Indeed the IRS website blocks Tor users from accessing tax information, as if tor users don’t need tax information. Important legal guidance exists on irs.gov, so it’s obviously an injustice to block people from becoming informed about their rights and obligations.
(edit)
What’s the fix? Would it be effective to make a FOIA request on paper so the IRS must send the info on paper via USPS? Or would that require compensation to offset their burden?
That is reduced access. And it makes a world of difference because the lost access also forces excessive disclosures. It would be perversely narrow to disregard that as a security compromise.
Also, you assume everyone has clearnet access, not just that everyone has the will to use clearnet, and that everyone would find clearnet appropriate for this, and that some users rightly see clearnet as a break from the rule of least privilege principle. But some people offer open internet access to the public on a tor-only network. Users on such a network have no clearnet option.
Furthermore, I personally have a DNS problem with my local public library. I have not yet taken the time to troubleshoot it, but when I connect to the library’s network, all clearnet attemps fail because of some DNS problem. Tor is the only way I can access the internet from my local public library. So until I get to the bottom of that problem, the IRS website is unavailable.
For me, not having privacy-respecting access is the same as not having access. For pushovers who don’t think about their own security, their availability is not affected. More broadly, it’s not your place to tell users what threat model and security posture is right for them – unless they hired you for that. If a blockade forces a connection outside the parameters of someone’s security policy, they have lost availability.
You can’t dress this up as “neglecting to offer Tor support”. The IRS is taking a deliberate action that reduces availability. They took something that works by default and crippled/broke it in an act of sabotage.
No, you have full access. You can go utilize 100% of the functionality of the site. Again, you are misrepresenting what availability is in the CIA triad. It does not mean all feasible ways and means of access are supported. Otherwise you’re arguing that all iOS apps are also insecure because they aren’t available to Android users.
If TLS isn’t sufficient (or available) for you, do the paperwork and mail it in.
You’re not reading what I wrote. I won’t repeat it all here but in short not everyone has clearnet access. Start there.
This is not about me, but if you meant “you” literally, then you need to read what I wrote about my personal situation. Only Tor works at the library for me. I rely on the library for anything large (i do not have a normal unlimited broadband connection). Grabbing many big PDFs could suck my quota dry.
Again, nonsense. Lost access is lost availability. If the Tor network has no access, then they have no availability.
In fact if you only offer service to iOS users, then you most certainly are unavailable to AOS users. Of course. You can‘t disregard the userbase in an availability assessment.
Your analogy would be more accurate if you started with an app that runs on both platforms, and you deliberately artificially sabotaged it from working on one of the platforms. Like a javascript app but you add a line “if Android then terminate end if;” It would result in reduced availabilty, and intentionally so.
The website is not just for transmitting tax declarations. If it were, then indeed there would be no problem here. Check it out, if you get access. There are countless publications and guides.
I’ve read what you wrote, but you are refusing to acknowledge reality. Availability does not even remotely mean what you are stating. You might reconsider taking infosec 101.
Then there is no service that has any availability and all meaning is stripped from the word.
Indeed, and if TLS isn’t sufficient for you then by all means, use the postal service. Hell, you could even go to your local IRS location.
It’s not necessariliy a binary. You apparently did not even complete an infosec 101 class b/c that should have been made clear to you. Your prof has failed you. Availability loss is not necessarly a total loss. Even an underperforming server is a loss of availbility. Availability is a measurable quantity. Of course it can also have a binary context in a narrow sense (e.g. “the tor network has no availability”). This does not strip meaning away in the slightest. It is how the term is used. If a whole demographic of people do not have access, then there is no service (no availability) for that demographic, whether it’s a demographic of Tor users, or VPN users, or CGNAT users, or users on a particular platform. To fail to grasp this is to fail to meaningfully understand availability. If you can’t articulate a whole demographic of people losing access to a resource, you’re missing the fundamental purpose of the concept.
That’s not an option. Gov offices laugh at those requests now. Gov offices don’t even have the courtesy of expressing refusal of postal requests. They just ignore them. So no, you cannot rely on the postal service as a crutch for incompetent security when you cannot even expect it to work.
You’re fired. This does not compensate or serve as an excuse for incompetent security. Expecting Americans living abroad to get on a plane to physically appear at an IRS office is absurd. Unlike most of the world, Americans must file their tax wherever they are in the world (which is not just a transmission but also research – reading publications and advice).
Indeed, it is not binary. I’m glad you can see that now. Availability has scope, and for the IRS, tor is not in that scope. This is not a security issue. Continue to scream into the void about how literally any impediment to every form is access is a security issue, but that’s not how any of this works. Given you seem to keep bringing up course work and professors and this naive view of security, I’m assuming you’re a student. Keep studying.
It is an option. Saying “nuh uh” doesn’t make it not an option.
