It seems that Paul Thurrott is astonished that Apple would apply DRM to purchased music on the client (iTunes) rather than the server. Seems like a really bad design decision and a good way to open the door for two programmers to crack it.

The statement from their blog is precious:

"Our intent was not to circumvent copy protection, and if Apple did DRM on the server, we would leave it in place! But applying DRM in an opensource project is not worth the time it would take to code it."

If memory serves me right, when Apple first released Software Auto Update back with Mac OS X they did not cryptographically sign their updates, which of course opened them up for a man in the middle attack delivering malicious code to their customers. Nor did they use any form of HTTP authentication or certificate validation when downloading updates. I remember this because when we developed our software update for Microsoft Office X I was sort of astonished that they did not code sign their updates or use https. Well it was a matter of time before they had to fix it.

I guess hindsight is 20/20 (that goes for everyone). But personally I'm not surprised.