From e5527c66704a8ca1c63f877ccf20397ccde393c3 Mon Sep 17 00:00:00 2001 From: Christoph Niehoff Date: Wed, 4 Sep 2024 13:09:35 +0200 Subject: [PATCH] Sync changes from 'TNG/cumulus.git' --- docs/img/cards.svg | 2156 ++++++++----------------------------- readme.md | 8 +- tex/additional_cards.tex | 104 +- tex/img/cover_logo.pdf | Bin 9155 -> 4890 bytes tex/lib/logo.tex | 15 +- tex/lib/logo_for_back.tex | 8 - 6 files changed, 465 insertions(+), 1826 deletions(-) diff --git a/docs/img/cards.svg b/docs/img/cards.svg index bb528f3..23cfe1b 100644 --- a/docs/img/cards.svg +++ b/docs/img/cards.svg @@ -5,100 +5,58 @@ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" - id="svg1203" + id="svg2688" version="1.1" viewBox="0 0 210 137" height="137mm" width="210mm"> + id="defs2682"> - - - - - - - - - - - - - - - - - - + id="metadata2685"> @@ -113,765 +71,374 @@ transform="translate(0,-160)" id="layer1"> + transform="matrix(0.33675359,-0.10511504,-0.10511504,-0.33675359,37.384109,297.04647)" + id="g3281"> - - - + id="g3283"> + id="g3285"> + id="g3287"> + clip-path="url(#clipPath3293)" + id="g3289"> + + + + id="g3299"> + transform="translate(-88.526,95.177)" + id="g3301"> + id="g3303"> - + transform="translate(200.563)" + id="g3305"> + + + + + J + + + + + + - + + + - - - - - - - - - - - - - - - - - - + id="g3327"> + transform="translate(20.043,298.004)" + id="g3329"> + id="g3331"> - + transform="translate(2.223)" + id="g3333"> + + + J + + + + transform="translate(-2.223,-35.216)" + id="g3343"> + transform="scale(2.00024)" + id="g3345"> - - + id="g3347"> + + + + + + + + + + + + + - - - - - - - - - - + id="g3371"> - - - - - - - - - - - - - - - - - - - + transform="translate(103.381,320.685)" + id="g3373"> + + + + + jack/access&secrets + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + id="g3391"> + + + + + Ourdeployment + artifactscontain + secretsthatcan + beextracted. + + + + + + - - - - - - - - - - - + id="g3413"> + transform="rotate(90,6.901,24.11)" + id="g3415"> + id="g3417"> + transform="translate(-31.011,-17.201)" + id="g3419"> + + Secretsinartifacts + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + transform="translate(31.011,17.201)" + id="g3425" /> + - + transform="matrix(0.35277777,0,0,-0.35277777,71.095059,281.11038)" + id="g4216"> + id="g4218"> + id="g4220"> + id="g4222"> + clip-path="url(#clipPath4228)" + id="g4224"> + id="g4230"> + id="g4234"> + id="g4236"> + id="g4238"> + id="g4240"> + id="g4242"> + id="g4244"> - + - - + transform="matrix(1,0,0,-1,112.062,50.139)"> + 5 + + id="g4252" /> + id="g4254" /> + id="g4256" /> + id="g4262"> + id="g4264"> + id="g4266"> - + - - + transform="matrix(1,0,0,-1,20.043,297.998)"> + 5 + + id="g4274" /> + id="g4276"> + id="g4278"> + id="g4280"> + id="g4282" /> + id="g4296"> + id="g4294" + clip-path="url(#clipPath4286)"> + id="g4290"> @@ -882,434 +449,114 @@ + id="g4298" /> + id="g4300" /> + id="g4302"> + id="g4304"> + id="g4306"> + id="g4308"> - + - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,140.779,320.677)"> + fve/recovery + + id="g4316" /> + id="g4318" /> + id="g4320" /> + id="g4322"> + id="g4324"> + id="g4326"> - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,73.187,226.841)"> + Wehaveno + backupsofour + applicationdata. + + id="g4338" /> + id="g4340" /> + id="g4342"> + id="g4344"> + id="g4346"> - + - - - - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,31.011,17.201)"> + Nobackupsofdata + + id="g4354" /> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + id="g4356" /> @@ -1318,125 +565,125 @@ + transform="matrix(0.33581878,0.10806433,0.10806433,-0.33581878,106.85119,275.1304)" + id="g5136"> + id="g5138"> + id="g5140"> + id="g5142"> + clip-path="url(#clipPath5148)" + id="g5144"> + id="g5150"> + id="g5154"> + id="g5156"> + id="g5158"> + id="g5160"> + id="g5162"> + id="g5164"> - + - - + transform="matrix(1,0,0,-1,112.062,41.819)"> + 9 + + id="g5172" /> + id="g5174" /> + id="g5176" /> + id="g5182"> + id="g5184"> + id="g5186"> - + - - + transform="matrix(1,0,0,-1,20.043,297.998)"> + 9 + + id="g5194" /> + id="g5196"> + id="g5198"> + id="g5200"> + id="g5202" /> + id="g5218"> + id="g5216" + clip-path="url(#clipPath5206)"> + id="g5212"> @@ -1447,633 +694,142 @@ + id="g5220" /> + id="g5222" /> + id="g5224"> + id="g5226"> + id="g5228"> + id="g5230"> - + - - - - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,127.215,320.677)"> + nine/monitoring + + id="g5238" /> + id="g5240" /> + id="g5242" /> + id="g5244"> + id="g5246"> + id="g5248"> - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,58.013,226.841)"> + Wedon’tknowif + anauthenticated + attacker/developer + accessedthe + production + environment. + + id="g5266" /> + id="g5268" /> + id="g5270"> + id="g5272"> + id="g5274"> - + - - - - - - - - - - - - - - - - - - - - - - + transform="matrix(1,0,0,-1,31.011,17.201)"> + Noauditsforprodaccess + + id="g5282" /> + id="g5284" /> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i - - - - + i diff --git a/readme.md b/readme.md index dcbf57b..0e98260 100644 --- a/readme.md +++ b/readme.md @@ -4,7 +4,7 @@ SPDX-License-Identifier: CC-BY-4.0 --> -# Cumulus - *Threat modeling the clouds*[](https://github.com/TNG/cumulus/releases/latest) +# OWASP Cumulus - *Threat modeling the clouds*[](https://github.com/OWASP/cumulus/releases/latest) ![Cumulus Cards](docs/img/cards.svg) @@ -13,7 +13,7 @@ Cumulus is the easy way to bring security into cloud and devOps teams. As a