JASON SWAIN  Actually, you are right about the link. I had forgotten all about it. There is nothing sinister about it though. Until recently SecretBook was promoted and downloaded from www.i-graph.com, hence the domain name on the link. The link used to point to a page explaining that a stolen serial number had been detected and that SecretBook would not function with that serial number. Now the entire site redirects to bookshelfapps.com. As you point out SecretBook does this in full view of the user, they can see the URL in the address bar of their browser. The www.i-graph.com web site used to even have an article explaining this. I need to update the new site to include that information.

I have not checked the logs for this for a long time, but I've just had a look now and there are a few hits of this page every month. I just used the short username to identify duplicates so that I could get a rough idea of how much piracy was going on.

The page is only loaded when a user has gone to a warez site and downloaded a stolen serial number after all. I don't spend a lot of time working on the licensing code in SecretBook as I would rather work on features that help out the paying customers. It is not that hard to circumvent the license or even find a cracked version on the internet, but I try not to concern myself with that.  
(Version 4.0.2)

JASON SWAIN  Some people are never happy. Some comment that there are not enough updates, some complain that there are too many. The recent updates have been due to bugs with the iPhone sync and with the AutoOpen feature, nothing to do with security. The version 4 upgrade was a major update changing almost all parts of the code so there were inevitably some minor issues. There have been no issues at all with data loss or any of the security code.

SecretBook is very secure, and the iPhone sync especially so. This adds to the complexity of the application. The bug that was fixed in the iPhone sync was in the remote authentication code, using a protocol called SRP. The way this works is that the two sides of the sync both exchange a series of numbers that prove that both sides know the password, without sending it over the network at all. This also establishes a shared secret key that is used for encrypting the subsequent message flow. I don't know of any other applications that go to this length to protect the sync information, most applications don't even document the protocols they use for network authentication. The bug caused a crash before the session was established, so there was no vulnerability involved.

The second point (fixed set of fields) is just plain wrong. You can have as many fields as you want on any Group or Secret. You can define a default set for each group or you can add you own one at a time. Most other apps don't have this flexibility. All the fields that you define sync with your iPhone too.

And the PS, what a load of rubbish. Many SecretBook users use Little Snitch or other tools to ensure this kind of thing doesn't go on. Unlike some other applications SecretBook doesn't integrate with Safari. This allows you to use the Unix process separation to ensure that your passwords are only in one place. I'd like to know where you got this information from? Or was it just made up?

I do agree though that you shouldn't use stolen serial numbers :-).

  
(Version 4.0.2)

JASON SWAIN  I think the reason why you have two files is that one is an automatically created backup, it's created when you upgrade from the old file format to the new format.

Maybe it's paranoid, but I don't want anyone to ever lose a password file, and thankfully nobody has yet (at least nobody has told me they have).

You can quite safely delete this backup file, but also if you only have one file, check the "Automatically open this file" check box, then next time you open SecretBook it will go directly to your file. You can turn the option off in the settings panel (first icon on the toolbar).

As for too many updates, I was getting a bit worried that I wasn't updating it enough. I think you may be disappointed again soon :-). Actually, I think I know what you mean, you'd rather have larger updates but less frequently?   
(Version 3.0)

JASON SWAIN  From The Developer - SecretBook is much more flexible than Keychain Access, you can store as many fields as you want against each item. The interface is also easier to search and view items.

You can use SecretBook for storing credit card numbers and bank details, something that Keychain access is not designed for.

Some people (myself included) like having passwords in an application that is not automatically accessed by a web browser, it's more secure that way.   
(Version 3.0)