The Duck: agreed, it would be dumb, but the world (and prisons) are full of people that do dumb things. Nessus /Nikto/etc scanners are also easy to pick out in a log file.

Groovicus: site mapping software doesn't find the directories which are not linked to. I have used directories (as I'm sure others have) and relied on security by obscurity as *part* of the security for it. If you don't know it's there, it's hard to defeat weak passwords that certain individuals use.

HTRegz: Yes, it does sound a bit skiddieish, but I was just wondering. I have no worries about having to call Bubba daddy. Thanks for the info on robots.txt. It makes me wonder... (here I go again)... can you include robots.txt in the robots.txt file so would-be attackers can't google "inurl:robots.txt site:mysite.com"? I didn't see any mention of this in your references.