The only way ViaCrypt can prove that this isn't the case is to distribute the source code of _their_ product. [Note: they do NOT have to include the RSA module source- if it's possible to examine the non-RSA code, and instrument it (to prove that the session key is honestly generated _AND_ transmitted/recovered correctly) then Thug's tests will be adequate to verify a lack of backdoors (as far as I can see- but I'm perhaps not as devious as a professional).
One could apply the same sabotage to the generation of RSA public keys making any keys generated with ViaCrypt easily crackable. Of course you could use PGP to generate keys. And now what is ViaCrypt useful for? It's original purpose: Establishing plausable deniability. "Yes your honor, all these encrypted messages presented by the FBI as Exibit A were generated by ViaCrypt which incidentally we have a site licence for... No sir, We've never used PGP." brad