%% $Id: core02-owl.mgp,v 1.4 2002/04/28 15:19:36 solar Exp $
%%
%%%%%%%%%%INCLUDE default.mgp
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% This default.mgp is "TrueType fonts" oriented.
%% First, you should create "~/.mgprc" whose contents are:
%%	tfdir "/path/to/truetype/fonts"
%%
%% To visualize English, install "standard.ttf", "thick.ttf", and
%% "typewriter.ttf" into the "tfdir" directory above:
%%	ftp://ftp.mew.org/pub/mgp/ttf-us.tar.gz
%%
%% To visualize Japanese, install "kochi-mincho.ttf" and "goth.ttf"
%% into the "tfdir" directory above:
%%	ftp://ftp.mew.org/pub/mgp/ttf-jp.tar.gz
%%
%deffont "standard" tfont "standard.ttf", tmfont "kochi-mincho.ttf"
%deffont "thick" tfont "thick.ttf", tmfont "goth.ttf"
%deffont "typewriter" tfont "typewriter.ttf", tmfont "goth.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 area 90 90, leftfill, size 2, fore "white", back "black", font "thick"
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "gray70", vgap 10
%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix " ", icon box "green" 50
%tab 2 size 4, vgap 40, prefix " ", icon arc "yellow" 50
%tab 3 size 3, vgap 40, prefix " ", icon delta3 "white" 40
%%%%%%%%%%INCLUDE-END default.mgp
%%%%%%%%
%page
%nodefault
%center, size 7, font "standard", fore "white", vgap 15
Openwall GNU/*/Linux
a security-enhanced OS
%area 40 20 10 60
%center, size 20
Solar Designer
%center, size 16, font "typewriter"
%area 40 20 50 60
%center, size 20
Rafal Wojtczuk
%center, size 16, font "typewriter"
%%%%%%%%
%page

Why another Linux distro?

	Aren't major Linux distributions secure?
		Most care to patch
%cont, font "thick"
known
%cont, font "standard"
security vulnerabilities which are
%cont, font "thick"
"bad enough"
%cont, font "standard"
, yet do little to prevent vulnerable software from getting into the distribution in the first place
		There're usually more than just a few pieces of software in a distribution which provide a certain bit of functionality, thereby unnecessarily increasing the risk
		The number of vulnerabilities affecting each major distribution that hit Bugtraq is high, and those are only the ones which are "bad enough"
%%%%%%%%
%page

Why another Linux distro? (cont.)

	Isn't there already a secure Linux distribution?
		Most choose software based on security track record
			A good security track record is no replacement for source code review; unless the software component is very popular, the track record hardly says anything on its
%cont, font "thick"
design
%cont, font "standard"
and
%cont, font "thick"
code quality
%font "standard"
			It isn't just the
%cont, font "thick"
choice
%cont, font "standard"
of software which matters
		There's often an emphasis on kernel modifications
			It's not the security-related bells and whistles which make a system secure
%%%%%%%%
%page

Openwall GNU/*/Linux (Owl)

	A security-enhanced server platform based on
		The Linux kernel and its corresponding utilities
		GNU software
		Many BSD-derived components, including those ported to Linux specifically for use in Owl
		Other free software from various authors
		Free software developed by Openwall team members, including specifically for Owl
%%%%%%%%
%page

Owl: Features

	A base for installing whatever software is generally available for GNU/*/Linux systems (including commercial and closed-source)
	Includes a growing set of integrated Internet services
	Includes a complete build environment ("make buildworld")
	Supports multiple architectures (currently x86, SPARC, Alpha)
%%%%%%%%
%page

Owl: Approach to security

	Software design and code quality are first priority
	Source code review
		Pieces of code which are typically run with privileges greater than those of a regular user and/or typically process data obtained over a network are audited before the corresponding software component is included; this applies to
			relevant code paths in many of the system libraries
			all SUID/SGID programs
			all daemons and network services
%%%%%%%%
%page

Owl: Approach to security (cont.)

	Software modifications in order to
		apply the least privilege principle
		introduce privilege separation
	Safe default configuration
	As the project evolves, many of the software components will be replaced with ones of our own
%%%%%%%%
%page

Owl: Approach to security (cont.)

	Policy enforcement and integrity checking
	"Strong" cryptography within core OS components
	"Hardening" to reduce likelihood and/or impact of successful real-world attacks on insecure third-party software one might install on the system
	A wide range of security tools available for use "out of the box"
%%%%%%%%
%page

Owl: Build environment

	The Owl userland is maintained similarly to *BSD ports/packages and may be rebuilt with one simple command ("make buildworld")
%area 47 55 3 40
%font "standard", size 8
Some build times:
%font "typewriter", size 5
Dual Pentium III, 800 MHz, 512 MB   0:45
UltraSparc IIi, 440 MHz, 256 MB     3:30
Alpha 21164PC, 533 MHz, 128 MB      5:20
%font "standard", size 5
(Yes, gcc is this slow on Alpha)
The build times will increase as we add more packages and update to new versions of software already in Owl
%area 47 60 50 35
%center, image "EMBEDDIR/buildworld.eps" 0 100 100
%%%%%%%%
%page

Owl: Developed software

	Portable
		pam_mktemp, pam_passwdqc, pam_userpass; popa3d; scanlogd; libnids
	Semi-portable
		crypt_blowfish, tcb (libtcb, libnss_tcb, pam_tcb)
	Owl-specific
		owl-control
		Startup scripts, the build environment, and so on
%%%%%%%%
%page

Owl: Ported software

	Several software components have been ported from OpenBSD (with our usual source code review and modifications)
		mailx
		mtree
			and we actually build the initial filesystem hierarchy with mtree
		telnet
		telnetd
			with modifications to introduce privilege separation
		Vixie Cron
			with modifications for SGID crontab(1)
%%%%%%%%
%page

Owl: Modified software

	Essentially all of it
		on average 4 patch files per package (the most important)
		half of the patches originate in Owl
		the other half has been imported from various other distributions (including *BSD's) with appropriate credit given in each patch file name
%font "typewriter", size 4
owl!build:~/native/Owl/packages/tcp_wrappers$ wc -c *.diff
22005 tcp_wrappers_7.6-openbsd-owl-cleanups.diff
4272 tcp_wrappers_7.6-openbsd-owl-ip-options.diff
4088 tcp_wrappers_7.6-owl-Makefile.diff
1866 tcp_wrappers_7.6-owl-safe_finger.diff
%%%%%%%%
%page

Owl: crontab / crond

	What privileges does crontab(1) require?
		Ability to insert jobs into crond(8) spool
	The least privilege principle in the flesh
%font "typewriter", size 4
owl!root:/var/spool/cron# ls -ld . joe
drwx-wx--T root crontab 1024 Nov 5 14:10 .
-rw------- joe crontab 493 Apr 3 2001 joe
owl!root:/usr/bin# ls -l crontab
-rwx--s--x root crontab 21116 Nov 5 14:10 crontab
%font "standard"
	crond(8) must not blindly trust its spool directory (and ours doesn't)
%%%%%%%%
%page

Owl: syslogd architecture

	Initialization as root
		Bind a socket to
%cont, font "thick"
/dev/log
%font "standard"
		Process
%cont, font "thick"
/etc/syslog.conf
%cont, font "standard"
, open appropriate log files
		Drop to user/group
%cont, font "thick"
syslogd
%font "standard"
	Normal operation as user
%cont, font "thick"
syslogd
%font "standard"
		Read from
%cont, font "thick"
/dev/log
%cont, font "standard"
, write to the log files
		In order to be able to reopen the log files on SIGHUP, they must be made writable to user or group
%cont, font "thick"
syslogd
%cont, font "standard"
when rotated
%%%%%%%%
%page

Owl: klogd architecture

	Initialization as root
		Open
%cont, font "thick"
/proc/kmsg
%cont, font "standard"
and
%cont, font "thick"
/dev/log
%cont, font "standard"
, retain the open fd's
		Open
%cont, font "thick"
/dev/kmem
%cont, font "standard"
and
%cont, font "thick"
System.map
%cont, font "standard"
, read relevant data, close them
		Chroot to
%cont, font "thick"
/var/empty
%font "standard"
		Drop to user
%cont, font "thick"
klogd
%font "standard"
	Normal operation as user
%cont, font "thick"
klogd
%cont, font "standard"
, in the chrooted environment
		Read from the
%cont, font "thick"
/proc/kmsg
%cont, font "standard"
fd, format the message, and write it to the
%cont, font "thick"
/dev/log
%cont, font "standard"
fd
%%%%%%%%
%page

Owl: popa3d architecture

%center, image "EMBEDDIR/popa3d.eps" 0 100 85
%%%%%%%%
%page

Owl: telnetd architecture

%center, image "EMBEDDIR/telnetd.eps" 0 100 85
%%%%%%%%
%page

Owl: vsftpd architecture

%center, image "EMBEDDIR/vsftpd.eps" 0 100 85
%%%%%%%%
%page

Traditional password shadowing

	Password hashes and aging information of all users are stored in a single file
		passwd(1) possesses the privilege to alter
%cont, font "thick"
all
%cont, font "standard"
entries in the shadow file
			The traditional filesystem layout forces passwd(1) to be SUID root
		chage(1) possesses the privilege to read
%cont, font "thick"
all
%cont, font "standard"
entries in the shadow file
	A passwd process compromise is fatal
		The problem cannot be fixed by assigning a dedicated user for
%cont, font "thick"
/etc/shadow
%cont, font "standard"
accesses
%%%%%%%%
%page

Owl: tcb - the alternative to shadow

	Each user is assigned a separate shadow file
	Each user is the owner of their shadow file
	Access to shadow files is group-restricted to allow for password policy enforcement
	The move to tcb is transparent for existing applications which rely on interfaces such as getspnam(3) (and thus on NSS) or PAM; no modifications to application sources are needed
%%%%%%%%
%page

Owl: tcb: Filesystem layout

%font "typewriter", size 4
owl!root:~# ls -ld /etc/tcb/
drwx--x--- root shadow 1024 Nov 27 12:14 /etc/tcb/
owl!root:~# ls -l /etc/tcb/
drwx--s--- root auth 1024 Nov 27 12:14 root
drwx--s--- joe auth 1024 Nov 27 12:14 joe
owl!root:~# ls -l /etc/tcb/joe/
-rw-r----- joe auth 85 Nov 27 12:14 shadow
owl!root:~# cat /etc/tcb/joe/shadow
joe:$2a$08$ghnh1Q5K6kE24bY9xqQa5uSXwG2YO4O5lbj.yfLKp8BVFBusqLwxi:11320:0:99999:7:::
%font "standard"
	The per-user directories are also used as scratch space for temporary and lock files which are needed during password change
%%%%%%%%
%page

Owl: tcb: Required privileges

	passwd(1) is made SGID
%cont, font "thick"
shadow
%font "standard"
	chage(1) is SGID
%cont, font "thick"
shadow
%font "standard"
		A possible compromise would only let one bypass password policy enforcement for their own account
	Group
%cont, font "thick"
auth
%cont, font "standard"
may be used to grant a process read access to all password hashes should the need arise
	No real need for any SUID binaries on the entire system
%%%%%%%%
%page

Owl: tcb: Components

	libtcb, the auxiliary library used by almost all of the tcb suite
		Provides functions for locking and accessing tcb shadow files safely
	libnss_tcb, the NSS module
		Provides getspnam(3) and related functions
		When running as root, the
%cont, font "thick"
/etc/tcb/*/shadow
%cont, font "standard"
files are accessed with the proper effective credentials and treated as untrusted input
%%%%%%%%
%page

Owl: tcb: Components (cont.)

	pam_tcb, the PAM module
		Provides functionality for all four PAM management groups
		Supports
%cont, font "thick"
/etc/passwd
%cont, font "standard"
,
%cont, font "thick"
/etc/shadow
%cont, font "standard"
,
%cont, font "thick"
/etc/tcb/
%cont, font "standard"
directory structure, NIS, and NIS+ for password changes
		Supports arbitrary password hashing methods
		Optional forking to keep address space clean
		Backwards compatible with Linux-PAM pam_unix and pam_pwdb but offers additional functionality and better code quality
%%%%%%%%
%page

Owl: tcb: Components (cont.)

	tcb_convert and tcb_unconvert
		Easy conversion between
%cont, font "thick"
/etc/tcb/*
%cont, font "standard"
and traditional
%cont, font "thick"
/etc/shadow
%cont, font "standard"
databases
	The shadow suite utilities
		Non-trivial patching has been applied to the sources of most shadow suite utilities
		The invocation syntax remained unchanged
		A setting in
%cont, font "thick"
/etc/login.defs
%cont, font "standard"
specifies whether the utilities should adhere to the tcb scheme
%%%%%%%%
%page

Owl: Further information

	The Openwall GNU/*/Linux homepage is
%center, font "typewriter", size 5
http://www.openwall.com/Owl/
%leftfill, font "standard"
	Any questions?
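%%%%%%%%
%page

Added example: the klogd start-up order in C

The start-up order given on the klogd architecture slide (open as root, chroot to /var/empty, drop to an unprivileged user, then work only on retained descriptors), written out in C. This is an added example, not Owl's klogd source: drop_to_jail() is a hypothetical helper, uid/gid 65534 stand in for the klogd account, and stdout stands in for the retained /dev/log descriptor.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `jail` and switch to an unprivileged
 * uid/gid for good. Returns 0 on success, -1 with errno set. On failure
 * the caller must exit: a half-dropped process is not safe to continue.
 */
int drop_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse a "drop" that would keep root. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chroot() needs root, so it comes first; chdir("/") puts the working
     * directory inside the new root so it cannot be used to walk out. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups and gid go while we may still change them;
     * the uid goes last. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify instead of assuming: root must not be recoverable. */
    if (setuid(0) == 0 || setgid(0) == 0 ||
        getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumption: 65534 stands in for the dedicated "klogd" account; a
     * real daemon would look the ids up with getpwnam() before chroot. */
    const uid_t uid = 65534;
    const gid_t gid = 65534;
    char buf[4096];
    ssize_t n;

    /* 1. As root: open what needs privilege and keep the descriptor. */
    int in = open("/proc/kmsg", O_RDONLY);
    if (in < 0) {
        perror("/proc/kmsg");
        return 1;
    }
    /* 2. Still root: enter the empty directory, then give up root. */
    if (drop_to_jail("/var/empty", uid, gid) != 0) {
        perror("drop_to_jail");
        return 1;
    }
    /* 3. Unprivileged and chrooted: only retained descriptors remain.
     * stdout stands in here for the retained /dev/log descriptor. */
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n)
            return 1;
    return 0;
}
```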
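%%%%%%%%
%page

Added example: reading from an untrusted spool

The crond slide says the daemon "must not blindly trust its spool directory", and the libnss_tcb slide says the per-user shadow files are "treated as untrusted input"; the C sketch below shows one way to make such a check. It is an added example, not code from Owl's crond or tcb: open_untrusted(), the U_* codes and the constructed sample spool under /tmp are hypothetical names chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result: a read-only descriptor (>= 0), or one of these reasons. */
enum { U_BADNAME = -1, U_OPEN = -2, U_NOTREG = -3,
       U_OWNER = -4, U_LINKS = -5, U_MODE = -6 };

/* Open entry `name` of spool directory `dirfd` on behalf of `owner`.
 * Less-privileged code can write to the directory, so every property
 * is checked on the opened descriptor and nothing is assumed. */
int open_untrusted(int dirfd, const char *name, uid_t owner)
{
    struct stat st;
    int fd, why;
    /* An entry name is one path component: no "..", no dotfiles. */
    if (name[0] == '\0' || name[0] == '.' || strchr(name, '/'))
        return U_BADNAME;
    /* O_NOFOLLOW refuses a symlink planted under this name; O_NONBLOCK
     * keeps a planted FIFO from stalling the daemon inside open(). */
    fd = openat(dirfd, name,
                O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return U_OPEN;
    /* fstat() the descriptor, not the name, so the object cannot be
     * swapped between the check and the read. */
    if (fstat(fd, &st) != 0)                    why = U_OPEN;
    else if (!S_ISREG(st.st_mode))              why = U_NOTREG;
    else if (st.st_uid != owner)                why = U_OWNER;
    else if (st.st_nlink != 1)                  why = U_LINKS;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))  why = U_MODE;
    else return fd;
    close(fd);
    return why;
}

/* Create an empty file with exactly `mode`, independent of the umask. */
static int touch(int d, const char *name, mode_t mode)
{
    int fd = openat(d, name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int rc = fd < 0 ? -1 : fchmod(fd, mode);
    if (fd >= 0) close(fd);
    return rc;
}

/* Constructed sample spool: one good entry, four hostile; -1 on error. */
int build_sample_spool(void)
{
    char dir[] = "/tmp/spool-example-XXXXXX";
    int d = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (d < 0 || touch(d, "joe", 0600) || touch(d, "loose", 0620) ||
        touch(d, "orig", 0600) || linkat(d, "orig", d, "twin", 0) ||
        symlinkat("joe", d, "link") || mkdirat(d, "dir", 0700))
        return -1;
    return d;
}

int main(void)
{
    const char *names[] = { "joe", "loose", "twin", "link", "dir", "../joe" };
    int d = build_sample_spool();
    for (size_t i = 0; d >= 0 && i < sizeof names / sizeof *names; i++)
        printf("%-6s -> %d\n", names[i], open_untrusted(d, names[i], geteuid()));
    return d < 0;
}
```

The sample directory is left in /tmp after the run so the entries can be inspected with ls -l.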