---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 01 of 17

-------------------------[ P H R A C K   5 1   I N D E X

--------[ Registered Hex Offenders

DefCon. I love DefCon. Why do I love DefCon? Several reasons. I get to see many people I do not normally get to hang out with. And it's in Las Vegas. Ok, I guess that's two reasons. I love DefCon for two reasons.

Las Vegas is a blast. No two ways about it. Free drinks _while_ you get FREE money. What more can anyone ask for?!@ Sex? Gluttony? Corruption? Greed? Thin facades? Tackiness? Friends, it's _all_ there.

Vegas is certainly not for everyone. It's not for the timid, the shy or the compulsive. Vegas can and will eat you alive, if you are not careful. Even the most vigilant often find themselves victimized by Sin City...

As I write this paragraph, my memory draws me back... back to that first week in July 1997, towards the end of DefCon V, when a good friend and seasoned Vegas adventurer came knocking on my door at half past 5am... He was armed with a coke in one hand, a whiskey in the other. The fact that he was noticeably unencumbered by money caught my eye. The Casino Demons had relieved him of that. He was in need of a safe place to camp for a few hours... I happily obliged.

I attempted to make his stay with us as comfortable as possible... However, my friend refused all attempts at hospitality. He was still deep in the throes of what professional Vegas travelers call 'The Zone'. He was in a dull haze, a casino-atmosphere-induced catatonic state, in which external stimuli are, for the most part, ignored. There was little I could do for him, so I bedded down... And there he sat, engulfed in darkness, deep within his own world... Eventually, exhaustion overcame him, and he drifted into an uncomfortable sleep...

Early in the morning, he arose, determined to retake his reappropriated wealth.
It took me a few tries of getting raped by that town before I realized how it works, and, more importantly, how to work it. It can be summed up in one word. An abbreviation even. COMPS. Vegas is all about being compensated for. Compensation for being out in the fucking desert. Compensation for staying in some shitty hotel. Compensation for winning some of their money. Compensation for losing ALL of your money. Learning how to have a good time in Vegas means learning how to get comped. In order to be comped, you must either a) be someone important, b) know someone important, or the most common occurrence, c) comp other people. This past DefCon, I had my room upgraded from a single-bed room on the first floor, to a double-bed on the second, and then from that to a $400/nite suite somewhere up in the 20's (you know, the kind with the double doors). It's all about knowing how to work the system. Knowing how to get comped. Complaining about something is often a good way to get something for free in Vegas. So is being put out in some fashion or another. Go ahead and watch Casino and Swingers a few dozen times and you will get the idea...

A word about this issue. In my opinion, and the opinion of many people way cooler than me, this is the Best Phrack Issue Ever (TM). Ok. Now. In Issue 48, I know I promised timely dissemination. However, I am an older / wiser Phrack editor now, and, what it comes down to, is that timeliness is not always possible. Not when there is a minimum level of excellence that must be preserved. This issue is a perfect example of that phenomenon. We have amassed some seriously cool shit this time around. Technical excellence abounds here, and if we are a few weeks late, I think it should be well worth the wait. We've got several ground breaking articles, a great deal of source, fully nude photos of Milla Jovovich (not available in ASCII-Phrack) and a new format. Commentary, as always, is appreciated.

What makes this (or any) issue so damned good?
Simple. The incredible array of talented individuals that graciously lend their time to writing articles for us. I just want to give a word of thanks to you guys: past, present and future. Without you, Phrack would slip quietly into the night... This issue, a special werdup to halflife for the technically superior work he contributed for P51, thrice over.

Phrack 51 comes atcha power-packed with new streamlined formatting! We cut out colons, added a surplus of dashes and brackets, and b00m! Less fluff, more EDGE. Areodynamicphrack. Europhrack. _Slickphrack_. Bad to the bone and shot to the heart when you think about Phrack, you touch yourself.

Enjoy the magazine. It is for and by the hacking community. Period.

PS The aforementioned gamblaholic ended up being comped three $20 meals, and a show (Lance Burton at the Monte Carlo). Man, that lucky son-of-a-bitch got to see Lance at the Carlo...

-- Editor in Chief ------------[ route
-- Nominal Editors ------------[ datastream cowboy, alhambra
-- We've given up hope --------[ voyager
-- Phrack World News ----------[ disorder
-- Phrack Webpage Sloth -------[ loadammo
-- Most Likely To Be Beaten ---|
-- About the Head and Neck by -|
-- Xanax ----------------------[ Nicki Jarecki
-------- Elite ----------------> omerta
-- Number One Crush -----------[ Milla Jovovich
-- Extra Special Thanks -------[ halflife
-- The Man on The Inside ------[ varak
-- Gas Face Given -------------[ "Lunatic Unix with Tunics"
-- Got owned? Shoulda used ---[ OpenBSD
-- Shout Outs -----------------[ The Guild, r00t, The Death Vegetable, Swamp Ratte, prym, maverick, Cantor, nirva, The Army of the Twelve Monkeys, guyver, mycroft, Asriel, Theo Deraadt, X, Torquie, mudge.

Phrack Magazine V. 7, #51, September 01, 1997. ISSN 1068-1035
Contents Copyright (c) 1996/7 Phrack Magazine. All Rights Reserved.
Nothing may be reproduced in whole or in part without written permission from the editor in chief.
Phrack Magazine is made available quarterly to the public, free of charge. Go nuts people.

Subscription requests, articles, comments, whatever should be directed to:

    phrackedit@phrack.com

Submissions to the above email address may be encrypted with the following key:

As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out plaintext. You certainly can subscribe in plaintext.

-------------------------[ T A B L E   O F   C O N T E N T S

 1 Introduction                            Phrack Staff    9K
 2 Phrack Loopback                         Phrack Staff   45K
 3 Line Noise                              various        71K
 4 Phrack Prophile on Swamp Ratte          Phrack Staff   14K
 5 File Descriptor Hijacking               orabidoo       20K
 6 LOKI2 (the implementation)              route         111K
 7 Juggernaut 1.0 - 1.2 patchfile          route          11K
 8 Shared Library Redirection              halflife        7K
 9 Bypassing Integrity Checking Systems    halflife       11K
10 Stealth RPC scanning                    halflife        7K
11 The Art of Scanning                     fyodor         87K
12 The Eternity Service                    Adam Back     118K
13 Monoalphabetic cipher cryptanalysis     mythrandir     16K
14 Phrack Magazine Article Index Guide     guyver        100K
15 A Brief introduction to CCS7            Narbo          10K
16 Phrack World News                       Disorder       83K
17 extract.c                               Phrack Staff    3K

                                                         723K

-----------------------------------------------------------------------------

"...Who's the big winner tonight...? Mikey! Mikey wins! Mikey's the big winner...!"
    - Trent "Double Down" (Vince Vaughn)

*jtb* phrack's like wine, it gets better with age
*jtb* as opposed to, like, decomposing.

"...Daddy needs a new pair of Jews..."
    - loadammo, clamping a mighty hand down upon my shoulder and a mighty hand down upon alhambra's shoulder, Blackjack Tables, DefCon V, Las Vegas, NV.

-----------------------------------------------------------------------------

----[ EOF

---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 02 of 17

-------------------------[ P H R A C K   51   L O O P B A C K

--------[ Phrack Staff

0x1>-------------------------------------------------------------------------

Issue 50 proves that Phrack _is_ back, and better than ever. Congratulations to you and the rest of the Phrack staff for putting together what I think is by far the most informative issue to date. The quality of the articles and code (YES! Lots of code!) reflects the hard work and commitment that obviously went in to this issue. I could go on, but I'm all out of lip balm.

Thank you!

_pip_

    [ Thank you. We aim to please. ]

0x2>-------------------------------------------------------------------------

{ ...Bugtraq Phrack 50 announcement deleted... }

So What? Who cares? get this crap off of the mailing list. phrack is as much trash as 2600 or any other little idiot magazine.

    [ Thank you. We aim to please. ]

0x3>-------------------------------------------------------------------------

juggernaut is way cool, man.

minor bug: you dont unset IFF_PROMISC on exit, so it's not terribly stealthy, but it's no big deal to fix.

anyway. cool.

.techs.

    [ Although Juggernaut is *not* meant to be a 'covert' program you are completely right about that. I should unset promiscuous mode when the program exits. In fact, in version 1.2 (patchfile available in this issue) I include this very thing. ]

0x4>-------------------------------------------------------------------------

Hi!

I've got the p50.tgz and well, played a little with juggernaut. It's really cool but:

1) It doesn't compile so clean.
You've forgot to #include before
2) The spy connection part is not quite cool because you sniff and dump all the stuff that is coming from the dest. port and dest. host ...
So if U try 2 spy say:
193.226.34.223 [4000] 193.226.62.1 [23]
U spy in fact all the stuff that is coming from 193.226.62.1 [23] for ALL the conn. made to 193.226.62.1 on the 23 (telnet) port.
This will cause a cool mess on the screen.
I've tried 2 restrict the spying by introducing a new cond.
iphp->daddr==target->saddr in net.c ... it broke the spy routine
Maybe U'll fix somehow that thing..

All my best regards,
Sandu Mihai

    [ includes . The compilation of the program should go smoothly on any linux 2.0.x based system. Version 1.2 also fixes the TCP circuit isolation problem you allude to... ]

0x5>-------------------------------------------------------------------------

Thanks! This is a very impressive tool! Brilliant work!

Thank you,
--Craig

    [ Thank you. ]

0x6>-------------------------------------------------------------------------

I'm just writing this to say thanx for putting out such a kickass publication. Down here in 514 it's fuckin dead, you mention hacking and half the people don't have a clue what Unix is. It's fuckin pathetic, but i'm glad to say that your mag has helped a lot and i look forward to future issues, you guys really do make a difference in the hacking community. Thanx.

Snake Eyes

    [ Amen to that. ]

0x7>-------------------------------------------------------------------------

Hi! =8)

Why don't you (at Phrack) compile an updated Pro-Phile on known H/P Groups like the one on issue #6 ? So we - the readers - can know something more about the ACTUAL scene (but perhaps it's not worth - ppl's sick of all that 3l33t d00dz ;)

I really appreciated that dox & srcs on spoofing, D.O.S., etc. HIGH technical quality, sources, articles, news.... and it's free! :P Ahh that's life! ;)

However, great job with the latest Phrack issues.
To quote a friend of mine (talking of Phrack Magazine)...

> It's improved a lot with Deamon9 in command....

K, that's all. **PHRACK RULEZ!** (I had to say that :)
Oh... and sorry for my english!

Cya....

-Axl-

    [ Not a bad idea. Perhaps someone would like to do an article on the existing groups out there for P52? ]

0x8>-------------------------------------------------------------------------

I would like to know what you suggest to get me headed in the right direction regarding the compromise of computers on the internet. any information that you would be able to spare would be most appreciated.

atomicpunk.

    [ It's *all* about compromise. It's something you have to do. Be fair to them. Listen to them. Don't shut them out of your life. They are wonderful creatures... It's a give and take thing and sometimes, yes, you *have* to compromise -- that's part of having a mature relationship. ]

0x9>-------------------------------------------------------------------------

I recently locked into my car so i called a friend to come help me when the slim jim was no help he decided to try another less known method. We simply took a stiff metal coat hanger and straightened it out and made a small loop in it then we took a small speaker wire about 3 feet long and tied a loop into one end so it would slide to make the loop smaller or larger. Then you take the wire and run it in through the loop in the hanger and pry the top edge of the car door open and slide both looped ends through holding onto the unlooped ends. then you use the hanger to position the loop in the speaker wire around the door lock once you have the loop into position you hold the hanger steady and gradually pull the loop tight around the lock once the loop is tight you just pull up on the hanger. This works on most all vehicles with top door locks and with a little prep. and practice can be done in under 2 mins. also its less conspicuous and easier to get than a slim jim.
and they are cheap so no one cares to toss them out after breaking into an entire lot of cars.

Hope you found this phile worth while

C'ya
The Stony Pony

    [ Aspiring young car thieves among us thank you; however if you lock yourself in the car again, you might try unlocking the door manually. ]

0xa>-------------------------------------------------------------------------

HOW YOU KNOW YOUR A TRY HARD HACKER
-------------------------------------

By [Xtreme]

I just wrote this to tell all you try hard hackers something.

1) You goto other hacker pages on the web.
2) You think loading a program that waz made by a hacker is hacking.
3) The only thing you do is get the latest passwd file from your isp.
4) You goto channels like #hack and ask for passwd files.
5) You don't know where to get warez.
6) You always telnet to hosts and type
   login: root
   password: root
   and stuff like that.
7) You brag about how you are a hacker.
8) You don't know C.
9) Your a girl.
10) You don't know what's a shell.
11) You don't know what Linux, FreeBSD and all those other UNIX's are.
12) You don't have a UNIX OS.
13) You think when using IRC war scripts, your hacking.
14) Asking how to hack other people's computer.
15) You try cracking a shadowed passwd file.
16) You don't know if a passwd file is shadowed or not.
17) You ask what is a T1.
18) You ask how to email bomb and you think email bombing is a form of hacking.
19) Your learning BASIC language.
20) You think you can get into hacking straight away.
21) You don't know how to set up an eggdrop bot.
22) You think .mil stands sites stand for a country.

    [ That is without a doubt, the dumbest thing I have ever read in my life. Not only do I award you no points, but we are all now dumber having read that. May God have mercy on your soul. ]

0xb>-------------------------------------------------------------------------

What command do I use to make your denial of service package work?

    [ You hit yourself in the head with a hammer.
    ]

0xc>-------------------------------------------------------------------------

I was scanning the 413 xxx 99XX range and I found some #'s. I have no idea what they do. I was wondering if you could help me out. Maybe call them and see what you find or something.

(413) xxx-99xx
(413) xxx-99xx
(413) xxx-99xx These are all fax #s, I think
(413) xxx-99xx
(413) xxx-99xx goes beep beep beep
(413) xxx-99xx goes beeeep
(413) xxx-99xx auto forward I think
(413) xxx-99xx goes beeep beeep

    [ I tried calling these but I got no answer. Maybe the 'X' on my phone is case sensitive? ]

0xd>-------------------------------------------------------------------------

Sir,

I would like to know how could I get root permission from a simple user. I have read that this can be accomplished by setuid programs, and I have read an article describing the way this can be done in Phrack Magazine. Still I couldn't gain root access. I would be very interested in finding ways of doing this on Irix 5.2 or Solaris 2.5. If you know anything about this, please send me an e-mail. If you know any resources on the Web that details the use of setuid programs in order to get root access, please tell me.

    [ P49-14 ]

0xe>-------------------------------------------------------------------------

>AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!<

Mich, not Mitch. "Mich" is short for "Michel."

M. E. Kabay, PhD, CISSP (Kirkland, QC)
Director of Education
National Computer Security Association (Carlisle, PA)
http://www.ncsa.com

    [ No, Mike is short for Michael. ]

0xf>-------------------------------------------------------------------------

Your zine is the best
Please send it to Psycho Al1@aol.com

The Psychotic Monk

PS:Aohell rulez

    [ You are an idiot. ]

0x10>------------------------------------------------------------------------

Hi, Phrack people!

Great job on issue 50! Nice magazine. Article 'bout TTY hijacking is really superb.

I have just one question to you.
Is there any holes on target system in this situation? There's a server, running freeBSD 2.1.5, with a shadowed passwords. I've got a dial-up account on that machine as a simple user. What bugs can I use for having root privileges?

Best wishes from Ukraine!!
OmegA

    [ find / -perm -4000 -print ]

0x11>------------------------------------------------------------------------

hello... long-time reader, first-time writer:

i know that all "submissions" are to be encrypted... and i should be encrypting anyways, but i'll make it quick ... besides, this isn't really a "submission..."

congrats on reaching the 50th issue mark, and congrats on an excellent ish!

i just a quick question. i would like to reprint the for issue #50 on my web page, with a hypertext link to the Official Phrack Homepage (http://www.fc.net/phrack/ - correct?). I think it says brings up some important points, and since it's copywrited, and you aren't losers, i'd ask you (it's not like a simple copywrite has stopped anyone before)!

thanks,
lenny

    [ A simple copyright may not stop people, but the simple restitution remanded by courts might. However, go ahead and put a hypertext link. The official webpage will be at phrack.com/net/org, SOON. ]

0x12>------------------------------------------------------------------------

In Volume Four, Issue Forty-One, File 3 of 13, Supernigger was featured in your Phrack Pro-Phile. Whatever happened to him? Did he "grow up and get a real job" or is he still lurking around?

- Styx

    [ Both. ]

0x13>------------------------------------------------------------------------

People @ Phrack:

In Phrack #50 in the file 'Linenoize' Khelbin wrote an article about remote BBS hacking, namely using Renegade's default 'PKUNZIP -do' command overwrite the userbase with your own ...

For some strange reason, while renegade is booted, and if it runs PKUNZIP -do the procedure will NOT work... but the procedure DOES work when Renegade is down at the Dos Prompt..?
Does Renegade extract files into memory or something while testing for integrity? -8) .. I tried this out on 10-04, 5-11 and even 04-whatever-the-fuck-that-version-was and it didn't work.. I think Khelbin needs help for his chronic crack addiction since I can't find any way possible to get his article to work..

op: Taos BBS
~~~ Telegard v3.02

    [ We dunno. Anyone else have an answer? ]

0x14>------------------------------------------------------------------------

Regarding Xarthon's submission about Linux IP_MASQ in Phrack 50...

The masquerading code is not designed for security. Hardwiring RFC1918 addresses into the IP_MASQ code is not a clever idea for two reasons:

1) It diminishes the usefulness of the code. I have used masquerading to keep things running when my company changed internet providers. I masqueraded our old _valid_ IP range. Other people may come up with other valid uses, like providing redundancy through two ISPs.

2) The masquerading code is part of the Linux packet filter, which can certainly be configured to prevent spoofing, and quite a bit more.

If the static packet filter and the masquerading code are used together they can provide as much security as a 'dynamic' filtering firewall like Firewall-1 in many cases.

A very short 'HOW-TO':

1) Put spoofing filters on all interfaces. Only allow incoming packets to the external interface if the destination address is that of the external interface (that's the address the masquerading code inserts as the source address of outgoing packets).

2) Insert rule(s) in the forwarding filter to masquerade your outgoing packets. You do not need to route incoming replies to masqueraded packets, that happens auto-magically. Deny everything else (and _log_).

3) Make sure the gateway does not run anything that leaves you vulnerable. Don't run NFS, the portmapper etc. Update sendmail, bind to the latest versions if you run them.

4) Disable telnet, and use 'ssh' for maintenance.
If you must support incoming telnet connections through the firewall install the TIS firewall toolkit, and use one-time passwords.

5) Run 'COPS', 'Tripwire'.

6) Read a good book about Internet security, and make sure you understand all the issues involved before you configure _any_ firewall, even one with a GUI and a drool-proof manual.

I hope this is useful to some people.

Ge' Weijers (speaking for myself only)

0x15>------------------------------------------------------------------------

You write in P49-06:

... The only sure way to destroy this channel is to deny ALL ICMP_ECHO traffic into your network.

No. It suffices to clear the content of the packets when passing the firewall.

ralf

    [ True enough. However, by doing this you remove the RTT info from the ICMP echos which will break some implementations which rely on it. ]

0x16>------------------------------------------------------------------------

Hi, I'm a Wannabe, maybe you would call me an idiot. Where do you guys hang out, IRC? Which channel, #supreme? Which server?

Know any good trix for me how to learn more about hacking?

Please answer my letter, I know that you get lots of letters, but please!!

    [ EFNet, #phrack ]

0x17>------------------------------------------------------------------------

You can't really say that IRC is for loosers cuz in Phrack 50 I saw an article with some text taken from IRC, and you were logged in.

    [ We are losers. Ergo, yes we can. ]

Which good hack books, UNIX books or things like that do you recommend.

Thank You For An Answer!!

    [ Anything Addison Wesley or ORA. Also, many of the PTR/PH books. ]

0x18>------------------------------------------------------------------------

I am writing to inquire about the fate of Pirate Magazine and how I might contact its creators. It seems to have been out of circulation since 1990 and I was hoping to look at possibly organizing some kind of initiative to revive this excellent publication. I thought first to turn to Phrack magazine.
Thanx for your time.

Joong Gun

    [ Anyone have any information? ]

0x19>------------------------------------------------------------------------

Hello,

I just got Phrack 50 and loved it....It is the first one I've got. I was wondering if you guys know about any other newsletters or magazines that are sent to your e-mail address or you can get off the web on a regular basis, like Phrack.

thanX

    [ Other magazines come and go on a pretty regular basis. Phrack is eternal. Phrack is all you need. ]

0x1a>------------------------------------------------------------------------

Please help me. If I can't join your club, please let me learn from you. I am interested in both Program hacking and remote access.

Thanks.

quattro

    [ You join our club if you can find our secret clubhouse. ]

0x1b>------------------------------------------------------------------------

hi. This is from a guy you probably will never hear of again, and definitely have never heard of already. I wanna ask you a question. At my school, people write crap on their backpacks with witeout. I have never done this for 2 reasons

1) I dont wanna be grouped with the poseur metalheads, etc who write "Pantera" and "666" and "Satan" etc but cannot name a song of theirs, and/or go to church....

2) I dont wanna be grouped with the wanna be hackers who write stuff like Anarchy symbols, "Aohell" "Kaboom" and the such, because thats just plain lame. You have to feel sorry for people who think they are elite because they can mailbomb somebody.

Another reason I have never written anything is I havent found anything worth advertising. Now i have, I wanna write "The guild" or something to that extent maybe "r00t" or something. I have not done this for i do not want to piss you off (indirectly something may get to you about it. It could happen, remember the 6 degrees of separation? hehehe). If this is ok with you, lemme know please.
(cad@traveller.com) Also, if your wondering why im mailing this to you alone, it is because you are a fucking badass. heh. Well, lemme know whenever ok? thanks. (I know i have an absence of punctuation, i'm in a hurry and I have homework)

    [ You have our permission to write r00t on your backpack. ]

0x1c>------------------------------------------------------------------------

yes i want to learn how to hack and need to learn fast
Js444 told me you can help
will repay BIG
thanks

    [ How big? ]

0x1d>------------------------------------------------------------------------

I sent this from your home page...is it X-UIDL? I dunno, it's 4 AM anyway

um oh, keep in mind that ur response (if made) to this may be dumped to #hack printed in the next Citadel knockoff or whatever

I was just like thinking oh, I was thinking "I don't have an Irix sniffer!"...actually my thoughts don't have quotes around them it was more like ~o- all the Irix sniffers I have suck -o~ and then theres like Irix 4, 5, 6. Bah. And like sniffit sucks and anyway. And then I mentioned this and people were making fun of me, but I don't care. I only care lately when people are like, "Oh that's what you make? I'm 17, have a criminal record and make three times that!".

Anyway, people are like, "No, no nirva is elite" so I thought, aha, I'll ask nirva what a good Irix sniffer is. Oh, like now that people are laughing at that I have to keep this quets like secret. I even think some Irix's don't have compile, like Solaris. Christ, some Solaris's have jack shit. Anyway.

1) Why don't u log on #hack, or are you tres elite #!guild or beyond elite #www or #root #Twilight_Zone

and more importantly

2) Irix sniffer - captures passwords, actually compiles. I hate coding. I am a a lazy American. And like, getting legit root access on an Irix...bvah, Irix sniffer!

Bye-bye hackers

oh

PostScript

3) Are you a cyberpunk? If I ran Phrack I wouldn't like Mr. Tishler have "Are hackers in general geeks?"
as the question _everyone_ gets, I think, Are you a cyberpunk? Would be it

    [ 1. We do hang out on as many public channels as we can stand for at least a little bit of time each issue. But really why do you care if an editor of Phrack is there when people are shouting about their penis size and how many drugs they are on? If you want to talk about something, we are always available by e-mail and will usually talk to you by private msgs if we aren't busy doing something else at the moment.

      2. Anyone want to write us a really cool one?

      3. Who are we to change tradition? ]

0x1e>------------------------------------------------------------------------

Hello,

I wanna ask you something about the following problem. I'm really stuck (the 1st time ;-)) ! Is it possible to pass a firewall and access one of the domains behind it ?? I'm afraid that the sysadmins did their job fine :( I've got everything what I need but that damn wall....I'll give you some info that I've obtained so far:

- IP-address of the firewall,
- All the domains + IP addresses behind this wall,
- The login-account of the superuser,
- All the open-UNIX ports behind the wall,
- The company has no WWW-site but they do have an Intranet.

portscanning gives me this:

21~=ftp,
23~=telnet,
25~=smtp-mail 220 x.x.x.x SMTP/smap Ready.

This is at IP x.x.x.2 but I found out that also x.x.x.1 belongs to the same company with 3 other ports...

7~=echo,
9~=discard-sink null
79~=finger.

Is the only way to go by D.O.S. attack the firewall and then spoof the firewall's IP address ? But how to start ?? Would u be so kind to help me ??

TIA,
theGIZMO

    [ fragmentation. ]

0x1f>------------------------------------------------------------------------

Ok, this might sound dumb , but, I think it would be cool to have this as a slogan.

"Blah, blah, blah, and along with your subscription, you'll receive a LIFETIME WARRANTY ON YOUR BRAIN!!
That is, if for any reason your brain can't figure out a problem you're having hacking, just e-mail us with your question and we'll be glad to help you out. Note: Please PGP encrypt all questions regarding hacking questions. Thank you."

Do you like it? Note that blah, blah, blah is whatever you would it to be. Such as, "You can subscribe to Phrack Magazine by sending e-mail to Phrackedit@infonexus.com requesting you be put on the list, and along with your subscription......"

Ok, thats it....write back if you like it....or if you don't. Here is my PGP public key.

Oh yeah...you might have gotten mail from PhatTode@aol.com. That is me. So direct replies to those messages to this new address...Thank you.

    [ You're right. It does sound dumb. ]

0x20>------------------------------------------------------------------------

Hey, sorry to bother you but I just got Redhat Linux 4.1 in the mail. I think it's great besides the fact that I hear that it lacks security. How do I get PGP up in it? Is it easy to install? Thanks.

Killer Bee

    [ yes, very easy to install. Read the documentation. It's different for different platforms. ]

0x21>------------------------------------------------------------------------

Hello

My name is Joseph and I am interested in any information you may have about the early day's of hacking and current hacking underground.. also I understand you are a member of the guild ?? what is this?

Joseph --> jgriffiths@iname.com

    [ The guild is like what r00t was before r00t got all famous and became greatly feared and admired. Oh. And we spend most of our time counting our millions and having sex with models. ]

0x22>------------------------------------------------------------------------

Hi there,

Do you know where I can find the Rosetta stone for interpreting the output of Solaris lockd & statd in debug mode? I can't find any public information about it, even on Sun sites.
Sun Microsystem refuses to let their lab publish anything about interpretation of system calls outputs. Are they afraid that they will be losing support contracts if this information gets out? The man page does not include arguments to run in debug mode, and what's the point of providing the tools w/o the means to interpret the result? Teach a man how to fish .....you know.

Thanks.

Christine

    [ Someone want to write an article on it? ]

0x23>------------------------------------------------------------------------

In regards to the article on Ethernet spoofing:

As an aside note for the highly paranoid: ethernet spoofing

Note: some of this is theorized, and might not be 100% accurate - if you get the gist of it, you should be able to figure out if it works for you.

It is possible to spoof ethernet hardware addresses as well. Some cards will allow you to do this easily, but you need to have card programming docs (check the Linux kernel source for your card driver-!!). Others won't let you do it at all, and require a ROM change, or worse it might be solid state logic on the card - EVIL. Course you might be able to get around solid state stuff by recoding the ROM, but I wouldn't recommend it unless you don't have the $70 to buy a new card, and have a month or two to spend in the basement.

... rest of stuff(tm) deleted ...

Interestingly enough, most of the Sun sparc stations I've seen allow you to enter in any mac address that you want using ifconfig(1M). I "know someone" who picked up a Sparc IPC for $50 (Can $$) and upon discovering that the battery that powers the IDPROM was deceased, we needed to fake a mac address to get it to talk to someone. Sun's default is 0:0:0:0:0:0 but the 3Com card's mac (from a different network) worked quite nicely.

Interesting concept the author has though, I'll be f*ck around with the idea when I'm supposedly doing work =)

    [ MAC address spoofing techniques are well known about, especially under Sparcs.
However, do some research, write some code and an article and submit it... ]

0x24>-------------------------------------------------------------------------

I love your e-zine it is the coolest thing i've read.

[ Thank you. It's the coolest thing we've written. ]

Please could you tell me any ways to violate the security of a "MacAdmin" based system on the Apple Macintosh.

[ What's a Macintosh? ]

Mark "Vombat" Brown

May phrack and Fiona live forever!

[ ...and may Phrack and Fiona do a joint project some time soon... ]

0x25>-------------------------------------------------------------------------

Hey, I sent this to you because yer handle is shorter. Anyways, great job on issue 50, always a pleasure to read it, and in article 12, by Sideshow Bob, I was wondering about the "tail" command. I don't seem to have this nifty util, and was wondering if perchance, you knew where I could get a copy. Also: the Skytel article sorta looked like an advertisement to me. Nothing against that, it's still pretty interesting to learn of Skytel's history, and of the nifty things out there, but I was wondering if it sounded like a detailed ad to anyone else. But if you could help me out with the tail command, I'd be so grateful.

Joel Thomas

[ Standard GNU utility. Try your local unix box. ]

0x26>-------------------------------------------------------------------------

|
| G'day mate,
| I am a computer user in Camplong, Timor. I have limited internet access, as
| it is a long distance phone call from home. I have downloaded your issues
| 46-50 and haven't read through them all yet, but what I see looks good.
| What I need from you is a UUENCODER program so I can extract the included
| files.

[ Standard GNU shell tool. Any Unix host will have it. Do a websearch to get it for Windows. ]

| I am also confused on how to extract the .c files from the text
| files(philes?).
[ As it says in the header file: gcc -o extract extract.c then `extract filename` ]

| I am not a C programmer, but my dad is.

[ That's nice. ]

|
| I need PGP. Although my side of the internet is safe, no one reading others
| letters (the sysop is too dumb or something to even think about that) I want
| my mail to get where it is going in one piece unread. Where can I find a
| free copy of PGP?

[ Do a websearch. ]

0x27>-------------------------------------------------------------------------

.. crack me up. Excellent social porno in your reader's letters section. Keep on commenting. Might start screaming soon.

Um, the guy from slovakia might want to get hold of Bill Squire for information on smartcard programmers; as I seem to recall, he likes messing with these electronic devices.

Another thing; I thought DC was now just sticking to his viola? According to all the news he only started hacking because someone vandalized it? Wonder if I should have used the same thing in my case: "I plead not guilty, Magistrate sir, but the University's good-for-nothing courses drove me to it." Whatever it takes, I guess..

Yum.

-me.

0x28>-------------------------------------------------------------------------

This is a response to p48-02 in which one "Mr. Sandman" proceeded to spew out eleven paragraphs of blatant misinformation. Rather than lumbering through a point-by-point rebuttal to his letter, I will quickly summarize what was wrong with it, and then state a few facts to clarify some things.

KoV never touched Skidmore. This is something that anyone who was in the group will attest to. And not just to follow the old "admit nothing, deny everything" plan. In reality, we NEVER touched it.

In retrospect, I find it very odd that someone from New York would claim to know so much about the inner workings of a decidedly regional [Connecticut] hacker collective.
While we weren't exactly xenophobic, we certainly didn't go out of our way to divulge information about ourselves to anyone outside the group (or the state, for that matter). This would explain why Mr. Sandman's letter was riddled with insufferably laughable lies that were obviously the product of a jealous and dejected outsider.

One thing that needs to be put to rest is that we were certainly not "a bunch of egotistical and immature criminals" as Mr. Sandman would have you believe. The primary focus of KoV's efforts was not to "break into universities" or "make ourselves look bigger and more important than we were." We existed, first and foremost, to unify what was, at that time, a greatly divided scene. Squabbling and infighting among those few real hackers who were still around was leading to a critical breakdown at the fundamental level. Something had to be done, and fast.

In an effort to bring together a group of like-minded individuals (not only from the hacker perspective but also in terms of anarcho-libertarian philosophy and ideology), I started KoV with an intentionally humorous name behind the acronym. It was an almost immediate success, and over time I certainly accomplished all that I'd set out to do, and then some.

The current state of the "Connecticut hacker scene" (for lack of better terminology) is much different than it was in the summer of 1994. People are working together, cooperating, and the incessant "civil wars" which plagued us back then are all but nonexistent today. I think I'd be well within my rights to credit KoV with helping to assure that those problems are now but a memory.

It really bothers me when anonymous instigators like Mr. Sandman attempt to dishonor all the work that we did to get this far, without even really having a clue as to what we were (and are) all about. Perhaps he and his ilk could benefit from such groups as KoV. Because no matter how I feel about him and his actions...

"The more we fight among ourselves, the less of a threat we are to the system."

- Valgamon
Sat Jun 07 15:49:25 EDT 1997

0x29>-------------------------------------------------------------------------

What up. Yo, Ima hack/phreak from back in the day (1984) My 1st bbs was on an atari with a floppy drive and 64k! Nowadays, I do rap music and acting, live in Los angeles (im from western NY), and run 900#s and adult websites.

Check this out, I need to thangs:

#1: FTP space for adult pix (not really important, since my host gives me unlimited space), but I have no anonymous ftp capabilities)

#2: Windows NT or unix

Can you help?? Have broom (Music software) will travel (trade)

[ We will trade you unix for a rap song about Phrack and a movie role for route. ]

0x2a>-------------------------------------------------------------------------

This is in reference to the first part of your " PGP Attack FAQ," which addresses the length of time necessary to brute force IDEA. Perhaps I'm overly paranoid (naw...) or just a perfectionist, but I would like to point out two things about this:

1) Somewhat of an error in your math?
2) "As far as present technology is concerned."

"As we all know the keyspace of IDEA is 128-bits. In base 10 notation that is: 340,282,366,920,938,463,463,374,607,431,768,211,456. To recover a particular key, one must, on average, search half the keyspace. That is 127 bits: 170,141,183,460,469,231,731,687,303715,884,105,728. If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. IDEA, as far as present technology is concerned, is not vulnerable to brute-force attack, pure and simple. "

Somewhat of an error in your math
========================

OK, let's examine the math. For simplicity, let's say we only had one machine that could try 1,000,000,000 keys/sec.
The number of seconds it would take for this machine to search half the keyspace, and thus find the correct key would be 170,141,183,460,469,231,731,687,303715,884,105,728 divided by 1,000,000,000. This would yield 170,141,183,460,000,000,000,000,000,000 seconds of maximum search time before finding the key. This in turn would be

2,835,686,391,010,000,000,000,000,000 minutes
= 47,261,439,850,100,000,000,000,000 hours
= 1,969,226,660,420,000,000,000,000 days
= 5,395,141,535,400,000,000,000 years
= approximately 5.395 sextillion years.

If there are 1,000,000,000 of these machines as you suggest, then the years required for a successful brute force crack would be 5,395,141,535,400,000,000,000 / 1,000,000,000 = 5,395,141.5354.

So, it comes down to: are you saying that these 1,000,000,000 machines are acting as a collective entity or can *each* one of these machines operate on 1,000,000,000 keys/sec and thus operate together at a speed of (1,000,000,000) * (1,000,000,000) = 1,000,000,000,000,000,000 keys/sec.

If the first is true, then you are correct in saying that "it would still take all these machines longer than the universe as we know it has existed and then some," as it would take app. 5.395 sextillion years (scientists estimate that universal redshift shows the universe to have existed thus far for only 15 billion years).

If the second is true, then it would take far less time than the existence of the universe at app. 5.395 million years... which could be compared to twice the amount of time human beings have existed on earth, or just a fraction of the time dinosaurs were here.

[ Hrm. Take it up with Schneier. ]

"As far as present technology is concerned."
=============================

How far is present technology concerned?! The Intel/Sandia Teraflops Supercomputer can reportedly perform 1.06 trillion floating point operations per second (refer to http://www.intel.com/pressroom/archive/releases/cn121796.htm).
Assuming

[ Keep in mind that factoring and brute force key searches are integer-based calculations, not floating point operations. ]

one of these "instructions" can operate on, let's say something around a 28th power float variable, then disregarding read/write operations, the system can search at 1.06 trillion keys/sec. This yields a total search time (before a successful "hit") of 170,141,183,460,469,231,731,687,303715,884,105,728 / 1.06 trillion = 160,510,550,434,000,000,000,000,000 seconds = 5,089,756,165,470,000,000 years or 5.089 quintillion years... still a ridiculous amount of time even on the fastest publicised system in existence.

Now, this system, the Intel/Sandia Teraflops Supercomputer is made up of 9,200 200 MHz Pentium Pro processors. Being that they didn't have to buy them at markup/retail and they manufacture them from scratch for their own purposes, let's say it cost $500 per chip plus some negligible ram and labor costs (how much ram do you need when you have a gig+ worth of onboard cache, etc.). With 9,200 chips, the system would take about $4,600,000 to build.

A practical question: if federal taxation is %28 on an annual income of $80,000, where does all the money go? Well, let's say a Billion dollars per decade goes to the NSA to build whatever they want. If the 9,200 chip system cost $4,600,000 then a little algebra reveals that with one billion dollars, the NSA could purchase approximately 2 million 200 MHz pentium pros. If the 9200 chip system did 1.06 trillion keys/sec, thus the 2 million chip system would be capable of approximately 230,434,782,609,000 keys/sec or app. 230 trillion keys/sec.

Now, say the NSA is smart enough not to buy crappy x86 chips and instead get 500 MHz DEC Alpha RISC chips. This is 300 Mhz or 3 fifths faster than a 200 MHz pentium pro approximately. so 230 trillion + (230 trillion * 3/5) = 368,695,652,174,000 or 368 trillion keys/sec.
The original calculation yields that the successful search time would be 170,141,183,460,469,231,731,687,303715,884,105,728 / 368,695,652,174,000 = 461,467,832,499,000,000,000,000 seconds = 14,633,048,975,700,000.

Ok, great... so now we're down to 14.6 quadrillion years of search time, which means that at least now we may get REALLY lucky and hit the right key within a certain degree of insanity. But, this was only a billion dollars we gave the NSA in a decade. If we're especially paranoid, let's say the government was so concerned over nuclear terrorists sending encrypted messages, that the NSA got a TRILLION dollars to build a system. That divides the whole equation by a thousand making the search time 14,633,048,975,700 years or 14.6 trillion years... STILL ridiculous.

Ok, so let's say that now we're giving the NSA a HUNDRED TRILLION DOLLARS thus dividing the search time by 100 yielding 146,330,489,757 years which is about ten times longer than the existence of the universe. But now, if we had 1,000,000,000 of *these* machines working concurrently the search time would wind up being 146.330489757 years. But, if each RISC processor were replaced with a small piece of nanotechnology, each piece of this nanotech being 100 times faster than the alpha chips, you get 1.46330489757 year.

There ya have it... some classified nanotechnology, 100 trillion dollars, and a DAMN lot of landmass all multiplied by 1,000,000,000 and you've brute forced IDEA in a year and a half. I won't go into the tedious calculations, but an object with the surface area of two of our moons would approximately be able to house this complex.

Now, as I know you're asking about where to store all the keys... and the fact that this drive would be bigger than a solar system and so on, just have the keys generated using the same PRNG in the brute force attack...
you'll just have three times the instructions (write for the generation, read to get it, write to compare it) so multiply the search time by three.

The technology is possible... it's economics and territory that doesn't work.

[ Theoretically shure. But you have sorta just proved the point that it is not feasible. ]

--gKHAN

0x2b>-------------------------------------------------------------------------

The snippet in P50 in section 02 of the zine by Xarthon entitled

> Yet another Lin(s)ux bug! "IP_MASQ fails to check to make sure that a
> packet is in the non routable range." "So in conclusion, you are able to
> spoof as if you are on the inside network, from the outside. "

Is so incomplete I would almost call it a lie. The only way that Linux would do this is if the person setting up the IP-Masq system issued the command "ipfwadm -F -p masquerade" which if you read the IP-Masq HOWTO it tells you explicitly NOT to do for this very reason. My retort for Xarthon and all others who do stupid ass things like leave port 19 open and such; is that Linux only sux if you do. To wit, don't be a moron, and you won't have to complain that it sucks.

Swift Griggs | UNIX Systems Admin

0x2c>-------------------------------------------------------------------------

Hi there,

I have a question regarding a certain piece of hardware that has come into my possession. Since this little piece of equipment contains no indications of its intended use i have no idea what this thing could do. So here's a description of the little box; i hope you might be able to provide me with more information on what this device is supposed to do.
Description:

-lightgrey rectangular casing (13CMx9CMx3CM)
-frontpanel has one green LED, a connector labeled "SCANNER", and a little door which reveals two sets of dipswitches (2 sets of 8, labeled "DIPSW1" and "DIPSW2")
-backpanel has three connectors, a RJ4-like connector (only it has 6 lines instead of 4; it looks like a connector for a Memorex Terminal) labeled "A", a standard IBM-PC keyboard connector labeled "B", and a small (9-pin) serial interface-connector labeled "C".
-there is a sticker with a serial number, a barcode, and "Made in Taiwan" on the bottom
-the circuit-board contains IC's of Sony, Philips, and Texas Instruments
-there is also one removable EPROM, made by AMD; it has a label on it which reads "V2.61 CS:EF88"

I have found that a normal keyboard plugged into connector B, while a KBD-to-RJ-jack cord is plugged into connector A will allow the box to be placed between the keyboard and the kbd-port; so my first guess would be that this is some kind of filtering device. But that doesn't explain why there is a serial-connector and this "SCANNER" connector present.

So, do you know what this thing is ?

-lucipher.

[ Readers? ]

0x2d>-------------------------------------------------------------------------

hi, my friends. i am a newbie come from China, i had read some Phrack magazine. but to me surprise, i had not success compile a program still now. i send e-mail to the author, but server tell me there is no this user.

for example, phrack-49-15 describe tcp port scan, but i can not find ip_tcp.h, other paper tell me a way to guess password, and said the program only need Ansi compiler, but i can not success too.

oh. my god.

i use sun os, gcc, i need your help, thanks.

yours keven zhong

[ Here at Phrack, we use TheDraw for ANSI compilers. I hope that answers your question.
]

0x2e>-------------------------------------------------------------------------

I'm just writing this to say thanks to all the hackers that represent Phrack and work hard to keep it going, you guys are truly keeping the new generation alive. If it weren't for Phrack i'd probably never have wanted to waste my time with computers, the technical info is first class and a lot better than most of the crap out there. I would suggest that maybe once in a while u guys could write some more stuff geared towards the newbies, it really is important because most people who aren't familiar with the terms get completely lost. Down here in Montreal(514), most people think hacking is spreading virri or u/l shitty trojans, there's no talk about unix or networks. We really need some help down here, the scene is practically dead and most newbies don't have any support to help them get started. Anyways i just want to say keep up the good work, and it's really appreciated.

--
| Return Address: Dave.Conway@claw.mn.pubnix.net
| Standard disclaimer: The views of this user are strictly his/her own.

[ Thanks, if anyone cool is in Montreal, e-mail this guy and revive your scene. ]

----[ EOF

---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 03 of 17

-------------------------[ P H R A C K 5 1 L I N E N O I S E

--------[ Various

0x1>-------------------------------------------------------------------------

A Review of H.I.P.

Out of all of the cons I've been to (and I've been to loads), Hacking In Progress was definitely the coolest and the most surreal hacker con ever. This was definitely a European event though there were a few arrivals from the US. The atmosphere was carnival. It was like an old style con where you got together to meet up with people face to face, exchange ideas and basically have loads of fun.

Around 2500 people attended: hackers, artists, media, police... a total mish - mash of cultures and ideas. HIP was a total geek-fest.
Computer networks were spread across the campsite. In the mornings (when I actually slept) I awoke to the chirping of birds and the booting up of windows95. In the evenings I sat around the campfire chatting to mates while the hardcore's played DOOM and exchanged warez.

During the day there were various activities. One tent held lock-picking classes. In another a group of astronomers had set up telescopes linked to computerized data-tracking equipment that you could print out. The cypherpunks had their own tent set up and I snuck in occasionally for a chat and a cold drink. There was a videoconference link connected to HOPE but it crashed and was abandoned.

In the main marquee, there were lectures on the usual fare of hacker interests: computer security, the legalities of hacking, anonymous re-mailing, cryptography, etc. The weather was boiling and my melted brain found it exceedingly difficult to concentrate. Most of my time I spent outside in the shade or the tent housing the bar, talking to people individually or in small groups.

The public telephones mysteriously malfunctioned on Sunday and could only be used to dial the emergency services. However if you dialed the Dutch equivalent to 911 you got a dial tone, so you could dial anywhere in the world for free. Supposedly this was a 'programming error' on the part of the Dutch Telephone Company.

Smaller more interactive workshops were also held. Though the technical lectures were really interesting, my favourite event was Padeluun's yo-yo workshop. Besides the fact that I got to keep the yo-yo, the workshop itself was farcical performance art. If you know the background you will understand what I mean, if not... Padeluun is a member of the FOEBUD group from Germany. These people do some really brilliant projects and are very politically motivated. One of their projects was to put up networks during the war in the former Yugoslavia.
They also work to distribute PGP to groups in countries with oppressive governments. It is not just anyone who could pull off a workshop like this. This was high irony. When I walked up the workshop had already started and I came in on the line 'yo-yoing is good for social engineering, no one finds you a threat when you yo-yo'. As the head of the Dutch Computer Crimes division was in attendance I thought this rather hilarious.

The attitude at HIP was really positive. The European definition of hacking has always been broader than the American definition. Europeans accept the idea of 'social hacking'. Not hacking in the Unix sense but in the sense of subverting technology, whether it be by pirate radio, hacking smartcards, social engineering the feds... or whatever.

Unlike some cons I've been to in the past couple of years, the atmosphere of HIP was really mature. There weren't any young kids trashing anything, there weren't any stairwells to flood, no one set off any fire alarms or randomly destroyed anything through boredom, and generally the people who attended had a lot of respect for the event and the organisers. Which means that no one I saw acted like a total wanker and no one is going to run the event out of town.

On a personal note it was brilliant meeting people there and hearing of some of the most recent projects people had on the go. Since the last time this event was held (HEU, 'Hacking at the End of the Universe' held at the same spot in 1993), the hacker scene has changed. One difference that struck me straight away was the fact that there were just as many females as males. And these women weren't girlfriends or hacker ho's but women that are getting to grips with the technology and using it for various projects.

Felipe Rodrigez who started Hack-tic along with Rop Gonggrip back in the early days of Holland's hacking scene, has always been active on the political front "For us, things have changed.
They used to call us criminals and think of us as terrorists. Now we advise the Ministry of Justice. We're the only ones who know the technology here." Rodrigez also believes that hacking is still a very useful tool in countries like Peru or Serbia where the state is unfair and citizens need to "defend themselves." This view has made him unpopular with the secret services who consider the former Hack-tic more dangerous now that they have power in the business community in Holland.

Though things may have changed since the early days of hacking, the European scene seems to have become something more grown up. "The hacker scene is now pockets of culture. There's alternative media, the old hacker culture, the Unix hackers, irc, even astronomers who are into their own computer culture. It's now for all of the people, which is why we call it Hacking in Progress, we have progressed"

As a summation, HIP was fantastic. It was brilliant to see most of the people I have known in the European scene in one place and to meet some new people who I will definitely keep in touch with the coming years. I'm really looking forward to the next one!

If you want photos and other articles check out the HIP site at www.hip97.nl.

0x2>-------------------------------------------------------------------------

To: All it may concern

It has come to my attention, that people are forgetting what hacking is. I'm not speaking about the freedom of information, or the pursuit of learning.. I'm talking about the fact that it is illegal and against the law..

I hear left and right.. " So and So has been busted.. lets protest.. Let's get the Hacker Defense Fund(TM) to help us! "

Hey time to wake up.. YOU ARE A CRIMINAL IF YOU ARE COMPROMISING THE SECURITY OF SITES/PHONE SYSTEMS/ETC..

Not a rant, just a note that it's time to face up to your responsibilities..
- Someone

0x3>-------------------------------------------------------------------------

/* TRUMPET WINSOCK PASSWORD HACKER by DOCTOR JEEP 11/96
   erode@avana.bbs.comune.roma.it
   written for Turbo C 2.0 (C) (old but cheap :) )
   The author doesn't take any responsibilities for any proper/improper
   use of this program. */

<++> winsock_passwd_hack.c
#include
unsigned char spazio[21]={88,75,55,47,114,66,87,92,35,68,69,87,101,38,122,123,45,117,74,78};
unsigned char name[34], fono[33], passc[33],riga[33],passd[23];
unsigned char user[11]="$username=", tele[9]="$number=", pass[11]="$password=";
FILE *f1;
int i,v,c,k;

decodi (int ver)
{
  int ls,b;
  if (ver==20) ls=10;
  if (ver==21) ls=11;
  b=strlen(passc);
  for (i=ls;i
/* END OF FILE by Doctor Jeep */

0x4>-------------------------------------------------------------------------

Tools for (paranoid ?) linux users

by whynot AKA baldor

-> you need basic TCP/IP knowledge to understand this article <-

Recently not only the number of attacks on big / commercial servers and machines with fast connections has increased, but even users with dial-in computers have been attacked or spied on. A good example is the winnuke.c program that has been released on BugTraq and has been used excessively. Although these attacks are not as "threatening" as the attacks that are launched against big servers it can get really annoying if some idiot frequently tries to hack you / takes your machine down / delays you.

Most Linux distributions have reacted to this development and made their telnet/ftp/whatever servers log every access. In this way you can easily put annoying hosts into /etc/hosts.deny. But in my opinion there are (at least) two things missing which I want to discuss in detail...

1. Detecting traceroutes

Traceroute is a really powerful command, which is often used to detect where the computer that is being tracerouted is located and to which network it is connected.
For some simple reasons you can *not* simply make it impossible for people to traceroute you, so the best you can do is detect *if* someone traceroutes you, find out *who* tracerouted you and confuse him a bit.

1.1 How does traceroute work ?

Basically traceroute just sends out IP/UDP probe-packets to the specified host. To find out how the packet is routed (through which hosts it is going) traceroute uses the TTL (time to live) field of the IP header. This TTL field specifies an upper limit of how many routers this packet can pass through before it gets dropped. Every router decreases the value of the field when the packet in question arrives, until it becomes 0. If this happens the router sends back an ICMP TIME_EXCEED to the sender of this packet (which is the host that is tracerouting).

So the strategy traceroute uses to trace the path of a packet is to send out packets to the target host putting an increasing value (starting with 1) into the TTL field. If a host reports ICMP TIME_EXCEED traceroute prints out its address and the time that passed from the sending of the IP/UDP probe packet until the receiving of the ICMP TIME_EXCEED. After that it will prepare a new probe packet with an IP TTL one greater than the previous packet. Traceroute will continue doing this until it receives an ICMP PORT_UNREACHABLE packet from the target address, or the max hop count has been reached (defaults to 30).

To understand this we should take a look at the UDP part of the packet we talked about above. To detect somehow that it finally reached the target host and should not try to go any further traceroute uses the connectionless UDP protocol. The UDP part of the probe-packet is addressed to a port which is barely/never used (in nearly all Unix implementations 33434+ the TTL included in the IP-Packet).
Since (normally) nothing is listening on port 33434 (and above) the target host sends back an ICMP PORT_UNREACHABLE signal that tells traceroute that it reached the target host and can stop sending any more packets.

Since the strategy of traceroute is a bit complex here is an (a bit simplified) example. Let's say that you are host "source" and tracerouting your way to host "target".

    source:/root # traceroute target
    traceroute to target (134.2.110.94), 30 hops max, 40 byte packets

Now source sends out a probe packet to target (port 33434) with a TTL of 1. The packet is passing "some_host" and the router decreases the TTL of the packet. It recognizes that the packet has "expired" (TTL=0) and sends back an ICMP TIME_EXCEED to source. Now traceroute uses the information included in this packet to print out data about the first host the packets to target are passing:

    1 some_host (142.45.23.1) 2.456 ms

Another probe packet is sent out by source, this time the TTL is 2 and the port is 33434+1 = 33435. It gets back another ICMP TIME_EXCEED packet this time from another_host:

    2 another_host (142.45.10.1) 3.983 ms

The third Probe has the TTL set to 3 and is addressed to port 33436. Traceroute now gets back an ICMP PORT_UNREACHABLE from "target":

    3 target (142.45.10.13) 4.032 ms

That's it ! Traceroute now finished its job and quits.

    source:/root #

Please note that traceroute by default sends out three packets containing the same TTL (each packet to an increasing port number) to determine the answering time of a host more accurately. In reality, a traceroute output therefore looks like this:

    traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets
    1 localhost (127.0.0.1) 1.983 ms 1.304 ms 0.934 ms

1.2 The strategy behind the traceroute-detector

Knowing how traceroute works it is very easy to detect. Simply set up sockets listen()ing to the ports 33434 and above and react if they receive any packets.
You can even try to guess how many hops the host that is tracerouting you is away by subtracting 33434 from the port-number you received the packet on and dividing the result by three.

Listening to the port traceroute sends the probe-packet to also produces a funny effect: traceroute will neither get back an ICMP TIME_EXCEED nor an ICMP PORT_UNREACHABLE signal. Therefore it will timeout waiting for the reply and put a * into your hosts entry. Because of the timeout traceroute will *not* recognize that it already reached its target and continue sending probe-packets until the maximum number of hops is reached.

With the little program detecttr running (and listening to ports 33434 - 33434*30*3) a traceroute localhost looks like this:

    schnecke:/root # traceroute localhost
    traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets
    1 * * *
    2 * * *
    .
    .
    .
    30 * * *

1.3 Problems detecting traceroutes

The only problem with detecting traceroutes is that one might select another base-port number than the default or use another technique. I have never seen any people doing this though. So if just an average idiot (or wannabe "hAx0r") is tracerouting you chances are really high that you detect it.

If you are *really* paranoid about traceroutes you should not use the ports to detect a trace but edit the file that deals with UDP packets. This is /usr/src/linux/net/ipv4/udp.c (NOTE: this file is a part of the kernel. Recompile your kernel to make changes take effect).

Insert the line:

    printk(KERN_INFO "UDP: packet sent to unreachable port by %s !\n", in_ntoa(saddr));

before line 833:

    icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);

This will make the system log *all* requests to unreachable ports that are delivered through the UDP protocol. Please note that the funny effect described in 1.2 will not occur (which can also be an advantage).
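The listening strategy of section 1.2, as an added example in C; it is not the article's detecttr.c and not code from the original article. It binds the default probe ports 33434 through 33434+89 and applies the article's (port - 33434) / 3 estimate; the per-source table, its size, and the rule of reporting each source once after three probes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TR_BASE    33434u           /* default base port, as given in the article */
#define TR_PROBES  3                /* probes sent per TTL value */
#define TR_NPORTS  (30 * TR_PROBES) /* default maximum of 30 hops */
#define TR_SOURCES 64               /* assumption: size of the per-source table */

struct tr_source { uint32_t addr; unsigned first_port; int count; };
struct tr_table  { struct tr_source src[TR_SOURCES]; int used; };

/* The article's estimate: routers between sender and us = (port - base) / 3.
 * Returns -1 for ports outside the default probe range. */
int tr_hops(unsigned port)
{
    if (port < TR_BASE || port >= TR_BASE + TR_NPORTS)
        return -1;
    return (int)(port - TR_BASE) / TR_PROBES;
}

/* Record one probe from addr to port. Returns the hop estimate exactly once per
 * source, when its third probe arrives (one full TTL round); -1 otherwise. */
int tr_observe(struct tr_table *t, uint32_t addr, unsigned port)
{
    struct tr_source *s = NULL;
    int i;
    if (tr_hops(port) < 0)
        return -1;
    for (i = 0; i < t->used; i++)
        if (t->src[i].addr == addr) { s = &t->src[i]; break; }
    if (s == NULL) {
        if (t->used == TR_SOURCES) t->used = 0;   /* table full: forget old sources */
        s = &t->src[t->used++];
        s->addr = addr; s->first_port = port; s->count = 0;
    }
    if (port < s->first_port) s->first_port = port; /* UDP may reorder probes */
    s->count++;
    return s->count == TR_PROBES ? tr_hops(s->first_port) : -1;
}

/* Bind one UDP socket per probe port; returns how many binds succeeded. */
int tr_listen(int fds[TR_NPORTS])
{
    struct sockaddr_in a;
    int i, ok = 0;
    for (i = 0; i < TR_NPORTS; i++) {
        fds[i] = socket(AF_INET, SOCK_DGRAM, 0);
        if (fds[i] < 0) continue;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_addr.s_addr = htonl(INADDR_ANY);
        a.sin_port = htons((unsigned short)(TR_BASE + i));
        if (bind(fds[i], (struct sockaddr *)&a, sizeof a) < 0) {
            close(fds[i]); fds[i] = -1; continue;
        }
        ok++;
    }
    return ok;
}

int main(void)
{
    static struct tr_table table;
    struct sockaddr_in from;
    socklen_t flen;
    char buf[64];
    fd_set rd;
    int fds[TR_NPORTS], i, maxfd, hops;
    if (tr_listen(fds) == 0) { perror("bind"); return 1; }
    for (;;) {
        FD_ZERO(&rd);
        for (maxfd = -1, i = 0; i < TR_NPORTS; i++)
            if (fds[i] >= 0) {
                FD_SET(fds[i], &rd);
                if (fds[i] > maxfd) maxfd = fds[i];
            }
        if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0)
            break;
        for (i = 0; i < TR_NPORTS; i++) {
            if (fds[i] < 0 || !FD_ISSET(fds[i], &rd))
                continue;
            flen = sizeof from;
            if (recvfrom(fds[i], buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) < 0)
                continue;
            hops = tr_observe(&table, from.sin_addr.s_addr, (unsigned)(TR_BASE + i));
            if (hops >= 0)
                printf("traceroute from %s, about %d router(s) away\n",
                       inet_ntoa(from.sin_addr), hops);
        }
    }
    return 0;
}
```

Because the probes are swallowed by a listening socket, the tracing side sees the `* * *` rows described in 1.2; a trace that uses a non-default base port is not seen at all, which is the limitation section 1.3 names.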
BTW: Please be careful while editing the kernel - you need it :)

1.4 Sample Implementation

detecttr.c -> see the end of this file

2. Detecting pings

There has been a lot of discussion about ping in the last few months because
it was often used to transmit oversized packets to other hosts resulting in
crashes. Although this bug has been fixed on most hosts already, ping still is
very popular to slow down people who are connected to the net through modem
lines until they drop carrier themselves because of the BIG lag.

You can *not* prevent people from pinging you (without having your ISP
blocking all ICMP_ECHO requests to your host) and therefore causing traffic on
your modem line. But you can actually detect *who* pinged you, determine the
ping-packet size and decide not to reply (this *may* reduce the data over your
modem line up to factor 2).

2.1 How does ping work and how do people slow down others by using ping ?

Simplified, ping sends a packet containing an ICMP_ECHO and some data to the
target which will reply with an ICMP_ECHOREPLY packet that contains the data
sent to it (only some fields are modified).

Normally ping will wait about 1 sec before it sends the next ICMP_ECHO. On
many implementations of ping you can bypass this and do a "floodping" which
will *not* wait but just send the packets as fast as possible. If you choose a
big packet size for the ping packet and you are pinging your victim from a
host with a fast connection (T1 or Ethernet) this will cause a lot of traffic
on your victim's modem line and therefore slow him down to a halt.

2.2 How can I detect a ping and how do I prevent being flooded ?

Since a ping is nothing more than an ICMP_ECHO with some data appended to it
you can simply intercept it, extract the sender's address and the packet size
from it and decide whether you want to reply or not. For non-floodpings you
can reduce the amount of data transferred over your modem line simply by
choosing not to reply.
But if someone is floodpinging you it does not help much to not reply to the
ping packets --> the incoming ping packets will probably cause enough traffic
to slow you down (unless the host where floodpings come from has a slow
connection). At least you can give it a try anyway...

2.3 Sample implementation

The handling of the ICMP_ECHO is done in the kernel. Edit your
/usr/src/linux/net/ipv4/icmp.c file and search for the section "Handle
ICMP_ECHO". These 16 lines of code are all you need to modify to defend
yourself against / detect ping-floods.

If you know a little C you can easily see that there exists a define
"CONFIG_IP_IGNORE_ECHO_REQUESTS" which you can set to have the kernel just
ignore all incoming ICMP ECHO_REQUESTs. But we want to be more selective. We
want to log all pings that are sent to our machine. We do this by inserting
the line

    printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n",in_ntoa(saddr),
           icmp_param.data_len);

before the #endif.

You can easily change the "Handle ICMP_ECHO" section so that your machine only
replies to ICMP ECHO_REQUESTs that do not carry too much data and ignores the
pings with big packet sizes:

<++> DTR/icmp.patch
static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb,
                      struct device *dev, __u32 saddr, __u32 daddr, int len)
{
#ifndef CONFIG_IP_IGNORE_ECHO_REQUESTS
        struct icmp_bxm icmp_param;

        if (len <= 1000) {  /* we only reply to pings that do carry less than 1k data */
                icmp_param.icmph=*icmph;
                icmp_param.icmph.type=ICMP_ECHOREPLY;
                icmp_param.data_ptr=(icmph+1);
                icmp_param.data_len=len;
                if (ip_options_echo(&icmp_param.replyopts, NULL, daddr, saddr, skb)==0)
                        icmp_build_xmit(&icmp_param, daddr, saddr, skb->ip_hdr->tos);
                printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n",
                       in_ntoa(saddr),icmp_param.data_len);
        }
        else
                printk(KERN_INFO "ICMP: possible FLOOD DETECTED by %s, packetsize = %d \n",
                       in_ntoa(saddr),len );
#endif
        kfree_skb(skb, FREE_READ);
}
<-->

<++> DTR/detecttr.c
/*
 * detecttr.c - by whynot AKA baldor (whynot@cyberjunkie.com)
 * created: 08.05.97
 * last modified: 11.07.97
 * Platforms: Linux, FreeBSD should work with other POSIX-systems too.
 *
 * Compile:
 * just the usual "gcc -o detecttr detecttr.c" for GNU C and
 * "cc -o detecttr detecttr.c" for other compilers...
 *
 * Usage:
 * Just run this program at the startup of your machine - it will stay in
 * the background until someone traceroutes you. It only uses a *tiny* bit
 * of your memory and nearly 0% CPU :)
 *
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include /* simply comment this out if you don't have syslog.h */
#include

#define MAXBUFLEN 200
#define MYPORT 33435
#define NUMPORTS 30*3

int sockfd[NUMPORTS];

void shutitdown()
{
  int w;
  char buf[50];

  for (w=0; wh_name;
}

main(int argc, char *argv[])
{
  int hops;
  struct sockaddr_in my_addr;
  struct sockaddr_in remote_addr;
  int addr_len, numbytes;
  char buf[MAXBUFLEN];
  int w;
  fd_set readfds;

  if( fork() !=0 ) return(0); /* we don't want to use that annoying & */

  signal(SIGHUP, SIG_IGN); /* ignore SIGHUP */
  signal(SIGTERM, shutitdown); /* clean shutdown */

  for(w=0; w

0x5>-------------------------------------------------------------------------

| |||| |||||[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
| | | ||| |||[ The Street Phreak's Phone Mods vol. 1 ]
| | ||||||||||[ Jex {612} ]
| | |||| || |[ ]
| || | ||||||[_______________________________________]

[intr0]

97.07.01

This project is a result of a need to have a more versatile phone for at home
and in the field. Many "phone modification" files have been floating around
the scene for quite some time - some are incomplete, inaccurate, or would be
better taken advantage of if they were all integrated. This project should be
a good starting point for making your phone elite.

The following modifications are divided into two primary parts: the first
being made to your phone directly, and the second being a separate component.
[part 1: m0d me]

Teq:
----
Qty  Part                                        Part no.   Price     Ref
2    1/8" mono jack (or stereo with tips tied)   274-274    2/$1.89   U1, U2
2    SPDT slide switch                           275-409    2/$1.19   SW1, SW3
1    100k single turn pot                        271-092    $1.29     R2
1    Mini red LED                                276-026    2/$0.99   D1
1    Hallmark Digital Greeting Card (optional)   (Hallmark) 1/$8-10   IC1
1    6v power source (optional)
1    SPST normally closed momentary (optional)   275-1548   4/$2.89   SW2
1    10k (optional)                              271-1335   5/$0.49   R1

Since I'm cool, I'll give you a rough walk-through on the construction along
with the schematic. The phone modifications were kept to a minimum, since you
most likely want the majority of your cute toys in the modular component. I
would like to make these devices modular as well at some point in the future -
if anybody would like to beat me to it, by all means.

--[ring switch]----------------------------------------------------------------

 1. Desolder wire off one pad of the piezo element (ringer)
 2. Connect desoldered *pad* to right pole of SPDT
 3. Connect desoldered *wire* to center pole of SPDT
 4. Connect LED to left pole of SPDT
 5. Connect other side of LED to the pad of piezo element with the original
    wire

(Note: You should now be able to select between an audible ring and the
flashing light. If the LED does not light but the ringer works, switch the
wires going to the LED as the anode/cathode are not in the right positions.)

--[in jack]--------------------------------------------------------------------

 6. Desolder wire (-v, probably black) off one pad of the microphone
 7. Connect desoldered *wire* to center pole of SPDT
 8. Connect recently desoldered *pad* to right pole of SPDT
 9. Connect tip (or base) of U1 to left pole of SPDT
10. Connect base (or tip) of U1 to the center pole of R2
11. Connect side pole of R2 to the pad of the mic with the original wire

(Note: You should now have the ability to switch between the audio jack and
the mic. This is necessary as the audio jack always drowns out the mic, even
when it is doing something such as playing "UN-noise" while a tape rewinds.
This also serves as a mute switch.)

--[out jack]-------------------------------------------------------------------

12. Connect U2 in parallel with the speaker.

(Note: Out jack.)

--[optional digital recorder]-------------------------------------------------

13. Desolder mic from Hallmark card (IC1), it will not be used
14. Connect desoldered mic wires to the base and tip of U2 in parallel
    (isolated)
15. Desolder speaker from IC1, it will not be used
16. Desolder one speaker wire, it will not be used
17. Connect the other speaker wire to R1
18. Connect other side of R1 to the mic pad that has the original (v+) wire
    and R2 connected to it
19. Desolder "play switch" paying attention to how it is connected, it sucks
20. Connect SW2 in its place
21. Connect v- (black wire) of 6v power source to SW2
22. Connect v+ to IC1

(Note: You should now be able to record from the mic and jack, and be able to
play it back into the phone.)

[part 2: c0nstructi0n 0f p0w-paq]

Teq:
----
Qty  Part                                        Part no.   Price     Ref
8    DPDT slide switch                           275-403    2/$1.39   SW1, SW2, SW3, SW6,
                                                                      SW7, SW8, SW9, SW12
2    SPST slide switch                           275-401    2/$1.19   SW4, SW10
2    DPST slide switch (substitute with 2 DPDT)  275-403    2/$1.39   SW5, SW11
2    Dual polarity LED (phreakz discretion- 2                         LED1, LED3
     LEDs in parallel, or a 2 pin Dual LED
     package)
6    6P4C Modular Jack (try DigiKey, www.digikey.com)

Parasitic Tap Detectors:
------------------------
Qty  Part                                        Part no.   Price     Ref
2    15v Zener Diode                             276-564    2/$0.99   D2, D4
2    Mini Red LED                                276-026    2/$0.99   LED2, LED4
2    Bridge Rectifier                            276-1161a  1/$0.99   D1, D3

(Note: I substituted the 1N914/4148 Silicon Diode for the Zener and it seems
to work fine, 276-1122, 10/$1.19)

As you may have noticed, the Parasitic Tap Detectors are taken straight from
the article Tap Alert in 2600 vol 13 iss 1, credit is given to No Comment and
Crash Test Idiot.

Now, what all this is.
You have two primary inputs, and one master input in case you have a single
connector with two lines on it. There are two "outputs", whose function is up
to you (these are optional). Now you are left with one master output, whose
function should be obvious.

SW1 & SW7 change between the "outer" and "inner" wires, in other words
Red/Green vs. Black/Yellow.

SW2 & SW8 reverse polarity of the line (one is optional).

SW3 & SW9 serve as polarity detectors, lighting one color for a certain
polarity and another color for the other polarity (one is optional).

SW4 & SW10 make use of the tap detectors. Most of the time you will not be
using the tap detectors as they can have problems with the other devices on
the line, experiment.

SW5 & SW11 are primary line power switches, make the line go off or on.

SW6 & SW12 are hold switches for each line, when they are both "off hold" you
may conference the two lines.

The polarity changers are a must - often times store-bought telephone cables
reverse voltage, and even your wall jack might have non-uniform polarities.
To use both lines at once, the polarity for each line must be the same, this
can be achieved by throwing just one switch if they are reversed (it's an
either/or state).

If you find any errors or corrections you would like to make, or you just need
a shoulder to cry on, my email is listed above. Any upd8s can be found at
http://www.geocities.com/SiliconValley/Heights/1334, thanks for playing.

[schematix]

The top of the diagram has the modifications to be made to the phone unit
itself, the bottom to the modular device.

[phonesm1.gif: uuencoded schematic]
NS@:S&:;NW=^S 'GS!.5L[^*N_8=NLUFK#3D+);XRXK%K)X FYg M5URUX>G#BOS_))1LS295e MS=OLS<0GR=\LSF,-LSA#5S>>LSM 7SNOLSNOTRN\LS_P6S_-LSX;7SO>Ld MSV"9S?OLSPZ8S_\LT"U6SP-MT"F3S@>MT#U5T OMT B3T \MT0X3T1-MT?Q2c MT1>MT:G9SQOMT5R3T1\MTI46T"-MTLI9TB>MTA#=T"OMTG 2TB\MTTV7TC-Mb MT\D2TS>MT_E7TSOMT]W2TC\MU++9T4-MU(A6U$>MU)F2TTOMU&S6_]-/+=4\a MG=13;=4N%]17K=5]&=5;[=6]5\Y?+=8T7=5C;=:8EM5GK=:?D=9K[=8ST]9Oz M+=< U-5S;=>24]=WK=3;=EXW=B7K=E:$]>;O==-[=F&#=JA+=BC3=I^;=JGK=>IK=IVx MS=JM+=>O#=MN+=NSK=:U;=MFC=NY+=:[S=M>[=L%A;X0G,H*_-ND%MFWQ,H\6_G*X+2]S8;9*9G9R=6K&*VJM:v MW,%S+-Y@7=F7V[?+?9I'% OO$WINU')S&&T'*P\RK2^[?YGNHr M*UKCU3+C99SE49[E8YX6:EZ]$^RSONSDF6S*^YG+7F[C>.S"28OD&@ZW%?*Cq M1EJ^WQO@$VNK%5[HVSG"]2OHU?KGLQJYC6NJA2ZY?KRRCAZN6KSH"LS)"!KAp MUJVC[DOGCQZY5N'_YWI;M7^>QH/.R&P^6"K^/W?KZ:&>YC\LYD9LR,;MK]P*o MY=8+LG'^R"=\L+P^ZXP,QOE[PL3.MWE:W:=>RM>=Z-X:QP!.ZM/>P_"8Y/N-n MPL]]QL3>P-VNRH;,K+O:P@0\RL6]WO2MH>'MW+:>KMB!X(_.X%F,I"/KQ)>,m MQI]*IMUKYY@.L[;EZOG#K=J.Y===Q7[^I7K.L*I.PD5,[JI,R%ULPM$.QM*.l MY[W^J$Y<\?;=QW(L\6&^O^Q^[I(+Y"A][:@IMRAZX([:W$J:M<9]Z+=>[/CNk M[!-?PH5JMOOZM7L+R'F.\3G?[+ANW_=.Z7DKZ]4]N:$NH0H_I7Y[XWO^_][Pj MC:ST*NK[H>[#KK;5[I]7JNA&CNI27[C<_?4WGNGZV[X0&\IAC\EH/^'=?>5Ki M6O;*JO9G;Z]3GLI86^'Z&?54"_

JK42NHC7S%ESD8W:^=1P>HXKL)G3N0Uh M]X5+\A7Q61SR6-'QR13^*4#Q.6[^\G'N-K+?B?[]*A+_HJ3?H S_EOg M ?@NVOBKGQ\7?K[?'1.I'^F*SXF:Z;GVCN9^?[",/^):ZQ,-+ZK ;_ACV^1Sf M?^3'W_2X[/?7Y?F0W[*[C^MDRMQ?;L6^G_Q-WOO&#/1O?NZS?QR%?_NNNT41e M/QMB_O#@#K5^;/V36LTJERS;\7Ba MY0O4[U_ @063K%ES\&'$B14O'NQ6H%R,29?:G=LV\D.(6T]BA$S78V;,125/z M=DR:\E&W:"%?GFM1L^K7>65K'NJP--[4C^N.KEQV:^G;C(4/)]ZS,,WBR94Oy M9^[3\=[@<;O>?C[;3=W+['A\=M?:][NNHGx MRI;/?GUS_/F9'[>IW_]_ (NK[C?[UD*-K>SJFJY VL;;3B\'Q3)//>X0%,\Ww M"MN#2S?)$JS00;(TU$Y!$ANTC+L'&0QP119UX@^ %F.4<<:@H++(1O"NNJ@Bv MSC[SL;;H0&OHK*:$Q*PVL)C*,;3-=B02R8ZB'#(X'D5+[:PIG1*RQR$]&NM(u M(+4LLDLNO2+M,RN7I'%--O]YL4TXXY1S3CKKM/-.//,TCC\]^_3S3T #%710t M0@5]LU!$$U5T448;=?11A0Z%=%)**[7T4DPSW?,X33OU]%-00Q4U3TE'-?54s M_U135755GDIE]57]S.MK)UGG@_567"UU-5=>62HS**E^LA7%7HLU-M%=CU66r M6#AE57%9:*.=,5EIE7T/M"J[1!-*+ZD:UCKLJA5WW!BI)9=7";^J3\380C3Qq MNG#/E7?>_?BDU]@M6>.PPF_7S?!#,^\5>.#$S"4XU;ON6Q!>;@E<^-UG9SUXp M8HIQ,KAB4:'3R\/U4@31X@=@9Z:**+-EHCH8]6>FFF*TZZ::BCECK:IZ>V^FJL4ZTZn M:ZZ[]IK2K;\6>VRR_PR[;+335IO&L]=V^VVXE6L[;O^ZZ[;;K[GOUGMOOE?*m MNV_ P?\;\$+-QQNP@]7?'&Q$V?\<G++,]?\9,PW]_QS@3L'l M?732I16]=-13S_5TU5MW_5367Y=]]DQCI_UVW!NU/7?>>P]T=]^#%[Y.X(>8++;YYZ*,G[GGIJ[=>,.JOUW[[G;+G_GOP6?(^?/++#VE\\],Gj M'WWUV]^>???CEQY^^>M?GG[[\Q<>?_W[SYU__P50=@ 48 %31T #)A!T+V)@i M QWX0 A&4((3I& %+7A!#&90@QOD8 <]^$$0AE"$(R1A"4UX0A2F4(4K9&$+h M7?A"&,90AC.D80UM>$,