Re: HELP PLEASE The request failed with HTTP status 401: Access Denied.
From: nu-k-ar (nospam@plz.com)
Date: 11/27/02
- Next message: Govind Rathi: "Windows Authentication issue"
- Previous message: nu-k-ar: "Re: HELP PLEASE The request failed with HTTP status 401: Access Denied."
- In reply to: Larry Hastings: "Re: HELP PLEASE The request failed with HTTP status 401: Access Denied."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "nu-k-ar" <nospam@plz.com> Date: Wed, 27 Nov 2002 09:28:17 +0100
This article may contain URLs that were valid when originally published, but
now link to sites or pages that no longer exist. To maintain the flow of the
article, we've left these URLs in the text, but disabled the links.
----------------------------------------------------------------------------
----
Web Security: Part 2: Introducing the Web Application Manager, Client
Authentication Options, and Process Isolation
Keith Brown
This article assumes you're familiar with ISAPI, ASP, CGI
Level of Difficulty 1 2 3
Keith Brown works at DevelopMentor researching, writing,
teaching, and promoting an awareness of security among programmers. Keith
authored Programming Windows Security, to be published by Addison-Wesley in
June 2000. He also coauthored Essential COM, also published by
Addison-Wesley (December, 1998).
This article, the second of two parts, continues coverage of Web
security for Windows. It introduces the Web Application Manager in IIS that
allows Web processes to be isolated, decreasing the security risk associated
with running in a logon session.
The article then picks up where Part One left off-it
discusses authentication methods such as basic authentication, digest
authentication, integrated Windows authentication, and anonymous logons, and
the benefits and drawbacks of each.
--------------------------------------------------------------------
he first installment of this article covered the basics of SSL
authentication and certificates, and showed you how to obtain and install a
Web server certificate and how to require SSL for certain files or
directories (see
http://msdn.microsoft.com/msdnmag/issues/0600/websecure/websecure.asp). This
installment will introduce the Web Application Manager (WAM) and explain the
importance of Web application process isolation. It will then describe the
various options for client authentication and explain the type of security
context that results for each option. Understanding the subtle differences
in the resulting client security context is a key factor in determining how
to architect an Internet Information Services (IIS) gateway into a
traditional COM+ middle-tier suite of components.
Back in the old days of IIS 3.0, the Web server simply ran in a
single process known as INETINFO.EXE, which lurked in the System logon
session. All server-side ISAPI and ASP Web apps therefore ran in the System
logon session, which is dangerous.
To understand the danger, consider the following C/C++ code:
void foo() {
char buf[256];
GetStringFromTextBox(buf);
}
This ultra-simplified code reads a string from a text box on a
user-submitted form. Imagine that this code were housed in an ISAPI DLL
running inside of INETINFO.EXE, and that the user actually typed 300
characters into the text box. Since GetStringFromTextBox doesn't pay any
attention to how much memory buf points to, it will overflow the buffer. Is
this bad? It's incredibly bad. Because buf is on the stack, any overflow
will quickly overwrite the return address on the stack, and when foo returns
it won't return to the caller, it will return to whatever address was
overwritten on the stack.
Crackers find great fun in sending unexpectedly long strings to
applications as input and just waiting for one of them to explode. Once they
discover a bug like this, it's just a matter of shortening the string until
the program doesn't crash anymore. Now they know the exact length of the
buffer, and have a darn good idea where to write their own return address
onto the victim's stack. By crafting an input string that contains binary
executable machine instructions, all the cracker has to do is figure out the
address of the buffer on the stack (this becomes quite easy if she can
reproduce the bug on her own machine) and point the return address into the
buffer.
In the most elegant attack I've seen documented
(http://www.cultdeadcow/cDc_files/cDc-351), the cracker sends a small
program as input that loads WININET.DLL and calls a few functions that
download an executable program of the attacker's choosing onto the victim's
hard drive. The program then launches the downloaded executable and quietly
shuts down the victimized process in an attempt to hide the fact that
something is horribly awry. Note that using a language that is safer than C
or C++ can help alleviate this problem.
Imagine if this attack were carried out on an ISAPI application
running in the System logon session. The attacker has now compromised the
Trusted Computing Base (TCB) of the machine and the game is over. It's
funny; I remember when people were merely worried about ISAPI DLLs crashing
the Web server. Now that you've seen that a buggy ISAPI DLL can allow an
attacker to hijack the Web server's process, hopefully the imperative for
moving this code out of the System logon session is clear.
Introducing the Web Application Manager
IIS 4.0 addressed this problem in an elegant way. By separating
the core Web server functionality present in INETINFO.EXE from the code
needed to invoke ISAPI applications, it is possible to run ISAPI
applications in separate processes, sandboxing them in lesser-privileged
logon sessions. This separation was implemented by having the core Web
server talk to the ISAPI environment via an (undocumented) COM interface.
IIS 4.0 offered two choices for each Web application (each
virtual directory is considered a separate application): the application
could run in-process inside of INETINFO.EXE, or it could run in its own
separate process. In either case, a logical COM object representing the
environment for each application was registered and added to the Microsoft®
Transaction Server (MTS) catalog as a configured component. This component
is the WAM. Here COM's claim of local-remote transparency rings true; using
a COM interface allows the Web server to interact with in-process as well as
out-of-process WAMs polymorphically.
Unfortunately, IIS 4.0 didn't go quite far enough, and since
each isolated Web application chews up another process, the default setting
for each new Web application was to run in-process. IIS 5.0 makes
out-of-process Web applications more attractive by providing three options
for isolation: low (IIS process), medium (pooled), and high (isolated).
The low and the high options are exactly the same as what IIS
4.0 provided. In the first case, the application code runs in INETINFO.EXE.
In the last case, the application code runs in its own dedicated process.
What's interesting is the new medium option, which places all pooled
applications into a single process that runs outside INETINFO. EXE (and in a
separate logon session, as you'd expect). This new option is the default in
IIS 5.0, and is a great way to mitigate threats like the buffer overflow
attack. Don't get me wrong; the attack is still possible, but hijacking a
process in the TCB is different than hijacking one outside of the TCB,
assuming that the administrator has erected effective perimeter defenses
around the TCB.
The process isolation level is represented by a metabase
attribute named AppIsolated, an inheritable attribute that can be set on a
per-application basis. The current IIS 5.0 docs indicate that this value can
be set on subdirectories inside an application, but this has no effect. This
attribute can have one of three values:
0: Low (IIS Process)
1: High (Isolated)
2: Medium (Pooled)
Since each WAM runs in the context of a configured COM+
application, you can actually use the Component Services snap-in to look at
the two WAM-hosting applications that IIS creates by default when it is
installed with the operating system: IIS In-Process Applications and IIS
Out-Of-Process Pooled Applications.
The first application is designated as a library app, so that
when INETINFO.EXE creates an instance of the WAM for an in-process
application, the WAM will load into that same process. The second
application is designated as a server application, so that when INETINFO.EXE
creates an instance of the WAM for a pooled application, that object will be
served up from a single COM+ surrogate process.
If you look at the properties for IIS Out-Of-Process Pooled
Applications, you'll notice that it is designated to run as a distinguished
principal, IWAM_MACHINE, where MACHINE is the NetBios name of the machine at
the time IIS was installed. This is a local account that is created by the
system at IIS install time. Every Web application that you designate to run
at the third level of isolation (isolated) causes IIS to create another
distinct COM+ application configured in a similar way.
To demonstrate the differences between these levels of process
isolation, imagine creating six virtual directories, App1 through App6, and
configuring them as follows:
App1: Low (IIS Process)
App2: Low (IIS Process)
App3: Medium (Pooled)
App4: Medium (Pooled)
App5: High (Isolated)
App6: High (Isolated)
Figure 1 WAM Apps Responding to HTTP Requests
Figure 1 shows the results if all of these applications are in
use simultaneously. Traversing over to the Component Services snap-in, here
is the complete list of COM+ applications that are now hosting WAMs:
IIS In-Process Applications
IIS Out-Of-Process Pooled Applications
IIS-{Default Web Site//Root/App5}
IIS-{Default Web Site//Root/App6}
As Figure 1 illustrates, App5 and App6 are configured to run in
separate server applications, also under the auspices of IWAM_MACHINE.
IIS actually doesn't hardcode the account name and password for
IWAM_MACHINE; you can get and set these values via the metabase. If you
change these values, IIS will use the new values from then on for the
identity of all new COM+ applications it creates. Here is some code that
displays the user name and password for the IWAM_MACHINE account. You must
do this programmatically; these attributes aren't exposed via the IIS
snap-in.
set w = getObject("IIS://localhost/W3SVC")
msgBox w.wamUserName & chr(13) & w.wamUserPass
If you make changes, remember that IIS doesn't attempt to
synchronize your changes with the security database (of course, you can do
this programmatically using ADSI). If you change this to a user name of
Foo\Bob with a password of shazam, you had better make sure that the Foo
domain does in fact have an account called Bob, and that its password is
indeed shazam. Also note that I used the older-style authority\principal
form for the name, because COM+ currently chokes on server identities in UPN
form (bob@foo.com).
Before you make a change like this, it's usually safest to use a
local account for a server's identity unless you absolutely need something
different. Anyone with administrative access to the metabase can read this
user name and password, so leaving this as a local account severely
restricts the damage that can be done if the machine is compromised and the
password disclosed.
Client Authentication
While Figure 1 is interesting, it doesn't show the full picture.
Every WAM thread that performs work in response to an HTTP request from a
client does so while impersonating an account. Which account that thread
actually impersonates depends on a number of factors, but it's critical to
remember that each WAM thread that makes calls to the file system, an ISAPI
application, or an ASP application (which is really just a stylized form of
ISAPI) does so while impersonating somebody.
There are various ways that IIS can determine the identity of
the client, and thus obtain a logon session for the WAM thread to
impersonate. They are, in order of preference: anonymous (no
authentication), certificate-based authentication, integrated Windows®
authentication, digest authentication, and basic authentication.
Each resource can have its own configuration for authentication,
and you can select one or more of these options via the metabase. Last month
I showed the metabase attributes for enabling or requiring client
certificates. For the other options, the AuthFlags attribute (a bitfield)
controls which authentication options are allowed. There are also three
subflags (AuthAnonymous, AuthNTLM, and AuthBasic), but they are rather out
of date. There is no corresponding AuthDigest subflag, and AuthNTLM should
really be renamed AuthNegotiate because it now means SPNEGO (Simple and
Protected Negotiation). Here are the bit values you can use with the
AuthFlags attribute:
0x00000001: Anonymous
0x00000002: Basic
0x00000004: Integrated Windows Authentication (SPNEGO)
0x00000010: Digest
Anonymous: No Client Authentication
You may have noticed from the previous list that IIS prefers not
to authenticate its clients. Authenticating each client consumes CPU
resources and increases network traffic. Many large commercial Web sites
don't typically rely on the operating system to perform authentication.
Instead it's done at the application level, frequently by asking for a
credit card number and verifying the billing address, or even by asking for
an application-defined password.
IIS has the notion of an anonymous Internet user account, which
defaults to IUSR_MACHINE, another local account (similar to IWAM_MACHINE)
that's created when IIS is installed. For a given resource, if the Anonymous
option is enabled, IIS will check to see if the requested resource (HTML
file, ASP script, GIF file, and so on) can be accessed successfully by this
account. If the DACL on the file grants access to the anonymous Internet
user account, IIS will execute the client's request under the auspices of
that account instead of trying a more expensive authentication option.
This means that IIS will impersonate the anonymous Internet user
account and open the file while impersonating. If, on the other hand, the
DACL denies access to the anonymous Internet user, IIS will move on to the
next authentication option in the list. Access will be denied if no other
option is enabled for this resource.
Note that I've been careful to label this account in abstract
terms. This is because it doesn't always have to be IUSR_MACHINE. Rather,
each individual Web resource (Web site, virtual directory, file system
directory, or file) in the IIS metabase has the following (inheritable)
attributes:
AnonymousUserName This is the name of a valid user account that IIS
will use to establish a logon session for anonymous Internet users when they
request this particular resource.
AnonymousUserPass The password for the account just described.
AnonymousPasswordSync This is a boolean attribute with magical
properties that I'll describe shortly.
By default, the W3SVC node in the metabase (the root of all Web
nodes) sets AnonymousUserName to IUSR_MACHINE and AnonymousPasswordSync to
True. This latter property is quite magical; when set, it causes
INETINFO.EXE to obtain a logon session without providing a password by
invoking a special subauthentication DLL in the LSA that basically gives you
a logon without checking the password at all. This is a nifty feature, but
beware: it's only supported for local accounts. If this feature alarms you,
remember that INETINFO.EXE runs in the System logon session and is therefore
part of the TCB. This is an example of a member of the TCB doing what it
pleases on the local machine.
Based on my own experimentation with IIS 5.0, if you use the
password synchronization option, the resulting logon session for the
anonymous user will be a network logon session with no network credentials,
which makes sense since IIS obtained the logon session without providing a
password. On the other hand, if you don't use this feature and you specify a
password explicitly, the logon session will be an interactive logon session
with network credentials. Of course, if you're using a local account, these
network credentials won't buy you much unless you've created a matching user
name and password on some other machine.
Another thing to be aware of is that when two or more resources
share the same anonymous account setting (which is typically the case), IIS
does its best to cache a single logon session and impersonate that session
for all of these resources, even across isolated application boundaries.
Certificate-based Client Authentication
Last month I described the SSL protocol and explained that as
long as the server has a certificate, the server is allowed to request a
certificate from the client. I also described the metabase attributes that
allow you to control whether IIS should request or even require a client
certificate.
Before IIS will accept a client certificate, it must verify that
the certificate is valid. This involves comparing the current date with the
valid from and to dates in the certificate, followed by verification of the
signatures in the certificate chain. Finally, IIS must determine whether any
of the certificates in the chain are trusted.
By default, each Web site trusts all certificates that haven't
expired, so it's a good idea to create a certificate trust list (CTL) for
your Web site that limits this trust to certificates for a selected set of
trusted authorities. To do this, bring up the property *** for the Web
site, choose the Directory Security tab, and then press the Edit button that
takes you to the certificate-related settings. Check the "Enable certificate
trust list" box. This tells IIS not to trust any authorities except those
you put in the CTL. Press New to invoke a wizard that will help you build
the CTL; it's pretty straightforward once you've figured out which
certificate authorities to trust.
As IIS validates certificates, it must check for revocation,
which can be time-consuming. By default, IIS skips this step, but you can
control it via the CertCheckMode metabase attribute on each Web site. This
is not available via the IIS snap-in; it must be set programmatically.
Setting this value to a number greater than zero forces IIS to check for
revocation, which may involve downloading a CRL from a certificate authority
or simply looking in a cached CRL. If you are serious about client
authentication, you should enable this attribute.
At this point, another metabase attribute becomes useful:
AccessSSLMapCert, which is really just another bit that can be set or
cleared in the AccessSSL attribute that I mentioned in my last article. If
this attribute is set to True, IIS will attempt to map the client's
certificate onto a user account within Windows via one of two mechanisms:
either IIS will use its own internal table of mappings from certificates to
user accounts and passwords, or it will ask a domain controller to perform
the mapping based on settings in the directory service. You can control
which method is used via the metabase attribute SSLUseDSMapper. This is a
global setting on the W3SVC node in the metabase, accessible via the Web
Service Master Properties in the user interface. As of this writing, you
cannot control this on a per-Web-site basis. By default SSLUseDS-Mapper is
set to False, which indicates that IIS should perform its own internal
mapping.
An administrator can configure the internal IIS
certificate-to-account mapping via the IIS snap-in. Each Web site has its
own set of account mappings, which can be edited by going to the property
*** for the Web site, choosing the Directory Security tab, and pressing
the Edit button that takes you to the certificate-related settings. After
checking "Enable client certificate mapping," which is just the
AccessSSLMapCert metabase setting, press Edit to configure the
certificate-to-user-account mappings.
There are two ways to map certificates to user accounts in IIS:
one certificate to one account, or many certificates to one account. The
first method requires you to obtain a certificate from the user (typically
packaged in a base-64 encoded ASCII file). The second method allows you to
simply specify a set of criteria for the various components of the
distinguished name for the subject and issuer in the certificate. For
instance, you can detect certificates issued by VeriSign in which the
subject's organization is ACME Corporation and map these certificates onto a
particular user account. With the many-to-one option, you can either grant
or deny access to a matched certificate. Denying access is easy; you just
need to indicate that this is your intention via a radio button.
If you want to grant access (using the one-to-one or many-to-one
options), you'll need to provide a user account and password, which IIS will
tuck away in the metabase. If you want to configure this mapping
programmatically via script, you'll want to check out the IIsCertMapper
interface. This interface currently allows you to set up one-to-one
mappings, but doesn't provide for many-to-one mappings, which must be set up
in the IIS snap-in.
If IIS authenticates a client via one of these internal
certificate mappings, the result will be an interactive logon session with
the network credentials of the account. This makes sense because the logon
session was created locally with a password. If instead IIS delegates
authentication to the directory service, it will establish a network logon
session that will (naturally) not have network credentials. If a match
cannot be found, or if the client did not submit a certificate, IIS will
move on to the next authentication option in the list, or will deny access
if no further options are available.
If Alice was issued a certificate from an enterprise security
authority in her domain (one that's integrated with the directory service),
her certificate will have enough information in it for the directory service
to determine which account is Alice's. For other clients, it's possible to
set up certificate mappings manually in the directory service. To do this,
bring up the Active Directory® Users and Computers snap-in, turn on the
Advanced Features option via the MMC View menu, then right-click on any user
account and choose Name Mappings.
Certificates can be the most secure way to authenticate clients
over the Internet when used properly, but there are other options available
if issuing client certificates doesn't make sense for your particular
application.
Basic Authentication
Basic authentication is the native authentication mechanism
built into HTTP/1.0. The client sends an HTTP request to the server, and the
server sends back a failure, demanding that the client prove her identity by
sending a user name plus a base-64 encoded ASCII password. Base 64 is not an
encryption algorithm; rather, it's an expansion algorithm that allows
Internet-unfriendly characters to be represented by friendly ones, and is
therefore completely reversible without a key. Thus, Basic authentication
only makes sense over an SSL-encrypted link with strong server-side
authentication. As long as you know who you're sending the password to, and
as long as you are assured that nobody but that server will see the
password, basic authentication works just fine. That assumes, of course, you
trust the server with your cleartext password.
If you attempt to turn on this authentication mechanism in the
IIS snap-in, you'll get a very nasty warning that tells you not to do this
unless you plan to use SSL to secure the connection. This is great advice.
You should require SSL for any resource where you plan to allow basic
authentication. If you can't afford a public key infrastructure, this
combination will serve you well.
When IIS receives the client's user name and password, it will
check the LogonMethod attribute in the metabase to determine which type of
logon session to establish. There are three options: interactive logon (the
default), batch logon, and network logon.
The first two result in a logon session with network
credentials-the network logon naturally does not have network credentials.
Which one should you choose? Well, a batch-style logon will be pretty tough
for most clients to establish, since no principals are granted this logon
right by default. An interactive logon is more wide open in this respect,
depending on the type of machine your server runs on. Domain controllers
severely limit the right to an interactive logon. However, establishing an
interactive logon can be considerably more expensive (especially for domain
accounts) than establishing a batch or network logon. Generally everyone is
granted a network logon on any machine, including domain controllers.
Whether it's good security practice to run a public Web server on a domain
controller is another question entirely; in my opinion you should avoid
doing this, as I'll explain shortly.
One thing you should be aware of when using Basic authentication
is that Web applications (either CGI, ISAPI, or ASP) can get access to the
client's cleartext password via a server variable named AUTH_PASSWORD. I
know of no way to disable this, which is too bad considering that IIS has
already used the password to authenticate the client; letting this
information leak through to scripts is dangerous. Just because you trust the
TCB of a server with your password doesn't mean you want to trust all of its
scripts with your password as well. However, even if this little flaw didn't
exist, trusting the TCB of the Web server with your credentials may be more
than a security-conscious client is willing to do. In that case, consider
using a client-side certificate, which is ultimately a client's safest bet.
Digest Authentication
Digest authentication is a relative newcomer (it was introduced
with HTTP/1.1) and was first implemented by Microsoft in IIS 5.0 and
Internet Explorer 5.0, but it will likely have limited use as
certificate-based authentication becomes more popular. Digest authentication
is somewhat similar to NTLM; it's a simple challenge/response protocol that
allows a client to prove knowledge of a password without transmitting the
password across the wire. It does not provide mutual authentication, and it
doesn't provide a way to exchange a session key for data encryption or MAC
generation. It also requires password storage for users to be weakened
significantly. The passwords must be stored in such a way that the domain
controller can decrypt them to obtain a plaintext password. This is known as
reversible encryption as opposed to one-way encryption.
Probably the most dangerous thing is that the only way this
mechanism can be used is if the Web server resides on the same machine as
the domain controller (to have access to those cleartext passwords).
