
Call ptrace with PT_DENY_ATTACH (it's actually documented).


Trivially worked around by starting the program in gdb and running these commands before you run the program:

    b ptrace
    commands
    return 0
    cont
    end

(In short, every time the app calls ptrace, return a 0 to the caller without executing any ptrace code, and automatically resume execution. Since apps almost never use ptrace for anything else, it's workable to just short-circuit every single call like this rather than trying to check for PT_DENY_ATTACH.)


Clearly, one has to agree that this is a poorly designed API feature with a huge hole that provides no real security.

Apple still, however, designed it into their product and tried to use it to prevent user inspection of system state.


I can only assume that they're following the letter of their contract with media companies to include anti-debugger measures, while not really trying very hard.

Just to be clear, I'm not trying to defend Apple here, just telling people how they can get around this if they feel like debugging iTunes or whatever.


I wonder if the above gdb script counts as circumvention of a technological measure under the DMCA.


Besides Apple's nefarious Dr. Evil world domination uses, it can also be used to protect programs from each other. If your browser denies ptrace, it will prevent rogue programs from reading your passwords out of its memory.


Not really, since a program wanting to circumvent it can just attach before the call is made, or use other mechanisms to read process memory.


OK, true, you have to get there before the bad guys.
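
For the program's side of this thread (the PT_DENY_ATTACH call from the first comment and the "attach before the call is made" race from the later reply), here is an added C example; it is not code from any commenter. It assumes macOS, where PT_DENY_ATTACH comes from <sys/ptrace.h>; the call is made from a constructor so it runs before main(), and on other platforms the function only reports that the request is unsupported.

```c
#include <errno.h>
#include <stdio.h>

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/ptrace.h>
#endif

/* Result codes for deny_attach(). */
enum { DENY_OK = 0, DENY_FAILED = -1, DENY_UNSUPPORTED = -2 };

/*
 * Ask the kernel to refuse future ptrace attaches to this process.
 * On macOS this is ptrace(PT_DENY_ATTACH, 0, 0, 0). It only helps if it
 * runs before anyone attaches, which is the race the thread points out,
 * and the return value is only as trustworthy as the ptrace call itself:
 * a breakpoint on ptrace that returns 0 (the gdb script above) makes the
 * check below pass without the kernel ever seeing the request.
 */
int deny_attach(void)
{
#ifdef __APPLE__
    if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1)
        return DENY_FAILED;      /* errno explains the failure */
    return DENY_OK;
#else
    errno = ENOSYS;
    return DENY_UNSUPPORTED;     /* not an XNU kernel: nothing to request */
#endif
}

/* Run before main() and before most library initialisation, so the
   window in which a debugger can attach first is as small as possible.
   (GCC/Clang constructor attribute.) */
__attribute__((constructor))
static void deny_attach_early(void)
{
    (void)deny_attach();
}

int main(void)
{
    printf("deny_attach: %d\n", deny_attach());
    return 0;
}
```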



