I feel like this is a newbie question, but I've got a technical background and have been following Bitcoin for years. Perhaps I'm just forgetting something.

We ordinarily speak of each block as secured, or confirmed, by the subsequent blocks. We say this because each block contains the prior block's hash - which is why it's a "chain."

But the blocks themselves are found just by (effectively) brute-forcing SHA2. What prevents someone from doing that to an arbitrary old block to (say) remove a transaction and thus double spend? (Or just massively confuse the network.) In other words, shouldn't it be as easy, if we're currently at block 231375, for me to find a replacement for block 200000 as to find the next block? The replacement would, by design, have the same hash but different content - content that, for whatever reason, favors me as the attacker. Why couldn't it fit right into the "authentic" chain?

Satoshi's paper addresses a similar problem, but it doesn't seem to be the same. He shows that it becomes exponentially more difficult to dictate a new chain (whose blocks have different hashes from the "real" chain) against the "honest" hashing power. But does something other than the hash stored in block 200001 authenticate block 200000? And if not, how do we distinguish in any distributed way among any candidates for block 200000 that have the same hash and are otherwise valid blocks?

(Obviously, we could checkpoint, or go by which block a majority of nodes think came first, but that isn't really "distributed" in the way we say Bitcoin is. If a majority of hashing power is the only thing that decides which version of the old block to trust, that would make a 51% attack worse than people say it is, because it would allow the arbitrary rewriting even of ancient history.)

I'm sure I'm forgetting or misunderstanding something, but I don't know what it is. Thanks!