@chris: Well, gee whiz. That was a bunch of "downer don't do nuthin's."
What if you had a gun to your head and you had to solve the problem?!
How about a byte-by-byte XOR function using a random seed to generate a predictable pseudo-random key? As long as the seed was passed to the user in a non-digital manner, it wouldn't matter if the bootstrap was compromised. Better yet, base the key on the specific machine's motherboard ID so it could only run on that computer. The TKN could use DATA commands to embed pre-encrypted code, which would be decrypted to ramdisk. Or you could use recursive compression instead of encryption and then pass the foundation code and iteration count non-digitally.
:@)
"What if you had a gun to your head and you had to solve the problem?!"
Then I'd die, because it's an unsolvable problem. It boils down to the fact that, at some point, it NEEDS to be decrypted on the client's computer, or it wouldn't work. If it's decrypted on the client's computer, the decrypted code can be grabbed and leaked. It might be poor form of me, but I tend to look down on spending too much development time on the DRM instead of the product, simply because at some point, it's going to be broken.
I didn't mean to sound so negative, but I do have a poor opinion of most forms of DRM, because in my experience, all they wind up doing is being a hassle to your paying customers. The first thing the pirates do is strip all of that out. You can make it hard for them to do so; but in general, the harder you make it for pirates to break, the more paying customers you wind up inconveniencing, sometimes to the point of not being able to use your product at all. That's not fair to the people who are actually giving you money.
You should not punish your paying customers for the actions of pirates.
"As long as the seed was passed to the user in a non-digital manner"
Ok, the problem then becomes "how does the program get the seed". Is it something they have to type in the first time they use the program? That's not too bad, but if you say "non-digital manner", I imagine it can't be saved as a file on the computer. If it's something like, I have to type in a registration code every time I use the program, I'll be honest: I'll either find another product to use, or buy your product, but immediately look for a crack to take that out. If I'm doing this as an IT administrator in a company, and my users are going to be using your product, I'd contact you to see if there's some way I can obtain a legitimate copy that doesn't have that restriction so that my users aren't confused and slowed down, and if that's not possible, I'd look for another product. If your product is absolutely needed for some reason, I'd look for ways to bypass that restriction. (I'd still buy all the legitimate copies of the software that I would need to; but I'm not inconveniencing my users.)
If it's some sort of hardware dongle, I'm fine with that, as long as you provide good and fast customer service that will let me replace it if something goes wrong with it.
Even locking it to specific hardware would be fine, although I'd hope you'd provide volume tools for doing so. If I'm a company that has even 100 users that need your software, I'm not gonna be very happy manually installing 100 different copies of it. Also, same deal as above when it comes to replacements: good and fast customer service, that will minimize my downtime. If a DRM issue with your legitimate product causes my company to lose a lot of money, I'm going to reconsider using your products in the future.
It comes up most often with games, which I am very familiar with, but there are literally hundreds of instances where intrusive DRM has ruined the ability to play the game, or play the game well, for multiple paying customers.
Denuvo is one that often gets a ton of criticism, because of how heavily it impacts the running system. There are many documented instances of games performing twice as well, or better, when Denuvo is removed, either through "illegitimate" means or by the publisher themselves willingly, even on identical hardware, or the same exact machine. That's flat-out inexcusable to me. You should not punish legitimate customers to spite pirates who won't feel the punishment, anyway.
SecuROM got tons of criticism due to the fact that you could "activate" a copy, but not "deactivate" one, it was tied to hardware, and it had an activation limit. If you rebuilt your computer too many times (or just changed some hardware, which gamers are VERY prone to do), you'd be locked out of software you PAID FOR with no recourse. Also, there were some CD drives it just flat-out would refuse to work on. The software you just paid for makes you go and buy other hardware just to appease the DRM, not because it needs it to run. It also has OS-level incompatibilities with Windows Vista and Windows 10, which meant users that got moved to those OS's can't run SecuROM-protected software. Too bad, use Windows 7. Yes, Microsoft's not supporting it anymore. Either use Windows 7 and be able to play the game you paid for, or upgrade for security reasons, and lose access to the game you paid for.
Heck, this applies to music, as well! There was the Sony BMG rootkit, and it's called a rootkit because it was actively exploitable and exploited by malware, remotely, without needing to touch anything. If you wanted to play a Sony audio CD on your computer, you had to open it up to viruses even your antivirus software wouldn't be able to remove. Actually, that one was even worse as it turned out they were gigantic hypocrites: they violated the license terms of free software they used in the creation of the rootkit DRM. In other words, they stole software and used it to prevent you from stealing music.
There are multiple instances of games that had always-online DRM (need to be connected to the internet to run) having the servers that supported the DRM shut down by the publisher, without removing the DRM from the game, OR issuing refunds. Which means users that paid for the software and used it legitimately have no options to legally continue to do so, and have no options to legally receive their money back for the product they can no longer use.
As bad as I'm harping on about this, I'm not saying DRM is a bad thing, or it can't be done in a decent way. The best positive example, in my opinion, is the digital game storefront Steam. All games/software you buy are tied to your Steam account, and you have to be online and logged in to Steam to install and launch the software. Once you've launched it once, you can go offline on Steam, and it will still recognize a proper license. You can use it on any computer you want (but only one at a time), and Steam provides other benefits to the user as well as being a DRM-locked distribution platform. If someone tries to launch the software who isn't signed in to Steam, it will make them sign in, and it will refuse to launch the product if their Steam account does not have a copy of the software licensed to it. It prevents people who haven't bought the product from using it, but it stays out of the way of anyone who has purchased it.
License keys, hardware dongles, hardware locking. They can all be done in consumer-friendly ways, and I'd argue it's your duty to your paying customers to provide such a method.
I said it before in another topic, but if the DRM on your software/product causes pirates to have a better end-user experience than your own paying customers, you have failed in your product design. I have no problems in general with you trying to protect your profit margin (everyone's gotta get paid for their work, after all), but I do start having problems with it if you start (as I said above) punishing customers to spite pirates. Especially when the first thing the pirates'll do is take out the problematic stuff, anyway.
Focus your efforts on making as good of a product as you can, and make it as easy as possible for your customers to purchase and use your product. Worry about piracy later.
I've purchased multiple copies of LB and Run BASIC over the years. I've never had a problem with it or the way it does its licenses, and I'm very happy with it.
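Added example, not written by either poster and not Liberty BASIC code: a Python sketch of the seeded byte-by-byte XOR scheme proposed in the first post, with the key also bound to a motherboard ID, showing the reply's point that a successful run leaves the complete original code on the client. The seed, board IDs, sample program and all function names are constructed for illustration.

```python
import hashlib
import random

def keystream(seed: str, machine_id: str, length: int) -> bytes:
    """Predictable pseudo-random key bytes derived from seed + machine ID."""
    # Hash both inputs into one integer so the generator state depends on each.
    material = hashlib.sha256(f"{seed}|{machine_id}".encode()).digest()
    # random.Random is NOT a cryptographic generator; it is used here only
    # because the post asks for a predictable PRNG driven by a seed.
    rng = random.Random(int.from_bytes(material, "big"))
    return bytes(rng.getrandbits(8) for _ in range(length))

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-by-byte XOR; the same call both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, key))

def protect(code: bytes, seed: str, machine_id: str) -> bytes:
    """Vendor side: produce the blob that would be embedded in the program."""
    return xor_bytes(code, keystream(seed, machine_id, len(code)))

def unprotect(blob: bytes, seed: str, machine_id: str) -> bytes:
    """Client side: rebuild the key locally and decrypt into memory."""
    return xor_bytes(blob, keystream(seed, machine_id, len(blob)))

# Constructed sample values (assumptions, not from the thread).
SEED = "4821-7730"                  # handed to the user on paper
LICENSED_BOARD = "MB-SERIAL-0001"   # motherboard ID the copy was built for
OTHER_BOARD = "MB-SERIAL-0002"      # any other machine
PROGRAM = b'print "hello from the protected program"\n'

def demo():
    blob = protect(PROGRAM, SEED, LICENSED_BOARD)
    on_licensed = unprotect(blob, SEED, LICENSED_BOARD)
    on_other = unprotect(blob, SEED, OTHER_BOARD)
    return blob, on_licensed, on_other

if __name__ == "__main__":
    blob, on_licensed, on_other = demo()
    print("stored blob differs from program:", blob != PROGRAM)
    print("other machine recovers program:  ", on_other == PROGRAM)
    # The licensed machine now holds every byte of the original code in
    # memory, which is the point at which the protection stops applying.
    print("licensed machine holds original: ", on_licensed == PROGRAM)
```
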