In article <199509201855.LAA17261@netcom16.netcom.com> you write:

none of the articles mention that the cracker must have login access to the computer that the random numbers are generated on. is this true? does the code require knowledge of the PID etc. that can only be obtained by a login to the system that the netscape session is running on?

No, the time, pid, and ppid often leak to a remote adversary too. The attack probably requires a bit more sophistication when the cracker doesn't have login access, but I believe it's still possible. See my recent post to sci.crypt for some comments from Ian & I about this.