It would be nice if we could get a response from MagicalTux on all of this.
I'm beginning to think we have heard all we are ever going to hear from him.
To be fair, he posted a thread today at http://forum.bitcoin.org/index.php?topic=18858 - however, so far it looks a lot like deny-everything marketing talk, although I may be wrong.
Plus I don't understand why he doesn't just implement two-factor authentication (through email) instead of a withdrawal password, as the latter can still be circumvented when someone indeed successfully exploits the site to a point where he has database read access.