The initial negotiation to start project
We were sitting in the conference room in our little office. The mood was tense. The whole team was present, since we were considering taking on a new project for a new client.
"Why the RUDE WORD are we talking to these people again? We already rejected them last year!" Robin is our architect and lead developer. She's experienced and by far the most opinionated of us. After a lifetime of working in software development, and being belittled, harassed, and disrespected by colleagues, bosses, and everyone else, she's the least inclined of us to compromise.
"It's been months since our latest client, and the company bank account is getting low. We need income, and we need it soon, or we won't be paying salaries by Christmas." I love Robin, but she does need things to be spelled out clearly, from time to time. Luckily, that's what I'm good at, and patience is part of my job. "These guys are flush. They just got a ton of VC money last week. They're also desperate. Their whole current product line is broken, and not likely to survive another security catastrophe. If we play our cards right, we can earn enough of a fee to cover our salaries for several months."
"I'll grant you the money aspect, but we don't usually accept clients that are difficult to work with. Am I alone in having my spidey sense tingling?"
"No, I'm apprehensive as well." Andrew is our senior developer. He's always calm and composed, and as unflappable as the Alps in a summer breeze. "Last time we rejected them partly because they're a Silicon Valley style brogrammer startup, and all that entails."
"I know someone who works there. They're at least not openly racist or sexist." Nina, our sysadmin and operations specialist, is also the company cynic.
Robin sits up, worry lines smoothing on her face. "Nina, if you say they might be tolerable as a client, I'm willing to reconsider our rejection of them." Nina draws the right side of mouth into a smile, which doesn't reach the left side of her mouth. An evil glint shows up in her eyes.
"I'm not saying they're good. But we should look at them and give them a chance."
I raise both of my hands, hands flat, palms outward, in a sign that everyone should be calm. In Andrew's case, that he should stay calm, since he's never anything else. "I sense a rough consensus that we should give them a second chance. I suggest that I meet them to discuss the project, and to explain our ground rules. After that, we can discuss the situation. If it doesn't look good, we can reject them again. If necessary, we can vote. As usual, everyone has a personal veto and can stay out of the project, if the rest of us accept it. Deal?"
That's a thing we established when we set up a company with Robin. We're contractors, and while that means we have to accept clients and client projects, both Robin and I have plenty of experience working for unpleasant people. Every new job, and every new client, brings a new group of people who need to be taught basics of software development processes, or basic human dignity. Several years ago we started our own company and one of our core values is that we don't work for asses, and we reject potential clients if we don't like them, either entirely or each team member separately. This has made our lives much better, but we only get away with it by being really good at what we do.
I get nods from everyone, except Robin. She looks thoughtful for a few moments, and looks around the table at everyone, then finally also nods. Everyone stands up and leaves the conference room to continue their day. We're between paying projects, so there's practice runs and studying and experimentation with new tools going on. I stay, to finish the meeting minutes for our internal wiki, and to send an email to Sam at SmartHomes, Inc, the prospective customer, to set up a meeting.
I had chosen Cafe Aalto as the place to meet. It's well-lit, not crowded, and serves a marvellous hot cocoa. A bit noisy from time to time. Also, it's located so it's easy for everyone to come there. I'd brought Robin with me so that we could go over hardcore technical details. I'm not entirely non-technical, but I quickly get out of depth once we leave the big picture level. That's OK, since my role in the team is facilitator, project manager, and customer interface, and it's enough for me to understand the tech on a conceptual level. Robin and I had walked from our office, and had occupied a corner table, for some extra quiet, and Sam had soon joined us.
I prefer to meet clients on neutral ground, rather than in a meeting room at either their office or ours. People are more relaxed and more amenable to having their mind changed that way.
This cafe isn't ideal. It's got a hard acoustic environment, so things echo a bit, and there's usually a bunch of Japanese architecture students studying the building, since it's designed by Alvar Aalto, the famous Finnish architect.
Sam from SmartHomes isn't relaxed, but that's probably not because of harsh echoes of other people's discussions. He's nervous for his company, and under quite a lot of stress. He's quite visibly upset. "What's going on? I thought we'd talked already, and had an understanding. We need some work done, and you are available. Why are we having another meeting? Why aren't you working and piling up billable hours? We're not paying for idling away in meetings."
Robin was changing her posture, shifting in her chair. I could hear the anger bubbling in her, so I rushed to cut her off before she said something to drive Sam so far up a tree I wouldn't be able to talk him down. "I think there's some misunderstanding. You and I met, and we talked, and I got a general understanding of what you want, but I did say I have to talk this over with my team. I've now done that, but some issues were raised that need to be discussed with you. I brought Robin here to aid that discussion, and for technical depth in case it's needed."