Exposing a public Web server from a domain controller opens some serious
security risks; you'd better make absolutely sure that all the applications
on your server are sandboxed or bug-free because a compromise of the TCB of
a domain controller is a compromise of the domain itself. I mention this
protocol only for completeness. If you care about securing the transactions
on your Web server, you'll get a server certificate and use SSL to encrypt
the session.
The authors of the Digest authentication spec RFC 2069 (see
http://www.ietf.org/rfc/rfc2069.txt) state their position as follows:
Digest Authentication does not provide a strong authentication
mechanism. That is not its intent. It is intended solely to replace a much
weaker and even more dangerous authentication mechanism: Basic
Authentication. An important design constraint is that the new
authentication scheme be free of patent and export restrictions.
Most needs for secure HTTP transactions cannot be met by Digest
Authentication. For those needs SSL or SHTTP are more appropriate protocols.
In particular digest authentication cannot be used for any transaction
requiring encrypted content. Nevertheless many functions remain for which
digest authentication is both useful and appropriate.
Integrated Windows Authentication
The Integrated Windows Authentication option tells IIS to engage
the user agent in a native Kerberos or NTLM handshake piggybacked on HTTP.
These extensions are not supported by non-Microsoft® browsers, which
significantly limits their appeal for use with clients on the Internet at
large. Another problem with using Kerberos or NTLM is that neither protocol
gets along very well with firewalls. For instance, the Kerberos KDC listens
on port 88 for TCP or UDP requests. Can you imagine any administrator in her
right mind opening this port to allow random crackers on the Internet to
have direct conversations with the most trusted entity in the domain? I
think not. Microsoft and Cisco have proposed extensions to Kerberos (see
http://www.ietf.org/internet-drafts/draft-ietf-cat-iakerb-03.txt) to work
around this problem, but it still won't solve the browser problem. Most
browsers expect to use certificates to authenticate their clients.
Within the perimeter of the firewall in the confines of a
Windows-only enterprise, however, this is a very convenient authentication
option. Alice doesn't need to be issued a certificate to participate; she
just has to agree to use Internet Explorer and the system will use the
network credentials that were established when she logged in via WinLogon to
authenticate her to IIS servers on the company intranet.
The result of this form of authentication is (naturally) a
network logon session on the server. This assumes the client is not running
her browser on the same machine as the Web server. In that case the client's
local interactive logon session will often be used directly.
If authentication fails using the client's default
credentials-either because of problems with authentication or because the
client has not been granted access to the resource-Internet Explorer will
pop up a dialog asking for alternate credentials, allowing the client to
retry.
Server Applications
Three classes of server applications are in common use with IIS
today: raw ISAPI applications, ASP script-based applications, and CGI
applications. All of these applications are ultimately derived from the
basic CGI model that provides a set of variables describing the client and
server environment and the request, along with input and output streams for
reading and writing the request and response headers and bodies. The
interface that exposes these variables and streams to the application
differs significantly between the three application types, but the basic
information provided is similar. Figure 2 shows some security-related
variables.
I wrote a simple script that echoes these security-related
variables, and I ran it several times while changing the authentication
options on the server. Figure 3 shows my results when running over HTTP.
Note that I've omitted all the certificate-related fields because they were
all empty.
Figure 4 shows the results of the same script invoked over
HTTPS. The chart explains which elements relate to the server-side
certificate as opposed to the client-side certificate. Both client and
server certificates in this case were generated by the enterprise
certificate authority in my test system quux.com.
ISAPI Applications
ISAPI applications are hosted by the appropriate WAM depending
on how the Web application is configured in the metabase with respect to
process isolation. Each thread that enters the ISAPI DLL will be
impersonating an account. The particular account being impersonated will
depend on the mechanisms that I've just described. One interesting
difference between IIS 4.0 and IIS 5.0 is that on the earlier platform calls
to GetObjectContext failed with CONTEXT_E_NOCONTEXT, which made it
impossible for the ISAPI DLL to call IObjectContext::CreateInstance. This
was required in Windows NT® 4.0 to flow the impersonation token to the
configured component being created (to perform role-based access checks
based on the client as opposed to IWAM_MACHINE or SYSTEM). This requirement
was removed in IIS 5.0, and the client's security context appears to flow
correctly, at least according to my own experiments.
ASP Applications
While ASP is implemented as an ISAPI DLL, it provides its own
thread pool and transfers incoming requests from the WAM thread onto its own
thread before making calls into your scripts. Never fear; ASP also transfers
the token on the WAM thread to its own thread before making the call, so
threads entering ASP scripts will always be impersonating using the
mechanisms I've described previously.
As I pointed out for ISAPI applications, in IIS 4.0, it's
critical that you call IObjectContext::CreateInstance when creating
configured components, otherwise the thread's security context will not be
propagated to the new object. This can either cause all of the calls to be
denied (typical if your WAM is running under IWAM_MACHINE), or all calls to
be allowed since SYSTEM is not subject to role-based access checks. (This
happens if your WAM is running in-process in INETINFO.EXE. It's not a
problem at all in IIS 5.0.)
So for IIS 4.0, it's critical that scripts use
Server.CreateObject to instantiate objects, although using <object> tags is
also safe. Forgetting to do this can lead to unpredictable and unsafe
behavior.
Another interesting security-related tidbit is that if a client
submits a certificate, you can access all the information in that
certificate from ASP by using the Request object's ClientCertificate method.
Here's a simple ASP script that echoes into a table all the attributes in
the client's certificate.
<table border=1 cellpadding=3>
<thead<>td>Key</td<>td>Value</td<>/thead>
<% for each key in Request.ClientCertificate %>
<tr<>td<>%= key %<>/td>
<td<>%= Request.ClientCertificate(key) %<>/td<>/tr>
<% next %>
</table>
CGI Applications
ISAPI and ASP applications run in the logon session of the
client or anonymous user (or at least their threads run in that logon
session via impersonation). CGI applications run the same way, except the
entire process is directed into the client's logon session as opposed to
just a thread in that process. This is a great sandboxing measure for CGI
applications, but there is a metabase attribute that can be used to force a
particular CGI application into the System logon session. This attribute,
known as CreateProcessAsUser, is set to True by default, which is where you
should leave it. Like most metabase attributes, it is inheritable.
Setting this attribute to False causes CGI applications to run
in the System logon session in the noninteractive window station. The
noninteractive window station is not in any way a sandbox; when running as
SYSTEM you can pretty much move to any window station you desire.
IIS as a Gateway into COM+
The primary reason for incorporating a Web server in a
distributed three-tier application is to broaden the reach of the
application to a multitude of platforms. Imagine trying to use DCOM to reach
clients on all the various flavors of Unix, or on a handheld device or
pager. A Web-based front end is the de-facto architecture for reaching
across the Internet at large.
However, the natural architecture for a classic three-tier
Windows-based distributed application is to use a Web server only as a
gateway into a more structured environment built with COM+ components. From
a security standpoint, this architecture makes a lot of sense and can help
you avoid an overabundance of application-level security checks. The less
security-related code in your application, the better off you'll be.
Since IIS provides a plethora of authentication services that
you can choose declaratively, all you have to do is figure out a way to
smoothly move the client's security context from the WAM into your COM+
components and let COM+ role-based access checks do the heavy lifting. ASP
goes to great pains to do its part by transferring the client's token from
the WAM thread to the ASP thread. COM+ also gives you a boost by using
dynamic cloaking in all COM+ applications by default. Since the WAM is a
configured component, it runs in a process where dynamic cloaking is
enabled. Thus each outgoing COM call you make from an ISAPI application or
ASP script will go out using the client's security context.
Recall that dynamic cloaking implies that outgoing COM calls are
sensitive to the thread token; without cloaking turned on, COM ignores the
thread token for outgoing calls. Things didn't work nearly as smoothly in
Windows NT 4.0, as I discussed in my November 1999 Security Briefs column
(see http://www.microsoft.com/msj/1199/security/security1199.htm). Figure 5
shows the natural three-tier architecture in which IIS acts as the gateway
into a collection of COM+ components in the middle tier.
Figure 5 IIS Three-tier Architecture
If you plan on co-locating the Web server and your COM+
applications on the same machine (as in Figure 6), the security architecture
will be very natural and obvious. There might even be a farm of these
machines, each with a Web server and a set of equivalent COM+ applications,
but that's not a problem. The key is having the Web application and the
components it uses located on the same machine. Since dynamic cloaking is
turned on in the WAM by default, when you make calls from your scripts into
your local COM+ components, role-based access checks will occur naturally
against the client's security context.
Figure 6 Web Server and COM+ Apps on Same Machine
On the other hand, if you plan on putting the Web server on one
machine and your COM+ components on a separate machine (see Figure 7),
you've got to make sure that the client's logon session on the Web server
has network credentials to survive the hop from the Web server machine to
the other machine where the role-based access checks will occur. If the
client's logon session doesn't have network credentials, you'll end up
making the call using a NULL session. If your client was in fact
authenticated, you've basically just dropped that information on the floor.
Figure 7 Web Server and COM+ Apps on Separate Machines
Figure 8 shows when the logon session for the client will have
network credentials and when it won't, depending on the type of
authentication in use. It assumes the client is on a different machine than
the Web server.
As you can see, the options are not very pretty. Practically
speaking, if the client is authenticated (not using the anonymous account),
unless you're using Basic authentication, you're not likely to have network
credentials. You will therefore not be able to pass the access control
responsibilities on to COM+ components on a different machine in the middle
tier.
If you're adamant about using this multi-hop architecture, you
might consider using a COM+ library package configured with role-based
security as a layer between you and the remote objects that your script
would normally talk to directly. These library components can mimic the
remote object's interfaces. In fact, this code can be generated
automatically based on a type library if you simply delegate calls to the
remote object. The beauty of this model is twofold.
First, you shouldn't make calls from ASP scripts directly to
remote objects because most scripting languages double the number of
round-trips required to make each method call (think
IDispatch::GetIDsOfNames followed by IDispatch::Invoke). If you generate the
code for the library component layer in a vtable-friendly language like
Microsoft Visual Basic®, the Java language, or C++, the IDispatch
round-trips will be negligible because they'll happen locally between your
script and the library components. When the library components actually make
calls across the wire, they can use vtable interfaces and execute the call
in a single round-trip.
Second, your role-based checks will now work as desired since
the COM+ interceptors in the library application will see the client's
security context. Note that this trick requires Windows 2000, as MTS library
packages have no notion of role-based security.
Miscellaneous Topics
Here are some miscellaneous tips and traps to watch out for.
Using Client IP Addresses to Control Access Because HTTP is designed
to run over TCP/IP, and TCP/IP headers include the source IP address and
port, it's possible to grant or deny access purely on the basis of the
client's host address. While this is an interesting feature that is commonly
used to block unsophisticated pranksters from accessing Web resources on a
server, unless this policy is backed up with IPSec (which authenticates host
addresses cryptographically using Kerberos), simply relying on a client's
advertised host address to determine access restrictions is very insecure.
Spoofing a network address in a TCP request is relatively easy in the big
scheme of things. If you decide to use this feature and want to set this up
via a script, you'll use the methods defined under the IIsIPSecurity
interface.
Mapping Virtual Directories to UNC Paths This is an interesting
feature that IIS supports. Instead of having a virtual directory map to a
file system on a local device, you can direct it to a remote host by
specifying a UNC path (\\machine\share). Remember, though-IIS is always
impersonating when it accesses files for a client, and depending on the
authentication mechanism you've chosen, the logon session being impersonated
will probably not have network credentials. Thus there are three metabase
attributes for every virtual directory that come into play when a UNC path
is in use.
UNCUserName The user name that should be used in lieu of the actual
client's identity to access the resource. According to my own experiments,
this must be in authority\principal form, rather than UPN
(principal@authority) form.
UNCPassword The corresponding password for the account.
UNCAuthenticationPassthrough Instead of setting a user name and
password, you can set this attribute to True (the default setting is False)
to indicate that you want to attempt to delegate the client's credentials if
possible to make the additional network hop to the remote file system.
If all parties involved support Kerberos, the computer that
hosts the Web server has been designated as trusted for delegation, and the
client's account has not been marked as sensitive and cannot be delegated,
the Lan Manager client will ask for a forwarded TGT for the Web server to
use to delegate the client's credentials and make the call. This, of course,
assumes that you've enabled Kerberos authentication for the virtual
directory by selecting Integrated Windows Authentication. There are so many
planets that must align correctly for this to work that it may not be
worthwhile to even enable this option, but it's probably no worse than a
hardcoded user account.
When you hardcode a user account and password, IIS only verifies
that the client can be authenticated according to the AuthFlags attribute
for the target resource. This means if you've allowed anonymous access,
everyone gets past this hurdle. Once the authentication requirement is
satisfied, IIS ignores the real client's identity and instead establishes an
interactive logon session for the user specified via UNCUserName. This of
course, will fail if the specified user has not been granted the interactive
logon right on the machine hosting the Web server. IIS impersonates this
logon session as it would normally impersonate the client's logon session,
or IUSR_MACHINE, and executes the request. This means that if you are
targeting an ASP script via UNC redirection, that ASP script will never see
the actual client authenticated by IIS. Rather it will see the user
principal specified via UNCUserName. This can lead to security holes unless
you're paying attention, so watch your back.
Using RevertToSelf to Reenter the TCB Imagine that you had a Web
application that ran at a process isolation level of low (in other words,
inside of INETINFO.EXE). While this can be dangerous, it can also allow you
to do very powerful things. However, since all threads that call into your
application from the WAM will be impersonating someone, you need to rejoin
the TCB temporarily if you need to execute privileged code (for instance, if
you want to call LogonUser). The following code shows how this can be done.
I've packaged this in a nonconfigured, in-process apartment-neutral COM
component so that you can call it directly from an ASP script.
HRESULT Foo::DoSomethingPowerful() {
HANDLE htok;
OpenThreadToken(GetCurrentThread(),
TOKEN_IMPERSONATE,
TRUE, &htok);
RevertToSelf();
// we're now executing in the TCB!
// your code goes here
SetThreadToken(0, htok);
CloseHandle(htok);
return S_OK;
}
This code temporarily removes the thread token, causing the WAM thread
to execute in the security context of the process-in this case INETINFO.EXE
and the System logon session. Note that the code carefully replaces the
token on the thread before returning to the WAM. Restoring the environment
this way protects the application from any assumptions that ASP or the WAM
might make, and is purely a precautionary measure.
Calling this code from a Web application configured at medium or
high isolation also allows you to run in the security context of the host
process, but in this case it won't be in the System logon session. Rather it
will typically be IWAM_MACHINE, which is not very privileged at all, at
least by default.
If at any time you want to find out what security context your
ASP script is running in, you can download a little component that I built
called the token dumper (http://www.develop.com/books/pws). This COM
component exposes a single method that scripts can invoke.
HRESULT TokenDump([in] long grfOptions,
[out, retval] BSTR* pbstrResult);
The options allow you to limit the output in some ways (see the
documentation that comes with the tool for details). Just pass -1 if you
want to get all the output. This function will dump the token contents,
including the details of the thread and process tokens, into a printed HTML
stream. I've found this tool invaluable in debugging secure Web
applications. Here's how to use it in an ASP script:
<%= createObject("tokdumpsrv.tokdump").tokenDump(-1) %>
Where to Get More Information
IIS documentation ships with the software itself. Just go to a
machine that has IIS installed and surf to http://localhost/iishelp. As of
this writing, the IIS 5.0 documentation is somewhat out of date, but
hopefully the next service pack will fix this. The Platform SDK also
includes this documentation. I would expect this to be updated sooner than
the IIS software documentation, but only time will tell.
--------------------------------------------------------------------------
For related articles see:
http://www.microsoft.com/mind/1099/inside/inside1099.htm
http://msdn.microsoft.comhttp://msdn.microsoft.com/workshop/security/default
.asp
For background information see:
http://msdn.microsoft.com/library/
psdk/certsrv/crtsvnode_intro_8f3n.htm
http://msdn.microsoft.com/library/ psdk/crypto/cryptovrvw_8395.htm
--------------------------------------------------------------------------
This article was adapted from Keith Brown's Distributed Security in
Windows NT (Chapter 11) © 2000 Addison Wesley Longman, Inc. Reproduced by
permission of Addison Wesley Longman. All rights reserved.
--------------------------------------------------------------------------
Keith Brown works at DevelopMentor researching, writing, teaching, and
promoting an awareness of security among programmers. Keith authored
Programming Windows Security, to be published by Addison-Wesley in June
2000. He also coauthored Essential COM, also published by Addison-Wesley
(December, 1998).
--------------------------------------------------------------------------
>From the July 2000 issue of MSDN Magazine.
----------------------------------------------------------------------------
----
Send feedback to MSDN
© 2001 Microsoft Corporation. All rights reserved.
"Larry Hastings" <greg.NOSPAM.@NOSPAM.unixsucks.com> wrote in message
news:uu7sbilkv7jsba@corp.supernews.com...
> Logon type if different for both events. One if local logon (logon 2) and
> second one network logon (logon 3).
> Check if that user can access file shares on that machine from remote
> location. Is there any other event messages about failed logon?
>
> --
>
> G
> http://www.unixsucks.com
> "John" <jonashbaugh@hotmail.com> wrote in message
> news:O40022XlCHA.1356@tkmsftngp04...
> > I have turned on all security auditing and this is what I have found.
When
> > trying to connect using the code I get this:
> > Logon Failure:
> >
> > Reason: Unknown user name or bad password
> >
> > User Name: USeRx
> >
> > Domain: VCNET
> >
> > Logon Type: 3
> >
> > Logon Process: IIS
> >
> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >
> > Workstation Name: WRK1
> >
> > When connecting to the site via a browser I get this:
> > Successful Logon:
> >
> > User Name: USeRx
> >
> > Domain: VCNET
> >
> > Logon ID: (0x0,0x5FC98)
> >
> > Logon Type: 2
> >
> > Logon Process: IIS
> >
> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >
> > Workstation Name: WRK1
> >
> > Logon GUID: {00000000-0000-0000-0000-000000000000}
> >
> >
> > Is there a security policy I am not setting up correctly?
> >
> >
> > "nu-k-ar" <nospam@plz.com> wrote in message
> > news:ejxB5fWlCHA.2240@tkmsftngp04...
> > > 1.) turn on all your security policy logging
> > >
> > > 2.) check if u have an real login (means kerberos token)
> > > 3.) if u go to an remote sql-server (integrated sec), mark u're
> > web-service
> > > server "for delegation" in the AD
> > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q283201
> > >
> > > 4.) disable integrated sec on the web-server cause integrated is
> stronger
> > > than basic
> > >
> > > 5.) if u go with integrated then u deliver a kerberos token
> > >
> > > isent it NetWorkCredential.getGredential(URI)
> > > cred.user
> > > cred.pass
> > > cred.realm
> > >
> > > check your security logs...
> > >
> > > blaaa....
> > >
> > > .::[nu-k-ar]::
> > >
> > >
> > > "John" <jonashbaugh@hotmail.com> wrote in message
> > > news:#2ltUjVlCHA.2036@tkmsftngp07...
> > > > We have basic authentication on through IIS. We are running a win xp
> pro
> > > > server. When trying to access the site via a browser I get the login
> and
> > > > password page. I put in the valid login and password and I am able
to
> > > access
> > > > the site. However through our code we cannot access the site
> > > automatically.
> > > > I am missing something? Thanks in advance. This site is accessible
via
> > the
> > > > internet.
> > > >
> > > > Private Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As
> > > > System.Web.UI.ImageClickEventArgs) Handles btnLogin.Click
> > > >
> > > > Dim Service As New localhost.ABCService()
> > > >
> > > > Dim credentials As System.Net.NetworkCredential = New
> > > > System.Net.NetworkCredential("USeR", "xxxxxx")
> > > >
> > > > Service.Credentials = credentials
> > > >
> > > > Dim Info As String = Service.Login(LCase(txtUser.Text),
> > > > LCase(txtPassword.Text), LCase(txtCompany.Text))
> > > >
> > > > Dim str As String
> > > >
> > > > If Info = "Error" Then
> > > >
> > > > Response.Redirect("login_err.aspx")
> > > >
> > > > End IF
> > > >
> > > > End Sub
> > > >
> > > >
> > >
> > >
> >
> >
>
>
begin 666 mmlogosm.gif
M1TE&.#EA> `N`/?_`/____[^_OW]_?S\_/O[^_KZ^OGY^?CX^/?W]_;V]O7U
M]?3T]//S\_+R\O'Q\?#P\._O[^[N[NWM[>SL[.OKZ^KJZNGIZ>CHZ.?GY^;F
MYN7EY>3DY./CX^+BXN'AX>#@X-_?W][>WMW=W=S<W-O;V]K:VMG9V=C8V-?7
MU];6UM75U=34U-/3T]+2TM'1T=#0T,_/S\[.SLW-S<S,S,O+R\K*RLG)R<?'
