Anderson's 'Security Engineering' is a great read. It's a giant tome, but if you have a little bit of darkness in your soul, you will spend most of it giggling gleefully.

agree. I thought the Mig-in-the Middle example was sublime, (even though he said later it was "unfounded"[0][1]):

> One case history that unfortunately turns out to be unfounded is the story of the `Mig-in-the-middle' attack, pp 19-20. I got this story over a beer from a chap I met at a conference who was wearing SAAF uniform, and it seemed technically plausible. I tried to get independent verification and failed, as I mention on page 19. I used it, with that caveat, as I've found it is a very good way of getting students to understand the risks of middleperson attacks on crypto protocols. However, in September 2001, I learned from a former employee of the South African Communications Security Agency that the story is apocryphal. As there were no South African air defence forces on the ground inside Angola, IFF was not used there, and the SAAF did not have secure mode IFF at the time anyway. I am also told, however, by former GCHQ / Royal Air Force sources that similar games have been played elsewhere by other forces. See the excellent books by R.V. Jones (references [424] and [425]), plus the later chapter on electronic warfare, for more on air combat deception strategies.

[0] https://www.dlab.ninja/2012/04/mig-in-middle.html [1] https://www.cl.cam.ac.uk/~rja14/errata.html

How do you recommend someone keep up on new (or existing) RFC’s?

see https://www.rfc-editor.org/retrieve/ for individual document maturity levels (for this you might want to monitor "Experimental" and "Proposed Standard")