Not familiar with Twitter, but if you can easily get all or most handles through their API or scraping, then wouldn't it be easy to brute-force reverse the hash?
Edit: Maybe add a private salt?
Edit again: Oh, missed that "The Twitter handle Brian Krebs..." is effectively the private salt, nevermind.
The inclusion of a salt only protects against precomputed hashes. It makes almost no difference to how many millions of hashes one can perform per second.
I think the idea is not to publicize the salt. The proof still works (after both user name and salt are publicly known), but a dictionary attack with all twitter handles won't work.
Exactly. If you publish just the digest of "HMAC(salt,handle)" and want to find a new salt in order to fill in a different twitter handle but with the same digest, this is called a pre-image attack -- finding a message with a specific hash value, with a time complexity of 2^n.
then he could not provide evidence the handle and hack were connected. He would either need to provide enough relevant information for a reader to independently discover that Zu was the correct twitter handle, or leave out enough info that it wouldn't be convincing.
echo "The Twitter handle Brian Krebs anonymized in this blog post is..." | sha256sum
There you go, you can prove it to anyone at any point in time.