REST lesson learned: Avoid hackable URLs

3 points by restlessmedia about 12 years ago

2 comments

joosters about 12 years ago
Dumb idea, IMO. If people can access stuff that they shouldn't, by guessing URLs, then your problem is *access controls*, not the URLs.

Switching to opaque, meaningless strings for your URLs does not solve your problem. URLs leak, they risk being recorded and published (e.g. Referer: headers on weblogs), and so people will find them anyway.

You still need access controls and all you have achieved by making your URLs complicated is to create more work for you and your users.
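
An added example, not part of the thread, illustrating the comment above: the same records served behind a guessable id, behind an opaque token, and behind a per-object ownership check. The invoice data, user names and function names are hypothetical and constructed for the example.

```python
import secrets

# Constructed sample data: two users' invoices behind guessable sequential ids.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 75},
}
# The same records behind opaque, unguessable URL tokens (no other change).
OPAQUE = {secrets.token_urlsafe(16): inv_id for inv_id in INVOICES}


def get_by_sequential_id(inv_id):
    """Guessable URL, no access control: whoever supplies the id reads it."""
    inv = INVOICES.get(inv_id)
    return (200, inv) if inv else (404, None)


def get_by_opaque_token(token):
    """Opaque URL, still no access control: the token is the only secret,
    so anyone who sees the URL (logs, Referer header) reads the record."""
    inv = INVOICES.get(OPAQUE.get(token))
    return (200, inv) if inv else (404, None)


def get_with_access_control(user, inv_id):
    """Guessable URL plus a per-object ownership check on every request."""
    inv = INVOICES.get(inv_id)
    if inv is None or inv["owner"] != user:
        # Design choice: same answer for "missing" and "not yours",
        # so responses do not reveal which ids exist.
        return (404, None)
    return (200, inv)


def demo():
    bobs_token = next(t for t, i in OPAQUE.items() if i == 102)
    return {
        # A different id in the URL returns another user's invoice.
        "guessed_id": get_by_sequential_id(102)[0],
        # An opaque URL that has leaked is just as readable.
        "leaked_token": get_by_opaque_token(bobs_token)[0],
        # With the ownership check, the guessable id exposes nothing.
        "alice_reads_bob": get_with_access_control("alice", 102)[0],
        "bob_reads_own": get_with_access_control("bob", 102)[0],
    }


if __name__ == "__main__":
    print(demo())
```
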
DoubleCluster about 12 years ago
You should be glad your urls are so intuitive that they are easily hackable. Keep it that way and don't change them (breaking stuff is bad). Nobody really ever follows links with REST anyway. That idea is nice in theory but it's just too much work in practice.