Sure. Any real attack would be automated. 300 seconds is an eternity,
in computer time. The 2^16 trials for prediction is easily doable in a
fraction of a second.
> > And the seeding is terrible -- two years ago Netscape used
> > timeofday and pid to seed their PRNG, too, and look what happened to them.
>
> Hey, I make no apologies for operating systems that ship without a
> source of strong(ish) random numbers in their libc!
If Netscape had used that excuse, they'd have been crucified.
Let's not get into the blame game. My concern is that the patch, as
provided, won't fix the predictable-query-ID hole on most systems, and
folks need to know this.