ATF ruling--electronic A&D books

Discussion in 'NFA/Class 3 & FFL Discussion' started by Musket, Sep 9, 2008.

  1. Musket

    FYI, from NSSF:
    ************

    Major ATF Ruling Authorizing
    Electronic A&D Books

    Following discussion with the National Shooting Sports Foundation (NSSF) -- the trade association for the firearms industry -- and many industry members, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) announced yesterday a major new ruling authorizing federal firearms licensees to use electronic (computerized) acquisition and disposition records provided the software used satisfies certain ATF requirements set forth in the ruling signed by Acting Director Michael Sullivan.

    FFLs will no longer need to seek a variance from the Director of Industry Operations to keep a computerized A&D book.

    "NSSF would like to congratulate ATF, and in particular the leadership of Acting Director Sullivan, on helping to reduce the paperwork burden on industry," said NSSF Senior Vice President and General Counsel Lawrence G. Keane. "We look forward to continuing to work with ATF on other ways to utilize technology to aid America's firearms manufacturers and retailers to reduce their paperwork burden while continuing to permit ATF to protect public safety."

    The ATF, at the urging of NSSF and firearms retailers, is expected to launch a voluntary E-Form 4473. This is a development which will save retailers time and greatly reduce the likelihood of entry violations.

    NSSF's Mission Statement
    "Our purpose is to provide trusted leadership in addressing industry challenges and in delivering programs and services to meet the identified needs of our members."

    COPYRIGHT © 2008 by National Shooting Sports Foundation, Inc. Permission is granted for broadcast, publication, retransmission to e-mail lists, Web sites or any other copying or storage, in any medium, online or not, if 1) the text is forwarded in its entirety, including this paragraph, and 2) no fee is charged. "Bullet Points®," "National Shooting Sports Foundation®," "NSSF®," and all other trade names, trademarks, service marks, logos and images of the National Shooting Sports Foundation appearing in this publication are the sole property of the Foundation and may not be used without the Foundation's prior express written permission. All other trade names, trademarks, service marks, logos and images appearing in this publication are trademarks or registered trademarks of their respective owners.
     
  2. cpttango30

    I see one problem with this. If a firearms dealer is keeping an electronic record of all firearms transactions, it needs to be done on a computer that is not (NOT) connected to the Internet in any way.

    They should not use a wireless network either. If they have to use a wireless network they need to install a physical firewall between the computer and the Internet and use the highest amount of encryption over their wireless network which is WPA (Wireless Protected Access). For no reason should the dealer run a wireless network and use Wired Equivalent Privacy (WEP) which means it offers you the same amount of protection as a wired network would. I personally would not have a wireless network anywhere close to the computer that had these forms on them.

    Windows has holes, Mac OS X has holes. Linux would be your best and safest operating system to use with this. Why? Well, no one writes viruses for Linux because the guys that write viruses are running Linux, not Windows XP or Vista. Linux is also open-source and has hundreds of thousands of people making changes to the OS all the time, so a backdoor on your Linux might not be unlocked on mine. There is really no sure-fire way to keep these records safe. If these records are on a computer they can be obtained no matter what. Short of a fire that totally melts the hard drive there is a way to recover data. If the computer is hooked up to the Internet it is only a matter of time before someone opens an email and gets a virus, trojan, worm, or something nasty on it. So me personally, I would not buy from a store using this. That is the Network Engineer in me. I have a buddy that can hack your computer in a matter of a few minutes and retrieve 99% of your data in a few more minutes.

    So to me this is not a good solution as of right now. If the FFL does do this it should be on a laptop that either goes home with him at night or goes in the biggest, nastiest safe in the building.
     

  3. Musket

    Well, not being all that tech savvy, and not an FFL holder, I can't really comment. I just thought it would be of interest to folks...:)
     
  4. cpttango30

    What is going to happen is people are going to be less secure with their records and then they are going to lose them to a computer crash, Blue Screen of Death (BSOD), or something like that. Or they are going to have the computer compromised or stolen outright. That gives them access to social security numbers and personal information. Then not only do they know some of the guns you just bought, they know your address, your name and social. So they are going to steal your ID along with your guns.

    I don't see this as being a good thing myself.
     
  5. bkt

    Why can't an FFL have a wireless network for his primary computer, but a secondary computer without a wifi card (either an older laptop or a new desktop), and hardwire his FFL computer directly into his router? Use SSL to transmit sensitive data and don't worry about wireless signals being intercepted.

    I take umbrage, incidentally, at your comment that we Linux users are the ones writing viruses. :D Sure, we laugh a lot at Windoze users who have to reinstall their OS every so often, but we're not the black hats.
     
  6. cpttango30

    No, not everyone is a black hat. I meant no slight towards you other OS users.

    You and I can talk SSL and that, but really, how many FFLs are in the know about that kind of security? Most banks don't encrypt your data sent over the net from an ATM machine. If the ATF wants this done then I think they need to set standards for the FFL dealers as far as security and encryption of the FFL data.
     
  7. anm2_man

    I don't think BATF is supporting this via the internet. What they are doing is now allowing any FFL to keep his books in EXCEL or via a custom software application. The problem before was that if you wanted to do this, you had to get a variance to keep the records electronically. I know of several EXCEL macros that are available for this function.

    I don't think there are going to be any more privacy issues than there were when hardcopy books were required. There are more issues today when you use your Credit card at the grocery store.
     
  8. cpttango30

    I personally don't want anything to do with electronic copies of a 4473 floating around. It is too easy to get the information off a computer unless you have a system like the Pentagon, who gets 1 million + attacks every day.
     
  9. Slickrick214

    Lol. One of my teachers uses the Blue Screen Of Death jokingly all the time. I agree though, if this program is hooked up to the internet it won't take long before it's hacked.

    [Image: Blue Screen Of Death]
     
  10. Gunsmith65

    My 2 Cents.

    Electronic data keeping is perfectly safe and lessens the amount of paperwork and storage for dealers.

    That said, I agree that anyone who decides to use electronic means of data keeping should be aware of problems such as hard drive failures, security, and theft.

    Hard drive failures can be mitigated by a regularly scheduled full backup on separate hard drive/s. Both need to be malware and virus scanned daily or at the very least every other day if you are wired (or wirelessly) connected to the internet. Weekly if not connected and you are transferring data from a connected source.

    Security is important and I agree, use more encryption than the WEP. Use your firewall and any additional security that you can get. We have a responsibility to keep our customer's information confidential.

    Theft applies to both hard and electronic formats. Both need physical security and electronic needs the added software security. Or hardware, as CPTtango30 suggested, and don't connect your database computer to the internet.

    I think there are pluses and minuses with both methods. You just have to be committed to whichever method you use and deal with the extra paperwork or deal with the extra electronic security.

    Me, I am electronic all the way. I doubt my laptop will be connected to the internet anyway but just in case, it will have my desktop as backup and all the extra security I can get. Hey, it's deductible. Why not. :)

    GS
     
  11. jbeni96

    A BATF Inspector told me that they actually prefer electronic records keeping when conducting Inspections. This allows them to do searches and to get printouts of the records.
     
  12. GlockBlockinMama

    Online paranoia

    There seems to be a lot of hub-bub over the wireless connectivity and overall security...some things to consider:

    A wireless connection is only as secure as the application/site running on it - i.e., add your credit card information to a site without SSL security and it is not the CONNECTION that determines the safety of the transfer of information.

    Some information is only useful if LINKED - your first name and last name are only useful if they are linked, and then only if they are again linked to your address AND your ssn AND your credit card number.

    Who exactly is stealing this data? The information is being sent to a government agency who then SCANS and/or ENTERS INTO A SOFTWARE SYSTEM all the same information, which then lives in a database that is made available to users within the government and contractors, some of whom live hundreds of miles away from the servers and use wireless connections to access data and email.

    Anyone who remembers the stone ages (when paper records were locked (maybe?) at night, where paper copies were not always shredded, and when people walked away with folders or threw away documents all the time) would agree that there are disadvantages to any system when human beings come into play.
     
  13. indy_kid

    Sounds like fear of the unknown...

    That's nothing more than technophobia. A low-end computer with a RAID drive for HD crash protection, and NO connection to any other machine and you're good. Better still, use a removable RAID, and pop it into your fireproof safe (or take it home and put it in your home safe) when you close shop. Put a decoy HD into your computer to spoof any crook.

    A good encryption program, like PGP, will make it as secure as you'll ever need. Heck, if the government has trouble breaking PGP, your local crook doesn't have a chance!!!

    The point is that NO system is foolproof. The guy who uses paper books is just at risk for data theft, though the crook will have to come to the FFL to get them. Same with electronic; keep it on ONE machine, and the crook will have to go to that ONE machine to get the electronic info. Basic safeguards will protect both.
     
  14. hydrashok

    This is one thing that irritates the hell outta me about Linux users... they think anything and everything should be THAT FRIGGIN' SECURE and NOTHING ELSE WILL DO.

    Let me pose these questions that are actually grounded in REALITY:

    1. Do bad guys or hackers REALLY CARE about my A/D data? Do they really care who I sold a gun to, and where they live?

    2. Is the ATF *REALLY* qualified to set ANY kind of "standards" for anything computer based?

    Here's a couple of clues.

    1. Electronic A/D programs simply store where a specific firearm was purchased, and who it was sold to.

    2. Electronic 4473s are not stored. They're filled out, then PRINTED for signatures. This is where the sensitive data is stored... on HARD COPY.

    3. It's harder to steal a whole computer than it is a "bound book".

    4. Backups (both soft AND hard copies) are just good business sense. You can print off as many bound copies of your A/D records as you want, and it's a hell of a lot easier than Xeroxing the traditional bound book.

    5. Again, NOBODY CARES about who you got your firearms from or who you sold them to... at least they don't care enough to try and hack WEP security.

    Put THAT in your pipe and smoke it!
     
  15. indy_kid

    Agreed. Obviously, hackers are after more *lucrative* info than A/D data. The black hats are into identity theft, usually worked on contract for other criminals. IMHO, they'd be after your financial records in an attempt to force you out of the local market than to find out where you get your guns, and where they're going.

    I would be against a standard for an electronic A/D system. No standards means that much more work dealing with the multitude of data formats! The ones to set the standard would be IEEE, as they also set the standards for almost everything else electronics-related, including transmission protocols. Those guys are the experts, and IF it were to come to it, ATF would be smart to let IEEE pick the formats.

    Again, use PGP to encrypt, and keep backups of all your data, electronic or written!!
     
  16. hydrashok

    I'm a software developer. I'm against "standards" because I write my own stuff. "Standards" would mean more rules for me to follow based on someone else's idea of how things should be done.

    I print a hardcopy of my A/D data that is securely stored with my 4473s. I print my own 4473s using the new program available on the ATF website. I like the electronic copy of my A/D data because I don't have to flip through pages... I can scan a barcode of any gun I have and it goes right to that record. My A/D data is digitally stored on a USB thumbdrive, and I remotely back it up daily in ZIP format. I keep all shipping slips so if I lose a week's worth of data I can rebuild it with my hard copies. There's no guesswork. When I close shop, the thumbdrive goes with me and is stored in a secured undisclosed location (no, not my glovebox :p ) so even if there *IS* a break-in, and they steal my computer, they get no customer OR vendor info. My POS data is on the same thumbdrive. All I have to do is buy a laptop and install the POS and A/D software I use, and I have my data readily available. I can pick right up and keep on truckin'.

    I do use the same computer for my POS as I do my A/D. Whenever I get a new merchant acct, it's the same computer I run credit card transactions. It's connected to the internet (behind TWO hardware firewalls).

    I'm just not that worried about the security of my data... even if a hacker got into my computer, they most likely wouldn't know what they were looking for.
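
The daily ZIP backup described in the post above, and the scheduled backups recommended earlier in the thread, can be checked before they are relied on. This is an added example, not code from any poster: ZIP's built-in CRC only catches accidental corruption, so the sketch also stores an HMAC-SHA256 tag whose key is kept off the backup media, which lets a restore distinguish a damaged archive from an altered one. The file names, key and ledger rows are hypothetical, constructed values.

```python
import hashlib
import hmac
import io
import zipfile
import zlib

LEDGER_NAME = "ad_book.csv"   # hypothetical name for the exported A/D records
TAG_NAME = "ad_book.hmac"     # hypothetical name for the integrity tag


def make_backup(ledger: bytes, key: bytes) -> bytes:
    """Return a ZIP archive holding the ledger plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, ledger, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(LEDGER_NAME, ledger)
        zf.writestr(TAG_NAME, tag)
    return buf.getvalue()


def check_backup(archive: bytes, key: bytes) -> str:
    """Classify a backup as 'ok', 'corrupt' (unreadable) or 'tampered' (bad tag)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            if zf.testzip() is not None:       # CRC failure on some member
                return "corrupt"
            ledger = zf.read(LEDGER_NAME)
            tag = zf.read(TAG_NAME).decode("ascii")
    except (zipfile.BadZipFile, zlib.error, KeyError, UnicodeDecodeError, EOFError):
        return "corrupt"
    expected = hmac.new(key, ledger, hashlib.sha256).hexdigest()
    # Constant-time comparison; a mismatch means the ledger or tag was changed
    # by someone who does not hold the key.
    return "ok" if hmac.compare_digest(tag, expected) else "tampered"


# Constructed sample data for the demonstration.
SAMPLE_KEY = b"constructed-demo-key-kept-off-the-backup-media"
SAMPLE_LEDGER = b"serial,acquired,disposed\nCONSTRUCTED-0001,2008-09-01,2008-09-09\n"

if __name__ == "__main__":
    good = make_backup(SAMPLE_LEDGER, SAMPLE_KEY)
    rewritten = make_backup(SAMPLE_LEDGER.replace(b"09-09", b"09-10"), b"not-the-key")
    print("intact archive:   ", check_backup(good, SAMPLE_KEY))
    print("truncated archive:", check_backup(good[: len(good) // 2], SAMPLE_KEY))
    print("rewritten archive:", check_backup(rewritten, SAMPLE_KEY))
```

The check only means something if the key lives somewhere other than the drive holding the archive; an HMAC tag stored next to its key proves nothing.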