Slashdot Mirror


Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

62 comments

  1. It's not the first time, it won't be the last. by GrpA · · Score: 5, Interesting

    That reminds me of what happened in Australia with the taxation department a few years ago.

    The ATO put everyone's tax details online and used their Tax File Number (everyone who pays tax has one).

    Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

    There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

    The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

    I'm pretty sure that there's a similar situation in the US.

    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
    1. Re:It's not the first time, it won't be the last. by MichaelSmith · · Score: 0

      Actually that was in 1999 or 2000, almost ten years ago.

    2. Re:It's not the first time, it won't be the last. by playerone · · Score: 4, Insightful

      The minister responsible was never held accountable. That's why these security breaches keep on happening over here.

      GrpA

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      Such a rort.

      All it would take is some simple bad behavior = punishment laws for politicians but oh hold on it's those same politicians that vote on the laws so of course they won't do that.
      Don't even get me started on being able to give yourself a payrise.

      P1

      --
      --Question Authority--
    3. Re:It's not the first time, it won't be the last. by CDMA_Demo · · Score: 3, Informative
    4. Re:It's not the first time, it won't be the last. by CDMA_Demo · · Score: 3, Funny

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      If you hit the bull's eye, the rest of the dominoes will fall like a house of cards, checkmate!

    5. Re:It's not the first time, it won't be the last. by Anthony_Cargile · · Score: 4, Informative

      Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

      Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

      Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!

      I'm pretty sure that there's a similar situation in the US.

      Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't get harvest information that easily (not really, don't need treason charges :).

      But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
      </rant></rave>
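
The flaw discussed in the comments above (a Tax File Number in the URL acting as the only access check) shown beside a handler that binds the record to a server-side session and logs cross-account requests. This is an added example, not part of any comment and not the Treasury site's code; the records, URL and function names are constructed for illustration.

```python
# Added illustration. All identifiers, records and URLs are constructed.
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: identifier -> record
RECORDS = {
    "100000001": {"name": "Alice Example", "tax_owed": 1200},
    "100000002": {"name": "Bob Example", "tax_owed": 50},
}

SESSIONS = {}   # session token -> identifier, held only on the server
AUDIT_LOG = []  # (event, session owner, identifier requested)


def login(tfn):
    """Stand-in for a real authentication step; issues an unguessable token."""
    if tfn not in RECORDS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = tfn
    return token


def _query_param(url, name):
    """Return the first value of a query-string parameter, or None."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if values else None


def view_record_vulnerable(url):
    """The identifier in the URL is the only thing consulted, so anyone
    who edits it is served that person's record."""
    record = RECORDS.get(_query_param(url, "tfn"))
    return (200, record) if record else (404, None)


def view_record_hardened(url, session_token):
    """The record served is the one tied to the authenticated session.
    An identifier in the URL is never used to select data; a mismatch is
    refused and recorded so it can be reviewed."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return (401, None)
    requested = _query_param(url, "tfn")
    if requested is not None and requested != owner:
        AUDIT_LOG.append(("denied_cross_account", owner, requested))
        return (403, None)
    return (200, RECORDS[owner])


if __name__ == "__main__":
    token = login("100000001")
    other = "https://tax.example/view?tfn=100000002"
    print(view_record_vulnerable(other))
    print(view_record_hardened(other, token))
    print(AUDIT_LOG)
```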

    6. Re:It's not the first time, it won't be the last. by solafide · · Score: 2, Funny

      How many game metaphors can one cram into one post?

    7. Re:It's not the first time, it won't be the last. by QuantumG · · Score: 1

      Their solution was funny too.

      1. You have to authenticate yourself to the site in an annoying and expensive way.
      2. It's trivial to get someone else's data but the site logs all accesses.
      3. They periodically check who has been a bad boy and send the police out to talk to them.

      Of course, there's the slight problem that no matter how good the identification/authorization process is, someone will hack it, and that means that innocent people will get done for it.

      --
      How we know is more important than what we know.
    8. Re:It's not the first time, it won't be the last. by Klootzak · · Score: 2, Insightful

      I am so angry that politicians are not accountable for their actions. It makes the implementation of democracy a farce because the people in power voted in by the public can basically do whatever the hell they want and walk away with a fat paycheck and pension without having to worry that if they do something seriously wrong they can be punished somehow.

      That's a very Insightful comment...

      Politicians tend to say "If you pay peanuts you'll get monkeys", yet most businesses appear to operate on exactly this ideology.

      I don't know about you, but I've seen far more Monkeys working as politicians than as (relatively) low-seniority employees.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    9. Re:It's not the first time, it won't be the last. by GFree678 · · Score: 4, Insightful

      There were accusations of hacking and all, but it conveniently left out the discussion that it was a pretty obvious and blatant flaw.

      Oh my God. Are you saying that changing one digit in a completely accessible URL is enough to be accused of hacking?

      Humanity is hopelessly lost when it comes to common sense.

    10. Re:It's not the first time, it won't be the last. by jlarocco · · Score: 1

      In a democracy, for a politician to lose his job requires the public to stop voting for the person.

      If the politician does something stupid, but the public keeps voting for them, it's an indication that the public doesn't consider the stupid things to be a problem. It's clear that most people don't care about the privacy of their personal information, or they would have fired the guy by voting for somebody else.

      That's why it's important to keep the government as small as possible. Something you consider very important, like the privacy of your personal information, might not be important to everybody else. By trusting everybody to make the decision for you, you lose the freedom to decide for yourself.

      Admittedly, it's a moot point in this case because the government is going to have your tax data no matter what, but it's something to keep in mind when thinking about government provided health care, government provided broadband, and other government provided services. There's no boycotting the government.

    11. Re:It's not the first time, it won't be the last. by SpaceLifeForm · · Score: 2, Funny

      And it was just a demo.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    12. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 1, Informative

      My best friend works for the Federal Government (Social Security, not the IRS).

      You wouldn't believe. Let me say ... well, you just wouldn't believe some of the things they do (and don't do) regarding computer security.

      Most employees where this friend works basically sit and play solitaire, or chat on their cell phones while their monitors are filled with sensitive information about Joe Average's income sources. That's when they're actually working, of course. People from the mail room, the phone room and the cafeteria can (and do) walk through. If they cared (which they don't, either, not most of them), they could glance at these monitors and get more info in 10 seconds than a phisher gets in a day's worth of work.

      If the average American had any idea how inefficient and insecure the typical government agency REALLY is, there'd be another revolution tomorrow.

      The computers in my friend's building are maintained by private contractors via the lowest bid. Some of these contractors can't even figure out how to install RAM or how to make a printer work properly. How are they going to help these government employees secure their machines?

      And it goes without saying that anyone who's actually halfway skilled at secure network administration will have long since taken a higher-paying job in the private sector.

      Ergo et sum: you shouldn't be surprised.

      By the way, the only reason I post anonymously is because this friend could get in trouble.

    13. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 0

      Although it's pedantic, it is probably worth noting that although it was TFN's, it wasn't the ATO - it was the "GST Start-up Office" within Treasury - which is a different department (it's easy to understand the confusion though, since it was related to GST, of which is administered by the ATO).

      I don't know for certain, but I would hazard a guess that the GST Start-Up Office was more of a policy / analysis / program office during the implementation of the GST and associated laws - instead of the ATO, which collects the cash and administers it all.

      That said, it was still the Australian Government - and our taxpayer dollars at work!

      Poster CDMA_Demo provides a link to an abc report in a post below.

      The presenter of the show indicates

      KERRY O'BRIEN: And the Tax Office spokesman was quite correct, it was not a Tax Office Web site; it was a Treasury Web site just round the corner.

    14. Re:It's not the first time, it won't be the last. by Thanshin · · Score: 1

      Humanity is hopelessly lost when it comes to common sense.

      "Common sense" must be the most wrongly named concept in history.

      Ok, "democracy" is quite funny too.

    15. Re:It's not the first time, it won't be the last. by TGoddard · · Score: 1

      How was the Minister supposed to know that there were security issues? If they had ignored advice to spend money on security testing and auditing then they certainly would be responsible, but in general it is the responsibility of the IT contractors producing software to advise the client on what is required.

      To be honest, there is a major problem with the understanding of security issues in the IT industry. Even a basic understanding of networking, a healthy dose of distrust and attention to the flow of information can drastically cut the number and severity of security vulnerabilities.

      I don't think we're anywhere near good enough yet and if we don't get it, we can't rely on clients to be able to do so either.

    16. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 0

      so I pay a shit load of taxes and they can't even keep their system secure. This is such bullshit and again a fucking waste of taxpayer money. Maybe for once, just for once, the biweekly coercion that happens to my paycheck can actually produce a positive. Yeah yeah, medicaid, medicare, social security, and poor kids, but the main source of robbery every paycheck can't use their free money off of every single legitimate transaction in the United States to secure their systems. It just reeks of laziness and bullshit, maybe if someone paying taxes over of > 1 million dollars raises a fuss that something substantial happens. As usual the Government is an agent for the Wealthy and as usual the Middle class (the majority of those individual taxes get paid and is more vulnerable) gets screwed over. Nothing is going to change come January 20th, just the color of the President's skin but no real infrastructure will get improved because we already know when the Government goes and contracts something out it is to the highest bidder and not surprisingly lowest quality. Change needs to happen from the inside out in the Government and then maybe we can focus on all the other ills from a Government standpoint. As long as Government because a monopoly corporation where its funding comes from squeezing the middle class evermore does everything continue to fall to shit. It doesn't matter if you subsidize the poor class because they are only given enough to survive and not rise above anything and become something threatening to the status quo. It doesn't matter if you continue to give the wealthy more tax breaks because it is basically a pat on the back and a dividend for continuing the status quo of treating the American Citizen like a consumer and less like a citizen with a voice. We are all too busy paying back debts to College loans, Credit cards, etc to ever make a dent in the business as usual that goes on in our Federal Government and our States. 
      With this ladies and gentlemen we will reach the downfall of the United States, not the economic downturn, or some bullshit mayan "prediction" (It was just the end of their calendar). The United States will rot from the inside out with Democrat and Republican alike looking to legislate and tax this country to oblivion. When the new order comes in (post United States) these scum will have the money to keep themselves in the fold and it will be business as usual.

    17. Re:It's not the first time, it won't be the last. by drpt · · Score: 1

      Just one more reason not to file taxes

      --
      Proudly Butchering code for 20 years
    18. Re:It's not the first time, it won't be the last. by dissy · · Score: 2, Funny

      then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't get harvest information that easily (not really, don't need treason charges :).

      Naa, treason would only apply if you tried to overthrow -this- govt... as long as you start your country off their land, you're good to go!

      PS, call me when the army of ninjas (marines) and pirates (navy) are in place, and hell, even I'd like to subscribe to your country (or newsletter)

    19. Re:It's not the first time, it won't be the last. by cloudmaster · · Score: 2, Insightful

      It /is/ hacking - and cracking. Just not the hard kind that requires significant knowledge or gains you the respect of your peers. :) Here in the US, that's "gaining access to data you aren't supposed to access". As an analogy, if you found that I left my car doors unlocked, and I found you sitting in my car, I'd probably proceed to issue you a beatdown whether you actually stole anything or not. I'd probably thank you if you just mentioned that you saw them to be unlocked. This is pretty much the same thing.

    20. Re:It's not the first time, it won't be the last. by Hordeking · · Score: 1

      There's no boycotting the government.

      Sure there is. It just involves suicide.

      --
      Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
    21. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 0

      Hmmm, maybe everyone should refuse to file until this problem is resolved in order to protect their privacy??

    22. Re:It's not the first time, it won't be the last. by DJRumpy · · Score: 1

      It is the voters' responsibility to hold the politician responsible. Something as simple as picking up the phone and calling your representative to complain can work wonders. They will often gauge their response on the direct input from those that they represent.

      People should stop reacting to every situation by immediately blaming someone else, and take a little responsibility for their government.

      We only have ourselves to blame if a democracy fails...

    23. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 0

      ...and the police would arrest *you* for battery.

    24. Re:It's not the first time, it won't be the last. by mahadiga · · Score: 1

      Democracy != Meritocracy

      --
      I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
    25. Re:It's not the first time, it won't be the last. by Anonymous Coward · · Score: 0

      Unlikely.

  2. To answer my question by BadAnalogyGuy · · Score: 5, Informative

    According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

    So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

    1. Re:To answer my question by techno-vampire · · Score: 4, Insightful

      Not only that, it makes wholesale identity theft nice and easy.

      --
      Good, inexpensive web hosting
    2. Re:To answer my question by Anonymous Coward · · Score: 0

      Not just easy but completely invisible. We're talking like something out of The Net here. Imagine what someone could do if they got in the system and did a little house cleaning. Or crooked corporations, etc. Who knows maybe they already have, there is probably no way to know.

      Wow, just wow. Holy hell, Hollywood was right all along.

      I think the IRS should be dismantled and a new lean system put in place instead. Just the savings on waste alone would probably balance the national deficit.

    3. Re:To answer my question by DaFallus · · Score: 1

      Or erasing the tax records of scandal plagued politicians and their cronies...

      --
      No one cares what your captcha was

      Houston TX, USA
    4. Re:To answer my question by necro81 · · Score: 1

      Ah, but as the RIAA would have us believe, making available is indeed a crime.

  3. Re:What's the big secret? by ITEric · · Score: 1

    So what if someone else knows how much you make?

    There's more to a person's tax record than how much s/he makes. The tax man knows WAY more than most people would want to be common knowledge.

    --
    The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...
  4. Re:What's the big secret? by networkBoy · · Score: 4, Interesting

    I hope you're being funny.
    If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.*
    My pay is not something I would want broadcast. Also, I would not want marketers to know my pay, nor family (aside from my spouse).
    -nB

    * I say this who has worked their way up from the bottom, where I used to think I was mighty damn important, now I know my absolute value may be low but my relative value is higher. I don't expect others who are in the boat I was in to necessarily understand this, and would rather avoid the conflict.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  5. Solution by truthsearch · · Score: 3, Insightful

    Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

    1. Re:Solution by ITEric · · Score: 2, Insightful

      Suspend all income taxes for one year. Plenty of time to focus on the security holes and a temporary boost to the economy. Two problems easily solved.

      Folks would still need to file a return to get whatever refunds of their payments, etc. that are due. It would surely boost the economy, but not help with the security issue.

      --
      The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...
    2. Re:Solution by DustyShadow · · Score: 1

      But I thought big government was the answer? How will we get that without taxes?

    3. Re:Solution by need4mospd · · Score: 2, Insightful

      The solution is easier than that. Scrap the IRS entirely and move to a national sales tax. The government will no longer have the need to possess the information in the first place. The citizens become MUCH more aware of how much tax they are really paying by being reminded of it each purchase. Businesses and individuals no longer have a complicated tax code to fumble through every year on April 15th. The nation saves $265 billion every year from the costs of doing taxes, not the taxes themselves, just the act of filling out paperwork and hunting for receipts.

      On top of all that, it takes the power away from the government! You say, "Oh our Congressman would never approve!" Really? There are 72+ cosponsors for a house bill that does this right now! And the people of America are pissed off enough now that we actually CAN make a difference if we raise our voices long enough to drown out American Idol.

      If you haven't looked at it in a while, the Fair Tax plan is looking better and better everyday. The research and the numbers are solid. All the myths and lies have been squashed. Do yourself a favor and read the actual website, not your favorite one-sided blog.

    4. Re:Solution by Anonymous Coward · · Score: 2, Informative

      It would probably hurt Conservatives, as it has in Canada and Australia.

      When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.

      It's just harder to hide your income than sales.

      You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when business-taxes were reduced, but still passed the sales taxes onto consumers. They blamed the higher prices on the Government since the taxes were more visible.

      The Fair-Tax plan is an extreme version with no chance of passing. The average earner only pays 13% income taxes, while the Fair Tax would need to charge 30%+ to generate the same revenues. Instead of high earners paying a larger proportion of taxes, the burden is pushed to those who have to spend most of their income to survive.

    5. Re:Solution by charlener · · Score: 3, Insightful

      Aren't sales taxes inherently regressive? As in, they hurt those with lower income the most as it increases the proportion of their income spent on taxes compared to those with higher incomes.

      Most states at this point do not tax "necessary for life" stuff, such as basic food and medicines, though I believe clothes, etc continue to be taxed. Does this proposal mean taxation across the board on all things, or only "nonessential" things, or what?

      It doesn't seem just to tax sales on essential to life items, which leaves most of the burden on luxury items, which doesn't sound like it would be enough income generated to do much.

    6. Re:Solution by azenpunk · · Score: 1

      well sales tax on a single purchase taxes a larger percentage of a smaller income. but people with money buy a lot of extra crap. i have no idea where that leaves the balance though.

    7. Re:Solution by smoker2 · · Score: 1

      It amazes me that anybody with a clue thinks that suspending income tax will be a boost to the economy. How many people work for government depts. ? Are you going to let them go without pay completely ? Are the army just going to disband for the duration, and the various regulatory organisations stop inspecting food and drugs for poisons ? Are the armies of accountants going to just shut up shop because they have nothing to do ?

      Just think beyond your own pocket for 5 minutes.

    8. Re:Solution by KovaaK · · Score: 1

      but people with money buy a lot of extra crap.

      They do buy more extra crap, but the question is "Do they proportionally buy more extra crap compared to lower income people?" If not, then the tax burden shifts to lower income people.

      http://www.fivethirtyeight.com/2008/12/on-importance-of-middle-class-lesson-of.html is slightly related to the topic, and the chart at the top kind of makes my point - people with all that extra income invest in certain areas that wouldn't be taxed if you relied entirely on a sales tax.

    9. Re:Solution by ITEric · · Score: 1

      First of all, I would not seriously suggest suspending income tax altogether.

      That being said, how do you suppose the government has gotten into such a large debt in the first place? It is because when faced with deficit spending, they simply borrow more money from the "Federal Reserve" (which is neither federal nor a reserve - go figure!). We must even use the term "borrow" loosely as the Fed doesn't have more money just sitting around, rather they print it on demand with nothing of value to back it up save the good faith and credit of the US gov't...but I digress...the point is, just because the government wasn't bringing in more money doesn't mean they'd stop spending.

      The government might have prevented this crisis brought on by greed with effective regulation and oversight, but it's too late for prevention now (although we must address the underlying issues if we do not want a repeat performance in the future).

      At this point the damage is done...people are afraid for their economic futures and for the most part are holding on to every spare dime. All the government can do to help the economy recover now is to stimulate spending, and there is no way that I can see to do that without the government taking on more debt (I'd be more than happy to know what ideas you might have).

      They could put money into infrastructure projects (thus improving infrastructure, creating jobs, and putting money back into the economy - my personal favorite idea). Alternatively, they could pass another "W"-style economic incentive to put money in people's pockets (which then gets "spent" sending it back into the economy) or use federal funds to prop up failing industries (which will keep many people employed - at least for now, but maybe not for long). In any case, the government loses money in the short term. The trick is to get something of value out of it that the people can use.

      --
      The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...
  6. Re:What's the big secret? by Hatta · · Score: 2, Insightful

    Care to post your tax return online and find out?

    --
    Give me Classic Slashdot or give me death!
  7. Re:What's the big secret? by Anthony_Cargile · · Score: 1

    So what if someone else knows how much you make?

    Well if they also know where you work and live, there's always a threat of being mugged, burglary, etc. Just a consideration.

  8. Re:What's the big secret? by techno-vampire · · Score: 2, Insightful

    I worked at one company where I'm sure I missed out on getting a transfer to a new department where I could have done a lot of good and learned new things because my new manager asked me how much I was getting. I could see from his expression that I'd lost out the moment he learned that I was making more than he was. Not only had I received a merit increase at one point, but our annual raises were a percentage, and even if my percentage was average, it still meant a bigger raise than the other techs got, and the gap just got bigger every year. Now, imagine what would happen if you were looking for a new job and your potential employer was able to learn what you were really getting instead of what you wanted him to think your salary/hourly was.

    --
    Good, inexpensive web hosting
  9. Government Solutions Office by im_thatoneguy · · Score: 4, Interesting

    What we need is a counterpart to the GAO.

    The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

    All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

    GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

    Just a thought.

    1. Re:Government Solutions Office by Anonymous Coward · · Score: 0

      needs to come from congress. if congress don't mandate it, it don't happen. you all need to write your congressmen and suggest exactly this.

      our department, on the other hand, gets around this not enforcing strong passwords thing. we strictly require all admins and service apps to reset passwords on the 30 day mark. except there's no logging, so anyone can just reset the date on the accounts.... oops. at least we passed the OIG audit!

      this country is spiraling out of control and our it policy reflects it.

    2. Re:Government Solutions Office by a_ghostwheel · · Score: 1
    3. Re:Government Solutions Office by BlueStrat · · Score: 2, Insightful

      What we need is a counterpart to the GAO.

      The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

      All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

      GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

      Just a thought.

      It sounds like a good idea, except getting Congress to give the GAO the powers it would need to be able to actually force a department like the IRS and similar formidable departments like Homeland Security to allow themselves to be fined, especially when some congress-critters' pet agency or department is threatened. I just don't think the bureaucratic fiefdoms and political power-players will allow any such reduction in their power.

      We're talking about the power players in D.C. The two pillars there are money and power. The players there never ever part with one without gaining a significant profit on the other, which they then use to recover their investment, usually with profit. Anything that interferes with this is anathema, and is avoided completely or at best given lip service enough to let them continue business as usual until the crisis is past.

      It's a self-perpetuating system, and I just don't know what it would take to effect the kind of sweeping all-encompassing simultaneous reform across Congress, both political parties, lobbyists/lobbying, the courts/Justice Dept., and massive bureaucratic structures it would require to change the way things operate. It's particularly difficult and scary because of all the radical changes that would need to happen pretty much at once for it to not end up a more corrupt and unaccountable system than we have now.

      This is why I play blues, work on tube amps, and tinker with operating systems. I know there's a problem, and even some slight inkling of some of the causes, but I don't have any answers and nobody I've ever read of or heard from really does either.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    4. Re:Government Solutions Office by fgelias · · Score: 1

      What we need is a counterpart to the GAO.

      The GAO should be able to exact fines from any agency for waste, insecurity etc etc.

      All of this fine money should be funneled into a Government Solutions Office whose task is to spend that money back into the program to fix it.

      GAO finds improper encryptions. Fines IRS. GSO hires a security expert to create new policies and purchase needed training.

      Just a thought.

      There is. It's called Congress.

  10. What do you pinheads expect? by Anonymous Coward · · Score: 0

    They technically don't really exist anyway so why should they give half a damn about all the information they bully out of people through courts so they can continue their highway robbery.

    Asshats.

  11. OT: Grammar Nazi by noidentity · · Score: 1
    Taxpayer Data At IRS Remain Vulnerable

    That is all.

  12. I can't wait for someone to.... by hesaigo999ca · · Score: 1

    I can't wait for someone to... hack into the system, and change the info to reflect that all rich people pay an extra 10% and all poor people pay 10% less, that would be a very nice hack!

  13. CTO? by gEvil+(beta) · · Score: 3, Insightful

    Remember a month or so ago when so many people here were saying what a stupid idea it was that Obama wanted to create a CTO position for the government? Isn't this exactly the sort of thing that someone in that position would be involved in sorting out?

    --
    This guy's the limit!
  14. What do you expect from the GAO? by Gothmolly · · Score: 1

    It's like when the PWC douchebags come and "audit" you, by first being given root access on all your servers, then glibly pointing out that you're running sendmail or Tomcat of some microscopic version behind the current rev or that /etc/password is world-readable.

    --
    I want to delete my account but Slashdot doesn't allow it.
  15. An inside view by BenEnglishAtHome · · Score: 1

    I didn't want to comment until I read the report. Now I have.

    The report cites some less-than-optimum security practices. To me, it sounds like lots of nitpicky stuff but I realize that a minor vulnerability can be a major problem if exploited by someone sharp and evil.

    That said, doing evil via any of the avenues suggested by the report requires an insider to do bad things. So, if security is a process and has lots of layers, is it reasonable to be vulnerable in one area if that area is rendered unimportant by other security processes and layers? At the IRS, doing bad things that would get you admonished or fired from the private sector will result in a stretch in the federal pen. So, yeah, we have admins who could change tax records. They have no reason to do so. Actually having a record important to me placed in a system over which I had some control would be a freaky low-probability situation. And if an admin did make bad changes, they'd almost certainly be found out (you can't change a tax record without generating automatic correspondence or screwing up an ongoing investigation; there are people who would eventually notice) and they'll go to prison in the aftermath.

    Under those conditions, closing off every little permission problem is probably more trouble than it's worth and the price in workplace inefficiency is probably too high.

    This report left me uneasy. Paragraph after paragraph, I found myself saying "Yeah, I know the system this report is probably talking about. It's right about that not being set up perfectly by the book. But so what?"

    I guess I should go re-read it and study harder. There may be something in there worth getting excited about. But after my first read, my opinion is...probably not.

  16. Re:What's the big secret? by Jherek+Carnelian · · Score: 1

    If others knew what I make, I would get a pay cut. My pay has been negotiated between myself and management. There would be a brouhaha if others in similar, but less accountable, roles thought I was "paid too much" or some such.

    Or, it would be incentive for everyone else to negotiate better.
    It depends on whether the people around you are more interested in pulling you down, or lifting themselves up.

    There is a reason it is just about standard corporate policy world-wide that employees are forbidden from sharing salary information amongst themselves, and it certainly isn't to protect those of us who have better negotiating skills.