It's my understanding that their implementation wasn't questionable. Perhaps a touch more obscure than one might expect, but not vulnerable or weak -- though a 2-4 fold decrease in time required to crack it isn't really broken or anything, but you get my gist.

I believe they're ultimately hashing twice; the first time yields 122 bits. I think they then after several other steps are performed repeat the hash and use the result to pad those 122 bits, discarding any unnecessary remainder. Apparently it's this specific method of going about constructing the AES-256 image that the issue arises from: apparently it's done in such a way that it's only necessary to crack that first hash.

Repeating adds no uncertainty at all: it's deterministic without salting. End up matching the output of the first hash through trial and error, and you can be positive that it'll match the output of the second hash as well -- which makes the second pass completely useless, just ignore those bits entirely. So basically, their AES-256 is as hard to crack as AES-128 is supposed to be, in a nutshell.

I didn't read the whole article... meant to come back to it. Still haven't yet. But that's my understanding of it; it wasn't a radically non-standard implementation or anything though. There's often a great deal of leeway when implementing something like this, especially since the design of every program tends to be ever so slightly different here or there. You don't really end up with identical code even when implementing identical, standard algorithms. Besides... what's the fun in that?

You go crazy doing shit like mechanically copying algorithms from references. It has its place, sure, but it sucks all the fun out of it. The coding is the good stuff. Copying things out of a book is mind numbingly boring.

The point is though that these guys know what they're doing, they've had experience with such things and aren't the sort to blunder foolishly.

But their code is vulnerable to this, and no one seems to be sure yet whether it can be extended to all implementations or only theirs. Like I said... I didn't even finish the article, so I can't say either.
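
An added illustration, not part of the comment above and not the vendor's code: a toy model of the construction the comment describes, showing that a 256-bit key built by deterministically expanding a shorter first-stage hash can take only as many values as that first stage. SHA-256, the 16-bit first stage (standing in for the 122 bits mentioned), the `b"pad"` label and all function names are assumptions made for this sketch.

```python
import hashlib

# Assumption: 16 bits stands in for the 122-bit first stage so the loops finish quickly.
STAGE1_BITS = 16
STAGE1_BYTES = STAGE1_BITS // 8


def stage1(password: bytes) -> int:
    """First hash, truncated to STAGE1_BITS (hypothetical model of the first pass)."""
    digest = hashlib.sha256(password).digest()
    return int.from_bytes(digest, "big") >> (256 - STAGE1_BITS)


def expand(s1: int) -> bytes:
    """Second pass: hash the stage-1 value, pad to 256 bits, discard the remainder.

    The padding is a pure function of s1, so it contributes no extra entropy.
    """
    s1_bytes = s1.to_bytes(STAGE1_BYTES, "big")
    pad = hashlib.sha256(b"pad" + s1_bytes).digest()
    return (s1_bytes + pad)[:32]


def derive_key(password: bytes) -> bytes:
    """Full 256-bit key as this toy model builds it."""
    return expand(stage1(password))


def reachable_keys() -> int:
    """Count the distinct 256-bit keys the construction can ever output."""
    return len({expand(s) for s in range(2 ** STAGE1_BITS)})


def search_stage1(is_correct):
    """Walk the stage-1 space only; is_correct(key) models a known-plaintext check.

    Returns (key, candidates_tried). The padding bits are never guessed.
    """
    for tried, s1 in enumerate(range(2 ** STAGE1_BITS), start=1):
        key = expand(s1)
        if is_correct(key):
            return key, tried
    raise ValueError("no stage-1 value matched")


if __name__ == "__main__":
    target = derive_key(b"constructed sample passphrase")
    key, tried = search_stage1(lambda k: k == target)
    print(f"key length: {len(key) * 8} bits")
    print(f"reachable keys: {reachable_keys()} (2^{STAGE1_BITS}), not 2^256")
    print(f"matched after {tried} stage-1 candidates")
```

The effective strength of the key is bounded by the entropy of the value fed into the expansion step, whatever the length of the key that comes out.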