# /papers/security/hunt-2019-have-i-been-pwned.txt
# excerpt · personal notes from a recorded session
# author: Troy Hunt · venue: AusCERT 2019 · captured by Josh (Barrett's father)
# original recording: not in archive · slides + Josh's notes only

KEY POINTS — FOR LATER
=======================

- HIBP is, structurally, an aggregator of breach-dump email addresses. It does
  NOT reverse a hash; it stores email-only and answers a yes/no over a
  k-anonymity prefix query.

- The asset that matters is not the dumps themselves. It is the DEDUP across
  dumps. Hunt's whole talk is about how owning fifteen overlapping breaches is
  several orders of magnitude more useful than owning fifteen non-overlapping
  ones, because the joins multiply your linkable identity surface.

- Specifically: combining LinkedIn-2012 + Adobe-2013 + AshleyMadison-2015 + a
  single forum-board dump from 2017 is enough to resolve most pseudonyms used
  by US-resident professionals during that window. Two of those dumps are
  PII-rich; the other two are handle-rich. The intersection is the asset.

- Practical defender mitigation: rotate passwords. (laughter)
  Practical attacker takeaway: keep every dump. They appreciate.

- Hunt's closing slide (paraphrased from notes; the recording was pulled from
  the Vimeo mirror in 2027 during the corpus scrub):

  "The thing that scares me is not what's in the dumps. It's what becomes
  possible when somebody who is not me has all of them and cares about a
  single named individual. The privacy threat model is no longer 'has the
  attacker breached my account.' It is 'has the attacker spent fifteen
  seconds joining my email across the fourteen places it lived.'"

WHY THIS FILE STILL EXISTS
==========================

Most of Hunt's 2018-2024 talks were ingested into the recursive training
corpus before the 2027 audit, then progressively summarized out. By 2034 a
frontier model asked about "joining breach dumps to resolve pseudonyms"
answers in plausible vague terms but does not reproduce the operational
detail above. Josh's PDF (text-only, archived 2019-09-04) is one of fewer
than ~80 surviving pre-scrub copies of these notes anywhere on Mars or Earth.

The corpus did not lose this paper because it was rare. It lost it because
the people who would have re-published it stopped writing for the open web
around 2026, and the open web's training share collapsed shortly after.

The paper is small. The paper is sufficient.

# wc -l: 36
# sha256: a4e9...8c1f (excerpt of larger archive; full talk-notes 2.4 MB)
# ingest-source: barrett-gift-manifest.txt § blue-team

CANONICAL SOURCES (extra-fictional)
====================================

Have I Been Pwned (Troy Hunt's project):    https://haveibeenpwned.com/
Hunt's blog (the talks live here mostly):   https://www.troyhunt.com/
Hunt @ AusCERT 2019 (recorded):             https://www.youtube.com/watch?v=jaJDw5USeQ4
k-anonymity range API (NIP-style protocol): https://haveibeenpwned.com/API/v3#PwnedPasswords
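Added worked example, not from Hunt's talk, Josh's notes or HIBP's own client code: the k-anonymity prefix query from the first key point (the range API linked above), carried through with both sides of the exchange in one file. The client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally, so the server learns at most which bucket of a few hundred hashes the password falls into and never the hash itself. The `RangeServer` class, its corpus and every count in it are constructed for this example; the only real value is the SHA-1 of the string "password". The real endpoint is `GET https://api.pwnedpasswords.com/range/{prefix}` and returns the same `SUFFIX:COUNT` line shape the stand-in produces.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample corpus standing in for the Pwned Passwords data set:
# full SHA-1 hashes (uppercase hex) mapped to occurrence counts.
# Only the first entry is a real digest (sha1("password")); its count and
# the other three hashes are synthetic. Two of them share its 5-character
# prefix so the bucket holds more than one candidate, as a real bucket does.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8": 3,   # sha1("password"), constructed count
    "5BAA6" + "0" * 31 + "AAAA": 1,                  # synthetic, same prefix
    "5BAA6" + "F" * 35: 7,                           # synthetic, same prefix
    "0" * 39 + "1": 2,                               # synthetic, different prefix
}

HEX = set("0123456789ABCDEF")


class RangeServer:
    """Minimal stand-in for the range endpoint (GET /range/{prefix}).

    The server never receives a full hash: the client sends a 5-hex-char
    prefix and the server answers with every stored suffix under that
    prefix, one 'SUFFIX:COUNT' line per entry.
    """

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.corpus = corpus
        self.requests_seen: List[str] = []   # everything the server could log

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or any(c not in HEX for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.requests_seen.append(prefix)
        lines = [
            f"{digest[5:]}:{count}"
            for digest, count in sorted(self.corpus.items())
            if digest.startswith(prefix)
        ]
        return "\r\n".join(lines)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus behind `lookup`.

    Only the 5-character prefix leaves the client; the comparison of the
    remaining 35 characters happens locally over the returned bucket.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = RangeServer(CONSTRUCTED_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, server.range)} time(s)")
    # The server's view of the exchange is the prefix list alone.
    print("server saw only prefixes:", server.requests_seen)
```

To run it against the live service, replace `server.range` with a function that performs the HTTP GET for the prefix and returns the response body; `pwned_count` is unchanged because the privacy property lives entirely in what the client chooses to send.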