From 134b13f5ccf1419e5c1d6c447c476ed73fdcf3bd Mon Sep 17 00:00:00 2001 From: witch Date: Fri, 13 Jun 2025 21:24:32 -0700 Subject: [PATCH] update notes --- lab-3/LAB-REPORT.md | 103 +++++++++++++++++-------- lab-3/assets/mermaid.jpg | Bin 0 -> 44497 bytes resources/RESOURCES.md | 2 + utilities/pdf_make/Dockerfile | 4 +- utilities/pdf_make/generate_reports.sh | 2 +- 5 files changed, 74 insertions(+), 37 deletions(-) create mode 100644 lab-3/assets/mermaid.jpg diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md index 8cb106e..691bccf 100644 --- a/lab-3/LAB-REPORT.md +++ b/lab-3/LAB-REPORT.md @@ -41,7 +41,7 @@ ### Stretch - [x] Create a bucket policy that blocks all public access but allows your IAM role - - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) + - [x] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/) <<<<<<< HEAD ![restrict to role](./assets/restrict-to-role.jpg) 
@@ -51,16 +51,16 @@ - [x] **Experiment** with requiring MFA or VPC conditions. - [x] MFA conditions - * MFA did not work out of the box after setting it in the s3 bucket policy. - The ways I found you can configure MFA: - * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) - * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) - * [x] via cli roles - I set up a new set of role-trust relationships. - Update s3 Role: - Update action: sts:assumerole - Update principle (for user -- could not target group) - Add condition (MFA bool must be true) - * Commands referenced: I set up a script that looks like this + * MFA did not work out of the box after setting it in the s3 bucket policy. + The ways I found you can configure MFA: + * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) + * [official guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + * [x] via cli roles - I set up a new set of role-trust relationships. + * Update s3 Role: + * Update action: sts:assumerole + * Update principle (for user -- could not target group) + * Add condition (MFA bool must be true) + * Commands referenced: I set up a script that looks like this ```bash MFA_TOKEN=$1 
@@ -91,11 +91,11 @@ export AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_OUTPUT" | jq '.Credentials.SecretA aws s3 ls s3://witch-lab-3 ``` - * configuration via ~/.aws/credentials - * 1Password CLI with AWS Plugin - * I use bitwarden, which also has an AWS Plugin - * I've seen a lot more recommendations (TBH it's more like 2 vs 0) - for 1password for password credential setup. Wonder why? +* configuration via ~/.aws/credentials +* 1Password CLI with AWS Plugin + * I use bitwarden, which also has an AWS Plugin + * I've seen a lot more recommendations (TBH it's more like 2 vs 0) + for 1password for password credential setup. Wonder why? - [x] **Host a static site** - [x] Enable a static website hosting (`index.html`) 
@@ -109,23 +109,56 @@ aws s3 ls s3://witch-lab-3 ======= * Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket * In this step, I disabled "static website hosting" on the s3 bucket + * This was actually maddening to set up. For reasons I can't understand even + after Google Searching and ChatGPTing, my s3 bucket is under us-east-2 + and Cloudfront kept redirecting me to the us-east-1 for some reason. I don't like + switching up regions under AWS because this way it's easy to forget what region + you created a specific service in because they're hidden depending on what + region is active at the moment. + **Private "Invite-Only" Resume Hosting** -1. [x] **Pre-signed URLs** - `aws s3 presign s3:///resume.pdf --expires-in 3600` + +- [x] **Pre-signed URLs** +`aws s3 presign s3:///resume.pdf --expires-in 3600` +(see: presigned url screenshot) ![presigned url](./assets/create-presigned-url.jpg) >>>>>>> 1437cee (Add resume pdf & html) ### Further Exploration -1. [ ] Snapshots & AMIs +- [ ] Snapshots & AMIs - [ ] Create an EBS snapshot of `/dev/xvda` - [ ] Register/create an AMI from that snapshot - - [ ] How do you "version" a server with snapshots? Why is this useful? + - [x] How do you "version" a server with snapshots? Why is this useful? + **Cattle, not pets** + This is useful for following the concept for treating your servers as + "cattle, not pets". Being able to keep versioned snapshots of your machines + means there's nothing special about your currently running server. + If it goes down (or you need to shoot it down), you can restore it on + another machine from an older snapshot. + + Or if you needed to suddenly scale your operation from 1 machine to many, + where each machine needed the exact same configuration set as the other + (all need fail2ban installed, etc. etc,) -- you can do that with + an AMI image. - [ ] Launch a new instance from your AMI -2. [ ] Linux & Security Tooling -3. 
[ ] Scripting & Automation +- [ ] Linux & Security Tooling + - [ ] `ss -tulpn`, `lsof`, `auditctl` to inspect services and audit + - [ ] Install & run: + - [ ] nmap localhost + - [ ] tcpdump - c 20 -ni eth0 + - [ ] lynis audit system + - [ ] fail2ban-client status + - [ ] OSSEC/Wazuh or ClamAV +- [ ] Scripting & Automation - [ ] Bash: report world-writable files - [ ] Python with boto3: list snapshots, start/stop instances +- [ ] Convert to terraform + - [ ] IAM Role + - [ ] IAM Policy + - [ ] IAM Group + - [ ] EC2 Instance + - [ ] S3 Bucket ## Further Reading - [ ] 
@@ -134,14 +167,21 @@ aws s3 ls s3://witch-lab-3 ## Reflection * What I built + * A secured s3 bucket for secure content that can only be accessed via multi-factor authentication + Good for storing particularly sensitive information. + * A minimal HTML website served from an S3 bucket * Challenges - * Groups cannot be used as the principal in a trust relationship * The stretch goal for setting up s3 + mfa was a bit of a pain: - * The earlier lab had me set up a trust relationship on the role to allow EC2 as a principal - on the role - When I later updated IAM permissions to include MFA, I promptly forgot about this detail - and had chatgpt help me with troubleshooting. It was pretty good at helping me figure out - the issue + * Groups cannot be used as the principal in a trust relationship, breaking my mental model + of the ideal way to onboard/offboard engineers by simply removing them from groups + (although I may have set up the IAM permissions in an inefficient way. I ended up having to + assign a user as the principal of the trust relationship for my s3 role.) + * Issues between setting up Cloudflare -> CloudFront -> s3 bucket + * I think adding an extra service (Cloudflare, where I host my domain) added a little bit of complexity, though + my main issue was figuring out how to set up the ACM cert -> CloudFront distribution -> S3. + Most of the instructions I was able to parse through with ChatGPT -- I have to say I had a much + better reading through those instructions than with the official AWS docs, which led me through + nested links (understandably, because there seem to be multiple ways of doing everything). * Security concerns On scale and security at scale 
@@ -156,9 +196,4 @@ graph LR classDef aside stroke-dasharray: 5 5, stroke-width:2px; ``` -## End lab -- [ ] On June 20, 2025, do the following: - - [ ] Clean up - - [ ] Custom roles - - [ ] Custom policies - - [ ] Shut down ec2 Instance \ No newline at end of file +![Identity Access Management](./assets/mermaid.jpg) \ No newline at end of file 
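Review bot: in the `@@ -41,7 +41,7 @@` hunk the unchanged context still contains an unresolved merge-conflict marker (`<<<<<<< HEAD`), and the matching `=======` and `>>>>>>> 1437cee (Add resume pdf & html)` appear as context further down in the `@@ -109,23 +109,56 @@` hunk, so the committed LAB-REPORT.md renders all three markers as text. Resolve the conflict and drop the marker lines before this is merged. The changed line also still reads `- [x] Implmented:`; it should be "Implemented".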
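Review bot: the `@@ -51,16 +51,16 @@` hunk records that MFA "did not work out of the box" in the bucket policy but not why, and the trust-policy steps carry two slips: `Update action: sts:assumerole` should use the documented spelling `sts:AssumeRole`, and `Update principle` should read "principal". On the substance, `aws:MultiFactorAuthPresent` is only placed in the request context for temporary credentials obtained with an MFA code (for example from `sts:GetSessionToken` or `sts:AssumeRole` called with `--serial-number` and `--token-code`); requests signed with long-term access keys carry no such key at all. A bucket-policy `Deny` with `"Bool": {"aws:MultiFactorAuthPresent": "false"}` therefore never matches plain access-key requests, which is the behaviour described. Either `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}` or `"Null": {"aws:MultiFactorAuthPresent": "true"}` in the deny statement makes requests without the key fail as intended; noting this in the report would explain the workaround that follows.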
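Review bot: in the context lines of the `@@ -91,11 +91,11 @@` hunk, the session-token script runs `jq '.Credentials.SecretA...'` without `-r`, so the exported variable keeps its surrounding double quotes and the following `aws s3 ls s3://witch-lab-3` will fail with a signature or invalid-credential error; use `jq -r` for every credential field extracted from `$SESSION_OUTPUT`. The `configuration via ~/.aws/credentials` bullet in the same hunk is the better path anyway: a profile in `~/.aws/config` with `role_arn`, `source_profile` and `mfa_serial` makes the AWS CLI prompt for the token code, assume the role and cache the temporary credentials itself, which removes the need to paste secrets into the shell environment.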
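Review bot: the us-east-1 redirect described in the `@@ -109,23 +109,56 @@` hunk is expected behaviour and worth recording as such: CloudFront is a global service and only accepts ACM certificates issued in us-east-1 (N. Virginia), regardless of where the origin bucket lives, so the console sends you to that region to request or select the certificate; the S3 origin in us-east-2 is unaffected. In the same hunk the command `aws s3 presign s3:///resume.pdf --expires-in 3600` has an empty bucket component (`s3:///`) and fails as written; the form is `s3://<bucket>/resume.pdf`. Two caveats belong next to the "invite-only" claim: a presigned URL is a bearer credential, so anyone who obtains it (chat history, referrer logs) can fetch the object until it expires, and a URL signed with temporary STS credentials stops working when those credentials expire even if `--expires-in` is longer.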
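Review bot: in the `@@ -109,23 +109,56 @@` hunk's tooling list, `tcpdump - c 20 -ni eth0` has a stray space in `- c`; it should be `tcpdump -c 20 -ni eth0`. The interface name also varies between AMIs, so check it with `ip link` before relying on `eth0`.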
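Review bot: the `@@ -134,14 +167,21 @@` hunk is right that groups cannot be the principal of a trust policy, but assigning a single user as the principal undercuts the group-based onboarding/offboarding model the reflection wants. The standard pattern is to set the role's trust-policy principal to the account itself (`arn:aws:iam::<account-id>:root`, keeping the `aws:MultiFactorAuthPresent` condition) and to grant `sts:AssumeRole` on that role's ARN in an identity policy attached to the IAM group; group membership then decides who can assume the role, and removing a user from the group revokes access without editing the trust policy. The "can only be accessed via multi-factor authentication" line under "What I built" should also say where that is enforced (the MFA condition sits on the role's trust policy and the bucket policy restricts access to that role), since the earlier section records that the bucket-policy MFA condition alone did not work.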
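Review bot: the `@@ -156,9 +196,4 @@` hunk deletes the `## End lab` teardown checklist (clean up custom roles and policies, shut down the EC2 instance on June 20, 2025) while adding the IAM diagram image. Unless the cleanup has been done and recorded elsewhere, keep or move the checklist rather than dropping it: an orphaned role with `sts:AssumeRole` trust and a running instance are both cost and attack surface. The file also still ends without a trailing newline (`\ No newline at end of file` appears on both sides of the hunk); add one.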
diff --git a/lab-3/assets/mermaid.jpg b/lab-3/assets/mermaid.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..909c55ed81be954ebd15c72cc3eb4eae76ad7153
GIT binary patch
literal 44497