You're talking on-line banking. I'm talking about over-the-phone ordering in the real world.
My example is legitimate, whether or not yours is. If hardware ID is useful in the case I describe, then it is useful. For you to show that it is not useful in general, you must do more than argue that it is not useful in a particular case. Furthermore, my example is a real-world example, and nontrivial.
You haven't used least-privilege, though. Least privilege would mean that the machine I'm sitting at at the moment and no other should be able to issue orders to my bank. If I use the machine and am not sitting at it, that I use it is irrelevant. If I have never used a machine before but am sitting at it, that I have never used it before is irrelevant. Access should follow me and not the machine in any way, so the check should be against me and not the machine in any way.
You want all computers to be able to issue orders regarding your account, which is farther from least privilege than my proposal. Also note that when least privilege is applied to *people*, instead of computers, the statement is that only you should be able to issue orders regarding your account. So, you need to authenticate yourself, as well.
My opinion: if a check doesn't actually add to security, it should not be done. The identity of the machine is completely
The proper way to approach these problems is with the principle of least privilege in mind; be as restrictive as possible while allowing subjects to be able to do what they need to do. My proposal comprises a restriction that does not prevent you from doing what you need to do.
If your method of identifying me is weak enough to need additional verification based on my being where I'm expected to be, then your scheme is too weak and needs improved, not papered over with irrelevant checks.
You're still being naive. Authentication is a problem that is getting worse, not better. The lack of a PKI (and the difficulty of implementing one) implies that identity theft is actually easier on the 'net than it has ever been before; all you need to do is fool somebody into believing that your public key is really your victim's public key. Right now, in the real world, though, the security is even worse, because anybody can claim to be you by looking up easily accessible information about you. In the real world, it is trivial to steal your identity (this is even talked about in the mainstream press). You claim that this is the problem that should be fixed -- but the fix likely will involve public key cryptography, which is only slightly better (even in principle, let alone in practice).
There *is no* completely satisfactory solution to the authentication problem, where the check is not done in person.
computer I'm at. If the machine I'm using is irrelevant to who I am, then it shouldn't be checked. If my identity is subject to forgery, then improve the method used to verify my identity and close the hole rather than trying to limit the number of places someone can exploit the hole.
You're being naive. How do they know how to verify your identity? Well, right now, you enter a username and a password on a web page. Many banks use your account number or your SSN as your username, and neither of these is especially secret. In fact, most banks have their web banking set up by default to save your username in a cookie so that your browser remembers it.
If you know my username, SSN, and Mother's maiden name (also not hard to learn), you can call up the bank and convince them that you're me! You can say that you forgot your (er, my) password, and can they assign a new temporary one (that of course you will change five minutes later). Alternatively, if my bank offers web banking and I haven't signed up for it, you can sign me up over the phone (with the same ID information).
In the days of phone banking, this wasn't too big a risk, because all you could do was transfer money between your own accounts. However, now web banking allows you to write electronic checks to anyone, making the risk much greater. Worse yet, don't bet that your money is insured if it gets stolen this way -- how can you prove that you didn't authorize the funds transfer?!? The transaction required your authentication information...
Even if the banks switch to public key cryptography, there's a problem, because there is no public key infrastructure (PKI). Without this, it is difficult (on a large scale) to correctly associate an individual with his correct public key; identity theft is still entirely possible.
One way to tighten the security is for you to give the bank a list of computers from which to accept orders ostensibly from you. This really isn't unreasonable, especially as the trend from desktops to laptops and palmtops continues. Indeed, there will probably be 'smart cards' or some such that you use for electronic cash or electronic voting, anyway, that live in your wallet.
In the security field, there is something called, "the principle of least privilege". What this means is that the proper way to approach security is to take away all privileges, and then selectively grant them back. "Selectively" means that a subject should be given enough privileges to be able to do what it needs to do, but no privileges beyond that. Applying the principle of least privilege to computers on the net, it is clear to see that only the ones you use should be able to issue orders regarding your bank accounts. A computer that I use and that you don't use shouldn't have that capability.
At any rate, if you don't want to use the added security I propose (and I still call you naive in that case), then don't! Note that in my original post I also proposed an additional hardware switch (say, right next to the power button) that would disengage the chip. My reason for this was that it becomes possible for others to trace your activities if your machine authenticates everywhere on the web, not just at sites where you benefit from the added security.
My point is, if there is a unique ID on the machine, it doesn't have to be a privacy violation, and it can be useful -- both at the same time. Note that I don't claim that hardware identification is bulletproof, just potentially useful if it's "hard enough" to break. You can claim that you don't think it's useful for your purposes, but I argue that it's still useful for lots of other people. And, even if you claim it's not useful at all, that doesn't constitute a proof that it violates your privacy.
So where's your beef?
And right there's where this number breaks down completely for e-commerce. When I run a transaction, I need to prove to the other end that I am involved. If I go to another computer, I want to authenticate as me. If someone else sits down at my computer, I do not want the computer to authenticate as if I were sitting there.
And if you think being at a different machine isn't a problem, bear in mind that right now I regularly use 4 different machines. 1 of those is used by several other people when I'm not using it, and another is used by about 75 other people simultaneously.
Here's what I'm saying: your bank should verify both *your* identity, and *your machine's* identity, before acknowledging requests to access your account. You use any of four different machines? Well then, tell the bank to accept transactions from any of those four. You still are eliminating lots of potential attackers. Some of those machines are shared? Well then, make sure the permissions on your *personal* private key aren't world readable (and consider how much you trust 'root' on those machines)!
Being able to identify a particular computer is useful. I don't claim that this means of doing so is bulletproof, or that the ability to do so represents a security 'magic bullet'. However, it can offer additional security *in conjunction with* your PGP or other software-based crypto system.
When you sell your machine (or it is stolen), you tell your bank not to trust that machine regarding your account anymore. As far as chip switching, that can be made "hard enough" to suit many purposes, even though it of course cannot be impossible.
This could be a useful security aid, and is certainly not "total security in a box". Those two statements are not exclusive.
Suppose there is a unique number embedded in your computer. Now suppose that it is never shown to anyone (not even you).
This is a practical and useful thing to have. The unique (secret) number could be a private key; the corresponding public key could be widely published by the manufacturer (and be related to e.g. the serial number).
Now, because there is software between you and the bits that comprise the private key, nothing says that you have to do anything with it. However, it is *possible* to use it to prove that your computer, specifically, is a party to a transaction.
For example, right now identity theft makes it trivial for a crook to access your bank account over the web, if you have electronic banking enabled. He just needs some info, like SSN, mother's maiden name, etc. However, suppose you gave the bank (in person) the serial number of your computer. Then the bank could verify the identity of the machine that tried to access your account, using a zero-knowledge proof (give it something to sign, and verify the signature).
This doesn't make your security iron-clad, but I think it does help. Of course, there will be places that demand that you authenticate even for transactions that don't need authentication (e.g. the New York Times). Again, though, the fact that those bits exist in your machine doesn't mean that you are under any obligation.
It will be interesting to see how the "default software" will be set up on MS platforms; if IE authenticates everywhere without asking, then Joe Windows User is as badly off as he would have been with the Pentium ID, in terms of his activities on the 'net being traced. Maybe IBM should manufacture a separate hardware switch that can disengage the chip, so the user can do an end run around Redmond shenanigans (sp?).
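The machine check described in this thread (the bank enrolls a machine in person, gives it something to sign, and verifies the signature) can be sketched as below. This is an added example, not part of the original posts: the `Device` and `Bank` types, the choice of Ed25519, and the serial and account names are assumptions for illustration. It covers only the machine check, not authentication of the person.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownDevice = errors.New("machine not enrolled for this account")
	ErrNoChallenge   = errors.New("no outstanding challenge (possible replay)")
	ErrBadSignature  = errors.New("signature does not match enrolled machine")
)

// Device models the embedded chip (hypothetical type): the private key is
// never exported, software can only ask the chip to sign.
type Device struct {
	Serial string
	priv   ed25519.PrivateKey
}

// NewDevice stands in for the manufacturer: it makes the key pair and returns
// the public half that would be published against the serial number.
func NewDevice(serial string) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Serial: serial, priv: priv}, pub
}

// message binds a signature to this purpose, account, machine and challenge,
// so it cannot be reused for another account or protocol.
func message(account, serial string, nonce []byte) []byte {
	prefix := fmt.Sprintf("bank-machine-auth-v1 %q %q ", account, serial)
	return append([]byte(prefix), nonce...)
}

func (d *Device) Sign(account string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, message(account, d.Serial, nonce))
}

// Bank keeps, per account, the machines the customer registered in person.
type Bank struct {
	enrolled map[string]map[string]ed25519.PublicKey // account -> serial -> key
	pending  map[string][]byte                       // account+serial -> nonce
}

func NewBank() *Bank {
	return &Bank{enrolled: map[string]map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (b *Bank) Enroll(account, serial string, pub ed25519.PublicKey) {
	if b.enrolled[account] == nil {
		b.enrolled[account] = map[string]ed25519.PublicKey{}
	}
	b.enrolled[account][serial] = pub
}

// Revoke is what the customer asks for when the machine is sold or stolen.
func (b *Bank) Revoke(account, serial string) {
	delete(b.enrolled[account], serial)
	delete(b.pending, account+"\x00"+serial)
}

// Challenge issues a fresh random nonce, but only to an enrolled machine.
func (b *Bank) Challenge(account, serial string) ([]byte, error) {
	if _, ok := b.enrolled[account][serial]; !ok {
		return nil, ErrUnknownDevice
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[account+"\x00"+serial] = nonce
	return nonce, nil
}

// Verify accepts a signature once, against the nonce the bank itself issued.
func (b *Bank) Verify(account, serial string, sig []byte) error {
	pub, ok := b.enrolled[account][serial]
	if !ok {
		return ErrUnknownDevice
	}
	key := account + "\x00" + serial
	nonce, ok := b.pending[key]
	if !ok {
		return ErrNoChallenge
	}
	delete(b.pending, key) // single use: a captured signature cannot be replayed
	if !ed25519.Verify(pub, message(account, serial, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	bank := NewBank()
	laptop, pub := NewDevice("SN-LAPTOP-0001") // constructed serial number
	bank.Enroll("acct-1", laptop.Serial, pub)

	nonce, _ := bank.Challenge("acct-1", laptop.Serial)
	sig := laptop.Sign("acct-1", nonce)
	fmt.Println("enrolled machine:", bank.Verify("acct-1", laptop.Serial, sig))
	fmt.Println("replayed signature:", bank.Verify("acct-1", laptop.Serial, sig))

	bank.Revoke("acct-1", laptop.Serial)
	_, err := bank.Challenge("acct-1", laptop.Serial)
	fmt.Println("after revocation:", err)
}
```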
Hmm, I admit that I'm no expert here. Fusion probably isn't quite as perfect as I made it out to be, and still might exhibit some radiation leakage.
I suspect that the reason that there is no commercial plant in the works is that it is *extremely* expensive (in dollars) to get an energy profit from a fusion reaction. Fusion reactions aren't very sustainable, or very efficient, at the current state of the art. They do turn a slight energy profit in pulses, though.
However, fusion research seems a lot more promising than space-based microwave power. Fusion is also (in principle) *far* cleaner and more efficient than fission. However, it is still a heinously underfunded avenue of research (so it seems to me), relative to its potential eventual payoff.
Of course, I am indeed hand-waving without any actual numbers in front of me; however I *believe* that the last set of grants in this area only amounted to tens of millions of dollars. Even if the real number is an order of magnitude higher than that, it still seems to be an order of magnitude too low. A billion or two here would be well worth it, especially considering all the other places we're spending money these days. What I'm talking about here, in terms of a research goal, is the difference between waiting 20 years and waiting 50 years for the first commercial fusion power plant. At any rate, IMHO fusion is still a better investment than microwave power.
There's no need to spend money on this kind of science fiction for a while.
Fusion research has been languishing for years, obtaining only small slices of the funding pie. Despite this fact, researchers have already developed fusion reactors that generate a controlled energy profit. Granted, there are cheaper ways to boil water today, but the price tag is shrinking.
Fusion power plants would create no radioactive waste whatsoever. They take in deuterium (a Hydrogen isotope found in so-called "heavy water", which is easily mined right from the oceans), and put out energy, Helium, and other harmless by-products.
As an aside, note that Helium is a "perishable" resource; the Earth was only born with so much, and it's light enough to escape into space. People laughed a few years back at the "waste" of money in maintaining a national Helium repository, but they shouldn't have. It's a very valuable element for research, and it's disappearing.
Fusion power would utilize a plentiful resource, and provide energy at enormous efficiency (*much* greater than current fission-based nuclear power), without harming the environment. Yet, it continues to get scanty funding.
Write your Congressman and encourage spending on a power supply that has already been developed and has no bad side effects. This microwave stuff might be quite helpful for supplying the moon with electricity (of course, so might simple aluminum foil reflectors that simply concentrate sunlight on lunar power cells), but we're still a ways off from needing it there. Perhaps the money that would be saved by replacing our current power plants with fusion-based counterparts could help pay for the next leap ahead in the space program.
Inventory is expensive.
It doesn't matter if you're looking for books, CD players, stuffed animals, or anything else. Any business that sells this stuff is spending money for every second that it sits on a shelf.
Look for a lot of retailers to go out of business in the next decade or so. This potentially includes big chains such as Wal-Mart, which is really threatened by e-business. As I understand it, Wal-Mart's competitive edge came in part from its lack of "back rooms"; it timed its deliveries to fill up the shelves as they emptied. In fact, Wal-Mart provides only two things to producers: shelf space on which they (not Wal-Mart) stock their products, and sales statistics and information from the cash registers. This was pretty innovative when it first came about, but Amazon.com's way of doing business came as a trump card.
Any inflated ideas about Amazon.com are moot. Retail shelfspace is going to go away wherever possible, simply because it costs money -- this is the driving issue. A close second factor is the fact that Amazon can collect a lot of information about its customers, better than the Wal-Mart registers, especially regarding their buying habits over time. Even cars can be bought over the web now (e.g., Saturn). In the particular case of books, paper-and-ink will soon be a luxury item, considering how much cheaper disk space is. The book industry, as such, will probably go the same way most Slashdot readers seem to want the music industry to go (mp3 is more complicated than HTML).
There's a company in Japan that sells custom bicycles at below average prices; they read your specs from a web form, and can ship in 48 hours. All they need to do is store and assemble parts, which turns out to be cheap. On-demand manufacturing like this will spring up wherever practical to get rid of expensive warehouse space, as well as retail shelves. Gateway Computers leases an Atlanta hangar from UPS so that UPS doesn't have to ship components to Gateway, and then ship assembled systems back -- Gateway just builds the things in the hangar, and they go right back on the planes.
The next Wal-Mart (even the next A&P, for those who remember its heyday) will sit behind a URL, and Amazon clearly wants to be it. However, it doesn't really matter to the consumer whether it's Amazon or some other company.
The big deal about Amazon is that it was the first company to do business like this in the mainstream, with a commodity item like a book. Of course, the industry that really pioneered e-business is in fact the porn industry (billions annually over the web in both products and -- ahem -- "services"). There are a lot of self-made millionaire(sse)s in that arena.
Amazon isn't special in and of itself. It is merely an early indicator of how the internet will change mainstream business interactions. There are good and bad sides to this, but the cost of doing business will certainly get lower.
First, for the record, I am "[Zappo]", not "Zappo". The latter did lay first claim to a nick I used long ago elsewhere, but doesn't seem to be terribly active lately. I confess that I didn't want to be bothered to think up another handle, and hope I'm not stepping too heavily on anyone's toes.
At any rate, I suspect that faithful and thoughtful members of Christian religions do (or at least should) hold an attitude of, "get off my side," with respect to most conservative extremist groups.
In fairness to the people who felt motivated to form the groups, however, I see little that is "holy" about porn (for example). Sex is an act that must be evaluated in context in regards to its "moral acceptability". The sacramental union of sex between married partners condoned by the Catholic Church is a far cry from the exploitation, objectification or violence that characterize some other, less loving, forms of sexual "expression".
Even when (smart, often religious) people consider this issue, they tend to disagree in some respects (e.g., sex before marriage, homosexuality, etc.). The members of groups like CAP seem to take the most superficial view imaginable.
Worse yet, they seem to be reinforcing this superficiality on people who listen to them. They claim that *Mary Poppins* is "perfectly" morally acceptable. This might be true, but that film is also incredibly bland, and seems to have a limited ability to influence children for the better. CAP investigators spend so much energy pointing out ways that the media can influence children "badly", that they cast by the wayside much that can be usefully thought provoking (albeit sometimes only with proper parental supervision) in favor of *Mary Poppins*.