Sam took a deep breath, which clearly calmed him down a bit. "What kind of issues?"
"To start with, your company doesn't have a strong reputation for technical quality. On the contrary, generally speaking your stuff is spoken of as cheap crap. We prefer to make quality stuff that lasts."
"That is exactly why..." I cut him off. This part is going to be painful enough without having to hear him explain his side. "Please, let me explain our issues completely before you defend yourself. Here is the situation as we understand it. You produce a line of gadgets for so called smart homes, which mean controller, sensors, and displays to automate parts of the functionality in a home, so that those living there can adjust lighting and heating via their smartphones, even when not at home, and can see temperatures, energy use, and so on, again also when not at home. Pretty basic IoT stuff, in other words, except you've managed to capture a large share of the market, which puts you in a potentially very nice position, financially."
Sam nods. I continue.
"Unfortunately, your stuff is of low quality. At least three times in as many years your gadgets have been cracked, and used in botnets, to participate in the largest distributed denial of service attacks the world has seen. This has been noticed by the media, and you have enough egg on your face to feed a shipful of hung-over Englishmen who want breakfast. The general theme among those who write about these things seems to be that if you don't get the security of your gadgets fixed in the next generation, it's over for you. You've been working on this for months now, but your whole corporate culture is against you and you're failing to solve your technical problem. That's why you need us, or someone, to solve them for you."
"That's quite blunt."
"I prefer to be blunt. It lets us find the real problem, and discuss that, instead of dancing around your sensitive feelings."
"Fair enough. I wouldn't have phrased things quite so starkly as you did, and I don't think we're quite as desperate as you say, but let's ignore that. What do you suggest? And why wouldn't you work for us?" Sam as clearly not as stupid as he looked. He'd taken my criticism quite well, much better than most of the prospective clients I had to get blunt with. So far, so good.
"The main issue we have is in fact your corporate culture. You're a startup, in the worst Silicon Valley style. Almost all your people are young and male, and you have a strong macho culture. Long hours, hard work, hard play, all the hallmarks of being manly men who win. You got a big pile of venture capital cash recently, and that won't help. Your culture, and the way your people behave, was bad enough last year, when we talked the first time, and that was why we turned you down then. In fact, your company projects a strong brogrammer image, and we usually avoid dealing with such people."
"I see." Sam wasn't taking things nearly as well as earlier. He was clearly very upset, even his hands were shaking. I was counting on him to be desperate enough to save his company to let us do things our way, and for that, I needed to shake him so he was properly scared. Had I gone too far? No, he was upset, but controlling himself. He stopped the shaking by forming fists with his hands. His knuckles were white. He was breathing slowly, deliberately, and deeply.
"I can't say I'm happy to hear this, of course."
"Would you like to discuss possible ways in which we can deal with this and find ways in which we can work together?"
"Yeah, we'd better do that. What do you suggest?"
"You said you know the reputation of our company. I know it too. We're small, but we deliver what we promise. We're challenging to work with, and we require a lot from our clients. The client needs to conform to our requirements, instead of the usual other way around. We do things differently, and we don't compromise on our methods, and we charge a lot, but we deliver. As long as we deliver, nothing else matters to our customers. With me so far?"
"Yeah, that reputation is why we want you."
"One of the cornerstones in a customer relationship for us is that both sides can trust and respect each other. On our side, we can't be productive if we feel we're not treated well, or if we can't be blunt when that's needed. On your side, if you don't trust us to deliver, there's no point in tolerating our eccentricities or us challenging you to do better."
"We don't believe in blind trust, so our standard contract includes a code of conduct, regular reviews of the situation with the possibility of amending the contract, and a commitment by you that you'll provide certain things so we can work efficiently."
"What kinds of things?"
"Most importantly, someone from your side who acts as a product owner in the Scrum method sense. Someone who knows what the product should do, can make decisions about any unclear aspects, and is available full-time for this. Otherwise we end up waiting to get answers. There are also some practical details about work space, chairs, tables, lighting, 24/7 physical access, and Internet connectivity, but those are only important if you insist on us working from your premises."
"I'm sure we can have a product owner. The practical details can surely be arranged, but we would like to have you on our premises. It's easier if we can talk in person, than doing everything over email or video calls."
Robin has also, by this time, calmed down a lot, and so when she indicates she wants to say something, I give her a little nod of encouragement. "We prefer to work from our own office, but we've worked on customer premises before. It is sometimes hard when customer IT isn't co-operative, but we have ways of working around that. If we can occupy a large meeting room, bring our own chairs, and arrange our own Internet connectivity, we'll be OK. We'll bring our own servers and set things up in the conference room so we're comfortable."
