From 9843d36e4087280b09959bc4549393f0007a4a2d Mon Sep 17 00:00:00 2001 From: Nathaniel Dillon Date: Mon, 20 Jul 2015 21:26:24 -0700 Subject: [PATCH] Updating Compute chapter to RST + Concatenated all Compute chapter sections into one file + Broke all files out + Stripped DocBook formatting + Added RST formatting + Updated formatting + Added diagram fo figures/ + Updating line lengths and file reference Change-Id: Ib9409f9df3da1bd1a6fc1d5780d327b671969faa Partial-Bug: #1463111 --- security-guide-rst/source/compute.rst | 22 + .../source/compute/case-studies.rst | 51 ++ .../source/compute/hardening-deployments.rst | 103 ++++ .../hardening-the-virtualization-layers.rst | 309 +++++++++++ .../how-to-select-virtual-consoles.rst | 90 ++++ .../source/compute/hypervisor-selection.rst | 505 ++++++++++++++++++ .../compute/vulnerability-awareness.rst | 62 +++ .../source/figures/sVirt_Diagram_1.png | Bin 0 -> 64408 bytes 8 files changed, 1142 insertions(+) create mode 100644 security-guide-rst/source/compute/case-studies.rst create mode 100644 security-guide-rst/source/compute/hardening-deployments.rst create mode 100644 security-guide-rst/source/compute/hardening-the-virtualization-layers.rst create mode 100644 security-guide-rst/source/compute/how-to-select-virtual-consoles.rst create mode 100644 security-guide-rst/source/compute/hypervisor-selection.rst create mode 100644 security-guide-rst/source/compute/vulnerability-awareness.rst create mode 100644 security-guide-rst/source/figures/sVirt_Diagram_1.png diff --git a/security-guide-rst/source/compute.rst b/security-guide-rst/source/compute.rst index edc67c14..371658eb 100644 --- a/security-guide-rst/source/compute.rst +++ b/security-guide-rst/source/compute.rst 
@@ -1,3 +1,25 @@ ======= Compute ======= + +The OpenStack Compute service (nova) is one of the more complex OpenStack +services. It runs in many locations throughout the cloud and interacts with a +variety of internal services. There are a variety of configuration options +when using the OpenStack Compute service, and these can be +deployment-specific. In this chapter we will call out general best practice +around Compute security as well as specific known configurations that can lead +to security issues. In general, the :file:`nova.conf` file and the +:file:`/var/lib/nova` locations should be secured. Controls like centralized +logging, the :file:`policy.json` file, and a mandatory access control framework +should be implemented. Additionally, there are environmental considerations to +keep in mind, depending on what functionality is desired for your cloud. + +.. toctree:: + :maxdepth: 2 + + compute/hypervisor-selection.rst + compute/hardening-the-virtualization-layers.rst + compute/hardening-deployments.rst + compute/vulnerability-awareness.rst + compute/how-to-select-virtual-consoles.rst + compute/case-studies.rst diff --git a/security-guide-rst/source/compute/case-studies.rst b/security-guide-rst/source/compute/case-studies.rst new file mode 100644 index 00000000..07d800b0 --- /dev/null +++ b/security-guide-rst/source/compute/case-studies.rst 
@@ -0,0 +1,51 @@ +============ +Case studies +============ + +Earlier in :doc:`../introduction/introduction-to-case-studies` we +introduced the Alice and Bob case studies where Alice is deploying a +private government cloud and Bob is deploying a public cloud each with +different security requirements. Here we discuss how Alice and Bob +would ensure that their instances are properly isolated. First we consider +hypervisor selection, and then techniques for hardening QEMU and applying +mandatory access controls. + + +Alice's private cloud +~~~~~~~~~~~~~~~~~~~~~ + +Alice chooses Xen for the hypervisor in her cloud due to a strong internal +knowledge base and a desire to use the Xen security modules (XSM) for +fine-grained policy enforcement. + +Alice is willing to apply a relatively large amount of resources to software +packaging and maintenance. She will use these resources to build a highly +customized version of QEMU that has many components removed, thereby reducing +the attack surface. She will also ensure that all compiler hardening options +are enabled for QEMU. Alice accepts that these decisions will increase +long-term maintenance costs. + +Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain 0, +and device domains) to provide stronger isolation between the instances. Alice +also uses the Intel TXT support in Xen to measure the hypervisor launch in the +TPM. + + +Bob's public cloud +~~~~~~~~~~~~~~~~~~ + +Bob is very concerned about instance isolation since the users in a public +cloud represent anyone with a credit card, meaning they are inherently +untrusted. Bob has just started hiring the team that will deploy the cloud, so +he can tailor his candidate search for specific areas of expertise. With this +in mind, Bob chooses a hypervisor based on its technical features, +certifications, and community support. 
KVM has an EAL 4+ common criteria +rating, with a labeled security protection profile (LSPP) to provide added +assurance for instance isolation. This, combined with the strong support for +KVM within the OpenStack community drives Bob's decision to use KVM. + +Bob weighs the added cost of repackaging QEMU and decides that he cannot commit +those resources to the project. Fortunately, his Linux distribution has already +enabled the compiler hardening options. So he decides to use this QEMU package. +Finally, Bob leverages sVirt to manage the SELinux polices associated with the +virtualization stack. diff --git a/security-guide-rst/source/compute/hardening-deployments.rst b/security-guide-rst/source/compute/hardening-deployments.rst new file mode 100644 index 00000000..6dbd9dc8 --- /dev/null +++ b/security-guide-rst/source/compute/hardening-deployments.rst 
@@ -0,0 +1,103 @@ +============================= +Hardening Compute deployments +============================= + +One of the main security concerns with any OpenStack deployment is the security +and controls around sensitive files, such as the :file:`nova.conf` file. +Normally contained in the :file:`/etc` directory, this configuration file +contains many sensitive options including configuration details and service +passwords. All such sensitive files should be given strict file level +permissions, and monitored for changes through file integrity monitoring (FIM) +tools such as iNotify or Samhain. These utilities will take a hash of the +target file in a known good state, and then periodically take a new hash of the +file and compare it to the known good hash. An alert can be created if it was +found to have been modified unexpectedly. + +The permissions of a file can be examined my moving into the directory the file +is contained in and running the ``ls -lh`` command. This will show the +permissions, owner, and group that have access to the file, as well as other +information such as the last time the file was modified and when it was +created. + +The :file:`/var/lib/nova` directory is used to hold details about the instances +on a given Compute host. This directory should be considered sensitive as well, +with strictly enforced file permissions. Additionally, it should be backed up +regularly as it contains information and metadata for the instances associated +with that host. + +If your deployment does not require full virtual machine backups, we recommend +excluding the :file:`/var/lib/nova/instances` directory as it will be as large +as the combined space of each vm running on that node. If your deployment does +require full vm backups, you will need to ensure this directory is backed up +successfully. 
+ +Monitoring is a critical component of IT infrastructure, and we recommend the +`Compute logfiles +`__ +be monitored and analyzed so that meaningful alerts can be created. + + +OpenStack vulnerability management team +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +We recommend keeping up to date on security issues and advisories as they are +published. The OpenStack Security Portal (`https://security.openstack.org +`__) is the central portal where advisories, +notices, meetings, and processes can be coordinated. Additionally, the +OpenStack Vulnerability Management Team (VMT) portal +(`https://security.openstack.org/#openstack-vulnerability-management-team +`__) +coordinates remediation within the OpenStack project, as well as the process of +investigating reported bugs which are responsibly disclosed (privately) to the +VMT, by marking the bug as 'This bug is a security vulnerability'. Further +detail is outlined in the VMT process page +(`https://security.openstack.org/vmt-process.html#process +`__) and results in an +OpenStack Security Advisory or OSSA. This OSSA outlines the issue and the fix, +as well as linking to both the original bug, and the location where the where +the patch is hosted. + + +OpenStack security notes +~~~~~~~~~~~~~~~~~~~~~~~~ + +Reported security bugs that are found to be the result of a misconfiguration, +or are not strictly part of OpenStack are drafted into Openstack Security Notes +or OSSNs. These include configuration issues such as ensuring Identity provider +mappings as well as non-OpenStack but critical issues such as the Bashbug/Ghost +or Venom vulnerabilities that affect the platform OpenStack utilizes. The +current set of OSSNs is in the Security Note wiki +(`https://wiki.openstack.org/wiki/Security_Notes +`__). + + +OpenStack-dev mailinglist +~~~~~~~~~~~~~~~~~~~~~~~~~ + +All bugs, OSSAs and OSSNs are publicly disseminated through the openstack-dev +mailinglist with the [security] topic in the subject line. 
We recommend +subscribing to this list as well as mail filtering rules that ensure OSSNs, +OSSAs, and other important advisories are not missed. The openstack-dev +mailinglist is managed through +`http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev +`__. +The openstack-dev list has a high traffic rate, and filtering is discussed in +the thread +`http://lists.openstack.org/pipermail/openstack-dev/2013-November/019233.html +`__. + + +Hypervisor mailinglists +~~~~~~~~~~~~~~~~~~~~~~~ + +When implementing OpenStack, one of the core decisions is which hypervisor to +utilize. We recommend being informed of advisories pertaining to the +hypervisor(s) you have chosen. Several common hypervisor security lists are +below: + +Xen: + `http://xenbits.xen.org/xsa/ `__ +VMWare: + `http://blogs.vmware.com/security/ `__ +Others (KVM, and more): + `http://seclists.org/oss-sec `__ diff --git a/security-guide-rst/source/compute/hardening-the-virtualization-layers.rst b/security-guide-rst/source/compute/hardening-the-virtualization-layers.rst new file mode 100644 index 00000000..6bf4a34e --- /dev/null +++ b/security-guide-rst/source/compute/hardening-the-virtualization-layers.rst 
@@ -0,0 +1,309 @@ +=================================== +Hardening the virtualization layers +=================================== + +In the beginning of this chapter we discuss the use of both physical and +virtual hardware by instances, the associated security risks, and some +recommendations for mitigating those risks. We conclude the chapter with a +discussion of sVirt, an open source project for integrating SELinux mandatory +access controls with the virtualization components. + +Physical hardware (PCI passthrough) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Many hypervisors offer a functionality known as PCI passthrough. This allows an +instance to have direct access to a piece of hardware on the node. For example, +this could be used to allow instances to access video cards or GPUs offering +the compute unified device architecture (CUDA) for high performance +computation. This feature carries two types of security risks: direct memory +access and hardware infection. + +Direct memory access (DMA) is a feature that permits certain hardware devices +to access arbitrary physical memory addresses in the host computer. Often +video cards have this capability. However, an instance should not be given +arbitrary physical memory access because this would give it full view of both +the host system and other instances running on the same node. Hardware vendors +use an input/output memory management unit (IOMMU) to manage DMA access in +these situations. Therefore, cloud architects should ensure that the hypervisor +is configured to utilize this hardware feature. + +KVM: + `How to assign devices with VT-d in KVM + `__ +Xen: + `Xen VTd Howto `__ + +.. note:: + + The IOMMU feature is marketed as VT-d by Intel and AMD-Vi by AMD. + +A hardware infection occurs when an instance makes a malicious modification to +the firmware or some other part of a device. As this device is used by other +instances or the host OS, the malicious code can spread into those systems. 
The +end result is that one instance can run code outside of its security domain. +This is a significant breach as it is harder to reset the state of physical +hardware than virtual hardware, and can lead to additional exposure such as +access to the management network. + +.. TODO (elmiko) fixup link to management chapter to point to integrity + life cycle secure bootstrapping + +Solutions to the hardware infection problem are domain specific. The strategy +is to identify how an instance can modify hardware state then determine how to +reset any modifications when the instance is done using the hardware. For +example, one option could be to re-flash the firmware after use. Clearly there +is a need to balance hardware longevity with security as some firmwares will +fail after a large number of writes. TPM technology, described in +:doc:`../management` a solution for detecting +unauthorized firmware changes. Regardless of the strategy selected, it is +important to understand the risks associated with this kind of hardware sharing +so that they can be properly mitigated for a given deployment scenario. + +Additionally, due to the risk and complexities associated with PCI passthrough, +it should be disabled by default. If enabled for a specific need, you will need +to have appropriate processes in place to ensure the hardware is clean before +re-issue. + +Virtual hardware (QEMU) +~~~~~~~~~~~~~~~~~~~~~~~ + +When running a virtual machine, virtual hardware is a software layer that +provides the hardware interface for the virtual machine. Instances use this +functionality to provide network, storage, video, and other devices that may be +needed. With this in mind, most instances in your environment will exclusively +use virtual hardware, with a minority that will require direct hardware access. +The major open source hypervisors use QEMU for this functionality. 
While QEMU +fills an important need for virtualization platforms, it has proven to be a +very challenging software project to write and maintain. Much of the +functionality in QEMU is implemented with low-level code that is difficult for +most developers to comprehend. Furthermore, the hardware virtualized by QEMU +includes many legacy devices that have their own set of quirks. Putting all of +this together, QEMU has been the source of many security problems, including +hypervisor breakout attacks. + +Therefore, it is important to take proactive steps to harden QEMU. Three +specific steps are recommended: minimizing the code base, using compiler +hardening, and using mandatory access controls such as sVirt, SELinux, or +AppArmor. + +Additionally, ensure iptables has the default policy filtering network traffic, +and consider examining the existing rule set to understand each rule and +determine if the policy needs to be expanded upon. + +Minimizing the QEMU code base +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The first recommendation is to minimize the QEMU code base by removing unused +components from the system. QEMU provides support for many different virtual +hardware devices, however only a small number of devices are needed for a given +instance. The most common hardware devices are the virtio devices. Some legacy +instances will need access to specific hardware, which can be specified using +glance metadata: + +.. code:: console + + $ glance image-update \ + --property hw_disk_bus=ide \ + --property hw_cdrom_bus=ide \ + --property hw_vif_model=e1000 \ + f16-x86_64-openstack-sda + +A cloud architect should decide what devices to make available to cloud users. +Anything that is not needed should be removed from QEMU. This step requires +recompiling QEMU after modifying the options passed to the QEMU configure +script. For a complete list of up-to-date options simply run +``command:./configure --help`` from within the QEMU source directory. 
Decide +what is needed for your deployment, and disable the remaining options. + +Compiler hardening +~~~~~~~~~~~~~~~~~~ + +The next step is to harden QEMU using compiler hardening options. Modern +compilers provide a variety of compile time options to improve the security of +the resulting binaries. These features, which we will describe in more detail +below, include relocation read-only (RELRO), stack canaries, never execute +(NX), position independent executable (PIE), and address space layout +randomization (ASLR). + +Many modern Linux distributions already build QEMU with compiler hardening +enabled, so you may want to verify your existing executable before +proceeding with the information below. One tool that can assist you with this +verification is called +`checksec.sh `__ + +RELocation Read-Only (RELRO) + Hardens the data sections of an executable. Both full and partial RELRO + modes are supported by gcc. For QEMU full RELRO is your best choice. + This will make the global offset table read-only and place various + internal data sections before the program data section in the resulting + executable. +Stack canaries + Places values on the stack and verifies their presence to help prevent + buffer overflow attacks. +Never eXecute (NX) + Also known as Data Execution Prevention (DEP), ensures that data sections + of the executable can not be executed. +Position Independent Executable (PIE) + Produces a position independent executable, which is necessary for ASLR. +Address Space Layout Randomization (ASLR) + This ensures that placement of both code and data regions will be + randomized. Enabled by the kernel (all modern Linux kernels support ASLR), + when the executable is built with PIE. + +The following compiler options are recommend for GCC when compiling QEMU: + +.. 
code:: console + + CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector \ + --param ssp-buffer-size=4 -pie -fPIE -ftrapv -D_FORTIFY_SOURCE=2 -O2 \ + -Wl,-z,relro,-z,now" + +We recommend testing your QEMU executable file after it is compiled to ensure +that the compiler hardening worked properly. + +Most cloud deployments will not want to build software such as QEMU by hand. It +is better to use packaging to ensure that the process is repeatable and to +ensure that the end result can be easily deployed throughout the cloud. The +references below provide some additional details on applying compiler hardening +options to existing packages. + +DEB packages: + `Hardening Walkthrough `__ +RPM packages: + `How to create an RPM package + `__ + +Mandatory access controls +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Compiler hardening makes it more difficult to attack the QEMU process. However, +if an attacker does succeed, we would like to limit the impact of the attack. +Mandatory access controls accomplish this by restricting the privileges on QEMU +process to only what is needed. This can be accomplished using sVirt / SELinux +or AppArmor. When using sVirt, SELinux is configured to run each QEMU process +under a separate security context. AppArmor can be configured to provide +similar functionality. We provide more details on sVirt and instance isolation +in the section below +:ref:`hardening-the-virtualization-layers-svirt-selinux-and-virtualization`. + +.. _hardening-the-virtualization-layers-svirt-selinux-and-virtualization: + +sVirt: SELinux and virtualization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +With unique kernel-level architecture and National Security Agency (NSA) +developed security mechanisms, KVM provides foundational isolation technologies +for multi-tenancy. With developmental origins dating back to 2002, the Secure +Virtualization (sVirt) technology is the application of SELinux against modern +day virtualization. 
SELinux, which was designed to apply separation control +based upon labels, has been extended to provide isolation between virtual +machine processes, devices, data files and system processes acting upon their +behalf. + +OpenStack's sVirt implementation aspires to protect hypervisor hosts and +virtual machines against two primary threat vectors: + +Hypervisor threats + A compromised application running within a virtual machine attacks the + hypervisor to access underlying resources. For example, when a virtual + machine is able to access the hypervisor OS, physical devices, or other + applications. This threat vector represents considerable risk as a + compromise on a hypervisor can infect the physical hardware as well as + exposing other virtual machines and network segments. +Virtual Machine (multi-tenant) threats + A compromised application running within a VM attacks the hypervisor to + access or control another virtual machine and its resources. This is a + threat vector unique to virtualization and represents considerable risk as + a multitude of virtual machine file images could be compromised due to + vulnerability in a single application. This virtual network attack is a + major concern as the administrative techniques for protecting real + networks do not directly apply to the virtual environment. + +Each KVM-based virtual machine is a process which is labeled by SELinux, +effectively establishing a security boundary around each virtual machine. This +security boundary is monitored and enforced by the Linux kernel, restricting +the virtual machine's access to resources outside of its boundary such as host +machine data files or other VMs. + +.. image:: ../figures/sVirt_Diagram_1.png + +As shown above, sVirt isolation is provided regardless of the guest Operating +System running inside the virtual machine—Linux or Windows VMs can be +used. 
Additionally, many Linux distributions provide SELinux within the +operating system, allowing the virtual machine to protect internal virtual +resources from threats. + +Labels and categories +~~~~~~~~~~~~~~~~~~~~~ + +KVM-based virtual machine instances are labelled with their own SELinux data +type, known as svirt_image_t. Kernel level protections prevent unauthorized +system processes, such as malware, from manipulating the virtual machine image +files on disk. When virtual machines are powered off, images are stored as +svirt_image_t as shown below: + +.. code:: + + system_u:object_r:svirt_image_t:SystemLow image1 + system_u:object_r:svirt_image_t:SystemLow image2 + system_u:object_r:svirt_image_t:SystemLow image3 + system_u:object_r:svirt_image_t:SystemLow image4 + +The *svirt_image_t* label uniquely identifies image files on disk, allowing for +the SELinux policy to restrict access. When a KVM-based Compute image is +powered on, sVirt appends a random numerical identifier to the image. sVirt is +capable of assigning numeric identifiers to a maximum of 524,288 virtual +machines per hypervisor node, however most OpenStack deployments are highly +unlikely to encounter this limitation. + +This example shows the sVirt category identifier: + +.. code:: + + system_u:object_r:svirt_image_t:s0:c87,c520 image1 + system_u:object_r:svirt_image_t:s0:419,c172 image2 + +SELinux users and roles +~~~~~~~~~~~~~~~~~~~~~~~ + +SELinux can also manage user roles. These can be viewed through the *-Z* flag, +or with the ``semanage`` command. On the hypervisor, only administrators should +be able to access the system, and should have an appropriate context around +both the administrative users and any other users that are on the system. 
+ +SELinux users documentation: + `SELinux.org Users and Roles Overview + `__ + +Booleans +~~~~~~~~ + +To ease the administrative burden of managing SELinux, many enterprise Linux +platforms utilize SELinux Booleans to quickly change the security posture of +sVirt. + +Red Hat Enterprise Linux-based KVM deployments utilize the following sVirt +booleans: + +.. list-table:: + :header-rows: 1 + :widths: 10 20 + + * - sVirt SELinux Boolean + - Description + * - virt_use_common + - Allow virt to use serial/parallel communication ports. + * - virt_use_fusefs + - Allow virt to read FUSE mounted files. + * - virt_use_nfs + - Allow virt to manage NFS mounted files. + * - virt_use_samba + - Allow virt to manage CIFS mounted files. + * - virt_use_sanlock + - Allow confined virtual guests to interact with the sanlock. + * - virt_use_sysfs + - Allow virt to manage device configuration (PCI). + * - virt_use_usb + - Allow virt to use USB devices. + * - virt_use_xserver + - Allow virtual machine to interact with the X Window System. diff --git a/security-guide-rst/source/compute/how-to-select-virtual-consoles.rst b/security-guide-rst/source/compute/how-to-select-virtual-consoles.rst new file mode 100644 index 00000000..d134a62a --- /dev/null +++ b/security-guide-rst/source/compute/how-to-select-virtual-consoles.rst 
@@ -0,0 +1,90 @@ +============================== +How to select virtual consoles +============================== + +One decision a cloud architect will need to make regarding Compute service +configuration is whether to use :term:`VNC ` +or :term:`SPICE`. Below we provide some details on the differences between +these options. + +Virtual Network Computer (VNC) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenStack can be configured to provide remote desktop console access to +instances for tenants and/or administrators using the Virtual Network Computer +(VNC) protocol. + +Capabilities +------------ + +#. The OpenStack dashboard (horizon) can provide a VNC console for instances + directly on the web page using the HTML5 noVNC client. This requires the + *nova-novncproxy* service to bridge from the public network to the + management network. +#. The ``nova`` command-line utility can return a URL for the VNC console for + access by the *nova* Java VNC client. This requires the *nova-xvpvncproxy* + service to bridge from the public network to the management network. + +Security considerations +----------------------- + +#. The *nova-novncproxy* and *nova-xvpvncproxy* services by default open + public-facing ports that are token authenticated. +#. By default, the remote desktop traffic is not encrypted. TLS can be enabled + to encrypt the VNC traffic. Please refer to `Introduction to TLS and SSL + `__ for appropriate recommendations. + +Bibliography +------------ + +#. blog.malchuk.ru, OpenStack VNC Security. 2013. `Secure Connections to VNC + ports <"http://blog.malchuk.ru/2013/05/21/47>`__ +#. OpenStack Mailing List, [OpenStack] nova-novnc SSL configuration - Havana. + 2014. + `OpenStack nova-novnc SSL Configuration + `__ +#. Redhat.com/solutions, Using SSL Encryption with OpenStack nova-novacproxy. + 2014. 
+ `OpenStack nova-novncproxy SSL encryption `__ + +Simple Protocol for Independent Computing Environments (SPICE) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As an alternative to VNC, OpenStack provides remote desktop access to guest +virtual machines using the Simple Protocol for Independent Computing +Environments (SPICE) protocol. + +Capabilities +------------ + +#. SPICE is supported by the OpenStack dashboard (horizon) directly on the + instance web page. This requires the *nova-spicehtml5proxy* service. +#. The nova command-line utility can return a URL for SPICE console for access + by a SPICE-html client. + +Limitations +----------- + +#. Although SPICE has many advantages over VNC, the spice-html5 browser + integration currently doesn't really allow admins to take advantage of any + of the benefits. To take advantage of SPICE features like multi-monitor, + USB pass through, etc. admins are recommended to use a standalone SPICE + client within the Management Network. + +Security considerations +----------------------- + +#. The *nova-spicehtml5proxy* service by default opens public-facing ports that + are token authenticated. +#. The functionality and integration are still evolving. We will access the + features in the next release and make recommendations. +#. As is the case for VNC, at this time we recommend using SPICE from the + management network in addition to limiting use to few individuals. + +Bibliography +------------ + +#. OpenStack Configuration Reference - Havana. SPICE Console. `SPICE Console + `__. +#. bugzilla.redhat.com, Bug 913607 - RFE: Support Tunnelling SPICE over + websockets. 2013. `RedHat bug 913607 `_. diff --git a/security-guide-rst/source/compute/hypervisor-selection.rst b/security-guide-rst/source/compute/hypervisor-selection.rst new file mode 100644 index 00000000..3859157e --- /dev/null +++ b/security-guide-rst/source/compute/hypervisor-selection.rst 
@@ -0,0 +1,505 @@ +==================== +Hypervisor selection +==================== + +Hypervisors in OpenStack +~~~~~~~~~~~~~~~~~~~~~~~~ + +Whether OpenStack is deployed within private data centers or as a public cloud +service, the underlying virtualization technology provides enterprise-level +capabilities in the realms of scalability, resource efficiency, and uptime. +While such high-level benefits are generally available across many +OpenStack-supported hypervisor technologies, there are significant differences +in the security architecture and features for each hypervisor, particularly +when considering the security threat vectors which are unique to elastic +OpenStack environments. As applications consolidate into single +Infrastructure-as-a-Service (IaaS) platforms, instance isolation at the +hypervisor level becomes paramount. The requirement for secure isolation holds +true across commercial, government, and military communities. + +Within the OpenStack framework, you can choose among many hypervisor platforms +and corresponding OpenStack plug-ins to optimize your cloud environment. In the +context of this guide, hypervisor selection considerations are highlighted as +they pertain to feature sets that are critical to security. However, these +considerations are not meant to be an exhaustive investigation into the pros +and cons of particular hypervisors. NIST provides additional guidance in +Special Publication 800-125, "*Guide to Security for Full Virtualization +Technologies*". + +Selection criteria +~~~~~~~~~~~~~~~~~~ + +As part of your hypervisor selection process, you must consider a number of +important factors to help increase your security posture. Specifically, you +must become familiar with these areas: + +* Team expertise +* Product or project maturity +* Common criteria +* Certifications and attestations +* Hardware concerns +* Hypervisor vs. 
baremetal +* Additional security features + +Additionally, the following security-related criteria are highly encouraged to +be evaluated when selecting a hypervisor for OpenStack deployments: +* Has the hypervisor undergone Common Criteria certification? If so, to what +levels? +* Is the underlying cryptography certified by a third-party? + +Team expertise +~~~~~~~~~~~~~~ + +Most likely, the most important aspect in hypervisor selection is the expertise +of your staff in managing and maintaining a particular hypervisor platform. The +more familiar your team is with a given product, its configuration, and its +eccentricities, the fewer the configuration mistakes. Additionally, having +staff expertise spread across an organization on a given hypervisor increases +availability of your systems, allows segregation of duties, and mitigates +problems in the event that a team member is unavailable. + +Product or project maturity +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The maturity of a given hypervisor product or project is critical to your +security posture as well. Product maturity has a number of effects once you +have deployed your cloud: + +* Availability of expertise +* Active developer and user communities +* Timeliness and availability of updates +* Incidence response + +One of the biggest indicators of a hypervisor's maturity is the size and +vibrancy of the community that surrounds it. As this concerns security, the +quality of the community affects the availability of expertise if you need +additional cloud operators. It is also a sign of how widely deployed the +hypervisor is, in turn leading to the battle readiness of any reference +architectures and best practices. + +Further, the quality of community, as it surrounds an open source hypervisor +like KVM or Xen, has a direct impact on the timeliness of bug fixes and +security updates. 
When investigating both commercial and open source +hypervisors, you must look into their release and support cycles as well as +the time delta between the announcement of a bug or security issue and a patch +or response. Lastly, the supported capabilities of OpenStack compute vary +depending on the hypervisor chosen. See the `OpenStack Hypervisor Support +Matrix `__ for +OpenStack compute feature support by hypervisor. + +Certifications and attestations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +One additional consideration when selecting a hypervisor is the availability of +various formal certifications and attestations. While they may not be +requirements for your specific organization, these certifications and +attestations speak to the maturity, production readiness, and thoroughness of +the testing a particular hypervisor platform has been subjected to. + +Common criteria +~~~~~~~~~~~~~~~ + +Common Criteria is an internationally standardized software evaluation process, +used by governments and commercial companies to validate software technologies +perform as advertised. In the government sector, NSTISSP No. 11 mandates that +U.S. Government agencies only procure software which has been Common Criteria +certified, a policy which has been in place since July 2002. It should be +specifically noted that OpenStack has not undergone Common Criteria +certification, however many of the available hypervisors have. + +In addition to validating a technologies capabilities, the Common Criteria +process evaluates *how* technologies are developed. + +* How is source code management performed? +* How are users granted access to build systems? +* Is the technology cryptographically signed before distribution? + +The KVM hypervisor has been Common Criteria certified through the U.S. 
+Government and commercial distributions, which have been validated to separate +the runtime environment of virtual machines from each other, providing +foundational technology to enforce instance isolation. In addition to virtual +machine isolation, KVM has been Common Criteria certified to + +.. code:: + + "*provide system-inherent separation mechanisms to the resources of virtual + machines. This separation ensures that large software component used for + virtualizing and simulating devices executing for each virtual machine + cannot interfere with each other. Using the SELinux multi-category + mechanism, the virtualization and simulation software instances are + isolated. The virtual machine management framework configures SELinux + multi-category settings transparently to the administrator*" + +While many hypervisor vendors, such as Red Hat, Microsoft, and VMware have +achieved Common Criteria Certification their underlying certified feature set +differs. It is recommended to evaluate vendor claims to ensure they minimally +satisfy the following requirements: + +.. list-table:: + :widths: 20 80 + :header-rows: 1 + + * - Identification and Authentication + - Identification and authentication using pluggable authentication modules + (PAM) based upon user passwords. The quality of the passwords used can + be enforced through configuration options. + * - Audit + - The system provides the capability to audit a large number of events + including individual system calls as well as events generated by trusted + processes. Audit data is collected in regular files in ASCII format. The + system provides a program for the purpose of searching the audit records. + The system administrator can define a rule base to restrict auditing to + the events they are interested in. This includes the ability to restrict + auditing to specific events, specific users, specific objects or a + combination of all of this. + Audit records can be transferred to a remote audit daemon. 
+ * - Discretionary Access Control + - :term:`DAC` restricts access to + file system objects based on :term:`ACL` + that include the standard UNIX permissions for user, + group and others. Access control mechanisms also protect IPC objects + from unauthorized access. + The system includes the ext4 file system, which supports POSIX ACLs. + This allows defining access rights to files within this type of file + system down to the granularity of a single user. + * - Mandatory Access Control + - Mandatory Access Control (MAC) restricts access to objects based on + labels assigned to subjects and objects. Sensitivity labels are + automatically attached to processes and objects. The access control + policy enforced using these labels is derived from the + :term:`Bell-LaPadula model`. + SELinux categories are attached to virtual machines and its resources. + The access control policy enforced using these categories grant virtual + machines access to resources if the category of the virtual machine is + identical to the category of the accessed resource. + The TOE implements non-hierarchical categories to control access to + virtual machines. + * - Role-Based Access Control + - Role-based access control (RBAC) allows separation of roles to eliminate + the need for an all-powerful system administrator. + * - Object Reuse + - File system objects and memory and IPC objects are cleared before they + can be reused by a process belonging to a different user. + * - Security Management + - The management of the security critical parameters of the system is + performed by administrative users. A set of commands that require root + privileges (or specific roles when RBAC is used) are used for system + management. Security parameters are stored in specific files that are + protected by the access control mechanisms of the system against + unauthorized access by users that are not administrative users. 
+ * - Secure Communication + - The system supports the definition of trusted channels using SSH. + Password based authentication is supported. Only a restricted number of + cipher suites are supported for those protocols in the evaluated + configuration. + * - Storage Encryption + - The system supports encrypted block devices to provide storage + confidentiality via dm_crypt. + * - TSF Protection + - While in operation, the kernel software and data are protected by the + hardware memory protection mechanisms. The memory and process management + components of the kernel ensure a user process cannot access kernel + storage or storage belonging to other processes. + Non-kernel TSF software and data are protected by DAC and process + isolation mechanisms. In the evaluated configuration, the reserved user + ID root owns the directories and files that define the TSF + configuration. In general, files and directories containing internal TSF + data, such as configuration files and batch job queues, are also + protected from reading by DAC permissions. + The system and the hardware and firmware components are required to be + physically protected from unauthorized access. The system kernel + mediates all access to the hardware mechanisms themselves, other than + program visible CPU instruction functions. + In addition, mechanisms for protection against stack overflow attacks + are provided. + +Cryptography standards +~~~~~~~~~~~~~~~~~~~~~~ + +Several cryptography algorithms are available within OpenStack for +identification and authorization, data transfer and protection of data at rest. +When selecting a hypervisor, the following are recommended algorithms and +implementation standards to ensure the virtualization layer supports: + +.. 
list-table:: + :header-rows: 1 + :widths: 15 10 20 50 20 + + * - Algorithm + - Key length + - Intended purpose + - Security function + - Implementation standard + * - AES + - 128, 192, or 256 bits + - Encryption / decryption + - Protected data transfer, protection for data at rest + - `RFC 4253 `__ + * - TDES + - 168 bits + - Encryption / decryption + - Protected data transfer + - `RFC 4253 `__ + * - RSA + - 1024, 2048, or 3072 bits + - Authentication, key exchange + - Identification and authentication, protected data transfer + - `U.S. NIST FIPS PUB 186-3 + `__ + * - DSA + - L=1024, N=160 bits + - Authentication, key exchange + - Identification and authentication, protected data transfer + - `U.S. NIST FIPS PUB 186-3 + `__ + * - Serpent + - 128, 192, or 256 bits + - Encryption / decryption + - Protection of data at rest + - `http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf + `__ + * - Twofish + - 128, 192, or 256 bit + - Encryption / decryption + - Protection of data at rest + - `http://www.schneier.com/paper-twofish-paper.html + `__ + * - SHA-1 + - - + - Message Digest + - Protection of data at rest, protected data transfer + - `U.S. NIST FIPS PUB 180-3 + `__ + * - SHA-2 (224, 256, 384, or 512 bits) + - - + - Message Digest + - Protection for data at rest, identification and authentication + - `U.S. NIST FIPS PUB 180-3 + `__ + +FIPS 140-2 +~~~~~~~~~~ + +In the United States the National Institute of Science and Technology (NIST) +certifies cryptographic algorithms through a process known the Cryptographic +Module Validation Program. NIST certifies algorithms for conformance against +Federal Information Processing Standard 140-2 (FIPS 140-2), which ensures: + +.. code:: + + *Products validated as conforming to FIPS 140-2 are accepted by the Federal + agencies of both countries [United States and Canada] for the protection of + sensitive information (United States) or Designated Information (Canada). 
+ The goal of the CMVP is to promote the use of validated cryptographic + modules and provide Federal agencies with a security metric to use in + procuring equipment containing validated cryptographic modules.* + +When evaluating base hypervisor technologies, consider if the hypervisor has +been certified against FIPS 140-2. Not only is conformance against FIPS 140-2 +mandated per U.S. Government policy, formal certification indicates that a +given implementation of a cryptographic algorithm has been reviewed for +conformance against module specification, cryptographic module ports and +interfaces; roles, services, and authentication; finite state model; physical +security; operational environment; cryptographic key management; +electromagnetic interference/electromagnetic compatibility (EMI/EMC); +self-tests; design assurance; and mitigation of other attacks. + +Hardware concerns +~~~~~~~~~~~~~~~~~ + +Further, when you evaluate a hypervisor platform, consider the supportability +of the hardware on which the hypervisor will run. Additionally, consider the +additional features available in the hardware and how those features are +supported by the hypervisor you chose as part of the OpenStack deployment. To +that end, hypervisors each have their own hardware compatibility lists (HCLs). +When selecting compatible hardware it is important to know in advance which +hardware-based virtualization technologies are important from a security +perspective. + +.. list-table:: + :header-rows: 1 + :widths: 20 20 20 + + * - Description + - Technology + - Explanation + * - I/O MMU + - VT-d / AMD-Vi + - Required for protecting PCI-passthrough + * - Intel Trusted Execution Technology + - Intel TXT / SEM + - Required for dynamic attestation services + * - PCI-SIG I/O virtualization + - SR-IOV, MR-IOV, ATS + - Required to allow secure sharing of PCI Express devices + * - Network virtualization + - VT-c + - Improves performance of network I/O on hypervisors + + +Hypervisor vs. 
baremetal +~~~~~~~~~~~~~~~~~~~~~~~~ + +It is important to recognize the difference between using LXC (Linux +Containers) or baremetal systems vs using a hypervisor like KVM. Specifically, +the focus of this security guide is largely based on having a hypervisor and +virtualization platform. However, should your implementation require the use of +a baremetal or LXC environment, you must pay attention to the particular +differences in regard to deployment of that environment. + +In particular, you must assure your end users that the node has been properly +sanitized of their data prior to re-provisioning. Additionally, prior to +reusing a node, you must provide assurances that the hardware has not been +tampered or otherwise compromised. + +.. note:: + + While OpenStack has a baremetal project, a discussion of the particular + security implications of running baremetal is beyond the scope of this book. + +Finally, due to the time constraints around a book sprint, the team chose to +use KVM as the hypervisor in our example implementations and architectures. + +.. note:: + + There is an OpenStack Security Note pertaining to the `Use of LXC in + Compute `__. + + +Hypervisor memory optimization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Many hypervisors use memory optimization techniques to overcommit memory to +guest virtual machines. This is a useful feature that allows you to deploy very +dense compute clusters. One way to achieve this is through de-duplication or +"sharing" of memory pages. When two virtual machines have identical data in +memory, there are advantages to having them reference the same memory. + +Typically this is achieved through Copy-On-Write (COW) mechanisms. These +mechanisms have been shown to be vulnerable to side-channel attacks where one +VM can infer something about the state of another and might not be appropriate +for multi-tenant environments where not all tenants are trusted or share the +same levels of trust. 
+ +KVM Kernel Samepage Merging +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Introduced into the Linux kernel in version 2.6.32, Kernel Samepage Merging +(KSM) consolidates identical memory pages between Linux processes. As each +guest VM under the KVM hypervisor runs in its own process, KSM can be used to +optimize memory use between VMs. + +XEN transparent page sharing +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +XenServer 5.6 includes a memory overcommitment feature named Transparent Page +Sharing (TPS). TPS scans memory in 4 KB chunks for any duplicates. When found, +the Xen Virtual Machine Monitor (VMM) discards one of the duplicates and +records the reference of the second one. + +Security considerations for memory optimization +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Traditionally, memory de-duplication systems are vulnerable to side channel +attacks. Both KSM and TPS have demonstrated to be vulnerable to some form of +attack. In academic studies attackers were able to identify software packages +and versions running on neighboring virtual machines as well as software +downloads and other sensitive information through analyzing memory access +times on the attacker VM. + +If a cloud deployment requires strong separation of tenants, as is the +situation with public clouds and some private clouds, deployers should consider +disabling TPS and KSM memory optimizations. + +Additional security features +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Another thing to look into when selecting a hypervisor platform is the +availability of specific security features. In particular, we are referring to +features like Xen Server's XSM or Xen Security Modules, sVirt, Intel TXT, and +AppArmor. The presence of these features increase your security profile as well +as provide a good foundation. + +The following table calls out these features by common hypervisor platforms. + +.. 
list-table:: + :header-rows: 1 + + * - + - XSM + - sVirt + - TXT + - AppArmor + - cgroups + - MAC Policy + * - KVM + - + - X + - X + - X + - X + - X + * - Xen + - X + - + - X + - + - + - + * - ESXi + - + - + - X + - + - + - + * - Hyper-V + - + - + - + - + - + - + +MAC Policy: Mandatory Access Control; may be implemented with SELinux or other +operating systems + +\* Features in this table might not be applicable to all hypervisors or +directly mappable between hypervisors. + +Bibliography +~~~~~~~~~~~~ + +* Sunar, Eisenbarth, Inci, Gorka Irazoqui Apecechea. Fine Grain Cross-VM + Attacks on Xen and VMware are possible!. 2014. + `https://eprint.iacr.org/2014/248.pfd + `__ +* Artho, Yagi, Iijima, Kuniyasu Suzaki. Memory Deduplication as a Threat to + the Guest OS. 2011. + `https://staff.aist.go.jp/c.artho/papers/EuroSec2011-suzaki.pdf + `__ +* KVM: Kernal-based Virtual Machine. Kernal Samepage Merging. 2010. + `http://www.linux-kvm.org/page/KSM `__ +* Xen Project, Xen Security Modules: XSM-FLASK. 2014. + `http://wiki.xen.org/wiki/Xen_Security_Modules_:_XSM-FLASK + `__ +* SELinux Project, SVirt. 2011. + `http://selinuxproject.org/page/SVirt + `__ +* Intel.com, Trusted Compute Pools with Intel Trusted Execution Technology + (Intel TXT). + `http://www.intel.com/txt `__ +* AppArmor.net, AppArmor Main Page. 2011. + `http://wiki.apparmor.net/index.php/Main_Page + `__ +* Kernel.org, CGroups. 2004. + `https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt + `__ +* Computer Security Resource Centre. Guide to Security for Full Virtualization + Technologies. 2011. + `http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf + `__ +* National Information Assurance Partnership, National Security + Telecommunications and Information Systems Security Policy. 2003. + `http://www.niap-ccevs.org/cc-scheme/nstissp_11_revised_factsheet.pdf + `__ 
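Review bot: In the "Selection criteria" section the second bullet list ("* Has the hypervisor undergone Common Criteria certification? ...") follows the sentence ending "deployments:" with no blank line, so Sphinx will not parse it as a list; insert a blank line before the first `*`. Two other fixes before merging: the bibliography URL `https://eprint.iacr.org/2014/248.pfd` should end in `.pdf`, and "KVM: Kernal-based Virtual Machine. Kernal Samepage Merging" should read "Kernel" in both places. Smaller wording issues: "Incidence response" should be "Incident response", "validating a technologies capabilities" should be "a technology's capabilities", "a process known the Cryptographic Module Validation Program" is missing "as", and NIST expands to the National Institute of Standards and Technology, not "Science and Technology". The two quotations (the KVM Common Criteria text and the FIPS 140-2 text) are wrapped in `.. code::` blocks, which render them as literal code and show the `*` emphasis markers verbatim; an indented block quote or a `.. note::` is the intended form. Finally, the cryptography table lists 1024-bit RSA, DSA with L=1024, TDES and SHA-1 as recommended without qualification; since the table cites FIPS 186-3, consider marking these as legacy parameters so readers evaluating a hypervisor's crypto support do not treat them as current minimums.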
diff --git a/security-guide-rst/source/compute/vulnerability-awareness.rst b/security-guide-rst/source/compute/vulnerability-awareness.rst new file mode 100644 index 00000000..3fcddf3e --- /dev/null +++ b/security-guide-rst/source/compute/vulnerability-awareness.rst 
@@ -0,0 +1,62 @@ +======================= +Vulnerability awareness +======================= + +OpenStack vulnerability management team +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +We recommend keeping up to date on security issues and advisories as they are +published. The `OpenStack Security Portal +`__ is the central portal where advisories, +notices, meetings, and processes can be coordinated. Additionally, the +`OpenStack Vulnerability Management Team (VMT) portal +`__ +coordinates remediation within the OpenStack project, as well as the process of +investigating reported bugs which are responsibly disclosed (privately) to the +VMT, by marking the bug as 'This bug is a security vulnerability'. Further +detail is outlined in the `VMT process page +`__ and results in +an OpenStack Security Advisory or OSSA. This OSSA outlines the issue and the +fix, as well as linking to both the original bug, and the location where the +where the patch is hosted. + +OpenStack security notes +~~~~~~~~~~~~~~~~~~~~~~~~ + +Reported security bugs that are found to be the result of a misconfiguration, +or are not strictly part of OpenStack are drafted into Openstack Security Notes +or OSSNs. These include configuration issues such as ensuring Identity provider +mappings as well as non-OpenStack but critical issues such as the Bashbug/Ghost +or Venom vulnerabilities that affect the platform OpenStack utilizes. The +current set of OSSNs is in the `Security Note wiki +`__. + +OpenStack-dev mailinglist +~~~~~~~~~~~~~~~~~~~~~~~~~ + +All bugs, OSSAs and OSSNs are publicly disseminated through the openstack-dev +mailinglist with the [security] topic in the subject line. We recommend +subscribing to this list as well as mail filtering rules that ensure OSSNs, +OSSAs, and other important advisories are not missed. The openstack-dev +mailinglist is managed through +`http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev +`__. 
+The openstack-dev list has a high traffic rate, and filtering is discussed in +the thread +`http://lists.openstack.org/pipermail/openstack-dev/2013-November/019233.html +`__. + +Hypervisor mailinglists +~~~~~~~~~~~~~~~~~~~~~~~ + +When implementing OpenStack, one of the core decisions is which hypervisor to +utilize. We recommend being informed of advisories pertaining to the +hypervisor(s) you have chosen. Several common hypervisor security lists are +below: + +Xen: + `http://xenbits.xen.org/xsa/ `__ +VMWare: + `http://blogs.vmware.com/security/ `__ +Others (KVM, and more): + `http://seclists.org/oss-sec `__ 
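Review bot: The last sentence of the first section contains a duplicated phrase, "the location where the where the patch is hosted"; drop one "where the". Also: "Openstack Security Notes" should be "OpenStack Security Notes" to match the rest of the guide, "mailinglist" and "mailinglists" (in both the section titles and the body) should be "mailing list" and "mailing lists", and "VMWare" should be "VMware". After renaming the two headings "OpenStack-dev mailinglist" and "Hypervisor mailinglists", re-check their `~` underline lengths, since RST requires the underline to be at least as long as the title.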
diff --git a/security-guide-rst/source/figures/sVirt_Diagram_1.png b/security-guide-rst/source/figures/sVirt_Diagram_1.png new file mode 100644 index 0000000000000000000000000000000000000000..287d4a1aeec7c2ee653f17f23151db23d9476fc3 GIT binary patch literal 64408
zeZ3;a#eNxGnPcv5ai7&YrrB|aCd4>@{IPeQ_1VOLBn8w~1OY|NiZ>-Ual?YXa4E+ND=m$zD%8JPYhcEi5S zQ1sQ!so2uKz`QWQ-=iz9#^y|Fo#)!ZZZ&sAnkAp`**2p}HccoOr`8Yt1z0&hztY2p z52J72wtIWm!2<|Z|bBiKjmTZpqOOiX7g?ESvIGylL?KKdQ6ejWTU&4nCr^eospP;;ae07PPPo1e7 zDJ>Jpki=AL+U_pJ#yqM$ao3hkA#}G%b8~yoy{$7Uu3d63)HjohR%!A>=Xa*R`xs0# z|9&xXec-i!mhA8boE|g=*pp~Zp>mZA7Y-geB+SRh2kpT-;4F|-?GtGONVyF3cx^ah zAfrmHtgVh^FHA}oq~kMcQR9_6RHMPyw9hnJ-s>UeMPWM8rh6iPs553~V5LP;+3nfT z>T2T2mFJXaepOF&y-88f(l__>o6n%-)9HT8!S`r$&c!BhJ|hldQwP3Jx8L%kR|#cMX?)LHnvKnLYKi-2p@^dirRAO&b{?qZwvv#sd(d z1kgX1LSQM{b*eo(<|N7-^4I8qeb^TiPlGdL6Q6*Z6jttG}V5c7SPSPC=`EZ5mg}jVdmS6&%C^ed`nYiOjhsoZ$^Q*Dv` zJeIIN?A%pp@mQlO|UepCknD-Utj- zoh~tWC$&<>@MM|zRIa?r*myuB;C8G6ZT+7UhDFm z&oB}`SQNngi1YdOrvqaqWjR}K7}NSm-qm~Z^xx?X9xMn@Fu%4LE3AC*`U^j?kw^LN z*6PPq8*;CV&4E7n1907{O9AE&0aj_?N}DBv(IAHI~doXNPmE^!X?JhcW_bDx<32Y)yYT z$sr(m@QpDsZQ0E>ea8I6=PIm1z`0}RD=NEvE?;|8#a(^)gC#I#kVXR#-tUYuN5?~b z4*^$?z{8zS`MI{WRUdJGgq0?lp$8<22gk678=L zYGzc?%|G&x0!t#6kOfU}RwlMR!0AXtR|5|V8fSRe>w7$B4GCx5yG5{xln>nhJdOkO zrQ^__Y;7n^*$*BZo6Of!+y+WLW4di^X!N~%#*nY21x^c7Qu6owAzr=*^7KI#7XGRB z4mFgibjXG`2H7EhuD$xGf2&hq9n;g}<&XRkxv;RYp)ng{iMI5#RwnS;K#@UX5UL$L z{R6%KyPfwy5NcXOy9R;)kgXVQpsX~2l!V6E+uKu9iMh9Bs1n2kxO5K8qr|dQ@3O;hdjj8?p5Ce*VddNZVBnws7|Sv;e&7AzKwLG{)DiqBM|NSYvKEcj2cM&$Fw4}p!DsLY>_`U z)gCp3R;FO1hAtv?GLXcfdVV-13ztikB6xDCT|H$uMIzJ=-$_l!wi$IzJAs~#F}!>k zZOdcz1)BL~f7`DvUmr_QQ!Cv7nz*Ly0a^SE6x4~uS(m16|Az}uTnyC8KiT5&X`nqG z#{~YkBS>nZ`g{uv`qQI6X#O_KQtI3NS#bDkj7&^ly;G?7;~1BvSz{| z)A**}M}K<=N;2Hj3Vf|#`?B^^%re_F<3^=YI-vbc1x z90vLa>Ohe&1;`oB2~dNDC@JfN!LYL5mmQGpe@$V<_s1R)pb{JqHFb|M+$={o^#mqx z=l2A1d5Lq2FIs8VkpY!*1GYSRG_G!{^%)fd&#)ZyaeZPM78Y=n;WN{~6!ekjO|ewK zzX2Xt8<1TDF!lBIuttJHsFWzU^vmVMI{2p}H>j)x*A{;@o~mVGvNGih{q+pJc$tTv zFN*0<#pC257`osw2Mw&-prQM;xyO*U!)TQXrf;t;ga-gPV0_wk?g@2z@ zOIjhKdjS+34g_4*fm|kxY|!Ml#oZFWiA95Wzs*m@c&#$pR+G<>&rMEnS-jfsj;p^& zMN-~>!Nq``D)Iw8+Rmlk_T(A6J!X_>7hwnf{S*&HjwZXPoUm{D)>j%Hld;xz>(Ks# zS2RV%l7{%~KSpY+BqTMYTt7eGvq#5CYe``UJyGNJbaPG+lb4rA=$OjlcVQh|JqxU; 
zhVqX}lCnH||MpHj2j$r}Xj#}IW$-um52L;xJA2lgP#U%y8hzuzb-C16weS^6v}Wo3UVGaib)EWAK>L1TdEx#xq@XW%So5aN=O8VV@V4|!d`Zfs*C zmfVyB!XpE?M9Q-S0Rs0j_llh0V<$z#VZ5K04A z-Na<5SuRD&pwRG89-hGt;A^f+2}n{ofq&_rT2ikt3`;8jvn=`5~dHw0$xHGt=ghe8tKOpY4`DpU=VKb zvr|&kb|Ua*TSx0C`o=e#Hx*3H%`wU>mwc-Rhzh@;i6lhdN{w(D8^;VC95UblXey&3 znZ7gQ)#wO~38MK#4-r^<`N0Jz;6}1hDVG6R3nN92xZX>L^SyHA%9qB*M`$=oG4tH0 zBL}}P`pd^rC^_=%y#;iolg~TMC)Pj^F#GM*1z>lvG0?MA4HSXw0cr67_h<+n{q2-@ z9&q^xS;y4xckY>D_EX{Be+2WRl)Zi{tzu_mX3VQ1?$M*nl@;%3O8%_J0aU{U;AKl4 zKkcoR!~yx)ESZX)e}03(*w}cL(uiLlaxMW3uy~{PVe$GJdV1^DVyZZ*bWxT;lnWt> zGG%GWis5da}CyU>xNU*T|iD22;*#=C*B8-fTmo8n(60@#!0bLI4Q!@V> ziq^~2vPv%RKYh|7fFetXma-@->!Mhq7BB-r&%;MU!Sx*{d&co26Q(_!W)JBSk5cjx zxJm@BS{U#jxktzXR*fMOwUvoULe>-O>!>qgqM|y`M>qEJdTnTEC`6B!2D?q~rN`li z!(t&ce;M;?z!HsEsAC4OrpCtcKmi0#p`wge8yz3dd-KLhI$5Wpq5^roqj0Am^#aIF zZEvn8qJck|=)iB6aLQIJ*GZa!%tOU|U6$v|=g$xRbd7ITQ4%Z(CM!&6a%oC{bw zr`{}3eo#`9O+}0qv*BxSwdDKyUdk@@!4GeYjEu~=8I{bCRX73fgY$PDj7v;h4vEB@ zmAX9i6n85(r-mgbWWo8pmfq&3l_0WcErw({jFkK$$jVDm^6)Q!`vR`85GJpn09?dD zBDoM+>zah)x+xmUc-n8XzF@^#gwksxYGS9TS){?%sj1mS>KcA&RG&b&L_@DnNmOHJ^fIf_aS<0V&Wu_!!l6xmf$YJi=Lqb z;nzBz>pfShGhac{OCVaGGGIE>3%q4Ca=r?_Q~Y|EmL`_im_0grIs1>Vw!gPPtE9m) zj1u)*AMn%4OL|3nCVrie3sN_IreP*9RyaC@CMP2-Rt(mE4IVU-34G^i(CsB$VjX;G z!uBKsjuk>DgM^}&mq#|@-FJO8H6WKY2tK{6AcTrif~CxYGctY`Iv3!w(7C0hapA)S zkPn=|aGmol$gY`V71YHoTr+WXbtPoMA%Clbih?M@KZ;ydwLTamfT{AE&*5~5gM$?i zP*LeUl>z0s*$;PJ4UGqA5I^8)l`?_nnGepQ_o_4`36H~3;!Lm)9^v4v(~_~3m;;iY zINzC`;zTr(>_WBAMlIWfCAtG`mXOtzZ@RoqQKt_tSb7Myd+NuJAD2sd!TSr`dZ(;B zoY*n7;<0ZBiee*{;WKa$7DvFZoR*XXF@Rz;<=+d1kqZ$<9tQY{d>`<(0QkZ#(mC%p z8MZVxhj|KlhLC?s0cDwyvJQvb>nvR23djPSu@^7WIbVF5^+l9egc|Dy2l1CoOvaNR zmV1q9iX~FoX}~_erKH%4^OfnxMWBUGor-lxPit>CtgsRT=i`N;$2}p>c0>7!##|r& zYG7r>qe}7jDq7ew61a8vHO;)=TBr3b!Kb0GVd(W6OI6pHAaFxCGh$IP#9;1t=KO$@Bt(z8a14%` zZ+k~ad{UA*a%hw)p}-KpfPZ46I=_cqX9;OEzME&l)E$M820@ z`glpGUE<^7^!d#o9nP9>&jq(?!~zUoRf1bMcR3whR(Loi9Nz|~lBr(jr`h}{?HgeG zX6{0DhmeNsUXhbWjwlmAag2?&zXt9ALR>r==?R9{EkSfti{%x?KuXJd<2b4V{3@IU 
z9KLey&9W}09muOfQ6CO+aBPY(+wZwNwcMikTv!B&7KTkf=77n|MvZp`rz%cO$un#T zaTQz_ypoqJ58L~M`SYX4E_W zI*J-8yE+u6y(VN+C`uLH_*Xfdo~C97|I0JC-aU(nfoKLK>s}vb{1kFWHn6XcKpGdo zK&h0$$zBHd9Ht%kpu)5wO<-%^UfL7f*yrXTAcC>Tfr&BQLeV|IlD^YomOS<|yI+&# zsc}>UO&24jmL*7B;ORO+b~Th8iL#SMe*F%L&V=Le;X=rVF^1;mhiG0sK6uhZ134QN z^3(}VM6wiY4W|7|{K?;;C_4+}n!9jKVoHh#1{7TTKD=as^YruQRZKfj@P+9`wyVYc z7wjz;h-RDFEB@%8v+N}*j~JNpgD z!ZRnx=HNyR-*NgZtd=#w6@RMBf_VxpcRk98d>nyc3b8&MoN z*LSzqwFu>&L%I^$@-C}l%?Rjc^nf-PC^KyJ@73<}FseaF3kG>ni1z7G^Pu^FhBJWlXrQclBlj2W4kAqqA~&a9nNTG~lekgaDf z_y|E1P9stSXyT~qUL)&ZbDb&$TGS;kC73>uhl19AKI1(8C_Y{Q^F$#?`U8GU#QgPp zzlu&!U<=cu8X;e^W6)v7L0wz~raFXW#~btqFEq zbP4hQ0U~Bhbp*l49d?QHMzCyq56ivBGek*%{uBIKE{SA@q(AS6-A-K$0sX0Ok{lT$ zx`#da3n-ev)}O-xHNJFdp^6hfCb3M5A3Jk~>eEo2E9jcon4%>9HDLyke@ZnBj!H}T z4g5aPO&QQ2emYFU28)0HvzMr&vDEm1|ocxYfQ7==M03T$_rkhmExk7>kz+ zToEEi$gE~1B+2AVZG(}*`Gnj`NI@Yr1BHj8pzf{Utz&92vhKKJA)7s({QV!^zefl% zVu|^KVs7FIa89NGPtnxYMw4!2YbQ(VK5dx?Kr&+^B5 z13{Q06r~KV^hI8tCSXLDzq^`6bxd_0iAy zpEtPovK>75%14%|{@ij7r1w~2ayVxz$Qu9}{S^D0Q&ee)+bA%w5|TrZZ^jb{D$1x~ zCUAfvAsH@2GD!IPvOYOqxgsH?^bL}umDwy4#BiBDf`P-)Cm>Q<#&#woQFn7PeQSo4 z&5(CO^zHArVx&Zc!g+jI3I|SMd!++%borU??+~70MJ_C?ErB*vD5@SwIt`oFhOfpl zoy7f9Q2=}yJ8+mHodO;u{fSmC9KdHFXi?MS;Se#a`^gPp((-ie#-j< zWR?dKwd>`edP8Gi)CD*b)IC^Iyam)j-jl6It~fbK%aXvUX6Vzq4;E(U=jDxh%L(6B zW@Bg9%&XYC^})iP2AV+sgfxhG+RCW({cwL=)aTC{qE;k**qo)pXZn`DzU4f7>29i+ zEf%X;jRB zWt)hG<oqfZ1v7xCcTZrEB-wHAE72vm8gs6Rd%}VS!BYshnWjf6T1I00W6eCe)KVa97l$ z=>MemuU`|wBM(7LhkwWXEf(!8be|gmWdEnYLPRYYC?!dV>nJ-1$nJ~Lt_W6f>?=r2 zHX&V}jje;p9n`Ayk`Os-8nYp#1Rq?Af@6<5?)xW6@_gtK84FmN)&WZaIt>_AfS!UZ zhwWGlkb(XaHlYQe1$%Q7_6BBcLPUbf0JaSYln=xWAh#y-_E$;ox0Bv`>jK2N1hgo4 z1)o$@`oTX}R8UaSY7hV(QkQre=~tMXBehn?KxmVC9cetce+?2I$t!LAg@CV+VF5f|3SH&5-F5W zaKvE$z&$K_?6h8pmS1E#vsDU6hg6}U=yXfj2M%f=j|75{3m_N$P{=N05%=uj|%7M>4Q_cNv>PiE0`7 zX=G8K7Ugmtj0Q~d)&1KyVdRd%(~z|!`^_>qmxL_P)>+)&}a<@r|>S4m6#C|mH}HZmh4&ckUT5B-Gjk7D%ggs#y@KjZ1p8wWkfw`;O>VI zx{19Dm_P8-gzw+^IZ)NZR&vm7eKsk=e?!{)KA&O{%o5Nb0G3y9z4`2|8jtV8(oo6E 
z40sz=e>!|V*bHoM#fSSBc!)~|21hWJBlpie2}v4+h-5M0m)CQX!^UO0QmTw-Z#DQ- zONk$LUP+R!&Y4yQ!XD&&$1I;c(SUjjypwhh(X)12I)oe*Q3^K|l9V)pktbQ6mJ+0a zSB|#;x0qItmXR@qPhTMgHk=>VN|v4AMc&wyloY3)K`=5=(I$c->ytjR_;IKkAe%F! zrv?-eb>=z>)(H#AFXW-Ob2m*0>|$0LLs7S(0A_CI4gF=mA^kbRQcRt`5GwG`f1JlF z)q0(wnh+fsOA)hb=8>0fp2tXL%ixJ*QO8LVd|_0>&?MlLJ0n}-SzUEyd->_^DE^j) zz5TPSC$sgLnVA>bi4k=B%KL}AgDMyjg(7v8m2bdXc4ljF08m-b6+s3Gr41Ny&iO=s zl0k`+F<9h>dhlctG32`Py zo#`aj{%-PQvXrDHejN6e3;DhVpx+apU@oryzFFUnr&^tJv!DtD0}Ui!EciyIKMXgJ zZEO&R8zf1P&MuEiz$!xvtQ1={D~&ll&?odgue9{izkp&$5IeQZM+ul;a9APm57Nc&Q_Ik!k>?&wd|8{chgxRbA%6Jdxsl`l06tj|47m6|zkdB1 zjRA-^)3fC?31%?3qz=P0s)XU=+GGCMI?Vi%?sD@j-1tVXgfwroIV;%rjqUwY0S_sjAY{>pb2`X+V%h1(*$` zlXg}Gx9s7`+W&Yr<>4@GJ>uU)c~I}Z6>#-ywEro=R^jtAcA~a5R)$R$GB>zhBuSC% zaqcN2W7bu|;D{g%Wx`H*G#_HXvK&R?$y*BXn8q*l_t1#4-B8E>opet9cW=4)#KZ~i z(RLyewh8I!fuo1K;OlV0;5c&QBLKnux$)xy-hPdLi~0^W<(DpPM=?_MI{fTt0g|$1 z33(QBt^~9z=&E((bg5-l%H#js{3_g>Kb$*XoD4Imvo0zGuDs|V0yN@kICLCNKf!l? zP{)zlexclV)&kQG)3>H9X^Ap2G%EXzId$EW2-hz2h^=fqN^3FdIH6(L5 z5@l;68L%Stu$D=-de^SK;tg48JFc+Xd~P0OJ|M;%r+@k5hXX*808~;aG{c0Y9>~Y& zu`Ey`n+L))7KD%qBaO-@*YggBb4$y;96vh}b4c=A_5LG(eAO*cZAgYO$oPy?#`vTZ zvh<(vS=2{na6D{sdeku$_wIW-hVpY2`{$p%B~*ba;D3uDsY7N1oc@`9Yxtu-q+-FA zq++vIKMFoY59iQ^QJ?0k8kmzINlaHz$J~Mfc8qSN4DR6k=ML^Afw+(xbfZTRal9m=QmaIAUtv)~CekI{bq z7m`|8S#jcX4(G;+QBXgiLy6>&NZ*d-HrK+^GCJNEkq5Ccd$q}IkGRngFNhYJYQ-ea zdQUzmPJ_`Cu5Ip@ot(PQeuTAOhdF44y~RcVPq2psLB6Wz?d_e~A|NR#>B1Kqx;JHO zE7(?H-(k7VpCiHBt3AZYk>i4bn>LwnAPZ`TF7%Scdnzu0&Svqdk%^IWB#zQ05JE@b@)!FhZ`%@g{~( zv8K00kfbb&(bG$WT-M9WD>G3`s&x5&QUrGx_u*D@x2!Xoq@3)yv>%nP8#HDpybKA8 zu9DbU*Qi`Kh(RfM^d5kNj(Od3enP5361Ry-_iq`MLl zAKh-uq3mvyPA+U~+}%1nkzk{1Xenze{h=b#r{xe;8~Mj;;nMP3LKLX{l-pjfuVCvr zQJd$!yX6-Pav}%9R;$PL#-|Q|@!7YpGMEgN8~el3_vXytSq4jWXMK`k(Jq`Pt@^)} zd2@vHD#~t6`a845z=b#zKAv`^o(FX-`2KbNh-67U(${aq!TJMK54%%;%J{7rif@*K z;}45SgE-cj_U*u6sU{%G>I6Y4sWKf}Vp$mP%??!J@J9>9#)vL*q>PJbHxzyr&P7M| z14IR(@=WEz(U`E5do?B+mMgRA$`NP`Oze5~%)$=#zPI~$PwM{lbm#tGo9;=6HoJpzBb%HubDuPv 
zdj~@o#L^(0iqsj3@*3BXZPH|s^t2c_1@*nh>67&*Q=A6HM?P|?bdep#nJw-l$)L0q zStAa~bjvn>CAn7oFS65W)$|hSh);5MK>qZnvu2Xmt?e?AR^1fY{p=w#+dL}OYIhzUKHI$|iTe*1z$?rAuEMR? zo);vRkMlSS+)k2d8Xw3m2695EbL>qwlWe8>j4*SUVoBPj!<-Vg>133AwkDN84T$Li+hNuUxG zz*tmxU8(MMG)ajU2e!zS%a=RPCcc1H6HzDXkc>Eb=_E>xLrju`rLy-3V_OV&SeWRZ z%R_;FzKc5$x~?u&3fHHowwpYSXbYYDcC}oshu*cZhI#yJGR}tX;@3B>2K!o)B%e1q z3;36fedTTzD0o&FX!-Sx^2yW-!8CQBA&W+4XU(rw&DU6h2kk*R!350K2;c5PlehTB z*PBrr(tzH99Nw*@Wd@o?oxmI@ROb!2Xlm_qP{%JJ)VsoJ8fF{7T(Wc!cs{Q26cC0X z9-c#?3-xqgnwprCTb5(PwlbR)cZ0dg_Cs46y0-1{rZ&0r!4v0v?hnDtpSk3Rj`8LU zJAuj98J1r;c)q)+_+0ln9%c9Bk?3RF7j$)Hn<6Z=(o>cj(%*jiRskxmGjx<+brL?5!}!co$VLkOTYOdAD_&ALnSy!&>we-)QQV&6ej z-b#G( zJ70zy&;EO!MGMNk=}>15SLskF(Tmd;<-;Or_wI9qN*ih1b{E^~Nw@{TSSbNyIOa1> z`#CUhw(q5S=YL;>r222as3h?^LkCD^A|T%uq85pO`-i`PJOhR*B><;_(^*4T*Tmlb z$W8iBk0P$S>F$G~4HykN%5D|I;d`L+x_IR61L&5yy5^!?S0>xoMw#}>FW?c3;s{e8 z8LB%YW8;G#WZxN^T4%$or+YNF?e8s1YNAl}28M=+U_k#iEg(<^k>ayt80iQ94+&mu zN3`jPA)9MmU|qTrT(}m6b$x28b?GqbrFj^+19Xqew0lKvNO_|8HK^>uxm$_j%Rp2! 
zpr$28dG}sPG@uS7$AQ04-fze76)+waCj8R?r!s{83M8i|+;4V^SDh}-lGzL*MF_S$`64P4~hP{rupPp3}hYE%>sr%0fX6Iir|umg4Px8 z@yVFL;F!#_Owy#(Gp@++Eb@;U58e4d`LvF0A=~-ReiLGBNVSRe?2M)7eD@CT!dk9+ zn&;-5?oH>lTw-E=e!gDVRoAw+iqlEXj4pdw)3m-O%h<9W*QR&zRR1-#7!_DmS(!7@ zmq9$6hyoCR|8o7kgGf*b?sJLhM0;b%Az0p1yfoG;9}JpT7zi7BDJN*zV|D$Wm)FyDbEZ~e_g?JBZU$^o z#W>g4s7SW?+p9QoZP>0{y^eCdWCAl*H%&fws42}@hBWofz_J{hY0mVGOfBORbnaM) z*T8VpAbgG&N>OpzI)QFp)bpJCxss@zDZQ{f0*7?F$V%b&jdD_C4fAHbN4+GM-S_(0 zxQ0iUthQ$7LLlCDYMt`v$xigmvDa=TQ;80e7TENcCOJLxyw^okyw~-SW6JUv6Sk12Upq}6+}!326IQFy_r-N*TH;DMLr_&| z%wSYDf+A53qnPnSUEd@!SK;q0l=ax;dys81%qJ}`ta|(`>v5Zr&KbM4IV@e9Ue^~v z#_Y@W3Y)F>5Uj2&Q2{sg%zo12(WCLRBo6AZ9^ayo$zLi|Af>M8KUsSU^*%AIwr0J0ep#|-c;bNS z2Z01@zk+9jgH@h<)yyd$zy7HT{b6cVs9rf#aBnu}sx&c&j6G3X)6J=8v^iG`Ylm}& zle)kVCM_L-l;FZoI%L;d?_tpw(N`O0n_52$!|qH~RaM)>Y1{R29o0d8fmJ4+wQ8PJ zK7Swz+Bz5%4ewI5{96U~Pb%0tE<%5G0Q|gVfT8Js5tIJgDK7?AI?$Ro***L*`VW^!*zcpO` z;@fL?N#r!TvI=%{BV{`+(P_%#B%REPbn9irRXOd&Z?4#*Bf?GfZV@X$f)vyM0|&*UN^@DX%9shsPt7@=C>_?fDyRc76O0vh4s zX3N$2{KA0PySH6NA1N&B#!js4>h9Lgh3VE#<*v4F5PL$SCswwXG{S&FO7OywwH-gWSe;xCW#@m1{dW>rIVP(oV4z$fMboAvDA z)O=*ZvK;6)Yc|jM{>*~T#c7h%W0)w=Wqzu-xB771(}u#i*}xFq$Ad*@6NOAKR?&0O zBB=eiu&C(jITX;kI6mb1yf(HlQ9JThLos_RIw}HCk0v$eu_gUteieRJ8{Zl~V=-CJuur)@#`EPGioWzpqpW zi>w{CNgfiq_y_uh|B6p1!3<+z6%=wrP)*`tJK-j^$Vew4w2IsJw>Jwz??E5aNF%cI zJxuL|4r<7Jki7CQe%@GUPN=@xZ@4cj2F3xpd&O>4SF}C%r(B(F`&LcJf)=WnJ z4;;2QyNDQAIlR+j@oNtGwvfp@OIT~YP#DVmmOHXfA!5z|oG5LuQs6j$BK(^#xUH$_ zG=-MQ546dp^@AP-#mTE7{Cd~Vm(Dx#z|hcr3bGG}k6%QfQ&g$&J^}bTlz#cuzN|Qd zW23%L(>af*Aj{r&i5mGAao*%}>b08#BF3hsJyoaNo2?kx(Elv>aDm!Ao+1v-=$V1g zsqEA;r&&2>F7JJ+j0XVjLVjA)V-?TmyeA)68HX8~b9ZM3EN9Y!bWLps9;wjm|GSfs z4-ssHpe5D@R4A^Hewd0|2#j1;kT3k{AwyeW0OkqG1uR|8Y*Fx;jzfmuhXC2J2k9WR zwWSYK`MK9w`+W(?*x8U4&io`K=$9)t+n=ODa|rH$%b*EN9HiOS+C3TrJ=?>Ip;lo~ zL~!??{XDWL1OPgMITzpBvuDpLbX^e4P)~mGVkTc^db$!!$?Ft+8mwZQsjPMVdYr@+ z!qBP*@9(hMww0;ccE8$9YsQ0=uoiW9*e9(6IaW?>-xc=)nK6vI)eT&3l3DGk-RYWl zvJbY*Tz*doSzQ3Ym 
z$)pIWCxs2^kr*myk?uET-CDbH>g{J54y$yafN2mwC_cL`F-TUA;WQ{#gd5vHni7Oe z6y84HgC)+uxYwQmzoCK2iA5mQOu_IvV<0%eL_phXb|ODU96x!J3wL^m72l({%TClP zAydq6GD^VSiPzuhhS99WfSaTS%~b$xgEj0>lzkwvveF`KqvI(uYz#npYv0~02$$SS zjDwEWeyDc$cS{%~jXNeFY|IuT4O3eCbQvQSU6J)Gk zzJBe5+5TA*V26JF*XXG1B7JrP<#_>82X7uQ-SIpY5MFPXNDs|*Etr+ZPe)VOoo{*y z;7cvOu&q}%fm7LX>&T$g4H%;7Gh5b^2P&A=v>;e^gog{_x^6nYVEu`jmh+q1h$BG~ zfLx%3GKX$KPizKGG)!#Fl;vc9bw*I#sN?x0OjTZ;+nj~oB+T@rnjx1S`DYKH>F@%X z1`hZu?7^cU+e#(U>fG-3(C*Y7!L(KwEBQ<(S$YaAF%^oU;!k{GRtVQ`ZEm3PhVr+y zc>qihJ~-0aS5&mE-B~S$@o;*s;QcLN)Xxq;{W#c_!Meq-=2r&Sw`m9jZ}{Kau_#jMWpNF!P`i21l=e4rC)_2cnV`ka7`G4b(iMbZ;r!kL&7(?&Jj~J^(~P711Fr7&gFS)BSU)XWLr2&`Po^o)9Qjfrsd_G}_>U-G$A| zha!I_<$Ck?^z<(1q833+usv1tD+Ag$Vi>v5EfO+EJr#yha-9$Mj|fR65Hes$s2+m* z&rjs}F$-cewX~M2I{Lt1GGG>ju$Y)GAj-MRCBO1L<$2g1{r>e$V!&tOFtpotgaQ(PGZW}C zai=!#i+snA)N)Jy@+U+@U}Y7uk)4OR^4)wp3v@6aK7farR4yQlY`fOLBpXsy|vup*>#6Kyb(GpRmxoGPT#Fx*I;zFE;PN{^ujibsyC+dH=6xwE>Io) zxw#IsFQiQcwBi@wwDLixR0$)0&+>~RGsq1iB~#Ak|AfyE6{U_P z&#s9&Y0lFY``Lo$1op9y1reJHjjk6Eeud=Zp3q)Z9cq3o5%IM8$n=nwSj9!86$vpT z8(^ME&|{f`jH!C{I?fjew?IfedsFrT;E-aqTV62zT?@W!&;yIL`i^f$A2v^6<~mHs zcCx5F) z^4p_=ifzzTh=&>3kjGSDo*BG+vp!c9#oh1Z?A&wcqD@=%IYBl8Orm}cXCIl{T_ct7 zG3HRF?`-pq-!FI%g7&mP2L*V^s@Sb13t*WUi=~0R>5Rq$kMaAYb|6`f1oB6=7>HE zPX@TihC@~D^k-(3-JPYx+Rn2RDVZRoL!3GCISOPyK_D~fthkv3;{w;Df5S(vCJx`@ zkx=35vcR8#_9&2DXc@2>D_c>_l|LAr209^pCr$w&=N^*(Lq9^A#H#~>&XwxQ z1;|-iw|*~o;AjiqSJ-&E`*s8o9v`R>AWxR$CPH%-m2`(lm7sfVwj6(ZW?EXo0*fxQNaS)Pl5493-{aFH)f1_67}=9Mtj9Ym3jea_sAbsa2au3}JQ$#!Ag5~%EFOZ#L-Gs{ z!-zx}Hy*)yk4!XS#;WwzCR+O@0VoUM93k5yA4}?nAXWs@7i2IEhZRowbL|?a+Gc9( zYdfK|ER-Z!lW@=M!;_i0r6<+5R)>m_;rDa>75C0N{dj)|`D8&g89tfxbNx*&K$76A z@70V0+8_laE9vdNeSGH&Hs`sWz71jdnlIjM8T>HB7Cp-OS6+ z4=ElCA&)$i=bb0>8b95smFG1!4bmL~@bN7C|4_2gtO0n#q8a1$10#UFsX6;Sb46H+ z;#|vICsRiQrAan z_qbfYQHa+whq%A5S)~EUBpVrf51+PSsb|*iC9iXmh~yKb-cr|0wfm$YPuz0rg?+hz z+iazY3qe1IKB(+@>^lI$AoW|=oR|5DdORFeBjqr3px?|7cMeyF3NdqUIuOqNIFHDH 
zeR5?kMFi+_zpFi`SoPe11TK{*Z*1Cenf5&ZM)nZ4kLET^G4L;8UfM`ds?DcCasJCwT!s4XAiZ^$qT&wF`S{bL&NX^EY0lfD@ab~A{OB| z4g~#CP+Eb21xN^8RmFNwEfFOv!V_gX5p#9$4F-sy;{W@^9Y~`^IU*FhFr1@r`ZAwQ zyPG^XoCAr$lF*r%2Kbzk_Jv1}wrq|c1P4FX_|z~_%=%K(hIG^?`8A?a*^#Lj&!^coYl)!df`R{fKkY3FV`z{Oz#Z<{kz;5-C zJ@)sHj*1xUW{ z$58%v4SD_RULvUcM)&OyEu5pyt$Q_xfx^tS0DQ5NQ-eXUdG^1y*QbW-saCPX-m8Jr zxzFPs;M_lpkyR!EA;3$UnwUVJT(-8p2^ev!kkxs;=7=iC3Xmv5xTj&~UgdyCV(qWX zs@B1E@BpB0q!P?mTd(uBkm$CYAPT7$*+t|LB2dc#?pjxESlHRr=D>A@wQuwBi9~|3 zCMPgv?{TFP9R7C&asVSb5uib^rz3(%xMUG;p$`#>r)GKjhMm^u7`KCm2SR&@m_rH{ z$d?X^DyL6yHNFRcKq;A78%ZBBj_z7=iCJ$%Lee69>9IxmPrazaDAxW~qS{Z(aPAq4 zDqo${b!Lu!HuhKfY+Dv3A4%0At`p5)8ZEOypDT~%QxtT5#kjO=Y;A2lUjtH-6SL25 zLEmB2K7`u{QKon~lWDgQQPP!Qsw2o^^dn{r$Rt=6d@P4a$UbjyjaCK*jPJpC>OB_M zjo)1FsTy!9ac%qYp%SV&7yi3|p0ODI!;Ko+gk&@>>1-+mBh_#^6P^KU_x_*1SQf!u zr(JD*j>G`T&VASS+wXut#|NfAA=NVpnJh^BnV2shfqYa&TBza6m!&FZ|4WzR;KLUj z>eI?p`58}scQt~69l3$)K%_Sd zv#GHH(&m{5A0QE@mn)}mM)fC9**W#s-41Dt;pV)C)51}etoaH>Bs(vex;79#z-Ii0 zde9Bl{!FYY008uPKz2}ouiu6GJ%ZvV61pp_z)q5*Kr@VCBsU(V2Ut)tO$+iEh@Uf4EHpA5d}%rD?WWTM*plA3 z)YL-d0#8R*c=d1yU=;{)XK0f*=;u0=`8=wpACpL=mxt5AJfA}Oe_>Tr5<7gb+1;F_ zzb7~rH7F%N}<3wlJOH09Fu+S z#o7Awec%mg)qawJL>SH;sSwU>mQAd#*Lmp|-)C*`4Dymmz%N(lwBRFQ*INorFQaQY z_{%b>QItT(M5G4b3D1XM+n|>L6bya3I`DZ82!+T+p`ICqK~=suR&AQ!`DX%_ z&~Wx(u6Jp`GJEK$x?9lLr(ECjB3%g}@U@^JVELT!=zGV;pp4izY!GbCvAw`RwCf(+ zYm9reTGe}E4ZiVVno=!vz#~<sURTT zUDDm%NH@~m-QC^N-QC^YXX3s0exLWt8HW#!;b1J*TJt~WHLv&uQidrc;`#sIP6MCB z$jleN_KWR7>{yP-R2wABUJA>+F;Fv!D6S8`G?Bms1SvVd;`v**BG{*J)#w8{Na6xs z>PzkqE`;`LwsDh)uWI-J!ylPH{4TZ9m0%{ka8YB=zn4 z`{`HuY2o3>z~!lKu=-V~pPxhwb<+MqcPL}TQ+a@&{z)^)KsoOZ;#*B27ytCYc?nY= zeP32;G{b^5#eY5Fg!FA^^;pdw&&BAp*~GwnT%rVO?`rDAo}>N%=9$+_xv_@b?x--T z;LPTBbMf_51kPmBaaS-Flhag2esOW}^$hR>Fak}`W~;cjd=s~cE-8*hC3yJw=|j`t z%o{%az2m_+@<)zY$<@;F=^trTs^Q&j8F~5pW<-z!gl?S5+~XX(6mu|@C|WsP?ry&f zC{4s|2KQB`DXNF20qq)Nsv!vD4FLR9{&?9<8$gGb##fRMDv70bwM2#%`Q>!In2;$b z0JTmF$cR&D7N!QFH``i_)y;zuZc5p!9mm^WR|-LAnK7`13Cl2LrpR#Jq?N#fL+kZw 
zhseuikF5&}<}UjuAnr8S#h`9w0w9khh#S!$&D(NwNysHFQml|`DsBjY{6(x$U=AS) zAn+h>2!)=m$(yN4Flj|X9sp5{ZXKFmhQ0RH0O3sAASlc}E^q6Cm<}GAZDb6}LaO4+ zhY$p~N&p}@v~x*NAC66HPsfKQe2d|Mg^tvQ5ahQ4t&2LaqASnmeYCSYeB9poBC!I_ zCn~DW`ah|PFR?lUv;|&Rxs8pDj@Mu$WUxC%VlC{<;mz}d4g%T*%aP>yJjF5aQ^&(w z)1Pu}u%^+JYK2i0DPY$(I-E0Uv_nx3@&a)3o#M2e#+#)4gjRBtoHCh4E|(D1uvQkSoz+L|>g0 z{4c5Ch>gyE@Ob@%Iqm)e>nqZ+pyLB`0@^$f>UX2LSZ)zaP5ndVd*Nt4ETm3?b)R4W z=oX+$(|LTy{H3lgp7Y*LrFzVdDuHF%;Tb56Ossa8Nuz^icEqf#WZEmc6gB#vEE@?TszG`W{lD9b?qA>-3phBVCzU=H= zKEJ-ce#ylxmPLHMM|`DE844ck;vf05(13|OWM<9)^weYz=D_t2#olLk)8qocyB~qW zZYyDTR>)*ul=w89DcIPN>Jq7^>m(9{P#;034PZ~1YY}d=LLb${w~IFD^N8n~jAEAO zrwbjT*T8$DFMw?~QF3fD*V6KYyH(tLXNVdTso(1U>m%$dFz!`|1=GzJDpFXOR)pU1bC19F|H zaU|~_>$i87dXjH3ZBkGqw-cAvPbVGNsT_pcAD0>tTb2$|AMEvPd+00ZaZD9d*?qaKj$iaGVaL|$d z`d!hCtAhHSo2<+2P`^@GLcxN^B3qwx7BO2|eops(h_Zm8#->Fd5_GK1%do3b<>d}Q zV=u$+6v0^fZXGbvK;f1VR5|Oobxg9yy%PB7Xn01bBjP4m3^yDhLv_7ByeE$#&8YE! z9F>xLb)Jt~z`@RoLQfw_cdXN-E_%)=ckT{S0<9D_v*U~o!{!u%g^_?u02Kj<{z4e5*5}h znhG1Ym$J3u7d5zL?|e+iDHpO4cDZ%DjbBy?!0|JUmQ+%4Affl};@n1!5}xpT2&VT* znkQDgo^E5B*wXtM2{#c{<&I&)uP@uBY4%QBcI(Hk6Q$W2HLBEDpF~l(uG}tuxs)Kf zIwn&GHYjaBuA@dhuE$#MGVQVKd{VWLyuS-=s7?@*jW(EeB0+T+gjh_muNz{2vKzR%b!Q^-*bA@xikGv5PEvAw7j!? zd@z0$K#u(d&t}Il*z`x^H}2+*MqRG#BctSpYnJ+*behZ6QJM=+T$P#j>2I`UrVjfy zhjX%GITfIcw%qUov_>*aFq4ec>V4$}H%_gvP~3Bf>F5G;=w=dFjT4^<>Ijc`b}{Uc z=wP#*guvs`CVy4gYvogXn|n!^rWT{5WEUzv#U}P-*CF-GgTBT5r`6Dj!Q0{`qYDDJ z^ne}#gYOz%uC~G?O-=i$hSUp&C5Y1^BYlIykR!$b0u>dWIS;X_SYb*2p_ z9%#wzPQAVcGVNx?^Zmz|{GIu@^&;Jw;N$uCqTl%)!SSc<#Dn4wt|+)x+0twe z3yh0QJ$Y$HS4JHtaLPAqUvB_yS`^Wg&;SrEUr0&-#t3#qv_kbOY=zABMd3s9?-D;m^YK=Y14FYH-096Sx1o1*@p z!fk4~U?XGZ_Qb$hZ&8AXvyi8kvy^W8>@2jNWA?jXh!7?xpKHI!0gHJ*%LMDfTG#FI zpEcn}vo>vDK6H3DEGk`P*rR^w*rhaxZJmd>#hHs&p*Gn? 
zAX_4DJhI+Wy8FE3DuDZRpAg@(@vIbawlwy>yLhD7(`^56n#J%6`>=|Eg71Ctz5F1N z<|NGJ!SVU!aKyCXUU$p>iH7e}Gl6=AYg{I~o2}qr&Rk>Rn45oWqFSdGf24^R)%hO zB{*4sW^_juPDl3~O`YTt%q7+c;;J~;xVrUw-#xZxyFTDxCPZZH`lAVlyCyR6HUwVj zE8ePK%=zClGLjOMsbIyenWed-j6vP(c8X~9~!q}e7IOIKD27UVYN-JSFsGa7+f~OIe)yr7)USM z8!t=BJc_^UY`KUjV7TCE>vw#9dUvOBDE`;OrpkAR-O5XY=y) zA!x~@OK`C)W=({|9-5mSUJlG%`V^6L%}t$l-+d-UB%`Z)vzv2;<@D!?X}L^iA?Zk=pF|96V&%_4=zKi5HB$AI^|fG zTC1KAAsx|`UZSC8@Gujpn8-yHOQLp77D3lr#E9`d+e9uJsL@Bw5D^DE(YC5}+^WaW zyLAyaGNJCw^de={7zT3rbk}2$=YQw_aK+}-*A?Smx8F9A#*0o*cw}^8Nc|m>ro-P) z3WC#kj;i~92DaHuWAM506GLSbq|P3E*SeUtiU|f;1k$YR|2{?7_2wx%%f80B4puYe zhhB$J)q@kZ&PjCTIp@U>{TIXt!|GARoJJW|Mv&w3Ds8z2W{zKC8&#zvW4?RwdCt8h z@Vo%jmR1jZ;yuDPq0fU1uOabK_I^|(M%PbFZku!R3o;-3q?3}q-&#+{UBjdP3e!OLg2_i#@j2V($ zGeeayXln1(Ff^?9TtP_^vC|yv)nS+09TIMmXnGCe;gRefJ*O+Rmavj`h^4m|>od#2 z{gOG^U+A`L$~GSYJ6*o>A;(dkIEd~nvRlMZ?@E@cpg<3Q{?7Y|p1kb()sHwshaSIS z59#Hp+QV#zl1DlB#yD@b(cp1u-=00GFSplL+O}Ko6CZI(XiZhT86q|tDwK&XzSx)h zl_a1%T4Rw$dB6%W{7Tfo{K`lvO1if3R=(QjQ~GIU2R4 zr1!lj)W>rJdFd##4f#d~hn)nCag*7o!c3Ptv%TJ${2#Vzym@IRW92CMkg)0H{`VyO z>^>~KY}Pu_rT1ndUF}(92%KlJP#bsD|^V#M;jYtwiWjYA($=OM!CC8>MK9(fsjz1%ov^~BFn|HGlo_l+4Vhs z7h4m~w{D99=}xveKdf{1Z`p?)2@*_@GGq zht}+?$=x-LE~u1s5puM)$CVg#1qChB)FB>%^tTB1e=77LDFfoPe#=Qm{@^)+LHVUI zw@EMMgO1Pp`fbQas(k6&scc6@%D>0x&qSbFzuU)6ldpFQZ}Gm*9k25Eah#n}!)`)GU{x8;~vsmWcm| zx7I|8*ZH$|>r2<+QZ_WFNKv5H-4?cn+5+Nv4V5P*mxqg`T{jQvVO+|DHphMr;g+h(lN@t#%|+7Y*Mu zsHXp}t(Uzp@{%??WPp5Wgz0~S8s7Kn-~HKt|NOu2LHEw=|KtD4LRlIm)y%iu**!@P zH+x~KLfuZe&)^{0s8*as95>a@2lR-RtE|(&5V$tzOKaf5orG7SW>N$D5k*riR+c^) zQk!}*g@v8E|F$}kdwW64Rq4zlnjB6oZ{(GdfBk-!ke%JabQ1peFf=DMWOVdDpndfg z9zJsDKc9WW0oTm_+?s~F5~ICjTHRUU-o89ybr7cPLW*>E3#r6eVMY&K_^AOImtqiWNp6O}%|Ggc_Mt_6v zC*ID*iqEXOJsGsL)GELBs3*ykC1P^j;Xbold9O^Lu-(84AUgZ_?=kdE76eo!!%Fx$ z+F~t_qt&_|zkA+Am#($MRxz5@h^2MkRDbO}Y`z|c!yFZG+P6)+bWK2)KN2ZMU47E+ z(uluthIi$#OazY-@TG1|srPkLq;Fc|%F*fL=jOAIO`1#wQkR3%&!lN?77srTns2YE 
z^%@)fD3yZib>Py4Y8Ls{ubu-ww5)&TvP&S5S64t{;FjDe%wr+N`nDh?hI4OZ)W<=p85ONn}JtOLm}d0J-e>y4@-loxAD!=0w3XoM*)DLB|bZ0A=_|eoD&{Lg;Ti;%HU5lTGKpE7g6Un{rmZ2}JDb=pDtGr_c!T<+ zF_aK<7fXbR-Rg$-)g0YU{O{RB9wJ)3I#{xJO8AV`$G$9T!9X6=2c?@msfs8kZOp(< z=%sHTi&&FK>bhr0XCocvV^|$Ms692_VsG~C_7vOOBsDb@BWcZrPf>eI8=L(oTkF1Y zdLHsQUyMCKXQ|$qe8XJG<=tJ)+V%R_f*Wo)6&RM30gK}Icd{#6ThV#zkH5Wqd~|CM zz-&jM$`BRe>goziseS`&!+5C%Z%|OsMv41>j%Rzq=d`*upIxImOhx~+206OYMlPf$ zy_se*FGpE8jR#FA_L`46hSQ3P1zhn6>nfT8UFbcCixP^=IukU)1}3}i8No>Txo$Ib z`7i`5L3&dAcgE%viQ0On zGEofd#$D2i2fShK2?R-MO*_pMb~a z@0Pd!3H|TPEWOme6&@CjR#1312`|vE8!}F{4E8zy9!|%K(NIz9)q)5rzkKrd@N{!f}IM5 z;(F_=wdq@Gm4x<`boaC1Ho>!@1njc_GAn3_Whu0S{_^rdu2)3&Yf(dZ1tR@YC9Zsw zXRlJ`Br7bmK2MMd8yMIPI51N#2;`dbekx8DybizpMLsicP`kDmTvWhpc>$xRL@1Ih z?WOApGdfg8E8&CWVz=h130IPIM_(q+DYW->c9dYJdW#lL3}Tx}*kZ(P5MOK09L zy)Cqd^}ynHLdOAF4vNq65~NBXnaKQ9RoMvg!$!eOh^wgGs8-LXD={M;y+DBj#Z5tX z1C(rbm%fX-Gki1yVMqTcAl?8>dli7xOwYf89?vqW5o77!(m`>`0u|H_ofQ^n&@R(~ zA?kANDm0LGssZ)GudWpz$}j&RamM+2nlHnEAh;eqQ9Y5X5(~fFPjG{d=mmO)O^>elgfpU!}D%} z5A??y$Ot%}TV2)>nhk9dQQ1?Z_8N{VOV4!c8@u^1!$ayVtgR!3b3r1oK^MwO>%!cC z!+++G%zu6MgSRM3Yk&x;^pc0L~x!aqlAO6yeHXsfiK3rK&>V2n9A@ zvl5g0MYBoy9psC0ZqsGY>8S_l%9IcF689ihx2obxi`$PdWLi=X;i^fmcjHDBYD`= zmEs{5o|hNPtl0Ym+rU#Uxun?&w6Z=cI^L#ey53WEIn%^%4am?2X8BO1PG8~XitByr zq=nh8?f9}9SBBc=wRGpSGL6a7eu1RSZFO}_BUew44l+;L25 zT_2u@H?aR(CZdYNM09ha|7?ldZK2k2{i6fQMD+PyB!b3@g-8HLX8>SEj@vzRYip6J zfu0_c@k^lQM%)w9w!F-}I+hb8#I`I7@UA*u!5=`%N*$zpKV3e-4zHy|m($=9|LS|` zuv|2CQ%qx`7}DqFw>it1Oi<-z`4QW0GuQpEqa8WF)tp-LW9>H9siVj(x3AyhT&P+4Z1>99TWJnE>V}f>1@^+- z>SP*)KmDkGbh#3L4pAGwCW_0UcfCiTOl0=`#NeiLc*5p?ZqRJA{1%U}(ShVlYjq;w zR%{X7Zk-luOI%|uA5@*Xq3gxTGnrMh;}H+lyKHPWXqE>*9L`j{oz4&cdmk&8)3Hf;vWQlQMa@h&v%K#j>25k4ai?u zSsPQ>PifgV z6#t{b+=RQ_24$V(QZ|0fm#p6TV#k5kmF2FgtPe-abYgPI}66A+*^Uf1X z_EBD{DvvM9b@aDlsnlL4wxXQx&cHW1Z%Zt*o=Ulv>||Qe8TOh!gq9udptQoH)i^30 z1;j_wQV;G5ZxiYH@dsNt$j^P556AVEe{SfeD`8lGYY5)1ZFZKTbmbbzWJlC|zBbWs z?xeX&>F-9>Un*vvx?P=I4?LLP<&_vP;Si|K87w$Fz*eT{O^h-dXJI=l|G?9paBvkr 
z((wF2$HccT8Rtzulg7z_gqZ1`N6#UQm;Mj-M!~mGTzGUFPockC^|bp_KdxI&nNk>qK-UJrBmlQa4r&EA^vb#DX0@524@GD!^%yQjYQZNq+a``?YWhnFvY zN~S+fS0-Eg6{S^Q94x|Pq5cVO=jJjsHDzUIU*Fp!*8qp;?P;~O(1=5~#MA-SkpGCP zNU}@N7B@>fYp?HvpLBoR!@X*2WPOBdW=582{3J$Ya?dDHF&WP%@7xt$k>e94X)!Nz z=WhHfYxQ8|00-nMvjjQ=(*lmwv$bP==AHMi%}Vs9wwh}%$fE4YTBcE`aX188&7G)N z7X8|v-AM#8UM*tQ)_oehVT657*3D{Q8QsyGbj9dlx$tYqFmiTF)ZSegJs`bC>1WF- zyk-)=63HG$=GLTbEq-L2s=w~(#dllVPVFzim@q}hI`%QwTr=NdoJ+ZhTQ|AqS3~95 zSWvc1=E#3*rdyRKlt*54>w5QkVG)hi?5Bw#NtdC70r7pz4pYEI4(;( z0d@V6Cvl*P3)AoGsI(f2+!VP&<%bG7o;OlI?cvW0i2L;v%2t)%U3e7e;b=hZwX) z_zR9n7^qxRX2$Jw)jyxLtk)RJYN#l&YhYrxHo-h=OqIX%U0mbyDOGo;i(c1XsgKuK z;5q2H5rX_CmR<)IXrJ*&e&pcbKnFwxC>C(?zF#HArpY&>S-Ix^ivM9sliU%oA0~JP z#~mH4+BblPhy@}0l`~IEv$P`f6FP)p zf#bz(J>eUh_2o31GJU!@n~IciyR)eo%QuE&Zet$`yN9+{*zX{dTE--*ac?5SJhLlI z+Xy)%wN#p^P~75&Le-U;eJfSb;9{~F85i59B$Sn^i$er`s_%p5lGw(&ioZ;r^*=+M z)zji<5xl& zNDq5hg>>IwBRCc7>lIX&XcL&HG`l`Y67gZH6Ky%_xYyR)-_#L0IX2sO_q~`(d@cG8 zZ7wTA=*LtRd-vAU+%XWKT?2*NoR#jSOBSYscAH<9yqSKtxZXROgT0%$rK-*_4mQ_2 zvvMX++K%RNLS|dc;eg)|9t4a#sFWU62H`bdW$_Y;9ZpN#Alkz26h1Qad_}$1)tmN- zQ=`Jb4R>DjdLwA3DY{+s%UY}k+u)D@_l=R;Fs}Ul2TShQx9|~#!p$y+8ZA~;$FGlI zS~^?XF|8n(oKt@JD-E($T&kNCIY~F1OO9AT6b!laFSz@11Tv3|F(2CGViQ|Q$0cfN zAP_G<#Pr5F+)y^0^i)vqMuM)T14Hk7aXwdH4a$;4npJKtrFnuguLWB@Ae2S`u=C-j zahdxS^xrB$5Dc@*nG%g-tKgh(FvhpOr=dJI8PdMrr%Y%{kgzV>yMWA49au8NjrTJL znnc}mcFFP0v#}82&Sij8y|CWoqgvtyO8{aBE6BF6 z`jr$Fdvie|_~BS~V`#NjB`La_NVMc#6V`ZUoQjlczyhWIY}$%cEi^$mfezxiWRw)W$}wET-u?c zmtEh@jE&?m`sakpF`BLiHTQf{!@1mWceA^j>3$|){ZN8UV*hT3#Yk{{AVgnMKK(g8 z%)TnN-G4juRPmCtNG`Z_rkLxnzB0q+oF=b?>5oHK$Nj6a7#fTjO{1_Ue={yPio#zo zis*xpt{{c7|BliBZqq%X0>Fs zWYkHHmf_e=o)E(ERe2HKNMyI9I~N4(p;4M` zm7ptsLJ)-BeuSfa8R=P=oE{ow^}bvDIV@Ss8@R-wc2zukcRwj)vof0rNf!!Bx1l$7 zXxiT{?;9Ur;e8kTeZmj&t8YL+pFyS=G!@4bK@eG@SUelt-8D|?{*xdNm3Z=V__CB` zA|2mtvv~l!I>NES`7P`#8}H*dcEU@Ortz~eC$eRyoT@4JH7epV$424s21O#pd1p*z zXgT4tRlfIuLeLmUjiz$ zN6|!J#G<^*{=SoQaNgM0@@H$=i|*u`JkDBf(M6XNX9K=@I+r|?*wcIAJgR=_#UVxq 
zzf7}lyX2GR`O7}G!9p6b{QRla#ry=*g^T1W%X!=kb20w&B|fw%RU&gc0`NLJE!R-O zD%|2){q2nR*%-PwEoX$QV|l-88nnqT!!-2eu~-`BYA@s5om#)x7A1DwU^LXBStZGO zx@HS!IMnVGKtKvbmO&nUQ~2_~Fm=s|E`?UxA~k$5%)YfKmM zDJieMGa9U{9UlX1>qCUZ5g_M6K|?p!*owx|;*HPG%+E`wfA`mJNr>%Kt1&e(N%{bV zO09xUL4h$v>Gff4Q8G?Z>N}eK?K|BR3?0LCHP5MY)_OvtR|E4SMI!;PJW;L-pj?Kc zxEsotF3gxq&NQ9Zsmts#MEPJ)wm(%eDtGLWfDxWeZSSg9=qu$p+roswh?{)6(qg`C zvV>gSE7T~ThhE`lBNc?8?k=(SBVFazg0L39duSd{nooj;416d?q15X;O(1Lx4*KJ@ zt-!HcVtHwu<0jtxB<70rf3FQZP@>Zu^tc#78~5h+mgu1wbkbN%*SEHy386Vp@j{_E zzy{{BCGXz~Lf>e;BGW?w8!5J1yP0^>U~w#Zvf$Wa;+(LCYPkGf5I&YEowuW=)}k6& zbYkCmXV*}eAD&b$?PE9in8~LXii|V6ugJNIR)wr8HVa+PSQ29F>FXuMjjIq`1M0i8 znFQ?Lg83Lfv^g*LhTiM?3Nn*DP_eRGzIejIr z^er?n5Dsu1J7;GxfH^JDBNvFH*RfnQnehfS=z*RGZ_BSr)s6ls3H48di@YsV2Enwq zpSPzj>6BeUNqkvoC;#yy$)z)zeXWO*RCvg>hbNGItvj>GT&Ow`A(TzV9nNQY-)@uq zYDY=B@JG0!w@BjdXn(Rz1vPTL6S8NtjPAHyRD`-|Ht2qKzs*j0`^H$Gy%t-?W{K}* zy>mD)m%LVMG+7B)nln!m`GU+D2YGw0;`O+U(78=eorn{tm)O@pBbaoMVFM&u$V5iE-&M9bGN_;Q#vd+->ks_EwW_iv}lyL^_~zSmEtHV zpexuLL!;i_-Q3It_2$jypVQ7z38C3(IXStBLPZokJ-x!BA~N~n#DO*fa7ud&8l+_{ zwy@jn9wU_bF=5h*xE_ zj63PmC`}je_Df`NzOBIXJI9rb`#y>4xsbh)7|ZZKgCB&F9eKa05O=3o?ZkyB=fW-N9LE% zCl4%lK!DaqFx#83m}iX^Z z_Dv#t%%&vQ+-vNAo4PlELup}d{+py89KH8q-2$;6Q~CS5XDDk!p6Au*-{guEjBeMA zPdqzfa}TSxLzgHMVpSNa#CNO0&^ua-@69{s7eSxJ?01>vG^h3sGsHDmzn|{VM4rko z+8fooVC}vr2o?Qgc1o3D=Jm(>STP`-)Zw^P4drec!}%eDRH2v{aq7d0lMmMLMQNT) zkUW>~X)~_BMp-kx!7&x&$??-nrrX5i5P~&Q*T&uRzro~23 z6h~2xCAp}-dkkEMnWk&rr);FEFEzhqk@@db$z}ky8D)QsmFTxE)^J%>g-v)oeT!L` zuiAxDyXS!`78n?A03j-SN5|&NKk;Xq{nC{RbcU0K-eqNUSwb=0V`Ip0aDnh|@QxY4 zV~2%JH;$vv>pNIF6l`+5q*pVmH<4&MrJKCEArELjRIXWj&7`i@Xx|3RPipOsaR4E> z|4d6;M~4p}fAyydF#t&|Qt}Jv&t2Nlizkx@su2480o6iBhr^YM=r?ICSS7S>Mus$D z8PZp;zIky3rnTyMms0A6{0a*1t)8x^J}+EZ`8~0}-drH%BJP5dFO?Ubv`-|LCM3tK zgWX#rNo16ePFkiOUwcfd&j{N|HQiYv|M6omG?6J*Fn`1d%_%npENK97n)5?7X_-wo z^>n96Mymh4;%MiTd{((j`HNd(nA?@0eMI!1k8N*^4b_vVame#!21A#lwJp=WF` z_?90UVyo{oHP=*AxllOW^wOo%ykcUJE5i^s!F9?=-0KQox?dmpSWqv;BmPFRW@e^< 
zYLR)tuRvY&SKpO_YQvx4HI$P&92P0!y-)v6zzFXs*r%Ei;(_I3|2aRRz>RE4l; z*)n-jy{4f_ajp0{9trlqCT(TIAEh@MSjTMJoAb60_u^W4&!o_()V6{I*dG1lHz0qn z?C!>8ZMUDSb{LFhzI&ODpe2Gn*54*D^3o6c2n1`c;tqt>y&t0{ zW|p(kv}Cz^e0p!tl(iGN^QW9D!(!}BVMFQ3a1!Od0y)Zi&8cgu?@Ayh1NUzzoxaF4 zkWOGAngYD}(9WpV$;pgQ$};N1Lvg9&AZGL7Vgi7jyOy>gxLYj{Nu4TH8%OPXV)04l z0&ieI=+y*1;=tZAS#Oxf*$?y)Vs1 zZmX^j+a=Ereh}%n9BXCJ#*@b@Csvlr_~HNrpa(n@%_yhqtkA&40yIp9&@nNyvDr4# zR-mQCsTWeeJ+e$Ez(Vx7$ExbE;l0v0;JifN{N^SxNom@C%r z*49?94|)JyVEHBL-`Q>43qA!h62kVq{^B+|}J-Z$wHTfl4pT>&=XZp{TsU*;)*1SGa zRZvorD%Z}t*nj-$kr25r`Eg)y@OG~NvGO?|5?D$CesUsrwec#@Wl&1t2H{j2_dgAl3=Bfqj=cfqgx^4;I?iA>}k>RN7I zyzOi1QS`O6Twd$2+n=HW;-4wz6nmMJl$7YK<{t**S$f9W@pv1_FzH}5D=NIGKzs>{m*7_ zcXl2QdPwpr{=BMsQ!fjAt_&rFMAV=BwG*6 z)roFlwH)N(e{$_ORL#YXl$}S~J37YUO~EN15wme_pThv5I5z5V%O7(YAj@o!|Tm zO4CC$5q(r(esb~&N*ua#nqthA4)>_fx4SdnUTE&}B?n#PN$f1cX;f5r;(vEubEf& z_X9IBw90j2sP6^MBPOq0z1l>_E`cUShFJ<1hU?Qi(EWH$io7Pp<2rgt63YH>lJJ!K zk|dxI|KB7*`N1JJ-TywsgFk~XvBO{u#I}I{3sln@CSiKFxn9HPU<rM{J7qMs#5~ zfVjGuJnAswGA1Zak;mOrBcK;Q zW=P{r?R=_`F~Uh=yxOl|c7&eRv@gr=eVgsROqsnB&)Y z`FZ%~TcjFVULB%Z2dkzN4Hy>7&0qh%PLW`BkX_OpwwNmKA8b4>eB^~p$r30Q|3i>5 zH=bRKg2!e*ykRQM<7a23NzoPz#iHba#aEp0GPeVT+xSa+q7n6-=~%A3M?$A1@TFc|m)Uajy;Y9E0b9Om2W&v;&c;xhz7evmX0y!3@CV6k z5ygLOF9v~Os{*iwh7c38G0$K3^7JGC(6)BKs3{^RtnGc%HVE`(>Rj$W0bQVu;o;C0 z(}f>3hoDIyILR;N_4VJCJN63-(jGccJeX!L_`9GcWj=3{BehIrjrbJ*JJWx^Ycb%z`oQCOm4u4t+ko_a z4d`=3i}ew|ENuA^LIg?-sbn}Zka5_FD@(evJm8%_4$EC6wclk3BIF99#B{Vh=(E@!`%7H+_X z9=zaP&NPq)-n&1*3YJw=297m8W&pcUeJCiDw zXF{=LBAQaGHNI`lXcgdayznb6r7c!%>I0^2r&m`)XI9z9b(Wx!w!Wi~1fH^{nc4GJ zgHRUI!p*H}Tan2=Jooe8b+eqWvobgTv3F^)ESuMy!?i7wC(}DbfKnhqM3GP)vN4|< zUPbk^ATrwNBJeFk5_zbX@pK>c4PVAL|9Sq5QNqN)uIJBAi1~t~xGhvd#z_I`<~ylq zplh;O7QLbitl)t6@Kcl zzwzwmTarWg>M?{wwGwT+sEiFcJf}ofsK`DcD|iaM>RJ$|N5^xXhjWboJ=exTixt;FJdV-6ffDUvR5{;p;Dd$L;pWpyAIkf&U8 zgf;JUy5?GTN>X+O@?6M2;R$EDW2!@$B>) z_|CA8cUPlqbf*AxxI0ypU_Iu9|I*78=IUG_W;iT*X{oRWsHe=E!XzK){pSFF|K#9+ zo$A)&nimahMazINJkSXN4;klWrT3ZI2uL` 
zYJ(^!7PDeB!dgM4(Ep@}b<#h6yj^y^FPd7>1?esF!UiqI-y0N`B8M*#E*ot9{rAxt^gaubpsSCdcmf*j!(lP_6v5u`4TzPqUWh&K} zukySYY9~c@Xm5a}9Je&=4DM6t;%*Vu87NJeac1JUyn0ssdFY1}gi{l`B7WXOHSxj0 z22M*L_~%J$S0enh{_Li-7$xT5N*Dpgmt)#j@r-k+94mkBOg?|PBw=rYlmOqKBRdG1 z1$pJ=vgO$ze@SoDRP~D527$&CQEe~L-%B>Z&NWZQ)oIQ)*Nbh7<_fz(K;-PL$FuYM zm0McOMK)1=h3_nvt~iHUi%-7qR{0;uiEiHRa~?IW&d8*mzjdo_il7bYHO@eoRWJo$9--b zHE+Z!jSl{Y1>o^a`^JbD`ke6t$=-hTGfT>@RA)1(WV67R#}##WV{C(kT>O-Rj#|61 z!1d|p9yiAn>0(pf!~l#8e1nxVJhlr&w4pnT^EMQu~qBh_GNv22dBx%G{wO%-`4{?c`UgWxeg7E$P^KL_xBjCBooPs#Sri%m8SU+sVJG`&zswV%5@Ri8;O1OsOvqony1|z z()OD*$+$5o>pJc9oQ2B4KZA^rWR4%prl)WS`fMUbwpOB zY(G*+`|pKZ&BX2L^S~2O}(abNyfy4|2A0I!K#f}obVE~$?Y$9uaJpasiNd0VW<&Z0q>|D@zR-WZc={1ceEMuAjwy?F7iLsxFBmqwH zttV9sJ41E8h02gc+~EFjS{a#-$%qS1=KPZU!a2HVLCR}`rY$He_SW57&fPLzzAW*zL+R?8mQjHz7jys1MS7tHqLYEgZskN#Lb*)7!W*`J4B|JEHR5NfJ!o3AjqzWH7 zp3Kd}B^PHNDN0N$O!V!bO`A|_-ZOQh_Gww1!`7JiRvh1ulIQ)(WjDqhPoYaFCOnE6 z&U<=9cEy$pe4U?&Xv)HoH zR_-LlU9A{q`>fl~6?AC8V*N1#x_0$vGPktLwP{MhmvOh*C$)dPKE%B>t+(6n&XZos zn*tec8L-fei)BR%e_@*7ikPD~?Ml7FtjY&RoW7y)DD{<0Yk`sP?ESPb?1WX<+{4UMt>oB=F4`zsE)1GctXIJ7Trx+D>*qIE4c z&=prOJ>Ix9wHN3AK${}8&Y7^yha|6^982pb)BK+AeG+{La7xHI>Bw$Suu1F>(aK?U z_=&L0zHffCofb5U>K-1^7Cc}V0mr$$u#iXDf)oc6(goGCDvd5fz6-OR@W6H|Pu(PR zT!$t)vSkn?h`I2S_dZTb-!vNXc|D+hs4w|30*b{DmNiso++zv@{aa+e_w6cO795k2 zUC-jSTU?Ok`Iwa~nCSy;7&~*z{351W3@&F@92^|vg_le9_sSNPCl&-(nl%>7-ky(@ z!8Fp-RIa;uF*fUfI-T5vktE7FWB!nQ8q;$9r?tFoW<)3f$oI1?N8&iB`XV*)DVE2; z7X{0`-FdbJ*CanGOJ;HkepeR817@xI2my1V*xH^e0M!>tM zd7BK?B-oD>N|BmbhU24yVd6KqF(uq4T zY27g>`4m+U#z7!Oxi52B%Tw*}S38}q_!6If`)j5*DsDgdd(!`(&b~6L%I6CgNs&Bs zh?I055DwBvD2>36P#P5lX^_qXNFBQC(2WR)9J&Rhq@)`OY3aU${@1$ee!cUF#S8B{ zv1exQJn&YK|TYd`Dj=k&XO`>~~m zl+Dg+Itbjv(%u9r2?H~=j(M>T(AxJ(clYmL!R(tUi)4F6k@hPnN~4+!&HM>t`$QF? 
zJb60hvNDZ3g`q>)FU`MQ*QT@h%w(%N+Uo4ODTPQHzO!^od8~iW22C<2sanw>DNELG ziG>3l(^Dr3-5yy(X6O}uIMxFvl=mydxvyUl6)zU)aBhZ1R$ZX!cf*2oSv)iRG#3)U z)X9FGEDBW_g0(zLr%GZU+;!Ntd1x87W-wPtb94IU#wFdyZ~du^_?Wb5dK#Y1!}gwd z`aIlOiR9?iO>oD75R+n3>Hi{7BZ#EYCnQWCc%Ds%AeJ+&TBEStN#p0+^us#n8O&lvN2 z{rU%kn^}tJX-D{}8w$%Ts{8|igJUN{J^)WCX+77FEQ8Vf|9a97|E)A)01Vy(zB=7Jwt*A6q>PEuR4LmV<|)Ux_jwjyjx zT2a1;aN|P)1lzchuyN?BA5QG58yl`NK@tCZ5?M~#<~0SbhPtf*SmU?@Y_Zc;HOyFt zzg8`aJCMwB)AEsnv-~dISJCzhJ8Q)???%1xX6AVt6y)TZLbat_c|yGIj@SDmhgruX zuR|p9lLkIg)^LmcrOu*+>FMdJ*S!>fBj-cLw54a1;DlSW&kfm1kohE%iQwgrA1lVZ z+vl+oPa_;qs=uDJaXzrK!j=t>U=go=u!KhuTyP z2HSu78R@3IKU3F7Gdgx8nguM5@4p!|Y^xmN^^9?%cgLpkDGo}6$SJTz`p4xeM%XiQ zBSs6kBG;a^Frz>C=6!}E-XXQXNHn05sX&MW9Jm!TKcBs2ZN3b4`fITmqcfwvvn=co z^I4`nM`UN6Sb0p`1wD>Mzp2aHn8MLIypg9Orl(Cgscb$1rR@(R*i;N`q>Jt->(ADE zX5bQO2a&G}Up$>kVU^^RGhSFIii$j~p`)GsouO3C)hg#l=uqTXo||!TMDJCyekTer`{)|nv*M0 zDX+;x^ZNpJ3=X4G@gIAs%?%cOxOQBkI4&XLYS8J@9ZsVC$ppQ%K*a7^-=JqaU=H=Y zalIp*3!A0LXe>O5%VTnzG6NO4o>;+b<8Z23lzXrhJR{R=;HJdpnGmsZ{D-4Y;)t8* zesV%j7;@Kq>XO+$HXfMDAs4AnWAdxi`zg74)0mykY!$D)wfeN(HqY`aOVvN-D_T6f z*Cn;*7R1UsP(Sz|$Wg(ruP1_;HC1z3kBzxr?)6ZVk>U58ms!k>G@coO3)no2cVED9t^E|+97aM%%U-J; zhMalA90<8|xXs?&2tP`765kgfl$UA69?#%m|1P9Mu+_hgO#E!}M1AVeV89q^4++oq z{hp97>#i}|5-H#4{-?c-yi{K@6+%Zd?9?HA9isUV1?gEAC3@|C^6;#xom z5Orx;arE>GzwLArV#(6j%A*cjPi6l%LCjoarL-4QZT9a$YC zVQutuJl2e&*`6NC@_1S78B<%++TqJ2&lJ0*SrjLOIIav;!xbG!X*Xdbm$b4FIPNMc zZ7_Y>EU9LnsM?A1;Ow+vpM9pQCSPtv|L0&zUunO3k>use-=64}=CYDwA=@l)rK>aN zS&^nkwF5zqW0OVt)2**{Mn7;zC`!gBEW6IPB0PV5H{^R|^+JVC{o-L_r5rM~{fB&F z$oT>hulFCb&4=`-Uiy#5V=pAFk{f5G6o=B1a`k#KJF#e>ZX@_Fyw?v1^Au%AOL7Of zy||@diVkkmUFQbm0BEzku@MrcEa4CLkGTz9%s@^BA5hqdZeXyGQs6NP+_>>|!BbJn z1>8+$jW@a*<0ap_ER4&R_jP-$`iz~4!#FosA5Q!(UPfK+o*u$!e`ys*9I$%6H%l6_ zxuToV?6c4L^oLn;(C68MnZlC&_F9H-4-KB=WwLV~h6@fZC}&HGrlCw0>$$Bz61 z{_$KflKCUZxB92f^i)bXuI?^rM3&jt^b-E+I8-dPzQXZRTDkcg$pcIV8eoHzyQqhp zvZy%6lE#u*rDp0O^r!vsogVeq4+#`fUHEB^quPSY?m$b#vykm-$s}8V776`&zh$5ab*Z(3Dn{Q=$`v`n>_mf#pIPH> 
zenSbMR;F8rS)7_RJ-|@dotBlc?(M+@sy{|v^k8~btQEjjc-8q ze~PKCom$9}4CtXL|BZma0b9?d@a=NYfkQR(>iomPt^i7L-%+#`0k|6&r#EzM`8|v} zeCzHGM;)x?PM@3%e2*KWWK?$E1TwOhYpK1Qj74r!{e* zs+}4fkutv-WTnYS)m>X0O=ToW&I8!j9aH6*qr_E=@3Hm_RpB4GiMQx*AZC3E?fMC* z3u;@}uH3itcBZ}^FS{6y+tT}tpRl!m4}KLs4OO%F)i9;WcyP(>WrWu1AphrkO_?|`F4j&;iOLX!`W z4+CKxKp2w0xGb57^8K8G#$NN@uThCpEiUoBF0&kRj;|epW#1W$g|+IXD-Z-396W)4 zWZdCP0YZ9G=67{a)zGsyW$!-RL(`t&ZQH+(H7eS_7}`?!Zr!@INl8vy_w4M<)uQ7r zJ6YX3N3hF*Z2QDB)w_5Uq|axYcc3V!rQN~8uCSe}2i4qz(eX=vTD5xUQ2<6cmIBj+ zzTKUn`1HF52|=2UH*aaMBCgZ&$Y;=e&$T%TUnl#cceYn7b&&WntC2o9Kw_=EK1`F|`!RdFZN>E-%|28(%~M0P>Pd3g zRqqufMswy_YkzD46D)Ees5dYbrDMzVRtqhSldHQpsu@Zaom|s*D*IpNBOV$&(oiQ@ ze1Vz$GbS>HjRek>@59kI>^+~I0_JO=QOC5w$-QrIr|z?>8^favDK~}G``tCU9q{m; z>-BFtp{BJ8$IWnQyY_=G8R)S#uQed#{kpsT%ISNT?V{N!p<&OalLNjm<3xL|aE{WDS7uwZxr{}k zJ{Y$zHIkrGO~j5eRFs&IrQ{D{gVwCh4A)J-b;tua%yG;3@t$bKL?_JV@D zTb%NXFkv(VnGNBNfl8U1a@;q6xH@> zt!D8&WHdHW7%YBL`KwFUeCHeYO!?TRURJ#w6z?~iUWO=H26ZnhiA*C#NMZUI}%S1;0Dnsu3L1q269 zU)?-Bm>)k*R`wHYU}Un)Xhp25JrM9dBN!h;yGEhaZdu$Ps1L+R?wCK7)%UYNUg5!P zE{iT+ylCw=M!6k7-8vV=hE9{(t#3KU38EOa=BlR&W%X7>g1L5U5#g`HAi8?UbAF|j z48BjrCuUL2`{T$q4ndxw;=D!K#8Bn>3Vu!2)8u2SgGq7BzJso$HEt}K9tunaq};M@ zb45V9$K9rB0m9=*FZ{3vlBZ@(B@Ehii12Rqhn(O0%Q5sD!Z}(=hn`c-zv^PL9L&Q; zE{=+L#RqqPSy@{%2a1Q?-Q7PXS>u(Wlajj0^Qh*CAwq)-*l45jAxUDd=_2AWP{&ew z{2$O)w>bh{+4jwT~$Us;j{>BV(0yDbtpI2DlA{Z<{^Bd!XVqk0 z@}YElLotziFSsDSI_psR(8vD0)^=+?`)6(6c#Pf)ZFz-zw_Q*+u7}9uVdFhvA^!s_ z|EBwxQ}DhijqS1O)deRc`W?`FlLE}vc{Tj@mX@3VEj0NI-!?cHU<*czSm|fpKB5WU zayQNNp#M^Zx%Zy(F#g%X&&|iu7L!(2iBd9NgcoK+Ifu;+#Fe8spCm+cs+R3Ac~73+ zP>k=j?-<*ujx_kE3Qk&}Fp@_YvSNvZOX=X>&q#lp>(x5dv}4ZWQo5m<;EJh@OOXnsvVtaCLS49DQrH{{j9* zKRxcBb++K?t@zz=D?*JO9ib+jb@aktIgbtU{orSlje3n!Tlan=mP=t&vpw%> z$J&^NhEAY=lCapUaR4nqsb}#8SJ4sDTNLMNzGUfmo>d1fI~f+$>Y)PrH<6VnMpH zLrfO0{dc49MfC5@`3;3q>K0%b9o~C#YG-;kI&6D!y5Fw$!!l@|F=(FqIoUldR+S{* zxHz(OYt16Eo}M0Vl|Ha#6uRHJb7$}P_$RL2YF`GHF~HFLuIMdH(YDL+;)xrux~rAe z#g|Gl*@$LurL5QVAOgSBnO&*arZbepK&*laAxK%YpCFtEqzS;Co9#JHps3;9D 
zFK@q%59jPT-xrb)hT^e)3Jh49htjTIKtcq)sn;pP=r6Gf`A81ElT*jBvkCg&xLuT@ zIfE_F_mYKZt2`A~^ABQqa=kg~(+)-dx9#x#B+vAIec! z1Q-QXZq$(Ynb6@(0lAIdkz8}rplrGq+C}B};;-|%LL1aDpF-_t&rS*H!|6XtZ+Mce ztZjNq7HNn2`l9XVy=liT_o|~hNH5(yp2_5cY>vGAjDMVCyMJ%x)dT6vuVoVyK4{60 z?-e>{%oD%39jDVp59-)a&W6odR^-aQ#Zv6!XifVTu){E11Izd3K z+t%9~hL8h;Sa=K^Xokez#jUMU7mtu9eyX&vHpj!aA|fITTc%Mt+MNA@s3FH9ZD%1H z%#g13uF$x_fmXSDR=JmAt}(L#y@ZL@bEAP^ymGR zO#~9A&D!w{Hzx)L4SD{W_5`oX#4;PJ$)}t?NbhFwwJCJ~y%MI8`(lZ42II5Wd+N~x zNFo^Co9q&8PL-5L5P;(ODF&Er5U;&xhquGP(7B=)@0ywbHOSz|$S!bS%JN9u#l;0x zU!UW$JGVYoLJ6u}d3vH%ygoxO9Q9=8HWuN*bGV8aT}RgUi3@EV|eV`4VhIl1MGjCem8HKNxV7!}MT z<(T{c@CV$cZM%VjW@ocL{_x4lH8wih4k@03uu> zPV2uLK6 z?3b!X_;>EOS`M52iLIP8J?a_mv(;Whus2n zAucoXBNX63cQB_18>SRbvKAJaIrLToh$Pl_tmGsM>gyMPt3C*9YugYx^bk4!I~dq4 z?d@b%RX|LjkQvdu{k5^mm(tsy^#o;j!o{IvY zw#^rhkDvgs`n`F2YO1Y59r>}S7cLCICcf22@LsQgRz!6*d7aB{)~wMHz75a=udb20 zlzpD<`{cQS8xotQJCeTqk{XyxXGP9a#ITWB1r^XnY2hkw@V~ygIPeL)?VicVbOHj~ zI3*TV^<$a*jJ6K27l3`Sp)U=8_n#dK1hz{9IahGXrc1p}MnNHbicjY*0GbCdsyf(0 z01>@gN6pNfS@y+mVz~3^hiDkCMSL;`Hv|BA0H8r9+X#8gXU6B zp`oEqD$2=d6Y?52g@;k{2}~5>fOiU8Pqlz6bzi@JU7v535_MW{c_9Q~WpdaN=~nk_ z0oI6Mo``LeM+G3k5MW0U<{oSMXGPrxL>Qf&ov07nG{6u;f%NMFz)QtvsX5}iKEM)e zfdh$^mZ2dCz&xeN%YrwKN}I2-1;TKMu4%PAy__?cDZ(n=jj(=Vmv{bO!!3V*^aC3A zaR~|N(yxCUbOUJzyR`wjvMzcFcQWuT^_De5CiYU#Xylmm(`K)J9jRIcX(I^ad3x8t`Ll;4?`P}c zxs;ygEWXzI_gy*XmF;Z=xR(p6uFwhA75r;@tbdv(m!YX?@zl*Nd_ ze=jRkJ0(xaz%~+=?;s_-ts(@H%#SC0=iiTz=#AUZ>VF?-yY<%pm1KTkp8qSX;kP-l iza<*i{Qv*YuQBB6vEVq8OyReD!HV)~a-W`<`2QcCpY~G# literal 0 HcmV?d00001
