Thursday, September 30 12:00 AM ET

Senators Call for Software Exploit Waiting Period

Washington, D.C. -- A bipartisan group of U.S. senators led by Chuck Schumer (D-New York) and Dick Durbin (D-Illinois) has introduced legislation for a three to five-day waiting period for buffer overflow exploits. The legislation was conceived after hackers developed an exploit for a newly identified "JPEG Processing" buffer overflow vulnerability in Microsoft software.

Durbin and Schumer announced the legislation at a news conference where they were joined by a bipartisan group of senators, Jim and Sarah Brady, and an Illinois man whose business was attacked by a mentally ill hacker who was able to exploit a buffer overflow.

A buffer overflow occurs when a piece of software accidentally tries to store more data in a holding area than it can handle. Schumer revealed that buffer overflows are by far the leading instrument used in hacker attacks, more than all other methods combined.

"A brief waiting period allows tempers to cool and can give our law enforcement officials an opportunity to spot questionable Internet users," Schumer said. "It's hard to understand why any person, even a security expert, would need immediate access to a buffer overflow exploit."

"A waiting period isn't about more government, it's about fewer hacker crime victims," Durbin said.

The Senators modeled the legislation after an original five-day waiting period known as the Brady law. It went into effect in February 1994 and is named after Jim Brady, who attended the anti-hacker news conference.

Durbin said that without a waiting period, would-be attackers can download an exploit for a newly discovered buffer overflow in minutes, with no cooling-off period for anyone considering harming themselves or others.

Schumer added the proposal makes cybercrime officers the first points of contact for all background checks. A three to five-day waiting period will allow time to contact low-tech local officials who may know about mental health histories and domestic abuse records not available federally.

"Our bill may be the only barrier between a child and his abusive parents who denied him a high-bandwidth Internet connection and a new computer for Christmas," Schumer said. "We want to stop those troubled teens from destroying peoples' lives."

Illinois conducts its own background checks and already has a state waiting period in place. However, buffer overflows are often trafficked from states with weak computer crime laws to states with strong computer crime laws such as Illinois.