Content-Type: multipart/related; start=; boundary=----------lmJ707ve7Uig6mZfgrxNCG Content-Location: http://www.madboa.com/geek/pine-ssl/ Subject: =?utf-8?Q?Pine+OpenSSL=20HOWTO?= MIME-Version: 1.0 ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=default.htm Content-Type: text/html; name=default.htm Content-Id: Content-Location: http://www.madboa.com/geek/pine-ssl/ Content-Transfer-Encoding: 8bit Pine+OpenSSL HOWTO

Pine+OpenSSL HOWTO

Paul Heinlein

Initial publication: April 19, 2002
Most recent revision: November 6, 2006

This little how-to is about getting pine and, to a lesser extent, fetchmail to work cleanly with Secure Sockets Layer (SSL) certificates. There’s some OpenSSL trivia explored along the way, too.


Feel free to head right to the summary recipe and skip the whole explanation, called “long winded” by at least one reader.

If you’re looking for general SSL information, you may find my OpenSSL Command-Line HOWTO somewhat helpful.

Introduction

I think pine was given the ability to work with SSL-encryption when 4.20 was released—but don’t quote me on that. In any event, the feature has been around for a while, and I’ve used it pretty consistently to avoid sending passwords and such in clear text over the Internet.

Getting started

The basic setup is pretty simple. In your .pinerc file, you specify that you want to use SSL to communicate with your mail server. The ssl option can be used anywhere you’d ordinarily point to a remote server:

# SMTP over SSL on smtps port, 465/tcp
smtp-server=smtp.yourcompany.com/ssl

# IMAP over SSL on imaps port, 993/tcp
inbox-path={mail.yourcompany.com/ssl}inbox
incoming-folders="home-in" {your.isp.com/ssl}inbox
folder-collections=Work {mail.yourcompany.com/ssl}mail/[],
    Home {your.isp.com/ssl}mail/[]

In place of the ssl option, you can use tls if your remote SMTP or IMAP server is TLS-enabled. Actually, as Mark Crispin has noted, Pine will use TLS by default if the remote server advertises that capability. Using the tls option “causes an ‘Unable to negotiate TLS with this server’ error if the server does not advertise TLS. If you know that the server advertises TLS, this will protect you from a ‘man in the middle’ attack, since an attacker would either not offer TLS or would offer TLS with an invalid certificate for your server.

# SMTP using TLS on smtp port, 25/tcp
smtp-server=smtp.yourcompany.com/tls

# SMTP using TLS on submission port, 587/tcp
smtp-server=smtp.yourcompany.com:587/tls

# IMAP using TLS on imap port, 143/tcp
inbox-path={mail.yourcompany.com/tls}inbox

Finally, it’s worth noting that you can specify a username per connnection, just in case it’s different on the remote host than it is locally.

# SMTP using TLS on smtp port, 25/tcp
smtp-server=smtp.yourcompany.com/user=workacct/tls

# IMAP over SSL on imaps port, 993/tcp
inbox-path={mail.yourcompany.com/user=workacct/ssl}inbox
incoming-folders="home-in" {your.isp.com/user=homeacct/ssl}inbox
folder-collections=Work {mail.yourcompany.com/user=workacct/ssl}mail/[],
    Home {your.isp.com/user=homeacct/ssl}mail/[]

Validation problems

There was only one problem with this scheme: it didn’t work.

Oh, it probably worked for Mark Crispin and the other Pine gurus up at the University of Washington, but I would always get a failure message along the lines of

unable to get local issuer certificate: …

or

self signed certificate: …

which would soon fade to

Can't establish SSL session with…

and finally,

No folder opened

So pine would just sit there, with me unable to access my mail over an SSL link. It didn’t matter whether or not the server certificate was a legitimate one signed by Verisign or a home-brewed one cobbled together by amateurs like me. No dice, either way.

A dirty hack

Well, the UW folks didn’t leave me completely high and dry. They introduced a little hack to deal with rogue certificates. Using the novalidate-cert option, you could get around the validation problem:

inbox-path={mail.yourcompany.com/ssl/novalidate-cert}inbox

incoming-folders="home-in" {your.isp.com/ssl/novalidate-cert}inbox

And so forth.

It was a nice hack. At least I got encryption and didn’t have to worry about rogue sniffers catching wind of a plain-text password.

Still, it was a hack, because I couldn’t validate the server on the other end of my connection. One of the great features of SSL is that it provides authentication in addition to encryption. The remote server presents a signed certificate, and I’m supposed to be able to follow the signing chain back to an authority I trust. At that point, I can be reasonably certain that my connection hasn’t been hijacked by a DNS spoof or a man-in-the-middle attack.

So I lived in encryption-without-authentication land for a while, but the lack of authentication was always a sore point.

The breaking point

That soreness finally got to me when I had to add a fourth server to my .pinerc—and a fourth set of novalidate-cert options. Ugh.

I plunged into the murky waters of SSL server certificates, CA’s, and signing chains. Take a deep breath now, while you’ve got the chance. It’s a long dive from here…

Finding the files

The first step to discovering how to validate certs was ridding my .pinerc of all the novalidate-cert stuff. This was made a bit easier with the release of pine 4.41. In pine 4.33 and earlier releases, if pine couldn’t validate a remote server certificate, you were stuck. In pine 4.41, you were told why pine was having problems and given the option to proceed anyway. Neat.

A brief aside

The OpenSSL suite comes with one main binary file: openssl. It’s the main command-line entry into all the features of the OpenSSL libraries. On my Solaris box, it’s /usr/local/ssl/bin/openssl, on Red Hat, /usr/bin/openssl. I’ll just refer to it as openssl and assume you can find it in your $PATH.

When you compile the OpenSSL suite, you can pass an --openssldir option to the Configure script. It’ll default to the --prefix or, failing that, to /usr/local/ssl if you don’t specify one. On my Solaris box at home, this was /usr/local/ssl. On Red Hat boxes, it’s /usr/share.

Within that directory, there’s an ssl/ directory (e.g., /usr/local/ssl/ssl, /usr/share/ssl, etc.). That’s where the certificate action takes place. From here on out, I’ll refer to that directory as $SSLDIR; you can find it on your system by querying the openssl binary:

openssl version -d

Tracing the calls

I had set up my test .pinerc to poll three IMAP servers. One had a server certificate I knew to be valid and signed by Verisign. The other two had self-signed, home-brewed certs; one of them was on my local network (so I had easy access to it), the other was on a remote server.

