Author: mrkoot

TSCM Audio Countermeasures: Demo

White noise can be used to protect against audio surveillance. Counter-surveillance white noise generators are available on the free market, including desktop and portable models, and a transducer that ‘injects’ white noise into walls and ceilings. You can also build one yourself in C++ (1, 2), Java (1, 2, 3), etc. Whether buying or building, you probably want to experimentally verify/falsify the actual effectiveness of the white noise against surveillance (i.e., can the observer still filter out what is being said) under various circumstances (voice dynamics, characteristics of observer’s microphone, dish, filtering capabilities) before using it in practice.

Now, on the [TSCM-L] mailing list, Technical Surveillance Counter Measures (TSCM) expert James M. Atkinson shares this interesting alternative to white noise as a measure to protect against audio surveillance:

Good Evening Folks,

Here is a little sample of some of my TSCM Audio Countermeasures projects.

http://www.tscm.com/Babbler1.wav [link is now dead]

It is only 50 minutes long and is 1 GB in length, so it is pretty small.

Put it on your iPad or iPad and plug in some powered speakers and you will destroy the ability of anybody to eavesdrop on you, and you will bring even the most sophisticated eavesdropping system right down to their knees. Then set the track for an endless loop, and either have your confidential meeting or start running your sweep.

You will need to be very close to the person you will be speaking with, then you place this audio on speakers that fill the room with sound, and you can watch the eavesdroppers’ heads explode, and their eavesdropping hardware essentially burst into flames. Even the most sophisticated adaptive filtering hardware and software the FBI and CIA used can not defeat this audio jamming track when you use it right.

This is actually a fairly narrow babble tape, but it will get you started. To mix down a proper tape I also need a 15-30 audio recording of each person who will be at the meeting reading from a newspaper or book non-stop (two hours of this is ideal). Then I will take each person and create four variations of each person’s voice to compensate for normal pitch changes and mix this into a single track for them. Then I normalize the track in amplitude to match all the other tracks that I create for the other people on the tape in the same way. Each track is slowly built one at a time, and to include the voices of every person who will be in the meeting on the babble tape. This is called “Active Speaker Tracks” then I do the same with people who will not be at a meeting called the “Inactive Speakers Tracks” and bring this in.

Then I bring in what is called the “Background track” which is what you hear in this audio file (this is the base of background track). This base track also contains “pips” of coded time bursts that are used to calculate the distance to a bugging device and this is hyper effective. I have also placed sub-sonic and hyper-sonic signals and short periodic peaks that will shut down the automatic gain control circuits in many eavesdropping or bugging devices.

This is strictly a demo of my work, for your enjoyment.

When I create these for clients it requires several days of work as I want a 4 hour file, that loops, and the file will have 64 channels mixed down to single MP3 or .wav file, I also create babble tape for one specific customer at a time, and often they will purchase a half dozen different files for different situations, and that are devastatingly effective.

I give away single base file like this, and if a customer wants one of their own then I charge $2500 per 4 hours, on a 64 track custom babble tape, including the voices of the people they are trying to protect, so get in touch with me if you would like a customer version of this made for you.

This file is dangerous, very dangerous, use it with great caution

Enjoy, and let me know if you need more.

Sounds like a fun idea for experimentation.

UPDATE 2012-06-18: babble-tape.pdf (mirror) was posted on Cryptome. It states: “NOTICE IS HEREBY GIVEN that on the 24 day of February in the year 2012 at 8:30 am, or as soon thereafter that the matter may be heard at Dept. 1B of the aforementioned court. The defendant, Kaushal Niroula, A Propia Persona will move and hereby moves this court for an order of this court compelling Stanley Sniff Sheriff of the County of Riverside and his subordinates and all incarceration facilities operated within his jurisdiction through his designates to allow the use of the ‘Babble file’ on his computer and a USB speaker during his visits either with Court appointed assets or Investigators or attorneys while incarcerated in the Riverside County Jail in Indio or anywhere else.”

UPDATE 2012-01-24: James M. Atkinson states the following: “In a recent laboratory test, this babble mix utterly blew away all other forms of white noise generators and white noise masking systems, and Acoustic Noise Generators, just blew them away, and this is actually a pretty simple one, if I make one that is specific to a person, place, or such it can be way more confounding to the spy. For a fully tweaked out babble file I include the persons’ voices who will be in the meeting that you are trying to protect, and this is lethal to the eavesdropper, because I do all kind of cute things to the audio to foul up pitch, speed, and tempo, and when I mix it down to two tracks the tweaks can not be heard, but you sure can see them on test equipment.
When properly tweaked one of these files will become an “Anti Adaptive Audio Filtering” file, not this one specifically, but one which includes the actual speakers voice, and will destroy and derail even the most determined eavesdropper. If you just need a general purpose babble file the one listed in the link is perfect, if you want one tweaked out properly to your voice or to the meeting, or even to the tone and dimensions of a specific room I can do this as well. This is a dangerous file, all you need to make it work is a cheap MP3 Player, and some powered speakers and for under $75 in electronics you get performance that exceeds what a $4000 Acoustic Noise Generator is capable of. The U.S. Government taught me well.”

 

Post-Breach STRATFOR Mailings: Fake vs Real?

UPDATE 2012-01-11: I received this message from (the real) STRATFOR today, containing a MUST-READ reflection from George Friedman on “The Hack of Stratfor”.

UPDATE 2012-01-10: yesterday I was Skype-interviewed as “Stratfor hacking victim” by Channel 4 News (UK).

UPDATE 2012-01-07: Question: “Is @mrkoot suggesting that official #Stratfor mails aren’t usually digitally signed?”. My answer: “I have never seen a digital signature attached to a STRATFOR mailing.” I do not suggest that digital signatures would have solved anything, as they too could have been compromised and, more importantly, require users to understand implications of a broken signature, and more importantly yet, require users to be observant enough to notice when a digital signature is missing where it is normally present.

I’m subscribed to the free edition of STRATFOR and my e-mail address was among the leaked STRATFOR data. On January 6th 2012 at 12:15 CET I received this message, which is clearly fake for the following reasons:

  1. it contains links to leaked data, rants, cursing and general weirdness such as “butthurtreportform.jpg”;
  2. the use of language is different from that observed in regular mailings;
  3. the message is non-HTML, while I never received a non-HTML message from STRATFOR before;
  4. the FROM-header is anomalous: it contains “<george.friedman@stratfor.com>”, which is a non-existent address, and moreover, different from the FROM-header observed in regular mailings (which I shan’t needlessly disclose here);
  5. the mail headers indicate I received the message from zulu705.server4you.de [188.138.100.209] while all mailings I ever received from STRATFOR were received from mail{01,02,03}.response.stratfor.com [204.92.19.{141,170,171}]

At 18:24 CET, I received this message from STRATFOR, containing a warning for fake mails like the above. I believe this mail is authentic (i.e., sent by STRATFOR), but is confusing for the following reasons:

  1. the mail headers indicate I received the message from yet another mailserver: e213.en25.com [209.167.231.213]. Authentic STRATFOR mailings often link to images on en25.com but that does not permit me to trust that a host in the en25.com domain, which also has a yet-unknown IP address, is a source for authentic-only STRATFOR mailings;
  2. the FROM header contains “Stratfor” while regular mailings say “STRATFOR”;
  3. the SUBJECT contains prefix “Stratfor: (…)” while regular mailings never did;
  4. the message contains the line “Click here to unsubscribe from future emails”, where “Click here” links to en25.com; regular mailings, however, contain the line “To manage your e-mail preferences click here”, where “click here” links to app.response.stratfor.com.

If indeed this second message is authentic, which I believe it is, to me it seems rather clumsy that STRATFOR did not take this into account. Surely, infosec-savvy STRATFOR subscribers will look for clues to distinguish real STRATFOR mail from fake STRATFOR mail. Why then act in a manner that obfuscates four such clues?
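The clues listed above, written as a baseline comparison (an added example, not part of the original post): each message is checked against the profile of regular mailings for relay host and IP, FROM header, SUBJECT prefix, HTML format and preferences-link host. The three messages, the recipient host `mx.recipient.example`, the sender address `mailings@sender.example` (the real one is not disclosed in the post), the subjects and the link paths are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Profile of regular mailings, built from the observations in the post.
BASELINE = {
    "relay_hosts": {f"mail0{n}.response.stratfor.com" for n in (1, 2, 3)},
    "relay_ips": {"204.92.19.141", "204.92.19.170", "204.92.19.171"},
    "from": ("STRATFOR", "mailings@sender.example"),  # placeholder address
    "prefs_link_host": "app.response.stratfor.com",
    "unusual_subject_prefix": "Stratfor:",
}
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def deviations(raw: str) -> dict:
    """Return {clue: observed value} for every way `raw` departs from BASELINE."""
    msg = message_from_string(raw)
    out = {}
    # Only the topmost Received header is written by the recipient's own MTA;
    # anything below it is supplied by the sender and can be forged.
    received = msg.get_all("Received") or [""]
    m = RECEIVED_RE.search(received[0])
    host, ip = (m.group(1).lower(), m.group(2)) if m else (None, None)
    if host not in BASELINE["relay_hosts"] or ip not in BASELINE["relay_ips"]:
        out["relay"] = f"{host} [{ip}]"
    display, addr = parseaddr(msg.get("From", ""))
    if (display, addr.lower()) != BASELINE["from"]:
        out["from"] = f"{display} <{addr}>"
    if msg.get("Subject", "").startswith(BASELINE["unusual_subject_prefix"]):
        out["subject"] = msg["Subject"]
    html_parts = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    if not html_parts:
        out["format"] = msg.get_content_type()
    else:
        body = html_parts[0].get_payload(decode=True).decode("utf-8", "replace")
        hosts = {urlparse(u).hostname for u in HREF_RE.findall(body)}
        if BASELINE["prefs_link_host"] not in hosts:
            out["links"] = sorted(h for h in hosts if h)
    return out


def sample(relay, sender, subject, subtype, body):
    """Build a constructed raw message (not a real STRATFOR mail)."""
    return (f"Received: from {relay} by mx.recipient.example\n"
            f"From: {sender}\nSubject: {subject}\n"
            f"Content-Type: text/{subtype}; charset=us-ascii\n\n{body}\n")


REGULAR = sample("mail02.response.stratfor.com [204.92.19.170]",
                 "STRATFOR <mailings@sender.example>", "Geopolitical Weekly", "html",
                 '<p>To manage your e-mail preferences '
                 '<a href="http://app.response.stratfor.com/prefs">click here</a></p>')
FAKE = sample("zulu705.server4you.de [188.138.100.209]",
              "George Friedman <george.friedman@stratfor.com>",
              "(constructed subject)", "plain", "(constructed plain-text body)")
WARNING = sample("e213.en25.com [209.167.231.213]",
                 "Stratfor <mailings@sender.example>",
                 "Stratfor: (constructed subject)", "html",
                 '<p><a href="http://en25.com/u">Click here</a> '
                 'to unsubscribe from future emails</p>')

if __name__ == "__main__":
    for name, raw in (("regular", REGULAR), ("fake", FAKE), ("warning", WARNING)):
        print(name, deviations(raw))
```

The fake message and the authentic warning both deviate from the baseline, and a header comparison alone cannot tell them apart.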

STRATFOR has known about the breach since at least Dec 24/25, so I assume there has been plenty of time to get advice on coping with fake mailings. Not yet so on December 29th though, when STRATFOR sent out this mailing, stating:

“(…) we will be sending our free Geopolitical Weekly and Security Weekly to you via email as we have always done.”

D’OH! STRATFOR just told 860k subscribers that they can expect regular e-mail from STRATFOR, seemingly not realizing that this creates momentum for any criminals among the 860k subscribers, who can now take advantage of the trust that STRATFOR (unwittingly) built in less paranoid subscribers. (Mind that I publicly mention this only after fake mailings started.)

For “company-approved communications”, STRATFOR currently refers to their Facebook page and Twitter account. Which I hope are under their control.

Notes On Writing A PhD Dissertation

The below is based on: 

  1. PhD Thesis Structure and Content – A [perfect] PhD Thesis for UCL
    http://www.cs.ucl.ac.uk/staff/c.clack/phd.html
     
  2. Planning a PhD Thesis
    http://www.computing.dcu.ie/~nmcmahon/essays/planning_a_thesis.html
     
  3. The structure of PhD conclusion chapters
    https://web.archive.org/web/20120131043333/http://www.cs.ucl.ac.uk/staff/M.Sewell/faq/publishing-research/Bunt05.pdf
 ======= Notes =======
YOU decide on the appropriate way to report. The default ‘solid’ approach in physics is IMRAD: Introduction, Method, Results And Discussion (reporting on the standard scientific cycle).
 
Your thesis _IS_ the PhD. Make it (in)CREDIBLE. Don’t make it a diary or logbook of done work. A thesis is the acquisition and dissemination of NEW knowledge (new to the COMMUNITY, mind you).
 
Hoover’s four rules for defining the structure of a piece of writing:
  1. Include Every Topic Required by the Subject
  2. Exclude Every Topic Not Required by the Subject
  3. Working from the Top Down, Divide Each Topic into All Its Subordinates
  4. Order Each Group of Coordinates Properly
High quality dissertations often:
  • deal with significant and challenging topics
  • take an original approach
  • realize a significant contribution to the field
  • display an expert use of the literature in the design of the study and discussion of the results
  • report clearly and incisively on the literature

Length: approximately 100-150 pages w/o Appendices. First 20-30 pages appear to be seen as a ‘good indicator’ of thesis quality – clearly stated focus, clearly stated contribution, etc.

Partridge writes “The traditional: simple type thesis … was more common at the master’s level than at the doctoral level where students either carried out more complex types of study, or ones which were more appropriately reported on in a different kind of way”. As with most things in life, there is a balance to be struck. Almost any type of scientific or engineering study can be presented using the IMRAD structure. At the same time, it may be that a more complex form will better present a particular project. The important thing is to communicate clearly and credibly. Norton’s concluding advice about scientific report writing applies equally to the art of writing a dissertation: “… the purpose of the report should be to carry some fact or theory so interestingly … so clearly that the busy world will stop to read it, and having read it will pause to think, for the ability to make men think in a new way should be the aim of every writer”.

Partridge’s “four generic thesis types”:

Traditional Simple
  1. Introduction
  2. Literature Review
  3. Materials and Methods
  4. Results
  5. Discussion
  6. Conclusions
Topic Based
  1. Introduction
  2. Topic 1
  3. Topic 2
  4. Topic 3
  5. Conclusions
Traditional Complex
  1. Introduction
  2. Literature Review
  3. (Background Theory)
  4. (General Methods)
  5. Study 1
    • Introduction
    • Methods
    • Results
    • Discussion
  6. Study 2
    • Introduction
    • Methods
    • Results
    • Discussion
  7. Study 3+
    • Introduction
    • Methods
    • Results
    • Discussion
  8. Discussion
  9. Conclusions
Compilation Based
  1. Introduction
  2. Background to the Study
  3. Research Article 1
    • Introduction
    • Literature Review
    • Materials and Methods
    • Results
    • Discussion
    • Conclusions
  4. Research Article 2
    • Introduction
    • Literature Review
    • Materials and Methods
    • Results
    • Discussion
    • Conclusions
  5. Research Article 3
    • Introduction
    • Literature Review
    • Materials and Methods
    • Results
    • Discussion
    • Conclusions
  6. Conclusions

EOF.

A Taxonomy of Privacy (Solove, 2005)

In 2005, legal scholar Daniel J. Solove published A Taxonomy of Privacy. For my own purposes I made a mindmap of his taxonomy and list below the descriptions of the distinct privacy violations.

Categorized under information dissemination activity:

  • breach of confidentiality conveys “breaking a promise to keep a person’s information confidential”;  
  • disclosure conveys revealing (truthful) information that “impacts the way others judge [the] character [of the person involved]”;  
  • exposure conveys revealing “another’s nudity, grief, or bodily functions”;
  • increased accessibility conveys “amplifying the accessibility of information”;  
  • blackmail conveys the threat to disclose personal information unless the blackmailer’s demands are met;
  • appropriation conveys the use of the subject’s identity “to serve the aims and interests of another”;
  • distortion conveys the dissemination of “false or misleading information about individuals”.

Categorized under information processing activity:

  • aggregation conveys the combination of information about a person;
  • identification conveys linking information to specific persons;
  • insecurity conveys lack of due diligence protecting (stored) personal information from leaks and improper access;
  • secondary use conveys the re-use of information, without subject’s consent, for purposes different from the purpose for which it was originally collected;
  • exclusion conveys not allowing the subject to know or influence how their information is being used.

Categorized under information collection activity:

  • surveillance conveys “watching, listening to, or recording of an individual’s activities”;
  • interrogation conveys various forms of questioning or probing for information.

Categorized under invasions:  

  • intrusion conveys acts that “disturb one’s tranquility or solitude”;
  • decisional interference conveys “[governmental] incursion into the subject’s decisions regarding private affairs”.

Read Solove’s original paper (.pdf) before applying this taxonomy; there’s more substance to it than this short blogpost seeks to represent.

Trust, Privacy & Security in Dutch Govt “I-Strategy” 2012-2015

UPDATE 2017-12-19: the Dutch gov’t released (in Dutch) the successor to the I-Strategy 2012-2015, entitled “Strategische I-agenda Rijksdienst 2017”, which (loosely) translates to “Strategic I-Agenda Federal Government 2017”.

UPDATE 2012-03-06: according to the 2012 eGovernment report (.pdf) issued by the United Nations, the Dutch effort in eGovernment ranks #2 in the world. The Republic of Korea ranks #1.
 
UPDATE 2011-12-19: the Dutch Scientific Council for Government Policy (WRR) published an English translation of the famous iOverheid report. Here it is! 

On November 15th 2011, the Dutch government published (.pdf) their “I-Strategy” information strategy for 2012-2015. Below is my careful translation of the “Trust and Information Security” section. Any unnatural use of the English language is due to me translating as literally as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.

Trust and Information Security
The Dutch cabinet wants citizens to be able to trust the way in which the Dutch government handles the storage and use of digital data. The government is responsible for reliability of the information that is used, and for diligent and legal use of data received from third parties. To accomplish this, permanent investment is needed in the government’s defensibility [Dutch: “weerbaarheid”] against (un)intentional breaches, in increasing the capacity to recover in case of unhoped-for successful breaches and in processes concerning the handling of privacy-sensitive data. Part of increasing the defensibility is having solid information security concepts. An important aspect of that is the investment in data security, in addition to device and network security. That enables device independent laboring (including bring or choose your own device). Wherever specific security requirements apply for classified information, the knowledge and expertise of the Dutch General Intelligence and Security Service (AIVD) will be used. Network security will be improved by reducing the number of internet connections that the government [Dutch: “rijksdienst”] has. That will be done through a government-level shared internet connection [Dutch: “Rijksinternetverbinding”]. This leads to simplified maintenance, higher quality, cost reduction and risk mitigation. A second aspect is the change from unconscious risk-aversion to conscious and responsible risk management. Employees should be able to, and want to, handle information safely. The desired use of self-selected means, combined with the enormously increased possibilities to communicate (social media), mean that a civil servant in 2011 must be more conscious than ever about the risks involved in the use of digital means, and thus also understand them. The government [Dutch: “Rijksdienst”] will support employees by providing adequate means and clear rules and advice.
Also, the ensuring of common agreements about information security with internal and external parties needs to be strengthened. That will be, among others, realized by harmonizing the process and the elements of the oversight of compliance. As announced in the letter about DigiNotar (26643, nr. 189), the Minister of Security and Justice will develop mandatory breach notification for IT incidents for organizations fulfilling crucial societal functions. Such a form of transparency increases the trust in the security of the government [Dutch: “Rijksdienst”]. An optimal capacity to recover is essential to quickly rehabilitate from the consequences of breaches of IT infrastructure. For that, additional instruments will be developed that enable the government to intervene sufficiently. Here too, framework and oversight are essential instruments. There will also be looked at further strengthening of research and expertise at the government, as has also been done in the [Dutch] National Cyber Security Strategy (NCSS) (.pdf).

In context of the Compact Government program [Dutch: “Compacte Rijksdienst”] will, under responsibility of the Minister of Security and Justice, be worked toward development of one government-wide [Dutch: “rijksbrede”] operational IT security function, that ensures scarce knowledge and expertise. To that end, the development of the National Cyber Security Center as announced in the NCSS will be joined.

Following the iGovernment report [Dutch: “iOverheid” (.pdf)] from the Dutch Scientific Council for Government Policy (WRR), the government decided to, as stated in the government response to WRR report (26 643, nr. 211), expand existing measures related to the governance of large IT projects with measures for the protection of privacy. The ministerial CIOs play a central role in that. The expansion is planned as follows. The current requirements for the content of project plans for large IT projects (26 643, nr. 135) will be supplemented with the demand to state whether the project involves privacy-sensitive data and linkage or data enrichment. The project plan will state, with arguments, whether a Privacy Impact Assessment or a similar instrument applies. This information will be used in establishing a risk profile for the project, that will be done by the client and the departmental CIO. This risk profile partially determines whether the project will be reported to Parliament [Dutch: “de Kamer”] through the annual business report [Dutch: “Jaarrapportage bedrijfsvoering”] and the government’s IT dashboard (Rijks ICT-dashboard). If the risk profile results in the observation that the project is high-risk, the project will be included in this report and the dashboard.

The departmental CIO considers, as usual, all information from the project plan in his assessment at the beginning of a project, or during its execution. If this assessment relates to the use of privacy-sensitive data and linkage or data enrichments, the departmental CIO will seek advice from the data protection officer, that has been appointed in every Ministry and oversees the application and enforcement of the Dutch Data Protection Act. The IT project clients are obliged to report changes related to the use of privacy-sensitive data and linkage of data enrichments to the departmental CIO, who will decide whether a new assessment is needed. This expansion of the requirements related to the governance of IT projects will stimulate the diligent use of privacy-sensitive data, increase the involvement of the departmental CIO and ensure the information supply to the Parliament [Dutch: “de Kamer”].

The current Dutch administration seems to have well-informed attention for both security and privacy. The consistent use of the clause “privacy-sensitive data and linkage or data enrichment” (Dutch: “privacygevoelige gegevens en koppelingen of verrijking daarvan“) may characterize pending rules concerning privacy protection. The well-reasoned criticism against careless use of personal data expressed in the iOverheid report has apparently had significant impact. Personally, I’m very pleased with this section of the Dutch I-Strategy 2012-2015.