Yea, it's a serious problem, one that neither Bearshare, nor Turbotax seem concerned about.
Here's the problem: Bearshare has a setup feature which allows you to scan your drive looking for media files. Normally I wouldn't bother doing this, but it seems there is a bug in Bearshare's configuration process which causes it to just abort during setup. So, for the longest time I was always having to start this process, and just cancel out of it. So, in some vain attempt at trying to get it to finish, I thought I would try every step, and that was one of them. What I didn't realize was that in doing so, I set up my "my documents" folder to be shared, since under that folder is "my pictures" and "my music". And since there were at least a couple of Windows pictures in the "my pictures" folder, it added the entire directory structure to my "library" as Bearshare calls it.
Low and behold, TurboTax saves it's *.tax files in the "my documents\turbotax" folder (IIRC).
So, just on a whim I decided to log into Bearshare's upload queue to see what people were downloading from me, and I see my tax return sitting in a queued state. Of course, I immediately freaked, and removed it from the queue. Then I promptly modified my library settings. Fortunately, I had turned on my logging to show upload statistics, and I was able to verify that no one had gotten a chance to download it from me. It totally scared the heck out of my wife, though.
For curiosity, I downloaded someone else's .tax file, randomly. Sure enough, I was able to open the file without incident. I could see their social security numbers, their home address, the social security numbers of all their dependents, and their income. Worse yet, if someone chooses to auto-file, you could get their bank name and routing numbers from that file. It's not encrypted at all.
There are at least two solutions which need to occur, preferably both. Bearshare needs stop adding "my documents" to the library. This is, IMHO, unacceptable. People store their resumes, budgets, living wills, and all kinds of personal stuff here. Fortunately, Bearshare has a list of extensions which it, by default, hides. This includes stuff like .dll and other system files that people aren't going to want to download directly. Bearshare could, very easily, simply add ".tax" to this list. That would be a very easy change. Lastly, TurboTax needs to encrypt their files. They could do this with an encryption key unique to the computer generating the tax file. So, if you are not the computer where the file was generated, you wouldn't be able to open it. That is a more difficult solution, but something TurboTax needs to take a serious look at.
I hesitated in doing it, but I posted a thread on the Bearshare forum about this problem. I said I hesitated, because the more people know that it's a problem, the more likely are some unscrupulous people could go and download the files. Last I checked, there were over 400 turbotax files in Bearshare, and the number will only increase the closer it gets to tax season.
My criticisms fell on deaf ears on the Bearshare forum despite numerous people agreeing that it was a problem, though most decided that it was a problem "for all p2p networking" and therefore somehow lessened Bearshare's responsibility to fix it. I also posted an email on the TurboTax website regarding the problem, and I even mentioned that I was notifying the media, to see if that would spark them into fixing the problem. I suppose it's possible that they have, I guess. They could have issued a bug fix for this, and then just not advertised it. With TurboTax you can download bug patches internally with an update option. I haven't ran it in over a month, though I still do need to wrap up my taxes.
I also tried mentioning it on Fark, Slashdot, and wired.com and they all ignored me. That link timed out on me, but it's good to see that at least some people are trying to get the word out.
![:]](http://www.enworld.org/forum/images/smilies/devious.png "Devious :]")
