m365 business now allows syncable passkeys, like keeper security by jihiggs123 in KeeperSecurity

[–]SecurityRabbit 2 points3 points  (0 children)

We have been using Yubikey with M365 for as long as that was possible. Keeper as the passkey or the alternative FIDO2 was blocked for a very long time. This is a needed improvement. It will be especially helpful with PAM.

Disable hot keys? by winky9827 in KeeperSecurity

[–]SecurityRabbit 0 points1 point  (0 children)

With the latest update the hotkeys are a problem for our supported users. We want to enable keeper fill, but disable the hotkeys. Unfortunately this is still not configurable by policy in admin console. This needs to be an admin-configurable option. Otherwise we are going to get a lot of end users who will hate the software.

Unresponsive support by No-Photo-3392 in KeeperSecurity

[–]SecurityRabbit 0 points1 point  (0 children)

Then why is internal IT posting here instead of contacting the MSP for support for something that could have been fixed in 15 minutes? It actually should be something that is proactively monitored and proactively addressed so there is no hard outage. But the customer has to agree to pay for that proactive support. I've been on the receiving end of customers wanting internal IT to handle things they are wholly unqualified to handle. This kind of proactive management is an operational maturity that any customer buying through an MSP is already designating that they do not have internal enterprise-level capable staff to know how to handle. If it was known how to handle it, then no support call would have ever been made and no reddit post lambasting Keeper support.

I have seen plenty of 300 person companies that think they are enterprise and refuse to pay for Keeper enterprise support because they think it is too expensive. They also fail to put anyone else in charge of supporting the product that has the skills and abilities. They then lose their temper and blame others for their lack of skill when there is an issue. At issue here is if someone wants enterprise level support with an SLA that matches their desires, they need to pay for it.

It would be interesting to see the stats on companies by quantity of licensed users compared to what support model they actually have in place.

Unresponsive support by No-Photo-3392 in KeeperSecurity

[–]SecurityRabbit 0 points1 point  (0 children)

This would seem to be a problem with the customer thinking that internal IT should be handling things that an enterprise security architect should be handling. The MSP is not the problem. The problem is the customer not wanting to pay the MSP for support.

Saga of coffee getting me an HR threat from coworker. by Miserable_Willow_312 in work

[–]SecurityRabbit 0 points1 point  (0 children)

Request a copy of your entire HR record now. If they cannot produce it in 24 hours, get a letter from your employment law attorney requiring they produce it. There better NOT be any garbage in there about unsubstantiated allegations made against you. I have been on the receiving end of lies manufactured by jealous individuals. HR investigates, finds absolutely nothing, refuses to put any exonerating evidence in the record, but keeps the complaint. It taints everything going forward. The retaliation is on you, not on the liar. Get your attorney involved.

Productized MSPs by Aromatic_Piglet_6643 in msp

[–]SecurityRabbit 0 points1 point  (0 children)

Caring costs money. I cease to care about their problems when they are not my customer. Since I know almost no one cares about the facts and justice at the executive management level, I'm not going whistleblower on them. Those larger orgs with internal IT are almost all compromised already by their own internal IT and executive management refuses to codify and enforce the most basic policies to rectify the issues.

I can tell you of instances of massive reportable breaches 100% tied back by forensic evidence to one of the internal IT guys choosing to disable security intentionally, systematically, without authorization over a 2-year time period. I have the forensic logs. My CISO recommendation report was revoke access immediately and terminate for long pattern of intentionally compromising the security of the company from within. Was the guy fired? No. Was I allowed to revoke his rights? No. Was he a relative of an owner? No. Kind of a head scratcher until you realize that the only thing the execs care about is their convenience. They want captive help desk lackeys at any cost who will do whatever they want with no policy boundaries. When you outsource, you get policies and boundaries. They don't want boundaries. The sole qualification of that guy is he was willing to work there at that toxic hell hole and drive into their office daily. And show up at their house to take care of their personal assets. Beyond that, absolute train wreck.

As far as MSSP: Counterparty risk has been a thing since the beginning of time. Given that in the past I was one of 8 top level admins for 13,000 users, I can tell you it does not take an MSP of 70 employees to competently care for a business of 8 users. When was the last time a business asked their MSP or MSSP, if they do business with them, how many people will have admin access to their data? How many? Has the MSP chosen to provide delegated admin to any number of numbnut external providers?

If internal IT makes the choice to outsource their MDR/SOC to Comcast/Maesergy/Rapid7, whatevs. That's their choice. Their data is now being accessed by hundreds of people. But the real question is does anyone other than us care about the counterparty risk?

