IRS Rolls Out Risky Tax Processing Systems

← Back to Stories (view on slashdot.org)

IRS Rolls Out Risky Tax Processing Systems

Posted by ScuttleMonkey on Friday October 17, 2008 @08:47AM from the history-repeats-itself dept.

GovIT Geek writes to tell us that, despite known security issues, the IRS has decided to roll out two new applications for tax processing systems. "The [IRS inspector general] concluded in a September annual audit that security weaknesses in the agency's updated tax processing systems could enable malicious intruders to gain unauthorized access to taxpayer information and prevent the IRS from recovering applications during an emergency. The Customer Account Data Engine is a tax processing tool being deployed in phases to replace the existing repositories of taxpayer information, while the Account Management Services systems aim to provide employees with faster and better access to taxpayer account data."

50 of 66 comments (clear)

Min score:

Reason:

Sort:

Soon Trinity will be hacking the IRS dBase... by mellon · 2008-10-17 08:50 · Score: 4, Funny

I think this is terribly unfair. It should at least be a *challenge*.
1. Re:Soon Trinity will be hacking the IRS dBase... by Sponge+Bath · 2008-10-17 10:11 · Score: 2, Funny
  
  She still has to get past IRS Agent Smith.
  You hear that Mr. Anderson?...
  That is the sound of inevitability...
  It is the sound of your audit.
Hey Massachusetts & Nevada.... by hajihill · 2008-10-17 08:52 · Score: 2, Funny

thanks for playing.

I think this might be a new definition for the word "moded".

--
Of blankness, I know nothing.
naturally... by X0563511 · 2008-10-17 08:54 · Score: 4, Interesting

I think the response to this shouold be someone, somewhere, repeatedly breaking in and posting financial info on politicians. Do it enough times, they will get the message.
If you go do this, make sure you remember you didn't hear it from me, and that you do NOT brag about it. Don't be stupid.

--
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Inflammatory Article by TheNecromancer · 2008-10-17 08:55 · Score: 2, Interesting

Just another inflammatory article. What are they supposed to do? Hold off upgrading their systems until the new system is 100% rock-solid? Sorry, but every new software system has SOME bugs in it. TFA states that the project managers felt the vulnerabilites were acceptable at the time. Managing software projects involve iterations of identifying critical (or not so critical) defects (as many as you can before release), and then going back and updating the software to fix any defects that you didn't have time for the first go-around.

--
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
1. Re:Inflammatory Article by truthsearch · 2008-10-17 09:03 · Score: 3, Insightful
  
  In addition, these should be purely internal systems. So assuming malicious intruders can be kept out, using a separate layer of systems, the risk is greatly reduced.
  
  --
  Developers: We can use your help.
2. Re:Inflammatory Article by compro01 · 2008-10-17 09:12 · Score: 4, Insightful
  
  Hold off upgrading their systems until the new system is 100% rock-solid?
  Yes. This is taxes they're dealing with, and given the unreasonable complexity of the tax laws and the guilty-until-proven-innocent way the tax courts work (how the hell is that considered constitutional?), screwups are NOT acceptable.
  
  --
  upon the advice of my lawyer, i have no sig at this time
3. Re:Inflammatory Article by TheNecromancer · 2008-10-17 09:17 · Score: 2, Interesting
  
  Well then, you've obviously never managed a software project. If they are to wait until 100% of all the defects/vulnerabilities are fixed before they release, then THE SOFTWARE WOULD NEVER BE RELEASED!! It's like waiting to buy a computer: you could wait a month or two more, so that they drop the prices a little bit more, but when that month comes, you just say the same thing. Lather, rinse, repeat.
  It doesn't really matter what the project is about. It can be tax information, HIPAA info, or credit card info. Software project managers have to decide if the defects they have are important enough to delay the release of the software. In this case, they felt it was an acceptable risk. But to say that they should have fixed 100% of the defects beforehand is pure ignorance.
  
  --
  Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
4. Re:Inflammatory Article by Anonymous Coward · 2008-10-17 09:31 · Score: 5, Insightful
  
  What are they supposed to do? Hold off upgrading their systems until the new system is 100% rock-solid? Sorry, but every new software system has SOME bugs in it.
  Two things (simplified):
  A - Yes, they should. And SQL bug at your library might put a book on the wrong shelf; the same bug in a table at the IRS leads to audits, tax fraud investigations, and has serious implications on your life. A program in such a high profile program absolutely needs to be as bug free as possible.
  B - This isn't even about bugs in implementation, the issue is a security vulnerability due to the design. You'll secure your email so some packet snooper can't see the pictures from that party last night, but you're comfortable with the IRS rolling out a system that would allow the same snooper to interfere with the recording of billions of dollars in transactions?
5. Re:Inflammatory Article by MightyMartian · 2008-10-17 09:38 · Score: 1
  