variant of the card game Elevation of Privilege it follows the idea to threat model a system via gamification. This lightweight and low-barrier approach helps you find threats to your devOps or cloud project and teaches the developers a security oriented mindset. -Find the latest release [here](https://github.com/TNG/cumulus/releases/latest). +Find the latest release [here](https://github.com/OWASP/cumulus/releases/latest). ## Threat Modeling The idea of threat modeling via serious games goes back to the card game [Elevation of Privilege](https://shostack.org/games/elevation-of-privilege) by [Adam Shostack](https://github.com/adamshostack). @@ -51,7 +51,7 @@ The dealer plays a card in the starting suit.Each other players has to follow th If that is not possible, the player can choose any card on hand. The winner of the round takes the trick and is the one who played the highest value card in the round's suit or the highest trump card. -Trumps are cards from the suit *resources*. +Trumps are cards from the suit *Access & Secrets*. The winner then receives a point, starts a new round and chooses the new suit. Each time a new card is played, all players are asked to think about whether that particular threat, mentioned on the current card, applies to their system in some form. @@ -80,7 +80,7 @@ You can find it under: Contributions to the card deck are very much appreciated. In the end, this card deck is intended to be a community project. -Changes to the threat formulations are welcome as pull requests to [cards.tex](https://github.com/TNG/cumulus/blob/main/cards.tex). +Changes to the threat formulations are welcome as pull requests to [cards.tex](https://github.com/OWASP/cumulus/blob/main/cards.tex). ## Versioning The card deck follows [semantic versioning](https://semver.org/). diff --git a/tex/additional_cards.tex b/tex/additional_cards.tex index 295f509..2ed97f9 100644 --- a/tex/additional_cards.tex +++ b/tex/additional_cards.tex @@ -3,106 +3,4 @@ % SPDX-License-Identifier: Apache-2.0 % % -\newcommand{\TNGLogo}{% - \node[text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0, align=left] at (0.1*\cardwidth+\bleed,0.15*\cardheight+\bleed)% - {% - \includegraphics[width=\textwidth]{img/tng/tng_logo.pdf} - };% -}% -% -\newcommand{\TNGMotto}{% - \node[text centered, text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0] at (\textpadding+\bleed,0.9*\cardheight)% - {% - {\summaryfontsize{\color{ColorCoverLogo1} We solve hard IT problems.