So a few years ago I ran across two guys from a consulting company here in town giving a presentation, and this was on their RNG, which is to this date the coolest crypto gear I own. The results are impressive --- you know when you see something like it because it has utility but takes function to an artistic level. Given that I haved tried to take my security procedures to their logical extreme (termed by some "beyond paranoia"), it neatly dovetailed into my interests. The subtle pitfalls they detected are really what impressed me, and be sure that these are not all. Terry Ritter says something like "you can't tell if your entropy is tainted in a way that you aren't testing for, and there's an infinite number of ways to test it --- much like cryptanalysis". This is definitely not a game for wild risk-takers, but neither is cryptography.
Financials: They started with a circuit design (that's their business), eventually spending some $30k of "unbillable time" (consulting terminology for your hobby) on perfecting it. The market is small, as I mentioned, and really cost-sensitive. So a high-cost limited run makes very little fiduciary sense, and someone would only undertake this kind of a project for the reason of doing it better than anyone else. I guess that's the artist in me that appreciates this aspect.
Physics: it uses amplified PN junction noise run through two inverters (I think that makes it a single-bit D/A, right?). I think it combines shot, flicker and avalanche noise by doing that. I have not done the research, but I think some of these may be relatively impure, if we define a QM 50/50 chance as pure. It is important not to use a "noisy" diode since the noise is predictable --- another subtle gotcha! One physicist mentioned that it will be temperature-sensitive and that I should put it in an oven as cheap thermal insulation; I don't think I'll bother. I guess turning on the oven would increase the possible data rate...
Shielding: It's obvious that you don't want your random numbers being emitted to a oponent sitting in an unmarked van outside your building, however unlikely that might be. Some manufacturers have even done sophisticated EMF testing of radiation on their equipment. What is less obvious is that you don't want signal injection into the circuit, and the analog portions are obviously quite susceptible to this. For example, a four-inch circuit trace is an excellent receiver for a 2.9GHz signal. A story I once heard involved replacing a large capacitor in a piece of cryptologic equipment with a more advanced capacitor that took up half the volume but had the same characteristics. In the other half of the original housing they deposited a tiny FM transmitter. As some of my friends would say, "fear" (it's a term they use with some respect, usually accompanied by a big grin and approving nods). Therefore, the polished steel casing with tiny holes no larger than a screw or an LED (aside from the RS-232 connector) should inspire confidence, and provide a lethal weapon should the need for fisticuffs arise with a lurking spy. It has rubber feet, too, so you don't scratch things all up. :-)
We Got the Power: Two 9v batteries provide the power for the analog portion of the circuit, presumably providing some noise-resistance due to high voltage. Four AA batteries supply the digital portion, and two huge D cells supply the serial line drivers. The digital portion has an embedded microcontroller and they supply ASM source so you can reprogram the EPROM if you don't trust them. The microcontroller has some power-saving logic that shuts off unnecessary portions of the circuits when not in use. Why 3 different kinds of batteries? Two words; signal isolation. During testing they verified this concern because they had attached a lantern battery outside the case to supply some of the power, and upon analysis of the (digital) stream the found non-randomness. By doing analysis (probably DCT and/or some kind of spectral power analysis) they located the source of the signal as an AM radio station! Apparently they apparatus outside the case acted as an antenna - could be a junction acting like a "whisker" diode, or the wire alone.
Product: 4800 bps of random numbers, codified as ASCII hex digits at 9600 bps. It produces them 64kB at a time, after each toggle of any serial line. I found out why hex digits when I wrote a program that read the serial port and got garbage (high bits set) --- duh! Another subtlety - telling when you're reading it correctly! I thanked them for thinking of that before I did.
Trial by Fire: We threw everything we had at it, and nothing cracked. I personally ran a suite of tests, including the obvious chi-square test, but calculated after "binning" with many possible binning techniques - I used 256 bins; 2 bins gives a worthless "DC bias" test that 101010... would pass) and a monte carlo approximation of pi, which converges rather slowly (as you might imagine), but did indeed converge. I don't recall using K-S on it. Terry Ritter looked at it, and made no progress (had some interesting ideas, though). There was talk of running it for a week to make a whole CD for running tests or to send to interested parties for analysis, but not sure if either happened.
Software: There's a program written in C, which sets up the serial line and dumps the data to /dev/random using NetBSD-style ioctls to adjust the entropy estimations.
Overall: Few people seemed interested in RNGs, certainly not enough to shell out enough to cover the materials, batteries, plus a few bucks. One security professional and an expert on smart-card systems said of it, "that's the most over-engineered random number generator I've ever seen". Damn right, it better be... In any case, the progenitors sent out a few feelers, received a lukewarm reaction, and I think have given up on producing any more. He hinted that the circuit design might be available by (regular) mail.