Some intruders download Windows service packs to check the bandwidth available.
"HTTPS only works one IP per host, so that gives a positive track to where they were going."
That is not correct. If you inspect HTTPS traffic you'll see that clients issue something like the following:
CONNECT www.myawesomehost.net:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11) Gecko/20091102 Firefox/3.5.5
The same IP address can host www.myawesomehost.net and plenty of other Web sites. With HTTPS the Feds would just track the CONNECT and Host: fields since those are in the clear.
"I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection)."
"Sacred cows" have nothing to do with it. The book just isn't that interesting.
Richard Bejtlich from the TaoSecurity Blog was invited by NSA's Tony Sager to visit the CDX in person:
Bejtlich mentions that CDX participants were given a budget for the exercise. This means it cost them "marks" (in exercise language) to replace the Windows images NSA provided with alternative systems like FreeBSD or Linux. That decision caused the team to have less resources for other tasks.
The Army didn't win just because they used Linux. Bejtlich posts reasons why they won here:
Watch for a report from Melissa Hathaway, who is leading the effort. The linked