Maintainers of Last Resort

Filippo Valsorda founded Geomys last year as an "organization of professional open source maintainers", providing maintenance and support for critical packages in the Go language ecosystem backed by clients in retainer relationships.

This is an inspiring and optimistic model for financially sustaining key open source projects, and it appears to be working really well.

Most recently, Geomys have started acting as a "maintainer of last resort" for security-related Go projects in need of new maintainers. In this piece Filippo describes their work on the bluemonday HTML sanitization library - similar to Python's bleach, which was deprecated in 2023. He also talks at length about their work on CSRF for Go after gorilla/csrf lost active maintenance - I'm still working my way through his earlier post on Cross-Site Request Forgery, trying to absorb the research shared there about the best modern approaches to this vulnerability.

Via lobste.rs

Tags: csrf, go, open-source, security, filippo-valsorda

Read the whole story
rosskarchner
23 hours ago
reply
Share this story
Delete

LLMs vs. Geolocation: GPT-5 performs worse than other AI models


In June, Bellingcat ran 500 geolocation tests, comparing LLMs from various companies against each other, as well as Google Lens – a staple tool for finding the location of photos.

At the time, ChatGPT o4-mini-high emerged as the clear winner, with Google Lens outperforming most other models. Just two months later, with new versions of these AI tools available, we re-ran the trial – this time including Google “AI Mode,” GPT-5, GPT-5 Thinking, and Grok 4 into the mix.

These five photos were excluded from our most recent trial as they were published in our previous article.

The original test used 25 of Bellingcat’s own holiday photos. From cities to remote countryside, the images included scenes both with and without recognisable features – such as roads, signage, mountains, or architecture. Images were sourced from every continent.

For the updated trial, five test photos were excluded, as they had appeared in a previous article, thus compromising the integrity of the results.

All 24 models’ responses were ranked on a scale from 0 to 10, with 10 indicating an accurate and specific identification (such as a neighbourhood, trail, or landmark) and 0 indicating no attempt to identify the location at all.

Google AI Mode was shown to be the most capable geolocation tool overall.

Grok 4 gave both better and worse answers compared to Grok 3 but, on average, scored marginally higher. However, it was still less accurate than older versions of Gemini and GPT.

GPT-5, even in 'Thinking' and 'Pro' modes, was a considerable downgrade when compared with the capabilities demonstrated by GPT o4-mini-high. In one example, of a city street with skyscrapers in the background, o4-mini-high correctly identified the street, while GPT-5 in Thinking mode pointed to the wrong country.

Despite delivering faster answers, GPT-5 appeared to sacrifice accuracy. A surprising number of errors and a general sense of disappointment in the new model have also been reported by other users.

Bellingcat tested GPT-5 and its 'Thinking' mode via the Plus subscription, which costs roughly the same as access to o4-mini-high prior to its retirement. Five of the most difficult test images were also run through GPT-5 Pro. But even Pro, with a premium price tag of €200 per month, failed to geolocate the photos any more accurately than GPT o4-mini-high.

A Beach, a Hotel and a Ferris Wheel

The disparity between Google and the GPT models became even more apparent in Test 25 – a photo of a shoreline hotel in Noordwijk, the Netherlands, with a Ferris wheel rising just beyond the dunes.

Test 25: A photo of Noordwijk beach in the Netherlands. Credit: Bellingcat.

In the previous trial, most older models – including those from GPT, Claude, Gemini and Grok – accurately identified the country as the Netherlands but failed to locate the town. Many latched onto the Ferris wheel but pointed instead to the seaside town of Scheveningen, which also has a Ferris wheel, though situated on a pier, not among the sand dunes.

However, the most recent models, GPT-5 Pro and Thinking, were even less accurate, identifying a beach in France – an entirely different country.

Unfortunately for open source researchers, following the release of GPT-5, OpenAI removed the option to select older models such as o4-mini-high. After a wave of negative feedback, OpenAI reinstated GPT-4o as the default model for paid subscribers. However, the most capable geolocation models identified in Bellingcat’s testing remain inaccessible.

Google AI Mode, on the other hand, was the first, and only model so far, to correctly identify Noordwijk as the location in Test 25.

