Trust But Verify, A Consulting Love Story

About 12 years ago, I was a member of the Professional Services Group for a C++ tools company.  They created a great framework for C++ classes, particularly dates and strings, that really didn’t exist in a standard format at the time.  They dominated the market because their tools were second-to-none.

One of my many gigs at the company took me to Dallas, Texas, home of great bar-b-que and technology companies.  My observation upon arrival is that the density of the two is approximately 1:1, or at least it was at the time.  Coincidentally, another colleague of mine from the same company was also on assignment during the same two-week period at a company just down the road, a major telecommunications company (let’s call them “Lint Communications”).  Not coincidentally, I think lint was all that existed between some of the managers ears at that company.

My friend was tasked with porting the C++ toolkit over to OS/390 for Lint Communications.  This sort of work was typical for our group–anyone who wanted support for our libraries that was outside the supported platform list usually hired Professional Services to come on-site and create a custom build for them.  After you did a few of those, it was mind-numbing work usually consisting of chasing down obscure compiler parameters and libraries in paper manuals at a time when Google and the Internet were not really up to the task of storing that information.

Oh, did I mention that our company charged about $500,000 for a single OS/390 license?  Yeah, so there was serious cash on the line.  That might be important later.

This gig started out innocently enough.  We had dinner about midway through the week, during which we traded war stories:

Me: How did it go today?

Friend: Uh, it was kind of weird.  They are telling me to finish the port, but they are talking to the sales guy like they’re not all that interested in it.  Something about it not working right.

Me: Did you run the standard test suite?  Did it pass?

Friend: Yeah, flying colors.  No problems.

Me: Did you offer training or help?

Friend: Yeah, they tell me they don’t have time right now.  One other thing though…

Me: What?

Friend: Every hour, on the hour, the file system slows to a crawl.  Kind of seems like they’re taking backups of it or something.

I should tell you that my friend was a junior engineer working in our group and this was one of his first gigs.  He seemed to think this felt wrong, but he just wasn’t sure.  At this point, my alarm bells were ringing.  Here we had a customer that was paying good money to have an engineer on site, but telling the sales rep that the product wasn’t working and they didn’t want help to fix it.  And taking snapshots of his work.

Our conversation continued:

Friend: What should I do?

Me: Finish the port like they asked.  However, just in case, put in a time-bomb.  Something not easy to find on quick inspection inside of our headers that will kill the library after a certain date.

He completed his work and put in the Trojan horse in the string library, something like:

#if !defined(SOME_OBSCURE_COMPILER_OPTION_THEY_WOULDNT_GUESS) {
      if (today > some_magic_date) { exit(DONT_STEAL_ME_BRO); }
}

After we returned from our jobs, we learned from the sales rep that they decided not to purchase the software license and they deleted the software from their mainframe.  We considered the matter dropped and went about our other projects.

About 45 days later, our customer support department got a call from Lint Communications.  They complained that our toolkit was crashing their application every time they launched it, based on stack dumps.  A quick search of their customer information confirmed they had no purchased licenses.

Sure enough, they had continued to use the OS/390 port without paying for it.

Our sales group negotiated a nice settlement with them to the tune of almost $3 million for a license deal after agreeing not to sue them for piracy.  After that, my friend turned over the compiler option to Lint Communications that was required to shut it off.

I learned a critically important lesson in consulting that day:  Take the customer’s word, but make sure they are telling the truth.

Trust, but verify.

2 Replies to “Trust But Verify, A Consulting Love Story”

Comments are closed.