Comments on: Identicons

Identicons

delmoi — Sun, 28 Jan 2007 15:12:11 -0800

Identicons are small graphic representations of IP address.

By: odinsdream

odinsdream — Sun, 28 Jan 2007 15:18:56 -0800

Pretty nifty - what's the mathematical chance of collisions, though?

By: Smart Dalek

Smart Dalek — Sun, 28 Jan 2007 15:19:35 -0800

How long before these get spoofed? How many people on a number of online gathering places would take the time to even detect such an exploit?

By: Mach5

Mach5 — Sun, 28 Jan 2007 15:26:10 -0800

I saw this on codinghorror, really neat idea, although I'm not quite sure how much real world use for it there is. There's also MonsterID and Visiglyphs.

By: thirteenkiller

thirteenkiller — Sun, 28 Jan 2007 15:29:05 -0800

Mine is the coolest, except for all the swastika ones.

By: delmoi

delmoi — Sun, 28 Jan 2007 15:43:43 -0800

this one probably looks the most like a swastika, including being red, and belonging to a poor German proxy server :P.

By: knave

knave — Sun, 28 Jan 2007 16:00:02 -0800

BeautifulUniqueSnowflakeFilter

By: Foosnark

Foosnark — Sun, 28 Jan 2007 16:01:03 -0800

I guess if you're spoofing your IP address, it would be a Decepticon.

By: vacapinta

vacapinta — Sun, 28 Jan 2007 16:02:48 -0800

BeautifulUniqueSnowflakeFilter posted by knave at 4:00 PM PST on January 28 Yeah, after about the 10th comment, it was clear the appeal of the thing seemed to be equivalent to one of those Internet quizzes such as 'Which Smurf are you?'

By: baphomet

baphomet — Sun, 28 Jan 2007 16:07:22 -0800

Gargamel.

By: anomie

anomie — Sun, 28 Jan 2007 16:41:42 -0800

Pretty nifty - what's the mathematical chance of collisions, though? From http://www.cryptography.com/cnews/hash.html Q: How hard would it be to find collisions in SHA-1? A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations. It only uses 4 bytes of SHA-1, however, so although not as rare, collisions would still be fairly uncommon. It would be sweet if it used the full 20 for complete insurance of uniqueness.

By: empath

empath — Sun, 28 Jan 2007 16:48:57 -0800

he should probably use a different kind of symmetry to avoid all those swastika icons. maybe 6-sided?

By: kyleg

kyleg — Sun, 28 Jan 2007 17:10:15 -0800

I'm impressed, that is actually kind of awesome. I wonder who's going to be the first to bug Matt for this pony?

By: vacapinta

vacapinta — Sun, 28 Jan 2007 18:09:16 -0800

Its still a privacy concern. If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.

By: delmoi

delmoi — Sun, 28 Jan 2007 18:31:51 -0800

Actually the hashing of IP addresses is not really a very good way to protect them. IP addresses are each only 32 bits, and don't have that much entropy anyway (i.e. some patterns are more likely then others) So, to find out someone's IP from their hash, all you have to do is search through all the IP addresses. It would only take 2³² trials, not 2⁶⁹

By: bhouston

bhouston — Sun, 28 Jan 2007 18:37:47 -0800

It would be significantly more meaningful to list the city, state and country of origin (why not display a flag of the country or state.) I don't understand why he is displaying these icons when the individuals are using logged in identities except, it isn't useful in that context. Picture icons may be useful to differentiate between anon users from the same geographic area. It's current a "proto-idea", not quite all these yet, but some pragmatic tweaking may significantly improve usefulness.

By: bhouston

bhouston — Sun, 28 Jan 2007 18:39:02 -0800

Holy crap I can't write this evening! I apologize. Let me say that last sentence again: It's currently a "proto-idea", not quite all there yet, but some pragmatic tweaking may significantly improve its usefulness.

By: shelleycat

shelleycat — Sun, 28 Jan 2007 18:52:15 -0800

This reminds me of gravatars, except those are user chosen and generally more personal while being less informative. I don't see how knowing my ip address (or a derivative of) is going to help anyone. You can all figure out which country I come from and anything more specific than that either isn't helpful or will be mentioned directly in context.

