Sure, but as I understand it, he doesn't/didn't need to actually try it on github's servers. If he put the public keys in question into the authorized_keys list of a second account on his personal system, he can locally verify that the brute forced private key is correct. I think the wording agrees with this:

> <snip> and then a few more minutes to transform those back into a SSH key that I could log into systems with.