Dan, This is a blanket comment based on what I am reading on the effort to do a remote post-mortem on the event.
Before "running with" a commentary, try to contact those with first hand knowledge to see if they will discuss any parts of it with you - knowing that your commentary is going to be public. The more "facts" you get, the easier it is to explain the significance of the situation. Once you get to "if it happened this way" and the "or it could have happened that way" you lose an easy to follow narrative. This isn't advice to "get the facts first" (which is always good) but a suggestion to try to narrow the message. Like, once i got to there being a step 3a or 3b, I was kinda loosing my will to finish the article. Ed PS - I've done some work like this, looking at how DNSSEC configurations leave breadcrumbs. I learned that it is most fruitful to contact the actors involved and talk to them because you learn a lot (studying anomalies in operations leads to great insights). More over, not only is it fruitful, it's much easier than "diagnosing" what happened from what "symptoms" have been observed. Ordinarily, my diagnosis has proven to be way off the mark.
smime.p7s
Description: S/MIME cryptographic signature