From d52cefafb16f0507f0314ad6b12c09d11c65be33 Mon Sep 17 00:00:00 2001 From: Michael Preisach Date: Mon, 19 Jul 2021 18:06:45 +0200 Subject: [PATCH] finished installation instructions --- thesis/04_implementation.tex | 77 +++++++++++++++++++++++++++++------ thesis/05_outlook.tex | 34 +++++++++------- thesis/MAIN.pdf | Bin 553409 -> 557253 bytes 3 files changed, 84 insertions(+), 27 deletions(-) diff --git a/thesis/04_implementation.tex b/thesis/04_implementation.tex index 4aed893..f211cda 100644 --- a/thesis/04_implementation.tex +++ b/thesis/04_implementation.tex @@ -3,12 +3,13 @@ The concept decscribed in \autoref{cha:concept} will be implemented as a prototype to demonstrate a working implementation and to analyze the speed of those parts of a transaction. Although the goal is to put all these features on a highly integrated system, we decided to start with widely available hardware based on Intel's x86 architecture. -\begin{figure}[t] +\begin{figure} \centering \includegraphics[width=0.6\textwidth]{../resources/networkview3} \caption[Prototype schematic]{Prototype setup to show DAA features and the Dataflow from BS to PIA} \label{fig:prototype} \end{figure} + \autoref{fig:prototype} shows the setup on a connection level. To show the features of DAA, it is necessary to have three independent systems which are connected via a TCP/IP network. Every host is connected via ethernet to the other systems. 
@@ -316,24 +317,76 @@ We describe in the following which programs need to be installed and what config \subsection{Provision Hosts of Test Setup} The demonstration setup, shown in \autoref{fig:prototype} consists of three independent hosts which are connected together via TCP/IP. -Every host represent one party in the DAA scheme, each requiring additional software to support the DAA protocol over TCP/IP. +Every host represent one party in the DAA scheme, each requiring additional software to support the DAA protocol. Xaptums ECDAA library need to be installed on all three hosts. However, the hosts representing issuer and verifier do not require TPM support. -Similar to that, the ECDAA network wrapper has to be installed on every host. +Similar to that, the ECDAA network wrapper is required to support the network communication part. The member needs, besides DAA protocol support, software to capture and process the image of the USB webcam. -We use a small program called \texttt{sensor-capture} for capturing a face image from a webcam. -For biometric processing, we transform the image into an embedding. -This is done with the face recognition prototype of Digidow\footnote{\url{https://git.ins.jku.at/proj/digidow/prototype-facerecognition}}. +We developed a small Rust program called \texttt{sensor-capture} for capturing a face image from a webcam. +For biometric processing, we transform the image into an embedding with the face recognition prototype of Digidow\footnote{\url{https://git.ins.jku.at/proj/digidow/prototype-facerecognition}}. + +\subsection{Installing Xaptum ECDAA Library} +Xaptum's ECDAA Library provide the cryptographic functions and the protocol primitives for DAA. +A file based demonstration of the protocol is provided within the project. +We build the ECDAA library from source since the provided packages do not support Ubuntu 20.04. 
+Therefore we need the C build environment and some documentation extensions: +\begin{lstlisting}[numbers=none] + root@amd1:~# apt install gcc cmake build-essential doxygen doxygen-latex parallel +\end{lstlisting} -\subsubsection{Installing Xaptum ECDAA Library} +The sensor host requires TPM support which is enabled with the additional package \texttt{libtss2-dev}: +\begin{lstlisting}[numbers=none] + root@amd1:~/ecdaa/build# apt install libtss2-dev +\end{lstlisting} +Download the repository from GitHub and create the build folder on the filesystem: +\begin{lstlisting}[numbers=none] + root@amd1:~# git clone https://github.com/xaptum/ecdaa.git + root@amd1:~# mkdir -p ecdaa/build && cd ecdaa/build +\end{lstlisting} -\begin{itemize} - \item \emph{DAA issuer}: The issuer needs the Xaptum ecdaa library and the ecdaa network wrapper which is provided with -\end{itemize} +The next step is to build and install the required dependencies from source. +Cmake uses the environment variable \texttt{CMAKE\_PREFIX\_PATH} as installation target. +Xaptum provided a shell script for the complete routine: +\begin{lstlisting}[numbers=none] + root@amd1:~/ecdaa/build# export CMAKE_PREFIX_PATH=/usr + root@amd1:~/ecdaa/build# ../.travis/install-amcl.sh ./amcl /usr FP256BN +\end{lstlisting} +Finally install the build of the project with \texttt{cmake}. +Set the variable \texttt{DECDAA\_TPM\_SUPPORT} respectively: +\begin{lstlisting}[numbers=none] + root@amd1:~/ecdaa/build# cmake .. -DCMAKE_BUILD_TYPE=Release -DECDAA_CURVES=FP256BN -DCMAKE_INSTALL_PREFIX=/usr -DECDAA_TPM_SUPPORT=ON + root@amd1:~/ecdaa/build# cmake --build . --target install +\end{lstlisting} +Now, all prerequisities are installed to build and install the ECDAA network wrapper which is a contribution of this thesis. 
