
I don't agree with killing the messenger here. His activity is in a decidedly gray area, but I think the results and discussion are valuable.


This is valuable discussion, but not to the HN audience, as we already get it. There are some tough laws that can be applied to his behavior. I don't know what the odds are of getting caught up in a criminal prosecution, but you don't want to spend the next 10 years of your life dealing with the fallout of a blog post.


It is certainly interesting news to me that 5 out of 5 random users won't change their habits, even after someone provably breaks into their account and tells them how to avoid it in the future.


The article isn't clear, but it sounds like the author used Firesheep the second time to see if the users changed their habits.

Most people already know that if someone gets a hold of their account, and they already have access to it, to change the password. For this particular situation, they don't know about the whole SSL thing. It took me nearly 20 minutes to explain what a session was to my very non-technical girlfriend 2 days ago. Most people are very unsure of following directions from an untrusted source on the internet, even if they are very trusting of strangers on the internet. Most users are aware of phishing scams as a general strategy. There is a good possibility they changed their passwords, since that is what they already know, but that particular solution doesn't work all that well for this scenario.