So I fired up my novalidate-cert-less configuration, and it complained like I expected. I quit pine and launched it in a system-call-trap wrapper. On Solaris boxes, you use truss to do this. On Linux systems, it’s strace. In either case, you’re best off using the -o option to send the output to a file.

I ran truss -o /tmp/PINEDEBUG pine to capture the system calls. Then I grep-ed the PINEDEBUG file for 'cert,' figuring that was as good a place as any to start. I found that pine was looking for a few files in the OpenSSL directory:

$ grep cert /tmp/PINEDEBUG
open("/usr/local/ssl/ssl/cert.pem", O_RDONLY) Err#2 ENOENT
stat("/usr/local/ssl/ssl/certs/ac2316fe.0", 0xFFBEC378) Err#2 ENOENT
open("/usr/local/ssl/ssl/cert.pem", O_RDONLY) Err#2 ENOENT
stat("/usr/local/ssl/ssl/certs/f73e89fd.0", 0xFFBEBE58) Err#2 ENOENT
open("/usr/local/ssl/ssl/cert.pem", O_RDONLY) Err#2 ENOENT
stat("/usr/local/ssl/ssl/certs/13550b38.0", 0xFFBEBE58) Err#2 ENOENT

For each server that I tried to access, pine would first look for $SSLDIR/cert.pem and then it would look for $SSLDIR/certs/hhhhhhhh.n, where “hhhhhhhh” is an eight-character hex string and “n” is a single digit. At first, the “n” was always zero (0). In my case, the actual files for which pine was looking were ac2316fe.0, f73e89fd.0, and 13550b38.0.

Concerning cert.pem, I knew that a .pem file typically contained an ASCII representation of an SSL key or certificate, so I was pretty sure that I had found at least one of the files pine assumed would contain the information necessary for validating the remote certificates.

Concerning hhhhhhhh.n, I figured it must be something similar since it resided in the certs/ directory of $SSLDIR. (I love filenames that are at least semi-self-documenting!)

So the pattern seemed to be 1) look up cert.pem and 2) look up the hhhhhhhh.n file appropriate to that server.

Decoding the h’s

Trying to make sense of the hhhhhhhh string, my first thought was that it was a hex representation of the remote server’s IP address. Nope.

So I launched the openssl binary without any arguments, which puts you into an OpenSSL subshell. From there, I tried some other hypotheses:

  • that it was all or part of a digest of the remote server’s hostname; I tried all the digests available via the openssl binary: md2, md4, md5, mdc2, rmd160, sha, and sha1,

  • that it was all or part of a digest of the remote server’s certificate (remember, I had one of them locally on my home network); I tried the same digests I had tried on the hostname,

  • that there might be some switch using the rsa or dsa options that would produce an appropriate hash.

Arrgh. No luck.

Finally, I started to poke around the x509 subcommand within the OpenSSL shell. It was there I discovered the hash mechanism. Here’s the command-line way to get the hhhhhhhh value from a server cert that’s stored as /tmp/server.pem:

$ openssl x509 -in /tmp/server.pem -hash -noout
ac2316fe

Aha! My grep of the PINEDEBUG file had told me that pine was looking for $SSLDIR/certs/ac2316fe.0. That seemed to explain the h’s.

As for the “n” portion of hhhhhhhh.n, I figured that to be an iterator since it’s possible for multiple server certificates to generate identical hash values.

Success

Anyway, I copied that certificate to the machine on which I was running pine and installed it as $SSLDIR/certs/ac2316fe.0.

I fired up pine. Woohoo! I was given the login dialog right away, with not a single warning about the trustworthiness of the remote certificate.

It’s worth reiterating at this point that the local certificate on which I performed my openssl hashing experiments is self-signed.

Retrieving remote certificates

Now that I knew how to name and where to put certificates I could trust, the next task was learning how to retrieve the certificates of remote mail servers.

I figured the remote server had to present its certificate at some point in the authentication process, so there had to be a way to retrieve it that didn’t involve sending an e-mail to the remote sysadmin asking him or her to mail it to me.

Back to openssl.

At this point, I ought to say that my current method for retrieving remote certs lacks elegance. It works, but that’s about all you can say for it.

The openssl binary allows you to imitate an SSL client using its s_client subcommand. Here’s part of the output generated when I initiated a SSL client session with a RSA Security’s secure web server:

$ openssl s_client -connect www.rsasecurity.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8zCCAlygAwIBAgIDCGWaMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMTEw
MDUyMTE4NDlaFw0wMjEwMDUyMTE4NDlaMIGQMQswCQYDVQQGEwJVUzEWMBQGA1UE
CBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmVkZm9yZDEaMBgGA1UEChMRUlNB
IFNlY3VyaXR5IEluYy4xHTAbBgNVBAsTFEluZm9ybWF0aW9uIFNlcnZpY2VzMRww
GgYDVQQDExN3d3cucnNhc2VjdXJpdHkuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCyHCUiYjfMkYbL8N/3rjsUdbRt1u1Q8RcMvTs9HeyLr94br2R649mT
r85i9qkVQOyFQUn2cWBa0xdhO0GBFX5b3LflaxUvsDe8vgpXMJ7WFdx9NbXny9gy
Wvyqr0QdaNUqyGxjvm7YPz7q3nJvkUKCHA51PcYR1DDEtiuzTOSirwIDAQABoyUw
IzATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB
BAUAA4GBAHsKnZODBYsbRuY8d4P15AChmwcvHI4FuJBvSFMkVW+zFuA94SRbJsqC
9sy9sIV9//s0/ovwzVp1xkTgfmKE/KgIoaz2SM/qQtlM4EoE8k7fjnCL0kVYjS/R
+1la+VANo/4sBfvd3GMJ83aDWP8i1luw1qATkA2/10UAwpbgFR5l
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com

And there it was, in the midst of all the ASCII flotsam in my xterm’s history buffer, a .pem representation of the server certificate! (You might find it easier to use a cleaner scripted version of this procedure.)

I knew that the certs in which I was most interested were for IMAP over SSL, described in /etc/services as “imaps” and/or “s-imap” and assigned port 993.

So I used openssl s_client to retrieve the certificate, which I copied into a file I called mail.work.com.pem. Using openssl x509 -hash, I figured out the hhhhhhhh hash value (13550b38). Finally, I renamed and moved mail.work.com.pem to $SSLDIR/certs/13550b38.0.

Breaking the chain

Back to pine to test it out.