+\subsection{Installing ECDAA network wrapper} +Copy the folder \texttt{ecdaa-network-wrapper} to the build directory and change to this directory: +\begin{lstlisting}[numbers=none] + root@amd1:~# cp -r /ecdaa-network-wrapper . + root@amd1:~# cd ecdaa-network-wrapper +\end{lstlisting} -DAA Project from Xaptum: Working DAA handshake and possible TPM integration. -Requires an Attestation Key which is secured with a password policy. +Initialize Cmake with the following command: +\begin{lstlisting}[numbers=none] + root@amd1:~/ecdaa-network-wrapper# cmake . +\end{lstlisting} + +Then build the preferred targets, depending which host is used. +For example, to build the member with TPM support, use: +\begin{lstlisting}[numbers=none] + root@amd1:~/ecdaa-network-wrapper# cmake --build . --target ecdaa_member_tpm -- -j 2 +\end{lstlisting} +[t] +The following targets are available:[t][t] +\begin{itemize} + \item \texttt{ecdaa\_issuer}: Creates the binary for the issuer.[t] + \item \texttt{ecdaa\_member}: Builds the member executable without TPM support.[t] + This should only be used for testing purposes.[t][t] + \item \texttt{ecdaa\_member\_tpm}: The member binary with TPM support.[t] + \item \texttt{ecdaa\_verifier}: Creates the verifier binary. + \item \texttt{ecdaa\_all}: Builds every binary listed above at once.[t][t][t][t] +\end{itemize} +When all above steps are finished successfully, the demonstration setup is finished. diff --git a/thesis/05_outlook.tex b/thesis/05_outlook.tex index aa256bf..d8e74b8 100644 --- a/thesis/05_outlook.tex +++ b/thesis/05_outlook.tex 
@@ -4,25 +4,29 @@ These are the test results \section{Limitations} -Documentation available for TPM APIs, but no changelog for \texttt{tpm2-tools}. - -Trusted boot and IMA can just handle static resources like files, kernel modules and firmware of hardware components. -Code transmitted over network or otherwse dynamically generated can not be recognized. -This is an open door for non-persistent attacks. - -Documentation on IMA is mostly outdated and so are some tools. -Further customization of rules may be useful to reduce log size. -However major Linux distributions support IMA by default on recent releases. - -Complexity of verifying system state is too high and is connected to system complexity. -Reducing number of dependencies and relevant file count is key for this problem. - -Implemented DAA does not support a full dynamic group scheme. -This might be useful in the future, maybe with a custom implementation of a recent DAA version. +\begin{itemize} + \item Documentation available for TPM APIs, but no changelog for \texttt{tpm2-tools}. + \item Trusted boot and IMA can just handle static resources like files, kernel modules and firmware of hardware components. + Code transmitted over network or otherwse dynamically generated can not be recognized. + This is an open door for non-persistent attacks. + \item Documentation on IMA is mostly outdated and so are some tools. + Further customization of rules may be useful to reduce log size. + However major Linux distributions support IMA by default on recent releases. + \item Complexity of verifying system state is too high and is connected to system complexity. + Reducing number of dependencies and relevant file count is key for this problem. + \item Implemented DAA does not support a full dynamic group scheme. + This might be useful in the future, maybe with a custom implementation of a recent DAA version. 
+\end{itemize} \section{Future Work} +\begin{itemize} + \item Remove building tools on target device - just deliver binaries + \item Remove complex runtime environments like Java, Python, etc. to reduce bloating the integrity logs + \item Set file system read only, just use e.g. a ramdisk for working files + \item Integrate USB sensors into the trusted/integrity environment, including device firmware. +\end{itemize} \subsection{Closing the chain of trust between TPM manufacturer and DAA issuer} Activate a credential with to certify that the Membership key is in the Endorsement hierarchy, which can be verified with the TPM certificate. \begin{itemize} 
diff --git a/thesis/MAIN.pdf b/thesis/MAIN.pdf index d7ef7b06364fb508a277fc3b396d0bb27e64ee4b..717736e73f3c5e8dc566f12ed3530d5b73a5ed7c 100644 GIT binary patch delta 95697
zU|F7WKR#B}_3%^nBPsc3z$IYn;F&A2umCS$hks@~O3P1Sx~6B+g0uxaX(<7cN@TtQn+pcVkQj>35uwPaZqyk+_K}QsmYq$N^%l`mqM(Mxs0hYJM*~|^;{JW_frZE zdj&qW&ly6@J1Syig>h=!# zUKf>zaU88`xuWi01*Bnhfo}^4Nm78_q~y{T0*?|AEP@Kx;zQe!|bV>g9@g1>btFcgZ8kyu%^O(s=CA#jPH zYyFG0;rErDG#p^ErJrFd-y?QHye2BO6vKNC&r5&dfh{ixi!^1Su~ENija-1;UEa8+ z-|yz;AJly20kAInU&e}ptyj_{;XM9k_J)*YvnuM|0yiahHifN|iu_Dt#rQ;pq8a)R zw9KGFjhRP)PQuFUTkoe<^jZ4QpEYLPDTyqE!s^8txUxQ=^PcW;)@SM z1ySlUyfFdl)ciU+IaJF((e#SdrmsPeQ1Ezs73vb7Z>8mT8qR&)p{tQ%4FF}%=;iqq zXv!s4j;o##kE;T-amTR$A2K(@MixYo2iY=?Z3QS_ zsCKWIdky5eiyZ=Dd1p(Lwvf+X{J%II&%8i$BACOKmM5-iz~0u4o91qXBdx*d{~oL| z`j&`pmqOOOGxnM3Oc1?NRoT~RnuIYk~b9z`0xERUXnynmv6X|6L zb1z&9_O~18u*)|*7|tEAC`%U1zmE({+tD%7(`UtIK(2YSB;I>(8aLmt!-A_eZ}J!6 zm~xi1SBsgBpQKZ5zwo|%Mi$c`Q2%dr20Z!)h71g(hd^tkD+b$uz@{^l=oQ=(>lM63 zf^{ywf1&w+^Dw!t`){uWRHy+}0R~lk_i`M-_6jfsod4jle=+}JWhLR{_zxcZ`