Proof of concept of the Dual EC DRBG exploit, and some rambling on the topic
I've been pretty fascinated by this exploit in particular and why it's quite a mathematically elegant one. To me it's a very good example of how to combine something as abstract as the properties of elliptic curves with the functional requirements of an organisation (in this case, the NSA).
The exploit basically makes a generator like this exploitable only by the NSA, while ensuring that it does not compromise the communications happening over the internet.
N.B.: I know that this is not quite how a DRBG should work, spitting out a long sequence like that, but that felt unnecessary for the purpose of a proof of concept.
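To make the "exploitable only by whoever chose the constants" property concrete, here is a minimal sketch added for illustration; it is not the proof of concept this post refers to. It assumes secp256k1 instead of P-256, a constructed trapdoor `d` with `P = d*Q`, a constructed seed, and 8 truncated bits instead of the standard's 16, so the search finishes quickly.

```python
# Added illustration: constants are constructed here, not the NIST P-256 points.
# Curve is secp256k1 (y^2 = x^3 + 7 mod p); p % 4 == 3 gives easy square roots.
p = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DROP = 8                          # high bits cut from each output (the standard cuts 16)
MASK = (1 << (256 - DROP)) - 1

def add(A, B):                    # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B: m = 3 * x1 * x1 * pow(2 * y1, -1, p)
    else: m = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, A):                    # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

Q = G
d = 0x1234567890ABCDEF            # constructed trapdoor; only the constant-picker knows it
P = mul(d, Q)                     # P and Q are public, the relation P = d*Q is not

def dual_ec(state, count):        # simplified generator: no reseeding, no extra input
    out = []
    for _ in range(count):
        state = mul(state, P)[0]              # next state = x(state * P)
        out.append(mul(state, Q)[0] & MASK)   # output = truncated x(state * Q)
    return out

def recover_state(r0, r1):        # needs d: guess the cut bits of r0, confirm with r1
    for hi in range(1 << DROP):
        x = (hi << (256 - DROP)) | r0
        y2 = (x**3 + 7) % p
        y = pow(y2, (p + 1) // 4, p)
        if x >= p or y * y % p != y2: continue    # candidate x is not on the curve
        s = mul(d, (x, y))[0]                     # d*(s*Q) = s*P, whose x is the next state
        if (mul(s, Q)[0] & MASK) == r1: return s
    return None

if __name__ == "__main__":
    outs = dual_ec(0xC0FFEE, 5)               # constructed seed
    s = recover_state(outs[0], outs[1])
    print(dual_ec(s, 3) == outs[2:])          # later outputs follow from two observed ones
```

Without `d`, recovering the state from an output means solving a discrete logarithm, which is why the provenance of `P` and `Q` is the thing to audit in any deployment of this construction.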