}} - };% -}% -% -\newcommand{\TNGPillar}[4]{% - % Card value and icon - \node[text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0, align=left] at (0.2*\cardwidth,#2*\cardheight)% - {% - \includegraphics[width=1cm]{#3} - };% - \node[text width=(\cardwidth-4*\textpadding)*1cm,below right,inner sep=0, align=left] at (0.4*\cardwidth,#1*\cardheight-0.03*\cardheight)% - {% - {\textfontsize{#4}} - };% -}% -% -\newcommand{\Teaser}[5]{% - % Card value and icon - \node[text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0, align=left] at (0.55*\cardwidth,#1*\cardheight)% - {% - \includegraphics[width=2.8cm]{#2} - };% - \node[text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0, align=left] at (\textpadding+\bleed,#1*\cardheight-0.12*\cardheight)% - {% - \includegraphics[width=1.25cm]{#5} - };% - \node[text width=(\cardwidth-4*\textpadding)*1cm,below right,inner sep=0, align=left] at (\textpadding+\bleed,#1*\cardheight+0.05*\cardheight)% - {% - {\textfontsize{#4}} - };% - \node[text width=(\cardwidth-4*\textpadding)*1cm,below right,inner sep=0, align=left] at (\textpadding+\bleed,#1*\cardheight-0.25*\cardheight)% - {% - {\small{#3}} - };% -}% -% -\newcommand{\GithubTeaser}[4]{% - \Teaser{#1}{#2}{#3}{#4}{img/tng/icon_github.pdf} -}% -% -\newcommand{\OWASPTeaser}[4]{% - \Teaser{#1}{#2}{#3}{#4}{img/tng/icon_owasp.pdf} -}% -% -\begin{tikzpicture}% - \begin{scope}[xshift=0, yshift=0, local bounding box=scopeAinner]% - \clip [rounded corners=0] (0, 0) rectangle ++(\cardwidthPrint,\cardheightPrint);% - % - \Frame - \TNGLogo - \TNGMotto - \TNGPillar{0.68}{0.655}{img/tng/icon_coding.pdf}{Agile Software Development} - \TNGPillar{0.53}{0.505}{img/tng/icon_ai.pdf}{Artificial Intelligence} - \TNGPillar{0.37}{0.37}{img/tng/icon_devops.pdf}{DevOps \& Cloud} - \end{scope}% -\end{tikzpicture}\\% -% -\begin{tikzpicture}% - \begin{scope}[xshift=0, yshift=0, local bounding box=scopeAinner]% - \clip [rounded corners=0] (0, 0) rectangle ++(\cardwidthPrint,\cardheightPrint);% - % - \Frame - \node[text width=(\cardwidth-2*\textpadding)*1cm,below right,inner sep=0, align=left] at (\textpadding+\bleed,\cardheight-0.04*\cardheight)% - {% - {\footnotesize{Cumulus is a trick taking card game for 2-9 players with threat categories as suits, of which \textbf{access\&secrets} is trump. - - We advise to decide together on the category you want to investigate first and timebox the game. - - \textbf{Before you play:} Define the system to talk about based on a simple architectural diagram. - - \begin{enumerate}[left=0cm, label=\textcolor{ColorCoverLogo1}{\arabic*}] - \item Shuffle and distribute all cards. - \item The lowest card in the starting suit begins the game and every other player adds one card, following suit if able. - \item Every time a player places a card, all players try to identify how it applies to their system. If something is found, it is noted down and the finder receives a point. - \item The winner