% fortune -ae paul murphy

And then there's Mactel

When I first started writing about Apple's need to change CPUs people thought I was nuts. Then Apple dropped the PowerPC in favor of Intel and I thought they were nuts. It's too early to tell who's righter, but enough of the other shoes have been falling for Apple fans like me to be seriously worried about one of our favorite products.

One of the myths about Apple has always been that Macs cost more than PCs - it was never true, but enough people believed it to imagine that Intel based Macs would cost less than PPC based ones. We now know: they don't. In fact, if you compare pricing on equivalent systems, Macs now really do cost more.

Worse, they do less per dollar. From batteries to ports, Dell's economies of scale, manufacturing relationships, and shipping volumes give it an edge over Apple in the business of putting bruises on bananas.

Another myth about Apple used to be that PCs were faster. It was never true: each new PPC based Mac, when first introduced, was significantly faster than its PC competition. What confused the issue was that Mac product cycles used to last through three or more PC generations, meaning that a new PC introduced near the end of an Apple product cycle tended to be a bit faster than the oldest Macs in the line. Now with Mactel, however, Apple's product cycles have to sync up to those of the PC and because Mac software generally does a bit more, and therefore uses more resources, the PC now really does tend to be a bit faster.

This disadvantage shows up in unexpected ways. For example, Apple's graphics are fundamentally PostScript based, while Microsoft has always relied on proprietary libraries and bit twiddling. Unfortunately the people who make graphics controllers can count and so optimize their products for Microsoft's approach - meaning that the same board in fundamentally the same PC will seem to perform better with Windows Vista than with MacOS X.

A key reason Mac loyalists are loyal to Apple is simply that they can count on things "just working" out of the box. Apple created that effect by combining software control with hardware control - in other words, by building advanced software for a limited set of known hardware combinations. With Mactel that advantage is being lost as cost pressure drives Apple to low bidder parts that may be only 99.999% interchangeable, it's being lost as people port MacOS/X Darwin to their own Dell or other label PCs, and it's being lost as Apple users experiment with Windows/XP and Vista compatible plugin hardware on Mactel. Apple has, in effect, ceded control of both the hardware and software sides of its previous product line and, in that process, lost the ability to ensure that its products will "just work."

Bottom line? Well, Mactel has so far cost Apple control of its input costs, its product cycles, its software, and its hardware base. Nothing worse could happen, right?

Wrong.

A regular reader emailed me a link to this securityfocus interview between Federico Biancuzzi and a guy named Loïc Duflot who gives this introduction for himself:

I am a security engineer and researcher for the scientific division of the French National Security Agency, namely the Central Directorate for Information Systems Security in Paris. I am also a 2nd-year PhD student in Paris XI University. My research work is mostly focused on the security aspects of interactions between hardware components and software.

The interview is about the potential for attacks against Intel's lowest level of processor control code - enabling an attacker to gain full system control entirely without the OS "knowing" about it at all. In Unix, including Apple's Darwin variant, that's actually possible from the console on a working machine - and almost trivial on any machine booting EFI, regardless of OS, if the attacker can gain access to co-processors like those on network, RAID, or graphics cards.

Now I haven't looked at this enough to really understand it, but here's the exchange that caught my eye with respect to Apple's Mactel decision:

[Federico Biancuzzi]: Are other architectures (Sparc, PowerPC, ...) vulnerable?

[Loïc Duflot]: To be able to carry out the privilege escalation scheme, the attacker needs to be able to write to Programmed I/O ports from userspace. As far as I know this is not possible on architectures other than x86.

And that's what's worst about Apple's x86 decision: they've given away their security advantage.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.