Pwning coworkers thanks to LaTeX (scumjr.github.io)
201 points by zdw on Nov 29, 2016 | 101 comments

> Writing reports in LaTeX is painful.

No it's not. I like being able to use my favorite editor to write markup a lot better than being forced into a particular WYSIWYG editor.

> In short, run `pdflatex` in a VM.

Yeah with a premature prankster you might have to.

> No it's not.

Not to speak about collaborating. Oh the fun of sharing a Word doc between 10 people, each one with a slightly different version that messes the formats so badly (like that one guy who uses OpenOffice) and constantly making phone calls to ask others to close the document to not overwrite it.

Meanwhile with LaTeX you have plain text source files so you can have nice version control with git or even GitHub, each person working in their local repo or even branch, with the document having a nice history of commits, blames, merges, etc. Maybe not to the average office worker, but for anyone with experience in coding / version control it is a godsend.

https://www.sharelatex.com changed my life in that regard. All the convenience of Google docs, with the determinism of having one single system compiling your LaTeX documents.

I've been using Overleaf to great effect, mainly because its free version isn't limited to one collaborator.

Also doubles as a Git repo.

I bet you guys sit alone on Jabber while everyone else is having conversations on Skype and Slack.

I'm a relatively big fan of TeX but in my whole life only once have I met a co-worker who also used it. Yes, in theory it is great for collaborating, but in practice it's not because nobody would know what to do with a TeX file if you sent it to them.

For me it is less about it being better at collaboration, and more that the popular alternatives are so bloody awful.

It is frustrating, because the popular choices all make better demos. But recovery is often so painful that you start living in fear of formatting mistakes.

Put it in a directory with a Makefile; that usually solves a lot of the problem of "knowing what to do with it."

I would probably get some blank stares and get asked why I sent two random files and not a .docx...

To non-editors, you'll usually just send the rendered PDF file.

Try Google Docs while working with 3 people at the same time. It will blow your mind.

OTOH try Google Docs for anything larger than an article. It will blow your browser.

How large an article are you talking about? I used Google Slides to make reasonably heavy power points, and it performed well.

It will rot your mind. I'll take LaTeX + git, thank you.

Oh yes, vim + latex + git is better than any google docs when you know how to use it. When you need to collaborate with non-technical people, it's a different story - I've been in that situation and even successfully taught basic git to a few people, it's not worth it in the long run.

Try Etherpad.

I find that markdown solves the 95% use-case for me, with a much lower barrier to entry, not to mention resistance from others in the team.

Newer Word versions have this Collaborative Mode (available through Office 365) which behaves like Google Docs, except you work in a full-featured word processor. With it you can edit in real-time via both Desktop and Web versions.

Yes, we used Microsoft's solution for our master's thesis.

<rant> We had to constantly clear cookies, restart the computer, delete our local OneDrive copies and do other quirky work-arounds to be able to do anything. Not to mention the constant crashing and general bugs that plagued the process.

As an example: during the final reading of the paper (a three hour session), I had restarted my computer 8 times and created about 15 local copies of the word document "just in case".

I have heard similar horror stories from other students as well.

It is genuinely shocking to me that Microsoft is getting away with this horrendous performance. </rant>

Yes, used it for a university group project and it was unstable.

I think a side by side markup / WYSIWYG is what is missing from PowerPoint and Word. What I would like to see is the equivalent of the WPF editor in Visual Studio, where you can change either and the other updates accordingly.

There are plenty of apps offering real time collaborative WYSIWYG these days: Google docs, office 365 etc

> Oh the fun of sharing a Word doc between 10 people, each one with a slight different version that messes the formats so badly (like that one guy who uses OpenOffice) and constantly making phone calls to ask others to close the document to not overwrite it.

You can set up git (or your preferred VCS) hooks to make this relatively manageable.

Now Dropbox tells you when others have the document open and so on, so it is easier. But still orders of magnitude worse than working with plain text files.

> > In short, run `pdflatex` in a VM.

> Yeah with a premature prankster you might have to.

Anything that runs on untrusted input should be run in an isolated environment.

When it's your own stuff do as you please. When it's a thing you got from somewhere and just blindly run it on your machine, might want to think twice. That advice doesn't just go for LaTeX.

Just because you consider it immature doesn't mean it's not genuinely exploitable and someone couldn't use it against you. If anything, taking the approach of "only immature pranksters do this" probably makes it easier for someone to sneak it past you.

> Anything that runs on untrusted input should be run in an isolated environment.

If a colleague sends me something to review, I trust that he doesn't want to hack me. Someone can always use physical access to capture my keystrokes in some way.

> doesn't mean it's not genuinely exploitable

Agreed, so the message should be "don't run random LaTeX files from the internet or classmates or something", not "oh hey look at me annoying colleagues at work".

Malware writers might take advantage of your trust for your coworkers and spread their viruses as email attachments from trusted (infected) sources.

It's like Office macro viruses but for nerds.

Yes, but that's not a problem for LaTeX specifically.

This is being a bit paranoid, but do your colleagues pgp sign their messages? How do you know it is really coming from them?

Fair point. I mean, I do sign with PGP when I have someone's key but this often runs into trouble with spam filters or people going "I lost my key" or "I want to read it in the train and I don't have my privkey on my mobile device". So it's a valid point.

You don't need to encrypt it, just sign it - no privkey required to read a signed message, and you don't need someone else's pubkey to do so.

Of course it won't help if your coworkers don't also sign things they send to you.

and how do you know your colleague is not a spy, or a double agent, or an advanced AI seeking to take down the human race ... /paranoia

Or just has an email client that got infected with a virus. Remember Office macro viruses? How we laughed at how stupid it was that a simple word processor apparently needed vulnerable turing-complete macros?

Now we actually compile source files into documents and get surprised that someone might trick you into running malware.

Well, the article implies 'pwning coworkers' which is indeed quite immature. Do you do all your development in closed/isolated environment because of your coworkers posing threats? That sounds a bit paranoid.

> Do you do all your development in closed/isolated environment because of your coworkers posing threats? That sounds a bit paranoid.

Not because of my coworkers posing threats. And this wouldn't have to come from a coworker. Though that's what the author suggests, the issue isn't limited to that, which unfortunately seems to have taken the upper hand in the discussions around this.

But I do most of my development in isolated environments. Not because I don't trust my coworkers but because people can fuck up, things sneak in and can break my system or leave it vulnerable.

On the other hand, isn't pwning coworkers the basis of sound security awareness training?

> No it's not.

Yes, it is. That's like saying I prefer bash because it's the same on all platforms as opposed to Windows proprietary UI.

Is latex powerful? Yes. Is it easy? Not for the average user.

> Is latex powerful? Yes. Is it easy? Not for the average user.

Have you tried writing technical reports in Word? It's a nightmare. Word's numbering and reference functionality, not to mention its citation functions are way worse than what you can achieve with TeX. Cooperating on writing the same document with many people? Yeah, forget about it. One guy has Mac OS with one Word version and then you have three others with different combinations of Windows/Word, and the whole thing implodes in a cascade of formatting glitches.

Also, I'd say that if you can't write your technical report in LaTeX because LaTeX is too hard, let's go shopping (in the Microsoft App Store), then maybe you shouldn't be writing a technical report.

Not to mention that nobody has to write an ounce of LaTeX since the advent of pandoc.

Saying that the alternatives are hard does not do anything to prove that LaTeX is easy.

When you make a syntax error (missing closing brace, forgot to escape that underscore, etc), what's the probability that the latex error message will be at all relevant to the source of the error? It's pretty damn low. In my experience, debugging LaTeX is anything but easy.

Yes, typesetting documents isn't easy, and it takes skill. Yes, LaTeX's error reporting is a bloody mess straight out of the 80s.

Word may make it easier to half-ass something. But its error reporting is way worse than LaTeX's — it doesn't have any. If something's fucked up, it's fucked up, and good luck finding out what you did wrong. Writing a consistently styled, readable and good looking document in Word is anything but easy.

So we're back to square one: typesetting a document is hard, and there is no software solution that makes it easy (for simple stuff, pandoc comes close.) You'll have to learn to do it.

Have you tried writing technical reports in LyX? It's not a nightmare and you can see what it looks like.

To provide a counterpoint, I've been writing Technical reports in word for about 15 years, using it for about 20, works fine for most things I've seen.

Like any complex program there are things to learn and quirks to get used to, but it can be a very powerful platform once you get past that.

Maybe LaTeX is not easy, but writing a scientific PhD dissertation in LaTeX is easier than doing so in Word. I did it in LaTeX. I had no problems. My wife did it in Word, and we both spent hours trying to solve tons of stupid Word related problems.

edits: typos.

20 years ago I wrote my dissertation using LaTeX. Two years ago I found it in old backups and immediately stuck it into a git repo, built a LaTeX hosting docker container and built the whole ~120 page doc using the makefile I made at the time. I then proceeded to marvel at the ingenuity of people, the hubris of a young man and the futility of it all. I then quenched the rising tide of existential angst with a few craft beers I purchased using proceeds from my day job building silly web-apps in JavaScript for a big multinational mining company.

Had I written it in word I would have tossed the disk into the trash, and watched a movie.

LaTeX, the gift that keeps on giving.

And for actual publications and the like, latex is indeed awesome and there is a strong argument for superiority.

But the ``problem'' is people who insist on using it for everything. Have a memo? Better set up a repo. Writing a report for a manager? Latex!

With the simpler things where you won't be cross referencing constantly and any figures that you have you want absolute control over placement, Word is the way to go. And pretty much the moment you are done your dissertation, that is the majority of what you'll write. Even in academia you'll likely spend more time writing grants and memos than papers. And, with at least the former, what matters most is having the figure easily seen and fitting the format requirements (specifically page count).

Use the best tool for any given job.

I agree. The other day, I had to write a 1-page project proposal for a PhD scholarship and they were giving the font to use and its size, and the margins. I had almost no mathematical symbol to use. One of the professors said that it looks unprofessional to not use Latex. I mean, I could have used Latex and it would have looked exactly the same given the requirements. I just did it in LibreOffice because that was really the simplest I could have done.

To get an idea of what people might mean when they say that LaTeX looks more professional, see this: http://www.zinktypografie.nl/latex.php?lang=en

Oftentimes, I can (correctly) correlate "weird" looking documents with MS Word or Open/LibreOffice, eg: when reading papers. It's a surprising subconscious estimate and I don't know what throws my sensibilities off! Maybe I'm used to a higher standard of typesetting, or maybe it's just that I'm used to reading LaTeX output. I have heard the same from multiple academics who have spent some years looking at LaTeX output.

I wouldn't be surprised if people spent more time looking at beautiful documents, compared to uglier counterparts. Just like any other UX. As always, the document creator has to decide whether it's worth the extra effort.

Word 2010 supports ligatures, old-style and lining numbers, kerning and rare and historical letters and ligatures:


Latex typography looks vastly better than Word or LibreOffice, even when the font, margins and size are fixed.

Writing slides for a scientific talk too. Or a bullet-text-heavy slides for that matter.

OTOH: for many business cases where text is kept sparse and randomly placed PowerPoint excels. And new versions have somewhat taken Tufte's criticism to heart -- the smart, make-a-diagram-for-text enable a lot of conceptual collaboration across a widely multidisciplinary organization. I mean, sometimes you're writing documentation for your fellow nerds (i.e. the equations behind some code you wrote) and sometimes you're explaining economic concepts to lawyers.

(I think (we) nerds tend to undervalue the work and insights of people like lawyers and accountants; and the importance of clear communication. But I digress on a digression...)

Writing a dissertation in word is fine. Preparing for a dissertation for print in word is a pain in the ass. The 'correct' way to do it is to write in Word, do citations in Endnote, and then lay the whole thing out in InDesign.

Let me be the guy that brings this article in: http://journals.plos.org/plosone/article?id=10.1371/journal....

"LaTeX users were slower than Word users, wrote less text, made more typesetting, grammatical, and formatting errors"

Also, the usual rebuttal to that article. http://tex.stackexchange.com/a/219581. Anything that did not perfectly reproduce the typesetting of a reference document, they counted as a typesetting error. Any word placement at the end of one line as opposed to the start of the next, for example. The sort of thing that LaTeX handles automatically, and better than humans.

Murphy's law in action, there was a correction made to the paper you quote, so I clicked through to see what was corrected:

Notice of Republication

This article was republished on March 30, 2015, to correct the sizing and placement of the figures; none of the article content was changed. The publisher apologizes for the original layout errors. Please download this article again to view the corrected version. The originally published, uncorrected article and the republished, corrected article are provided here for reference.

> made more typesetting

Agh, I keep on making the mistake of doing homework directly to LaTeX. It seems that you're able to think directly from the page but it ultimately slows you down. I know way too much about mathematical typesetting as it is -- before I start making up rules about how Expectation should be \mathsf{E} and writing huge custom command files.

This one exam I started doing all the exercises in the book into LaTeX. As an aspiring mathematician, I need to learn to better appreciate pencil and paper.

For an average document that doesn't do anything special, Latex is extremely simple. It only gets complicated if you want to deviate from the design that your document class uses by default.

The average user of course doesn't even know what the difference between a text editor and MS Word is but I'd argue that it's not much harder to learn using something like LyX than learning Word. Word only wins because of peer pressure. Almost all offices use MS Office, so you're expected to use that, even for documents where simple Markdown would be completely sufficient.

> It only gets complicated if you want to deviate from the design that your document class uses by default.

Which is always, because defaults are ugly as hell. Might work for math papers, but not much else.

My only real issue with LaTeX though is its error reporting, which is less readable than C++ template metaprogramming fails, and the fact you have to compile the same file $magic times in a row to get a stable render.

> the fact you have to compile the same file $magic times in a row to get a stable render.

You should look into LatexMk[0].

[0]: http://mg.readthedocs.io/latexmk.html

I wish I could upvote this more than once. Anyone who is writing non-trivial documents in LaTeX will benefit from this.

Haven't heard of that, thanks.

> My only real issue with LaTeX though is its error reporting, which is less readable than C++ template metaprogramming fails

Oh, that's so true. I've spent far too many hours trying to help debug LaTeX code from friends and coworkers.

I'd give Office users that MS Office is easier to use if you want to write one page of plain text without anything else but above that Office is just a huge pain in the a... But the biggest problem I have with Office isn't whether it's hard to use or not but that the text it produces is simply ugly. Especially so if you have to work between different versions of MS Office and maybe even an OO user within the loop. (That would then probably be me...) The text layout MS Office produces is simply hideous.

> Which is always, because defaults are ugly as hell. Might work for math papers, but not much else.

There are shittons of templates.

You don't have to compile the same file a magic number of times. You either click the button in your GUI or you use latexmk or texify.

The error messages suck though, that's true.

Do GUI LaTeX tools run the compilation several times in the background? Because last time I checked, you absolutely had to run it several times, if you wanted to have all your references correct.

EDIT: nevermind, I didn't know Latexmk is a thing and is popular.

LyX for one does run latex/bibtex as many times as required.

> have to compile the same file $magic times

I now use rubber[0] to avoid this. I especially like that it has a --clean option :)

[0]: https://launchpad.net/rubber

I agree. I consider myself a fairly technical guy. Given the breathless praise for it anytime it's mentioned, I've tried to get into LaTeX off and on throughout the years, but it's just a massive learning cliff. I still haven't figured out how to change formatting or fonts, so every document I write in it has that standard "PhD dissertation" look. I can pick up a new programming language in a weekend, but I still don't "get" TeX.

Search online for "xelatex". It's latex for the 21st century.

Maybe it's not when writing plain English, but as soon as you want to include tricky Unicode characters it's not anymore.

I spent hours trying to fix bugs for my master's dissertation and gave up with two unfixed problems: (1) missing line breaking in references containing accentuated characters and (2) including some non BMP code-point character.

And some packages can mess with other packages, so coming up with a solution can sometimes break another thing.

The "average" user isn't aware of the alternative that is LaTeX. Watching a few tutorials is an easy way to start. For example, see https://www.sharelatex.com/blog/latex-guides/beginners-tutor... and go from there.

I would say it's a huge difference between easy to use and easy to learn.

LaTeX is easy to use, but not easy to learn.

I haven't found an editor, let alone my favourite editor that knows what sections exist in my latex report and can give suggestions for (any of the) ref commands, that knows what citation I have in my bib file and can do autosuggestions for the cite command. Most editors I've tried that can do some auto-completion don't know which libraries I have loaded and will suggest the same commands regardless of whether they are actually available in the given document.

I find the "favourite editor" a moot point, when it is unclear if there even is an editor that works with latex. Setting up a pipeline that can give you a PDF is also difficult beyond reason.

And then we haven't even mentioned the code. Latex is not mark-up, it is code and it is one of the most horrible programming languages I have ever had the displeasure of using.

Writing latex is painful to say the least.

> Writing latex is painful to say the least.

One feels that the pain was worth it when their existing .doc files render differently using another Word version.

As a law student and an avid emacs user, I write my papers in org-mode and then just export it to latex and then to pdf.

I don't know how to write a single line of latex, but I can write a beautiful paper, full with footnotes, links, italics, quotations etc. thanks to emacs.

On the other hand, on some larger papers with heavy footnotes, sometimes tex doesn't compile. Then, I find the error through trial-and-error by editing the tex file.

On the other hand, running latex in a docker container is actually quite reasonable, since you can share the exact package/processing setup, and even set up a CI that builds PDF-artifacts.

But that's an advanced use case :-)

> Yeah with a premature prankster you might have to.

There are actually some online services that have web-based latex editors, and they may use this tool to generate PDFs. I just sent one of them an email to make sure they know about it.

Does anyone know what the history of that --wolfgang switch is? The bibtex8 man page just says "set really huge BibTeX capacity for Wolfgang". It sounds like it was made for me but I assume there was some other Wolfgang for whom it was intended.

http://www.ctan.org/tex-archive/biblio/bibtex/8-bit/ specifically says it's for Wolfgang's PhD thesis. I still can't figure out what Wolfgang this was intended for, but it is kind of impressive that this person got a whole flag for their one document.

So I did some more digging through the MiKTeX source code[1]. There's a couple of different Wolfgangs mentioned in comments scattered around the source, but I'm not sure which of them (if any) prompted this flag. I did find the following comment:

Revision 3.6 1995/10/21 22:20:42 kempson Fixed numerous bugs, improved error reporting and added the --wolfgang option.

So apparently it was a PhD from around 1995 or so.

What's even more impressive is that their name got turned into a magic incantation: while looking at forum posts about this I found that a lot of people just said "always pass --wolfgang, it makes things better"!

[1]: https://github.com/MiKTeX/miktex/search?utf8=%E2%9C%93&q=wol...

FWIW, MetaPost draws technical graphics. For instance, it is what Knuth uses for the graphics in his books. (Most LaTeX users these days seem to me to instead use TikZ, or sometimes Asymptote.)

The purpose of its --tex option is to allow you to format the labels to fit the document, using whatever TeX engine you use for your document. For instance, if you use XeTeX so you can access system fonts then you probably want the graphics to have labels using those fonts also, so you want MetaPost to use XeTeX also.

There has been a lot of work lately on MetaPost; I don't know whether this is a recently-introduced bug, but I suspect it is. Anyway, such reports are useful, as for any software project. So if someone here has a similar one please forward it to the developers list. If you go to TUG's page http://www.tug.org and click on "mailing lists" you'll see a great number of options. In a pinch you could start with the "tex-live" one and you will for sure get some attention.

> In short, run pdflatex in a VM.

Shouldn't it rather say that pdflatex shouldn't be run on arbitrary inputs? I suppose that funny things can happen upon opening arbitrary PDF files as well, or opening arbitrary image formats, or executing arbitrary code.

Next episode: Pwning coworkers thanks to Makefile

Or maybe: Pwning coworkers thanks to arbitrary code.

Checkoway et al. wrote a paper "Don’t take LaTeX files from strangers" in Usenix ;login: a few years ago. People forget that LaTeX isn't just a text file -- it is basically a programming language for typesetting.


It's a Turing-complete language that can do file-I/O, so it's a given that he can "pwn" his coworkers.

It's 2016 and someone only now realised LaTeX documents can execute arbitrary code?

There are a number of articles about that, for example in the TeX User's Group's magazine and on the TeX StackExchange. And the developers have been aware of, and taken steps about it, many years ago.

For example, TeX Live ships with write18 disabled.

I'm using MiKTeX, and it also has write18 disabled. I thought it was the default configuration for most distributions.

At this point there are really only the two distributions, TeX Live (the basis for the distribution for many other platforms, including the Mac) and MiKTeX on Windows.

I don't usually link to xkcd cartoons, but this seems like a perfect case. Every day I have new students learning Latex, sharing documents with each other. No guide to latex ever says "hey, don't trust documents people send you, they can p0wn you"


I mean, you can pwn coworkers with Python, too. I'm not quite getting this. Are people who use LaTeX not aware that the interpreter is... well... an interpreter?

Impressed that someone is using LaTeX to write reports! Wish I could get my coworkers to do that ;p

It might also be worthwhile to try ConTeXt [0], especially if your reports contain floats.

[0] http://wiki.contextgarden.net/What_is_ConTeXt

shell-escape really should be turned off by default.

It is, or at least had been on every distro I've used. I had to explicitly enable it to use gnuplottex.

The article shows a default config file where it is enabled for a handful of commands.
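
A check for the setting discussed in the comments above (shell escape and the list of commands it permits), as an added example that is not part of the thread or the linked article: it parses a `texmf.cnf` and reports the `shell_escape` mode plus any allowlisted program outside a locally approved set. The sample config and the `APPROVED` policy are constructed assumptions.

```python
import re

# Constructed texmf.cnf excerpt for illustration; not copied from any distribution.
SAMPLE_TEXMF_CNF = r"""
% Enable system commands via \write18{...}
shell_escape = p

% Programs that may be run when shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
mpost,\
repstopdf,\

openout_any = p
"""

# Hypothetical local policy: helper programs this team has reviewed and accepts.
APPROVED = {"bibtex", "kpsewhich", "makeindex"}

# t = any command, p = only shell_escape_commands, f = no commands
MODES = {"t": "unrestricted", "p": "restricted", "f": "disabled"}
_COMMENT = re.compile(r"(^|\s)%.*$")  # '%' at line start or after whitespace
_ASSIGN = re.compile(r"^([A-Za-z_][\w.-]*)\s*=?\s*(.*)$")


def parse_cnf(text):
    """Return {variable: value}, joining lines continued with a trailing backslash."""
    settings, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling continuation
        line = _COMMENT.sub("", raw).strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        line, pending = pending + line, ""
        match = _ASSIGN.match(line)
        if match:
            # Keep the first definition seen (a simplification for this example).
            settings.setdefault(match.group(1), match.group(2).strip())
    return settings


def audit(text, approved=APPROVED):
    """Summarise shell-escape exposure and list allowlisted programs not in `approved`."""
    cfg = parse_cnf(text)
    mode = MODES.get(cfg.get("shell_escape", "").lower(), "unknown")
    # kpathsea lets a setting be qualified per program, e.g. shell_escape.pdflatex
    overrides = {name.split(".", 1)[1]: MODES.get(value.lower(), "unknown")
                 for name, value in cfg.items() if name.startswith("shell_escape.")}
    allowed = [c.strip() for c in cfg.get("shell_escape_commands", "").split(",")
               if c.strip()]
    modes = [mode, *overrides.values()]
    # The allowlist only matters when some mode is restricted.
    unapproved = sorted(set(allowed) - set(approved)) if "restricted" in modes else []
    ok = not unapproved and all(m in ("restricted", "disabled") for m in modes)
    return {"mode": mode, "overrides": overrides, "allowed": allowed,
            "unapproved": unapproved, "ok": ok}


if __name__ == "__main__":
    report = audit(SAMPLE_TEXMF_CNF)
    print("shell_escape mode:", report["mode"])
    print("allowlist:", ", ".join(report["allowed"]))
    print("not on approved list:", ", ".join(report["unapproved"]) or "none")
    print("verdict:", "ok" if report["ok"] else "review needed")
```

On an installed system, `kpsewhich -var-value=shell_escape` and `kpsewhich -var-value=shell_escape_commands` print the effective values to compare against.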

And this is why you want to run any third-party software in a sandbox or container. Doing this just needs to be done as painless as possible.

People compile LaTeX outside of chroot?

Pwn Overleaf is more like it.

LaTeX = this generation's ANSI?

Get off my lawn ;-)
