Identicons
January 28, 2007 3:12 PM
Identicons are small graphic representations of IP addresses.
I saw this on codinghorror, really neat idea, although I'm not quite sure how much real world use for it there is. There's also MonsterID and Visiglyphs.
posted by Mach5 at 3:26 PM on January 28, 2007
Mine is the coolest, except for all the swastika ones.
posted by thirteenkiller at 3:29 PM on January 28, 2007
this one probably looks the most like a swastika, including being red, and belonging to a poor German proxy server :P.
posted by delmoi at 3:43 PM on January 28, 2007
I guess if you're spoofing your IP address, it would be a Decepticon.
posted by Foosnark at 4:01 PM on January 28, 2007 [4 favorites]
BeautifulUniqueSnowflakeFilter
posted by knave at 4:00 PM PST on January 28
Yeah, after about the 10th comment, it was clear the appeal of the thing seemed to be equivalent to one of those Internet quizzes such as 'Which Smurf are you?'
posted by vacapinta at 4:02 PM on January 28, 2007
Pretty nifty - what's the mathematical chance of collisions, though?
From http://www.cryptography.com/cnews/hash.html
Q: How hard would it be to find collisions in SHA-1?
A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations.
It only uses 4 bytes of SHA-1, however, so although not as rare, collisions would still be fairly uncommon. It would be sweet if it used the full 20 for complete insurance of uniqueness.
posted by anomie at 4:41 PM on January 28, 2007
he should probably use a different kind of symmetry to avoid all those swastika icons. maybe 6-sided?
posted by empath at 4:48 PM on January 28, 2007 [1 favorite]
I'm impressed, that is actually kind of awesome. I wonder who's going to be the first to bug Matt for this pony?
posted by kyleg at 5:10 PM on January 28, 2007
It's still a privacy concern. If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.
posted by vacapinta at 6:09 PM on January 28, 2007 [2 favorites]
Actually the hashing of IP addresses is not really a very good way to protect them. IP addresses are each only 32 bits, and don't have that much entropy anyway (i.e. some patterns are more likely than others). So, to find out someone's IP from their hash, all you have to do is search through all the IP addresses. It would only take 2^32 trials, not 2^69.
posted by delmoi at 6:31 PM on January 28, 2007 [1 favorite]
It would be significantly more meaningful to list the city, state and country of origin (why not display a flag of the country or state.) I don't understand why he is displaying these icons when the individuals are using logged in identities except, it isn't useful in that context. Picture icons may be useful to differentiate between anon users from the same geographic area.
It's current a "proto-idea", not quite all these yet, but some pragmatic tweaking may significantly improve usefulness.
posted by bhouston at 6:37 PM on January 28, 2007
Holy crap I can't write this evening! I apologize. Let me say that last sentence again:
It's currently a "proto-idea", not quite all there yet, but some pragmatic tweaking may significantly improve its usefulness.
posted by bhouston at 6:39 PM on January 28, 2007
This reminds me of gravatars, except those are user chosen and generally more personal while being less informative. I don't see how knowing my ip address (or a derivative of) is going to help anyone. You can all figure out which country I come from and anything more specific than that either isn't helpful or will be mentioned directly in context.
posted by shelleycat at 6:52 PM on January 28, 2007
I think this is totally awesome. I love that these are aesthetically appealing. I don't know if that was intentional or accidental. They seem like the modern version of Japanese Crests.
posted by BrotherCaine at 6:55 PM on January 28, 2007
I'd prefer some representation of the geographical region combined with his glyphs.
posted by snoktruix at 7:05 PM on January 28, 2007
I don't see how knowing my ip address (or a derivative of) is going to help anyone.
It seems many are missing the point. These are for sites that allow posting without accounts (e.g. most blogs). On most of these sites, I can post my brilliant comments as "Scott R" and then you can come along and post something moronic as "Scott R" and everyone will assume I am a moron (which may be the case, but should not be assumed from comments I didn't make).
Showing IP addresses provides some indication that multiple posters using the same name are actually the same person (though not always), but it has privacy concerns as I can take your IP and see where you work. Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.
posted by scottreynen at 7:08 PM on January 28, 2007 [1 favorite]
If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.
I'm a bit rusty on these things, but I thought proxy servers (if they're properly configured, not "anonymizers") pass on your real IP address in the HTTP headers, as well as the proxy address.
Of course it still isn't fool-proof; people behind NAT (as a hell of a lot of us are now) will all come up with the same icon. And what if "ScottR" made his second, moronic post from a different computer, later in the day?
Still, I think my icon is purty, and it would be nice to be able to somehow carry it with me as my online ID, linked to me as a person, not whatever IP address I happen to be on.
posted by Jimbob at 7:34 PM on January 28, 2007
Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.
Plus, we're better at seeing differences between graphical data like that than numbers (in some cases).
posted by spaceman_spiff at 8:15 PM on January 28, 2007
Kinda nifty. And, as I said there, they look like quilt blocks.
posted by deborah at 8:55 PM on January 28, 2007
Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.
The space of all IP addresses is small enough that a brute force attack is entirely feasible: a very quick Google search shows 500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary, from which you can decode any Identicon in very little time.
Which is probably fine for quasi-anonymous commentors at one random blog, but probably not so fine for something widely-deployed.
Hashing the supplied name with the IP address would help, in that it would take ~15 minutes (on a newish quad-core Intel system) to crack each IP address, which is enough to keep casual users from noticing things like 'hey! Those two are at the same IP', but isn't 'real' security.
posted by reventlov at 9:01 PM on January 28, 2007
500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary
With this system, you're not getting a hash back from your IP; you're getting an image, dynamically generated on a remote server. If you have a server capable of downloading, storing, and comparing 4.2 billion images before a site owner gets a bandwidth bill so large that he's forced to shut down the site, I suspect you could find more useful things to do with it.
but isn't 'real' security
Similarly, locking your doors isn't "real" security, because someone could still drive a tank through them. Nonetheless, most of us lock our doors.
posted by scottreynen at 9:42 PM on January 28, 2007
delmoi writes "It would only take 2^32 trials, not 2^69"
Minus all the reserved blocks, special addresses and non-routable numbers.
posted by Mitheral at 10:06 PM on January 28, 2007
To get my specific gravatar to show you need to put in the correct email address when commenting, which I don't have online. Guessing that would probably be harder for someone else than my rebooting my router and getting a new IP address and therefore a new picture (I know these do different things but both are messing with the idea that IP = identity).
If I wanted to blend with other people I could post from work where I share a network, and I'm guessing an IP address, with a whole lot of other people spread all over the country. While that would give you my company it doesn't give my location, I use a terminal logged into the main server anyway, and it doesn't single me out from the other employees. Either way, it seems that relying on IP as some form of identity verification is somewhat weak.
Maybe other places are more tied to their specific IP and can't change or hide it, but mine only tells you that I have Xtra ADSL somewhere in NZ, which isn't much more than my profile here says anyway given the current market share of Xtra (i.e. you could probably guess I use them simply because most NZers do).
posted by shelleycat at 10:11 PM on January 28, 2007
With this system, you're not getting a hash back from your IP; you're getting an image,
Aren't you getting an image that has a simple, known relationship to the hash? The conversion from the bytes to the image is documented on this guy's site. Wouldn't it work like this:
1. Download the 1 image of the person whose IP address you want to discover.
2. Analyse the image to work out what four bytes were used to define it. You could probably even do this manually.
3. Look for those bytes in the hash-IP table you dedicated 2 hours of computing time to generate.
I might be wrong, but that's how I understood it to work.
posted by Jimbob at 10:11 PM on January 28, 2007
I'd love to see it on MeFi. Probably discover half the population here are puppets.
posted by five fresh fish at 10:33 PM on January 28, 2007
And the puppets are known to have more children than normal users, and at a younger age.
We are going to see the demographic death of Metafilter, unless we purge them and send them back to where the lousy freeloaders came from.
posted by Jimbob at 11:13 PM on January 28, 2007
JimBob, the problem is made slightly more complicated by the fact that the hash includes a site-specific salt value which you'd have to discover before you could create your hash-IP table. You'd have to create Identicons for quite a few known IPs to be able to work out what the salt is.
To increase the difficulty further the hash could include the email address of the commenter - that way no-one could work out someone's IP address without first knowing their email address.
posted by r1ch at 12:44 AM on January 29, 2007
The IP address is salted, before it's turned into the identicon. So you can't find the IP address's hash by looking at the icon.
posted by mr. strange at 12:56 AM on January 29, 2007
The blog post says "SHA1(IP + salt)"
If you don't know the salt (or work out a way to compute it), I don't think it's possible at all to find out the IP.
posted by cillit bang at 3:42 AM on January 29, 2007
Looking at the code the IP is definitely salted (with a value provided by whoever sets up the servlet) before it is hashed.
posted by r1ch at 3:46 AM on January 29, 2007
I missed the site-specific salt... if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.)
In no case should an attacker need to download more images than are on the page; he can always derive the hashes from the images.
posted by reventlov at 10:57 AM on January 29, 2007
if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.)
I'm not convinced by that - you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve.
posted by r1ch at 11:48 AM on January 29, 2007
... you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve.
Couldn't you just try from a second IP address at that point, and see if the salt works with that address?
posted by me & my monkey at 5:31 PM on January 29, 2007
The solution I'm developing is kinda cool; you end up mapping arbitrary data (say, a 160 bit hash) to not numbers or images, but human names. To wit:
From: 09:a9:b1:99:84:17:7d:ba:c6:55:46:5a:17:f8:83:01
To:
julio and epifania dezzutti
luther and rolande doornbos
manual and twyla imbesi
dirk and cuc kolopajlo
omar and jeana hymel
Info here.
posted by effugas at 9:56 PM on January 29, 2007 [1 favorite]
me & my monkey - sure, but I think that the probabilities say that it won't.
posted by r1ch at 12:48 AM on January 30, 2007
Hang on r1ch, what's your point? Are you arguing with "Less than that and you can get the site salt by brute force" or "if the site sets a long enough one then it would be secure enough"?
If the salt is short then you can work it out by brute force, and use me & my monkey's method to eliminate false positives.
posted by cillit bang at 2:29 AM on January 30, 2007
Yep, sorry - I came back to the conversation and forgot where we were at. The shorter the site's salt is, the fewer false positives you will need to check.
posted by r1ch at 4:13 AM on January 30, 2007
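The salt-length argument from the last several comments, as an added example that is not part of the thread or of the Identicon servlet: it filters a deliberately short salt space against known (IP, code) pairs, shows the false positives dropping out as more known IPs are checked, and then derives the code with a 128-bit HMAC key instead. The 16-bit salt, 8-bit code, byte encoding, sample addresses and the HMAC variant are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Scaled-down parameters (assumptions for the demo): the thread's scheme keeps
# 32 bits of the hash; 8 bits here makes false positives visible in seconds.
CODE_BITS = 8
SALT_BITS = 16  # deliberately short site salt


def icon_code(ip: str, salt: bytes, bits: int = 32) -> int:
    """Top `bits` bits of SHA1(IP + salt); the byte encoding is an assumption."""
    digest = hashlib.sha1(ip.encode("ascii") + salt).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def surviving_salts(known_pairs, salt_bits=SALT_BITS, code_bits=CODE_BITS):
    """Filter the whole salt space against (ip, code) pairs the observer knows.

    Returns (candidates, counts), where counts[i] is how many salts are still
    consistent after the first i + 1 pairs.
    """
    nbytes = (salt_bits + 7) // 8
    candidates = range(1 << salt_bits)
    counts = []
    for ip, code in known_pairs:
        candidates = [
            s for s in candidates
            if icon_code(ip, s.to_bytes(nbytes, "big"), code_bits) == code
        ]
        counts.append(len(candidates))
    return list(candidates), counts


def keyed_icon_code(ip: str, key: bytes, bits: int = 32) -> int:
    """Hardened variant (HMAC swapped in here; not the servlet's construction)."""
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha1).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def demo():
    true_salt = 0xBEEF  # constructed value, stands in for the site's secret
    salt_bytes = true_salt.to_bytes(2, "big")
    # Constructed addresses from the documentation ranges (RFC 5737).
    own_ips = ["192.0.2.10", "198.51.100.7", "203.0.113.99",
               "192.0.2.200", "198.51.100.250"]
    pairs = [(ip, icon_code(ip, salt_bytes, CODE_BITS)) for ip in own_ips]
    candidates, counts = surviving_salts(pairs)
    # A 128-bit random key puts the same enumeration out of reach.
    site_key = secrets.token_bytes(16)
    return true_salt, candidates, counts, len(site_key) * 8


if __name__ == "__main__":
    true_salt, candidates, counts, key_bits = demo()
    print("salts left after each known IP:", counts)
    print("recovered salt matches:", candidates == [true_salt])
    print("recommended key size in bits:", key_bits)
```

What matters is the ratio of salt space to code space: one known pair leaves roughly 2^(salt bits - code bits) candidates, and each further known IP divides that again by 2^(code bits).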
This thread has been archived and is closed to new comments
posted by Smart Dalek at 3:19 PM on January 28, 2007