ia64/xen-unstable

changeset 16527:e39931a314c8

[USER GUIDE] [ACM/sHype Update] User Guide Update for sHype/Xen

This patch updates the ACM/sHype user guide chapter. It updates the
examples throughout the chapter and describes advanced security policy
and domain management based on the new ACM xm command extensions that
were submitted this morning (cf.
http://lists.xensource.com/archives/html/xen-devel/2007-12/msg00043.html
and
http://lists.xensource.com/archives/html/xen-devel/2007-12/msg00041.html).

Signed-off: Reiner Sailer <sailer@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 10:00:42 2007 +0000 (2007-12-05)
parents 1b863ae2bf1e
children 6d879bb3f6f0
files docs/figs/acm_ezpolicy.eps docs/figs/acm_ezpolicy_gui.eps docs/src/user.tex
line diff
     1.1 --- a/docs/figs/acm_ezpolicy.eps	Wed Dec 05 09:59:23 2007 +0000
     1.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.3 @@ -1,657 +0,0 @@
     1.4 -%!PS-Adobe-2.0 EPSF-2.0
     1.5 -%%BoundingBox: 0 0 610 400
     1.6 -%
     1.7 -% created by bmeps 1.2.6a (SCCS=1.78)
     1.8 -%
     1.9 -/pstr
    1.10 -  610 string
    1.11 -def
    1.12 -/inputf
    1.13 -  currentfile
    1.14 -  /ASCII85Decode   filter
    1.15 -  /RunLengthDecode filter
    1.16 -def
    1.17 -gsave
    1.18 -0 400 translate
    1.19 -610 400 scale
    1.20 -610 400 8 [610 0 0 -400 0 0]
    1.21 -{ inputf pstr readstring pop }
    1.22 -image
   1.453 -r9+-Ir;Z]qmJm+bqYpNqpAb'kl2LebrrCaP!13WI"/g&:s8M3`gF@sTrs&$p.B99o
   1.454 -bPgW,aN3fLrTF7,pZMiM4<kaj2d]8VkQ$t7rsp\=2(+*@P%ncJB>W]hZ&\h`!pJhJ
   1.455 -r9++\roaUfki`$1!9iVHroa=^roaIbkQ'fHqriY3MuNdDn)sbsrTFF@5fDO8h9=^Z
   1.456 -h:pPm5k"X7!13Za!!)<a!!)`m!!)`m!!*#u!!)<a!W`6#g&D&=r9+6\DZBb9kQCj9
   1.457 -/%,9S"nPeE0m*HokQAoImf37L!7(?&#=L[!)C7=L9`4)SQg4S]/N#C5Kp%U6CMRS"
   1.458 -j5[D)rr3&`kQ(PE!!*#^!!*#^!!*#^!!*#^!!*#^"9@WckQ(MDK)^c/!130<!7(Q,
   1.459 -"5eQAX3&]kca@A;oDIePQi@!b!;c`p!<3#t!!3-"rW!$"rrDoqrW!*$rrE*!rW)iq
   1.460 -!!*#u!W`9#rW!$"rrE&u"p"Z'rrE*!rW!*$rrE'!g&D&=r9+6\DZBb9kQV"_>q1s3
   1.461 -rVm&tO=+!$s8D-`aN3fLrTF7,pZMiM4<kaj2d]8VkQ$t7rsp\=2(+*@P%ncJB>W]h
   1.462 -Z&\h`!pJhJqrmtYroa=^roa=^rTO4\"R,%LkQ(MDK)^c/!130<!7(Q,"6A[.9?8dh
   1.463 -5_S_#r9+-Irr2ruqu6Wrrr3$"rrDlp!W`6#qu6Wrrr3$"rrDus!!)rs!!*#u!!)rs
   1.464 -!W`6#rr30&rr<'!rrE&u"9AH%rrCaP!13WI"/g&:s8M3ms8Ve@.6;U8PB]2<G4bh7
   1.465 -rTF@)aR9*,kQ&p&kQaL<,8qje?VLC]!13!N%kTXr-\[_HC27Tt_W0[]NrK(LkPtVJ
   1.466 -k^rhmrrADSkQ&p+kQC2@oCV2<kP5&L"8;H]lhorHQi@!b!;lcr!<3!"!<3&ss8;ou
   1.467 -rrDrr!!*#u"9AH%s8W#tr;Z]qrr;os#QOf(rrE*!!<2uu!<3!$!<3'!!87APQi-%L
   1.468 -Vf)P7roj=\#Ln2d.k3`*d/F"CkQAoImf37L!7(?&#=L[!)C7=L9`4)SQg4S]/N#C5
   1.469 -Kp%U6CMRS"j5[D)rr;QQ!!)<JK)^c/!130<!7&(;!13]b!!)or!!*#u!W`6#rVlit
   1.470 -rr3$"rrDrr!!*#u"9AH%rrE&u!!)rs!!)rs!!*#u#QXo)!<3'!rrE&u!!*#u"9AH%
   1.471 -rrCaP!13WI"/g&:s6AeMaN3fLrTF7,pZMiM4<kaj2d]8VkQ$t7rsp\=2(+*@P%ncJ
   1.472 -B>W]hZ&8P\g?=.gMuNdDn)sbs\**gYrVlitr;Q`srr3$"rrE#t!!*#u!s&B$!;uis
   1.473 -!<3!$!<3'!!<3!&!<<'!s8N)srr<&urr<&urr<&urr<&urr<&urr`?%!<3&PrrAD`
   1.474 -kQ@`#s8VBJ"3AROs8D-]cM-N-6p)\4,r]1)r9+-IlMhAf:/4W-H$O"7B4[3tT8Dq6
   1.475 -s4Z[gs,6mWQga,<cF<!;Qi-m^!!3-"rW)rtrW!!!s8;rss8;ous8W&u"TSK%s8W#t
   1.476 -"onT&s8N)rs8;rsrr<&urr<&ts8E!$s8N*!!87APQi-%LVf)P7lKA>kaR9*,kQ&p&
   1.477 -kQaL<,8qje?VLC]!12=;g?=.gMuNdDn)sbs\**gY_#FB7aSu7,r9+3[DZAn@!Ug!d
   1.478 -kQ&p&kQaL<,8qje?VLC]!13Q^#6+Defso,qK)^H&a8Z.+n)sbs\**gY_#FB7aSu7,
   1.479 -r9+0ZDW]"@mf37L!7(?&#=L[!)C7=L9`4)SQi$dhrpAIln&MTRnc".?K)`sm!130<
   1.480 -!7(Q,!p&4mjP&eIrn7J/gtq,ikQ$s(rrAD`kQ%OAmK!:ckQ&p&kQaL<,8qje?VLC]
   1.481 -!13T_$MiW5bOEWV[E@q:K)^H&b5VI.n)sbsrTF@?i/UIO0EXRij5U"#!1/H?!13WI
   1.482 -irAu@!7(?&#=L[!)C7=L9`4)SQi$dirSZben&MT;\_-\/s+:9nrrADSkQ&p,kQBV#
   1.483 -Fj.r,"5J$ZjS\3AQ\PM?QeCR&cM-N-6p)\4,r]1)r9+-IqYpo\jkK:CXKo1La7Y&a
   1.484 -K)a$o!130<!7(Q,!o-Gla8Q/=b"MWq!1/H?!12C&!7(?&#=L[!)C7=L9`4)SQhp^j
   1.485 -iUcO1a1&q2aKj+[rVZ]n!:0Xe!!*'!quD?KK)bQE!130<!7(Q,!S]=-r5ng<qXcK-
   1.486 -r9+-ILAq7?g#rF]pZMiM4<kaj2d]8VkQ$tHrse\\qYKp6ahl$9ZaJ*Hr;Qp#!<<'!
   1.487 -!9sLa!!%WNK)bEA!130<!7(Q,!o,L+a8#i0mP+#*kQ$s(rrAD=kQ&p&kQaL<,8qje
   1.488 -?VLC]!13Za&,,DSi;3<Bbf6rp]X5#Sao)/D!!*'!!!*'!r;Zlus82lrs8;p$rr<'!
   1.489 -!!)orr;_HLK)bcK!130<!7(Q,!SfBLpB:3[l7hT&kQ$s(rrAD=kQ&p&kQaL<,8qje
   1.490 -?VLC]!13Za&)5LWeGB%3]t1>T]="uOYPeD9!!*'!!!*$!!<<'!!<3$!s8N'!rr<&t
   1.491 -rr`<%rr<&srriB&s8N'!K)^H&rVlkan)sbsrTF:;0[fUp!!)fe"SD0H0^S`$!1/H?
   1.492 -!12C&!7(?&#=L[!)C7=L9`4)SQi6pp^q7(lqYK]l[^3NS['R*Lr;ZZp!WW2s!!iN(
   1.493 -!<<'!!<;ut#64]'!<3$!r;Qp#!<<'!!.t6&s8DrtQga,<cMcr-gb@^[quHKa!<<,p
   1.494 -o`XpUkV2B$kQ$s(rrAD=kQ&p&kQaL<,8qje?VLC]!13Za&&Y]\]CYIX\$NQT\$NEG
   1.495 -bl%JA!!)rs!<<,trs&N(s8N'!s8W#t"oeQ&rr<&srriB&s8N'!K)^H&rVlkan)sbs
   1.496 -rTF=<0_P#/!<<,koE>3po^i+`q"+Re!;Q0hoBtcqm/6&IQ\PM?QeCR&cM-N-6p)Y3
   1.497 -,r]1)r9+-IrVmDTZa.!i_</54Yc=Y)Za/EbrrE*"r;Qct!;uj#!!*'!!!)ut#64c(
   1.498 -!!*$!!;uj#!!*'!!!%WNK)bfL!130<!7(Q,"5GU&o_%eV!!)Q\!<<-!o)esmoCMn\
   1.499 -"7u*a!;Q-go'PQnm/6&IQ\PM?QeCR&cM-N-6p)Y3,r]1)r9+-IrVmD`Yd1X?Lto_W
   1.500 -V1X/]Vn)!grrE*"qu?Qo!<;rs!WW2u!!WE&!!*'!qu?cts8;qLs+::KrrADSkQ&p,
   1.501 -kQBTooCM_I!<<,gnc8^jrpgEs!:g*io'ub\nc/[bnc\LLjY6'!kQ$s(rrAD=kQ&p&
   1.502 -kQaL<+rVad?VLC]!13Za&(I\m^nl51guG2R?YG(pl0eQP!!%WNK)aj1!130<!7(Q,
   1.503 -"5GU%oD%kV!;c9b!!)Tg!<)Hh!!*#h!WW5kqZ$]g!!)fb"S(j?0^S`$!1/H?!12C&
   1.504 -!7(?&#=LZu)C7=L9`4)SQi6ppSYt<&Z#nn"o8n)sBOl;3mf*:f!.t6&s5O%YQga,<
   1.505 -cMcr/gbA<ip[J7a!:TFY!!*#g"98Gl!!)re!<<,pnHA@Ij=orukQ$s(rrAD=kQ&p&
   1.506 -kQaL<+rVad?VLC]!13Za%t:M;m^%,eoA,I;:L.7+Y(H\*s3:QDQga,<cMcr/gbA9g
   1.507 -p$_t^!:fOb!!)NX!!)NX!!)rd!<<,pn-&4Fj"TitkQ$s(rrAD=kQ&p&kQaL<+rVad
   1.508 -?VLC]!13Za&"e2jPG2uuYC9bcI<(1(dt7UOs3:QDQga,<cMcr/gbA9goC)b\!;#^X
   1.509 -!<)Eb!!;Wi!;Q$dn*8pem/6&IQ\PM?QeCR&cM-N-6p)Y3,r]1)r9+-IK)^H&\c2Yr
   1.510 -n)sbsrTF@=0_"SRmf`(Ci\9`skQ$s(rrAD=kQ&p&kQaL<+rVad?VLC]!13!N"LV!#
   1.511 -9K.S'K)aC$!130<!7(Q,!SfBLmf`%@i@sZskQ$s(rrAD=kQ&p&kQaL<+rVad?VLC]
   1.512 -!13!N"=u>b.6)qZK)aC$!130<!7(Q,!SfBLl3-;/gbA-nkQ$s(rrAD=kQ&p&kQaL<
   1.513 -+rVad?VLC]!13!N#V@nk.Pcp>MMQlaK)aO(!130<!7(Q,"l2G^hVI#3h?D`if=F69
   1.514 -r9+-ILAq7?g#rF]pZMiM4<b[i2d]8VkQ$t7rsp\=2(;jcKl_#/s7iOiVPJhDK)ad/
   1.515 -!130<!7(Q,"5eQAX3&]kca@A;oDIePQ\PM?QeCR&cM-N-6p)\4,r]1)r9+-IlMhAH
   1.516 -2)Qb8P*0d"s8Ibg^pA]Gs+::/rrADSkQ&p,kQBo0O\<bL"$hP1o_dnQQ\PM?QeCR&
   1.517 -cM-N-6p)\4,r]1)r9+-IlMhAH2)Qb8P*0d"s7a@ij0=XBs8E#prr<&_rr<%Ns,6mW
   1.518 -Qga,<cMZl.m-sW=k4Rp4rq-Bep@[bLkQ$s(rrAD=kQ&p&kQaL<,8qje?VLC]!13!N
   1.519 -%kTXr-\[_HE,5LJ_;jR\Nr/hV!;ZWp!9jF_!.t6/rrADSkQ&o;kQ$s(rrAD=kQ&p&
   1.520 -kQaL<,8qje?VLC]!13!N%kTXr-\[_HE,5LJ_;jR\Nr/hX!<<)t!!3-"rW!-%!<3'!
   1.521 -s8E!!s8W#trr;rt!WW3!!.t61rrADSkQ&o;kQ$s(rrAD=kQ&p&kQaL<,8qje?VLC]
   1.522 -!13!N%kTXr-\[_HE++*;_;jR\Nr/hY!<<'!rr3$"rrE&u!<<,srrN3#!<3!"!<3&u
   1.523 -rrN3#!.t6/rrADSkQ&o;kQ$s(rrAD=kQ&p&kQaL<,8qje?VLC]!13!N%kTXr-\[_H
   1.524 -?=[\Z_rKd^Nr/hY!<<'!rr3$"rrE&u!!)utr;Zlu!<3!!!<;rs!WN.Os,6mWQga,<
   1.525 -cF<!;Q\PM?QeCR&cM-N-6p)\4,r]1)r9+-IlMhAH2)Qb8P*0QqCM1NEj0=XArrW9$
   1.526 -rrE&u!W`6#rr2rurr2rurr3$"rrE&u!W`6#r;Q`sK)^c/!130<!7&(;!1/H?!12C&
   1.527 -!7(?&#=L[!)C7=L9`4)SQg4S]/N#C5Kp%U6CMRS"j5[D)qu6`us8N)urrN3#!<2uu
   1.528 -!<2uu!<3!"!<3&urrN3#!<3!"!<3%Ns,6mWQga,<cF<!;Q\PM?QeCR&cM-N-6p)\4
   1.529 -,r]1)r9+-IlMhAH2)Qb8P*0QqCM1NEj0=XBs8E!!rrE&u"p"]'!!*$!rVufr!WN0!
   1.530 -rrN3#s8E#trrE*"K)^i1!130<!7&(;!1/H?!12C&!7(?&#=L[!)C7=L9`4)SQg4S]
   1.531 -/N#C5Kp%U6CMRS"j5[D)K)^H&i;WeDn)sbs\**gYLAq7?g#rF]pZMiM4<kaj2d]8V
   1.532 -kQ$t7rsp\=2(+*@P%ncJB>W]hZ&XG9K)ad/!130<!7&(;!1/H?!12C&!7(?&#=L[!
   1.533 -)C7:K9`4)SQg4S]/N#C5Kp%U6CMRS"j5[D%K)^H&i;WeDn)sbs\**gYLAq7?g#rF]
   1.534 -pZMiM4<kaj2IB/UkQ$t7rsqat:/H%XH"L]%AW`UWM<oioK)ad/!130<!7&(;!1/H?
   1.535 -!12C&!7(?&#=L[!)C7:K9`4)SQ\,6hs1/.0Qga,<cF<"jQeCR&cM-N-6p)\4,rT+(
   1.536 -r9+-IlMh!p:/=PBK)^H&ec,W9n)sbsK'8?\!7(?&#=L[!)C7:K9`4)SQg4SR/2K(2
   1.537 -3.h0^s4.,LQga,<c@Y8BkQ&s'kQaL<,8qjd?VLC]!13!N#V@nk.Pcp>MMQlaK)aO(
   1.538 -!130<!RK,Ek`b32dEhRN#=L[!)C7:K9`4)SQg4S]/N#C7?A4)SCB+>/W2?GfK)^H&
   1.539 -i;WeDmcX\sd":JHkQ0)Vp?2`L4<kaj2IB/UkQ$t7rsp\=2(+*@P&P4:reA5(Z\3r1
   1.540 -K)ad/!13*:K$KV+!71?%#=L[!)C7:K9`4)SQg4S]/N#C5Kp%U<C]F.Fj5[D)r;ZZp
   1.541 -qYpNqkl1V_K)^i1!1/<$K';dh#=L[!)C7:K9`4)SQg4S]/N#C5Kp%U<C]F.Fj5[D)
   1.542 -r;Q`spAY*mkl1V_K)^i1!1/<$K';dh#=L[!)C7:K9`4)SQg4S]/N#C5Kp%U<C]F.F
   1.543 -j5[D)r;Q`sr;Q`srr3!!s8E!%rrE'!s8W&u!WW2u!<3#t!!3-"rW%QMO8f3HK'7gM
   1.544 -o&p<H4<kaj2IB/UkQ$t7rsp\=2(+*@P&OiVGJW>"Z&\b^r;cis"T\Q&s8N)urrE*"
   1.545 -qu6]trrE&u!W`6#rr3$"rr@ZNNW0!FK'7gMo&p<H4<kaj2IB/UkQ$t7rsp\=2(+*@
   1.546 -P$V[3AAdHfZ&\b^!!)lq!!*#u!!*#u!!)utr;Zlu!<3!!!<;rs!WN.Os,I$YQ\+FQ
   1.547 -kjmpB6p)Y3,rT+(r9+-IlMhAH2)Qb8P*0QqCM1NEj0=XBrr<&qrr<&urr<&urr<&u
   1.548 -rr<&urrN3#!<3!"!<3&srr<%Ns,I$YQ\+FQkjmpB6p)Y3,rT+(r9+-IlMhAH2)Qb8
   1.549 -P*0QqCM1NEj0=XBrr<&rrriE&!<<'!rr2rurr2rurr3$"rrE&u!W`6#rr3$"rr@ZN
   1.550 -NW0!FK'7gMo&p<H4<b[i2IB/UkQ$t7rsp\=2(+*@P%ncJB>W]hZ&\b^qu?ct!<3!&
   1.551 -!<<'!!<3&ts8;ourrE&u!W`9#rW)rt!<<+Os,[0[Q\+FQkjmpB6p)Y3,rT+(r9+-I
   1.552 -lMhAH2)Qb8P*0QqCM1NEj0=Vrs+::/rrAC;k^r$hkQaL<+rVac?VLC]!13!N%kTXr
   1.553 --\[_HC27Tt_W0[]Ne7:_s5<nWQ\+FQkjmpB6p)Y3,rT+(r9+-IlMhAH2)Qb8P*0Qq
   1.554 -CM1NEj0=Jns+::/rrAC;k^r$hkQaL<+rVac?VLC]!13!N%nfYm:ipu.AnPafOe88&
   1.555 -m"57hs5<nWQ\+FQkjmpB6p)Y3,rT+(r9+-IK)^H&\c2YrK'7gMo&p<H4<b[i2IB/U
   1.556 -kQ$s$s+:9]rrAC;k^r$hkQaL<+rVac?VLC]!1/<;K)`C]!1/<$K';dh#=LZu)C7:K
   1.557 -9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)Y3,rT+(r9+-IK)^H&\c2YrK'7gMo&p<H4<kaj
   1.558 -2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]!1/<;K)`C]!1/<$K';dh#=L[!
   1.559 -)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(r9+-IK)^H&\c2YrK'7gMo&p<H
   1.560 -4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]!1/<;K)`C]!1/<$K';dh
   1.561 -#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(r9+-IK)^H&\c2YrK'7gM
   1.562 -o&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]!1/<;K)`C]!1/<$
   1.563 -K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(r9+-IK)^H&\c2Yr
   1.564 -K'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]!1/<;K)`C]
   1.565 -!1/<$K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(r9+-IK)^H&
   1.566 -\c2YrK'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]!1/<;
   1.567 -K)`C]!1/<$K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(r9+-I
   1.568 -K)^H&\c2YrK'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd?VLC]
   1.569 -!1/<;K)`C]!1/<$K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4,rT+(
   1.570 -r9+-IK)^H&\c2YrK'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<,8qjd
   1.571 -?VLC]!1/<;K)`C]!1/<$K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB6p)\4
   1.572 -,rT+(r9+-IK)^H&\c2YrK'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$hkQaL<
   1.573 -,8qjd?VLC]!1/<;K)`C]!1/<$K';dh#=L[!)C7:K9`4)SQ\,6hs1/.0Q\+FQkjmpB
   1.574 -6p)\4,rT+(r9+-IK)^H&\c2YrK'7gMo&p<H4<kaj2IB/UkQ$s$s+:9]rrAC;k^r$h
   1.575 -kQaL<,8qjd?VLC]!1/<;K)`C]!1/<$K';dh#=L[!)C7=L9`4)SQ\,6hs1/.0Q\+FQ
   1.576 -kjmpB6p)Y3,r]1)r9+-IK)^H&\c2YrK'7gMo&p<H4<b[i2d]8VkQ$s$s+:9]rrAC;
   1.577 -k^r$hkQaL<+rVad?VLC]!1/<;K)`C]!1/<$K';dh#=LZu)C7=L9`4)SQ\,6hs1/.0
   1.578 -Q\+FQkjmpB6p)Y3,r]1)r9+-IK)^H&\c2YrK'7gMo&p<H4<b[i2d]8VkQ$s$s+:9]
   1.579 -rrAC;k^r$hkQaL<+rVad?VLC]!1/<;K)`C]!1/<$K';dh#=LZu)C7=L9`4)SQ\,6h
   1.580 -s1/.0Q\+FQkjmpB6p)Y3,r]1)r9/a!JsXNElMlJ"K'<$o#=LZu)C7=L9S2J[kecQK
   1.581 -s+9HdkkXEI6p)Y3,r]1)K'7gM_W^:bK'7gMq</&O4<b[i2IB.0k^r$8kkb;\n"3GU
   1.582 -5QXKCkPG41k^r$okQaL<,8qjd?VH(8K':)8qu6bR(gsQH^BD#Z(jPfQs+9HdkkXEI
   1.583 -6p)\4,rT+(K'7gM_W^su"4oMWp\FgjLG6dIs+9HdkkXEI6p)\4,rT+(K'7gM_W_"!
   1.584 -#,a/qs-/5%qYpWK3/@M5K'7gMq</&O4<kaj2IB.0k^r$8kR%:hk:#g!s#^9Dq#:F]
   1.585 -^]4=ck^r$okQaL<,8qjd?VH(8K':)8"98Bl\,QC/49.M=rr_.,p]#j/K'<$o#=L[!
   1.586 -)C7:K9S2J[kecNbs.<]trrP:_4SSjWLNriNk^r$okQaL<,8qjd?VH(8K':)8!rj,#
   1.587 -rVls^!'Gu7,lj_;rrF8"K'7gMq</&O4<kaj2IB/UkQ9i%gOe/:g4IlAeH*EMr;QaZ
   1.588 -rW!'`,ldq?r;QeBLP"`AkkXEI6p)\4,rT+(r9+7>i/UH^0S2"%0EHZQr;R$b!!';(
   1.589 -o/m"!r;Qf,8:p&WkkXEI6p)\4,rT+(r9+7<NciQts+:9orrHN"r;Qg\!'L8\"/>hr
   1.590 -bl.PBa#J\7K'<$o#=L[!)C7:K9`4)Uge5hBrdt-lrW--!r;Qg\!'L8\"3^`Fbl.PB
   1.591 -h]RO7K'<$o#=L[!)C7=L9`4)TgG&X)K):/sbkhESQi-jb49.MCrr^IF!6kEA!P^mO
   1.592 -k^r$okQaL<,8qje?VLC]!o,L+K)(#ob4u'nGl7RC49-],rr[rT-0G1+!O#=Ok^r$o
   1.593 -kQaL<,8qje?VLC]!SfA\pO`.]pAr;or;R$b!!#m?UEon;r;Qe*T7Z9YkkXEI6p)\4
   1.594 -,r]1)r9+1:0S8ulo`5$me+E_A!;6$a!8@)H!!'b+!rj\#rVls^!+R>S!!+D!rVlrn
   1.595 -)"3(?K'<$o#=L[!)C7=L9`4)TgbA!cquH-W!<<,To`5$mrq-9l!8$lE!!)W`!<<,[
   1.596 -o`5$mp@SFd!8-rF!!)W`!<<-!o`5$me+EeB^Hhbt#F'qWk&`_-k5>5\BUAaNk^r$o
   1.597 -kQaL<,8qje?VLC]!o,L&lgt2X!9s+V!!(gH!<<,JoDnple+<Y@!;?$c!!([D!<<,k
   1.598 -oDnplht-pL!:oaas8Qc!o)Ag43<0#1k^r$okQaL<,8qje?VLC]"5GU&o^)/M!!)rg
   1.599 -"TSPo!;#g\!<2Tg!!2]_r;ZlioDJ[eo*YNuo)S@^!;#d^!;$*gqXaXc"7lKmoDARg
   1.600 -oDSahoDJ[doDJXqoCDq^oCDq^oCMn\$hF>uo)Jd^o)Jd^oDJXlo)Jd^oDJXioCMk[
   1.601 -r::F!!:p3^!!)W^!!)Tj!;#g\!;uHf!!`#p!:p3^oDJXioCMk[!;$0iqt'ad!V>p]
   1.602 -!!Vuc!!)W^r;cigr;Zihr;Zul!!)W^r;ZlioDAUWo)Sgko^`4cs7[r!o`#'_0\?@)
   1.603 -K'7gMq</&O4<kaj2d]8VkQBTooCM>>!<<,to)/Omnc/[\nc/[fncSpmnc/[hnc]!n
   1.604 -o'ub\rUTme%IsK!o'ub\nc/[\nc/[enc8^jrpg^&!:g*io'ub\o'ub\nc/[\nc/[g
   1.605 -ndb^#o'ub\nc/[\nc/[\!!)ug$NL1t!!)T\!!)Qi!<)I!!!)Qi!:o[\!:g*io'ub\
   1.606 -rUTme&Fof$o'ub\nc/[\!!)T\!!)ug!rr>lo)/P#nc/[\nc/[\!!)T\!!)T\!!)ug
   1.607 -!<<,une(p&o'ub\nc/[\!!)T\!!)Qi!<)Hh!!*#h%fcV#!!)T\!!)Qi!:o[\!:KCY
   1.608 -!!)``rr3&G.$sZ-!k0Serr7T6K'<$o#=L[!)C7=L9`4)VgbA?km.(/W!;uBg!!*#h
   1.609 -qZ$Zfo)&Ihnc/[ho(rFcnc8^jrpgKu!:o[\!:g*io'ub\o)/Oinc/[hndPR!nc/[\
   1.610 -nc/[\nc/[\qZ-TcqZ$Zfo)/Ojo'ub\rUL6p!:g*io'ub\o)/P#o'ub\nc/[\nc/[\
   1.611 -!!)T\!!)ug!<<-!nd,9ro'ub\nc/[\qZ-Tc"TSPnnc/[hndkd$o'ub\nc/[\nc/[\
   1.612 -nc/[go)/Oho()YX"7cElo(rCgnc/[gnc8^jrpgR"!:g*io'ub\nc/[\nc/[go)/Og
   1.613 -o)/Ranc/[ao)8Rjmq=]4qYpZ\?qBJZs+9HdkkXEI6p)\4,r]1)r9+7<0_4f$nGrUi
   1.614 -r:'df!<2Kh!!)re#QOkpnGiRZ!!*#g!<<,qnGrUirp^Bs!:fRZ!:^$hnaQSZqsa[e
   1.615 -!<2L!!!)Nh!:fRZ!:fRZ!:^$hq=+Ic!;l<b!!Dc]!!)uf$31(r!!)QZ!!)QZr;[E!
   1.616 -!!)Nh!:fRZ!:^$hnaQSZrUBmg!<2Kr!!)QZ!!)Nh!:^$hq=+Ug!:fRZ!<2L"!!)QZ
   1.617 -!!)Nh!:fRZ!:fRZ!;uBc!!;Zj!;u?i!!)Nh!;u?f!!)uf!<<-!nIGU"nGiRZnGiRZ
   1.618 -!!)QZ!!)HW!<<,nnb`=na!`WkLVJn"5T$-js+9HdkkXEI6p)\4,r]1)r9+7<0_+]"
   1.619 -n,WLhr9s^e!<2Hg!!)rd#QOkon,NIX!!*#f!<<,qn,WLhrpU<r!:]IX!:TsgnF-DX
   1.620 -qsXUd!<2Hu!!)Kg!:]IX!:]IX!:Tsgq="Cb!;u<l!!)NX!!)Kg!<)Bm!!)Kg!:]IX
   1.621 -!<)C"!!)Kg!:TsgnF-DXn,NIXn,NIen,WLhrpU9q!:]IX!:Tsgn,NIan-&dlnF-DX
   1.622 -rpUI!!:]IX!:TsgnF-DXnF-DXqX=Uf!:Tsgr9sgh!:Tsgr9s^e!<)Bf!!*#f%fcV!
   1.623 -!!)NX!!)Kg!:]IX!:]IY!!)Z\q>UZFIs=4tJ%tgZK'7gMq</&O4<kaj2d]8VkQBTo
   1.624 -naYr7qu?ff!!)uequ?cenGE7enF6DW!V#UV!<)Bf!!)uequ?rj!!)NX!!)lbrW!Ju
   1.625 -!!)Kg!:]IX!:]IX!:]LU!;u?a!!r&o!:]IX!:]LV!!Mck!:]LU!!)Ne!!Vl]!!)NX
   1.626 -r;[)ln,NIXn,NIen,WLhrUB^b"RlBknF6>UrU9sj!:]IX!<)Ec!"8;c!!)NX!!)NX
   1.627 -!!)uer;cidqu?lh!!)NXqu?cenGN=fnF6DW"RlBknF6AV#Oq3_!:]IX!:oU[!!)3O
   1.628 -"RkX90^ODTK';dh#=L[!)C7=L9`4)VgbA6eK("<[_!_Eol/FD`K'7gMo&p<H4<b[i
   1.629 -2d]8VkQ0HmK("<[^@)3lkM\,^K'7gMo&p<H4<b[i2d]8VkQ0HmK'IsQ^?PjaiS6-S
   1.630 -K'7gMo&p<H4<b[i2d]8VkQTd-`89>+K&2+9_qkRQgXj#%mt0bTkjmpB6p)Y3,r]1)
   1.631 -r9+7?IVGj7d"9W[cih\&AqT],k^r$hkQaL<+rVad?VLC]"6A[.97ejL0Y]:D5_S_#
   1.632 -K'7gMo&p<H4<b[i2d]8UkQC2@oCRY-iUqftj7rWH"8;H]l[n>PkjmpB6p)Y3,r]1)
   1.633 -K'7gMK'7gMUZ_qN4<b[i2d]71k^r#Mk^r#nkQaL<+rVad?VH(8K'7gMK'8un#=LZu
   1.634 -)C7=L9S2J[k^r#MkbI>H6p)Y3,r]1)K'7gMK'7gMUZ`"P4<kaj2d]7QRf8TQP_,'M
   1.635 -P(JjKP-:#KPl@!WS>&D6,8qje?VJtmrl,&X_SO(a_"kb=^APZr]RmeJ]RmfI]`#GB
   1.636 -^&GeT`QU_4,8qje?VKM:rn@G+rn-hopX];m!S,`re:Q/$dt6&#e)AaUdeqPreC)do
   1.637 -rm_D.gI+.K)C7=L9^D!CkQ'fFkk"!5k547ljFZHEjFZIGjS\'8iW.s9iX"R44<kaj
   1.638 -2d]8Vn+5uCm/cS?qs3k=K'@mOK'@mOjQQ^/kks]AkR$G86p)\4,r]1)rU'dTmI'E;
   1.639 -mJ6)Llg+H5q<@kA!U8j#k^r#Mk^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)L
   1.640 -lg+H5q<@kA!U8j#k^r#Mk^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)Llg+H5
   1.641 -q<@kA!U8j#k^r#Mk^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA
   1.642 -!U8j#k^r#Mk^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA!U8j#
   1.643 -k^r#Mk^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA!U8j#k^r#M
   1.644 -k^r$TkkXBLk2tji6p)\4,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA!U8j#k^r#Mk^r$T
   1.645 -kkXBLZa8iX6p)Y3,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA!U8j#k^r#Mk^r$TkkXBL
   1.646 -Za9\p6p)Y3,r]1)rU'dTmI'E;mJ6)Llg+H5q<@kA!U8j#k^r#Mk^r$TkkXBMk5YJE
   1.647 -6p)Y3,r]1)mJcDOm.9Q;lM]rLkih9qqrmn>K'%[IK'%[Ii8t%$qr[k=#=LZu)C7=L
   1.648 -9_@ZFl4*"Bkih9qkih9qkih9qqrmn>K'%[IK'%[IiT:.%roO`tZf^DVZfU::4<b[i
   1.649 -2d]8Ulh9W>kl^/5l08*/pZDS>k5OOqk(;`Ik(;aOjq"f)s5gSns5cX2+rVad?VL@]
   1.650 -rp'CFp#u57!TiGAk(;]HjauTGjj`B*jT#8AjT#8@6p)Y3,r]1)kND'mp?2A9nDs]3
   1.651 -jS.\die$0Aie$1MiWeH&j5T(Yj8%[>6p)Y3,r]1)o&BQ*p##l.hu2Jbhh'a;hh'b<
   1.652 -h\G#)Za8NFZa8NFZa8KD6p)Y3,r]1)o\B,okh:XAK%Yb/K%],9'=5%FfsA$bfsA$b
   1.653 -fL.hG)C7=L9^^O(f(%:Be:Q2%e:Q3-e.hr_eC=NueC4HtdmQ;B)C7=L9\eFsh;d;f
   1.654 -gOe.2g4J%1g=P$dg"=qF4<b[i2bm^Rnk+L%Jjb2YJjcq5#Wsaa)C7=2:.=_<JinWI
   1.655 -JinWIZTJ@L/gD8WYTr-Ong!]LnK[TKiZn"<dNdcrnK[TKJg8;\nfk=`![&C$Jf94Z
   1.656 -Jf94ZS/M
   1.657 -~>
   1.658 -grestore
   1.659 -currentdict /inputf undef
   1.660 -currentdict /pstr undef
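Review bot: the figure is renamed rather than updated in place, and the changeset description does not say so. This hunk deletes docs/figs/acm_ezpolicy.eps in full, while the next file in the diff adds docs/figs/acm_ezpolicy_gui.eps. Every reference to the old figure name in docs/src/user.tex therefore has to change in this same changeset, or the guide build will look for a file that no longer exists. Please confirm that in the user.tex hunk and add a line to the description noting the figure replacement.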
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/docs/figs/acm_ezpolicy_gui.eps	Wed Dec 05 10:00:42 2007 +0000
     2.3 @@ -0,0 +1,1756 @@
     2.4 +%!PS-Adobe-2.0 EPSF-2.0
     2.5 +%%BoundingBox: 0 0 635 339
     2.6 +%%Creator: bmeps
     2.7 +%%Title: acm1.jpg
     2.8 +%%Pages: 1
     2.9 +%%PageOrder: Ascend
    2.10 +%%DocumentData: Clean7Bit
    2.11 +%%EndComments
    2.12 +%%BeginProlog
    2.13 +%%EndProlog
    2.14 +%%BeginSetup
    2.15 +%%EndSetup
    2.16 +%%Page: 1 1
    2.17 +{
    2.18 +gsave
    2.19 +0 339 translate
    2.20 +635 339 scale
    2.21 +13 dict begin
    2.22 +/fa currentfile /ASCII85Decode filter def
    2.23 +/fb fa << >> /DCTDecode filter def
    2.24 +/DeviceGray setcolorspace
    2.25 +<<
    2.26 +/ImageType 1
    2.27 +/Width 635
    2.28 +/Height 339
    2.29 +/ImageMatrix [635 0 0 -339 0 0]
    2.30 +/MultipleDataSources false
    2.31 +/DataSource fb
    2.32 +/BitsPerComponent 8
    2.33 +/Decode [0 1]
    2.34 +>>
    2.35 +image
    2.36 +fb closefile
    2.37 +fa flushfile fa closefile
    2.38 +end
    2.39 +grestore
    2.40 +} exec
    2.41 +s4IA0!"_al8O`[\!<E@K"aC"Is4[N@!!**$!<E3%!<E3%!<E3%!<E3%!<E3%!<E3%
    2.42 +!<E3%!<E3%!<E3%!<E3%!<E3%!<E3%!<E3%!<E3%!<E3%!WTq8$O?c3!daqK&HMjL
    2.43 +!$;1@!<iK)!<E3%!!!!!!!!!!!<N?+"U52;#mq(?_uR1V!!30'!s/T-"U,#3!!!%J
    2.44 +!<N?'";(eM+Yc7e'2`0C,&n;PJWZW3,=8ZO'iNHK,VrnMJdDc"(Dn#.,pjuf.4R/3
    2.45 +2E*TU3^Z;(7Rp!@8lJ\h<``C+>%;)SAnPdkC3+K>G'A1VH@pm)L51SAMNX0fQ'Rc(
    2.46 +R@9kFUnsrdW2Zf&Za@-K\%&u[_Sa=2`lH0Bb0nbge^i@)g"PEEj5f=akNM0qnac;D
    2.47 +p%J.Tq>1-F!!iT+!!#4`q&B%@rr@Y4r'^Lp^+OZB`Oap6Xm-u1/c8sq0>XiE\uE3f
    2.48 +r#Oag#j??qep\%ZHqE7#?$foIcDC&Go>CF\r4XoUPNj([TQNtE>L7aXYM/aQ*tNUC
    2.49 +8b,R\`a0UiM-KroQc!M_*-mbC2bK>*Wl0WAX?LGS!L,%hN.M-'o))\\oI(Hg)LO(T
    2.50 +$atQD#gukbI)P)VJ4K,@R61n:o7oQMcOMH*h[=lL0uc$L!!l>]#9AO1B9H';JW`<t
    2.51 +J)PTrC]90'_XICH[#b25O8*#;)ZKf3=n'''!!o\Orr@nNrYKd5^Z^u20)kpg.nK[?
    2.52 +ib8>lL#(^kqB_aA^[R-/5PU[3iHKN^reY:)n,+B:O8^Jepg)_prrAcrn@S]##d#?O
    2.53 +!/[KM(O(VKka$TKrrBnd8H/\LB`A'dh;PR6-(bR[n;>XYpmOG+GBdp&M.a]or$&M/
    2.54 +r[*^$?/?M"!2<Wc]Dhj:XX!iGM51%dGD<lrQ@(=b!5^6WrrD%lrr@c/iNN)(T*rF'
    2.55 +MUF`aRQobTG\d;8B>X-8,.*F1-BIq-hAZCoU06utrr<>,,Q@b#U])'RL;2r<HnPF!
    2.56 +_CJ1W!9.\l!/97fYPKQ;$bu1gdQdMq5N-g2C]90'_XICH[#b25O8*#;)ZKf3=n'''
    2.57 +!!o\Orr@nNrYKd5^Z^u20)kpg.nK[?ib8>lL#(^kqB_aA^[R-/5PU[3iHKN^reY:)
    2.58 +n,+B:O8^Jepg)_prrAcrn@S]##d#?O!/[KM(O(VKka$TKrrBnd8H/\LBn,)dG\MF&
    2.59 +!/4SFZe(fPBZ0nK9crl;]J]]h7(;,^rXg&%rr="5rYLoU^Z_!]/,oUd,=VV4j)fdf
    2.60 +o'k90'&SCmpdAf1r,.Sj?="QM!2<]eYQ"S.N>MTpNR@b+$d6FpoLjWJrrD!iUAk5`
    2.61 +\j,/!G\d;8Do09e+uE[+2b3d!0+EEY/biEI!/*h"rrC(&rr@c7iNN)(^C'u@n;,JA
    2.62 +pt[%]]Y$-%!(=<T?iCWU0E2"kU])'rL;2r<r%%dI_BVML!980N_Xd3Jr=\"AJ+uEF
    2.63 +^\hu1pg.8FrrActn?;il#`TZ#!0,D+!"6uf?h@!?(&n9m&Yf:*n[^sDH$F-(M/U8G
    2.64 +r$!t)r\m@F0/!cad4P,prr@^AMuNdskl1X:jl*E>-,0fe!:YflJ,%hAn@ZCkrr>Hr
    2.65 +iEuQr)DD*j)l*BKQ\N9=QM`95!5]sLrrD)$J&:dGfDQ?>Kn&kcBYXI_O8*$f)ZKf3
    2.66 +>O\ir!!nQ#rrA&+rr<GM_dE%/IMMk_i=Vga!:dWbiH]Z`reYR1^\f94?iDuSr%B]4
    2.67 +J'fkC=8r8R7Z79H`p+f=^Ve!Q4rAYr!0`!6!!kKH_"?U$r.#i=FJSp:L#(_VqBd9k
    2.68 +J+/3@^\Hn4n@Q=rrr>I)iD9Fag/n:S*2EKLGDErsR!^@_!5][IrrD)DJ&:XCp\ba9
    2.69 +Kg5?"Bj^dYO8*#;*rc57@IU2p!!mElrrA'Vrr<G=_r()[4r""si=2W5n]F)TGBeK6
    2.70 +M2/s?r#rGNr]*LH0(0=#d4k>orr@^1Q2^j)./s:$h;Ri!-6ESEn:oB+puNUe]=^<,
    2.71 +!(=``:]:pZ=8r7?U])'RLVN&?Hn#'q_Ac,I!99;n_X?pfr=]]q5PRT[?i4r*pg)_t
    2.72 +rrAd%n>H9d#]2*l!00qV!"6EVht0T+'`S0l%AeREb!4j/G^KFHLVf\]+geHP3Cj!"
    2.73 +mgjoq0_eTH!/*7qrrC(frr@c/iU?Ui*t!MeL=3j3jWF!(]KQ8p7)RtZrXddbrr=%B
    2.74 +VS3[j/,6sN]>BbVlbIuNIKILHf_$bs+qG@b5hA1(r#X6CD,.niI7hi'g5j5A+*\^Y
    2.75 +`7&EelHj:`_pW:08pe0Pob20gbR5eJ-g]%Hc7Je+%0$<9kcb@WBC.q\$`3pL8_s81
    2.76 +$iu!Q9HQW,:Q>>dr)iG!L%X=?C7bb2!+jIfkaiTtMc0'pr%Ii3q_EP4f).\+bB",Z
    2.77 +r$33<Kt\+G<q4Ln1p7>(HZNh2HfAi.)@ZdE]Y;k^Dm^O2NC(cJo_\aZ-f_,CT*=H9
    2.78 +&@<O0T<kDSi@be\-/XK#08VkOrLEis>\j1X<tj8X@mn_Y/ppF`7_,R5;I/#4>2*iD
    2.79 +)K!KTGB7J@"g.FFgJ5$G;LZji!$#IoS+,&'*KM&`RJTg0_T@bs);Y0VNk$#"aRp;0
    2.80 +^D+<mnJC.#K]_fkMZ+*7cJ#a]D7*#B(KBo8_VZ40cMmk`/:9IWl;>kSO_<[qrX=&G
    2.81 +iWoB)dd'PAGVg:#<?@8D]fh+D%[-RLf\T%%B;GOL5IF:D4?9-\Y1rYirL:/742`%S
    2.82 +T!P<KHqO0rq^[%EnMJs+UBFZpAbGMEIO0AFn:uq/QuD=D/amfUeT<;p[H[9d?eV<a
    2.83 +Zb[oOYCC()g52R42o.`2Xs1FPO6nh%#Xu;.8IVnRcs(Hk(;\)q&f>2dni,qVi@g-s
    2.84 +Zd#\/p!8FY$N;,l7nrLgcDd`:?fDm<0->QrnXbpS[prs2C7ZN*i_R?#*;I!4d<n_"
    2.85 +T6h=7rr@cA2=3V83[UU*mDbUk5,'@7jSUV0!!Q-e*f&_Q1Iq4qUA1V_`]A2NCTLn<
    2.86 +B>a]]I3/=*1nqk`,Ce^t%V<;ddf.4.X$mef@:KeN/bE4W"&2EXDS,lS"oC-$?hUf(
    2.87 +W."r"ce^M0Ffu>NBAs)UNXhhdpj1[d\^de=_LDi=D<$U8gI&/Yg:!1(>u/@]G.2JH
    2.88 +fZ[[AH]K?.\S.mrqXXXdLiYdmKi3j!^Z-6q+c>L`!"8A?83:iS)tJQ1!(*F\JdtM(
    2.89 +62pr$@_^iiT*^!Trr<+J#M4DApm]3*rU7ZX)u/_geqUqX@hXb01Ieb&Ca4f(G+`,(
    2.90 +Y!0gA[OC:$ehqgOMu2\/mVgB($\$<,$)7BX+T8U[0mm7$Vr=`c;uNb75@k97iV122
    2.91 +JR/ZXYMrd4&]O6J^,8:;X6i^'hm@UC4VLW<gI0N`rA*Nd4.H-B0C8>OJT##J/d@NQ
    2.92 +n>#\LpaP`;p/V'c5A>fGdIEjE&:Vlr%D3X^Gc&C<+7/7]k=tF^N4q(Brn2D^$N(;,
    2.93 +Dt+@U^U8QK28+??eN@n)[tS>^#-ICD_oid[rgVmtN<U6m$V`B_2tgtaOQ-564q%AB
    2.94 +*u+*k+tnZChq:re?Bt%qhn["rM%+W(Ln5T%X_L'8\CWt(-IL_fZ$9$m9XDC#k\,Dk
    2.95 +9AukO0,C,>/@RiQr)E[rJjX:f#35Z\meh(p\6*I;ZUaAGnB^foQL0,<@Jjp#?]&iJ
    2.96 +P>C]2_L#C&4s=.NTtL@[n<U]F-p1oaeuJIG(<La6&rG[r(r%_O;=H7!=+U8]iK&i0
    2.97 +2>B9'8&?>Wr,;9Npd74fpnQgBM`a5^Nu*:\C"$hnBD`tq/Ch+c9a>&)dF)m72+o%X
    2.98 +X8BZ>l-N.ODrt7lnupQX%0$=cT)Sd/[EBZG2c9A+i?*rLZYU]`rr?Rog&q&PZ&dmW
    2.99 +_1*9bpKnN7^&V8[5>g#p$_Y>qRCj;Pm]U$gY)=Uo]klELnGHA!CtC]oip)hEfO"c2
   2.100 +@K-=`T+_&Tn^#4I&8_8_n6<d0!"&Z*@W.7@[_IIfY8$mdfABC!bMaOq<aH]YP=P+*
   2.101 +m]V&t>:\Mc`)6;ubf/UJ,3Qm*I[Yut#+;FgZ5"HCpnQbS`ifL>,JtT:Hu&4qifAaV
   2.102 +)u/=W5OaDT61II_mhU.t_&b6.eC1;Fo[!;%4B\_!(7G`JrM-1C>\]QhfiRotCX\rF
   2.103 +p>=*&M<.tA!#%S0Di`cZXRsb-iuc(ON'@WUrGHeddBENrHnt5iJF)rUP_l;bI5:--
   2.104 +3[U*qr948FbmgGk,/fHa:l7g?#NCg2.IfLXL[95XIam6loUd6'/FaO65AH++fsa9B
   2.105 +1%>e55D]4PY3Hp:cbWs"r*b6;S3"uQmkh)uF:4f$NF0Qr<`]24\?rlt/?\DNnHaJ5
   2.106 +[.3Sa!!e#3SR2_Q,'Y(#(Y&@uqbcXn%)*m6htJ36oUgd8*4Yb[BAu.2g*_`k#(07p
   2.107 +IM[LN2re8$bOM>qf;ro)+DW#Jn?VgY>pJ<_ZYjmnqqWVsHWRT'me*cAr'gK/rm=mY
   2.108 +pVnWJrXO<EnW/Gh"+3E0Q12iRLVushp_UpK/GNr<Nu!*fT(tKuBrLgi9@0K]X<R0$
   2.109 +Q%[lRV#$Y,K[q1dG]fQD$VMp:Q-\7bc(D@+QAb8,`0[(rr\Rf'GN.J]iV`l;:;:l>
   2.110 +Zc<Vj^CtbI(.ID2=%2n2Wlq(^O,Z#8'1;ZS&*^eIT2N>Q@f>G[%Ee9KfC?3H$1[mn
   2.111 +HkZIQ]LD]Mcg[:@586:2G^I<](QK9Wi6QuR+aE`VnJ?h#bpuB!D\dRhiUD#_X*BQ>
   2.112 +qBiDG9Alq%`4CDZq?EMNXV\ns(`JY5g/Rn;rr<6%c<mpp`-m!O^(pEgn0?s@O*jg_
   2.113 +$eNk?GN$:?r%ITLMKS@kC(Xb/fLoZ4h&f#2n$O5HhT(&@C6hY2XBX@QQ[3NI]1+-R
   2.114 +\4HS$e,B[Pqbpl$c1ZXom>o-!(>j?q;>Bm$q`ANK'=%%.`!bIZ(]H8(Q>IN\B%t4(
   2.115 +Se%:;]GTN;U6"6dCQ`Hfgg#5>]<q?GCSom3Sl96_r)*EM^+<sT*W@_i*;C!4oCdq;
   2.116 +TX=0?hscFdLce7Eq^d,-piGGQ.rQ2J01PJ:(]GoZ:Z=MIqo6>Oe(WgY<RWcth\8Ln
   2.117 +DrR6,&l0/(O$8JMBdrT`LHi+Hm1o/H6bDkQ_G>\H)La,[C;Wo_dI4_8nE8b;NdPc=
   2.118 +g$7:&QCFi<>$^!eiLL3PYd`,(rBFH4n*d?T\4`;a/QYZXSg`O2[?=ltrJEgMX7+d6
   2.119 +p9aU=q^Um&._GIGWHdFka7^F4M(ecK2i2Ic/UcP1!-lQ(f6160&\-G?,B5m%pDsp1
   2.120 +6FjOs>17*4B"NDh;KoH_)ih,]&+";pfmdTuJUb)2m+Lo9=nqOVe)Q5&BRU+fpd83Z
   2.121 +>!=!TC[f*Y4\N\5pqO`'!n=q*pi"3f(UVFs<nI70D(_SmSfI9\V_"lkUF!=]htFEQ
   2.122 +'Ygt%lj*&bj(Ib7n>GtDpp6fAoCc_bB>k<E`Ho`Eh\/0gG`pBYde$<Ep_1[(1kSkf
   2.123 +^tpBKn33\Kl2&W<#h1[m42fXMXTd+^R4^*1_J<6E9kX0&nY5q:rK99Ci6Mc.FRak!
   2.124 +Dq_\;hE17nNUX)Xfq79]L>(+ohB/(LeGL&[Hogf3USZ5.r-F.=ScS?jT9&CdpgXL*
   2.125 +*XgAkZqYjY>u+8.\DhZ2!83G,ORSt6ReWZOHhcFU[eOj:krpBfL:[Bb_LEV?kJ2Ne
   2.126 +fB9oWd'`<[NCQ7B4r;UhX.:b?\'fCnF6keGPko7p<ccM3S\iFmlX(#^;t/hd^(8T)
   2.127 +3d<mKB>Qef`4"MBnMJ\[?Oh2tIhp5sj':(Th"]dCrXeUSU#8Rn(gB^IBrXnd_#>Y,
   2.128 +1bTGU)LL_h`>VugC"+^uX8(ZN0n.Dt#JXlSfus)G[J8)F8U.C6g;h+GZqdUiDrLNj
   2.129 +QG*iB3kh5crm'@UdCp]<G$c"B`r3Di>oUXA7u7(Ci]RaXNF0LrnOHHcnEn3WX*rsV
   2.130 +eEiO>pHLN[a7aNOTY;H4*XhK3`".D@)12gqr(+Cl+,?:,N.)W=hnpAQO)JU@e#[#b
   2.131 +n6VNbka"0A.Ct]:=41p5ha<"l=1Zp=lZGQHmBTCWBC*b;!IRrCg&#4U.K,=A/EpJ(
   2.132 +rL#cNnO$+B?F'h0`6X-d-*u3F]bA;4"S&s\+P#K@2i2GM&#j<TI^:\Z2%:&@nMMgI
   2.133 +6$-uk98eP/RaqB<d][MqNAF>[XO^aaC6fW]NN\eI-2Tjm]QZ&TL`(e9j\!/71BhTF
   2.134 +`u1rW=T7R`B_'4<:[:N:5Iu>J4L+k6qU+Dcm[r'k/:Vd@[!?0YVtHh.+5K/`*a&F+
   2.135 +rFkcBpJ:*FQ9Vs1>!0(ge,%JRO7&XkO">d&rj6r\qks+^b9,P)XWCUDl2>;da7iBq
   2.136 +8!ZBNIp+t>rR:VlI(&DZrrBd&rr@m4CiB.35OYKL!9,EZht,'AhbF+N`)3eSkEu8L
   2.137 +^75-&LneI0cS>G"I5h0+&Ose?!1m^"qJZ?WNK*r<4NIEmhu#n^)ub,DqrtljMDdEk
   2.138 +o,m_UJ+44hDu&N[n#$*bi[EI:o?;^A:&b43;6dn!R/[0#S,WJEULSf"1&h6%2u`ji
   2.139 +7`PH.Sn%crDuLr?NW/u@a8PYfr'_PDrcsS%l+d"N2E1R*+8=66nJ#eXq;sp1VZ-YU
   2.140 +.+mGKb^\MErrBu=oKhssiWT5rrK.$ZAK;5-Q;($GGO^+(`@@sc*<+YV[KLV56&&4W
   2.141 +YXYeJ!JG,MD202kr'L1TX]nF_fq>b]QHj>E`X?G.(aH$+I.cadrr<=I\\(T*6XRL<
   2.142 +<:`oP_u"g+`eYj22L`KW[&q8^.KP;:gd;7`=UjK=$o9Nh,E.]:++RF!#4]0Y4pq3=
   2.143 +poCR_^)ZodDu1i0c(6QXL;0BO%,1E/iU6mK!5U\0(48K`]<Fj`57tQ-!RMm%m30jL
   2.144 +)p>:+\VA,RhG8%Tk^Fc'J)H7mA6i:1`VBCB#pImW_#>R@7KF>0Iq>[^A%!6F#@9^o
   2.145 +?hisFr@?jaMEg%!T+84iSOW?CphTAg`;Teb0"#CF-Im"@hZWrZ_+=S+A)@Z.3ej[]
   2.146 +KpJ9>2R=a"Cr5W.b>,:NBl<ACXf\Z<27e8.CO5He*ut:-rr<mb)uO"3c/6F@#4pjc
   2.147 +a.3`.n\)VjRsh/I4trJc5D^u)06-#1^R>1Ai:s2Z*ij?%p:a9R@_UC*2l&X6i_:B7
   2.148 +F[+Oq`.&..ipVoBCsN^&_@M7u!"7u(nCEf&GX`](>k*Ti%j(#)45]ft7JJTGW['96
   2.149 +3aL5K>3f@XX/juhbAV<;W;(^=:CYXDr'g,d_]S(1p:#$kq\+@%]-sj5rmcM'F/l8'
   2.150 +A))GLrr@Y&$%.EB.+\[[f?F\U.CQ_C\AKBFjm0o7;oG,fZBQKcAOmr&f\7H5!0$)#
   2.151 +`u3oprf05$OoGEg=+\1t5MB&oJ*e?J#=.gGMS(&#o$>>5g3OjYgFWY-nU@2p?gs]-
   2.152 +IKctTaKk>+M#8Qm8mp139kATsp>6JHq_ZBtA@FKVEEh)OIp3Nb!5Z^*Z36qCIa:6e
   2.153 +GmC8F;-s;a*e\2"PK=XajCDc6IR3u6_-?p>i2"*n^YkfW)>G$,DhPk5IQMcqItg-:
   2.154 +nY_4+6%/9A6hkMnC"IO>p49.+()Ha6p`ne%O705i<oVtKR4`<W@#c81QS/)o^1He`
   2.155 +`X`4*rrBkk/q7EdDq`N>rL(ADpp]tQnQ3[_L_b/;5OFFFLW!QQcW'k1Qf3+qi2q4A
   2.156 +^Tr@*YDQ4bkoM2Am\-=Z?halG''\+&]r(R*rqfQI@qDLjhq%SanItV1]`!J4Ama63
   2.157 +i8<o:iVa6N$eT]Vp6klT4;G$s%/mObrZM,7rM09\iEJj#*T13^<q(>"c`[1!]s@EW
   2.158 +iS31,_%pbEmi1Nf1u9Wf%Vj^PUS&ui,hAm=rr@XXr*oFqq`92T(\cgo(q,L`&&l;9
   2.159 +h\CSFHt\uC8_/8dC;'i@c\K6d27:JZ4?9,1LKO'M[]Q]G)CC5bVV5`CAZYPdMj\("
   2.160 +XdpR!^Y::<$7YK%p6PZ32=CNK:T=,Ap5&[?Iq_V`?\iR&GW3Rp(9=0YahJ9K5(%8H
   2.161 +V13-;4&bYWpd3HI:At@IINnPK^tp+$?E:3^po;Kn?P$t])K_<lAufoo[JP,rgYVup
   2.162 +.XWrK\*Z?sHsuf0nL)<U!4Q$crr?JU;nu`AF\da!&i;f^rl8=XrLEM0#>O_Tb>[rO
   2.163 +MM*&X/uJ00kCrh$V_4>*DcbM4$2d*Kq`F]"2c7tW[Gi\hK>\l$;D3Qd?gpmQpaULT
   2.164 +2lg`*VoMS`r[e#0]R0.3p1a;;nJC0A`bfe458LnIWr*P/PI/#)i8plS4_MS)>.9:"
   2.165 +"n>gV8&KfnG^IGVp&>#FoR?o-2V,I#Lc'Tij%$VeeS]EA."9\gZ>[ZgMuNdc0?4H=
   2.166 +N*[aU]OC\WrrBk]r\XW"rZgo.MnC/%Zc0WrrLH,4poD71%e.eu^)#or-dfXGl7qR2
   2.167 +$#VU@(L5NJbC>9#=,;lrX'YR^`#>e0Ud'cRXek?uBqO.tp-S<I?aRf=rr<W0/c9YY
   2.168 +kO#VGF8cKnibPaNMD'`l'Ds4rq_!71rL,,/H`2D?*YV>*?73MWrrBpWotQ?0=+pK_
   2.169 +iU&hTi6R<'<_jJ*j%e+lQ1UI:T,$UVIPcN,^TkJ-JA)ZkGN%Gtrr<;iRW$"apa\"J
   2.170 +rr?i,#(.$X*W$iOfAMF<mJd/urr<ORCKf2[pfAN;Wd#K!rXnZJNpQ-dU%,&!%uMD`
   2.171 +nKa3@gYt*9UZ%1K;E>4M*jj;n:&VeT4+>M)555NU(ZA`=+5-s"q#0^nin+)D(ZL5;
   2.172 +[Vd&C0C9))7e!n'Ii<d[h[t5LiU7<PO2\jJ^)^ln&:9Im(KulP^(TWf4s'6K\RBjD
   2.173 +SL_TriM\="q`R;3n@^dZ]C__I^U)hq'0j?@!W4&/HcMbcL[=!YJ(m`m`L\gZ^[T"u
   2.174 +7uASjT4[l#n_:m/,4Itt35;ijVo-9$Rb*M2GG/2GCZeOElom#d^'t#AKKDdaqKIVI
   2.175 +<7R]4(Q3Nnp4p"^pa4OXm-,&!rr='8naGIer"Oe(IiWthBmP32Nie(rrXF+Up/CK_
   2.176 +KtM-Z%u=OKd<'/2!++p(0DM`Ll&b1Z$J+n2^Xr-]'2aP&2`c)Fh:hhNqf[GChZ,hi
   2.177 +HnbN.m62D8@JGiP-cQ)c[o\Cc!+C:S^g@.c:PN3h1d;HKa'KDWSFh:9:%:Qn;t7nc
   2.178 +KHCLQVX^5?L&=<9/sl'G=4VL#r'B?>48[8];:1-+i[ZZZnJCSpq]^9?p8.chJu`\\
   2.179 +58^bu(W2lRp4`AVpohKJ(:Bcf?aa+ar"CIEp#*"XpfGGL$N;5OHk4!jT"[;P]&p,9
   2.180 +iQZjPdpr.nnL%W;Gs7^IV-/&p`;5J-Xl>Cs=.VqPDt^s@=o2!B5PXd-:DnW7P'dr5
   2.181 +::L6'"U"N]qc2<sFnfhN/cO56%(mbRBAnohhq?o'T*F[>%0PP/KtLd_Zf?gp4A4UN
   2.182 +*V_D1j/7[>hh\kYfer5S\dsO<$X8Yp?=-4'p`ne%M#RGeILc.FrX$]Grm105<n4i[
   2.183 +nN0/=!.pm#IahONq"MR2(,*=#nW2Z.Z1'9^*s_-pB\JK;iI;s5^(g+=hCI4ErZLun
   2.184 +fAbDA]IoXBQ"-mhHrI"hXt;"kepgm$C&\/:%K2@%+F_[%*'@G<qb)<*pc%,,#lan@
   2.185 +;SQfcgG6gh=td\Kg)F"Pp6tbTn=TCrpa>Pm`P2QBr%m:B$/51B4!aU%i-e)SC]=AT
   2.186 +GZm=e\q4YI3nBQS]4aq3T?0;-rr?t5L,OK$pe,ZUN')1NX'5&.r"ns,rOKR\i*/te
   2.187 +Gj%l\0A,#]n:-9J,`gphZgdtp:"R#cGohZ^Hf:"pl@0<24AW(oqY%Coq>MJ_26.Ze
   2.188 +De&>;!8-3&RJ8<%p\kNUikO4ua5/AtZlafW?aR$(bOGg1nV$lApkL2rh[[@E>lN)N
   2.665 +ipYPj<W/2Xrr@Z7J&*?/!4+jFHnkD?TP,G:8%[+7?eEQ]\pRrd!/+/AB<h6,i_P=j
   2.666 +GPiSlEG6*cg]%7drN.qapfdM7pO_cp;?$V'@P'(`pK7B>p]L&ap-JYF5N&ji#lIE#
   2.667 +IaXkX:Tjlu#JC':JgP`G_Yso;YODer'o2.bq]'jI`7gRU'YE?/\Td#iKROuTps\ah
   2.668 +_7EsaQT@Wp:Q"e(-fV=e2%=WHINA37id!-JR2])P1gbt9+)(ZS"(oopi8LeN?MKBW
   2.669 +!!N/IIQUe_dQd5,$\&>-2u&7!B>PSEr"MfB*Z8nL]Ad;UlMghb^,B;FH1:h6N4^>'
   2.670 +U)Rm?(<`e(G=hQ1j,H7c9@5pZ>KPl_8Gl>ah"X8'^\B+ir$t#,BYX<f#Q-ZIrX`H'
   2.671 +n+_(oS,WI!UAk4JIK%%^!/5(ZhtU%E#Q-@Or%rWk8,QRephK9mC#A\j?=3D5r+3Y:
   2.672 +#Q,rVn=P3LSGq*ClcP+]/&7eJ.VW8`rVlkq/'@1VU5C@nMC>3V.&)SIU5CJ:5A@=s
   2.673 +,qJuqAOkYhriaY&Q,?I(p\)<!bh&Uae#fFOZ'jui^XVo_[)f/WJ`Mj]/L*tFrT/XV
   2.674 +<:V?HQcP$O"OY"2=B\W6p<KH5!'InKrr@aHrrDuC;>mi"rrC@u%"I575Q:^>e:2<"
   2.675 +5P*(9+8Ag]rrC:9,AVMe$T`N8<-;gC<6>D?#"e=Z"!iHj32jUN,.[^IKYR#ZPQ(WI
   2.676 +'S!tgF8bP6J)OZ\rr=Gqrr@_0kPO*KrrBpI:]=0jW:`kgAdK3]L?3L(,OmY7Z0HR6
   2.677 +nED<N:BRl'%he[;!)2lpfY?B!f)?_8;u95T5M=r`P5+n26Ml8br/\8aMu-FB[JO%Y
   2.678 +Iar6-T-MSN519b+\'C%Y/cPeYj5IcO'Yf6lpij(er^!=Y(WXFCqC-mt5Oe,T5Q$.(
   2.679 +r%F+crrD[hrX+/6hU$cJ#*8Od*tA5Mkb\1krrBsMT`5#_%3P)R4raM%d7a6`rr@h$
   2.680 +62prG)F*2.HoM'*U6k@Jrr<Q&KDtqm1k3C;pi$0475*SsrZ1A2rrA-orr@cCnDF5&
   2.681 +?boP945(5F!$K\h!"7iG^\nk]JtMg^Zlf95U])(M_ghM3Ig&(+mq=r`K1GhmO,!Z7
   2.682 +oMYYqJ)T82J,';0pg5*PrrD8Zr"T/2_nD`C!:gR@n@h(*rrCG>paQ4CLO2>e!9>%_
   2.683 +iI$#3rrAd[n5K>e%ebPT!6@!H_YEnErr>J@i2?Ppm0EXkOD+XoL%4Zireb(!:]*<.
   2.684 +&,uVPdJj1Sj5IcO'Yf6lpij(er^!=Y(WXFCqC-mt5Oe,T5Q$.(r%F+crrD[hrX+/6
   2.685 +hU$cJ#*8Od*tA5Mkb\1krrBsMT`5#_%3P)R4raM%d7a6`rr@h$62prG)X;]-j8CdR
   2.686 +Ir52cKKi]9H/cU*hm7fGrrBnnj6M,;llU'8rlOlkm(F>'m([<4/_A[grr=^uq_\:Q
   2.687 +mj:c>pO<p*0k#9I@=R:oKsk(6<tebD=l'!Ke*X=*0(#HJDCr#.k0fE+/g-Q'.A<">
   2.688 +8>J^F<Fm:Srr@bhi8=AOrY#52iR-)gq--Ae/e80d!7:3(Qi@$qNg9VEb1a=5nOLKC
   2.689 +XnA!HV>.+ML8Cm7=*E.5G+E(3,/WpIrqc1r\$WHH[("JZ\@T;`\<8g'Xe:\GVj^#2
   2.690 +,\L[egKA9811*\Ol8Bj+nR4A"blmK^@s_md)!6th[^EJRRaubZMWWW>GbdVV'1?Gi
   2.691 +;T\O6mD])*-<9qNJ(^uRcl`+`r**Oha5_[F*'?mo!+DAs!<"<lrosF_i7P7/-GQo0
   2.692 +rJQ03rrE%jrr?`Drg`mJnB4c*a87:[]A^2Ziq^4lW-FZgGK*U7`=V9.XpYrl^M2RD
   2.693 +lZY7r3^e;&KdNLklSc=jg)d/-(9sc1-Cq,A#d0ncBs3^_EUZ-**8GpR^6dl@Ji):V
   2.694 +is13a&+Fe^3i7Q,3GK4P?bdI9Oa,&EK>c>E4l>W1D6(W6V/*8LE'1^\WMr(NGASYJ
   2.695 +P$"M^/`lq^5N%iWnAcUa+6*9^qbhZsii\L)%h@n`=.U1[^q+044>3h[YJ%@!3m<ak
   2.696 +pp7oAn#'EdnnH8Wa&j[Cg2!*FZTS6f9)Ni1KR=U55^;DgF5m3")16kZ[0WiQ7^KGr
   2.697 +7JgbIfcRQ8LKdE4=Om)&H1`fnrm0I>IN%u7;t0rcXPH<jidF<b^%!E1N&kR7GHBTa
   2.698 +=sf/A@H1_al5tZY!;'1h!,WhU>#5&1oD\fbT"`D;^VL<H#^C""^(Sk:3Ni"X$g:ba
   2.699 +LNL_S'R7O8?9%I4cC^hFpA/?ka,%BDj'.QUGg")&m+0b8afG33`ObcPiboBC%<8Fa
   2.700 +g:jD`h;-p^]Dhj<b?k2KT=lKL!!4g'q#ZWP<a,7qrTPF!&UXNXa:s-@ZIckSmn!HY
   2.701 +^l.+L5bn;nQG*:u5C,j!"CD*.nc^-)XL7NmqpI^u,5;*;O=:,/Kk7H;ceafa!.bs$
   2.702 +r..sV./4s6ir8uepl!!m[\l![Q/[c2=7GXUGN"#gGg!o%-FVCr]ftIM]X[J"NI2I\
   2.703 +iVrlqGXGbkg?(s`Ntch3?I:l0iVc&Zokaq8drekf9?;Q=rr@gNr#bq=U6kajrrD',
   2.704 +J)I5sr=nqirr<;=@"/FZ%Il=MMgQ9"5EB")X/P5`?6-P_pquuBrn1Yc5DE[sme%#F
   2.705 +;jQF`_-\;`1&O`7DO7N&cB2f][u*#e#1LNA>(!oQP@pr4V/(D%Sc8]FrYj6<1i3lK
   2.706 +9tGR[T%iWoh?J.Zq:B]5],F6"F+ffGAi7I1"!@e0Zr'7+;+20r72/Tf'N%:6i#f>X
   2.707 +r0!?F!4&Bh#QFd*kJKpNW3;?`!,JbTG`1PLlrX'dGl,>rPkm=s4:gpSp5&6gL,Fm$
   2.708 +.s%P3LVm:#NA[gS;R^3eb<:l\ASlJr!Xd$^OEdsKdm)c^5O_I<%6DYSqt;Q=Qb6OL
   2.709 +CMabEIOF[S^i+q`3q9)^EejkP[u(#kih$QmSfmP=[='Cdn$PkjroWM.B4bc`'c-QA
   2.710 +47iFXhu<[G(&Jhti[t'>rrD1"O8*q^r"HjEN%=TUrrBuAp`]Y;bV^L3n'CbVJ,L3c
   2.711 +ls]noLpuk@rrAF$niqaKZfh5ug\-]t^&J(m5A-&1g\qMYn`R_l<kie99iK%2!!YV!
   2.712 +rla15HnVAlU;p$W[<pd?htVi>rZB`KRlu5H8_5dn;X6i_]8ogue$Y/bp02(9e1Du9
   2.713 +"6'!jYP9@2`D;M$Zo@@+i'5m"p+Y*I2#bXin>X1]IX![J(u+$KQi@$k+8dcV#[[;t
   2.714 +iFi'f>0k'&42QFprr@_I_Kp@eX8`/6B"R%Ulq]"q4sL!Ie>.uHc[amW^Yk0f[,:d6
   2.715 +Dtm3PZ4H;1j)=^*c]<Pf5@u!qrrDSDh[fWDrr<=ca"N,G!8.;On=TJ#r[RAig'@?O
   2.716 +!;6Zkrfd?^'eb;+[_*c`rNH2G])JJc>kp@O(VU!#cel($a3WDE<W/H%$%+<!$[qP$
   2.717 +j+"uXKte4/pc77S$N)[-]Q<"@q^?pA?PVt8T,$Sh%+96'4'nCKn`Rc="RB5LTrHf%
   2.718 +hJ$h<Gm0_C_gQL+p)elNjPi9:rr?S:j$3O@+1(ooM-^5B5E;B*O8dZ/!!`H'Arl^U
   2.719 +^=WAb$ZG`grM@4hJ&6""\+Y=H8,iSJSc0i4akd$t!/+SU&^Tg#^U8RM0`M--T`3OA
   2.720 +g]$'YJ)MLL!/)H\+5%Rir$:09nG`L(*s048X+0WJ^MS)kPI9k0^[QdK92Y]hL%4+$
   2.721 +!"OBkrr@bJrr<@,p?0J7Kcd_[r"LC6(P9@2rrBpGZM8R>C3jOj/MD]_n4c.$?hTfc
   2.722 +!/6,Vi\^.KJj83/rr@a3X'KI(/_<)cXSDDErrCuJ?ai8t2rDI-DrT+@.e!.3rrC^O
   2.723 +!:\;VnK@i3K\QJ>^U4"@_Ya:brr?SJgKXYD^[R'S2p)("KN%jgU])"+r.AS[h>[J.
   2.724 +'E/Xuplk^X_GC13#cEHl5bJ#`+ln*rrr=*iBMD.XQc&h'!ri8;&b,ts9(<G-BRVL]
   2.725 +dN@t0r%.Wdq[*8Y5I;em^&n;U?anA"^Pi_O(\&mN1Io@_!/PmpZ/a.JHlqmFJNQg"
   2.726 +Mr<3B4qR!PnLqfV+8dF6)S;Wfr($be"hXcSrr@a3VZ-X(I_[!@rr@bDrr<K[rr<ku
   2.727 +j!Xa=_u:BPlmLi.ph-f*AEj*oitK1C?he.r(4X4srr?te_c?^:_AhK!ppAocrrD!\
   2.728 +pr3+nIa[*_5N8XA!/4q_!!t9_pAY,KIr>i4GT6?urr@Y4r+,?L_-[`,ptPcS_r:Uq
   2.729 +'O:FRiVrn2r[qqL,k/"U^D1uHp&b!oqe^S57e"aBD.DNXKCsX3_rk+reTpYR7e&C9
   2.730 +nBu_T:t*'+D=JPA_KnYsLunDYiU6d9^\eeTj6soN&,[Zbpd+DirX$F<60eIM*^=B/
   2.731 +q_.k-eph<cpaSLf4u7R)dem,(hq<MQL]+5:,sT@UMZ+Fl!.oTfT*+k@_d3ZE-fM*J
   2.732 +%JVSCn1Th[*tuuj3l=qKn%8h"BbhLK.fCIfT)Ld#_WoPHH)>h=_Vajdr\/^3pjh6,
   2.733 +IQr3=K3S?UKYL%H2oRbh$/eU9p@c34pjip;T\4]\pj_<WL0kVn*.1ZZFlNYP]J&8+
   2.734 +cN8@g_n(?9mt\Xa4tp]C&AA_N$fC0BMC>3V.&)Uon&GA-no5^.rrB>Xn72Iu;ifW6
   2.735 +^-;Ld4qE#TnYG'M[u5\Yr"/W`nMA+LrrBKGNBB4:XaEV5CZ.JqlB[ka?OD5rC2dm1
   2.736 +\rO=u?!kEV"o[!=g_NcBXe]#7pX>o>CT4+FT<qA*rr<2crKLm?/3Z4E'`F%S(#g;N
   2.737 +/<Y6V_"N6Y4<*=!M-_X?M<'\Dh[TK;pj_7p'`:;L[/5,XOt3(n8at!\NO6i;T&Ma9
   2.738 +;LZqQp\Y\sp8Y^UoY5r!"b1$C)0hXfOMc5#T)rAI"Rp>\r[%>Sb2K*gD+DMd%"9=D
   2.739 +B>VCpFBpNa8Y_0p<7JQ<D5UX_iYX:YQRQ7gTmS?b/`C&r*sQj@!rN?!*UrMu\(3Z7
   2.740 +E?;UI+,'V"n><iDrr@_$D*McN\lOk%Y65;GWTk8Jg=kE"D0H`LXlNP)?+Ga*TDh;3
   2.741 +/,m>qrrE%bG](6=rOBW'b.ha'q_c^R"9/@$5Ds=TR/Cn&!$d8UJ*\t@rrAl+?emsE
   2.742 +)\rAQ,hMaBrrB<Bp4*)Be,KF8(LP]/_B0\1?OoA6c"k=&fU9+['B3ZFBl8X9(R0i]
   2.743 +g*bkpKKE-8J`kk.]s'gn\]DXVq;:n!f6eIqT7NG<NborN\/mNtUmHuB2[8,A,h)40
   2.744 +@m,OAkf8+a?@6h2=TYqiHBX5]q]PfRnM0S,O2>ViReO\Q]tNgQQOL>Z?,)'I9$ep!
   2.745 +ROE&k=f6[+k%b-N6H9\p?EC._/=HFUrr@\/rrCuVh\UcOl`]!^p2^+urr?dUL]7@[
   2.746 +cc4k!T+Cr%COb&>`a9H<fKKW>6Imu#!e/@CZ]E%C)>klW,H,u5pqrb?>%PJH2NPl4
   2.747 +4!0/`$[s@trf=-`q![20Vr>AokW]_<47-t'QN$rchm5QF'\hQ$m2,8-p-&2?@H!i;
   2.748 +''fJs[F`7p!/-sVo]ok:IfR5t?eT;Rf>DMAHq0a?2r]=A5!JqEILQ,`f00?442`3H
   2.749 +IO+0l-h%qk#5FJCO,"X7J1'j:m_/-0_u9hf,tF$l_>aLe97Oc_rr?q4*r)f8$$kR7
   2.750 +gIq7-nHHD<^Y9jgrrDs2e&@ptr+#V$GVAbNpj_c@`K5PgRZ+htL#R%(#K/j4a+=.G
   2.751 +nQXs:LcuLI>JjY$WV]'K5IZp@JGp!mSdX"2,@>gO\^p[L4rqf':jDU2%Xb\ZAao$Z
   2.752 +L%.rprr?PIpdmS6n@/*Vp_!C@Hm*tCHqaL6]HQdNj0-9`N1[LB_gg?gir79DT=($P
   2.753 +&c4#):"$bpHgtmf?9doaN-kZq,NC/g08a'UD\;5WIhOq'iXZLSfZiIV!:WqUpak%8
   2.754 +0*?IJiO?]8Ms943fVcaHn5%C*/GK&Tk>2&`Hq!opI!bXVnT3X?`4stIp5/PJnY>f1
   2.755 +eF]Ho]as'\^jh7!&UZerKtIlS>@3;\"Z>1g2``:Z5DK(gg'-*H9:]@qmgjn@hlsTW
   2.756 +/*"D!&,(#4BC.M7c[nCNTfaXkUWrRbn.WZbT>[9Bi\unq8c(LBT%:qbpbD;'ig%!-
   2.757 +1`J(SHntJJnMe<d[b`ag4qRL%`ZGsJHip//\e^j<r(+QlCq_.`c\9*JU5C@nMC>3V
   2.758 +.&)SIU5C@nMC>3V/&4A`YPBIprr?V#i",gjc\@_&;-soah;@daYM4:#c*R,@rrCP)
   2.759 +a7]:6fB7/LLZX"KQ17S`K`;&1U<DMD@aa`=WVq^PnYH$UL@-l-Ic'i(pucGOI5Ab6
   2.760 +\poU3nU?P#GX>d4.4s\_Y%ubRX*NW]h[T@DbJsN&e,1_opj9t`AuFTp(u4o,8CdVG
   2.761 +i8:pQKCo0D&U:)0oq%B:6fQG1TD0ggT>FA1f]dmn?gPJbT+laq^)?E`SStJ%Jh&EO
   2.762 +iXbEDj)%T357[,]!+p-[HuY`BM#Jq'K=kXP?e`?6Zg%5`+8CWN&(m6BT[<ToGCOah
   2.763 +qfd;Jp=K'crr<1Rq#,Eqr<pZ<ZtJd8-bsNDL70=cb`R.Mhr9#I3;C+ff_d2IINnP7
   2.764 +;YXbkpINoK<TDteg(02$pmL,;*rJ1r6h!H6plj\ZLALoMNr19oS+^1Xc\ZcD!!<'Q
   2.765 +rbq]tq_8$M_-m9Ci10fI#J]2nT<^EBg[K,edl^@p=8iNbq\OWjpbhRtp+#SS`(ptm
   2.766 ++RkH2DqW9OKV,PWm;$;&hXAHK!WEXTFt_TKp:C#bU3oB-Uc_RonEr8cBFB+`3T,Y]
   2.767 +<ibahifsETnSa3WY<EkReUA,/W^#F7T+etMhhRin;Vqn3a57]JD_Ll0.JV*V$cF)"
   2.768 +rr@Y$B]$3f`:)?2^`O&8/pMm>[3#pl?1G6s\,QG[K6Y`A&C64M4q#b#=oSI/5>fqE
   2.769 +0)0MHbjakc+5$Q!97I%me:5:9rYtXEiD7?%paF58rZ1o]piYOkM#RJE<mTLkijZab
   2.770 +ph9[-#lJZ2Qc/n(*W-K=LPNSRJ&8elO/ei+2bqj$1\dX<UJ947qfdu_+WKkdl[C"^
   2.771 +f0A4Fe8BY8D6@^Pqt@2'1OO6C!.oQs3QLMij5\aO5@EC'=FGPJd=)B$!0`6.=8e82
   2.772 +N;inSS:8fW_LKI6IaMNpM;R(f!<3$/2uF<3rrAp!?@Sr!HhNj*V7nDR2thdsHgmrm
   2.773 +#ODuk\)9Kgrr@n*#CJU[qeLRArLX#hBto@o'RggHdN0Y.:#fT;[^l]o5@ZqQ-nIP6
   2.774 +d_6iK5K1CCrrBmgFKZO+_rA.Z4?9<aF2YdCd;==Rr(#976PkRX'_!"_r">4j'>e+`
   2.775 +PS*h>h=3GarrBt:!/9/#NT9dt(O8&+_>aMi-fK::`VXBL!5V1<1]'dh8&2Su&T=B5
   2.776 +(W67Q#QE=^[GID4mtY8VT9"@gi_(4D!dkjSn&)>eIhVf>fm(9NR^L2.r!<<&Jm3]R
   2.777 +rrBBL^gE$"!4+>q:YVr/rr@cP)15ijTDTMp^?<MiBC)bj(I\4s^)m2Npj`;D"PEJY
   2.778 +qZ-Cej$1E<MuFUm['VIspeUc+`#l=hJA+22rYLdWI])0g3pPa2n/e(h1<T;r)r`c3
   2.779 +GglWtS+,a\\)%bIrr?PIN?8]rB92gU4s0dMh?pXZLW1tgIanAt[U6nr8,aA:p<!9!
   2.780 +Iqt\02Tk@$?PgImD(GJciVrnnDtm3P)L`Is5JS?O2;\N9!,$Otp8Rh@W-Eg1IN/:2
   2.781 +\C*K>kS>90:LDhJ_I"=brr?hALVL7#m/I'_Ia_UTrr@e,rr@c;WHcV[1\cmfhgmsC
   2.782 +rr@c-i:#;/iMMb;!",@W5)K/Tp_Vop_LM>JINSRi_)jgj_5Vq$@I`O@Du:oq1%B2#
   2.783 +^Co9#!5^%Vl@'N<DhO/lJ&+9tC4D$\)#_-s)s]_rYO)8hD=GaJ$753A!6.'<`k)[9
   2.784 +p+uK%&!$Q@nP@0^n5$fQ5Hu91j"H,#0tR=mmsI?oHp>+1#JpE?%/aG\rYg$fiVrn;
   2.785 +]LN`uIBNK%\bNFRHZQ+_9[c*'!/P!f^[:^a7dK!)MnE3i?iJ+YHqjR0^M"!NNh6V8
   2.786 +Nt20)Ii:/i!]ThFm,Rt<rltF*n@->C"DV<5;@Rig*\@<DnG`LU'lDq`#jZpWpl"YA
   2.787 +!<*Q>A&2*[XQ^ceZLL>&pi"M9q[\LtZ.=u8l?W^%n,#A!g`I@tB^^`qn&@$7;rU<_
   2.788 +>E@HIiJ*AA.I$g7pfm7*8\0]9rrDF2qc<V0ZLBfjq`fgA!q7SShh1n=n4(%[A&N\+
   2.789 +JNaZLC*+G0+aEJ9#.<GdMr,9\phZ#F/,kYmqg\VGiPtltJm!Tqb:E&X.&)SIU5CA&
   2.790 +Nr3hq!%/B=?i)&I!!Y[\3;oL#kPkP8;uT$h[GUqT7udNKohBfXYKS*AB>M?icBIbp
   2.791 +_]SAOYCcp^rLs3BrmB<r44\msce4XdO&*I@]Mn;M:&(REpcJf?T@o-&]XBl)K"`IY
   2.792 +ce])Z1sH*BiOkVT^)d!N%Zbt6gdc5@q"/hbrk\QDIOfdOpso6PkeHUdn(F1;dWI4"
   2.793 +^U!-<^DHk\Hr&063_,+Z_aa/sQ)=I]rLLYFg\F]^O_I!?nE'D$4s'LViLbo-*BV3+
   2.794 +elmj]U=FA?4,3X$0DR-5#X@Z#ia;XAgJs[A!9@V;^[)?3rrD;-L?n#@gPc&)X7j@/
   2.795 +!4,r/TKi*JppRrZO2h2"ni1l\rkg\p!;]ObrR:cH_6IA<9n-h@q\K23BE%u15Q9&Q
   2.796 +r@:O8Gk].KZ'WB\#N;#)+RsB02.)0S)6C3k&'q1gH<J"iS+`NFP3^-=qchQlN?Sg(
   2.797 +cbmNO\,&noNi-B$/uNK!%+d58K\+<fnBV%6*pfuB35ZiR:PuaHLUE1t?4(%l4qlHF
   2.798 +,Q%q%;:.QSfKo$7hcH.ANXq'VT\8%'??hf4e7YB1=n8cSN[9EoDBkJ(%lXFfJmj,Q
   2.799 +J+-9aK"i5mF\g_$^fheMnCI?OSgR0Z@fHGf-\FN_if+IJ]Um^;8COZ7n?/spa`Rd*
   2.800 +/G=CBh)e,F/Zc-oFX=Y(H,$*)g-=p5H2Dok`g]aFr#30H!.o_[^ru3"/Tg;sNj-k"
   2.801 +3PGpdSh.JJq5Ja#?\.`ln[,':VsDnmhEAU)8&OrYHVG:$kZho.pg2fm7.t!@F7rl6
   2.802 +'DiSn$1Kn?dJGbF)u^SU_(UPXn<8@=(#Z:j8\AQn+7*A09RL@0+!:9=r[L,SpkQgp
   2.803 +/_#9WHs>U4HWL.HM71*Ip-6%bK#?rdAZ_5_^W)lMrrCu;hsa=3ft74plYd#WcaJ&3
   2.804 ++7L)arrA#X!"45oGRNPu`h/9`ZqnQbLE6TsTtI?'5NlG^rXs\-rr<ct."!fFHiF'R
   2.805 +QHAR%Di/k5JikESlQ/"Sk.Tbm%/?/ce3#tTmh4lr\!gY'!5T0F!8s%Z^P=pCiBIqP
   2.806 +*:Zg`r'02%g&D&g?a?g%TB#qOgFN!6pjrC+q`+L4po!$\NICm&0Arn7)ZJ,fp$]f5
   2.807 +L].bXS++>3?7,1(J`$p.%9i!<fpB9-R#Al]+RpM<X8DnsNdouV+7N'5M-h:96i0OO
   2.808 +fASoUXaG!U=7$%c/q2;rpPj[]Du<Va^>JJ8p+GiYM7`ld1jJ3_&^;]_4bn]mJ)OT+
   2.809 +9?'.?dXU3nZI!Id*TJ7/+1M%F!5mYCeElNTD17$6S,WJ$^Y,ga7.;P.n@/+3cub>'
   2.810 +*t5Q,L`SMMQYl6X9_$/[21G[P5K&$`22OFailsF@DhNL4idGa_rr<<'+5ZdEir9!a
   2.811 +e,C$Y.b";7n?^$D`ilQ1IN.coOaF9I1Z*QZ!;n)\&,c_)O8KkuJ+;egi?6KskVo;e
   2.812 +i6'7C!0:"W!!rj^rr>?u,Q@`J<aYcNO8)7&+8QH2+8@UsrrD*/J&4LErrCDa8H/\+
   2.813 +Q'_LN*i&]I%0ulbH:RrCXM=Q'+7PA*5P,oC5O`5qrrC*<rr@_)62pqXhN@g<K.AVS
   2.814 +4\,Dq)@ucNoT/nf=b#u,\SJ-G?[88P^9bKC[e[[L\VB.fhn*NhjLad9Z1dV*mB)?7
   2.815 +34D<j;+20r72/Tf'N%;D#OODK!$nCjm&9g_rrCUFnC"g]/&XV%Hn2Jsl0oYP+2M5]
   2.816 +<1cP,4t_(EinqXJ7p<=0>J$FQa2\SID[g";<n=B($Zg;tDlH<L$k5$D1m'>+/7FHt
   2.817 +-aqVki1lSL7qFo9Iq(,G959@epkhl$8)oqfT3<t/^Y2KB.">_;*CJfM/q=SVV+'DT
   2.818 +&OgC"dDr7l+BGKA!9#@+!.p./!7<4nMuNeI/j;@HoE%ni!!u0n'OUir8*jU_!/Y^c
   2.819 +g]%8H&sRX5rX(2O&&Osk\9jk%j5[iYjnf(Bq$M?D,erhG?hu(@Z"O%^a2bC_J/UZ2
   2.820 +-3!ssMZ3\(/H(JknLd!gJ+N`grr<?Yr"N63M.c0Xrr@mqna$2TTE_`E?\Y2[n&55+
   2.821 +MuNb^rZH[:am^Oj^(pDRi\)'p61DXDrXaHJpl4f^?1Eu9r($7Oi\/-K)"jFq`h*>3
   2.822 +#&4&PnEu:pO,CY&eE0ssIhQ1(]!OLl5\]r]bjt^fi/d[nNs1$d(\l>V!3+$*rr?Db
   2.823 +^Th_T'Hb77/H)_/+,e5_mD&0Q_&r/CY7LW`]$J5hL0cn8'DkUR55h&l;>l_:]<-GZ
   2.824 +$-V9lfIOo_[&8Sk')p1J"n;iboD\dno^L2HDq^!,Q-Y<d0K4]5Hgu$j)A]l^pm^1^
   2.825 +Zq]I1;ZlaKpnR^bpnQk^m:GhN8FV]-!W+m%J+ctD!.nU+%K3*1D[^m&p?24/nC,F-
   2.826 +ZCcsFc\oR-;_-+&j(F-sA$=QM`nq[6!+CrCrrD$_^#=HkSe1Ff*s98kmuIASpfZYU
   2.827 ++2D4n^(>Zan]-Et5NAr'QMq'\rrCderX-R?:]A\OhoB)[h[@.5G^n^Cm($ojrrCfG
   2.828 +iNL&SM;BfY:#Z*P"o).mrMTYq@IMkkp8Ri;nHVVT2iTA<DEe_\EVR<-r?pWdls'"T
   2.829 +i5W+^$3(!6hq;Y[qOX6@c\st"qaYml6h#SW[9qVqTDboWC*20%i@""]q^MFipoE@<
   2.830 +L]7@^B>tJ8kOsGq#ONhr4\PKepf[,'i'rderr<OXd6I+qhtSf/_b4nNCEEkjT8DI6
   2.831 +(W>#,!9$g^rlcE.pm:#j)#P`1^+=Y1nb7Ss@4-\V#l_t2&:Q<X-c8+WptbiGn=RXK
   2.832 +n<j,)phAaVpeUl2r)`muKWF)3!/#Yhrr<F"iB<h,GJ_[_?e_.ldrdnM:];8HrrDPW
   2.833 +r(?hk_uB]RrN#o10*^,0!5c_FpXspSW9LO9_JA/5TA-jSJOL8M72/Tf'N%:5=3#bK
   2.834 +rrA7=nZVnRItJj>S:8g"oD\gWWW)r@0A>moc_JM[!;`S,&Qb'-qB,)^qZHW6i[p5X
   2.835 +Xmjr[^U:Q;Q16NJIOY&ciVrn.kMd8Fn8I>?m-E](L`4gaM1-R\h[Xed+';bF1%E#p
   2.836 +c%!]6qT"K#T*jl;pO[PV#&9V#ULg@ZlWS<VTCW!^K)Yg\%uENXTC#M8IuQZ-4rdAq
   2.837 +#_'r]&2jIf"FNT8Tg*'N)rfG&nS[gh\+nA?cc$Z+0^qTN%j1$8!"X0%^P6)'XG4'Y
   2.838 +BTi9[IgC;B`-U%SW4Y?/CZ;Bf>Dq7,EBdVNrrA4on:U_W4sg4/dp9@aTDh;3/,m>q
   2.839 +rrE%bG](6=rOBW'b.ha'q_c^R"9/@$5Ds=TR/Cn&!$d8UJ*\t@rrAl+?emsE)\rAQ
   2.840 +,hMaBrrB<Bp4*)Be,KF8(LPaSm*#D/,c/9BW;M,E!7go80"q7Arr=t7$q[I5J+-[7
   2.841 +gKVY2*:Xi%Hm@XS"THf`[na]sY7^P">efdr\#/F/O2m:mGV8fceF_F%]1?i;3TAk=
   2.842 +:Ul6-7@#I@*0g\3qTJi%5AC,tM;C;lMuF@FBg3]AFe=OT*q7LrD\d_'^:q5+INj/5
   2.843 +L>tYrVrE&ALY=\E%uBZHWI-S#l96+&#0?*K%(`=8@A[_dBY&nhS#0p9g:,S(*Ihc$
   2.844 +CZ03u;=N32O7=QR+-$1drr<Ej([J[0:O`n,HlHLrHq42:Kls*S^CboBppSpJf5:L$
   2.845 +HjBFjIH%7*-2`,bTl8nN'>s<di0T1GHgq_%#l'uU$*T,l+.7R!rndVcQf0<E^*`b`
   2.846 +](f.*h#(%$Ht^8$FJ&=Uf8RF(J&+d"rr@j="7QHi2M:$CLcSM-"Fk!d$i'P)0*D"H
   2.847 +;L\^p7b;b^!/<PD_lnjP-Ik:%pj9r/&ad5BnJagaP[2mu5N&2!Z?M!FnJ8)O`,0_;
   2.848 +Sdk15_Mqp_B8h9iHn"hZnYbDC^u#BE3mkYRgjFF;;XntOYCmu.4E9k#_YW\sn6pF2
   2.849 +M1-<20"p;Y5KB?Mn:uue)=&=VnBSFYnQ4\MGcu>O8+"(g07M5R2R`C#nU'8>r$&j9
   2.850 +e3Dns_k[!5*sMR0nM[N/4^6qNPP[^^rr<B'/)a]^$$]6Prr@_Ua'TL0iKaC%BO1].
   2.851 +#DUu4n[FH>D;h#fiV/-"%7A0C'##1WGK,+kBclhDYCfk?'YZ\S'B2cJY5!4W^B-S5
   2.852 +Hq=%MiZF,/&%iAK7!r;8Ff"kGi9/.qgV;\8`Hr\_qW<Y346X7W_G,6ig/mW*XD82\
   2.853 +ipBQVrr<_FH/ag-iMXIC:ZDVfK/>e5Hq=*(ia;(ei1C#Kd=26_Am5X=pdmXoHroji
   2.854 +L@buk=S_g%O8f1ehn_K;p^d7<r*f("O8dZgL@6rP(k9D$Y5Z>2'"e>H!!o`sYNacL
   2.855 +M<Fm=_H!^4B4i!2VKfSm2/i7<f>4Wor+5ZHn42I[LH[6CGg#'d`I2[`pOdR+KAQdG
   2.856 +BTLks`8;.h1Z8kthtB)*l/St'pYHV_T"YU15h1<(k["qQIr*Gdrr<Q^Qc+Vq55S/^
   2.857 +1K:X2A@_45hB1*`^M#:q.*'3."P\;]dJa>chse.';t17UVsHY+"S$,VrY9fippp8d
   2.858 +Bg)k%W]t/=JA)ZGB(7hI(\"oOf=q>K!TU:Xi$ZM=4t(e4cocUD@meeSCMt&;*:[iO
   2.859 +(%G@Z^*NIu:[to:GQ.XH.K,-GSHHeO0_%*AO8)"g$_W!d+*eC8?\puWIOtCQph/W*
   2.860 +$2EiGB7[c.kT:O'&H#,irr@U42rJ&'*s1Kmf>S8T(7lfHrU=mH*]j'Fi10u0B>^nm
   2.861 +ps[:;#D%8FiEm44hQPmfg>Cg9MtN\PphraoB"Md:D\RS#dQRkLSf$uf_bZ.r#Os[\
   2.862 +`Q`>p=L\7:D#=Ot0+Rd/_1!KW]HOGqq__X!nH2jN`O7fQ*ZrlIj5K.65+D(+ddP#6
   2.863 +pg0$]!!P+UPJ/2Sp2YNspna[35h0(ErK;$jM`j_NIi<\fVtaoB5IO(=^Lh7WK%dtr
   2.864 +[6%0:Sgh5>[_)'&_8!B*JMlnJIN@s5PMs2>idZflh]6r6pVe0Yd_61id2k1?.HMWY
   2.865 +^Yl5d!rR!+;tbA/kMr`Vq!6m.L%3(=?&ur&8&<p*_=-*i>POV#j)&;FT<YT;h&!nW
   2.866 +"hYX[q_241Ia]>AeG^\Ag#!<f#GlfXphr85:Q77/mgVqZVo(_2oIJ7E>0k%b!2OKs
   2.867 +Dnjtk*t7BT+bO%pYH2KM^:WAX%\JFR)?#s&!,:m:rmEtPe3"tRpg7+m291`lAT&"T
   2.868 +*S%o=?\^ZXKqeAB!9&[CWHb2Yh[2J)iL=Zlit&shDG=AM?Q-Wn?222&hq;r-=+YlW
   2.869 +r%mi_`ZKrHfDHnd%Xor'(ZG,,Y5ig*q`@j+rrBP+'B?1ppnP^;fCh\K@ARbN=8&eN
   2.870 +Wn:[.B5:[_SZ>lgrr?Z\X=WfaRbg9*W1o.tU5C@nMC>3V.'EXLVSD2VYPj_.J3WnF
   2.871 +4rRK37<q+W^*<?%i=Ee4M#RGi]NI)"rY>3FU\m[Qf84AfL[>c0pj^/IRf9k!gd,gg
   2.872 +KNq4USRljn:jLF`dNZZma1HTTFN"1ZJr&a(FdB@Dq`'&Hq@/aiD&)`@NT8pMpYs2J
   2.873 +j%VGcjTMgApn(%F\*RD\^CTR4e8_dPm6=55LPW'L-J\agG79F!n*Fuf.,Xt7J(TPV
   2.874 +!#&#c^]+:!'d))cn56ss+TDGH&,moBa++)=.Rqh#i1m(gT)q5cokqa`D%D[9#<_*<
   2.875 +ljAF9OnXS@4Q?W!lsKN:+8lbsfPgci'//Ctrr>;i+5"?t;Et"$T<R5P-==fsrd_RE
   2.876 +Z%(]-J+Q)m@DD_6^Q2b#!Hjq<`.-JgiVrnrT8"BhrM2Uir#tQ@LW4aL`*O,PGN-Ah
   2.877 +rr=!c?h&bCS&ZQgn5"mi,i*]H`E']2p_WEQ;"4,2O+BD,j%Xkje9&l@'A;2#L9Bkq
   2.878 +rrBCfT&&;frr<1Oai&ESrlDjoJ,N,,BDUROARF.qp(RD&["!],*W;RW3VG*:r&+8!
   2.879 +TR9l?Q8C69rlO%7^Lk/#e)=lQJHs'J0B-@*NM_)Kpc%]>bJc[Vr%7E]ijP9ElW<VC
   2.880 +m.gjpiQhQ"'B;$)4<ri+91&.J!6,NVC&TRQrr@n)55tV7@!kHBZ?4nIitoNRL]0C6
   2.881 +X*t+t5kn.ET1JpR^*WcrSj2a0LHZ+D;q<LI)tBia?c,Ssp>tg?^mjeE?OhN-C:^%W
   2.882 +O,(=(_LDdDr,g?a7t'o'il?\!/`?Rc?]':od53FVl44YZ`*]d!O+&F#S)[S1^LU-n
   2.883 +K>sN$4DEdQB>T*PppK,-J6rY28+ACSSe^c;_qUf:INe4,M7e,8GY[kL3qnF&hh="U
   2.884 +T+#k5)cY@*[-^fNmFBO7n#`MWh"'^2Gct$?"UFF7n;"fn+o"XfrEo8Nn^#&O!/dBe
   2.885 +r!W%0j1nt/e28<XGZXTBf)-ETNq6&9a-Y3b)eg?9e*Xp.TY<//rZ9eWp31h*YD%EO
   2.886 +r-ko;<UfX01=\5=)LMJaL3tB-?No]G3^8801ZA?6$0`7t+Rs*&0/UEPkh:34Vd4PJ
   2.887 +a1a%SI!+JQ'3s2SG1O+Npk-SX2XqlFHt20\AltO"nK3Xrh.OYe`QdPKWaB(.cr!4G
   2.888 +;+20r72/Tf(%L1@rrD->4DXrsA7+98rhgjF"aT!X4ph!g_GU*qT_OB64pUk@nO(6E
   2.889 +(3SpP+Z)><8[S"0LpWcbG^/!-kmZHf\?rNf4=QuWUq3\ijH<lQXf5IBV*V/rQ#"tN
   2.890 +!5cA;ci"PBMnf$@e,KFD/s#d/IMr.cU5/8_rr<6AJ,]KpeusjV)rVe>`7c;j+2o<6
   2.891 +27q*7k$*a*I;Q@7gL9f3>2J3<2iB4nCeQV38>!PT-?YG\fP/\3!$`8Err?G4J,]LA
   2.892 +]Jj1ZIb\<$ARDkNrL2p:!WN/"T>e5;9R\r<nV;rkVR:k;nmUk]VuHaL@_^umrm6/g
   2.893 +/cO)r!;_3DU?h['rL&/rPdgUV+-5=U^HNsq^X6ENmpg-SUjp3iIrES5<O\SodcU>n
   2.894 +qeF([V5Qa-Q%ZI!rmQ@1[>m>lQ&=Ei/oBR9HZWBu9ajqC(hAVnI]7h5.ssqI:CQK[
   2.895 +[=ikW^Z"VlNCVrNKl<kZWbT+_PV;3[%ikk+a_p:Nqc'QX6julsFn9)H8!pjdNqG%9
   2.896 +r*(8K2o&c1Ho(9tKROd9>."&^nB4VV[?$5q%"(e>/&OOh^XKh[i'm/VO,?+=kT:Ie
   2.897 +$2Bug]R;9e=OF8<@JGi@H1X7CimUoBO&`[;m^t]_ITChirr@XGJ&:!mfAeg.mhC5n
   2.898 +58lb"c#^p4'7=6KPP[`H`..9g5@fWN!9%Pf1]<Sf&Dc1?2uT.,62O+'GjF>g!04E.
   2.899 +!rg/G!pm9Y*:"]Ra2AK4pV\/\"3][!1k1A]&((:fqRg2):2N?hn7Td+g%3*G)>#L>
   2.900 +p.bLb4qpf^j5]<SV>)"gSL<H]l4*V1GRsKr[b#s4HqX6GifAgYZerS^$JXOC_@M?,
   2.901 +,D4tErJnO1iLMX@p3o,V_^j^'"F-]Y*Y%mVG\?^bpuSXWeij?;Y!,)LdGG9nFlP+V
   2.902 +CVL--1sZU.*rVN)?gq^G2guY>8+9a^$8(bIcUbc62>sKQ5&.4&lWULi'I-cN:"P3'
   2.903 +n"A.s2#dQ1)J=f!n@[@:.D,+.M;<X,^TfGK^LnXJ4sg!)i6R?C(9aQ^=P&!WgjF)1
   2.904 +[u()!l5*WY\`'.qrmj<BGO9D>Db0Y%ia"(oQB,nPdp;`mj"K.sa1`GdRGok9G\?%H
   2.905 +TCIEK4qmFBn@+,N#jS0f^=<'6p3Zf>Jpd?_^q[2dm-uHVDDX$"ch<Y!H1>67rMT9`
   2.906 +%f"LCe36+p3quS3CTlEX`':N9Jc>^_5DWK5L;#87)Z/PIL&3WS`1A4C\*UT!HqWrF
   2.907 +`P7.rLW+`aHkGjlm4%'Ur'@H0X5Z'lr,qG""@$@&'7;n?Uh'G)rZV2Jd(FSmDoK:(
   2.908 +m0.Fu?H9m3$M=pah[['_'7=E=^L2PHrZ9Vh*r'YYpndLR`81L@]G9qRrX&T)nG`J^
   2.909 +f"=*(:E=gYe3%I*cQ%2M`g/e:n5"h5d68URr8$l*rX!</1Z9Fn5D9%:!rN<#:3[KN
   2.910 +*72?@rr<2npp9Lfe&C4NNk_ap9_a>31\Lms5@b90kuU(Wr,\W^dJamM\&&(E!rPg_
   2.911 +\*Qo[ROpnDIOt8(n],#+Y.q.;7+Ns&H*6Dcc\B(si;>6\^[O^"!W3h_]JJN-#jVEi
   2.912 +ZZh$YYD/M7m'R(KHs?*,p*TQWnB9jYNr0.Z1k*sS!4/lr,91'uLW:f*ET.KHI!>@h
   2.913 +j(iSdX2<^2eGOUM+o=KO3h++f2>Dmq=2o^l4s9-inAE0D!";&Rps8s?"QJoH`D;>_
   2.914 +ZnKE>+3#DlKmZAbX5I=h?Ml2@(]5NS[tt%aiC8:G4qH9E%eubOg11"(lc2&0L%.+h
   2.915 +Rd]Tarr<2m^Ae1e1ZD+b:AB*Qrr<IWp1?su5M?5"ID:Wb%Y);S]G'3FL42;\4n.(C
   2.916 ++7P#43S/aqn(:/(M!tY)J)ML"]LDi#$K&ZaYdT,["o)HA^BX]<[IsP"*8YJF0`M-+
   2.917 +VaC?;/1c;0@I%*e3jsnF!"0&!3gPW^ld#m^ET5k([f6>Z??hmFDqR4h3k+JcTj@FP
   2.918 +p+"G%"n9.^SZ\OQ:JfMf9rWLLpe1K_rrBkp5A9M?rZCp3YMB%ge[2LpHrl(qrr@Y"
   2.919 +al"fkr(caJKt\UQ6cBt!`ROFLKCEfpp>6D8_;7.85Q8kk*rZOpAb^iRAcBii?21Dh
   2.920 +j5P!rIi6'EJ?Ae^r%7\riL^@&,P\\D49!15%(q!(YMnr,rrBM=loApclaD6trr@Xr
   2.921 +r$U+o46+R1j*eT:/t_Ye`?#E!p_i*og(0%s$iNKn!.o3<*q;2UnbXJYc<gQ6COMmk
   2.922 +Shg'[q_ruM?O+5JWVBf_:qcADUZ-3HIggFK"`)`H*PBq0bnF*hd'!%I'(4dN\^^7g
   2.923 +,>b".P29Ef1;`/6[#=A+.&)SIU5C@nMC>3V/&4A`YPBIprr?V#i",gjc\@_&;-soa
   2.924 +h;@daYM4:#c*R,@rrCP)a7]:nFX@6P27WB&iEnBgB)Sho1[q$Tp)a^U2rH?Ih]MhW
   2.925 +lM:snMR:-M?NN>=VX*(e\+%)nUT.GLGa$2)54Q[L4s0\'p_0=dZ1qhLPP>MfrLs3G
   2.926 +HmI2?05;R<^*%YRi75ld08SI&]C9TDl(>Cs_`n0:rr<IV&H:7Q)#jSH^Y/)LZ1sg^
   2.927 +&*tCkgJ%RG4?_]k?c:jkQ$D=on6a)Jpf90J9CQ<(08Vn+5N+N5d\>1V50*/28+V+I
   2.928 +]'"[P5PRe2d+;CL]AJ3)[GU>kqb2LV:]CD'iVQ4E#lUEGi<oS'rr@_qrY1F5%u7n7
   2.929 +^Yoh*!/-R5>Q,5lpdtJci<8Z\^&<T^^&<Sdrr?O.!,DIrqc!A.<r3E"rLJ5prr>7_
   2.930 +!3r0o(5MV.nSddo!<3$%`r31B!,B1Lp1NnC^b>I3+71ebrl&a45M>YeVo:lTh\^eC
   2.931 +r-.Za`G^S4!"HXHGh?fH&cOtA>OZ">ItW7p\bJ,D-2=gESN#KiN4p?!ia3+0ILg@S
   2.932 +P%_G1L,FF8i]m>\Qhr--Ab[qU8U+b=;Xn,4%gm\ue:2"ipa?rsn(B5NNk&rp'?(kS
   2.933 +M`c(X,5`eXrrA!$f.[+9k^O;\-[]V&2uTeTGY_02Z1,e-rN^ochh%:]`8:[l?W%Zn
   2.934 +I\E`Gfm$_$rMfaGIP?$8j'V-rq\/m=pn?[OnMeD$Mgr$&m,.=pi[9RIZZLU3rXp:m
   2.935 +q"N_0K03/nh/iH8_qKR'TP6XEgA\.O?iL+<BR4!SUY(!im(-f$B4VbmdI=oYh;_af
   2.936 +DZ9]gHQdQ?5AL2u*juBraSg_j!,[f-3b3.nRBLo*8,SlIK"pZ1r+H$0eDp7PYK1)G
   2.937 +-Kj_?qb25N^n7s*KQUW0rn%/MYcijH%fX6^5O@Y)PN%qIrrA,[!41SMA)k6uj0@0"
   2.938 +A=ZK<qt:`Qr[<.mrr@Y+r%e$Lq`hu0n0?t#LOLt*414j+q`B$a`k"Bprr?\Wo`"oE
   2.939 +?8:sT_9W,I^U'7m2saQA6ehUm?Q(Rn_S=fSa*PLZ5AgE#fLt7kKYM<[Lqg;e_F+2A
   2.940 +pp]25m.'R$rX&DZmuA=d!63@;_nl?Q*]uOBST"4onTE1EiUPqopg)pn-iOFu4T5?U
   2.941 +kH+RhpmLX+`r?#BFH;2`"SeDSCZGl<pa3cCC%3#":8]b+5@n15%h8GQnHZl`(4X.d
   2.942 +1egW\?gp`R"9-:>!44u0^C>\/<'T<2?Q]2mibsLA&GQPjLOX#Vg(3-@OmlSjJ%$MU
   2.943 +Hj?bQ!5V8!IiNpan9c\T/=m?^\K;\Q2LJQpkDoP6nJD*:(ZVk$eil%!pf$\"iVrnq
   2.944 +YLq%6^[Tcsrr<9&!RIil42G:0GJqg]T+q8DJ&)fr9mcaapq,M*_Y:e7f>8W_rrDbR
   2.945 +q"=MIrnF"ipkrkUpV7m?N_f0m9^rpYIqUKg5I>@Ehi/[@rLJFQYNU>MHHr;F5770u
   2.946 +`&bqlr'B6m?XE7$NNDE:"n?0MKl9(Ri4VW[e#fgW]I2]ScN<m2`h!LJnHXh%B9u->
   2.947 +DL<Jb*u9*%I7DNE?OqCN?.'Y;<4_9AU5C@nMC>3V.&)Uon&GA-no5^.rrB>Xn72Iu
   2.948 +;ifW6Y#.V&Ma.,u>$(ZRFoMI?0(@\EmJCmQad%>-+80KBZj6T1IhpZ313i!]7irCo
   2.949 +fP==`!7HY+m[O1bMZ3[>C\pEt!8+dX5Q:`JrrDbNYNn^PAcDan;W%1IIQr>Ir:lUb
   2.950 +rr>K;!h'Yep\T8N+7NEog-\W^^M1H=3qn.g#l`5$[R4a.!!PP3ps7q@^$msXn<\oX
   2.951 +F5q1kSeLUarrBrd%J\,`H?I5si<q:RB_q1PmCq$Y[>r#\D')uN42"86-'S2&rLElf
   2.952 +DZ9]n*tpkL?\CWa]N=UG_j^T*Nr4.:*VDW0f_@g6\F;/&F>"/P*Vd2)YD;Z(>;(eT
   2.953 +%j-%aokdW#dr]B4dpX/sXj,@%+hF"=d?-8&-W'9HC!YNYi/b['fe^M&[V+t8i]018
   2.954 +Hl.LP*X2)+MfkGp?PN:t?O<XL>Q4[(BO2\-A^^JYiSB"%]$u`!NuD\X$f'tF*k4UR
   2.955 +PGqj,AYqh;F)B0O_b0h@rr@e@rr@d:rr@`$r\?;/'OUbpYP]ocpd[GLrr=<CrY,;3
   2.956 +pf7=on="jD?2]EU!!k7UO'hE%rr@^nrXs_U90_PdrIb'0rr<]>pIb";JDV2k1]'Q;
   2.957 +%JVaLrrBl93pr?mhi;%N4rsQ0n<TL%MetZ$`7fEiIO9;,8+Ea7A)]"%-WAUgX%dcd
   2.958 +9%NA]om:O3=k30>2$iUoZdeI2Oup3uFT2>t?4#/2-@!/\onKm;r'p0/JUSX;9(>u<
   2.959 +J$ZOr^TtKcnR#YuUZ$\&CL>fe=@]&lIrFYf#!O>8rr?\G\t.ucV16?@p75s9::&M.
   2.960 +$]S5Ap`'*&r"T+*^Ys/3!5b&lVu.lkn=]bAHpR_"^+B9a`Aur(%fZOG.IjV#BD+jn
   2.961 +-_:_G!/e*Kd(d&>YeRYhYP>'o2>sl?4\tHPnKukq%jL2YpIb";LOU.g1\!9?rr=*f
   2.962 +'qj4F[[ODdnaTsVpc[YANF(@8K2:#[9s+=&pbVI>degoPg$3eU2nB]P%J]&D/Mc>K
   2.963 +<j^73"S"C@i[["\a`ORX1Ki9*Y7u5>:[j-oHq!&N>2NVtd_%6,CAoF,m6!&\IhR(e
   2.964 +`7I&!M5T-DGF&4Kn5k4KNt?QZ`VSrPf$['aG[J<k%_(G9&8DYmV!'j/V5iA*=j=Qb
   2.965 +bOG*rdk>fIWGcnE)nB$LSi)\rdb`tPN*9@<5k;q]&2Up%#A@^Y#$C'$rr@_%62pqX
   2.966 +-B\<.K%hsX1Iq?fq@EN*1lqPMfmiO\\SJ+q=S\RtZ*Ue.G58ma[YE\`ft1mbjJ$SG
   2.967 +^%Um>h9Cmr3O_Ek;+20r72/Tf'N%;D#OODK!$nCjm&9g_rrCUFnC"g]/)pR/gN--)
   2.968 +ec,VWYM295dd8YE%8Tq$Sc8\(h*4]>[#*tW]tV/KQ]E`cD(VH?1X0oZ4H[Sk8.3Na
   2.969 +Wi.1o?Xr;l)#bQNUI`kH6fIJLkh=UCXBIo>V<ZcGgc)fnTk/1oiOQ>,J_hiMO\S7g
   2.970 +*#u!Z^k(Nq)h&NNbeLMLr$+.m'f7F86cFKWrn@APKlQWQ_HnSZDo1Ckrr<E+!9#=)
   2.971 +ac".<!:Zr$4T$_]r"nmqiA^Z^3c9ePG^%3cn?+ltiK*b04<g+U%InrAf7c'k7n1)Y
   2.972 +4rJ+d^'!joM;^Z6Hu8D7`k?^krmL[n`8?E[*t1!0*-dt?g:dK^C]1_Nn8%"/_I&&k
   2.973 +rrC^&GF&4Mdsp<rpjM-$!&mHsX<uL_[<:^k9lEqu5N-*s;uVDMTD-_4!#kc[rKdH`
   2.974 +i0.NR5O?@eIa"AqS)`u)(]-Mr+oRA-mi6TDp0dY+q`oC]i3o]UKAfVFrr=)7T2>&p
   2.975 +a2\kPmtJLYIM;"]&j@ml4&te]N90h3idZnjrrBu>4qLNMT+bu>!"AMG$[@O#NFtf=
   2.976 +pjN/B"OHibn>Gu)n`T7WnE]ebrMk5sq\]+g^ji_p_^g5iFrA&+NF0LC$Lg:I4_sRM
   2.977 +GcO7%T>Zd&rl\Ksm3=jn+^342D/[AM&%+&.r,V=VY6M2+G^e8a\,J>UjBBQSXT""Q
   2.978 +!mj+Hrm#upIL?)#IL,I5VlFtpi((XkLE?`5,H:I<mnUUe5,7(tL)piP]FgfDpl>)?
   2.979 +dkj3;o3T&WZo^p?@d?_8FH&KE:m0gB/MBo.Gc`.YO4khu=pKq7B`A(b)oJ*kVf/PM
   2.980 +>&Wd7nMeI3\o"dTQ^6JDdm%<6g<[Z<qY^'N`^mJ;:Cqc[_\tB+cDq"]3qetT?d?6>
   2.981 +)sa[1J'#WR/,mW)`ddq^5A0ii&rJ*3MC>3V.&)SIU5C@n^,tl"r1$9:J*`*k)#jTc
   2.982 +j7\#(PYjkYci3ti(7"n"?sS9^!)'s`?TW_l?h.c8[Klc"kNr<M!32[1[Jijk3WB)A
   2.983 +a2Hm/)Uq"DU$MTQrr@[\^Z:j_d!ta@rm1TEqLAI<lh]$-R=F:^\,DR6O5KfK4segq
   2.984 +d9l%pT`5#7Aj>4H5PA@^!,^WlC)F#F>Q+q!iia-_4pV%`]G[bpZc(SDK_ueYc?nFR
   2.985 +phNs_2%;o<n<M=YY5E@CGd[H$UKgRJB89F(]$*aICN*t<[T<6bX1qNBMG)'&RSVQ8
   2.986 +!887JYDp7Hrk\U7Z$1p"!M]SoDsOu9O2'V@58(0dJ$a<g/'.3U_2m<Bp.+nqnLIf?
   2.987 +::5SL=j-gF#iEOl!r/h7?eNf]8ZQVKfjEDN"bs(\heBZ5kN8\"rrCuH57r>H:Sd2]
   2.988 +ZX8?l08U_Z^&=G8D*N`(&EMFo]E`pLa26_kIht?-RQh3E(&S4(Dh*9uGd#*D%_Q6?
   2.989 +?bjGG9eY0a;#QtL%!\-!-&/,_'B3*4c[ie:pkATS)"#$gr'd6rr%ICirr<2spn-Nk
   2.990 +g./qB-MYLJ5N9G3rr?[2!.qfNm;q8?J=[#@gTQ(I4r^-0>)/+p0DHgMM#J1El<aS,
   2.991 +@':2FI`jWQ'V?Ir#6*01)S?I:IgUE$]JJN=Mk1OMcg;h6r?Fi2Ubse1HplJsU;Qs:
   2.992 +_u!GI5I',4TC=5Krr<N+Fn%d--c!L&a,.QFH_6)i\*S>!DiK(pK`25Ub.]7u0;j98
   2.993 +^*<>nqd$[fIq"Iq^'49@qa13Nn?9ksJ5]1;a7*!e_L;gdj7,'8e$Pb%^VbL1rLpuD
   2.994 +:NZA;q],NUrL('/c]-ccrK9D(I/J?>Ipmg=Hp.Fer(6F^?i?4:D<#Qf:ZARqNuNSb
   2.995 +5^kA2/)a:C57i'Oj7[-T\&'3gr*Jm%m4n)hp3"`r)ud_.GDUbYr%$3C'B1Zs(EPWc
   2.996 +IKFmPpiZ,Ea1O%&rr<2<rN5u2VYi.C$0$A/i*Yl,q`3q+!ri8YR/[/m\&:gS^'7_f
   2.997 +*<+(TBE%r7fDbi&Jc<uE5Oa]"j37\cL[@V%Mb!QCrr<F.p2g#JqdF`9im!dWi=.S.
   2.998 +e\C'<GYc3Q*f6e1*\Gk=/)tO5j1jq0nKM0jMZ3YZoRGP8rXp=*Eng;je:&]k(AK!K
   2.999 +4a]-e!.o9:bJg%V[VshDp.b&6Kf-&d^Bf=-br]&+Oa\!l$bZ8^5OI.'HtUp8D[cD>
  2.1000 +p4:_B2>GA2SiZ?eL!P95-%'Fs#DkR<iG\)Iqd]O6pj_e>`SN6;DS,D9rX&u%]AgTA
  2.1001 +n(H1*hE16sU#=7X*[^F&TCIF1#m:&;r&"AS]NaAI;crR&Mgc^SlbBd``kU/m`BUfV
  2.1002 +YGc^>nN9P9o2,C=mQL_t1W>I>J$iRrZ/Z;Ng5#Y6^#S^`IaK5Irr?Upfl-j&D[Ser
  2.1003 +0C`uSF808*YM*V_rL*S)rr<D`_Kp_0'D'-aZ]Do*Jc>`>:(Q%c?]=Q)f"V@f!9#'q
  2.1004 +K<AnAJ&b=frma1Ee344a_u"*,kJ[r=HqF*Aih$m"&q85XFFMB)Z_*<X*WFiD[#`1o
  2.1005 +rWiH'AG?t\hse-nF`5tUp5SQ;m*D_]f)@c$B8sVYG^!E^Dh.fmrm2ankJWu,q!5m`
  2.1006 +YePn)$fPm5D[Ce<rN,o%i1H!Y#ctD*JY!PEhhsU6i*@ZoLAq7[n*Y\C0DPV(rrC\X
  2.1007 +j8T*MX=M\3U5C@nMC>3V.&)SIU5CJ:5A@=s,qJuqAOkYhriaY&Q,?I$\d/.XcbMNk
  2.1008 +r'ipo&Wu'9:kCt9*"WW)^4+Ts@UIcg>h!\7NGnMKrK=RZ?W+G#o24%\J(^aXSu8RQ
  2.1009 +(NZj,Y-5%tHjr6ph9=/;90L5A9-Y(pjIFa2pgF]c>Q0SBp,W-Q`*<!MrrC7P+7R,h
  2.1010 +YdaQK+7+(K!/S,R-iX16)H$A;rkdUSI`-`@a5d%KHjCtf4olf*,+\`6$n;&^J'jC-
  2.1011 +`o$QKrr<(Lq;9U"!":=R%"HZeI`C:?MZ3YWJ,/!Lrr<HVq[@u%Oab=-pko(O!Isq&
  2.1012 +f;JO$p]^-ti0DlqJ+-\#5J[k_\q[n/1u3(Ipf$[;iSVPD7p"0*B^Q%YV17F\%Ht9f
  2.1013 +[R,4JS*[U?8I(_'5F8oH*gtrIq)FE=J(YY5ci4!Ea6`g+?Xcl$'N%:5;+20r72/Tf
  2.1014 +'N`>(2u`lAM".\IOai!*qOE#]'lo0[XBGQ'jC6QPljL#s!9n]^lfW3@MuHDNp;$\.
  2.1015 +ZX!I%5P7tM[_KqJa$9,Spm_9#>)3*A4b%S2n8)2(P@*#Srl)Y*rrE'!:]CF%?%6$B
  2.1016 +ZS26>QN$rjU[e6]!*A@%]&>h.IaQm4_cSQL9+MPIZfucPMR6Y&;hn:eM(\I:4\"U8
  2.1017 +[Cgo?k197[*A[?:9dW@rGAF0F.`d.7o&Jqp!Vl-$^Ce+;@H)bG?:T'JHPC<J5&;lp
  2.1018 +VqaC+1Ke)('U!m9l84Y_0t@I_Gi`2*WB[!+TC>>=pa7Z^`W#po59A_?(9_TFDrRCF
  2.1019 +r+Y0:*dGRrq!n5OB_1Q$pV]905E'u$Fu5a;ioQJWV*hA0Oj9j#G)N22g1?I!G1pf(
  2.1020 +SWluU-`28Frr@Xarl/:L/\F_jnB9dOML6i`N%F#<r(J\k3r[K-Z>13ea)`5$GB<&a
  2.1021 +'^t3CZ)-R=a<Qj-eZNP(U#gG^?<h^__iLVW)@_\!d.CZRC!c)_(6tUaBjmq(\m;GG
  2.1022 +V4EpEBkT)/L>L4qd`UG#cJIA$M?kF=WpE^nS,WHqb<c..T=nV3!!4^dq#\5/!5qrg
  2.1023 +"2#f;^P?/(Hs,uD_VQ+(S+2.1'(>TpT+8M&j0&`%Sic_Brr<E+!(V[[?9S;gKlu>p
  2.1024 +8ZfWkj)=]ZHp;[hY5#X.&Y2-brr@^j8%=1MepbSL/9A:nJ&8M<J*69%rrBim0E+53
  2.1025 +rY:`Orr>90^]"@=J+<abn>ru=q>8_B!:V2UrrA-/rr@aaT`5#<hQQqZJJMVjJOfVg
  2.1026 +/I29(omclFZMspc$:!KPBKu+_X8`1X7@4#S+Ar.=$Hka8!2$r3rr<*O^\IrB]aI06
  2.1027 +nGT/K<`32G'Xo`;c#iJ<Jk(\8L^#89:k<%A!CGP!'#Y=ceJ(kL'N%:5;+20r72/Tf
  2.1028 +GR*Unrr==@J*a-3!WN/Mq=)hBC+C)crrA)trrDCCi_TMD[9D:YMC>3V/!#*s=R]\:
  2.1029 +?O6Ghe%kr1n[=WonGD3@K_5_&$/TnZhbgW-HqE<^Kc7sp1sl$H`VpCVR`]Da#O<fa
  2.1030 +Q</9O_)g=%QHL9-<V8$?B\W"P+Fb:on3>i,rr>7Z5N/AU^Z^7HB`A(Jrr@U7r;5^X
  2.1031 +!/?KIrrAbunY?*a"9&H'!;#ZSrYd]lreMZ9O8KO`'E8'Y^5r&&g[Ft]Ii:Q@5N#?;
  2.1032 +!'^6DiM1>+k^iYFrrBk7!.dB4qrn%[L5iqI!29_gU]1;rrWN6$oC&IR)E.KlL`aWt
  2.1033 +r"&Q9rrCBZO8*DCn+n/V)F*^Ui(s@Q55IM&UMmp2Jc'3]!5SU7JNs)0kl1X;NP>Dm
  2.1034 +U'L4`rr<0#"TJJnn"]k#2Z*K0+3'B>&,6h<!7/B?ph8FNqB18+5O^nq:]CDYqENr6
  2.1035 +DnkLer+Q*1_#FCc5Q(EBrr@e5^Ae2-#P"Sh!!E3'rrDZZU])/iqu2Bn`fL$.p_3Z-
  2.1036 +cb>J8B\W"P+Fb:on3>i,rr>7Z5N/AU^Z^7HB`A(Jrr@U7r;5^X!/?KIrrAbunY?*a
  2.1037 +"9&H'!;#ZSrYd]lreMZ9O8KO`'E8'Y^5r&&g[Ft]Ii:Q@5N#?;!'^8MeCO;R)LPQT
  2.1038 +GE-S=&)r'Akr54F^)M;m:Ufk*kCW+Z)uW:EIO"WkXD63O%ta^disTO:TsjKGN025/
  2.1039 +GA022[E?O+dD0=2_MTbC=oSK_@ab8VljL"Hl$%mJkAT+5r_0Bd_#FD@>lC<[oi(Xo
  2.1040 +^WD\[5Opf/S,U</L]3N$IrsT;CfgOu?eQ%i`P:++!<3$prrBE3Io*ibnWp*Bp\%n_
  2.1041 +GDu0P8?]5p5Of9E^#W5CS4(a`m2>EqhX4H-N*BH04idli-6O8h-GEa[Xmt:8n`R]I
  2.1042 +,h_!f0B6ht&LO^A*ABsl<urHA=eEa?Bc=+pFU]6_qGker]TTGJ=POFO*:i!kpV]3n
  2.1043 +`EsNk:C?lkhcfNhVl/hs*\I7(bZAshT@mC)p3(Ld'BMN,*j>O4$\VPoURiY8qnLG.
  2.1044 +r#@eqr%-?Ii2OJuDu;1?)1KXJ%f6M/)h[[-;YYD7!"F5Ce&.dj^Yp[;Vec/uHu/f_
  2.1045 +KL`knZNpCR?PYg>J&2<b?gF3S&,9&;'(djP=^E?BYM":rrL*/I`]nC6q`FLup4`$L
  2.1046 +m@eh*!!HBuiMCebi"q1H3UgqPrWpF30'C5<4T1t'CVPb`2#Y)Z0,7:_!!M`@[4`*T
  2.1047 +h]+fmlQ<AJJ@mJnc\rcL`FcdP?c9\mC7cEW(T?Z'#.<t^qnde%nKl]"#jhQkSfd_T
  2.1048 +J*eDSrktBJpsJt.r!LjO!9&1tJ)T;_)h\#;ptOenchnF!_&`aSGMqqDrrBEKrrC#$
  2.1049 +:W#5BRJUcE:K*>JW;'rahqS/2iMDlsHqX!2a$6sj`OcWjh0_B\'CbJaM=DsL5@Ydk
  2.1050 +Sfa;)dBqf(1r&f9rrDs242i9X[?'!V_`tUX_uB]QG^^1u/,oVI&i]Mhd_BOHg#HH<
  2.1051 +P.tb6@oN.9qg!Q&rLbgX2>A--h]+KQ!8+X9O6kugn+]:5BCM*Sf)-uVCN%kS_O`LW
  2.1052 +J)e$.Vo.s=G_b9kL\+ePQfnAKg&q<]$3'u/"P!GOD*Q\m`ngjnIK'9Vh>:7Q!5Uhu
  2.1053 +!,ql;pc/`U7fAo8D,3Oga+O;6n[H<+"b1,;JX8P:nUJM2%/_?t4s0PmiWmC4L].q]
  2.1054 +JZnC.LOd)Cp`&0eZ15:npiiEZ2Xj1uV>O9^Gk#CDrP&9HIh;7%Ma+JUm.^#t6N+#N
  2.1055 +iOUSQBCPoH?(^hlrr@^6^n2)9!9%h](O+Ko`*.ro.kcZa)=WE:rYL($2rY"jr"K)1
  2.1056 +$F`jYe&QqIJ)M=G!/)<NQD`^QM7NqM]KrQGImk&K72/Tf'N%:5;+20r72/Tf'N]g6
  2.1057 +dpMZ<=8p@'^`WM^T+*<*U9L+R8FEX`[/EKkdZ*k"f66j4:O?6IJ7X)R,6%X=^0#8c
  2.1058 +;QFjb\V+4Tj-!u!K1O>fbJ*uVTp&[[!5BQqrrD-a+5(kqoJ12hpZ'0+r1Kh^0)PX&
  2.1059 +9l'b+G^'/fPSAUYhga"pXaf5h%fZP"Jrf91n+mnZYP[kKhu6GLrKhs4!(/*@rr@L1
  2.1060 +49#<'$9tib^Z]4Z^[K3uJ,)B#p0IFk%%>fHq!dbP!%98pbJ*uVTp&[[!5BQqrrD-a
  2.1061 ++5(kqoJ12hpZ'0+r1Kh^0)PX&9l'b+G^'/fPSAUYhga"pXaf5h%fZP"Jrf91n+mnZ
  2.1062 +YP[kKhu6GLrKhs4!(/*@rr@L149#<'$9tib^Z]4Z^[K3uJ,)B#p0IFk%%>fHq!dbP
  2.1063 +!%98pbJ*uVTp&[[!5BQqrrD-a+5(kqoJ12hpZ'0+r1Kh^0)PX&9l'b+G^'/fPSAUY
  2.1064 +hga"pXaf5h%fZP"Jrf91n+mnZYP[kKhu6GLrKhs4!(/*@rr@L149#<'$9tib^Z]4Z
  2.1065 +^[K3uJ,)B#p0IFk%%>fHq!dbP!%98pbJ*uVTp&[[!5BQqrrD-a+5(kqoJ12hpZ'0+
  2.1066 +r1Kh^0)PX&9l'b+G^'/fPSAUYhga"pXaf5h%fZP"Jrf91n+mnZYP[kKhu6GLrKhs4
  2.1067 +!(/*@rr@L149#<'$9tib^Z]4Z^[K3uJ,)B#p0IFk%%>fHq!dbP!%98pbJ*uVTp&[[
  2.1068 +!5BQqrrD-a+5(kqoJ12hpZ'0+r1Kh^0)PX&9l'b+G^'/fPSGL)OU[l+`UoK5>)&_k
  2.1069 +M$r3J)g7Z3=R]5:h(<L2D69qQ^h8cP[uAWp)/^?n=NZ$Qqf.,-Q%%@-p1p;-#QC`Q
  2.1070 +(>&@;Gj#&r*ts.VCJb$2dYG$oS,NkSrrA3tqa(5^fXL`BrrD<`!;;>Sl-I8^%(/<Y
  2.1071 +J$P,n^)Lbb0:Tb'LP^I-Ht>i2;%AiEi3?!,p7:`V[rZ>+UdqJ!;JI,!ZYQG_U$?g+
  2.1072 +CDq<#C"ej!MWuWKRe\b[*s:9Vc,[h>l$bVe,>H\%0R,Olrr<:O;lXLqZ^.:DL&:sm
  2.1073 +Bbu`8kWDRNUYYpr<nb2bC0%q>VZY,?lC*q$[s$2)R3d_ZK&0ke'E/;Nrr<IInM1"r
  2.1074 +ko[;\LqYA'4s9@_ZXnF@BKQ["GZ2KUgq*C;?,Nbc-,5@#9()Oub"j@SYj?LaBPjWW
  2.1075 +PZoriq\M[8;+20r72/Tf'N%:5;+20r72/Tf'N%;D#OODK!$nCjm&9g_rrCUFnC"g]
  2.1076 +.&)SIU5C@nMC>3V.&)SIU5C@nMC>3V.&)SIYEqIk0DRB,gB7H"F7t.a!7am)gA_."
  2.1077 +:E9B7aQ)8uq[I9^qG?k`dso3=?h-p@BKuA0rr?^3!<#.]d<5CbHm/$WQ14D=I+GrA
  2.1078 +XbiN?d68n)G*_>rTm92?rM"`a=@9J]3$*M'>MB9+H^p$DYFY[nBME]eSgjFPV>03$
  2.1079 +)lnPM?Q)L\YX<AHjcW>%pVo#A>#($#gVr?r4=-(>4u]H#W^!d"`nqFO+'AFfSf+_Z
  2.1080 +/Z[X_ghC`NF#D_I9sh#(C[%RJk2i%Udr&d%=9L0p*TcS/UGBr`b]!89YPnm"nTX[Z
  2.1081 +])A.KB.qqfp7_82q^hY^pmLXO!;<o#V0lkE;dG%6T>W<k7IV\ka87jo7e*+fItB_:
  2.1082 +_B4^t#.:=4rrBrMr,&dFpf6gmi_!SAqSf(erZ:?R)t70dnM=+Xf)-t8li%e%!.t/o
  2.1083 +=2p\OcEZ<rJ6j>fAs$a+!!FJ8BD`O&o2P5*m1#t/g3'TV]ER;sB>D5BrJg5`[(h<]
  2.1084 +<mZ)D_1"<3kD4L+im3L&b.<Xh4B8(j4s&9=%9_um?1j^/!W*U]_.<QGC&\0k?QO^T
  2.1085 +VS=2O-?qViqR>f5q_eAk+7N)+!8DhkiI.nhHp;Q>QhG:cYK%a[-Jl*+?[1nPrr<3R
  2.1086 +oY5pJ+1D-Ir'BAH)qeJ0HEO%5^Z0ORm5r-\BtAbsi<>[f<ke'XS)aMK[Vu'`62O/s
  2.1087 +'D=!PgT:0_p3HF_q`Ol,?82BZJma&M?gpsCfmh"**Vcs`qbVMN8,+J/=8p[`%0$<>
  2.1088 +CZY>LVg-\KTBu7N!!p@,!V"//(8d)NcNs;PgVZ5o^(G-!`&$3DZWbn$?OoARr-/#;
  2.1089 +!;fK>d!lXWi0U#<pe.Q1S)Xb@!W.BE:&VB4C]=CfS+\<0T=cEG6gB0,a2'tAGRrf+
  2.1090 +`dM@9O?p)FVrBAr^&&iJ5Oeu4rZB>BrA.U+r)]oRr%7^<i]/lW%!XEln=PCs3G#C=
  2.1091 +]>RSE5B$Q%#6arunINRaL#95/__:d4?\gm"rmZBOrMTYqi2<3PQ\rKkp`&q&pj8_0
  2.1092 +=&8Vgrr<2^pj:q[Lgk:Wh\A=-p^?%uOlNWtrr<cjO,4no\CWicj4t7(Vi<kYC"dKb
  2.1093 +VU0c+HsYD]NsbZ#a$,(5TD1%RMQXZKgus2ArK03,Tmk=Grr<4onRqb30$iO,L4<nh
  2.1094 +8&_)<BDD@:#.!(hpoec.-WL&8r"n:\?\A>&\V%fHpp*H*BZn^?GV0G(=h)lW/`YM@
  2.1095 +.iVh-rr>F9;+20r72/Tf'N%:5;+20r72/U*!W,T@aXLTo.R*o_omV9FXr<2["ob]M
  2.1096 +pX_=OC"d0cBlcFr11+0hC,]4Xfj)d9HZA0$l?4UlDD%\Ber_n`F$Gu^]#(bl'n!-`
  2.1097 +rn_"ep4]I%kka3(YPTU/qS&G=/Y8`6C;1KG#H-iF(N?WNX`&#nrZjjPCN1!hZGAY#
  2.1098 +b8UMaT^buGiSa_9Ytt<?:[E6(!/H3cfDbh5g-=QSrrB<"r?"i%FoMGsKAkG^!'Jt)
  2.1099 +rr@Y(rl$>p+5<^e4!9#siqL@24IgAinL^.$k5aF\GQcN'nF5o!S,SJDp-AWX_m/,Q
  2.1100 +rco3-_o'5uDu)YYf`V6S%`a+7q;bEQ!"TS<M8/9N5@b<&4!"J'!9]JNZgbHtPkZ]t
  2.1101 +a&1>CT7[(CZtI0mMgD7aCq%!YTCCINg(02s1qP-(4*8*aD>Z9OSP!**=1FPE'&r.b
  2.1102 +Kr1.aK:*uRDb/Km=*<KX7nh=umdG9M>?J2][4OU9n=RRiLgE'jACInGoS[!YrbF.j
  2.1103 +bHK^S=]o"qqDGpP=0YuFe*8j<a!8[E7Xt=`)Q3N6^*eEi07M9?r6E^i!"$ZErr>;;
  2.1104 +M;S)dhm=d2!&M!3_JuT*cjSiWrZ_+($3("Lm2thfC7k,"pmqEbLqW[PJ+G`lr$ND\
  2.1105 +r;aPZJ)W,1d%C6]dJj1Q`i8t<5VIuOpl"%:-iX0&["#r4WdiA'ickAGp[&:e!6jgP
  2.1106 +n=46coE+fYrr@kgqa,f(4%K2r)Q3N6^*eEi07M9?r6E^i!"$ZErr>;;M;S)dhm=d2
  2.1107 +!&M!3_JuT*cjSiWrZ_+($3("Lm2thfC7k,"pmqEbLqW[PJ+G`lr$ND\r;aPZJ)W,1
  2.1108 +d%C6]dJj1Q`i8t<5VIuOpl"%:-iX0&["#r4WdiA'ickAGp[&:e!6jgPn=46coE+fY
  2.1109 +rr@kgqa,f(4%K2r)Q3N6^*eEi07M9?r6E^i!"$ZErr>;;M;S)dhm=d2!&M!3_JuT*
  2.1110 +cjSiWrZ_+($3("Lm2thfC7k,"pmqEbLqW[PJ+G`lr$ND\r;aPZJ)W,1d%C6]eqSh:
  2.1111 +]<;f]3i7sPGC-4Pg-(acWG3>YM`qjQ6L[16*hBH0X4lesnC`'7>ls0^b4b!`ensHY
  2.1112 +ZARWFT2)qO8J4H!Hoo;3[P,E<"SdmXn<]&^4a]9Zrr@n'4fDV">1S\4kWU0!^!lH;
  2.1113 +>bo_B)et$G&0<iAB81Y73T-&kA<'-prr@f@rKmNakiBGmrrCuL`#noaU])4Ap0[h"
  2.1114 +UQYCRrr@Y#&:a9!]&*R<eis:d-htGBn.3FoNP5JaLQ&lAH8PR._n$Y>4@st#C)8'C
  2.1115 +DItW@*iFgrXR..?^XR1>)CmBu::7^`FUO+C)dA5V^5K>1e=tHb9@X[+<gM<0lO3S,
  2.1116 +hV&j@[sM41/ab1Q]"=C=RsD0pGiVHYK'!Aj"rUiohrg'TMuHDNp;$\.ZX!I%5P7tM
  2.1117 +[_KqJa$9,Spm_9#>)3*A4b%S2n8)2(P@*#Srl)Y*rrE'!:]CF%?%5Jpkajs--gYF7
  2.1118 +$UOQ!iQ+,cj%WV70?.cZ1W/hL)IA_Jm3_e14Cl%n[D(5b*@"+-;R>l]p9"=XrM-@E
  2.1119 +g.SF!g-[aACEYS+8,P0Xa1EiTN\JNC'B61*iU(.6Q\(R^c\1sUM#RGVi7)jEM7*tC
  2.1120 +6FYM,e74-k!pDOcQIh]Se+FUA\(5r-p`kW(RTkU0[tDr?i0[lX?i1T[i31/4h,F$7
  2.1121 +n.peWHo8V,kD@XE=MOWfi6N/5UI3Qb-agM52!ZR&/$%s@>sWH<4eA>@:=7h>CFe/q
  2.1122 +8T*,9DsQ<Y1?ZHFphG<RD/]28^Z-ZUiLg,MiKldfAcDbI:#d>k+[>J$J)P3n_@?MF
  2.1123 +#]KVd5OblV!9Bf&`;]i:&o[P65N+?s!16jc,X9qrnL^r"j8T+2+TDGX1$nlWp^?$r
  2.1124 +JbqQSK>Ck#piZ(Uins+qU;uc`p5JsL4rO-r?2+Tne)D.>nR(:J_!d-;&O%:aC@Kin
  2.1125 +:Q5;R#Q.Bf'3j(9<5/l+0DMTg4q#_[*Il!0_ce[RD6E0TpR]4ZYP9EalmM;c`--SS
  2.1126 +n41:?pd[R/+8c0:/pP"F<Z`!(0n7'ApsJRYiFg$R&c<79Fl72l?f9H6!"`c;9D_\<
  2.1127 +_Ai!2`HoRT1`mB[dN/bjVrJ^<%Y&$Ba5S39V`[$:=.f83rWpdK!!LsDrr@U6,5a@1
  2.1128 +rL<feiF$n'ieQn#!9#$Q='rE2g[TpVfBiU?G^oF,pj]A@ibnmG(\gkec]2?HIN`sF
  2.1129 +i+Kt-!![\Uo`"n1GZR0*.B\%_[IF1rNr1]kD]J".e&B'4r"6%*J'^(1pa.rdM;nO8
  2.1130 +!bree]RQaVclWu"5B62qiGZ\r&*b5R5Abo)?fMBOrYKr\pb/^`HLJb4M15PT.==nh
  2.1131 +TmU#52thChJY?E93i!R@1ADI@mtY3onKs<D2hucZWG?r)/#FcbbPhffq[*0Bn__.>
  2.1132 +MI$;X)?#ij2thChJbr%:=SQ\%(K:*unVbAX41P'`qd4%1^)d0I^*W\TnTToj+R@l,
  2.1133 +q"O:\icg1E1qa8nnX%:E6fLmtoM$Dsd'V+,C0D@<LSR4Io*=Wmrr<0trLQ1YHtE*9
  2.1134 +n_<('!/Q"gqal%eiZJ(4J)d1!'PlYCLZ3/linoJS%=AKWL%/mgZhRPf^Loq(UW%_h
  2.1135 +kJSI$*sn^l4A+HDrM=YoL)P!Kb?=L4)XBXa$JbD,_R!t6Zd_i@'N%:5;+20r72/Tf
  2.1136 +'N%:5;-j;#9n186?i)<;!.XZjHo.uEMYP6cg!qr3&,$M3ZF.@ep?,-"oRGQcp6jHQ
  2.1137 +X[^T*L@2rVe%@-iX32I:=dS9.in!6/VhS1pUQH;@L&fiikCr9p%g;ZO7IZ@kFA4j7
  2.1138 +Sf.%[SSP$7H5;W[%@3K[l*aG?2V+1[d/]<L)CWp5G:b)!niJS_rnWe9Q2^h&i4n5r
  2.1139 +Ho(d&Kq\MH$:Fe.7tAA5FT2?X"oeQ1=8ipFr$FTIrr@bHrr<D@rXp=J7"=0+J&26b
  2.1140 +V>gN%?i2$Rn<O"R`A.Am$&A4Mr$1+gOT,=!Qhs;M9Dod@hsK)]a^=SAOoGDk+8@6[
  2.1141 +m'H]l"UFg0YC(!]OFAX._VFp%iL_1VT+!U'&q@b1nJAu*@e%a%iU7/!Y>WaI!3uMN
  2.1142 +pd`/(rQj0(%iT\)rrDpkcUt^pk5Ng+/\[o1m@L"gBRCj!]"T'[D>gKLCld6S_O:^j
  2.1143 +[/U,_?a0k61XGtNI<3=fB88'$%H8K)BjZW6Vo8T8!ri8;][ZT2'l)J%Xo4HVBf@r!
  2.1144 +/cPg(PJ]QtqZa:o>Nl(egX](GTc*_RIbe?>rr?l=ph?Aq<Z24(Zlf'S:YOjh2sb&E
  2.1145 +&,m6u1W,Ygp<U\gJ\U]6rrBo?YBVl&&apHZU\dQs3fj1b)LqZ0\u*%<!!r%LDZ$!M
  2.1146 +m4Si]*aBe#o0:t>HYIpmJ&+=VBWUU[euh5Nrr@m^&\6HPN>GI%n=HKR(&lcJ/CZd@
  2.1147 +4j*cp>orIQrX&(C^FbY8M!CQPdk8EKgSmBii/d[nNs1$d(\l>V!3+$*rr?D8=3M^:
  2.1148 +pt+N-$hhsB"oC=5l2Dcg_*8Z!Ae3Vaj'RUb9:K3Ur)IChYCJhP^LAhtpcD:!YG0QU
  2.1149 +dOkA]WG*H]ViIoB9l#0Nl8jpeUSRZ[D(eo:XfQZ'4aZc&i",`#"68j0^MWpRi?-$W
  2.1150 +#^d`A^LbS1&:@CN.<X\.$YUS<e%B\Z&!+<2r"OY[$>KAdI`koMO8Mr9:P]g:%eL9a
  2.1151 +rr<YF*WH,U4>$OFlBbC_WT-bjrnCd%^'&ZkiSKhHL[e5(3T-O-rrCuA^UCVj5MMsk
  2.1152 +08R=kHs=r]+8C&u)Fs]\\(Rk^*GJh)dPQ1J!/9J5!!LsQL-KK](4#WQ-LkH$Y?Ulc
  2.1153 +ic"3Cj4t*\^0[KLffTS:GXkHW^U<u*@BB6r?hf61rX-:79&>$>^DT3gh<7'.oH,#s
  2.1154 +Qc(!8:&b4I+8/XHnE7UUNW/tt2!k\M$0hHi"],)tZsS?5Zaoken3=]1'_MD*MVf2!
  2.1155 +D>sTkhA5UY`gq>5cb_p"qo#rB!S=t`IMHN<#WtuEMk+Wie#`BD:]:]`qc_eMn)8K-
  2.1156 +9fp:#&,\M9J,]KXBE%r<?cAR#rWu*p!!Nl-pZ'"-J&78orrCuLSgNr>p7M6rPMolh
  2.1157 +I5CT.rJ:C(Ir+QjphO18!/?p3#Dtb)2UVL@r%7^0i;WfD+,4.12o6LaT==`4qe#bS
  2.1158 +ph0IUrrBl?rZcZB++sPDpoXPr"QT"O!0/YD$``FI"nALDINJDUnQ17Ui0aNEZTmi0
  2.1159 +H*$eI^t7HYr+"_\2oGLT`_VNL0sJ+UcB%KE2'!dtS/rR;]Y5rJ4B&*ASj1j)K#@;Z
  2.1160 +rOb6YA,A@Oh@]P9q`im2KD(T/YO4Ver?'".(r,!krrBO;m$I_P$K"AC8*k*i<rUVJ
  2.1161 +2qBUq"+JZ?[\&/#-N%$H!/.ZPi9/"]$2?a)rZ1MfJp[m`Y<V"][.8T3nHH:g?\:R5
  2.1162 +rr?XaNIEAPV$G#$LYi`Orr<SGnWWZQpq[3N5E#C$JZX&85N/5p]N'+DCZ,3ma1i(2
  2.1163 +6MPDnC\k3Aih$VRJ&Yh&IQDj:f!WhZhC-pe8#Z>9pk<_JDhXK!&H4J1Do$`9`p\a+
  2.1164 +:XMTF;+20r72>@MNW0">i]M#V!+]Hpa8VtYZit]0m";?R)E*lX?X7BT+(h*?gPa*+
  2.1165 +48D]IR%*%&_<DgqcQ&l=nO@^+$o[#t"bF;Uj7_ccIL1Bl56Nf)08[HNB?03mHQNl8
  2.1166 +hZJ@?DhbCa5KCJOnCFN;!$L/1q#9u6D[uOMiO5)P#)VuMpk.U6$s`)ecYmm$>@-&X
  2.1167 +P8ATTrOMQmN8G6*pa+o?45u=fj72./!(alp%Y=+Rp6tbgrr<ITBB)buBi0_0?#S]Y
  2.1168 +WGcY55DS,/D)@'eP3Yqh#KH`ge9"?./hXPi)]M=YS9mEnM=p7GihsWY/Or^1HSsA:
  2.1169 +7<S;m=KUt^jt.StL>l;eUP:5\Jh)bHmH'`W96flBOqs$pB+ecOrr=8ZQ2^hl?%;kS
  2.1170 +9>!2j4+>slnmu1:#Q:+Sm/d4eWh78<r_/nDrrA2%`8C8,e3ET!lhdRZ!/"aqjI6(p
  2.1171 +J+bJnci4"AJ,Q,-qU,80J)lj'rKSIchtk)O-.foZ72/Tf'N%:5;+20r72/Tf'N%:5
  2.1172 +;+20r72=`&[+G5=Q2^iiU[SNg!*A@$9&Z_PLqdirq+''(]DhkCg&"]tl5AXYr?uIA
  2.1173 +\GXD<pA3C[2ZEc`2oeHO0<Ah"rrBl-5AaWL=&[_`2lp/,hW)D$n4pC]7u+JM%o;^q
  2.1174 +QD`\I*n&O2#IX&+q@AO&Hpa]ErZo#*r#r4fU=W62083m)LP\,DV-\E(9_"/Kqb[2I
  2.1175 +plY)r_Z'TH^LisbJ3"5.#BSkk#JtpC[f*O^C*+)`#K!&LpegQ/8^k=<i#$o%Hp,mW
  2.1176 +!,&Xs?]U!9eF5#XRf$1TS\Mu/"b+I_!BP\;iX9+JT=.P^n`)]J(J2+,?e`3NQgK9@
  2.1177 +rr<1Rq#1(Crm&ubg=,binZT`Dc[`TSrr<ZhM_>Qi_I)9jMn7`*_r$?7l2Dh#O7>]_
  2.1178 +;RZT*Klulp`Vq`5KmM(bDiHspr[6TQ_B%SCmu<qRIqZ$Bf3U0$B>e`)^PLe:7Xt1_
  2.1179 ++2Q8*J&+XiAq/Lo`uYBY]AP?rfDZ)Oq\"9?dXFAnQDsa8CDs+iJ(Q,Lpi60qpi#k+
  2.1180 +Yg>!eB[;Qb,D^_hrJWirnJXWKhCe>0QBgrPiYRUR+DJP!e\"KCUVKO^XZ#hADu:6[
  2.1181 +p9*p%`t-o0ia9P%!;Iq_rLa)iA1rc=!4S<m&]`qFhs;[P;>V8V6%<SJ!83;(9CS"]
  2.1182 +D$0L0pb[F4Hm\XOid]X";&YM6mhC"JitqVD^Ps<Ir"nksiW6=a!/-d5H_6+_FhWHW
  2.1183 +C&\1kM#RI\n&:@@1Z=,Vc_Gk\rL\SuQa@9_TC>bIg2$D>p_!"/C4?GkLP1.iT8=U1
  2.1184 +pebhr^I\@Hp^?,cLjolH*W:P#iOf*i$NC+C(SZ/7CL7U%_E[a22E<T1dI6OQ`;Q_h
  2.1185 +%,W')!8sIWS<<\Kq"_Pb+7R+][]o#\alhts7sH9X:*[S^p-ns:rrD>(q`i[=rr<EG
  2.1186 +rX,.p!(Lo(!.X"O5A78"PjNPd5667JrrCb'`EG4=YDoi4J+a`Sambq?r[.+n_G?*i
  2.1187 +!3m(%+6!5"g4R@JrrBr$Mu&Kfp&>#Oh[R5<iNLuHrX%E>O+fb9nG]oVT7\3d4Ai"l
  2.1188 +RRb8f)>lgn;=J'tBRVl7FlBlYA"e9G1r&f3rrBhd-c(9RHms!nrr@ueX8^LR#Q-%?
  2.1189 +n&JcIgL'GT*tYetM4PCUqtj=keb4L#T>QX\a5QuoL[a3pT-(H_m<S4Xp4Ml7!/g[t
  2.1190 +iS?0Gn%uhrRKp_N8)T0?%u(umJ@*!-qu]Fg!.n$p%/;jP^VuhNc&_7uqbQu?i(r`I
  2.1191 +n:'-c:Y%aCrF]I8O(-SP/o!Qirr@XnG\?_,McT>>M*+0&/5>Z3j5U?5q_\;sH=+Z"
  2.1192 +SKGY^&ZpF1^+/nfibofCHol8$d!3UIpHANV`)$.Q#OF%GG_8NVO20Y-Sfdoer,&/&
  2.1193 +InA%hr*B1:r$VH4^(BQgRZE0;C(Ju^p:0TFM`aY0C7bSjBAmbIpk-@('u+8ILXC?=
  2.1194 +gW$rKnIL=ir%$eLMOH^&L35#=("het%mYX&R'nmo44$/JpcnK!rNH,$qaSR)!"5S$
  2.1195 +(/O<.iS+mqgJdY"`uk(^g-=r)iD"Cm(,(:;F8I'S_r*.urr<>NJU_-ifsAKn&cVib
  2.1196 +/b!i?-^CJ)5G(sG5PufK1\#sS]Mmf7`8C&X>9=^7rmZB9nK7.lqd8VQ&,uWH+,Bh=
  2.1197 +n8I\InE9-[Z*g3Z4sbH7`F#mZJ\PZ2HfE*>`J<f0C[hMCh[hI?+8e"c=-*@]Z[;f6
  2.1198 +?OH]^[J6YorNaW*V8'qH7ooD/IOFJ^WdK$[GJUJ=Y^aJb^MEiLMZ3\GMYoa/QgHI'
  2.1199 +2uJ!kk+2MP"QS!]YWoT\"T3045:3Mj$blgn_H*98I"1Yc!92>A?eR`_;r6F,]>?`q
  2.1200 +o09Ro(#gm%>5*_oCD1rRfIhUlr-eO5]ITaj?a=%UYCliTZnI7uCZ5j<Gj"dVpo"!i
  2.1201 +IafDqp_WHVi]"g!h)iK"9s;L-&8PV[^LNni%nQ6RLce,%B`l7?6a4p$&:?Y9.Id)I
  2.1202 +h[I41HkGjCL%'#trX8LLnDBl<!/6F4!!Q*s!2DLOJ3WR8T<q]"!(qFKrrB3O7e(,F
  2.1203 +Hq1.1ZUaNZM7c'UlM^kT"h00_Ff"<UcCLtM4q$m\kCn:>j/YBQpp.oZk'N^1G_57t
  2.1204 +4uDbQN,>q=@OjT2IgYtW_`f6$fsH`c9>%k".&)SIU5CJ]^Dm1Qai&GUrlDjjO8Vg<
  2.1205 +BF=S8!;9Cl!0A#aGQ.YUdGo`T;dTg2o2kWCrL3^Bpl"iNpgO1&"Z?7A]L;;hh`a-Q
  2.1206 +r\A`Ap7D&)j)5Od_sm!c]8gfhT+G5Frr<)6,XZQ6RWj<FC%08L3P6=#9?4VdV1A%]
  2.1207 +`f14Y4@*m=L%PhQ[%F%AD'.Jqi<SaYrr<2Ipm(_QHo8@^r#bJ+p.FkqJc'HFcNX*T
  2.1208 +_!%C0IqLFgbJ522Ho#2Fn?^(p,IDc_PHO\U;80R8Dgc5L9cqEi'_,bO=FY#:C2fF9
  2.1209 +%ZC<Yn%oV4#l'bd!)7XeAq0Un['0?.li-t]?/`Bjg\0Y,!0\o2YWqL+5A1T+<;nJQ
  2.1210 +nmh4)r/MgErrB:JrrE%_4b%SR!:Xf+r0(LA&,sP_g&D'P!)NUpZsA/b5I3$@P*Z+J
  2.1211 +ZD6serr?-``4G^>.&)SIU5C@nMC>3V.&)SIU5C@nMC>3V.&+?Vp6u!]P#B'g<.4iI
  2.1212 +!:'LWBj<M1jW6;SET+Zk?O;0,r$ClrhEQ[B-YU7-quPfAe)sA>p[IX0mX.BpCIr)Y
  2.1213 +,Z@3OG5?@[b1f\\b`L%H7Z'I-%tn/7,5o!XfH[WLrr?m(K:7LRU+O'Tmu0J@0,X"]
  2.1214 +.D!!ED2)nW<q,#6Xl,0D;UlWbqd&WTi?&S6>fmJ[l'C(]eGfO<X?UU+qE-Faj8T)j
  2.1215 +J)Xi8!)*HTpf8KG=8a0Vm.()ULd1D_rrAns8j4)@h)XZl_Yp&kmRQV,nLU<RrrBl#
  2.1216 +8+RG`pf7=o[l=7,-g^U-!/NT(/,oUH#tOnCrrCfCrf7`dHiF)a)u,]u!7M(GrY9qM
  2.1217 +c2Rc6M>KI9!9+Ic9)enUJlSEKIa9)O[3(8J&,mr*d%;EX1\"<>,/*LoM#J=f8)^qm
  2.1218 +X]+/lLM,Y.'DNNc?OZ@M<T:XJ'7>*#l)JuZ[*JjLn&BZSOelc4G\5ASST4,eT)J%n
  2.1219 +j%l`R&cVhY&`Bki,6%W\rrD^OrL`EFS+[`pg[W#8p7V2/qdX>IZ*2.X"l0+X_-jo?
  2.1220 +qbg\<nS@.q`1P_`6MP3j8pIDSSfdJ]m6CUN"CKQhASLX\j&bUQnNZ_pnG`L*+8@14
  2.1221 +_N0[`#C\4KS&'T\Q*-l@`%Ma:R_Qf0$2f2@Zka]CdsQZE$9.tb'CXZT!9<O)rr?a$
  2.1222 +pg=Vd5IK('rr<2;rL1,IJ\M<e!9E'&C]=BjT+pYl!,)o<.Jrlb_8#J1O4p5HJ+1])
  2.1223 +'7LAhfDZr,e,C9?pc%2>KKitMO$4fXDs[Sbhh'IK8&B`r:%7a>Z1ssT+1I%''gMDZ
  2.1224 +pbVH8p6potfBib2rrBoB?c2mDpa?Atr&OX,r(Hh$q`X_8p6bUei]l*hp'(Dr^,C3d
  2.1225 +p6sH[@f%h2gV[A6]FFB1!9-5^YM!j2?P@l%Hr0Uoqdt<*?OK%HIa<Kar#=WCp^*UC
  2.1226 +_X6grO2/M;rN&,&qdFk#rNe_#ce5eC58&?0qdb(BpeUF4i7I?4n8lPjZpoi?1W*Q2
  2.1227 +VX[aT$i^20rr2tMp3\af^Of18^i'ATa^58MF5d-!"o*$0?-mt;n;lPcMC/*IW;JsV
  2.1228 +RGqQfHp@Cqqcs%Hpik`b"6)8TrrA]VDdOL`bTF93llg*?.;D'[HpRX!koM&D_>aK<
  2.1229 +J+3I<a8:?(k^FZLBCQAKIgl<7rrBl84qrIkINr3WOSD2Z56`^R)15i^#E?G!rm6)q
  2.1230 +pq?1;_O_bB>O`*ZDoBs*pohQk,5?0IMc[431cTqLnU?Jp6iP6c[<@W.<IWE2/F`t'
  2.1231 +IqoQ2J&+*/DNEJI4u$^dh[)Ib_;Lr<?NYdmYP9EAm/?Edp6P6_Tr3-JitoM'KV&MB
  2.1232 +08Vn,r]5PF;nb8:qo)nFr[,tg,lASZU:b^>]AbJoIQ)L5p/:D#Kf+>Z!;6Ek[/U,B
  2.1233 +0A<>tT_Na#(?>,,pcmeGL#3;d62P6Kr'U7]n0>jn"$^Pq5A9Kmr!W#o!;mGdir9"0
  2.1234 +oPH8TP43,NoD:9?.>,PWDi0$]Iu=7+"oNl0DhihJ[t1pP%tdO7T7sQF:1)^F6L^?/
  2.1235 +O5XH54puhm+170G:\Z97r"IDlC%5iprrDE9iX[,[ci4!L[Xk1JO5`B`IN*YHp_3.d
  2.1236 +p)WX`lp\#NShJfu_`tR/!6&m0VtR.[A02@H-@X@An431jrM#(e?eNoHh@fT.iua2/
  2.1237 +!<3%2%gdV"n:uf`3I]<S!:Wggg<8[jK"n]PM#In^D"7N*mC2t%rmT^l3[ah="2eG&
  2.1238 +nE5D;"]+WnpV<Ej;Jueha1iF?i3%MnnNH?X:D/&%rL?)b^D[$urr<To&H9sVhZl>+
  2.1239 +pk-We!3ug"q_3C(n_UP@K>V%7oZn"OrlDhirX;q2ci3tKr+5b2rl2NUVu&^RLZ(Jb
  2.1240 +!W*6%D>h#[iSFM6*.B8_?FnY$@ZQG^n?@C[c\UKJ;;^&.p.bPeK#R`;?Os:2Iu/Z_
  2.1241 +?\H'2rr<G%_I'`)m(!qKhZNYCiD56C%esQ5&UtX5?3^0PnAeJVoa=P4I=M,[rn2e.
  2.1242 +#Js+UN$#B,Vu'hN_R8n=_*?ZR!)rZ2iSWCfp6,3iq]L@-h@B(*JMb-og\*`-UF5h(
  2.1243 +n[%7WMne2BJ$fgRjY-!%j"D;Lg"Pf-"25V"/cCb0'5JXQp_3N\puB=SLVsR-&:>\s
  2.1244 +MfnR%a?O2WgO&XdZhSV3=8)XB]FX!$!/[$!Zk(.efui(/kNpgZ4\*Ei!"8]TYC=t#
  2.1245 +!4G]$&TdpWoAU;6.p;Af`/bk@O*kHr57d%O[=\0`p+4V(1@j`P+4,,ugKrY.K)!UM
  2.1246 +a?1.52/?BTiVRNle).Nn_;-X8]D\=M.XotJ+8r%KD=G1:$,Q0*)#OX.%m^)I]QrI?
  2.1247 +h/D8]r"DT>T+Sd]I")(qK!>6nT,%>8Gf/R&^i'b]@JJl,2Q-%Rj5?QJ?Q9!cr\N$9
  2.1248 +A,ALg$M_[2pV8^O.CYN7UAZ24OT,;pYDBq,5B!aZJ)KdU5!AoG_WCdtKHL10<S!f#
  2.1249 +rrC`9a.KZX`P:'[i"q$Y,OqPH?OqT$r&siHFeO19nB^L0q`Ff7qNlr=2-[7$r#PRQ
  2.1250 +nI+>H^n2]UBV-BZ@IRL@'E8'L'rh*OrLElf?`9]V.&+F;n\>!l7u`#bMu4Fl!7^'&
  2.1251 +J?PUF!+et%!IiXMp3du@rrCS,n;=m-?2-)M7K1TI'RhBV9E,!DIe_s^FC#7Jh;[fl
  2.1252 +i]"gEfjj`BdX4u3n@$6oVhcB3HsQ8,i=EkfL=[?YN'83G?8oEGF\`kL55tW"4u;\o
  2.1253 +XfpMp)WmT/Tj:uhMoIjsq[7YXj'V2!Ujh$)[ibMsbnJ%p)RT!kg\_BVPV%92(W/Io
  2.1254 +r[.D]WuZECLVs_W2oXYc2,+;Hiua(@(M_0\T+A"BiQ$Zqd-&mMFhZAuXYW^H,%&a-
  2.1255 +^Z;Qq+TDGGO,8AYf54Q$rrA1>9)emq0#.DdV;</pS\K%qq(f/."9-Pdp43/CePG2Y
  2.1256 +rr=B1)ufoZiSn5A%,_'bksO(s:]CD!`IGuerLj/jls'F\rrD]k!;f4:oqVC>rrC.i
  2.1257 +Du2"K+2@JtHqUYmU5C@nMC>3V.&)SIU5C@nMC>3V.&)SIU5CJ:5A@=s,qJuqAOkYh
  2.1258 +riaY&Q,?I*+7W^tNK:mdJDV3X1MW4W)O?`ZT>FqN4sXlhFebaVGPZN8O,5thIqNOB
  2.1259 +Oj+ki2ccAhd+cYf1<1B[Nq#Z?;!7)8!e5.U=&-'N[6NAdp/1<[Tmpnoe_c$]p-8>C
  2.1260 +nGmfSH-f+Y4*]I$gIo=9Gb.P@hF+rn*Y%W"(Qp#b%[dGg2dZLaL3ig25NqW%AO$)X
  2.1261 +rr@q+r@f-SiL[f&&,JCafh_VJ&3o0Hrr>^sOhYP$gVn^Gp;[&r&>.rhfK\AP,Fn;=
  2.1262 +pAY,(kFp%i%i@8M0DK0egX#k[1\OuO!5oBBQi@'5ogep9YO1NQ!(WIS/H5_0#CK2E
  2.1263 +!9j9SrYa>]oD\fcbl*iWnH6KOrrD\><un8GIaXhi^+4RAn<_/@M8'5n0mH@OkDQuO
  2.1264 +nD?R^rYU"unTVeiGJW,qnFsf7Ld)b.jOQ0V'7=oslYkdD%dRF4pfHKK-Fg@onAX7J
  2.1265 +Xeq+!FUNQ,'gA2X8,SlIK"pZ1r+H$0eDp7PWI>BWg><9%21Es1*ku<j%-ScE1li2q
  2.1266 +%f7XI=2\GZl!>@6pdP'IIq2hPiSTWEnB@IVe,3:IhY^RW!/=DHRsUoX&cJcEc(O;C
  2.1267 +n=on?G`0Js%D5j*G_9)*Jc,NJp4`MHJqSA1p2g#,nK[#]Lctq?clP.8Qb\[8rrBia
  2.1268 +[3+cZn^G8[n0UqbT<n"%T,r6<j1^?lNdPW<Gi.PbJc7S&e,BrM1\P\\\)Ru2ph/Md
  2.1269 +_;C1-0lIP8(3[D1nFqb:>HVZ=(;0JG;uNeIAW7ADIh]U4lT_bcm/I']HqjAVnG`Jb
  2.1270 +pp'@miRXpsPMt&INrBRe/CHA'$cH5P`4q19&\@KP?6K#mnG`J^nG`KG4>X/**]!7t
  2.1271 +T;6^Pb=D(<KrNkm;-@Z1I.n[H#OV'N$cb<cm(F5%l1$"VrrDFJi1J^Vp7Ll!m(]QJ
  2.1272 +8,+P'S&'P<n?9`*'mN7B8,]*1CA[2D2(o$GN&6N,_uiR*/"u`albRc`a+j7-5>M!;
  2.1273 +V0L!qkq/tfoPY<<#K4C2?f>Y8T7K%Am13j1J&9S-J)]A\<;(eKBD>8PiQi;>!5dsi
  2.1274 ++70*h*sVX(rLa!JnC,<Rle5FXqsX;c*tUU\GQYh>%IpWXr+Y,^KpFsmQKc+6nZS#O
  2.1275 +-1Lo_>4Hd$kPkPOg)gd<+8d\i!/7oZ@d/C3mb\Q1r':8^Kls(nIbNZs^LZd9rrBo5
  2.1276 +XA.["pdqj7oFD^b/cDFC0RPXcrnF`anN;,!LMo;%A)k+Li<f$\V/bH5D\(Q9qTc#&
  2.1277 +*ta!<+5(/^rrA);pfm9,p6PZLrYKrV\bL[608gV'%_a.bAGC<*T,l^7/F\CTipRJ(
  2.1278 +Zf542&b.f9oZn(AnG`L*rZCobj5"pt?8@R;D[pHL5D"8gWTmZP[?lX@RI%E\Hi$/-
  2.1279 +!r,iql<6EjrrA'D#Q>]XqDX2inRf&&q"NcTK)?^hkroiK_S6laFVfnB.j#>g>'8)N
  2.1280 +LZIr#^`STn0ooJKMCgjd/+?X"hhY=okoUBt@sOhs_5)Rs9n-[Ypt=]bJ3H0l[IF1r
  2.1281 +i4m2@!dm6&J&N^pikNJtg&D%BdJRY8:PV.NIqt[0T+eWi");-apq>[:m>q$A?gu'B
  2.1282 +'L![fD::.ToW;W]B7Vq$$H)Ct:[faM$Qk3(!r.-7#K/:L?f>Y8IuD&ErWVSu\+[ST
  2.1283 +hi9o4/Na'/G[&(prZ&](4;n+$n5&bKq!$b0)Z3%O/p6J%&9rEXrrA!?5PlXPC[efd
  2.1284 +Hq.tJCB";'OEg63Zfmj+PdXacM`#tnGlIc$J)I)oZ%'YU)LPfZ0?8"b)rU_rm+8<9
  2.1285 +,P]''$;5C97f6Hb;t+j'pl".4It1n4a6abGC**e[nW/\]/pps`rr<N'-ha,+@AWa^
  2.1286 +l)aO57n<)Lc2EXQPe'9>*nN:L!'gFlIqjJd+5j?@0A0^Mh\5ohn:/DA[2t\3:]ATt
  2.1287 +?aHB?/SF+hM=C,s.F`i^^PS;LYWfVfYJPbu+k7t1:W-TNp_2U^m18aA=Llk_]H+/"
  2.1288 +=':0m^*\\Z%h*6B"i$%E+8#koIqp.ZA&\;b`*X#L:\L+QTDVRG%tjl^&3M3,TAn^]
  2.1289 +iSTTd%^iu[iHN7*L`SXMiGX7\)LP!&1uAo#hY8JX#E?GEgKaY;n;i3L9a7$F58&5/
  2.1290 +hL>gpg26;7,*Pf.rr<B)d(]RnHO#:C]F48Mi;We:/\GfW%3*05%_2##`4lKNNXlnM
  2.1291 +X2KJlXhSPq%sVa)1MHX8jEgQV2;d*Xo$?@)NMC3)Ff=St#-P)B-eR0Li0iTV)h>^%
  2.1292 +ZG1"Ke%@Vfi89N$#Q?++pp\0`$FFXP8+7V?hguX_NiAq(>Obe]jl,S7`L:VW-2<\_
  2.1293 +SKh8+rJm$;>(4cR3g/5deMSupGdG9%)1E3$r%IQcO8NkbMr=nn]R08M!5\[8paZmA
  2.1294 +/b,=gf>@"1%n6Gi4qIEii8;I;KDLABNt_<Sa8Z,]5A'?mC#8sa*A2ip^;j+G4n7CR
  2.1295 +r\NBqrXJY=Uh]o0[4fDC%euqidWFpkpfG7;.b-Aj$@G/0Q\BfYnIOR'Qgm0$%;5Cj
  2.1296 +rJUS6n8#mjZtG2ECVSPT6N*N=Hf>F*$2>=s[^5MuiD,a/CW;qqZ_,1e\"4K,T>^Wq
  2.1297 +(.$lN&bpt/kJ;U%\%0nnI<+pVJq"+%RMft.9a=X%?[qR;M``NMh[9-ka'Jr>2i%<F
  2.1298 +i1Cp4In&s@K=k^Q4_IO[+,,)FiEm2]f%S0"]M7@W&ErjIRRY!LrHCfFZdgmLB1onK
  2.1299 +e$Vn2lIu*Sk'Lh%Q+@;NYE&O!rr=DYj'V[-rr<6fof2oC.u_ih%X]DGrrD"'R!;\>
  2.1300 +^:j&lN:l(a*[J;,n[>I%?[/oq<n^<@WG4?&A2`\MBi4m1AEY'Vd@l1g[Y2c#k^%=8
  2.1301 +'5AGQ]@="X5N,jp,Q@b;,>nI@_S]@Q!9@lZiEUaTrrA`;;?$X5_c6X9jD*B;pP&Sc
  2.1302 +pfgqNr'@(P55s/5dj?m):Au`W\3tM"iGe;A=ih>X`?^SMA0_C2KcDVGI/a3;0kk"g
  2.1303 +"kWbSoXi"`o=+,+rr=BGqd=p,Y("_>qPjBs?f]8fJ,('H9E,!#S,WKe.!kmWrrD!0
  2.1304 +YPBN[Zlf7)J$].Trh'2jBY+2MIqE'`,q],sAOkeTriaY)Fmns"72/Tf'N%:5;+20r
  2.1305 +72/Tf'N%:5;+20r7<f()2?*Y%V17j1quQftebS^_\8!PR0AF,<;>'g(rrC`\Iam9O
  2.1306 +L3W^4:g6`rOgtDkhadT[iih&Tp;tg5(OTTb?i)YW/bjO`Hp[e+IPp=Q,4R%uD(FVT
  2.1307 +`X`LWcG'VQ[/U+26%,j0Rbgg^CRSmqr[E4af;q(hTQlr(e9ieD/,mlP[*OUn)U?&#
  2.1308 +eN[`L+5g5<08b2^pn+STBqMbTpVK(#iK(f.g)j2^n&4[T^,5]lg3t2ocG-TEm=T3O
  2.1309 +45>>&>N:]a_u:DMfC<4'/\c#GL>N2bZ0\T/D7jT_!"2<jN??g(f$\q;nJD*HIL#Ba
  2.1310 +Ns2/&n432Epj;m'rrBo3rr<<OJar%lrr@^Fq\T-2rYKeFZhmPtbl7ZYrndY*q[`TL
  2.1311 ++7R\X!!n#frrBoOjF:XqIr0\P)u[JM!!qJQV#LG37K&SO]qKphrr=_P!3m(4'Y!f/
  2.1312 +d/O)VJ+t87mFCaUp71XXm5_"m_*\/%D+hXr0B8tsrrD)OL#95g_p8_c6W!QQn[mft
  2.1313 +_iKKn*e"E?n)08ChhN71n@l[,ZJ4;^T>nSIpl@YYcO9YSe%B\(=D:hY$8lZZ_u:q1
  2.1314 +]C-A^_0J3qIb8#4a6bbD^OuOdZ'Xi6n<;fA`?3a5rX)ffT7Obbrr@V*m0*/J"T23q
  2.1315 +4+&USYAs'X`1Iu2GB<X@HnP0tnAAW.M'%=,bKg?-+1#>AC\pkA57bI^Bj)%b58%47
  2.1316 +rZ]'nCJ"Kerr@Xdq!5m?3WB)2FFM#s2=\_D]KtR2)Yh5D.fGY1;r\B)podlN]LCh@
  2.1317 +(&4]F*s4V3X*B98Sg<h1YB+uiCRY75X'OQHR`;V4?/96VStgFLH[B`qbjrp/hmL/L
  2.1318 +TCKhu$1,2M+16<R:JuLf_4S0OmXNroJ+,u+S4A1Gm#1dSrrCR/p4'9k?eOcE#snGU
  2.1319 +r$g-FA5=7o62e6@0RQO`^6dgY!8>3*5ITI%`kCl*iTJ,5rB'`Pn?7a63.BMh5I-oA
  2.1320 +rW<)B*s2HBBYOcHK>er%:q[\'DoL%W?7`hc[G[)\Hnb>.iEm.1^'`G=0lnT]'%OPm
  2.1321 +!8:ZV#r1H^)Z4FAY-7>YiLfK:!9:g)pqQMfpeCWFHli6g5AIse)rnEH^Y=\?#5G+T
  2.1322 +08mTR8&RQ/p72)Or+#8,i:$%@nMfG<`"*12rmMninaF@4jSc62BE%rDf_Dr6O+dES
  2.1323 +VYi^K%u9e,#5F\)?@ViirrBkd^MSJSX2Vgd/Q]ra&,\q/XoAC=GY@"6N5#sSD9pr(
  2.1324 +b=A2BT<uZ*48W[ibPqPD4qtj5!!MZ:rXjCIp-na<rr<BUDq\.KO2KieIaB/H4CP7;
  2.1325 +;tud=:P8X!pr25%(?=Cma'Tq`/cMFAZi:$`Qi8K5Yl=]>/I1:MLjWRgr=@g[rZD*0
  2.1326 +Hp?X1%4bf8D13g'#JqR6TC>u*LHZkc?OQ0A&,]`&VoN*ceU1<q!!NW&)^_9Ja5Ypi
  2.1327 +N.)4`@JG3.c]*Dar]GQfnYa9A8md=f(&ku!oM=4/`4l`[/9jD=O2?D!KB(Lj^[Q`h
  2.1328 +^&c]s)=)`,poX&OiLe,>'l(Jp^+f=Lp4L'RZ#SbVKAX$uIK]F1nJCnHTA[JBHlMQm
  2.1329 +%g%-!e9j"@$X!2An3=qM'L!jg-HEuq)tgti$a9=O5K>oC;=HfhIg:3Ci;We.mX-hM
  2.1330 +&)&s<n;lohq`=`55IMBp-i6#Tc<h*3BFbIL`B%V/V0j0ZWP;tnJmJfZM;fTfc1)J@
  2.1331 +0_#[oIi&"sQhFGS=n'bW?P`YAC]=BjhCmG4Vt%74XY\"I)h!?(rr@XeHu/9W^gGfr
  2.1332 +p(d'QIa@`&ZS1^2q`g-q^*`X(VKelqmtNrKq`&@,+7N!cK)Yi?:TYR&pfmVJGdBj6
  2.1333 +e,KCUPMuM3rr<Jli1GgOI])]`p?_9mNpSZQLcY!Vp!#kD)V;l2DhpUn9@)7#p8@k`
  2.1334 +5Anf#hmLet:[kje5k'8V^))/^rKFla#K#@%Hu/S9qb)@@rY^4Dn,*p$9^qM3m'R@[
  2.1335 +^Tp)>%5U]QJY;pXrOmXbpqOT[Br"K'!!ppK.\@>up;b1aGDgRH#j>HYTRP/CYW'Nc
  2.1336 +K&7EZ3,3n,nG`LTrrDSqi0Wh\rr<KMi31i:_B(/r%uC5cifNq<i\0&mrX**2>l6%V
  2.1337 +dQ@]8HlqlSKYM1Bpfj=&rr@Y%=o9lHl/3'jlb<[P3UjZ[&.NPSnE5W-!,)ft`K=jQ
  2.1338 +:QPM$hm&Ngg&;2)b9+,mQT'^a+F_m*&GX*"ce9=*n:0iCj0'AG-fTo;rW.7np-&3<
  2.1339 +q\/tST<m_J$h9,3iCCjOM*D3Y0R+\t:[J12qb_gjhB'#uBCUVjG@0i:?Q4IGOn]_d
  2.1340 +n:uY15L&4a"oJ<"m-FNdI!tM)mBs"ogKtcZpcm`>?fIu=rr?fGT8;A2^)M=_`h*l#
  2.1341 +mt[Japp&b,pa#%=^P9<YJpnqhUZ"_[CS-J*+1Uf9r"FRu^CWMKib`nun%sKC_S.Mp
  2.1342 +V4mfIco`]9XWt_brr<]):QRaHJ&*s+D%D0s!!'_CI`n0BJ$TB>r"H&W@/g4Y7=9LX
  2.1343 +mI=CYpsnn=_;6[:FlKV"-a/.%!8sB^%mDB=4nqV<Y1NA[nV31rVo/KjdQcZ^EHm\_
  2.1344 +?P%TpnRLJuUFr>3H;>#qLZ.BND=I@K8`QF-n.5F/'?:kq$@Wlj&GV+@hh1nen@-3j
  2.1345 +&,sY"""_)ZnSe-3rO0IUh)k=ap]^/*p<`bo^,p^]o06jUO-/7Ic/5d%L]/fO0)^d)
  2.1346 +\(&0(c\3DOq#0-c'R6[t^&n(BDt204QboAIRZ6dTrrBPm3<&up3rUT'X5g\V-2TuU
  2.1347 +,5A/;!!qbGF\hcurr?b_flKL34E9@D+2QZTmId,s45caJh[o)1)DobKp`e`sZi-Nh
  2.1348 +YC^,dGO4S`!c.f9LO.IB)DrUf5IHjU'a*Dpp:Uui^,u*/:[kQ[r%S-NJk:I/M"k-C
  2.1349 +CZ03KS"GK,rr?qcfDbj?87*J6"6(tm-K">h?i?9Ti0`@@rr@XeG]q9H?PpF]iQm84
  2.1350 +5PD"n#_1fsIqT:8iV/*a>s<1^;>?43]rn7JmsooH3q99m*:s&Wpa/Mu:O1nPpa<8_
  2.1351 +X]JR%TBn[)rr<2rpj_dWp3P-!;lBO^pku0<*u_j/Hj'DX^Yk-eZp0:o/a@d!\bIPI
  2.1352 +fmG@GJ`Hb1L0sFG^Q!2J^BSP&?1C"oSc\H>M#J1bG>J"kj8T)ileX2_Vh)DiO.QdY
  2.1353 +3W@#?[9(>NpaC'5]HuP:!01,F'L"3u<U`M3IL>;q)Z?nQ9rPu!pZ'llU]1;s^$o@+
  2.1354 +j1c@E^Tp)jA,Bs;7.A6Q4;75urX";<*A6)3Qf+/'_`n_-=5sgGFe*%&Q\%>:V.lP1
  2.1355 +Hu&RCrr<2qpfldnJ`![bloji:ig,;u!!p?Xhh1q/Z3TaFn@.C1L4?T&I;f)sh];VZ
  2.1356 +pb1R/$2D,!rn6f/Tr[s<=8p;2#*GiurrCc!(9=Fup\t5+qc9,`?J.sTbeIN47=9=>
  2.1357 +J,)'b)ZKfj(\f`b!3+$+!EU\DMT)4e7P-.i^q0OGrg.kI^39Ib^Z<PPC_-D#ce8L$
  2.1358 +!*)7AC]'RtDuTe^LP^NI1OoE)V%6qh5PuH8rr==rp4NAFZ#B>crrCOJ!::S0erT1@
  2.1359 +rr==@^[.osIfBDuq=-)Nre`+uMC>3V.&)SIU5C@nMC>3V.&)SIU5CA&!<&e0jHQkH
  2.1360 +PokN@qS,34<t.TGNVd#V6c>T.Iq#&(e%gDBdVeaX!#Kn3i-4Q+iD0jFH@/LOrj1T+
  2.1361 +&GUIhg.mX(=[7P0CV<)4]=,)UM%m=\8r0.'"Z?nd.M(konOD6!m7Zq5_`-Znm@GEi
  2.1362 +O2WaSpcl_Y28C&u:=oCsia$V!f<d,1e\R.3:"=@_>J#/[XH<u!i]\^gh-]YEIuSm^
  2.1363 +f)?P7Abbrq(]7M4D;oL#htTc,*rJb-NUSUA^'F05p,9*_iXI",Do-rQf!Scg<W:.m
  2.1364 +[&kucdsg1_EV:D[9sE-LI&l!`H)!P@Ibt))n4mnT^'N+M+*^l\deHV<kWU*fdea4J
  2.1365 +!6!dL-81@-34St<eaN1CYO0)]^DVJOq"*K8M7fn69&^jMrXqF2C;8ET7!9UndJh%V
  2.1366 +kuqD_BAS-UcbEk+qE,kQYQ"S5\&-JjC9-sHp2/3,i.E,W=,Hnnpq,I&`SZ4b0!"J/
  2.1367 +626T$c[jZ=2uU;b@I^,1*s8nM!/rsmVPirfj5?heIPq%QpkReRKNe,gCR[[-NBC51
  2.1368 +lTjskM>TlAl5K)QWp:H^=,?PH/P+6qchJZ5KmYQ6:PYMUrLuC^iD5+j5L=j:pfGC@
  2.1369 +!'De3!!OeGcf)(\TmSTl6g=S0ds`lnF2OWV5)9#2fR*ej:4oajnJfIag.%.]^P=up
  2.1370 +e,0TWC3KS&n--R\r'd@D>,I_]Qbq)'a8QC;n5J;$_iKFW%)6Oqfrr:X%DEI"&&KCs
  2.1371 +^)qT<rYd#sHI)L6rWhp/LU?LWpeO<WfC9*+F^9>orlWT0Ws]I*/T4V<[<qAKrMri2
  2.1372 +]Y'PGM)i<^rmIDC5AKZ@48(b`IqO7eh@B>+rr<Bi0mlCaZ1/o4pgrH%(WUhdJc$(O
  2.1373 +Z>]+\nA='`nQ)pRHehUpcq^FtIu4.6d.E5j:?pR%<4LGRCFEeTf&>Zf$LgR`S4A1G
  2.1374 +m#1dSrrCR/p4'9N.&)SIU5C@nMC>3V.&)SLj1cQ5!6N0(fD`k+_2nOi5A1D772/cR
  2.1375 +rrDUEBj^Q;fDbjC]>Jd_\*_07!%(_C@"6k4IaB25WVft-jN$;1q&DLirr?JsrrE!G
  2.1376 +HN*1/!8uM5q'Nk`+8q+IZi:%)TDnn)])K'dAmb?[/cPf^8)s@CYKr&Jn+9IG'N%:5
  2.1377 +;+20r72/Tf'N%:5;+20r72/TfGR*Unrr==@J*a-3!WN/Mq=)hBC+C5g,[!l.+H:<X
  2.1378 +KFu$'G`,P;#I,#m%80Pp!oMk5*<<[@!V?Fe;Z?`2l<j/q^Ae2K]8uqO8+rONrr>>(
  2.1379 +n,*R'rrD)DUK,g[aOG.E*=0<f#P/R,^U?"<q?gt%p`";S!68dPf[[b#.B*7Hi,-g?
  2.1380 +!$.j3@oiU0TVeLa!.hUDr-"csrr-GAV7jL,2TFtA\XCjL5oYrVWPJRnK?+;*A9]?u
  2.1381 +:*[S^p-ns:rrD>(q`i]bPYjj`;+20r72/Tf'N%:6n_]?+!9E-%C]=BF?f9!(V]W8L
  2.1382 +>b[*+(4Z,s['0?.li-t]?/`Bjg\0Y,!0\o2YWqL+5A1T+<;nJQnmq::r/NrfrrB:S
  2.1383 +U&P+h%q"-Or#6CN!$p1iKDtqVDt\\\!7UrJm2'-\O6k'i!$nDUm&9i2rrCUFnLhNS
  2.1384 +MC>3V.&)SIU5C@nMC>3V.&)SIU5C@nMC>Y.rMI?jPct%N++QTP^HNQ;%7O]MH:Zo<
  2.1385 +m8;9b*I#GAb,WV/'Sg#EAdKR_P]IPD8elkd*0I`M>tNkHMC>3V/!7B3`kEGfM;aL;
  2.1386 +GX"L`[u%l*r"nD>#\lCrM0rU0GWTjA-(=#7NG?p>ZG4ic&`\q[I@'pEH`LqO8aPfM
  2.1387 +p@otljnu)%4jX$YYDlo]8A5miiUcSPrr>FZ+7QkU21O!tpg*n"LX3r3r=@D-_WppH
  2.1388 +rr>HFiHP8C58Jb@5>hF\$`i;hr=Uc;htVTs=oSKKrC?c<YDlo]8A5miiUcSPrr>FZ
  2.1389 ++7QkU21O!tpg*n"LX3r3r=@D-_WppHrr>HFiHP8C58Jb@5>hF\$`i;hr=Uc;htVTs
  2.1390 +=oSKKrC?c<YDlo]8A5miiUcSPrr>FZ+7QkU21O!tpg*n"LX3r3r=@D-_WppHrr>HF
  2.1391 +iHP8C58Jb@5>hF\$`i;hr=Uc;htVTs=oSKKrC?c<YDlo]8A5miiUcSPrr>FZ+7QkU
  2.1392 +21O!tpg*n"LX3r3r=@D-_WppHrr>HFiHP8C58Jb@5>hF\$`i;hr=Uc;htVTs=oSKK
  2.1393 +rC?c<YDlo]8A5miiUcSPrr>FZ+7QkU21O!tpg*n"LX3r3r=@D-_WppHrr>HFiHP8C
  2.1394 +58Jb@5>hF\$`i;hr=Uc;htVTs=oSKKrC?c<YDlo]8A5miiUcSPrr>FZE7WK_f>N.N
  2.1395 +4AY#+(hc)KnB^g+K)>l4%6I/Nf8I%T)".D(KMPkJO0)^Q2n/X]JijS;?aYC#EGKE.
  2.1396 +Ba('q5/BA0go$V]6a!/@.gfu84sn`f%Yds0[CI>4b%+')e3#q"4!o/$8C5SZ`!(=A
  2.1397 +5bsWP5'd+:^Z<PPC_-D#ce8L$!*)7AC]'S_F8l4bO,:X<25l#h6eD',rr<8BJ&sSH
  2.1398 +T`5#Y>Q(2o!;-9kqaK-/Ynt;`$J"STS$%-6d3-0R22u@!5Ju@s4tubQ7nlcdeSd=i
  2.1399 +B'.E-d(FM!ko,'FL9IO_C,Z^gp/]c,lKWXq,r.>Prr<<.O8TPQ)F*a7^,pi9`hWME
  2.1400 +$Qo3bIPcQ66%!kU!9]>3r#cb>oJlb^rrBuhq!J(]cPhl>5V.EKEVRr]!/UmLg]%8F
  2.1401 +2';=<=T8BJj7/oE!"o\"\,QFjC-UYWZ2Xfta5]\h,T"L>rclqB_?"0H!(2geO8MO%
  2.1402 +No0d)W;cjN!lt:q+,qB;OC'$Cq;Y?P!!iahr=2%15Ofl14+HkAU](f4+8Qt+1k4LN
  2.1403 +I!5MikD`"0+;R363;dIi!5sKamJd14)NXYY/:Zl'psK*AM$<G(rrAWJ+7Oe_rrCF+
  2.1404 +nY?*a&e!a/rr>/r5N)UIrrAb5j%'(o(WUInGgq5[!Fu-06]]6Jr(&K$hu*#Crr@]R
  2.1405 +a8Ui9N?@qW?QHoWj&,gV#R-:f%R1jrnK>P-J+L[TrX]GZqAar@J)WbAG5hR*NCWmh
  2.1406 +(-hFNr+Q*1`.IdOrrC@`O8(skJ*:nIdJj3'"nC@I!1l%in:4X@!79crU]1<,$fe_r
  2.1407 +!'G!\i;g._!27Hn8,abMa)Cs%e:5=9A,cNrO2d7Y82$"\r:-`c!/(EoreDST+8Cq)
  2.1408 +*P_F1;?$V%"crTl58lcV+MKpeo>[R)&.9TV*.B_oi^%s8rrD5A8,OJF5P-r5B`A(N
  2.1409 +K)"a5!7)REpcpB[k]-CFrr@lZn_='DSi%VZJ6;gOd,XYkrr<Z>j1#$g4DI+>!3uP(
  2.1410 +TuZ1`rZi<#DuP"2J&24rrr>EI`fL$g094rfnYlHfKEB3nLEDKtplJi'^\Qnerr<<.
  2.1411 +O8TPQ)F*a7^,pi9`hWME$Qo3bIPcQ66%!kU!9]>3r#cb>oJlb^rrBuhq!J(]cPhl>
  2.1412 +5V.EKEVRr]!/UmLg]%8F2+'%7>mfi_cD@[k:=e@.eMM\h%6qcq)EokMO%4Uo5h0]D
  2.1413 +bo5a97+Zg/W+d0*p3s3Cf]kBal5!GZip,)$=sbu+H3G%IEM;XK(K0+q>sWUPON2>u
  2.1414 +Nhr^hX`>NoYa^cQh:e^DOX%5I/B[N7HX[NIU+44^JRe][4nZ#V.6L'!!6[u!YUk:e
  2.1415 +^:!t@KdV\kq.W@m"crTUf"^^MnJD3*/L^V6Z2XfqqUb]\Sg+17jeX'O(-hEJ>5nT>
  2.1416 +PJgi+[%mL"a8UGO?hdNDMuNdCP^d(CrrCAnC]=AA:D&*IdZ<`&+8PB-J)NuY0E,-P
  2.1417 +rIJJY!'U"Yr$a`srrC575Hl\gkJ"A(!/2eV^\MS6p'$NTpX[+KV"#9$!%fVu^p3n>
  2.1418 +T).(<'V6NK!9L%!fG6^Chcg$[_NVoFr3W6r!lt:elX0EbG`2S%QBZl,=T8BII;Ai_
  2.1419 +$;V7`o$WTc$Qo35Xaf;$i\1:7;>l&Urr>4TYP]h37K3A28jBO2J*4PRrr@a#Lqib"
  2.1420 +8+m+Ir:edWn>,Rjrr=W!rkPf=!1s&=rY1qJrrD/W+4q>noA<aO!5ar<?i7:+qZ=h;
  2.1421 +Hg>&6;L"-"!1&k!?s*F/c[BU/!")L6J+D$KljFp2n#_)u8`DE&>#G6LA,cNlorn9B
  2.1422 +4@T8Mb=Y"'/:Zis[Jp5\-]#P5Bh.k#O8Sb'^[S&h(]OIe./q#errAYefDZJU,6%Z)
  2.1423 +V'">*5P*c9rrBp"`*`GLU\b,5rd3s<pel?prrA@LIpcCY!7-(/rr<C%&V'B"O6d5r
  2.1424 +q<tG8iCW#^r`W1tJRe][4nZ#V.6L'!!6[u!YUk:e^:!t@KdV\kq.W@m"crTUf"^^M
  2.1425 +nJD3*/Lo;2QY!'P_qN'PQL3^ZRu<2oS(jpd;2CnYh;1kGEq.$agC-e*N\/Od75?lA
  2.1426 +Rm1dDq(f/."9-Pdp43/CePG2Yrr=BA*<-#[j5P"S%;I!];"ae9J&/BsnkFUI5Pl5r
  2.1427 +!,)<3rBL;/Fo-UWPP3o'Qbm)FGalQN?O],;nJ:0$1;dbb?"ZOpGJJ]`?5W1OXY5:6
  2.1428 +T8A`p(Hs2ETme_D(XR<LIn]WMTjR^fnK*hNh+,E8Se:HB=a6^\Z06L6rLLm`?[MeQ
  2.1429 +"Wt,#Ic(+!q_EOsYl;fEfDa:sDs[l2!!MSprltHCKR`t:&,,bPr;QcOE^-i/!+LGp
  2.1430 +V"h"hYP+#1q`"KhQc'uSGsCeQG`V_Y^&J(aO4n<_DuS/_R6E'%Iq=+Frr?e^\+YLT
  2.1431 +!.o>srr?[2!5^u#!"0&/HgUf^mC==krrB;giDP&'rn%$;Qi3ER!"-p/&)04=pd7/6
  2.1432 +rL.'m!5V1m1uGeB!,2AUT+n@kZG3gI!4>#Fqa,eK3j!n<J)MLL!/6((^%VI+5PEln
  2.1433 +m!mZ[n>ST$rr?j5UW`Y]rr@aanH\HQ:])B-,Q>q@J)I*qRW$s\!475f:Pr0pfjEJ5
  2.1434 +!8=&^rLlI6SQ<MY^[R<a!5cSOhYVepqeept5O;2@<1anT[JnS8rr?[2!5c&:KD*V=
  2.1435 +rXdBfrr?Yt^[P+t9fMJ>!89ZD-cISHm'#f+m8(1id%Bf&X'b5Npdb>aiF)ZcDgfCH
  2.1436 +rO4$K+8.)[.Skr:gA_.do)A]rJ)OOX62P;Yrr<=;M#RI]9AfLmrMH(XrrDF.fotE\
  2.1437 +L\=gC^\4S[IqVXQ-WRADDu:j[!:[4B\%^b_rnES6O8BUi'dpt-m=2KgJ(_U+XM,hU
  2.1438 +ZcW4IKJUPrfqn08'RnM*qg\=#m)eci_ttt]?i*dh^U,Bd'<9[]2uXEh!;KY\gYZr@
  2.1439 +rr?oWrl=torr<Ciiii'jg-!.:htU5Z&:W<nrrBnRi]leXp\kLaBr:jDqa^?jpn_Et
  2.1440 +Q2RobWV56''E/<gC]0b&!!rT)r%&rWn$i,m!4Ls<A,aFH!/4#7=8Q@l*aeVZr$sFV
  2.1441 +5A]n?i=,5up1\mR!!OIOdsg3QU\cfo;R$/Crn%/!qetj.rr<2e[JnGN!/,k$((^-5
  2.1442 +g\h'OgN#N`rr?MX_PHt-rNGpU0Dd^-'pli\[Wt+,L3SdV1qinhJreW"^Mj,!rL#hu
  2.1443 +=FXn3C]=BLICJp'rr@Xn>5nS7rrBo#rr<E3qg7`0J*jcgf`(rV5N,Lf<W:VI8!j1D
  2.1444 +rr<DLiXad+TD1c98,\l_rrBl*m53_0rr?a3bb#TN5I/&3rrBGjg\X<e_)e]JZ[^pU
  2.1445 +rr@b*rOqq)!'g24O6hAKTCAgD.fTKarM.R8c2RctAap#mSko8-Sg46Z07VoTp6opS
  2.1446 +rrBEUAl":b+5(#TrrCcFD>g.mi13o`ft[$;rrBpPrndO%TDNLrp-7n>pf*k#J$o:'
  2.1447 +jo5<mrrBpApk/:d-iO\'&cViCQbW#eqb9$:rrCb;ZR<^B&+$LeJ*g%?rm7;,:9.ag
  2.1448 +htT_A!9%>c!,m;#ci(<tq]GMZr$kL"^Y8\fB_)0'Z[^q:HpRXBPQ(UgB8HQfZV03N
  2.1449 +./g$4pAY-[+5)k;Q&#'7p:p=!gOEm4pa9(Fp2BjRrrDPmJ%*/LkPj4urK$ghrY6g"
  2.1450 +?gW?MH%4M^n>s>HrNjWG!/*/HJ(^[er"OV/:&BG6O6k!Y9#LNVqd95!mD$"Ur"H*^
  2.1451 +q`"KdrrDgr5MP(6oD\f-aSs6YM>mP_PN&e>^Y1fbm,.S=?P%\>jSo4s)<*mIdeE_J
  2.1452 +5A@"n^\^OpAGE!0rK[>brMfMJg(XGleSG,Qrr<?)!;nAimI.O[rrBLgIq/Jrrr@aE
  2.1453 +nQ5Tpm2fX.Du;+=Ld,_HJ)Lh++80Dqrr<3E[*sK]rM06FHr@3Jb5U#leGF1O$3'u.
  2.1454 +lF$W9rr@_%rY?%<pY5WG!8DNYZ2Xf5J&8#VX8T6qO"^AhrY:d<+1?GZn:l1Kq_Z"d
  2.1758 +%%Trailer
  2.1759 +%%EOF
     3.1 --- a/docs/src/user.tex	Wed Dec 05 09:59:23 2007 +0000
     3.2 +++ b/docs/src/user.tex	Wed Dec 05 10:00:42 2007 +0000
     3.3 @@ -2095,7 +2095,6 @@ iptables -A INPUT -p tcp -{}-destination
     3.4  
     3.5  %% Chapter Xen Mandatory Access Control Framework
     3.6  \chapter{sHype/Xen Access Control}
     3.7 -
     3.8  The Xen mandatory access control framework is an implementation of the
     3.9  sHype Hypervisor Security Architecture
    3.10  (www.research.ibm.com/ssd\_shype). It permits or denies communication
    3.11 @@ -2108,7 +2107,7 @@ sharing behavior.  This chapter will des
    3.12  controls in Xen can be configured to prevent viruses from spilling
    3.13  over from one into another workload type and secrets from leaking from
    3.14  one workload type to another. sHype/Xen depends on the correct
    3.15 -behavior of Domain0 (cf previous chapter).
    3.16 +behavior of Domain-0 (cf previous chapter).
    3.17  
    3.18  Benefits of configuring sHype/ACM in Xen include:
    3.19  \begin{itemize}
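Review bot: The changed line 3.16 still backs the Domain-0 dependency with "(cf previous chapter)", a positional pointer that silently goes wrong if chapters are reordered. This sentence states the trust assumption the rest of the chapter relies on, so it should point at a label with \ref, the way the chapter already does for its own sections, and "cf" should be written "cf." throughout.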
    3.20 @@ -2123,21 +2122,20 @@ Benefits of configuring sHype/ACM in Xen
    3.21  These benefits are very valuable because today's operating systems
    3.22  become increasingly complex and often have no or insufficient
    3.23  mandatory access controls.  (Discretionary access controls, supported
    3.24 -by of most operating systems, are not effective against viruses or
    3.25 +by most operating systems, are not effective against viruses or
    3.26  misbehaving programs.)  Where mandatory access control exists (e.g.,
    3.27 -SELinux), they usually deploy complex and difficult to understand
    3.28 -security policies.  Additionally, multi-tier applications in business
    3.29 -environments usually require different types of operating systems
    3.30 -(e.g., AIX, Windows, Linux) which cannot be configured with compatible
    3.31 -security policies. Related distributed transactions and workloads
    3.32 -cannot be easily protected on the OS level. The Xen access control
    3.33 -framework steps in to offer a coarse-grained but very robust security
    3.34 -layer and safety net in case operating system security fails or is
    3.35 -missing.
    3.36 +SELinux), they usually deploy platform-specific, complex, and difficult
    3.37 +to understand security policies.  Multi-tier applications in business
    3.38 +environments typically require different operating systems
    3.39 +(e.g., AIX, Windows, Linux) in different tiers. Related distributed
    3.40 +transactions and workloads cannot be easily protected on the OS level.
    3.41 +The Xen access control framework steps in to offer a coarse-grained
    3.42 +but very robust and consistent security layer and safety net across
    3.43 +different platforms and operating systems.
    3.44  
    3.45  To control sharing between domains, Xen mediates all inter-domain
    3.46  communication (shared memory, events) as well as the access of domains
    3.47 -to resources such as disks. Thus, Xen can confine distributed
    3.48 +to resources such as storage disks. Thus, Xen can confine distributed
    3.49  workloads (domain payloads) by permitting sharing among domains
    3.50  running the same type of workload and denying sharing between pairs of
    3.51  domains that run different workload types. We assume that--from a Xen
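Review bot: The rewritten sentence at 3.41-3.43 drops the old wording "in case operating system security fails or is missing", which was the only place that said what the hypervisor layer protects against; "safety net across different platforms and operating systems" no longer names the failure it catches. Suggest keeping both ideas, e.g. "a coarse-grained but robust and consistent security layer across platforms, and a safety net in case operating system security fails or is missing". Separately, in 3.26/3.36 "Where mandatory access control exists (e.g., SELinux), they usually deploy" has no plural antecedent; "it usually relies on" would read correctly.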
    3.52 @@ -2145,8 +2143,8 @@ perspective--only one workload type is r
    3.53  enable Xen to associate domains and resources with workload types,
    3.54  security labels including the workload types are attached to domains
    3.55  and resources. These labels and the hypervisor sHype controls cannot
    3.56 -be manipulated or bypassed and are effective even against rogue
    3.57 -domains.
    3.58 +be manipulated or bypassed by user domains and are effective even
    3.59 +against compromised or rogue domains.
    3.60  
    3.61  \section{Overview}
    3.62  This section gives an overview of how workloads can be protected using
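Review bot: Narrowing the claim at 3.58 to "cannot be manipulated or bypassed by user domains" is more accurate, but it leaves the reader to infer what is excluded. The introduction already says that sHype/Xen depends on the correct behavior of Domain-0, so state here that the guarantee assumes a trusted Domain-0 and hypervisor and refer back to that sentence. "compromised or rogue domains" on 3.59 should likewise read "compromised or rogue user domains" so the two halves of the sentence have the same scope.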
    3.63 @@ -2171,8 +2169,8 @@ Subsection~\ref{subsection:acmexamplecre
    3.64  Subsection~\ref{subsection:acmexampleinstall}).  This policy defines
    3.65  the workload types differentiated during access control. It also
    3.66  defines the rules that compare workload types of domains and resources
    3.67 -to provide access decisions. Workload types are represented by
    3.68 -security labels that can be attached to domains and resources (cf
    3.69 +to decide about access requests. Workload types are represented by
    3.70 +security labels that can be securely associated to domains and resources (cf
    3.71  Subsections~\ref{subsection:acmexamplelabeldomains}
    3.72  and~\ref{subsection:acmexamplelabelresources}).  The functioning of
    3.73  the active sHype/Xen workload protection is demonstrated using simple
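Review bot: On 3.70, "securely associated to domains and resources" introduces a security property without saying what provides it, and the preposition should be "with" (the step list later in this chapter uses "associate domains and resources with workload labels"). Either say in a clause what protects the label binding from the labeled domain, or drop "securely" and leave the guarantee to the paragraph that already covers manipulation and bypass. Line 3.70 also runs well past the wrap width of the surrounding lines.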
    3.74 @@ -2180,21 +2178,22 @@ resource assignment, and domain creation
    3.75  Subsection~\ref{subsection:acmexampletest}.
    3.76  Section~\ref{section:acmpolicy} describes the syntax and semantics of
    3.77  the sHype/Xen security policy in detail and introduces briefly the
    3.78 -tools that are available to help create valid security policies.
    3.79 +tools that are available to help you create your own sHype security policies.
    3.80  
    3.81  The next section describes all the necessary steps to create, deploy,
    3.82  and test a simple workload protection policy. It is meant to enable
    3.83 -anybody to quickly try out the sHype/Xen workload protection. Those
    3.84 -readers who are interested in learning more about how the sHype access
    3.85 -control in Xen works and how it is configured using the XML security
    3.86 -policy should read Section~\ref{section:acmpolicy} as well.
    3.87 -Section~\ref{section:acmlimitations} concludes this chapter with
    3.88 +Xen users and developers to quickly try out the sHype/Xen workload
    3.89 +protection. Those readers who are interested in learning more about
    3.90 +how the sHype access control in Xen works and how it is configured
    3.91 +using the XML security policy should read Section~\ref{section:acmpolicy}
    3.92 +as well. Section~\ref{section:acmlimitations} concludes this chapter with
    3.93  current limitations of the sHype implementation for Xen.
    3.94  
    3.95  \section{Xen Workload Protection Step-by-Step}
    3.96  \label{section:acmexample}
    3.97  
    3.98 -What you are about to do consists of the following sequence:
    3.99 +You are about to configure and deploy the Xen sHype workload protection
   3.100 +by following 5 simple steps:
   3.101  \begin{itemize}
   3.102  \item configure and install sHype/Xen
   3.103  \item create a simple workload protection security policy
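Review bot: The new lead-in at 3.99-3.100 promises "5 simple steps", but the list that follows is still an itemize, so the steps are unnumbered and the count in the prose has to be kept in sync by hand. Switch the list to enumerate and write "the following steps:" (or spell out "five"), which also lines the steps up with the numbered commands the next paragraph refers to.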
   3.104 @@ -2202,7 +2201,7 @@ What you are about to do consists of the
   3.105  \item associate domains and resources with workload labels,
   3.106  \item test the workload protection
   3.107  \end{itemize}
   3.108 -The essential commands to create and deploy a sHype/Xen security
   3.109 +The essential commands to create and deploy an sHype/Xen security
   3.110  policy are numbered throughout the following sections. If you want a
   3.111  quick-guide or return at a later time to go quickly through this
   3.112  demonstration, simply look for the numbered commands and apply them in
   3.113 @@ -2219,6 +2218,9 @@ Xen directory.
   3.114  
   3.115  \begin{verbatim}
   3.116    (1) In Config.mk
   3.117 +        Change: XSM_ENABLE ?= n
   3.118 +            To: XSM_ENABLE ?= y
   3.119 +
   3.120          Change: ACM_SECURITY ?= n
   3.121              To: ACM_SECURITY ?= y
   3.122  \end{verbatim}
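Review bot: Step (1) now lists two Config.mk switches, but nothing in this hunk says what XSM_ENABLE is or that it has to be set together with ACM_SECURITY. A reader skimming for the numbered commands can easily apply only the second "Change/To" pair. Add one sentence before the verbatim block stating that both settings are required for a security-enabled build, and consider labeling the pairs (1a) and (1b) so the quick-guide numbering stays unambiguous.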
   3.123 @@ -2230,248 +2232,323 @@ Then install the security-enabled Xen en
   3.124        # make install
   3.125  \end{verbatim}
   3.126  
   3.127 +Reboot into the security-enabled Xen hypervisor.
   3.128 +
   3.129 +\begin{verbatim}
   3.130 +  (3) # reboot
   3.131 +\end{verbatim}
   3.132 +
   3.133 +Xen will boot into the default security policy. After reboot,
   3.134 +you can explore the simple DEFAULT policy.
   3.135 +\begin{scriptsize}
   3.136 +\begin{verbatim}
   3.137 +# xm getpolicy
   3.138 +Supported security subsystems   : ACM
   3.139 +Policy name           : DEFAULT
   3.140 +Policy type           : ACM
   3.141 +Version of XML policy : 1.0
   3.142 +Policy configuration  : loaded
   3.143 +
   3.144 +# xm labels
   3.145 +SystemManagement
   3.146 +
   3.147 +# xm list --label
   3.148 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.149 +Domain-0   0   941     1     r-----     38.1  ACM:DEFAULT:SystemManagement
   3.150 +\end{verbatim}
   3.151 +\end{scriptsize}
   3.152 +
   3.153 +In this state, no domains can be started.
   3.154 +Now, a policy can be created and loaded into the hypervisor.
   3.155 +
   3.156  \subsection{Creating A WLP Policy in 3 Simple Steps with ezPolicy}
   3.157  \label{subsection:acmexamplecreate}
   3.158  
   3.159  We will use the ezPolicy tool to quickly create a policy that protects
   3.160  workloads.  You will need both the Python and wxPython packages to run
   3.161 -this tool.  To run the tool in Domain0, you can download the wxPython
   3.162 -package from www.wxpython.org or use the command
   3.163 -\verb|yum install wxPython| in Redhat/Fedora. To run the tool on MS
   3.164 -Windows, you also need to download the Python package from
   3.165 -www.python.org. After these packages are installed, start the ezPolicy
   3.166 -tool with the following command:
   3.167 +this tool.  To run the tool in Domain-0, you can download the wxPython
   3.168 +package from www.wxpython.org or use the command \verb|yum install wxPython|
   3.169 +in Redhat/Fedora. To run the tool on MS Windows, you also need to download
   3.170 +the Python package from www.python.org. After these packages are installed,
   3.171 +start the ezPolicy tool with the following command:
   3.172  
   3.173  \begin{verbatim}
   3.174 -  (3) # xensec_ezpolicy
   3.175 +  (4) # xensec_ezpolicy
   3.176  \end{verbatim}
   3.177  
   3.178  Figure~\ref{fig:acmezpolicy} shows a screen-shot of the tool. The
   3.179 -following steps show you how to create the policy shown in
   3.180 -Figure~\ref{fig:acmezpolicy}.  You can use \verb|<CTRL>-h| to pop up a
   3.181 -help window at any time. The indicators (a), (b), and (c) in
   3.182 +following steps illustrate how you can create the workload definition
   3.183 +shown in Figure~\ref{fig:acmezpolicy}.  You can use \verb|<CTRL>-h| to
   3.184 +pop up a help window at any time. The indicators (a), (b), and (c) in
   3.185  Figure~\ref{fig:acmezpolicy} show the buttons that are used during the
   3.186  3 steps of creating a policy:
   3.187  \begin{enumerate}
   3.188  \item defining workloads
   3.189  \item defining run-time conflicts
   3.190 -\item translating the workload definition into a sHype/Xen access
   3.191 +\item translating the workload definition into an sHype/Xen access
   3.192    control policy
   3.193  \end{enumerate}
   3.194  
   3.195  \paragraph{Defining workloads.} Workloads are defined for each
   3.196 -organization and department that you enter in the left panel. Please
   3.197 -use the ``New Org'' button (a) to create the organizations ``Avis'',
   3.198 -``Hertz'', ``CocaCola'', and ``PepsiCo''.
   3.199 +organization and department that you enter in the left panel.
   3.200 +
   3.201 +To ease the transition from an unlabeled to a fully labeled workload-protection
   3.202 +environment, we have added support to sHype/Xen to run unlabeled domains accessing
   3.203 +unlabeled resources in addition to labeled domains accessing labeled resources.
   3.204 +
   3.205 +Support for running unlabeled domains on sHype/Xen is enabled by adding the
   3.206 +predefined workload type and label \verb|__UNLABELED__| to the security
   3.207 +policy. (This is a double underscore
   3.208 +followed by the string ''\verb|UNLABELED|'' followed by a double underscore.)
   3.209 +The ezPolicy tool automatically adds this organization-level workload type
   3.210 +to a new workload definition (cf Figure~\ref{fig:acmezpolicy}). It can simply be
   3.211 +deleted from the workload definition if no such support is desired. If unlabeled domains
   3.212 +are supported in the policy, then any domain or resource that has no label will implicitly
   3.213 +inherit this label when access control decisions are made. In effect, unlabeled
   3.214 +domains and resources define a new workload type \verb|__UNLABELED__|, which is
   3.215 +confined from any other labeled workload.
   3.216 +
   3.217 +Please use now the ``New Org'' button to add the organization workload types
   3.218 +``A-Bank'', ``B-Bank'', and ``AutoCorp''.
   3.219  
   3.220  You can refine an organization to differentiate between multiple
   3.221  department workloads by right-clicking the organization and selecting
   3.222  \verb|Add Department| (or selecting an organization and pressing
   3.223 -\verb|<CRTL>-a|). Create department workloads ``Intranet'',
   3.224 -``Extranet'', ``HumanResources'', and ``Payroll'' for the ``CocaCola''
   3.225 -organization and department workloads ``Intranet'' and ``Extranet''
   3.226 -for the ``PepsiCo'' organization. The resulting layout of the tool
   3.227 -should be similar to the left panel shown in
   3.228 +\verb|<CRTL>-a|). Create department workloads ``SecurityUnderwriting'',
   3.229 +and ``MarketAnalysis'' for the ``A-Bank''. The resulting layout of the
   3.230 +tool should be similar to the left panel shown in
   3.231  Figure~\ref{fig:acmezpolicy}.
   3.232  
   3.233 +\begin{figure}[htb]
   3.234 +\centering
   3.235 +\includegraphics[width=13cm]{figs/acm_ezpolicy_gui.eps}
   3.236 +\caption{Final layout including workload definition and Run-time Exclusion rules.}
   3.237 +\label{fig:acmezpolicy}
   3.238 +\end{figure}
   3.239 +
   3.240  \paragraph{Defining run-time conflicts.} Workloads that shall be
   3.241  prohibited from running concurrently on the same hypervisor platform
   3.242  are grouped into ``Run-time Exclusion rules'' on the right panel of
   3.243 -the window.
   3.244 -
   3.245 -To prevent PepsiCo and CocaCola workloads (including their
   3.246 +the window. Cautious users should include the \verb|__UNLABELED__|
   3.247 +workload type in all run-time exclusion rules because any workload
   3.248 +could run inside unlabeled domains.
   3.249 +
   3.250 +To prevent A-Bank and B-Bank workloads (including their
   3.251  departmental workloads) from running simultaneously on the same
   3.252 -hypervisor system, select the organization ``PepsiCo'' and, while
   3.253 -pressing the \verb|<CTRL>|-key, select the organization ``CocaCola''.
   3.254 -Now press the button (b) named ``Create run-time exclusion rule from
   3.255 -selection''. A popup window will ask for the name for this run-time
   3.256 +hypervisor system, select the organization ``A-Bank'' and, while
   3.257 +pressing the \verb|<CTRL>|-key, select the organization ``B-Bank''.
   3.258 +Being cautious, we also prevent unlabeled workloads from running with
   3.259 +any of those workloads by pressing the \verb|<CTRL>|-key and selecting
   3.260 +``\_\_UNLABELED\_\_''. Now press the button named ``Create run-time exclusion
   3.261 +rule from selection''. A popup window will ask for the name for this run-time
   3.262  exclusion rule (enter a name or just hit \verb|<ENTER>|). A rule will
   3.263  appear on the right panel. The name is used as reference only and does
   3.264 -not affect the hypervisor policy.
   3.265 -
   3.266 -Repeat the process to create a run-time exclusion rule just for the
   3.267 -department workloads CocaCola.Extranet and CocaCola.Payroll.
   3.268 -
   3.269 -\begin{figure}[htb]
   3.270 -\centering
   3.271 -\includegraphics[width=13cm]{figs/acm_ezpolicy.eps}
   3.272 -\caption{Final layout including workload definition and Run-time Exclusion rules.}
   3.273 -\label{fig:acmezpolicy}
   3.274 -\end{figure}
   3.275 +not affect access control decisions.
   3.276 +
   3.277 +Please repeat this process to create another run-time exclusion rule
   3.278 +for the department workloads ``A-Bank.SecurityUnderwriting'',
   3.279 +``A-Bank.MarketAnalysis''. Also add the ``\_\_UNLABELED\_\_''
   3.280 +workload type to this conflict set.
   3.281  
   3.282  The resulting layout of your window should be similar to
   3.283  Figure~\ref{fig:acmezpolicy}. Save this workload definition by
   3.284 -selecting ``Save Workload Definition as ...'' in the ``File'' menu
   3.285 -(c).  This workload definition can be later refined if required.
   3.286 -
   3.287 -\paragraph{Translating the workload definition into a sHype/Xen access
   3.288 +selecting ``Save Workload Definition as ...'' in the ``File'' menu.
   3.289 +This workload definition can be later refined if required.
   3.290 +
   3.291 +\paragraph{Translating the workload definition into an sHype/Xen access
   3.292    control policy.} To translate the workload definition into a access
   3.293  control policy understood by Xen, please select the ``Save as Xen ACM
   3.294 -Security Policy'' in the ``File'' menu (c). Enter the following policy
   3.295 -name in the popup window: \verb|example.chwall_ste.test-wld|. If you
   3.296 -are running ezPolicy in Domain0, the resulting policy file
   3.297 -test-wld\_security-policy.xml will automatically be placed into the
   3.298 -right directory (/etc/xen/acm-security/ policies/example/chwall\_ste).
   3.299 +Security Policy'' in the ``File'' menu. Enter the following policy
   3.300 +name in the popup window: \verb|mytest|. If you are running ezPolicy in
   3.301 +Domain-0, the resulting policy file mytest\_security-policy.xml will
   3.302 +automatically be placed into the right directory (/etc/xen/acm-security/policies/).
   3.303  If you run the tool on another system, then you need to copy the
   3.304 -resulting policy file into Domain0 before continuing.  See
   3.305 +resulting policy file into Domain-0 before continuing.  See
   3.306  Section~\ref{subsection:acmnaming} for naming conventions of security
   3.307  policies.
   3.308  
   3.309 +\begin{scriptsize}
   3.310 +\textbf{Note:} The support for \verb|__UNLABELED__| domains and
   3.311 +resources is meant to help transitioning from an uncontrolled
   3.312 +environment to a workload-protected environment by starting with
   3.313 +unlabeled domains and resources and then step-by-step labeling domains
   3.314 +and resources. Once all workloads are labeled, the \verb|__UNLABELED__|
   3.315 +type can simply be removed from the Domain-0 label or from the policy
   3.316 +through a policy update. Section~\ref{subsection:acmpolicymanagement} will
   3.317 +show how unlabeled domains can be disabled by updating the
   3.318 +\verb|mytest| policy at run-time.
   3.319 +\end{scriptsize}
   3.320 +
   3.321  \subsection{Deploying a WLP Policy}
   3.322  \label{subsection:acmexampleinstall}
   3.323  To deploy the workload protection policy we created in
   3.324  Section~\ref{subsection:acmexamplecreate}, we create a policy
   3.325 -representation (test-wld.bin) that can be loaded into the Xen
   3.326 -hypervisor and we configure Xen to actually load this policy at
   3.327 -startup time.
   3.328 +representation (mytest.bin), load it into the Xen
   3.329 +hypervisor, and configure Xen to also load this policy during
   3.330 +reboot.
   3.331  
   3.332  The following command translates the source policy representation
   3.333 -into a format that can be loaded into Xen with sHype/ACM support.
   3.334 -Refer to the \verb|xm| man page for further details:
   3.335 -
   3.336 -\begin{verbatim}
   3.337 -  (4) # xm makepolicy example.chwall_ste.test-wld
   3.338 -\end{verbatim}
   3.339 -
   3.340 -The easiest way to install a security policy for Xen is to include the
   3.341 -policy in the boot sequence. The following command does just this:
   3.342 +into a format that can be loaded into Xen with sHype/ACM support,
   3.343 +activates the policy, and configures this policy for future boot
   3.344 +cycles into the boot sequence. Please refer to the \verb|xm|
   3.345 +man page for further details:
   3.346  
   3.347  \begin{verbatim}
   3.348 -  (5) # xm cfgbootpolicy example.chwall_ste.test-wld
   3.349 -\end{verbatim}
   3.350 -
   3.351 -\textit{Alternatively, if this command fails} (e.g., because it cannot
   3.352 -identify the Xen boot entry), you can manually install the policy in 2
   3.353 -steps.  First, manually copy the policy binary file into the boot
   3.354 -directory:
   3.355 -
   3.356 -\begin{scriptsize}
   3.357 -\begin{verbatim}
   3.358 -         # cp /etc/xen/acm-security/policies/example/chwall_ste/test-wld.bin \
   3.359 -         /boot/example.chwall_ste.test-wld.bin
   3.360 +  (5) # xm setpolicy ACM mytest
   3.361 +      Successfully set the new policy.
   3.362 +      Supported security subsystems   : ACM
   3.363 +      Policy name           : mytest
   3.364 +      Policy type           : ACM
   3.365 +      Version of XML policy : 1.0
   3.366 +      Policy configuration  : loaded, activated for boot
   3.367  \end{verbatim}
   3.368 -\end{scriptsize}
   3.369 -
   3.370 -Second, manually add a module line to your Xen boot entry so that grub
   3.371 -loads this policy file during startup:
   3.372 -
   3.373 -\begin{scriptsize}
   3.374 -\begin{verbatim}
   3.375 -         title Xen (2.6.16.13)
   3.376 -                root (hd0,0)
   3.377 -                kernel /xen.gz dom0_mem=2000000 console=vga
   3.378 -                module /vmlinuz-2.6.16.13-xen ro root=/dev/hda3
   3.379 -                module /initrd-2.6.16.13-xen.img
   3.380 -                module /example.chwall_ste.test-wld.bin
   3.381 -\end{verbatim}
   3.382 -\end{scriptsize}
   3.383 -
   3.384 -Now reboot into this Xen boot entry to activate the policy and the
   3.385 -security-enabled Xen hypervisor.
   3.386 -
   3.387 -\begin{verbatim}
   3.388 -  (6) # reboot
   3.389 -\end{verbatim}
   3.390 -
   3.391 -After reboot, check if security is enabled:
   3.392 +
   3.393 +Alternatively, if installing the policy fails (e.g., because it cannot
   3.394 +identify the Xen boot entry), you can manually install the policy in 3
   3.395 +steps a-c.
   3.396 +
   3.397 +(\textit{Alternatively to 5 - step a}) Manually copy the policy binary
   3.398 +file into the boot directory:
   3.399  
   3.400  \begin{scriptsize}
   3.401  \begin{verbatim}
   3.402 -         # xm list --label
   3.403 -         Name        ID Mem(MiB) VCPUs State  Time(s)  Label
   3.404 -         Domain-0     0     1949     4 r-----   163.9  SystemManagement
   3.405 +# cp /etc/xen/acm-security/policies/mytest.bin /boot/mytest.bin
   3.406  \end{verbatim}
   3.407  \end{scriptsize}
   3.408  
   3.409 -If the security label at the end of the line says ``INACTIV'' then the
   3.410 -security is not enabled. Verify the previous steps. Note: Domain0 is
   3.411 -assigned a default label (see \verb|bootstrap| policy attribute
   3.412 -explained in Section~\ref{section:acmpolicy}). All other domains must
   3.413 -be labeled in order to start on this sHype/ACM-enabled Xen hypervisor
   3.414 -(see following sections for labeling domains and resources).
   3.415 -
   3.416 -\subsection{Labeling Domains}
   3.417 -\label{subsection:acmexamplelabeldomains}
   3.418 -You should have a Xen domain configuration file that looks like the
   3.419 -following (Note: www.jailtime.org or www.xen-get.org might be good
   3.420 -places to look for example domU images). The following configuration
   3.421 -file defines \verb|domain1|:
   3.422 -
   3.423 -\begin{scriptsize}
   3.424 -\begin{verbatim}
   3.425 -         # cat domain1.xm
   3.426 -         kernel = "/boot/vmlinuz-2.6.16.13-xen"
   3.427 -         memory = 128
   3.428 -         name = "domain1"
   3.429 -         vif = [ '' ]
   3.430 -         dhcp = "dhcp"
   3.431 -         disk = ['file:/home/xen/dom_fc5/fedora.fc5.img,sda1,w', \
   3.432 -                 'file:/home/xen/dom_fc5/fedora.swap,sda2,w']
   3.433 -         root = "/dev/sda1 ro"
   3.434 -\end{verbatim}
   3.435 -\end{scriptsize}
   3.436 -
   3.437 -If you try to start domain1, you will get the following error:
   3.438 +(\textit{Alternatively to 5 - step b}) Manually add a module line to your
   3.439 +Xen boot entry so that grub loads this policy file during startup:
   3.440  
   3.441  \begin{scriptsize}
   3.442  \begin{verbatim}
   3.443 -         # xm create domain1.xm
   3.444 -         Using config file "domain1.xm".
   3.445 -         domain1: DENIED
   3.446 -         --> Domain not labeled
   3.447 -         Checking resources: (skipped)
   3.448 -         Security configuration prevents domain from starting
   3.449 +title XEN Devel with 2.6.18.8
   3.450 +     kernel /xen.gz
   3.451 +     module /vmlinuz-2.6.18.8-xen root=/dev/sda3 ro console=tty0
   3.452 +     module /initrd-2.6.18.8-xen.img
   3.453 +     module /mytest.bin
   3.454  \end{verbatim}
   3.455  \end{scriptsize}
   3.456  
   3.457 -Every domain must be associated with a security label before it can
   3.458 -start on sHype/Xen. Otherwise, sHype/Xen would not be able to enforce
   3.459 -the policy consistently. The following command prints all domain
   3.460 -labels available in the active policy:
   3.461 +(\textit{Alternatively to 5 - step c}) Reboot. Xen will choose the
   3.462 +bootstrap label defined in the policy as Domain-0 label during reboot.
   3.463 +After reboot, you can re-label Domain-0 at run-time,
   3.464 +cf Section~\ref{subsection:acmlabeldom0}.
   3.465 +
   3.466 +Assuming that command (5) succeeded or you followed the alternative
   3.467 +instructions above, you should see the new policy and label appear
   3.468 +when listing domains:
   3.469  
   3.470  \begin{scriptsize}
   3.471  \begin{verbatim}
   3.472 -         # xm labels type=dom
   3.473 -         Avis
   3.474 -         CocaCola
   3.475 -         CocaCola.Extranet
   3.476 -         CocaCola.HumanResources
   3.477 -         CocaCola.Intranet
   3.478 -         CocaCola.Payroll
   3.479 -         Hertz
   3.480 -         PepsiCo
   3.481 -         PepsiCo.Extranet
   3.482 -         PepsiCo.Intranet
   3.483 -         SystemManagement
   3.484 +# xm list --label
   3.485 +Name      ID   Mem VCPUs     State   Time(s) Label
   3.486 +Domain-0   0   941     1     r-----    81.5  ACM:mytest:SystemManagement
   3.487  \end{verbatim}
   3.488  \end{scriptsize}
   3.489  
   3.490 -Now label domain1 with the CocaCola label and another domain2 with the
   3.491 -PepsiCo.Extranet label. Please refer to the xm man page for further
   3.492 -information.
   3.493 +If the security label at the end of the line says ``INACTIVE'' then the
   3.494 +security is not enabled. Verify the previous steps. Note: Domain-0 is
   3.495 +assigned a default label (see \verb|bootstrap| policy attribute
   3.496 +explained in Section~\ref{section:acmpolicy}). All other domains must
   3.497 +be explicitly labeled, which we describe in detail below.
   3.498 +
   3.499 +\subsection{Labeling Unmanaged User Domains}
   3.500 +\label{subsection:acmexamplelabeldomains}
   3.501 +
   3.502 +Unmanaged domains are started in Xen by using a configuration
   3.503 +file. Please refer to Section~\ref{subsection:acmlabelmanageddomains}
   3.504 +if you are using managed domains.
   3.505 +
   3.506 +The following configuration file defines \verb|domain1|
   3.507 +(Note: www.jailtime.org or www.xen-get.org might be good
   3.508 +places to look for example domU images):
   3.509 +
   3.510 +\begin{scriptsize}
   3.511 +\begin{verbatim}
   3.512 +# cat domain1.xm
   3.513 +kernel= "/boot/vmlinuz-2.6.18.8-xen"
   3.514 +memory = 128
   3.515 +name = "domain1"
   3.516 +vif = ['']
   3.517 +dhcp = "dhcp"
   3.518 +disk = ['file:/home/xen/dom_fc5/fedora.fc5.img,sda1,w', \
   3.519 +        'file:/home/xen/dom_fc5/fedora.fc5.swap,sda2,w']
   3.520 +root = "/dev/sda1 ro xencons=tty"
   3.521 +\end{verbatim}
   3.522 +\end{scriptsize}
   3.523 +
   3.524 +Every domain must be associated with a security label before it can start
   3.525 +on sHype/Xen. Otherwise, sHype/Xen would not be able to enforce the policy
   3.526 +consistently. Our \verb|mytest| policy is configured so that Xen
   3.527 +assigns a default label \verb|__UNLABELED__| to domains and resources that
   3.528 +have no label and supports them in a controlled manner. Since neither the domain,
   3.529 +nor the resources are (yet) labeled, this domain can start under the \verb|mytest|
   3.530 +policy:
   3.531 +
   3.532 +\begin{scriptsize}
   3.533 +\begin{verbatim}
   3.534 +# xm create domain1.xm
   3.535 +Using config file "./domain1.xm".
   3.536 +Started domain domain1
   3.537 +
   3.538 +# xm list --label
   3.539 +Name     ID   Mem VCPUs      State   Time(s) Label
   3.540 +domain1   1   128     1     -b----      0.7  ACM:mytest:__UNLABELED__
   3.541 +Domain-0  0   875     1     r-----     84.6  ACM:mytest:SystemManagement
   3.542 +\end{verbatim}
   3.543 +\end{scriptsize}
   3.544 +
   3.545 +Please shutdown domain1 so that we can move it into the protection
   3.546 +domain of workload \verb|A-Bank|.
   3.547 +
   3.548 +\begin{scriptsize}
   3.549 +\begin{verbatim}
   3.550 +# xm shutdown domain1
   3.551 +(wait some seconds until the domain has shut down)
   3.552 +
   3.553 +#xm list --label
   3.554 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.555 +Domain-0   0   875     1     r-----     86.4  ACM:mytest:SystemManagement
   3.556 +\end{verbatim}
   3.557 +\end{scriptsize}
   3.558 +
   3.559 +We assume that the processing in domain1 contributes to the \verb|A-Bank| workload.
   3.560 +We explore now how to transition this domain into the ``A-Bank'' workload-protection.
   3.561 +The following command prints all domain labels available in the active policy:
   3.562 +
   3.563 +\begin{scriptsize}
   3.564 +\begin{verbatim}
   3.565 +# xm labels
   3.566 +A-Bank
   3.567 +A-Bank.MarketAnalysis
   3.568 +A-Bank.SecurityUnderwriting
   3.569 +AutoCorp
   3.570 +B-Bank
   3.571 +SystemManagement
   3.572 +__UNLABELED__
   3.573 +\end{verbatim}
   3.574 +\end{scriptsize}
   3.575 +
   3.576 +Now label \verb|domain1| with the A-Bank label and another \verb|domain2|
   3.577 +with the B-Bank label. Please refer to the xm man page for
   3.578 +further information.
   3.579  
   3.580  \begin{verbatim}
   3.581 -  (7) # xm addlabel CocaCola dom domain1.xm
   3.582 -      # xm addlabel PepsiCo.Extranet dom domain2.xm
   3.583 +  (6) # xm addlabel A-Bank dom domain1.xm
   3.584 +      # xm addlabel B-Bank dom domain2.xm
   3.585  \end{verbatim}
   3.586  
   3.587  Let us try to start the domain again:
   3.588  
   3.589  \begin{scriptsize}
   3.590  \begin{verbatim}
   3.591 -         # xm create domain1.xm
   3.592 -         Using config file "domain1.xm".
   3.593 -            file:/home/xen/dom_fc5/fedora.fc5.img: DENIED
   3.594 -            --> res:__NULL_LABEL__ (NULL)
   3.595 -            --> dom:CocaCola (example.chwall_ste.test-wld)
   3.596 -            file:/home/xen/dom_fc5/fedora.swap: DENIED
   3.597 -            --> res:__NULL_LABEL__ (NULL)
   3.598 -            --> dom:CocaCola (example.chwall_ste.test-wld)
   3.599 -         Security configuration prevents domain from starting
   3.600 +# xm create domain1.xm
   3.601 +Using config file "./domain1.xm".
   3.602 +Error: VM's access to block device 'file:/home/xen/dom_fc5/fedora.fc5.img' denied
   3.603  \end{verbatim}
   3.604  \end{scriptsize}
   3.605  
   3.606 -This error indicates that domain1, if started, would not be able to
   3.607 +This error indicates that \verb|domain1|, if started, would not be able to
   3.608  access its image and swap files because they are not labeled.  This
   3.609  makes sense because to confine workloads, access of domains to
   3.610  resources must be controlled.  Otherwise, domains that are not allowed
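Review bot: The new text at 3.497 ("All other domains must be explicitly labeled") and at 3.524 ("Every domain must be associated with a security label before it can start on sHype/Xen") contradicts the example at 3.534-3.540, where an unlabeled domain1 starts and runs as ACM:mytest:__UNLABELED__. Since ezPolicy adds __UNLABELED__ to every new workload definition (3.209-3.210), a reader following the guide ends up with a policy that admits unlabeled domains by default, and these two sentences suggest the opposite. Please reword both to say that a domain without an explicit label runs under __UNLABELED__ for as long as that type is in the policy, and point to the note at 3.310-3.318 for disabling it. Smaller points in the same hunk: 3.228 carries over the "<CRTL>-a" typo while every other key reference uses "<CTRL>"; 3.208 opens the quotation with '' instead of ``, so LaTeX will typeset a closing quote on both sides; the prompt at 3.553 ("#xm list --label") is missing the space used in the other examples; and the context line 3.292 still reads "into a access control policy" although the paragraph title just above it was corrected to "an".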
   3.611 @@ -2481,153 +2558,358 @@ resources.
   3.612  \subsection{Labeling Resources}
   3.613  \label{subsection:acmexamplelabelresources}
   3.614  You can use the \verb|xm labels type=res| command to list available
   3.615 -resource labels. Let us assign the CocaCola resource label to the domain1
   3.616 -image file representing \verb|/dev/sda1| and to its swap file:
   3.617 +resource labels. Let us assign the A-Bank resource label to the
   3.618 +\verb|domain1| image file representing \verb|/dev/sda1| and to its swap file:
   3.619  
   3.620  \begin{verbatim}
   3.621 -  (8) # xm addlabel CocaCola res \
   3.622 -           file:/home/xen/dom_fc5/fedora.fc5.img
   3.623 -      Resource file not found, creating new file at:
   3.624 -      /etc/xen/acm-security/policies/resource_labels
   3.625 -      # xm addlabel CocaCola res \
   3.626 -           file:/home/xen/dom_fc5/fedora.swap
   3.627 +  (7) # xm addlabel A-Bank res \
   3.628 +      file:/home/xen/dom_fc5/fedora.fc5.img
   3.629 +
   3.630 +      # xm addlabel A-Bank res \
   3.631 +      file:/home/xen/dom_fc5/fedora.fc5.swap
   3.632  \end{verbatim}
   3.633  
   3.634 -Starting \verb|domain1| now will succeed:
   3.635 +The following command lists all labeled resources on the system, e.g.,
   3.636 +to lookup or verify the labeling:
   3.637  
   3.638  \begin{scriptsize}
   3.639  \begin{verbatim}
   3.640 -         # xm create domain1.xm
   3.641 -         # xm list --label
   3.642 -         Name           ID Mem(MiB) VCPUs State  Time(s)  Label
   3.643 -         domain1         1      128     1 r-----     2.8  CocaCola
   3.644 -         Domain-0        0     1949     4 r-----   387.7  SystemManagement
   3.645 +# xm resources
   3.646 +file:/home/xen/dom_fc5/fedora.fc5.swap
   3.647 +      type: ACM
   3.648 +    policy: mytest
   3.649 +     label: A-Bank
   3.650 +file:/home/xen/dom_fc5/fedora.fc5.img
   3.651 +      type: ACM
   3.652 +    policy: mytest
   3.653 +     label: A-Bank
   3.654  \end{verbatim}
   3.655  \end{scriptsize}
   3.656  
   3.657 -The following command lists all labeled resources on the
   3.658 -system, e.g., to lookup or verify the labeling:
   3.659 +Starting \verb|domain1| will now succeed:
   3.660  
   3.661  \begin{scriptsize}
   3.662  \begin{verbatim}
   3.663 -         # xm resources
   3.664 -         file:/home/xen/dom_fc5/fedora.swap
   3.665 -             policy: example.chwall_ste.test-wld
   3.666 -             label:  CocaCola
   3.667 -         file:/home/xen/dom_fc5/fedora.fc5.img
   3.668 -             policy: example.chwall_ste.test-wld
   3.669 -             label:  CocaCola
   3.670 +# xm create domain1.xm
   3.671 +Using config file "./domain1.xm".
   3.672 +Started domain domain1
   3.673 +
   3.674 +# xm list --label
   3.675 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.676 +domain1    3   128     1     -b----      0.8  ACM:mytest:A-Bank
   3.677 +Domain-0   0   875     1     r-----     90.9  ACM:mytest:SystemManagement
   3.678  \end{verbatim}
   3.679  \end{scriptsize}
   3.680  
   3.681  Currently, if a labeled resource is moved to another location, the
   3.682  label must first be manually removed, and after the move re-attached
   3.683 -using the xm commands \verb|xm rmlabel| and \verb|xm addlabel|
   3.684 +using the xm commands \verb|rmlabel| and \verb|addlabel|
   3.685  respectively.  Please see Section~\ref{section:acmlimitations} for
   3.686  further details.
   3.687  
   3.688  \begin{verbatim}
   3.689 -  (9) Label the resources of domain2 as PepsiCo.Extranet
   3.690 -      Do not try to start this domain yet
   3.691 +  (8) Label the resources of domain2 as B-Bank
   3.692 +      but please do not start this domain yet.
   3.693  \end{verbatim}
   3.694  
   3.695  \subsection{Testing The Xen Workload Protection}
   3.696  \label{subsection:acmexampletest}
   3.697 -We are about to demonstrate how the workload protection works by
   3.698 -verifying:
   3.699 +
   3.700 +We are about to demonstrate the sHype/Xen workload protection by verifying
   3.701  \begin{itemize}
   3.702 -\item that domains with conflicting workloads cannot run
   3.703 +\item that user domains with conflicting workloads cannot run
   3.704    simultaneously
   3.705 -\item that domains cannot access resources of other workloads
   3.706 -\item that domains cannot exchange network packets if they are not
   3.707 -  associated with the same workload type
   3.708 +\item that user domains cannot access resources of workloads other than the
   3.709 +	one they are associated with
   3.710 +\item that user domains cannot exchange network packets if they are not
   3.711 +  associated with the same workload type (not yet supported in Xen)
   3.712  \end{itemize}
   3.713  
   3.714 -\paragraph{Test 1: Run-time exclusion rules.} We assume that domain1
   3.715 -with the CocaCola label is still running. While domain1 is running,
   3.716 -the run-time exclusion set of our policy says that domain2 cannot
   3.717 -start because the label of domain1 includes the CHWALL type CocaCola
   3.718 -and the label of domain2 includes the CHWALL type PepsiCo. The
   3.719 -run-time exclusion rule of our policy enforces that PepsiCo and
   3.720 -CocaCola cannot run at the same time on the same hypervisor platform.
   3.721 -Once domain1 is stopped or saved, domain2 can start but domain1 can no
   3.722 -longer start or be resumed. The ezPolicy tool, when creating the
   3.723 -Chinese Wall types for the workload labels, ensures that department
   3.724 -workloads inherit the organization type (and with it any organization
   3.725 -exclusions).
   3.726 +\paragraph{Test 1: Run-time exclusion rules.} We assume that \verb|domain1|
   3.727 +with the A-Bank label is still running. While \verb|domain1| is running,
   3.728 +the run-time exclusion set of our policy implies that \verb|domain2| cannot
   3.729 +start because the label of \verb|domain1| includes the CHWALL type A-Bank
   3.730 +and the label of \verb|domain2| includes the CHWALL type B-Bank. The
   3.731 +run-time exclusion rule of our policy enforces that A-Bank and
   3.732 +B-Bank cannot run at the same time on the same hypervisor platform.
   3.733 +Once domain1 is stopped, saved, or migrated to another platform,
   3.734 +\verb|domain2| can start. Once \verb|domain2| is started, however,
   3.735 +\verb|domain1| can no longer start or resume on this system. When creating the
   3.736 +Chinese Wall types for the workload labels, the ezPolicy tool policy
   3.737 +translation component ensures that department workloads inherit all the
   3.738 +organization types (and with it any organization exclusions).
   3.739  
   3.740  \begin{scriptsize}
   3.741  \begin{verbatim}
   3.742  # xm list --label
   3.743 -Name           ID Mem(MiB) VCPUs State  Time(s)  Label
   3.744 -domain1         2      128     1 -b----     6.9  CocaCola
   3.745 -Domain-0        0     1949     4 r-----   273.1  SystemManagement
   3.746 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.747 +domain1    3   128     1     -b----      0.8  ACM:mytest:A-Bank
   3.748 +Domain-0   0   875     1     r-----     90.9  ACM:mytest:SystemManagement
   3.749  
   3.750  # xm create domain2.xm
   3.751 -Using config file "domain2.xm".
   3.752 -Error: (1, 'Operation not permitted')
   3.753 -
   3.754 -# xm destroy domain1
   3.755 +Using config file "./domain2.xm".
   3.756 +Error: 'Domain in conflict set with running domains'
   3.757 +
   3.758 +# xm shutdown domain1
   3.759 +(wait some seconds until domain 1 is shut down)
   3.760 +
   3.761 +# xm list --label
   3.762 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.763 +Domain-0   0   873     1     r-----     95.3  ACM:mytest:SystemManagement
   3.764 +
   3.765  # xm create domain2.xm
   3.766 -Using config file "domain2.xm".
   3.767 +Using config file "./domain2.xm".
   3.768  Started domain domain2
   3.769  
   3.770  # xm list --label
   3.771 -Name           ID Mem(MiB) VCPUs State  Time(s)  Label
   3.772 -domain2         4      164     1 r-----     4.3  PepsiCo.Extranet
   3.773 -Domain-0        0     1949     4 r-----   298.4  SystemManagement
   3.774 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.775 +domain2    5   164     1     -b----      0.3  ACM:mytest:B-Bank
   3.776 +Domain-0   0   839     1     r-----     96.4  ACM:mytest:SystemManagement
   3.777  
   3.778  # xm create domain1.xm
   3.779  Using config file "domain1.xm".
   3.780 -Error: (1, 'Operation not permitted')
   3.781 -
   3.782 -# xm destroy domain2
   3.783 -# xm list
   3.784 -Name           ID Mem(MiB) VCPUs State  Time(s)
   3.785 -Domain-0        0     1949     4 r-----   391.2
   3.786 +Error: 'Domain in conflict with running domains'
   3.787 +
   3.788 +# xm shutdown domain2
   3.789 +# xm list --label
   3.790 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.791 +Domain-0   0   839     1     r-----     97.8  ACM:mytest:SystemManagement
   3.792  \end{verbatim}
   3.793  \end{scriptsize}
   3.794  
   3.795 -You can verify that domains with Avis label can run together with
   3.796 -domains labeled CocaCola, PepsiCo, or Hertz.
   3.797 +You can verify that domains with AutoCorp label can run together with
   3.798 +domains labeled A-Bank or B-Bank.
   3.799  
   3.800  \paragraph{Test2: Resource access.} In this test, we will re-label the
   3.801 -swap file for domain1 with the Avis resource label. We expect that
   3.802 -Domain1 will no longer start because it cannot access this resource.
   3.803 -This test checks the sharing abilities of domains, which are defined
   3.804 -by the Simple Type Enforcement Policy component.
   3.805 +swap file for \verb|domain1| with the \verb|B-Bank| resource label. In a
   3.806 +real environment, the swap file must be sanitized (scrubbed/zeroed) before
   3.807 +it is reassigned to prevent data leaks from the A-Bank to the B-Bank workload
   3.808 +through the swap file.
   3.809 +
   3.810 +We expect that \verb|domain1| will no longer start because it cannot access
   3.811 +this resource. This test checks the sharing abilities of domains, which are
   3.812 +defined by the Simple Type Enforcement Policy component.
   3.813  
   3.814  \begin{scriptsize}
   3.815  \begin{verbatim}
   3.816 -# xm rmlabel res file:/home/xen/dom_fc5/fedora.swap
   3.817 -# xm addlabel Avis res file:/home/xen/dom_fc5/fedora.swap
   3.818 +# xm rmlabel res file:/home/xen/dom_fc5/fedora.fc5.swap
   3.819 +
   3.820 +# xm addlabel B-Bank res file:/home/xen/dom_fc5/fedora.fc5.swap
   3.821 +
   3.822  # xm resources
   3.823 -file:/home/xen/dom_fc5/fedora.swap
   3.824 -    policy: example.chwall_ste.test-wld
   3.825 -    label:  Avis
   3.826 +file:/home/xen/dom_fc5/fedora.fc5.swap
   3.827 +      type: ACM
   3.828 +    policy: mytest
   3.829 +     label: B-Bank
   3.830  file:/home/xen/dom_fc5/fedora.fc5.img
   3.831 -    policy: example.chwall_ste.test-wld
   3.832 -    label:  CocaCola
   3.833 +      type: ACM
   3.834 +    policy: mytest
   3.835 +     label: A-Bank
   3.836  
   3.837  # xm create domain1.xm
   3.838 -Using config file "domain1.xm".
   3.839 -   file:/home/xen/dom_fc4/fedora.swap: DENIED
   3.840 -   --> res:Avis (example.chwall_ste.test-wld)
   3.841 -   --> dom:CocaCola (example.chwall_ste.test-wld)
   3.842 -Security configuration prevents domain from starting
   3.843 +Using config file "./domain1.xm".
   3.844 +Error:
   3.845 +VM's access to block device 'file:/home/xen/dom_fc5/fedora.fc5.swap' denied
   3.846  \end{verbatim}
   3.847  \end{scriptsize}
   3.848  
   3.849 +The resource authorization checks are performed before the domain is actually started
   3.850 +so that failures during the startup are prevented. A domain is only started if all
   3.851 +the resources specified in its configuration are accessible.
   3.852 +
   3.853  \paragraph{Test 3: Communication.} In this test we would verify that
   3.854 -two domains with labels Hertz and Avis cannot exchange network packets
   3.855 +two domains with labels A-Bank and B-Bank cannot exchange network packets
   3.856  by using the 'ping' connectivity test. It is also related to the STE
   3.857 -policy.{\bf Note:} sHype/Xen does control direct communication between
   3.858 +policy. {\bf Note:} sHype/Xen does control direct communication between
   3.859  domains. However, domains associated with different workloads can
   3.860 -currently still communicate through the Domain0 virtual network. We
   3.861 +currently still communicate through the Domain-0 virtual network. We
   3.862  are working on the sHype/ACM controls for local and remote network
   3.863 -traffic through Domain0.  Please monitor the xen-devel mailing list
   3.864 +traffic through Domain-0. Please monitor the xen-devel mailing list
   3.865  for updated information.
   3.866  
   3.867 +
   3.868 +\subsection{Labeling Domain-0 --or-- Restricting System Authorization}
   3.869 +\label{subsection:acmlabeldom0}
   3.870 +The major use case for explicitly labeling or relabeling Domain-0 is to restrict
   3.871 +or extend which workload types can run on a virtualized Xen system. This enables
   3.872 +flexible partitioning of the physical infrastructure as well as the workloads
   3.873 +running on it in a multi-platform environment.
   3.874 +
   3.875 +In case no Domain-0 label is explicitly stated, we automatically assigned Domain-0
   3.876 +the \verb|SystemManagement| label, which includes all STE (workload) types that
   3.877 +are known to the policy. In effect, the Domain-0 label authorizes the Xen system
   3.878 +to run only those workload types, whose STE types are included in the Domain-0
   3.879 +label. Hence, choosing the \verb|SystemManagement| label for Domain-0 permits any
   3.880 +labeled domain to run. Resetting the label for Domain-0 at boot or run-time to
   3.881 +a label with a subset of the known STE workload types restricts which user domains
   3.882 +can run on this system. If Domain-0 is relabeled at run-time, then the new label
   3.883 +must at least include all STE types of those domains that are currently running.
   3.884 +The operation fails otherwise. This requirement ensures that the system remains
   3.885 +in a valid security configuration after re-labelling.
   3.886 +
   3.887 +Restricting the Domain-0 authorization through the label creates a flexible
   3.888 +policy-driven way to strongly partition the physical infrastructure and the
   3.889 +workloads running on it. This partitioning will be automatically enforced during
   3.890 +migration, start, or resume of domains and simplifies the security management
   3.891 +considerably. Strongly competing workloads can be forced to run on separate physical
   3.892 +infrastructure and become less depend on the domain isolation capabilities
   3.893 +of the hypervisor.
   3.894 +
   3.895 +First, we relabel the swap image back to A-Bank and then start up domain1:
   3.896 +\begin{scriptsize}
   3.897 +\begin{verbatim}
   3.898 +# xm rmlabel res file:/home/xen/dom_fc5/fedora.fc5.swap
   3.899 +
   3.900 +# xm addlabel A-Bank res file:/home/xen/dom_fc5/fedora.fc5.swap
   3.901 +
   3.902 +# xm create domain1.xm
   3.903 +Using config file "./domain1.xm".
   3.904 +Started domain domain1
   3.905 +
   3.906 +# xm list --label
   3.907 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.908 +domain1    7   128     1     -b----      0.7  ACM:mytest:A-Bank
   3.909 +Domain-0   0   839     1     r-----    103.1  ACM:mytest:SystemManagement
   3.910 +\end{verbatim}
   3.911 +\end{scriptsize}
   3.912 +
   3.913 +The following command will restrict the Xen system to only run STE types
   3.914 +included in the A-Bank label.
   3.915 +
   3.916 +\begin{scriptsize}
   3.917 +\begin{verbatim}
   3.918 +# xm addlabel A-Bank mgt Domain-0
   3.919 +Successfully set the label of domain 'Domain-0' to 'A-Bank'.
   3.920 +
   3.921 +# xm list --label
   3.922 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.923 +Domain-0   0   839     1     r-----    103.7  ACM:mytest:A-Bank
   3.924 +domain1    7   128     1     -b----      0.7  ACM:mytest:A-Bank
   3.925 +
   3.926 +\end{verbatim}
   3.927 +\end{scriptsize}
   3.928 +
   3.929 +In our example policy in Figure~\ref{fig:acmxmlfileb}, this means that
   3.930 +only \verb|A-Bank| domains and workloads (types) can run after the
   3.931 +successful completion of this command because the \verb|A-Bank| label
   3.932 +includes only a single STE type, namely \verb|A-Bank|. This command
   3.933 +fails if any running domain has an STE type in its label that is not
   3.934 +included in the A-Bank label.
   3.935 +
   3.936 +If we now label a domain3 with AutoCorp, it cannot start because Domain-0 is
   3.937 +no longer authorized to run the workload type \verb|AutoCorp|.
   3.938 +\begin{scriptsize}
   3.939 +\begin{verbatim}
   3.940 +# xm addlabel AutoCorp dom domain3.xm
   3.941 +  (remember to label its resources, too)
   3.942 +
   3.943 +# xm create domain3.xm
   3.944 +Using config file "./domain3.xm".
   3.945 +Error: VM is not authorized to run.
   3.946 +
   3.947 +# xm list --label
   3.948 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.949 +Domain-0   0   839     1     r-----    104.7  ACM:mytest:A-Bank
   3.950 +domain1    7   128     1     -b----      0.7  ACM:mytest:A-Bank
   3.951 +\end{verbatim}
   3.952 +\end{scriptsize}
   3.953 +
   3.954 +At this point, unlabeled domains cannot start either. Let domain4.xm
   3.955 +describe an unlabeled domain, then trying to start domain4
   3.956 +will fail:
   3.957 +\begin{scriptsize}
   3.958 +\begin{verbatim}
   3.959 +# xm getlabel dom domain4.xm
   3.960 +Error: 'Domain not labeled'
   3.961 +
   3.962 +# xm create domain4.xm
   3.963 +Using config file "./domain4.xm".
   3.964 +Error: VM is not authorized to run.
   3.965 +\end{verbatim}
   3.966 +\end{scriptsize}
   3.967 +
   3.968 +Relabeling Domain-0 with the SystemManagement label will enable domain3 to start.
   3.969 +\begin{scriptsize}
   3.970 +\begin{verbatim}
   3.971 +# xm addlabel SystemManagement mgt Domain-0
   3.972 +Successfully set the label of domain 'Domain-0' to 'SystemManagement'.
   3.973 +
   3.974 +# xm list --label
   3.975 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.976 +domain1    7   128     1     -b----      0.8  ACM:mytest:A-Bank
   3.977 +Domain-0   0   839     1     r-----    106.6  ACM:mytest:SystemManagement
   3.978 +
   3.979 +# xm create domain3.xm
   3.980 +Using config file "./domain3.xm".
   3.981 +Started domain domain3
   3.982 +
   3.983 +# xm list --label
   3.984 +Name      ID   Mem VCPUs      State   Time(s) Label
   3.985 +domain1    7   128     1     -b----      0.8 ACM:mytest:A-Bank
   3.986 +domain3    8   164     1     -b----      0.3 ACM:mytest:AutoCorp
   3.987 +Domain-0   0   711     1     r-----    107.6 ACM:mytest:SystemManagement
   3.988 +\end{verbatim}
   3.989 +\end{scriptsize}
   3.990 +
   3.991 +
   3.992 +\subsection{Labeling Managed User Domains}
   3.993 +\label{subsection:acmlabelmanageddomains}
   3.994 +
   3.995 +Xend has been extended with functionality to manage domains along with their
   3.996 +configuration information. Such domains are configured and started via Xen-API
   3.997 +calls. Since managed domains do not have an associated xm configuration file,
   3.998 +the existing \verb|addlabel| command, which adds the security label into a
   3.999 +domain's configuration file, will not work for such managed domains.
  3.1000 +
  3.1001 +Therefore, we have extended the \verb|xm addlabel| and \verb|xm rmlabel|
  3.1002 +subcommands to enable adding security labels to and removing security
  3.1003 +labels from managed domain configurations. The following example shows how
  3.1004 +the \verb|A-Bank| label can be assigned to the xend-managed
  3.1005 +domain configuration of \verb|domain1|. Removing labels from managed user
  3.1006 +domain configurations works similarly.
  3.1007 +
  3.1008 +Below, we show a dormant configuration of the managed domain1
  3.1009 +with ID \verb|"-1"| and state \verb|"-----"| before labeling:
  3.1010 +\begin{scriptsize}
  3.1011 +\begin{verbatim}
  3.1012 +# xm list --label
  3.1013 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.1014 +domain1   -1   128     1     ------      0.0 ACM:mytest:__UNLABELED__
  3.1015 +Domain-0   0   711     1     r-----    128.4 ACM:mytest:SystemManagement
  3.1016 +\end{verbatim}
  3.1017 +\end{scriptsize}
  3.1018 +
  3.1019 +Now we label the managed domain:
  3.1020 +\begin{scriptsize}
  3.1021 +\begin{verbatim}
  3.1022 +# xm addlabel A-Bank mgt domain1
  3.1023 +Successfully set the label of the dormant domain 'domain1' to 'A-Bank'.
  3.1024 +\end{verbatim}
  3.1025 +\end{scriptsize}
  3.1026 +
  3.1027 +After labeling, you can see that the security label is part of the
  3.1028 +domain configuration:
  3.1029 +\begin{scriptsize}
  3.1030 +\begin{verbatim}
  3.1031 +# xm list --label
  3.1032 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.1033 +domain1   -1   128     1     ------      0.0  ACM:mytest:A-Bank
  3.1034 +Domain-0   0   711     1     r-----    129.7  ACM:mytest:SystemManagement
  3.1035 +\end{verbatim}
  3.1036 +\end{scriptsize}
  3.1037 +
  3.1038 +This command extension does not support relabeling of individual running user domains
  3.1039 +for several reasons. For one, because of the difficulty to revoke resources
  3.1040 +in cases where a running domain's new label does not permit access to resources
  3.1041 +that were accessible under the old label. Another reason is that changing the
  3.1042 +label of a single domain of a workload is rarely a good choice and will affect
  3.1043 +the workload isolation properties of the overall workload.
  3.1044 +
  3.1045 +However, the name and contents of the label associated with running domains can
  3.1046 +be indirectly changed through a global policy change, which will update the whole
  3.1047 +workload consistently (domains and resources), cf.
  3.1048 +Section~\ref{subsection:acmpolicymanagement}.
  3.1049 +
  3.1050  \section{Xen Access Control Policy}
  3.1051  \label{section:acmpolicy}
  3.1052  
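Review bot: The Test2 paragraph now says the swap file must be sanitized (scrubbed/zeroed) before it is reassigned, but the example session goes straight from "xm rmlabel res" to "xm addlabel B-Bank res" on fedora.fc5.swap, and the new Domain-0 subsection relabels the same file back to A-Bank, again with no scrub step. A reader who copies the session verbatim skips the one step the text calls mandatory. Consider a one-line remark between the two commands in each listing, in the style of the "(remember to label its resources, too)" remark used in the domain3 listing. Wording nits in the added text: "become less depend on the domain isolation capabilities" should read "become less dependent on"; "we automatically assigned Domain-0" is past tense in an otherwise present-tense paragraph; "re-labelling" is spelled "relabeling" everywhere else in the section; and the paragraph headings read "Test2:" and "Test 3:", which could be made consistent while these paragraphs are being touched.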
  3.1053 @@ -2637,68 +2919,73 @@ access control policies and to use the a
  3.1054  policy language is expressive enough to specify most symmetric access
  3.1055  relationships between domains and resources efficiently.
  3.1056  
  3.1057 -The Xen access control policy consists of two policy components. The
  3.1058 -first component, called Chinese Wall (CHWALL) policy, controls which
  3.1059 -domains can run simultaneously on the same virtualized platform. The
  3.1060 -second component, called Simple Type Enforcement (STE) policy,
  3.1061 -controls the sharing between running domains, i.e., communication or
  3.1062 -access to shared resources. The CHWALL and STE policy components can
  3.1063 -be configured to run alone, however in our examples we will assume
  3.1064 -that both policy components are configured together since they
  3.1065 -complement each other. The XML policy file includes all information
  3.1066 -needed by Xen to enforce the policies.
  3.1067 -
  3.1068 -Figures~\ref{fig:acmxmlfilea} and \ref{fig:acmxmlfileb} show a fully
  3.1069 -functional but very simple example policy for Xen. The policy can
  3.1070 -distinguish two workload types \verb|CocaCola| and \verb|PepsiCo| and
  3.1071 -defines the labels necessary to associate domains and resources with
  3.1072 -one of these workload types. The XML Policy consists of four parts:
  3.1073 +The Xen access control policy consists of two policy components.  The
  3.1074 +first component, called Simple Type Enforcement (STE) policy, controls
  3.1075 +the sharing between running domains, i.e., communication or access to
  3.1076 +shared resources. The second component, called Chinese Wall (CHWALL)
  3.1077 +policy, controls which domains can run simultaneously on the same
  3.1078 +virtualized platform. The CHWALL and STE policy components complement
  3.1079 +each other. The XML policy file includes all information
  3.1080 +needed by Xen to enforce those policies.
  3.1081 +
  3.1082 +Figures~\ref{fig:acmxmlfilea} and \ref{fig:acmxmlfileb} show the fully
  3.1083 +functional but very simple example Xen security policy that is created
  3.1084 +by ezPolicy as shown in Figure~\ref{fig:acmezpolicy}. The policy can
  3.1085 +distinguish the 6 workload types shown in lines 11-17 in
  3.1086 +Fig.~\ref{fig:acmxmlfilea}. The whole XML Security Policy consists of
  3.1087 +four parts:
  3.1088  \begin{enumerate}
  3.1089 -\item policy header including the policy name
  3.1090 +\item Policy header including the policy name
  3.1091  \item Simple Type Enforcement block
  3.1092  \item Chinese Wall Policy block
  3.1093 -\item label definition block
  3.1094 +\item Label definition block
  3.1095  \end{enumerate}
  3.1096  
  3.1097  \begin{figure}
  3.1098  \begin{scriptsize}
  3.1099  \begin{verbatim}
  3.1100 -01 <?xml version="1.0" encoding="UTF-8"?>
  3.1101 -02 <!-- Auto-generated by ezPolicy        -->
  3.1102 -03 <SecurityPolicyDefinition
  3.1103 -      xmlns="http://www.ibm.com"
  3.1104 -      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3.1105 -      xsi:schemaLocation=
  3.1106 -          "http://www.ibm.com ../../security_policy.xsd ">
  3.1107 -04     <PolicyHeader>
  3.1108 -05         <PolicyName>example.test</PolicyName>
  3.1109 -06         <Date>Wed Jul 12 17:32:59 2006</Date>
  3.1110 -07         <Version>1.0</Version>
  3.1111 -08     </PolicyHeader>
  3.1112 -09
  3.1113 -10     <SimpleTypeEnforcement>
  3.1114 -11         <SimpleTypeEnforcementTypes>
  3.1115 -12             <Type>SystemManagement</Type>
  3.1116 -13             <Type>PepsiCo</Type>
  3.1117 -14             <Type>CocaCola</Type>
  3.1118 -15         </SimpleTypeEnforcementTypes>
  3.1119 -16     </SimpleTypeEnforcement>
  3.1120 -17
  3.1121 -18     <ChineseWall priority="PrimaryPolicyComponent">
  3.1122 -19         <ChineseWallTypes>
  3.1123 -20             <Type>SystemManagement</Type>
  3.1124 -21             <Type>PepsiCo</Type>
  3.1125 -22             <Type>CocaCola</Type>
  3.1126 -23         </ChineseWallTypes>
  3.1127 -24
  3.1128 -25         <ConflictSets>
  3.1129 -26             <Conflict name="RER1">
  3.1130 -27                 <Type>CocaCola</Type>
  3.1131 -28                 <Type>PepsiCo</Type>
  3.1132 -29             </Conflict>
  3.1133 -30        </ConflictSets>
  3.1134 -31     </ChineseWall>
  3.1135 -32
  3.1136 +01  <?xml version="1.0" ?>
  3.1137 +02  <!-- Auto-generated by ezPolicy        -->
  3.1138 +03  <SecurityPolicyDefinition ...">
  3.1139 +04      <PolicyHeader>
  3.1140 +05          <PolicyName>mytest</PolicyName>
  3.1141 +06          <Date>Mon Nov 19 22:51:56 2007</Date>
  3.1142 +07          <Version>1.0</Version>
  3.1143 +08      </PolicyHeader>
  3.1144 +09      <SimpleTypeEnforcement>
  3.1145 +10          <SimpleTypeEnforcementTypes>
  3.1146 +11              <Type>SystemManagement</Type>
  3.1147 +12              <Type>__UNLABELED__</Type>
  3.1148 +13              <Type>A-Bank</Type>
  3.1149 +14              <Type>A-Bank.SecurityUnderwriting</Type>
  3.1150 +15              <Type>A-Bank.MarketAnalysis</Type>
  3.1151 +16              <Type>B-Bank</Type>
  3.1152 +17              <Type>AutoCorp</Type>
  3.1153 +18          </SimpleTypeEnforcementTypes>
  3.1154 +19      </SimpleTypeEnforcement>
  3.1155 +20      <ChineseWall priority="PrimaryPolicyComponent">
  3.1156 +21          <ChineseWallTypes>
  3.1157 +22              <Type>SystemManagement</Type>
  3.1158 +23              <Type>__UNLABELED__</Type>
  3.1159 +24              <Type>A-Bank</Type>
  3.1160 +25              <Type>A-Bank.SecurityUnderwriting</Type>
  3.1161 +26              <Type>A-Bank.MarketAnalysis</Type>
  3.1162 +27              <Type>B-Bank</Type>
  3.1163 +28              <Type>AutoCorp</Type>
  3.1164 +29          </ChineseWallTypes>
  3.1165 +30          <ConflictSets>
  3.1166 +31              <Conflict name="RER">
  3.1167 +32                  <Type>A-Bank</Type>
  3.1168 +33                  <Type>B-Bank</Type>
  3.1169 +34                  <Type>__UNLABELED__</Type>
  3.1170 +35              </Conflict>
  3.1171 +36              <Conflict name="RER">
  3.1172 +37                  <Type>A-Bank.MarketAnalysis</Type>
  3.1173 +38                  <Type>A-Bank.SecurityUnderwriting</Type>
  3.1174 +39                  <Type>__UNLABELED__</Type>
  3.1175 +40              </Conflict>
  3.1176 +41         </ConflictSets>
  3.1177 +42      </ChineseWall>
  3.1178  \end{verbatim}
  3.1179  \end{scriptsize}
  3.1180  \caption{Example XML security policy file -- Part I: Types and Rules Definition.}
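Review bot: "distinguish the 6 workload types shown in lines 11-17" does not match the new figure, where lines 11-17 carry seven Type entries (SystemManagement, __UNLABELED__, A-Bank, A-Bank.SecurityUnderwriting, A-Bank.MarketAnalysis, B-Bank, AutoCorp). Either change the count or say which entry is not considered a workload type. In the listing itself, line 03 reads <SecurityPolicyDefinition ..."> and leaves a dangling double quote after the elided attributes, so the excerpt no longer looks like well-formed XML; dropping the quote or keeping one attribute would fix that. Both Conflict elements are named "RER", whereas the removed example used "RER1"; if the name is meant to identify a rule, distinct names would make the two sets easier to refer to in the text, and if the duplication is what ezPolicy emits, a sentence saying so would help.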
  3.1181 @@ -2716,15 +3003,16 @@ for security policies can be found in th
  3.1182  acm-security directory is only installed if ACM security is configured
  3.1183  during installation (cf Section~\ref{subsection:acmexampleconfigure}).
  3.1184  
  3.1185 -The \verb|Policy Header| spans lines 4-7. It includes a date field and
  3.1186 -defines the policy name \verb|example.chwall_ste.test|. It can also
  3.1187 -include optional fields that are not shown and are for future use (see
  3.1188 -schema definition).
  3.1189 +The \verb|Policy Header| spans lines 4-8. It includes a date field and
  3.1190 +defines the policy name \verb|mytest| as well
  3.1191 +as the version of the XML. It can also include optional fields that are
  3.1192 +not shown and are for future use (see schema definition).
  3.1193  
  3.1194  The policy name serves two purposes: First, it provides a unique name
  3.1195  for the security policy. This name is also exported by the Xen
  3.1196  hypervisor to the Xen management tools in order to ensure that both
  3.1197 -enforce the same policy. We plan to extend the policy name with a
  3.1198 +the Xen hypervisor and Domain-0 enforce the same policy.
  3.1199 +We plan to extend the policy name with a
  3.1200  digital fingerprint of the policy contents to better protect this
  3.1201  correlation.  Second, it implicitly points the xm tools to the
  3.1202  location where the XML policy file is stored on the Xen system.
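Review bot: "defines the policy name mytest as well as the version of the XML" is ambiguous, because the figure has two version values: the xml declaration on line 01 and the Version element inside PolicyHeader on line 07. Since the sentence describes lines 4-8, it presumably means the Version element; naming the element explicitly (and saying what it versions) would remove the doubt. The rewritten sentence "both the Xen hypervisor and Domain-0 enforce the same policy" is a clear improvement over the old "both".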
  3.1203 @@ -2732,118 +3020,123 @@ Replacing the colons in the policy name 
  3.1204  path to the policy file starting from the global policy directory
  3.1205  \verb|/etc/xen/acm-security/policies|. The last part of the policy
  3.1206  name is the prefix for the XML policy file name, completed by
  3.1207 -\verb|-security_policy.xml|. Consequently, the policy with the name
  3.1208 -\verb|example.chwall_ste.test| can be found in the XML policy file
  3.1209 -named \verb|test-security_policy.xml| that is stored in the local
  3.1210 -directory \verb|example/chwall_ste| under the global policy directory.
  3.1211 +\verb|-security_policy.xml|. Our example policy with the name
  3.1212 +\verb|mytest| can be found in the XML policy file named
  3.1213 +\verb|mytest-security_policy.xml| that is stored under the global
  3.1214 +policy directory. Another, preinstalled example policy named
  3.1215 +\verb|example.test| can be found in the \verb|test-security_policy.xml|
  3.1216 +under \verb|/etc/xen/acm-security/policies/example|.
  3.1217  
  3.1218  \subsection{Simple Type Enforcement Policy Component}
  3.1219  
  3.1220  The Simple Type Enforcement (STE) policy controls which domains can
  3.1221  communicate or share resources. This way, Xen can enforce confinement
  3.1222  of workload types by confining the domains running those workload
  3.1223 -types. The mandatory access control framework enforces its policy when
  3.1224 -domains access intended ways of communication or cooperation (shared
  3.1225 +types and their resources. The mandatory access control framework
  3.1226 +enforces its policy when
  3.1227 +domains access intended communication or cooperation means (shared
  3.1228  memory, events, shared resources such as block devices). It builds on
  3.1229  top of the core hypervisor isolation, which restricts the ways of
  3.1230  inter-communication to those intended means.  STE does not protect or
  3.1231  intend to protect from covert channels in the hypervisor or hardware;
  3.1232  this is an orthogonal problem that can be mitigated by using the
  3.1233 -Run-time Exclusion rules described above or by fixing the problem in
  3.1234 -the core hypervisor.
  3.1235 +Run-time Exclusion rules described above or by fixing the problem leading
  3.1236 +to those covert channels in the core hypervisor or hardware platform.
  3.1237  
  3.1238  Xen controls sharing between domains on the resource and domain level
  3.1239  because this is the abstraction the hypervisor and its management
  3.1240  understand naturally. While this is coarse-grained, it is also very
  3.1241  reliable and robust and it requires minimal changes to implement
  3.1242  mandatory access controls in the hypervisor. It enables platform- and
  3.1243 -operation system-independent policies as part of a layered security
  3.1244 +operating system-independent policies as part of a layered security
  3.1245  approach.
  3.1246  
  3.1247 -Lines 9-15 (cf Figure~\ref{fig:acmxmlfilea}) define the Simple Type
  3.1248 +Lines 11-17 (cf Figure~\ref{fig:acmxmlfilea}) define the Simple Type
  3.1249  Enforcement policy component.  Essentially, they define the workload
  3.1250 -type names \verb|SystemManagement|, \verb|PepsiCo|, and
  3.1251 -\verb|CocaCola| that are available in the STE policy component. The
  3.1252 -policy rules are implicit: Xen permits a domain to communicate with
  3.1253 -another domain if and only if the labels of the domains share an
  3.1254 -common STE type.  Xen permits a domain to access a resource if and
  3.1255 -only if the labels of the domain and the resource share a common STE
  3.1256 -workload type.
  3.1257 +type names \verb|SystemManagement|, \verb|A-Bank|,
  3.1258 +\verb|AutoCorp| etc. that are available in the STE policy component. The
  3.1259 +policy rules are implicit: Xen permits two domains to communicate with
  3.1260 +each other if and only if their security labels have at least one STE type in
  3.1261 +common.  Similarly, Xen permits a user domain to access a
  3.1262 +resource if and only if the labels of the domain and the resource
  3.1263 +have at least one STE workload type in common.
  3.1264  
  3.1265  \subsection{Chinese Wall Policy Component}
  3.1266  
  3.1267  The Chinese Wall security policy interpretation of sHype enables users
  3.1268  to prevent certain workloads from running simultaneously on the same
  3.1269  hypervisor platform.  Run-time Exclusion rules (RER), also called
  3.1270 -Conflict Sets, define a set of workload types that are not permitted
  3.1271 -to run simultaneously. Of all the workloads specified in a Run-time
  3.1272 +Conflict Sets or Anti-Collocation rules, define a set of workload types
  3.1273 +that are not permitted to run simultaneously on the same virtualized
  3.1274 +platform. Of all the workloads specified in a Run-time
  3.1275  Exclusion rule, at most one type can run on the same hypervisor
  3.1276  platform at a time.  Run-time Exclusion Rules implement a less
  3.1277  rigorous variant of the original Chinese Wall security component. They
  3.1278  do not implement the *-property of the policy, which would require to
  3.1279  restrict also types that are not part of an exclusion rule once they
  3.1280 -are running together with a type in an exclusion rule (please refer to
  3.1281 -http://www.gammassl.co.uk/topics/chinesewall.html for more information
  3.1282 +are running together with a type in an exclusion rule
  3.1283 +(http://www.gammassl.co.uk/topics/chinesewall.html provides more information
  3.1284  on the original Chinese Wall policy).
  3.1285  
  3.1286  Xen considers the \verb|ChineseWallTypes| part of the label for the
  3.1287  enforcement of the Run-time Exclusion rules.  It is illegal to define
  3.1288  labels including conflicting Chinese Wall types.
  3.1289  
  3.1290 -Lines 17-30 (cf Figure~\ref{fig:acmxmlfilea}) define the Chinese Wall
  3.1291 -policy component. Lines 17-22 define the known Chinese Wall types,
  3.1292 +Lines 20-41 (cf Figure~\ref{fig:acmxmlfilea}) define the Chinese Wall
  3.1293 +policy component. Lines 22-28 define the known Chinese Wall types,
  3.1294  which coincide here with the STE types defined above. This usually
  3.1295  holds if the criteria for sharing among domains and sharing of the
  3.1296 -hardware platform are the same. Lines 24-29 define one Run-time
  3.1297 -Exclusion rule:
  3.1298 +hardware platform are the same. Lines 30-41 define one Run-time
  3.1299 +Exclusion rules, the first of which is depicted below:
  3.1300  
  3.1301  \begin{scriptsize}
  3.1302  \begin{verbatim}
  3.1303 -        <Conflict name="RER1">
  3.1304 -          <Type>CocaCola</Type>
  3.1305 -          <Type>PepsiCo</Type>
  3.1306 -        </Conflict>
  3.1307 +31  <Conflict name="RER">
  3.1308 +32    <Type>A-Bank</Type>
  3.1309 +33    <Type>B-Bank</Type>
  3.1310 +34    <Type>__UNLABELED__</Type>
  3.1311 +35  </Conflict>
  3.1312  \end{verbatim}
  3.1313  \end{scriptsize}
  3.1314  
  3.1315  Based on this rule, Xen enforces that only one of the types
  3.1316 -\verb|CocaCola| or \verb|PepsiCo| will run on a single hypervisor
  3.1317 -platform at a time. For example, once a domain assigned a
  3.1318 -\verb|CocaCola| workload type is started, domains with the
  3.1319 -\verb|PepsiCo| type will be denied to start. When the former domain
  3.1320 -stops and no other domains with the \verb|CocaCola| type are running,
  3.1321 -then domains with the \verb|PepsiCo| type can start.
  3.1322 +\verb|A-Bank|, \verb|B-Bank|, or \verb|__UNLABELED__| will run
  3.1323 +on a single hypervisor platform at a time. For example, once a domain assigned a
  3.1324 +\verb|A-Bank| workload type is started, domains with the
  3.1325 +\verb|B-Bank| type or unlabeled domains will be denied to start.
  3.1326 +When the former domain stops and no other domains with the \verb|A-Bank|
  3.1327 +type are running, then domains with the \verb|B-Bank| type or unlabeled domains
  3.1328 +can start.
  3.1329  
  3.1330  Xen maintains reference counts on each running workload type to keep
  3.1331  track of which workload types are running. Every time a domain starts
  3.1332  or resumes, the reference count on those Chinese Wall types that are
  3.1333  referenced in the domain's label are incremented. Every time a domain
  3.1334  is destroyed or saved, the reference counts of its Chinese Wall types
  3.1335 -are decremented. sHype in Xen covers migration and live-migration,
  3.1336 -which is treated the same way as saving a domain on the source
  3.1337 -platform and resuming it on the destination platform.
  3.1338 -
  3.1339 -Reasons why users would want to restrict which workloads or domains
  3.1340 -can share the system hardware include:
  3.1341 +are decremented. sHype in Xen fully supports migration and live-migration,
  3.1342 +which is subject to access control the same way as saving a domain on
  3.1343 +the source platform and resuming it on the destination platform.
  3.1344 +
  3.1345 +Here are some reasons why users might want to restrict workloads or domains
  3.1346 +from sharing the system hardware simultaneously:
  3.1347  
  3.1348  \begin{itemize}
  3.1349 -\item Imperfect resource management or control might enable a rogue
  3.1350 -  domain to starve another domain and the workload running in it.
  3.1351 -\item Redundant domains might run the same workload to increase
  3.1352 +\item Imperfect resource management or control might enable a compromised
  3.1353 +  user domain to starve other domains and the workload running in them.
  3.1354 +\item Redundant user domains might run the same workload to increase
  3.1355    availability; such domains should not run on the same hardware to
  3.1356    avoid single points of failure.
  3.1357  \item Imperfect Xen core domain isolation might enable two rogue
  3.1358    domains running different workload types to use unintended and
  3.1359 -  unknown ways (covert channels) to exchange some data. This way, they
  3.1360 -  bypass the policed Xen access control mechanisms.  Such
  3.1361 +  unknown ways (covert channels) to exchange some bits of information.
  3.1362 +  This way, they bypass the policed Xen access control mechanisms.  Such
  3.1363    imperfections cannot be completely eliminated and are a result of
  3.1364    trade-offs between security and other design requirements. For a
  3.1365    simple example of a covert channel see
  3.1366    http://www.multicians.org/timing-chn.html. Such covert channels
  3.1367    exist also between workloads running on different platforms if they
  3.1368    are connected through networks. The Xen Chinese Wall policy provides
  3.1369 -  an approximation of this imperfect ``air-gap'' between selected
  3.1370 -  workload types.
  3.1371 +  an approximated ``air-gap'' between selected workload types.
  3.1372  \end{itemize}
  3.1373  
  3.1374  \subsection{Security Labels}
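Review bot: "Lines 30-41 define one Run-time Exclusion rules, the first of which is depicted below" disagrees in number and with the figure, which has two Conflict elements in that range; it should read "two Run-time Exclusion rules". The updated line references also need a second pass against the renumbered figure: "Lines 20-41 define the Chinese Wall policy component" stops one line short of the closing ChineseWall tag on line 42, and "Lines 11-17 ... define the Simple Type Enforcement policy component" covers only the Type entries, while the component itself spans lines 9-19. Small wording nit in the same hunk: "a domain assigned a A-Bank workload type" should be "an A-Bank workload type". The added statement that unlabeled domains are denied while an A-Bank domain runs follows from __UNLABELED__ being in the conflict set; it would be worth one sentence saying that this is why __UNLABELED__ appears there, since it is the part of the rule a reader is most likely to find surprising.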
  3.1375 @@ -2852,100 +3145,197 @@ To enable Xen to associate domains with 
  3.1376  them, each domain is assigned a security label that includes the
  3.1377  workload types of the domain.
  3.1378  
  3.1379 -\begin{figure}
  3.1380 -\begin{scriptsize}
  3.1381 +\begin{figure}[htb]
  3.1382 +		\begin{tabular*}{\textwidth}{@{\extracolsep{\fill}}l|l}
  3.1383 +		\begin{minipage}{0.475\textwidth}
  3.1384 +		\begin{tiny}
  3.1385 +		\begin{verbatim}
  3.1386 +<SecurityLabelTemplate>
  3.1387 +  <SubjectLabels bootstrap="SystemManagement">
  3.1388 +  <VirtualMachineLabel>
  3.1389 +    <Name>SystemManagement</Name>
  3.1390 +    <SimpleTypeEnforcementTypes>
  3.1391 +      <Type>SystemManagement</Type>
  3.1392 +      <Type>__UNLABELED__</Type>
  3.1393 +      <Type>A-Bank</Type>
  3.1394 +      <Type>A-Bank.SecurityUnderwriting</Type>
  3.1395 +      <Type>A-Bank.MarketAnalysis</Type>
  3.1396 +      <Type>B-Bank</Type>
  3.1397 +      <Type>AutoCorp</Type>
  3.1398 +    </SimpleTypeEnforcementTypes>
  3.1399 +    <ChineseWallTypes>
  3.1400 +      <Type>SystemManagement</Type>
  3.1401 +    </ChineseWallTypes>
  3.1402 +  </VirtualMachineLabel>
  3.1403 +  <VirtualMachineLabel>
  3.1404 +    <Name>__UNLABELED__</Name>
  3.1405 +    <SimpleTypeEnforcementTypes>
  3.1406 +      <Type>__UNLABELED__</Type>
  3.1407 +    </SimpleTypeEnforcementTypes>
  3.1408 +    <ChineseWallTypes>
  3.1409 +      <Type>__UNLABELED__</Type>
  3.1410 +    </ChineseWallTypes>
  3.1411 +  </VirtualMachineLabel>
  3.1412 +  <VirtualMachineLabel>
  3.1413 +    <Name>A-Bank</Name>
  3.1414 +    <SimpleTypeEnforcementTypes>
  3.1415 +      <Type>A-Bank</Type>
  3.1416 +    </SimpleTypeEnforcementTypes>
  3.1417 +    <ChineseWallTypes>
  3.1418 +      <Type>A-Bank</Type>
  3.1419 +    </ChineseWallTypes>
  3.1420 +  </VirtualMachineLabel>
  3.1421 +  <VirtualMachineLabel>
  3.1422 +    <Name>A-Bank.SecurityUnderwriting</Name>
  3.1423 +    <SimpleTypeEnforcementTypes>
  3.1424 +      <Type>A-Bank.SecurityUnderwriting</Type>
  3.1425 +    </SimpleTypeEnforcementTypes>
  3.1426 +    <ChineseWallTypes>
  3.1427 +      <Type>A-Bank</Type>
  3.1428 +      <Type>A-Bank.SecurityUnderwriting</Type>
  3.1429 +    </ChineseWallTypes>
  3.1430 +  </VirtualMachineLabel>
  3.1431 +  <VirtualMachineLabel>
  3.1432 +    <Name>A-Bank.MarketAnalysis</Name>
  3.1433 +    <SimpleTypeEnforcementTypes>
  3.1434 +      <Type>A-Bank.MarketAnalysis</Type>
  3.1435 +    </SimpleTypeEnforcementTypes>
  3.1436 +    <ChineseWallTypes>
  3.1437 +      <Type>A-Bank</Type>
  3.1438 +      <Type>A-Bank.MarketAnalysis</Type>
  3.1439 +    </ChineseWallTypes>
  3.1440 +  </VirtualMachineLabel>
  3.1441 +  <VirtualMachineLabel>
  3.1442 +    <Name>B-Bank</Name>
  3.1443 +    <SimpleTypeEnforcementTypes>
  3.1444 +      <Type>B-Bank</Type>
  3.1445 +    </SimpleTypeEnforcementTypes>
  3.1446 +    <ChineseWallTypes>
  3.1447 +      <Type>B-Bank</Type>
  3.1448 +    </ChineseWallTypes>
  3.1449 +  </VirtualMachineLabel>
  3.1450 +\end{verbatim}
  3.1451 +\end{tiny}
  3.1452 +\end{minipage} &
  3.1453 +\begin{minipage}{0.475\textwidth}
  3.1454 +\begin{tiny}
  3.1455  \begin{verbatim}
  3.1456 -32     <SecurityLabelTemplate>
  3.1457 -33         <SubjectLabels bootstrap="SystemManagement">
  3.1458 -34             <VirtualMachineLabel>
  3.1459 -35                 <Name>SystemManagement</Name>
  3.1460 -36                 <SimpleTypeEnforcementTypes>
  3.1461 -37                     <Type>SystemManagement</Type>
  3.1462 -38                     <Type>PepsiCo</Type>
  3.1463 -39                     <Type>CocaCola</Type>
  3.1464 -40                 </SimpleTypeEnforcementTypes>
  3.1465 -41                 <ChineseWallTypes>
  3.1466 -42                     <Type>SystemManagement</Type>
  3.1467 -43                 </ChineseWallTypes>
  3.1468 -44             </VirtualMachineLabel>
  3.1469 -45
  3.1470 -46             <VirtualMachineLabel>
  3.1471 -47                 <Name>PepsiCo</Name>
  3.1472 -48                 <SimpleTypeEnforcementTypes>
  3.1473 -49                     <Type>PepsiCo</Type>
  3.1474 -50                 </SimpleTypeEnforcementTypes>
  3.1475 -51                 <ChineseWallTypes>
  3.1476 -52                     <Type>PepsiCo</Type>
  3.1477 -53                 </ChineseWallTypes>
  3.1478 -54             </VirtualMachineLabel>
  3.1479 -55
  3.1480 -56             <VirtualMachineLabel>
  3.1481 -57                 <Name>CocaCola</Name>
  3.1482 -58                 <SimpleTypeEnforcementTypes>
  3.1483 -59                     <Type>CocaCola</Type>
  3.1484 -60                 </SimpleTypeEnforcementTypes>
  3.1485 -61                 <ChineseWallTypes>
  3.1486 -62                     <Type>CocaCola</Type>
  3.1487 -63                 </ChineseWallTypes>
  3.1488 -64             </VirtualMachineLabel>
  3.1489 -65         </SubjectLabels>
  3.1490 -66
  3.1491 -67         <ObjectLabels>
  3.1492 -68             <ResourceLabel>
  3.1493 -69                 <Name>SystemManagement</Name>
  3.1494 -70                 <SimpleTypeEnforcementTypes>
  3.1495 -71                     <Type>SystemManagement</Type>
  3.1496 -72                 </SimpleTypeEnforcementTypes>
  3.1497 -73             </ResourceLabel>
  3.1498 -74
  3.1499 -75             <ResourceLabel>
  3.1500 -76                 <Name>PepsiCo</Name>
  3.1501 -77                 <SimpleTypeEnforcementTypes>
  3.1502 -78                     <Type>PepsiCo</Type>
  3.1503 -79                 </SimpleTypeEnforcementTypes>
  3.1504 -80             </ResourceLabel>
  3.1505 -81
  3.1506 -82             <ResourceLabel>
  3.1507 -83                 <Name>CocaCola</Name>
  3.1508 -84                 <SimpleTypeEnforcementTypes>
  3.1509 -85                     <Type>CocaCola</Type>
  3.1510 -86                 </SimpleTypeEnforcementTypes>
  3.1511 -87             </ResourceLabel>
  3.1512 -88         </ObjectLabels>
  3.1513 -89     </SecurityLabelTemplate>
  3.1514 -90  </SecurityPolicyDefinition>
  3.1515 +  <VirtualMachineLabel>
  3.1516 +    <Name>AutoCorp</Name>
  3.1517 +    <SimpleTypeEnforcementTypes>
  3.1518 +      <Type>AutoCorp</Type>
  3.1519 +    </SimpleTypeEnforcementTypes>
  3.1520 +    <ChineseWallTypes>
  3.1521 +      <Type>AutoCorp</Type>
  3.1522 +    </ChineseWallTypes>
  3.1523 +  </VirtualMachineLabel>
  3.1524 +  </SubjectLabels>
  3.1525 +  <ObjectLabels>
  3.1526 +  <ResourceLabel>
  3.1527 +    <Name>SystemManagement</Name>
  3.1528 +    <SimpleTypeEnforcementTypes>
  3.1529 +      <Type>SystemManagement</Type>
  3.1530 +    </SimpleTypeEnforcementTypes>
  3.1531 +  </ResourceLabel>
  3.1532 +  <ResourceLabel>
  3.1533 +    <Name>__UNLABELED__</Name>
  3.1534 +    <SimpleTypeEnforcementTypes>
  3.1535 +      <Type>__UNLABELED__</Type>
  3.1536 +    </SimpleTypeEnforcementTypes>
  3.1537 +  </ResourceLabel>
  3.1538 +  <ResourceLabel>
  3.1539 +    <Name>A-Bank</Name>
  3.1540 +    <SimpleTypeEnforcementTypes>
  3.1541 +      <Type>A-Bank</Type>
  3.1542 +    </SimpleTypeEnforcementTypes>
  3.1543 +  </ResourceLabel>
  3.1544 +  <ResourceLabel>
  3.1545 +    <Name>A-Bank.SecurityUnderwriting</Name>
  3.1546 +    <SimpleTypeEnforcementTypes>
  3.1547 +      <Type>A-Bank.SecurityUnderwriting</Type>
  3.1548 +    </SimpleTypeEnforcementTypes>
  3.1549 +  </ResourceLabel>
  3.1550 +  <ResourceLabel>
  3.1551 +    <Name>A-Bank.MarketAnalysis</Name>
  3.1552 +    <SimpleTypeEnforcementTypes>
  3.1553 +      <Type>A-Bank.MarketAnalysis</Type>
  3.1554 +    </SimpleTypeEnforcementTypes>
  3.1555 +  </ResourceLabel>
  3.1556 +  <ResourceLabel>
  3.1557 +    <Name>B-Bank</Name>
  3.1558 +    <SimpleTypeEnforcementTypes>
  3.1559 +      <Type>B-Bank</Type>
  3.1560 +    </SimpleTypeEnforcementTypes>
  3.1561 +  </ResourceLabel>
  3.1562 +  <ResourceLabel>
  3.1563 +    <Name>AutoCorp</Name>
  3.1564 +    <SimpleTypeEnforcementTypes>
  3.1565 +      <Type>AutoCorp</Type>
  3.1566 +    </SimpleTypeEnforcementTypes>
  3.1567 +  </ResourceLabel>
  3.1568 +  </ObjectLabels>
  3.1569 +</SecurityLabelTemplate>
  3.1570 +</SecurityPolicyDefinition>
  3.1571 +
  3.1572 +
  3.1573 +
  3.1574 +
  3.1575 +
  3.1576 +
  3.1577 +
  3.1578 +
  3.1579  \end{verbatim}
  3.1580 -\end{scriptsize}
  3.1581 +\end{tiny}
  3.1582 +\end{minipage}
  3.1583 +\end{tabular*}
  3.1584  \caption{Example XML security policy file -- Part II: Label Definition.}
  3.1585  \label{fig:acmxmlfileb}
  3.1586  \end{figure}
  3.1587 -
  3.1588 -Lines 32-89 (cf Figure~\ref{fig:acmxmlfileb}) define the
  3.1589 -\verb|SecurityLabelTemplate|, which includes the labels that can be
  3.1590 -attached to domains and resources when this policy is active. The
  3.1591 -domain labels include Chinese Wall types while resource labels do not
  3.1592 -include Chinese Wall types. Lines 33-65 define the
  3.1593 -\verb|SubjectLabels| that can be assigned to domains. For example, the
  3.1594 -virtual machine label \verb|CocaCola| (cf lines 56-64 in
  3.1595 -Figure~\ref{fig:acmxmlfileb}) associates the domain that carries it
  3.1596 -with the workload type \verb|CocaCola|.
  3.1597 -
  3.1598 -The \verb|bootstrap| attribute names the label
  3.1599 -\verb|SystemManagement|.  Xen will assign this label to Domain0 at
  3.1600 -boot time. All other domains are assigned labels according to their
  3.1601 -domain configuration file (see
  3.1602 -Section~\ref{subsection:acmexamplelabeldomains} for examples of how to
  3.1603 -label domains). Lines 67-88 define the \verb|ObjectLabels|. Those
  3.1604 -labels can be assigned to resources when this policy is active.
  3.1605 +% DO NOT MODIFY WHITESPACE ABOVE, it balances the columns
  3.1606 +The \verb|SecurityLabelTemplate| (cf Figure~\ref{fig:acmxmlfileb}) defines
  3.1607 +the security labels that can be associated with domains and resources when
  3.1608 +this policy is active (use the \verb|xm labels type=any| command described in
  3.1609 +Section~\ref{subsection:acmexamplelabeldomains} to list all available labels).
  3.1610 +
  3.1611 +The domain labels include
  3.1612 +Chinese Wall types while resource labels do not include Chinese Wall types.
  3.1613 +The \verb|SubjectLabels| policy section defines the labels that can be
  3.1614 +assigned to domains. The VM label
  3.1615 +\verb|A-Bank.SecurityUnderwriting| in Figure~\ref{fig:acmxmlfileb})
  3.1616 +associates the domain that carries it with the workload STE type
  3.1617 +\verb|A-Bank.SecurityUnderwriting| and with the CHWALL types \verb|A-Bank|
  3.1618 +and \verb|A-Bank.SecurityUnderwriting|. The ezPolicy tool
  3.1619 +assumes that any department workload will inherit any conflict set that
  3.1620 +is specified for its organization, i.e., if \verb|B-Bank| is running, not
  3.1621 +only \verb|A-Bank| but also all its departmental workloads are prevented
  3.1622 +from running by this first run-time exclusion set. The separation of STE
  3.1623 +and CHWALL types in the label definition ensures that
  3.1624 +all departmental workloads are isolated from each other and from their generic
  3.1625 +organization workloads, while they are sharing CHWALL types to
  3.1626 +simplify the formulation of run-time exclusion sets.
  3.1627 +
  3.1628 +The \verb|bootstrap| attribute of the \verb|<SubjectLabels>| XML node
  3.1629 +in our example policy shown in Figure~\ref{fig:acmxmlfileb} names
  3.1630 +the label \verb|SystemManagement| as the label that Xen will assign
  3.1631 +to Domain-0 at boot time (if this policy is installed as boot policy). The
  3.1632 +label of Domain-0 can be persistently changed at run-time with the
  3.1633 +\verb|addlabel| command, which adds an overriding option to the grub.conf
  3.1634 +boot entry (cf Section~\ref{subsection:acmlabeldom0}).
  3.1635 +All user domains are assigned labels according to their domain configuration
  3.1636 +(see Section~\ref{subsection:acmexamplelabeldomains} for examples of
  3.1637 +how to label domains).
  3.1638 +
  3.1639 +The \verb|ObjectLabels| depicted in Figure~\ref{fig:acmxmlfileb} can be
  3.1640 +assigned to resources when this policy is active.
  3.1641  
  3.1642  In general, user domains should be assigned labels that have only a
  3.1643  single SimpleTypeEnforcement workload type. This way, workloads remain
  3.1644  confined even if user domains become rogue. Any domain that is
  3.1645  assigned a label with multiple STE types must be trusted to keep
  3.1646  information belonging to the different STE types separate (confined).
  3.1647 -For example, Domain0 is assigned the bootstrap label
  3.1648 -\verb|SystemsManagement|, which includes all existing STE types.
  3.1649 -Therefore, Domain0 must take care not to enable unauthorized
  3.1650 +For example, Domain-0 is assigned the bootstrap label
  3.1651 +\verb|SystemManagement|, which includes all existing STE types.
  3.1652 +Therefore, Domain-0 must take care not to enable unauthorized
  3.1653  information flow (eg. through block devices or virtual networking)
  3.1654  between domains or resources that are assigned different STE types.
  3.1655  
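Review bot: the sentence at 3.1614-3.1615 has an unbalanced closing parenthesis: "\verb|A-Bank.SecurityUnderwriting| in Figure~\ref{fig:acmxmlfileb})" lost its opening "(cf" when the line-number references were removed, and should read "(cf Figure~\ref{fig:acmxmlfileb})". Two documentation gaps in the same hunk: the figure now defines an \verb|__UNLABELED__| subject label and resource label and adds the \verb|__UNLABELED__| STE type to SystemManagement (3.1392, 3.1404, 3.1533), but the prose under the figure never says what this label is for; and "this first run-time exclusion set" at 3.1622 points at a conflict set that does not appear in this figure, so a \ref to the figure that defines it would help the reader.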
  3.1656 @@ -2955,21 +3345,25 @@ Section~\ref{subsection:acmexamplelabeld
  3.1657  label are used by the Xen access control enforcement.  While the name
  3.1658  can be arbitrarily chosen (as long as it is unique), it is advisable
  3.1659  to choose the label name in accordance to the security types included.
  3.1660 -While the XML representation in the above label seems unnecessary
  3.1661 -flexible, labels in general can consist of multiple types as we will
  3.1662 -see in the following example.
  3.1663 -
  3.1664 -Assume that \verb|PepsiCo| and \verb|CocaCola| workloads use virtual
  3.1665 -disks that are provided by a virtual I/O domain hosting a physical
  3.1666 -storage device and carrying the following label:
  3.1667 +Similarly, the STE and CHWALL types should be named according to the
  3.1668 +workloads they represent. While the XML representation of the label
  3.1669 +in the above example seems unnecessary flexible, labels in general
  3.1670 +must be able to include multiple types.
  3.1671 +
  3.1672 +We assume in the following example, that \verb|A-Bank.SecurityUnderwriting| and
  3.1673 +\verb|A-Bank.MarketAnalysis| workloads use virtual disks that are provided
  3.1674 +by a virtual I/O domain hosting a physical storage device and carrying
  3.1675 +the following label:
  3.1676  
  3.1677  \begin{scriptsize}
  3.1678  \begin{verbatim}
  3.1679          <VirtualMachineLabel>
  3.1680 -          <Name>VIO</Name>
  3.1681 +          <Name>VIOServer</Name>
  3.1682            <SimpleTypeEnforcementTypes>
  3.1683 -              <Type>CocaCola</Type>
  3.1684 -              <Type>PepsiCo</Type>
  3.1685 +              <Type>A-Bank</Type>
  3.1686 +              <Type>A-Bank.SecurityUnderwriting</Type>
  3.1687 +              <Type>A-Bank.MarketAnalysis</Type>
  3.1688 +              <Type>VIOServer</Type>
  3.1689            </SimpleTypeEnforcementTypes>
  3.1690            <ChineseWallTypes>
  3.1691                <Type>VIOServer</Type>
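Review bot: "unnecessary flexible" at 3.1669 is carried over from the removed text and should read "unnecessarily flexible"; the comma after "example" at 3.1672 should also go ("We assume in the following example that ..."). On content, the label gains a \verb|VIOServer| STE type at 3.1688 that is not among the STE types listed for SystemManagement in the Part II figure (3.1391-3.1397), while the text at 3.1651 says SystemManagement includes all existing STE types. Please state here that the VIOServer label and its type are additions to the example policy, so the two passages do not contradict each other.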
  3.1692 @@ -2979,28 +3373,572 @@ storage device and carrying the followin
  3.1693  \end{scriptsize}
  3.1694  
  3.1695  This Virtual I/O domain (VIO) exports its virtualized disks by
  3.1696 -communicating both to domains labeled with the \verb|PepsiCo| label
  3.1697 -and domains labeled with the \verb|CocaCola| label. This requires the
  3.1698 -VIO domain to carry both the STE types \verb|CocaCola| and
  3.1699 -\verb|PepsiCo|. In this example, the confinement of \verb|CocaCola|
  3.1700 -and \verb|PepsiCo| workload depends on a VIO domain that must keep the
  3.1701 -data of those different workloads separate. The virtual disks are
  3.1702 -labeled as well (see Section~\ref{subsection:acmexamplelabelresources}
  3.1703 +communicating to all domains labeled with the
  3.1704 +\verb|A-Bank.SecurityUnderwriting|, the \verb|A-Bank|, or the
  3.1705 +\verb|A-Bank.MarketAnalysis| label. This requires the
  3.1706 +VIO domain to carry those STE types. In addition, this label includes a
  3.1707 +new \verb|VIOServer| type that can be used to restrict direct access to the
  3.1708 +physical storage resource to the VIODomain.
  3.1709 +
  3.1710 +In this example, the confinement of  these A-Bank workloads depends on the
  3.1711 +VIO domain that must keep the data of those different workloads separate.
  3.1712 +The virtual disks are labeled as well to keep track of their assignments
  3.1713 +to workload types (see Section~\ref{subsection:acmexamplelabelresources}
  3.1714  for labeling resources) and enforcement functions inside the VIO
  3.1715  domain must ensure that the labels of the domain mounting a virtual
  3.1716  disk and the virtual disk label share a common STE type. The VIO label
  3.1717  carrying its own VIOServer CHWALL type introduces the flexibility to
  3.1718 -permit the trusted VIO server to run together with CocaCola or PepsiCo
  3.1719 -workloads.
  3.1720 +permit the trusted VIO server to run together with \verb|A-Bank.SecurityUnderwriting|
  3.1721 +or \verb|A-Bank.MarketAnalysis| workloads.
  3.1722  
  3.1723  Alternatively, a system that has two hard-drives does not need a VIO
  3.1724  domain but can directly assign one hardware storage device to each of
  3.1725 -the workloads (if the platform offers an IO-MMU, cf
  3.1726 -Section~\ref{s:ddsecurity}.  Sharing hardware through virtualization
  3.1727 +the workloads if the platform offers an IO-MMU, cf
  3.1728 +Section~\ref{s:ddsecurity}.  Sharing hardware through virtualizated devices
  3.1729  is a trade-off between the amount of trusted code (size of the trusted
  3.1730  computing base) and the amount of acceptable over-provisioning. This
  3.1731  holds both for peripherals and for system platforms.
  3.1732  
  3.1733 +
  3.1734 +\subsection{Managing sHype/Xen Security Policies at Run-time}
  3.1735 +\label{subsection:acmpolicymanagement}
  3.1736 +
  3.1737 +\subsubsection{Removing the sHype/Xen Security Policy}
  3.1738 +When resetting the policy, no labeled domains can be running.
  3.1739 +Please stop or shutdown all running labeled domains. Then you can reset
  3.1740 +the policy to the default policy using the \verb|resetpolicy| command:
  3.1741 +
  3.1742 +\begin{scriptsize}
  3.1743 +\begin{verbatim}
  3.1744 +# xm getpolicy
  3.1745 +Supported security subsystems   : ACM
  3.1746 +Policy name           : mytest
  3.1747 +Policy type           : ACM
  3.1748 +Version of XML policy : 1.0
  3.1749 +Policy configuration  : loaded, activated for boot
  3.1750 +
  3.1751 +# xm resetpolicy
  3.1752 +Successfully reset the system's policy.
  3.1753 +
  3.1754 +# xm getpolicy
  3.1755 +Supported security subsystems   : ACM
  3.1756 +Policy name           : DEFAULT
  3.1757 +Policy type           : ACM
  3.1758 +Version of XML policy : 1.0
  3.1759 +Policy configuration  : loaded
  3.1760 +
  3.1761 +# xm resources
  3.1762 +file:/home/xen/dom_fc5/fedora.fc5.swap
  3.1763 +      type: INV_ACM
  3.1764 +    policy: mytest
  3.1765 +     label: A-Bank
  3.1766 +file:/home/xen/dom_fc5/fedora.fc5.img
  3.1767 +      type: INV_ACM
  3.1768 +    policy: mytest
  3.1769 +     label: A-Bank
  3.1770 +\end{verbatim}
  3.1771 +\end{scriptsize}
  3.1772 +
  3.1773 +As the \verb|xm resources| output shows, all resource labels have
  3.1774 +invalidated type information but their semantics remain associated
  3.1775 +with the resources so that they can later on either be relabeled
  3.1776 +with semantically equivalent labels or sanitized and reused
  3.1777 +(storage resources).
  3.1778 +
  3.1779 +At this point, the system is in the same initial state as after
  3.1780 +configuring XSM and sHype/ACM and rebooting the system without
  3.1781 +a specific policy. No user domains can run.
  3.1782 +
  3.1783 +\subsubsection{Changing to a Different sHype/Xen Security Policy}
  3.1784 +The easiest way to change to a different, unrelated policy is to reset the system
  3.1785 +policy and then set the new policy. Please consider that the existing
  3.1786 +domain and resource labels become invalid at this point. Please refer
  3.1787 +to the next section for an example of how to seamlessly update an
  3.1788 +active policy at run-time without invalidating labels.
  3.1789 +
  3.1790 +\begin{scriptsize}
  3.1791 +\begin{verbatim}
  3.1792 +# xm resetpolicy
  3.1793 +Successfully reset the system's policy.
  3.1794 +
  3.1795 +# xm setpolicy ACM example.test
  3.1796 +Successfully set the new policy.
  3.1797 +Supported security subsystems   : ACM
  3.1798 +Policy name           : example.test
  3.1799 +Policy type           : ACM
  3.1800 +Version of XML policy : 1.0
  3.1801 +Policy configuration  : loaded, activated for boot
  3.1802 +
  3.1803 +# xm labels
  3.1804 +CocaCola
  3.1805 +PepsiCo
  3.1806 +SystemManagement
  3.1807 +VIO
  3.1808 +# xm list --label
  3.1809 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.1810 +Domain-0   0   873     1     r-----     56.3  ACM:example.test:SystemManagement
  3.1811 +
  3.1812 +# xm resetpolicy
  3.1813 +Successfully reset the system's policy.
  3.1814 +
  3.1815 +# xm getpolicy
  3.1816 +Supported security subsystems   : ACM
  3.1817 +Policy name           : DEFAULT
  3.1818 +Policy type           : ACM
  3.1819 +Version of XML policy : 1.0
  3.1820 +Policy configuration  : loaded
  3.1821 +
  3.1822 +# xm list --label
  3.1823 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.1824 +Domain-0   0   873     1     r-----     57.2  ACM:DEFAULT:SystemManagement
  3.1825 +
  3.1826 +# xm setpolicy ACM mytest
  3.1827 +Successfully set the new policy.
  3.1828 +Supported security subsystems   : ACM
  3.1829 +Policy name           : mytest
  3.1830 +Policy type           : ACM
  3.1831 +Version of XML policy : 1.0
  3.1832 +Policy configuration  : loaded, activated for boot
  3.1833 +
  3.1834 +# xm labels
  3.1835 +A-Bank
  3.1836 +A-Bank.MarketAnalysis
  3.1837 +A-Bank.SecurityUnderwriting
  3.1838 +AutoCorp
  3.1839 +B-Bank
  3.1840 +SystemManagement
  3.1841 +__UNLABELED__
  3.1842 +
  3.1843 +# xm list --label
  3.1844 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.1845 +Domain-0   0   873     1     r-----     58.0  ACM:mytest:SystemManagement
  3.1846 +\end{verbatim}
  3.1847 +\end{scriptsize}
  3.1848 +
  3.1849 +The described way of changing policies by resetting the existing
  3.1850 +policy is useful for testing different policies. For real deployment
  3.1851 +environments, a policy update as described in the following section
  3.1852 +is more appropriate and can be applied seamlessly at run-time while
  3.1853 +user domains are running.
  3.1854 +
  3.1855 +\subsubsection{Update an sHype/Xen Security Policy at Run-time}
  3.1856 +
  3.1857 +Once an ACM security policy is activated (loaded into the Xen
  3.1858 +hypervisor), the policy may be updated at run-time without the
  3.1859 +need to re-boot the system. The XML update-policy contains several
  3.1860 +additional information fields that are required to safely link the
  3.1861 +new policy contents to the old policy and ensure a consistent
  3.1862 +transformation of the system security state from the old to the
  3.1863 +new policy. Those additional fields are required for policies that
  3.1864 +are updating an existing policy at run-time.
  3.1865 +
  3.1866 +The major benefit of policy updates is the ability to add, delete,
  3.1867 +or rename workload types, labels, and conflict sets (run-time
  3.1868 +exclusion rules) to accommodate changes in the managed virtual
  3.1869 +environment without the need to reboot the Xen system. When a
  3.1870 +new policy renames labels of the current policy, the labels
  3.1871 +attached to resources and domains are automatically updated
  3.1872 +during a successful policy update.
  3.1873 +
  3.1874 +We have manually crafted an update policy for the \verb|mytest|
  3.1875 +security policy and stored it in the file mytest\_update-security\_policy.xml
  3.1876 +in the policies directory. We will discuss this policy in detail before
  3.1877 +using it to update a running sHype/Xen system. The following figures contain
  3.1878 +the whole contents of the update policy file.
  3.1879 +
  3.1880 +Figure~\ref{fig:acmupdateheader} shows the policy
  3.1881 +header of an update-policy and the new \verb|FromPolicy| XML
  3.1882 +node. For the policy update to succeed, the policy name and the
  3.1883 +policy version fields of the \verb|FromPolicy| XML node must
  3.1884 +exactly match those of the currently enforced policy. This
  3.1885 +ensures a controlled update path of the policy.
  3.1886 +
  3.1887 +\begin{figure}[htb]
  3.1888 +\begin{scriptsize}
  3.1889 +\begin{verbatim}
  3.1890 +<?xml version="1.0" encoding="UTF-8"?>
  3.1891 +<!-- Auto-generated by ezPolicy        -->
  3.1892 +<SecurityPolicyDefinition xmlns="http://www.ibm.com"
  3.1893 +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3.1894 +xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
  3.1895 +    <PolicyHeader>
  3.1896 +        <PolicyName>mytest</PolicyName>
  3.1897 +        <Date>Tue Nov 27 21:53:45 2007</Date>
  3.1898 +        <Version>1.1</Version>
  3.1899 +        <FromPolicy>
  3.1900 +            <PolicyName>mytest</PolicyName>
  3.1901 +            <Version>1.0</Version>
  3.1902 +        </FromPolicy>
  3.1903 +    </PolicyHeader>
  3.1904 +\end{verbatim}
  3.1905 +\end{scriptsize}
  3.1906 +\caption{XML security policy update -- Part I: Updated Policy Header.}
  3.1907 +\label{fig:acmupdateheader}
  3.1908 +\end{figure}
  3.1909 +
  3.1910 +The version number of the new policy, which is shown in the
  3.1911 +node following the \verb|Date| node, must be a logical increment
  3.1912 +to the current policy's version. Therefore at least the minor
  3.1913 +number of the policy version must be incremented. This ensures
  3.1914 +that a policy update is applied only to exactly the policy for
  3.1915 +which this update was created and minimizes unforseen side-effects
  3.1916 + of policy updates.
  3.1917 +
  3.1918 +\paragraph{Types and Conflic Sets}
  3.1919 +The type names and the assignment of types to labels or conflict
  3.1920 +sets (run-time exclusion rules) can
  3.1921 +simply be changed consistently throughout the policy. Types,
  3.1922 +as opposed to labels, are not directly associated or referenced
  3.1923 +outside the policy so they do not need to carry their history
  3.1924 +in a ``From'' field. The figure below shows the update for the
  3.1925 +types and conflict sets. The \verb|__UNLABELED__| type is removed
  3.1926 +to disable support for running unlabeled domains. Additionally,
  3.1927 +we have renamed the two \verb|A-Bank| department types with
  3.1928 +abbreviated names \verb|A-Bank.SU| and \verb|A-Bank.MA|. You
  3.1929 +can also see how those type names are
  3.1930 +consistently changed within the conflict set definition.
  3.1931 +
  3.1932 +\begin{figure}[htb]
  3.1933 +\begin{scriptsize}
  3.1934 +\begin{verbatim}
  3.1935 +    <SimpleTypeEnforcement>
  3.1936 +        <SimpleTypeEnforcementTypes>
  3.1937 +            <Type>SystemManagement</Type>
  3.1938 +            <Type>A-Bank</Type>
  3.1939 +            <Type>A-Bank.SU</Type>
  3.1940 +            <Type>A-Bank.MA</Type>
  3.1941 +            <Type>B-Bank</Type>
  3.1942 +            <Type>AutoCorp</Type>
  3.1943 +        </SimpleTypeEnforcementTypes>
  3.1944 +    </SimpleTypeEnforcement>
  3.1945 +
  3.1946 +    <ChineseWall priority="PrimaryPolicyComponent">
  3.1947 +        <ChineseWallTypes>
  3.1948 +            <Type>SystemManagement</Type>
  3.1949 +            <Type>A-Bank</Type>
  3.1950 +            <Type>A-Bank.SU</Type>
  3.1951 +            <Type>A-Bank.MA</Type>
  3.1952 +            <Type>B-Bank</Type>
  3.1953 +            <Type>AutoCorp</Type>
  3.1954 +        </ChineseWallTypes>
  3.1955 +
  3.1956 +        <ConflictSets>
  3.1957 +            <Conflict name="RER">
  3.1958 +                <Type>A-Bank</Type>
  3.1959 +                <Type>B-Bank</Type>
  3.1960 +            </Conflict>
  3.1961 +            <Conflict name="RER">
  3.1962 +                <Type>A-Bank.MA</Type>
  3.1963 +                <Type>A-Bank.SU</Type>
  3.1964 +            </Conflict>
  3.1965 +       </ConflictSets>
  3.1966 +    </ChineseWall>
  3.1967 +\end{verbatim}
  3.1968 +\end{scriptsize}
  3.1969 +\caption{XML security policy update -- Part II: Updated Types and Conflict Sets.}
  3.1970 +\label{fig:acmupdatetypesnrules}
  3.1971 +\end{figure}
  3.1972 +
  3.1973 +In the same way, new types can be introduced and new conflict sets
  3.1974 +can be defined by simply adding the types or conflict sets to the
  3.1975 +update policy.
  3.1976 +
  3.1977 +\paragraph{Labels} Virtual machine and resource labels of an existing policy can be
  3.1978 +deleted through a policy update simply by omitting them in the
  3.1979 +update-policy. However, if a currently running virtual machine
  3.1980 +or a currently used resource is labeled with a label not stated
  3.1981 +in the update-policy, then the policy update is rejected. This
  3.1982 +ensures that a policy update leaves the system in a consistent
  3.1983 +security state.
  3.1984 +
  3.1985 +A policy update also enables the renaming of virtual machine and
  3.1986 +resource labels. Linking the old label name with the new label
  3.1987 +name is achieved through the \verb|from| attribute in the
  3.1988 +\verb|VirtualMachineLabel| or \verb|ResourceLabel| nodes in the
  3.1989 +update-policy. Figure~\ref{fig:acmupdatelabels} shown how subject
  3.1990 +and resource labels
  3.1991 +are updated from their old name \verb|A-Bank.SecurityUnterwriting|
  3.1992 +to their new name \verb|A-Bank.SU| using the \verb|from| attribute.
  3.1993 +
  3.1994 +\begin{figure}[htb]
  3.1995 +\begin{tabular*}{\textwidth}{@{\extracolsep{\fill}}l|l}
  3.1996 +\begin{minipage}{0.475\textwidth}
  3.1997 +\begin{tiny}
  3.1998 +\begin{verbatim}
  3.1999 +<SecurityLabelTemplate>
  3.2000 +  <SubjectLabels bootstrap="SystemManagement">
  3.2001 +  <VirtualMachineLabel>
  3.2002 +    <Name>SystemManagement</Name>
  3.2003 +    <SimpleTypeEnforcementTypes>
  3.2004 +      <Type>SystemManagement</Type>
  3.2005 +      <Type>A-Bank</Type>
  3.2006 +      <Type>A-Bank.SU</Type>
  3.2007 +      <Type>A-Bank.MA</Type>
  3.2008 +      <Type>B-Bank</Type>
  3.2009 +      <Type>AutoCorp</Type>
  3.2010 +    </SimpleTypeEnforcementTypes>
  3.2011 +    <ChineseWallTypes>
  3.2012 +      <Type>SystemManagement</Type>
  3.2013 +    </ChineseWallTypes>
  3.2014 +  </VirtualMachineLabel>
  3.2015 +  <VirtualMachineLabel>
  3.2016 +    <Name>A-Bank-WL</Name>
  3.2017 +    <SimpleTypeEnforcementTypes>
  3.2018 +      <Type>SystemManagement</Type>
  3.2019 +      <Type>A-Bank</Type>
  3.2020 +      <Type>A-Bank.SU</Type>
  3.2021 +      <Type>A-Bank.MA</Type>
  3.2022 +    </SimpleTypeEnforcementTypes>
  3.2023 +    <ChineseWallTypes>
  3.2024 +      <Type>SystemManagement</Type>
  3.2025 +    </ChineseWallTypes>
  3.2026 +  </VirtualMachineLabel>
  3.2027 +  <VirtualMachineLabel>
  3.2028 +    <Name>A-Bank</Name>
  3.2029 +    <SimpleTypeEnforcementTypes>
  3.2030 +      <Type>A-Bank</Type>
  3.2031 +    </SimpleTypeEnforcementTypes>
  3.2032 +    <ChineseWallTypes>
  3.2033 +      <Type>A-Bank</Type>
  3.2034 +    </ChineseWallTypes>
  3.2035 +  </VirtualMachineLabel>
  3.2036 +  <VirtualMachineLabel>
  3.2037 +    <Name from="A-Bank.SecurityUnderwriting">
  3.2038 +            A-Bank.SU</Name>
  3.2039 +    <SimpleTypeEnforcementTypes>
  3.2040 +      <Type>A-Bank.SU</Type>
  3.2041 +    </SimpleTypeEnforcementTypes>
  3.2042 +    <ChineseWallTypes>
  3.2043 +      <Type>A-Bank</Type>
  3.2044 +      <Type>A-Bank.SU</Type>
  3.2045 +    </ChineseWallTypes>
  3.2046 +   </VirtualMachineLabel>
  3.2047 +  <VirtualMachineLabel>
  3.2048 +    <Name from="A-Bank.MarketAnalysis">
  3.2049 +            A-Bank.MA</Name>
  3.2050 +    <SimpleTypeEnforcementTypes>
  3.2051 +      <Type>A-Bank.MA</Type>
  3.2052 +    </SimpleTypeEnforcementTypes>
  3.2053 +    <ChineseWallTypes>
  3.2054 +      <Type>A-Bank</Type>
  3.2055 +      <Type>A-Bank.MA</Type>
  3.2056 +    </ChineseWallTypes>
  3.2057 +  </VirtualMachineLabel>
  3.2058 +\end{verbatim}
  3.2059 +\end{tiny}
  3.2060 +\end{minipage} &
  3.2061 +\begin{minipage}{0.475\textwidth}
  3.2062 +\begin{tiny}
  3.2063 +\begin{verbatim}
  3.2064 +  <VirtualMachineLabel>
  3.2065 +    <Name>B-Bank</Name>
  3.2066 +    <SimpleTypeEnforcementTypes>
  3.2067 +      <Type>B-Bank</Type>
  3.2068 +    </SimpleTypeEnforcementTypes>
  3.2069 +    <ChineseWallTypes>
  3.2070 +      <Type>B-Bank</Type>
  3.2071 +    </ChineseWallTypes>
  3.2072 +  </VirtualMachineLabel>
  3.2073 +  <VirtualMachineLabel>
  3.2074 +    <Name>AutoCorp</Name>
  3.2075 +    <SimpleTypeEnforcementTypes>
  3.2076 +      <Type>AutoCorp</Type>
  3.2077 +    </SimpleTypeEnforcementTypes>
  3.2078 +    <ChineseWallTypes>
  3.2079 +      <Type>AutoCorp</Type>
  3.2080 +    </ChineseWallTypes>
  3.2081 +  </VirtualMachineLabel>
  3.2082 +</SubjectLabels>
  3.2083 +
  3.2084 +<ObjectLabels>
  3.2085 +  <ResourceLabel>
  3.2086 +    <Name>SystemManagement</Name>
  3.2087 +    <SimpleTypeEnforcementTypes>
  3.2088 +      <Type>SystemManagement</Type>
  3.2089 +    </SimpleTypeEnforcementTypes>
  3.2090 +  </ResourceLabel>
  3.2091 +  <ResourceLabel>
  3.2092 +    <Name>A-Bank</Name>
  3.2093 +    <SimpleTypeEnforcementTypes>
  3.2094 +      <Type>A-Bank</Type>
  3.2095 +    </SimpleTypeEnforcementTypes>
  3.2096 +  </ResourceLabel>
  3.2097 +  <ResourceLabel>
  3.2098 +    <Name from="A-Bank.SecurityUnderwriting">
  3.2099 +            A-Bank.SU</Name>
  3.2100 +    <SimpleTypeEnforcementTypes>
  3.2101 +      <Type>A-Bank.SU</Type>
  3.2102 +    </SimpleTypeEnforcementTypes>
  3.2103 +  </ResourceLabel>
  3.2104 +  <ResourceLabel>
  3.2105 +    <Name from="A-Bank.MarketAnalysis">
  3.2106 +            A-Bank.MA</Name>
  3.2107 +    <SimpleTypeEnforcementTypes>
  3.2108 +      <Type>A-Bank.MA</Type>
  3.2109 +    </SimpleTypeEnforcementTypes>
  3.2110 +  </ResourceLabel>
  3.2111 +  <ResourceLabel>
  3.2112 +    <Name>B-Bank</Name>
  3.2113 +    <SimpleTypeEnforcementTypes>
  3.2114 +      <Type>B-Bank</Type>
  3.2115 +    </SimpleTypeEnforcementTypes>
  3.2116 +  </ResourceLabel>
  3.2117 +  <ResourceLabel>
  3.2118 +    <Name>AutoCorp</Name>
  3.2119 +    <SimpleTypeEnforcementTypes>
  3.2120 +      <Type>AutoCorp</Type>
  3.2121 +    </SimpleTypeEnforcementTypes>
  3.2122 +  </ResourceLabel>
  3.2123 +  </ObjectLabels>
  3.2124 +</SecurityLabelTemplate>
  3.2125 +</SecurityPolicyDefinition>
  3.2126 +\end{verbatim}
  3.2127 +\end{tiny}
  3.2128 +\end{minipage}
  3.2129 +\end{tabular*}
  3.2130 +\caption{XML security policy update -- Part III: Updated Label Definition.}
  3.2131 +\label{fig:acmupdatelabels}
  3.2132 +\end{figure}
  3.2133 +% DO NOT MODIFY WHITESPACE ABOVE, it balances the columns
  3.2134 +
  3.2135 +The updated label definition also includes a new label \verb|A-Bank-WL|
  3.2136 +that includes all STE types related to A-Bank. Its CHWALL type
  3.2137 +is \verb|SystemManagement|. This indicates that this label is designed
  3.2138 +as Domain-0 label. A Xen system can be restricted to only run A-Bank
  3.2139 +related workloads by relabeling Domain-0 with the \verb|A-Bank-WL| label.
  3.2140 +
  3.2141 +We assume that the update-policy shown in
  3.2142 +Figures~\ref{fig:acmupdateheader}, \ref{fig:acmupdatetypesnrules}
  3.2143 +and \ref{fig:acmupdatelabels}
  3.2144 +is stored in the XML file mytest\_update-security\_policy.xml located
  3.2145 +in the ACM policy directory. See Section~\ref{subsection:acmnaming}
  3.2146 +for information about policy names and locations.
  3.2147 +
  3.2148 +The following \verb|xm setpolicy| command updates the active ACM
  3.2149 +security policy at run-time.
  3.2150 +
  3.2151 +\begin{scriptsize}
  3.2152 +\begin{verbatim}
  3.2153 +# xm list --label
  3.2154 +Name      ID   Mem VCPUs    State  Time(s) Label
  3.2155 +domain1    2   128     1   -b----     0.6  ACM:mytest:A-Bank
  3.2156 +domain4    3   164     1   -b----     0.3  ACM:mytest:A-Bank.SecurityUnderwriting
  3.2157 +Domain-0   0   711     1   r-----    71.8  ACM:mytest:SystemManagement
  3.2158 +
  3.2159 +# xm resources
  3.2160 +file:/home/xen/dom_fc5/fedora.fc5.swap
  3.2161 +      type: ACM
  3.2162 +    policy: mytest
  3.2163 +    label:  A-Bank
  3.2164 +file:/home/xen/dom_fc5/fedora.fc5.img
  3.2165 +      type: ACM
  3.2166 +    policy: mytest
  3.2167 +    label:  A-Bank
  3.2168 +
  3.2169 +# xm setpolicy ACM mytest_update
  3.2170 +Successfully set the new policy.
  3.2171 +Supported security subsystems   : ACM
  3.2172 +Policy name           : mytest
  3.2173 +Policy type           : ACM
  3.2174 +Version of XML policy : 1.1
  3.2175 +Policy configuration  : loaded, activated for boot
  3.2176 +
  3.2177 +# xm list --label
  3.2178 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.2179 +domain1    2   128     1     -b----      0.7  ACM:mytest:A-Bank
  3.2180 +domain4    3   164     1     -b----      0.3  ACM:mytest:A-Bank.SU
  3.2181 +Domain-0   0   711     1     r-----     72.8  ACM:mytest:SystemManagement
  3.2182 +
  3.2183 +# xm labels
  3.2184 +A-Bank
  3.2185 +A-Bank-WL
  3.2186 +A-Bank.MA
  3.2187 +A-Bank.SU
  3.2188 +AutoCorp
  3.2189 +B-Bank
  3.2190 +
  3.2191 +# xm resources
  3.2192 +file:/home/xen/dom_fc5/fedora.fc5.swap
  3.2193 +      type: ACM
  3.2194 +    policy: mytest
  3.2195 +     label: A-Bank
  3.2196 +file:/home/xen/dom_fc5/fedora.fc5.img
  3.2197 +      type: ACM
  3.2198 +    policy: mytest
  3.2199 +     label: A-Bank
  3.2200 +    \end{verbatim}
  3.2201 +\end{scriptsize}
  3.2202 +
  3.2203 +After successful completion of this command, \verb|xm list --label|
  3.2204 +shows that the labels of running domains changed to their new names.
  3.2205 +\verb|xm labels| shows that new labels \verb|A-Bank.SU| and \verb|A-Bank.AM|
  3.2206 +are now available in the policy. The resource labels remain valid after
  3.2207 +the successful update as \verb|xm resources| confirms.
  3.2208 +
  3.2209 +The \verb|setpolicy| command fails if the new policy is inconsistent
  3.2210 +with the current one or the policy is inconsistent internally (e.g., types
  3.2211 +are renamed in the type definition but not in the label definition part of
  3.2212 +the policy). In this case, the old policy remains active.
  3.2213 +
  3.2214 +After relabeling Domain-0 with the new \verb|A-Bank-WL| label, we can no
  3.2215 +longer run domains labeled \verb|B-Bank| or \verb|AutoCorp| since their
  3.2216 +STE types are not a subset of the new Domain-0 label.
  3.2217 +
  3.2218 +\begin{scriptsize}
  3.2219 +\begin{verbatim}
  3.2220 +# xm addlabel A-Bank-WL mgt Domain-0
  3.2221 +Successfully set the label of domain 'Domain-0' to 'A-Bank-WL'.
  3.2222 +
  3.2223 +# xm list --label
  3.2224 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.2225 +domain1    2   128     1     -b----      0.8  ACM:mytest:A-Bank
  3.2226 +Domain-0   0   711     1     r-----     74.5  ACM:mytest:A-Bank-WL
  3.2227 +domain4    3   164     1     -b----      0.3  ACM:mytest:A-Bank.SU
  3.2228 +
  3.2229 +# xm getlabel dom domain3.xm
  3.2230 +policytype=ACM,policy=mytest,label=AutoCorp
  3.2231 +
  3.2232 +# xm create domain3.xm
  3.2233 +Using config file "./domain3.xm".
  3.2234 +Error: VM is not authorized to run.
  3.2235 +
  3.2236 +# xm addlabel SystemManagement mgt Domain-0
  3.2237 +Successfully set the label of domain 'Domain-0' to 'SystemManagement'.
  3.2238 +
  3.2239 +# xm list --label
  3.2240 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.2241 +domain1    2   128     1     -b----      0.8  ACM:mytest:A-Bank
  3.2242 +domain4    3   164     1     -b----      0.3  ACM:mytest:A-Bank.SU
  3.2243 +Domain-0   0   709     1     r-----     76.4  ACM:mytest:SystemManagement
  3.2244 +
  3.2245 +# xm create domain3.xm
  3.2246 +Using config file "./domain3.xm".
  3.2247 +Started domain domain3
  3.2248 +
  3.2249 +# xm list --label
  3.2250 +Name      ID   Mem VCPUs      State   Time(s) Label
  3.2251 +domain1    2   128     1     -b----      0.8  ACM:mytest:A-Bank
  3.2252 +domain4    3   164     1     -b----      0.3  ACM:mytest:A-Bank.SU
  3.2253 +domain3    4   164     1     -b----      0.3  ACM:mytest:AutoCorp
  3.2254 +Domain-0   0   547     1     r-----     77.5  ACM:mytest:SystemManagement
  3.2255 +\end{verbatim}
  3.2256 +\end{scriptsize}
  3.2257 +
  3.2258 +In the same manner, you can add new labels to support new workloads and
  3.2259 +add, delete, or rename workload types (STE and/or CHWALL types) simply
  3.2260 +by changing the composition of labels. Another use case is to add new
  3.2261 +workload types to the current Domain-0 label to enable them to run.
  3.2262 +Conflict sets (run-time exclusion rules) can be simply omitted or added.
  3.2263 +The policy and label changes become active at once and new workloads
  3.2264 +can be run in protected mode without rebooting the Xen system.
  3.2265 +
  3.2266 +In all these cases, if any running user domain would--under the new policy--not
  3.2267 +be allowed to run or would not be allowed to access any of the resources
  3.2268 +it currently uses, then the policy update is rejected. In this case, you
  3.2269 +can stop domains that conflict with the new policy and update the policy
  3.2270 +afterwards. The old policy remains active until a policy update succeeds
  3.2271 +or Xen is re-booted into a new policy.
  3.2272 +
  3.2273  \subsection{Tools For Creating sHype/Xen Security Policies}
  3.2274  To create a security policy for Xen, you can use one of the following
  3.2275  tools:
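Review bot: The paragraph after the first transcript names the new labels as \verb|A-Bank.SU| and \verb|A-Bank.AM|, but the label defined in the policy figure and printed by "xm labels" is A-Bank.MA. The text should read \verb|A-Bank.MA|, since a reader who copies the label name from the prose into "xm addlabel" would get a label that does not exist in the policy. Two smaller points in the same hunk: the "\end{verbatim}" that closes that transcript is indented by four spaces, unlike the other verbatim blocks here, and "designed as Domain-0 label" wants an article ("as a Domain-0 label"). It would also help to say why Domain-0 is relabeled back to SystemManagement before domain3 is started, because the transcript shows the "VM is not authorized to run" error but the prose never connects the two steps.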
  3.2276 @@ -3044,7 +3982,7 @@ storage).
  3.2277  
  3.2278  On a single Xen system, information about the association of resources
  3.2279  and security labels is stored in
  3.2280 -\verb|/etc/xen/acm-security/policy/resource_labels|. This file relates
  3.2281 +\verb|/var/lib/xend/security/policies/resource_labels|. This file relates
  3.2282  a full resource path with a security label. This association is weak
  3.2283  and will break if resources are moved or renamed without adapting the
  3.2284  label file. Improving the protection of label-resource relationships
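Review bot: The new location /var/lib/xend/security/policies/resource_labels is hard-coded in the sentence, while the update section earlier in this patch refers readers to Section~\ref{subsection:acmnaming} for policy names and locations. Consider adding the same cross-reference here so the directory is documented in one place, and check the rest of user.tex for remaining mentions of the old /etc/xen/acm-security/policy path. Since the surrounding text calls this label-to-resource association weak, a sentence on who is expected to be able to write this file would be a useful addition.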
  3.2285 @@ -3073,8 +4011,10 @@ that exist in the core hypervisor or in 
  3.2286  processor cache) will be inherited. If those covert channels are not
  3.2287  the result of trade-offs between security and other system properties,
  3.2288  then they are most effectively minimized or eliminated where they are
  3.2289 -caused. sHype offers however some means to mitigate their impact
  3.2290 -(cf. run-time exclusion rules).
  3.2291 +caused. sHype offers however some means to mitigate their impact, e.g.,
  3.2292 +run-time exclusion rules (cf Section~\ref{subsection:acmexamplecreate})
  3.2293 +or limiting the system authorization (cf Section~\ref{subsection:acmlabeldom0}).
  3.2294 +
  3.2295  
  3.2296  \part{Reference}
  3.2297
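Review bot: Both added references are written "cf Section~\ref{...}" without the period, whereas the line being replaced used "cf."; please keep "cf." for consistency, and "sHype offers however some means" reads better as "sHype does, however, offer some means". The hunk also adds a second blank line before \part{Reference}, which looks unintentional. Please confirm that the labels subsection:acmexamplecreate and subsection:acmlabeldom0 are defined elsewhere in user.tex, since an undefined \ref renders as "??" in the built guide.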