
As I've said before, I just find it hard to believe that the very foreseeable problems lurking at the intersection of speculation, cache and protected mode were really such an unexpected shock to the industry https://youtu.be/kFT54hO1X8M?t=1195. I have a jaded suspicion that in fact a fair few people had some idea, but they said nothing and didn't look closely because it would have been no fun, and in some cases not career-enhancing, to be the Jeremiah calling for major CPU deoptimisations. OTOH the very security-researcher heroes whose reputation is built on collecting trophies didn't seem to say much either, so maybe everyone really was completely blindsided?


I have anecdata that there were people who raised those exact concerns in those exact companies and were brushed off. If the companies were honestly surprised, it's because they purposely turned a deaf ear to the problem for the sake of greater revenue. But nothing really happened to those companies, so maybe it was ultimately a strategy that worked?


I can't help being reminded of the big US banks and sub-prime.


Yes they were shocked. And it is simply because even the most fundamental laws of security (e.g. security is not scheduled via obscurity) have flown and fly over the heads of architects. They don't understand software beyond the smallest of kernels which dominate execution time. They don't understand that attackers need one weakness to exploit a system. They don't know how to objectively analyze systems to prioritize their weaknesses (e.g. seeing how the coexistence and sharing between mutually untrusting software is a potential threat).

That’s why the biggest computer architecture breakdown came from outside the comp arch community.

