An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burges (who discovered the flaw) said the vulnerability affects all Gogs servers with default configurations.
“Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance,” Burges warned on Thursday.
“Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user.”
Successful exploitation allows attackers to execute arbitrary code remotely as the Gogs server process user via pull requests that use a malicious branch name to inject the “--exec” flag into git rebase during the “Rebase before merging” merge operation.
They can abuse this security flaw “to compromise the server, read every repository on the instance (including other users’ private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository’s code.”
Burges added that this vulnerability is similar to other argument injection flaws (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930) addressed by Gogs in recent years, but affects a different code path (Merge()) that was never patched.
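The defensive pattern for this class of bug, as an added example that is not Gogs code or the maintainers' fix: reject branch names that git would parse as options, and pass what remains as a fully qualified ref after `--end-of-options`. The function names and sample branch list are hypothetical, and `--end-of-options` assumes Git 2.24 or later.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a branch name that must never reach a git command line.
var ErrUnsafeRef = errors.New("unsafe branch name")

// ValidateBranchName enforces a conservative allow-list (an assumption of this
// example, stricter than git's own ref-name rules). The rule that matters for
// argument injection is the leading '-' check: git parses such an argument as
// an option instead of a ref.
func ValidateBranchName(name string) error {
	switch {
	case name == "" || len(name) > 255:
		return fmt.Errorf("%w: empty or too long", ErrUnsafeRef)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: %q begins with '-'", ErrUnsafeRef, name)
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".lock") || strings.Contains(name, "..") ||
		strings.Contains(name, "//"):
		return fmt.Errorf("%w: %q has a malformed path component", ErrUnsafeRef, name)
	}
	for _, r := range name {
		ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
			(r >= '0' && r <= '9') || strings.ContainsRune("._/-", r)
		if !ok {
			return fmt.Errorf("%w: %q contains %q", ErrUnsafeRef, name, r)
		}
	}
	return nil
}

// BuildRebaseArgs returns the argv for "git rebase" onto the given branch.
// Two independent guards are applied after validation:
//  1. "--end-of-options" tells git that everything after it is positional.
//  2. The "refs/heads/" prefix means the argument can never start with '-'.
func BuildRebaseArgs(branch string) ([]string, error) {
	if err := ValidateBranchName(branch); err != nil {
		return nil, err
	}
	return []string{"rebase", "--end-of-options", "refs/heads/" + branch}, nil
}

// AuditBranchNames returns the names that fail validation, for reviewing the
// branches already present on a server (for example, names read from the
// output of "git for-each-ref").
func AuditBranchNames(names []string) []string {
	var flagged []string
	for _, n := range names {
		if ValidateBranchName(n) != nil {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

// SampleBranches is constructed test data, not taken from any real repository.
var SampleBranches = []string{
	"main", "feature/login-fix", "--looks-like-an-option", "release-1.2", "-x",
}

func main() {
	for _, b := range SampleBranches {
		args, err := BuildRebaseArgs(b)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("git", strings.Join(args, " "))
	}
	fmt.Println("flagged for review:", AuditBranchNames(SampleBranches))
}
```

Passing the argv slice directly to `exec.Command("git", args...)` keeps a shell out of the path, so the only parser left to worry about is git's own option handling.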
The researcher reported the security flaw to the Gogs maintainers on March 17, but they have yet to provide a patch or respond to further requests for a status update, despite acknowledging the report on March 28.
Internet security watchdog Shadowserver now tracks over 2,400 Gogs servers exposed online, most of them in Asia (1,894) and Europe (319), while Shodan found just over 1,000 IP addresses with a Gogs fingerprint.
Gogs servers exposed online (ShadowServer)
In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that was exploited in zero-day attacks to compromise hundreds of servers.
“Many of these instances are configured with ‘Open Registration’ enabled by default, creating a massive attack surface,” Wiz security researchers (who reported the flaw) said at the time.
Wiz Research discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July and reported the flaw to Gogs maintainers on July 17. They acknowledged Wiz’s report three months later, on October 30, and released CVE-2025-8110 patches in early January.
On January 12, CISA confirmed Wiz’s report that CVE-2025-8110 was under active exploitation and added the security flaw to its catalog of vulnerabilities exploited in the wild, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned at the time.
May security update trips over hostnames of a very specific length
Windows Server 2016 might be long in the tooth but that isn’t about to stop Microsoft breaking stuff.
The May 12 security update introduced another bug for administrators to worry about. According to Microsoft, if the server hostname is exactly 15 characters long (like, for example, THEY-NEVER-TEST), domain controller discovery might fail.
In the notes for the glitch, Microsoft wrote: “When the hostname is 15 characters long, DCLocator calls (for example, using nltest /dsgetdc: /pdc) will return ERROR_INVALID_PARAMETER, preventing applications and administrative tools from locating a domain controller.”
In other words, anything that depends on a domain controller lookup might stop working. As an example, Microsoft gave Distributed File System (DFS) Namespace management, which would certainly be inconvenient. DFS Namespaces is a Windows Server role that allows admins to group shared folders across different servers into a single namespace. A single path can lead to files located on multiple servers. Unless, of course, the domain controller lookup is broken.
Microsoft lists no workaround for affected users, though changing the server hostname to something other than 15 characters would presumably avoid the trigger. “The issue is under investigation, and additional information will be shared as soon as it becomes available,” it said.
Microsoft still officially supports Windows Server 2016. Mainstream support ended in 2022, but extended support will continue until January 12, 2027. Microsoft is offering up to three more years of support via the Extended Security Updates (ESU) program after that.
Earlier this year, Esben Dochy of Lansweeper told The Register that the operating system accounted for just 2.2 percent of all Windows devices it tracks, but 20.3 percent of all servers. That figure is unlikely to have dropped dramatically in the months since, so there is a fair chance that an administrator with a 15-character hostname could be affected.
In addition to the Windows Server 2016 problems, the May 2026 security update has failed during installation on some Windows 11 devices when the EFI System Partition is insufficient in size.
It is reassuring to know Microsoft’s talent for breakage shows no bias toward any particular vintage. ®
Susan Doris-Obando discusses the upcoming deadline and explores the potential challenges and opportunities for professionals amid the policy change.
The EU Pay Transparency Directive, which EU member states are required to implement by 7 June 2026, is a policy that will “significantly reshape employment law around pay transparency within the EU”, explained Susan Doris-Obando, an employment partner at Dentons Ireland.
“The intent is to reduce the EU gender pay gap, which currently stands at around 12pc, by having greater transparency around pay and making it easier for employees to bring equal pay claims,” she said.
Initially brought into effect in June 2023, EU member states were told that they would have until the upcoming 2026 deadline to implement the directive. This means employers will have to acknowledge a number of changes in hiring and the dissemination of employment-relevant information.
“During the hiring process, employers will be required to provide candidates with information on initial pay or pay ranges and ensure that job vacancy notices and job titles are gender-neutral and recruitment procedures are conducted in a non-discriminatory manner,” explained Doris-Obando.
“They will be prohibited from asking candidates about their current or past pay and from using pay secrecy clauses. During the employment relationship, employees will have the right to request and receive, within a reasonable period and in any event within two months, information in writing about their individual pay level and average pay levels, broken down by gender for workers doing the same work or work of equal value.”
It will also be the responsibility of the employer to ensure that the criteria under which an employee’s pay, pay level and pay progression are determined are made easily accessible. Additionally, employers with more than 250 employees will be required to report annually on the gender pay gap in their organisation.
Reporting is mandated every three years for employers with a workforce of more than 150 people but less than 250, starting with a first report in June 2027. Organisations with 100 or more employees and less than 150 employees will be required to first report in June 2031.
Doris-Obando noted the main difference between the directive and the current gender pay gap reporting policies already in place in many EU member states is that the new regulations require reporting on the categories of workers – namely, those doing the same work or work of an equal value.
She said: “If the report reveals a pay gap of more than 5pc within a category of the same work or work of equal value that cannot be justified by objective, gender-neutral criteria and not remedied within six months, employers will be required to take action in the form of a joint pay assessment carried out in cooperation with employee representatives.”
It is also important to note that the directive does not prevent employers from paying workers who perform the same work or work of equal value differently, provided that it is based on objective, gender-neutral and bias-free criteria, such as performance and competence.
Moreover, as Doris-Obando stated, many member states – including Ireland – are going to miss the implementation date and will have to take a phased approach to implementation. Ireland, to date, has only draft legislation in place around the recruitment obligations.
Directive consequences
Of the potential consequences, she explained that the organisations that fail to implement the new rules will inevitably be faced with increased claims for equal pay, with the directive effectively shifting the burden of proof in claims to the employer in instances where the employee establishes a prima facie case.
“If an employer does not comply with their gender pay reporting obligations or pay level information requests, then the burden would likely shift to the employer, unless the breach is manifestly unintentional and minor in character. Significant gender pay gaps may also attract adverse publicity, impacting on recruitment and retention.”
She also anticipates issues in building a robust gender-neutral job evaluation and classification system that can correctly categorise those doing the same work or work of equal value. This is not an easy exercise, she finds, but now is the time to start preparing.
“Work of equal value is often not immediately obvious,” she said. “For example, in some cases, store employees have been found to do work of equal value to warehouse employees. The next step will be to understand the gender pay gap within each category of worker and consider any objective gender neutral justifications. Any remediation steps should then be addressed.
“Policies should be put in place outlining the criteria used to determine pay, pay levels and pay progression and how to deal with pay on recruitment and in responding to employee pay level information requests. Multinational employers will need to consider whether to adopt global policies and consider their approach to member states’ gold-plating the directive.”
Of the long-term effects of the directive, Doris-Obando stated employee representatives are going to have a much larger role to play, particularly, in conversations around joint pay assessments, where typically their role has been short-term around collective redundancy or Transfer of Undertakings (Protection of Employment) consultations.
Shannon Smith, an experienced public-sector technology executive, will be the City of Seattle’s next chief technology officer.
A city spokesperson confirmed to GeekWire that Mayor Katie Wilson made the selection, which has not been announced publicly. Smith’s first day will be June 8.
Smith is currently a Seattle-based director at CAI, a global IT and business services firm, where she helps U.S. cities and counties with strategic planning, change management, and tech department operations.
She has more than 10 years of experience working in technology with Seattle-area government agencies, including as a senior IT manager with the City of Seattle between 2014 and 2017. Smith also served as the City of Bellevue’s applications lead for technology business solutions for almost two years.
As a CIO chief of staff with King County for more than five years, she provided oversight for enterprise technology investments, innovation, and operational improvements. According to her LinkedIn, Smith was “accountable for all technology implemented during the King County-Seattle Public Health’s COVID-19 response.”
Seattle began its search for a new CTO in March after Rob Lloyd left the post to become executive director of the Center for Digital Government. Lloyd was named CTO in June 2024 after eight years as deputy city manager of San José, Calif.
The CTO reports to the mayor and is the city’s principal technology leader, setting the overall vision and strategy of information technology resources and management of Seattle IT.
Smith will lead an organization of 633 employees and manage an annual operating budget of $280 million with a capital budget of $20 million.
It’s become a familiar theme over the last couple of decades — hardware is rendered useless when its manufacturer pulls the cloud service on which it depends. This is particularly annoying when the device is something which shouldn’t need a cloud service to run in the first place, and several manufacturers have found themselves in hot water because of this.
Somewhere in between is the Bose SoundTouch speaker system, which includes a set of six internet radio preset buttons. In early May the service behind them was shuttered, and now here’s [Tostmann] with an ESP32 firmware to bring them back.
As you might imagine, it’s a device that emulates just enough of the now-defunct Bose cloud service to keep the speaker happy, but it has a clever trick up its sleeve. Normally these hacks rely on DNS redirects at the router, but this one avoids that thanks to a diagnostic interface on the Bose unit that allows the rewriting of the server address. The ESP32 does this with its own address, and the speaker is none the wiser.
The Trump administration announced last Friday that US visa holders who want a green card must first return to their home countries and apply from there, “except in extraordinary circumstances.”
The Trump administration’s changes to the green card process could force hundreds of thousands of skilled immigrants to leave the country.
This policy represents the triumph of MAGA nativists over the tech right, in the battle to define what an “America First” immigration policy looks like.
Precisely how USCIS will implement the policy remains unclear.
For more than 50 years, through the “adjustment of status” process, visa holders in the United States have been able to remain in the country while applying for permanent residency. This was no small thing. For legal immigrants, the alternative to securing an adjustment of status is not taking a short sojourn abroad while Uncle Sam inspects their paperwork. Rather, due to various quirks of US immigration law, some immigrants must wait more than a decade for their green card applications to be approved.
President Donald Trump’s new rule therefore threatens to exile hundreds of thousands of legal immigrants — including physicians at understaffed rural hospitals, gifted technologists at Silicon Valley firms, the spouses of US citizens, and parents of American children.
Whether this will actually happen is unclear. Both the memo officially laying out the policy — and the administration’s messaging about it — contain ambiguities and apparent contradictions. For example, the administration has said that visa holders can only remain in the United States during the green card application process under “extraordinary circumstances” and that any visa holder who provides an “economic benefit” to America may still do so. Yet more or less all employed visa holders provide some economic benefit to the United States.
Regardless, the new memo represents a massive escalation in Trump’s crackdown on immigration. It also arguably marks the resolution of a years-long war for the soul of the MAGA movement.
Since Trump retook the presidency in 2024, his coalition’s hardline nativists and Silicon Valley patrons have been fighting over what an “America First” immigration policy actually entails.
America’s tech industry is heavily reliant on global talent. About one-fifth of our nation’s STEM workers in 2021 were foreign-born. For this reason among others, the tech right — a contingent of Silicon Valley luminaries who backed Trump in 2024 — advocate for a meritocratic brand of immigration restrictionism.
“I understand why we don’t want people to come to the US to be criminals, mooch on welfare…and otherwise undermine the country,” Blake Scholl, the Trump-friendly CEO of Boom Supersonic, posted on X after the latest immigration news. “But I don’t understand why we make it harder for motivated, ambitious, hardworking people to come to the land of opportunity.”
The nativist right isn’t so sure about that. In its view, whether immigrants engineer software in Silicon Valley — or deliver food in New York City — they are typically undermining native-born Americans’ interests, at least in their current numbers.
By deterring highly skilled, legal immigrants from seeking green cards, the Trump administration has made its allegiance to the second camp unambiguous.
While not entirely surprising, this development wasn’t always certain. Trump erected some obstacles to high-skill immigration during his first term. But these changes had been relatively modest. More critically, after a slew of tech titans lined up behind Trump’s candidacy in 2024, Trump signaled support for their immigration views.
During a June 2024 appearance on All-In, a podcast hosted by venture capitalists sympathetic to his campaign, Trump was asked whether he would “promise us you will give us more ability to import the best and brightest around the world to America”?
The candidate replied, “I do promise. But I happen to agree, otherwise I wouldn’t promise. … You graduate from a college, I think you should get automatically — as part of your diploma — a green card to be able to stay in this country and that includes junior colleges too.”
Months later, in the wake of Trump’s victory, his Silicon Valley supporters got into an online feud with hardline nativists over H-1B visas — which give temporary legal status to highly educated immigrant workers employed by American companies. After some MAGA influencers called for restricting such visas (and high-skill immigration more broadly), the tech right rallied to the program’s defense.
“The reason I’m in America along with so many critical people who built SpaceX, Tesla and hundreds of other companies that made America strong is because of H1B,” Elon Musk posted on X in December 2024. “I will go to war on this issue the likes of which you cannot possibly comprehend.”
Once again, Trump appeared to side with Silicon Valley, telling reporters that he supported the H-1B program, since “We need competent people, we need smart people coming into our country…we need a lot of people coming in.”
Why MAGA doesn’t want more “smart” immigrants
Of course, much of the MAGA movement disagreed.
Although the nativist right has tended to dedicate most of its energy to combating undocumented immigration, it has also sought to repel highly skilled legal immigrants in general — and those who work for tech companies in particular.
In fact, two of the original architects of Trump’s immigration vision — Steve Bannon and Stephen Miller — both long lamented the prevalence of foreign-born workers in Silicon Valley.
Notably, Trump himself did not share this view at the outset of his first presidential campaign. During a 2015 podcast appearance, Trump told Bannon that he worried about foreign-born Ivy League graduates being forced to return to their home countries instead of using their skills in the United States, since “we have to keep our talented people.”
Bannon replied, “When two-thirds or three-quarters of the CEOs in Silicon Valley are from South Asia or from Asia, I think…a country is more than an economy. We’re a civic society.”
Likewise, during his time working for then-Sen. Jeff Sessions, White House adviser Stephen Miller co-authored a “handbook” on immigration policy that decried “The Silicon Valley STEM Hoax” — namely, the idea that the United States needed to increase immigration in order to meet its demand for workers with tech skills. The document argued that increasing admissions of foreign-born STEM workers would “deny millions of Americans a shot at a good-paying middle-class job.”
From this perspective, highly skilled immigrants are scarcely more desirable than low-skill ones — and may even be less so. After all, few Americans are eager to perform seasonal agricultural labor. But many covet well-paid tech jobs. And if one believes that the supply of such positions is largely fixed, then every coding gig taken by an immigrant is one denied to a native-born American.
For many nativists, however, the problem with high-skill immigration isn’t purely economic. As Bannon’s comments suggest, the ethnic composition of Silicon Valley’s foreign-born labor-force is also a concern.
Following the Trump administration’s changes to green card policy last week, frank expressions of anti-Indian animus proliferated on right-wing social media. Previously, the far-right influencer — and periodic Trump confidante — Laura Loomer had suggested that “third-world invaders from India” threatened to overrun America, a country “built by white Europeans.”
Some Republican elected officials have played to such anti-Indian resentments. This week, US Rep. Greg Steube (R-Fla.) referenced Indian immigrants’ disproportionate share of H-1B visas while advocating for legislation that would end the program entirely.
Before last week, the second Trump administration had already been leaning toward the nativist right’s position on skilled immigration by, among other things, heavily constraining the issuance of new H-1B visas.
But Trump’s ostensible transformation of the green card application process constitutes a far more definitive — and consequential — rebuke of the tech right’s vision for immigration.
Indeed, the policy explicitly aims to chase most international students from the United States as soon as they graduate, the very scenario that Trump had spent years lamenting.
Further, unlike previous restrictions to H-1B visas, the green card memo seeks to reduce the number of foreign-born permanent residents in the United States, rather than merely the number of guest workers. Populists on the right and left have long argued that guest workers are uniquely exploitable — since they need to keep their jobs in order to remain in the country legally — and thus put downward pressure on labor standards in their industries. Yet immigrants applying for green cards are often seeking to escape that very form of dependence and secure the same bargaining power as US citizens.
What’s more, the new rules would hit Silicon Valley’s disproportionately Asian workforce particularly hard. America’s annual green card issuance is capped by country. For this reason, immigrants from highly populous nations with large educated workforces — such as India and China — must wait many years before their green card applications are approved. An Indian tech worker who applies for a green card tomorrow is likely to wait more than 12 years before actually securing permanent residency. Under traditional procedures, that worker could remain legally in the United States while awaiting approval. Under Trump’s new system, they would need to go into exile for a decade.
The full implications of Trump’s policy are uncertain. But the tech right’s defeat is unmistakable.
It remains unclear how USCIS agents will interpret their new marching orders. Although the administration’s memo suggests that adjustment of status should be offered only in extraordinary circumstances, it nonetheless gives USCIS officers discretion to provide such relief as they see fit. And the document also suggests that some categories of immigrants may be partial “exceptions” to the rule.
“We are hearing USCIS examiners are now asking questions like, ‘Why are you applying for adjustment? Why couldn’t you have left and applied abroad?’” Cyrus Mehta, an immigration attorney in New York City, told me. “Different local offices will likely take different positions on how to deal with it. Some will be business as usual. Others may be instructed to get tough.”
It’s possible then that the tech right could persuade the administration to interpret its own memo narrowly — or else, convince a court to strike the policy down.
In any case, the administration’s position is likely to deter many highly skilled visa holders from seeking permanent residency. And it will also provide talented young people abroad with another reason to seek admission to other wealthy countries, instead of the US.
If interpreted literally, meanwhile, the new rules would do far greater harm to the American tech sector than any of the Biden-era antitrust policies or AI regulations that purportedly “red-pilled” so many Silicon Valley billionaires.
In short, red America’s civil war over immigration policy is essentially over. The nativists won, the tech right lost; the latter’s best hope is merely to negotiate favorable terms of surrender.
We don’t need to tell you: lasers are awesome. Those tiny red beams aren’t just for frustrating cats, but can do real work, be a source of infinite beauty, or constitute a science project in its own right — and you can win a $150 DigiKey gift certificate simply by writing your project up on Hackaday.io. The contest runs until July 23rd.
Of course, red lasers are only the beginning. If you have enough energy to move electrons into higher orbitals, you can make nearly anything lase. RGB setups can be breathtaking. Powerful IR and UV lasers are real tools. And the DIY side of lasering combines physics and electronics, with a spicy side of danger that needs to be contained.
We love laser builds of all sorts, and we’d like to see yours! Create a new Hackaday.io project that features what you’re working on, and we’ll pick our three favorites for a $150 gift certificate courtesy of this contest’s sponsor, DigiKey.
Honorable Mention Categories:
Lightshow: A laser on its own makes a beam, but there’s so much more to a laser show than just a dot on the wall. If you’ve made your own projector, an RGB setup, or even something super simple with a spinning mirror, show it off here. We’re looking to see laser light beauty, and the machines that make it possible.
DIY: This category is for the laser DIYers out there. If you made your own laser or laser support equipment, be it a TEA laser from scratch, or just a constant current driver to run a diode you salvaged from a projector, we want to see it. Have you resurrected an esoteric old device? Mixed up your own dyes? This category is all about the laser.
With Remaining Eye: Lasers are not all fun and games; they can also do real work. If you’ve built a power laser project, or any functional device that relies on a laser to get the job done, it’s eligible here. Laser cutters, safety setups, data transfer over the light beam? Any laser project that’s not about just looking good fits in here.
If you like to play with the coherent beams, head on over to Hackaday.io and detail your project — and don’t forget to enter it into the contest via the pulldown menu on the left side. If you win, you’ll have $150 to spend on more lasers. (We see you, with our remaining eye.)
The start of summer on the Shore is never subtle. The beach traffic is already stupid, Brooklyn has made its presence felt, and the usual collection of road warriors remain baffled by New Jersey jughandles, as if the state installed them last Tuesday just to ruin their soft-serve pilgrimage. Add Netflix Studios at Fort Monmouth under construction, half the neighborhood torn up, and the constant soundtrack of trucks, cones, dust, and poor life choices, and the appeal of sitting outside with music, a cold ginger beer or Rooibos in hand, and a portable speaker that does not sound like it came free with a hotel rewards program becomes rather obvious.
That brings us to the $250 KEF Muo, the company’s new portable Bluetooth speaker and follow-up to its earlier attempt at this category. KEF is not exactly early here. Sonos, Marshall, JBL, DALI, and Soundcore have been circling this part of the market for years, and some of them have become very good at making compact speakers that can survive patios, kitchens, hotel rooms, and the occasional bad decision near a pool.
The Muo’s angle is different. KEF is leaning on its hi-fi background, Ross Lovegrove’s sculpted industrial design, and a form inspired by the company’s far more exotic Muon loudspeakers. That could have turned into design-office theater, but the engineering story has more substance than the average “premium portable” pitch.
A large racetrack driver handles much of the output, while a dedicated tweeter is used for the top end, giving the Muo a proper two-way driver arrangement rather than asking one small driver to perform musical gymnastics. The company’s Music Integrity Engine DSP suite is tuned specifically for the Muo, with limiter and Dynamic Bass Boost technologies related to the LS60 Wireless.
KEF Muo Technology: Small Box, Real Engineering, No Free Pass
After four nights in Vegas, nonstop work, travel delays, a 24-hour birthday extravaganza for my 13-year-old daughter, and torrential rain that turned the deck into a splash zone, I was more than ready to stand outside and let a portable speaker make some noise.
The KEF Muo did not need much encouragement.
At $249.99 USD, the Muo lands in a very crowded portable Bluetooth speaker category, but KEF is trying to separate it from the usual rubberized bricks with a more serious engineering story. The enclosure is made from recycled plastics sourced from everyday waste, including old bottles and outdated electronics, which gives the Muo a stronger sustainability angle than much of the competition. That does not automatically make it sound better, but it does make the design feel more considered than another disposable Bluetooth box with a logo slapped on the grille.
The new Muo measures 216 x 82 x 59 mm, or roughly 8.5 x 3.2 x 2.3 inches, and weighs 740 grams, or 1.6 pounds. That makes it genuinely portable, but not toy-like. It has enough mass to feel planted on a table, deck rail, or kitchen counter without coming across like something that will rattle itself into the neighbor’s hydrangeas.
Inside, KEF uses a proper two-driver layout. A 20mm tweeter handles the high frequencies, while a 58 x 117mm racetrack driver covers the midrange and bass. That larger racetrack driver is doing the heavy lifting, and KEF supports it with its P-Flex surround, a pleated surround technology also used in the company’s KC62 and KC92 subwoofers. The goal is to help the driver resist internal air pressure and move more accurately, which matters when you are asking a compact speaker to produce bass without turning into a wheezing plastic lunchbox.
Power comes from two Class D amplifiers: 10 watts for the tweeter and 30 watts for the mid/low driver. KEF rates the Muo at a maximum 90 dB SPL at one meter, with a claimed frequency response of 43 Hz to 20 kHz at 85 dB/1m. Those numbers are useful, but the important part is how the Muo behaves when pushed outdoors, where small speakers often lose body, composure, or both.
Battery Life and Weather Resistance: KEF’s Numbers Hold Up…Mostly
The KEF Muo is not just built to sit on a desk and look sculptural. KEF claims up to 24 hours of playback on a full charge, with a full recharge taking about two hours. A 15-minute quick charge is rated for roughly three hours of playback, which is actually useful if you forgot to plug it in the night before heading to the beach, the deck, or wherever you plan to annoy the squirrels with The Clash.
Those battery claims are not fantasy math. I gave the Muo a full charge and let it play until it shut itself down. At a moderate listening level, it lasted 22 hours and 38 minutes. That is close enough to KEF’s 24-hour claim that nobody should be complaining unless they also write angry letters about cereal boxes not being filled to the top.
KEF also rates the Muo for operation between -20°C and 45°C, which gives it a wider usable temperature range than most people will ever test willingly. Winter on the Jersey Shore was especially brutal this year, and we did drop below that mark for more than a week, which is not exactly normal for this part of the world. Even this Canuck was not sadistic enough to stand outside in that kind of cold to test a Bluetooth speaker. I had the good sense to head down to our Florida home for a week just as the snow and misery arrived.
So the cold-weather test will have to wait. Maybe next year.
Rain was another matter. I did stand outside and let the Muo play while it got wet. No drama. No shutdown. No weird behavior. It just kept playing. I would not take it into the shower, even if those old 1970s shower radios deserve their own museum exhibit, but the Muo feels properly robust for outdoor use, damp weather, and normal summer abuse.
It also survived Tyrion the Westie licking it, which is not part of KEF’s published test procedure, but perhaps should be.
KEF Muo: Smarter Connectivity, with One Caveat
Connectivity is handled by Bluetooth 5.4 with aptX Adaptive, SBC, and AAC codec support. The Muo also supports Google Fast Pair and Microsoft Swift Pair for easier setup, while the KEF Connect app handles settings and firmware updates.
Wired playback and charging both run through the USB-C port, which supports up to 48 kHz/24-bit audio depending on the source. That gives the Muo a little more flexibility than the average portable Bluetooth speaker, especially for listeners who still like having a cable option when the wireless world decides to behave like a committee.
Pairing two Muo speakers creates a true stereo setup with defined left and right channels, which is a meaningful upgrade over the pretend “stereo” some portable speakers try to sell with a straight face. KEF only supplied one review sample, so I was not able to test stereo pairing.
Auracast support also allows multiple Muo units to link together for larger setups, but that requires a compatible Android device. I did not have one on hand during testing, so that feature remains untested for this review. Useful on paper, but I’m not pretending I climbed that particular hill.
On the practical side, the built-in microphone supports calls with noise and echo cancellation, and in actual use, it worked better than expected. I called my mother in Florida for the daily weather report and the obligatory “you’ll never guess who died” update, and the Muo held its own.
It took her a few minutes to notice I was not speaking directly through my iPhone, which is probably the highest praise this kind of feature is going to get. She only asked once if I was driving, so the microphone was clearly doing something right. Voices sounded clear enough, background noise was kept under control, and the call quality was perfectly usable for real conversations rather than just emergency “I’ll call you back” moments.
Ross Lovegrove’s Muo Design Still Has Moves
Ross Lovegrove’s influence is obvious the moment you look at the Muo. KEF has borrowed the sculpted language of its much larger Muon loudspeaker and shrunk it into a portable speaker that will not require a forklift, a trust fund, or a very patient spouse. Just wait till she sees the ATC EL50 Anniversary coming in July. So dead. At least I’ll be saving her the price of a pine box.
The build quality leans heavily on aluminum, and KEF offers seven finish options: Silver Dusk, Amber Haze, Orange Moon, Blue Aura, Moss Green, Cocoa Brown, and Midnight Black. My review sample arrived in Moss Green, which looks utterly awesome in person. It has just enough color to stand out without looking like a Bluetooth speaker designed by a sneaker company after three espressos.
Amber Haze, however, does sound suspiciously like an inside joke at KEF. Say it quickly and it lands a little too close to Amber Waves from Boogie Nights. No judging. Greatest movie. Moving on.
Placed horizontally beneath the front of my iMac, the Muo produced a soundstage that was slightly wider than the cabinet itself. DSP is clearly part of the equation, but KEF uses it carefully. The presentation sounded open for a speaker this size without becoming thin, hollow, or obviously processed.
Outside, I preferred the Muo in its vertical orientation. It projected sound farther, held together better in open space, and made more sense when the goal was getting music beyond the immediate patio zone. The design may be the hook, but the orientation sensing is not just a brochure bullet. It changes how the speaker behaves in real use.
Listening
After downloading the KEF Connect app and completing the required firmware update, I spent time moving between TIDAL and Qobuz to get a better sense of how the Muo behaved with different material.
One thing stood out rather quickly: the Muo sounds better at lower listening levels than a lot of Bluetooth speakers I have reviewed. That includes the Bose Lifestyle Ultra Speaker I covered recently, which needed more volume before it really started to open up.
The KEF was different. Listening late at night in the kitchen with my laptop and the Muo positioned vertically off to the left, the speaker remained clear, detailed, and composed at roughly 25% volume. That matters, because not every portable speaker sounds balanced when you are trying to listen without waking the house or alerting the neighbors that Dolly Parton has returned to the premises.
Bass impact does take a hit at lower volume, and nobody should buy the Muo expecting it to behave like a small subwoofer with buttons. It is not a bass monster, and I’m fine with that because it gets so much of the rest right. You can add some low-end weight through the KEF Connect app, but it is not going to rattle your teeth. Not its bag.
The Black Keys’ “Little Black Submarines” and Metallica’s “Nothing Else Matters” made for an interesting contrast.
Dan Auerbach’s vocals and guitar were clean, focused, and presented slightly forward, almost on the same plane as the front of the speaker. Presence was very good, and the Muo did a solid job preserving the tone of the acoustic guitar without making it sound thin or brittle.
When Patrick Carney’s drums entered, the Muo kept the pacing together, but the impact was a little soft and hazy around the edges. That took away some of the spaciousness and clarity the track builds toward. Sub bass was not the Muo’s strength here, which is hardly shocking given the size of the enclosure. Nobody is mistaking this for a portable subwoofer unless they also think gas station sushi is a calculated risk.
Switching to Metallica, James Hetfield, Lars Ulrich, and company came across with better definition. “Nothing Else Matters” sounded spacious and clear, with stronger separation and a more convincing sense of scale. The lower bass still leaned soft, but the Muo sounded more composed on this track, with improved definition through the midrange and better overall control.
Because I was in that kind of mood, I moved over to a Batman theme: Nirvana’s “Something in the Way” and Michael Giacchino’s “The Batman.” After a long day, both felt appropriate.
Giacchino’s score for the Pattinson version of the Dark Knight is especially strong, and I often listen to it at night driving back from Gotham — I mean New York City — while passing the West Side of Manhattan and thinking about someone I probably should not be thinking about. And you thought Bruce Wayne had emotional baggage.
The Muo carried both selections well. “Something in the Way” sounded spacious and suitably restrained, with enough texture in Kurt Cobain’s voice and the surrounding atmosphere to make the track work at lower volume. The KEF did not overplay the darkness or smear the midrange, which matters with a song that can collapse into murk on small speakers.
Giacchino’s “The Batman” had a convincing sense of space and mood, although the same limits in deeper bass were still apparent. The Muo can suggest weight, but it does not deliver the full low-end menace of that score. Still, the presentation was emotionally satisfying enough to pull me in and leave me staring out into the dark, wondering where she is. Batman had Gotham. I had a Bluetooth speaker and a bag of biltong as cold comfort.
Switching over to Dolly Parton, Amy Winehouse, and Depeche Mode made one thing very clear: the Muo is genuinely confident with the human voice.
Dolly’s “I Will Always Love You” and Depeche Mode’s “Somebody” showed that in very different ways. The Muo handled Dolly’s vocal tone, phrasing, and that unmistakable quiver with enough clarity and presence to make the song land emotionally. When she reaches higher, the speaker does not turn hard or glassy, which is where a lot of compact wireless speakers start behaving badly and hope nobody notices.
Amy Winehouse was another strong fit. The Muo gave her voice body and texture without pushing it too far forward or sanding off the edges that make her delivery so compelling. There was enough punch to keep the arrangements moving, but the focus stayed where it should: on the voice.
Depeche Mode’s “Somebody” was more intimate and exposed, and the KEF did a solid job keeping the vocal centered, clear, and tonally believable. It is not a speaker that overwhelms you with bass weight, but voices are another story.
I finished with a smattering of Aphex Twin, Kraftwerk, Nick Cave, and Deadmau5, which gave the Muo a different kind of workout.
Electronic music played to a lot of its strengths. The presentation was spacious, pacing was very good, and synth lines had enough snap and texture to keep the music moving. It handled pulsing rhythms well without sounding congested, even when the tracks became more layered.
Kraftwerk and Deadmau5 both confirmed that the Muo is more comfortable with speed, clarity, and spatial information than outright low-end punishment. Synths hit cleanly and with decent weight, but the deepest bass was still the obvious limitation. That is the tradeoff here. You get control and openness, not chest compression.
Nick Cave’s “Avalanche” was a pleasant surprise. The Muo filled my kitchen with more piano weight than I expected from a portable Bluetooth speaker, and Cave’s voice had enough body and presence to keep the track from sounding thin. No, it did not create the tonal scale or dimensionality of a properly set up stereo pair, but for a compact speaker sitting in a kitchen, it was impressively composed.
Moving the Muo outside produced three consistent impressions. First, it projects farther and wider than its size suggests. My backyard is roughly 150 feet by 100 feet, and with the speaker positioned on the deck railing, I could hear it clearly in all four corners. Second, it does have some volume limits compared to larger portable Bluetooth speakers I’ve used, but it still played loud enough for how I would actually use it. Third, sub bass remains the main weakness. The Muo can fill space, throw sound, and stay clear outdoors, but it is not going to turn the yard into a club. And frankly, neither are most of your neighbors.
The Bottom Line
The KEF Muo is not the portable speaker to buy if your priority is chest-thumping bass or party-level output. Sub bass is its clearest limitation, and while the strap is useful, the aluminum build gives it enough heft that I would rather toss it in a backpack than carry it around by hand all day.
But the Muo gets the important things right. It sounds clear at lower volumes, throws a surprisingly wide soundstage for its size, handles voices with real confidence, and projects well outdoors without falling apart. The orientation-aware DSP actually matters, the build quality is excellent, and the weather resistance makes it a practical speaker for kitchens, decks, beaches, and weekends where nobody checked the forecast.
A stereo pair could make a very compelling office or bedroom system, especially for listeners who want something cleaner, better built, and more refined than the usual rubberized Bluetooth brick.
It is not perfect, but it pressed almost every button on my portable speaker list. And unlike a lot of design-first audio products, the Muo does not forget that it still has a job to do.
Pros:
Clear, detailed sound at lower listening levels
Excellent vocal clarity and tone
Wide soundstage for its size
Orientation-aware DSP works well
Premium aluminum build quality
Strong real-world battery performance
Solid weather resistance
Superb value for the money
Cons:
Sub bass is limited
Not as loud as some larger portable Bluetooth speakers
Earlier this month, xAI signed a major compute deal with Anthropic, pledging billions of dollars a month for exclusive use of the company’s Colossus cluster. It was a coup for both companies, giving xAI some much-needed revenue and helping Anthropic catch up in the never-ending race for compute.
But this morning on X, Elon Musk downplayed exactly how much SpaceX had committed to the deal.
“SpaceX has not committed to leasing Colossus for years, although it’s possible that may be what happens,” he said, replying to a user. “This is a 180 day lease with 90 day notice mutual cancellation thereafter. The short term was our request, not Anthropic’s. We won’t leave them hanging and will provide a reasonable off-ramp, but if compute gets super tight I said we might need it back at some point.”
Musk’s statement directly contradicts SpaceX’s recent S-1 filing, which confirms the standard 90-day cancellation but presents the deal as a three-year agreement. Page F-62 of the filing reads:
On May 3, 2026, the Company entered into a cloud services agreement with Anthropic PBC, an AI research and development public benefit corporation, with respect to access to compute capacity. Pursuant to this agreement, the customer has agreed to pay a monthly fee through May 2029, with capacity ramping in May 2026 at a reduced fee. The agreement may be terminated by either party upon 90 days’ notice. The customer will retain ownership and intellectual property rights in its content, AI models, and related data.
The key point here is that Anthropic “has agreed to pay a monthly fee through May 2029” — a pretty straightforward description of a three-year lease. The same language is repeated on F-96 and in slightly varied form (“the customer has agreed to pay us $1.25 billion per month through May 2029”) on pages 13 and 146, so it’s not as if there was a typo.
xAI did not respond to a request for clarification.
Maybe we can quibble about whether Anthropic agreeing to pay for a service means the same thing as SpaceX agreeing to provide that service, but that’s not usually what “lease” means. And why have a one-way lock-in if either party can terminate the deal with three months’ notice anyway?
I don’t have the deal in front of me, so I don’t know what it says — and neither SpaceX nor Anthropic is saying anything about the duration of the deal in their announcements. Still, there should be a pretty straightforward fact of the matter here, and it’s not the sort of thing you want to make false statements about during a company’s quiet period.
As always, we should note that the SEC probably will not do anything — and even if they did, Elon probably wouldn’t care. But this sort of does seem like a material misrepresentation made while marketing a security, which is bad karma at the very least.
Sean O’Kane contributed reporting to this article.
MSPs are flooded with security alerts every day, yet many still struggle to separate operational noise from the threats that actually put customers at risk.
One of the biggest reasons is tool fragmentation. When security tools operate in silos, they often create duplicate alerts, blind spots and incomplete context.
Instead of gaining improved visibility, MSPs are left piecing together information across multiple consoles just to understand what’s happening in a client’s environment.
The impact goes beyond security. For MSPs trying to grow, retain clients and compete against larger providers, alert fatigue and operational inefficiency are becoming business problems too. That is why the conversation around unified security platforms such as SIEM has become increasingly crucial.
Fragmented security stacks create security gaps
Most MSP security stacks evolved gradually over time. One tool was added for endpoint visibility, another for cloud monitoring and another for email security or network traffic analysis.
Individually, these tools may generate useful detections, but they rarely work together in a meaningful way.
For example, a suspicious login may appear in an identity tool, unusual PowerShell activity may trigger an endpoint alert and outbound traffic spikes may show up in a network monitoring platform.
Viewed separately, each event may seem low priority. But together, they could indicate an attacker has compromised credentials, established persistence and started moving laterally across the environment.
MSPs are not losing visibility because they lack tools. They are losing visibility because the tools are not working together.
Why SIEM has become essential for MSPs
Modern attacks rarely remain confined to a single area of the environment. Threat actors move between systems, user accounts, cloud applications and connected infrastructure as part of the same attack.
A modern SIEM changes that by giving MSPs a centralized view of activity across the entire environment while automatically correlating related events into a single investigation workflow.
Instead of technicians manually pivoting between consoles and chasing disconnected alerts, the platform connects signals into a cohesive attack narrative with the context teams need to act quickly.
For lean MSP teams, that becomes a force multiplier.
Investigations move faster because technicians no longer waste hours reconstructing timelines across disconnected platforms.
Threats are easier to identify because suspicious behavior can be tracked across multiple attack surfaces rather than being hidden in isolated alerts.
Teams spend less time chasing noise and more time responding to incidents that could impact clients.
Automated correlation and response reduce manual workloads, helping MSPs improve efficiency without constantly adding headcount.
That visibility is critical for reducing alert fatigue. Rather than overwhelming teams with isolated notifications and duplicate investigations, SIEM helps filter noise, prioritize meaningful incidents and surface the threats that require attention.
Kaseya’s 2026 State of the MSP Report found that winning new clients is becoming harder, competition is increasing and differentiation is difficult when most MSPs offer similar service stacks. Security, however, remains one of the few areas where MSPs have a growth opportunity.
Clients are paying closer attention to security maturity, response capabilities, compliance readiness and operational resilience. That creates a major opportunity for MSPs that can position security as more than just another toolset.
SIEM sits at the center of that conversation because it helps MSPs improve both security outcomes and operational efficiency at the same time.
The key is learning how to position that value correctly.
Make the invisible visible. Most clients assume they are protected because they have antivirus and a firewall. Show them — with a demo or a report — how many signals their environment generates across endpoints, cloud and identity that go uninvestigated without unified visibility. The gap becomes real the moment they can see it.
Sell confidence, not coverage. The question your clients are really asking is, “If something happens, will you catch it?” Your pitch should answer that question directly. Unified detection, automated response and 24/7 SOC support mean the answer is yes, and you can prove it.
Bundle it as a business continuity conversation. Cyber insurance providers, regulators and enterprise procurement teams increasingly require demonstrable security posture. Positioning SIEM not just as protection but as a compliance and insurability enabler makes it a business necessity rather than a cost.
MSPs that can connect security operations to measurable business outcomes will become far harder to replace and far less likely to compete on price alone.
Closing the detection gap with Kaseya SIEM
MSPs are often forced to choose between two difficult options. Traditional enterprise SIEM platforms can be expensive, complex to manage and difficult for lean teams to fully operationalize.
On the other hand, lightweight managed alternatives may simplify operations but often come with visibility, customization and response limitations.
The result is a frustrating tradeoff. Overpay for complexity that many teams cannot effectively use or settle for tools that cannot deliver full visibility into modern threats.
MSPs need a middle ground that provides enterprise-grade detection and response capabilities without adding overwhelming operational overhead.
Unified visibility: With visibility across more than 60 data sources, Kaseya SIEM unifies endpoint, network and cloud telemetry into a single dashboard with automated response capabilities and 24/7 SOC support built in.
Fast automated response: Kaseya SIEM helps MSPs react in minutes instead of hours with automated response actions that work across cloud and endpoint environments simultaneously. Teams can isolate devices, block accounts, flag suspicious sessions and trigger response workflows automatically.
Smarter investigations with AI: Kaseya SIEM uses AI to simplify investigations and reduce alert fatigue for MSP teams. Its AI-powered interrogation chatbot allows technicians to query security data using natural language, while behavior-based detections help uncover suspicious activity that traditional rules-based systems may miss.
Proactive security recommendations: The platform can also recommend alert suppressions for known-good behavior, surface indicators of compromise, suggest PowerFilters to reduce noise and provide Microsoft tenant hardening recommendations to proactively strengthen security posture.
Turning signals into answers
The signals are already there.
In most breach postmortems, the indicators existed in the logs long before the incident escalated. The problem was that no one connected them fast enough to act.
The MSPs that will stand out are those that can reduce noise, improve visibility and turn disconnected alerts into actionable insights.
The U.S. Department of Defense has confirmed that adversaries have targeted and surveilled serving military personnel on the battlefield using commercial location data, the latest demonstration of how information collected from phones and computers can be abused to track and target individuals.
In a letter shared by Sen. Ron Wyden with TechCrunch, U.S. Central Command said it was aware of hostile actors using purchased location data to track U.S. servicemembers.
“USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” the letter reads.
The letter did not provide examples or specifics, and a spokesperson for the Department of Defense did not return a request for comment.
Location data is often collected from phones and computers through online advertising, which then gets bought by data brokers, who then sell the data on the open market. Governments and militaries, including the United States, have purchased this data in the past without obtaining a warrant. In recent years, the FBI has warned consumers to use ad blockers as a way to minimize the amount of data that apps, websites, and other software can collect.
Wyden told Reuters that it was time to “start treating the adtech industry as a national security threat.”