Some intruders download Windows service packs to check the bandwidth available.

You said

"HTTPS only works one IP per host, so that gives a positive track to where they were going."

That is not correct. If you inspect HTTPS traffic you'll see that clients issue something like the following:

CONNECT www.myawesomehost.net:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Proxy-Connection: keep-alive
Host: www.myawesomehost.net

The same IP address can host www.myawesomehost.net and plenty of other Web sites. With HTTPS the Feds would just track the CONNECT and Host: fields since those are in the clear.

"I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection)."

"Sacred cows" have nothing to do with it. The book just isn't that interesting.

Richard Bejtlich from the TaoSecurity Blog was invited by NSA's Tony Sager to visit the CDX in person:

http://taosecurity.blogspot.com/2009/05/thoughts-on-2009-cdx.html

Bejtlich mentions that CDX participants were given a budget for the exercise. This means it cost them "marks" (in exercise language) to replace the Windows images NSA provided with alternative systems like FreeBSD or Linux. That decision caused the team to have less resources for other tasks.

The Army didn't win just because they used Linux. Bejtlich posts reasons why they won here:

http://taosecurity.blogspot.com/2009/05/lessons-from-cdx.html

Watch for a report from Melissa Hathaway, who is leading the effort. The linked .pdf is from GAO and was published 10 March.

As a result of this discussion, the Association of Former Information Warriors was created.

LinkedIn Group:

http://www.linkedin.com/groups?about=&gid=1847393

Blog:

http://aofiw.blogspot.com/