This serves as availability. You have TLS, postage, and physical locations you can utilize. You are just whining. Your refusal to use any of the plethora of means available to you has no relation to the competency of the IRS’ security. Grow up.
I said not necessarily binary. Your inability to grasp the various different contexts is profound. The non-binary usage is a red herring in this discussion. When you universally deny a whole demographic of people access, that’s binary. It’s a hard and fast total loss of availability for that demographic.
The scope is the American taxpayer. Of course Tor users are in that scope. You cannot deny access to a whole demographic of people on the crude and reckless basis of IP reputation and then try to redefine the meaning and purpose of availability to offset your incompetence. You need to face the facts and admit when you don’t have the skill to separate threat agents from legit users. Screaming until your blue in the face about how you would like availability to be defined does not bring availability to the demographic of legit users being denied access.
I only brought up school because at your level that seems to be where you are. My infosec MS came decades ago.
Saying the contrary does not make a demographic of people magically part of a different demographic of people. Who do you think you are fooling by pointing to demographic A saying “they have access” in response to demographic B not having access?
Wrong demographic. That’s not anonymous.
You mean postal service. Again, wrong demographic. That’s not anonymous. The IRS needs your physical address in the very least.
Wrong demographic. That’s neither anonymous nor reachable outside the country.
Your refusal to accept that a demographic of people are denied availability has backed you into a corner making absurd claims to justify incompetence. The growth and evolution is needed on your part. To give demographics of non-anonymous people access to tax material continues to miss the point about loss of availability to people who are.
It’s really not. You’ve been asserting that there’s somehow a lack of security because they don’t support tor because that means they’re failing on the “availability” point of the CIA triad. That’s incorrect.
This is also incorrect. The scope is the American taxpayer who is able and willing to utilize the website. You are either unable or unwilling. You are not in the scope. You absolutely can block entire swaths of address ranges and, in fact, have better security because you did so.
A lot has changed from decades ago, you might consider going back to school.
Neither is tor. And even if tor did provide perfect anonymity, tough shit. You are again just whining. Nobody owes you the ability to “anonymously” download tax material at your preferred comfort level of anonymity.
Before you can claim it’s not a red herring, you must first grasp what is claimed as the red herring. Your reply displays that you don’t. When a demographic of people are wholly denied availability, and you make the false assertion that availability is /never/ binary, it’s both incorrect and irrelevant. Incorrect because you can have 100% loss of availability in a context. Context is important. And it’s incorrect because people without access are inherently without availability.
THAT’s incorrect. That’s the sort of weasel wording that people can see right through. You’ve taken the whole of taxpayers who are entitled (in fact obligated) to file tax, and excluded some of them as a consequence of infosec incompetence. You cannot redefine the meaning of a term to justify incompetence. It’s purpose defeating for PR damage control.
This is where your lack of infosec background clearly exposes itself. You can also /randomly/ block large swaths of people arbitrarily and with the same mentality claim “better security” because you think a baddy likely got blocked, a claim that inherently requires disregarding availability as a security factor. You will fool people with that as you’re pushing a common malpractice in security which persists in countless access scenarios because availaibility to the excluded is disregarded by the naive and unwitting.
Nonsense. Infosec, comp sci, and all tech disciplines cover most diligently principles and theory which are resilient over decades, not tool-specific disposable knowledge. The principles and theories have not changed in the past 20 years. You seem to be in a program that short-cuts the principles and fixates on disposable knowlege, likely a vocational / boot camp type of school, in which case you should consider transferring to a school that gives more coverage on theory - the kind of knowledge that doesn’t age so fast.
WTF? You don’t know how Tor works. Perfection is never on the table in the infosec practice. You should forget about perfection – it’s distracting you. But Tor most certainly provides anonymity in the face of countless threat agents, among other features.
“Owes” implies a debt. I never spoke of owing or debts. The IRS has an obligation to inform the public. When they exclude demographics of people from their service (in particular people who funded them), it’s an infosec failure and an injustice.
You have to go out of your way to have your access reduced. There are endless ways to achieve that and tor is just one of them. Besides the sigint opportunities on tor aren’t as minimal as you want them to be. Also, you’re connecting to the site and acting in behalf of yourself. I’m at a loss why this should rank at all in the context of a tidal wave of measurable abuses.
That would only be true of someone without a Tor setup to begin with. Some of us have Tor baked into our scripts and apps to the extent that using clearnet is going out of our way.
They all have benefits and drawbacks, some cost money, some entail more effort, etc.
It serves the purpose for the case at hand.
Only if you login, which is often not the case for irs.gov.
Read the sidebar. It’s a service that is essential and intended for the whole pulblic. As the digital transformation forces people do perform transactions with public agencies, those agencies are progressively removing offline options. Exclusivity is trending as a consequence. Essential public services should be inclusive and open to all.