I jump in. "Let's assume we can sort that out. I'll email you, Sam, our standard contract and you can review it with your people. Now, since we have Robin here, should we talk about the technical problems that you need to solved? I know you're not a techie, and before we take on this project, we'll want to talk to your people in detail about this, but we can get started. I think Robin already has some ideas for you to consider. Robin?"
"Yeah, so I've reviewed your public documentation for your products. Also, a bunch of magazine articles and blog posts. Did you know there's a whole blog dedicated to describing how shitty your products are?"
"I know. We've spent a small fortune on lawyers to shut it down."
"Well, that's one of the first steps to take. Stop attacking your critics, it just makes things worse for you. I also spent an evening at a friends house getting some hands-on time with a couple of your products, and I'm not happy."
Sam's shoulders are hanging. His voice seems defeated. "Why?"
Robin is clearly having a good time now. "It took me only half an hour to get into a root shell. You have a telnet port open, and as soon as I figured out that, and googled to find a list of you hard-coded root passwords, I was in. That's 1970s security, it's not nearly acceptable today. From my research, you also have no upgrade system, so as soon someone finds a security hole, your users have to buy a new gadget to get it fixed. Another thing that is no longer acceptable in modern times.
"Based on this short black-box evaluation, and pending discussion with your techies, my initial suggestion is that you need a completely new platform for you next generation products, one that's built to be secure and updateable. We have that. You also need processes for preparing and distributing updates to you users, and to take on the responsibility of providing the updates. We can help with that, but you'll need to do the bulk of the work. You also need to port your actual applications to the new platform, and that's probably not something we can do for you."
"This sounds like you want us to start all over from scratch. That's going go be a hard sell to our investors."
I smile an evil smile. "They're going to like bankruptcy even less. If you want help convincing the investors and stockholders, or your management or developers, well, we can help with that too."
"You're so very helpful."
Robin, Nina, and I are at the SmartHome, Inc, headquarters, in a large, lavish board room. Mahogany walls, a large oval table, comfy, well-padded leather chairs, a huge monitor, and power, network, and display sockets in the desk surface at every seat. All three of us are plugged in, and prepared to give a talk to the senior techies about what we think their problems are, what our own platform is like, and what we offer to do for them. This could go either really well, or really badly. We've decided for a strategy of shock and awe.
The SmartHome techies arrive in three clusters, and seat themselves in the opposite end of the table from us. Most of them seem subdued, with a couple of exceptions, who mostly seem belligerent.
I nod at Nina, who opens her laptop and starts typing. I stand up and face the audience. "Hello, everyone, my name is Anna Carter, you may call me Mrs. Carter. I'm the friendly face of The Team, and Sam has asked us to help you develop the next generation of SmartHome products. You may know that SmartHome products have a bit of a bad reputation when it comes to quality and security. To confirm this, I've collected some quotes from recent product reviews, and from Twitter."
The audience shifting in their seats. I can see several of them getting ready to jump to the defence of what they've built, or have had a hand in building. To keep the upper hand, I tap the keyboard on my laptop, and my first slide appears on the big monitor, accompanied with Joan Jett singing "I don't give a damn of my bad reputation" via the sound system.
"Here is a screenshot from the latest review of SmartHome products in Ars Technica. I've highlighted the important bit." Ars is one of the tech news publications with a strong reputation and general respect. The highlighted quote reads, "The latest version of SmartHome's hub still has bad security. Our review sample had been infected by a botnet when we received it."
I let the quote sink in for about three seconds, and change to the next slide, which has quotes from Twitter. The kindest is perhaps one saying a SmartHome hub is the perfect way to let you neighbour's kid control your lighting.
"There's more quotes, but they just continue the theme, and I'd prefer to not show the ones that are just name-calling and discussing the ancestry of SmartHome developers." I glance at Nina, who nods. "Instead, I'll let Nina give a short demonstration." I use the remote control to show Nina's screen on the monitor.
Nina stands up. Not that it matters much, she's short, and standing on the floor seems as high up as she was sitting in the chair. No matter. "Hi, I'm Nina. Just Nina. I'm the sysadmin in the team. I like to play with security stuff, and I've just owned your office." She taps a key. The room lighting turns off, as does the monitor. "Your office is stuffed with your products, and that's good. Dogfooding is always sensible." She taps another couple of keys. There's a click-clack from the board room doors. "Except when your dogfood is insecure and can control your locks and your heating. I've changed the password for you."
The SmartHome techies are looking at each other.
