18 votes -
[SOLVED] I might switch my PC media player from VLC to something else due to potential data leaks. What other media player should I choose if I do so?
edit: Problem solved, davidb informed me about the vulnerability in version 3.0.4, and that it is fixed in the new version 3.0.6. Somehow Spyhunter thinks I still use 3.0.4, which in turn is the actual problem I had with Spyhunter, not VLC.
Spyhunter 5 has been bothering me about potential data leaks from VLC media player. The vulnerability is generally based on publicly available information.
It would be a shame if I have to switch; I've been using VLC for as long as I can remember. It is probably the best media player out there, but I hate sharing my personal data in any way or form.
Spyhunter msg:
- Severity: Medium, VLC media player (Version 3.0.4)
- The CAF demuxer in modules/demux/cad.c in VideoLan media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in Caf files, because a ReadKukiChunk() cast converts a return value to an unsigned int, even if that value is negative. This could result in a denial of service and/or potential infoleak.
Is this even anything to care about? I have updated VLC, including removing the cache, and still get the alert. Is a rollback another option perhaps?
5 votes -
Laptops to stay in bags as TSA brings new technology to airports
11 votes -
Security alert: pipdig [popular WordPress theme provider] insecure, DDoSing competitors
6 votes -
AndroidHardening project (CopperheadOS successor) renamed to GrapheneOS
5 votes -
Microsoft Defender ATP investigation unearths privilege escalation flaw in Huawei PCManager
5 votes -
Facebook stored hundreds of millions of user passwords in plain text for years
27 votes -
What would be a good security setup for me?
So:
- I keep all my passwords in my password manager (Bitwarden)
- All my 2FA codes are generated by AndOTP on my phone.
- My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
- I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
- Is there anything I'm forgetting here?
8 votes -
How secure and private is Firefox?
I was browsing r/privacy today and I came across this guy going on about how Mozilla was just pretending to be privacy focused. Here's his comment. Now I don't really know what to think of this, and frankly, I'm getting really exhausted of hearing about how all the things I'm using aren't actually trustworthy. So can someone put my mind to rest? Do this guy's claims have any truth to them? Thanks.
20 votes -
Hated and hunted - The perilous life of the computer virus cracker making powerful enemies online
9 votes -
Five cybersecurity mistakes companies keep making
4 votes -
The Morris worm at thirty
4 votes -
Lab-grown meat and ancient grains – what will be on the menu in 2050?
3 votes -
Triton is the world’s most murderous malware, and it’s spreading
16 votes -
The prototype iPhones that hackers use to research Apple’s most sensitive code
7 votes -
Why 'ji32k7au4a83' is a remarkably common password
57 votes -
Chrome update on March 1 fixed a serious zero-day RCE vulnerability that was being actively exploited
10 votes -
Why OpenBSD Rocks
16 votes -
All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix
23 votes -
EFF announces "Fix It Already" campaign to demand fixes for specific issues from nine major tech companies and platforms
42 votes -
Android is helping kill passwords on billions of devices
11 votes -
The microphones that may be hidden in your home
23 votes -
FastMail loses customers, faces calls to move over anti-encryption laws
15 votes -
Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information
10 votes -
Does anyone here work in infosec? If so, which laptops are you allowed to use?
I’ve recently gotten to speak with a few folks who work at an enterprise security company. I asked what their security researchers set as company rules for allowed laptops. My one datapoint so far is “Dell or Apple.” So for example, no Thinkpad X1 Carbon, which is arguably the best work laptop.
I am curious what other large security companies (or any of you security minded folks) set as rules for trusted laptops. Can anyone share their lists and theories as to why I heard Dell and Apple? BIOS is more trustworthy?
10 votes -
What are the essential dos and don'ts of digital security for the average person?
Thanks to all of you who gave me guidance in the thread about password managers. It got me thinking I should expand the question to overall best practices regarding security, just in case I have any other important blind spots.
What are the essential do's and don'ts of digital security for the average person?
35 votes -
Is a password manager essential?
I feel like it's impossible to remember passwords that are long, random, and unique for every service. I have too many accounts.
On the other hand, I don't like the idea of giving up control of my passwords to a password manager and using the ones it generates and stores. It feels weird that I wouldn't "know" my passwords.
Is this a hangup I should just get past? What do I do if I need to log in somewhere but cannot access my password manager?
30 votes -
Intelligent Tracking Protection 2.1 in WebKit
4 votes -
Managing my passwords with KeePassXC and friends
13 votes -
Nauru bans 'telemedicine' for medical transfers in threat to new Australian laws
5 votes -
Passwords
This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.
Ideally, a password would be unique. Ideally, users should maybe ever use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like Wargames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what I'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.
I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There are better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan) by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.
So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.
Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion nonetheless, since it wasn't obvious to me and perhaps not to other people.
Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post, "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but I'm unsure about the means.
17 votes -
Facebook charged with misleading users on health data visibility
8 votes -
A deep dive on the recent widespread DNS hijacking attacks
8 votes -
Australia accuses foreign government of cyber attack on lawmakers
3 votes -
Future of personal security and privacy, upcoming trends.
A few years ago I got into improving my knowledgebase of personal security - theory and tools - but it didn't go much farther than reinforcing everything with 2FA and setting up a password manager, plus setting up a VPN and full disk encryption.
It seems like we're amidst a rising tide of data breaches due to, IMHO, laziness and cheapness on the part of many companies storing personal data.
So, recently I've embarked on my second journey to improve my own security via habits and software and teaching myself. Privacytools has been a super helpful resource. My main lesson this time is to take ownership/responsibility for my own data. To that end, I have switched to KeyPass with yubikey 2FA (still trying to figure out how to get 2FA with yubi on my android without NFC), moved over to Joplin for my note taking (away from Google and Evernote) and also switched to NextCloud for all of my data storage and synchronization. I'm also de-Googling myself, current due-date is end of March when Inbox is shut down.
So my question / discussion topic here is: what are everyone's thoughts on the future of practical personal security and privacy? More decentralization and self-hosting? That's what it looks like to me. Blockchain tech would be cool for public objects like news articles, images etc., but from what I understand that has zero implication for anything personal. The other newish tech is PGP signatures, which I'm still having trouble implementing/finding use for, but surely that will change.
There is this topic but that ended up just being about encryption which I think is a no-brainer at this point. I'm more so looking for the leading edge trends.
17 votes -
There's no good reason to trust blockchain technology
10 votes -
This school district in Texas may create its own police force
6 votes -
Cutting through the claims: the refugee medical debate, explained. What exactly are the changes that passed through Parliament against the government's wishes, and what will they mean?
4 votes -
Sentry mode: Guarding your Tesla
5 votes -
Australian government prepares to remove 300 refugees from Manus Island and Nauru in first wave of transfers
4 votes -
Analysis of a Kubernetes hack — Backdooring through kubelet
3 votes -
Russia to disconnect from the internet as part of a planned cyberwar test
33 votes -
Vulnerability in Android allows remote code execution by viewing a malicious PNG image
16 votes -
CVE-2019-5736: runc container breakout (all versions)
11 votes -
How all-knowing smartphones could become the Pentagon’s employee access cards
9 votes -
A profile of Alex Stamos, former security chief at Yahoo and Facebook who was at ground zero of major cyberattacks and Russian election interference
6 votes -
Securing and improving privacy on macOS
13 votes -
The Google Chrome team is developing tools, heuristics and warnings to help protect against deceptive URLs
11 votes -
China link possible in cyber attack on Australian Parliament computer system, ABC understands
2 votes -
What I learned from the hacker who spied on me
7 votes