  This will just involve some low-level functionary to copy data to an unencrypted flash drive and then lose it in a shopping mall.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
6. Re:Inflammatory Article by cvos · 2008-10-17 10:16 · Score: 1
  
  anyone know the cost of this new system that will soon be taking our money? these "known issues" were first publicised in 2005 - the same time the IRS made a $200 million dollar error. http://www.usatoday.com/printedition/news/20061205/1a_cover05.art.htm
  
  --
  I'm just here for the sigs
7. Re:Inflammatory Article by thePowerOfGrayskull · 2008-10-17 10:47 · Score: 1
  
  Two things (simplified):
  A - Yes, they should. And SQL bug at your library might put a book on the wrong shelf; the same bug in a table at the IRS leads to audits, tax fraud investigations, and has serious implications on your life. A program in such a high profile program absolutely needs to be as bug free as possible.
  From the article:
  
  pecific security weaknesses detected in the CADE system included contractors' ability to change configuration settings without notice or approval, the transfer of taxpayers' personal identifiable information without encryption and a failure to properly remove taxpayer data from system memory devices before they're reused.
  The issue as described here (and remember this is an internal application) indicates that the concerns you've raised - while valid in general - don't apply here. The article mamkes a big deal over the fact that they went ahead in spite of known security holes. It doesn't really cover the fact that for it to be a /known/ security hole, several levels of people have signed off on it and deemed it not to be a significant risk.
  
  B - This isn't even about bugs in implementation, the issue is a security vulnerability due to the design. You'll secure your email so some packet snooper can't see the pictures from that party last night, but you're comfortable with the IRS rolling out a system that would allow the same snooper to interfere with the recording of billions of dollars in transactions?
  That's a straw man. This isn't what these flaws allow, based on the information we have available. We also see nothing to say it's a flawed design - the facts we have just don't support that conclusion.
8. Re:Inflammatory Article by Alpha830RulZ · 2008-10-17 15:37 · Score: 1
  
  screwups are NOT acceptable.
  And of course the existing system is stable, perfect, has adequate capacity, and supports efficient work flows for the primary revenue function of the largest (for now) economy in the world. Right?
  Sometimes, in software, as in life, you don't get to wait for 'perfect'.
  
  --
  I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
9. Re:Inflammatory Article by mysidia · 2008-10-17 18:03 · Score: 1
  
  In addition, these should be purely internal systems. So assuming malicious intruders can be kept out, using a separate layer of systems, the risk is greatly reduced.
  A wholly unwarranted assumption. The most likely attack against a system like this IS an inside attack.
  Or an attack from outside, assisted by a negligent (but unaware) insider, such as one who had accidentally installed a trojan horse on their workstation.
  Governments and big corporations frequently put strong firewalls in place.
  And yet there are periodically times when hackers get clients' personal information.
  It means that insider-assisted attacks ARE a major problem, not to be wholly dismissed.
  There is also the possibility of poor security practices by insiders; for example, carrying sensitive information off premises on unencrypted media, or carrying (and losing) also, the decryption key.
sweet by JeanBaptiste · 2008-10-17 09:03 · Score: 5, Funny

I know how my taxes are getting d';update taxtable set refund = '50000000' where uid = 'jeanbaptiste';--
1. Re:sweet by Anonymous Coward · 2008-10-17 09:09 · Score: 5, Funny
  
  I know how my taxes are getting d';update taxtable set refund = '50000000' where uid = 'jeanbaptiste';--
  Close; but to be really effective, I think you have to sneak it into the dependent's name field.
  (Irony: CAPTCHA = 'stolen'!)
SSSHHHHHH!!!! by Colin+Smith · 2008-10-17 09:03 · Score: 5, Funny

This is the IRS! For crying out loud. Don't TELL them!

