simplex install instructions and VPN quote

content/posts/grapheneos/index.md

@@ -21,7 +21,7 @@ letter="grapheneos-letter.pdf"
 
 GrapheneOS is a private and secure version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) have irrevocable access to your files, call logs, location, etc.), and it is trivial to [bypass standard Android authentication](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) with [physical access](/glossary/#physical-attacks) to the device. GrapheneOS uses hardware-based security to [greatly increase the difficulty](https://grapheneos.org/faq#encryption) of bypassing authentication, is significantly [hardened](/glossary#hardening) against hacking, and has all Google apps and services removed by default. There are other alternative Android operating systems, [but they are inferior](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android. GrapheneOS is [regularly audited](https://grapheneos.org/faq#audit).
 
-Due to the nature of [how the technology works](https://privsec.dev/posts/android/android-tips/#carrier-tracking), cell phones leave a geolocation history when they connect to cell towers. For this reason, we recommend that you use a smartphone that stays at home like a landline and connects to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window. 
+Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/), cell phones leave a geolocation history when they connect to cell towers. For this reason, we recommend that you use a smartphone that stays at home like a landline and connects to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window. 
 
 # Installation 
 
@@ -121,7 +121,9 @@ To install and configure Sandboxed Google Play:
 * Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.   
 * Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
 
-You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, RiseupVPN is recommended. If you want to pay for a VPN anonymously, both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn) are also recommended. VPNs are per profile, so must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (expect for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)).
+You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, RiseupVPN is recommended. If you want to pay for a VPN anonymously, both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn) are also recommended. VPNs are per profile, so must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (expect for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
+
+>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
 
 Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps - see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.