From 09332ac0f7f63a777b99b89739a3b42c51a262e9 Mon Sep 17 00:00:00 2001 From: Hannes Mehnert Date: Sun, 17 Sep 2017 14:13:28 +0100 Subject: [PATCH] some case studies --- About | 5 +++-- Projects/Pinata | 29 +++++++++++++++++++++++++++-- Projects/TLStunnel | 22 ++++++++++++++++++++++ static/img/reverse.png | Bin 0 -> 17320 bytes 4 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 Projects/TLStunnel create mode 100644 static/img/reverse.png diff --git a/About b/About index cac3a49..9abed49 100644 --- a/About +++ b/About @@ -40,7 +40,7 @@ access on new development, influencing on the development roadmap. ### Alfred -Alfred is a research associate at University of Cambridge. He enjoys to write +Alfred is a research associate at the University of Cambridge. He enjoys to write code, and also travelling and repairing his recumbent bicycle, and being a barista. @@ -49,7 +49,8 @@ imperative code (using a higher-order separation logic and the theorem prover Coq). At the moment he is working on an executable formal model of TCP/IP which can act as a test validator. -Alfred co-authored a TLS implementation from the grounds up in OCaml. +Alfred co-authored a TLS implementation from the grounds up in OCaml, and +contributes to the MirageOS project as a core team member. ### Eva diff --git a/Projects/Pinata b/Projects/Pinata index 1d2d716..fbcb922 100644 --- a/Projects/Pinata +++ b/Projects/Pinata 
@@ -1,7 +1,32 @@ --- title: The Bitcoin Piñata author: someone -abstract: some abstract +abstract: A transparent self-serving bug bounty with 10 BTC. --- -This is one of our projects +The [Bitcoin Piñata](http://ownme.ipredator.se) is a unikernel which serves as +bug bounty system to test TLS and the underlying implementations. Its +communication endpoints are a website describing the setup, and both a TLS +client and a TLS server listening on a port. The total size, including TLS, +X.509, TCP/IP, of the virtual machine image is 4MB, which is less than 4% of a +comparable system using a Linux kernel and OpenSSL. + +When a TLS handshake is successfully completed with mutual authentication, the +Piñata transmits the private key to a bitcoin wallet which is filled with ~10BTC +(~40000 EUR). + +On startup, the Piñata generates its certificate authority on the fly, including +certificates and private keys. This means that only the Piñata itself contains +private keys which can authenticate successfully, thus an attacker has to find +an exploitable flaw in any software layer (OCaml runtime, virtual network +device, TCP/IP stack, TLS library, X.509 validation, or elsewhere). + +The Piñata is online since February 2015, and although thousands of unique IP +addresses initiated connections, the wallet still contains the 10 BTC. + +By using a Bitcoin wallet, the Piñata is a transparent bug bounty. Everybody +can observe (by looking into the Bitcoin blockchain) whether it has been +compromised and the money has been transferred to another wallet. It is also +self-serving: when an attacker discovers a flaw, they don't need to fill out +any forms to retrieve the bounty, instead they can take the wallet, without any +questions asked. diff --git a/Projects/TLStunnel b/Projects/TLStunnel new file mode 100644 index 0000000..4483ad1 --- /dev/null +++ b/Projects/TLStunnel 
@@ -0,0 +1,22 @@ +--- +title: TLS reverse proxy +author: someone +abstract: ![TLS reverse proxy](/static/img/reverse.png) +--- + +![TLS reverse proxy](/static/img/reverse.png) + +The [tlstunnel](https://github.com/hannesm/tlstunnel) is a unikernel (depicted +as Proxy) which listens for TLS connections, and forwards requests to backend +services (depicted as web server). The specific backend is chosen by inspecting +the Server Name Indication, a widely deployed extension of the TLS protocol, +where a client requests the server name to talk with during the TLS handshake. + +It is similar to other projects such as stunnel or stud, but uses our TLS +implementation written in the memory-safe language OCaml, instead of one written +in the error-prone language C. The backend web servers don't need TLS support, +which lowers the maintainence burden. Many security issues in TLS +implementations are due to memory safety and support for outdated ciphersuites. + +This TLS reverse proxy is deployed on various websites, including [Real World +OCaml](https://realworldocaml.org) since 2015. 
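Review bot: "maintainence burden" is misspelled and should be "maintenance burden". Two more points in this hunk: the front matter still carries the placeholder `author: someone`, and "The backend web servers don't need TLS support" implies the proxy-to-backend hop is plaintext, so the page should state the assumption that this link runs on a trusted network (loopback or a private segment), because TLS termination at the proxy is also where the confidentiality guarantee ends. Consider also tightening "where a client requests the server name to talk with during the TLS handshake" to "in which the client names the host it wants to reach during the handshake", and "Many security issues in TLS implementations are due to memory safety" to "are due to memory-safety bugs", since memory safety is the property, not the cause.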
diff --git a/static/img/reverse.png b/static/img/reverse.png new file mode 100644 index 0000000000000000000000000000000000000000..d803078e7089a1bca5e34db069be9eec8d5248bd GIT binary patch literal 17320 zcmb8XWmuJ4*fmN>NC+a0(%mf$8wCLg>28pe?nXhnTT+k)=`IxnX%UbPkq|+;^Sjr1 z&wHIe-=DMhb#2+mT5CRY-Z93w$0Xu~@-tj4ax5eyBwTs9r)o$@$no%XDkeJocQ0Yl z68=Cpd;aVx(ktD9FPO|3Q zr@+ynYMgND<+q~DoXxvM>p7{ft*^Yn7sQM}N?8zutp{6UFE8`1fZA1sSD(0(Ti?dX&Dat6W4`x4$u4i{sT z94@C@hUF}ox2~U>QBI%#cnpgzxXCG=&$2Isjlb~{3|HW=b z#tkO&-ibrwM9SvibwlPvQAw_KgdI^cJwvtDq^=af&)snMT*lf%TF3BiyPViSHW)qB zGYLpvU)Ge<^9km~BP#JksxFqwSvh)7t@V zmWG$`u@Y?!c?$+DOL<99S^6pVMCue);O&T3_m$H<&iEUFb@v;S=iVgGy`P!AqC%Xe z*%J@dBlP3$^r_o96C>ikxf@1;>kT&#MGjAAp8i*n5lm=xckrDAAwAZigq-PiQ+-BS z*!d-a)_S{1o=H$}2XD7^5SN$=lx#u5Fu)X%^! zA8J03%<@?z+rh`$`cIoQrZG(q-OkPq8;>Zdy=lLoH0J)_KVt<`cWHjsznVMIA1bQm zH7rV-J5nu>_2&xFnJ7^$7*5ZQpd8zDE9y^Tx=j81OcRsH23?KH`t?k|(LL57jA1jL zOqZ9!2CNZJ;HMr0-y)T0u=4m{xcypL$#3;L=dG!!X>M&zOi2mN&813V)yxmLzF>}g zZB(@}-{MLdBb&iFKIrcwEse4icq?vWV}nT({ku0tU#r1(GE}`tv6MArZ_2iz{7ZK? zZsB!DiWS;Q=*;Fk^HA8w_Q-F!G3PydS|)t!4?2FZ*P+mal(c#Ln{5~y8~ZocOci)w^xx-=ogd1{3UwA|d^ z2_HVRKiV&)ZSUwnlhV>6-rwIZW7Gavva-Ti`q8j0)w6$xaF3<>;buzxeE#?*C3=AE zV*B~7d2jS4iWer$3&KnP2FIn&VOW8@lG0ZbW*_`wW-JK_2`_JN)dpM5wtj{hNis4r zgEo(tHqYI}galPL9 zE(VfN#*oGdWxUlfe{F7TSos`{y`PB_n9AUT0>vz8WvMi(@{*CR1}5L9C0%4yu7HAA9Numr#lPwi|rYYL_M6Y z&YTky6BP_{)6z)bZ3}%*caFBE;ubr6MX%q}vSdw9>j>IUf77K=Y&-?EUy|MAqZKj0(Mb)ogzfKSF z4Vl+ug1u1fg2Kea#g(|)_wsMPk{D04wY8;r-DTzBQEf2$>M}K1uH8b<#8eK!&lr-9 z<7dZL%HXlqak@AcpPDLIqLM3d^lxses4kY`u|u`fFX>bc{oYV)l7odqXV1R5;TVOF zAFVZH=H6q{$n_7Fus>i_gms~ZPEb43&&;UG^GA14?-+?C7BBktB1tZBqu&EkNS5a!}HyrmHJIjXAg`%eE7hekZ^ye zT)WDp!B4djNd+~c(e{a%ZwNjI4tn!l9aqOV6G8uhk}> z^V?F`d}l0wUoL-s^Vep)$aXYKxU$#2MF6wznYKI`EkA#KTzUD{P?~W-%YT)64P|q+ zJ8;H)Hb3Y;8h6FE$#zc@bC6CoavZmJyqZyza9HdZtW78F6mkon%gE3u(}+N zKuGAC=b5Lp3=E;?hZ{+WiLdjSabJ$+_>axjT3%C#5bNA0B(#9^G;B@NW@yt>vb40^ zuL@K;n69;qippp948e~xjpg8AK~>BaX=oj@7Q@nbB<{lx2iqv$;nR^LpTt;WJw}U! 
zeg|#;zum=&1J;4+QIGkNA&d2qY(M{PQfW+dT=JfQ6t+hf)aS(q$5Y0K2ZLNmsj0GW z&~eix{6!4gJlu6I8IvL$yRK95B(LH{J$E31P&;pLd}kY9ZE=(R`0+zdPOfBA|2Lvsynhm=R;tDjHgKR~Hj*VAO(jX$VKfR&MYq|BCOA0wUdn%} zgnEtk{qZzUgj`lJnUu4ZGaWnM`(K{iK|>RMimt7#eRXwZ5G`x|tYFN`Yhxr^yOKpa zRVDuvo&03$H2%Fz6tR}B?hJ~IYC5l_?Yii$;^+%P8C<_O;g!sues~j^u#gbaXK|FT z9<05e+9Kn%z|?QFe_s}cK_MGs<|Y@8OV1%JzBOq+_(0|Rx2d%5FucR>Pw<=%*OiI~ zG*lzP!>RfC3E|yg+o7UK=)L;vbQnuVO&x^Td#G=4EWHrPGmWn@pI8d{ojEbR`HWvV zzPZ@M7^tg7-Hilinfx!hH#gvd<+|R+(ULiGC7*dfFRzeqHU8>rv-5ACxJRN|hJ^}5 znG>g1hog0`<^)mN+jS&u2|3C%>*PBM3q95b>`BGn72VuC6!%GfM&+NpZC`wa!^#fT z;U)BN=&7`HbYy%lqw8c)q$;%@kdgI2P!S6@sarJhS9kTO zn4K*?7U|V&z5Dcb0rjZFWmdqC5B(Xbs8Qv}Evd_QzI^#oHk8g|ZltEB_W7G1!^>Y^ zLj8^>wKY6ke`lI@W7a09)e>pWFPy)e=C;-TsHmYqI9{aW+9*f#w$5sl*I`~L1V1D! zjL&|W+bSv<54MlT9R0~#92!U}Ko7e9);0C@)?=@WlrmA8%O?NE%B*n>`cm_0uxb{T zsux>|sE5Zs5+ye`GvkNiQ}I?<_V_1lq{i3n>fQeaCo$?|w2g<}l6E9h{PM7QPW0A?SukRi( zO+O-%xxKkAjBsSRFU<`r9mx?N-22t-eSJKY&GADVDk-J7&)!y5m&;1eT}8$R{uf8i za&t5^G-qdLS>jI1pFT+5ULAIh7S-B^rfl!*7@eQ(CwXRZ$f>C%{%CUCRe*xWgGuua zdE;>2;f-*wJJV2I(aOg+q&%X&SK}_%u`?<$J+GCEMep(Z{t6|ro~|}6-J%e7pb^Mdo4({|EI*#jS#2cuh!WIb0c&z4lZScziz2qn9d zSO*WM!5}xj@3Km-l98GDn@+K^p*o->B?*bnFN1^XtGe3s92`pW%F0>}^Ud#j`ufT_ zjXNt86ct|(ImJ1l9iFFYe)9OVLu_rCQC(flCmk+}NR+~B&WEBN(a>#I$|nhqhxiIb z2>&qGDluLJ91|5gELtqIx{F=>DHtIxH8A7NKr|RwoN0d|gRkIERL}O9O8UI5I1JM`abMJvlU`1mK z#5|={lsf16uP`dF?V7$n(=~KU0r~-A#Dzsg2g`5pTuyfkISrbZ<1L3EW|F7^&X7%H zo<8jv4_#v$%={CG@=(}i`g|O3s4famB0XhuWra26ieF^T%Ol>?ixX|t=l^fFysc_2qSTI93>_( zuuvKq86f}yH2hR9|S5fKrVvLmdTW#KyuRQ%Tbv14{QIXPzA z)5S;nO*g40W6utEewJxsn^fd87Y9$V%%!>&%Bm)l{9aih@9phPZT$!Z`)*L!L%$!> zT1RzWTi53sx!LUU=jKr8fR|AE?R{3;Ef9Y5>66sosjAV<@nT`$lZu5oS5MCk;9f)D zZ5vL-pBlcT96J4k$<9X}GeBa@?##jKiT12ejmPcJ_wA*COY!65sikjj?(XiW5_ddI z?``PQ+?Q@f(n51+rGoYjXgg1hur*m-ecD7)vdqWJ2`UksJmRc~x^8boO-_9DjrtSB zi@8pE=jP_<#Kf*TwW{HSko?ds0uG0#K2B8`vkg+*-0S}OHFWAXNAwx@Bd+(ZojTpuL6qqz{BvGeh%XYiP}9%fA>|3@x}!|Q*#aB2gjXA+yn zkEhQ&aA3w|hP+Zs^dF!ZW9`}Lb>SUqa$y>jERMVNS?QiVys|R1eTF{X_hwV*e3gy2 
zhu4QQk$1Kpln>dzSV9fVBUwhPcK$7!2DHh}2kKmFLo^l?x|bJ6WMoj1djUwcW-1n0 zrmGBc)u<<7Et|Kn>dw0S;v(UaAbdrhgKmM!l0Mor-`j4GVJ|=U%*(5JbHQ_|LtpPR zurb^hAFZg6Zc^Vk!hU&Lw>3E~F$xQ30N$yst>q@gStS(&KyJdja9aX2FvZE)`Mt~9 zK*^+SnMUbry-LL1?{IGI&bK@%V)z-UFMM-#eSMAmu+h)vTyeLYZr~k?4Jr->y19o@ z`mX8GexECpqum@W%EzC#`@ba=98pr{tQ=1<+2Nvhn=KRXNwP)xnm7KzLMqe0`T5QD ze6>X}o$5$9?fy3;UXEM+-vXbo4^Kxh4soXY4rWJbpEJfMyL$Wjww-KERgD7}vH6~d z?EZJ+J&@fNNk+Sxrv|RgnI8H{=HjWTsaj<|JFrj#gNNExMhrYW2_YeO2nYz8J^qp3 zy?Ym!6hK~S7Z={h{N>-jlP;^Ltof}Q^nm85mQU(DxX%lW^UY@|s3o!m39G9XIOwSI z^761d%j@fJtEwD3%b_XVxpU`5lY`;kiP9$!YX|Sr^pr+?*ETnGw`(mU9-hB4O|ZrV z$_pRXx4@;M`+~Y5Xd}of$lx$NCe|LBHN94i*K7hXi zf}}X@`@LP_A^67TCv7QpI)BkZkd%U{2Z^j(TntL-%_K^^9tpiZueLw|F)Q|q)1964 zZqiGX&PO6{=`0~7?SZ!e9=nUfDQw!|QBiaNNG^`I#+#kZ$sao?CNU~m|M+k>hT?JW zV5HOwGIUfu4Ba0y1lohkENpD$-`b%IJ(LW{dcdTNPeCyV{J{0LOoR3H>(?bl9U={O zQ$>0Wwg_MYDu!y^OC>*lf1nf2I#T6BLyAC}U8>-O9#B!K*xR!QUhQMRU-o?c>U??f z&o9>(fuL@=6cg4+O(3#(`S>bhEscJ@C>;{LCo_Cv|FtLLf%oZx=dSPU&y23T#ZMMP zHG&h7`QOVl?aTql)KU4A1bSRw9N&)Zh$?*f{{BfF0Lym`_A_c6FVU(g4i!IQt?#w> zabNE1nV(ZcdCQlwCq#JfZm~*%D#D3M7%i2aovj2bLud<7ysvI9cZYH%5e(|r?ygGM zy+???1_{_@WzqB~jkD(b%6nb>DBj%1(rN{mWt%4#4-XHb=>wm4+WN^MEiG+5mXG$| zfB%Wyoc#tY4#Y`g{k29*TiXMCd?_iZPyUCNR#vVEaG87g8Vy^>`+z|69<jNCMtBtkIsJ6@ji=v znDPi8pE^aBhdV|9MG#*^{Hq#@Yk)^{!LqAxr>N;2% zl{{QRMs<01vKFe};iSp`j0UQy=T?redvf{ZolK^h~fvzgpswkdVB7 z^XBfodpC0(fEWlKJyLRW3B}VR;2Y^M2E}ZwZsDL!2}X@%}1qYaaG3@ z;KEbl)V_qG8dUCFeN5!T(j5{bFP?I%(VVwgr5PWre~gc(JQ8iR3%I@Z9Ht7~cG^EV z5p@6aeQdh%mHv~K`E8})q zm1}k1>P5v9Ti)ZYSVM*)0gs2kvWM%#PYTt>06IZXBf^A3zj3v0RH6WOcZ7J7^`lXT z0z7o7eiLUJ=S-lYko#W^MaCo=TH5>z^A$juhwY*F1 z{WqkTW7L(?_m2OUBr5u})Is6{-%CMbO5rcFNlZ5DyQ6>N@rm)sLyDuYjeC2lZ;ot= z2eggkRaE+hhhrLF&A9-xHn6MP|J}#uv@8X^cf;7h7aM-1@zvBmU60e|dBK zT%wK8zpzk}aQ2h|&FYDhbdW38EN`5=eBxcfe{_;C)b>8-v`(dSQJlL<$d7@XPYP$emt%M)GBM;?h88l0`&-o*JVE-EJ#<^1Xz& zpDB@TuU$FWHv^N}w6ruEfbN9{P6Pn-nik)c36SDoapN(cGMz%ZQ@XjiDLe^fNRW#R z6VTFWd_iqq!yLCZsJ#duQOG~)PEhyKf4LKg3wj-PQs_u(A2HMjOA8AjeZq)Us?e`7 
z!~T`k3guGdY>~B6g=!IK*u<9gwv!61cuf2KOjKNQI`Otv7s0l%tO| zU+IYexZkE{%0VdYrJTNJ`x59kYY%F9yD2}p_vOE)dW0USNyzX7lZVtv@e>lpGBX={ z#M4A7Uwu<|RG&uM$=S16yIa;-fs&qegoZgPei~gY<2{creT01D)My|mt7j@tul#B8 z{@r5a_LEt=j2~$!zat`qD=5XhObS8SvI$a`4p;s}X*FnRXHS&yf;NE=&sUbd0{aN> z?p>afKQwfAMBZ5rrnbsH9r73*8PN*b4I-)LOjmE|*1CVUa!pGXU3*7pxAN$8FE5p7 zUy;6%2_)umWw!@OzfD^!OjL|@-XIl1$jmUXbFm-;_fW9@lR3+wFWAN$nU7(FakFLL zvK>+BZ%Xv_EuYo*>yyldIhJTEy$0HR6{_NfTb1?R7zzY+Rko7^9VlDWQ>60x_4GK2 z*7KnFczhf8HEJ_+bIno7+X^cKgDk9O>JZYq+n$XEC%r#At0TXtlox8cZ=B~P*Wqoz z7(^P%WA@Jg`7g(_4}34aU?J_Do^qXHOb(#(@Pti*9yLf&u_7sjI<)AqYZ5D%zKS!m z9aB(QjgEoAcSiX+lAb6Rcu{S@wU1Sl>dWe4qSU)ms;lcQ9l~CFCjYG=udA=y1?6(< z8!mhiqwq#;_B8o(5LFN7ofRbRZ_0o&-|TF7Vbw$j+M7n#-j~B12L}gQHn!*9d!H%a z{+%q(gh@xJQ56#%-4pre&ox0MDHnleCra~FR7SPvE{)OGZRM`{-*Uz}{TUgUd68{x z9hr&AG-~SVJmfLLOjQiT75kx@YG}1oUM!4^vg1vTk~X217!C`qh3#i6hm=6eXoZ>+ zN_FdA_AW2?7RkoEjsfs0s9C9}v>H>D7$2Xf*Ls9K#nol7&Jl8kwU>|5%vaMylq!$u zVc0oT_Pg&~Krj{0=X8C)XasvTJvrfXo@P0|^os&DhIiWKvJV0S-<_SS4i1)Ii9Tkd zOIKt>^l6a1&#zCHytgWw5R5&GLo4G;j+Ra)@;Go|{;IAU*}LWO^LUbyk~Q9kKkGs0 z^VwMnlzQ;!Q6(}c=U;$MAr?C-X`HyTvB897`?JF4o#4MpM18mQI$t9ZkCy#yK+_ZV zNwe7FL-KSt)}RS*&FKJ9qfzrG2&=u*JrfN%Osb>5p>au8RGoSpU9n`{pES#-DX3H? 
zQrM8JHCPQMZHv)c%P_YW+7P^_&SsnuiY_US*`3|?!`LkUc~q!d3at^&WM}`*_RarZ zUlvRA%G;&(9+mmEMt_?#BI`Z%KORNLB;*|1F~0 z5lCAH?*)u@^d(Iz2norG|v0APBe8MyS-Bj*^X~<%?FcI4*a%$Dr-{;do?## zzuMMetar?1ONvqmtJ@yYN1?$g06AE}9wHR^b+xq}RE19T9Mb<+aW7MR z`H~S}DRiSSC@wX=rw&Ix;=owk%GJZZzClmPOt=~a$?`f*vSe*d#$u`S=~J1SUqfUD zhK8Hp-=m8Ao_u%`b`SV^Fi;b#s4b0yfE`s;)u%Et@3qPSqv8UhFP4oV-(KvPn=wmG zhXVPd!`Jig&&omI(+__Xsr9_+;2$9jL_c{b2%3`rE;ypty)V`MaI_2(r$=Juag-oG67pc;HEEUYAq3Jy^N|$iaZb#o1YbA zpx46?PpFMT@T)by%lW|?fc6BsXW?;i#m>Kb-FD_P?$gO~1LOi|Bm?vkHs)EY0V}1j zmd^eA_XU@pj{ag;{sd7m4=~NnezL4VOvm~eLM(VB;kT-6zkNP${5ms}0)#<6H=qww z>A#@-lzo1Kp``%gqj~HU0nP-*3J+USUHbKvG5SZHA63F1nY4bN^fTqM8`WC$qrzkt z576Yh>FMctHlVfuqQ>fN)b;AEKZoC^OBZ%!1Tw-9pi?34ofuxiOySw>LuoflxPXec z`W*Xc|JPM{mCMD?%6a}21sRxo`~k7iVHTL;bXTAx#=VEjbBIo&dkKKRz{z3W zyH^B!ccM~14JrzP)x?ksJpB3Cu76;F78U@}00rz5%o|-K4-Yp+lhV`WfcWfe03nLw zGw;O#>iDAkd1rpWzgYo@BFpX^!Z>*9I-g_P;s#@UUp><`C&F}?kDvcyt7_lgzdn`x zfN|%JT-TgO&*0#5!om_%6cojbj0_|esaTr`@;U+=6#gDR{2GcE7$vx8rdqU*xv3P` zy%x}GgEWR}WD|LEF%%l5?Hz|MU*!a`Eytd>N5-w?#I2Q~oS_H=y$fRD<2#&%+50uH zw-W6tN}$aqFzLU8j;>a&#gQ4us($RlS@>bPeq<$HLvEQJkA!4)qU67!hA+o{pc14JMmE2^mx0Km~G*TRJY3ncl_P_slIqu@(A~4|c6I|dwZ^o?Y#l;_W7^%RporQ%3Kt+63R@N?X4PuCPdPYW+ z7X`AoP=Dott06c9tirq}{66r_nKjo@?<)8}`$M0o@c>;!h4((kwDyM|;h~ci+ksL; zwe;`%d-E9|rW;d0eYz!gG@4n7a*`6*6}VM zkMkWj8!vmHk`#G-gzh=LzJw*z$+jmJ zc-x!U<DgHlarl=%)^!)4q2WD>!|q= zjcFyTLbD{PY31d^R4bNbGOAEPWHSr~T=;Dp$jJnkxuBg}mV4(>k|Gb?8OfFKR}lBy zdA0+zYmZ#SO|B3oa;;zc`UW4dW7IhR<`Qlz>Jrh!r=X@IP@o_A47d+F@osyJw|@uf z9*xr`6sy1AzG0qHinsdWQc2YRm~WwKc_dVA%t3{DLc_u$9}ziQ+1qZVxv+9u)6wfr(|@|OvZ}DSf`O1cN%l((~8d(OjE3$$&Ror z9V#-_yd1Wjq6*O2ik!J>n7{lq@EKMQYXe1tQJ633Fg47{n{M1>c{+vy0=0ahRc^>_ z^9NcGv`=B(#KffkN7s!J=&auE2(jeoKz@r$k;CC{OO%UHEfxbVIXs7~#B=iOb6C0V zH`ago3pNqNL}+Sl@Q!Aw%cvLz0l~D_jzQ@hE6YFIpR2##;_iBLUHsLo#X-L~`tz$g zW+GC0cd-Mq=pHoaXo|->Io?n}y1#^uL%l$5fP35y0&CK;PRjLa8E>)56~gBbj+)D`waW&VOoM%a)C%F=CwOV zHaVQDiv43-Q|J65trM?Ol7S$wY6MqEnj59SH0J}IOd0;s&H@D#IKZ1vTwD&sRelr~ 
z79vLfOmbF?)YN$|&}v;blo3m$ixXSn-u)cA7i!67fb3$BnkM7c`r_4KDo2cp*#3u3 zb|FhX@Mh@Me}AkXcS9Aw`#1xeq`2YT`abG`<{;dkwm z9lkc1tUNG7ZnN@H&?1)1k$|wWgvxj?we0Hm-@gNpd*|DAqh~v9yF0?zr3Nj$@86#` z=rypN@(tgd%sC>H!bG{Cr)B`FyaJ~b54qBFcQHw?KsJW=F*bOY)b*MiRLSzd&d}?* zcz1MrqBLoomZ!I;rvxS&9REN|0Cmy=2*M}(M#NmhFUH&EzX#38pxFso z8^c=x6B`?q8X*#i|GIi#PbMBTrXyJJ`=kEplaHnQFh-tG5#yP4UH#T4{@DI(j6rnH z`5DK_Zk(1%&J|Z&9~IS(_thDXK(!&}*gLEWF?-9yXw`~ zW734jb>-`I1#}DoZfSs#^GC!SS3&Zoc~J)QKDJoQ%-M3X5;=Rp^Z*tc2DD2^oL3?E z?Vavy8EOE@V_P1!dZ7Ct0;kg!iHubdfL2VjFlc>#Xz+ zab-R)EiGxZc{~EK=G6gs;Q%Z53tLt(V*z#i0)kR~JwHH1nCi+YDQN-`OsTKeV33e7 zBBG+I0`avyHxBvGJ3}VjFgdxUP{Q{`Vt9y*DL1M0)W=64;Qs0-=18Bb%2oQ?fN>iW zyWWv4S_lp?zQMpYkL~-TKhz=C?yy_4j~(W} z>+GZ?>!+hi{zJY&@<2WnC@s&M9)g{Yk?jVSZN1bfZcHVv;P2?j=)P@Tck$|LFKERk zrw$Xg0?<2>2fAh3FL&DP7g|&P{INFjUL%45xYl~UAR{9q!WIDnXoiq;zIrl3)v>fh zSHo)t{hnR&ku`)8DWV(F=^G z+%c%Xx{YHJ6EhGn{Swm9Sp9|d8>|hI6$hlG3~}EB=}f^!hx{IUiNG8Zm|}K}eFNv( z>S9<-3pg&p)q|w{(cnFdz5EXPnJm}smHhm~K&N>K8ejpWxcz+d*n3|pVX!X|CG}f? zQH@!nEtLojWiKqBd10z*DV~^sV5L4t1DFS*b#ry{;olh@Vfwf66=~>l!<5nQ-*J*2Wnx4rAf5gw*X9B=A_H>} z-D;EI@oNh(OeLoo`9y#^J_en%(QzrZsi{fbf<;A32kDka|DmF%XKMK=xYWvWyv*u1 z5*c#aOk;CSnbo|7i1hVMiB=2KjLd+>>S*?CcK!7z+pM^EOgWTcVSl+I% zn0yCvU{|hT3ol!()|GqtvWORCk*5A6*J9zL)dD^j8WjrXS$_$ET%^`#avum_pQsNO4`w0&i<8b%f;aZzH3r)yzh!CbE8 zzg6q>3#BRZv11vbOh3MKJN8hw{V}~W?+L_NG@udSI|CcJfwBD-UzWPxK-XK@2YzT0 zhPxe7&mSP>|E`dS$3RgT-30tBhydfQFMES978Cn09Kl6e|SWd6_1FT8y*zGH$I zZ0vxM5e)feEiKm&Q1k|f*pE{3nP;TK89w<+oeLSB;Qd!TKCDK_V1ISCf6upsQrIN~ z;6W`MuK`o+vA>^Jp2w@#*H_j$g;+)o4%PxcDR^Fz#e8^a>CD3r%Gcyj^H?Hhyvczk zWX4xzsnZ{!7D3YtGrXX$i3OCm5A@-1vp5$fdniFoO^;z-|H1oko!|O<5KKf6kfVHy zpFHM6VPV4mkU;QOj&hr!WMxD^T2>6$NxkZ$gt_*1p@;U2S*HqaGlv#ESQJJj9JeS zxmRipg5MPu!yYGg5I$@r)R@<N z4vX#bwU+&3%AVOoaUunIb4R*v%J_6pZ*(W38&+@&Fh;H|uOPLy~5kavP%nfGO34M`n?X8!M| zsndz=oz;581l>bv;PLQkUdlw#J zxk+v6+=4wn;wrzU%2U(A1-iN#zi?;uPFk@T8-Bke(*N2gm_}tltY=Vp`b9bc>#17N 
zT|B(U=a-jh9a205@@Rdv_I^vR?v+Z>TfPH2Y7|Ax@mGuZO^iG}QN{rw=;A%^l1QO*OF?oQH4_S;t|Erp+b6Hbx*U_2w7Z*)+N25It1MA{>E(|t* zO~MdLv_h#tPYLvK@ByJoUhO?`Xw7FH%6uFLH8*eI_qzXBz6=ab@xdiZE@=M^s?t3v za9{&uw1m=s{@1wCo(x<}XBQXiA`^o&5b!{%5|WcG`Y2P4(Q!yW0h&7~{0ET*YCxy4Xr4YXwHg{;-GI~qGaZ|84l*iwct}Xd zd_B0y!ohkF1qx$$MFsnPA|eK$?@XOH7j`ru_%L@N03nqaM)L&Hn25iG=#=sEYlq4i zuTyIw-zkU~&Ey2$c>B85NbilSNJfC^VC}ixWLb(%v(tO)#dhz`BN#_UfT>Ftlcong zO9mQ7XnA=#F#5Luo*#gvy~P{322Al|)uvBi7C{Ri^0n4-aEEOWg0`m{Pm-Ng`y)Hx zI~maIzC!moSgR>ofcbbNJP@`N%*`X9Dy^5(iHjQ|{s%Nak~U=-)kv>ryTd^6LX?Xi zKx*xZ95xy2VX?-O=CLhDp8wZLcxFs9W3>upzq#2O;-tjS!Plpj0J;UMF047ZcH+c*#HMJD{L=+U>2xwN35FK|rjJPAw&f3`&z^Y`(11ngRfl1!qPGVULFCJ za$~WnaiRT9BB-1j_at1-{+3tufP?3`ftCDpyLa99O*iS{aq;a5sz4T&5~+8@&BkbQ zZ1jQm0!>Z|QqumedMZ@V7i7c39D>F4ZEai{aK-##MJ>M%?vCg(wHa@FC@Ux;4%ZB@kP^802?GUV+j6Aw&&t~&|o<~{<#$b+Xx*G+#-O5JGSq?O&9h2 zh%X%u-v4lIV}F6u+blP@VgsUns9q&8Yl;HwNs!;5=qGW>XO&v|B@dIBREQ_bG#^y8 zA4Hyk>Gtc|VA|or|C}DUd%z--Tb>SDBRhD%WVE!jBDUB$Q){Vo4(He%GygDnla_OH zN!oDt1!( zg&&2_&%uzAAsHAD8-NNidaCLkKLBw#&PvvQVGQDLH`l?K}giGe>$8lgZNbGpOIZrxkMPkdjki-rE_ zs-JdPBqk%#Jl!S0D~}8!7?IMd(4j$OA>0sxK_Us<7b3!i3k8OK5`j1EC0dp5!XqOI zq|+adfjgB2MyIY@h_k`O!Xki6S=FkJtP;?Ph`_^7q*<;t{OA=04mvPTI)u>g_@o0U zf{a7B`fG-Y*PzQ|;o-%ZHR;DAsw#|WA)i5_C-yzrW^vE{i2#0C9dT4Um*(tDgxbLd z=spRz!3!A8ccW3nIJBvTf(v)Fn*{#%8R8*F|4G0`MFdiZ{&$xs9Dn^f1}^Hrm5HY> zUc~FPd)457X}|LW3g&!a@bx)9A#7Xlz5nnbJKP^(1B=mNVOr5hK1j)Ca5n(T zhowrk$fUE!p~r`2EDIc`(5@3&7r3g}-HseUa`uQ+=jp=FdMl-c(0+OrWRYxTFaR+u zVRp9HLG$qYX_T0M4vS?%;&EJT_uF(`AG#0T-mBff+rcy_bRJ{C-F|IuvefHU{+X#O zJ_9)HvWt3-jsi!FZ|t}K)!*_A1@Ef8J28mFTE_gaSx~T7}$xy6C%#YiB^&;&aRj)3Ocd^+iA# zM~I&t;4#2_Kt*L#g-9ktBgbUn)Rq1rI8Wfim-m*rFC7i0f*Y7Nq?Uo#b0qZ{EsJM`UPB~g z8R`dYnpqiH*&I$~?*{*#M7ixzmiDuQXI>HX4+)8GJ zU7*l(Upcr&+2jTU;N;42(NQS`?M*=5gZ0z0j6++gb65}oQ7M3eG$Aoj?RnLdcCNUu zhnxK0q;3KE7AAIf`(*r;1;D{nh{W_Ii|K_>TlliH)YXGgMxPkj3&u0JfQ0SSLHYP` z6W7b3^nGcYtz>|Q@A0LZhXIS51MT7h4;m=8=TlubDQ)$IQ(LYo#|rdB_mldcnwimp z{Zpe{GmF2inX{#F!83Y@ohsr-+|3V$>*R94dyVacf0g85hII~y1)ApM*H 
zRyab{qo^?IXg!8IKlMm3msp+DHkPT>f+#}I&(Ft~{^pipv^ai@xVivV1E+>7%4k3a z;^3gIeO5K~7;L7KaLektyfVPiC4j5c3H)wXFgJV;hN7a#e10%Q{Y?Vk>I64hT6Ef3 zm>3x;GlX4>z{H}Up)nE2j#2$T7hN3ya^hjcn%@)OFRQBBb&ye21i$^S`}(YS|Cg)a zH+TQIwPI~C*VCR>)_+rSi}--^Vm@p_a{v8_%C@WSGgf@Wi;^+D?}3HKTt{|R1;r6* zIEdY(T%pj%5}M{?n4x$-TZNTkNx?N*eDFl*4=^Ab+cwNLfsqGS*pg7@ya|70NvbkD z98**EA2M9oMZ=41u0)SS#(d^CYYFqC1>EAlpf>Jwf(tJ8vTHDnR zp`oGv0#LwsQqv-pi`y7OtSQLIyuYg5Ff1$OapGGAY|%=Lve|t;Ej9_1e)2?=E%E?$ z&j>CTyw1NcPJp0>N6Kf8R4!Cgny_t1(PY(pvJB*14=0c%3Rc9hfdV;pO(f&3jk*5= zh#eal&f5{#@X>GI(sP;|lKPM0`z`*)pZ@adIzbA-r+~-Nf$&5vV~cdrD;OJUkO{0v zxHj?!-{C12s=P?{N3>Pe7A9BSNdBXRt3i)QXrqvgMOnYNZoyX zuls5E`Q1wLnU@0YVp$*|q4FYrFTh=zoU39sym-XY6+uOmeFiC4-`;*73PUUY%E9#j zb0n`4=Dqf|G=SxVQtdE?#Vg53U9mzqGJ0sMidv zNV%r8S0yauaw7C1be$Lt3+4*J$3x9LtluZ+mf+=esba7hO=eN=#iscZ?C5f^uyu_L zoAV$j4H9A$kU~~d<1P^yP^&~V+(6KTV$)pQrD+|>;A3jQ%(&r^LxaFnQZRG=phj5u z7ly2kOI+&UYcFm7SE^A~MIe89O zdET(77aa+Z$7H&RWP3se<^OPNrlq!`CXhe3fNRoh?jqSdef0voya$gVEzB8QWZ=In!hFJG83M)-d zD$1)04MIyu!wZ;VvU(~pj!%86fPi(ZPK4;qeo?A{hvEolzNxTi{(q@j|NHAKh$3$> a4u~!eHvT?*1ixqlNnS?z=|^dk*Z&8D9|OVw literal 0 HcmV?d00001
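Review bot: In the About hunk, the Alfred paragraph keeps two grammatical slips on lines the patch already touches: "He enjoys to write code" should be "He enjoys writing code", and "a TLS implementation from the grounds up" should be "from the ground up". Since the second line is being edited anyway to add the MirageOS core-team sentence, fixing the idiom in the same change avoids a follow-up commit.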
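Review bot: In the Projects/Pinata hunk, "the Piñata transmits the private key to a bitcoin wallet which is filled with ~10BTC" is ambiguous: it can be read as sending some TLS private key to a wallet, when the intended meaning is that the reward is the private key of the Bitcoin wallet holding the ~10 BTC. Suggest "the Piñata transmits the private key of a Bitcoin wallet holding ~10 BTC (~40000 EUR at the time of writing)", dating the EUR figure since it will drift. Smaller points: "self-serving" (in the abstract and the last paragraph) normally means acting in one's own interest, and "self-service" is the intended sense; "The Piñata is online since February 2015" should be "has been online since February 2015"; "an exploitable flaw in any software layer" reads better as "in one of the software layers"; and the front matter still says `author: someone`.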