For security reasons, the .htaccess file is NEEDED to forbid access attempts on the backup directory.

In the absence of .htaccess, an anonymous user may download a backup file (which contains the entire backup of the site, modules, and database). Okay, they will have to guess at the name, but...they can download.

Anyways, I modified the code in backup.module:595 to read like this:

if ($file == "." || $file == ".." || $file == ".htaccess" )

I simply allowed the .htaccess file to be ignore.

They maybe a better solution altogether, but that what have.