Re: MS 365 breach, a non-exhaustive list of questions for CISA's review board:

- Why was a long-expired certificate allowed to be trusted, and why was this bit removed from the MSRC blog?

- The code library for checking token validity has been amended to fix the vulnerability in future. Developers are blamed for not following the documentation... but why was the library shipped like that? Secure by design, and all - it was a solvable problem.
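As an added example (not code from the post, and not from any Microsoft library), the following constructed Python validator shows the difference the post is pointing at: a token-checking library that only verifies the signature and the token's own expiry against a naive one that also refuses, by default, a signing key that is outside its own validity window or belongs to a different issuer scope, so the caller does not have to remember to do it. The token format (an HMAC-signed JWS-style compact token), the key set, key ids, secrets, issuer labels and timestamps are all constructed placeholders so the block runs offline with the standard library only.

```python
"""Token validation that refuses signing keys outside their validity window.

Added example, not code from the post or from any vendor library.
Everything here is constructed: keys, issuer labels, timestamps and tokens.
"""
import base64
import hashlib
import hmac
import json

# Constructed key set. Each signing key carries its own validity window
# (standing in for the certificate the post refers to) and the single
# issuer scope it is allowed to vouch for.
KEYS = {
    # Valid only during 2016: long expired by the time the tokens below are checked.
    "key-2016": {"secret": b"old-secret", "nbf": 1451606400, "exp": 1483228800, "issuer": "consumer"},
    # Valid during 2023.
    "key-2023": {"secret": b"current-secret", "nbf": 1672531200, "exp": 1704067200, "issuer": "enterprise"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact header.payload.signature token with the named key.
    Anyone holding the key material, including an old key, can do this."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), f"{h}.{p}"


def validate_naive(token: str, now: int) -> bool:
    """Looks up the key by kid, checks the signature and the token's own exp.
    It never asks whether the signing key itself is still within its validity
    window, or whether it is the right key for this service's issuer."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and claims.get("exp", 0) > now


def validate_hardened(token: str, now: int, expected_issuer: str) -> bool:
    """Same checks, plus two the library performs itself rather than
    leaving to documentation: the key must be valid at validation time,
    and both the key and the token must belong to the expected issuer."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False
    if not (key["nbf"] <= now < key["exp"]):
        return False  # signing key (certificate) outside its validity window
    if key["issuer"] != expected_issuer or claims.get("iss") != expected_issuer:
        return False  # key or token from the wrong issuer scope
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    return claims.get("exp", 0) > now


if __name__ == "__main__":
    now = 1690000000  # constructed validation time, mid-2023
    # Token claiming the enterprise issuer but signed with the long-expired consumer key.
    forged = sign_token("key-2016", {"iss": "enterprise", "sub": "user@example.test", "exp": now + 3600})
    legit = sign_token("key-2023", {"iss": "enterprise", "sub": "user@example.test", "exp": now + 3600})
    print("naive accepts forged:   ", validate_naive(forged, now))
    print("hardened accepts forged:", validate_hardened(forged, now, "enterprise"))
    print("hardened accepts legit: ", validate_hardened(legit, now, "enterprise"))
```

The naive validator accepts the forged token because the signature is correct under a key it still knows about and the token's own expiry is in the future; the hardened one rejects it on the key's validity window and on the issuer mismatch before it even reaches the signature check, and it does so without the caller passing any extra option.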