of the trick receives a point and may start the next trick with a card of their choice. - \item Don't forget to take a break if needed. - \end{enumerate} - }} - };% - \end{scope}% -\end{tikzpicture}\\% -% -\begin{tikzpicture}% - \begin{scope}[xshift=0, yshift=0, local bounding box=scopeAinner]% - \clip [rounded corners=0] (0, 0) rectangle ++(\cardwidthPrint,\cardheightPrint);% - % - \Frame - \TNGLogo - \OWASPTeaser{0.92}{img/tng/qr-owasp-cumulus.pdf}{owasp.org/www-project-cumulus}{Find it online!} - \draw (\textpadding+\bleed,0.57*\cardheight+\bleed) -- (\cardwidth-\textpadding+\bleed,0.57*\cardheight+\bleed); - \GithubTeaser{0.5}{img/tng/qr-tng-eop.pdf}{github.com/TNG/elevation-of-privilege}{Play it online!} - \end{scope}% -\end{tikzpicture}\\% +% empty diff --git a/tex/img/cover_logo.pdf b/tex/img/cover_logo.pdf index 788102b2c25ba8eea43838d1db1cf6e21aa41bb6..133868618188127c904fcf173dbe98f408abcbde 100644 GIT binary patch literal 4890 zcmZu#XIN89w+2DPz#(*`2c*|frGyqbgeo9G1ptWXf6lcpVQBgI7Y?-UWFCb$z>uaRp{?RFA*U739Dq?O;Q;`4^2GH2T{b z(OIe~rE>JHhu3G<-cLw6!im;#N7%(Ij@T2iCauhQdlQMqTX0VOf_o6J*#=lNcW}^A zNLeI*sS@{zY1QK=Vi!Nus_zug=r3EvWI%%N`W6ec1wtG;ZS#m}X<%*dlC*~YN6Er6$o&pd0KQ{_EWlD^W&t`QS z7$QA3bB>MR04^Uybcyzu#nRKw6a8;Xm*%TjM0c}oP`6hLuG(w`WX%vf;^(tAaApp* zqdRGB?Bjlm=Nluj=VQfE=R0JY-^0Z<86~#cTYLx(V`}zC2 z<8>sndSlDm_O-?pA!FCcQ2xHEd0yn{@a!`pM|$V*r?&+*R92`_vmB%G(M(KH+s5YJ zCqb`<;z9+OT|Ka>w6bZ48;~kimUD7=zBBI4!k5|vw%2uf&9r6sighcG)|tc#*VBzx z3(Ho~z&zhP&*QN}41RN$KOa-H$bk|gRH3BebwmxbO~L|1Z|c0(XG-)4g+S5Z>yXAjngn9YksdnE)bG{`)20KTp+fjtR~QLuXskFd zTaurnR342}C0%<%xleW`f6I+g*8*144$$H{fI`fLnW_KSy46c zS2(T7sb-mTaV7cG6XJ9bQs{meKMA@bEJMz?FlU102*2Hc^-E}0T(;-=#`RQIg&_($ z*!W>j@6Ze(AntTiB}ap9OZ-|Zv~`>-8g8Q&L{4?=ePuRzn5L;OfK9Cm|Zq2LgueA&I0E&R!?asF1B=( zvyjtI+$1m@+(D)JP#U}&ds0_eDRAMcloamVreP$a&TFF_ur`g`p?qur#H&CWOtGVn4p#kNmmchKE>spuY;WW-g8SV-sNvFm$MIA^WVi~Ha zcPKLS^6$w?!2DkZiX|E}@hQ_F)HC)>aw9>&o6HZGvayQiR_=-oYk4q5d6X(c3spd; z$$VvuSeLN5H17MwaV(K7hbp5(23F$HRFBvPSggRV~|H^?G9i) z;LtT;cl6Zb`e`X3eL6y!9(53VU7}u}UCT5;EyQBI^KHqcqU@Fw2|0e5EVbE~>6f>} zkdVvm&$j=p)W?l3vbcu?w(_{%(K!CpkT!}i6E?bj01f#@)LZgg4Hn56?DzqH5v|Gg zP6S6uzba7`)`Dy3X0I~(93i|fHyC%L%s229xlpFPrfeo)3#mC3(%8yBe^}pn+rGGNIcK?qFhlL_GK4H&IJzq_?gWteD^>4ja zc0Wl90>W?9e)vE$A;)Zgt%g;>_{J0YAT6L9&gQP@^J5>A>Oj?1kNdevNvSD9)zjw3 ze)2TfST5D~Iqzyaszm?<7*&N<7U=j2ygYl#Eqvj}rw9fS2A#;8-36D%Av zIp5vln|xn$nd{NB3%F#ExJBu)a+eA^Wgs^EBTpp8)XYe@>3i_XIPHWLxdBvJm#=tB zV8F#)y9Rsuyjknx6I@~$Prd#_r3^7Gf3L8$2WpV-S_G<9mw^0tSQ&xBjG= z_=MvRX@hnTx6DkVq73S})QlSHP8`i1H-*Y5aQr+j)#z2y1=(R&J-5;j_*T7mqE_ZvAR#3H*let;E|S7X@WR-!T*kRWnB+jM2s zAqra&W_o`P@v*fZFUt|DE0uVhStiWiHMQgTx_+U_Vf$@mR^ zfJvuR9VKojDsgW2Pn%l%&ve{zabX-ghjO)}2B|+Vp#ySY`s+7n`sHKGx|X@fs13SH zk<#te19yj2B+6La@cE3jz8C$3`!y*)C#w(JFkO7j2t)07VJqcT*r+G%DXQNK9f zC%mp#upNY_ew(HBMm>Vn{7Fw&)Sw?0FY=u6VUHbw=T4Iw{g>24&g|w3CRZjzjAva1 zb|r4S0YsPtt%T5|U-zClr!