It turns out that the RNG in Windows 2000 (and perhaps other versions of Windows) contains a vulnerability that allows an attacker to deduce the internal state of the RNG. So any crypto that draws its randomness from that RNG is vulnerable.
There are other algorithms for producing random numbers, and a set of them is currently under discussion for inclusion in a NIST standard. Curiously enough, the NSA has pushed for the inclusion of one particular algorithm. That algorithm, called Dual_EC_DRBG, is about three times as slow as the others, and it contains some magic numbers that it uses as a seed.
As it so happens, some eggheads did the math and concluded that there is a second, hidden set of magic numbers that complements the published set -- and with that second set, one can perfectly predict the state of the RNG itself. Bruce Schneier has interesting things to say about it.
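To make that result concrete, here is an added toy model of the trapdoor (example code written for this page, not the NIST algorithm and not Schneier's): the small curve, the base point Q, the trapdoor d and the seed are all made up, and the real generator's 16-bit output truncation is left out.

```python
# Added toy model of the Dual_EC_DRBG trapdoor described above (not the NIST spec, not
# Schneier's code). Curve, base point, trapdoor d and seed are all constructed here; the
# real generator uses NIST P-256 and drops 16 bits per output, which only adds a 2^16 search.
P_MOD = 10007               # prime, 3 mod 4, so a modular square root is one exponentiation
A, B = 1, 19                # toy curve y^2 = x^3 + x + 19 over F_p; None is the point at infinity

def add(p1, p2):
    """Affine point addition, handling infinity, doubling and inverse points."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """Recover a point from its x coordinate; either sign of y works for the attack."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))   # valid because x came from a real point

def dual_ec_step(s, P, Q):
    """One Dual_EC_DRBG round: new state s' = x(sP), output x(s'Q)."""
    s = mul(s, P)[0]
    return s, mul(s, Q)[0]

def predict_next_output(output, d, P, Q):
    """Whoever knows d with P = d*Q turns one output into the next state."""
    next_state = mul(d, lift_x(output))[0]   # d*(s'Q) = s'*(dQ) = s'P, whose x is s''
    return mul(next_state, Q)[0]

def demo(d=4321, seed=1234):
    """Return (honest second output, second output predicted from the first)."""
    Q = (3, 7)                 # constructed base point, on the curve
    P = mul(d, Q)              # the published P, Q; the relation P = d*Q stays secret
    s, out1 = dual_ec_step(seed, P, Q)
    s, out2 = dual_ec_step(s, P, Q)
    return out2, predict_next_output(out1, d, P, Q)
```

Without d, recovering the state from outputs is an elliptic-curve discrete-log problem; with d it is one scalar multiplication, which is why unexplained fixed constants in a standard deserve suspicion.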
Would there be a market for a robust hardware RNG? Perhaps something one could plug into a USB port? What kind of API would such a device have to offer to be useful in everyday security applications, such as generating GPG keys?