A sufficiently intelligent hacker can defeat any system that can run
standalone once.
Real copy protection involves punitive terms in the lease contract and a
stipulationt that no one shall have physical access to the system except
while accopmained by your representative.
Fortunately that scenario more or less ended when the mainframe/leased
datacenter stopped being the norm. Unfortunately, we still find people
who seriously desire the benefits of that model, but have no way to
deploy such a thing.
Now in the contemporary scenario, to have your cake and eat it too, you
must compromise. You want to allow people to anonymously obtain and use
your software (have your cake). You also want to limit their use
through some form of cryptographic protection scheme. So you have to
give them a key. Maybe you can go old-school, and give a field agent
some key that will boot the system, but will not be disclosed to the
customer. Or maybe you can do it like Microsoft does and force the
system to call home and get a one-way hash based on hardware parameters
or something like that. Or maybe you can use a dongle like ILok.
If you don't do something like this, then you have to give the customer
the key (eat it too). Sure, you might be able to hide it. Very
intelligent attempts have been made, and failed. The bottom line is,
either you give the customer the unlock key, and take the risk that it
will be discovered, or you keep the key, and take on the expense and
complexity of managing that relationship.
In the old days, when the equipment was leased from Unisys or IBM, and
simply would not be operated without the contractor present, it might
have been possible to control distribution, at least to the extent you
could trust your employees. Likewise, in a military scenario, you can
control distribution, because you can make it a crime for which the last
person who knew or should have known that the disclosure would be made,
can be executed for treason or whatever.
I suppose there are less extreme cases for which you must make a
due-diligence effort to put some kind of controls in place, but I
personally do not prefer illusory security to no security.
An example. I had a lock on the security screen door, the outer front
door to my house, which would sometimes not lock. It looked like it
locked, but sometimes you could turn the inner barrel without a key.
I found this to be inferior security to simply removing the lock.
Opinions vary on this, but I stand by mine.