"Please look at the big monitor." The monitor shows a window with clickable buttons like "board room locks", and "heating". "You should know that application. It's the open source HomeApp application, which someone's written to control your gadgets. It's quite popular, and it's included in Debian, so it's readily available. Works quite well, and requires practically no configuration. I installed it before we came here, and I took over your office devices just now. I didn't even have to try."
"Now wait minute! You can't do that!" Olaf, one of the seniors stands up. His face is red, his movements are abrupt, like stop-motion animation. Nina stands still. "I just did."
"But how? It's all firewalled and password protected." The stop-motion old guy clearly doesn't believe what Nina is saying. He shakes his head.
"First, I'm inside your firewall, remember. My laptop is on your guest wifi. The wifi password is printed in the wall. It's just like vampires. Firewalls do not help when you keep inviting people into your home. Second, while your gadgets indeed do have a password, and it isn't the default factory default, it's the same password as for wifi. Which you print on the wall. Also, it's the third result if you google for 'smarthome office wifi password'."
The old guy sits down. His face is now quite pale. The room has started to heat up. Everyone else loosening their ties, or removing sweaters.
I stand up. "This, gentlemen, is an demonstration of how bad your security is. It took Nina only..." I look at her. "Fifteen seconds." I shake my head. "Only fifteen seconds to own your office. She now controls locks, and heating. Shall we ask her to open the locks and turn the heat down?"
The SmartHome techies mumble variations of "yeah". I shake my head. "No. One of you has to stand up and politely ask Nina to do those thing. Alternatively you can take back control of your office in some way. But you have to do it from this board room. Remember, the doors are locked."
One of the younger techies gets up, and walks to the doors, and attempts to open them. They stay locked. He pushes them with his shoulder, but the doors are solid, and don't budge. He turns around, faces Nina, and bows deep, Japanese style. I'm not familiar with Japanese culture much, but I know Nina is. I make a mental note to ask her later if the guy is showing proper formal submission.
"Please, Miss Nina, if it pleases you, could you open the doors and turn down the heating to normal."
Nina stands still, looking at the guy. She tilts her head to the right, and hums, but doesn't make a move to do as asked. I speak, to make sure the SmartHome guys understand they're being humiliated. "What's the magic word?"
The guy looks puzzled for a moment, then speaks. "Please?" Nina lazily turns to her laptop, and taps a key. The door locks click-clack again. The big monitor also shows that the turned off the heating.
I look at the old guy. He's still sitting in his chair, with his hands flat on the table. "Is there something you should say, sir?" He doesn't seem to hear me, but before I have time to repeat myself, the young guy at the doors speaks. "Thank you, Miss Nina and Mrs. Carter."
"I'm glad someone has been brought up right. But no, I mean isn't there something you have forgotten, something you should ask Nina?"
The old guy is poked in his side by the colleague sitting next to him. They put their heads close to each other and whisper. The young guy saves them, again. He does another Japanese style bow. "Er, Miss Nina, could you tell us the new password, please? If it pleases you."
Nina is clearly enjoying the situation. "Sure. I'll save you the hassle of having to physically reset all the gadgets. The new password is 'iabasaisfa', which is short for 'I am bad at security and I should feel bad'. All lower case."
The SmartHomers being now properly cowed, I walk the through the rest of my presentation. It covers the same stuff I told Sam at the cafe, except dressed up with fonts and stock photos. We have a reasonable discussion, and they admit all their faults.
"Next up, I'll explain what we can do for you." I launch into a description of the platform we, The Team, have developed for IoT devices. "The platform requires a hardware platform supported by Linux and Debian, and gives you a secure updating mechanism, for both the operating system and your application, application runtime environments based on containers, and direct communication channels between devices that don't require access to a central server in the cloud."
The old guy has recovered, and in true techie style, after his ego isn't bothering him anymore, dives straight into problem solving mode. "That'll require us to rewrite all our code running in the gadgets, right?"
I nod. "Yes, it'll require a lot of effort. I believe your management is willing to invest in that. It's that or bankruptcy. Further, you can't just do a straight port, all your software will need to be reviewed and possibly redesigned and rewritten from scratch. It'll be difficult, but if we succeed, you'll have a new product generation that is far ahead of your competitors. We, the team, will help you get through this, starting with adapting our software platform to you hardware platform, and helping you rethink the application layer."
Back at the Team HQ, we have another meeting. Everyone's present. "Welcome, everyone. It's time to discuss SmartHome as a client again, and make a decision. Robin, you had objections last time. What do you think now?"
Robin smiles. "Oh, I'm still giggling at how Nina completely owned them. They totally soiled their clothing."
Nina is also smiling, but staying quiet. I nod at them both. "Yeah, that went well. Nina, do you want to tell about that?"
