Identicons for .NET

Don Park invented Identicons last week.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/01/identicons-for-net.html

This sounds a lot like “Semacode”, which I learned about at the Canadian Undergraduate Technology Conference about 2 weeks ago.

The difference seems to be that while the identicons are prettier, the Semacode barcodes are meant to be read by conventional cell phone cameras and other low-res imaging devices, then analyzed and used.

Nicely done. I think Identicons serve as an interesting visual means of “fingerprinting” data. It’s very much a visual hash value.

http://haacked.com/archive/2007/01/22/Identicons_as_Visual_Fingerprints.aspx

I’m surprised that no one mentioned the apparent security risk. Given an Identicon, I can reverse it into an IP address. So you aren’t posting anonymously anymore are you!

These seem reasonable, up to a point. Then I think some will be too similar to others, and those with less than perfect eyesight will have a case of mistaken identity and get really angry at the wrong person…

That’s it. Now it’s personal. Matt, I am going to reverse engineer your Identicon, and I’ll be showing up at your house. Please have an explanation ready to back up your claim when I do.

I don’t understand why you need an explanation…

Unless I am mistaken (and I probably am), you are using an algorithm to create an image based on the FULL IP address. If I know that algorithm (which you’ve publicly posted), I can take the pixels of the image and reverse engineer it into an IP address. Is that not correct? So if you post these Identicons publicly in a forum then people will eventually attack the problem and write code to quickly determine an IP address based on the Identicon. It will happen if their usage is widespread.

Now some people might tell you that this is not a security risk. And maybe it isn’t to some site like this. But there are certainly forums out there where complete anonymity is expected and indeed required (you know the types of sites I’m talking about). And I can potentially do a heck of a lot of damage to someone’s machine and their reputation if I know their IP address.

So giving this information away to anyone that is willing to take it is a security risk. And the people who are willing to take it are the exact people that you don’t want to have it.

Put another way, why not just display the IP address of each user directly with their post? Ahhh… because people wouldn’t like that would they??? :wink:

Is that enough of an explanation?

Our (German subsidiary of a US company) identicon looks like a (red) swastika. If identicons are going to become popular, I suppose my employer wouldn’t be too happy with our current identicon.

So, even such a cool idea has some offending capability. :slight_smile:

Matt

In my visiglyphs implementation, I derive the visiglyph from a hash of the IP + salt to make a reverse attack more difficult. A reverse attack is still theoretically possible but probably won’t be done in practice.

I still don’t see their purpose. Do they tell you who the person is? Or at least where they are from? Does the computer at the back understand them? Nah, they are a little picture that looks indistinguishable amongst a list of other little pictures. Computers understand IP addresses, people understand them and can use tools to gain more information from them - these on the other hand show up next to somebody’s display name which is instantly 10 times more understandable for the reader than the cute icon.

Sure they are a neat invention but really what’s the point?

Yeah, the algorithm seems to create swastika look-alikes a lot. Needs to be changed.

Although the swastika is really a symbol of peace misused, the original use is within Hinduism and Buddhism religions.

Thanks Charles. That makes sense. I’m probably wrong about the whole security issue since Don and Jeff don’t seem to see the risk. They must be performing a hash or not using the full IP address (or something similar).

I’m sure that if I’m wrong they will be kind enough to let me know. :wink:

> If I know that algorithm (which you’ve publicly posted), I can take the pixels of the image and reverse engineer it into an IP address

No, because you don’t know what Salt he is using. The Salt is added to the IP before it is hashed.

In my implementation, I use a default Salt of “machine name” + “number of processors” . But you can override this default to use whatever Salt you want. I wrote about the difference between hashes and checksums here:

http://www.codinghorror.com/blog/archives/000257.html

There’s an excellent explanation of hashes in Steve Friedl’s “Illustrated Guide to Cryptographic Hashes”

http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
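The salt argument in the exchange above, as an added example that is not part of the original thread or of either implementation mentioned in it. It is written in Python rather than .NET, uses HMAC-SHA256 as a stand-in for "hash of IP + salt", and the sample address, network and salt are constructed values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (documentation address range, made-up secret).
SAMPLE_IP = "203.0.113.57"
SAMPLE_NET = "203.0.113.0/24"
SERVER_SALT = b"constructed-secret-salt-keep-out-of-source-control"


def unsalted_code(ip):
    """Identicon code taken straight from a hash of the IP; no secret involved."""
    return hashlib.sha256(ip.encode()).digest()[:8]


def salted_code(ip, salt):
    """Identicon code keyed with a server-side secret (HMAC, not plain hash(ip + salt))."""
    return hmac.new(salt, ip.encode(), hashlib.sha256).digest()[:8]


def candidates(published, network, code_fn):
    """Return every address in `network` whose code equals the published one."""
    return [str(a) for a in ipaddress.ip_network(network) if code_fn(str(a)) == published]


def demo():
    # Without a salt, anyone who knows the algorithm can recompute codes for
    # the whole candidate space and compare; IPv4 has only 2**32 addresses.
    exposed = candidates(unsalted_code(SAMPLE_IP), SAMPLE_NET, unsalted_code)
    # With a secret salt the same comparison finds nothing, because the
    # observer cannot compute the keyed function.
    published = salted_code(SAMPLE_IP, SERVER_SALT)
    no_salt = candidates(published, SAMPLE_NET, unsalted_code)
    wrong_salt = candidates(published, SAMPLE_NET, lambda ip: salted_code(ip, b"guess"))
    # The server can still recompute the same icon for a returning commenter.
    stable = salted_code(SAMPLE_IP, SERVER_SALT) == published
    return exposed, no_salt, wrong_salt, stable


if __name__ == "__main__":
    print(demo())
```

The protection rests entirely on the salt staying secret and hard to guess; a salt built from values an outsider can learn or enumerate puts the scheme back in the unsalted case.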

Ingenious. Now that’s something that people will use… refer to the latest blog entry on this site lol

I think it provides a nice differentiation between commenters, kind of like a forum avatar without the animated gifs. I know that I don’t even read names in comments/forums/IRC anymore, and having a picture there instead of text reminds me that someone different is typing.

Yuck. I don’t see this being useful at all, except as a watered-down “RealNamesPlease” Wiki offshoot? Might help reduce flamewars based on personal grudges…

Man, I hate that GreenGreenGreenRedGreenBluePurpleBlueGreen.

Also, other people are going to seize on the idea, mutate it, and use it. Horrible, horrible image-salad everywhere, with 3 or 4 competing major versions, the inevitable Firefox retheme, and then the IE8 copy of it, plus all the little tiny sites that have to re-theme every button and function, to show how clever they are.

David, are you saying you are mentally subsuming all comments/forum posters/IRC users into a single entity? The Internet thinks you need to get more sleep and maybe switch to decaf.

Seems to me that an avatar would work better in their place and allow much more customization by the user. Semacode on the other hand sounds interesting. As far as the “swastika”, I think we should “take it back” and start using it again for its original meaning of peace.

“Semacode”, “QR Code”, “Windows Live Barcode” and various versions (not sure which was first) are already used and have nothing to do with this.

As I understand it, in Asia using these kinds of encoded data is commonplace, for example with business cards where they can use a cell phone with camera and get the data into it from a business card.

Oooh, I wonder if I could write CueCat software to read these… hmmmm.

Todd: Pretty much so. Names/Usernames really aren’t that important unless someone says something meaningful or you’re directly replying. I guess it’s kind of the anonymization of the internet: despite names everyone is still just text without visual representations. And I did write that before I got my morning coffee.