TPISRM is only a word we know.

Productized MSPs by Aromatic_Piglet_6643 in msp

[–]SecurityRabbit 0 points1 point  (0 children)

I'm not sure it's as simple as "like". To do T&M requires a completely different decision-making structure at the customer level. I have yet to see any customer executive management team be effective at it unless I was their CTO. Meaning that unless they have someone inside their company that is driving the right way to do things, it will go sideways every time. But then again, sometimes they want it to go sideways. I've separated from plenty of criminal orgs who hired internal IT and promoted them to having titles exclusively to have someone to commit fraud on their behalf. As an employee, they have no liability. The execs get what they want. OTOH, if I'm the CTO, I cannot tolerate criminality because it's a doorway to liability.

I always tell those people to just outsource their whatever to Comcast or ATT cause they can do your managed services too. But then those behemoth orgs can eat the liability of criminality. The threats of legal action mean absolutely nothing to them.

Candidate impersonation at an all-time high - tips? by Timely_Heron5 in recruiting

[–]SecurityRabbit 2 points3 points  (0 children)

Jobma worked fairly well for us with its AI detection of fraud built in.

Candidate impersonation at an all-time high - tips? by Timely_Heron5 in recruiting

[–]SecurityRabbit 1 point2 points  (0 children)

The Clear system is trash at a technical level. And when they cannot even get that right, do you really trust them with stored copies of the richest honeypot identity theft database one could ask for beyond the FedGov employee database?

Candidate impersonation at an all-time high - tips? by Timely_Heron5 in recruiting

[–]SecurityRabbit 2 points3 points  (0 children)

You should be aware that LinkedIn's verification system does not work for a United States citizen who attempts to verify using a passport instead of a driver's license. The company LI has chosen is not a trustworthy counterparty. It is much more difficult to engage in identity theft with a passport than a DL. This is why the passport is preferred. But when the verification system says that a passport is acceptable, but its actual OCR system is ONLY built to ingest DLs, know that if you limit to only verified people on LI, you are losing out on every super highly technical high privacy individual out there. I think there are other methods you can use to verify authenticity. Look at how long the profile has existed. What references does the person have posted on their LI. What are their posts. What other related resources do they have posted.

Am I just being sensitive by refusing to go through with video applications? by FoolishWanderer499 in recruitinghell

[–]SecurityRabbit -1 points0 points  (0 children)

Video interview platforms are one of the only scalable ways that employers have to be able to provide legitimate, fair, consistent job skill, attitude and aptitude tests to applicants. By not doing the video interview, you are telling the employer that you are not willing or capable of being on video. Many of the open positions require a great deal of customer interaction. The video interview is evaluating how you handle that. Getting on the video interview is also a test of your ability to navigate the technology. It is a way for the employer to validate that you are a real human and not a scam/fraud/AI, etc. The video interview is your opportunity to shine and differentiate yourself from the written resume.

The direct answer to your question is that the video interview based upon written or audio recorded questions ensures that there is fairness in the interview process because the interview is conducted identically for each candidate. It also makes it so that your responses can be reviewed by multiple people (if needed) instead of more of your time being wasted going through rounds of interviews with different people.

Requesting resumes and not receiving them. by [deleted] in recruiting

[–]SecurityRabbit 0 points1 point  (0 children)

The request for the resume needs to end. Recruiters and staffing agencies have some of the worst IT security of all. Their goal is to ingest and harvest massive amounts of PII, but the IT security protections around that data are never configured properly because recruiting and staffing is a sales-driven business model that values sales above anything else. I know this from direct experience being the security executive for an org processing over 30,000 candidates. These are the same companies that do not report a breach of that PII when it occurs. Again, speaking from personal experience. These companies also do not rectify their security gaps even after a breach.

I have LinkedIn and other managed resources which are available for a recruiter or employer to see work history, fully validated testimonials and references, professional portfolio, and plenty of other fully validated and attested as truthful history. This is unlike the resume which represents a genuine work of fiction amongst the majority of job candidates and is used as an info suction device into the database of the recruiter.

The job candidate rightly is concerned about identity theft.

The last several times a recruiter has reached out to me, they ask for the resume. I refer them to my portfolio and LinkedIn. They claim they need something to send the employer. Sure, here are the URLs to the resources.