}^~*l@?~;CVS7q)dT{e55Iy3lYCEP|TAnch%_QZ1J6^ ztPeAY5d1>@L)P~>t)-N{iO+U-Z71KAuRL%4Hf`GdVQ~rSji*bwy~o?L`Az#g)%Em% zEKVa<$Cy~&WYA2Y-jkq93wgz^8JYU9TL}0ZlB#+l1+u(uA3k8bvh`ulGS@v#H>BW- z8CT7W<7En%btyY%xp{8yrB%5BJ~d6$o1>@ajwR>g$xj}!ez|8ACNV%?4`M!VuxMn= zCg3_1GdOHyU*@8>u=2`c)^X7mp2=Yqsfusrn@|%{nYv3Zw2>Fd;K3x@(%Ck#Xi58g z?s8hA*!FFzu_xPv6Cg#RWy-xNR~rXN?7qNX3vTIsOBnvp{NGNg4t2F>vC_5#CyK)%DM*6 zdgW6Ic8HG9J|dmxw?AvA-1tt52dCnCiW8uHbI%uqYHfhQAM5C%%I)SvkL2J7LoY(P zl-v5F<7r)W^iSVEypvP4yNj&(8ryr26C^OA@dhR2XJm3?STn1Y=Mi^ox`;q^aBZ0m z+dWOzE~V%FR4;rIK9lt=kzFacrP81jJpAdRT4lYs{^mU)Bt`h_iwbBn?B0eVq-iJp z!snVxc;+U~>Rx{g8;gTfK(4C@LsGc1LG(Jz76q3Zf<^knIw+FCi-lFX6y`QG7=CMtZN`|Tab(NPB(P8;m4yG*S`E1zMr-4 z$~3R-oKIs{7)M&_vdwn#BOZY!`eABp4WBD}ksFOAQT4krd$ zjc*uc_r<4`vHYp8%L?Yw-NI`QJ5Z8!IRJ+*sFqd771$^-2MbcNYs$vBj%$;(ftScY z{AOaYbHx{|4mN#SKhcG2_3)^*4F($0%E~EN=`?=W&$j4~fAjQqhWQBdYg^Uv$6q(J z`U3dv`a6IkIZ}zQ3(E*C%s}SPuw%Q|6uk+Kke`jK*euXhQ>w)gJyEKC!O|q%k2SBV z=TSVAVpNy+X|pr#ml-?4lSl4*WG1fiZ;)B^X?e_jS;>ubOCp>WGEDH|c!I6)H4>K{ zO}dC<=LSlGs1rJ9jht8TuU5I`Kb3xgn@=m@zgPpm5(}|wHU_CK7S19?I2W!R+qw|9 z(g3fhmDPFIlF8 zuwuTko3xwO-M(^KzV^*Ntz%%M`Oh_?z!&&eP|~^aTMU7$lega6iVVJ=DxeSdrhg}( zK@EOE>xLH~u1`AKn)blTZbyXW?XM?}od`S}bQ`$p%=3*e+j*4;ckg**&bKZ!17TwS znK>B4l<)NFd&NnD2A#DHO^L(eW}i3DWX{1ZY%|xe|JC6k{N$*k_}L@-#>Fd-D2Y=v zA{Vur*Ui#sX)8=5)uBC1bT1!~m4xNofX%RvST5PnUYI#q#0;PXAvApqDE2a9Z>DK> z$QP*VfN6Tl#U-FN7;_x)!0eKRS8~QzCxQm+ck2d+u(A{Q(?G;SZ_kW6BbTay;Ba%o z=}(V!-l-2YKgr{aIW_=Dl*`{;JL&7J-#=^e&t_7aFAtWHIWst0%Ka+`{1O0k19AFS zair!S1c96Zq#=y}lNKOpZ7q-tNZJ`edXppp(ht&`^!)8d_Fq3BX{#V#BuLsE;f4eW zf@FUAHAi5OC>&|)KT3lM(!~P-MF)belOQli4h#ka!wzXEBK^cS258l`hq z84(>7S+J}eSOKgcb46B8MqV5&D+~sU{ucAfZ!!N$S{s2wc%$8Zc{{5N_U~H!r-FeP zq$>anQUZYg9Uw&o1vv$fE9h@bUS5WDjm`!L^)Du)tn_~|SrY62wgZFzzrA46asRiS zyu1?WLi{gGLHRd-I1IwW8;SX)U|sbHMv_uKD~2T+jRTz#|LevWqFm9Sv$OwIOe_w8 T!Tn+=uPCns5ERrk(*yhu;$@i& literal 9155 zcmb7q1yoe++O`q`Lr8-lFd!*0z|b8-cegOWFmwz<3lgGqigbr`HzFt@-62Rxr_zXs ze1mU%?>XoH*ID0Qd(Gbae(vY)z1Ny`T}+w~c}^ZKegMKj3MVXT02HuuO`!*%i2~veQ!;!W?L0*0#RLFLYNYt2sjXZEkFHS=G3OQ$Y$Up`CrKl`O~Z|ib^Gy3@8Dy51r{q5<=qb7qax%Wq<{@5vN zWiz>&&yoVS67bZFa?eX2LB;86-fE`Y5OL6R}b^o_*z-F<2QlvsN>y6*pNvzER2()5{yjO zz~Fc`6)z1z)6AjThg~!2%#Q_Nze#hI_a9zj?W+8?cSctB)wXXHnW*+8{n7n`SEaHJ zNz-y!u!r8}(N(Xhb5nt{3>s&J_X^Vk6Z)(OqwXeL` zQQ8$-HgIee=k1xcTu1Ow8y92>L6q12$(N{)|OYs6y{{p4!)N<(-6`m}f}Q$l9{xQYnV z*Ukcf4NbY9-It&BJ1!VO_MX2g)y}4;;;~=lMHKf_r)PGkCPo5umP}0=QwMc%q^c}8 zJ`eqZK;gpzd|gGPq#==?UP}4Qv-QnUghmuk=g7UX*~A;G*Xhi`;*_<6<~inF-wP$e zA)~G5077)Iwe};n0?<^)S%@@tEckOH5?