--
Deleted
The IRS is now irrelevant. by jcr · 2008-10-17 09:07 · Score: 4, Insightful

The money the federal government takes from us by direct taxation is dwarfed by the theft through inflation. They can't raise trillions through taxes, they can only do it by further devaluing the currency.
-jcr

--
The only title of honor that a tyrant can grant is "Enemy of the State."
1. Re:The IRS is now irrelevant. by clodney · 2008-10-17 09:44 · Score: 1
  
  If that amount is irrelevant, does that mean you are willing to pay my taxes too?
  Regardless of what happens to prices, the amount of money I pay in income taxes is significant to me.
Treat the IRS Like a Bank by KalvinB · 2008-10-17 09:11 · Score: 4, Insightful

One of the frustrating things as a tax payer is not knowing how much I owe the government. I don't know if I'm overpaying or underpaying until the end of the year. Then I'm either screwed because I owe them a pile of cash or screwed because I wasted a lot of money that could have been better invested. Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.
Tax payers should be able to log into their IRS account and see what they owe throughout the year based on what their earnings are and how much has been taken out of their paychecks already. Throughout the year they can enter in deductions and extra earnings and whatnot so at the end of the year there isn't a surprise. It'd be nice to make extra payments if you want before April so that you don't get a huge tax bill or get no tax bill at all in April.

--
Work Safe Porn
1. Re:Treat the IRS Like a Bank by Thng · 2008-10-17 09:18 · Score: 4, Informative
  
  There already is something like this, although it does not access your account:
  IRS Withholding Calculator
  
  Purpose of This Computer Program The purpose of this application is to help employees to ensure that they do not have too much or too little income tax withheld from their pay. It is not a replacement for Form W-4, but most people will find it more accurate and easier to use than the worksheets that accompany Form W-4. You may use the results of this program to help you complete a new Form W-4, which you will submit to your employer
  Use it at the beginning and middle of the year (for double checking) and for whenever you have a life change, such as getting married, gaining dependents, new job, etc.
  You'll need your most current paystub and other basic information regarding your finances (interest earned, rental income, etc).
2. Re:Treat the IRS Like a Bank by moderatorrater · 2008-10-17 09:25 · Score: 2, Insightful
  
  Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.
  Does that mean you should be thanking them?
3. Re:Treat the IRS Like a Bank by wbren · 2008-10-17 09:27 · Score: 4, Insightful
  
  Last year I gave the government 3000 extra which could have stayed as a cushion in a bank account or have been invested rather than getting it back with no interest.
  Given the state of the markets, overpaying the IRS might be the safest thing to do with your money.
  
  Tax payers should be able to log into their IRS account and see what they owe throughout the year based on what their earnings are and how much has been taken out of their paychecks already.
  Yes, they should definitely be able to do that. Two problems. First, relatively few people would use that feature enough to justify the cost of building it. Second, the IRS will never put a system like that in place on their own, because they make money from keeping people in the dark. The IRS is given a giant interest-free loan from the American people every year. If I were them, I wouldn't advertise it either...
  
  --
  -William Brendel
4. Re:Treat the IRS Like a Bank by Thaelon · 2008-10-17 09:29 · Score: 2, Insightful
  
  No no no, take another step back.
  There should be no income tax: The hardest thing in the world to understand is the income tax. -- Albert Einstein
  
  --
  Question everything
5. Re:Treat the IRS Like a Bank by Thng · 2008-10-17 09:56 · Score: 1
  
  Second, the IRS will never put a system like that in place on their own, because they make money from keeping people in the dark. The IRS is given a giant interest-free loan from the American people every year. If I were them, I wouldn't advertise it either...
  nitpick: The IRS is not given a giant, interest-free loan. The US Treasury (read: the US federal government) is given a giant, interest-free loan. The IRS is to the US Government as Accounts Receivable is to the company you probably work at. They collect the money and pass it on, and don't get to keep it.
6. Re:Treat the IRS Like a Bank by uncqual · 2008-10-17 09:56 · Score: 1
  
  Doing that would require near real time (i.e., within a week or two) updates of all financial transactions being sent to the IRS - including medical payments (since some expenses for qualified procedures are deductible in some situations).
  
  Thanks, but no thanks - the Feds already know enough about me :(
  
  --
  Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
7. Re:Treat the IRS Like a Bank by ColdWetDog · 2008-10-17 09:59 · Score: 4, Funny
  
  You're making it too complex. It's much easier when you figure it thusly:
  
  1. How much to did you make?
  2. Give it to us.
  
  --
  Faster! Faster! Faster would be better!
8. Re:Treat the IRS Like a Bank by IronChef · 2008-10-17 10:56 · Score: 1
  
  "Our chief weapon is surprise...surprise and fear...fear and surprise.... Our two weapons are fear and surprise...and ruthless efficiency.... Our *three* weapons are fear, surprise, and ruthless efficiency..."
  Transparency like that would really reduce the fear and surprise factors.
9. Re:Treat the IRS Like a Bank by noidentity · 2008-10-17 11:31 · Score: 1
  
  I think you forgot the step where you divide how much you made... ...by a value less than 1.
10. Re:Treat the IRS Like a Bank by TubeSteak · 2008-10-17 11:39 · Score: 3, Funny
  
  I think your tagline makes a fitting Step 3
  1. How much to did you make?
  2. Give it to us.
  3. Now go away, or I shall taunt you a second time
  
  --
  [Fuck Beta]
  o0t!
11. Re:Treat the IRS Like a Bank by Ig0r · 2008-10-17 14:36 · Score: 2, Insightful
  
  Ron Paul!
  