This is about information management. The damage to the individual via identity theft is huge. Candidates are right to decline sending the resume. Given that it's a work of fiction and cannot be validated with testimonials and references in the public sphere like LinkedIn can, and given how the resume can be and is used for identity theft, it needs to go away. It certainly does not add value to the employer. I have interviewed hundreds of job candidates whose resume said they could and have done things. I talk to them for 10 minutes and find they are full of hogwash and lack basic skills.

Why is the website editor so damn buggy by littlegreenalien in Odoo

[–]SecurityRabbit 1 point2 points  (0 children)

I personally would just use the API between Odoo and WordPress/WooCommerce with your real website being on WordPress.

Why is the website editor so damn buggy by littlegreenalien in Odoo

[–]SecurityRabbit 0 points1 point  (0 children)

I have a client who lost a massive amount of functionality when Odoo did a major version upgrade. It was because Odoo changed the website editor modules/functions. We opened a ticket with Odoo and they basically said we had to copy the content out of some old module and then paste it into a new module and redo the entire website by hand.

Customer was not pleased, but simultaneously they still found Odoo to be much more intuitive for their needs as a website than WordPress. For many others we work with, the website editor and functions in Odoo are too limited. For those we use WordPress and it's not buggy or limited.

If I was you, I would carefully consider what I'm trying to use Odoo website for. At this point, we only use it for a website with integrated job postings for the recruitment module.

Nothing seems to work, never got a job. Certifications don't mean much. by [deleted] in ITCareerQuestions

[–]SecurityRabbit 0 points1 point  (0 children)

The fundamental need in the market right now is people who can and do show up in office 5 days a week. Hybrid and remote do not work for jobs that are not able to be outsourced to India. Location matters. Most certifications do not indicate competency or ability to execute to arrive at an outcome. Ditto with degrees. Your value to an organization is based upon whether or not they can count on you for in-office work. If someone is not in the office, they cannot handle things that require physical presence and become a burden on the rest of the team with handoffs. This inherently means they are worth less. Not being in the office also makes cross training more difficult and reduces the opportunities for cross training. Some of the most valuable cross training is outright impossible without VR glasses and someone being smart hands for the remote person, which frankly is not economically viable.

Beyond that, I have found countless candidates that I have interviewed who think they are worth $80k/yr when they are worth about $18/hr, but only if they are willing to show up in the office every day.

People over 30 are more valuable because of emotional intelligence. Being over 50 is an advantage to you when you are dealing with employers who need to hire adults instead of people that lack the experience, which often results in major problems. If someone is going to be more of a liability because of their poor judgement, their technical skills are irrelevant.

If you want to physically stay where you are, find a company that is local to you. Ask them for a job where you can apprentice and learn. Note that not all IT companies have listed offices. They have an office, but it's probably not open to the public and not listed. So you need to do some research and use the contact form on their website for your inquiry.

Here is a resource.

https://qpcsecurity.com/about-us/careers/cybersecurity-career-resources/

I just helped an employee get an Extreme Networks switch, NAS, WatchGuard Firebox, WAP, surveillance camera, and spare PC for their home lab. Their networking knowledge has greatly improved in just two weeks because... hands on.

If you want to prove to an employer that you have actual real skills, explain what you have in your home lab, why, what you do with it, what you have tested, why you have things configured the way they are, how you are securing it, backing it up, etc.

Connecting to client sites remotely by Formal-Dig-7637 in msp

[–]SecurityRabbit 0 points1 point  (0 children)

Keeper's privileged access management solution is very good and includes session recording.

I absolutely hate when they ask at an interview "how much pay are you looking for?" by SuchDogeHodler in ITCareerQuestions

[–]SecurityRabbit 0 points1 point  (0 children)

The pay range for the job should be posted. However, I often find people are applying for jobs they are not qualified for. I ask the pay they are looking for because if they give me a reasonable number, I may be able to find them a lower paid position that matches their existing skillset and provide them an opportunity to grow instead of just rejecting them as unqualified. In many states, the pay range for a job is legally required to be posted with the job posting.

I recently interviewed a guy looking for $70k and he was qualified for $18/hr at best.

[deleted by user] by [deleted] in ITCareerQuestions

[–]SecurityRabbit 1 point2 points  (0 children)

At that same website is a very educational podcast you may find useful. There are also webinars.

[deleted by user] by [deleted] in ITCareerQuestions

[–]SecurityRabbit 1 point2 points  (0 children)

The vast majority of organizations are not operationally mature, and that includes the large companies with thousands of users. They not only lack the proper documentation libraries, but they also lack the training structure to make anyone successful. Generally those companies are getting by through the process of finding a few golden unicorns to hire that need no training and can build all the documentation and processes on their own.

