Carpet sweeping..
Seems to be the common mode of computer security these days.
Hey, why make your systems secure when instead, you can hire a bunch of lawyers to say it's illegal to do anything with a computer that you're not authorized to do, then come down hard on anyone you find that is accessing the system in a way you didn't expect (public domain transfers, session states stored in a URL, clicking on search engine links to exposed documents that you didn't think would be visible, but actually were, etc).
You can have all the programs you want saying "Hey, it's um bad y'know.." to all the people who haven't a clue how to secure their PC, or even know that it even needs to be secured, and you'll be in the same old boat. If it's not something that people really feel they need to know about because they've been burned (or people they know have been burned), they'll carry on as if there's nothing wrong.
Now, each of those people probably knows at least 10 other PC users, so they'll get the hint too.. And the "hey my mate just..." conversations will also probably propagate to another 10 for each of the original 10 (past the "my mate" level, things tend to take on the "urban legend" feel, and it loses impact).
That's a whole boatload of people that REALLY get the message, not in an abstract "I can put my head in the sand, and it'll just go away" kind of way, but in a far more concrete and real sense.
As far as legal goes, I have the sneaky suspicion that it's not. Should it be legal? I'd say it's one of those that is in a really grey area. What they did, in general, is good (increasing user education, which vastly increases real terms security, not just 'tick in a box' security), using methods that are bad (paying organised crime, and hijacking people's machines), but with no real ill effect (delivering a message that your machine has been compromised, and you may just want to get it sorted out).
It's nothing like torture, as mentioned in a previous post, so that comparison is void.
It's very much white/grey hat stuff. On the whole, I'm pretty much behind that kind of activity (someone takes the time to crack your security then tells you how, so you can make it better, rather than cracking your security, and selling that information to anyone who wants it, so you have no idea your security even needs fixing).
Computing laws are still damnably primitive; we need a finely crafted tool that will let us hoist up the really destructive contingent, while allowing the creative (white hat) to prosper. Then we may have a snowflake's chance in hell of actually having systems that are secure, rather than putting a tick in a box, and saying they are secure by fiat.