Coding Horror
programming and human factors
by Jeff Atwood

January 19, 2007

Identicons for .NET

Don Park invented Identicons last week.

identicon samples

An Identicon is a small, anonymized visual glyph that represents your IP address. Don explains it better than I do:

I originally came up with this idea to be used as an easy means of visually distinguishing multiple units of information, anything that can be reduced to bits. It's not just IPs but also people, places, and things.

IMHO, too much of what we read on the web is textual or numeric information, which is not easy to distinguish at a glance when it is all jumbled up together. So I think adding visual identifiers will make the user experience much more enjoyable.

I think identicons have many use cases. One use is embedding them in wiki pages to identify authors. Another is using them in CRM to identify customers. I can go on and on. It's not just about IP addresses but information that tends to move in 'herds'.

It's genius. And the simple algorithm Don came up with produces beautiful, unique results. Just scroll through the comments on his blog to see Identicons in action. They work amazingly well, even at 16x16. Jon Galloway and I were inspired. We rolled up our sleeves and ported Don's Identicon code from Java to .NET 2.0.

Download the Identicon 1.3 sample for .NET 2.0 (13 kb)

Identicons aren't just for show. They're quite practical. Rather than printing everyone's IP address next to their comment, you can show their anonymized Identicon. It's more private, it's almost as useful, and it's much more fun. Download the sample and try it yourself.

(updated 3/18/2007 V1.3: fix a few minor bugs, improve documentation)

Posted by Jeff Atwood
Comments

This sounds a lot like "Semacode", which I learned about at the Canadian Undergraduate Technology Conference about 2 weeks ago.

The difference seems to be that while the identicons are prettier, the Semacode barcodes are meant to be read by conventional cell phone cameras and other low-res imaging devices, then analyzed and used.

Skrud on January 21, 2007 11:06 PM

Great job, Jeff. Will you be hooking it up to your blog's comment support code? Oops. Looks like you need an MT plugin. :-)

Don Park on January 21, 2007 11:14 PM

Skrud, I mentioned the fancy barcodes in this post. I even included a fancy animation that shows how they encode data.

http://www.codinghorror.com/blog/archives/000278.html

Jeff Atwood on January 22, 2007 12:16 AM

The JS Canvas thing works fine in the latest Opera too.

eszpee on January 22, 2007 12:18 AM

... ignore me, sorry, I was reading the post in my feedreader and didn't check again before commenting. feel free to delete these.

eszpee on January 22, 2007 12:19 AM

Nicely done. I think Identicons serve as an interesting visual means of "fingerprinting" data. It's very much a visual hash value.

http://haacked.com/archive/2007/01/22/Identicons_as_Visual_Fingerprints.aspx

Haacked on January 22, 2007 1:16 AM

Our (German subsidiary of a US company) identicon looks like a (red) swastika. If identicons are going to become popular, I suppose my employer wouldn't be too happy with our current identicon.

So, even such a cool idea has some offending capability. :)

steffenj on January 22, 2007 3:14 AM

I still don't see their purpose. Do they tell you who the person is? Or at least where they are from? Does the computer at the back understand them? Nah, they are a little picture that looks indistinguishable amongst a list of other little pictures. Computers understand IP addresses, people understand them and can use tools to gain more information from them - these on the other hand show up next to somebody's display name which is instantly 10 times more understandable for the reader than the cute icon.

Sure they are a neat invention but really what's the point?

Tim on January 22, 2007 3:35 AM

Yeah, the algorithm seems to create swastika lookalikes a lot. Needs to be changed.

Although the swastika is really a symbol of peace misused, the original use is within Hinduism and Buddhism religions.

PL on January 22, 2007 3:37 AM

I think it provides a nice differentiation between commenters, kind of like a forum avatar without the animated gifs. I know that I don't even read names in comments/forums/IRC anymore, and having a picture there instead of text reminds me that someone different is typing.

David Sokol on January 22, 2007 5:18 AM

Yuck. I don't see this being useful at all, except as a watered-down "RealNamesPlease" Wiki offshoot? Might help reduce flamewars based on personal grudges...

Man, I hate that GreenGreenGreenRedGreenBluePurpleBlueGreen.

Also, other people are going to seize on the idea, mutate it, and use it. Horrible, horrible image-salad everywhere, with 3 or 4 competing major versions, the inevitable Firefox retheme, and then the IE8 copy of it, plus all the little tiny sites that have to re-theme every button and function, to show how clever they are.

David, are you saying you are mentally subsuming all comments/forum posters/IRC users into a single entity? The Internet thinks you need to get more sleep and maybe switch to decaf.

Todd Derscheid on January 22, 2007 5:38 AM

Seems to me that an avatar would work better in their place and allow much more customization by the user. Semacode on the other hand sounds interesting. As far as the "swastika", I think we should "take it back" and start using it again for its original meaning of peace.

Phil on January 22, 2007 6:21 AM

"Semacode", "QR Code", "Windows Live Barcode" and various versions (not sure which was first) are already used and have nothing to do with this.

As I understand it, in Asia using these kinds of encoded data is commonplace, for example with business cards where they can use a cell phone with camera and get the data into it from a business card.

PL on January 22, 2007 6:28 AM

Oooh, I wonder if I could write CueCat software to read these.... hmmmm.

Nchantim on January 22, 2007 7:03 AM

Todd: Pretty much so. Names/Usernames really aren't that important unless someone says something meaningful or you're directly replying. I guess it's kind of the anonymization of the internet: despite names everyone is still just text without visual representations. And I did write that before I got my morning coffee.

David Sokol on January 22, 2007 7:15 AM

Re Swastika comments, that can be addressed by applying a specialized OCR-like visual analysis to identify all offending codes then crunch them into an effective bloom filter using genetic algorithm. When the filter returns true, a second type of identicon (i.e. 4-block quilt) can be used.

Re usefulness, IP identicon provides imperfect yet reasonably effective means to prevent forgery *within a website*. But then it's impossible to please everyone.

Don Park on January 22, 2007 7:23 AM

Identicons are cool! Jeff, are you going to incorporate them into your comments?

EthanR on January 22, 2007 7:49 AM

A great use of this is as a default image for Gravatars.

Haacked on January 22, 2007 8:13 AM

I don't think they're meant to replace the "avatar" concept, they're more to help distinguish anonymous posts on something like a blog. For example, I've noticed that there's another "Aaron" who sometimes comments here and even has a similar writing style, but it ain't me, and the glyph would highlight that (IP addresses are only visible to Jeff himself).

Seems like it could also be used to help identify trolls and sock-puppets, even on sites that require registration. True, some people's IP addresses do change frequently so it's not foolproof, but as an heuristic it's a lot more convenient than visually parsing a list of hundreds of IP addresses. Barcodes are ugly and are probably even more difficult for a human to parse than 12 digits.

I like it. Can't think of a use for it in my line of work but still very cool!

Aaron G on January 22, 2007 8:22 AM

what about an identity you didn't ask for? : http://www.docuverse.com/blog/9block?code=1055195416

uidzer0 on January 22, 2007 8:26 AM

P.S. I repackaged the code as a dll and a handler file.
http://haacked.com/archive/2007/01/22/Easy_To_Deploy_Identicon_Handler.aspx

This makes it easy for those of us who use web application projects to deploy it.

Haacked on January 22, 2007 8:46 AM

What we need here, is a Wordpress plugin :)

DaveG on January 22, 2007 10:54 AM

Wait, what IP?

I have a static IP? Which IP? I wonder how many people have this one?
http://www.docuverse.com/blog/9block?code=19216802&size=32

Scott on January 22, 2007 12:12 PM

I'm surprised that no one mentioned the apparent security risk. Given an Identicon, I can reverse it into an IP address. So you aren't posting anonymously anymore are you!

Matt on January 22, 2007 1:38 PM

Matt, you posted the same message on my blog without backing up your claim with an explanation.

Don Park on January 22, 2007 1:55 PM

These seem reasonable, up to a point. Then I think some will be too similar to others, and those with less than perfect eyesight will have a case of mistaken identity and get really angry at the wrong person...

Steve on January 22, 2007 2:12 PM

That's it. Now it's personal. Matt, I am going to reverse engineer your Identicon, and I'll be showing up at your house. Please have an explanation ready to back up your claim when I do.

Jeff Atwood on January 22, 2007 2:22 PM

An explanation or free pizza and beer will do for me. :-)

Don Park on January 22, 2007 2:27 PM

I don't understand why you need an explanation...

Unless I am mistaken (and I probably am), you are using an algorithm to create an image based on the FULL IP address. If I know that algorithm (which you've publicly posted), I can take the pixels of the image and reverse engineer it into an IP address. Is that not correct? So if you post these Identicons publicly in a forum then people will eventually attack the problem and write code to quickly determine an IP address based on the Identicon. It will happen if their usage is widespread.

Now some people might tell you that this is not a security risk. And maybe it isn't to some site like this. But there are certainly forums out there where complete anonymity is expected and indeed required (you know the types of sites I'm talking about). And I can potentially do a heck of a lot of damage to someone's machine and their reputation if I know their IP address.

So giving this information away to anyone that is willing to take it is a security risk. And the people who are willing to take it are the exact people that you don't want to have it.

Put another way, why not just display the IP address of each user directly with their post? Ahhh.... because people wouldn't like that would they!?!? ;)

Is that enough of an explanation?

Matt on January 22, 2007 3:08 PM

Matt

In my visiglyphs implementation, I derive the visiglyph from a hash of the IP + salt to make a reverse attack more difficult. A reverse attack is still theoretically possible but probably won't be done in practice.

Charles Darke on January 22, 2007 3:22 PM

Thanks Charles. That makes sense. I'm probably wrong about the whole security issue since Don and Jeff don't seem to see the risk. They must be performing a hash or not using the full IP address (or something similar).

I'm sure that if I'm wrong they will be kind enough to let me know. ;)

Matt on January 22, 2007 3:39 PM

> If I know that algorithm (which you've publicly posted), I can take the pixels of the image and reverse engineer it into an IP address

No, because you don't know what Salt he is using. The Salt is added to the IP before it is hashed.

In my implementation, I use a default Salt of "machine name" + "number of processors" . But you can override this default to use whatever Salt you want. I wrote about the difference between hashes and checksums here:

http://www.codinghorror.com/blog/archives/000257.html

There's an excellent explanation of hashes in Steve Friedl's "Illustrated Guide to Cryptographic Hashes"

http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

Jeff Atwood on January 22, 2007 3:40 PM
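The salted derivation discussed in this thread, as an added example (not code from the original post, the comments, or the Identicon port): it shows why a secret salt blocks the recompute-and-compare approach and why the same visitor gets unrelated glyphs on sites with different salts. The function names, the choice of the first four SHA-1 bytes as the 32-bit code, the salts and the address are all assumptions constructed for illustration.

```python
import hashlib
import ipaddress


def identicon_code(ip, salt):
    """32-bit identicon seed: first 4 bytes of SHA-1(ip + salt).

    The byte layout is an assumption for this example; the thread only
    says the salt is added to the IP before hashing.
    """
    digest = hashlib.sha1((ip + salt).encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big")


def candidates_matching(code, network, salt):
    """Audit helper: addresses in `network` that yield `code` under `salt`."""
    return [str(host) for host in ipaddress.ip_network(network).hosts()
            if identicon_code(str(host), salt) == code]


# Constructed sample values: documentation range 203.0.113.0/24, made-up salts.
VISITOR = "203.0.113.57"
NETWORK = "203.0.113.0/24"
SITE_A_SALT = "constructed-secret-salt-site-a"
SITE_B_SALT = "constructed-secret-salt-site-b"


def demo():
    unsalted = identicon_code(VISITOR, "")
    site_a = identicon_code(VISITOR, SITE_A_SALT)
    site_b = identicon_code(VISITOR, SITE_B_SALT)
    return {
        # No salt: knowing the public algorithm is enough to find the input.
        "unsalted_recovered": candidates_matching(unsalted, NETWORK, ""),
        # Secret salt: the same search without the salt matches nothing.
        "salted_without_salt": candidates_matching(site_a, NETWORK, ""),
        # The operator, who holds the salt, can still map glyph to address.
        "salted_with_salt": candidates_matching(site_a, NETWORK, SITE_A_SALT),
        # One site: the glyph is stable for repeat posts from one address.
        "stable_on_one_site": site_a == identicon_code(VISITOR, SITE_A_SALT),
        # Two sites, two salts: the glyphs cannot be correlated.
        "linkable_across_sites": site_a == site_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The protection rests entirely on the salt staying secret and hard to guess, since the IPv4 address space itself is small enough to enumerate.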

Ingenious. Now that's something that people will use... refer to the latest blog entry on this site lol

Adrian Cantu on January 22, 2007 4:18 PM

Ah, it was just over a misunderstanding. I would have been happy if Matt discovered some major breakage in SHA1 just for excitement's sake.

Don Park on January 22, 2007 4:57 PM

I second DaveG's suggestion! Wordpress plugin would really go a long way to popularize this concept.

Luke on January 22, 2007 9:01 PM

My apologies to Don and Jeff. Thanks for sorting it all out. I feel safe again in Identicon World.

Matt on January 23, 2007 6:20 AM

Really embarrassing Matt, hope you are not a programmer. Also, please explain how you can do a lot of damage if you know an IP??

I know my own IP, I can bet that if I increase the number one step there's a good chance someone is using that IP as well.

I can also get plenty of IPs doing nslookup on domains I find on the web, or I can look at any server logs for IPs, so what?? You can't do anything with just an IP. It's not secret information, it's public domain.

PL on January 23, 2007 7:11 AM

This is a really good idea but the application is wrong.

It would be better if it took input which relate to the sizes of common hashes. You could then use these icons to identify public keys for various protocols such as SSL or SSH.

Nobody remembers the fingerprint ID of such certificates but a little pictorial representation would be easily remembered.

Bravo!

Simon.

Simon on January 23, 2007 12:57 PM

Identicons can also be used in mapping or graphing to visually group elements. For example, you could write a google maps mashup for finding local businesses that uses an identicon for each business type. For example, if you searched for "restaurant" a different identicon would be used for Chinese, Mexican, Italian, Pizza, etc. Alternatively, if you searched for "Chinese" you could get identicons that show the business type, i.e. grocery, restaurant, etc.

Alex Brown on January 23, 2007 3:41 PM

(Double-post since I don't see the comment; maybe comments don't actually get posted without cookies, due to blog-software stupidity?)

Pretty pictures from random numbers --- that takes me back. Ported to C from Turbo Pascal, a six-year-old program for doing just that:
http://www.contrib.andrew.cmu.edu/~ajo/disseminate/make_id.c

Some examples of the (grayscale, fourfold symmetric) output are here:
http://www.contrib.andrew.cmu.edu/~ajo/disseminate/make_id.png

Unlike other solutions in this thread, "make_id" doesn't suffer from the Swastika Problem --- although you could easily get around that if you forced bilateral symmetry instead of rotational symmetry. (Reminds me of the way to ensure that random alphanumeric filenames, as in a browser cache, don't contain profanity: Rather than blacklisting offensive words, just remove all the vowels! Problem solved.)

Arthur on January 23, 2007 6:52 PM

LOL, this is funny how everyone is trying to get credit for the idea of creating an image out of data. I think we all know it's not an original idea, however this usage was pretty new, and the implementation was pretty new. But unique, no, it isn't.

PL on January 24, 2007 2:22 AM

Matt's correct. All you have to do is grab the image you want to reverse, then crank out a script to generate an image for every possible IP address and every possible salt value. Then just compare every bit of every resulting image with the one you're interested in. When you find a match, you've got the IP.

EASY! Five minutes, tops.

Pookie on March 20, 2007 10:52 AM

Pookie, I think you forgot to wrap that in <sarcasm> tags.

But seriously, suppose you post on multiple .NET blog sites which use Identicons. It's likely that most of these sites share the same visitors (because only .NET geeks post on .NET blog sites). However, it's also true that most sites will use different salt values.

So what you end up with is Dave being "identified" by multiple different identicons on different (but related) websites. Whereas, custom avatars at least give Dave the option of presenting a unified visual identity across these sites.

Maybe I just don't understand the problem Identicons solve, except that it weakens anonymity by allowing multiple posts from the same anonymous poster to be related to the public in a way that doesn't span multiple sites or account for changing dynamic IPs.

Dave on March 21, 2007 9:10 AM

Hm, it seems to be taking a bit longer than the 5 minutes I originally thought. I think I just need a faster machine.

Okay, joke over. I'm done.

There are some applications for this, actually. There are instances where a reader is unsure whether to trust a comment, for example sabotage-trolling from competitors which is fairly common in some spaces. If the webmaster wants to allow anonymous posts, but without disclosing IPs. It's a compromise that gives readers another piece of data to make judgements about what they're reading.

Plus, purdy.

Pookie on March 25, 2007 4:41 AM

Add transparency:

1) Replace all PixelFormat.Format.... by :
PixelFormat.Format32bppArgb

2) Near the end of render(int code, int size) call :
b.MakeTransparent( Color.White );

done !

softlion on May 27, 2008 8:00 AM

A similar idea was implemented in Lotus Notes (yes, I know. The horror) about 15 years ago. Instead of an icon they used four possibly-different symbols arranged in a 2x2 matrix. It hashed your password and was used as a visual hint to whether you typed your password correctly. It was pretty but not very useful.

nu on April 15, 2009 1:17 PM

links to code and blog post are broken

dfa on April 16, 2009 6:36 AM

I couldn't get this working on Win7/VS2008. It seems CloseFigure() works a bit differently in that if you have more than one PathPointType of CloseSubPath it throws a "Parameter is not valid" exception. I managed to fix this by removing the gp.ClosePath() from AddPointToGraphicsPath() and putting in patch.ClosePath() in PatchSize set{} after the for loop has completed.

David on June 19, 2009 4:53 AM








Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.