Though AI Mode is powered by a version of Gemini 2.5, it outperformed Gemini 2.5 Pro Deep Research in these tests. Described by Google as its “most powerful AI search, with more advanced reasoning and multimodality,” AI Mode geolocated test images with greater accuracy than any GPT models, including our previous winner, o4-mini-high.

AI Mode is currently only available in India, the United Kingdom and the United States.

The majority of models, at some point, returned a hallucination. Users should not rely solely on the answers provided by LLMs. Even the best options, including Google AI Mode, still, at times, confidently point to the wrong location.

The difference in models’ capabilities compared with just two months ago shows how quickly this field is evolving. However, OpenAI’s recent changes also suggest that progress is not guaranteed, and that AI’s ability to geolocate may plateau or even worsen over time. As new models emerge, Bellingcat will continue to test them.

Thanks to Nathan Patin for contributing to the original benchmark tests.


Leak Reveals the Workaday Lives of North Korean IT Scammers

Spreadsheets, Slack messages, and files linked to an alleged group of North Korean IT workers expose their meticulous job-planning and targeting—and the constant surveillance they're under.

Mystery Solved After 50 Years: FCPD Identifies Victim in 1970s Cold Case

Fairfax County, VA—Detectives from our Major Crimes Bureau Cold Case Squad have solved the mystery of a child found deceased in 1972 in Massey Creek, under the Old Colchester Bridge in Lorton. The child has been identified as Carl Matthew Bryant. The identification was made possible through advanced DNA testing and forensic-grade genome sequencing provided by Astrea Forensics.

Astrea Forensics developed a DNA profile suitable for genetic genealogy, which Innovative Forensic Investigations used to identify a possible relative of John Doe. After extensive research and calls, detectives traced John Doe’s family to Philadelphia, PA. With help from the Philadelphia Police Department, they contacted a relative who led them to John Doe’s mother, Vera Bryant. Bryant died in 1980, and a family member said she had two sons, Carl and James, and planned to travel from Philadelphia to Virginia in 1972. Vera’s body was exhumed, and DNA submitted to Astrea Forensics confirmed a match.

Discovery and Initial Investigation

On June 13, 1972, the body of a young boy was found in Massey Creek under the Old Colchester Road Bridge in Lorton. An autopsy revealed that the cause of death was blunt force trauma, ruling the death a homicide. With no immediate leads, a local church group gave the unidentified child the name “Charles Lee Charlet” and arranged for his burial at Coleman Cemetery in Alexandria, VA. The case remained unsolved for over 50 years.

Breakthroughs and DNA Technology

  • 2003: The National Center for Missing and Exploited Children (NCMEC) created a computer-generated sketch. Several tips came in but yielded no viable leads.
  • 2004: Hair evidence was discovered in the case file and sent to the FBI. Mitochondrial DNA was extracted and entered into the national database, but no matches were found.
  • 2016: Two potential leads of missing children, Soloman Rose and George Barksdale, were ruled out via DNA.
  • Genealogy Efforts Begin: Due to the limitations of mitochondrial DNA, detectives needed nuclear DNA. Detectives sought legal authorization to exhume the body, but poor cemetery records and a storm had erased the burial markers of John Doe.
  • DNA Extraction from Hair: After locating hair samples, Astrea was able to extract a DNA profile from just a few millimeters of hair—far less than typically required.

Genetic Genealogy Leads to a Family

  • Genetic Genealogy Match: Detectives traveled to Philadelphia to speak with family, and it was confirmed that Vera Bryant had a 4-year-old son, Carl Matthew Bryant, who disappeared after leaving for Virginia in 1972.
  • Philadelphia Investigation: DNA from relatives and Carl’s suspected father was collected, along with birth certificates and historical records. Detectives then exhumed Vera Bryant’s body to confirm the maternal link. George Mason University provided support in preparing the evidence for submission to Astrea Forensics.
  • Final DNA Match: After multiple failed attempts (due to preservation issues), DNA was successfully extracted from a portion of Vera’s remains by Astrea. On July 1, John Doe was confirmed to be Carl Matthew Bryant, born May 26, 1968.