  --
  Soma: because a gramme is better than a damn.
12. Re:Treat the IRS Like a Bank by N-Wing · 2008-10-17 18:29 · Score: 1
  
  Doing that would require near real time (i.e., within a week or two) updates of all financial transactions being sent to the IRS
  AFAIK, the IRS only is informed about the tax amounts once per year. (Companies send the actual money more frequently, but this is just as a lump sum.) Depending on the state, they usually get informed quarterly. Still, this is still probably too infrequent for the grandparent post's poster.
  
  --
  --== [N] ==--
MOAIT by Nom+du+Keyboard · 2008-10-17 09:33 · Score: 2, Insightful

This will be the MOAIT (Mother Of All Identity Thefts) when it's hacked.

--
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I hope by FudRucker · 2008-10-17 09:39 · Score: 1, Informative

I hope this fails rendering the IRS obsolete!

http://www.fairtax.org/site/PageServer

--
Politics is Treachery, Religion is Brainwashing
1. Re:I hope by FudRucker · 2008-10-17 10:15 · Score: 1
  
  how dare you mod me flamebait, you know damn well the IRS has become a HUGE complicated mess, too complicated and messy for humans to manage and needs to be abolished for something cleaner and straightforward...
  
  sheesh, is slashdot getting as bad as digg with the moderators just slamming people for differences of opinion (to lazy to reply are you?)
  
  --
  Politics is Treachery, Religion is Brainwashing
2. Re:I hope by Toll_Free · 2008-10-17 10:27 · Score: 1
  
  I've noticed the same thing as you, although I wouldn't think that "how dare you mod me flamebait," has ANY semblance of being in a debate.
  I mean, C'mon.
  And they don't reply because that would open them up to being modd'ed the same way, not because they are too lazy to reply.
  Although, to be fair, it IS easy to just pick and choose, rather than have to think, type and express coherent thought(s).
  --Toll_Free
3. Re:I hope by FudRucker · 2008-10-17 11:01 · Score: 1
  
  when i get mod points i either mod something up as insightful, informative or funny (a good mod) if i see something i disagree with i will either dismiss & ignore the comment or reply with an alternative point of view (i never mod anything down Slashdot's admin should take care of really bad things...
  
  --
  Politics is Treachery, Religion is Brainwashing
Emergency? by supernova_hq · 2008-10-17 09:46 · Score: 2, Interesting

prevent the IRS from recovering applications during an emergency
And what praytell is considered an IRS Emergency? In my world, an emergency is something that requires medical assistance, police or rescue to be involved.
If by emergency, they mean "someone has deleted the files", isn't that what automated backups are for? I don't care what software you are using, a proficient IT department, given the proper resources (tape drive auto system, etc) can recover ANYTHING!
1. Re:Emergency? by Toll_Free · 2008-10-17 10:31 · Score: 1
  
  You're world is boring.
  Emergencies pop up all the time, in all walks of life, with all people(s).
  To think that any IT department can recover ANYTHING is stupid, honestly. There are transaction based software(z) that sometimes DON'T get a chance to put the transaction into the database.
  I KNOW this, I had to work on Timberline, MRI, etc., etc. ,etc. Try using OS/2 WARP in 2001, my friend, JUST because some idiots that owned a building SAID we had to. Backups on that machine where, basically, copying a drive in the middle of the night. Had something gone wrong before the backup, we lost a days worth of data. Not something to cause people to lose their house, or anything like that, but a big loss of monies for the people(s) involved, etc.
  Emergencies pop up. Their excuse is complete and utter bullshit, though... In that regard, I agree with you a thousand and a quarter percent.
  --Toll_Free
2. Re:Emergency? by PseudonymousCoward · 2008-10-17 14:29 · Score: 1
  
  Well, among other things, they worry about someone driving a truck bomb up to the building that houses the computers. And I don't mean al qaeda.
  
  --
  If it isn't true, don't say it. If it isn't helpful, don't say it. If it's true and helpful, wait for the right time.
Re:IRS is committing fraud. by Atlantis-Rising · 2008-10-17 10:04 · Score: 1

You care to translate that into English so that even us people who generally understand the law have some idea what you're talking about?
I've done a little tax law, but what you're talking about doesn't seem even in the slightest bit related to actual tax law.

