FWIW, the operative theory here is that "Extended Random" was designed to work in concert with the DUAL_EC DBRG/RNG, which almost certainly allows "Clyde Frog" to predict all future output on the basis of very few samples.
"Using that private key, they can observe CSPRNG output on the wire, “decrypt it”, and use that to rewind and fast-forward other people’s CSPRNGs, discovering their keys."
"Using that private key, they can observe CSPRNG output on the wire, “decrypt it”, and use that to rewind and fast-forward other people’s CSPRNGs, discovering their keys."