"Nothing much to tell. We went in, and broke through their bad security, took control of their gadgets, and humiliated them."
"Hah. Nina, you're a bit laconic as a storyteller, aren't you?"
Robin was almost laughing out loud. "She doesn't tell it at all. They were scared of her, she could've had them stand on their heads. Of course, if we work with them, that may turn out to be a problem. I'm sure they hate our guts now."
I shrug. "We had to get their attention and then have them focus on actually understanding how bad they are. We managed that, at least. Anyway, Robin, how do you feel working with them?"
"They're still brogrammers, and I don't think that will ever change. However, after today, they know we can humiliate them at will, and I'm willing to assume they're behave out of self-protection, if nothing else."
"We can't pull stunts like this again. Their fragile male egos won't be able to take it, I fear. We'll need to work constructively with them. And we need to deliver on our promises. But that's OK. We're The Team. We're the bitches who keep promises."
Robin nods, and looks around the table. "How about the rest of you? Yea or nay?"
Bertram, the junior developer, isn't sure. "Looks to me like there's mostly work here for porting our platform to their hardware. I'm mostly useful at the application level. Is there a role in this project for me?"
Robin takes over. "That's an excellent point, Bert. Here's how I think we divide this up. Nina sets up and maintains a lab with their hardware so we have something to work with. Andrew does most of the porting, with help from Bert and possibly others. It'll be a good learning experience for Bert. I and Nina help them redesign their applications to run on our platform, and review everything so it's secure and sensible. Anna, you keep track of everything and make sure we have what we need to work smoothly, as usual. OK?"
Bertram still isn't sure. "I've never done any porting work like this. I'm worried it'll be too much for me."
"I understand. However, the difficult bit is getting Linux to run on the devices, and that should already be done. The rest is our own stuff, and that should be straightforward. And if you get stuck, remember that you're not alone."
"Well, if you're sure I won't ruin everything, I guess I'm OK."
I stand up to signal an end to the meeting. "This looks like a rough consensus. I'll tell SmartHome we're going to help them. Nina, I'll ask Sam to provide us with some development hardware. What do we need?"
Nina shows up two hands with fingers spread out. "There's four of us who'll be developing, times two devices each, plus a couple spare. That's ten devices. Don't forget all power supplies, cables, and documentation."
"Will do. Anything else?"
Nina continues. "I'm sure the cases they come with are as crap as usual. We'll want to take out the guts and put them into more sensible cases, and add remote controlled power switches to those, and serial consoles. I want to put the re-cased devices in the kind of mini-rack we usually use for these kinds of things, and make sure we can control all of them remotely, so we don't need to have developers sit next to the rack."
The team nods. One of our secrets is that we spend some effort early in each project to make sure the developers can work as comfortably as possible. Nina's mini-rack is a 10U movable rack, with computer-controlled power units, a serial port concentrator, and programmable network switch that lets us manage piles of embedded hardware much more easily than having them sit on developer desks. There's a couple of wifi access points, also fully controlled remotely. Basically we can program everything so that the devices can be updated, reset, and generally put through their paces, without having to have a human push buttons, connect cables, or otherwise handle hardware. This becomes important when the project reaches a phase where we want to verify that the devices survive being forcefully rebooted by cutting power every few seconds for a week. Nobody wants to do that by hand. It's a thing Nina built for a project a few years ago. She now builds a new one pretty much for every new project. It's not exactly cheap, but it saves a ton of manual work and also let's us avoid a lot of bugs, which saves a ton of debugging work, and thus time. We have a reputation of delivering quality, and this is one of the ways in which we achieve it.
"OK, Nina, if there's anything you to buy, you know what to do."
"Are we working from our office, or theirs? Should I ready the portaserver?"
The portaserver is another of Nina's builds. It's like the mini-rack, but has normal servers, which we use to run continuous integration services, version control, a wiki, an IRC server, and so on. We have one that powers our office infrastructure, and because it's portable, when a project requires us to work somewhere else, we can bring it with us. This again saves us a ton of trouble. Instead of convincing customer IT to give us access to their servers, for example, we just bring our portaserver, connect it to power, and we're ready to hack.
"Sam indicated we should work at the SmartHome office, but I'll check that. For now, assume we will need to go there and prepare the Towel." The Towel being the name of the office portaserver. It's our third. The first one, "Moomin", grew old enough to be replaced with a new generation of hardware. The second one, "Loki", having suffered a minor accident involving a drop from the third floor, a tank out practising urban warfare, and a squad of very frightened conscripts. The third generation is rather more shockproof and has "don't panic" written on each side in large, friendly letters.