30 June 2014

Judo In Security Engineering (first story)

One day at {dayjob}, I decided it was time to tell the VP of Engineering about my concerns regarding the product's security.  Specifically, I was concerned about the security of a part of the product that I was helping to design+implement.

We were starting to get some enterprise and government interest in the product, and I wanted to have a sensible security scheme in place before we suffered any embarrassment.  We still hadn't released the product out into the wild yet; the time was right to implement the security measures I had in mind.

So, I had a conversation with the VP of Engineering, gave him an overview of my plans, and got him to agree to my plans.  He allocated space in the schedule for me to work on this project, and he even allocated two of my co-workers' time in order to complete the project.

So far, so good....

The simple fact of the matter, however, was that we were working at a fairly crazy pace at {dayjob}, working towards the FCS of this product.  Although the VP had given me some time in the schedule, he didn't give me much....something on the order of maybe 4-6 days, total.  I had to be very strategic.

The security scheme that I had in mind involved some well-known cryptographic tools.  I was not looking to invent anything new here.

So, I sat down with my two co-workers to go over the plan.  This is where things got....interesting.  One of my co-workers {PracticalGuy} was a little more junior than I was, but very smart and very capable.  The other co-worker {MathGuy} was one of the most senior engineers in the company -- far more senior than I was.  As you might be able to tell, {MathGuy} was very mathematical in nature.  Honestly, he seemed to be really good at mathematical analysis, and frequently his analysis was a bit over my head.  {MathGuy} was also very capable.

Anyways, I described the problem to my co-workers, and the plan that I had come up with to address the problem.  Part of my plans involved using some of the crypto tools from {OpenSSL / libcrypto} in our product.  {PracticalGuy} came up to speed on what needed to be done right away.  The interesting part of what happened next had to do with {MathGuy}.  As soon as I said "OpenSSL library" {MathGuy} strongly objected.  I didn't know a huge amount about OpenSSL at the time, but I knew enough to understand that this library could be a bit tough to work with.  However, this really had nothing to do with {MathGuy}'s objections.  He stated "OpenSSL is a big complicated library, and I don't know how every single line of code in this library works.  I'd prefer to write my own crypto code."

Wow.  I did not see this coming.

I tried to reason with {MathGuy}.  Obviously, the first two things I pointed out to {MathGuy} were (1) the schedule and (2) the number of man-years involved in the design+implementation of {OpenSSL / libcrypto}.

"I don't care!" stated {MathGuy}.  We argued for a few minutes....it was a fairly crazy argument that went sort-of like this:

MathGuy:  I don't think that it would be very hard to write my own libcrypto.

Me:  do you understand how many man-years have gone into this library?

MathGuy:  I always wanted to write my own Diffie-Hellman.

Me:  we don't need Diffie-Hellman for this project.

MathGuy:  I think it would be better if we used it.

And then {MathGuy} ushered me away, telling me that he was going to get started on the project.  I left this conversation with little confidence that {MathGuy} would contribute to this project in any meaningful way.

A few weeks later, {PracticalGuy} and I started on the project in earnest.  {PracticalGuy} brought a lot of capabilities to this project that I didn't have, and I was truly grateful to have him working with me on this project.

I did try on one occasion to get {MathGuy} back on-track and into a mode where he could actually help us on this project.  I stopped by his cube and tried to get him excited about one aspect of the project that needed attention.  "I've got no time to help you with that problem!" said {MathGuy}, "I'm in the middle of designing my own BigNum library, and I am swamped with issues right now!".

As soon as I heard the phrase "my own BigNum library" I knew I was in a pickle.  I couldn't exactly storm into the VP of Engineering's office and tell him about this crazy situation....after all, {MathGuy} was much more senior than I was, and seemed to have much more political weight as well.  I couldn't get {MathGuy} to work on anything practical either.

So, I did what I could do.  I made sure that {MathGuy} was working on his own isolated branch in source-control.  I also continued to work with {PracticalGuy} on the security project, and we were able to complete the project with great success.  And...when the VP of Engineering asked me how the project was going and sort-of forced me to account for what {MathGuy} was working on, I told him "well, {MathGuy} has his own ideas about this security project, and he is working on those ideas, but I'm skeptical that those ideas are going to pan out.....I think that he might be looking for something else to work on....could you maybe find some other work for him to work on?".

I never really checked on what was going on out in {MathGuy}'s isolated branch in source-control.  I sort-of assumed that the whole thing fizzled out.  This was simply the best I could do, given the situation....