-p8DNb&3R^_$gXz&H6!v#Z#b=aoy_$Dwc zSZ%CoIlynb9zV8re8X-(>)63CmbXVT4bWf@HM`@AK6L-|<2%rNXF zjK{KrIfa<=(F28HxK#Z_q$vtqa*z%UoV~WcUXR#rHid9rbn0Hey2x@dYz6`Ne4I=M+mQ zoD(91q+4gL&pRX)nj($5xLMQI6#Mi}jx%4mTJ_Br5jL4%N3XZ2gI>9svItN{V^WQC ze&A5}pv$p=VKfo=XS ztRlNn9?u9>>~QDv6QY5!O@eznNiX2xWpil3QsnBGyYEM#HncI`Bmk)iiopnj?t8jL zOjA)Ayi+=S;T^ef^>HLXiahVb+yzYf+nc^xCYZCo<7HpCPA!>R1;jn!(V{WiiLw8Ev+qOL~H;* zq9bhjCR|;__Ep86Qlc!QAv@)@siY)Tg1<&dPdA=vkDC4IC$z?m$c^kNyN0iGP0X@! zDj_FaEQ&T+g98uu!&1JIRp>4PeUyftEYMgGOlOf)0Ihcfl{rjKM#^gMaLcTy z07lEQ20HOhJZy2HjI9Dhfn`Q;y)rZlOYG#*^AnOJRXpb=UA}duaB0mv`kdBP2G!+8 z=0b`>4&hKTCLv{lqzqBH(h4~ZANw($`lJWApI)-3IpOzfj+9HN8N`K7oasNWU#~0m zMX%L1&EX}Xmte{Zn|v9wI+wB$K}IAF_NzrxnAzMZ#>j7(dhO#!TOM0&prasV#&48? zo2XjSB71IpbSLu1=uCTH+yXB%L3F$CS$wjG!C*FqV_GhQ!JFqSIwq90H1tcGazEnH z{C?c=s!tfQ--@7I!95Z?C-lR?!{hdjBtskSI{@1%g|?{Hd-IWxdEe2Z0lj17WSwFj zd92Ac`SO@h>&lh~E6L)Tlnt6;;L(RK*O^aCT}iAObmz=AE|ID4PO|b;!drVCvP7d) zG}An-IN?S#rSf%rp&Lk6cgYCW!5t_R119)Np2Y!2UH-X z0HH=str+4E2a-CT=9yi2xX$Tr;ZLMZLDPn)TUe0@&HeyiYPEMSMJpJaIGc)xI8ce^v z7>4!x68(V-Z-3k)AJQZ=O_fpf+<_HlH0x0rUaKAjdyFPujOVu*2yZ?Z-uq@HPTg4X zQ_9amuBn~qir`GlOC$1q+;{dF9k#*JGg#XDe0Joc%N+vtFp3xcDrWGnFh5>DUiy^F zkT)dmiv_J!H2ztdIL5|QzkYU>+H$h+waIaj8YdT<(@Y5(@aLtQ(>P^PH>i)zF=r$3 zJd;8BEZ|AH(w9L9fNA?dy~vL7B&O_F<5^n;l2mt#npT3?l|ASgqahp{D~+QX*S>+b zx_T)kxZ>dubaf%C3GHn1bjn6lWo~V1!q91+LD`*Z{bd%UEWlo0j*6T@f0T05M!7LR ze1WA}nON|W8Y)?rRZUk!ef_IIboi_nYnXSrCc$w%?(wij60;7PHCz4Zx+8}6plgzX z)vkpof{u;#Y$Z+sju4n-gplMxuY&i8c{_x^VdRX%&%vRo? zQe*V)gg_?`JGQ{456^QsIpK!8j#2BdU|RY{ErNSFHBIE?`~me5+t5*AERC!^PIi~zoIe^g4hxfC>^HIzjo5gt!VL9o@vkm0^V-Dox8*f!Sy^4aeTiJ&^pDQ#M}n?QqeT zZ3!jExq{Z=#1j(3o{&pTLU)C%T7_3X^eG2ojO#rZj!t933)?RHN8GVkLb7 zD}3aS6%3{qX6C1)!KZd`b{UZlF;Kn-=u>n|IkJo>mZKNN4C@6)D&-VR9Zz^zkjp1c z8Ru8@qP4yHKy?uPxLQe|HNy0=VAsw_*HI>Y?@;+jP<+erI( zQc}kvnYPlF)3Ajl*78lVXuKnWd)h7)f(*W#^|*vJ3q&HK`**^f*)q{Mj7iX6LFwRl z*Wlw3>NJ2(SavIeXLgnrDX){M7TpBbsf9qT*&#KQIXnw0jkzg@HDG0JCdo07E z)mzMA1(>eBQdlMr65-aYbCl(y`uC$mk6%McpDBps3CtG`E$g3aVb<_^A5L0J zw-zx2nV~i`_msMMWLO#SHL*Ta(U!?{MUBBggu^HV-yT6MjiIl>IkQNvln`a)>~ukh>`pr^tb{2F?%dOAMPZ785Pd9 zB~^KnoQ17{mcW`xEI)lV_C~G;-<8Su)#Oi@4Ml|ur|V_bSeWx7)j0y7E6?o(VG38f zTYEp4x}YEL1jz6+)75LTR=&GseUsAE~Vei zWO`T0-z-dvEw@8p0bD+Qc=^82@d(1Rq+UGK9vI(QZU+mKO2y9`tn!WYNf9UOK#P0T zf=F{5j^0+&=BPV~smp2L%EOy~&!I2gWeD$ofs?i?4=I?od!1tI)T2fMp(6pK%eB?5 ztP)-p=)CKj^mit%u$az#GUlm!Qkk11oik$a#3|Jv;nQZt{M%Zd41&>fZ*9hYKke1= zp;D6L#1(&?!6kb4{+^wy7uikc-EV80qHAde_uqW7owu%JTnyM1_RTttvKh#p)`rO@5ot<$_?=KGb z_^9a;b)??oNn8!cmvW7^pH`c5d`P<-M&6$7WgC^BDYr99)5FOspG@N<=5ApP`yy<- zuIj#l5zdd0iAfSOp4fV?QE43I(tS{@ITOt^8(mw>jruO1JXm@RAx#Tdoo&v00Or!V zx3$HYex>{B0mD}@>&UY%5MQMqp&PA_bPH@l5C})>WA0Zs1eAQNoPY(|rm$F`4 z@Z0>LX%_B_$wd5V(vamb?H9o_G(}BPU*w`z@T@MaUC`cC8(a8Ai;k0e(OL7$ViYbJ zBtbVO;$s5Vxc_w*|Yh zQJTft{pSMR90o{^L33Lwc97~<1?kzV!thpJv#~V0vk&);$G^cYuVu!96*kOGB>H3q z?c63EV!