I wasn’t so lucky this time. The cert from mail.work.com wasn’t self-signed; rather, it was signed by VeriSign. You can divine this by running an openssl s_client session and peeking at the output.

By way of example, here’s part of what you’d see if you initiated an SSL session to the https port (443) on Red Hat’s web server:

$ openssl s_client -connect www.redhat.com:443
CONNECTED(00000003)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---

What all this means is that Red Hat has had its server certificate issued and signed by RSA Data Security, Inc. RSA, on the other hand, has signed its own certificate—so that’s where the buck stops.

The obscure part was getting a copy of the original RSA self-signed certificate, along with the Certificate Authority (CA) certs from companies like VeriSign, Thawte, American Express, et al.

I poked around the web sites of these fine companies, but nowhere do they tell you how to obtain copies of their CA certificates.

I ended finding a nice bundle of them on a Red Hat 7.2 system in a file named /usr/share/ssl/certs/ca-bundle.crt (another self-documenting filename!) that’s included in the openssl RPM. It’s a plain text file, and the Red Hat package maintainer says that it was lifted from the Apache mod_ssl source tree; the mod_ssl maintainer in turn says that he lifted it from a Netscape Communicator certificate database.

The mod_ssl source tree still contains ca-bundle.crt, so if you need a copy, just head over to the mod_ssl home page and grab the latest distribution tarball.

More success

I noticed that Red Hat had a symlink /usr/share/ssl/cert.pem that pointed to ca-bundle.crt. Hmm. I copied the file to my Solaris test box and made a similar symlink.

That did the trick. pine opened cert.pem and found within it the VeriSign CA cert it needed to validate the VeriSign-signed cert offered up by mail.work.com.

All was now well in pine land. It authenticates remote servers now in addition to encrypting the traffic.

Certificates in PC-Pine

Adding certificates for use with PC-Pine is in many ways much easier than it is on Unix hosts.

Assuming you’ve retrieved the certificate in question (a task I’ve never done on a Windows host, so I’m a bit out of my element on that point), you can make it available to pine.exe via the Internet Options applet in the Control Panel. The directions below apply to Windows 2000™ and may need to be modified for other versions of Windows™.

  1. Launch the Control Panel and double-click the Internet Options icon.

    Alternatively, you can choose Internet Options from the Tools menu in Microsoft Internet Explorer.

  2. Select the Content tab and press the Certificates button.

  3. Press the Import button to launch the Certificate Import Wizard. Press the Next button.

    1. Specify the file to import and press the Next button.

    2. Choose the “Automatically select the certificate store” option and press the Next button.

    3. Press Finish.

pine should now be able to validate the remote certificate.

Only root need apply

On my Unix systems, I had no trouble storing the certificates I wanted to trust because I (as root) had write access to $SSLDIR.

Many pine users, however, don’t have that luxury. Sure, they could build an entire OpenSSL/pine infrastructure in their home directories, but that’s a hassle (and may push them over their disk-space quotas). The only recourse they have is to ask the local sysadmin to install the certs—and who knows whether the admin has either the time or inclination to do so.

It’d be really nice if the pine developers would allow a user to specify in his/her .pinerc one or more directories that contain trusted certificates. Then, at least, normal users would be able to authenticate remote servers with little or no hand-holding.

Summary recipe

Here’s the whole solution in five easy-to-follow steps:

  1. Make sure your $HOME/.pinerc is set up to handle SSL or TLS sessions.

  2. Find out where in the local filesystem pine and the OpenSSL libraries expect to find certificates.

  3. Use openssl s_client -connect to retrieve the remote certificate.

  4. Use openssl x509 -hash to generate the filename or symlink for the remote certificate. Place the renamed file or symlink in your local certificates directory.

  5. Make sure you’ve got certificates of the major trusted certificate authorities in your OpenSSL directory.

A side lesson in fetchmail

I have yet another mail account, but this one gets very little traffic. I thought that rather than adding the server to my ever-growing .pinerc file, I’d just use fetchmail to download mail from that account to my home machine.

The server in question supports IMAP over SSL, so I wondered: Could I take advantage of SSL with fetchmail?

Well, of course. Eric Raymond thinks of everything. :-)

Actually, fetchmail is very complete in this regard. Unlike pine, fetchmail lets specify a path to the CA and server certificates you trust. That’s a great boon for users who don’t have administrative rights on their machines.

In my case, however, I decided that I needed to do nothing more than check the fingerprint of the cert offered by the remote host. So I retrieved the remote cert using the openssl s_client method mentioned above. Then I obtained its fingerprint:

$ openssl x509 -in server.pem -noout -fingerprint
MD5 Fingerprint=00:9F:8A:E8:A4:9A:9F:E0:56:35:DD:87:27:9E:90:37

The resulting entry in my .fetchmailrc uses the sslfingerprint option with the value returned from the openssl fingerprint operation:

poll yet.another.mailhost.com proto pop3
    user "remote-me" with password "wackypasswd" is "local-me" here,
    ssl,
    sslfingerprint "00:9F:8A:E8:A4:9A:9F:E0:56:35:DD:87:27:9E:90:37"

Voila!

Comments welcome

Comments and suggestions about this document are appreciated and can be addressed to the author at .

This article is licensed under a Creative Commons License.

