From 93ac0871107d4b21845fb14d9d439f38823db2ad Mon Sep 17 00:00:00 2001
From: Antonino Lorenzo <94693967+antoninoLorenzo@users.noreply.github.com>
Date: Tue, 16 Jul 2024 15:28:08 +0200
Subject: [PATCH] Update RAG Evaluation prompts + re-compute

---
 data/rag_eval/owasp_50.json | 107 ++++++++++++++-
 .../results/plots/context_precision.png | Bin 20529 -> 24017 bytes
 .../rag_eval/results/plots/context_recall.png | Bin 22668 -> 28626 bytes
 data/rag_eval/results/results.json | 4 +-
 .../rag/__pycache__/metrics.cpython-311.pyc | Bin 7241 -> 7292 bytes
 test/benchmarks/rag/evaluation.py | 23 ++--
 test/benchmarks/rag/metrics.py | 125 ++++++++++--------
 test/benchmarks/rag/tmp_eval_ds.json | 1 +
 test/benchmarks/rag/tmp_metrics.json | 1 +
 9 files changed, 191 insertions(+), 70 deletions(-)
 create mode 100644 test/benchmarks/rag/tmp_eval_ds.json
 create mode 100644 test/benchmarks/rag/tmp_metrics.json

diff --git a/data/rag_eval/owasp_50.json b/data/rag_eval/owasp_50.json
index d0fd4d6..4063051 100644
--- a/data/rag_eval/owasp_50.json
+++ b/data/rag_eval/owasp_50.json
@@ -1 +1,106 @@ -{"question":{"0":"What are the potential consequences of access control failures during a penetration test?","1":"What vulnerabilities in the third-party cloud hosting provider allowed the airline's data to be exposed for over ten years?","2":"If security settings for application servers, frameworks, libraries, and databases are not set to secure values, what vulnerabilities could a penetration tester exploit?","3":"What are the security logging and monitoring practices recommended by the OWASP Top 10 community survey, and how do they compare to the recommendations from the 2017 survey?","4":"While escaping special characters helps mitigate SQL injection vulnerabilities, why are user-supplied table and column names considered dangerous, and what kind of software is particularly vulnerable to this issue?","5":"How can an attacker exploit the use of unverified data in a SQL query that accesses account information to gain unauthorized access to user accounts?","6":"What are the key steps involved in establishing a secure development lifecycle to prevent vulnerabilities during application development?","7":"What are some common types of injection attacks that target dynamic queries and commands, and how is source code review helpful in identifying vulnerabilities to these attacks?","8":"What type of malicious action could a more dangerous attack perform beyond simply retrieving data from the accounts table?","9":"If an application server configuration exposes detailed error messages to users, what sensitive information could potentially be leaked, and what vulnerabilities might be exposed?","10":"If a penetration tester discovered that the security settings in the application servers and databases were not set to secure values, what vulnerabilities might they exploit?","11":"What is the potential risk of relying solely on password complexity and rotation as security measures for authentication?","12":"What security measures should be implemented to 
protect sensitive data, such as passwords and financial information, when it is transmitted or stored? ","13":"If a penetration test or DAST scan does not trigger alerts, how does the application ensure it can detect and respond to real-time attacks?","14":"What are the common vulnerabilities that can arise when user-supplied data is not properly validated or sanitized in an application, and how can these vulnerabilities be mitigated?","15":"What specific weaknesses in cryptography or its absence contribute to the exposure of sensitive data, making it a significant security concern?","16":"How can integrating security specialists early in the software development lifecycle contribute to building more secure applications?","17":"How can penetration testers assess the effectiveness of access control mechanisms implemented across the application, considering the goal of minimizing CORS usage and enforcing record ownership?","18":"If the application uses Java serialization to handle user state, could an attacker exploit this mechanism to achieve remote code execution by utilizing tools like Java Serial Killer?","19":"What are the key differences between an insecure design and an insecure implementation in the context of cybersecurity and penetration testing?","20":"How can rate limiting API and controller access help mitigate the impact of automated attacks?","21":"What are the security risks associated with not changing default accounts in an admin console, and how can an attacker exploit this vulnerability?","22":"How can threat modeling be used during refinement sessions to identify potential security risks associated with changes in data flows and access controls within a user story?","23":"What are the security implications of using hard-coded passwords, weak cryptographic algorithms, and insufficient entropy in data protection, particularly when sensitive data like financial information or personal records are involved?","24":"What are some examples of Common 
Weakness Enumerations (CWEs) that fall under the 'Broken Authentication' category, and how do they relate to identification failures?","25":"What are the potential vulnerabilities if an unauthenticated user can access an administrative page intended only for authorized personnel?","26":"How can login failures, access control breaches, and server-side input validation errors be logged effectively with sufficient user context to detect malicious activity, and how can this log data be formatted for easy consumption by security monitoring tools?","27":"Why did security logging and monitoring move up in the OWASP Top 10 rankings from 2017 to 2023?","28":"What are some automated tools that attackers can use to identify systems with unpatched vulnerabilities, like the Heartbleed vulnerability, and what are some examples of vulnerabilities that attackers can exploit?","29":"What is a common vulnerability that enables attackers to execute arbitrary code on a server, and what is an example of a high-profile breach that was attributed to this type of vulnerability?","30":"During user story development, how can penetration testing be integrated to identify potential vulnerabilities related to data flow changes and access control mechanisms?","31":"What tools can be used to continuously inventory the versions of both client-side and server-side components, and how can these tools be used to monitor for vulnerabilities in these components?","32":"What are some common consequences of access control failures during a penetration test?","33":"If penetration testing and DAST tools like OWASP ZAP don't trigger alerts, how can the application be improved to detect and respond to active attacks in real-time or near real-time?","34":"What are the potential vulnerabilities if an unauthenticated user can access pages that are intended for authenticated users only?","35":"If a web application fetches a remote resource without validating the user-supplied URL, what type of vulnerability 
could this indicate, and what potential impact could it have?","36":"What are the potential consequences if access control mechanisms fail during a penetration test?","37":"What are some of the key security considerations to address when building and deploying software within a secure software supply chain?","38":"How can attackers exploit vulnerabilities like SQL injection to directly manipulate data or commands within a database?","39":"What specific security risk is associated with returning detailed error messages, including stack traces, to users in a web application?","40":"When using adaptive and salted hashing functions for password storage, what is the purpose of the work factor or delay factor?","41":"How can an attacker bypass access control checks in a web application and gain unauthorized access, such as viewing or editing someone else's account?","42":"What are the security risks associated with a web application that exposes session identifiers in the URL and does not properly invalidate session IDs during logout?","43":"What are the recommended hashing functions for storing passwords, and what factors should be considered when choosing them?","44":"What tools and resources are recommended for continuously tracking the versions of client-side and server-side components, as well as monitoring for vulnerabilities in those components?","45":"Are deprecated cryptographic padding methods like PKCS number 1 v1.5 being utilized in the application, potentially creating vulnerabilities for padding oracle attacks?","46":"What kind of security vulnerability is present if an unauthenticated user can access a page that should only be accessible to authenticated users?","47":"What are the key elements of a secure development lifecycle (SDL) and why is it important to involve security specialists from the beginning of a software project?","48":"If an attacker could force a user to browse to a specific URL, such as 
\"https:\/\/example.com\/app\/accountInfo?acct=notmyacct\", could they access sensitive account information without proper authorization?","49":"What type of vulnerability is demonstrated in the provided attack scenarios and how can an attacker exploit it to delay or disrupt the application's operation?"},"ground_truth":{"0":"Access control failures during a penetration test can have severe consequences, including unauthorized information disclosure, modification, or destruction of sensitive data. Attackers could potentially gain access to confidential information, alter critical system settings, or even disrupt business operations by performing actions outside their authorized limits. These breaches can lead to financial losses, reputational damage, legal ramifications, and even operational downtime. In extreme cases, access control failures can be exploited to gain complete control over the targeted system, creating a serious security risk.","1":"The provided context doesn't explicitly state the vulnerabilities that allowed the airline's data to be exposed for over ten years. The information only mentions the lack of logging and monitoring, which likely contributed to the undetected breach. However, to determine the specific vulnerabilities exploited, further details about the cloud hosting provider's security practices, the nature of the breach, and the exploited weaknesses in their systems are required.","2":"If security settings for application servers, frameworks, libraries, and databases are not set to secure values, a penetration tester could exploit a wide range of vulnerabilities. This includes:\n\n* **Default credentials:** Unchanged default accounts can be easily exploited for unauthorized access. 
Penetration testers can use readily available lists of default credentials to gain access.\n* **Insecure configuration:** Misconfigured settings, like weak encryption algorithms, open ports, and overly permissive permissions, can lead to data breaches, privilege escalation, and other security issues. This can allow attackers to bypass security measures and access sensitive information.\n* **Missing or insecure security headers:** Lack of or improperly configured security headers (e.g., HSTS, Content Security Policy) can make the application vulnerable to cross-site scripting (XSS), clickjacking, and other attacks.\n* **Insecure error handling:** Detailed error messages revealing sensitive information, such as stack traces, can be exploited by attackers to understand the application's internal workings and potentially find vulnerabilities.\n* **Outdated software:** Using outdated software with known vulnerabilities can lead to exploitation by attackers. Penetration testers can exploit these vulnerabilities by using readily available exploits or by developing custom exploits for unpatched vulnerabilities.\n* **Weak authentication mechanisms:** Poorly implemented authentication mechanisms, such as weak password policies, lack of two-factor authentication, or vulnerable session management, can be exploited to gain unauthorized access to the system.\n\nPenetration testers will leverage various techniques and tools to identify and exploit these weaknesses in an application's security posture. By understanding these potential vulnerabilities, organizations can prioritize securing their applications and mitigating the risks associated with insecure configurations.","3":"The OWASP Top 10 community survey highlighted the increasing importance of security logging and monitoring, moving it up from tenth position in 2017 to third place in the latest survey. 
This indicates a growing recognition among security professionals of the crucial role logging and monitoring play in detecting and responding to security threats. While specific recommendations may vary depending on the survey year, the core principles remain consistent: robust logging practices, real-time monitoring capabilities, and the ability to analyze log data effectively are essential components of any comprehensive security strategy.","4":"User-supplied table and column names are dangerous because they can be used to access and modify data outside of the intended scope of the application. For example, an attacker could provide a table name that matches a system table, such as 'information_schema', and then use a column name to retrieve sensitive information about the database. This is particularly dangerous in report-writing software, where users may have the ability to generate reports based on custom data structures, which can be exploited to access sensitive data. Because these structures cannot be escaped, they allow for direct access and modification of data without any filtering or validation.","5":"By manipulating the 'acct' parameter in the browser request, an attacker can directly input any account number they desire. If the application fails to properly verify this input before executing the SQL query, the attacker can bypass security checks and access any user's account information. This vulnerability highlights the importance of input validation to prevent attackers from injecting malicious data into SQL queries.","6":"A secure development lifecycle (SDL) is crucial for preventing vulnerabilities during application development. Here are key steps based on the provided context:\n\n1. **Involve AppSec Professionals:** Integrate security experts from the outset to design and evaluate security and privacy controls. This ensures robust security considerations are built into the application architecture. \n\n2. 
**Secure Design Patterns and Components:** Leverage pre-built secure design patterns and components to streamline development and minimize vulnerabilities. This provides a foundation of security best practices. \n\n3. **Threat Modeling:** Conduct threat modeling exercises to identify potential vulnerabilities in critical areas such as authentication, authorization, business logic, and key data flows. This helps prioritize security efforts. \n\n4. **Security Language in User Stories:** Incorporate security requirements into user stories and development tasks. This ensures security considerations are addressed throughout the development process. \n\n5. **Plausibility Checks:** Implement plausibility checks at each tier of the application, from the frontend to the backend. This helps validate user inputs and prevent potential attacks. \n\n6. **Security Testing:** Write unit and integration tests to validate that all critical flows are resistant to threats identified in the threat model. Include both use cases and misuse cases to test for vulnerabilities. \n\n7. **Tier Segregation:** Segregate different application tiers (frontend, backend, etc.) on both the system and network layers based on their exposure and protection needs. This helps contain potential breaches. \n\n8. **Robust Tenant Segregation:** Ensure tenants are securely segregated across all application tiers by design. This prevents unauthorized access and data breaches between different user groups. 
","7":"Common injection attacks that target dynamic queries and commands include:\n\n* **SQL Injection (SQLi):** Exploits vulnerabilities in SQL queries to manipulate database operations, potentially leading to data theft, modification, or denial of service.\n* **NoSQL Injection:** Targets NoSQL databases, aiming to bypass authentication, gain unauthorized access, or manipulate data stored in the database.\n* **OS Command Injection:** Allows attackers to execute arbitrary operating system commands on the server hosting the application.\n* **Object Relational Mapping (ORM) Injection:** Exploits weaknesses in the mapping between object-oriented code and relational databases, enabling attackers to manipulate database queries.\n* **LDAP Injection:** Targets Lightweight Directory Access Protocol (LDAP) servers, enabling attackers to bypass authentication or gain unauthorized access to directory information.\n* **Expression Language (EL) or Object Graph Navigation Library (OGNL) Injection:** Targets applications that use expression languages or object graph navigation libraries, potentially allowing attackers to execute arbitrary code or access sensitive data.\n\nSource code review is crucial in identifying vulnerabilities to these injection attacks. By examining the code, security analysts can:\n\n* **Identify points where user input is directly used in queries or commands:** This highlights potential entry points for injection attacks.\n* **Analyze how data is sanitized and validated:** Proper sanitization and validation mechanisms can prevent malicious data from being injected into queries or commands.\n* **Review the implementation of security controls:** Security controls, such as parameterized queries and input validation, can mitigate injection vulnerabilities.\n* **Identify potential vulnerabilities in third-party libraries:** Injection vulnerabilities can often be found in third-party libraries used by the application. 
\n\nBy performing comprehensive source code review, developers and security professionals can proactively identify and address injection vulnerabilities before they are exploited by attackers.","8":"More dangerous attacks could modify or delete data from the accounts table, potentially corrupting or destroying valuable information. They could also invoke stored procedures, which are sets of pre-compiled SQL code that can perform various actions, potentially causing significant damage or disruption to the system.","9":"Detailed error messages, especially stack traces, can expose sensitive information such as:\n\n* **Internal file paths:** Revealing the directory structure of the application could allow an attacker to understand the application's architecture and potentially target specific files for exploitation.\n* **Database queries:** Error messages often contain snippets of SQL queries, which could expose database structure, table names, and even sensitive data within the database.\n* **Component versions:** Exposing versions of libraries, frameworks, or operating systems could enable attackers to target known vulnerabilities in those components.\n* **Configuration settings:** Sensitive configuration information such as API keys, database credentials, or connection strings could be inadvertently revealed in error messages.\n* **Code snippets:** Stack traces can expose portions of the application's source code, potentially allowing attackers to understand the application's logic and identify vulnerabilities.\n\nThese vulnerabilities, combined with the access control flaw, could allow attackers to gain unauthorized access to sensitive data or even take control of the application. 
By exploiting these vulnerabilities, attackers could potentially:\n\n* **Gain unauthorized access to sensitive data:** They might be able to read, modify, or delete confidential information stored in the database or other files.\n* **Execute arbitrary code:** If the application server's code is exposed through error messages, attackers could potentially exploit these code snippets to execute malicious code on the server.\n* **Gain remote code execution:** In some cases, error messages could expose vulnerabilities that allow attackers to execute commands directly on the server, providing them with complete control.\n* **Bypass authentication mechanisms:** Attackers could exploit the revealed information to bypass authentication measures and gain access to restricted functionality.","10":"A penetration tester discovering insecure security settings in application servers and databases could exploit various vulnerabilities, leveraging the provided context: \n\n* **Default Credentials:** Exploiting default accounts and passwords unchanged poses a significant risk. Attackers can easily gain unauthorized access, potentially escalating privileges to gain full control of the system.\n* **Insecure Error Handling:** Overly informative error messages revealing stack traces or sensitive information can be exploited for code injection attacks, allowing malicious code to be executed within the application.\n* **Disabled or Misconfigured Security Features:** Attackers could exploit disabled or poorly configured security features in upgraded systems, bypassing security mechanisms and gaining unauthorized access.\n* **Insecure Configuration:** The lack of secure configuration settings in application servers, frameworks, libraries, and databases presents numerous vulnerabilities. 
These could include weak encryption algorithms, outdated security patches, and open ports, allowing attackers to gain access, steal sensitive data, or launch denial-of-service attacks.\n* **Missing or Insecure Security Headers:** The absence of essential security headers or their insecure configuration could lead to various vulnerabilities like Cross-Site Scripting (XSS), Clickjacking, and insecure communication, making the application susceptible to attacks.","11":"Relying solely on password complexity and rotation creates several vulnerabilities. While these measures may deter basic attacks, they are insufficient in the face of advanced threats. Here's why:\n\n* **Weak Passwords:** Even complex passwords can be easily cracked through brute force attacks, especially if users are forced to rotate them frequently. This often leads to predictable patterns and weak password choices. \n* **Password Reuse:** Users often reuse the same or similar passwords across multiple accounts. A breach in one system can compromise access to others. \n* **Social Engineering:** Password complexity doesn't protect against social engineering attacks, where attackers trick users into revealing their credentials. \n* **Lack of Multi-Factor Authentication (MFA):** Password rotation and complexity alone don't address the inherent weaknesses of passwords. MFA adds a second layer of security, requiring additional verification beyond a password. \n\nBy relying solely on these measures, organizations create a false sense of security. Adopting a layered approach to authentication, including MFA and robust password management practices, is crucial for mitigating risks.","12":"To protect sensitive data like passwords and financial information during transmission and storage, implementing robust security measures is crucial. Here are some key steps: \n\n1. **Encryption:** Encrypt data both in transit and at rest using strong encryption algorithms like AES-256. 
For transmission, HTTPS with TLS\/SSL should be used. This ensures that even if data is intercepted, it remains unreadable.\n\n2. **Secure Storage:** Implement secure storage solutions for sensitive data. This includes using encrypted databases, file systems, and storage devices. Access control mechanisms should be in place to limit access to authorized personnel only.\n\n3. **Strong Authentication:** Implement strong authentication mechanisms such as multi-factor authentication (MFA) to verify user identity. MFA adds an extra layer of security, making it much harder for unauthorized individuals to access sensitive data.\n\n4. **Data Minimization:** Store only the necessary data and avoid collecting or storing sensitive information that is not essential for business operations. This minimizes the risk of data breaches and reduces the potential impact.\n\n5. **Regular Security Assessments:** Conduct regular security assessments, including penetration testing, to identify vulnerabilities and weaknesses in your systems and security controls. These assessments help ensure that your security measures remain effective against evolving threats.\n\n6. **Employee Training:** Educate employees about security best practices, including proper data handling, strong password management, and recognizing phishing attacks. Training helps reduce the risk of human error, which can lead to data breaches.\n\n7. **Data Loss Prevention (DLP):** Implement data loss prevention (DLP) solutions to detect and prevent sensitive data from leaving the organization's controlled environment without authorization. DLP can monitor data in transit, at rest, and in use, helping to prevent accidental or malicious data leaks.\n\n8. **Regular Patching:** Keep all software and operating systems updated with the latest security patches to address known vulnerabilities. Regular patching reduces the risk of exploitation by attackers.\n\n9. 
**Secure Configuration:** Configure all systems and applications securely, following security best practices. This includes disabling unnecessary services, implementing strong access controls, and using secure configurations recommended by security vendors.\n\nBy implementing these security measures, organizations can significantly reduce the risk of data breaches and protect sensitive data from unauthorized access, use, disclosure, disruption, modification, or destruction.","13":"The application's inability to detect and respond to real-time attacks despite penetration tests and DAST scans not triggering alerts highlights a significant security vulnerability. The issue lies in the lack of appropriate alerting thresholds and response escalation processes, rendering the application effectively blind to malicious activity. This vulnerability is compounded by the fact that logging and alerting events are potentially visible to unauthorized users or attackers, further increasing the risk of information leakage. To address this, the application must implement robust security controls such as: \n\n1. **Establishing Realistic Alerting Thresholds**: Define clear and sensitive thresholds for triggering alerts based on potential attack patterns and indicators of compromise (IOCs). \n2. **Implementing Effective Response Escalation Processes**: Define a clear and efficient escalation process for handling security alerts, involving appropriate security teams and personnel. \n3. **Enhancing Logging and Monitoring**: Implement robust logging and monitoring mechanisms that capture detailed information about user activity, network traffic, and system events. \n4. **Implementing Real-Time Threat Detection and Response**: Integrate real-time threat detection and response solutions that can analyze network traffic, detect suspicious activity, and trigger automated responses to mitigate attacks. \n5. 
**Securing Logging and Alerting Mechanisms**: Ensure that logging and alerting mechanisms are adequately secured to prevent unauthorized access and manipulation. \n6. **Regularly Review and Update Security Controls**: Continuously review and update security controls based on evolving threat landscapes and vulnerabilities. \n\nBy taking these measures, the application can significantly enhance its ability to detect and respond to real-time attacks, minimizing the risk of data breaches and information leakage.","14":"When applications fail to properly validate or sanitize user-supplied data, they become susceptible to various vulnerabilities, including:\n\n* **Cross-Site Scripting (CWE-79):** Attackers can inject malicious scripts into the application's output, which can be executed by unsuspecting users, potentially stealing their credentials or hijacking their sessions.\n* **SQL Injection (CWE-89):** Malicious SQL queries can be injected into the application, potentially allowing attackers to access, modify, or delete sensitive data from the database.\n* **External Control of File Name or Path (CWE-73):** Attackers can manipulate file names or paths, potentially gaining access to or modifying critical files, leading to data breaches or system compromise.\n\n**Mitigation Strategies:**\n\n* **Input Validation:** Always validate user input against expected formats and constraints. Use regular expressions, whitelisting, and blacklisting techniques to prevent unwanted characters or patterns.\n* **Output Encoding:** Encode all data displayed to the user, especially user-supplied content, to prevent malicious scripts from executing.\n* **Prepared Statements:** Use parameterized queries and prepared statements for database interactions to prevent SQL injection. 
This ensures that user input is treated as data, not code.\n* **File Path Sanitization:** Ensure that file paths are sanitized and validated to prevent attackers from accessing or modifying sensitive files.\n* **Secure Development Practices:** Follow secure coding principles and use secure libraries and frameworks that provide built-in protection against common vulnerabilities.","15":"The absence or misuse of cryptography presents significant vulnerabilities that can lead to sensitive data exposure. Here are some key weaknesses:\n\n* **Weak or Insecure Algorithms:** Using outdated or compromised cryptographic algorithms, such as outdated versions of DES or MD5, makes it relatively easy for attackers to break encryption, leaving data vulnerable. \n* **Poor Key Management:** Improper key generation, storage, and distribution practices can compromise the entire encryption process. Stolen, leaked, or easily guessed keys render encryption ineffective. \n* **Insufficient Key Length:** Using short key lengths (e.g., less than 128 bits for symmetric encryption) weakens the complexity of the encryption process, making it easier to crack through brute-force attacks. \n* **Improper Implementation:** Even strong cryptographic algorithms can be compromised by flawed implementations, such as insecure coding practices or failure to follow industry standards. \n* **Lack of Encryption for Sensitive Data:** Failing to encrypt sensitive data at rest (e.g., in databases, files) or in transit (e.g., over networks) makes it easily accessible to unauthorized individuals. 
\n* **Cryptographic Backdoors:** Intentional vulnerabilities or weaknesses built into cryptographic systems, often for law enforcement or intelligence purposes, can be exploited by attackers, negating the protection intended by the encryption.\n\nBy addressing these weaknesses through robust cryptography practices, organizations can significantly strengthen their defenses against data breaches and protect sensitive information.","16":"Integrating security specialists early in the software development lifecycle (SDLC) is crucial for building more secure applications. It allows for a proactive approach to security, embedding it into the core design and development processes. Here's how it contributes:\n\n* **Early Threat Identification and Mitigation:** Security specialists can identify vulnerabilities and potential attack vectors during the initial design phases, enabling developers to address them proactively. This reduces the risk of introducing security flaws later in the development cycle, when remediation can be more complex and costly.\n\n* **Secure Design Principles:** Security experts can guide developers in adopting secure coding practices and implementing security controls by design. This ensures that security is not an afterthought, but rather an integral part of the application architecture.\n\n* **Reduced Security Debt:** By involving security specialists early, organizations can prevent the accumulation of technical debt related to security vulnerabilities. This reduces the need for expensive and time-consuming security fixes during later stages of the SDLC.\n\n* **Improved Collaboration and Communication:** Early integration fosters collaboration between development and security teams. 
This leads to better understanding and communication regarding security requirements, resulting in more secure code and applications.\n\n* **Increased Awareness and Ownership:** Involving security specialists throughout the SDLC encourages developers to adopt a security mindset and take ownership of security responsibilities. This creates a more secure development culture within the organization.","17":"Penetration testers can assess the effectiveness of access control mechanisms in this scenario by conducting the following tests:\n\n1. **CORS Misconfiguration:**\n * **Test:** Attempt to access resources from a different origin (e.g., a different domain) using tools like `curl` or `Postman`. Analyze the response headers, particularly `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`, to identify potential CORS misconfigurations.\n * **Expected outcome:** The tests should fail, indicating strict CORS enforcement, allowing only authorized origins or methods.\n\n2. **Record Ownership Enforcement:**\n * **Test:** Attempt to modify or delete records belonging to other users. Use tools like Burp Suite or ZAP to intercept and modify requests, altering the user ID or record ID. Observe if the system correctly blocks unauthorized actions.\n * **Expected outcome:** Access to records should be restricted to the owner, preventing unauthorized modifications or deletions.\n\n3. **Access Control Bypass:**\n * **Test:** Try to circumvent access controls through techniques like SQL injection, cross-site scripting (XSS), or authorization bypass vulnerabilities. Explore potential weaknesses in authentication, session management, and input validation.\n * **Expected outcome:** The application should successfully detect and mitigate these attempts, preventing unauthorized access and data manipulation.\n\n4. 
**Public Resource Validation:**\n * **Test:** Identify resources that are intended to be public and verify they are correctly accessible without any authentication requirements. Check for unnecessary access controls on public resources.\n * **Expected outcome:** Public resources should be easily accessible without any authentication or authorization requirements.\n\n5. **File Metadata and Backup File Access:**\n * **Test:** Try to access files like `.git` folders, backup files, or any sensitive configuration files that may be accidentally exposed.\n * **Expected outcome:** These files and directories should be properly protected, inaccessible from the web root. \n\nBy conducting these tests, penetration testers can identify vulnerabilities and misconfigurations in access control mechanisms, helping to ensure the secure and robust implementation of the stated security principles.","18":"Yes, if the application uses Java serialization to handle user state and the serialization process is not properly secured, an attacker could exploit this mechanism to achieve remote code execution. The Java Serial Killer tool is designed to leverage vulnerabilities in Java serialization, allowing attackers to inject malicious code into serialized objects. By injecting this malicious code, an attacker could potentially gain control of the application server, leading to a remote code execution attack.","19":"An **insecure design** refers to fundamental flaws in the architecture or blueprint of a system, making it inherently vulnerable to attacks. These flaws often stem from a lack of security considerations during the initial design phase, resulting in missing security controls or inadequate protection mechanisms. In contrast, an **insecure implementation** occurs when the actual coding or configuration of a system deviates from the secure design, introducing vulnerabilities despite a sound initial plan. 
This can arise from developer errors, misinterpretations of security requirements, or the use of insecure libraries or frameworks. The key difference lies in their root causes and remedies. Insecure design requires a complete redesign or significant architectural changes to fix the fundamental vulnerabilities. Insecure implementation, on the other hand, can be addressed by patching, re-coding, or reconfiguring the system to align with the intended security design.","20":"Rate limiting API and controller access helps mitigate the impact of automated attacks by setting limits on the number of requests that can be made from a single IP address or user agent within a given timeframe. This prevents attackers from flooding the system with requests, overwhelming the resources and causing denial of service (DoS) attacks. By limiting the number of requests, attackers are unable to exhaust system resources and cause significant damage.","21":"Leaving default accounts unchanged in an admin console presents significant security risks. Attackers can exploit this vulnerability by using readily available default credentials to gain unauthorized access. Once they log in, they can potentially take control of the system, modify configurations, steal sensitive data, or even launch further attacks. This vulnerability is particularly dangerous because it provides attackers with a straightforward entry point into the system without needing to bypass any security measures.","22":"During refinement sessions, threat modeling can be used to identify potential security risks associated with changes in data flows and access controls within a user story. By analyzing the proposed changes, security experts can identify potential vulnerabilities, such as unauthorized access, data breaches, or denial-of-service attacks. The threat modeling process can help to ensure that the user story is designed and implemented in a secure manner. 
For example, if a user story involves changing the way data is stored or accessed, threat modeling can help to identify potential vulnerabilities that could be exploited by attackers. This information can then be used to inform the design and implementation of the user story, ensuring that the necessary security controls are in place to mitigate these risks. By integrating threat modeling into the refinement process, organizations can proactively address potential security risks and ensure that their applications are secure.","23":"Using hard-coded passwords, weak cryptographic algorithms, and insufficient entropy in data protection poses severe security risks, especially when handling sensitive information like financial data or personal records. Here's a breakdown of the implications:\n\n* **CWE-259: Use of Hard-coded Password:** Hard-coded passwords are easily discoverable by attackers, compromising the security of the entire system. If the code is compromised, attackers can gain access to sensitive data without needing to crack complex passwords. This is a significant risk for applications, databases, or any system where hard-coded credentials are present.\n\n* **CWE-327: Broken or Risky Crypto Algorithm:** Employing outdated or insecure cryptographic algorithms makes data vulnerable to various attacks. Attackers can exploit weaknesses in these algorithms to decrypt sensitive data, potentially leading to breaches, data theft, and financial losses. This is particularly critical for data encryption at rest and in transit, as weak algorithms can easily be broken by sophisticated attackers.\n\n* **CWE-331: Insufficient Entropy:** Insufficient entropy in data protection methods, such as passwords or encryption keys, weakens the security of the system. Attackers can leverage statistical analysis or brute-force techniques to guess the keys or passwords, compromising the data they protect. 
This is a major concern for data encryption, where low entropy keys can be easily cracked, exposing sensitive data.\n\n**Consequences for Sensitive Data:**\n\n* **Data Breaches:** These vulnerabilities expose sensitive data, leading to breaches that compromise financial information, personal records, and other sensitive details. This can result in identity theft, financial fraud, and reputational damage.\n\n* **Non-compliance with Regulations:** Failure to implement robust security measures, including strong passwords, secure encryption algorithms, and sufficient entropy, violates data protection regulations like GDPR and PCI DSS. This can lead to hefty fines and penalties.\n\n* **Loss of Trust and Customer Confidence:** Data breaches erode trust in organizations and can significantly impact customer relationships. Businesses can lose customers and suffer reputational damage due to security failures, leading to financial losses.\n\n**Mitigation:**\n\nTo mitigate these risks, organizations must prioritize robust security practices, including:\n\n* **Eliminating Hard-coded Passwords:** Replace hard-coded passwords with secure password management systems or secret management tools.\n\n* **Using Strong Cryptographic Algorithms:** Implement industry-standard encryption algorithms like AES-256 for data protection. Regularly update to the latest and strongest algorithms as vulnerabilities are discovered.\n\n* **Ensuring Sufficient Entropy:** Employ strong password policies that enforce sufficient entropy, including length, complexity, and a mix of characters. 
Generate high-entropy keys for encryption, ensuring strong protection against brute-force attacks.\n\nBy adhering to these best practices, organizations can significantly reduce their vulnerability to attacks and ensure the protection of sensitive data.","24":"The 'Broken Authentication' category in the Common Weakness Enumerations (CWEs) encompasses vulnerabilities related to identification failures, which occur when an application fails to properly verify the identity of a user. Some examples of CWEs that fall under this category and relate to identification failures include:\n\n* **CWE-297: Improper Validation of Certificate with Host Mismatch:** This CWE arises when an application fails to adequately validate the certificate presented by a client, allowing an attacker to impersonate a legitimate user or server. This can happen when the application does not check the certificate's host name against the expected domain name.\n* **CWE-287: Improper Authentication:** This CWE describes scenarios where an application utilizes weak or flawed authentication mechanisms, making it easier for attackers to bypass authentication controls. Examples include using easily guessable passwords, weak password complexity requirements, or relying solely on username\/password combinations without additional security measures.\n* **CWE-384: Session Fixation:** This CWE occurs when an application allows an attacker to manipulate a user's session ID, potentially allowing them to hijack the user's session or gain unauthorized access to sensitive information. This can happen if the application does not properly generate or manage session IDs.\n\nThese CWEs highlight the importance of implementing robust authentication measures that effectively prevent identification failures. 
By addressing these vulnerabilities, applications can better safeguard against attacks that exploit weaknesses in authentication processes.","25":"If an unauthenticated user can access an administrative page, it poses a significant security risk. The attacker could potentially gain access to sensitive data, modify configurations, or even execute commands with administrative privileges. This could lead to a range of severe consequences, including data breaches, system compromise, and unauthorized modifications to the system.","26":"To effectively log login failures, access control breaches, and server-side input validation errors with sufficient user context for detecting malicious activity, the following steps are crucial:\n\n1. **Detailed Logging:** Capture comprehensive information for each event, including:\n * **User Information:** Username, user ID, group memberships, IP address, and location.\n * **Event Details:** Timestamp, action performed (e.g., login attempt, access request, input validation failure), resource accessed, and specific error message.\n * **System Information:** Server name, operating system, application version, and relevant configuration settings.\n\n2. **Structured Logging:** Implement a standardized log format that enables easy parsing and analysis by security monitoring tools. Common formats include:\n * **Syslog:** A widely used standard for logging system events.\n * **JSON:** Offers flexibility and human-readability for storing log data.\n * **CEF (Common Event Format):** A structured format supported by various security tools.\n\n3. **Log Encoding:** Encode log data appropriately to prevent injection attacks. Use secure encoding methods such as:\n * **Base64:** Converts binary data to printable ASCII characters.\n * **URL Encoding:** Encodes special characters for safe transmission over the internet.\n\n4. 
**Log Management Solutions:** Utilize robust log management tools that can aggregate, analyze, and correlate log data from multiple sources. These tools provide features like:\n * **Real-time Monitoring:** Detect suspicious activity as it happens.\n * **Alerting:** Trigger notifications based on predefined rules and thresholds.\n * **Data Visualization:** Visualize trends and patterns to identify potential threats.\n\n5. **Audit Trails:** Implement audit trails for high-value transactions to ensure their integrity. This could involve using append-only database tables or similar mechanisms to prevent tampering or deletion of log data.\n\nBy adhering to these practices, organizations can effectively log security events, gain valuable insights into suspicious activity, and respond promptly to potential threats.","27":"The rise in the OWASP Top 10 rankings for security logging and monitoring from 2017 to 2023 reflects a growing awareness of its critical role in detecting and responding to security threats. As attacks become more sophisticated, organizations need robust logging and monitoring systems to quickly identify malicious activity and take appropriate action. This is evident in the increased emphasis on security logging and monitoring by organizations and security professionals alike.","28":"Attackers can use automated tools like Shodan to identify systems with unpatched vulnerabilities like Heartbleed. Shodan searches for devices on the internet and can identify those still vulnerable to Heartbleed, which was patched in April 2014. Other examples of vulnerabilities attackers can exploit include CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables the execution of arbitrary code on the server. These vulnerabilities allow attackers to compromise systems and potentially gain control over them.","29":"A common vulnerability that enables attackers to execute arbitrary code on a server is a **remote code execution (RCE) vulnerability**. 
An example of a high-profile breach attributed to an RCE vulnerability is the **Equifax data breach in 2017**, which was exploited through the **CVE-2017-5638 Struts 2 vulnerability**.","30":"During user story development, penetration testing can be integrated to identify vulnerabilities related to data flow changes and access control mechanisms by incorporating threat modeling into refinement sessions. This involves analyzing data flows and access control mechanisms to identify potential vulnerabilities. By simulating attacks and analyzing the impact, penetration testers can identify weaknesses in the system's security controls. They can then recommend solutions to mitigate these vulnerabilities, ensuring that data flow changes and access control mechanisms are secure and robust.","31":"Tools like **OWASP Dependency Check, retire.js, and versions** can be used to continuously inventory the versions of client-side and server-side components and their dependencies. These tools can be integrated into the development and deployment pipelines to automatically scan for vulnerabilities in these components. Additionally, you can continuously monitor sources like **Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD)** for vulnerabilities in the components. Software composition analysis tools can automate this process and provide alerts when vulnerabilities are discovered. Subscribing to email alerts for security vulnerabilities related to the components you use can also help keep you informed of potential risks.","32":"Common consequences of access control failures during a penetration test include unauthorized access to sensitive data, modification or deletion of critical information, and the execution of unauthorized actions or functions within the system. 
This can lead to significant financial losses, reputational damage, and legal repercussions for the organization.","33":"To improve the application's ability to detect and respond to active attacks in real-time or near real-time, even when penetration testing and DAST tools don't trigger alerts, you need to focus on enhancing the application's security monitoring and response capabilities. Here are some key steps:\n\n1. **Refine Alerting Thresholds and Response Escalation:**\n - **Define Clear Thresholds:** Establish specific thresholds for suspicious activity based on your application's risk profile. This includes setting limits for failed login attempts, unusual traffic patterns, and rapid data access requests.\n - **Implement Automated Escalation:** Configure automated processes to escalate alerts to security teams when thresholds are breached. This could involve sending notifications, triggering incident response protocols, or even automatically blocking suspicious IP addresses.\n\n2. **Enhance Runtime Security Monitoring:**\n - **Real-Time Threat Intelligence Integration:** Integrate your application with real-time threat intelligence feeds to detect known attack patterns and malicious actors. This can help identify attacks that may not trigger traditional alerts.\n - **Behavioral Analysis:** Implement behavioral analysis techniques to monitor user activity and identify deviations from expected patterns. This can help detect insider threats or malicious actors mimicking legitimate users.\n - **Security Information and Event Management (SIEM):** Use a SIEM solution to centralize security logs from various sources (application logs, network devices, firewalls, etc.). This provides a consolidated view of security events and facilitates correlation analysis for detecting complex attacks.\n\n3. 
**Implement Runtime Security Controls:**\n - **Runtime Application Self-Protection (RASP):** Consider implementing RASP solutions, which can monitor application behavior in real-time and take immediate action to mitigate threats, such as blocking malicious requests or preventing data exfiltration.\n - **Web Application Firewalls (WAFs):** Use a WAF to filter malicious traffic at the network layer. Modern WAFs often offer advanced features like bot detection, API security, and real-time threat intelligence integration.\n\n4. **Secure Logging and Auditing:**\n - **Minimize Log Visibility:** Limit the visibility of sensitive information within logs and audit trails to prevent attackers from exploiting logged data. Consider using anonymization techniques or access control mechanisms.\n - **Secure Logging Infrastructure:** Protect your logging infrastructure from unauthorized access or manipulation to ensure the integrity and reliability of security logs.\n\n5. **Regular Security Assessments and Testing:**\n - **Penetration Testing:** Conduct regular penetration testing to assess your application's security posture and identify vulnerabilities that might not be detected by automated tools.\n - **Security Audits:** Perform regular security audits to review your application's configuration, code, and security controls for potential weaknesses and misconfigurations.\n\nBy implementing these measures, you can significantly enhance your application's ability to detect and respond to active attacks, even in situations where traditional security tools may not trigger alerts. Remember, continuous monitoring, analysis, and improvement are crucial to maintaining a strong security posture in the ever-evolving threat landscape.","34":"If an unauthenticated user can access pages intended for authenticated users, it poses a significant security risk. 
This vulnerability can allow attackers to gain unauthorized access to sensitive information, manipulate data, or even compromise the entire system. Here are some potential vulnerabilities:\n\n* **Data Breaches:** Attackers can access confidential data like customer information, financial records, or internal documents. \n* **Account Takeover:** Attackers might be able to hijack existing user accounts or create new ones with elevated privileges.\n* **System Manipulation:** Attackers could modify or delete critical system files, alter configurations, or execute malicious code, leading to system instability or complete failure. \n* **Privilege Escalation:** Attackers could exploit the vulnerability to gain administrator-level access, allowing them to control the entire system and potentially compromise other connected systems.\n* **Denial-of-Service Attacks:** Attackers could flood the system with requests, causing it to become unresponsive, making it unavailable to legitimate users.","35":"This scenario indicates a **Server-Side Request Forgery (SSRF)** vulnerability. An attacker could exploit this by providing a malicious URL that targets an internal system, bypassing firewalls and potentially accessing sensitive data or executing commands. The impact could include data exfiltration, internal system compromise, and denial-of-service attacks. ","36":"Failure of access control mechanisms during a penetration test can have severe consequences, potentially leading to unauthorized access to sensitive information, modification or deletion of critical data, and the execution of actions outside the user's permitted scope. This can result in significant financial losses, reputational damage, legal liabilities, and disruptions to business operations. 
The consequences can be even more severe if the penetration test reveals vulnerabilities that could be exploited by malicious actors.","37":"Building and deploying software within a secure software supply chain demands meticulous attention to several key security considerations. Here are some of the most critical factors to address: \n\n* **Secure Software Development Practices:**\n * **Secure Coding:** Implement secure coding practices throughout the development lifecycle, adhering to industry best practices and using static and dynamic analysis tools to identify and mitigate vulnerabilities. \n * **Code Review:** Conduct thorough peer code reviews to detect potential security flaws and ensure adherence to coding standards. \n * **Threat Modeling:** Proactively identify potential threats and vulnerabilities during the design and development phases, developing mitigation strategies accordingly. \n\n* **Secure Build and Deployment Processes:**\n * **Build Environment Security:** Securely configure build environments, preventing unauthorized access, code tampering, and malware injection. Implement robust access controls and utilize secure build tools. \n * **Dependency Management:** Carefully manage and scrutinize software dependencies, ensuring that all third-party components are vetted for vulnerabilities and security issues. Utilize a centralized dependency management system to enforce security policies. \n * **Automated Testing and Scanning:** Integrate automated security testing into the build process to identify vulnerabilities and ensure code quality. Implement static and dynamic analysis tools to detect potential weaknesses. \n * **Release Management:** Establish secure release management processes to ensure that software deployments are controlled, auditable, and free from unauthorized modifications. 
\n\n* **Secure Infrastructure and Deployment:**\n * **Secure Infrastructure:** Deploy applications on secure infrastructure, ensuring that servers, networks, and operating systems are properly hardened and secured. Implement appropriate access control measures and firewalls. \n * **Deployment Security:** Implement secure deployment practices, minimizing the attack surface and protecting against common vulnerabilities associated with deployments. Utilize secure deployment tools and automate the process as much as possible. \n\n* **Continuous Monitoring and Threat Detection:** \n * **Security Monitoring:** Implement continuous monitoring of applications and systems to detect suspicious activity and potential security incidents. Utilize security information and event management (SIEM) systems and intrusion detection systems (IDS). \n * **Vulnerability Management:** Establish a robust vulnerability management program to proactively identify and remediate security vulnerabilities in software components and infrastructure. Utilize vulnerability scanning tools and maintain up-to-date security patches. \n * **Incident Response:** Develop and practice an incident response plan to handle security breaches and incidents effectively. Define roles and responsibilities, ensure timely communication, and have a process for containment, recovery, and post-incident analysis. \n\nBy implementing these security considerations throughout the software supply chain, organizations can significantly reduce the risk of security breaches and ensure that their software is developed, built, and deployed in a secure and responsible manner.","38":"Attackers can exploit SQL injection vulnerabilities by injecting malicious SQL code into data inputs that are subsequently used to construct and execute database queries. 
This allows them to manipulate the database's logic, directly alter data, or even execute arbitrary commands within the database system.","39":"Returning detailed error messages, including stack traces, to users can expose sensitive information about the application's architecture, libraries used, and internal workings. This can be exploited by attackers to gain a deeper understanding of the system's vulnerabilities, leading to targeted attacks. Additionally, revealing stack traces could disclose the specific version of software components used, allowing attackers to exploit known vulnerabilities in outdated or unpatched libraries.","40":"The work factor or delay factor in adaptive and salted hashing functions like Argon2, scrypt, bcrypt, or PBKDF2 determines the computational effort required to calculate the hash. This means that by increasing the work factor, you significantly increase the time it takes to calculate a hash. This is a key security measure for protecting against brute-force attacks. A higher work factor makes it more time-consuming and expensive for attackers to try guessing passwords, effectively hindering brute-force attacks and enhancing password security.","41":"Attackers can bypass access control checks in web applications to gain unauthorized access in a number of ways. For example, they might modify the URL to tamper with parameters or force browsing, manipulate internal application state, or alter the HTML page. Additionally, they could use attack tools to modify API requests. Another tactic is to exploit insecure direct object references, which allow attackers to view or edit someone else's account by providing the account's unique identifier. Attackers could also target APIs with missing access controls for POST, PUT, and DELETE operations. 
Finally, elevation of privilege allows attackers to gain access to resources or perform actions beyond their authorized level.","42":"Exposing session identifiers in the URL and failing to properly invalidate them during logout presents significant security risks. Attackers can exploit these vulnerabilities to hijack user sessions, potentially leading to unauthorized access to sensitive data or actions. Here's a breakdown:\n\n* **Session Hijacking:** If an attacker intercepts a user's session ID, they can impersonate the user and access their account without needing valid credentials. This is particularly dangerous if the session ID is directly visible in the URL, as it can be easily captured by attackers using network sniffing tools.\n\n* **Session Fixation:** By manipulating a user's session ID, an attacker could force them to reuse an existing session even after logging out. This can be done by sending a malicious link to the user containing a specific session ID. When the user clicks on the link, they might be logged in as the attacker, even if they previously logged out. \n\n* **Credential Stuffing\/Brute Force:** If sessions are not invalidated properly, attackers can repeatedly attempt to guess credentials using stolen or leaked credentials lists without the risk of being detected. This can be especially problematic in systems with weak password policies or where users reuse the same password across multiple accounts. \n\n* **Persistence of Access:** Failing to invalidate sessions during logout or inactivity can allow attackers to maintain access to an account even after a user has left the system. This could allow them to monitor user activity, steal sensitive information, or perform actions on the user's behalf without their knowledge. \n\n* **Denial-of-Service (DoS):** Attackers can use session IDs to launch DoS attacks by flooding the server with requests, overwhelming its resources and making the application unavailable to legitimate users. 
This is possible if the application relies on session data that is not properly managed and can be abused by attackers.","43":"Recommended hashing functions for storing passwords include Argon2, scrypt, bcrypt, and PBKDF2. These algorithms are considered strong due to their adaptive nature, use of salt, and work factor (delay factor). When choosing a hashing function, consider factors like:\n\n* **Security:** The algorithm should be resistant to known attacks, such as brute-force and rainbow table attacks. \n* **Performance:** The function should be efficient enough to handle the workload of your system without causing significant delays. \n* **Flexibility:** The algorithm should allow for adjustments to the work factor, salt length, and other parameters to adapt to changes in computing power and attack techniques. \n* **Availability:** The algorithm should be widely supported and implemented in your chosen programming language and environment.","44":"Tools like **versions**, **OWASP Dependency Check**, and **retire.js** can help with continuously inventorying client-side and server-side component versions and their dependencies. For monitoring vulnerabilities, utilize resources like **Common Vulnerability and Exposures (CVE)** and **National Vulnerability Database (NVD)**. Software composition analysis tools automate this process, and subscribing to email alerts for vulnerabilities related to your components is crucial. Always procure components from official sources over secure links.","45":"The provided context suggests that the application may be vulnerable to padding oracle attacks if deprecated cryptographic padding methods like PKCS number 1 v1.5 are being used. This is because these methods are known to have security flaws that can be exploited by attackers to decrypt encrypted data. Padding oracle attacks occur when an attacker can observe the response of the application to different padding values. 
This information can then be used to decrypt the ciphertext. It is important to note that the provided context does not state definitively whether PKCS number 1 v1.5 is in use. Further investigation is needed to determine if the application is vulnerable to this type of attack.","46":"This is a vulnerability called **authentication bypass**. This means that the application's security mechanisms are failing to properly identify and verify users before granting access to restricted resources.","47":"A secure development lifecycle (SDL) encompasses several key elements, including secure design patterns, a paved road methodology, a secured component library, relevant tooling, and threat modeling. Involving security specialists from the very beginning of a software project is crucial because it allows for proactive security considerations throughout the development process. This early engagement enables them to identify and address security vulnerabilities in the design phase, reducing the risk of costly remediation efforts later on. By integrating security into the core of the development process, the SDL ensures the creation of more robust and secure software.","48":"Yes, if an attacker could force a user to browse to \"https:\/\/example.com\/app\/accountInfo?acct=notmyacct\", they could potentially access sensitive account information without proper authorization. This is because the URL contains a parameter \"acct\" which is likely used to identify the account being accessed. By manipulating this parameter, the attacker could potentially gain access to another user's account information. However, the attacker may not have access to any admin pages or administrative privileges. This would depend on the application's security measures and how sensitive information is handled.","49":"The vulnerability demonstrated in both attack scenarios is **SQL Injection**. 
The attacker exploits this vulnerability by manipulating the input parameter 'id' with a malicious SQL statement. The crafted SQL statement includes the command 'SLEEP(10)', which causes the database to pause for 10 seconds before executing the rest of the query. This delay disrupts the application's operation, potentially causing performance issues, slow response times, or even denial-of-service conditions. The attacker may also insert additional malicious SQL code to gain unauthorized access to the database, steal sensitive information, or modify existing data."}} \ No newline at end of file +{ + "question": { + "0": "What are the potential consequences of access control failures during a penetration test?", + "1": "What vulnerabilities in the third-party cloud hosting provider allowed the airline's data to be exposed for over ten years?", + "2": "If security settings for application servers, frameworks, libraries, and databases are not set to secure values, what vulnerabilities could a penetration tester exploit?", + "3": "What are the security logging and monitoring practices recommended by the OWASP Top 10 community survey, and how do they compare to the recommendations from the 2017 survey?", + "4": "While escaping special characters helps mitigate SQL injection vulnerabilities, why are user-supplied table and column names considered dangerous, and what kind of software is particularly vulnerable to this issue?", + "5": "How can an attacker exploit the use of unverified data in a SQL query that accesses account information to gain unauthorized access to user accounts?", + "6": "What are the key steps involved in establishing a secure development lifecycle to prevent vulnerabilities during application development?", + "7": "What are some common types of injection attacks that target dynamic queries and commands, and how is source code review helpful in identifying vulnerabilities to these attacks?", + "8": "What type of malicious action could a more dangerous 
attack perform beyond simply retrieving data from the accounts table?", + "9": "If an application server configuration exposes detailed error messages to users, what sensitive information could potentially be leaked, and what vulnerabilities might be exposed?", + "10": "If a penetration tester discovered that the security settings in the application servers and databases were not set to secure values, what vulnerabilities might they exploit?", + "11": "What is the potential risk of relying solely on password complexity and rotation as security measures for authentication?", + "12": "What security measures should be implemented to protect sensitive data, such as passwords and financial information, when it is transmitted or stored? ", + "13": "If a penetration test or DAST scan does not trigger alerts, how does the application ensure it can detect and respond to real-time attacks?", + "14": "What are the common vulnerabilities that can arise when user-supplied data is not properly validated or sanitized in an application, and how can these vulnerabilities be mitigated?", + "15": "What specific weaknesses in cryptography or its absence contribute to the exposure of sensitive data, making it a significant security concern?", + "16": "How can integrating security specialists early in the software development lifecycle contribute to building more secure applications?", + "17": "How can penetration testers assess the effectiveness of access control mechanisms implemented across the application, considering the goal of minimizing CORS usage and enforcing record ownership?", + "18": "If the application uses Java serialization to handle user state, could an attacker exploit this mechanism to achieve remote code execution by utilizing tools like Java Serial Killer?", + "19": "What are the key differences between an insecure design and an insecure implementation in the context of cybersecurity and penetration testing?", + "20": "How can rate limiting API and controller access 
help mitigate the impact of automated attacks?", + "21": "What are the security risks associated with not changing default accounts in an admin console, and how can an attacker exploit this vulnerability?", + "22": "How can threat modeling be used during refinement sessions to identify potential security risks associated with changes in data flows and access controls within a user story?", + "23": "What are the security implications of using hard-coded passwords, weak cryptographic algorithms, and insufficient entropy in data protection, particularly when sensitive data like financial information or personal records are involved?", + "24": "What are some examples of Common Weakness Enumerations (CWEs) that fall under the 'Broken Authentication' category, and how do they relate to identification failures?", + "25": "What are the potential vulnerabilities if an unauthenticated user can access an administrative page intended only for authorized personnel?", + "26": "How can login failures, access control breaches, and server-side input validation errors be logged effectively with sufficient user context to detect malicious activity, and how can this log data be formatted for easy consumption by security monitoring tools?", + "27": "Why did security logging and monitoring move up in the OWASP Top 10 rankings from 2017 to 2023?", + "28": "What are some automated tools that attackers can use to identify systems with unpatched vulnerabilities, like the Heartbleed vulnerability, and what are some examples of vulnerabilities that attackers can exploit?", + "29": "What is a common vulnerability that enables attackers to execute arbitrary code on a server, and what is an example of a high-profile breach that was attributed to this type of vulnerability?", + "30": "During user story development, how can penetration testing be integrated to identify potential vulnerabilities related to data flow changes and access control mechanisms?", + "31": "What tools can be used to 
continuously inventory the versions of both client-side and server-side components, and how can these tools be used to monitor for vulnerabilities in these components?", + "32": "What are some common consequences of access control failures during a penetration test?", + "33": "If penetration testing and DAST tools like OWASP ZAP don't trigger alerts, how can the application be improved to detect and respond to active attacks in real-time or near real-time?", + "34": "What are the potential vulnerabilities if an unauthenticated user can access pages that are intended for authenticated users only?", + "35": "If a web application fetches a remote resource without validating the user-supplied URL, what type of vulnerability could this indicate, and what potential impact could it have?", + "36": "What are the potential consequences if access control mechanisms fail during a penetration test?", + "37": "What are some of the key security considerations to address when building and deploying software within a secure software supply chain?", + "38": "How can attackers exploit vulnerabilities like SQL injection to directly manipulate data or commands within a database?", + "39": "What specific security risk is associated with returning detailed error messages, including stack traces, to users in a web application?", + "40": "When using adaptive and salted hashing functions for password storage, what is the purpose of the work factor or delay factor?", + "41": "How can an attacker bypass access control checks in a web application and gain unauthorized access, such as viewing or editing someone else's account?", + "42": "What are the security risks associated with a web application that exposes session identifiers in the URL and does not properly invalidate session IDs during logout?", + "43": "What are the recommended hashing functions for storing passwords, and what factors should be considered when choosing them?", + "44": "What tools and resources are recommended for 
continuously tracking the versions of client-side and server-side components, as well as monitoring for vulnerabilities in those components?", + "45": "Are deprecated cryptographic padding methods like PKCS number 1 v1.5 being utilized in the application, potentially creating vulnerabilities for padding oracle attacks?", + "46": "What kind of security vulnerability is present if an unauthenticated user can access a page that should only be accessible to authenticated users?", + "47": "What are the key elements of a secure development lifecycle (SDL) and why is it important to involve security specialists from the beginning of a software project?", + "48": "If an attacker could force a user to browse to a specific URL, such as \"https://example.com/app/accountInfo?acct=notmyacct\", could they access sensitive account information without proper authorization?", + "49": "What type of vulnerability is demonstrated in the provided attack scenarios and how can an attacker exploit it to delay or disrupt the application's operation?" + }, + "ground_truth": { + "0": "Access control failures during a penetration test can have severe consequences, including unauthorized information disclosure, modification, or destruction of sensitive data. Attackers could potentially gain access to confidential information, alter critical system settings, or even disrupt business operations by performing actions outside their authorized limits. These breaches can lead to financial losses, reputational damage, legal ramifications, and even operational downtime. In extreme cases, access control failures can be exploited to gain complete control over the targeted system, creating a serious security risk.", + "1": "The provided context doesn't explicitly state the vulnerabilities that allowed the airline's data to be exposed for over ten years. The information only mentions the lack of logging and monitoring, which likely contributed to the undetected breach. 
However, to determine the specific vulnerabilities exploited, further details about the cloud hosting provider's security practices, the nature of the breach, and the exploited weaknesses in their systems are required.", + "2": "If security settings for application servers, frameworks, libraries, and databases are not set to secure values, a penetration tester could exploit a wide range of vulnerabilities. This includes:\n\n* **Default credentials:** Unchanged default accounts can be easily exploited for unauthorized access. Penetration testers can use readily available lists of default credentials to gain access.\n* **Insecure configuration:** Misconfigured settings, like weak encryption algorithms, open ports, and overly permissive permissions, can lead to data breaches, privilege escalation, and other security issues. This can allow attackers to bypass security measures and access sensitive information.\n* **Missing or insecure security headers:** Lack of or improperly configured security headers (e.g., HSTS, Content Security Policy) can make the application vulnerable to cross-site scripting (XSS), clickjacking, and other attacks.\n* **Insecure error handling:** Detailed error messages revealing sensitive information, such as stack traces, can be exploited by attackers to understand the application's internal workings and potentially find vulnerabilities.\n* **Outdated software:** Using outdated software with known vulnerabilities can lead to exploitation by attackers. 
Penetration testers can exploit these vulnerabilities by using readily available exploits or by developing custom exploits for unpatched vulnerabilities.\n* **Weak authentication mechanisms:** Poorly implemented authentication mechanisms, such as weak password policies, lack of two-factor authentication, or vulnerable session management, can be exploited to gain unauthorized access to the system.\n\nPenetration testers will leverage various techniques and tools to identify and exploit these weaknesses in an application's security posture. By understanding these potential vulnerabilities, organizations can prioritize securing their applications and mitigating the risks associated with insecure configurations.", + "3": "The OWASP Top 10 community survey highlighted the increasing importance of security logging and monitoring, moving it up from tenth position in 2017 to third place in the latest survey. This indicates a growing recognition among security professionals of the crucial role logging and monitoring play in detecting and responding to security threats. While specific recommendations may vary depending on the survey year, the core principles remain consistent: robust logging practices, real-time monitoring capabilities, and the ability to analyze log data effectively are essential components of any comprehensive security strategy.", + "4": "User-supplied table and column names are dangerous because they can be used to access and modify data outside of the intended scope of the application. For example, an attacker could provide a table name that matches a system table, such as 'information_schema', and then use a column name to retrieve sensitive information about the database. This is particularly dangerous in report-writing software, where users may have the ability to generate reports based on custom data structures, which can be exploited to access sensitive data. 
Because these structures cannot be escaped, they allow for direct access and modification of data without any filtering or validation.", + "5": "By manipulating the 'acct' parameter in the browser request, an attacker can directly input any account number they desire. If the application fails to properly verify this input before executing the SQL query, the attacker can bypass security checks and access any user's account information. This vulnerability highlights the importance of input validation to prevent attackers from injecting malicious data into SQL queries.", + "6": "A secure development lifecycle (SDL) is crucial for preventing vulnerabilities during application development. Here are key steps based on the provided context:\n\n1. **Involve AppSec Professionals:** Integrate security experts from the outset to design and evaluate security and privacy controls. This ensures robust security considerations are built into the application architecture. \n\n2. **Secure Design Patterns and Components:** Leverage pre-built secure design patterns and components to streamline development and minimize vulnerabilities. This provides a foundation of security best practices. \n\n3. **Threat Modeling:** Conduct threat modeling exercises to identify potential vulnerabilities in critical areas such as authentication, authorization, business logic, and key data flows. This helps prioritize security efforts. \n\n4. **Security Language in User Stories:** Incorporate security requirements into user stories and development tasks. This ensures security considerations are addressed throughout the development process. \n\n5. **Plausibility Checks:** Implement plausibility checks at each tier of the application, from the frontend to the backend. This helps validate user inputs and prevent potential attacks. \n\n6. **Security Testing:** Write unit and integration tests to validate that all critical flows are resistant to threats identified in the threat model. 
Include both use cases and misuse cases to test for vulnerabilities. \n\n7. **Tier Segregation:** Segregate different application tiers (frontend, backend, etc.) on both the system and network layers based on their exposure and protection needs. This helps contain potential breaches. \n\n8. **Robust Tenant Segregation:** Ensure tenants are securely segregated across all application tiers by design. This prevents unauthorized access and data breaches between different user groups. ", + "7": "Common injection attacks that target dynamic queries and commands include:\n\n* **SQL Injection (SQLi):** Exploits vulnerabilities in SQL queries to manipulate database operations, potentially leading to data theft, modification, or denial of service.\n* **NoSQL Injection:** Targets NoSQL databases, aiming to bypass authentication, gain unauthorized access, or manipulate data stored in the database.\n* **OS Command Injection:** Allows attackers to execute arbitrary operating system commands on the server hosting the application.\n* **Object Relational Mapping (ORM) Injection:** Exploits weaknesses in the mapping between object-oriented code and relational databases, enabling attackers to manipulate database queries.\n* **LDAP Injection:** Targets Lightweight Directory Access Protocol (LDAP) servers, enabling attackers to bypass authentication or gain unauthorized access to directory information.\n* **Expression Language (EL) or Object Graph Navigation Library (OGNL) Injection:** Targets applications that use expression languages or object graph navigation libraries, potentially allowing attackers to execute arbitrary code or access sensitive data.\n\nSource code review is crucial in identifying vulnerabilities to these injection attacks. 
By examining the code, security analysts can:\n\n* **Identify points where user input is directly used in queries or commands:** This highlights potential entry points for injection attacks.\n* **Analyze how data is sanitized and validated:** Proper sanitization and validation mechanisms can prevent malicious data from being injected into queries or commands.\n* **Review the implementation of security controls:** Security controls, such as parameterized queries and input validation, can mitigate injection vulnerabilities.\n* **Identify potential vulnerabilities in third-party libraries:** Injection vulnerabilities can often be found in third-party libraries used by the application. \n\nBy performing comprehensive source code review, developers and security professionals can proactively identify and address injection vulnerabilities before they are exploited by attackers.", + "8": "More dangerous attacks could modify or delete data from the accounts table, potentially corrupting or destroying valuable information. 
They could also invoke stored procedures, which are sets of pre-compiled SQL code that can perform various actions, potentially causing significant damage or disruption to the system.", + "9": "Detailed error messages, especially stack traces, can expose sensitive information such as:\n\n* **Internal file paths:** Revealing the directory structure of the application could allow an attacker to understand the application's architecture and potentially target specific files for exploitation.\n* **Database queries:** Error messages often contain snippets of SQL queries, which could expose database structure, table names, and even sensitive data within the database.\n* **Component versions:** Exposing versions of libraries, frameworks, or operating systems could enable attackers to target known vulnerabilities in those components.\n* **Configuration settings:** Sensitive configuration information such as API keys, database credentials, or connection strings could be inadvertently revealed in error messages.\n* **Code snippets:** Stack traces can expose portions of the application's source code, potentially allowing attackers to understand the application's logic and identify vulnerabilities.\n\nThese vulnerabilities, combined with the access control flaw, could allow attackers to gain unauthorized access to sensitive data or even take control of the application. 
By exploiting these vulnerabilities, attackers could potentially:\n\n* **Gain unauthorized access to sensitive data:** They might be able to read, modify, or delete confidential information stored in the database or other files.\n* **Execute arbitrary code:** If the application server's code is exposed through error messages, attackers could potentially exploit these code snippets to execute malicious code on the server.\n* **Gain remote code execution:** In some cases, error messages could expose vulnerabilities that allow attackers to execute commands directly on the server, providing them with complete control.\n* **Bypass authentication mechanisms:** Attackers could exploit the revealed information to bypass authentication measures and gain access to restricted functionality.", + "10": "A penetration tester discovering insecure security settings in application servers and databases could exploit various vulnerabilities, leveraging the provided context: \n\n* **Default Credentials:** Exploiting default accounts and passwords unchanged poses a significant risk. Attackers can easily gain unauthorized access, potentially escalating privileges to gain full control of the system.\n* **Insecure Error Handling:** Overly informative error messages revealing stack traces or sensitive information can be exploited for code injection attacks, allowing malicious code to be executed within the application.\n* **Disabled or Misconfigured Security Features:** Attackers could exploit disabled or poorly configured security features in upgraded systems, bypassing security mechanisms and gaining unauthorized access.\n* **Insecure Configuration:** The lack of secure configuration settings in application servers, frameworks, libraries, and databases presents numerous vulnerabilities. 
These could include weak encryption algorithms, outdated security patches, and open ports, allowing attackers to gain access, steal sensitive data, or launch denial-of-service attacks.\n* **Missing or Insecure Security Headers:** The absence of essential security headers or their insecure configuration could lead to various vulnerabilities like Cross-Site Scripting (XSS), Clickjacking, and insecure communication, making the application susceptible to attacks.", + "11": "Relying solely on password complexity and rotation creates several vulnerabilities. While these measures may deter basic attacks, they are insufficient in the face of advanced threats. Here's why:\n\n* **Weak Passwords:** Even complex passwords can be easily cracked through brute force attacks, especially if users are forced to rotate them frequently. This often leads to predictable patterns and weak password choices. \n* **Password Reuse:** Users often reuse the same or similar passwords across multiple accounts. A breach in one system can compromise access to others. \n* **Social Engineering:** Password complexity doesn't protect against social engineering attacks, where attackers trick users into revealing their credentials. \n* **Lack of Multi-Factor Authentication (MFA):** Password rotation and complexity alone don't address the inherent weaknesses of passwords. MFA adds a second layer of security, requiring additional verification beyond a password. \n\nBy relying solely on these measures, organizations create a false sense of security. Adopting a layered approach to authentication, including MFA and robust password management practices, is crucial for mitigating risks.", + "12": "To protect sensitive data like passwords and financial information during transmission and storage, implementing robust security measures is crucial. Here are some key steps: \n\n1. **Encryption:** Encrypt data both in transit and at rest using strong encryption algorithms like AES-256. 
For transmission, HTTPS with TLS/SSL should be used. This ensures that even if data is intercepted, it remains unreadable.\n\n2. **Secure Storage:** Implement secure storage solutions for sensitive data. This includes using encrypted databases, file systems, and storage devices. Access control mechanisms should be in place to limit access to authorized personnel only.\n\n3. **Strong Authentication:** Implement strong authentication mechanisms such as multi-factor authentication (MFA) to verify user identity. MFA adds an extra layer of security, making it much harder for unauthorized individuals to access sensitive data.\n\n4. **Data Minimization:** Store only the necessary data and avoid collecting or storing sensitive information that is not essential for business operations. This minimizes the risk of data breaches and reduces the potential impact.\n\n5. **Regular Security Assessments:** Conduct regular security assessments, including penetration testing, to identify vulnerabilities and weaknesses in your systems and security controls. These assessments help ensure that your security measures remain effective against evolving threats.\n\n6. **Employee Training:** Educate employees about security best practices, including proper data handling, strong password management, and recognizing phishing attacks. Training helps reduce the risk of human error, which can lead to data breaches.\n\n7. **Data Loss Prevention (DLP):** Implement data loss prevention (DLP) solutions to detect and prevent sensitive data from leaving the organization's controlled environment without authorization. DLP can monitor data in transit, at rest, and in use, helping to prevent accidental or malicious data leaks.\n\n8. **Regular Patching:** Keep all software and operating systems updated with the latest security patches to address known vulnerabilities. Regular patching reduces the risk of exploitation by attackers.\n\n9. 
**Secure Configuration:** Configure all systems and applications securely, following security best practices. This includes disabling unnecessary services, implementing strong access controls, and using secure configurations recommended by security vendors.\n\nBy implementing these security measures, organizations can significantly reduce the risk of data breaches and protect sensitive data from unauthorized access, use, disclosure, disruption, modification, or destruction.", + "13": "The application's inability to detect and respond to real-time attacks despite penetration tests and DAST scans not triggering alerts highlights a significant security vulnerability. The issue lies in the lack of appropriate alerting thresholds and response escalation processes, rendering the application effectively blind to malicious activity. This vulnerability is compounded by the fact that logging and alerting events are potentially visible to unauthorized users or attackers, further increasing the risk of information leakage. To address this, the application must implement robust security controls such as: \n\n1. **Establishing Realistic Alerting Thresholds**: Define clear and sensitive thresholds for triggering alerts based on potential attack patterns and indicators of compromise (IOCs). \n2. **Implementing Effective Response Escalation Processes**: Define a clear and efficient escalation process for handling security alerts, involving appropriate security teams and personnel. \n3. **Enhancing Logging and Monitoring**: Implement robust logging and monitoring mechanisms that capture detailed information about user activity, network traffic, and system events. \n4. **Implementing Real-Time Threat Detection and Response**: Integrate real-time threat detection and response solutions that can analyze network traffic, detect suspicious activity, and trigger automated responses to mitigate attacks. \n5. 
**Securing Logging and Alerting Mechanisms**: Ensure that logging and alerting mechanisms are adequately secured to prevent unauthorized access and manipulation. \n6. **Regularly Review and Update Security Controls**: Continuously review and update security controls based on evolving threat landscapes and vulnerabilities. \n\nBy taking these measures, the application can significantly enhance its ability to detect and respond to real-time attacks, minimizing the risk of data breaches and information leakage.", + "14": "When applications fail to properly validate or sanitize user-supplied data, they become susceptible to various vulnerabilities, including:\n\n* **Cross-Site Scripting (CWE-79):** Attackers can inject malicious scripts into the application's output, which can be executed by unsuspecting users, potentially stealing their credentials or hijacking their sessions.\n* **SQL Injection (CWE-89):** Malicious SQL queries can be injected into the application, potentially allowing attackers to access, modify, or delete sensitive data from the database.\n* **External Control of File Name or Path (CWE-73):** Attackers can manipulate file names or paths, potentially gaining access to or modifying critical files, leading to data breaches or system compromise.\n\n**Mitigation Strategies:**\n\n* **Input Validation:** Always validate user input against expected formats and constraints. Use regular expressions, whitelisting, and blacklisting techniques to prevent unwanted characters or patterns.\n* **Output Encoding:** Encode all data displayed to the user, especially user-supplied content, to prevent malicious scripts from executing.\n* **Prepared Statements:** Use parameterized queries and prepared statements for database interactions to prevent SQL injection. 
This ensures that user input is treated as data, not code.\n* **File Path Sanitization:** Ensure that file paths are sanitized and validated to prevent attackers from accessing or modifying sensitive files.\n* **Secure Development Practices:** Follow secure coding principles and use secure libraries and frameworks that provide built-in protection against common vulnerabilities.", + "15": "The absence or misuse of cryptography presents significant vulnerabilities that can lead to sensitive data exposure. Here are some key weaknesses:\n\n* **Weak or Insecure Algorithms:** Using outdated or compromised cryptographic algorithms, such as outdated versions of DES or MD5, makes it relatively easy for attackers to break encryption, leaving data vulnerable. \n* **Poor Key Management:** Improper key generation, storage, and distribution practices can compromise the entire encryption process. Stolen, leaked, or easily guessed keys render encryption ineffective. \n* **Insufficient Key Length:** Using short key lengths (e.g., less than 128 bits for symmetric encryption) weakens the complexity of the encryption process, making it easier to crack through brute-force attacks. \n* **Improper Implementation:** Even strong cryptographic algorithms can be compromised by flawed implementations, such as insecure coding practices or failure to follow industry standards. \n* **Lack of Encryption for Sensitive Data:** Failing to encrypt sensitive data at rest (e.g., in databases, files) or in transit (e.g., over networks) makes it easily accessible to unauthorized individuals. 
\n* **Cryptographic Backdoors:** Intentional vulnerabilities or weaknesses built into cryptographic systems, often for law enforcement or intelligence purposes, can be exploited by attackers, negating the protection intended by the encryption.\n\nBy addressing these weaknesses through robust cryptography practices, organizations can significantly strengthen their defenses against data breaches and protect sensitive information.", + "16": "Integrating security specialists early in the software development lifecycle (SDLC) is crucial for building more secure applications. It allows for a proactive approach to security, embedding it into the core design and development processes. Here's how it contributes:\n\n* **Early Threat Identification and Mitigation:** Security specialists can identify vulnerabilities and potential attack vectors during the initial design phases, enabling developers to address them proactively. This reduces the risk of introducing security flaws later in the development cycle, when remediation can be more complex and costly.\n\n* **Secure Design Principles:** Security experts can guide developers in adopting secure coding practices and implementing security controls by design. This ensures that security is not an afterthought, but rather an integral part of the application architecture.\n\n* **Reduced Security Debt:** By involving security specialists early, organizations can prevent the accumulation of technical debt related to security vulnerabilities. This reduces the need for expensive and time-consuming security fixes during later stages of the SDLC.\n\n* **Improved Collaboration and Communication:** Early integration fosters collaboration between development and security teams. 
This leads to better understanding and communication regarding security requirements, resulting in more secure code and applications.\n\n* **Increased Awareness and Ownership:** Involving security specialists throughout the SDLC encourages developers to adopt a security mindset and take ownership of security responsibilities. This creates a more secure development culture within the organization.", + "17": "Penetration testers can assess the effectiveness of access control mechanisms in this scenario by conducting the following tests:\n\n1. **CORS Misconfiguration:**\n * **Test:** Attempt to access resources from a different origin (e.g., a different domain) using tools like `curl` or `Postman`. Analyze the response headers, particularly `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`, to identify potential CORS misconfigurations.\n * **Expected outcome:** The tests should fail, indicating strict CORS enforcement, allowing only authorized origins or methods.\n\n2. **Record Ownership Enforcement:**\n * **Test:** Attempt to modify or delete records belonging to other users. Use tools like Burp Suite or ZAP to intercept and modify requests, altering the user ID or record ID. Observe if the system correctly blocks unauthorized actions.\n * **Expected outcome:** Access to records should be restricted to the owner, preventing unauthorized modifications or deletions.\n\n3. **Access Control Bypass:**\n * **Test:** Try to circumvent access controls through techniques like SQL injection, cross-site scripting (XSS), or authorization bypass vulnerabilities. Explore potential weaknesses in authentication, session management, and input validation.\n * **Expected outcome:** The application should successfully detect and mitigate these attempts, preventing unauthorized access and data manipulation.\n\n4. 
**Public Resource Validation:**\n * **Test:** Identify resources that are intended to be public and verify they are correctly accessible without any authentication requirements. Check for unnecessary access controls on public resources.\n * **Expected outcome:** Public resources should be easily accessible without any authentication or authorization requirements.\n\n5. **File Metadata and Backup File Access:**\n * **Test:** Try to access files like `.git` folders, backup files, or any sensitive configuration files that may be accidentally exposed.\n * **Expected outcome:** These files and directories should be properly protected, inaccessible from the web root. \n\nBy conducting these tests, penetration testers can identify vulnerabilities and misconfigurations in access control mechanisms, helping to ensure the secure and robust implementation of the stated security principles.", + "18": "Yes, if the application uses Java serialization to handle user state and the serialization process is not properly secured, an attacker could exploit this mechanism to achieve remote code execution. The Java Serial Killer tool is designed to leverage vulnerabilities in Java serialization, allowing attackers to inject malicious code into serialized objects. By injecting this malicious code, an attacker could potentially gain control of the application server, leading to a remote code execution attack.", + "19": "An **insecure design** refers to fundamental flaws in the architecture or blueprint of a system, making it inherently vulnerable to attacks. These flaws often stem from a lack of security considerations during the initial design phase, resulting in missing security controls or inadequate protection mechanisms. In contrast, an **insecure implementation** occurs when the actual coding or configuration of a system deviates from the secure design, introducing vulnerabilities despite a sound initial plan. 
This can arise from developer errors, misinterpretations of security requirements, or the use of insecure libraries or frameworks. The key difference lies in their root causes and remedies. Insecure design requires a complete redesign or significant architectural changes to fix the fundamental vulnerabilities. Insecure implementation, on the other hand, can be addressed by patching, re-coding, or reconfiguring the system to align with the intended security design.", + "20": "Rate limiting API and controller access helps mitigate the impact of automated attacks by setting limits on the number of requests that can be made from a single IP address or user agent within a given timeframe. This prevents attackers from flooding the system with requests, overwhelming the resources and causing denial of service (DoS) attacks. By limiting the number of requests, attackers are unable to exhaust system resources and cause significant damage.", + "21": "Leaving default accounts unchanged in an admin console presents significant security risks. Attackers can exploit this vulnerability by using readily available default credentials to gain unauthorized access. Once they log in, they can potentially take control of the system, modify configurations, steal sensitive data, or even launch further attacks. This vulnerability is particularly dangerous because it provides attackers with a straightforward entry point into the system without needing to bypass any security measures.", + "22": "During refinement sessions, threat modeling can be used to identify potential security risks associated with changes in data flows and access controls within a user story. By analyzing the proposed changes, security experts can identify potential vulnerabilities, such as unauthorized access, data breaches, or denial-of-service attacks. The threat modeling process can help to ensure that the user story is designed and implemented in a secure manner. 
For example, if a user story involves changing the way data is stored or accessed, threat modeling can help to identify potential vulnerabilities that could be exploited by attackers. This information can then be used to inform the design and implementation of the user story, ensuring that the necessary security controls are in place to mitigate these risks. By integrating threat modeling into the refinement process, organizations can proactively address potential security risks and ensure that their applications are secure.", + "23": "Using hard-coded passwords, weak cryptographic algorithms, and insufficient entropy in data protection poses severe security risks, especially when handling sensitive information like financial data or personal records. Here's a breakdown of the implications:\n\n* **CWE-259: Use of Hard-coded Password:** Hard-coded passwords are easily discoverable by attackers, compromising the security of the entire system. If the code is compromised, attackers can gain access to sensitive data without needing to crack complex passwords. This is a significant risk for applications, databases, or any system where hard-coded credentials are present.\n\n* **CWE-327: Broken or Risky Crypto Algorithm:** Employing outdated or insecure cryptographic algorithms makes data vulnerable to various attacks. Attackers can exploit weaknesses in these algorithms to decrypt sensitive data, potentially leading to breaches, data theft, and financial losses. This is particularly critical for data encryption at rest and in transit, as weak algorithms can easily be broken by sophisticated attackers.\n\n* **CWE-331: Insufficient Entropy:** Insufficient entropy in data protection methods, such as passwords or encryption keys, weakens the security of the system. Attackers can leverage statistical analysis or brute-force techniques to guess the keys or passwords, compromising the data they protect. 
This is a major concern for data encryption, where low entropy keys can be easily cracked, exposing sensitive data.\n\n**Consequences for Sensitive Data:**\n\n* **Data Breaches:** These vulnerabilities expose sensitive data, leading to breaches that compromise financial information, personal records, and other sensitive details. This can result in identity theft, financial fraud, and reputational damage.\n\n* **Non-compliance with Regulations:** Failure to implement robust security measures, including strong passwords, secure encryption algorithms, and sufficient entropy, violates data protection regulations like GDPR and PCI DSS. This can lead to hefty fines and penalties.\n\n* **Loss of Trust and Customer Confidence:** Data breaches erode trust in organizations and can significantly impact customer relationships. Businesses can lose customers and suffer reputational damage due to security failures, leading to financial losses.\n\n**Mitigation:**\n\nTo mitigate these risks, organizations must prioritize robust security practices, including:\n\n* **Eliminating Hard-coded Passwords:** Replace hard-coded passwords with secure password management systems or secret management tools.\n\n* **Using Strong Cryptographic Algorithms:** Implement industry-standard encryption algorithms like AES-256 for data protection. Regularly update to the latest and strongest algorithms as vulnerabilities are discovered.\n\n* **Ensuring Sufficient Entropy:** Employ strong password policies that enforce sufficient entropy, including length, complexity, and a mix of characters. 
Generate high-entropy keys for encryption, ensuring strong protection against brute-force attacks.\n\nBy adhering to these best practices, organizations can significantly reduce their vulnerability to attacks and ensure the protection of sensitive data.", + "24": "The 'Broken Authentication' category in the Common Weakness Enumerations (CWEs) encompasses vulnerabilities related to identification failures, which occur when an application fails to properly verify the identity of a user. Some examples of CWEs that fall under this category and relate to identification failures include:\n\n* **CWE-297: Improper Validation of Certificate with Host Mismatch:** This CWE arises when an application fails to adequately validate the certificate presented by a client, allowing an attacker to impersonate a legitimate user or server. This can happen when the application does not check the certificate's host name against the expected domain name.\n* **CWE-287: Improper Authentication:** This CWE describes scenarios where an application utilizes weak or flawed authentication mechanisms, making it easier for attackers to bypass authentication controls. Examples include using easily guessable passwords, weak password complexity requirements, or relying solely on username/password combinations without additional security measures.\n* **CWE-384: Session Fixation:** This CWE occurs when an application allows an attacker to manipulate a user's session ID, potentially allowing them to hijack the user's session or gain unauthorized access to sensitive information. This can happen if the application does not properly generate or manage session IDs.\n\nThese CWEs highlight the importance of implementing robust authentication measures that effectively prevent identification failures. 
By addressing these vulnerabilities, applications can better safeguard against attacks that exploit weaknesses in authentication processes.", + "25": "If an unauthenticated user can access an administrative page, it poses a significant security risk. The attacker could potentially gain access to sensitive data, modify configurations, or even execute commands with administrative privileges. This could lead to a range of severe consequences, including data breaches, system compromise, and unauthorized modifications to the system.", + "26": "To effectively log login failures, access control breaches, and server-side input validation errors with sufficient user context for detecting malicious activity, the following steps are crucial:\n\n1. **Detailed Logging:** Capture comprehensive information for each event, including:\n * **User Information:** Username, user ID, group memberships, IP address, and location.\n * **Event Details:** Timestamp, action performed (e.g., login attempt, access request, input validation failure), resource accessed, and specific error message.\n * **System Information:** Server name, operating system, application version, and relevant configuration settings.\n\n2. **Structured Logging:** Implement a standardized log format that enables easy parsing and analysis by security monitoring tools. Common formats include:\n * **Syslog:** A widely used standard for logging system events.\n * **JSON:** Offers flexibility and human-readability for storing log data.\n * **CEF (Common Event Format):** A structured format supported by various security tools.\n\n3. **Log Encoding:** Encode log data appropriately to prevent injection attacks. Use secure encoding methods such as:\n * **Base64:** Converts binary data to printable ASCII characters.\n * **URL Encoding:** Encodes special characters for safe transmission over the internet.\n\n4. 
**Log Management Solutions:** Utilize robust log management tools that can aggregate, analyze, and correlate log data from multiple sources. These tools provide features like:\n * **Real-time Monitoring:** Detect suspicious activity as it happens.\n * **Alerting:** Trigger notifications based on predefined rules and thresholds.\n * **Data Visualization:** Visualize trends and patterns to identify potential threats.\n\n5. **Audit Trails:** Implement audit trails for high-value transactions to ensure their integrity. This could involve using append-only database tables or similar mechanisms to prevent tampering or deletion of log data.\n\nBy adhering to these practices, organizations can effectively log security events, gain valuable insights into suspicious activity, and respond promptly to potential threats.", + "27": "The rise in the OWASP Top 10 rankings for security logging and monitoring from 2017 to 2023 reflects a growing awareness of its critical role in detecting and responding to security threats. As attacks become more sophisticated, organizations need robust logging and monitoring systems to quickly identify malicious activity and take appropriate action. This is evident in the increased emphasis on security logging and monitoring by organizations and security professionals alike.", + "28": "Attackers can use automated tools like Shodan to identify systems with unpatched vulnerabilities like Heartbleed. Shodan searches for devices on the internet and can identify those still vulnerable to Heartbleed, which was patched in April 2014. Other examples of vulnerabilities attackers can exploit include CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables the execution of arbitrary code on the server. 
These vulnerabilities allow attackers to compromise systems and potentially gain control over them.", + "29": "A common vulnerability that enables attackers to execute arbitrary code on a server is a **remote code execution (RCE) vulnerability**. An example of a high-profile breach attributed to an RCE vulnerability is the **Equifax data breach in 2017**, which was exploited through the **CVE-2017-5638 Struts 2 vulnerability**.", + "30": "During user story development, penetration testing can be integrated to identify vulnerabilities related to data flow changes and access control mechanisms by incorporating threat modeling into refinement sessions. This involves analyzing data flows and access control mechanisms to identify potential vulnerabilities. By simulating attacks and analyzing the impact, penetration testers can identify weaknesses in the system's security controls. They can then recommend solutions to mitigate these vulnerabilities, ensuring that data flow changes and access control mechanisms are secure and robust.", + "31": "Tools like **OWASP Dependency Check, retire.js, and versions** can be used to continuously inventory the versions of client-side and server-side components and their dependencies. These tools can be integrated into the development and deployment pipelines to automatically scan for vulnerabilities in these components. Additionally, you can continuously monitor sources like **Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD)** for vulnerabilities in the components. Software composition analysis tools can automate this process and provide alerts when vulnerabilities are discovered. 
Subscribing to email alerts for security vulnerabilities related to the components you use can also help keep you informed of potential risks.", + "32": "Common consequences of access control failures during a penetration test include unauthorized access to sensitive data, modification or deletion of critical information, and the execution of unauthorized actions or functions within the system. This can lead to significant financial losses, reputational damage, and legal repercussions for the organization.", + "33": "To improve the application's ability to detect and respond to active attacks in real-time or near real-time, even when penetration testing and DAST tools don't trigger alerts, you need to focus on enhancing the application's security monitoring and response capabilities. Here are some key steps:\n\n1. **Refine Alerting Thresholds and Response Escalation:**\n - **Define Clear Thresholds:** Establish specific thresholds for suspicious activity based on your application's risk profile. This includes setting limits for failed login attempts, unusual traffic patterns, and rapid data access requests.\n - **Implement Automated Escalation:** Configure automated processes to escalate alerts to security teams when thresholds are breached. This could involve sending notifications, triggering incident response protocols, or even automatically blocking suspicious IP addresses.\n\n2. **Enhance Runtime Security Monitoring:**\n - **Real-Time Threat Intelligence Integration:** Integrate your application with real-time threat intelligence feeds to detect known attack patterns and malicious actors. This can help identify attacks that may not trigger traditional alerts.\n - **Behavioral Analysis:** Implement behavioral analysis techniques to monitor user activity and identify deviations from expected patterns. 
This can help detect insider threats or malicious actors mimicking legitimate users.\n - **Security Information and Event Management (SIEM):** Use a SIEM solution to centralize security logs from various sources (application logs, network devices, firewalls, etc.). This provides a consolidated view of security events and facilitates correlation analysis for detecting complex attacks.\n\n3. **Implement Runtime Security Controls:**\n - **Runtime Application Self-Protection (RASP):** Consider implementing RASP solutions, which can monitor application behavior in real-time and take immediate action to mitigate threats, such as blocking malicious requests or preventing data exfiltration.\n - **Web Application Firewalls (WAFs):** Use a WAF to filter malicious traffic at the network layer. Modern WAFs often offer advanced features like bot detection, API security, and real-time threat intelligence integration.\n\n4. **Secure Logging and Auditing:**\n - **Minimize Log Visibility:** Limit the visibility of sensitive information within logs and audit trails to prevent attackers from exploiting logged data. Consider using anonymization techniques or access control mechanisms.\n - **Secure Logging Infrastructure:** Protect your logging infrastructure from unauthorized access or manipulation to ensure the integrity and reliability of security logs.\n\n5. **Regular Security Assessments and Testing:**\n - **Penetration Testing:** Conduct regular penetration testing to assess your application's security posture and identify vulnerabilities that might not be detected by automated tools.\n - **Security Audits:** Perform regular security audits to review your application's configuration, code, and security controls for potential weaknesses and misconfigurations.\n\nBy implementing these measures, you can significantly enhance your application's ability to detect and respond to active attacks, even in situations where traditional security tools may not trigger alerts. 
Remember, continuous monitoring, analysis, and improvement are crucial to maintaining a strong security posture in the ever-evolving threat landscape.", + "34": "If an unauthenticated user can access pages intended for authenticated users, it poses a significant security risk. This vulnerability can allow attackers to gain unauthorized access to sensitive information, manipulate data, or even compromise the entire system. Here are some potential vulnerabilities:\n\n* **Data Breaches:** Attackers can access confidential data like customer information, financial records, or internal documents. \n* **Account Takeover:** Attackers might be able to hijack existing user accounts or create new ones with elevated privileges.\n* **System Manipulation:** Attackers could modify or delete critical system files, alter configurations, or execute malicious code, leading to system instability or complete failure. \n* **Privilege Escalation:** Attackers could exploit the vulnerability to gain administrator-level access, allowing them to control the entire system and potentially compromise other connected systems.\n* **Denial-of-Service Attacks:** Attackers could flood the system with requests, causing it to become unresponsive, making it unavailable to legitimate users.", + "35": "This scenario indicates a **Server-Side Request Forgery (SSRF)** vulnerability. An attacker could exploit this by providing a malicious URL that targets an internal system, bypassing firewalls and potentially accessing sensitive data or executing commands. The impact could include data exfiltration, internal system compromise, and denial-of-service attacks. ", + "36": "Failure of access control mechanisms during a penetration test can have severe consequences, potentially leading to unauthorized access to sensitive information, modification or deletion of critical data, and the execution of actions outside the user's permitted scope. 
This can result in significant financial losses, reputational damage, legal liabilities, and disruptions to business operations. The consequences can be even more severe if the penetration test reveals vulnerabilities that could be exploited by malicious actors.", + "37": "Building and deploying software within a secure software supply chain demands meticulous attention to several key security considerations. Here are some of the most critical factors to address: \n\n* **Secure Software Development Practices:**\n * **Secure Coding:** Implement secure coding practices throughout the development lifecycle, adhering to industry best practices and using static and dynamic analysis tools to identify and mitigate vulnerabilities. \n * **Code Review:** Conduct thorough peer code reviews to detect potential security flaws and ensure adherence to coding standards. \n * **Threat Modeling:** Proactively identify potential threats and vulnerabilities during the design and development phases, developing mitigation strategies accordingly. \n\n* **Secure Build and Deployment Processes:**\n * **Build Environment Security:** Securely configure build environments, preventing unauthorized access, code tampering, and malware injection. Implement robust access controls and utilize secure build tools. \n * **Dependency Management:** Carefully manage and scrutinize software dependencies, ensuring that all third-party components are vetted for vulnerabilities and security issues. Utilize a centralized dependency management system to enforce security policies. \n * **Automated Testing and Scanning:** Integrate automated security testing into the build process to identify vulnerabilities and ensure code quality. Implement static and dynamic analysis tools to detect potential weaknesses. \n * **Release Management:** Establish secure release management processes to ensure that software deployments are controlled, auditable, and free from unauthorized modifications. 
\n\n* **Secure Infrastructure and Deployment:**\n * **Secure Infrastructure:** Deploy applications on secure infrastructure, ensuring that servers, networks, and operating systems are properly hardened and secured. Implement appropriate access control measures and firewalls. \n * **Deployment Security:** Implement secure deployment practices, minimizing the attack surface and protecting against common vulnerabilities associated with deployments. Utilize secure deployment tools and automate the process as much as possible. \n\n* **Continuous Monitoring and Threat Detection:** \n * **Security Monitoring:** Implement continuous monitoring of applications and systems to detect suspicious activity and potential security incidents. Utilize security information and event management (SIEM) systems and intrusion detection systems (IDS). \n * **Vulnerability Management:** Establish a robust vulnerability management program to proactively identify and remediate security vulnerabilities in software components and infrastructure. Utilize vulnerability scanning tools and maintain up-to-date security patches. \n * **Incident Response:** Develop and practice an incident response plan to handle security breaches and incidents effectively. Define roles and responsibilities, ensure timely communication, and have a process for containment, recovery, and post-incident analysis. \n\nBy implementing these security considerations throughout the software supply chain, organizations can significantly reduce the risk of security breaches and ensure that their software is developed, built, and deployed in a secure and responsible manner.", + "38": "Attackers can exploit SQL injection vulnerabilities by injecting malicious SQL code into data inputs that are subsequently used to construct and execute database queries. 
This allows them to manipulate the database's logic, directly alter data, or even execute arbitrary commands within the database system.", + "39": "Returning detailed error messages, including stack traces, to users can expose sensitive information about the application's architecture, libraries used, and internal workings. This can be exploited by attackers to gain a deeper understanding of the system's vulnerabilities, leading to targeted attacks. Additionally, revealing stack traces could disclose the specific version of software components used, allowing attackers to exploit known vulnerabilities in outdated or unpatched libraries.", + "40": "The work factor or delay factor in adaptive and salted hashing functions like Argon2, scrypt, bcrypt, or PBKDF2 determines the computational effort required to calculate the hash. This means that by increasing the work factor, you significantly increase the time it takes to calculate a hash. This is a key security measure for protecting against brute-force attacks. A higher work factor makes it more time-consuming and expensive for attackers to try guessing passwords, effectively hindering brute-force attacks and enhancing password security.", + "41": "Attackers can bypass access control checks in web applications to gain unauthorized access in a number of ways. For example, they might modify the URL to tamper with parameters or force browsing, manipulate internal application state, or alter the HTML page. Additionally, they could use attack tools to modify API requests. Another tactic is to exploit insecure direct object references, which allow attackers to view or edit someone else's account by providing the account's unique identifier. Attackers could also target APIs with missing access controls for POST, PUT, and DELETE operations. 
Finally, elevation of privilege allows attackers to gain access to resources or perform actions beyond their authorized level.", + "42": "Exposing session identifiers in the URL and failing to properly invalidate them during logout presents significant security risks. Attackers can exploit these vulnerabilities to hijack user sessions, potentially leading to unauthorized access to sensitive data or actions. Here's a breakdown:\n\n* **Session Hijacking:** If an attacker intercepts a user's session ID, they can impersonate the user and access their account without needing valid credentials. This is particularly dangerous if the session ID is directly visible in the URL, as it can be easily captured by attackers using network sniffing tools.\n\n* **Session Fixation:** By manipulating a user's session ID, an attacker could force them to reuse an existing session even after logging out. This can be done by sending a malicious link to the user containing a specific session ID. When the user clicks on the link, they might be logged in as the attacker, even if they previously logged out. \n\n* **Credential Stuffing/Brute Force:** If sessions are not invalidated properly, attackers can repeatedly attempt to guess credentials using stolen or leaked credentials lists without the risk of being detected. This can be especially problematic in systems with weak password policies or where users reuse the same password across multiple accounts. \n\n* **Persistence of Access:** Failing to invalidate sessions during logout or inactivity can allow attackers to maintain access to an account even after a user has left the system. This could allow them to monitor user activity, steal sensitive information, or perform actions on the user's behalf without their knowledge. \n\n* **Denial-of-Service (DoS):** Attackers can use session IDs to launch DoS attacks by flooding the server with requests, overwhelming its resources and making the application unavailable to legitimate users. 
This is possible if the application relies on session data that is not properly managed and can be abused by attackers.", + "43": "Recommended hashing functions for storing passwords include Argon2, scrypt, bcrypt, and PBKDF2. These algorithms are considered strong due to their adaptive nature, use of salt, and work factor (delay factor). When choosing a hashing function, consider factors like:\n\n* **Security:** The algorithm should be resistant to known attacks, such as brute-force and rainbow table attacks. \n* **Performance:** The function should be efficient enough to handle the workload of your system without causing significant delays. \n* **Flexibility:** The algorithm should allow for adjustments to the work factor, salt length, and other parameters to adapt to changes in computing power and attack techniques. \n* **Availability:** The algorithm should be widely supported and implemented in your chosen programming language and environment.", + "44": "Tools like **versions**, **OWASP Dependency Check**, and **retire.js** can help with continuously inventorying client-side and server-side component versions and their dependencies. For monitoring vulnerabilities, utilize resources like **Common Vulnerability and Exposures (CVE)** and **National Vulnerability Database (NVD)**. Software composition analysis tools automate this process, and subscribing to email alerts for vulnerabilities related to your components is crucial. Always procure components from official sources over secure links.", + "45": "The provided context suggests that the application may be vulnerable to padding oracle attacks if deprecated cryptographic padding methods like PKCS number 1 v1.5 are being used. This is because these methods are known to have security flaws that can be exploited by attackers to decrypt encrypted data. Padding oracle attacks occur when an attacker can observe the response of the application to different padding values. 
This information can then be used to decrypt the ciphertext. It is important to note that the provided context does not state definitively whether PKCS number 1 v1.5 is in use. Further investigation is needed to determine if the application is vulnerable to this type of attack.", + "46": "This is a vulnerability called **authentication bypass**. This means that the application's security mechanisms are failing to properly identify and verify users before granting access to restricted resources.", + "47": "A secure development lifecycle (SDL) encompasses several key elements, including secure design patterns, a paved road methodology, a secured component library, relevant tooling, and threat modeling. Involving security specialists from the very beginning of a software project is crucial because it allows for proactive security considerations throughout the development process. This early engagement enables them to identify and address security vulnerabilities in the design phase, reducing the risk of costly remediation efforts later on. By integrating security into the core of the development process, the SDL ensures the creation of more robust and secure software.", + "48": "Yes, if an attacker could force a user to browse to \"https://example.com/app/accountInfo?acct=notmyacct\", they could potentially access sensitive account information without proper authorization. This is because the URL contains a parameter \"acct\" which is likely used to identify the account being accessed. By manipulating this parameter, the attacker could potentially gain access to another user's account information. However, the attacker may not have access to any admin pages or administrative privileges. This would depend on the application's security measures and how sensitive information is handled.", + "49": "The vulnerability demonstrated in both attack scenarios is **SQL Injection**. 
The attacker exploits this vulnerability by manipulating the input parameter 'id' with a malicious SQL statement. The crafted SQL statement includes the command 'SLEEP(10)', which causes the database to pause for 10 seconds before executing the rest of the query. This delay disrupts the application's operation, potentially causing performance issues, slow response times, or even denial-of-service conditions. The attacker may also insert additional malicious SQL code to gain unauthorized access to the database, steal sensitive information, or modify existing data." + } +} \ No newline at end of file 
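Review bot: Several of the added reference answers in data/rag_eval/owasp_50.json read as hedged model responses rather than as facts to score against. Entry "45" opens with "The provided context suggests" and closes with "the provided context does not state definitively whether PKCS number 1 v1.5 is in use", and entry "48" ends with "This would depend on the application's security measures". An evaluation record carries no context of its own, so each answer should state the expected facts directly and drop the references to a provided context and the closing caveats. Entry "49" goes further than naming the flaw: it asserts that 'SLEEP(10)' pauses the database "before executing the rest of the query" and lists denial-of-service as an outcome. Trim it to what the source document says about the scenario, so that the score is not measured against generated elaboration. The file also still ends without a trailing newline ("\ No newline at end of file"); add one while the file is being rewritten.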
diff --git a/data/rag_eval/results/plots/context_precision.png b/data/rag_eval/results/plots/context_precision.png index a77b5a9250dbe645abf3328d7f5b2edffd87af4c..8ed57ecdcfcae3b72b3fb0c9596f62eb5f834dac 100644 GIT binary patch literal 24017
z@BvG{OQI^}?e%s&n^Lusp%pjMb+LCZkY>lU#IVCQj#ifCjHw!49p=cslhVyYK6dw` zO_TDb**!fkfuQ<_Jq;*+@A?=g{ZLfU{Z4j7hQhdevfAmpbG&t4{`Qs}tApV06BnvNg=b@{&;7LV zkFD!7^co6>)_YiV6$8Fr%@`1vP(2w7jD2$MZFVyKv=u+Mw|^eW#9!SQgD;a%w?L2bo$-i2RTB$wsT%c~ zVhPlHAW`8)mEYNYYI%_gJ)u%kZB_WZPgGg3wDBP9c}?7SxIf0aVUJyycQFpTLPEuu z_1R-J5uB*0#ytA%Wb9M?HA~&fTmP>4&=mKMLR2ECyVYexE5ByEmXu(C$@K_7ns_36 zqxguW#qOZL`vkXDXL<}PcKDwYCp|A)qcezGo4a3%?@dc!EKYN0hiI&PeEpBQ+8 z6-?G{JJwGgm+})_=z>P<|2>gHNJpo;1kGezgySqEnihTrB6N>Eg7*X zo>I`6lc(Z}VTJk`%m~Fg>KU%8N_(B@yTSq8K|&vg&qFUvtNO_y3EiPPLA7{=sogUw zIloTEuw%U+A!tP(A@{IktA8&rzJ7`oWtm56^l(ksrLua&O|r>HLflVB8@mas?rHjf z$9nA=*ut6A`BenfL@5nrxPC*PyVpo@MF(cZ?~mvZF0B;q$pyXa>-rkGM%~Wmes?Z+ zBJnKMB=$_<-*@2%Q?_+uHfjbxc<)oqleV4Pbn^5VmiOT#oJqSd1&cw|WkM|H?0xED zq~H10O>+h473-QXS{I7RmUc{tODG!eh@-eoH;qB?I%9h|6 zZRo*4oVm%aUElZy^X{?)t$!c70d3CLbkdoUk=5RnzUX2H)GL3V?>Kw)IFDrf_=vmE zVl5v0+lWE0P39&tOnW}|;FkxQ@%`mA9n4056KVnngspaE!vc=$x=-X7$2Vce-Ou9# zJsDsqM|rC8?+BUVA^eYV>-w`(X!}Rg)jI)S3|qF@hqHxZb`g{&)4S!xDZbN8_gNl`60Y!wa7hE-I8KkSW>W{kw>9 z+g#Ldc5SwGhCI1|RNFI$86z>K_GHH^+sp5&;$2O_3fH>>T^Z(c`Ip$#&)c)~aYG*4 zIGLntw-)bnON(kHoSKTEx0BWF+; zT@kwpH9y>)HcI;8ZZJpaDOhM~!TV!OjiA)sY) z(QxK7$h0E`lSgtGaDZ|6LTHvu~KHQ5yJ2rU}jE-2-)P z*BoYcg>qM3jaEA~9-^qJhBET)WL%>}!@K%zR{ySflNo0~&g(5;Qq(*(YcW&1%IEst zDp$igChCGjJ$kjVNNhX5vuIya*?cVl>rfN|`LdTcPEJE>Dl8-fqAX)r=Nlmg_cFRB zE$tSj`57rT_>YFq%yvmGsW!MJRr}piRXMls*~b=6;`Fh*?h{GEHa9{VxBMz>POuI%Q})wkENMPIJ?^Lc zF5M84J=uG^#qNY*(s!@nfZrKgF7-SlMd24*6z*!zyC*AOqVmN?9C7m*eN3xb<#~mc z9WO4j##^)wi8!C#O{6v3^!_a_(l9Bdyk6qlz;GA3jrZGk9wXJ4$7t9E##=dcTkrs=srn$7-p_=X{i7Kt^mHK$!_QH znZ?oc_Us9#q)h*)>~pg-#AwVIAg{U}R6H+*Qz69j!I}Ec)2-^A`+C@VX5JNU==tp3 zlUktpAXlAd!?@j2B-`-(&kX}YMJD;+xf4vhuOqaqltA-)Gj8@sTFo(Rdx6t`>()eP*6zTi;X^Q8>^ZBT!54b1~g`2@7+UKR=w% z6+y?hlc7k4_jS0*zY8+F@1Aw#WApP7#pay!Qg`dVLY&O8@$SD6tJz}i%f10faVvK zm|M&{>Ci07df>#Ma%qA3T^h(-L8oPMq^%5^2qu-R_;qS<1}mqVZO!{{kJM}T=ulcq zF}jb-pSx6y{oS^dCuj90>a=oX#lGzCWc_l>G8K*0j*_&A6R%8i1Rt1rXn*?vXNm?* 
z0H~Zyz6B8iIm14>KiL#$zrU`>Z#5EMwR$j@W&(Xhi_t1Rm7}o#E>3_iTJ02om|NLd z+3JGTMew)#gK2U;skT=!vm!s6`_j@$r-fro{UE2!&a1%eyE`(a><;W%U2B?lID$Zl zr>9>B%0H>9)BN*qX#9M!9#5U*f0W33gOQPOhj#^bu zN!d|1amF7EGXZ2=biy!?+ca*TLW^OXx7~Ver5V^KIXN%fVpkyEZH7}Z+ZFXQ%6U5E zrq5Y3$T?j1Mx76!Nqy<^W#gG2Z;_g>W~X06VAL3BY8Q9+Y_Ef(BNIJ+h`CJq#46-p z7~}T_M1JV39iFmMjO_Q%to;^`@B6BJnyi`8^Tfq4>qpuMapm7@4ZwLo@3aMeFF*mg zc!-99Wpi@qh%l%Q!@yi8-+z5==J9z7bV99AU+#_@>&o3@M z1Wq)OQW)Chlmb@ofsUlGBBrHHE1U)%clBG9I)f9)AKKelI^u$YT6OqoE@!qw<>GZK z_8sPknrIGJ1ZHfd>w#QIAY?~>BEvVGb!5noli<5Qfl}BxbO>izz!3*jc|b8xW&o&hL}NN9l8U+qR#cwLHZX(;Z)to zKpC;s);xvkgM2)rPa4}D_!UhePFJb4^pCW5D2L0ur z_!3fbxW}DIwq`UH$%4W&)eKOj`52J5#TGKs*tb4vBOBs-ES=G!s#NIOe}VKyoF;}T zsg~q*x~Ot$+)%ys zp7sSp35k|8I^mZV&b?J0jpEH!ibvqCID5E5K)CYKGg15v!iib@h@U>p1V+mGk=y5( z%DwPhljtVd8aNyw3eQ|QHBR_R^U%WWfuo_7^`pSz1+4}jeLkc(QW0Oe7ixIt99D@h zYX<4JzP#S4Q|%iVN*wLp`_6uaNMQWBIMFk43Q!E3Ef$-iz*{=orr8y zhXUsK@y|uoGzfmyb&aP+;Wxe8Hk8r@p>F#?X{4?l=`D%u+XV>s8;6OK9@Q))K9~DW z_KQs{aVo~A-Rfhc_7{v=_`Fdw&+qMVH1-ID5``YSBVQ9WrxpHCcmC`3-B;Qz`o3g; zREQO&PI@30=oRVPU>b>XH z*p&&O`oNSk(K3y!KCg{7lV2H9aung{8LeZYga_Cgk49fab?w}y4K0~0{>vnIl4MZX z$kRPZZBzGs%UimX3pt}Ul}?>d6R;mJqvkeqJ&zV<(Y}1D*rZ28L{%8EVrX1(4Ywp5 z4oJ**TYvwgb51&6AjPnP6sLzW=fL0SjkdKPpJbMPzrPn5hE0iOk#?E#wvV14-CJtK z9meOkUPy+HV4Uy65=B7cGF!Hb_sM_wlAl1}u+B$rU|mvPALSIR=`YdD#CABnFk;0; zn=X6#JUgp=uBng1Q83s=aKwSueKVcJ+PT2Dy8Tg>MJ3f=mya^jOvP0V7}4pCJ#HTZ zrc=tW9!kO4S(c)<4wi_e@Ta*i|vte#s-C%de#Xq)dmM0Yuo>?+E5a;HClvhoOI5hI)rb+g|@bb9yvfh?e)dG9eSh6lDjI3=E@gaKE zl41NTOX0?rda5SQ>*?}0#J%%rytG#-tgpEKu>G-TcTv~3zv#}^T%&o%?-4rn^Qz76 z_53TtX4at=j=(0AOO3MGZHJHHd0UTuj7+ZS?UcPC$23xMTP%`>%uGCv~w>0y)zqD0h-H}I@kI%|GGxYd`cNZZ%=z!!7}k2RizMUP5=Qka``UeLw4^GzC^Poj;-Y@ zn#)IZp=Rg&mt`tg2w)Yj80_y@axPD(HbDURdbL#Wv+Qm<0wqG78KJ-Mw2PDMBL!@n zOE$gso{MT`8#en{Yx+HvoEUU#u}f*0Xe4Ol)9J?~Z8JXKZJ7hBHO%J1LB)He)CglD zrk!SftA?A#;|6&wzRyy|#55Lx=S9b(gHJ;Q~(E#aZ9c&D&TWrL%h>l z+frj2dJd+`b+i~qWFoOF5*M^2up?folc~`sAqjM(h2?nV5}wwTZ{Kq+Y*q_zC>Q+^ 
zRmyZ}_PZJ06y8h{*yL{f>FJ`kbxeg@>*XPyqqD0Es;V$jNujkaNS57or=S+2;M zN~JbPHtW0^$|Z`jtf@Lgwfl8qtSc4#m0#5kJ+`9okopd+qheE=4s|;k22!eh7sDkE zo%TT7R6h}Sz?#$0>&gwXcg4?jH36!6YD8nhvMh!6vZr!sevvf{VF)Yw|M4sp1#Q#0 zwPo#38D3~2Te-o_9(?aWb3fl&Eb%FGlvn!yCLBH1^I~^0r0p)9yWC^I-*uZ!YT)wvn7)#l7)>DNKv->mN@t zwE1U6^lRdeiJi%^xBZH!oJ9Mk7Hx}#C6Ao1+Z01hWJh*>K(T`EeBn^A3fc)_ndJEo z2tUpAp5ms^Su3}`i{@LuU#&ub*r zYO)hwz`o7UaA?5hlgotYa@Xk(ByDRt z{~`$?JE276gxvXP1WZ`g9E;j+I?8>Zb(s?O5WoxfSW_z;YTppm88}v_P?bUmy~s1& zmAcTHPafwa3G;O0&lZdv<=-MF4RS|F(e88&%8RL^E1XJ-J6HbYJR>C}Nhx~+w0fOu z|KWCbbLBFQDMlIykMWP!(Fchdt9iE%uRZK<|ND(@Q}O&vW$31&$mhl6b3+G95k>ePayNn0PCVoW?#usTNFeK>$yXOW zX~<)s&h}`!{NGe#U!qrjkfG4IVaLqeopW`4dhr31(~qldT|oMb%&A^KX^?zDCE!kf zU(!owe&cG)i^v^c>FKQVU5kx+yj*kAbfa#_i`0kzX$UtE7d2vf6q3H4cs<_jo82t>zxeqc@RaZOtXTKmkt@tZd1wcQU?o z@{U9Jwv%{y6Ht!ypAt|CXDUR}^ct<3=xQJVU@fm)8Rx`fCB@}WVhep747ntZu={K1 zDpe3g%c2RGWbNikCVli;z)t;x$C4UQVPmuPvXCd;Je#$Pg)Sj(2Ga)A4eGUWV3Zg@ z|C*{Y78MBr{hR(+8R%c!^qL}*Kfb_5o?PUw#SNf7HW$uvVbW|&o}h~|Q`bg;fHR@5 z8Z1Emq3jo~jcPyEA>~cSRGoCSNPE!dU&Cwhc48e^!6xuRvD2t0t4W={ zX65iX+FR?|9t63;XcIlOWfaMZ#&zdkUf)fL_-gJ;Ch|m2wtaJfW4Q9l1-Uez93>m4 zz(DbrRS`*1>QbjEaJ}PVZ=-&RE_pLs3y6&fBlF9qdY=Zc;mw+B5@BvtuA8M*eX8gZ zSh?QhGph6Ta6?xPJ#DjliIVYIPjWZ3f#3{8Jr5n8tw9Ug3L2Mnf1CoG2dJBk1#+H^ zgsPvQukW?RIqB-NdPrQm7b^^jdq7~epF399$<;^;j`nOr4p4Gs)vxw$FZ3W%NRU-r zz``m8L6=52XhemfxXc6z9Y_Xj$36E-tVXN6j|zf=rWpmIEJVulQ*_ohw1@wTVv^WsqVnb)O5VOG4J2M=Uu9HScqEKQ!6#R zWY8R@2XhASjogllPe4G^00KTH5KmWafa?7dsOo^#DFr3O!&ug~p)wODwc-iy6DO$c zYV9L8@KR~NWyt*!RA;N%)P0J@&z5xRR{v(E*qENa#n*%j5cmf#|E;p15i!y!C$gzg zNzktSjg+CeK~GQL;pppqf~tysfx^JRFat4BPnM8zdin6m{?QSS{l!1j1X=jl2-WA8233RE2^6sB#UjHCd5MjJU z=;d|Qsl$mi?giRt{e`aWdZo~5-os=5Ns@Jm*Vp($>}G!0&iuHF&=ZY**r3J21tGHu zw3-vV(tx%A5vM5#P8Nmp`X0icL!c=L7zQ0|04$5gVvzIr_&7&76ARRpt88*6`ucRg ze*H45gVYWOWMdv%m#}`0O834tgzV99CCGT89SWWJ;f=M;fn&`1^5-*(^kiH+BTZ=g@8A-aCTh&V%MNeiGHXsEsJkc7YI*m~GNXQ!CpcA?w2Oga4y8Y+Z@=_?30 z(OO>9fzA%bj=l`9kgz?E0W%=Ja^(&X5w0_DRpUXu^{AXe!b=q9KXP?|@BodMwA5;V z%4CTswsJ^cQVSRc-3k>M8Ci1j=_#7p 
zXY;4*I(71o9}^W87A|~2hFdy1*m^3Zq<-$UXK>!<7?P9M$MMp(@;FsPp&8+Ppe7+h zV@b6W?IBA)RatMKx9RT^i5&USd()?=?vUB3n%W06-_f9t?Wu9KM>ZN!rY!8)Iy&CE zejU+jWEGYTuOLF<=GQ!R8U;X1!UPqa;~5IZLlB>(h?O9WO#Wsi5MMe;uIOEs6#tFn zS`6E_KZG5>*ocdQNcIQJc&%@3A#$D=R`n=Q9iZ8)jtGIUs1wE^$hq_{v_#O(ffV0xx;3(9 z^9M`9pX^mSqR3@NXb>61F8^QTkA&Bp0Nx-M24us#B#d@x23Ga&p2|ODi*npPu-s&t z09^-|pt!hr?h;7fg2KYS4GkTHpFVcmTYco>A_#(!3GgDAR|o_T${r&J8A?ds;U0m6 zx3@RQco^(nWy%8BC+i6fn2`MaR6DcM!+|2Cz*L><is4|6n26ejv(l6V`5?)mZGDhD{ZF&E(HS&#J;e75Vr3`prI&*;;fK%)m~Pj zFv<2l_DV}eNz`3v)PaKNi{r?0WEX>J1>jPJ2HE+-RVr{l(qZts*6Lyk2F~t6WAkUXbn^~rPkx( ze?FOEGyq;5fcWPCNb!!a+n~THz!UGbQDTj(XLUFZ^`&lrpFKHB8el)0jA_=jeM$Xt#ldvtTbX3$wC>XKGd=i@I)?(?# zWnt<|4XsBko0`K%#m~=diDjVRhL-v0teVv}>nBf)WWL7QRvpA13Gev8>=3u}swQX< zzk}65uws-r-M)812tyIw#&Vj;_WmkmTB` zHhe~jisFBC=DSrCWN4i=c3~5g&dO!RkDOLV+CUy3^!ha>q7;@-7X0f3-mh zQJ99wAmC!d-AkDsoFYB_1>Y<8*?^mA@N7k4PEXby6k;_Y2 z&_OHC<9GJu0%o!kcON~$*&U5NqCuhzU5fb~{Foer=f;F>>ToB}*Xn^6gN76@^!v+E zD-#HiHK5AfUK<}rc1yjJ6L0p!HUMlwK4digVF~)rRn@fL{#z$vj7&6MX8#O}}vuwOn#oa%# zKVl|1aKH1A=$M<($zxTGy@$lj0~0gE=s19mES~A~@XN%h$0EcwY70~fMc{`Wp zoodh$j%1*1eRxf}yRj-Y^`}T5=k2C3@aE9R+1N|Z!A01I`u38MZJ~-YKARt;_0{mC z#y=DzVZ1Kl67g-Nyk~6TR6<{2(4~c?sOGClnrAa4D&(Rroc=fqFX04J{t~IUm>qa| zU97xtr_1MYP2Xp%Rdxk$f^(77wZBC#lLSP$i9d>(KGr8}vy^A@0WGr;$WQUeIeo^x z&r)FYXcNS;Hh;fef^h`v`}9yF+1{oLzq{pZ&&odQmNUGsh&9s2^zVif}?9{$_O)e5~z+Offg7>1W~2rjG~m?XPt;wT;?0v`b3Y{ z*(REQwk#1UHP5Y~*{bTz@YvX88dQ#<<^?G;OC(pAPXVRCYD5jyYHd#6`cRl)qB zeJC5iFMIXqM465vr{feC9tQdk68&a_9md6-2z_TS0aj|%uenAbJRbQ9Mwen;vOdfvg%5--kTS?@ZJ~WG_35 zvIZcP@m0dWyt23D)&1$JC-vDibX=tU;jb`QsM`Bz0@!;R#H>5zZquo^#GqHWZW;49 zvCu^sdEr%l17d*?1YNH{&~=2Vl=q~u9$Qlg;dH-o0Z~$2p8iXzo1>mC3X?Y>Ca6`* zu#D1UdrMh-+=IyH{)}fls6%kvt4_pB&$wG6>!)29mC)Tf{eJt-ULcJWMab4^_DY(x zZ>`_mhwNCXe6o|?8USG=C~|VP?OK<`WvW{s}4u#qMpbhxW)pt-Ku3Xug~j8 zwmhpjjsHJ-u7f?F7bbc`sEUe~l99i+O!+S7D^S#D07dd1D9ue;&+uwJ?dSZAie*s^ zhxt_HPo}?kmu}v?$pm>Pe^SSLLpr*0Qjmid`!_C&LR4Dsze+K>3f-5pGh9mx!F(4Y 
z1#4SY0T(Rc8jMaW0aqEQ7!AzPc=2vF9h~YL81#rTfksPY$QgPuAeUrf_B}3C@aWCE zOwh}?yXR9jtaorHsPY2)K}LJFQdyv@ue8)@AQPs|&v-5$gVH%~al#7?#$_e;a|$rt zXKM4Rex z_X;R2O4M}ahmXkntLXac3-_w2(B+OKrJo>oE(`m1ELiAxT$UB~D{w#(&5jc0_7Fx|o#=t;$wI>uZTzLs1 zMKG*|%!^m;(0c9PKxFrjum$<)k^da`3aBe{zCsf%YgCV(PcgQ=L5pH>trsBOm;=wN9@Q1TxeCs}M=m-mB7JWn~4L^2G8nH(YongXVJv#nfpSrI-Vm zd$NT0SiWh(JIPi$Asvs$I0mY(ik%QC+yKjWk%-=g(eG_s6WgSa=Y8|{OCl2$rT*y1 z#Z?k?tO{lN0m*uo#F;!Yw49#@(`JxjOu^d$xR~AsO?85}V_F+aGZpT`G!V{t*!bV3-*R8&dRSrO@ZH7H*8u3D+Z6DtEYREJ}KZ%i6ic z2e+}<0;NfSY2pm>x}1Tok!}bu3AqBku#?xIoP|z)8))Ab565cVw_qebF zVF2sJznS>qn|r3ZW~2n>(~KY`@%Fl;<7g98e{W_Y7avm4D3$~-{0SKBl*)bl;dg$~ zlUyPg?&3rC?LI@{H*S~H|B~Vr6!tBQrhl6H{$6n3i+5S)uUg^nHruj5nY%rk5ToTF zm940#;FUQ&g^Dy7CQ6{Np%*w@m@rD!sfqwrA;kT>Lk8kOhZ=G(yx85q^(I~0mtTq` zqY2+&6iSj39+X4+Is(;m-N9^9uhGA35kLS&AOCzaq>G{)T*jh3b%=pz81zW~MsYI1 zKU#OX>IHgL}_HU0h@q^o|`)gtU7_> zk(6BpLRGVmHCZE#wNf*oW(hS+G6t6S^o;=nx^wa^6Qvy)M{!CGUEjVzp4tKvshRij zp{#6%;bKOmbW}-6iNjL=Ye?OdYg}x3GJ|C=JMBN_^_#;cyhagG9r|{!s_)&4(Wr2; zqW>1|85^YUuuK>pM#I!dX;|(SDj*=>@7h}0WU@ER?!n;ppI1*3vRz+Em8S6>v2!~e zcv;a8Gd^wg18y)!`|I$=-(Vfx?>sg)iAHKCBZrg@(CjfnWn+8h%G+d6?QdCHpt4~E zMlNv&rg=WVOa=^MLDZ8~h}JLLIz7Dk^WcOR)xmOg5;{&yG2>U4`S&fkk9Wm&?`-^m z#y<)33v*)_yorB~vflj`F*v9OugQ2MOHU{Ct8Y;1zDIT7IT3D}hf~vC#|`Q5H|d5S zCKJ;|;f*_KuP#S7NJ|(<(XVlTK!w9QKWs*JjzGckApxiPe?_S_y?dQ9TrjCXRyck= z4aCnoi1_);8-JrxD;%MpedNUFx4C*(4a~I(BbOT>sezY^G}vC?{C~$NdTjMCM^r`m z;&&d0q}WMs!uSO0?JrikB@QAg@P?iI`!tpGNe%O{a+!Xa({=J@ek2^$gWpv43NSQS}pWfkg#(0!9NnkoW5V`OBzX;}YO}Av6du`D;o>P08+ckS9I_dE#ij_)N%j z;PeGGiOVlf&%*BcA7u=ay{Rv*%s@gV+$KWev=s)x?|{Q}gx!Gm;(%K5(m1v5!s-@E zRILouiaC$G1WYQNu)uNUj!?Ltu3@ujU&xEjO@KRyK(+-W)cVE-7thNeLxcats>jjf ze4QYjp*Fz{KfMSIt$QRc`*-$)lu8PQBBiD5EXcFDOvBZY7Jl>9HiHO%rN zuZ)24!rwJCR8$s^xe2-8EmlZxI@(M0WrvkgK?NCb7!zyJ1o~ffzpL2HI=4(TWOT1S zvT>^2NrDFOHNde#t?I-|cfvMfEBYbwayyCfmD-C9(2m+%y~(#>+Fh=xu7$!15j6IQB|My}##)-78eT3bnp zs#5gXJUbUB;4M|iOP-Phtg~QN5%vF-_uYY5w}0E0T}CCdtUG&UC3_{Jtc+Vkc2ZWQd*Ao}_y6lUzvn*B&+$2q<3zkq 
z0PFcYN57$TRzwG+xw!X8JhyIEfqp{@`pNgpQHreAm zf3q+5c7&Av0m$!YmET|Ml0@(y9r<;G?4L0S3F>ZcZb`zh@)4S1)gKARebBLW3RJts zG8NRgw0kobtKm*{6OtpHA^_IB`PY4 z=!OwR^fUD+O(#j8U2JA%rd}QBD=|G{p;LxT#{%Eq8RyaZ)>@?C~5>%SuU0Q`6JO z*?JopG2%k$G$i+7(WOYc2EpfYUhd>O%gD;Q{+QF{H^_bLDEmu`D3+?BvTs|?q&bRB z(UD{&%dj+N%a%8c2ihc%v5P$!IdMwAGn$A4L@}*2w16CL5qD_!r>ik+9AK(3{Xf+0IpqPkW7ICGY`5k zY2l!XV#~Kb?47Uc4>To`t?&GV9Z4zF{AL*AxPIlr4^?0ZbuTzmI*6Sd(j?At5S4xM zNd2Ylw$Al1oH7^z*!900_4Q1LdmRlcYxl#WG>Ft35|EalVa<~adKeUB^(M))UZ1lE zL~p8Q*K5-^IhnX9JP}^V`754Hd0oZ3e2*eglESUwtbfWTvcMYd5xL1)k3dMkfi49I z$!%>3)Z&O66EL(B7kF-cmQ!XwrBO1th0n?A972=(+0unA-yW~p#7Z?Su{C64P(-1h z+(599Q&Z`$%Bk~yw*0ah3IL0CkW$BdVXG=Hmjsc#ZF?-=U@aUzlg zP|hCggn?HU=$?%e)K&KLpES&#suO$IOe=enV%FNQZrkAJ+QS>J7JJxY9$D@6pW7`i z->$*`t*;OWLh=C&Yci~Gp{HtVeGhy>8HCetc`8%m>Sco-v%yWBJCl^CLV+EzH##?J z3PXxlPaQFyVKjPEI{7ZWy4=H3RfSmOEA4W?afNsGMQ<-DD=Sy^gMzrBIfUlx$IBSv zP#X-W6tE86-5*yaUukjGGWVjE2J}T{ePCHiUD&~Z9_tBYgB%)TtNkEt5UP~7~W^G=A}ir(8N*^PVvq|JbZ2Y|hi7;GH--!g!A4>nLD0NFa2@2jjL zA_ouet_#r)?uZx_*pd9SXn!^{KgC%o(kDo&lu*aqwF!<*nQSfM8z3P^@?IbykaC$I z4zj!owl|15l_4i}Wq30!6HT4$y9vb}f@P(3E3biki8M)}#t|NTTxtB+IRq{ z&q)8+d<9T&D6$y<6Ww=Dt7?Z#fl4#?mxV8lIo{ttyvmFON~ei}GbO)nzbHJbY8Wq_Q20v69Ta4vF|kva3U9kIg6&=J>i&IxLI3VHr|JJE;UAd`B3Q zr>dfCCa3>AQ!wO8;1~Qo7XQ}q&2q&qPbbrnUs9HR+B@sw(uF`#Mz~IwX8}Tnu)t+b z4}p+{6^)+oB*!+qawT<0K>ag~))^rHv7I`gY9BWDuu>egqfP6ZHsrIIn?Mt^GyOmU zB)lej=72kH80Ib4HF3!TL>>w>6+)?(8_92`X=D1?8XT1h^~Qin<#+NZkEOfsBe|o7 z3|Nck$t1-v-26M>JO~4E?}$qXAHtncd}vAtc%oj-mNV7JaUuVuR;6~TWqy*kwLyC8 zTG~*ZgD2z}>Z}+Ub|6sw1F@C8He2GCY2@Q|3`m=lF9tq~)|o4?>6ZeVX%vXe(ZP4+ zm|I*mex8hZto)wPu@fuj=SSF&@A&ELp$L3U;frew^>@z8zJ%`Kg6exb9(7#)TGX1j z-Qj}z7SGp=#MN`S@M1e&&P#`a6^-29p{ds}zU5H)Dbe?cBKB3h`7v{X3}ABA46P`b z`rc@^H|y0J&t$Q!p!ujc?5|GJFVa( zaKnDisax3-e%1i^^+=`41;r*T)x8Cjk z@jIEO_V!Mn|H3lvhh~b=GE+VU6yPH zq?<%DG|$bgaMAMGI$nhzOCUeag)PLXK)yLM^(pFg(M)SBnb(SGA5-@dn(~gs>Fagm 
z+S}$gR8;n}bx5L^c?D(sfq*qY)B3kk||kll)A1&x`BQFwFPd&}NP>ZnKt_U_!)`OVmKvM+$MsSkZ2{Sbi3XDJIKEEW$IFE#-W6}0XO=w0Lp%gl#N2Ps>b*H=o)4T=1i-J*~G6j zd*4=jq;R~OwfC!aZeRb@Gx#kH@cL|A5u6XAVo2gzzp39Od$Ig_m{f4hoaDaPrh(ts zT0>D4GJ>4JK!9s&*_WbjfISWpNi95e0_hvMDp^EM^`O%x_>~bD?HI{`lCzMKFaCEG zeM-a@Us)}W3NsP#{C$}SgXfTmghuA{tHjM`w8(8@X~Uc_LrsZqtPsoC&y{sXnw31( zFKsQuEu#`<24^d5oo$!8RhkdcwI(a)vg_E%r=fDErHMK)=F+6GPE@0He!HrjRIn1I zlVFNUlzg3|yX0LRJok{+i=tvhH9qs>n8FdEMFPRzRW3Ve`T}iRHCTttASZ6N0kO+# zEuPIy&`*+n6u9wNI9Ww+F1Y)#Gm9Mgg>vBxJ(JQbIC_L&!?DT)ysJfUv^D6WB}#6r znA3@N^H|O&eP*I7qyPfw_Kr8lLRSn!S0qgRn>1cw&gidTom$eJaw$@AX5xi$f?L;I z1E5&M$HD5sI+@Vg?uWO{T!Xxe3*EbA68!t0$*hC}G<@b(`998Dx@*Ghe2#S5<1R;$ zn@zfa;T=`77*zK9(}QQL|1C)nl~=w}kyCy7tG3I~XOci=Ze#DCjA49(6^7W0%)*Yt z+^lBh=;!fT3}x;hjf@tFq|TZ$R3HtAwb3NU%tLK~WUtII>4GT{%L=C`+@N}3pVQDr z$C^OAp8i2!9`Xko(5?|{`=2*#=2!Pd)XTmsO*TYt^YE6epI5((TKdpypEl`e4kBYg zIJ?l1&j#iZJB8W-&(nT80<;!EJ>?a5ji(r|=E=*6QLJtyBmg;Wm7Pv0>OTIC11$Un z%bmP@RL#h{C%1&cTTh} zFcvFg@ZAa-t0-hUJGjt0s2(JAWabKzMldw|G;%qRDBaJJtnM^|fW5Rh{G~XI>OM)6 zh*9ymSXk_wgSIE|_9El66sv)|6O32?#(5=kL8FLlW{X!5fu|vxg>kP3D#$Q&1~-Q( zPLn6=UR=fpUoA>+d^>t1aR-Uh&}ic_VdK4coos(O!n=9IddgT%)*9Wrz!@UvNH03JEbB9Z1*V%2%|d+ za}s|{QiH_cn2)Ze>o#NjxmMVr7si}5*Q`nsSpI~$q7PMdJfpxD=pvwO1pWvpCqt<# zbpmWwmm`RJtRg~EJH$n$pMyXs6->S>LwfU9D3j`vIpVFCi-(MKEm=Nwdw<84IJmZQ zjFN9AGQmulGJp4{P9}JK$$(=MZgeyifCuo%yw_I(_GC{1X`tmdcm!5Z?}2Dy5)of> zbM3tVqI85ZbJG+<6*atmV7Bb{<$jnHuJXW6Vfd2I?>CGAjEX2c-U9Iu0~n(MYzl)W z!JSwW$QFaIZ_^ByJGFu%F+|?3;KU=SEi@Qn$*4K*_P~E_pA*H66dvnlq44C#5NPtO9SlU?5R{n_;nT^*lW#uNfIgh63A@SoC3P za(Mg9M%$xeqN9(HlUwa>uH=0$Fcbg;8llM~dPZ(;V!^)&fUnB03C+zaU@xQ}4_`X) zwrev)(1E$+(G<$arXIeyPq;vX=q zpy(3oRwRx`oG1H4L0#K8JS@B3F+P5vI2||t1w`{6SU?7XTHk+O6Rf+hlYwn^cWxt# z>R7k} z+4-C(32D>(G1|zyV_(r?9@O{*|26z-b@?Db-71S!pjxf?pCCf@bQzMI13Z)!f^7;Q z=5AA)L7oU0tb4OHR<-|>+^=w^apCCo_O`iO!#=V33#I#;5V&4MRtiVu#F32rd;tOi z0^rw)-b)3R2>=4(jw74d!&*Q^f`n5T(9IAR)q+R-gZ1w_MBNf=pMZ`(@2gkZLg2W2 ztYSWeTMDK83}g?W<#7TLC_-?p{=Y~2s4?FIZ*I+mdf?pf0yX*Dn+M>13Ovwbfsw}mNEvhXcM{o=c5%d> 
zgB+dc#IQwKYQ+`44!SsoqzfgRSs+RX51LkFTx9#DXr8yXc`!h5-@C`p2GkM(~27 zgq%*P?Oya<_p$x`6Xs5eVZ!~1OY$-NAv-L>q=(w=()>zfBiDpHe`WiV1Y(3y-E*$r z&Q7}1w5O*n9ZUB&*y^qVoTk1!)RmXi%$^A8{79I##j|0Vv{Ip#BnP7L7rpltX!C54 zpG7&qof{qaTdB`lW<>AN{q%CXkci)PZ=g^*cRBs~6>OjA*C6Tx7CI82>W-p=Jkrv? zB%_a}n1a0S2$oQg{%}jSfmkcr`bKCK_=q&j%VNS6w39uC*X>jEqcbdSAJU%ee-#PL z2=p_SoR?yt-YY2)^_ozK4BqMjy;?09J}MEf`|hy!27wDP#S2$6xP^}yV-h~JsK!kn z{Dm$%X8|KvbfIq+&lb5$11$mRDpzYolnufMD;T>U74bRMYhIKLV)tF8g$g`9FAI6wa(ItXV!NyRrwr4 z@FZP0Pt^1XVjcJ-L<8gFmL^*thf!j#ciF|$8BrlHk><*T{@7ttrJ<=dvN?^`h>6d# zKzzb?nE=DjZzCAKtz$G7=O--hC_pn)U^=~e5+2-ybzCuP=VAGxwxPqPO)OR2bWuNJ z(HddvQMb`S?M;e@sT2kQQIufKO7A1(t~gsCNZXn>X14a!h^mwWF^M_N?`Kt&%XAnh zE~qJQHBVEpx^FkFD1Yi+UUqZdkdQ>IHiY1smn}n2-vmxjQa9w=PnYZD+EtP5k%)~Yi zF_i?c5LQvJV#FX0K$2v1S^Idh@*Y0B5Td^sF79&BTXHaQUp2pw2h|8pA?+p~hv_w0 z!?;{B2;Lt&*XrViI`!wG+U1`(l&&pSH5Ck&MM?|x+0D51t|$lG%4m|s&)Xi>Ne&=~ z#l+X>po0{+C zQYQ0PpNYkpjVrz9|1~;&2B_(mCN%=FZR2}wvY$`6xo!28yt;&$+vNj-2$MF*PT&`d zmw)Mk=l9kyh83F6Q_fR1eS0wNf4LWbTmI8U_*(K+g4pT_v;pBo22$NGjhF)T9yvxs zEC|CVC|~EVM{xMHC|~&1fdg<7F9{EHFE>m7xHmXuWL&}$=U93sJ+kr(e2tTZPHC$j zZb#o0yO+C;CnqlKihfG%v9f6RuuW&TFK1MExG171p{wemA3GqhPV?f8t~>F@SmO!N zRl0@`u;29#&0}FzpegwM(5;~5ogLh !r2UYkS_xr;3=y|K@ve0d`3~Wx7@WDzB zknS#TH-^{TO;*lWqi$_)X)1Z`&5~lOiHr+-B22qPD@M}N@)WBz9RcI1)l;>fdFNlI z8CCln`@||Ci}?MI5I{kN70t9QLgQfvPo)K&jUU9|>djuC{tWY6UA1%)B=GN8U|39K zz{_lHe7B|7KIZoKS7fLxck_bdS_J)G+&Reh;R`dx@lIcqK&NTVgS?-S%NX)j$9uT# z-e99|>-|U!p@J5nQ@Y#=8f;}WsgY1Dr%o!TP8JDoChpJj==E$7qkeMtd>NWK@BBfL z3K~9gC4JT7BPe0LR@ND6;zR-)KQl&~);KSSGTBc@*s39&b6=B0akI^B5SGwiUAYT2g9Il zs7uhv0RTdxjMJH(pgPr~IqK1cj#Bs1LQO{1x+0K4H%2}*z~C8fUh5Hdv~A7#&A_8I zL5+Q%uzCpWfoXM!%~X!GFQ_>mxX|{PVEjm|+7(s&&CWH9b{uw#)k(T~Q+_^Ncjrxe zkGW+dek0+i2Q++l$DS#bT7otkD#DsWm_Pw!tK!YD;~w1K^jD2(LR{844y@N)glX)4 zwFlxA*Tf8(c&So5&a8RG0221Sq=~)*rg!Geho6bo%0p0i?_xzGtNgCV(XVviYchF); z&v!#j{{WGU&jR^rQu)aAX_*!5iG%vqSi6t?zp6?ERTWtYY1{pQ%Xh04W4aZV+TnPU z??Xc?7!v{L}gp2cIC5f5e 
z$==6`L_5zYXZ7dxT2_FH6owAd`JbF}guxq^|IZir#YJs+HpUqIG3mLwKg2xA^lvDy_iu=GQ^Cj4Mf7wJZ zc}Rn-e$>|~0op^A`@$747nXL$E79}RRVF0xmg#)Gm^|q;X?uA_-Jcs9Ii?-e4u=pj z$D|W*B9u+@ComVmZ3mtSumD;=YGA>AcW>_$NIl?ItRYzo{HA3gewtOt9P5>1W%?HqZdv-gT;lDdW9S{HhM zYb#ZMD)c{vH>Vs+y?5Nf=Qzgp2E=bh;90D-f#h8wd3$Jair)-&lUz8MHfdk*3|EdL z?#AQZl(FeQy+D>}ZN2o(2d3F-W}QO0Yny1XFV{8N`oH5GpWB~zwzgbAu|ip133{`j zNnv;hpl|QD;VQ?dC)l(5M#+>~;oq8VEbk#lYBt!jf*7nT!ZOrU7ggF0UaNh~=U)#m zKmu8>!r4*~vla9g&N0EBj%*+fx2Y5znG{2{z#&c>(xN;(b5adeW=L;MV>u)k(;19XX z+anb&LBkNVNOfTmb;pQX4IBdMj#2;bu?QICr~(OY3m!s19tT3au&XgkwjdL+^7r062P_MlL~ujy1;Gwj==#I+L*Q&|tJZ$c09Bg!+d~Smy@s4Du4;fCY38bd{x9Q`eJ7xs#7lQa*$1k!G?4m9yOYW&jDOIWCDn*B)-xHfO_djW7Pp zpBs9UKd6hQVP)RRjBfRjV@5}Swx3Z#o2+e(#>{~o48bJPEi eUUJ(~q!>M4e4YMUJiM=mx~!_L@>1F2!G8hY!d~3~ literal 22668 zcmeEuby!sG*X~AC>?D*l=u~MWRHOx@8&sr*lx{Gw2$7QR4(Tot5s;3N1_5b?8e*uk zw!ePQ_kGv-^IYdTf4mp(2z&OP=UMAs_kFMR%$xfPQYVj59zzi1q>S`kWdu3kjUYs$ zM-Ick@OBJNzz;!t2~B$yYh!z-hqgwD{6l*i3u}7|vqzU4jco1AtgW~?1v#&=Uoy3~ zx3LrA;=pdxTg>l zc>5SJ;l_!d-fACvz0KLg_&P6*eQK~;%#Zd_`xj*^;VHbku=CnzS#jIR-!5)L8xDHp zb=OW1AxMq6W(y}g6@q_<96^v#qa)t%LjTqOOD{YF$Lf5{H}+4+28B?qg-ZD(LItjulb+XTf%weL|oVIKX?$kv%A|9Cr%KZeF5T%zb8{_4Y*)tT6is^9-qe@wQZ54ngZi&ur}wsT*v5}cT;^E_=Z}W@1Kw=4 zDvBaWMV14zKR$8ye}4EJ{Zv_c<>~`PmLIFDy|Q*k+;AdrscBcTe1EZZjFA2Gee)Rk z2)-G@T#kl}%p0rHN%Gy_{M8?ZtgyAuNrHod5{pMXbqu_A3tye0Atd03T<5aN7R%-^ zg&T`Q+bKgf#JLuIH(Db2aTS-B)@Hg^mdymbUS50^SH4&#hc2J%#$whdZj*G0cjQft zjU8WJ9_O{4kj~O6Rv;!hRl$z++TYzMv>f0Q*&KZyI=M47|1(!yQFJTu)oHryu&^*8 zx{ZGG9F}X>?i(2y$to!Hj_mI_S@z{6DeSis+05`pR*O76Yyk^7J5ZcMKNDKLlN8Qx zojn!prtpq}tG9)JMAvZSImv0vE&)$i>r%we8SHE0DmS8y+oJUhW6m=vFkilWTU1n3 zR!&YOlv595;YFB9!Pk<|r79&zI;7*$GqOAPciQ%M-ruZPiR5yQm`MuN?;NnM&LW|6 zzt2^@W9uvR+G}T=4v+KNFTZ`Lm%wM#M9OPDtQ)w7-m7@f_8mF9W-Kgnn%DjwqXvmH z9W4>DSZ%;%aeA5U4O~v)LgmJ=inR3W?CL#N`A;__;PLdcJbt&u4HW)Ha(pS*CbhQ^9vCaZY3lNYO-u(V{;x8Ue7*DIe>x!&)u zKR!6VvhT@L;)=&WTxaQ5_7APYnoK80SSio-W*HR^kkQa&`Ovybrzpla;_RlPoFF1y z0#(P){t}#WBe}-Qt2X}4SLOcwfCI$D=+0UG{5)3SkPZ9CZPKc$sToGeZwHdQJCo!bHkTf5 
zw9RZ++D%SQhKslrK?INPx$N(4RBO1nl)A;3btN~Bj2PT>TFg|c`O_>ecSfEg&tS}dKSRZ~@!4m@`JIDV<_bh$y!kz>a?OP-7eMMryf6ds8F?zS&@ zZ0E$(9R+D==`2e$$gC=sC1G7=dUdRO%yTM}(S(o;)5&}MhLRVPNM&8I9N29)+s#5o zO4^OF?k`AlcXtm83rkH?N$E`=UmB}JlUUz*?2yv{diml|x%scJZ&sFb){F@z9^W+hN?sKkh?ZLaJnm`60`wWb92{RPIdOfx>sfmel&02zpt1M zC-Q%Ul*ASfyEX?rcHf!|mGtzidNT3-?D)997~hvKUrv+{Sy2nxCVtx+@z{vE+^AV< zoAmI)t1){aU-c~Qi>HN`Zu#!sxpU`zNlA$|mW`8>Z)J6L$RH^xNlbGDQ2V3|#g43u z%=Hs>*WSK;i@w`V_5Q{_h8h;Pjf(tTy@31X=kkT_G?l_^ZpV4e1if-c-u_o7sf0cX=5a!yxmvw_m(CSl8Cp_Osfn zx}4+Y%>mQS#5dRNr`xq1{3v;wY=oi~*8y3+f9|vR24%{8VH;v4s`!vNTeE2%i(c(pvgPZR_b;M{ei zM~~t~H%EyDsZVWq*4NiB(uU*8$Ng@Sl9T`5bDj7gHLE%@ z1*nDogbt)JTrKu~8~&-AiX!-+Kk&J|JqMef z(x`;02<`OuEl-JI6f7*9o4_!sFjuNFW^%bH{RgS1`ix{)2SD@8E2yik;VkI<} z6O;Lmu$z9I})U@rBy)WFx{z2VkL^O&43X>fr0T)iAgZ~ zd%OJ=E_PXI;t;iVpaC76oo>w$o{#7sZ#;SaQZ(+D{VCdrpU@r?3lN6o% z(o@KU=h{=wP)7%eKFfu2$|@>q7#StGdw2|Oug&+Z<_*=oIC`G+%$eBJVmtRCpu2tO zJedKlJ<|+qD+9!UtT@bcN&rR6i%&?HoSI637@a{YMWn*ip*F9$H+I$gwQh^suss={ zKi~HkUU>~HB>tN(6&o9yoYSz&)M@>3<+Ap2*Ad+1tPDG1mm4>31O)^v*)<8}#HeI+ z&8Yg*ima_PbHzBh+1uOu;#5>rhT^VWy($jiJ}05><_Trf!T&(?wTI7K*QVouHR?t1 zTZi;u9QKC|psYiVM{Q68M6t57XLjMEU4CB_+1ngPqkC;iY+oxbE-p_y%XO)iWNxAD zLVLhjE7chh8@%I2qt~xHQyt}}uv@4vS`0A(N#270A z>?)P_MM`lSbZN5L_j66!Xe&YggbO*OmwQY$1sAqzVS6q>xk7hfsN4zLUu2Hu)XM7B zzCERk?kb?}TFm~Al-Fh*ou~aJ=?FecPR+T}1&X;lVj1fT18gE9dRL|Vb~<8Aw6s1Y zE5>A74V9UV);x8Er2fMWE(qAOsDD3l;zaj+Up}t~!5+oBvdIvg?kW#Ane5?iy4jXf z$B(1z6hzPZbL=MY3f@OwkL=?1_pE)_KQbwnJ!c+maV9ylc@*U}d%N4_z+!~#e!o|U z5zSH*+f_wZ2w)lGfu<^?Nyo4HcMLKcgLeK`u3TAb7e8&*7A;cPy079IH+$v!btPZ` z1lXFiwKaPNM#kQso}4A_`vkxUVCTi2YlBmwHP}q8aVt9kYS(dJe$O?^R}ZIyHT2UQ zS|PCH(rH-tBU+5R0OkrzJK`z3+9xI_XLdJ6u#hD~{$^Z~dMQtj9y!u})n7OsQhWA; z6s;f*hl8ig}61PpZpZt^*Z!9~QE%+A;?8 zn*pAmS-1ckjg^hf&TIesRexq~ZWUa`s-M2+mJzA~fg|!Jze}6LO*9O8ZZBYZ(u1Sj z76oOLV?;gBC9d53^=`^T<%<`oiHUbXV+rG`Gz>fnAz0Rctg^r|LS$=~*u*j33yamS zbe##&u~Mq`+?|-4%Ycw5Nx8FybE@Wi+#JH;x-sNrURZ2BqECGIgpHTikOMYN<|Csk zM1m1yg3HPT<+lGtZs1U!;gDvYz!WnI3RGbck|8I8KYm<&&TEew)#?RpMo!Mk 
z!=s7piF`IYU!S^1rThm%C$fsZAmOD$*HIW zZfQ|dRt`ir5I={N3xw=V+TWQHgPn_9tlsy0`Rdhdl+$nrfGfU{DW-&kOZUB~2f?)V z*`aVjyJP}>E~TdC7SyrZPJ>T;M0b|NQMKNYu9m@L+I|TNIq+gRR79y~YQ|N0Y|m!o zRCS8&EuU_Q7SYkra|ou#Mh2i-3aIAd-oTjo!WFo0+3LA16#fbMC*$AJ+%^`&MLo*m-#JTzFPhzNHG#q@37LG-%ggI3BjYz`&~xum zSy7nmyoED+03321H)0K3t?Bc?g5=%1FP448c4~oo8)cb^JI?=ni2e$ohzINitDRYm z>KmP1UFPx)N@{9GQ1$DM96!#@PA=!0Cb(wMRdeChLyNw=`U^K5GtXYQV0!T2!3!Wf zul42_7#PMJ-&JVi*OP}t->UK#+xvNe+xY!iN=nS;=H>+sog$ud=g<50WN2UsTHprM zLzbqE;c(V#xRH^~`TVw4oh~Ul57mTSca=~m(UiqQju9ONW-8*!zAO)+0>20Eqjh?? zvixE3fNwy+nFPfc(Qh9WMa@Xb$Sy*`kpvumpOIbGl$x2D`2^Me-#=?-Ewa3XB^Y*J zl}FXUs}|$!4wi?l@@auFF$U&35FBTzsddNOlrWg|Cje`du*}>LFCEG9RO7!RtoZ^z zel(|c19ff){CJV&Q-7hk$sn-X#Ti@B4u*dO$a|nyl)jX_Hx8eqe4Ln=*iEo&=DD_{ zPF`1XuPq!5$M#Fhr!FCgcj#s00D?GQJn-kmau`x#+(L;4Ju1gF*%uGBdVQbm$#CdV z(`d9R&VVB8y1h`$ibY6-@jTN+BnwgoQwG`iMu&2zX zo>}rE7;Y2Rd{v4_hn<{5w`7SV^f5}a3+!h)Df1ggY@0cRTvif8xD519tD%2dXXuJ> zsmsdBW=+2O=0~GrXzU5MRGcVedphy^H|v!v@sc_aI&a^-a{%uH3UF%gbttO5A$NhC zL5)`h4b0g{2m_0Ch5Lj!0|Nsn!W|hlob!R4lip(Wk%D$>K(oU2z-}%%=tnIW57_ZZ z?-ff0A5vu6amU5Qg|~lYWd+i}et1|+#ubu`*Y5YdjSVP3n4z*lxMbxcc{m9;xj7{z znjIY-7!YNBNnzj2iATMOhzlSpDJ@a>f)||5?}w~HhpcjXXh})$A_tMtW8*D3)-FGu z<2pN)fl;$?aL5Omhldsv@E92z%i7|H<)egpD)+5DSE*5A`!IB-yPZS0q(j6 z7#$bQ2H~D+KzklB0A8~T(A){6rzcB?za>V@fQX0)Rc{W%yVx9qoZHV2&lC+CN)Wkn)aX+>6la1$ED_Tu0+(^uD&KDJjK)lj^av+yFA(rdTn8Po7CJ8kKPv z8t%v6&!8Tw>)1<*K}*QW?8T~WtKg83CQMe8ZyT2Q0(ijSv>iHhNUuKva4uBh$&=h? 
z&!1NkRtK)SBD*^~-6@K6pl{0uA{9~q>Ukg3c(2lebD5@nxy?9VCXh4e&4Oe3vuDpR z?y#7;X2QQ{ZpomG1vqOm@Q`${2Esw8HZ?Wz0FRgH1oMfEj4Vme?zeOxN&-U-Jhf1) z04)vDAfJVU~QL`clkYH8vcatO=*H4I(zmquSlMtN_zgwck z(;^yK+G-=AfbBIK-EIgqpM|D}!8zEm5fvPf4KywshKo(wqC<1hf5WNbh^}#RD!_ZZ zdbl&{SwRdfOdA)tP8c%ppVzG-MF2#t1{CK11v>3dG=3}tO4^fWB!@Oo!1e*{v7J^7 zh1f2^k^71ko-#`j7Knt@83s>~+L4Z?& zWe73^zuZ6v;35kKj5@f|UW*Ix+&re_;|==X%HN-&7KlYVC>JkYS*6tMahA8x%Zv)N*=H%cM)2shkA|G{P0L{+0 zdqz}{4icXhjz!yn0HolOwL@kV0+Yfo3}|F%7GhHb>NM!ubQiC8OlC3H=WUz19+2N(2a?61haWd7`mCE zEygPP`ue`>6&1pTrX9a38h|+|S5;Mk4qPmP4i_swzXt3tYHB+CokiK{!KR-4kS5~o zFR~s6KuJFXW^gA+IbHx@v}$;54~)#Z(~60Sq1v*sv2l?P9)DuuF|_eUD;iEv@H7$5f<Z1|BzJU^ms;gVHZx z?krG!py2|Ys-WLLK3$dhyCawlp>GD^(_ikC1KnHBA!xf2fVF9+nBRDNjp;OZccLd1HnT{^ZFM?JDttzv!~ji zqGxI5-Z?F@7T~%*pO%`+EV5KXjB;ttp_8!gJhzh95kD$^1pxJSYgh-$1=u1icr8>r z>C`*N5B&WRs)?bYCJ9_UUVR(dUuYZXJSz$c?#YL1R#t4))YN(~IhmQ=GhHe2sgUP2 ztDh(lw2R6=?3|#!y|cC21EuO8*PJ@w0)2o#bvz}-eB%3uz(iPW4-gB4U+=hnu%CoC zF#Oa{ECAveDm~hDBtUPk@Nwfghw1j)I>lB!(5C(S-|?2XAUX8!uN*)|o9d>D8%4YW z3%vF{Mb>{B{;{253P7e4EP!kfuo1c!q12e%;6*&a8<_1#@Zqx>Oa)`%F3{@0L@ zj4_OxAhgZh$mS33wp1`zp*x{&W|mgwFqa%B?t=jr4h;{}zx`dt?H|O>(4c}&TPk=f zXq|>;RtsmELYUM)f`{vnlY+f{0c7pa2--p?bj9o?!Y#u!$^NXw!r3LX5e7cUG!U>Z z@WL2mVA>%Voe#LVSR(%X@W~q)Jn&Th#XRP4yJ)n$bHi>~EkR%^OBW!DXyS#d1byWqD;9?Ryk26h|B#{`nvVZyv zkXX|*DKY9cHa5N6!xgi#{g+}uVNB(ogrt_6MiWOhda{xrI+8~Ise zsRJf97Q+QP5(YZ{75*pd1aR(N5LmqG$Kb7Mk_?-Ky#YsqCc@{pw%MLZLr%BDDnL8O zMDowZw*?_#;o+=}J;Y%jK3oPo+TcS$X|_iW4UmgTXxIs>92f;(iCzXZZP1o#Z0sfO zCU}@7+2ktXO=u+=T-$+&=(gj9e;lrbCrpq!&7oITpuP>={#5WII36S3y8Z14cy`uf7$jSqAnGQWQP%60{XPTjP7C%u6$ zsGugU6Hec9s7wteBf^b;gvEXRdN)eo$(Mg7;SzMAlmO`XEPloU!q1|!B+4o(!Jj^* z(Tcc+X;H#wX}DoTTVq$X`Rh2e)iNb@0ImzIhJ+rN_vx`w34f)c0UL-d4Z^^*1Rr6hk#?mZ+C8OFQ_*LJ%1tNAf zwv3KdCk3b&;L#i^gMsPd zOD(93Hl6`a)?iXVf1ub}1KtUmQzrj_4cZ!D1PgunQZQN5n<(>96$}@spGs+IX_%3! 
z%1?g+h+Soh=*N#As`mD4E>kI{{oE-1lWl>@cP1je>$;jcoF{3kkL1- z_XisS^6?*GWOU{`NFat%$z5o;kMkx!dm=#HU-Bg3*RNkcm;uVeEQZP)P#8u1McA_G z+y>gN*xS#4a5g7|okO5G!%*sqaNoEwF*P+c{2LlVU=rn`xu|anS5k_)mz<~zfcj@; zm0h*7A_wC#;b)wWeiAzJ82Xp4lffFyJ}J?$8YQQ6Y>Vrifp(K$3)6pLS44QV>qr{DoK}-c=LuT&Bl`5s)2P zAJHD`S|G0GfTh{)VYzm|A!Ss9ZRSilZ$zdY{vkoaOpCDIe$=U4L|8IKF)Fo(7)>?q zrZr8diUu$*LxAxuhXxv_ROoO`(VPWcDqJ^n%%^JbQwn;mt6~)^O?GiRJ2^|0W$L+K z@uW8h40>XYiPZZJ^FY7!_Yb*UgZMy;7x*zN%1lrk(woM*3A+u!@Z4krwrc81Gz(=# zCzS8#CNh4LNH?;%D$`l!Al2$dd)|lLnI1j~Op4qQ7jI!l)9%r$ho*BKR~V9v%w$~s zj>$F;4aA4@btaZbGpzY3r@UtDArXw~{NU?K*xUaQxj(eeB(l5K6>4$j$h}kEUVE!C zDAkw-Cp_&s#U=2Kz<2-i+o-27aE+;ML{HM45|p zasw2y^;%6ob*?mcIjmnlGSLaxQ?=G9*AFua(9a<~fBve0!3gC*u|?k_Wg`&YobYUT zE!U#J&b(m9iNx}uMZ=zHtFyAN-*vVtJX~4b8vbS2;3zX7`ox25F~_QyBu&ca!DO;Y zW9_AY=B92WEFj>)?@1!0M)AJ7eiE1C1S<=#j`;@J_c42iJ}r*U*i$XRXDE_#b2&&& z_w|1;3o~2pt2S-k6)LJM8%p`my`|0K__q6D5G_@imcc1H&WQReK6RHPT7K&bo(T0z zJAc~%H6FT-b5+DbAx9C~3ubkCs=fBAF5G)#V_LqCKC8oaGo!z(g~cX6t{0KR3| zogvBCe9})iDm&9tF-Ifgf&ANdotyd`WW!&p39-MZu?a(#G16KiYQ;JpNv9GLe>N&l zJqZ-~{H<`$jim$?;84RV9&daBfIaFBZOdM0zca{yy3qh1kBdN!8a5!~(N<%9Lj&4Z zL+6YNV6ft)kB`Ap2|6+aVgLr!q987gdLu}r(S=t!SqqWF3RAqx5F$+?B~y)g<{x5MfG9guM65AtTN!eqQe*OFLLvMiL^>P zZX>`0gOAWj(j$O(ZND-h15R_z+`>)u_{44t4%xQO4_~?#*MC3tq#WtueO9cIF*>{D z)uU?g7&X>YV!V6w$%nEklf*kz+ohCIr)Fxf+0j)r?~=Hg zG8B6Y3g?!s<{z_M=`BpA%02=BYMxyx2{TpRfI9okH*P2gqMa>tBoY`(=Bf+ydpILn zk}E1IC>Owg$8^L?WbJN1aYy6(%ZsCnMRrfSU_Q9q38xPGZcbxTJOFc*bGj6u2A_7B znU2@qfd}l&drwUkljbRvBkmk~?$;Gw7EalYI1>t^YbR#DGh%Og0CXjdY`dR)ZzIz0 z8+D~{R&Kid4u~5d$!hYE0!lFTvKUU8tbSCw_|Ah)s=vJ&XvE{U9kRT<$z=wFtD4_4kshX%<3VM*xMLm*lG37{cz33fNZ@vXk8?G7T-Qu}X+;Po zQB426OQ@orftPAMfYby}-PL*t@MEf^9a1G?|7B>=Bp-7(^cvjL>~5&d)^_wl>CI0w zvy%hsZ-UAT33vI*yUjA$)*Ps>ZXJSDkF5&3ae5Tm$w|-%SES;zNafvEfCd>l>bSK! 
diff --git a/data/rag_eval/results/results.json b/data/rag_eval/results/results.json index e875f73..e530d2b 100644 --- a/data/rag_eval/results/results.json +++ b/data/rag_eval/results/results.json @@ -4,7 +4,7 @@ "context_recall": 0 }, { - "context_precision": 0.4337735369385255, - "context_recall": 0.42125943462841486 + "context_precision": 0.968, + "context_recall": 0.9359999999999999 } ] \ No newline at end of file
diff --git a/test/benchmarks/rag/__pycache__/metrics.cpython-311.pyc b/test/benchmarks/rag/__pycache__/metrics.cpython-311.pyc index ec7fceab2d1151fb16cc7caa5532fa1e298827c4..cf16d0d86201178818fd5160f992b16306b82a46 100644 GIT binary patch
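Review bot: test/benchmarks/rag/__pycache__/metrics.cpython-311.pyc is a tracked bytecode cache, and this commit updates it as a binary patch that cannot be reviewed. The file is regenerated from metrics.py on import and is specific to CPython 3.11, so it will change again with every edit to metrics.py. Suggest removing it from the index with `git rm --cached` and adding `__pycache__/` to .gitignore.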