
IRS Rolls Out Risky Tax Processing Systems 66

GovIT Geek writes to tell us that, despite known security issues, the IRS has decided to roll out two new applications for tax processing systems. "The [IRS inspector general] concluded in a September annual audit that security weaknesses in the agency's updated tax processing systems could enable malicious intruders to gain unauthorized access to taxpayer information and prevent the IRS from recovering applications during an emergency. The Customer Account Data Engine is a tax processing tool being deployed in phases to replace the existing repositories of taxpayer information, while the Account Management Services systems aim to provide employees with faster and better access to taxpayer account data."
  • by mellon ( 7048 ) on Friday October 17, 2008 @03:50PM (#25417977) Homepage

    I think this is terribly unfair. It should at least be a *challenge*.

    • Re: (Score:3, Funny)

      by Sponge Bath ( 413667 )

      She still has to get past IRS Agent Smith.

      You hear that Mr. Anderson?...
      That is the sound of inevitability...
      It is the sound of your audit.

  • thanks for playing.

    I think this might be a new definition for the word "moded".
  • naturally... (Score:5, Interesting)

    by X0563511 ( 793323 ) on Friday October 17, 2008 @03:54PM (#25418051) Homepage Journal

    I think the response to this should be someone, somewhere, repeatedly breaking in and posting financial info on politicians. Do it enough times, they will get the message.

    If you go do this, make sure you remember you didn't hear it from me, and that you do NOT brag about it. Don't be stupid.

  • Just another inflammatory article. What are they supposed to do? Hold off upgrading their systems until the new system is 100% rock-solid? Sorry, but every new software system has SOME bugs in it. TFA states that the project managers felt the vulnerabilities were acceptable at the time. Managing software projects involves iterations of identifying critical (or not so critical) defects (as many as you can before release), and then going back and updating the software to fix any defects that you didn't have tim

    • by truthsearch ( 249536 ) on Friday October 17, 2008 @04:03PM (#25418181) Homepage Journal

      In addition, these should be purely internal systems. So assuming malicious intruders can be kept out, using a separate layer of systems, the risk is greatly reduced.

      • This will just involve some low-level functionary to copy data to an unencrypted flash drive and then lose it in a shopping mall.

      • by mysidia ( 191772 )

        In addition, these should be purely internal systems. So assuming malicious intruders can be kept out, using a separate layer of systems, the risk is greatly reduced.

        A wholly unwarranted assumption. The most likely attack against a system like this IS an inside attack.

        Or an attack from outside, assisted by a negligent (but unaware) insider, such as one who had accidentally installed a trojan horse on their workstation.

        Governments and big corporations frequently put strong firewalls in place.

        And ye

    • by compro01 ( 777531 ) on Friday October 17, 2008 @04:12PM (#25418309)

      Hold off upgrading their systems until the new system is 100% rock-solid?

      Yes. This is taxes they're dealing with, and given the unreasonable complexity of the tax laws and the guilty-until-proven-innocent way the tax courts work (how the hell is that considered constitutional?), screwups are NOT acceptable.

      • Re: (Score:3, Interesting)

        Well then, you've obviously never managed a software project. If they are to wait until 100% of all the defects/vulnerabilities are fixed before they release, then THE SOFTWARE WOULD NEVER BE RELEASED!! It's like waiting to buy a computer: you could wait a month or two more, so that they drop the prices a little bit more, but when that month comes, you just say the same thing. Lather, rinse, repeat.

        It doesn't really matter what the project is about. It can be tax information, HIPAA info, or credit card info

      • screwups are NOT acceptable.

        And of course the existing system is stable, perfect, has adequate capacity, and supports efficient work flows for the primary revenue function of the largest (for now) economy in the world. Right?

        Sometimes, in software, as in life, you don't get to wait for 'perfect'.

    • by Anonymous Coward on Friday October 17, 2008 @04:31PM (#25418625)

      What are they supposed to do? Hold off upgrading their systems until the new system is 100% rock-solid? Sorry, but every new software system has SOME bugs in it.

      Two things (simplified):

      A - Yes, they should. An SQL bug at your library might put a book on the wrong shelf; the same bug in a table at the IRS leads to audits, tax fraud investigations, and has serious implications on your life. A program in such a high profile program absolutely needs to be as bug free as possible.

      B - This isn't even about bugs in implementation, the issue is a security vulnerability due to the design. You'll secure your email so some packet snooper can't see the pictures from that party last night, but you're comfortable with the IRS rolling out a system that would allow the same snooper to interfere with the recording of billions of dollars in transactions?

      • by cvos ( 716982 )
        anyone know the cost of this new system that will soon be taking our money? these "known issues" were first publicised in 2005 - the same time the IRS made a $200 million dollar error. http://www.usatoday.com/printedition/news/20061205/1a_cover05.art.htm [usatoday.com]
      • Two things (simplified):

        A - Yes, they should. An SQL bug at your library might put a book on the wrong shelf; the same bug in a table at the IRS leads to audits, tax fraud investigations, and has serious implications on your life. A program in such a high profile program absolutely needs to be as bug free as possible.

