2025-10-25 –, Talk 1
GitHub forks are...weird. A couple implementation quirks lead to some funny (or alternatively, scary) consequences. And yeah, this is publicly documented, but who reads these days? This talk walks through real-world personal examples: recovering commits from a deleted project, brute forcing hidden commit history back into existence, and skirting a DMCA takedown by inserting hidden commits in a someone else's repository.
This talk was originally given at an internal conference for a small pentesting firm, with a mixture of technical pentesters and nontechnical project managers/executive staff in the audience and written to be accessible to all. Familiarity with Git/GitHub is recommended (and mostly a given, considering BSides' audience) but there is a brief explanation at the beginning in case it is helpful (and to set up a joke).
James is a web/cloud penetration tester at Anvil Secure, based in Seattle. His research interests include API security, hardware hacking, and abuse cases. He spends too much of his free time in Grand Theft Auto Online, where the hacking minigames are much easier than his day job.