.
If they can't get the basic server configuration right (SSL problem) and consider basic site design (unnecessary popups), there's no way in hell I'm trusting that system to protect my personal data.
When you fill out a paper FA10 and send it in, it gets scanned, right? What happens to that data? I'd bet a nickel it gets into the same database as the web form. So, if the database gets hacked, *all* the data is released into the wild, not just the stuff entered into the web form.
The chance that someone is going to intercept your connection between your PC and the state's website is really really tiny. HTTP connections are stateless (generally), short lived, and come from all over.
The database itself, however, is a fixed target, and far far more likely to be compromised.
The problem here isn't the web form, it's the fact that the database is exposed to the world at all.
If we really care about security, the target isn't "fix the web form", it's "eliminate the web form"
How many transfers happen anyway? What problem is the web form solving? Was the CHRB overwhelmed with paper FA10s to process, or is this simply a cost saving measure? I'm guessing the latter.
Who's to say that the actual database with all the data isn't located on another network? There are ways to have the transfers merged back to the actual master database. Depending on the workflow they could be storing only the POSTED transfers on a publicly accessible site for a short period of time. I didn't see on there where I could get a list of items I have. So we are all making assumptions on how things are run here without knowing any facts.
To put this into perspective (and I'm not a computer security guru):
- All our personal data including SSNs, DOB, etc. is "out there" in the LEAPS system, accessible to all PDs and most MDTs.
- MIRCS allows PDs to access all our firearms info at any time.
- A subset of MIRCS allows Dealers to input transactions.
- This is an extension of the Dealer MIRCS sub-set, allowing mere citizens to input transactions, using the PIN for a password/validation of the person inputting the data.
None of the above is "hard-wired" from user to CJIS/EOPS and therefore is subject to any vulnerabilities in the hands of a dedicated computer hacker who wants to steal peoples identities and sell that data on other hacker websites.
Not directly related to the gun issue, but to point out further vulnerabilities . . .
- During an in-office IRS audit a couple of years ago, I mentioned that I wasn't sure about something wrt a prior MA DOR tax return. The IRS auditor immediately pulled up a copy of my MA tax return info from the year in question and we proceeded with the audit.
- Meanwhile the IRS auditor swore that she had no Internet access from her computer! Again, I doubt that her office was hard-wired to MA DOR!!!
- I can tell you that the audit software that IRS uses is all DOS-based. She only used Windows to bring up Excel to create a mini-spreadsheet where she entered numbers to get a sum-total to enter back on the DOS audit software.
- I recall a news story that an audit showed that >7K IRS computers were vulnerable to hacking!
The bottom line is that in the 21st century, there are tons of gov't computers with our personal data on them . . . and further pension companies (plus current and past employers) where employees travel thru airports with laptops loaded with all personal data for major corps that they represent. If data is compromised/stolen from corporate computers, we MIGHT be told about it a year or two later (been there a number of times now). If our data is compromised/stolen from gov't computers we will likely NEVER be told about it (might be a news story, but don't expect a letter from gov't agency) and any damages are ours to mitigate with no compensation possible.
Merely using paper forms will not prevent compromise of any of our info. Since it is entered in computers either directly or by scanning it in, it's still in that database.
"Privacy is Dead, Get Over It" by Steve Rambam!
[Note: I am referred to by many as a "privacy nut" but I do also deal with reality. This cat is so far out of the bag, that there is no going back.]
And you're making the same assumptions that they did it right. Based on observations of how smoothly this has gone so far I think it is a safe bet that they did not do it right.
So we are all making assumptions on how things are run here without knowing any facts.
All well and good but how does that change the fact that the site isn't secure? It either is or it isn't and from what I'm reading here it isn't.
I'm not making any claims either way, just stating that the weakest link is indeed the weakest link. For instance, I know the two IT people my town employs and I know that they are NOT EXPERTS on computer security. They are competent IT people, but generalists. All the risks don't lie strictly with the data system we see here . . . for instance I've seen our POs use wireless access and I have no idea how secure it is. There are lots of back-door ways into systems with the potential for very damaging consequences.
I don't know why anyone would defend this or apologize for them. I'd walk away from a fast-food counter if I saw this level of incompetence behind the counter and know that I saved myself an evening of vomiting for it...
Len, I'm still not following your defense for this. It's like me saying 'the lock on the new vault is faulty,' and you saying 'yes, but the door is much easier to open now and besides, locks won't keep out a determined thief anyway.'
After nearly 20 years, Canada appears poised to end one of its boldest experiments in gun control - the required registration of long guns, or shotguns and hunting rifles.
Last November, a bill to abolish the Long-Gun Registry, enacted in 1995 and gradually phased in through 2003, passed a second reading in the Canadian House of Commons by a tally of 164 to 137. It faces a third and final reading in that chamber later this year; prospects are good for passage in the Canadian Senate.
The bill would delete from federal law the obligation to register so-called nonrestricted firearms, though licensing requirements for long-gun owners to buy or possess firearms and to buy ammunition would remain in place.
The legislation would also require all registration information collected to date to be destroyed.
116 posts of whatever. Has this actually been officially announced anywhere other than this post yet? Sounds to me like it is still a work in progress.
Another line of thought:
Full article:
Canada set to repeal registration of hunting rifles, shotguns
Gun rights advocates in U.S. hope repeal will spur efforts here
That article is a year old...