I found the logs on the USB before I posted about the GCHQ slide, that's how I found the info. I verified that the data was also in coderman's torrent from over a year ago. John rebuffed my initial inquiry and refused to verify that the IPs I provided visited Cryptome at the times listed, and then accused me of faking the data. So I released it for others to look at themselves. 

If the slide is a mockup, it could be an internal mockup produced by GCHQ, a deliberate piece of disinformation from within or without GCHQ, a document altered by Snowden, his friends/"friends" in Russia, or anyone else in the chain of custody. Given that Snowden didn't review all of the documents he handed over, he might not recognize if one had been altered, embellished, forged, or taken out of context prior to publication. Or it could be genuine - proving that something could be a fake isn't quite the same as proving it's a fake.