DUAL_EC_DRBG was a random number generation algorithm that only its mother could love. It's slow, complex, not provably more random than other algos, and comes with magic, unexplained constants, which are the last thing you want to see in an ostensible entropy generator based on asymmetric crypto... and if you want FIPS certification you have to use the given constants. Why did NSA want it in there so badly? Why, after a potential flaw was found and corrected, did NSA personnel "suggest" a change that, in retrospect, only made that putative flaw more reliably exploitable? Cryptologists explain.
On the hardware side, Theodore Ts'o observed that Intel was very eager to have RDRAND be the exclusive source of entropy for the kernel's RNG, as was one goofball at Red Hat who tried to introduce a kernel parameter to do the same thing. He fought them both off, thankfully.
In general, see also ProPublica on the SIGINT Enabling Project.