A teenage hacker who broke into computer systems all over the country was sentenced yesterday to 15 months in prison for scrawling his cyber name and his love for a high school classmate across a series of Web sites.
Over the course of two years, Eric Burns, 19, hacked his way into Web sites used by the U.S. Information Agency, Vice President Gore and NATO, among many others. The Shoreline, Wash., teenager had no formal training, beyond some community college courses, but he scrawled phrases such as "Hack by Zyklon" and "Crystal I love you" across seemingly secure Web sites and forced the USIA to close its site for eight days.
Fixing the damage he caused cost $40,000 to $120,000, and Burns has agreed to pay $36,240 to a group of his victims.
Burns apologized for his activities at a hearing held in federal court in Alexandria, which had jurisdiction in the case because several of the victimized Web sites were hosted by servers in Reston and Herndon.
"I told myself that I was finding security problems and warning companies, that I was helping them protect themselves from other people who caused damage. But I became that other person," Burns said. "I'm the reason we need security on computers.
"I disgust myself," he told U.S. District Judge James C. Cacheris. "I am very ashamed of what I have done."
Burns's attorney, Ralph Hurvitz, said his client was an immature and thoughtless young man. Using off-the-shelf computer manuals, Burns was able to design a program called "Web Bandit" that allowed him to scan the Web looking for vulnerable computer systems. Then he would hack in and arrange for would-be viewers to see a page that he had designed.
"We have a young man . . . who is very uncomfortable with any sort of face-to-face interpersonal contact," Hurvitz said. "He gravitated to computers the way others might gravitate to football or the piano."
The judge responded, "Playing the piano doesn't have consequences for other people."
Cacheris ruled that Burns's hacking qualified as a "special skill" under federal sentencing guidelines. That bumped his potential sentence from as little as eight months to a range of 12 to 18 months.
Cacheris said he opted for 15 months "because you continued to do this after you were confronted by the FBI [in February] . . . and the serious nature of the case."
U.S. Attorney Helen F. Fahey praised the sentence, noting that Burns "caused major disruption" to the White House, the USIA and other Web sites. "In this age when electronic communications have become so important to society, it is necessary that prosecutors and courts hold destructive hackers like Eric Burns accountable for their actions," she said.
Most federal hacking cases have resulted in sentences of a few months to two years, said Eugene H. Spafford, a Purdue University computer science professor. He said that some high-profile Web sites have made security improvements to fend off hackers such as Burns, but many places remain vulnerable because companies opt for inexpensive security.
"People have made bad business decisions," he said. "Security is an add-on rather than a basic design feature in many systems."