SUMMARY: netgroups and root= (longish)

From: Lee Lindley (ltl@rgsunq.cb.att.com)
Date: Sat Feb 18 1995 - 14:18:37 CST


I originally wrote:

> Subject: netgroups and root= ?
> I like the netgroup feature under SunOS (4.1.4) and NIS, but it seems
> to be limited to use in the "access=" option of /etc/exports. For
> most of the file systems I export, I need the "root=" option also.
-snip-

Here are some answers I received with some of my comments
interspersed. I'm not making a final recommendation, because I'm
really not sure of the security issues (which don't apply to me as
much), and because to some degree it is a matter of opinion.

I'm going to continue down the path of anon=, which is not as secure,
mostly because I'm lazy and hate to be denied access, no matter which
machine I happen to be working on. I also have an advantage in that
we are behind a pretty secure firewall, and I have less concern about
security than most people. To protect myself from local hackers (of
which there are 0, it's enough trouble just to teach them to read
mail, much less configure .Xdefaults -- forget hacking :-) ),
ALL accounts except root are in NIS for trusted hosts. There will be
no anon users except root.

This will not be the best option for most people.

I had several interesting dialogues via mail with several people. I
didn't include all messages, as some answers were either not
applicable or just wrong, but the good ones are below.

Thank you to all who responded.

Messages are separated by lines beginning with '---', "From" lines
are indented with '>'. A uuencoded file is at the end. You'll have
to run uudecode manually as I'm writing this from home without
a decent mail UA (a problem for another day). If I do very much
of this summary stuff, I'll have to get one of those packages that
does digests... Hmmm, more fun stuff to do :-).

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
///// Lee Lindley Information Technology MTS rgltl@attme.cnet.att.com /|
//// AT&T Microelectronics, PWB Headquarters, Richmond, VA, 804-226-5849 //|
/// "What's the use of all this sophisticated equipment if it won't do ///|
// what I want" -- Karen when her upgraded system printed the fonts ////|
/ in her complex docs differently. /////|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

-------------------------------------------------------------------
>From spp@vx.com Mon Feb 13 09:47:59 1995
I would use a combination of access and anon. You can limit access to a
local group and then use anon. However, why are you needing root access on
all machines? This is more of a security problem than anon in and of
itself.

-------------------------------------------------------------------
>From koen@ciminko.be Mon Feb 13 12:53:49 1995

I don't think allowing root equivalence for NFS for a large number of systems
is a security hole.

I don't think it is a good idea to have a lot of access going on as root.
I actually only use it to make changes to /etc files.

I suggest you also use the option "anon=" only in combination with "ro".

------------------------------------------------------
>From bern Sun Feb 12 08:33:54 +0100 1995 remote from uni-trier.de

Why that [root access]? I have an Alias for root on the Mailserver,
so I don't need root Access to Mail Spools. I set up new Software
directly on the Fileserver, so I don't need root Access to /usr,
/usr/local etc.. Likewise with User's Home Dirs.
/export/{root,swap}/* get the appropriate root= from add_client
automagically. Net Result: The only Thing that gets root= manually on
my Cluster is the Partition holding the Home Dirs of UId 0 Accounts.

> I looked at "anon=", but that looks
> like a security hole (however, all users on all trusted machines
> are NIS passwd entries, so perhaps "anon=" would be OK?).

Hmmmm ... Can't put my Finger on it, but it sounds pretty fishy.

------------------------------------------------------
After I responded to the above from J. Bern about why I wanted to have
root access given that he didn't think it was necessary, he wrote
back with the message below, which makes perfect sense. The only way
I can rationalize not following his advice is that I'm lazy, I don't
like being denied permission to do something no matter where I happen
to be, and we're protected by a pretty good firewall, so security
isn't a giant issue.

-------------------------------------------------------------
>From TI.Uni-Trier.DE!bern@ig2.att.att.com Sun Feb 12 09:38:57 1995

OK, next Try: From what I read above, I have the Impression that you
don't really need root Access from ALL Hosts to the Partitions;
You can certainly install/xfer /usr/local by having the affected
Partitions mounted root= to *one* "Admin Machine", possibly place
the cron Jobs onto one single Machine (or split them in a Data-Xfer
and a Host-Setup Part, with the Xfer Part running centrally and
the Setup Part locally on the Host to be Setup), and I don't yet see
why you need root Access to the Data Files (do you run your CAM S/W
setuid root???).

Making that "Admin Machine" the NIS Master will allow you to setup NIS
and install $HOME (via NFS that is root=adminmachine) from one Host.

That's *sorta* what I've got here, too (in a much smaller Cluster):
One NIS (and main File) Server with only Admin Accounts, one Mailhost
with additional FSes. (Make sure that the Admin Machine has noauto
set for all nonlocal FSes, as you want the NIS Master to be able to
boot automatically without Dependencies from other Hosts!)

----------------------------------------------------------------------
The next post points out a potential security hole with netgroups.
I haven't tried to verify whether this hole has been patched or not.
Bob's suggestion to use a script for doing /etc/exports updates
is a definite possibility. It is included at the end of this summary.
-----------------------------------------------------------------------
>From yamaguch@cqt.com Mon Feb 13 18:05:49 1995

Using netgroups with the access= option might also be a security problem if
the machine that is exporting that filesystem is in the netgroup. There is
an NFS bug that opens up when machines export filesystems to themselves, which
happens sometimes with netgroups. So, you should watch out for that.

>Adding a new machine means changing the NIS netgroup, which is no
>trouble, but then I have to go to each machine with an exported
>file system and add the new machine's name to the "root=" list
>also. Kind of defeats the purpose of using netgroups.
>Is there a way around this?

I've worked around this by creating a central location from where I can
update various configuration files on all machines. It's not pretty, but it
works.

I have all the exports files in a central location with the lines referencing
netgroups. Using a couple of shell scripts, the actual machines in the
netgroup are substituted minus the machine that is exporting the filesystem.
That automatically creates an equivalent exports file without netgroups in it
that I can push to the machine I want. The script makes these changes, then
will push the file to any of the relevant machines. It even works on
machines that aren't on NIS as long as they have the /etc/netgroup file.

Example: this is host1's exports file. The all_sun has machines host[1234].

/usr/local -access=all_sun

changed to:

/usr/local -access=host2,host3,host4 <--- host1 is removed

It's based on the listgroup and mfp (machine file push) scripts from a past
SysAdmin article. I've made changes to them, though. If you want, I can send
you the part of the script that does the change.
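
The substitution described in this message, as an added example (it is not Bob's script and not part of the original post): netgroup names in an access= list are expanded to explicit hosts and the exporting host is dropped. It assumes colon-separated host lists as in SunOS 4.x exports(5), one netgroup definition per line with no spaces inside triples, and constructed sample data; expand_exports and demo_expand are hypothetical names.

```shell
#!/bin/sh
# Added example, not the script from the original post.
# expand_exports NETGROUP_FILE EXPORTS_FILE SELF
#   Rewrites every access= list in EXPORTS_FILE so that netgroup names are
#   replaced by their member hosts and SELF (the exporting host) is left out.
#   Assumes one netgroup definition per line, triples without embedded
#   spaces, and colon-separated host lists.
expand_exports() {
    awk -v self="$3" '
        function short(h) { sub(/\..*$/, "", h); return h }

        # Append host h to the list being built, skipping the exporting
        # host (short or fully qualified form) and duplicates.
        function add(h) {
            if (h == "" || h == "-" || (h in have)) return
            if (short(h) == short(self)) return
            have[h] = 1
            list = (list == "" ? h : list ":" h)
        }

        # Walk netgroup g, following nested groups; "seen" stops cycles.
        function hosts_of(g,    n, i, parts, t) {
            if (g in seen) return
            seen[g] = 1
            n = split(def[g], parts, " ")
            for (i = 1; i <= n; i++) {
                t = parts[i]
                if (t ~ /^\(/) {                 # (host,user,domain) triple
                    sub(/^\(/, "", t); sub(/,.*$/, "", t)
                    add(t)
                } else if (t in def) {
                    hosts_of(t)
                }
            }
        }

        # First file: netgroup definitions, "name member member ...".
        FILENAME == ARGV[1] {
            if ($0 !~ /^#/ && NF > 1) {
                name = $1; $1 = ""
                def[name] = def[name] " " $0
            }
            next
        }

        # Second file: exports. Pass through anything without options.
        /^#/ || NF < 2 || $2 !~ /^-/ { print; next }
        {
            n = split(substr($2, 2), o, ",")
            res = ""
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^access=/) {
                    list = ""; split("", have); split("", seen)
                    m = split(substr(o[i], 8), item, ":")
                    for (j = 1; j <= m; j++) {
                        if (item[j] in def) {
                            hosts_of(item[j])
                        } else {
                            add(item[j])
                        }
                    }
                    if (list == "") {
                        # Nothing left: refuse to emit a line whose meaning
                        # would change, and fail so the file is not pushed.
                        print $1 ": access= list is empty after expansion" | "cat 1>&2"
                        bad = 1
                        next
                    }
                    o[i] = "access=" list
                }
                res = (res == "" ? o[i] : res "," o[i])
            }
            print $1, "-" res
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed sample data: netgroup all_sun nests lab_sun; host1 exports.
demo_expand() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/netgroup" <<'EOF'
all_sun (host1,,) (host2,,) lab_sun
lab_sun (host3,,) (host4,,)
EOF
    cat > "$dir/exports.host1" <<'EOF'
/usr/local -access=all_sun
/export/home -access=all_sun,root=host2
EOF
    rc=0
    expand_exports "$dir/netgroup" "$dir/exports.host1" host1 || rc=$?
    rm -rf "$dir"
    return $rc
}
demo_expand
```

A line whose access= list would end up empty is reported on stderr and the function returns non-zero, so a wrapper can stop before pushing the file.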

---------------------------------------------------------------------------
I pressed Bob for more info on the security hole, and to include
his scripts. He did (thanks a lot Bob!), and more info from him
follows:
---------------------------------------------------------------------------
>From cqt.com!yamaguch@ig2.att.att.com Mon Feb 13 21:17:35 1995

Here is an explanation that was posted to a mailing list [concerning
netgroups/export to exporting machine/security hole]:

::The problem with a host exporting filesystems to itself is that most
::portmappers act as a "proxy", forwarding RPC calls to the appropriate RPC
::daemon on the local host (apparently this is a "feature"). So what you
::do is get the remote portmapper to forward a mount request to rpc.mountd.
::If the filesystem you request is exported to the local host, then
::rpc.mountd will happily return a valid filehandle (since it thinks the
::local host is mounting the filesystem). The portmapper then returns the
::valid filehandle to you, which you can exploit at your convenience.
::
::There is a program called 'nfsbug' that will check for this and several
::other major NFS holes. I don't know where it is archived though.
::
::- Chris <cellwood@gauss.calpoly.edu>
::EL/EE Department System Administrator - Cal Poly, San Luis Obispo

I don't know if it's been changed for 4.1.4, but from what I hear, 4.1.4
is still the same old 4.1.3; the only changes they made involved adding
HyperSPARC support. Also, I don't know if there's a patch for it. There
probably is. I think this problem was reported a long time ago in a
CERT advisory. If you can find that, it'll probably list the patch. It might
be included in the NFS jumbo patch. (But I still don't even know if it was
an advisory or not.)
-----------------------------------------------------------------------------
Note that Bob has picked up a bad rumor on 4.1.4. Many of the patches
from 4.1.3/4.1.3_U1 are built in (but apparently not all based on some
of the other posts I've read). The 4.1.4 release notes list
all the patches that were already applied to 4.1.4 by patch number (which
is inconvenient, 'cause you gotta go look them all up to figure out
what you have and what you need, instead of just reading them).

Since I haven't bothered cross referencing the 4.1.4 patch list, nor
getting the 'nfsbug' program, I still don't know if exporting to the
serving machine is a security hole.

Bob's scripts are at the end.

-----------------------------------------------------------------------------
>From cqt.com!yamaguch@ig2.att.att.com Tue Feb 14 15:18:11 1995
=============================================================================
CA-94:15 CERT Advisory
                               December 19, 1994
                              NFS Vulnerabilities

The CERT Coordination Center is experiencing an increase in reports of root
compromises caused by intruders using tools to exploit a number of NFS
(Network File System) vulnerabilities.

CERT recommends limiting your exposure to these attacks by implementing
the security measures described in Section III below.

As we receive additional information relating to this advisory, we
will place it, along with any clarifications, in a CA-94:15.README
file. CERT advisories and their associated README files are available
by anonymous FTP from info.cert.org. We encourage you to check the
README files regularly for updates on advisories that relate to your
site.
>-----------------------------------------------------------------------------

I. Description

     There are tools being used by intruders to exploit a number of NFS
     vulnerabilities. These tools are widely available and widely distributed.

II. Impact

     The impact varies depending on which vulnerabilities are present.
     In the worst case, intruders gain unauthorized root access from a
     remote host.

III. Security Measures

     A. Filter packets at your firewall/router.
        Filter TCP port 111, UDP port 111 (portmapper), TCP port 2049,
        and UDP port 2049 (nfsd). Consult your vendor or your firewall
        documentation for detailed instructions on how to configure these
        ports.

        This measure will prevent access to NFS at your site from outside
        your firewall, but it will not protect you from attacks launched from
        your local network, behind your firewall.
        
     B. Use a portmapper that disallows proxy access.
        Be sure that you do this for every host that runs a portmapper.
        For Solaris, 2.x, use a version of rpcbind that disallows proxy
        access.

        A portmapper that disallows proxy access protects all hosts with the
        modified portmapper from attacks that originate either inside or
        outside your firewall. Because this security measure addresses only
        the portmapper vulnerability, we recommend combining it with
        measure A above.

        Wietse Venema has developed a portmapper that disallows proxy access.
        It is available by anonymous FTP from

             ftp.win.tue.nl:/pub/security/portmap_3.shar.Z
             info.cert.org:/pub/tools/nfs_tools/portmap_3.shar.Z
        
             MD5 checksum: f6a3ad98772e7a402ddcdac277adc4a6

         For Solaris systems, Venema has developed a version of rpcbind that
         does not allow proxy access. Solaris users should install this
         program, not the portmapper. Rpcbind is available by anonymous FTP
         from the same sites as the portmapper:

            ftp.win.tue.nl:/pub/security/rpcbind_1.1.tar.Z
            info.cert.org:/pub/tools/nfs_tools/rpcbind_1.1.tar.Z

            MD5 checksum: 58437adcbea0a55e37d3a3211f72c08b
            
     C. Check the configuration of the /etc/exports files on your hosts.
        In particular:

         1. Do *not* self-reference an NFS server in its own exports file.
 
         2. Do not allow the exports file to contain a "localhost" entry.

         3. Export file systems only to hosts that require them.

         4. Export only to fully qualified hostnames.

         5. Ensure that export lists do not exceed 256 characters.
            If you have aliases, the list should not exceed 256 characters
            *after* the aliases have been expanded.
            (See CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability.)

         6. Use the showmount(8) utility to check that exports are correct.

         7. Wherever possible, mount file systems to be exported read only and
            export file systems read only.

      D. Ensure that your systems are current with patches and workarounds
         available from your vendor and identified in CERT advisories.

         The following advisories address problems related to NFS:
             CA-91:21.SunOS.NFS.Jumbo.and.fsirand
             CA-92:12.REVISED.SunOS.rpc.mountd.vulnerability
             CA-92:15.Multiple.SunOS.vulnerabilities.patches
             CA-93:15.SunOS.and.Solaris.vulnerabilities
             CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability

         When you ftp to info.cert.org for advisories, also check
         for README files, which contain updates or clarifications.
 
         Vendors may have additional patches not covered by a CERT
         advisory, so be sure to contact your vendor for further information.

>---------------------------------------------------------------------------
The CERT Coordination Center thanks Steve Bellovin, Casper Dik, Leendert
van Doorn, and Wietse Venema for their support in responding to this problem.
>---------------------------------------------------------------------------
CERT is a service mark of Carnegie Mellon University.
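
An added example (not part of the CERT advisory or of the original post) that checks an exports file against items C.1, C.2, C.4 and C.5 above, and also flags entries with no access= list. It assumes SunOS 4.x exports(5) syntax with colon-separated host lists and should be run on a file in which netgroups and aliases are already expanded; check_exports, demo_check and the sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory.
# check_exports EXPORTS_FILE SELF
#   Prints one finding per line as "path: problem" and returns 1 if any
#   finding was printed. SELF is the name of the exporting server.
#   Host list length is measured as written, so run this on a file whose
#   netgroups and aliases are already expanded.
check_exports() {
    awk -v self="$2" '
        function short(h) { sub(/\..*$/, "", h); return h }
        function report(msg) { print $1 ": " msg; found = 1 }

        /^#/ || NF == 0 { next }
        {
            opts = (NF >= 2 && $2 ~ /^-/) ? substr($2, 2) : ""
            has_access = 0
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] !~ /^(access|root)=/) continue
                key = o[i]; sub(/=.*$/, "", key)
                val = o[i]; sub(/^[^=]*=/, "", val)
                if (key == "access") has_access = 1

                # C.5: host lists must not exceed 256 characters.
                if (length(val) > 256)
                    report(key "= list is " length(val) " characters (limit 256)")

                m = split(val, h, ":")
                for (j = 1; j <= m; j++) {
                    if (short(h[j]) == "localhost")            # C.2
                        report(key "= contains localhost")
                    else if (short(h[j]) == short(self))       # C.1
                        report(key "= names the exporting server itself (" h[j] ")")
                    else if (h[j] !~ /\./)                     # C.4
                        report(key "= host " h[j] " is not fully qualified")
                }
            }
            # C.3: without access= the file system is open to any host.
            if (!has_access) report("no access= list, exported to every host")
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample exports file for a server named srv1.example.com.
demo_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/exports" <<'EOF'
/usr/local -access=ws1.example.com:ws2.example.com,ro
/export/home -access=ws1.example.com:srv1.example.com,root=ws1
/var/spool/mail -access=localhost:ws2.example.com
/pub -ro
EOF
    rc=0
    check_exports "$dir/exports" srv1.example.com || rc=$?
    rm -rf "$dir"
    return 0
}
demo_check
```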

---------------------------------------------------------------------------
The following was the only post to explain WHY netgroup only works
in the access= field...
---------------------------------------------------------------------------
>From barmar@nic.near.net Thu Feb 16 03:17:43 1995

Sorry, that's the way it works. Options that affect mounting permit use of
netgroups. But options that affect processing of individual NFS operations
require a fixed list of hosts. Searching a netgroup every time a packet
from root is received would slow down the server too much.

--------------------------------------------------------------------------
And here are the scripts that Bob provided. Note that he took
scripts posted elsewhere and modified them. I assume that he credits
the original authors in the source. It is tarred and uuencoded. You
can use the following to extract it from this mail message if your
uudecode isn't smart enough to find it by itself:

sed -e '1,/cut here/d' file_name_where_you_save_message | uudecode

but make the regex upper case. It will create "push_files.tar"

Note that I haven't tested these scripts, and Bob isn't particularly
proud of them (i.e. they work for him, but he never intended publication),
so don't give him any flak if they don't work without tweaking for your
system. I'm also pretty sure that Bob is not interested in supporting them.
You're on your own with these.
--------------------------------------------------------------------------
>From cqt.com!yamaguch@ig1.att.att.com

Well, here it is. I'm the only one who's ever used it, so I don't know how
well it'll work for you. ... -snip- ...

Good luck.

Bob

------------------------------- CUT HERE -------------------------------------

M(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C
M(R,C(R,*97AE8R D," D1U)/55 *
M
M
M
M
M <'5S:%]F:6QE<R]214%$344
M
M #$P,#8T-" (" @,C8T( @(" @,C4@ " @
M(" @(" W-C<T(" U-S(P-3 U-3(R(" Q,S<V, @,
M
M !U<W1A
M<B @ 'EA;6%G=6-H <WES861M:6X
M
M
M
M
M *;&ES=&=R;W5P"BTM+2TM+2TM
M+0H*=7-A9V4Z(&QI<W1G<F]U<"!;;F5T9W)O=7!="@H@(" @5&AE(&QI<W1G
M<F]U<"!S8W)I<'0@;W5T<'5T<R!T:&4@<W!E8VEF:65D(&YE=&=R;W5P(&5N
M=')I97,@<V5P87)A=&5D(&)Y( IS<&%C97,N("!)9B!N;R!N971G<F]U<"!I
M<R!S<&5C:69I960L(&ET(&]U='!U=',@86QL('1H92!A=F%I;&%B;&4@;F5T
M9W)O=7!S( IO;F4@<V5P87)A=&4@;&EN97,N"@H*<'5S:%]F:6QE<PHM+2TM
M+2TM+2TM"@IU<V%G93H@<'5S:%]F:6QE<PH*(" @(%1H92!P=7-H7V9I;&4@
M<V-R:7!T(&-A;B!B92!U<V5D(&EN=&5R86-T:79E;'D@;W(@=VET:"!A(&1A
M=&$@9FEL92X@(%1H90IS8W)I<'0@;&]O:W,@;&EK92!T:&ES.@H*4&QE87-E
M('1Y<&4@:6X@;VX@;VYE(&QI;F4@=&AE(&UA8VAI;F4L('1H92!T87)G970@
M9&ER(&%N9"!F:6QE('1O('!U<V@N"B @(&EE.B @('-U;G,@+V5T8R]R8RYL
M;V-A;" @<F,N;W1H97(@(" @(" @;W(*(" @(" @(" @<W5N<R O971C("!R
M8RYL;V-A;" @<F,N;W1H97(*+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2T*/@H*(" @($)R96%K9&]W
M;B!O9B!A<F=U;65N=',Z"B @(" @(&9I<G-T(" M+2!E:71H97(@82!M86-H
M:6YE(&YA;64@;W(@;F5T9W)O=7 @=&\@<'5S:"!T;PH@(" @("!S96-O;F0@
M+2T@=&AE(&9U;&P@<&%T:&YA;64@:6YC;'5D:6YG(&9I;&4@=&\@8F4@<'5S
M:&5D+"!O<B!J=7-T('1H92 *(" @(" @(" @(" @(" @(" @<&%T:"!T;R!T
M:&4@9FEL92X*(" @(" @=&AE(')E<W0@+2T@861D:71I;VYA;"!F:6QE<R!T
M:&%T(')E<VED92!I;B!T:&4@<V%M92!B87-E('!A=&AN86UE(&%S"B @(" @
M(" @(" @(" @(" @(" @=&AE('-E8V]N9"!A<F=U;65N="X@($%N>2!N=6UB
M97(@;V8@861D:71I;VYA;"!F:6QE<PH@(" @(" @(" @(" @(" @(" @(&UA
M>2!B92!S<&5C:69I960N"@H@(" @17AA;7!L97,Z"B @(" @(" @/B!A;&Q?
M<W5N<R O971C+W)C+FQO8V%L(&AO<W1S(&5X<&]R=',@9G-T86(*(" @(" @
M(" ^(&%L;%]S=6YS("]E=&,@(&AO<W1S(&5X<&]R=',*(" @(" @(" ^(&5L
M=FES(" O+F-S:')C"@H@(" @4F%T:&5R('1H86X@<G5N(&ET(&EN=&5R86-T
M:79E;'DL(&ET(&-A;B!B92!R=6X@=VET:"!A(&1A=&$@9FEL92!W:&EC: H@
M(" @("!C;VYS:7-T<R!O9B!T:&4@<F5G=6QA<B!C;VUM86YD<RX*"B @("!%
M>&%M<&QE(&9I;&4Z("!I;BYD870*(" @(" @("!A;&Q?<W5N<R O971C+W)C
M+FQO8V%L(&AO<W1S(&5X<&]R=',@9G-T86(*(" @(" @("!A;&Q?<W5N<R O
M971C("!H;W-T<R!E>'!O<G1S"B @(" @(" @96QV:7,@("\N8W-H<F,*"B @
M("!%>&%M<&QE(')U;CH*(" @(" @(" E('!U<VA?9FEL97,@/"!I;BYD870*
M"B @("!4:&%T('=A>2P@9W)O=7!S(&]F(&-O;6UA;F1S(&-A;B!B92!G<F]U
M<&5D(&EN=&\@8V5R=&%I;B!C;VYF:6=U<F%T:6]N<RX*"@H*(" @($EN('1H
M92!P=7-H7V9I;&5S('-C<FEP="P@=&AE<F4@87)E('1W;R!V87)I86)L97,@
M=&AA="!W:6QL(&AA=F4@=&\@8F4*8VAA;F=E9"!T;R!M871C:"!Y;W5R('-E
M='5P.@H@(" @+2!D871A7V1I<CH@('1H92!L;V-A=&EO;B!O9B!T:&4@8V]N
M9FEG=7)A=&EO;B!F:6QE<PH@(" @+2!,25-41U)/55 Z('1H:7,@<&]I;G1S
M('1O('1H92!L:7-T9W)O=7 @<V-R:7!T+B @268@;&ES=&=R;W5P(&ES(&EN
M('1H90H@(" @(" @(" @(" @(" @('!A=&@L('1H:7,@=F%R:6%B;&4@:7-N
M)W0@;F5E9&5D+B @2G5S="!C:&%N9V4@86QL('1H90H@(" @(" @(" @(" @
M(" @(')E9F5R96YC97,@=&\@3$E35$=23U50('1O(&IU<W0@<&QA:6X@;&ES
M=&=R;W5P+@H*9&%T85]D:7(*+2TM+2TM+2T*"B @("!4:&ES(&ES('1H92!D
M:7)E8W1O<GD@=&AA="!C;VYT86EN<R!A;&P@=&AE(&-O;F9I9W5R871I;VX@
M9FEL97,N("!%86-H"F-O;F9I9W5R871I;VX@9FEL92!H87,@:71S(&]W;B!D
M:7)E8W1O<GD@=VET:"!T:&4@<V%M92!N86UE(&%S('1H92!C;VYF:6<@9FEL
M92X*5&AE(&%C='5A;"!F:6QE(&5X:7-T<R!U;F1E<B!T:&ES(&1I<F5C=&]R
M>2X@(%1H97)E(&%R92!T=V\@='EP97,@;V8@9FEL97,*:6X@=&AE<V4@9&ER
M96-T;W)I97,Z(" *(" Q*2 \8V]N9FEG(&9I;&4^+F-O;6UO;B M+2!C;VYT
M86EN<R!I;F9O<FUA=&EO;B!T:&%T(&ES"B @(" @(" @(" @(" @(" @(" @
M(" @(" @(" @8V]M;6]N('1O(&%L;"!M86-H:6YE<R!A;F0@( H@(#(I(&AO
M<W1N86UE("TM(&-O;G1A:6YS(&EN9F]R;6%T:6]N('1H870@:7,@<W!E8VEF
M:6,@=&\@=&AA="!M86-H:6YE+B @5&AI<PH@(" @(" @(" @(" @(" @(&EN
M9F]R;6%T:6]N(&ES(&%P<&5N9&5D('1O('1H92!C;VUM;VX@9FEL92X@(%1H
M92!C;VYC871E;F%T960*(" @(" @(" @(" @(" @("!F:6QE(&ES('=H870@
M:7,@<'5S:&5D('1O('1H92!M86-H:6YE+@H*("!%>&%M<&QE.@H@(" @("4@
M<'=D"B @(" @+V5T8R]L;V-A;"]C;VYF:6=?9FEL97,*(" @(" E(&QS("U&
M0PH@(" @(&9S=&%B+R @("!R8RYL;V-A;"\@("!P=7-H7V9I;&5S*@H@(" @
M("4@;',@9G-T86(*(" @("!F<W1A8BYC;VUM;VX@(&UA8VAI;F4Q("!M86-H
M:6YE,@H@(" @("4@;',@<F,N;&]C86P*(" @("!M86-H:6YE,2 @(&UA8VAI
M;F4R(" @<F,N;&]C86PN8V]M;6]N"@H*(" @(%1H97)E(&%R92!T=V\@8V%S
M97,@=VAE<F4@<W!E8VEA;"!P87)S:6YG(&UU<W0@;V-C=7(Z(&9S=&%B(&%N
M9"!E>'!O<G1S+@I4:&4@9G-T86(N8V]M;6]N(&-O;G1A:6YS(&%L;"!P87)T
M:71I;VYS('1H870@=VEL;"!B92!L;V%D960@8GD@86QL('1H90IM86-H:6YE
M<RX@($$@<')O8FQE;2!O8V-U<G,@8F5C875S92!A(&UA8VAI;F4@=&AA="!I
M<R!E>'!O<G1I;F<@<&%R=&ET:6]N<PIW:6QL(&AA=F4@96YT<FEE<R!I;B!T
M:&ES(&9I;&5S.R @:70@<VAO=6QD;B=T(&AA=F4@:71S(&5N=')I97,@9G)O
M;2!T:&4*9G-T86(N8V]M;6]N(&9I;&4@8F5C875S92!I="!A;')E861Y(&AA
M<R!E;G1R:65S(&EN(&ET<R!M86-H:6YE+7-P96-I9FEC(&9I;&4N"@H@("!%
M>&%M<&QE.@H@(" @(" E(&-A="!F<W1A8BYC;VUM;VX*(" @(" @;6%C:&EN
M93$Z+V1I<VLQ(" @+V1I<VLQ(&YF<R!R=R P(# *(" @(" @;6%C:&EN93(Z
M+V1I<VLQ(" @+V1I<VLQ(&YF<R!R=R P(# *(" @(" @;6%C:&EN93(Z+V1I
M<VLR(" @+V1I<VLQ(&YF<R!R=R P(# *(" @(" @)2!C870@;6%C:&EN93$*
M(" @(" @+V1E=B]S9#!A(" O(" @(" @(" T+C(@<G<@,2 Q"B @(" @("]D
M978O<V0P:" @+W5S<B @(" @-"XR(')W(#$@,0H@(" @(" O9&5V+W-D,6,@
M("]D:7-K,2 @(#0N,B!R=R Q(#$*"B @("!)9B!M86-H:6YE,2!I<R!A<'!E
M;F1E9"!T;R!F<W1A8BYC;VUM;VXL('1H92!R97-U;'1I;F<@9FEL92!W;W5L
M9"!H879E('1W;PIE;G1R:65S(&9O<B!M;W5N=&EN9R O9&ES:S$N("!4:&4@
M;VYE(&9R;VT@=&AE(&9S=&%B+F-O;6UO;B!F:6QE(&ES('=R;VYG+"!A;F0*
M:7,@;VYL>2!M96%N="!F;W(@;W1H97(@;6%C:&EN97,N("!3;RP@=&AO<V4@
M96YT<FEE<R!A<F4@<F5M;W9E9"!F<F]M('1H90IF<W1A8BYC;VUM;VX@9FEL
M92!B969O<F4@=&AE(&9I;F%L(&9I;&4@:7,@8W)E871E9"X*"B @("!4:&4@
M97AP;W)T<R!F:6QE(&ES(&$@<W!E8VEA;"!C87-E(&)E8V%U<V4@;V8@;F5T
M9W)O=7!S+B @17AP;W)T:6YG(&1I<VMS"G5S:6YG(&YE=&=R;W5P<R!I<R!N
M;W0@82!P<F]B;&5M.R @:68@=&AE(&UA8VAI;F4@97AP;W)T:6YG('1H92!D
M:7-K(&ES"FEN8VQU9&5D(&EN('1H92!T:&4@;F5T9W)O=7 L(&$@<V5C=7)I
M='D@<')O8FQE;7,@87)I<V5S("A#15)4($-!+3DT.C$U*2X*5&AI<R!P<F]B
M;&5M(&ES(&9I>&5D(&)Y(')E<&QA8VEN9R!E86-H(&YE=&=R;W5P('=I=&@@
M:71S(&%C='5A;"!V86QU97,L"FUI;G5S('1H92!E>'!O<G1I;F<@;6%C:&EN
M92X@(%1H92!R97-U;'1I;F<@9FEL92!I<R!P=7-H960@=&\@=&AE(&UA8VAI
M;F4N"@
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
%
 
end



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:16 CDT