by frik 3839 days ago
"It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching"

If they use a Subversion/Git code repo to maintain their codebase, they should be able to track down who wrote the code and when.


Not if the version control system itself was compromised; any audit trail could itself have been tampered with to hide traces of who really made the change.

Or if by "unauthorised" they mean "via unauthorised use of an authorised account" - i.e. one of their dev team had their account hacked.

Even "when" could be difficult to be confident about, never mind "who", especially if the event happened quite some time ago, so the amount of other information available for forensic analysis may be minimal (network logs have probably been archived off, maybe to /dev/null, by now).

It's trivial to forge authorship in VCSs like svn and git, unless authors regularly sign commits with GPG or something.
Unless someone tampered with the logs, of course.
export GIT_AUTHOR_NAME="Barack Obama"

export GIT_AUTHOR_EMAIL="potus@whitehouse.gov"

That's the who, not the when or how.
For the when:

GIT_COMMITTER_DATE="Tue Dec 8 12:33:03 2015 +0000" git commit --date="Tue Dec 8 12:33:03 2015 +0000"

That will change the commit and author dates.
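The two comments above show that author name, email, author date and committer date are all caller-supplied fields in git. What a reviewer can still do, short of trusting signatures or server-side push logs, is look for the inconsistencies such forgery tends to leave behind: a commit whose author identity differs from its committer identity, a large gap between author date and committer date, or a missing/invalid signature. The script below is an added example written for this page, not code from any of the commenters. It assumes log lines in the shape produced by `git log --format='%H|%G?|%an|%ae|%aI|%cn|%ce|%cI'` (the `%G?` signature-status letters G, B, U, X, Y, R, E, N are git's own); the sample lines, the names and emails, and the 24-hour skew threshold are all constructed for the example.

```python
"""Audit git log records for signs of forged author/committer metadata.

Input lines are expected in the shape of
    git log --format='%H|%G?|%an|%ae|%aI|%cn|%ce|%cI'
i.e. sha | signature status | author name | author email | author date (ISO 8601)
     | committer name | committer email | committer date (ISO 8601).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class CommitRecord:
    sha: str
    sig_status: str          # git %G? letter: G = good signature, N = none, B = bad, ...
    author_name: str
    author_email: str
    author_date: datetime
    committer_name: str
    committer_email: str
    committer_date: datetime


def parse_log_line(line: str) -> CommitRecord:
    """Split one pipe-delimited log line into a CommitRecord (raises ValueError on bad input)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}: {line!r}")
    sha, sig, an, ae, ad, cn, ce, cd = parts
    return CommitRecord(
        sha=sha,
        sig_status=sig,
        author_name=an,
        author_email=ae,
        author_date=datetime.fromisoformat(ad),
        committer_name=cn,
        committer_email=ce,
        committer_date=datetime.fromisoformat(cd),
    )


def audit(records: List[CommitRecord],
          max_skew: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Return {sha: [reasons]} for every commit that looks suspicious.

    max_skew is an arbitrary threshold chosen for this example; a normal
    rebase or cherry-pick also separates the two dates, so hits are leads
    for a human reviewer, not proof of tampering.
    """
    findings: Dict[str, List[str]] = {}
    for r in records:
        reasons = []
        if r.sig_status != "G":
            reasons.append(f"signature status {r.sig_status!r} is not a good signature")
        if (r.author_name, r.author_email) != (r.committer_name, r.committer_email):
            reasons.append("author identity differs from committer identity")
        skew = abs(r.committer_date - r.author_date)
        if skew > max_skew:
            reasons.append(f"author and committer dates differ by {skew}")
        if reasons:
            findings[r.sha] = reasons
    return findings


# Constructed sample log: one clean signed commit, one unsigned commit with a
# forged author identity, and one signed commit whose dates drifted apart.
SAMPLE_LOG = [
    "a1b2c3d4|G|Alice Dev|alice@example.com|2015-12-08T12:33:03+00:00"
    "|Alice Dev|alice@example.com|2015-12-08T12:33:03+00:00",
    "e5f6a7b8|N|Forged Author|forged@example.invalid|2015-12-08T12:33:03+00:00"
    "|Release Bot|release@example.com|2015-12-17T09:00:00+00:00",
    "c9d0e1f2|G|Alice Dev|alice@example.com|2015-11-01T08:00:00+00:00"
    "|Alice Dev|alice@example.com|2015-12-05T10:15:00+00:00",
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample log."""
    return audit([parse_log_line(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for sha, reasons in audit_sample().items():
        print(sha)
        for reason in reasons:
            print("  -", reason)
```

Everything this script reads comes from the repository's own objects, so it only narrows the search; as the replies below point out, the time a commit actually arrived has to come from server-side push or hook logs, and the identity claim is only as good as a signature made with a key the attacker never held.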

Shouldn't the server log incoming pushes so you can find when the commit arrived, not just when the commit claims to have been made?

Maybe they don't, but this seems like something they ought to do.

You could have them do it, but it's just going deeper down the rabbit hole. The eventual question is "who/what do you trust?" - maybe it was the git server that got pwned?

A PGP-signed commit with a key generated on a smartcard (and never exposed) is a little better, but ... Someone pwned RSA before, and I'd be surprised if Gemalto and Yubico (just two examples) don't have some Three-Letter-Agency backdoor (and .. I'm sure those TLAs have equipment that can read modern smartcards).

Difference between CMS & VCS.