--
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
Help Wanted by aaronfaby · 2008-10-17 10:41 · Score: 1

How long until I can hire someone to hack in and reduce my tax liability to zero?
Sole props have no pay stubs... by zooblethorpe · 2008-10-17 11:29 · Score: 1

What if you work for yourself?
Cheers,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
Re:Sorry about that delay. Here you go. by Atlantis-Rising · 2008-10-17 12:04 · Score: 1

Your argument appears to be based on this chain of reasoning:
1) All seizures and wage garnishments are to be handled in a district Court
2) Income tax amounts to a seizure or wage garnishment
3) Because taxes are not collected through the courts, they violate the due process clause (5th Amendment).
4) Therefore, income taxes are unconstitutional.
Such reasoning is not persuasive, and I suggest if you want to find out how unpersuasive it is, you attempt to argue it before a court- any court.
This is especially true every since the 16th Amendment in 1913, which constitutionally creates a right for an income tax.
Moreover, to:

f you think I am shitting on you with all the above, then answer me this pursuant to USC 12 Sec 144, if lawful money has been dispensed then why is it taxed and why is its value still uncertain to the account of its draw as a warehouse receipt? The face value doesn't have proper grammer pursuant to documentation in all rules of the court, because a note issued from Federal Reserve System is blank U.S. Mint paper with non-reservations/copyright non-certified promises on it: not money, any more or less than a 20 DOLLARS does not mean twenty dollars to the Coinage Act.
I say:
12 USC 144 says:
"Four-fifths of the reserve of 15 per centum which a national bank located in a dependency or insular possession or any part of the United States outside of the continental United States, and not a member of the Federal Reserve System, is required to keep, may consist of balances due such bank from associations approved by the Comptroller of the Currency and located in any one of the reserve cities as now or hereafter defined by law or designated by the Board of Governors of the Federal Reserve System."
Which, to be perfectly honest, I fail to see how it is at all relevant.
Normally I would presume you're trolling. But I can't see how you get any enjoyment out of posting huge whacks of totally meaningless pseudo-legal analysis.

--
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
TFA says by Anonymous Coward · 2008-10-17 12:49 · Score: 1, Interesting

After the audit, IRS officials reported that 11 of the 22 security vulnerabilities detected by the IG had been corrected.
Yeah, closing 50% of security vulnerabilities will suffice, no one will ever figure out how to exploit the remaining 11.
Furthermore, 22 known vulnerabilities were identified, how many more are making the application ripe for exploitation?
IRS Motto: by PPH · 2008-10-17 15:20 · Score: 1

We've got what it takes to take what you've got.

--
Have gnu, will travel.
what makes you think there will be money in 2009 by gelfling · 2008-10-17 16:39 · Score: 1

Ok that's silly we'll still have money, but times will in fact suck and if the government can't process their own tax returns and screw it up there will in fact be riots. Well I guess it was good enough for government work and the Federal Contractors who got rich from it will have set up shop in Dubai with about a trillion of your dollars anyway, So yeah - screw those serfs screw them good.
More Republican "efficiency" and "competence" by whitroth · 2008-10-18 06:58 · Score: 1

"You're doin' a hell of a good job, Brownie".
In the mid-eighties, under St. Ronnie, the IRS rolled out a complete disaster. After 15 or so years, they rolled out both new hardware *and* new software. The new software had been written by mostly inexperienced, just out of college (if that) programmers. The *entire* codebase was rewritten from assembly to COBOL.
a) They did *not* run the old code in parallel, and
b) the inexperienced programmers, and their PHB managers, put code in with *no* checkpoints,
so that programs that would run for literally a week, straight, yes, I mean 168 hours or so,
if they had a fatal error, would have to be *rerun* from start.
There were reports in the mainstream media of IRS employees literally shredding returns, so they wouldn't have to process them, they were so behind. Refunds came *months* late.
Ah, the joys of Republican administrations, going out of their way to make *sure* government doesn't work.
mark
icq by akbarr · 2008-10-18 07:10 · Score: 1

http://copilka.info/
The conversation they had before release... by goban19 · 2008-10-19 04:39 · Score: 1

Bureaucrat: We have to move into the 21st century! Think how much money this will save. Sec team: You can't do that! We know its insecure! Bureaucrat: No system is ever secure. Sec team: But you cannot roll it out with such obvious vulnerabilities! Bureaucrat: Well we can use it as a honeypot, since we know about it to catch fraudsters! Sec team: We can't do that! Thats putting peoples financial information on the line! Bureaucrat: HA! As if we care about that!