------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=leftfade.gif Content-Type: image/gif; name=leftfade.gif Content-Location: http://www.madboa.com/images/leftfade.gif Content-Transfer-Encoding: Base64 R0lGODlhZAAFAMYAAAAAAAICAgQEBAcHBwkJCQwMDA4ODhERERMTExYWFhgYGBsb Gx0dHSAgICIiIiUlJScnJyoqKiwsLC8vLzExMTMzMzY2Njg4ODs7Oz09PUBAQEJC QkVFRUdHR0pKSkxMTE9PT1FRUVRUVFZWVllZWVtbW15eXmBgYGJiYmVlZWdnZ2pq amxsbG9vb3FxcXR0dHZ2dnl5eXt7e35+foCAgIODg4WFhYiIiIqKio2NjY+Pj5KS kpSUlJaWlpmZmZubm56enqCgoKOjo6WlpaioqKqqqq2tra+vr7KysrS0tLe3t7m5 uby8vL6+vsHBwcPDw8XFxcjIyMrKys3Nzc/Pz9LS0tTU1NfX19nZ2dzc3N7e3uHh 4ePj4+bm5ujo6Ovr6+3t7fDw8PLy8vX19fX19fX19fX19fX19fX19fX19fX19fX1 9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX1 9fX19fX19fX19fX19SH+FUNyZWF0ZWQgd2l0aCBUaGUgR0lNUAAsAAAAAGQABQAA B/6AAAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSor LC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpb XF1eX2BhYoKEhoiKjI6QkpSWmJqcnqCipKaoqqyusLK0trh08fIFTBgxY8iUMXMG TRo1a9i0cfMGThw5c4UOJVrU6FGkSZUuZdrU6VOoUaVOpVrV6lWsWbVu5drV61ew YcWOJVvW7Fm0adWuZdvW7Vu4ceUGZUzHkd3HdyLllayHEt/KfS79xQxIk+DNgzoV 9mwIFOLQiUYtJj2nUV3HdiEg4Y2cZ9Jeynws+b38J1NgzYI4Ee5c6NNh0IhEKR4l FwgAOw== ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=madboa.css Content-Type: text/css; name=madboa.css Content-Location: http://www.madboa.com/css/madboa.css Content-Transfer-Encoding: 8bit /* * CSS Stylesheet for madboa.com */ /* body */ body { background: url("/images/leftfade.gif") repeat-y; background-color: #f5f5f5; color: black; margin: 0; width: 700px; } /* main div's */ div.article, div.bibliography, div.chordpro { font-family: utopia, optima, "dejavu serif", "bitstream charter", serif; font-size: 11pt; margin: 0 0 0 110px; padding: 0; width: 590px; } div.bottommenu { background-color: white; border-bottom: 1px solid #b22222; border-top: 1px solid #b22222; margin: 5px 0px 5px 110px; width: 590px; } div.footer, div.license { font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 8pt; margin: 5px 0px 5px 110px; width: 590px; } div.footer { padding-top: 5px; } div.license { text-align: center; } div.menu { color: #b22222; font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 8pt; font-weight: bold; float: left; margin: 0; padding: 0; width: 100px; } div.pageheader { background-color: black; clear: both; color: white; } div.topspace { height: 60px; width: 700px; } /* tag-specific styles */ a { text-decoration: none; } a:link, a:visited { color: #000080; } a:hover { color: #b22222; } div.fivepix { height: 5px; margin: 0; padding: 0; } div.informaltable th { border-bottom: 1px solid #b22222; padding-right: 15px; } div.informaltable td { padding-right: 15px; } div.note { font-size: 10pt; } div.toc { font-size: 10pt; } h1, h2, h3, h4 { color: #b22222; font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; } h1.title { font-size: 16pt; } h2.title { font-size: 14pt; } h3.title { font-size: 12pt; } hr.pageinfo { border: 0; color: black; background-color: black; height: 1px; } img { border: 0; } p.arttitle { font-size: 10pt; margin-bottom: 0; margin-top: 10px; } p.updated { font-size: 10pt; } pre, tt, code { font-family: monaco, "dejavu sans mono", "luxi mono", monospace; font-size: 10pt; } pre.programlisting { border-top: 1px solid #666666; border-right: 2px solid #666666; border-bottom: 2px solid #666666; border-left: 1px solid #666666; background-color: #fddfdf; padding: 5px; } span.smallcaps { font-variant: small-caps; } span.symbol { font-family: monospace; } /* general styles */ .rightward { text-align: right; } .centered { text-align: center; } .w3cimg { width: 88px; height: 31px; } /* cascades */ div.artabstract p { font-size: 10pt; margin-bottom: 0; margin-top: 0; } p.arttitle a { font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-weight: bold; } div.article pre { font-size: 10pt; } div.article div.toc { border-bottom: 1px solid black; font-size: 10pt; } div.article div.titlepage { font-size: 10pt; } div.author .authorname { font-weight: bold; } div.bottommenu p { font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 8pt; margin: 2px; text-align: center; text-transform: lowercase; } div.menu a { color: white; display: block; margin-left: 5px; } div.menu a:hover { background-color: #b22222; color: white; } div.menu a:visited { color: white; } div.pageheader .moniker { font-family: "times new roman", times, serif; font-size: 20pt; letter-spacing: 1ex; margin: 10px 0px 0px 10px; text-transform: lowercase; } div.titlepage .releaseinfo, div.titlepage .copyright, div.titlepage .pubdate, div.titlepage .author, div.titlepage .revision { margin-top: 0; margin-bottom: 0; } table.simplelist tr, table.simplelist td { margin-top: 0; margin-bottom: 0; } /* just for bibliographies */ div.biblioentry { border-top: 1px dotted black; } div.biblioentry div.abstract { border-top: 1px dotted black; } div.biblioentry div.reviewdate { margin-left: 1cm; font-size: 10pt; font-style: italic; } div.biblioentry span.subtitle { font-style: italic; } p.booklist { margin-top: 0; margin-bottom: 6pt; } /* just for chordpro */ div.chordpro td.chords { color: #b22222; font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 9pt; text-align: left; } div.chordpro .lyrics { color: black; text-align: left; } div.chordpro p.lyrics { margin-bottom: 0; margin-top: 0; } div.chordpro p.comment, div.chordpro p.spacer { font-size: 10pt; font-style: italic; margin-bottom: 0; margin-top: 0; } div.chordpro div.chorus { margin-left: 1cm; } div.chordpro div.chorus .lyrics { font-style: italic; } td.t1, td.t2 { padding-right: 25px; } /* vim: set filetype=css : */ /* eof */ ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=print.css Content-Type: text/css; name=print.css Content-Location: http://www.madboa.com/css/print.css Content-Transfer-Encoding: 8bit /* * CSS print-friendly stylesheet for madboa.com */ /* body */ body { background-color: white; color: black; padding: 0; } /* main div's */ div.article, div.bibliography, div.chordpro { font-family: utopia, optima, "dejavu serif", "bitstream charter", serif; font-size: 11pt; } div.bottommenu, div.footer, div.menu, div.pageheader, div.topspace { display: none; } div.license { font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 8pt; text-align: center; } /* tag-specific styles */ a { text-decoration: none; } a:link, a:visited, a:hover { color: black; } div.fivepix { height: 5px; margin: 0; padding: 0; } div.informaltable th { border-bottom: 1px solid black; padding-right: 15px; } div.informaltable td { padding-right: 15px; } div.toc { font-size: 10pt; } h1, h2, h3, h4 { font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; } h1.title { font-size: 16pt; } h2.title { font-size: 14pt; } h3.title { font-size: 12pt; } h3.author { font-size: 100%; color: black; } hr.pageinfo { border: 0; color: black; background-color: black; height: 1px; } img { border: 0; } p.arttitle { margin-bottom: 0; margin-top: 10px; } p.updated { font-size: 10pt; } pre, tt, code { font-family: monaco, "dejavu sans mono", "luxi mono", monospace; } pre.programlisting { border-top: 1px solid black; border-right: 2px solid black; border-bottom: 2px solid black; border-left: 1px solid black; background-color: white; padding: 5px; } span.symbol { font-family: monospace; } /* general styles */ .rightward { text-align: right; } .w3cimg { width: 88px; height: 31px; } /* cascades */ div.artabstract p { font-size: 10pt; margin-bottom: 0; margin-top: 0; } div.article pre { font-size: 10pt; } div.article div.toc { border-bottom: 1px solid black; font-size: 10pt; } div.article div.titlepage { font-size: 10pt; } div.pageheader .moniker { font-family: "times new roman", times, serif; font-size: 20pt; letter-spacing: 1ex; margin: 10px 0px 0px 10px; text-transform: lowercase; } div.titlepage .releaseinfo, div.titlepage .copyright, div.titlepage .pubdate, div.titlepage .author { margin-top: 0; margin-bottom: 0; } table.simplelist tr, table.simplelist td { margin-top: 0; margin-bottom: 0; } /* just for bibliographies */ div.biblioentry div.abstract { border-top: 1px solid black; } div.biblioentry div.reviewdate { margin-left: 1cm; font-size: 10pt; font-style: italic; } div.biblioentry span.subtitle { font-style: italic; } p.booklist { margin-top: 0; margin-bottom: 6pt; } /* just for chordpro */ div.chordpro td.chords { color: black; font-family: verdana, arial, helvetica, "dejavu sans", sans-serif; font-size: 10pt; text-align: left; } div.chordpro .lyrics { color: black; font-size: 12pt; text-align: left; } div.chordpro p.lyrics { margin-bottom: 0; margin-top: 0; } div.chordpro p.comment, div.chordpro p.spacer { font-size: 10pt; font-style: italic; margin-bottom: 0; margin-top: 0; } div.chordpro div.chorus { margin-left: 1cm; } div.chordpro div.chorus .lyrics { font-style: italic; } td.t1, td.t2 { padding-right: 25px; } /* vim: set filetype=css : */ /* eof */ ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=favicon.ico Content-Type: image/x-icon; name=favicon.ico Content-Location: http://www.madboa.com/favicon.ico Content-Transfer-Encoding: Base64 AAABAAEAEBAQAAAAAAAoAQAAFgAAACgAAAAQAAAAIAAAAAEABAAAAAAAwAAAAAAA AAAAAAAAEAAAAAAAAAAAAAAAAACAAACAAAAAgIAAgAAAAIAAgACAgAAAwMDAAICA gAAAAP8AAP8AAAD//wD/AAAA/wD/AP//AAD///8AAAeDh3g4AAAAM7sAALuIAAi7 s//wu7uAAIu4//ewuAAAizD3/wBwAAAAD/f/AIAAAAcP9/8AcAAABwf/9wAAAAAA APf/BwAAAABwd3AAAAAAAAC7sHAAAAAAAAsAAAAAAAAAcHAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAADgD///wAP//4AB///AA///wAf//+AH///gB///4A////AP ///wH///+B////g////4P///+D////x///////// ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=madboa.js Content-Type: application/x-javascript; name=madboa.js Content-Location: http://www.madboa.com/js/madboa.js Content-Transfer-Encoding: Base64 LyogbWFkYm9hLmpzIC0tIGNvbW1vbiBqYXZhc2NyaXB0IGZ1bmN0aW9ucyBmb3Ig bWFkYm9hLmNvbSAqLwoKZnVuY3Rpb24gc2V0U3R5bGVzaGVldCh0aXRsZSkgewog IHZhciBpLCBhOwogIGZvciAoaSA9IDA7IChhID0gZG9jdW1lbnQuZ2V0RWxlbWVu dHNCeVRhZ05hbWUoImxpbmsiKVtpXSk7IGkrKykgewogICAgaWYgKGEuZ2V0QXR0 cmlidXRlKCJyZWwiKS5pbmRleE9mKCJzdHlsZXNoZWV0IikgIT0gLTEpICB7CiAg ICAgICBhLmRpc2FibGVkID0gKGEuZ2V0QXR0cmlidXRlKCJ0aXRsZSIpID09IHRp dGxlKSA/IGZhbHNlIDogdHJ1ZTsKICAgICB9CiAgIH0KfQoKLyogZW9mICovCg== ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=cc-by-nc-sa.png Content-Type: image/png; name=cc-by-nc-sa.png Content-Location: http://www.madboa.com/images/cc-by-nc-sa.png Content-Transfer-Encoding: Base64 iVBORw0KGgoAAAANSUhEUgAAAFgAAAAfCAYAAABjyArgAAAACXBIWXMAAAsTAAAL EwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj33 3vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEs DIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIe EeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH /w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAn f+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJ V2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4 mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHg g/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl 7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/A V/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5 WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQ WHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAA RKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv 1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4 IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGy UT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPE bDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhM WE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPE NyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD 5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2h tlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0 dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHK CpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2ep O6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN 2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIp G6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3n U9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36 p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYP jGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLn m+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cR p7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0H DYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dn F2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofc n8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh 7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJ gUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5p DoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85 ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7 F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/R NtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9 MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo 1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5 sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWF fevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTP ZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJ zs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ +7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3v dy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtb Ylu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ7 52PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7 nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9 zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9D BY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfy l5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT 0Kf7kxmTk/8EA5jz/GMzLdsAAAAEZ0FNQQAAsY58+1GTAAAAIGNIUk0AAHolAACA gwAA+f8AAIDpAAB1MAAA6mAAADqYAAAXb5JfxUYAAApvSURBVHja7FptbFPXGX7u tYlGJzz/2yYHYYQ2xZFWHAq0dLSx161TS9NcLylfocNmWtuVdUlKCNvIl4FAY0Id 91Ob1sRrV7VaqTBfaxc6fEPQ4sRJbEaL82OVjZKoVJvm4KCpxB/vflzfE9/EThxo 1Y72lY7v8T3nPPfc57znPe95z+WISMNx3FV8JZ+6EBHHASAAON19CjzPg+d5qFQq 8LwKKp4Hr0pfeR4cx4PnOHAcB3CcjAICgVKEFKWQSkkpmUxK11QSyWQKqVSSlaUo xeoTkdwZlr8V5JHyjQAADgDJ5KpUKinxqum8SiWV8ao0yRw4js/kN01OmtiURGYy mU6Z+aSS5FQqxYjNJPpWIlkNQEmuSg214iqlk8dPwev1YmBgAJOxSQXQEs0SrF27 FuYfmFH28ENIplTg+YQ0IEkeHLj0WGZMnxRJMwHpOcRJ5A77A/C87UEoFFLUNxgM ECoErFpTktfLfVFwOAD017PvQq1WM1LVarWUVGr0iOfgeMaB8fHxvDqk0+lQ/5t6 lJbei0QyiWQygUQinZIJJBJJpuGZmvzR+Ed4vuMFjIRGAAAmkwlGoxEAEAwGIYoi AKDIUISd1TvxrW9/M+vzr3z0MV50vfiFwHmkfKNE8Hs9Z6BWqaeJVS/CIrUazY0t 8BzzsAZarRaCIECv16O0tBQA0NPTg0gkAo/Hg4mJCVZXsAioq9+FxbctRiKRQDyR QCIRRyKRUJoMSuFq9Cp++cRTiMViEAQBTqcTer1e0dlIJILa2lp4PB5oNBq0Olpn vdS12DVU76z5wuDIdpjO9p6l3r5z1Ofvo8Ggny68HyTBIlB68pJWq6WWlhaKRqM0 l3R1dZFWq2XtigxFdL6vlwaDg+Qb7KPevnPk7T1LZ8Ruevdv79Dp7lN04p3jZDAY CABZrVYFnowz8xky9lvH/6xIRYairDgup5O2btp8Uzijo6Pk6+sjX18fjY6O5oUD gHgAUKVtsFqlglql1Fyj0YhAIIDm5mZotdo5zYPVakU4HGZTaSQ0gnbHEYUt55lH Inkjfp8foVAIgiCgfvfueU2Q1WqFIAgYCY1g2B9Q2MqR0AhWlZTg7rvWsfvPdXTg GYcDJ0+fxp663RgbG8sLJ7M/f3r1VZjW34OqzVtQtXkLTOvvwZnu7jlxFOtNr6+X fIM+Gr4wRK7nXUxzjEbjvFqbTaLRKBmNRobjesFFw/8Ypv4hH5339ZL3vKTF77z3 FzIUS9obDofzxg+HwwSADAYD0xZ5FhR957u0YpmeSr+/np74+WMEgFpaWujQwUME gI6+9VZeOHJ/fH19Et6d6+hn221Uv6uOVizT04plenI5nTlxsmiwpMWOZxzM3nZ1 dc2rtdlEq9XC6/Wyto5DjrQvndZgLu1T8zxCl0IwmUyzbJzNZmNabrPZFGV6vR4m k0mxsodCEk5ZWRke2bgRY2NjONPdjRXL9Pjv5DVse3QbLn3wASoqK/PC0ev1iMVi CAUuAgDKhZ/gD+5OtLUfxt6mRgCAu7MrJ44svOym8bzkisneQk1NDZvqNyJarRZO pxMAMD4+jpMnTrENi0Qyx9y0bM9xu91Z87Jka2M0GuE40o5Djja8/uYbqKisxIeX I3AcacfSpUvh7uxC6NKlvHBkaX1WUrjf//EVdu9H998PAIjFYvj4ypWcOIxgWZu8 Xi8jp7q6mlUSRREWiwVmsxlmsxl2uz1nWUdHh8JeylrsPevN0F4OHD9N8Gchd951 F9raD2N0dBT1u+pQ8r3b8fbRoyh7cAOqNm9hNnQu0Wg0cLlcuE2zBC+//HLWOp98 cn1ODGmjwXHgOQ4DAwOSiyUIjBhRFGE2mxWNRFGEKIqorq6GxWKZVXbhwgV0dXUx LLfbjYGBAWkHmCZWIpdjfmW2xUzWXKvVOqs8W5uZ92KxGM50d6Ot/TCsl2woe3AD AKDf50O/z4fCwkJwi9Rz4ixSq1FfV4fbFi9m9/p9PpZfpl+Wsz8ZGiy9sLxDW7ly JatQW1vL7Ew4HIbX64Ver8f27duZJhuNRoTDYRw7dkzhIwNg+cnYpPQccBlXoLi4 GKIoIhKJKDomD9DMvOyDiqIIg8Gg2FnNxPnFY4+jdd9+rLp9Jao2b8GHlyOoqKxE W/thVG3blhfO2NgYWpqasXXTZrTu24/WffvR1NAAANi9Z0/O/igIBgfFdM20J/LI WK1WZszD4TCsVisrkzcfgiCwssyFhG0bOfYz7YxvqlQMZD4i1xUqhOmNTTqfidPW fhi2HTtw5d//wj/DYbicTuxtakRFZSXsB/ajZM3qeXFsO3bAtmOHNNCdnejq7MT1 T65jQ9lD2FK1NWd/FCbi85R169fBUGyAx+OBzWabpa3ZyPV4PCgyFCniAKvWlKDI UKTAKSwsxN6mRnxt8WIMDw3hVzU1N4Szt6kRP37gAVy+LGl1cXExDMXFc+IoNZiU UaxMeyJrs9vtxsTEBILBIJYvXw673c7K5G1yZlnmdJ6Oj7IfRScaWxqh0Wjgdrth sVhYm8woWyQSgcViQUdHBzQaDXZW75z1Mnt+W58VZ9fuOrz+5hs3hbN6zWpUVFai orIShuLivHBYsMc/PICCggKsv/seTMYmYbVamSZ5PJ5ZC5lsMsrLy3OWye1ra2vR 0dGBJZolOP/3XkxNTWEqPoV4Io54PCEFg5IJRP8zgYP2g8yXNBqNMBqN0Gq1EEWR Dfp8QZprsWtoO+hgQZrPE4cFe/qH+lFQUAB7kx2eYx5otVpEo1GFZ+ByuVgwx2Qy obm5mQ2Ay+VidTPLAGD58uWIRCK474f34YizHdenphCfQbAcN04lU/D3+3Hs6K0R rmQE+wb7sGhRAc6fO4/qpyT/1+l0oibDZt2IuN1utgs7cPAAHtzwAKbiU5iKx5GI xxFPzCA4SwD+/z3gzgNgRzomcyl0Oh0AwG63z3KdFiITExNsddXpdOlAfPoUI5VC Km2LKX3kdKsKDwApSiGZlM7R9rfuYwRZLBZFjHch5JrNZta2/tf16QB7cprkjCMj tsjSrXVkxBZ3ANTQ3ED+4QEKXgzQoz99VBFRCwQCC4p0ZUbSBItAwYsB8g8P0L7W fez+lyhN/6l5upoGA34K3kDAPRqNUktLiyLgvmbtGrrwfpAGg35qaG74MpJL3Eyn tLG5AeUWAWq1GkccR/Daq6/d8JGRfX8LEokE+vsH8OTjT+bzHUHGro9j9zJ3mTP/ 58LJ1UZ+Rr6Bplx9WhDGzNTY3CBp8sUAdbpfIZ1Ol/eI6XQ6cj3vouDFAA0G/fTS 717Ku+3MY6KZ+cx78+HM1z4frGx1FooxS4NlqXm6GlXbqthRj+jtwYnjJ+Y8tn9Y eBgmUyk70Dx+/AQO2A8s5EuYWdqyEM2dWTfXdYFf52TV3lz9zLqTy1W46o4SNDY3 oXCpLuM0IjPcCIXfKn94Mj42hmfbnTjXc27BL3MzpmE+kzAX/kIHLV+MOQmW5d7S e7GhbAPuWH0HvqHRpD+dmjYwRISrsRiGBodw+uTpBRP7WWnwzdrg+daET43gr+Qm NhpE9PWvaPiMNhhE3P8GAG3CFDKJWtqSAAAAAElFTkSuQmCC ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=valid-xhtml10.png Content-Type: image/png; name=valid-xhtml10.png Content-Location: http://www.madboa.com/images/valid-xhtml10.png Content-Transfer-Encoding: Base64 iVBORw0KGgoAAAANSUhEUgAAAFgAAAAfCAMAAAEjEcpEAAACiFBMVEUAAADe5+fO ezmtra3ejEKlhELvvWO9WlrehELOe3vepaWclHvetVLGc3PerVKcCAj3vVqUjHOU e1JjlL0xOUpjjL2UAAC91ueMrc7vrVKlvdbW3u+EpcbO3ufO1ucYWpSMKQi9SiF7 e3taWkoQEAiMczkQSoxaUkpzc3O1lEoICACEazEhGAgIAACEYzFra2utjELWcznG nEr/7+9jY2POazHOYzGta2NShLVrlL05OUqctdacCADGa2ucAADGpVqUtc61ORg5 OTmlUikYGAiUezl7YzEYEAiUczkxMTG9nEqtIRDe3t4AMXu9lEoQCACMazEAKXsp KSmljFrW1ta1jELOzs7n7/fGxsa9pVqEOSkpY5xznL29tZxahLXOpVr/99ZrY1L/ 79ZjUiljSikAOYTvxmMAMYScezmchFqUczGtlFp7c2utjFqUlJStxt73///39/9C