How often do people get it wrong? It doesn't seem particularly difficult to generate 521 random bits.

This is the first time it's ever actually happened. I'm just painfully aware of missing developer ergonomics and ways to shoot oneself in the foot.

It was found a bunch a decade or so ago. PuTTY is just a more obscure codebase.

Sorry, I should've been clearer: all the times I've checked for this specific bug, I did not find it in the code I was looking at. All the times I looked for it was the series of events I was reflecting on.

That's what I meant by "the first time it's happened". I shouldn't write comments before my first cup of coffee.