From 78b49b2f4e4bc9d47b2c8cc16f4c1ea0c55c94a2 Mon Sep 17 00:00:00 2001 
From: Daniel Gray Date: Fri, 25 Mar 2022 04:58:34 +0000 Subject: [PATCH] Revamping the Encrypted DNS page (#767) Co-authored-by: lexi --- _data/dns/adguard.yml | 15 +- _data/dns/cloudflare.yml | 12 +- _data/dns/controld.yml | 12 +- _data/dns/mullvad.yml | 17 ++ _data/dns/nextdns.yml | 11 +- _data/dns/quad9.yml | 17 +- _data/nav/1_providers.yml | 2 +- _data/software/dns-apps/1_rethinkdns.yml | 15 + _data/software/dns-apps/2_dnscloak.yml | 12 + _data/software/dns-apps/3_dnscrypt-proxy.yml | 12 + _includes/table-header-dns.html | 6 +- _includes/table-row-dns.html | 22 +- _includes/table-unencrypted-dns.html | 53 ++++ _sass/terminal.scss | 20 ++ assets/css/app.scss | 8 + assets/css/dark.scss | 7 + .../3rd-party => android}/android.svg | 0 assets/img/android/orbot.svg | 2 +- assets/img/android/rethinkdns-dark.svg | 2 + assets/img/android/rethinkdns.svg | 2 + assets/img/dns/dns-dark.svg | 166 +++++++++++ assets/img/dns/dns.svg | 166 +++++++++++ .../3rd-party => dns}/dnscrypt-proxy.svg | 0 .../3rd-party => ios}/dnscloak.png | Bin assets/img/legacy_png/3rd-party/nebulo.png | Bin 88381 -> 0 bytes assets/img/legacy_png/3rd-party/stubby.png | Bin 10524 -> 0 bytes assets/img/legacy_svg/3rd-party/unbound.svg | 2 - collections/_evergreen/android.md | 2 +- collections/_evergreen/dns.md | 266 ++++++++++++++++++ collections/_evergreen/linux-desktop.md | 4 +- collections/_pages/providers/dns.md | 115 -------- .../_posts/2019-11-09-firefox-privacy.md | 2 +- 32 files changed, 776 insertions(+), 194 deletions(-) create mode 100644 _data/dns/mullvad.yml create mode 100644 _data/software/dns-apps/1_rethinkdns.yml create mode 100644 _data/software/dns-apps/2_dnscloak.yml create mode 100644 _data/software/dns-apps/3_dnscrypt-proxy.yml create mode 100644 _includes/table-unencrypted-dns.html create mode 100644 _sass/terminal.scss rename assets/img/{legacy_svg/3rd-party => android}/android.svg (100%) create mode 100644 assets/img/android/rethinkdns-dark.svg create mode 100644 
assets/img/android/rethinkdns.svg create mode 100644 assets/img/dns/dns-dark.svg create mode 100644 assets/img/dns/dns.svg rename assets/img/{legacy_svg/3rd-party => dns}/dnscrypt-proxy.svg (100%) rename assets/img/{legacy_png/3rd-party => ios}/dnscloak.png (100%) delete mode 100644 assets/img/legacy_png/3rd-party/nebulo.png delete mode 100644 assets/img/legacy_png/3rd-party/stubby.png delete mode 100644 assets/img/legacy_svg/3rd-party/unbound.svg create mode 100644 collections/_evergreen/dns.md delete mode 100644 collections/_pages/providers/dns.md diff --git a/_data/dns/adguard.yml b/_data/dns/adguard.yml index 165006b4..867c5099 100644 --- a/_data/dns/adguard.yml +++ b/_data/dns/adguard.yml @@ -1,9 +1,6 @@ title: AdGuard homepage: 'https://adguard.com/en/adguard-dns/overview.html' source: 'https://github.com/AdguardTeam/AdGuardDNS/' -anycast: true -locations: - - CY privacy_policy: link: 'https://adguard.com/en/privacy/dns.html' type: @@ -17,14 +14,10 @@ logs: We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats. We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters. protocols: + - name: Cleartext - name: DoH - name: DoT - name: DNSCrypt -dnssec: true -qname_minimization: true -filtering: Based on server choice -providers: - - name: Choopa, LLC - link: 'https://www.choopa.com' - - name: Serveroid, LLC - link: 'https://flops.ru/en/about.html' +ecs: + status: false +filtering: Based on server choice. Filter list being used can be found here. \ No newline at end of file diff --git a/_data/dns/cloudflare.yml b/_data/dns/cloudflare.yml index 6aa2a366..fb62f66e 100644 --- a/_data/dns/cloudflare.yml +++ b/_data/dns/cloudflare.yml 
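Review bot: The new `filtering` value in the second adguard.yml hunk ends with "Filter list being used can be found here", but the scalar itself carries no URL. The sentence only makes sense if the row template prints the `source` link right next to it, which appears to be the intent of the `{% if data.source %}` block in table-row-dns.html. That coupling is invisible from the data file, and the template pipes `data.filtering` through `escape`, so a link could not be embedded in the value anyway. I would make the text self-contained, e.g. `filtering: Based on server choice. The filter list is published in the source repository.`, or add a comment `# "here" refers to the source link the row template renders after this text`. The new mullvad.yml uses the same sentence.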
@@ -1,8 +1,5 @@ title: Cloudflare homepage: 'https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/' -anycast: true -locations: - - US privacy_policy: link: 'https://www.cloudflare.com/privacypolicy/' type: @@ -16,10 +13,9 @@ logs: The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours." protocols: + - name: Cleartext - name: DoH - name: DoT -dnssec: true -qname_minimization: true -filtering: Based on server choice. -providers: - - name: Self +ecs: + status: false +filtering: Based on server choice. \ No newline at end of file diff --git a/_data/dns/controld.yml b/_data/dns/controld.yml index 12e2ff1c..39030aba 100644 --- a/_data/dns/controld.yml +++ b/_data/dns/controld.yml @@ -1,8 +1,5 @@ title: ControlD homepage: 'https://controld.com/' -anycast: true -locations: - - CA privacy_policy: link: 'https://controld.com/privacy' type: @@ -14,10 +11,9 @@ logs: Neither free nor premium service have logging enabled by default. Premium users can enable logging/analytics at will. color: info protocols: + - name: Cleartext - name: DoH - name: DoT -dnssec: true -qname_minimization: true -filtering: Based on server choice -providers: - - name: Self \ No newline at end of file +ecs: + status: false +filtering: Based on server choice \ No newline at end of file diff --git a/_data/dns/mullvad.yml b/_data/dns/mullvad.yml new file mode 100644 index 00000000..aa573d14 --- /dev/null +++ b/_data/dns/mullvad.yml 
@@ -0,0 +1,17 @@ +title: MullvadDNS +homepage: 'https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/' +source: 'https://github.com/mullvad/dns-adblock' +privacy_policy: + link: 'https://mullvad.net/en/help/privacy-policy/' + tooltip: >- + "Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don't use Mullvad." +type: + name: Commercial +logs: + policy: false +protocols: + - name: DoH + - name: DoT +ecs: + status: false +filtering: Based on server choice. Filter list being used can be found here. \ No newline at end of file diff --git a/_data/dns/nextdns.yml b/_data/dns/nextdns.yml index c81d5d6f..b458e508 100644 --- a/_data/dns/nextdns.yml +++ b/_data/dns/nextdns.yml @@ -1,8 +1,5 @@ title: NextDNS homepage: 'https://www.nextdns.io/' -anycast: true -locations: - - US privacy_policy: link: 'https://www.nextdns.io/privacy' type: @@ -15,11 +12,11 @@ logs: Users can choose retention times and log storage locations for any logs they choose to keep. color: info protocols: + - name: Cleartext - name: DoH - name: DoT - name: DNSCrypt -dnssec: true -qname_minimization: true +ecs: + status: true + text: Optional filtering: Based on server choice -providers: - - name: Self diff --git a/_data/dns/quad9.yml b/_data/dns/quad9.yml index c6a7ef2a..c7bd93d5 100644 --- a/_data/dns/quad9.yml +++ b/_data/dns/quad9.yml @@ -1,8 +1,5 @@ title: Quad9 homepage: 'https://quad9.net/' -anycast: 'https://www.quad9.net/locations/' -locations: - - CH privacy_policy: link: 'https://quad9.net/service/privacy' type: 
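Review bot: `logs.policy: false` in the new mullvad.yml states that the resolver keeps no logs, but nothing in the file backs that claim. The only quoted text, `privacy_policy.tooltip`, is a product description (DoH/DoT, QNAME minimization, ad blocking, the audit) and does not mention logging. The adguard.yml and cloudflare.yml entries visible in this patch carry the provider's logging statement under `logs`; I would quote the relevant sentence of the linked privacy policy here too, so the claim is traceable. Separately, inside a `>-` folded scalar the surrounding double quotes are literal characters and become part of the tooltip text. If the template places the tooltip in an HTML attribute it has to be escaped there; the attribute handling is not visible in this patch.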
@@ -10,17 +7,11 @@ type: logs: policy: false protocols: + - name: Cleartext - name: DoH - name: DoT - name: DNSCrypt -dnssec: true -qname_minimization: true +ecs: + status: true + text: Optional filtering: Based on server choice, Malware blocking by default -providers: - - name: Self - - name: Packet Clearing House - link: 'https://www.pch.net/' - - name: i3D - link: 'https://www.i3d.net/' - - name: Global Secure Layer - link: 'https://globalsecurelayer.com/' diff --git a/_data/nav/1_providers.yml b/_data/nav/1_providers.yml index 19e9cade..948d9fd3 100644 --- a/_data/nav/1_providers.yml +++ b/_data/nav/1_providers.yml @@ -8,7 +8,7 @@ items: - type: link title: DNS Servers icon: fad fa-map-signs - file: _pages/providers/dns.md + file: _evergreen/dns.md - type: link title: Email Providers icon: fad fa-envelope diff --git a/_data/software/dns-apps/1_rethinkdns.yml b/_data/software/dns-apps/1_rethinkdns.yml new file mode 100644 index 00000000..b6cbd8e6 --- /dev/null +++ b/_data/software/dns-apps/1_rethinkdns.yml @@ -0,0 +1,15 @@ +title: RethinkDNS +type: Recommendation +logo: /assets/img/android/rethinkdns.svg +logo_dark: /assets/img/android/rethinkdns-dark.svg +description: | + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNS-over-TLS](/dns/#dns-over-tls-dot), [DNSCrypt](/dns/#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. +website: 'https://rethinkdns.com' +privacy_policy: 'https://rethinkdns.com/privacy' +downloads: + - icon: fab fa-google-play + url: 'https://play.google.com/store/apps/details?id=com.celzero.bravedns' + - icon: pg-f-droid + url: 'https://f-droid.org/packages/com.celzero.bravedns' + - icon: fab fa-github + url: 'https://github.com/celzero/rethink-app' diff --git a/_data/software/dns-apps/2_dnscloak.yml b/_data/software/dns-apps/2_dnscloak.yml new file mode 100644 index 00000000..fbf9c949 --- /dev/null 
+++ b/_data/software/dns-apps/2_dnscloak.yml @@ -0,0 +1,12 @@ +title: DNSCloak +type: Recommendation +logo: /assets/img/ios/dnscloak.png +privacy_policy: 'https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view' +description: | + An open-source iOS client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5). +website: 'https://github.com/s-s/dnscloak/blob/master/README.md' +downloads: + - icon: fab fa-app-store-ios + url: 'https://apps.apple.com/app/id1452162351' + - icon: fab fa-github + url: 'https://github.com/s-s/dnscloak' diff --git a/_data/software/dns-apps/3_dnscrypt-proxy.yml b/_data/software/dns-apps/3_dnscrypt-proxy.yml new file mode 100644 index 00000000..5801ea9a --- /dev/null +++ b/_data/software/dns-apps/3_dnscrypt-proxy.yml @@ -0,0 +1,12 @@ +title: dnscrypt-proxy +type: Recommendation +logo: /assets/img/dns/dnscrypt-proxy.svg +description: | + A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + ## Note + The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic. +website: 'https://github.com/DNSCrypt/dnscrypt-proxy/wiki' +downloads: + - icon: fab fa-github + url: 'https://github.com/DNSCrypt/dnscrypt-proxy' diff --git a/_includes/table-header-dns.html b/_includes/table-header-dns.html index a3ede48f..d9da1b89 100644 --- a/_includes/table-header-dns.html +++ b/_includes/table-header-dns.html @@ -1,13 +1,9 @@ DNS Provider - Server Locations Privacy Policy Type Protocols Logging - DNSSEC - QNAME Minimization + ECS Filtering - Source Code - Hosting Provider 
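Review bot: `privacy_policy` in 2_dnscloak.yml points at a Google Drive file-view URL, which its owner can replace or withdraw without any visible history. Readers therefore cannot tell whether the document they open is the one that was reviewed for this recommendation. If upstream offers no canonical location, I would record that next to the key, e.g. `# upstream publishes its policy only as a Drive document; re-check when this entry is reviewed`. The `website` value likewise links to the README on the `master` branch rather than the repository root used under `downloads`.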
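Review bot: The link in the note of 3_dnscrypt-proxy.yml, `/dns#why-shouldnt-i-use-encrypted-dns`, omits the slash before the fragment, while the sibling entries added in this patch (1_rethinkdns.yml, 2_dnscloak.yml) link to `/dns/#…`. Depending on how the site serves the page, the slash-less form may cost a redirect or fail to resolve. This is the one link that carries the caveat that Anonymized DNS does not anonymize other network traffic, so I would change it to `/dns/#why-shouldnt-i-use-encrypted-dns`. The `## Note` line inside `description` presumably renders as a second-level heading wherever the card appears; `**Note:**` would keep the page outline intact.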
diff --git a/_includes/table-row-dns.html b/_includes/table-row-dns.html index 6a2b3fa9..92a322ee 100644 --- a/_includes/table-row-dns.html +++ b/_includes/table-row-dns.html @@ -2,11 +2,6 @@ {{ data.title }} -{%- if data.anycast -%}Anycast{% if data.anycast contains 'https://' %} (Map){%- endif -%}{%- endif -%} - - {% if data.privacy_policy.link %}{% else %}No{% endif %} No{% else %} - data-value="Yes" class="table-success">Yes{% endunless %} - -No{% else %} - data-value="Yes" class="table-success">Yes{% endunless %} + {% unless data.ecs.status %}data-value="No" class="table-success"> No + {% else %}data-value="Yes" class="table-info"> {{ data.ecs.text }} {% endunless %} {{ data.filtering | escape | default: 'Unknown?' }} - - {% if data.source %} {% endif %} - - - - + \ No newline at end of file diff --git a/_includes/table-unencrypted-dns.html b/_includes/table-unencrypted-dns.html new file mode 100644 index 00000000..e12650e2 --- /dev/null +++ b/_includes/table-unencrypted-dns.html @@ -0,0 +1,53 @@ +
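Review bot: The new ECS cell in table-row-dns.html treats a missing `ecs` key the same as `status: false`. `{% unless data.ecs.status %}` is true for nil, so a provider file without an `ecs` block is shown as "No" with `table-success`, a favourable privacy claim the data does not make. I would render an explicit unknown state when `data.ecs` is nil. `{{ data.ecs.text }}` is also emitted without `escape`, unlike `data.filtering` in the same row, and it yields a blank cell when `status` is true but `text` is absent; `{{ data.ecs.text | escape | default: 'Yes' }}` covers both. The surrounding cell markup was lost in this rendering of the patch, so the exact tags need to be checked against the file.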
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
No.TimeSourceDestinationProtocolLengthInfo
10.000000192.0.2.11.1.1.1DNS104Standard query 0x58ba A privacyguides.org OPT
20.2933951.1.1.1192.0.2.1DNS108Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT
31.682109192.0.2.18.8.8.8DNS104Standard query 0xf1a9 A privacyguides.org OPT
42.1546988.8.8.8192.0.2.1DNS108Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT
+
diff --git a/_sass/terminal.scss b/_sass/terminal.scss new file mode 100644 index 00000000..d49d502e --- /dev/null +++ b/_sass/terminal.scss @@ -0,0 +1,20 @@ +* { margin: 0; padding: 0; } + +.terminal { + font-size: 15px; + color: white; + background-color: black; + font-family: monospace; + overflow: scroll; + padding: 10px; + border-radius: 10px; + -ms-overflow-style: none; /* Internet Explorer 10+, make scrollbars invisible */ + scrollbar-width: none; /* Firefox, make scrollbars invisible */ + margin: 25px; +} + +.terminal::-webkit-scrollbar { /* WebKit, make scrollbars invisible */ + width: 0; + height: 0; + box-shadow: 0px 0px 10px rgba(0,0,0,.4) +} diff --git a/assets/css/app.scss b/assets/css/app.scss index 99274874..b853e3d8 100644 --- a/assets/css/app.scss +++ b/assets/css/app.scss @@ -8,6 +8,13 @@ @import "./node_modules/bootstrap/scss/mixins"; @import "./node_modules/bootstrap/scss/utilities"; +.flowchart{ + width: 40vmax; + float: center; + padding: 10px; + background-color: var(--bs-body-bg); +} + $dm-grays: ( "dm-white": $white, "dm-100": $gray-100, @@ -76,6 +83,7 @@ h1, h2, h3:not(.h5), h4 { @import "./node_modules/bootstrap/scss/bootstrap"; @import "pg-font"; @import "flag-icon"; +@import "terminal"; .textColor { fill: $dark; diff --git a/assets/css/dark.scss b/assets/css/dark.scss index 3107a29f..5b15e27b 100644 --- a/assets/css/dark.scss +++ b/assets/css/dark.scss @@ -20,6 +20,13 @@ $hr-border-color: $body-color; @import "./node_modules/bootstrap/scss/variables"; @import "variables"; +.flowchart{ + width: 40vmax; + float: center; + padding: 10px; + background-color: var(--bs-body-bg); +} + $dm-grays: ( "dm-white": $black, "dm-100": $gray-900, diff --git a/assets/img/legacy_svg/3rd-party/android.svg b/assets/img/android/android.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/android.svg rename to assets/img/android/android.svg 
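Review bot: The first rule of the new terminal.scss partial, `* { margin: 0; padding: 0; }`, is a universal reset. Because app.scss now imports `terminal` after Bootstrap, it applies to every element on the site rather than to the terminal block. I would drop it or scope it as `.terminal * { margin: 0; padding: 0; }`. The `box-shadow` declaration sits inside `.terminal::-webkit-scrollbar`, which is sized to 0, so it presumably belongs in `.terminal` itself. Hiding the scrollbars while keeping `overflow: scroll` also leaves no visual cue that the captured output continues off-screen.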
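Review bot: `float: center` in the `.flowchart` rule added to app.scss is not a valid `float` value, so browsers discard the declaration and the image is not centred. `display: block; margin: 0 auto;` would do what seems intended. The identical rule is added again in the dark.scss hunk of this patch; defining it once in a shared partial would keep the two copies from drifting.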
diff --git a/assets/img/android/orbot.svg b/assets/img/android/orbot.svg index 80844e7e..7a028b9d 100644 --- a/assets/img/android/orbot.svg +++ b/assets/img/android/orbot.svg @@ -1,2 +1,2 @@ - + diff --git a/assets/img/android/rethinkdns-dark.svg b/assets/img/android/rethinkdns-dark.svg new file mode 100644 index 00000000..31b46f28 --- /dev/null +++ b/assets/img/android/rethinkdns-dark.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/android/rethinkdns.svg b/assets/img/android/rethinkdns.svg new file mode 100644 index 00000000..8aad5e34 --- /dev/null +++ b/assets/img/android/rethinkdns.svg @@ -0,0 +1,2 @@ + + diff --git a/assets/img/dns/dns-dark.svg b/assets/img/dns/dns-dark.svg new file mode 100644 index 00000000..f37909ca --- /dev/null +++ b/assets/img/dns/dns-dark.svg @@ -0,0 +1,166 @@ + + + + + + +DNS + + +Start + +Start + + + +anonymous + +Trying to be + anonymous? + + + +Start->anonymous + + + + + +nothing + +Do nothing + + + +censorship + +Avoiding + censorship? + + + +anonymous->censorship + + +No + + + +tor + +Use Tor + + + +anonymous->tor + + +Yes + + + +privacy + +Want privacy + from ISP? + + + +censorship->privacy + + +No + + + +vpnOrTor + +Use VPN + or Tor + + + +censorship->vpnOrTor + + +Yes + + + +obnoxious + +ISP makes + obnoxious + redirects? + + + +privacy->obnoxious + + +No + + + +privacy->vpnOrTor + + +Yes + + + +ispDNS + +Does ISP + support + encrypted + DNS? + + + +obnoxious->ispDNS + + +No + + + +encryptedDNS + +Use encrypted + DNS with 3rd + party + + + +obnoxious->encryptedDNS + + +Yes + + + +ispDNS->nothing + + +No + + + +useISP + +Use encrypted + DNS with ISP + + + +ispDNS->useISP + + +Yes + + + diff --git a/assets/img/dns/dns.svg b/assets/img/dns/dns.svg new file mode 100644 index 00000000..72599e08 --- /dev/null +++ b/assets/img/dns/dns.svg 
@@ -0,0 +1,166 @@ + + + + + + +DNS + + +Start + +Start + + + +anonymous + +Trying to be + anonymous? + + + +Start->anonymous + + + + + +nothing + +Do nothing + + + +censorship + +Avoiding + censorship? + + + +anonymous->censorship + + +No + + + +tor + +Use Tor + + + +anonymous->tor + + +Yes + + + +privacy + +Want privacy + from ISP? + + + +censorship->privacy + + +No + + + +vpnOrTor + +Use VPN + or Tor + + + +censorship->vpnOrTor + + +Yes + + + +obnoxious + +ISP makes + obnoxious + redirects? + + + +privacy->obnoxious + + +No + + + +privacy->vpnOrTor + + +Yes + + + +ispDNS + +Does ISP + support + encrypted + DNS? + + + +obnoxious->ispDNS + + +No + + + +encryptedDNS + +Use encrypted + DNS with 3rd + party + + + +obnoxious->encryptedDNS + + +Yes + + + +ispDNS->nothing + + +No + + + +useISP + +Use encrypted + DNS with ISP + + + +ispDNS->useISP + + +Yes + + + diff --git a/assets/img/legacy_svg/3rd-party/dnscrypt-proxy.svg b/assets/img/dns/dnscrypt-proxy.svg similarity index 100% rename from assets/img/legacy_svg/3rd-party/dnscrypt-proxy.svg rename to assets/img/dns/dnscrypt-proxy.svg diff --git a/assets/img/legacy_png/3rd-party/dnscloak.png b/assets/img/ios/dnscloak.png similarity index 100% rename from assets/img/legacy_png/3rd-party/dnscloak.png rename to assets/img/ios/dnscloak.png 
diff --git a/assets/img/legacy_png/3rd-party/nebulo.png b/assets/img/legacy_png/3rd-party/nebulo.png deleted file mode 100644 index 69f084c34d81996fde407fdad79e5acd0b616364..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 88381 zcmV)4K+3;~P) zaB^>EX>4U6ba`-PAZ2)IW&i+q+O3*daw|EKMgOsiUIOM}IT+1q2fh407ePvt@>OM) zSwCh;8J!Y06Ka+a8Fz;r#aj;6^K9+eE{!hFw_tkh++wFAGE<5euHC=Pw1$$g{%ed~2 z+ivlDy2%)$-@fqM`{~2IRzva4&tQWKQ7?CV2`#KpgAdd15JEJ;e~rc6e%tMDx=PQ> zajSPU=6K{kzRcg<@K0XnOv@TM$L!r}tr(a0ii6WK2L0qV0^-gqZs{)Y`}OtDd;~TS z!E~3oGQn=g)5J*bJGa73fWUo;-%ozIvJ^Fcvn0}YVlXZc0-Ie(E<0PiFV4l_D*@_^ z+=u7~5pXH_#UOnQArqTQ9?>_?6nF3S$v@XA72=aZ4u#mX&N~xulUPFyF)m%%hwbkBy3zTGPxs_I1YrWHFkEW;2 z)15ndAAW=pM;dvQQAZnnl0GxeH1jO8&Nlny4&uD zTsz^!lTJS6)YDG?irOoxe|h~EQFE`T`5P(SSH7ag)l$^ZZNdp>l43^0d~`&-C;}w3 zSIlg6F?vN#F|*B670ENmq}VKHyK$Ki#_fDM?kjfRk^9GSGpzOB#m)bd$Qgz1{~>bT z?C>jYe~8)=63!d3rwX;EHc)-Xr2~}Jvdtzkp=`hQnwjRov(#EGv)6G}Jl*b-_H;d- znn!GlGKh&0M=Hl3pGyOxn=_TvnQ09kP~-;-xLsU6m6+*_2MAM3vot1cU7dr)r}=5m z^dskyDs#@xgjRy>JehMPFeye04zhj(4Rk5r@9kXVM`Uar)@VJ>#n?1g-DA41tbi_l z-%p?1+>}30qm~iApLjjsa|2+>UwY$BGmVf%KH-lV>4FTXHGGc){7WqB$qI6vYoTY^a#@d{z&%_U}|=|L;}?3y$~e`bGEPxFYH=v_0zTq+Zx{CLv0kB>vN z_3NE&nsjbZi{(D2hMvnU4n1!4yyM-pp1Wu%FREDWv0&WDq$Z5HHWkljl<`r^_H^^iog?%qF z8Q=2FCyg&XA3t-MQ0jYHS^-n{94+e}ah3aL0| zJ9{?}iV_(&>3+;%Jq4gyATDn5Xt?S+DCqj&x%9+>H>{B#fG4cGPf3GTeP5Y$<R@OD*j7|X14QXMpR|rm8{7vcL6mMRbivc8E6`nV5qnvz z>|z?F(rltW=dPu!?tlu$R0P`uxHZ6M0jAmBDzGfdIOy?VKM7dM8YMW0KZRHA|8vJDD1FndT85!U>(0;1%_mOX@uh z*spFFA5?_Z8p=Y86sf4(L>gr=ftb-CCAb#3}4ifefC%tE)lPCE!N!NaniV5dTQaD1HW;%6HbBncw zNE>Qo?JZGBC%A)Zm3w25bG|?Tv*%4p*|N6nGoGDU?J&R*K4AGroHNJc;Qm3_=(W2v zHtD_1;*R51pCGq9dpv1Qf%joabQTZNh652_?)`60yp3^u*#)FKFfj zPv(S_qM(InD7G;=)rzb`wFMIAPP$(18mUuiNSm}fUI0*HZRnVk=z(k^wj+zZNmV1p z%$LX>ad5%|YpgY-rp7|e)+JL}S*7{7=w2^E zlBNIy2ub>qJH&?CW0?WHyvePr$jF?UGN{MUu#>i+q9{~|nuY$oC@HC)EnS5bAyr?CQ@*wau9OpBI3p%5Yx5^imkn_g+@J(w6#?38o2mQ5fjurjR%IH z;Vjlc>NB`LkpGsx@enXAlClTlI4(B;F{}>4I};cW3$l_JE?8uejKrBGYl7A2Cw0#s 
zK#X$2ldP#D^V`9YluR`+%&_cHY@60)XL>`8Bo8;zmERjA1*KSqmZUUNnObu~=X%Hl zw@0cKKn8A?3W$<@gbXskME66EzO?+KvLpf@ohWnWZiRhlM~gqZ%3ONY*hi{pyN3W4 z>MI@)7X-v9At}%p1hGctA^F`QkbqF3fD*a7*M_{$#;${mvmizAYB;M(rBs-Tlu1-m z6$9b;ML zpr7=*jqHK)OI9<8K~{w%=!0@VFlmA5-r|=LYpWInpJWZNe~m*18{m#LJxp@59a@8H zJso)gP8_qmMS@Oz(5D?00ID!%<#b-;4<0N z9mYE1%2{jz(*f#%nPZZW4rn$;2#Zj9zp3$qh}aGsWo#AQQhY-4QjasH(6uWNx+%G1 z;>mKnwG;Rk8{vM>bg=8VcZ?<%VRl-HEmsP<_X0bUaDdD~NVHOuLB&F|li{~(I9acO zDTSj^ErMI%19J}{)SZ%0WuS23PQd>VEl3>BKp#Oj%y94& zl7zk76^xg+$)jq3Le#THAzBXgTvtL3P6t{?WhW2ijRu_P;EbsN`__UlM26E)Z%D>I z;8ySrG)KJ%$krg3NC|KPXa`n%LdPjygPD*bFbs=~riG2c14CTWfHr%FK?;hHl2TI# zg#l=7be<<#fw#q^;hGoxzhv0UVQTb3oXxgPP882LSH5WsRm_6qKY&;Lx z;pOG3ye{}`@U9FXWUQA5wmi9%Lj|-EJttk)StYx)Ck?JqfI1HtQe8-UOvI+O)uzE% z$)})N>2oojN(s_6R7NUj`=p72Ga@!oM!+B3(tvR*jWD}dK&DbryTUpHJNa(w!BX0G zOh^`xG3`iZ+#SV1doZGQP%WSsrsU64efWNm7;F=J^$!1QL;Y@MWbM$9!ar#m?)gRL z5O$*biT3}DE#m1s}sT`bPBMqk#6wWq?-<7+H$mw@Nbc(}xA+ zrMq&HmgE!#>M;TaGwf?aQv{t;kRpJvrRF5Q)D-kbzLLb~LNovt0ab~1=!hGb2f)bq zk+dSm-hUCL=~m7&|zWDkctVbecc~P@XI@+!VD3GSSdW zh+mh?F`CrLgB|TbSZxc%W2^`HSet|;q;(Vrp9Op~Fo#m{4WO{vnw>Yz#LzOv2+b>- z(K?fKsmC<%Yck$(Ylii~sj|BDT2!C~a3C#;YOm^CaQ1vQSV(Ojs7|CIn>4lO4=60a zgDPGfILQzc`GFh6bmOFf-GyF2$%AeXD8xS6>`x&+z7(o7C;S zu>?zyMWA<-bGVz@R3MUJ8wyvryKz%_2Gmuslni2@a*(07aK|F;P_X0}&Tj{Fr1P0M zk{KX?E!sRWxnJc)<`Jpr?~xvh7UZZcA_~j5XQOzD7IM9naZ`xpf5C}>0Db^!H$!XW zx!n{Lt)Q>~dJBMi1qe}#RzdKQJ|XM$g7jiCplX$xoE>#Ao3RbQBCETRRsL?yX=_4f zO!zxOThWVnMh3jW9t=HlzBif~2u07bFOp}1kQ83n&T2Q5I*W*GWG^-ma&i)w$akb5)c^$^=wEwAlnR7`-ln!2SCI_TNNNSLf_==pt7quiZL5$8 z27;yV2QO0TlNyaI`x&0ufGK{j&qmaS`I| zlMTu^H&iJAfp9DsA>>pH5IJS9%_5da$fj>f!21Y9Or%WM9Qu+1(biw+?0{$_-vJM* zy;P-jWZVbgchI6)TLtJBDpyJXm;NmzK6ch# z5ccDmH5SeJK7fhAX*1w;!ZNdKT6LXTQAkwp;8MXBAQkN#(nXkU(1R2>NIy(8HOOLg z8J<3)1(M@X)gfXq}Q*pbyJ zl?7}^ZAUB~mUI~K?Ww{Nhi$>Y^5HfT-#5iN1gewKf(Z2drcSO@ND_p47wwVQlW*6S z+xvspWpl4L^nlYo+hVN$Z4=LBbar;yuYEN!UQLiMe{SM_K$(7Dep)azp@S`k^VP(k zM={**CK_vIce%R=*sPC6o_p2E{?$nM*@*7$NVJ5rK@&pW-VB*Sy!c$)uq?u6;7)G3 
z`CeZgq~9H!?{>;)h$Zbrw7axA?HU&lBw1FGyjB@yaXM-wR%Bry7cpttdK4*qjOpOl z5E1AYoublD(DptQucLKlM4gTmCdwlq=*Qhqf+mmlqb8co2?i397lLHLFoV>w&X90I z+J3(OVaG)L&^nC5t z#h-symE+wM*Iu3INSoo=KF7T}^7%HZqgm}0W&q{3t4GX_XLL$U-M@~`KM$^+)Ac*I zj}ugu0Q+$c#AIIQVfxld)hRui%4(kXG>q2Lb1-~QaqoubJ?ehW%G`6(eV;J*%Mgzs zbM40=+C7oIhvQ#|{q^&3`TO)=7tCKq{_msYA&mPa2U6VQIs5zD7aE|s{f_sj)&28@ z2x+lbm!C8Ep69Q#K=bi{o$s^wpGW`hPrvUXe;j5TZ6~)Zf8{}xkTsSLz)K$lyubHY zzX{aUrh_K|^0v5|0=Pk_6`(F1-)u;rf`F_J&)qNu(z>8h#+b`5H+bJik%o50PCcvW zyd`6tbwXluTg&Myc*tXb1C_q#J@cD7J)!V(7ox*AqI@tQx}f!ggIChA2@3dXlMU1i zi7|7+BDwbIOsW0HTYucyQON%Dy3q&mbp=}dy!UsjgE@O_hPJJ6kxg5|_T8%Se{CfG zWdsqPPBHwNaQtl4&}y;)XXf#zXob%P!d~HHJiR(>E*9pl$5TBC#Y4SYHYt2+(Ks0Mu*C@!S0L>m|MJ*vw5RCc&TxM$*b zZ5K%D2pz#T=0b5%*W9#wDn_NZv`?JyIbPpmB%?82HDpx&Ig8vj{|6hcs6Q__id+By z0gq`zLr_UWLm+T+Z)Rz1WdHzpoPCkIOT$nU#=oX5Em9HDK}v@V)j=$Xf;hNX#UfM) zwSrX#^XNlJ(vYOMI0~)>2hqjXpnrhq>fkB}f+C1G_!szEq{MTRK#R0qxSU_Uobz$- zcLDBPl{G6g3TV1*<}zu1xv;`V-VjDFLI@%*%9b%L2w8Mo-wz0|dY@umo%`CZZl!3+ zK!7KnlMT}*t`JXb+6Lnz;(oazD#RDWBPJb?_?79B$DfSLE^|@FWEzF?d#o_tW~`|-**_<{VXUYxEm9q(oj?XEHlV?Pg(7%JsL{6y8!4(f zDHd|nm8NXl`@~%zf#xLFOQxAwRLN6x9l+k=Z^l+>e9Uu-k#qRPaXtot$S%;RJI>Fs z<1|iy;4^ToH|MLAOJQg7Q+v6wr3yY|9jGr7_4gdfE24YJ` zL;wH)0002_L%V+f000SaNLh0L04^f{04^f|c%?sf00007bV*G`2jm421OztCo3#G` z03ZNKL_t(|+U&hstRz`>9k%v~$jqDfQTNuZcXd^F^<%oHIWruNDN!IL$a=#TZ5fbE z6ZVe*!|;#bFG8?nk@NuOj|hl**a9?yYzeZV4-$qy^x+>FkZlN(Xj7)>d1*8+PIpgt zS6A2TzHes6_D4oUo;b13Ir~IJ-nz}{Y&5Fs-pt5|bN1PfwfA0|u;$m#{razGpZnn1 zox+%bHqbVh=^~+uZM5Zku~A z-Og-vjo7nA!rziAp zFNpthfc|~$0u6DnUBlvDxBFK#uVEV{`Tc#=NbN zI9(a0XbM{Xy!sv%gq&AzTbul86`boRvG)vriYuqh5- zSb|TOu=p3=5lF$X_zr(8 z7!lWd0K<~HUu!Weo}1Mg7OYVgxyu@>*Rmh{B^efNlsLFyS;Kn!Y(yu+($NWC>6IQ) z95t=mTAiErhaVC1fAaT#^_Tx~Ujx(2u>8{B{M%n7HvbEN*IkXx11-c*2izCVFO?n# z4o^UVQ^!N!;gKaJzyfO0(7nsq?M5FE^@P@A~=!MDLQg=?qJF15|KkPnl#7yjP4I@vr>yzq(Mv^5wtx_cn@y`LBTa7aAMk99(h_R{21NOew^?w912_dK@$?48RzG zi`CDKp@5*r6Q`1{4kqk5^_cp-OXf)Qm4MgAZmUu@8pE=LB#M@@kc^ETxm<){Sw@1Z 
z_oxoAE!P4JHfcM8wQD}2E9R^?#9~&k`L)t|_$#csVFjO#f@lJ(vy$AsJz8XoJgavoBmm9lr`IVGnROYGY@79QZCco3Os9`KZ; z{gBbKt7eEis$X_Q=LMht`2X~)zw(Wg?>8yO>6d@)Z~q6zjJ^)5L|FTfT)IN_0m1MP z*h(4V6Z;}u#+&C$xmN3dQI%iZ-_Y8t+7b5YB1bP`%~%s*4sc(-XgbNwrpt47XibW& zLTKtLMA!Rn-g!>Qzy9<8!KNjw^=pm0M z3?;BSc$1)tmjL=5#TXY-h0)Zg2#yiZJjmS3!Ltuz=rEDh zY&e)v7L-8KKq_4oTR^2XDlcRV>DJnTzQ}ltPTEP;_4l5Rj#8ixG1b_O!JvcW>72^|IXXL|7Yf3`^|s)f5nzK ziyD=`{*^yp8x>}dG0Q)t(BAraN<`5O0vQ@3j*FvYsH#J1|JiJO3%d$#qCfR{h&=xY zDO-d;GK|ju9)%jjk>@Gn#-w_)fv=G|wx+gB zrmTZ=%LPbUZ+WpV zV@ICD=Qb}-{*8#@cN5vm76Q`&g0rs_2uKHk{A`1wiQ+}+lAxJV*)^lXdR6|^TVMKp z-}uIF{fn>pgq3{%{>8ucw?11Y>VqOxcaTRyH2XnoPN1G1u!e?04+^DS%caF=EeiWx zXQ?YcR#IGD$SzK(@5>g90jgfsO>N>^gJhlMsm|gQZ#Ustb+jHnut;BSY@c!F`1*+k zqlCih`(!!dVWe}B$sV(OZY1c+Ek(bW?s7zFToBL*`YNz$F{tiqsAN1wX=Ce5d!2mc z`VwVQ6B$_k+=NPuJ!`TuR81wu%vj83I6XZ%3gymN0*NXc=>=G$1mPv0D#a&=>6wOv>o(qzj6eRb@%?{=T7%~;Avp(;1- zlZOs9or;D<*+AWhRtQ+k7nsk^ae92bc>45*d;jD&e&fh}a3dL*TUYP?w=tul_1b=~ zzr2U_MO6*cCjqqh#GorL^btai46kvKKFQ_!>x9|XefLpdgFi(|+vC7wmsL4))Ekd4_UlZF#o2W|O=?zLF z0--P#9;DM3JlJRy7N`v23l!*Jce;k4Ph%t#A*>i_r4H_)s7J|)y^d+{&^|{EiYoO& ziRUNXTapT0Qkb&SWGdmN0{ccChq+$wsuVvQ8R@MrlNedDwlF$`C?K0 zo~PTh{s*?;*YZQ0G0xtXsq@ zlgREVpo`?NvZ+&8Xx1z&U1ncvrQLx=0^Z6p%TsUUdq5@omE+^5W|XS4s)6u~#P zm{*X7x|}i50Hzvm-`Wlxno|e7&Uf&LmSvE!65j@u`oOHQ#+V>~*vi=mbUCL)VDK0a zmgUe+^!wI6(o*B`Uu6fdslUR-60x3?n1Qk#3b7JNQBFyMQ^3i_(=kmX>!mIyDb_a? 
z>2_|4iW{N08>ZUz)fka1&oLg4@Bhi4-}>}jRxoau1JO`esa6))(BoHH-Bo7wt*626BH^KSo0|y4r0GjmV zL4i}j56#9^F=?-WR5e4rY&dyHJ)DwL39YT~eG*eO+0BwZ1>va*<4A<;f0p#o-9zP_ z*;8`QYjPLaDwj1TL!Rfz$CJH3`seQc@k;z_!;mb4lZQn_=oh#sw5gFqBNuI9#a<{3-M_| zIN9|&DvY>SW0c=z%iTIFU_)@1&%kNcL?SwEmQ zI$zrQ>yD!wl=6`r*@u@Y0=3iA-xDH9ncR|Ht)K>s}JWb5{IpfuzQZ-o!F$wYvId9~G6$g`R zVnYqpcu@Gs;TVg0Kti&Rbh42WL3A-l8tB!%PAgK8J`Y{VmCbnT%4{t$WJSCbmszO^ z*WV?tRiG3^654%tq}I=|v#<54TL#5bO-2HA8J_z>QO7Uk{4^?P6UGU+(Nv0)RSXn; z5t#-YmSs7vY;FE~H58VQ$Nw1zqLp;K5$e7H3ECJ2f8>@jt$!Y1lGS^= z!z4q(oTdeQrMFblO{`!G>ZR1VXqQbUdD~J+&HxdNRL(gRWRb#)=PN1pZ6ot4;PR#JuO)9}sOTB$prb?jgoRcUyT6cVStXW_#y@lS?oW=)pZ-IC{H|t` z)`JBOIiDphkg-{cFAFAL1y;1y?_iaed0Aiddz5d4S@*NXI?xd7xqdmj%-8H*(!-s; z>muv8sf*Bcd0N6UTFFN+S%%wh-*_Y6zH;?#sq3_8SR;Kn+bE5U;FK#^rcfQcFvp_Q z9>rd0X$9p}3q#w<3zDw_~(W;y% zhkcya+OSh--BwOOsN+7qMDhx2SeS<{4_{G5DJ->X?VLxEmd@Vq@Of&kiKu7LG^p;p zls+_9E$6WV_Z>Wq#|d`OiEvUox4=zNo?1hQ*>%hJo6$vPxWX&+AF@ z$juA;w72&Vt0)%M0P(O=8K+d8MBN@vc&}HmnhG#w-P~j%4@QjELGHP4L9mXf)aR(E z<^<4Ck|j80%CW?Kp|2rEZ;&(Bo+9T^PcxHX6bCXY=wMV*VX#L2km3_|vn)rJ=WpkR z=q>5yrIDBYHkIpyBoR4K6-PH~`4)08tcb=+2moBKuGLg#8MOwq!_D_F7{m_4G0UCL zRU;_}ym~6b)f%Ep@nk%LJ(RQHs{jiQ?-HC}<}Pdm+zi)?qK?{JS=G+CXn2woS8kku zafO<{iTu*o@d zN|8%k-=!cf95h_+@H6#(cQLpT$i5NSS=ZH6`I0fnMmdZbJ;-6`o<;$6S47mZebr>L zxT1`O?4;h{n1N~4`b)~OI=|G8Y#OWs0W7s~s1>bmwazHwIKMBnUx)XY>Ro#wujc$$ za8a}{+y+Kp$&Yo3qFhw+8N5VFkyzis5FwE?3AD;*7KOqjyC1B<-m&EV^D11Mzl0anqi~NGRu^0 z41KgMu~KB8f)e#l{qyix-`4pKJRC=&6e(J2-dm9_`#sK5=o~lhSE~^{Ni`NmZAfY^ z+^}f?L*N2i2F|3&ii3)J*5QU1ZT%&8v8u8Ds5lMso*(rWGY_^-UZKaD%9K0KscH7e zpkY*)^)lMzAiJpj@-Kzou2ZKy^ujPL3}n489noz#-QnXs>~~+Z#%FHlq2f?-{j^yw zL0vq6oVrno6lv5UKlvTYX6287j8>kFQ?~3HW|!1ZV+`v4GYP|HJ*9bd%|d99V~)6# z8t=EfwW8taIUh+GC7A*Zsp=-tdm3acw-Ksx{U3ok?!=^a;dKdObOna zLKCX4bWw*sjgf6boS>5;Wp3IELi_K_{D-fLnpJD1sPZeVQB0_F z?O+3gvnkw)FYb3u*N{e=(vv^1F>Gv*@|Y{jS-w>ktMcH6?0p zKvj*GiZ*~%k(W=lP)?lrEgskeFHFmg)gqJhJ*#wb-BLxxJ|qdT222ix zUkTh8jlQ1&6rp6GQrQK1`|cicQ@i4-5jb|?65+5cYq{uRzmu=S-UX2MV30vpp4v&$ 
zSNM3Lp5Pjg{Y=A+q3F6M>x#ZVs~lP{gDSkV1Dvq=$(~VYQlCUaV^!6)`gfeu+)lvu>vQlKk*-h* zCp3(y%qBIfsO;sHrZ_atQE1{L`J=@Kg$of1E>=|g%yplFra!0^TG~G~?KZNa7^Xj} z9jVAa$Rfdkxxp(Y15y)z6ZB(fi-0CcMC7>n=jkZMekJhvXf_-P%g@t^*LDuiw ziZD^f1)8Ky*OIr3#jjs5-b$DE*470Hd3!-942LC+UgqKM_cBSLO2JS(icZbDxJJg_ z6UKmqqfD1?Un25FiATE|Ty=TW)Q~zlh1S20Ske}8X~Qa7_jZ+t5TP_Ev^AUHn|2Xy z9tj<0n*c885%|8MW0{=F`*1ypinW$gcI0A=67z}y!0iF5Jmk=t@c@LFp=hd0g8 zo=G&W1QJJtr_Z!+Q^6QRjaGrm(dIF++e*pLOJ^xSoYp{9l+<9Ns_mYotiJRZgY2D9^)Wbd z><&f)5ByB+tVQ(!7ZWszvV<~B%OLxXo z9q!ci{6yJ&$?_mso^!8>T)4cJ(UyRAEPiiJT10!0S;uwJc$^%c6VTfmyC~xjdR`tx z5Gj2vV~wSD9;IsmNt#Lbc4(zX>4S$E6H8mxU=ob(y;JX;qT?+Wv_ z1?=Xo)9U| zN%YHG5sP4zq@)9oz(rKcknJDo2~ejThp&mxip`~t?9ixRRtWjfMpc?e(SpLtob8AtNh#$OBY91tS!)sbu1+T}!Fc0@+z}ZydXd_smPt8v(=7xM0QBUBm{T zC2oFH*C>m08N4zqZr6M}Of=%p+Y4($VZIXMVJH#^)Zht|IFo!ZLt|#R=eB$>klZyM zf=pIlTqQf}F~^-6R9)judeTtm5XNAtYAr>h?U`PPKz>1Dy|&>D?QEGo#>Iuyq-(k9 z4IA#WxwPU#oqWzldrhnUpcbtx>mnSEOn20XTiXeco`pIMQ}c1=p*|8Ec~-3E-v|&- z3|iv|d`FG^m`^#x_|wvcmBrSxH4W9if63rff3N!p!&MuVfl`e!C%q?_YlXpwwKgeT zWGd|;{P3>aUtYpA_JEbnH8qN(F&4vnc*)l*riqa$_ntmUgG*Bxfzv__#_RA1Za4?@}%cVZq&MHJ=h-lGER;ej6Ovp=yWGQYO zX^=gRu9q)*S2|CkKgaB#B;nzC>NK-5u|uG6RalA_k{*3gCqeWbPKtPQ!LN7ZX&pHO zQvOWUzmW`Y1Rzc7fvtKC=z7-cqA}yHk1=?AOr#5cojI=9n!V8R1VatVqI5~%i%!hZyNbLpBxG{m1^2$s&^ip2SMd&9(nNm|JZT;E6pgiKRv8uP zHf0%Ym-00c2o8GUcDZ(+y>Rb_lxIKIpTU}QAX1tnuztALt0IPhLvK|BhEV<<)?X_q zta0xNj;PnLxEmdsF_7};wjp6|ZWc3pJ%J$amz_u9W`h`~Mkf)?mO>5U{eq6Hxh}J) zJsA@40Dc>7GA=G);t2qcjUk}x=aGe?zwYgHGIwbGbqU>5y2Q!mnnx(5AL|e zjc$8Khq5n+=;2hfd$W4aW6^i=a*`@h&6pklw)jzgF@L&h>k@pTPuv4tIyvH=d!YHa zY*f0J+A`KKI^ZINNpQ@$$5dY9K8OU#xeem0zq?(=Qe~Ol-`VcNWyCl?aN&yn)* zB~pHgFt}Y2D~@Hh&#+TYp9&eqKAVa@OF1m^I84o9i~^}>sEEYT+eRB5G zZ&y?^RwbGo@NktSnkitSGIZ0I7IQqR3RPi5Il0oJ3yp_yw`i9D03ZNKL_t*3A@*wW zLs`bxknyf@h)`0xx0uJ}9$!zxWQY%oE$w_Zcz;`Nldc{BAIl>gQI zW}wc{TRTZjtq3J%Ap6K%%JO`LrFf1YEF7L<1fXRFbvM9{xmCWHT3Q>o%T&gu58e<+_mh=!t z)N3B-)iT-_E7>n>FVOW!CG>Y(td6)mdCM1>=F5E{o^O4cLw+b2iG=))1a7p3!t?#T zRoFtQ!W}LlC9-B~a~chPUD8-^Xc(ZVpXc 
ztAQ1mxvm!Tz1LU6SA@%;)W$bf(I`QV^-wOM^p)X{UJWguHEFOD+6}kuX|QdtSxey_ z^0Z^a)i{LjC6Fnm-j^#O%jiabrfdXejlHbY$JuzMWWC=q;>}}{BtJA^AD=#zE%|Y2ve489VGU}efIxEL8VMkCf`zB zzP=RZ1LRe-UKDk>WmZCB8W^s1KZ%iw)UVZfy*-DsGW535C(oGRB}CS3H(Uiu6oGgUP89Eu7l)XSsy*i&d$H0Qxxi$484DRLWv)!9<49Dt$SwewN^GspP=ZM_Nr zCWV}?-7J-=9wNeT2q2cF1Fgwo77LlS`4- zrI*K&U}S>R3;RYY)**=!B`SZ&tyn2C&{x!Q|)8C{QD+Flt#vrZlBsDzq9qM+kMS^G430IFi9S<`h(H0oF5s<~+ z9c=?%C`xJkT*(7fyC$O=rW}&0Z>2>u?m4_tzep9#`=a6Knkwf2)d~o#HfY-O zJjA>et$f%e-<@3=DIefIanc#;NZ~TD^JkxZmB#JRP{#swOE6EQ9NkdZIhOS=*cvZR zX;I0LIP1FBDJg;12`1$Wdm!#|RJs4*yf6WN0V2eofMlJwYdlb$#J$$UACs+JKGuXN ztW!U6#IOx<4|)9SX|Qvc3NJMx4VPHY844tNic;w&qdhsYdl1t0kP~!esHt#Wy&xgj zD}`__xCRx@n<(gg26$`HN*6Cs zgQeRQJ1Ogtx^`4HxvJJO64m{ktD?_rp1wjyeD>6)4pEIfdm z+WFPMF;((BbulXKZ1ivlL6;Kw&U!##2aXX~l2hr}1&X7<2xexsA{MeYF07G#M3tgp zu$YLeSHY~VL@FZP-oE5?s#h7T_=p@Tms>NWNd5C}Xn<&pyd~J$>$m2PCo}_wz|%g& zd8yv8s?x>xyTIsMtsL2vTPh1nh*rV1c(+8 z7|i5WH4)?let0?b&p-%wuMc668p(4<-H|OPR^?Tr6ux6=K1cWqyIv#r3*RbWiqX9^ zo{eSNiiU-&uw!W>r74tPd9aLAqN6G+Zbj3pdoZLJ8m0^{*>hMV_R^u?qtM{5LZE5U zvO23h!Ne#fW(ZR5MXGA?4KK6o=)?d06a(8UFzL3BaVR(tJiUBroyk8>6)2`IF5 zJ2s|O_?`DkKJ8n~HP+o7znc<{hZ35>c?fouRE$m7?)#uiK=b_v2AO|wr%a$wr%d%wr$(CZO@Kv>-G2Iy@>vCBRZn{ z#yM4WvNH45{TV()sCMA*JgH>~d{VrR!;P>sv|_0%B-_CpKHBvkD7qhH%3_}`Q9d?t zW2w6K?3|x}UXe&cAJ5>0_j`n!Qsd2|<`a;Coz6mN7fC>dpMXRmVp}Pzb5P*Lu^yv_ z!PX-Z7p)_N2U4<64^U~s8;HN+uA>IG3epb+y&%st3aD^qu~bfqHie@{zK6}bjy;2~ zI5^!xBS4Gbcw0IPt#hJU{)i^}x#b!T#I|C<2esRphGD&lP8@V3VWD}Zj7}wF&h-wy zZV+<{OHpDeen1}+ENM^`o_pX+9~TC(VIlHH{!5Us)5Uh9wnBh9LQl#Cb}9vj13aVJ zoGH`-K`s2qQMa*gDtr0LWkO)CO>(BR zfHv%?QOVGN7>QsYNKSi{xDLp4qA)d~+ejHFXudjgLWbb~su4~c=&B6Kwih_JJe6W=UE4mtc zaI5xZ?dR{3%UHYP3B=k8H>2guh7i+z7*A0znxXnLzOyj;03zrX1nr^5gwFJh1cCm! 
z%Ioz-K4M2YXuFwBgTmURq;uh;W5_iF_L6%ag|3)?Ik-@bt6B&aM?ToSm2+h9eR?#D zS`5D&F_n}cl;0=*c1v;|8AQ~hNnfa?RwW=_L78loV=@`BuH?zfD?Z{u?LDj4jj+=v z!ca?;;2eceCqAq1k2F%6a38X`$ZfFKUi}Gwgrl|+UBT~#<>^7QN@rd@%9gATvp&f(8Rvq2iJ}(qYx1s7q z^hq`)Q@2oJ4Ky!zEC+!cnf-`Gb@>zpo5mK|*9}NvH6OT@pjt%E#Rl_-kJiOKm-6fi zcIqUj8OCJPgUcoH8o`;k>!9%w!4*(pXHY$w^-dpg#R=2lc<*49E0bOoR}D6zwGpxS z1>4Jfzi<~=g`Ndc<|r6NlM2eeE85nvVIgR^anWFb;-H!IV}24q;Qoq?zU@@_&=h-6m=e7Ct{Z;2?)j~iDJmN63I-ahTBH+Y##oh*=o5Eiv@P z%yqJ8F&k|}fuJ8nG-lb~V~?!~g}mRiv~j##_gFrlM#(sh&p1a8g9+Y~OtaD3b8JK% zBizex%t0uz5|j$0 zppsE5NfQ5fKJ>miWHpQ-Nj>j%@Gjn7L@ zpWqonZ%qyEl%Tto@EAZDDhi$8JORTMx@9oE(l81nRhA_kYk#v@9>^=usZJ>1(c>=#>^D+Rb^EuxKYVat>K1Me(Zn)!`q6hQsBw1e=H!JiP3i| z)((}EP51>6=;Knzph-8Av|1cwJ+PmD>ylp zJ%x7&Xon7a)KXYu?rVz$47MC5%uDf+Q%(8|W8)IOdYbKEbzrw4T1|FNF|)} zA5@e{8SB{%ugylIzg3OH4ddjo<<%O|xN?>Ct4fR=a zY)eC`ia42(YU%T2C>V?eHeqG_!GQk7w~1>jjZS=cDgB#w)oZa_&a2Fk*Q4tHI&a6; zz$9#VcC8>6aaq)?#3x;cL+vZo0|_@lCw9>b!mx>Zyd`Sy7?}YZQ4Uq0EbAxaRE5D7 zPa6$S5;LKt?~n)P-~A4%NbPeVl2h5iv-L)tO{=;;&hH7}TDkV3zA4HKciwp!>|V5x z44FVtMB zoKv_Ku0xfL3Ldy(06*p>j4t$QG5YqT5RDk2iJPVzv0{-YT;<{{N)`$qr=$X=vD8h1 zS6RpcvV(lhFT%23lOgQ9-AT>6 zU7G=~q}6LusCGeXTt}<0NhPJMJ5i7wDNGZt(>XTEjk}ExRt@B~>d{dAFtj8lH3|HW zX0zag3mV zEDU>JC@hSceA>1BJSpa0-(XhK%&G^H)n2f%`X1DQ?FAAunczVw&7af4G35qCCqZt3 zxOs~>O7>UaScKZybJ&QoI`Q(J+s3uV`L@OGjYf4INi$z0uNwaW5sLom+j|fFExs^n zxpe2lF#j>pq+N-JI5L@|n9z7HRi1ia+k_;osWx+3dvf{_9qFS>Pgy2@w!hrqiPd}Z zD&F`(;ocYc%V}48J2$xY4Yo0gJ<_o_(gLNbA|8=#VZqh28m_8zX8L{+?~41-$+~%!dJBee8~F`Sae}fLXfEzgoQ<~ zA3{ulD(4EC;fy59m~;psS`m0uU6#=$eZ$o%@}popM5;N}d4affGPqb8H>4 z%EqZ`TAGS%h3TvVc&XR3n&dQvlqJg~RZZ_PE=(%n&40Ka=bDYV937s$6#6U_i>r%MVyC!3Wf&iDhQNzPC$Se>i z48(zwF_qxoo(_l~R@OSb6JrT_dd<;aA6W4xaRnCIMOee%ceKf#uy#E(OxP9@CagZ; zEm_HKLE5$5Tc>YEa-k9o&rrJ{QBo?Nm4iCI4D{P;jFpF>G5<4q(4QD=4ZFOXV0Hf+ zp|+x?@jlVGJRSQdX<=-Tq068tbMdxXF5i!`<2a>g9bJJc9TTTe7zN)l!kK=R*f;4^ zb1TE<#bjf~L8twsGZh#Jb4~|?Ul%DLahOOEPYio$m9mtb6t2(8eHb2hxnSb##JNax z{!UwYxAD5zF<{QTJgE0F$k#ySIM}mW6JlbUU)Uw+M#wK8SK2)NUe%lrQ7z32QIYK7 
z$)yt#-xDF29m!}(r}SmJd5uUp`Dn5-$dNWbXiq*=&IvD~x{ygSHD%H%u|Qif7E&Ve zi-&Ojj5zKRmP2MsWV)x!UQTRNLN}=35VdMoB?XGt1VmmD{79e!FV(_3%wc-tq+<58 zgT%`bwaAR|UG!?fcu4@6_-PUxVR%(r^VHMcIi0EAr;caXFTd%aeaD4Bq>l&X#~W@c zzuOeOK**rq5I<+P&}5dk4x@GtXr*&AL%L2rsR(OtYMkr zk`Mzv`H#O)j*EW-Z0@Ftv`sn*(o53`%2T-U*S>*zJrnhML-E)!h>ydbS-qkeR^=^( zY>x|d#6YJiw%EZ^^S`+dV4{{G2z2gThm_l7MyM9{veI<$iD;j|HgC@4I3;8pZPX?K zp!_BGmHa<-7a9`;EOOoIm_i+6j(l0i?}TD0WWi~Wz_PLcEe~K^d4XK>GVx!(stNKx~tEqlW2XL+=KxV!stT%C1cY zU1A!*JR9ItIL(Hi2&~C0|HF68u@x55nB@Pu7;UEyzG3Kh*Z@7yZ~{RBZ=2>c13rmattc z|Igkcxufvc6lV;z~Y$hVdx$ixDF`L=3l<=8Z~cL9uYLl~K08-!)vQvDmoLr z?k}Lf`Qwq-8nP)L89;0zp(dSH<}tlobynhU>kcI1C?^feO{kI1UQtnX7MsN&0F{zw zmGHtSY$?ulEx4$^zC2qjL0s}UWI_!m^%SL%V$i|Z|9p(Psg=2w7FFNa9DHURaAq8I zHUi#2Gw9ADlw+2b^mhfkLV<2pod$a9*lFqnCTn_zF>}_zmu>Lu4GUgw#@^90VsX(4 z7Z-2;^bmCxA(kO?*2=#Y6==0V5#Q863@uQNbjsRF-_?1^atXzS=m@&*olKARH@Uwh z^N04C@qDaI(cC_JY14?T`jk9GJkaW!KpP^Z$7N{c2^yqywzQj6^OdE9sVwGDWmxfi zBNM0-NxTseaON%$5pi)@^+17|6}@a0`SxQnyY#^{;uvRE-a6CSs6#aeSOX zc>yBvfH}*6sf7U90i#$U?&c!p$N^Fb4vMvnOkI7w|G0Tj^)w~f0TSSAvP4G5M50+{ zYAXxz=-)*)pW$J*d^MVZb)^^55htXZXi~0~pX1^K?Y>d- zvhZm9P7tL}-fofl?e3%yro3(*G%!Kll&}yXy%vW+v}KP@JiF+;+F7T0x|?u9&U!2f zF^|}f89)SL1nH4;FtI{bbE7vb-CASd<^=%=fHtQCt`_!E%;iKcn1ngXKzo>n7v<58E4Fxr%obGSd>vI zA_mT{C`}^W(Yg^q2pw#Upox5r5ev+P{u<@~?d@Sw_*>)C^w9HhSIzE0SS1LnB1IB| z^X3W8Mi-iomc25!yQC!-2MQYuL9B4aiL~@fo46EaRem`FxzK(sv>C6xT#VHD3USd% zYd@ZkD?ULIn`{?8@bB9FW#p;Sly^S4)MoSbIlaYXNoY^G*YX8qMHB+4K!90^?hsziCj`!2ihF?}r_Q6>{ z5uf)XBR;=Z$ltGRx7*isWNMpM`7=-ZNP+9KoJ8=bPP0$ua0}CIQw$7!kogvqD-!e6~LD6#N|9b(}vTXI8j6hPKL`90{K^Qdgy04}w zTiDp`O}tP>N7?P2{u0c>!`~jh5#{iB#fZ!0?w>t?WM$=WS~dSGJP0u~2yG*pxkkv(N#of;=3`>6(KVA#3m?6L;#{h6=|J9!?8T*@O*~=T<{%kGw z|1M?7jqKnL6CasI^sTstSDc}Lxj%jDWaZ=@y#4Q%VBUD&BHr+O2bDsEa`5nt%#Tz4 z`7>Lmj!NBVFq`0D9EKXBRYotm%)BoMm`7>-W+0KBa1TPk^GX4<`*x7#0OgvlG>KH? 
z$F~$LjXgLFor&oyRRbptn}2ph2vI@f%_EGTwogo)QgfK3lL?`f6B2MC8NlH^hD{kQ znL3D0)%tj(S9CWU{l`$(qfjIWP(nW3Z1=BL3HFXUTkBgJqj@G7u#Yg0-fo}@|7{+O zyGL1hd9^h(Mnk+@|Jyso3>6=Jo#DRu$Ib7Ku>1GM2RApXCWKcb9zw&V+&Y-aRYl9Z zS3=%e*L-yJ1w+8B$&4}lkqNCuX6mDeEvRKCN2F?#{9i0@>%_!cYJ$YI!9tH?^hsrR zMXZ2QW6)r$WBsOo96GiDn#B;W^8ARDW|f zZ)ESEEmTcCTx0oLo-)v{=wMw_=m>k z?hT3)99aDvd$~UzQs&^{vX0TGBBodW433-WiC|G@R_`j0)nSn0LU;Dk&?>&P%A{Gc z2n{Fgv8Sl^FYicfA&*>YEp%5{5-wQm@6$?V)>i3CH~1 z;fm`PFt-I_^5w&XZD8gF^PyI=SG>u7d*0pI=Jfz>tK0cr-lcB8zJ?j)Cf?TJ1@_UY zX76K%fraG_xG{V_--yxKoP)hvNVAj1g|W5doI{r+uf#a2NPO1&rFILfPoY>Xif}nZ znF!YhjkVnoovk%SNq^68hIF+um8@<4 z+)YTk*}M7z@+@b+wddW%`{Lu~UtlbsE}Qj?sp=wW>S2n(39-7zx?jRZ^t4Vqrrxq< zBT&L;MC^b)986IaE}ogJ<(fJ#M{OwGRV7Gqx+b+J5zcVj3h>17Sn}JLsQq;79KI4d zw3l#HeS(mUDswHu`#t3yqG%+`r_3k2XczDbjH7!?WQ~J@=S~ec>57B3Qn9-M8@Ow0 zi~Ylfiuc**&cJkovAa{p9SN8l+!OW@iFR*CDF3V77wC@f7whL7xeRnzxj5w#>yQcu)gi*qeq*`{b^o(Kf0JS^KIst{lo0kd4uOF zjRJK%#F-wfoXrz|Ln69Wk)*@4HlD2M1p4)SS*Yv9OUyV4L(_bCnU2V&Lbpm!VXvO`JHETMFk8B&jESpJ$!Xza>lc04q{AXst`-=;Aan0k>XE9YO*23&*B(F~F zap7<{LX^O#UN#eR;kW|I11}rR%q0){=SirLOGz6`EC`*=0hf|;Wz!7O+%E$4&g*hS z?1VR+aV^7k?|qq%x3_1V!C=UY+FNFkD~&gN*f)dwJCxq2P~U*fO= z{|n3Yej)%)ILD%&tS;yP9>X{Shr%eIU(kV}pf1S_NefmJCkEGO{+Zz|vq&JH8Q8U% z#Z!X*=i*aXT*&`^TG5C*~*}oVKwc~k(*7fxc(seiC zV=Xh1d#pgW*WB3{J?nGKy4B+Vx9fGn`#Hnj+fAdy$J=;Mrj4EIx^;mZ*4TYLx=;vo5SO5ls;(Xh3qkDM5hsI zCAUK-J#4ws>=|TT8XA@{r@Qlv%>Jz9HgD4|>FCB;D)M*(n zmsx^Qv+Yz=B{z4Q&jXk5?#b@R)y2o!?&k3G@uO1oU%^_Q$v8P?>nQQIhUW19Y8J$e zkDuMwHTUZb!p`8`nT4!i8*Y<@R{;~3{7Xxix9#*g3EwC)P3`;J6E@m>D-lylX3~2m z=g@u5FCMU`)Dzf2QBPu6*sCp7^5G57r7rrgWxJ3~uz%t7e&s4?DiXSTOi)gQ9~( zO0(fGnU&pm2%@4OZG-_2rxKYMRZpYf@GjI*O&IGM)iXo>&~Q?0J`P1J#{>WY_GY3l zUN0-@410mqfw?fo`)o7V?f&qL?UUTe=YEsu|{-@&31Dwx)E zlD~E!Z}bw({3}`k5hBbMg92i>)h}3=(7AMid z#7_4mmGZlaE%ozn}ra>=y}ORnk69Nty8oLQ38gT(V1y z=tvvX>e=fXoqjX?uBh4WJE|JJ?cte~v8a zb8FE_0xm5<4sH255!t{7uE>Ut=ERo_qXR|oCoCWu&fpzpqZ3imD7t_TH$%OAmLvIg zU`L06+xui;PFC3i!BH}<8l3ZR(#$|Hdex`m?8yyQq%#^CQ67Fhk$PL<12NiPfGylR 
z{#Nn+X0F{|PSqRu+GJ?~~dTuO@89xKtF~txXSfBnuTf#BvV4m- z{e7_T$(=RgJVvEBW;%q_O;WgMAXARs?>=ltTg_8OIjM-K?PRY#aI)))$bJ8JQrG=v zk#sNVaikGq<<;5N(i%w(!14{<;eQ$b14>AMKtq@oPYcNPN$E?#qHFp>85}y(*+5l1 zZmAn+mth7?m8@;RXoA^R~7Bu-x67j&ik6S>uF=s{a{Br)f0W9wD$JmJ9~3&vpXPj z_4zKd_rb;cC7a;i>0uGkYd(;@r~vv^SBV}yOZPvM)!sk~mb}&HwWAu9c%7^vqUOv> zt*c|xRf-R1J}geR%K}C^q4b^F^%&yf*^^587;5J8@~+E?#QcO8mvFobH?0Cw1NRb< zcd`bLz52B^rRY#%{8oV(^RRv`KH)_wzF!Oz%v)VOvGiSc*gKvFK!DH(V4SZZA-%|9 z;Kp@WQOiU4;BtrdHyZOITdjlIE9!Ob^ z=lYbD>8U&DbRA?Fhdv`_%IaW!@-wo|7O)g+KZ_B*@3W6wn5(>cF(Q1KzzQAQVPVVj z$JJGIcOc%S)~7Hb)NA3iPWZgIM4(VZ!NC71-jmI*QtU~SIoqx;&r^&7(7XHBH}B`` zrrke4;2pk^cSfb9GiFXR<~R;OvS!6uWMQu1C-DsU3=hPO2g>-Kix36*16m`Z500w zjmKH&#@YNqq|Lu{4O!6TWvs+-SC?pQ)7hPXa4->giILt;>P5K!C=JS8*BG;im7xJq z`gQUR#U;#Np+-}Dvf_zlq_(vl9c@7pK&}iW*BF-mMdAy zvDUX@8Tmb1&%PZ*G+hLS z(fLPWFwWU(S5=gPkz!<7T3A3Wsm1=jch#Q`6q7H5WZxx`tUc@s0wSKm3&BxRK**#M zBO&SK_h9Ez8F@6^wXiR`{*y~|*r7h?i3a&zuJBBKZNk&RIHX(6&B0Feh5OMAZPWuU zAR{7&4R0xe!vL`sf8z1=(}8w<<{k5bkaMs}&>dSkI+~U`zyD_FFDi<66O>*^Gq`5V zV9Y=jJ-{(p$BAuZ#naD1V31_8h9$><7hTVbZ!xNq!+8=BP;|D+nwz%=5RIf--% zR;Y}3@s=l@lW7UU8k9>}tBpe1g;-)X+UAS`TD**Z%`ze$;;MX)i{-~)tXMDDjxb_u z6ri>Ga(5i~K@kBA!2d2Z+f@5HRGVkc7&>a4Ie zK~Aa+ro-ME&rBrLQpaR6;QD3_{#u)Abm)0a(pZ<-OLSw_jp{sUH^jvD(L7@KKJ}WZm7AA>>XIE0i<0SBTsKeXRqZg8D2Q#% zd<~&>&?m_aM}J^9SB#Eef(QpqAs#nABu6p8AfdD0TRicpKjLY}u>MwVCmA?)2Jza| zYU^l?WGCo~`f#%|x|x6%D@0;rV*~JB^(|vZfXr;=e@E>7uJuK^A>g48S1%_s2K$vp z)~CtK4>GB#m2{!N5Mc;JhdCvhjlgWIUzgRNlh{8(F&ce^x3#e`99a3$*6st=iK7&C z4~s<$cL5;U03Uar9#n?){(YqHqt&0M2HZD@8v|XMjExy8(N-v{3u43@WeKdG7s^h= z;RqcDpd$?!PP=)E;ox5&bE#$GlV*&|_N=nW}vllK10mW0|Gjy>vo z02~ra&{Lb~p_h!L>wZ}9XSWXfxq?^0E$LQ%UeqsIju~YZ{guc)))OoFzL^3&jTRa; zk`q1h?Oq2<{KpuYk&~i|!Na(+TIREGXfIj!SXcPai-Xkxp`{?vQcpwENoPia%|vh> zi~66KmA;<7{_?_6+FIKhSw17v-Ps&<=AlHeQ4kJHuJ=%=ot~xy{1^Vr>@1+N-|h^G zb8z$9_31*6bA0^DYpSSQ8W}-7Kvv?%?KLO&QGj)BQ92e|XI6bbhg8Ejv3MlBIATg6 z_CJg-fM51unKJnzu|y8=9h->gk(x~=S>*b_&suXaGK$>xV4S?4th&VeH$ro>95i3N 
z3eRq4tg(XjtW5{Yj4tY5n5cw{PjIjg7)81B%8QGiz4rt$s&Bg0$0t^(uuZ~rNX-nc zmB?80r}cJ!o+xH!R&`zq?yRco{>UihBbiYn>nL(o8P#May+^>W({Fc#(@fg4WgZ+} z;u7%s2CRE4yd)`q*uXBg3nv+I6mgQuVjcE7OX#IV#gFYLOW`o@wa1(Zb4yvgAfDUt zK67s7nf$$#`?^dGhrBkwi1cR7!%vJ!R5cmg*(M>NIbdA-jj3s;-9s}-%2Y8PvoL$b z2f14rNesp2<1yg;aZ?F;U$H)$W>Ua8>13<{pLq1N+ej12h!yqp@!stLpJ>9MBE(0X z_)v%>qxwxZso!Ao$EYXmVE%yI{ije|-}Lh8Qs2zW%0|kiMSbs}P}tksF=}xAO-dmJ zEd|R&z-Gx@#Sr#l*CgDbQ7u?tgvNp$jw>g7fBp`s=joKl z_x6$zpMb!qAFQMh39`?d&F*oys|@t#cm(`vj?p9(zqD8p z5aKPc2v!;5uZWX#{<1bFjxEhgP5K6=fRA9(po7hrHG0P0>~;q#KtaKMX`+JVWZ@qS z4ubG-^K0z1mUq!^#x>>Eb6Jn1B`XQlWW^8Tb~)$4V#%BOEtCz=L{E7$j;?!$n3a;h z-rjQV_&lRRn3V#ghf5ooiwGXmn$>^Aa8nJAw1WVO3Lr;#KfXfE%*+l`)u&vxA0{tN zxp?iQ_@aB05LEdz)-H}~#3Mf?)D&=d)UwCY2LD;&YpmD0w5r?QWD?We9rg}6C1mr#Ld{Z?7N70i~c!!KSs# z420<@S43Y}RYaH?0^}F>$dYcXs**9*G!01{Qv+iVaNnC@44`zlI|2geff+X|_ZOH^ zJq3d!*8n}2C!@&P&Q=hkbm05#!RRE9V!toMpldGWB}YdG*I|-nt{0+iw{5NQZExX|KRw%L7SlC>Bg}<4aJk8gaJO3Q~M(FZ9Tl+ zv#MR65~~mtUJIXCAjW&dZA-J5QYw^?EB2AGEh%+&K+A>k4XaWk!GJNAK+s?!3N9YO z0e}NEa&kiHRI7o_$oSw3wu89uduT*a<|2uFZI0XG!M?A{tlc4dj-+bIcDxh#oTGO z)&LyzhM&X7KjiHYgGQdmJ@!LLRC@Va~H~1=w0Zd3jh=q~C zD&viray51vf%9YOHcK-eHeVsa5(y*W3K(fQ-{;_@E(#6vU>=eiaHe`)9BZPQ^!K&q zdI!D0=V-)bQx>8s2^$Sn9xG7oQ!6JTRclK-fl)=IGQH_xRU$hUGOY@Q=*zSO1wO#C zOc;!CLW0AX^6+u>vE%!M+4(*K;p5}$+c5#5bsch2PpZ-Oyx|`A6nS_M^1;>t8dxr+Q7$4br+4RZdF%bW0~M5SjAmle~x2ZArfT; zf^`03ap)^g>b1FL_XNZOPQdRGF?f*pbOgtwxv! 
z?MjM{bM)!Fs8fbf5K=1Gh^_moPC-SshICT0q`jMpdBe=sr$%>K(_XnpdP6IQU^HuD zLBr`Z&SrH;MhgLKU++e>4_1SQc#b;Ka0ci8diP%-*Ire{G{UCq(_}oGB=g_(lTSm= z6r{9%s~*Lrv zY_Uie`HhQ+at`dLwKJq;Ua5%?li<~~)`BW%tt0+HxJtHr@YtiM31F-yuEK~v&wcoLJ%1dXDYoApK1 z54+p^GtKs9AGAd8VRIjM&Zsy>fCcVhCl%x)M^oepF0UY&nI$Odx2G8^UB=o=|T5OX<3k zacoS#KJDP{49fQ*`(__Pj^LpBg8gni(@lZFr~@D#8%w&k+p4=JowWTuVf%ia{X_-q zH0+Jfzh+*`OPI*OO8vT)duDTp7BH=X7T-{p%JNj?s zq9r5++0n7v1UYM-iPeUbOU3y)s%=4gYSeKJ`BAyzzKBg;UQ(VBioygY@qrS$pyIb^0S1lL^NE$>bH>FRO1GTWNdW*_p3XfggZ0e%eaK&eStV8D1b9Cm2Hl+sXY=iQ#8dJn z^e`P3JZ1JNup-JL0#pjUcMVFzH6h~=)bHUk@`Rz4khLDG&?qVMq9zQX#v<_`q-2Pc z2}N}z=9Wh~;gF$AiPHD6=1Q+M8m!pWJ53sNX=DNQgAVEH85g}6L^3VXjL87-%HCnm z%YnPTD~cI5)n!5Y%5=4xYG{zQ2A$$zMsN*NKc@je1AD{o6BQc+Z*SvN`Tgl^R9JGT z$Nrm*4V?e2eKsKMcIJb?&_MRcdMw98RJFl0m1(*lH@87{sb~xS1LMEx* zeyWIwNcKKIR4uJ+t47KZzz}BS9GSBz)CL)8y|B-m@^s6;$KW8$RCG)&F9xG!OA@@M z?>;4@YEr~{b!Q7$n6Mhcfy78?OqqFjxd(rqt84e8t=R7%u6rXcHo5gpt*x!KB@XWw zt};3Jcn1*(_y*W}AAGX1vis?nb(2j7(^mt)VUIJTx+HF;=0lvVp|{OWq0xIEyW?ya zs9!)DE$gcOf>B?sg1UiH@^-6ptQy>r(>LO7OUuZX*cN57r!&1m&Kb_QP^?xWeHkIt z(w-dwCBl^@CkMvJorI8boPJCaFSud%Hd>rShMn#9*-Urv`#QN9H>iN(_VN(4^r1Zv zBhiV?0xUJbNuQH%ycX;ZQrr4zoyhhHX8CGmNC2pg(F8EMu!GS9o;c9MAp{{7;r4SI z1$R1SupJiC>sQI*nPytS)#}bQyzeD|hu-9O$0$8v=J9>rBC1HzzG%@(Fw_=ONnit_ zrjFF?qT=*pU0+3zoqasxqc<$hc5+PslrCOuqO8Fbg9cb2ne4mc|NO| zpJSu7#)C==UU$iIQXC37#gLb*3t6Nag+%eZ5DOXP1N)B=mQ>hH8iW5QwO_pR>304_ zc)8xG7;UXNV9lJpySzj-Lqk;+2X^%bdK<28ZeUaE_;s^{1g&us9}|ezT(u(}O^i-X zsr90ZOhJNqm=|z&`3c+m@yKW^<5t(ms1qYub9_)$9=?DXNX@PFpEU`<$%G6R8f8tN zRBkCSlwztbbbWIY0OpdADz)4Hg0@Po<07@qnD1RaQRmlMgQDg^-^!*nz zUKjMQbxk&qN-T@@Z$_e0Bl1-VN58$l>Rr9vVCpg#w^UUkhYBs?)eBLJj%e|rP~E8) z!Rr4bnktK_(XWHnt}j}8ZQ?|cA9RGs5SU#p`#F``<2T!LhYgUWKnht?#_7;uaI$vclOm4_gF@xZA0i_Pu0lFsqtHGs`(pBIKP2kEE5Wdbrdsqn*?2;BU>)w#@Ed%lB zha(@uU7ZlwV#GAz1TZpbZ}vt2RF#p+N@==zdCfc0&#yuryc_&n3Nj`F-|rU7@|uK^bG$o=P3e;uc(J-XF) zcepKRa0M(JaPn-e?GB#odgJZ>efiH1l`?A+xnt7iJzMPUQZ$U20#ii0#iz0AYX`5A zAJDKMUFn|umLwn0a|A@5gtUow2K)C(Eb5FsCCZ3M$O2PnlL5Mk0*yt5x0MmxqverC 
zoU~s*1q)ybSWA*gFj9s$i~l85!fe`zg-?LH_aR4Mq-yVU4XsfaG|pbR^@kz}ykFf2T^;!@!EWkJwD4m69S=&Z z2dNu{9okmaQG-o4AVmR&k%D>5JZk-na);kLX4m`XBP~XJEh{SCM1z;bnpa_xjqm69 z;`OBWONGbR*Y9C{3P#1kj)+ySJfzZaK2jokm1rWIg;45Cd;6YbK0)&?cis>PaI_8*TVD%Yl zC!iELJW^0>wRK9JIIGL%xfE2|N6VR|0A5-cHayVpVn4F zexCrng9D=q(eSh-lxcw$Ev!-!1oy3lh)@GBwLH*Ky6X8BmFKFvPq{`EpqL*Z0bU~y z8ypoC-5Cn6gcy1uh)rp$s3SXMFmM1gn(qkuFCi)%rf2%THR#E#XnWJ zM#~6u_SKd5Mv=@>WfocL9Ji{2JLmefYl-W0@O9z>97&AQ+``R*2D)gfNrk;qkP8K* zlTHkfqYs=tZ+D?ezIzFutE5boc>Q(_xZy9ADYfFxYDiL!m(}J zwmY_M+qP}nw$ZU|cWhf7cXapps%};Or|R7cbB^(>F*ztq+(ch5WQ;WD<{!QvE8gzU zkz62H3Kugi6oP)s_)nJfs`DtrXt4chL}SFR=y2#uUYS}?1?LJ^q?0DqLO?Jv=i}xb z^?{ssJlin2c5on_Zfs5R$V-L=oVs1 zci}Eo+o>xIZWFbGPm)HRsv_{=tRQ#~1QS92G)7hB>tWR#)yali9dG<=wNuozopc%l zO5 zm7x`lsvT)`N-M2;UWKOY&(I5CY3N4VbOn0qF+~KMD`Z8k)o-5Yl&x?HkNP0oX7j7( z1|qco{K~y?EZA+rCkiK=k4eY+y*{BJDJweqI`t?YBy5bi|HD-CZ~?dNmyhS!7owA| z_a>FQ6QnWnBzkIHZds@!*V$4HDas>hlO#EW*E^c$;_fpBI=t$&>c1=!_tZo6AZETN zwWQ*ZT)(h|CTsBcVO?EM&0qL~`-+24Ji)~6q?l6&2193?>)e;ghTX~2FNW0u<0Z(q z+dbj`VVTbvcSa5txPTieGj_bd`iH&m^pQJWUg3VOW!%%-KOCDGkR46y%wYWl+_WM! 
z?HXUSCW1hrPWk3@{H(Z-}u<;HJ zknTnPLqX&zY*^`l{=-4$`(9xF69OW}DdkHggPia<>ii#l-K92dN>KLPlE>hEmYx3m z>xS=GwOx>3RDGl6{`chnab~1oWbsGDuvqJMNu@Ft_DX$6f|Nx2W$t?HSMOTio(()` zO)re*6B$OCz~Yk0_Qvkm$_{>y^DBqF{?<6)8w1!``eUyb(k#(_$+sFR7ywtgUlIc9 z`&EMY;0oCL$EK>u^jAnYotK}93%YN1G;n8-lBJgeUUyEdK&>ueATzsVx;_M`D#$Rys^n|wO|3=*R zeGZC;;i8zH@k^MN=Cisf34gr^*-nEFJiYYK#^lt|X*FUwK6Z=Rx9hay-}>spX*+W7P5^ba`#Vh(Q3-S7s)$%D=RQNF@tl#-K^p` z0(4TWe=Tn24>|n{>8(t1i7kQ#1%KZvH{@efk&qtp2!#HnC1H6~Gb=I*31zRojG95> ztnVfi@J9dvUxhI+$ScMTd-MEh%uLfx_$$O2eSh#p+QY{`c=Bww5jJ%fv0h0oEB@Qp zz5Du_xCk&}<_5-kvNtLVa~y11+_=b(moewP;dG1PLvsc;SVpBm66-rGPD*XrsWmk= zCLGFYaGs%?DP0NAo+n(4pKNzfM&a~mW_TTPv{QC+bquKB*EZ=fu*5o``YYV~ zpgn%h50OqL>%iGLTv-ACc6ACStY-`)0zy|r#1&2vPRp#?oaxDdT+!hhi4D9*v<%4B zl6Fm<=o$0y9zQkjm1%*KWWxj^iQJb%ADi=JnBTnRQj*6?AkWsCQ^QnSSjBl(f_@b7co=x13!{*eN{s2w#w_G~SwzHUr-fd4kTI)EO>}5@5q&B2odva zePesXyrDmR040o=01toP&?8bFjaW*hNZDbUqweoh|JK*|T7{KNY?Ybi>X}~iOc5h& zLho$;D?c?P{%7eljp781TPd z1pa`3$o}setiIn566bYF6h{pWr#{-!ZLwn}y0H>(r%zx%YmbDENppom@&~vD3fw7E zkWfOpIc&uQ%50e|5cmuEyR=5l+VWx(n6RjrT&>|vN$7DueD{iFSb9I+7aGQwkr{I- z?q(_-(Q3mP&IPMAXefermtvyl?j(4(H-`^^HOs{> zlx;TlSO&8cwAz!%wF%SEU2-9FXQjQab`O#|{Km;B?wTG}m5sP;zH`~;J?kS?>N~vz zngn}$r9D!lo|Mr)9saiTCdHI9>-Z~cf2#%cbNLF;O+c$61rHUbBPWSGhfbkj{egk%pg{!#mN>BydCwQK zZo}+RA9#AF>7*(hsL{ja`0cOyc4(Ryw*K|y0h0rh=6>Fh!CM6Wk8@Dp_X`!g zn;YWjZ@Va-Z(W)+Kx+iR(_&0?<;LE=ax~s{E|~p$I>CyOXyE>ux3;R=P}SORr?4ju z5g4utc1>YpvaGS_Bn8c)jQa`USFD^FV0S~C(y^yc19!l`^e~qfGIz}gKwsub`?iP#CUxudxGa3Tt#wBfss8%n(_!o}{&Vqnoz<4K(b$kTm zut9^O27%!kIEogo@Kx+@Pw&{h0=%OF{qIn#^x$G7qjp5FVlBNdEt!(UR4$a?PVQYF z-{{(HR#W}F>BF|s`=~kI`f9T#!@6Zox+}xfhAj1@$sEF9&~G(xaeuX{@LBN7%#{N{ zl=BW&jxh`h3XCgw2Lf;qbZA4n`*`x8e1`4#{63K$J|SZ(SgFvt<}LDiug2hKp?K`z zKgj>}dL-Lft^1m#9bTERv8u?eru&5UxVjn39K9t|&`^B3f!55tE}s6P(K1TEyljrQ zy|?X)2_CF=p}oTu)_VH79HbP+qQbkqJ6KNOAE;2^rz*Yr(Jt$`yCj=tG1W?kOlKRM zbq!8gr1uZ-j=f`;XPQJ(<{>Y|-joo7^Jwo{<9O*;W99Ykw6m4nNa{gj%nv#sZ0 ziCHDAen;c|vVN7eTirF3D1j56DkubIqShT%>FMbd%`Wd0+Q!L#Q$jm5^nl!vhdjEN 
zQKLzp=`}-<>t@kmKC1BOL8P~iZqPqi$P4U}wyqWXbyD9;EVT-gW1sl-T6QW=$M;r0 zIP?;l5#TVSwiiydzXH-C++X@j+~^zWvwNO@OryXzHsTdwEnMK|`DB-}&TU0TDjDqY z9j{~qt=%bhjWgqI`5pWF`3b$=oVAilaN#CURq;blGpnQ%I!z?LT(&P)&8RtiAvREj zW1ES*T*Z| zlV74e(aUSC!Jcxcqy+S{eryCEzi?V+F#;tofQd z|AooY-l6=a2mdL(jrZW?if|LxvvvJ>O9PX?$z*SSD^dN%wz67E-k?yc?a(quY!Mvn z+;Hx?I+lfXh-l>25%=f)E+8&Jz%w+jjvj2#pjUBMLXjHapgnRYlL?ixYuZ?ve|mZa zIm|0O{>Y7YT4Lhv&R3S*tAg5 z-x-U>*rbC98c3y}3&*!3H|40IMkcGeEOK5sr{peE;D$>N2!@~rp&EGR6VEoolB+0W zuOjd$Mz|%!FJ8OxEJ8=!B4!4<`<@4}>_ ztmG-z-iCjBAKS`)qt>f_^AfpT5;tIM(4iLg$9E7k9qgr9^Mr)f5?1qstzNCIZf5s;d&Gks_6VL~$zk_j9~@0I z6k)(Ul!5Ojai8xCS`IEKn1INd_{Hm?4B93L8|zOkh)lYfI8jszSc+-<)drfzGV~lJ zX%EiM{>n4@uB`Y%Dy+0}rb@Jw(n-Og$60Y#!6Dq3j&S7l5V)y$FpMM}mPg>x|2K}knd-?r?jxM0D;kJr-|i23=eBb;6mdS^QgaOqJ>P zV)tS=lGX!(G_c{Pt6!8w3-#|+o0g$noTsK%=7Cwu)CLtq7-jay=|Xz8&0Cm^HE2N* z2lL6V9oQUZ93SlKG*hc3;YZ0Ix^=rOr;6SkTrAuV{p*ocN9unLQX=+HQ@@1;AF%z{ z+0WOssytgf|I84PRR3dCAow-#bAM%UFm0i*c;^;?Aw)ji3`0}>J<}}hv@u6yTTQa( z*Z87WrhWQu8AmpaWPzPbH_VoG1Ssh1&zR>ZNOk2YIx^#vtm8W8nC4j$i*s+#!4%1_ zYI1!P$yO<`4-;3sNxAklz4QQ6&m^}Sr`QLo1J&8qwD|w>hxz4AKtZNE#LSwagzIkB z^eMO*nj*V*2^`FHO$V^J= zt~{ut3$&64v}MoRp-@|hKnjkOCTtcBS5s;x8%QL=gm|yc&wOxGQ$&GH(fCV?NKu8H z-uo4j^%%(@@L2N>;UR~MeJ)YyA~kJ(q1PL@gDrdFJ8P?l4+4E{MFJL9G~^eL2+zOg zzyy1|!VOzmI^}I>Gt}p;Cjn+*%1x!sa4l?ubaF|i)TcZm+MoI6ak8M)7Lv;|Tx+s6 zreZJShKPJe)SVk6UY!Tnjb6%qsWh}`cBrcp(fdx^1V+gefCDpg#zc0BYoU_4922VPUDYr>%=KZ3cs1EV3#j;UsRND^Q~dWe@~XC}8?tJb z;_9pW98QU6yb_*C$)16XAvGj9;;TCnrOV7A*n@BUgK4-|vLVL26Dy7h&N!BWdFEKt zvIKL1OL(2E9LDFUL(>nv_!tJ_rZ;+q4t>PVH%!A5fk)_&x@Xw5{m7qtB6cZB&czT+ zxvmfCjWX(aSkKG8(X!V1>}R!5#&{!(jxYm0pI`(3Z|D~fkJVF|Cb}NAC7UBI@no~i z3Tl+RpR7x`s8y_alUQ@s?GY8(WwayHcrF>{dF4_-@x2_`g0^g`|6at3C6!K0ZA5O~ zGCm;3;G91|V(T?{gG;D07*+j_!lH(vwpdDEjY9LgFESNcK(UTl4UvB+xJPu=U@p;d zr=ife47J7UntWEXvGVwtc8j)7#Kth9Uu;^CReV%LUz<;BttI`jf`=C4Tj&LJ2HaI6 zT2=knQh23A8c0``l8bQf(2;9|N4a+VHR1m4J4t0W-$37pFYCaYZ78P&R(CJn(c3Ai zW(!&T2>OuZoD2}b?6R}X3DP|ZQ`4iVJ@az>9YNu_D_%bFJa6S@qRT?`hansMNeki| 
zr1`a}>gM=3Fmhz~Og^~RGK|MKtsu-5gvYM>$z!i>1 zWi4WKxJK&%N~rsjmWsDS0M+XI1EutKW)vV5mE6p-sBMBb@5n-M;LJ1ja06d|)Ki3S zLES8SrUrB6J5g5&A#GjG(Dl0uFS5iND77lT#IYem%o@EHf}XMyb4Qb$DA!sfWqAdR z3PLq=SSbjkst4OZE|r#rTrE{MPk2D7aqw~$ywyDYE^{OK2b^8?BDqgQp0oqv@bV() z@22%?IBl6jhO>>R`&Yzd+5uz^#yGlL{zi~6l(g)13+CAw$vF!s=K~mK%AyatrfO*; z@AjCZ4eBex%l*^CFyEx~qv_QZVZqVc6W(6GZ&=H;jqc8N@Urao_`mwJKbk)33c@BQ zdw#eUnbwP4~*6$&yV4)K)xyUpP!L_MNLb_5WD_1>(*Z_oVhj8*FT^;FDhZ^YR&Y z#0gpQN1#$C{=7q1*BGy464g72zDhi4dvACMKi_|*(FR|Ktg;r&`UUxiZ`U9W@{EoE zu6UAej8Ce1B&?JB$~~mT0#S&T@yH(O6aUCn#ZWo=^6|GMsOjPfF}cZgJ^|;U*{miqTb~)hCiao@_OwsA- z>>Yf}q4o8157tUwU9A(Nm>22;)~JtE)j3Mm^*dB3*n`)KiG|ky)*BRq+p=q^x-_1y ztO}o%g=R?Np3;i19$|>r(3%8I^G*g60gagn9%_eX({Xkw+Za_PK;aE)a|UAwsb%h0 z3#d$=HE2WguF|UzeyO>!vDILsBhdjbNOR%&TRB1a_5~#U^{Rw&M-zn^^)|zP`ILbg+nI$DaDO+M&t!?4?#e8J2#Wv9l>Ku;wEw?>_?Zt(0VV!ZqnpPul5uc6|YH0eFzvAup0 z(Z;@(Vb#OP+pr{xq{$JvQDB023~m$&XnZr?E|)C;&F`KL2L-4!wBOh5Gi*;s=UBqp zSx1}&7Nv_R91#?fTZwN(eSLqmM<NJS;D+&ebDTBrTXGE4Hnmsbz5*41HB}vZ6E|x_zO}r6cm(DArb_rD=(sBM|+Gxz%%#v)0e{A?I`W%OTwNZUmo!+ z%K@^&cQ0&xu7%glHM}qNPF)%5-Dqu}S=oFx&I^a@&ZdTzB4AuR)%6ah$6fi55eNCy zv_}8h=x_-rpe=`r@Zr6atLnHenK{G)D2o^87?>%{{w{w}ERLAxDooCWhogpoXcW13 z+A^^$h@TnEc5C7^%_~%A%o2;3jVj-hQzmmbt74UGzq&DGLV@aJ&+Bf@5}BFjnq!qo zid7eKnaWYF@k>C8c-q~~#n<7I?-OLT&*UK3wK16$kxvGdTnS4LoA7!pFc*Sju$Qv{C))p5QcDnaw! 
zVF3KSc!Wm|A^GrfBkzws;P!BL51hhQZ8BsKr3N{>2kZRx{ETibZ4nRjwC+Enz(VWo|(|e6D z_htqt#5Ox|RMjBuQ8SHT#G@_2unSDfBoXkA+$`KIM@-psMr&bassb$T6@w{YI-6qW zYUD_U$fWMSR>=AB;~H14N`5d)GhX-4fe_;n?pFW-Jr#EWBX|8@zybdbD0B6Xe`V6i z;Eq%L9v54c)T|SlSfwdqu3X>A<^9m$S((~0eYTAP{)kT>0pvI=>!-f=Us3SwAoJVQ zNcRZXK#w^wM{ULN{C8Gk&ga*Q88%#a%U7t7Nd@Ojf(7vX8e6lV^z?EGd*BmC3g@2X zfDz1IJ=cRF~yhOgHJLH@` zH1oFpr;dhG7`1^=?{> z9w)AAN|?#Ic&j)G+4pUtyl7*Sw)o0#fFHamZjh|4Ixh-TUM)!dhkNSu?d1{=^9VV< zEy5;c$>5AOTG;n<(BvAf{r-NJ*#Gs}<1ItLFXC#kPDG3Wooj-$cFXkiLCD92!J9-!sc=Hu#i#7UDHS-e{Q*vE_3){mskDFk;+j8Sra504}8 zRtm9{Z?zPnjKo2MuS1S zXHQF&eca|7+v%uuSE2^*4ZkwY0(`8;?glk*Y8W_<7=QmZxVX6zP5WlUKkmvidT|5q z-@!FXI4^&Hc?u&7Lj!{x3LMOYlvPO{ta;;q>|F$FWrNM81_;uHN;XEbyM!F@5ZL7@-D?_I53rkNlmm)>b#7eLBuceT7Kj zn6N$}K=!IIxjE7S%iwl3(Fs*x1u46~0$4r&34Rh15jKc4fKWD;tbKD9z>y5`^FbJp zz*&MDyUZO-1tNw_rP>++CB51JWG0yv6jq(Y&3$`4m8 zDc)w-F_LwE^`oKBixEl&7Bpm03B~SL1fritj3FTGOpd!;E=% z1hI~%&UP3>a?UhBIH%CKb$4{IiUe3O4O?PZ;Q>yAWxjr&gQULq`vm-6e}TW}13oQ2 zrwjT<-&fd|*lJQ~j{%10B@#CagIvnP4Kz2q+u|oQ(8rgFW+mP6@SgX{udYe^68a9+ z+Qu*neS+xQk81f%evhoa=mHcCi({d}`xpy_rgm1{kKz?=6P_I6{PDN%L$rRMM;wPS z&d4I6yh_E3*_=m~oOW8|qrDXf7|_R8eN<+-Ioa|G-dcoQ1-o`#RmD~#)g1=rJd`?= z5O~eWiray5!#cce)VUZ@X)@l^0m3a^ivcD_nhkq3@(LLYEcUnROlVZj4#o|#FlU1B zx`Soyqsh>t--|8}rS0lM#8nG%OxRw5o+K_b2D@+8jmtYEfH3kB&GH@)*{BC|-xz^h zJd*&Enqo~zp?geRU63-sEg$mp(Est;(cd5Q^D^%65aAFYsM|P(@lrfEYsJTYZ6y91k^^yug+dzyx;yhT=#de$l z9Y-xOJA!4Ao9E_DR4OZJE0j1C#CbWFh9xLgf_Ud?ly=A6a5&DobP1F;u?>csZSodc zF;3H_1{fm`TPYfEjvj=sPe?wZ00%UnDJ@31Q{;54g#X_TLot&m-u%Po8~oUE73<78 zThiUu0&Ul?I>lPLz)_6z+g^M<^qpKFp%4%LOPh;$qrt)8aLenWpAo_m%LpGT?8 z-U8Vipk#-0dY`{>jE-v~m7^x+5NTbvZ4I-V-NRXm8J1n|_e=JG7t5Jm)~!Wvi8Bfa zoeE4^sEX(=0@}^Dx9tRTiv)yjO#h;%ZRc8I6Qqd_e_3ywuGNHmG=2rIx|>uB$c zGZ=YA3T)iCGhxE|6w_b;a=bG{%n9KSW*YhV`uW1x>-P*>G_^*6=J4!NRfF*1A zH@>J*q$2prZPvwS_W0xWxCu+%fjQr(CC8{Ii&(lyR20K=QI>#p9wxmWqXi zSq}+}0fO0P=Ml&Rj|8d8fVFo1i4CT^cT%%0B|_J69V4GK{h$SMd7)L zeYi4oE7f0kv)I>b$Q?uyV?v;ig@iiwUtHTmcec_si#xP6n|kaDN-u!+o-H;9C+E^- 
zaNPO?!#!Q^pk5JQ)^Jpt=|u3x-wqDZ_VW7%+cVBGFW@4b72FxneWqcAL{T>gnPy|I z#S7)I&1`)0;lU4_OOmm=p(7HF<}WKNqTfix5afbH>%l09DW0WNIhxIky!3>r!MtB9Z}qeZWRRgNQ7KGQtw11}86nVDE5TnQ{KfA{(^LH_Ru?oHO2zr|js# zH{yw5&YvCWObwdLCu^#?_pWKngPnZq>-Z*kmR$DF%rhOdeSV|2jI)qb&l7IVv=uXV zBAvuROK+MCHJLVQJH^d%S*sopy)Du10IS%gt^7 z^3@srt6o+OxvvAJQkPPE4XcgN&jaQ7a}NaR!+Y+=YXeUwm2J$IbND`r?cdQgFbk+M z#h`|ON>kStWKn4nEE0WWax4eaDPS2NdqMUaXvp1JcQ!RAhK?%53`ama8_Cm@=OPq^ zkYa+7^5pq39|{9W06Bq$((;VXnPnIs z6EJFOqD0_eXe98;xpQOtEhb>4j*U&wt2ke^I^=$4dnb&@1X~-M!f0S`E0_hwIOCZ! z=8${ON9k}Af4&30_r9mAas8Id>2WXm0vhmiE8ibl zYlw7^mLn^JX*zm4gML0=`^Nx6iXfVpP12CL`N$*pTz$iRx5oT~K|w$Sp*;igQw}vLxgf#b>&#uYbR?y5qbb^Gz0b?CGopGSXuKD5l7`@8x{%Xoe~5X zMcY3FFrEF;l;3Lvv}Oq*)^7?`z9`-{3*!=qcSnyE3it2J368(}W9sVQpLmoQ97-ne z-O(Y8#%9V;7?MYy;f6n13GndtLp~(daqUSJVXVrNOskB{#f4`(4%ZZ=*xObs#fUlT zB|upt;k4Pc{+YjoTqAG&#(p}6HE@GcA_K}6W-gkuxSU;Z`w zqRKz$o<^NX=3ZhOZp_i3fAoweld2|KZY%o614Tq$xDW;GNF>0HENUIwI6*&^x@<0; zD(@o!&8EBas#B9p&kOy?nnnF*-X$cS5uS6>=(X`!7A6#S{mxvMG-on1Rx;{(q-Ouw z3~QV=U)mn|@^a={0tMMEVrvJ76n3x~ES+waImVisVE-^XicO&fgDx(1FIab>cAnY@ z-W#|+^1L-!Hr9Vt9sKJTGD=$uAl}o5^F_4N!V0;E!AoCUby#4U`ca<}6RIbmF(U7# zu9(Nl0(^5_z$clFb}ZUvh^VZwr5CX68+%)Wj+S9__4G{CO^eFeKqN9Ry5DMq_k{Vd=%gW!(jHIvZ3}2^!MF4 z#vjfx=3ibOJUbG8mC+Osm!Sm{Rff|TfuK9bKa_IP^3Znler{Y-|r`)TB&>B>B+O+7c-E zA@4LZa!{-eKXk#!Q3$HN^&9Zic3G9L+vG4XvF9h=5k-;~V$LPD3^b~+JiyyqI8LV@ zN5Y71-g8mpT$Pr!{Bhl&to^y|f(@&W8BjzPK*1MW( z0Y@h}JksBzJR{*#a`f`%_|0clhP)zf2XsvDoaircw9vo`%(TbK4Q9v`d6b>Xd2=7& zV9LP3RId;`F%=!Tau43FVJQ#v`P(Bzx6%X*jdvpTRge1QbEe>` zEOiK=O&9om67%FCQJ!URb@vQevH*wDQu!*bfoe4hd7Xt`ZvKwOeX@fBUWauC8At z)OngYyT4;v*amXC4=2k3PC>!BL9!Q4_9sOwOq?K6F6vo2o;JJcaz>Yu77R-omg5Ek zh6tTx0f$GWeaHZoQwh9b z#c}KV_7O$9RH{wY(CV@E)$Vv244r%C#D}csLB~E_)9zHwoc?$3Qrz$l%3V(IgUn;3Ptoi7D}m(1iCo})*IME*n0 zB{;A&3~T2jljZPXCE9)CVKO__OxR~YUtWk?Z=WhPvT$=+dVxlLJ$xcZ)vYu#4RlcR z#h*zj8XCAHa%lS{tfLrIfaMz`k7Qi4HF|V|57!L}*R2P~gKz8JbsmZjSB&ri0V*mK z7#OnIV#!exEQf75#Pr!RU@lGl)UEf)`12JY+JI}slXLKP%@@EwMF5-B?#*N#IuWMe 
zhx*)yR=xY#**c?Xrrwx!0l~SzM&=~?2T$|%62fcEU&;oZqN;FK{V9sGEPQE}0xdW4r=E3_-inDsdB;Oe8Li&EyOVjd2^Fat#57odreZ=lB{`_0~ z14|QF$Pl?}M2-b`5m#94ckzHgs_1HO-6( z@_>PMTGG)LE0Xop14mP*| z2nH$Pj_~9g-|@?T0&B)JWzja_Q}NfbkZ8F}!95vqR(wkTnW1foXygzOAm}zS7>V-; z`t%V?+eMze4H6q(InZj;%s$JOscwLxRF(u->0R21fN2j-hT4ntYr6JUYuIbG-v+A# zTDq1GlUtzl#Ec?6wTr2&MCjYQv z+T}m}px^5YB!G*1Y?7=%1OyZx-H?C&Vy3or@j8Goh#U?C&ij|GgZ=*TCyE9q>BO(r zIw^y@?(esq)zVi8bcNI1iF|sRN|f-^6PUbmNhovi>>1{q*sY?*b{zBLuFd^cPqCJM zBZI6qufn1WG1CfY#MUkT&k}i~TYkIY+%x8htE2X;`AclzXWuQmDPir7C8b(%{U@nj zRpwEAzXExEluiw_+H@dYZlh#mGtOvII3zmOUllnL?ec(7nMe(%4mtIlQ}q&V27D`# z7Ceq_mVIxDO@wETX%+=JFr%;o3m(BEXOEzAc)YIx)U+CD|6(9u6r1wRNz4TT7PU z=m`g%#BL?#m2F;OV@wFl9;RWJyjW=?4XulV4>gM9Jj3KVk%^^L5s}-h6eo(TzTscSos}7yMgBi){sJhy$6nVOK)b5ynUTxfFjvtRS^wMrQLLZMOC>a zN_VWNwFoD+PVCW{f001Optd+By?T&LOnt_1trX_YAZQAJtNCKD#Nn zhD;ympF2NK{ofhtcc=>U8z3%s$2NC(m3nEKO1lzj_Cw5_GL1I3!N97u9PfcxIwMDVT=7H{0aU*b8wez};X zY|)}5u#qIyVrnnDBd2uJ z4y(-&<1Sq?CgWg&|0!1;`iU{NQdChqqA|l!gPqR^Ra@uj~YlY3b_3G^~9!;kW)Fu@lSO36oay0N&YBvrf@ED=VNu8m^POhHqbt z;|b^KM+NVA-p|mHzawjX%!p9JGWM}Sh2-V+a%sDNb|O$MD2>T&FA7gczHg}5QwB}R z-;J*{ow2#Pm_TX(L;{vsol#Ndq*{3(k}z{lxAK;eBrIcxUbep{fq{U~s1i79D3w8J zTg^1XRV*|2@e6=Q-kY(Eha526qW7lDSG25NhDH7d^HeAZjEo69F=xpqnHS5@FvxZz zn&>nu#4TjLc8)X~XVCJ~>yv8&htZ$PFk-5{*?SD-VsZX>OXhW|+p0)719^2xr9i81^jUWJZ)o58ek#SghkQS zy}BtAqo(LK=WHG}U*G>g<{KCtf8`uzyb_R*h1K~JZiQi8@PteQz-mChnY)t~^F z+T&)YYa>xHxavsz3NIxlVRx}F_ua|esl{GNhsviD*XIkGydo6nk z_1zM;=aO|$IhGPu1~M=K`8WRMb-`fS&@{J{tFKSE){T72Sdfp5YS4IT3owPF@Fv>4 z!XkEyNO};bk*uXkf}oC$axqazMm0WMu3_Pa1yp$O-U!ojZ)bNTC=>s0kW!B-@|?^R z%VzqFZF^K~{xHiO4RN!6draN|MmQkMx~Ef&uYfo9+?ziA2;0^-B^IU}?3YdZ+22=5 z!Gbi;qB{z25u=BmMoG&`3dhVxWwU}9nuPT7k%ViK>1biyS;iC8PxSW@>K$2jYYb?3 zt>}6F=e=eNN%tRUVAV{Scbha48I;f4Ss5~|a7FO9>wA8l(Hr>8Xa zz~%L?KQN@}xX!3GgV_*-PhEi5YQmJ!tI0){bxybn55p(i=33dDXOr;$t<$7l5&vk| zjREx~9r-}+J4H)C``=kkn1DACd1;S0C*n%5OD#vNCcJOl2gx(i4aEwqD^eO-I{&buY?BCR%)>T# zNgBxm^(bY%6qWC%Q6jNvhUEu2XQt%E5H+*S#ljSTsF22|U`kCy}xWn 
zXu;61Rxxi~sAma>+QXY~mjblFdYyJE-RccO{>aKD)vdUF^fCZsTW#|7J&s1%L#zgg z_ROmpV~0nACosY3Z90p%39CCk*u7}mm};s2WLVgNoB!7GQR@q- zi`2@JW%l%IE5+4inh9@@c9~D3#phV-a0hC=7{z=?N5NqZl9Lsl*Tg2H?HS~mOB|`}ETP=1S6aLV(Wh}{EpF=U8dhQMb!Jah5fvW{3v$=?tlYRsmUEH^B@dp2yb zFy_e6)F?SLG_;t_r>w^ux{!<*aR$qw(YVCp z+#;IW_dj-pnpKEtxZ-M>D&Qqdtghuk6H@5X)L?+t_fK7_%Zd0TJt)w1Rjy2?iH!^B zmp-8plA(U2stICsVDT;6wy38;$Qz#WI ztN|g5ZP_$U_K0@vP^;Kay?LW#t&BlH>&y(S-=Z!;IN#N3EsX36Hj96RAXIUWcT@^@ zzJb93=Qv|gRukuXr8oT*PBEDn*Y@7%I3eHAji)mELtMUuS8t~5ad#DZ?|RlCZtiyU z+71DBbtKKL%R>PQJgT zw=Md_`F|dLRiVxl%?RtG#SEe(lnm~@ke=>ppP>5D=3gO;CPVlV3X$@~bOXkm0ymR& zy3+N);U3Q#T@RigZ8Y(9+}pyn3+6yj zC3B)z_AUmFXufi36odUdMG;gp06h6maqRCKv}74}KF5v#n(Dbf&*b1x@W!hgRtyHBLP#!+=4d;2UDi?zzN$mL21uHme(!c>VNdo+tUnZfw;zdWInJxrCZ8 z)V3@!W9Ha2oqq^DcZXtgi}3I@7|84IjHX`N1i|Hz>9P8_X>*v zXnuEh4Vm+Z?KUDZ{QkvaE%Ko%gcuHeTvdbX(FKjTUGYY zUh$5t_Q5TS>!El#EF!k;_OksUhy;0?xQ;y$%y57fhA~_A;qjQae5ee2ZnpKESoWt4 zx)DJ?v6ogmaTl4_*b+V`C(9|DxU$MwkL;ltnW#`u$SIUF-iaIQ06?5I?hqLMxxqe6 zyX#t8ymNN}-u~7DJYxXTGdUSI&l<*_L61%}Y0YB(O&A>4^DuDSx>mzQ$$@se&)$=c z?9f%;WbTtxCoVe$cn8~wZd9VawVP9sB%2{c38&cV4LEL&a`x~PP0vQ0$8+$bQEWOS zb3H~Tcb-C>Cuq~JsbN;|>fek{*yrJP(X^N|-=HZvu>UQQ(d-bTI*Q?87&zh|UyZ@kz?;{BKef^now8Q@SM z0Pl?Rl+DKusrB8dd0>?#S~$TjPoH#E@juwe+^WhL;wf1Z>0cY}{pOoV;YwBZbn%ax zzS1$(#>nR?a&9Eud1~Xuu}Pg!3B$TlBIHw7kXV1oe8=AgJ};uLG;Hs2U{FU&BSo(I zWasiM1lCiXls-ZJIo~Ijy8qYb9baot(90;?za$pGDA*A0M+^mW4M-{Y4_*VPamyZh zcAHDGgG*U7^xv%KlI;GG2Eh0Cqfu^LUbN@dPnTb4gtZCeeb;|CkeCS+%1X4>UG2{cMf;);$u z93zwB=QnWs5`Ho~l?EI*GeLCoT4H(IGbAD~NiMw~r99|jycdORKy)elk$DT5^AP!M}5tPW<{x+?Vw4>EePBB%- zKLu@uLQVlm8-WOrG5rgVC!{Pc$RyV{ap43UYhNA%@MD2MLfBj~C2A~Hm7!U5^x_?? 
z0J`587?>2AdeHRj1504YuACd{5IJejdzU=p3*r-=^0!VQ!iR~7(YWtPysRtPDYqb; zk6-sjyh2E-mw)nbiF2@A*60CF^uB75XHE?t~;$cRJit^iJ578Qxr8^vbjZ^K3T4F200MU>KPfijS$Ox zQjvWNYXraB$N+l@-*iSnH}w;fbp24ZC19fc-IyX8z%)2V-$_>o_275|!V>zh4qh(2 z@Kre@+?_$$P9~FO;@Wf-UH{ltl|x3AEo}0I$BF3|8W_G<;?Mu zf-hnRGt(8-=!VXP@!?{TYg^mnd1yjHGYP|fsRgltHvSFbUng2#muDhrv}+AkVmo;J*67dBXB z8)uW3o$;=;?7=`Fa#ns1Y~mp3yq3Pa5KqU1!AnY0!!$$Q5?h={+c*snN6h@2g|OGK zV}1liLQ3ni;$E-N%f zGfW)<{P44J2ga<~M#%^BzS1njTh^HBQ21u5@;WY@ zV@H2P?O>s{K=!nehEPwCbVb1`c_8FAcCp-mo8imHre5Mv zq)7j)!+BIQIJLrl| zBBf#@a!OXO)BQ(jso!!^;XrJy|3tq@t^PjPLXLTi9fHr58?RVI_FBq66W#!SWA>re z4n2L-JnkkLreqh-Yld4BbAJN{!<>I+j774|HNeV5>G>3qQr0!xfqveRziZStF6hM2 z0-&1_Au2WX2<#BXRkwp~0Y~hMSvb_WC7sHFMq(>6c5hu)g`>4)X4@a^iy3lSTGOT^w%`xPqe$yPqJT1Y8-f~!=Zrl~(jJhP+s^bZw0 z(<;t^UjE_m5kw

qU+BtDCb0qKyn!T|eV-!>kRU`b`|WNnoV zMM0}97CS`|DJ``Xo>)&T5%tEKSZ6~^;Q&OlHH!-nT$|Bfz;5=a=7Gtn!*P3$0oZ3H^mJ;cu~5XQ~p-7X-6g9 z5Yck5rqMsrBJSu_or3fb6SRcjZ=C55Lxp2cCN%Tx^K-oOpHF1nQ+>#`z2$%P+J-b$ z8ps*=iq^p@JSjlSBVMdjV@#W1@ubhS)BND6LzH%OGtw+-?WBZ9l<7aY|5RN1*0!2N z+Gg>kRRu9nE|-{^2q3W6Kv5y-0}K_TCnuYqwEyWM{QD96S>HBc$WetNpboXF)+qbU znhQ2RsbQ-w%&xvl3me*^M|VlnImgs7YXI5G+Aw z7RF5ARdWPzBSl#;oL=24g2lWA(1f&&I$}|!P(korxLv(jeoJxuPQ6aYqmYR?tsDWd z{QMjQN-`VD6z$`7fR_G|Fdkxm&im_ux*KrBPa zfeBJ-N%kbgr(3A!;E}bzFBYBtk5|gvD$1z)CpT>VJ^vlG{%H3<^%BE@*xJK6{xd`{ zVyd8dW62s_dGg7>U`VjJ)ls9KRtKFfvJ}~) zm0k)rvna2A707Rn$^PfO@5#t~CZ(lt^HV+jM(E-d+*Zr%b*Q7qb45vI zZ^Y#$)Qow9)`CW`b!WRNT3INt+B5oT63i;QuGad(jeC7>M+g(_{==22<082y?JsXH z0+dBowAseg@D^lH#EqKmP;{!#!&K>5)AEx7`c{`YTFrrxm}QLybr(wLIk=MDEtwH$ zUNxHKYEcyQ@V_muznZ4Wrbc75z0+i-iWXm+U6&=P(6CX|kz_6reBY@7(u>%{d*$yOW?Q(*iZ9aheS*YN`jPP=xE_Y?4Nw1VGNyv z70uS=ZE~IAZMZU$XYFne0zS20Bb;;^-o;NU6lBhHR=Up*F)_0hY!tdP&ld4>l>q~%4*yP=Fus4UvV}OqTHE=4jgZJG0!$2=f;l*Y z*~>C&^q{}laOrf+I8gO=dy%-cyfqU^nvJcyl5ARz!SY7o`PwL4U~_XO&1)Mh_<_^x zY-g2ErzlE)^q57FW)X*4MTliV>4oLN*0JFlv?}JATfoB_8c-V8HPeCQ`8zt<)&=|5 zYD;)Zh|;^2+Jy>^fql1IJ9X=2UK!QvA9MWoZj(N$5Np}YA8^;&No3ESxPcG7*OgK> zimM_iw*{ZAXlJE&c#ZmNjkJwZ#6IYah<}gRaY{#bqS5cuZ6ugnX&n}ggBYb#j898~ zXS#&1wXdDOc%QrP_U3t&qX6o7mk=#$Cn%JCwVT=%$b$%N*XZp94Eq4TPstTK}cG5RJ z)kra)o;5|?=H$r7g*Sr>EJ(Kx^R~18*MA4AkZe8<>0&=FKr1N<(2*H-v?kf~A!$nu znHRG5cQ4!>IXXao*U`my!a#d=?mc=D51q&MfaCxC8sIw39Z4jG9$TWCt9MSbltEj; z4{K*91awd?=La+U8cxuP+wHJw^(K1A?q%~h&zOVD<(Uc8-7+}-4&+^nJ<6e(S$w(1 z*{KN0yJ<3RTuuK?e%RiXlJ=nk++=ghS8WEUMAzG4JE!$dV9!EsB4mVIYZsi1^|E7z z2STI@t4rK!>(o;VAAAYrY~1=wR-haHlF25FH?t}mo+HJ%R*TJ^ng!1F7LJ#=rq{bt zBj@yeCKbG38ZCRZDrUcVo-JpIj&)`DXZ&Xl@$L2XF_4gYxv7hehW}AmBbE}bp}RLu z;w>KLsqqu#M0^ZBRDZAap_2cLkNKMqsqJT%HtWu!aH9m$y-a5NUbP6R6I>{E(lxp| z2MOR%Wy%`;=w^nVCuBFLpGqrnIl?QBwz|yAv}LcOL2LsF%OI3b|(W6;eb;`?(A&Cc-|IW(a3zG54H<<#1EY@C_^kdG8cNC4&|J%srU z^m96}n!?>k?Z0dcKNOp4{j&jLvBr~jU;$WZ*hpvo0+M(WfO!Cb&Kz~0F#uwrSOgp9 
z(KYv3R0()k;GU|=yl~L@5yF|-btuKTrVkg;CK6^>R*8+2gbu-+FYSBh8DSUjM3kC; z#bOUo$|XH|O9}wkG#iuRWH+Wy+Fz+xuM^kc6Y2>rYz;x^>Qiwu^1ypu3%LDF1D7~V zY(@dgAkV#GTO{p)EAsyaElI~+w&TZbU}cdQ^cEozPTuLnCxg^e3_i*AC)@ zcBj>iE=Krco-e0ctvYj{nY(j%afC)m<5%Nb+JYc3UZ-qTX;Ut03|G&+9T%EU8rmIB zqa~iZ@W2ib3k1HQ#wpG?`FSLg&DHj4;YP@o2xhPWK}Qij-JY)pB-=de^JkFQfpqq~ z)G5x2UFjuOb0vrBOKoEJ={JK((+R8u6uf9rTsEZTLj!_k&Cw?%Zu)~1Qo$J%<(ypI zBPX+RyO)LJ|1ton4t3zkx$9F+zD%K)9uZ_`O<2z+>^BE+()@#&M$D-hb`|MFsz8?< zwaYIt6{(hS)gP!)`U<1M;87*yI8mZ1n_P+IyN1={Yvkpv%j8p_VoR z&}J7cWcAk@y`pnBR@$i4*LWv$-fW70K_Efo(FY5MOlWSuHYzjy(F`^;#d>4gR&^gz zVu`;CCiMD6-hb;^k9oINBMWZjvFpf?6+{Y1H#?Jrb($-SHBY>;fV15}?@Sll7JTG*c?|1)H zEPa}YFpvDrHsD8upJc4i%tp@;R{yqKtm+%4O2jVN)-eDmptqDMT&j2a@u__Ol-K0w zPjS~d^@Pk04%yTZbhD6T!x{QL!{87nYp$h+py!p0Wl#AuaRjM<4^ox>|5|_v!2b(f zwzRSNshYDxAHJhYoX=JL91&T8?^q>EG2uA5q)n;M6_i>f?zS{W+<4aIj8elC(`SV+ z)u>mCIgr{hpe_5ELa}tbX(ArPm@^7s@CI)@qvPV_T)AQD24H+vv(kEp&D#Ex3S}7h zMk^HfM;@iH^!U1j$6Q_UPLM(mF^;Snf_4wn0hA}>yL0UB?d@WYEZv6FvhZA}RuIXo zLI9~<0Y(0giJ#v$S=Va^Rl4#kHZbJ*2eqm~hp~vt#=m=utTEbnrtCRKC%?F-X`5VK zUBdh`2sa@_n9uH;&`Eu=VCu-k68GkfoRGY@sPt2*p+D{UXvuGQ9$}GOMPx!OLiS+;C#bD{aZlM>b`p#oDMp+Fg+ch}d48 z1LoDEIHc3zq6r7D?OVn}&Mt)a8_cuD@8NKu&jTB2&>=YmPc=cyKTPOIe+R1MsUN ziT!SDY|jEwnPzGVQ@OkQwQ%MBK*=wfT=s`Mgg8td_4n3|;h($TYd7q#G?tSV3&f6~ zh9y$bXZ7)b{M~rg=|{OpS*Oe{0`YjFOg)Fxy{os+_1(>Z`o6!$WRk;v4yX;L(J4dYHuDV~}lac;TTs7)y1Pzyvne?i<$(!AOsfdvE39 z%2t!pXr#?TI_gpzo9?k~(TJ;o6}`170qq90NbTAP5I02`ur%lff*sSPY{#nUc!>7N zCT>-vb=1H|;;fCsm;fV0M@QdmmJvkHy}f=2<&b@SLajUohg2@ZM6#5~PhQhw8@p_O zC9q9!xjaz-K}^nyTc;EBhaXa<*qkE!8+?FEUHdfatfRYIh!3QS?XwS*3`*rH8BMdP zfyD1!{9wX?*Hef#4vufN?clm_uBU^P`!~C&u=woN4!nei!&&IQfFBU6WT7wroDn7^ z99OM=02d9QlE(K2#xI*J3TCj-_L`)Ycn1Q${(31%RTCEiRT;7*<0(#LYcvpO&vD3Ut=BC~wa#bhy)}j)WNDqy!a1t3OZJ!`&LDaA{OqlnEpl-Bb z6DyHZweNxC4P)eDsABbuFx3-#R(hIgL1{CMXepquY4F$`EYo;GtL&(xTf-Tmk9W}J z9;_}{K&u7DRfL2LLU0S6XKu1(Evq9?`Z$ZlSQ*)bGp&Cme)&#a*=1vk$f9g4c}@gD z1V}VGULBy6X!U)_A8D}-&dAhOx)Y4L->RaV!o2J3TnB*!v9F<;izk->Qk(}(xy7=r 
zogh>@LmkDu)IOfu*9XX8Q+no6>sx9&hteP0GT(Ak7Xp-pz$+)b%95qbyi4A{^)}PE zD#(5t3D6#WXjxy#OumTQ*Q!xaD+{e{bBYQwpP53ntQHz8RCUweSK9@{U1 zF=?N!3$qYCvLGF2z-Ly$%NYKHILw&7_c%4XqbSG>3tMYqlGR8mboKvT-i*o7ZbB+W zPpvUU*>hEOGJNpMzoT=6HE-B-I`Tkh>V!{vZJ3#-#&WXCo^+}+x(RZ)@3HRQEkkH5 z?Y^lBsj5B?RX@XYPkKL*tDFUg9qct!d=AcpDI?J;E@uJE0%Psm!-sRb-a_&376ga+ z<7^m1t1x%MP?ahYP2d_*peV!zne<3c~&qJGvv`a zE%J=r9L(ZS036xg1WyyWv!nk6bk9@ockJ>zs(c!ZzY$r3MrOv0ZD_iNMMb zyhg8*U^Si^3Tcno?2-TIVF6EzUp5|{g~CI{7d~-OG$x&Mfs*G-v=)>*@#5!iJ~q&_ zd4wZBhA4T2h%7V}C)aU23h-&#J_=EMqPi?sCJqj!OymkAMu#N1x`Q zasCKCJj1#VsTIJxTF*Z{tF+EpPfOedss-}p0De)NSD|WF>oZj{Vy-MAY<>O4Sqqod zYNED>O;ZhcM$kB}Y&y58tSP5bL{eDPm|fv{Rtxm zvpiK;;1V;R>h3YEzIZunxDhKg4p|^SW}I#f$Aj_18)H45`7W^>?u|5jMYuPFKa62> zLuGRPUjPCpBoc8DJN@*Dv477T2#ZrOeP51a zaP;|x92o~{Ywc`12DPunHcB~!lp3HhK3xp#GH9{318xGDd$=$W)p~2#)27avhI`ErKMaydOX5%ayb6`aOW0onhE$ zQEm+r;qUdt5p4H`Kz0K<#gcfB=9?xAj2>!$ev6|eo0Zh#L$p`=+7)WIt#2~Df6|+` zEz4?GamS-B2Q$h;^vUJ(dwn!dFJMYoSa5Q351yP*rszvZ*rj@c=ZI6A6343)Yci#J zSX5QMOqvE;Fz6qw8Tf|;>jZIFbBSm}(uCIff^Pj}NHOBYz=czuI{U4xXh!6hE^V}| zf&j-f!yQJopwRf5&{_sg@Mu^8E&Rc__#%j_$|0=Ct4e6jt~m8U*98?WE*I@v&%{s? 
z`x)v_65$w_owb8oJJF2h5<52VaOI)(9^EacO&Fk;7* zF{n(`-x3%{W;75AmoJ&zxz2(m6Qi#P+K3cha2{a7e}?w$4;_R>>%r&OeN+bSjloEiQ$oQe%Mm+=>_;Y-afGcld> z)F{1ZsJ3=}Fgq`ztI00E=0-T7+`AR~!_#cfikh)6>}F#nE{(2K6_`Ti%vpN)Ifp(@ zPPCz^1iHK+33htofT^Z>v%NYD>ji>mYij$*)35?p#Oq%eJ7%vr&CIzRL{hx(Ma5;T zzj#(#8I(Oe(wO=@zaboc0b^pd7Ve*e%&7a{p@5px9henv!5CF?_zmpi(S-d zNE+e7hzGAa+QD}FPnksNqOk@_)$*#{a~C9W>?UkqH@CrPtDe{ zF~cT!vi6*DEbJ#}@cbF<@I_OrKosk)byr$^#eXu<*<+NcNLQZBqdCJSxOut8>^UB7 z0TJ@Sill_q@qyX{f`}{>skZiX9jSVmvgBmoQ&$?CTmlg|9nv=AY&FZry3JF1DjrM_ zaC{QAaC}lxd;D@8OzObDR83etDKmbpXsHvmuN|5ZV+(T zpWjkBGa#~pvbDl0=NSwEIlx1BHh47S5@^DrsvC0Wi>?Wj%3ut_%7r*^qKNCZ^ONnj zo-?sZ3alvfm4ZwGjA}MNM|EEla_=}9zok^@?V8%x5S_QZ8{eB z{(H~=bDu&`XEu0kZ+keb<8fcl?-^`x*FQGt3TLb_%esvHNcSDq4-RGkUL84`S@H&G zLU^e3VsHh*DBDYCs9yRJH;eZ*767!YD;BKLLa)H)1(KZn(Fy`#*zFnYA%6AoyrXyb z@LaHoqYqhBeleYI3zHinLC8?}+=ka!8yBqgXy13BD8$i+UGlx zG3tiILLmctg!~&hyK0eA71n(p(-fA264IrAu*nkY4+~1wOSqA!r0S@;F{H!#^^S16 zJHCr8+6T1%=p1@h|HhOzyLn}{@qVDq#9C*OB+LotTz~0zAgRbC1l1hIDXy`)xYemh zYodkdqEl8Dd=9cIkZ>jR^}Xj0GxOin85}%diZ0TG6~Bmd^s#{ra6IF;x3y(g!s)2i zPnDQj)4Ph|J5n0RS8?BVX8AEOp8beKVz&wZbgC29Ie4DmM> zWdfo&jCk`6|J_3|>;hi%4))~SK;lS!N&)^?qof*=96_H-fybew^J^{3_lT)rUTFrl zn*jsDG*wGwQp@K8j*Eb~Tug)U!&)4_Ylykr<{>q15YVNr)6w1>Gs}i{H@*Z7=Yb@-z?+x6|_RE|n7ySPU|!kXYYYhGdYO2XX1{OI*?3ZLKG z6C+UY(@{cZAmVg;ddmLu`~&&!`wu=IFff*>UEM4)qv?C*e%X73P^j!V54I#?!`!*3 zlIV78ZjkRKEWooBP`K(!rYdBjO;%tUnj}!EAA_p$%Z&dz!^n8Q{fHS$+U|1$^%2E{ zgE)yrBC4Xw%1+*&05NaD#u29y6l(yF4ra=iWz3Rwbo7j^@B6}6Fz6lfqYP?2+<7-3=V|)i(qzCO-os=JHNps4j9mIvM5LlqK_ENpx&)yoi;2 z6z}$=1lHeNfM9Ua@KQY1C3u;y87FJ{x)ZKPiVMa;ClQ&b4r`3+uX`|Ji3vnBwF*^q z*)MM!9~=aC4<`=`54y27N*G=J_y_NQ6*HP6e)W)%F-7+|e6kYs;Z#{Xc%k`IZv#tU zpdUr@aY>ko%dz9=C9N}mvWwo8ce8|7<-}w+l5L!k*X_^3K-o==V;qTbj{y+sg&&Sw?YmM=CFc(&~9` zIl~q$g-N9H{L>2-{ffLbnj6}OUKxH&8WSyuo7WIOUNX@2i(QIliYbiB$AXv5bM_kw zFvu%5KwQPiHCoN_}xO@v*y> zv%6BD!%&S8@X8a8HkP;?I*0r%#W%bO%Au<#rNMO zn|?3XKy^s5vPBq_{r)D`uXLjX*z)D-GbQ&(sxHiA?CWjQgBR{hjiv8$i!-%C<;Be{ 
zEh*lJta%v;FJI^2=4lxp19mu`xoP5c+SQf0iLl>PmFX@;f#Q(5Jdm%3sw_6@EIPEz z4&-?|itk3oD@cukMV)y-hFr&5s@dGJ1UsEE0)1bOcJXGc_<+hcILL8|ObxxF<+eI- z*NP_dSj}!H!OblDXz0`YWw=>m#vTTY{29$p?szl(r7SkFP#+Lw>1fyvMwU4S@%P&= zj1IRa^0xN2sb`m!^&*`8grN|I`qL9EZb9DB;Ulux zAp9~`w}9xfmz@$OrRK*KPZKKX*Rp)%V{Rn6*Nhvhoaj8!UvwUUd7mkIR_6}Pxcd)| zy@O(k1gEdn*;dZ<&-de3ycTnu>b{NX(91*5QdoKa7_IitV-Li(98{$@;}N7q66tT zhX=RtyxZMTTU$If&Cn9%<(zyx3|mWA@vLUKHWM2JywNk1C|P!+*o$-dcgPju^n86D zw;*PiO~6s9C|6<#31&QS6wjcnwCOMcJ={WTB{(!^Vd-pX>lTu|xPUItQ5sxayn~0~ zul(2Nssx^`?)QgpiFX2tjQ5o!3QSs z6e+2-!|=i&*r|RpXH#eeB}rklEV)|PX?(M!iC`E;eFA)APE14nnTG>Fj`mzx9H2@s z-V{hpUneVQ1$1za*Dt6!1_{P-v~Qc)I>Tp}!ibc(k(p9i?cfv}>X-c7j%opwj-kz> z{bYwsxL)d<)SlokO;F8+{pK}O<@WRBOSFBM+p5mzY;N1Z^{vg30s-IHFP`q%z$flY znmyic{5`$^qDvZT9wH{hs|}e~khzN3MkR|2Q_DYY+2DpuMTq_e(ocQOWX_esis$#} zmx3q@U%vd~7a!pIcLe+I50LAdo64Vu)uAI((7Oe^??8LGxckQ3gJw+iFweEmj(D>a zE2z9#M(8WS`BL^{(m6f@daaj|z}E)AXXhIp6N5xgFX8Fu7&@GS0_bKwaOS0A zLE*5JA_9$O7eIi85|0eqPmLYh@=-f~Q|9bu0rbE)ItS0r!e8ImnmBl1%+THnef@Y1 zs!8Zb@wqsA$7_5=c)GYoe)!VEyf&1U&N_SJ=AHe53dt;fY*Sygnx=MPxV^G9thGNv z2Tj7U5A5FJc|V@>161eK!c%9@pREgUj~zTz8nCRgC}8=tcqN2K#=@Q2;fcU%YcCTW zo00AO!PY_jww=r#nx6IZ49Z?TM@I&w7dP?!99`@1`C@-{cXvFSy8&nw^5WqCUVKY< zdOJhW2hPXu77DUOYTD$fiirndi2>nT=a$s;ds5j*>a0AL4O+0&M$pK8UrT}^ab}$6 zH)FVkXx4&HrccAON{u+G-9U?Ri99~e^8bpD2P|k1PrLoWLN5>C3(?s**r~HjG~DBn zGF~8II&)yn9hIaZFvPGH=1*N>#Z7eM0fBKRfHx*M`MO7IH<#FAI!2?VhuO!+&cU50 z`_`E{U!u*DSgWmdGLN+GtL@Z|9y|JKFYGZM6^|o0nOHy$8?CGZt+^u2Rmc9X$?F<- z&-WiP!z&=Al}e{153&A{?Gl`XeYu9a^aCqWw~~aIhS~YfD=+FG-K~miT>63XAkbB; zmJgE8Tk*!9D@q>{2QBF)q?hl%<$1ptMsT#T@u71!1hj-bJ|Z*d-yO{^G)7E>-t--K zHcT$g*Wdk7(;~;R3}60zs)^|}`koqcO#3J)@5{bb(fO&AI7qp#N+Z20P=FC@ z!C-K7^25*nan5AF*VoFVC6LRVvrPPKufNAAFy zzo~@$6we{2dz}Nz&TZX;nYQ_XCPA0?i{?GmBt~S?fUz~@i&>X0&IijcVax<@z8{&q z!20j%?(K}?X?Fmq1Yo;)w$|7GqdY-z&_tKf>t*=MViurM9>9(+Fw4(K{)4uz4?zGH zh5z#PH)^VOQlq2ebI;q*n(>#}%%zRK_{4%BRp=0%7xmABW64!`eLi5uEi61;-|%m@ z`+{SD-cadv&jXs~>u`|Q+q6WcC#1%fYCxgD&)yeuJQGGdMy8mU(YgBi3rsdPkM 
z7Ml;^==m>*LP7t~_g4GE{a}c@po84_a4!xJ@E5>x>-rB(UpLo?yMTt)!&E5GoSn`dwqzbPWd?xy zwYPd|%~)_an_tYZ`;1k;_UpQKSJ2h+u&JN#+|p_j%aT)t9sAD6fG{~7mG+HU#{eI0 z$vc=+jA!d$r%tzFcJ=DYJ?!}(ZWX)qB!jA(TE*aIB0XAuqO=_&&(F*ZJ8Pj)A6De< ztt_%LO)0GA&9K#MPln8bzUfJ1+fFgR;HW5fY-m`=>X}lmX$W%b&Jkc*c?H5Rw1xJpufJ zK!+XME$y`v-EANR`|Xi{_Yi^6xLLZtf4}bTFCTHmc5X&>g-rZY&#rV_5FfOd>uEpZ zb)W_n3Ch{$Qjr39$maA*CiGE)5bU%FX8DB=R?IrEU}&bQL~eR@rRtS=j)#y2LabBf za?WJntE&m`NYR`)7W>m2b5WFs#9en`inNe>7p2<5W6^Z4J`~uVr+1-pUBz|vyu~1> zxyK3Mjbq&ITHF$c}ipd-WyE8kxFpfm{v_Ciqd?N98w)SXi60GLi@1^1V~dA2Op{gEYsOdl&z?XsikbMo9&P^K9|4^2ol*bw zdK)E$I(t68uA&2`FCcrEb3u`1$fhwx7TT*jP45G3Ww-_uVYE^wvPZqVZs9UPFhH+yI-dTz4;C)mk@Cy zf%RcYDKzGITYq7Jx2w6V{R$s8irT1O=(Ozs&fo5dyE%a9_wh;Mxw3u9c)TjBp9!)%?z5F!X&{- zRR5wVTt-DRW$s3g3YL1@$;xzdl!K7oLa`Vt{b69e<|7gzEZofhizq2^=vOuO>QqG_ za{wY3HIfP&$!(~q6ob4KWY17+kBxNlTI*^$9H8m@b$iuOt0u&KcM9o1qW$*30?=Jn zz~>vh!xo3VJZ{Q8niE38>-PhbaReP5tu&N@17Ho;@2T6;N<{q#>*aX*^_$MW!XJpg zsO8htlqlw-&eu@G2Cl+Lh{yvp;cn*1&^mPkUu^VBrGBRO{G)KXyFDG>=-C1Nhqt$N zt-ByVI`)AQ-5mG*-|rUhSLFr=1p55rR|{Naqi`7v*ihA=iS*uDim~#aTlgIUtl!vns1K3;1W*$K@zj zwWdneXXGT(E{saI;liG>c`Q)C=fW?$Re zv}+X;YxNqkW*x>j6daz$@ojhdH5;e7**FN16K`*B4;k?OV7|G(-ap;-4|-UPbLOc& zGlZloHtEXN#1`Z+d?6ZfdRAU=2w$eP-LNnY-RHI1GsP~HeQlKe2~woNco?fGNg;{EjFti-$5cfFN5Qp{ z__azb7$_~b;e;kBgpN5#Y;Zu!?Cpu6_Y>-ALWxg;uCpwX3ebqWP_y&DIe#`rtRbrF zYO8k3#g*DB%vG(^V?acl-yQGJf4&m<2PxX`j4e8LWlMJnAjii&KR)60@o)p|=P5S4vrZ}W1dl8Q5BL){he6}5wTXs6)|31$sT;Z*M zb*A-N+G65Xx3{R=QJP`hJO2YJ@Oxpy7wCu>G>p{Ya4>Xnap{c*|6c+)hrO|b2}+KA zpaDV82u1|tI)R?yO!FnvvQAxKLRf2zoO7_((#r0Lrp)*P`j1_l9do8?sX8nvFFFla zm1T`h`lbqTYS@qYd0`2p(X0-cGL^D|IY62SOK4R z?BD=k6KSG7h6>oan)Z<{Uu-9tHu&sc!^FuAIYv@6UG+hu3fn^z&0) zF%>cmkZ4jpX~oMgayOxFV50CDYB-e11rLvE{U);1`u(s791$99BUzg)p-cT3CS>e@G3xsTOgLoFI{4OcOH@0xrTMi2#K?UG!k)A;&zvP zcjWiw&zZkpU)?pdcgOVZ;LVsfhri!d#s79$$Fkqw^Lr-o1vGE&;r9V%A_X9-iO~Tr z#WES$aMsZ80|3JCX~zb%;PhDbk<;B3p8|)dj1| zFYr)H+q)Epu5mCoBLA(0>sk|SZp*WfZPxpq*)$GnjlI&?ei&%~GOGkJsA&Hmk|UPS 
zB$bSXwIYSmy2ROv+Jtj*-_oL6D&sFRhT)WRFd6ON+<~G})E^Wc`1=WWyW<2qegLfF zYN;N<+9pkLYw3*P0iplX4eh$+W?$4=zP8vBKd0jjX|y5glscYX(=L;KKt;v&dJ3V z81a%yyCnF!zip)L#pJ%5nKe^;!d8qt|HVQH=YWJVTc*>rV%17$bMjvGT~hvrCUUg< z*1TdhjH9ydiVZA*{htF}LN!kxK*2%9FwiFQTODDjdB!P{e zFkHhXStb}+8JQyiJ}0Y7d4ypM`jBx5v<3489?& z-?)CC6juA?j37V%VA`PofF?wCqY0HR4|Y@yBOUzA;osWc?HllW2hab~KjQeRzrXs{ z;KVdA)<(_55c9f&8lrS$F^j88yg)#K0i{5@bSX zba~lK#^kDgvW8QHjb*oMq#O{VYqc?a(3h-Zlia`R@#%ThJv>atQEtJRb~g`HLhZ|K z!)aj~7N_34^LbTn5kAkhAy%^A?`O0jROE_dU|rY(8oFCQs={gNQMl4)TYEc`E=jrKOeZIH>c#gC*J9DO| z&(qx^{cW@|-u|A!tnsKfA1??rZekv4S%CPM`PmD^hT@LfzuTAl@b1IH2&K#G)_D5- z&~xq=4Hk&CWwD5LXL^L#$589|;7(rDm%XehBXop6NOAJhc3S48cO;o(WQ!c3*&nvq zuFm0kQ@g0#Ux8ol$5YwY(_Z6U`te3I2c9A)t< zPLOMqsn^$@!n1I@xJgfKs`p!(dY^yB`Il<(?&U09X<%8^H^8FLT#frF1+ra=po#($ z3SI{!O_Q4SDPF#Rn3?c@v~vbQS67#IUdQ6t)hLZ8FOQ285Us7X^>!~-AG{b`Bk&A| ze}9RA$q1;@czpTF>=m%g7!y3*u(R?_RO{kp<(7hh!45#lPD%yP&iL_w8GtY;Vm1tP zCJm_@f4j?!@zGdzrls=p!yMP48>3vyjU#eb9$?53QyfsW$eDO-Tuyy~vg+KlZArFl zp$)oDp`x6$L?xFu{-Wq!i8LZL_hmzH=arvFtN^3CCD@bO4_$*%;^EgW{xc+$xmSA- zQFeBFQ%f`)`0df`2F(lZ&ByvxXuzmNr1rI(y#C+->;0&z?slf>7+egX!pY!IYiE9Z zuN2>}!(_siOe3PD6A(S-oJ(q7I^sVx#}3?$phvYiCFqGm3IEPMRww)qv(52hFGL2d zAA*O6r@o<~;c?=$$qdLORsYTq6(u&_Yc4G%F+w{Kgdzs~=SdYhQk931DV6cUv*XJoS@ z;Bax3R}1lc&4$|k)nJ=V2Hg=PJY=Y zD_s^XZ2hUbk~Geb9O3NGKWO}KNM!Hk5c}UJ>nAZpeOp`jR&H)vS_c;ht^d(EqGkZX ztF28Hyr_S7XrJ&f_+!QFs4{r%8A>e?L|wCF@!Z<{v`$b&X6VPs7yH_8u8a3DreZ%63{J-A%^!k=Xk&x|3A z*z}Mo)q@c#CyYHlebhmNq4Xy|ExX*wzQ95d5q|EL6_+!}iP;GANTw$IdC5vDdqHN` z#<5r$8Ey@17oUGAL-xliHjl6Kx?)UeuwlbFyO_J~D~u*@Gp$yhkw#VHb*M~#BZWcvDiCg$1^V#rk zXzqt7+^2#~1mg=D5_)bIOsNHgoKe97SkF$Uf9(a99xppQi6_t8NRWnfF$UORxm{{H z24@|w*|PBp1`1+(MdfF=`&{+43U(em=2nbb)Nc#ew4fCTielE3hdZ57PX;MZjXzY7 zC;c3F-d|BOlV_Ht~M|zFMtz3n$>)E?gUbZtkHn2X^L0{!quof4iB@_lq+QxaH34TOV^aZ@L^`q(mgW zr`$DO3ULrufqjUl)ec%ZT{$P5p-8~@TGENQKm)lV-}uhparBC(%8El_Qou(>Hh)Hc 
z`@Ri8U(zjfvcSRb8h{w-?jQMsAMkGq?BV3?Zs%^`BX8>4Nc8@<0&vr8DOD3L!o7X?d*Vo5K4PQY$dTkf>ALC42SWq{J8+{H3Z_7B*?WxB!xixf|r;ygHa~rC=_U!hiEeGyd+{H2GJf#B*;iPPi+45&x zeEfsz^8MoB`g)+PM$tCmOpeNq{_+Tn{`a+Cb!JsLar5(X_s)T{x2MO(d)dHQc4mCX zUBXd|Z)YLR49Y+JM|fqOR)T6NL`hp6x=d}CELY7Jr|IG9tG$?`*aYM~B3_Kzm@{lo z*UFso2eqhOsSC-%i0F&lubu5 z&UDh|we#43$?s_SdqQGVeemIrUyBho+=c)Lyihlgxp-NndNstJ8Q0*> zzrVbEeeJ`>pD*9`U{Sj?;YN>+jy%Aau))_pXk|;D?7jDQ;$u8K@5gLUn>>~=W3{@uIsD%m9{*dz z^&S|P`!5LLC)@-3f&ZS*clNdWKK}RP-?}5x1iL}2=A`q7?eL(cxhc4WVX{J?#;&Gr z%$E`?q`TFt)mZ9nq~)HZph;B~=`y<>?NVU}r0AfAs^#6E>{Ja1$e`jog1tu5e<%1( zsA%BN0#^!!?U_Vuv^ko9EoHC*B5zNm9fCJRyRg0a24Cuw0x>Dc!RZ~CNHBiq6n;A+ zGKd*<4uOOXDf~7&7(@pgNgNf{XT0xL71$g~njm2I6>~?mhf&dq>oHz!a9@&Fb4~5> z%}MuU7(9^y#l}of@=(P+3>(A-zs$jPhcjQtyFr_bXUtkXzh_^A|2uK9vE=@b2O^`R z&R`=uZe~X5;^M+U!u-FTLQ3o*aO*8N`Z5Az)V($q@LCrTTbCz1^fChP$Y(E&JZ;k8 zh(MFS71*PS@C98*X{0#PkX&++EQJ=YCd9o3nQ-L zORy(Rgd6bN=<|(sXPEyx`2svnUnO?z$Jh%AM*|NvG`zSP_vJfot{<|r2qvZ46A>`$&_>K5NnDz z^!Qc#8E3kUgqM*q>s_yP?hNn3d^K>#CidoQHiHaV>{vrC{--;-m|PTos#`8!HdZjA(f5%h5TC zwUlzbXyi}KmO07P{s;NdF|2C&QVBmVlH!8!%Pp|>c14F!{wpyCQ|o`%kcjhg%mg!c z{}X{Bw66!BTLSG3T^ozW7O-xY7XMv@51^l!?3s$-iui2BKM$XfdBOpq;97_Mbg&k% zKB2jIy6AfPqrg#DlvvZ(hEL=ci?XRO+$1b(fuGgYdgEMEGKx5jRh(^gvAs#22VOsP z@xL#a(P#UG{240u9#z5n{BTzf(7NlDmibA9m;s4VP6jTdx%f(Ya7^1boP5mc;{797 z+0?cqo?FrrCD{-x+WRu9*h)yZ;Hw&Z8odn$jo!k?p8szA`k!j2 z?+6dA{h`LUKBGrh97!X&ZBdbZOMtj+pu6p=?9t|@eAXhFV(2jd0ZVt8)ObbOnr3K* z?{C?mxYa7OAVC#(wz^3bb07$4Xu`CQ3#p(r`>1Q<-qG_AiT5qmfY|(xiLZOK0nZ5j zH+xuo$85RE?4C_1znK|_{BjQ57todpDH#?R1x?df$9CcBKSQ2-!1AF zm)r!NaLt*(*wuSR;kQ+;e*T;HQTDxd`6kg-fYexrsW@V_k>xElId=GWX4SaHa#F)j z^mM2Cg~cgpqX?C^%xMGIpxU+v2r3#v5roI#)QmY6iujStcOHuu^eTi8d5HFsu!_UC zb`vnj0B)21zP~Vg^T%rzd{jx^_s~Q}55k{r2SVW5JKCa)=;Sf#1|YzPw_?aZAPam} zA~y0nhZH_dtqioP5Bpv(kOci+5dXXTSKz|&^YacsGeq9b*I-Kt+z#Hs)Xi-nWc*AQA0gdP!fIvg zIvZ;)AgahZM=tl{Ykpp;@A=`Ex<|Czc(BSH*X@{quN6t<0x0N&vzsCV{iMd0W*`0Z zYiQR_Q{TmD&fLktIO@_qOe@yjO=e9(I(vj7)>{a=M4`|Ma>bg=PCu2;+GT`eaZ5mp 
zhEHlb7n4{mPUwpL#G!ns{Bij{T2?XLQG1T!&41y^0$4V{jWQoSy>3L_vjalGP|*GW z7z*+@fNkYb7~>#DCZtuL9k#c(_Xbff)VI_o~=S)EIS3&vR!pq%|MQV9;iMk-aXr|dd5Y{1A?j@%0O&zQVP?q+K*yp9xc3g;}T4neZH|AcaYsR><;w8`#<4&Pwkd41b< zsEWM2HJJ&w)VZtQ;tmdaTI!ARI1AzP6~=>!3m;W96dDILl(8QyQ0`G{HbH%#;Q@n3 zqp*%U-9fbRr27Y8AnE$i0qjj7@je+OKVo4>7puB~Fj<-!vtEJ!$-b}!MdLFINz|th zr@3Gz7|+N5X58KXU%C?v8g|$I4xE~UM; zxe(tf0}1n)Aio>-*q}*8 zy;d1OGNG@fe&Y*@*j2S&(bhua>Iiz?HZyX}De9l%g@Xu8e}nUWvHH5>|Bv{;m;KQ; zDd}cU2sojZrblA#5HTc-~1-Lj*`f4e=pLI1B%2rO4?-E_I3j7`|Q_-PT4T&#HA9|ZVs zqQ4M~{90O|7f))r9%U$KB+Fv;rOkWYSS-a5Yf=HY%JPuMEOCEsMb4asbB{;t&+wSc zn9P8yu5m4M@;1{OrWLNi z!TWESrL zs+$XQcQY6r)ZS3jvmZL2SOgHlu@%Sex{j^O;d<*gT|E6G=e!Nh3cyX|h`%}WGr$qd zvatL|V1cEcf&4%hA%2D-qxy8WdT)0CqUKB3q_E_Z7K%+WRcgv_Fu^?K5U2`|Js6@b z->P@ZPv~mL(S#b37u?oJ2Y#t`EUla(r>{Ya(Q3uthjFq*xb^%9mq0k=#loCy=u}Pr zA^Oazy{z7D3y9+q)R{xpjZ2VUjmcz`Q8xj_thsM@JA%P;@LSyi^nPSA*Ygp@2xYev{csQ8sM54_n=jY=Ekr(yOr#Aw3|$qT*_oy zm_{m?{CNcPU%L1%TGcsM3(sItj+UZipkGsmSKEW0!>Nrc%k>HlUTUqn02Dpm9HM5| z=<;qdyDHaE3Md#yu(qY#pQRiA)6ujXZ#Mo&rrLik&k*$+UhCiTirDBe&zG=FHklzW z&8631)Kcs)6Klh2YgCCN14||; zKQwv_MIa%^ndxEx9>=yRUQVhzAHt6)6E|PxWIkR)|D2%s$o#|>1j_t9Vs2@5mif+p zM=Q~=VuWV%v!VcpLk3fJg8CKoOyantl@U!D#KaIckkK8=rlK9?MF4^tq@hWv zSm+ehN@R)&&7Gm`p~~XxM$aJ!U(e*%wy;ct=iPIwu*SJU(5QS^h*f81%{8*AMpeg8 zGO2|3>J+<(lp<# z1<6G*e6jj#*m}3;k)ZtX2P*BjB}t9vSk%}`T}#7W(Q4fY|M75>Dii6FR|@Pj3^%Nt zR#n2nGDcL8WozTWD*+$kt`6f%GpCV8EMKi@4He0WCr+Cihuzs&Mz<}kStbKsS7~p9vQ2E z>0K#^6V<4vRg?%5OZFjH$SW9H*!t42y4+1ymBV;yWt4+0?ieT&f!*K(2Z) z7Zm_K8~HMtuF13FsQB-@Is_a?(I3PnPnfRcu%UF>V^x6+9`!Pli=kH)g0+>=&1MD) z4x5Kq3Xgct5FTBt{sla~M`x+BQ9ApIz2BG|l=%8{Jc-EHSY$j3pvrEg=W6ZPQdaj> zB&X_ye*jGb-NX@p;~4E2cdqQc%=FvCti4h?_vIO}2=!s7os#EjfWdDu%HJD_)Z4!nj#jxFaBeF{Y$VLStkFYT)~^S2wO)}C zOGKVF!O6kGrhd%mmfe5?a{2NH=_X$#jP`D*s*d1mGRDLp2}Sn;@=NemasfV&Q)YHb z#gt7`u)-C#lJl}lPstJ81DXgvz}$&ls@|^BadST>nduLAyvHhdLUcB`Y=NdDM*JtN z*VAO{rN9)6N#Cmh)=ys=g0G?Wb)<@F{F*YsGRzT()aK2IGT_Epi4~WXl&Tttm5dIH zET#mguWl3YigsfVb><3IRHkH_v#ig5{M7~&^i`aiNc@yZe|)LU5|H&!Xi(LWpj;u_ 
z_&M}K7=VXigRg~CjuUB%e;DCuU|Q^vm>r{+9VTxcsx`^gE@vJSXGM-kF0?js3dgdz zq6S2h?zNNIvS@}6=HhDT8wR?RK|aP%QAUvJc!qdunmlLC3Xu>30f<^Px4C24 z#9iuM%JVlp5$X9YdH<6=-gup)ZfQ0Oq$N`o@m?&>#*drNp8{E;R(l4m6qMub8f61p zstnN<>JzKHnbcLNI^~i6j1uxP$=~nXs+JqCk$u*}COYA$mY|Ar01?U$8Vy|@r0Y}9 z&%#B623rJ(z<$@wA%arau5N%hktk!eK;3UEKR66i;e46ptkLQRVJ{PG$j2RV^Pgn| zDHWlh;e=vJ;Gz#QiNi}%7B1{1aCy+WaZXFxha>rhtQ3}?f+(!IkQrAwgevEc{JWAk zlNn}H?DF{v#}5Qs4i4x()9rH_Gu;dtCtR5!Rl>o0G9CW9!M(7R2TqMQH2^FpCp)p# z)T*5YRO6!rHX2pwLb7i=0yeXPA_JoxcieQRf;ue%iOt3pDcY|4%=DBszov-Ixhdp3 zOV^o36U>Nx(!8y_ZKY&b^Fi*fs)`V%I|AJiU)aBIl~RmGc-q>H2_uyoVIHse(r^tr z`Q{I~s1cL1wfjHaeAIdHJ0ARC@i2&TE$OFI_^E~yxuJEjVYw8=i;yK}n2>bES}4&C z>Q~OvEX!%25j#CC;1aVGn{$%F*P;QE$%fBFspBveztDCPGQCbON4E1#R^H_NjyP7v+nmOV4TTc2yVA2CtaBo5ZVulGqj_6l{kqIomo-LD;G6RD^tC zlaRj2?*OsQyp40sbN#z2<>*u?5#D{$<0%eMYZI21`Ab}gl&&hwFRddP4Yj$wW8TIC$iW3q;k6dU z*uw9eD>#2Sm(3ivuUgrv!1nE1CziYoZoL^Zi2}|Nf)ol^aZiX8gf*UUr0Rd(>{NJK zxGK**^h-+I3&k5p?l@x{y#J+;`Y>9%&8Tdlu^;5vD%CoG=!3?3rw8&=i5dT9p;yMu zUk&bctsh1`HuFd^)Evr7%^RgV3R%?8qa7gfOlihsqS^Jhmt8xSA?*oZa=qm*_>q4q z0I%g6oO%#7dvh{faLH6jd4BKPxt{F7V={wZy3J}#+u+CFgo#W<2qG`&Aa4wzU>|Wp z?KmSVGLK!62qKnCBx0${`c8hO1x4wE@@NY*o$GxLI0n6%#l45Qi-9_SRa9~OhKpa8 zsW(h%l2ZvuDm;x6_)4i>FD#m%+6ie`{@UiyWOJo|Z=xMgJoqVF@O zhm(cA&Ga6iQqP3mKhITSIfagY#3L;fxPr)aJ`P^!DcQNyzHCZ>R#N{@cVaMoYS*Z2NFeO-D6Q+HcF+ub{wPb{BV4&4NmC=% zUY6L27o{d~cMQmDB0v4W9xB5+Tnf9a7nm*lXrsWTu(Jvj$Bl=7Da&u^qi_r^QEu6P>9Pz1mr38^$kEdydvNsXT=5-NYzkDtAw$F17#+9 z=ZofK7VnrE&Z6g#kC*J#A$wQFL6}RYP{P-@g-IDwNbe+SCd_meN{`{{#ZhJ7!K*@- z>Wg*JyjMi4ZS=b`_bL%AO`(8JRNohH7c!`n2_13hzC0D4R%4Jzo4N9Pd@~=V&mys6 zu|q)9t4iW@H(2-7!Oe9dUc1CL^tJKEBGgwy9=}DVuG~s&7v*W3)Uhg~^gchEFf){0 zM3cpGA-Drvj+IyB9FaDY!~_YV%E04bfZj6RRM?~Mx#w{a8=6r+G)ok7g!>A;_f?m* z^OY&DeC3)yqt|HGky?!DZ0@J`b1fyI4c5FM zd?;mdwPUoTfKZ7%-$XbOaucR=%x(%FY0jD=lEhI*WK#BPwtoMOS^Ij#MFyacNOe zx@^Pc6>~8h4qst;MV_BqNWR$I*elCskytA(G(-%SnA}ss5uzFC&TNpx=8a$;EUozsipOM9Quk9t4dEz{W zs_s=&L2W(k)Mmq@9tFwI&e%;?#LWOPshuH2BPvU#nJTQErLEp7Vkwjv7&j^UG&j8q 
z0+q8&$<=W4ot&2U3zzS$#;k|)59GQ+Vb6hQEj0&O zFF;N&uZNM!5T2H?OhQ)I>{aWf)R^R(G^K$J9(y!xeA~M6gOLH`ql$%>`{a|?F_$Lo=xf<{kF2# z?A74P*GZ<0CbBuds?U8SzfizVa413^l<|kJV^>VcZ4+{z91ccRxHY#xal~Zgh_Sob zb(x5*(eUqBEC_7DQUOn@<^ih|1(F;)Hlr#OZp98rM!M6OMa-LO1iMULMm3q{-YIJn z(Jww`RiuG&W%%@h%k7pSF{&a^Y92`SiR?*YC*>CKn2<%=lxaPGWVH+3_e0M-m4pvs zGK*oD+*!vj`~dKyg7W~#5*EK3Vcm*re)S~t>Q9i4rbo0Uq^fjR&g$?f6Wzrtd#VuS zmTxr&($_|nIm~@x;4VW>*;bY2 zRXZXFJcN9!zK z>X*d@9WB+J_&|E7y82*~)dl4hX!lRw{V-+JIo&YMC20~z10hQXOSfLf(66$|onf9W z=%J%!9$9;Ctbh&vmUb<{vzb%knA$GMLObVMiHj#}kl|2`EfrDI2f7SGC64Z)2M_R24t%chN zswK&$$rSOBunHa^Ct~Sz9tcqvJ<>!pNMWeL7E@v7%CTz4R}9J{?6(z2lqWCAf}eMF z?IiehDP2sqmF|um0l*Re8dbG^`(mh2VE~3+blaSzb0q*{?FKm(sBuEa*fnuALYTDw zqUR=u!&F+%sK-D`C{wQD!I{|Rp7j7TwciorLi+b#wNy$0e`LK*64A^7u41&x`Wt%@ zA;%}AX37osNtHq^8ZTP^qJQNfbkPS2bhdLTxOEOUwEw+i0E}<{q9iM9?tEU$kX_Cb z9OLxj&m1YhBOu|CNu zrnJLG7_T~BLw{%RA@s4RbziHh76();9?2;+1C{K@gugA}9iHc89M9PqRM||%F{9Ay zZfREM{M0^R6YO&IzxfS?di%aUfFor(n_EB4qnF6d*&+__z%Fe~zKa+8KX^hy2;_4G7SK&37<^fM=XrZJ!^pgbDcPY053Ga1BLU!g4-==2n{d|bX zMCb5)ese3#aCg?LT0VFrG>OV6P<8hwCL2bHiiVNU(6okc_pcYjpM|RcB9Okysm5@Qek$cg< zGWaeQXc#lwC5>_H=y`qY5Fk6I=Q4ZVjOj=i*`FsyoZ`h#!cg32iL@;$iE0d@L` z`nfn{1*qRHG1m})b3_DnaOsof%UQ-tx3zbw|(ic@amfg z$0HnNVF2E?mOMV=1T&0)o9!nNb7@$J49%9hs$&`W!-8I#!h zJ5LrTM;bhi46uj6)0}^Ww{nC9*GIu&MyN5h{XjO=yR**iC3`DcVO*tL!7r=~Nv>xb z6Fa(Py(}a74VOG*Z!%(!7mhcUqWY<`=wy)~J};l0i;!eyF`xWRw8T_9iwsamBd03< z-EN9=TeTHK|CarNqZ!V}Z*kyX+#_!C3bmD$30vnVUH2z0pjlw1Jp?@+(@wFD)yVbV zV@r^3en&8s)t;iYobLYOomZ8>nk7(jA7qYU^@J^VSNYWgftWq@}^}>S1iaWf6)v;p02Hg3^P-(kFfB zln3)8@1w*wKTNX{2_%^!=F!;~q

  • 3{Uq& zvTE}t(b`fXGx78(K#JutMdSRMtV6NWCB=wiKY^hiRU|UAIbj90cS4Gr5p!^C1V;uy zJ|~&-Z;AJx^GJ9DkA0ilS{?#a{TOZyneE-2K-(|&BPl$J#1X=caCo6BtIpY?&;t#R zo>o!MN@|BO_ErpP2#q{bfDP-%M7yW2>@Uc>J{*0^6N$}C_9qk2a;cNAsi9$n(B*86 zbLK(gP->V=y^IwM(Mw3KHLsj27$$9Nv}`e_QFm&Ig%u@9&K&%rl-WU5q!g{Z#{al@ ze*NAqZRt(f7Ngjo2;Fi$;&si-TTxah^h6^n%_3!FDlj`E$F4w?Y% z7b$Bk!sxhZcvye8=Jy~{y9>9jAz#XAVFDK3Zzg<=v33*)#be86H$E5Ti2Y?@5OG4> zfC1TjPvszw_qSd?E*Ei>YN%qk7Q3L1>^4-xDEiHR`QAytJ)wGM1` z$e!ii>*e`C%TRb#u{m)^+IR-H+g60p;#JQPyk^ODY*BMcic8Dr903kdd$6d2!~D(g zkS-jGQZF4^@#O2?K70GkB%Bf$ko2N#JZR^X+@tT#IwvUVMc;!)&*(f-5`CO|aHo?h zJnWyjkXrSJl}~0U;ik-p{0C|ySooA@sSfd_m!+WewkN+x_-Rg6!Tv-=|jQ(&?w&)04DAojhx{l(}kPI6>^KoK4Eu&=M6Qp1K49CcV#SsqzGiX93%JZ~l*K)mt4;>l3DRJh30w3wYaUO5RO zU0y!SL-LndF^ct6l}GfOoBV9em5;mpuFsvh$6>^m0(;5&Wr^0>h$hM#FUn{$S-8l} zlTHF_D~smXvPRtgnR(AZOKnW|zMGT9CzDRZNJN(5*(OS(o$mt0cG@d;6p62(ZV;}(8{xx1EW^}7+_9ha)fggDYNmVIM<27@}_zkV6CdBP5n z5iT@;Eh~K;S}6-apZj$R_$38b?%t-+EW8z>Z@s)q-EQ?t49a1lrt(aEF+HIe zlcgxfR|cgSdrH|g=KCkJ84Sib`7~cl4)^b>EQBNiZ77ulkk(igX1I# z)%p8=Fa82em#*O)WH$-p#xptw*m7?b?Re8hGQ^Wp6DC@-0jH88o%kQ@x7B(T>%T>L z;)3Ug(KUKPFVnGnSSf>COsoH`tQgP7;0+6Su$pwX~!@ zKswTGjkp_QcYr#ZkFew}eHs~lM4jm>^pN`|?hp6fnErlKh=9n`zz$Ya+oE~dgv(d8 zQ{@Y@VVa{q&Ne^MRY#Nt+kk6lM6oN#aE)JKN*Ww~ZarDP^lnJyM%B_Yb=hk*Tx8TO zv*{?)JRLtEDDap~TGC!6R`hA=HwJ&?RvIpGKzYZn8HMpj>)LwBeg92?L>f`@JbI(1 z?BcU#vu}y$<2aFX{{Jk1-2Uhni#Ayct-iMU`!%=PnO#(bT0>!C1fmj?k#XQ3>7=TY z-*Q4Sx;bq*F(bj3b>Ds2=7bGr@C}Cd$^)|~g@I?q8uoQBbXq@4k=1N_6`Cj|{W5IH zS=BZbG9d+kS0k3Oek;ddkHTX>vntuX575B=;ljcTFpCdlxhC$+icT{nFdTz6q;l0i z-q-PfnCw9F9a)hnuqbeDA(-gous3>M>BBRuLJ~EJ2K1-mkNrIGFj3<%xZzadtyO^zWEKj9 zz>u>|p_2^G`*wqmI)TMvWPz$COlEar=4m$yH&qD*{)ce;QyW!DOTSdaSmpfiY~b9@VRkf^-7Lr76VqFkP zIa|+@UMr$)7mAs5xn=Lcir)5_?nsprJk#PbHG7HexOxTqXz}9(I}y_}P6eCT;VY;U zwv>6neQF}@BBq5ndiVjb!lr|nrm22k)$B6xy{5mT+C#7~p80@u=M5F8Tx)cJw6dI1 z*nkT}A2>@sQ7!NU)wtu!;m$FIN=3tF3%HXpnQy?5+ul|`51tDZwy8`j_3Zz>d6{za 
zJlq{`$xi2YP*PL(KoYfyhKGBt#^ewhPv4EhkmZ1uG6m8qg^7cE$Ym^Gb34DlPhkAvjc_Q{G=myPGX$=o7wID`f|)N>P{DV^ytZ$(kzn)f|q<8Z5cyFf_3M!bsaSgeJEfeW5y;Abrv~R<*uE zWXaKL2-j`_YDq%9f=HZ_8LMgL^vh&(gCopTWp>DmHPsf!{A)?%mKSSR=^B%xV?X_` z29?xW5}VJ|0ZVnoaxE3~P|=~z_?gv69GvW&fFt|as#5zV(?Vpv%3d_7L}+Q2*}nYG z+TVkZVLx@Zl4%+OwUL-e+@H$@OP}!6K@|hA-6?#XNrTtw64Q(W}X--w*G&R&>P?dP3ri(8l(PKW^U1)M$zUnW2M{Cxk^pa}u0z>C4WhYv?3yn~b zS)G>oyDtXi7?NV27tfL;($O_gt7$r8gd+bS;e~A_SE`!l?mR$PTWY3%%5YUreG?n= zhNraSrRMVR!JM*t+WQXE_mKoCrVhK|*-uc5pJ)LIamvpeZ(yw`b4-&dLs&NgXI4*S zHtwEEOpkjFgpj7p%BJT$u9i>h0U^vGG2{Q(kd3Y6hs)XBZ8rG=J_IWlTT7~p0kvIy zJ}9rFhlBh*aOSfrZBM>*diKn$8T7xd3cS+ozTY$WHiiBAF7{_Wbv?^#uI{1x>p3B2 zJRq&QBO0gS2Tw-8?6`oZiy^-KfBmf4pwG4^szi%$FAbW`}Bu! zzebOZWN-r`NLCV4jTfMbtqMpG7JBAC#>}4KjCK8KyZOV< z-h`cY@$!4V$M6KfTs6;h#jD=e+&d}q!p-$arkG>q=Rg|%4bCiVnH0~vhyN-zp-gLY zgwk)mH?%&UWHn!zI_Zak`K`EE~&_eR6|^RDyNAdib)zD@7sXS{pm;^TXQ|odr(V5aXpyUnaw_S{J`9 zmWQ7!o~8v22Jf3m?lPw9g`NesTOje=t81w^J?2IjQQ^*xVOH>ayn{jpDTvC^plyw7 z?lUBGJ!zx>Dfg$@-E%#phR4!Y?t|VQjGm3cBZ)nM_rjBF&@CZ4Yp>Fb8w%1lX`H|$ zXkX@R%kOvK(zsED)hAQj~dBoO=-HmNP#i^xtf8=$$t3wj6WksO^#hH8x`Ad(7 zLaMbR&cs$TbGb7cetANxu{EajdSc{rn5Bp&*WR($Vyc>Z6iYfIF;7KjwR7U`H&ZzK z@{p8;dT3$E@byCK+L13mfmC-lnc?Yi9PEOZx0M#vL@Rhcxy7pY_zv}^P|mpilI6-% z3iW=uNDU6bZF~PP`PF9nymMq~c;}4sHK*yOiz3qAUPYH8*a5n0e`$mkk77-}R?wBJ z5j3S}HdpSEuZ>yb@()Jq&X4_-F(&Pw)k1u_fn_Ax{LJRSd`h$TUj3-lx5INGUao1u zQEZYt72p>%cS0LyOuw*R_%$Tz0w)WrbDXrkY_k8GW~!+p_1=lVxMK)F@B&tre>Y5w7S-ry>*wb4lsBVyr*mV3Z4 zjVDd%mfkd*6MlBkT4#VrrwAqU?W{!QdiG%@*YNnZy=S$r)@TNM$3ThLUp57^%)PM;2%r;3j4g{Drt&c zW-vZ#ZbUR+&^I(1()N0P4+-?D*eLO_2W3V6{UI|qmzk=`stb4ELY$?8c9Ga{?L7hC zDq}8}UzR2n_1uAcW;lA4B^=-q?t(MM=45!Z1W?PONm?%)6^rhKX{Aiy!Rv(gTU(Dn zWOQ`2PDDr0gFP_Z^?)?Bpn{^5w8h=T5Ua}WKn|h`!Ajwm$FH%uZTaAKJ5#9Y8f>WV zGyZXv&jGyieZ6N2&MLi#MoHo7fwOh@`mUTi82M5AQI<)m7SGZyKlfkW8|FtH*YXABcq<|u(=SUWn{V{OZRkCJNpq-;#`sTt*L^%p zDH-V}|1`tRXcKX!dDK$xADl3)5-~6_iDu=tHLOX12vB>L}0w|dw%H|r+D|T9#TV8EZ@QfT)-4koi z#x`Ugv#Q;$$no10RV=R_7&AUWrQffimuiRrXPB10`YKv!C`y)0{HGPAFRHBD8bJUu 
zF~!nzjx24W;7UM*eX^o7s+=E^a<5h5t_aN6@roC5BsER6NX%?jenn~7DM__W)A5+$ zs~<%?6o&J59y5tyfcvVKI6eES(?(MmHv;Ab-4%K1(bb^ex>>yRT28F5SoICt#@x*# zh>#{nR^Y91|YS7?0m)I{#3;CW-c9EwcJ?Ul;pb>&0SBrE_+K zkJK;Xu6TsljI5+^UeA0CUS93c+HTOlVi>0&dXktr=uQE6X+EuwayV+H&=VltWlEq_8SXv}= zgFyYU<2=XL=nX)g>9OKlhYbGZ@3;pso`koM#ztXO#R=F0ha-}rGh((rY8SMQ9XZ^Q z?JWazQ87#UoTT*brU=*Dy1XvIO$a{Ag08#aqF2=aFDw(&?D|3(^-?HSVL&utD^}AI zzwF-adjIc4JMoI^Gz7Ih%f2Z32GruF2JuGVYV^i^6l=tsd#J*y&uD1b6@&aA7+%&cD z+=2N7%WQF8A^pID`r7Yw@UpJqI>tixDyc@e_FRSE%Kp`LrRBTAu=Z(K#){+}l;fh+ zCA@3MK7Tilx9t#D_Wc=LkVR2|nJ*m|#rMgD-8IpkXqTnblw9roa!4VohJmbZuS|0m z(=o~2CQN()bxqG9^HPO`^6lKyLyJj9K~$*%uOegUy`+}L?J)+<%P~x(i*P5MY0@HM~Iw@83%?@y(X6t zS#CZ@B`rl!{YhmkUA8rFKuw`F)6+HeWX^`U@)1W09z#*^0-aZkMOt<15=JZtx6Z>k z^5Cx8!4Tq8@4>z5?*o$t*<#&IWyFOhF3k^r97H5oY;3(WD)s|-&Z)T z3*WplN0vC|vl(X7DT?{*Gk1P^{L8ou?A51cR}y5rD<|QlQoIyav20ettfR;!@sj@F z&O(kb3g0bLM_EA|w>dT4_iimR0KB5L{|KmR;y zQ%54BWGI=kW-DGmln6Rg8dg^JVAf5*%Wp_ZoM4x@y*Q5sZs~x!ID=cO>rsZ6)1EB% z0$BRk$Zj}9URxocF7D?3&+~m51d*|qNFCytiD)cE*_9 zTA4B&St3S@2J3;<@oNSIQO^;OPyIhfE`p1P&Vz{HT*tjE?A)8kfihRR`RGMv8#*{{ z;I~DVjYpsfA13Scfh(Yu&`iEwJ?;N*?@E5;xXSqVUUko6hY-iYIH1@_K~cgYM1&B_ z1qn__NSwHEiG*_JfWjYugalmSL?i^_fDo4?8~|Y;*xzTfx#z6~7u^hjr{?D(jny(Or|gr_c@UYitJ zG=<9Lc!l7=Sqdyofu#xDet+pI4a55^iK7#^f#KfAp>jxk z9P}NT%fg~{O)Wxn+WWUso5`Nw=UOzfLBqgS+NHo+y^6L|k9T)$9ZJ02Tg0?DGpdL; z6;@4|f&IrUSxf?0${>kCU`cvD48w#10Nh{u-|zA;F-aq$xcRL*3{kF4bao(X!BIj( z!076n6@o`JFGOb*Zl<_pV*k7VVFV1dSfcuw3K1j(N_W-Id}hCy$D8*eA$s1Rps@E1* z72D%yaoxjPm&M)8ILSYZHzW zPY~)rcVKj3k!q-Eme!!jBo+-egijGQQ3nPrdI_t#tF=&sUU-}So{ilG3brU6H3A9` z?nC4vItHJBTlu}*RxGolh_8~GfNJ=;?Xq5`oCF#K^GkAp4$A~wzIj+(2tc(5{Z{r% zakZqXu`{C4IHw8@WNYWDnc|Q;?Bf{HB!;!?%YQ0>MO?XbVIxkWSE?E>>GZ};yfW8V zA%Ojigm2moiJDtdj#C8%O3WL=aASoty$PLD(W*%v+N@~WI;~rEW2r0(rFuV#U8o2z zF^T29%0YszJ`;7UsvilpZZJ!cv=@wOd3&3s;7xz23np14!s48#EvP3s-=@iVp4E_G z;gM5PsYI|v&i?W`4woY^{kd{y8*sTQ7zdUl5JzK3;`qO-A6!`j08yrR+`4w{=b7^* zt?qe38>@O<>L{Y)4UTFCqN5vZIncIaGNlN)-?%VL7ACd3I|KwAO47Kr?cAn^*cu5n 
z6ST_y!w*y{Ye2Sty+o^8eH<7|G72n;V6^ez7sd83Q`t}c@ufEzWA_yyaT1&COq#TQI0h9*jrD!M&O<}%W_*Sr-o~@*nx)Ao$1SVZsoKCObAST}=qcJc< z$Hp0?X#zk3LHRV%=)EXy>66h;?e=XBcLBzL0Kv=gnka=jgVl7cfx;uw-}4CBoW7;kR=`JFST zehHasS3Uy(IGBSqB?2 zjZRcYox~}BN{z9$bm1ckkoZot+^UvJEhV}T`nq{i+vJ+Ss8gXg1A=$2gP05|;cyei z!%cqW+<(3sMdJu2oB;y>P5}uCda$-OzIO5accO3%;b;UbO>~dVFx5Yp%TcD8}Bc@cl7uZoKo_|!uedu;zopF+h#qg zpdmKF+(%;j-F;%zpLGKiPWOgIk`bb(l`8W@?DJuqE7x*3hR?M1 zq1d)qO;>4(!nL4}_SVX@=_mOd7j)ZRvrcsTW4F&k;Zw;#CAU;I2Qc0k{QBanCu@Ec zP<$+l2&k0cvb^;6*~gAQu|Np zJq@N)VB76OYyi!(-!ZwU0*g(Mp~;Dc`P_=oVYwx+?`24HePmlT%r5;YmG4rv++L=; z$Q}iiB#t48!rW3Bz<99n`wOT4@zZ=~)GQSlSQemKr=w!EAlYnduce zOw@!?QS-`c0d_W2^k&B|~;u3pjn&KT?zOF;kv}@F)aZVlgm+Yh_gn;0}c^#&fc&KTO zFjc`$?5A$G01Gw_&KU?canwhnA&fQ#FxnXW=B){+2!sYJp9QegEEV;6`9#LM%Ay${>KWfL-@0d3)a2%6+hVC7Yb10AL{M;!z_L9U?_RHQ?T#FVh>3fQ{u z>4cT=JgZHV6mvJ%*#w5|2CSlCR~$tUhhrEIH(|6ffZ>DnpS=CrsTT~OQnOg*6j0HE z%<8rG-<@Av_}ARRfo}^gh{((9b2ZDoBCwR2G)>#yHQ*$CDXccui4UEm*PYc5PJ=&p zn>RJgx+(w>Kqdw&PZ-ukxCywf6j7(#5Nzh#mOpV>hdg3T7x3aMd~BT?<@q*Qe9j#p zcbaCui|H(%c^4qEZ2B~XBnOmeG=%YR14e@Zzjyn__b#7*j(gc!l4DmS2Q5j|aloMCazwzvymFpiMR*DW-ctM5DAs}J`84`zKx^iXdZ*vC^ zp6m7cUlEKi3eK~t$ec||V&r|xLFB#@;x8<99II}V*xpYa1R&;YZyS!Q7dchzo=_sH zh$EVx@q1K@TAKD)7U@Tf;3Ah_!K^=TD-gLPmhEk#UI?X5PE{wckV9-c03(lBk6-^1KJ>%6g~bDN3k%Te_o3gPhal(y4FU*y z0R+8%#+K$ntc)xp?XttwlWeVu+W{5k12PV24Vuq1?}E=}OahfSWOyaSOo2SE$)8NepYN%}voFHhv-hOrpscJ8xRoC1~$IW`NUb zcAkpjpqw$_jO7)HQxKeI8T4@kN!Ild(jv8GzXeF2zouBG??VYAR4o-M7<4I zj8=(HkNQR#Y{DSYrU)!WvMO&w(h1}IRsP;#?Mq!mnUAsn9>Ajel8T?m6!I?2TSmCZ z1kA+jID6j5$6~Ioy|+MT+sCYi5jMOPp8HQ&nnIc+kR}nZBn8G&;4HnAgu|C_2Kn3) z0002JNkloFVB}tMZhd_QcfeJH#3IhQCe_&7@i&mJ;?*IS*07*qo IM6N<$f?!NlsQ>@~ 
diff --git a/assets/img/legacy_png/3rd-party/stubby.png b/assets/img/legacy_png/3rd-party/stubby.png deleted file mode 100644 index 0f7ea7b74b526482c72c6c96c8cb5a5c6d2986a0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10524 zcmV+%DdX0OP)Cl_s$XAUOiWBfL`0vTpPikZS65d?Mn+s*T&}LJR8&-2 zT3Qtq6{Mu31OxFMd<;NaZc+|<<6PbXFRA}BzSBXN}Kora-L?xDn z-C$z~M3Pd1C9wp7)(fqQ_y2!SXWnYtQ6wzM&YO3xPF3df)he%=qK;#&0@rhW!qw$s zJe^KQi!#+J3|+!o9{?WTCb&5I0^lRA4u2gUemRl3wz>(}_$%)AXi-+>d zKUkh{m7jQR?-0YmK3}XBi+NQvRStR`01EJxsphb(NKK@pNM~`HrkM`OFWj&)2)zk* zoj^Ka*@c_Q< z6oNv48|*GLQ6^!xerE=;{r&jL+C)c*h1NArQ!N)W#MVGuof<1Vbk`G6m#9!7657Od zmFIbtMp*HwUx6O?d6v#n5FjS4yz!S3ExWztVC?}m5J!$SOSTs}qUx2PRT=B9U*7q&UPJupaS)M~;}q zxQ2EW8PFOXF)E4D2^;}182}c*nt@z{|9|OLGuN<{EjM}^+$>Z<2>TV-mFz)wQpE*kD2?f%P|cuxu168)F59L{Ko?skLJ>n0F#Hd=8f5 zS@;FyAklFgH!*SpN?|AIBSU*wj)}4sF$SO#$R=d+#4!2RWuTc!p-KYsN)czV!}7HS zVBO)Nh=(A9k0b)4yZ1;&b|>%RL8!$zP)T?InCIg|;NznMPQgc``qE7Ihf~LCwc7hmyWiiw zZ69Br-=5xX+Kq{%+q@&dPa+jba>W*jWFdpJ0m~myqQw859E&O|^Dh>5Bv$v0Y`^wZ#>UihA6C zpM33qJHEWXd)RJ%ziuD4_b1;zN^8BAjjc;*2G#SOJ(($G+la*8UxQeN3Li4ntlQr0 zbj}vFR*rO^#Kfp*oK?P<(kR^wM|(Rh*f;NucE8`>KHOg3yxuVEoWUPx-x7Bhwy*Wmf!wNKMQDMR-Zs-@r^};AkM^1rZ{%v$N z?O&c>-`wABACdeI-$H_3rUA?#CY9BV0*KfGQ}hDx^BltUP#T@E)9yqU<8HS%STwlN z(P(5ThG*TxiSKt7Yi}LmzF2!nRGgNx@$TjC+us-0o6Y9x;`dDpTiP(YlG1kmOaG^E zA|tn~1CsL6X+2OQ8+~PJ9M{mV>Z)=A8k`nQQ>T%N2DP`wJrf@`7sfPo(Q_{Dudna! 
z@VeX^E(g*p#J3ctrQD>8!X^ehGFEvYP;^M7ZBDv00FyJMS9Dx}T>=)-kRl2+WPkB6 zPS6Wg3V+O|-S+X-DHw1uHmT2(#C+C`@$!*MQPhvB_6V5Y&%pk z5m5=O1>X%!TGviUn{jZds;bTsA4eruC20}WN=3z@>$Fdl zMAfUZj^gR(i>pf%JIK#>+MkZMFMagL+J`GM#M1DH6C3E1^Nv9!4Ti&Uo^kL)P?jjq z0%VMGtgSihIkre62S?SiD)RYw+B+MJ@&*}H7Rw42&GxUZ@2_qjHkUi|dF$ls$>w^m z?{xY-ut9gg({6-#N}ktsoR0=)a9>e_2nX=g=#QSeMhju&6=ESnmLm@@4ek8@v99LB zPG>sG3(xoZW!Nk3CR;7{13IhhL24E<{+^LWg>Fe7ZYe$4ST)mcr-)#%oA0X%WnVl z=JMzD2SL_|1_I+_P-wg{Mj~8#U5>#(&aoYi_vH}T;^q2pm#J4+9&@r zOk)%hT`%XrK#nFU4=03!R{{@WvJ9rv!4T}6(#pi+_K%C>KQvhjd!k4XoG1<;13@J* zLGVBzz@T72!iw)`9-G|l|Nl8xWA5hL&BOTFGt=GGRRurqkDTgRN!P2mK7F^ED>($i zugQZbl4@*gjE!gR+R)0x%fjUnL2;XlSseSTvaDC}FD%K1W|?f~d7f(uj^8yN_=CR1?}=*N{8x^7m6{o9vL7acU3 z`&L9~wQHHGYm(%m+m*K+Q#?f{rX{FP!+9ETWFcj^jq`qgIG+^I0^FFYnUkT9RN&t- zzN&E1Cj!*52du%B2$ESWv?;uUCEmL9vq#|Zl@aMF4P(-tk6gAAUC|ZQQeHopVR*ze zWl1Mm&Vw`!(hA`lt%%NNJ5?mxS`o>md~@2RY`qTM(#uxyRT2D@2&Rx=dZHOR#ILh@ z2@PMD`0mgBQRhZX!dtK4+*y@`wvD<@607z>a`)eX9q69w5J{$T(Ks4!ifU7^G|jnf zoDXflRmZ0WA*rea73YCchRe*4A2GzH@`azl^hZ z>4xFVrHm=7)qFJQ#i4w8H&~Hdp<(K}D=}_M_RiANim{eAJZH_}^|fJzMjIY6Y!G<0 zJ8l5s@m!o9C^^2a1%OXrIzg#B78tCo5HksDf7HFjA8x$KysjO~^DT`fv(dn%)84bP zKhP)&m}62IA8n*T9;sZ}+O}jUh7?4_=JmX9E2Y{t$Vy}f_T~8X`=FM~*$n+Iq=10@ z87A7W53nb$r4!j;lu|=g^dwxo0FF90m>+jHv6p3;nGIm!FvFa7^zRL|3!W-2ZY)%3 zj`K#TypwFIQrWgOEoc1WL%)1&x0hpD@eMI{m*cr=TmaAn#fD*ux$Q4w{EjI|98*#Z zX4_H0s4AK6q}%BW#tiA!?Ok#S5$5E-a5_#nsxv52f1EDwU*rW#s#(d~+9 zfQ}yzdUvQlbn56)0H-tePP*>67zm`uIbyMtZz^7GPE~Mn6(urqTBvz-d_C^}`P%c# z2XFate?F1?W4~F?5gJDa5Y1LA;Sf%y#6c@jJ1+{RDiX0mzk4qP@czr+H;+C^RNlTSGSqYIln? zY*UR^X`!b(d-wb8^Y^(;H+);Q*dam8=>S(M%4i0Ji-{9DjvHpk!~DmM>vW+j`obJR zXiR}2cIr};rA92%q>80T640LJcHMu8bcfQMFFa3E;-spAKs0|)q$y7~?P=3;6dkJL zxT!XkHjl?sXiv;Vw7e()VmfQf@s=wbd@e{D=Kr)W4i1VefKF*;DdeBOFB+#!6Uhn!;0 z64Q0o-~@FEoCU8E@(>sQ2pql|mAwJvqJqJ)vOLGacunG^p}JC?$f(qzqEST+irjNA zU;ER>ME$1Jh*G{SD&B6=;COid{PX9}XVX;hAcPBk^F#av(H;;t^FoZ55>B!IJi02B zN1!kQ3#aBPnpQD%t?MPO>*$$Eq$E`IrE46iO6JJKFZR-o9@GLpP!}&1qZN#$kWhA3w@Uk~D>-2%YlQxE%?_FCt&1I035? 
z)C2pufq;IvyYGy{7|1SquG@qBee~U=^y=Q!17CJLHL(;`TA6Fzr5HfgtNr))YZMq$ z_EDrPYzfm_)OqC`)A#+yJ{?kG8oc1Bfs_Zxr-+Wux_V2b^8!a$NPCEk9|OBAr-F70 z^3m^h7np(my!2#eRa>$M0?Zv)b;AHCay zc`6KR(!D+^5bFUq0Ga;_GiU*kf>uXLaN7ROWaVe8>2mhGavT^+#8GFeDjSjQ8isw` zA6wOot=yKX#FmYaUJy~3xkTtXgoSk_w54!+ zd(VOefrm|oGdGE!W)mQCSxpusn)qg^#5IRatBR|g*!*9JDk^K1;pj$1G;Ujlg@8fID5M`|C zJ|gQc|J^qc-=D6s7SVAl_jkjGyWVIrnD#Mko_>wSu|VN+>5lzch$Xj#tODj51AL1nY(nVBhH61^~7JK{DgA|fx? zWAKjH5vraEYy-pmF*wOj;H$ZH^$maBcZSnzUvyw#K8=@Q=}I2xCH@cNC6exu$N;<( zr#nF9$!ekCL#3giIxa61U)DJ<3Om(tJJe_jN$RUkKP-8g;ss5NvlzHK79B+p5uyM0 zIJ@`19_}8WM?bH0f5oEIT+0nh&vRmL6xY71f>#jp24~XO4;?3*{*LvBV6?pr#ivo7sk~cpz(%pl!Kj7m&PR;KFAmJ!sNZSn!8ly-uCX415i5Hq<<96spQwo$;od7SY*9 zCgFdsnmtf+)vrL^8FQ*I7w{dh8TeELppDe+m1Lg=-<}qA1u#FH>#Fdr(vdYr7C)sweH_0Jizo?G zr*O*iA@l`lk*g=lpNvZY9lgw%IrXOZmulb*N= z0BbR+Psg^6Lqk3dJ57^fQ%z%Wg9qUXSl&x|_bJdbA+$rAb^-7Ma6DtwOGEOgB)J z)1%hfS(Rnk>v*oA^dr+p30h;R_yj}2X^fr>fY^$WtQ-xB}pJY`u+tcIt zCX@Sz^+J%yE7j%Rk$eX~Y?N2AjRJPb*dr_H4ilE&iqFsr&xy)Xuf181z=yZo? zQa;3y)}}Q8cs6>?W{)Huck~bGzwDf3x^8KU9eiV%N;ZcvIqGbfQ3zQ^YpXi}t?w^` z=Q9L8(WyQ8Sqb0e~nsgtx62GJ3@<6fV=WH-Sk`Wfr!Ln@Wb~nl6OpbC#%xxT78Vha^CSZ zE8&Uz&qPh-ST1;UMah}C6W?XPs!tM%6=aM)oc`53X7sfeWZqi)>{%h26qEU;FC$6>!;<1_k=!yT?PaE zr@d)JyR|yauBm2)K0~W_mRiM-5h=&|gS(*zpIu73sLh0|#fZW8L$hg9wIl5W+>JEq zMYCA2xIZo1q~AjDSrIoph1h`)B7ofyrN07}@I20NCbGf9GWB5-Cxp)+|7d3lz{LdB z>sCTNbe!8>do5B`NX-E?CtTaf0?}_j?mx~x-0x%2E`7l|B$7WQ0?ad$+s_SI{+OUO ziRps*0kUC*_5>?s-@BQhB*Btlf8|_>GBf+zS^+Z$=$kCxZK;`g$RX`h!4ccFqDVX%HA!}<%T_2 zfl(k#VBTb8Lp~GB$dco0SLh_)uJ)1TGk5cgO~i^}S2NL!x)*$gJS1R*!K3gA!OSCrXJ|t0UFj7NdDz9A3JJWV#Bf!v zYa*<{_qV7AhwZ9o(wWTGoyy5mc6$kqxrt&T(xE>*oHH&ZE_8zqu`2V=V<8lR8J|!U zUNRy*a9olA+Ey1A=SK1!wX!Qq(m~T3F4B#Wq4!qc88+A@dx8=Mec%6^a?)`WYBIKs z=fdM|=XI6*+ie@Lhx{oazoDnSvKsCH~lK)0_*I!KF>wH%H;blLrq2{9DjZLBI{;h5<-*SU{;@?)ZH5-(;8XJTCb2RnTav|Z(h zBAK&8_b@wk3z)EBTun<~pR=@eS^f5i1h1NOF08wHVAJBHY9VHVJqGWs*9AzP6ZTX6N5dYMNH+pI1>@6k`Br>@`UoZtLZ9JIgw`t)$oHi z00!jbl%M(B?cfGaQ#q=hFs4=@8$3T<6ioJ<@&mRH5H^?1=cZ;0uj?{}-Y3*i(oF36(h8dDf 
zEM(uSbIff5EcBYVf)PI!hxpA`aUUBX5*orOO3F zeAS&!4h(+e$zTf7vsPl15M5IDk`HlimJA)6s&loF-t+b3?JTbr^r=0qiKY)1nejQP z2t-Ka&Q%)CJ`$)B%_T(|6EW_C$wF2<+uW^$S@fS`$7ykT?z-5xo7)*SDQlG2)JM@2 zm!k?|1U-c+r%|6kPHul%i1qEs!Tfir<7eh~1vgO0*!{5}qRlD+b3bdo1oK3jW?H63 zh-E&{AmTRLZ7LTA&?mfH#0FdPw0}IE`ccCK_`FQ+>_Vn#f{bfR0N_x)!KY)1oU<9i zneuKF;9f~b>QmC0O@>B@ufH7#^v0zT`P5GF^l&tE_`P`euak{AaFnW%86G>0lL7M> zjmES(9|_Y&C)&ocg4KkmG~;!W+$k?amkHL8FZs5SSjR&UsKbNm-TLUz4b24R1S=%N-De~ zutVSjIjJd66p=NlJVm}ClX*_*t{>re)~yt$j`hB_-{+BLA4!4s2C)h2?gOJJ z&{6Ok-F3?IDNW0$e_X*>%w%=QBVbJ=80ZdziWfuFf}=mTeBm~l&&nR6;$JS`~`Xh}SgcC_Kuxx&4Q&JNqZ$o!l~$QD;m z;m+n7>)LLo)F4!_m5m`I@Td<@j56n-f)GiBA(!(ybM-e{xMk7Egx3ST2)aiA{k@M> ztEm;w(8c+HozyqRmDs{|qdkzLaZHVBl1*p=i@-i)z~NjQNf`l{4xWH3Hb5vaMLi0L z1{bA)UtH|iX6x1)NdrN^CR52F76Ca50%HrI)4JO|e%})>CJOmraE?$5QIanbeE$fO zG@MmEKaZRnn<2e~tJ8@lhOXC?Gt9Dq=IzkTa_t&XSZrYoVYNL{WQizP(_;ibvY=Od zwxcBttf5uqq1YDXk8eFf*5~gp3NA)zQR3I0D3p2}BR+5MoHr0fsPl=Ca*Ljcr_eqD z+Yn-8B3HfL`CEw@UU#sB5Q`MV_e(}f<$27+2~kXtefD~`3`3aH140(24Q*7S=?O=r^_@YhgSekz!dV}*lg zbQdybmap-of^!e7K&0dEOinx}?1KMnLkC)>f`oyLK++q)7KL66TW>{}(}#e8V)$g| z)4!6t?i*v79)W2Gu-hcG)UI}4|YjH2UTrQ7k zRhAR)(d&GaqM8UKx~9x(GjT&BXOA5#f?TF%D< zXXJK<(9s0dpYp3!eY|ebr#JThN7MS@@yvI~p4WKy>+SshMSu15-QlrQwJE5^h~dVG zM7swq&=u&CYL^g?C5qBO6B!T}y1yi^Mn4B3g`^e%^vAu5^;P!J9)Et~m#s8nh&4Tb z^WgC_zCRe}<^893?)uA1{rvRB&yqoMVH_8!(C zSM{$q-@{TIy_kW!-sKd9xiTE%2TQ(DAKuZNXOM4q@qE_6h7FeB&u#w^FXxS!aaz5z zF}P?ce$o=%ksC%Rz?QM;T@y`Zh)yL!nYQdf)TT}j*=YgWHb;kLy4Vb-Ik@NPJY;tE zi%T~R!udR;C9pBAw^MP$gj@a$HJFAv8q`RbyT4TV@gqd1i_tIWU&^q_m zE|6^{FrEa0$9|2_GEv$tWD#DKy=_@$NwbrbyHHvRcHpL{a(j1M-P{{&DU9A*nzykw z;&2C@9LrMY!is(%aUYp9tdI-Jya!*>0{1ensk znOIDEx7+v~Xp5RgmX{-&gyRnJc=opqr%m&Rm1|)0T*G>{#nBfdu|<;0x9vP%Z%)lR z81u{*v$HzNp7lg^Juv4sk@5O6aDpnRd6V&%* z6a(|iQ|B?S+V8H-p943)HZXr~?HA@|cY3+bVvBmf6#Hr8vws?oG!k9(v27n6qe znv9x{?s)IP0Vo6m;(@j=OSRREBfiOQEa!1jol^+~Z%wTbQxdBO4gI?Lw3EzhqaYAc zswdGfG}THMG9pO`RWdKv((uNX#iI|SG{^LE3jSRZ-LT@JKy+i}nVWF>zgFq2zJV7~ 
z@;Pzq%dT*3Q*;92e@p3fY7{)~hCgA>1(~9>Z{w&bh&hcxr-s-wxt+?L(;Rx(TTkNJ zD5bk*05N$ElRlaR1+Z|0;4Sk3<6PAmZQD4Jp8#bO8q0JK4LpQyh$8=$&lVY#ic2GK z)ZC8@D1!pYr0EpOPCXRrPEgV>VmcJIF?d)oZ%*(VWeWt5ijp&XCaC@Vjr+pfX}wFy zgQmkpNl64JD399Sk?=#|CsGP96JeG<<82>XDt)Rc>)yqdb0k6>gQA7Cu0&i}HA2<3 z2*9;Y^rXbDLT4fl=rQvl@043wCVT%^zhsF=BlS3-E~=fy6VwqAX$gys@7rOJSE-QG e*LQ{@34Z}ogF5dYL@-SN0000 - diff --git a/collections/_evergreen/android.md b/collections/_evergreen/android.md index b3127588..f87f304c 100644 --- a/collections/_evergreen/android.md +++ b/collections/_evergreen/android.md 
@@ -60,7 +60,7 @@ Modern Android devices have global toggles for disabling [Bluetooth](https://en. ### Avoid Root [Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses. -Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](/providers/dns) or [VPN](/providers/vpn/) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. +Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. 
For Adblocking we suggest encrypted [DNS](/dns) or [VPN](/providers/vpn/) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. diff --git a/collections/_evergreen/dns.md b/collections/_evergreen/dns.md new file mode 100644 index 00000000..88a4abb6 --- /dev/null +++ b/collections/_evergreen/dns.md 
@@ -0,0 +1,266 @@ +--- +layout: page +title: "DNS Resolvers" +description: "The [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to [IP](https://en.wikipedia.org/wiki/Internet_Protocol) addresses so browsers and other services can load Internet resources, through a decentralized network of servers." +--- + +## What is DNS? +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the [ISP](https://en.wikipedia.org/wiki/Internet_service_provider) via [Dynamic Host Configuration Protocol (DHCP)](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When a user requests the IP of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [deep packet inspection (DPI)](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses the [User Datagram Protocol (UDP)](https://en.wikipedia.org/wiki/User_Datagram_Protocol). + +Below we discuss what an outside observer may see using regular unencrypted DNS, and [encrypted DNS](/dns/#what-is-encrypted-dns). + +### Unencrypted DNS +1. 
Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: +
    tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
    + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically unless they are configured to use [encrypted DNS](/dns/#what-is-encrypted-dns). +
    +   dig +noall +answer privacyguides.org @1.1.1.1
    +   dig +noall +answer privacyguides.org @8.8.8.8
    +   
    + + or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) on Windows: +
    +   nslookup privacyguides.org 1.1.1.1
    +   nslookup privacyguides.org 8.8.8.8
    +   
    + +3. Next we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: +
    wireshark -r /tmp/dns.pcap
    + or: +
    tshark -r /tmp/dns.pcap
    + +If you ran the Wireguard command above the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction and can aggregate those frames to produce statistical data useful to the network observer. + +{% include table-unencrypted-dns.html %} + +An observer could modify any of these packets. + +## What is "encrypted DNS"? +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. The [protocol](https://en.wikipedia.org/wiki/DNSCrypt#Protocol) operates on [port 443](https://en.wikipedia.org/wiki/Well-known_ports) and works with both the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) or [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS (DoH)](/dns/#dns-over-https-doh). + +### DNS over TLS (DoT) +[**DNS over TLS (DoT)**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). 
Support was first implemented in [Android 9](https://en.wikipedia.org/wiki/Android_Pie), [iOS 14](https://en.wikipedia.org/wiki/IOS_14) and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to [DNS over HTTPS](/dns/#dns-over-https-doh) in recent years as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 and that can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Support was first added in web browsers such as [Firefox 60](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) and [Chrome 83](https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html). + +Native implementations showed up in [iOS 14](https://en.wikipedia.org/wiki/IOS_14), [macOS 11](https://en.wikipedia.org/wiki/MacOS_11), [Microsoft Windows](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support), and Android 13 (however it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so installing third party software is still required as described [below](/dns/#linux). + +## What can an outside party see? +In this example we will record what happens when we make a DoH request: + +1. Firstly start `tshark`: +
    +   tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
    +   
    + +2. Secondly make a request with `curl`: +
    +   curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
    +   
    + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: +
    wireshark -r /tmp/dns_doh.pcap
    + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](/threat-modeling/). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org), or a [VPN](/providers/vpn/) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN you are already trusting them with all your network activity. We made this flow chart to describe when you *should* use "encrypted DNS": + + + + DNS flowchart + + +When we do a DNS lookup, it's generally because we want to access a resource. Below we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, Wordpress, Blogger etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. 
+ +### Server Name Indication (SNI) +Server Name Indication, is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: +
    +   tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
    +   
    + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we what to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: +
    wireshark -r /tmp/pg.pcap
    + We will see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), followed by the [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: +
    +   ▸ Transport Layer Security
    +     ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    +       ▸ Handshake Protocol: Client Hello
    +         ▸ Extension: server_name (len=22)
    +           ▸ Server Name Indication extension
    +   
    + +6. We can see the [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: +
    +    tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
    +   
    + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` be also encrypted. + +### Online Certificate Status Protocol (OCSP) +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a [HTTPS](https://en.wikipedia.org/wiki/HTTPS) website, the browser might check to see if the [X.509](https://en.wikipedia.org/wiki/X.509) [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been [revoked](https://en.wikipedia.org/wiki/Certificate_revocation_list). This is generally done through the [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. 
+ +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: +
    +   openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
    +       sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
    +   
    + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. +
    +   openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
    +       sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
    +   
    + +3. The first certificate in `pg_and_intermediate.cert`, is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: +
    +   sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
    +       /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
    +   
    + +4. Get the OCSP responder for the server certificate: +
    openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
    + + If we want to see all the details of the certificate we can use: +
    openssl x509 -text -noout -in /tmp/pg_server.cert
    + Our certificate shows the Lets Encrypt certificate responder. + +5. Start the packet capture: +
    +   tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
    +   
    + +6. Make the OCSP request: +
    +   openssl ocsp -issuer /tmp/intermediate_chain.cert \
    +                -cert /tmp/pg_server.cert \
    +                -text \
    +                -url http://r3.o.lencr.org
    +   
    + +6. Open the capture: +
    +   wireshark -r /tmp/pg_ocsp.pcap
    +   
    + + There will be two packets with the "OCSP" protocol; a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: +
    +   ▸ Online Certificate Status Protocol
    +     ▸ tbsRequest
    +       ▸ requestList: 1 item
    +         ▸ Request
    +           ▸ reqCert
    +             serialNumber
    +   
    + For the "Response" we can also see the "serial number": +
    +   ▸ Online Certificate Status Protocol
    +     ▸ responseBytes
    +       ▸ BasicOCSPResponse
    +         ▸ tbsResponseData
    +           ▸ responses: 1 item
    +             ▸ SingleResponse
    +               ▸ certID
    +                 serialNumber
    +   
    + +7. Or use `tshark` to filter the packets for the Serial Number: +
    +   tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
    +   
    + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Why should I use encrypted DNS? +You should only use DNS if your [threat model](/threat-modeling/) doesn't require you to hide any of your browsing activity. Encrypted DNS should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. + +Encrypted DNS can also help if your ISP obnoxiously redirects you to other websites. These are our recommendations for servers: + +{% include recommendation-table.html data='dns' %} + +The criteria for servers for this table are: + * Must support [DNSSEC](/dns/#what-is-dnssec-and-when-is-it-used) + * Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support + * [QNAME Minimization](/dns/#what-is-qname-minimization) + +## What is DNSSEC and when is it used? +[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](/dns#what-is-encrypted-dns) protocols discussed above. + +## What is QNAME minimization? +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). 
+ +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. + +## Native Operating System Support + +### Android +Android 9 and above support DNS over TLS. Android 13 will support DNS over HTTPS. The settings can be found in: *Settings* → *Network & Internet* → *Private DNS*. + +### Apple Devices +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that utilizes the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. 
+ + * **iOS/iPadOS:** *Settings → General → VPN, DNS, & Device Management → DNS* + * **macOS:** *System Preferences → Network* + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). + + * **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [ControlD](https://kb.controld.com/en/tutorials), [NextDNS](https://apple.nextdns.io), [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +### Windows +Windows users can [turn on DoH](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support), by accessing Windows settings in the control panel. + +Select *Settings* → *Network & Internet* → *Ethernet* or *WiFi*, → *Edit DNS Settings* → Preferred DNS encryption → *Encrypted only (DNS over HTTPS)*. + +### Linux +`systemd-resolved` doesn't [yet support](https://github.com/systemd/systemd/issues/8639), which many Linux distributions use to do their DNS lookups. This means you need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +### Encrypted DNS Proxies +This software provides third-party encrypted DNS support by pointing the [unencrypted dns](/dns/#unencrypted-dns) resolver to a local [encrypted dns](/dns/#what-is-encrypted-dns) proxy. 
+ +{% for item_hash in site.data.software.dns-apps %} +{% assign item = item_hash[1] %} + +{% if item.type == "Recommendation" %} +{% include recommendation-card.html %} +{% endif %} + +{% endfor %} diff --git a/collections/_evergreen/linux-desktop.md b/collections/_evergreen/linux-desktop.md index f322e2a2..e8c8f046 100644 --- a/collections/_evergreen/linux-desktop.md +++ b/collections/_evergreen/linux-desktop.md @@ -255,9 +255,9 @@ There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.: -``` +
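Review bot: The closing claim of the SNI section in the new `dns.md`, that TLS v1.3 "brings with it" Encrypted Client Hello "which prevents this kind of leak", overstates the protection: ECH is a separate TLS extension that hides the server name only when both the client and the site support it, so an ordinary TLS 1.3 connection still exposes SNI. I would write `[Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) is an extension to TLS 1.3 that prevents this kind of leak when both the browser and the site support it.` The introduction has a similar problem in `Unencrypted DNS always uses port 53 and always uses UDP`: DNS also runs over TCP on port 53 (for example for large responses), so "usually uses UDP" is accurate. The step 1 capture filter also needs grouping, `tshark -w /tmp/dns.pcap "udp port 53 and (host 1.1.1.1 or host 8.8.8.8)"`, because `and` and `or` have equal precedence in capture filters and the filter as written records all traffic to 8.8.8.8. Three slips change the meaning: `If you ran the Wireguard command above` should name Wireshark, `You should only use DNS if your threat model` should read "encrypted DNS", and the introduction gives `192.98.54.105` where later sections use `198.98.54.105`.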
     sudo authselect select  with-faillock without-nullok with-pamaccess
    -```
    +
    On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) is not available, consider using [`pam_tally2`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) instead. diff --git a/collections/_pages/providers/dns.md b/collections/_pages/providers/dns.md deleted file mode 100644 index 438654e0..00000000 --- a/collections/_pages/providers/dns.md +++ /dev/null 
@@ -1,115 +0,0 @@
----
-layout: page
-title: "Encrypted DNS Resolvers"
-description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."
----
-
-
-
-{% include recommendation-table.html data='dns' %}
-
-## Encrypted DNS Clients for Desktop
-
-{%
- include legacy/cardv2.html
- title="Unbound"
- image="/assets/img/legacy_svg/3rd-party/unbound.svg"
- description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been independently audited.'
- website="https://nlnetlabs.nl/projects/unbound/about/"
- github="https://github.com/NLnetLabs/unbound"
-%}
-
-{%
- include legacy/cardv2.html
- title="dnscrypt-proxy"
- image="/assets/img/legacy_svg/3rd-party/dnscrypt-proxy.svg"
- description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that the hides client IP address.'
- website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
- github="https://github.com/DNSCrypt/dnscrypt-proxy"
-%}
-
-{%
- include legacy/cardv2.html
- title="Stubby"
- image="/assets/img/legacy_png/3rd-party/stubby.png"
- description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
- website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
- github="https://github.com/getdnsapi/stubby"
-%}
-
-{%
- include legacy/cardv2.html
- title="Firefox's built-in DNS-over-HTTPS resolver"
- image="/assets/img/legacy_svg/3rd-party/firefox_browser.svg"
- description='Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare but users can manually use any other DoH resolver.'
- labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox#what-information-does-the-cloudflare-resolver-for-firefox-collect::text==Warning::tooltip==Cloudflare stores personally identifiable information such as user IP addresses and query information for up to 24 hours, and retains some bulk anonymized data indefinitely."
- website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
- privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
-%}
-
-## Encrypted DNS Clients for Android
-
-{%
- include legacy/cardv2.html
- title="Android 9's built-in DNS-over-TLS resolver"
- image="/assets/img/legacy_svg/3rd-party/android.svg"
- description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
- labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
- website="https://support.google.com/android/answer/9089903#private_dns"
-%}
-
-{%
- include legacy/cardv2.html
- title="Nebulo"
- image="/assets/img/legacy_png/3rd-party/nebulo.png"
- description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
- website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
- privacy-policy="https://smokescreen.app/privacypolicy"
- fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
- googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
- source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
-%}
-
-## Encrypted DNS Clients for iOS
-
-{%
- include legacy/cardv2.html
- title="DNSCloak"
- image="/assets/img/legacy_png/3rd-party/dnscloak.png"
- description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.'
- website="https://github.com/s-s/dnscloak/blob/master/README.md"
- privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
- ios="https://apps.apple.com/app/id1452162351"
- github="https://github.com/s-s/dnscloak"
-%}
-
-## Native Operating System Support
-
-

    - In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in Safari). - After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS. -

    - - - -## Definitions - -

    DNS-over-TLS (DoT): - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. -

    - -

    DNS-over-HTTPS (DoH): - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %} -

    - -

    DNSCrypt: - With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS. -

    - -

    Anonymized DNSCrypt: - A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of relays. -

    diff --git a/collections/_posts/2019-11-09-firefox-privacy.md b/collections/_posts/2019-11-09-firefox-privacy.md
index a436bf1c..8c3cbf7d 100644
--- a/collections/_posts/2019-11-09-firefox-privacy.md
+++ b/collections/_posts/2019-11-09-firefox-privacy.md
@@ -42,7 +42,7 @@ Encrypted DNS takes many forms: DNS over HTTPS (DoH), DNS over TLS, DNSCrypt, et
 ![Screenshot of the Enable DNS over HTTPS box checked, with Cloudflare selected in the provider dropdown.](/assets/img/blog/firefox-privacy-1.png){:.img-fluid .w-75 .mx-auto .d-block}
-Keep in mind that by using DoH you're sending all your queries to a single provider, probably Cloudflare unless you choose [another provider](https://privacyguides.org/providers/dns/) that supports DNS over HTTPS. While it may add some privacy protection from your ISP, you're only shifting that trust to the DoH provider. Make sure that's something you want to do.
+Keep in mind that by using DoH you're sending all your queries to a single provider, probably Cloudflare unless you choose [another provider](https://privacyguides.org/dns) that supports DNS over HTTPS. While it may add some privacy protection from your ISP, you're only shifting that trust to the DoH provider. Make sure that's something you want to do.
 It should also be noted that even with DoH, your ISP will still be able to see what domain you're connecting to because of a technology called Server Name Indication (SNI). Until SNI is encrypted as well, there's no getting around it. Encrypted SNI (eSNI) is in the works — and can actually be [enabled on Firefox](https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/) today — but it only works with a small number of servers, mainly ones operated by Cloudflare, so its use is limited currently. Therefore, while DoH provides some additional privacy and integrity protections, its use as a privacy tool is limited until other supplemental tools like eSNI and [DNSSEC](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en) are finalized and implemented.