e61CSkq9xsZznMbW5+9Cc62MjIxCQkrv9/fv7/fOzsbnlErWjIz/3mtCORhza1Ip IRBzWjH/1mtCMRhzY1L/zmvnvVpSQiHOpVJrUinntVr3zmOEc1L3xmNaWlq1nFo5 QkrGWim1lFoISpRSUlK1zt4hWpwASoz///////8xa6WUaykAQoxKe61KSkp7nMbW tWPe5+9jWlL39/f39/fWrWNCQkLera3nvWPv7+85MRjntWPetVp7c1IxKRCUlHtK ORh7a1IxIRCUjHtaSiHWrVIpIQhzWinvvVpaQiH/1mPWpVKMe1L/zmP/xmNrUiGE rc4YGBj/73PG1ucQWpT/53O9nFoQUpS1SiEQEBC9zt69vb05c6UISoxSUko5a6UI CAhSSkohUpS1tbXetWMAQoSUgD+kAAAA2HRSTlP/////////iP9sSf//dP////// //////////////////////////////////////////8M////////////ef////// //////////////////////////////////////////////////////////////// //////////////9d////////////////////////////////////AP////////// ////CP//RP////////////////////////////////////////////////////// //////9xPp1gAAAFvUlEQVR42pVWi18URRwfy7vsYUbaiqBRBFmICUQGVKcZckQe aRJQUCLeycMSfKGH0uo5NELpIvGQGzokvTTA85VHKTpbRoeJnPno/p1+M7t3txj2 0e/Nzu7Ofve7v/k9Zg4Vc+wRQMW0eyLx1ZSANeBDxVmxZZSwEUYkGAewm1eIBOMR vhv1UA+q8KXIVuxGdCelFYwxAnxOrxgbY8Ti1t4VA0QHYz4x3FnVC8OVLXv9fkKG SWDoW/4lG6VbdtBblesOs+MjmEmzJKNIJWFEfEQTCWNPFKvcKEymjLO1b8bwYQd1 hCiiDCl5KsrDCIlhj4fSuvcpfSpgJmyv6dzeZv+nMPx3dhbt94II07/JZliEtm1N 2RIYPkTYshwYm245a/zkWjJwcyFh6ZIcYxxmqiaDSYxhOhFUsqngi3Fzcj3ljdYD NE9uzA1YD/5MhnzW1KRqF7mYG8jFYXLcfLpjOe2LA0fuGqQrQHl10sdK0sFcFSOS lzF0BgXQH9h3QZDBI0ccNEhftjXuippBDD2/eMRiETmwwNEYHyqhdDyo22w+3QHu Nbdve5a7eOkHmDVJ0ixNmfbz1h0qo/Q6GuSB2wQJQbpOjOQAl7woWSRJ0m2ewhvA OUiYYtZtaZL0CZZmtmVOQttLfr/dbveLZodrfrL7W75wG/JjqkQxoNTtNsTKELQp QL6/D5loaSmyTT8TUhsmi8iFA0hZiyltf7OiNKdarRm5w2So2lTNdPLuIzR+AiLj 8VTRJaj0LmX4VhJ27f/VJV/yycilWPOrk8NkXi7Qqmj5bHqVZlJKZIRk1wFzKrt0 WUbnXMPJ1fk4TJ5oWBA61p1V76DeIs0MX+s3GxRlA1vtw83KhgNphc1nyErLO5zc vbOsrq+scbZnpzc6QVFPenLwGxmC+BOfYI+DN55QYddh4Q/NE/yGYYj4TOGNngQa vAZnzzTovEA+kcMJ+247uYexNA+4Fsvjmuv662jsWxPZx2xg890bYMYnTgya7bjm CiEY0qgJ0vMF3c+NoFdPyzxz6V3Uxs3AOWCDchRvOsQtBrbFsrT2fhHEc7ByGzu/ dA4IO0A3HdfeP9yMqAwP6NPEb6cbwn0PWVU17/FDBQh/CPIrbfcg027IZrsAT/Bf 3FNWyn9RSR4cvvwn3e4HFmYPDl/thYcRVi8qPEoXVUWBl6FTBFTtnqmKKg5wnlF4 wZ1yeLv7TiwXKektE+iDBNicWEyLpnFhfDkpJc3q2khSPyQBbE0dMJnOoDzTwGsI 7cdyMkL5gWqUjCF6Txst/twxCv1WzzHoy21ZDQ1xnuDzdPDWR4knr14v0tYn3Ixa MFFdiMOlEOJHw1jOQ4sWt5rQopRkXZhMEi7pmeDCVWBlfUKwhMZ7rsF6elKsvbwi KxgxIdewa3ErsaYomCVZFYJb0GUu3JqGUNoplBxYiYby8vLBFWef+Cri4/I1sbQ/ 1OtYTrNtdXS+rSe7kQ52eSObL99/iErCWUjCy5W4JLygmCouGfG9x9fmx17XhBuD CaOerbt538erta7TFktLvdHghZcCbcPQO33zIJG9kxF5hoVXnzTzRz0r5js8oTj6 uyPkGRf346HOLcasgFexueNUWFPtuFKzjoSFYYedhwVlhsRVYWWJpltv1XPQT1Rl 0bjZIBlb1XujVDzY/Kj4k6Ku3+Z0jo1owjVzDpFTXe1juvBSWNFmNWGZy8LvzUl5 PN4JCwyNDzbQ0aAj4Zrjz0FatGJJYhvq4j7mGSpvytGFlZtHf2C4o/28Zu8z7wo7 eYPfXysnF0i9NnPh1t1zR7VBb9GqaOXhtTmHQdgMFXE+Z608cnpODdZdjL+TuDY4 4Q38kJXHhccWLoOd9uv1AwwvO+48uu+faCSJPJ1bmy6ThyvpivBmYWgjxPDPAp7J TemY/yGKFEiRt/jG/2P79s8KCwoLCgoLC/khUBA5F0SfQZ+RYfpNE/4Xosmq7jsZ AJsAAAAASUVORK5CYII= ------------lmJ707ve7Uig6mZfgrxNCG Content-Disposition: inline; filename=vcss.png Content-Type: image/png; name=vcss.png Content-Location: http://www.madboa.com/images/vcss.png Content-Transfer-Encoding: Base64 iVBORw0KGgoAAAANSUhEUgAAAFgAAAAfCAMAAABUFvrSAAABKVBMVEUAAAAjIx8M R51ZVUqAdlmdnZ3ejEWLDAuNjY1kiMG0n2d9fX19Ghfrp1FtbW3y39+3Ph6lIRNd XV2qJBFcVUhcVUhPT0/dsmpUfLr57+/u7u4/PDWZAACZAADOp1GdGxG+SyTgvnNd SySzk16+mkuxw+BOS0BOS0DOzs7MzMy4T09RRDwsJBG+vr73wV6fkG6eCQRFcLSu rq6/X1+ht9nXfz5sepHuwV59ZTHetFjQ2+wMCQQ2ZK5tWCsmWajsz8+Sq9NMPh4h VaY8MRj///////////////////////9MTEyOp9Lu8vhXU1A8PDyjOSTBz+YLRJ2r Ly8sLCwXTaKujEUcHByDn82dfz7/zGafDw+fDw+zRSlzlMcMDAyNcji1tbXf5vIc FgvATJOjAAAAY3RSTlP/8/////////////////8A//////P/////ov//8/////// ///////z///T//////////+i//////////////8w/////6IA/xAgMP////////// 8/////////8w0/////////+zehebAAACkUlEQVR42u2VfVPTQBDG19VqC6LY+lKr RIxFQaFSBPuSvhBPF8SIUZK2J5Yav/+HcO8uZdLqTCsU/nKnyWwvk1/unnt2D9Zm H+8/cMAaTRFy+ng69/yiwC/+gy8R3McGv5zHvGJEGAdR4eBgi1IbZwevIEZE24pF tBtzG1Q4AoD5zvw5pEDcJvIQV/TE3/l+H9GnNJwcdABS5wAbFQLMqI98/UReoAaO TlaJsp0zaHx7LwZvY0BUR2xpWTzqam0gzY8KGzG4MhBCNGucha4QbpETy+Yk/BP8 5nt734AjpQLTsE4ZFpf/dnkUCglXVNYB+OfUZJHvAqAoa45OeuPgm4+Xjtv7xm4N 7PMV4C61+Mrz3H2WImm3ATiWrAiwZRWcUA5Ej4dgIEMxDv6yxHHcNuAutnjv2HZ1 NeuycoVPh0mwC834zZC9Ao5dkZZKwLVGwT+WdLw0YOZ1saEkUDoT+QGWKZ0E2xpc rPakVW2KXwyUtYEtlEAj3GXD/fYwrryAdeiyGqidQSw1eqtJcA8cZq4zXqhPuCBY E1fKJjh/5X6MwRm9c2xf7WVdLf5oSdt64esVIwVAKC1HJ2oli8vj3L0YzC4zjkMa gt+arDAs6bApbL1RVlWIqrJbreqKZmh4y6VR7rAJeUYDVRj9VqRXkErpJ9lbEwtE 83KlIfeG4p52t7zWIMO1XcaGz54uUyet+hBM7BXXDS8Xc5+8Gmmbu1xwSoGIokA3 oTptQecQ4Iimm/Ew7jwbPfMi3TM91T9XVIGo+W9xC8oWpugVCXLuwXijjxJ3r/6P jX7nlFua8QmyM+TO/Gja2TTc2Z95C5uaewGH6cJi6bJO6Z+TY276eH3tbgy+/3ly 3Js+rj66osG/AV5htgaQ9SeRAAAAAElFTkSuQmCC ------------lmJ707ve7Uig6mZfgrxNCG--