Ted Unangst wrote a good article called "analysis of openssl freelist reuse".
This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.
it's a very good read.
Try SpiderOak. Free 2 GB, zero-knowledge, secure. Works on a load of OSs and devices.
I'm a completely satisfied customer.
Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.
OK guys. We've promoted Open Source for decades. We have to own up to our own problems.
This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.
But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
... it's kind of like a Chinese Snopes, except you go to jail rather than being unfriended.
From the proof-of-concept page I mentioned above.
It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.
Here is the GitHub repo for the PoC code.
This PRNG is not the NSA making a crypto system stronger à la DES, it's a backdoor.
There is also a nice proof-of-concept backdoor with a link to the GitHub repo.