Homicide Investigation Continues

Detectives believe that Vera Bryant and her boyfriend James Hedgepeth, both now deceased, were involved in the murder of Carl. Detectives also suspect that Carl’s infant brother, James Bryant, was killed around the same time. The events are believed to have occurred somewhere between Philadelphia, PA and Middlesex County, VA.

James Hedgepeth was previously convicted of murder and had a violent criminal history.

Above is a map of the route James Hedgepeth and Vera Bryant possibly drove when traveling to Virginia. The whereabouts of James Bryant (6 months old) are unknown, and he is presumed dead. Detectives believe James’ body could have been discarded somewhere along this route.

A Collaborative Effort

This case could not have been solved without the tireless dedication and partnership of multiple organizations across jurisdictions. The Fairfax County Police Department would like to extend our deepest appreciation to the following agencies and individuals for their crucial roles in bringing closure to this decades-old case:

  • National Center for Missing and Exploited Children (NCMEC)
  • Astrea Forensics
  • Innovative Forensic Investigations (IFI)
  • Philadelphia Police Department
  • Philadelphia Medical Examiner’s Office
  • Office of the District Attorney, City of Philadelphia
  • George Mason University
  • Federal Bureau of Investigation (FBI)
  • Greenmount Cemetery, Philadelphia
  • Jones Funeral Home, Philadelphia
  • Coleman Cemetery, Alexandria, VA
  • The Bryant Family

Detectives are asking for the public's help. If you remember this family, or if any law enforcement agency has recovered or documented unidentified infant remains from the 1970s, especially in Virginia or the Philadelphia area, please call our Major Crimes Bureau at 703-246-7800, option 2. Tips can also be submitted anonymously through Crime Solvers by phone – 1-866-411-TIPS (866-411-8477) – or online. Download the 'P3 Tips' App "Fairfax Co Crime Solvers." Anonymous tipsters are eligible for cash rewards. Please leave contact information if you wish for a detective to follow up with you.

Victim specialists from our Major Crimes Bureau's Victim Services Division have been assigned to ensure the victim's family is receiving appropriate resources and assistance.

For ongoing updates, please read our blog and follow us on Twitter, Facebook, and Instagram at @FairfaxCountyPD.


Mineral Hurricane


I recently had the pleasure of attending a press preview of the new documentary Architecton, directed by Victor Kossakovsky and released last week by A24.

Surreally, the screening I attended was held inside a Cedars-Sinai medical-imaging center in west Los Angeles. Seeing this particular film, with its intensely granular focus on the geological underpinnings of the built environment, amidst diagnostic tools designed for peering inside the human body seemed strangely appropriate.

I imagine that, if you were simply to wander into a room where Architecton was playing, it would very likely appear to be a film about geology: about rocks and mountains, quarries and mines, and the raw streams of matter that create and emerge from them.

There is an extraordinary early sequence, for example, from which the stills in this post were taken, where Kossakovsky captures a landslide. We watch as increasingly large rocks, from sand to gravel to room-sized blocks to immense boulders, all flow downhill in slow motion, crashing into one another, exploding, ricocheting, and splitting apart.

It looks for all the world like an oceanic phenomenon—a series of waves, not a solid planet at all, as if the Earth has begun to boil and heave with liquefaction.

The sequence then fades into what I believe is an aerial drone shot of the same landslide, but the visuals here become almost astronomical in their power and beauty, as if Architecton had somehow captured a proto-planetary storm of partially aerosolized rock. It looks like you’ve woken up inside the asteroid belt—or perhaps what J.M.W. Turner would have depicted if he had traveled in space. Not landscapes but nebulae.

There is something so elemental, even infernal, in this sequence, verging on the cosmic: glimpsing how the Earth itself was assembled through a billion-year maelstrom of mineral hurricanes, spherical landslides, and weather systems made entirely of geology.

Later, the camera lingers over detonations in the walls of strip mines. We watch rocks being bounced and agitated on conveyor belts, wet with leachate and acid. At one point, the camera stares into a minimalist doorway, cut like an Etruscan tomb, through which rocks tumble to be processed as abyssal red embers glow.

