From 0ce095edc84695e3f01a25cf94f8dd5663f271b4 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 9 Sep 2022 01:57:13 -0400
Subject: [PATCH] NetworkManager Trackability Reduction

Signed-off-by: Tommy
---
 .../NetworkManager Trackability Reduction.md | 189 ++++++++++++++++++
 layouts/shortcodes/terminal.html             |   1 +
 static/images/nm-connection-editor.webp      | Bin 0 -> 19268 bytes
 3 files changed, 190 insertions(+)
 create mode 100644 content/os/NetworkManager Trackability Reduction.md
 create mode 100644 layouts/shortcodes/terminal.html
 create mode 100644 static/images/nm-connection-editor.webp

diff --git a/content/os/NetworkManager Trackability Reduction.md b/content/os/NetworkManager Trackability Reduction.md
new file mode 100644
index 0000000..b85fbe5
--- /dev/null
+++ b/content/os/NetworkManager Trackability Reduction.md
@@ -0,0 +1,189 @@ +--- +title: "NetworkManager Trackability Reduction" +tags: ['Operating Systems', 'Linux', 'Privacy'] +date: 2022-09-04 +author: WfKe9vLwSvv7rN +canonicalURL: https://wanderingcomputerer.gitlab.io/guides/tips/nm-hardening/ +ShowCanonicalLink: true +--- + +## MAC address randomization + +Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. + +Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. + +There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: + +#### WiFi scanning + +```bash +[device] +wifi.scan-rand-mac-address=yes +``` + +#### WiFi connections + +```bash +[connection] +wifi.cloned-mac-address= +``` + +#### Ethernet connections + +```bash +[connection] +ethernet.cloned-mac-address= +``` + +#### Mode options + +`random`: Generate a new random MAC address every time a connection is activated + +`stable`: Assign each connection a random MAC address that will be maintained across activations + +`preserve`: Use the MAC address already assigned to the interface (such as from `macchanger`), or the permanent address if none is assigned + +`permanent`: Use the MAC address permanently baked into the hardware + +### Setting a default configuration {#macrand-default-configuration} + +It's best to create a dedicated configuration file, such as `/etc/NetworkManager/conf.d/99-random-mac.conf`, to ensure package updates do not overwrite the configuration. In general, I recommend the following: + +```bash +[device] +wifi.scan-rand-mac-address=yes + +[connection] +wifi.cloned-mac-address=random +ethernet.cloned-mac-address=random +``` + +This configuration randomizes all MAC addresses by default. These settings can of course be [overridden on a per-connection basis](#per-connection-overrides). 
+ +After editing the file, run `sudo nmcli general reload conf` to apply the new configuration. + +### Per-connection overrides + +Connection-specific settings take precedence over configuration file defaults. They can be set through `nm-connection-editor`("Network Connections"), a DE-specific network settings GUI, `nmtui`, or `nmcli`. + +Look for "Cloned MAC address" under the "Wi-Fi" or "Ethernet" section: + +![nm-connection-editor screenshot](/images/nm-connection-editor.webp) + +In addition to the four mode keywords, you can input an exact MAC address to be used for that connection. + +For a home or other trusted network, it can be helpful to use `stable` or even `permanent`, as MAC address stability can help avoid being repeatedly served a new IP address and DHCP lease (though not all DHCP servers work this way). + +For public networks with captive portals (webpages that must be accessed to gain network access), the `stable` setting can help prevent redirection back to the captive portal after a brief disconnection or roaming to a different access point. + +### Seeing the randomized MAC address + +Activate the connection in question, and then look for `GENERAL.HWADDR` in the output of `nmcli device show`. This represents the MAC address currently in use by the interface, whether randomized or not. It is also visible as "Hardware Address" (or similar) in NetworkManager GUIs under active connection details. 
+ +{{< terminal >}} +$ nmcli device show +GENERAL.DEVICE: enp5s0 +GENERAL.TYPE: ethernet +GENERAL.HWADDR: XX:XX:XX:XX:XX:XX +… + +GENERAL.DEVICE: wlp3s0 +GENERAL.TYPE: wifi +GENERAL.HWADDR: XX:XX:XX:XX:XX:XX +… +{{< /terminal >}} + +### Sources + +- [MAC Address Spoofing in NetworkManager 1.4.0](https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/) +- [NetworkManager.conf man page](https://networkmanager.dev/docs/api/latest/NetworkManager.conf.html) +- [ArchWiki --- NetworkManager](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization) + +--- + +## Remove static hostname to prevent hostname broadcast + + +```bash +sudo hostnamectl hostname "localhost" +``` + +An empty (blank) hostname is also an option, but a static hostname of "localhost" is less likely to cause breakage. Both will result in no hostname being broadcasted to the DHCP server. + +### Disabling transient hostname management {#rmhostname-transient} + +It's best to create a dedicated configuration file, such as `/etc/NetworkManager/conf.d/01-transient-hostname.conf`, to ensure package updates do not overwrite the configuration: + +```bash +[main] +hostname-mode=none +``` + +This will prevent NetworkManager from setting transient hostnames that may be provided by some DHCP servers. This will have no visible effect except with an empty static hostname. + +After editing the file, run `sudo nmcli general reload conf` to apply the new configuration. Run `sudo hostnamectl \--transient hostname` to reset the transient hostname. + +### Sources + +- [NetworkManager.conf man page](https://networkmanager.dev/docs/api/latest/NetworkManager.conf.html) +- [hostnamectl man page](https://www.freedesktop.org/software/systemd/man/hostnamectl) + +--- + +## Disable sending hostname to DHCP server + +**This configuration will leak your hostname on first connection.** Setting a generic or random hostname is strongly recommended if possible. 
+ +Due to [limitations in NetworkManager](https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/584 "NetworkManager issue: No way to set dhcp-send-hostname globally"), it is not possible to reliably disable sending hostnames by default. This setup is very much a hack. + +Due to being leaky, this configuration is virtually useless without also [randomizing MAC addresses by default](#macrand-default-configuration "MAC address randomization — Setting a default configuration"). Your MAC address and hostname will not be correlated starting with the second connection, assuming the first connection used a random MAC address. + +Create `/etc/NetworkManager/dispatcher.d/no-wait.d/01-no-send-hostname.sh` as follows: + +```bash +#!/bin/sh + +if [ "$(nmcli -g 802-11-wireless.cloned-mac-address c show "$CONNECTION_UUID")" = 'permanent' ] \ + || [ "$(nmcli -g 802-3-ethernet.cloned-mac-address c show "$CONNECTION_UUID")" = 'permanent' ] +then + nmcli connection modify "$CONNECTION_UUID" \ + ipv4.dhcp-send-hostname true \ + ipv6.dhcp-send-hostname true +else + nmcli connection modify "$CONNECTION_UUID" \ + ipv4.dhcp-send-hostname false \ + ipv6.dhcp-send-hostname false +fi +``` + +The script must have specific file permissions and a symlink to take effect: + +```bash +cd /etc/NetworkManager/dispatcher.d/ +sudo chown root:root no-wait.d/01-no-send-hostname.sh +sudo chmod 744 no-wait.d/01-no-send-hostname.sh +sudo ln -s no-wait.d/01-no-send-hostname.sh +``` + +This script will be automatically triggered on connection events to modify the connection's `dhcp-send-hostname` settings. If the connection's _cloned MAC address_ is [explicitly overridden](#per-connection-overrides) to `permanent`, the hostname will be sent to the DHCP server on future connections. In all other cases, the hostname will be masked on future connections, so the DHCP server will only see the MAC address. 
+ +### Verifying proper operation + +After initiating first connection with a network: + +{{< terminal >}} +$ nmcli c show <connection> | grep dhcp-send-hostname +ipv4.dhcp-send-hostname: no +ipv6.dhcp-send-hostname: no +{{< /terminal >}} + +`` can be the connection name (usually the SSID for WiFi networks) or UUID, obtained from `nmcli c show [--active]`. + +_Recall that these setting values are set based on the previous connection activation and take effect for the next connection activation._ + +### Sources + +- [NetworkManager: Disable Sending Hostname to DHCP Server](https://viliampucik.blogspot.com/2016/09/networkmanager-disable-sending-hostname.html) +- [NetworkManager-dispatcher man page](https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html) +- [nmcli man page](https://networkmanager.dev/docs/api/latest/nmcli.html) \ No newline at end of file diff --git a/layouts/shortcodes/terminal.html b/layouts/shortcodes/terminal.html new file mode 100644 index 0000000..ddaa399 --- /dev/null +++ b/layouts/shortcodes/terminal.html @@ -0,0 +1 @@ +
{{ trim .Inner "\n" | safeHTML }}
\ No newline at end of file 
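Review bot: the dispatcher script `01-no-send-hostname.sh` in the "Disable sending hostname to DHCP server" section never checks the dispatcher action argument (`$2`), so its `nmcli connection modify` runs on every event delivered for that connection rather than once per activation, and on events where `CONNECTION_UUID` is not set (for example the `hostname` and `connectivity-change` actions) the `nmcli -g ... c show ""` calls simply fail; guard the body with something like `case "$2" in up) ;; *) exit 0 ;; esac` so the `dhcp-send-hostname` settings are rewritten exactly once per activation, which is also what the "take effect for the next connection activation" note describes. Two smaller points in the same hunk: `sudo hostnamectl \--transient hostname` carries a stray backslash before `--transient`, and with no name argument that command prints the transient hostname rather than resetting it, so spell out the value being set; and the inline code span before "can be the connection name" is empty where it should read `<connection>` to match the `nmcli c show <connection>` terminal example. Finally, the `[device]`, `[connection]` and `[main]` snippets are fenced as `bash` but are NetworkManager.conf keyfile content; fencing them as `ini` gives correct highlighting and avoids suggesting they are shell commands.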
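Review bot: piping `.Inner` through `safeHTML` disables Hugo's escaping for the shortcode body, so literal angle brackets inside `{{< terminal >}}` blocks in the markdown file, such as the `<connection>` placeholder in `nmcli c show <connection>`, reach the browser as an HTML tag and vanish from the rendered page; use `htmlEscape` instead of `safeHTML` (or require authors to write `&lt;connection&gt;`) so placeholders render verbatim. The template also has no trailing newline (`\ No newline at end of file`); adding one keeps future diffs of this one-line file clean.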
diff --git a/static/images/nm-connection-editor.webp b/static/images/nm-connection-editor.webp
new file mode 100644
index 0000000000000000000000000000000000000000..55efc998115c533ae28814a504cd5ba0cabbc76f
GIT binary patch
literal 19268