This is sort of off-topic, but since the 2.0.15 release is now the primary topic of upgrade discussion, I figured I'd answer this now.
You must have had a very bad experience somewhere along the line...
Well, over the past 25 years I've had much more grief from failing hardware and sloppily-coded products than from any security-related issues. Despite being actively involved in activities that (misguided) "conventional wisdom" indicated were high-risk, such as downloading files from BBS's, I've only had one virus on my own hardware in that time, and that was a boot sector virus on a floppy I got from a friend, which I accidentally left in the drive when I was rebooting my machine.
However, evidence of the usage of default paths and filenames in attacks is no further away than your Web server logs. For example, on my BSD/Apache-based sites, most of the 404 errors are for vulnerabilities in specific files at specific paths on Windows-based Web servers.
I have never changed the naming on any of the Windows machines that I have ever built and I don't know of anyone that has had a problem. I think with a good firewall, anti-virus and anti-spyware, and with an educated clientelle, there is very little risk from hackers even if the Windows patches and updates aren't ever applied. Perhaps if I was hacked and lost some important information that somehow never was backed up, my attitude would be different.
Well, I see some problems in this line of thought...
First, it implies that trusting third parties is sufficient instead of proactively tackling security yourself. If everyone
thought that way, then nothing would ever be done to defend against attacks. And even though not everyone thinks that way, and people make active defenses (such as building strong products to begin with, or building defensive systems), people are flawed, and therefore systems built by people are flawed. Your trust in your firewall, anti-virus, anti-spyware, and "educated" clientele is all trust of third parties, yet each one of those parties (or their products) may have significant flaws. (And trust me, even the most "educated" computer user can still make judgement errors.) You have a perimeter defense, but if that perimeter is breached, you've done nothing to protect yourself within. A simple change in a path or table name proactively increases your defenses within that perimeter, so you have something else to trust other than third parties. It's not a guarantee, but again it's all about altering the odds in your favor.
Second, waiting to have your system compromised once before taking proactive measures of your own design to defend against attacks is allowing for one too many successful attacks. That might have been just a personal risk for most personal systems in the 80s, but in today's connected world, you're risking potentially thousands or millions of other systems the very first time your system is compromised. It's not just about what a cracker can do to your system
, it's also what the cracker can do from your system
to attack other
Anyway, just wanted to share a few security-related thoughts for a Saturday afternoon.