Apple, Mythology, and Desktop Security

- by Paul Murphy -

Two weeks ago The Register summarized an analysis (done by Quocirca and available at the cost of registering with them) of reader responses to questions on Linux desktop migration.

To no one's surprise, the study found that business people cite the opportunity to sidestep the insecurity of the Microsoft PC, not cost savings, as the primary reason for considering desktop Linux. Most respondents agreed, furthermore, that the high cost of matching Windows applications, particularly Microsoft Office and custom applications, is the greatest barrier to change.

What's most interesting about this is what it reveals about the respondents: specifically that they're so focused on fighting Microsoft's alligators that they don't see the hardware side of their security problems and are blind to the BSD-based Mac OS X option for running Microsoft Office without Microsoft Windows.

At present attacks on Microsoft's Windows brand products are generally drawn from a different population of possible attacks than those on Unix variants such as BSD, Linux, and Solaris. From a practical perspective the key difference is that attacks on Wintel tend to have two parts: a software vulnerability is exploited to give a remote attacker access to the x86 hardware, and that access is then used to gain control of the machine. In contrast, attacks on Unix generally require some form of initial legitimate access to the machine and focus on finding software ways to illegally escalate privileges.

Consider, for example, CAN-2004-1134 on the NIST vulnerabilities database:

Summary: Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string.
Published Before: 1/10/2005
Severity: High

The vulnerability exists in Microsoft's code, but the exploit depends on the rigid stack order execution and limited page protection inherent in the x86 architecture. If Windows ran on RISC that vulnerability would still exist, but it would be a non-issue because the exploit opportunity would not.
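The two-part pattern described above starts with an unbounded copy of attacker-controlled data into a fixed stack buffer. As an added illustration that is not the page's code and not w3who.dll's, the constructed handlers below (hypothetical names handle_query_unsafe, handle_query_safe and safe_verdict_for_length; QS_MAX is an arbitrary buffer size) show the kind of query-string copy the CAN-2004-1134 summary describes beside the bounded version that removes the overflow on any CPU, whatever its stack layout.

```c
#include <string.h>

/* Constructed example: a request handler receives an attacker-controlled
 * query string and copies it into a fixed-size stack buffer. Both handlers
 * are hypothetical; only the second checks the length before copying. */

#define QS_MAX 64   /* buffer size chosen for the example */

/* Vulnerable form (the "before"): strcpy has no bound, so any query string
 * of QS_MAX bytes or more writes past the end of buf on the stack.
 * Shown for contrast only; nothing in this file calls it. */
int handle_query_unsafe(const char *qs)
{
    char buf[QS_MAX];
    strcpy(buf, qs);                 /* unbounded copy: the bug class */
    return (int)strlen(buf);
}

/* Hardened form: look for the terminator within the first QS_MAX bytes
 * (memchr never reads further), reject the request if it is not there,
 * and only then copy with an explicit length and a NUL terminator.
 * Returns the accepted length, or -1 when the request was rejected. */
int handle_query_safe(const char *qs)
{
    char buf[QS_MAX];
    const char *end = memchr(qs, '\0', QS_MAX);
    if (end == NULL)
        return -1;                   /* too long: refuse and log, never copy */
    size_t len = (size_t)(end - qs);
    memcpy(buf, qs, len);
    buf[len] = '\0';                 /* len <= QS_MAX-1, so this is in bounds */
    return (int)len;
}

/* Builds a query string of n 'A' bytes (the "long query string" case) and
 * returns the hardened handler's verdict, so the reject path can be tried. */
int safe_verdict_for_length(size_t n)
{
    char qs[512];
    if (n >= sizeof qs)
        n = sizeof qs - 1;
    memset(qs, 'A', n);
    qs[n] = '\0';
    return handle_query_safe(qs);
}
```

The length check is the whole fix: once over-long input is refused before it touches the buffer, no stack layout or page-protection detail of the processor comes into play.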

Linux and open source applications are thought to have far fewer software vulnerabilities than Microsoft's products, but Linux on Intel is susceptible to the same kind of attacks as those now predominantly affecting Wintel users. For real long term security improvements, therefore, the right answer is to look at Linux, or any other Unix, on non x86 hardware.

One such option is provided by Apple's BSD based products on the PowerPC derived G4 and G5 CPUs. Mr. Torvalds, for example, apparently now runs Linux on a Mac G5 and there are several Linux distributions for this hardware all of which are immune to the typical x86 oriented exploit.

Apple's Mac OS X, however, has several compelling attractions of its own. First, it's the most advanced and user friendly graphical user environment in commercial use, offers thousands of commercial applications including Microsoft Office, and runs nearly all open source applications.

Secondly, Macs are cheaper. That's not what you see in the PC press, but it is reality. The explanation for that, besides dishonesty on the part of PC reviewers going as far back as 1984, is that Apple's product cycles resemble those of other consumer electronics manufacturers, not those of the PC industry. Thus Apple's products tend to be considerably cheaper and faster than PCs at the beginning of the product cycle, and comparably slower and more expensive than PCs at the end of the product cycle.

Notice that in assessing relative performance both aging and software confuse the issue. Macs have a much longer useful life; as a result, the Macs PC users see most often, in schools or at Grandma's, tend to be significantly slower than the PCs people compare them to, because Wintel product churn means the PC reference standard has moved on several generations since that Mac was built. If, however, you check supercomputer performance data you'll see that where both run Unix, the dual G5 makes about twice the cluster contribution the dual Xeons do.

Today we're just about two years into the G4/G5 transition cycle with typical Apple pricing still below that of the comparable PC but the gap is narrowing. For example, using pricing and configuration data from the Dell and Apple websites on April 10/05, Dell's 810 laptop is now only about $300 more than Apple's mid range, Dell's Optiplex GX280 is about $77 more than Apple's mid range iMac, and Dell's 2850 dual Xeon server is about $1,700 more than the mid range on Apple's dual G5, X-Serve/X-raid combination.

Dell laptop:
Dell 810 15.4 inch laptop - 2.13Ghz Pentium M,
512MB, 60GB Disk, XGA Graphics with 64MB Video RAM,
Windows/XP Pro/SP2, 8X max DVD+/-RW, WLAN miniPCI Card

Apple laptop:
15.2-inch TFT Display
1.67GHz PowerPC G4
512MB, 80GB Hard Drive, ATI Mobility Radeon 9700 (64MB)
Mac OS X, Backlit keyboard, Gigabit Ethernet
FireWire 400 & 800, Analog audio in/out, DVI & S-Video out

Dell Desktop:
OptiPlex GX280 SFF, P4 3.40GHz
Windows/XP Professional, SP2
ATI Radeon X300 SE PCIe x16 64MB
Dell 20 inch UltraSharp 2001FP Flat Panel

Apple desktop:
1.8GHz PowerPC G5
160GB Serial ATA drive
SuperDrive (DVD-R/CD-RW), Bluetooth Module
Keyboard and Mouse + Mac OS X - U.S. English
NVIDIA GeForce FX 5200 Ultra w/64MB video memory
20-inch widescreen LCD

RAID capable Dual CPU Servers:

Apple x-serve:
Dual 2.3GHz PowerPC G5
4GB DDR400 ECC SDRAM - 8x512
80GB ADM (1x80GB Serial ATA)
Combo Drive (DVD-ROM/CD-RW)
Fibre Channel PCI-X card - (lower slot)
Xserve RAID (4x250GB)
Mac OS X Server, Unlimited License
Subtotal $11,698.00

Dell 2850
2 x Xeon 3.6GHz/1MB Cache
4GB DDR2 400MHz (2X2GB), Dual Ranked DIMMs
Windows 2003 Server, Enterprise Edition with 25 Client Licenses
On-Board RAID 0/ RAID 0, Split Backplane,
Riser with PCI-X Support and Embedded Raid (ROMB)
2+4 Split Backplane Daughtercard
6 x 73GB 15K RPM Ultra 320 SCSI Hard Drive
Embedded RAID (ROMB) - PERC4ei (Embedded Integrated)
Dual On-Board NICs
24X IDE CD-ROM and Floppy Drive

Although the Apple products are generally a bit faster and more multi-media capable than their PC counterparts, the most important differences aren't in things like memory and processor speed, but in design, software, and licensing.

The iMac is the first genuinely ultra thin desktop, the laptop a second generation Titanium, and the server combination highly optimized for rendering and high volume, multi-media, web serving. All combine BSD Unix with the MacOS X supershell, and not only do Apple's licensing policies on the server not restrict you to 25 clients, but the use of BSD Unix means that you don't have to buy separate machines for each major application or suite.

In other words, if security concerns are your most important driver for desktop change, and Microsoft Office compatibility is your most significant barrier, then the one option The Register's respondents didn't consider, switching to Macs, actually offers you the best of all possible worlds: Microsoft Office on Unix/RISC, with a better GUI, longer product life, some cash savings, and a performance bonus thrown in.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.