MQ\;&QL7%Q<3$Q,/#P\+"PL'!P<# P+^_O[Z^OKV]O;R\O+N[N[JZNKFYN;BX
MN+>WM[:VMK6UM;2TM+.SL[*RLK&QL;"PL*^OKZZNKJVMK:RLK*NKJZJJJJFI
MJ:BHJ*>GIZ:FIJ6EI:2DI*.CHZ*BHJ&AH:"@H)^?GYZ>GIV=G9R<G)N;FYJ:
MFIF9F9B8F):6EI65E924E).3DY*2DI&1D9"0D(^/CXZ.CHV-C8R,C(N+BXF)
MB8B(B(>'AX:&AH2$A(.#@X*"@H&!@7]_?WY^?GU]?7Q\?'M[>WEY>7AX>'=W
M=W9V=G5U=71T=')R<G%Q<7!P<&]O;VYN;FQL;&MK:VIJ:FEI:6AH:&=G9V9F
M9F1D9&-C8V)B8F%A86!@8%]?7UY>7EU=75M;6UI:6EE965A86%=75U965E55
M55-34U)24E%145!04$]/3TY.3DU-34Q,3$M+2TI*2DE)24A(2$='1T9&1D5%
M141$1$-#0T)"0D! 0#\_/SX^/CT]/3P\/#L[.SHZ.CDY.3@X.#8V-C4U-30T
M-#,S,S(R,C$Q,3 P,"\O+RXN+BTM+2PL+"HJ*BDI*2@H*"<G)R8F)B4E)20D
M)",C(R(B(B$A(2 @(!\?'QX>'AT='1P<'!L;&QH:&AD9&1@8&!<7%Q86%A45
M%104%!,3$Q(2$A$1$1 0$ \/#PX.#@T-#0P,# L+"PH*"@D)"0@(" <'!P8&
M!@4%!00$! ,#`P("`@$!`0``````````````````````````````````````
M`````````````````````"'_"T%$3T)%.DE2,2XP`M[M`"'Y! ``````+ ``
M``!X`"X```C_``$('$BPH,&#"!,J7,A0( =DSR)*E!BCH<6+&#-JO!B"7;R/
M($'FV$BRI,F3`T.D"\D2!\J7,&,:5,DRI$N9.'.2I%GSXTV=0(,JY-GSI]"C
M2(G6-(JTJ4ZE+9T2#*!AQ0H-`A160.$"Q &+`2:8:,&"A(2L#2/LR%)FRPT%
M`J':O*C `XL1#A 2NF2IKU],801NZ"-L7+MVXXC]X5#P0Q]?W]:],\?L$H^$
M'<1H"M9-G3MWZ+H-PY1%0L(2CJRQ;.9&0 9U/3_NT,/7;U],> 0R^#(J6CG0
MUU2!@4M@X+;8FP!(P19;6Y2!8KS%CH<)0L$0D<)-!UD-30"#7\!-_U=%8]ST
M'LEB%P. P]CT8D0(/HN-R B\[>^H`&BS_2,M!@-MP4U_++&2`4%J$#@-.N?]
M$ILL+(BW'3LX#& ``O/U) LU!&:CQCL$QG.(0&:$6!,Q%@A$Q'TFQM:#@SWQ
MDDN(XF@@4(8MYLC2. R\X)&.'ZT"0 ++`%G3B[&!:"(?-QKII!"C3%>.-M]L
M1\463K*$9)8?Z=(DESE.8EY-OT#1P007W,!(3^R<XLMVO*!A1BK];;D=@]M-
M`Q>./4EBQ!.W]#<,'&G$LETVL65A4!CQJ,/,*'H\4<(.2L:8P$">;&=G3[#D
M$,(4$O;D38I\LA3*0!A4&9LR#P@D`"] .O_310D2?"<0#!X4-U :VUE!T Z:
MPMA3-Q0,M,ATXVP`0*DA:4'0+-,Q.5 D3K*C33&L0,*&#@<2Q,ETZXQ $ CK
M-#B=*021,=TY'BP[G1 $H3(=%@2M&9MT.:(3S!XF""1L3=,L0)!<(&W*DB($
M>;%NN\R"! 1!=,;&!$&-3+?*F#J6\T<#S4P'S'4KN?@O2X 0],7"[L86!,33
M)4'Q='Z$DJ4NW4S'"LCFQA:(R2@W_-'*`T7<DQ(OQZ;'">> &1LH.(L\W<X#
MG1P;NRGW!+1 0M=$]$ 5QS8(`$.HIC1+3 \<<D\&AP2U0%+W1+7/\5P-0-8L
M;2U0USU]#4 'CV#_/+:09N?<T]H`M%W3V]/)37=(=@. =TUZQ\7&*MJ,_<MU
ML#FM,\]3,YPXR[$U_CA+@APD00]J*%(*,)4#Z8UI`[G (MHCJ\VYVYZK#/K0
M1>=]0 @Y:'&')G$8),$-E+BC8^/J"EX3X8:SA+CN04\G^G3:/),T2.A4=!!S
M.?9B'0`6*!/LT[<?GKO5NVO=NXG;M%'"`@,,P, *B"BO8S*""-+Q^9N+6L\^
M5[W0O:]%ZIC&,I9!C79,9QIC2QM(H#= ZF'->@<,R2W(P25?M("#8)+@1RC8
MN:K51'$8Y-IT[M"%+'7C!0!X@XDXI+G!I4]ZZSMA^^J6P0D"``X.U!$R_V8P
MD$P0:!* <!Y+2(@[`%1C.D,@B"NF,[%I3<<0`M%!+5K$C4# 3B #4,1V7G$`
M04SG!\283B$(PJC8M.,#`+#%-*1!QSI.@QHC&4@EJE%'.U)#;G[@8Q_I6 T[
M#"0`1Z@$,X)8DV[4H@[*.@@27G&VCV#C#P@`P!T$V<=I3,,&J*!&'Y%AC&=4
M@PX$F0(G.ZD,&R% `0F(I2P3H "T".0`L)QE+!4P`((48 &ZC.4""F"0`ZA
M"6200QWF8 8HV* "#2F!%>!0!S04H5@"^64"# ```<Q2`+B<91*V$()A$F0`
MN=0E+&TEE7821 &!F,)";K&.(KCSGF"CP@K(@/^#"Y1A:R@@@QGR.($KN*$3
MZG@#!*S0AB8(S E<N (6:C"&0K1 "4Z0P1EZ(! 9K&$*`L,G3APD'G6(+0A/
M<$<W!I2&!BC#'=!"A0B@`8_YM (!Q!@3)*:8!0YI!QXG,$,[J'&.8'1+I# )
MU!JF^(=-Q.,-+0"$'#H1CU&8(!['F,$ZP!&"-P@"#X?9P *BP(YME&"+6#!?
M%6P1CSAHXQU=.$4\_H#4F 3J!IJ(AQ',F 8F1 ,:N(C'*0@P"W$$`Q=4`$$N
MOM&*=)3#`1)XACET``!8I34>(I#7(];1#EW8(A?2JBM*9N2#3\2#"8:(AQR"
M$0\VS"$>GPA".Y*1"#JSS* 0\8@%#MQ1#@RP(AZDR $+=A&/+# C'BGXK1Q4
M`P4Y[ (,HGU)+=S1@TVX8PF$<,<9\ "/=/#"':>X@3K.H3QX7&(;\"#&-<*A
MA'2XPR.BB(4[KH ,=Z `%>Z(PA*N\9%@E""Z*/E "A2@@10PP (IL X,:H `
M%'1 $O&PPQ(L$8\\:$ '$=A @DV @A2H@ ,>2($#1( "`W0@!:V2@ YHT$L`
0.X4(O+C&-*)!BDCJ)" `.P``
`
end
begin 666 t2000.gif
M1TE&.#EA+ `_`,3_`/___[F3@;>IK;6_V:Z'<ZNBJI9Z;HU8-(QC2HQ=/UM@
M;2\:"BTP-B,3""(D*1<8&P```,# P ``````````````````````````````
M`````````````````````````"'^`"'Y! $``!$`+ `````L`#\`0 7_("2.
M9&F>Z!F@RN"^<"S'P6(:Z<G,+Y*7N!]IQQOXA*(@$D+D'9%*9'/V%$:%4UGU
M=Q4V%N!PN+&$=,OH&ZO(GM74Y6QLFSNGY#!ZRH["]\I\.FQZ*($F?BZ$)X9I
M@(V/)BLG+6V5+F] :Y:5F"1VE)MLG2.,0X..<:=+I2.(1JA+KHIPL:I0:+*P
M4K96N+Q<OD6SF:G"NI"/!@'+S,W.S]#1T 7(U9+5C]0Z"MS=WM_@WPPGVB:@
MH3RC(N4EY^@RZA#L).[O,/'S(_7VES8E^2(>(!A($($!-@0*$CQ YE\P)V4`
MWOF50V(?BBDL"C*V1.,AC"@\ELC5\2&5B":U/Z L!K$DRY,N:W%$(M+43"$U
M6X$DEW+.2IDM:?;,\W/7S1\Y19 4^E)E3"0."@B82I5J@J+8T"3-2F(KUW4A
#```[
`
end
begin 666 websecure2fig01.gif
M1TE&.#EA+ 'S`/<``*5F<I98:M!@E_;?ZK,`6;@08[T@;L$P>,9 @\M0C=1P
MHMF K-Z/MN.?P>>OR^R_UO'/X'<[6OKO]:@F<_'G[?CS]II4@*%@B;>%I+Z1
MK8L[;I)'=ZALDJ]XF\6=M]2VR=O"TN+.V\RIP.G:Y)Q,C)%QIHY[K(N$LHB.
MN>'E[_#R]X67OT-,8&1QCXV>PY2DQYRKRZ2QS[.^U\++W\K2X]'8YZNXT[K%
MV]G?ZW. E^CL\V%H;_?Y^Y&=IZ"KKS8[.VQW=08+"B Y-!,B'PT7%2TW-=GM
MZ:*QKN+Q[NSV]/7Z^29%/CEG73-<4V:WI6"LFUF@D$9^<4V)?$!R9W"\JWG
ML(/%MHS)O);.P9_2QX:EGK+;TK/;TKS@V,7DW<;DW<_IXQHN*:G7S%EN:=GM
MZ.+R[F^ZH_7[^7B]H(# GBD\,2(Q)XG#FV>2=#A+.9O)ED=90:S/DA8:$F5V
M4;72CW2$68.38$E1-).A:&YY3IVBCR4H&L_;B#0W(IND9LG0?;R_GY697(:*
M5$-%*M?3CAX=$$Q()]3*;L6\9FIE-UM7+_+G?N/9=K:M7Y>03XB"1WET/Z:?
M5STZ("TK& \.",NG>+^1=J^#;KB&=:!T9O___^_O[]_?W\_/S[^_OZ^OKY^?
MGX^/CX" @']_?W!P<&!@8%!04$! 0# P," @(! 0$ ```/___P``````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M`````````````````````"'Y! $``*P`+ `````L`?,`0 C_`#4)'$BPH,&#
M"!,F(<.PH<.'$"-*G$BQHL6+&#-JW*@DH28E&T.*'(DQB<>3*%%N<<*RI<N7
M,&/*-'*F"Q4KFL2 $5.&"Y8J.9V X9+$"I<R7Y :<:GI"A<P8+HX.9-%DY4K
M28XZ,0*F9TN>/J=F.3-5I] O7ZI<T;25*):U7-C*G$M7)AF/9.JR7.MD;9<D
M1I)<<9(UB1,N1C0AEOO2B./'3K)TS;+V"I7!@<NPY;LV"9BEFKYPT>MD2\K3
MJ >N),VZM>O7L&/+EGTW85Z836.6&>P2,6[>,*O,ELF7M>G4R$^N'LX\C!3F
MT*-+AUE;X*J"MZ?/=9I%>^SCR<,;_US>DL^B\^C3JU_/OGUZ28W<RY]/O[[]
M]I)*;1(8JA C^FQ01]!U!&7GTGT()KB>(?KQ1\E_\\4!$WCB5:@)>2R9I^"&
MY\''X8<@)K@*@@&^5)TF! YD8$LAMBB?A_9)^!*%%H:'H1.#Q*>>)1KTZ../
M0 8IY)!$]@C ?8Z@LI] IBBBW@I01BFEE#%H`H,F*=R0P@HQ\+#E"@*]4(,F
M,TQI9I3ME>C2B2D*M&(8J\2IR"'G.9+*DIJ48LB39YI9Y959;MGEEV&.66:?
M4[8GHTLT#C0**IZLXHDFHYPB4*0"G9+**9_8"-,?[/$HI >::&#!!1R4J@D'
MJ?:HR0@5>/_@8PBRTMHC!A5\,.21+IZ'Z*_ !ILH>VJV=*)!*[*TH;#,-COL
M>HNV9!HIH)!"J2F=4$J*M=56JTDGIHRBR2:EZ ?**JAH\@FG*L$T1YR40 *A
MJ!I\$(*N%WP`0@<:B" ""!JTBH$(&G00`@8:7&#K!YH0',(%&G@``L0B8/"P
MD?<UHDJVXZ(""9]F$B#RR 0\,, `#Q"@"0(K+_" RR)KL@#)))=@9IH"VA;3
M>AISO DJB8 \)<TBFXRRRBPCX#+,"1@`,]$V/ZM>M"PU6J-!GHRB]=9;C]'$
MUV#?$>?8JRAR29%HIZVV!KSVZNS;S.)L(EX[*PCWW;\J.N'5%=[_J*&","(8
M>*^$%UY?L2P=BUW=AC=>']6E\2V>WQP.;I_ECF<NWR&0K)*(C@#FC%"R3F@.
M(N>4* )ZA'M+GASE&V).G^PM'O(()(BPA_?N-Q,K^D&DMW>(([CKSOOQ*^@]
MH^NOP_1W@K2_N#KAC#32")WK-?M"F3'(P*7W,90IO@LRQ!"W[W/K#%-[U5]O
MO+#;?R]_^"N,7_[YT+;./&JP`SY]?=&;#R)640A'M <1__/5F8A&``0\0 ((
M4!D$!D" !0Q `@(@0 (*H(D$,#!J4I+;FNBVO@,F<!%]8J #(2A!"EH0@P0P
M@ -6]L'>Y6]Y^^.?\RIW0M.YIQ&0@(0!_[-WI@D8\8A(3*(2EXA$$]A0/8AS
M@N(*Q#CU("*(0Q2:E)C(Q2XFT8E22P_DK)9#A/0/>CWT8:]6`<1)%&)/D"C$
M@^1H0#9"PHV&0 0E"K&(.%(">XMH!"4H83W/.4D2A9 $>J(X1155L5>%*,2(
M&C$B27QL%9)8!0('&8E%2&(2D]!C(7)W'D$2,HZ&< 0C]OBQ\XRQC*>Y41K8
M0,M:VO*6MUQ#&W#)RU[Z\I? #*8PATG,8)KA=\B*23&7R<QFVA(-^H.E- MR
MBDE-\YK8S*8VM\E-;5;SFJ3SCCB'TT@WC?.<T2EG-VOTS6F&\R7%.8,FQD(6
MG'3!*ES@PAFHPO\8EQA!#&?(RE(^4P8PX.0*51B-$;C F<W,\PR@`4Y=U/E.
ME\3SH?74Q#V-HD]^QN2?`?4-00W:E(2VI:%]>6A$6:/.=5:HG=(DG2;*4 8G
M6"&@54C,4L92!BH0I29,06@2BG*8@&*&*EOY@B:PT)(J#-4*AU%,5*6"!8A>
MABU5-<)E:%K3](TN)C.MZ4V3D%"!1.8,/?VI5%I2TJ<653!;0>I3@,H2IQ(U
M+J.)"U6MRI>L4L$)H3F#<$;HTOW!%):D<Z9B%PO,8WH5>,IDK&0GRP;'$K:P
MKCML&8.G1@0U(ET$*44KY<-($KZDLYY-14%(,5KWE!:SF;5F3!^)6OO_C.@^
MK_UJ"6LKN#1"$9FPM= IR$;<XAKWN,A-+B)E:QU).->YS2*30&A0)AJ,R05@
MRA*6#A4L$1K+M =2CR28BZ+G0I=9TM4$=5=@74U@%TLWV"[^?OO8X-KW))Q-
M4 H9R-_^UC",BP0N%7>+H/WZ]\#]!2&:T'?9^SI8MZ<5;Z<&LHE5!/'"!AY9
M`EP(`95=L((2D( "" `!34C `/\-(8._J[X(OV?"`['PA2&189%QT `LX^"'
M%Q#B$1\@Q!Z$VA/3D]L'&WG +N:MXXJ<3 (KV7!,/K*1\]NK53YB1)!0I"4I
M2<E%/ *4C]"C(OAHB$EP3I%?GH0B(*&(53A"_X^&X.-YHHSD\%*/$E<.9"4O
MR>4T/V(1E$C$*@Y1YD-T.<UK;O.;*1'G`-=7R@^N*#HG/5'P4OK2I&GI-&^$
MZ4Y[&IT4_;2H8T+&;'+:.U40`U.=@ 4PL"0+8OBK4YQ !3$,Y@J4R75OA),%
MIN8T"USI2Q;^FFN)POJO"15.0@=3Z^Z8M-903?9H*!UJO9A4V)$9#&4B0YDK
M7.$GTWY)%JJ0A:N,>S3);O:K$8KN=F,[GPS52ZFQ>6I/AV$)8,NWOO?-[W[[
M^]\`#[C !_XU('"M39J0:66.XI7<E#2A"UT*6Z^P4-]\P0A200Q?$..;ENBS
M"W#A0A6L0),J4$&I;_]A2U,6"MC*X-"E9U1C`)],\SG_#N%4KGFO7EG8F/MP
MYCK_T"1*,1!0/"ATC\4Y;8/>(:(+Q.@0D@_/8;[#]=!K;5C'>MM<A+SC>3=Q
M`UJ<D^W3==XICU$(\=8I.@&*4[B]$VY?.RG<#F.#M#WN>#]%$<+ ][[OH;B2
MR 21#$:PK%>L7PB[``A$L(%=W><0E!#%?D"ABDZFIUDST$0,4J")%;P`2SRH
M`9BJ-(,4<!=87Y>BI8- P"PN8I625U?EM?BKS&^^\Y]/0>A'3R;3SU>,T>SF
MC> 0IP*BY^I93WZ1MMZB&H_L9 <6@,SXJV HI;[:2;Z/\T4&??\J(,0S$S+_
M@%VYMU.(JQ.J,,6=TG^=4:C"[9HPA2E4`8I0H.(41$^_)E1!BE5P0CE5MR,]
M(C$:, (>D"H@$ (:$ (A4 &L4BH>H( 5( *:L &QLBH7H D9H $86 $@`#"T
M8BMLDS&J8$V<@ I_=GD+=& +@&(-E$$(1@#5ESPK!G8M9F?H,4 FZ#&T!R4(
MUH(B@P`PB& S>';2@EDW@CG(IWQ,""3,QW1+)F".-'90R"%3MTX^=SF^Q1Y
M5X498RD$(0JM=7V6IBQ>6$I@.!!B2!]7*'P!B$;^<X:&<UOV06=3F'URV(7D
M]W)8^(:]%8>%,UX%45S110,JH DU4":)J DOD%V9_^=[PD*&-\@BXD5>A(A>
MAHB(BIAYC;A=\A6)[-&&W)2%`+2%ZZ&'A;-],4B$0^9H#=9D>%@?JKB*_E6$
MH1A\H^B']X&*O=)F8S,GGF2)YB4)SF<`FE `+&.,1\-C`Y `+",0X4<SMK@>
M=FA.8R>(`S*,Q7B,R:@)RR@!S3@R-"1^*G9#:-=SNJB%<KB.2/>*8A>+[/@X
MN+A-I#@[IAB/YV%'EJ1(CD )DF!H\;((^IAEGO0Q_6@(U3,BB!!)0*0(BC )
MBR!H3F)SCU9GE!B(G:-G!2F07+:0H121F.1E;-1E"UD(C2 )CE (B< (DH!G
MZ"&*]#@=SC%J-.EIV%>3HO\V;Y"&$)JUDS[YDT 9E /1D_LC:7O!%I]!!4OU
M%*RV5%$U&O+T44V!$Q)'4Z^V3U"U4"BU%EG@&P,1;G-QD]N!E%JUE*Z&!4Z)
M5U/13RV1&%= E2QAE6=U!EG)4 Z54ET)&@(!EG8AE"A!E,QCE,SA;83Y5SBI
M>I,H3H3I;8:)DYHFE(#I.J2#5H9Q<5D!%%_@!']!EQPG<2S1%%5U!DRE&:)9
M!0$E%1$7;E65%4Y0!D-%!31U!E2PF=[&%INI%DW!EH@)82Y!F4Y@F:,Q5)J9
M!)P9<4$5FJ.I":5YFH=AG"RQFJ/AFDD`FV4@F[3)%[?9<KGACGY)3>250SF'
MCX?_(X76"(_BZ5KDV9V:$)F2$YY5F)($-(;H69%WB(-G& F3$)]11UKIV9WL
MR3<&`@7/X1Z,L)\J6'9W(XF\>9'KP0B U(,("HK4V)_J"4XN(:"EPQZ1``F)
MX'KHT2PPL"4R0 ,K8 ,D*@,XL );D@(O0 />(Z'TQ9WUR:#I`40=:J HQ"PA
MN@(C6J(GFJ(KVJ(OVETUN)L5ND[N21_;IP`/%#,0D#(+4&(1] !-0WVM2)$R
M6I[V278K2#,'\ ":< `2!*522@`-T((N*(U7N@C5>*062H6,D&62`(P02HMV
M*H-KVJ;N&:?.1:<'.C1WNHK3&*,LYJ;=E*0@\@B&@&5:_P8)E)0(0<,(#OD?