It's just a mine, of course, but Kossakovsky has made it look like an alchemical complex, a brutalist oven in which all things planetary can be melted and enhanced, sluiced off and purified, distilled into a purely economic form. It is brute oceanic metallurgy.

It’s these early sequences that I could have watched literally for hours. It was also these scenes that felt so perfect for the unlikely setting in which the film was being screened that day, knowing that, as we all sat there, people in the rooms around me were getting CT scans, MRIs, and X-rays.

But the movie takes a more architectural turn here, increasingly focused on buildings and cities, on archaeological sites and ruins. We see residential towers in Ukraine, for example, ripped open by Russian missiles and drone-bombs, and then earthquake-damaged apartments undergoing demolition and clearance, followed by landfill-dumping operations so large they look like attempts at terraforming.

These are intercut with the film’s only speaking sections, where we watch architect Michele De Lucchi supervise the construction of a small rock circle in his garden. A light snow falls and hazy mountains are visible in the background. The scenes are meditative and calming.

At one point, De Lucchi's circle is visually rhymed with an all-too-brief aerial glimpse of what I believe is the Richat Structure in Mauritania, continuing the film's play on form and organization, as if rocks have within them a natural capacity to resemble storms and hurricanes—as if everything we believe to be solid is, in fact, made of vortices and waves.

And this is all perfectly enjoyable; I was mesmerized.

But the film ends on a strange note. Despite appearing—to me—to be a documentary about the Earth, geology, and elemental form—about the human relationship with matter and our attempts to control it—Architecton concludes with a somewhat head-spinning turn in which the director himself appears on screen and asks De Lucchi, in person, why humans now construct such ugly buildings.

The question felt totally out of the blue to me and, frankly, irrelevant to the rest of the documentary. Either I had misunderstood everything I'd seen leading up to that point, or perhaps Kossakovsky had felt pressured to deliver some sort of easy takeaway, an interpretation or rhetorical question that critics could discuss after viewing.

Speaking only for myself, what I wanted to discuss as I walked out of the cinema was not whether we should build fewer glass towers in Milan, but whether or not we understand what the Earth really is; whether landslide dynamics repeat, in miniature, the formational mechanics of rocky planets in the early solar system; or whether our cultural—and, yes, architectural—encounters with rock, especially in the form of mines and quarries, might force us to reevaluate how we define humanism in the first place. Some people think literature makes us human, but what if it’s actually metallurgy?

In the end, it was as if someone had created a 100-minute-long Rorschach test, composed of extraordinarily beautiful imagery of landslides and rocks, only to spring out from behind a screen and tell us that, this whole time, he had been thinking about classical architecture.

Nevertheless, the film is worth checking out—and I'd recommend doing so in a theater while you can, for the sheer scale of what Kossakovsky depicts.

(Thank you to A24 for providing the stills that appear in this post.)


LinkedIn Joins The Parade Of Cowards: Quietly Strips Anti-Trans Protections To Appease MAGA Mob


Microsoft-owned LinkedIn has quietly joined the parade of tech giants rolling back basic protections for transgender users, removing explicit prohibitions against deadnaming and misgendering from its hate speech policies this week. The change, first spotted by the nonprofit Open Terms Archive, eliminates language that previously listed “misgendering or deadnaming of transgender individuals” as examples of prohibited hateful content.

LinkedIn removed transgender-related protections from its policy on hateful and derogatory content. The platform no longer lists “misgendering or deadnaming of transgender individuals” as examples of prohibited conduct. While “content that attacks, denigrates, intimidates, dehumanizes, incites or threatens hatred, violence, prejudicial or discriminatory action” is still considered hateful, addressing a person by a gender and name they ask not be designated by is not anymore.

Similarly, the platform removed “race or gender identity” from its examples of inherent traits for which negative comments are considered harassment. That qualification of harassment is now kept only for behaviour that is actively “disparaging another member’s […] perceived gender”, not mentioning race or gender identity anymore.

The move is particularly cowardly because LinkedIn made the change with zero public announcement or explanation. When pressed by a reporter at The Advocate, the company offered the classic corporate non-answer: “We regularly update our policies” and insisted that “personal attacks or intimidation toward anyone based on their identity, including misgendering, violates our harassment policy.”