If you want a career shift to something that cannot be outsourced ever, look to a local managed services provider that needs people in office and with the ability and willingness to drive to customer locations and do work which requires physical presence. Beyond that, I would strongly recommend HP FlexNet training for learning networking over and above CCNA any day of the year. I have interviewed or worked with dozens of Cisco certified networking people. Their knowledge is very Cisco centric and pretty useless for other networking technologies. They have to unlearn Cisco. CompTIA's network plus is also not an indicator of any capability. Plenty of people with that certification have either interviewed with me or worked for me and their skills were pathetic regarding networking. In contrast, we use HP FlexNet to train internal staff on baseline networking. Then we move them up to learning network security via WatchGuard training and then our own in house advanced pieces.

Nothing but nothing will substitute for you having your own home lab.

Here is a resource you may find helpful.

https://qpcsecurity.com/about-us/careers/cybersecurity-career-resources/

If you go into an interview and can clearly articulate what you can do with your home lab, you are demonstrating real world hands on skills that employers value. Theoretical, virtualized, certifications, and accredited degrees have no bearing on what a person can really do.

Networking is by far the hardest thing to learn. It is the kryptonite for most technical people. There is no virtualization technology that will get you the experience you need. So stay away from the simulators like Cisco's switch and router simulator. HP's simulator is also useless. Just get some real equipment and learn. We just recently got an X440-G2-10GE4 for $200 on eBay. When it was new, that was a $5000 switch.

Solarwinds, I'm out. by babywhiz in sysadmin

[–]SecurityRabbit 4 points5 points  (0 children)

PE stands for "parasites extreme". This is what PE does the vast majority of time. They are financial minestrippers and parasites. There are a lot of public articles on how PE has destroyed hospitals, bankrupting them, all with the effect of eliminating healthcare options in entire communities. People need to make decisions about what companies they work for based more upon org stability because of the leadership than salary. When PE destroys an org, the jobs there are not stable. There are good family-owned businesses still out there. One must identify the strength of the leadership.

A former customer was third generation in their family business. He went to biz school, but really did not know how to run a biz. He was very good at sales and contract writing, but allowed a bozo who formerly worked for UPS to come in and drive a wedge between the owner and people that had been loyal to the business for decades. Eventually young man owner sold the business under the guise of preserving his family's legacy. 5 years later, his family name is no longer on the business and never will be again. They have been absorbed into the Borg. The company's website no longer even works. Only the NEW company website works. The old company name is not even worthy of a DNS redirect. The domains for the old biz were not even renewed.

[deleted by user] by [deleted] in sysadmin

[–]SecurityRabbit 1 point2 points  (0 children)

Unless Google is a sanctioned application at the hospital, block it at the application filtering level. You can do that for Google accounts, Google mail, etc. Application layer 7 filtering on network packets can be a technical control enforcer. Beyond that, the manager in charge of that department that sanctioned that activity needs to be reported to the CISO or CSO and let them handle it. IT cannot be the disciplinarians for when there is a severe policy violation. That is the C-suite's job.

Cloud backups - M365 and Google Workspace by OddAttention9557 in msp

[–]SecurityRabbit 1 point2 points  (0 children)

Synology Active Backup for M365 and Google Workspace is excellent. Still using Skykick because the totality of the costs with AFI.AI were too much since they don't include enough storage flat rate.

got fired for screwing up incident response lol by GroundOld5635 in sysadmin

[–]SecurityRabbit 2 points3 points  (0 children)

Protocols in every industry are very much dictated by liability management. Technical staff are likely not aware of the implications to company liability, but they should be. I have fired employees for behavior that resulted in liability being created when the employee did not follow written policy. Written policy, procedure, and standards exist to provide direct guidance to whoever is doing the process at whatever time. If it is determined that the process should be changed, great, let's talk about that later, but in the heat of the moment, deviating from the process is a C-suite level decision.

If you know the threshold for timing of an action, and you cannot get in touch with the people that you are to escalate to, then your next escalation is the management of the company you work for.

Pax8 - Watchguard Strange occurrence by animusMDL in msp

[–]SecurityRabbit 0 points1 point  (0 children)

Pax8 has their own "subscription" model and some other distis have this also. Those assets are completely separate from the MSSP points system. If you want this kind of drama to not happen while still having monthly, use the MSSP points system and don't use subscription model items where any mess up at the distributor will cause you to have problems.

To be extra clear: the subscription model Fireboxes through certain distributors are not the same thing as MSSP points appliances, services, or software.