It refers to a blogpost from 2009 on the Matasano blog. I found a copy of it here (my apologies to tptacek I can't find it at matasano.com). http://www.cs.berkeley.edu/~daw/teaching/cs261-f12/misc/if.h...

The gist of it is that just having "256bit AES" tells nothing if it is properly implemented with a robust block mode, proper key generation and if it is signed.