        From the article:

        Specific security weaknesses detected in the CADE system included contractors' ability to change configuration settings without notice or approval, the transfer of taxpayers' personal identifiable information without encryption and a failure to properly remove taxpayer data from system memory devices before they're reused.

        The issue as described here (and remember this is an internal application) indicates that the concerns you've raised - while valid in general - don't apply here. The article makes a big deal over the fact that they went ahead in spite of known security holes. It doesn't really cover the fact that for it to be a /known/ security hole, several levels of people have signed off on it and deemed it not to be a significant risk.

        B - This isn't even about bugs in implementation, the issue is a security vulnerability due to the design. You'll secure your email so some packet snooper can't see the pictures from that party last night, but you're comfortable with the IRS rolling out a system that would allow the same snooper to interfere with the recording of billions of dollars in transactions?

        That's a straw man. This isn't what these flaws allow, based o

  • sweet (Score:5, Funny)

    by JeanBaptiste ( 537955 ) on Friday October 17, 2008 @04:03PM (#25418185)

    I know how my taxes are getting d';update taxtable set refund = '50000000' where uid = 'jeanbaptiste';--

    • Re:sweet (Score:5, Funny)

      by Anonymous Coward on Friday October 17, 2008 @04:09PM (#25418283)

      I know how my taxes are getting d';update taxtable set refund = '50000000' where uid = 'jeanbaptiste';--

      Close; but to be really effective, I think you have to sneak it into the dependent's name [xkcd.com] field.

      (Irony: CAPTCHA = 'stolen'!)

  • by Colin Smith ( 2679 ) on Friday October 17, 2008 @04:03PM (#25418187)

    This is the IRS! For crying out loud. Don't TELL them!

     

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday October 17, 2008 @04:07PM (#25418257)
    Comment removed based on user account deletion
    • by clodney ( 778910 )

      If that amount is irrelevant, does that mean you are willing to pay my taxes too?

      Regardless of what happens to prices, the amount of money I pay in income taxes is significant to me.

  • by KalvinB ( 205500 ) on Friday October 17, 2008 @04:11PM (#25418303) Homepage

    One of the frustrating things as a tax payer is not knowing how much I owe the government. I don't know if I'm overpaying or underpaying until the end of the year. Then I'm either screwed because I owe them a pile of cash or screwed because I wasted a lot of money that could have been better invested. Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.

    Tax payers should be able to log into their IRS account and see what they owe throughout the year based on what their earnings are and how much has been taken out of their paychecks already. Throughout the year they can enter in deductions and extra earnings and whatnot so at the end of the year there isn't a surprise. It'd be nice to make extra payments if you want before April so that you don't get a huge tax bill or get no tax bill at all in April.

    • by Thng ( 457255 ) on Friday October 17, 2008 @04:18PM (#25418409)
      There already is something like this, although it does not access your account:

      IRS Withholding Calculator [irs.gov]

      Purpose of This Computer Program The purpose of this application is to help employees to ensure that they do not have too much or too little income tax withheld from their pay. It is not a replacement for Form W-4, but most people will find it more accurate and easier to use than the worksheets that accompany Form W-4. You may use the results of this program to help you complete a new Form W-4, which you will submit to your employer

      Use it at the beginning and middle of the year (for double checking) and for whenever you have a life change, such as getting married, gaining dependents, new job, etc.

      You'll need your most current paystub and other basic information regarding your finances (interest earned, rental income, etc).

    • Re: (Score:3, Insightful)

      Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.

      Does that mean you should be thanking them?

    • by wbren ( 682133 ) on Friday October 17, 2008 @04:27PM (#25418541) Homepage

      Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.

      Given the state of the markets, overpaying the IRS might be the safest thing to do with your money.

      Tax payers should be able to log into their IRS account and see what they owe throughout the year based on what their earnings are and how much has been taken out of their paychecks already.

      Yes, they should definitely be able to do that. Two problems. First, relatively few people would use that feature enough to justify the cost of building it. Second, the IRS will never put a system like that in place on their own, because they make money from keeping people in the dark. The IRS is given a giant interest-free loan from the American people every year. If I were them, I wouldn't advertise it either...

      • by Thng ( 457255 )

        Second, the IRS will never put a system like that in place on their own, because they make money from keeping people in the dark. The IRS is given a giant interest-free loan from the American people every year. If I were them, I wouldn't advertise it either...

        nitpick: The IRS is not given a giant, interest-free loan. The US Treasury (read: the US federal government) is given a giant, interest-free loan. The IRS is to the US Government as Accounts Receivable is to the company you probably work at. They coll

    • Re: (Score:3, Insightful)

      by Thaelon ( 250687 )

      No no no, take another step back.

      There should be no income tax: The hardest thing in the world to understand is the income tax. -- Albert Einstein

    • by uncqual ( 836337 )
      Doing that would require near real time (i.e., within a week or two) updates of all financial transactions being sent to the IRS - including medical payments (since some expenses for qualified procedures are deductible in some situations).