MD)!'HD1*KS>I'/H(?U:IF*JG2Q<BBCI)>R:0BH"0DJH(_Q$)DA )EXH>J1JG
MB<"I?91'KEBHAKI-I!,'O-JKOOJKP!JLPCJLQ%JLP@I-]*FE+6&LS-JLSOJL
MOHJL64IOAUFMUJH78GFMDZ:3FW9I@8%4,@%7K+&=,+%JTU$<-)FM,8&=19$3
M7R 58A 4>J64NKD52X66$K=/+!$828":=IE2*=4%7ED&1M ==<&MTE1OTE$%
M4M$%`T546%!0+0=88F!KG=EQGWD%0R%282$&1L 7J>D2$0L&"U<%9055`&5K
M;'$&%&>7Z IJ9;BN<J$90%%3:/\I$%B03YKQLFV)K[ZA&3.EE%A052=UEVL!
ME^1ZL$CX:3<Q3I<Q6-J:3C$;M>*$L+"DL%2;M9VFKIH`!II0:ZY)&:$A%&#
MF8#AF2V7!30E!H1Q3R9[!E!Q&&?;$ED`&-V1!%]@&'A;F8&!F[]9ME 5ⅅ
M.>AXF#.IM=?*)N_H$N\Z&E?PKMWAL38%!E] !5G0!9?K3U9P<C9!!4:0MYG)
M!5\`59>;N2QQ<@;%:@6KNJ-A!91[$TOANFR[%20'5>=(=2]!!WRPN[S;N[[[
MN\ ;O+W;!WX@O,9[O,B;O,J[O,F;!C>WN.7!O-([O=3+NV\PC]I4CX[#B^=I
M1=:#6\__:Y%FR(X(=(^+`)/9FXZ:P[W=VPAI*!!K.!]%IG14&'3N6Q#Q*W78
M:VKJFSGLV[WG$0FK$ DXJJ H`KWCNXZ-4 CR$B/[2ZTO\3PR9[X`K!YT.)Y)
MA\ 9&H^HB+[\&\&ATH0B'"1/.!^.<*J/@*,1FJ!%JKAU%@5+``7M<<*2D,)$
MM,+.8H15L[0O\2YQ`B-+.,),6,+X(8SFU2RAQWDX< ,K@ ,R8"5@@@,TX"6G
MES<M3!!Y=PH_T'=\1P3$%2^24'?E=<3,DL2:L,1-_,0P$,53#(E$:HY'>!"5
M@B*3,L>:@"GK.0J1\IWM\A)N("> %,0:@ $0J("D0C <$ (C_\ !'5 !"C@K
MM2(K&MAXCD<XS>("YO,":ZS)GF<^GKP",-"(,$IDZ6D@3Y# VL<LF.QYF[S)
MGVP^H?Q[+XF]<RPIE *&>&Q^?0,3@1#"0S("FE !$#,"%# "`5,J_4(!#@C)
M"R@KP*P)_"(D1,PALQBH:CI^;%K*H3H?U6S-(S.HP,>'-=()>.(HR77.\")X
M/6(!'F !1<+.`8,P1,(!`^C.RY<@ME,\-PRH-),`)N-!FN `$E!!`P`!/C9]
M*;9@$YJL"1>J^8RI?RHE#.3/X1C0`VU!!BTR!^ `T5@S:_I*IV MHY *I2 I
M)GW+M5P*J3 *G[ *I[ ?MHP*]-?'+O\A"+Z\`9J0@1N0*JT2@@=8R*W"`1M@
M`13X@*["`1'8TQ$H*R-X.99(7,68,E]JC!Q-T T@I@^0U4/HT=@,JM?XU&03
MU00PU0$],Q9TU6/M``Y0``EM?;<HS@6!QV5T(W\<+U$7Q*W2(R(HQ)5\'^WS
MH!]Z)B0PV(1=V(9]V(A=V">0I]I<OW_]/E.2V)(]V8:]V-CLP1#L$G4P-@7T
M'X+,UUI7P2#BU>8IVK,,US$)PE8'VB,\S:8MOXU=VJ^-V=>DO=(#B*\]'XF
M"O_'"::@2.V(J["XI5"XVY/BVQ#)A@]<V_T['^S[O^=)": P$)TP:,%M@PN*
MRE58"*% W:K_`-AO?;M]J-JXO8L4_-H7?-U&.MPTFH?F2]O=2MYP.-^\Y0/V
M?=_XG=_ZO=_\;=\MP-\&S-[:71_]7> &SM\YT /[K<.$B[LN(<'F7=XNTC,"
M\3-CR"PVP(@\X,0Z`,IG#"4"X0(T0":RC*7"K<$\LS$5#C00:B89_@(;+@,=
M?B4I"B;N->)5C"@,;K5SW=RW3=^]HC$[>.',,N(VH /NY0(#0:*:D.&EE^-]
M$N H;D6VK DG2.3"8N1([@)*/EU@XN1NC'KA'<<.7AX\).&=A<-O(^7BN\$%
MIN;-LN,\_.!G#N2HI8H0T&'^Q0":\ !L38X*3:C8#5GUR\U=2C-Y_XY@2=/6
M- C'.URX=!X[Y^U)CV ]EG[IF)[I)TDV#,P(`S3==SQ[$1TE#.0`#P`!#H T
M+?,R4MU!5MK5L;VED-?=WZ(**1C8(4,TIH[JJJXTK*XR8*KGUUR.4[/<\1WI
M:&XZ_=C Z6$G>'(*03/J/GA@#R"F!" `#""HC,W0X1D)JO!_3#*1N,[/_57M
M(H/MVG[9QIZP/NX>T/UD<![G5YR8;I[*\?[&Q8[:Z2O??YC;Z<%&[H$(T0[P
MS4[P'$+:Q-TB7=9EEL21)NRA#JSO'XSL=I[;`ZE(JS )*$F0')EE!-GP;-3P
M'9)(0:,(E*!GSD5*"-_>(<)EI+J1;!3R0?_$CY0P"2S96H@D"4'S1GWDC\!]
MONM^M>V.'Y/N[YJS\@-N]/#-[M)QN(C[])5&[U /'3S^D_^9JUB?]5KOG5O?
M]5[_]5?_]6(_]I 6]A8BF%/_&NJ:]N2T]69?(8+94/'Z&9CQ&<V9!#Q1KX[Q
M!5VQ%!3'L@=%<DD5KP"+%1JU4IDVM?#D4'/_L5MA]XB!]YKQ49_;]WU!$V\Y
ME4OQN83/&2;AL!.;^%K_]N(1]W+1!355!E+QKDD%;R2K]Q0G!H@!%%=%;@%5
MEUO)%A<'6'N)K8IO4:>?^JN/FJ*13Z__4;$_^U^[%K9/5%IIM+JOEU(5]5E/
M^N%!.D9@NR_!EY'_L5::VVF"SU(QF_TQ,6[BYOUMJ?V4%OZB7_U\')A@51FN
M>P;_&OJ=&505M_EEZU,?"Q":G!CA0M#)02MGSEBYHLF(IBM?-'UQDD53&2H-
MG4 DV%#C09!D-(TD69(,2)00(5H!<X;+QBLP#Q8LF/(*P9I&6E(IJ)&F$9 )
M%S9\&'%BQ8L9!7)\J3(F2I$EI4ZE6M7J5:Q93WG*VO7J291AQ8XE*Y;*PR16
MRJYEVQ;J5[=QUY[5E%;N7;E1O>[EV]?J5K]]P89=5-CP8<2)%2]FW-CQ8C9B
M]5(=C/+Q9<R9-1^.''9R8-"A_W(5G;4RR,VI53M2)<H3*%6)+G=^:_7T_T'5
MN3-'6N4:5"I%LR67)EY<$V#C56\[T=V\,:-5G4AN2H7H,>V0<,4ZYYZ8$27I
M(ZE'NCX\^?F^R-&;'-O=?>)5FK$?_"QU^7O\A24URCS?2?WU`IQ*/0'O2PT0
M!!-4<$$&&W00018<A,P\Y=H[\$$,,VQP!ST:G- S`4.LBL `3Q-BE54*<<2P
M0R@)921/5"'OL!5JM/'&&V70Q 45:K!!A15>T*2&&D=:809-9L!Q21L_K*W"
M[1!K\45-8IS1,":9U)%''X$4DL@5C$12R2QQ=#([$=-4DSV43EQ%DA4+<R25
M34@R)3@:R\2Q!DUD4$&3%\+4@0<E^]2$AA3(U/^SQC/ITXXPQ.:L<Z12\,1R
M41OY]!-000D-4T=$%5VTT?_6-#5-`S?#=%56LR050))2U:Q56FE]]51<2[10
M528)\/577Q\0`%AB?67@@0<.*): $I:\U;9=9^UU60886)98!APP8-EFS53,
M/UAS%3<P60MC9!)3.NE$%$JLRW/)90=00()A-4' W@4>R)<`! J 8 %NG?V6
M0LJB-1?=3CAAU]U+X2VV@08>:( `>_'5]P$"'JC6@8"]30S<<4,NK=Q%(#FE
M)%$,02S+:X&UU]=]6P:VVQN?A1+2PQXYF:10)%EY6IE?)B!FF7VEN<F!011Y
M:;](OJQ6J#&UN> H>8W_^FJ!/R:8::ZQ<IJ[0R!9I)$5'6DD[,<..40UD*&M
M&C^TT3:[Y+4;4YOMK;O6>ZJO=6MDE;]+]ED22/X.G'!()&FQ$.L(/TP2R'TN
M1&5("E$DOL+:OMDR_ R/[W"Q`0<<<9\GH61%QPV+7'+*+<=\$<WWEIU-G/.S
MO3RE-T?M=MX;BWWVV9?#:WCBBQ\K7$V$-WYYYN-"'OBEE2!C>NJKM_YZ[+/7
M?GONN]]>B:ND]WY\\LLWOWOP0]ZB>?;;=_]]YI%7'G[ZB]]"Y/7KUW]__I>7
MOW\`XN5^Z@,@%<2 A;58@0IRX4(5`NB$*KSD@7FCW5HB6)$L.*&!5\A@!!UX
M_P4NQ$0,$@Q+%AK(DPQB\" &%,-!LG"%"\9P@QGD0@V?LI8!CBM__-,$%JS
M$".PA I?^ (5+%(&)[#D)5GX`ABRX$2;#+&(3L""3EK(!3"HI0M9"")(I+C
M*B(PC$D$PTNL`!0E)K$+:P3@_]JB$8M@01-=,$(&OV $BG A"4; PAD$(A8C
M)($+73@#4*KPD"I0H8=]'$@(!:*1*R1!D$"!2%QR**X=[F^(FGA)(0_HD 56
M<B*"_$E-0,*4F@A2$Q$T@D8(8I"#R-$(2N$"1,IPA@QV88Y.T A3//)'_KF1
M+1^I"Q?*(!!%6D$3/*EE&6HY%H(<LR9=P&(7/ (2(__@\9';)"0EOT!"'.(/
M@&>X90O%< 8GB*$,>'3"&<#@!#"TQ(2O-.5!(*+.,K20G%E,2#P;"<MTKI,B
M9Y!(%<Z@RRK$,PDO%$@\AZ*2-CYJ+1]I23O?B44G.+.&72C#1\+2RC)0DY)6
MD.- )-F%1D)RFQFEY#I3&$X"3M *"X6?08UP!@1.,*)NVU\-?>I G8KEDKG*
M9%"->M3X210D5UB@6ZJ@EK P]8$9D<M0<554I&95JVX19DH.>! Q9+ A%#$@
M`@LB!JC:,R992&$$Q4"1*XAA@5>(:UI5",$&XM6!!HS)&9W UYE8H85AL>JI
ML!K4*31!L8ME;&,=^UC(1E;_LI.E;&4M"X119#:S]AF+4ZJ !4'*!"(O_(E-
M< (4G&K""CT12&G!ZI(DJB0A701#$A#8RYLTY9HH*:RI#JO3,$AAJ\,MRV16
MP5FQ<'*9T6S*2YQ91]>J%8M@0.D<Y1I)8VKPE2!A8A,5:1$KE$&.5J!F/EVI
M1P0ZA;#BU&IPB?O>W&GBN!7<7T*,"4ZC]G9-OYV@>^'[7^,B][_\TZ^:L,J'
MWBEF/PEF,'YB-]]8&:S!O8N#4-F+$@1/6#_\T7"'\19?"(^D;Q[N3H77&U,,
M>WC!)&8P(R21BE.D@G'"`;& .<?BYTA"%3&>\6-,S-L+@R3#&EXQCF^'"%5,
M:B2G_XB3[P@6XN1)V,@L2G))F.QC"Z-8R"KF\)3S@XA42.7*CGFPC7?G92E5
MV4Z/P/*)=2B6(4^XR&A^SR$FD0I2H*)=-'Z2?,V,&SHCYEQX/@4ENMR8'X.D
MP&DZ,)<#?;O7\1E-(X'RB-$\9\<D^B"+%E&C.XSI1W<GTKCK<Z6E_&A0,T;3
M3N!TB#Q-Y$.'6M3R>?*?F2/KQ\4:T5E^<UCB;!A+:$#8PR9VL8U];&0G6]@`
MP _6G%VSI)7:UJIY=K47L^I6"^C5APFVLKW];7 S.S.*2 4H0'&*23#B9YB2
M00I60 ,9P,#=*TB!#&J4`G?;H-ZLFIJI0?($%"FB;H8A=_\HSEV(@1>&5>U^
M=[SGO6]ZYQOB4E,,MH-\$#6\Z=#=!G?'/3YL<5]&$J H"2<,W0B4-X)5+C"4
M"F9 @Q7<( 4\*)(.?N1R?D=[TO+U1,][?@0I!#WH2T!1T?=C"))/!W I5_FJ
M6*XCE\-<YC07U,U%I:=K\UI G/!YUWNN!:$+/0]%1Y&*./YQM'L[Y(])1"E*
M`HI)K!M3,T>2"F*P`A7<@ ?V3I(*<)"HG&LMOGP+"]'+_@AU)\(4;R^$W!=%
M=TW8'>]ZY_L,_ [X567=S5(9Q<E6T?,8CX(3I5B%Z$]1"E*L@A-^P:H=R*X(
MZYR=V!;0Q <HD(&/A\ #&M"]!BC_`((1[/[8:W\,(B11]BLUC-V J@&0?G0D
M'80I3#' /,4%WV?"@V0*89B"8HR/_,2T2D<O:/X*GC^#Z&MB^M4?5<6U7I)1
M%)TKG8?1?$]Q"E.L0LE[P:H<(*%N;D,V#]"$8:,]`^2 "@`!"QB!#F# 8>N]
MWA,!31@!"T VXG..:GNVJ<F^VLF,#'0VS0,RJJ"_S],$^JL2^QN%T-@V8$,V
M#M $"_B #Z ]#="$"WA!8:L`#L `#GC W=.]!=P`$0`!"VPV)ID`)$Q")5Q"
M)FQ")32!K$&,WYFVU,@2)[Q"+%Q"*/08Q+ XJN $Z?"$.@%#\2"-A%E!L2 "
M%4$,V2LV_P[8@&&[`&';@!X4M@N PSBLP NH0 VXPV2[P.9@F64Y`&4IF@/8
MEHZ!MNO;.0Z\,6EQF&(AQ*(A``,HQ&(Y&D9QO\TC*K' `[(K!,1KP[0;16(#
M1-T01&+Q%TTH@*%)@ 3@EP18`%:4`$T`F$1$FD5T%)YR1 \$&F!1159<`%>$
M15DD``&(18RYQ"@\#"\LCE0@#:_ *D\L.DH0.([+`$W O63#00\(@62CP1JL
MPS_4C$=8A5(H!56P%.6[D659@'P!F(I!@'=,QEJ\%DQ<@0VDPD@Q1U)0!4,`
MP'6TD79\1XJY%WF\&&.1@%=41BYD1@N+,5+HA%08!5/8A%4(A?_CZCSZ,X51
M2(5." 54&(5/X(2+U 15"(7%PPJL&@)0!,A%X#@*\ `*T( 7]( 1X#W;ZP!N
M#($-T 0,T(0-T#T;_$DYU 0.X("8O,D0`#[A,T7%, 0J&8E.:+QWP9%ET00%
M6 !-H!BM+( %@ `'L!:M? `$N,5,S,52V<4S(SA1*#E*<#R!+!:LU$JN7,6O
M#$L"& `'@(")84A%[,*'5,%10(5/& 5/^+R,/ 42#(50X(I/0(7%*T%.B+_P
ML H6+(QNZP"2T$FC)$#=T[V=Q$$,L(#;,TH<#,<," $<_,RF'+>V) E/H,J
MK)%)%!JB*9I[S$?Z`K3#4 12* E/>,O_JF3'HK'-9)S$W-1$( ,%TO"$4*B3
MPCRN31B%3B"Y36C,D0"%YZP2%9Q,:+1,L=B#_V-#8>-!#< `'O3)"@R!#\ `
M#;" W=O!]_2 'CS*#*A ]-0`#ZC '81#'C1/#7!*Q7 $2D"%4U@%V8!+VIQ$
M!O5+7)1""HJPMS$,`C50! T_7VS0!DW.Q&A&JMB$[T0/K*H#:AQ/4:3#/"3%
M<#/"#XP:W930#L2,%KV:$%2T-/$$S<K1S!H#Q[H#LEL%2H"$2U!1(BU%_" $
M)$U2)5U2)FU2)WU2)'U1$3LUQX!2*[U2+"6$&MVTBW."C%O#%BS2(A507,N-
M*=S-6RO3U/!0_T[T-<4013'].#)5T\TX4QCE13J]##:]*CA3C$H``$ -5$$%
MU @(@$$]5$0M5$0]5$S(4_>PTRF=4$?-M/?C4S=5C51SC$R=5,> !$H(.)=D
M#$B-,DD--$\%53VM5,/J4TS5M<?85$Y5C$-0O9)(A>234E*-432#CM4CB51H
M,E535=]BU=2 U<4PUE@]C$9 !:DH!38CLPB-5%WU,C!K5K&AU$VTU!1KU6)U
MU61=C$:@A%+XA'X$5E&-UES%4SI#!'$E5U4PURUEM2[]M<Q UL2PUV\]C%&#
MUL'3QS+%UT78TU6]U&XMV'S-C'UULGY%TSP%6($=5H+=#(!5'6\]6/_%2-AS
M7=@[74M<<UAAW2]BE=B*98R)=8\9=5&=TT7=X<U'/-E6B==L"Y#+Q(R2782:
M?8QR/,=TQ%!,B0$ED8$8> $RF8&[.Q(E@0&B#3P(U5AI55='6 530,=_5% F
M\=D5`%JAK9&D-=H50-JBM3[ S-:!W5:#U8R;;0RH+(FII-HE$1(;T 0=F $B
M:3<@"1.[&Y2K*Q-<)1E%>,V1,#FVQ1&WA5NYO=H4J-O(BP&\55J'%%N()5N1
M+5OWZ%O@E$V%8Y7#11(=N+O-Y0$;"!/TP[>\=9643<N535."^TW8%,[9S)+,
MA5O.C0'/!5T=$%W&-8R'!=F(-=N1/=;>78W_`CW0!!U./;D!38 !'* YV7TW
M=]L13="WT662O96R"A5>GL44XT5>Y:4Y1 D3EH/>VRV,W#6PD.5=R=4PEZV5
MZ2W5QTA?6U%.&]6R@Z!7FOW=>[7?_+#"+-Q?)]S"O^0,=+6TQ=!?_BW@)/3?
