Slashdot Mirror


Taxpayer Data At IRS Remains Vulnerable

CWmike writes "A new Government Accountability Office report (PDF) finds that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. The news comes less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial IRS systems. Two big standouts in the latest finding: The IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said."

4 of 62 comments

  1. To answer my question by BadAnalogyGuy · · Score: 5, Informative

    According to the IG's report, systems administrators and other privileged users are able to access, modify and delete taxpayer data with impunity because of a lack of monitoring capabilities in the two systems.

    So it seems that the system allows for modification of taxpayer data. That's quite a bit different from just having it available.

  2. Re:It's not the first time, it won't be the last. by CDMA_Demo · · Score: 3, Informative
  3. Re:It's not the first time, it won't be the last. by Anthony_Cargile · · Score: 4, Informative

    Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.

    Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!

    Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!

    I'm pretty sure that there's a similar situation in the US.

    Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).

    But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
    </rant></rave>
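
The two server-side checks whose absence the comment above describes, as an added example that is not part of the thread or of any site it mentions: the record served is bound to the authenticated session rather than to an identifier in the URL, and a file name from the query string is confined to one directory. The session store, record data and function names are constructed for illustration.

```python
from pathlib import Path

# Constructed sample data: records keyed by tax file number (TFN).
RECORDS = {"111111111": "record for user A", "222222222": "record for user B"}
# Constructed server-side session store: session id -> TFN proven at login.
SESSIONS = {"sess-a": "111111111"}


def get_record(session_id, requested_tfn=None):
    """Serve the session owner's record; a TFN from the URL is never trusted."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise PermissionError("not authenticated")
    # If the client sends an identifier at all, it must match the session.
    if requested_tfn is not None and requested_tfn != owner:
        raise PermissionError("identifier does not belong to this session")
    return RECORDS[owner]


def resolve_tab(base_dir, requested):
    """Map a query-string file name to a regular file under base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks before the check, and an
    # absolute 'requested' replaces base entirely, so both cases are caught.
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError("path escapes the served directory")
    # Regular files only: device nodes and directories are refused.
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target
```

The file-system permissions of the web server account remain a second layer: a process that cannot read files outside its content directory limits the damage if a path check like this is missed.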

  4. Re:Solution by Anonymous Coward · · Score: 2, Informative

    It would probably hurt Conservatives, as it has in Canada and Australia.

    When these countries eliminated business taxes and simply moved them to sales taxes, the cost of management increased. Instead of the easy double-checking verification of income taxes, businesses were more likely to hide their sales and evade taxation.

    It's just harder to hide your income than sales.

    You also had a significant rise in prices. Although the tax burden had not changed at all, businesses did not lower their prices when business-taxes were reduced, but still passed the sales taxes onto consumers. They blamed the higher prices on the Government since the taxes were more visible.

    The Fair-Tax plan is an extreme version with no chance of passing. The average earner only pays 13% income taxes, while the Fair Tax would need to charge 30%+ to generate the same revenues. Instead of high earners paying a larger proportion of taxes, the burden is pushed to those who have to spend most of their income to survive.