[Help Needed] Cyberpunk Program Cost Question

[Requis]

Hello everyone!

I have a question that I could literally not find anywhere else, even on non-gaming websites. (Curse your sudden but inevitable betrayal, Google!)

So, I'm in a game with another player who is a "hacker". This game is taking place in 2007 and so far he has pretty much been unstoppable (he has an absurd IQ and effective level in his computer skills). He's using the fact that he has a modicum of tech knowledge more than the rest of us to justify doing ridiculous things (writing a "back door" program in 45 minutes, putting on a flashdrive, plugging it into a computer and accessing it remotely from a laptop). I've been talking with the GM about mitigating his abilities, and we eventually came up with using the programs from Cyberpunk (the one from Pyramid magazine, as we do not have the actual book). So, we implement this system, he says he wants to write his own programs, the GM gives him the time-table and monetary cost, and now he is arguing that he shouldn't have to pay money because he is writing his own programs. The GM doesn't want to "god hand" it and say "You have to because I say so", but neither he nor I know enough about writing software to justify the monetary cost of writing these programs.

TL;DR
I need help justifying cost of writing programs to an overpowered hacker.

Help! And thanks in advance.

[Anders]

Well, he doesn't have to pay for the programs, I agree with him on that. But when it comes to how long it takes to write the program... use the New Inventions rules from Basic p. B473-474. If he wants to invent things on the fly, he should have to buy Quick Gadgeteer (Programs only, -xx%).

[ArchonShiva]

Il he writes everything from scratch, plus adequate testing (it's great to imagine how vulnerable the target is, but you'll need a stand-in to practice on), it's dozens to hundreds of hours to get anything remotely complex going.

If he uses open code, he risks having stuff for which countermeasures already exist.

If he buys code snippets from Dark0de, then it's money again.

Hackers do not, in fact, control the entire planet with 45 minutes of coding.

[Langy]

If you don't want cinematic hacking, simply don't allow it - it's unrealistic in the first place. And writing good software can take multiple man-years; it's not something you can do 'on the fly'. A relatively simple program, or a simple module in a more complex program, can be written and tested in dozens of hours. A complex program can take orders of magnitude more than that, depending on exactly how complex.

[Requis]

Hmmm. So then the best thing seems to be simply increasing the time it takes to do something.

We were simply going off of what it said in the program entry explaining that hackers who write their own programs still have to cover some costs, but reduce the cost by 30% for having written it themselves. As people who know nothing about writing code we simply accepted this. Haha

It's just difficult because he raised his IQ so high that he was able to jack up all of his computer skills to an absurd level relatively easy, and no one in the group knows enough about coding software to adequately refute what he's saying.
The New Inventions section should help immensely. Especially the part about the "Concept Roll". He can't just whip this stuff up on the fly, he needs to think about it, write it up, and test it. Knowing him he'll probably find some loophole, but this should keep him from bringing the whole world to heel for a while. Haha

[Terwin]

Also, be aware that if he wants to use the same program to hack different computers either the computers need to be *very* similar(like workstations for different employees at the same company where they have almost all the same software installed, including the same firewall and antivirus) *or* the program needs at least one bump in complexity.
Example:
Want to hack the computer of the administrative assistant at company X(where you have already found a discarded hard-drive in the trash or otherwise have been able to discover exactly what software they run so you can find and exploit a known vulnerability) you will need a program of complexity C
Want to hack a laptop found in the same office with the same program? Sure, just roll at -1
Note: if they have a decent IT staff, this program will need to be updated every month or so at probably 25-50% of the time-cost as they update their systems and apply patches that fix the exploits he is using

Want to use a program to do all of the above plus be able to hack any other Windows machine with only light security? Complexity C+1 and if it has not been updated in the past week or using very expensive to find/acquire zero-day bugs(unfound bugs that will probably be found eventually but give a larger window of utility because the makers don't know about it yet), roll to see if the bug you are exploiting to gain access is unpatched(6 or less for very good IT/security, 9 or less for good IT/security, 12 or less for average IT/Security, 15 or less for lazy/poor/underfunded security) add +1 to the roll for every month since the program has been re-designed around a 'new' bug.

Also, any time use of a zero-day bug is detected(ie they discover they were hacked), roll against the security numbers above for it to avoid becoming a 'known' bug

Want to hack any common consumer computer?(linux+windows+mac, desktops and laptops) Complexity C+2(or more) and it may require multiple known bugs/zero-day bugs.

Want to hack any networked computer? (mainframes, desktops, laptops, networked traffic controllers(rare), internet-controllable thermostats(rare but becoming less so), etc? C+3 or C+4, This is now highly cinematic and it might even be easier to create a strong AI(self-aware) to do the hacking for you(would still take months, but at least you can do other things while you wait, like sleep)


Of course most things you want to hack will not be on-line, so you will need to either get onto a network where it is accessible, or more likely, plug into the machine you want to hack directly(harder than you may think as it is not uncommon for secure systems to have unused ports removed and used ports secured, often with locked containers, epoxy, or something similar).

If you want realistic hacking, then you should know that the most common way to break into a system is to get someone's password and just use their access(perhaps by pretending to be an IT person on the phone or some such)

note: I rather expect that using 'known' bugs will not be very viable at it will probably take months to write a tool to use that exploit to break into the system, and by then anywhere of interest would have applied the patch to fix the known bug. This makes purchasing zero-day bugs a very expensive and necessary part of creating exploit code, unless the character wants to spend more months searching for zero-days themselves(months of effort examining, testing, and trying to hack a single piece of code that may or may not have any useful exploits and may or may not even be in use at the target company)

On the plus-side if you are attacking an off-line device, patching is less frequent as it has layers of physical security as well as the computer security.
Of course with physical access to the device in question, why not just use the controls to make it do what you want instead of trying to break through the security systems to gain control?