M!VU<$>PUR#7?R"4Q5-30#5U&PQA5`5:,")9@Y*1@\?U8\MW=>L7?7,N-2(!7
M&<W07QF K>07`]B6%BY+`]"$`\!*L\3'TNTJCCUA2"06%?85!&AA2C2 LO05
M!QB (286#@W;!<:D\@WA\]6,3TT18&V$0D@%/8/7#(:98X''>SF =^28H9$`
M5G30LUQ:[/-7PT"$_RK6LVLEW@4EE@78XH*4X2\F@ 8PR!J&V7G-C9I-A-7Y
M8T .Y$+X403US9+X!,M=A"PF``EH``>0`(I)`$TP@'QA@ 8P@$;^X3R^8:5B
MV<)HN\JEVF5IY$>.Y$FNY(E!@'M1@$WN4 ]FM":N7P_[#B =S\) .K=DNJ;;
MX6LQS@ENR H.8 E+6Y(@25U>9&+Q909-8@6.7P;>,F[ML(1##$50!5(0A51(
M-U'6X%_^WV!FVG3-X45(!&O&9FUVXQ7@YFY.8-Q]Y4Z+99$3831SWY?E9+7T
M9!VFY_9S9<?5W09VXEC5$($>: FQY]-5#8).Z(368_EU`OJ-9XL--0NFTO^#
M'5]8!F%9CFC]0 2U000`].A%4(1)6!M)X.A#\.ASP1.0/HR[.81&8 0..[2)
M9M_F8 3>&)OX<)Q5B 1WN9O"X(^4=LF[002.M@Y&8)B =6=7@^=7E><R!9S$
M29Q%*(1&@!.I7@2H)IS!$1M#DX1G#6E(@(3@&&2UB8]5J)N9GE;=0 31P6F;
M#1W#,82P5AD$Y8_4*0Q%"&N!2Y%%<(3]D$V+?F>,AFB-QNI&B&K)B01%< 1(
MB#O#1NRW7H1)B(1)< 2T481$>(1$8(1".)U9/822SAQAING<8.O `1W#!IQ$
M6.W@2(19K6K9N.S,3@0J/FM'F(2J;N=^_N!_SNC_PO:RM%;7B [LI1[LIOYM
M- MN<1YNI=8V]_&O`8ONO.ADZ7:?F%T/_AH>Z*YN[B8+'.YN]KEN]$B"\]&>
M'SB"\DYO]5YO]B[O]*D*)* K^9YO^JYO^[YO_,YO_=YO_?8"Z/$+$OEO`1]P
M`B]PD@AP`T]P!5]P<4%P!G]P"(_PXG!P":]P"[_P$0G1]4B"+>AP#_]P$ ]Q
M$1]Q$B]Q$S_Q$D^"J^!P%&]Q%W]Q&#]Q%;]P"C>.^0%OXOEN'/<?#*_QXKCQ
M';\+'0_R'.]Q#4</(.>EUE()FM"@T*JE+!H):-($,1 #AS@(%3^(@^*HE%JI
MAB@C2A(#&&J+(8^J)6^(_R;7HY> <F4")I1XB"J_<B?(\G9:(R3J""_7!##?
M"#$'JK5XG@3W<>)(<HVH`CV_HU7:B)+B`HD@(C?'ICM*@CO2(#IRI!MZ""E7
MJ=JB)"DG<^H6BT(_=$12]-9J=(F IDB?]$'"\TLG"257\DW?B$YG"T W<$$?
M&;?XB(?8"* 0`T$Z@Q'"HC/PJ#>_`G>J"8*JJ"V_<T=Z]8:@@D+B\S&G]4\W
M\X/8]2OW=2X`]AIJ"6+')F/?\V1'IV7O<F=?IFBG\FG_<R-'E?ZA[Z;*JC)O
M'WC?JEHO\%L7C20G<D^_9WX?GGLG\'P/C>6HI+!0)K&HIU.Z(93@"?CQ*^>A
M;O^##XMA#PN%5ZNQ</CW@7BN:G<1*?CQR@(QP',LQX(RF">%AX@O6".*<(HL
M$*\D&(A*!PEC\B%%,O3O:B$\R@*EF'.39ZB2`F>05RV1-XA*LJV3CRZ86/DN
M:'F/>'G0TJ#GHGGQ4J!56B9-$/F!^ *>UPBDSZ >FGB5K?"!!XV";PB6J/2/
M&/:P4GJ5[_:,P@('XB)C_R<2JH(K`(,@:JW/\@B&$"2OOPDQARBA[RRTIRZC
MCPFV1WF@6/AOPBCQFOM60J?HPGN]1_@&P@*_QZ[ -X(64J\SAO"R)Y>QL((J
M`*K3=Z"G0@C5-WV[DJI$2J(D2*AWH@*@<GT_AZ"TNB'_J4JBO7H*J,H(JBI\
ML3!]U#_]OP+^UE_]I5J@V)\IVO\KU'=]E&!^7FI^UD]^A&C^WF?$"!_]IOGW
MI/)W\9]N&C_R\[C@6%5N?-;H455P\!<,BLY7]D?=WW[_0$?_Y%!_$@.(1HHD
M&8JTZ"#"A G9.&GHD(RFB!(GDG%H42'&C!HW<N2(:* A1QT1,K3H!.+$E"I7
MLFSI\B7,4YY@TG19T:23D3IW\J0T,V(G58=&EK2(DN5-DSR7,L5(Z9/$3:H0
M$<5YM";6K%I9RMRJ->G%IF)Y-CJ5DA2DJB:OJ@3K<"S<D8U0I125MF/1AU[W
M\J79M2],MPWC$MX(21743J@,_^G,VY!M2L$Y"U-.^ BQ)L62&EL%[/FSIK^@
M5TJN;#KAJJ6.3]K$.?FT:4F->*Z&//IVS)^X*;J&?3HU[<XM2_NN+#OXVMW*
M<R^72+QX8> [:[?&"9WR\>G"FW.?*'KY\Z4KQI,O;_X\^O3JQVND/KQWT_7R
MY]-?T7Y[]^[?E8-]LBJ,2 HA4L@JJA1BD$+UO1##"C"\X *#*\3PPG@Q, @A
MA?3=E]Q[UF&$B"0%4A)@0@HRZ""$%69HX0H8UK>A4?G)N-]N;C&Q"HZK%"*2
M(J5,!,HD"=('@R8Q:)+"##BL8(,..HRG"0\QI*#)#"]FY!Y2\"64B(\2>5*(
MD/,1:?\DDDHRZ>0*4$I)I94882DCG."9-$6..HHD"2@3<4))(WWV6=\*3<YP
MI TKI& D@YK0@(,.2+:IT)MM:8F0(7E*Q,DJ?OY9GZ"$&HIHFHLV6J6&5^(7
M)ZJC]???; HIDHHHHIPR"2-ASC?HFA(6B4,*:;Z@B0R.ENKFJ9%-BI BJL0Z
M:ZTEUH?KE+K&P*NOP H['XQZI;HM:.'Q!"BXX&;[6'5*Q1<NNO*-RQJW[?;E
M[4[IE3 OO?7:>R^^]:)PWKJV.7=LO.CE.S#!]NYK7K_N*NP5O#JE1P#$$4L\
M,<452UP"OZ9RF*6'3#UL,<@A7YPQL1LO?')@`#N,7L4(2/#_@,@/-+! `15C
MC+#&,79HKL<L5RR!)B(+\ `##=A,,J3%HKRTL1TGQ(@BA11B"%6VEE>Q`P)H
M<@`!FB2@B0$+$&WT`YI(8,#1.)>L,\<\/YW())10C=''$RO0P ,*=/UUV&,3
M\, `$B"0=GD),WVXI$X?!(DI$XG"F+/G46R )@](8+0F"&PM]@(.'/! `1#H
M3?'-A>>L;=MA66:61*%L%KEY%0\`P0`#=*WY`9P[0 `#"W1..'F&(SZ\)O!*
M`E54JT"R_/)U1VP`UP8,[G7-8J,-,0(U`\_>Z>3NK#I"QT^TB?+,0^(\Q 4,
MKGX!U!-@_?-<;V]?]^P2CSB\C$QB_XHGGI!"2=40@CZ1$7!D:DN:R1+GMH/H
M[Q2?\(0H`&@U\A2P@A,K7?#JYZ_[*:QA(TD7"-,C/-*H[(,A/&$&UX8Z#B[-
M@QWQ`0QC*,,9TK"&-KPA#$>H0/#Q!(<^_"$0?:!#%B[,A=>!3J2:ML C,C&)
M1'27$>'2B-1 8C.2@,041Z*(NS#%B?]27&6RF,4K+B)3'=FB6+SXQ&U%L2F,
M4!X5K8C%53R"BH8P1"(0L0I'0$)_BFC6(AYQQT=$0D>'&! D(+<(-1:OA'!Y
M(R12,\:TT#%3B<3C(B@A2#\"4I"&(*0A$:E(1JXQ3FUDRA2S6,5%7#&5J3'$
M\C:#"$-0@L:57&2E(ASAB#>""1*3B 07&7G*I;AR$9,L8RIAN<I#1!)$MY1$
M+G>IHT7X$I@D45HI4S7,I40"$6EIA$@<T0AF,O,@CD!0(R Q%'*"TYPB><0A
MSFG,1P!2F(Z$2S?34DYQ4I.<BY#G(I@Y&W*6\Y_OC*=!&D'/:R8PFVR\)Q-A
M8T\P1A2)V'0HG"3CFHURM*,>_2A(/;K!1H:TI"8]*4I=,U*,=D>C*7TI3%\Z
<4I?&M*8V[>A*6=H<FMZTISZ=J4^#*E2C! 0`.P``
`
end
begin 666 websecure2fig05.gif
M1TE&.#EA+ $]`/<``/___P```.;4W;[7Z+,`61P9&BDD)DA#1?GT]OCS]3<P
M,U9/4O;O\O7N\=K+TKVPMJ^DJ=!@EWU09HU@=LR?M=ROQ>R_U8=V?O;?ZNC7
MWUH`+;@08[T@;L$P>'D@3<9 @\M0C9E ;+E@C-1PHME_K-F K-Z/MN.?P>>O
MR^R_UO'/X*:4G3<Q-&!66^#*U5-+3ZN;H_7?ZHZ"B.32VX!V>[JLLYZ2F.G9
MX3HV.!T;'.S>Y>O=Y.K<X_+H[?'G[/#FZ_?Q]/7O\OSZ^_OY^M*RP]&RPMF]
MS->[RM>\RMF^S-K SFQ?9L"KMHI[@]"[QI2%C<.PNN+-V.',U^31V^/0VL:U
MOIV0EZV@I^C7X.?6W^;5WNK;X^G:XNC9X>W@Y^S?YK>&H;N,IKV0J<"6K<.9
ML,>?M<6=L\>AMLBCM\NGN\FEN<VJO<RIO,ZLO]"OP=.TQ=6XR**.F=O#T-K"
MS][&T]S$T>#*UM_)U=S&TLRXP[:DKG!E:WAM<V1;8.+.V>32W'-J;W%H;>?7
MX/KO]?#EZ^_DZO/J[_+I[O'H[;^3K-2VQV]C:M*]R8U_AT4^0M_*UN',V)N-
ME6=@9.[BZ>WAZ/3M\2HE*#DT-QL8&BLH*OKW^?[]_OW\_0P-#_O\_B0H+.OR
M^#M#27>&D9JOO5->9K+*VJ:\RX.4H&MY@X^AKC V.A@;'<[A[M;F\>+M]>?P
M]O?Z_)G(Y9W*Y://ZJ',YJ3-YJS4[*G/YJS0YK/6[;#2Y[?4Y[[<[T=15U]L
M=,KD],/;ZLK?[-CK]]+D[]OI\M_M]M[K\_/X^X' XX7!XXS'Z8K$Y8[(Z(W$
MY([$XY;+Z97'Y)G+Z*+1[9W+YJ+1ZZ3-Y;'8[[C9[+S=\,7C],7B\]/I]N3R
M^F*XXVV\Y'6^Y7J^XGR_XH+"Y(;$Y9/*Y[;;[][O^.KT^>[V^J38[T*PWT^U
MX9S6[JC;\<7G]0X-#>_O[]_?W\_/S[^_OZ^OKY^?GX^/CW]_?W!P<&!@8%!0
M4$! 0# P," @(! 0$/___R'Y! $``/\`+ `````L`3T`0 C_``$('$BPH,&#
M"!,J7 CKE[5T[")*G$BQHL6+$=MQ6\BQH\>/($.*'$FRI,F3)N'!2VBKF<N7
MS<H)FTFSILV;.'/./&8RWL%!%H(*'4JTJ-&C2),J-1K#HTJ%G YE$$"UJM6K
M6+-JW7KU!A"48 W&VS<OX;$!:-.J7<NVK5NTK<(.W%?/H 4"> F,4($A`@$`
M* 81^ `8!8$4)?Y^Z# (10H"*% `X$#XA&(.C0V7P' "0-[+F0E$P+#Y<.)!
M)P9MR$O"HSRR![V "2-F#)DS;^3XX<J[=]8,6R;]^.&CQZ$@"??=FQ= H'*!
M]_8YOR=7(/,`V /D\UD0V-NUOK*G_Q)UJE2 5*D"?$?[2FYV[&3O?IY//V^'
MQ_4_1S"1_W[^_P3X5U]K'M'SGC_X^"0;;;:9<88:::S1AAM%O*$('$<@D802
M<\A1!QUTW&$')%'X0<4,?PB@11988-$%%UOPL(,.7WCA!2633%(((<,5=QP`
M\^SCSSSX].,///$$P$\_`$07'0!%'BE//_S@(X\__<A33S_]T#,2/MGMXV5"
MQ+ URBJ?D#+ )V@.X$LHZIV72B>K]#) +P&0<F::;/%DDCS9]6//2O(!:.BA
MB"9J*($=Y1-F60(M6!L9#D(H(8468J@AAW+DX4@`CHS8!W8U_ $(=H!T\6*,
M,]9X8XX[]O]H''+5H10/=Q^AL]ZNO*8%3$EC%E0H?0`0]L$))H P" <`;*#"
M",B64 (')710; 0?.)87LLHJAE@$*H!@& 8@F( "87N)EBU^]#&ZT*T(2=K@
M@Q%.6.&%&<:A0 !,L%! `2S8$4 D?L 0P"57`/).)@%T@8,D,M)H(XXZ\DC<
MK+7:FF!"L(#C\<<>TZ++R"27;/+)**=,\CDCY0,I0<,J*O/,-+/FVCTK(02$
M&O-:.B$1F6:X88<?ACABB2>FN&*+JT;L*L6Q$I= QE2;58PMXX"L]=9<=PVR
M.-&4@T[59)>M4 !EW0/?2OCXPP^N9L<M=TG8<+V,,GCGK??>?/?_[3?>V<PM
M^.!4:X(``I4<HOCBC#,.Q.%"$.[1/917;OGEE#OZGG8^';/+YZ"'+OKHI)?^
M.3$=U8/YZI9O'L ^8-0L^^R(AL#ZZIJ_EP\\AOCF^^^_;Y'<<LW=TP]=]>S3
M#W7[Y.,HW"9A61="GO2:%IZH#"!*)Z1T4DIZIW1B)UO >")7/O[@#/-GQYK@
M%V")508"`>X?U@$!):0P_P@EH'#_"(])P?WZ=[_]" @O`L2?_T3CF,G4#P2(
M^8R[% */`/1C>@21%Z7H=:E[:6IH'@*1B$AD(A2IB$4N@I'3)@8KB_F(5I(#
MRS"L1\.V!(-L,<O+!D8PB,04"S'Y(\QG_U+ 'R$6*W]_44$/[X.M8GEFASW$
M3%^2V,,@>F9 *-%@I>J%*7QMJD-,`!44[+"'`/@A$ $P%0Y0V+16L;!BLOH1
M<P12#W_L0R58:HZ!\B&=.MYQ2@&@CCW05D=_! LD^L#.=CCRBK6<*0"^& `I
M`J"*4OA"%6B14P!6$<E2K$(5CXPD6^)2DGK )U@Y9-]J`G0_`FS@`ZOD``?P
M\DK[S/(S'6@E`$#P`5JV<C"S%"(L`W1++'J$'XJ$FQ8Y:*^@(6$)CGA""(U&
MPJ2=D&DJ=..KX'BQ'\5M'^ ,ISC'"4YD;JX?+SN(KFK(3K7X"1_DC*<X7></
M"=#NGOC\C ?D&?]/<[YG'_%8IL^Z^$%.%6V$2#/ATE+(*HEM,VHOC.%)L)&+
MBEK4%M#(J$8WRM&.>O2C&9V&^21*TH^@K4G241L`J)3.D#" !W8P@A=!>-"C
ME5!I;,RF#GS0``1LHJ1 #:I0ATK4HE:-'%KS1C>6RM2F.O6I4(WJ4KUAU*I:
M]:IFBP;7GF&-KGKUJV -JUC'VE5A8/6L)>$$`WS `^"YU2H9^,(A-(%6@202
M0= ;1BWVRM>^^O6O@ WL7OU4G4$&0!\O2V4^%ZNH"2H$F>G+F4 X,96W6O:M
M/JBJ82V(08',L)WL'*E<DH2=]/E$L0"*8+$`I()>KO90KZ7/!C@006/_=@1,
MV+G@0&1C!BE<]K>\V8(/8%C7@;0"M.P$1=R&50*^^-!8QO*,:C^ 1%BF0#*N
MS:X5\9<"(>;EB-WU# <PH#_3"+$#Q72L2 3*Q7L=00EUN(,+I$ %*DSAOEQ9
M408$<0,N:#-'W(PH0I2'S.E 1SH`:!Z8)'L2`V4GL@5QA?7,XXM5#& 4`>B$
M* :0GCFIJ2W#D$L%=1</U$X++]1BK,QV>&(`J1<AI@S4H # W@XZDZ8BM*DU
M%]I&&M4(P!#%&(SG$0_J`* >D)K'])!<*RRI+R&@Z)4O1J&]#9\"%:88@"E$
MN1Y8@,51BQR(8C> @A.L)@412. ))/,9]_$'_X+S0V('4)"8O!"F?F0VLVC*
M.^<ZK_F*[7**]!A,X]E,:HLVGJE!+1& =S "$HP.@!7^$(@U8K.A7_AQ"^-(
M7)2H[B3Q0&Q'8 ':\[#%PF]Q!4KH8I?\E)DTWBK!!U #:-/@!36"06)D!M%+
MO! F,I Y`6D88X+)[/H#L^Y,?EYL$'F$N2 U;J:BB>8$*+QC#S0P8R#>06E+
M,]1IF@XPQN8(`.TL)SIS=))TS#T/>.Q#.PFF#B"GQT]Y^C-,\D"(=]12"E4$
MH!?I2<LE,XF>\Z@GX/W^-_D,`L]ZD]-U_9B BA4U3 #5,E'[='@X[PV?@!JZ
M9^V]L4%S3,(JE.J:W_]N5;B#[,V$O&9P3P%),-HY"DS64+DD@9Y 4!L!:V6K
M! :4[IQ/L&9T]3(%X5HE9(#.GQ^68"\\) "OW4<87A\FZ<MV"J%W^_$-#M2#
M1U@")JI0A$Z]X 6,L,,E&B� 1"!H#0`B .\( N2.()DE"Y%X#L0B$7-9&O
M:VE"/HM<&I)2)#'6[<XGSOA$,=L@YH0-UQGD]9#CBP_O, `FY, '2UAB#P*#
M@8DN<0D!U* 3!\"!P_ ![KUONIN=%JK:L"/JCNR[\-8;FT@`E=OIH;;QP"?
