Identicons
January 28, 2007 3:12 PM

Identicons are small graphic representations of IP addresses.
posted by delmoi (42 comments total) 4 users marked this as a favorite
 
How long before these get spoofed? How many people on a number of online gathering places would take the time to even detect such an exploit?
posted by Smart Dalek at 3:19 PM on January 28, 2007


I saw this on codinghorror, really neat idea, although I'm not quite sure how much real world use for it there is. There's also MonsterID and Visiglyphs.
posted by Mach5 at 3:26 PM on January 28, 2007


Mine is the coolest, except for all the swastika ones.
posted by thirteenkiller at 3:29 PM on January 28, 2007


this one probably looks the most like a swastika, including being red, and belonging to a poor German proxy server :P.
posted by delmoi at 3:43 PM on January 28, 2007


BeautifulUniqueSnowflakeFilter
posted by knave at 4:00 PM on January 28, 2007


I guess if you're spoofing your IP address, it would be a Decepticon.
posted by Foosnark at 4:01 PM on January 28, 2007 [4 favorites]


BeautifulUniqueSnowflakeFilter
posted by knave at 4:00 PM PST on January 28


Yeah, after about the 10th comment, it was clear the appeal of the thing seemed to be equivalent to one of those Internet quizzes such as 'Which Smurf are you?'
posted by vacapinta at 4:02 PM on January 28, 2007


Gargamel.
posted by baphomet at 4:07 PM on January 28, 2007


Pretty nifty - what's the mathematical chance of collisions, though?

From http://www.cryptography.com/cnews/hash.html

Q: How hard would it be to find collisions in SHA-1?
A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations.


It only uses 4 bytes of SHA-1, however, so although not as rare, collisions would still be fairly uncommon. It would be sweet if it used the full 20 for complete insurance of uniqueness.
posted by anomie at 4:41 PM on January 28, 2007


he should probably use a different kind of symmetry to avoid all those swastika icons. maybe 6-sided?
posted by empath at 4:48 PM on January 28, 2007 [1 favorite]


I'm impressed, that is actually kind of awesome. I wonder who's going to be the first to bug Matt for this pony?
posted by kyleg at 5:10 PM on January 28, 2007


It's still a privacy concern. If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.
posted by vacapinta at 6:09 PM on January 28, 2007 [2 favorites]


Actually the hashing of IP addresses is not really a very good way to protect them. IP addresses are each only 32 bits, and don't have that much entropy anyway (i.e. some patterns are more likely than others). So, to find out someone's IP from their hash, all you have to do is search through all the IP addresses. It would only take 2^32 trials, not 2^69.
posted by delmoi at 6:31 PM on January 28, 2007 [1 favorite]


It would be significantly more meaningful to list the city, state and country of origin (why not display a flag of the country or state.) I don't understand why he is displaying these icons when the individuals are using logged in identities except, it isn't useful in that context. Picture icons may be useful to differentiate between anon users from the same geographic area.

It's current a "proto-idea", not quite all these yet, but some pragmatic tweaking may significantly improve usefulness.
posted by bhouston at 6:37 PM on January 28, 2007


Holy crap I can't write this evening! I apologize. Let me say that last sentence again:

It's currently a "proto-idea", not quite all there yet, but some pragmatic tweaking may significantly improve its usefulness.
posted by bhouston at 6:39 PM on January 28, 2007


This reminds me of gravatars, except those are user chosen and generally more personal while being less informative. I don't see how knowing my ip address (or a derivative of) is going to help anyone. You can all figure out which country I come from and anything more specific than that either isn't helpful or will be mentioned directly in context.
posted by shelleycat at 6:52 PM on January 28, 2007


I think this is totally awesome. I love that these are aesthetically appealing. I don't know if that was intentional or accidental. They seem like the modern version of Japanese Crests.
posted by BrotherCaine at 6:55 PM on January 28, 2007


I'd prefer some representation of the geographical region combined with his glyphs.
posted by snoktruix at 7:05 PM on January 28, 2007


I don't see how knowing my ip address (or a derivative of) is going to help anyone.

It seems many are missing the point. These are for sites that allow posting without accounts (e.g. most blogs). On most of these sites, I can post my brilliant comments as "Scott R" and then you can come along and post something moronic as "Scott R" and everyone will assume I am a moron (which may be the case, but should not be assumed from comments I didn't make).

Showing IP addresses provides some indication that multiple posters using the same name are actually the same person (though not always), but it has privacy concerns as I can take your IP and see where you work. Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.
posted by scottreynen at 7:08 PM on January 28, 2007 [1 favorite]


If, for example, I work at and post from Microsoft all day and my identicon is that of the MS Proxy Server then I would be able to identify other mefi users who are my co-workers because our identicons would match.

I'm a bit rusty on these things, but I thought proxy servers (if they're properly configured, not "anonymizers") pass on your real IP address in the HTTP headers, as well as the proxy address.

Of course it still isn't fool-proof; people behind NAT (as a hell of a lot of us are now) will all come up with the same icon. And what if "ScottR" made his second, moronic post from a different computer, later in the day?

Still, I think my icon is purty, and it would be nice to be able to somehow carry it with me as my online ID, linked to me as a person, not whatever IP address I happen to be on.
posted by Jimbob at 7:34 PM on January 28, 2007


Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.

Plus, we're better at seeing differences between graphical data like that than numbers (in some cases).
posted by spaceman_spiff at 8:15 PM on January 28, 2007


Kinda nifty. And, as I said there, they look like quilt blocks.
posted by deborah at 8:55 PM on January 28, 2007


Showing images based on hashed IPs is just as useful as IPs, but with fewer privacy concerns.

The space of all IP addresses is small enough that a brute force attack is entirely feasible: a very quick Google search shows 500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary, from which you can decode any Identicon in very little time.

Which is probably fine for quasi-anonymous commenters at one random blog, but probably not so fine for something widely-deployed.

Hashing the supplied name with the IP address would help, in that it would take ~15 minutes (on a newish quad-core Intel system) to crack each IP address, which is enough to keep casual users from noticing things like 'hey! Those two are at the same IP', but isn't 'real' security.
posted by reventlov at 9:01 PM on January 28, 2007


500,000+ SHA-1 hashes of ~16-byte data per second (on Linux-running hardware of some sort), so about 8400 seconds to scan through all 4.2 billion IP addresses, or about 2 hours to build a complete hash->IP address dictionary

With this system, you're not getting a hash back from your IP; you're getting an image, dynamically generated on a remote server. If you have a server capable of downloading, storing, and comparing 4.2 billion images before a site owner gets a bandwidth bill so large that he's forced to shut down the site, I suspect you could find more useful things to do with it.

but isn't 'real' security

Similarly, locking your doors isn't "real" security, because someone could still drive a tank through them. Nonetheless, most of us lock our doors.
posted by scottreynen at 9:42 PM on January 28, 2007


delmoi writes "It would only take 2^32 trials, not 2^69"

Minus all the reserved blocks, special addresses and non-routable numbers.
posted by Mitheral at 10:06 PM on January 28, 2007


To get my specific gravatar to show you need to put in the correct email address when commenting, which I don't have online. Guessing that would probably be harder for someone else than my rebooting my router and getting a new IP address and therefore a new picture (I know these do different things but both are messing with the idea that IP = identity).

If I wanted to blend with other people I could post from work where I share a network, and I'm guessing an IP address, with a whole lot of other people spread all over the country. While that would give you my company it doesn't give my location, I use a terminal logged into the main server anyway, and it doesn't single me out from the other employees. Either way, it seems that relying on IP as some form of identity verification is somewhat weak.

Maybe other places are more tied to their specific IP and can't change or hide it, but mine only tells you that I have Xtra ADSL somewhere in NZ, which isn't much more than my profile here says anyway given the current market share of Xtra (i.e. you could probably guess I use them simply because most NZers do).
posted by shelleycat at 10:11 PM on January 28, 2007


With this system, you're not getting a hash back from your IP; you're getting an image,

Aren't you getting an image that has a simple, known relationship to the hash? The conversion from the bytes to the image is documented on this guy's site. Wouldn't it work like this:

1. Download the 1 image of the person whose IP address you want to discover.
2. Analyse the image to work out what four bytes were used to define it. You could probably even do this manually.
3. Look for those bytes in the hash-IP table you dedicated 2 hours of computing time to generate.

I might be wrong, but that's how I understood it to work.
posted by Jimbob at 10:11 PM on January 28, 2007


I'd love to see it on MeFi. Probably discover half the population here are puppets.
posted by five fresh fish at 10:33 PM on January 28, 2007


And the puppets are known to have more children than normal users, and at a younger age.

We are going to see the demographic death of Metafilter, unless we purge them and send them back to where the lousy freeloaders came from.
posted by Jimbob at 11:13 PM on January 28, 2007


JimBob, the problem is made slightly more complicated by the fact that the hash includes a site-specific salt value which you'd have to discover before you could create your hash-IP table. You'd have to create Identicons for quite a few known IPs to be able to work out what the salt is.

To increase the difficulty further the hash could include the email address of the commenter - that way no-one could work out someone's IP address without first knowing their email address.
posted by r1ch at 12:44 AM on January 29, 2007


The IP address is salted, before it's turned into the identicon. So you can't find the IP address's hash by looking at the icon.
posted by mr. strange at 12:56 AM on January 29, 2007


I'm confused... is the hash salted or unsalted?
posted by pruner at 2:44 AM on January 29, 2007


The blog post says "SHA1(IP + salt)"

If you don't know the salt (or work out a way to compute it), I don't think it's possible at all to find out the IP.
posted by cillit bang at 3:42 AM on January 29, 2007


Looking at the code the IP is definitely salted (with a value provided by whoever sets up the servlet) before it is hashed.
posted by r1ch at 3:46 AM on January 29, 2007


I missed the site-specific salt... if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.)

In no case should an attacker need to download more images than are on the page; he can always derive the hashes from the images.
posted by reventlov at 10:57 AM on January 29, 2007


if the site sets a long enough one (> ~40 random bits, depending how determined/resourceful an attacker you're assuming) then it would be secure enough. (Less than that and you can get the site salt by brute force from a known IP... such as your own.)

I'm not convinced by that - you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve.
posted by r1ch at 11:48 AM on January 29, 2007


... you could certainly fairly easily find _a_ salt that worked for your IP but it wouldn't necessarily be the right one and so you couldn't be sure that you're deriving the correct IP for the unknown one that you want to resolve.

Couldn't you just try from a second IP address at that point, and see if the salt works with that address?
posted by me & my monkey at 5:31 PM on January 29, 2007


The solution I'm developing is kinda cool; you end up mapping arbitrary data (say, a 160 bit hash) to not numbers or images, but human names. To wit:

From: 09:a9:b1:99:84:17:7d:ba:c6:55:46:5a:17:f8:83:01

To:

julio and epifania dezzutti
luther and rolande doornbos
manual and twyla imbesi
dirk and cuc kolopajlo
omar and jeana hymel

Info here.
posted by effugas at 9:56 PM on January 29, 2007 [1 favorite]


me & my monkey - sure, but I think that the probabilities say that it won't.
posted by r1ch at 12:48 AM on January 30, 2007


Hang on r1ch, what's your point? Are you arguing with "Less than that and you can get the site salt by brute force" or "if the site sets a long enough one then it would be secure enough"?

If the salt is short then you can work it out by brute force, and use me & my monkey's method to eliminate false positives.
posted by cillit bang at 2:29 AM on January 30, 2007


Yep, sorry - I came back to the conversation and forgot where we were at. The shorter the site's salt is, the fewer false positives you will need to check.
posted by r1ch at 4:13 AM on January 30, 2007
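
The salt-length argument in the last few comments, modelled as an added example (not part of the thread and not the Identicon project's code). It is scaled down so it runs in about a second: a 16-bit code instead of the 4 bytes mentioned above and a 20-bit site salt. The function names, the byte encoding of "IP + salt", the salt value and the documentation-range addresses are all assumptions made for illustration.

```python
import hashlib
import hmac

CODE_BITS = 16  # assumption: scaled down from the 32 bits (4 bytes) in the thread
SALT_BITS = 20  # assumption: deliberately short site salt


def code(ip: str, salt: int) -> int:
    """Truncated SHA1(IP + salt): the only value an identicon exposes."""
    digest = hashlib.sha1(ip.encode() + salt.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - CODE_BITS)


def salts_matching(ip: str, observed: int, candidates) -> list:
    """Salts among `candidates` that reproduce the code seen for a known IP."""
    return [s for s in candidates if code(ip, s) == observed]


def keyed_code(ip: str, key: bytes) -> int:
    """Mitigation: HMAC under a long random key, so the secret cannot be
    enumerated the way a short salt can."""
    digest = hmac.new(key, ip.encode(), hashlib.sha1).digest()
    return int.from_bytes(digest[:4], "big")


def demo(site_salt: int = 0x5A17E):
    # Constructed sample addresses from the documentation ranges.
    known_a, known_b = "192.0.2.10", "198.51.100.77"
    # One known (IP, code) pair: the real salt plus roughly
    # 2**(SALT_BITS - CODE_BITS) salts that match by chance.
    first = salts_matching(known_a, code(known_a, site_salt),
                           range(1 << SALT_BITS))
    # A second known pair filters out almost all chance matches.
    second = salts_matching(known_b, code(known_b, site_salt), first)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(len(first), "salts fit one known IP;", len(second), "fit both")
```

Because the code is shorter than the salt, one known address leaves many salts that "work", as r1ch says, and a second known address removes nearly all of them, as me & my monkey suggests. A salt too long to enumerate, or a keyed construction like `keyed_code` with a random 128-bit key, takes away the first step entirely.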

