
Why Isn’t It Easier To File Your Tax Return For Free? Thank TurboTax, H&R Block


For most people, the IRS now has all the information it needs to estimate how much you owe in taxes, or how much of a refund you are due. So why is the burden on you to tell the federal government this same information? It may have something to do with the millions of dollars that H&R Block, Intuit (maker of TurboTax), and others have spent lobbying to maintain their exclusive arrangement with the IRS.

The IRS Restructuring and Reform Act of 1998 directed the Secretary of the Treasury to come up with a “return-free” tax filing system by 2008. Under such a system, the IRS would take the W-2s, 1099s, and other tax forms it receives to automatically calculate and prepare a rough draft tax return for taxpayers who want it — and for free.

If the taxpayer agreed with what they saw in a return-free filing, they would simply sign it. If there’s a problem or something that needs to be changed, the taxpayer would make those corrections and submit. Taxpayers who wanted to file their own returns would be free to do so; no mandate that everyone goes through this process.

It’s been nearly a decade since that deadline came and went. What happened?

Rather than work toward meeting the 2008 deadline for offering return-free filing, the IRS (at the direction of the Bush administration) instead established the Free File program in 2002, allowing certain tax prep companies to offer free electronic filing software.

Those companies are known as the Free File Alliance, whose members include Intuit and H&R Block. Since 2002, the Alliance has repeatedly extended its exclusivity agreement with the IRS. The seventh and most recent deal [PDF] between the IRS and the Alliance extends their relationship through Oct. 2020.

Even though the tax prep industry and the IRS have this long-term agreement, ProPublica points out that both Intuit and H&R Block have continued to spend money lobbying Congress, either to stop laws that would open the door to return-free filing or to support legislation that would make this IRS relationship permanent.

Of the nearly $2.4 million Intuit spent on lobbying in 2016, about 75% of it involved one particular piece of legislation, the Free File Act of 2016, which sought to lock in the public-private partnership with the Free File Alliance.

H&R Block also spent $1.7 million lobbying in support of this bill, more than half of the $3.26 million it used for lobbying last year.

A large chunk of H&R Block’s lobbying money also went against legislation intended to make sure paid tax preparers are competent.

Block also spent $210,000 trying to defeat Sen. Elizabeth Warren’s attempt to jumpstart the movement toward return-free filing — even though that bill had no chance of getting out of committee, let alone being signed into law.

The Free File Alliance and supporters of legislation like the Free File Act argue that having the government present you with a pre-filled form is a matter of federal overreach, despite the fact that the taxpayer would not be required to agree with the IRS estimate.

Tax law specialist Joseph Bankman of Stanford Law School tells ProPublica that he doesn’t see it that way. Having the government pre-fill the tax return could actually help taxpayers, by compelling the IRS to “show its hand.”

“Now you know what the government knows,” Bankman explains. “If there’s a mistake that goes in your favor, maybe you don’t call attention to it.”

While the Free File Alliance website brags that “70% of American taxpayers” are eligible for Free File, and “98% of users would recommend the program to others,” what the site glosses over is that, according to the IRS, only about 2-3% of eligible taxpayers actually take advantage of Free File.





1 public comment
chrishiestand
1 day ago
I'm willing to bet that Trump's stated goal of tax reform has a lot more to do with giving money to rich people and less to do with making taxes easy to file
San Diego, CA, USA

Satanic Temple Now Attacking Another Sacred American Institution: Spanking!

What administrators get up to on their own time is their business

Now that they’ve ruined the school Bible giveaways and the Baby Jesus Dioramas and the Ten Commandments monuments, those liberty-loving trolls at the Satanic Temple have found another sacred American practice to interfere with: They’re going after corporal punishment in the nation’s schools, in response to a Texas school board that retroactively changed its rules to allow a male assistant principal to spank a 15-year-old girl.

The policy had required all corporal punishment to be carried out by an administrator of the same sex, but if there were something wrong with a middle-aged vice principal leaving red welts on a young girl’s bottom, we’re sure cheesy midcentury porn novels would have let us know.

So now, the Satanic Temple has unveiled a cool new billboard in Springtown, Texas, where the freaky local penchant for spanking made headlines:

At the related website, the Protect Children Project, TST explains students and parents can register to have their schools notified of the student’s religious objection to being spanked, and that any corporal punishment would “violate their civil rights.”

Donations to the site will go to place billboards in other communities that advocate spanking as discipline, and to cover the costs of legal work to protect registered kids.

Since respect for religion is very, very important to the folks who believe the Bible tells them they must hit children, the Satanic Temple emphasizes one of its own key religious principles, which the group has also cited in advocating for a religious right to abortion:

We hold among our tenets that “The body is inviolable, subject to one’s own will alone.” As such, we have launched a campaign to offer an exemption against corporal punishment and solitary confinement to any student who shares this deeply held belief.

Satanic Temple spokesperson Lucien Greaves (aka Doug Mesner) explained, without the least bit of hyperbole,

Hopefully, our billboard will serve as a daily reminder to the citizens there that they live in a barbaric backwater town where dysfunctional and possibly sexually disturbed middle-aged men may depravedly titillate themselves by violently spanking teenaged girls. The billboard should be disturbing to Springtown, as it is there because Springtown has proven to be a disgrace.

Say what you will about spanking when parents do it (we’re personally against it, but reasonable people can disagree), our own experience with corporal punishment in school was that it was used arbitrarily and didn’t accomplish much of anything. The main thing we learned from getting whacks with a wooden paddle (summary punishment for everyone in a gym class after a couple of kids misbehaved) was that 1) the vice principal enjoyed exercising power a hell of a lot and B) those in power can do what they want, because they are in power, and you DO NOT question that.

Crom bless the Satanic Temple. And now get to your Open Thread!

Yr Wonkette believes that adult, consensual spanking is none of our darn business, and probably way better than ads. Which in our case we have not got. Won’t you kindly drop a few Ameros in the tip jar?

[Protect Children Project / CBS Houston]


Canadian specialized nurses working in U.S. turned away at border by new immigration policy

U.S. Customs and Border Protection have rejected work visas for Canadian citizens working at Michigan hospitals. (Dave Chidley/Canadian Press) Advanced practice…
acdha
7 days ago
I feel safer already…
Washington, DC

Remember the People America’s Healthcare System Has Already Killed


It struck me as normal, somehow, to watch my girlfriend enter an online sweepstakes that would help decide whether or not she would be able to afford to buy medicine. Only now, watching the Republican establishment dismantle the Affordable Care Act, has this struck me as cruel.

I don't remember the specifics of the promotion, but I remember that it was a monthly trivia contest run by an online cystic fibrosis pharmacy. Answer the questions right, and your name was entered to receive $500 toward your meds. I'd ask Katelin about it now, but she is dead.

The Republican plan to repeal Obamacare and replace it with something that offers more "choice" has inspired thousands of people to confront lawmakers with their stories about how the law—and health insurance more generally—has saved their lives or prevented financial ruin. Their courage should be applauded, their voices amplified.

We should remember, though, that we are hearing from the fortunate ones. The ones who were repeatedly fucked by insurance companies before Obamacare? They are dead.

If Jason Chaffetz, Paul Ryan, and Donald Trump want to offer Americans more healthcare choice, they're on the right track. Obamacare closed many of the loopholes insurance companies used to keep the chronically ill from purchasing coverage, but any system that treats healthcare as a luxury rather than a basic human need is going to afford people plenty of options as their insurance lapses or benefits are suddenly changed.

Katelin was afforded the choice to do fewer breathing treatments to preserve her medicine until her insurance company would pay for more. For a few months, she made the choice to take generic nebulized albuterol because she couldn't afford the more effective Xopenex out of pocket. She had regular battles with her insurance company about when it was appropriate to refill her prescription for digestive enzymes, which she needed to take in order to eat almost anything. She chose to enter insane online sweepstakes to pay for medicine and wake up before dawn to ride multiple buses to get to work on time and to act in plays.

Three years after she died, I cannot piece together a timeline of when she had coverage, when she did not, and the varying quality of that coverage. There were times when she had excellent doctors and excellent insurance, and times when she had next to nothing thanks to a clerical error or benefits changes. 

What I do know, though, is that she was constantly engaged in some bureaucratic battle about whether she was allowed to buy medicine, go to the doctor, or refill a prescription. About whether she should be allowed to live. A pre-Obamacare study found that lack of health insurance killed roughly 45,000 Americans annually.

Somehow, through all of this, most people didn't know that Katelin was sick, that she had been sick since the day she was born, and that she was slowly getting weaker because skipped treatments were beginning to take a toll on her lungs.

I was too young, maybe, to realize that the contests, the paperwork, the compromises were unjust. I was pissed off at her genes, not at her insurance companies, our politicians, or the system that had continually made clear it'd rather not help keep her alive. No more. Katelin lost the genetic lottery, but she is dead because of a health system and country that refuses to take care of our most vulnerable.

It's too early to say whether Katelin would have been able to buy health insurance under the GOP's plan and what quality of coverage she would have gotten. Though the plan promises to protect those with pre-existing conditions, experts say the lack of an individual mandate means that there's no mechanism for healthy people to subsidize the care of the sick. And it has been made abundantly clear that the Republican plan will protect fewer people than Obamacare.

As I watch America again debate if we should take care of our sick, the stories of those whose lives have been saved by Obamacare serve as a powerful counterbalance to politicians who would cut taxes for the rich by any means necessary. Remember, though, the people who are no longer here to speak for themselves.



acdha
9 days ago
“I was pissed off at her genes, not at her insurance companies, our politicians, or the system that had continually made clear it'd rather not help keep her alive”
Washington, DC

Password Rules Are Bullshit


Of the many, many, many bad things about passwords, you know what the worst is? Password rules.

Let this pledge be duly noted on the permanent record of the Internet. I don't know if there's an afterlife, but I'll be finding out soon enough, and I plan to go out mad as hell.

The world is absolutely awash in terrible password rules:

But I don't need to tell you this. The more likely you are to use a truly random password generation tool, like us über-geeks are supposed to, the more likely you have suffered mightily – and daily – under this regime.

Have you seen the classic XKCD about passwords?

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

We can certainly debate whether "correct horse battery staple" is a viable password strategy or not, but the argument here is mostly that length matters.

That's What She Said

No, seriously, it does. I'll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.

So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

What about this four character password?

✅🐎🔋🖇️

What about this eight character password?

正确马电池订书钉

Or this (hypothetical, but all too real) seven character password?

You may also be surprised, if you paste the above four Unicode emojis into your favorite login dialog (go ahead – try it), to discover that it … isn't in fact four characters.

Oh dear.

"💩".length === 2

Our old pal Unicode strikes again.

As it turns out, even the simple rule that "your password must be of reasonable length" … ain't necessarily so. Particularly if we stop thinking like Ugly ASCII Americans.

And what of those nice, long passwords? Are they always secure?

aaaaaaaaaaaaaaaaaaa
0123456789012345689
passwordpassword
usernamepassword

Of course not, because have you met any users lately?

I changed all my passwords to

They consistently ruin every piece of software I've ever written. Yes, yes, I know you, Mr. or Ms. über-geek, know all about the concept of entropy. But expressing your love of entropy as terrible, idiosyncratic password rules …

  • must contain uppercase
  • must contain lowercase
  • must contain a number
  • must contain a special character

… is a spectacular failure of imagination in a world of Unicode and Emoji.

As we built Discourse, I discovered that the login dialog was a remarkably complex piece of software, despite its surface simplicity. The primary password rule we used was also the simplest one: length. Since I wrote that, we've already increased our minimum password default length from 8 to 10 characters. And if you happen to be an admin or moderator, we decided the minimum has to be even more, 15 characters.

I also advocated checking passwords against the 100,000 most common passwords. If you look at 10 million passwords from data breaches in 2016, you'll find the top 25 most used passwords are:

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w
7777777
1q2w3e4r
654321
555555
3rjs1la7qe
google
1q2w3e4r5t
123qwe
zxcvbnm
1q2w3e

Even this data betrays some ASCII-centrism. The numbers are the same in any culture I suppose, but I find it hard to believe the average Chinese person will ever choose the passwords "password", "qwertyuiop", or "mynoob". So this list has to be customizable, localizable.

(One interesting idea is to search for common shorter password matches inside longer passwords, but I think this would cause too many false positives.)

Also of note: only 5 of the top 25 passwords are 10 characters, so if we require 10 character passwords, we've already reduced our exposure to the most common passwords by 80%. I saw this originally when I gathered millions and millions of leaked passwords for Discourse research, then filtered the list down to just those passwords reflecting our new minimum requirement of 10 characters or more. It suddenly became a tiny list. (If you've done similar common password research, please do share your results in the comments.)
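As an added illustration (not code from the original post) of both the Unicode-length point above and the "group by length" research, the following JavaScript measures a password three ways and runs the 10-character cut over the post's own top-25 list. Node 16+ is assumed (for Intl.Segmenter), and the emoji password is rebuilt from explicit escapes so the variation selector on the paperclips is present regardless of how the page was copied.

```javascript
// Added example, not from the original post: three ways to count a password's
// length, plus the "group by length" analysis over the post's top-25 list.

// 1. UTF-16 code units: what String.length reports, hence "💩".length === 2.
function utf16Length(s) {
  return s.length;
}

// 2. Unicode code points: Array.from iterates a string by code point.
function codePointLength(s) {
  return Array.from(s).length;
}

// 3. User-perceived characters (grapheme clusters): an emoji plus its
//    variation selector counts once. Falls back to code points where
//    Intl.Segmenter (Node 16+) is unavailable.
function graphemeLength(s) {
  if (typeof Intl !== "undefined" && typeof Intl.Segmenter === "function") {
    const segmenter = new Intl.Segmenter(undefined, { granularity: "grapheme" });
    let count = 0;
    for (const _segment of segmenter.segment(s)) count += 1;
    return count;
  }
  return codePointLength(s);
}

// The post's "four character" emoji password, built from explicit escapes:
// check mark, horse, battery, linked paperclips + U+FE0F variation selector.
const EMOJI_PASSWORD = "\u2705\u{1F40E}\u{1F50B}\u{1F587}\uFE0F";

// The post's top-25 list (from 10 million passwords breached in 2016).
const TOP25 = [
  "123456", "123456789", "qwerty", "12345678", "111111",
  "1234567890", "1234567", "password", "123123", "987654321",
  "qwertyuiop", "mynoob", "123321", "666666", "18atcskd2w",
  "7777777", "1q2w3e4r", "654321", "555555", "3rjs1la7qe",
  "google", "1q2w3e4r5t", "123qwe", "zxcvbnm", "1q2w3e",
];

// Group a password list by code-point length: Map<length, count>.
function lengthHistogram(passwords) {
  const hist = new Map();
  for (const p of passwords) {
    const n = codePointLength(p);
    hist.set(n, (hist.get(n) || 0) + 1);
  }
  return hist;
}

// Share of the list that a "minimum N characters" rule rejects outright,
// i.e. how much exposure to these passwords the single length rule removes.
function rejectedByMinLength(passwords, minLength) {
  const rejected = passwords.filter((p) => codePointLength(p) < minLength).length;
  return rejected / passwords.length;
}

// Stand-alone summary: sorted histogram and the cut at a given minimum.
function summarize(passwords, minLength) {
  const histogram = [...lengthHistogram(passwords)].sort((a, b) => a[0] - b[0]);
  return { histogram, rejectedFraction: rejectedByMinLength(passwords, minLength) };
}

console.log(summarize(TOP25, 10));
```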

I'd like to offer the following common sense advice to my fellow developers:

1. Password rules are bullshit

  • They don't work.
  • They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
  • They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
  • They are often wrong, in the sense that they are grossly incomplete and/or insane, per the many shaming links I've shared above.
  • Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".

2. Enforce a minimum Unicode password length

One rule is at least easy to remember, understand, and enforce. This is the proverbial one rule to bring them all, and in the darkness bind them.

  • It's simple. Users can count. Most of them, anyway.
  • It works. The data shows us it works; just download any common password list of your choice and group by password length.
  • The math doesn't lie. All other things being equal, a longer password will be more random – and thus more secure – than a short password.
  • Accept that even this one rule isn't inviolate. A minimum password length of 6 on a Chinese site might be perfectly reasonable. A 20 character password can be ridiculously insecure.
  • If you don't allow (almost) every single Unicode character in the password input field, you are probably doing it wrong.
  • It's a bit of an implementation detail, but make sure maximum password length is reasonable as well.

3. Check for common passwords

As I've already noted, the definition of "common" depends on your audience and language, but it is a terrible disservice to users when you let them choose passwords that exist in the list of the 10k, 100k, or million most common known passwords from data breaches. There's no question that a hacker will submit these common passwords in a hack attempt – and it's shocking how far you can get, even with aggressive password attempt rate limiting, using just the 1,000 most common passwords.

  • 1.6% have a password from the top 10 passwords
  • 4.4% have a password from the top 100 passwords
  • 9.7% have a password from the top 500 passwords
  • 13.2% have a password from the top 1,000 passwords
  • 30% have a password from the top 10,000 passwords

Lucky you, there are millions and millions of real breached password lists out there to sift through. It is sort of fun to do data forensics, because these aren't hypothetical synthetic Jack the Ripper password rules some bored programmer dreamed up, these are real passwords used by real users.

Do the research. Collect the data. Protect your users from themselves.

4. Check for basic entropy

No need to get fancy here; pick the measure of entropy that satisfies you deep in the truthiness of your gut. But remember you have to be able to explain it to users when they fail the check, too.

entropy visualized

I had a bit of a sad when I realized that we were perfectly fine with users selecting a 10 character password that was literally "aaaaaaaaaa". In my opinion, the simplest way to do this is to ensure that there are at least (x) unique characters out of (y) total characters. And that's what we do as of the current beta version of Discourse. But I'd love your ideas in the comments, too. The simpler and clearer the better!

5. Reject special case passwords

I'm embarrassed to admit that when building the Discourse login, as I discussed in The God Login, we missed two common cases that you really have to block:

  • password equal to username
  • password equal to email address

🤦 If you are using Discourse versions earlier than 1.4, I'm so sorry and please upgrade immediately.

Similarly, you might also want to block other special cases like

  • password equal to URL or domain of website
  • password equal to app name

In short, try to think outside the password input box, like a user would.
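Added example, not Discourse's actual code: a validator that applies points 2 through 5 above (and, per point 1, deliberately no composition rules). The default thresholds, the value of (x) unique characters, and the five-entry common-password list are assumed values for illustration.

```javascript
// Added example (not Discourse's code): a password check built from the five
// points above. Thresholds and the common-password list are illustrative.

// Constructed sample; a real deployment loads the 10k-1M most common breached
// passwords for its own audience and language (point 3).
const COMMON_PASSWORDS = new Set(["123456", "123456789", "qwerty", "password", "111111"]);

// Length in Unicode code points, not UTF-16 units, so "💩" counts as 1 (point 2).
function codePointLength(s) {
  return Array.from(s).length;
}

// Distinct code points, for the "(x) unique out of (y) total" check (point 4).
function uniqueCodePoints(s) {
  return new Set(Array.from(s)).size;
}

// Canonical form used for comparisons only: NFKC folds compatibility variants,
// lower-casing catches "Password" vs "password". The password is hashed as typed.
function canonical(s) {
  return s.normalize("NFKC").trim().toLowerCase();
}

/**
 * Check a candidate password. `ctx` carries the values point 5 forbids
 * (username, email, siteDomain, appName) plus optional policy overrides.
 * Returns { ok, reasons } so every failure can be explained to the user.
 * There is intentionally no uppercase/digit/symbol requirement (point 1).
 */
function validatePassword(password, ctx = {}) {
  const minLength = ctx.minLength ?? 10;  // point 2: the one rule that matters
  const maxLength = ctx.maxLength ?? 200; // generous cap only bounds hashing cost
  const minUnique = ctx.minUnique ?? 5;   // point 4: assumed value of (x)
  const reasons = [];

  const length = codePointLength(password);
  if (length < minLength) reasons.push(`must be at least ${minLength} characters (got ${length})`);
  if (length > maxLength) reasons.push(`must be at most ${maxLength} characters`);

  const canon = canonical(password);
  if (COMMON_PASSWORDS.has(canon)) reasons.push("is one of the most common passwords");

  if (uniqueCodePoints(password) < minUnique) {
    reasons.push(`must contain at least ${minUnique} different characters`);
  }

  // Point 5: reject the values a user is most likely to reach for from the page.
  const forbidden = [ctx.username, ctx.email, ctx.siteDomain, ctx.appName]
    .filter(Boolean)
    .map(canonical);
  if (forbidden.includes(canon)) {
    reasons.push("must not be your username, email address, or the site's name");
  }

  return { ok: reasons.length === 0, reasons };
}

console.log(validatePassword("aaaaaaaaaa", { username: "jeff", appName: "Discourse" }));
```

A Chinese-language site that lowers `minLength` to 6 still gets the other checks unchanged, which is the "customizable, localizable" point from earlier in the post.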

GreenChange
7 days ago
At my previous employer, they used to give you a prize (just a lolly) when you first started, if you could pick a password that passed the stupid rules restrictions on the first try. Hardly anyone ever did it, even though the rules were listed clearly!
3 public comments
chrisminett
11 days ago
We need to check the last points (username, app name)
Milton Keynes, UK
wmorrell
12 days ago
True story: work wants to roll out Microsoft Office 365, and I was one of the first trial users. I got a post-it with an 8 character password from the IT grunt tapped to be the AD admin. As is my habit, I immediately changed the password with a random one created by a password manager. The password was 20 characters. The change password form accepts the new password and prints a happy "password changed!" message. I log out, then try to log back in; the login page then informs me that the maximum … *maximum* password length is 16 characters and rejects my login. Okay … truncate it to 16, maybe the change form cut it off. Login fails. Go back to IT grunt to get a password reset, get a new 8-character password. Login fails. Reset again. Be very careful copying down password, very careful entering it back in. Login fails.
So, it turns out that there is no length validation on Office 365 password change forms, and going over the 16-character minimum mentioned nowhere on the page will *permanently* lock your account. 👍
expatpaul
12 days ago
Why is there even an upper limit? If the password is properly salted and hashed then only the hash should matter.
wmorrell
12 days ago
From what I found, it is some backward-compatible dependency thing with Active Directory syncing, which Microsoft has not cared enough about to fix. Possibly something with early Windows versions storing passwords as reversible hashes, and definitions of the protocols for remote logins defining a now-too-short field for passwords. The limitation could have made sense in the early 1990s, but then got carried forward far too long, and we are still stuck with it 25 years later.
expatpaul
12 days ago
Ah, I can see how that would happen. In my experience, many of the problems with Windows can be traced to poor early implementation that was never (or becomes increasingly difficult to) fix.
expatpaul
13 days ago
Possibly the worst password rule is the one that demands you change your password on a regular basis. Either people will start writing down their passwords, or come up with a pattern that ensures their passwords are always easy to guess.
Belgium
wffurr
13 days ago
What's wrong with writing down passwords? A written copy is extremely useful, if you secure it the same way you do your money and credit cards, i.e. carry it in your pocket.
expatpaul
13 days ago
Point taken, wffurr. I was thinking more about the corporate environment which is where I usually see mad password rules like these. The number of times I have seen passwords on post-it notes, which are stuck somewhere convenient, is quite frightening.
expatpaul
13 days ago
That said, the best approach is to use a password manager to store randomly generated passwords. Of course, my current employer bans the use of password managers.
HarlandCorbin
12 days ago
Must change password every 21 days. Cannot reuse last 50 passwords. **These** rules make my passwords less secure than they could be. I have given up generating passwords that I can reasonably type that follow the rules. I mean, 21 days?!?
expatpaul
12 days ago
21 days? Ouch! The worst I saw was every 30 days, and I know a number of people using a combination of month and year for their password.
HarlandCorbin
12 days ago
And the new password can only have (IIRC) one point of similarity with the previous one.
expatpaul
12 days ago
That's just painful. It's rules like that which are just asking everyone to write their password on the nearest available post-it note.
Aatch
12 days ago
That's weirdly strict. We have a change every 90 days and you can't use your last 2 passwords. That's it. Simple enough to rotate a handful of passwords 4 times a year.
chrisrosa
12 days ago
This one drives me crazy. The damn auditors eat password expiry up and are always pushing for less time. Total BS.
mareino
12 days ago
There is a government personnel website I've used where (1) the average user logs in about 2x/year, (2) the password resets monthly.
WorldMaker
8 days ago
The NIST guidelines link in the post also strongly recommend against arbitrary password expiration. I sent the NIST document to my corporate IT when they changed password expiration rules just recently. It hasn't impacted any change, but at least I tried to talk sense to power.
expatpaul
7 days ago
@WorldMaker: I'm impressed that you tried to talk sense, but the main problem with large corporations is that they tend to adopt a checkbox approach to these things. People have to prove that they are doing _something_ about security; no-one ever asks whether what they are doing is actually useful.
WorldMaker
6 days ago
@expatpaul: Arguably as a software developer a part of my role is to evaluate and better the company's software. Even if that just means writing a ticket every few weeks to try to argue true industry best practices against fads and security theater. Of course, without a CTO title they don't have to listen to me, but I can hope they might at least read it. Even if they are hearing stupid crap from outside security consultants and terrible software vendors that should be destroyed for the betterment of the corporate world like Oracle. The only way we might see change is to keep talking sense to power and hope someone listens or promotes us until they have to listen.
chrisrosa
6 days ago
As long as companies want to do business with companies that require SOC2, HIPAA, SOX, etc. (not to mention their own compliance BS), it doesn't really matter. At least NIST is on board.

ShopHouse Meets The Final Chopping Block

The limbo is over, and so is the fast casual chain, as of March 17.
shelterwithfire
9 days ago
Nooooo!
diannemharris
13 days ago
Noooo!!!!!
acdha
10 days ago
So much better than Chipotle …