MXPN2NWSD>R!JH#RB?R9RHI$\H3B]=.OY'L<A%)<@L(B&]K>O?5I4X_O@#[__
M^,=/_O)_/Q?7)]QU`GD/MP7 2[@5/$*&X(<V#!1HTYXF0F^*\AYGVO4ZT@#6
MEWX'T1"_<( 'V S)L( ,V( .^( 0&(')@'X$*#DG]23&`P`J`4YD@P! ``0)
M$((AB `)@ "<4($HF((JN()&Q0W+\#'=H XR.(,T6(,V>(,X*(/KX XLV(,^
M.#C<P#7?,(1$6(1&>(1(F(1$N T_V(1.F#%:M37,( U46(56>(58F(5:2(5,
M^(0$B `,< B9!EQ5$5>%< A $#E-2 W(T(9NB S4H UR.(=T6(=V>(=X*(<;
MX856I59M18:_E0&%@ !8!0\09A#7$ N*N(BQD N\__"(D!B)DCB)E/B(Z'")
MF'B)HC42_/!LBQ=\H#@?PS<0\7"(!:$)-P"(JG@5A6!5F\4Y`U$,N#"+M%B+
MMGB+N)B+L\@RM4):\%$6OQ>**C:*`S%[`> /888`J[B,5B$\<7,[K),[I?5D
MMX=[Z\$*J0.-J^,Z^4 !-(,M^%-,];$!J]%BAF*.]0&.]6$[VE@YTFA!@^(%
M:,",RY@!F654R,0/G340$F:-O()S<J$VIA@S(^ 7^ ,"\\,!$3 "]Q-!)P8"
M); :&R!K@P$`EG%B'S "JX%L(S _W]5+&;E*$= _$0".'5 M$O01_? ZAU1H
MM,$&<T"/;Y4%/% (?I=^U?_HCV[Q*\OU&1P``K#F1,CF1+8&7BG6`1&P6DI)
M7>'%7=Z%%^ E1'O1+8@A1.9(C O!7FX`!W,@!5$@DQEP`UN@`Z\G8 >!#_7P
M<N&$#PTG'0W7DB41#_MH$%%&0Z(`2FCQ)J=P8:J@"KU0"FUQ>&!1#ULW+(BA
M`CY4`LU"&,U5E!\`E" P&;NDE,_U`:2A`DY9:\5BF8W97!2)&!NP2U.$%U@9
M#_+GDH?&3 0E-"-'3=#7?SKE*M0'>\-#;L^!4M/!'*<I$IIS05L'`(3'*ZM0
M)VZR"J4`F '7EV[1'F$18\C(':CU6D\IC)\1&2:@&B[V$8"G>)'2=<NWFE^D
M?SK_IE YA6DKUW<M9Q#@Y"@&AIL)AAWX<#:N,Y_T65K')Q"DUBNG\ GI@9S^
M9@KIL4E4YA:;6!#O5I\(^AX21YVAJ $)FJ#^X''*IYI@%YXU54WD*7W:!#7H
M&7MS03SM^23Q5BNX98H%42:\H@J1U F^@ J=P"8<IA[K$6)@X6#:<7S!F!_3
MF1](5!\[BB@_2IH?H3FF&&W@B6,K@% P4 4HD@<U4)[35Y8W*51RZ1$YJ9-M
MH6J>5I@\B@+/\A>>"90C4&LI@ $FL &#D)03^1B(B0&]5I&ET3_/8BWB0@!M
M^I@8,*99UQ%5&AO>2:'-)P<K$ !.L =Z$ D!4 4+< G=_P:E&RJEZ5F!C=1.
MJ0"8-.1E5*-8:X:8L;9=>1%!UJ(82+29'/!*E$&4FYH8'= 9/O<!U-*4ME42
M1EJA--4"C08%971&:51ICNIC`,ARR $/\A /*R$/.3.L^18/R"H0QBH0RJJ!
MG5BL.G=,@<<1,\<6IC"@WP.8II"M;F(*I3 *HP"8HA `5.:M:\&3)@$FW D`
MBJ60O!2.X#@"*987ZD@MP>07._2F!$ 9#-FO$1"OU-5+^XH7]%IG@>81*REY
MDY>:7Q>H35 `*X )C: '`4 #F7 `II()5Y '*>=0',II0!(`@^(/]L /]F /
M9%$\RB$=)HNR[5<//O$<^\ /]/^0,_.0LSJ[LSR;LZ_(60AQ%N"A8=FJ'J#D
M"YVPEYHT)S'J)D3+%JA3$/+0LU2[LYN3/A7 H*$H`E5+M<8('W4QJX%ZH27R
M#@L0?1_[?[,94>36)?I #R=K($U2)=+AMO2@9(.48/&)9/J 8"$18[^H$,>E
M%N.!"@%@"@%0"I^ "@,W`)IT"A;6GX4KHVNA>R0Q8KWGKEK[&;&EH[6V*!\!
MN-H!*6*;?V3+?SP6FV\$K M!;G-CB)ZH$-5#J93;*^K*B0S[B?5A`AB@&LHR
M"//#%YCYN["D`D@G&AA +GGQN_,#`"DP"/0Z"+#&N\M"&.""O,H;JPI1BO>@
M<Z6+(1?_\ XM\ YY<+H[UJMJ"ZD>6H'&@*6[(IA@86(8X'2^!F@I\"WT`P`J
ML $=,+\&:6M0^0% 1!K/5;\`X!?]>\![:A+?>P0&\PY-( <MX B.`'H!8 F-
M@+%]0 ,VD . H'HXD -Y![+J6U75^A%7ZKYK`9 AH0_MJKFNEAJ+T;M^46PI
MP+_)VP$;D +.*QJ#`+SV0<.QML-IZL,8T &$P2P?$ $_[)$)RQ$5%+NH"7*)
M!KY/4 0!L (LL AZH >A9R(!4 `"\,%Y``$.PP=1*FZ1*E2B*R8<T8\JO).7
M^Q[+`P\YNKFS@Y4`\(J2U\!(\ 1\P 0>T@1-(")[4 4F`@.3_Z8%5T ##M %
M3P`!*_10'2HW75NU/YN["!''WZ%[4WO)/7M.]9"U>-QX7 O*.IO)98$(?WI_
M8_M\J(N^YRFR1K624BP0YI#+NIS+P& ZOOS+IL/"'P$FN7O'I4PS>NP/L%@0
M0) (#LM%^%=0SN>:L:RA)"QN7U&!+K@,W-S-RT +MQ#.XCS.Y%S.YGS.XEP=
M,4 "[-S.[OS.\!S/\CS/]%S/\6P!\*"SMY*SDM6L'?$(9?"=T<R:T[Q_YVO-
MZ0M'E:"&*3@+#OW0#BT+$CW1%%W1%GW1&#W1\,N')G&!TM&WY48/]0"7"X$(
M=_ &S&>ZL'S0:3LQAY `)^B#V\ +V&M TX]H"\Z0TSJ]TSS=TS[]TSG]"QSM
M'FF34LU11^^'$D)0"92P`R:"!^*)H='W!9/@`Y6 ``,XU*"P#<+ U=$0#F =
JUF(]UF1=UF8=#N4PU-5Q@?PP#_VP'>^G#_F@UG1=UW9]UWB=UT,=$ `[
`
end
begin 666 websecure2fig06.gif
M1TE&.#EA? %9`/<``/___P```//GP/+G?LM,&+[7Z+,`6>?5U\FCJM-TC=&Q
MNZ5(:98Z77@=159/4NW@YO'FZ]!@E_;?ZNC7W[@08[T@;L$P>,9 @\M0C=1P
MHMF K-Z/MN.?P>>OR^R_UO'/X&U?9J./F6)873DS-BHF*.;4W;JLLYZ2F#HV
M..S>Y>O=Y.K<XV9@8_+H[?'G[-&RPM>ZR=>[RMF^S-S#T(M\A-['TWQO=M"[
MQL.PNN+-V*F:HN72W.31V^+/V<NZPYR/EN?6W^;5WNK;X^G:XNC9X>S?YN[A
MZ+F)I+R/J,"6K<.9L,6=L\>AMLJFNLRIO,VKOL^NP-.TQ=6XR-K!SU]46MO#
MT+*>J=S$T9>'D-_)U;6CK6]D:M*^R>//VG)I;MG)TJZCJ?KO]?#EZ^_DZM2V
MQS8O,S<P-,"KMT4^0N#+U^',V)"$BV5>8G1M<>[BZ2DD)TE$1^C9XBLH*@T-
M#B0H+#M#296HMG>&D;S6Z%->9J:\RX.4H&MY@S V.IG(Y:#+Y:;.YJO3[*G/
MYK#2Y[C:\+[<[[G5YT=15U]L=-?K]W^_XX;%Z(C"XY+(YY#%Y)W.ZZ#.Z+'8
M[\7B\V^\Y'J^XH'!XU.TX6:YX;+,V%ZXW\7:XXC$V;'3X&B\UWC V'_#T]7E
MZ<O;WM'=VLC9SN/JY=3>UMG?U-7=R=[AT.CJW/W\[_'FA_7MGKFS?]G3G_CR
MM_CSOOKVSOSYW^?CR._BEO+GI_WZY^[?D._BH/+HMNSEQ>WEPL6\G%M72/CR
MW/KVY^O<JWIT8#TZ,+:MD*>?A)B0>&IE5/#EP?'FP_;MT/GSW_SY[_W[]>+,
MC.31F>?:M=;*JRXK).C7P]&PF>[BVM:YJ9@Y$LY7)M)B-;A9,M5N0]AY4MN$
M8-^/;^*:?>6EB^6FC.BQFNR\J._'M_+2Q>C7T/GIXO7=U/ST\?'GY?+IY\6>
MF..MIN_DX^O=W>_O[]_?W\_/S[^_OZ^OKY^?GX^/CW]_?W!P<&!@8%!04$!
M0# P," @(!L;&Q 0$/___R'Y! $``/\`+ ````!\`5D`0 C_``$('$BPH,&#
M"!,J7,BPH<.'$"-*G$BQHL6+&#-JW,BQHT>'[^()E/>.) !X[PC&>Q=2X#MX
M`%ZN5)GR9,IX, '@%"@2@$F7\GR6K*FSY,>C2),J7<JTJ45]]O;-NQ>5GKP`
M\>;QPY?/'E1]`/3A>Q= 'M1]]KQ>C1E@WD"H7N_I6PL@'[Z@]_+MJP>5H+ZY
M9<G:\W=5Z\"U;<OV]<H8K-/'D"-WC,<OJ.2(R@1HWLRYL^?/H$.+'DVZM.G3
MJ$<G2[J-@.O7L&/+GDU;]C:-L ;HWLV[M^_?P(,+'ZZ;U>6&F3=7HL2<^:3G
MT*-+GTZ=.J;4V+-KW^YYM< ``?;=_^17&0`]?_I2A@? +\#"UK')@7,-CESM
M^_AOOP6?-H"_>C'IPX];".5&W(&[K4++@@PRB."#QATW$'C@^6-/2LD),,L@
M'';HX8<@A@AB*=Q]1@R%`?133 (&M.CBBS#&*..,--98(SN=>8<1/"CR0P\`
M\-T'CD#;=$...=AT`\ YW=Q&`#?HH*--?A/A@R(^\1CH6S4E=.GEEV"&*>:8
M9((91"Z_16B08O:8Y:.;5B664T7UA/<C01EJADP!?/;IYY][!)!'`8?0T0<B
M!03 1S]W_,EGB9Q%$T OO&S&8HL:?/"!!AI(( $&%P"PJ0$`7*"!!P9L`( &
M%X31`:H=`/] Z@47?. !!:>>ZJ('&AC0P0<1&,"!!V%@P&NJJ[J((V<Z2IC4
M8O[LDP\`\X!WSTG^73B0EKVM<P0222BQ!!--./$$%"]$0884,<@@PQ157%%#
M#5FDH48./?"PPPY!`#$!$7$(L8(**13QP -&N.&&&!! X$(++:#IFYK'$550
MGIR%XNC&?MJA!\<;:P+I,YY="J,'')3**Z^YHMKBL2V'2FH&&E00002AADI!
M&"D;4.L',]=<:JDQ+KM9L\X>M1A899V4CS\G'<0M;]Z"*RZYYJ*K+KONPGL&
M#3<$H ,:7O00@ ]>H. OP (3;##""C/L,,02]T:Q0?1<J]2<%XO_9@K('.O1
M!^".DIC=,]"4+*,%'7#0`04`1! &Y))3_H$%$K"*.:LN;BJ!!0!D4"H&'VRP
M`0:9=Y"I!!1L?H&,1FN&=-*2H630U+M5'>ZXY9Z;[KHQK!& &59@08(((NC0
M#QH_!."%/2?(P08+;?3#@ML')[QPPP]'G&;2=>YSYT 8GV+^^:<8HO[Z[+?O
M_OOPSY*=I+T,8ZF-^.>O__ZQ"S [15::"T'@`P!R`( ;\I%/?>KC) 62`QO:
M`,<YS@$.)SD)2$!*X'ST`Q$>68@HN./--':'-=]MK5WOBM>\ZG6O?.VK7_\*
MV, *ECTWC$%NZ:A%<.Y&._)Y!AFDD$0@_Q31G"(:\8A(/"(C,"$_2#GQB4_4
M47C\(9)J!0! ^?"/2+!"&/<H)$BUJ8]KPE$?;GB#'.3PAI/",8YQ>(-*?K$'
M``8C+6I9*R$A?) >]W@@'O80`+](AB '2<A"&O*0B$RD(A?)R$8Z\I&07*0O
M_DA)`,2"%9C,I"8WR<E.>O*3H PE)E]120G]9UH!N$=9ZI$/?O3$*_SP!S[L
M09E\U.,J>AD(/O"Q#P"PTI7ZV =5\C&7?-P#:@'0QYT0HTK+`$"6_"BE-*=)
MS6IJ)!Y>1$A7YL@WM60SC@J!A]X.XI4Z\8@@=#E,`/AFS78^I3%MF@=4Z+$/
M>5#E*VOYBCWHN?_+MT2E'K-49F.NLA9C0D4>\DS+@,AR#P)5DQG+B*A$)TK1
MBEKTHAC-J$8WRM&.>O2C&F6&.R6C"EF8]*0H3:E*5\K2EKKTI2:U!34Q!L6:
MVO2F-?W?1N"31@`0(('>6. X&@B.;IQC&^'8!@(KZ%,GF>,VV- @`3AXD3SR
M\:I8W8T?>Y@A3"BB$F %:R,D0=:RFO6L:$TK6D&!T[:Z-4<3DH<]\,&>>;QC
M'SQZQSWH>L6^O@<_!!"C:[S!#==T`QQ(F@\!NM$-P%(U+'+T"@#6*0^$?K,@
M5AT`+LI1ILYZUK/2H,4.DV87=@(@3[,@G&H)9S@G/J,?P2#9_5I$`0[_<( "
M$=B !RI@`<=A8%:Y-8"Q?JN!#E@@`J(R@ <L0($.;, `$<A !X+ULEY%8+D&
M8-P',K"!8 U767#-B##9"4; FM>\CUT:6=X1%7C(<1[BPRQP='>U)D !!C-(
MPPX^RU]_"2$%"9-;]^K&FZVR:8Z.D6PZ+\(C\,17(#05@"94:P=_(*(?B*!#
M'>APB$39`7"H<*(]*%0_`9A,?[JBD<QBM.+]$0U&_=/I2!E"C[14UA[UR(D\
MZ%$3?51(6WFD+^^R]CNNI? *(IC#%M+ A1',80T\2-O:9(@]N&UO;MZ;6%BN
M-1A^Z!,PB-E'6;PLDKZ062 ^1I&:UZSF7D98_S.E^-,A^K$'#]L!$WT8U*$"
M98<`%.!0!>A''S[\IR9NALV(3G0#]L?H1C>Z?\-(M*0G3>E*6_K2F*:0/UHQ
MWV^1L'=:`U[75$@O>^%+7_R:<MMH:&4!T^U[SL(F>)3I0]&@8K6XYIC(LC-B
M\/0B<2=VM+"'_:(8:\2*R;0,?+ !@#?2AJBUL8^3:O-8AX@Y6RD)LJ?K2^03
MPN#(*S1UOO0%0[;-\&W:<W66[3;3S@3BW? .A!_F3>]ZV_O>^,;W*-[*[YM*
MT9[7$A\]^,$C>.#C6N"1]5_/RW#'%D2]`6 O7N58H*O>PAG0@ 8*X26O4K<0
MU>4.F#MFD0M<K(*/6_^EW9O[S?*6YY0U#8=-&\4ACIA/%3=9S;G.BS/C'O+#
M'G*11S35V9$%]_SH2$_Z-+&)&()VQ2H"@8<_[J%*>/!EQP3-9CSJ%(^GFX7B
MR7RF7'GDS*8W#5MU4KK:U\[VMKO][9*1[$DHKI"^0,3N<'^G/@#JE3B99Q^[
M; QD)UO9A'H3`%3O)9KM876U_.<=4"G++L7WEYY@4RSZR >/ZE&9MD!M).ZA
M!],K#T_'Y+V47V8,6@8^UX&Z1Y]:X8H_Q4<5\44%'V!VS\'UB1:YWT/QIZ\[
MW3LB%VOOHSS!3[[RV[ERESO_^=B1<4;.@<;J6__ZV,^^]K-_#ISO_/LH;S?_
M],=/_M1('R/PX08`PD%MGS:)-MKP*384^VSO@__^?13_9D[QATUXHA,`&( "
M.( $6( $^ FG4'X*J!HPIPWH@%@+= [<4!_AD%0^)1_=8 [@( [R04&WH0U.
M(H$`$%4+=',9D5GXEX(#D'))TU5'M B/$(,R.(,T6(,V6(.<L( ZV!UQ)5EE
MX5YKX8-H(68+=Q\0=!_74%YPY$\(1GCG,3Y2\R"T``S2< #\=85=4@[/``RW
M@" LV!3XX",&D2&C<&^!4 AHF(9JN(9LR(;PD IP&(>&EAW]( SV,UO$EH?#
M9FP"D18.50]W`H1]:![N]18/-A!**!N"I4'>,$%J_W2!X( -V+"$`@%U<I5C
M`C$//*83`8 /?)-'SX"%HCB*HJ5ESD(6%") IY4QN=:*?8(,-74B) 8-P68C
M-7,!U+4X%& `-6,C.$,COU@TX;4C*)(/09&(YJ4-;30E,4=5\5!9\ `/\M 3
M,3$G5O)C[Z!M22 %/#"*WA@F0/ `KV:*TH0Q<>:*K1AB;F4RC),Y,3,TLW(J
M*U9;MC(KL[(RG+(RN\(J\*A;85 !O-)B+<*'R[<TA$<MY(%'G68U0V9"H@9N
M'G=J^Q5RJX9N<<,]X\AN!T$AD95@8'$5^_!Y!U%C:5&2)GF2:B:&-/4WJ]4'
M?.!G=C '<U!G`4 '`4!H?_\B"J$1##S9DS[YDSS9"VHF# L@([C8(A70*WJX
M/TF9B[#3&=!PDE(YE519E59YE5B9E5J9%FE&(?C@"@OY:=WVD!P7;A_7C11Y
M;C5T90,&:Q+2)@<18;>&CJT(B]SQ#,:0.)Q1BZGR`9/C`1T0!AE0`0`@`2ZC
M7*]2`;8"*K*B6T#3(J$B`1U@`)J"*AY0.JERF<(B`2]6;,.H? :Y3E%A%)IX
M.V');0YI9%X3`%MP`VDP`F4C-E(60Q6YENI&8%IE'O'P(_(`(+ZTF^Y5B.]0
M#R)A=2_A9=%8#Q;3$/0P:\ZTBI^A"XZ""7SP,=3Y87=@!W>0G7IP!WS@,8*F
M!WK_P >8\"?JN!U".2EZR9<8@ &#B3._F $8D(O!>#,&D)0&0 &#Z2(5X)X6
M8 `98"KWV8OZ60'9E0$18* P]IG)MQC^`2#Q<'QWX@\!\',UH6T,64*AIIKQ
M8@4V@ /V0@,CX `EH ->T 8^8&Y5EFX8N6X%-GA2QP_$B1[Z@$U6@GCD<5?[
M`!9A&*$[&A%6)(:U!AI_D@=TX ^8D ?], =_ABB'TF=U4 >$T@]V0 >&XBB[
MIAW&`!YVJ!E\N90RTIDRDF(V0I#+UQ#M(4LY@:%BF9HQ``)ST \VT'$L=&IH
MJ6IJV6HMBIL\YRQP.8:C,6%TF6MSB!J_UAE\F0&;LEP`_P"0H .0A'D!NX4!
MB4FIAUDL'1"II1(!P+(!BHH!G*(I&-"?K_*4S*(1]V!:R&AS#5=M#%&:\O4;
M0J:A118#90`":( &-/ &-) \`8 O:! `); &<K &U(,"><JB6,:G*X@4))F5
M*2E'S:<9@]J*3024V.J3Z4DAPL `8/JM^M,_4;F55YF2] `?X2 .YO!3XX .