But here’s the thing: if your policies haven’t actually changed, why remove the explicit protections? Why make it harder for users and moderators to understand what’s prohibited? The answer is as obvious as it is pathetic: LinkedIn is preemptively capitulating to political pressure in this era of MAGA culture war.

This follows the now-familiar playbook we’ve seen from Meta, YouTube, and others. Meta rewrote its policies in January to allow content calling LGBTQ+ people “mentally ill” and portraying trans identities as “abnormal.” YouTube quietly scrubbed “gender identity” from its hate speech policies, then had the audacity to call it “regular copy edits.” Now LinkedIn is doing the same cowardly dance.

What makes this particularly infuriating is the timing. These companies aren’t even waiting for actual government threats. They’re just assuming that sucking up to the Trump administration’s anti-trans agenda will somehow protect them from regulatory scrutiny. It’s the corporate equivalent of rolling over and showing your belly before anyone even raises their voice.

And it won’t help. The Trump administration will still target them and demand more and more, knowing that these companies will just roll over again.

And let’s be clear about what deadnaming and misgendering actually are: they’re deliberate acts of dehumanization designed to erase transgender people’s identities and make them feel unwelcome in public spaces. When platforms explicitly protect against these behaviors, it sends a message that trans people belong in these spaces. When they quietly remove those protections, they’re sending the opposite message. They’re saying “we don’t care about your humanity, and we will let people attack you for your identity.”

LinkedIn’s decision is especially disappointing because professional networking platforms should be spaces where people can present their authentic selves without fear of purely hateful harassment. Trans professionals already face discrimination in hiring and workplace environments. The last thing they need is for LinkedIn to signal that it’s open season for harassment on its platform.

The company is trying to argue that it still prohibits harassment and hate speech generally. But vague, general policies are much harder to enforce consistently than specific examples. When you remove explicit guidance about what constitutes anti-trans harassment, you make it easier for bad actors to push boundaries and harder for moderators to draw clear lines.

This is exactly the wrong moment for tech companies to be weakening protections for vulnerable communities. Anti-trans rhetoric and legislation have reached fever pitch, with the Trump administration making attacks on transgender rights a central part of its agenda. This is when platforms should be strengthening their commitment to protecting people from harassment, not quietly rolling back safeguards.

Sure, standing up for what’s right when there’s political pressure to do otherwise is hard. But that’s exactly when it matters most. These companies have billions in revenue and armies of lawyers. If anyone can afford to take a principled stand, it’s them.

Instead, we’re watching them fold like cheap suits at the first sign of political headwinds. They’re prioritizing their relationships with authoritarian politicians over the safety of their users. And they’re doing it in the most cowardly way possible: quietly, without explanation, hoping no one will notice.

The message this sends to transgender users is clear: you’re expendable. Your safety and dignity are less important than our political calculations. And that message isn’t just coming from fringe platforms or obvious bad actors—it’s coming from mainstream services owned by some of the world’s largest companies.

This isn’t just bad for transgender users. It’s bad for everyone who believes that online spaces should be governed by consistent principles rather than political opportunism. When platforms start making policy decisions based on which way the political winds are blowing, they undermine their own credibility and the trust users place in them.

Hell, for years, all we heard from the MAGA world was how supposedly awful it is when platforms make moderation decisions based on political pressure.

Where are all of those people now?

The irony is that these companies are probably making themselves less safe, not more. By signaling that they’ll cave to political pressure, they’re inviting more of it. Authoritarians don’t respect weakness—they exploit it.

LinkedIn, Meta, YouTube, and the rest need to understand: there’s no appeasing the anti-trans mob. No matter how many protections you strip away, it will never be enough. Stick to your principles and protect your users regardless of political pressure.

But instead of showing backbone, these companies are racing to see who can capitulate fastest. It’s a disgraceful display of corporate cowardice at exactly the moment when courage is most needed.

We all deserve better than watching supposedly values-driven companies abandon their principles the moment it becomes politically inconvenient to maintain them.
