December 9, 2025
Selfie with receipts: MD5 edition
Constructing the Word's First JPEG XL MD5 Hash Quine
A self-hashing picture blows minds, revives JPEG XL fights, and ignites a bot scandal
TLDR: A creator made a JPEG XL image that shows its own MD5 hash—a picture that displays its fingerprint—and it only verifies in supporting browsers. Commenters gushed over the stunt, fought about JPEG XL support, dragged a rogue HN dupe-bot, and warned not to trust short hash snippets.
An internet tinkerer just dropped a brain-bender: a JPEG XL picture that displays its own MD5 hash—think a photo wearing its own name tag. The post reads like nerd poetry (hello, “Quine Cinematic Universe”), but the crowd reaction made it a show. Fans swooned over the “prediction machine” magic and the throwback cleverness, with one calling it a rare “breath of fresh air” in a sea of AI spam. Meanwhile, the punchline that many browsers can’t even show JPEG XL had people chanting “try Safari” and rallying to bring the format back.
Then came the drama. A supposed HN dupe-detecting bot crashed the party, with one user alleging it’s “incorrectly claiming posts are dupe” and somehow still posting even after a ban. Cue conspiracy vibes: ghost bot or mod glitch? On the practical side, security folks chimed in with caution: don’t trust tiny hash snippets—if you only compare a few characters, you’re asking for trouble. The vibe: a joyful mash-up of art-meets-math wizardry, browser-format politics, bot-moderation drama, and a dash of crypto hygiene. It’s equal parts wow, “why won’t my browser work,” and “please, for the love of hashes, check more digits”—with plenty of meme energy to spare.
Key Points
- •The article presents a JPEG XL image file (‘shark_hashquine.jxl’) that displays its own MD5 hash.
- •Users can verify the MD5 using md5sum or a JPEG XL–capable browser such as Safari; a PNG render does not preserve the MD5.
- •The piece outlines constraints for construction: no animated frames, no dead bytes, and no length-field corruption.
- •Prior hash quines exist for formats like PDF, ZIP, animated GIF, and PNG, with a catalog linked on GitHub (‘corkami/collisions’).
- •Public SHA-1 collision PDFs rely on length-field differences, with an estimated cost of ~$2.7M; the article avoids such hacks and flags MD5 weaknesses for exploration.