M\S=!30*)V( .&L@-YH .VR .Z[=&XG .[(H.;Y0-Y%J270D>7PD<S;!M#;FA
M&T=J=3IN)9"6*VI#KJ8.)T>.I90GI[ (CM"Q'.L(?B ((CNR)%NR)GNR)WL,
M3\0."="R+ONR,!NS,CNS-%NS-?\[#L-86401C0,Q$SXA$L_X5T7R)$8R#HTE
M0=YP#?.W6*VQ#4FK#835&HRUM/,WB4WR?LX(C=)(C2^A$"BH&\U0#:!6JZ-&
MI^+&`W=*F\GJ!NVP"Q<K'%\H(1AC"F<5"(QPMWB;MWJ[MWR[MPFX@X#[;SX8
M%-+H'C[X>ZI4A&%D'[3A#=K N.>57AUYD%HQ=%&H@IB+L94TK8#;N?QV?A>Q
MJJ\A0=MP#>)0'X1%#DWK4^- 1H5U'ZXZ$5^;N3L7M\?!N9Z;N_X&<ZS:NZX1
MNQ(QN[2;<[9[IA(A#]&X$L]I%!S!O,;[O-"K=O&@+;3DF_3@4 85`/0P+;WI
M$]K+M9C_:!YN(7KT8!7S0!+$.4=!.W?JZYM1QWC1&[_RVT-91WB*$4L4)T]_
MH0_ST&6YITL#$A;XJP_7(@\A.5EB5AA$5Q9G1RTW.K\0',&0P0_&9+\(Y0_(
M-UGUD'8Q>DO^D _3(A"_YP_O, \8_'5H=BWWD*,-;':6P2,/+,$R/,,T7,-*
MES<\87H)<0]0V! \;,,+,7P&45EA08WF<0_QH,,#\<,4075)7,0]J\2(U\-
M'!F9ETJ$01D$!WG^T+^Q= _Y9"5V)2#4*"#^``\1FAX#M0]L[!/XJ\7NA0]=
M["/C!+V91\)I#'G)!'FN9 ]/`\;@05!P?'CBPP\]=B'ZT,5F_U%/\%46/@IY
MQ4<M4Q<`48%X_A G_#!./K9/Z+%E7R%+_U'%2)%ZE<N5*>%ZD 47/S<^J0<7
M^,3 J6P/I2QW8K:<QMO*;6*XJRQX?5$6LPP8=J3)C,</.TH7G"<>?]$F>#=9
M>_=S5V%CL QZ<Y3 2R-XHOP1/)S-UVM,/^+'NYG-3ZS-<^2)2^S'+[%-29PW
M2?S$2<S#\\#-.#Q'=6S'@'?.%'=PXPP/>8/#9K'.[\S#ZNP8$;?$] `/4('$
MCM$5>_$.LZ174(ACD <3[SR->3$^3PQT^1 //[S/V7S-$=P2\[L3'^&S#8&\
M'GW2,XR[NKO23@2Z$BR\PXM5Q2L9*O_-TC:M'2Y=$:+KNY1H$3 =T^$W335]
MTT1]&CE-$?!Q#>3PNK/QN 00#HU%&_/AU.UW@D"=N3,=&4-=U%PM&D<]$?!1
M'_Y*#NUZ#?6!KT2EU.C #=I@#DAB0*KK?N=0<^2@KX4%O!'QTU<-(?K7U7Z=
M'5\M$004#AFT0 L4US\%#O5Q#4_BUDQU<P2 0=L@57@-$7J]U_DGU)PQ"D5T
M"9;PV: =VJ(]VJ0]VIE0J'_=5H$=$:W!#>RGV.0PUV9M#N.@#4X-U8%5V]S0
MNHTE#N'@U)-=6%"-VY7]$)>-V<.1U9!!AD>D"(OPW- =W=(]W=0]W7^0VOWV
M;]MD3+]'%O3_T,L1!QZ*ZQK:,(D$<(0\/1O."'CN5:/NP7G;JY!\I"# 0(72
MP%E8* W2L(6X4(I[I-R/P=Q&Q B14. &?N (GN *GN!9BMVJW8-,8QE!R#2X
M%\,(L=.!!;FR`8(^Q7"2VX1-HTI2O"W$00M5^(W>J(5="+=)\YQXLAFCP B.
M(.,R#@F)<.,XGN,ZON,\ON.DP!UWR!DL:[-$7N1&;N0X>ZK?$89N80_D05=L
MW,46G$TN3B2 )5C>T*_:8%1,XB2-R"0]O1A;T4OU@,%@0=(D_ANK( THWN9A
M\@S `> >$:3*.:2H``AXGN=ZON=\WN=\;@HVE9Y=:F+@6N@WPJ!T_P(>0@HD
M5\ZXX[! C_M&1,4-.UW<!]$>G;BFP,'F;M[I7@(,;ND1!9MI;L89>'#JJ)[J
MJK[JK+[JH4 :F<9FBV;HM+Z@G!%IL6YI^8#AV+ -I4L`VL#8CPX.XY"$KB&)
M@&4-N;YFFS9?3= %GM[F$R &S"KG'=&<`6",+[X9<UFMA'.>3B24<Y"77LIH
MF_I<,R(!KX-=-7(L,8);W66J1Z,1=9+IB)C>K$I5:986&#PM4D?)`D&AB\ZF
M2@`%4] #T=Y9$R $1K"LH7X9M@QAG>'MJP5%SR!;>^DBN;5=I[(!'! JJ!./
MMQ(Y8< XCD.8&3 K&W JH/H!P[*/D%,KOO^B`0!@`;Q".6$`7DJ.$1$O#M_P
M\T ?]$(_]$1?]$.OK^ TN%=!SA%/\ O[.^]2:N.&MOM2]5]2;D.P`JRFK&VI
MN6^AT>7[%SPL]DF\S!3QIWW#&=VN6GA69YAP"'E0GGW0!X=0GG_26I!RJ!G?
M(L[%,KSR\:4B`2+_J!Z@J+I"-*7"`:=",_I879&:\QYOH+Q"^#H_[V<*<>]
M#_50+3ZA+03A]+1Z0F5KEA*9:FH[L6R9D2^ZD2@L=PKF'@U,$;)6H>-#4X*J
M6HC0!W10`%'Z,1X&:(X"[MS1:P'0I7R98@)9ZR\2!KKEE+9N^<NW$UL[$%TK
M$-<V=3 !^F,K^A#_^;!H&[%XBOJW^?!Q99!-2% 17XE;::[0R1FIM5J"<I/B
M60>#HRB^OS&[`!K9NO_;"A !`@A;8,#@080)%2YDV-"A0W8")$J$9L_B18P9
M-6[DV-'C1Y A->H36!*?JP$I5:9<=P1)$B5+F#1Q\@3*BRADI,20(6-*E2LU
M:F1)HR9'#QX[=@0!,H%('"$K5*0H\N"!$3=NQ$" X*)%BUPK5;("4-9L67WQ
M[M$#0.]>6;<`XND[6]?NW;/V`NB35U?91,"B"@PF7'CPGCP%$"&R<R@/I@)]
M[!@V+ KP9<R9)T8+T O:Q 0,+5 P,/J"P0H:/!P<;<% !=<7`!@<?5!V_P72
M!D[39IV[`H#="","3H;7^''DR94OKWO/'S]Z]OCEVP= 7H!]^0# "\#/WCNS
ML,2J;/DRYLR:-W/N[/G32@`L)+AX&4$CP XO*)H^C3JUZM6LMNKJJ[#&(XLY
M!!/$ZR_,D*'L00@C- P5S2JT$+#0%+(@`N \4$V##U<SR(,.#,C PPYD,R ,
M#@#8, +95(P@@]G"V*""%5NT`#C@%!INHN(4%')((L_2QQX`[*$K`'G@>6X>
MX\0;;X#R8)*))IMPTHDGGX"B88XYN!AABQX"`".__:"2BBJKL-***Z_ FO+
M(@&X!\DA\^'++@8Q0T7"!_M Q+ \!H50EPL3[?_'F,] 6R@,#3K\$ ,).!#1
M``]+^Z ##53LH ,`<-0-``T^V#%2`RJ5P(!/0_T@TN .^E&B(.NT]5;CCDQ2
M'^Z2S,<>?P"8![JZI!RORO.P5&_+]JIXCX0POR2AGQZ\F ,%$_A;\S\W!8RS
M0+'(TF>?>^*9KAYS];SN.@#R<0X`?O"Y!QY^>(WW+03?*6DO* 'H$S--##OD
M$#H*J*...?3H@XX\!+4C`$3ZT*,?B?MQS#!-$KV0F'T]R_ AD$,6.>19!:@5
M5Y135@Z?DOSYSEBQD+TR/2W9ZS*HH8K*P801=BB!*:?4]*_-`.$D<$X`=*V'
MK^B.Y(O)``#P1QY[X)'_!Y]@=;TZV 3W]0Z\?R_[LS [^ C@X;(5'M3AL^>(
M;-#&_*&L%(TK'&9?88KY>&2^$=) 5(8NB(#DRTY6^7#$S;IG7WS@@7DEF='+
M<CV>:%@#**&(,@HI'GY.LS\V`7QS0#D-E N>LMY!7:Y[Z(KGG;[D,BMVZ\"C
MG3E\]F'++PL%(QNR`NR S X]@M=CC[,)$SYX"&>I.[,Y>AD&0X8TZ, U##S
MP(#LM\_>-0TX("W\W$KCU ``..A@_/4-L-X"U3+(P'WQ%RK9\,3SQW4>E\$+
M;THJN<1*DEO63LI !2N<X0I;0,,-M" "-FR!#3_P0A"\`(<OK,$><!B:Z+QU
M_S33Z:](8;N,+@!UPA-F['F)VMM!*,"!#WA 1:,RB&P\X $*2$ "H]&A:PS2
M(_3%2 -A\, &5&.02(7!`#G<H?T*IS]O;$.*4Z1B%:UX12Q:T1NX>AQY!)@L
MFE%.!B%X`QJV, <SB$ '`3C*'/IA`FNA@ 5M0,&VB#:Z;R%-A,G1RY[.0L++
M^ Z%@YS;"@'#&<\X2B$7"$,'5K,!4AD`DAJ09!@R0 $/A $#F-3D02) Q" "
M!Y,2N `G,:":#> PD]OST1-OQ;)\W&X;!*!E+6UY2USF4I>XW(:"N-.__TTI
M<LJJ60QHT(\W6,$'9>B'#M9XE/SLX LHZ <8Z&A'#_\:K73ARE]T1+*O[K %
MD( Q(2'-61CG"2 8ZV1G.]VYSEZ DR!]HV<]'U*RBHCD(XO;%U]F28!N`$ <
M!- &-K1!`&Q@8Y:]!.@LKW%0A&(#H `H*#AHN8UK$/0:_\R&/C%"DI;9`R7"
M_.+,)K<EGOP$9YH["@\Z!S1M=1 K8_A@"VJAQST>ASL"(599Q@F84)Q3J.DT
M9#%*(HSIM=">2ZWG_7!U'8'H8W?_/$= KT$.<& UJUEE*%:]00YL=".LYP`'
M0QF*CEYJ`ZM8)4 O%90/@?BC<0#H(GG,8]("<DFEF=,94I0"4Z&%;J8?O"E.
M<XH7>]S.+/_:A2(<^UA%^&'_$).E;&4M>UG,8I9"AGQ&(JG'5- VU96VNH=B
M`;!0<VR#K.001VK!<8YQE!4`!,#J-M QCG",H[7@T 8`NL'0V*+CJEMMJX+F
M\9UB`5 ES4 `7HO9K)7VU:6>"QKHN.4&FD(`&:M0[@#H=%@$A>T1XWW$'\;[
M!_2F5[WK96][V\L)0\97OO.E+W',@IT`Q$-8`JD'`%CF#_UV1VI1.\X_;<E6
M`F1UEPMFL%O1(A"+/$<[3@H`GNY25^4ZHQH*>.[-^+JYI"SE<W:DQC%PT5UN
M@C=!8=,$(5S\8D?$6,8SIG&-;5QC/^RBOCOF<8]'RR0E`8!)L&-7D/?2.@(;
MQ\"[_]Q&-Q:,#8LRV)8.1@N2C"R/Z\P5+QA&L5A6<8M;`$/,SY!&F<TLC6>(
M&1BTH$67N_Q=%2LG;,@`12+L7 C(YEG/>^;S8QDQ"A\'6M#SK163[O$6W9E+
M7_"0EY#I$8!'(V?)NE0P`:Z!6TN+@QSC4&NFQ9'1!5,Y:5;6A[[>08]ZS"/)
M=N&RFUW]:EA[-\[A'72M;7WK'M<*R_X[W>S\UY?7F;8ND\YEI=<*#FZ8PQS<
MZ&J4&UR7>*#.:OI-W>JV'&ML9]O5<)[U<7Z*:W"'6]SX2QFQ<0F.LDCQ'.2X
M1C?.88YP,%0;RI9HJ+FH;7SG.\7=3LZWQ?UO@/N8W"@SMR^4+>T-;X#:X+44
G-9%:K6^(HYC;_+Z+OP-^<8RO<."X*OC"/7[+A@_IX1$GN8$"`@`[
`
end
begin 666 websecure2fig07.gif
M1TE&.#EA: %W`/<``/___P```//GP/+G?K[7Z+,`6<NHJL6;GN?5U]&PM.G:
MW-O!QRDD)DA#15))3?'FZ]!@EUTP1FU 5MROQ>R_U?;?ZNC7W[@08[T@;L$P
M>,9 @\M0C=1PHME_K-F K-Z/MN.?P>>OR^R_UO'/X+&;IJ./F=K S=F_S#<Q
M-#DS-LBTOK2BJ[JHL7YR>/7?ZIR.E7%G;.;4W>73W.32V^/1VLFYP9.'C;RN
MM9R0EH%W?-G)T>G9X5904SLW.;ZRN.S>Y>O=Y.K<X_+H[?'G[,6<LM"PP=*S
MP]>[RMB]R]K SK*?J=W&TGUP=]*]R(A[@N+-V*V@I^?6W^;5WNK;X^C9X<R_
MQNW@Y^S?YNO>Y;:%H+J*I;V0J;^5K,*8K\BBM\JFNLRIO,VKOLRJO<ZMO]&R
MP]2WQ]:YR=O#T-K"S][&T]S$T<^YQ::4GE5,4<.ONN#*UM_)U6-:7^//VN+.
MV=7#S8Z#B75L<:^DJOKO]?#EZ^_DZO+I[O'H[<:?M<BCN-.UQC8O,VYB:48_
M0^',V*J<I.[BZ>C9XBLH*BHF*1H:' T-#B0H+#M#29:IMW>&D;G5Z,;A\U->
M9K+*VJ:\RX.4H&MY@S V.LOC\]?J]]WM^)O)Y9[+YIW*Y://ZJ?3[J3-YJ;.
MYJ[5[:[3ZKC:\+'2Y[+3Y[O:[;G5YT=15U]L=,KD]-#F]'^_XX;%Z(?"XXC"
MXXK$Y9')Z)#%Y)?,ZY7)YY/&Y)?(Y9O,Z:#,YJ3-Y;#7[JO0YKO=\6^\Y&Z[
MX7B^XGJ^XI;'X5NVXF2YX:+-X<'>ZSJNWDBRWI7'V\;9X:/,UM3EY\W;W+O5
MT>/LZM+=V<?8S=7>U\79R,[:S^7KX]G?T]7=R=W@S-_AT-[@QOCSOOSYW^_C
MD_W[[^[@G_'EJO'GN.KDQ^_ISN;4C^_FP^O<K/GSW^S>M]_(I_#EUNG9R-&Q
ME=['M^_CV^C6T?+IY^_O[]_?W\_/S[^_OZ^OKY^?GX^/CW]_?W!P<&!@8%!0
M4$! 0# P," @(! 0$/___R'Y! $``/\`+ ````!H`7<`0 C_``$('$BPH,&#
M"!,J7,BPH<.'$"-*G$BQHL6+&#-JW,BQ8CQ_^OH!N!<`0(![\0+D\P=O(,EX
M^$H"Z*?/W[Q]_/CE(^@/G[]Z*5?".RG07@!Y`/+EO$>RH].G4*-*G4JUJLN2
M..<%F#<0G[U]^@9JI1>@'EFM\+1RY8>O[=A]^TS>`P"7KE9[39OB@UO/JM^_
M@ ,+'JR0Z,6S-4W2(ZBVH%9\A"-+=AJ@YKY^(B\?3=K/7[S+_ )\CHLS=#QY
M_OK-%:BU<SQX_?B%A9NWW[ZR'_MMO>?/GSV3^O;=ZT<O[F2H,0- /NZ70H'G
MT*-+GTZ]NO7KV*]38,Z]>T9S`L*+_Q]/OKSY\^C3FP?L'/H%#AD\% ``@D,!
M#0`\;"B P0,&#?(5L $'%PBH`00:% "!?!XD^!X$_/D'`83/`5BA?P5\P,$&
M%7@P80$7?!C==D\-8.*)**:HXHHLMNCBBS .H(UW#8$G'C3 Y*CC+[WTZ../
M0 8IY) _*H->0;<I)Q \M^W34DS]($527/H8IE![TV50004`%""""/AI\*4'
M74*7WWT`X.<!F5[B\:677>;WY@=<^L?E!_-5(,('89Y)'8D$!2!H28+^5)0_
M3BX4XZ(K<N/HHY ZRNBD)LY(HT#)^7-/2P+9&-XIH(0JZJBDEFKJJ:)>HUYY
M4=53:#[Q"/^$)7499 "=!A@\=X$&!?)G*X@)/I=!KM'M6N"7PSZ'P:\%U%H`
MF[SZJMU%50;03U\#M<A-#-QVZ^VWX(8K[KCD?MNBI9<FY*EXR1#@[KOPQBOO
MO/2^B\VJXK&7W;[\]NOO=(!VY&(66FS!11=$].''%V"$,4811OQ1AAE'('%"
M$FB<H48::<#QQB!/S"$'#3/($(,445A A2%3! $$$#]<8845A=2L1QX/Y#R$
M$'N<FU!;=/4ESSY(`0!TT$^%M@]7!*T[7C7UQDN))01(8@DEDZ#"2",$.$)U
MU.Z&LVJZ9%LU<,$')[QPPP]'/''%%V?L1 !N.. &(0&HT$8*,^#_#47**[?\
M<LPSUUS(S3D_L'//+,Y(4DO[^!.:6B=1?H]6_&B:CTHM$;5Y/ISN!=?HI)<^
M>FB#%FJ/T^2%(Z\C`5C"M2*I3-)((P%00H E5/.>2@"[4PV[[/.2<V39R$=U
MML$(*\RPPQ!+3+'%&&O,L<<@BTRRR2BKS+++,,M,L\TXZ\RSS^EBAFW3^(+M
M_OOQ)K,>5#5M2M"L![(I9PA]<A FFQ\0009"\"P,Y"=,\Y%/AT0`@C"]Z3EL
M@D":`-"?"8I)! 48@8<"])R 260HUS+(\M+F/+9%[VUV$)0@SL &120B#F\(
M``Q$5H<`U" B$(JH0$_ 1;GR'*Y_B_\[7N.09Q&G-@(42EZC$3^SBB5",
MHA2G2,4J1G$:K/K+K/S%)NQTD3I^^E<8I>/!C3!J' 98&_3<-KVX6:]C'PN9
M'&90LI,![GLP^Z'A])".;RP*74;L%'K"88U"&O*0B$RD(A=I2+&IIR#U8$JL
M!!+)2<;C'MB:!U#F<CF&;/%?H SEO\H(@'I@BRGVX-0EF:802KGRE;!,$2 #
MR3I\V?*6MM17=>0D`@-N8 0<D* !,_"!$6R@EQ\PH ;\!P(,/D>8`,C E\)4
MS&,6H (?^$ (R,2!"MPGF&7Z$U1B2<YRQFB6@01 E7YSCYS8)"E6NHN@OE+*
M`)"F-^NKIW$V-_\7Y>S#54,Y36HNF95T&O2@"$VH0A?*T(9>:AYS,>4E)PD`
M>=1#DV(YR6(``-%)1I*2?9FH*3F*DI'20Y/S@"A)!?)/A[KTI3 -U*8T<Q/C
MT",U_;0-/AHSD)7HHR8[L=8^=KH5*S5%'IC!BG%.0AN9Q!2F3!5.`.#ACWRH
MABZN@8M:ZJ+5K<PC-<OA:&Q8`AO;) 51)6G*25)RFYK6Q3#M;&@M<4G7NHY'
ME\\$@0?PD, 1-! `&P``@M+$)@\8TYM@`H#_TI3 #'I@3_@YIC.?U:7 XN<]
M%GS3GCX`@A&-TYR@#>V)T)F\N=KUM+?$Z[^^:!W62F>,_8(M=$B9$='_VM:<
MI$7>NG3$6V#<@A? #:YPATO<XAHWN,4XWD"X&A>BR..2:4TK7%1CI81\4I38
MS:XX#5(7N7@7'B3922MAY UUE.N\Z$VO.KP!H]P>QRB"6MI G :_^H+-D;F$
MBE8$%4(`7/<Y>'BL`-,$`@APH$LCR$ SB7F!#81)`P.<[($S*,W$:F#!> HP
M!SY IF+R!T#A!-A%DF-/5HZP"&A(KXI7W*T=7&&(C%N1>R-WF[GPM+LJB0FG
M-$*606FJ);5\AGU3@8I%I((`E8@=UW[7"$5$@E[RP]=37SK"YJFQ;=*#6_4V
M!L?LC:R.W0N<#\6W1R$N#GT;N6A&TH(0TV+#_[[PBL23X]4(1T3M&8^<LD.K
MK+;G8?EMU,M8( 2QA@"T`&\O$ 3?_'9'P86O<.1+W)F+N)#J6N4SK&1?>L@!
M9WCQKM/WFE]S0&FL__ +5_LR]76<51W:8H3/)5QCEAV@B!)D3 DN#$0,!8&"
M%P2 !0'0`0\2X0\=V*$'_KC#HX&(.//%6$7N[8@\4DKM:EN[VO =5 A-2YY.