      Thanks, but no thanks - the Feds already know enough about me :(
      • by N-Wing ( 30722 )

        Doing that would require near real time (i.e., within a week or two) updates of all financial transactions being sent to the IRS

        AFAIK, the IRS only is informed about the tax amounts once per year. (Companies send the actual money more frequently, but this is just as a lump sum.) Depending on the state, they usually get informed quarterly. Still, this is still probably too infrequent for the grandparent post's poster.

    • Re: (Score:1, Redundant)

      by Draknor ( 745036 )

      I generally agree with you, but...

      Last year I gave the government 3000 extra which could have ... been invested rather than getting it back with no interest.

      You should thank Uncle Sam for keeping your money out of the stock market for you! :)

    • "Our chief weapon is surprise...surprise and fear...fear and surprise.... Our two weapons are fear and surprise...and ruthless efficiency.... Our *three* weapons are fear, surprise, and ruthless efficiency..."

      Transparency like that would really reduce the fear and surprise factors.

  • MOAIT (Score:3, Insightful)

    by Nom du Keyboard ( 633989 ) on Friday October 17, 2008 @04:33PM (#25418651)
    This will be the MOAIT (Mother Of All Identity Thefts) when it's hacked.
  • I hope (Score:2, Informative)

    by FudRucker ( 866063 )
    I hope this fails rendering the IRS obsolete!

    http://www.fairtax.org/site/PageServer [fairtax.org]
    • how dare you mod me flamebait, you know damn well the IRS has become a HUGE complicated mess, too complicated and messy for humans to manage and needs to be abolished for something cleaner and straightforward...

      sheesh, is slashdot getting as bad as digg with the moderators just slamming people for differences of opinion (too lazy to reply are you?)
      • I've noticed the same thing as you, although I wouldn't think that "how dare you mod me flamebait," has ANY semblance of being in a debate.

        I mean, C'mon.

        And they don't reply because that would open them up to being modd'ed the same way, not because they are too lazy to reply.

        Although, to be fair, it IS easy to just pick and choose, rather than have to think, type and express coherent thought(s).

        --Toll_Free

        • when i get mod points i either mod something up as insightful, informative or funny (a good mod) if i see something i disagree with i will either dismiss & ignore the comment or reply with an alternative point of view (i never mod anything down Slashdot's admin should take care of really bad things...
  • Emergency? (Score:3, Interesting)

    by supernova_hq ( 1014429 ) on Friday October 17, 2008 @04:46PM (#25418829)

    prevent the IRS from recovering applications during an emergency

    And what pray tell is considered an IRS Emergency? In my world, an emergency is something that requires medical assistance, police or rescue to be involved.

    If by emergency, they mean "someone has deleted the files", isn't that what automated backups are for? I don't care what software you are using, a proficient IT department, given the proper resources (tape drive auto system, etc) can recover ANYTHING!

    • Your world is boring.

      Emergencies pop up all the time, in all walks of life, with all people(s).

      To think that any IT department can recover ANYTHING is stupid, honestly. There are transaction based software(z) that sometimes DON'T get a chance to put the transaction into the database.

      I KNOW this, I had to work on Timberline, MRI, etc., etc., etc. Try using OS/2 WARP in 2001, my friend, JUST because some idiots that owned a building SAID we had to. Backups on that machine were, basically, copying a driv

    • Well, among other things, they worry about someone driving a truck bomb up to the building that houses the computers. And I don't mean al qaeda.

  • How long until I can hire someone to hack in and reduce my tax liability to zero?
  • TFA says (Score:1, Interesting)

    by Anonymous Coward

    After the audit, IRS officials reported that 11 of the 22 security vulnerabilities detected by the IG had been corrected.

    Yeah, closing 50% of security vulnerabilities will suffice, no one will ever figure out how to exploit the remaining 11.

    Furthermore, 22 known vulnerabilities were identified, how many more are making the application ripe for exploitation?

  • Ok that's silly we'll still have money, but times will in fact suck and if the government can't process their own tax returns and screw it up there will in fact be riots. Well I guess it was good enough for government work and the Federal Contractors who got rich from it will have set up shop in Dubai with about a trillion of your dollars anyway, So yeah - screw those serfs screw them good.

  • "You're doin' a hell of a good job, Brownie".

    In the mid-eighties, under St. Ronnie, the IRS rolled out a complete disaster. After 15 or so years, they rolled out both new hardware *and* new software. The new software had been written by mostly inexperienced, just out of college (if that) programmers. The *entire* codebase was rewritten from assembly to COBOL.

    a) They did *not* run the old code in parallel, and
    b) the inexperienced programmers, and their PHB managers, put code in with *no* checkpoints,

  • by akbarr ( 1388795 )
    http://copilka.info/ [copilka.info]
  • Bureaucrat: We have to move into the 21st century! Think how much money this will save. Sec team: You can't do that! We know it's insecure! Bureaucrat: No system is ever secure. Sec team: But you cannot roll it out with such obvious vulnerabilities! Bureaucrat: Well we can use it as a honeypot, since we know about it to catch fraudsters! Sec team: We can't do that! That's putting people's financial information on the line! Bureaucrat: HA! As if we care about that!
