[cromwellian]

Consider that SecureRandom is really a facade around multiple providers that can plug in varying implementations. :)

[somethingnew]

How about this one? http://xkcd.com/221/

[Jeremysr]

Heh, not knowing Java very well, I scoured the BigInteger docs for quirks and loopholes, then gave up and found your comment. I guess "java.security.SecureRandom" sounded too impregnably secure to be worth looking into.

[harryh]

If that's really the answer they are looking for then it's a stupid question.

Trying to write a timing attack sounds much more interesting.

[raylu]

SquareRoot.n is static, so it runs before any code in your main().

[cromwellian]

Java Service Providers (SPI) trigger before main() is run. You can create a SecureRandom() provider, add it to the classpath with SPI, removing other providers.

[GhotiFish]

ah ha! That might of being too big of a hint, good sir.

[mattvanhorn]

...and that you can remove all the existing ones and insert your own.

[spiralpolitik]

You can't change Providers while running under the SecurityManager he specifies you must use in the rules.

SecurityManager.checkSecurityAccess(java.lang.String) is called if you try and mess with the Providers.

[cromwellian]

You're right, looks like a Timing Attack might be the only solution that satisfies the spirit of the test.