Why are people like Mike Zusman able to get certificates for already existing domains, which can then be used for extremely effective phishing attacks? The "verification" is a joke at best, harmful at worst.
Yeah, he seems to think that everyone who is a pen tester or a security researcher also writes malicious viruses on the side. Here's a clue: botnet writers are not also working for the security industry, because they don't have to. They're making enough money to just sit and improve their botnets.
Really though, this is such a simple attack you'd think that it would be protected against. Any argument about "trust" is irrelevant due to the frustratingly simple way this system has been gamed. Usernames, that's it? I'm surprised this didn't happen sooner.
I think the minimalism analogy translates well to non-web applications as well. I, for one, love Transmission's user interface (that is, the program, not the embedded web server interface, which is nice too). It's super simple, displays all necessary information and nothing more. It uses smart defaults, and configures itself as much as it can. This is where applications stuck on your computer will hopefully go in the future.