By: BrotherCaine

BrotherCaine — Sun, 28 Jan 2007 18:55:35 -0800

I think this is totally awesome. I love that these are aesthetically appealing. I dont know if that was intentional or accidental. They seem like the modern version of Japanese Crests.

By: snoktruix

snoktruix — Sun, 28 Jan 2007 19:05:47 -0800

I'd prefer some representation of the geographical region combined with his glyphs.

By: scottreynen

scottreynen — Sun, 28 Jan 2007 19:08:33 -0800

I don't see how knowing my ip address (or a derivative of) is going to help anyone. It seems many are missing the point. These are for sites that allow posting without accounts (e.g. most blogs). On most of these sites, I can post my brilliant comments as "Scott R" and then you can come along and post something moronic as "Scott R" and everyone will assume I am a moron (which may be the case, but should not be assumed from comments I didn't make). Showing IP addresses provides some indication that multiple posters using the same name are actually the same person (though not always), but it has privacy concerns as I can take your IP and see where you work. Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.

By: Jimbob

Jimbob — Sun, 28 Jan 2007 19:34:30 -0800

If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match. I'm a bit rusty on these things, but I thought proxy servers (if they're properly configured, not "anonymizers") pass on your real IP address in the HTTP headers, as well as the proxy address. Of course it still isn't fool-proof; people behind NAT (as a hell of a lot of us are now) will all come up with the same icon. And what if "ScottR" made his second, moronic post from a different computer, later in the day? Still, I think my icon is purty, and it would be nice to be able to somehow carry it with me as my online ID, linked to me as a person, not whatever IP address I happen to be on.

By: spaceman_spiff

spaceman_spiff — Sun, 28 Jan 2007 20:15:45 -0800

Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns. Plus, we're better at seeing differences between graphical data like that than numbers (in some cases).

By: deborah

deborah — Sun, 28 Jan 2007 20:55:04 -0800

Kinda nifty. And, as I said there, they look like quilt blocks.

By: reventlov

reventlov — Sun, 28 Jan 2007 21:01:00 -0800

Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns. The space of all IP addresses is small enough that a brute force attack is entirely feasible: a very quick Google search shows 500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary, from which you can decode any Identicon in very little time. Which is probably fine for quasi-anonymous commentors at one random blog, but probably not so fine for something widely-deployed. Hashing the supplied name with the IP address would help, in that it would take ~15 minutes (on a newish quad-core Intel system) to crack each IP address, which is enough to keep casual users from noticing things like 'hey! Those two are at the same IP', but isn't 'real' security.

By: scottreynen

scottreynen — Sun, 28 Jan 2007 21:42:57 -0800

500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary With this system, you're not getting a hash back from your IP; you're getting an image, dynamically generated on a remote server. If you have a server capable of downloading, storing, and comparing 4.2 billion images before a site owner gets a bandwidth bill so large that he's forced to shut down the site, I suspect you could find more useful things to do with it. but isn't 'real' security Similarly, locking your doors isn't "real" security, because someone could still drive a tank through them. Nonetheless, most of us lock our doors.

By: Mitheral

Mitheral — Sun, 28 Jan 2007 22:06:17 -0800

delmoi writes "It would only take 2³² trials, not 2⁶⁹" Minus all the reserved blocks, special addresses and non-routable numbers.

By: shelleycat

shelleycat — Sun, 28 Jan 2007 22:11:39 -0800

To get my specific gravatar to show you need to put in the correct email address when commenting, which I don't have online. Guessing that would probably be harder for someone else than my rebooting my router and getting a new IP address and therefore a new picture (I know these do different things but both are messing with the idea that IP = identity). If I wanted to blend with other people I could post from work where I share a network, and I'm guessing an IP address, with a whole lot of other people spread all over the country. While that would give you my company it doesn't give my location, I use a terminal logged into the main server anyway, and it doesn't single me out from the other employees. Either way, it seems that relying on IP as some form of identify verification is somewhat weak. Maybe other places are more tied to their specific IP and can't change or hide it, but mine only tells you that I have Xtra ADSL somewhere in NZ, which isn't much more than my profile here says anyway given the current market share of Xtra (i.e. you could probably guess I use them simply because most NZers do).

