[shadowgovt]

Bad actors who are bad at being bad actors, which is actually the bulk of bad actors.

It's maddening, but it's true. I've seen tale of people having to modify resource auto-generators that created URLs with hexadecimal identifiers in them because the sequence "ad" in a URL would trip ad-blocking browser plugins. You might ask yourself "how many ad companies worth their salt have 'ad' in the URL path?" and the answer is "The ones who are worth their salt might not, but the ones who are terrible do, and they're probably terrible at other things too, like letting malware on their network."

[qtplatypus]

I suspect that the reason that bad actors are bad at being bad actors is that the income is rather marginal and can't attract skilled devs away from more legitimate companies.

[incompatible]

There's somebody who can build a custom browser but can't figure out how to change the user agent string?

[shadowgovt]

They're called "script kiddies" and the trick is: they don't build the browser, they download a kit someone else built that has a user agent in it and use it for whatever purpose they intend to.

I went to school at a place that had a policy of soft-blocking network access for any machine that a portscan detected had TCP or UDP 12345 opened, because Back Orifice defaults to that port and people who built trojan horses to allow remote access didn't change the default. It caught a reasonable number of owned machines every year.

Don't overestimate criminals; if most were good at being criminals, they could be successful in society without having to break the law. ;)

[Already__Taken]

The intersection of information security and game theory is constantly paradoxical.