[aftbit]

I never understood the Dual-EC backdoor. What was the point? Who would be dumb enough to use that as their CSPRNG when so many simpler, faster, and less sus options were available?

I supposed they did (allegedly) pay RSA Security to make this the default choice in BSAFE but that seems like an awful lot of work to hack one product.

[tptacek]

That was my take too, but in fairness to everyone else who was right about this, once you stepped back and looked at the design for what it was, rather than as a weird concoction that happened to spit out random numbers, it was extremely obvious what the purpose of the design was. Another thing happening with me and Dual EC: I just know a lot more about cryptography today than I did 13 years ago. (I'm not a cryptographer; I'm a vulnerability person that happens to specialize a bit in cryptography vulnerabilities. It's a great rhetorical hedge.)

Another thing I was very certain (and certainly wrong) about was that no competent team was using BSAFE in 2010. The more I've learned about cryptography the less confidence I've held onto in industry cryptography practices outside of Google, Apple, and Microsoft. I would have assumed the major networking vendors were playing at roughly the same level. Yikes, no.