By: Jimbob

Jimbob — Sun, 28 Jan 2007 22:11:45 -0800

With this system, you're not getting a hash back from your IP; you're getting an image, Aren't you getting an image that has a simple, known relationship to the hash? The conversion from the bytes to the image is documented on this guy's site. Wouldn't it work like this: 1. Download the 1 image of the person who's IP address you want to discover. 2. Analyse the image to work out what four bytes were used to define it. You could probably even do this manually. 3. Look for those bytes in the hash-IP table you dedicated 2 hours of computing time to generate. I might be wrong, but that's how I understood it to work.

By: five fresh fish

five fresh fish — Sun, 28 Jan 2007 22:33:53 -0800

I'd love to see it on MeFi. Probably discover half the population here are puppets.

By: Jimbob

Jimbob — Sun, 28 Jan 2007 23:13:11 -0800

And the puppets are known to have more children than normal users, and at a younger age. We are going to see the demographic death of Metafilter, unless we purge them and send them back to where the lousy freeloaders came from.

By: r1ch

r1ch — Mon, 29 Jan 2007 00:44:47 -0800

JimBob, the problem is made slightly more complicated by the fact that the hash includes a site-specific salt value which you'd have to discover before you could create your hash-IP table. You'd have to create Identicons for quite a few known IPs to be able to work out what the salt is. To increase the difficulty further the hash could include the email address of the commenter - that way no-one could work out someone's IP address without first knowing their email address.

By: mr. strange

mr. strange — Mon, 29 Jan 2007 00:56:02 -0800

The IP address is salted, before it's turned into the identicon. So you can't find the IP address's hash by looking at the icon.

By: pruner

pruner — Mon, 29 Jan 2007 02:44:02 -0800

I'm confused... is the hash salted or unsalted?

By: cillit bang

cillit bang — Mon, 29 Jan 2007 03:42:34 -0800

The blog post says "SHA1(IP + salt)" If you don't know the salt (or work out a way to compute it), I don't think it's possible at all to find out the IP.

By: r1ch

r1ch — Mon, 29 Jan 2007 03:46:37 -0800

Looking at the code the IP is definitely salted (with a value provided by whoever sets up the servlet) before it is hashed.

By: reventlov

reventlov — Mon, 29 Jan 2007 10:57:09 -0800

I missed the site-specific salt... if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.) In no case should an attacker need to download more images than are on the page; he can always derive the hashes from the images.

By: r1ch

r1ch — Mon, 29 Jan 2007 11:48:10 -0800

if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.) I'm not convinced by that - you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve.

By: me & my monkey

me & my monkey — Mon, 29 Jan 2007 17:31:38 -0800

... you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve. Couldn't you just try from a second IP address at that point, and see if the salt works with that address?

By: effugas

effugas — Mon, 29 Jan 2007 21:56:21 -0800

The solution I'm developing is kinda cool; you end up mapping arbitrary data (say, a 160 bit hash) to not numbers or images, but human names. To wit: From: 09:a9:b1:99:84:17:7d:ba:c6:55:46:5a:17:f8:83:01 To: julio and epifania dezzutti luther and rolande doornbos manual and twyla imbesi dirk and cuc kolopajlo omar and jeana hymel Info here.

By: r1ch

r1ch — Tue, 30 Jan 2007 00:48:00 -0800

me & my monkey - sure, but I think that the probabilities say that it won't.

By: r1ch

r1ch — Tue, 30 Jan 2007 00:48:01 -0800

me & my monkey - sure, but I think that the probabilities say that it won't.

By: cillit bang

cillit bang — Tue, 30 Jan 2007 02:29:03 -0800

Hang on r1ch, what's your point? Are you arguing with "Less than that and you can get the site salt by brute force" or "if the site sets a long enough one then it would be secure enough"? If the salt is short then you can work it out by brute force, and use me & my monkey's method to eliminate false positives.

By: r1ch

r1ch — Tue, 30 Jan 2007 04:13:57 -0800

Yep, sorry - I came back to the conversation and forgot where we were at. The shorter the site's salt is the less false positives you will need to check.