$=o?KI6+nel`2B%IqY5qjmAa-q35Q|xWe*ZO3}ic$hxrn$tR%TF#9>eT0Nd&GXR?iJyu6-5Q62V9CfZCf4% z@EpsJnh;#RKbGmp>!~tW#h?4E%2Mw_l=$E@g3RW{U%?Gf?y)kn#_j%Oz3mVsq; z3`bTCW_oAPzp;s zN3X|!TlLk5yP3Uk7W7V&S4sHOQzKh*aPB>- za~MCvbN-;5Bb=S9L_!a8?do8$cwi5^|gjD_0eMHo}JailDoK2P}ltIwaj)Dp8a^ouN6i#eQdAjpO!B zaXH513MzT`VeG4T7RJ1;9=GoL1YVybH7%oJe~CFg%3*=+GAbYu@PWCvY=_-4O(o8} zwF-uB3x!`~vt|dU6VBva-El>b;C8h{JrQa6ib~7oj4Ffe!*ejUJ#iE3-Cci~A?(W9 zF=st!47vxT;|^PC!bcsV?93F50zORQu@_BV7nB|uOYZsG^PMX9>$+KS6cXMs#mK*t$4?%nyykc@|4XYc^Jn_yZX* zoou#kTH>^g)T|}U-2R?3eTfhO>&})%fGUANFP&Raa}ViqFv4ceEIgp|f?SsX{G^jf z+Lk!fIKIU)+DqY(IaCkrMT}Tl+RrX$Y>wyiQHngC9x}KQ-{m_QgK7)kc0JwRoclKR zB~mW3H)C{6;IOe)5ZWQQgnK1Z@=#)+>FTnYXu*jqwy)79<(V&fP(TJ=qPAFj5aGK? zpB40iAsNxCRU%P>!*_#%480$_wTW!Pgr=*M2-(xj>37%LP0)foZyu=FAHINiywvKV zCv3l4HFHe!)Gbp-%G5`61S1xc>X(d2TB`|b1U9A4+QJdT0eM!DY)JCmLL>0M=SXXmjWzwvEt^r{`ePW z5^YSH>j}7!%L$N@eaUCf`{_H z-|<+J;@?e_XqaivXVg6|?yjkCIjp=4Xf@IkG1BYB;$l(#_C0e6y5kplj+?8b(`F7b*B zsTegoy-(^Ul201e-6aKt_a$b=j##}P}?KckJm1Ym!gU8%QuS|H~ z*)G7fTV6op=AMVXw*CU&53D%BmfU$5u+Oj6;X1!1^Bsr%Cxj#clLc2Yq>naWg6(Jd zBFGWPw%tz2EnTAuKSRF|a%H!HE8N%wjP3N+m=8sY)(XDInT@U&zj>AgzG2A7sGW|V zG}#}8SC`D+pXvsAdipPAW|o|P-9K&?X^W@LFncT9=IZWw-9NWch48%G-T$#T7g|;q z35N?#OwVn&d3rME49{srz~RX^X>|@?P#dS`%wmQ!&00j;0z5nqR`=ywMcZ6GJa=~Y zj~D08s@y!UH}{W2>Qn^b6qO^+1z7M|=aI_g46{qw5$A=B#b(hqH`Kn}{Q){xPw_np zfO*C?URhWDQR2e6AI#1IPuqZM_hJAGL|4@~TI$tkuGj9a*S_Xe_C)!-WjC|K{A@mL zr1562)a%r{()X&E144aZTGo(f1^6p08>@?;K}%*<00Fqhz?bP~aqCK4XDeC-kR4gAu0wf?|8Oc{*c>Ajrd1 zxKKd$ig!nOw-C1^`2uKDu(UwWbOt~-0t`KXcj)VFWZAw_$%{|Td?kM&@OW)aewXKh z`|?3-{7AtQu{V0S#*V|j(Fwlp*?X%?V$e^E>2C-~n@e8GmDsfB`&xFi&wL)~q-d*V8inbA#MY(_J)bUM$bt*C*im zQSaqWYBXlNfUq}NV1KPfXj9bCXEGaVeWQnl-N`f%?Im|6)(ot&zI04YVRv#u+A0oU zASU>E|EcrfC|h7VyPk;zl)Q5Pz<-k@IJ-I}i;A#|LQ7zT3*$~rnMsHeP3=~eklAdc z_OcsIE*J3xZ>P-ahe|8er*Ii8tAS8jA`KA6uWd7>&^ zNw)7u?D6i4AO(IkM~QE1mj3*!cCv4p+RXaq4{bgLeOSkhNg@o09_$uALri*YN9m3E z9EZ2`rB)X1cy&D2_9nwg&X{sM6-+tTr#5{IfhK+EGf^&KAqyeX7>}*g&3|8DSl6{t zD7CKa#8045+e|^l|8e9}DyNyvuN!ZXqjW5swsqgryJ<#n!(`y+>NYNo(;2(u_xIu2 zi{m4R51t<_w9ci1ZJMtz8^NJwbVQu_er*=vyD3R{4VOdF5BHE5rQd?x@jjAhxQGyD zYb^GM8BoxEi;<}Gwh$Ey;==9#d1LQ!O$ct4bWG2_I~V&l{>`k8UYudZ@bF35@|N$1 z02;St4};cU54S0tzh8W{a}y6e9es3e@YQY_zCF4;`Qat+IXc%3u6^|)?@dqq&D{D< zs@nNCy$%6<)k}JO#|yq{e<;-_+KEoj(aT;iQVCt>*P|ky(t!NTca4Gajfk~X1tU{2 zVKVJnKf21rmhV|ErccdG-%^ZOxg9CorTGYI{(gzo>WTG4{j&*;6qKQAeczWwT;e>q5EbbnT44Hg4WF+}wT)RD&b74e+m7bCxvC=MegyRI z>!~u^?4`DSGSZ0nvWhR1RA)WbgqV3!7q6GGr>dXiy0&_MvptJ+6Igbra`5H32WNI> zWD|$Py!bmg^XpHfd4kZFD`Lz_&Wh7l!Cp}>p354i>!pogAX5;_&H zB#e?_hu*R0S(F3<^R%;q$*LKt`~zeb{(IM7AoCw20nJZH9}kMP@^3PJ?*Gse;^sx=@~?VAD7MFc%7p$i7JeZVMdh!(NCec*5r+6p zZPBswh27>0(spq{Rp)o{K}yaxF2Gw(3##Et5TJ>eFprFoyeuz7o?B1|%*_MgmlG5a p=9P!=2}ldb3JY*c{C5qr+ZW3n2}K}(7g