Freedom to Tinker raises an interesting concern that malware could be used to turn innocent iTunes Plus (Apple's DRM-free music offering) users into file-sharers.
If a file is swiped from a customer’s machine and then distributed, you’ll know where the file came from but you won’t know who is at fault. This scenario is very plausible, given that as many as 10% of the machines on the Net contain bot software that could easily be directed to swipe iTunes files.
This is an interesting scenario, and I'm quite certain that if iTunes Plus takes off, someone somewhere running a bot network will give this a go, if for no other reason than so that he or she can have a good chortle. But what bothers me more is that files could leak to the P2P networks via other users of a PC (for example, one user on a PC has an iTunes account and gives iTunes Plus a spin, then later another user decides to share these files with a friend or family member who's also into file-sharing ...).
Also, just as I had suspected, there's no integrity check on the validity of the iTunes user name stored in the file:
More interesting than the lack of encryption is the apparent lack of integrity checks on the data. This makes it pretty easy to change the name in a file. Fred predicts that somebody will make a tool for changing the name to “Steve Jobs” or something. Worse yet, it would be easy to change the data in a file to frame an innocent person – which makes the name information pretty much useless for enforcement.
All in all, pretty sloppy on Apple's part, although I'm expecting that the Apple apologists (those who'd be calling for hangings if it was Microsoft doing something like this) will have very good excuses as to why Apple opted to do this.