M>QM>S"C/M<=-[G)7.W4!T-0$I).!72705I'-5:F#=8%?8:#>N3(UJILE;UZQ
M^L.Z"E8(-G"!"L#'WL2"SA;,S?"49CN^?7'1.M!F93^?L(U;OEX<149'[C7:
M93_08Z05MS-PH#F=K/\SQ2A6SG)1R.+E,(^YS&=.\YK#/!C&R^)R2=/<U8PD
MNB.)W%XL?9#_:HE+7K+PF$)\ICZMJ4LB<!,&11 G`6>H3ABX4YX@.T$.DO$@
M..[G7)2V8X3<UD2/\D8YUL[VMGOC46>/=KJXC=JZ*]<J_P41!P@$(OT(RP._
M&E"!XD.L8+(;\$DWO(#X7H"]4_8"'BB0X*WCZHN<_?*NE+N>-Y]W[7I>E)7?
MO.@SLKF9Y$,>HB%(=T?/^M9/F21J42M3!L5*G%K+'ON-:E.6:T_PTMXPL0EJ
M?'?O^N(;__C(3[[R`Z/2-6]E(?R(:#Y_3OWE6__Z%VE*5UG9#]%E]"Y&T<K_
MM)^OJ7F,OZ;>A4M*R#)[ZH,0^_"/?T?24O:HR*/^\E_HZE>O$)Y&Q/]Z=A)4
MU1ET426E%!MA40^]D5*5X7,G(2A-H8 VT1J>,1"Z<5'6,AL&6!F(@AGY1R.Z
M5Q+XH!N7\WQTL31;P5Q;A2C&P5%%-7M;)574=Q*PMQ7UT!D])Q#IME$*53D/
MB'X``%\L80^]<5(FR!H!8(1<083^<%)CM6.U47IAUU1:]'E6^'FA9WW#05$?
MZ%"=5QT/YG73<0&,U2#[XEK1,2$BLEU="%-T9W=P>%=5"!T@H$%5)P+\,T&+
M!6))1WB =4",=28!AH<.-%EL<F#XD0$:, +1\B;Y_[$!%-)!GX5YE-A>"/6&
M<1B'JB4=^V8L5PA*BM@KTU(BE5B*)T=+Y$$.R) COG ,QO"*L!B+LCB+M%B+
ML'@,S9 >FW@K`% !!"0"(S "%!182&<F(8!!(3 "%0!Y79(!>- AT=&+@.4E
M7%(K6R(?$( '>) @RBA;DDB*IAB.**)Y-+(NK-!;.0(+L[".[-B.[OB.\!B/
M[+@)=W>"!3@3<Y$/7I%6_C 2NH%41&<0_^4!%0`"4&=A$D1UT1@@(5 !>,",
M]_&,>&*,:7(!> `"';(!SXA!'*"-^[$ET,B&JK=4_60/J/<;#/%*:J<.",!B
M+(8`ZE .[$4IY"@8\#!]\_\U'K6PDSRYDY>0"4 9E$(YE$19E$89E-10CY&3
M.;%"$DPY@)H2=&0Q%#X7A/CWA9_(;LQB':K&+Z2$8YC!#P"0$J$14C@I$"[B
M#2ZYEFP9`S,I8U8A.J8SEZ>#;NFV.D_S"'JYEWS9EW[YEX"YEWB&2W19F(8Y
MEW89`!)@'0CR)62H`1^P`8'E)1A0A]V$'PB2=/LF(%"'`=-$8,#D31JT(&12
M`?M!D!NPE=(1`8?9FJB3.DWH(EJ0!FU9F^BU`WQPBMP!#[!R$$[S9M_6:5&6
M7T^1#YDF*]9Q`1BP+,(BBL$"(K_BB<VBFO<A+.T6+?4&'<L)<*C6E2(I$?+0
MFR+_U"($PSQ]UC!E8 )+, @T8)O?(@46L -3@ 5E)FE$!)<(\5:8%!K\4 ^1
M@R@FD0^;PX48H3Y'5!ZN8U^2H @!( E(I@B,X \$\#N4H BH0"_XE6=^X0(=
MT*$>^J$@&J(B.J(D6J(F6J(N,(DK4IXD=&47IV49PV78(T?;8T?>XV@Q\P/,
M9F;W"6T)H9\NR#1AQQ#3UG#6]G#6TA>UQ&GUQ:""0@!80PD!T B_XS[1(&5M
M.!FPYJ)L!*/6PP8S2@@J0#)T``4Z\'�V8C!V.Z65KH$9S?-C99*AE;:G%=
M&FAGL :($ "(T 0P$ !S\*=]$P!_<Z-C!FE!9)_/)DNE_]062($/^H 4]: /
M]E /0S,T0B,<```/^@`ZKA(EG HZ%;$Y2:IIY\$,\Q()6U,UC, (DM (EN (
MCB!G!"!GLM-DBF!GJLHU\1)JYS&G=$J>%'>>L@9H;J0&:P"F<80W.3 #90H%
M4&"H:8JHS<:F1;1[]J :_4"5/F@4<Z$IUY(/]_!3P,&;XQH6%.$J_+4^="=D
M\.((C) *BK [K8H*4JH[GV8)B]"JNY,(DP"O\CHOX?:K<YB5!MLO64@1=6I"
M75H"#.H`;S2CV@-F:+IL]>EL;:I;JP(U<-II&9HO!:LLP8(KMK(KVQF&(GLK
MN8(?]F&&_ 8L[@8=712SP,)A(O_R;]_H% M;K-.C`@X0`$J `HJ `BD00S,D
M!X>@"'$`!0%P"#U@`RETJ#NJJ!E['#U6*/:#B<#9L?;EJR#[%$.1.K R*\>H
M/X_U5YCY/UURC&*2`5V'0&>R0&C[0)2E(!.$`1# B,_Q)AHVD3F;KJES+2VQ
MLW^&<3&J<5Y6HRA#!6(VK5.+L91V*4ISG$Y##HN4#*>0N9J[N9S;N9[[N9L[
MG%_K%)O37\AYL*B;'0FK$/Z@$D63+2^R#BUJIUF&IS*Z<7-$L=(:<FJ:J(I#
M#B]2D]WA--?0"<9[O,:["9RPO,S;O,[[O- ;O<Q+#*+&4OQ %GUA53=ED@'P
M%3M!$OW_2(*>!(:]^(O!.(S2&(W'6 #)N(QLXHPA^1S2N!\B4(U'AXW:R(UU
MTFH&,1Q7I1(O097]J2BPA [H<*?'BKARU'$VVK@AUP[D\ W<\$K"RQVL0PZK
MD,$9K NLT,$>_,$@',(B/,(># U*&1=7I1,S80]3B0]B>0]2I155B1 #69 '
M&28)R70,Z9 0J0$2J;X5>9$9N9&-YY'7=(W\RUTDF1(I!1G\=Q#B&,65<HF9
M6,7U2!58B;IK:!T6@K J*L6E6,',@8E6C%J["!T9\$N]E"8((D$%U) @@ =N
M"P*YTI"1:+<%])D:`,=\U2'Y`P#;6,211WE?#,:4*,; .AE9_YRZ!KNZB?S(
ME\*A)SK)E%S)E@RB*0K)FKS)G-S)!:%6*(@D+>C)I)Q_9S%5CZ-1HC%52Z(2
MMZ&/0T$/UPL7(Q@H]6 /\4 6*0%"0'$2(L$6;<$;^D"@I5S,@11^1R%[1E%*
M.]96;85Z\T /H\$;!!$/"F@/RUP/5"D0F_,;Y2</Q&?,XIQ.';52G311C&%C
MJP$/N%=*EU1VEX0MZ-Q)8^ES(]5\XYS/^KS/_.P=X7P11+,0^- 73YP73M7/
M",T=VE<3VSH0-]6$&943+;%.="$H%3506M'-))&"<4$2_0!=U,<6]Q!6"5W2
M@:%]*,A*\F 9WT>#1<6 7#$H*0VD=?]1'"Y-?63QT2:]TX"!TO[7#TK1@EI1
M)?'P$2%14961%$L1@P`@.:.1$KS1?KNGPCQ=U0]UA%+A$_AGU?;WNO+PN@I!
M?Q,AUJ(W#\0L$?$P#_!P&A7%A61=S6#-U4^AUEQQ?ZQ!469]@L]52D)S&I8$
MUF,Q26Q64<_%%7Y=-+G\?%_-&O#PU?=WG =%%&+]7(@M#_Q0U[%"?Y,$S:$Q
M%$BQUX%-$ ,ZEDQ#V1S%9G8MUQ(1@B,!U4,Q#_A0'#/-<VJA%-G:TI5:5-,,
M=">!S"CU5OPP?D?3@RA1@C<!T50(U *:T10%%CD1'*:WW$6%DM2G2=H'T:RM
MVA$1@M!\$M#_G _^.=LG6-M$$U:48TJZ387*_-*:`J05O=7IU-LOW5T"6C2J
M84H`Z*TD\1OWC8%:L3Y-$1PHK8,P+(/:#1%F_=5I/9:-O=DM\=7TM]@0KM:;
M"M9K7=1+PDIT3=H<%2NOH=87CA1Y;30DG5!Y+>*-730L@7I(@>%OO:D@3N%C
MF=E%S84+7E&H730)7M@AR\@^/EL''N1%!TIJBQT"U%C9@8;20;<B)N160<9E
M;%>JE75G`@`C(,?X$8R[0EA=<@'"""&EZ9D"T5@^O(SX89#V`4%E$@**!2+*
M. *>B4'.*,>>!8Z&7(F(/!E0'N5TI5H7@)%W:&& R(=T>TR#WEB\_U2(,MLE
M9/)@%_F0CBB&!>#($7'GIICGDK'G?)Y:(5N'!CD?43=8;/X?7*X@>'",!K17
M@ <`!'0F`80'@W5!B\X?I^Y-^ $`O?0F=:A!=:ZSEH[G5+SI97S&\AL@"/3C
MU$$G49=P2>SKOXYYF!X9FB[L<CIJH>2=U8'MT;&9_L+MO2XPSP[MP4X>V2 -
MYG[NZ)[NZK[N[*[NU8YW7!DLPY(LS<):_E8A!=)%S+F0S+)O^_ZR()+JS0[N
MX1YWXQX>J\A;PR ,#-_P#O_P$!_Q$M_PPY -5SP5__7'FIDF9<MT":9,@L4F
MENE-9O)8!.0?^8&:ME*0( `";JLF`\\1!?]_>=%.&.NB#.@(#*VP\SS?\S[_
M\T ?]#U/O02[7-=;%IRQO2>Y#]^;;C,1D 7Q7QV_\7LL`JQU)B"_(%V"80O)
M0"^?'__!)ATR(5\OZ7\K$/[;3^(J&@)\E@1A3MR@=N>@#BSIDC 9DS(YP>14
M\X.Q6SD?"YX0^((_^(1?^(9_^(-_PO9H5$ 'PSU18^-;'=<YG9XX^2I[*P6B
M:MD9'>UF;_@&<,I"+,I)[TTNR@3N761'P#'"#>5@7NZYEC&I]Y9X4.OB"K9_
M^[;O":JP^[S?^[[_^\ ?_+R_#(J?PCO1#RP\52X<=#4XPT..[-#_E4OL54X\
MRE#L(MS@#J^__=W_X@ZRCY^7HC[UMRZ:4/[F7_Z[( KJO_[LW_[N__[KCPWB
M,/_T+PXY5[VE)$D#44D"`1#Q[M4#`&!>/8$`[LTK6%"?OWOP&@*@4,#B18P9
M-6[DR%&$B(X7/0`(J9'"Q(;U""J\9T\B`($,`< +T&_EQ $Y=>Y$$,/G3Z!!
MA0XE6M3H3P0[E6I#V=3I4ZA1I0*@%\!J`(@2S0G@*F :*;!AQ8XE6]9LV&I=
MU:Y=.]7M4YI7`^2+5Y&C!SQX.!0`40$/A@LC*HPHD %/!0^!1X"$X%?#Q<"#
M"X@8# "#8<0%(.3=,+)QX0J9.9Y\^[2>W'X1`2A5FN3H:]BQB>Y@K9-I_VG<
M3>7-X]W;]^_>]N36)+BU:S@"R94O9][<^7/ER=A.5PO<^G7LOH>GGM"Q,1X1
M&@`\+C#RH@CP($4`(+P!#X -(DE:_"A>`_J/!0!XL#@2`(0",*@`@ \ZVB([
M!'D33JY]&*I-IRRT$&,0V2JT$*@HK!!BCP<'N"TW$$,$@)\`&D3)N*Z>@6Y%
M%J%+B[KI1'0KGQ)OHJBCC_*C[*\+#B-,@\,^P "/$?"XX ._^+.H1\GJ&P_(
M"@K$"X_.`,C ,O<J`&DT&0OR9ZYX4.IP@ BWX*(+(KP@PP0*+W33)PNFN$*/
M!^H<8L,./^QR3Q!1Y JY%@,5-!P8V>(S-[M*4O]T448;[8BT0\7LL,PSB>C#
MCR_ "&.,(HSXHPPS3D!#C3?>&.2)&5*=0096605*BBBBH&*'*8 `XH<KK+"B
M$%[UR*/.!^[D\$$]4<(''P#V46D?9NMAEMEDF:4GTH+@L7$B/[F*1M#E4$$E
M.4E28:01`ARQQ!)4)'%.ND+5HO:M1!V5=UYZ+X+TW=4FU<),-"_-=--./S7C
M""1.2 *-,]1((PTX3'UB#CEH6#4&6"V@PI I@K 5UUQY+<178(7-$RIH`[C'
MH !D@A8`D^=)^5T:B7L)@&RYXC:Y1BP)@!("+%F$@$D(2"6 GBUY[L5V!<!W
M:::;QG=,2OO%5%-./07_E6"#$5:888<AEE@&BJ.P&&.-;\U5UUY_M1-/8DE.
MS6245=ZGH*N0A0J?9_/6>V\2A_/'GIH%P.9F2RI!Q6BA%?$G7*L2(?<Y0I-V
M>G+**W<+ZGTK]9?J@*\N^."$%V[X5*\GKOCBC#>^XH==TPZ9[=J*G:CDDUV6
MF^Z3ES[-*IL:"ER 9 1M) !)AL]Y$4848;Q%=MNU_'GH+<><7TNG!MCJ@3]'
M>(U$`D"DB4$0L0J'&: (``JQ42\;5UU;!WGM86./'K=X])'I1.H`O7E_YIZ1
M?'X`!I!/T].<]:HF,*R!S@D!8$+#8!" .3RP?.=+']E4QSJ/O2]8L&.-[ 2(
M_YO?"4!%_"-A<K#AO ^F4(53(:#4_G5 SV4M=$P(0 L>&,$`3!!]8TN=V=KG
M.OB-[%W[R!V?_*&LIH20'"6,1"2:DPK$00>%*Z1B%0O2PNJ]L'/9DR$;%!&
M1(!/? $@G_FLPL/UK:YU'U/;!N/7087THQ_RL$=J] $`B+0L97"#R!SUD0]\
MT",><X'''P,IHZI<I7<T*U0UFE.)150B%01@1"4C,;Q%F,MH/F/$(B2QB$5,
M`I*2; XS"F5%5*X0BYN['@*U%SJND>X%=3!=!7O(/K2Q\75O7(I"`E"0??"#
M'O2PG1Y=MI `V ,A\+B'/_+!LI,QTYD%V4V"?K.@J_]D)81<"1YS')&(1! @
M`*EH1#D#0*YS%6UH14O.-\/9G!-29WYXH$ ][7E/?.93G_OD9S_]V<_W,&V5
M!MPBP51 `JV)KFL1JR4:+[AJL;<ZJUCWT(0\`U(-&)\L'( DR#WV<3![Z
MN"@`[+$/>8RTI"+:1P#X<:UM"HXYDC@<SQKAK>)9@EQ-[%DBQD6 G#F"II;@
MF7,B9ZCHQ:M>2V7JHYHV4"UB[P@.8 `)') P-ZR@86R@`PM40(@9$$('4H""
M#JA0!1]4X0T^S&5$.=A+J2P$E3$5`#-*Z A'\*]Y;4GJO.QCGI",1S]**@E@
M<;2EC=SK75#EG%1)\,6K4I7_"8EX@_=80(<`P. 0-0A #@YA`WR8;*VXPB 0
MW2C$5,[D6KY+FOY*R+]X\I5I+FE*O,13@1#H9P3P$4^1,/!7DF"F0)2Q$@C8
M,]@"<, O&1!/"/ ``OD4X *#R2T&`!"""EP@/YNA$D84FYMXW$]2#XI:%AN+
M0$#8P08!4((#4+"".%06!A"+0P#JP%DHV"&_`4CC#W49Q+:EMB"AK8EJ"D)7
M$;ZVA$?MBM-V!Y$PW>@B&0@-2?;C)/%X`+B302R2]F,?Y%XX/./)3W](,A+[
M#&DQ'$9N1KZ;&WWPSD:,;:7G6(#0A*U!JV\@A H@1@="@$T*-S!K%>Z0QM+^
M][0!_ZX<WO;VY+SU32[^J >"7:M@;OEO+5#F<I>?/!RK2 `C'JB <?4S( W<
MUD@;ONT'>M07#UBW`LA5[I-(C%CS3%=+A6G(?4 RI?A<) )>)K24LTD/&L.0
MBZ#;VN@>)H=4"=F6&OL!+MVGMB'<Z1VH32TVD7C@I'$3R_LSI6R7)@]%KD2I
M&-F/14#<U'IM!@`BN$!)7HP;`I?H?F,:P &HQTI%)S"AL7QTI,/FT$JK,8.8
M'H(XQN1!*L(C'QA-XEJ@`0QL9QO;GRA%M[W];7"'6]SC_O9>N>*T?(BW(*MF
MU&\5Y6Z.: `#])(WEV0D#[HXA=<Y&8<!S%OC10_;T1 S]O_I+)AL__IJ".W@
MQKZA+6#6JF4:M*!XQ2F.BUQD7.,;YWC'/?[QC5\#J0UI:0#L!H^6[D,BH9VC
M+^<6XR)"A=T6@7<&+C/OPABV`!JX0 9<76O 7B8C^_&YJW$N=(O8?$G6):R+
MFR(7EF%E)?8XXLR>LF^EC ,="0"XL&$Y<$@W5'VW(NVNV@&.AF,])P^'."/5
M$HY0Q%WN<;=%W>U^=[SG7>][OWLS8C2[N>WCCJD!`""%HQ!_Q#$`\N@'W*0R
M<PU P#P8#H$(=,X>FX_G/^8!P0B4RVH/B""W<=X/F3?@\S*#``17RK"]4;(R
MN"43U?:XG-K'Q UTH(,="V"T0DG_%W9)6TP!ZC@'VM-N>SBV_2DUBP<DG/_\
M6;Q"^M.G?O6M?WWL3Q\:\@1\M* )`'D(Y)?W&#^SWA;SI\R\\I,?L0;6/Q^+
MM-JZXI$\24 @@@P4Z"(77KWFXZP!\T ,"( `UFNUQ'(*V#L9N&&FN9 *Y'M
M"(Q 3E,^;)D.<7"&3,"$4- V#NQ #_S #U2&;#BEV?$'?O"',"&_$XP'>/"'
M?H (A=B'JJ )]'.*F2N,"WB,#,B '*PU'B0/H[L(G@L0\NBYC.#!H@,,I8.W
M`,&Y"[@YU^L^EI$C?H )EPJ U1HO"=Q"+L0ZMH,X! LU,1S#OX.>&X0U-)R7
M6QN@+FQ#_S=,/@K$'S*<0SHD03-,PWDIL9#0.459PSUY0T!\PR\4L#"L0T.$
MD?FYP<Z+D@(8`>>RN>?"@P)PCQ `@2%!D@+X`!$8`0"AN4B<C#*S$DJ$K@\8
M`<\;B=";1-R"KBA<K$!\Q2T<Q-0JQ$.L17?I*XXH12VQ#Z CB5JC# _@CRGI
MN?4@K#SC,/L`1O[8CU[$`_ZX`.-"+)-X*EBLQ@>4Q53J!G/81F[L1F_\1G ,
M1W$<1W!,Q([0Q,HK#_"HM1 @D !!#PC0KEG3#,[ B'8<KO;#`'A4Q0K(@)&8
M/PHSP -DFFTH2(,\2(1,2(5<2(9L2(=\R&WHACB<2"HZ0SR\2!1;HTB-W$B.
/?!>+Q$B0G,:._*" ```[
`
end
- Next message: Govind Rathi: "Windows Authentication issue"
- Previous message: nu-k-ar: "Re: HELP PLEASE The request failed with HTTP status 401: Access Denied."
- In reply to: Larry Hastings: "Re: HELP PLEASE The request failed with HTTP status 401: Access Denied."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
